Dependent types and multi-monadic effects in F*

Published: 11 January 2016

Abstract

We present a new, completely redesigned version of F*, a language that works both as a proof assistant and as a general-purpose, verification-oriented, effectful programming language. In support of these complementary roles, F* is a dependently typed, higher-order, call-by-value language with _primitive_ effects including state, exceptions, divergence and IO. Although the effects are primitive, programmers choose the granularity at which to specify them by equipping each effect with a monadic, predicate-transformer semantics. F* uses this semantics to efficiently compute weakest preconditions and discharges the resulting proof obligations using a combination of SMT solving and manual proofs. Isolated from the effects, the core of F* is a language of pure functions used to write specifications and proof terms; its consistency is maintained by a semantic termination check based on a well-founded order. We evaluate our design on more than 55,000 lines of F* we have authored in the last year, focusing on three main case studies. Showcasing its use as a general-purpose programming language, F* is programmed (but not verified) in F*, and bootstraps in both OCaml and F#. Our experience confirms F*'s pay-as-you-go cost model: writing idiomatic ML-like code with no finer specifications imposes no user burden. As a verification-oriented language, our most significant evaluation of F* is in verifying several key modules in an implementation of the TLS-1.2 protocol standard. For the modules we considered, we are able to prove more properties, with fewer annotations, using F* than in a prior verified implementation of TLS-1.2. Finally, as a proof assistant, we discuss our use of F* in mechanizing the metatheory of a range of lambda calculi, from the simply typed lambda calculus to System F-omega and even micro-F*, a sizeable fragment of F* itself. These proofs make essential use of F*'s flexible combination of SMT automation and constructive proofs, enabling a tactic-free style of programming and proving at a relatively large scale.


Published in

ACM SIGPLAN Notices, Volume 51, Issue 1 (POPL '16), January 2016, 815 pages. ISSN: 0362-1340, EISSN: 1558-1160, DOI: 10.1145/2914770. Editor: Andy Gill.

POPL '16: Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, January 2016, 815 pages. ISBN: 9781450335492, DOI: 10.1145/2837614.

Copyright © 2016 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.