. Mobile agents are processes which can autonomously migrate to new hosts. Despite its many practical benets, mobile agent technology results in signicant new security threats from malicious agents and hosts. The primary added complication is that, as an agent traverses multiple hosts that are trusted to dierent degrees, its state can change in ways that adversely impact its functionality. In this paper, we discuss achievable security goals for mobile agents, and we propose an architecture to achieve these goals. The architecture models the trust relations between the principals of mobile agent systems. A unique aspect of the architecture is a \state appraisal" mechanism that protects users and hosts from attacks via state modications and that provides users with exible control over the authority of their agents. 1 Introduction Currently, distributed systems employ models in which processes are statically attached to hosts and communicate by asynchronous messages or s...

. Scheme 48 is an implementation of the Scheme programming language constructed with tractability and reliability as its primary design goals. It has the structural properties of large, compiler-based Lisp implementations: it is written entirely in Scheme, is bootstrapped via its compiler, and provides numerous language extensions. It controls the complexity that ordinarily attends such large Lisp implementations through clear articulation of internal modularity and by the exclusion of features, optimizations, and generalizations that are of only marginal value. 1. Introduction Scheme 48 is an implementation of the Scheme programming language constructed with tractability and reliability as its primary design goals. By tractability we mean the ease with which the system can be understood and changed. Although Lisp dialects, including Scheme, are relatively simple languages, implementation tractability is often threatened by the demands of providing high performance and extended funct...

VLISP has produced a rigorously verified compiler from Scheme to byte codes, and a verified interpreter for the resulting byte codes. The official denotational semantics for Scheme provides the main criterion of correctness. The Wand-Clinger technique was used to prove correctness of the main compiler step. Then a state machine operational semantics is proved to be faithful to the denotational semantics. The remainder of the implementation is verified by a succession of state machine refinement proofs. These include proofs that garbage collection is a sound implementation strategy,

. We present Bigloo, a highly portable and optimizing compiler. Bigloo is the first compiler for strict functional languages that can efficiently compile several languages: Bigloo is the first compiler for full Scheme and full ML, and for these two languages, Bigloo is one of the most efficient compiler now available (Bigloo is available by anonymous ftp on ftp.inria.fr [192.93.2.54]). This high level of performance is achieved by numerous high-level optimizations. Some of those are classical optimizations adapted to higherorder functional languages (e.g. inlining), other optimization schemes are specific to Bigloo (e.g. a new refined closure analysis, an original optimization of imperative variables, and intensive use of higher-order control flow analysis). All these optimizations share the same design guideline: the reduction of heap allocation. 1 Introduction Strict functional programming languages have many different variations, but they all belong to the same family, the so-calle...

This paper introduces the concepts of wide classes and widening as extensions to the object model of class-based languages such as Java and Smalltalk. Widening allows an object to be temporarily widened, that is transformed into an instance of a subclass, a wide class, and, later on, to be shrunk, that is reshaped to its original class. Wide classes share the main properties of plain classes: they have a name, a superclass, they may be instantiated, they have an associated class predicate and an associated type that may be used to override function definnitions. Widening is also useful to implement transient data storage for longlasting computations. In particular, it helps reducing software data retention. This phenomenon arises when the actual data structures used in a program fail to reect time-dependent properties of values and can cause excessive memory consumption during the execution. Wide classes may be implemented for any dynamically-typed class-based programm...

Originally conceived as a neat idea that could help solve problems in the design and implementation of CLOS, the metaobject protocol framework now appears to have applicability to a wide range of problems that come up in high-level languages. This chapter sketches this wider potential, by drawing an analogy to ordinary language design, by presenting some early design principles, and by presenting an overview of three new metaobject protcols we have designed that, respectively, control the semantics of Scheme, the compilation of Scheme, and the static parallelization of Scheme programs.

Cooperation between independent agents depends upon establishing a degree of security. Each of the cooperating agents needs assurance that the cooperation will not endanger resources of value to that agent. In a computer system, a computational mechanism can assure safe cooperation among the system's users by mediating resource access according to desired security policy. Such a mechanism, which is called a security kernel , lies at the heart of many operating systems and programming environments. This report describes Scheme 48, a programming environment whose design is guided by established principles of operating system security. Scheme 48's security kernel is small, consisting of the call-by-value -calculus with a few simple extensions to support abstract data types, object mutation, and access to hardware resources. Each agent (user or subsystem) has a separate evaluation environment that holds objects representing privileges granted to that agent. Because environments ultimatel...

Two independently developed implementations of Scheme have been extended to compile into portable C code that implements full tail-recursion. Like other compilers for higher-order languages that implement full tail-recursion, measurements of these systems indicate a performance degradation of a factor between two and three compared to the native code emitted by the same compilers. We describe the details of the compilation technique for a non-statically typed language (Scheme) and show that the performance difficulty arises largely from the cost of C function calls. In theory, these expensive calls can be eliminated. In practice, however, they are required to avoid excessively long compilation times by modern C compilers, and to support separate compilation. 1 Introduction Two independently-developed Scheme systems (MIT Scheme[7] and Gambit[4]) have been extended to produce portable C output code. The projects were undertaken completely independently with different design goals, yet h...

. Inline function expansion is an optimization that may improve program performance by removing calling sequences and enlarging the scope of other optimizations. Unfortunately it also has the drawback of enlarging programs. This might impair executable programs performance. In order to get rid of this annoying effect, we present, an easy to implement, inlining optimization that minimizes code size growth by combining a compile-time algorithm deciding when expansion should occur with different expansion frameworks describing how they should be performed. We present the experimental measures that have driven the design of inline function expansion. We conclude with measurements showing that our optimization succeeds in producing faster codes while avoiding code size increase. Keywords: Compilation, Optimization, Inlining, Functional languages. 1 Introduction Inline function expansion (henceforth "inlining") replaces a function invocation with a modified copy of the function body. Studi...

. This paper describes a verified compiler for PreScheme, the implementation language for the vlisp run-time system. The compiler and proof were divided into three parts: A transformational front end that translates source text into a core language, a syntax-directed compiler that translates the core language into a combinator-based tree-manipulation language, and a linearizer that translates combinator code into code for an abstract stored-program machine with linear memory for both data and code. This factorization enabled different proof techniques to be used for the different phases of the compiler, and also allowed the generation of good code. Finally, the whole process was made possible by carefully defining the semantics of vlisp PreScheme rather than just adopting Scheme's. We believe that the architecture of the compiler and its correctness proof can easily be applied to compilers for languages other than PreScheme. Table of Contents 1 Introduction : : : : : : : : : : : : : :...