Local Lifetimes for Kotlin: Design Notes

[RossTate]

This is a discussion of the design notes for Local Lifetimes for Kotlin. These notes summarize ongoing research on local lifetimes, a feature that enables programmers to safely take advantage of objects and operations that are only safe to use for a limited time.

Disclaimer: This work is still research in progress. We are sharing it early because we want to collect feedback (hopes, concerns, suggestions, and so on) from the community before determining whether to develop it into a formal proposal.

[whowatchlist]

The section about scala is a bit outdated or misinformed, => is actually just a normal type. You can recreate the behavior shown with any type T^ or class Foo extends SharedCapability. Also, scala doesn't actually have the same any in fun and setFun, because cap, scala's top capability, from my understanding isn't a single value, there are many caps, some that contain others. This snippet shows what I mean https://scastie.scala-lang.org/8UyhtYCnQBOFsRnFyMbWMA . The example code as written gets an error message of:

Found:    (f : () => Unit)
Required: () =>² Unit

Note that capability cap is not included in capture set {cap²}
because cap in method setFun is not visible from cap² in variable fun.

where:    => and cap   refer to a fresh root capability in the type of parameter f
          =>² and cap² refer to a fresh root capability in the type of variable fun

As for the actual proposal, it seems to be well thought out. I would suggest taking some time to look at what effekt calls "effects vs captures", it may help make the explanation of local more accessible.

[kyay10]

I completely agree that this is "a level lower" than Effekt. I've used it for a while as part of a research project, and I've had significant gripes with it, mostly due to the complete lack of explicit lifetime polymorphism (which, while verbose, can be genuinely useful at times), and because its equivalent of contexts cannot be called upon with a contextOf-like function at all, so its contexts can never materialize as real values that you pass around.

This proposal addresses both those gripes, and it seems rather good!

[kyay10]

It's good to note, btw, that Effekt's handlers aren't completely covered by this proposal since their stacks are multi-shot, while (as far as I understand), the proposed stacks aren't (and Kotlin's Continuations aren't either)
You can use reflection or bytecode manipulation to add clone methods to compiler-generated continuations (which I have done), but that's far from being a supported use case. This means that we sadly don't get monad comprehensions or non-determinism handlers, but alas.

[RossTate]

Ah, yes, thanks for catching that! The stacks library can only support single-shot continuations, unlike Effekt's multi-shot continuations.

[Amejonah1200]

@RossTate are you able to add a comparison with effekt in the design documents? Specifically because it is more or less "prior work", which can help understand what Kotlin's direction would be and how it may influence the decisions.

[RossTate]

There are a lot of research languages exploring this space, and each of these languages is made up of a unique combination of novel and existing features, so open-ended comparisons would be overwhelming. But I am happy to answer specific questions about specific languages.

[kyay10]

About localizing the standard library, I think an interesting example shows up with scope functions.
Would they work as expected? As in, do generics also carry lifetime information?
For instance, if I have:

fun foo(local bar: Bar) {
    bar.let { it.someMethod() }
    with(bar) { someMethod() }
}

would that just work?

[RossTate]

Good question! Yes, those work just fine. In your example, the inferred type argument for let/with is Bar_{bar}. There isn't even any need to update their signatures.

[kyay10]

Are "functions that take local parameters" first-class citizens? This example suggests that's the case:

public inline fun <K, V> buildMap(
   once builderAction: local MutableMap<K, V>.() -> Unit
): Map<K, V>

Interestingly, this allows for very simple implementations of Raise from Arrow (which implements the exception-based Lexical Aborts technique you mentioned, so it might be useful to add a link to it or something):

fun interface Raise<E> { fun raise(e: E): Nothing }
inline fun <E, R> recover(block: local Raise<E>.() -> R, recovery: (E) -> R): R = block { return recovery(it) }
// or its simpler cousin
inline fun <R> merge(block: local Raise<R>.() -> R): R = block { return it }

Effectively, this adds Raise to the language as a primitive!

[RossTate]

The recover and merge functions do indeed work as you say. I should note that it's not quite "first-class" though. That is, while function parameters can themselves be functions that take local parameters, you cannot have something like Iterable<(local Foo) -> Unit>. It's like the difference between higher-kinded polymorphism and first-class/impredicative polymorphism.

[kyay10]

Huh, I'll have to think more about that. Is there a reason why that's the case?
Is this allowed?

val merge: (local (local Raise<Int>.() -> Int)) -> Int = ...

I'm guessing it is?

Searching up higher-kinded polymorphism vs impredicative polymorphism, it sounds like function types are special-cased to allow parameterisation inside their types (in this case, lifetime parameters), but other types are not. Is that your point here?

So is it simply that function types are unique, but if I had e.g. fun interface Arrow<T, R> { operator fun invoke(t: T): R } then I can't use Arrow<(local Raise<Int>.() -> Int), Int>, but I can do so if I had typealias Arrow<T, R> = (T) -> R?

[kyay10]

Also, FWIW, it's not such a huge limitation that Iterable<(local Foo) -> Unit> is disallowed, since interface Consumer<T> { operator fun invoke(local t: T) } is isomorphic, and would be allowed, right? I'm guessing they won't be allowed to be fun interfaces though?
If so, then hey, at least we get the spiffy lambda syntax when calling something like merge, and if we really need to store local-taking functions as data, we can always use such a SAM interface workaround.

[RossTate]

I'm trying to keep things decidable. The issue with allowing something like local Raise<Int>.() -> Nothing to be used as a type argument is that it means inference/outference needs to be able to reliably determine that something has that type, even when there's no informative context. So if someone writes val x : Any = listOf { raise(5) }, the type checker would have to automatically determine out of nowhere that that raise could be the method of a local Raise<Int> implicit receiver, and therefore this type checks if the argument to listOf is local Raise<Int>.() -> Nothing. (Note that Raise doesn't even need to be imported; it's full name just needs to be accessible for this to be valid.)

So first-class types are those that can be used as type arguments, and it's important for them to be synthesizable. On the other hand, when we invoke a method, we can check that arguments against the method's signature. That makes it possible to decidably support signatures with more expressive types than what we can use as type arguments. As you note, when you need to get around this gap, you can make an explicit (functional) class/interface (though an alias isn't enough) as an intermediary.

[kyay10]

Something that concerns me here is the verbosity.
You've done a great job in a lot of areas to provide syntactic sugar that the compiler can expand (like fun foo(local bar: Bar) being syntactic sugar for fun <local someLIfetime> foo(bar: Bar_{someLifetime})).
However, I feel that certain types (especially ones that are used as contexts often, i.e. ones that fit the "effects and handlers" philosophy) should, by default, make their parameters local unless otherwise stated. A notable example might be CoroutineScope.
Scala has such a feature, and it makes code less verbose.
There are situations where one might want to use a global version of that type, of course, and that's where the _{} shines. You can just use scope: CoroutineScope_{} to only accept global scopes, and hence be able to use it as you wish. It's rather non-verbose as a workaround, which is nice imo.

[kyay10]

(Alternatively, one could commit to always use continuation-passing style rather than try to optimize for the case where no suspension happens.)

That would be my preference! suspend doesn't seem incredibly expensive, at least people don't treat it as such. If every local-taking function was effectively secretly suspending, I think that'd be reasonable. Hell, suspend could be removed completely, instead replaced with context(local _: Suspend) where Suspend: CoroutineContext (to fit with the other KEEP that has context(_: CoroutineContext) for accessing coroutine context properties in vals and vars)

Speaking of which, if vals and vars are allowed to have local parameters, then we accidentally get suspend vals:

fun interface Foo { fun foo(): Int }
suspend fun getIntFromApi(): Int
// could use a context as well
val local Foo.intFromApi get() = foo()

// in a suspending context
with(Foo { getIntFromApi() }) {
  println(intFromApi) // suspending val!
}

[kyay10]

An interesting test is whether this system can effectively type a shift0/reset delimited continuation system with thunks (similar to delimCC from OCaml/Haskell).
It's niche, but it's my litmus test for how expressive a lifetime/captures/blah system is. Effekt fails this test spectacularly. Scala failed it until they added the @use annotation (to basically force the local lifetime to conform to some other lifetime parameter). However, they deprecated it, so now (AFAIK) they still fail this test.

I haven't read the stacks design notes in detail, but it feels that maybe there's some similarity here?

A quick reminder of the semantics of shift0:
reset gives you access to a lexical Prompt delimiter.
You can jump to it using shift, which captures the continuation up to and including the delimiter, and wraps it into a Cont object. Thus, the Prompt should only be accessible inside reset.
Importantly, the Cont objects it gives you, and the lifetime it gives you access to, upon shifting, does not include that delimiter. In other words, reset { shift { shift { } } } is forbidden.
Also, it lets you access the lifetime outside of reset as you wish inside both reset and shift.
To illustrate:

local val x: Foo = ...
local var cont: Cont<Unit, Unit>? = null
reset {
  x.foo() // allowed, since `reset`'s block is local
  shift { c: Cont<Unit, Unit> ->
    x.foo() // allowed, since shift gives you access to the lifetime outside `reset`
    shift { } // not allowed because the `Prompt` is not accessible inside `shift`
    cont = c // allowed, since the Cont should be accessible outside `reset` just fine.
  }
}

I'll number some of my questions along the way!

Starting off with the simpler version, where it's just shift0/reset without any thunks:

fun interface Cont<T, R> { fun resume(value: T): R }

// l might benefit from local members, but I'm avoiding it for clarity
// (1) is `l` discharged here? I.e., is l included within the `this` lifetime? That's what I want, but it's a minor point. If not, then would `local l^{this}` do the trick? Or maybe `l_{this}`?
interface Prompt<R, local l> { 
 fun <T> shift(block: (Cont<T, R>_{l}) ->_{l} R): T
}

suspend fun <R> reset(local block: local Prompt<R, block>.() -> R): R
// (2) Is this version basically equivalent? I think not because the above version is more granular in that it'll have precisely the lifetime of `block`, while this version has the entire local lifetime.
suspend fun <R> reset(local block: local Prompt<R, local>.() -> R): R

Now for the tricky part. I'm adding a new resumePush function to Cont that lets you operate within the lifetime of shift's callsite:

fun interface Cont<T, R, local l_{}> { // (3) does this syntax work like that? I don't want `l` to be required to use `Cont`, but perhaps that's the default?
  fun resume(value: T): R = resumePush { value }
  // (4) Does this function discharge `l`? i.e., does it require that you can use `l` in the current context? That's not actually what I want
  fun resumePush(value: () ->_{l} T): R
}
// In other words, I want it to function exactly like this, but as a member:
fun <T, R, local l_{}> local Cont<T, R, l>.resumePush2(value: () ->_{l} T): R

interface Prompt<R, local c> {
 fun <T> shift(block: (Cont<T, R, local>_{c}) ->_{c} R): T
}

// example
reset {
  local foo: Foo = ...
  shift { c: Cont<Unit, Unit> ->
    foo.foo() // not allowed because `shift`'s lifetime doesn't include `foo`
    c.resumePush {
      foo.foo() // allowed because our local lifetime is that of the caller of `shift`
      shift { } // allowed because our local lifetime thus also includes the Prompt.
    }
  }
}

Do these examples work as I've specified? Maybe some tweaks need to be done based on the answers to the 4 questions, but with those tweaks, can it be done?

[RossTate]

Yes, this is expressible, and in fact the stack primitives can implement the single-shot semantics for this.

As for your numbered questions:

1. Explicit locality parameters (as opposed to local parameters of functions) are (currently) unconstrained by default. If you need it to be constrained by the this lifetime so that, e.g., you can know it is accessible by methods, then you can do local_{this} lifetime. (Since all methods execute within the this lifetime by default, the constraint will make this a sublocality of lifetime, so you furthermore know the methods are executing within the lifetime locality.)
2. Interestingly, I think these end up being equivalent due to the fact that the local lifetime is itself inferred. But I think the second more directly matches your informal description of the operation.
3. You don't need the bound (and it should go on local rather than the name) because explicit localities are (currently) unconstrained by default.
4. It does not; i.e. the local locality does not have to be within l. (If you did want that, you could use fun_{l} to require local to be a sublocality of l.)

[kyay10]

Some ideas on how IDE support will work would be nice. I'm worried that every value might, all of a sudden, have a ton of lifetime information about it, cluttering tooltips and error messages.
I'm also curious about error messages: how do you tell the user that a value is inaccessible here? This is something that Effekt, IMO, fails at (which is expected for a research language), and that Scala does somewhat okay.

[RossTate]

Good suggestion. I've added some thoughts on this: https://github.com/Kotlin/KEEP/blob/main/notes/0007-local-lifetimes.md#type-checker-feedback

[kyay10]

Could a class being local instead be inferred by usage of this as a lifetime? It seems to me that class vs local class changes nothing for users of the class, and so it only affects the class on the inside. I don't see then why couldn't all classes be local?

[RossTate]

Making a class local restricts the lifetime of the this reference to have the this lifetime rather than the global lifetime. That can break existing code. We also know of a critical case where we do not want that behavior: https://github.com/Kotlin/KEEP/blob/main/notes/0007-local-lifetimes.md#strings

[kyay10]

In theory, this could break existing builder actions. However, that would require explicitly referencing the this receiver, which on its own is rare, and then leaking it from the action. It seems unlikely this will break any code except possibly a few obscure cases.

I think that's fine. buildMap, and its cousins buildList, buildSet, etc, all have in their KDoc that the receiver should not be used after the call finishes. Currently, the receiver can continue to be used as a read-only collection, but the KDoc reserves the ability to break that in the future.

[kyay10]

I think both lazy and AutoClosable can use local_{} since they don't use their lambdas in place:

public expect fun <T> lazy(local_{} initializer: () -> T): Lazy<T>_{initializer}
public expect inline fun AutoCloseable(local_{} closeAction: () -> Unit): AutoCloseable_{closeAction}

which is obviously equivalent to:

public expect fun <T, local initializer> lazy(initializer: () ->_{initializer} T): Lazy<T>_{initializer}
public expect inline fun <local closeAction> AutoCloseable(closeAction: () ->_{closeAction} Unit): AutoCloseable_{closeAction}

[RossTate]

Good catch! I updated the document. Thanks!

[kyay10]

Re local vararg: what if I want a vararg of locals? e.g. a fun foo(vararg lambdas: () -> Unit), but I want all the lambdas to be local.
I guess I can do:

fun foo(vararg lambdas: () ->_{local} Unit)

or even

fun foo(local vararg lambdas: () ->_{lambdas} Unit)

[RossTate]

Yep! The former would restrict the elements in the array to be used only locally, but not the array itself. (For example, you could upcast it to an Array<*> and get its length after foo returns.) The latter restricts the array and its elements to be used only locally.

[kyay10]

The theory for supporting this is achieved by modeling Kotlin-level types as higher-kinded low-level types with a contravariant locality parameter!

I'm very proud of myself for understanding what this means! It might be more digestible for the average reader, though, if it were instead like:

The theory for supporting this is achieved by modeling Kotlin types as having a hidden contravariant locality parameter.

This immediately reminds me of monadic regions, another lifetime-safety technique. In fact, I briefly experimented with implementing it using @RestrictsSuspension on a Region<out R> type, and adding an extra contravariant region type parameter to lifetime-tracked objects. Subregioning is represented by subtyping between region type parameters! I had to use some compiler plugin tricks to work around the lack of higher-rank types. Of course, my system was still awful to use because it needed a lot of ceremony, e.g. explicit polymorphism.

It's interesting to see the convergence on such a design! I wonder if the 2 systems are equivalent (modulo syntax and other conveniences).

[rnett]

I'm still digesting this, but as someone who's only experience with languages supporting lifetimes is getting frustrated figuring out how to express what I know to the rust compiler, I have some initial thoughts:

• This is a super powerful feature that seems like a good fit for Kotlin
• It's very complex, and it's usability and I suspect reception will depend hugely on the UX and syntax of the final design

I'm not sure how much you are considering the UX at this stage, maybe it's for a follow up KEEP, but I would like to see a detailed UX/syntax design KEEP at some point as this moves towards "production".

My thoughts on syntax

• I strongly dislike the use of _ as a seperator. It's a valid character for class names and often used in place of spaces, it doesn't "look" like a seperator to me. I'd propose @ instead.
• local is somewhat confusing since, as you said, it's more of a "track the lifetime of this" modifier.
• I dislike the way local can look like a function modifier but actually apply to the extension receiver. Even requiring (local MyReceiver).foo would IMO be better
• The syntax used gets very verbose very fast, and IMO is hard to scan. A lot of local uses seem like something that could be inferred.

[RossTate]

Ah, moving the bounds to where would be really helpful.

I can't use @ because it's used to disambiguate between thises, which I reuse for the this lifetime. (Consider local inner classes of local classes.) But I can use some operator. And I realized I can drop the braces (in an older version, I needed to be able to specify a list of localities in the restriction, but now it's sufficient to simply repeatedly restrict the lifetime with each locality).

The team has identified a number of issues with the syntax for contracts in general, so we're trying to gradually move away from that syntax.

So, trying out the viable operators available left-to-right on my keyboard, here's how the syntax could look like on a complex example:

With `#`

internal local class TransformingSequence<T, out R> constructor(
    private val sequence: Sequence<T>#this,
    private val transformer: (T) ->#this R
) : Sequence<R> {
    override fun iterator(): Iterator<R>#this = object : Iterator<R> {
        val iterator = sequence.iterator()
        override fun next(): R {
            return transformer(iterator.next())
        }
        override fun hasNext(): Boolean {
            return iterator.hasNext()
        }
    }

    internal fun <E> flatten(
        local# iterator: (R) -> Iterator<E>#iterator
    ): Sequence<E>#this#iterator {
        return FlatteningSequence<T, R, E>(sequence, transformer, iterator)
    }
}

With `$`

internal local class TransformingSequence<T, out R> constructor(
    private val sequence: Sequence<T>$this,
    private val transformer: (T) ->$this R
) : Sequence<R> {
    override fun iterator(): Iterator<R>$this = object : Iterator<R> {
        val iterator = sequence.iterator()
        override fun next(): R {
            return transformer(iterator.next())
        }
        override fun hasNext(): Boolean {
            return iterator.hasNext()
        }
    }

    internal fun <E> flatten(
        local$ iterator: (R) -> Iterator<E>$iterator
    ): Sequence<E>$this$iterator {
        return FlatteningSequence<T, R, E>(sequence, transformer, iterator)
    }
}

With `%`

internal local class TransformingSequence<T, out R> constructor(
    private val sequence: Sequence<T>%this,
    private val transformer: (T) ->%this R
) : Sequence<R> {
    override fun iterator(): Iterator<R>%this = object : Iterator<R> {
        val iterator = sequence.iterator()
        override fun next(): R {
            return transformer(iterator.next())
        }
        override fun hasNext(): Boolean {
            return iterator.hasNext()
        }
    }

    internal fun <E> flatten(
        local% iterator: (R) -> Iterator<E>%iterator
    ): Sequence<E>%this%iterator {
        return FlatteningSequence<T, R, E>(sequence, transformer, iterator)
    }
}

With `^`

internal local class TransformingSequence<T, out R> constructor(
    private val sequence: Sequence<T>^this,
    private val transformer: (T) ->^this R
) : Sequence<R> {
    override fun iterator(): Iterator<R>^this = object : Iterator<R> {
        val iterator = sequence.iterator()
        override fun next(): R {
            return transformer(iterator.next())
        }
        override fun hasNext(): Boolean {
            return iterator.hasNext()
        }
    }

    internal fun <E> flatten(
        local^ iterator: (R) -> Iterator<E>^iterator
    ): Sequence<E>^this^iterator {
        return FlatteningSequence<T, R, E>(sequence, transformer, iterator)
    }
}

With `*`

internal local class TransformingSequence<T, out R> constructor(
    private val sequence: Sequence<T>*this,
    private val transformer: (T) ->*this R
) : Sequence<R> {
    override fun iterator(): Iterator<R>*this = object : Iterator<R> {
        val iterator = sequence.iterator()
        override fun next(): R {
            return transformer(iterator.next())
        }
        override fun hasNext(): Boolean {
            return iterator.hasNext()
        }
    }

    internal fun <E> flatten(
        local* iterator: (R) -> Iterator<E>*iterator
    ): Sequence<E>*this*iterator {
        return FlatteningSequence<T, R, E>(sequence, transformer, iterator)
    }
}

Thoughts?

[Amejonah1200]

Where is '? 🙃

[rnett]

The team has identified a number of issues with the syntax for contracts in general, so we're trying to gradually move away from that syntax.

Yes that makes sense - my idea was more about writing a list of constraints, with whatever syntax works best, as opposed to the generic parameter approach.

Of your examples, I think I like ^ the best, except that Sequence<E>^this^iterator is rather hard to read - unless it has the obvious meaning of "the lifetime is bound by both this and iterator", which I think it actually does?

Is using a keyword an option? E.g. private val sequence: Sequence<T> in this?

[RossTate]

unless it has the obvious meaning of "the lifetime is bound by both this and iterator", which I think it actually does?

It does 😊

Is using a keyword an option?

Probably. But I think an operator would be preferred if we could find a suitable one.

[rnett]

Probably. But I think an operator would be preferred if we could find a suitable one.

Personally I like the keyword because of the spacing, which makes it easier to read (IMO). You can of course do the same with the operator but it looks kind of odd (helpful, I know).

[rnett]

I didn't see the "lifetime applied to arrow" syntax discussed explicitly. Is it just shorthand for (A -> B)_{lifetime}?

[RossTate]

Ah, yes it is. Sorry, I've added a note explicitly stating that now. Thanks for catching this!

[rnett]

It seems like this could significantly increase the burden on library authors or increase the possibility of mistakes. It would be easy for a specialized collections library, like say ImmutableArrays, to just implement their functions without lifetimes. If I understand it right, this would mean they use the global lifetime, and are not usable with any lifetime limited variables.

To write good, usable libraries, every Kotlin library developer would need to be able to localize their entire library, as you did for the stdlib here. This is not a simple task, especially if you haven't used something like lifetimes before. To make it worse, there's no obvious feedback (e.g. IDE warnings) that the non-localized version is wrong somehow. The closest Kotlin comes to this problem today is library developers not adding contracts to functions that could have them.

As an example, if the IDE could infer lifetimes and offer to add them (with reasonably good accuracy), that would alleviate most of my concerns.

[RossTate]

I totally get this concern. While I have made a conscious effort to make local lifetimes have a nice path for gradual adoption, it's of course hard to assess just how real that path is.

If it helps to have a familiar example, I took half an hour to localize the immutable arrays library. You can preview the hypothetical update here. (Since in reality much of the code is generated, I only updated the generic generated code instead of updating the generating code.) In summary, the changes were to

• make 20 parameters local,
• remove (all) 6 occurrences of crossinline,
• and add 1 _{local} and 6 _{this} lifetime restrictions.

You might notice that I did not make ImmutableArray into a local class. That's because I didn't see a particular use for it. Because ImmutableArray is generic, it can already hold elements with local lifetimes. Because ImmutableArray object is just data, making it local doesn't enable any more functionality. And because the length of ImmutableArrays tends to be dynamic, we wouldn't typically be able to allocate it on the stack anyways. So the only benefit I could think of would be to let others artificially restrict the lifetime of an ImmutableArray in order to get the type-checker to help them ensure it doesn't escape, which didn't seem particularly likely to be helpful, and which certainly isn't necessary for the library to work nicely with local lifetimes. (I only made Array into a local class in order to support stack-allocating varargs, since those do typically have a statically known length.)

Regardless, I agree with your point that a tool could likely automate most localization updates, and that it would be a good idea to provide such a tool if this feature were to ship. (A complementary option would be to provide some way to indicate that certain imported libraries have not been localized and to treat them optimistically with respect to localities.)

[rnett]

Nice, that's less invasive than I was expecting.

One concern I still have with the example is that library authors would need to know when they need to or should apply local. For example, I do not think it would be obvious (and wasn't to me) that I should add local to the Array, Iterable, and Sequence receivers unless there was some hinting in the IDE.

Regardless, I agree with your point that a tool could likely automate most localization updates, and that it would be a good idea to provide such a tool if this feature were to ship. (A complementary option would be to provide some way to indicate that certain imported libraries have not been localized and to treat them optimistically with respect to localities.)

I'm not sure how possible it is, but it could be interesting to handle locality inference like smart casts: code in the same compilation unit has its locality inferred (i.e. using the function body), which can then be made explicit in the signature to make it part of the API contract.

[rnett]

Can you (unchecked) cast to a type with a lifetime? I think some bridging of lifetime-aware code and non-lifetime aware code will always be necessary, including for external libraries (including Java and Java's FFI).

[RossTate]

Yes

[rnett]

Also, do you plan on announcing these keeps in the language-features slack channel?

[RossTate]

I think so, but after we first incorporate a round of feedback from this discussion and from after the talk.

[rnett]

For the addAll localization specifically, wouldn't this break any collections that retain the added collection instead of individual members? I'm not aware of any implementations that do this off the top of my head but it seems like it could be a reasonable optimization for some types of sets or trees.

[rnett]

Yes, but for immutable collection types that's guaranteed not to change. But I haven't actually seen any implementations that do something with the collection.

[kyay10]

Immutable collections implementations probably wouldn't be local, so if you downcast it, you'll then be free to leak it wherever you want!

[RossTate]

That wouldn't quite work...yet. Right now, although all objects of a non-local class, say Foo, are always created with a global lifetime, it's not the case that Foo_{restricted} is a subtype of Foo_{global}. That way, if Foo were to be made into a local class, it's guaranteed it wouldn't break any existing code using the Foo type. But, we could extend this design to enable one to declare a class/interface to be global, making it permanently a non-local class/interface, and consequently making it safe to improve subtyping accordingly. I hadn't thought of a case where this would actually be useful, but this example with immutable collections could be one.

[kyay10]

I meant if you knew about some ImmutableListImpl which is explicitly not a local class, then would you be able to downcast to it?
Another example is can I downcast a local Any to a String for instance? I'd imagine that would work

This really is good motivation to have non-local interfaces, although you can get close ish:

interface Foo {
  val globalize: Foo_{global}
}

[RossTate]

Remember that, to support gradual adoption, just because something is not local now does not mean it is not expected to become local eventually. So, if we were at add the global extension I mentioned, and if we were to explicitly mark ImmutableListImpl or String as global, then a type-tag test (i.e. is ImmutableListImpl or is String) would be able to drop the restriction on the lifetime.

P.S. The _{global} in your Foo signature is redundant.

[rnett]

Did you consider making everything local by default as an option? It seems to me like parameters are usually local, and leaking them is the exception, not the expectation. IMO opting-in to potentially dangerous capabilities when you need them is better ergonomics than having to opt out (see also: immutability, and the return value checker).

Obviously there's much more potential for backwards compatibility loss. But I don't have a good feel for how much code would be made red in practice. And migration patterns like the one for the return value checker might be enough.

[RossTate]

I did, but there are two considerations. One is backwards compatibility; making everything local by default would break a lot of existing code (and, even though most parameters can be made local in the standard library, it can often require correspondingly restricting lifetimes in return types). The other is that, in looking at libraries (and especially the standard library), we're biasing our examination towards code where local will be more common (and, in the case of the standard library, used in more advanced ways).

[kyay10]

I want to push back a little on the backwards compatibility concern. Any non-local class cannot have a lifetime, so all of those classes would not suffer at all here.
The question is then about interfaces and local classes. How often is Kotlin code leaking interfaces? I don't know if var x: SomeInterface is that common. Returning an interface is maybe a bit more common, but still relatively rare.

Maybe a happy middle ground would be to have some @LocalByDefault annotation. It then could be also useable on types directly, so one can do typealias LIterator<T> = @LocalByDefault Iterator<T>.

Another idea could be to have a module-wide or per-file toggle, similar to the return value checker.

[LelouBil]

I would also like to see some kind of global flag, this would also allow seeing more what kind of API design comes up when you specify lifetimes from the start, rather than when you add them retroactively to existing APIs that fit them.

[rnett]

I'm having trouble wrapping my head around local classes and how they interacts with locality on types and the class's properties.

For example, with the classes:

class Foo(val a: Int)

local class Bar(val b: Int)

local class Baz(local val c: Int)

My current understanding is that:

1. A parameter like local v: Foo would mean that the reference to v is local to the function, but says nothing about v.a, it could be leaked.
2. A parameter like v: Bar imposes no lifetime restrictions
3. A parameter like local v: Bar is exactly the same as local v: Foo (aka no restrictions on b)
4. The declaration of Baz is actually illegal, because assigning the parameter to the field leaks it outside of the constructor. The corrected declaration is local class Baz(val c: Int_{this}). Does c still need local?
5. A parameter like local v: Baz means that v and c are local to the function.

Is that right? It might make sense for local val to desugar into val v: X_{this}. I would expect classes owning their properties to not be uncommon.

I also don't quite understand this statement:

That is, a local class is implicitly parameterized by a this lifetime, representing the lifetime of the object, and the lifetime of its this reference is restricted to the this lifetime. This makes it possible for each object of a local class to safely access resources with limited lifetimes provided those resources have at least the lifetime of the object.

Can't arbitrary objects already have a lifetime assigned to their type, and properties via generics? If I understand right, all that local class changes is that:

• The lifetime of the this reference in the class, it's initializer, and all of its methods is tracked and can't leak
• Because of this, any properties with a lifetime larger or equal to than the class's lifetime (e.g. _{this}) are accessible in initializers and methods

I guess what I'm having trouble with is the difference between Foo<this = x> and Foo_{x}. Are they the same thing?

[rnett]

It seems that you can only use local v: Blah if Blah is a local class or an interface, so it's illegal to write local v: Int, but I might be wrong on that.

Interesting, I think I had assumed the same without realizing it. But then what about

local val foo: LocalClass
val bar: NonLocalClass_{foo)

?

[kyay10]

I meant to say local and the _{-} syntax, but I forgot midway thru...

In other words, it seems like interfaces and local classes are the only types that can have an intrinsic lifetime. Lifetime parameters seem like they can be added to anything, though

[RossTate]

1. Correct
2. Correct
3. Correct
4. Correct: the declaration should be local class Baz(val c: Int_{this}).
5. Correct, assuming you use the corrected declaration in (4) above.

The lifetime of any type can by restricted. This is important for T_{...} to work even when T is a type parameter (which occasionally arises in the standard library, and is heavily relied upon for the stacks design). Whether a class is local or not has no effect on its subtyping behavior (which leaves room for the class to be made local without breaking code). Making a class local imposes restrictions upon its implementation, particularly by making this be restricted to the this lifetime. (Interfaces have no implementation, which is why there is no notion of a local interface.)

[kyay10]

Interfaces have no implementation, which is why there is no notion of a local interface.

That's a question I've been meaning to ask! What about default methods in interfaces?

interface Foo {
  fun returnSelf(): Foo = this
}

This currently compiles, but presumably would be illegal now?

[RossTate]

What to do about default methods with non-local use of this is admittedly on my to-do list. If I were to pick right now based on intuition, I would reject this. That would technically be a breaking change, but I suspect that instances of this would be rare enough that it would worth shipping the "right" default and forcing such interfaces to incorporate the restricted lifetime into the signature.

[LelouBil]

Hello, the following may be off-topic for this KEEP, but I think it would require it.

Using the proposed changes from this KEEP, would it be possible to implement "Consumed" method parameters ? I mean, specifying in the method signature that the lifetime of the value passed as a parameter needs to end when the method is called (Making it an error if it was used after the method call) ?

It seems like this would at least require the local lifetimes, since by default you cannot know if there were any previous references to the object until the method call, but for local parameters you are sure of that and just need to inspect the current scope.

This whole feature reminded me of one aspect of Rust I liked a lot, which is to be explicit about lifetimes, and while this is less complicated (because there is no borrowing like in Rust), this made me think of the Typestate pattern, that uses the fact that in Rust, a function can "consume" it's parameter and render it unavailable afterward.

To me, it seems like a next-step in the direction that local lifetimes provide.

[kyay10]

This somewhat reminds me of Scala's Separation Checking, which is built on a similar-ish system to lifetimes

[RossTate]

Good question! Local lifetimes were explicitly designed to incorporate lifetimes without typestate. Typestate certainly has applications, but it unfortunately causes a lot more complications for both code and typing algorithms. How to support typestateful features (like "consumes") in a Kotlin-esque manner is still under investigation.

[rnett]

Is it correct to say that, as part of tracking lifetimes for local variables, the compiler knows when the lifetime of any local variable ends? Would it be possible to use this for automatic resource cleanup? For example, some sort of interface LocalResource { fun close() } that can only be implemented by local classes, and has close() called before the lifetime of any instance ends.

[kyay10]

Lifetimes already allow us to have DSLs for automatic resource cleanup, so I don't think a language construct or anything needs to be added here.
The simplest case is giving access to one resource:

fun <R> withFile(path: Path, block: (local File) -> R): R = nativeOpenFile(path).use { block(it) }

The file can never leak outside the block, so using the file is completely safe!
You can take this a step further with something like ResourceScope from Arrow. I won't describe its implementation details here, but simply, it has an onRelease function that registers a finalizer to run at the end of the scope. With lifetimes, it can be made a lot safer:

interface ResourceScope<local outer> { // outer is a nice candidate to be a member lifetime
  fun onRelease(finalizer: () ->_{outer} Unit)
}

inline fun <R> resourceScope(block: local ResourceScope<local>.() -> R): R = ...

context(local scope: ResourceScope<*>)
fun openFile(path: Path): File_{scope} = nativeOpenFile(path).also { file -> scope.onRelease { file.close() } }

openFile is just as safe as withFile. The returned file is only usable within the apt resourceScope block, so all file actions will run before the finalizer, and resourceScope guarantees that the finalizer will run!

[RossTate]

From my experience, different people have different expectations of when the lifetime of a local variable ends. The two most common are when it is no longer used, or when the function call completes. But even these have ambiguities. If a variable is only used in one case of an if, does its lifetime end when we enter the other side or only when the entire if finishes? Alternatively, if a function calls another call in a tail position (in a setting where we know we're not worried about maintaining stack traces), is the current call "completed" by the tail call? Interestingly, my algorithm doesn't actually determine "the" lifetime of an object/operation; it just determines constraints that these lifetimes must satisfy and ensures all the constraints are compatible with each other. So, because ambiguity is kind of inherent in lifetimes, I still recommend that programs be explicit about when important things like cleanup should happen.

[rnett]

How will lifetimes interact with identity-less value classes? I assume they won't, e.g. any value class will not be able to have a lifetime (or, perhaps, has any lifetime)?

[kyay10]

I don't see why a value class can't have a lifetime? A very simple case is a value class that wraps a normal class:

value class MyFlow(val flow: Flow_{this})

Lifetime doesn't need to be tied to identity.

[RossTate]

I see the intuition. Essentially, if we can arbitrarily copy an object, then does its lifetime really matter? In a design where lifetimes were shallow, then not really. But in this design, a lifetime can be deeply integrated into the signature of a class, including into the types of its fields and methods. So a copy of a limited-lifetime object can still need to have a limited lifetime. That said, if we were to add a way to mark certain classes as explicitly global, I suspect that many value classes (and data classes) would be marked as global, since in many cases they are "deeply" copyable.

[rnett]

That makes sense. I was getting a bit ahead of myself and thinking of the deep immutability semantics that have been proposed for value classes. It seems like they would be prime candidates to be global by default.

Also, side note, will the generated copy fun for data classes become fun copy(...): Self_{this}?

[rnett]

In your talk you mentioned that all of the benefits of inline functions can be achieved using local parameters. Does this include reified types and avoiding allocation lambda objects (not just stack allocating them) on the JVM?

[LelouBil]

Reified types are here because of type erasure, so I think you'll still need inline functions for them.

[kyay10]

avoiding allocation lambda objects (not just stack allocating them)

I believe stack allocation means avoiding allocating them entirely. The JVM doesn't really let you "stack allocate" beyond simply placing values on the stack. The stacks library is a clear case where avoiding lambda allocations seems important.

I do wonder how this behaves with binary compatibility guarantees and such, but I guess we'll see!

[RossTate]

Ah, you're right! I made a mistake. It would still be the case that only inline functions can have reified type parameters.

[mikehearn]

I missed the talk (not at KotlinConf) but here's some initial feedback.

As a reader I could use an explanation of the use cases and the benefits of this feature. Lifetime annotations add complexity to the language but the KEEP doesn't contain an introduction or motivation. The opening merely explains it as "a feature that enables programmers to safely take advantage of objects and operations that are only safe to use for a limited time" which is a circular explanation. Later it explains the utility as "providing useful software-engineering compositionality guarantees and safely enabling arguments to have more advanced functionality" which is rather vague ... it could be a description of many programming language features.

In Rust lifetime tracking is justified by the absence of a GC (not relevant to Kotlin) and making concurrent code safer. But there's no concept of a borrow checker here and concurrency safety is never mentioned.

Ideally the KEEP would call out the syntax as a placeholder. At least I'm assuming it is. Otherwise as pointed out elsewhere the syntax is ambiguous - underscores are widely used in class names especially in generated code, and Foo_{bar} is an un-Kotlinlike syntax choice anyway. It looks almost like {bar} is meant to match part of an identifier name.

[kyay10]

I agree that more needs to be said here. Stacks is a good example of a use case (once you get beyond the technical details, they effectively let you have suspend APIs that compose nicely with each other). There's also some performance benefits here (avoiding allocations).

[RossTate]

Thanks for the feedback! Admittedly, these design notes were written with the talk in mind, and I need to go back and make them more self-contained. I'll let y'all know what that's done!

[kyay10]

FWIW, this feature allows for Checked Exceptions to be added to Kotlin without having the same bad interactions with lambdas that Java suffers from. I'm copying this idea 100% from Scala, of course.

interface Throws<in E: Throwable>

context(local _: Throws<IllegalStateException>)
fun myError(message: String) = error(message)

inline fun <reified E, R> catch(catch: (E) -> R, block: context(local Throws<E>) () -> R): R = 
  try { block(object: Throws<E> {}) } catch(e: E) { catch(e) }

myError("") // doesn't compile
catch<IllegalStateException, _>({}) { myError("") } // compiles

[RossTate]

Yes. You might appreciate this paper: https://cs.uwaterloo.ca/~yizhou/papers/abseff-popl2019.pdf

[kyay10]

Unlike that paper, though, my intention here was that the exceptions are still dynamically caught, they just are guaranteed to be caught because of the CanThrow context.
I think the paper makes really strong points that show that CanThrow is a bad idea and that something lexical like Raise from Arrow is better. It also helps motivate the stacks library (since it easily implements lexical effect handlers). In fact, SequenceScope is just a yield effect

[LelouBil]

I saw multiple comments using local context parameters, and I think the document could also have a section explaining them, are they meaningfully different to a local receiver ?

[RossTate]

Context parameters are an upcoming feature that allows you to pass parameters "by context" rather than "by position" or "by name". A local context parameter is simply the combination of that feature with this design's local parameters. It comes up in comments because local context parameters happen to nicely capture features of some other languages.

[Laxystem]

As for syntax: It is majorly confusing. The varying usage of local, and the _{} syntax, _{local} being a thing, the ugliness of it all.

Currently, it is:

fun <A, B> local_{} Iterator<A>.map( // declare lifetime 'iterator. It does not need to be longer than the call.
    local_{} transform: (A) -> B // same...
): Iterator<B>_{this&transform} = object : Iterator { // returns an Iterator that only lives as long as the transform and the iterator.
    override fun hasNext() = this@map.hasNext()
    override fun next() = transform(this@map.next())
    override fun remove() = this@map.remove()
}

How about something more...

fun <A, B> lifetime @(null) Iterator<A>.map(
    lifetime transform: @(null) (A) -> B
): @(this & transform) Iterable<B>

// means
fun <A, B, lifetime this, lifetime transform> Iterator<A>.map(
    transform: @(transform) (A) -> B
): @(this & transform) Iterable<B>

Basically: @(lower..upper), @(lower), @(..upper), (@(lifetime) In) -> Out, @(lifetime) (In) -> Out, (In) -> @(lifetime) Out; local_{local} can be lifetime [...] @(fun) Type.

In Rust lifetime tracking is justified by the absence of a GC (not relevant to Kotlin) and making concurrent code safer. But there's no concept of a borrow checker here and concurrency safety is never mentioned.

About that: I'd like it if as continuation to this KEEP, a no-GC mode would be introduced to Kotlin.
Half the work will be possible with a combination of this feature, context parameters, and value classes.

Additionally:

1. I've proposed before adding a catch operator to Kotlin, e.g.:

   private var counter = 0
   val foo get() = ++counter
   
   fun ... {
      println(foo) // 1
      println(catch foo) // 2
      println(foo) // 2
   }

   Seems like a worthy mention for this KEEP.
2. Will there be a solution to execute code on the end of a lifetime? To force- or as-far-as-Kotlin-is-concerned-GC the object? To query whether an object's lifetime has ended? Will this simply be AutoClosable and some SuspendCloseable, or...?
3. Will we have local/lifetime types in the future, Zig-comptime-style? The proposed syntax seems to prevent that option.
4. Will all value classes be local/lifetime by default? Will all data classes?

Side-note, there are several syntax errors in the KEEP, both in regular Kotlin syntax and in the proposed syntax - it seems local has a tendency to jump between being a parameter modifier and a type modifier, and in the example I provided, there's a missing : in object Iterable...