VSEL

Document

Formal Specification

**Verifiable Semantic Execution Layer (VSEL)**

Verifiable Semantic Execution Layer (VSEL)

1. Purpose

This document defines the formal semantics of VSEL as a deterministic, closed-world state machine.

It establishes:

  • the set of valid states
  • the allowed transitions
  • the structure of execution traces
  • the invariants governing system behavior

All downstream layers (execution, constraints, proofs) must be derived from this specification.

If a behavior is not defined here, it is invalid by definition.

2. Mathematical Model

We define the system as a labeled transition system:

[ \mathcal{M} = (S, I, T, O) ]

Where:

  • ( S ) is the set of valid states
  • ( I \subseteq S ) is the set of initial states
  • ( T \subseteq S \times \Sigma \times S ) is the transition relation
  • ( \Sigma ) is the set of inputs
  • ( O ) is the set of observable outputs

A transition is:

[ (s, \sigma, s') \in T ]

3. State Space Definition

A state ( s \in S ) is defined as a tuple:

[ s = (C, D, E, \Omega, \tau) ]

Where:

  • ( C ): canonical system state (balances, storage, etc.)
  • ( D ): derived state (caches, commitments)
  • ( E ): environment context (block metadata, timestamps, etc.)
  • ( \Omega ): economic context (price oracles, exposure limits, liquidity thresholds, fee schedules, collateral requirements)
  • ( \tau ): execution metadata (trace index, history commitments)

The economic context ( \Omega ) is deterministically derived from canonical state and environment:

[ \Omega = DeriveEconomic(C, E) ]

( \Omega ) is not auxiliary data. It is a formal state component subject to the same invariant, constraint, and proof obligations as all other components. See ECONOMIC_INVARIANTS.md for the complete economic invariant system.

3.1 State Validity

A state is valid if:

[ ValidState(s) \equiv P_C(C) \land P_D(D) \land P_E(E) \land P_\tau(\tau) ]

Where each ( P_* ) is a predicate defining structural and semantic correctness.

4. Initial States

[ I = { s \in S \mid Init(s) } ]

Where:

  • ( C ) satisfies genesis constraints
  • ( D ) is correctly derived from ( C )
  • ( E ) is initialized to valid environment parameters
  • ( \tau = 0 )

5. Transition System

A transition:

[ (s, \sigma, s') \in T ]

is valid if:

[ ValidTransition(s, \sigma, s') \equiv ]

[ ValidState(s) \land ValidInput(\sigma) \land ]

[ Apply(s, \sigma) = s' \land ]

[ ValidState(s') \land ]

[ PreserveInvariants(s, s') ]

6. Transition Function

[ Apply: S \times \Sigma \rightarrow S ]

The transition function is deterministic:

[ \forall s, \sigma: \exists! s' \text{ such that } Apply(s, \sigma) = s' ]

No nondeterminism is allowed.

7. Observables

Observables map internal state transitions to externally visible outputs:

[ Obs: S \times \Sigma \times S \rightarrow O ]

Correctness requires:

  • observables must be derivable from state
  • no hidden side effects
  • no external dependency not modeled in ( E )

8. Execution Traces

An execution trace is:

[ \tau = (s_0, \sigma_0, s_1, \sigma_1, ..., s_n) ]

Such that:

  • ( s_0 \in I )
  • ( (s_i, \sigma_i, s_{i+1}) \in T ) for all ( i )

8.1 Trace Validity

[ ValidTrace(\tau) \equiv ]

[ s_0 \in I \land \forall i: ValidTransition(s_i, \sigma_i, s_{i+1}) ]

9. Invariants

9.1 Local Invariants

For every transition:

[ \forall (s, \sigma, s') \in T: L(s, \sigma, s') ]

Example:

  • conservation of value
  • bounded resource changes

9.2 Global Invariants

For every state:

[ \forall s \in S: G(s) ]

Example:

  • total supply consistency
  • structural constraints

9.3 Temporal Invariants

Across traces:

[ \forall \tau: TInv(\tau) ]

Example:

  • monotonic counters
  • no rollback of committed state

10. Determinism Requirement

The system must satisfy:

[ (s, \sigma) \rightarrow s' \text{ is unique} ]

No hidden randomness is allowed unless explicitly modeled in ( E ).

If randomness exists, it must be:

  • explicitly represented
  • reproducible
  • verifiable

11. Closure Property

The system is closed under transitions:

[ \forall s \in S, \sigma \in \Sigma: Apply(s, \sigma) = s' \Rightarrow s' \in S ]

No transition may produce an invalid state.

12. Safety Properties

Safety requires:

[ \forall \tau: ValidTrace(\tau) \Rightarrow \forall s \in \tau: G(s) ]

Meaning:

  • no invariant violation is reachable

13. Liveness Properties

Liveness defines progress:

[ \forall s \in S: \exists \sigma \text{ such that } Apply(s, \sigma) \neq s ]

Optional constraints:

  • eventual execution
  • no deadlock states

14. Semantic Equivalence

Two executions ( \tau_1, \tau_2 ) are equivalent if:

[ Obs(\tau_1) = Obs(\tau_2) ]

Used for:

  • optimization
  • compression
  • proof equivalence

15. Forbidden States

Define:

[ S_{invalid} = { s \mid \neg ValidState(s) } ]

System must ensure:

[ Reachable(S_{invalid}) = \emptyset ]

16. Error Handling Semantics

Invalid inputs must not produce undefined behavior.

Instead:

[ Apply(s, \sigma_{invalid}) = s_{error} ]

Where:

  • ( s_{error} \in S )
  • explicitly defined
  • preserves invariants

17. Composability Constraints

For two systems ( \mathcal{M}_1, \mathcal{M}_2 ):

Composition requires:

[ Compatible(S_1, S_2) \land Preserve(G_1 \cup G_2) ]

Composition must define:

  • shared state
  • interaction rules
  • cross-invariants

18. Completeness Requirement

The specification is complete if:

Every possible execution path of the implementation maps to a valid trace in this model.

If any execution cannot be represented here, the specification is incomplete.

19. Minimal Correctness Definition

An execution is correct if and only if:

[ ValidTrace(\tau) ]

This replaces:

“execution matches circuit”

with:

“execution belongs to the formal language of the system”

20. Closing Statement

This specification defines correctness independently of:

  • implementation
  • optimization
  • proof system

Everything else must conform to it.

If the system behaves differently than this model, the system is wrong. Not the model.

Previous

Threat Model

Next

State Machine