Dependent types and multi-monadic effects in F∗

Nikhil Swamy; CǍtǍlin Hritçu; Chantal Keller; Aseem Rastogi; Antoine Delignat-Lavaud; Simon Forest; Karthikeyan Bhargavan; Cédric Fournet; Pierre Yves Strub; Markulf Kohlweiss; Jean Karim Zinzindohoue; Santiago Zanella-Béguelin

doi:10.1145/2837614.2837655

Dependent types and multi-monadic effects in F∗

Nikhil Swamy
, CǍtǍlin Hritçu
, Chantal Keller
, Aseem Rastogi
, Antoine Delignat-Lavaud
, Simon Forest
, Karthikeyan Bhargavan
, Cédric Fournet
, Pierre Yves Strub
, Markulf Kohlweiss
, Jean Karim Zinzindohoue
, Santiago Zanella-Béguelin

Microsoft Research
INRIA Institut National de Recherche en Informatique et en Automatique
MSR-INRIA
UMD
PSL research University & IPSL
IMDEA Software Institute

Research output: Contribution to journal › Article › peer-review

Abstract

We present a new, completely redesigned, version of F∗, a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language. In support of these complementary roles, F? is a dependently typed, higher-order, call-by-value language with primitive effects including state, exceptions, divergence and IO. Although primitive, programmers choose the granularity at which to specify effects by equipping each effect with a monadic, predicate transformer semantics. F∗ uses this to efficiently compute weakest preconditions and discharges the resulting proof obligations using a combination of SMT solving and manual proofs. Isolated from the effects, the core of F∗ is a language of pure functions used to write specifications and proof terms-its consistency is maintained by a semantic termination check based on a well-founded order. We evaluate our design on more than 55,000 lines of F∗ we have authored in the last year, focusing on three main case studies. Showcasing its use as a general-purpose programming language, F∗ is programmed (but not verified) in F∗, and bootstraps in both OCaml and F#. Our experience confirms F∗'s pay-As-you-go cost model: writing idiomatic ML-like code with no finer specifications imposes no user burden. As a verification-oriented language, our most significant evaluation of F∗ is in verifying several key modules in an implementation of the TLS-1.2 protocol standard. For the modules we considered, we are able to prove more properties, with fewer annotations using F∗ than in a prior verified implementation of TLS-1.2. Finally, as a proof assistant, we discuss our use of F∗ in mechanizing the metatheory of a range of lambda calculi, starting from the simply typed lambda calculus to System Fw and even μF∗, a sizeable fragment of F∗ itself-these proofs make essential use of F∗'s flexible combination of SMT automation and constructive proofs, enabling a tactic-free style of programming and proving at a relatively large scale.

Original language	English
Pages (from-to)	256-270
Number of pages	15
Journal	ACM SIGPLAN Notices
Volume	51
Issue number	1
DOIs	https://doi.org/10.1145/2837614.2837655
Publication status	Published - 8 Apr 2016
Externally published	Yes

Keywords

Effectful programming
Proof assistants
Verification

Access to Document

10.1145/2837614.2837655

Cite this

@article{df43ab627926414eb78e00cdc6eb7baf,

title = "Dependent types and multi-monadic effects in F∗",

abstract = "We present a new, completely redesigned, version of F∗, a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language. In support of these complementary roles, F? is a dependently typed, higher-order, call-by-value language with primitive effects including state, exceptions, divergence and IO. Although primitive, programmers choose the granularity at which to specify effects by equipping each effect with a monadic, predicate transformer semantics. F∗ uses this to efficiently compute weakest preconditions and discharges the resulting proof obligations using a combination of SMT solving and manual proofs. Isolated from the effects, the core of F∗ is a language of pure functions used to write specifications and proof terms-its consistency is maintained by a semantic termination check based on a well-founded order. We evaluate our design on more than 55,000 lines of F∗ we have authored in the last year, focusing on three main case studies. Showcasing its use as a general-purpose programming language, F∗ is programmed (but not verified) in F∗, and bootstraps in both OCaml and F\#. Our experience confirms F∗'s pay-As-you-go cost model: writing idiomatic ML-like code with no finer specifications imposes no user burden. As a verification-oriented language, our most significant evaluation of F∗ is in verifying several key modules in an implementation of the TLS-1.2 protocol standard. For the modules we considered, we are able to prove more properties, with fewer annotations using F∗ than in a prior verified implementation of TLS-1.2. Finally, as a proof assistant, we discuss our use of F∗ in mechanizing the metatheory of a range of lambda calculi, starting from the simply typed lambda calculus to System Fw and even μF∗, a sizeable fragment of F∗ itself-these proofs make essential use of F∗'s flexible combination of SMT automation and constructive proofs, enabling a tactic-free style of programming and proving at a relatively large scale.",

keywords = "Effectful programming, Proof assistants, Verification",

author = "Nikhil Swamy and CǍtǍlin Hrit{\c c}u and Chantal Keller and Aseem Rastogi and Antoine Delignat-Lavaud and Simon Forest and Karthikeyan Bhargavan and C{\'e}dric Fournet and Strub, \{Pierre Yves\} and Markulf Kohlweiss and Zinzindohoue, \{Jean Karim\} and Santiago Zanella-B{\'e}guelin",

note = "Publisher Copyright: Copyright is held by the owner/author(s).",

year = "2016",

month = apr,

day = "8",

doi = "10.1145/2837614.2837655",

language = "English",

volume = "51",

pages = "256--270",

journal = "ACM SIGPLAN Notices",

issn = "1523-2867",

number = "1",

}

TY - JOUR

T1 - Dependent types and multi-monadic effects in F∗

AU - Swamy, Nikhil

AU - Hritçu, CǍtǍlin

AU - Keller, Chantal

AU - Rastogi, Aseem

AU - Delignat-Lavaud, Antoine

AU - Forest, Simon

AU - Bhargavan, Karthikeyan

AU - Fournet, Cédric

AU - Strub, Pierre Yves

AU - Kohlweiss, Markulf

AU - Zinzindohoue, Jean Karim

AU - Zanella-Béguelin, Santiago

N1 - Publisher Copyright: Copyright is held by the owner/author(s).

PY - 2016/4/8

Y1 - 2016/4/8

N2 - We present a new, completely redesigned, version of F∗, a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language. In support of these complementary roles, F? is a dependently typed, higher-order, call-by-value language with primitive effects including state, exceptions, divergence and IO. Although primitive, programmers choose the granularity at which to specify effects by equipping each effect with a monadic, predicate transformer semantics. F∗ uses this to efficiently compute weakest preconditions and discharges the resulting proof obligations using a combination of SMT solving and manual proofs. Isolated from the effects, the core of F∗ is a language of pure functions used to write specifications and proof terms-its consistency is maintained by a semantic termination check based on a well-founded order. We evaluate our design on more than 55,000 lines of F∗ we have authored in the last year, focusing on three main case studies. Showcasing its use as a general-purpose programming language, F∗ is programmed (but not verified) in F∗, and bootstraps in both OCaml and F#. Our experience confirms F∗'s pay-As-you-go cost model: writing idiomatic ML-like code with no finer specifications imposes no user burden. As a verification-oriented language, our most significant evaluation of F∗ is in verifying several key modules in an implementation of the TLS-1.2 protocol standard. For the modules we considered, we are able to prove more properties, with fewer annotations using F∗ than in a prior verified implementation of TLS-1.2. Finally, as a proof assistant, we discuss our use of F∗ in mechanizing the metatheory of a range of lambda calculi, starting from the simply typed lambda calculus to System Fw and even μF∗, a sizeable fragment of F∗ itself-these proofs make essential use of F∗'s flexible combination of SMT automation and constructive proofs, enabling a tactic-free style of programming and proving at a relatively large scale.

AB - We present a new, completely redesigned, version of F∗, a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language. In support of these complementary roles, F? is a dependently typed, higher-order, call-by-value language with primitive effects including state, exceptions, divergence and IO. Although primitive, programmers choose the granularity at which to specify effects by equipping each effect with a monadic, predicate transformer semantics. F∗ uses this to efficiently compute weakest preconditions and discharges the resulting proof obligations using a combination of SMT solving and manual proofs. Isolated from the effects, the core of F∗ is a language of pure functions used to write specifications and proof terms-its consistency is maintained by a semantic termination check based on a well-founded order. We evaluate our design on more than 55,000 lines of F∗ we have authored in the last year, focusing on three main case studies. Showcasing its use as a general-purpose programming language, F∗ is programmed (but not verified) in F∗, and bootstraps in both OCaml and F#. Our experience confirms F∗'s pay-As-you-go cost model: writing idiomatic ML-like code with no finer specifications imposes no user burden. As a verification-oriented language, our most significant evaluation of F∗ is in verifying several key modules in an implementation of the TLS-1.2 protocol standard. For the modules we considered, we are able to prove more properties, with fewer annotations using F∗ than in a prior verified implementation of TLS-1.2. Finally, as a proof assistant, we discuss our use of F∗ in mechanizing the metatheory of a range of lambda calculi, starting from the simply typed lambda calculus to System Fw and even μF∗, a sizeable fragment of F∗ itself-these proofs make essential use of F∗'s flexible combination of SMT automation and constructive proofs, enabling a tactic-free style of programming and proving at a relatively large scale.

KW - Effectful programming

KW - Proof assistants

KW - Verification

UR - https://www.scopus.com/pages/publications/84965057562

U2 - 10.1145/2837614.2837655

DO - 10.1145/2837614.2837655

M3 - Article

AN - SCOPUS:84965057562

SN - 1523-2867

VL - 51

SP - 256

EP - 270

JO - ACM SIGPLAN Notices

JF - ACM SIGPLAN Notices

IS - 1

ER -

Dependent types and multi-monadic effects in F∗

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this