{-@ LIQUID "--no-termination" @-}
{-@ LIQUID "--short-names" @-}
module Examples
( sum
, sum'
, sum''
, average
import Prelude hiding (foldr, map, sum, length, (!))
data Vector a
range :: Int -> Int -> [Int]
at :: Vector a -> Int -> a
at = undefined
size :: Vector a -> Int
size = undefined
Refinement Types by Example
Collections & HOFs
Refinements for Datatypes
Refinement Types by Example
Property: In-bounds Array Access
{-@ measure vlen :: Vector a -> Int @-}
Specifications: Pre-Conditions
What does a function require for correct execution?
{-@ at :: v:Vector a -> {i:Nat| i < vlen v} -> a @-}
Refinement on the function's input type
Specifications: Post-Conditions
What does a function ensure about its result?
{-@ size :: v:Vector a -> {n:Int | n == vlen v} @-}
Refinement on the function's output type
Verification: Vector Sum
sum :: Vector Int -> Int
sum v = loop 0
{-@ loop :: Nat -> Int @-}
loop i
| i <= size v = at v i + loop (i + 1)
| otherwise = 0
Oops! What gives?
Verification: Vector Sum
Verification Conditions
& \Rightarrow v = 0
& \Rightarrow 0 \leq v
& \mbox{(A)} \\
0 \leq i \wedge n = \mathit{vlen}\ v \wedge i < n
& \Rightarrow v = i + 1
& \Rightarrow 0 \leq v
& \mbox{(B)} \\
0 \leq i \wedge n = \mathit{vlen}\ v \wedge i < n
& \Rightarrow v = i
& \Rightarrow 0 \leq v < \mathit{vlen}\ v
& \mbox{(C)} \\
The more interesting your types get,
the less fun it is to write them down.
-- Benjamin Pierce
Inference: Vector Sum
sum' :: Vector Int -> Int
sum' v = loop 0
{-@ loop :: _ -> _ @-}
loop i
| i < size v = at v i + loop (i + 1)
| otherwise = 0
Not magic, just Abstract Interpretation
Represent unknown refinements with \(\kvar{}{\cdot}\) variables ...
& \Rightarrow v = 0
& \Rightarrow \kvar{}{v}
& \mbox{(A)} \\
\kvar{}{i} \wedge n = \mathit{vlen}\ v \wedge i < n
& \Rightarrow v = i + 1
& \Rightarrow \kvar{}{v}
& \mbox{(B)} \\
\kvar{}{i} \wedge n = \mathit{vlen}\ v \wedge i < n
& \Rightarrow v = i
& \Rightarrow 0 \leq v < \mathit{vlen}\ v
& \mbox{(C)} \\
& \Rightarrow v = 0
& \Rightarrow \kvar{}{v}
& \mbox{(A)} \\
\kvar{}{i} \wedge n = \mathit{vlen}\ v \wedge i < n
& \Rightarrow v = i + 1
& \Rightarrow \kvar{}{v}
& \mbox{(B)} \\
\kvar{}{i} \wedge n = \mathit{vlen}\ v \wedge i < n
& \Rightarrow v = i
& \Rightarrow 0 \leq v < \mathit{vlen}\ v
& \mbox{(C)} \\
Synthesized Solution
\[\kvar{}{v} = 0 \leq v\]
Collections & Higher-Order Functions
Composition >> Recursion!
Generic Sequences
range lo hi
| lo < hi = lo : range (lo + 1) hi
| otherwise = []
(What's a good type for range?)
Fold over Sequences
foldr :: (a -> b -> b) -> b -> [a] -> b
foldr f b [] = b
foldr f b (x:xs) = f x (foldr f b xs)
"Wholemeal" Vector Sum
sum'' :: Vector Int -> Int
sum'' v = foldr add 0 is
add = \i n -> n + at v i
is = range 0 (size v)
Types make refinement inference "just work" ...
Example: List average
{-@ average :: [Int] -> Int @-}
average xs = total `div` n
total = foldr (+) 0 xs
n = length xs
length :: [a] -> Int
length [] = 0
length (_:xs) = 1 + length xs
Yikes! average requires non-empty lists!
Lift (some) functions into specification logic:
{-@ measure length @-}
which lets us define a type alias
{-@ type ListNE a = {v:[a] | 0 < length v} @-}
Now lets go back and fixaverage ...
data [a] where
[] :: {v:[a] | length v = 0}
(:) :: a
-> t:[a]
-> {v:[a] | length v = 1 + length t}
Where length is uninterpreted in refinement Logic
Example: map over Lists
What's the problem here? (Lets fix it!)
{-@ hwAverage :: ListNE (a, Int) -> Int @-}
hwAverage nxs = average (map snd nxs)
{-@ map :: (a -> b) -> [a] -> [b] @-}
map f [] = []
map f (x:xs) = f x : map f xs
Specify properties as functions over datatypes
Refined Constructors
Instantiate constraints at fold (C ...) & unfold (case-of)
Refined Constructors
Instantiate constraints at fold (C ...) & unfold (case-of)