> {-@ LIQUID "--no-termination" @-}
> {-@ LIQUID "--short-names" @-}
>
> module Basics where
>
> import Prelude hiding (head, max)
> import qualified Data.ByteString.Char8 as B
> import qualified Data.ByteString.Unsafe as B
> import Data.List (find)
> import Language.Haskell.Liquid.Prelude
Well-typed programs can't go wrong.
> dog = B.pack "dog"
< λ> B.unsafeIndex dog 2
< 103
< λ> B.unsafeIndex dog 10
< 0
< λ> B.unsafeIndex dog 10000000000
< segmentation fault
That's no good, it would be nice if the type system could prevent us from doing
that. Today I'm going to present our experience in designing such a type system,
and in using it to verify over 10KLoC of real Haskell code.
Refinement Types
================
We'll start with a lightning tour of LiquidHaskell before getting into the
gritty benchmarks.
A refinment type is a Haskell type where each component of the type is annotated
with a predicate from an SMT-decidable logic. For example,
< {v:Int | v >= 0 && v < 100}
describes the set of `Int`s that are between 0 and 100. We'll make heavy use of
*aliases* to simplify the types, e.g.
> {-@ predicate Btwn Lo N Hi = Lo <= N && N < Hi @-}
> {-@ type Rng Lo Hi = {v:Int | Btwn Lo v Hi} @-}
< Rng 0 100
is equivalent to the first type.
To double check note that,
> {-@ okRange :: [Rng 0 100] @-}
> okRange = [1,10,30] :: [Int]
but, of course,
> {-@ badRange :: [Rng 0 100] @-}
> badRange = [1,10,300] :: [Int]
We can describe a function's *contract* by refining its input and output types
with our desired pre- and post-conditions.
> {-@ range :: lo:Int -> hi:{Int | lo <= hi} -> [Rng lo hi] @-}
This type tells us that `range` accepts two `Int`s, the second being larger than
the first, and returns a `[Int]` where all of the elements are between `lo` and
`hi`. Now if we implement `range`
> range :: Int -> Int -> [Int]
> range lo hi
> | lo <= hi = lo : range (lo + 1) hi
> | otherwise = []
LiquidHaskell complains that `lo` is not *strictly* less than `hi`!
Fortunately, that's easily fixed, we'll just replace the `<=` in the guard with `<`.
> {-@ range' :: lo:Int -> hi:{Int | lo <= hi} -> [Rng lo hi] @-}
> range' :: Int -> Int -> [Int]
> range' lo hi
> | lo < hi = lo : range' (lo + 1) hi
> | otherwise = []
Holes
-----
Typing out the base Haskell types can be tedious, especially since GHC will
infer them. So we use `_` to represent a *type-hole*, which LiquidHaskell will
automatically fill in by asking GHC. For example, if we wrote a function
`rangeFind` with type
< (Int -> Bool) -> Int -> Int -> Maybe Int
we could write the refined type
> {-@ rangeFind :: _ -> lo:_ -> hi:{_ | lo <= hi} -> Maybe (Rng lo hi) @-}
> rangeFind f lo hi = find f $ range lo hi
Note that in order for `rangeFind` to type-check, LiquidHaskell has to infer
that `find` returns a `Maybe (Rng lo hi)` (show off liquid-pos-tip), which it
does by instantiating `find`s type parameter `a` with `Rng lo hi`.
Ok, we can talk about Integers, what about arbitrary, user-defined datatypes?
Measures
========
Let's go one step further with `range` and reason about the length of the
resulting list. Given that
< range 0 2 == [0,1]
and
< range 1 1 == []
it looks like the length of the output list should be `hi - lo`, but how do we
express that in LiquidHaskell?
(Instead of defining an index that is baked into the type definition)
we'll define a *measure*, which you can think of as a *view* of the datatype.
< {-@ measure len :: [a] -> Int
< len ([]) = 0
< len (x:xs) = 1 + (len xs)
< @-}
Measures look like Haskell functions, but they're *not*. They are a very
restricted subset of inductively-defined Haskell functions with a single
equation per data constructor. LiquidHaskell translates measures into refined
types for the data constructors, e.g.
< [] :: {v:[a] | len v = 0}
< (:) :: _ -> xs:_ -> {v:[a] | len v = len xs + 1}
ASIDE: another great spot to show off liquid-pos-tip.
NV: state that measures are uninterpreted functions into logic
> mylist = 1 : []
LiquidHaskell's interpretation of measures is a key distinction from indexed
data types, because we can define multiple measures independently of the actual
type definition, and LiquidHaskell will just conjoin the refinements arising
from the individual measures.
ASIDE: perhaps quickly show by defining `measure null` as a throwaway.
With our measure in hand we can now specify our final type for `range`
> {-@ range'' :: lo:Int -> hi:{Int | lo <= hi} -> {v:[Rng lo hi] | len v = hi - lo } @-}
Notice that we don't need to change the implementation at all, LiquidHaskell
accepts it as is!
> range'' :: Int -> Int -> [Int]
> range'' lo hi
> | lo < hi = lo : range'' (lo + 1) hi
> | otherwise = []
We can also give precise specifications to, e.g., `append`
> {-@ append :: xs:_ -> ys:_ -> {v:_ | len v = len xs + len ys} @-}
> append [] ys = ys
> append (x:xs) ys = x : append xs ys
Refined Data Types
------------------
Sometimes we *want* every instance of a type to satisfy some invariant. Every
row in a `CSV` table should have the same number of columns.
NV: Universal invariants that we get by type polymorphism is not trivial,
so maybe give a simple type like [{v:Int | v > 0}]
before going into [ListL a cols]
> data CSV a = CSV { cols :: [String], rows :: [[a]] }
> {-@ type ListL a L = {v:[a] | len v = len L} @-}
> {-@ data CSV a = CSV { cols :: [String], rows :: [ListL a cols] } @-}
Since the invariant is *baked into* the refined type definition, LiquidHaskell
will reject *any* `CSV` value that does not satisfy the invariant.
> good_2 = CSV [ "Month", "Days"]
> [ ["Jan", "31"]
> , ["Feb", "28"] ]
> bad_2 = CSV [ "Month", "Days"]
> [ ["Jan", "31"]
> , ["Feb"] ]
RJ:BEGIN-CUT
Refined Type-Classes
--------------------
Perhaps there's a common interface that we want multiple data types to support,
e.g. random-access. Many such interfaces have protocols that define how to
*safely* use the interface, like "don't index out-of-bounds". We can describe
these protocols in LiquidHaskell by packaging the functions into a type-class
and giving it a refined definition.
> class Indexable f where
> size :: f a -> Int
> at :: f a -> Int -> a
>
> {-@
> class Indexable f where
> size :: forall a. xs:f a -> {v:Nat | v = sz xs}
> at :: forall a. xs:f a -> {v:Nat | v < sz xs} -> a
> @-}
This poses a bit of a problem though, how do we define the `sz` measure?
Measures have to be defined for a specific datatype so LiquidHaskell can refine
the constructors. We'll work around this issue by introducing *type-indexed*
measures.
> {-@ class measure sz :: forall a. a -> Int @-}
> {-@ instance measure sz :: [a] -> Int
> sz ([]) = 0
> sz (x:xs) = 1 + (sz xs)
> @-}
> {-@ invariant {v:[a] | sz v >= 0} @-}
Apart from allowing definitions for multiple types, class measures work just
like regular measures, i.e. they're translated into refined data constructor
types.
If we go ahead and define an instance for lists,
> instance Indexable [] where
> size [] = 0
> size (x:xs) = 1 + size xs
>
> (x:xs) `at` 0 = x
> (x:xs) `at` i = xs `at` (i-1)
LiquidHaskell will verify that our implementation matches the class
specification.
Clients of a type-class get to assume that the instances have been defined
correctly, i.e. LiquidHaskell will happily prove that
> sum :: (Indexable f) => f Int -> Int
> sum xs = go 0
> where
> go i | i < size xs = xs `at` i + go (i+1)
> | otherwise = 0
is safe for **all** instances of `Indexable`.
Abstract Refinements
--------------------
All of the examples so far have used *concrete* refinements, but sometimes
we just want to say that *some* property will be preserved by the function, e.g.
> max :: Int -> Int -> Int
> max x y = if x > y then x else y
>
> {-@ xPos :: {v: _ | v > 0} @-}
> xPos = max 10 13
>
> {-@ xNeg :: {v: _ | v < 0} @-}
> xNeg = max (0-5) (0-8)
>
> {-@ xEven :: {v: _ | v mod 2 == 0} @-}
> xEven = max 4 (0-6)
Since `max` returns one of it's arguments, we know that if *both* inputs share
some property, then *so will the output*. In LiquidHaskell we can express this
by abstracting over the refinements.
> {-@ max :: forall <p :: Int -> Prop>.
> Int<p> -> Int<p> -> Int<p>
> @-}
RJ:END-CUT
Now that we've covered the basics of using LiquidHaskell, let's take a look at
our first experiment: proving functions total.