P: safe asynchronous event-driven programming

We describe the design and implementation of P, a domain-specific language for writing asynchronous event-driven code. P allows the programmer to specify the system as a collection of interacting state machines that communicate with each other using events. P unifies modeling and programming into one activity for the programmer: not only can a P program be compiled into executable code, but it can also be tested using model checking techniques. P allows the programmer to specify the environment, used to "close" the system during testing, as nondeterministic ghost machines. Ghost machines are erased during compilation to executable code; a type system ensures that the erasure preserves semantics. The P language is designed so that a P program can be checked for responsiveness, the ability to handle every event in a timely manner. By default, a machine must handle every event that arrives in every state, but handling every event in every state is impractical. The language therefore provides a notion of deferred events, with which the programmer can annotate where she wants to delay processing an event. The default safety checker looks for the presence of unhandled events, and the language also provides default liveness checks that an event cannot be deferred forever. P was used to implement and verify the core of the USB device driver stack that ships with Microsoft Windows 8. The resulting driver is more reliable and performs better than its prior incarnation (which did not use P); we have more confidence in the robustness of its design due to the language abstractions and verification provided by P.
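As an added illustration of the default safety check described above (this is not code from the P paper or its toolchain), the following Python models a machine's per-state handlers with deferred events and exhaustively explores a small nondeterministic "ghost" environment to report unhandled events; the driver machine, its state names and its event names are all constructed for the example.

```python
"""Explicit-state exploration of a P-style state machine with deferred events.
Constructed illustration (not the P toolchain): events arrive from a
nondeterministic ghost environment; an event with no handler in the current
state is a safety bug, while a deferred event stays queued and is skipped."""

# Constructed device machine: state -> {event: target state, or "defer"}
DRIVER = {
    "Off":       {"PowerOn": "Init"},
    "Init":      {"InitDone": "Ready", "IoRequest": "defer"},
    "Ready":     {"IoRequest": "Busy", "Suspend": "Suspended"},
    "Busy":      {"IoDone": "Ready", "Suspend": "defer"},
    "Suspended": {"Resume": "Ready"},
}
ENV_EVENTS = ("PowerOn", "InitDone", "IoRequest", "IoDone", "Suspend", "Resume")

def step(machine, state, queue):
    """Dequeue the first event that is not deferred in `state`.
    Returns (new_state, remaining_queue); new_state is None for an unhandled
    event, in which case the second element is the offending event."""
    for i, ev in enumerate(queue):
        action = machine[state].get(ev)
        if action == "defer":
            continue                      # deferred: stays in the queue, skipped
        if action is None:
            return None, ev               # no handler in this state: safety bug
        return action, queue[:i] + queue[i + 1:]
    return state, queue                   # queue empty or everything deferred

def check_unhandled(machine, start, env_events, max_sends):
    """DFS over all interleavings of environment sends and machine steps.
    Returns the sorted set of (state, event) pairs with no handler."""
    seen, bugs = set(), set()
    stack = [(start, (), max_sends)]      # configuration: (state, queue, sends left)
    while stack:
        cfg = stack.pop()
        if cfg in seen:
            continue
        seen.add(cfg)
        state, queue, budget = cfg
        if budget > 0:                    # ghost environment may send any event
            for ev in env_events:
                stack.append((state, queue + (ev,), budget - 1))
        new_state, rest = step(machine, state, queue)
        if new_state is None:
            bugs.add((state, rest))
        elif (new_state, rest) != (state, queue):
            stack.append((new_state, rest, budget))
    return sorted(bugs)

if __name__ == "__main__":
    for state, event in check_unhandled(DRIVER, "Off", ENV_EVENTS, 4):
        print(f"unhandled event {event!r} in state {state!r}")
```

A reported pair such as an I/O request arriving while the machine is already busy is exactly the kind of finding the programmer resolves either by adding a handler or by marking the event deferred in that state.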
