The Whiley Programming Language

David J. PearceSchool of Engineering and Computer

Science,Victoria University of Wellington,

New Zealand

Motivation

• Ariane 5 (destroyed shortly after take off)

• Mars Global Surveyor (batteries overheated)

• F22-Raptor (“problem” crossing meridian line)

• USS Yorktown (dead in water)• Therac-25 (lethal doses of X-Rays)• …

State of Play

class Date { private int day; private int month; private int year;

public Date(int day, int month, int year){ this.day = day; this.month = month; this.year = year; }

…}

Java Modelling Language (JML)class Date {

// 30 days hath Sept, Apr, Jun and Nov // all the rest have 31, … // except February, which has 28 …

//@ invariant ((month!=9 && month!=4 && month!=6 //@ && month!=11) || day <= 30) && //@ 1 <= day <= 31 && 1 <= months <= 12 && //@ (month!=2 || day <= 28); private int day, month, year;

…}

Verifying OO Programs: The Challengeclass TableRow<T> { private List<T> rows;

…

void set(List<T> rs) { rows = rs; }

void copy(List<T> to) { for(int i=0;i!=rows.size();++i) { to.add(rows.get(i)); } }}

Verifying OO Programs: The Challenge

• Does this make sense ?

class Date { …

//@ ensures \result.compareTo(this) > 0; public Date nextDay() { … }

public int compareTo(Date d) { … }}

Introducting Whiley !!!

• Hybrid OO – Functional Language• Compiles to JVM• Performs Compile-Time Checking of

Constraints

Functional Core

• Functional functions• No aliasing or side-effects• Pass-by-value records, lists + sets• Constraints checked at compile time

define int where $ >= 0 as nat

int f(nat a, nat b) ensures $ > 0: if a == b: return 1 else: return a + b

Quick Demo

Numbers

• OOP: Modular Arithimetic + Floating Point

• Whiley: unbounded ints + rationals

define int where $ >= 0 && $ < 256 as byte

real f(byte x): if x > 0: return 18372.382349823409823409234 return x + 1

Implicit Subtyping

• OOP: subtyping explicit via inheritance• Whiley: Subtyping is implicit, not explicit

define int where $ >= 0 as natdefine int where $ > 0 as pint

pint f(nat a) : return a + 1

int g(nat x): return x – 1

nat y = …int z = g(y)

Lists + Quantifiers

• OOP: sets/lists are objects• JML: quantifies may not be computable• Whiley: Support for first-class lists/sets• Whiley: Support for computable quantifiers

define [int] where no {x in $ | x<0} as nats

int sum(nats ns, int i) requires 0<=i && i<|ns|, ensures $ >= 0: return ns[i]

Imperative Outer Layer

• OOP: objects may be concurrently modified• OOP: methods have re-entrant semantics• Whiley: process methods execute atomically• Whiley: methods are not re-entrant

define process (int x, int y) as PointProc

void PointProc::update(int z): this->y = z

void System::main([string] args): PointProc pp = spawn (x:1,y:2) pp->update(3) print str(*pp)

Compiler Overview

Verification SMT Solver

Parser

Type Checker

Bytecode Generator

whiley.org(under construction)