feat(Control/Monad): Weakest preconditions and mcvgen for free monads#604
Open
tannerduve wants to merge 6 commits into
Open
feat(Control/Monad): Weakest preconditions and mcvgen for free monads#604tannerduve wants to merge 6 commits into
tannerduve wants to merge 6 commits into
Conversation
tannerduve
force-pushed
the
feat/free-logic
branch
2 times, most recently
from
d3d44c8 to
d3b6959
Compare
eric-wieser
reviewed
May 28, 2026
tannerduve
force-pushed
the
feat/free-logic
branch
from
d3b6959 to
a00790f
Compare
eric-wieser
reviewed
May 28, 2026
tannerduve
force-pushed
the
feat/free-logic
branch
from
a00790f to
07774bb
Compare
eric-wieser
reviewed
May 28, 2026
eric-wieser
reviewed
May 28, 2026
eric-wieser
reviewed
May 28, 2026
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
Add `Cslib.Foundations.Control.Monad.Free.WP`: a weakest-precondition framework for `FreeM`-based effectful programs via Std.Do's predicate-transformer monad `PredTrans ps`. A logical effect handler `LHandler F ps` lifts through the universal property of `FreeM` to a unique monad morphism `wpH H : FreeM F → PredTrans ps`. Structural rules (`wpH_pure`, `wpH_lift`, `wpH_bind`) follow from `liftM` being a monad morphism, and the adequacy theorem `wpH_ofInterp_eq_wp_liftM` identifies WP-via-handler with Std.Do's WP of the `liftM` interpretation. Handlers and @[spec] lemmas for the existing `StateF` and `ReaderF` effects let `mvcgen` step through `FreeState`/`FreeReader` programs. `CslibTests/FreeMonadWP` demonstrates: `FreeState` triples, a custom counter effect, `FailF` and `DemonicF` effect signatures with logical handlers, sum composition via `LHandler.sum`, and multi-effect triples discharged by `mvcgen`. Follows Vistrup–Sammler–Jung, *Program Logics à la Carte* (POPL 2025), adapted from coinductive ITrees to inductive `FreeM` and from Iris to Std.Do.
Address review feedback: - inline `wpH`, the `LHandler` abbrev/namespace, and `LHandler.ofInterp`; handlers are now plain `F ι → PredTrans ps ι` functions - rename the `HasHandler` class to `FreeM.WP` - restate the adequacy lemma directly on `liftM` as `liftM_wp_eq_wp_liftM`
tannerduve
force-pushed
the
feat/free-logic
branch
from
25f5d80 to
1d58236
Compare
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
eric-wieser
reviewed
Jun 15, 2026
…, naming - Make FreeM.WP a protected class so bare `WP` resolves to Std.Do.WP; rename instances to WP.toDoWP / anonymous WPMonad instance. - Add `wp_lift` and the adequacy lemma `ensures_liftM_of_wp`; reframe `liftM_wp_eq_wp_liftM` as the coherence/uniqueness lemma it is. - Inline StateF/ReaderF logical handlers into their WP instances. - Rename `wp_FreeState_eq_wp_toStateM` / `wp_FreeReader_eq_wp_toReaderM` to lowerCamel `wp_freeState_*` / `wp_freeReader_*`. - Use pattern-matching lambdas for FailF/DemonicF handlers in tests. - Add VistrupSammlerJung2025 to references.bib.
eric-wieser
reviewed
Jun 16, 2026
eric-wieser
reviewed
Jun 16, 2026
eric-wieser
reviewed
Jun 16, 2026
Collaborator
|
Please update the PR description to reflect what's currently here. |
eric-wieser
reviewed
Jun 18, 2026
eric-wieser
reviewed
Jun 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds
Cslib/Foundations/Control/Monad/Free/WP.lean, which givesFreeMprograms aStd.Do.WPinterpretation by lifting logical handlers into the predicate-transformer monadPredTrans.A logical handler
{ι : Type u} → F ι → PredTrans ps ιassigns each operation of the effect signatureFaPredTrans psspecification. SincePredTrans psis a monad andFreeMis free,FreeM.liftMextends such a handler to a monad morphismFreeM F → PredTrans ps; this is the weakest precondition and is compositional wrt the monadic structure.A
FreeM.WP F pstypeclass selects a default handler forFand inducesWP (FreeM F) psandWPMonad (FreeM F) psinstances, so thatStd.Do.Tripleandmvcgenapply toFreeM Fprograms. The main coherence lemma isFreeM.liftM_wp_eq_wp_liftM, andFreeM.wp_liftexposes the one-operation case.Handlers are provided for cslib's existing
FreeStateandFreeReader, along with@[spec]lemmasSpec.get_FreeState,Spec.set_FreeState, andSpec.read_FreeReaderthat letmvcgenstep through state and reader programs.CslibTests/FreeMonadWP.leancontains exampleTriples discharged bymvcgen, covering the supplied state and reader handlers, custom effects, combined effects, and demonic choice.The design follows Vistrup, Sammler, Jung, Program Logics à la Carte (POPL 2025), which uses coinductive free monads (ITrees) and Iris separation logic. Here we use inductive free monads and
Std.Doprogram logic.