Whiley (programming language)

Whiley is an experimental programming language that combines features from the functional and imperative programming paradigms, and supports formal specification through function preconditions, postconditions and loop invariants.^[1] The language uses flow-sensitive typing also termed flow typing.

The Whiley project began in 2009 in response to the "Verifying Compiler Grand Challenge" put forward by Tony Hoare in 2003.^[2] The first public release of Whiley was in June, 2010.^[3]

Developed by David Pearce mainly, Whiley is an open source project with contributions from a small community. The system has been used for student research projects and in teaching undergraduate classes.^[4] It was supported from 2012–2014 by the Royal Society of New Zealand's Marsden Fund.^[5]

The Whiley compiler generates code for the Java virtual machine (JVM) and can interoperate with Java and other JVM-based languages.

The goal of Whiley is to provide a realistic programming language where verification is used routinely and without thought. The idea of such a tool has a long history, but was strongly promoted in the early 2000s through Hoare's Verifying Compiler Grand Challenge. The purpose of this challenge was to spur new efforts to develop a verifying compiler, roughly described as follows:^[6]

A verifying compiler uses mathematical and logical reasoning to check the correctness of the programs that it compiles.

— Tony Hoare

The main purpose of such a tool is to improve software quality by ensuring a program meets a formal specification. Whiley follows many attempts to develop such tools, including notable efforts such as SPARK/Ada, ESC/Java, Spec#, Dafny, Why3,^[7] and Frama-C.

Most previous attempts to develop a verifying compiler focused on extending existing programming languages with constructs for writing specifications. For example, ESC/Java and the Java Modeling Language add annotations to specify preconditions and postconditions to Java. Likewise, Spec# and Frama-C add similar constructs to the C# and C languages. However, these languages contain many features which pose difficult or insurmountable problems for verification.^[8] In contrast, the Whiley language was designed from scratch in an effort to avoid common pitfalls and make verification more tractable.^[9]

The syntax of Whiley follows the general appearance of imperative or object-oriented programming languages. Indentation syntax (the off-side rule) is used instead of braces to delineate statement blocks, giving a strong resemblance to Python. However, the imperative look of Whiley can be somewhat misleading as the language core is functional and pure.

Whiley distinguishes a function (which is pure) from a method (which may have side-effects). This distinction is needed as it allows functions to be used in specifications. A familiar set of primitive data types is available including bool, int, arrays (e.g., int[]) and records (e.g., {int x, int y}). However, unlike most programming languages the integer data type, int, is unbounded and does not correspond to a fixed-width representation such as 32-bit two's complement. Thus, an unconstrained integer in Whiley can take on any possible integer value, subject to the memory constraints of the host environment. This choice simplifies verification, as reasoning about modular arithmetic is a known and hard problem. Compound objects (e.g., arrays or records) are not references to values on the heap as they are in languages such as Java or C# but, instead, are immutable values.

Whiley takes an unusual approach to type checking termed flow typing. Variables can have different static types at different points in a function or method. Flow typing is similar to occurrence typing as found in Racket.^[10] To aid flow typing, Whiley supports union, intersection and negation types.^[11] Union types are comparable to sum types found in functional languages like Haskell but, in Whiley, they are not disjoint. Intersection and negation types are used in the context of flow typing to determine the type of a variable on the true and false branches of a runtime type test. For example, suppose a variable x of type T and a runtime type test x is S. On the true branch, the type of x becomes T & S whilst, on the false branch, it becomes T & !S.

Whiley uses a structural rather than nominal type system. Modula-3, Go and Ceylon are examples of other languages which support structural typing in some form.

Whiley supports reference lifetimes similar to those found in Rust. Lifetimes can be given when allocating new objects to indicate when they can be safely deallocated. References to such objects must then include lifetime identifier to prevent dangling references. Every method has an implicit lifetime referred to by this. A variable of type &this:T represents a reference to an object of type T which is deallocated with the enclosing method. Subtyping between lifetimes is determined by the outlives relation. Thus, &l1:T is a subtype of &l2:T if lifetime l1 statically outlives lifetime l2. A lifetime whose scope encloses another is said to outlive it. Lifetimes in Whiley differ from Rust in that they do not currently include a concept of ownership.

Whiley has no built-in support for concurrency and no formal memory model to determine how reading/writing to shared mutable state should be interpreted.

The following example illustrates many of the interesting features in Whiley, including the use of postconditions, loop invariants, type invariants, union types and flow typing. The function is intended to return the first index of an integer item in an array of integer items. If no such index exists, then null is returned.

// Define the type of natural numbers
type nat is (int x) where x >= 0

public function indexOf(int[] items, int item) -> (int|null index)
// If int returned, element at this position matches item
ensures index is int ==> items[index] == item
// If int returned, element at this position is first match
ensures index is int ==> no { i in 0 .. index | items[i] == item }
// If null returned, no element in items matches item
ensures index is null ==> no { i in 0 .. |items| | items[i] == item }:
    //
    nat i = 0
    //
    while i < |items|
    // No element seen so far matches item
    where no { j in 0 .. i | items[j] == item }:
        //
        if items[i] == item:
            return i
        i = i + 1
    //
    return null

In the above, the function's declared return type is given the union type int|null which indicates that either an int value is returned or null is returned. The function's postcondition is made of three ensures clauses, each of which describe different properties that must hold of the returned index. Flow typing is employed in these clauses through the runtime type test operator, is. For example, in the first ensures clause, the variable index is retyped from int|null to just int on the right-hand side of the implication operator (i.e. ==>).

The above example also illustrates the use of an inductive loop invariant. The loop invariant must be shown to hold on entry to the loop, for any given iteration of the loop and when the loop exits. In this case, the loop invariant states what is known about the elements of the items examined so far, namely, that none of them matches the given item. The loop invariant does not affect the meaning of the program and, in some sense, may be considered unneeded. However, the loop invariant is required to help the automated verifier using in the Whiley compiler to prove this function meets its specification.

The above example also defines the type nat with an appropriate type invariant. This type is used to declare variable i and indicate that it can never hold a negative value. In this case, the declaration prevents the need for an added loop invariant of the form where i >= 0 which would otherwise be needed.

Whiley began in 2009 with the first public release, v0.2.27 following in June 2010 and v0.3.0 in September that year. The language has evolved slowly with many syntax changes made to-date. Versions prior v0.3.33 supported first-class string and char data types, but these were removed in favour of representing strings as constrained int[] arrays. Likewise, versions prior to v0.3.35 supported first-class set (e.g., {int}), dictionary (e.g., {int=>bool}) and resizeable list [int]), but these were dropped in favour of simple arrays (e.g., int[]). Perhaps most controversial was the removal of the real datatype in version v0.3.38. Many of these changes were motivated by a desire to simplify the language and make compiler development more manageable.

Another important milestone in the evolution of Whiley came in version v0.3.40 with the inclusion of reference lifetimes, developed by Sebastian Schweizer as part of his Master's degree thesis at the University of Kaiserslautern.

• Official website
• Whiley on GitHub