Weakest precondition interpretation

This module defines the weakest precondition interpretation WP of monadic programs in terms of predicate transformers PredTrans.

This interpretation forms the basis of our notion of Hoare triples. It is the main mechanism of this library for reasoning about monadic programs.

An instance WP m ps determines an interpretation wp⟦x⟧ of a program x : m α in terms of a predicate transformer PredTrans ps α; The monad m determines ps : PostShape and hence the particular shape of the predicate transformer.

This library comes with pre-defined instances for common monads and transformers such as

• WP Id .pure, interpreting pure computations x : Id α in terms of a function (isomorphic to) (α → Prop) → Prop.
• WP (StateT σ m) (.arg σ ps) given an instance WP m ps, interpreting StateM σ α in terms of a function (α → σ → Prop) → σ → Prop.
• WP (ExceptT ε m) (.except ε ps) given an instance WP m ps, interpreting Except ε α in terms of (α → Prop) → (ε → Prop) → Prop.
• WP (EStateM ε σ) (.except ε (.arg σ .pure)) interprets EStateM ε σ α in terms of a function (α → σ → Prop) → (ε → σ → Prop) → σ → Prop.

These instances are all monad morphisms, a fact which is properly encoded and exploited by the subclass WPMonad.

class Std.Do.WP (m : Type → Type u) (ps : outParam PostShape) : Type (max 1 u)

A weakest precondition interpretation of a monadic program x : m α in terms of a predicate transformer PredTrans ps α. The monad m determines ps : PostShape. See the module comment for more details.

• wp {α : Type} (x : m α) : PredTrans ps α

def Std.Do.«termWp⟦_:_⟧» : Lean.ParserDescr

def Std.Do.unexpandWP : Lean.PrettyPrinter.Unexpander

instance Std.Do.Id.instWP : WP Id PostShape.pure

instance Std.Do.StateT.instWP {m : Type → Type u} {ps : PostShape} {σ : Type} [WP m ps] : WP (StateT σ m) (PostShape.arg σ ps)

instance Std.Do.ReaderT.instWP {m : Type → Type u} {ps : PostShape} {ρ : Type} [WP m ps] : WP (ReaderT ρ m) (PostShape.arg ρ ps)

instance Std.Do.ExceptT.instWP {m : Type → Type u} {ps : PostShape} {ε : Type} [WP m ps] : WP (ExceptT ε m) (PostShape.except ε ps)

instance Std.Do.EStateM.instWP {ε σ : Type} : WP (EStateM ε σ) (PostShape.except ε (PostShape.arg σ PostShape.pure))

instance Std.Do.State.instWP {σ : Type} : WP (StateM σ) (PostShape.arg σ PostShape.pure)

instance Std.Do.Reader.instWP {ρ : Type} : WP (ReaderM ρ) (PostShape.arg ρ PostShape.pure)

instance Std.Do.Except.instWP {ε : Type} : WP (Except ε) (PostShape.except ε PostShape.pure)

theorem Std.Do.Id.by_wp {α : Type} {x : α} {prog : Id α} (h : prog.run = x) (P : α → Prop) : wp⟦prog⟧ (Std.Do.PostCond.total P) → P x

theorem Std.Do.StateM.by_wp {σ : Type} {s : σ} {α : Type} {x : α × σ} {prog : StateM σ α} (h : StateT.run prog s = x) (P : α × σ → Prop) : wp⟦prog⟧ (⇓ (a : α) (s' : σ) => P (a, s')) s → P x

theorem Std.Do.EStateM.by_wp {ε σ : Type} {s : σ} {α : Type} {x : EStateM.Result ε σ α} {prog : EStateM ε σ α} (h : prog.run s = x) (P : EStateM.Result ε σ α → Prop) : wp⟦prog⟧ (⇓ (a : α) (s' : σ) => P (EStateM.Result.ok a s')) s → P x