Abstract
We propose the first framework for defining relational program logics for arbitrary monadic effects. The framework is embedded within a relational dependent type theory and is highly expressive. At the semantic level, we provide an algebraic presentation of relational specifications as a class of relative monads, and link computations and specifications by introducing relational effect observations, which map pairs of monadic computations to relational specifications in a way that respects the algebraic structure. For an arbitrary relational effect observation, we generically define the core of a sound relational program logic, and explain how to complete it to a full-fledged logic for the monadic effect at hand. We show that this generic framework can be used to define relational program logics for effects as diverse as state, input-output, nondeterminism, and discrete probabilities. Moreover, we show that by instantiating our framework with state and unbounded iteration we can embed a variant of Benton's Relational Hoare Logic, and also sketch how to reconstruct Relational Hoare Type Theory. Finally, we identify and overcome conceptual challenges that prevented previous relational program logics from properly dealing with control effects, and are the first to provide a relational program logic for exceptions.
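The abstract's central device is the relational effect observation: a map from a pair of monadic computations to a relational specification, from which a sound relational judgement is derived generically. The following Python model is an added illustration, not the paper's own development; it assumes a state monad over dictionary stores, reads relational specifications as predicate transformers over pairs of states, and decides the resulting relational Hoare triples by enumeration over a small constructed state space, which stands in for the logical entailment the logic would prove.

```python
from itertools import product

# State monad: a computation is state -> (result, state); states are dicts (constructed).
def ret(v):
    return lambda s: (v, s)

def bind(m, k):
    def run(s):
        v, s1 = m(s)
        return k(v)(s1)
    return run

def get(var):
    return lambda s: (s[var], s)

def put(var, v):
    def run(s):
        s2 = dict(s)
        s2[var] = v
        return (None, s2)
    return run

# Relational effect observation (assumed modelling choice): a pair of state
# computations is mapped to a relational predicate transformer, i.e. a backward
# reading of a relational weakest precondition. Given a postcondition on
# (v1, s1', v2, s2') it yields the precondition on the initial pair (s1, s2)
# under which the two runs jointly satisfy it.
def theta(c1, c2):
    def transformer(post):
        def pre(s1, s2):
            v1, s1p = c1(s1)
            v2, s2p = c2(s2)
            return post(v1, s1p, v2, s2p)
        return pre
    return transformer

# A relational Hoare triple {pre} c1 ~ c2 {post} holds when pre implies
# theta(c1, c2)(post); over a finite state space this is checked by enumeration.
def valid(pre, c1, c2, post, states):
    wp = theta(c1, c2)(post)
    return all(wp(s1, s2) for s1, s2 in product(states, repeat=2) if pre(s1, s2))

# Constructed example: two-variable stores with a public 'l' and a secret 'h'.
STATES = [{"l": l, "h": h} for l in (0, 1) for h in (0, 1)]

def low_eq(s1, s2):                       # relational precondition
    return s1["l"] == s2["l"]

def low_eq_after(v1, s1, v2, s2):         # relational postcondition
    return s1["l"] == s2["l"]

def noninterferent(c):
    """Noninterference as a relational triple of c against itself."""
    return valid(low_eq, c, c, low_eq_after, STATES)

def equivalent(c1, c2):
    """Program equivalence: equal initial states give equal results and states."""
    return valid(lambda s1, s2: s1 == s2, c1, c2,
                 lambda v1, s1, v2, s2: v1 == v2 and s1 == s2, STATES)

SAFE = bind(get("l"), lambda l: put("l", 1 - l))          # flips the public bit
LEAK = bind(get("h"), lambda h: put("l", h))              # copies the secret out
SAFE2 = bind(get("l"), lambda l: put("l", (l + 1) % 2))   # same behaviour as SAFE
```

The same `theta` serves both relational properties the abstract names as applications: information-flow noninterference (`SAFE` passes, `LEAK` fails) and program equivalence (`SAFE` and `SAFE2` agree on every store).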
The next 700 relational program logics