Post on 20-Dec-2015
An Example of Translation and Proof using Higher-Order Abstract Syntax
Michael W. Whalen
Advanced Technology Center
Rockwell Collins Inc.
http://www.cs.umn.edu/crisys

Safety-Critical Systems
Code Generation Requirements
• Automatic
• Formally-Defined
  – Formal description of source/target language
  – Proof that generated code implements specification
• Correctly-Implemented
  – Transparent transliteration of translation rules
  – Implementation should be rigorously tested
• Usable for Safety-Critical Systems
  – Human-Understandable and traceable
    · Necessary for fault analysis, code instrumentation
    · Required by regulatory agencies
  – Fast enough for target environment
Aspects of Translation
1. Foundations: Language Semantics and Proof
2. Formal Architecture: How do we create a formal translation approach from foundations?
3. Application: Applying Semantics and Proofs to RSML-e Translator
4. Implementation: Designing a Translator that transparently implements rules
Formal Definition of Compiler Correctness
(Figure, boxes as labelled: RSML-e Syntax, Compiler Definition, Program Syntax; RSML-e Semantics, Program Semantics; Output, Output. Proof: Same Outputs Generated.)
Operational Semantics and Proof
• Operational semantics provides a framework for evaluation, static semantics, and transformations
• Several different “flavors” of operational semantics
  – SOS, Natural Semantics, Abstract Machines
• We want a formalism that leads to elegant transformations and proofs
Managing Identifiers
• Large part of translation and proof complexity
• Explicit Environments
  – “Environment Carrying” functions [Plotkin: SOS, Despeyroux: Mini-ML]
  – Renaming over scopes [Drossopoulou: Java]
• Implicit Environments
  – Substitution as meta-rule [Pierce PL Book]: lambda variables in object language
  – Metalevel support [Hannan93, Whalen05]: lambda variables in metalanguage; proofs describing substitution behavior provided by metalogic
Extended Natural Semantics Example
Concrete Syntax:
function sum(y: int; z: int) : int { return y + z; }
Higher-Order Abstract Syntax:
(function_def int (param int (λy. (param int (λz. (body (binary_expr (lit_expr y) plus (lit_expr z))))))))
Evaluation Rules and Example: shown as figures on the original slide.
Extended Natural Semantics: Typing
Higher-Order Abstract Syntax:
(function_def int (param int (λy. (param int (λz. (body (binary_expr (lit_expr y) plus (lit_expr z))))))))
Typing Rules and Example: shown as figures on the original slide.
Extended Natural Semantics: Transformation
Transformation Rules: shown as figure on the original slide.
Higher-Order Abstract Syntax:
(function_def int (param int (λy. (param int (λz. (body (binary_expr (lit_expr y) plus (lit_expr z))…
is transformed into:
(function_def int (param int (λy. (param int (λz. (body (binary_expr (unary_expr minus (lit_expr y)) plus (unary_expr minus (lit_expr z))…
ENS Transformation, Expanded
(Figure: transforming under a binder, read as a sequence of steps)
Instantiating new constant c for x: (λz.<Body>) c
Body[z := c]
Apply trans rule here. Rule premises define how Body is transformed to Body'
Body'[z := c]
Applying c for z in Body: { (λz.<Body''>) c, (λz.<Body'''>) c, … }
Several functions may match Body', replacing zero or more instances of c with z.
However, only one function can match the , because the c must be new: it cannot exist outside the scope of the , so all c's must be replaced by z's.
Rule form from the figure: ( x ((λz.<Body>) x) ((λz.<Body*>) x))
Aspects of Translation
1. Foundations: Language Semantics and Proof
2. Formal Architecture: How do we create a formal translation approach using foundations?
3. Application: Applying Semantics and Proofs to RSML-e Translator
4. Implementation: Designing a Translator that transparently implements rules
Notions of Completeness and Determinism
(Figure, boxes as labelled: Source Syntax, Compiler Rules, Program Syntax; RSML Semantics Rules, Program Semantics Rules; Output, Output.)
Are rules deterministic?
Are rules complete?
Correctness Obligations for SOS Rules
• Obligations are equivalent if source semantics are complete.
• Obligations for deterministic language: (shown as figure on the original slide)
• Despeyroux’s obligations: (shown as figure on the original slide)
Translation in Layers
(Figure: RSML-e at the top and C, Ada, Java, … at the bottom, with intermediate layers “… …” between them; each layer carries Semantics Rules, Translation Rules and Completeness Proofs.)
Evaluation Rules in Translation
Source AST Grammar: ...v_expr ::= unknown | id(expr list) | expr....
Target AST Grammar: ...v_expr ::= if expr then v_expr else v_expr | expr....
New Syntax: if expr then v_expr else v_expr
Evaluation rules for new syntax: (shown as figure on the original slide)
(Figure: Source Evaluation Rules, minus Rules for Removed Syntax, plus rules for new syntax, give the Target Evaluation Rules.)
Translation Proof Structure
• Describe the correctness of contexts: (shown as figure on the original slide)
• Describe equivalence of program states: (shown as figure on the original slide)
• Describe completeness obligation using evaluation rules for source and target languages + transformation rules: (shown as figure on the original slide)
Aspects of Translation
1. Foundations: Language Semantics and Proof
2. Formal Architecture: How do we create a formal translation approach from foundations?
3. Application: Applying Semantics and Proofs to RSML-e Translator
4. Implementation: Designing a Translator that transparently implements rules
Source Language: RSML-e
• RSML-e is a Reactive Synchronous Dataflow Language
  – Reactive: the specification reacts to changes in the external environment at discrete intervals
  – Synchronous: those reactions take (logically) zero time
  – Dataflow: the value of an object (variable or interface) can be computed as soon as the objects on which it depends have been computed
• Specification consists of Variables and Interfaces
  – Variables maintain the internal state of the model
  – Interfaces describe interaction with the external environment
• Two-state model
  – Values of variables from the previous step can be referenced
Source Language: RSML-e
(Figure: Altitude Switch Specification. Input Frames: Reset_Receiver, Clock, DOI_Receiver, …; Output Frames: DOICmd_Sender, Fault_Sender, …; Frame Being Evaluated; Evaluation Result: <empty>.)
Source Language: RSML-e (Altitude Switch Specification)
Input Interfaces: ResetReceiver, ClockReader, DOIReceiver, AltitudeReader
State Variables: Reset, Clock, DOIStatus, Altitude, AltitudeQuality, SystemMode, AltitudeStatus, DOI
Output Interfaces: DOICmdSender, FaultSender
Source Language: RSML-e
• Each variable or interface has an assignment:
AltitudeStatus :=
  when initially defined: Status:Ok
  equals Status:Failed if Altitude < 0 or AltitudeQuality = Quality:Bad
  equals Status:Ok if Altitude > 0 and AltitudeQuality = Quality:Good
Translation: Intermediate Languages
• We move the language successively closer to an imperative language
  – RSMLp: move from the RSML-e synchronous specification language to a synchronous programming language: remove undefined and case lists
  – RSMLt: switch from a structural to a nominal type system
  – RSMLv: switch from two-state variables to one-state variables
  – SIMPLr: add imperative, rather than functional, assignments to variables (subset of Ada)
  – SIMPL: remove record assignments from SIMPLr (subset of C, Java)
Example: RSML-e to RSML-p
• This transformation does two things:
  – Replaces assignment case lists with assignment expressions
  – Removes undefined_val from the type system
• To remove undefined_val we transform all variables in the specification: var x : T; becomes var x : record{ val: T, def: Boolean };
Transformation Rules
• Expressions: (rules shown as figure on the original slide)
• Declarations: (rules shown as figure on the original slide)
Proof Obligations
Context Relation: (definition shown as figure on the original slide)
State Relation: (definition shown as figure on the original slide)
State Variable Value Similarity Relation: (definition shown as figure on the original slide)
Proof Obligation: Expressions
Expression Obligation: (shown as figure on the original slide)
Lemma about deref: (shown as figure on the original slide)
Example Proof: pre_expr Transformation
Rule: (shown as figure on the original slide)
RSML-e Evaluation Rule: (shown as figure on the original slide)
From deref Lemma: (shown as figure on the original slide)
From definition of ≈, and from premise Val_s ≠ undefined_val, Val_t =
with V2 = Val_s. Now, we can derive: (shown as figure on the original slide)
Aspects of Translation
1. Foundations: Language Semantics and Proof
2. Formal Architecture: How do we create a formal translation approach from foundations?
3. Application: Applying Semantics and Proofs to RSML-e Translator
4. Implementation: Designing a Translator that transparently implements rules
Implementation
• Prototype Translator in λProlog
• Transparently Implements ENS Rules (figure: an ENS rule “becomes…” its λProlog implementation)
Translator Architecture
(Figure, components as labelled: RSML-e Concrete Syntax File → Trusted ML-YACC Parser → RSML-e Abstract Syntax File → Trusted Lambda-Prolog Translator → C/C++ Concrete Syntax File, Java Concrete Syntax File, Ada Concrete Syntax File (Planned), Traceability Information Report (Planned). An Untrusted “User Friendly” ML Static Semantics Checker produces the Static Semantics Error Report.)
Implementation
• Translator Stats: Source Code: @ 100KB in 27 source/header files

| Rule Type | Lines of Code | Number of Rules |
|---|---|---|
| Translation | @2000 | 278 |
| RSML-e Static Semantics | @1000 | 141 |
| Scaffolding | @500 | 45 |
| RSML-e Evaluation | @350 | 100 |
| SIMPL Evaluation | @320 | 91 |
Implementation
• Translation Results

| File Name | Size (LOC) | Compilation Time |
|---|---|---|
| records3.rsmle | 71 | 1s |
| three_altimeters.rsmle | 131 | 2s |
| numeric_ops.rsmle | 230 | DNF – Ran out of Memory |
| function_test.rsmle | 215 | DNF – Ran out of Memory |

• Teyjus Needs Garbage Collection!
Post-Mortem
Discussion
• Original work was in a first-order system
  – Used ID-substitution (Drossopoulou)
  – Requires additional rules describing which ids should be substituted (e.g. no record fields)
  – Required significant additional lemmas about how terms behave under id substitutions
  – I was struggling to complete proofs (and bored) due to the sheer number of details related to identifiers
Discussion
• HOAS and λProlog made my dissertation much more straightforward
  – Language descriptions became simpler
  – Translation became much simpler
    · Use of implication allowed immediate and simple constructions of compiler environment
    · Relations over correct environments are straightforward to construct
  – Proofs became much simpler
    · No substitution lemmas [Pierce, Despeyroux]
    · Proofs 2-3x shorter
Binding I: Removing Names
• One goal of HOAS: make identifier names irrelevant
• I was not totally able to do this:
  – Record fields still keyed by id
  – λ-bindings assume a specific order – record expressions allow arbitrary order
  – Question: is it possible / a good idea to remove field identifiers?
Binding II: Adding Variables
• Translation from a higher-level to a lower-level language often requires introduction of new variables
  – Difficult to motivate translation rules at first
  – Led to some odd rule constructions where bindings and code were constructed “in parallel”
  – Example: moving from a language with record-creation expressions (a la ML) to one that does not have them (a la C)
Remove Record Expressions Example
• Given: type a = record { f1 : int, f2 : real } ;
• Want to change something like: [f1 : 2+y, f2 : 3.1]
• Into: create_a(2+y, 3.1)
• Need to create:
  fun create_a( f1 : int, f2 : real): a =
    var r_result : a ;
    in
      r_result.f1 = f1 ;
      r_result.f2 = f2 ;
      return r_result ;
    end
Remove Record Expressions Example
Rule: create_type_fn_body Var Type Fields StmtList Block
- Var is the fresh constant bound to the r_result local variable
- Type is the return type of Var
- Fields describes the remaining fields to be assigned within the record
- StmtList defines the field assignments performed thus far
- Block is the returned function block
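The create_type_fn_body rule carried out on the record example from the two preceding slides, as an added Python example; it is not the project's λProlog clause. The recursion threads Fields and StmtList the way the five parameters above describe, and the record expression is rewritten into the create_a call with its arguments put into declared field order, which is the point from the Binding I slide that record fields stay keyed by id while λ-bindings fix an order. The `RecordType` class, the string rendering of the generated function, and the use of a plain name for the fresh Var are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RecordType:
    """type a = record { f1 : int, f2 : real } as data (assumed representation)."""
    name: str
    fields: tuple           # ((field_name, type_name), ...) in declared order

def create_type_fn_body(var, fields, stmt_list):
    """create_type_fn_body Var Type Fields StmtList Block, as a recursion:
    Var       : the result variable (a fresh constant in the deck; a plain name here)
    fields    : the remaining fields still to be assigned
    stmt_list : the field assignments performed thus far
    Returns the Block: all assignments followed by the return of Var."""
    if not fields:
        return stmt_list + [f"return {var} ;"]
    (fname, _), *rest = fields
    return create_type_fn_body(var, rest, stmt_list + [f"{var}.{fname} = {fname} ;"])

def create_fn(rt, var="r_result"):
    """Generate the create_<type> function for a record type (the 'Need to create' text)."""
    params = ", ".join(f"{f} : {t}" for f, t in rt.fields)
    block = create_type_fn_body(var, rt.fields, [])
    lines = [f"fun create_{rt.name}( {params}): {rt.name} =",
             f"  var {var} : {rt.name} ;",
             "  in"] + [f"    {s}" for s in block] + ["  end"]
    return "\n".join(lines)

def rewrite_record_expr(rt, record_expr):
    """[f1 : 2+y, f2 : 3.1]  ->  create_a(2+y, 3.1).
    record_expr is a list of (field, expression_text) in any order; the call's
    arguments follow the declared field order, so the field ids are what link them."""
    given = dict(record_expr)
    if set(given) != {f for f, _ in rt.fields} or len(given) != len(record_expr):
        raise ValueError(f"record expression does not match type {rt.name}")
    args = ", ".join(given[f] for f, _ in rt.fields)
    return f"create_{rt.name}({args})"

# Constructed sample: the slide's type a and its record expression, fields given out of order.
TYPE_A = RecordType("a", (("f1", "int"), ("f2", "real")))
RECORD_EXPR = [("f2", "3.1"), ("f1", "2+y")]

if __name__ == "__main__":
    print(rewrite_record_expr(TYPE_A, RECORD_EXPR))
    print(create_fn(TYPE_A))
```

The duplicate/missing-field check in `rewrite_record_expr` is where a static-semantics rule would sit; the deck keeps that in a separate checker rather than in the translation rules.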
Binding II: Adding Variables
• Similar project at RCI: Translating Lustre to several languages (NuSMV, PVS, SAL)
• Lustre supports a PRE-operator that allows reference to previous values of variables
  – Fibonacci: x = pre(pre(x, 0), 0) + pre(x,1) ;
• To translate to C, we must introduce additional variables for each pre-operator
• Seems tricky to do in HOAS!
Binding III: Non-Lexical Scoping
• Many languages allow forward references to identifiers
  – Java
  – Lustre/SCADE
  – I changed the RSML-e semantics to disallow forward references
• (How) Can we represent “global” scopes in HOAS?
  – Alternately, can we add environments for “global” ids and still get most of the HOAS benefits?
Working in a Positivist Logic
• It would be difficult to write semantics and translator entirely without the use of cut
  – List non-membership in static semantics
  – Evaluation rule for not-equal expressions
  – Occasional use of set data structure
• Cuts were not used in rules that referenced structures that could contain meta-level variables or universal constants
  – These uses could affect correctness of reasoning
• How will my use of cut affect reasoning in a formal framework?
Tool Support
• λProlog gripes
  – No syntax for naming commonly used types – makes for long type descriptions
  – Syntax allows a misplaced comma to conjoin two rule instances; new symbol for reverse implication in rule instance? (<- ) New rule begins with turnstile? (|- )
  – Implication (=>) binds tighter than and (,)
• Teyjus gripes
  – No garbage collector
  – No warnings on single use of variable
  – No warnings on rule declaration without definition
  – No warnings on non-use of bound variable within term
  – No debugger
Conclusion
• Formal approach can be used for real translators
• Difficulty is dependent on choice of formalism
  – Original work was in natural semantics
  – Much simpler with extended natural semantics
• Some things are still tricky to do in HOAS
• A few improvements to tools would really benefit serious users
Conclusion
• SIMPL – “Small Imperative Language” semantics may be useful to others
  – I didn’t want to write it
    · YAILS - boring
    · However, I needed a small subset of Ada/Java/C
    · Literature semantics are cleaner, but have no clear correspondence to “real” languages
  – Supports basic records, arrays, block structuring, functions
  – Recursion could be added easily
    · However, matching C/Java syntax for recursion would be harder
Future Work
• Generalizing work to other source languages: Lustre, SCR
• Adding other target languages
• Extensive testing (if actually to be used on a DO178B development effort)
• Teyjus Improvements
• Optimizations
Contact Information
• Crisys Research Group on the web: http://www.cs.umn.edu/crisys
• Mike Whalen e-mail: [email protected] phone: (612) 625-4543
• Mats P.E. Heimdahl e-mail: [email protected] phone: (612) 625-2068