Tomorrow, the 30th of November, 2012, is the first day of my fifth decade here on Earth, and my last day at Microsoft. (*)

I’ve been working at Microsoft full-time since 1996 and had two years of internships before that. **Microsoft is an awesome company.** We do great work here: work that changes the way people interact with information in a fundamental way. And I, in particular, have had the pleasure and the privilege to work on technologies that change how developers like me get their jobs done. There is no place doing better work on the design and implementation of real-world, production-strength programming languages that ship to millions of developers.

A number of those developers read this very blog, which I’ve been writing for nine years now. Sharing my fabulous adventures in coding with you all has been one of the most enjoyable parts of this job. I mean to continue writing it, but unfortunately, Microsoft’s (entirely sensible) policy is that only full-time employees get to post to MSDN blogs. I am therefore, effective right now, moving my blog to ericlippert.com. **Please subscribe to the RSS feed**, which is at http://ericlippert.com/feed/. (**)

I also intend to finally start “tweeting” occasionally; if you haven’t already, please follow me on Twitter where I am @ericlippert.

A number of people have asked me what motivated this decision. Of course any life decision of this magnitude has a lot of reasons behind it, but the biggest one is simply: I’ve been here for 40% of my entire life, I’ve been feeling for some time that it would be good to take on a new challenge, and an opportunity has arisen that is tailor-made to my skills and interests. I’ll describe that new opportunity in the first post on my new blog. As you’ll see, I am very pleased that it will still involve supporting the C# development community, just in a different way.

Were I to try to make a list of current and erstwhile coworkers to thank it would be extremely long and I would undoubtedly embarrass myself by omitting someone. I’ve had the opportunity to learn about programming languages and developer tools from literally hundreds of developers, testers, writers, editors, program managers, managers, mentors, architects, distinguished engineers and at least a couple of technical fellows. (***) **Thank you all; I hope to continue to work with you in the future.**

And thanks to you all, who have been reading this blog these past nine years. Your comments, praise and always constructive criticism have helped me learn what customers need and helped everyone here shape C# into the amazing tool it is today. **I hope we can continue sharing this adventure;** see you at ericlippert.com.

Eric Lippert

**UPDATE:** Holy goodness, the outpouring here, on the new blog, on Reddit, Hacker News and Twitter of both well-wishing and FUD is delightful for the former and distressing for the latter.

Regarding the former: thank you all for your kind thoughts; I appreciate it very much.

To dispel some of the rumours that are floating around regarding the latter:

(1) C#, Roslyn and .NET in general are doing fine; rumours of their deaths are greatly exaggerated. I certainly would not go to work on yet another C# static analyzer if I did not think there was a bright future to all of them, and to the Microsoft ecosystem in general. The C# language is in good hands; Anders and Mads are still deeply engaged in that process, and I am just one (albeit highly visible) member of a kick-ass team of dozens of people who are building Roslyn. I am leaving it in excellent hands and in excellent shape.

(2) As I said, this was a personal decision based on many factors; the main factor was a desire to pursue a new set of challenges that use my existing skill set. I certainly was not fired, and I look forward to having a close working relationship with the C# team in the future.

And finally:

(3) The first day of my first decade was the day I was born. So tomorrow being the first day of my fifth decade makes me 40, not 50.

Thank you again for your kind thoughts.

Eric

(*) That timing is not coincidental.

(**) Since I will no longer have the ability to reply to comments, they are shut off as of now. If you have comments, please leave them on the new blog. Thanks!

(***) The most hilarious job title at Microsoft as far as I’m concerned.

In C# it is illegal to declare a class D whose base class B is in any way less accessible than D. I’m occasionally asked why that is. There are a number of reasons; today I’ll start with a very specific scenario and then talk about a general philosophy.

Suppose you and your coworker Alice are developing the code for assembly Foo, which you intend to be fully trusted by its users. Alice writes:

public class B
{
    public void Dangerous() { … }
}

And you write

public class D : B
{
    … other stuff …
}

Later, Alice gets a security review from Bob, who points out that method Dangerous could be used as a component of an attack by partially-trusted code, and who further points out that customer scenarios do not actually require B to be used directly by customers in the first place; B is actually only being used as an implementation detail of other classes. So in keeping with the principle of least privilege, Alice changes B to:

internal class B
{
    public void Dangerous() { … }
}

Alice need not change the accessibility of Dangerous, because of course “public” means “public to the people who can see the class in the first place”.

So now what should happen when Alice recompiles before she checks in this change? The C# compiler does not know if you, the author of class D, intended method Dangerous to be accessible by a user of public class D. On the one hand, it is a public method of a base class, and so it seems like it should be accessible. On the other hand, the fact that B is internal is evidence that Dangerous is supposed to be inaccessible outside the assembly. A basic design principle of C# is that **when the intention is unclear, the compiler brings this fact to your attention by failing**. The compiler is identifying yet another form of the Brittle Base Class Failure, which long-time readers know has shown up in numerous places in the design of C#.

Rather than simply making this change and hoping for the best, you and Alice need to sit down and talk about whether B really is a sensible base class of D; it seems plausible that either (1) D ought to be internal also, or (2) D ought to favour composition over inheritance. Which brings us to my more general point:

**More generally**: the inheritance **mechanism** is, as we’ve discussed before, simply the fact that all heritable members of the base type are also members of the derived type. But the inheritance relationship **semantics** are intended to model the “is a kind of” relationship. It seems reasonable that if D is a kind of B, and D is accessible at a location, then B ought to be accessible at that location as well. It seems strange that you could only use the fact that “a Giraffe is a kind of Animal” at specific locations.

In short, this rule of the language encourages you to use inheritance relationships to **model the business domain semantics** rather than as a **mechanism for code reuse**.

Finally, I note that as an alternative, **it is legal for a public class to implement an internal interface**. In that scenario there is no danger of accidentally exposing dangerous functionality from the interface to the implementing type because of course the interface is not associated with any functionality in the first place; an interface is logically “abstract”. Implementing an internal interface can be used as a mechanism that allows public components in the same assembly to communicate with each other over “back channels” that are not exposed to the public.

I am pleased to announce that __Essential C# 5.0__ by Mark Michaelis, and, new for this edition, *yours truly*, is available for pre-order now. It will be in stores in early December.

As long-time readers of this blog know, I was one of the technical editors for __Essential C# 4.0__ and __Essential C# 3.0__. Mark was kind enough to ask me if I would like to take a larger role in the process of updating the text for the new edition, which I gladly agreed to. There is no easier way to get a byline in a book than to assist with an update to a well-written series that you already know inside-out! Many thanks to Mark, as well as to Joan and everyone else at Addison-Wesley who made this process so smooth; you are all a pleasure to work with. Special thanks also to my coworker, C# specification guru Mads Torgersen, who wrote a very nice foreword for us, and to my colleague Stephen Toub who thoroughly reviewed the chapters dealing with asynchrony.

Last time I discussed how “dynamic” tends to spread through a program like a virus: if an expression of dynamic type “touches” another expression then that other expression often also becomes of dynamic type. Today I want to describe one of the least well understood aspects of method type inference, which also uses a contagion model when “dynamic” gets involved.

Long-time readers know that method type inference is one of my favourite parts of the C# language; for new readers who might not be familiar with the feature, let me briefly describe it. The idea is that when you have a method, say, Select<A, R>(IEnumerable<A> items, Func<A, R> projection), and a call to the method, say Select(customers, c=>c.Name), then we infer that you meant to say Select<Customer, string>(customers, c=>c.Name), rather than making you spell it out. In that case, we would first infer that the list of customers is an IEnumerable<Customer> and therefore the type argument corresponding to A is Customer. From that we would infer that lambda parameter c is of type Customer, and therefore the result of the lambda is string, and therefore the type argument corresponding to R is string. This algorithm is already complicated, but when dynamic gets involved, it gets downright weird.
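The two-phase flow of that inference can be sketched as a little executable model. This is Python rather than C#, and the Customer class and infer_select_type_args helper are invented for illustration; a real compiler of course works on static types, not runtime values:

```python
# A toy model of the two-phase inference described above: first fix A from
# the collection's element type, then use A to type the lambda's parameter
# and fix R from the lambda's result. All names here are invented.

class Customer:
    def __init__(self, name: str):
        self.name = name

def infer_select_type_args(items, projection):
    """Mimic inferring <A, R> for Select(items, projection).

    Assumes a non-empty, homogeneous sequence, which is all the demo needs.
    """
    # Phase 1: A is the element type of the sequence argument.
    a = type(items[0])
    # Phase 2: knowing A, the lambda parameter has type A, so the
    # lambda's result type determines R.
    r = type(projection(items[0]))
    return a, r

customers = [Customer("Alice"), Customer("Bob")]
a, r = infer_select_type_args(customers, lambda c: c.name)
print(a.__name__, r.__name__)  # Customer str
```

The point of the two phases is the same as in the real algorithm: R cannot be fixed until A is, because the lambda cannot be analyzed until its parameter type is known.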

The problem that the language designers faced when deciding how method type inference works with dynamic is exacerbated by our basic design goal for dynamic, that I mentioned two weeks ago: the runtime analysis of a dynamic expression honours all the information that we deduced at compile time. We only use the deduced-at-runtime types for the parts of the expression that were actually dynamic; the parts that were statically typed at compile time remain statically typed at runtime, not dynamically typed. Above we inferred R after we knew A, but what if “customers” had been of type dynamic? We now have a problem: depending on the runtime type of customers, type inference might succeed dynamically even though it seems like it must fail statically. But if type inference fails statically then the method is not a candidate, and, as we discussed two weeks ago, if the candidate set of a dynamically-dispatched method group is empty then overload resolution fails at compile-time, not at runtime. So it seems that type inference must succeed statically!

What a mess. How do we get out of this predicament? The spec is surprisingly short on details; it says only:

Any type argument that does not depend directly or indirectly on an argument of type dynamic is inferred using [the usual static analysis rules]. The remaining type arguments are unknown. […] Applicability is checked according to [the usual static analysis rules] ignoring parameters whose types are unknown. (*)

So what we have here is essentially another type that spreads via a contagion model, the “unknown” type. Just as “possibly infected” is the transitive closure of the exposure relation in simplistic epidemiology, “unknown” is the transitive closure of the “depends on” relation in method type inference.

For example, if we have:

void M<T, U>(T t, L<U> items)

with a call

M(123, dyn);

Then type inference infers that T is int from the first argument. Because the second argument is of dynamic type, and the formal parameter type involves type parameter U, we “taint” U with the “unknown type”.

When a tainted type parameter is “fixed” to its final type argument, we ignore all other bounds that we have computed so far, even if some of the bounds are contradictory, and infer it to be “unknown”. So in this case, type inference would succeed and we would add M<int, unknown> to the candidate set. As noted above, we skip applicability checking for arguments that correspond to parameters whose types are in any way tainted.

But where does the transitive closure of the dependency relationship come into it? In the C# 4 and 5 compilers we did not handle this particularly well, but in Roslyn we now actually cause the taint to spread. Suppose we have:

void M<T, U, V>(T t, L<U> items, Func<T, U, V> func)

and a call

M(123, dyn, (t, u)=>u.Whatever(t));

We infer T to be int and U to be unknown. We then say that V depends on T and U, and so infer V to be unknown as well. Therefore type inference succeeds with an inference of M<int, unknown, unknown>.
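That transitive spreading is easy to model directly. Here is a sketch, in Python for illustration, with an invented spread_unknown helper; it computes the closure of the taint over the depends-on relation for the M<int, unknown, unknown> example above:

```python
# Spread the "unknown" taint through the depends-on relation: a type
# parameter becomes unknown if it depends on any tainted parameter,
# transitively. The representation here is invented for the demo.

def spread_unknown(directly_tainted, depends_on):
    """Compute the transitive closure of taint over 'depends_on'.

    depends_on maps each type parameter name to the names of the
    parameters it depends on.
    """
    tainted = set(directly_tainted)
    changed = True
    while changed:
        changed = False
        for param, deps in depends_on.items():
            if param not in tainted and tainted & set(deps):
                tainted.add(param)
                changed = True
    return tainted

# M<T, U, V>(T t, L<U> items, Func<T, U, V> func) called as M(123, dyn, ...):
# U is directly tainted by the dynamic argument; V depends on T and U.
deps = {"T": [], "U": [], "V": ["T", "U"]}
print(sorted(spread_unknown({"U"}, deps)))  # ['U', 'V']
```

T stays cleanly inferred as int because nothing taints it, which is exactly the M<int, unknown, unknown> result described above.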

The alert reader will at this point be protesting that no matter what happens with method type inference, this is going to turn into a dynamic call, and that lambdas are not legal in dynamic calls in the first place. However, we want to get as much high-quality analysis done as possible so that IntelliSense and other code analysis works correctly even in badly broken code. It is better to allow U to infect V with the unknown taint and have type inference succeed, as the specification indicates, than to bail out early and have type inference fail. And besides, if by some miracle we do in the future allow lambdas to be in dynamic calls, we’ll already have a sensible implementation of method type inference.

**Next time** on Fabulous Adventures in Coding: **Fabulous Adventures**!

(*) That last clause is a bit unclear in two ways. First, it really should say “whose types are *in any way* unknown”. L<unknown> is considered to be an unknown type. Second, along with skipping applicability checking we also skip constraint satisfaction checking. That is, we assume that the runtime construction of L<unknown> will provide a type argument that satisfies all the necessary generic type constraints.

Suppose you’re an epidemiologist modeling the potential spread of a highly infectious disease. The straightforward way to model such a series of unfortunate events is to assume that the population can be divided into three sets: the definitely infected, the definitely healthy, and the possibly infected. If a member of the healthy population encounters a member of the definitely infected or possibly infected population, then they become a member of the possibly infected population. (Or, put another way, the possibly infected population is closed transitively over the exposure relation.) A member of the possibly infected population becomes classified as either definitely healthy or definitely infected when they undergo some sort of test. And an infected person can become a healthy person by being cured.

This sort of contagion model is fairly common in the design of computer systems. For example, suppose you have a web site that takes in strings from users, stores them in a database, and serves them up to other users. Like, say, this blog, which takes in comments from you, stores them in a database, and then serves them right back up to other users. That’s a Cross Site Scripting (XSS) attack waiting to happen right there. A common way to mitigate the XSS problem is to use data tainting, which uses the contagion model to identify strings that are possibly hostile. Whenever you do anything to a potentially-hostile string, like, say, concatenate it with a non-hostile string, the result is a possibly-hostile string. If the string is determined via some test to be benign, or can have its potentially hostile parts stripped out, then it becomes safe.
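A minimal sketch of such a tainting scheme, in Python for illustration (the TaintedStr class is invented, and real XSS mitigation is considerably more involved than this):

```python
# Data tainting via the contagion model: concatenating with a
# possibly-hostile string yields a possibly-hostile string; escaping
# "cures" the string and makes it benign.

import html

class TaintedStr:
    def __init__(self, text, hostile):
        self.text = text
        self.hostile = hostile  # True means "possibly hostile"

    def __add__(self, other):
        # The taint spreads: the result is hostile if either part is.
        other_hostile = isinstance(other, TaintedStr) and other.hostile
        other_text = other.text if isinstance(other, TaintedStr) else other
        return TaintedStr(self.text + other_text, self.hostile or other_hostile)

    def sanitize(self):
        # "Curing": escaping the markup makes the string safe to serve.
        return TaintedStr(html.escape(self.text), hostile=False)

user_comment = TaintedStr("<script>alert(1)</script>", hostile=True)
page = TaintedStr("Comment: ", hostile=False) + user_comment
print(page.hostile)             # True: the taint spread
print(page.sanitize().hostile)  # False: cured by escaping
```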

The “dynamic” feature in C# 4 and above has a lot in common with these sorts of contagion models. As I pointed out last time, when an argument of a call is dynamic then odds are pretty good that the compiler will classify the result of the call as dynamic as well; the taint spreads. In fact, when you use almost any operator on a dynamic expression, the result is of dynamic type, with a few exceptions. (“is” for example always returns a bool.) You can “cure” an expression to prevent it spreading dynamicism by casting it to object, or to whatever other non-dynamic type you’d like; casting dynamic to object is an identity conversion.

The way that dynamic is contagious is an emergent phenomenon of the rules for working out the types of expressions in C#. There is, however, one place where we explicitly use a contagion model inside the compiler in order to correctly work out the type of an expression that involves dynamic types: it is one of the most arcane aspects of method type inference. Next time I’ll give you all the rundown on that.

I’m implementing the semantic analysis of dynamic expressions in Roslyn this week, so I’m fielding a lot of questions within the team on the design of the dynamic feature of C# 4. A question I get fairly frequently in this space is as follows:

public class Alpha
{
    public int Foo(string x) { … }
}

…
dynamic d = whatever;
Alpha alpha = MakeAlpha();
var result = alpha.Foo(d);

How is this analyzed? More specifically, what’s the type of local result?

If the receiver (that is, alpha) of the call were of type dynamic then there would be little we could do at compile time. We’d analyze the compile-time types of the arguments and emit a dynamic call site that caused the semantic analysis to be performed at runtime, using the runtime type of the dynamic expression. But that’s not the case here. We know at compile time what the type of the receiver is. One of the design principles of the C# dynamic feature is that if we have a type that is known at compile time, then at runtime the type analysis honours that. In other words, we only use the runtime type of the things that were actually dynamic; for everything else we use the compile-time type. If MakeAlpha() returns a derived class of Alpha, and that derived class has more overloads of Foo, we don’t care.

Because we know that we’re going to be doing overload resolution on a method called Foo on an instance of type Alpha, we can do a “sanity check” at compile time to determine if we know that for sure, this is going to fail at runtime. So we do overload resolution, but instead of doing the full overload resolution algorithm (eliminate inapplicable candidates, determine the unique best applicable candidate, perform final validation of that candidate), we do a partial overload resolution algorithm. We get as far as eliminating the inapplicable candidates, and if that leaves one or more candidates then the call is bound dynamically. If it leaves zero candidates then we report an error at compile time, because we know that nothing is going to work at runtime.
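That partial algorithm can be sketched as a toy model. This is Python for illustration, with an invented representation of candidates as lists of parameter type names; it captures only the "eliminate what cannot possibly apply" step described above, not real C# overload resolution:

```python
# Partial overload resolution with a dynamic argument: eliminate only the
# candidates that could never apply, and report a compile-time error only
# when no candidate survives. One or more survivors means "bind at runtime".

DYNAMIC = "dynamic"

def could_apply(param_types, arg_types):
    """A candidate survives if every argument either matches its parameter
    exactly or is dynamic (and so might match at runtime)."""
    if len(param_types) != len(arg_types):
        return False
    return all(a == DYNAMIC or a == p for p, a in zip(param_types, arg_types))

def partial_overload_resolution(candidates, arg_types):
    survivors = [ps for ps in candidates if could_apply(ps, arg_types)]
    if not survivors:
        raise TypeError("no overload could ever apply: compile-time error")
    return "bind dynamically"

# Alpha has a single Foo(string), and the argument is dynamic:
print(partial_overload_resolution([["string"]], [DYNAMIC]))  # bind dynamically

# Calling Foo with two arguments can never succeed, so this raises:
# partial_overload_resolution([["string"]], [DYNAMIC, "int"])
```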

Now, a seemingly reasonable question to ask at this point is: overload resolution in this case could determine that there is exactly one applicable candidate in the method group, and therefore we can determine statically that the type of result is int, so why do we instead say that the type of result is dynamic?

That appears to be a reasonable question, but think about it a bit more. If you and I and the compiler know that overload resolution is going to choose a particular method then *why are we making a dynamic call in the first place?* Why haven’t we cast d to string? This situation is rare, unlikely, and has an easy workaround by inserting casts appropriately (either casting the call expression to int or the argument to string). Situations that are rare, unlikely and easily worked around are poor candidates for compiler optimizations. You asked for a dynamic call, so you’re going to get a dynamic call.

That’s reason enough to not do the proposed feature, but let’s think about it a bit more deeply by exploring a variation on this scenario that I glossed over above. Eta Corporation produces:

public class Eta {}

and Zeta Corporation extends this code:

public class Zeta : Eta
{
    public int Foo(string x) { … }
}

…
dynamic d = whatever;
Zeta zeta = new Zeta();
var result = zeta.Foo(d);

Suppose we say that the type of result is int because the method group has only one member. Now suppose that in the next version, Eta Corporation supplies a new method:

public class Eta
{
    public string Foo(double x) { … }
}

Zeta Corporation recompiles their code, and hey presto, suddenly result is of type dynamic! Why should Eta Corporation’s change **to the base class** cause the semantic analysis of code that uses a **derived** class to change? This seems unexpected. C# has been carefully designed to avoid these sorts of “Brittle Base Class” failures; see my other articles on that subject for examples of how we do that.

We can make a bad situation even worse. Suppose Eta’s change is instead:

public class Eta
{
    protected string Foo(double x) { … }
}

Now what happens? Should we say that the type of result is int when the code appears outside of class Zeta, because overload resolution produces a single applicable candidate, but dynamic when it appears inside, because overload resolution produces two such candidates? That would be quite bizarre indeed.

The proposal is simply too much cleverness in pursuit of too little value. We’ve been asked to perform a dynamic binding, and so we’re going to perform a dynamic binding; the result should in turn be dynamic. The benefits of being able to statically deduce types of dynamic expressions do not pay for the costs, so we don’t attempt to do so. **If you want static analysis then don’t turn it off in the first place.**

**Next time:** the dynamic taint of method type inference.

Presented as a dialogue, as is my wont!

**Is C# a strongly typed or a weakly typed language?**

Yes.

**That is unhelpful.**

I don’t doubt it. Interestingly, if you rephrased the question as an “and” question, the answer would be the same.

**What? You mean, is C# a strongly typed and a weakly typed language?**

Yes, C# is a strongly typed language and a weakly typed language.

**I’m confused.**

Me too. Perhaps you should tell me precisely what you mean by “strongly typed” and “weakly typed”.

**Um. I don’t actually know what I mean by those terms, so perhaps that is the question I should be asking. What does it really mean for a language to be “weakly typed” or “strongly typed”?**

“Weakly typed” means “*this language uses a type verification system that I find distasteful*”, and “strongly typed” means “*this language uses a type system that I find attractive*”.

**No way!**

Way, dude.

**Really?**

These terms are meaningless and you should avoid them. Wikipedia lists *eleven* different meanings for “strongly typed”, several of which contradict each other. Any time two people use “strongly typed” or “weakly typed” in a conversation about programming languages, odds are good that they have two subtly or grossly different meanings in their heads for those terms, and are therefore automatically talking past each other.

**But surely they mean something other than “unattractive” or “attractive”!**

I do exaggerate somewhat for comedic effect. So let’s say: a more-strongly-typed language is one that has some *restriction* in its type system that a more-weakly-typed language it is being compared to lacks. That’s all you can really say without more context.

**How can I have sensible conversations about languages and their type systems then?**

You can provide the missing context. Instead of using “strongly typed” and “weakly typed”, actually describe the restriction you mean. For example, C# is *for the most part* a **statically typed** language, because the compiler determines facts about the types of every expression. C# is *for the most part* a **type safe** language because it prevents values of one static type from being stored in variables of an incompatible type (and other similar type errors). And C# is *for the most part* a **memory safe** language because it prevents accidental access to bad memory.

Thus, someone who thinks that “strongly typed” means “the language *encourages* static typing, type safety and memory safety *in the vast majority of normal programs*” would classify C# as a “strongly typed” language. C# is certainly more strongly typed than languages that do not have these restrictions in their type systems.

But here’s the thing: because C# is a pragmatic language there is a way to override all three of those safety systems. Cast operators and “dynamic” in C# 4 override compile-time type checking and replace it with runtime type checking, and “unsafe” blocks allow you to turn off type safety and memory safety should you need to. Someone who thinks that “strongly typed” means “the language *absolutely positively guarantees* static typing, type safety and memory safety *under all circumstances*” would quite rightly classify C# as “weakly typed”. C# is not as strongly typed as languages that do enforce these restrictions all the time.

So which is it, strong or weak? It is impossible to say because it depends on the point of view of the speaker, it depends on what they are comparing it to, and it depends on their attitude towards various language features. It’s therefore best to simply avoid these terms altogether, and speak more precisely about type system features.

No computer programming stuff today; just some fun for Friday.

As I’m writing this, Felix Baumgartner’s attempt to set the world record for skydiving height by diving from a helium balloon has been scrubbed due to bad weather. This attempt has got me thinking of my good friend JB, who back in 1982 set the world record (*) for hang gliding height by similarly using a helium balloon.

JB is one of those people who proves the truth of the saying that you really can do anything you put your mind to, as he’s been a world-record breaking hang glider pilot, skydiver, balloonist, airplane pilot, ultra-marathon runner, shuttle astronaut candidate (**), upper-atmosphere physicist, microgravity physicist, nuclear physicist, father, and I’m probably missing a dozen more accomplishments in there. And teacher! When I was a child he taught me useful skills like how to estimate large numbers, how to do trigonometry, and how to do calculus, usually by pointing out things on the beach and then doing math in the sand, like Archimedes. How many grains of sand are on this beach? How far away is the horizon when you stand on the roof of the cottage? What shape path does this rock make in the air when you throw it? These sorts of questions fascinated me as a child, and, I suppose, still do.

Anyway, I recently learned that JB has uploaded the short film his brother Bims made to document the successful attempt at the record. Check it out, and enjoy the hairstyles of the 1980s: **Project Hang Glide**

(*) It’s in the 1988 Guinness Book of World Records.

(**) His microgravity experiment ended up flying on the Vomit Comet rather than the shuttle.

One of the most basic ways to think about a computer program is that it is a device which takes in integers as inputs and spits out integers as outputs. The C# compiler, for example, takes in source code strings, and those source code strings are essentially nothing more than enormous binary numbers. The output of the compiler is either diagnostic text, or strings of IL and metadata, which are also just enormous binary numbers. Because the compiler is not perfect, in some rare cases it terminates abnormally with an internal error message. But those fatal error messages are also just big binary numbers. So let’s take this as our basic model of a computer program: a computer program is a device that either (1) runs forever without producing output, or (2) computes a function that maps one integer to another.

So here’s an interesting question: are there functions which cannot be computed, even in principle on a machine with arbitrarily much storage, by *any* C# program (*)?

We already know the answer to that question. Last year I pointed out that the Halting Problem is not solvable by any computer program, because the assumption that it is solvable leads to a logical contradiction. But the Halting Problem is just a function on integers. Let’s say that the input of our function H is a number which when written out in binary is a Unicode string that might contain a C# program. The output is 1 if the program is an illegal C# program, 2 if it is a legal C# program which halts, and 3 if it is a legal C# program which does not halt. If it were possible to write a program that reliably computes function H and always terminates then it would be possible to use it to solve the Halting Problem, which we’ve shown is impossible. Therefore H is not a computable function.

Let’s explore this a bit further. The “Turing Machine” model of computing is that a computer is a machine that has three kinds of storage: first, there’s a fixed amount of “internal” storage that describes the current state of the processor, second, there is arbitrarily much “external” storage in the form of paper tape, disk drives, or whatever, that can contain binary data, and third, there is some way of identifying the “current position” being manipulated in the external storage. The Turing Machine also has strict rules that describe how to change the internal state, the external state, and the current position. One of the internal states is the “start” state, and one of the internal states is the “halt” state; once the machine gets to the halting state, it stops. Otherwise, it runs forever.

Without loss of generality, let’s suppose that our Turing Machine’s external storage is arbitrarily many bits, either zero or one, and that the internal storage is some fixed number of bits, say n. This is pretty restrictive, but we haven’t actually lost anything fundamental here. Real computers of course give the appearance of manipulating storage that consists of 32 bit integers or 64 bit doubles or whatever, but at some level inside the processor, it is manipulating individual bits. There is no difference in principle between a machine that manipulates one bit at a time and a machine that manipulates 64 bits at a time; the latter is simply more convenient.

So then how many rules do we need to come up with for our Turing machine? A Turing machine with n bits of internal state has 2^{n} possible states, and there are two possibilities for the value at the “current position” in the external state. (**) So that means that there are 2^{n+1} state transition rules. Each transition rule will have to encode three things: (1) what are the n bits of the new internal state? (2) what value should the external state be changed to? and (3) how should we update the current position?

Again without loss of generality, we can update the current position by decreasing it by one, increasing it by one, or leaving it the same. In practice that is inconvenient, but in principle that is enough. So those are three possibilities. Thus, each state transition rule is one of 2 x 2^{n} x 3 possibilities. There are 2^{n+1} state transition rules. Therefore the total number of possible Turing Machines that have n bits of internal storage is 3 x 2^{n+1} raised to the 2^{n+1} power, which, yes, grows pretty quickly as n gets large, but which is clearly a finite number.
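That count is easy to verify mechanically. Here is a quick check, in Python for illustration:

```python
# Counting the n-bit Turing Machines described above: each of the 2^(n+1)
# transition rules independently picks one of 2^n new internal states, one
# of 2 output bits, and one of 3 position moves, so the total number of
# machines is (3 * 2^(n+1)) ** (2^(n+1)).

def turing_machine_count(n):
    rules = 2 ** (n + 1)                # one rule per (state, current bit) pair
    choices_per_rule = 2 ** n * 2 * 3   # new state x new bit x move
    return choices_per_rule ** rules

for n in range(1, 4):
    print(n, turing_machine_count(n))
```

Even at n = 3 the number is already astronomically large, but for any fixed n it is finite, which is all the argument needs.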

Each one of these n-bit Turing Machines essentially computes a function. You start it up with the external storage in a particular state and the machine either runs forever, or after some finite number of steps it halts. If it halts, then the output of the function is the value left behind in the external storage.

Again without loss of generality, let’s consider the value computed by each one of those possible Turing Machines when the external storage is initially all zeros. When given that starting configuration, each of those Turing machines either runs for some number of steps and then halts with the result, or it runs forever. Let’s ignore the ones that run forever. Of the ones that are left, the ones that terminate, one of them must run the longest (***). That is, one of those machines that halts must have the largest number of steps taken before entering the halting state.

We therefore can come up with a function S that goes from integers to integers. The function S takes in n, the number of bits in the Turing Machine internal state, and gives you back the largest number of steps any of the possible n-bit Turing Machines that halts takes to halt. That is, S takes in the number of bits of internal storage and gives you back the amount of time you have to wait for the **slowest** of the n-bit machines that actually terminates, when it is started with empty external storage.
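S itself, as we're about to see, is not computable, but with a fixed step budget we can brute-force a lower bound on it. Here's a sketch of the machine model; my own conventions are that the all-ones state is the halting state, that rules out of it are omitted per the footnote, and that any machine still running at the step cap is treated as a non-halter:

```python
from itertools import product

def lower_bound_busiest_beaver(n, step_cap=1000):
    """Brute-force a lower bound on S(n): simulate every n-bit machine on
    an all-zero two-way-infinite tape and record the longest halting run.
    Machines that outlive step_cap are assumed to run forever, so this is
    only a lower bound on the true (uncomputable) S."""
    num_states = 2 ** n
    halt = num_states - 1              # our chosen halting state
    # One rule per (non-halting state, scanned bit): (new state, bit, move).
    rule_options = list(product(range(num_states), (0, 1), (-1, 0, 1)))
    configs = [(s, b) for s in range(num_states) if s != halt for b in (0, 1)]
    best = 0
    for rules in product(rule_options, repeat=len(configs)):
        table = dict(zip(configs, rules))
        state, pos, tape, steps = 0, 0, {}, 0
        while state != halt and steps < step_cap:
            new_state, write, move = table[(state, tape.get(pos, 0))]
            tape[pos] = write
            state, pos, steps = new_state, pos + move, steps + 1
        if state == halt:
            best = max(best, steps)
    return best

print(lower_bound_busiest_beaver(1))  # 2: write a 1, read it back, halt
```

Note that because we omit the rules out of the halting state, there are slightly fewer machines here (144 for n = 1) than the formula in the text counts.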

**Is S a computable function?** Can we write a computer program that computes it?

Your intuition should be telling you “no”, but do you see why?

.

.

.

.

.

.

.

.

Because if S were computable then H would be computable too! All we’d have to do to compute H is to make a computer program that compiles a given C# program into a Turing Machine simulator that starts with an empty tape. We take the number of bits of state, n, of that Turing Machine, and compute S(n). Then we run the Turing Machine simulator and *if it takes more than S(n) steps then we know that it must have been one of the n-bit Turing machines that runs forever*. We’d then be able to reliably compute H in finite time. Since we already know that H is not reliably computable in finite time then we know that S must not be computable either.
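To make the reduction concrete in the tiniest case: for 1-bit machines in this model (with state 1 as the halting state, my convention), the slowest halter takes two steps: it writes a 1, reads it back, and halts. Knowing that value of S(1) yields a perfectly reliable halting decider for 1-bit machines; the table encoding below is invented for the sketch:

```python
def halts_on_blank_tape(table, s_of_n=2):
    """Decide halting for a 1-bit machine by exploiting S(1) = 2: any
    1-bit machine that has not halted within S(1) steps never halts.
    table maps (state, scanned bit) -> (new state, bit to write, move);
    state 1 is the halting state."""
    state, pos, tape = 0, 0, {}
    for _ in range(s_of_n):
        if state == 1:
            return True
        new_state, write, move = table[(state, tape.get(pos, 0))]
        tape[pos] = write
        state, pos = new_state, pos + move
    return state == 1

# A machine that writes a 1, reads it back, and halts...
busy = {(0, 0): (0, 1, 0), (0, 1): (1, 1, 0)}
# ...and one that marches right forever over fresh zeros.
runs_forever = {(0, 0): (0, 1, 1), (0, 1): (1, 1, 0)}
print(halts_on_blank_tape(busy), halts_on_blank_tape(runs_forever))  # True False
```

The whole trick, of course, is that for machines of interesting size we cannot obtain the value of S to pass in.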

The argument that I’m advancing here is known as the “Busy Beaver” argument because the n-bit Turing Machine that runs the longest is the “busiest beaver”. I’ve tweaked the way that it is usually presented; rather than the **n-bit** Turing Machine that **runs the longest** before terminating, the “busiest beaver” is traditionally defined as the **k-state** Turing Machine that **produces the largest output**. The two characterizations are essentially equivalent though; neither version of the function is computable.

An interesting fact about the busy beaver function (either way you characterize it) is that the function grows *enormously fast*. It’s easy to think of functions that grow quickly; even simple functions like n! or 2^{n} grow to astronomical levels for relatively small values of n, like 100. But our busiest beaver function S(n) grows faster than *any* computable function. That is, think of a function that grows quickly where you could write a program to compute its value in finite time; the busiest beaver function grows *faster* than your function, no matter how clever you are in coming up with a fast-growing function. Do you see why? You’ve got all the information you need here to work it out. (****)

(*) Of course, there is nothing special about C#; it is a general-purpose programming language. We’ll take as given that if there is a function that cannot be computed in C# then that function cannot be computed by any program in any programming language.

(**) Of course, we don’t need to state transitions from the halting state, but, whatever. We’ll ignore that unimportant detail.

(***) Of course, there could be a tie for longest, but that doesn’t matter.

(****) Of course, even if the busiest beaver function did not grow absurdly quickly, the fact that it clearly grows more than exponentially is evidence that our proposed technique for solving the Halting Problem would be impractical were it not impossible. Compiling a non-trivial C# program to a Turing Machine simulator would undoubtedly produce a machine with more than, say, 100 bits of state. There are an enormous number of possible Turing Machines with 100 bits of internal state, and the one that runs the longest before it halts undoubtedly runs longer than the universe will last.

I missed the party. I was all set to be on that massive wave of announcements about TypeScript, and then a family emergency kept me away from computers from Thursday of last week until just now, and I did not get my article in the queue. Suffice to say that I am **SUPER EXCITED** about TypeScript. Long-time readers of this blog know that I have a long history with ECMAScript, and I’ve wanted features like this for quite some time. Since I’ve missed the first wave I’m going to digest some of the initial reactions and hopefully post something a bit more thoughtful farther down the road.

Therefore, rather than talking about TypeScript today, here’s a question I got from a coworker recently: since it is obviously important that the C# compiler not go into infinite loops, **how do we ensure that the method type inference algorithm terminates?**

The answer is quite straightforward actually, but if you are not familiar with method type inference then this article is going to make no sense. Check out my type inference archive, and specifically this video, if you need a refresher.

Method type inference since C# 3.0 basically works like this: we create a set of **bounds** on each method type parameter. We then “fix” each type parameter to a member of its bounds set. Once every type parameter is fixed, method type inference has succeeded. If any type parameter cannot be fixed for some reason then type inference fails. We ensure that type inference terminates by going into a loop. If we manage to make it through the body of the loop without fixing at least one type parameter then type inference fails. Therefore, the type inference loop can run at most n times if the method has n type parameters.

That’s a bit highfalutin; let me flesh that out a bit. A “bound” is nothing more than a type, and a bound can be “upper”, “lower” or “exact”. For example, suppose we have a type parameter T with three bounds: a lower bound of Giraffe, an exact bound of Mammal, and an upper bound of Animal. Let’s say that Animal is a “larger” type than Mammal (because all Mammals are Animals but not all Animals are Mammals, thus Animal must be the larger type), and Giraffe is a “smaller” type than Mammal. Given this set of bounds we know three things. First, T must be inferred to be either Giraffe or a type larger than Giraffe, because Giraffe is a lower bound; you can’t infer a type smaller than Giraffe. Second, T must be Mammal, exactly. And third, T must be either Animal or a type smaller than Animal, because Animal is an upper bound; we cannot infer a type larger than Animal. The C# compiler deduces that Mammal is the only type in the set that meets all three requirements, and so T would be fixed to Mammal. If there are multiple types in the set that meet all the requirements (which of course cannot happen if there are any exact bounds!) then we pick the largest such type. (*)
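The fixing step can be sketched in a few lines. Everything here is invented for illustration: the function name, the representation of types as strings, and the linear Giraffe/Mammal/Animal subtype order; the real compiler works over the actual conversion rules, not a toy lattice.

```python
def fix_type_parameter(lower, exact, upper, is_subtype):
    """Sketch of 'fixing': candidates come from the bounds themselves (we
    never invent a type outside the set); a candidate must be at least
    every lower bound, exactly every exact bound, and at most every upper
    bound.  Ties go to the largest type."""
    candidates = set(lower) | set(exact) | set(upper)
    ok = [c for c in candidates
          if all(is_subtype(lo, c) for lo in lower)
          and all(c == e for e in exact)
          and all(is_subtype(c, up) for up in upper)]
    # Prefer the largest: a candidate every other candidate fits inside.
    for c in ok:
        if all(is_subtype(o, c) for o in ok):
            return c
    return None  # no candidate, or no unique largest: fixing fails

# Giraffe <: Mammal <: Animal, reflexively.
order = ['Giraffe', 'Mammal', 'Animal']
is_subtype = lambda a, b: order.index(a) <= order.index(b)
print(fix_type_parameter(['Giraffe'], ['Mammal'], ['Animal'], is_subtype))  # Mammal
```

Drop the exact bound and the same code demonstrates the pick-the-largest rule: with only a lower bound of Giraffe and an upper bound of Animal, it fixes to Animal.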

The interesting part of method type inference is how we deal with lambdas. Suppose we have a method Select<A, R>(I<A>, Func<A, R>) where the second argument is c=>c.Name. We say that A is an “input” type parameter and R is an “output” type parameter. (It is of course possible for a type parameter to be both an input and output type parameter!) Furthermore, we say that R “depends on” A, because the type of A could possibly determine the type of R. (Of course the “depends” relationship can be cyclic.)

The type inference algorithm, at a high level, goes like this:

- Add bounds to type parameters based on all non-lambda arguments, and all lambda arguments where the delegate type has no type parameters in its inputs.
- Loop:
  - Is every type parameter fixed? If so, type inference has succeeded. Terminate the algorithm.
  - Is there any lambda argument converted to a delegate type where the inputs of the delegate type are all known and the output type involves an unfixed type parameter? If so, deduce the return type of all such lambdas and make inferences that add bounds to the corresponding delegates’ output types.
  - Is there any unfixed, bounded type parameter that does not appear in an output type of a delegate that has unfixed input types? If so, fix all such type parameters and go back to the top of the loop.
  - Is there any unfixed, bounded type parameter such that an unfixed type parameter depends on it, directly or indirectly? If so, fix all such type parameters and go back to the top of the loop.
  - If we make it here then we failed to make progress; we have just as many fixed type parameters as we started with. Type inference fails. Terminate the algorithm.

So, for example, if we had Select(customers, c=>c.Name); where customers implements I<Customer> then we start by inferring that A has a lower bound of Customer (**). We have no lambda arguments that correspond to formal parameters where the delegate type has no type parameters in its inputs, so we enter the loop.

Is every type parameter fixed? No.

Is there any lambda argument converted to a delegate type where the inputs are known and the output involves an unfixed type parameter?

No. There is a lambda argument converted to a delegate type, and the output involves unfixed type parameter R, but the input type is A and A is not fixed. So we have no inferences to make.

Is there an unfixed type parameter that has bounds and does not appear in an output type of a delegate that has unfixed input types?

Yes. A has bounds and does not appear as an output type, period.

Therefore we fix A. It has only one bound, Customer, so we fix it to Customer. We have made progress, so we go back to the top of the loop.

Is every type parameter fixed? No.

Is there any lambda argument converted to a delegate type where the inputs are known and the output involves an unfixed type parameter? Yes!

So now we make an inference. A is fixed to Customer, so we add the type of Customer.Name, say, string, as a lower bound to R.

Now we must fix something. Is there an unfixed type parameter that has bounds and does not appear in an output type of a delegate that has unfixed input types?

Yes. R is unfixed, it has bounds, and it appears as an output type of a delegate that has fixed input types, so it is a candidate for fixing. We fix R to its only bound, string, and start the loop again.

Is every type parameter fixed? Yes. So we’re done.

This technique of preventing infinite loops by requiring that each loop iteration make progress is quite useful, and clearly in this case it guarantees that the algorithm executes the loop no more times than there are type parameters to fix.
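Here is a toy model of that progress-or-fail loop, just to make the termination argument concrete. The data representation (bounds as sets of type-name strings, lambdas as input/output records) and all the names are invented for the sketch, and "fixing" cheats by assuming each bounds set has exactly one candidate:

```python
def infer(type_params, initial_bounds, lambdas, lambda_bound):
    """Toy model of the inference loop: each iteration must fix at least
    one type parameter or inference fails, so the loop runs at most
    len(type_params) times.  lambda_bound plays the role of deducing a
    lambda's return type once its delegate's input types are known."""
    bounds = {p: set(b) for p, b in initial_bounds.items()}
    fixed = {}
    while len(fixed) < len(type_params):
        progress_before = len(fixed)
        # Lambdas whose delegate input types are all fixed: infer the
        # return type and add a bound on the delegate's output type.
        for lam in lambdas:
            if lam['output'] not in fixed and all(i in fixed for i in lam['inputs']):
                bounds[lam['output']].add(lambda_bound(lam, fixed))
        # Fix any bounded parameter not feeding a lambda with unfixed inputs.
        for p in type_params:
            blocked = any(lam['output'] == p and
                          any(i not in fixed for i in lam['inputs'])
                          for lam in lambdas)
            if p not in fixed and bounds[p] and not blocked:
                (fixed[p],) = bounds[p]        # sole candidate wins
        if len(fixed) == progress_before:
            return None                        # no progress: inference fails
    return fixed

# Select(customers, c => c.Name): A gets a bound of Customer up front; R is
# bounded only after A is fixed and the lambda's return type can be deduced.
result = infer(
    ['A', 'R'], {'A': {'Customer'}, 'R': set()},
    [{'inputs': ['A'], 'output': 'R'}],
    lambda lam, fixed: 'string')               # pretend Customer.Name : string
print(result)  # {'A': 'Customer', 'R': 'string'}
```

Starve A of bounds and the same loop fails on its first iteration rather than spinning, which is the whole point of the progress requirement.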

You might wonder if it is therefore the case that method type inference is O(n) in the number of type parameters. It turns out that it is not, for several reasons. First, as a practical matter it only makes sense to determine the asymptotic order of an algorithm if the size of the problem is likely to become large. I’ve never seen a method with more than five type parameters in the wild, and even that is pretty unusual. Most generic methods have one or two type parameters. Second, doing the analysis of the lambdas is the expensive part, and it only really makes sense to analyze the behaviour of the most expensive part. We already know that analyzing lambdas is, worst case, an NP-hard problem, so whether or not method type inference is O(some polynomial) is possibly not that relevant. Third, you’ll notice that in my sketch of the algorithm we have to answer questions like “is there any unfixed type parameter that has an unfixed type parameter that depends on it?” This requires solving a graph-traversal problem, whose asymptotic cost we have not analyzed! I won’t take you through the boring analysis, but suffice to say there could be O(n^{2}) dependency relationships that each cost O(n) to analyze, and we could go through the loop n times, for an extremely unlikely worst case of O(n^{4}). The implementation of this algorithm is actually O(n^{2}) in the common case; because n is likely to be small, as I said, we have not put the effort into more sophisticated algorithms that can solve these graph problems even faster in the asymptotic case.

(*) Note that this algorithm is consistent with other type inference features in C# in two ways. First, when asked to infer a best type from a set of types, we always choose a type from the set. We never say “well we have Dog and Cat in the set so let’s infer Mammal”. Second, when faced with multiple possible “best” types, we pick the largest. There is an argument to be made for picking the smallest, but picking the largest seems to match more people’s intuitions of what the right choice is.

(**) Assuming that the type I<T> is covariant in T. If it were contravariant then we would deduce an upper bound, and if it were invariant then we would deduce an exact bound. See my series on variance if that is not clear.
