Euclid(ID:756/euc001)

Verifiable system software language  

(named for the Greek geometer, fl ca 300 BC.) A Pascal descendant for development of verifiable system software. No goto, no side effects, no global assignments, no functional arguments, no nested procedures, no floats, no enumeration types. Pointers are treated as indices of special arrays called collections. To prevent aliasing, Euclid forbids any overlap in the list of actual parameters of a procedure. Each procedure gives an imports list, and the compiler determines the identifiers that are implicitly imported. Iterators.

The Euclid Project. Holt et al, University of Toronto, (1977-80). Project supported by Canadian and USA governments and by IBM to build a compiler for a systems programming language with verification facilities. Used at I.P. Sharp Associates (Toronto), MITRE Corp. (Boston) and various institutes for system programming and research in secure software.


People:
Structures:
Related languages
Pascal => Euclid   Evolution of
Euclid => Capsule   Incorporated some features of
Euclid => Cedar   Evolution of
Euclid => EV2   Evolution of
Euclid => Ottawa Euclid   Dialect of
Euclid => Pascal*   Influence
Euclid => PLAIN   Influence
Euclid => Real-Time Euclid   Augmentation of
Euclid => Simple Euclid   Subset
Euclid => Small Euclid   Subset
Euclid => Theseus   for verifiability complete Extension of
Euclid => Toronto Euclid   Dialect of
Euclid => ZENO   Extension of
References:
  • Horning, J. J. "Some desirable properties of data abstraction facilities" pp60-62 view details Extract: Euclid Modules
    2 Euclid Modules
    The module in Euclid is an encapsulation mechanism whereby the representation of an abstract object and the implementation of associated operations can be hidden from the enclosing scope. Multiple instances of an abstraction can be realized from the definition of a module type by declaring variables of that type. Closed scopes, and modules in particular, provide explicit control over the visibility of identifiers. Objects, operations, and types defined within the module must be explicitly exported in order to be used; similarly, values of variables declared outside a module must be imported explicitly to be known inside.
    Extract: Modules as Abstraction Mechanisms
    2.1 Modules as Abstraction Mechanisms
    A data type is defined by a set of values and a set of operations on those values. An abstract data type is a data type with a representat ion-independent definition. Thus, abstract data types permit access by outside routines only to the abstract values and operations, and not to any of the underlying representation. In this sense, clusters in CLU [Liskov et ai.77] and forms in Alphard [Wulf et al. 76] are abstract data types, whereas classes in Simula 67 [Dahl et al.68] are not, since all data structures in the outermost scope of a class are accessible. Palm, [73] has shown, however, how the necessary protection could be added to Simula 67 in a straightforward way.
    For reasons similar to those for Simula 67 classes, Euclid modules are not true abstract data types. Access to identifiers within a module is severely restricted by the import and export clauses as well as the Euclid scope rules~ but access is allowed. Euclid modules can be used, hoverers to implement abstract data types. This would require additional programmer disciplines unenforceable by the language itself to ensure that the only entities accessible to outside routines are those abstract entities being defined.

          in SIGPLAN Notices 11(02) February 1976 also Proceedings of the SIGPLAN '76 Conference on Data: Abstraction, Definition and Structure, Salt Lake City, Utah, USA, March 22-24, 1976 view details
  • The Higher Order Language Working Group (HOLWG) Working Paper on 23 exisitng programming languages view details
          in SIGPLAN Notices 11(02) February 1976 also Proceedings of the SIGPLAN '76 Conference on Data: Abstraction, Definition and Structure, Salt Lake City, Utah, USA, March 22-24, 1976 view details
  • G. J. Popek, J. J. Horning, B. W. Lampson, J. G. Mitchell, R. L. London "Notes on the design of Euclid" pp11-18 view details Abstract: Euclid is a language for writing system programs that are to be verified. We believe that verification and reliability are closely related, because if it is hard to reason about programs using a language feature, it will be difficult to write programs that use it properly. This paper discusses a number of issues in the design of Euclid, including such topics as the scope of names, aliasing, modules, type-checking, and the confinement of machine dependencies; it gives some of the reasons for our expectation that programming in Euclid will be more reliable (and will produce more reliable programs) than programming in Pascal, on which Euclid is based. DOI
          in Proceedings of an ACM conference on Language design for reliable software 1977, Raleigh, North Carolina view details
  • Lampson, B.W.; Horning, J.J.; London, R.L.; Mitchell, J.G.; Popek, G.J. "Report on the programming language Euclid" view details
          in SIGPLAN Notices 12(02) February 1977 view details
  • Aseltine, Edward G. and Spencer, Henry "Isolation of machine dependencies in Euclid" pp43-48 view details Abstract: The programming language Euclid was designed for programming such software as operating system kernels, I/O routines, and storage allocators. These applications require access to low level machine details. Euclid makes a serious effort to limit machine dependencies and to isolate them in readily identifiable sections of code. This paper surveys the machine dependencies of Euclid and assesses the effectiveness of the isolation mechanisms. DOI
          in SIGPLAN Notices 13(03) March 1978 view details
  • Barnard, D. T., W. D. Elliott, et al. "Euclid and Modula." view details Abstract: Both Euclid and Modula are programming languages based on Pascal and intended for writing system software such as operating system kernels. The further goals of each language, however, resulted in two rather different languages. Modula is meant to be used in multiprogramming systems primarily on mini-computers; thus Modula aims for very small run-time support and efficient compilation by a small compiler. Many of the Euclid language design decisions, on the other hand, were influenced by the authors' overriding concern for the ability to verify Euclid programs. This paper discusses design goals of the two languages and the language differences that resulted. After contrasting individual features of the two languages, modules and multiprogramming are discussed in more detail.
          in SIGPLAN Notices 13(03) March 1978 view details
  • Chang, Ernest; Kaden, Neil E.; Elliott; W. David "Abstract data types in Euclid" pp34-42 view details Abstract: The programming language Euclid provides features that support abstract data types, but does not strictly speaking provide a true data abstraction mechanism. This paper assesses the data abstraction facilities that Euclid does provide, examines the two ways of instantiating Euclid modules, and discusses other features of modules that the designers of Euclid chose not to include. In particular, the paper addresses the issues of (1) enforceable separation between abstract definition and representation, (2) specifying the relationship between abstract definition and representation, (3) type parameters in modules, (4) operator extensions, and (5) scope restrictions on identifiers. DOI Extract: Introduction
    The programming language Euclid [Lampson et al. 77] was designed to support the writing of verifiable system software, with the subgoal as a near-term projects to differ from Pascal as little as possible. Hence Euclid was expressly intended to be a research vehicle for new ideas in programming languages. One notable exception the Euclid designers made was in the area of data abstraction.
    Virtually all data abstraction mechanisms claim lineage from the Simula 67 class [Dahl et al. 68]. Descendent data abstraction mechanisms have not in general been used long enough for us to have much experience with their user and as a result much of the area of data abstraction still belongs in the realm of research.
    Although it was not absolutely necessary for Euclid to provide a data abstraction facility, its designers felt that such a programming tool would greatly contribute to the ability to decompose large programs so that they could be verified with existing verification methodso A data abstraction mechanism also encourages writing modular and structured programs, and thus helps meet other Euclid design goals. ([Horning76] provides an excellent summary of the advantages provided by abstraction mechanisms, both data and procedural.)
          in SIGPLAN Notices 13(03) March 1978 view details
  • Elliott, W. David "Index to the Euclid report" pp85-89 view details Abstract: The programming language Fuc!id is based on Pascal and
    intended for writing verifiable system protrams, The following
    is an index for the defininq report for Euclid [Lampson et
    al,77 ]. DOI
          in SIGPLAN Notices 13(03) March 1978 view details
  • Rivieres, Jim des and Spencer, Henry "Readability and writability in Euclid" pp49-56 view details Abstract: Neither readability nor writability of programs were major design goals of the programming language Euclid, yet both are obviously important considerations in determining how effectively the language can be used. This paper considers the influence of various Euclid features on readability and writability.

    DOI
          in SIGPLAN Notices 13(03) March 1978 view details
  • Venema, Ted and Rivieres, Jim des "Euclid and PASCAL" pp57-69 view details Abstract: The programming language Euclid was intended for writing system programs that could be verifiable by state-of-the-art verification methods. Since verification was not an explicit goal in the design of Pascal, it is not surprising that this gave rise to differences between the two languages. The Euclid designers intended to change Pascal only where it fell short of this goal. This paper examines differences in the two languages in the light of this objective. These differences are roughly grouped under the headings verification, system programming, and user-oriented changes. DOI Extract: Euclid
    Euclid [Lampson et a~.77] is a programming Language based on
    Pascal and intended for writing verifiable system programs° The
    basic me%hod for verifying ~uclid programs is an inductive
    assertion one similar to %hat used for Pascal [ Hoare and
    Wirth73]. Those features present in both Euclid and Pascal~ but
    different in Euclid due to the verification requirements will be
    the focus of attention in %his paper° Constructs added to Euclid
    specifically for verification will not be discussed~ since %hey
    in general have no Pascal counterpart.
          in SIGPLAN Notices 13(03) March 1978 view details
  • Holt, Richard C. and Wortman, David B. "A model for implementing Euclid modules and type templates", p8-12 view details
          in Proceedings of the SIGPLAN symposium on Compiler construction, August 06-10, 1979, Denver, Colorado, United States view details
  • London, Ralph L. et al "Proof Rules for the Programming Language Euclid" pp1-26 view details
          in Acta Informatica 10(1) August 4, 1978 view details
  • Schwartz, Richard L. "Aliasing among pointers in EUCLID" Inf. Process. Lett. 9, 2 (Aug. 1979), pp76-79. view details
          in Acta Informatica 10(1) August 4, 1978 view details
  • Wasserman, A. I. "Testing and Verification Aspects of Pascal-Like Languages" view details
          in Computer Languages 4(3-4) view details
  • Pagan, F. G. review of Schwartz 1980 (Euclid) view details Abstract: This brief note deals with a very narrow, though rather troublesome, aspect of language design: the elimination of aliasing among variables in order to facilitate formal program verification. To this end, the programming language EUCLID prohibits the passing of both an array and an element of the array as parameters to a procedure. Taking collections and pointers to be analogous to arrays and subscripts, it also prohibits passing both a collection and an element of the collection. The author establishes that this second restriction is stronger than necessary, the basic reason being that the pointers cannot be manipulated as freely as subscripts. He states that a more liberal aliasing restriction would improve the convenience and clarity of programming at little cost to the compiler or verifier.

          in ACM Computing Reviews 21(01) January 1980 view details
  • Wand, I. C. "Dynamic resource allocation and supervision with the programming language MODULA" view details Extract: Modula
    MODULA is a simple programming language proposed by Wirth (1977a) for use in programming areas still dominated by Assembly code, such as process control, computerised laboratory equipment and input/output device drivers. Coding exercises in MODULA by Wirth (1977b) and others (Holden and Wand, 1978) have shown that the language is quite successful in these areas of application and is particularly good for the expressioh of single programs that will run on dedicated computing equipment.
    However the language does have a number of drawbacks if it is to be used for the coding of operating systems kernels or for the writing of any software component where supervision plays an important part. In particular these difficulties centre upon
    (a) a process supervising other processes
    (b) a storage allocation process and
    (c) the general handling of error conditions at both the process and module level.
    It is interesting to note that these are all requirements of the so-called 'Ironman' language (1977).
    This paper examines extensions to MODULA which attempt to overcome these drawbacks. A new storage mechanism is proposed based upon a declared type called a region which is very similar to the implicit heap in PASCAL. For references into such storage, PASCAL-like pointers are proposed. In addition it is proposed that processes and their storage must be allocated within a region, although it is not suggested that device processes should be included in this new mechanism. Thereafter references to ordinary processes must be made via pointers, and, furthermore, when a process is run it can be executed for a given number of signal occurrences (usually originating from a device process) under the supervision of a parent process. By this mechanism supervisory processes can be constructed which can then make sure that a process can only run for a limited period and can subsequently terminate that process if necessary. An exception mechanism is proposed for transmitting error conditions; however the mechanism can be used quite generally.
    We suggest that these extensions will cause moderate complications in the language definition and in the compiler. The major run time complication is in the storage allocation mechanism which implies a PASCAL-like heap within every region, although with the simplification that any region is allocated within the storage space of the parent process. In conclusion we suggest that the facilities proposed will enable a MODULA-like language to be used for the coding of basic operating system components. Extract: Modula vs GYVE vs EUCLID
    Note that this proposal certainly lacks the flexibility of GYVE
    pointers (Schwartz and Shaw, 1976) or the completeness of the
    Euclid (Lampson et al., 1977) visibility rules. However it is
    suggested that the simple rules of MODULA, together with the
    modification suggested here, will deal with the majority of
    practical cases.
          in The Computer Journal 23(2) 1980 view details
  • Wasserman, A. "Revised Report on the Programming Language PLAIN", view details
          in SIGPLAN Notices 16(05) May 1981 view details
  • Wortman, David B.; Cordy, James R. "Early experiences with Euclid" pp27-32 view details
          in Proceedings of the 5th International Conference on Software Engineering 1981, March 09-12, 1981, San Diego, California, United States view details
  • Holt, Richard C.; Wortman, David B. "A Model for Implementing EUCLID Modules and Prototypes" pp552-562 view details
          in TOPLAS 4(4) October 1982 view details
  • R.P. Cook and T.J. LeBlanc "A Symbol Table Abstraction to Implement Languages with Explicit Scope Control" from IEEE Transactions on Software Engineering, January 1983 view details
          in TOPLAS 4(4) October 1982 view details
    Resources
    • Programming languages and compilers by Butler Lampson
      Euclid (1976-79): With Horning, Mitchell, London and Popek I designed this language for writing verifiable system software [17, 18, 20]. It has been implemented at the University of Toronto, and has had several descendants (Concurrent Euclid, Turing, and less directly, Ada).

      external link