- The paper introduces the CertiBlock framework that uses certificate-carrying rewrites to guarantee behavior preservation in event-driven block programs.
- It details a clear separation between an untrusted optimizer and a trusted checker, with validations performed through mechanized Lean proofs.
- Empirical evaluation on 300 Scratch projects demonstrates efficiency, zero false accepts, and broad applicability of certified program optimizations.
Motivation and Problem Statement
Block-based end-user programming languages such as Scratch present a unique challenge in program transformation and optimization: the authors are typically inexperienced programmers, often children or hobbyists, who are not expected to interpret formal arguments about program correctness. Yet, demand exists for tools that clean up or optimize their programs by removing redundancies, dead code, or unused assets. Traditional approaches establish behavior preservation via static analysis and empirical testing, but these lack exhaustive guarantees and have a brittle trust model: any optimizer bug directly impacts the deployed program, and errors cannot be meaningfully recovered by end users. Addressing this, the paper introduces certificate-carrying source-to-source rewriting for concurrent, event-driven block programs, bridging the trust gap with a robust, mechanized framework.
Framework Overview
The CertiBlock framework defines a clear division between an untrusted optimizer and a trusted checker. The optimizer proposes program rewrites, accompanied by a certificate specifying the rewrite family, observation lens, and edit localization. The checker serves as the sole authority, exhaustively recomputing side conditions essential for behavior preservation, relative to a parameterized observation lens (e.g., player, final-state, debug). The checker mints a decision—accept or reject—solely based on recomputation; no certificate content is trusted a priori. This architecture robustly confines the trust base to a small, auditable checker and a minimal set of model-VM conformance assumptions, decoupling correctness from the optimizer's size and potential unsoundness.
Observation Semantics and Parametric Lenses
CertiBlock formalizes behavior preservation relative to an explicit observation lens. For Scratch, the player lens observes rendered frames, sound, prompts, and the values of visible monitors; the final-state and debug lenses enable more permissive or stricter definitions. Lenses induce trace sets, and behavioral refinement is guaranteed iff the after-program refines the before-program under the relevant lens. Family definitions are tied to lenses, with each rewrite family specifying the lens under which its edits are behavior-preserving, enforced by the checker during validation.
Mechanized Soundness: Cooperative-Frame Theorem
Central to CertiBlock's soundness is the cooperative-frame refinement theorem, mechanized in Lean 4. The theorem abstracts the conditions under which a write to a resource (e.g., variable, renderer state) is unobservable, and thus safely removable. Formally, if the 'pending window'—the segment between a write W1​ and its subsequent overwriter W2​ in the same thread—contains no yields (ensuring single-threadedness), and no observation of the resource occurs in this window, then deleting W1​ preserves behavior under the observation lens. Crucially, the theorem is parameterized both by the observed resource and observation boundary, covering both variables (yield boundaries) and renderer state (frame boundaries), and admits further generalization to other resource types.
Mechanization ensures soundness is not an informal claim but a machine-checked theorem, relying only on core kernel axioms in Lean. The two core decision procedures (for variable and visual dead stores) are extracted as verified-executable Lean functions, serving as a reference for the deployed Python checker.
Rewrite Families and Structural Guarantees
Six rewrite families are implemented:
- Comment cleanup: Eliminates editor-only annotations; proven sound by canonical core equivalence.
- Unused-asset cleanup: Removes costumes, sounds, variables, lists not referenced; special handling prevents index-shift observability bugs.
- Dead-broadcast removal: Deletes broadcasts with no receiver under stringent identifier matching.
- Dead-code elimination: Excises unreachable scripts or handlers.
- Variable dead-store elimination: Removes variable writes that are provably overwritten before observation or yield.
- Visual dead-store elimination: Deletes redundant renderer state writes across uninterrupted program segments if not observed by pen operations, clones, sensing blocks, etc.
Each family supplies a suite of formally stated obligations, discharged by the checker. Structural integrity is strictly enforced: removals must result in clean splices, and only edits corresponding to the declared change class are permitted. A single-allowed-delta obligation ensures no undeclared edits survive, and the checker deliberately fails closed—unsure or malformed cases are rejected by default.
Evaluation
CertiBlock is evaluated on a random sample of 300 real Scratch projects, covering a spectrum from simple animations to large-scale games. The empirical highlights are:
- No false accepts: Cross-family adversarial audits, unit tests, a large adversarial campaign (4,278 perturbed rewrites), and VM-differential validation yield zero false accepts post-audit.
- Narrow trusted base: Only the 9,921-line checker, mechanized Lean model (5,909 LOC), and two explicit conformance assumptions are trusted. All optimizer and harness code is untrusted.
- Efficiency: Certification (side-condition checks and structural verification) costs less than 0.1 seconds per project in all cases (median 2 ms, 95th percentile 66 ms, max 1.3 s).
- Breadth: At least one certified rewrite is accepted on 94.3% of projects. Most acceptances stem from editor and asset cleanup; certified dead-store and runtime rewrites are rarer but validated where applicable.
- Load-bearing side conditions: Permissive (non-checking) removers admit many unsound program transformations confirmed to break behavior by the VM oracle—all are rejected by the full checker with explicit counterexamples.
Practical and Theoretical Implications
The CertiBlock architecture demonstrates that certificate-carrying, verified program transformation is feasible at the source level for concurrent, event-driven, block-based languages targeting end users. Unlike prior tools, it offers behavioral guarantees grounded in formal, observation-parametric refinement theorems, not mere static analysis or empirical evaluation. The design achieves robust trust minimization: future optimizations, new rewrite families, and optimizer aggressiveness are unconstrained by the checker’s trusted volume or complexity.
The cooperative-frame theorem is generalizable to other cooperative-scheduling event-driven languages, provided that observation boundaries can be adequately modeled. Extension to richer observation semantics, integration into educational or analysis pipelines, and mechanized bridging to deployed implementations (closing remaining Trusted Computing Base gaps) are immediate avenues for further work.
Conclusion
CertiBlock constitutes a certificate-carrying source-to-source transformation system for Scratch and related block-based languages, yielding strong, mechanized guarantees of behavior preservation relative to explicit observation lenses. On realistic programs, it achieves high applicability, zero unsound acceptances under adversarial audit, and efficient certification. The separation of trust, the parametric observation model, and the mechanized cooperative-frame theorem together establish a new standard for trustworthy program rewriting in end-user concurrent, event-driven environments.
Reference: "Certificate-Carrying Transformation of Event-Driven Block Programs" (2607.00563).