Jacaranda Language Specification, draft 0.2

"Inside every large problem is a small problem struggling to get out."
  -- C. A. Hoare


Introduction
============

This document is draft version 0.2 of a specification for the
Jacaranda programming language. Jacaranda is an object-capability
[Miller2006] sublanguage of JavaScript.

To be more precise,

Define language A to be an *attribute-verifiable sublanguage* of B
if-and-only-if:

 - there exists an attribute grammar [Knuth1968, Knuth1971, Swierstra2005]
   for A whose underlying grammar recognises a subset of texts recognised
   by B, and that deterministically computes an 'errors' attribute
   (whose value is a set of error indicators) on the start nonterminal;

and the semantics of executing a text in A are:

 - if the text is not recognised by A's underlying grammar or if the
   'errors' attribute on the start nonterminal is non-empty, report these
   errors. Otherwise, execute the program according to the specification
   of language B, in a given execution environment.

If the grammar for A is S-attributed
<http://en.wikipedia.org/wiki/S-attributed_grammar>, then A is an
S-attribute-verifiable sublanguage of B.

By *ES3*, we mean the programming language specified by ECMAScript,
3rd edition, subject to corrections for known specification errors
in that standard as described in the "ES3 Amendments" section below.
Jacaranda is an S-attribute-verifiable sublanguage of ES3.

Note that _any_ implementation of language B that satisfies B's
specification when applied to programs in the A sublanguage, is
sufficient to execute a verified A program. In the case of Jacaranda,
the sublanguage avoids many known bugs in commonly used JavaScript
implementations, and so verified code does not necessarily need to
be run on a fully correct implementation of ES3.

By using this definition of subsetting, Jacaranda differs from some
other proposals for security-focussed sublanguages of ECMAScript, such
as Caja and Cajita [Miller2008] or FBJS [Facebook]. In implementations
of those languages, the code is rewritten to a form that can introduce
additional run-time errors (or other changes in behaviour, called
"gotchas" in the Caja/Cajita specification), that would not occur
when running it directly as ECMAScript.

In Jacaranda, there are necessarily no changes in the possible run-time
behaviour of a verified program relative to the same program in ES3.
There are cases where an existing JavaScript program might have to be
modified in such a way that additional run-time errors could occur --
for example some property accesses may have to be replaced by function
calls, which can throw exceptions -- but these can only happen where
there are explicit changes in the source code.

Other advantages of specifying and implementing a safe sublanguage by
attribute-verification rather than by rewriting include:

 - A verifier is easier to understand and has fewer sources of
   potential implementation error than a rewriter. To understand a
   rewriter, one must keep in mind the semantics of both the source
   and target languages, and convince onesself that the source language
   semantics are preserved by the translation (taking into account the
   run-time library that the translated code depends on). For a verifier,
   the subsetting relation is automatic.

 - It is easy to perform white-box testing of a verifier based on an
   attribute grammar, because the intermediate results are deterministic
   and do not depend on any implementation choices. The attribute grammar
   specifies precisely what tree of attribute values are to be computed for
   any given input. So a single white-box test suite can be run against
   all implementations, or implementations can be compared against each
   other for "fuzzed" input <http://en.wikipedia.org/wiki/Fuzz_testing>,
   and any differences in the resulting attribute tree (not just differences
   in the overall pass/fail outcome of verification) will necessarily
   be bugs. 

 - There are no difficulties in reverifying a program that has already
   been verified. (A non-idempotent rewriter cannot usefully process a
   code fragment twice -- even if the result is correct, it will be too
   inefficient.)

   It would also be possible to apply N-version programming, with
   verifiers written using different languages and/or parser libraries
   by independent teams of programmers: a simple harness could run all
   versions concurrently and if they differ, reject the input program
   and report a bug.

   (Of course these techniques will only directly catch implementation
   rather than specification bugs. They also only apply to the verifier;
   the JavaScript implementation(s) used to execute verified programs
   still need to be tested more conventionally.)

 - In the S-attributed grammars (lexical and syntactic) used to specify
   Jacaranda, all attributes are *synthesized*; that is, each node's
   attributes can be computed only from the attributes and contents of
   its immediate child nodes. This admits a particularly simple and
   efficient (in time and memory) verifier implementation, in which
   programs can be parsed and verified in a single pass, without
   necessarily constructing a syntax tree, abstract or otherwise.

   The verifier can use almost any form of parser (Jacaranda omits
   two misfeatures of ECMAScript syntax that may complicate parsers:
   semicolon insertion, and context-sensitive lexing of regexp literals).
   Attribute computation can be implemented using the "semantic actions"
   supported by most existing general-purpose parser systems, and is
   also straightforward to implement in an ad-hoc recursive descent
   parser.

 - to specify a sublanguage, you only need to define how the
   language is restricted syntactically. If that is done by an
   attribute grammar, there is little room for ambiguity in the
   specification of the verifier. The semantics are already defined
   by the original language specification, modulo bugs and
   ambiguities in that specification.

   (Jacaranda also requires a run-time library written in JavaScript,
   but that library is relatively small and of low implementation
   complexity. In fact it is mostly a set of utility functions which,
   although they are written in JavaScript and therefore have to be
   trusted, are each very short and can be understood independently.)

   A specification that defines a rewriting into another language is
   more complicated, and gives a result that is less directly useful
   and understandable to most users of the subset language.

 - There is less inefficiency introduced into the code that is
   being run. While there is some overhead due to changing property
   accesses to function calls, this is explicitly visible in the
   source code (and can be avoided in many cases).

 - Debugging is simplified because it is the original code that is
   being debugged.

   Although it is possible in principle to provide a debugger with
   a mapping between lines of the input code and its rewritten
   form, in my experience this often doesn't work very well
   (particularly when the ordering of code is changed, as it is
   by many of the Caja rewriting rules).

Despite these differences, Jacaranda is strongly influenced by Caja and
Cajita, and by ADsafe [Crockford], which is also a static sublanguage
of ES3 that could in principle be specified by an attribute grammar.

(Differences between Jacaranda and ADsafe are out of scope for this
document, but in general Jacaranda allows a qualitatively larger
sublanguage of ECMAScript than ADsafe. Also, Jacaranda is an
object-capability language with per-object encapsulation, whereas
ADsafe only provides encapsulation between module instances.)

I encountered the idea of using attribute grammars for validation
(as opposed to their more common uses in assigning semantics or for
code generation) from Meredith Patterson and Len Sassaman [PS2008].
The earliest reference I can find to a programming language being
defined in terms of an attribute grammar, is a 1977 paper defining
a subset of Algol 68 [Simonet1977].


[Knuth1968]  Donald Knuth,
             Semantics of Context-Free Languages,
             California Institute of Technology,
             Theory of Computing Systems, Volume 2 Number 2.
             Springer, New York, June 1968.

[Knuth1971]  Donald Knuth,
             Semantics of Context-Free Languages: Correction,
             Stanford University,
             Theory of Computing Systems, Volume 5 Number 2.
             Springer, New York, June 1971.

[Simonet1977] M. Simonet,
             An attribute description of a subset of Algol 68,
             Proceedings of the Strathclyde ALGOL 68 conference,
             Glasgow, Scotland, pages 129-137, 1977.
             <http://portal.acm.org/citation.cfm?id=807152>

[Swierstra2005] Wouter Swierstra,
             Why Attribute Grammars Matter,
             The Monad.Reader, Issue Four, 01-07-05.
             <http://www.haskell.org/tmrwiki/WhyAttributeGrammarsMatter>

[PS2008]     Meredith L. Patterson and Len Sassaman,
             Validation by Parse Tree Comparison Extended to
             Context-Sensitive Grammars,
             In preparation, 2008.

[Miller2006] Mark S. Miller,
             Robust Composition: Towards a Unified Approach to
             Access Control and Concurrency Control,
             PhD thesis, Johns-Hopkins University, May 2006.
             <http://www.erights.org/talks/thesis/>

[Miller2008] Mark S. Miller,
             Caja draft specfication,
             Latest version available from
             <http://code.google.com/p/google-caja/issues/list>

[Crockford]  Douglas Crockford,
             ADsafe specification,
             <http://www.adsafe.org>

[Facebook]   FBJS - Facebook Developers Wiki,
             <http://wiki.developers.facebook.com/index.php/FBJS>


Conventions
===========

Definitions of technical terms used in this specification should
be taken from the first of the following documents that provides
a definition for the term:

1. This document.
2. ECMA-262, 3rd edition.
3. The Unicode Standard, version 5.1.0.

Defining occurrences of terms in this document are shown like
this: *term*.

A *string* is a sequence of zero or more UTF-16 code units.

In this specification, strings are often presented in
single quotes; this has the same meaning, including use of
\u escape sequences, as the corresponding string literal in ES3.

Terms applied to strings such as *starts with*, *ends with*,
etc. are defined in terms of this code unit sequence,
regardless of whether it is a well-formed UTF-16 encoding.
For example, '\uD800__' is considered to end in '__'.

Code fragments are given in double angle quotation marks:
« ». In general, these fragments should be interpreted as
ES3 code; they may or may not be valid in the Jacaranda
sublanguage. In code fragments, \ stands for itself.

Grammar productions are given in single angle brackets:
< >. An optional occurrence of a production is shown as
< >opt. \u escapes are used in grammar productions to mean
the corresponding unescaped code unit. (These conventions
are different to those in ECMA-262 because in plain text,
we cannot distinguish terminals from nonterminals by font.)

There are three grammars used in this specification:

 - in the lexical grammar, :: is used to separate a nonterminal
   from its definition. The lexical grammar is an S-attributed
   context-free grammar (CFG) [*], and is specified in terms of
   a set of changes to the ES3 lexical grammar. With some minor
   exceptions (/*const*/, /*fallthru*/, and the treatment of
   ++ and -- tokens), these only cause additional rejections;
   they do not change the tokenisation of lexically valid ES3
   source texts. The input to the lexical grammar is a string,
   and the output is a sequence of tokens given by the top-level
   'tokens' attribute. Each output token is a string that may
   also have 'SV', 'MV', and/or 'errors' attributes.
   
   (Note that the <Token> production defined in ECMA-262 is
   misnamed, because it does not include <DivPunctuator>s,
   which are tokens.)

 - in the syntactic grammar, : is used to separate a nonterminal
   from its definition. The syntactic grammar is also an
   S-attributed CFG [*], and is specified in terms of a set of
   changes to the ES3 syntactic grammar. Its input is the
   token sequence computed by the lexical grammar, and its
   principal output is an 'errors' attribute giving the set
   of errors (if any), other than parse errors, that would
   prevent the source text from being a valid Jacaranda program.

 - in the string grammar, ::: is used to separate a nonterminal
   from its definition. The input to the string grammar is a
   sequence of 16-bit code units. It is a regular grammar that
   computes no attributes and is only used to recognise
   classes of strings.

The regexp literal grammar in ES3 has no equivalent in Jacaranda,
which does not allow regexp literals.

The symbol ε in a production means the empty input sequence.

Lexical and syntactic grammar productions that are used by
modified productions, but have not themselves been modified
from ECMA-262, 3rd edition, are explicitly marked with a
reference to the ECMA-262 section number.

The underlying lexical and syntactic grammars are only given as
general CFGs [*], rather than a more specific class such as LALR(k),
because the grammars given in the ES3 specification on which they
are based are not in any more specific class. The syntactic CFG is
unambiguous, independently of the attribute rules; that is, a
possible parse is never rejected based on the values of attributes.
(This property does not quite hold for the lexical grammar, where
attributes are used in the LEX_TOKENISATION rule to control
tokenisation.)

[[FIXME: <MemberExpression> . <PublicIdentifier> <Arguments> is
ambiguous. To fix that we need to distinguish *syntactically* between
public and exposed identifiers.]]


[*] The lexical and syntactic grammars use "but not" and
    "lookahead ∉" constructs, which do not obviously result
    in a CFG by construction.

    In all but one case, "but not" is only used to specify
    sets of individual code units, so it does not increase the
    power of the grammar notation. The single exception is:
    
      <Identifier> ::
        <IdentifierName> but not <ReservedWord>

    from ECMA-262 section 7.6, which is context-free (although
    it would be ugly to write it as such) because <ReservedWord>
    is finite.

    Only one use of the 'lookahead ∉' construct is retained by
    the Jacaranda grammar, in <ExpressionStatement>. This use
    could have been avoided by duplicating all of the
    expression-related productions with versions that do not
    allow an object literal or function expression. It would
    be undesirable to actually do so, but the possibility of
    this rewriting shows that the grammar is context-free.

The types used for attribute values are:
  - rational numbers
  - the undefined value
  - finite sets of other values
  - finite sequences of other values.

The following auxiliary functions are used in attribute rules:

  check(cond, node, arg, msg) = cond ? {} : {error(node, arg, msg)}

  error(node, arg, msg) =
    // representation of an error detected at 'node', with auxiliary
    // information 'arg' (usually an identifier) and message 'msg'

  last(sequence) = (length(sequence) > 0) ? sequence[length(sequence)-1] : undefined

  NumberToString(x) =
    // the result of applying ToString as defined in ECMA-262 section 9.8.1
    // to "the number value for x" as defined in ECMA-262 section 8.5

A convention is used in the syntactic grammar specification in
order to present grammar rules more concisely, by making some
"boilerplate" attribute computation implicit: if no explicit rule
is given to compute an attribute, it is computed by taking the
union of the corresponding attribute values on all child nodes.

This convention applies to the 'freelyUsed', 'freelyAssigned',
'vars', 'usedProperties', 'aliasesForThis', and 'errors' attributes
in the syntactic grammar, and to the 'errors' attribute in the
lexical grammar. (Other attributes are undefined if no specific
rule is given.) These are all set-valued attributes, so that taking
the union of their values for all children of a node is well-defined.
The convention is to be used for _all_ syntactic and lexical grammar
productions, including those that are otherwise unchanged from ES3.


Each rule that restricts Jacaranda relative to ES3 is given an
uppercase name. Any conformance requirements given in the normative
text of these rules are intended to be redundant with, i.e. specify
precisely the same restrictions as, the Jacaranda lexical and
syntactic grammars. If this is not the case then it indicates an
ambiguity in the specification, and clarification should be sought.

Grammar productions given in one rule may also impose constraints
needed to implement other rules, in which case cross-references
are given.

Text in a subsection following "Rationale:" is non-normative;
that is, it does not impose any conformance requirements on
Jacaranda implementations or programs. The same programming
language would be specified if this text were removed.

Rationale:
Analogous to type declarations, some degree of redundancy in a
specification is useful in order to provide a better chance of
detecting specification errors. This is the reason for providing
informal descriptions that are redundant with the grammar rules.


Conformance
===========

The terms *SHALL*, *SHALL NOT* or *SHALL ONLY* are used to
describe constraints on a conforming implementation of Jacaranda.

The terms *MUST*, *MUST NOT* or *MUST ONLY* are used to
describe static constraints on a module definition (see below).
This indirectly specifies that a conforming implementation of
Jacaranda SHALL reject module definitions that fail to satisfy
such a constraint.

The terms *SHOULD*, *SHOULD NOT* or *SHOULD ONLY* are used to
describe a recommendation for Jacaranda code to follow, in order
to mimimise the risk of potential incompatibilities with future
versions of this specification or implementations of ECMAScript.
It has no formal consequence for conformance.

For any constraint that is described as implementation-defined,
a conforming implementation SHALL make a consistent choice
and SHALL document which choice is made.

An *ECMAScript interpreter* is an instance of an ECMAScript
implementation conforming to ECMA-262 3rd edition amended as
described in the section "ES3 Amendments".

The *primordial objects* are the constructors Array, Function,
Object and String, and any other objects necessary for them to
function correctly in a given ECMAScript implementation
(for example the objects comprising their prototype chains).

A *context* is an ECMAScript execution environment that has copies
of the primordial objects independent of other context in the
same ECMAScript interpreter. Contexts may share other objects.
(In typical web browser implementations of JavaScript/ECMAScript,
there is usually one context for each frame or iframe [[CHECK]].)

A *visible side effect* is an effect that changes the state of
one or more objects in an ECMAScript interpreter in a way that
is observable to other code running in that interpreter by overt
means (that is, without making use of timing of events where this
timing is nondeterministic). Memory usage is not considered to
be a visible side effect.

Jacaranda programs are organised into *modules* (typically, these
are independently developed units of source code).

A *module definition* is a string, representing Jacaranda
source code intended to define a module.

An *internal module representation* is a representation of a
module as a collection of values in a given ECMAScript interpreter.
An internal module representation includes a *module object*,
which is a deeply immutable object with the properties specified
in the module definition.

An instance of a Jacaranda module is called a *caplet*. Each caplet
will have a *powerbox* object defined by a specific region of its
module code. The creator of a caplet must provide an *environment*
and a *powersource*. The environment specifies *imports* that will
be in scope throughout the caplet's module code. The powersource is
an object that will only be initially available to the caplet's
powerbox. The caplet will have no overt authority other than that
granted via its environment and its powersource. (It will also have
access to the module object, but that object provides no authority.)

A *module name* is a string, representing the name of a module.

A *Jacaranda interpreter* is an ECMAScript interpreter with the
following additional characteristics:

 - an interpreter has a per-context state consisting of a mapping
   from module names, to internal module representations of
   modules that have been accepted in that context.

 - it is possible to create a context with an initially
   empty mapping.

 - it is possible to submit a module definition to a given
   context, with the following effect:

    - if the module definition violates any of the
      constraints given in sections "Module Definitions" and
      "Static Constraints" below, a *static rejection error*
      SHALL be reported.

    - the module definition may specify a variant of the
      Jacaranda language that is unsupported by the
      implementation. In that case, an
      *unsupported Jacaranda variant error* SHALL be reported.

    - if the module definition does not give a 'name'
      property that is different from any module name
      already in the mapping, a *module name clash error*
      SHALL be reported.

    - the implementation may, for any or no reason, report
      an *implementation failure* when an attempt is made to
      submit a module. Such a failure SHALL be distinguishable
      from other errors.

    - otherwise, a mapping from the module's name to its
      internal module representation SHALL be added to the
      context's state.

   In any of these cases, there SHALL be no other visible
   side effects of submitting the module definition.

 - it is possible to create a caplet by *instantiating* a
   named module, providing an environment and a powersource
   as discussed above.

    - if the import environment specifies a property with an
      unshadowable name, an *unshadowable import error* SHALL
      be reported.

    - if an import named in the caplet's 'imports' list
      is not available in the import environment, an
      *unavailable import error* SHALL be reported.

    - the module MUST have a 'powerbox' property that holds
      a function -- if not then a
      *missing powerbox property error* SHALL be reported.

    - the implementation may, for any or no reason, report
      an *implementation failure* when an attempt is made to
      instantiate a caplet. Such a failure SHALL be distinguishable
      from other errors.

    - the function given by the 'powerbox' property of the module
      SHALL be executed, in an environment specified by the
      section "Module Run-time Environment", with the given
      powersource object and the module object as parameters
      in that order, and with the imports specified in the
      given import environment available in the module's
      outer lexical scope.
      
    - the function given by the 'powerbox' property may interact
      with the environment of the Jacaranda implementation in
      order to set up *event handlers* which cause functions
      created by the module to regain control at some later
      point in time. The specifications of event-handling
      features are implementation-defined.

In cases where the above description says that an error
SHALL occur as a result of submitting or instantiating a
module, other visible side effects SHALL NOT occur.

At any time, and for any or no reason, a Jacaranda implementation
may *lock* a given context, in which case it SHALL NOT run any
further code in that context.

Other aspects of the interaction between a Jacaranda interpreter
and its environment are unspecified. (One possibility is that
a *container* is written in unrestricted ECMAScript to control
this interaction.)

Rationale:
The idea of using different conformance terms to indicate constraints
on the implementation vs constraints on programs is borrowed from W3C
specifications.

The term "lock" is named after the LOCK utility in the
Incompatible Timesharing System:
<http://www.poppyfields.net/filks/00117.html>.

The allowance for implementation failures makes Jacaranda particularly
easy to implement:

  #include <stdio.h>
  int main(int argc, char **argv) {
    puts("Implementation failure.\n");
    return 1;
  }

More seriously, there are good reasons to allow nondeterministic
failures, given that a practical Jacaranda implementation has no
control over what memory or execution resources are available, and
machines with unbounded resources do not exist. The requirement for
these failures to be distinguishable from other errors is actually
quite strong.


ES3 Amendments
==============

Apply the errata given in
<http://www.mozilla.org/js/language/E262-3-errata.html>.

(Note that the grammar productions changed in the errata are disjoint
from those changed for Jacaranda. [[CHECK again]])

Change <VariableStatement> and related productions to allow «const» to
occur in place of «var». The detailed changes to these productions are
given in the DECLARABLE_IDENTIFIERS rule, but are mentioned here because
they are not a sublanguage of ES3.


Section 2  Conformance

 - The following paragraphs do not apply to Jacaranda:

     A conforming implementation of ECMAScript is permitted to provide
     additional types, values, objects, properties, and functions beyond
     those described in this specification. In particular, a conforming
     implementation of ECMAScript is permitted to provide properties not
     described in this specification, and values for those properties,
     for objects that are described in this specification.

     A conforming implementation of ECMAScript is permitted to support
     program and regular expression syntax not described in this
     specification. In particular, a conforming implementation of
     ECMAScript is permitted to support program syntax that makes use
     of the “future reserved words” listed in 7.5.3 of this specification.

   Rationale: permission to provide arbitrary implementation-defined
   extensions is not appropriate for a security-focussed language.
   Any proposed extension should undergo thorough public security review
   and, if accepted, be added to the Jacaranda specification. This does
   not prevent experimentation with proposed extensions, but an
   implementation that supports such experiments is not considered to
   be conformant to this version of the specification.


Section 3  References

 - Replace the reference to Unicode version 2.0 with references to
   Unicode version 5.1.0.

   Rationale: The conformance requirements for Unicode have been
   significantly tightened since version 2.0. (In particular, there
   were security-relevant changes at around version 3.2.) Note that
   this does not require support for characters added in later
   versions.


Sections 4.2 and 4.2.1  Language Overview

 - This (non-normative) section should not be considered to apply to
   Jacaranda.


Section 6  Source Text

   [[TBD]]

   Rationale:
   The terms used here are inconsistent with the definitions in
   the Unicode standard. For example, "character" is used in place
   of "code unit", and "code point" is used entirely incorrectly.

   It's possible to infer what was probably meant, so I won't attempt
   to rewrite it in this draft; the important points are that:

    - strings are sequences of code units
    - an escape sequence represents exactly one code unit.


Section 7.1  Unicode Format Control Characters

 - This section does not apply to Jacaranda; in particular, Format
   Control characters SHALL NOT be "removed from the source text
   before applying the lexical grammar." (Format Control characters
   are not allowed anywhere in a Jacaranda source text.)


Section 7.6  Identifiers

 - The following does not apply to Jacaranda:

     Identifiers are interpreted according to the grammar given in
     Section 5.16 of the upcoming version 3.0 of the Unicode standard,
     with some small modifications. This grammar is based on both
     normative and informative character categories specified by the
     Unicode standard. The characters in the specified categories in
     version 2.1 of the Unicode standard must be treated as in those
     categories by all conforming ECMAScript implementations; however,
     conforming ECMAScript implementations may allow additional legal
     identifier characters based on the category assignment from later
     versions of Unicode.

   The allowed syntax for identifiers in Jacaranda is specified in
   rule LEX_IDENTIFIER_SYNTAX.

   Rationale: the syntax of identifiers needs to be independent of
   which version of the Unicode character data is otherwise used by
   the implementation.


Section 7.9  Semicolon Insertion

 - Replace the entire section (including 7.9.1 and 7.9.2) with:

   7.9 No "Automatic Semicolon Insertion"

       Jacaranda does not allow programs that would trigger
       "automatic semicolon insertion" as defined in ECMA-262 3rd edition,
       section 7.9. Any such program is invalid according to the grammar
       defined in this specification.

   This is implemented in rule LEX_TOKENISATION (and by the use in
   some syntactic productions of <PostIncrement> and <PostDecrement>
   tokens, which correspond to ++ and -- tokens that are not separated
   from the preceding token by a line terminator).

   Rationale:
   In the ES3 grammar, ...
   
   In some cases, "grammatical" semicolon insertion can be
   supported simply by removing the terminating semicolon from ...
   If the semicolon is present, it will be interpreted according to
   this grammar as an <EmptyStatement>, which has no semantic effect.

   In the case of the 'do', 'continue', and 'break' statements, this
   would be relatively harmless because a human reader or a parser would
   need only one token lookahead to understand/parse the resulting language
   unambiguously.

   For the 'return', 'var', 'throw' and expression statements, however,
   this approach fails -- in a way that demonstrates the basic problem
   with implicit semicolon insertion. Consider the example:

     var a = x + y;

   If the .. were simply omitted, then the grammar would be
   ambiguous because .. could be parsed as either

     var a = x;
     + y;
   or
     var a = x + y;

   both of which are syntactically valid. In ES3 it will be parsed as the
   latter -- but if a programmer mistypes + as ++, for example:

     var a = x ++ y;

   then that will be parsed as

     var a = x;
     ++ y;

   In other words, if we make any syntax error in a variable initialiser,
   return, throw, or expression statement, then under ES3's semicolon
   insertion rules it might silently be interpreted as something quite
   different. To determine the resulting parse, we would need to consider
   every possible location at which a semicolon could be inserted in the
   program beyond that point, with unbounded lookahead (it is not even
   sufficient to consider until the next explicit semicolon, in general).
   This is clearly unacceptable.

   By this argument, if Jacaranda were to support grammatical semicolon
   insertion, it could only safely do so after 'do', 'continue' and
   'break' statements, and not after 'return', 'var', 'throw' or
   expression statements. That would create an ugly inconsistency in the
   language. It is better to simply disallow semicolon insertion entirely,
   at the cost of accepting fewer programs.


Annex B  Compatibility

 - The additional syntax specified in section B.1 SHALL NOT be valid in
   Jacaranda.

 - The 'escape' and 'unescape' global functions in section B.2.1 and
   B.2.2 SHALL NOT be available to Jacaranda modules, unless they are
   explicitly provided by an import environment.

 - Whether the additional properties of String and Date specified in
   sections B.2.3 to B.2.6 are available to Jacaranda modules is
   implementation-defined. A Jacaranda program SHOULD NOT rely on the
   presence of these properties.


Lexical Grammar
===============

The lexical grammar of Jacaranda is that of ES3 with the additional
constraints listed below.

LEX_CODE_UNITS:

   Source code units, line terminators, and whitespace MUST ONLY be used
   as follows:

     <SourceCharacter> ::   // Rationale:
       \u0009               // exclude ASCII controls except TAB,
       \u000A               //                               LF,
       \u000D               //                               CR.
       \u0020-\u007E        // \u007F-\u009F controls
       \u00A0-\u00AC        // \u00AD        :Cf:
       \u00AE-\u05FF        // \u0600-\u0603 :Cf:
       \u0604-\u06DC        // \u06DD        :Cf:
       \u06DE-\u070E        // \u070F        :Cf:
       \u0710-\u17B3        // \u17B4-\u17B5 :Cf:
       \u17B6-\u200A        // \u200B-\u200F :Cf:; \u200C-\u200F !Safari !IE6
       \u2010-\u2027        // \u2028-\u2029 !Cajita; \u202A-\u202E :Cf: !Safari !IE6
       \u202F-\u205F        // \u2060-\u2064 :Cf:
       \u2065-\u2069        // \u206A-\u206F :Cf: !Safari !IE6
       \u2070-\uD7FF        // \uD800-\uDFFF UTF-16 surrogates
       \uE000-\uFDCF        // \uFDD0-\uFDEF noncharacters
       \uFDF0-\uFEFE        // \uFEFF (BOM)  :Cf: !Safari !IE6
       \uFF00-\uFFEF        // \uFFF0-\uFFF8 !Safari !Firefox;
                            // \uFFF9-\uFFFB :Cf:
                            // \uFFFC (object replacement character)
                            // \uFFFD (replacement character)
                            // \uFFFE-\uFFFF noncharacters

     <PrintableCharacter> ::
       \u0020-\u007E

     <LineTerminator> ::
       \u000A
       \u000D

     <WhiteSpace> ::
       \u0009
       \u0020

   This rule does not restrict the set of code units that may be
   represented by \u escapes.

   Rationale:
   Start with \u0000-\uFFFF, and
    - remove code units that are not in XML 1.1's <Char> or that are in
      XML 1.1's <RestrictedChar> (see below)
    - remove code units corresponding to BMP characters that are in
      category :Cf: (Format Control) in Unicode 5.1.1:
        <http://unicode.org/cldr/utility/list-unicodeset.jsp?a=[[:Cf:]]>
      (this is a superset of category :Cf: in all previous Unicode versions)
    - remove code units that are disallowed by Cajita according to
      <http://google-caja-discuss.googlegroups.com/web/cajita-bnf.html>.
    - remove \uFFFC and \uFFFD.

   <Char> and <RestrictedChar> from XML 1.1 are used just because that
   is a slightly less arbitrary choice than me deciding on my own what
   control characters should be restricted.

   Disallowing :Cf: characters is in principle the wrong thing for proper
   internationalisation support. However, I eventually concluded that
   it's the only way to guarantee consistent and secure behaviour across
   browsers, which in this case trumps internationalisation.

   (The right thing would be to allow :Cf: characters other than \uFEFF
   only in string literals and comments, and to allow \uFEFF
   [byte order mark] only between tokens. Relaxing the rules later is
   easier than tightening them.)

   Whitespace is restricted to US-ASCII tab and space characters. There
   is no reason to internationalise whitespace used to separate tokens
   in source code. (Other space characters are still allowed in strings.)
   Also, the fact that vertical tab and form feed were treated as
   whitespace rather than as line separators was potentially confusing;
   Jacaranda disallows them.


LEX_COMMENT_FIRST_CHARACTER:

   If the first code unit in a <MultiLineComment> after "/*" is not
   '*' or ' ', or if the first code unit in a <SingleLineComment>
   after "//" is not '/' or ' ', then all code units in the comment
   MUST be printable US-ASCII (that is, [\u0020-\u007E]).

   The necessary grammar change is given in rule LEX_COMMENT_KEYWORDS.

   Rationale: This prevents an adversarial code review attack where
   a comment that looks like /*const*/ does not actually enforce
   constness, and similarly for other comments used by JSLint, for
   example.

   It also prevents the first character in a comment from being a
   non-US-ASCII character that is stripped on parsing, which might
   plausibly result in the LEX_COMMENT_NO_ATSIGN_EXTENSIONS rule
   being bypassed.


LEX_COMMENT_NO_ATSIGN_EXTENSIONS:

   The first character in any comment after «/*» or «//» MUST NOT be «@».

   The necessary grammar change is given in rule LEX_COMMENT_KEYWORDS.

   Rationale: This may trigger non-ES3-compliant extensions (for example
   <http://msdn.microsoft.com/en-us/library/121hztk3.aspx> or
   <http://devedge-temp.mozilla.org/viewsource/2003/venkman/01/index_en.html>).

   ADsafe rejects «@cc» anywhere in a comment. This is sufficient to
   prevent enabling of JScript conditional compilation, but not the
   Venkman debugger extensions.

   Caja and Cajita do not need to reject «@» in comments, because the
   output of cajoling does not include any comments. See
   <http://code.google.com/p/google-caja/wiki/ConditionalCompilationComments>.


LEX_COMMENT_KEYWORDS:

   «/*const*/» and «/*fallthru*/» are treated as non-comment tokens.
   They MUST ONLY appear where specified in the Jacaranda grammar. Note
   the lack of spaces before and after «const» or «fallthru».

   The lexical grammar changes resulting from this and rules
   LEX_COMMENT_FIRST_CHARACTER and LEX_COMMENT_NO_ATSIGN_EXTENSIONS are:

     <Printable> ::
       ε
       <PrintableCharacter> <Printable>

     <c::MultiLineCommentAfterStart> ::
       * /
         { c.lineBreak = false }
       <left::MultiLineNotAsteriskOrSpaceOrAtChar> <right::MultiLineCommentChars>opt * /
         { c.lineBreak = left.lineBreak or right.lineBreak;
           c.errors = check(right is <Printable>, c, right, 'comment does not start with * or space and is not printable ASCII') }
       * <pacc::PostAsteriskCommentChars>opt * /
         { c.lineBreak = pacc.lineBreak }
       \u0020 <mcc::MultiLineCommentChars>opt * /
         { c.lineBreak = mcc.lineBreak }

     <mc::MultiLineNotAsteriskOrSpaceOrAtChar> ::
       <sc::SourceCharacter> but not * or \u0020 or @
         { mc.lineBreak = sc is <LineTerminator> }

     <MultiLineCommentChars> :: as in ECMA-262 section 7.4
         { [[FIXME lineBreak]] }

     <PostAsteriskCommentChars> :: as in ECMA-262 section 7.4
         { [[FIXME lineBreak]] }

     <MultiLineNotAsteriskChar> :: as in EMCA-262 section 7.4
         { [[FIXME lineBreak]] }

     <MultiLineNotForwardSlashOrAsteriskChar> :: as in ECMA-262 section 7.4
         { [[FIXME lineBreak]] }

     <SingleLineCommentAfterStart> ::
       <SingleLineCommentEnd>
       <SingleLineNotForwardSlashOrSpaceOrAtChar> <SingleLinePrintableCommentChars> <SingleLineCommentEnd>
         { c.errors = check(right is <Printable>, c, right, 'comment does not start with / or space and is not printable ASCII') }
       / <SingleLineCommentChars>opt <SingleLineCommentEnd>
       \u0020 <SingleLineCommentChars>opt <SingleLineCommentEnd>

     <SingleLineCommentEnd> ::
       <LineTerminator>
       <EndOfText>

     <SingleLineNotForwardSlashOrSpaceOrAtChar> ::
       <SourceCharacter> but not <LineTerminator> or / or \u0020 or @

     <SingleLineCommentChars> :: as in ECMA-262 section 7.4

     <SingleLineCommentChar> :: as in ECMA-262 section 7.4

   Rationale: /*const*/ and /*fallthru*/ must be ES3 comments in order
   for Jacaranda to remain a sublanguage of ES3. (The approach taken by this
   and the LEX_TOKENISATION rules is to lex them as multiline comments, but
   then retain them as tokens, when other comment tokens are thrown away.)

   See the LEFT_HAND_SIDE rule for a description of the use
   of /*const*/ (it is essentially the same as 'const' in ES4, but with
   static rejection instead of silent failure).

   See also <http://www.haskell.org/haskellwiki/Wadlers_Law>.


LEX_STRING_LITERALS:

   A <CharacterEscapeSequence> MUST ONLY use one of the escape characters
   defined in <SingleEscapeCharacter> below.

   The following attribute definitions are used to compute the
   value of a string literal, which is needed for other rules. They
   correspond exactly to the procedure in ECMA-262 section 7.8.4,
   expressed in the same attribute grammar notion as the rest of
   this specification.

   The grammar has been altered to not require lookahead in the
   <EscapeSequence> production.

     <s:StringLiteral> ::
       " <ds::DoubleStringCharacters> "
         { s.SV = ds.SV }
       ' <ss::SingleStringCharacters> '
         { s.SV = ss.SV }

     <ds::DoubleStringCharacters> ::
       ε
         { ds.SV = "" }
       <c::DoubleStringCharacter> <rest::DoubleStringCharacters>
         { ds.SV = [c.CV] ++ rest.SV }
       \u005C 0 <rest::NIDDoubleStringCharacters>    // no initial decimal
         { ds.SV = ['\u0000'] ++ rest.SV }

     <ds::NIDDoubleStringCharacters> ::
       ε
         { ds.SV = "" }
       <c::NIDDoubleStringCharacter> <rest::DoubleStringCharacters>
         { ds.SV = [c.CV] ++ rest.SV }
       \u005C 0 <rest::NIDDoubleStringCharacters>
         { ds.SV = ['\u0000'] ++ rest.SV }

     <dc::DoubleStringCharacter> ::
       <c::SourceCharacter> but not " or \u005C or <LineTerminator>
         { dc.CV = c }
       \u005C <e::EscapeSequence>
         { dc.CV = e.CV }

     <dc::NIDDoubleStringCharacter> ::
       <c::SourceCharacter> but not " or \u005C or <LineTerminator> or <DecimalDigit>
         { dc.CV = c }
       \u005C <e::EscapeSequence>
         { dc.CV = e.CV }

     <ss::SingleStringCharacters> ::
       ε
         { ss.SV = "" }
       <c::SingleStringCharacter> <rest::SingleStringCharacters>
         { ss.SV = [c.CV] ++ rest.SV }

     <ss::NIDSingleStringCharacters> ::
       ε
         { ss.SV = "" }
       <c::NIDSingleStringCharacter> <rest::SingleStringCharacters>
         { ss.SV = [c.CV] ++ rest.SV }
       \u005C 0 <rest::NIDSingleStringCharacters>
         { ss.SV = ['\u0000'] ++ rest.SV }

     <sc::SingleStringCharacter> ::
       <c::SourceCharacter> but not ' or \u005C or <LineTerminator>
         { sc.CV = c }
       \u005C <e::EscapeSequence>
         { sc.CV = e.CV }

     <sc::NIDSingleStringCharacter> ::
       <c::SourceCharacter> but not ' or \u005C or <LineTerminator> or <DecimalDigit>
         { sc.CV = c }
       \u005C <e::EscapeSequence>
         { sc.CV = e.CV }

     <e::EscapeSequence>
       <ce::CharacterEscapeSequence>
         { e.CV = ce.CV }
       <he::HexEscapeSequence>
         { e.CV = he.CV }
       <ue::UnicodeEscapeSequence>
         { e.CV = ue.CV }

     <ce::CharacterEscapeSequence>
       <se::SingleEscapeSequence>
         { ce.CV = se.CV }

     <se::SingleEscapeCharacter> ::
       b      { se.CV = '\u0008' }
       t      { se.CV = '\u0009' }
       n      { se.CV = '\u000A' }
       f      { se.CV = '\u000C' }
       r      { se.CV = '\u000D' }
       "      { se.CV = '\u0022' }
       '      { se.CV = '\u0027' }
       /      { se.CV = '\u002F' }
       \u005C { se.CV = '\u005C' }

     <he::HexEscapeSequence> ::
       x <a::HexDigit> <b::HexDigit>
         { he.CV = [a.MV*16 + b.MV] }

     <ue::UnicodeEscapeSequence> ::
       u <a::HexDigit> <b::HexDigit> <c::HexDigit> <d::HexDigit>
         { ue.CV = [a.MV*4096 + b.MV*256 + c.MV*16 + d.MV] }

     <hd::HexDigit> ::
       0 { hd.MV =  0 }
       1 { hd.MV =  1 }
       2 { hd.MV =  2 }
       3 { hd.MV =  3 }
       4 { hd.MV =  4 }
       5 { hd.MV =  5 }
       6 { hd.MV =  6 }
       7 { hd.MV =  7 }
       8 { hd.MV =  8 }
       9 { hd.MV =  9 }
       A { hd.MV = 10 }
       B { hd.MV = 11 }
       C { hd.MV = 12 }
       D { hd.MV = 13 }
       E { hd.MV = 14 }
       F { hd.MV = 15 }
       a { hd.MV = 10 }
       b { hd.MV = 11 }
       c { hd.MV = 12 }
       d { hd.MV = 13 }
       e { hd.MV = 14 }
       f { hd.MV = 15 }

   Rationale: JScript does not implement «\v» (it treats it as «v»). This
   could allow lexer confusion attacks. Unlike Caja, we cannot rewrite it
   to a different escape.

   There is no reason to allow «\» followed by an escape character that
   does not have a defined meaning. However, we must allow «\/» in order
   to remain a superset of JSON. (Unfortunately, JSON does not allow
   «\'», otherwise JSON and Jacaranda would support identical syntax for
   double-quoted strings. I considered disallowing «\'» in double-quoted
   strings, but that would create an inconsistency between single- and
   double-quoting.)


LEX_NUMERIC_LITERALS:

   A <DecimalLiteral> MUST NOT have more then 20 significant digits.

   The following attribute definitions are used to compute the
   value of a numeric literal, which is needed for other rules. They
   correspond exactly to the procedure in ECMA-262 section 7.8.3,
   expressed in the same attribute grammar notion as the rest of
   this specification.

     <nl::NumericLiteral> ::
       <dl::DecimalLiteral>
         { nl.MV = dl.MV }
       <hl::HexIntegerLiteral>
         { nl.MV = hl.MV }

     <dl::DecimalLiteral> ::
       <dil::DecimalIntegerLiteral> .
         { dl.MV = dil.MV;
           dl.errors = check(dil.sig <= 20, dl, '> 20 significant digits in decimal literal') }
       <dil::DecimalIntegerLiteral> . <dd::DecimalDigits>
         { dl.MV = dil.MV + dd.MV*10^-(dd.n);
           dl.errors = check((dil ++ dd)::DecimalDigits.sig <= 20, dl, '> 20 significant digits in decimal literal') }
                    [[FIXME: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ avoid reparsing a computed value]]
       <dil::DecimalIntegerLiteral> . <ep::ExponentPart>
         { dl.MV = dil.MV*10^(ep.MV);
           dl.errors = check(dil.sig <= 20, dl, '> 20 significant digits in decimal literal') }
       <dil::DecimalIntegerLiteral> . <dd::DecimalDigits> <ep::ExponentPart>
         { dl.MV = (dil.MV + dd.MV*10^-(dd.n))*10^(ep.MV);
           dl.errors = check((dil ++ dd)::DecimalDigits.sig <= 20, dl, '> 20 significant digits in decimal literal') }
                    [[FIXME: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ avoid reparsing a computed value]]
       . <dd::DecimalDigits>
         { dl.MV = dd.MV*10^-(dd.n);
           dl.errors = check(dd.sig <= 20, dl, '> 20 significant digits in decimal literal') }
       . <dd::DecimalDigits> <ep::ExponentPart>
         { dl.MV = dd.MV*10^(ep.MV - dd.n);
           dl.errors = check(dd.sig <= 20, dl, '> 20 significant digits in decimal literal') }
       <dil::DecimalIntegerLiteral> <ep::ExponentPart>
         { dl.MV = dd.MV*10^(ep.MV);
           dl.errors = check(dil.sig <= 20, dl, '> 20 significant digits in decimal literal') }

     <dil::DecimalIntegerLiteral> ::
       <d::DecimalDigit>
         { dil.MV = d.MV;
           dil.n = 1 }
       <nzd::NonZeroDigit> <dd::DecimalDigits>
         { dil.MV = nzd*10^(dd.n) + dd.MV;
           dil.n = dd.n + 1 }

     <dd::DecimalDigits> ::
       0
         { dd.MV = 0;
           dd.sig = 0;
           dd.lead = 0;
           dd.n = 1 }
       <nzd::NonZeroDigit>
         { dd.MV = d.MV;
           dd.sig = 1;
           dd.lead = 1;
           dd.n = 1 }
       0 <rest::DecimalDigits>
         { dd.MV = rest.MV;
           dd.sig = rest.sig;
           dd.lead = rest.lead === 0 ? 0 : (rest.lead + 1);
           dd.n = rest.n + 1 }
       <nzd::NonZeroDigit> <rest::DecimalDigits>
         { dd.MV = nzd.MV*10^(rest.n) + rest.MV;
           dd.sig = rest.sig + 1;
           dd.lead = rest.sig + 1;
           dd.n = rest.n + 1 }

[[CHECK do we still need 'lead'?]]

     <d::DecimalDigit> ::
       0
         { d.MV = 0 }
       <nzd::NonZeroDigit>
         { d.MV = nzd.MV }

     <nzd::NonZeroDigit>
       1 { dd.MV = 1 }
       2 { dd.MV = 2 }
       3 { dd.MV = 3 }
       4 { dd.MV = 4 }
       5 { dd.MV = 5 }
       6 { dd.MV = 6 }
       7 { dd.MV = 7 }
       8 { dd.MV = 8 }
       9 { dd.MV = 9 }

     <ep::ExponentPart> ::
       <ExponentIndicator> <si::SignedInteger>
         { ep.MV = si.MV }

     <ExponentIndicator> :: one of
       e E

     <si::SignedInteger> ::
       <dd::DecimalDigits>
         { si.MV = dd.MV }
       + <dd::DecimalDigits>
         { si.MV = dd.MV }
       - <dd::DecimalDigits>
         { si.MV = -(dd.MV) }

     <hils::HexIntegerLiteral> ::
       0x <hd::HexDigit>
         { hils.MV = hd.MV }
       0X <hd::HexDigit>
         { hils.MV = hd.MV }
       <hil::HexIntegerLiteral> <hd::HexDigit>
         { hils.MV = hil.MV*16 + hd.MV }

     <HexDigit> : see rule LEX_STRING_LITERALS

   Rationale: ECMA-262 section 7.8.3 says that:

     Once the exact MV for a numeric literal has been determined, it is then
     rounded to a value of the Number type. If the MV is 0, then the rounded
     value is +0; otherwise, the rounded value must be /the/ number value for
     the MV (in the sense defined in 8.5), unless the literal is a
     <DecimalLiteral> and the literal has more than 20 significant digits, in
     which case the number value may be either the number value for the MV
     of a literal produced by replacing each significant digit after the 20th
     with a 0 digit or the number value for the MV of a literal produced by
     replacing each significant digit after the 20th with a 0 digit and then
     incrementing the literal at the 20th significant digit position.

   Therefore decimal literals with more than 20 significant digits cannot
   be used to obtain any additional precision.
   (Note that 20 significant digits are more than sufficient to round-trip any
   IEEE double value.)

   This restriction is also necessary in order to enforce that properties in object
   literals are unique. The issue here is that if the conversion to an IEEE double
   is nondeterministic, then the verifier may fail to detect names that should be
   treated as colliding (in rules SCOPE_OF_THIS and MODULE_DEFINITION_SYNTAX).


LEX_RESERVED_WORDS:

   The following are considered to be reserved words (a larger set than that
   specified in ECMA-262 section 7.5):

     <ReservedWord> ::
       <Keyword>
       <FutureReservedWord>
       <NullLiteral>
       <BooleanLiteral>
       $module
       arguments
       Function
       Object

   Rationale:
   $module can be used as a keyword to introduce a module definition, but
   is otherwise unmentionable for two reasons:

    - the implementation of $module assumes that it is called with a module
      definition that has already been verified, so for security, the code
      within a module cannot be allowed to call it with an unrestricted argument;

    - a Jacaranda parser implementation can assume that a «$module» token always
      starts a module. When more than one module is parsed at once, this permits
      any backtracking or other information associated with a module to be thrown
      away each time «$module» is seen, and can allow better diagnostics when a
      module is not terminated correctly.

   «arguments» can only be used in the contexts specified in the
   PUBLIC_PROPERTY_READ rule.

   Function is unmentionable because the Function constructor is unsafe.

   Object is unmentionable because the "static" methods of Object proposed to
   be added in ES3.1, should not be accessible untamed from Jacaranda.

   Note that unlike the other globals that are accessible by default, we
   cannot run module code with a scope chain that rebinds Array, Function,
   Object, or String, because the resulting behaviour is not clearly defined
   by ES3. In some implementations, this changes the behaviour of functions,
   objects, arrays and strings created using literals; in others it does not.
   As it happens, we do not need to rebind Array or String (which have useful
   "static" methods, i.e. methods referenced as «Array.method(...)» or
   «String.method(...)»), and so those can remain first-class (although not
   shadowable).


LEX_IDENTIFIER_SYNTAX:

   Identifiers MUST follow the syntax given below.

     <Identifier> :: as defined in ECMA-262 section 7.6

     <IdentifierStart> ::
       [\$A-Z_a-z\u00c0-\u00d6\u00d8-\u00f6\u00f8-\u00ff]

     <IdentifierPart> ::
       <IdentifierStart>
       0-9

     <ThisIdentifier> ::
       t h i s <IdentifierPart>
       <ThisIdentifier> <IdentifierPart>

     <DollarIdentifier> ::
       $
       <DollarIdentifier> <IdentifierPart>


   Rationale: Letters from ISO-Latin-1 are supported in identifiers.
   Serious consideration was given to supporting full Unicode. However,

    - the only script that is adequately supported in the common set of
      characters allowed by Safari, IE6 and Mozilla, is extended Latin.
      Allowing extended Latin, but no other scripts in identifiers would
      not provide a compelling complexity / functionality tradeoff.

    - Jacaranda defines whether a property name is "exposed" or not
      based partly on whether the name starts with a lowercase letter.
      For consistency, the definition of lowercase should be internationalised
      if Unicode identifiers are allowed, but that would imply doing a Unicode
      property lookup on each access of an object property. [[CHECK]]

   Note that this syntax does not allow the use of \u escapes in identifiers.
   JavaScript implementations do not implement these escapes consistently
   (or in conformance to ES3) in the case where the unescaped identifier
   spells a reserved word. Since \u escapes are essentially useless outside
   string and regexp literals (and would be even if Jacaranda supported Unicode
   identifiers), it is simpler to disallow them completely, than to do so
   only for identifiers that would spell a reserved word.

   <ThisIdentifier> and <DollarIdentifier> are kinds of <Identifier>,
   which means that the token classes are no longer entirely disjoint,
   as they are in the ES3 grammar. This is not likely to cause any
   significant implementation problem (if it does, then it is possible
   to change uses of <ThisIdentifier> etc. to <Identifier>, and add
   explicit attribute checks enforcing that the identifier is of the
   correct form).


LEX_TOKENISATION:

   For clarification, ECMA-262 section 7.3 specifies that
   "A line terminator cannot occur within any token, not even a string."
   Therefore, the "line continuation" syntax supported by some ECMAScript
   implementations, in which a line terminator occurs immediately after a
   «\» code unit, MUST NOT be used in Jacaranda.

   The following restrictions are needed to ensure that a Jacaranda program
   will not trigger semicolon insertion as defined in ECMA-262 section 7.9:

    * A postfix ++ or -- operator MUST be on the same line as the last token
      of its operand.
    * The next token (i.e. identifier, expression, or semicolon) after a
      'continue', 'break', 'return' or 'throw' keyword MUST be on the same
      line as that keyword.

   As specified in ECMA-262 section 7.8.3, the source character immediately
   following a <NumericLiteral> MUST NOT be an <IdentifierStart> or
   <DecimalDigit>.

   <EndOfText> is treated as a distinguished element of the input sequence
   distinct from any other code unit. A source text is tokenised by appending
   <EndOfText> and then applying the following attribute grammar:

     <text::SourceText> ::
       ε
         { text.tokens = [],
           text.lineBreak = false,
           text.partial = '' }
       <left::SourceText> <e::CasesNotRequiringLongestMatch>
         { text.tokens = left.tokens ++ (left.partial === '' ? [] : [left.partial]) ++ e.tokens;
           text.lineBreak = (left.partial === '' and left.lineBreak) or e.lineBreak;
           text.partial = '';
           text.errors = check(left.partial === '' or left.partial is <Token>, text, left.partial, 'invalid token')
                   union check(not(last(ltokens) in {'continue', 'break', 'return', 'throw'} and e.lineBreak),
                               text, last(ltokens), 'misplaced line terminator')
                   union left.errors union e.errors}
       <left::SourceText> / <c::NotAsteriskOrEqualsTokenCharacter>
         { text.tokens = left.tokens ++ ['/'];
           text.lineBreak = false;
           text.partial = c; }
       <left::SourceText> <c::TokenCharacter>
         { // This is supposed to implement the longest-match rule (for tokens not starting with / or ' or ").
           // I'm not sure it is correct yet.
           if (not((left.partial ++ c) is <Token>)) {
             if (left.partial ++ c === '++' and not left.lineBreak) {
               token = <PostIncrement>;
             } else if (left.partial ++ c === '--' and not left.lineBreak) {
               token = <PostDecrement>;
             } else {
               token = left.partial;
             }
             text.tokens = left.tokens ++ token;
             text.lineBreak = false;
             text.partial = c;
             text.errors = check(token is <Token>, text, token, 'invalid token')
                     union check(not(token is <NumericLiteral> and (c is <IdentifierStart> or c is <DecimalDigit>)),
                                 text, token, 'NumericLiteral cannot be followed by IdentifierStart or DecimalDigit');
           } else {
             text.tokens = left.tokens;
             text.lineBreak = left.lineBreak;
             text.partial = left.partial ++ c;
           } }

     <e::CasesNotRequiringLongestMatch> ::
       <WhiteSpace>
         { e.tokens = [];
           e.lineBreak = false }
       <LineTerminator>
         { e.tokens = [];
           e.lineBreak = true }
       / * <c::MultiLineCommentAfterStart>
         { e.tokens = (c === 'const*/' or c === 'fallthru*/') ? ['/*' ++ c] : [];
           e.lineBreak = c.lineBreak }
       / / <SingleLineCommentAfterStart>
         { e.tokens = [];
           e.lineBreak = true }
       / =
         { e.tokens = ['/='];
           e.lineBreak = false }
       <sl::StringLiteral>
         { e.tokens = [sl];
           e.lineBreak = false }
       <EndOfText>
         { e.tokens = [];
           e.lineBreak = false }

     <NotAsteriskOrEqualsTokenCharacter> ::
       <TokenCharacter> but not * or =

     <TokenCharacter> ::
       <SourceCharacter> but not <WhiteSpace> or <LineTerminator>

   The following _syntactic_ productions are also needed:

     <PreIncrement> :
       ++
       <PostIncrement>

     <PreDecrement> :
       --
       <PostDecrement>

   Rationale:
   ECMA-262 defines the process of tokenising a source text only informally.
   The above attribute grammar formalises this process.

   [[I only recently realized that it was possible to do this using an
   attribute grammar, so more thorough checking is needed to ensure that
   it captures all of the hairy special cases in lexing JavaScript.]]

   A left-to-right lexer requires lookahead of up to two code units in order
   to distinguish the alternatives of the <SourceText> production.
   
   [[Explain how <PostIncrement> and <PostDecrement> work.]]


Module Definitions
==================

MODULE_DEFINITION_SYNTAX:

   A module definition MUST be parseable according to the Jacaranda lexical
   grammar; then, the resulting token stream MUST be parseable as the following
   <ModuleDefinition> production.

   Each of the 'imports' and 'optionalImports' properties of a module,
   if present, MUST be a literal array of string literals, none of which
   are a <ProtectedString>.

   The *import set* of a module is the union of the set of strings
   that occur in the module's 'import' property (or the empty set if
   not present) and its 'optionalImports' property (or the empty set
   if not present), and the implicit imports defined below.

   For each freely-used identifier of a module (as defined by
   the SCOPE_OF_IDENTIFIERS rule), a string corresponding to the
   identifier name MUST occur in the module's import set.

   A module MUST NOT have any freely-assigned identifiers.

   [[FIXME: choose which module boilerplate to use]]

     <md::ModuleDefinition> :
       $module ( function ( _ ) { with ( _ ) return { <mlit::SEFObjectLiteral> } } );
     OR
       ( function ( ) { eval ( $module ( <mlit::SEFObjectLiteral> ) ) ; } ) ( ) ;
         { md.errors = { error(mlit, "freely-used identifier " ++ quote(id) ++ " not declared as an import") | id <- mlit.freelyUsed - mlit.imports - mlit.optionalImports - IMPLICIT_IMPORTS}
                 union { error(mlit, "freely-assigned identifier " ++ quote(id) ++ " at module level") | id <- mlit.freelyAssigned }

     <SEFObjectLiteral> :   // SEF stands for "side-effect free"
       { <SEFPropertyNameAndValueList> }

     <nvl::SEFPropertyNameAndValueList> :
       <nv::SEFPropertyNameAndValue>
         { nvl.names = {nv.name} }
       <list::SEFPropertyNameAndValueList> , <nv::SEFPropertyNameAndValue>
         { nvl.names = list.names union {nv.name},
           nvl.errors = check(nv.name not in list.names, nvl, nv.name, 'duplicate property name in module object literal') }

     <PrintablePropertyName> :
       <PrintableIdentifier>
       <PrintableStringLiteral>
       <NumericLiteral>

     <nv::SEFPropertyNameAndValue> :
       <n::PrintablePropertyName> : <v::SEFExpression>
         { nv.name = n,
           if (n === 'imports') {
             nv.imports = literalStringsToSet(v.value);
             nv.errors = check(nv.imports !== undefined, nv, 'value of imports property is not a list of string literals')
                   union { error(id is <ProtectedString>, nv, 'imported identifier is protected') | id <- nv.imports }
                   union n.errors union v.errors; }
           }
           if (n === 'optionalImports') {
             nv.optionalImports = literalStringsToSet(v.value);
             nv.errors = check(nv.optionalImports !== undefined, nv, 'value of optionalImports property is not a list of string literals')
                   union { error(id is <ProtectedString>, nv, 'optionally imported identifier is protected') | id <- nv.optionalImports }
                   union n.errors union v.errors; }
           } }

[[SEFPropertyNameAndValue should *not* allow 'this' in function expressions]]

     <t::SEFExpression> :
       null
       true
       false
       <PrintableStringLiteral>
       <NumericLiteral>
       - <NumericLiteral>
       <SEFObjectLiteral>
       <SEFArrayLiteral>
       <f::FunctionExpression>
         { t.errors = check('this' notin f.freelyUsed, f, "'this' used freely by a function referenced in a module property") union f.errors }

     <t::PrintableStringLiteral> :
       <s::StringLiteral>
         { t.error = check(s.value in <Printable>, t, "string literals in module definitions must be printable") }

     <SEFArrayLiteral> :
       [ <SEFElementList>opt ]

     <sel::SEFElementList> :
       <Elision> <SEFExpression>
         { sel.value = undefined }
       <SEFElementList> , <Elision> <SEFExpression>
         { sel.value = undefined }
       <exp::SEFExpression>
         { sel.value = exp.value }
       <list::SEFElementList> , <exp::SEFExpression>
         { sel.value = (exp.value === undefined) ? undefined : list.value ++ [exp.value] }

     <Elision> : as in ECMA-262 section 11.1.4

     <FunctionExpression> : see the NO_NAMED_FUNCTION_EXPRESSION rule

     function literalStringsToSet(list) {
       if (list is not an array of strings) return undefined;
       return the set of strings in list;
     }

     IMPLICIT_IMPORTS = {
       'Array', 'Boolean', 'Class', 'ConstArray', 'ConstDate', 'ConstRegExp',
       'Date'??, 'decodeURI', 'decodeURIComponent', 'encodeURI', 'encodeURIComponent',
       'Error', 'EvalError', 'Infinity', 'isFinite', 'isNaN', 'Math'??, 'NaN',
       'Number', 'parseFloat'??, 'parseInt'??, 'RangeError', 'ReferenceError',
       'RegExp'??, 'String', 'SyntaxError', 'TypeError', 'undefined', 'URIError'
     }

[[FIXME: imports cannot replace 'Array', 'Object' etc.
Specify this in $makeCaplet?]]

   Rationale: An object literal is used as the argument to enable
   extensibility. Evaluating the object literal itself must have
   no side effects (because it will be evaluated before the call
   to $module). This is not a significant constraint in practice,
   since the main code of the module can be defined in a function
   expression.

   A deeply immutable copy of the object created from the object
   literal will be made accessible to caplets created from this
   module. This allows caplets created from the same module to share
   an arbitrary amount of immutable data (without needing one copy
   of it per caplet).

   Note that only anonymous function expressions are allowed,
   since a named function expression might have the side effect of
   defining the name in the surrounding scope. (This restriction
   applies to Jacaranda in general, not just the top level of a
   module definition -- see NO_NAMED_FUNCTION_EXPRESSION.)

   The module definition could technically have been passed in as
   a string literal and then 'eval'ed, but that option was quickly
   rejected because it would require excessive use of quoting in
   the module code.

   <SEFExpression> does not attempt to be the largest possible
   side-effect-free subset of ES3 expressions, just one that is
   sufficiently expressive for any meta-information that we might
   want to use to describe a module. In fact it is essentially
   JSON, except that:
    - anonymous functions are included;
    - comments are included;
    - string literals use the syntax specified by ES3, not JSON;
    - property names in object literals can be identifiers, not
      only string literals.

   [Thanks to Kris Zyp for the idea that "JSON plus anonymous
   functions" is a potentially useful sublanguage of JavaScript,
   although I'm not using it exactly as he suggested.]

   Trailing commas are not allowed in <SEFArrayLiteral>, because
   Jacaranda also does not allow them in <ArrayLiteral> (see
   ARRAY_LITERAL_NO_TRAILING_COMMAS below).

   One way to submit a module to a Jacaranda interpreter is to simply
   execute the module definition as ECMAScript code -- for example in a
   <script> tag of a web page. In that case, the following global
   definitions are required in order for a module definition to be
   interpreted correctly:

     $module, eval, Array, Function, Object, String

   The global bindings specified in the "Module Run-time Environment"
   section only strictly need to be in effect when module code is run.
   
   A Jacaranda implementation may also support submitting a module
   definition that is given dynamically as a string, using the
   $submitModule function. Support for this is not required because
   it involves embedding a Jacaranda verifier in the run-time library.

   The rationale for declaring imports explicitly is as follows:

   A Jacaranda caplet must only have access to its intended imports.
   Unfortunately there is no way in JavaScript to run code in an
   outer scope that has only a precisely specified set of bindings;
   it is only possible to _add_ bindings. Therefore, we need to know
   the maximum set of identifiers that are freely-used by a module,
   so that we can define it in a lexical scope that includes "blocking"
   bindings for _all_ of those identifiers.

   This is complicated in two ways:

   1. Jacaranda is designed to allow an implementation that first
      verifies the source code, and then executes it on an existing
      ES3-conformant JavaScript interpreter (with the Jacaranda library
      having been loaded). At execution time, any information obtained
      in the verifier's analysis has been "forgotten". Therefore, if
      the set of freely-used identifiers of a module is needed, it has
      to be declared in the module's properties. The rules above ensure
      that the properties used to declare imports are of the correct
      form, and that they include at least all of the module's
      freely-used identifiers, as required by the above implementation
      strategy. (It does not matter if a declared import is not used.)

   2. It is not easy to introduce an arbitrary set of bindings into
      a given _lexical_ scope [[need explanation]]. The boilerplate
      for a module definition:

        $module(function(_) {with(_) return {...}});

      solves this problem by creating a function scope specific to the
      module, and using with to inject bindings into that scope.
      
      We could alteratively have required something like:

        (function(imports) {
          /*const*/ var foo = imports.foo,
                        bar = imports.bar,
                        ...;
          ...
        })();

      but this would be far too verbose, and would violate the
      "don't repeat yourself" principle since each import name is
      mentioned twice.

   Requiring the imports to be declared arguably also has software
   engineering advantages, and could possibly detect some errors due
   to misspelled words. In these respects it is similar to a /*globals*/
   declaration in JSLint.

   Imports can be directly used, but not directly assigned to.
   This ensures that there is no implicit per-module, per-controller or
   per-caplet mutable state. (Explicit per-caplet mutable state can be declared
   by using 'var' in some outer function.) The rationale for this is to
   allow confinement at the granularity of groups of objects, rather
   than only between module instances (see the message quoted at
   <http://groups.google.com/group/google-caja-discuss/msg/27754c7e8138670c>).

   There is no loss of generality in preventing direct assignment to
   imports, because the creator of a caplet could provide it with the
   authority to modify its environment via its powersource. For example:

     function makeCapletWithMutableEnvironment(moduleName, initialEnvironment) {
       // This controller will only be used for one caplet.
       var controller;
       /*const*/ var powersource = {
         setImport: function(name, newValue) {
           return controller.setImport(name, newValue);
         },
         getImport: function(name) {
           return controller.getImport(name);
         },
         ...
       }
       controller = Jacaranda.makeCapletController(moduleName, initialEnvironment, powersource);
       controller.run();
     }

   The powerbox for a caplet created in this way can modify its 'foo' import
   as follows:

     powerbox: function(powersource, module) {
       powersource.setImport('foo', ...);
       ...
     }

   For the purpose of static verification, the set of declared imports
   is given by the union of the identifiers listed in the 'optionalImports'
   and 'imports' properties. At run-time these are treated differently:
   a missing optional import will be bound to 'undefined', while a missing
   required import will prevent the module from being instantiated.


Static Constraints
==================

STRING_CLASSES:

   An *exposed string* is a string that starts with a code unit other
   than a-z, $ or _, or is the string 'length'.

   An *undefinable string* is a string that starts with '__', or is
   listed in the <BlackListed> production below.

   A *definable string* is a string that is not an undefinable string.

   A *protected string* is a string that either starts or ends with '_'
   and is not an exposed string, or is listed in the <BlackListed> production
   below.

   A *public string* is a string that is not a protected string.

     <CodeUnit> :::
       [\u0000-\uFFFF]

     <AnyString> :::
     
       <CodeUnit>*

     <ExposedStartString> :::
       <ExposedStart>
       l e n g t h

     <ExposedStartString> :::
       <ExposedStart>
       <ExposedStartString> <CodeUnit>

     <ExposedStart> :::
       <CodeUnit> but not <UnexposedStart>

     <UnexposedStart> :::
       [a-z]
       $
       _

     <UndefinableString> :::
       _ _ <AnyString>
       <BlackListedString>
       $ <AnyString>
       <FinalListedString>

     <BlackListedString> ::: one of
       apply arguments bind bindAsEventListener call callee caller
       constructor eval hasOwnProperty name propertyIsEnumerable
       prototype stack toSource unwatch watch

     <FinalListedString> ::: one of
       valueOf            [[FIXME: try to get rid of this category]]

     <ProtectedString> :::
       _ <AnyString>
       <UnexposedStart> <AnyString> _
       <UndefinableString>

   Rationale:
   'prototype' is blacklisted because

   'valueOf' is blacklisted because of the issue described in
     <http://code.google.com/p/google-caja/issues/detail?id=323>.
     This ensures that Jacaranda code cannot override valueOf, and
     so the default implementation (for which $eq(x.valueOf(), x))
     will be used unless non-Jacaranda code overrides it.

   'arguments' is blacklisted because of the issue described in
     <...>.

   'bind' and 'bindAsEventListener' are blacklisted because ...

   'callee' ...

   'eval' ...

   'hasOwnProperty' ...

   'isPrototypeOf' does not need to be blacklisted [[explain why not]].

   Jacaranda uses "begins with '__'" rather than "ends with '__'" to
   recognise vendor-defined properties that follow the '__...__' convention.
   This is simpler given that other restrictions are defined in terms of
   prefixes.


DECLARABLE_IDENTIFIERS:

   Any identifier declared by a <VariableStatement>, <IterationStatement>,
   <FunctionDeclaration>, <FormalParameterList>, <Catch>, or the label in a
   <LabelledStatement> MUST be a <DeclarableIdentifier>, with the following
   exception: a <VariableStatement> can declare a <ThisIdentifier> as a
   constant variable that is initialised to «this».

     <did::DeclarableIdentifier> :
       <id::Identifier>
         { did.errors = check(id is not <UnshadowableIdentifier>, did, id, 'unshadowable identifier in declaration')
                  union check(id is not <UndefinableString>, did, id, 'undefinable identifier in declaration')
                  union check(id is not <ThisIdentifier>, did, id, 'this-identifier in non-constant declaration not initialised to this')
                  union id.errors }

     <did::DeclarableOrThisIdentifier> :
       <id::Identifier>
         { did.errors = check(id is not <UnshadowableIdentifier>, did, id, 'unshadowable identifier in declaration')
                  union check(id is not <UndefinableString>, did, id, 'undefinable identifier in declaration')
                  union id.errors }

     <UnshadowableIdentifier> :
       undefined
       Infinity
       NaN
       Array
       String
       RegExp
       toString
       toLocaleString
       isPrototypeOf
       <DollarIdentifier>

     <ConstVar> :
       <Const> var
       const

     <VariableStatement> :
       <ConstVar> <ConstDeclarationList> ;
       var <VariableDeclarationList> ;

     <dl::ConstDeclarationList> :
       <ConstDeclaration>
       <list::ConstDeclarationList> , <d::ConstDeclaration>
         { dl.errors = { error(dl, id, 'multiple declaration') | id <- list.vars intersect d.vars }
                 union list.errors union d.errors }

     <dl::VariableDeclarationList> :
       <VariableDeclaration>
       <list::VariableDeclarationList> , <d::VariableDeclaration>
         { dl.errors = { error(dl, id, 'multiple declaration') | id <- list.vars intersect d.vars }
                 union list.errors union d.errors }
 
     <d::ConstDeclaration> :
       <id::DeclarableOrThisIdentifier> <init::Initialiser>
         { if (id is <ThisIdentifier>) {
             d.aliasesForThis = {id};
             d.errors = check(init is <ThisInitialiser>, d, id, 'this-identifier not initialised to this')
                  union id.errors union init.errors;
           }
           d.freelyUsed = init.freelyUsed - {id} }
 
     <ThisInitialiser> :
       = this

     <VariableDeclaration> :
       <DeclarableIdentifier> <Initialiser>opt

     <IterationStatement> : see rule SIMPLE_STATEMENTS

     <LabelledStatement> :
       <DeclarableIdentifier> : <Statement>

     <Catch> : see rule TRY_CATCH

     <FunctionDeclaration> :
       function <DeclarableIdentifier> ( <FormalParameterList>opt ) { <FunctionBody> }

     <FormalParameterList> :
       <DeclarableIdentifier>
       <FormalParameterList> , <DeclarableIdentifier>

   For the productions above that have been changed from using
   <Identifier> to <DeclarableIdentifier>, the corresponding changes
   are also made to any places in the text of ECMA-262 that reference
   the identifier part of the production. Such changes are necessary
   in ECMA-262 sections 10.1.3, 12.2, 12.12, 12.14, and 13.

   A <ConstDeclaration> has the same semantics as the corresponding
   <VariableDeclaration>, apart from declaring a variable that is treated
   differently by the LEFT_HAND_SIDE rule.

   Rationale: names beginning '$' must be unshadowable in order to allow
   other rules to assume that they refer to functions with known behaviour.
   For example, the security of the PUBLIC_PROPERTY_READ rule depends on the
   fact that all uses of the expression «$num» refer to a function that cannot
   return any non-number value.

   Also, <DeclarableIdentifier> does not include identifiers corresponding to
   <UndefinableString>s or properties of Object.prototype. This ensures that
   a scope object will have only definable properties. It also avoids the
   ES3 specification flaw in which default properties of Object.prototype
   potentially shadow identifiers [[need ref]]. (We assume that either a given
   JavaScript implementation does not have this flaw, or that it does not add
   properties to Object.prototype other than those in <BlackListedString>.)

   The effect of restricting <LabelledStatement> to use <DeclarableIdentifier>
   is that the identifier in a <BreakStatement> or <ContinueStatement>, if
   present, must also be declarable. This is not strictly necessary for
   security because labels are in a separate namespace to identifiers;
   however, I prefer unshadowable names to always refer to the same thing
   in any context. This makes them behave in the same way as reserved literals
   such as true and null.

   The identifiers that can be used in the <PropertyName> production are
   restricted by the DEFINABLE_PROPERTIES rule, not by this rule.

   Since \u escapes are not allowed in Jacaranda identifiers (see rule
   LEX_IDENTIFIER_SYNTAX), it is not necessary to explicitly exclude
   identifiers that spell a non-<Identifier>, <UnshadowableIdentifier>,
   <UndefinableString> or <ThisIdentifier> using \u escapes.

   It is not necessary to modify the <FunctionExpression> production because
   function expressions cannot be named in Jacaranda (see
   NO_NAMED_FUNCTION_EXPRESSION).
   
   The initialiser in a constant declaration is not optional, because:
     - there is little point in having a constant that always refers to
       undefined (which could in any case be expressed as
       «/*const*/ var u = undefined;»).
     - this reserves the syntax without an initialiser for possible future
       support of single-assignment variables ("blank final variables" in
       Java terminology).

   The fact that "<ThisIdentifier> = this" is only allowed in a
   <ConstDeclaration> (and this-identifiers are not otherwise declarable)
   ensures that any this-identifier must refer to an object defined in
   some enclosing object literal. That is what justifies allowing
   access to protected properties via a this-identifier.

   Object literals can be nested, and the different nesting levels referred
   to by different this-identifiers without ambiguity.

   The idiom of using '.bind(this)' instead of this-identifiers was
   considered and rejected because:
    - the resulting code is less explicit about _which_ 'this' is meant
      in cases involving nested object literals;
    - using .bind results in two closures being created when only one is
      needed.


DEFINABLE_PROPERTIES:

   Property names in an object literal MUST be definable strings.

     <n::PropertyName> :
       <did::DefinableIdentifier>
         { n.SV = did.SV }
       <sl::StringLiteral>
         { n.SV = sl.SV
           n.errors = check(not(sl.SV is <UndefinableString>), n, id, 'property name not definable') union sl.errors }
       <nl::NumericLiteral>
         { n.SV = NumberToString(nl.MV)) }

     <did::DefinableIdentifier> :
       <id::Identifier>
         { did.SV = id.SV
           did.errors = check(not(id.SV is <UndefinableString>), n, id, 'property name not definable') union id.errors }

   Rationale: undefinable property names might have special meanings that trigger
   extensions.

   The result of converting a number to a string is always a definable string.

   Caja, Cajita, and ADsafe have similar (not identical) restrictions on definable
   identifiers.


PUBLIC_PROPERTY_READ:

[[This rule is in flux. It is going to be relaxed to allow more cases and
fix a parsing ambiguity -- see the last three Rationale paragraphs.]]

   In a property read using the bracket syntax «foo[x]», where «foo» is
   not <This>, «x» MUST be an <ExposedExpression> as defined below.

   Similarly, in a property read using the dot syntax «foo.id», where
   «foo» is not <This>, «id» MUST be an <ExposedIdentifier>.

   The expression «arguments» is not first-class, but may be used in
   the contexts «arguments[exposed]», «arguments.exposedId», or
   «$constarray(arguments)». These have semantics identical to ES3.

   The <MemberExpression> production of ES3 section 11.2 becomes:

     <e::MemberExpression> :
       <PrimaryExpression>
       <FunctionExpression>
       <MemberExpression> [ <ExposedExpression> ]
       <MemberAccessExpression> [ <ExposedExpression> ]
       arguments [ <ExposedExpression> ]
       <MemberExpression> . <ExposedIdentifier>
       <MemberAccessExpression> [ <ExposedExpression> ]
       arguments . <ExposedIdentifier>
       <MemberExpression> . <PublicIdentifier> <Arguments>
       <ThisReadExpression>
       new <MemberExpression> <Arguments>

     <mae::MemberAccessExpression> :
       <mae::MemberAccessExpression> . <id::Identifier>
       <me::MemberExpression> . <id::Identifier>
         { mae.thisIdentifier = me is <ThisIdentifier> ? me : undefined;     [[should this use me.SV and id.SV?]]
           mae.id = id
           mae.isFirstClass = ... }

[[FIXME: '<MemberExpression> . <ExposedIdentifier> <Arguments>' can
be parsed ambiguously as either
   (<MemberExpression> . <ExposedIdentifier>) <Arguments>
or
   <MemberExpression> . <PublicIdentifier> <Arguments>

The latter parse is correct, but this contradicts the assertion that
parsing is unambiguous regardless of attributes. Note that this
ambiguity is already in the ES3 grammar.]]

     <CallExpression> :
       <MemberExpression> <Arguments>
       <MemberAccessExpression> <Arguments>
       <CallExpression> <Arguments>
       <CallExpression> [ <ExposedExpression> ]
       <CallExpression> . <ExposedIdentifier>
       <CallExpression> . <PublicIdentifier> <Arguments>
       <ThisCallExpression>
       $constarray ( arguments )

[[FIXME: '<MemberExpression> <Arguments>', '<CallExpression> <Arguments>'
and '<ThisCallExpression>' are ambiguous.]]

     <ExposedExpression> :
       <NumericLiteral>
       + <UnaryExpression>
       - <UnaryExpression>
       ~ <UnaryExpression>
       <ShiftExpression> << <AdditiveExpression>
       <ShiftExpression> >> <AdditiveExpression>
       <ShiftExpression> >>> <AdditiveExpression>
       <BitwiseANDExpression> & <EqualityExpression>
       <BitwiseXORExpression> ^ <BitwiseANDExpression>
       <BitwiseORExpression> | <BitwiseXORExpression>
       <LeftHandSideExpression> <PostIncrement>
       <LeftHandSideExpression> <PostDecrement>
       <PreIncrement> <LeftHandSideExpression>
       <PreDecrement> <LeftHandSideExpression>
       <MultiplicativeExpression> * <UnaryExpression>
       <MultiplicativeExpression> / <UnaryExpression>
       <MultiplicativeExpression> % <UnaryExpression>
       <AdditiveExpression> - <MultiplicativeExpression>
       <UnshadowableOnlyReturningExposed> <Arguments>
       <ExposedExpression> + <MultiplicativeExpression>
       <ExposedStartStringLiteral>

     <PostIncrement> : see rule LEX_TOKENISATION

     <PostDecrement> : see rule LEX_TOKENISATION

     <PreIncrement> : see rule LEX_TOKENISATION

     <PreDecrement> : see rule LEX_TOKENISATION

     <UnshadowableOnlyReturningExposed> : one of
       $nat $int $num $numOrNaN $incr $decr $add $sub
       [[TBD: other functions returning numbers]]
       $exposedName

     <Arguments> : as in ECMA-262 section 11.2

     <esl::ExposedStartStringLiteral> :
       <sl::StringLiteral>
         { esl.error = check(sl.SV is <ExposedStartString>, esl, sl, 'initial character of string literal is not exposed') }

     <eid::ExposedIdentifier> :
       <id::Identifier>
         { eid.error = check(id.SV is <ExposedString>, eid, id, 'identifier used for property access is not exposed') }

     <pid::PublicIdentifier> :
       <id::Identifier>
         { eid.error = check(not(id.SV is <ProtectedString>), eid, id, 'identifier used for method call is not public') }

   Rationale: Array indexing, where the argument to «[]» is expected
   to be a number, is a very frequent operation in some programs. So
   it is worth adding some moderate complexity to the language to support
   it as efficiently as possible (despite several design decisions in
   JavaScript that are actively hostile to efficient language
   implementation).

   Jacaranda cannot allow direct use of «[]» in the general case for
   two reasons:
    - the property might be protected;
    - properties are permitted to hold nonsimple functions, but
      nonsimple functions are not allowed as first-class values.

   If we carve off a subset of the property namespace that is public
   and that never holds nonsimple functions, then we can allow direct
   use of «[]» in cases where the index can be _syntactically_
   guaranteed to be in that subset (we don't want to do any non-syntactic
   type analysis on grounds of complexity). Names in this subset are
   called "exposed".

   Some ECMAScript operators, and some of the unshadowable functions in
   the Jacaranda library, are guaranteed to return numbers. For example,
   unary «+» always returns a number. Since the string representations
   of all numbers are exposed, expressions such as «foo[+x]» can be
   allowed, instead of having to write «$get(foo, x)» (which is much
   less efficient in typical ECMAScript implementations).

   Also, if whether a string is exposed is defined by its initial
   character, we can use this to allow efficient lookup on "hash"
   objects, without the possibility of keys colliding with methods or
   special properties.
   For example we can allow «hash['.'+key]» since all strings starting
   with '.' are exposed.

   Note that the binary «+» operator returns a number only if _both_
   its arguments are numbers (see ECMA-262 section 11.6.1). So, it
   may not be obvious why it is valid to treat
   <ExposedExpression> + <MultiplicativeExpression> always as
   exposed, given that the result may be either a number of a string
   depending on the types of the arguments. The answer is that
   numbers are exposed because of the initial code unit in their
   string representation, and so the result will be exposed in all
   four possible cases:

     number         + number    -> number
     exposed string + number    -> exposed string
     number         + nonnumber -> exposed string
     exposed string + nonnumber -> exposed string

   (This depends on the fact that 'Infinity' and 'NaN' start with
   capital letters, which makes them exposed strings. It also depends
   on the fact that 'ToPrimitive' or 'ToString' applied to a
   built-in string returns the input string.)

   It would also have been possible to include 'true' and 'false' in
   the set of exposed names and allow boolean expressions, but that
   doesn't seem particularly useful.

   Rationale for «arguments» not being first-class:

   In ES3, the elements of the arguments object alias the actual
   parameters of the current activation record, which are mutable.
   This is error-prone, and may lead to surprising excess authority
   errors if the arguments object is delegated. The three uses of
   «arguments» permitted by this rule («arguments[exposed]»,
   «arguments.exposedId», and «$constarray(arguments)»), in combination
   with the fact that parameters are "const" (see the LEFT_HAND_SIDE rule),
   do not allow this aliasing behaviour to be observed, while requiring
   only trivial changes to existing code that uses variable arguments.
   They also do not allow any differences between the arguments object
   and a "real" array to be observed.

   The $constarray function is not otherwise special; it can be used in
   any context to create a ConstArray from an arraylike object (as specified
   in the "Module Run-time Environment" section). The security of this
   approach depends on $constarray being unshadowable, which is enforced by
   the DECLARABLE_IDENTIFIERS rule.

   Note that the <CallExpression> <Arguments> form of a <CallExpression>
   excludes «$constarray(arguments)», because «arguments» does not match
   <AssignmentExpression>, therefore «(arguments)» does not match <Arguments>
   (see ECMA-262 section 11.2). So, we need to add it back explicitly in
   order for it to be allowed. It needs to be added to <CallExpression>
   rather than any other kind of expression, so that it has the same
   precedence as in ES3.

   There is no security reason to prevent '$constarray(arguments)'
   from appearing more than once in a function body. It would typically
   be assigned to a variable to avoid unnecessary computation.

   The grammar has been carefully crafted to avoid an ambiguity in the
   parsing of expressions involving direct property accesses. We want to
   preserve the property that parsing is independent of attribute computation,
   but the conditions on what identifiers are allowed in a property access
   depend on whether it is used in a first-class context (i.e. the next
   higher parse tree node). This problem is solved by introducing
   <PropertyAccessExpression>, which has an 'isFirstClass' attribute.
   'isFirstClass' is true when the property access expression can appear
   in any context where a <MemberExpression> can appear, or false if it
   can only appear in second-class contexts, such as a <CallExpression>.

   In addition to keeping the syntactic grammar context-free and
   unambiguous, this approach also made it clearer that property accesses
   could be safely allowed in a larger set of cases than in the previous
   design. For example, chained property accesses can be allowed provided
   that the 'apply' and 'call' methods of Function.prototype are blacklisted
   (because in that case, it is only the ability to call a potentially
   nonsimple value as a function that can cause a problem, and a member
   access is not a call).

   (The Jacaranda library provides an $apply function, such that
   $apply(f, args) is equivalent to f.apply(ignored, args) in ES3 for
   a simple function f, in order to avoid any loss of expressiveness.)


PROTECTED_PROPERTY_READ:

     <This> :
       this
       <ThisIdentifier>

     <tre::ThisReadExpression>
       <t::This> . <id::DefinableIdentifier>
         { tre.usedProperties = {[t, id]} }

     <ThisCallExpression> :
       <This> . <DefinableIdentifier> <Arguments>

     <DefinableIdentifier> : see rule DEFINABLE_PROPERTIES

   Rationale:

   this.id can only be read if it is known to be a field that does not
   hold a this-function (taking into account inherited this-functions).
   Since we are using an S-attributed grammar, the set of fields
   known not to hold this-functions in a given class is available only
   at the parse tree node for the class definition. We can enforce this
   restriction in a similar way to the checks on free identifiers: keep
   track of both the set of properties that have been read, and the set
   of fields known not to hold this-functions, and at the class definition
   node, check that one is contained in the other.
   
   [[FIXME not implemented in grammar yet:]]
   This approach is complicated by the existence of this-identifiers
   (which means that we need to keep track of properties for several
   'this' objects). We use the 'aliasesForThis' attribute on a given node
   to keep track of which this-identifiers could possibly alias the 'this'
   that is in scope at that node.

   The restriction on using properties of this does not need to be enforced
   for assignments, because an assignment can only set the property to a
   first-class value, and this-functions are not first-class.
   (If you want a property that can hold a function and can also be
   directly read, it can't be initialised to a this-function. This does
   not limit expressiveness because you can use lexical encapsulation
   instead of 'this', or use this.get_('...') to read the property.)


LEFT_HAND_SIDE:

   A *left-hand-side* is an expression that is valid as the target
   of a side-effecting operator (that is, assignments, compound
   assignments, and the prefix and postfix ++ and -- operators),
   or the iteration variable in a for-in loop.

   A *constant declaration* is one of:
    - a function declaration;
    - a parameter declaration;
    - a catch declaration;
    - a variable declaration using «/*const*/ var» or «const»;

   «/*const*/» or «const» MUST ONLY appear in a <VariableStatement>,
   in which case all declarations in the statement's
   <ConstDeclarationList> are constant declarations.
   (The corresponding grammar changes are in rule DECLARABLE_IDENTIFIERS.)

   Function, parameter, and catch declarations are implicitly constant
   declarations, even though «/*const*/» or «const» is not used.
   Declarations in the «for (var ...; ...; ...)» form of an
   <IterationStatement> are never constant declarations.

   A *nonconstant declaration* is a variable declaration that is not a
   constant declaration.

   Jacaranda does not allow property writes using either «.» or «[]»
   (except to 'this' as explained below). It also does not allow 'new'
   expressions, function calls, or free identifiers [[clarify]] as a left-hand-side.
   The left-hand-side MUST therefore be one of:

    - a declarable identifier of a nonconstant variable that is in
      scope for that left-hand-side (see also SCOPE_OF_DECLARATIONS).
    - [[FIXME: <This> left-hand-sides]]

   Therefore the <LeftHandSideExpression> production of section 11.2
   becomes:

     <lhs::LeftHandSideExpression> :
       <id::DeclarableIdentifier>
         { lhs.freelyAssigned = {id.SV} }
       <t::This> . <id::DefinableIdentifier>
       <This> [ <ExposedExpression> ]

     <t::This> :
       this
         { t.SV = 'this',
           t.freelyUsed = {'this'} }
       <id::ThisIdentifier>
         { t.freelyUsed = {id} }

   [[FIXME: restrictions on identifier for <This> . <DefinableIdentifier>
   case?]]
   [[explain freelyAssigned attribute]]
   [[FIXME: parsing ambiguity between <DeclarableIdentifier> and
   <ThisIdentifier>]]

   Given this grammar change, we need to repair <PostfixExpression>,
   which should include the productions that were included in the old
   <LeftHandSideExpression>:

     <PostfixExpression> :
       <NewExpression>
       <CallExpression>
       <LeftHandSideExpression> [no LineTerminator here] ++
       <LeftHandSideExpression> [no LineTerminator here] --

     <NewExpression> : see ECMA-262 section 11.2

     <CallExpression> : see rule PUBLIC_PROPERTY_READ

   Rationale:
   [[Mutability should be explicit, both for variables and imports.
   «/*const*/ var» syntax is ugly (but can get used to it); if ES3.1 adds
   an ES4-compatible 'const' then we can use that.]]

   Function and parameter declarations are implicitly const because we
   can get away with that without breaking too much code (named functions
   and parameters, unlike 'var' variables, are not usually modified).
   Catch declarations are implicitly const because all existing JavaScript
   try..catch blocks are broken in Jacaranda anyway (see the TRY_CATCH
   rule), and so there is little additional cost to making an incompatible
   change.

   There is no loss of expressiveness to making function, parameter,
   and catch declarations implicitly const, because it is always
   possible to introduce a 'var':

     var a = function (b_) {
       var b = b_;
       try {
         ...
       } catch (c_) { $caught(c_);
         var c = c_;
         ...
       }
     }

   Caja also has the 'function declarations are implicitly const' rule.

   [[Grammar change is clunky (partly due to redundancy in original
   grammar); see if we can improve it.]]

   It is possible to specify an initial value for a const variable in
   its <Initialiser>, because that is not a <LeftHandSideExpression>.

   «for (/*const*/ var ...; ...; ...)» and «for (const ...; ...; ...)»
   are not supported (see rule SIMPLE_STATEMENTS) because:
    - a «for» statement usually only declares variables that can
      vary between iterations;
    - it is easy to move const declarations to the line before the
      «for» statement.


NO_MULTIPLE_DECLARATION (!A):

   There MUST NOT be more than one declaration of the same identifier by
   a given function (that is, in the function's parameter list, or as
   a variable declared by 'var', 'const' or 'catch', or as a declared
   function).
   
   This rule is enforced by checks on the 'var' attribute of the
   attribute grammar. The following is a complete list of the productions
   in which it is possible for a multiple declaration to occur:

     StatementList/, ConstDeclarationList/, VariableDeclarationList/,
     IterationStatement/, IfStatement/,
     TryStatement, Catch, CaseBlock, CaseClauses, FormalParameterList,
     FunctionDeclaration, FunctionExpression, SourceElements.

[[FIXME: not all of these are done yet]]

     <sl::StatementList> :
       <Statement>
       <list::StatementList> <s::Statement>
         { sl.errors = { error(sl, id, 'multiple declaration') | id <- list.vars intersect s.vars }
                       union list.errors union s.errors }

     <ConstDeclarationList> : see rule DECLARABLE_IDENTIFIERS

     <VariableDeclarationList> : see rule DECLARABLE_IDENTIFIERS

     <IterationStatement> : see rule SIMPLE_STATEMENTS

     <TryStatement> : see rule TRY_CATCH

     <Catch> : see rule TRY_CATCH

   (LabelledStatement is not included in this list because statement labels
   are in a different namespace to variables. CaseStatementList is not
   included because a CaseEndStatement cannot declare a variable.)

   Rationale:
   Disallowing multiple declarations greatly simplifies reasoning about various
   scoping bugs in JavaScript implementations.

   It is bizarre that ES3 allows two or more parameters to
   a function to have the same names (see ECMA-262 section 10.1.3).
   There's no reason to define semantics for something that is a clear
   programming error.

   See also <http://code.google.com/p/google-caja/wiki/InaccessibleLocalVariables>.

   Note that this rule does not ensure that a variable will be reset to the
   undefined value each time a 'var' declaration for that identifier is encountered.
   For example,

     for (var x = 0; x < 2; x++) {
       var y;
       foo(y);  // allowed, but probably an error
       y = 42;
     }

   will call 'foo' with undefined, then with 42 (as specified by ES3). That is,
   it is possible for a variable to retain its value when its strict scope is
   exited and then reentered. Jacaranda programmers SHOULD NOT rely on this behaviour
   (a future version might require 'var y = undefined').
   It is desirable for a Jacaranda verifier to warn when a variable may be used before
   it has definitely been assigned.


SCOPE_OF_DECLARATIONS_AND_THIS (!A):

   A *control block* is a <Block>, <FunctionBody>, or a clause of a switch
   statement (i.e. <CaseClause>, <LastCaseClause>, <DefaultClause> or <LastDefaultClause>).

   The *loose scope* of a declaration is the scope in which occurrences of
   the declared identifier would refer to that declaration according to ES3
   (this is the whole body of the function that declares the identifier,
   including any nested functions in which the identifier is not shadowed).

   The *strict scope* of:

    - a variable declared in a <VariableStatement>, is its loose scope
      restricted to the textually following section of the immediately
      surrounding control block. This includes subsequent, but not prior
      initialisers in the statement's <VariableDeclarationList> or
      <ConstDeclarationList>. It also includes the bodies of function
      expressions (including nested functions, but not uses outside
      a function expression) in the variable's own initialiser.

    - a variable declared in the <VariableDeclarationList> part of the
      «for (var ...; ...; ...)» form of an <IterationStatement>, is its
      loose scope restricted to the textually following section of the
      iteration statement. This includes subsequent, but not prior
      initialisers in the <VariableDeclarationList>, and the
      bodies of function expressions in the variable's own initialiser
      (exactly as for a <VariableStatement>);

    - a variable declared by a <Catch>, is its loose scope restricted to
      that catch block;

    - a function declared by a <FunctionDeclaration>, is its loose scope.

   For each declaration, the declared identifier MUST NOT occur within
   that declaration's loose scope, but outside its strict scope.

   An identifier occurrence in a <LeftHandSideExpression> is called an
   *assigning occurrence*. If an assigning occurrence of an identifier
   is not in the strict scope of any declaration within a given enclosing
   code fragment, it is called a *freely-assigned identifier* of that
   fragment. The 'freelyAssigned' attribute of the Jacaranda grammar
   tracks the set of freely-assigned identifiers of the fragment
   corresponding to each parse tree node.

   An identifier occurrence not in a <LeftHandSideExpression> is called
   a *use occurrence*. If a use occurrence of an identifier is not in the
   strict scope of any declaration within a given enclosing code fragment,
   it is called a *freely-used identifier* of that fragment. The 'freelyUsed'
   attribute of the Jacaranda grammar tracks the set of freely-used identifiers
   of the fragment corresponding to each parse tree node.

   Rationale: ES3's scoping rules are potentially confusing to programmers
   used to languages with block lexical scoping. These restrictions also
   have the effect of hiding some inconsistencies between JavaScript
   implementations.
   
   Also, without this rule, a <ThisIdentifier> could potentially be accessed
   when it is bound to «undefined» rather than to the intended «this»
   object (which would be confusing, even if not strictly a security issue).

   Cajita, but not Caja, has similar scoping restrictions.

   A variable is in scope within the body of function expressions in its
   own initialiser, in order to allow the definition of recursive functions
   within an arbitrary block, for example:

     if (...) {
       /*const*/ var foo = function() {
         ... foo() ...
       }
     }

   This is useful because Jacaranda does not allow the named function
   expression in:

     if (...) {
       (function foo() {
         ... foo() ...
       });
     }

   (see rule NO_NAMED_FUNCTION_EXPRESSION). Uses within the variable's own
   initialiser but outside a function expression are not allowed because
   the variable would have the value «undefined» at that point.

   Note that strict ES3 and Jacaranda do not allow function _declarations_
   within an arbitrary block; declarations are only allowed as a
   <SourceElement>. Although most JavaScript implementations support that
   as an extension, they do so inconsistently [[ref google-caja-discuss thread]].


SCOPE_OF_THIS (!A):

   A *this-function* is a function defined by a <FunctionExpression>
   given in an object literal's <PropertyNameAndValueList>, as the value
   of a property with a name that is not an exposed string.

   The keyword «this» MUST ONLY occur in the body of a this-function,
   not including nested functions.

     <ol::ObjectLiteral> :
       { }
       { nvl::<PropertyNameAndValueList> }
         { ol.aliasesForThis = {},
           ol.usedProperties = {},
           ol.errors = { error(...) | [t, id] <- nvl.usedProperties
                                      where t in (nvl.aliasesForThis union {'this'}) and not(id in nvl.simpleNames) } }

     <nvl::PropertyNameAndValueList> :
       <nv::PropertyNameAndValue>
         { nvl.names = {nv.name},
           nvl.simpleNames = nv.simpleNames }
       <list::PropertyNameAndValueList> , <nv::PropertyNameAndValue>
         { nvl.names = list.names union {nv.name},
           nvl.simpleNames = list.simpleNames union nv.simpleNames,
           nvl.errors = check(nv.name not in list.names, nvl, nv.name, 'duplicate property name in object literal')
                        union list.errors union nv.errors }

     <nv::PropertyNameAndValue> :
       <n::PropertyName> : <v::AssignmentExpression>
         { nv.name = n.name,
           if (v is <FunctionExpression>) {
             if not('this' in v.freelyUsed) {
               nv.simpleNames = {n.name}
             }
             nv.freelyUsed = v.freelyUsed - {'this'},
             nv.errors = check(not('this' in v.freelyUsed and n.name is <ExposedString>), nv, n.name,
                               "'this' used freely in an exposed function") union n.errors union v.errors }
           } else {
             nv.freelyUsed = v.freelyUsed,
             nv.errors = n.errors union v.errors
           } }

[[FIXME obsolete
     <t::PrimaryExpression> :
       this
         { t.errors = check('this' in t.scope, t, "'this' is not allowed here") }
       <id::Identifier>
         { t.used = {id}, t.errors = check(id in t.scope, t, "identifier " ++ quote(id) ++ " is not in scope") }
       <lit::Literal>
         { t.errors = lit.errors }
       <ArrayLiteral>
       <ObjectLiteral>
       ( <Expression> )
   ...
]]

   Rationale: In Jacaranda (as in Caja and many other object-oriented
   languages that support a 'this' keyword), «this» may only be bound
   to an object when within that object's encapsulation boundary --
   that is, within the source text of the object literal defining the
   object.

   Properties with names that are exposed strings are excluded because
   these properties can be accessed directly using the «.» operator,
   and in some cases the «[]» operator (see the PUBLIC_PROPERTY_READ rule).
   If such a property could hold a function that refers directly to
   «this», then the function could be obtained as a first-class value
   and then called, resulting in «this» being bound to the global
   object of the current context:

     var f = {
       Exposed: function () {
         return this;  // not allowed in Jacaranda
       }
     }.Exposed;
     var global = f();

   The concept in Caja corresponding to a function that is allowed to
   refer to «this» is called a "method", but we do not use that term
   because it conflicts with the definition of method in ECMA-262
   ("a function associated with an object via a property").


ARRAY_LITERAL_NO_TRAILING_COMMAS:

   Trailing commas MUST NOT be used in an array literal.

     <ArrayLiteral> ::=
       [ <ElementList>opt ]

   Rationale: JScript implements trailing commas incorrectly.
   [[need ref]]

   Trailing commas are also not allowed in object literals
   (following ES3 strictly), even though they are supported
   in ES3.1 [[need ref]] and as an extension in several implementations.


STATEMENT_NO_WITH:

   The 'with' statement MUST NOT be used.

     <Statement> :
       <Block>
       <VariableStatement>
       <EmptyStatement>
       <ExpressionStatement>
       <IfStatement>
       <IterationStatement>
       <ContinueStatement>
       <BreakStatement>
       <ReturnStatement>
       <LabelledStatement>
       <SwitchStatement>
       <ThrowStatement>
       <TryStatement>

     <ContinueStatement> : see rule SIMPLE_STATEMENTS

     <BreakStatement> : see rule SIMPLE_STATEMENTS

     <ReturnStatement> : see rule SIMPLE_STATEMENTS

     <ThrowStatement> : see rule SIMPLE_STATEMENTS

   Rationale: the 'with' construct seems to have few friends. Some
   problems with it, and alternatives, are discussed at
   <http://yuiblog.com/blog/2006/04/11/with-statement-considered-harmful/>.
   Caja, ADsafe, and FBJS also disallow it unconditionally.

   If 'with' were allowed, it would complicate enforcing other rules, in
   particular DECLARABLE_IDENTIFIERS, that are required to maintain
   Jacaranda's integrity properties. A possible solution is as follows:
   Define an unshadowable function $scope such that «$scope(obj)» enumerates
   the public properties of «obj» having names that are <DeclarableIdentifier>s,
   copies those properties to a new object, and returns that object.
   Require a with statement to be written as «with ($scope(obj)) {...}».
   Note, however, that identifiers used in the with statement's block that
   are not explicitly declared would still have to be treated as potentially
   freely-used identifiers (and therefore declared in the module's imports),
   even though they may be provided by the new scope. While this approach
   would preserve overall integrity, reasoning about the scoping of identifiers
   in a 'with' block would still be difficult. It was rejected for that
   reason, and because the minor additional expressiveness provided by
   'with' does not justify the complexity.
   
   (One reason this approach was considered at all is that it potentially
   allowed some of the code that handles module imports to be implemented
   outside the Jacaranda implementation's TCB. However, on closer examination
   this would not significantly reduce the overall amount of trusted code.)


NO_IN:

   The 'in' keyword MUST NOT be used.

   The ES3 grammar has many productions with both a variant whose name
   ends in 'NoIn', and one that does not. In Jacaranda it is redundant
   to have both variants, since 'in' is not allowed anywhere; therefore,
   the variants with the 'NoIn' suffix are not used.

     <RelationalExpression> :
       <ShiftExpression>
       <RelationalExpression> < <ShiftExpression>
       <RelationalExpression> > <ShiftExpression>
       <RelationalExpression> <= <ShiftExpression>
       <RelationalExpression> >= <ShiftExpression>
       <RelationalExpression> instanceof <ShiftExpression>
   
   The necessary grammar change to <IterationStatement> is given in
   the SIMPLE_STATEMENTS rule.

   Rationale:
   Both 'for..in' and the 'in' operator break encapsulation by revealing
   the existence of non-public properties.

   It would have been possible to allow 'k in obj' in the case where k
   is an <ExposedExpression> or a <StringLiteral> denoting a public string.
   However, the grammar simplification (eliminating 13 productions) that
   results from removing all uses of 'in' was too good to pass up.

   The $hasPublic function in the Jacaranda library replaces the
   functionality of 'k in obj' for testing properties known to be
   public. For Jacaranda objects, there is a protected _hasProperty
   method that replaces the functionality of 'k in this' for any
   definable property.


NO_NAMED_FUNCTION_EXPRESSION:

   An identifier MUST NOT be given after the function keyword of a
   function expression.

     <FunctionExpression> :
       function ( <FormalParameterList>opt ) { <FunctionBody> }

     <FormalParameterList> : see DECLARABLE_IDENTIFIERS rule

     <FunctionBody> : as in ECMA-262 section 13

   Rationale: Named function expressions do not have consistent or
   ES3-conforming behaviour across implementations.
   [[ref Mozilla extensions doc, and explain]]


UNARY_EXPRESSION_NO_DELETE:

   'delete' expressions MUST NOT be used.

     <UnaryExpression> :
       <PostfixExpression>
       void <UnaryExpression>
       typeof <UnaryExpression>
       <PreIncrement> <UnaryExpression>
       <PreDecrement> <UnaryExpression>
       + <UnaryExpression>
       - <UnaryExpression>
       ~ <UnaryExpression>
       ! <UnaryExpression>

     <PreIncrement> : see rule LEX_TOKENISATION

     <PreDecrement> : see rule LEX_TOKENISATION


   Rationale:
   'delete' breaks encapsulation, because an object has no way to
   control whether its properties are deletable.
   It fails silently if the property has the DontDelete attribute,
   rather than throwing an exception. Also, a description of its
   semantics requires "references" (complex lvalues), because
   «delete obj[name]» does not evaluate «obj[name]» normally.

   Jacaranda programs should use one of the following alternatives:

    - to delete a property of an arbitrary object, use
      «$delete(obj, name)». A property can be deleted in this
      way if and only if it could be publically set to 'undefined'
      using «obj.set(name, undefined)».

      [[WRONG, unless we make properties that hold 'undefined'
      non-enumerable??]]

    - to delete a property of 'this', use «this.delete_(name)».
      A property can be deleted in this way if and only if it could
      be set to 'undefined' by the _default_ implementation of
      «this.set_(name, undefined)». [[CHECK]]


SWITCH_NO_ACCIDENTAL_FALLTHRU:

   Each <CaseClause> or <DefaultClause> in a switch statement MUST:
    - have no statements, or
    - end with a «/*fallthru*/» token (see LEX_COMMENT_KEYWORDS), or
    - end with a <ContinueStatement>, <BreakStatement>, <ReturnStatement>,
      or <ThrowStatement>, or
    - be the last clause.

   The last clause in a switch statement MUST NOT end with a «/*fallthru*/»
   token.

   Fallthru tokens have no semantic effect. The <LastCaseClause> or
   <LastDefaultClause> have the same semantics as a <CaseClause> or
   <DefaultClause> in ES3 (as corrected by
   <http://www.mozilla.org/js/language/E262-3-errata.html>).

     <CaseBlock> :
       { }
       { <CaseClauses>opt <LastCaseClause> }
       { <CaseClauses>opt <LastDefaultClause> }
       { <CaseClauses>opt <DefaultClause> <CaseClauses>opt <LastCaseClause> }

     <LastDefaultClause> :
       default : <StatementList>opt

     <LastCaseClause> :
       case <CaseExpression> : <StatementList>opt

     <DefaultClause> :
       default : <CaseStatementList>opt

     <CaseClause> :
       case <CaseExpression> : <CaseStatementList>opt

     <CaseStatementList> :
       <StatementList>opt <CaseEndStatement>

     <StatementList> : as in ECMA-262 section 12.1

     <CaseClauses> : as in ECMA-262 section 12.11

     <CaseEndStatement> :
       /*fallthru*/
       <ContinueStatement>
       <BreakStatement>
       <ReturnStatement>
       <ThrowStatement>

     <ContinueStatement> : see rule SIMPLE_STATEMENTS

     <BreakStatement> : see rule SIMPLE_STATEMENTS

     <ReturnStatement> : see rule SIMPLE_STATEMENTS

     <ThrowStatement> : see rule SIMPLE_STATEMENTS

     <CaseExpression> : see rule SWITCH_NO_CASE_NAN_OR_MINUS_ZERO

   Rationale: mitigates against a very common programming error. The
   common idiom of grouping several case labels together is accepted.
   There is no restriction on the last statement of the last case label,
   because there is no risk of accidental fallthru there.

   For simplicity, there is no attempt to detect cases where a fallthru
   could not occur because the end of the preceding clause cannot be
   reached (for a reason other than ending in a break, continue, return
   or throw statement), such as «while (true) { /* no break */ }».

   JSLint also checks for fallthrus, but does not recognise any marker
   for a deliberate fallthru. I probably got that idea from Cyclone:
   <http://cyclone.thelanguage.org/wiki/Switch%20Statements>.


SWITCH_NO_CASE_NAN_OR_MINUS_ZERO:

   'case NaN:' MUST NOT occur.
   'case -<x>:' MUST NOT occur for any numeric literal <x> with value 0
     (for example 'case -0:' or 'case -0.0:').

     <t::CaseExpression> :
       <exp::Expression>
         { t.error = check(not(exp is NaN), t, "NaN not allowed as case value")
               union check(not(exp is - <nl::NumericLiteral> where nl.MV = 0), t,
                           "-0 not allowed as case value") }

   (SWITCH_NO_ACCIDENTAL_FALLTHRU uses <CaseExpression>.)

   Rationale: cases are matched using the '===' operator, which treats
   NaN as unequal to NaN. So 'case NaN:' will never be matched and is
   almost certainly an error (see
   <http://yuiblog.com/blog/2007/04/25/id-rather-switch-than-fight/>).
   Similarly, a match against -0 is likely to have been intended to match
   _only_ -0, but will actually match both -0 and 0.

   Note that case labels in JavaScript can be general expressions (in fact
   -0 is an expression, not a literal). This rule cannot prevent matching
   against an expression evaluating to NaN, for instance, which is also
   likely to be an error, but is probably quite uncommon.


SIMPLE_STATEMENTS:

   A *simple statement* is an expression statement that is an <AssignmentExpression>,
   or a continue, break, return or throw statement.

   The statement used in the first arm of an 'if', or as the body of any
   iteration statement, MUST be either a simple statement or a <Block>.
   The statement used in the "else" arm of an 'if' MUST be another <IfStatement>,
   or a simple statement or a <Block>.

     <s::IfStatement> :
       if ( <Expression> ) <SimpleStatementOrBlock>
       if ( <Expression> ) <b1::SimpleStatementOrBlock> else <b2::IfOrSimpleStatementOrBlock>
         { s.errors = { error(s, id, 'multiple declaration') | id <- b1.vars intersect b2.vars }
                      union b1.errors union b2.errors }

     <s::IterationStatement> :
       do <SimpleStatementOrBlock> while ( <Expression> ) ;
       while ( <Expression> ) <SimpleStatementOrBlock>
       for ( <Expression>opt ; <Expression>opt ; <Expression>opt ) <SimpleStatementOrBlock>
       for ( var <dl::VariableDeclarationList> ; <Expression>opt ; <Expression>opt ) <b::SimpleStatementOrBlock>
         { s.errors = { error(s, id, 'multiple declaration') | id <- dl.vars intersect b.vars }
                      union dl.errors union b.errors }

     <SimpleStatementOrBlock> :
       [lookahead ∉ {'{', 'function'}] <AssignmentExpression>
       <ContinueStatement>
       <BreakStatement>
       <ReturnStatement>
       <ThrowStatement>
       <Block>

     <IfOrSimpleStatementOrBlock> :
       <IfStatement>
       <SimpleStatementOrBlock>

     <VariableDeclarationList> : see rule DECLARABLE_IDENTIFIERS

     <ContinueStatement> :
       continue <Identifier>opt ;

     <BreakStatement> :
       break <Identifier>opt ;

     <ReturnStatement> :
       return <Expression>opt ;

     <ThrowStatement> :
       throw <Expression> ;

   Rationale:
   In languages with C-like syntax, control constructs such as 'if', 'do',
   'while', 'for' and 'try' can have statements as child productions.
   In many cases the scoping and control flow issues are made clearer by
   requiring that such statements are always blocks. For example, JSLint
   enforces that rule. OTOH, many programmers, and many existing JavaScript
   programs, use a coding style in which the curly brackets need not be used
   provided the statement is "simple enough". It is hard to argue that this
   style causes any practical problem that would justify prohibiting it.
   The above rule attempts to codify this compromise position.

   In practice, there seems to be a fair degree of concensus about which
   statements can be treated as simple in this sense: control/iteration
   statements (that is, anything that can have another statement as a
   subproduction) are definitely out. OTOH, it is fairly harmless to write
   continue, break, return and throw statements without curly brackets.

   Some less obvious cases are:

    - comma expressions are not simple; it would be much clearer to rewrite
      these as a block with each comma-separated expression in its own statement.

    - other expression statements (i.e. <AssignmentExpression>s) are simple.
      Typical cases of this are function or method calls, assignments, and uses
      of side-effecting operators like ++ and --.

    - a <VariableStatement> is not simple because allowing that would make it
      less clear what the scope of a variable is, given Jacaranda's stricter
      scoping rules (it would not be sufficient to say that the scope is
      limited to the immediately surrounding block, as the SCOPE_OF_DECLARATIONS
      rule does).

    - an <EmptyStatement> is not simple because it is always clearer to use
      an empty block, i.e. {}. A semicolon used as an empty statement can
      very easily be misread.

    - a <LabelledStatement> is not simple because it can label an arbitrary
      <Statement> (besides, labelling a simple statement is useless, since
      there can be no loop from which we need to be able to jump out to that
      label).

   Note that this rule means that the "dangling else problem" does not occur
   in Jacaranda.

   The <SwitchStatement> and <TryStatement> productions do not need to be
   modified, because they already require curly brackets around a switch body
   or a try/catch/finally block.

   The "else" arm of an <IfStatement> is allowed to be another <IfStatement>,
   in order to support "if (...) else if (...) ..." chains.

   The <WithStatement> production does not need to be modified because Jacaranda
   does not have with statements.
   
   For an explanation of why <IterationStatement> uses only the <Expression>
   and <VariableDeclarationList> productions, as opposed to <ExpressionNoIn>
   and <VariableDeclarationListNoIn> as defined in ECMA-262, see rule NO_IN.


EXPRESSION_STATEMENTS:

   [[restrict expression statements to expressions that can have side-effects?]]


TRY_CATCH:

   The block following a catch clause MUST start with a call to the global
   $caught function, passing the same identifier as declared by the 'catch'
   as its only argument. A finally clause MUST NOT be present.

     <s::TryStatement> :
       try <b::Block> <c::Catch>
         { s.errors = { error(s, id, 'multiple declaration') | id <- b.vars intersect c.vars }
                      union b.errors union c.errors }

     <c::Catch> :
       catch ( <id::DeclarableIdentifier> ) { $caught ( <id2::Identifier> ) ; <sl::StatementList>opt }
         { c.free = sl.free - {id},
           c.vars = sl.vars union {id},
           c.errors = check(id === id2, c, [id, id2], 'catch and $caught identifiers do not match')
                      union check(id notin sl.vars, ts, id, 'multiple declaration')
                      union id.errors union id2.errors union sl.errors }

   An exception object passed to the $caught function is either:
    - *catchable*, in which case the call has no observable effect, or
    - *uncatchable*, in which case the context in which the exception occurred SHALL
      be locked (see the Conformance section).

   [[CHECK: is the exception guaranteed to have occurred in the same context it is caught?]]

   An exception object that has a 'Catchable' property with value true SHALL be catchable.
   An exception object that has a 'Catchable' property with value false SHALL be uncatchable.
   The criteria used to determine whether other exception objects are catchable or
   uncatchable are implementation-defined.

   Rationale:
   This rule means that a catch block must be written as:

     try {
       ...
     } catch (e) { $caught(e);
       ...
     }

   The implementation of $caught checks whether the exception is
   nondeterministically generated, for example as a result of resource
   exhaustion. Since JavaScript implementations vary in how
   resource exceptions can be detected, the exact criteria are implementation-defined.

   Finally clauses cannot be supported, because they may execute when
   an unknown exception has occurred. Instead, a library function
   $tryFinally is supported:

     ...


Module Run-time Environment
===========================

The environment in which an accepted module is executed has the following
characteristics:

 - the functions defined by the Jacaranda standard library SHALL be available
   in the global scope.

 - for each name specified in the module's 'imports' and 'optionalImports' lists,
   a corresponding property SHALL be available in the global scope. In the case
   of the 'optionalImports' list, this property SHALL be set to «undefined» if
   the import is not available.

[[End of the current draft. The run-time environment section is obviously very
incomplete, although a fair proportion of the reference implementation for the
standard library has been written.]]

-- 
David-Sarah Hopwood