Advanced Features of Type Systems - Concepts of ... · Limitations of Dependent Types in Idris iotaTR: (n:Nat) ->VectmNat-> Vect(m+n)Nat iotaTRZacc=acc iotaTR(Sn)acc=iotaTRn(Sn::acc)

Advanced Features of Type SystemsConcepts of Programming Languages—CoPL’15

Sebastian Hungerecker

Institute for Software Engineering and Programming Languages

February 8, 2016

Sebastian Hungerecker February 8, 2016 1

Introduction

I Type systems turn wrong behavior into errorsI Static type systems turn run-time into compile-time errorsI Advanced features catch even more errors at compile time


Topics

Dependent Types

Refinement Types

Uniqueness Types


Dependent Types

Types depend on values.

data Foo: Int -> Type where ...baz: (bar: Int) -> Foo bar

⇒ More information about types

⇒ More properties can be expressedFor example: Index out of bounds


ADT in Idris

data Nat : Type whereZ : NatS : Nat -> Nat

Usage

i: Nat = S (S (S Z))

-- with more sugar:i: Nat = 3

Z = 0S Z = 1

S (S Z) = 2. . .


Dependent Types in Idris

data Vect : Nat -> Type -> Type whereNil : Vect Z a(::) : a -> Vect n a -> Vect (S n) a

Usage

myVect: Vect 3 Int = 1 :: 2 :: 3 :: Nil--> compiles fine

myVect: Vect 2 Int = 1 :: 2 :: 3 :: Nil--> compile error


Example: Sequential Vector (ι Function)

iotaHelper : (n: Nat) -> Vect n NatiotaHelper Z = NiliotaHelper (S m) = (S m) :: iotaHelper m

iota : (n: Nat) -> Vect n Natiota n = reverse (iotaHelper n)

Usage

iota 5--> (1 :: 2 :: 3 :: 4 :: 5 :: Nil): Vect 5 Nat


Static Range Checking of Indices

data Fin : Nat -> Type whereFZ : {n: Nat} -> Fin (S n)FS : {n: Nat} -> Fin n -> Fin (S n)

Usage

i: Fin 2 = 0i: Fin 2 = 1--> compile fine

i: Fin 2 = 2--> compile error

FZ = 0FS FZ = 1

FS (FS FZ) = 2. . .


Safe Vector Access

index : Fin n -> Vect n a -> aindex FZ (x :: xs) = xindex (FS k) (x :: xs) = index k xs

Usage

myVect: Vect 2 Nat = 1 :: 2 :: Nil

index 1 myVect--> 2

index 2 myVect--> compile error

∀n > 1. Fin n

∀n > 2. Fin n


Safe Vector Access

index : Fin n -> Vect n a -> aindex FZ (x :: xs) = xindex (FS k) (x :: xs) = index k xs

Usage

myVect: Vect 2 Nat = 1 :: 2 :: Nil

index 1 myVect--> 2

index 2 myVect--> compile error

∀n > 1. Fin n

∀n > 2. Fin n


Converting Numbers to Indices

natToFin : (x: Nat) -> (n: Nat) -> Maybe (Fin n)natToFin Z (S j) = Just FZnatToFin (S k) (S j) with (natToFin k j)

| Just k' = Just (FS k')| Nothing = Nothing

natToFin _ Z = Nothing

Usage

natToFin 2 3--> Just 2: Maybe (Fin 3)

natToFin 3 3--> Nothing


Example Continuation: A “Real” Application

main : IO ()main = do {input <- getLinen: Nat = cast inputsquares = map (\x => x*x) (iota n)print squaresinput2 <- getLinei: Nat = cast input2case natToFin i n of

Just idx => print (index idx squares)Nothing => putStrLn "Number too large"

}


Cat


Limitations of Dependent Types in Idris

iotaTR : (n: Nat) -> Vect m Nat ->Vect (m+n) Nat

iotaTR Z acc = acciotaTR (S n) acc = iotaTR n (S n :: acc)

iota : (n: Nat) -> Vect n Natiota n = iotaTR n Nil

Type mismatch betweenVect m Nat (Type of acc)

and Vect (m + 0) Nat (Expected type)

Specifically: Type mismatch betweenm

and m + 0


Limitations of Dependent Types in Idris

iotaTR : (n: Nat) -> Vect m Nat ->Vect (m+n) Nat

iotaTR Z acc = acciotaTR (S n) acc = iotaTR n (S n :: acc)

iota : (n: Nat) -> Vect n Natiota n = iotaTR n Nil

Type mismatch betweenVect m Nat (Type of acc)

and Vect (m + 0) Nat (Expected type)

Specifically: Type mismatch betweenm

and m + 0


Why?

Huh?m 6=m+0?

Definition of +

Z + r = r(S l) + r = S (l + r)

ThusI 0+x= x is trivialI x+0 = x needs to be proven


Overcoming Limitations of Dependent Types in Idris

iotaTR : {m: Nat} -> (n: Nat) ->Vect m Nat -> Vect (m+n) Nat

iotaTR {m} n acc =case n ofZ =>

rewrite plusZeroRightNeutral min acc

(S n') =>rewrite sym (plusSuccRightSucc m n')in iotaTR n' (n :: acc)

iota : (n: Nat) -> Vect n Natiota n = iotaTR n []


Theorem Proving

plusSuccRightSucc : Claim(l : Nat) -> (r : Nat) -> ∀` ∈ N.∀r ∈ N.

S (l + r) = l + (S r) S(` + r) = ` + S(r)Induction Basis

plusSuccRightSucc Z r = S(0 + r) = 0 + S(r)refl follows from definition

Inductive StepplusSuccRightSucc (S l) r = S

(S(`) + r

)=Y

let inductiveHypot = Inductive HypothesisplusSuccRightSucc l r S(` + r) = ` + S(r)

in proof {

intros; YDef= S

(S(` + r)

)rewrite inductiveHypot;

IH= S(` + S(r)

)trivial; Def= S(`) + S(r)

}

0+ r = r

S(`)+ r = S(`+ r)


Theorem Proving

plusSuccRightSucc : Claim(l : Nat) -> (r : Nat) -> ∀` ∈ N.∀r ∈ N.

S (l + r) = l + (S r) S(` + r) = ` + S(r)Induction Basis

plusSuccRightSucc Z r = S(0 + r) = 0 + S(r)refl follows from definition

Inductive StepplusSuccRightSucc (S l) r = S

(S(`) + r

)=Y

let inductiveHypot = Inductive HypothesisplusSuccRightSucc l r S(` + r) = ` + S(r)

in proof {

intros; YDef= S

(S(` + r)

)rewrite inductiveHypot;

IH= S(` + S(r)

)trivial; Def= S(`) + S(r)

}

0+ r = r

S(`)+ r = S(`+ r)


Refinement Types

I Dependent ADTs cool, but cumbersomeI Combine types with predicatestype t2 = {x:t | p(x)}

I Automated SMT solver instead of manual theorem proving


Qube Types

Built-In TypesI Integers: intI Integer vectors: intvec nI Arrays: [elementType | shapeVector]

Usage

let i: int = 42let iv: intvec 3 = [13, 23, 42]let tensor: [int | [2, 2, 3] ] =

[ 1, 2, 3,4, 5, 6,

7, 8, 9,10, 11, 12

| [2, 2, 3] ]


Qube Types

Refinement Types

type nat = { i: int | 0 <= i }type index n:nat = { i: nat | i < n }

type natvec n:nat ={ iv: intvec n | ∀ i ∈ iv. 0 <= i }

type indexvec n:nat sv:(natvec n) ={ nv: natvec n | ∀ i,s ∈ nv,sv. i < s }


Qube Types

Usage

let n: nat = 42 -- Workslet n2: nat = -5 -- Error !(-5 >= 0)

let idx: index n = 41 -- Workslet idx2: index n = 43 -- Error !(43 < 42)

let shape: natvec 3 = [2,2,3] -- Workslet iv: indexvec 3 shape =[0, 1, 2] -- Works

let iv2: indexvec 3 shape =[2, 1, 0] -- Error !(2 < 2)

let iv3: indexvec 3 [3,2,2] =[2, 1, 0] -- Works


Safe Array Access

I Array access: array.[ iv ]

I array: [ T | shape ]

I iv: indexvec r shape where r is the length of shape

Usage

tensor.[ iv ] -- Workstensor.[ iv3 ] -- Error


Uniqueness Types

And now forsomethingcompletelydifferent. . .


Uniqueness Types

I Value can’t be used more than onceI Operations need to produce new value


Example: File Handling

type file

fopen(name: string): unique filefwrite(text:string, f: unique file): unique filefclose(f: unique file): void

Usage

let f = fopen("foo.txt")let f = fwrite(f, "bar")fclose(f)

fwrite(f, "baz")--> Error: f has already been consumed


Example: File Handling

type file

fopen(name: string): unique filefwrite(text:string, f: unique file): unique filefclose(f: unique file): void

Usage

let f = fopen("foo.txt")let f = fwrite(f, "bar")fclose(f)fwrite(f, "baz")--> Error: f has already been consumed


Conclusion

I Type systems turn wrong behavior into errorsI Static type systems turn run-time into compile-time errors

⇒ Cost: (sometimes) have to write down type informationI Advanced features catch even more errors at compile time

⇒ Cost: even more type information required


Outlook Express

What else can be guarenteed through types?I NullPointerExceptions through option typesI Validity of generated XML by translating XML schemas to type

hierachiesI SQL queries through row typesI Transactionality through monadsI Termination through dependent types & theorem proving


Documents

Advanced Features of Type Systems - Concepts of ... · Limitations of Dependent Types in Idris iotaTR: (n:Nat) ->VectmNat-> Vect(m+n)Nat iotaTRZacc=acc iotaTR(Sn)acc=iotaTRn(Sn::acc)