Operational Semantics. The introduction of the import construct leads to an under-specification of the program: only the names and the types of the imported classes are given but not the code. The consequence is that the semantics definition of a component now consists of two parts. The first part, called internal semantics, deals with internal computations only, i.e., computations which are completely independent of the imported classes but solely determined by the program’s code. This part is given in form of a transition semantics which is almost identical to the one already given in Table 2.7. We only add a premise in rule Call and in rule New which ensures that the called method or constructor, respectively, indeed belongs to a class of the given program code. As for rule New, this additional check is very simple, since the class name itself is part of the new statement. As for the method call, we have to find out, if the callee object, named o, is an instance of a program class. We will see later, however, that the heap function stores information about objects of program classes, only. Therefore, the check can be easily realized by adding the premise o ∈ dom(h).3
Operational Semantics. The operational semantics of a contract is given by the minimal labeled transition system, with labels taken from the set Labels, satisfying the following axiom and rules (a, b, r e Names) α Gl –→ Gjl l e I r g Names( xx.Xx) ieI XGi α Gj invoke(a, X b .C ) (r) X(r(b ).C ) | a(r) ieI –→ l i ieI i –→ i i ieI , receive(a).C a(r) C{r/a} reply(r,b).C τ C | r(b) , –→ 0 –→ r(b) –→ r(b) P a(b) Pj Q a(b) Qj r(b) –→ 0 r(b).C –→ C –→ –→ τ P|Q –→ Pj|Qj P P → α –α Pj α ≠ (r) (r) –→ Pj r g Names(Q) C{recX.C/X } –→ Cj –→ –→ P|Q α Pj|Q P|Q α Pj|Q recX.C α Cj { } { } plus the symmetric version of the three rules for parallel composition. With C r/a we denote the term obtained from C by replacing with r every occurrence of a not inside a receive(a).D, while C recX.C/X denotes the usual substitution of free contract xxxx- xxxxx with the corresponding definition. –→ In the following, we use C α to say that there is some Cj such that C α Cj. Moreover, we use C –→ Cj to de–n→ote reductions, i.e. transitions that C can perfo–rm→also when it is in isolation. Namely, C –→ Cj if C τ Cj or C (r) Cj for some r. We now formalize the notion of client-–s→ervice com–p→liance resorting to must- | testing [13]. Intuitively, a client C is compliant with a service contract S if all the computations of the system C S lead to the client’s success. Other notions of com- pliance have been put forward in the literature [6,7,8]; we have chosen this one because of its technical and conceptual simplicity (see e.g. [10]). –→ –→ · · · –→ –→ · · ·
Operational Semantics. In general the operational semantics of the specification language is very similar to the operational semantics of the original programming language. In particular, the internal steps remain the same. Regarding the inference rules of the external steps, the crucial point is that we have to narrow down the communication steps such that the resulting trace semantics of the specification consists only of the specified traces (and their prefixes). This is implemented, on the one hand, by additional premises and, on the other hand, by allowing incoming communication only if a corresponding communication term is on top of the call stack. The different handling of interface communication as well as the absence of internal method and constructor calls also leads to a somewhat different, i.e., simpler, form of the call stack of a specification. For, the execution of a program never adds or removes an activation record but each inference rule only modifies the topmost activation record. Although this means that the call stack does not consist of several blocked and possibly one active activation record, we still dis- tinguish activation records which only allow incoming communication as the next interface communication from activation records which only allow outgoing com- munication as the next interface communication. Thus, for the activation records of the specification language we define AR ::= ARa | ARp ARa ::= (µ, mcact) ARp ::= (µ, mcpsv) mcact ::= sact | sact ; !return(e); xxxxx mcpsv ::= spsv | spsv ; x =?return(T x).where(e); mcact The rules of the operational semantics are given in Table 3.3. The rules XxxxX and NewO deal with outgoing method and, respectively, constructor call statements. Just as the corresponding rules of the programming language, the expressions within the actual call term are evaluated and the transi- tion is labeled with an outgoing call label. However, in the resulting configuration, the call stack is not blocked by a receive statement but instead only the actual call term of the statement is removed leaving the body of the call statement on top of the call stack. For, the body of the call statement comprises the desired tester/environment interactions that should occur until the call’s incoming return occurs. The variable structure is extended by a variable function for the local variables of the call statement. Note that, although XxxxX and NewO resemble the corresponding rules of the programming language we do not add an activa...
Operational Semantics. We can now define an operational semantics for our contract calculus. The rules of the operational xxxxx- tics appear in Figure 1. The semantics take one of three forms: (i) ϕ −Ñ ϕ1 to denote that contract ϕ a,k can evolve (in one s−tep) to ϕ1 when action a is per- formed, which involves party k (and possibly other parties); or (ii) ϕ pa,kÑq ϕ1 indicating that the contract units: OppPBPqr5s. In this case, equivalence rule 13 ~~~ can be applied after 5 time units: OppPBPqr5s ϕ can evolve to ϕ−1−w−−hen the action a is not offered by ~~~ any party other than k; or (iii) ϕ d ϕ1 to represent OppPBPqr0s ãÑ K. that contract ϕ can evolve to contract ϕ1 when d time \[ p q p q In order to justify the simplification of contract formulae by applying these rules repeatedly, we will need to prove that the rewriting process is terminat- ing and confluent. To prove confluence of ã , we will first prove local confluence, from which conflu- ence follows using a standard result from computer science. Ñ P Ø Proposition 2. The ã C C relation is: (i) ter- minating: there is no infinite sequence ϕ1, ϕ2 . . . , units pass. We will use variable α to stand for a label of either form: a, k or a, k . The rules of the op- erational semantics are always applied to irreducible terms. The core of any contract reasoning formalism is the rules defining the semantics of the deontic modal- ities.
Operational Semantics. ≡ | The structural equivalence relation is defined as the least equivalence over processes closed with respect to α-conversion and satisfying the rules in Figure 2(b). Note that the notion of free names fn(P) of a process P is extended to handle constraints by stating that the set of free names of a constraint c is the support supp(c) of c. The structural axioms can be applied for reducing every process P into a normal form (x˜) (C U ), where C is a parallel composition of constraints and U can only contain restrictions under prefixes, i.e. U /≡ (y)Ur. Well-formedness. Let Ch˜ N be a set of channel names that can only be fused among each other and let chn(P) b⊆e the set of channel names occurring free in P. A process P is ≡ well-formed if there exists a process Q P such that every occurrence of transaction in \ ⊆ { } Q has the form (x˜)[Pr : Qr].U , where (fn(Pr, Qr) chn(Pr, Qr)) x1, . . . , xn . For exam- ≡ | ⟨ ⟩ ≡ ple, P (x)(tell (x = z) (w)[y w .0 : Q].U ) is well-formed, but R (x)(tell (x = | ⟨ ⟩
Operational Semantics. We can now define an operational semantics for our contract calculus. The rules of the opera- tional semantics appear in Figure 1. The xxxxx- b PBP or l p); (iv) similarly if other par- O p qr s ‰ ‰ p −−−− O p qr s Ñ ties or actions are not allowed, the obligation re- mains unchanged by rule O4: PBP 5 pb,lq p PBP 5 (where b PBP or l p ); and finally
Operational Semantics. → ⟨ ⟩ J&s is modeled with a small-step operational semantics. A config- uration consists of an expression e, a stack σ, a heap H, and a refer- ence set R, and evaluation takes the form e, σ, H, R er, σr, Hr, Rr. The stack σ maps variables x to values v. The heap H is a func- tion mapping tuples l, P, f of memory locations, fully qualified class names, and field names to values v. The class P is included in the domain to distinguish copies of duplicate fields, which have the same name. The reference set R collects all the references r that have been generated during evaluation, and is only used by the soundness proof. Most evaluation rules are straightforward. The two notable ones are R-SET and R-VIEW for field assignments and view changes, respectively: σ(x) = ⟨l, P!\ f r⟩ σr = grant(σ, x. f ) Type checking is performed in a typing context Γ, which is a set of variable type bindings x : T , path equivalence constraints p1 = p2, and directional sharing constraints T1 ~ T2. Path equivalence constraints are used to assert equivalence of dependent types during evaluation, and unlike previous calculi on family inheritance, paths with different views are not included, even if they are actually aliases of the same location (see Section 2.3). Sharing constraints are declared by the current method being checked, and are used to type-check view change operations. ▶ Since assignments may remove masks, the J&s type system is flow-sensitive. Typing judgments are of the form Γ e:T, Γr, where Γr represents the updated typing environment after evaluating e. A view change expression (view T )e type-checks, if the type of the source expression e is shared with the target type T : Γ ▶ e : T r, Γr Γ ▶ T r ~ T (T-VIEW) Γ ▶ (view T )e : T, Γr ▶ ▶ — The directional sharing judgment Γ T1 ~ T2 states that a value of type T1 can be transformed to T2 through a view change. A bidirectional sharing judgment Γ T1 T2 is sugar for a pair of directional sharing judgments. — Figure 8 shows all the derivation rules for sharing judgments. In SH-DECL, auxiliary function share(P.C) returns the declared shared type for class P.C, and fnames(fields(P.C) fields(Pr)) gives all the new fields that are not contained in the shared super- class Pr, which are also m asked in the generated sharing relation- ship, in addition to fields f that are masked in the sharing declara- tion. SH-CLS states that for two types to be shared, every subclass of the source type must share a unique subclass of the target...
Operational Semantics. Afirst attempt to formalise aspects of the Modelica language was made at a time where no complete implementation was available and was performed by Kågedal and Fritzson to discover and close gaps in the early specification documents [KF98]. Kågedal and Fritzson distinguish betweenstatic semantics(which describes how the object-oriented structuring of models and their equations work) and thedynamic semantics(which de- scribes the simulation-time behaviour) of Modelica models. Like most later work on formalizing Modelica semantics the work by Kågedal and Fritzson [KF98] addresses the static semanticsand does not intend to describe the equations solving process, nor the actual simulation. The formal semantics provided in their work is expressed in a high- level specification language called Relational Meta Language (RML) [Pet95], which is based on natural semantics (an operational semantics specification style). A compiler generation system allows generating a translator from a language specification written in RML. The paper explains the basic ideas behind that approach, but it does not list the complete RML source-code that was written during that early effort. Development and usage of efficient language implementation generators has been a long- term research effort at the Programming Environments Laboratory (PELAB)2 at Lin- köping University. In [FPBA09], Xxxxx et al. report on practical experience gained with various approaches. The biggest effort was developing a complete Modelica compiler using RML as the specification language. This implementation formed the base for the OpenModelicaenvironment [ FAL+05]. A remarkable observation reported in the paper is the enormous growth of the RML code over time; we reproduce the data below (where we refer to lines of RML code, including comments). 8709 36050 80064 Nowadays the development of OpenModelica has swapped from RML toMetaModelica. MetaModelica is a language developed at PELAB that introduces language modelling features known from languages like RML into the Modelica language. One of its develop- ment motivations was to provide a language with a more gentle learning curve than RML, particularly in regard to prospective OpenModelica developers without a background in formal specification methods. MetaModelica [PF06] has evolved over the years and, more recently, a bootstrapping version has been used in the OpenModelica development [SFP14]. An ongoing project that aims to formalize a clocked discrete-time ...
Operational Semantics. The operational semantics of a contract is given by the minimal labeled transition system, with labels taken from the set Labels, satisfying the following axiom and rules (a, b, r e Names) α Gl –→ Gjl l e I r g Names( xx.Xx) ieI Gi α Gj invoke(a, b .C ) (r) (r(b ).C ) | a(r) ieI –→ l i ieI i –→
Operational Semantics. Operational semantics [59] is a way to express the meaning of a programming language: for each language construct, the effect of its execution on an abstract machine is formalized. The operational semantics of our language will be given in form of a small-step semantics. This kind of semantics is based on the idea that a program execution is considered as a sequence of indivisible steps that manifest themselves in form of changes in the program’s configuration. The small-step semantics stipulates what kind of changes may happen in a certain situation. It is often represented by a transition relation which in turn is described by an inference system where the conclusion of each inference rule determines a (parameterized) transition between two configurations. The concept of using an inference system to describe the computation step, also called structural operational semantics, goes back to Xxxxxxx [56]. Before we take a closer look at the operational semantics’ transition rules let us first discuss the constituents of a program configuration. A program configuration (h, v, CS) is a triple consisting of the current state of the heap h, the global variables v, and the call stack CS. The details about the elements of a program configuration are given in the following definition.
