ethan jackson research in software engineering (rise), microsoft research - redmond
DESCRIPTION
An Introduction to FORMULA. Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond. Formal Tools for MBD?. We wanted to develop a tool for the formal specifying, composition, and analyses of DSLs and model transformations. But what should such a tool look like? . - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/1.jpg)
Ethan JacksonResearch in Software Engineering (RiSE),
Microsoft Research - Redmond
An Introduction to FORMULA
![Page 2: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/2.jpg)
Formal Tools for MBD?We wanted to develop a tool for the formal specifying, composition, and analyses of DSLs and model transformations. But what should such a tool look like?
Specification Language for
DSLs
Specification Language for
Model Transformations
Formalization of DSLs
Formalization of Model
Transformations
Module system for
composition
Unifying formalization
for both
Algorithms for DSL analysis
Algorithms for transformation
analysis
Algorithms for “multi-step”
analysis
Language Level
Formal Semantics
Formal Methods
![Page 3: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/3.jpg)
FORMULA
DSLs are ADTs + CLP
Transformations are ADTs + CLP
Module system produces new specs.
With semantic guarantees
First-order formulas over
theories
Finite modeling finding loop over an
SMT solver
Language Level
Formal Semantics
Formal Methods
![Page 4: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/4.jpg)
Abstract Data TypesWe have an order sorted set of infinite alphabets closed under intersection:
Type system is decidable and equivalent to composition of tree-automata.
A free constructor deterministically creates new objects from old objects.
Enumeration and union types allow the specification of more complex data structures.
Nil, PosInteger, NegInteger, Natural, Real, String
![Page 5: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/5.jpg)
Example: HFSM
Subterm sharing means the in-memory data model is much smaller than the printed model.
A model is a finite set of finite terms (trees)
![Page 6: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/6.jpg)
Logic ProgrammingA logic program has a dual nature: It is a constraint system and a declaratively specified executable procedure.
Note the LP language of FORMULA is not Prolog, which generalizes SLD-resolution to a declarative programming model.
A pattern introduces typed variables that range over the contents of an input model…
…and places constraints on those variables.
![Page 7: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/7.jpg)
Example: HFSM
Language features: • Primitive/derived constructors, • Selection operators, • Expressions over union types,• Negation as failure,• Constraints over additional theories• Boolean composition of named queries.
![Page 8: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/8.jpg)
Semantics Of FORMULA LPWe assume the logic program is terminating; this is not currently checked. Under this assumption, FORMULA checks that the logic program has the following behavior:
Input Model
M
Finite Input
Range restricted: Constraints quantify over terms (derived from) input model.
Stratification: Constraints checking for absence of terms due so safely.
Finite Extension: The logic program extends the model by only a finite number of terms
Strata finitely extend model
![Page 9: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/9.jpg)
Reduction with Precise Typing (1)
=======================> at (10,55)CONSTRUCT reach(i.init<37>) where i.init --> i.init by the identity functionFind i<35>: InitialWith local variables i.init<36>: StateSuch that the following equalities hold i<35> = Initial(i.init<36>)
![Page 10: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/10.jpg)
Reduction with Precise Typing (2)CONSTRUCT reach(t.dst<34>) where t.dst --> t.dst by the identity functionFind ~iv0<25>: reach(Any|State) t<26>: TransitionWith local variables s<27>: State t.dst<28>: State t.src<29>: State ~iv5<30>: State ~iv6<31>: Event ~iv7<32>: Event ~iv8<33>: StateSuch that the following equalities hold t.src<29> = s<27> = ~iv5<30> ~iv0<25> = reach(s<27>) t<26> = Transition(~iv5<30>,~iv6<31>,t.dst<28>) = Transition(t.src<29>,~iv7<32>,~iv8<33>) t.dst<28> = ~iv8<33> ~iv6<31> = ~iv7<32>
![Page 11: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/11.jpg)
Expansions of Union Types/Selectors (1)
=======================> at (13,15)QUERY COMPOSITION twoLevelsDepends on twoLevels~0 twoLevels~1Must satisfy ( twoLevels~0 | twoLevels~1 )
![Page 12: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/12.jpg)
Expansions of Union Types/Selectors (2)
=======================> at (13,15)QUERY twoLevels~0Find s<0>: State(…,Container|State(…,Container|FSM)) c<1>: FSMWith local variables s.parent<2>: State(…,Container|FSM) s.parent.parent<3>: FSM ~iv4<4>: Basic ~iv5<5>: Basic ~iv6<6>: BasicSuch that the following equalities hold s.parent.parent<3> = c<1> = FSM(~iv6<6>) s<0> = State(~iv4<4>,s.parent<2>) s.parent<2> = State(~iv5<5>,s.parent.parent<3>)
![Page 13: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/13.jpg)
Expansions of Union Types/Selectors (3)
=======================> at (13,15)QUERY twoLevels~1Find s<7>: State(…,Container|State(…,Container|State)) c<8>: StateWith local variables s.parent<9>: State(Basic|Basic,Container|State) s.parent.parent<10>: State ~iv4<11>: Basic ~iv5<12>: Basic ~iv6<13>: Basic ~iv7<14>: ContainerSuch that the following equalities hold s.parent.parent<10> = c<8> = State(~iv6<13>,~iv7<14>) s<7> = State(~iv4<11>,s.parent<9>) s.parent<9> = State(~iv5<12>,s.parent.parent<10>)
![Page 14: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/14.jpg)
Theories and The Type System
=======================> at (15,15)QUERY isIDRelated~0Find s<19>: State(Basic|Real,Container|Container) sp<20>: State(Basic|Real,Container|Container)With local variables s.id<21>: Real sp.id<22>: Real ~iv4<23>: Container ~iv5<24>: ContainerSuch that the following equalities hold s<19> = State(s.id<21>,~iv4<23>) sp<20> = State(sp.id<22>,~iv5<24>)And the following constraints hold s.id<21> = +(sp.id<22>,1) [Arithmetic]
Additional theories constrain variable types to be a subtype of one of the order sorted alphabets.
![Page 15: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/15.jpg)
Negation-as-Failure
Each fail creates in own “fail scope”. Fail scopes do not share data since they do not create bindings.
=======================> at (14,15)QUERY deadState~0Find s<15>: StateWith local variables ~iv2<16>: Basic ~iv3<17>: ContainerSuch that the following equalities hold s<15> = State(~iv2<16>,~iv3<17>)
FAIL Find ~iv1<18>: reach(Any|State)With local type constraints ~iv2<16>: Basic ~iv3<17>: ContainerSuch that the following equalities hold ~iv1<18> = reach(s<15>) s<15> = State(~iv2<16>,~iv3<17>)
![Page 16: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/16.jpg)
Stratification
Execution order
FORMULA specifications do not depend on order of expressions.
![Page 17: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/17.jpg)
Module System For Composition and Reuse
![Page 18: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/18.jpg)
Domains and ConformanceDomains capture abstraction levels using abstract data-types and logic programs.
Every domain has an (implicitly) define query called conforms. A model belongs to the domain if conforms evaluates to true.
=======================> at (28,8)QUERY COMPOSITION conformsDepends on DHFSM.conformsMust satisfy DHFSM.conforms
![Page 19: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/19.jpg)
TransformationsTransformations are (parameterized) specifications that read an input model and produce an output model.
The “as” operator produces a copy of the specification by prefixing all type declarations with its argument.
Transformations can take n-input models, produce m-output models using p typed parameters.
![Page 20: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/20.jpg)
Type Inference and Term RewritingFORMULA can automatically infer types without full qualification of the renaming path. It can also infer term rewriting rules across renaming paths.
=======================> at (41,37)CONSTRUCT out.Transition(x<33>,y<34>,z<35>) where x --> x by the path replacement function in --> out y --> y by the path replacement function in --> out z --> z by the path replacement function in --> outFind ~iv0<27>: in.Transition ~iv4<28>: ~eWith local variables x<29>: in.State y<30>: in.Event z<31>: in.State e~value<32>: in.EventSuch that the following equalities hold ~iv4<28> = ~e(e~value<32>) ~iv0<27> = in.Transition(x<29>,y<30>,z<31>)
![Page 21: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/21.jpg)
Transformations Know Everything
![Page 22: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/22.jpg)
The Module SystemDomains capture abstraction levels using abstract data-types and logic programs.
![Page 23: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/23.jpg)
Composing Non-functional Requirements
![Page 24: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/24.jpg)
A Platform-Independent Domain
![Page 25: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/25.jpg)
An Implementation Domain
![Page 26: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/26.jpg)
The Mapping Problem
FFT
FFT
FlashIOARM
FlashIO
Assign components to device such that:
![Page 27: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/27.jpg)
Building the Language of Maps
FFT
FFT
FlashIOARM
FlashIO
Renaming plus pseudo-product plus extends provable produces a domain with models that are a superset of the cross-product of the original domains.
![Page 28: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/28.jpg)
Throwing Out The Bad OnesRestriction of mapping provable produces a domain with models that are a subset of all possible platform maps
![Page 29: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/29.jpg)
Use Finite Model Finding To Solve Mapping Problem
Case study with Timing Definition Langauge (TDL): About 250 lines of Formula to specify run-to-completion semantics of TDL scheduling problem.
TDL case study joint work with European Microsoft Innovation Center (EMIC).
Z3 used to enumerate deployments and generate scheduling functions. GUI developed to visualize points in the design space.
![Page 30: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/30.jpg)
GeneralizationThis pattern of composition and model finding can be generalized to allow separate specification and composition of many non-functional constraints.
![Page 31: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/31.jpg)
Composition Theorem
![Page 32: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/32.jpg)
ConclusionsFORMULA provides a formal model for DSL/model transformation specification, composition, and analysis.
It uses correct-by-construction operators to create domains that are related in semantic ways.
Finite model finding is the key formal method used to analyze both domains and transformations.
Formal analysis builds on state-of-the-art Z3 solver.
![Page 33: Ethan Jackson Research in Software Engineering (RiSE), Microsoft Research - Redmond](https://reader035.vdocuments.net/reader035/viewer/2022062323/568167f0550346895ddd60f2/html5/thumbnails/33.jpg)
Questions?
An Introduction to FORMULA