Formal Islands and Certified Pattern Matching Code

loria-logo

Introduction Languages Validation method Conclusion

Formal Islands and Certified Pattern MatchingCode

Claude Kirchner

joint work with

Pierre-Etienne Moreau, Antoine Reilles

INRIA & LORIA & CNRS

September 7, 2005

Formal Islands and Certified Pattern Matching Code 1 / 27

loria-logo

1. IntroductionFormal IslandsThe Tom languageOur goal

2. LanguagesThe PIL languageMappingSemantics

3. Validation methodDefinition of correct compilationHow this worksResults

4. Conclusion

Introduction Languages Validation method Conclusion Formal Islands The Tom language Our goal

Principle schema, 1

Existing codeJAVA program

Principle schema, 2

Algebraic anchorageLinks Java with the basic extensions

Principle schema, 3

Building of the islandG → D

Principle schema, 4

Building ValidationsProperty proofs

Principle schema, end

Island dissolutionJAVA ProgramSituation similar to the starting one, but we are sure of the codegenerated, thanks to the formal island.

Formal Islands for Language Extension

I We use the notion of Formal Island and anchoring to extendan existing languages with formal capabilities

I Anchoring means to describe new features in terms of theavailable functionalities of the host language

I Once compiled, these features are translated into pure hostlanguage constructs

Formal Islands Capabilities

1. To extend the expressivity of the language with higher-levelconstructs at design time

2. To perform formal proofs or transformations on the formalisland constructions

3. To certify the implementation of the formal island compilationinto the host language

Allows for the formal island creation based on:

I matching

I rewriting

I traversals and strategies

In Java: JTOMIn C: CTOMIn CAML: CamTOM

http://tom.loria.fr

The Tom language

Rewriting as a programming language:

fib(3)→ fib(2) + fib(1)fib(2) + fib(1)→ fib(2) + 1

fib(2) + 1→ fib(1) + fib(0) + 1fib(1) + fib(0) + 1→ . . .

Tom: pattern matching compiler for Java, C, . . .

The Tom language

Rewriting languages

Fixed data-structure

plug-in (Objects, XML,. . . )

Everything is rewriting

Java, C,. . .

The Tom language

Rewriting languages Tom

Fixed data-structure plug-in (Objects, XML,. . . )Everything is rewriting Java, C,. . .

The Tom language

f i b ( x ) {%match ( x ) {

z e r o ( ) −>{return ‘ suc ( z e r o ( ) ) ; }suc ( z e r o ())−>{ return ‘ suc ( z e r o ( ) ) ; }suc ( suc ( n))−>{ return ‘ p l u s ( f i b ( suc ( n ) ) , f i b ( n ) ) ; }

The Tom language

f i b ( x ) {%match ( x ) {

z e r o ( ) −>{return ‘ suc ( z e r o ( ) ) ; }suc ( z e r o ())−>{ return ‘ suc ( z e r o ( ) ) ; }suc ( suc ( n))−>{ return ‘ p l u s ( f i b ( suc ( n ) ) , f i b ( n ) ) ; }

Match against Java data-structures

Pattern matching

Typical example:The pattern x + y matches the subject 1 + 2 using the variableassignment x 7→ 1, y 7→ 2.

In general, given:a pattern pa subject tfind variables assignment σ such thatσ(p) = tSuch a pattern matching problem is denoted p � t

Objectives

I Need for certification of matching

I Independent of the used data-structures

I Compilation:

I Independent of the compilation process

Objectives

I Compilation:

Objectives

I Compilation:

p � compile// Pp

Objectives

I Compilation:

p �t

��

compile// Pp(t)

��

σ ooabstract

Objectives

I Compilation:

p �t

��

compile// Pp(t)

��

σ ooabstract

When we are using a compiler, we believe it is correctWhen writing a compiler, we know it is incorrect!

In the Tom compiler

HostLanguage

+Patterns

Parser BackendHost

LanguageCompiler

Tom Compiler

p� t PIL

Introduction Languages Validation method Conclusion The PIL language Mapping Semantics

The PIL language

instr ::= accept| refuse

| if(expr, instr, instr)| let(pxq, term, instr) (x ∈ X )

expr ::= true | false| is fsym(term, pf q) (f ∈ F)| eq(term, term)

term ::= pxq (x ∈ X )| ptq (t ∈ T (F))| subtermf (term, int) (f ∈ F)

Access the tree structure

The PIL language

instr ::= accept| refuse| if(expr, instr, instr)| let(pxq, term, instr) (x ∈ X )

The PIL language

Definition of mapping : why and what ?

I Mapping between algebraic terms and their objectrepresentation

I How to represent a term (How to make it)?

I How to destruct a term?

Algebraic space Concrete space

Abstract Data type� �Person(name:String,age:int)� �

� �c l a s s Person {

S t r i n g name ;S t r i n g f i r s tName ;i n t age ;

}� �Person

xxqqqq!!DDD

”smith” 42

Symb(t)t|1t|2

Person

”smith””bob”42

instanceoft.namet.age

is fsym(dte, df e) ≡ dSymb(t) = f esubtermf (dte, die) ≡ dt|ie

}� �

Personxxqqqq

!!DDDD

”smith” 42

Symb(t)t|1t|2

Person

}� �Person

xxqqqq!!DDD

”smith” 42

Symb(t)t|1t|2

Person

}� �Person

xxqqqq!!DDD

”smith” 42

Symb(t)t|1t|2

Person

}� �Person

xxqqqq!!DDD

”smith” 42

Symb(t)t|1t|2

Person

}� �Person

xxqqqq!!DDD

”smith” 42

Symb(t)t|1t|2

Person

}� �Person

xxqqqq!!DDD

”smith” 42

Symb(t)t|1t|2

Person

Validation method

Consider the pattern g(f (x), b) and the term g(f (a), b)and the program P

g(f (x), b)�g(f (a), b)

match��

compile // P(dg(f (a), b)e)

semantics��

[x ← a] ooabstract

{x := dae}

Validation method

Consider the pattern g(f (x), b) and the term g(f (a), b)and the program P

g(f (x), b)�X

match��

compile // P(dX e)

semantics��

[x ← X|1|1] ooabstract

{x := dX|1|1e}

Big-step semantics

Rules for instructions instr:

〈ε, accept〉 7→ 〈ε, accept〉 (accept)

〈ε, refuse〉 7→ 〈ε, refuse〉 (refuse)

〈ε, i1〉 7→ 〈ε′, i〉〈ε, if(e, i1, i2)〉 7→ 〈ε′, i〉

if ε(e) ≡ true(iftrue)

〈ε, i2〉 7→ 〈ε′, i〉〈ε, if(e, i1, i2)〉 7→ 〈ε′, i〉

if ε(e) ≡ false(iffalse)

〈ε[x ← dte], i1〉 7→ 〈ε′, i〉〈ε, let(x , u, i1)〉 7→ 〈ε′, i〉

if ε(u) ≡ dte(let)

Big-step semantics

〈ε, i1〉 7→ 〈ε′, i〉〈ε, if(e, i1, i2)〉 7→ 〈ε′, i〉

〈ε, i2〉 7→ 〈ε′, i〉〈ε, if(e, i1, i2)〉 7→ 〈ε′, i〉

Big-step semantics

〈ε, i1〉 7→ 〈ε′, i〉〈ε, if(e, i1, i2)〉 7→ 〈ε′, i〉

〈ε, i2〉 7→ 〈ε′, i〉〈ε, if(e, i1, i2)〉 7→ 〈ε′, i〉

Big-step semantics

〈ε, i1〉 7→ 〈ε′, i〉〈ε, if(e, i1, i2)〉 7→ 〈ε′, i〉

〈ε, i2〉 7→ 〈ε′, i〉〈ε, if(e, i1, i2)〉 7→ 〈ε′, i〉

Introduction Languages Validation method Conclusion Definition of correct compilation How this works Results

Definition of a correct compilation

Definition

Given a formal anchor de, a well-formed program πp is a correctcompilation of p when both:

If the program results in accept, then a match is computed∀ε, ε′ ∈ Env ,∀t ∈ T (F),

〈ε, πp(dte)〉 7→ 〈ε′, accept〉 ⇒ Φ(ε′)(p) = t

(soundOK )If p matches t, then the program finds a match∀ε ∈ Env ,∀t ∈ T (F),

p � t ⇒ ∃ε′ ∈ Env , 〈ε, πp(dte)〉 7→ 〈ε′, accept〉

∧Φ(ε′)(p) = t (completeOK )

Result

Theorem

Given a formal anchor de, a pattern p ∈ T (F ,X ), and awell-formed program πp ∈ PIL, we have:

πp is a correct compilation of p⇐⇒

∀ε, ε′ ∈ Env ,∀t ∈ T (F),

〈ε, πp(dte)〉 7→ 〈ε′, accept〉 ⇔ Φ(ε′)(p) = t

Now, how to use these tools ?

Result

Theorem

Given a formal anchor de, a pattern p ∈ T (F ,X ), and awell-formed program πp ∈ PIL, we have:

πp is a correct compilation of p⇐⇒

∀ε, ε′ ∈ Env ,∀t ∈ T (F),

〈ε, πp(dte)〉 7→ 〈ε′, accept〉 ⇔ Φ(ε′)(p) = t

Now, how to use these tools ?

Method

Let’s consider the pattern p : g(f (x), b)

πg(f (x),b)(s) ,if(is fsym(s, dge),

if(is fsym(subtermg (s, 1), df e),let(x1, subtermf (subtermg (s, 1), 1),

if(is fsym(subtermg (s, 2), dbe),let(x , x1, accept),refuse)),

refuse),refuse)

Deriving constraints for g(f (x), b)

refuse),refuse)

is fsym(s, dge) ≡ true → Symb(s) = gis fsym(subtermg (s, 1), df e) ≡ true → Symb(s|1) = fx1 = subtermf (subtermg (s, 1), 1) → x1 = s|1|1is fsym(subtermg (s, 2), dbe) ≡ true → Symb(s|2) = bx = x1 → x = s|1|1

refuse),refuse)

is fsym(s, dge) ≡ true

→ Symb(s) = gis fsym(subtermg (s, 1), df e) ≡ true → Symb(s|1) = fx1 = subtermf (subtermg (s, 1), 1) → x1 = s|1|1is fsym(subtermg (s, 2), dbe) ≡ true → Symb(s|2) = bx = x1 → x = s|1|1

refuse),refuse)

→ Symb(s) = gis fsym(subtermg (s, 1), df e) ≡ true → Symb(s|1) = fx1 = subtermf (subtermg (s, 1), 1) → x1 = s|1|1is fsym(subtermg (s, 2), dbe) ≡ true → Symb(s|2) = bx = x1 → x = s|1|1

refuse),refuse)

→ Symb(s) = g

is fsym(subtermg (s, 1), df e) ≡ true

→ Symb(s|1) = fx1 = subtermf (subtermg (s, 1), 1) → x1 = s|1|1is fsym(subtermg (s, 2), dbe) ≡ true → Symb(s|2) = bx = x1 → x = s|1|1

refuse),refuse)

→ Symb(s) = g

→ Symb(s|1) = fx1 = subtermf (subtermg (s, 1), 1) → x1 = s|1|1is fsym(subtermg (s, 2), dbe) ≡ true → Symb(s|2) = bx = x1 → x = s|1|1

refuse),refuse)

→ Symb(s) = g

→ Symb(s|1) = f

x1 = subtermf (subtermg (s, 1), 1)

→ x1 = s|1|1is fsym(subtermg (s, 2), dbe) ≡ true → Symb(s|2) = bx = x1 → x = s|1|1

refuse),refuse)

→ Symb(s) = g

→ Symb(s|1) = f

→ x1 = s|1|1is fsym(subtermg (s, 2), dbe) ≡ true → Symb(s|2) = bx = x1 → x = s|1|1

refuse),refuse)

→ Symb(s) = g

→ Symb(s|1) = f

→ x1 = s|1|1

is fsym(subtermg (s, 2), dbe) ≡ true

→ Symb(s|2) = bx = x1 → x = s|1|1

refuse),refuse)

→ Symb(s) = g

→ Symb(s|1) = f

→ x1 = s|1|1

→ Symb(s|2) = bx = x1 → x = s|1|1

refuse),refuse)

→ Symb(s) = g

→ Symb(s|1) = f

→ x1 = s|1|1

→ Symb(s|2) = b

x = x1

→ x = s|1|1

refuse),refuse)

Proof obligation

We have to prove:

∀s, x : g(f (x), b) = s⇔

Symb(s) = g∧ Symb(s|1) = f∧ Symb(s|2) = b∧ x = s|1|1

Handled by Zenon [Doligez, INRIA], first order theorem prover

Proof obligation

We have to prove:

∀s, x : g(f (x), b) = s⇔

Proof obligation

We have to prove:

∀s, x : g(f (x), b) = s⇔

In the Tom compiler

Input Parser Backend Output

Compiler

constraints extraction

Optimizer

Proof ΠZenon

Tom Compiler

Patterns PIL

Cp,σ ⇔ Cπp

Application

Application on the Tom compiler itself

I more than 200 patterns

I verification takes about 20% of the compilation time

Conclusion

I ContributionsI Formal Island concept: safely build on existing codeI Certification of pattern matching codeI Model of the mapping between formal and actual

data-structure

I PerspectivesI Extention to rewriting (inlining)I DecidabilityI Extention to associative matchingI Support for equational theories

http://tom.loria.fr

Formal Islands and Certified Pattern Matching Code

Documents

Employment Support Professional (ESPro) Competencies ... · language identifying job tasks for increased work efficiencies and the matching of an ... Vocational Assessment Formal

Pacific Islands. Polynesia – many islands Micronesia – tiny islands Melanesia – black islands

Tahitian limes from the Cook Islands, Niue, Samoa, Tonga ... · Tahitian limes from Cook Islands, Niue, Samoa, Tonga and Vanuatu into Australia. The department received formal requests

Fast Pattern Matching. Fast Pattern Matching: Presentation Plan Pattern Matching: Definitions Classic Pattern Matching Algorithms Fast pattern matching

Islands Magazine British Virgin Islands

Islands Collection by Knoll...144 Graphite Pear* ** 145 Zebra* 147 Silverwood 148 Smokewood 149 Barnwood** *Matching edgeband available **Melamine worksurface finish POLISHED FINISH

On the Failure of the Bootstrap for Matching Estimators · validity of the bootstrap for matching estimators, along with simulations that conﬁrm the formal results. Section 4 concludes

Property Matching and Weighted Matching

KD-Tree Algorithm for Propensity Score Matching PhD ...jh2jf/pdfs/quals_defense.pdf · Motivation Formal De nitionCurrent Approaches kd-tree Algorithm Algorithm AnalysisConclusions

GIP Matching - Matching tools

Val_Impedance Matching and Matching Networks(2)

Image Matching: Correlation - Auckland · Outline Correlation 2D correlation Faster matching LS correlation Concurrent matching Correlation Matching: Probability Model of Signals

Land Disputation in Vanuatu - Pacific Islands Legal ... Disputation in Vanuatu.… · Land Dispute forums Informal and Formal dispute resolution forums Informal: Small family gatherings,

Fingerprint Matching and Non-Matching Analysis for Different … · Fingerprint Matching and Non-Matching Analysis for Different Tolerance Rotation Degrees in Commercial Matching

Northumbria Research Linknrl.northumbria.ac.uk/4385/1/reichert.tim_phd.pdf · pattern matching and instantiation and that this pattern-based approach provides a formal and practical

|Datum 09-12-2013 Matching op de RUG 1. |Datum 09-12-2013 Inhoud 2 ›Waarom matching? ›Wat is matching? ›Matching 2014 ›Voorlichting en matching

Ghostscript wrapper for Z:SYZYFOWE PRACESmart …formal language, linkers, supporting sentences) Making the World a Better Place (texts) – (multiple matching, answer questions) (Environmental

Obesity in Caribbean Children: Its - University ... - uwi.edu in... · Young adult obesity is ... Tobago, the British Virgin Islands and Antigua. ... received little formal assess-

Matching and Market Design: Introduction, Bipartite Matching

SOLOMON ISLANDS - The World Bank · Task Team Leader: Jeremy Strudwick ... Types of Semi-formal and Non-formal Skills Training Providers ... Solomon Islands Workshop on NSTP Study