| E | |
|---|---|
| Paradigm | Multi-paradigm:object-oriented,message passing |
| Designed by | Mark S. Miller |
| First appeared | 1997; 28 years ago (1997) |
| Typing discipline | Strong,dynamic |
| OS | Cross-platform |
| License | Portions in differentfree licenses |
| Website | erights |
| Majorimplementations | |
| E-on-Java, E-on-CL | |
| Influenced by | |
| Joule,Original-E,Java | |
| Influenced | |
| Pony | |
E is anobject-oriented programming language forsecuredistributed computing, created byMark S. Miller,[1]Dan Bornstein,Douglas Crockford,[2]Chip Morningstar[3] and others at Electric Communities in 1997. E is mainly descended from the concurrent languageJoule and from Original-E, a set of extensions to Java for secure distributed programming. E combinesmessage-based computation withJava-like syntax. Aconcurrency model based onevent loops andpromises ensures thatdeadlock can never occur.[4]
The E language is designed forcomputer security and secure computing. This is performed mainly by strict adherence to the object-oriented computing model, which in its pure form, has properties that support secure computing. The E language and its standardlibrary employ acapability-based design philosophy throughout in order to help programmers build secure software and to enable software components to co-operate even if they don't fully trust each other. In E, object references serve as capabilities, hence capabilities add no computational or conceptual overhead costs. The language syntax is designed to be easy for people to audit for security flaws. For example, lexicalscoping limits the amount of code that must be examined for its effects on a given variable. As another example, the language uses the== operator for comparison and the:= operator for assignment; to avoid the possibility of confusion, there is no= operator.
In E, all values areobjects and computation is performed by sending messages to objects. Each object belongs to avat (analogous to aprocess). Each vat has a single thread of execution, a stack frame, and an event queue.Distributed programming is just a matter of sending messages to remote objects (objects in other vats). All communication with remote parties isencrypted by the E runtime. Arriving messages are placed into the vat's event queue; the vat's event loop processes the incoming messages one by one in order of arrival.
E has two ways to send messages: animmediate call and aneventual send. An immediate call is just like a typical function or method call in a non-concurrent language: a sender waits until a receiver finishes and returns a value. An eventual send sends a message while producing a placeholder for a result called apromise. A sender proceeds immediately with the promise. Later, when a receiver finishes and yields a result, the promise resolves to a result. Since only eventual sends are allowed when communicating with remote objects,deadlocks cannot happen. In distributed systems, the promise mechanism also minimizes delays caused by network latency.
E's syntax is most similar toJava, though it also bears some resemblance toPython andPascal. Variables aredynamically typed and lexicallyscoped. Unlike Java or Python, however, E is composed entirely ofexpressions. Here is an extremely simple E program:
println("Hello, world!")
Here is a recursive function for computing the factorial of a number, written in E. Functions are defined using thedef keyword.
deffactorial(n:int):int{if(n==1){return1}elseif(n>0){returnn*factorial(n-1)}else{throw("invalid argument to factorial: "+n)}}
In the first line,:int is aguard that constrains the argument and result of the function. A guard is not quite the same thing as a type declaration; guards are optional and can specify constraints. The first:int ensures that the body of the function will only have to handle an integer argument. Without the second:int above, the function would not be able to return a value. Being able to see up front that information escapes out of the function is helpful for security auditing.
Since E is intended to support secure co-operation, the canonical example for E programs is the mint, a simple electronic money system in just a few lines of E. The following code defines a function that makes mints, where each mint has its own currency. Each mint can make purses that hold its currency, and any holder of two purses of the same currency can securely transfer money between the purses. By quick examination of the source code, an E programmer can easily verify that only mints may change the amount of money in circulation, that money can only be created and not destroyed, that mints can only create money of their own currency, and that only the holder of a purse can change its balance.
defmakeMint(name):any{def[sealer,unsealer]:=makeBrandPair(name)defmint{tomakePurse(varbalance:(int>=0)):any{defdecr(amount:(0..balance)):void{balance-=amount}defpurse{togetBalance():int{returnbalance}tosprout():any{returnmint.makePurse(0)}togetDecr():any{returnsealer.seal(decr)}todeposit(amount:int,src):void{unsealer.unseal(src.getDecr())(amount)balance+=amount}}returnpurse}}returnmint}
Objects in E are defined with thedef keyword, and within the object definition, theto keyword begins each method. The guard expressions in this example illustrate how to specify a value constraint (as in:(int >= 0) or:(0..balance)).
The mint example makes use of a built-in mechanism called asealer. The functionmakeBrandPair creates two associated objects, a sealer and an unsealer, such that the sealer can seal an object in a box and the unsealer is the only object that can retrieve the contents of the box. See the E website for a more detailed explanation of this money example.[5]
Before presenting the following simple example of capability-based money, we must attempt to head off a confusion this example repeatedly causes. We are not proposing to actually do money this way! A desirable money system must also provide for...