The Design, Evolution and Use of KernelF

DESIGN, EVOLUTION AND USE
Markus Völter
voelter@acm.org
www.voelter.de
@markusvoelter
of
KernelF

http://voelter.de/data
/pub/kernelf-icmt.pdf
Check out the paper!

Context
Mobile Apps that help patients w/ treatments
Monitor side-effects and recommend actions
Manage dosage of medications

Context
Mobile Apps that help patients w/ treatments
Monitor side-effects and recommend actions
Manage dosage of medications
“Algorithms“ for recommendations and dosage at
the core of these apps.
Safety-critical, since they could hurt patients.
Customer develops many different
apps/algos like this, efficiency of
algo development is key.

What good is all the abstraction if we cannot
trust the translation to the implementation?
Execution Architecture

Company Context
Largest German provider for payroll services.
Avoid re-engineering Fachlichkeit whenever technology changes.
A DSL to capture and test Fachlichkeit.
Execution: Interpreter in the IDE + Code Generator to Java

DSL Features – Dates and Currencies

DSL Features – Temporal Data

DSL Features – Data & Calculations

DSL Features – Polymorphic Overriding

Context
For smart contracts to be useful, the people who understand the
„contract logic“ have to be able to verify its correctness.
High-Level Description
Simulation / Testing
Verification
Core patterns at the core of many SCs:
Decisions, Agreements, Auctions.

Combination with State Machines

Combintation with State Machines II

Preventing Game Theoretical Attacks

DESIGN, EVOLUITION AND USE
So, what do all of
these languages
have in common?

DSL Development
New Language
GPL Extension
Existing
Domain Notation
(Informal)
Formalization
Formalized
Language
Reuse GPL incl. Expressions and TS
Add/Embed DS-extensions
Compatible notational style
Reduce to GPL
Analyze Domain to find Abstractions
Define suitable, new notations
Rely on existing behavioral paradigm
Reuse standard expression language
Interpret/Generate to one or more GPLs
Use existing notation from domain
Clean up and formalize
Generate/Interpret
Often import existing „models“

DSL Development
New Language
Analyze Domain to find Abstractions
Define suitable, new notations
Rely on existing behavioral paradigm
Reuse standard expression language
Interpret/Generate to one or more GPLs
KernelF

Functional Features
Functional, no state at its core.
Purity + Effect Tracking
The usual types, literals and op‘s
Various Conditionals
Functions and Blocks
Error Handling
Immutable Collections and higher-order functions
Enums, tuples, records, all immutable
Constraints on types and functions

Functional Stuff only: is this useful?
A purely functional language only
heats up the processor. -- Anonymous

Functional Features
Functional, no state at its core.
Purity + Effect Tracking
The usual types, literals and op‘s
Various Conditionals
Functions and Blocks
Error Handling
Immutable Collections and higher-order functions
Enums, tuples, records, all immutable
Constraints on types and functions
Boxes (like Clojure‘s ref)
Transactional Memory
State Machines
Interactors
Stateful Features

All languages shown in this talk
are built with the open source
JetBrains MPS language workbench.

+ Refactorings, Find Usages, Syntax Coloring, Debugging, ...

5
Design Decisions
and Evolution

Design Drivers
Simplicity & Readability
Extensibility
Embeddability
Robustness
IDE Support
Accessible to Non-Programmers
Add new domain-specific language concepts if needed
Refer to domain-specific context, remove/replace stuff that is not needed
Make writing correct code as simple as possible
A language without an IDE is irrelevant; Exploit MPS

What we have.

Keyword-Rich
Many first-class abstractions
instead of the functional
minimalism; better tool support.

Static Types
Essential for good error
messages and code completion
for end users.

Type Inference
Only the really necessary
types have to be written down
explicitly.

Numeric Types
Few domains actually want
int and real

Option Types
... to explicitly deal with
null values

What we have not.

No Generics
... for user-defined types,
only built-in for collections.

No Algebraic Types
Construction of sophisticated
abstractions not necessary in
DSLs; developed as langusage
extensions.

No Exceptions
Hard to implement efficiently
on some platforms; but attempt
types are an ok replacement.

No Function Comp & Monads
Definition of sophisticated
reusable functional abstractions
not needed for DSL users.

No Reflection or Meta-Prog.
All the „magic“ happens outside
programs using the LWB.

Enabling Extension
and Embedding.

Abstract Concepts
Expression
Type
IToplevelContent
IDotTarget

Concept Removals
MPS Constraints can be used
to effectively reduce the language.

Exchangeable Primitives
PTF.create<Type>()
Plus an extension infrastructure
to contribute types.

Structure vs. Types
Types, such as ListType or
IRecordType can be used for
custom language concepts.

Syntax Overriding
New syntax can be defined
for existing language concepts.

Evolution.

number type
We started with int and real,
and quickly noticed that domain
experts don‘t want this.

Transparent Options?
val v : opt<T> = some(t)
val v : opt<T> = t
convenience Java generator

Records
Didn‘t we say that structures are
domain specific?
Yes, but useful for prototyping.

ADTs + Patterns
I did build an ADT language,
but it‘s an extension.
Problem with option and attempt.

State
Isn‘t KernelF functional?
Yes, but foundations for stateful
extensions are very helpful.

So, is this modeling
or programming?
ICMT

Programming vs. MD: What it can be

It becomes hard to
separate (modern)
model-driven from
programming.

Wait, so you‘re at ICMT, you
should at least talk a little
bit about Transformation!
ICMT

System Architecture

System Architecture & Safety Standards
Tools may introduce additional systematic errors if faulty.
Safety standards require reliable mitigation of such errors.
DO-178C EN50129 IEC62304 ISO26262

+ Risk Analysis + Mitigations
Modeling Architecture
Model the Algo/System with the DSL and also
model the tests/verification. Then translate both
and execute on the level of the implementation.

Mitigations – Safe Modeling Architecture

Mitigations – Safe Modeling Architecture
use redundant execution on two execution engines
use different developers for the two trafos
review a subset of the generated code
clearly define and QA the DSL
to use fuzzing on the tests
ensure high coverage for the tests
run the tests on the final device
perform static analysis on the generated code
perform penetration testing on the final system
and use architectural safety mechanisms.
only these specific to DSL use

http://voelter.de/data/pub/MPS-in-Safety-1.0.pdf
Successfully
passed FDA
Pre-Submission

Incremental Graph Transformation
Model
Derived
Model
Incremental
Analyser
Interpreter
Generator
Incremental, Fast
Acceptable Memory Overhead
In MPS (client) and on the server (future)
Convenient DSL for specifying the transformations

Modular Languages are useful and
feasible based on modern LWB.
Modeling == Programming
Model Trafo == Compiler Construction
The PL and MD communities
should align more closely!
DSLs & Model Trafo is not at odds
with safety-critical systems.
1
2
3
4

The Design, Evolution and Use of KernelF

More Related Content

What's hot (20)

Similar to The Design, Evolution and Use of KernelF (20)

More from Markus Voelter (16)

Recently uploaded (20)

The Design, Evolution and Use of KernelF