Post on 18-Jan-2018
description
transcript
What is the Meaning of These Constant Interruptions?
Graham Hutton and Joel WrightUniversity of Nottingham
2
What Is An Exception?
Division by zeroNull pointer
Examples:
An event within a computation that causes termination in a non-
standard way
3
What Is An Interrupt?
An exception that arises from the external environement, e.g. another
computation
TerminateAny exception
Examples:
4
This TalkHaskell is unique in providing both full support
for interrupts and a semantics for this.
But the semantics is subtle, and relies on quite considerable technical machinery.
We give a simple, formally justified, semantics for interrupts in a small language.
5
An Exceptional Language
data Expr = Val Int | Throw | Add Expr Expr | Seq Expr Expr | Catch Expr Expr
Syntax:
Semantics:
e ve can evaluate to
v
6
Sequencing:
Seq x y v
x Val n y v
Seq x y Throw
x Throw
Catch x y Val n
x Val n
Catch x y v
x Throw y v
Catch:
7
Finally, An Example
Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?
finally x y
=
8
Finally, An Example
Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?
finally x y
=
Seq x y
9
Finally, An Example
Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?
finally x y
=
Seq x y
If x produces an exception,
y is not evaluated
10
Seq (Catch x y) y
Finally, An Example
Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?
finally x y
=
11
Seq (Catch x y) y
Finally, An Example
Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?
finally x y
=
If x produces an exception, y
may be evaluated twice
12
Seq (Catch x (Seq y Throw)) y
Finally, An Example
Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?
finally x y
=
13
Seq (Catch x (Seq y Throw)) y
Finally, An Example
Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?
finally x y
=
Now has the correct
behaviour
14
Adding Interrupts
To avoid the need for concurrency, we adopt the following worst-case rule for interrupts:
x ThrowEvaluation can be interrupted at any time by replacing
the current expression by throw
15
Seq (Catch x (Seq y Throw)) y
Note:
Evaluation is now non-deterministic.
Finally no longer behaves as expected.
could be interrupted as y is about to be
evaluated
16
Controlling Interrupts
data Expr = ••• | Block Expr | Unblock Expr
Syntax:
Semantics:
e i ve can evaluate to
v in interrupt status i
17
Key rules:
Block x i v
x B v
Unblock x i v
x U v
x U Throw
The other rules are simply modified to propogate the current interrupt status to their arguments.
18
Finally Revisited
finally x y
=
Seq (Catch x (Seq y Throw)) y
19
Block (Seq (Catch (Unblock x) (Seq y Throw)) y)
Finally Revisited
finally x y
=
20
Block (Seq (Catch (Unblock x) (Seq y Throw)) y)
Finally Revisited
finally x y
=
Modulo syntax, finally in Haskell is defined in precisely
the same way
21
Is Our Semantics Correct?
How does our high-level semantics reflect our low-level intuition about interrupts?
To address this issue, we first define a virtual machine, its semantics, and a compiler.
We explain the basic ideas informally using an example - the paper gives full details.
22
Catch (Unblock (2+3)) 4
Example
Code
23
Catch (Unblock (2+3)) 4
Example
Code
24
Catch (Unblock (2+3)) 4
Example
MARK [ ]
UNMARK
Code
25
Catch (Unblock (2+3)) 4
Example
MARK [ ]
UNMARK
Code
26
Catch (Unblock (2+3)) 4
Example
MARK [PUSH 4]
UNMARK
Code
27
Catch (Unblock (2+3)) 4
Example
MARK [PUSH 4]
UNMARK
Code
28
Catch (Unblock (2+3)) 4
Example
MARK [PUSH 4]SET U
RESETUNMARK
Code
29
Catch (Unblock (2+3)) 4
Example
MARK [PUSH 4]SET U
RESETUNMARK
Code
30
Catch (Unblock (2+3)) 4
Example
MARK [PUSH 4]SET UPUSH 2PUSH 3ADDRESETUNMARK
Code
31
Catch (Unblock (2+3)) 4
Example
MARK [PUSH 4]SET UPUSH 2PUSH 3ADDRESETUNMARK
Code
Stack
Status
32
Catch (Unblock (2+3)) 4
Example
MARK [PUSH 4]SET UPUSH 2PUSH 3ADDRESETUNMARK
Code
Stack
Status
B
33
Catch (Unblock (2+3)) 4
Example
SET UPUSH 2PUSH 3ADDRESETUNMARK
Code
Stack
HAN [PUSH 4]
Status
B
34
Catch (Unblock (2+3)) 4
Example
PUSH 2PUSH 3ADDRESETUNMARK
Code
Stack
INT BHAN [PUSH 4]
Status
U
35
Catch (Unblock (2+3)) 4
Example
PUSH 3ADDRESETUNMARK
Code
Stack
VAL 2INT BHAN [PUSH 4]
Status
U
36
Catch (Unblock (2+3)) 4
Example
ADDRESETUNMARK
Code
Stack
VAL 3VAL 2INT BHAN [PUSH 4]
Status
U
37
Catch (Unblock (2+3)) 4
Example
ADDRESETUNMARK
Code
Stack
VAL 3VAL 2INT BHAN [PUSH 4]
Status
U
interrupt!
38
Catch (Unblock (2+3)) 4
Example
THROWRESETUNMARK
Code
Stack
VAL 3VAL 2INT BHAN [PUSH 4]
Status
U
interrupt!
39
Catch (Unblock (2+3)) 4
Example
THROWRESETUNMARK
Code
Stack
VAL 2INT BHAN [PUSH 4]
Status
U
40
Catch (Unblock (2+3)) 4
Example
THROWRESETUNMARK
Code
Stack
INT BHAN [PUSH 4]
Status
U
41
Catch (Unblock (2+3)) 4
Example
THROWRESETUNMARK
Code
Stack
HAN [PUSH 4]
Status
B
42
Catch (Unblock (2+3)) 4
Example
PUSH 4
Code
Stack
Status
B
43
Catch (Unblock (2+3)) 4
Example
Code
Stack
VAL 4
Status
B
44
Catch (Unblock (2+3)) 4
Example
Code
Stack
VAL 4
Status
B
Final result
45
Compiler CorrectnessWe will exploit two basic notions of reachability for configurations of our virtual machine.
x can reach everything in
Y
x will reach something in
Y
x * Y
x Y
46
Theorem
{ | e i Val n }
{ | e i Throw }
*
U
Proof: approximately 10 pages of calculation, much of which requires considerable care.
comp e c i s
c i VAL n : s
i s
47
Summary
Simple semantics for interrupts, formally justified by a compiler correctness theorem.
Discovery of an error in the semantics for Haskell, concerning the delivery of interrupts.
Verification of finally, a useful high-level operator for programming with exceptions/interrupts.
48
Further Work
Mechanical verification
Bisimulation theorem
Generalising the language
Reasoning about programs
Calculating the compiler