--- layout: post title: "Termination Checking" date: 2013-11-18 16:12 comments: true external-url: categories: termination author: Niki Vazou published: false demo: Termination.hs --- If you used liquidHaskell lately, you may have noticed some type errors that just make no sense. Well, that is not a bug, but a ... **termination checker** failing to prove that your function terminates. In this post, we present how you can use liquidHaskell to prove termination on simple recursive functions and explain why termination is required for sound type checking. Of course liquidHaskell would be useless if it required that all your functions do terminate. Instead, it just requires that non-terminating functions return unrefined results. We will shortly explain how one can turn off termination checking while preserve sound type checking. \begin{code} module Termination where import Prelude hiding (sum, (!!), repeat) import Data.List (lookup) import Data.Maybe (fromJust) import Language.Haskell.Liquid.Prelude (liquidAssert) \end{code} Termination Check with Refinement Types --------------------------------------- Consider a `Vec`tor that maps `Int`egers to `Val`ues: \begin{code} type Val = Int data Vec = V [(Int, Val)] (!!) :: Vec -> Int -> Val (V a) !! i = case i `lookup` a of {Just v -> v; _ -> 0} \end{code} Let `sum a i` add the `i` first elements of the vector `a`: \begin{code} sum :: Vec -> Int -> Val sum a 0 = 0 sum a i = (a !! (i-1)) + sum a (i-1) \end{code} Does `sum` terminate? We observe that if `i` is not `0` then `sum i` will call `sum (i-1)`, otherwise it will return. This reasoning suffices to convince ourselves that `sum i` terminates for every natural number `i`. Formally, we shown that `sum` terminates because a *well-founded metric* (i.e., the natural number `i`) is decreasing at each iteration. Thus, to ensure termination it suffices to restrict `i` on Natural numbers, which we can do with a liquid-type signature. \begin{code} {-@ sum :: Vec -> Nat -> Val @-} \end{code} LiquidHaskell will apply the same reasoning to prove `sum` terminates: Conventionally, to typecheck `sum` we would check the body assuming an environment `a:Vec`, `i:Nat`, `sum:Vec -> Nat -> Val` Instead, we *weaken* the environment to `a:Vec`, `i:Nat`, `sum:Vec -> {v:Nat| v < i} -> Val` Now, the type of `sum` stipulates that it *only* be recursively called with `Nat` (so well-founded) values that are *strictly less than* the current parameter `i`. Since its body typechecks in this environment, `sum` terminates for every `i` on `Nat`s. Choosing the correct argument ----------------------------- We saw that liquidHaskell can happily check that a Natural number is decreasing at each iteration; but it uses a naïve heuristic to choose which one. For this post we can assume that it always chooses *the first* Integer. So, a tail-recursive implementation of `sum`: \begin{code} {-@ sum' :: Vec -> Val -> Nat -> Val @-} sum' :: Vec -> Val -> Int -> Val sum' a acc 0 = acc + a!!0 sum' a acc i = sum' a (acc + a!!i) (i-1) \end{code} will fail, as liquidHaskell wants to prove that the `acc`umulator is the `Nat`ural number that decreases at each iteration. \begin{code}The remedy is simple. We can direct liquidHaskell to the correct argument `i` using a `Decrease` annotation: {-@ Decrease sum' 3 @-} \end{code} which directs liquidHaskell to check whether the *third* argument (i.e., `i`) is decreasing. With this hint, liquidHaskell will happily verify that `sum'` is indeed a terminating function. Lexicographic Termination ------------------------- Lets complicate the things a little bit. To do so, lets compute the `sum` of a 2D `Vec`tor: \begin{code} data Vec2D = V2D [((Int, Int), Val)] (!!!) :: Vec2D -> (Int,Int) -> Val (V2D a) !!! i = case i `lookup` a of {Just v -> v; _ -> 0} \end{code} Now we write a `sum2D a n m` function that computes the sum of the first `(n+1) (m+1)` elements of `a` \begin{code} {-@ sum2D :: Vec2D -> Nat -> Nat -> Val @-} sum2D :: Vec2D -> Int -> Int -> Val sum2D a n m = go n m where {-@ Decrease go 1 2 @-} go 0 0 = 0 go i j | j == 0 = a!!!(i, 0) + go (i-1) m | otherwise = a!!!(i, j) + go i (j-1) \end{code} Here there is no decreasing argument, if `j>0`, `j` decreases (line `139`), otherwise `i` decreases (line `138`). Though, liquidHaskell succeed in verifying that `sum2D` terminates and the reason is our `Decrease go 1 2` annotation. This annotation informs the tool that the decreasing measure is the *lexicographically ordered* pair `[i,j]`. LiquidHaskell will verify that this pair is indeed decreasing: at each iteration either `i` decreases (line `138`) or `i` remains the same and `j` decreases (line `139`). \begin{code}An alternative annotation to express the above decreasing measure is: {-@ go :: i:Nat -> j:Nat -> Val / [i, j] @-} \end{code} where after the type signature for `go` we write the list of lexicographic decreasing *expressions*. This mechanism, as we shall see, allows us to prove termination in functions where the decreasing measure in a *function* of the arguments. Decreasing expressions ---------------------- Back to our `1D` Vector, we now define a function `sumFromTo a lo hi` that sums the elements form `a!!lo` to `a!!hi`: \begin{code} {-@ sumFromTo :: Vec -> lo:Nat -> hi:{v:Nat|v>=lo} -> Val @-} sumFromTo :: Vec -> Int -> Int -> Val sumFromTo a lo hi = go lo hi where {-@ go :: lo:Nat -> hi:{v:Nat|v>=lo} -> Val / [hi-lo] @-} go lo hi | lo == hi = a!!lo | otherwise = a!!lo + go (lo+1) hi \end{code} No argument is decreasing in this function, but still it does terminate, as at each iteration `lo` is increased and execution will terminate when `lo` reaches `hi`. Here the decreasing measure is the expression `hi-lo`. LiquidHaskell has no way to generate such a measure, but, if the user generates it, i.e., by annotating `go`'s signature, liquidHaskell will happily check that `lo-hi` is indeed a well-founded measure (as it is a natural number) that decreases at each iteration. Powered with decreasing expressions and the `Decrease` hint, we can prove termination on a great number of functions ranging from ones defined on recursive data structures to mutual recursive ones. Of course, we can never prove termination on non-terminating functions that naturally exist on haskell source code. So, we postpone proving termination on more interesting functions and instead lets see how and when you can safely turn termination check off. Why is Termination Analysis Required ------------------------------------- Consider a no-terminating function: \begin{code} {-@ foo :: Int -> {v:Int | false} @-} foo :: Int -> Int foo n = foo n \end{code} According to the *partial correctness property* the type signature for `foo` means that any value `foo` returns will satisfy the result refinement `false`. Since `foo` never returns, it can return *none* value, thus it trivially satisfies its type. Now, in an environment where `false` (i.e., `foo`'s result) exists, liquidHaskell can prove anything, even the contradiction `0==1`: \begin{code} prop = liquidAssert ((\_ -> 0==1) (foo 0)) \end{code} This is totally valid under *eager* evaluation, where to execute the assertion one should first compute the argument `foo 0` which never returns. But, it is not valid under haskell's *lazy* semantics where execution ignores the unused argument, and fails. From the above discussion we see that partial correctness is not enough to verify Haskell's lazy code. To restore soundness we require *total correctness*, or that each function terminates. This explains why termination checking is set as default to liquidHaskell (as is in many other verifiers, like Coq or Agda.) Turning off Termination Checking -------------------------------- Of course, you cannot prove termination of functions like `repeat` \begin{code} {-@ repeat :: a -> [a] @-} repeat :: a -> [a] repeat a = a : repeat a \end{code} Instead, you can mark `repeat` as `Lazy` to disable termination for these functions: \begin{code} {-@ Lazy repeat @-} \end{code} But, be careful! By marking a function as `Lazy` *you* also guarantee that *the result type cannot contain inconsistencies*. In our previous example, liquidHaskell typechecked the unsafe `prop`, just because we marked `foo` (who's return type contains inconsistency) as `Lazy` \begin{code} {-@ Lazy foo @-} \end{code} Even though it is hard to decide if a type can contain inconsistencies, trivially *unrefined types* (or types refined to `true`) cannot ever be resolved to `false`. In other words, it is always safe to mark as `Lazy` functions with unrefined result. \begin{code} Finally, you have the option to totally disable termination checking, using the `no-termination` flag: {-@ LIQUID "--no-termination" @-} \end{code} Conclusion ---------- In this post, - We saw how to use liquidHaskell to prove termination of simple recursive functions, and - We learned why termination is required for sound type checking and when it is safe to deactivate it. Termination checking may sound a big demand, but soon we will see that liquidHaskell is powerful enough to prove termination on a great number of functions