The Whiley Programming Language
David J. Pearce
School of Engineering and Computer Science, Victoria University of Wellington, New Zealand
Motivation
• Ariane 5 (destroyed shortly after take off)
• Mars Global Surveyor (batteries overheated)
• F22-Raptor (“problem” crossing meridian line)
• USS Yorktown (dead in water)
• Therac-25 (lethal doses of X-Rays)
• …
State of Play
class Date {
  private int day;
  private int month;
  private int year;

  public Date(int day, int month, int year) {
    this.day = day;
    this.month = month;
    this.year = year;
  }
  …
}
Java Modelling Language (JML)

class Date {
  // 30 days hath Sept, Apr, Jun and Nov
  // all the rest have 31, …
  // except February, which has 28 …
  //@ invariant ((month!=9 && month!=4 && month!=6
  //@   && month!=11) || day <= 30) &&
  //@   1 <= day <= 31 && 1 <= month <= 12 &&
  //@   (month!=2 || day <= 28);
  private int day, month, year;
  …
}
Verifying OO Programs: The Challenge

class TableRow<T> {
  private List<T> rows;
  …
  // Stores the caller's reference: the caller keeps an alias to rows
  // and can mutate it later without going through this class.
  void set(List<T> rs) { rows = rs; }

  // Appends into a caller-owned list, another shared reference.
  void copy(List<T> to) {
    for(int i=0;i!=rows.size();++i) {
      to.add(rows.get(i));
    }
  }
}
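The aliasing problem the TableRow slide points at, shown as an added example (not code from the slides or from the Whiley project): a class validates an invariant over the list it is given, but because set() stores the reference, the caller can break the invariant afterwards without the class ever seeing it. The invariant ("every row id is non-negative") and the Python class names are assumptions made for this example; the value-semantics variant is what Whiley's pass-by-value lists give you without a defensive copy.

```python
from typing import List


class AliasingTableRow:
    """Stores the caller's list directly, as the slide's TableRow.set does."""

    def __init__(self) -> None:
        self.rows: List[int] = []

    def invariant(self) -> bool:
        # Invariant chosen for this example: every row id is non-negative.
        return all(r >= 0 for r in self.rows)

    def set(self, rs: List[int]) -> None:
        if not all(r >= 0 for r in rs):
            raise ValueError("rows must be non-negative")
        self.rows = rs          # alias: the caller still holds rs

    def copy(self, to: List[int]) -> None:
        for i in range(len(self.rows)):
            to.append(self.rows[i])


class ValueTableRow(AliasingTableRow):
    """Same interface, but set() snapshots the list: no outside alias survives."""

    def set(self, rs: List[int]) -> None:
        if not all(r >= 0 for r in rs):
            raise ValueError("rows must be non-negative")
        self.rows = list(rs)    # defensive copy: pass-by-value semantics


def rejects_invalid_rows(cls) -> bool:
    """Both classes check the invariant at the moment set() is called."""
    try:
        cls().set([1, -2, 3])   # constructed invalid input
    except ValueError:
        return True
    return False


def invariant_survives_caller_mutation(cls) -> bool:
    """Validate, then mutate the caller's list; report whether the invariant still holds."""
    shared = [1, 2, 3]          # constructed sample input
    row = cls()
    row.set(shared)             # passes the check
    shared[0] = -1              # caller mutates after validation, behind the class's back
    return row.invariant()
```

Checking at set() time is a time-of-check/time-of-use gap whenever the checked object stays shared; a verifier that reasons about the class alone cannot close it, which is why Whiley removes the aliasing in the first place.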
Verifying OO Programs: The Challenge
• Does this make sense?

class Date {
  …
  //@ ensures \result.compareTo(this) > 0;
  public Date nextDay() { … }

  public int compareTo(Date d) { … }
}
Introducing Whiley!!!
• Hybrid OO – Functional Language
• Compiles to JVM
• Performs Compile-Time Checking of Constraints
Functional Core
• Pure functions: no aliasing or side-effects
• Pass-by-value records, lists + sets
• Constraints checked at compile time
define int where $ >= 0 as nat

int f(nat a, nat b) ensures $ > 0:
    if a == b:
        return 1
    else:
        return a + b
Quick Demo
Numbers
• OOP: Modular Arithmetic + Floating Point
• Whiley: unbounded ints + rationals
define int where $ >= 0 && $ < 256 as byte

real f(byte x):
    if x > 0:
        return 18372.382349823409823409234
    return x + 1
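Why the Numbers slide matters for security, as an added example (not from the slides or the Whiley project): the common bounds check `offset + length <= size` is sound over unbounded integers but bypassable under 32-bit modular arithmetic, because a large length wraps the sum negative. Python's `int` is unbounded like Whiley's, so `to_i32` below emulates Java's `int` wrap; the buffer size, offset and length are constructed inputs. The rational-vs-float comparison at the end illustrates the second half of the slide.

```python
from fractions import Fraction

INT_MIN, INT_MAX = -2**31, 2**31 - 1


def to_i32(x: int) -> int:
    """Wrap x into signed 32-bit two's complement, emulating Java int overflow."""
    return ((x + 2**31) % 2**32) - 2**31


def bounds_ok_modular(offset: int, length: int, size: int) -> bool:
    """The check as written in a 32-bit language: the sum is computed mod 2^32."""
    return offset >= 0 and length >= 0 and to_i32(offset + length) <= size


def bounds_ok_unbounded(offset: int, length: int, size: int) -> bool:
    """Same check over unbounded integers (Python / Whiley int): it cannot wrap."""
    return offset >= 0 and length >= 0 and offset + length <= size


def overflow_bypass_demo(size: int = 1024) -> dict:
    """Constructed input: offset 16 and a length chosen so 16 + length hits 2^31."""
    offset = 16
    length = INT_MAX - offset + 1          # 16 + length == 2**31, wraps to INT_MIN
    return {
        "wrapped_sum": to_i32(offset + length),
        "modular_accepts": bounds_ok_modular(offset, length, size),
        "unbounded_accepts": bounds_ok_unbounded(offset, length, size),
    }


def rational_vs_float() -> tuple:
    """Exact rationals make 3 * (1/10) == 3/10; binary floats do not."""
    return (Fraction(1, 10) * 3 == Fraction(3, 10), 0.1 * 3 == 0.3)
```

The modular version accepts a length of over two billion bytes against a 1 KiB buffer; the unbounded version rejects it. With unbounded integers the verifier can prove the check sufficient, whereas with wrapping arithmetic the proof obligation has to include the overflow case explicitly.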
Implicit Subtyping
• OOP: subtyping explicit via inheritance
• Whiley: subtyping is implicit, not explicit
define int where $ >= 0 as nat
define int where $ > 0 as pint

pint f(nat a):
    return a + 1

int g(nat x):
    return x - 1

nat y = …
int z = g(y)
Lists + Quantifiers
• OOP: sets/lists are objects
• JML: quantifiers may not be computable
• Whiley: support for first-class lists/sets
• Whiley: support for computable quantifiers
define [int] where no {x in $ | x<0} as nats

int sum(nats ns, int i) requires 0<=i && i<|ns|, ensures $ >= 0:
    return ns[i]
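The constrained types and requires/ensures clauses from the Functional Core, Implicit Subtyping and Lists + Quantifiers slides (nat, pint, nats, f, g and sum), re-expressed as runtime contract checks. This is an added example, not code from the slides or the Whiley compiler: Whiley discharges these obligations at compile time, while here each violation raises, which makes the same contracts executable. The `contract` decorator, `succ` (the slide's second `f`), `assign_nat` and `sum_at` (the slide's `sum`) are names chosen for this example.

```python
from functools import wraps
from typing import Callable, List


def nat(x) -> bool:                 # define int where $ >= 0 as nat
    return isinstance(x, int) and x >= 0


def pint(x) -> bool:                # define int where $ > 0 as pint
    return isinstance(x, int) and x > 0


def nats(xs: List[int]) -> bool:    # define [int] where no {x in $ | x<0} as nats
    # The quantifier ranges over a finite list, so it is computable.
    return not any(x < 0 for x in xs)


def contract(requires: Callable[..., bool] = lambda *args: True,
             ensures: Callable[..., bool] = lambda result, *args: True):
    """Decorator: `requires` sees the arguments, `ensures` sees ($, arguments)."""
    def deco(fn):
        @wraps(fn)
        def wrapper(*args):
            if not requires(*args):
                raise ValueError(f"{fn.__name__}: precondition violated for {args}")
            result = fn(*args)
            if not ensures(result, *args):
                raise AssertionError(f"{fn.__name__}: postcondition violated, got {result!r}")
            return result
        return wrapper
    return deco


# int f(nat a, nat b) ensures $ > 0
@contract(requires=lambda a, b: nat(a) and nat(b), ensures=lambda r, a, b: r > 0)
def f(a: int, b: int) -> int:
    return 1 if a == b else a + b


# pint f(nat a): return a + 1   (nat + 1 is implicitly a pint, no declaration needed)
@contract(requires=lambda a: nat(a), ensures=lambda r, a: pint(r))
def succ(a: int) -> int:
    return a + 1


# int g(nat x): return x - 1   (the result is only an int, not a nat)
@contract(requires=lambda x: nat(x))
def g(x: int) -> int:
    return x - 1


def assign_nat(z: int) -> int:
    """`nat z = g(y)` would be rejected by Whiley's type checker; here it fails at runtime."""
    if not nat(z):
        raise TypeError(f"{z} is not a nat")
    return z


# int sum(nats ns, int i) requires 0<=i && i<|ns|, ensures $ >= 0
@contract(requires=lambda ns, i: nats(ns) and 0 <= i < len(ns), ensures=lambda r, ns, i: r >= 0)
def sum_at(ns: List[int], i: int) -> int:
    return ns[i]


def violations() -> dict:
    """Run each contract-violating call on constructed inputs and record which check fired."""
    attempts = {
        "f_negative_arg": lambda: f(-1, 2),
        "sum_index_out_of_range": lambda: sum_at([1, 2], 2),
        "sum_negative_element": lambda: sum_at([1, -2], 1),
        "nat_from_g": lambda: assign_nat(g(0)),
    }
    out = {}
    for name, call in attempts.items():
        try:
            call()
            out[name] = "ok"
        except (ValueError, TypeError) as exc:
            out[name] = type(exc).__name__
    return out
```

Note that the `requires` on `sum_at` is exactly the slide's precondition: it rules out the out-of-range index before `ns[i]` is evaluated, so the postcondition never has to cope with an exception, and the `nats` constraint is what lets `$ >= 0` follow from `return ns[i]`.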
Imperative Outer Layer
• OOP: objects may be concurrently modified
• OOP: methods have re-entrant semantics
• Whiley: process methods execute atomically
• Whiley: methods are not re-entrant
define process (int x, int y) as PointProc

void PointProc::update(int z):
    this->y = z

void System::main([string] args):
    PointProc pp = spawn (x:1,y:2)
    pp->update(3)
    print str(*pp)
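The two properties the Imperative Outer Layer slide claims for process methods, atomic execution and no re-entrancy, emulated in Python as an added example (not code from the slides or the Whiley runtime). A `Process` base class runs every method body under a single non-reentrant `threading.Lock` and records the owning thread, so concurrent callers serialise and a method that calls back into the same process is rejected with an error instead of deadlocking or silently re-entering half-updated state. `Process`, `bump`, `update_from_inside` and the thread counts are assumptions made for this example.

```python
import threading
import time
from typing import Any, Callable, Optional


class ReentrancyError(RuntimeError):
    pass


class Process:
    """Base class: every public method body runs under one non-reentrant lock."""

    def __init__(self) -> None:
        self._lock = threading.Lock()       # deliberately a Lock, not an RLock
        self._owner: Optional[int] = None   # thread currently inside the process

    def _atomic(self, body: Callable[..., Any], *args: Any) -> Any:
        me = threading.get_ident()
        if self._owner == me:
            # Same thread is already inside: a re-entrant call. Whiley forbids it;
            # with a plain Lock it would otherwise deadlock, so reject it loudly.
            raise ReentrancyError("re-entrant call into process method")
        with self._lock:
            self._owner = me
            try:
                return body(*args)
            finally:
                self._owner = None


class PointProc(Process):                   # define process (int x, int y) as PointProc
    def __init__(self, x: int, y: int) -> None:
        super().__init__()
        self.x, self.y = x, y

    def update(self, z: int) -> None:       # void PointProc::update(int z): this->y = z
        self._atomic(self._update, z)

    def _update(self, z: int) -> None:
        self.y = z

    def bump(self) -> None:
        """Read-modify-write on y; only atomic because of the lock."""
        self._atomic(self._bump)

    def _bump(self) -> None:
        old = self.y
        time.sleep(0)                       # yield the GIL: widens the race window
        self.y = old + 1

    def update_from_inside(self, z: int) -> None:
        """Calls update() while already inside the process: not allowed."""
        self._atomic(self.update, z)


def main_demo() -> str:
    """Mirrors System::main from the slide: spawn, update, print."""
    pp = PointProc(1, 2)
    pp.update(3)
    return f"({pp.x},{pp.y})"


def concurrent_bumps(threads: int = 4, per_thread: int = 500) -> int:
    """Run bump() from several threads; with atomic methods no update is lost."""
    pp = PointProc(0, 0)

    def worker() -> None:
        for _ in range(per_thread):
            pp.bump()

    ts = [threading.Thread(target=worker) for _ in range(threads)]
    for t in ts:
        t.start()
    for t in ts:
        t.join()
    return pp.y


def reentry_is_rejected() -> bool:
    """A nested call into the same process raises, and the process stays usable."""
    pp = PointProc(1, 2)
    try:
        pp.update_from_inside(3)
    except ReentrancyError:
        pp.update(3)                        # the lock was released on the way out
        return pp.y == 3
    return False
```

The owner check is what turns a would-be deadlock into a detectable error; the same pattern (reject re-entry rather than allow it) is the usual defence against re-entrancy bugs wherever a callback can reach back into state that is mid-update.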
Compiler Overview

• Parser
• Type Checker
• Verification (backed by an SMT Solver)
• Bytecode Generator

whiley.org (under construction)