Refinement Reflection on ADTs
Lists are Monoids¶
Previously we saw how Refinement Reflection can be used to write Haskell functions that prove theorems about other Haskell functions. Today, we will see how Refinement Reflection works on recursive data types. As an example, we will prove that lists are monoids (under nil and append).
Lets see how to express the monoid laws as liquid types, and then prove the laws by writing plain Haskell functions that are checked by LiquidHaskell.
Recursive Paper and Pencil Proofs.
"Drawing Hands" by Escher.
46: {-@ LIQUID "--higherorder" @-} 47: {-@ LIQUID "--totality" @-} 48: module StructuralInduction where 49: import Language.Haskell.Liquid.ProofCombinators 50: 51: import Prelude hiding (length) 52: 53: length :: List a -> Int 54: leftId :: List a -> Proof 55: rightId :: List a -> Proof 56: associativity :: List a -> List a -> List a -> Proof
Lists¶
First, lets define the List a
data type
66: data List a = N | C a (List a)
Induction on Lists¶
As we will see, proofs by structural induction will correspond to programs that perform recursion on lists. To keep things legit, we must verify that those programs are total and terminating.
To that end, lets define a length
function that
computes the natural number that is the size of a
list.
81: {-@ measure length @-} 82: {-@ length :: List a -> Nat @-} 83: x1:(StructuralInduction.List a) -> {v : GHC.Types.Int | v >= 0 && v == length x1}length N = 0 84: length (C x xs) = {v : GHC.Types.Int | v == (1 : int)}1 x1:GHC.Types.Int -> x2:GHC.Types.Int -> {v : GHC.Types.Int | v == x1 + x2}+ {v : GHC.Types.Int | v >= 0 && v == length xs && v == length xs}length xs
We lift length
in the logic, as a measure.
We can now tell Liquid Haskell that when proving termination
on recursive functions with a list argument xs
, it should
check whether the length xs
is decreasing.
94: {-@ data List [length] a = N | C {hd :: a, tl :: List a} @-}
Reflecting Lists into the Logic¶
To talk about lists in the logic, we use the annotation
104: {-@ LIQUID "--exact-data-cons" @-}
which automatically derives measures for
- testing if a value has a given data constructor, and
- extracting the corresponding field's value.
For our example, LH will automatically derive the following functions in the refinement logic.
116: isN :: L a -> Bool -- Haskell's null 117: isC :: L a -> Bool -- Haskell's not . null 118: 119: select_C_1 :: L a -> a -- Haskell's head 120: select_C_2 :: L a -> L a -- Haskell's tail
A programmer never sees the above operators; they are internally used by LH to reflect Haskell functions into the refinement logic, as we shall see shortly.
Defining the Monoid Operators¶
A structure is a monoid, when it has two operators:
- the identity element
empty
and - an associative operator
<>
.
Lets define these two operators for our List
.
- the identity element is the empty list, and
- the associative operator
<>
is list append.
141: {-@ reflect empty @-} 142: empty :: List a 143: {VV : (StructuralInduction.List a) | VV == empty && VV == StructuralInduction.N}empty = N 144: 145: {-@ infix <> @-} 146: {-@ reflect <> @-} 147: (<>) :: List a -> List a -> List a 148: N x1:(StructuralInduction.List a) -> x2:(StructuralInduction.List a) -> {VV : (StructuralInduction.List a) | VV == <> x1 x2 && VV == (if is_N x1 then x2 else StructuralInduction.C (select_C_1 x1) (<> (select_C_2 x1) x2))}<> (StructuralInduction.List a)ys = ys 149: (C x xs) <> ys = x1:(StructuralInduction.List a) -> {v : (StructuralInduction.List a) | tl v == x1 && hd v == x && select_C_2 v == x1 && select_C_1 v == x && (is_C v <=> true) && (is_N v <=> false) && length v == 1 + length x1 && v == StructuralInduction.C x x1}C x ({VV : (StructuralInduction.List a) | VV == <> xs ys && VV == (if is_N xs then ys else StructuralInduction.C (select_C_1 xs) (<> (select_C_2 xs) ys)) && VV == <> xs ys}xs <> ys)
LiquidHaskell automatically checked that the recursive (<>)
is terminating, by checking that the length
of its first
argument is decreasing. Since both the above operators are
provably terminating, LH lets us reflect them into logic.
As with our previous
fibonacci
example, reflection of a function
into logic, means strengthening the result type
of the function with its implementation.
Thus, the automatically derived, strengthened
types for empty
and (<>)
will be
166: empty :: {v:List a | v == empty && v == N } 167: 168: (<>) :: xs:List a -> ys:List a 169: -> {v:List a | v == xs <> ys && 170: v == if isN xs then ys else 171: C (select_C_1 xs) (select_C_2 xs <> ys) 172: }
In effect, the derived checker and selector functions are used
to translate Haskell to logic. The above is just to explain
how LH reasons about the operators; the programmer never (directly)
reads or writes the operators isN
or select_C_1
etc.
Proving the Monoid Laws¶
Finally, we have set everything up, (actually LiquidHaskell
did most of the work for us) and we are ready to prove the
monoid laws for the List
.
First we prove left identity of empty
.
190: {-@ leftId :: x:List a -> { empty <> x == x } @-} 191: x1:(StructuralInduction.List a) -> {VV : () | <> empty x1 == x1}leftId (StructuralInduction.List a)x 192: = (StructuralInduction.List a)empty <> x 193: (StructuralInduction.List a) -> (StructuralInduction.List a) -> (StructuralInduction.List a)==. (StructuralInduction.List a)N <> x 194: (StructuralInduction.List a) -> (StructuralInduction.List a) -> (StructuralInduction.List a)==. x 195: *** QED
This proof was trivial, because left identity is satisfied
by the way we defined (<>)
.
Next, we prove right identity of empty
.
204: {-@ rightId :: x:List a -> { x <> empty == x } @-} 205: x1:(StructuralInduction.List a) -> {VV : () | <> x1 empty == x1}rightId N 206: = (StructuralInduction.List (GHC.Prim.Any *))N <> empty 207: (StructuralInduction.List (GHC.Prim.Any *)) -> (StructuralInduction.List (GHC.Prim.Any *)) -> (StructuralInduction.List (GHC.Prim.Any *))==. N 208: *** QED 209: 210: rightId (C x xs) 211: = (StructuralInduction.List a)(x1:(StructuralInduction.List a) -> {v : (StructuralInduction.List a) | tl v == x1 && hd v == x && select_C_2 v == x1 && select_C_1 v == x && (is_C v <=> true) && (is_N v <=> false) && length v == 1 + length x1 && v == StructuralInduction.C x x1}C x xs) <> empty 212: (StructuralInduction.List a) -> (StructuralInduction.List a) -> (StructuralInduction.List a)==. x1:(StructuralInduction.List a) -> {v : (StructuralInduction.List a) | tl v == x1 && hd v == x && select_C_2 v == x1 && select_C_1 v == x && (is_C v <=> true) && (is_N v <=> false) && length v == 1 + length x1 && v == StructuralInduction.C x x1}C x ((StructuralInduction.List a)xs <> empty) 213: (StructuralInduction.List a) -> (StructuralInduction.List a) -> () -> (StructuralInduction.List a)==. x1:(StructuralInduction.List a) -> {v : (StructuralInduction.List a) | tl v == x1 && hd v == x && select_C_2 v == x1 && select_C_1 v == x && (is_C v <=> true) && (is_N v <=> false) && length v == 1 + length x1 && v == StructuralInduction.C x x1}C x xs ∵ {VV : () | <> xs empty == xs}rightId xs 214: *** QED
This proof is more tricky, as it requires structural induction which is
encoded in LH proofs simply as recursion. LH ensures that the inductive
hypothesis is appropriately applied by checking that the recursive proof is
total and terminating. In the rightId
case, for termination, Liquid Haskell
checked that length xs < length (C x xs)
.
It turns out that we can prove lots of properties about lists using structural induction, encoded in Haskell as
- case splitting,
- recursive calls, and
- rewriting,
To see a last example, lets prove the associativity of (<>)
.
233: {-@ associativity :: x:List a -> y:List a -> z:List a 234: -> { x <> (y <> z) == (x <> y) <> z } @-} 235: x1:(StructuralInduction.List a) -> x2:(StructuralInduction.List a) -> x3:(StructuralInduction.List a) -> {VV : () | <> x1 (<> x2 x3) == <> (<> x1 x2) x3}associativity N (StructuralInduction.List a)y (StructuralInduction.List a)z 236: = (StructuralInduction.List a)N <> ({v : (StructuralInduction.List a) | v == <> y z && v == (if is_N y then z else StructuralInduction.C (select_C_1 y) (<> (select_C_2 y) z)) && v == <> y z}y <> z) 237: (StructuralInduction.List a) -> (StructuralInduction.List a) -> (StructuralInduction.List a)==. {v : (StructuralInduction.List a) | v == <> y z && v == (if is_N y then z else StructuralInduction.C (select_C_1 y) (<> (select_C_2 y) z)) && v == <> y z}y <> z 238: (StructuralInduction.List a) -> (StructuralInduction.List a) -> (StructuralInduction.List a)==. (StructuralInduction.List a)((StructuralInduction.List a)N <> y) <> z 239: *** QED 240: 241: associativity (C x xs) y z 242: = (StructuralInduction.List a)(x1:(StructuralInduction.List a) -> {v : (StructuralInduction.List a) | tl v == x1 && hd v == x && select_C_2 v == x1 && select_C_1 v == x && (is_C v <=> true) && (is_N v <=> false) && length v == 1 + length x1 && v == StructuralInduction.C x x1}C x xs) <> ({v : (StructuralInduction.List a) | v == <> y z && v == (if is_N y then z else StructuralInduction.C (select_C_1 y) (<> (select_C_2 y) z)) && v == <> y z}y <> z) 243: (StructuralInduction.List a) -> (StructuralInduction.List a) -> (StructuralInduction.List a)==. x1:(StructuralInduction.List a) -> {v : (StructuralInduction.List a) | tl v == x1 && hd v == x && select_C_2 v == x1 && select_C_1 v == x && (is_C v <=> true) && (is_N v <=> false) && length v == 1 + length x1 && v == StructuralInduction.C x x1}C x ((StructuralInduction.List a)xs <> ({v : (StructuralInduction.List a) | v == <> y z && v == (if is_N y then z else StructuralInduction.C (select_C_1 y) (<> (select_C_2 y) z)) && v == <> y z}y <> z)) 244: (StructuralInduction.List a) -> (StructuralInduction.List a) -> () -> (StructuralInduction.List a)==. x1:(StructuralInduction.List a) -> {v : (StructuralInduction.List a) | tl v == x1 && hd v == x && select_C_2 v == x1 && select_C_1 v == x && (is_C v <=> true) && (is_N v <=> false) && length v == 1 + length x1 && v == StructuralInduction.C x x1}C x ((StructuralInduction.List a)({v : (StructuralInduction.List a) | v == <> xs y && v == (if is_N xs then y else StructuralInduction.C (select_C_1 xs) (<> (select_C_2 xs) y)) && v == <> xs y}xs <> y) <> z) ∵ x1:(StructuralInduction.List a) -> x2:(StructuralInduction.List a) -> x3:(StructuralInduction.List a) -> {VV : () | <> x1 (<> x2 x3) == <> (<> x1 x2) x3}associativity xs y z 245: (StructuralInduction.List a) -> (StructuralInduction.List a) -> (StructuralInduction.List a)==. (StructuralInduction.List a)(x1:(StructuralInduction.List a) -> {v : (StructuralInduction.List a) | tl v == x1 && hd v == x && select_C_2 v == x1 && select_C_1 v == x && (is_C v <=> true) && (is_N v <=> false) && length v == 1 + length x1 && v == StructuralInduction.C x x1}C x ({v : (StructuralInduction.List a) | v == <> xs y && v == (if is_N xs then y else StructuralInduction.C (select_C_1 xs) (<> (select_C_2 xs) y)) && v == <> xs y}xs <> y)) <> z 246: (StructuralInduction.List a) -> (StructuralInduction.List a) -> (StructuralInduction.List a)==. (StructuralInduction.List a)((StructuralInduction.List a)(x1:(StructuralInduction.List a) -> {v : (StructuralInduction.List a) | tl v == x1 && hd v == x && select_C_2 v == x1 && select_C_1 v == x && (is_C v <=> true) && (is_N v <=> false) && length v == 1 + length x1 && v == StructuralInduction.C x x1}C x xs) <> y) <> z 247: *** QED
The above proof of associativity reifies the paper and pencil proof by structural induction.
With that, we can safely conclude that our user defined list is a monoid!
Conclusion¶
We saw how Refinement Reflection can be used to
- specify properties of
ADTs
, - naturally encode structural inductive proofs of these properties, and
- have these proofs machine checked by Liquid Haskell.
Why is this useful? Because the theorems we prove refer to your Haskell functions! Thus you (or in the future, the compiler) can use properties like monoid or monad laws to optimize your Haskell code. In the future, we will present examples of code optimizations using monoid laws. Stay tuned!