Dijkstra Monads for Free

Danel Ahman, Cătălin Hriţcu, Kenji Maillard, Guido Martínez, Gordon Plotkin, Jonathan Protzenko, Aseem Rastogi, Nikhil Swamy

Inria, ENS Paris, UNR Argentina, Microsoft Research, University of Edinburgh

POPL ’17

1 / 16
Combining dependent types and effects

• Known hard problem, various solutions (Ynot/HTT, Idris, Trellys/Zombie, F⋆).
• Common approach: encapsulating effectful programs in monads.
• But how to reason about them?
• One idea (HTT/F⋆) is to index the monad with a specification:

    (* No spec *)
    val incr : unit → ST unit

    (* Hoare triples *)
    val incr : unit → ST unit (requires (λ n0 → True))
                              (ensures (λ n0 r n1 → n1 = n0 + 1))

    (* Dijkstra's WPs *)
    val incr : unit → ST unit (λ post n0 → post () (n0 + 1))

• Dijkstra monads are a generalization of Dijkstra's predicate transformers to arbitrary effects, and are the bread and butter of F⋆'s reasoning about effects.
Dijkstra Monad (pure and beautiful)  correctly specifies →  Programs (with dirty effects)  ✓
Problem... solution!

• The Dijkstra monad for each effect needs to be hand-crafted, and proven correct.
• This made F⋆ rigid, in that it had a fixed supply of effects.
• A fundamental question arises:
  What is the relation between the monadic representation for an effect and its Dijkstra monad?
• Old dog, new trick: Dijkstra monads are a CPS transform of the representation monad, allowing automatic derivation.
• Simple monadic definition gives correct-by-construction WP calculus for it.
• Implemented in F⋆... now with user-defined effects.
• Huge boost in simplicity and expressiveness of the effect system.
A reminder on WPs

• Dijkstra monads are essentially monads over weakest preconditions (WPs).
• A WP is a predicate transformer mapping a postcondition on the outputs of a computation to a precondition on its inputs.
• F⋆'s typing judgment gives a WP to each computation:

    e : ST t wp

  where t is the result type.
• Example: for stateful computations, WPs are of type

    ST wp t = (t → S → Type0) → S → Type0
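The three slides above (the three specs of incr, the claim that a Dijkstra monad is the CPS transform of the representation monad, and the WP type for state) can be checked concretely on a small model. The following is an added example written for this page, not code from the slides or from the F⋆ code base: the state monad S → a × S and its CPS transform (a → S → Type0) → S → Type0 are both written out in Python, incr is expressed in each, and the WP built compositionally from the derived return/bind/get/put is compared with the WP obtained by running the program, with the requires/ensures spec, and with the WP spec from the slide. Assumptions that are mine, not the paper's: S is int, propositions are bools, and the "for all states" in the Hoare-triple encoding ranges over a small finite domain instead of being proved; all function names are illustrative.

```python
"""Dijkstra monad for state as the CPS transform of the state monad (model).

Added example, not the paper's code.  Assumptions: S = int, propositions are
bools, universal quantification is over a finite domain.  Names are mine.
"""
from typing import Any, Callable, Iterable, Tuple

S = int                                  # the state type S from the slides
ST = Callable[[S], Tuple[Any, S]]        # representation monad: S -> a * S
Post = Callable[[Any, S], bool]          # postcondition: a -> S -> Type0
WP = Callable[[Post, S], bool]           # Dijkstra monad: (a -> S -> Type0) -> S -> Type0


# --- representation monad: the "dirty" stateful programs --------------------
def st_return(a: Any) -> ST:
    return lambda s: (a, s)

def st_bind(m: ST, f: Callable[[Any], ST]) -> ST:
    def run(s: S) -> Tuple[Any, S]:
        a, s1 = m(s)
        return f(a)(s1)
    return run

def st_get() -> ST:
    return lambda s: (s, s)

def st_put(s_new: S) -> ST:
    return lambda s: ((), s_new)


# --- Dijkstra monad: the CPS transform of the operations above --------------
def wp_return(a: Any) -> WP:
    # return_wp a = λ post s. post a s
    return lambda post, s: post(a, s)

def wp_bind(wp: WP, f: Callable[[Any], WP]) -> WP:
    # bind_wp wp f = λ post s. wp (λ a s1. f a post s1) s
    return lambda post, s: wp(lambda a, s1: f(a)(post, s1), s)

def wp_get() -> WP:
    return lambda post, s: post(s, s)

def wp_put(s_new: S) -> WP:
    return lambda post, s: post((), s_new)

def cps(m: ST) -> WP:
    """The translation itself: run the representation, feed the result to post."""
    def wp(post: Post, s: S) -> bool:
        a, s1 = m(s)
        return post(a, s1)
    return wp

def hoare_to_wp(pre, ens, results: Iterable[Any], states: Iterable[S]) -> WP:
    """Hoare triple as a WP: λ post s0. pre s0 ∧ ∀ r s1. ens s0 r s1 ⇒ post r s1.
    The quantifier ranges over the given finite domains (modelling assumption)."""
    results, states = list(results), list(states)
    return lambda post, s0: bool(pre(s0)) and all(
        (not ens(s0, r, s1)) or post(r, s1) for r in results for s1 in states)


# incr, written the three ways the slides put side by side
incr_st = st_bind(st_get(), lambda n: st_put(n + 1))          # the program
incr_wp = wp_bind(wp_get(), lambda n: wp_put(n + 1))          # compositional WP
incr_hoare = hoare_to_wp(lambda n0: True,                      # requires
                         lambda n0, r, n1: n1 == n0 + 1,       # ensures
                         results=[()], states=range(-10, 20))

def spec_incr(post: Post, n0: S) -> bool:
    # the WP spec on the slide: λ post n0 → post () (n0 + 1)
    return post((), n0 + 1)

def wps_agree(wp1: WP, wp2: WP, posts, states) -> bool:
    return all(wp1(p, s) == wp2(p, s) for p in posts for s in states)

SAMPLE_POSTS = [                        # constructed sample postconditions
    lambda r, s: s > 0,
    lambda r, s: s % 2 == 0,
    lambda r, s: r == () and s < 5,
]
SAMPLE_STATES = range(-3, 8)            # final states -2..8 lie inside the quantifier domain

def check_incr() -> bool:
    """The relation the talk is about: the WP built from the derived
    return/bind/get/put equals the CPS transform of the monadic program,
    and both equal the hand-written specs on the slide."""
    derived = cps(incr_st)
    return (wps_agree(incr_wp, derived, SAMPLE_POSTS, SAMPLE_STATES)
            and wps_agree(incr_wp, spec_incr, SAMPLE_POSTS, SAMPLE_STATES)
            and wps_agree(incr_wp, incr_hoare, SAMPLE_POSTS, SAMPLE_STATES))

if __name__ == "__main__":
    print("incr: compositional WP == CPS(program) == specs:", check_incr())
```

The point to notice is that `wp_bind` is exactly `st_bind` with the continuation (the postcondition) threaded through: nothing about the WP side was hand-crafted, it is read off the representation monad, which is why the check in `check_incr` holds for every sample postcondition and state rather than for incr alone.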