• Aucun résultat trouvé

Towards a formal definition of the Foc language

N/A
N/A
Protected

Academic year: 2021

Partager "Towards a formal definition of the Foc language"

Copied!
60
0
0

Texte intégral

(1)

HAL Id: hal-02545623

https://hal.archives-ouvertes.fr/hal-02545623

Submitted on 17 Apr 2020

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Towards a formal definition of the Foc language

Stéphane Fechter, Catherine Dubois

To cite this version:

Stéphane Fechter, Catherine Dubois. Towards a formal definition of the Foc language. [Research Report] lip6.2004.001, LIP6. 2004. �hal-02545623�

(2)

StephaneFechter 1

andCatherineDubois 2

1

stephane.fechter@lip6.fr

Laboratoired'InformatiquedeParisVI

8,rueduCapitaineScott

75015 Paris,France

2

dubois@iie.cnam.fr

Cedric-IIE

18, alleeJeanRostand

91025Evry,France

Abstract. TheFoc projectdevelopsaformal languageto implement

certied componentscalled collections. These collections are specied

andimplemented stepby step: theprogrammerdescribesformallythe

properties of the algorithms, the context in which they are executed,

the data representation and provesformally that the implemented al-

gorithmssatisesthespeciedproperties. Thisprogrammingparadigm

impliestheuseofclassicoriented-objectfeaturesandtheuseofmodule

featureslikeinterfacesandencapsulationofdatarepresentation. Inthis

paperweformalizeakerneloftheFoclanguagewhosemainingredients

aremultipleinheritance,latebinding,overriding,interfacesandencap-

sulationof thedatarepresentation. Wespecifyformallythesemantics,

thetypesystem,thesoundnessofthetypingdiscipline.

Resume LeprojetFocdeveloppeunlangageformelpourimplanterdes

composants certiesappeles collections. Ces collections sont speciees

etimplanteespas a pas: le programmeurdecrit formellement les pro-

prietes des algorithmes, le contexte dans lequel ils sont executes, la

representation des donneesetprouve formellement que lesalgorithmes

implantessatisfont les proprietesspeciees. Ceparadigme deprogram-

mationimpliquel'utilisation detraitsorientesobjetsclassiquesetl'uti-

lisationde certain traits des modulescomme les interfaces etl'encap-

sulation de la representation des donnees. Dans ce papier on forma-

lise un noyau du langage Foc dont les ingredients principaux sont le

multi-heritage,laliaisonretardee,les interfacesetl'encapsulationdela

representation des donnees. Onspecie formellement lasemantique,le

systemedetype,las^uretedutypage.

1 Introduction

TheFocproject 3

[1]developsaformallanguagetoimplementcertiedcompo-

nentscalledcollections.Thesecollectionsarespeciedandimplementedstepby

3

(3)

context inwhich theyare executedandthe datarepresentation. Thelanguage

allowsthe correctnessof thecode with respect tothe specied properties: the

programmercanwriteformalproofsthatareveriedbytheproofcheckerCoq.

Thepropertiesandthealgorithmsareorganizedhierarchicallyinstructureswith

an object orientedavor: inheritance, late binding, encapsulation, renement.

This makesthespecicationreuseeasier. Theseobject-orientedfeaturesare at

thesametimepowerfulbutlimitedwithrespecttothestateoftheartofobject

oriented languages. Our purpose is to deliver certied components equipped

withcorrectnessproofs. Andconsequentlyit hasanimpactonthestructureof

thedevelopment,onthedependencieswecanaccept. A staticanalysisensures

that nastydependenciesarerejected[2].

Thenalcode,writteninOCaml,isobtainedbytranslationoftheultimate

specicationscontainedin thecollections. Thegenerated codeis quiteeÆcient

thankstotheoptimizationsdiscoveredbythestaticanalysis.

Uptonow,theFocprojecthasappliedthelanguageandmethodologytothe

computeralgebradomain. Moreprecisely, computeralgebraservedasamodel

and gave the principal guidelines to implement the Foc language [1]. Thus

theFocapproachisvalidatedbyawidecomputeralgebralibrary,developedby

Rioboo[3],thatincludessomecomplexalgorithmswithperformancecomparable

tothebestexistingcomputeralgebrasystems. Forexample,thelibraryprovides

algorithms to computethepolynomial resultantoftwopolynomialswithsome

originalpolynomialrepresentations.

TheFoclanguageprovidestwonotionsofpackageunits: speciesandcol-

lections. A collectioncanbeseenasan abstract datatype, that is amodule

containing the denition of a type, called the carrier type, a set of functions

manipulatingvaluesofthecarriertype,calledtheentitiesofthespeciesanda

set of properties withtheir proofs. The concrete denition of the carriertype

is hidden for the end users: it is encapsulated. This encapsulation is funda-

mental to ensurethat theinvariantonthedata representationassociatedwith

the collection(e.g. the entities are even natural numbers) is never broken. A

collection is the ultimate renement of specications introduced step by step

with dierent abstraction levels. Such a specication unit is called a species:

itspeciesacarriertype,functions andproperties(bothcalledthemethods of

thespecies). Carriertypeandmethodsmaybedenedoronlydeclared. Inthe

lattercase,thedenitionofthefunction isgivenlaterinmoreconcretespecies,

and similarly the proof of aproperty can be deferred. Species come with late

binding: the denition of afunction may use a function that is only declared

at this level. A collection built from a species implements all the denitions

speciedin thespeciesand must provideaproofforeach mentionedproperty.

AspeciesBrenesaspeciesAifthemethodsintroducedinAand/orthecarrier

typeofAaremademoreconcrete(moredened)inB. Thisformofrenement

is completed with the inheritance mechanism, that allows us to build a new

(4)

newmethodsorredeneinheritedones.

Carrier type, multiple inheritance, late binding, encapsulation, renement

are theelementaryingredientsof ourapproach that ensurethat the generated

codesatisesthespeciedproperties. Thepurposeofthisarticleistoformalize

theseelementaryingredients. Weformallydenethetypesystemandsemantics

ofthecorelanguagewecall 4

. Thetypingdisciplineisprovensoundwithrespect

to thesemantics.

In section 2, we present informally the core features of the Foc language

and illustrate them withexamplescomingfrom computeralgebra. Thetermi-

nologytswelltothisdomainandthencanbeintuitivelyunderstood. However

knowledgeincomputeralgebraisnotrequiredto readthispaper. Wecompare

the Foc concepts withnotions comingform other paradigms. Thenwedetail

Otarie: syntax(section4),typediscipline(section5)andsemantics(section6).

Inthelastsection,weconcludeandproposeperspectives.

2 An overview of Foc

Inthissection,weillustratethemainfeaturesofFocwiththehelpofcomputer

algebraexamples. TheFocenvironmentallowsustodescribegeneralalgebraic

structuressuchassetoids. Asetoidisasetequippedwithareexive,symmetric

andtransitivebinaryrelation. Atthislevelofdescription,therepresentationof

theelementsof asetoid, isletabstract. Thespeciessetoidis writtenin Foc

asfollows:

species setoid =

rep ;

sig equal in self->self->bool;

property equal_reflexive : all x in self,

!equal(x,x);

property equal_symmetric : all x y in self,

!equal(x,y) -> !equal (y,x);

property equal_transitive : all x y z in self,

!equal(x,y) -> !equal(y,z) -> !equal(x,z);

end

Inthe previousexample,thekeywordrepintroducesthecarriertypewhich is

not yet dened. The sentence sig equal in self->self->boolconstitutes

4

otarie istheFrenchword forsea-lion. Themodelnamecomes fromajokeaboutthe

language name Foc whichis an homonymfor the French translationof the English

(5)

are two elements of the setoid (self is their type). This method is only

declared, notyet dened,itcanbecompared toavirtualmethod in anobject

oriented language. The properties about the equal relation are introduced

by equalreflexive, equalsymetric and equaltransitive. The symbol

! in front of equal has the same signication than the variable self used in

class-basedlanguageslikeOcaml[4]. Thus!equalissomesyntacticsugarfor

self!equalthat denotes theequalmethod of the collectionthat implements

the species (represented by self). In the denition of the properties, all x

in selfmeans for any element xof thecollection built from setoid. In the

constructionproperty,->denotesthelogicalimplication.

Now,wecan describeanadditivemonoidfromasetoidbyaddinganopera-

tionplusandaneutralelementzero. Forthispurpose,weconstruct

additive monoidbyinheritance of setoid. Thenweaddtheproperties

zeroisneutral(zeroistherightneutralelement)andplusis associative

(plus is associative). Since additive monoidinherits from setoid (and con-

sequently, it inherits therelation equal),we can use!equalto describe these

properties.

species additive_monoid

inherits setoid =

sig zero in self;

property zero_is_unique : all x o in self,

!equal(x,!plus(x,o)) -> !equal(!plus(o,x),x)

-> !equal(o,!zero) ;

sig plus in self-> self -> self;

property zero_is_neutral : all x in self,

!equal(!plus(x,!zero),x) and

!equal(!plus(!zero,x),x) ;

property plus_is_associative : all x y z in self,

!equal(!plus(x,!plus(y,z)),!plus(!plus(x,y),z));

end

Now, we create an additive monoid whose elements are integers. As

above, we create a species additive monoidintegers that inherits from

additive monoid.Thenwedenethecarriertypewithrep=int;whereintis

thetype ofintegers. Andwegiveadenition foreverydeclarationintroduced

previously. Wealsoaddtheconstantone. Inthespeciesandinallthe\daugh-

ter" species, theentities are implemented asintegersand theprogrammercan

(6)

inherits additive_monoid =

rep=int;

let zero in self = 0;

let equal( x in self, y in self) in bool =

#int_eq(x,y);

let plus ( x in self, y in self) in self =

#int_plus(x,y);

let is_zero ( x in self) in bool =

#int_eq(x,!zero);

let one in self = 1;

proof of equal_reflexive = (* proof *);

proof of equal_symmetric = (* proof *);

proof of equal_transitive = (* proof *);

proof of plus_is_associative = (* proof *);

proof of zero_is_neutral = (* proof *);

end

In the above species, #intplus and #inteq are predened operations (the

Ocamlones)forintegeradditionandequality.

Now the equality and the operations are dened, it is possible to prove the

properties. The formalproofs (not detailed in theexample) are introduced by

proof of .... These formal proofscanbedonedirectly with theCoq prover

or with an adhoc prover under development in the project. However some

proofs will not be done because the involved operations are toolowlevel. In

thiscase,wetrustOCaml.

At this level, we could derive another species from

additive monoidintegers inorder toredenethe methodplus. Thiswould

implytoproveagainthepropertiesplusis associativeandzeroisneutral

because they depend on the denition of plus. In this context, let us dene

plus as an operation manipulating and computing integers modulo two. A

classical approach would consist in testing the parameters in order to reject

integers dierent from 0 and 1. However it is not very eÆcient because of

the supplementary tests. So we dene a predicate ismodulo2 (with the

construction letprop) to express that the only entities of modulo 2 integers

are the integers0 and 1. This property is therepresentation invariant. Then

we formulate and prove the property plusmodulo2: for all integers x and

y satisfying the representation invariant, the result of the addition of x and

(7)

modulo 2.

species modulo_2_integers

inherits additive_monoid_integers =

let plus (x in self, y in self) in self =

let r=#int_plus(x,y) in

if (!equal(r,2)) then 0 else r;

proof of plus_is_associative = (* new proof *);

proof of zero_is_neutral = (* new proof *);

letprop is_modulo_2 (x in self) = !equal(x,0) or !equal(x,1);

theorem plus_modulo_2:

all x y in self,

!is_modulo_2(x) -> !is_modulo_2(y) -> !is_modulo_2(!plus(x,y))

proof: ...

theorem zero_modulo_2: !is_modulo_2(!zero)

proof: ...

theorem one_modulo_2: !is_modulo_2(!one)

proof: ...

end

The species modulo2 integers is totally dened. Then we can build a

collectioncfrom thisspecies.

collection c implements modulo_2_integers

To prevent the end user from using the entities in a bad manner, as for

examplein theexpressionc!plus(2,5),thecarriertypeismadeabstract. The

creationofthecollectionccomeswiththisencapsulation. Thenthetypeofplus

becomesc -> c -> cwherecisthenameofthecollection. Andconsequently

theentities denoted byoneand twohavethetypec. Thus, plusmay takeas

parameters oneand two. Generally speaking, only elements generated by the

operationsdened in the collectionc, that is, havingthe resulttypec, canbe

usedwithto plus:

let r=c!plus(c!one,c!zero);;

c!plus(r,c!one);;

As one and zero satisfy the representation invariant, we are sure that plus

returnsamodulotwointegerstoredinthevariabler. Andrcanbeusedagain

asaparameter. Thustherepresentationinvariantisneverbroken.

(8)

by the programmer (with type annotations parameters or declarations). For

example, themethod plusisdened bytheuser withthe typeself -> self

-> self. Such a type is called the method interface. The set of method

interfacesassociatedwiththeirmethodnames,foragivenspecies, iscalledthe

interface of the species. A collectionhasalso aninterface, provided bythe

interface,thespeciesfromthecollectionderives. Andeveryoccurrenceof self

isreplacedbythenameofthecollection.

Furthermore,theFoclanguageoersmultiple inheritance.Theconvention,

in caseofconicts, istochoosethedenitionfrom therightmostspecies.

The language is more restrictive about the carrier type. For example, in the

species modulo2 integers, we cannot redene rep as bool. Moreover, if a

speciesinheritsfromseveralotherspecies,thentheinheritedcarriertypesmust

be the same. We can explain easily this restriction in the computer algebra

domain: aspecies representsanalgebraicstructure that relieson acarrierset.

Thissetisgivenonceforall,sochangingtherepresentationofitselementswould

change thenature of this set. Moreover, in the framework of Foc, instead of

changingthecarriertypefrom inttobool,wewould createaspecies withan

abstractcarriertypeandtwoderivedspecies(inheritingfromtherstone),one

withintasitscarriertypeandanotheronewithboolasitscarriertype.

Lastly,Foc providesparameterizedspecies:

species cartesian_setoid (c1 is setoid, c2 is setoid) =

rep = c1 * c2;

let fst ( x in self ) in c1 = #first(x) ;

let snd ( x in self ) in c2 = #scnd(x) ;

end

Thespeciescartesiansetoidhastwoparametersc1and c2 representing

twocollections whoseinterfaceisderivedfromsetoid.

Asthecollectionnamecanbeconsideredasatype,wecanusec1andc2tode-

nethecarriertypeofcartesiansetoid. Here,anentityofcartesiansetoid

isapairmadeofanentityof c1andanentityof c2.

Incartesiansetoid,weprovidetwomethodsfstandsndtoaccessthecom-

ponents ofan entity. These methods use the Ocamlprojections, #firstand

#snd.

Letsupposetwospeciesboolsetoidandintsetoid,totallydened,withbool

andintasthecarriertypedenitions. Letc boolsetoidandcint setoidthe

collections createdrespectivelyfrom thespeciesbool setoidandint setoid.

Thusc boolsetoidandc intsetoidhaveinterfacesderivedfromthesetoid

interface. Therefore,wecan usec boolsetoidandc intsetoidasparame-

ters for cartesiansetoid. As this application providesanew species totally

dened,wecancreateanewcollectionfromit:

(9)

Neitherspecies norcollections are rstclass objects, evenifcollection may

beused asparametersofspecies.

3 Relative works

Inheritance,latebinding,methodredenitionarefeaturescommontoFocand

class based objects oriented languages. However, there are dierences. First

of all, the Foc carrier type, fundamental ingredient of our approach, has no

counter-part in the OO world. Another important dierence is that a Foc

species hasnostate. We couldconsider the carriertypeasabuilt-in method,

usuallyvirtualintheearlystagesofthedevelopment. Anymethodofaspecies

oracollectionisappliedtoentitieswhichhaveaCamltype,notanobjecttype.

NeverthelesswithobjectswecannotobtaintheFocencapsulationwhenwe

createacollection: thecarriertypemust bemadeabstract whileitis manifest

(inthesamewayas[5])inthespeciesthat allowedtoderivethecollection.

A collectioncan be compared to amodule of functional languages. In this

context, acollectionis closetoastructureprovidingatypewhosedenition is

hidden,thatisanopaquetype,andfunctionstohandleelementsofthatopaque

type.

Species are also close to mixin modules (see [6]). Both have dened com-

ponents and deferred components (declared but not yet dened). Dening a

deferred method in the Foc context can be compared to the operation of the

sumoftwomixins.

The ingredients found in Foc and formalized in ourcore language named

Otarieare notnew,theycome from classbasedlanguagesandmodules. They

are consistentlymixed to provideaframeworkto developcertied components

bytakingadvantageof specicationandcodereuse.

4 Presentation of Otarie

The previous section has presented dierent features of Foc, in particular

those related to the carrier type, the interface and its abstraction. A rst

formalization hasbeenpresented in [7,8]. Howeverthiswork wasnotincorpo-

rating encapsulationandinterfaces. Inthispaperwecome backtothis formal

modelandadapt itto takeintoaccounttheinterfacesandtheencapsulationof

entities.

Our formal denition of Otarie has been inspired by Objective ML [9], a

class-basedmodelthat servesasthefoundationsof theprogramminglanguage

Ocaml. And,evenifacollectionisclosertoamodulethananobject,aspecies

canbeconsideredas aclass, morepreciselyavirtualclasssinceitmaycontain

deferredmethods. A collectioncanbeseenasanobject,aninstanceofaclass,

(10)

InOtarie,weconsider asetof constantscst2K ,aset of variablesx 2X,

aset ofcollections c2C, aset ofspecies namesz2Z, aset ofname methods

m2M. All thesesetsareenumerable.

Fig.1. carriertypedenitionandmethodinterface

carriertypedenition:

t::=

cst

atomictypelikeint,bool,etc...

j In (c) carriertypereferenceofthecollectionc

j t!tjtt

methodinterface:

i::=rep abstractionannotation

j cstjIn(c)

j i!ijii

Thesyntax to dene acarriertype is givenin the gure1. A carriertype

asdened by thedevelopercan mix atomic types, constructorsand collection

names. In this latter case, the collection name is considered as a type name.

Although, in a Foc program, weuse indierently the name c to denote both

thecollectionand irscarriertype, weprefer to adopt in Otarieadisambiguous

syntax. SowewriteIn(c) insteadofc in acarriertype. Thus, byusing In(c),

the developerrefersto the carriertypeof the collectionc. Howeverhe hasan

abstract vision from it. In other words, an expression of type In(c), must be

consideredas anencapsulatedentityofthecollectionc.

Todene amethod interface,the syntacticcategoryi isused. Inthesame

way, an interface is composed of regular types and collection names (tagged

with In()) and incorporate generally occurrences of rep (self in Foc). By

using rep, the developer species that the corresponding parameter or result

is an entity of the species that he is writing. Thanks to the annotation rep,

even if the carrier typedenition is int, in themethod interface rep! int,

wecan do the distinction betweenan integer that is anentity and an integer

thatisnot.Thisinformationwillhelpwhencreatingandabstractingacollection.

Although the syntactic category t is included in i, we do the distinction

between the two categories because the annotation rep must not be used to

dene a carrier type. Indeed, the use of rep to dene a carrier type has no

meaning since rep refers to the carrier type itself. Moreover, this syntactic

distinctionavoidsus nottoadd supplementaryrulesinthetypesystem.

Themain syntax ofOtarieis described inthe gure2. It's anextension of

Références

Documents relatifs

Il n’y a pas d’indication formelle au traitement antiviral dans les formes de varicelle ou de zona sans complications diagnostiquées chez l’enfant ou chez l’adulte,

Supplementary measurements of the external photoluminescence efficiency, under low excitation conditions, allowed us to estimate the interface recombination velocity at

JADEL, which stands for JADE (Java Agent DEvelopment framework) Language, is an agent-oriented programming lan- guage designed to help the development of JADE [1] agents and

More precisely, the compositional account of productivity, that is, the generation of the intended reading of sentences exclusively by formal operations of lexically encoded

On one hand, it combines the (purely synchronous) clock operators of the CCSL specification language [9], adding support for time tags and time scales relations found in the

De plus, trois études récentes ont montré que la protection du corps cellulaire du motoneurone, et donc la préservation du nombre de corps cellulaires de

For aqueous suspensions the simultaneous measurements of aggregation kinetics and particle interactions on the same particles showed that the interaction forces extracted from

The PROJ rule must be applied on a parallel vector available at the current level p. The resulting value is a closure which contains the content of the given vector. As expected,