3007 \texttt{Lambda} and \texttt{Auth}. |
3007 \texttt{Lambda} and \texttt{Auth}. |
3008 |
3008 |
3009 \index{*coinductive|)} \index{*inductive|)} |
3009 \index{*coinductive|)} \index{*inductive|)} |
3010 |
3010 |
3011 |
3011 |
|
3012 \section{Executable specifications} |
|
3013 \index{code generator} |
|
3014 |
|
3015 For validation purposes, it is often useful to {\em execute} specifications. |
|
3016 In principle, specifications could be ``executed'' using Isabelle's |
|
3017 inference kernel, i.e. by a combination of resolution and simplification. |
|
3018 Unfortunately, this approach is rather inefficient. A more efficient way |
|
3019 of executing specifications is to translate them into a functional |
|
3020 programming language such as ML. Isabelle's built-in code generator |
|
3021 supports this. |
|
3022 |
|
3023 \begin{figure} |
|
3024 \begin{rail} |
|
3025 codegen : 'generate_code' ( () | '(' string ')') (code +); |
|
3026 |
|
3027 code : name '=' string; |
|
3028 |
|
3029 constscode : 'consts_code' (codespec +); |
|
3030 |
|
3031 codespec : name ( () | '::' type) '(' mixfix ')'; |
|
3032 |
|
3033 typescode : 'types_code' (tycodespec +); |
|
3034 |
|
3035 tycodespec : name '(' mixfix ')'; |
|
3036 \end{rail} |
|
3037 \caption{Code generator syntax} |
|
3038 \label{fig:HOL:codegen} |
|
3039 \end{figure} |
|
3040 |
|
3041 \subsection{Invoking the code generator} |
|
3042 |
|
3043 The code generator is invoked via the \ttindex{generate_code} command |
|
3044 (see Fig.~\ref{fig:HOL:codegen}). The code can either be written to a file, |
|
3045 in which case a file name has to be specified in parentheses, or be |
|
3046 loaded directly into Isabelle's ML environment. In the latter case, |
|
3047 the \texttt{ML} theory command can be used to inspect the results |
|
3048 interactively. |
|
3049 The \texttt{generate_code} command takes a list of pairs, consisting |
|
3050 of an ML identifier and a string representing a term. The result of |
|
3051 compiling the term is bound to the corresponding ML identifier. |
|
3052 For example, |
|
3053 \begin{ttbox} |
|
3054 generate_code |
|
3055 test = "foldl op + (0::int) [1,2,3,4,5]" |
|
3056 \end{ttbox} |
|
3057 binds the result of compiling the term |
|
3058 \texttt{foldl op + (0::int) [1,2,3,4,5]} |
|
3059 (i.e.~\texttt{15}) to the ML identifier \texttt{test}. |
|
3060 |
|
3061 \subsection{Configuring the code generator} |
|
3062 |
|
3063 When generating code for a complex term, the code generator recursively |
|
3064 calls itself for all subterms. |
|
3065 When it arrives at a constant, the default strategy of the code |
|
3066 generator is to look up its definition and try to generate code for it. |
|
3067 Some primitive constants of a logic, which have no definitions that |
|
3068 are immediately executable, may be associated with a piece of ML |
|
3069 code manually using the \ttindex{consts_code} command |
|
3070 (see Fig.~\ref{fig:HOL:codegen}). |
|
3071 It takes a list whose elements consist of a constant name, together |
|
3072 with an optional type constraint (to account for overloading), and a |
|
3073 mixfix template describing the ML code. The latter is very much the |
|
3074 same as the mixfix templates used when declaring new constants. |
|
3075 The most notable difference is that terms may be included in the ML |
|
3076 template using antiquotation brackets \verb|{*|~$\ldots$~\verb|*}|. |
|
3077 A similar mechanism is available for |
|
3078 types: \ttindex{types_code} associates type constructors with |
|
3079 specific ML code. |
|
3080 |
|
3081 Another possibility of configuring the code generator is to register |
|
3082 theorems to be used for code generation. Theorems can be registered |
|
3083 via the \ttindex{code} attribute. It takes an optional name as |
|
3084 an argument, which indicates the format of the theorem. Currently |
|
3085 supported formats are equations (this is the default when no name |
|
3086 is specified) and horn clauses (this is indicated by the name |
|
3087 \texttt{ind}). The left-hand sides of equations may only contain |
|
3088 constructors and distinct variables, whereas horn clauses must have |
|
3089 the same format as introduction rules of inductive definitions. |
|
3090 |
|
3091 \subsection{Specific HOL code generators} |
|
3092 |
|
3093 The basic code generator framework offered by Isabelle/Pure has |
|
3094 already been extended with additional code generators for specific |
|
3095 HOL constructs. These include datatypes, recursive functions and |
|
3096 inductive relations. The code generator for inductive relations |
|
3097 can handle expressions of the form $(t@1,\ldots,t@n) \in r$, where |
|
3098 $r$ is an inductively defined relation. In case at least one of the |
|
3099 $t@i$ is a dummy pattern $_$, the above expression evaluates to a |
|
3100 sequence of possible answers. If all of the $t@i$ are proper |
|
3101 terms, the expression evaluates to a boolean value. The theory |
|
3102 underlying the HOL code generator is described more detailed in |
|
3103 \cite{Berghofer-Nipkow:2002}. |
|
3104 |
|
3105 |
3012 \section{The examples directories} |
3106 \section{The examples directories} |
3013 |
3107 |
3014 Directory \texttt{HOL/Auth} contains theories for proving the correctness of |
3108 Directory \texttt{HOL/Auth} contains theories for proving the correctness of |
3015 cryptographic protocols~\cite{paulson-jcs}. The approach is based upon |
3109 cryptographic protocols~\cite{paulson-jcs}. The approach is based upon |
3016 operational semantics rather than the more usual belief logics. On the same |
3110 operational semantics rather than the more usual belief logics. On the same |