Decouple Invariants From Data {#recursive}
==========================================
{#asd}
-------
Recursive Structures
--------------------
Lets see another example of decoupling...
\begin{code}
{-# LANGUAGE NoMonomorphismRestriction #-}
module List (insertSort) where
{-@ LIQUID "--no-termination" @-}
mergeSort :: Ord a => [a] -> [a]
insertSort :: (Ord a) => [a] -> L a
slist :: L Int
slist' :: L Int
iGoUp, iGoDn, iDiff :: [Int]
infixr `C`
\end{code}
Decouple Invariants From Recursive Data
=======================================
Recall: Lists
-------------
\begin{code}
data L a = N
| C { hd :: a, tl :: L a }
\end{code}
Recall: Refined Constructors
----------------------------
Define **increasing** Lists with strengthened constructors:
\begin{code}
data L a where
N :: L a
C :: hd:a -> tl: L {v:a | hd <= v} -> L a
\end{code}
Problem: Decreasing Lists?
--------------------------
What if we need *both* [increasing *and* decreasing lists?](http://hackage.haskell.org/package/base-4.7.0.0/docs/src/Data-List.html#sort)
[Separate (indexed) types](http://web.cecs.pdx.edu/~sheard/Code/QSort.html) get quite complicated ...
Abstract That Refinement!
-------------------------
\begin{code}
{-@ data L a a -> Prop>
= N
| C { hd :: a, tl :: L
a
} @-}
\end{code}
`p` is a **binary relation** between two `a` values
Definition relates `hd` with **all** the elements of `tl`
Recursive: `p` holds for **every pair** of elements!
Example
-------
Consider a list with *three* or more elements
\begin{code}
x1 `C` x2 `C` x3 `C` rest :: L a
\end{code}
Example: Unfold Once
--------------------
\begin{code}
x1 :: a
x2 `C` x3 `C` rest :: L
a
\end{code}
Example: Unfold Twice
---------------------
\begin{code}
x1 :: a
x2 :: a
x3 `C` rest :: L
a
\end{code}
Example: Unfold Thrice
----------------------
\begin{code}
x1 :: a
x2 :: a
x3 :: a
rest :: L
a
\end{code}
Note how `p` holds between **every pair** of elements in the list.
A Concrete Example
------------------
That was a rather *abstract*!
How can we *use* fact that `p` holds between *every pair*?
**Instantiate** `p` with a *concrete* refinement
Example: Increasing Lists
-------------------------
**Instantiate** `p` with a *concrete* refinement
\begin{code}
{-@ type IncL a = L <{\hd v -> hd <= v}> a @-}
\end{code}
Refinement says: `hd` less than **every** `v` in tail,
i.e., `IncL` denotes **increasing** lists.
Example: Increasing Lists
-------------------------
LiquidHaskell *verifies* that `slist` is indeed increasing...
\begin{code}
{-@ slist :: IncL Int @-}
slist = 1 `C` 6 `C` 12 `C` N
\end{code}
... and *protests* that `slist'` is not:
\begin{code}
{-@ slist' :: IncL Int @-}
slist' = 6 `C` 1 `C` 12 `C` N
\end{code}
Insertion Sort
--------------
\begin{code}
{-@ insertSort :: (Ord a) => [a] -> IncL a @-}
insertSort = foldr insert N
insert y N = y `C` N
insert y (x `C` xs)
| y < x = y `C` (x `C` xs)
| otherwise = x `C` insert y xs
\end{code}
(Mouseover `insert` to see inferred type.)
Checking GHC Lists
------------------
Demo:
Above applies to GHC's List definition:
\begin{code}
data [a] a -> Prop>
= []
| (:) { h :: a, tl :: [a
]
}
\end{code}
Checking GHC Lists
------------------
Increasing Lists
\begin{code}
{-@ type Incs a = [a]<{\h v -> h <= v}> @-}
{-@ iGoUp :: Incs Int @-}
iGoUp = [1,2,3]
\end{code}
Checking GHC Lists
------------------
Decreasing Lists
\begin{code}
{-@ type Decs a = [a]<{\h v -> h >= v}> @-}
{-@ iGoDn :: Decs Int @-}
iGoDn = [3,2,1]
\end{code}
Checking GHC Lists
------------------
Duplicate-free Lists
\begin{code}
{-@ type Difs a = [a]<{\h v -> h /= v}> @-}
{-@ iDiff :: Difs Int @-}
iDiff = [1,3,2]
\end{code}
Checking GHC Lists
------------------
Now we can check all the usual list sorting algorithms
Demo: List Sorting
Phew!
-----
Lets see one last example...
[[Skip]](#/1/32)
Example: Binary Trees
---------------------
... `Map` from keys of type `k` to values of type `a`
Implemented, in `Data.Map` as a binary tree:
\begin{code}
data Map k a = Tip
| Bin Size k a (Map k a) (Map k a)
type Size = Int
\end{code}
Two Abstract Refinements
------------------------
- `l` : relates root `key` with `left`-subtree keys
- `r` : relates root `key` with `right`-subtree keys
\begin{code}
{-@ data Map k a < l :: k -> k -> Prop
, r :: k -> k -> Prop >
= Tip
| Bin (sz :: Size) (key :: k) (val :: a)
(left :: Map (k) a)
(right :: Map (k) a) @-}
\end{code}
Ex: Binary Search Trees
-----------------------
Keys are *Binary-Search* Ordered
\begin{code}
{-@ type BST k a =
Map <{\r v -> v < r },
{\r v -> v > r }>
k a @-}
\end{code}
Ex: Minimum Heaps
-----------------
Root contains *minimum* value
\begin{code}
{-@ type MinHeap k a =
Map <{\r v -> r <= v},
{\r v -> r <= v}>
k a @-}
\end{code}
Ex: Maximum Heaps
-----------------
Root contains *maximum* value
\begin{code}
{-@ type MaxHeap k a =
Map <{\r v -> r >= v},
{\r v -> r >= v}>
k a @-}
\end{code}
Example: Data.Map
-----------------
Standard Key-Value container
- 1300+ non-comment lines
- `insert`, `split`, `merge`,...
- Rotation, Rebalance,...
SMT & inference crucial for [verification](https://github.com/ucsd-progsys/liquidhaskell/blob/master/benchmarks/esop2013-submission/Base.hs)
Recap: Abstract Refinements
---------------------------
Decouple invariants from **functions**
+ `max`
+ `loop`
+ `foldr`
Decouple invariants from **data**
+ `Vector`
+ `List`
+ `Tree`
Recap
-----
1. Refinements: Types + Predicates
2. Subtyping: SMT Implication
3. Measures: Strengthened Constructors
4. **Abstract:** Refinements over functions and data
5. Er, what about Haskell's **lazy evaluation**?
[[continue...]](09_Laziness.lhs.slides.html)