0size returns positive valuesavghead and tail are Safeaveragemapinitinit'insertLists ElementsListkeysMapevalcreate : Allocate and Fill a ByteStringunsafeTake : Extract prefix of size nunpack : Convert ByteString into List of Char
Refinement Types = Types + Predicates
b := Int -- base types
| Bool
| ...
| a, b, c -- type variables
t := {x:b | p} -- refined base
| x:t -> t -- refined function
p := ... -- predicate in decidable logic
p := e -- atom
| e1 == e2 -- equality
| e1 < e2 -- ordering
| (p && p) -- and
| (p || p) -- or
| (not p) -- negation
e := x, y, z,... -- variable
| 0, 1, 2,... -- constant
| (e + e) -- addition
| (e - e) -- subtraction
| (c * e) -- linear multiplication
| (f e1 ... en) -- uninterpreted function
Refinement Logic: QF-UFLIA
Quantifier-Free Logic of Uninterpreted Functions and Linear Arithmetic
0Refinement types via special comments {-@ ... @-}
Q: First, can you fix Pos so poss is rejected?
Q: Next, can you modify poss so it is accepted?
What is the type of 0 ?
{-@ zero :: Zero @-}
zero = 0
{-@ zero' :: Nat @-}
zero' = zero
In environment \(\Gamma\) the type \(t_1\) is a subtype of the type \(t_2\)
\[\boxed{\Gamma \vdash t_1 \preceq t_2}\]
Environment \(\Gamma\) is a sequence of binders
\[\Gamma \doteq \overline{\bindx{x_i}{P_i}}\]
\[\boxed{\Gamma \vdash t_1 \preceq t_2}\]
\[ \begin{array}{rll} {\mathbf{If\ VC\ is\ Valid}} & \bigwedge_i P_i \Rightarrow Q \Rightarrow R & (\mbox{By SMT}) \\ & & \\ {\mathbf{Then}} & \overline{\bindx{x_i}{P_i}} \vdash \reft{v}{b}{Q} \preceq \reft{v}{b}{R} & \\ \end{array} \]
\[ \begin{array}{rcrccll} \mathbf{VC\ is\ Valid:} & \True & \Rightarrow & v = 0 & \Rightarrow & 0 \leq v & \mbox{(by SMT)} \\ & & & & & & \\ \mathbf{So:} & \emptyset & \vdash & \Zero & \preceq & \Nat & \\ \end{array} \]
And so, we can type:
\[ \begin{array}{rcrccll} \mathbf{VC\ is\ Valid:} & x = 3 & \Rightarrow & v = x + 1 & \Rightarrow & 0 \leq v & \mbox{(by SMT)} \\ & & & & & \\ \mathbf{So:} & x = 3 & \vdash & \Zero & \preceq & \Nat & \\ \end{array} \]
And so, we can type:
Eliminates boring proofs ... makes verification practical.
No value satisfies false \(\Rightarrow\) no valid inputs for impossible
Program type-checks \(\Rightarrow\) impossible never called at run-time
Let's write a safe division function
Q: Yikes! Can you fix the type of safeDiv to banish the error?
Precondition
{-@ safeDiv :: n:Int -> d:NonZero -> Int @-}
Verifies As
\[\inferrule{}{(v = 2) \Rightarrow (v \not = 0)} {\bindx{x}{\Int}, \bindx{y}{\Int} \vdash \reftx{v}{v = 2} \preceq \reftx{v}{v \not = 0}} \]
Q: Can you fix calc so it typechecks?
Rejected as n can be any Nat
\[0 \leq n \Rightarrow (v = n) \not \Rightarrow (v \not = 0)\]
size returns positive valuesSpecify post-condition as output type
{-@ size :: [a] -> Pos @-}
size [] = 1 -- (1)
size (_:xs) = 1 + n where n = size xs -- (2)
Verified As
\[\begin{array}{rll} \True & \Rightarrow (v = 1) & \Rightarrow (0 < v) & \qquad \mbox{at (1)} \\ (0 < n) & \Rightarrow (v = 1 + n) & \Rightarrow (0 < v) & \qquad \mbox{at (2)} \\ \end{array}\]
avgVerifies As
\[(0 < n) \Rightarrow (v = n) \Rightarrow (v \not = 0)\]
Refinement Types Types + Predicates
Specify Properties
Via Refined Input- and Output- Types
Verify Properties
Via SMT based Predicate Subtyping
How to prevent calling size with empty lists?
Next: How to describe properties of structures [continue...]