Dijkstra Monads for Free• Dijkstra monads are essentially monads over weakest-preconditions (WP). • A WP is a predicate transformer mapping a postcondition on the outputs of a

Consist

ent *Complete *

Well D

ocumented*Easyt

oR

euse* *

Evaluated

*POPL*

Artifact

*AEC

Dijkstra Monads for Free

Danel Ahman, Cătălin Hriţcu, Kenji Maillard,Guido Martínez, Gordon Plotkin, Jonathan Protzenko,

Aseem Rastogi, Nikhil Swamy

Microsoft Research, University of Edinburgh,Inria, ENS Paris, UNR Argentina

POPL ’17

1 / 16

Consist

ent *Complete *

Well D

ocumented*Easyt

oR

euse* *

Evaluated

*POPL*

Artifact

*AEC

Combining dependent types and effects

• Known hard problem, various solutions (Ynot/HTT, Idris, Trellys/Zombie, F⋆)

• Common approach: encapsulating effectul programs in monads.But how to reason about them?

• One idea (HTT/F⋆) is to index the monad with a specification:(* No spec *)val incr : unit →ST unit(* Hoare triples *)val incr : unit →ST unit (requires (λ n0 →True))

(ensures (λ n0 r n1 → n1 = n0 + 1))(* Dijkstra’s WPs *)val incr : unit →ST unit (λ post n0 → post () (n0 + 1))

• Dijkstra monads are a generalization of Dijkstra’s predicate transformers toarbitrary effects, and are the bread and butter of F⋆’s reasoning about effects.

2 / 16


• Known hard problem, various solutions (Ynot/HTT, Idris, Trellys/Zombie, F⋆)• Common approach: encapsulating effectul programs in monads.

But how to reason about them?

• One idea (HTT/F⋆) is to index the monad with a specification:(* No spec *)val incr : unit →ST unit(* Hoare triples *)val incr : unit →ST unit (requires (λ n0 →True))



2 / 16



But how to reason about them?• One idea (HTT/F⋆) is to index the monad with a specification:

(* No spec *)val incr : unit →ST unit(* Hoare triples *)val incr : unit →ST unit (requires (λ n0 →True))

(ensures (λ n0 r n1 → n1 = n0 + 1))

(* Dijkstra’s WPs *)val incr : unit →ST unit (λ post n0 → post () (n0 + 1))


2 / 16







2 / 16







2 / 16

Programs(with dirty effects)

Dijkstra Monad(pure and beautiful)

correctlyspecifies

✓

3 / 16

Programs(with dirty effects)

Dijkstra Monad(pure and beautiful)

correctlyspecifies ✓

3 / 16

Problem...

• The Dijkstra monad for each effect needs to be hand-crafted, and proven correct.• This made F⋆ rigid, in that it had a fixed supply of effects.

• A fundamental question arises:

What is the relation between the monadic representationfor an effect and its Dijkstra monad?

• Old dog, new trick: Dijkstra monads are a CPS transform of the representationmonad, allowing automatic derivation.

• Simple monadic definition gives correct-by-construction WP calculus for it.• Implemented in F⋆... now with user-defined effects.• Huge boost in simplicity and expressiveness of the effect system.

Consist

ent *Complete *

Well D

ocumented*Easyt

oR

euse* *

Evaluated

*POPL*

Artifact

*AEC

4 / 16

Problem...

• The Dijkstra monad for each effect needs to be hand-crafted, and proven correct.• This made F⋆ rigid, in that it had a fixed supply of effects.• A fundamental question arises:




Consist

ent *Complete *

Well D

ocumented*Easyt

oR

euse* *

Evaluated

*POPL*

Artifact

*AEC

4 / 16

Problem... solution!




• Simple monadic definition gives correct-by-construction WP calculus for it.

• Implemented in F⋆... now with user-defined effects.• Huge boost in simplicity and expressiveness of the effect system.

Consist

ent *Complete *

Well D

ocumented*Easyt

oR

euse* *

Evaluated

*POPL*

Artifact

*AEC

4 / 16






Consist

ent *Complete *

Well D

ocumented*Easyt

oR

euse* *

Evaluated

*POPL*

Artifact

*AEC

4 / 16






Consist

ent *Complete *

Well D

ocumented*Easyt

oR

euse* *Evaluated

*POPL*

Artifact

*AEC

4 / 16

A reminder on WPs

• Dijkstra monads are essentially monads over weakest-preconditions (WP).• A WP is a predicate transformer mapping a postcondition on the outputs of a

computation to a precondition on its inputs.

• Example: for stateful computations, WPs are of type

STwp t = (t → S → Type0) → S → Type0

where t is the result type.• F⋆’s typing judgment gives a WP to each computation:

Γ ⊢ e : ST t wp

5 / 16

A reminder on WPs


computation to a precondition on its inputs.• Example: for stateful computations, WPs are of type


where t is the result type.

• F⋆’s typing judgment gives a WP to each computation:

Γ ⊢ e : ST t wp

5 / 16

A reminder on WPs




where t is the result type.

• F⋆’s typing judgment gives a WP to each computation:

Γ ⊢ e : ST t wp

5 / 16

A reminder on WPs




where t is the result type.• F⋆’s typing judgment gives a WP to each computation:

Γ ⊢ e : ST t wp

5 / 16

Verifying code

let incr () = let n = get () in put (n + 1)

• Turn it into explicitly monadic form• Compute a WP by simple type inference

val get : unit →ST int getwpval put : n1:int →ST unit ( setwp n1)val bindst : ∀wa wb. ST a wa → (x:a → ST b (wb x)) →ST b ( bindwpst wa wb)

to getval incr : unit → ST unit (bindwpst getwp (λ n → setwp (n + 1)))

= val incr : unit → ST unit (λ post n0 → post () (n0 + 1))

6 / 16

Verifying code

let incr () = bindst (get ()) (λ n → put (n + 1))

• Turn it into explicitly monadic form

• Compute a WP by simple type inferenceval get : unit →ST int getwpval put : n1:int →ST unit ( setwp n1)val bindst : ∀wa wb. ST a wa → (x:a → ST b (wb x)) →ST b ( bindwpst wa wb)



6 / 16

Verifying code






6 / 16

Verifying code






6 / 16

Verifying code






6 / 16

Verifying code






6 / 16

Primitive specs

STwp t = (t → S → Type0) → S → Type0returnwpst v = λp s0. p v s0bindwpst wp f = λp s0. wp (λv s1. f v p s1) s0getwpst = λp s0. p s0 s0setwpst s1 = λp _. p () s1

ST t = S → t × Sreturnst v = λs0. (v, s0)bindst m f = λs0. let vs = m s0 in f (fst vs) (snd vs)get = λs0. (s0, s0)set s1 = λ_. ((), s1)

Can be derived automatically!

7 / 16

Primitive specs

STwp t = S → (t × S → Type0) → Type0returnwpst v = λs0 p. p (v, s0)bindwpst wp f = λs0 p. wp s0 (λvs. f (fst vs) (snd vs) p)getwpst = λs0 p. p (s0, s0)setwpst s1 = λ_ p. p ((), s1)



7 / 16

Primitive specs




7 / 16

Primitive specs



Can be derived automatically!7 / 16

Formalization

• We introduce two calculi: dm and a new F⋆ formalization called emf⋆.

• dm: simply-typed with an abstract base monad τ (and somewhat restricted)• Used to define monads, actions, lifts

• emf⋆: dependently-typed, allows for user-defined effects• Two translations from well-typed dm terms to emf⋆

• ⋆-translation: gives specification (selective CPS)• Elaboration: gives implementation (essentially an identity)

• ⋆-translation gives a correct Dijkstra monad for elaborated terms.Examples: state, exceptions, continuations...

8 / 16

Formalization

• We introduce two calculi: dm and a new F⋆ formalization called emf⋆.• dm: simply-typed with an abstract base monad τ (and somewhat restricted)

• Used to define monads, actions, lifts• emf⋆: dependently-typed, allows for user-defined effects

• Two translations from well-typed dm terms to emf⋆



8 / 16

Formalization


• Used to define monads, actions, lifts• emf⋆: dependently-typed, allows for user-defined effects• Two translations from well-typed dm terms to emf⋆



8 / 16

Formalization


• Used to define monads, actions, lifts• emf⋆: dependently-typed, allows for user-defined effects• Two translations from well-typed dm terms to emf⋆



8 / 16

e : C

e⋆ : C⋆

(dm) (emf⋆)

e : FC e⋆

Logical relation

⋆-translation

elaborationcorrectly

specifies

9 / 16

e : C

e⋆ : C⋆

(dm) (emf⋆)

e : FC e⋆

Logical relation

⋆-translation

elaborationcorrectly

specifies

9 / 16

Pure in emf⋆

• Pure is the only primitive emf⋆ effect.• A WP for Pure t is of type

(t → Type0) → Type0

• The Dijkstra monad for Pure is exactly the continuation monad.Lemma (Correctness of Pure)If ⊢ e : Pure t wp and ⊨ wp p, then e⇝∗ v s.t. ⊨ p v.

10 / 16

Pure in emf⋆



• The Dijkstra monad for Pure is exactly the continuation monad.

Lemma (Correctness of Pure)If ⊢ e : Pure t wp and ⊨ wp p, then e⇝∗ v s.t. ⊨ p v.

10 / 16

Pure in emf⋆



• The Dijkstra monad for Pure is exactly the continuation monad.Lemma (Correctness of Pure)If ⊢ e : Pure t wp and ⊨ wp p, then e⇝∗ v s.t. ⊨ p v.

10 / 16

Reasoning about ST

• Say we have a term e such that

e : S → t × S

• From logical relation, we get

e : s0:S → Pure (t × S) (e⋆ s0)

• From previous and correctness of Pure, we getCorollary (Correctness of ST)If ⊢ e : S → t × S, and ⊨ e⋆ s0 p, then e s0 ⇝∗ (v, s) s.t. ⊨ p (v, s).

11 / 16

Reasoning about ST


e : S → t × S


e : s0:S → Pure (t × S) (e⋆ s0)


11 / 16

Reasoning about ST


e : S → t × S


e : s0:S → Pure (t × S) (e⋆ s0)


11 / 16

Relating effects

• In dm, we can also provide a lift between two monads.

ST t = S → t × S EXNST t = S → (1 + t)× S

lift : ST t → EXNST tlift m = λs0. let vs = m s0 in (inr (fst vs), snd vs)

• It will be translated to a correct Dijkstra monad lift.

liftwp : STwp t → EXNSTwp tliftwp wp = λs0 p. wp s0 (λvs. p (inr (fst vs), snd vs))

12 / 16

Relating effects

• In dm, we can also provide a lift between two monads.

ST t = S → t × S EXNST t = S → (1 + t)× S

lift : ST t → EXNST tlift m = λs0. let vs = m s0 in (inr (fst vs), snd vs)

• It will be translated to a correct Dijkstra monad lift.

liftwp : STwp t → EXNSTwp tliftwp wp = λs0 p. wp s0 (λvs. p (inr (fst vs), snd vs))

12 / 16

13 / 16

Properties of the translationsBesides correctly specifying programs, the generated WPs enjoys some nice properties

• The ⋆-translation preserves equality

• Monads mapped to Dijkstra monads• Lifts mapped to Dijkstra lifts• Laws about actions preserved

• e⋆ is monotonic: it maps weaker postconditions to weaker preconditions.

(∀x.p1 x =⇒ p2 x) =⇒ e⋆ p1 =⇒ e⋆ p2

• e⋆ is conjunctive: it distributes over ∧ and ∀.

e⋆ (λx. p1 x ∧ p2 x) ⇐⇒ e⋆ p1 ∧ e⋆ p2

• These properties together ensure that any dm monad provides a correct Dijkstramonad, that’s also usable within the F⋆ compiler.

14 / 16


• The ⋆-translation preserves equality• Monads mapped to Dijkstra monads• Lifts mapped to Dijkstra lifts• Laws about actions preserved


(∀x.p1 x =⇒ p2 x) =⇒ e⋆ p1 =⇒ e⋆ p2


e⋆ (λx. p1 x ∧ p2 x) ⇐⇒ e⋆ p1 ∧ e⋆ p2


14 / 16




(∀x.p1 x =⇒ p2 x) =⇒ e⋆ p1 =⇒ e⋆ p2


e⋆ (λx. p1 x ∧ p2 x) ⇐⇒ e⋆ p1 ∧ e⋆ p2


14 / 16




(∀x.p1 x =⇒ p2 x) =⇒ e⋆ p1 =⇒ e⋆ p2


e⋆ (λx. p1 x ∧ p2 x) ⇐⇒ e⋆ p1 ∧ e⋆ p2


14 / 16

Conclusions and further work

• We show a formal connection between WPs and CPS, with good properties.• New version of F⋆ with user-defined effects:

greatly broadens its applications and reduces proof obligations.• Extrinsic reasoning; primitive effects: details in paper.

Further work:• Exciting new opportunities in verification:

probabilistic computation, concurrency, cost analysis...• Improve the expresiveness of dm.

Thank you!

15 / 16






Thank you!

15 / 16






Thank you!

15 / 16

Thank you!

16 / 16

Documents

Dijkstra Monads for Free• Dijkstra monads are essentially monads over weakest-preconditions (WP). • A WP is a predicate transformer mapping a postcondition on the outputs of a