The Semantics of AsmL in a Proper Perspective Yuri Gurevich Microsoft Research.
The Semantics of AsmL in a Proper Perspective
Yuri Gurevich, Microsoft Research
2
Preamble
The intention was to present a forthcoming paper “Semantics of AsmL” by YG and Wolfram Schulte. But what’s good for a paper is not necessarily good for a talk. Hence a more general view.
3
Agenda
A few words on the ASM project and executable specifications
An AsmL demo
AsmL-S: Why not full AsmL? Abstract syntax, type system, operational semantics
The proof of pudding
4
In the beginning, there was a foundational investigation
PDEs model the physical world. What are the PDEs of CS?
How is CS different? Not a natural science: we study an artificial world. In the sequential case, a state is examinable and, unless the process stops, the next state exists.
The traditional math ways to deal with dynamics (math as autopsy) may be insufficient.
Hence a machine approach may be apt if we can improve on Turing's machine.
5
The ASM thesis
Every computer system, at any level of abstraction, is an ASM as far as behavior is concerned. Ref: Lipari Guide, #103 at my webpage
There is experimental and theoretical confirmation of the thesis but this belongs to a different talk.
Natural ASM applications: modeling existing systems, executable specifications of future
systems
6
Executable Specifications
One needs a practical spec language to write and execute ASM models. Hence ASM engines:
ASM Workbench (U Paderborn, Siemens)
XASM (TU Berlin, Kestrel)
ASM Gofer (U Ulm, Siemens)
AsmL = ASM Language (Microsoft)
AsmL specs do include declarations: invariants, pre- and post-conditions
But isn’t an exec spec just a prototype?
7
In-place one-swap-at-a-time sorting
    var A as Seq of Integer = [3,1,2]
    Swap()
        choose i,j in Indices(A) where i<j and A(i)>A(j)
            A(i) := A(j)
            A(j) := A(i)
    Sort()
        step until fixpoint
            Swap()
States shown in the slide's diagram: A = [2,3,1], A = [1,3,2], A = [1,2,3], A = [2,1,3]
Nondeterminism
Parallelism
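The two labels on the slide, nondeterminism (the choose) and parallelism (the two assignments fire together), are easiest to see by running the step semantics. The following is an added example, not code from the talk or from AsmL: a small Python model in which a step reads the current state, collects an update set, and applies all updates at once, so A(i) := A(j) and A(j) := A(i) swap without a temporary. The forall variant is an assumption of this example (the talk's program uses choose only); it is there to show that parallel updates to the same location make the update set inconsistent, which an ASM engine must detect rather than silently resolve.

```python
import random
from typing import Dict, List, Tuple

# An update is (location, new value); here a location is an index into A.
Update = Tuple[int, int]


def swap_updates(A: List[int], rng: random.Random) -> List[Update]:
    """Body of Swap(): `choose i,j in Indices(A) where i<j and A(i)>A(j)`.
    Nondeterministically picks one out-of-order pair and returns the update
    set {A(i) := A(j), A(j) := A(i)}; an empty set if no pair qualifies."""
    candidates = [(i, j) for i in range(len(A)) for j in range(i + 1, len(A))
                  if A[i] > A[j]]
    if not candidates:
        return []
    i, j = rng.choice(candidates)
    # Both right-hand sides are read from the old state, which is what makes
    # the pair of assignments a swap without a temporary.
    return [(i, A[j]), (j, A[i])]


def forall_swap_updates(A: List[int]) -> List[Update]:
    """Parallel variant, added for illustration (not the talk's program):
    `forall i in Indices(A) where A(i) > A(i+1)` fires every adjacent swap
    in the same step. Overlapping pairs then write the same location."""
    ups: List[Update] = []
    for i in range(len(A) - 1):
        if A[i] > A[i + 1]:
            ups += [(i, A[i + 1]), (i + 1, A[i])]
    return ups


def apply_updates(A: List[int], ups: List[Update]) -> List[int]:
    """Fire an update set simultaneously. It is consistent only if no
    location receives two different values; an inconsistent set has no
    defined next state, so we refuse rather than silently pick a winner."""
    pending: Dict[int, int] = {}
    for loc, val in ups:
        if loc in pending and pending[loc] != val:
            raise ValueError(f"inconsistent update set at A({loc}): "
                             f"{pending[loc]} vs {val}")
        pending[loc] = val
    new = list(A)
    for loc, val in pending.items():
        new[loc] = val
    return new


def sort_until_fixpoint(A: List[int], seed: int = 0) -> Tuple[List[int], List[List[int]]]:
    """Sort(): `step until fixpoint Swap()`. Repeats the step until it
    produces no updates; returns the final state and the trace of states."""
    rng = random.Random(seed)
    trace = [list(A)]
    while True:
        ups = swap_updates(A, rng)
        if not ups:                 # fixpoint reached: no update fired
            return A, trace
        A = apply_updates(A, ups)
        trace.append(list(A))


def parallel_swap_consistent(A: List[int]) -> bool:
    """True if the forall variant has a consistent update set on A."""
    try:
        apply_updates(A, forall_swap_updates(A))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    final, trace = sort_until_fixpoint([3, 1, 2], seed=1)
    print("run:", " -> ".join(map(str, trace)))
    print("forall on [2,1,4,3] consistent:", parallel_swap_consistent([2, 1, 4, 3]))
    print("forall on [3,2,1] consistent:", parallel_swap_consistent([3, 2, 1]))
```

Every run ends in the same sorted fixpoint whichever pair the choose picks, because each swap of an out-of-order pair strictly reduces the number of inversions; the parallel forall variant is fine when the chosen pairs do not overlap and is rejected when they do.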
8
Topological Sorting
Requirement: Given an acyclic digraph G = (V,E), sort the vertices into a sequence S where each edge (u,v) leads forward.
Observe: there is a v with no (u,v), and the remainder is still acyclic. Use the observation repeatedly to build the desired sequence S.
Modula-2 implementation by Niklaus Wirth
AsmL spec
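The observation on the slide is already the algorithm. As an added example (neither Wirth's Modula-2 program nor the talk's AsmL spec), here it is written out in Python together with a check of the requirement itself, so that the output can be validated against the spec rather than trusted; the sample graph of deployment steps is constructed for the example. Where AsmL would choose any vertex with no incoming edge, this version takes the smallest name to stay deterministic, and it reports a cycle when the observation stops applying, which is exactly the case the requirement excludes.

```python
from typing import Dict, Iterable, List, Set, Tuple

Edge = Tuple[str, str]


def topological_sort(V: Iterable[str], E: Iterable[Edge]) -> List[str]:
    """Build S by repeatedly choosing a vertex v with no incoming edge (u,v),
    appending it and removing it together with its outgoing edges. The
    remainder stays acyclic, so a choice exists while G really is acyclic;
    if no choice exists, the remainder contains a cycle."""
    remaining: Set[str] = set(V)
    edges: Set[Edge] = set(E)
    for u, v in edges:
        if u not in remaining or v not in remaining:
            raise ValueError(f"edge ({u},{v}) mentions an unknown vertex")
    S: List[str] = []
    while remaining:
        # `choose v in remaining where no (u,v) in edges`; AsmL would pick any
        # such v, this model takes the smallest name to stay deterministic.
        sources = sorted(v for v in remaining if not any(t == v for _, t in edges))
        if not sources:
            raise ValueError(f"not acyclic: every vertex in {sorted(remaining)} "
                             "has an incoming edge")
        v = sources[0]
        S.append(v)
        remaining.remove(v)
        edges = {(a, b) for a, b in edges if a != v}
    return S


def leads_forward(S: List[str], E: Iterable[Edge]) -> bool:
    """The requirement itself: every edge (u,v) goes from earlier to later in S."""
    pos: Dict[str, int] = {v: k for k, v in enumerate(S)}
    return all(pos[u] < pos[v] for u, v in E)


def is_acyclic(V: Iterable[str], E: Iterable[Edge]) -> bool:
    """True iff the observation can be applied until no vertex remains."""
    try:
        topological_sort(V, E)
        return True
    except ValueError:
        return False


# Constructed sample: release steps where (u,v) means u must precede v.
SAMPLE_V = ["build", "sign", "scan", "publish", "deploy", "notify"]
SAMPLE_E = [("build", "sign"), ("build", "scan"), ("sign", "publish"),
            ("scan", "publish"), ("publish", "deploy"), ("deploy", "notify")]

if __name__ == "__main__":
    order = topological_sort(SAMPLE_V, SAMPLE_E)
    print(order, leads_forward(order, SAMPLE_E))
```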
9
Diagram: Product Idea / Informal Spec → AsmL Model → Implementation (C, C++, C#, ...), with the arrows labelled Modeling, Validation, Refinement, Verification.
Validation: Are you building the right product?
Verification: Are you building the product right?
What product are you building?
How to validate, enforce a spec? Again, a different talk.
10
AsmL http://research.microsoft.com/fse/asml
Math, e.g. set comprehension {e(x) | x ∊ r | φ(x)} as well as sequence and map comprehension
OO
Transaction programming and massive synch. parallelism
Nondeterminism
Interoperability via .NET
Literate programming via MS Word and automated programming via XML
11
ASMs in AsmL
Universes are approximated by semantic subtypes. Remark on typing: pragmatically necessary, semantically a drag. Set theory is untyped for a reason.
Dynamic functions are represented by map variables.
12
More Highlights of AsmL
Advanced type system: Disjunctive types, Semantic Subtypes, Generics
Pattern Matching: Structures and Classes
Intra-step communication with outside world and among submachines
Reflection over execution: Data access, structural coverage
State as first class citizen: Explore command, etc.
Processes (coming)
Bootstrapping
13
Why AsmL-S?
The full AsmL is rich (numerous features are needed for the .NET integration and to support various tools) and evolving. A smaller core fragment may be useful to study semantics and refinements, and for initial experimentation with e.g. FSM generation, model checking, parameter generation.
14
AsmL-S at a glance
Math: only maps (with partial updates); no tuples, sets, sequences
OO
Restricted type system: no interfaces, union types
Compositions – a;b, a∥b, a⌷b – as well as while, forall, choose
Exceptions
An interpreter
15
A core of AsmL?
It would be great to claim that the full AsmL is a definable extension of AsmL-S, but this is not literally so. The typing discipline does not allow us even to define sets via maps.
T → Unit does not work, for example.
16
Abstract Syntax
    pgm = cls e
    cls = class c extends c { fld mth }
    fld = f as t
    mth = m(l as t) as t e
    t = b | c | t→t
    b = Bool | Int | ... | Null | Thrown | Void
    v = void | null | true | 0 | ...
    o = + | - | ...
    e = (continued on the next slide)
17
Abstract syntax of exprs
    e = v | l | o(e) | let l = e : e | if e then e else e
      | new c(e) | new t→t (e↦e) | e.f | e.m | e[e]
      | e.f := e | e[e] := e | remove e[e] | e is t | e as t
      | e;e | e ∥ e | e ⌷ e | while(e) do e | forall l in e : e | choose l in e : e
      | try e catch(l as t) e | throw e | skip
18
Subtyping rules
Program specific:
    c extends c'
    ------------
       c < c'
General:
    Thrown < t        Null < c        t→t' < Object

    t3 < t1    t2 < t4
    ------------------
     t1→t2 < t3→t4
< is reflexive and transitive. Basic types are not objects in AsmL-S, though they are in AsmL.
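The map rule is the one worth pausing on: the argument type flips (t3 < t1) while the result type does not (t2 < t4), which is what keeps a map read from ever producing a value of the wrong type. As an added example, not the paper's type checker, the rules of this slide as a small decision procedure in Python; the class table (Dog extends Animal extends Object) and the type names are constructed for the example. Whether Null is also below map types is not stated on the slide, so this version only admits Null < c for classes.

```python
from dataclasses import dataclass
from typing import Dict, Union


@dataclass(frozen=True)
class Basic:          # b = Bool | Int | ... | Null | Thrown | Void
    name: str


@dataclass(frozen=True)
class Cls:            # c, a class name from the program's class table
    name: str


@dataclass(frozen=True)
class MapT:           # t -> t'
    dom: "Type"
    cod: "Type"


Type = Union[Basic, Cls, MapT]
OBJECT, NULL, THROWN = Cls("Object"), Basic("Null"), Basic("Thrown")


class Subtyping:
    """Decision procedure for the `<` relation of the slide."""

    def __init__(self, extends: Dict[str, str]):
        # Program-specific part: c -> c' for each `class c extends c'`.
        self.extends = extends

    def subclass(self, c: str, d: str) -> bool:
        # Reflexive-transitive closure of the `extends` chain.
        while True:
            if c == d:
                return True
            if c not in self.extends:
                return False
            c = self.extends[c]

    def sub(self, t: Type, u: Type) -> bool:
        if t == u:                                   # reflexive
            return True
        if t == THROWN:                              # Thrown < t
            return True
        if isinstance(u, Cls):
            if t == NULL:                            # Null < c (Null < t->t' not assumed)
                return True
            if isinstance(t, MapT):                  # t->t' < Object, and nothing else
                return u == OBJECT
            if isinstance(t, Cls):                   # follow the extends chain
                return self.subclass(t.name, u.name)
            return False                             # basic types are not objects in AsmL-S
        if isinstance(t, MapT) and isinstance(u, MapT):
            # t3 < t1 and t2 < t4 give t1->t2 < t3->t4: contravariant in the
            # domain, covariant in the codomain. Transitivity falls out of
            # the recursion plus the closure in subclass().
            return self.sub(u.dom, t.dom) and self.sub(t.cod, u.cod)
        return False


# Constructed class table: Dog extends Animal extends Object.
EXAMPLE = Subtyping({"Animal": "Object", "Dog": "Animal"})
INT, ANIMAL, DOG = Basic("Int"), Cls("Animal"), Cls("Dog")

if __name__ == "__main__":
    print("Animal->Dog < Dog->Animal:", EXAMPLE.sub(MapT(ANIMAL, DOG), MapT(DOG, ANIMAL)))
    print("Dog->Animal < Animal->Dog:", EXAMPLE.sub(MapT(DOG, ANIMAL), MapT(ANIMAL, DOG)))
    print("Int < Object:", EXAMPLE.sub(INT, OBJECT))
```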
19
Static semantics
Class table (as in Featherweight Java) and lookup functions, like fields(c)
An example rule:
    T ⊦ e1 :: Bool    T ⊦ e2 :: t
    ------------------------------
    T ⊦ (while (e1) do e2) :: Void
20
Semantic domains
Value = Literal ∪ ObjId
Location = ObjId × (FieldId ∪ Value)
Store = (ObjId ∪ Location) × (Type ∪ Value)
Update = Location × (Value ∪ {⊥})
Updates = Set{Update}
Status = {X, OK}
Effect = Store × Updates × Status
Binding = LocalId → Value
21
Judgements
⊦ cls e ⇓ φ,v
B,S ⊦ e ⇓ φ,v
where φ is an effect and v is a value. φ gives object types, location values, updates and status.
22
A couple of evaluation rules
    B,S ⊦ e ⇓ φ,v      v ≠ null
    ------------------------------------
    B,S ⊦ e.f ⇓ φ, (S + store(φ))(v.f)

    B,S ⊦ e ⇓ φ,null      B,S ⊦ (throw new NullX()) ⇓ φ',v'
    --------------------------------------------------------
    B,S ⊦ e.f ⇓ φ + φ', v'
Remark on natural semantics.
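What the two e.f rules and the semantic domains of the previous slides buy is clearest when the judgement B,S ⊦ e ⇓ φ,v is executed. The following is an added example, not the paper's interpreter and not AsmL-S itself: a toy evaluator for a handful of expression forms (literals, locals, new, field read and assignment, ;, ∥, throw, try) in which an effect is (store, updates, status) exactly as on the slides. Reads go through S + store(φ), so a field read sees objects created in the step but not pending updates; ∥ evaluates both sides against the same S and rejects an inconsistent update set; ; lets the second expression see the first one's updates. The rule that try discards the failed expression's updates is this toy's own choice, following AsmL's rollback behaviour rather than anything shown on the slides, and the Point program is constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, Tuple

OK, X = "OK", "X"
VOID = "void"
Loc = Tuple[int, str]   # Location = ObjId x FieldId; map locations (ObjId x Value) are left out


@dataclass
class Effect:
    """Effect = Store x Updates x Status. `store` holds what the step created
    (ObjId -> class name, Loc -> initial field value), `updates` are pending
    writes that reads do not see until the step commits, `status` is OK or X."""
    store: Dict[Any, Any] = field(default_factory=dict)
    updates: Dict[Loc, Any] = field(default_factory=dict)
    status: str = OK

    def __add__(self, other: "Effect") -> "Effect":                  # phi + phi'
        return Effect({**self.store, **other.store},
                      {**self.updates, **other.updates}, other.status)


# Expressions are tuples: ("lit", v) ("var", l) ("new", c, {f: e}) ("fld", e, f)
# ("set", e, f, e) ("seq", e, e) ("par", e, e) ("throw", e) ("try", e, l, e)
class Interp:
    def __init__(self) -> None:
        self.next_id = 1

    def fresh(self, store: Dict[Any, Any], cls: str) -> int:
        oid, self.next_id = self.next_id, self.next_id + 1
        store[oid] = cls                 # the store records the new object's type
        return oid

    def throw_null(self) -> Tuple[Effect, int]:
        """Effect of `throw new NullX()`, the premise of the second rule."""
        phi = Effect(status=X)
        return phi, self.fresh(phi.store, "NullX")

    def eval(self, B: Dict[str, Any], S: Dict[Any, Any], e: tuple) -> Tuple[Effect, Any]:
        kind = e[0]
        if kind == "lit":
            return Effect(), e[1]
        if kind == "var":
            return Effect(), B[e[1]]
        if kind == "new":
            phi, oid = Effect(), 0
            oid = self.fresh(phi.store, e[1])
            for f, arg in e[2].items():
                phi_a, v = self.eval(B, {**S, **phi.store}, arg)
                phi = phi + phi_a
                if phi.status == X:
                    return phi, v
                phi.store[(oid, f)] = v
            return phi, oid
        if kind == "fld":
            phi, v = self.eval(B, S, e[1])
            if phi.status == X:
                return phi, v
            if v is None:                                  # second rule: null receiver
                phi2, v2 = self.throw_null()
                return phi + phi2, v2
            return phi, {**S, **phi.store}[(v, e[2])]      # first rule: (S + store(phi))(v.f)
        if kind == "set":
            phi, v = self.eval(B, S, e[1])
            if phi.status == X:
                return phi, v
            if v is None:
                phi2, v2 = self.throw_null()
                return phi + phi2, v2
            phi2, rhs = self.eval(B, {**S, **phi.store}, e[3])
            phi = phi + phi2
            if phi.status == X:
                return phi, rhs
            phi.updates[(v, e[2])] = rhs                   # pending, not yet readable
            return phi, VOID
        if kind == "seq":                                  # e1 ; e2
            phi1, v1 = self.eval(B, S, e[1])
            if phi1.status == X:
                return phi1, v1
            # e2 runs in the state after e1's updates have been applied.
            phi2, v2 = self.eval(B, {**S, **phi1.store, **phi1.updates}, e[2])
            return phi1 + phi2, v2
        if kind == "par":                                  # e1 || e2, both against S
            phi1, v1 = self.eval(B, S, e[1])
            phi2, v2 = self.eval(B, S, e[2])
            for loc in phi1.updates.keys() & phi2.updates.keys():
                if phi1.updates[loc] != phi2.updates[loc]:
                    raise RuntimeError(f"inconsistent update set at {loc}")
            phi = phi1 + phi2
            if phi1.status == X:
                phi.status = X
                return phi, v1
            return phi, v2
        if kind == "throw":
            phi, v = self.eval(B, S, e[1])
            phi.status = X
            return phi, v
        if kind == "try":                                  # try e catch(l) h
            phi, v = self.eval(B, S, e[1])
            if phi.status != X:
                return phi, v
            # Handler sees the objects created so far and binds l to the thrown
            # value; the failed expression's pending updates are discarded.
            phi_h, v_h = self.eval({**B, e[2]: v}, {**S, **phi.store}, e[3])
            return Effect({**phi.store, **phi_h.store}, dict(phi_h.updates), phi_h.status), v_h
        raise ValueError(f"unknown expression form {kind!r}")


def demo() -> Tuple[Dict[Loc, Any], Dict[Loc, Any], Tuple[str, Any]]:
    """Constructed program: p = new Point(x=1, y=2); then `p.x := p.y` and
    `p.y := p.x` composed with || and with ;, then a caught null read."""
    I = Interp()
    phi, p = I.eval({}, {}, ("new", "Point", {"x": ("lit", 1), "y": ("lit", 2)}))
    B, S = {"p": p}, dict(phi.store)
    set_x = ("set", ("var", "p"), "x", ("fld", ("var", "p"), "y"))
    set_y = ("set", ("var", "p"), "y", ("fld", ("var", "p"), "x"))
    phi_par, _ = I.eval(B, S, ("par", set_x, set_y))  # both read the old state: a swap
    phi_seq, _ = I.eval(B, S, ("seq", set_x, set_y))  # second read sees the first write
    phi_try, v = I.eval(B, S, ("try", ("fld", ("lit", None), "x"), "ex", ("lit", "caught")))
    return phi_par.updates, phi_seq.updates, (phi_try.status, v)


def conflict_detected() -> bool:
    """`(p.x := 1) || (p.x := 2)` has no consistent update set."""
    I = Interp()
    phi, p = I.eval({}, {}, ("new", "Point", {"x": ("lit", 0)}))
    try:
        I.eval({"p": p}, dict(phi.store), ("par", ("set", ("var", "p"), "x", ("lit", 1)),
                                                  ("set", ("var", "p"), "x", ("lit", 2))))
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    print(demo())
    print("conflict detected:", conflict_detected())
```

Running demo() gives updates {(1,'x'): 2, (1,'y'): 1} for the parallel composition (a swap) but {(1,'x'): 2, (1,'y'): 2} for the sequential one, and the null read comes back with status OK and the handler's value, with the NullX object left in the store: the same two assignments have different meanings under ∥ and ;, which is the point of making updates a separate component of the effect.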
23
Proof of pudding
Who uses AsmL? Some MS product groups, e.g. XAF. Some academics (who complain that there is no book).
Dogfooding: Architects, PMs, devs and testers.
ESTATE(?)