350 likes | 508 Views
An Introduction to FORMULA. Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond. Formal Tools for MBD?. We wanted to develop a tool for the formal specifying, composition, and analyses of DSLs and model transformations. But what should such a tool look like? .
E N D
An Introduction to FORMULA Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond
Formal Tools for MBD? We wanted to develop a tool for the formal specifying, composition, and analyses of DSLs and model transformations. But what should such a tool look like? Specification Language for DSLs Module system for composition Specification Language for Model Transformations Language Level Formalization of DSLs Unifying formalization for both Formalization of Model Transformations Formal Semantics Algorithms for DSL analysis Algorithms for “multi-step” analysis Algorithms for transformation analysis Formal Methods
FORMULA Module system produces new specs. With semantic guarantees DSLs are ADTs + CLP Transformations are ADTs + CLP Language Level First-order formulas over theories Formal Semantics Finite modeling finding loop over an SMT solver Formal Methods
Abstract Data Types We have an order sorted set of infinite alphabets closed under intersection: Nil, PosInteger, NegInteger, Natural, Real, String A free constructor deterministically creates new objects from old objects. Enumeration and union types allow the specification of more complex data structures. Type system is decidable and equivalent to composition of tree-automata.
Example: HFSM A model is a finite set of finite terms (trees) Subterm sharing means the in-memory data model is much smaller than the printed model.
Logic Programming A logic program has a dual nature: It is a constraint system and a declaratively specified executable procedure. A pattern introduces typed variables that range over the contents of an input model… …and places constraints on those variables. Note the LP language of FORMULA is not Prolog, which generalizes SLD-resolution to a declarative programming model.
Example: HFSM • Language features: • Primitive/derived constructors, • Selection operators, • Expressions over union types, • Negation as failure, • Constraints over additional theories • Boolean composition of named queries.
Semantics Of FORMULA LP We assume the logic program is terminating; this is not currently checked. Under this assumption, FORMULA checks that the logic program has the following behavior: Range restricted: Constraints quantify over terms (derived from) input model. Stratification: Constraints checking for absence of terms due so safely. Strata finitely extend model Input Model M Finite Input Finite Extension: The logic program extends the model by only a finite number of terms
Reduction with Precise Typing (1) =======================> at (10,55) CONSTRUCT reach(i.init<37>) where i.init --> i.init by the identity function Find i<35>: Initial With local variables i.init<36>: State Such that the following equalities hold i<35> = Initial(i.init<36>)
Reduction with Precise Typing (2) CONSTRUCT reach(t.dst<34>) where t.dst --> t.dst by the identity function Find ~iv0<25>: reach(Any|State) t<26>: Transition With local variables s<27>: State t.dst<28>: State t.src<29>: State ~iv5<30>: State ~iv6<31>: Event ~iv7<32>: Event ~iv8<33>: State Such that the following equalities hold t.src<29> = s<27> = ~iv5<30> ~iv0<25> = reach(s<27>) t<26> = Transition(~iv5<30>,~iv6<31>,t.dst<28>) = Transition(t.src<29>,~iv7<32>,~iv8<33>) t.dst<28> = ~iv8<33> ~iv6<31> = ~iv7<32>
Expansions of Union Types/Selectors (1) =======================> at (13,15) QUERY COMPOSITION twoLevels Depends on twoLevels~0 twoLevels~1 Must satisfy ( twoLevels~0 | twoLevels~1 )
Expansions of Union Types/Selectors (2) =======================> at (13,15) QUERY twoLevels~0 Find s<0>: State(…,Container|State(…,Container|FSM)) c<1>: FSM With local variables s.parent<2>: State(…,Container|FSM) s.parent.parent<3>: FSM ~iv4<4>: Basic ~iv5<5>: Basic ~iv6<6>: Basic Such that the following equalities hold s.parent.parent<3> = c<1> = FSM(~iv6<6>) s<0> = State(~iv4<4>,s.parent<2>) s.parent<2> = State(~iv5<5>,s.parent.parent<3>)
Expansions of Union Types/Selectors (3) =======================> at (13,15) QUERY twoLevels~1 Find s<7>: State(…,Container|State(…,Container|State)) c<8>: State With local variables s.parent<9>: State(Basic|Basic,Container|State) s.parent.parent<10>: State ~iv4<11>: Basic ~iv5<12>: Basic ~iv6<13>: Basic ~iv7<14>: Container Such that the following equalities hold s.parent.parent<10> = c<8> = State(~iv6<13>,~iv7<14>) s<7> = State(~iv4<11>,s.parent<9>) s.parent<9> = State(~iv5<12>,s.parent.parent<10>)
Theories and The Type System =======================> at (15,15) QUERY isIDRelated~0 Find s<19>: State(Basic|Real,Container|Container) sp<20>: State(Basic|Real,Container|Container) With local variables s.id<21>: Real sp.id<22>: Real ~iv4<23>: Container ~iv5<24>: Container Such that the following equalities hold s<19> = State(s.id<21>,~iv4<23>) sp<20> = State(sp.id<22>,~iv5<24>) And the following constraints hold s.id<21> = +(sp.id<22>,1) [Arithmetic] Additional theories constrain variable types to be a subtype of one of the order sorted alphabets.
Negation-as-Failure =======================> at (14,15) QUERY deadState~0 Find s<15>: State With local variables ~iv2<16>: Basic ~iv3<17>: Container Such that the following equalities hold s<15> = State(~iv2<16>,~iv3<17>) FAIL Find ~iv1<18>: reach(Any|State) With local type constraints ~iv2<16>: Basic ~iv3<17>: Container Such that the following equalities hold ~iv1<18> = reach(s<15>) s<15> = State(~iv2<16>,~iv3<17>) Each fail creates in own “fail scope”. Fail scopes do not share data since they do not create bindings.
Stratification Execution order FORMULA specifications do not depend on order of expressions.
Domains and Conformance Domains capture abstraction levels using abstract data-types and logic programs. Every domain has an (implicitly) define query called conforms. A model belongs to the domain if conforms evaluates to true. =======================> at (28,8) QUERY COMPOSITION conforms Depends on DHFSM.conforms Must satisfy DHFSM.conforms
Transformations Transformations are (parameterized) specifications that read an input model and produce an output model. Transformations can take n-input models, produce m-output models using p typed parameters. The “as” operator produces a copy of the specification by prefixing all type declarations with its argument.
Type Inference and Term Rewriting FORMULA can automatically infer types without full qualification of the renaming path. It can also infer term rewriting rules across renaming paths. =======================> at (41,37) CONSTRUCT out.Transition(x<33>,y<34>,z<35>) where x --> x by the path replacement function in --> out y --> y by the path replacement function in --> out z --> z by the path replacement function in --> out Find ~iv0<27>: in.Transition ~iv4<28>: ~e With local variables x<29>: in.State y<30>: in.Event z<31>: in.State e~value<32>: in.Event Such that the following equalities hold ~iv4<28> = ~e(e~value<32>) ~iv0<27> = in.Transition(x<29>,y<30>,z<31>)
The Module System Domains capture abstraction levels using abstract data-types and logic programs.
The Mapping Problem Assign components to device such that: FFT ARM FlashIO FlashIO FFT
Building the Language of Maps Renaming plus pseudo-product plus extends provable produces a domain with models that are a superset of the cross-product of the original domains. FFT ARM FlashIO FlashIO FFT
Throwing Out The Bad Ones Restriction of mapping provable produces a domain with models that are a subset of all possible platform maps
Use Finite Model Finding To Solve Mapping Problem Case study with Timing Definition Langauge (TDL): About 250 lines of Formula to specify run-to-completion semantics of TDL scheduling problem. TDL case study joint work with European Microsoft Innovation Center (EMIC). Z3 used to enumerate deployments and generate scheduling functions. GUI developed to visualize points in the design space.
Generalization This pattern of composition and model finding can be generalized to allow separate specification and composition of many non-functional constraints.
Conclusions FORMULA provides a formal model for DSL/model transformation specification, composition, and analysis. It uses correct-by-construction operators to create domains that are related in semantic ways. Finite model finding is the key formal method used to analyze both domains and transformations. Formal analysis builds on state-of-the-art Z3 solver.
An Introduction to FORMULA Questions?