Interaction trees: representing recursive and impure programs in Coq

Interaction trees (ITrees) are a general-purpose data structure for representing the behaviors of recursive programs that interact with their environments. A coinductive variant of “free monads,” ITrees are built out of uninterpreted events and their continuations. They support compositional construction of interpreters from event handlers, which give meaning to events by defining their semantics as monadic actions. ITrees are expressive enough to represent impure and potentially nonterminating, mutually recursive computations, while admitting a rich equational theory of equivalence up to weak bisimulation. In contrast to other approaches such as relationally specified operational semantics, ITrees are executable via code extraction, making them suitable for debugging, testing, and implementing software artifacts that are amenable to formal verification. We have implemented ITrees and their associated theory as a Coq library, mechanizing classic domain- and category-theoretic results about program semantics, iteration, monadic structures, and equational reasoning. Although the internals of the library rely heavily on coinductive proofs, the interface hides these details so that clients can use and reason about ITrees without explicit use of Coq’s coinduction tactics. To showcase the utility of our theory, we prove the termination-sensitive correctness of a compiler from a simple imperative source language to an assembly-like target whose meanings are given in an ITree-based denotational semantics. Unlike previous results using operational techniques, our bisimulation proof follows straightforwardly by structural induction and elementary rewriting via an equational theory of combinators for control-flow graphs.

[1]  Zhong Shao,et al.  CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels , 2016, OSDI.

[2]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[3]  Anton Setzer Object-oriented programming in dependent type theory , 2006, Trends in Functional Programming.

[4]  Gordon D. Plotkin,et al.  A structural approach to operational semantics , 2004, J. Log. Algebraic Methods Program..

[5]  Christoph Rauch,et al.  Unifying Guarded and Unguarded Iteration , 2017, FoSSaCS.

[6]  Patricia Johann,et al.  A Generic Operational Metatheory for Algebraic Effects , 2010, 2010 25th Annual IEEE Symposium on Logic in Computer Science.

[7]  Gordon D. Plotkin,et al.  Combining effects: Sum and tensor , 2006, Theor. Comput. Sci..

[8]  U. Norell,et al.  Towards a practical programming language based on dependent type theory , 2007 .

[9]  Ramana Kumar,et al.  Functional Big-Step Semantics , 2016, ESOP.

[10]  Peter Hancock,et al.  Interactive Programs in Dependent Type Theory , 2000, CSL.

[11]  Luca Aceto,et al.  Structural Operational Semantics , 1999, Handbook of Process Algebra.

[12]  Dominic R. Verity,et al.  Traced monoidal categories , 1996, Mathematical Proceedings of the Cambridge Philosophical Society.

[13]  Christine Paulin-Mohring,et al.  The coq proof assistant reference manual , 2000 .

[14]  Andreas Abel,et al.  Interactive programming in Agda – Objects and graphical user interfaces , 2017, Journal of Functional Programming.

[15]  Adam Chlipala,et al.  A verified compiler for an impure functional language , 2010, POPL '10.

[16]  Conor McBride Turing-Completeness Totally Free , 2015, MPC.

[17]  Jeremy Gibbons,et al.  The Coinductive Resumption Monad , 2014, MFPS.

[18]  Arthur Charguéraud,et al.  Pretty-Big-Step Semantics , 2013, ESOP.

[19]  Lawrence Charles Paulson,et al.  Isabelle/HOL: A Proof Assistant for Higher-Order Logic , 2002 .

[20]  Benjamin C. Pierce,et al.  From C to interaction trees: specifying, verifying, and testing a networked server , 2018, CPP.

[21]  Bruno C. d. S. Oliveira,et al.  Meta-theory à la carte , 2013, POPL.

[22]  Xavier Leroy,et al.  Coinductive big-step operational semantics , 2006, Inf. Comput..

[23]  Masahito Hasegawa,et al.  Recursion from Cyclic Sharing: Traced Monoidal Categories and Models of Cyclic Lambda Calculi , 1997, TLCA.

[24]  Pietro Cenciarelli,et al.  A Syntactic Approach to Modularity in Denotational Semantics , 1993 .

[25]  B. Pierce,et al.  QuickChick: Property-based testing for Coq , 2014 .

[26]  Paul Hudak,et al.  Monad transformers and modular interpreters , 1995, POPL '95.

[27]  Eduardo Giménez,et al.  Un calcul de constructions infinies et son application a la verification de systemes communicants , 1996 .

[28]  Hugo Herbelin,et al.  The Coq proof assistant : reference manual, version 6.1 , 1997 .

[29]  Z. Ésik,et al.  Iteration Theories: The Equational Logic of Iterative Processes , 1993 .

[30]  Eugenio Moggi,et al.  Computational lambda-calculus and monads , 1989, [1989] Proceedings. Fourth Annual Symposium on Logic in Computer Science.

[31]  Andrew W. Appel,et al.  Oracle semantics , 2008 .

[32]  Tarmo Uustalu,et al.  The Delay Monad and Restriction Categories , 2017, ICTAC.

[33]  Peter Aczel,et al.  Infinite trees and completely iterative theories: a coalgebraic view , 2003, Theor. Comput. Sci..

[34]  Gordon D. Plotkin,et al.  Handling Algebraic Effects , 2013, Log. Methods Comput. Sci..

[35]  Philip Wadler,et al.  Monads for functional programming , 1995, NATO ASI PDC.

[36]  Uday S. Reddy,et al.  Imperative functional programming , 1996, CSUR.

[37]  Andrew W. Appel,et al.  Position paper: the science of deep specification , 2017, Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences.

[38]  Gordon D. Plotkin,et al.  Notions of Computation Determine Monads , 2002, FoSSaCS.

[39]  Nick Benton,et al.  Some Domain Theory and Denotational Semantics in Coq , 2009, TPHOLs.

[40]  J. Gregory Morrisett,et al.  Toward a verified relational database management system , 2010, POPL '10.

[41]  Eduardo Giménez,et al.  Codifying Guarded Definitions with Recursive Schemes , 1994, TYPES.

[42]  Thorsten Altenkirch,et al.  Partiality, Revisited: The Partiality Monad as a Quotient Inductive-Inductive Type , 2017, FoSSaCS.

[43]  Jeremy Avigad,et al.  The Lean Theorem Prover (System Description) , 2015, CADE.

[44]  Tarmo Uustalu,et al.  Resumptions, Weak Bisimilarity and Big-Step Semantics for While with Interactive I/O: An Exercise in Mixed Induction-Coinduction , 2010, SOS.

[45]  Eugenio Moggi,et al.  Notions of Computation and Monads , 1991, Inf. Comput..

[46]  Adam Chlipala Infinite Data and Proofs , 2013 .

[47]  Zhong Shao,et al.  Certified concurrent abstraction layers , 2018, PLDI.

[48]  Xi Wang,et al.  Verdi: a framework for implementing and formally verifying distributed systems , 2015, PLDI.

[49]  Tatsuya Hagino,et al.  Codatatypes in ML , 1989, J. Symb. Comput..

[50]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[51]  Gordon D. Plotkin,et al.  Adequacy for Algebraic Effects , 2001, FoSSaCS.

[52]  Oleg Kiselyov,et al.  Freer monads, more extensible effects , 2015, Haskell.

[53]  Gordon D. Plotkin,et al.  The origins of structural operational semantics , 2004, J. Log. Algebraic Methods Program..

[54]  Andrew W. Appel Verified Software Toolchain - (Invited Talk) , 2011, ESOP.

[55]  Andrew W. Appel,et al.  Program Logics for Certified Compilers , 2014 .

[56]  Lars Birkedal,et al.  Formalizing Domains, Ultrametric Spaces and Semantics of Programming Languages , 2010 .

[57]  Gordon D. Plotkin,et al.  Algebraic Operations and Generic Effects , 2003, Appl. Categorical Struct..

[58]  Nils Anders Danielsson Operational semantics using the partiality monad , 2012, ICFP '12.

[59]  Robin Milner,et al.  Processes: A Mathematical Model of Computing Agents , 1975 .

[60]  Matthias Felleisen,et al.  The Denotational Specifications of Complex Languages , 2005 .

[61]  Amr Sabry,et al.  Extensible effects: an alternative to monad transformers , 2013, Haskell '13.

[62]  Chung-Kil Hur,et al.  The power of parameterization in coinductive proof , 2013, POPL.

[63]  Peter Hancock,et al.  Ordinals and interactive programs , 2000 .

[64]  Srinath T. V. Setty,et al.  IronFleet: proving practical distributed systems correct , 2015, SOSP.

[65]  Tarmo Uustalu,et al.  Quotienting the delay monad by weak bisimilarity , 2015, Mathematical Structures in Computer Science.

[66]  Adam Chlipala,et al.  A certified type-preserving compiler from lambda calculus to assembly language , 2007, PLDI '07.

[67]  Yann Régis-Gianas,et al.  Modular Verification of Programs with Effects and Effect Handlers in Coq , 2018, FM.

[68]  Sergey Goncharov,et al.  A Coinductive Calculus for Asynchronous Side-Effecting Processes , 2011, FCT.

[69]  Wouter Swierstra,et al.  Data types à la carte , 2008, Journal of Functional Programming.

[70]  Stefan Milius Completely iterative algebras and completely iterative monads , 2005, Inf. Comput..

[71]  Ramana Kumar,et al.  CakeML: a verified implementation of ML , 2014, POPL.

[72]  Andrej Bauer,et al.  Programming with algebraic effects and handlers , 2012, J. Log. Algebraic Methods Program..

[73]  Amal Ahmed,et al.  Semantics of types for mutable state , 2004 .

[74]  Venanzio Capretta,et al.  General recursion via coinductive types , 2005, Log. Methods Comput. Sci..

[75]  John Hughes,et al.  Generalising monads to arrows , 2000, Sci. Comput. Program..

[76]  Guy L. Steele,et al.  Building interpreters by composing monads , 1994, POPL '94.

[77]  Yu Guo,et al.  Deep Specifications and Certified Abstraction Layers , 2015, POPL.