What is the Meaning of These Constant Interruptions?

Graham Hutton and Joel Wright University of Nottingham

What Is An Exception?

An event within a computation that causes termination in a non-standard way Examples:  Division by zero  Null pointer 1

What Is An Interrupt?

An exception that arises from the external environement, e.g. another computation Examples:  Terminate  Any exception 2

This Talk

 Haskell is unique in providing both full support for interrupts and a semantics for this.

 But the semantics is subtle, and relies on quite considerable technical machinery.

 We give a simple, formally justified, semantics for interrupts in a small language.

3

An Exceptional Language

Syntax: data Expr = Val Int | Throw | Add Expr Expr | Seq Expr Expr | Catch Expr Expr Semantics: e  v e can evaluate to v 4

Sequencing: x  Val n y Seq x y  v  v Catch: x  Val n Catch x y  Val n x  Throw Seq x y  Throw x  Throw y  v Catch x y  v 5

Finally, An Example

Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?

= finally x y 6

Finally, An Example

Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?

finally x y = Seq x y 7

Finally, An Example

Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?

finally x y = Seq x y If x produces an exception, y is not evaluated 8

Finally, An Example

Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?

finally x y = Seq ( Catch x y ) y 9

Finally, An Example

Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?

finally x y If x produces an exception, y may be evaluated twice = Seq ( Catch x y ) y 10

Finally, An Example

Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?

finally x y = Seq (Catch x ( Seq y Throw )) y 11

Finally, An Example

Problem: how can we ensure that evaluation of x is always succeeded by evaluation of y?

= finally x y Now has the correct behaviour Seq (Catch x (Seq y Throw)) y 12

Adding Interrupts

To avoid the need for concurrency, we adopt the following worst-case rule for interrupts: x  Throw Evaluation can be interrupted at any time by replacing the current expression by throw 13

Note:  Evaluation is now non-deterministic.

 Finally no longer behaves as expected.

Seq (Catch x (Seq y Throw)) y could be interrupted as y is about to be evaluated 14

Controlling Interrupts

Syntax: data Expr = ••• | Block Expr | Unblock Expr Semantics: e  i v e can evaluate to v in interrupt status i 15

Key rules: x  B v Block x  i v x  U Throw x  U v Unblock x  i v The other rules are simply modified to propogate the current interrupt status to their arguments.

16

Finally Revisited

finally x y = Seq (Catch x (Seq y Throw)) y 17

Finally Revisited

finally x y = Block (Seq (Catch ( Unblock (Seq y Throw)) y) x) 18

Finally Revisited

finally x y = Block (Seq (Catch ( Unblock (Seq y Throw)) y) x) Modulo syntax, finally in Haskell is defined in precisely the same way 19

Is Our Semantics Correct?

 How does our high-level semantics reflect our low-level intuition about interrupts?

 To address this issue, we first define a virtual machine, its semantics, and a compiler.

 We explain the basic ideas informally using an example - the paper gives full details.

20

Example

Catch (Unblock (2+3)) 4 Code 21

Example

Catch (Unblock (2+3)) 4 Code 22

Example

Catch (Unblock (2+3)) 4 Code MARK [ ] UNMARK 23

Example

Catch (Unblock (2+3)) 4 Code MARK [ ] UNMARK 24

Example

Catch (Unblock (2+3)) 4 Code MARK [PUSH 4] UNMARK 25

Example

Catch ( Unblock (2+3)) 4 Code MARK [PUSH 4] UNMARK 26

Example

Catch ( Unblock (2+3)) 4 Code MARK [PUSH 4] SET U RESET UNMARK 27

Example

Catch (Unblock ( 2+3 )) 4 Code MARK [PUSH 4] SET U RESET UNMARK 28

Example

Catch (Unblock (2+3)) 4 Code MARK [PUSH 4] SET U PUSH 2 PUSH 3 ADD RESET UNMARK 29

Example

Catch (Unblock (2+3)) 4 Code MARK [PUSH 4] SET U PUSH 2 PUSH 3 ADD RESET UNMARK Status Stack 30

Example

Catch (Unblock (2+3)) 4 Code MARK [PUSH 4] SET U PUSH 2 PUSH 3 ADD RESET UNMARK Status B Stack 31

Example

Catch (Unblock (2+3)) 4 Code SET U PUSH 2 PUSH 3 ADD RESET UNMARK Status B Stack HAN [PUSH 4] 32

Example

Catch (Unblock (2+3)) 4 Code PUSH 2 PUSH 3 ADD RESET UNMARK Status U Stack INT B HAN [PUSH 4] 33

Example

Catch (Unblock (2+3)) 4 Code PUSH 3 ADD RESET UNMARK Status U Stack VAL 2 INT B HAN [PUSH 4] 34

Example

Catch (Unblock (2+3)) 4 Code ADD RESET UNMARK Status U Stack VAL 3 VAL 2 INT B HAN [PUSH 4] 35

Example

Catch (Unblock (2+3)) 4 Code ADD RESET UNMARK Status U interrupt!

Stack VAL 3 VAL 2 INT B HAN [PUSH 4] 36

Example

Catch (Unblock (2+3)) 4 Code THROW RESET UNMARK Status U interrupt!

Stack VAL 3 VAL 2 INT B HAN [PUSH 4] 37

Example

Catch (Unblock (2+3)) 4 Code THROW RESET UNMARK Status U Stack VAL 2 INT B HAN [PUSH 4] 38

Example

Catch (Unblock (2+3)) 4 Code THROW RESET UNMARK Status U Stack INT B HAN [PUSH 4] 39

Example

Catch (Unblock (2+3)) 4 Code THROW RESET UNMARK Status B Stack HAN [PUSH 4] 40

Example

Catch (Unblock (2+3)) 4 Code PUSH 4 Status B Stack 41

Example

Catch (Unblock (2+3)) 4 Code Status B Stack VAL 4 42

Example

Catch (Unblock (2+3)) 4 Code Status B Stack VAL 4 Final result 43

Compiler Correctness

We will exploit two basic notions of reachability for configurations of our virtual machine.

x * Y x can reach everything in Y x Y x will reach something in Y 44

Theorem

comp e c i s * { | e  i Val n } U { | e  i Throw } Proof: approximately 10 pages of calculation, much of which requires considerable care.

45

Summary

 Simple semantics for interrupts, formally justified by a compiler correctness theorem.

 Discovery of an error in the semantics for Haskell, concerning the delivery of interrupts.

 Verification of finally, a useful high-level operator for programming with exceptions/interrupts.

46

Further Work

 Mechanical verification  Bisimulation theorem  Generalising the language  Reasoning about programs  Calculating the compiler 47