Generic Hoare Logic for Order-Enriched Effects with Exceptions

. In programming semantics, monads are used to provide a generic encapsulation of side-eﬀects. We introduce a monad-based meta-language that extends Moggi’s computational metalanguage with native exceptions and iteration, interpreted over monads supporting a dcpo structure. We present a Hoare calculus with abnormal postconditions for this metalanguage and prove relative completeness using weakest liberal preconditions, extending earlier work on the exception-free case.


Introduction
The use of monads as a means of modelling side-effecting computations [10] is well-established in the design and semantics of programming languages. A broad range of computational effects is subsumed under this paradigm, e.g. store, non-determinism, exceptions, probabilities, and alternation.
In addition to just modelling side-effects, a matter of interest is how to reason generically about properties of side-effecting programs, one of the most important properties being functional correctness. Goncharov and Schröder [7] have developed a monad-based generic Hoare calculus, and proved relative completeness using weakest liberal preconditions. More precisely the calculus is parametrized by the choice of a predicated monad, i.e. a monad that supports iteration via a suitable dcpo enrichment of its Kleisli category (the associated category of side-effecting functions), and is moreover equipped with a suitable submonad of innocent computations for use in assertions. In fact, the object of truth values is generated from a predicated monad as the type of innocent computations of unit type (pre-and postconditions thus become affirmative assertions in the sense of Vickers [20], e.g. semi-decidable).
Exception monads T E X = T (X + E) (with E an object of exceptions and T a predicated base monad) are, in fact, predicated but include an operation that does not fit into the required scheme for basic operations, namely exception catching catch : T A → T (A + E). The framework covers only operations that are algebraic [15], which catch is not. We therefore extend the generic Hoare calculus with explicit support for exception handling via abnormal postconditions [9], which govern the behaviour of a computation for the case where it terminates with an exception. The calculus thus allows, e.g., for a meaningful specification of exception raising, for which the normal postcondition is just ⊥. Our main result is that the calculus is, again, relatively complete; we prove this by means of a weakest liberal precondition calculus featuring abnormal postconditions.
Related Work. Schröder and Mossakowski [18] present a monad-based Hoare calculus with abnormal postconditions, interpreted over a program semantics where the base category of the monad, rather than only the Kleisli category, is enriched over a suitable category of domains; our setting thus allows for more instances, e.g. involving monads on the category of sets. Moreover the semantics of the Hoare logic of [18] differs from ours in that the object of truth values is assumed in the base category rather than extracted from the monad as in our setting. The calculus of [18] is proved sound but a relative completeness proof is currently missing. Relative completeness proofs in most general formula style have been given for specific effect combinations found in concrete programming languages with exceptions, namely fragments of Java [13,16] and Eiffel [12]. Our approach to generic weakest preconditions essentially follows our previous work on the exception-free case [7]. In work subsequent to [7], Hasuo [8] provides an alternative categorical analysis of monad-based weakest preconditions, notably relying on similar assumptions to ensure well-behavedness of weakest preconditions (see Remark 11 for a detailed comparison). In this setup, no syntactic Hoare calculus, and a fortiori no relative completeness result, is provided.

Preliminaries: Monads and Exceptions
A monad T over a category C with class |C| of objects can be described as a Kleisli triple (T, η, -- * ) in which T is an endomap over |C| (we adopt the general convention to use blackboard characters for monads and the corresponding Roman letters for their functorial parts), η -the unit of the monad -is a family of morphisms (η X : X → T X) X∈|C| and -- * -the Kleisli lifting -is a map sending each f : X → T Y to f * : T X → T Y so that the monad laws are satisfied: This is equivalent to the standard definition of a monad in terms of a functor T with unit and multiplication; in particular, T f = (ηf ) * for morphisms f . One may think of T X as being a type of side-effecting computations delivering results in X; examples include non-termination (T X = X + 1), non-determinism (T X = PX), statefulness (e.g. the partial state monad is given by T X = S (S × X) for an object S of states, where takes partial function spaces), and exceptions (T X = X + E for an object E of exceptions).
Furthermore, a strong monad is a monad T together with a family of morphisms τ : X × T Y → T (X × Y ) natural in both X and Y satisfying a set of coherence axioms (cf. e.g. [11]). As originally noted by Moggi, strong monads support a computational metalanguage [11], incorporated into Haskell as the donotation [21]: it features an operator ret, denoting the unit η, and the do-binder, which from f : X → T Y and g : X × Y → T Z builds do y ← f (x); g(x, y), in which y is syntactically bound and whose meaning is g • τ • id, f : X → T Z. For a term p in the computational metalanguage, FV (p) denotes the set of free variables of p. The monad laws (1) can be rewritten in this style, and then form part of a complete axiomatization: A monad T defines the Kleisli category C T of T, whose objects are those of C and Hom C T (A, B) = Hom C (A, T B) with composition defined using the Kleisli lifting of T; that is, morphisms X → Y in C T may be thought of side-effecting functions X → Y , with side-effects specified by T .
We fix from now on an object E of exceptions and a base monad T on a category C which is distributive, i.e. the canonical distributivity morphism is an isomorphism, with inverse called dist, and which has Kleisli exponentials [19,15], i.e. exponentials [2] of the form T Z Y . The latter condition means that there is a natural isomorphism λ : Hom C (X×Y, T Z) ∼ = Hom C (X, T Z Y ). We furthermore denote pairing and copairing morphisms by angle and square brackets, respectively.
The well-known exception monad transformer [4] adds exceptions as an effect to a given monad: the functor is turned into a strong monad T E , called an exception monad, by putting That is, a computation in T E performs a side effect specified by T and then either terminates normally or with an exception. The definition of binding in T E means that in the latter case, subsequent statements have no further effects (e.g. in case T features statefulness, the state is frozen) other than propagating the exception. On T E , we have operations for raising and catching exceptions (i.e. exposing exceptions raised by a program in the output type),

Order-Enrichment and Innocence
As indicated in the introduction, we require a certain amount of infrastructure in the base monad T to support, on the one hand, loops, and on the other hand, an internalized assertion language. To this end, we require a complete partial order on programs, i.e. Kleisli morphisms, of a given type A → T B. We will then use certain well-behaved programs as logical assertions. Formal definitions are as follows [7].

Definition 1 (Order-enriched monad). The monad T is order-enriched if
every hom-set Hom C (A, T B) carries a bounded-complete and directedcomplete partial ordering (i.e. joins exist for finite bounded subsets and for directed subsets, and consequently for all bounded subsets), for any h ∈ Hom C (A , A) and any u ∈ Hom C (B, T B ), the maps preserve all existing joins (including the empty join ⊥), -Kleisli star is Scott-continuous.
The ordering is to be thought of as the usual information ordering; in particular, non-termination is below termination. Note that we do not include continuity of copairing in the above definition; in fact this follows from preservation of joins (Lemma 6).
We identify a class of innocent computations suitable for use within assertions of the Hoare logic. Intuitively, such a computation may read but should not modify the state, as required already in earlier work on monad-based program logics [17]. Instead of assuming a type of truth values in the base category, we will identify truth with termination, so that truth values are just innocent computations of unit type. Formally, the conditions for innocence are as follows [7].
for all p, q, and fresh x, y, in the computational metalanguage (Section 2). An order-enriched monad is innocent if it is commutative and satisfies copyability do x ← p; y ← p; ret x, y = do x ← p; ret x, x (for all p and fresh x, y) and weak discardability Notice that the notion of weak discardability uses the ordering of the monad. It allows for non-termination; e.g. if p = ⊥ is the everywhere diverging program, then the left hand side of (2) is also ⊥ so that the inequality is satisfied. (Contrastingly, previous approaches [17] used discardability do x ← p; ret = ret , which implies termination.) On the other hand, weakly discardable computations cannot raise exceptions, as these fail to be below ret . Intuitively, the only side-effects an innocent computation may exhibit are possible non-termination and read operations on implicit states encapsulated in the base monad.
A key property of innocent monads P is that they support a logic on the base category, which we will later use as the underlying logic of the assertions of our Hoare calculus. Specifically, P 1 is a distributive lattice object in C, i.e. Hom(--, P 1) factors through distributive lattices, in fact even through frames [7], which are complete lattices in which finite meets distribute over all joins (with morphisms preserving finite meets and all joins). Consequently, P 1 supports a form of geometric logic [20]. Notably, finite meets in P 1 are given by sequential composition. In case C = Set, P 1 is in fact a Heyting algebra, and thus supports full intuitionistic logic.
Computationally relevant monads, e.g. stateful ones, often fail to be innocent but will typically contain a useful innocent submonad. Formally: Definition 3 (Predicated monad). A predicated monad (T, P) consists of an order-enriched monad T and an innocent order-enriched submonad P of T whose inclusion into T is Scott-continuous.

Example 4.
In the nondeterministic state monad T X = S → P(S × X), a program is weakly discardable iff it (possibly reads but) does not change the state. Such a program is copyable iff it is deterministic; all copyable and weakly discardable programs in T commute. We thus obtain an innocent submonad P of T given by P X = S X, the partial reader monad. Taking T to be either the partial state monad (Section 2) or the nondeterministic state monad and P the partial reader monad, we thus thus obtain a predicated monad (T, P).
Lemma 5. Let (T, P) be a predicated monad. Then the exception monad T E is also order-enriched, and (T E , P) is a predicated monad.
From now on, we fix a predicated monad (T, P).

A Computational Metalanguage
We proceed to define the syntax of a monad-based metalanguage that extends Moggi's computational metalanguage (Section 2) with native support for iteration and innocence. We introduce a system of value types A and computation types C by the grammar with W ranging over a set W of basic types (denoting objects of C). While the type constructor T E represents side-effecting computations possibly raising exceptions in E, the type constructor P represents innocent computations. The type Ω of truth values is just a synonym for P 1. Additionally, we fix a signature Σ of typed function symbols f : The term language is defined by means of the set of typing rules for terms in context shown in Figure 1; contexts Γ consist of assignments x : A of value types A to variables x. We have the usual term formation rules for products, coproducts, sequential composition of computations, application of functions from the signature Σ, and most notably for exception raising and handling. Additionally, we incorporate rules for innocent computations saying essentially that P is a submonad of T E , i.e. closed under unit and binding, and each P A has a least element ⊥ (⊥ could of course be defined as a nonterminating loop but for our purposes it is technically more convenient to make it a first-class citizen). Our loop construct is tuned to sum types: initializes the loop variable x with the result of p and then proceeds to execute q repeatedly, binding the result to x, as long as c : B + C remains in the left hand summand. Once c ends up in the right hand summand, the loop terminates and r is executed once, with the result bound to x. Note that the construct at hand allows passing values through the loop; boolean loop conditions as in standard while loops arise as special cases of our sum-type-based loop conditions, as the type 2 of Booleans is the sum type 1 + 1. In addition to the metalanguage of programs, we can now use the fact that P 1 = Ω serves as an object of truth values in geometric logic to develop rules for an assertion language. These rules, given in Figure 2 and understood as extending those of Figure 1, are identical to those for the exception-free case [7], essentially because innocent computations do not raise exceptions. The logic combines a very restricted set of propositional connectives with least and greatest fixpoint constructors over dedicated predicate variables. It is designed to accommodate weakest preconditions, i.e. is strong enough to guarantee relative completeness of the Hoare calculus.

Semantics
The types C of our metalanguage are interpreted over the predicated (exception) monad (T E , P) as C-objects C in the expected way, given an assignment of C-objects W to basic types W , with + and × interpreted as categorical sum and product, P and T E as the corresponding object maps of T E and P, 1 as the terminal object, and A → Ω as the Kleisli exponential ( P 1 ) A . As usual, contexts are then interpreted as the product of the interpretations of the types of their variables, and a term in context Γ p : C as a morphism Γ → C . The term constructors for product and sum types are interpreted using the structure of C as a distributive category in the usual way, and the interpretation of the term constructors for the monadic structure (ret and do) is as in the computational metalanguage [11], instantiated for the exception monad T E , respectively its submonad P for innocent computations; Γ ⊥ : P A is interpreted as the bottom element of Hom( Γ , P A ). The operations catch and raise are interpreted as the corresponding morphisms for T E (Section 2); e.g. Γ catch p : The interpretation of our coproduct-based loop construct itcase follows the treatment of a previous Boolean loop construct [7]. Let ? : A + B → P A be the operator defined by c? = case c of inl y → ret y; inr z → ⊥, and let c →c denote the symmetry isomorphism A + B → B + A, i.e. c = case c of inl y → inr y; inr z → inl z for c : A + B. We adopt the convention to write c? instead of (do c?; ret ) whenever the return type P 1 is expected. Consequently, case is Scott-continuous in both program arguments. By Kleene's fixpoint theorem, we can thus define an interpretation for the special case init x ← ret x itercase c of inl y → q; inr z → r as the least fixed point of the map f → case c of inl y → (do x ← q; f ); inr z → r .
The full itcase construct is then interpreted as Semantics of assertions. Contexts Γ for assertions may contain propositional variables X : A → Ω, giving rise to factors ( P 1 ) A in the interpretation of Γ . Assertions Γ φ : Ω are then interpreted as morphisms Γ → P 1 . Logical conjunction and disjunction are interpreted as meets and joins in Ω = P 1, respectively (which exist because P 1 is a distributive lattice object). For lambda abstraction and evaluation of predicates, we inductively define where is the usual evaluation morphism. Fixpoints Γ ηX. φ with η ∈ {µ, ν} are interpreted using the fact that the hom-sets Hom( Γ × A , Ω ) are complete lattices. In detail, the interpretation of Γ, X : A → Ω φ : Ω is a morphism g : We then take Γ ηX. φ to be ληF ; the required fixpoints exist by the Knaster-Tarski theorem as all assertions are monotone in their variables.

Hoare Calculus
In the exception-free case, a semantics of Hoare triples over order-enriched monads [7] is defined by taking {φ} x ← p {ψ} (with p : T E A and assertions φ, ψ, where ψ may depend on x : A) to abbreviate the equation As indicated previously, this setup is insufficient for the verification of exception-raising programs; e.g. nothing useful can be said about raise beyond { } raise e {⊥}. We thus need an additional postcondition for abnormal termination [9,18]: Intuitively, a Hoare quadruple We write T, P {φ} x ← p {ψ | ε} if the above equality holds in (T, P) (under the given interpretation of the basic programs, elided in the notation). The inference rules for our calculus are shown in Figure 3. The inequalities in (wk) refer to the notion of validity introduced above (Definition 7); inequality ε ε of abnormal postconditions is understood pointwise. We assume a set ∆ of valid axioms for basic programs, and then write ∆ P {φ} x ← p {ψ | ε} if a Hoare quadruple {φ} x ← p {ψ | ε} is derivable from axioms in ∆ and inequalities of assertions valid over P.
The rules (basic), (ret), (do) and (wk) are derived straightforwardly from the rules for the exception-free case [7]; rule (⊥) is clear. We spend some time on discussing the remaining new rules: Rules for exceptions are taken from [18]. The (raise) rule is self-explanatory. The (catch) rule is based on the fact that catch p : T E (A + E) renormalizes the computation p and returns an exception possibly raised by p in the right-hand summand of the normal result.
Case rule. The precondition of a case statement is a disjunction of the preconditions for the two alternatives, with access to the value of the branching condition c within the two summands provided by the c? construct introduced in Section 5. Soundness of the rule is proved by Lemma 6.
Iterated case rule. The full itcase construction, as defined in (3), is actually a sequential composition of two programs. For simplicity, we treat only the special case p = ret x in the Hoare calculus, which we abbreviate as itercase c of inl a → q; inr b → r := init x ← ret x itercase c of inl a → q; inr b → r.
In contrast to the case of while loops [7], we cannot expect that after the loop, the value of the test term c contains a right injection, as c could be affected by the program r, which is executed after the loop terminates. The intuition behind the formulation of the (itcase) rule is the following: The assertion ψ plays the role of the loop invariant. In every iteration, the loop body q, which depends on a, is executed with the value of a extracted from c, and possibly changes the value of c. As a postcondition of q, we thus require that either the loop continues and the invariant ψ still holds for the next iteration, i.e. do a ← c?; ψ holds, or the loop terminates and the precondition of r holds, with b replaced by the value contained in c. As the loop terminates with an execution of r, the postcondition of the loop obtained in the conclusion of the rule is then just that of r. Theorem 8 (Soundness). The Hoare calculus for order-enriched effects with exceptions is sound, i.e.
The main idea in Cook's original proof of relative completeness of ordinary Hoare logic is a calculus of weakest liberal preconditions or shorter weakest preconditions [5], that is (adapted to our setting), for every program p, postcondition ψ and abnormal postcondition ε, a precondition wp(x ← p, ψ | ε) such that is a valid Hoare quadruple and φ wp(x ← p, ψ | ε) whenever {φ} x ← p {ψ | ε}.
If we can prove that all quadruples (4) are derivable in the calculus then relative completeness follows by soundness and (wk). Semantically, we construct weakest preconditions in the obvious way by The join exists because every Hom(X, Ω) is a complete lattice. The definition of a weakest precondition wp(x ← p, ψ) for T is recovered by taking E = 0. By the continuity requirements for order-enriched monads, we have Lemma 9. For all programs p and postconditions ψ | ε, wp(x ← p, ψ | ε) is a weakest precondition.
It remains to show that weakest preconditions are definable in our assertion language under the assumption that the weakest preconditions of all signature symbols exist. To this end we give an inductive definition of syntactic weakest preconditions wp s (x ← p, ψ | ε), extending the corresponding calculus for the exception-free case [7], and prove that the definition of wp s is sound w.r.t. wp. This requires a suitable restriction imposed on the underlying predicated monad, which we first recall for the exception-free case: Definition 10 (Sequential Compatibility [7]). We call a predicated monad (T, P) sequentially compatible if for all programs p, q and assertions ψ, we have Remark 11. The inequality converse to (5) holds automatically, and therefore for sequentially compatible predicated monads ).
Given φ : X → Ω, we can form φ • (p) = wp(x ← p, φ(x)), which yields an operator (--) • : Hom(X, Ω) → Hom(T X, Ω). A predicated monad (T, P) is sequentially compatible iff the right of the following two conditions is satisfied (the left one is satisfied automatically) for all φ : Y → Ω, f : X → T Y : It follows that (--) • is natural in the domain of its argument, for and therefore, by the Yoneda lemma, (--) • is uniquely induced by a map : T Ω → Ω. The axioms (6) then amount to saying that ( , Ω) is a T-algebra. This relates sequential compatibility, introduced in [7], to later work by Hasuo [8] who called such an algebra a modality, under the running assumption that T = P, which we do not assume in general.
The inductive definition of syntactic weakest preconditions is given in Figure 4.
Sequential compatibility of (T, P) generalizes to (T E , P): Lemma 12. Given a sequentially compatible monad (T, P), we have To understand the definition of wp s for catch, first note that catch itself never terminates abnormally; by unfolding the definitions of Hoare quadruples and catch, we thus have that {φ} y ← catch p {ψ | ε} is equivalent to the Hoare triple {φ} y ← catch p {ψ}. We can now eliminate catch by decomposing ψ into a case construction and applying the definition of Hoare quadruple: immediately leading to the definition of wp s (y ← catch p, ψ | ) shown in Figure 4.
For basic programs f ∈ Σ, we need to assume that weakest preconditions wp(x ← f (z), ψ) for every ψ are expressible in the assertion language, and then include {wp(x ← f (z), ψ)} x ← f (z) {ψ | ε} as an axiom in ∆.
Lemma 13. Given a sequentially compatible predicated monad, we have for all programs p and postconditions ψ Proof (Sketch). The proof is via induction over p. We carry out the interesting cases of the inductive step in detail: Case p = catch q. Just note that the rule (catch) essentially connects (15) and (16) in the above chain of equivalences explaining wp s for catch, decorated with an (irrelevant) abnormal postcondition.
Case p = itercase c of inl a → q; inr b → r. Let ξ denote the right-hand side of (12). By the induction hypothesis, {wp s (x ← q, ξ | ε)} x ← q {ξ | ε} is derivable. This quadruple is equivalent to We also have {wp s (x ← r, ψ | ε)} x ← r {ψ | ε} by induction. The required quadruple is obtained directly by applying (itcase) to the previous two quadruples.
By Lemma 13 and soundness, wp s (x ← p, ψ | ε) wp(x ← p, ψ | ε) for all p, ψ, . Conversely, we have Proof (Sketch). Induction over p. Again, we only detail the interesting cases: Case p = itercase c of inl a → q; inr b → r. Let ξ denote the right-hand side of (12). Following [7], we need to prove that φ 0 := wp(x ← p, ψ | ε) is a postfixed point of the functional defining ξ. By the definition of weakest preconditions, this amounts to showing that every φ satisfying {φ} x ← p {ψ | ε} is smaller than the functional evaluated at φ 0 , i.e.
Therefore, by case distinction, we need to show that -Continuation branch. Unrolling the first iteration of the loop, we see that {c? ∧ φ} x ← (do a ← c?; x ← q; p) {ψ | ε} holds and thus do a ← c?; wp(do x ← q; p, ψ | ε).
Case p = catch q. As seen in the derivation of the syntactic weakest precondition for catch, the Hoare quadruple in question is equivalent to Thus, φ wp(x ← q, ψ[inl x/y] | λe. ψ[inr e/y]) which is smaller than wp s (x ← p, ψ | ε) by induction.
We are now ready to prove our main result: Theorem 15 (Relative completeness). Let (T E , P) be a sequentially compatible predicated monad and let the weakest preconditions for basic programs be expressible in the assertion language. Then where ∆ Σ are axioms for the basic programs in the signature Σ.
Proof. By Lemma 13 and Lemma 14, we can express the weakest precondition wp(x ← p, ψ | ε) in the assertion language, and By the definition of wp(x ← p, ψ | ε), we thus have φ wp(x ← p, ψ | ε), so we can use (wk) to derive the required quadruple.

Conclusion and Further Work
We have extended a previous monad-based generic Hoare calculus [7] to cover computations raising exceptions, modelled in terms of the exception monad transformer [4]. To this end, we have added abnormal postconditions [9] to the system, which govern poststates reached by the program in case it terminates with an exception. Our framework is based on order-enriched monads, which provide the requisite semantic infrastructure to support loops while avoiding the assumption that the underlying category of data types is enriched over complete partial orders; consequently, our generic logic applies also to monads that live on categories with less structure, in particular the category of sets. Moreover, we equip the underlying monad with the choice of a submonad of innocent computations causing only restricted side-effects; this choice induces an object of truth values, in the shape of the type of innocent computations of unit type, that supports a form of geometric logic in which we phrase our assertion language.
We have proved soundness and relative completeness, the latter by giving a calculus of weakest (liberal) preconditions, which turn out to be expressible in spite of the fact that the assertion language is quite weak. Here, a key role is played by fixpoint constructs in the assertion language.
Exceptions can be regarded as a very simple case of uninterpreted operations; in future research, we will explore the possibility of extending the framework to cover more general uninterpreted operations, such as process-algebraic action prefixing. Moreover, we will investigate a more general setup where loops are interpreted by axiomatic iteration in the spirit of complete Elgot monads [1,6], thus in particular covering also coinductive resumption monads [14].