2768 \texttt{Lambda} and \texttt{Auth}. |
2768 \texttt{Lambda} and \texttt{Auth}. |
2769 |
2769 |
2770 \index{*coinductive|)} \index{*inductive|)} |
2770 \index{*coinductive|)} \index{*inductive|)} |
2771 |
2771 |
2772 |
2772 |
2773 \section{Executable specifications} |
|
2774 \index{code generator} |
|
2775 |
|
2776 For validation purposes, it is often useful to {\em execute} specifications. |
|
2777 In principle, specifications could be ``executed'' using Isabelle's |
|
2778 inference kernel, i.e. by a combination of resolution and simplification. |
|
2779 Unfortunately, this approach is rather inefficient. A more efficient way |
|
2780 of executing specifications is to translate them into a functional |
|
2781 programming language such as ML. Isabelle's built-in code generator |
|
2782 supports this. |
|
2783 |
|
2784 \railalias{verblbrace}{\texttt{\ttlbrace*}} |
|
2785 \railalias{verbrbrace}{\texttt{*\ttrbrace}} |
|
2786 \railterm{verblbrace} |
|
2787 \railterm{verbrbrace} |
|
2788 |
|
2789 \begin{figure} |
|
2790 \begin{rail} |
|
2791 codegen : ( 'code_module' | 'code_library' ) modespec ? name ? \\ |
|
2792 ( 'file' name ) ? ( 'imports' ( name + ) ) ? \\ |
|
2793 'contains' ( ( name '=' term ) + | term + ); |
|
2794 |
|
2795 modespec : '(' ( name * ) ')'; |
|
2796 \end{rail} |
|
2797 \caption{Code generator invocation syntax} |
|
2798 \label{fig:HOL:codegen-invocation} |
|
2799 \end{figure} |
|
2800 |
|
2801 \begin{figure} |
|
2802 \begin{rail} |
|
2803 constscode : 'consts_code' (codespec +); |
|
2804 |
|
2805 codespec : const template attachment ?; |
|
2806 |
|
2807 typescode : 'types_code' (tycodespec +); |
|
2808 |
|
2809 tycodespec : name template attachment ?; |
|
2810 |
|
2811 const : term; |
|
2812 |
|
2813 template: '(' string ')'; |
|
2814 |
|
2815 attachment: 'attach' modespec ? verblbrace text verbrbrace; |
|
2816 \end{rail} |
|
2817 \caption{Code generator configuration syntax} |
|
2818 \label{fig:HOL:codegen-configuration} |
|
2819 \end{figure} |
|
2820 |
|
2821 \subsection{Invoking the code generator} |
|
2822 |
|
2823 The code generator is invoked via the \ttindex{code_module} and |
|
2824 \ttindex{code_library} commands (see Fig.~\ref{fig:HOL:codegen-invocation}), |
|
2825 which correspond to {\em incremental} and {\em modular} code generation, |
|
2826 respectively. |
|
2827 \begin{description} |
|
2828 \item[Modular] For each theory, an ML structure is generated, containing the |
|
2829 code generated from the constants defined in this theory. |
|
2830 \item[Incremental] All the generated code is emitted into the same structure. |
|
2831 This structure may import code from previously generated structures, which |
|
2832 can be specified via \texttt{imports}. |
|
2833 Moreover, the generated structure may also be referred to in later invocations |
|
2834 of the code generator. |
|
2835 \end{description} |
|
2836 After the \texttt{code_module} and \texttt{code_library} keywords, the user |
|
2837 may specify an optional list of ``modes'' in parentheses. These can be used |
|
2838 to instruct the code generator to emit additional code for special purposes, |
|
2839 e.g.\ functions for converting elements of generated datatypes to Isabelle terms, |
|
2840 or test data generators. The list of modes is followed by a module name. |
|
2841 The module name is optional for modular code generation, but must be specified |
|
2842 for incremental code generation. |
|
2843 The code can either be written to a file, |
|
2844 in which case a file name has to be specified after the \texttt{file} keyword, or be |
|
2845 loaded directly into Isabelle's ML environment. In the latter case, |
|
2846 the \texttt{ML} theory command can be used to inspect the results |
|
2847 interactively. |
|
2848 The terms from which to generate code can be specified after the |
|
2849 \texttt{contains} keyword, either as a list of bindings, or just as |
|
2850 a list of terms. In the latter case, the code generator just produces |
|
2851 code for all constants and types occuring in the term, but does not |
|
2852 bind the compiled terms to ML identifiers. |
|
2853 For example, |
|
2854 \begin{ttbox} |
|
2855 code_module Test |
|
2856 contains |
|
2857 test = "foldl op + (0::int) [1,2,3,4,5]" |
|
2858 \end{ttbox} |
|
2859 binds the result of compiling the term |
|
2860 \texttt{foldl op + (0::int) [1,2,3,4,5]} |
|
2861 (i.e.~\texttt{15}) to the ML identifier \texttt{Test.test}. |
|
2862 |
|
2863 \subsection{Configuring the code generator} |
|
2864 |
|
2865 When generating code for a complex term, the code generator recursively |
|
2866 calls itself for all subterms. |
|
2867 When it arrives at a constant, the default strategy of the code |
|
2868 generator is to look up its definition and try to generate code for it. |
|
2869 Constants which have no definitions that |
|
2870 are immediately executable, may be associated with a piece of ML |
|
2871 code manually using the \ttindex{consts_code} command |
|
2872 (see Fig.~\ref{fig:HOL:codegen-configuration}). |
|
2873 It takes a list whose elements consist of a constant (given in usual term syntax |
|
2874 -- an explicit type constraint accounts for overloading), and a |
|
2875 mixfix template describing the ML code. The latter is very much the |
|
2876 same as the mixfix templates used when declaring new constants. |
|
2877 The most notable difference is that terms may be included in the ML |
|
2878 template using antiquotation brackets \verb|{*|~$\ldots$~\verb|*}|. |
|
2879 A similar mechanism is available for |
|
2880 types: \ttindex{types_code} associates type constructors with |
|
2881 specific ML code. For example, the declaration |
|
2882 \begin{ttbox} |
|
2883 types_code |
|
2884 "*" ("(_ */ _)") |
|
2885 |
|
2886 consts_code |
|
2887 "Pair" ("(_,/ _)") |
|
2888 \end{ttbox} |
|
2889 in theory \texttt{Product_Type} describes how the product type of Isabelle/HOL |
|
2890 should be compiled to ML. Sometimes, the code associated with a |
|
2891 constant or type may need to refer to auxiliary functions, which |
|
2892 have to be emitted when the constant is used. Code for such auxiliary |
|
2893 functions can be declared using \texttt{attach}. For example, the |
|
2894 \texttt{wfrec} function from theory \texttt{Wellfounded_Recursion} |
|
2895 is implemented as follows: |
|
2896 \begin{ttbox} |
|
2897 consts_code |
|
2898 "wfrec" ("\bs<module>wfrec?") |
|
2899 attach \{* |
|
2900 fun wfrec f x = f (wfrec f) x; |
|
2901 *\} |
|
2902 \end{ttbox} |
|
2903 If the code containing a call to \texttt{wfrec} resides in an ML structure |
|
2904 different from the one containing the function definition attached to |
|
2905 \texttt{wfrec}, the name of the ML structure (followed by a ``\texttt{.}'') |
|
2906 is inserted in place of ``\texttt{\bs<module>}'' in the above template. |
|
2907 The ``\texttt{?}'' means that the code generator should ignore the first |
|
2908 argument of \texttt{wfrec}, i.e.\ the termination relation, which is |
|
2909 usually not executable. |
|
2910 |
|
2911 Another possibility of configuring the code generator is to register |
|
2912 theorems to be used for code generation. Theorems can be registered |
|
2913 via the \ttindex{code} attribute. It takes an optional name as |
|
2914 an argument, which indicates the format of the theorem. Currently |
|
2915 supported formats are equations (this is the default when no name |
|
2916 is specified) and horn clauses (this is indicated by the name |
|
2917 \texttt{ind}). The left-hand sides of equations may only contain |
|
2918 constructors and distinct variables, whereas horn clauses must have |
|
2919 the same format as introduction rules of inductive definitions. |
|
2920 For example, the declaration |
|
2921 \begin{ttbox} |
|
2922 lemma Suc_less_eq [iff, code]: "(Suc m < Suc n) = (m < n)" \(\langle\ldots\rangle\) |
|
2923 lemma [code]: "((n::nat) < 0) = False" by simp |
|
2924 lemma [code]: "(0 < Suc n) = True" by simp |
|
2925 \end{ttbox} |
|
2926 in theory \texttt{Nat} specifies three equations from which to generate |
|
2927 code for \texttt{<} on natural numbers. |
|
2928 |
|
2929 \subsection{Specific HOL code generators} |
|
2930 |
|
2931 The basic code generator framework offered by Isabelle/Pure has |
|
2932 already been extended with additional code generators for specific |
|
2933 HOL constructs. These include datatypes, recursive functions and |
|
2934 inductive relations. The code generator for inductive relations |
|
2935 can handle expressions of the form $(t@1,\ldots,t@n) \in r$, where |
|
2936 $r$ is an inductively defined relation. If at least one of the |
|
2937 $t@i$ is a dummy pattern ``$_$'', the above expression evaluates to a |
|
2938 sequence of possible answers. If all of the $t@i$ are proper |
|
2939 terms, the expression evaluates to a boolean value. |
|
2940 \begin{small} |
|
2941 \begin{alltt} |
|
2942 theory Test = Lambda: |
|
2943 |
|
2944 code_module Test |
|
2945 contains |
|
2946 test1 = "Abs (Var 0) \(\circ\) Var 0 -> Var 0" |
|
2947 test2 = "Abs (Abs (Var 0 \(\circ\) Var 0) \(\circ\) (Abs (Var 0) \(\circ\) Var 0)) -> _" |
|
2948 \end{alltt} |
|
2949 \end{small} |
|
2950 In the above example, \texttt{Test.test1} evaluates to the boolean |
|
2951 value \texttt{true}, whereas \texttt{Test.test2} is a sequence whose |
|
2952 elements can be inspected using \texttt{Seq.pull} or similar functions. |
|
2953 \begin{ttbox} |
|
2954 ML \{* Seq.pull Test.test2 *\} -- \{* This is the first answer *\} |
|
2955 ML \{* Seq.pull (snd (the it)) *\} -- \{* This is the second answer *\} |
|
2956 \end{ttbox} |
|
2957 The theory |
|
2958 underlying the HOL code generator is described more detailed in |
|
2959 \cite{Berghofer-Nipkow:2002}. More examples that illustrate the usage |
|
2960 of the code generator can be found e.g.~in theories |
|
2961 \texttt{MicroJava/J/JListExample} and \texttt{MicroJava/JVM/JVMListExample}. |
|
2962 |
|
2963 \section{The examples directories} |
2773 \section{The examples directories} |
2964 |
2774 |
2965 Directory \texttt{HOL/Auth} contains theories for proving the correctness of |
2775 Directory \texttt{HOL/Auth} contains theories for proving the correctness of |
2966 cryptographic protocols~\cite{paulson-jcs}. The approach is based upon |
2776 cryptographic protocols~\cite{paulson-jcs}. The approach is based upon |
2967 operational semantics rather than the more usual belief logics. On the same |
2777 operational semantics rather than the more usual belief logics. On the same |