Farm2014 Copy 2.Key

Temporal semantics for a live coding language slides

Sam Aaron, Dominic Orchard, Alan Blackwell

@samaaron @dorchard Fibonacci Crisis

FARM 2014, 6th September 2014, Gothenburg vertone

http://overtone.github.io Sam Aaron @samaaron @sonic_pi

1

π))) Sonic Pi

Statement Real Duration Time

Δa play :C Δa Δb play :E Δa + Δb Δc play :G Δa + Δb + Δc sleep 1 Δa + Δb + Δc + 1 Δd play :F Δa + Δb + Δc + 1 + Δd Δe play :A Δa + Δb + Δc + 1 + Δd + Δe Δf play :C Δa + Δb + Δc + 1 + Δd + Δe + Δf sleep 0.5

Δa + Δb + Δc + 1 + Δd + Δe + Δf + 0.5 Δg play :G Δa + Δb + Δc + 1 + Δd + Δe + Δf + 0.5 + Δf Δh play :B Δa + Δb + Δc + 1 + Δd + Δe + Δf + 0.5 + Δf + Δg Δi play :D Δa + Δb + Δc + 1 + Δd + Δe + Δf + 0.5 + Δf + Δg + Δh Statement Real Virtual Scheduled Duration Time Time Time

Δa play :C 0.5 0 + Δa 0 Δb play :E 0.5 0 + Δa + Δb 0 Δc play :G 0.5 0 + Δa + Δb + Δc 0 sleep 1 1 1 Δd play :F 1.5 1 + Δd 1 Δe play :A 1.5 1 + Δd + Δe 1 Δf play :C 1.5 1 + Δd + Δe + Δf 1 sleep 0.5

1.5 1.5 Δg play :G 2 1.5 + Δg 1.5 Δh play :B 2 1.5 + Δg + Δh 1.5 Δi play :D 2 1.5 + Δg + Δh + Δi 1.5 A formal semantics for sleep

• Abstract interpretation “time system”

• Denotational semantics (via monads)

• Prove “time safety” = prove semantics sound wrt. time system

Paper has the full details sleep 1 kernelSleep 1 kernelSleep 2 kernelSleep 2 Statement Real Virtual Scheduled Duration Time Time Time sleep 2 sleep 1 sleep 1 sleep 1 sleep 2 sleep 2 kernelSleep 2 Δ a play :C 0.5 sleep 2 0 + Δa 0 Δb play :E 0.5 0 + Δa + Δb 0 (a) Two sleeps (b) One sleep (c) Half a sleep (d) No sleeps Δc play :G 0.5 0 + Δa + Δb + Δc 0 sleep 1 Figure 7. Example programs with different sleep behaviours 1 1 Δd play :F 1.5 1 + Δd 1 4. A time system for Sonic Pi Δe play :A 1.5 1 + Δd + Δe 1 From our experiences, we’ve found that the programming model Δf play :C 1.5 1 + Δd + Δe + Δf 1 of Sonic Pi, particularly its temporal model, is easy to understand by even complete beginners, including children. By a few simple sleep 0.5 examples it is easy to demonstrate the temporal semantics, using 1.5 1.5 sounds as output, without having to appeal to any meta-theory; Δg play :G 2 1.5 + Δg 1.5 Sonic Pi attains the goal of being a good first language. Δh play :B 2 In this section, we approach the programming model of Sonic Pi 1.5 + Δ + Δ g h 1.5 from a more theoretical angle, in order to develop a specification of Δi play :D 2 1.5 + Δg + Δh + Δi 1.5 our programming model that can be reused for other applications and languages outside of the Sonic Pi context. From our model we prove a number of core properties of Sonic Pi as well. It is in Figure 6. Timing behaviour of Sonic Pi v2.0 including virtual and no way necessary for programmers of Sonic Pi to understand this scheduled time with a scheduleAheadTime of 0.5. theory, but the contribution here is useful for future language design and implementation research. Firstly, we define an abstract specification of virtual time and ac- value is added to the current virtual time for all asynchronously tual elapsed time in a simple core subset of Sonic Pi (Section 4.1). scheduled effects. Provided that the addition of the jitter time and This gives an abstract, axiomatic model of the semantics which we the execution time between calls to sleep never exceeds this value, call a time system. This model is made more concrete by providing the temporal expectations of the system are met. a denotational-style, monadic semantics in the next section (Sec- It is possible that a computation preceding a sleep can over- tion 5), introducing the temporal monad. We prove the monadic run; that is, run longer than the sleep time. Thus, the programming model sound with respect to the initial axiomatic specification, up model is not suitable for realtime systems requiring hard deadlines to small permutations in time delay (Section 5.3). but sleep instead provides a soft deadline (in the terminology of Hansson and Jonsson [HJ94]). However, if a given thread falls be- Terminology and notation We refer to sequences of statements as hind, the user receives explicit timing warnings (described further programs. Throughout, P , Q range over programs, and s, t range in Section 6). Finally, if the thread falls further behind by a user- over times (usually in seconds). specifiable amount of time then Sonic Pi will stop that thread by A core fragment of Sonic Pi In the rest of this paper, we model throwing a time exception. This therefore not only provides essen- a core subsetSimplified of the Sonic Sonic Pi Pi v2.0 v2.0 language syntax with the following tial information to users about the temporal behaviour of the pro- grammar, where P are programs, S statements, and E expressions: gram but also serves as a safety mechanism against a common class of errors such as placing an isolated call to play within a loop with P ::= P ; S | ; no calls sleep. In such cases, the thread will no longer permanently S ::= E v = E | sit in a tight loop consuming all resources, but will self-terminate i E ::= sleep R 0 A v allowing any other threads to continue executing normally. > | | where Ai represents operations (actions) in Sonic Pi other than 3.1 Examples sleep, e.g., some Aj is the play operation. We use this to abstract Figure 7 shows four similar programs which each have different over operations in the language which do not modify virtual time. internal behaviours for sleep, illustrating its semantics. We use By the above definition, programs P are a “snoc”-list (i.e., el- the function kernelSleep, which is not a standard part of the ements are “consed” onto the end, not front as is standard for Sonic Pi language, as a placeholder to represent a computation inductively-defined lists) where is the empty list. Equivalently, se- lasting a particular length of time (as specified by the parameter quential composition of statements; is syntactically left-associated. to kernelSleep). The first three example programs take 3s to This structure aids later proofs since it allows inductive reasoning execute and the last takes 4s to execute, with the behaviours: on a statement of a program and its preceding program, which is key to accurately modelling sleep. (a) 3s – sleeps for 1s then sleeps for 2s (two sleeps performed); Statements S may be expressions on their own, or may have (b) 3s – performs a computation lasting 1s, ignores the first sleep (pure) bindings to variables. Throughout we consider the first case since its minimum duration has been reached, and then sleeps of S as a degenerate case of the second where the variable is for 2s (one sleep performed); irrelevant i.e., = E where denotes a wildcard variable. (c) 3s – performs a computation lasting 2s, which means that the We’ll add the previously seen kernelSleep operation to the first sleep is ignored, and the second sleep waits for only 1s core subset here, which blocks the current computation for the time to reach its minimum duration (half a sleep performed); specified by its parameter, i.e., it has the semantics of POSIX sleep. This operation is not available in the actual language, but it is useful (d) 4s – performs a computation lasting 2s, thus the first sleep for examples and contrasting with sleep. is ignored, then performs a computation lasting 2s, thus the This core subset is a zero-order language, in the sense that we do second sleep is ignored (no sleeps performed). not include the definition or calling of user-defined functions; nor do we incorporate the threading constructs provided by Sonic Pi. – [kernelSleep 2; sleep 1]t 2 Extending the model here to include these is however straightfor- ⇡ where P = kernelSleep 2, [P ]v =0, t =1, and ward, but we stick with a simple language for the sake of succinctly [P ]t =2, thus ([P ]v + t) < [P ]t introducing and reasoning about the core temporal behaviour.

– [kernelSleep 1; sleep 2]t 2 4.1 Virtual time and real time ⇡ where P = kernelSleep 1, [P ]v =0, t =2, and As described previously, the programming model of Sonic Pi dis- [P ]t =1, thus ([P ]v + t) > [P ]t tinguishes between the actual time elapsed since the start of a pro- gram P which we write here as [P ]t and the virtual time which is Definition 2 illuminates the semantics of sleep, showing the in- advanced by sleep statements which we write as [P ]v. Both these teraction between actual [ ]t and virtual time [ ]v in the case for abstract functions return time values, thus, [ ]v, [ ]t , i.e., sleep. In this case, the definition of [ ]t is not a straightforward R>0 both return positive, real-number values. 2 recursive decomposition on programs, statements, and expressions In this section, we give specifications to [ ]v and [ ]t providing as in the definition of [ ]v. Instead, the actual time of a sleep an axiomatic model of Sonic Pi’s temporal behaviour. depends on its context, which is the pre-composed (preceding) pro- Virtual time [ ]v can be easily defined over all programs, state- gram P and its actual time [P ]t. This is why we have structured the ments, and expressions, since the sleep operation is the only ex- core subset language here in terms of “snoc”-list since the tempo- pression changing virtual time: ral semantics of an individual statement can depend on the program that has come before it (the tail of the “snoc”-list). Thus, the syntac- Definition 1. Virtual time is specified for statements of Sonic Pi tic structure here facilitates the modelling of sleep and subsequent programs by the following cases: proofs on program properties (coming up next). [P ; v = E]v =[P ]v +[E]v [sleep t]v = t [v]v =0 The specifications on [ ]v and [ ]t provide the following i [ ]v =0 [A ]v =0 lemma about the temporal semantics of Sonic Pi programs: ; We therefore overload [ ]v to programs, statements, and expres- Lemma 1. For any program P then [P ]t > [P ]v. sions. Anything other than sleep or sequential composition has That is, the actual running time of a program is always at least the virtual time is 0. Note that the equations on the left define the virtual time; a Sonic Pi program never “under runs” its virtual [ ]v for programs (with statements covered by the single case for time specification. P; v = E), and on the right for expressions. Equality on time Providing exact deadlines in real-time systems Proof. By induction on the structure of programs. is difficult due to non-determinism combined with execution over- P = . Trivial since [ ]v =0by Definition 1. heads. We do not ignore this problem in the programming model • ; ; P =(P 0; v = E), split on E of Sonic Pi and the discussion here. We define the relation on • actual times, where: ⇡ E = sleep t (a) by Definition 1, [P 0; sleep t]v =[P 0]v + t. do we incorporate the threading constructss, t. provided s t by Sonic(s t) Pi.6 ✏ – [kernelSleep(1) 2; sleep 1]t 2 8 ⇡ ⌘ | | (b) by Definition⇡ 2, [P 0; sleep t]t =([P 0]v +t) max [P 0]t. Extending the model here to include these✏ is however straightfor- (c) by (b) (([P 0]v + t) max [P 0]t) [P 0]v + t do we incorporate the threading constructs provided byfor Sonic some Pi. value of which– [kernelSleep is the maximum 2 negligible; sleep 1time]t where value2 P = kernelSleep 2, [P ]v =0, t =1> , and ward, but we stick with awith simple respect language to the for application the sake at of hand. succinctly For example, if ✏ ⇡=0.1 by (a) and (c) then [P 0; sleep t]t [P 0sleep t]v Extending the model here to includedo these we incorporate is however the straightfor- threading constructs provided by Sonic Pi. – [kernelSleep[P ]t =2, thus 2;([sleepP)]v + 1t])t < [2P ]t > introducing and reasoning about3 3 the.05 core2. temporal92 where behaviour.P = kernelSleep 2, [P ]v =0, t =1⇡ , andi Extending the model herethen to include these is.kernelSleep however straightfor- 2 sleep 1 otherwise E = A ward,do but we we incorporate stick with the a simple threading language constructs for provided the sake by of succinctly Sonic⇡ Pi. ⇡ – [ ; ✏ ]t 2 where P = kernelSleep 2, [P ]v =0, ti =1, and ward, but we stick with a simpleIn the languagecase of Sonic for the Pi, sake we[P ] mitigatet of=2 succinctly, thus any -time([P ]v differences+⇡–t[)kernelSleep< [P by]t 1; sleep(a) by 2 Definition]t 2 1, [P 0; v = A ]v =[P 0]v introducingExtending and the reasoning model here about to include the4.1 core these Virtual temporal is however time behaviour. and straightfor- real time [P ]t =2, thus ([P ]v + t) <⇡[P ]t i i scheduling calls to the synthesisewhere P server= kernelSleep using the current 2, virtual[P ]v =0, t =1(b), by and Definition 2, [P 0; v = A ]t =[P 0]t +[A ]t ward, but we stick with a simple languageintroducing for the and sake reasoning of succinctly about the core temporal behaviour. where P = kernelSleep 1, [P ]v =0, t =2, and As described previously,time the (see programming the diagram model– of[ FigurekernelSleep[P ] oft =2 6).Sonic, Later thus Pi in([ dis-P 1the;]vsleep denotational+ t) < 2[P]t ]t model2 (c) by inductive hypothesis [P 0]t > [P 0]v. 4.1introducing Virtual time and reasoning and real about time the core temporal behaviour.(Section 5), we’ll demonstrate sources of temporal variations– [kernelSleep⇡[P ]t✏,=1, thus 1;([sleepP ]v + 2t])t > [2P ]t tinguishes4.1 Virtual between time the and actual real time time elapsed since the start of a pro- (d) since⇡[ ]t R>0, by monotonicity and (c) [P 0]t + P = kernelSleep 1 [P ] =01t =2 2 which are limited– to[kernelSleep a verywhere small part 1; ofsleep the model. 2]t Crucially,2 , P v= kernelSleep, 0, 1 and[P ] =0t =2 As described previously, the programminggram P which model we of write Sonic here Pi as dis-[P ]t and the virtual time which is Definitionwhere 2 illuminates the[A ] semanticst > [P ]v., of sleepv , showing, the, and in- 4.1 Virtual time and real time As described previously,these the✏ programmingtime differences model do not[P of] accumulate–t Sonic=1, Pi thus dis- the([Psleep]v +⇡toperation) > [P ]t i i advanced by sleep statements which we writewhere as [P ]vP. Both= thesekernelSleepteraction 1, [[PP between]]tv =1=0, thus actual, t ([=2P)[]vby+],t andand (a),t) > (b), virtual[P (d)]t then time[P[ 0;]vv =inA the]t case> [P for0; v = A ]v. tinguishesAs described between previously, the actual the time programming elapsedtinguishes since model between the of start Sonic theprovides actual of Pi a dis- pro- time a barrier elapsed which since prevents the start this. of a pro- abstract functions return time values, thus, [ ]v[P, []t ]=1t ,R thus0,([i.e.P,]v + t) sleep> [P ]t. In this case, the definition of [ ]t is not a straightforward gram P which we write here as [P ]gramt andP thewhich virtual we write time herewhich as is[P ]t andDefinition the virtual time 2 illuminates which> is theDefinition semantics 2 of illuminatessleep, showing the semantics the in- of sleep, showing the in- tinguishes between the actual timeboth elapsed return since positive, the start real-numberAxioms of a pro- of values. actual timeThe virtual2 time and actual timerecursive of a single decompositionNote that on programs, this proof only statements, makes use and of expressions basic properties on rela- sleep advanced by sleep[P ]statements which weteraction write as [P between]v. Both these actual [ ]teractiont and virtual between time actual[ ]v[ in]t theand case virtual for time [ ]v in the case for advancedgram P bywhich westatements write here aswhich[P ]t weand write the virtual as timev. Both which these is Definition 2 illuminates[sleep the semanticst] [sleep of sleept] , showingtions and the the in- specifications of [ ]t and [ ]v given here. This will In this section, we givesleep specifications statement are to roughly[ ]v and the[ same,]t providingi.e., v assleep in the definitiont of[ ]v. Instead,[ the] actual time of a sleep abstract functions return time values,abstract thus, functions[ ]v, [ ] returnt time, i.e. values,, thus,sleep[ ]v,.[ In]t thisR case,>0, i.e. the, definition⇡ . of In[ this]t case,isbe not the useful a definition straightforward later: we of can provet is not soundness a straightforward of our denotational model advanced by sleep statements which we write as [P ]v. BothandR> thus these0 [sleep teractiont]t t (by between the specification actual [ ]t inand Definitiondepends virtual ontime 1). its[context]v in the, which case is for the pre-composed (preceding) pro- anboth axiomatic return positive, model of real-number2 Sonic Pi’s temporal values. behaviour.⇡ 2 recursive decomposition on programs, statements, and expressions bothabstract return positive, functions real-number return time values, values. thus, [ ]v, [ ]t This0, holdsi.e., only whensleeprecursivesleep. In thisis decomposition used case, in the isolation, definition on that programs, of is,[ when]t is it statements, not a straightforwardwith respect and expressions to the two definitions and get the above lemma for free Virtual time [ ]v canR be> easily defined over all programs, state- gram P and its actual time [P ]t. This is why we have structured the In this section, we2 give specifications to [ ]v and [ ]t providing as in the definitionfollowing of [ ]v. from Instead, this proof. the actual time of a sleep Inboth this return section, positive, we give real-number specificationsments, values. to and[ expressions,]v and [ ]tisproviding since the only the sleep statementrecursiveoperationas in in a program. the decomposition is definition the As only shown ex- of on by[ programs, the]v.core examples Instead, subset statements, of the language actual and here expressions time in of terms a sleep of “snoc”-list since the tempo- an axiomatic model of Sonic Pi’s temporal behaviour.sleep depends on its context, which is the pre-composed (preceding) pro- an axiomaticIn this section, model of we Sonic give specifications Pi’s temporalpression to changing behaviour.[ ]v and virtual[ ]t providingSection time: 3.1, the useasdepends of in the definition ont in its a programcontext of [ does,]v which. Instead, notral mean is semantics the the that pre-composed actual a of an time individual of (preceding) a sleep statement pro- can depend on the program Virtual time [ ]v canprogram be easily necessarily defineddepends waits over all for on programs,t itsseconds–context state- depending, which is on thegram the pre-composed context,P and its actual (preceding)The time abstract[P ] pro-t specification. This is why of we the have temporal structured behaviour the here gives us Virtualan axiomatic time [ model]v can of be Sonic easily Pi’s defined temporal over behaviour. all programs, state- gram P and its actual time [Pthat]t. has Thiscome is why before weit have (the tail structured of the “snoc”-list). the Thus, the syntac- ments, and expressions, since the sleep operation is the0 onlyt ex- core subset languagea model here to in reason terms of about “snoc”-list time in Sonic since Pi the programs. tempo- Virtual time[ ]v can be easilyDefinition definedTime over 1.system allVirtual programs, timeit may is state- specifiedwait for anywhere forgram statementsP betweenand its of actualand Sonic timeseconds. Pi [P ]t. This is why we have structured the ments, and expressions, since the sleeppressionoperation changing is virtual the only time: ex- core subset language here inticral terms structure semantics of “snoc”-list here of an facilitates individual since the statement the modelling tempo- can of dependsleep onand the subsequent program ments, and expressions, since theprogramssleep operation by the following is the only cases: ex- core subset language here in terms of “snoc”-list sinceExample the tempo- 2. Consider subprograms A, B, C where [A]v =[B]v = pression changing virtual time: Definition 2. The actualral semantics elapsed time of[ an]t individualcan be (partially)proofsthat statement has on spec-come program can before depend propertiesit (the on tail the (coming of program the “snoc”-list). up next). Thus, the syntac- pression changing virtual time: [—]v : virtualified time at the level ofral programs semantics[—]t : by actual of the an following individual time equations: statement can depend[ onC] thev =0 programwhich are interposed with two sleep statements of Definition[P ; v = E] 1.v =[VirtualP ]v +[ timeE]v is specified[sleep forthat statementst] hasv =comet of[v before Sonic]v =0 Piit (the tailtic of structureThe the specifications “snoc”-list). here facilitates onThus, the[ ] the modellingv and syntac-[ ] oft providesleep and the subsequent following that hasi come before it (the tail of the “snoc”-list). Thus,duration the syntac-s1and s2: Definition 1. Virtual time is specifiedprograms for statements by[ ]v the=0 following of Sonic cases: Pi [A []v] =00 lemma about the temporal semantics of Sonic Pi programs: Definition 1. Virtual time is specified for statements; of Sonic Pi tic structuret here facilitates theproofs modelling on programsleep of sleep propertiesand (coming subsequent up next). programs by the following cases: tic structure; ⇡ here facilitates the modelling of and subsequentP = A; sleep s1; B; sleep s2; C programs by the following cases: [P ; v = E]v =[P ]v +[E]v [sleep t]v = t [v]v =0 The specifications on [ ]v and [ ]t provide the following We therefore overload [ ]v to programs,[P ;proofssleepproofs statements,t on]t on program([ program andP ]v + expres- propertiest) propertiesmax [P (coming]t Lemma (coming up 1. next). upFor next). any program P then [P ]t > [P ]v. [ ] =0 [Ai] =0⇡ lemma about the temporal semantics of Sonic Pi programs: [P ; v = E]v =[P ]v +[E]v sions.[sleepsleep Anythingt]v v= othert than[v]v sleep=0 or sequentialTheiv composition specificationsi has on [ ]v and [ ]t provideThen by the the following above definitions, we see that if [A]t 6 s1 and [P ; v = E]v =[P ]v +[E]v [ t;]v = t [v]v =0 [P ; v =TheA ]t specifications[P ]t +[A ] ont [ ]v andThat[ ]t is,provide the actual the running following time of a program is always at least the virtual timeii is 0. Note that the equations on⇡ the left define [B]t 6 s2 then [P ]t = s1 + s2 +[C]t. [ ]v[ =0]v =0We therefore [ [AA ]]vv overload=0 [ ]v to programs,i lemmalemma statements, about about the and the temporal expres- temporal semantics semanticsLemma of Sonic 1. ofFor Sonic Pi programs: any Pi program programs:P then [P ]t > [P ]v. ; In the case of A = kernelSleep, then [kernelSleepthet virtual]t = t. time; a Sonic Pi program never “under runs” its virtual ; [ sions.]v for Anything programs other (with than statementssleep coveredor sequential by the composition single case hasfor We now move on to a denotational model, which provides a seman- WeWe therefore therefore overload overload[ []v ]vtoto programs, programs, statements, statements, and and expres- expres- LemmaLemma 1. 1.ForFor any any program programP thentimePThat[thenP specification.]t is,>[P the[P]t]v> actual. [P ]v running. time of a program is always at least Pthe; v = virtualE), and time on is the0. rightExample Note for that expressions. 1. theThe equations following on two the small left example define programs illustrate tics for the core subset of the language described here. We’ll prove sions.sions. Anything Anything other other than thansleepsleeporore.g. sequential sequential P; sleep composition composition 2 where has has [P ]t = 1, [P ]v = 0 the virtual time; a Sonic Pi program never “under runs” its virtual [ ]v for programs (withthis statements definition, covered both ofThat by whichThat the is, theis, have single the actual actual case actual running time for running 2 but time arising timeof a program from of a program isthis always sound is always at semanticsleast at least with respect to the axiomatic model of this the virtual time is0 0. Note thatEquality the equations on time on theProviding left define exact deadlinessleep in real-timekernelSleep systems Proof.time specification.By induction on the structure of programs. the virtual time is . Note that theP ; equationsv = E), and on on the the leftdifferent right∴ define[P for; sleep calls expressions. to 2]thet = virtual(0and + 2) time; max 1 a = Sonic 2 . Pi program never “under runs”section, its linking virtual the two levels of model. [ ] is difficult due to non-determinism combinedthe with virtual execution time; a over- Sonic Pi program never “under runs” its virtual [ ]v forv programsfor programs (with (with statements statements covered covered by by the single single case case for for heads. We do not ignore this[P problem; sleep 2] intimev the=time 2 specification. programming specification. model P = . Trivial since [ ]v =0by Definition 1. P; vP=; vE= E), and on the right for expressions.Equality on time Providing exact deadlines in real-time systems Proof.• By; induction on the; structure of programs. ), and on the right for expressions. P =(P 0; v = E), split on E ofis Sonic difficult Pi due and to the non-determinism discussion here. combined We define with the execution relation over-on • Equality on time Providing exact deadlines in real-time systems Proof. By induction on⇡ the structureP of= programs.E =. Trivialsleep sincet [ ]v =0by Definition 1. Equality on time Providing exactactualheads. deadlines times, We do in where: not real-time ignore systems this problem inProof. the programmingBy induction model on the structure• ; of programs. ; is difficult due to non-determinismof combined Sonic Pi with and the execution discussion over- here. We define the relation on P =((a)P by0; Definitionv = E), split 1, [P on0;Esleep t]v =[P 0]v + t. is difficultheads. We due do to not non-determinism ignore this problem combined in the with programming executions, t. s model over-t (s t)P6=✏ . Trivial since⇡(1)[ ]v =0by• Definition 1. actual times, where:8 ⇡ ⌘ | • | P ;= . Trivial since; [ ]v =0by(b)E Definition= bysleep Definitiont 1. 2, [P 0; sleep t]t =([P 0]v +t) max [P 0]t. heads.of Sonic We do Pi not and ignore the discussion this problem here. We in the define programming the relation modelon P• =(P 0; v = E), split on E for some value of ✏ which is the maximum• negligible; time value ; (c)(a) by by (b)Definition(([P 0]v 1,+[Pt)0;maxsleep[Pt0]tv)=[> P[P0]0v]v++tt. of Sonicactual Pi times, and where: the discussion here. We define the relations, t. s ⇡ t on (s t) 6PE✏=(= sleepP 0; v =t E(1)), split on E with respect to the8 application⇡⇡ at⌘ hand.| For•| example, if ✏ =0.1 )(b)by by (a) Definition and (c) then 2, [P[0P; sleep0; sleept]tt=([]t >P[P0]0vsleep+t) maxt]v [P 0]t. actual times, where: (a)E by= Definitionsleep t 1, [P 0; sleep t]v =[P 0]v + t. i s, t. s t thenfor(s3 somet3). value05 ✏ of2.92✏ which. is(1) the maximum negligible time value otherwise(c) by (b) (([E P=0]Av + t) max [P 0]t) > [P 0]v + t ⇡ 6 ⇡ 0 0 0 0 0 i 8 ⇡ ⌘ | | ✏ (b)(a) by Definition by Definition✏ =0 2,.1[P 1,; sleep[P ; sleept]t =([byt (a)]Pv =[] andv +Pt (c)) ]maxv then+ t[[.PP 0];tsleep. t]t [P 0sleep t]v s, t. s t with(Ins the respectt) case6 to✏ of the Sonic application Pi, we mitigate(1) at hand. any For example,-time differences if by (a)) by Definition 1, [P 0; v = A ]v =[>P 0]v for some value8 of ✏ which⇡ is the⌘scheduling maximumthen| 3 |3 calls negligible.05 to2. the92 time. synthesise value server using(c) the(b) by current (b) by Definition(([ virtualP 0]v + t) 2,max[P 0;[sleepP 0]totherwise) >t[]Pt =([0]v E+P=t 0]Av +i t) max [Pi0]t. i ⇡ ⇡ (b) by Definition 2, [P 0; v = A ]t =[P 0]t +[A ]t for somewith respect value of to the✏ which application is the at maximum hand.In the For case negligible example, of Sonic if time✏ Pi,=0 we value.1 mitigate any ✏-time) by(c) differences(a) by and (b) (c)(([ thenP by0]v[P+0;tsleep) maxt][tP>0]t[)P 0sleep[P 0]vt]+v t i time (see the diagram of Figure 6). Later in the denotational model (c)(a) by by inductiveDefinition> hypothesis 1, [P 0; v =[PA0]]tv>=[[PP0]0v]v. then 3 3.05 2.92. i i i with respect to the application at(Section hand.scheduling For 5), example, calls we’ll to demonstrate the if synthesise✏ =0 sources.1 server of using temporalotherwise the currentby variations (a)E and= virtualA (c)✏, then [P 0; sleep t]t [P 0sleep0 t]v 0 ⇡ ⇡ ) i (d)(b) by since Definition>[ ]t 2,R[P>0;,v by= monotonicityA ]t =[P ]t +[ andA (c)]t [P 0]t + In the case of Sonic Pi, we mitigatetime (see any the✏-time diagram differences of Figure by 6). Later in the(a) denotational by Definition model 1, [Pi0; v = A ]v =[1 P 0]v 2 then 3 3.05 2.92. which are limited to a very small part of the model.otherwise Crucially,E = A [(c)A by]t inductive[P 0]v. hypothesis [P 0]t > [P 0]v. scheduling calls to the synthesise server using the current virtual i > i ⇡ ⇡ these(Section✏ time 5), differences we’ll demonstrate do not accumulate– sources of temporal the(b)sleep by Definition variationsoperation 2,✏, [P 0; v = A ]t =[iP 0]t +[[ ]A ]t i i[P 0] + In the case of Sonic Pi, we mitigate any ✏-time differences by (a) by Definition 1, [P 0; v =)(d)Aby since] (a),v =[ (b),P t0 (d)]v thenR>[0P,0 by; v monotonicity= A ]t > [P 0 and; v = (c)A ]v. t time (see the diagram of Figure 6).which Later in are the limited denotational to a very model small part of the model. Crucially, [P 0] 1[P 0] 2 scheduling calls to the synthesiseprovides server using a barrier the which current prevents virtual this. (c) by inductive hypothesis t [>A ]it >v.[P 0]v. i (Section 5), we’ll demonstrate sources✏ of temporal variations ✏, (b)sleep by Definition 2, [P 0; v = A ]t =[P 0]t +[A ]t i i these time differences do not accumulate– the(d) since [operation]t R>0, by monotonicityby (a), (b), and (d) (c) then[P 0[]Pt +0; v = A ]t [P 0; v = A ]v. time (see the diagram of Figure 6).Axioms Later in of the actual denotational time The model virtual time and actual1(c) time by of inductive a single2 hypothesisNote that[)P 0 this]t proof[P 0]v only. makes use of basic> properties on rela- which are limited to a very smallprovides part of a the barrier model. which Crucially, prevents this. [A ]t [P 0]v. > > tions and the specifications of [ ]t and [ ]v given here. This will (Section 5),✏ we’ll demonstrate sourcessleep statement of temporal aresleep roughly variations the same,✏, i.e., [sleep t(d)]v since[sleep[ t]]tt 0, byi monotonicity andi (c) [P 0]t + these time differences do not accumulate– the operation by (a), (b), (d) then [PR0;>v = A ]t [P 0; v = A ]v. Axioms ofsleep actual time The virtual time and actual) time1⇡ of a single 2 beNote useful that later: this> proof we can only prove makes soundness use of of basic our properties denotational on model rela- whichprovides are limited a barrier to which a very prevents smalland this. part thus of[ the model.t]t Crucially,t (by the specification in[A Definition]t [P 0] 1).v. ⇡ > tions and the specifications of [ ]t and [ ]v given here. This will these ✏ time differences do not accumulate–Thissleep holds statement only the sleep when are roughlysleepoperation theis same, used ini.e. isolation,, [sleep t that]v is,[sleep whent it]t with respect toi the two definitionsi and get the above lemma for free Note that) thisby⇡ proof (a), (b), only (d) makes thenbe use[P useful0; ofv basic= later:A properties]t we> can[P 0 prove; v on= rela- soundnessA ]v. of our denotational model providesAxioms a barrier of actual which time preventsThe virtual this.isand the time thus only and[ statementsleep actual timet]t in of a a program.t single(by the As specification shown by in the Definition examples 1). of following from this proof. ⇡ tions and the specifications of [ with]t and respect[ ]v given to the two here. definitions This will and get the above lemma for free sleep statement are roughly the same,SectionThisi.e. holds, 3.1,[sleep theonly uset when]v of [sleepsleepsleepttis]int used a program in isolation, does not that mean is, when that a it ⇡ be useful later: we can prove soundnessfollowing of ourfrom denotational this proof. model Axiomsand of thus actual[sleep timet]t Thet virtual(by theprogramis time specification the and only necessarily actual statement in time Definition waits in of a for a program. singlet 1).seconds– As shown dependingNote by that the on this examples the context, proof of only makesThe abstract use of specification basic properties of the temporal on rela- behaviour here gives us ⇡ with respect to the two definitions and get the above lemma for free sleepThis statement holds only are whenroughlysleep the same,is useditSection mayi.e. in wait, isolation,[sleep 3.1, for the anywheret use that]v of is,[sleepsleep between whent ittin]t0 aand programt seconds.tions does and not the mean specifications that a a of model[ ]t toand reason[ ]v aboutgiven time here. in SonicThis will Pi programs. is the only statement in a program.program As shown necessarily by the⇡ examples waits for t ofseconds–following dependingbe useful from on later: the this context, we proof. can proveThe soundness abstract specification of our denotational of the temporal model behaviour here gives us and thus [sleep t]t t (by the specification in Definition 1). Example 2. Consider subprograms A, B, C where [A]v =[B]v = Section 3.1, the use⇡ of sleep t inDefinitionit a may program wait 2. does forThe anywhere not actual mean elapsed between that a time0 and[ t]twithseconds.can be respect (partially) to the spec- two definitionsa model and to get reason the about above time lemma in Sonic for free Pi programs. This holds only when sleep is usedified in at isolation, the level of that programs is, when by the it followingThe abstract equations: specification of the[ temporalC]v =0 behaviourwhich are here interposed gives us with two sleep statements of program necessarily waits for t seconds– depending on the context, following from this proof. Example 2. Consider subprograms A, B, C where [A]v =[B]v = is the only statement in a program.Definition As shown 2. byThe the actual examples elapsed of time [a model]t can be to (partially) reason about spec- time in Sonicduration Pi programs.s1 and s2: it may wait for anywhere between 0 and t seconds. [ ]t 0 [C]v =0which are interposed with two sleep statements of Section 3.1, the use of sleep t in aified program at the leveldoes of not programs mean; ⇡ that by the a following equations: duration s1 andPs2=: A; sleep s1; B; sleep s2; C The actual elapsed time [ ]t can[P be; (partially)sleep t]t spec-([P ]v + Examplet) Themax abstract[P 2.]t Consider specification subprograms of theA, temporalB, C where behaviour[A]v =[B here]v = gives us programDefinition necessarily 2. waits for t seconds– depending on the[ context,]t 0 ; ⇡⇡ [C]v =0which are interposed with two sleep statements of it mayified wait at the for level anywhere of programs between by the0 and followingt seconds. equations: i ia model to reason about timeThen in Sonic by the Pi programs.aboveP = A definitions,; sleep s1; weB; seesleep thats2 if; C[A]t 6 s1 and [[PP;;vsleep= A ]tt]t [P([P]t ]+[v +At)]tmax s[P ]t s ⇡ duration 1 and 2: [B]t s2 then [P ]t = s1 + s2 +[C]t. [ ]t 0 ⇡ 6 Definition 2. The actual elapsed time [ ]t can bei (partially)i spec- iExample 2. Consider subprogramsThen byA the, B above, C where definitions,[A]v =[ weB] seev = that if [A]t 6 s1 and ; ⇡ In the case of A[P=; vkernelSleep= A ]t [P,]t then+[A[kernelSleep]t Pt]=t =A;t.sleep s1; B; sleep s2; C [P ; sleep t]t ([P ]v +t) max [P ]t ⇡ [C]v =0which are interposedWe[B]t now6 s with move2 then twoon[P to]t sleep a= denotationals1 + statementss2 +[C model,]t. of which provides a seman- ified at the level of programs by⇡ the following equations:i ExampleIn the case 1. ofTheA following= kernelSleep two small, then example[kernelSleep programst illustrate]t = t. tics for the core subset of the language described here. We’ll prove [P ; v = Ai] [P ] +[Ai] Thenduration by thes1 aboveand s2 definitions,: We we now see move that if on[A to] at denotational6 s1 and model, which provides a seman- [ ]t t 0 thist definition,t both of which have actual time 2 but arising from this sound semantics with respect to the axiomatic model of this ⇡ Example 1. The following two small example[B]t 6 s programs2 then [P illustrate]t = s1 + s2 +[ticsC] fort. the core subset of the language described here. We’ll prove i ; ⇡ different calls to sleep and kernelSleep. P = A; sleepsection,s1; B linking; sleep thes two2; C levels of model. In the case[ ofP ;Asleep= kernelSleept]t ([P ]this,v then+ definition,t)[kernelSleepmax [P both]t oft] whicht = t. have actual time 2 but arising from this sound semantics with respect to the axiomatic model of this ⇡ We now move on to a denotational model, which provides a seman- i differenti calls to sleep and kernelSleepThen. by the above definitions,section, we linking see that the two if [ levelsA]t of model.s1 and Example 1.[PThe; v = followingA ]t two[P small]t +[ exampleA ]t programs illustrate tics for the core subset of the language described here. We’ll prove6 this definition, both of which⇡ have actual time 2 but arising from this[B sound]t 6 s semantics2 then [P with]t = respects1 + s2 to+[ theC axiomatic]t. model of this i In thedifferent case of callsA to=sleepkernelSleepand kernelSleep, then [kernelSleep. t]t = t. section, linking the two levels of model. We now move on to a denotational model, which provides a seman- Example 1. The following two small example programs illustrate tics for the core subset of the language described here. We’ll prove this definition, both of which have actual time 2 but arising from this sound semantics with respect to the axiomatic model of this different calls to sleep and kernelSleep. section, linking the two levels of model. do we incorporate the threading constructs provided by Sonic Pi. – [kernelSleep 2; sleep 1]t 2 Extending the model here to include these is however straightfor- ⇡ where P = kernelSleep 2, [P ]v =0, t =1, and ward, but we stick with a simple language for the sake of succinctly [P ]t =2, thus ([P ]v + t) < [P ]t introducing and reasoning about the core temporal behaviour.

– [kernelSleep 1; sleep 2]t 2 4.1 Virtual time and real time ⇡ where P = kernelSleep 1, [P ]v =0, t =2, and As described previously, the programming model of Sonic Pi dis- [P ]t =1, thus ([P ]v + t) > [P ]t tinguishes between the actual time elapsed since the start of a pro- gram P which we write here as [P ]t and the virtual time which is Definition 2 illuminates the semantics of sleep, showing the in- advanced by sleep statements which we write as [P ]v. Both these teraction between actual [ ]t and virtual time [ ]v in the case for abstract functions return time values, thus, [ ]v, [ ]t , i.e., sleep. In this case, the definition of [ ]t is not a straightforward R>0 both return positive, real-number values. 2 recursive decomposition on programs, statements, and expressions In this section, we give specifications to [ ]v and [ ]t providing as in the definition of [ ]v. Instead, the actual time of a sleep an axiomatic model of Sonic Pi’s temporal behaviour. depends on its context, which is the pre-composed (preceding) pro- Virtual time [ ]v can be easily defined over all programs, state- gram P and its actual time [P ]t. This is why we have structured the ments, and expressions, since the sleep operation is the only ex- core subset language here in terms of “snoc”-list since the tempo- pression changing virtual time: ral semantics of an individual statement can depend on the program that has come before it (the tail of the “snoc”-list). Thus, the syntac- Definition 1. Virtual time is specified for statements of Sonic Pi tic structure here facilitates the modelling of sleep and subsequent programs by the following cases: proofs on program properties (coming up next). [P ; v = E]v =[P ]v +[E]v [sleep t]v = t [v]v =0 The specifications on [ ]v and [ ]t provide the following i [ ]v =0 [A ]v =0 lemma about the temporal semantics of Sonic Pi programs: ; We therefore overload [ ]v to programs, statements, and expres- Lemma 1. For any program P then [P ]t > [P ]v. sions. Anything other than sleep or sequential composition has That is, the actual running time of a program is always at least the virtual time is 0. Note that the equations on the left define the virtual time; a Sonic Pi program never “under runs” its virtual [ ]v for programs (with statements covered by the single case for time specification. P; v = E), and on the right for expressions. Equality on time Providing exact deadlines in real-time systems Proof. By induction on the structure of programs. is difficult due to non-determinism combined with execution over- P = . Trivial since [ ]v =0by Definition 1. heads. We do not ignore this problem in the programming model • ; ; P =(P 0; v = E), split on E of Sonic Pi and the discussion here. We define the relation on • actual times, where: ⇡ E = sleep t (a) by Definition 1, [P 0; sleep t]v =[P 0]v + t. do we incorporate the threading constructss, t. provided s t by Sonic(s t) Pi.6 ✏ – [kernelSleep(1) 2; sleep 1]t 2 8 ⇡ ⌘ | | (b) by Definition⇡ 2, [P 0; sleep t]t =([P 0]v +t) max [P 0]t. Extending the model here to include these✏ is however straightfor- (c) by (b) (([P 0]v + t) max [P 0]t) [P 0]v + t do we incorporate the threading constructs provided byfor Sonic some Pi. value of which– [kernelSleep is the maximum 2 negligible; sleep 1time]t where value2 P = kernelSleep 2, [P ]v =0, t =1> , and ward, but we stick with awith simple respect language to the for application the sake at of hand. succinctly For example, if ✏ ⇡=0.1 by (a) and (c) then [P 0; sleep t]t [P 0sleep t]v Extending the model here to includedo these we incorporate is however the straightfor- threading constructs provided by Sonic Pi. – [kernelSleep[P ]t =2, thus 2;([sleepP)]v + 1t])t < [2P ]t > introducing and reasoning about3 3 the.05 core2. temporal92 where behaviour.P = kernelSleep 2, [P ]v =0, t =1⇡ , andi Extending the model herethen to include these is.kernelSleep however straightfor- 2 sleep 1 otherwise E = A ward,do but we we incorporate stick with the a simple threading language constructs for provided the sake by of succinctly Sonic⇡ Pi. ⇡ – [ ; ✏ ]t 2 where P = kernelSleep 2, [P ]v =0, ti =1, and ward, but we stick with a simpleIn the languagecase of Sonic for the Pi, sake we[P ] mitigatet of=2 succinctly, thus any -time([P ]v differences+⇡–t[)kernelSleep< [P by]t 1; sleep(a) by 2 Definition]t 2 1, [P 0; v = A ]v =[P 0]v introducingExtending and the reasoning model here about to include the4.1 core these Virtual temporal is however time behaviour. and straightfor- real time [P ]t =2, thus ([P ]v + t) <⇡[P ]t i i scheduling calls to the synthesisewhere P server= kernelSleep using the current 2, virtual[P ]v =0, t =1(b), by and Definition 2, [P 0; v = A ]t =[P 0]t +[A ]t ward, but we stick with a simple languageintroducing for the and sake reasoning of succinctly about the core temporal behaviour. where P = kernelSleep 1, [P ]v =0, t =2, and As described previously,time the (see programming the diagram model– of[ FigurekernelSleep[P ] oft =2 6).Sonic, Later thus Pi in([ dis-P 1the;]vsleep denotational+ t) < 2[P]t ]t model2 (c) by inductive hypothesis [P 0]t > [P 0]v. 4.1introducing Virtual time and reasoning and real about time the core temporal behaviour.(Section 5), we’ll demonstrate sources of temporal variations– [kernelSleep⇡[P ]t✏,=1, thus 1;([sleepP ]v + 2t])t > [2P ]t tinguishes4.1 Virtual between time the and actual real time time elapsed since the start of a pro- (d) since⇡[ ]t R>0, by monotonicity and (c) [P 0]t + P = kernelSleep 1 [P ] =01t =2 2 which are limited– to[kernelSleep a verywhere small part 1; ofsleep the model. 2]t Crucially,2 , P v= kernelSleep, 0, 1 and[P ] =0t =2 As described previously, the programminggram P which model we of write Sonic here Pi as dis-[P ]t and the virtual time which is Definitionwhere 2 illuminates the[A ] semanticst > [P ]v., of sleepv , showing, the, and in- 4.1 Virtual time and real time As described previously,these the✏ programmingtime differences model do not[P of] accumulate–t Sonic=1, Pi thus dis- the([Psleep]v +⇡toperation) > [P ]t i i advanced by sleep statements which we writewhere as [P ]vP. Both= thesekernelSleepteraction 1, [[PP between]]tv =1=0, thus actual, t ([=2P)[]vby+],t andand (a),t) > (b), virtual[P (d)]t then time[P[ 0;]vv =inA the]t case> [P for0; v = A ]v. tinguishesAs described between previously, the actual the time programming elapsedtinguishes since model between the of start Sonic theprovides actual of Pi a dis- pro- time a barrier elapsed which since prevents the start this. of a pro- abstract functions return time values, thus, [ ]v[P, []t ]=1t ,R thus0,([i.e.P,]v + t) sleep> [P ]t. In this case, the definition of [ ]t is not a straightforward gram P which we write here as [P ]gramt andP thewhich virtual we write time herewhich as is[P ]t andDefinition the virtual time 2 illuminates which> is theDefinition semantics 2 of illuminatessleep, showing the semantics the in- of sleep, showing the in- tinguishes between the actual timeboth elapsed return since positive, the start real-numberAxioms of a pro- of values. actual timeThe virtual2 time and actual timerecursive of a single decompositionNote that on programs, this proof only statements, makes use and of expressions basic properties on rela- sleep advanced by sleep[P ]statements which weteraction write as [P between]v. Both these actual [ ]teractiont and virtual between time actual[ ]v[ in]t theand case virtual for time [ ]v in the case for advancedgram P bywhich westatements write here aswhich[P ]t weand write the virtual as timev. Both which these is Definition 2 illuminates[sleep the semanticst] [sleep of sleept] , showingtions and the the in- specifications of [ ]t and [ ]v given here. This will In this section, we givesleep specifications statement are to roughly[ ]v and the[ same,]t providingi.e., v assleep in the definitiont of[ ]v. Instead,[ the] actual time of a sleep abstract functions return time values,abstract thus, functions[ ]v, [ ] returnt time, i.e. values,, thus,sleep[ ]v,.[ In]t thisR case,>0, i.e. the, definition⇡ . of In[ this]t case,isbe not the useful a definition straightforward later: we of can provet is not soundness a straightforward of our denotational model advanced by sleep statements which we write as [P ]v. BothandR> thus these0 [sleep teractiont]t t (by between the specification actual [ ]t inand Definitiondepends virtual ontime 1). its[context]v in the, which case is for the pre-composed (preceding) pro- anboth axiomatic return positive, model of real-number2 Sonic Pi’s temporal values. behaviour.⇡ 2 recursive decomposition on programs, statements, and expressions bothabstract return positive, functions real-number return time values, values. thus, [ ]v, [ ]t This0, holdsi.e., only whensleeprecursivesleep. In thisis decomposition used case, in the isolation, definition on that programs, of is,[ when]t is it statements, not a straightforwardwith respect and expressions to the two definitions and get the above lemma for free Virtual time [ ]v canR be> easily defined over all programs, state- gram P and its actual time [P ]t. This is why we have structured the In this section, we2 give specifications to [ ]v and [ ]t providing as in the definitionfollowing of [ ]v. from Instead, this proof. the actual time of a sleep Inboth this return section, positive, we give real-number specificationsments, values. to and[ expressions,]v and [ ]tisproviding since the only the sleep statementrecursiveoperationas in in a program. the decomposition is definition the As only shown ex- of on by[ programs, the]v.core examples Instead, subset statements, of the language actual and here expressions time in of terms a sleep of “snoc”-list since the tempo- an axiomatic model of Sonic Pi’s temporal behaviour.sleep depends on its context, which is the pre-composed (preceding) pro- an axiomaticIn this section, model of we Sonic give specifications Pi’s temporalpression to changing behaviour.[ ]v and virtual[ ]t providingSection time: 3.1, the useasdepends of in the definition ont in its a programcontext of [ does,]v which. Instead, notral mean is semantics the the that pre-composed actual a of an time individual of (preceding) a sleep statement pro- can depend on the program Virtual time [ ]v canprogram be easily necessarily defineddepends waits over all for on programs,t itsseconds–context state- depending, which is on thegram the pre-composed context,P and its actual (preceding)The time abstract[P ] pro-t specification. This is why of we the have temporal structured behaviour the here gives us Virtualan axiomatic time [ model]v can of be Sonic easily Pi’s defined temporal over behaviour. all programs, state- gram P and its actual time [Pthat]t. has Thiscome is why before weit have (the tail structured of the “snoc”-list). the Thus, the syntac- ments, and expressions, since the sleep operation is the0 onlyt ex- core subset languagea model here to in reason terms of about “snoc”-list time in Sonic since Pi the programs. tempo- Virtual time[ ]v can be easilyDefinition definedTime over 1.system allVirtual programs, timeit may is state- specifiedwait for anywhere forgram statementsP betweenand its of actualand Sonic timeseconds. Pi [P ]t. This is why we have structured the ments, and expressions, since the sleeppressionoperation changing is virtual the only time: ex- core subset language here inticral terms structure semantics of “snoc”-list here of an facilitates individual since the statement the modelling tempo- can of dependsleep onand the subsequent program ments, and expressions, since theprogramssleep operation by the following is the only cases: ex- core subset language here in terms of “snoc”-list sinceExample the tempo- 2. Consider subprograms A, B, C where [A]v =[B]v = pression changing virtual time: Definition 2. The actualral semantics elapsed time of[ an]t individualcan be (partially)proofsthat statement has on spec-come program can before depend propertiesit (the on tail the (coming of program the “snoc”-list). up next). Thus, the syntac- pression changing virtual time: [—]v : virtualified time at the level ofral programs semantics[—]t : by actual of the an following individual time equations: statement can depend[ onC] thev =0 programwhich are interposed with two sleep statements of Definition[P ; v = E] 1.v =[VirtualP ]v +[ timeE]v is specified[sleep forthat statementst] hasv =comet of[v before Sonic]v =0 Piit (the tailtic of structureThe the specifications “snoc”-list). here facilitates onThus, the[ ] the modellingv and syntac-[ ] oft providesleep and the subsequent following that hasi come before it (the tail of the “snoc”-list). Thus,duration the syntac-s1and s2: Definition 1. Virtual time is specifiedprograms for statements by[ ]v the=0 following of Sonic cases: Pi [A []v] =00 lemma about the temporal semantics of Sonic Pi programs: Definition 1. Virtual time is specified for statements; of Sonic Pi tic structuret here facilitates theproofs modelling on programsleep of sleep propertiesand (coming subsequent up next). programs by the following cases: tic structure; ⇡ here facilitates the modelling of and subsequentP = A; sleep s1; B; sleep s2; C programs by the following cases: [P ; v = E]v =[P ]v +[E]v [sleep t]v = t [v]v =0 The specifications on [ ]v and [ ]t provide the following We therefore overload [ ]v to programs,[P ;proofssleepproofs statements,t on]t on program([ program andP ]v + expres- propertiest) propertiesmax [P (coming]t Lemma (coming up 1. next). upFor next). any program P then [P ]t > [P ]v. [ ] =0 [Ai] =0⇡ lemma about the temporal semantics of Sonic Pi programs: [P ; v = E]v =[P ]v +[E]v sions.[sleepsleep Anythingt]v v= othert than[v]v sleep=0 or sequentialTheiv composition specificationsi has on [ ]v and [ ]t provideThen by the the following above definitions, we see that if [A]t 6 s1 and [P ; v = E]v =[P ]v +[E]v [ t;]v = t [v]v =0 [P ; v =TheA ]t specifications[P ]t +[A ] ont [ ]v andThat[ ]t is,provide the actual the running following time of a program is always at least the virtual timeii is 0. Note that the equations on⇡ the left define [B]t 6 s2 then [P ]t = s1 + s2 +[C]t. [ ]v[ =0]v =0We therefore [ [AA ]]vv overload=0 [ ]v to programs,i lemmalemma statements, about about the and the temporal expres- temporal semantics semanticsLemma of Sonic 1. ofFor Sonic Pi programs: any Pi program programs:P then [P ]t > [P ]v. ; In the case of A = kernelSleep, then [kernelSleepthet virtual]t = t. time; a Sonic Pi program never “under runs” its virtual ; [ sions.]v for Anything programs other (with than statementssleep coveredor sequential by the composition single case hasfor We now move on to a denotational model, which provides a seman- WeWe therefore therefore overload overload[ []v ]vtoto programs, programs, statements, statements, and and expres- expres- LemmaLemma 1. 1.ForFor any any program programP thentimePThat[thenP specification.]t is,>[P the[P]t]v> actual. [P ]v running. time of a program is always at least Pthe; v = virtualE), and time on is the0. rightExample Note for that expressions. 1. theThe equations following on two the small left example define programs illustrate tics for the core subset of the language described here. We’ll prove sions.sions. Anything Anything other other than thansleepsleeporore.g. sequential sequential P; sleep composition composition 1 where has has [P ]t = 2, [P ]v = 0 the virtual time; a Sonic Pi program never “under runs” its virtual [ ]v for programs (withthis statements definition, covered both ofThat by which the is, the have single actual actual case running time for 2 but time arising of a program from isthis always sound at semanticsleast with respect to the axiomatic model of this the virtual time is 0. Note thatEquality the equations on time on theProviding left define exact deadlinesThat in real-time is, the systems actual runningProof.time time specification.By of induction a program on is the always structure at of least programs. the virtual time is 0. Note that theP ; equationsv = E), and on on the the leftdifferent right∴ define[P for; sleep calls expressions. to 1]sleepthet = virtual(0 and+ 1)kernelSleep time;max 2 a = Sonic 2 . Pi program never “under runs”section, its linking virtual the two levels of model. [ ]v for programs (with statementsis difficult covered due by the to non-determinism single case for combinedthe with virtual execution time; a over- Sonic Pi program never “under runs” its virtual [ ]v for programs (with statements covered by the single case for heads. We do not ignore this[P problem; sleep 1] intimev =1 thetime specification. programming specification. model P = . Trivial since [ ]v =0by Definition 1. P; vP=; vE= E), and on the right for expressions.Equality on time Providing exact deadlines in real-time systems Proof.• By; induction on the; structure of programs. ), and on the right for expressions. P =(P 0; v = E), split on E ofis Sonic difficult Pi due and to the non-determinism discussion here. combined We define with the execution relation over-on • Equality on time Providing exact deadlines in real-time systems Proof. By induction on⇡ the structureP of= programs.E =. Trivialsleep sincet [ ]v =0by Definition 1. Equality on time Providing exactactualheads. deadlines times, We do in where: not real-time ignore systems this problem inProof. the programmingBy induction model on the structure• ; of programs. ; is difficult due to non-determinismof combined Sonic Pi with and the execution discussion over- here. We define the relation on P =((a)P by0; Definitionv = E), split 1, [P on0;Esleep t]v =[P 0]v + t. is difficultheads. We due do to not non-determinism ignore this problem combined in the with programming executions, t. s model over-t (s t)P6=✏ . Trivial since⇡(1)[ ]v =0by• Definition 1. actual times, where:8 ⇡ ⌘ | • | P ;= . Trivial since; [ ]v =0by(b)E Definition= bysleep Definitiont 1. 2, [P 0; sleep t]t =([P 0]v +t) max [P 0]t. heads.of Sonic We do Pi not and ignore the discussion this problem here. We in the define programming the relation modelon P• =(P 0; v = E), split on E for some value of ✏ which is the maximum• negligible; time value ; (c)(a) by by (b)Definition(([P 0]v 1,+[Pt)0;maxsleep[Pt0]tv)=[> P[P0]0v]v++tt. of Sonicactual Pi times, and where: the discussion here. We define the relations, t. s ⇡ t on (s t) 6PE✏=(= sleepP 0; v =t E(1)), split on E with respect to the8 application⇡⇡ at⌘ hand.| For•| example, if ✏ =0.1 )(b)by by (a) Definition and (c) then 2, [P[0P; sleep0; sleept]tt=([]t >P[P0]0vsleep+t) maxt]v [P 0]t. actual times, where: (a)E by= Definitionsleep t 1, [P 0; sleep t]v =[P 0]v + t. i s, t. s t thenfor(s3 somet3). value05 ✏ of2.92✏ which. is(1) the maximum negligible time value otherwise(c) by (b) (([E P=0]Av + t) max [P 0]t) > [P 0]v + t ⇡ 6 ⇡ 0 0 0 0 0 i 8 ⇡ ⌘ | | ✏ (b)(a) by Definition by Definition✏ =0 2,.1[P 1,; sleep[P ; sleept]t =([byt (a)]Pv =[] andv +Pt (c)) ]maxv then+ t[[.PP 0];tsleep. t]t [P 0sleep t]v s, t. s t with(Ins the respectt) case6 to✏ of the Sonic application Pi, we mitigate(1) at hand. any For example,-time differences if by (a)) by Definition 1, [P 0; v = A ]v =[>P 0]v for some value8 of ✏ which⇡ is the⌘scheduling maximumthen| 3 |3 calls negligible.05 to2. the92 time. synthesise value server using(c) the(b) by current (b) by Definition(([ virtualP 0]v + t) 2,max[P 0;[sleepP 0]totherwise) >t[]Pt =([0]v E+P=t 0]Av +i t) max [Pi0]t. i ⇡ ⇡ (b) by Definition 2, [P 0; v = A ]t =[P 0]t +[A ]t for somewith respect value of to the✏ which application is the at maximum hand.In the For case negligible example, of Sonic if time✏ Pi,=0 we value.1 mitigate any ✏-time) by(c) differences(a) by and (b) (c)(([ thenP by0]v[P+0;tsleep) maxt][tP>0]t[)P 0sleep[P 0]vt]+v t i time (see the diagram of Figure 6). Later in the denotational model (c)(a) by by inductiveDefinition> hypothesis 1, [P 0; v =[PA0]]tv>=[[PP0]0v]v. then 3 3.05 2.92. i i i with respect to the application at(Section hand.scheduling For 5), example, calls we’ll to demonstrate the if synthesise✏ =0 sources.1 server of using temporalotherwise the currentby variations (a)E and= virtualA (c)✏, then [P 0; sleep t]t [P 0sleep0 t]v 0 ⇡ ⇡ ) i (d)(b) by since Definition>[ ]t 2,R[P>0;,v by= monotonicityA ]t =[P ]t +[ andA (c)]t [P 0]t + In the case of Sonic Pi, we mitigatetime (see any the✏-time diagram differences of Figure by 6). Later in the(a) denotational by Definition model 1, [Pi0; v = A ]v =[1 P 0]v 2 then 3 3.05 2.92. which are limited to a very small part of the model.otherwise Crucially,E = A [(c)A by]t inductive[P 0]v. hypothesis [P 0]t > [P 0]v. scheduling calls to the synthesise server using the current virtual i > i ⇡ ⇡ these(Section✏ time 5), differences we’ll demonstrate do not accumulate– sources of temporal the(b)sleep by Definition variationsoperation 2,✏, [P 0; v = A ]t =[iP 0]t +[[ ]A ]t i i[P 0] + In the case of Sonic Pi, we mitigate any ✏-time differences by (a) by Definition 1, [P 0; v =)(d)Aby since] (a),v =[ (b),P t0 (d)]v thenR>[0P,0 by; v monotonicity= A ]t > [P 0 and; v = (c)A ]v. t time (see the diagram of Figure 6).which Later in are the limited denotational to a very model small part of the model. Crucially, [P 0] 1[P 0] 2 scheduling calls to the synthesiseprovides server using a barrier the which current prevents virtual this. (c) by inductive hypothesis t [>A ]it >v.[P 0]v. i (Section 5), we’ll demonstrate sources✏ of temporal variations ✏, (b)sleep by Definition 2, [P 0; v = A ]t =[P 0]t +[A ]t i i these time differences do not accumulate– the(d) since [operation]t R>0, by monotonicityby (a), (b), and (d) (c) then[P 0[]Pt +0; v = A ]t [P 0; v = A ]v. time (see the diagram of Figure 6).Axioms Later in of the actual denotational time The model virtual time and actual1(c) time by of inductive a single2 hypothesisNote that[)P 0 this]t proof[P 0]v only. makes use of basic> properties on rela- which are limited to a very smallprovides part of a the barrier model. which Crucially, prevents this. [A ]t [P 0]v. > > tions and the specifications of [ ]t and [ ]v given here. This will (Section 5),✏ we’ll demonstrate sourcessleep statement of temporal aresleep roughly variations the same,✏, i.e., [sleep t(d)]v since[sleep[ t]]tt 0, byi monotonicity andi (c) [P 0]t + these time differences do not accumulate– the operation by (a), (b), (d) then [PR0;>v = A ]t [P 0; v = A ]v. Axioms ofsleep actual time The virtual time and actual) time1⇡ of a single 2 beNote useful that later: this> proof we can only prove makes soundness use of of basic our properties denotational on model rela- whichprovides are limited a barrier to which a very prevents smalland this. part thus of[ the model.t]t Crucially,t (by the specification in[A Definition]t [P 0] 1).v. ⇡ > tions and the specifications of [ ]t and [ ]v given here. This will these ✏ time differences do not accumulate–Thissleep holds statement only the sleep when are roughlysleepoperation theis same, used ini.e. isolation,, [sleep t that]v is,[sleep whent it]t with respect toi the two definitionsi and get the above lemma for free Note that) thisby⇡ proof (a), (b), only (d) makes thenbe use[P useful0; ofv basic= later:A properties]t we> can[P 0 prove; v on= rela- soundnessA ]v. of our denotational model providesAxioms a barrier of actual which time preventsThe virtual this.isand the time thus only and[ statementsleep actual timet]t in of a a program.t single(by the As specification shown by in the Definition examples 1). of following from this proof. ⇡ tions and the specifications of [ with]t and respect[ ]v given to the two here. definitions This will and get the above lemma for free sleep statement are roughly the same,SectionThisi.e. holds, 3.1,[sleep theonly uset when]v of [sleepsleepsleepttis]int used a program in isolation, does not that mean is, when that a it ⇡ be useful later: we can prove soundnessfollowing of ourfrom denotational this proof. model Axiomsand of thus actual[sleep timet]t Thet virtual(by theprogramis time specification the and only necessarily actual statement in time Definition waits in of a for a program. singlet 1).seconds– As shown dependingNote by that the on this examples the context, proof of only makesThe abstract use of specification basic properties of the temporal on rela- behaviour here gives us ⇡ with respect to the two definitions and get the above lemma for free sleepThis statement holds only are whenroughlysleep the same,is useditSection mayi.e. in wait, isolation,[sleep 3.1, for the anywheret use that]v of is,[sleepsleep between whent ittin]t0 aand programt seconds.tions does and not the mean specifications that a a of model[ ]t toand reason[ ]v aboutgiven time here. in SonicThis will Pi programs. is the only statement in a program.program As shown necessarily by the⇡ examples waits for t ofseconds–following dependingbe useful from on later: the this context, we proof. can proveThe soundness abstract specification of our denotational of the temporal model behaviour here gives us and thus [sleep t]t t (by the specification in Definition 1). Example 2. Consider subprograms A, B, C where [A]v =[B]v = Section 3.1, the use⇡ of sleep t inDefinitionit a may program wait 2. does forThe anywhere not actual mean elapsed between that a time0 and[ t]twithseconds.can be respect (partially) to the spec- two definitionsa model and to get reason the about above time lemma in Sonic for free Pi programs. This holds only when sleep is usedified in at isolation, the level of that programs is, when by the it followingThe abstract equations: specification of the[ temporalC]v =0 behaviourwhich are here interposed gives us with two sleep statements of program necessarily waits for t seconds– depending on the context, following from this proof. Example 2. Consider subprograms A, B, C where [A]v =[B]v = is the only statement in a program.Definition As shown 2. byThe the actual examples elapsed of time [a model]t can be to (partially) reason about spec- time in Sonicduration Pi programs.s1 and s2: it may wait for anywhere between 0 and t seconds. [ ]t 0 [C]v =0which are interposed with two sleep statements of Section 3.1, the use of sleep t in aified program at the leveldoes of not programs mean; ⇡ that by the a following equations: duration s1 andPs2=: A; sleep s1; B; sleep s2; C The actual elapsed time [ ]t can[P be; (partially)sleep t]t spec-([P ]v + Examplet) Themax abstract[P 2.]t Consider specification subprograms of theA, temporalB, C where behaviour[A]v =[B here]v = gives us programDefinition necessarily 2. waits for t seconds– depending on the[ context,]t 0 ; ⇡⇡ [C]v =0which are interposed with two sleep statements of it mayified wait at the for level anywhere of programs between by the0 and followingt seconds. equations: i ia model to reason about timeThen in Sonic by the Pi programs.aboveP = A definitions,; sleep s1; weB; seesleep thats2 if; C[A]t 6 s1 and [[PP;;vsleep= A ]tt]t [P([P]t ]+[v +At)]tmax s[P ]t s ⇡ duration 1 and 2: [B]t s2 then [P ]t = s1 + s2 +[C]t. [ ]t 0 ⇡ 6 Definition 2. The actual elapsed time [ ]t can bei (partially)i spec- iExample 2. Consider subprogramsThen byA the, B above, C where definitions,[A]v =[ weB] seev = that if [A]t 6 s1 and ; ⇡ In the case of A[P=; vkernelSleep= A ]t [P,]t then+[A[kernelSleep]t Pt]=t =A;t.sleep s1; B; sleep s2; C [P ; sleep t]t ([P ]v +t) max [P ]t ⇡ [C]v =0which are interposedWe[B]t now6 s with move2 then twoon[P to]t sleep a= denotationals1 + statementss2 +[C model,]t. of which provides a seman- ified at the level of programs by⇡ the following equations:i ExampleIn the case 1. ofTheA following= kernelSleep two small, then example[kernelSleep programst illustrate]t = t. tics for the core subset of the language described here. We’ll prove [P ; v = Ai] [P ] +[Ai] Thenduration by thes1 aboveand s2 definitions,: We we now see move that if on[A to] at denotational6 s1 and model, which provides a seman- [ ]t t 0 thist definition,t both of which have actual time 2 but arising from this sound semantics with respect to the axiomatic model of this ⇡ Example 1. The following two small example[B]t 6 s programs2 then [P illustrate]t = s1 + s2 +[ticsC] fort. the core subset of the language described here. We’ll prove i ; ⇡ different calls to sleep and kernelSleep. P = A; sleepsection,s1; B linking; sleep thes two2; C levels of model. In the case[ ofP ;Asleep= kernelSleept]t ([P ]this,v then+ definition,t)[kernelSleepmax [P both]t oft] whicht = t. have actual time 2 but arising from this sound semantics with respect to the axiomatic model of this ⇡ We now move on to a denotational model, which provides a seman- i differenti calls to sleep and kernelSleepThen. by the above definitions,section, we linking see that the two if [ levelsA]t of model.s1 and Example 1.[PThe; v = followingA ]t two[P small]t +[ exampleA ]t programs illustrate tics for the core subset of the language described here. We’ll prove6 this definition, both of which⇡ have actual time 2 but arising from this[B sound]t 6 s semantics2 then [P with]t = respects1 + s2 to+[ theC axiomatic]t. model of this i In thedifferent case of callsA to=sleepkernelSleepand kernelSleep, then [kernelSleep. t]t = t. section, linking the two levels of model. We now move on to a denotational model, which provides a seman- Example 1. The following two small example programs illustrate tics for the core subset of the language described here. We’ll prove this definition, both of which have actual time 2 but arising from this sound semantics with respect to the axiomatic model of this different calls to sleep and kernelSleep. section, linking the two levels of model. do we incorporate the threading constructs provided by Sonic Pi. – [kernelSleep 2; sleep 1]t 2 Extending the model here to include these is however straightfor- ⇡ where P = kernelSleep 2, [P ]v =0, t =1, and ward, but we stick with a simple language for the sake of succinctly [P ]t =2, thus ([P ]v + t) < [P ]t introducing and reasoning about the core temporal behaviour.

– [kernelSleep 1; sleep 2]t 2 4.1 Virtual time and real time ⇡ where P = kernelSleep 1, [P ]v =0, t =2, and As described previously, the programming model of Sonic Pi dis- [P ]t =1, thus ([P ]v + t) > [P ]t tinguishes between the actual time elapsed since the start of a pro- gram P which we write here as [P ]t and the virtual time which is Definition 2 illuminates the semantics of sleep, showing the in- advanced by sleep statements which we write as [P ]v. Both these teraction between actual [ ]t and virtual time [ ]v in the case for abstract functions return time values, thus, [ ]v, [ ]t , i.e., sleep. In this case, the definition of [ ]t is not a straightforward R>0 both return positive, real-number values. 2 recursive decomposition on programs, statements, and expressions In this section, we give specifications to [ ]v and [ ]t providing as in the definition of [ ]v. Instead, the actual time of a sleep an axiomatic model of Sonic Pi’s temporal behaviour. depends on its context, which is the pre-composed (preceding) pro- Virtual time [ ]v can be easily defined over all programs, state- gram P and its actual time [P ]t. This is why we have structured the ments, and expressions, since the sleep operation is the only ex- core subset language here in terms of “snoc”-list since the tempo- pression changing virtual time: ral semantics of an individual statement can depend on the program that has come before it (the tail of the “snoc”-list). Thus, the syntac- Definition 1. Virtual time is specified for statements of Sonic Pi tic structure here facilitates the modelling of sleep and subsequent programs by the following cases: proofs on program properties (coming up next). [P ; v = E]v =[P ]v +[E]v [sleep t]v = t [v]v =0 The specifications on [ ]v and [ ]t provide the following i [ ]v =0 [A ]v =0 lemma about the temporal semantics of Sonic Pi programs: ; We therefore overload [ ]v to programs, statements, and expres- Lemma 1. For any program P then [P ]t > [P ]v. sions. Anything other than sleep or sequential composition has That is, the actual running time of a program is always at least the virtual time is 0. Note that the equations on the left define the virtual time; a Sonic Pi program never “under runs” its virtual [ ]v for programs (with statements covered by the single case for time specification. P; v = E), and on the right for expressions. Equality on time Providing exact deadlines in real-time systems Proof. By induction on the structure of programs. is difficult due to non-determinism combined with execution over- P = . Trivial since [ ]v =0by Definition 1. heads. We do not ignore this problem in the programming model • ; ; P =(P 0; v = E), split on E of Sonic Pi and the discussion here. We define the relation on • actual times, where: ⇡ E = sleep t (a) by Definition 1, [P 0; sleep t]v =[P 0]v + t. do we incorporate the threading constructss, t. provided s t by Sonic(s t) Pi.6 ✏ – [kernelSleep(1) 2; sleep 1]t 2 8 ⇡ ⌘ | | (b) by Definition⇡ 2, [P 0; sleep t]t =([P 0]v +t) max [P 0]t. Extending the model here to include these✏ is however straightfor- (c) by (b) (([P 0]v + t) max [P 0]t) [P 0]v + t do we incorporate the threading constructs provided byfor Sonic some Pi. value of which– [kernelSleep is the maximum 2 negligible; sleep 1time]t where value2 P = kernelSleep 2, [P ]v =0, t =1> , and ward, but we stick with a simple language for the sake of succinctly ✏ =0.1 by (a) and (c) then [P 0; sleep t]t [P 0sleep t]v do we incorporate thewith threading respect constructs to the application provided at by hand. Sonic For Pi. example,– if [kernelSleep⇡[P ]t =2, thus 2;([sleepP)]v + 1t])t < [2P ]t > Extending the model here to includeintroducing these is and however reasoning straightfor- about the core temporal behaviour.P = kernelSleep 2 [P ] =0t =1 i Extending the model herethen to3 include3.05 these2.92 is. howeverwhere straightfor- , v otherwise, ⇡E,= andA ward,do but we we incorporate stick with the a simple threading language constructs for provided the sake by of succinctly Sonic⇡ Pi. ⇡ – [kernelSleep 2; sleep 1]t 2 where P = kernelSleep 2, [P ]v =0, ti =1, and In the case of Sonic Pi, we[P ] mitigatet =2, thus any ✏-time([P ]v differences+ t[)kernelSleep< [P by]t 1; sleep 2] 2 [P 0; v = A ] =[P 0] do we incorporate the threading constructsExtending the provided model here by Sonic to include Pi.ward, these but is we– however[ stickkernelSleep with straightfor- a simple 2 language; sleep for 1]t the sake2 of succinctly ⇡– (a) by Definitiont 1, v v introducing and reasoning about the4.1 core Virtual temporal time behaviour. andscheduling real time calls to the synthesise⇡where P server= kernelSleep using the current 2, virtual[[PP]]tv =2=0, thus, t ([=1P ]v +, andt) <⇡[P ]t i i Extending the model here to include these is however straightfor-introducing and reasoning about the core temporal behaviour. P = kernelSleep(b) by Definition 1 [ 2,P ][P 0=0; v = At ]t=2=[P 0]t +[A ]t ward, but we stick with a simple language for the sakewhere of succinctlyP = kernelSleep 2, [P ]v =0, t =1, andwhere , v , , and As described previously,time the (see programming the diagram model– of[ FigurekernelSleep[P ] oft =2 6).Sonic, Later thus Pi in([ dis-P 1the;]vsleep denotational+ t) < 2[P]t ]t model2 (c) by inductive hypothesis [P 0]t > [P 0]v. ward, but we stick with a simple4.1 languageintroducing Virtual for time and the reasoning and sake real of succinctly about time the core temporal behaviour.[P ] =2(Section 5),([ we’llP ] + demonstratet) < [P ] sources of temporal variations– [kernelSleep⇡[P ]t✏,=1, thus 1;([sleepP ]v + 2t])t > [2P ]t tinguishes4.1 Virtual between time the andt actual real, thus time time elapsedv since the startt of a pro- (d) since⇡[ ]t R>0, by monotonicity and (c) [P 0]t + P = kernelSleep 1 [P ] =01t =2 2 introducing and reasoning about the core temporal behaviour. which are limited– to[kernelSleep a verywhere small part 1; ofsleep the model. 2]t Crucially,2 , P v= kernelSleep, 0, 1 and[P ] =0t =2 As described previously, the programminggram P which model we of write Sonic here Pi as dis-[P ]t and the virtual time which is Definitionwhere 2 illuminates the[A ] semanticst > [P ]v., of sleepv , showing, the, and in- 4.1 Virtual time and real time As described previously,these the✏ programmingtime differences model do not[P of] accumulate–t Sonic=1, Pi thus dis- the([Psleep]v +⇡toperation) > [P ]t i i advanced by–sleep[kernelSleepstatements which 1; sleep we write 2]t where as 2[P ]vP. Both= thesekernelSleepteraction 1, [[PP between]]tv =1=0, thus actual, t ([=2P)[]vby+],t andand (a),t) > (b), virtual[P (d)]t then time[P[ 0;]vv =inA the]t case> [P for0; v = A ]v. 4.1 Virtual time and real timetinguishesAs described between previously, the actual the time programming elapsedtinguishes since model between the of start Sonic theprovides actual of Pi a dis- pro- time a barrier elapsed which since prevents⇡ the start this. of a pro- abstract functions return time values, thus, [ ]v[P, []t ]=1t ,R thus0,([i.e.P,]v + t) sleep> [P ]t. In this case, the definition of [ ]t is not a straightforward gram P which we write here as [P ]gramt andP thewhich virtual wewhere write time herewhichP = as is[kernelSleepP ]t andDefinition the virtual 1, time 2[P illuminates]v which> =0 is, t the=2Definition semantics, and 2 of illuminatessleep, showing the semantics the in- of sleep, showing the in- As described previously, the programmingtinguishes between model of the Sonic actual Pi time dis-both elapsed return since positive, the start real-numberAxioms of a pro- of values. actual timeThe virtual2 time and actual timerecursive of a single decompositionNote that on programs, this proof only statements, makes use and of expressions basic properties on rela- sleep advanced by sleep[[PP]]statementst =1, thus which([P ] wev +teraction writet) > as[P[P] betweent]v. Both these actual [ ]teractiont and virtual between time actual[ ]v[ in]t theand case virtual for time [ ]v in the case for advancedgram P bywhich westatements write here aswhich[P ]t weand write the virtual as timev. Both which these is Definition 2 illuminates[sleep the semanticst] [sleep of sleept] , showingtions and the the in- specifications of [ ]t and [ ]v given here. This will tinguishes between the actual time elapsed since the start of a pro- In this section, we givesleep specifications statement are to roughly[ ]v and the[ same,]t providingi.e., v assleep in the definitiont of[ ]v. Instead,[ the] actual time of a sleep abstract functions return time values,abstract thus, functions[ ]v, [ ] returnt time, i.e. values,, thus,sleep[ ]v,.[ In]t thisR case,>0, i.e. the, definition⇡ . of In[ this]t case,isbe not the useful a definition straightforward later: we of can provet is not soundness a straightforward of our denotational model advanced by sleep statements which we write as [P ]v. BothandR> thus these0 [sleep teractiont]t t (by between the specification actual [ ]t inand Definitiondepends virtual ontime 1). its[context]v in the, which case is for the pre-composed (preceding) pro- gram P which we write here as [P ]t and the virtual time whichan isboth axiomatic returnDefinition positive, model of real-number2 2 Sonic illuminates Pi’s temporal values. the semantics behaviour.⇡ of2sleep, showing recursive the in- decomposition on programs, statements, and expressions bothabstract return positive, functions real-number return time values, values. thus, [ ]v, [ ]t This0, holdsi.e., only whensleeprecursivesleep. In thisis decomposition used case, in the isolation, definition on that programs, of is,[ when]t is it statements, not a straightforwardwith respect and expressions to the two definitions and get the above lemma for free Virtual time [ ]v canR be> easily defined over all programs, state- gram P and its actual time [P ]t. This is why we have structured the advanced by sleep statements which we write as [P ]v. Both these In thisteraction section, we between2 give specifications actual [ ] tot and[ ]v virtualand [ ] timet providing[ ]v in theas case in the for definitionfollowing of [ ]v. from Instead, this proof. the actual time of a sleep Inboth this return section, positive, we give real-number specificationsments, values. to and[ expressions,]v and [ ]tisproviding since the only the sleep statementrecursiveoperationas in in a program. the decomposition is definition the As only shown ex- of on by[ programs, the]v.core examples Instead, subset statements, of the language actual and here expressions time in of terms a sleep of “snoc”-list since the tempo- abstract functions return time values, thus, [ ]v, [ ]t R 0, i.e.an, axiomaticsleep model. In of this Sonic case, Pi’s the temporal definition behaviour. of [ ]t is not a straightforward depends on its context, which is the pre-composed (preceding) pro- an axiomaticIn this section, model of we Sonic give specifications Pi’s> temporal to behaviour.[ ]v and [ ]t providingSection 3.1, the useasdepends of insleep the definition ontin its a programcontext of [ does,]v which. Instead, notral mean is semantics the the that pre-composed actual a of an time individual of (preceding) a sleep statement pro- can depend on the program 2 pression changing[ virtual] time: gram P and its actualThe time abstract[P ]t specification. This is why of we the have temporal structured behaviour the here gives us both return positive, real-number values.an axiomatic model of Sonic Pi’s temporalVirtual behaviour.recursive time v decompositioncanprogram be easily necessarily defined ondepends programs, waits over all forP on programs,t its statements,seconds–context state- depending, which and is expressions[ on theP ] the pre-composed context, (preceding) pro- Virtual time [ ]v can be easily definedments, and over expressions, all programs, since state- the sleep gramoperationand is the its only actual ex- time thatcoret. has This subsetcome is language why before wea modelit have here (the to in tail structured reason terms of the of about “snoc”-list). “snoc”-list the time in Sonic since Thus, Pi the the programs. tempo- syntac- In this section, we give specifications to [ ]v and [ ]t providingDefinitionas 1. inVirtual the definition timeit may is specifiedwait of for[ anywhere]v for. Instead, statementsP between the of0 actualand Sonict seconds. time Pi [P ] oft a sleep ments,Virtual and expressions, time [ ]v can since be easily the sleep definedTimeoperation over system all programs, is the only state- ex- gramcore subsetand its actuallanguage time here. in Thistic terms structure is why of “snoc”-listwe here have facilitates structured since the the the modelling tempo- of sleep and subsequent programspression bychangingdepends the following onvirtual its context time: cases: , which is the pre-composed (preceding)ral semantics pro- of an individual statement can depend onA theB programC [A] =[B] = an axiomatic model of Sonic Pi’sments, temporal and behaviour. expressions, since the sleep operation is theDefinition only ex- 2. Thecore actual subset elapsed language time [ here]t can in be terms (partially)proofs of “snoc”-list on spec- program sinceExample properties the tempo- 2. (comingConsider up subprograms next). , , where v v pression changing virtual time: ral semantics of an individualthat statement has come can before dependit (the on tail the of program the “snoc”-list). Thus, the syntac- Virtual time [ ]v can be easilypression defined changing over all programs, virtual time: state- [gram—]v P: virtualand itsified time actual at the time level of[ralP programs]t semantics.[— This]t : is by actual why of the an following we individual time have equations: structured statement the can depend[ onC] thev =0 programwhich are interposed with two sleep statements of Definition[P ; v = E] 1.v =[VirtualP ]v +[ timeE]v is specified[sleep forthat statementst] hasv =comet of[v before Sonic]v =0 Piit (the tailtic of structureThe the specifications “snoc”-list). here facilitates onThus, the[ ] the modellingv and syntac-[ ] oft providesleep and the subsequent following that hasi come before it (the tail of the “snoc”-list). Thus,duration the syntac-s1and s2: ments, and expressions, sinceDefinition the sleep 1.operationVirtual istime the is only specified ex-programs for statementscore by[ ]v the subset=0 following of language Sonic cases: Pi here in terms [A []v] =0 of “snoc”-list0 since thelemma tempo- about the temporal semantics of Sonic Pi programs: Definition 1. Virtual time is specified for statements; of Sonic Pi tic structuret here facilitates theproofs modelling on programsleep of sleep propertiesand (coming subsequent up next). programs by the following cases: ral semantics of an individualtic statement structure; ⇡ here can facilitates depend on the the modelling program of and subsequentP = A; sleep s1; B; sleep s2; C pression changing virtual time: programs by the following cases: [P ; v = E]v =[P ]v +[E]v [sleep t]v = t [v]v =0 The specifications on [ ]v and [ ]t provide the following We therefore overload [ ]v to programs,[P ;proofssleepproofs statements,t on]t on program([ program andP ]v + expres- propertiest) propertiesmax [P (coming]t Lemma (coming up 1. next). upFor next). any program P then [P ]t > [P ]v. that[ ] has=0come before it (the tail [ofAi the] =0⇡ “snoc”-list). Thus, thelemma syntac- about the temporal semantics of Sonic Pi programs: Virtual time is specified[P ; v = E for]v statements=[P ]v +[ ofE]v Sonicsions. Pi [sleepsleep Anythingt]v v= othert than[v]v sleep=0 or sequentialTheiv composition specificationsi has on [ ]v and [ ]t provideThen by the the following above definitions, we see that if [A]t 6 s1 and Definition 1. [P ; v = E]v =[P ]v +[E]v [ tict;] structurev = t [ herev]v =0 facilitates[P ; thev =The modellingA ]t specifications[P of]t +[sleepA ] ont and[ ] subsequentv andThat[ ]t is,provide the actual the running following time of a program is always at least the virtual timeii is 0. Note that the equations on⇡ the left define [B]t 6 s2 then [P ]t = s1 + s2 +[C]t. programs by the following cases: [ ]v[ =0]v =0We therefore [ [AA ]]vv overload=0 [ ]v to programs,i lemmalemma statements, about about the and the temporal expres- temporal semantics semanticsLemma of Sonic 1. ofFor Sonic Pi programs: any Pi program programs:P then [P ]t > [P ]v. proofs on programIn the case properties of A = kernelSleep (coming up next)., then [kernelSleepthet virtual]t = t. time; a Sonic Pi program never “under runs” its virtual ; ; [ ]v for programs (with statements covered by the single case for sions. Anything other than sleep or sequential composition has time specification.We now move on to a denotational model, which provides a seman- [P ; v = E]v =[P ]v +[E]vWeWe therefore therefore[sleep overloadt overload]v = t [ [][vv]vto]vto=0 programs, programs,P; v = E statements, statements,), andThe on thespecifications and and right expres- expres- for expressions. on [LemmaLemma]v and 1. [ 1.For]tFor anyprovide any program program theP followingthenPThat[thenP ]t is,>[P the[P]t]v> actual. [P ]v running. time of a program is always at least i the virtual time is 0.Example Note that 1. theThe equations following on two the small left example define programs illustrate tics for the core subset of the language described here. We’ll prove [ ]v =0sions.sions. Anything Anything [A other]v =0 other than thansleepsleeporor sequential sequentiallemma composition composition about the temporal has has semantics of Sonic Pi programs:the virtual time; a Sonic Pi program never “under runs” its virtual [ ]v for programs (withthis statements definition, covered both ofThat by which the is, the have single actual actual case running time for 2 but time arising of a program from isthis always sound at semanticsleast with respect to the axiomatic model of this ; the virtual time is 0. Note thatEquality the equations on time on theProviding left define exact deadlinesThat in real-time is, the systems actual runningProof.time time specification.By of induction a program on is the always structure at of least programs. the virtual time is 0. Note that theP ; equationsv = E), and on on the the leftdifferent right define for calls expressions. to sleepthe virtualand kernelSleep time; a Sonic. Pi program never “under runs”section, its linking virtual the two levels of model. We therefore overload [ ]v to programs,[ ] statements, and expres-is difficultLemma due to non-determinism 1. For any program combinedtheP then with virtual[ executionP ]t time;> [P a over-]v Sonic. Pi program never “under runs” its virtual [ ]v forv programsfor programs (with (with statements statements covered covered by by the single single case case for for sions. Anything other than sleepor sequential composition hasheads. We do not ignore this problem intime thetime specification. programming specification. model P = . Trivial since [ ]v =0by Definition 1. P; vP=; vE= E), and on the right for expressions.Equality on time Providing exact deadlines in real-time systems Proof.• By; induction on the; structure of programs. ), and on the right for expressions. That is, the actual running time of a program is always atP least=(P 0; v = E), split on E the virtual time is 0. Note that the equations on the left defineofis Sonic difficult Pi due and to the non-determinism discussion here. combined We define with the execution relation over-on • Equality on time Providing exact deadlinesthe in virtual real-time time; systems a Sonic PiProof. programBy never induction “under on⇡ the runs” structure its virtualP of= programs.. Trivial since [ ]v =0by Definition 1. [ ]v for programs (with statements covered by theProviding single case exact foractualheads. deadlines times, We do in where: not real-time ignore systems this problem inProof. the programmingBy induction model on the structure• E of= programs.sleep t Equalityis difficult on time due to non-determinism combinedtime with specification. execution over- ; ; P; v = E of Sonic Pi and the discussion here. We define the relation on P =((a)P by0; Definitionv = E), split 1, [P on0;Esleep t]v =[P 0]v + t. ), and on the right foris difficult expressions.heads. We due do to not non-determinism ignore this problem combined in the with programming executions, t. s model over-t (s t)P6=✏ . Trivial since⇡(1)[ ]v =0by• Definition 1. actual times, where:8 ⇡ ⌘ | • | P ;= . Trivial since; [ ]v =0by(b)E Definition= bysleep Definitiont 1. 2, [P 0; sleep t]t =([P 0]v +t) max [P 0]t. heads.of Sonic We do Pi not and ignore the discussion this problem here. We in the define programming the relation modelon P• =(P 0; v = E), split on E Equality on time Providing exact deadlines in real-time systemsfor some valueProof. ofBy✏ which induction is the on maximum the structure• negligible of; programs. time value ; (c)(a) by by (b)Definition(([P 0]v 1,+[Pt)0;maxsleep[Pt0]tv)=[> P[P0]0v]v++tt. of Sonicactual Pi times, and where: the discussion here. We define the relations, t. s ⇡ t on (s t) 6PE✏=(= sleepP 0; v =t E(1)), split on E is difficult due to non-determinism combined with execution over-with respect to the8 application⇡⇡ at⌘ hand.| For•| example, if ✏ =0.1 )(b)by by (a) Definition and (c) then 2, [P[0P; sleep0; sleept]tt=([]t >P[P0]0vsleep+t) maxt]v [P 0]t. actual times, where: (a)E by= Definitionsleep t 1, [P 0; sleep t]v =[P 0]v + t. i heads. We do not ignore this problem in the programmings, t. s modelt thenfor(s3 somet3). value05P✏ = of2.92✏ .which. Trivial is(1) since the maximum[ ]v =0 negligibleby Definition time value 1. otherwise(c) by (b) (([E P=0]Av + t) max [P 0]t) > [P 0]v + t ⇡ •6 ⇡ ; ; 0 0 0 0 0 i 8 ⇡ ⌘ | | ✏ (b)(a) by Definition by Definition✏ =0 2,.1[P 1,; sleep[P ; sleept]t =([byt (a)]Pv =[] andv +Pt (c)) ]maxv then+ t[[.PP 0];tsleep. t]t [P 0sleep t]v of Sonic Pi and the discussion here. We defines, the t. relation s t onwith(Ins the respectt) case6P to✏ of=( the Sonic applicationP 0; Pi,v = weE mitigate(1)) at, split hand. onany ForE example,-time differences if by (a)) by Definition 1, [P 0; v = A ]v =[>P 0]v for some value8 of ✏ which⇡ is⇡ the⌘ maximumthen| 3 |3• negligible.05 2.92 time. value (c)(b) by (b) by Definition(([P 0]v + t) 2,max[P 0;[sleepP 0]t) >t[]Pt =([0]v +Pt 0]v +i t) max [Pi0]t. i actual times, where: scheduling calls toE the= synthesisesleep t server using the current virtual (b)otherwise by DefinitionE = A 2, [P 0; v = A ]t =[P 0]t +[A ]t with respect to the application at hand. For⇡ example,⇡ if ✏ =0.1 by (a) and (c) then [P 0; sleep t]t [P 0sleep t]v i for some value of ✏ which is the maximumtimeIn (see the the case negligible diagram of Sonic of time Figure Pi, we value 6). mitigate Later in any the✏-time) denotational(c) differences by (b) model(([P by0]v + t) max(a)[P> by0]t Definition) > [P 0]v 1,+[Pt 0; v = A ]v =[P 0]v (a) by Definition 1, [P 0; sleep t]v =[P 0]v i+ t. (c) by inductive hypothesis [P 0]t > [P 0]v. then 3 3.05 2.92. otherwise E = A i i s, t. s witht respect(s t to) 6 the✏ application at(1)(Section hand.scheduling For 5), example, calls we’ll to demonstrate the if synthesise✏ =0 sources.1 server of using temporal the) currentby variations (a) and virtual (c)✏, then [P 0; sleep(d)(b) by sincet Definition]t >[ []Pt 0sleep 2, [P 0;,vt by]v= monotonicityA ]t =[P 0]t +[ andA (c)]t [P 0]t + ⇡ ⇡ (b) by Definition 2, [P 0; sleep t]t =([P 0]v +t) max [Pi 0]t. R> 8 ⇡ ⌘ |In the case| of Sonic Pi, we mitigatetime (see any the✏-time diagram differences of Figure by 6). Later in the(a) denotational by Definition model 1, [Pi0; v = A ]v =[1 P 0]v 2 then 3 3.05 2.92. which are limited to a very small part of the model.otherwise Crucially,E = A [(c)A by]t inductive[P 0]v. hypothesis [P 0]t > [P 0]v. for some value of ✏ which is thescheduling maximum calls negligible to the synthesise time value server using the(c) current by (b) virtual(([P 0]v + t) max [P 0]t) [P 0]v + t i > i ⇡ ⇡ these(Section✏ time 5), differences we’ll demonstrate do not accumulate– sources of temporal the(b)sleep by Definition variations>operation 2,✏, [P 0; v = A ]t =[iP 0]t +[[ ]A ]t i i[P 0] + In the case of Sonic Pi, we mitigate any ✏-time differences by (a) by Definition 1, [P 0; v =)(d)Aby since] (a),v =[ (b),P t0 (d)]v thenR>[0P,0 by; v monotonicity= A ]t > [P 0 and; v = (c)A ]v. t with respect to the application attime hand. (see For the example, diagram of if Figure✏ =0 6)..which1 Later in are the limited denotational) toby a (a) very model and small (c) then part[P of0; thesleep model.t]t Crucially,> [P 0sleep t]v[P 0] 1[P 0] 2 scheduling calls to the synthesiseprovides server using a barrier the which current prevents virtual this. (c) by inductive hypothesis t [>A ]it >v.[P 0]v. i then 3 3.05 2.92. (Section 5), we’ll demonstrate sources✏ of temporal variations ✏, i (b)sleep by Definition 2, [P 0; v = A ]t =[P 0]t +[A ]t i i these time differencesotherwise do notE = accumulate–A the(d) since [operation]t R>0, by monotonicityby (a), (b), and (d) (c) then[P 0[]Pt +0; v = A ]t [P 0; v = A ]v. ⇡ ⇡ time (see the diagram of Figure 6).Axioms Later in of the actual denotational time The model virtual time and actual1(c) timei by of inductive a single2 hypothesisNote that[)P 0 this]t proof[P 0]v only. makes use of basic> properties on rela- In the case of Sonic Pi, we mitigatewhich are any limited✏-time to differences a very small byprovides part of a the barrier model. which Crucially, prevents this. [A ]t [P 0]v. > (a) by Definition 1, [P 0; v = A ]>v =[P 0]v tions and the specifications of [ ]t and [ ]v given here. This will (Section 5),✏ we’ll demonstrate sourcessleep statement of temporal aresleep roughly variations the same,✏, i.e., [sleep t(d)]vi since[sleep[ t]]tt i 0, byi monotonicity andi (c) [P 0]t + scheduling calls to the synthesisethese servertime using differences the current do not virtual accumulate– the operation by (a), (b), (d) then [PR0;>v = A ]t [P 0; v = A ]v. Axioms ofsleep actual(b) time by DefinitionThe virtual time 2, [P and0; v actual=) A time]1⇡t =[ ofP a single0]t +[2A ]t beNote useful that later: this> proof we can only prove makes soundness use of of basic our properties denotational on model rela- whichprovides are limited a barrier to which a very prevents smalland this. part thus of[ the model.t]t Crucially,t (by the specification in[A Definition]t [P 0] 1).v. time (see the diagram of Figure 6). Later in the denotational model ⇡ > tions and the specifications of [ ]t and [ ]v given here. This will ✏ Thissleep holds statement onlysleep when are(c) roughly bysleep inductive theis same, used hypothesis ini.e. isolation,, [sleep[Pt0 that]]vt > is,[[sleepP when0]v. t it]t with respect toi the two definitionsi and get the above lemma for free these time differences do not accumulate– the operation by⇡ (a), (b), (d) then [P 0; v = A ]t [P 0; v = A]v. (Section 5), we’ll demonstrate sourcesAxioms of of actual temporal time variationsThe virtual✏, time and[sleep actual timet] of at single Note that) this proof only makesfollowingbe use useful0 of basic later: from properties we this> can proof. prove on rela- soundness of our denotational model provides a barrier which prevents this.isand the thus only statement(d)t in since a program.(by[ ]t the As specificationR shown>0, by by monotonicity in the Definition examples 1). of and (c) [P ]t + 1 ⇡ 2 tions and the specifications of [ with]t and respect[ ]v given to the two here. definitions This will and get the above lemma for free which are limited to a very smallsleep part statement of the are model. roughly Crucially, the same,SectionThisi.e. holds, 3.1,[sleep theonly uset when][vA of]t[sleepsleepsleep[P 0tt]is]vint. used a program in isolation, does not that mean is, when that a it ⇡ > be useful later: we can prove soundnessfollowing of ourfrom denotational this proof. model these ✏ time differences do notAxioms accumulate–and of thus actual[sleep the timesleept]t Theoperationt virtual(by theprogramis time specification the and only necessarily actual statement in time Definition waits in of a for a program. singlet 1).seconds– As shown dependingNote by that the on thisi examples the context, proof of only makesThei abstract use of specification basic properties of the temporal on rela- behaviour here gives us ⇡ ) by (a), (b), (d) thenwith[P 0 respect; v = A to the]t > two[P definitions0; v = A ] andv. get the above lemma for free provides a barrier which preventssleepThis this. statement holds only are whenroughlysleep the same,is useditSection mayi.e. in wait, isolation,[sleep 3.1, for the anywheret use that]v of is,[sleepsleep between whent ittin]t0 aand programt seconds.tions does and not the mean specifications that a a of model[ ]t toand reason[ ]v aboutgiven time here. in SonicThis will Pi programs. is the only statement in a program.program As shown necessarily by the⇡ examples waits for t ofseconds–following dependingbe useful from on later: the this context, we proof. can proveThe soundness abstract specification of our denotational of the temporal model behaviour here gives us and thus [sleep t]t t (by the specification in Definition 1). Consider subprograms A, B, C where [A]v =[B]v = Axioms of actual time The virtual time and actual time of a singleDefinitionNote 2. The that actual this elapsed proof only time [ makes]t can use be (partially) of basic spec- propertiesExamplea on model rela- to 2. reason about time in Sonic Pi programs. ThisSection holds only 3.1, the when use⇡ ofsleepsleepist usedinit a may program in isolation, wait does for anywhere not that mean is, between when that a it0 andtwithseconds. respect to the two definitions and get the above lemma for free i.e. [sleep t] [sleep ifiedt] at thetions level and of programs the specifications by the followingThe of [ abstract equations:]t and specification[ ]v given ofhere. the This[ temporalC]v will=0 behaviourwhich are here interposed gives us with two sleep statements of sleep statement are roughly the same,program, necessarilyv waits for t seconds–t depending on the context, following from this proof. Example 2. Consider subprograms A, B, C where [A]v =[B]v = is the only statement in⇡ a program.Definition As shownbe 2. useful byThe the actual later: examples elapsed we can of time prove[a model] soundnesst can be to (partially) reason of our about spec- denotational time in Sonicduration model Pi programs.s1 and s2: and thus [sleep t]t t (by theit may specification wait for anywhere in Definition between 1).0 and t seconds. [ ]t 0 [C]v =0which are interposed with two sleep statements of ⇡ Section 3.1, the use of sleep t in aified program at thewith leveldoes respect of not programs mean to; the⇡ that by two the a definitions following equations: and get the above lemma for free This holds only when sleep is used in isolation, that is, when it duration s1 andPs2=: A; sleep s1; B; sleep s2; C Definition 2. The actual elapsed time [ ]t can[P be; (partially)sleep t]t spec-([P ]v + Examplet) Themax abstract[P 2.]t Consider specification subprograms of theA, temporalB, C where behaviour[A]v =[B here]v = gives us program necessarily waits for t seconds– dependingfollowing on from the[ context,] thist ⇡ proof.0 is the only statement in a program.ified As at shown the level by of the programs examples by the of following equations: i; ⇡ [Cia]v model=0 towhich reason are about interposed time in with Sonic two Pi sleep programs. statements of it may wait for anywhere between 0 and t seconds.[P ; v = A ] [P ] +[A ] Then by the aboveP = A definitions,; sleep s1; weB; seesleep thats2 if; C[A]t 6 s1 and Section 3.1, the use of sleep t in a program does not mean that a [P ; sleep tt]t ([Pt ]v +durationt) tmax s[P1 ]andt s2: [ ] 0 ⇡⇡ [B]t 6 s2 then [P ]t = s1 + s2 +[C]t. t The abstracti specificationi of theiExample temporal 2. Consider behaviour subprograms hereThen gives by usA the, B above, C where definitions,[A]v =[ weB] seev = that if [A]t s1 and program necessarily waits forDefinitiont seconds– 2. dependingThe actual on elapsedthe; context,⇡ timeIn the[ case]t can of A be[P= (partially); vkernelSleep= A ] spec-[P,] then+[A[kernelSleep] t]t = t. 6 t t t P = A; sleep s1We; B now; sleep moves2 on; C to a denotational model, which provides a seman- it may wait for anywhere between 0 and t seconds.[P ; sleep t]t ([P ]v +t) maxa model[P ]t to reason⇡ about time in[C Sonic]v =0 Pi programs.which are interposed[B]t 6 s with2 then two[P ]t sleep= s1 + statementss2 +[C]t. of ified at the level of programs by⇡ the following equations:i i ExampleIn the casei 1. ofTheA following= kernelSleep two small, then exampleThen[kernelSleepduration by programs thes1 aboveandt illustrate]t s=2 definitions,:t. tics we for see the that core if subset[A]t of thes1 languageand described here. We’ll prove [P ; v = A ]t [P ]t +[A ]t We now move on to a denotational6 model, which provides a seman- Definition 2. The actual elapsed time [ ]t can be (partially)[ ]t 0 spec-this definition,Example both of 2. whichConsider have subprograms actual time 2A but, B arising, C where from[A]v =[thisB sound]v = semantics with respect to the axiomatic model of this ; ⇡⇡ Example 1. The following two small example[B]t 6 s programs2 then [P illustrate]t = s1 + s2 +[ticsC] fort. the core subset of the language described here. We’ll prove ified at the level of programs by the following equations:i different calls[C]v to sleep=0whichand kernelSleep are interposed. with twoP sleep= A; statementssleepsection,s1; ofB linking; sleep thes two2; C levels of model. In the case[ ofP ;Asleep= kernelSleept]t ([P ]this,v then+ definition,t)[kernelSleepmax [P both]t oft] whicht = t. have actual time 2 but arising from this sound semantics with respect to the axiomatic model of this ⇡ duration s1 and s2: We now move on to a denotational model, which provides a seman- [ ]t 0 Example 1. The followingi two smalldifferent examplei calls programs to sleep illustrateand kernelSleepticsThen. for the by core the subset above of definitions, the languagesection, we described linking see that the here. two if We’ll[ levelsA]t prove6 of model.s1 and ; ⇡ [P ; v = A ]t [P ]t +[A ]t this definition, both of which⇡ have actual time 2 but arisingP from= A; sleepthis[Bs sound1]t; 6B;s semantics2sleepthen [sP2 with];t C= respects1 + s2 to+[ theC axiomatic]t. model of this [P ; sleep t]t ([P ]v + t) maxi [P ]t ⇡In thedifferent case of callsA to=sleepkernelSleepand kernelSleep, then [kernelSleep. t]t = t. section, linking the two levels of model. i i Then by the above definitions,We now we see move that on if to a[A denotational]t s1 and model, which provides a seman- [P ; v = A ]t [P ]t +[A ]t 6 ⇡Example 1. The following two small example[B]t programs6 s2 then illustrate[P ]t = s1 + stics2 +[ forC] thet. core subset of the language described here. We’ll prove i In the case of A = kernelSleepthis definition,, then [kernelSleep both of whicht]t = havet. actual time 2 but arising from this sound semantics with respect to the axiomatic model of this We now move on to a denotational model, which provides a seman- different calls to sleep and kernelSleep. section, linking the two levels of model. Example 1. The following two small example programs illustrate tics for the core subset of the language described here. We’ll prove this definition, both of which have actual time 2 but arising from this sound semantics with respect to the axiomatic model of this different calls to sleep and kernelSleep. section, linking the two levels of model. Denotational semantics where ˆ represents (forwards, left-to-right) sequential, monadic nowT time and the kernelSleep operation. The initial time composition of denotations in the Temporal monad. operation retrieves the current time and is used to calculate the The interpretation of statement sequences is defined: duration of the preceding program. Any sleeping that happens P :: (Env Temporal ()) Temporal () however occurs after we have calculated the amount of time to sleep ! ! and after we have decided whether a sleep is needed (all of which k = k emptyEnv ; takes some time to compute). Therefore a small ✏ time is introduced PJ; SK k = P (env ( S env) >> = k) here. We will account for this in the following section. Denotational semantics ! The parameterJ Kk is a continuation (taking an environment Env) for • 5.3 Soundness of the temporal monad: time safety State thefor tailvirtual ofJ thetimeK right-associated J K semantics.J K In the inductive case, the We replay the previous axiomatic specifications on the temporal • Read continuationonly actual time passed (updated to P fromis the OS) pre-composition of the interpre- tation of the statement S to the parameter continuation k. behaviour of Sonic Pi programs, and show that the monadic model Temporal a = (start time, current time) → is sound with respect to these, i.e., that the model meets this spec- At the top-level, we interpretJ K a closed program to a Temporal () value by passing in(old the vtime trivial → continuation(a, new vtime)) returning (): ification. We call this a time safety property of the language, with respect to the time system provided by the axiomatic specification. P top := TemporalrunTime ( ()P ( return ())) ! Definition 1 (recap). Virtual time is specified for statements of • PaperThe describes interpretation core semantics of statements with Haskell maps an environment to a possibly Sonic Pi programs by the following cases: updated environment,J K inside of aJ TemporalK computation, defined: Temporal a = (Time, Time) → [P ; v = E]v =[P ]v +[E]v [sleep t]v = t [v]v =0 i S :: Env (VTimeTemporal → IO (a, EnvVTime)) [ ]v =0 [A ]v =0 ! ; = E env =(E env) >> =( return env ) ! Lemma 2. [runTime P ]v =[P ]v, i.e., the virtual time of the v =JEK env =(E env) >> =(x return env [v x]) evaluated denotational model matches the virtual time calculated ! 7! ForJ both kindsK of statement,J K with and without variable binding, the from the axiomatic model.J K expressionJ KE is evaluatedJ K where E :: Env Temporal Value . ! Proof. For our model, the proof is straightforward. For the case of The result of evaluating E is then monadically composed (via P ; S, we rely on the monotonicity of virtual time: virtual time is >> = of the Temporal monad) withJ K a computation returning an only ever increasing, and is only ever incremented by sleep. environment. For statements without a binding, the environment env is returned unmodified; for statements with a binding, the Definition 2 (recap). The actual elapsed time [ ]t can be (par- environment env is extended with a mapping from v to the value x tially) specified at the level of programs by the following equations: of the evaluated expression, written here as env[v x]. 7! [ ]t 0 For expressions, we show just the interpretation of sleep and ; ⇡ variables expressions: [P ; sleep t]t ([P ]v + t) max [P ]t ⇡ i i E :: Env Temporal Value [P ; v = A ]t [P ]t +[A ]t ! ⇡ sleep t env = sleep t J K v env = return (env v) Lemma 3. [runTime P ]t [P ]t, i.e., the actual time of the ⇡ Thus, sleep isJ interpretedK in terms of the sleep function (see be- evaluated denotational model is approximately equal to actual time low), where t is a constant,J K and variable expressions are interpreted calculated from the axiomaticJ K model. as a projection from the environment. The concrete interpretation Proof. The key case is for (P ; sleep t), which we show here. Our of other actions in the language, such as play, is ignored here since model interprets the evaluation of (P ; sleep t) as: they does not relate directly to the temporal semantics. runTime ( P ; sleep t ( return ())) Interpretation of sleep The sleep operation, used above, pro- ! vides the semantics for sleep as: which desugars and simplifies as follows: J K sleep :: VTime Temporal Value runTime ( P (e ( sleep t e) >> = return ())) sleep delayT =!do nowT time runTime ( P sleep! t ) ! vT getVirtualTime ⌘ The semanticsJ reassociatesK statements,J K thus the interpretation for let vT 0 = vT + delayT P =(( ; S1); ...J );KJSn is of theK form ( S1 ˆ ...( Sn ˆ sleep t )) setVirtualTime vT 0 (where ;f ˆ g is monadic forwards composition, i.e., fˆ g = x startT start ! (fx) >> = g). Therefore, we can unrollJ andK simplifyJ K theJ semanticsK let di↵T = di↵Time nowT startT further to get the following IO computation (where P 0 denotes if (vT 0 < di↵T ) the unrolled interpretation of P ): then return () do startT getCurrentTime J K else kernelSleep (vT 0 di↵T ) (x, vT 0) P 0 (startT , startT )0 return NoValue nowT getCurrentTime where NoValue Value. Thus, sleep proceeds first by getting 2 let vT 00 = vTJ 0K+ t the current time nowT, calculating the new virtual time vT’ and setVirtualTime vT 00 updating the virtual time state. If the new virtual time is less than let di↵T = di↵Time nowT startT the elapsed time diffT then no actual (kernel) sleeping happens. if (vT 00 < di↵T ) then return () However, if the new virtual time is ahead of the elapsed time, else kernelSleep0 (vT 00 di↵T ) then the process waits for the difference such that the elapsed time equals the virtual time. where kernelSleep0 x = threadDelay (round (x 1000000)) is Note that in this definition we have introduced an overhead, an used to simplify the code here (as per the definition⇤ of kernelSleep ✏ time, arising from the time elapsed between the first statement in Figure 8). where ˆ represents (forwards, left-to-right) sequential, monadic nowT time and the kernelSleep operation. The initial time composition of denotations in the Temporal monad. operation retrieves the current time and is used to calculate the The interpretation of statement sequences is defined: duration of the preceding program. Any sleeping that happens P :: (Env Temporal ()) Temporal () however occurs after we have calculated the amount of time to sleep ! ! and after we have decided whether a sleep is needed (all of which k = k emptyEnv ; takes some time to compute). Therefore a small ✏ time is introduced PJ; SK k = P (env ( S env) >> = k) here. We will account for this in the following section. J K ! The parameter k is a continuation (taking an environment Env) for 5.3 Soundness of the temporal monad: time safety the tail ofJ theK right-associatedJ K semantics.J K In the inductive case, the continuation passed to P is the pre-composition of the interpre- We replay the previous axiomatic specifications on the temporal tation of the statement S to the parameter continuation k. behaviour of Sonic Pi programs, and show that the monadic model where ˆ represents (forwards, left-to-right) sequential, monadic isnowT sound withtime respectand to the these,kernelSleepi.e., that theoperation. model meets The initial this spec-time At the top-level, we interpretJ K a closed program to a Temporal () compositionvalue by passing of denotations in the trivial in the continuationTemporal returningmonad. (): ification.operation We retrieves call this the a time current safety timeproperty and is of used the to language, calculate with the The interpretation of statement sequences is defined: respectduration to of the the time preceding system provided program. by theAny axiomatic sleeping specification. that happens P top = runTime ( P ( return ())) P :: (Env Temporal ()) ! Temporal () Definitionhowever occurs 1 (recap). after weVirtual have calculated time is specified the amount for of statements time to sleep of The interpretation of statements! maps an environment! to a possibly and after we have decided whether a sleep is needed (all of which k = k emptyEnv Sonic Pi programs by the following cases: updated environment,J; K inside of aJ TemporalK computation, defined: takes some time to compute). Therefore a small ✏ time is introduced J K [P ; v = E]v =[P ]v +[E]v [sleep t]v = t [v]v =0 P ; S k = P (env ( S env) >> = k) here. We will account for this in the followingi section. S :: Env Temporal! Env [ ]v =0 [A ]v =0 J K ! ; The parameter= E envk is=( a continuationE env) >> =( (taking anreturn environment env ) Env) for 5.3 Soundness of the temporal monad: time safety Lemma 2. [runTime P ]v =[P ]v, i.e., the virtual time of the the tail ofJJ theK K right-associatedJ K semantics.J K! In the inductive case, the continuationv = E env passed=( toEPenvis) the>> =( pre-compositionx return env of the[v interpre-x]) evaluatedWe replay denotational the previous model axiomatic matches specifications the virtual time on the calculated temporal ! 7! behaviour of Sonic Pi programs, and show that the monadic model tationForJ both of the kindsK statement of statement,J SKto the with parameter and without continuation variable binding,k. the from the axiomatic model.J K expressionAtJ the top-level,KE is evaluated weJ interpretK where a closedE :: Env programTemporal to a Temporal Value(). is sound with respect to these, i.e., that the model meets this spec- J K ! Proof.ification.For We our call model, this athetime proof safety is straightforward.property of the For language, the case with of valueThe by result passing of evaluating in the trivialE continuationis then monadically returning composed(): (via P ; S, we rely on the monotonicity of virtual time: virtual time is >> = of the Temporal monad) with a computation returning an respect to the time system provided by the axiomatic specification. P top = runTime ( PJ K( return ())) only ever increasing, and is only ever incremented by sleep. environment. For statements without a binding,! the environmentTime safetyDefinition 1 (recap). Virtual time is specified for statements of Theenv interpretationis returned unmodified; of statements for maps statements an environment with a to binding, a possibly the DefinitionSonic Pisoundness programs 2 (recap). of by the theThe denotational following actual elapsed cases: semantics time [ ]t can be (par- updatedenvironment environment,J Kenv is extended inside of with aJ TemporalK a mappingcomputation, from v to the defined: value x tially) specified at the level of programs by the following equations: [P ; v = E]v =[P ]v +[E]v [sleep t]v = t [v]v =0 of the evaluated expression, written here as env[v x]. i S :: Env Temporal Env 7! • wrt. virtual time [ ]v =0[ ]t 0 [A ]v =0 For expressions,! we show just the interpretation of sleep and ; ; ⇡ variables= E expressions:env =(E env) >> =( return env ) [P ; sleep t]t ([P ]v + t) max [P ]t ! Lemma 2. [runTime P ]⇡v =[P ]v, i.e., the virtual time of the J K i i v = E env =(E env:: Env) >> =(Temporalx return Value env [v x]) evaluated denotational[P ; v = A model]t matches[P ]t +[A the]t virtual time calculated J K J K ! ! 7! from the axiomatic model. ⇡ For both kinds ofsleep statement,t env with= sleep and without t variable binding, the• wrt. actual time (modulo constantJ K sequential overhead) expressionJ KE is evaluatedJ KK where E :: Env Temporal Value . v env = return (env! v) LemmaProof. For 3. our[runTime model, theP proof]t is[P straightforward.]t, i.e., the actual For time the caseof the of The result of evaluating E is then monadically composed (via P ; S, we rely on the monotonicity⇡ of virtual time: virtual time is Thus, sleep isJ interpretedK in terms of the sleep function (see be- evaluated denotational model is approximately equal to actual time >> = of the Temporal monad) withJ K a computation returning an only ever increasing, and is only ever incremented by sleep. environment.low), where t Foris a statements constant,J K and without variable a expressions binding, the are environment interpreted calculated from the axiomaticJ K model. as a projection from the environment. The concrete interpretation env is returned unmodified; for statements with a binding, the Proof.DefinitionThe key 2 (recap). case is forThe(P actual; sleep elapsedt), which time we[ show]t can here. be Our (par- of other actions in the language, such as play, is ignored here since environment env is extended with a mapping from v to the value x modeltially) specified interprets at the the evaluation level of programs of (P ; sleep by thet) followingas: equations: ofthey the does evaluated not relate expression, directly written to the temporal here as env semantics.[v x]. 7! runTime ( P ; sleep[ ]tt ( 0 return ())) InterpretationFor expressions, of sleep we showThe justsleep the interpretationoperation, used of above,sleep pro-and ; ⇡ ! variables expressions: [P ; sleep t]t ([P ]v + t) max [P ]t vides the semantics for sleep as: which desugars and simplifies⇡ as follows: J i K i sleep :: VTime E Temporal:: Env Temporal Value Value runTime ([PP; v(=eA ]t( sleep[P ]t t+[eA) >>]t= return ())) ! ! ⇡ sleep delayTsleep= dot envnowT= sleeptime t runTime ( P sleep! t ) ! ⌘ J K vT getVirtualTime v env = return (env v) TheLemma semantics 3. [runTimeJ reassociatesK P statements,]Jt [P ]Kt, thus i.e., the the actual interpretation time of for the let vT 0 = vT + delayT J KJ K ⇡ ˆ ˆ sleep Thus, sleep isJ interpretedK in terms of the sleep function (see be- Pevaluated=(( ; S denotational1); ...); Sn is model of the is form approximately( S1 ...( equalSn to actualt time)) setVirtualTime vT 0 ;f ˆ g fˆ g x low), where t is a constant,J K and variable expressions are interpreted (wherecalculated fromis monadic the axiomatic forwards model. composition, i.e., = startT start (fx) >> =g J K ! as a projection from the environment. The concrete interpretation ). Therefore, we can unrollJ andK simplifyJ K theJ semanticsK let di↵T = di↵Time nowT startT furtherProof. The to get key the case following is for (PIO; sleepcomputationt), which (where we showP 0 here.denotes Our of other actions in the language, such as play, is ignored here since if (vT 0 < di↵T ) themodel unrolled interprets interpretation the evaluation of P ): of (P ; sleep t) as: they does not relate directlythen to thereturn temporal() semantics. dorunTimestartT( P ; sleepgetCurrentTimet ( return ())) J K Interpretation of sleep TheelsesleepkernelSleepoperation,(vT used0 di above,↵T ) pro- ! (x, vT 0) P 0 (startT , startT )0 vides the semantics for sleepreturnas: NoValue which desugars and simplifies as follows: nowT getCurrentTime J K wheresleepNoValue:: VTime ValueTemporal. Thus, Valuesleep proceeds first by getting runTimelet vT(00 P= (vTe0 + t( sleep t e) >> = return ())) 2! J K! ! thesleep current delayT time =nowTdo,nowT calculatingtime the new virtual time vT’ and runTimesetVirtualTime( P sleep vT 00t ) updating the virtual time state. If the new virtual time is less than ⌘ vT getVirtualTime let di↵TJ =K di↵TimeJ nowT startTK the elapsed time diffT then no actual (kernel) sleeping happens. The semantics reassociates statements, thus the interpretation for let vT 0 = vT + delayT if (vT 00 < di↵T ) then return () However, if the new virtual time is ahead of the elapsed time, P =(( ; S1); ...J );KJSn is of theK form ( S1 ˆ ...( Sn ˆ sleep t )) setVirtualTime vT 0 ; else kernelSleep0 (vT 00 di↵T ) then the process waits for the difference such that the elapsed time (where f ˆ g is monadic forwards composition, i.e.,f ˆ g = x startT start (fx) >> =g ! kernelSleep). Therefore,0 x = wethreadDelay can unroll( andround simplify(x 1000000)) the semantics equals the virtual time. let di↵T = di↵Time nowT startT where J K J K J Kis Note that in this definition we have introduced an overhead, an usedfurther to tosimplify get the the following code hereIO (ascomputation per the definition (where⇤ of kernelSleepP 0 denotes if (vT 0 < di↵T ) ✏ time, arising from the time elapsed between the first statement inthe Figure unrolled 8). interpretation of P ): then return () do startT getCurrentTime J K else kernelSleep (vT 0 di↵T ) (x, vT 0) P 0 (startT , startT )0 return NoValue nowT getCurrentTime where NoValue Value. Thus, sleep proceeds first by getting 2 let vT 00 = vTJ 0K+ t the current time nowT, calculating the new virtual time vT’ and setVirtualTime vT 00 updating the virtual time state. If the new virtual time is less than let di↵T = di↵Time nowT startT the elapsed time diffT then no actual (kernel) sleeping happens. if (vT 00 < di↵T ) then return () However, if the new virtual time is ahead of the elapsed time, else kernelSleep0 (vT 00 di↵T ) then the process waits for the difference such that the elapsed time equals the virtual time. where kernelSleep0 x = threadDelay (round (x 1000000)) is Note that in this definition we have introduced an overhead, an used to simplify the code here (as per the definition⇤ of kernelSleep ✏ time, arising from the time elapsed between the first statement in Figure 8). Temporal monad for you?

• Reusable for other purposes

• Code online (http://github.com/dorchard/temporal-monad)

• Generalisations to applicative functor & monoid

• Over-run warnings (hard & soft)