We’ve seen all sorts of interesting invariants that can be expressed with refinement predicates. For example, whether a divisor is non-zero, the dimension of lists, ensuring the safety of vector indices and reasoning about the set of values in containers and verifying their uniqueness. In each of these cases, we were working with specific refinement predicates that described whatever property was of interest.
Today, (drumroll please), I want to unveil a brand new feature of LiquidHaskell, which allows us to abstract over specific properties or invariants, which significantly increases the expressiveness of the system, whilst still allowing our friend the SMT solver to carry out verification and inference automatically.
30: 31: module MickeyMouse where 32: 33: import Language.Haskell.Liquid.Prelude (isEven)
Pin The Specification On the Function
Lets look at some tiny mickey-mouse examples to see why we may want to abstract over refinements in the first place.
Consider the following monomorphic max function on Int values:
45: maxInt :: Int -> Int -> Int 46: forall <p :: (GHC.Types.Int)-> Bool>. {VV : (GHC.Types.Int)<p> | true} -> {VV : (GHC.Types.Int)<p> | true} -> {VV : (GHC.Types.Int)<p> | true}maxInt {VV : (GHC.Types.Int) | ((papp1 p VV))}x {VV : (GHC.Types.Int) | ((papp1 p VV))}y = if {VV : (GHC.Types.Int) | ((papp1 p VV)) && (VV == x)}x x:{VV : (GHC.Types.Int) | ((papp1 p VV))} -> y:{VV : (GHC.Types.Int) | ((papp1 p VV))} -> {VV : (GHC.Types.Bool) | (((Prop VV)) <=> (x <= y))}<= {VV : (GHC.Types.Int) | ((papp1 p VV)) && (VV == y)}y then {VV : (GHC.Types.Int) | ((papp1 p VV)) && (VV == y)}y else {VV : (GHC.Types.Int) | ((papp1 p VV)) && (VV == x)}xWe could give
maxInt many, quite different and incomparable refinement types like
50: maxInt :: {v:Int | v >= 0} -> {v:Int | v >= 0} -> {v:Int | v >= 0}or
54: maxInt :: {v:Int | v < 10} -> {v:Int | v < 10} -> {v:Int | v < 10}or even
58: maxInt :: {v:Int | (Even v)} -> {v:Int | (Even v)} -> {v:Int | (Even v)}
All of the above are valid.
But which one is the right type?
At this point, you might be exasperated for one of two reasons.
First, the type enthusiasts among you may cry out – “What? Does this funny refinement type system not have principal types?”
No. Or, to be precise, of course not!
Principal typing is a lovely feature that is one of the many reasons why Hindley-Milner is such a delightful sweet spot. Unfortunately, the moment one wants fancier specifications one must tearfully kiss principal typing good bye.
Oh well.
Second, you may very well say, “Yes yes, does it even matter? Just pick one and get on with it already!”
Unfortunately, it matters quite a bit.
Suppose we had a refined type describing valid RGB values:
87: {-@ type RGB = {v: Int | ((0 <= v) && (v < 256)) } @-}
Now, if I wrote a function that selected the larger, that is to say, the more intense, of two RGB values, I would certainly like to check that it produced an RGB value!
95: {-@ intenser :: RGB -> RGB -> RGB @-} 96: {VV : (GHC.Types.Int) | (VV < 256) && (0 <= VV)} -> {VV : (GHC.Types.Int) | (VV < 256) && (0 <= VV)} -> {VV : (GHC.Types.Int) | (VV < 256) && (0 <= VV)}intenser {VV : (GHC.Types.Int) | (VV < 256) && (0 <= VV)}c1 {VV : (GHC.Types.Int) | (VV < 256) && (0 <= VV)}c2 = forall <p :: (GHC.Types.Int)-> Bool>. {VV : (GHC.Types.Int)<p> | true} -> {VV : (GHC.Types.Int)<p> | true} -> {VV : (GHC.Types.Int)<p> | true}maxInt {VV : (GHC.Types.Int) | (VV == c1) && (VV < 256) && (0 <= VV)}c1 {VV : (GHC.Types.Int) | (VV == c2) && (VV < 256) && (0 <= VV)}c2
Well, guess what. The first type (with v >= 0) one would tell us that
the output was non-negative, losing the upper bound. The second type (with
v < 10) would cause LiquidHaskell to bellyache about maxInt being
called with improper arguments – muttering darkly that an RGB value
is not necesarily less than 10. As for the third type … well, you get the idea.
So alas, the choice of type does matter.
If we were clairvoyant, we would givemaxInt a type like
108: maxInt :: RGB -> RGB -> RGB
but of course, that has its own issues. (“What? I have to write a separate function for picking the larger of two 4 digit numbers?!”)
Defining Parametric Invariants
Lets take a step back from the types, and turn to a spot of handwaving.
What’s really going on with maxInt?
Well, the function returns one of its two arguments x and y.
This means that if both arguments satisfy some property then the output must satisfy that property, regardless of what that property was!
To teach LiquidHaskell to understand this notion of “regardless of property” we introduce the idea of abstracting over refinements or, if you prefer, parameterizing a type over its refinements.
In particular, we type maxInt as
133: {-@ maxInt :: forall <p :: Int -> Prop>. Int<p> -> Int<p> -> Int<p>@-}
Here, the definition says explicitly: for any property p that is a
property of Int, the function takes two inputs each of which satisfy p
and returns an output that satisfies p. That is to say, Int<p> is
just an abbreviation for {v:Int | (p v)}
Digression: Whither Decidability?
At first glance, it may appear that these abstract p have taken us into
the realm of higher-order logics, where we must leave decidable checking
and our faithful SMT companion at that door, and instead roll up our
sleeves for interactive proofs (not that there’s anything wrong with that!)
Fortunately, that’s not the case. We simply encode abstract refinements p
as uninterpreted function symbols in the refinement logic.
p which satisfy only the congruence axiom.
150: forall X, Y. if (X = Y) then p(X) = p(Y)
Happily, reasoning with such uninterpreted functions is quite decidable
(thanks to Ackermann, yes, that Ackermann) and actually rather efficient.
Thus, via SMT, LiquidHaskell happily verifies that maxInt indeed behaves
as advertised: the input types ensure that both (p x) and (p y) hold
and hence that the returned value in either branch of maxInt satisfies
the refinement {v:Int | p(v)}, thereby ensuring the output type.
By the same reasoning, we can define the maximumInt operator on lists:
163: {-@ maximumInt :: forall <p :: Int -> Prop>. x:[Int <p>] -> Int <p>@-} 164: forall <p :: (GHC.Types.Int)-> Bool>. [{VV : (GHC.Types.Int)<p> | true}] -> {VV : (GHC.Types.Int)<p> | true}maximumInt (x:xs) = ({VV : (GHC.Types.Int) | ((papp1 p VV))} -> {VV : (GHC.Types.Int) | ((papp1 p VV))} -> {VV : (GHC.Types.Int) | ((papp1 p VV))}) -> {VV : (GHC.Types.Int) | ((papp1 p VV))} -> [{VV : (GHC.Types.Int) | ((papp1 p VV))}] -> {VV : (GHC.Types.Int) | ((papp1 p VV))}foldr forall <p :: (GHC.Types.Int)-> Bool>. {VV : (GHC.Types.Int)<p> | true} -> {VV : (GHC.Types.Int)<p> | true} -> {VV : (GHC.Types.Int)<p> | true}maxInt {VV : (GHC.Types.Int) | ((papp1 p VV)) && (VV == x)}x {VV : [{VV : (GHC.Types.Int) | ((papp1 p VV))}] | (VV == xs) && ((len VV) >= 0)}xs
Using Parametric Invariants
Its only useful to parametrize over invariants if there is some easy way to instantiate the parameters.
Concretely, consider the function:
176: {-@ maxEvens1 :: xs:[Int] -> {v:Int | (Even v)} @-} 177: [(GHC.Types.Int)] -> {VV : (GHC.Types.Int) | ((VV mod 2) == 0)}maxEvens1 [(GHC.Types.Int)]xs = forall <p :: (GHC.Types.Int)-> Bool>. [{VV : (GHC.Types.Int)<p> | true}] -> {VV : (GHC.Types.Int)<p> | true}maximumInt {VV : [{VV : (GHC.Types.Int) | ((VV mod 2) == 0)}]<\_ VV -> ((VV mod 2) == 0)> | (VV == xs'') && ((len VV) == (1 + (len xs'))) && ((len VV) >= 0)}xs'' 178: where 179: {VV : [{VV : (GHC.Types.Int) | ((VV mod 2) == 0)}]<\_ VV -> ((VV mod 2) == 0)> | ((len VV) >= 0)}xs' = [ (GHC.Types.Int)x | x <- {VV : [(GHC.Types.Int)] | (VV == xs) && ((len VV) >= 0)}xs, x:(GHC.Types.Int) -> {VV : (GHC.Types.Bool) | (((Prop VV)) <=> ((x mod 2) == 0))}isEven (GHC.Types.Int)x] 180: {VV : [{VV : (GHC.Types.Int) | ((VV mod 2) == 0)}]<\_ VV -> ((VV mod 2) == 0)> | ((len VV) == (1 + (len xs')))}xs'' = {VV : (GHC.Types.Int) | (VV == (0 : int))}0 forall <p :: (GHC.Types.Int)-> (GHC.Types.Int)-> Bool>. y:{VV : (GHC.Types.Int) | ((VV mod 2) == 0)} -> ys:[{VV : (GHC.Types.Int)<p y> | ((VV mod 2) == 0)}]<p> -> {VV : [{VV : (GHC.Types.Int) | ((VV mod 2) == 0)}]<p> | ((len VV) == (1 + (len ys)))}: {VV : [{VV : (GHC.Types.Int) | ((VV mod 2) == 0)}]<\_ VV -> ((VV mod 2) == 0)> | (VV == xs') && ((len VV) >= 0)}xs'where the function
isEven is from the Language.Haskell.Liquid.Prelude library:
184: {- isEven :: x:Int -> {v:Bool | (Prop(v) <=> (Even x))} -} 185: isEven :: Int -> Bool 186: isEven x = x `mod` 2 == 0
where the predicate Even is defined as
192: {-@ predicate Even X = ((X mod 2) = 0) @-}
To verify that maxEvens1 returns an even number, LiquidHaskell
infers that the list
(0:xs')has type[{v:Int | (Even v)}], that is, is a list of even numbers.automatically instantiates the refinement parameter of
maximumIntwith the concrete refinement{\v -> (Even v)}and soconcludes that the value returned by
maxEvens1is indeedEven.
Parametric Invariants and Type Classes
Ok, lets be honest, the above is clearly quite contrived. After all,
wouldn’t you write a polymorphic max function? And having done so,
we’d just get all the above goodness from old fashioned parametricity.
213: max :: forall a. a -> a -> a 214: max x y = if x > y then x else y 215: 216: maximum :: forall a. [a] -> a 217: maximum (x:xs) = foldr max x xs
then we could happily instantiate the a with {v:Int | v > 0} or
{v:Int | (Even v)} or whatever was needed at the call-site of max.
Sigh. Perhaps we are still pining for Hindley-Milner.
225: (>) :: (Ord a) => a -> a -> Bool 226: max :: (Ord a) => a -> a -> a 227: maximum :: (Ord a) => [a] -> a
Our first temptation may be to furtively look over our shoulders, and
convinced no one was watching, just pretend that funny (Ord a) business
was not there, and quietly just treat maximum as [a] -> a and summon
parametricity.
That would be most unwise. We may get away with it with the harmless Ord but what of, say, Num.
238: numCrunch :: (Num a) => [a] -> a
is not going to necessarily return one of its inputs as an output.
Thus, it is laughable to believe that numCrunch would, if given
a list of of even (or positive, negative, prime, RGB, …) integers,
return a even (or positive, negative, prime, RGB, …) integer, since
the function might add or subtract or multiply or do other unspeakable
things to the numbers in order to produce the output value.
And yet, typeclasses are everywhere.
How could we possibly verify that
253: {-@ maxEvens2 :: xs:[Int] -> {v:Int | (Even v) } @-} 254: [(GHC.Types.Int)] -> {VV : (GHC.Types.Int) | ((VV mod 2) == 0)}maxEvens2 [(GHC.Types.Int)]xs = [{VV : (GHC.Types.Int) | ((VV mod 2) == 0)}] -> {VV : (GHC.Types.Int) | ((VV mod 2) == 0)}maximumPoly {VV : [{VV : (GHC.Types.Int) | ((VV mod 2) == 0)}]<\_ VV -> ((VV mod 2) == 0)> | (VV == xs'') && ((len VV) == (1 + (len xs'))) && ((len VV) >= 0)}xs'' 255: where 256: {VV : [{VV : (GHC.Types.Int) | ((VV mod 2) == 0)}]<\_ VV -> ((VV mod 2) == 0)> | ((len VV) >= 0)}xs' = [ (GHC.Types.Int)x | x <- {VV : [(GHC.Types.Int)] | (VV == xs) && ((len VV) >= 0)}xs, x:(GHC.Types.Int) -> {VV : (GHC.Types.Bool) | (((Prop VV)) <=> ((x mod 2) == 0))}isEven (GHC.Types.Int)x] 257: {VV : [{VV : (GHC.Types.Int) | ((VV mod 2) == 0)}]<\_ VV -> ((VV mod 2) == 0)> | ((len VV) == (1 + (len xs')))}xs'' = {VV : (GHC.Types.Int) | (VV == (0 : int))}0 forall <p :: (GHC.Types.Int)-> (GHC.Types.Int)-> Bool>. y:{VV : (GHC.Types.Int) | ((VV mod 2) == 0)} -> ys:[{VV : (GHC.Types.Int)<p y> | ((VV mod 2) == 0)}]<p> -> {VV : [{VV : (GHC.Types.Int) | ((VV mod 2) == 0)}]<p> | ((len VV) == (1 + (len ys)))}: {VV : [{VV : (GHC.Types.Int) | ((VV mod 2) == 0)}]<\_ VV -> ((VV mod 2) == 0)> | (VV == xs') && ((len VV) >= 0)}xs'
where the helpers were in the usual Ord style?
263: maximumPoly :: (Ord a) => [a] -> a 264: forall a <p :: a-> Bool>. (GHC.Classes.Ord a) => [{VV : a<p> | true}] -> {VV : a<p> | true}maximumPoly (x:xs) = ({VV : a | ((papp1 p VV))} -> {VV : a | ((papp1 p VV))} -> {VV : a | ((papp1 p VV))}) -> {VV : a | ((papp1 p VV))} -> [{VV : a | ((papp1 p VV))}] -> {VV : a | ((papp1 p VV))}foldr {VV : a | ((papp1 p VV))} -> {VV : a | ((papp1 p VV))} -> {VV : a | ((papp1 p VV))}maxPoly {VV : a | ((papp1 p VV)) && (VV == x)}x {VV : [{VV : a | ((papp1 p VV))}] | (VV == xs) && ((len VV) >= 0)}xs 265: 266: maxPoly :: (Ord a) => a -> a -> a 267: forall a <p :: a-> Bool>. (GHC.Classes.Ord a) => {VV : a<p> | true} -> {VV : a<p> | true} -> {VV : a<p> | true}maxPoly {VV : a | ((papp1 p VV))}x {VV : a | ((papp1 p VV))}y = if {VV : a | ((papp1 p VV)) && (VV == x)}x x:{VV : a | ((papp1 p VV))} -> y:{VV : a | ((papp1 p VV))} -> {VV : (GHC.Types.Bool) | (((Prop VV)) <=> (x <= y))}<= {VV : a | ((papp1 p VV)) && (VV == y)}y then {VV : a | ((papp1 p VV)) && (VV == y)}y else {VV : a | ((papp1 p VV)) && (VV == x)}x
The answer: abstract refinements.
First, via the same analysis as the monomorphic Int case, LiquidHaskell
establishes that
276: {-@ maxPoly :: forall <p :: a -> Prop>. 277: (Ord a) => x:a<p> -> y:a<p> -> a<p> @-}
and hence, that
283: {-@ maximumPoly :: forall <p :: a -> Prop>. 284: (Ord a) => x:[a<p>] -> a<p> @-}
Second, at the call-site for maximumPoly in maxEvens2 LiquidHaskell
instantiates the type variable a with Int, and the abstract refinement
parameter p with {\v -> (Even v)} after which, the verification proceeds
as described earlier (for the Int case).
And So
If you’ve courageously slogged through to this point then you’ve learnt that
Sometimes, choosing the right type can be quite difficult!
But fortunately, with abstract refinements we needn’t choose, but can write types that are parameterized over the actual concrete invariants or refinements, which
Can be instantiated at the call-sites i.e. users of the functions.
We started with some really frivolous examples, but buckle your seatbelt and hold on tight, because we’re going to see some rather nifty things that this new technique makes possible, including induction, reasoning about memoizing functions, and ordering and sorting data. Stay tuned.