A Domain-Specific Language for Incremental and Modular Design of Large-Scale Verifiably-Safe Flow Networks (Preliminary Report)

We define a domain-specific language (DSL) to inductively assemble flow networks from small networks or modules to produce arbitrarily large ones, with interchangeable functionally-equivalent parts. Our small networks or modules are “small” only as the building blocks in this inductive definition (there is no limit on their size). Associated with our DSL is a type theory, a system of formal annotations to express desirable properties of flow networks together with rules that enforce them as invariants across their interfaces, i.e, the rules guarantee the properties are preserved as we build larger networks from smaller ones. A prerequisite for a type theory is a formal semantics, i.e, a rigorous definition of the entities that qualify as feasible flows through the networks, possibly restricted to satisfy additional efficiency or safety requirements. This can be carried out in one of two ways, as a denotational semantics or as an operational (or reduction) semantics; we choose the first in preference to the second, partly to avoid exponential-growth rewriting in the operational approach. We set up a typing system and prove its soundness for our DSL.

💡 Research Summary

**
The paper introduces a domain‑specific language (DSL) designed to construct large‑scale flow networks by inductively assembling smaller networks or modules. A flow network is modeled as a directed graph whose arcs have lower‑ and upper‑bound capacities, and a feasible flow is a function assigning a non‑negative real value to each arc while respecting these bounds and the usual flow‑conservation constraints. The authors adopt a denotational semantics: the meaning of a network is the set of all such flow functions. This choice avoids the combinatorial explosion that would arise from an operational (rewriting) semantics, especially when dealing with “holes” – placeholders for modules that are not yet defined.

The DSL provides a small set of primitive constructs: parallel composition M1 ∥ M2, which places two networks side‑by‑side without sharing interfaces, and bind(N, a, b), which connects the output arc a of a network to the input arc b, thereby stitching flows together. On top of these primitives, more elaborate constructs can be derived. Crucially, the language supports hole‑binding forms such as let X = M in N (and, in future work, try‑in, mix‑in, letrec‑in). A hole denotes a sub‑network that may be supplied later; the type system guarantees that any replacement respects the invariants required at the hole’s interface.

A formal type theory is built on top of the DSL. Types are annotations attached to network interfaces that express safety or performance properties: e.g., maximum total flow, voltage‑drop limits, latency bounds, or SLA‑related constraints. The typing rules are threefold: (1) basic modules declare their own properties; (2) composition rules propagate and combine properties for parallel and binding operators; (3) hole‑binding rules check compatibility between the hole’s required interface and the module that fills it. The system is modular (each sub‑module can be typed independently) and fully compositional (the order of type inference does not affect the final result). The authors prove soundness: any well‑typed network, according to the denotational semantics, satisfies all declared properties.

Beyond simple safety constraints, the paper introduces objective functions that can be attached to types, allowing the DSL to express optimization goals such as minimizing power loss, minimizing latency, or limiting the number of SLA violations. This integration enables designers to verify not only that a network is safe but also that it meets quantitative performance targets.

Two illustrative domains are discussed. In cloud computing, compute‑cycle supply, demand, and scheduling are modeled as flow networks; SLA constraints (e.g., “supply meets demand”, “over‑load periods ≤ 100 ms”) become type annotations. The DSL allows designers to reason about resource allocation even when some services are still unspecified, using holes to represent future components. In smart electric grids, each cell (generator, transformer, line, storage) is a module with physical constraints (voltage, current, power rating). By composing cells with the DSL, planners can explore “what‑if” scenarios, such as the impact of a missing line on safety limits, or the most efficient generation‑routing configuration under given constraints.

The authors relate their work to the earlier NetSketch environment, noting that the presented DSL is a simplified, specialized core of NetSketch’s language. NetSketch also includes an automated verifier (AV) and a user interface (UI); the DSL’s formal semantics and type system can be directly fed to such tools for automated safety verification and performance analysis.

In summary, the paper makes the following contributions: (1) a concise DSL for inductive construction of flow networks; (2) a denotational semantics that cleanly defines feasible flows; (3) a robust type system that enforces safety and performance invariants, supports holes, and is provably sound; (4) a demonstration of theory‑agnostic composability, allowing heterogeneous analysis techniques (real‑time scheduling, network calculus, power‑system theory) to be unified under a common interface; and (5) concrete use‑case scenarios showing how the language can aid design, verification, and optimization of large‑scale, safety‑critical systems.