Bounding Vectors
Today, lets look at a classic usecase for refinement types, namely, the static verification of vector access bounds. Along the way, we'll see some examples that illustrate how LiquidHaskell reasons about recursion, higherorder functions, data types, and polymorphism.
22: module VectorBounds ( 23: safeLookup 24: , unsafeLookup, unsafeLookup' 25: , absoluteSum, absoluteSum' 26: , dotProduct 27: , sparseProduct, sparseProduct' 28: ) where 29: 30: import Prelude hiding (length) 31: import Data.List (foldl') 32: import Data.Vector hiding (foldl')
Specifying Bounds for Vectors¶
One classical usecase for refinement types is to verify the safety of accesses of arrays and vectors and such, by proving that the indices used in such accesses are within the vector bounds. Lets see how to do this with LiquidHaskell by writing a few short functions that manipulate vectors, in particular, those from the popular vector library.
First things first. Lets specify bounds safety by refining
the types for the key functions exported by the module
Data.Vector
.
Specifications for Data.Vector
50: module spec Data.Vector where 51: 52: import GHC.Base 53: 54: measure vlen :: (Vector a) > Int 55: assume length :: x:(Vector a) > {v:Int  v = (vlen x)} 56: assume ! :: x:(Vector a) > {v:Int  0 <= v && v < (vlen x)} > a
In particular, we
 define a property called
vlen
which denotes the size of the vector,  assume that the
length
function returns an integer equal to the vector's size, and  assume that the lookup function
!
requires an index between0
and the vector's size.
There are several things worth paying close attention to in the above snippet.
Measures
Recall that measures define auxiliary (or socalled ghost)
properties of data values that are useful for specification and verification,
but which don't actually exist at runtime. Thus, they will
only appear in specifications, i.e. inside type refinements, but never
inside code. Often we will use helper functions like length
in this case,
which pull or materialize the ghost values from the refinement world
into the actual code world.
Assumes
We write assume
because in this scenario we are not verifying the
implementation of Data.Vector
, we are simply using the properties of
the library to verify client code. If we wanted to verify the library
itself, we would ascribe the above types to the relevant functions in the
Haskell source for Data.Vector
.
Dependent Refinements
Notice that in the function type (e.g. for length
) we have named the input
parameter x
so that we can refer to it in the output refinement.
In this case, the type
91: assume length :: x:(Vector a) > {v : Int  v = (vlen x)}
states that the Int
output is exactly equal to the size of the input Vector
named x
.
In other words, the output refinement depends on the input value, which crucially allows us to write properties that relate different program values.
Verifying a Simple Wrapper
Lets try write some simple functions to sanity check the above specifications. First, consider an unsafe vector lookup function:
105: vec:(Data.Vector.Vector a) > {VV : (GHC.Types.Int)  (VV < vlen([vec])),(0 <= VV)} > aunsafeLookup (Data.Vector.Vector a)vec {VV : (GHC.Types.Int)  (VV < vlen([vec])),(0 <= VV)}index = {VV : (Data.Vector.Vector a)  (VV = vec),(vlen([VV]) >= 0)}vec x:(Data.Vector.Vector a) > {VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} > a! {VV : (GHC.Types.Int)  (VV = index),(VV < vlen([vec])),(0 <= VV)}index
If we run this through LiquidHaskell, it will spit back a type error for
the expression x ! i
because (happily!) it cannot prove that index
is
between 0
and the vlen vec
. Of course, we can specify the bounds
requirement in the input type
114: {@ unsafeLookup :: vec:Vector a 115: > {v: Int  (0 <= v && v < (vlen vec))} 116: > a 117: @}
then LiquidHaskell is happy to verify the lookup. Of course, now the burden
of ensuring the index is valid is pushed to clients of unsafeLookup
.
Instead, we might write a safe lookup function that performs the bounds check before looking up the vector:
127: {@ safeLookup :: Vector a > Int > Maybe a @} 128: (Data.Vector.Vector a) > (GHC.Types.Int) > (Data.Maybe.Maybe a)safeLookup (Data.Vector.Vector a)x (GHC.Types.Int)i 129:  {VV : (GHC.Types.Int)  (VV = (0 : int))}0 x:(GHC.Types.Int) > y:(GHC.Types.Int) > {VV : (GHC.Types.Bool)  ((? Prop([VV])) <=> (x <= y))}<= {VV : (GHC.Types.Int)  (VV = i)}i x:(GHC.Types.Bool) > y:(GHC.Types.Bool) > {VV : (GHC.Types.Bool)  ((? Prop([VV])) <=> && [(? Prop([x])); (? Prop([y]))])}&& {VV : (GHC.Types.Int)  (VV = i)}i x:(GHC.Types.Int) > y:(GHC.Types.Int) > {VV : (GHC.Types.Bool)  ((? Prop([VV])) <=> (x < y))}< x:(Data.Vector.Vector a) > {VV : (GHC.Types.Int)  (VV = vlen([x])),(VV >= 0)}length {VV : (Data.Vector.Vector a)  (VV = x),(vlen([VV]) >= 0)}x = x:a > {VV : (Data.Maybe.Maybe a)  ((? isJust([VV])) <=> true), (fromJust([VV]) = x)}Just ({VV : (Data.Vector.Vector a)  (VV = x),(vlen([VV]) >= 0)}x x:(Data.Vector.Vector a) > {VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} > a! {VV : (GHC.Types.Int)  (VV = i)}i) 130:  otherwise = {VV : (Data.Maybe.Maybe {VV : a  false})  ((? isJust([VV])) <=> false)}Nothing
Predicate Aliases
The type for unsafeLookup
above is rather verbose as we have to spell out
the upper and lower bounds and conjoin them. Just as we enjoy abstractions
when programming, we will find it handy to have abstractions in the
specification mechanism. To this end, LiquidHaskell supports
predicate aliases, which are best illustrated by example
142: {@ predicate Btwn Lo I Hi = (Lo <= I && I < Hi) @} 143: {@ predicate InBounds I A = (Btwn 0 I (vlen A)) @}
Now, we can simplify the type for the unsafe lookup function to
149: {@ unsafeLookup' :: x:Vector a > {v:Int  (InBounds v x)} > a @} 150: unsafeLookup' :: Vector a > Int > a 151: x:(Data.Vector.Vector a) > {VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} > aunsafeLookup' (Data.Vector.Vector a)x {VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)}i = {VV : (Data.Vector.Vector a)  (VV = x),(vlen([VV]) >= 0)}x x:(Data.Vector.Vector a) > {VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} > a! {VV : (GHC.Types.Int)  (VV = i),(VV < vlen([x])),(0 <= VV)}i
Our First Recursive Function¶
OK, with the tedious preliminaries out of the way, lets write some code!
To start: a vanilla recursive function that adds up the absolute values of the elements of an integer vector.
164: absoluteSum :: Vector Int > Int 165: (Data.Vector.Vector (GHC.Types.Int)) > {VV : (GHC.Types.Int)  (0 <= VV)}absoluteSum (Data.Vector.Vector (GHC.Types.Int))vec = x:(GHC.Prim.Int#) > {VV : (GHC.Types.Int)  (VV = (x : int))}if {VV : (GHC.Types.Int)  (VV = (0 : int))}0 x:{VV : (GHC.Types.Int)  (VV >= 0), (0 <= VV), (VV <= n), (VV <= vlen([vec]))} > y:{VV : (GHC.Types.Int)  (VV >= 0), (0 <= VV), (VV <= n), (VV <= vlen([vec]))} > {VV : (GHC.Types.Bool)  ((? Prop([VV])) <=> (x < y))}< {VV : (GHC.Types.Int)  (VV = n),(VV = vlen([vec])),(VV >= 0)}n then x6:{VV : (GHC.Types.Int)  (VV = 0), (VV < n), (VV < vlen([vec])), (0 <= VV)} > x4:{VV : (GHC.Types.Int)  (VV = 0), (VV = x6), (VV < n), (VV < vlen([vec])), (0 <= VV), (x6 <= VV)} > {VV : (GHC.Types.Int)  (VV >= 0), (VV >= x6), (VV >= x4), (0 <= VV), (x6 <= VV), (x4 <= VV)}go {VV : (GHC.Types.Int)  (VV = (0 : int))}0 {VV : (GHC.Types.Int)  (VV = (0 : int))}0 else x:(GHC.Prim.Int#) > {VV : (GHC.Types.Int)  (VV = (x : int))}0 166: where 167: x6:{VV : (GHC.Types.Int)  (VV = 0), (VV < n), (VV < vlen([vec])), (0 <= VV)} > x4:{VV : (GHC.Types.Int)  (VV = 0), (VV = x6), (VV < n), (VV < vlen([vec])), (0 <= VV), (x6 <= VV)} > {VV : (GHC.Types.Int)  (VV >= 0), (VV >= x6), (VV >= x4), (0 <= VV), (x6 <= VV), (x4 <= VV)}go {VV : (GHC.Types.Int)  (VV >= 0),(0 <= VV)}acc {VV : (GHC.Types.Int)  (VV >= 0), (0 <= VV), (VV <= n), (VV <= vlen([vec]))}i 168:  {VV : (GHC.Types.Int)  (VV = i), (VV >= 0), (0 <= VV), (VV <= n), (VV <= vlen([vec]))}i x:{VV : (GHC.Types.Int)  (VV >= 0), (VV >= i), (0 <= VV), (VV <= n), (VV <= vlen([vec])), (i <= VV)} > y:{VV : (GHC.Types.Int)  (VV >= 0), (VV >= i), (0 <= VV), (VV <= n), (VV <= vlen([vec])), (i <= VV)} > {VV : (GHC.Types.Bool)  ((? Prop([VV])) <=> (x != y))}/= {VV : (GHC.Types.Int)  (VV = n),(VV = vlen([vec])),(VV >= 0)}n = x6:{VV : (GHC.Types.Int)  (VV = 0), (VV < n), (VV < vlen([vec])), (0 <= VV)} > x4:{VV : (GHC.Types.Int)  (VV = 0), (VV = x6), (VV < n), (VV < vlen([vec])), (0 <= VV), (x6 <= VV)} > {VV : (GHC.Types.Int)  (VV >= 0), (VV >= x6), (VV >= x4), (0 <= VV), (x6 <= VV), (x4 <= VV)}go ({VV : (GHC.Types.Int)  (VV = acc),(VV >= 0),(0 <= VV)}acc x:(GHC.Types.Int) > y:(GHC.Types.Int) > {VV : (GHC.Types.Int)  (VV = (x + y))}+ n:(GHC.Types.Int) > {VV : (GHC.Types.Int)  (VV >= 0),(VV >= n)}abz ({VV : (Data.Vector.Vector (GHC.Types.Int))  (VV = vec), (vlen([VV]) >= 0)}vec x:(Data.Vector.Vector (GHC.Types.Int)) > {VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} > (GHC.Types.Int)! {VV : (GHC.Types.Int)  (VV = i), (VV >= 0), (0 <= VV), (VV <= n), (VV <= vlen([vec]))}i)) ({VV : (GHC.Types.Int)  (VV = i), (VV >= 0), (0 <= VV), (VV <= n), (VV <= vlen([vec]))}i x:(GHC.Types.Int) > y:(GHC.Types.Int) > {VV : (GHC.Types.Int)  (VV = (x + y))}+ {VV : (GHC.Types.Int)  (VV = (1 : int))}1) 169:  otherwise = {VV : (GHC.Types.Int)  (VV = acc),(VV >= 0),(0 <= VV)}acc 170: {VV : (GHC.Types.Int)  (VV = vlen([vec])),(VV >= 0)}n = x:(Data.Vector.Vector (GHC.Types.Int)) > {VV : (GHC.Types.Int)  (VV = vlen([x])),(VV >= 0)}length {VV : (Data.Vector.Vector (GHC.Types.Int))  (VV = vec), (vlen([VV]) >= 0)}vec
where the function abz
is the absolute value function from before.
176: (GHC.Num.Num a) > (GHC.Classes.Ord a) > n:a > {VV : a  (VV >= 0),(VV >= n)}abz an = {VV : (GHC.Integer.Type.Integer)  (VV = 0)}if a0 x:a > y:a > {VV : (GHC.Types.Bool)  ((? Prop([VV])) <=> (x <= y))}<= {VV : a  (VV = n)}n then {VV : a  (VV = n)}n else (a0 x:a > y:a > {VV : a  (VV = (x  y))} {VV : a  (VV = n)}n)
Digression: Introducing Errors¶
If you are following along in the demo page  I heartily recommend that you try the following modifications, one at a time, and see what happens.
What happens if:

You remove the check
0 < n
(seeabsoluteSumNT
in the demo code) 
You replace the guard with
i <= n
In the former case, LiquidHaskell will verify safety, but in the latter case, it will grumble that your program is unsafe.
Do you understand why? (Thanks to smog_alado for pointing this out :))
Refinement Type Inference¶
LiquidHaskell happily verifies absoluteSum
 or, to be precise,
the safety of the vector accesses vec ! i
. The verification works
out because LiquidHaskell is able to automatically infer a suitable
type for go
. Shuffle your mouse over the identifier above to see
the inferred type. Observe that the type states that the first
parameter acc
(and the output) is 0 <= V
. That is, the returned
value is nonnegative.
More importantly, the type states that the second parameter i
is
0 <= V
and V <= n
and V <= (vlen vec)
. That is, the parameter i
is between 0
and the vector length (inclusive). LiquidHaskell uses these
and the test that i /= n
to establish that i
is in fact between 0
and (vlen vec)
thereby verifing safety.
In fact, if we want to use the function externally (i.e. in another module) we can go ahead and strengthen its type to specify that the output is nonnegative.
221: {@ absoluteSum :: Vector Int > {v: Int  0 <= v} @}
What happens if: You replace the output type for absoluteSum
with {v: Int  0 < v }
?
Bottling Recursion With a HigherOrder loop
¶
Next, lets refactor the above lowlevel recursive function
into a generic higherorder loop
.
233: loop :: Int > Int > a > (Int > a > a) > a 234: lo:{VV : (GHC.Types.Int)  (0 <= VV)} > hi:{VV : (GHC.Types.Int)  (lo <= VV)} > a > ({VV : (GHC.Types.Int)  (VV < hi),(lo <= VV)} > a > a) > aloop {VV : (GHC.Types.Int)  (0 <= VV)}lo {VV : (GHC.Types.Int)  (lo <= VV)}hi abase {VV : (GHC.Types.Int)  (VV < hi),(lo <= VV)} > a > af = {VV : a  (VV = base)} > {VV : (GHC.Types.Int)  (VV = lo), (VV >= 0), (0 <= VV), (VV <= hi), (lo <= VV)} > ago {VV : a  (VV = base)}base {VV : (GHC.Types.Int)  (VV = lo),(0 <= VV)}lo 235: where 236: {VV : a  (VV = base)} > {VV : (GHC.Types.Int)  (VV = lo), (VV >= 0), (0 <= VV), (VV <= hi), (lo <= VV)} > ago aacc {VV : (GHC.Types.Int)  (VV >= 0), (VV >= lo), (VV >= lo), (0 <= VV), (VV <= hi), (VV <= hi), (lo <= VV), (lo <= VV)}i 237:  {VV : (GHC.Types.Int)  (VV = i), (VV >= 0), (VV >= lo), (VV >= lo), (0 <= VV), (VV <= hi), (VV <= hi), (lo <= VV), (lo <= VV)}i x:{VV : (GHC.Types.Int)  (VV >= 0), (VV >= i), (VV >= lo), (VV >= lo), (0 <= VV), (VV <= hi), (VV <= hi), (i <= VV), (lo <= VV), (lo <= VV)} > y:{VV : (GHC.Types.Int)  (VV >= 0), (VV >= i), (VV >= lo), (VV >= lo), (0 <= VV), (VV <= hi), (VV <= hi), (i <= VV), (lo <= VV), (lo <= VV)} > {VV : (GHC.Types.Bool)  ((? Prop([VV])) <=> (x != y))}/= {VV : (GHC.Types.Int)  (VV = hi), (VV = hi), (VV >= 0), (VV >= lo), (VV >= lo), (0 <= VV), (hi <= VV), (lo <= VV), (lo <= VV)}hi = {VV : a  (VV = base)} > {VV : (GHC.Types.Int)  (VV = lo), (VV >= 0), (0 <= VV), (VV <= hi), (lo <= VV)} > ago ({VV : (GHC.Types.Int)  (VV >= 0), (VV >= lo), (VV >= lo), (VV < hi), (VV < hi), (0 <= VV), (lo <= VV), (lo <= VV)} > a > af {VV : (GHC.Types.Int)  (VV = i), (VV >= 0), (VV >= lo), (VV >= lo), (0 <= VV), (VV <= hi), (VV <= hi), (lo <= VV), (lo <= VV)}i {VV : a  (VV = acc)}acc) ({VV : (GHC.Types.Int)  (VV = i), (VV >= 0), (VV >= lo), (VV >= lo), (0 <= VV), (VV <= hi), (VV <= hi), (lo <= VV), (lo <= VV)}i x:(GHC.Types.Int) > y:(GHC.Types.Int) > {VV : (GHC.Types.Int)  (VV = (x + y))}+ {VV : (GHC.Types.Int)  (VV = (1 : int))}1) 238:  otherwise = {VV : a  (VV = acc)}acc
Using loop
to compute absoluteSum
We can now use loop
to implement absoluteSum
like so:
246: (GHC.Num.Num a) > {VV : (Data.Vector.Vector {VV : a  false})  false} > {VV : a  false}absoluteSum' {VV : (Data.Vector.Vector {VV : a  false})  false}vec = {VV : (GHC.Integer.Type.Integer)  (VV = 0)}if {VV : (GHC.Types.Int)  (VV = (0 : int))}0 x:{VV : (GHC.Types.Int)  false} > y:{VV : (GHC.Types.Int)  false} > {VV : (GHC.Types.Bool)  ((? Prop([VV])) <=> (x < y))}< {VV : (GHC.Types.Int)  (VV = n),(VV = vlen([vec])),(VV >= 0)}n then lo:{VV : (GHC.Types.Int)  (0 <= VV)} > hi:{VV : (GHC.Types.Int)  (lo <= VV)} > {VV : a  false} > ({VV : (GHC.Types.Int)  (VV < hi),(lo <= VV)} > {VV : a  false} > {VV : a  false}) > {VV : a  false}loop {VV : (GHC.Types.Int)  (VV = (0 : int))}0 {VV : (GHC.Types.Int)  (VV = n),(VV = vlen([vec])),(VV >= 0)}n a0 {VV : (GHC.Types.Int)  false} > {VV : a  false} > {VV : a  false}body else {VV : (GHC.Integer.Type.Integer)  (VV = 0)}0 247: where {VV : (GHC.Types.Int)  false} > {VV : a  false} > {VV : a  false}body = \{VV : (GHC.Types.Int)  false}i {VV : a  false}acc > {VV : a  false}acc x:a > y:a > {VV : a  (VV = (x + y))}+ ({VV : (Data.Vector.Vector {VV : a  false})  false}vec x:(Data.Vector.Vector {VV : a  false}) > {VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} > {VV : a  false}! {VV : (GHC.Types.Int)  false}i) 248: {VV : (GHC.Types.Int)  (VV = vlen([vec])),(VV >= 0)}n = x:(Data.Vector.Vector {VV : a  false}) > {VV : (GHC.Types.Int)  (VV = vlen([x])),(VV >= 0)}length {VV : (Data.Vector.Vector {VV : a  false})  false}vec
LiquidHaskell verifies absoluteSum'
without any trouble.
It is very instructive to see the type that LiquidHaskell infers
for loop
 it looks something like
257: {@ loop :: lo: {v: Int  (0 <= v) } 258: > hi: {v: Int  (lo <= v) } 259: > a 260: > (i: {v: Int  (Btwn lo v hi)} > a > a) 261: > a 262: @}
In english, the above type states that
lo
the loop lower bound is a nonnegative integerhi
the loop upper bound is a greater thanlo
,f
the loop body is only called with integers betweenlo
andhi
.
Inference is a rather convenient option  it can be tedious to have to keep
typing things like the above! Of course, if we wanted to make loop
a
public or exported function, we could use the inferred type to generate
an explicit signature too.
At the call
277: loop 0 n 0 body
the parameters lo
and hi
are instantiated with 0
and n
respectively
(which, by the way is where the inference engine deduces nonnegativity
from) and thus LiquidHaskell concludes that body
is only called with
values of i
that are between 0
and (vlen vec)
, which shows the
safety of the call vec ! i
.
Using loop
to compute dotProduct
Here's another use of loop
 this time to compute the dotProduct
of two vectors.
292: dotProduct :: Vector Int > Vector Int > Int 293: x:(Data.Vector.Vector (GHC.Types.Int)) > {VV : (Data.Vector.Vector (GHC.Types.Int))  (vlen([VV]) = vlen([x]))} > (GHC.Types.Int)dotProduct (Data.Vector.Vector (GHC.Types.Int))x {VV : (Data.Vector.Vector (GHC.Types.Int))  (vlen([VV]) = vlen([x]))}y = lo:{VV : (GHC.Types.Int)  (0 <= VV)} > hi:{VV : (GHC.Types.Int)  (lo <= VV)} > (GHC.Types.Int) > ({VV : (GHC.Types.Int)  (VV < hi),(lo <= VV)} > (GHC.Types.Int) > (GHC.Types.Int)) > (GHC.Types.Int)loop {VV : (GHC.Types.Int)  (VV = (0 : int))}0 (x:(Data.Vector.Vector (GHC.Types.Int)) > {VV : (GHC.Types.Int)  (VV = vlen([x])),(VV >= 0)}length {VV : (Data.Vector.Vector (GHC.Types.Int))  (VV = x), (vlen([VV]) >= 0)}x) {VV : (GHC.Types.Int)  (VV = (0 : int))}0 ({VV : (GHC.Types.Int)  (VV >= 0), (VV < vlen([x])), (VV < vlen([y])), (0 <= VV)} > (GHC.Types.Int) > (GHC.Types.Int)\{VV : (GHC.Types.Int)  (VV >= 0), (VV < vlen([x])), (VV < vlen([y])), (0 <= VV)}i > (x:(GHC.Types.Int) > y:(GHC.Types.Int) > {VV : (GHC.Types.Int)  (VV = (x + y))}+ ({VV : (Data.Vector.Vector (GHC.Types.Int))  (VV = x), (vlen([VV]) >= 0)}x x:(Data.Vector.Vector (GHC.Types.Int)) > {VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} > (GHC.Types.Int)! {VV : (GHC.Types.Int)  (VV = i), (VV >= 0), (VV < vlen([x])), (VV < vlen([y])), (0 <= VV)}i) x:(GHC.Types.Int) > y:(GHC.Types.Int) > {VV : (GHC.Types.Int)  (&& [(x >= 0); (y >= 0)] => (VV >= 0))}* ({VV : (Data.Vector.Vector (GHC.Types.Int))  (VV = y), (vlen([VV]) = vlen([x])), (vlen([VV]) >= 0)}y x:(Data.Vector.Vector (GHC.Types.Int)) > {VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} > (GHC.Types.Int)! {VV : (GHC.Types.Int)  (VV = i), (VV >= 0), (VV < vlen([x])), (VV < vlen([y])), (0 <= VV)}i)))
The gimleteyed reader will realize that the above is quite unsafe  what
if x
is a 10dimensional vector while y
has only 3dimensions?
A nasty
300: *** Exception: ./Data/Vector/Generic.hs:244 ((!)): index out of bounds ...
Yech.
This is precisely the sort of unwelcome surprise we want to do away with at compiletime. Refinements to the rescue! We can specify that the vectors have the same dimensions quite easily
310: {@ dotProduct :: x:(Vector Int) 311: > y:{v: (Vector Int)  (vlen v) = (vlen x)} 312: > Int 313: @}
after which LiquidHaskell will gladly verify that the implementation of
dotProduct
is indeed safe!
Refining Data Types¶
Next, suppose we want to write a sparse dot product, that is, the dot product of a vector and a sparse vector represented by a list of indexvalue tuples.
Representing Sparse Vectors
We can represent the sparse vector with a refinement type alias
331: {@ type SparseVector a N = [({v: Int  (Btwn 0 v N)}, a)] @}
As with usual types, the alias SparseVector
on the left is just a
shorthand for the (longer) type on the right, it does not actually
define a new type. Thus, the above alias is simply a refinement of
Haskell's [(Int, a)]
type, with a size parameter N
that facilitates
easy specification reuse. In this way, refinements let us express
invariants of containers like lists in a straightforward manner.
Aside: If you are familiar with the indexstyle length
encoding e.g. as found in DML or Agda, then note
that despite appearances, our SparseVector
definition is not
indexed. Instead, we deliberately choose to encode properties
with logical refinement predicates, to facilitate SMT based
checking and inference.
Verifying Uses of Sparse Vectors
Next, we can write a recursive procedure that computes the sparse product
353: {@ sparseProduct :: (Num a) => x:(Vector a) 354: > SparseVector a (vlen x) 355: > a 356: @} 357: (GHC.Num.Num a) > x:(Data.Vector.Vector a) > [({VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} , a)] > asparseProduct (Data.Vector.Vector a)x [({VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} , a)]y = {VV : a  (VV = 0)} > {VV : [({VV : (GHC.Types.Int)  (VV >= 0), (VV < vlen([x])), (0 <= VV)} , a)]  (VV = y), (len([VV]) = len([y])), (len([VV]) >= 0)} > ago a0 {VV : [({VV : (GHC.Types.Int)  (VV < vlen([x])), (0 <= VV)} , a)]  (VV = y),(len([VV]) >= 0)}y 358: where 359: {VV : a  (VV = 0)} > {VV : [({VV : (GHC.Types.Int)  (VV >= 0), (VV < vlen([x])), (0 <= VV)} , a)]  (VV = y), (len([VV]) = len([y])), (len([VV]) >= 0)} > ago asum ((i, v) : y') = {VV : a  (VV = 0)} > {VV : [({VV : (GHC.Types.Int)  (VV >= 0), (VV < vlen([x])), (0 <= VV)} , a)]  (VV = y), (len([VV]) = len([y])), (len([VV]) >= 0)} > ago ({VV : a  (VV = sum)}sum x:a > y:a > {VV : a  (VV = (x + y))}+ a({VV : (Data.Vector.Vector a)  (VV = x), (VV = x), (vlen([VV]) = vlen([x])), (vlen([VV]) >= 0)}x x:(Data.Vector.Vector a) > {VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} > a! {VV : (GHC.Types.Int)  (VV = i), (VV >= 0), (VV < vlen([x])), (VV < vlen([x])), (0 <= VV)}i) x:a > y:a > {VV : a  (&& [(x >= 0); (y >= 0)] => (VV >= 0))}* {VV : a  (VV = v)}v) {VV : [({VV : (GHC.Types.Int)  (VV >= 0), (VV < vlen([x])), (VV < vlen([x])), (0 <= VV)} , a)]  (VV = y'),(len([VV]) >= 0)}y' 360: go sum [] = {VV : a  (VV = sum)}sum
LiquidHaskell verifies the above by using the specification for y
to
conclude that for each tuple (i, v)
in the list, the value of i
is
within the bounds of the vector x
, thereby proving the safety of the
access x ! i
.
Refinements and Polymorphism¶
The sharp reader will have undoubtedly noticed that the sparse product can be more cleanly expressed as a fold.
Indeed! Let us recall the type of the foldl
operation
375: foldl' :: (a > b > a) > a > [b] > a
Thus, we can simply fold over the sparse vector, accumulating the sum
as we go along
382: {@ sparseProduct' :: (Num a) => x:(Vector a) 383: > SparseVector a (vlen x) 384: > a 385: @} 386: (GHC.Num.Num a) > x:(Data.Vector.Vector a) > [({VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} , a)] > asparseProduct' (Data.Vector.Vector a)x [({VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} , a)]y = (a > ({VV : (GHC.Types.Int)  (VV >= 0), (VV < vlen([x])), (0 <= VV)} , a) > a) > a > [({VV : (GHC.Types.Int)  (VV >= 0), (VV < vlen([x])), (0 <= VV)} , a)] > afoldl' a > ({VV : (GHC.Types.Int)  (VV >= 0), (VV < vlen([x])), (0 <= VV)} , a) > abody a0 {VV : [({VV : (GHC.Types.Int)  (VV < vlen([x])), (0 <= VV)} , a)]  (VV = y),(len([VV]) >= 0)}y 387: where 388: a > ({VV : (GHC.Types.Int)  (VV >= 0), (VV < vlen([x])), (0 <= VV)} , a) > abody asum (i, v) = {VV : a  (VV = sum)}sum x:a > y:a > {VV : a  (VV = (x + y))}+ a({VV : (Data.Vector.Vector a)  (VV = x),(vlen([VV]) >= 0)}x x:(Data.Vector.Vector a) > {VV : (GHC.Types.Int)  (VV < vlen([x])),(0 <= VV)} > a! {VV : (GHC.Types.Int)  (VV = i), (VV >= 0), (VV < vlen([x])), (0 <= VV)}i) x:a > y:a > {VV : a  (&& [(x >= 0); (y >= 0)] => (VV >= 0))}* {VV : a  (VV = v)}v
LiquidHaskell digests this too, without much difficulty.
The main trick is in how the polymorphism of foldl'
is instantiated.

The GHC type inference engine deduces that at this site, the type variable
b
from the signature offoldl'
is instantiated to the Haskell type(Int, a)
. 
Correspondingly, LiquidHaskell infers that in fact
b
can be instantiated to the refined type({v: Int  (Btwn 0 v (vlen x))}, a)
.
Walk the mouse over to i
to see this inferred type. (You can also hover over
foldl'
above to see the rather more verbose fully instantiated type.)
Thus, the inference mechanism saves us a fair bit of typing and allows us to reuse existing polymorphic functions over containers and such without ceremony.
Conclusion¶
That's all for now folks! Hopefully the above gives you a reasonable idea of how one can use refinements to verify size related properties, and more generally, to specify and verify properties of recursive, and polymorphic functions operating over datatypes. Next time, we'll look at how we can teach LiquidHaskell to think about properties of recursive structures like lists and trees.