KernelF is a functional language built on top of MPS. It is designed to be highly extensible and embeddable in order to support its use at the core of domain-specific languages, realising an approach we sometimes call Funclerative Programming. 'Funclerative' is of course a mash-up of 'functional' and 'declarative' and refers to the idea of using functional programming in the small, and declarative language constructs for the larger-scale, often domain-specific, structures in a program. We have used KernelF in a wide range of languages including health and medicine, insurance contract definition, security analysis, salary calculations, smart contracts and language-definition. In this keynote, I illustrate the evolution of KernelF over the last two years. I discuss requirements on the language, and how those drove design decisions. I showcase a couple of the DSLs we built on top of KernelF to explain how MPS was used to enable the necessary language modularity. I demonstrate how we have integrated the Z3 solver to verify some aspects of programs. I present the architecture we have used to use KernelF-based DSLs in safety-critical environments. I close the keynote with an outlook on how KernelF might evolve in the future, and point out a few challenges for which we don't yet have good solutions.
4. Context
Mobile Apps that help patients w/ treatments
Monitor side-effects and recommend actions
Manage dosage of medications
5. Context
Mobile Apps that help patients w/ treatments
Monitor side-effects and recommend actions
Manage dosage of medications
“Algorithms“ for recommendations and dosage at
the core of these apps.
Safety-critical, since they could hurt patients.
Customer develops many different
apps/algos like this, efficiency of
algo development is key.
12. Company Context
Largest German provider for payroll services.
Avoid re-engineering Fachlichkeit whenever technology changes.
A DSL to capture and test Fachlichkeit.
Execution: Interpreter in the IDE + Code Generator to Java
19. Context
For smart contracts to be useful, the people who understand the
„contract logic“ have to be able to verify its correctness.
High-Level Description
Simulation / Testing
Verification
Core patterns at the core of many SCs:
Decisions, Agreements, Auctions.
27. DSL Development
New Language
GPL Extension
Existing
Domain Notation
(Informal)
Formalization
Formalized
Language
Reuse GPL incl. Expressions and TS
Add/Embed DS-extensions
Compatible notational style
Reduce to GPL
Analyze Domain to find Abstractions
Define suitable, new notations
Rely on existing behavioral paradigm
Reuse standard expression language
Interpret/Generate to one or more GPLs
Use existing notation from domain
Clean up and formalize
Generate/Interpret
Often import existing „models“
28. DSL Development
New Language
Analyze Domain to find Abstractions
Define suitable, new notations
Rely on existing behavioral paradigm
Reuse standard expression language
Interpret/Generate to one or more GPLs
KernelF
30. Functional Features
Functional, no state at its core.
Purity + Effect Tracking
The usual types, literals and op‘s
Various Conditionals
Functions and Blocks
Error Handling
Immutable Collections and higher-order functions
Enums, tuples, records, all immutable
Constraints on types and functions
31. Functional Stuff only: is this useful?
A purely functional language only
heats up the processor. -- Anonymous
32. Functional Features
Functional, no state at its core.
Purity + Effect Tracking
The usual types, literals and op‘s
Various Conditionals
Functions and Blocks
Error Handling
Immutable Collections and higher-order functions
Enums, tuples, records, all immutable
Constraints on types and functions
Boxes (like Clojure‘s ref)
Transactional Memory
State Machines
Interactors
Stateful Features
46. Design Drivers
Simplicity & Readability
Extensibility
Embeddability
Robustness
IDE Support
Accessible to Non-Programmers
Add new domain-specific language concepts if needed
Refer to domain-specific context, remove/replace stuff that is not needed
Make writing correct code as simple as possible
A language without an IDE is irrelevant; Exploit MPS
80. What good is all the abstraction if we cannot
trust the translation to the implementation?
System Architecture
What good is all the abstraction if we cannot
trust the translation to the implementation?
81. What good is all the abstraction if we cannot
trust the translation to the implementation?
System Architecture & Safety Standards
Tools may introduce additional systematic errors if faulty.
Safety standards require reliable mitigation of such errors.
DO-178C EN50129 IEC62304 ISO26262
82. + Risk Analysis + Mitigations
Modeling Architecture
Model the Algo/System with the DSL and also
model the tests/verification. Then translate both
and execute on the level of the implementation.
85. Mitigations – Safe Modeling Architecture
use redundant execution on two execution engines
use different developers for the two trafos
review a subset of the generated code
clearly define and QA the DSL
to use fuzzing on the tests
ensure high coverage for the tests
run the tests on the final device
perform static analysis on the generated code
perform penetration testing on the final system
and use architectural safety mechanisms.
only these specific to DSL use
90. Modular Languages are useful and
feasible based on modern LWB.
Modeling == Programming
Model Trafo == Compiler Construction
The PL and MD communities
should align more closely!
DSLs & Model Trafo is not at odds
with safety-critical systems.
1
2
3
4