TTowards Modal Software Engineering
Ramy Shahin
University of Toronto, [email protected]
Abstract —In this paper we introduce the notion of Modal Soft-ware Engineering: automatically turning sequential, determinis-tic programs into semantically equivalent programs efficientlyoperating on inputs coming from multiple overlapping worlds.We are drawing an analogy between modal logics, and softwareapplication domains where multiple sets of inputs (multipleworlds) need to be processed efficiently. Typically those sets highlyoverlap, so processing them independently would involve a lotof redundancy, resulting in lower performance, and in manycases intractability. Three application domains are presented:reasoning about feature-based variability of Software ProductLines (SPLs), probabilistic programming, and approximate pro-gramming.
I. I
NTRODUCTION
Computer programs take concrete values as inputs, performa sequence of operations on those inputs (assuming sequential,deterministic programs), and generate concrete outputs. Allvalues involved in this process (inputs, intermediate values,and outputs) can be considered an abstraction of the world in which the program operates. A single world is typicallyassumed by a program. For example, a program variable v oftype T maps to a single value of that type at any point in time,and a conditional expression takes a single branch based onwhat its guard evaluates to.In the realm of mathematical logic, reasoning about multipleworlds at the same time has been the motivation behind modallogics . For example, temporal logics reason about not onlythe world at the current instance of time, but also aboutdifferent instances (worlds) in the future. The S5 logic [1]is another example, distinguishing essential truth (true in allworlds) and possible truth (true only in some worlds). Modallogics have many applications in numerous domains, includ-ing verification of concurrent systems [2], reasoning aboutcomputer programs [3], artificial intelligence [4], robotics [5],linguistics [6], and philosophy [7]. This is a strong indicationof how complex real-life problems are, and that new logicalformalisms are continuously being introduced to address themeffectively.In several practical domains, software systems are alsorequired to compute over inputs coming from multiple, po-tentially overlapping, worlds. Values varying from one worldto another are appropriately labeled to ensure that outputsare also labeled accordingly. For example, a search enginestoring multiple versions of a database has to effectivelyindex and query multiple logical databases, each considered aworld. Physically though, since those versions are only slightlydifferent from one another, it is highly inefficient to store themand perform queries over them separately. Mining Software (a) A computation maps inputs to outputs.(b) A modal computation maps inputs from multiple overlappingworlds, to potentially overlapping outputs corresponding to thoseworlds. Fig. 1: Computation vs. modal computation.Repositories (MSR) [8] is an example of a domain where suchhighly overlapping databases (successive versions of softwareartifacts) are common, and the scalability of different MSRsystems is considered a challenge both to researchers andpractitioners because of that [9].In this paper we follow the analogy of modal logics, andargue that computing over multiple worlds is common aroundus, and needs to be addressed systematically (Sec. II). Thehigh-level logic of a program operating over multiple worldsis essentially the same as that of a single-world program.At the implementation level though, it needs to computeover multi-valued variables, where each value is appropriatelylabeled by an identifier of the world(s) it belongs to. Theimplementation also needs to be efficient , i.e., with as fewredundant computations as possible. We also argue that sincethe high-level program logic is oblivious to the number ofworlds it is operating on, turning a single-world program intoa modal (multi-world) one can be performed automatically, ina way similar to compiler optimizations. We provide a visionfor rewriting single-world programs into their efficient modalcounterparts in Sec. III.Fig. 1 illustrates the difference between single-world com-putations (Fig. 1a), mapping a single set of inputs to a singleset of outputs, and modal computations (Fig. 1b), workingon multiple potentially overlapping sets of inputs at the sametime and generating outputs for each world, also potentiallyoverlapping. There are cases where each world is explicitly a r X i v : . [ c s . S E ] F e b abeled, and others in which they can be only quantitativelydescribed. Examples of each are discussed in Sec. IV.II. M OTIVATION
This work has been originally motivated by the analysisof
Software Product Lines (SPLs) . An SPL is a family ofrelated software products, developed together from a commonset of artifacts [10]. The unit of variability in an SPL is a feature . Each feature can be either present or absent in eachof the product variants of the SPL. Given this combinatorialnature of features, the number of products grows exponentiallywith the number of features. Each product is defined by a feature configuration , which is the set of features present inthat product. A feature expression is a propositional formulaover features, denoting a set of products.Efficiently analyzing SPLs has been an active area ofsoftware engineering and programming languages researchfor more than a decade. Software analyses (of source code,transition system models, graphical models, etc...) typicallywork on a single product at a time, and they need to bemodified to be applicable to a whole SPL. This is an instanceof the problem of taking a single-world program, and turningit into a semantically equivalent multi-world one.The product line example in Listing 1 has two features:FA and FB. Assuming all product combinations are valid,four products can be generated from this example with thefollowing feature combinations: {}, {FA}, {FB}, and {FA,FB}. Assume we have a static program analysis for detectingdivision-by-zero errors. Only one of the four configurations({FB}) has a statically detectable division-by-zero error, wherethe value of variable c is not incremented in line 5 becauseFA is absent, and line 9 (specific to feature FB) divides (x + y) by c . The original single-world analysis can beapplied to each of the four products of this SPL individually,reporting results for each. However, real-life SPLs usuallyhave hundreds, sometimes thousands, of features (The Linuxkernel has more than 10,000 features [11]), so enumeratingall products and analyzing them one-by-one is not generallyfeasible. In addition, different product variants have a lot incommon, and leveraging this amount of commonality canmake analyzing the whole product line at once much moreefficient than analyzing the products one at a time.Several analyses of different kinds have been manuallyredesigned and re-implemented to support variability [12],[13], [14], [15], [16], [17]. Re-implementing an analysis is alengthy and error-prone process, so several attempts have beenmade to come up with systematic or automated approachesto this process. Examples include systematic variability-awareabstract interpretation [18], SPL data-flow analyses based onthe IFDS framework [19], [20], variability-aware analyseswritten in Datalog [21], and program analyses written in afunctional language [22].We argue that the research effort that has been put inSPL analysis (also known as variability-aware lifting ) canbe generalized to domains other than SPLs, where efficientcomputations are needed over multiple overlapping worlds. 1 i n t f o o ( i n t x , i n t y )2 {3 i n t c = 0 ;4 FA5 c ++;6 FB9 r e t u r n ( x + y ) / c ;10 r e t u r n ( x + c ) / y ;12
13 }Listing 1: Example of a Software Product Line (SPL).In SPL analysis, each product is considered a world, labeledby a feature configuration. Inputs, outputs and intermediatevalues of the analysis are labeled by propositional formulasover features (known as
Presence Conditions (PCs) ) denotingsets of products. Other problem domains can be mapped intothis same formulation of worlds.There are also cases where the individual worlds are notexplicit, but rather quantified. For example, in a probabilis-tic program , a variable v can have the value {(7,0.2),(9,0.8)} , i.e., the value with probability 0.2 (20% ofpossible worlds), and the value 9 with probability 0.8 (80% ofpossible worlds). Another example is approximate computing ,where instead of a concrete value, a variable can at any pointin time be defined by a minimum-maximum interval. Forexample, v = [4..9] means v is approximated to the range4 to 9 inclusively. III. V ISION
Mathematical logic provides a formal framework for reason-ing about truth. There are many cases though where truth andfalsehood are not absolute; for example a statement can be truenow but not in the future, or it can be true from one person’sperspective and false from another’s. Modal logics [23], [24]add qualifiers to logical formulas, and those qualifiers denotemodalities, or modes of truth. For example, in the modallogic of necessity and possibility S5 [1], the (cid:50) connectiveindicates necessity (truth in all possible worlds), while the (cid:51) connective indicates possibility (truth in some possibleworld(s)). Those are two unary connectives that qualify thetruth of propositional formulas.Given how logic and computation are sometimes viewedas two sides of one coin (e.g., the Curry-Howard isomor-phism [25]), computing, rather than just reasoning, about mul-tiple worlds also has potentially many applications. Examplesinclude explicit variability in Software Product Lines (SPLs),and quantitative variability in probabilistic models.Our goal is to take a single-world program, and automati-cally convert it into a semantically equivalent multiple-world(or modal) program. Modalities labeling the individual worlds = {( -7 , F A ),( , ¬ F A )} y = {( , F A ∧ F B ), ( , F A ∧ ¬
F B ), ( , ¬ F A ∧ F B ), ( , ¬ F A ∧ ¬
F B )} z = {( , True )} (a) Arguments x , y , and z . i n t f o o ( i n t x , i n t y , i n t z ) {r e t u r n b a r ( x , y ) + b a z ( z ) ;} (b) Function foo . x y z LABEL -7 1 5
F A ∧ F B -7 8 5
F A ∧ ¬
F B -7 4 5
F A ∧ ¬
F A -7 10 5
F A ∧ ¬
F A ¬ F A ∧ F A ¬ F A ∧ F A ¬ F A ∧ F B ¬ F A ∧ ¬
F B (c) Input vectors for foo . Fig. 2: Variability-aware application of function foo to modal arguments x , y , and z , tracing the cross-product of modalarguments (adapted from [22]).or quantifying them, and the semantics of those modalities, areorthogonal to the rewriting process. We refer to the process ofmodal program rewriting as modal lifting .For example, function foo in Fig. 2b takes three parametersof type int . A semantically equivalent lifted function wouldtake three arguments of type int ↑ instead, where valuesof type int ↑ are sets of (int, LABEL) pairs. Variables x , y , and z in Fig. 2a are of type int ↑ , where labelsare propositional formulas identifying sets of products in asoftware product line with two features FA and FB.Each label within a modal value denotes a set of worlds, andhas to satisfy two conditions: (1) Disjointness : within the samemodal value, the sets of worlds denoted by the different labelshave to be mutually disjoint. If they are not, then we wouldbe allowing different values within the same world, whichwould result in non-deterministic evaluation of programs. (2)
Totality : within the same modal value, the union of all the setsof worlds denoted by the different labels has to be equal tothe set of all worlds. This ensures that each modal value isdefined in each world.In the case of software product lines, disjointness and total-ity on feature expressions are defined in [22]. Disjointness isdefined as the propositional unsatisfiability of the conjunctionof any pair of different labels within the same modal value. Forexample, the variable y in Fig. 2a has four labels: F A ∧ F B , F A ∧ ¬
F B , ¬ F A ∧ F B , and ¬ F A ∧ ¬
F B . Conjoining anytwo of them results in an unsatisfiable propositional formula.Totality on the other hand is defined as the disjunction of labelswithin a modal value resulting in a tautology. Again, this isthe case for each of the variables in Fig. 2a.In the context of software product lines, two automaticprogram lifting approaches have been proposed in [22]: shal-low lifting and deep lifting . Shallow lifting takes a programas a black-box and generates the cross-product of programarguments, passing each combination of arguments to theoriginal single-world program. For example, tuples of thecross-product of arguments in Fig. 2a are listed in Fig. 2c.Algorithm 1 outlines how an n-ary function f is shallowlifted and applied to modal arguments arg , ..., arg n . First, wecalculate the cross product of the arguments (each of which is a set of pairs). Each element in the cross-product is an n-tuple of ( v, label ) pairs. Within each element, if the intersection of thesets of worlds denoted by the labels is the empty set, then wecan safely ignore this element. However, if the intersection isnot empty, we apply the function f to the arguments v , ..., v n .and add the result to the output set, which is returned at theend. Input: f , arg , ..., arg n Result: applying shallow lifting of f to argsoutput = {} ; foreach (( v , label ) , ..., ( v n , label n )) ∈ ( arg × ... × arg n ) doif ( (cid:84) ni =1 label i (cid:54) = φ ) then output = output ∪ { f ( v , ..., v n ) } ; endendreturn output ; Algorithm 1:
Shallow lifting algorithm.Applying the shallow lifting algorithm to the example inFig. 2, the first step is calculating the cross-product of argu-ments x , y , and z (Fig. 2c). For each row in the table, LABEL is the conjunction of presence conditions of the componentsof x , y , and z in this row. Recall that conjunction is thelogical operator corresponding to intersection of sets denotedby propositional formulas (feature expressions). Rows crossedout have unsatisfiable labels, i.e., they correspond to the emptyset of worlds, so they are ignored, leaving out four inputvectors.Shallow lifting suffers from the inability to exploit com-monalities and eliminate redundancies, and thus can be furtheroptimized. For example, function foo in Fig. 2b internallypasses x and y to bar , and passes z to baz . Assumingthe values in Fig. 2a, z happens to be the constant value across all configurations, so shallow-lifted foo ends upcalling baz four times, passing the same argument each time.Shallow lifting treats foo as a black-box, so the opportunityto eliminate the redundant calls is not visible.Deep lifting on the other hand inspects the internals of a oftware Product Lines Probabilistic Programming Approximate ProgrammingLabel Representation Propositional formula Probability ∈ [0 .. MIN and MAXCardinality > 0 > 0 2Intersection conjunction multiplication Group by MIN, MAXUnion disjunction addition Group by MIN, MAXEmptiness unsatisfiability 0.0 v MAX < v
MIN
Disjointness ∀ i (cid:54) = j · unsat ( l i ∧ l j ) Σ i l i ≤ . (cid:87) i l i = True Σ i l i = 1 . TABLE I: Comparing modalities, their invariants, and operations across three application domains: feature-based reasoning ofsoftware product lines, probabilistic programming, and approximate programming.program, rewriting it to maximize sharing of common values,and to minimize redundancy. The idea behind deep lifting isto statically push the calculation of cross-products of modalvalues as deep as possible down the call tree of a program.For example, foo is re-written into foo ↑ as follows: int ↑ foo ↑ ( int ↑ x , int ↑ y , int ↑ z ) {r e t u r ns h a l l o w L i f t ( ( + ) ,s h a l l o w L i f t ( b a r , x , y ) ,s h a l l o w L i f t ( baz , z ) ) ;} Function foo internally calls three functions/operators: bar , baz , and the (+) operator. Each of the three can beshallow lifted using Algorithm 1, and their shallow liftedcounterparts operate on int ↑ rather than int arguments.This way, the expression shallowLift(baz, z) within foo ↑ calls the underlying function baz on the single compo-nent of argument z only once. If any of bar or baz is nota primitive function, it can be similarly rewritten into a deep-lifted function, which is then called from within foo insteadof using shallowLift . This process can recursively applieddown the call tree, rewriting the whole program. Deep liftingrewrite rules for a subset of Haskell including conditionalexpressions, pattern matching, and polymorphic lists have beenpresented in [22] in the context of lifting program analyses tosoftware product lines.IV. A PPLICATIONS
In this section we show how modal rewriting is obliviousto the specific modality used, which means the same liftingapproach can be used across different kinds of modalities. Wecompare three application domains: Featured-based variabilityof software product lines, probabilistic programming, andapproximate programming. The modalities of each applicationdomain, their invariants and operators are summarized inTable I.
A. Feature-based Variability
When reasoning about Software Product Lines (SPLs), eachfeature is represented as a propositional symbol, and a set ofproducts is denoted by propositional formulas over features(usually referred to as feature expressions ). The set of worldsin this context is the set of products, and labels within modalvalues are feature expressions. A modal feature-based value has at least one element (cardi-nality > 0). Intersection of sets of products denoted by featureexpressions is conjunction of feature expressions. Similarly,union is disjunction. A set denoted by a feature expression isempty when the feature expression is an unsatisfiable formula.Disjointness of feature expressions is the same as setdisjointness: sets are disjoint when their pair-wise intersectionis empty. Translating this to feature expressions, a collectionof feature expressions is disjoint if their pair-wise conjunctionis unsatisfiable. Similarly, totality of a collection of sets isthe universe being equal to the union of that collection. Inpropositional logic, the tautology
True is analogous to theuniverse of all worlds, and disjunction is analogous to setunion.
B. Probabilistic Programming
Probabilistic programming surprisingly has a lot in commonwith feature-based variability. The main difference is thatfeature expressions define explicit sets, while probabilitiesquantify over them. For example, a probability of 0.8 indicates80% of all worlds, without naming which 80%. This kindof quantitative description of sets has many applications,particularly in modeling and simulation.Labels for probabilistic modal values come from the range[0.0..1.0]. Cardinality has to be greater than zero, same asin feature-based modalities. Assuming probabilistic indepen-dence, intersection of two sets denoted by probabilities is themultiplication of those probabilities. Similarly, union is theiraddition, and a probability of 0.0 denotes the empty set.Because probabilities do not define explicit sets, disjointnessis also quantitative rather than explicit. A necessary condition(but not always adequate) for disjointness of a collectionof sets denoted by probabilities is that the sum of thoseprobabilities is at most 1.0. Totality makes this bound morestrict though, turning the inequality into an equality.
C. Approximate Programming
Approximate programming has many applications, particu-larly in software systems running in power-saving mode [27],and systems reading inputs from imprecise sensors. Approxi-mation modalities can be represented in many ways, includinga fidelity of a single value, or a range of possible values(minimum and maximum) over a continuous domain. Wefollow the latter representation in this example.Cardinality here is fixed at two, since each modal rangevalue will have exactly two sub-values: one labeled as MINnd the other labeled as MAX. Values in this MIN..MAXrange form a uniform distribution of possible values. Inter-section and union are again different in this case because theyboth boil down to grouping MIN values together and MAXvalues together. A range is empty when the value labeled byMAX is less than that labeled by MIN.Similarly, the disjointness and totality invariants are en-forced by the fact that there is exactly one MIN value andexactly one MAX value. Lifted programs will compute resultsfor the MIN value and MAX value, labeling the results.accordingly.V. C
ONCLUSION AND F UTURE W ORK
In this paper we introduced the notion of Modal SoftwareEngineering: automatically turning sequential, deterministicprograms into semantically equivalent programs, that effi-ciently operate on inputs coming from multiple intersectingworlds. We drew an analogy between modal logics, and soft-ware application domains where multiple sets of potentiallyoverlapping inputs (multiple worlds) need to be processedefficiently. Processing each world independently instead wouldresult in a lot of redundancy, resulting in lower performance,and in many cases intractability. Three application domainshave been presented: reasoning about feature-based variabilityof Software Product Lines (SPLs), probabilistic programming,and approximate programming.For future work, we plan to investigate the three exampledomains presented in this paper in more depth, identifyingdomain-specific problems and reflecting on whether they arerelated to problems in other domains. Examples of such prob-lems are dependent variables in probabilistic programs, andapproximate computing over categorical values. An orthogonalresearch direction we plan to pursue is studying the differentprogram rewriting techniques (and their trade-offs) for liftingprograms into modal ones.A
CKNOWLEDGMENTS
The author thanks the anonymous reviewers for their feed-back and insightful suggestions.R
EFERENCES[1] B. F. Chellas,
Modal Logic: An Introduction . Cambridge UniversityPress, 1980.[2] E. M. Clarke, T. A. Henzinger, H. Veith, and R. Bloem,
Handbook ofModel Checking , 1st ed. Springer Publishing Company, Incorporated,2018.[3] V. R. Pratt, “Application of modal logic to programming,”
Studia Logica:An International Journal for Symbolic Logic
ArtificialIntelligence
Proceedings of the 2005 IEEEInternational Conference on Robotics and Automation , 2005, pp. 2020–2025. [6] L. Moss and H. Tiede, “19 applications of modal logic in linguistics,”
Studies in Logic and Practical Reasoning , vol. 3, pp. 1031–1076, 122007.[7] L. Humberstone,
Philosophical Applications of Modal Logic , ser.Studies in Logic. College Publications, 2016. [Online]. Available:https://books.google.com.eg/books?id=Wi8PkAEACAAJ[8] H. Kagdi, M. L. Collard, and J. I. Maletic, “A survey and taxonomy ofapproaches for mining software repositories in the context of softwareevolution,”
Journal of software maintenance and evolution: Researchand practice , vol. 19, no. 2, pp. 77–131, 2007.[9] W. Shang, B. Adams, and A. E. Hassan, “An experience reporton scaling tools for mining software repositories using mapreduce,”in
Proceedings of the IEEE/ACM International Conference onAutomated Software Engineering , ser. ASE ’10. New York, NY, USA:Association for Computing Machinery, 2010, p. 275–284. [Online].Available: https://doi.org/10.1145/1858996.1859050[10] P. Clements and L. Northrop,
Software Product Lines: Practices andPatterns . Addison-Wesley Professional, 2001.[11] S. Nadi and R. Holt, “The Linux Kernel: A Case Study of Build SystemVariability,”
J. Softw. Evol. Process , vol. 26, no. 8, p. 730–746, Aug.2014.[12] C. Kästner, P. G. Giarrusso, T. Rendel, S. Erdweg, K. Ostermann, andT. Berger, “Variability-aware Parsing in the Presence of Lexical Macrosand Conditional Compilation,” in
Proc. of OOPSLA’11 . ACM, 2011,pp. 805–824.[13] P. Gazzillo and R. Grimm, “SuperC: Parsing All of C by Taming thePreprocessor,” in
Proc. of PLDI’12 . ACM, 2012, pp. 323–334.[14] A. Classen, M. Cordy, P.-Y. Schobbens, P. Heymans, A. Legay, andJ.-F. Raskin, “Featured Transition Systems: Foundations for VerifyingVariability-Intensive Systems and Their Application to LTL ModelChecking,”
IEEE Trans. Softw. Eng. , vol. 39, no. 8, pp. 1069–1089,Aug. 2013.[15] T. Thüm, S. Apel, C. Kästner, I. Schaefer, and G. Saake, “A Classifi-cation and Survey of Analysis Strategies for Software Product Lines,”
ACM Comput. Surv. , vol. 47, no. 1, pp. 6:1–6:45, Jun. 2014.[16] R. Salay, M. Famelis, J. Rubin, A. Di Sandro, and M. Chechik, “LiftingModel Transformations to Product Lines,” in
Proc. of ICSE’14 . NewYork, NY, USA: ACM, 2014, pp. 117–128.[17] A. Von Rhein, J. Liebig, A. Janker, C. Kästner, and S. Apel, “Variability-Aware Static Analysis at Scale: An Empirical Study,”
ACM Trans. Softw.Eng. Methodol. , vol. 27, no. 4, Nov. 2018.[18] J. Midtgaard, A. S. Dimovski, C. Brabrand, and A. W ˛asowski, “Sys-tematic Derivation of Correct Variability-aware Program Analyses,”
Sci.Comput. Program. , vol. 105, no. C, pp. 145–170, Jul. 2015.[19] T. Reps, S. Horwitz, and M. Sagiv, “Precise Interprocedural DataflowAnalysis via Graph Reachability,” in
Proc. of POPL’95 . ACM, 1995,pp. 49–61.[20] E. Bodden, T. Tolêdo, M. Ribeiro, C. Brabrand, P. Borba, and M. Mezini,“SPLLIFT: Statically Analyzing Software Product Lines in MinutesInstead of Years,” in
Proc. of PLDI’13 . ACM, 2013, pp. 355–364.[21] R. Shahin, M. Chechik, and R. Salay, “Lifting Datalog-based Analysesto Software Product Lines,” in
Proc. of ESEC/FSE’19 . New York, NY,USA: ACM, 2019, pp. 39–49.[22] R. Shahin and M. Chechik, “Automatic and Efficient Variability-AwareLifting of Functional Programs,” in
Proc. of OOPSLA’20 , 2020.[23] P. Blackburn, M. d. Rijke, and Y. Venema,
Modal Logic , ser. CambridgeTracts in Theoretical Computer Science. Cambridge University Press,2001.[24] M. Huth and M. Ryan,
Logic in Computer Science (2nd ed.) . CambridgeUniversity Press, 2004.[25] R. Nederpelt and H. Geuvers,
Type Theory and Formal Proof: AnIntroduction . Cambridge University Press, 2014.[26] R. Shahin and M. Chechik, “Variability-aware datalog,” in
PracticalAspects of Declarative Languages - 22nd International Symposium,PADL 2020, New Orleans, LA, USA, January 20-21, 2020, Proceedings ,ser. Lecture Notes in Computer Science, E. Komendantskaya andY. A. Liu, Eds., vol. 12007. Springer, 2020, pp. 213–221. [Online].Available: https://doi.org/10.1007/978-3-030-39197-3_14[27] S. Mittal, “A survey of techniques for approximate computing,”