programming with dependent types passing fad or useful
play

Programming with dependent types: passing fad or useful tool? - PowerPoint PPT Presentation

Dec 04, 2023 •362 likes •585 views

Programming with dependent types: passing fad or useful tool? Xavier Leroy INRIA Paris-Rocquencourt IFIP WG 2.8, 2009-06 X. Leroy (INRIA) Dependently-typed programming 2009-06 1 / 22 Dependent types In a very general sense: all frameworks

  1. Programming with dependent types: passing fad or useful tool? Xavier Leroy INRIA Paris-Rocquencourt IFIP WG 2.8, 2009-06 X. Leroy (INRIA) Dependently-typed programming 2009-06 1 / 22

  2. Dependent types In a very general sense: all frameworks enabling programmers to Write functional programs; State logical properties about them; Prove these properties with machine assistance. Examples: most proof assistants (HOL, Isabelle/HOL, Coq, Agda, . . . ) Unquestionably a Very Very Good Thing. X. Leroy (INRIA) Dependently-typed programming 2009-06 2 / 22

  3. Dependent types In a narrower sense: all frameworks enabling programmers to Include logical propositions within data and function types; Include proof terms within data and functions. Foundations: Martin-L¨ of’s type theory. Examples: Coq, Agda, Epigram (general); Dependent ML (restricted). This talk: an experience report on using / not using dependent types when programming and verifying functional programs in Coq. X. Leroy (INRIA) Dependently-typed programming 2009-06 3 / 22

  4. Dependent function types in Coq Functions can take proof terms as arguments. . . div: forall (a: Z) (b: Z), b <> 0 -> Z. This function must be called with 3 arguments: 2 integers a , b and a proof that b <> 0 . X. Leroy (INRIA) Dependently-typed programming 2009-06 4 / 22

  5. Dependent data types in Coq The “subset” type: { x : T | P x } Data of this type are pairs of an x of type T and a proof that the proposition P x holds. (With P : T -> Prop .) proj1_sig: {x: T | P x} -> T proj2_sig: forall (p: {x: T | P x}), P (proj1_sig x) Examples: Definition Zstar : Type := { x : Z | x <> 0 }. Definition Zplus : Type := { x : Z | x >= 0 }. X. Leroy (INRIA) Dependently-typed programming 2009-06 5 / 22

  6. Dependent data types in Coq More generally: dependent record types. Record cfg: Type := mk_cfg { graph: nat -> option instruction; entrypoint: nat; lastnode: nat; entrypoint_exists: graph entrypoint <> None; graph_finite: forall n, n > lastnode -> graph n = None } X. Leroy (INRIA) Dependently-typed programming 2009-06 6 / 22

  7. Dependent data types in Coq The primitive notion: inductive definitions where constructors receive dependent function types. Inductive sig (A: Type) (P: A -> Prop) : Type := | exist: forall (x: A), P x -> sig A P. Definition proj1_sig (A: Type) (P: A -> Prop) (s: sig A P) : A := match s with exist x p => x end. X. Leroy (INRIA) Dependently-typed programming 2009-06 7 / 22

  8. Putting all together The general shape of a function with precondition P and postcondition Q : forall ( x 1 : A 1 ) . . . ( x n : A n ) , P x 1 . . . x n → { y : B | Q x 1 . . . x n y } Example: divrem: forall (a b: Z), b > 0 -> { qr: Z * Z | 0 <= snd(qr) < b /\ a = b * fst(qr) + snd(qr) } X. Leroy (INRIA) Dependently-typed programming 2009-06 8 / 22

  9. Using dependently-typed functions The hard way: write proof terms by hand. Lemma square_nonzero_pos: forall (y: Z), y <> 0 -> y * y > 0. Proof. (* interactive proof *) Qed. Definition f (x: Z) (y: Z) (nonzero: y <> 0) : Z := fst (proj1_sig (divrem x (y*y) (square_nonzero_pos y nonzero))). X. Leroy (INRIA) Dependently-typed programming 2009-06 9 / 22

  10. Using dependently-typed functions The easier way: Matthieu Sozeau’s Program mechanism. Program Definition f (x: Z) (y: Z) (nonzero: y <> 0) : Z := fst (divrem x (y*y) _ ). Next Obligation. (* interactive proof of Z -> forall y : Z, y <> 0 -> y * y > 0 *) Qed. X. Leroy (INRIA) Dependently-typed programming 2009-06 10 / 22

  11. My practical experience Dependent types work great to automatically propagate invariants Attached to data structures (standard); In conjunction with monads (new!). In most other cases, plain functions + separate theorems about them are generally more convenient. X. Leroy (INRIA) Dependently-typed programming 2009-06 11 / 22

  12. Attaching invariants to data structures The example of AVL trees: Inductive tree: Type := | Leaf: tree | Node: tree -> A -> tree -> tree. Inductive bst: tree -> Prop := ... (* to be a binary search tree *) Inductive avl: tree -> Prop := ... (* to be balanced according to the AVL criterion *) X. Leroy (INRIA) Dependently-typed programming 2009-06 12 / 22

  13. Attaching invariants to data structures Need to prove that all base operations over trees preserve the bst and avl invariants: Definition add (x: A) (t: tree) : tree := ... Lemma add_invariant: forall x t, bst t /\ avl t -> bst (add x t) /\ avl (add x t). Problem: users must also prove that their functions using the base operations preserves these invariants. Without strong proof automation, this entails a lot of manual proof. X. Leroy (INRIA) Dependently-typed programming 2009-06 13 / 22

  14. Dependent types to the rescue An internal implementation using plain data structures: Inductive raw_tree: Type := ... Inductive bst: raw_tree -> Prop := ... Inductive avl: raw_tree -> Prop := ... Definition raw_add (x: A) (t: raw_tree) : raw_tree := ... Lemma raw_add_invariant: forall x t, bst t /\ avl t -> bst (raw_add x t) /\ avl (raw_add x t). An external interface using a subset type, guaranteeing that the invariant always holds in well-typed user code: Definition tree : Type := { t: raw_tree | bst t /\ avl t }. Definition add (x: A) (t: tree) : tree := match t with exist rt INV => exist (raw_add x rt) (raw_add_invariant x rt INV) end. X. Leroy (INRIA) Dependently-typed programming 2009-06 14 / 22

  15. Attaching invariants to monadic computations Example: incremental construction of a control-flow graph by successive additions of nodes. A job for the state monad! Record cfg : Type := mk_cfg { graph: nat -> option instr; nextnode: nat; wf: forall n, n >= nextnode -> graph n = Node }. Definition mon (A: Type) : Type := cfg -> A * cfg. Definition ret (A: Type) (x: A) : mon A := fun s => (x, s). Definition bind (A B: Type) (x: mon A) (f: A -> mon B): mon B := fun s => let (r, s’) := x s in f r s’. Program Definition add (i: instr) : mon nat := fun s => (nextnode s, mk_cfg (update (graph s) (nextnode s) (Some i)) (nextnode s + 1) _). X. Leroy (INRIA) Dependently-typed programming 2009-06 15 / 22

  16. Monotone evolution of the state Crucial property: nodes are added to the CFG, but existing nodes are never modified. Definition cfg_incl (s1 s2: cfg) : Prop := nextnode s1 <= nextnode s2 /\ forall n i, graph s1 n = Some i -> graph s2 n = Some i. Easy to prove that ret , bind , add satisfy this property: Lemma add_incr: forall s i n s’, add i s = (n, s’) -> cfg_incl s s’. But users need to prove that similar properties hold for all the functions they define using this monad . . . X. Leroy (INRIA) Dependently-typed programming 2009-06 16 / 22

  17. Dependent types to the rescue Attach an invariant to the monad (new!): Definition mon (A: Type) : Type := forall (s: cfg), { r: A * cfg | cfg_incl s (snd r) } The definitions of the monad operations include some proofs (for ret and bind : reflexivity and transitivity of cfg_incl , respectively). Then, the cfg_incl property comes for free for all user code written with this monad! X. Leroy (INRIA) Dependently-typed programming 2009-06 17 / 22

  18. What doesn’t work well with dependent types Issue 1: Where to put preconditions? div: forall (a b: Z), b <> 0 -> Z div: Z -> { b: Z | b <> 0 } -> Z No best choice between these two presentations. X. Leroy (INRIA) Dependently-typed programming 2009-06 18 / 22

  19. What doesn’t work well with dependent types Issue 2: what properties shoud be attached to the result of a function? what properties should be stated separately? Extreme example: very basic functions such as list append have a huge number of properties of interest app nil l = l app l nil = l app (app l1 l2) l3 = app l1 (app l2 l3) app l1 l2 = l2 -> l1 = nil rev (app l1 l2) = app (rev l2) (rev l1) length (app l1 l2) = length l1 + length l2 In x (app l1 l2) <-> In x l1 \/ In x l2 ... If we were to give a dependent type to app , which of these should be attached to the result? (Assuming they can be attached at all – not true for associativity, e.g.) X. Leroy (INRIA) Dependently-typed programming 2009-06 19 / 22

  20. What properties should be attached to the result of a general-purpose function? Sensible answer: none! Almost sensible answer: an inductive predicate describing the recursion pattern of the function. Inductive p_app: list A -> list A -> list A -> Prop := | p_app_nil: forall l, p_app nil l l | p_app_cons: forall l1 l2 l3 a, p_app l1 l2 l3 -> p_app (a :: l1) l2 (a :: l3). Fixpoint app (l1 l2: list A): { l | p_app l1 l2 l } := ... Enables replacing some reasoning over the function app by reasoning over the inductive predicate p_app . For app , nothing is gained. Sometimes useful for more complex recursion patterns, though. X. Leroy (INRIA) Dependently-typed programming 2009-06 20 / 22

Recommend

Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI?

Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI?

Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI? Message Passing Programming with MPI 2 MPI Forum First message-passing interface standard. Sixty people from forty different organisations.

1.61k views • 113 slides
Message Passing Programming with MPI What is MPI? Message Passing Programming with MPI 1

Message Passing Programming with MPI What is MPI? Message Passing Programming with MPI 1

Message Passing Programming with MPI What is MPI? Message Passing Programming with MPI 1 Message Passing Programming with MPI 2 MPI Forum Goals and Scope of MPI First message-passing interface standard. MPIs prime goals are:

511 views • 29 slides
Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will

Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will

Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will cover message passing model SPMD communication modes collective communications Programming Models Message-Passing Serial Programming

406 views • 28 slides
Effpi concurrent programming with dependent behavioural types Alceste Scalas with Elias Benussi

Effpi concurrent programming with dependent behavioural types Alceste Scalas with Elias Benussi

Effpi concurrent programming with dependent behavioural types Alceste Scalas with Elias Benussi &amp; Nobuko Yoshida VeTSS PhD school / FMATS workshop Microsoft Research Cambridge, 25 September 2018 Problem Introduction Calculus Types

870 views • 57 slides
Dependent Types in Haskell What is Dependent Type Theory? are types, proofs are programs

Dependent Types in Haskell What is Dependent Type Theory? are types, proofs are programs

Stephanie Weirich University of Pennsylvania https://github.com/sweirich/dth @fancytypes Dependent Types in Haskell What is Dependent Type Theory? are types, proofs are programs Originally, logical foundation for mathematics

840 views • 39 slides
Programming with Dependent Types Interactive programs and Coalgebras Anton Setzer Swansea

Programming with Dependent Types Interactive programs and Coalgebras Anton Setzer Swansea

Programming with Dependent Types Interactive programs and Coalgebras Anton Setzer Swansea University, Swansea, UK 14 August 2012 1/ 50 A Brief Introduction into ML Type Theory Interactive Programs in Dependent Type Theory Weakly Final

621 views • 50 slides
Positively Dependent Types Dan Licata and Robert Harper Carnegie Mellon University 1 Dans

Positively Dependent Types Dan Licata and Robert Harper Carnegie Mellon University 1 Dans

Positively Dependent Types Dan Licata and Robert Harper Carnegie Mellon University 1 Dans thesis New dependently typed programming language for programming with binding and scope Applications: Domain-specific logics for reasoning about

809 views • 67 slides
Message Passing Programming Introduction to MPI What is MPI? MPI Forum First

Message Passing Programming Introduction to MPI What is MPI? MPI Forum First

Message Passing Programming Introduction to MPI What is MPI? MPI Forum First message-passing interface standard. Sixty people from forty different organisations. Users and vendors represented, from the US and Europe. Two-year

526 views • 18 slides
A Linear Dependent Type Theory Zhaohui Luo Yu Zhang Royal Holloway Institute of Software

A Linear Dependent Type Theory Zhaohui Luo Yu Zhang Royal Holloway Institute of Software

A Linear Dependent Type Theory Zhaohui Luo Yu Zhang Royal Holloway Institute of Software University of London Chinese Academy of Sciences Linear types and dependent types Linear types (Girard 1987): A - B Dependent types

518 views • 13 slides
Toward dependent choice: a classical sequent calculus with dependent types Hugo Herbelin 1 ,

Toward dependent choice: a classical sequent calculus with dependent types Hugo Herbelin 1 ,

Curry-Howard Axiom of Dependent Choice Sequent calculus State of the art Toward dependent choice: a classical sequent calculus with dependent types Hugo Herbelin 1 , Etienne Miquey 1,2 1 Team r 2 (INRIA), PPS, Universit e

404 views • 24 slides
Programming Introduction to MPI What is MPI? 2 MPI Forum First message-passing interface

Programming Introduction to MPI What is MPI? 2 MPI Forum First message-passing interface

Message Passing Programming Introduction to MPI What is MPI? 2 MPI Forum First message-passing interface standard. Sixty people from forty different organisations. Users and vendors represented, from the US and Europe. Two-year

302 views • 18 slides
Compiling Dependent Types Much recent focus on verified compilation of dependently typed

Compiling Dependent Types Much recent focus on verified compilation of dependently typed

CPS Translation of Dependent Types Amal Ahmed Northeastern University Work in progress, with Nick Rioux and William Bowman Compiling Dependent Types Much recent focus on verified compilation of dependently typed languages: Coqonut, CertiCoq

708 views • 44 slides
I DRIS : Systems Programming with Dependent Types Edwin Brady eb@cs.st-andrews.ac.uk University

I DRIS : Systems Programming with Dependent Types Edwin Brady eb@cs.st-andrews.ac.uk University

I DRIS : Systems Programming with Dependent Types Edwin Brady eb@cs.st-andrews.ac.uk University of St Andrews DTP 2011, August 27th 2011 DTP 2011, August 27th 2011 p.1 Introduction A constant problem: Writing a correct computer

932 views • 51 slides
CSE-505: Programming Languages Lecture 21 Synchronous Message-Passing and Concurrent ML Zach

CSE-505: Programming Languages Lecture 21 Synchronous Message-Passing and Concurrent ML Zach

CSE-505: Programming Languages Lecture 21 Synchronous Message-Passing and Concurrent ML Zach Tatlock 2016 Message Passing Threads communicate via send and receive along channels instead of read and write of references Not so

626 views • 13 slides
Introduction to Parallel Computing Irene Moulitsas Programming using the Message-Passing

Introduction to Parallel Computing Irene Moulitsas Programming using the Message-Passing

Introduction to Parallel Computing Irene Moulitsas Programming using the Message-Passing Paradigm MPI Background MPI : Message Passing Interface Began in Supercomputing 92 Vendors IBM, Intel, Cray Library writers PVM

876 views • 38 slides
Towards Unification for Dependent Types Ningning Xie , Bruno C. d. S. Oliveira The University of

Towards Unification for Dependent Types Ningning Xie , Bruno C. d. S. Oliveira The University of

Towards Unification for Dependent Types Ningning Xie , Bruno C. d. S. Oliveira The University of Hong Kong June 2017 N. Xie, B.C.d.S. Oliveira Towards Unification for Dependent Types TFP 2017 1 / 26 Outline Motivation and Background 1

1k views • 78 slides
DOT: Dependent Object Types Semester Project, Spring 2012 Nada Amin EPFL Nada Amin (EPFL) DOT:

DOT: Dependent Object Types Semester Project, Spring 2012 Nada Amin EPFL Nada Amin (EPFL) DOT:

DOT: Dependent Object Types Semester Project, Spring 2012 Nada Amin EPFL Nada Amin (EPFL) DOT: Dependent Object Types 1 / 21 Introduction What is DOT? DOT: Dependent Object Types type-theoretic foundation of Scala and languages like it

346 views • 21 slides
Depending on equations A proof-relevant framework for unification in dependent type theory

Depending on equations A proof-relevant framework for unification in dependent type theory

Depending on equations A proof-relevant framework for unification in dependent type theory Jesper Cockx DistriNet KU Leuven 3 September 2017 Unification for dependent types Unification is used for many purposes: logic programming, type

1.97k views • 151 slides
PASSING POINTERS TO FUNCTIONS CSSE 120 Rose-Hulman Institute of Technology Parameter Passing

PASSING POINTERS TO FUNCTIONS CSSE 120 Rose-Hulman Institute of Technology Parameter Passing

POINTERS IN C, PASSING POINTERS TO FUNCTIONS CSSE 120 Rose-Hulman Institute of Technology Parameter Passing Styles Most programming languages offer several means of passing parameters. We have seen pass-by-value, in which the

415 views • 22 slides
Message passing and channels INF4140 - Models of concurrency Message passing and channels Fall

Message passing and channels INF4140 - Models of concurrency Message passing and channels Fall

Message passing and channels INF4140 - Models of concurrency Message passing and channels Fall 2016 17. Oct. 2016 Outline Course overview: Part I: concurrent programming; programming with shared variables Part II: distributed

847 views • 41 slides
Dependent Object Types Towards a foundation for Scalas type system Nada Amin, Tiark Rompf,

Dependent Object Types Towards a foundation for Scalas type system Nada Amin, Tiark Rompf,

Dependent Object Types Towards a foundation for Scalas type system Nada Amin, Tiark Rompf, Adriaan Moors, Martin Odersky Microsoft Research July 2, 2013 1 DOT: Dependent Object Types The DOT calculus proposes a new type-theoretic foundation

275 views • 15 slides
MiniAgda: Integrating Sized and Dependent Types Andreas Abel, sec 1-2 Loes Habermehl Luuk

MiniAgda: Integrating Sized and Dependent Types Andreas Abel, sec 1-2 Loes Habermehl Luuk

MiniAgda: Integrating Sized and Dependent Types Andreas Abel, sec 1-2 Loes Habermehl Luuk Verkleij 1 Untyped Termination Checking In dependent type theories underlying Coq and Agda, all programs need to be total: All functions defined by

357 views • 25 slides
Lecture 5: Message Passing &amp; Other Communication Mechanisms (SR &amp; Java) Intro:

Lecture 5: Message Passing &amp; Other Communication Mechanisms (SR &amp; Java) Intro:

Lecture 5: Message Passing &amp; Other Communication Mechanisms (SR &amp; Java) Intro: Synchronous &amp; Asynchronous Message Passing Types of Processes in Message Passing Examples Asynchronous Sorting Network Filter (SR)

914 views • 50 slides
Programming Memory allocation and ordering Fortran array syntax MPI derived types enable

Programming Memory allocation and ordering Fortran array syntax MPI derived types enable

Message-Passing Programming Memory allocation and ordering Fortran array syntax MPI derived types enable strided data to be sent/received - no explicit copy in/out required For Fortran - why not use Fortran array syntax? Some

69 views • 5 slides

More recommend