Dijkstra Monads for Free Guido Martnez , Gordon Plotkin, Jonathan - - PowerPoint PPT Presentation

dijkstra monads for free
SMART_READER_LITE
LIVE PREVIEW

Dijkstra Monads for Free Guido Martnez , Gordon Plotkin, Jonathan - - PowerPoint PPT Presentation

Oct 12, 2022 449 likes •968 views

f a t i c r t A C o m p * * l t e t n e e * A t * s i W s n E e o L l l C C P D * o O * e c u s P u m e e E R * n o e t v t d y s a E * d a l e u t a 1 / 16 POPL 17

slide-1
SLIDE 1 C
  • n
s i s t e n t * C
  • m
p l e t e * W e l l D
  • c
u m e n t e d * E a s y t
  • R
e u s e * * E v a l u a t e d * P O P L * A r t i f a c t * A E C

Dijkstra Monads for Free

Danel Ahman, Cătălin Hriţcu, Kenji Maillard, Guido Martínez, Gordon Plotkin, Jonathan Protzenko, Aseem Rastogi, Nikhil Swamy Microsoft Research, University of Edinburgh, Inria, ENS Paris, UNR Argentina POPL ’17 1 / 16 C
  • n
s i s t e n t * C
  • m
p l e t e * W e l l D
  • c
u m e n t e d * E a s y t
  • R
e u s e * * E v a l u a t e d * P O P L * A r t i f a c t * A E C
slide-2
SLIDE 2

Combining dependent types and efgects

  • Known hard problem, various solutions (Ynot/HTT, Idris, Trellys/Zombie, F⋆)
  • Common approach: encapsulating efgectul programs in monads.
But how to reason about them?
  • One idea (HTT/F ) is to index the monad with a specifjcation:
(* No spec *) val incr : unit ST unit (* Hoare triples *) val incr : unit ST unit (requires ( n True)) (ensures ( n r n n = n + 1)) (* Dijkstra’s WPs *) val incr : unit ST unit ( post n post () (n + 1))
  • Dijkstra monads are a generalization of Dijkstra’s predicate transformers to
arbitrary efgects, and are the bread and butter of F ’s reasoning about efgects. 2 / 16
slide-3
SLIDE 3

Combining dependent types and efgects

  • Known hard problem, various solutions (Ynot/HTT, Idris, Trellys/Zombie, F⋆)
  • Common approach: encapsulating efgectul programs in monads.
But how to reason about them?
  • One idea (HTT/F ) is to index the monad with a specifjcation:
(* No spec *) val incr : unit ST unit (* Hoare triples *) val incr : unit ST unit (requires ( n True)) (ensures ( n r n n = n + 1)) (* Dijkstra’s WPs *) val incr : unit ST unit ( post n post () (n + 1))
  • Dijkstra monads are a generalization of Dijkstra’s predicate transformers to
arbitrary efgects, and are the bread and butter of F ’s reasoning about efgects. 2 / 16
slide-4
SLIDE 4

Combining dependent types and efgects

  • Known hard problem, various solutions (Ynot/HTT, Idris, Trellys/Zombie, F⋆)
  • Common approach: encapsulating efgectul programs in monads.
But how to reason about them?
  • One idea (HTT/F⋆) is to index the monad with a specifjcation:
(* No spec *) val incr : unit → ST unit (* Hoare triples *) val incr : unit → ST unit (requires (λ n0 → True)) (ensures (λ n0 r n1 → n1 = n0 + 1)) (* Dijkstra’s WPs *) val incr : unit ST unit ( post n post () (n + 1))
  • Dijkstra monads are a generalization of Dijkstra’s predicate transformers to
arbitrary efgects, and are the bread and butter of F ’s reasoning about efgects. 2 / 16
slide-5
SLIDE 5

Combining dependent types and efgects

  • Known hard problem, various solutions (Ynot/HTT, Idris, Trellys/Zombie, F⋆)
  • Common approach: encapsulating efgectul programs in monads.
But how to reason about them?
  • One idea (HTT/F⋆) is to index the monad with a specifjcation:
(* No spec *) val incr : unit → ST unit (* Hoare triples *) val incr : unit → ST unit (requires (λ n0 → True)) (ensures (λ n0 r n1 → n1 = n0 + 1)) (* Dijkstra’s WPs *) val incr : unit → ST unit (λ post n0 → post () (n0 + 1))
  • Dijkstra monads are a generalization of Dijkstra’s predicate transformers to
arbitrary efgects, and are the bread and butter of F ’s reasoning about efgects. 2 / 16
slide-6
SLIDE 6

Combining dependent types and efgects

  • Known hard problem, various solutions (Ynot/HTT, Idris, Trellys/Zombie, F⋆)
  • Common approach: encapsulating efgectul programs in monads.
But how to reason about them?
  • One idea (HTT/F⋆) is to index the monad with a specifjcation:
(* No spec *) val incr : unit → ST unit (* Hoare triples *) val incr : unit → ST unit (requires (λ n0 → True)) (ensures (λ n0 r n1 → n1 = n0 + 1)) (* Dijkstra’s WPs *) val incr : unit → ST unit (λ post n0 → post () (n0 + 1))
  • Dijkstra monads are a generalization of Dijkstra’s predicate transformers to
arbitrary efgects, and are the bread and butter of F⋆’s reasoning about efgects. 2 / 16
slide-7
SLIDE 7 Programs (with dirty efgects) Dijkstra Monad (pure and beautiful) correctly specifjes 3 / 16
slide-8
SLIDE 8 Programs (with dirty efgects) Dijkstra Monad (pure and beautiful) correctly specifjes

3 / 16
slide-9
SLIDE 9

Problem...

  • The Dijkstra monad for each efgect needs to be hand-crafted, and proven correct.
  • This made F⋆ rigid, in that it had a fjxed supply of efgects.
  • A fundamental question arises:
What is the relation between the monadic representation for an efgect and its Dijkstra monad?
  • Old dog, new trick: Dijkstra monads are a CPS transform of the representation
monad, allowing automatic derivation.
  • Simple monadic defjnition gives correct-by-construction WP calculus for it.
  • Implemented in F ... now with user-defjned efgects.
  • Huge boost in simplicity and expressiveness of the efgect system.
C
  • n
s i s t e n t * C
  • m
p l e t e * W e l l D
  • c
u m e n t e d * E a s y t
  • R
e u s e *

*

E v a l u a t e d

* P O P L *

A r t i f a c t

* A E C

4 / 16
slide-10
SLIDE 10

Problem...

  • The Dijkstra monad for each efgect needs to be hand-crafted, and proven correct.
  • This made F⋆ rigid, in that it had a fjxed supply of efgects.
  • A fundamental question arises:
What is the relation between the monadic representation for an efgect and its Dijkstra monad?
  • Old dog, new trick: Dijkstra monads are a CPS transform of the representation
monad, allowing automatic derivation.
  • Simple monadic defjnition gives correct-by-construction WP calculus for it.
  • Implemented in F ... now with user-defjned efgects.
  • Huge boost in simplicity and expressiveness of the efgect system.
C
  • n
s i s t e n t * C
  • m
p l e t e * W e l l D
  • c
u m e n t e d * E a s y t
  • R
e u s e *

*

E v a l u a t e d

* P O P L *

A r t i f a c t

* A E C

4 / 16
slide-11
SLIDE 11

Problem... solution!

  • The Dijkstra monad for each efgect needs to be hand-crafted, and proven correct.
  • This made F⋆ rigid, in that it had a fjxed supply of efgects.
  • A fundamental question arises:
What is the relation between the monadic representation for an efgect and its Dijkstra monad?
  • Old dog, new trick: Dijkstra monads are a CPS transform of the representation
monad, allowing automatic derivation.
  • Simple monadic defjnition gives correct-by-construction WP calculus for it.
  • Implemented in F ... now with user-defjned efgects.
  • Huge boost in simplicity and expressiveness of the efgect system.
C
  • n
s i s t e n t * C
  • m
p l e t e * W e l l D
  • c
u m e n t e d * E a s y t
  • R
e u s e *

*

E v a l u a t e d

* P O P L *

A r t i f a c t

* A E C

4 / 16
slide-12
SLIDE 12

Problem... solution!

  • The Dijkstra monad for each efgect needs to be hand-crafted, and proven correct.
  • This made F⋆ rigid, in that it had a fjxed supply of efgects.
  • A fundamental question arises:
What is the relation between the monadic representation for an efgect and its Dijkstra monad?
  • Old dog, new trick: Dijkstra monads are a CPS transform of the representation
monad, allowing automatic derivation.
  • Simple monadic defjnition gives correct-by-construction WP calculus for it.
  • Implemented in F⋆... now with user-defjned efgects.
  • Huge boost in simplicity and expressiveness of the efgect system.
C
  • n
s i s t e n t * C
  • m
p l e t e * W e l l D
  • c
u m e n t e d * E a s y t
  • R
e u s e *

*

E v a l u a t e d

* P O P L *

A r t i f a c t

* A E C

4 / 16
slide-13
SLIDE 13

Problem... solution!

  • The Dijkstra monad for each efgect needs to be hand-crafted, and proven correct.
  • This made F⋆ rigid, in that it had a fjxed supply of efgects.
  • A fundamental question arises:
What is the relation between the monadic representation for an efgect and its Dijkstra monad?
  • Old dog, new trick: Dijkstra monads are a CPS transform of the representation
monad, allowing automatic derivation.
  • Simple monadic defjnition gives correct-by-construction WP calculus for it.
  • Implemented in F⋆... now with user-defjned efgects.
  • Huge boost in simplicity and expressiveness of the efgect system.
C
  • n
s i s t e n t * C
  • m
p l e t e * W e l l D
  • c
u m e n t e d * E a s y t
  • R
e u s e *

*

E v a l u a t e d

* P O P L *

A r t i f a c t

* A E C

4 / 16
slide-14
SLIDE 14

A reminder on WPs

  • Dijkstra monads are essentially monads over weakest-preconditions (WP).
  • A WP is a predicate transformer mapping a postcondition on the outputs of a
computation to a precondition on its inputs.
  • Example: for stateful computations, WPs are of type
STwp t = t S Type S Type where t is the result type.
  • F ’s typing judgment gives a WP to each computation:
e ST t wp 5 / 16
slide-15
SLIDE 15

A reminder on WPs

  • Dijkstra monads are essentially monads over weakest-preconditions (WP).
  • A WP is a predicate transformer mapping a postcondition on the outputs of a
computation to a precondition on its inputs.
  • Example: for stateful computations, WPs are of type
STwp t = (t → S → Type0) → S → Type0 where t is the result type.
  • F ’s typing judgment gives a WP to each computation:
e ST t wp 5 / 16
slide-16
SLIDE 16

A reminder on WPs

  • Dijkstra monads are essentially monads over weakest-preconditions (WP).
  • A WP is a predicate transformer mapping a postcondition on the outputs of a
computation to a precondition on its inputs.
  • Example: for stateful computations, WPs are of type
STwp t = (t → S → Type0) → S → Type0 where t is the result type.
  • F ’s typing judgment gives a WP to each computation:
e ST t wp 5 / 16
slide-17
SLIDE 17

A reminder on WPs

  • Dijkstra monads are essentially monads over weakest-preconditions (WP).
  • A WP is a predicate transformer mapping a postcondition on the outputs of a
computation to a precondition on its inputs.
  • Example: for stateful computations, WPs are of type
STwp t = (t → S → Type0) → S → Type0 where t is the result type.
  • F⋆’s typing judgment gives a WP to each computation:
Γ ⊢ e : ST t wp 5 / 16
slide-18
SLIDE 18

Verifying code

let incr () = let n = get () in put (n + 1)
  • Turn it into explicitly monadic form
  • Compute a WP by simple type inference
val get : unit ST int getwp val put : n :int ST unit ( setwp n ) val bindst : wa wb. ST a wa (x:a ST b (wb x)) ST b ( bindwpst wa wb) to get val incr : unit ST unit (bindwpst getwp ( n setwp (n + 1))) = val incr : unit ST unit ( post n post () (n + 1)) 6 / 16
slide-19
SLIDE 19

Verifying code

let incr () = bindst (get ()) (λ n → put (n + 1))
  • Turn it into explicitly monadic form
  • Compute a WP by simple type inference
val get : unit ST int getwp val put : n :int ST unit ( setwp n ) val bindst : wa wb. ST a wa (x:a ST b (wb x)) ST b ( bindwpst wa wb) to get val incr : unit ST unit (bindwpst getwp ( n setwp (n + 1))) = val incr : unit ST unit ( post n post () (n + 1)) 6 / 16
slide-20
SLIDE 20

Verifying code

let incr () = bindst (get ()) (λ n → put (n + 1))
  • Turn it into explicitly monadic form
  • Compute a WP by simple type inference
val get : unit → ST int getwp val put : n1:int → ST unit ( setwp n1) val bindst : ∀wa wb. ST a wa → (x:a → ST b (wb x)) → ST b ( bindwpst wa wb) to get val incr : unit ST unit (bindwpst getwp ( n setwp (n + 1))) = val incr : unit ST unit ( post n post () (n + 1)) 6 / 16
slide-21
SLIDE 21

Verifying code

let incr () = bindst (get ()) (λ n → put (n + 1))
  • Turn it into explicitly monadic form
  • Compute a WP by simple type inference
val get : unit → ST int getwp val put : n1:int → ST unit ( setwp n1) val bindst : ∀wa wb. ST a wa → (x:a → ST b (wb x)) → ST b ( bindwpst wa wb) to get val incr : unit → ST unit (bindwpst getwp (λ n → setwp (n + 1))) = val incr : unit ST unit ( post n post () (n + 1)) 6 / 16
slide-22
SLIDE 22

Verifying code

let incr () = bindst (get ()) (λ n → put (n + 1))
  • Turn it into explicitly monadic form
  • Compute a WP by simple type inference
val get : unit → ST int getwp val put : n1:int → ST unit ( setwp n1) val bindst : ∀wa wb. ST a wa → (x:a → ST b (wb x)) → ST b ( bindwpst wa wb) to get val incr : unit → ST unit (bindwpst getwp (λ n → setwp (n + 1))) = val incr : unit → ST unit (λ post n0 → post () (n0 + 1)) 6 / 16
slide-23
SLIDE 23

Verifying code

let incr () = bindst (get ()) (λ n → put (n + 1))
  • Turn it into explicitly monadic form
  • Compute a WP by simple type inference
val get : unit → ST int getwp val put : n1:int → ST unit ( setwp n1) val bindst : ∀wa wb. ST a wa → (x:a → ST b (wb x)) → ST b ( bindwpst wa wb) to get val incr : unit → ST unit (bindwpst getwp (λ n → setwp (n + 1))) = val incr : unit → ST unit (λ post n0 → post () (n0 + 1)) 6 / 16
slide-24
SLIDE 24

Primitive specs

STwp t = (t → S → Type0) → S → Type0 returnwpst v = λp s0. p v s0 bindwpst wp f = λp s0. wp (λv s1. f v p s1) s0 getwpst = λp s0. p s0 s0 setwpst s1 = λp _. p () s1 ST t = S t S returnst v = s v s bindst m f = s let vs = m s in f fst vs snd vs get = s s s set s = _ s

Can be derived automatically!

7 / 16
slide-25
SLIDE 25

Primitive specs

STwp t = S → (t × S → Type0) → Type0 returnwpst v = λs0 p. p (v, s0) bindwpst wp f = λs0 p. wp s0 (λvs. f (fst vs) (snd vs) p) getwpst = λs0 p. p (s0, s0) setwpst s1 = λ_ p. p ((), s1) ST t = S t S returnst v = s v s bindst m f = s let vs = m s in f fst vs snd vs get = s s s set s = _ s

Can be derived automatically!

7 / 16
slide-26
SLIDE 26

Primitive specs

STwp t = S → (t × S → Type0) → Type0 returnwpst v = λs0 p. p (v, s0) bindwpst wp f = λs0 p. wp s0 (λvs. f (fst vs) (snd vs) p) getwpst = λs0 p. p (s0, s0) setwpst s1 = λ_ p. p ((), s1) ST t = S → t × S returnst v = λs0. (v, s0) bindst m f = λs0. let vs = m s0 in f (fst vs) (snd vs) get = λs0. (s0, s0) set s1 = λ_. ((), s1)

Can be derived automatically!

7 / 16
slide-27
SLIDE 27

Primitive specs

STwp t = S → (t × S → Type0) → Type0 returnwpst v = λs0 p. p (v, s0) bindwpst wp f = λs0 p. wp s0 (λvs. f (fst vs) (snd vs) p) getwpst = λs0 p. p (s0, s0) setwpst s1 = λ_ p. p ((), s1) ST t = S → t × S returnst v = λs0. (v, s0) bindst m f = λs0. let vs = m s0 in f (fst vs) (snd vs) get = λs0. (s0, s0) set s1 = λ_. ((), s1)

Can be derived automatically!

7 / 16
slide-28
SLIDE 28

Formalization

  • We introduce two calculi: dm and a new F⋆ formalization called emf⋆.
  • dm: simply-typed with an abstract base monad
(and somewhat restricted)
  • Used to defjne monads, actions, lifts
  • emf : dependently-typed, allows for user-defjned efgects
  • Two translations from well-typed dm terms to emf
  • translation: gives specifjcation (selective CPS)
  • Elaboration: gives implementation (essentially an identity)
  • translation gives a correct Dijkstra monad for elaborated terms.
Examples: state, exceptions, continuations... 8 / 16
slide-29
SLIDE 29

Formalization

  • We introduce two calculi: dm and a new F⋆ formalization called emf⋆.
  • dm: simply-typed with an abstract base monad τ (and somewhat restricted)
  • Used to defjne monads, actions, lifts
  • emf⋆: dependently-typed, allows for user-defjned efgects
  • Two translations from well-typed dm terms to emf
  • translation: gives specifjcation (selective CPS)
  • Elaboration: gives implementation (essentially an identity)
  • translation gives a correct Dijkstra monad for elaborated terms.
Examples: state, exceptions, continuations... 8 / 16
slide-30
SLIDE 30

Formalization

  • We introduce two calculi: dm and a new F⋆ formalization called emf⋆.
  • dm: simply-typed with an abstract base monad τ (and somewhat restricted)
  • Used to defjne monads, actions, lifts
  • emf⋆: dependently-typed, allows for user-defjned efgects
  • Two translations from well-typed dm terms to emf⋆
  • ⋆-translation: gives specifjcation (selective CPS)
  • Elaboration: gives implementation (essentially an identity)
  • translation gives a correct Dijkstra monad for elaborated terms.
Examples: state, exceptions, continuations... 8 / 16
slide-31
SLIDE 31

Formalization

  • We introduce two calculi: dm and a new F⋆ formalization called emf⋆.
  • dm: simply-typed with an abstract base monad τ (and somewhat restricted)
  • Used to defjne monads, actions, lifts
  • emf⋆: dependently-typed, allows for user-defjned efgects
  • Two translations from well-typed dm terms to emf⋆
  • ⋆-translation: gives specifjcation (selective CPS)
  • Elaboration: gives implementation (essentially an identity)
  • ⋆-translation gives a correct Dijkstra monad for elaborated terms.
Examples: state, exceptions, continuations... 8 / 16
slide-32
SLIDE 32 e : C e⋆ : C⋆ (dm) (emf⋆) e : FC e⋆ Logical relation ⋆-translation elaboration correctly specifjes 9 / 16
slide-33
SLIDE 33 e : C e⋆ : C⋆ (dm) (emf⋆) e : FC e⋆ Logical relation ⋆-translation elaboration correctly specifjes 9 / 16
slide-34
SLIDE 34

Pure in emf⋆

  • Pure is the only primitive emf⋆ efgect.
  • A WP for Pure t is of type
(t → Type0) → Type0
  • The Dijkstra monad for Pure is exactly the continuation monad.
Lemma (Correctness of Pure) If e Pure t wp and wp p, then e v s.t. p v. 10 / 16
slide-35
SLIDE 35

Pure in emf⋆

  • Pure is the only primitive emf⋆ efgect.
  • A WP for Pure t is of type
(t → Type0) → Type0
  • The Dijkstra monad for Pure is exactly the continuation monad.
Lemma (Correctness of Pure) If e Pure t wp and wp p, then e v s.t. p v. 10 / 16
slide-36
SLIDE 36

Pure in emf⋆

  • Pure is the only primitive emf⋆ efgect.
  • A WP for Pure t is of type
(t → Type0) → Type0
  • The Dijkstra monad for Pure is exactly the continuation monad.
Lemma (Correctness of Pure) If ⊢ e : Pure t wp and ⊨ wp p, then e ⇝∗ v s.t. ⊨ p v. 10 / 16
slide-37
SLIDE 37

Reasoning about ST

  • Say we have a term e such that
e : S → t × S
  • From logical relation, we get
e s :S Pure t S e s
  • From previous and correctness of Pure, we get
Corollary (Correctness of ST) If e S t S, and e s p, then e s v s s.t. p v s . 11 / 16
slide-38
SLIDE 38

Reasoning about ST

  • Say we have a term e such that
e : S → t × S
  • From logical relation, we get
e : s0:S → Pure (t × S) (e⋆ s0)
  • From previous and correctness of Pure, we get
Corollary (Correctness of ST) If e S t S, and e s p, then e s v s s.t. p v s . 11 / 16
slide-39
SLIDE 39

Reasoning about ST

  • Say we have a term e such that
e : S → t × S
  • From logical relation, we get
e : s0:S → Pure (t × S) (e⋆ s0)
  • From previous and correctness of Pure, we get
Corollary (Correctness of ST) If ⊢ e : S → t × S, and ⊨ e⋆ s0 p, then e s0 ⇝∗ (v, s) s.t. ⊨ p (v, s). 11 / 16
slide-40
SLIDE 40

Relating efgects

  • In dm, we can also provide a lift between two monads.
ST t = S → t × S EXNST t = S → (1 + t) × S lift : ST t → EXNST t lift m = λs0. let vs = m s0 in (inr (fst vs), snd vs)
  • It will be translated to a correct Dijkstra monad lift.
liftwp STwp t EXNSTwp t liftwp wp = s p wp s vs p inr fst vs snd vs 12 / 16
slide-41
SLIDE 41

Relating efgects

  • In dm, we can also provide a lift between two monads.
ST t = S → t × S EXNST t = S → (1 + t) × S lift : ST t → EXNST t lift m = λs0. let vs = m s0 in (inr (fst vs), snd vs)
  • It will be translated to a correct Dijkstra monad lift.
liftwp : STwp t → EXNSTwp t liftwp wp = λs0 p. wp s0 (λvs. p (inr (fst vs), snd vs)) 12 / 16
slide-42
SLIDE 42 13 / 16
slide-43
SLIDE 43

Properties of the translations

Besides correctly specifying programs, the generated WPs enjoys some nice properties
  • The ⋆-translation preserves equality
  • Monads mapped to Dijkstra monads
  • Lifts mapped to Dijkstra lifts
  • Laws about actions preserved
  • e is monotonic: it maps weaker postconditions to weaker preconditions.
x p x = p x = e p = e p
  • e is conjunctive: it distributes over
and . e x p x p x e p e p
  • These properties together ensure that any dm monad provides a correct Dijkstra
monad, that’s also usable within the F compiler. 14 / 16
slide-44
SLIDE 44

Properties of the translations

Besides correctly specifying programs, the generated WPs enjoys some nice properties
  • The ⋆-translation preserves equality
  • Monads mapped to Dijkstra monads
  • Lifts mapped to Dijkstra lifts
  • Laws about actions preserved
  • e is monotonic: it maps weaker postconditions to weaker preconditions.
x p x = p x = e p = e p
  • e is conjunctive: it distributes over
and . e x p x p x e p e p
  • These properties together ensure that any dm monad provides a correct Dijkstra
monad, that’s also usable within the F compiler. 14 / 16
slide-45
SLIDE 45

Properties of the translations

Besides correctly specifying programs, the generated WPs enjoys some nice properties
  • The ⋆-translation preserves equality
  • Monads mapped to Dijkstra monads
  • Lifts mapped to Dijkstra lifts
  • Laws about actions preserved
  • e⋆ is monotonic: it maps weaker postconditions to weaker preconditions.
(∀x.p1 x = ⇒ p2 x) = ⇒ e⋆ p1 = ⇒ e⋆ p2
  • e⋆ is conjunctive: it distributes over ∧ and ∀.
e⋆ (λx. p1 x ∧ p2 x) ⇐ ⇒ e⋆ p1 ∧ e⋆ p2
  • These properties together ensure that any dm monad provides a correct Dijkstra
monad, that’s also usable within the F compiler. 14 / 16
slide-46
SLIDE 46

Properties of the translations

Besides correctly specifying programs, the generated WPs enjoys some nice properties
  • The ⋆-translation preserves equality
  • Monads mapped to Dijkstra monads
  • Lifts mapped to Dijkstra lifts
  • Laws about actions preserved
  • e⋆ is monotonic: it maps weaker postconditions to weaker preconditions.
(∀x.p1 x = ⇒ p2 x) = ⇒ e⋆ p1 = ⇒ e⋆ p2
  • e⋆ is conjunctive: it distributes over ∧ and ∀.
e⋆ (λx. p1 x ∧ p2 x) ⇐ ⇒ e⋆ p1 ∧ e⋆ p2
  • These properties together ensure that any dm monad provides a correct Dijkstra
monad, that’s also usable within the F⋆ compiler. 14 / 16
slide-47
SLIDE 47

Conclusions and further work

  • We show a formal connection between WPs and CPS, with good properties.
  • New version of F⋆ with user-defjned efgects:
greatly broadens its applications and reduces proof obligations.
  • Extrinsic reasoning; primitive efgects: details in paper.
Further work:
  • Exciting new opportunities in verifjcation:
probabilistic computation, concurrency, cost analysis...
  • Improve the expresiveness of dm.

Thank you!

15 / 16
slide-48
SLIDE 48

Conclusions and further work

  • We show a formal connection between WPs and CPS, with good properties.
  • New version of F⋆ with user-defjned efgects:
greatly broadens its applications and reduces proof obligations.
  • Extrinsic reasoning; primitive efgects: details in paper.
Further work:
  • Exciting new opportunities in verifjcation:
probabilistic computation, concurrency, cost analysis...
  • Improve the expresiveness of dm.

Thank you!

15 / 16
slide-49
SLIDE 49

Conclusions and further work

  • We show a formal connection between WPs and CPS, with good properties.
  • New version of F⋆ with user-defjned efgects:
greatly broadens its applications and reduces proof obligations.
  • Extrinsic reasoning; primitive efgects: details in paper.
Further work:
  • Exciting new opportunities in verifjcation:
probabilistic computation, concurrency, cost analysis...
  • Improve the expresiveness of dm.

Thank you!

15 / 16
slide-50
SLIDE 50

Thank you!

16 / 16