Abstract
Interaction trees (ITrees) are a general-purpose data structure for representing the behaviors of recursive programs that interact with their environments. A coinductive variant of “free monads,” ITrees are built out of uninterpreted events and their continuations. They support compositional construction of interpreters from event handlers, which give meaning to events by defining their semantics as monadic actions. ITrees are expressive enough to represent impure and potentially nonterminating, mutually recursive computations, while admitting a rich equational theory of equivalence up to weak bisimulation. In contrast to other approaches such as relationally specified operational semantics, ITrees are executable via code extraction, making them suitable for debugging, testing, and implementing software artifacts that are amenable to formal verification. We have implemented ITrees and their associated theory as a Coq library, mechanizing classic domain- and category-theoretic results about program semantics, iteration, monadic structures, and equational reasoning. Although the internals of the library rely heavily on coinductive proofs, the interface hides these details so that clients can use and reason about ITrees without explicit use of Coq’s coinduction tactics. To showcase the utility of our theory, we prove the termination-sensitive correctness of a compiler from a simple imperative source language to an assembly-like target whose meanings are given in an ITree-based denotational semantics. Unlike previous results using operational techniques, our bisimulation proof follows straightforwardly by structural induction and elementary rewriting via an equational theory of combinators for control-flow graphs.
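To make "events and their continuations" concrete, here is an added, self-contained Coq sketch (not the library's own code) of a simplified interaction tree, a nonterminating program built from it, and a fuel-bounded handler that executes it. The names `IO`, `echo` and `run` are hypothetical, and the tree definition is a simplified stand-in for the library's.

```coq
(* Added sketch: self-contained, does not use the ITree library. *)
From Coq Require Import List.
Import ListNotations.

(* A tree of events and continuations; coinductive, so it may be infinite. *)
CoInductive itree (E : Type -> Type) (R : Type) : Type :=
| Ret (r : R)                                     (* finished with result r *)
| Tau (t : itree E R)                             (* silent internal step *)
| Vis (A : Type) (e : E A) (k : A -> itree E R).  (* event e, then continue with its answer *)
Arguments Ret {E R} r.
Arguments Tau {E R} t.
Arguments Vis {E R A} e k.

(* Hypothetical event signature: the type index is the event's answer type. *)
Inductive IO : Type -> Type :=
| Input : IO nat
| Output (n : nat) : IO unit.

(* A nonterminating program: read a number, write it back, repeat. *)
CoFixpoint echo : itree IO unit :=
  Vis Input (fun n => Vis (Output n) (fun _ => Tau echo)).

(* Fuel-bounded handler: answers Input from a list and collects Outputs.
   The fuel keeps the function total even though the tree is infinite. *)
Fixpoint run (fuel : nat) (inputs : list nat) (t : itree IO unit)
  {struct fuel} : list nat :=
  match fuel with
  | O => []
  | S f =>
    match t with
    | Ret _ => []
    | Tau t' => run f inputs t'
    | Vis e k =>
      match e in IO A return (A -> itree IO unit) -> list nat with
      | Input => fun k' =>
          match inputs with
          | [] => []                          (* environment has no more input *)
          | n :: rest => run f rest (k' n)
          end
      | Output n => fun k' => n :: run f inputs (k' tt)
      end k
    end
  end.

(* The event tree is plain data, so its behavior is checked by computation. *)
Example run_echo : run 10 [1; 2] echo = [1; 2].
Proof. reflexivity. Qed.
```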
Highlights
Machine-checked proofs are feasible at scale, for real systems, in a wide variety of domains, including programming language semantics and compilers [Kumar et al 2014; Leroy 2009, etc.], operating systems [Gu et al 2016; Klein et al 2009, etc.], interactive servers [Koh et al 2019, etc.], databases [Malecha et al 2010, etc.], and distributed systems [Hawblitzel et al 2015; Wilcox et al 2015, etc.], among many others.
To showcase the utility of our theory, we prove the termination-sensitive correctness of a compiler from a simple imperative source language to an assembly-like target whose meanings are given in an ITree-based denotational semantics.
These representations have their advantages: they are expressive, since nearly any semantic feature can be modeled by transition systems or traces when combined with appropriate logical predicates; and they fit smoothly with inductive reasoning principles that are well supported by interactive theorem provers.
Summary
Machine-checked proofs are feasible at scale, for real systems, in a wide variety of domains, including programming language semantics and compilers [Kumar et al 2014; Leroy 2009, etc.], operating systems [Gu et al 2016; Klein et al 2009, etc.], interactive servers [Koh et al 2019, etc.], databases [Malecha et al 2010, etc.], and distributed systems [Hawblitzel et al 2015; Wilcox et al 2015, etc.], among many others. ITrees allow us to give denotational semantics for effectful and possibly nonterminating computations in Gallina, the specification language of Coq [2018], despite Gallina’s strong purity and termination constraints. Such “shallow” representations abstract away many syntactic details and reuse metalanguage features such as function composition and substitution rather than defining them again, making this approach inherently more robust to changes than relational “deep” embeddings. Our main contribution is the design and implementation of a library that enables formal modeling and reasoning about interactive, effectful, and potentially nonterminating computations. Though it rests on a rich body of existing theory, our work is the first to simultaneously address four significant challenges.