Transition-Oriented Programming: Developing Verifiable Systems
TTransition-Oriented Programming: DevelopingVerifiable Systems
Yepeng Ding and Hiroyuki Sato
The University of Tokyo, Tokyo, Japan { youhoutei,schuko } @satolab.itc.u-tokyo.ac.jp Abstract.
It is extremely challenging to develop verifiable systems thatare regulated by formal specifications and checked by formal verificationtechniques in practice. Although formal verification has made significantprogress over the past decades, the issue caused by the gulf between thesystem implementation and formal verification still has a huge cost. Tofundamentally solve the issue, we propose transition-oriented program-ming (TOP), a novel programming paradigm, to instruct developers todevelop verifiable systems by thinking in a formal way. TOP introducesthe theories of the transition system as the joint of the implementationand formal verification to promote formal thinking during development.Furthermore, we propose a novel programming language named Seni tosupport the TOP features. We argue that TOP is useful and usable todevelop verifiable systems in a wide range of fields.
Keywords:
Programming paradigm · Software engineering · Verifiablesystem · Formal verification · Transition system.
Formal verification is a powerful method of ensuring the satisfaction of the for-mal specifications, which supports in designing and implementing verifiable andprovably correct systems and protocols. Typical methods of formal verificationinclude model checking and theorem proving. There have been lots of useful toolsthat implement these methods such as SPIN [10], NuSMV [3], JKIND [8], andAdamMC [7] for model checking, or Coq [18], Isabelle [14] for theorem proving.However, current formal verification tools usually have their own domain-specific languages and best practices for modeling and verification, which leadsto the huge gulf between verification and implementation. For instance, the ver-ification enforced by the SPIN model checker depends on the formal modeling ofthe system with Promela [11], while the system is implemented by some general-purpose languages such as Java or C++. The gulf highly increases the cost ofverification during the development, which is reflected in three aspects. – Design cost. It lacks unitarity between the implementation and verification,which increases the complexity of the system design due to the necessity ofthe compromise. a r X i v : . [ c s . P L ] S e p Y. Ding and H. Sato – Maintenance expense. It requires at least two sets of codes describing thesame system merely from different perspectives: implementation and verifi-cation. – Labor cost. The use of formal verification requires domain knowledge, whichusually needs additional specialists to collaborate with developers.Our motivation is to bridge the gulf between the formal verification andimplementation to facilitate developing verifiable and provably correct systemswith less cost. To remedy the situation, we introduce transition that is a con-cept originated from the transition system as the joint of the implementationand verification. The concept of the transition system has been well studied intheoretical computer science. It is of fundamental importance for the abstractionof both the sequential and concurrent systems, which makes it capable of guidingthe implementation of systems in a rigorous manner. Besides, the transition sys-tem plays an imperative role in formal verification, especially in model-checkingtechniques. It is trivial to check the correctness and properties of the abstractioncompared to the implementation.In this paper, we propose a novel programming paradigm called transition-oriented programming (TOP) that instructs developers to develop verifiable sys-tems by thinking in the transition system. With the theories of the transitionsystem, TOP promotes formal thinking during the development by regardingreal-world systems as transition systems. The system behavior is rigorously con-trolled by the formal specification. Besides, TOP supports both vertical modu-larity (refinement) and horizontal modularity (modularization) that are imper-ative in modern software engineering. Furthermore, the parallelism is also wellsupported in TOP to design, implement, and verify complex systems. Addition-ally, we propose a general-purpose programming language named Seni, the firstlanguage to support TOP.We summarize the main advantages of TOP as follows:1. TOP enables formal thinking during the development to ensure the rigorousimplementation and facilitate formal verification.2. By using TOP, programmers can develop verifiable systems to ensure thecorrectness and properties in a natural way.3. TOP reduces the cost of formal verification by circumventing the issuescaused by the gulf between the implementation and verification.The remainder of this paper is organized as follows. Section 2 briefly reviewsrelated work. Section 3 presents the core concepts and features of TOP, followedby the introduction of Seni to support TOP in Section 4. We discuss the visionof TOP in the application in Section 5. Section 6 concludes the paper.
Our work is inspired by the transition system theory that plays an importantrole in formal methods [4,1,19,2,5,16]. With the support of the transition sys-tem theory, many tools of formal methods have been developed such as modelcheckers [10,20,3] and SMT solvers [6,12]. ransition-Oriented Programming: Developing Verifiable Systems 3
To improve the usability of these tools and understandability of the appli-cation of formal methods, many front-end frameworks such as translators andwrappers have been developed. Java PathFinder [9] is a translator from Javato Promela, which allows programmers to annotate the Java program with as-sertions and verify them with the SPIN model checker after the translation toPromela. PlusCal [13] provides a pseudocode-like interface for the TLA+ spec-ification language, which makes the mathematical specification easier for pro-grammers to understand. Wrappers also facilitate the use of some tools such asvarious bindings of Z3 for various programming languages.However, these front-end frameworks focus on addressing issues of the us-ability and understandability of the verification. Perhaps other works such asstate-oriented programming [17] have similar interfaces as TOP, but they illus-trate completely different ideas. To the best of our knowledge, there has notbeen a work focusing on bridging the gulf of the implementation and formalverification from the perspective of the programming paradigm.
This section focuses on the main concepts and features of TOP. The conceptualmodel of TOP is visualized in Figure 1. The TOP paradigm supported with atransition-oriented programming language aims to implement verifiable systemswith the integration of built-in formal methods such as formal specification,formal verification, and formal testing.
Fig. 1.
The conceptual model of the transition-oriented programming. Y. Ding and H. Sato
As a programming paradigm, TOP highlights formal thinking during thedevelopment. It regards every real-world system as a transition system. Basedon the fundamental theories of the transition system, TOP presents many usefulfeatures and makes the formal verification more usable in practice.
The term transition connects the static state with the dynamic change withina system. In TOP, a minimal program unit is a transition system, which is alsocalled an abstraction.
Definition 1 (Transition system).
In TOP, a transition system S over set V of typed state variables and set F of pure functions is defined as follows: S (cid:44) (cid:104) S, A, (cid:44) → , I, P, L (cid:105) , where – S is a set of states that are determined by (cid:74) V (cid:75) , the set of evaluations of statevariables, – A is a set of actions that determines the modifications of state variables withpure functions, – (cid:44) → ⊆ S × A × S is a transition relation, – I ⊆ S is the initial state that is determined by the set of initial evaluationsof state variables, – P is a set of propositions, – L (cid:44) S (cid:55)→ P is a labelling function. It is adequate to implement computable systems with the transition systemstructured in TOP by abstracting the observable states and actions. Further-more, states are bond with propositions by the labeling function, which is thekey to the connection between the implementation and verification in TOP.It is noteworthy that the concept of the state variable is different from theordinary variable. State variables are used to describe states in the transitionsystem while ordinary variables are used to implement certain functions. Besides,states variables can only be modified by actions while ordinary variables can bemodified in their scopes including actions and pure functions.The pure function is used to assist the implementation of actions to improvethe reusability, which cannot modify the state variable because it has no sideeffects. Hence, a set of pure functions are usually embedded in an action bodyor defined globally to perform tasks. Different from the pure function, the actionis used to specify the system behaviors by modifying state variables. It does notimplement concrete tasks but declares the way of the state transition.
For simplicity, we will use the term specification to refer to the formal specifi-cation. In TOP, a specification is composed of a set of actions and sub-systems,which is formulated in the temporal logic. It forces the developers to construct ransition-Oriented Programming: Developing Verifiable Systems 5 unambiguous, complete, and minimal specifications to describe the system be-havior rigorously.For instance, the behavior of a twinkling LED light can be specified as S = (cid:3) ( SwitchOn , SwitchOff ) where
SwitchOn , SwitchOff ∈ A . Here, (cid:3) is a temporalmodality that can be pronounced as always, which means that the actions inthis scope will be executed now and forever in the future. The comma is used todefine the ordering relation between actions.A system must contain at least one specification to represent the main controlflow. One specification can be decomposed into multiple smaller ones to specifydifferent types of system behaviors, which is supported by the logical connective.It is noteworthy that all actions in TOP can only be triggered in specifi-cations, which means that all operations associated with the modification ofstate variables are specified in TOP specifications. In this manner, the systembehavior is rigorously controlled. TOP puts a high value on modularity to improve flexibility and reusability. Wedivide the modularity of TOP into two types: vertical modularity and horizontalmodularity. Vertical modularity refers to the support of the refinement, whichallows programmers to describe the transition system at different abstractionlevels while preserving the equivalence or preorder relations. Horizontal modu-larity allows the programmers to modularize the system by decomposing a largetransition system into modules to improve reusability. Generally, a completetransition system contains a set of modules with multiple abstractions, which isshown in Figure 2.
Fig. 2.
The illustration of the modularity within a transition system. Y. Ding and H. Sato
With the vertical modularity, it is reasonable to start from the abstractionand land on the concrete implementation by a set of refining iterations, which issupported by the simulation theory of the transition system. For instance, if amore detailed transition system S refines S , then the simulation order S (cid:23) S (cid:48) holds, which means that transition system S is simulated by S . Due to thereflexivity and transitivity of (cid:23) , there can be a set of refinements at differentabstraction levels. Additionally, if S (cid:23) S , then these two transition systems aresimulation-equivalent.In the meanwhile, TOP supports the import of encapsulated sub-systems.The pure functions globally defined in the imported sub-systems can be reusedin the actions while the imported sub-systems can be reused in the specifications. In TOP, parallelism is well supported by the operational models of the transi-tion system including interleaving, concurrency, synchronous, and asynchronousmessage passing. It is flexible to describe a wide range of parallel real-worldsystems, especially distributed systems.The specification in a transition system can specify the behavior of the par-allel composition of a set of transition systems, which is supported by the hori-zontal modularity of TOP. For instance, an effective specification for a parallelsystem can be represented as S (cid:107) S (cid:107) · · · (cid:107) S n . The transition system makes the joint of the implementation and verification.TOP has native support for defining propositions, properties, and formulae.All defined propositions are attached to the state by the labeling function L automatically by observing the state variables. In this manner, some techniquesof formal verification can be integrated naturally.For instance, TOP allows developers to check system properties staticallywith a built-in model checker during the compile-time. The properties can beformulated into temporal logics such as linear-time, branching-time, and real-time logics. Take the twinkling LED light as an example, we can define twopropositions isOn and isOff for the twinkling LED light as follows: isOn (cid:44) (cid:74) isEnable (cid:75) = (cid:62) , isOff (cid:44) (cid:74) isEnable (cid:75) = ⊥ . In this manner, the property S = ⇒ (cid:3) ( isOn ∨ isOff ) can be verified duringthe compile-time.Furthermore, runtime verification can be also supported by TOP to avoid thecomplexity of the model checking by interacting with the executing transitionsystem.Another instance is the support of the SMT solver. In TOP, developers cancheck the satisfiability of a certain formula composed of a set of propositions in ransition-Oriented Programming: Developing Verifiable Systems 7 first-order logic. For example, if we declare three Boolean state variables r , g , b to represent the status of red, green, and blue light respectively, the satisfiabilityof formula (cid:74) r (cid:75) ∧ (cid:74) g (cid:75) → (cid:74) b (cid:75) = (cid:62) can be determined with satisfying models. To make TOP usable in practice, we propose Seni, the first transition-orientedprogramming language, together with its ecosystem.
The design of Seni integrates many features to facilitate the development ofverifiable systems under the TOP paradigm. Seni is defined and implementedrigorously with formal semantics [15]. Besides, Seni introduces the concept ofthe pure function in functional programming to implement the action and theconcept of the record to define the object structure. Furthermore, Seni aims toprovide a user-centric interface for the understandability and maintainabilitywith a set of useful syntactic sugars and reserve words for specification, imple-mentation, and verification.The main features of Seni are summarized as follows.
Transition-oriented.
In Seni, it fully supports the TOP paradigm by organiz-ing the program as the transition system with declarations of state variables,actions, initialized action, specifications, propositions, formulae, and properties.The main control flow is driven by the specification formulated in temporal logics.For modularity, Seni reserves the word refine to refine a system at a more detailedabstraction level and the word import to import functions or sub-systems.
General-purpose.
Seni is designed to be capable of developing verifiable systemsin a wild variety of application domains.
Type-safe.
Seni is a strongly statically typed language supported by a typesystem with type inference. It enforces statically type checking to prevent typeerrors and contributes to program correctness.
Verification-integration.
In Seni, it has a built-in verification mechanism sup-ported by techniques of formal methods to verify properties formulated by pro-grammers.
Parallelism-support.
Seni allows programmers to define several types of parallelsystems including interleaving systems, concurrent systems, and message-passingsystems, which is well supported by the parallelism theory of the transitionsystem. Furthermore, the properties of parallel systems are also verifiable.
Y. Ding and H. Sato
Seni is a compiled language that requires the compiler to generate the interme-diate code running on a virtual machine. The model checker and SMT solver arealso integrated into the compiler toolchain for verification.Furthermore, the standard libraries are essential for the actual developmentsuch as the IO library, network library, Math library, GUI library, etc.
In this section, we discuss the vision for the application of TOP.
Compiler.
In TOP, it is trivial to describe and implement automata and relatedalgorithms that play a major role in compiler construction. Most importantly,TOP satisfies the safety requirement of the compiler implementation by thesupport of formal verification. Additionally, a TOP language is generally capableof bootstrapping.
Distributed system.
With the support of modularity and parallelism, distributedsystems with complex architectures can be well designed and implemented inTOP.
Decentralized system.
With the advancement of blockchain technology, numer-ous decentralized systems have been developed that highly require security as-surance due to the lack of central supervision. TOP facilitates the developmentof verifiable decentralized systems to help to solve trust issues.
Artificial intelligence (AI) system.
As AI techniques become ubiquitous, safetyand explainability have attracted huge attention. TOP provides a rigorous wayof developing AI systems, especially knowledge-based systems with the supportof formal knowledge representation.
Protocol design.
In TOP, the specifications and properties are formulated intemporal logics, which facilitates the design and verification of the protocol.With the support of message-passing in parallelism, TOP can handle the designand implementation of distributed protocols.
Hardware design.
It is vital to prevent errors in hardware design due to the highfabrication costs. The transition system can represent many models in hardwaredesign such as circuits. Meanwhile, formal verification has been widely used inhardware design. Therefore, TOP provides a feasible way of making rigoroushardware design with the support of the handy implementation of the transitionsystem and enforcements of formal verification. ransition-Oriented Programming: Developing Verifiable Systems 9
We have presented TOP, a novel programming paradigm for developing verifiablesystems. It bridges the gulf between the implementation and formal verificationby instructing developers to think in the transition system during the develop-ment, which reduces the cost of applying formal verification in practice. Besides,we have proposed Seni, the first transition-oriented programming language, topracticalize the TOP paradigm. Furthermore, we have discussed the vision ofthe application of TOP that has the potential to dramatically change the wayof developing verifiable and provably correct systems in a wide range of fields.
References
1. Baier, C., Katoen, J.P.: Principles of model checking. MIT press (2008)2. Bradley, A.R.: SAT-based model checking without unrolling. In: InternationalWorkshop on Verification, Model Checking, and Abstract Interpretation. pp. 70–87. Springer (2011)3. Cimatti, A., Clarke, E., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M.,Sebastiani, R., Tacchella, A.: Nusmv 2: An opensource tool for symbolic modelchecking. In: International Conference on Computer Aided Verification. pp. 359–364. Springer (2002)4. Clarke, E.M., Grumberg, O., Long, D.E.: Model checking and abstraction. ACMtransactions on Programming Languages and Systems (TOPLAS) (5), 1512–1542 (1994), iSBN: 0164-0925 Publisher: ACM New York, NY, USA5. Clarke Jr, E.M., Grumberg, O., Kroening, D., Peled, D., Veith, H.: Model checking.MIT press (2018)6. De Moura, L., Bjrner, N.: Z3: An efficient SMT solver. In: International conferenceon Tools and Algorithms for the Construction and Analysis of Systems. pp. 337–340. Springer (2008)7. Finkbeiner, B., Gieseking, M., Hecking-Harbusch, J., Olderog, E.R.: AdamMC:A model checker for Petri nets with transits against Flow-LTL. In: InternationalConference on Computer Aided Verification. pp. 64–76. Springer (2020)8. Gacek, A., Backes, J., Whalen, M., Wagner, L., Ghassabani, E.: The JK ind modelchecker. In: International Conference on Computer Aided Verification. pp. 20–27.Springer (2018)9. Havelund, K.: Java PathFinder A Translator from Java to Promela. In: Inter-national SPIN Workshop on Model Checking of Software. pp. 152–152. Springer(1999)10. Holzmann, G.J.: The model checker SPIN. IEEE Transactions on software engi-neering (5), 279–295 (1997), iSBN: 0098-5589 Publisher: IEEE11. Holzmann, G.J., Lieberman, W.S.: Design and validation of computer protocols,vol. 512. Prentice hall Englewood Cliffs (1991)12. Katz, G., Barrett, C., Dill, D.L., Julian, K., Kochenderfer, M.J.: Reluplex: An effi-cient SMT solver for verifying deep neural networks. In: International Conferenceon Computer Aided Verification. pp. 97–117. Springer (2017)13. Lamport, L.: The PlusCal algorithm language. In: International Colloquium onTheoretical Aspects of Computing. pp. 36–60. Springer (2009)14. Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: a proof assistant for higher-order logic, vol. 2283. Springer Science & Business Media (2002)0 Y. Ding and H. Sato15. Rou, G., erbnut, T.F.: An overview of the K semantic framework. The Journal ofLogic and Algebraic Programming (6), 397–434 (2010), iSBN: 1567-8326 Pub-lisher: Elsevier16. Rusu, V., Grimaud, G., Hauspie, M.: Proving partial-correctness and invarianceproperties of transition-system models. Science of Computer Programming ,102342 (2020), iSBN: 0167-6423 Publisher: Elsevier17. Samek, M., Montgomery, P.: State oriented programming. Embedded Systems Pro-gramming (8), 22–43 (2000)18. Welcome! ||