Add support for bound function arguments

[rossberg]

This specs out the Candid side of the "closure" extension I suggested here.

WDYT, does this work?

Edit: see also #292, for a complementary extension with type dynamic.

[matthewhammer]

LGTM!

My only nit is about the other companion PR, and how to compose this PR with that one in a larger motivating example.

Let's say that the wallet call wants to return some data, and we don't know what it is, or even its arity?

How would we adapt this?:

type wallet = service {
  topup : (amount : nat) -> ();
  forward : (call : () -> ()) -> ();
}

I see three options for the non-unit return type of call and forward:

1. Blob
2. dynamic (see Add support for type dynamic #292)
3. a variant of dynamic that I will call dynamics (e.g., see comment Feature Idea: Generic data #245 (comment))

1. Use Blob

forward : (call : () -> Blob) -> Blob;

And then assume that this Blob holds a candid response sequence, not a single candid value.

Pros: Blob exists today in Candid and Motoko.
Cons: Blob conversions are explicit, and perhaps not ergonomic yet. They could also have type errors.

2. Use dynamic (see #292)

forward : (call : () -> dynamic) -> dynamic;

Pros: Could be a safer option to option 1, since conversions would have dynamic checking and auto trapping (I presume).
Cons: Unfortunately, this API is not quite as "general" as the first, since dynamic cannot encode a sequence of values, but only one value. See option 3.

3. Use dynamics (see comments to #292)

forward : (call : () -> dynamics) -> dynamics;

Pros: Actually solves the problem (I think).
Cons: Furtherest of the options from what we have today.

[chenyan-dfinity]

Suggested change

	forward : (call : () -> ()) -> ();
	forward : (call : func () -> ()) -> ();

syntactically, how do we know if the function has bound arguments? Does the closure supports return type?

[rossberg]

You mean, know it by the type? We don't, it's always allowed. Do you think that would cause issues for bindings?

[chenyan-dfinity]

I see. The existing example has a callback function, which can have bound arguments as well. You are adding another example to illustrate the use of bound arguments, which makes me think there may be syntactic difference for the bound args.

So any function reference can have bound arguments. The return value will be decoded according to the function signature, right? That means we need an abstraction for argument tuples. And if we use the dynamic type as return type, dynamic represents argument tuples instead of a single argument.

[matthewhammer]

That means we need an abstraction for argument tuples.

Yep. That's my thinking too, and more agreement in the comments for #292

[chenyan-dfinity]

this will be a breaking change? or the bound argument is stored in R which was not used before?

[rossberg]

No, R is only used if there are reference types that need it, as before. The type is determined from M.

But I think this is a breaking change in so far that a receiver not understanding the new encoding of closures would choke on it. The only way to avoid this is by indeed introducing a separate closure type as a future type, it seems. Hm, that would be ugly...

[nomeata]

A new type seems to be appropriate. Not breaking existing stuff is part of our value proposition, and given the complexity of this maybe it’s good if a service can say that they really only support plain function references, but not closures?

[rossberg]

Okay, introduced a new (future) type for closures and made it a supertype of func.

[rossberg]

For the time being I think it's fine if this pattern only worked for functions of fixed arity. If we wanted variadic abstraction, maybe we could make a tuple record coercible to a parameter list and vice versa, analogous to what we do in Motoko.

Perhaps n-ary functions as a primitive in Candid were a mistake (as @nomeata always argued, though for different reasons). If we introduced such a coercion, could we retroactively pepper over it?

[nomeata]

A method call f(x,y) now does not just mean “encode (x,y) via Candid and send”, because f could be a closure. This requires

• a heap representation of a Candid closure f, consisting of (likely)
  • service reference
  • method name
  • original type table from the message that carried f (pruned to the actual used types? copied as is? Probably pruning is not possible if the bound values are of a future type we don’t understand)
  • the candid encoded value, kept as an opaque blob (no need to decode, and because of future types we probably can’t)
• the ability to merge that type table with the type table we’d already generate for the explicitly passed (x,y)

That’s a quite high “implementation complexity price” to be paid, so I am overall quite wairy of this.

[nomeata]

Where is the type of v encoded? I’d expect something like

 M*(v^N : <datatype>^N) = leb128(N) I(<datatype>^N)^N  M(v : <datatype>)^N

to match what we do in B

[rossberg]

Ah, good catch, fixed.

[nomeata]

A new type seems to be appropriate. Not breaking existing stuff is part of our value proposition, and given the complexity of this maybe it’s good if a service can say that they really only support plain function references, but not closures?

[nomeata]

You don’t want to support binding arguments to references?

Why not make it a recursive definition that allows you to bind arguments to any function reference (whether it’s opaque, public, or itself a closure – after all, these are all values of the same type, so binding to them should be allowed).

Suggested change

	* `pub(s,n,v*:t*)`, indicates the public method name `n` of the service referenced by `s`, possibly followed by a list of type-annotated bound argument values.
	* `closure(f,v*:t*)`, indicates the function reference `f`, followed by a list of type-annotated bound argument values.

[rossberg]

Ah, yes, that was an oversight. Refactored as you suggest.

[rossberg]

@nomeata, fair points about constructing the new call.

I would assume that the serialiser would not merge but merely extend the type table it gets from the closure. Since we allow duplication, it could do so blindly.

For the argument tuple, if it extended the type table from the closure as just said, then I agree that it suffices to just copy over the serialised blob for each value. (We could even add an leb128 with the length for each value's encoding to the TM function I now introduced; however, I'm not sure we want that – for security reasons, the deserialiser should validate the data anyway to the extend it can, and could separate the individual values right there.)

So yes, some work is required, but it doesn't seem too bad?

(With hindsight, I actually think it was an oversight that our function types did not allow closures from the beginning. It seems like a glaring omission for a higher-order data format.)

[nomeata]

I see, if you put the type table from the closure first, you only have to renumber the type indices you are appending. Still more work than now (where the full type table and thus these indices are pre-computed by the Motoko compiler.)

I still see a problem where you need to pass a closure as an argument to a closure, because now you need to merge and renumber after all. And that's not possible: our future types prevent any kind of operations on type tables or indices.

So bound arguments need their own type table, both in the closure, and in the final call.

So that leads to the nicely simple design where the bound arguments in a closure are simply complete argument sequences with their own type table (i.e. B(args), and we allow the concatenation of encoded argument sequences to represent the encoding of the concatenation (yay, distributivity laws :-)).

Overall, it seems that this feature has very narrow use cases on our platform, because of the prevalent authentication via caller. Canister can really only ever call closures received from fully trusted users. Anything more interesting likely need system-level closures. Maybe worth satisfying the proxy-from-ttusted-user use case without candid support (raw calls), and push for system level closures instead (which then may not even need changes to Candid, since these would be refs)?

[nomeata]

This equation should hold for all forms of function values

Suggested change

	C[func <functype> <: closure <functype'>](func <text>.<id>) = clos(func <text>.<id>, .)
	C[func <functype> <: closure <functype'>](f) = clos(f, .)

[rossberg]

Ah, yes.

[nomeata]

A helper function for “prepend length for future type” would help here?

[rossberg]

Done.

[nomeata]

Dito, a helper function might clarify this somehow?

[rossberg]

Done'

[nomeata]

Why not I, as in other places where we refer to types?

[rossberg]

Good point, changed.

[rossberg]

So bound arguments need their own type table, both in the closure, and in the final call.

So that leads to the nicely simple design where the bound arguments in a closure are simply complete argument sequences with their own type table (i.e. B(args), and we allow the concatenation of encoded argument sequences to represent the encoding of the concatenation (yay, distributivity laws :-)).

Interesting point. But that would require a backwards-incompatible change to the encoding of calls, wouldn't it?

I suppose we could circumvent all this by not allowing currying but only complete binding, i.e., thunks instead of partially applied closures. But that perhaps is a bit too specialised...

[rossberg]

Ah, yes.

[rossberg]

Good point, changed.

[rossberg]

Done.

[rossberg]

Done'

[nomeata]

But that would require a backwards-incompatible change to the encoding of calls, wouldn't it?

Oh, right, of course. But that means we have an impossibly result: we can't merge type tables (because of future types), but we also can't keep them separate (because it wouldn't be backwards compatible). This seems to prevent currying…

[nomeata]

(For some reason I can't mark conversations as resolved here)