E Tensible,Fastandsecurescalae Ressionevaluationengine

Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

EE,, F A S S E E E

Submied: 25th March 2017; accepted: 26th October 2017

Arkadiusz Janik, Roman Janusz

DOI: 10.14313/JAMRIS_3-2017/26 Keywords: expression evaluaon engine, Scala

Abstract: 1. Introducon Scripng and expression evaluaon engines are popular Embedding scripting environments inside larger tools in the Java soware ecosystem which is understood software systems is a commonly used technique as any environment using Java Virtual Machine (JVM) to where the system serves as a container for some spe- execute code (which does not have to be generated from cialized, domain speciic logic that can be loaded and Java language). With the current, wide-spread popularity executed dynamically. Such environments allow im- of Java and Java bytecode compliant languages it me- plementing features that cannot be expressed by sim- ans that both: tradional, stand-alone Java programs as ple graphical interfaces without losing much of ine- well as enterprise systems run on applicaon servers or grained control and generality provided by a scripting even systems deployed in microservices architecture can language. be considered. Expression evaluaon engines are oen used for purposes like defining document templates, en- Perhaps the most ubiquitous example of such a sy- hancing various stac configuraon formats with dyna- stem is any web browser. The scripting language that mically evaluated snippets or defining data binding for it embeds is of course JavaScript and the browser ser- user interfaces. However, most of these soluons em- ves as an execution environment for scripts. ploy dynamically typed languages and suffer from limi- Embedded scripting enables dynamic loading and ted performance and lack of any concern for security. execution of entire programs. A more lightweight and This effecvely makes it impossible to use expression lan- limited version of scripting engine is an expression guage as a feature exposed to end users. This paper pre- evaluation engine. Instead of scripts that can be long sents a new approach to implemenng an expression en- and complex, an expression engine allows only sim- gine. It uses Scala as the expression language and levera- ple expressions to be evaluated, with no access to con- ges its stac type system as well as its rich feature set structs like loops, deinitions of functions or classes, to create an expression evaluaon engine with expres- etc. Expressions usually consist of method or function sive and concise language, high evaluaon performance invocations and operator applications that operate on and fine grained security control. In the paper we pre- expression input and produce some output data. The- sent use case built for the domain of telecommunicaon refore, unlike script execution, expression evaluation networks. In large telecommunicaon networks one can is usually not allowed to cause any side effects. find hundreds of devices for which configuraon has to be One of the most challenging aspects of embedded updated either periodically or on-demand when a given scripting and expression evaluation engines is secu- event occurs. Contents of configuraon files may have to rity. Loading and executing code provided dynami- be generated dynamically (based on some data associ- cally by some third party poses a serious threat of ated with a given device). On top of that, since commu- letting malicious program execute which could result nicaon networks are heterogeneous environments with in either damage to the host system or unauthorized hardware delivered by different providers, exact form of access to sensitive data. The more freedom a scripting each config file may vary depending on a type of a device engine allows, the harder it is to secure it. An expres- and its manufacturer. Moreover, as structure and size of sion engine is much easier to secure than a full-blown telecommunicaon networks evolve as new devices are embedded scripting engine like browser-embedded added, there is a need to dynamically and remotely sup- JavaScript. port completely new types of devices with a completely A good example of an expression evaluation use new format of configuraon. This paper presents how the case is an expression-enhanced administrative panel. problem can be solved by using configuraon file templa- Such panel may be used, for example, to adjust a greet- tes with placeholders that would be filled by some data ing message that is displayed to users upon logging associated with a given device. Each template is an ex- into a web portal. The message would be conigured pression that evaluates to exact configuraon file. Perfor- as an expression (template) that has access to the data mance is crucial (due to size of network) and so is security: of the user logging in. the soluon should allow to control what kind of configu- Another example could be an administrative inter- raon and by whom may be applied to devices while sll face for massive data processing system where a user allowing network operators to use a Graphical User Inter- could dynamically specify a data crunching job to be face to define (or redefine) configuraon file templates. executed on a large amount of potentially distributed

30 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

data (e.g. a map-reduce job). An expression would de- hors to build a domain-speciic language in Scala (that ine actual transformations performed on that data. was used to deine allowed language syntactical con- The domain that authors of this paper focused on structs and calls to control and limit evaluations in when building the real-life use case, though, is tele- terms of security) and to build a real-life, working and communication networks where there is a need to commercially used system that utilizes the evaluation update coniguration of network devices (or provide engine to remotely manage devices in telecommunica- coniguration of newly added devices) in some situ- tion networks. ations such as device reconiguration, device decom- missioning, network topology change etc. The propo- 2. Related Work sed solution has been successfully used to built a device management platform that allows telco operators The paper [19] presents the algorithm for evalu- to monitor and manage devices installed in their net- ating physical expressions and performing automatic works. As mentioned above the system has to work in conversions between quantities measured in different network with virtually unlimited number of devices. physical units. The paper describes CellML - the XML- The devices can be automatically or manually grouped based modelling language that can be used to repre- into hierarchies so that it is possible to manage them sent units and expressions in a way that allows their in bulk but still allowing ine-grained differences bet- easy validation and unit conversion. The authors des- ween conigurations if required. Network devices have cribed the two phases, partial evaluation algorithm. to be reconigured remotely and it can be easily done The solution, although very interesting cannot be used with coniguration iles periodically fetched by devi- in our research as it only provides a part of required ces from management systems. As part of conigura- features. It proposes checking physical units at the le- tion content is attributes (or metadata) of a given de- vel of the modelling language, removing the need for vice, coniguration ile templates can be used. In other the support in the programming language. Also - due words: each template is an expression that evaluates to a nature of the solution - security problems are not to a coniguration ile. In order to adapt to changing to- addressed at all. Similarly, although [23] presents a pology of a network and to be able to support new ty- novel approach to interpretation for abstract equati- pes of devices with a new format of coniguration iles ons using table-driven pattern matching it does not there is a need to provide a user interface to network address security problems and cannot be used to eva- operators allowing them to deine new formats dyn- luate general expressions. amically. The system guarantees a ine-grain security An interesting idea to build an expression evalua- control over information that can/cannot be deined tion engine is to use XQuery as a base and one of avai- in the template. lable XQuery engines as the execution environment. The evaluation engine built is part on an inter- This could be achieved directly in Java - for instance nal scripting language that has to be lexible as both: by using XQuery Processor for Java solution. The pa- format of coniguration expected by a given device per [20] presents XQuery as a very convenient expres- as well as output format used by a given device can sion evaluation engine. The paper summarizes non- vary but should be uniied for end-user experience. By standard applications of XQuery - using it to solve re- end-user we understood network administrators with creational problems and puzzles or - speaking more some technical background. The evaluation engine al- generally - using it as a problem-solving language. lows them to (re)adjust the system for needs of a given A special case of an evaluation engine is regular ex- customer without rebuilding and redeploying the sy- pression searching engine. A regular expression can stem. be understood as a domain speciic language (DSL) This paper describes an attempt to create an ex- that has to deal with text-parsing. There is a vari- pression engine running on the JVM that is good for ety of engines available for Java platform. FIRE/J is use cases like the ones described above. More syste- one of them [21]. What makes the solution unique matically, the essential requirements for such engine is its speed. According to the authors of the publica- are: tion their solution is the fastest one which is one of - very high evaluation performance - a single expres- goals of our project. FIRE/J has a major limitation, sion, compiled once, is likely to be evaluated massi- though. It’s developed as a tool for direct code genera- vely, for many inputs tion. FIRE/J transforms each regular expression into a class ile that is tailored speciically for the expres- - ine grained security control - ability to easily reject sion. As a result the solution cannot be used to pro- potentially dangerous expressions by limiting what vide a real, run-time expression evaluation engine. Re- constructs and what API can be used gular expression evaluation engine is also a part of - lexibility and extensibility of the expression lan- [29]. Even though the main subject of the paper is im- guage proving eficiency on spam iltering techniques some All of these requirements have a common deno- ideas presented may be useful in the broader context minator: to allow the expressions to be dynamically of evaluation engines. The paper focuses on evaluating provided in runtime by means of graphical (e.g. admi- regular expressions in a fast and eficient way. Despite nistrative) interfaces without fear of security breaches of a lack of support for general expressions, the solu- and performance bottlenecks. tion focuses on C/C++ platform. The research described in the paper allowed aut- Although the major subject of the paper [30] is

31 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

combining textual and visual programming by dis- rantee embedded languages identical to correspon- playing Python and Java objects in a visual way some ding stand-alone language implementations when it ideas presented could be utilized in the general con- comes to safety, performance and expressiveness. The cept of evaluation engine. Extending the evaluation en- above mentioned paper mentions major safety pro- gine so that it allows a user to specify the expression blems related with language virtualization and DSL. as a combination of text (expression code) and visual However, the paper does not focus on safety thus not constructs may improve the user experience. One of provide a solution. test cases presented summarizes a visual editor of re- The work presented in [24] was the initial survey gular expressions. Nevertheless, the paper focuses on of the area and has been continued by the team of Visual Programming Languages (VPL) thus making it Tiark Rompf and Hassan Chai later on. One of inte- only partially useful in the context of our research. resting applications of DSL is described in [25]. The Another example of a special case of expression work is driven by the need to support increasing size evaluation engine is a database query engine. The of datasets and limited amount of computational po- good description of an algorithm for evaluating data- wer. Authors propose an alternative to MATLAB: Op- base queries is described in [22]. Queries are repre- tiML - a domain-speciic language for machine lear- sented as expressions in a logical language. The recur- ning. The major problem authors focused on is hete- sive algorithm computes values of (sub)expressions in rogenous environment which, despite of lots of ad- such a way that re-evaluation is avoided. To increase vantages requires researchers to have expert know- performance additional techniques are used such as ledge in different programming models (aimed at a transformations of the input expression. Although the speciic component of a computing system: message- performance of the proposed algorithm is high the so- passing libraries, threaded libraries, data parallel pro- lution focuses on a database queries only. Moreover, it gramming models etc.). What makes this research par- does not describe the whole engine. Security aspect - ticularly interesting is fact that OptiML is embedded in due to a nature of queries - is not addressed, neither. Scala. Its complier is implemented in Scala so OptiML Another example of research done on building ef- programs are also valid Scala programs. OptiML uses icient query engines is presented in [28]. What con- technique called lightweight modular staging to build stitutes the research particularly interesting for our an intermediate representation of a program. Several work is Scala language that has been selected to imple- static and dynamic optimization techniques are used ment LegoBase - a query engine being analysed by aut- including pattern rewriting, op fusing, best effort com- hors. The paper is part of abstraction without regret puting or relaxed dependencies. Authors focus on per- manifesto. Authors claim that database query compi- formance aspect of the problem but security control is lers should allow both: productivity (by using high le- beyond the scope of the research. vel languages) and high performance. It means that It has to be underlined that signiicant difference developers should not be forced to use low-level ab- between our research and OptiML is OptiML’s de- straction to program database management systems pendency on Scala-Virtualized [26]. Scala-Virtualized in order to obtain high performance. The approach ta- is a branch of the Scala compiler and standard li- ken by authors is to use Scala (which means: a high- brary that contains a few additions to provide even level language) which is then optimized to optimized, better support for embedded DSLs. The major con- low-level C code for each SQL query. Authors used tribution is overloadable control structures (while- Scala to emit C code. Generative (meta)programming loops, if-then-else, pattern matching), variables, ob- in Scala takes advantage of the type system of the lan- ject creation, etc. In Scala-Virtualized concept of trans- guage which ensures that abstractions such as generic lating for-comprehensions into method calls (to al- data-structures or function calls are optimized away low a programmer to change the meaning of a for- during code generation. Similar concept has been se- comprehension by implementing these methods in a lected in our research: each evaluation is compiled to required way) has been generalized to all control low Java bytecode (.class), loaded to JVM and then in- operators. stantiated. Such an instance is ready for evaluation. An extremely interesting and practical application As mentioned before a regular expression lan- of Lightweight Modular Staging is Lancet - a Just-In- guage is an example of a domain speciic language Time (JIT) compiler framework for a Java bytecode (DSL), sometimes ”little languages”. A DSL is a concise [27]. Traditional JIT compilers use rather simple sta- programming language designed to express in a clear tistics to determine piece of code to be compiled (such way a small domain of problems. A particularly inte- as a number of a method’s calls) and use speculative resting case for our purposes is embedded DSL which (”optimistics”) inlining decisions (which means that lives inside a host language which allows developers later on, during program’s exeecution the method call to use existing language instead of learning a new syn- may resolve to a different target thus forcing JIT com- tax. The paper [24] addresses signiicant problem of piler to deoptimize compiled code and compile/inline such languages. As DSLs exist inside a general pur- again). What Lancet adds on top of techniques used by pose language it is dificult for them to exploit dom- modern JIT compilers is ”access” to many other infor- ain knowledge. To deal with the problem there is a mation that could be exploited runtime. Mixing DSL- need for virtualizable languages - the ones that pro- expressions in a more general program allows expli- vide environment for embedded languages that gua- cit compilation and compile-time computation. Expli-

32 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

cit (on-demand) compilation is utilized by invoking JUEL and SpEL were designed to be used in static re- JIT compilation directly by programs which gives an sources of applications that use them. None of the possibility to relay warning (or error) messages to the three engines have any security features or means of program. That, combined with several techniques of easily achieving it. code optimization (namely controlled inlining, dead code elimination and aggressive partial evaluation) allows the compiler to guarantee (in same cases) that Expression Engine on Top Exisng Language Perhaps the part of compiled code will never allocate objects the most well known speciication of an embedded on the heap. As a result, that part of code can excluded scripting engine on the JVM is the JSR-233 standard, from garbage collector’s tracking. Compile-time com- Scripting for the Java Platform [5]. It speciies standard putation is a technique that allows JIT compiler to call data types and interfaces that must be provided by an back into the running program. In other words, the engine that allows dynamic script execution inside a JIT compiler is provided access to a ”context” - proper running JVM program. This standardized API prima- ”smart” library provided by a programmer of an appli- rily deines the way that host a program can commu- cation allows smart, domain-speciic compilation op- nicate with an embedded script - a glue layer. It is ag- timizations. Even though the goal of authors - more ef- nostic of the actual scripting language. icient, better native code generated by JIT compilers There is a vast amount of JSR-233 implementati- - is beyond the scope of our work some concepts pre- ons for many standalone programming languages as sented in the above mentioned paper have been inclu- well as custom, ad-hoc scripting languages. These in- ded into our research. For instance SyntaxValidator clude Java, JavaScript, Groovy, Scala, Ruby, Python, trait implements similar logic to a part of Lancet called PHP, etc. ”taint-analysis” which tracks what happens to user input. It is assumed that input is tainted and validation An JSR-233 scripting engine could be used as a ba- is performed to check whether the tainted data is ”le- sis for an expression engine providing that there is a aked” to branched part of code etc. way to limit the scripting language to simple expressions with proper security enforcement. The standard itself does not deine any means to achieve that, but Dedicated Expression Engines JVM has a signiicant concrete implementations and the scripting language number of expression evaluation engine implementa- that they use may have such capability. tions. In this article, particular three are of our inte- If a programming language has a standalone inter- rest: preter or compiler to JVM bytecode that by itself also - Java Uniied Expression Language (JUEL) [1] runs under JVM, it could be used directly instead of re- - Spring Expression Language (SpEL) [2, ch.8] lying on a JSR-233 implementation. In general, suitability of an JSR-233 implementa- - MVFLEX Expression Language (MVEL) [3] tion or a standalone compiler for implementing an ex- JUEL is an implementation of the Uniied Expres- pression evaluation engine depends heavily on traits sion Language standardized as a part of JSR-245 spe- of the language itself. Since the new expression en- ciication - Java Server Pages [4]. In JSP and JSF (Java gine targets the JVM, we are only considering langua- Server Faces [6], its successor) an expression language ges that have a JVM implementation. Also, require- is used mostly as a data binding layer between a web ments for evaluation performance and ability to sta- interface and an underlying business layer. Expres- tically analyze expression code suggest that languages sions are embedded inside JSP/JSF pages to specify with at least some form of static typing should more what data various UI components link to. This is a good easily meet these requirements than dynamically ty- example of a template-based user interface develop- ped languages. ment, where a web page is a template that has some Three languages have been chosen for evaluation ”holes” that need to be illed up in concrete context by in this paper: an expression evaluation. SpEL is an expression language used by the Spring - Java [7] - statically typed but verbose and inlexible Framework [2], primarily for enhancing coniguration in many aspects of application components (called beans) in the IoC - Groovy [9] - concise and lexible in many ways, but (Inversion of Control) container. In particular, expres- mostly dynamically typed (static typing as an op- sions can be embedded in XML iles that conigure be- tion) ans or inside Java annotations in source code of application components. This allows setting dynamic va- - Scala [8] - statically typed, with conciseness and lex- lues to various coniguration properties that can’t be ibility potentially on par with dynamically typed lan- expressed by simple literal values. guages thanks to type inference and other features MVEL is a general purpose expression engine with Scala and Groovy are normally languages compi- a hybrid dynamically-statically typed language and an led to JVM bytecode, but this does not mean there’s no optional compilation to JVM bytecode which signii- point in them supporting JSR-233. The point of JSR- cantly improves performance. 233 is not just interoperability with JVM objects but The three listed expression engines use mostly dy- dynamic, embedded execution without need for expli- namically typed, ad-hoc, simple expression languages. cit compilation and deployment.

33 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

3. Language Comparison of additional features that are important for the pro- In order to choose a programming language that grammer who sets up the expression evaluation con- could serve as a basis of an expression evaluation en- text. In particular, he/she must be able to inluence gine, we must recognize what features in detail should how expressions in concrete context are compiled and the expression language provide. The new expression evaluated and what constructs, API and types are avai- engine should be considered as a potential replace- lable to the author of expressions. In detail, these fea- ment or alternative to already existing engines and tures include: therefore should support most of expression language - ability to deine what top-level functions and objects constructs that these engines provide. are available in the expression More in-depth research on engines mentioned ear- - pluggable strategies for implementing dynamic ob- lier (JUEL, MvEL, SpEL) as well as a closer look on ge- ject property access and method calls neral purpose programming languages that could be a basis for the new expression engine reveals the follo- - enhancing API of existing types, e.g. by adding addi- wing set of commonly supported constructs: tional methods to standard data types like strings - essential constructs: literals, constants, arithmetic - limiting the API of well-known types only to a desi- and logical operators red set of methods, ields, etc. - variable assignments and references - deining additional automatic type conversions - custom operators and operator overloading - function and method calls - ability to statically (during expression compilation) - class instantiation analyze the expression code and reject potentially - operators for concise access to array, list and map unsafe or forbidden constructs and invocations elements (like square brackets for array access in JUEL, MVEL and SpEL engines as well as the lan- Java) guages Java, Groovy and Scala were all veriied in - concise syntax for array, list and map creation detail if features mentioned above are supported by them in any form. Table 1 summarizes the results of - ield references and assignments this research. - anonymous functions (lambdas) As we can see, Scala and Groovy seem to be the - basic higher-order functions for collections like il- most promising. They have most of the language featu- tering and transformation res required for an expression engine and they are the only two technologies with possibility of static expres- - automatic type coercion sion code analysis, which is probably the most impor- - null-safe dereference, e.g. the .? operator in Groovy tant requirement for the new expression engine con- [10]. sidering its need for security enforcement. Additionally, after more detailed analysis, Scala Example: expression obj.?field will evaluate to seems to be the winning option over Groovy since the null when obj is null instead of failing with an ex- latter is severely limited in its static analysis capa- ception. bilities by dynamic typing. Although it is possible to - default value operator (e.g. Groovy Elvis - ?: [11]) force static typing in Groovy and obtain some type information during compilation (by means of Groovy’s Makes it possible to concisely provide a fallback va- ASTTransformation feature), this cripples other lan- lue that should be used when another value is null. guage features like dynamic method calls or ability to Example: obj.name ?: "unknown" enhance API of existing types. - conditional expressions (e.g. ternary operator ?: in Adding language features and extensibility mecha- Java) nism listed in Table 1 to already existing languages - structural and imperative constructs (loops, would be a non-trivial task requiring probably cre- if-else etc.) ating a fork of each language and modifying their compilers/interpreters accordingly. Therefore, Scala - template expressions - string literals with ”holes” is selected as the most suitable technology for imple- that will be illed by actual expressions. menting the extensible, fast and secure expression en- An example of atemplate expression in SpEL (see gine described in this article. [2, p.189]): My name is ${person.name} where It is worth explaining how the constructs to be ex- person is the input object containing a property posed in language comparison were chosen. Expres- name. sion language is not meant to be a full programming language. In order to implement use cases like the one - standard C/C++ and Java like syntax for function described in the paper (conig ile templates) we only and method invocations and operators (this exclu- need the ability to deine relatively small, pure functi- des Lisp or Haskell like languages) ons. For that, constructs like ield/property selection, The features listed above are only the purely syn- function/method/operator application, ’if’-’else’ ex- tactical constructs used by the end user who will ac- pressions, lambda expressions, literals and constants tually write expressions. However, there is also a set are suficient. Expression engine will not be used

34 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

Tab. 1. Language comparison summary

Feature Java Groovy Scala JUEL SpEL MVEL constants and literals arithmetic and logical expressions variables object property access and assignment method calls class instantiation concise collection and map element access concise collection and map creation basic higher order functions for collections lambda expressions automatic type coercion null-safe dereference default value operator conditional expressions imperative and structural statements template expressions pluggable dynamic property access and assignment strategies pluggable dynamic method invocation strategies enhancing API of existing types limiting API of existing types custom automatic type conversions custom operators and operator overloading static expression code analysis to implement complex algorithms, side-effecting pro- lexibility to dynamically typed programming langua- grams, low-level programs or large codebases. The- ges. refore, there is no need to support language con- Scala version 2.10 introduces important metapro- structs like methods or classes, which are associated gramming facilities - relection and macros which are with code reuse, abstraction, modularity, readability key for implementing security features of the expres- and long-term maintenance. Supporting minimal, suf- sion engine. icient subset of language features also makes it way Scala naturally supports essential constructs like easier to secure the engine against exploits and write constants, arithmetic expressions, object property UI tools for syntax highlighting, suggestions, etc. access and method calls, constructors, etc. Expressi- ons in Scala mostly have a syntax similar to Java. Dif- 4. Scala as Expression Language ferences include e.g. usage of square brackets instead of angle brackets to denote generic types. For exam- In this section we will present a quick overview ple, Arrays.asList("str") in Java beco- of essential properties of the Scala programming lan- mes Arrays.asList[String]("str") in Scala (the guage and discuss in detail how its various features type can however be usually omitted due to type in- are suficient to meet requirements discussed earlier. ference). See [12] and [13] for more complete overview of the In Scala, there is no clear difference between a met- language. hod and an operator. Every operator can be though as Scala [8] is a programming language for the JVM ai- if it’s a method with a symbolic name. At the same time ming to blend the object oriented and functional pro- every method which takes exactly one argument can gramming paradigms and retain good interoperability be called with an inix syntax. All of the following con- with Java. It is a statically typed language with type in- structs are correct: ference and very complex, ine-grained type system. At the same time it aims to be close in its conciseness and 1 + 2

35 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

1.+(2) List(1, 2, 3, 4).filter(_ % 2 == 0) set.contains(element) List(1, 2, 3, 4).filter(i => i %2 == 0) set contains element List(1, 2, 3, 4).map(_.toString)

An unique feature of Scala is an ability to deine im- Scala does not have a ternary conditional operator plicit conversions [12, ch.15] between types. In an ex- (?:) from Java but it does not explicitly need it, be- pression evaluation engine, this can be used for two cause - unlike in Java - the if-else statement is an purposes: expression in Scala which means that is has a value. - to provide custom automatic type coercion This means that if-else can be used instead of ternary operator: - to enhance API of existing types with new methods, ields, etc. val yes: Boolean = ??? The API enhancing is possible thanks to the so cal- val repr = if(yes) "yes" else "no" led implicit views. By introducing an implicit conver- Scala also does not have null-safe dereference sion from type A to type B we effectively enhance API operator or default value operator, but it is possible to of A with API of B. Methods in type B become extension create a custom operator in Scala that serves both pur- methods of type A. This is often realized in Scala using poses. We will not show the implementation in this ar- a syntactic sugar called implicit classes. The follo- ticle, but as a guideline, the technique used to do this wing example enhances type String with an additio- involves either macros or an implicit conversion that nal capitalize method: takes its input as an by name argument (another dis- implicit class richStr(str: String) { tinct feature of Scala). As a result, following syntax is def capitalize = possible: str(0).toUpper + str.substring(1) obj.prop.method(arg) ? defaultValue } The expression in above example will evaluate to It is worth noting that extension method can also defaultValue either when left-hand-side operator be called with an inix syntax, so it is effectively possi- evaluates to null or when evaluation of left-hand-side ble to create and overload operators. would result in a NullPointerException. So the ? Scala also has a number of syntactic sugars that operator is actually a combination of null-safe dere- increase conciseness. For example, when a method is ference and fallback value operator. called apply, it can serve as an overloaded function In version 2.10, Scala introduced string interpola- application operator, i.e. obj.apply(arg) can be re- tion syntax. It allows to splice identiiers and expres- written just as obj(arg). Thanks to this, we can have sions into a string literal instead of concatenating all concise collection creation constructs like: the parts with the + operator. The syntax happens to be similar or identical to template expression syntax in List(1, 2, 3, 4) JUEL/SpEL/MVEL and therefore, string interpolations Array("str", null, "sth") can directly serve as a realization of template expres- Map("one" -> 1, "two" -> 2) sions.

The example above also uses a few other, indepen- val name = "John" dent Scala features: val surname = "Kowalski" - variadic arguments (the apply method takes a vari- val greeting = s"Hello, $name $surname!" able number of arguments of the same type) - irst-class objects (List, Array and Map are actually An area where Scala is perhaps more limited than singletons associated with their corresponding col- dynamically typed expression languages is the abi- lection types - so called companion objects) lity to provide pluggable strategies for dynamic property access and method invocations on arbitrary ty- - type inference (the apply methods on objects List, pes. The limitation is caused primarily by the static ty- Array and Map are generic) ping in Scala. However, this feature is often used in - custom operators (the -> is a custom operator that JUEL/SpEL/MVEL as a method for API enhancement creates a pair out of its operands) which has already been shown to be possible in Scala The apply method can also be used to im- using implicit classes. plement concise access to collection elements, e.g. Scala allows dynamic method and property access someList(2), someMap("key"). on types that the programmer has control of (is their It is important to remember that implicit con- author). There is a special trait (base type) in Scala - versions are resolved statically, based on types scala.Dynamic that can be extended by classes that known at compile-time (unlike type coersions in need to support dynamic property/method access. JUEL/SpEL/MVEL which use runtime type informa- In order to actually provide the property or met- tion). hod resolution strategy, that class needs to implement Scala is a functional language, so it naturally sup- selectDynamic and applyDynamic methods. ports constructs like lambda expressions and higher It is important to remember that selectDynamic order functions. Examples: and applyDynamic still are statically typed - they have

36 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

a statically typed arguments and a static return type. of the trees after they are typechecked. Types have So this feature cannot be used to somehow introduce a rich API which, among other things, makes it pos- dynamic typing into Scala. sible to inspect what members are available on various types or perform operations like type confor- 5. Metaprogramming in Scala mance tests. Metaprogramming is the method used by Scala- - Symbol objects represent various entities found in based expression engine to enforce security of evalua- the source code. For example, each variable, method, ted expressions. Therefore it deserves a separate over- class, object, etc. has a symbol. Symbols are divided view in this article. into two subcategories - term symbols (values, variables, objects, etc.) and type symbols (classes, traits, Scala Compiler Metaprogramming techniques in abstract types, type aliases, etc.). Symbols are also Scala are heavily related to internal architecture of associated with most of the trees after typechecking. the Scala compiler. Therefore we will briely describe For example, a tree representing a method invoca- the compilation process and data types used by the tion will have the symbol of the method being invo- compiler to represent various entities in compiled ked associated with it. programs. These data types are also exposed by the relection API, which is used in both runtime Trees, types and symbols are relection and macros (described later). Reﬂecon and Macros not only used by the compiler internally, but they are A compiler run consists of several phases [14]. also exposed by the Scala relection API [15]. This API Each phase takes as an input the output of the previ- is used by two metaprogramming facilities in Scala - ous phase. In most cases, that input and output is the runtime relection an macros. abstract syntax tree (AST) of the program. Each phase performs some modiications and reinements on the Runtime relection [17] allows a programmer to AST. In total, there is about 30 phases. Phases can be work with trees, types and symbols in runtime, as the divided logically into two stages, according to a stan- name suggests. It is possible to obtain types and sym- dard, generic architecture of compilers: bols for runtime objects and extract various information from it. - Stage of analysis is responsible for extracting as Macros [16] are a form of compile time metapro- much information as possible from the textual gramming in Scala. A macro is a special declaration source code and transforms it into canonical inter- in the Scala source code which is syntactically similar mediate representation ready to be compiled into to a regular method. The difference between a macro JVM bytecode. The most important phases of analy- and a method is that while a method works in runtime sis are the parser, namer and typer. Parser trans- - on values of its arguments and returns some other forms the textual code into an initial AST. Namer is value - a macro is invoked during compilation and ta- responsible at least for resolution of imports and ty- kes as its input and output a Tree for each argument. per - the most complex and time consuming phase - It can inspect these trees and modify them before re- performs the typechecking of the code. turning a inal tree that will replace the macro invoca- - Stage of synthesis gradually transforms the AST into tion and eventually be compiled to JVM bytecode. Ma- more raw forms, closer to the inal representation cros are expanded inside the typechecker phase. This which is ultimately translated into JVM bytecode. It means that the trees that macros work on carry max- contains several phases which are not of an interest imum information, including types and symbols. Ma- in this article. cros can also trigger compilation errors during their The compiled program is represented inside the expansion. compiler primarily by three types of objects which re- Macros are the key feature for implementing se- fer to each other: curity in a Scala based expression evaluation engine. - Tree is a representation of abstract syntax tree that They effectively allow a static analysis of expression is an input and output of most of the phases. Trees code which can inspect what language constructs are have immutable, hierarchical structure and mutable being used in an expression being compiled and what attributes. The structure of the tree heavily depends methods are being invoked by it. Upon detection of a on what phase is being executed. For example, a tree forbidden construct or invocation, the macro can sim- just after parsing is closest in its structure to textual ply trigger a compilation error. source code - no syntactic sugars have not yet been expanded, no types inferred, no implicit conversions 6. Scala Expression Engine Implementaon applied, etc. The tree is still closest to its textual form in this phase because things like import resolution, This section describes the core API of the Scala ex- type inference and implicit resolution have not been pression evaluation engine as well as gives more de- performed yet. On the other hand, all of this informa- tails about the underlying implementation. tion is explicitly represented in the tree after it exists the typechecker phase. Essenal Components and Types The central - Type is a representation of every Scala data type. Ty- component of the Scala expression engine is the pes are one of the attributes associated with most ScexCompiler object. It encapsulates the actual Scala

37 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

compiler and provides the toplevel API for expres- proile, but can be different for each expression that sion compilation. The most important method for uses the same proile. expression compilation has the following signature: import scala.reflect Compilaon Process Expression Compilation is Per- .runtime.universe.TypeTag formed in the Following Steps: 1) ExpressionDef object is created. This intermedi- def getCompiledExpression[ ate object contains full information about how the C <: ExpressionContext[_, _] : TypeTag, expression should be compiled, what the expres- T: TypeTag]( sion code is and what are the input and output ty- profile: ExpressionProfile, pes. expression: String, 2) ExpressionDef object is optionally preprocessed. template: Boolean = true, Preprocessing may include any modiication of ex- header: String = ""): Expression[C, T] pression deinition (e.g. additional pre-translation The types used in above signature and other API of code) elements are: 3) Expression code is wrapped into a proper Scala - TypeTag is a type from Scala runtime relection source ile that contains the expression class im- API. The syntax T: TypeTag denotes that method plementing Expression trait. The bare expression getCompiledExpression will have access to run- code is wrapped into an invocation of security- time information about type T. enforcing macro. - Expression[C,T] is a function that takes an expres- 4) Source ile is passed into the Scala compiler for ac- sion context (type C) as an input and returns some tual compilation. arbitrary value of type T. This is what we understand 5) During typer phase, the security-enforcing macro as expression evaluation. is expanded. The macro uses syntax validator and - ExpressionContext[R,V] is the input of the ex- symbol validator to analyze expression code for pression and serves two purposes: forbidden constructs and invocations. - It encapsulates the root object of the expression - 6) Expression class is compiled into JVM bytecode an object of arbitrary type R whose API is directly and .class iles are generated. exposed to be used by expression code. Root ob- 7) Expression class is loaded into the JVM, instantia- ject is also de facto the actual input data of the ex- ted and returned as a compiled expression. pression. - It serves as a container for variables of an arbitrary Conﬁguraon of Validators As described earlier, the type V which can be accessed inside the expres- programmer can decide what language constructs and sion. invocations can be used inside expression code by pro- - ExpressionProfile customizes the way expres- viding a SyntaxValidator and a SymbolValidator sion is compiled. The proile consists of: instance through ExpressionProfile. This section - SyntaxValidator deines what language con- describes how these two components are conigured. structs are allowed to be used by the expression. Syntax validator is a following trait: - SymbolValidator deines which methods can be import scala.reflect.macros.Universe invoked and which ields can be accessed for particular types. trait SyntaxValidator { - Expression header - code that will be compiled al- def validateSyntax ong each expression. Header is primarily used to (u: Universe)(tree: u.Tree): provide import clauses for expression code. (Boolean, List[u.Tree]) - Expression utils - implementation of additional } API that can be used inside expressions. This can be used to implement some API in Scala in situa- The tree is a fully typechecked tree representing tion when application using the expression evalu- the expression code. Since it contains type informa- ation engine is by itself written in Java. tion, it may be used for much deeper validation than just syntax validation. However, validation of types Symbol validator and syntax validator are the core and symbols is much more complex in its implemen- components performing static analysis of expressi- tation and was done as a separate component - the ons and security enforcement. The way they are cre- symbol validator. Syntax validator is intended to be ated and conigured will be described in more detail used to look for forbidden syntactic constructs, like later in this paper. deinitions or loops. Such validation can be easily im- - The template parameter controls whether an ex- plemented using pattern matching on particular ca- pression is compiled as a template expression. ses of trees. This is what is usually done inside the - The header parameter provides additional header validateSyntax method. that will be compiled in expression code. Its pur- The validateSyntax method returns a pair that pose is similar to the header speciied in expression denotes whether the tree passed the validation and

38 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

a list of children trees that need to be validated next. programmer wants to allow or deny usage of a non- This way syntax validation descends through the en- static member on some type, that reference must be tire expression tree. additionally put inside an on statement which speci- By default, the expression engine provides a stan- ies the exact type on which the member is allowed or dard implementation of a syntax validator that al- denied. lows only simple expressions to be used. This includes Simple example of ACL created with symbol vali- constants, identiicators, method calls, operator appli- dation DSL: cations, lambda expressions, conditional statements, simple blocks and constructor invocations. No assign- val acl = allow { ments, declarations, deinitions or loops are allowed. String.valueOf(_: Int) Symbol validator is much more complex to imple- } ++ deny { ment and requires some more convenient conigura- on { obj: java.lang.Object => tion layer to avoid dealing with raw Tree objects. obj.wait() In order to create an instance of obj.notify() SymbolValidator, the programmer needs to pro- obj.equals _ vide an ACL-like structure (Access Control List). In } a program using Scala expression engine, this ACL } is represented by type List[MemberAccessSpec]. In the example above, the acl value will have the Each element, a MemberAccessSpec instance either type List[MemberAccessSpec] which can be conca- allows or denies usage of some symbol (method, ield tenated with other ACL parts or eventually used to or constructor, including methods visible through create a symbol validator. The above example allows implicit views) on a particular type. In detail, the usage of a static method valueOf that takes a single MemberAccessSpec contains following information: Int argument of a class java.lang.String and de- - information about the type nies instance methods wait, notify and equals on - signature of the member of that type that is being type java.lang.Object. denied or allowed by this element As in all ACL-like structures, if more than one element in the ACL matches invocation that is being vali- - optional signature of implicit conversion that is used dated, the element earlier in the list has a priority over to obtain an implicit view that causes that member to the latter one. be available on that type Symbol validator DSL also provides additional con- - information about whether this element denies or venience constructs for allowing or denying the entire allows usage of given symbol on given type sets of members with single statements. Below is presented a comprehensive list of all available constructs Symbol Validaon DSL Instances of in the DSL (examples are assumed to be inside allow MemberAccessSpec and the ACL are not created or deny block): by the programmer manually. Instead, a dedicated - static members (explicitly) Scala DSL (domain speciic language) has been created for that purpose. That DSL is an example of a Integer.parseInt(_: String) technique called language virtualization, which essen- tially means to replace standard semantics of some - instance members (explicitly) - either available di- language (in this context Scala) with some custom rectly or by an implicit view semantics, i.e. leverage syntax and type system of Scala for a different purpose than compilation of Scala on { str: String => program. str.substring(_: Int) Language virtualization in symbol validation DSL str.substring(_: Int, _: Int) is realized by another set of Scala macros, allow and str.toString() deny. Each of these macros take a speciic block of } code (format described below) and generate code that - all static members of some Java class evaluates to a part of the ACL. These parts can be later concatenated into a full ACL using standard Scala list allStatic[String].members concatenation operator ++. The blocks being passed as inputs to allow and - all static members of some Java class with a given deny contain a references to scala types and their name members that the programmer wants to allow or deny. References are represented as lambda expressions or allStatic[String].membersNamed.valueOf simple method calls (i.e. lambda expressions and method calls are virtualized as references to symbols). - all members available on a given type If a programmer wants to allow or deny usage of some static Java member or member of Scala tople- on { str: String => vel object, the reference to that member is put directly str.all.members into the block passed as input to allow or deny. If the }

39 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

This deliberately excludes members declared in top- Detailed Security Analysis Syntax and symbol valida- level types Any and AnyRef, i.e. equals, hashCode, tors provide means to achieve tight security enforce- == etc. since they are available on all types (or all re- ment, but they must be used carefully and with full ference types) and it’s not usually the intention of a awareness of possible vulnerabilities. Every security programmer to include them. feature protects only against some particular class of - all members available on given type with given name attacks. This section describes possible security vulnerabilities that could be exposed by expression en- on { str: String => gine and makes it clear which of them the Scala expres- str.all.membersNamed.substring sion engine protects against. It also discusses which } security problems must be addressed separately, in other layers of the software that uses an expression en- - all members available on a given type declared in gine. class representing that type Exposing expressions to a malicious user could ge- on { str: String => nerally cause three types of security breaches: str.all.declared.members - unauthorized access to sensitive data } - unauthorized access to operations that could da- This includes all members declared in that class di- mage or compromise the host system rectly and all members that this class overrides. - exhaustion of resources used by the host system or - all members available on a given type declared in a abnormally high utilization of these resources class representing that type and not inherited from All of these breaches could obviously be caused by supertypes exposing an expression API that is insecure by itself. It is a responsibility of the programmer/administrator on { str: String => to ensure that functions and operations that can be str.all.introduced.members used in an expression are internally secure. If they } aren’t, the engine itself has no way of knowing this, This includes all members declared in that class that since it only uses compile-time information for vali- don’t override a member from superclass. dation. So the most basic rule of designing secure ex- - all members available on given type by an implicit pression API is to make sure each exposed method is view to some type secure by itself. However, sometimes it may not be obvious that on { str: String => some operation is insecure. For that reason, we give str.implicitlyAs[StringOps] examples of common ways in which a member of ex- .all.members pression API may become a security hole. } - Exposing toString() - a single constructor for a given type Allowing toString() calls is an easy way to leak sensitive information. The toString() method new java.util.Date should only be allowed on simple data types that - all constructors for a given type have an obvious implementation of toString(). Therefore, one should be extremely careful when al- on { str: String => lowing calling toString() on: str.all.constructors } - classes encapsulating something else than immutable data, e.g. some internal state - all bean getters, bean setters, scala getters or scala - classes and interfaces that are a base of an open setters available on a given type type hierarchy - even if the base type itself is se- on { jb: SomeJavaBean => cure, any of its subtypes may no longer be so jb.all.beanGetters - generic containers, e.g. collections jb.all.beanSetters For example, allowing calling toString() on } type List[Any] is an obvious security issue. on { sc: ScalaClass => List’s toString() implementation internally calls sc.all.scalaGetters toString() on its elements and the expression en- sc.all.scalaSetters gine doesn’t know about it, because this information } is not available in compile time. This effectively gi- Constructs listed above can be freely combined to form ves us access to results of toString() on any value more complex patterns, e.g. that could be inside a list. List[Any]#toString() is therefore as insecure as Any#toString(). on { o: SomeType => o.implicitlyAs[OtherType] - Exposing API that internally uses toString() .all.introduced.beanGetters In any API which exposes string manipulation met- } hods, there usually are some functions and opera-

40 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

tors which take arbitrary values as their arguments 7. Usage Example and call toString() on them internally. The + ope- This section outlines a typical use case for Scala ex- rator for concatenation of strings and arbitrary va- pression engine and explains how its features make it lues is perhaps the most apparent example of such a viable solution that retains good performance and API. Therefore, when exposing these API fragments, enforces tight security. one must be as careful as with the toString() - Exposing untyped operations Dynamic Serving of Conﬁguraon Files Scala expres- It is highly recommended that the exposed expression engine could be used in a system for mass ma- sion API is as strongly, statically typed as possible. nagement and coniguration of devices, e.g. telecom- This way we have much more information to work munication devices like routers. These devices usually with in compile time and we can be vastly more pre- require dynamic, remote reconiguration. This may be cise when deining security rules using symbol vali- easily done with coniguration iles periodically fet- dator DSL. ched by devices from the management system. Howe- - Exposing API with non-constant time or memory ver, contents of coniguration iles may need to be ge- complexity. nerated dynamically, based on some data associated This could lead to easy exhaustion of host system re- with particular device asking for coniguration. Additi- sources, especially considering the fact that expres- onally, the exact format of each conig ile may need to sions are meant to be evaluated massively, on multi- be different for various device types. Above all this, sy- ple pieces of input data. stem operators may want to change the contents and structure of served coniguration iles on a regular ba- Even more dangerous than exposing methods with sis, without reconiguring and restarting the manage- just non-constant (e.g. linear) complexity is expo- ment system itself. sing APIs with complexity determined by runtime This problem can be easily addressed with an ex- values passed to them. For example, Scala standard pression engine: operators could use some user inter- library provides an * operator on the String class face to deine coniguration ile templates. Each tem- which takes an integer argument and replicates a plate may have placeholders that would be illed by string given number of times. Simply by passing a some data associated with the device when that de- large integer value, e.g. "abc"*10000000, expres- vice asks for coniguration ile. In other words, each sion writer can easily cause allocation of very large template would be an expression that evaluates to ex- amounts of memory. act coniguration ile contents based on particular de- Apart from securing the API itself, one must also vice data. take some measures to secure the syntax. Scala is a For example, let’s assume that the data associated general-purpose programming language, but the Scala with a device is represented by following Scala trait: expression engine enables only a small portion of its syntactic constructs. This is done on purpose, to disal- trait DeviceData { low elements which could easily exhaust resources of def id: String the host systems (e.g. loops). Although it is possible def currentIP: String to provide custom syntax validator and allow more, def modelName: String it is highly recommended to stay with the predei- def manufacturer: String ned simple-expression syntax subset of Scala. In ot- def wifiSSID: String her words, we should keep the expression engine an def wifiPassword: String expression engine and not make it a scripting engine, def wifiEncryption: String which is much harder to secure. } Exhaustivity of security heavily depends on the language constructs exposed. That’s why it’s important to keep them minimal. The simpliest general ex- This data is either sent by the device when it asks ample of an API secured with our evaluation expres- for coniguration ile (e.g. current IP) or is stored in sion would be exposing desired subset of some Java the system database (e.g. WiFi parameters to be set). class and forbidding usage of common methods that It may also come from some external systems. could lead to information leaking (toString, concate- Let’s assume that we need to send coniguration nation with Strings, getClass, etc.) or low-level operati- ile to a group of home routers in order to setup the ons that could disrupt the entire process (wait, notify, WiFi network. The coniguration ile format accepted etc.). by devices may look like this: Finally, one must be aware that usage of CPU and memory during expression evaluation is at least pro- [wifi] portional to the overall complexity of the expression. ssid=homeWifi Therefore, some limits must be enforced in this area. password=secretPassword For example, one may want to limit the textual length encryption=WPA2 of an expression or maximum depth of its syntax tree. The latter case can be easily implemented with a cus- System operator could then deine a template for tom syntax validator. such coniguration ile. This template would be a SCEX

41 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

expression that could look like below. This is assu- - Scala 2.11.1 ming that the programmer has deined the expres- Comparison was done against: sion API for this particular purpose to contain a value - SpEL for Spring Framework 4.0.6 deviceData which is of type DeviceData. - JUEL 2.2.7 [wifi] - MVEL 2.2.1 ssid=${deviceData.wifiSSID} password=${deviceData.wifiPassword} Evaluation encryption=${deviceData.wifiEncryption} Scala 1312 Scala engine 2312 However, some types of devices may not accept the SpEL 150565 values in the same format as they are stored in the sy- JUEL 161567 stem database. For example, let’s assume that encryp- MVEL 14627 tion mode saved in database is exactly ”WPA2”, but the Compilation device accepts only lowercase ”wpa2”. System operator can quickly deine a separate template for this par- Scala engine 115868 ticular type of device and adjust to device behavior: SpEL 51 JUEL 56 encryption= MVEL 1039 ${deviceData.wifiEncryption.toLowerCase} The tests show that evaluation performance is in- Thanks to the fact that an expression engine allows deed close to raw Scala code compiled statically, but us to dynamically deine small snippets of code, the the price is a heavyweight compilation process. This is operator has very detailed control over what exactly however well-suited for requirements deined in this is being sent to devices. Also, since such strange issues article - a single, compiled expression is expected to may be very unpredictable, it is very hard to preconi- be evaluated massively, on multiple inputs. It is also gure the management system to handle all device ty- worth mentioning where differences between SpEL, pes properly. The possibility of dynamic loading and JUEL and MVEL come from. In SpEL and JUEL expressi- redeinition of templates is very useful here. ons are interpreted fully dynamically and compilation Use case described above has all the important step involves only basic parsing of an evaluation. As a needs that SCEX addresses: result their compilation time is better but evaluation signiicantly worse. - templates (expressions) are deined and loaded dynamically 9. Summary - templates are deined by system users, possibly We have presented a new approach to imple- using graphical interfaces - security enforcement is menting an expression evaluation engine for the JVM. needed The key goals of that approach is high evaluation per- - single template is typically evaluated and applied on formance and secure compilation and evaluation of large number of devices - evaluation performance is expressions so that they can be safely created by po- important tentially malicious users, possibly using graphical system interfaces. These properties should not result in 8. Performance a less rich or lexible expression language than ones A set of performance tests was carried out to con- provided by existing solutions. irm that the evaluation of expressions in the new en- We have shown that already existing solutions, re- gine is comparable to performance of raw bytecode. presented primarily by engines JUEL, SpEL and MVEL The engine was compared with statically compiled do not meet these requirements. We have also evalu- Scala code and engines described earlier - JUEL, SpEL ated already existing, general purpose programming and MVEL. Also, a simple compilation performance languages for suitability of building an expression en- test was carried out. gine on top of them. The language of choice was Scala. The purpose of tests is not to give any precise nu- Its primary advantage over other languages is sta- meric coeficients since evaluation and compilation tic type system which guarantees good performance performance greatly depend on what kind of expres- and makes it possible to statically analyze code using sions are actually compiled and evaluated. macros, a compile metaprogramming facility. Despite The tests consisted of series of evaluations or com- being statically typed, Scala still retains much of the pilations of expressions in a loop. Tables below pre- lexibility and conciseness of dynamically typed lan- sent the results. The numbers are in milliseconds and guages. serve only for comparison with each other. We have described how exactly Scala features can Following coniguration was used in the test case: be leveraged for an expression language and presen- - processor Intel Core i7-3520M 2.90GHz ted a quick overview of its metaprogramming capabi- lities. Then we have outlined the most important ele- - Microsoft Windows 7 64bit ments of API and architecture of the new expression - Oracle JDK 8 update 20 64bit engine. As one of the most important elements, a DSL

42 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

for specifying what invocations are allowed inside ex- [14] Overview of Scala Compiler Phases pression code was presented in more detail. https://wiki.scala-lang.org/display Finally we have shown that the new expression /SIW/Overview+of+Compiler+Phases engine meets its performance requirements by being access: September 2014. comparable to statically compiled Scala code. [15] Scala Relection API: Symbols, Trees and Types http://docs.scala-lang.org/overviews /reflection/reflection/ AUTHORS symbols-trees-types.html ∗ Arkadiusz Janik – AGH University of Science and access: September 2014. Technology, al. Mickiewicza 30, 30-059 Krakow, Po- land, e-mail: [email protected]. [16] E. Burmako, M. Odersky Scala Macros, a Techni- Roman Janusz – AGH University of Science and cal Report. Ecole Polytechnique Fédérale de Lau- Technology, al. Mickiewicza 30, 30-059 Krakow, Po- sanne (EPFL), July 2012. land, e-mail: [email protected]. [17] Y. Coppel Relecting Scala. Laboratory for pro- ∗Corresponding author gramming methods, EPFL, January 2008. [18] E. Burmako Scala Macros: Let Our Powers Com- bine! EPFL, July 2013. REFERENCES [19] J. Cooper, S. McKeever A model-driven appro- [1] Java Uniied Expression Language. ach to automatic conversion of physical units Soft- http://juel.sourceforge.net/juel.pdf ware: Practice and Experience, vol. 38, no 4, 10 access: September 2014. April 2008, 337–-359. DOI: 10.1002/spe.828. [2] R. Johnson et al. Spring Framework Reference Do- [20] P. Kilpelainen Using XQuery for problem sol- cumentation, 3.2.4.RELEASE, 2013. ving Software: Practice and Experience, vol. [3] MVFLEX Expression Language. 42, no.12, December 2012, 1433–-1465. DOI: http://mvel.codehaus.org/ 10.1002/spe.1140. access: September 2014. [21] V. Karakoidas, D. Spinellis FIRE/J—optimizing [4] K.M. Chung JavaServer Pages™Speciication Ver- regular expression searches with generative sion 2.3, Maintenace Release 3. May 2013. programming Software: Practice and Expe- rience, vol. 38, no. 6, May 2008, 557–-573. DOI: [5] M. Grogan JSR-223 – Scripting for the Java Plat- 10.1002/spe.841. form. Final Draft Speciication, version 1.0. Sun Microsystems, 2006. [22] J. H. M. De Vet A practical algorithm for evaluating database queries Software: Practice and Ex- [6] E. Burns JavaServer™Faces Speciication, Version perience, vol. 19, no. 5, , October 2006, 491–-504. 2.2. Oracle America, Inc, March 2006. DOI: 10.1002/spe.4380190505. [7] J. Gosling et al. The Java®Language Speciication, [23] C. Hoffman, M. O’donnell, R. Strandth Imple- Java SE 7 Edition Oracle America, Inc, February mentation of an interpreter for abstract equa- 2013. tions Software: Practice and Experience, vol. [8] M. Odersky Scala Language Speciication, Version 15, no. 12, October 2006, 1185–-1204. DOI: 2.8. Programming Methods Laboratory, EPFL, 10.1002/spe.4380151205. September 2013. [24] C. Hassan, Z. DeVito, A. Moors, T. Rompf, [9] The Groovy programming language A. Sujeeth, P. Hanrahan, M. Odersky, K. Olu- http://groovy.codehaus.org/ kotun, ”Language Virtualization for Hetero- access: September 2014. geneous Parallel Computing”. In: Proceedings of the ACM international conference on Ob- [10] Groovy - Safe Navigation Operator ject oriented programming systems langua- http://groovy.codehaus.org/Operators ges and applications, 2010, 835–847. DOI: #Operators-SafeNavigationOperator 10.1145/1869459.1869527. %28?.%29 access: September 2014. [25] K. Sujeeth, Arvind, Lee, HyoukJoong, J. Brown, Kevin, et al. OptiML: an implicitly parallel dom- [11] Groovy - Elvis Operator ainspeciic language for machine learning. In: http://groovy.codehaus.org/Operators Proceedings of the 28th International Conference #Operators-ElvisOperator%28?:%29 on Machine Learning, ser. ICML, Pages 609-616, access: September 2014. 2011. [12] M. Odersky Scala by Example Programming Met- [26] Rompf, Tiark, Amin, Nada, Moors, Adriaan hods Laboratory, EPFL, June 2014. et al. Scala-Virtualized: linguistic reuse for [13] M. Odersky, L. Spoon, B. Venners Programming deep embeddings Higher-Order and Symbo- in Scala: a comprehensive step-by-step guide, 1st lic Computation, March 2012, 165–207. DOI: edition. Artima Press, 2008. 10.1007/s10990-013-9096-9,

43 Journal of Automation, Mobile Robotics & Intelligent Systems VOLUME 11, N∘ 3 2017

[27] Tiark Rompf, Arvind K. Sujeeth, Kevin J. Brown, HyoukJoong Lee, Hassan Chai, Kunle Olukotun. Surgical precision JIT compilers. In Proceedings of the 35th ACM SIGPLAN Conference on Pro- gramming Language Design and Implementation (PLDI ’14). ACM, New York, NY,USA, 41-52., 2014 DOI: 10.1145/2594291.2594316, [28] Yannis Klonatos, Christoph Koch, Tiark Rompf, Hassan Chai. Building eficient query engines in a high-level language.In: Proc. VLDB Endow. 7, 10 June 2014, 853–864. DOI: 10.14778/2732951.2732959. [29] N. Perez-Diaz, F. Fdez-Riverola, J. Mendez Wire- brush4SPAM: a novel framework for improving eficiency on spam iltering services Software: Practice and Experience, vol. 43, no. 11, Novem- ber 2013, 1299–1318. DOI: 10.1002/spe.2135, [30] G. French, J. Kennaway, A. Day Programs as visual, interactive documents Software: Practice and Ex- perience, Volume 44, Issue 8, pages 911–930, Au- gust 2014. DOI: 10.1002/spe.2182,