4c11e39d097cb5fe8fbc41ae30c5f271.ppt
- Number of slides: 23
The Semantics of AsmL in a Proper Perspective. Yuri Gurevich, Microsoft Research
Preamble. The intention was to present a forthcoming paper “Semantics of AsmL” by YG and Wolfram Schulte. But what’s good for a paper is not necessarily good for a talk. Hence a more general view. 2
Agenda
- A few words on the ASM project and executable specifications
- An AsmL demo
- AsmL-S: Why not full AsmL? Abstract syntax, type system, operational semantics
- The proof of the pudding
3
In the beginning, there was a foundational investigation. PDEs model the physical world. What are the PDEs of CS? How is CS different?
- Not a natural science: we study an artificial world.
- In the sequential case, a state is examinable and, unless the process stops, the next state exists.
- The traditional mathematical ways to deal with dynamics (math as autopsy) may be insufficient.
Hence a machine approach may be apt, if we can improve on Turing’s machine. 4
The ASM thesis. Every computer system, at any level of abstraction, is an ASM as far as behavior is concerned.
- Ref: Lipari Guide, #103 on my webpage.
- There is experimental and theoretical confirmation of the thesis, but this belongs to a different talk.
- Natural ASM applications: modeling existing systems, executable specifications of future systems.
5
Executable Specifications. One needs a practical spec language to write and execute ASM models. Hence ASM engines:
- ASM Workbench (U Paderborn, Siemens)
- XASM (TU Berlin, Kestrel)
- ASM Gofer (U Ulm, Siemens)
- AsmL = ASM Language (Microsoft)
AsmL specs do include declarations: invariants, pre- and post-conditions. But isn’t an executable spec just a prototype? 6
In-place one-swap-at-a-time sorting (slide annotation: Nondeterminism). The AsmL fragment on the slide is cut off after the choose condition:
    var A as Seq of Integer = [3, 1, 2]
    Swap()
        choose i, j in Indices(A) where i
Topological Sorting. Requirement: Given an acyclic digraph G = (V, E), sort the vertices into a sequence S where each edge (u, v) leads forward (u precedes v in S). Observe: there is a v with no incoming edge (u, v), and the remainder after removing v is still acyclic. Use the observation repeatedly to build the desired sequence S. Modula-2 implementation by Niklaus Wirth; AsmL spec. 8
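Both slides describe the same ASM pattern: a step chooses one enabled move, applies it, and the run stops when nothing is enabled. The following Python model is an added example, not code from the talk or from AsmL; `choose` and `run` are constructed stand-ins for AsmL’s choose and the ASM run loop, and the inversion condition i < j, A(i) > A(j) completes the swap rule that the slide cuts off (our assumption).

```python
import random

# Added example (not from the talk): an ASM-style run loop in Python. A step
# chooses one enabled move and applies it; the run halts when no move is enabled.

def choose(candidates, rng):
    """Constructed stand-in for AsmL's `choose ... where ...`; None = not enabled."""
    candidates = list(candidates)
    return rng.choice(candidates) if candidates else None

def run(step, state, rng, max_steps=10_000):
    """Apply `step` until it reports that no update is enabled."""
    for _ in range(max_steps):
        if not step(state, rng):
            return state
    raise RuntimeError("run did not terminate")

# One-swap-at-a-time sorting: the state is the sequence A; a step swaps one
# inverted pair (assumed condition: i < j with A[i] > A[j]). Every such swap
# lowers the inversion count, so the run terminates with A sorted.
def swap_step(A, rng):
    pair = choose(((i, j) for i in range(len(A)) for j in range(i + 1, len(A))
                   if A[i] > A[j]), rng)
    if pair is None:
        return False
    i, j = pair
    A[i], A[j] = A[j], A[i]
    return True

def one_swap_sort(A, seed=0):
    return run(swap_step, list(A), random.Random(seed))

# Topological sorting: the state is (remaining vertices V, edges E, output S).
# A step chooses a remaining v with no incoming edge (u, v) from a remaining u,
# appends it to S and removes it from V; the remainder is still acyclic.
def topo_step(state, rng):
    V, E, S = state
    v = choose((v for v in V if not any(u in V and w == v for (u, w) in E)), rng)
    if v is None:
        return False
    V.remove(v)
    S.append(v)
    return True

def topo_sort(V, E, seed=0):
    V, E, S = run(topo_step, (set(V), set(E), []), random.Random(seed))
    if V:  # vertices left with no source: the input graph had a cycle
        raise ValueError("graph is not acyclic")
    return S
```

Different seeds pick different enabled moves, which is exactly the nondeterminism the slide annotates; every run still ends in the same sorted sequence, while a topological order may differ between runs.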
How to validate, enforce a spec? Again, a different talk. Product Idea / Informal Spec (What product are you building?). Validation (Are you building the right product?). AsmL Modeling. Refinement. Verification. Implementation in C, C++, C#, . . . (Are you building the product right?). 9
AsmL. http://research.microsoft.com/fse/asml
- Math, e.g. set comprehension {e(x) | x ∊ r | φ(x)}, as well as sequence and map comprehension
- OO
- Transaction programming and massive synchronous parallelism
- Nondeterminism
- Interoperability via .NET
- Literate programming via MS Word and automated programming via XML
10
ASMs in AsmL. Universes are approximated by semantic subtypes. Remark on typing: pragmatically necessary, semantically a drag.
- Set theory is untyped for a reason.
Dynamic functions are represented by map variables. 11
More Highlights of AsmL
- Advanced type system: disjunctive types, semantic subtypes, generics
- Pattern matching: structures and classes
- Intra-step communication with the outside world and among submachines
- Reflection over execution: data access, structural coverage
- State as a first-class citizen: Explore command, etc.
- Processes (coming)
- Bootstrapping
12
Why AsmL-S? The full AsmL is rich (numerous features are needed for the .NET integration and to support various tools) and evolving. A smaller core fragment may be useful
- to study semantics and refinements,
- for initial experimentation with e.g. FSM generation, model checking, parameter generation.
13
AsmL-S at a glance
- Math: only maps (with partial updates); no tuples, sets, sequences
- OO: restricted type system; no interfaces, union types
- Compositions: a; b, a∥b, a⌷b, as well as while, forall, choose
- Exceptions
- An interpreter
14
A core of AsmL? It would be great to claim that the full AsmL is a definable extension of AsmL-S, but this is not literally so. The typing discipline does not allow us even to define sets via maps: T → Unit does not work, for example. 15
Abstract Syntax
    pgm = cls e
    cls = class c extends c {fld mth}
    fld = f as t
    mth = m(l as t) as t e
    t   = b | c | t→t
    b   = Bool | Int | . . . | Null | Thrown | Void
    v   = void | null | true | 0 | . . .
    o   = + | - | . . .
    e   = (expressions, next slide)
16
Abstract syntax of expressions
    e = v | l | o(e) | let l = e : e | if e then e else e
      | new c(e) | new t→t (e↦e) | e.f | e.m | e[e]
      | e.f := e | e[e] := e | remove e[e] | e is t | e as t
      | e; e | e ∥ e | e ⌷ e | while (e) do e
      | forall l in e : e | choose l in e : e
      | try e catch (l as t) e | throw e | skip
17
Subtyping rules. Program specific: c extends c’ . . . c < c’. General: Thrown < t; Null < c, t→t’ < Object; t 3
Static semantics. Class table (as in Featherweight Java) and lookup functions, like fields(c). An example rule:
    T ⊦ e1 :: Bool      T ⊦ e2 :: t
    -----------------------------------
    T ⊦ (while (e1) do e2) :: Void
19
Semantic domains
    Value    = Literal ∪ ObjId
    Location = ObjId × (FieldId ∪ Value)
    Store    = (ObjId ∪ Location) × (Type ∪ Value)
    Update   = Location × (Value ∪ {⊥})
    Updates  = Set{Update}
    Status   = {X, OK}
    Effect   = Store × Updates × Status
    Binding  = LocalId → Value
20
Judgements. ⊦ cls e ⇓ φ, v and B, S ⊦ e ⇓ φ, v, where φ is an effect and v is a value. φ gives object types, location values, updates and status. 21
A couple of evaluation rules
    B, S ⊦ e ⇓ φ, v      v ≠ null
    ------------------------------------------
    B, S ⊦ e.f ⇓ φ, (S + store(φ))(v.f)

    B, S ⊦ e ⇓ φ, null      B, S ⊦ (throw new NullX()) ⇓ φ’, v’
    ------------------------------------------------------------
    B, S ⊦ e.f ⇓ φ + φ’, v’
Remark on natural semantics. 22
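To see how the two e.f rules and the effect domains fit together, here is an added Python model (not code from the paper or from the AsmL implementation). The composition φ + φ’, the S + store(φ) overlay and the handling of status X are our assumptions: stores overlay with later entries winning, update sets accumulate, and an exceptional status is sticky; the expression encoding and the fresh-object-id scheme are constructed for the example.

```python
import itertools
from dataclasses import dataclass, field

# Added example: Effect = Store × Updates × Status from the semantic domains slide.
OK, X = "OK", "X"
_fresh = itertools.count(1)  # constructed fresh-id supply for `new`

@dataclass
class Effect:
    store: dict = field(default_factory=dict)  # objid -> type, (objid, field) -> value
    updates: set = field(default_factory=set)  # {(location, value)}; unused by e.f
    status: str = OK

def compose(phi, phi2):
    """Assumed φ + φ': overlay stores, union updates, X is sticky."""
    return Effect({**phi.store, **phi2.store}, phi.updates | phi2.updates,
                  X if X in (phi.status, phi2.status) else OK)

# Expressions (constructed encoding of a fragment of AsmL-S):
#   ("lit", v) | ("var", l) | ("new", c, {f: v}) | ("field", e, f) | ("throw", e)
def evaluate(B, S, e):
    """B, S ⊦ e ⇓ φ, v: returns (Effect, value). B binds locals, S is the store."""
    kind = e[0]
    if kind == "lit":
        return Effect(), e[1]
    if kind == "var":
        return Effect(), B[e[1]]
    if kind == "new":  # allocate a fresh object of class c; its type and fields go into store(φ)
        _, c, fields = e
        oid = ("obj", next(_fresh))
        return Effect(store={oid: c, **{(oid, f): v for f, v in fields.items()}}), oid
    if kind == "throw":  # the thrown object is the value; status becomes X
        phi, v = evaluate(B, S, e[1])
        return compose(phi, Effect(status=X)), v
    if kind == "field":
        phi, v = evaluate(B, S, e[1])
        if v is not None:  # first rule: read v.f from S + store(φ)
            return phi, {**S, **phi.store}[(v, e[2])]
        # second rule: e yielded null, so evaluate `throw new NullX()` and sequence the effects
        phi2, v2 = evaluate(B, S, ("throw", ("new", "NullX", {})))
        return compose(phi, phi2), v2
    raise ValueError(f"unknown expression kind {kind!r}")
```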
Proof of the pudding. Who uses AsmL?
- Some MS product groups, e.g. XAF.
- Some academics (who complain that there is no book).
- Dogfooding: architects, PMs, devs and testers.
ESTATE(?) 23