Changeset 5e0b6657 for doc

Timestamp:

Dec 8, 2025, 11:29:33 AM (2 months ago)

Author:

Michael Brooks <mlbrooks@…>

Branches:

master, stuck-waitfor-destruct

Children:

79ba50c

Parents:

8f448e0 (diff), 79ec8c3 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge remote-tracking branch 'refs/remotes/origin/master'

Location:

doc

Files:

• LaTeXmacros/common.sty (modified) (2 diffs)
• LaTeXmacros/common.tex (modified) (2 diffs)
• bibliography/pl.bib (modified) (37 diffs)
• proposals/autogen.md (modified) (1 diff)
• theses/fangren_yu_MMath/test.adb (modified) (1 diff)
• theses/mike_brooks_MMath/intro.tex (modified) (9 diffs)
• theses/mike_brooks_MMath/uw-ethesis-frontpgs.tex (modified) (1 diff)
• uC++toCFA/uC++toCFA.tex (modified) (19 diffs)

doc/LaTeXmacros/common.sty

@@ -11 +11 @@
 %% Created On       : Sat Apr  9 10:06:17 2016
 %% Last Modified By : Peter A. Buhr
-%% Last Modified On : Mon May  5 21:37:13 2025
-%% Update Count     : 666
+%% Last Modified On : Sun Sep 21 22:17:15 2025
+%% Update Count     : 667
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
@@ -325 +325 @@
   {<-}{$\leftarrow$}2
   {=>}{$\Rightarrow$}2
+  {/*}{/{\raisebox{-2pt}{*}}}2
+  {*/}{{\raisebox{-2pt}{*}}/}2
 %  {->}{\raisebox{-1pt}{\texttt{-}}\kern-0.1ex\textgreater}2,
 }% lstset

doc/LaTeXmacros/common.tex

@@ -11 +11 @@
 %% Created On       : Sat Apr  9 10:06:17 2016
 %% Last Modified By : Peter A. Buhr
-%% Last Modified On : Mon May  5 21:34:53 2025
-%% Update Count     : 709
+%% Last Modified On : Sun Sep 21 22:16:43 2025
+%% Update Count     : 710
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
@@ -329 +329 @@
   {<-}{$\leftarrow$}2
   {=>}{$\Rightarrow$}2
+  {/*}{/{\raisebox{-2pt}{*}}}2
+  {*/}{{\raisebox{-2pt}{*}}/}2
 %  {->}{\raisebox{-1pt}{\texttt{-}}\kern-0.1ex\textgreater}2,
 }% lstset

doc/bibliography/pl.bib

@@ -362 +362 @@
     school      = {University of Waterloo},
     year        = 1991,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
 }
 
@@ -426 +426 @@
     year        = 2010,
     month       = dec,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     optnote     = {\textsf{http://uwspace.uwaterloo.ca/\-bitstream/10012/\-5751\-/1/Krischer\_Roy.pdf}},
     note        = {\url{http://uwspace.uwaterloo.ca/bitstream/10012/5751/1/Krischer_Roy.pdf}},
@@ -929 +929 @@
 
 % B
+
+@misc{ONCD,
+    keywords    = {programming lnaguage safety},
+    contributer = {pabuhr@plg},
+    key         = {Final-ONCD-Technical-Report},
+    title       = {Back to the Building Blocks: A Path Toward Secure and Measurable Software},
+    author      = {},
+    howpublished= {\url{https://bidenwhitehouse.archives.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf}},
+    year        = 2024,
+}
 
 @article{Michael13,
@@ -1154 +1164 @@
 % C
 
+@mastersthesis{HummelViirola25,
+    keywords    = {C, Rust, conversion},
+    contributer = {pabuhr@plg},
+    author      = {Johan Hummel and Ella Viirola},
+    title       = {From C 2 Rust: Evaluating the Feasibility of Translating C to a Memory-Safe Programming Language at Ericsson},
+    school      = {Lund University},
+    year        = 2025,
+    address     = {Lund, Sweden},
+}
+
 @book{C,
     keywords    = {C},
@@ -1247 +1267 @@
     title       = {\textsf{C}$\mathbf{\forall}$ Container Library},
     school      = {School of Computer Science, University of Waterloo},
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     publisher   = {UWSpace},
     year        = {2025},
-    note        = {\url{https://hdl.handle.net/10012/XXXXX}},
+    note        = {\url{https://hdl.handle.net/10012/12345}},
 }
 
@@ -1324 +1344 @@
     title       = {The \textsf{C}$\mathbf{\forall}$ Scheduler},
     school      = {School of Computer Science, University of Waterloo},
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     publisher   = {UWSpace},
     year        = 2022,
@@ -1345 +1365 @@
     school      = {School of Computer Science, University of Waterloo},
     year        = 2004,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\url{http://plg.uwaterloo.ca/theses/EstevesThesis.pdf}},
 }
@@ -1355 +1375 @@
     school      = {School of Computer Science, University of Waterloo},
     year        = 2019,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\url{https://hdl.handle.net/10012/14584}},
 }
@@ -1510 +1530 @@
     title       = {\textsf{C}$\mathbf{\forall}$ Users Guide, Version 0.1},
     institution = {Department of Computer Science, University of Waterloo},
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     month       = oct,
     year        = 2001,
@@ -1833 +1853 @@
     year        = 1997,
     month       = sep,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\url{http://plg.uwaterloo.ca/theses/MokThesis.pdf}},
 }
@@ -2058 +2078 @@
     school      = {School of Computer Sc., University of Waterloo},
     year        = 2015,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\url{https://hdl.handle.net/10012/10013}},
 }
@@ -2104 +2124 @@
     title       = {Concurrency in \textsf{C}$\mathbf{\forall}$},
     school      = {School of Computer Science, University of Waterloo},
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     publisher   = {UWSpace},
     year        = 2018,
@@ -2116 +2136 @@
     title       = {Concurrency in {C}{\kern-.1em\hbox{\large\texttt{+\kern-.25em+}}}},
     institution = {Department of Computer Science, University of Waterloo},
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     number      = {CS-90-18},
     month       = may,
@@ -2209 +2229 @@
     school      = {Department of Computer Science, University of Waterloo},
     year        = 1992,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\url{http://plg.uwaterloo.ca/theses/DitchfieldThesis.pdf}}
 }
@@ -3289 +3309 @@
     title       = {Enumerated Types in \textsf{C}$\mathbf{\forall}$},
     school      = {School of Computer Science, University of Waterloo},
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     publisher   = {UWSpace},
     year        = {2024},
@@ -3496 +3516 @@
     title       = {Exception Handling in \textsf{C}$\mathbf{\forall}$},
     school      = {School of Computer Science, University of Waterloo},
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     publisher   = {UWSpace},
     year        = {2021},
@@ -3752 +3772 @@
     year        = 2008,
     month       = jan,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\url{http://uwspace.uwaterloo.ca/bitstream/10012/3501/1/Thesis.pdf}},
 }
@@ -4209 +4229 @@
     year        = 2009,
     month       = sep,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\textsf{http://uwspace.uwaterloo.ca/bitstream/\-10012/\-4735/\-1/\-Chen-Jun.pdf}},
 }
@@ -4230 +4250 @@
     author      = {Haskell},
     title       = {Haskell 2010 Language Report},
-    edition     = {{S}imon {M}arlow},
+    optedition  = {{S}imon {M}arlow},
     year        = 2010,
     note        = {\url{https://haskell.org/definition/haskell2010.pdf}},
@@ -4291 +4311 @@
     title       = {High Level Concurrency in \textsf{C}$\mathbf{\forall}$},
     school      = {School of Computer Science, University of Waterloo},
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     publisher   = {UWSpace},
     year        = {2023},
@@ -4302 +4322 @@
     author      = {Mubeen Zulfiqar},
     title       = {High-Performance Concurrent Memory Allocation},
-    school      = {School of Computer Science, University of Waterloo},
+    school      = {School of Comp. Sc., Univ. of Waterloo},
     year        = 2022,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\url{https://hdl.handle.net/10012/18329}},
 }
@@ -4323 +4343 @@
     author      = {Srihari Radhakrishnan},
     title       = {High Performance Web Servers: A Study In Concurrent Programming Models},
-    school      = {School of Computer Sc., University of Waterloo},
+    school      = {School of Computer Science, University of Waterloo},
     year        = 2019,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\url{https://hdl.handle.net/10012/14706}},
 }
@@ -4529 +4549 @@
     author      = {Richard C. Bilson},
     title       = {Implementing Overloading and Polymorphism in \textsf{C}$\mathbf{\forall}$},
-    school      = {School of Computer Science, University of Waterloo},
+    school      = {University of Waterloo},
     year        = 2003,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\url{http://plg.uwaterloo.ca/theses/BilsonThesis.pdf}},
 }
@@ -4572 +4592 @@
     year        = 2018,
     month       = sep,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\url{https://uwspace.uwaterloo.ca/handle/10012/13935}},
 }
@@ -5109 +5129 @@
     school      = {University of Waterloo},
     year        = 1990,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1}
+    address     = {Waterloo, Ontario, Canada}
 }
 
@@ -5531 +5551 @@
     title       = {$\mu${S}ystem Annotated Reference Manual, Version 4.4.3},
     institution = {Department of Computer Science, University of Waterloo},
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     month       = sep,
     year        = 1994,
@@ -6273 +6293 @@
     contributer = {pabuhr@plg},
     key         = {OCaml},
-    title       = {The {OC}aml system, release 5.1},
-    address     = {Rust Project Developers},
-    year        = 2023,
-    note        = {\url{https://v2.ocaml.org/manual/}},
+    author      = {Xavier Leroy, Damien Doligez, Alain Frisch, Jacques Garrigue, Didier Rémy and Jérôme Vouillon},
+    title       = {The {OC}aml system, release 5.4},
+    year        = 2025,
+    note        = {\url{https://v2.ocaml.org/manual}},
 }
 
@@ -7733 +7753 @@
     school      = {School of Computer Science, University of Waterloo},
     year        = 2017,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     note        = {\url{https://hdl.handle.net/10012/11830}},
 }
@@ -7819 +7839 @@
     contributer = {pabuhr@plg},
     key         = {Rust},
-    title       = {{R}ust Programming Language},
-    address     = {Rust Project Developers},
+    title       = {The {R}ust Reference},
+    address     = {Rust Developers},
     year        = 2015,
-    note        = {\url{https://doc.rust-lang.org/reference.html}},
+    note        = {\url{https://doc.rust-lang.org/stable/reference}},
 }
 
@@ -7875 +7895 @@
     month       = jun,
     pages       = {35-46},
+}
+
+@inproceedings{Kashyap17,
+    contributer = {pabuhr@plg},
+    author      = {Sanidhya Kashyap and Changwoo Min and Taesoo Kim},
+    title       = {Scalable {NUMA-aware} Blocking Synchronization Primitives},
+    booktitle   = {2017 USENIX Annual Tech. Conf.},
+    address     = {Santa Clara, CA},
+    pages       = {603-615},
+    publisher   = {USENIX Assoc.},
+    year        = 2017,
+    month       = jul,
 }
 
@@ -8321 +8353 @@
     contributer = {pabuhr@plg},
     author      = {Michael D. Tiemann},
-    title       = {Solving the RPC problem in GNU {C}{\kern-.1em\hbox{\large\texttt{+\kern-.25em+}}}},
+    title       = {Solving the {RPC} problem in {GNU} {C}{\kern-.1em\hbox{\large\texttt{+\kern-.25em+}}}},
     booktitle   = {Proceedings of the USENIX {C}{\kern-.1em\hbox{\large\texttt{+\kern-.25em+}}} Conference},
     organization= {USENIX Association},
@@ -8333 +8365 @@
     keywords    = {Polymorphic C},
     contributor = {a3moss@uwaterloo.ca},
-    title       = {A sound polymorphic type system for a dialect of {C}},
+    title       = {A Sound Polymorphic Type System for a Dialect of {C}},
     author      = {Smith, Geoffrey and Volpano, Dennis},
     journal     = {Science of computer programming},
@@ -8543 +8575 @@
     school      = {Department of Computer Science, University of Waterloo},
     year        = 1989,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
 }
 
@@ -8784 +8816 @@
     volume      = 40,
     number      = 6,
-    month       = jun,
+    optmonth    = jun,
     year        = 2005,
     pages       = {261-268},
@@ -8909 +8941 @@
 }
 
+@misc{Tractor,
+    keywords    = {Rust, C conversion},
+    contributer = {pabuhr@plg},
+    key         = {Tractor},
+    title       = {TRACTOR: Translating All C to Rust},
+    author      = {Dan Wallach},
+    note        = {DARPA},
+    howpublished= {\url{https://www.darpa.mil/research/programs/translating-all-c-to-rust}},
+    year        = 2024,
+}
+
 @misc{Miller19,
     keywords    = {memory management, errors, unsafe},
     contributer = {pabuhr@plg},
-    title       = {Trends, challenges, and strategic shifts in the software vulnerability mitigation landscape},
+    title       = {Trends, Challenges, and Strategic Shifts in the Software Vulnerability Mitigation Landscape},
     author      = {Matt Miller},
     month       = feb,
@@ -8926 +8969 @@
     school      = {Department of Computer Science, University of Waterloo},
     year        = 1989,
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
 }
 
@@ -9087 +9130 @@
     title       = {Type Resolution in \textsf{C}$\mathbf{\forall}$},
     school      = {School of Computer Science, University of Waterloo},
-    address     = {Waterloo, Ontario, Canada, N2L 3G1},
+    address     = {Waterloo, Ontario, Canada},
     publisher   = {UWSpace},
     year        = {2025},

doc/proposals/autogen.md

@@ -100 +100 @@
 The main reason to manually remove functions is to enforce a behaviour based interface for a type, as opposed to a data based one. To enforce that new interface, this would have to interact with visibility.
 
+### Automatic Remove Hides Everything
+As soon as you declare a custom constructor, _all_ autogenerated constructors become inaccessible. Often, this behaviour is good, and it agrees with C++. But the desire dual to "manually remove" exists: "manually keep." Furthermore, there is a use case for invoking an automatically provided constructor as a helper, when implementing a custom constructor.
+
+        struct S {
+            int i;
+            int & j;
+        };
+        void ?{}( S & s, int & w ) {
+            // Unique best alternative includes deleted identifier in:
+            s{ 3, w };
+            // intended meaning / workaround:
+            // s.i = 3; &s.j = &w;
+        }
+
+This use case should be considered also, along with visibility. A private helper constructor should be usable in the implementation of a public value-add constructor. The private helper being an autogen is one such arrangement.
+
+Users should have the option to adopt the idiom: All constructors funnel into the most private, all-member constructor.
+
+### Removed Functions Linger
+Even if a function is made CFA-uncallable, it still shows in the emitted C code (`cfa -CFA`). An uncallable function shows identically to a callable function, with no indication of, "This declaration has been deleted," or, "Here is a redaction of X." This quirk reduces the utility of inspecting -CFA to answer, "What constructors would be available to me?" or, "What's the net effect of the constructor declarations and deletions that I've given?"
+
 ## Other Problems & Requested Features
 

doc/theses/fangren_yu_MMath/test.adb

@@ -6 +6 @@
         Function Random return Float is begin return 3.5; end;
         Function Random return Unbounded_String is begin return To_Unbounded_String( "abc" ); end;
-        
+
         Procedure Print( V : Integer ) is begin Put_Line( Integer'Image(V) ); end;
         Procedure Print( V : Float ) is begin Put_Line( Float'Image(V) ); end;
         Procedure Print( V : Unbounded_String ) is begin Put_Line( Ada.Strings.Unbounded.To_String(V) ); end;
-        
+
         Function Func( V : Integer ) return Integer is begin return V; end;
         Function Func( V : Float ) return Float is begin return V; end;
         Function Func( V : Unbounded_String ) return Unbounded_String is begin return V; end;
         Function Func( V1 : Integer; V2 : Float ) return Float is begin return Float(V1) + V2; end;
-        
-        subtype Int       is Integer;
+
+        subtype Int              is Integer;
         J : Int;
         Function "-"( L, R : Int ) return Int is begin Put_Line( "X" ); return Integer(L) + (-Integer(R)); end; --  prevent infinite recusion
-        
---      duplicate body for "-" declared at line 20
---      subtype SInt is Integer range -10 .. 10;
---      Function "-"( L, R : SInt ) return SInt is begin Put_Line( "X" ); return Integer(L) + (-Integer(R)); end; --  prevent infinite recusion
-        
+
+        --      duplicate body for "-" declared at line 20
+        --      subtype SInt is Integer range -10 .. 10;
+        --      Function "-"( L, R : SInt ) return SInt is begin Put_Line( "X" ); return Integer(L) + (-Integer(R)); end; --  prevent infinite recusion
+
         i : Integer;
         f : Float;
         s : Unbounded_String;
-        
+
         Type Complex is
-        record
-            Re, Im : Float;
-        end record;
+                record
+                 Re, Im : Float;
+                end record;
         c : Complex := (Re => 1.0, Im => 1.0);
-    Procedure Grind (X : Complex) is begin Put_Line( "Grind1" ); end;
-    Procedure Grind (X : Unbounded_String) is begin Put_Line( "Grind2" ); end;
-        
+        Procedure Grind (X : Complex) is begin Put_Line( "Grind1" ); end;
+        Procedure Grind (X : Unbounded_String) is begin Put_Line( "Grind2" ); end;
+
         generic
-           type T is private;
-           with function "+"( X, Y: T ) return T;
+                type T is private;
+                with function "+"( X, Y: T ) return T;
         function twice( X : T ) return T;
-        
+
         function twice( X: T ) return T is
         begin
-           Put_Line( "XXX" ); return X + X;   -- The formal operator "*".
+                Put_Line( "XXX" ); return X + X;        -- The formal operator "*".
         end twice;
 
         function Int_Twice is new Twice( Integer, "+" => "+" );
         function float_Twice is new Twice( float, "+" => "+" );
-        
---      generic units cannot be overloaded
---      generic
---        type T is private;
---        with function "+"( X, Y: T ) return T;
---      function twice( X : T; Y : T ) return T;
-        
---      function twice( X: T; Y : T ) return T is
---      begin
---        Put_Line( "XXX" ); return X + X;   -- The formal operator "*".
---      end twice;
+
+        --      generic units cannot be overloaded
+        --      generic
+        --              type T is private;
+        --              with function "+"( X, Y: T ) return T;
+        --      function twice( X : T; Y : T ) return T;
+
+        --      function twice( X: T; Y : T ) return T is
+        --      begin
+        --              Put_Line( "XXX" ); return X + X;        -- The formal operator "*".
+        --      end twice;
 begin
-   I := 3;
-   I := 7 - 3;
-        Print( i );
-   F := 3.8;
-   I := 7 - 2;
-        Print( i );
-   J := 7 - 3;
-        Print( j );
-   
+        I := 3;
+        I := 7 - 3;
+        Print( i );
+        F := 3.8;
+        I := 7 - 2;
+        Print( i );
+        J := 7 - 3;
+        Print( j );
+
         i := Random;
-        Print( i );
+        Print( i );
         f := Random;
-        Print( f );
+        Print( f );
         s := Random;
-        Print( s );
-        
-        Print( Func( V => 7 ) );
-        Print( Func( 7.5 ) );
-        Print( Func( To_Unbounded_String( "abc" ) ) );
-        Print( Func( 3, 3.5 ) );
---      Print( Func( 3, 3 ) );
-        
+        Print( s );
+
+        Print( Func( V => 7 ) );
+        Print( Func( 7.5 ) );
+        Print( Func( To_Unbounded_String( "abc" ) ) );
+        Print( Func( 3, 3.5 ) );
+        --              Print( Func( 3, 3 ) );
+
         Grind( X => (Re => 1.0, Im => 1.0) );
         Grind( c );
         Grind( To_Unbounded_String( "abc" ) );
-        
+
         i := Int_Twice( 2 );
         Put_Line( Integer'Image(i) );
         f := float_Twice( 2.5 );
-        Print( f );
+        Print( f );
 end test;
 

doc/theses/mike_brooks_MMath/intro.tex

@@ -2 +2 @@
 
 All modern programming languages provide three high-level containers (collections): array, linked-list, and string.
-Often array is part of the programming language, while linked-list is built from (recursive) pointer types, and string from a combination of array and linked-list.
+Often array is part of the programming language, while linked-lists are built from (recursive) pointer types, and strings from a combination of array and linked-list.
 For all three types, languages and/or their libraries supply varying degrees of high-level mechanisms for manipulating these objects at the bulk and component level, such as copying, slicing, extracting, and iterating among elements.
 
 Unfortunately, these three aspects of C cause a significant number of memory errors~\cite{Oorschot23}.
+Estimates suggest 50\%~\cite{Mendio24} of total reported open-source vulnerabilities occurring in C result from errors using these facilities (memory errors).
 For operating system and browser vendors, who heavily use systems languages, 60\%--70\% of reported software vulnerabilities involved memory errors~\cite{Kehrer23}.
 For Microsoft, 70\% of vulnerabilities addressed via security updates between 2006--2018 are memory safety issues~\cite[slide 10]{Miller19}.
 In a study of software exploits in the U.S. National Vulnerability Database over 2013--2017, the top reported vulnerability is (memory) buffer errors, among 19 vulnerability categories~\cite{Cifuentes19}.
-Therefore, hardening these three C types goes a long way to make the majority of C programs safer.
+Therefore, hardening these three C types goes a long way to make the majority of C programs safer and eliminating major hacker attack-vectors.
 
 This work looks at extending these three foundational container types in the programming language \CFA, which is a new dialect of the C programming language.
@@ -26 +27 @@
 The array size can be static, dynamic but fixed after creation, or dynamic and variable after creation.
 For static and dynamic-fixed, an array can be stack allocated, while dynamic-variable requires the heap.
-Because array layout has contiguous components, subscripting is a computation (some form of pointer arithmetic).
+Because array layout has contiguous components, subscripting is a computation, \ie some form of pointer arithmetic.
 
 C provides a simple array type as a language feature.
-However, it adopts the controversial language position of treating pointer and array as duals, leading to multiple problems.
+However, it adopts the controversial position of treating pointer and array as duals, leading to multiple problems.
 
 
@@ -36 +37 @@
 A linked-list provides a homogeneous container often with $O(log N)$ or $O(N)$ access to elements using successor and predecessor operations that normally involve pointer chasing.
 Subscripting by value (rather than position or location as for array) is sometimes available, \eg hash table.
-Linked types are normally dynamically sized by adding and removing nodes using link fields internal or external to the elements (nodes).
-If a programming language allows pointers to stack storage, linked-list nodes can be allocated on the stack and connected with stack addresses (pointers);
+Linked types are dynamically sized by adding and removing nodes using link fields internal or external to the list elements (nodes).
+If a programming language allows pointers to stack storage, linked-list nodes can be allocated on the stack and connected with stack addresses;
 otherwise, elements are heap allocated with internal or external link fields.
 
@@ -47 +48 @@
 hash search table consisting of a key (string) with associated data (@<search.h>@)
 \end{itemize}
-Because these libraries are simple, awkward to use, and unsafe, C programmers commonly build bespoke linked data-structures.
+Because these container libraries can be restrictive, awkward to use, and unsafe, C programmers often build bespoke linked data-structures, which further increases the potential for memory errors.
 
 
@@ -54 +55 @@
 A string provides a dynamic array of homogeneous elements, where the elements are (often) some form of human-readable characters.
 What differentiates a string from other types in that many of its operations work on groups of elements for scanning and changing, \eg @index@ and @substr@.
-While subscripting individual elements is usually available, working at the individual character level is considered poor practise, \ie underutilizing the powerful string operations.
+While subscripting individual elements is usually available, working at the character level is considered poor practise, \ie underutilizing the powerful string operations.
 Therefore, the cost of a string operation is usually less important than the power of the operation to accomplish complex text manipulation, \eg search, analysing, composing, and decomposing string text.
 The dynamic nature of a string means storage is normally heap allocated but often implicitly managed, even in unmanaged languages.
-In some cases, string management is separate from heap management, \ie strings roll their own heap.
+In many cases, string management is separate from heap management, \ie strings roll their own heap.
 
 The C string type is just a character array and requires user storage-management to handle varying size.
-The character array uses the convention of marking its (variable) array length by placing the 0-valued control character at the end (null-terminated).
+C adopts a terminating sentinel character, @'\0'@, to mark the end of a variable-length character-array versus a preceding length field.
+Hence, the sentinel character is excluded from a string and determining the string length is an $O(N)$ operation.
 The C standard library includes a number of high-level operations for working with this representation.
-Most of these operations are awkward and error prone.
+Most of these operations are awkward to use and error prone.
 
 
@@ -80 +82 @@
 \begin{enumerate}[leftmargin=*]
 \item
-These three aspects of C are difficult to understand, teach, and get right because they are correspondingly low level.
+The three primary container types in C are difficult to understand, teach, and get right because they are too low level.
 Providing higher-level, feature-rich versions of these containers in \CFA is a major component of the primary goal.
+The result is a simplify programming experience, which increases productivity and maintainability.
 \item
-These three aspects of C cause the greatest safety issues because there are few or no safe guards when a programmer misunderstands or misuses these features~\cite{Elliott18, Blache19, Ruef19, Oorschot23}.
-Estimates suggest 50\%~\cite{Mendio24} of total reported open-source vulnerabilities occurring in C result from errors using these facilities (memory errors), providing the major hacker attack-vectors.
+The new container types must be as correct and safe to use as those in other modern programming languages, which has been shown to a primary concern of industry, government, and military~\cite{ONCD}.
+Prior approaches focus on out-of-bound array accesses using a model-based approach (ASCET) in embedded systems (\eg cars)~\cite{Blache19}, and general and null-terminated string arrays using a \CC template syntax (Checked C)~\cite{Elliott18,Ruef19}.
+Both White House~\cite{WhiteHouse24} and DARPA~\cite{DARPA24} recently released a recommendation to \emph{move away} from C and \CC, because of cybersecurity threats exploiting vulnerabilities in these languages.
+Fixing these vulnerabilities negates this need, allowing C and its ecosystem to continue into the future.
 \end{enumerate}
-Both White House~\cite{WhiteHouse24} and DARPA~\cite{DARPA24} recently released a recommendation to move away from C and \CC, because of cybersecurity threats exploiting vulnerabilities in these older languages.
-Hardening these three types goes a long way to make the majority of C programs safer.
 
-
-While multiple new languages purport to be systems languages replacing C, the reality is that rewriting massive C code-bases is impractical and a non-starter if the new runtime uses garage collection.
+While new languages, \eg Go, Rust, Swift, purport to be systems languages replacing C, the reality is that rewriting massive C code-bases is impractical and a non-starter if the runtime uses garbage collection.
+Even assuming automated conversion of C programs to other safe languages, who will maintain this massive new code-base?
 Furthermore, new languages must still interact with the underlying C operating system through fragile, type-unsafe, interlanguage-communication.
-Switching to \CC is equally impractical as its complex and interdependent type-system (\eg objects, overloading, inheritance, templates) means idiomatic \CC code is difficult to use from C, and C programmers must expend significant effort learning new \CC.
-Hence, rewriting and retraining costs for these languages can be prohibitive for companies with a large C software-base (Google, Apple, Microsoft, Amazon, AMD, Nvidia).
+Switching to \CC is equally impractical as its complex and interdependent type-system (\eg objects, overloading, inheritance, templates) means idiomatic \CC code is difficult to use from C, and C programmers must expend significant effort learning new \CC features and idioms.
+Finally, projects claiming to be modern C replacements (Cyclone~\cite{Grossman06}, Polymorphic C~\cite{Smith98}, GObject~\cite{GObject}) do not retain C backwards compatibility in syntax, programing model, or semantic compatibility;
+these languages are equivalent to switching to a different programming language.
+Hence, rewriting and retraining costs for other languages are prohibitive when companies have a large C software-base (Google, Apple, Microsoft, Amazon, AMD, Nvidia).
 
 
@@ -100 +105 @@
 Like many established programming languages, C has a standards committee and multiple ANSI/\-ISO language manuals~\cite{C99,C11,C18,C23}.
 However, most programming languages are only partially explained by their standard's manual(s).
-When it comes to explaining how C works, the definitive source is the @gcc@ compiler, which is mimicked by other C compilers, such as Clang~\cite{clang}.
-Often other C compilers \emph{must} mimic @gcc@ because a large part of the C library (runtime) system (@glibc@ on Linux) contains @gcc@ features.
+When it comes to explaining how C works, the definitive source is the @gcc@ compiler, which is mimicked by other C compilers, such as Clang~\cite{clang}, because a large part of the C library (runtime) system (@glibc@ on Linux) contains @gcc@ features.
 Some key aspects of C need to be explained and understood by quoting from the language reference manual.
 However, to illustrate actual program semantics, this thesis constructs multiple small programs whose behaviour exercises a particular point and then confirms the behaviour by running the program using multiple @gcc@ compilers.
 These example programs show
-\begin{itemize}
+\begin{itemize}[itemsep=0pt]
         \item if the compiler accepts or rejects certain syntax,
         \item prints output to buttress a behavioural claim,
@@ -111 +115 @@
 \end{itemize}
 These programs are tested across @gcc@ versions 8--14 and clang versions 10--14 running on ARM, AMD, and Intel architectures.
-Any discovered anomalies among compilers, versions, or architectures is discussed.
+Any discovered anomalies among compilers, versions, or architectures are discussed.
 In general, it is never clear whether the \emph{truth} lies in the C standard or the compiler(s), which may be true for other programming languages.
 
@@ -118 +122 @@
 
 Overall, this work has produced significant syntactic and semantic improvements to C's arrays, linked-lists and string types.
-As well, a strong plan for general iteration has been sketched out.
+% As well, a strong plan for general iteration has been sketched out.
 The following are the detailed contributions, where performance and safety were always the motivating factors.
 
 \subsection{Array}
 
-This work's array improvements are:
+The improvements to C arrays are:
 \begin{enumerate}[leftmargin=*]
 \item
-Introduce a small number of subtle changes to the typing rules for the C array, while still achieving significant backwards compatibility
+Introduce a small number of subtle changes to the typing rules for the C array, while still achieving significant backwards compatibility.
 \item
 Create a new polymorphic mechanism in the \CFA @forall@ clause to specify array dimension values, similar to a fixed-typed parameter in a \CC \lstinline[language=C++]{template}.

doc/theses/mike_brooks_MMath/uw-ethesis-frontpgs.tex

@@ -129 +129 @@
 \begin{center}\textbf{Abstract}\end{center}
 
+\CFA strives to fix mistakes in C, chief among them, safety.
+This thesis presents a significant step forward in \CFA's goal to remove unsafe pointer operations.
+The thesis presents improvements to the \CFA language design, both syntax and semantics, to support advanced container features.
+These features are implemented across the \CFA compiler, libraries, and runtime system.
+The results maintain another \CFA goal of remaining 99\% backwards compatible with C.
+This thesis leverages preexisting work within the compiler's type and runtime systems generated by prior students working on the \CFA project.
+
 All modern programming languages provide three high-level containers (collections): array, linked-list, and string.
-Often array is part of the programming language, while linked-list is built from (recursive) pointer types, and string from a combination of array and linked-list.
+Often array is part of the programming language, while linked-lists are built from (recursive) pointer types, and strings from a combination of array and linked-list.
 For all three types, languages and/or their libraries supply varying degrees of high-level mechanisms for manipulating these objects at the bulk and component level, such as copying, slicing, extracting, and iterating among elements.
-Unfortunately, these three aspects of C cause 60\%--70\% of the reported software vulnerabilities involved memory errors, and 70\%--80\% of hacker attack-vectors target these types.
+Unfortunately, these three aspects of C cause 60\%--70\% of the reported software vulnerabilities involving memory errors, and 70\%--80\% of hacker attack-vectors target these types.
 Therefore, hardening these three C types goes a long way to make the majority of C programs safer.
 
-This work looks at extending these three foundational container types in the programming language \CFA, which is a new dialect of the C programming language.
-The thesis describes improvements made to the \CFA language design, both syntax and semantics, to support the container features, and the source code created within the \CFA compiler, libraries, and runtime system to implement these features.
-This work leverages preexisting work within the compiler's type and runtime systems generated by prior students working on the \CFA project.
-
-Overall, this work has produced significant syntactic and semantic improvements to C's container types.
-\begin{enumerate}[leftmargin=*]
-\item
-Introduce a small number of subtle changes to the typing rules for the C array, while still achieving significant backwards compatibility.
-\item
-Create a new polymorphic mechanism in the \CFA @forall@ clause to specify array dimension values, similar to a fixed-typed parameter in a \CC \lstinline[language=C++]{template}.
-The new array type, enabled by prior features, defines an array with guaranteed runtime bound checks (often optimizer-removable) and implicit (guaranteed accurate) inter-function length communication.
-\item
-Create a new polymorphic list type and its runtime library following the established design pattern of intrusive link-fields for performance reasons, especially in concurrent programs.
-\item
-Create a new string type and runtime library comparable to the \CC @string@ type, including analogous coexistence with raw-character pointers, enabling programs to work with strings by value, without incurring excessive copying.
-Substrings are supported, including the ability for overlapping ranges to share edits transparently.
-\end{enumerate}
-The thesis includes a performance evaluation that shows the new \CFA containers perform comparably with their C counterparts in many programming cases.
+Specifically, an array utility is provided that tracks length internally, relieving the user of managing explicit length parameters and stopping buffer-overrun errors.
+This feature requires augmenting the \CFA type system, making array length available at compile and runtime.
+A linked-list utility is provided, which obviates many explicit recursive pointers by catering directly to system-programming uses (intrusive lists) for which a library solution is often dismissed.
+Finally, a string utility is provided with implicit memory management of text in a specialized heap, relieving error-prone buffer management, including overrun, and providing a copy-on-write speed boost.
+For all three utilities, performance is argued to be on-par with, and occasionally surpassing relevant comparators.
+With the array, this case is made by showing complete erasure down to a naked C array, modulo runtime bound checks, which are removable more often than with Java-style length management.
+With the linked list and string, empirical measures are compared with relevant libraries.
+These utilities offer a system programmer workable alternatives to hand-rolling several common causes of system vulnerabilities, thereby improving \CFA's position as a safety-forward system-programming alternative.
 
 \cleardoublepage

doc/uC++toCFA/uC++toCFA.tex

@@ -11 +11 @@
 %% Created On       : Wed Apr  6 14:53:29 2016
 %% Last Modified By : Peter A. Buhr
-%% Last Modified On : Mon Sep  8 18:10:30 2025
-%% Update Count     : 6534
+%% Last Modified On : Mon Nov 17 11:14:48 2025
+%% Update Count     : 6677
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
@@ -345 +345 @@
 
 \begin{cquote}
+\setlength{\tabcolsep}{5pt}
 \begin{tabular}{@{}l|ll@{}}
 \begin{uC++}
 
 
-void main() {
+void Coroutine::main() {
         try {
                 _Enable {
@@ -357 +358 @@
           catch( E & ) { ... }
 }
+void Coroutine::mem() { resume(); }
 \end{uC++}
 &
@@ -362 +364 @@
 #define resumePoll( coroutine ) resume( coroutine ); poll()
 #define suspendPoll suspend; poll()
-void main() {
+void main( Coroutine & cor ) {
         try {
                 enable_ehm();
@@ -370 +372 @@
           catch( E & ) { ... }
 }
+void mem( Coroutine & cor ) { resumePoll(); }
 \end{cfa}
 \end{tabular}
@@ -429 +432 @@
 \end{tabular}
 \end{cquote}
+
+
+\section{Time}
+
+\begin{cquote}
+\setlength{\tabcolsep}{5pt}
+\begin{tabular}{@{}l|l@{}}
+\begin{uC++}
+
+uTime start = uClock::currTime();
+...
+cout << "duration " << uClock::currTime() - start
+        << " sec." << endl;
+\end{uC++}
+&
+\begin{cfa}
+#include <clock.hfa>
+Time start = timeHiRes(); // time with nanoseconds
+...
+sout | "duration " | timeHiRes() - start | " sec.";
+
+\end{cfa}
+\end{tabular}
+\end{cquote}
+
+
+\section{Constructor / Destructor}
+
+A constructor/destructor must have its structure type as the first parameter and be a reference.
+\begin{cquote}
+\begin{tabular}{@{}l|l@{}}
+\begin{uC++}
+
+struct S {
+        int i, j;
+        @S@() { i = j = 3; }
+        @S@( int i, int j ) { S::i = i; S::j = j; }
+        @S@( const S & s ) { *this = s; }
+        @~S@() {}
+};
+S s0, s1 = { 1, 2 };
+
+S * s2 = new S{ 1, 2 };   delete s2;
+s2 = new S{ 1, 2 };   delete s2;
+S & s3 = *new S{ 1, 2 };   delete &s3;
+s3 = *new S{ 1, 2 };   delete &s3;
+\end{uC++}
+&
+\begin{cfa}
+#include <stdlib.hfa> // new (malloc)
+struct S { int i, j; };
+
+void @?{}@( @S & s@ ) { s.i = s.j = 3; } $\C[3in]{// default}$
+void @?{}@( @S & s@, int i, int j ) { s.i = i; s.j = j; } $\C{// initializer}$
+void @?{}@( @S & s@, const S rhs ) { ?{}( s, rhs.i, rhs.j ); } $\C{// copy}$
+void @^?{}@( @S & s@ ) { s.i = 0; s.j = 0; } $\C{// destructor}\CRT$
+
+S s0, s1 = { 1, 2 };
+// bug, cannot use 0/1 (zero_t/one_t) with "new"
+S * s2 = new( 0@n@, 2 );   /* suffix n => (natural int) */  delete( s2 );
+s2 = new( 1@n@, 2 );   delete( s2 );
+S & s3 = *new( 2, 2 );   delete( &s3 );
+&s3 = &*new( 3, 2 );   delete( &s3 );
+\end{cfa}
+\end{tabular}
+\end{cquote}
+
+
+\section{\texorpdfstring{Structures (object-oriented \protect\vs routine style)}{Structures (object-oriented vs. routine style)}}
+
+\CFA is NOT an object-oriented programming-language, so there is no receiver (\lstinline[language=c++]{this}) or nested structure routines.
+The equivalent of a \emph{member} routine has an explicit structure parameter in any parameter position (often the first).
+\begin{cquote}
+\begin{tabular}{@{}l|l@{}}
+\begin{uC++}
+struct S {
+        int i = 0;  // cheat, implicit default constructor
+        int setter( int j ) { int t = i; i = j; return t; }
+        int getter() { return i; }
+};
+S s;
+@s.@setter( 3 );  // object calls
+int k = @s.@getter();
+\end{uC++}
+&
+\begin{cfa}
+struct S {  int i;  };
+void ?{}( S & s ) { s.i = 0; } // explicit default constructor
+int setter( @S & s,@ int j ) @with( s )@ { int t = i; i = j; return t; }
+int getter( @S & s@ ) @with( s )@ { return i; }
+
+S s;
+setter( @s,@ 3 );  // normal calls
+int k = getter( @s@ );
+\end{cfa}
+\end{tabular}
+\end{cquote}
+Aggregate qualification is reduced or eliminated by opening scopes using the @with@ clause.
+\begin{cfa}
+struct S { int i; int j; double m; };  // field i has same type in structures S and T
+struct T { int i; int k; int m; };
+void foo( S s, T t ) @with( s, t )@ {   // open structure scope s and t in parallel
+        j + k;                          $\C[1.6in]{// unambiguous, s.j + t.k}$
+        m = 5.0;                        $\C{// unambiguous, s.m = 5.0}$
+        m = 1;                          $\C{// unambiguous, t.m = 1}$
+        int a = m;                      $\C{// unambiguous, a = t.m}$
+        double b = m;           $\C{// unambiguous, b = s.m}$
+        int c = s.i + t.i;      $\C{// unambiguous with qualification}$
+        (double)m;                      $\C{// unambiguous with cast s.m}\CRT$
+}
+\end{cfa}
+\noindent
+In subsequent code examples, the left example is \CC/\uC and the right example is \CFA.
 
 
@@ -474 +590 @@
 
 
+\enlargethispage{1000pt}
 \section{\texorpdfstring{\lstinline{uArray}}{uArray}}
 
@@ -525 +642 @@
 \end{cquote}
 
-
-\section{\texorpdfstring{Structures (object-oriented \protect\vs routine style)}{Structures (object-oriented vs. routine style)}}
-
-\CFA is NOT an object-oriented programming-language, so there is no receiver (\lstinline[language=c++]{this}) or nested structure routines.
-The equivalent of a \emph{member} routine has an explicit structure parameter in any parameter position (often the first).
-\begin{cquote}
-\begin{tabular}{@{}l|l@{}}
+\newpage
+
+
+\section{Doubly-Linked Intrusive List}
+
+\begin{cquote}
+\setlength{\tabcolsep}{10pt}
+\begin{tabular}{@{}l|l@{}}
+\begin{uC++}
+#include <iostream>
+using namespace std;
+struct Node : @public uSeqable@ {
+        int i;
+        Node( int i ) : i( i ) {}
+};
+
+
+int main() {
+        @uSequence<Node> dlist;@
+        Node n1{ 1 }, n2{ 2 }, n3{ 3 };
+        dlist.addTail( &n1 );
+        dlist.addHead( &n2 );  // out of order
+        dlist.insertAft( &n1, &n3 );  // insertBef
+        for ( Node * it = dlist.head(); it; it = dlist.succ( it ) ) {
+                cout << it->i << endl;
+        }
+        dlist.remove( &n3 );  // shorten list
+        dlist.dropTail();  // dropHead
+        Node * it;
+        for ( uSeqIter<Node> seqit(dlist);  // uSeqIterRev
+                          seqit >> it; ) {
+                cout << it->i << endl;
+        }
+}
+\end{uC++}
+&
+\begin{cfa}
+#include <fstream.hfa>
+#include <list.hfa>
+struct Node {
+        @inline dlink( Node );@
+        int i;
+};
+@P9_EMBEDDED( Node, dlink( Node ) );@  // magic
+void ?{}( Node & node, int i ) { node.i = i; }
+int main() {
+        @dlist( Node ) dlist;@
+        Node n1{ 1 }, n2{ 2 }, n3{ 3 };
+        insert_last( dlist, n1 );
+        insert_first( dlist, n2 );  // out of order
+        insert_after( n1, n3 );  // insert_before
+        for ( Node & it = first( dlist ); &it; &it = &next( it ) ) {
+                sout | it.i;
+        }
+        remove( n3 );  // shorten list
+        remove_last( dlist );  // remove_first
+
+        FOREACH( dlist, it ) {  // FOREACH_REV
+
+                sout | it.i;
+        }
+}
+\end{cfa}
+\end{tabular}
+\end{cquote}
+
+
+\section{RAII Dynamic Allocation}
+
+\begin{cquote}
+\begin{tabular}{@{}l|ll@{}}
 \begin{uC++}
 struct S {
-        int i = 0;  // cheat, implicit default constructor
-        int setter( int j ) { int t = i; i = j; return t; }
-        int getter() { return i; }
-};
-S s;
-@s.@setter( 3 );  // object calls
-int k = @s.@getter();
-\end{uC++}
-&
-\begin{cfa}
-struct S {  int i;  };
-void ?{}( S & s ) { s.i = 0; } // explicit default constructor
-int setter( @S & s,@ int j ) @with( s )@ { int t = i; i = j; return t; }
-int getter( @S & s@ ) @with( s )@ { return i; }
-
-S s;
-setter( @s,@ 3 );  // normal calls
-int k = getter( @s@ );
-\end{cfa}
-\end{tabular}
-\end{cquote}
-Aggregate qualification is reduced or eliminated by opening scopes using the @with@ clause.
-\begin{cfa}
-struct S { int i; int j; double m; };  // field i has same type in structures S and T
-struct T { int i; int k; int m; };
-void foo( S s, T t ) @with( s, t )@ {   // open structure scope s and t in parallel
-        j + k;                          $\C[1.6in]{// unambiguous, s.j + t.k}$
-        m = 5.0;                        $\C{// unambiguous, s.m = 5.0}$
-        m = 1;                          $\C{// unambiguous, t.m = 1}$
-        int a = m;                      $\C{// unambiguous, a = t.m}$
-        double b = m;           $\C{// unambiguous, b = s.m}$
-        int c = s.i + t.i;      $\C{// unambiguous with qualification}$
-        (double)m;                      $\C{// unambiguous with cast s.m}\CRT$
-}
-\end{cfa}
-\noindent
-In subsequent code examples, the left example is \CC/\uC and the right example is \CFA.
-
-
-\section{Constructor / Destructor}
-
-A constructor/destructor must have its structure type as the first parameter and be a reference.
-\begin{cquote}
-\begin{tabular}{@{}l|l@{}}
-\begin{uC++}
-
-struct S {
-        int i, j;
-        @S@() { i = j = 3; }
-        @S@( int i, int j ) { S::i = i; S::j = j; }
-        @S@( const S & s ) { *this = s; }
-        @~S@() {}
-};
-S s0;
-S s1 = { 1, 2 };
-
-S * s2 = new S{ 1, 2 };
-delete s2;
-s2 = new S{ 1, 2 };
-delete s2;
-S & s3 = *new S{ 1, 2 };
-delete &s3;
-s3 = *new S{ 1, 2 };
-delete &s3;
-\end{uC++}
-&
-\begin{cfa}
-#include <stdlib.hfa> // new (malloc)
-struct S { int i, j; };
-
-void @?{}@( @S & s@ ) { s.i = s.j = 3; } $\C[3in]{// default}$
-void @?{}@( @S & s@, int i, int j ) { s.i = i; s.j = j; } $\C{// initializer}$
-void @?{}@( @S & s@, const S rhs ) { ?{}( s, rhs.i, rhs.j ); } $\C{// copy}$
-void @^?{}@( @S & s@ ) { s.i = 0; s.j = 0; } $\C{// destructor}\CRT$
-
-S s0;
-S s1 = { 1, 2 };
-// bug, cannot use 0/1 (zero_t/one_t) with "new"
-S * s2 = new( 0@n@, 2 ); // suffix n => (natural int)
-delete( s2 );
-s2 = new( 1@n@, 2 );
-delete( s2 );
-S & s3 = *new( 2, 2 );
-delete( &s3 );
-&s3 = &*new( 3, 2 );
-delete( &s3 );
+        ...    S() { ... }    ~S() { ... }   // ctor / dtor
+};
+S * s = new S;             delete s;
+S * sa = new S[10];     delete [] sa;
+\end{uC++}
+&
+\begin{cfa}
+#include <stdlib.hfa>
+struct S { ... };
+void ?{}( S & ) { ... }    void ^?{}( S & ) { ... }   // ctor / dtor
+S * s = new();        delete( s );
+S * sa = anew( 10 );    adelete( sa );
 \end{cfa}
 \end{tabular}
@@ -660 +767 @@
 }
 \end{cfa}
-\\
-\multicolumn{2}{@{}l@{}}{\lstinline{C c;}}
 \end{tabular}
 \end{cquote}
@@ -708 +813 @@
 
 \begin{cquote}
+\setlength{\tabcolsep}{10pt}
 \begin{tabular}{@{}l|ll@{}}
 \begin{uC++}
@@ -738 +844 @@
 }
 \end{cfa}
-\end{tabular}
-\begin{tabular}{@{}l|ll@{}}
+\\
 \begin{uC++}
 _Actor Hello { ${\color{red}\LstCommentStyle{// : public uActor}}$
@@ -829 +934 @@
 
 uOwnerLock m;
-uCondLock s;
+uCondLock c;
 m.acquire();
-if ( ! s.empty() ) s.wait( m );
+if ( ! c.empty() ) c.wait( m );
 else {
         m.release();
@@ -841 +946 @@
 #include <locks.hfa>
 owner_lock m;
-cond_lock( owner_lock ) s;  // generic type on mutex lock
+cond_lock( owner_lock ) c;  // generic type on mutex lock
 lock( m );
-if ( ! empty( s ) ) wait( s, m );
+if ( ! empty( c ) ) wait( c, m );
 else {
         unlock( m );
@@ -852 +957 @@
 \end{cquote}
 
+\begin{cquote}
+\begin{tabular}{@{}l|ll@{}}
+\begin{uC++}
+
+uSemaphore m, c;
+m.P();
+if ( ! c.empty() ) c.P( m );
+else {
+        m.V();
+}
+\end{uC++}
+&
+\begin{cfa}
+#include <locks.hfa>
+semaphore m, c;
+P( m );
+if ( ! empty( c ) ) P( c, m );
+else {
+        V( m );
+}
+\end{cfa}
+\end{tabular}
+\end{cquote}
+
+
+\enlargethispage{1000pt}
 
 \section{Barrier}
@@ -888 +1019 @@
 #include <mutex_stmt.hfa>
 struct Barrier {
-        @barrier b;@                    // containment
+        @inline barrier;@
         int total;
 
 };
-void ?{}( Barrier & B, unsigned int group ) with(B) {
-        @?{}( b, group );@              // initialize barrier
+void ?{}( Barrier & b, unsigned int group ) with( b ) {
+        @(b){ group };@         // initialize barrier
         total = 0;
 }
-unsigned int block( Barrier & B, int subtotal ) with(B) {
-        void @last@() { sout | total; } // called by Gth arriving thread
+unsigned int block( Barrier & b, int subtotal ) with( b ) {
+        void @last@(...) { sout | total; }      // called by Gth arriving thread
         @mutex( b )@ {  // use barrier's mutual exclusion
                 total += subtotal;
@@ -909 +1040 @@
 \end{cquote}
 
+\newpage
 
 \enlargethispage{1000pt}
@@ -916 +1048 @@
 Internal Scheduling
 \begin{cquote}
+\setlength{\tabcolsep}{5pt}
 \begin{tabular}{@{}l|ll@{}}
 \begin{uC++}
@@ -979 +1112 @@
 \end{cquote}
 
-\newpage
+\bigskip
 \noindent
 External Scheduling
 \begin{cquote}
+\setlength{\tabcolsep}{5pt}
 \begin{tabular}{@{}l|ll@{}}
 \begin{uC++}
@@ -1039 +1173 @@
 
 
-\input{uC++toCFA.ind}
+\newpage
+
+\section{Futures (reference counting)}
+
+
+{\lstset{tabsize=3}
+\setlength{\tabcolsep}{5pt}
+\begin{tabular}{@{}l|ll@{}}
+\begin{uC++}
+#include <uFuture.h>
+@Future_ISM@<int> fi;
+@Future_ISM@<double> fd;
+struct Msg { int i, j; }; @Future_ISM@<Msg> fm;
+struct Stop {}; @Future_ISM@<Stop> fs;
+struct Cont {}; @Future_ISM@<Cont> fc;
+
+_Task Worker {
+        void main() {
+
+                for ( ;; ) {
+                        _Select( fi ) { cout << fi() << endl; fi.reset(); }
+                        and _Select( fd ) { cout << fd() << endl; fd.reset(); }
+                        and _Select( fm ) {
+                                cout << fm().i << " " << fm().j << endl; fm.reset();
+                        } or _Select( fs ) { cout << "stop" << endl; break; }
+                        fc.delivery( (Cont){} );        // synchronize
+                }
+        }
+
+};
+int main() {
+        Worker worker;
+        for ( int i = 0; i < 10; i += 1 ) {
+                fi( i );   fd( i + 2.5 );   fm( (Msg){ i, 2 } ); // fulfil
+                fc(); fc.reset();                               // synchronize
+        }
+        fs( (Stop){} );
+} // wait for worker to terminate
+\end{uC++}
+&
+\begin{cfa}
+#include <future.hfa>
+@future_rc@(int) fi;
+@future_rc@(double) fd;
+struct Msg { int i, j; }; @future_rc@(Msg) fm;
+struct Stop {}; @future_rc@(Stop) fs;
+struct Cont {}; @future_rc@(Cont) fc;
+ExceptionDecl( Break );
+thread Worker {};
+void main( Worker & ) {
+        try {
+                for () {
+                        waituntil( fi ) { sout | fi(); reset( fi ); }
+                        and waituntil( fd ) { sout | fd(); reset( fd ); }
+                        and waituntil( fm ) { sout | fm().i | fm().j; reset( fm ); }
+                        or waituntil( fs ) { sout | "stop";
+                                throw ExceptionInst( Break );
+                        }
+                        fc( (Cont){} );         // synchronize
+                }
+        } catch( Break * ) {}
+}
+int main() {
+        Worker worker;
+        for ( i; 10 ) {
+                fi( i );   fd( i + 2.5 );   fm( (Msg){ i, 2 } ); // fulfil
+                fc(); reset( fc );              // synchronize
+        }
+        fs( (Stop){} );
+} // wait for worker to terminate
+\end{cfa}
+\end{tabular}
+}%
+
+%\input{uC++toCFA.ind}
 
 % \bibliographystyle{plain}