Subtype marks

1
Subtype marks

• Tamás Kozsik
• kto_at_elte.hu
• http//kto.web.elte.hu/
• Eötvös Loránd University, Budapest
• Central-European Functional Programming School
• Eötvös Loránd University, Budapest, Hungary
• 4-16 July, 2005

2
Contents

• Context
• Motivation
• Intuitive description of subtype marks
• Examples
• Discussion

3
Related topics at CEFP

• Time and safety critical applications (Kevin)
• Reason about programs (Máté)
• Refactor programs (Simon)
• Test programs (Pieter)

4
Fortune

• Beware of bugs in the above code I have only
  proved it correct, not tried it.
• (Donald Knuth)

5
Aims

• Safety critical applications
• Formal proof of correctness
• Reasoning about the code
• Theorem prover Type system
• Enyv Egyszeru NYelV
• Simple functional language
• Subtype marks

6
Proving correct

• Methodologies formal methods
• Program logics
• Formal semantics
• Software development tools
• Model checkers
• Proof systems
• Programming languages
• Alphard, Eiffel etc.

7
Invariant

• Widely used safety property
• Temporal logics
• Type invariant
• Property of legal values
• Restrict the type value set

8
Type systems?

• Uniqueness, strictness, concurrency
• Types with size information(Kevin Hammond /
  Hume)
• Types with shape information(Sven Bodo Scholz /
  SAC)
• Annotated types - invariants (Pieter Koopman,
  Diederik van Arkel)
• Dependent types

9
Motivation - 1

• fac Int -gt Int
• fac 0 1
• fac n n (fac (n-1))

10
Motivation - 2

• fac Int -gt Int
• fac n if (nlt0)
• (abort "Bad argument!")
• (f n)
• where f 0 1
• f n n (f (n-1))

11
Motivation - 3

• fac Int -gt Int
• // PRE only for non-negative arg.
• fac 0 1
• fac n n (fac (n-1))

12
Motivation - 4

• fac Nat -gt Nat
• fac 0 1
• fac n n (fac (n-1))

13
Motivation - 5

• fac IntN -gt IntN
• fac 0 1
• fac n n (fac (n-1))

14
Motivation - 6

• fac IntN -gt IntN
• fac 0 1
• fac n let nm1 IntN!,
• nm1 n-1
• in n (fac nm1)

15
Enyv

• Simple functional language
• Syntax similar to that of Clean
• Semantics graph rewrite systems
• Subtype marks
• Lets see some examples

16

• List a Nil Cons a (List a)
• Head List a -gt a
• Head (Cons x xs) x
• Tail List a -gt List a
• Tail (Cons x xs) xs
• Append List a -gt a -gt List a
• Append Nil x Cons x Nil
• Append (Cons y ys) x Cons y (Append ys x)
• Reverse List a -gt List a
• Reverse Nil Nil
• Reverse (Cons x xs) Append (Reverse xs) x

17

• Insert List Int -gt Int -gt List Int
• Insert Nil e Cons e Nil
• Insert ys(Cons x xs) e
• If (x lt e)
• (Cons x (Insert xs e))
• (Cons e ys)
• Sort List Int -gt List Int
• Sort Nil Nil
• Sort (Cons x xs) Insert (Sort xs) x

18

• Insert List Int -gt Int -gt List Int
• Insert Nil e Cons e Nil
• Insert (Cons x xs) e
• If (x lt e)
• (Cons x (Insert xs e))
• (Cons e (Cons x xs))
• Sort List Int -gt List Int
• Sort Nil Nil
• Sort (Cons x xs) Insert (Sort xs) x

19
Expressions and functions

• Expressions
• Variables
• Function and data constructor symbols
• Applications
• Let-expressions (recursive, let-rec)
• Functions
• Alternatives
• Pattern matching
• No block-structure, no modules, no macros

20
Types

• Algebraic type definitions
• Restricted parametric polymorphismtop-level
  universal quantification
• No existential quantification, no bounded
  polymorphism (type classes),no dynamics,no
  modules (no private types, no ADTs),no
  uniqueness,no generics

21
Subtype marks

• Type invariants
• Annotations attached to type constructors
• Richer type system
• Subtype polymorphism
• Connects the type system and a theorem prover

22
Non-empty lists C

• C List a ? true,false
• C(xs) (?y,ys xs Cons y ys)
• Definition used by a theorem prover
• Not used by the type system
• Denotational semantics for subtype marks

23
Non-empty lists C

• Nil gt List a
• Cons gt a -gt List a -gt ListC a
• Definition used by the type system
• Correctness proven by theorem prover
• Axiomatic semantics for subtype marks

24
Sorted lists S

• Nil gt ListS a
• Cons gt a -gt List a -gt List a
• Presence of subtype markthe value is known to
  have the property
• Absence of subtype markthe value is not known
  to have the property

25
Typing functions

• Preconditions
• Postconditions
• Propagation of properties

26
Precondition

• Head ListC a -gt a
• Head (Cons x xs) x
• Tail ListC a -gt List a
• Tail (Cons x xs) xs
• Useful for partial functions
• Not only for partial functions

27
Postconditions

• Append List a -gt a -gt ListC a
• Append Nil x Cons x Nil
• Append (Cons y ys) x Cons y (Append ys x)
• Head (Append x xs)

28
Pre- and postconditions

• fac IntN -gt IntN
• fac 0 1
• fac n let nm1 IntN!,
• nm1 n-1
• in n (fac nm1)

29
Propagation

• Reverse List a -gt List a
• Reverse ListC a -gt ListC a
• Reverse Nil Nil
• Reverse (Cons x xs) Append (Reverse xs) x
• More than one type
• Polymorphic notation?

30
Sorted lists

• Tail ListC a -gt List a
• Tail ListC,S a -gt ListS a
• Tail (Cons x xs) xs
• How to type this?

31
Data constructors

• Composition types expressions
• Decomposition types patterns
• Cons gt a -gt List a -gt ListC a
• Cons lt a -gt List a -gt ListC a
• Cons lt a -gt ListS a -gt ListC,S a

32
Typing Tail

• Cons lt a -gt List a -gt ListC a
• Cons lt a -gt ListS a -gt ListC,S a
• Tail ListC a -gt List a
• Tail ListC,S a -gt ListS a
• Tail (Cons x xs) xs

33
Subtype polymorphism

• Tail ListC a -gt List a
• Tail ListC,S a -gt ListS a
• Tail (Cons x xs) xs
• Tail ListC,S a -gt List a
• Tail ListC,S,X a -gt ListS a
• ...
• Weakening / subsumption

34
Why subtyping is needed?

• Reverse (Tail (Sort (Append xs x)))
• Append List a -gt a -gt ListC a
• Reverse List a -gt List a
• Reverse ListC a -gt ListC a
• Sort List Int -gt ListS Int
• Sort ListC Int -gt ListC,S Int
• Tail ListC a -gt List a
• Tail ListC,S a -gt ListS a
• Tail ListC,S a -gt List a

35
Variance

• Subtyping - substitution principle
• Co-variant return, contra-variant arguments
• Int -gt IntN Int -gt Int
• Int -gt Int IntN -gt Int
• IntN -gt IntN ? Int -gt Int

36
Subtyping is a partial order

• Reflexive, antisymmetric, transitive
• Int -gt IntN
• Int -gt Int IntN -gt IntN
• IntN -gt Int

37
Believe-me marks

• fac IntN -gt IntN
• fac 0 1
• fac n let nm1 IntN!,
• nm1 n-1
• in n (fac nm1)

38
Insertion sort

• Insert ListS Int -gt Int
• -gt ListS! Int
• Insert Nil e Cons e Nil
• Insert (Cons x xs) e
• If (x lt e ) (Cons x (Insert xs e))
• (Cons e (Cons x xs))
• Sort List Int -gt ListS Int
• Sort Nil Nil
• Sort (Cons x xs) Insert (Sort xs) x

39
Typing Sort

• Nil gt ListS a
• Insert ListS Int -gt Int
• -gt ListS! Int
• Sort List Int -gt ListS Int
• Sort Nil Nil
• Sort (Cons x xs) Insert (Sort xs) x

Recursion!
40
Typing Insert?

• Insert ListS Int -gt Int
• -gt ListS! Int
• Insert Nil e Cons e Nil
• Insert (Cons x xs) e
• If (x lt e ) (Cons x (Insert xs e))
• (Cons e (Cons x xs))
• Need the formula associated to S
• Need a theorem prover

41
Formula associated to S

• The list is sorted
• Sorted Nil True
• Sorted (Cons x Nil) True
• Sorted (Cons x xs(Cons y ys))
• x lt y Sorted xs

42
Proving Insert correct

• Insert ListS Int -gt Int
• -gt ListS! Int
• Sorted(xs) ? Sorted(Insert xs e)
• Sparkle
• (Sorted xs False) -gt
• (Sorted (Insert xs e) False)

43
Undefined

• Cons 1 (Cons 2 (Cons 3
• Cons 1/0 Nil
• Partially undefined values - laziness
• What if Sorted would be a partial function?
• Partial correctness

44
Polymorphic subtype marks

• Propagation of properties
• Reverse List a -gt List a
• Reverse ListC a -gt ListC a
• Reverse Nil Nil
• Reverse (Cons x xs) Append (Reverse xs) x
• Subtype mark variable
• Reverse ListpC a -gt ListpC a

45
Subtype mark variables

• Tail ListC,pS a -gt ListpS a
• Sort ListpC Int
• -gt ListpC,S Int
• Cons lt a -gt ListpS a
• -gt ListC,pS a

46
Complex numbers

• Complex Cart Real Real // Cartesian
• Polar Real Real // Polar
• Cart gt Real -gt Real -gt ComplexCart
• Cart lt Real -gt Real -gt ComplexCart
• Polar gt Real -gt Real -gt ComplexPolar
• Polar lt Real -gt Real -gt ComplexPolar

47
Complex numbers conversions

• polar Complex -gt ComplexPolar!
• polar (Cart re im)
• let delta if (imlt0.0) 1.0 0.0
• in Polar (sqrt (rere imim))
• ( (atan (im/re)) deltaPi )
• polar c c
• cart Complex -gt ComplexCart!
• cart (Polar r phi)
• Cart (r (cos phi)) (r (sin phi))
• cart c c

48
Complex numbers Cartesian

• addCC ComplexCart -gt ComplexCart
• -gt ComplexCart
• addCC (Cart re1 im1) (Cart re2 im2)
• Cart (re1re2) (im1im2)
• Similarly subCC, mulCC, divCC
• conjugate ComplexCart -gt ComplexCart
• conjugate (Cart re im) Cart re (0.0-im)

49
Complex numbers polar

• mulCP ComplexPolar -gt ComplexPolar
• -gt ComplexPolar
• mulCP (Polar r1 phi1) (Polar r2 phi2)
• Polar (r1r2) (phi1phi2)
• Similarly divCP
• absCP ComplexPolar -gt Real
• absCP (Polar r phi) r
• powCP ComplexPolar -gt Real
• -gt Complex(Polar)
• powCP (Polar r phi) x Polar (rx) (xphi)

50
Complex numbers full domain

• addC Complex -gt Complex
• -gt ComplexCart
• addC c1 c2 addCC (cart c1) (cart c2)
• mulC ComplexpPolar,cCart
• -gt ComplexpPolar,cCart
• -gt ComplexpPolar,cCart!
• mulC (Cart re1 im1) (Cart re2 im2)
• mulCC (Cart re1 im1) (Cart re2 im2)
• mulC c1 c2 mulCP (polar c1) (polar c2)

51
Integer numbers

• Example introducing a new conceptinequalities
• Strange algebraic representation
• Not efficient
• Enyv built-in type Int

52

• Integer Zero Succ Integer Pred Integer
• Add Zero y y
• Add (Succ x) y Add x (Succ y)
• Add (Pred x) y Add x (Pred y)
• Minus Zero Zero
• Minus (Succ x) Pred (Minus x)
• Minus (Pred x) Succ (Minus x)
• Substract x y Add x (Minus y)
• Multiply Zero y Zero
• Multiply (Succ x) y Add (Multiply x y) y
• Multiply (Pred x) y Substract (Multiply x y) y

53
Can and Nat

• Representation not surjective
• Integer Zero
• Succ Integer
• Pred Integer
• Canonical representation - Can
• built from Zero and (Succ xor Pred)
• Natural numbers - Nat

Succ (Pred Zero) Zero
54

• Canonic Integer -gt IntegerCan!
• Canonic x
• let pair CollectSuccPred x Zero Zero
• in Simplify (Fst pair) (Snd pair)
• CollectSuccPred Zero pos neg Pair pos neg
• CollectSuccPred (Succ x) pos neg
• CollectSuccPred x (Succ pos) neg
• CollectSuccPred (Pred x) pos neg
• CollectSuccPred x pos (Pred neg)
• Simplify Zero neg neg
• Simplify (Succ x) neg TryToSimplify neg x
• TryToSimplify Zero pos Succ pos
• TryToSimplify (Pred x) pos Simplify pos x

55

• Factorial x FactorialC (Canonic x)
• FactorialC Zero Succ Zero
• FactorialC (Succ x) Multiply (Succ x)
• (FactorialC x)
• Abs x AbsC (Canonic x)
• AbsC (Pred x) Succ (AbsC x)
• AbsC x x
• Less x y IsNegative (Compare x y)
• IsNegative IntegerCan -gt Boolean
• IsNegative (Pred x) True
• IsNegative x False
• Compare Integer -gt Integer -gt IntegerCan
• Compare x y Canonic (Substract x y)

56
Factorial

• Factorial IntegerNat -gt IntegerCan,Nat
• Factorial x FactorialC (Canonic x)
• FactorialC IntegerCan,Nat
• -gt IntegerCan,Nat
• FactorialC Zero Succ Zero
• FactorialC (Succ x) Multiply (Succ x)
• (FactorialC x)

57
Zero, Succ and Pred

• Integer Zero
• Succ Integer
• Pred Integer
• Zero gt IntegerCan,Nat
• Zero lt IntegerCan,Nat
• Pred gt Integer -gt Integer
• Pred lt IntegercCan,nNat
• -gt IntegercCan,nNat
• Succ gt IntegercCan,nNat
• -gt IntegerxCan,nNat (x,c) (x,n)
• Succ lt IntegercCan,cNat
• -gt IntegercCan,nNat

58
Decomposition type of Pred

• Pred lt IntegercCan,nNat
• -gt IntegercCan,nNat
• Pred lt Integer
• -gt Integer
• Pred lt IntegerNat
• -gt IntegerNat
• Pred lt IntegerCan
• -gt IntegerCan
• Pred lt IntegerCan,Nat
• -gt IntegerCan,Nat

Impossible!
59
Decomposition type of Succ

• Succ lt IntegercCan,cNat
• -gt IntegercCan,nNat
• Succ lt Integer
• -gt Integer
• Succ lt Integer
• -gt IntegerNat
• Succ lt IntegerCan,Nat
• -gt IntegerCan
• Succ lt IntegerCan,Nat
• -gt IntegerCan,Nat

Danger Succ (Pred Zero)
60
Composition type of Succ

• Succ gt IntegercCan,nNat
• -gt IntegerxCan,nNat (x,c) (x,n)
• Succ gt Integer
• -gt Integer
• Succ gt IntegerNat
• -gt IntegerNat
• Succ gt IntegerCan,Nat
• -gt IntegerCan,Nat

61
Inequalities

• Constraints on subtype mark variables
• Higher expressiveness
• (x,y)x requires yx can only be true if y is
  true, as well
• General technique to handle subtyping
• Uniqueness
• Hume

62
Add and Multiply

• Add IntegercCan,nNat
• -gt IntegercCan,nNat
• -gt IntegerxCan!,nNat! (x,c) (x,n)
• Add Zero y y
• Add (Succ x) y Add x (Succ y)
• Add (Pred x) y Add x (Pred y)
• Multiply has the same type

63
Factorial revisited

• Factorial IntegerNat -gt IntegerCan,Nat
• Factorial x FactorialC (Canonic x)
• FactorialC IntegerCan,Nat
• -gt IntegerCan,Nat
• FactorialC Zero Succ Zero
• FactorialC (Succ x) Multiply (Succ x)
• (FactorialC x)

Follows from the type of Multiply
64
Programming languages issues

• Interference with other concepts
• Type checking and type inference
• Logical connectives versus inequalities
• Specialization based on subtype marks

65
Logical connectives

• Would be natural to use (or, and, not)
• Higher complexity? (NP-hard?)
• Expressiveness?
• mulC ComplexpPolar,cCart
• -gt ComplexpPolar,cCart
• -gt ComplexpPolar,cCart
• mulC Complexp1Polar,cCart
• -gt Complexp2Polar,cCart
• -gt Complexp1p2Polar,cCart!

66
Specialization based on subtype marks

• FactorialC IntegerCan,Nat
• -gt IntegerCan,Nat
• Factorial IntegerNat
• -gt IntegerCan,Nat
• Factorial x FactorialC (Canonic x)
• Factorial IntegerCan,Nat
• -gt IntegerCan,Nat
• Factorial x FactorialC x

67
Software engineering issues

• Prototype compiler?
• Building into a real language
• IDE support
• Aspect-oriented approach
• Interactive compiler
• Theorem prover versus runtime checks

68
Dynamics and CPPCC

• Dynamics
• Mobile code carrying its own type
• Type checked (pattern matched) at consumer
• Certified-Proven-Properties-Carrying Code
• Mobile code carrying its specification(Property
  Certificate about proof)
• Property matched against requirements at consumer
• Subtype marks in between

69
Conclusions

• Simple and natural extention to type systems
• Connection to theorem provers
• Partial correctness of programs
• Library of functions with proven properties
• Several similar approaches
• Some are for specific properties
• Some are more expressive, but more complex
• Still many open questions

70
Homework

• Complex Cart Real Real
• Polar Real Real
• Both Real Real Real Real
• Both gt Real -gt Real -gt Real -gt Real
• -gt ComplexCart,Polar

71
Abs

• Abs Integer -gt IntegerCan,Nat
• Abs x AbsC (Canonic x)
• AbsC IntegerCan -gt IntegerCan,Nat!
• AbsC (Pred x) Succ (AbsC x)
• AbsC x x