Zulip Chat Archive
Stream: Program verification
Topic: Verification of functions using mutability (STRef)
Francisco Giordano (Dec 12 2023 at 17:05):
Sorry for the broad question but I am wondering if in general functions using mutability such as STRefs in Lean are amenable to verification, so if it is possible to prove theorems about those functions in Lean. Interested in any thoughts about this.
Jannis Limperg (Dec 12 2023 at 17:26):
As it stands, no. Lean would need to provide a semantics for IO actions, which are currently completely opaque (i.e. you can't prove anything about them). In principle, sure, such a semantics could be provided.
Shreyas Srinivas (Dec 12 2023 at 17:27):
To what degree is this an open question?
Jannis Limperg (Dec 12 2023 at 17:29):
Don't know. I imagine someone must have experimented with stuff like this though.
Mario Carneiro (Dec 12 2023 at 18:06):
Here's a relevant quote from me on the matter:
By the way (on the subject of "This conflicts with my belief that monadic code should also be able to be proven correct"), I have a strong suspicion that
STis inconsistent, or at leastSTaugmented with reasonable axioms for how references behave, although I have not been able to prove it. (The short version is thatST ω Unitis an impossibly big type, since it seems to hold the state of an arbitrary number of references in arbitrarily large types, includingST ω Unititself.)
Mario Carneiro (Dec 12 2023 at 18:09):
Continued in a PM with @Joe Hendrix (I think there is nothing in here which can't be reprinted):
Mario Carneiro: The
STmonad lets you create new references withST.mkRef, and these references can store values of any typeMario Carneiro: and the current state of all references is conceptually "stored in" the monad state
Mario Carneiro: This is in stark contrast to
StateT, which has space for exactly one "reference", and the type of this reference is part of the monad itselfJoe Hendrix: Oh, I interpreted that as meaning types in bigger universes. It does seem tricky to formalize.
Mario Carneiro: Well the fact that it's any type in the same universe is already bad
Mario Carneiro: If
STlived one universe up it would be fineMario Carneiro: but you can create
ST.Refscontaining the whole monad state, this is a short trip to cantor's paradoxMario Carneiro:
STwas originally designed for haskell, which uses System F as it's underlying theory, and there the whole thing with quantifying over types as a means of abstraction works marvelously. But in lean we can't do this because it's basicallyType : Type, and in the context of a universe hierarchy it is deeply suspicious that ST doesn't involve a universe bump
Joe Hendrix (Dec 12 2023 at 18:13):
Thanks Mario. Monadic verification is something I plan to work on in 2024. Lean should support Hoare triples on monadic computations. There's some existing work in Std due to @Mario Carneiro.
Due to the above foundational issues, I think we may not be able to reason about IO, but rather some subset that includes no references or constrained references.
Shreyas Srinivas (Dec 12 2023 at 18:41):
Are there literature references you would recommend to someone who wishes to work on this problem. For reference I am currently taking a graduate semantics course which covers basic stuff upto system F and then switches to separation logic (iris) in the second half.
Joe Hendrix (Dec 12 2023 at 18:54):
I haven't looked closely myself. Relational Hoare triples is a topic that comes up in this context, and this was one of the first results when searching for papers on the topic.
Francisco Giordano (Dec 16 2023 at 19:36):
Mario Carneiro said:
a strong suspicion that
STis inconsistent, or at leastSTaugmented with reasonable axioms for how references behave
I'd be interested in seeing a draft of what these axioms could be
Last updated: Dec 20 2023 at 11:08 UTC