THE EUCI.m LANGUAGE: A PROGRESS REPORT
Richard C. Holt
David B. W o r t m a n
J a m e s R. Cordy
Coz~tp~ter Systewts Research Group
University of Toronto
Toronto, Canada
David R. Crowe
I.P. Shar1~ Associates
145 King S t r e e t ~rest
Toronto, Canada
Euclid is a p r o g r a m m i n g l a n g u a g e for writing verifiable s y s t e m p r o g r a m s . A
c o m p i l e r for Euclid is being i m p l e m e n t e d by t h e a u t h o r s . Since its d e f i n i t i o n
[I], t h e l a n g u a g e has evolved largely in r e s p o n s e to p r o b l e m s d i s c o v e r e d in t h e
c o u r s e of i m p l e m e n t a t i o n . This p a p e r gives a s u m m a r y of l a n g u a g e c h a n g e s ,
the s t a t u s of t h e i m p l e m e n t a t i o n and some o b s e r v a t i o n s a b o u t use of Euclid as
a p r a c t i c a l p r o g r a m m i n g language.
Keyzuozgs az~d Phrases: Aliasing, d a t a e n c a p s u l a t i o n , Euclid, language, legality
a s s e r t i o n s , m a c h i n e d e p e n d e n c i e s , p a r a m e t e r i z e d types, Pascal, reliability,
storage allocation, s y s t e m s p r o g r a m m i n g , verification, visibility of n a m e s .
CR Categories: 4.12, 4.2, 4.34, 5.24
1.
As can be seen from this list of additions,
E u c h d is a m u c h larger and m o r e conlplex language
than Pascal. The largeness of Euclid c o m e s from
addition of features that the p r o g r a m m e r needs for
system p r o g r a m m i n g and that the verifier n e e d s to
prove Euclid programs correct. The complexity of
the language contributes to the difficulty of its implementation and to the possibility of language ambiguities and inconsistencies. Euclid is m u c h m o r e
difficult to implement and to cure of its "remaining
trouble spots" [8] than its m u c h smaller base
language Pascal.
Introduction
The
Euclid p r o g r a m m i n g l a n g u a g e is a
m o d i f i c a t i o n of P a s c a l d e s i g n e d for writing s y s t e m s
p r o g r a m s t h a t c a n be verified using s t a t e - o f - t h e - a r t
t e c h n i q u e s . The i m p o r t a n t f e a t u r e s a d d e d to P a s c a l
include: c o n t r o l of visibility of n a m e s , e.g., explicit
i m p o r t i n g a n d e x p o r t i n g of i d e n t i f i e r s f r o m
m o d u l e s ; p a r t i t i o n i n g p o i n t e r s into d i s t i n c t collections; s t o r a g e allocation t h a t c a n use r e f e r e n c e c o u n t e d p o i n t e r s a n d u s e r - i m p l e m e n t e d s t o r a g e allocators; e x t e n d i n g t y p e s to have p a r a m e t e r s so
t h a t a type d e c l a r a t i o n c a n be a t e m p l a t e for m a n y
different i n s t a n c e types; m o d u l e t y p e s to provide
d a t a a b s t r a c t i o n a n d i n f o r m a t i o n hiding; g e n e r a l i z a tion of P a s c a l c o n s t a n t s to allow t h e i r values to be
c a l c u l a t e d at r u n - t i m e ; loops whose i t e r a t i o n is
specified by m o d u l e g e n e r a t o r s ; m a c h i n e - d e p e n d e n t
f e a t u r e s for i m m e d i a t e access to the u n d e r l y i n g
hardware; a n d a s s e r t s t a t e m e n t s . The i m p o r t a n t
f e a t u r e s of P a s c a l t h a t a r e o m i t t e d f r o m Euclid are:
input/output, real n u m b e r s , goto statements, and
passing functions or procedures as parameters.
This paper is a progress report on the Euclid effort. It s u m m a r i z e s language changes and
discusses the ongoing implementation. S o m e preliminary observations are m a d e about using the
language for actually writing programs. Since this
paper is written by the implementation team, rather than the language designers, it will inevitably
have a different point of view than their overview
paper [3], which provides an excellent introduction
to Euclid and its design goals.
The
Euclid Report
ill specifies the
language as of February 1977. A revised report is in
progress [2]. Notes on Euclid [4] gives com/nentaries on the language and example programs.
Permission to copy without fee all or part of this material is granted provided
that the copies are not made or distributed for direct commercial advantage,
the ACM copyright notice and the title of the publication and its date appear,
and notice is given that copying is by permission of the Association for Computing Machinery, Inc. To copy otherwise, or to republish, requi~es a fee and/or
specific permission.
The proof rules for Euclid are given by [8].
See [5] for a m o r e detailed description of the rule
for procedures. Despite language changes after the
completion of the proof rules, the rules remain
essentially up-to-date. The reason for this fortunate
-}1978 ACM 0-89791-000-i/78/0012/0llt /$00.75
iii
c i r c u m s t a n c e is t h a t m a n y of t h e c h a n g e s r e s u l t e d
f r o m t h e d e s i r e t o e n f o r c e c l e a n s e m a n t i c s , and
t h e s e s e m a n t i c s w e r e a l r e a d y specified by t h e rules.
s u c c e s s f u l l y c o m p l e t i n g a useful c o m p i l e r in a r e a so n ab l e t i m e . And all this i n t e r a c t i o n was c a r r i e d
on t h r o u g h t h e c o n s t r a i n i n g and n o t always r e l i a b l e
m e d i u m of t e r m i n a l s and t h e ARPA net. This culm i n a t e d in a m e e t i n g in California in J a n u a r y 1978,
at which d e s i g n e r s and i m p l e m e n t o r s a g r e e d to
solutions to o u t s t a n d i n g p r o b l e m s . Since t h a t t i m e ,
t r o u b l e s o m e issues have again b e e n c o l l e c t e d ,
t h o u g h at a m u c h d e c r e a s e d r a t e ; t h e s e a r e to be
r e s o l v e d at a f u t u r e m e e t i n g .
The p a p e r On Legality A s s e r t i o n s in Euclid
[7] d i s c u s s e s ' h e s o u r c e level " l e g a l it y a s s e r t i o n s "
t h a t a Euclid c . , n p i l e r is to add to a Euclid p r o g r a m
and t h e p r o b l e m s r e l a t e d to t h e i r i m p l e m e n t a t i o n .
~-. Locating and Resolving Language Difficulties
This e x t e n s i v e i n t e r a c t i o n was due in p a r t
to t h e c o m p l e x i t y of t h e Euclid l a n g u a g e . B ut t h e r e
was a n o t h e r r e a s o n for m a n y e x c h a n g e s , and this
was r e l a t e d to t h e l a n g u a g e ' s v e r i f i c a t i o n p u r p o s e s .
B o t h d e s i g n e r s and i m p l e m e n t o r s have c o n s i s t e n t l y
s t r i v e n to r e s o l v e p r o b l e m s t h a t co u l d i n t e r f e r e
with verifiability. I s s u e s t h a t m i g h t o t h e r w i s e h a v e
b e e n q u i e t l y s e t t l e d by u n d o c u m e n t e d i m p l e m e n t a tion d e c i s i o n s w e r e s u b j e c t to c a r e f u l s c r u t i n y to
see if t h e y would affect t h e l a n g u a g e ' s i n t e n d e d sem a n t i c s.
The p r e s e n t Euclid i m p l e m e n t a t i o n b e g a n
in July 1977 as a j o i n t effort of t h e C o m p u t e r Syst e m s R e s e a r c h Group at t h e U n i v e r s i t y of To r o n t o
and t h e S p e c i a l S y s t e m s Division of I.P. S h a r p Assoc i a t e s Ltd. It was p r e c e d e d by an i m p l e m e n t a t i o n
a t t e m p t by S y s t e m D e v e l o p m e n t C o r p o r a t i o n , which
was n o t c o m p l e t e d . The Toronto i m p l e m e n t a t i o n
b e g a n by s t u d y i n g t h e l a n g u a g e in g r e a t d e t a i l while
in p a r a l l e l c o n s t r u c t i n g a s c a n n e r and p a r s e r . The
m e t h o d of c o n s t r u c t i o n of t h e c o m p i l e r will be disc u s s e d in a l a t e r s e c t i o n . We wilt c o n c e n t r a t e first
on t h e r e s u l t s of s t u d y i n g t h e l a n g u a g e .
3. Language Changes
The i m p l e m e n t a t i o n t e a m h a d h a d conside r a b l e e x p e r i e n c e in building p r o d u c t i o n c o m p i l e r s ,
with b a c k g r o u n d s f r o m t h e XPL, PL/C, SUE S y s t e m
Language and S P / k p r o j e c t s . Despite this e x p e r i ence, t h e y were s u r p r i s e d at t h e c o n s i d e r a b l e t i m e
r e q u i r e d to l e a r n t h e Euclid l a n g u a g e well e n o u g h t o
a p p r e c i a t e t h e ways in which its f e a t u r e s could int e r a c t . Taken s e p a r a t e l y , for e x a m p l e , p a r a m e t e r ized types, m o d u l e s and v a r i a n t r e c o r d s are r el atively s i m p l e f e a t u r e s . However, s t a t i c a n d d y n a m i c
i n t e r a c t i o n s a m o n g t h e s e and o t h e r f e a t u r e s c a u s e d
m a n y i m p l e m e n t a t i o n p r o b l e m s . During l a t e 1977
lists of q u e s t i o n s and s u s p i c i o u s e x a m p l e s w e r e collected.
If t h e r e is a m a j o r t r e n d in t h e r e s u l t i n g
l a n g u a g e c h a n g e s , it is t h a t i n d i v i d u a l f e a t u r e s w e r e
r ef i n ed to r e m o v e u n d e s i r a b l e i n t e r a c t i o n s with othe r f e a t u r e s . One r e c u r r i n g class of p r o b l e m s , w hi c h
c a m e to be k n o w n as " u n s p e a k a b l e a s s e r t i o n s " ,
deserves special attention.
The Euclid l a n g u a g e definition r e q u i r e s
t h a t t h e c o m p i l e r add c e r t a i n s o u r c e l e ve l a s s e r t
s t a t e m e n t s to a Euclid p r o g r a m . These a r e c a l l e d
legality a s s e r t i o n s and e a c h c o n t a i n s a B ool e a n exp r e s s i o n t h a t m u s t be t r u e f o r t h e p r o g r a m to be
m e a n i n g f u l . Fo r e x a m p l e , c o n s i d e r t h e u s e r ' s s t a t e ment
The m e t h o d of r e s o lv in g l a n g u a g e questions was s o m e w h a t u n i q u e a n d p r o c e e d e d as follows. The i m p l e m e n t a t i o n t e a m , l o c a t e d in Toronto,
c o m m u n i c a t e d with t h e d e s i g n t e a m , l o c a t e d in California (Palo Alto and Los Angeles) via t h e ARPA net.
A highly d i s c i p l i n e d f o r m of i n t e r a c t i o n d e v e l o p e d in
wh i ch t h e i m p l e m e n t o r s would s e n d q u e r i e s of t h r e e
levels of s e r i o u s n e s s :
(1) i n t e r p r e t a t i o n s ,
(2)
cl ari fi cat i o n s , and (3) l a n g u a g e points. " I n t e r p r e t a tions" g e n e r a l l y did n o t r e q u i r e a reply; r a t h e r t h e y
e l a b o r a t e d what s e e m e d to be t r u e f r o m t h e s o m e t i m e s t e r s e Euclid R e p o r t . "Clarifications" g e n e r a l ly r e q u i r e d a r e s p o n s e as t h e y p r e s e n t e d an a m b i g u i t y in n e e d of r e s o l u t i o n . " L a n g u a g e p o i n t s " indic a t e d t h a t t h e r e was a n e e d f o r a l a n g u a g e ch an g e;
t h e s e w e r e f e w e s t in n u m b e r , b u t m o s t s e r i o u s in
t e r m s of t h e ongoing i m p l e m e n t a t i o n . S o m e t i m e s
interpretations
e s c a l a t e d to c l a r i f i c a t i o n s an d
c l a r i f i c a t i o n s to l a n g u a g e points. A final c a t e g o r y of
"official h a r d p r o b l e m s " was set up for issues t h a t
t h e l a n g u a g e d e s i g n e r s c o u l d n o t q u i c k ly r e s o l v e .
z := a(i)
that references an element of array a that has a
subscript range of 1 to i0. If the compiler cannot
ascertain that i is within the subscript range, then a
legality assertion such as ihe following would be inserted before the assignment statement.
assert (i >= 1 and i <= tO)
Each legality assertion should be true whe n e v e r executed. Given that this is proven, the p r o g r a m is
t e r m e d "legal" and the proof rules of Euclid will
hold.
This concept of legality assertions interacts with the concept of control of n a m e visibility. In s o m e situations, the n a m e s required in a
legality assertion were hidden, e.g., were not imported into the scope that needed them. To correct
these situations, n e w constraints were add e d to the
language to guarantee that all legality assertions
would be "speakable".
The p s y c h o l o g i c a l a s p e c t s of t h e comznunication
have
been
interesting.
The
language
d e s i g n e r s w e r e o c c a s i o n a l l y d i s m a y e d at t h e inability of t h e i m p l e m e n t o r s to d i s c o v e r t h e i n t e n t of t h e
l a n g u a g e s p e c i f i c a t i o n . The i m p l e m e n t o r s , on t h e
o t h e r hand, w e r e o c c a s i o n a l l y d i s m a y e d by t h e inability of t h e d e s i g n e r s to s e e l a n g u a g e i n c o n s i s t e n cies. Moreover, t h e goals of t h e d e s i g n e r s of
defining an e l e g a n t , p o w e r f u l l a n g u a g e w e r e s o m e t i m e s at odds with t h e i m p l e m e n t o r s ' d e s i r e s of
The following list of the principal changes
since the published Report [I] is intended to give an
idea of the extent of the language's evolution.
Type conzpatibility rifles. The Euclid rules
spell out w h e n two types are compatible for the purpose of assignment and address binding. The basic
112
i d e a is t h a t n a m i n g a t y p e Or r e - w r i t i n g a t y p e d o e s
n o t c r e a t e a n e w t y p e , a n d t h a t two t y p e s a r e c o n s i d e r e d t h e s a m e if t h e y h a v e e q u i v a l e n t d e f i n i t i o n s .
The e x c e p t i o n is m o d u l e t y p e s , e a c h of w h i c h is distinct. Certain ambiguities about this equivalence
had to be resolved, mostly related to the expansion
of p a r a m e t e r i z e d t y p e s .
SignedInl < < = Enur~(v)
w a s m e a n t t o c o n s i d e r v a l u e v, w h o s e t y p e is E~zum,
t o b e a v a l u e of t y p e SignedInt. This a w k w a r d n o t a tion, which had unique scope rules, was replaced by
a function-like entity. For example, given the user's
d e c l a r a t i o n of Changer a s a t y p e c o n v e r t e r :
Uni'nitialized
problem came
following:
variables.
This d i f f i c u l t
to a head in situations such as the
converter
Changer (E•um) r e t u r n s (SignedInt)
the enumerated
v a l u e v is n o w c o n v e r t e d
t o a Sig-
nedInt b y w r i t i n g
v a r x: l.. 10
v a r y: 0..9
Changer(v)
x:=y+ 1
Dangling pointers. The p r o b l e m of d e t e c t ing a p o i n t e r r e f e r e n c i n g a d e a l l o c a t e d o b j e c t w a s
solved by introducing checkable collections. Given
that a collection has the attribute checkable the
c o m p i l e r is a b l e t o g e n e r a t e i m p l i c i t r e f e r e n c e
counting that detects dangling pointers.
The c o m p i l e r m u s t i s s u e a l e g a h t y a s s e r t i o n if it
cannot ensure that y+1 will yield the mathematically c o r r e c t r e s u l t . I n m o s t i m p l e m e n t a t i o n s ,
the
result
cannot
o v e r f l o w a n d is m a t h e m a t i c a l l y
c o r r e c t , g i v e n t h a t y is i n i t s s p e c i f i e d r a n g e . If,
however, y had never been initialized, ttien evaluat i o n of y + l c o u l d c o n c e i v a b l y c a u s e a n overflow.
For scalar variables, the necessary legality assertion can be easily written as
As c a n b e s e e n f r o m t h i s l i s t , c h a n g e s w e r e
generally localized in effect, and many were in the
f o r m of s e m a n t i c r e s t r i c t i o n s t h a t i n t r o d u c e d n o
new syntactic forms.
y i n y.ItsType
To allow a l e g a l i t y a s s e r t i o n to e x p r e s s t h i s i d e a f o r
a g g r e g a t e s (i.e., a r r a y s a n d r e c o r d s ) , t h e InRange
p r e d i c a t e was i n v e n t e d . We c o n s i d e r y t o b e i n
r a n g e if i t s v a l u e is w i t h i n i t s d e c l a r e d r a n g e .
4. I m p l e m e n t i n g
a Compiler
The c o m p i l e r b e i n g i m p l e m e n t e d p r o d u c e s
code for the PDP-11/45. Hopefully, a version req u i r i n g o n l y t h e b a s i c PDP-II
i n s t r u c t i o n s e t will
follow, a n d t h e r e is a p o s s i b i l i t y of d e v e l o p i n g c o m pilers for other machines.
The i m p l e m e n t a t i o n
is
c u r r e n t l y u s i n g t h e f a c i l i t i e s of t h e UNIX o p e r a t i n g
s y s t e m [10].
Well-behaved arithrnetic. As i n t h e a b o v e
example, legality assertions must be generated
whenever the compiler cannot assure that an exp r e s s i o n will b e h a v e a c c o r d i n g t o i t s s p e c i f i e d sem a n t i c s . The c o n c e p t of " w e l l - b e h a v e d " a r i t h m e t i c
was developed to specify which operations a Euclid
compiler must support and which legality assertions
must be generated to guarantee correct semantics
for arithmetic expressions.
The f i r s t m a j o r i m p l e m e n t a t i o n
decision
w a s t o w r i t e t h e E u c l i d c o m p i l e r i n a s u b s e t of Euclid. This s u b s e t , c a l l e d S m a l l E u c l i d , w a s d e s i g n e d
so it c o u l d b e e a s i l y t r a n s l i t e r a t e d i n t o t h e UNIX C
language. A transliterator, written in Small Euclid,
that accepts Small Euclid and produces C code was
b o o t s t r a p p e d a n d t e s t e d i n D e c e m b e r 1977. I t h a s
been in use since then as the tool for producing executable code from Small Euclid source. The translit e r a t o r c o n t a i n s a s c a n n e r f o r full E u c l i d a n d a
t a b l e - d r i v e n p a r s e r . With s u b s t i t u t i o n of t a b l e s , t h e
p a r s e r a c c e p t s full E u c l i d . T h u s t h e t r a n s l i t e r a t o r
u s e s t h e s a m e s c a n n e r a n d p a r s e r t h a t will e v e n t u ally b e u s e d b y t h e f u l l E u c l i d c o m p i l e r .
Formals of param2~erized types. O r i g i n a l ly t h e E u c l i d R e p o r t a l l o w e d t h e f o r m a l p a r a m e t e r s
of p a r a m e t e r i z e d
t y p e s t o b e of a r b i t r a r y t y p e s .
This g e n e r a l i t y c a u s e d i m p l e m e n t a t i o n
difficulties
and provided little advantage to the user. The types
of t h e s e p a r a m e t e r s h a v e n o w b e e n t i g h t l y r e s t r i c t ed.
Variant records and discriminating cases:
E u c l i d p r o v i d e s v a r i a n t r e c o r d s m u c h like t h o s e ot
P a s c a l , b u t allows a c c e s s t o t h e v a r y i n g p a r t s o n l y
within a special statement called a "discriminating
case". These features have evolved from the origin a l r e p o r t , s o t h a t t h e r e is n o w a s p e c i a l c o m p o n e n t
of a v a r i a n t r e c o r d c a l l e d itsTag, w h i c h g i v e s t h e
record's current tag value. Variants can no longer
b e d i r e c t l y n e s t e d ; i n s t e a d n e s t i n g is d o n e u s i n g
nested records.
The s c a n n i n g a n d p a r s i n g of E u c l i d is
s t r a i g h t f o r w a r d , w i t h a few e x c e p t i o n s . One is t h a t
the (almost) optional semicolons in Euclid cause
some syntactic ambiguities. These were solved by
the implementation
restriction that parentheses
a r e r e q u i r e d a r o u n d t h e o p t i o n a l e x p r e s s i o n s i n assert and return statements.
A n o t h e r d i f f i c u l t y is
that some expressions and type definitions border
on ambiguity. For example, consider
Strings. S t r i n g s i n E u c l i d w e r e o r i g i n a l l y
similar to PL/I's varying length strings. They'are
n o w s i m i l a r t o P a s c a l s i m p l e r s t r i n g s , i.e., a r r a y s of
characters.
f o r j i n a. b (i). C
If C is a n i n d e x t y p e , t h e n t h i s is a f o r l o o p i n w h i c h
j r a n g e s o v e r t h e v a l u e s i n C. If C is a s e t ( p o w e r s e t ) v a l u e t h e n t h i s is a f o r loop t h a t e x e c u t e s f o r j
e q u a l t o e a c h of t h e m e m b e r s i n t h e s e t . If C is a n
integer constant, then
Type converters.
E u c l i d allows a c o n trolled loophole in its otherwise strong type rules
t h r o u g h t h e u s e of t y p e c o n v e r t e r s . F o r e x a m p l e , i n
the original syntax, the expression
113
f o r j i n a . b ( i ) . C .. 10
mentation on Euclid, and is to be the first heavy use
of the compiler .beyond its self-compilation.
e x e c u t e s for values in t h e r a n g e C to 10. This n e a r
a m b i g u i t y was solved at t h e e x p e n s e of c o m p i l e r
c o m p l e x i t y by d e f e r r i n g c o m p i l a t i o n a c t i o n s u n t i l
all of a.b(i).C was a c c e p t e d . Despite p r o b l e m s s u c h
as these, construction of a scanner and parser was
relatively easy.
5. Early O b s e r v a t i o n s o n U s i n g E u c l i d
Euclid has b e e n u s e d first in i m p l e m e n t i n g
t h e S m a l l Euclid s c a n n e r , p a r s e r , and t r a n s l i t e r a t o t , and p r e s e n t l y , in i m p l e m e n t i n g t h e full Euclid
s e m a n t i c analysis and code g e n e r a t i o n pa s s e s .
S e v e r a l t h o u s a n d lines of Euclid c o d e have b e e n
w r i t t e n ; c o n c l u s i o n s b a s e d on this l i m i t e d e x p e r i e n c e are n e c e s s a r i l y t e n t a t i v e .
The h a r d p a r t of c o m p i l i n g Euclid c l e a r l y
lies in t h e handling of its s e m a n t i c s . With t he m a j o r
l a n g u a g e p r o b l e m s solved a n d with s o m e c o n f i d e n c e
g a i n e d f r o m writing t h e s c a n n e r and p a r s e r in Euclid, design of t h e difficult p a r t s of t h e c o m p i l e r beg an in e a r n e s t .
Due to t h e c o n s t r a i n t of s t a y i n g within
Sm al l Euclid, no first h a n d e x p e r i e n c e h a s b e e n
g a i n e d in using s o m e of t h e m o r e n o v el f e a t u r e s of
full Euclid. Fo r e x a m p l e , Sm al l Euclid does n o t allow m u l t i p l e
instances
of m o d u l e
types
or
p a r a m e t e r i z e d types. However, it does p r o v i d e t h e
c o r e f e a t u r e s of Euclid, i n cl u d i n g m o d u l e s t h a t h a v e
a single i n s t a n c e ( m u c h like t h e m o d u l e s of t h e
Modula l a n g u a g e [ I I ] ) .
Another major implementation decision
has b e e n to i m p l e m e n t a l a r g e r s u b s e t c a l l e d Middle
Euclid. I n s t e a d of p r o d u c i n g s o u r c e C code, t h e
t r a n s l a t o r for Middle Euclid will d i r e c t l y g e n e r a t e
PDP-11 a s s e m b l y l a n g u a g e . Once Middle Euclid is
b o o t s t r a p p e d , d e p e n d e n c y on t h e C c o m p i l e r will be
r e m o v e d . The t r a n s l a t o r for Middle Euclid d e f e r s
s o m e difficult f e a t u r e s , s u c h as g e n e r a t i n g l e g a l i t y
a s s e r t i o n s . Once it is c o m p l e t e d , it will be u s e d to
build a full Euclid c o m p i l e r .
The Euclid c o m p i l e r is being w r i t t e n
w i t h o u t t h e i m m e d i a t e i n t e n t i o n of v er i f y i n g it. We
felt t h a t writing t h e c o m p i l e r was going to be chal-'
lenging e n o u g h w i t h o u t s i m u l t a n e o u s l y t r y i n g to
m a s t e r and utilize t h e r e l a t i v e l y new t e c h n i q u e s of
p r o g r a m verification.
The goals of r u n n i n g on t h e PDP-11/45,
which has l i m i t e d a d d r e s s space, and of h a n d l i n g
l ar g e Euclid p r o g r a m s , d i c t a t e d t h a t the c o m p i I e r
use m u l t i p l e p a s s e s a n d t h a t t h e s y m b o l / t y p e t a b l e
be d i s k - r e s i d e n t .
This c o n s t r a i n t has p r o b a b l y
b e n e f i t e d t h e c o m p i l e r d e s i g n as it has f o r c e d divisions into s e v e r a l p a r t s (passes) with l i m i t e d and
well-defined i n t e r f a c e s b e t w e e n t h e m .
The l a c k of i n p u t / o u t p u t in Euclid was
r e m e d i e d by i m p l e m e n t i n g a s i m p l e i n p u t s t r e a m , a
s i m p l e o u t p u t s t r e a m , an d c o m b i n a t i o n s e q u e n t i a l
and r a n d o m a c c e s s g e n e r a l p u r p o s e files. The i n t e r face to this i n p u t / o u t p u t is defined in an o p e r a t i n g
s y s t e m i n d e p e n d e n t m a n n e r in t e r m s of a Euclid
m o d u l e . It is c u r r e n t l y s u p p o r t e d by calls to t h e
UNIX o p e r a t i n g s y s t e m .
The i m p l e m e n t a t i o n of Euclid has n o t prog r e s s e d as q u i c k l y as h a d b e e n h o p e d . Beyond t h e
u s u a l difficulties in p r e d i c t i n g t i m e to c r e a t e
software, t h e lack of a s t a b l e a n d u n a m b i g u o u s
language specification diverted implementation
effort into what a m o u n t e d to l a n g u a g e design. The
size of t h e l a n g u a g e is easily u n d e r e s t i m a t e d , e s p e cially due to t h e i n t e r a c t i o n of r e l a t i v e l y so p h i st i c a t e d f e a t u r e s . S o m e f e a t u r e s , s u c h as p a r a m e t e r i z e d - t y p e s and l e g a l i t y a s s e r t i o n s , a r e r e c e n t l y
d e v e l o p e d and r e q u i r e d t h e i m p l e m e n t o r s to
d e v e l o p new c o m p i l e r and r u n t i m e s t r u c t u r e s .
The i m p l e m e n t o r s h a v e found t h a t Euclid
has k e p t t h e p l e a s a n t r e a d a b i l i t y of l a n g u a g e s s u c h
as P a s c a l and t h e SUE S y s t e m Language [9]. The
i m p l e m e n t a t i o n t e a m h ad e x t e n s i v e e x p e r i e n c e using SUE to build c o m p i l e r s and o p e r a t i n g s y s t e m s ,
and found t h a t t h e i r p r o g r a m m i n g t e c h n i q u e s a nd
styles t r a n s f e r r e d easily to Euclid. Although Euclid
was d e s i g n e d with verifiability as a p r i m a r y goal,
this did n o t s e e m to r e q u i r e s a c r i f i c e s in t e r m s of
e a s e of e i t h e r writing or r e a d i n g p r o g r a m s . It
s e e m s t h a t as a p r a c t i c a l s o f t w a r e building tool, Euclid c a n be a good r e p l a c e m e n t for SUE, once t h e
Euclid c o m p i l e r stabilizes.
A l t h o u g h p r o g r e s s has n o t b e e n as fast as
h o p e d , it has c o n t i n u e d at a r e s p e c t a b l e p a ce. More
i m p o r t a n t l y , it has" u n c o v e r e d n e i t h e r f u n d a m e n t a l
b l u n d e r s in t h e l a n g u a g e d e s i g n n o r f e a t u r e s t h a t
are t e r r i b l y difficult to i m p l e m e n t . The t e n t a t i v e
c o n c l u s i o n is t h a t it is n o t easy to c o m p i l e Euclid,
b u t with t i m e and c a r e , a good, p r a c t i c a l , p r o d u c t i o n c o m p i l e r c a n be p r o d u c e d .
One of the significant departures of Euclid
from both Pascal and S U E has b e e n in requiring
each procedure or function to explicitly import the
n a m e s of inherited items (variables, constants,
types, etc.) that it uses. H o w m u c h of a bur d e n this
would place on the p r o g r a m m e r was an o p e n question. The tentative conclusion is that it is not a particularly b o t h e r s o m e task to create import lists,because the p r o g r a m m e r knows what global items he
wants to use. Once these lists are created, they are
of benefit to p r o g r a m m e r s in determining at a
glance the possible interaction the routine can have
with other parts of the program.
It a p p e a r s t h a t t h e quality of g e n e r a t e d
c o d e should be c o m p e t i t i v e with t h a t p r o d u c e d by
existing
production
compilers
for
systems
l a n g u a g e s . In g e n e r a l , t h e l a n g u a g e does n o t s t a n d
in t h e way of good code g e n e r a t i o n , and in v a r i o u s
ways p r o v i d e s c o n v e n i e n t i n f o r m a t i o n for code optimization.
It wilt n o t be r e a s o n a b l e t o m a k e c o n c l u sions a b o u t the q u a l it y of t h e c o m p i l e r , u n t i l s u c h
t i m e as it has b e e n u s e d to build p r o d u c t i o n s y s t e m
software. The KSOS ( k e r n e l i z e d s e c u r e o p e r a t i n g
s y s t e m ) effort at F o r d A e r o s p a c e a n d C o m m u n i c a tions C o r p o r a t i o n is planning on basing t h e i r i m p l e -
F r o m preliminary observations, it appears
that, given a good compiler, Euclid should be a good
production software tool, even for p r o g r a m s that
are not to be formally verified. Most of the featu1es
114
i n t e n d e d to help verification c o n t r i b u t e as well to
t r a d i t i o n a l software goals s u c h as m a i n t a i n a b i l i t y .
For example, i m p o r t lists limit the d a m a g e t h a t c a n
be done by a b a d l y p a t c h e d r o u t i n e , a n d n o n overlap c o n s t r a i n t s p r e v e n t m y s t e r i o u s c h a n g e s in
p r o g r a m variables.
5.
6. S l l m m a r y
6. R.L. London, J.V. Guttag, J.J. Horning, B.W. Lampson, J.G. Mitchell a n d G.J. Popek, "Proof Rules
for the P r o g r a m m i n g Language Euclid", Ac~a In-
Euclid is a new l a n g u a g e a n d t h e c o m p i l e r
for it has n o t yet b e e n c o m p l e t e d (as of S e p t e m b e r
1978). Its c o m p i l e r is being w r i t t e n in a s u b s e t of
Euclid, a n d is providing the first p r a c t i c a l t e s t of
the language. Due to the close s c r u t i n y of l a n g u a g e
f e a t u r e s r e q u i r e d by the c o m p i l e r design, incons i s t e n c i e s and a m b i g u i t i e s have b e e n d i s c o v e r e d
and s u b s e q u e n t l y r e m o v e d by l a n g u a g e c h a n g e s a n d
clarifications. The m o s t c o m m o n c h a n g e s in the
l a n g u a g e have b e e n r e f i n e m e n t s of individual
f e a t u r e s to avoid u n d e s i r a b l e i n t e r a c t i o n with o t h e r
features. Early e x p e r i e n c e using the l a n g u a g e indic a t e s t h a t it c a n be a p r a c t i c a l p r o d u c t i o n software
tool, even when f o r m a l verificatior~ is n o t to be attempted.
f orrna tic a.
7. D.B. Wortman, "On Legality Assertions in Euchd",
(IEEE T r a n s a c t i o n s on Software E n g i n e e r i n g , to
appear).
8. D.E. Knuth, "The R e m a i n i n g Trouble Spots in Algol 60", Comm. ACM, 10,10 (October 1967), pp.
611-617.
9.
11. N. Wirth, "Modula: A l a n g u a g e for m o d u l a r m u l t i p r o g r a m m i n g " , ,.;oftware - P r a c t i c e a n d Exp e r i e n c e 7,1 ( J a n u a r y - F e b r u a r y 1977), pp. 3-35.
The d e s i g n e r s of t h e Euclid l a n g u a g e are
J.J. Horning, B.W. Lampson, R.L. London, J.G.
Mitchell a n d G.L. Popek, with a s s i s t a n c e f r o m J.V.
Guttag. The i m p l e m e n t o r s are g r a t e f u l for the large
effort t h a t the d e s i g n e r s have c o n t i n u e d to c o n t r i b u t e to the Euciid project. The Euclid i m p l e m e n t a tion t e a m consists of t h e a u t h o r s plus David B o n y u n
and John G r u e r of I.P. S h a r p Associates Ltd. The
Euclid i m p l e m e n t a t i o n p r o j e c t is f u n d e d by the Defense Advanced R e s e a r c h P r o j e c t s Agency of the
U.S. D e p a r t m e n t of Defense a n d by the Chief
R e s e a r c h and D e v e l o p m e n t of t h e C a n a d i a n Departm e n t of National. Defense.
References
B.W. Lampson, J.J. Horning, R.L. London, J.G.
Mitchell a n d G.J. Popek, "Report on t h e Prog r a m m i n g Language Euclid", SIGPLAN Not/ces
12,2 ( F e b r u a r y 1977).
2.
B.W. Lampson, J.J. Horning, R.L. London, J.G.
Mitchell, a n d G.J. Popek, "Revised Report on the
P r o g r a m m i n g Language Euclid", .Xerox Palo Alto
R e s e a r c h Center T e c h n i c a l R e p o r t CSL 7B-2 (to
appear).
3.
G.J. Popek, J.J. Horning, B.W. Lampson, J.G.
Mitchell, a n d R.L. London, "Notes on the Design
of Euclid", P r o c e e d i n g s o f the ACM C o n f e r e n c e
on
Language Design for Reliable Software,
Raleigh, N.C., March 1977 (also in SIGPLAN Notices 12,3 (March 1977)).
B.L. Clark a n d J.J. Horning, "Reflections on a
l a n g u a g e d e s i g n e d to write an o p e r a t i n g system", SIGPLAN N o t i c e s 8,9 ( S e p t e m b e r 1973),
pp. 52-56.
10. D.M. Ritchie a n d K. Thompson, The UNIX t i m e s h a r i n g s y s t e m . Comm. ACM 17,7 (July 1974) pp.
365-375.
Acknowledgements
1.
J.V. Guttag, J.J. Horning, a n d R.L. London, "A
Proof Rule for Euclid P r o c e d u r e s " , in E. Neuhold
(ed.), Working C o n f e r e n c e on F o r m a l Description o f P r o g r a m m i n g Concepts, North Holland
P u b l i s h i n g Co., pp. ~11-220, (to a p p e a r ) (also
USC I n f o r m a t i o n S c i e n c e s I n s t i t u t e Technical
R e p o r t ISI/RR-77-60, (May 1977)).
4. W.D. Elli0tt a n d D.T. B a r n a r d (eds.), "Notes on
Euclid", C o m p u t e r S y s t e m s R e s e a r c h Group,
U n i v e r s i t y o f Toronto, T e c h n i c a l R e p o r t CSRG82, August 1977 (also in SIGPLAN Notices 13,,3
(March 1978)).
115