Modular Verification of Programs with Effects and Effect Handlers in Coq

Letan, Thomas; Régis-Gianas, Yann; Chifflier, Pierre; Hiet, Guillaume

doi:10.1007/978-3-319-95582-7_20

Cited by 14 publications

(17 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We use interaction trees (ITrees) as a general-purpose structure for specifying such components. ITrees are a Coq adaptation of similar concepts known variously as "freer, " "general, " or "program" monads [Kiselyov and Ishii 2015;Letan et al 2018; McBride 2015]. We defer a deeper comparison until Section 8.…”

Section: Interaction Treesmentioning

confidence: 99%

See 1 more Smart Citation

From C to interaction trees: specifying, verifying, and testing a networked server

Koh

et al. 2019

Proceedings of the 8th ACM SIGPLAN International Conference on Certified Programs and Proofs

View full text Add to dashboard Cite

We present the first formal verification of a networked server implemented in C. Interaction trees, a general structure for representing reactive computations, are used to tie together disparate verification and testing tools (Coq, VST, and Quick-Chick) and to axiomatize the behavior of the operating system on which the server runs (CertiKOS). The main theorem connects a specification of acceptable server behaviors, written in a straightforward "one client at a time" style, with the CompCert semantics of the C program. The variability introduced by low-level buffering of messages and interleaving of multiple TCP connections is captured using network refinement, a variant of observational refinement.

show abstract

Section: Interaction Treesmentioning

confidence: 99%

“…Our coinductively defined interaction trees also support a general (monadic) fixpoint combinator. Letan et al [2018] present the "program monad" to model components of complex computing systems. Like the general monad, it is defined inductively.…”

Section: Related Workmentioning

confidence: 99%

From C to interaction trees: specifying, verifying, and testing a networked server

Koh

et al. 2019

Proceedings of the 8th ACM SIGPLAN International Conference on Certified Programs and Proofs

View full text Add to dashboard Cite

show abstract

“…The FreeSpec Coq library, implemented by Letan et al [2018], uses what they call the "program monad" to model components of complex computing systems. The program monad is identical to the inductive version of ITrees 10 (without Tau).…”

Section: Effects In Type Theorymentioning

confidence: 99%

“…CoInductive world E : Type := World ( io : ∀ { A : Type } , E A → option ( A * world E ) ) . Letan et al [2018] use a definition essentially identical to this one (without the option) to define their notion of "semantics" for the program monad. Given such a definition, we can define a world that satisfies a certain property (for example, one that never produces 9 as an answer), and use it to constrain the inputs given to the program, by "running" the program under consideration in the given world.…”

Section: Composition With the Environmentmentioning

confidence: 99%

Interaction trees: representing recursive and impure programs in Coq

Xia

Zakowski

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We present interaction trees (ITrees), a general-purpose data structure in Coq for formalizing the behaviors of recursive programs that interact with their environment. ITrees are built of uninterpreted events and their continuations-a coinductive variant of a "free monad. " We study the compositional properties of interpreters built from event handlers and show how to use them to implement a general mutual recursion operator. The resulting theory enables equational reasoning about ITrees up to weak bisimulation. Using this theory, we prove the termination-sensitive correctness of a compiler from a simple imperative source language to an assembly-like target whose meanings are given as an ITree-based denotational semantics. Crucially, the correctness proof follows entirely by structural induction and the equational theory of combinators for control-flow graphs, which are built on top of the mutual recursion operator. ITrees are also executable, e.g. through extraction, making them suitable for debugging, testing, and implementing executable artifacts.

show abstract

“…Another alternative was to use freer monads introduced by Kiselyov et al [17], whose definition did not need a representation of striclty positive types using containers at all. There were already several encodings to model different kinds of monadic effects using freer monads: McBride [21] defines a General monad to model general recursion as effect, Letan et al [19] use the Program monad initially presented in the operational package known from Haskell 11 to reason about a small imperative language, and Koh et al [18] identify interaction trees as a suitable tool to verify functional correctness of a server implemented in C.…”

Section: :22mentioning

confidence: 99%

One Monad to Prove Them All

Dylus¹,

Christiansen

Teegen

2019

Programming

View full text Add to dashboard Cite

One Monad to Prove Them All is a modern fairy tale about curiosity and perseverance, two important properties of a successful PhD student. We follow the PhD student Mona on her adventure of proving properties about Haskell programs in the proof assistant Coq.On the one hand, as a PhD student in computer science Mona observes an increasing demand for correct software products. In particular, because of the large amount of existing software, verifying existing software products becomes more important. Verifying programs in the functional programming language Haskell is no exception. On the other hand, Mona is delighted to see that communities in the area of theorem proving are becoming popular. Thus, Mona sets out to learn more about the interactive theorem prover Coq and verifying Haskell programs in Coq.To prove properties about a Haskell function in Coq, Mona has to translate the function into Coq code. As Coq programs have to be total and Haskell programs are often not, Mona has to model partiality explicitly in Coq. In her quest for a solution Mona finds an ancient manuscript that explains how properties about Haskell functions can be proven in the proof assistant Agda by translating Haskell programs into monadic Agda programs. By instantiating the monadic program with a concrete monad instance the proof can be performed in either a total or a partial setting. Mona discovers that the proposed transformation does not work in Coq due to a restriction in the termination checker. In fact the transformation does not work in Agda anymore as well, as the termination checker in Agda has been improved.We follow Mona on an educational journey through the land of functional programming where she learns about concepts like free monads and containers as well as basics and restrictions of proof assistants like Coq. These concepts are well-known individually, but their interplay gives rise to a solution for Mona's problem based on the originally proposed monadic tranformation that has not been presented before. When Mona starts to test her approach by proving a statement about simple Haskell functions, she realizes that her approach has an additional advantage over the original idea in Agda. Mona's final solution not only works for a specific monad instance but even allows her to prove monad-generic properties. Instead of proving properties over and over again for specific monad instances she is able to prove properties that hold for all monads representable by a container-based instance of the free monad. In order to strengthen her confidence in the practicability of her approach, Mona evaluates her approach in a case study that compares two implementations for queues. In order to share the results with other functional programmers the fairy tale is available as a literate Coq file.If you are a citizen of the land of functional programming or are at least familiar with its customs, had a journey that involved reasoning about functional programs of your own, or are just a curious soul looking for the next story about monads ...

show abstract

Modular Verification of Programs with Effects and Effect Handlers in Coq

Cited by 14 publications

References 16 publications

From C to interaction trees: specifying, verifying, and testing a networked server

From C to interaction trees: specifying, verifying, and testing a networked server

Interaction trees: representing recursive and impure programs in Coq

One Monad to Prove Them All

Contact Info

Product

Resources

About