ethan jackson research in software engineering (rise), microsoft research - redmond
DESCRIPTION
An Introduction to FORMULA. Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond. Formal Tools for MBD?. We wanted to develop a tool for the formal specifying, composition, and analyses of DSLs and model transformations. But what should such a tool look like? . - PowerPoint PPT PresentationTRANSCRIPT
Ethan JacksonResearch in Software Engineering (RiSE),
Microsoft Research - Redmond
An Introduction to FORMULA
Formal Tools for MBD?We wanted to develop a tool for the formal specifying, composition, and analyses of DSLs and model transformations. But what should such a tool look like?
Specification Language for
DSLs
Specification Language for
Model Transformations
Formalization of DSLs
Formalization of Model
Transformations
Module system for
composition
Unifying formalization
for both
Algorithms for DSL analysis
Algorithms for transformation
analysis
Algorithms for “multi-step”
analysis
Language Level
Formal Semantics
Formal Methods
FORMULA
DSLs are ADTs + CLP
Transformations are ADTs + CLP
Module system produces new specs.
With semantic guarantees
First-order formulas over
theories
Finite modeling finding loop over an
SMT solver
Language Level
Formal Semantics
Formal Methods
Abstract Data TypesWe have an order sorted set of infinite alphabets closed under intersection:
Type system is decidable and equivalent to composition of tree-automata.
A free constructor deterministically creates new objects from old objects.
Enumeration and union types allow the specification of more complex data structures.
Nil, PosInteger, NegInteger, Natural, Real, String
Example: HFSM
Subterm sharing means the in-memory data model is much smaller than the printed model.
A model is a finite set of finite terms (trees)
Logic ProgrammingA logic program has a dual nature: It is a constraint system and a declaratively specified executable procedure.
Note the LP language of FORMULA is not Prolog, which generalizes SLD-resolution to a declarative programming model.
A pattern introduces typed variables that range over the contents of an input model…
…and places constraints on those variables.
Example: HFSM
Language features: • Primitive/derived constructors, • Selection operators, • Expressions over union types,• Negation as failure,• Constraints over additional theories• Boolean composition of named queries.
Semantics Of FORMULA LPWe assume the logic program is terminating; this is not currently checked. Under this assumption, FORMULA checks that the logic program has the following behavior:
Input Model
M
Finite Input
Range restricted: Constraints quantify over terms (derived from) input model.
Stratification: Constraints checking for absence of terms due so safely.
Finite Extension: The logic program extends the model by only a finite number of terms
Strata finitely extend model
Reduction with Precise Typing (1)
=======================> at (10,55)CONSTRUCT reach(i.init<37>) where i.init --> i.init by the identity functionFind i<35>: InitialWith local variables i.init<36>: StateSuch that the following equalities hold i<35> = Initial(i.init<36>)
Reduction with Precise Typing (2)CONSTRUCT reach(t.dst<34>) where t.dst --> t.dst by the identity functionFind ~iv0<25>: reach(Any|State) t<26>: TransitionWith local variables s<27>: State t.dst<28>: State t.src<29>: State ~iv5<30>: State ~iv6<31>: Event ~iv7<32>: Event ~iv8<33>: StateSuch that the following equalities hold t.src<29> = s<27> = ~iv5<30> ~iv0<25> = reach(s<27>) t<26> = Transition(~iv5<30>,~iv6<31>,t.dst<28>) = Transition(t.src<29>,~iv7<32>,~iv8<33>) t.dst<28> = ~iv8<33> ~iv6<31> = ~iv7<32>
Expansions of Union Types/Selectors (1)
=======================> at (13,15)QUERY COMPOSITION twoLevelsDepends on twoLevels~0 twoLevels~1Must satisfy ( twoLevels~0 | twoLevels~1 )
Expansions of Union Types/Selectors (2)
=======================> at (13,15)QUERY twoLevels~0Find s<0>: State(…,Container|State(…,Container|FSM)) c<1>: FSMWith local variables s.parent<2>: State(…,Container|FSM) s.parent.parent<3>: FSM ~iv4<4>: Basic ~iv5<5>: Basic ~iv6<6>: BasicSuch that the following equalities hold s.parent.parent<3> = c<1> = FSM(~iv6<6>) s<0> = State(~iv4<4>,s.parent<2>) s.parent<2> = State(~iv5<5>,s.parent.parent<3>)
Expansions of Union Types/Selectors (3)
=======================> at (13,15)QUERY twoLevels~1Find s<7>: State(…,Container|State(…,Container|State)) c<8>: StateWith local variables s.parent<9>: State(Basic|Basic,Container|State) s.parent.parent<10>: State ~iv4<11>: Basic ~iv5<12>: Basic ~iv6<13>: Basic ~iv7<14>: ContainerSuch that the following equalities hold s.parent.parent<10> = c<8> = State(~iv6<13>,~iv7<14>) s<7> = State(~iv4<11>,s.parent<9>) s.parent<9> = State(~iv5<12>,s.parent.parent<10>)
Theories and The Type System
=======================> at (15,15)QUERY isIDRelated~0Find s<19>: State(Basic|Real,Container|Container) sp<20>: State(Basic|Real,Container|Container)With local variables s.id<21>: Real sp.id<22>: Real ~iv4<23>: Container ~iv5<24>: ContainerSuch that the following equalities hold s<19> = State(s.id<21>,~iv4<23>) sp<20> = State(sp.id<22>,~iv5<24>)And the following constraints hold s.id<21> = +(sp.id<22>,1) [Arithmetic]
Additional theories constrain variable types to be a subtype of one of the order sorted alphabets.
Negation-as-Failure
Each fail creates in own “fail scope”. Fail scopes do not share data since they do not create bindings.
=======================> at (14,15)QUERY deadState~0Find s<15>: StateWith local variables ~iv2<16>: Basic ~iv3<17>: ContainerSuch that the following equalities hold s<15> = State(~iv2<16>,~iv3<17>)
FAIL Find ~iv1<18>: reach(Any|State)With local type constraints ~iv2<16>: Basic ~iv3<17>: ContainerSuch that the following equalities hold ~iv1<18> = reach(s<15>) s<15> = State(~iv2<16>,~iv3<17>)
Stratification
Execution order
FORMULA specifications do not depend on order of expressions.
Module System For Composition and Reuse
Domains and ConformanceDomains capture abstraction levels using abstract data-types and logic programs.
Every domain has an (implicitly) define query called conforms. A model belongs to the domain if conforms evaluates to true.
=======================> at (28,8)QUERY COMPOSITION conformsDepends on DHFSM.conformsMust satisfy DHFSM.conforms
TransformationsTransformations are (parameterized) specifications that read an input model and produce an output model.
The “as” operator produces a copy of the specification by prefixing all type declarations with its argument.
Transformations can take n-input models, produce m-output models using p typed parameters.
Type Inference and Term RewritingFORMULA can automatically infer types without full qualification of the renaming path. It can also infer term rewriting rules across renaming paths.
=======================> at (41,37)CONSTRUCT out.Transition(x<33>,y<34>,z<35>) where x --> x by the path replacement function in --> out y --> y by the path replacement function in --> out z --> z by the path replacement function in --> outFind ~iv0<27>: in.Transition ~iv4<28>: ~eWith local variables x<29>: in.State y<30>: in.Event z<31>: in.State e~value<32>: in.EventSuch that the following equalities hold ~iv4<28> = ~e(e~value<32>) ~iv0<27> = in.Transition(x<29>,y<30>,z<31>)
Transformations Know Everything
The Module SystemDomains capture abstraction levels using abstract data-types and logic programs.
Composing Non-functional Requirements
A Platform-Independent Domain
An Implementation Domain
The Mapping Problem
FFT
FFT
FlashIOARM
FlashIO
Assign components to device such that:
Building the Language of Maps
FFT
FFT
FlashIOARM
FlashIO
Renaming plus pseudo-product plus extends provable produces a domain with models that are a superset of the cross-product of the original domains.
Throwing Out The Bad OnesRestriction of mapping provable produces a domain with models that are a subset of all possible platform maps
Use Finite Model Finding To Solve Mapping Problem
Case study with Timing Definition Langauge (TDL): About 250 lines of Formula to specify run-to-completion semantics of TDL scheduling problem.
TDL case study joint work with European Microsoft Innovation Center (EMIC).
Z3 used to enumerate deployments and generate scheduling functions. GUI developed to visualize points in the design space.
GeneralizationThis pattern of composition and model finding can be generalized to allow separate specification and composition of many non-functional constraints.
Composition Theorem
ConclusionsFORMULA provides a formal model for DSL/model transformation specification, composition, and analysis.
It uses correct-by-construction operators to create domains that are related in semantic ways.
Finite model finding is the key formal method used to analyze both domains and transformations.
Formal analysis builds on state-of-the-art Z3 solver.
Questions?
An Introduction to FORMULA