\begin{code}
{-@ LIQUID "--no-termination" @-}
module SimpleRefinements where
import Language.Haskell.Liquid.Prelude
import Prelude hiding (abs, max)
-- boring haskell type sigs
zero :: Int
zero' :: Int
safeDiv :: Int -> Int -> Int
abs :: Int -> Int
nats :: L Int
range :: Int -> Int -> L Int
\end{code}
Simple Refinement Types
=======================
Types + Predicates
------------------
Example: Integers equal to `0`
------------------------------
\begin{code}
{-@ type Zero = {v:Int | v = 0} @-}
{-@ zero :: Zero @-}
zero = 0
\end{code}
Refinement types via special comments `{-@ ... @-}`
Demo
Refinements Are Predicates
==========================
From A Decidable Logic
----------------------
1. Expressions
2. Predicates
**Refinement Logic: QF-UFLIA**
Quant.-Free. Uninterpreted Functions and Linear Arithmetic
Expressions
-----------
\begin{spec}
e := x, y, z,... -- variable
| 0, 1, 2,... -- constant
| (e + e) -- addition
| (e - e) -- subtraction
| (c * e) -- linear multiplication
| (f e1 ... en) -- uninterpreted function
\end{spec}
Predicates
----------
\begin{spec}
p := e -- atom
| e1 == e2 -- equality
| e1 < e2 -- ordering
| (p && p) -- and
| (p || p) -- or
| (not p) -- negation
\end{spec}
Refinement Types
----------------
\begin{spec}
b := Int
| Bool
| ... -- base types
| a, b, c -- type variables
t := {x:b | p} -- refined base
| x:t -> t -- refined function
\end{spec}
Subtyping Judgment
------------------
$$\boxed{\Gamma \vdash t_1 \preceq t_2}$$
Where **environment** $\Gamma$ is a sequence of binders
$$\Gamma \defeq \overline{\bindx{x_i}{t_i}}$$
Hence, we can type:
\begin{code}
{-@ zero' :: Nat @-}
zero' = zero -- zero :: Zero <: Nat
\end{code}
Contracts: Function Types
=========================
{#as}
------
Pre-Conditions
--------------
\begin{code}
safeDiv n d = n `div` d -- crashes if d==0
\end{code}
**Requires** non-zero input divisor `d`
\begin{code}
{-@ type NonZero = {v:Int | v /= 0} @-}
\end{code}
Specify pre-condition as **input type**
\begin{code}
{-@ safeDiv :: n:Int -> d:NonZero -> Int @-}
\end{code}
Precondition: `safeDiv`
-----------------------
Specify pre-condition as **input type**
\begin{spec}
{-@ safeDiv :: n:Int -> d:NonZero -> Int @-}
\end{spec}
Precondition is checked at **call-site**
\begin{code}
{-@ bad :: Nat -> Int @-}
bad n = 10 `safeDiv` n
\end{code}
Precondition: `safeDiv`
-----------------------
Specify pre-condition as **input type**
\begin{spec}
{-@ safeDiv :: n:Int -> d:NonZero -> Int @-}
\end{spec}
Precondition is checked at **call-site**
\begin{code}
{-@ ok :: Nat -> Int @-}
ok n = 10 `safeDiv` (n+1)
\end{code}
Precondition: `safeDiv`
-----------------------
Specify pre-condition as **input type**
\begin{spec}
{-@ safeDiv :: n:Int -> d:NonZero -> Int @-}
\end{spec}
Precondition is checked at **call-site**
\begin{spec}
{-@ ok :: Nat -> Int @-}
ok n = 10 `safeDiv` (n+1)
\end{spec}
**Verifies As**
$$(0 \leq n) \Rightarrow (v = n+1) \Rightarrow (v \not = 0)$$
Post-Conditions
---------------
**Ensures** output is a `Nat` greater than input `x`.
\begin{code}
abs x | 0 <= x = x
| otherwise = 0 - x
\end{code}
Specify post-condition as **output type**
\begin{code}
{-@ abs :: x:Int -> {v:Nat | x <= v} @-}
\end{code}
**Dependent Function Types**
Outputs *refer to* inputs
Postcondition: `abs`
--------------------
Specify post-condition as **output type**
\begin{spec}
{-@ abs :: x:Int -> {v:Nat | x <= v} @-}
abs x | 0 <= x = x
| otherwise = 0 - x
\end{spec}
Postcondition is checked at **return-site**
Postcondition: `abs`
--------------------
Specify post-condition as **output type**
\begin{spec}
{-@ abs :: x:Int -> {v:Nat | x <= v} @-}
abs x | 0 <= x = x
| otherwise = 0 - x
\end{spec}
**Verified As**
$$\begin{array}{rll}
\bindx{x}{\Int},\bindx{\_}{0 \leq x} & \vdash \reftx{v}{v = x} & \subty \reftx{v}{0 \leq v \wedge x \leq v} \\
\bindx{x}{\Int},\bindx{\_}{0 \not \leq x} & \vdash \reftx{v}{v = 0 - x} & \subty \reftx{v}{0 \leq v \wedge x \leq v} \\
\end{array}$$
Postcondition: `abs`
--------------------
Specify post-condition as **output type**
\begin{spec}
{-@ abs :: x:Int -> {v:Nat | x <= v} @-}
abs x | 0 <= x = x
| otherwise = 0 - x
\end{spec}
**Verified As**
$$\begin{array}{rll}
(0 \leq x) & \Rightarrow (v = x) & \Rightarrow (0 \leq v \wedge x \leq v) \\
(0 \not \leq x) & \Rightarrow (v = 0 - x) & \Rightarrow (0 \leq v \wedge x \leq v) \\
\end{array}$$
{#inference}
=============
From Checking To Inference
--------------------------
**So far**
How to **check** code against given signature
**Next**
How to **infer** signatures from code
From Checking To Inference
--------------------------
Step 3. Solve (`abs`)
---------------------
Least-fixpoint over abstract domain
**Predicate Abstraction**
Conjunction of predicates from (finite) ground set $\quals$
+ Obtain $\quals$ via CEGAR
+ Or use other domains
[[Houdini](http://dl.acm.org/citation.cfm?id=730008), [HMC](http://goto.ucsd.edu/~rjhala/papers/hmc.html)]
Recipe Scales Up
----------------
**1. Templates** $\rightarrow$ **2. Horn Constraints** $\rightarrow$ **3. Fixpoint**
+ Define type *checker* and get *inference* for free
+ Scales to Collections, HOFs, Polymorphism
**Next:** Collections
{#universalinvariants}
=======================
Types = Universal Invariants
----------------------------
(Notoriously hard with *pure* SMT)
Types Yield Universal Invariants
================================
Example: Lists
--------------
\begin{code}
infixr `C`
\end{code}
\begin{code}
data L a = N -- Empty
| C a (L a) -- Cons
\end{code}
How to **specify** every element in `nats` is non-negative?
\begin{code}
nats = 0 `C` 1 `C` 3 `C` N
\end{code}
Example: Lists
--------------
How to **specify** every element in `nats` is non-negative?
\begin{spec}
nats = 0 `C` 1 `C` 2 `C` N
\end{spec}
**Logic**
$$\forall x \in \mathtt{nats}. 0 \leq x$$
VCs over **quantified formulas** ... *challenging* for SMT
Example: Lists
--------------
How to **specify** every element in `nats` is non-negative?
\begin{spec}
nats = 0 `C` 1 `C` 2 `C` N
\end{spec}
**Refinement Types**
\begin{code}
{-@ nats :: L Nat @-}
\end{code}
+
Type *implicitly* has quantification
+
Sub-typing *eliminates* quantifiers
+
Robust verification via *quantifier-free* VCs
Example: Lists
--------------
How to **verify** ?
\begin{spec}
{-@ nats :: L Nat @-}
nats = l0
where
l0 = 0 `C` l1 -- Nat `C` L Nat >>> L Nat
l1 = 1 `C` l2 -- Nat `C` L Nat >>> L Nat
l2 = 2 `C` l3 -- Nat `C` L Nat >>> L Nat
l3 = N -- L Nat
\end{spec}
Example: `range`
----------------
`(range i j)` returns `Int`s **between** `i` and `j`
Example: `range`
----------------
`(range i j)` returns `Int`s **between** `i` and `j`
\begin{code}
{-@ type Btwn I J = { v:_ | I<=v && v
\begin{code}
{-@ range :: i:Int -> j:Int -> L (Btwn i j) @-}
range i j = go i
where
go n | n < j = n `C` go (n + 1)
| otherwise = N
\end{code}
**Note:** Type of `go` is automatically inferred
Example: Indexing Into List
---------------------------
\begin{code}
(!) :: L a -> Int -> a
(C x _) ! 0 = x
(C _ xs) ! i = xs ! (i - 1)
_ ! _ = liquidError "Oops!"
\end{code}
(Mouseover to view type of `liquidError`)
To ensure safety, *require* `i` between `0` and list **length**
Need way to **measure** the length of a list [[continue...]](02_Measures.lhs.slides.html)