The Whiley Programming Language
David J. Pearce
School of Engineering and Computer Science,
Victoria University of Wellington, New Zealand
Motivation
• Ariane 5 (destroyed shortly after take off)
• Mars Global Surveyor (batteries overheated)
• F22-Raptor (“problem” crossing meridian line)
• USS Yorktown (dead in water)
• Therac-25 (lethal doses of X-Rays)
• …
State of Play
class Date {
    private int day;
    private int month;
    private int year;

    public Date(int day, int month, int year) {
        this.day = day;
        this.month = month;
        this.year = year;
    }
    …
}
Java Modelling Language (JML)

class Date {
    // 30 days hath Sept, Apr, Jun and Nov
    // all the rest have 31, …
    // except February, which has 28 …
    //@ invariant ((month!=9 && month!=4 && month!=6
    //@             && month!=11) || day <= 30) &&
    //@           1 <= day <= 31 && 1 <= month <= 12 &&
    //@           (month!=2 || day <= 28);
    private int day, month, year;
    …
}
Verifying OO Programs: The Challenge

class TableRow<T> {
    private List<T> rows;
    …
    void set(List<T> rs) { rows = rs; }

    void copy(List<T> to) {
        for(int i=0;i!=rows.size();++i) {
            to.add(rows.get(i));
        }
    }
}
Verifying OO Programs: The Challenge
• Does this make sense?

class Date {
    …
    //@ ensures \result.compareTo(this) > 0;
    public Date nextDay() { … }

    public int compareTo(Date d) { … }
}
Introducing Whiley!!!
• Hybrid OO – Functional Language
• Compiles to JVM
• Performs Compile-Time Checking of Constraints
Functional Core
• Functional functions
• No aliasing or side-effects
• Pass-by-value records, lists + sets
• Constraints checked at compile time

define int where $ >= 0 as nat

int f(nat a, nat b) ensures $ > 0:
    if a == b:
        return 1
    else:
        return a + b
Quick Demo
Numbers
• OOP: Modular Arithmetic + Floating Point
• Whiley: unbounded ints + rationals

define int where $ >= 0 && $ < 256 as byte

real f(byte x):
    if x > 0:
        return 18372.382349823409823409234
    return x + 1
Implicit Subtyping
• OOP: subtyping explicit via inheritance
• Whiley: Subtyping is implicit, not explicit

define int where $ >= 0 as nat
define int where $ > 0 as pint

pint f(nat a):
    return a + 1

int g(nat x):
    return x - 1

nat y = …
int z = g(y)
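The following toy checker, added here and not taken from the slides or from the Whiley compiler, models the nat/pint/byte definitions above as integer intervals and decides the implicit-subtyping questions the Numbers and Implicit Subtyping slides raise (is `a + 1` a pint when `a` is a nat? is `x - 1` still a nat?). The interval encoding and the function names are my own; Whiley itself discharges these constraints with an SMT solver, as the Compiler Overview slide shows.

```python
"""Toy interval checker for Whiley-style 'define int where ... as T'.

Each constrained type is an interval (lo, hi); None marks an unbounded
side. Subtyping is implicit: T1 <: T2 iff every value of T1 satisfies
T2's constraint, here iff interval(T1) is contained in interval(T2).
This is a deliberately weak abstraction, not the Whiley compiler's logic.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interval:
    lo: Optional[int]  # None means unbounded below
    hi: Optional[int]  # None means unbounded above

    def subtype_of(self, other: "Interval") -> bool:
        """Every value in self also lies in other (constraint implication)."""
        lo_ok = other.lo is None or (self.lo is not None and self.lo >= other.lo)
        hi_ok = other.hi is None or (self.hi is not None and self.hi <= other.hi)
        return lo_ok and hi_ok

    def shift(self, k: int) -> "Interval":
        """Abstract effect of the expression '$ + k' (k may be negative)."""
        return Interval(None if self.lo is None else self.lo + k,
                        None if self.hi is None else self.hi + k)


# The slides' type definitions, encoded as intervals (hypothetical encoding)
INT = Interval(None, None)   # plain int: unbounded in Whiley
NAT = Interval(0, None)      # define int where $ >= 0 as nat
PINT = Interval(1, None)     # define int where $ > 0 as pint ($ > 0 on ints is $ >= 1)
BYTE = Interval(0, 255)      # define int where $ >= 0 && $ < 256 as byte


def check_return(param: Interval, add: int, declared: Interval) -> bool:
    """Does 'T f(P x): return x + add' type-check, i.e. is P+add <: T?"""
    return param.shift(add).subtype_of(declared)


if __name__ == "__main__":
    print("pint f(nat a): return a + 1   ->", check_return(NAT, 1, PINT))   # accepted
    print("int  g(nat x): return x - 1   ->", check_return(NAT, -1, INT))   # accepted
    print("nat  h(nat x): return x - 1   ->", check_return(NAT, -1, NAT))   # rejected
    print("byte k(byte x): return x + 1  ->", check_return(BYTE, 1, BYTE))  # rejected
```

The interval domain cannot prove the `ensures $ > 0` on `f(nat a, nat b)` from the Functional Core slide, because it cannot express `a != b` in the else branch; that is the kind of gap the SMT solver in the compiler pipeline is there to close.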
Lists + Quantifiers
• OOP: sets/lists are objects
• JML: quantifiers may not be computable
• Whiley: Support for first-class lists/sets
• Whiley: Support for computable quantifiers

define [int] where no {x in $ | x<0} as nats

int sum(nats ns, int i) requires 0<=i && i<|ns|, ensures $ >= 0:
    return ns[i]
Imperative Outer Layer
• OOP: objects may be concurrently modified
• OOP: methods have re-entrant semantics
• Whiley: process methods execute atomically
• Whiley: methods are not re-entrant

define process (int x, int y) as PointProc

void PointProc::update(int z):
    this->y = z

void System::main([string] args):
    PointProc pp = spawn (x:1,y:2)
    pp->update(3)
    print str(*pp)
Compiler Overview
• Verification (SMT Solver)
• Parser
• Type Checker
• Bytecode Generator
whiley.org (under construction)