Misusing the Type System for & Ian Dees @undees PNSQC 2015 - - PowerPoint PPT Presentation

Misusing the Type System for &

Ian Dees • @undees PNSQC 2015

Brewing for Maintainability

Our contaminants:

M e m

• r

y l e a k s Data corruption Failing regression tests C r a s h e s Poor repeatability S e c u r i t y b r e a c h e s

Traditional remedies:

Code review Unit tests Exploratory testing “Just be careful”

Another proposal:

Lean on the type system

Agenda:

• 1. Ways you may already be using types
• 2. Denotational design
• 3. Applying the ideas in the real world

• 1. Ways you may already


be using types:

Memory leaks

Sandwich* makeSandwich(); Sandwich* sandwich = makeSandwich(); // who cleans up?

shared_ptr<Sandwich> makeSandwich(); auto sandwich = makeSandwich(); // cleanup is automatic!

$ find . -name \*.cpp | xargs grep new

Crashes

int findSandwich(string name); int found = findSandwich("cheese"); cout << Sandwiches[found] << endl;

// returns -1 if not found int findSandwich(string name); int found = findSandwich("cheese"); cout << Sandwiches[found] << endl; 


• ptional<size_t> findSandwich(string name);

auto found = findSandwich("cheese"); cout << Sandwiches[found] << endl; // WON'T COMPILE! ^^^^^

• ptional<size_t> findSandwich(string name);

auto found = findSandwich("cheese"); if (found) { cout << Sandwiches[*found] << endl; }

Making errors
 inexpressible

• 2. Denotational Design

–Conal Elliott,
 “Denotational design with type class morphisms”

“When designing software, in addition to innovating in your implementations, relate them to precise and familiar semantic models.”

–Conal Elliott,
 “Denotational design with type class morphisms”

“When designing software, in addition to innovating in your implementations, relate them to precise and familiar semantic models.”

In other words…

• 1. Sketch your design in clear notation
• 2. Implement it in your “day job” language

In other words…

• 1. Sketch your design in (some kind of) clear notation
• 2. Implement it in your “day job” language

What kind of clear notation?

Math

(or a sufficiently math-y programming language)

Meet Idris

Haskell’s cousin

• - A cousin of Haskell

• - A cousin of Haskell

twice x = 2 * x

• - A cousin of Haskell

twice : Int -> Int twice x = 2 * x

• - A cousin of Haskell

twice : Int -> Int twice x = 2 * x twice 42 —-> 84 : Int

Dependently typed

Types can be inputs
 to functions

• - Types can be inputs to functions

isNumeric : Type -> Bool isNumeric Int = True isNumeric String = False

• - Types can be inputs to functions

isNumeric : Type -> Bool isNumeric Int = True isNumeric String = False isNumeric Int

• -> True : Bool

Types can depend


• n values

• - Idris, before we add dependent types

data Vec : Type -> Type where Nil : Vec a (::) : a -> Vec a -> Vec a
 


• - Idris, before we add dependent types

data Vec : Type -> Type where Nil : Vec a (::) : a -> Vec a -> Vec a
 
 False :: True :: (the (Vec Bool) Nil)

• -> [False,True] : Vec Bool

// C++ template <typename T> class vec { public: static vec<T> nil; vec<T> insert(T); };

• - Idris

data Vec : Nat -> Type -> Type where Nil : Vec Z a (::) : a -> Vec k a -> Vec (S k) a

// C++ template <size_t k, typename T> class vec { public: static vec<0, T> nil; vec<k + 1, T> insert(T); };

(an aside on numbers)

• - Peano numbers

Z --> 0 S Z --> 1 ("successor to zero") S (S Z) --> 2 ("successor to successor
 to zero")

42

…is syntactic sugar for …

S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S (S Z))))))))))))))))
 ))))))))))))))))))))))) ))

add : Vec n a -> Vec m a -> Vec (n + m) a

add : Vec n a -> Vec m a -> Vec (n + m) a add Nil ys = ys add (x :: xs) ys = x :: (add xs ys)

Y

• u can do math

• n meaning

Proofs

add : Nat -> Nat -> Nat add Z y = y add (S x) y = S (add x y)

How would we check that addition is commutative? (x + y = y + x)

Tests?

3 + 2

• -> 5 : Integer

2 + 3

• -> 5 : Integer

–Philip Wadler,
 “Propositions as Types”

“For each proof of a given proposition, there is a program of the corresponding type—and vice versa.”

Proofs are programs

• - Given natural numbers x and y,
• - x + y equals y + x

• - Given natural numbers x and y,
• - x + y equals y + x

addCommutes : (x : Nat) -> (y : Nat) -> plus x y = plus y x

Proof by induction

Base case
 “It’s true for zero” Inductive step
 “If it’s true for x, then it’s true for x + 1”

addCommutes Z y = ?base addCommutes (S x) y = let hypothesis = addCommutes x y in ?inductive

$ idris math.idr > :m Global metavariables: [Math.inductive,Math.base]

> :p base

• --------- Goal: ----------

{ hole 0 }: (y : Nat) -> y = plus y Z

> :p base

• --------- Goal: ----------

{ hole 0 }: (y : Nat) -> y = plus y Z

> intros

• --------- Other goals: ----------

{ hole 0 }

• --------- Assumptions: ----------

y : Nat

• --------- Goal: ----------

{ hole 1 }: y = plus y Z

> intros

• --------- Other goals: ----------

{ hole 0 }

• --------- Assumptions: ----------

y : Nat

• --------- Goal: ----------

{ hole 1 }: y = plus y Z

• - https://github.com/idris-lang/Idris-dev/blob/master/libs/

• - prelude/Prelude/Nat.idr

total plusZeroRightNeutral : (left : Nat) -> left + 0 = left

> rewrite (plusZeroRightNeutral y)

• --------- Other goals: ----------

{ hole 1 } { hole 0 }

• --------- Assumptions: ----------

y : Nat

• --------- Goal: ----------

{ hole 2 }: plus y Z = plus y Z

> rewrite (plusZeroRightNeutral y)

• --------- Other goals: ----------

{ hole 1 } { hole 0 }

• --------- Assumptions: ----------

y : Nat

• --------- Goal: ----------

{ hole 2 }: plus y Z = plus y Z

> trivial base: No more goals. > qed Proof completed! Math.base = proof intros rewrite (plusZeroRightNeutral y) trivial

And now , for the inductive step

> :m Global metavariables: [Math.inductive]

> :p inductive

• --------- Goal: ----------

{ hole 0 }: (x : Nat) -> (y : Nat) -> (plus x y = plus y x) -> S (plus x y) = plus y (S x)

> :p inductive

• --------- Goal: ----------

{ hole 0 }: (x : Nat) -> (y : Nat) -> (plus x y = plus y x) -> S (plus x y) = plus y (S x)

> intros

• --------- Other goals: ----------

{ hole 2 } { hole 1 } { hole 0 }

• --------- Assumptions: ----------

x : Nat y : Nat hypothesis : plus x y = plus y x

• --------- Goal: ----------

{ hole 3 }: S (plus x y) = plus y (S x)

> intros

• --------- Other goals: ----------

{ hole 2 } { hole 1 } { hole 0 }

• --------- Assumptions: ----------

x : Nat y : Nat hypothesis : plus x y = plus y x

• --------- Goal: ----------

{ hole 3 }: S (plus x y) = plus y (S x)

• - https://github.com/idris-lang/Idris-dev/blob/master/libs/

• - prelude/Prelude/Nat.idr

total plusSuccRightSucc :
 (left : Nat) ->
 (right : Nat) ->
 S (left + right) = left + (S right)

> rewrite (plusSuccRightSucc y x)

• --------- Other goals: ----------

{ hole 3 } { hole 2 } { hole 1 } { hole 0 }

• --------- Assumptions: ----------

x : Nat y : Nat hypothesis : plus x y = plus y x

• --------- Goal: ----------

{ hole 4 }: S (plus x y) = S (plus y x)

> rewrite (plusSuccRightSucc y x)

• --------- Other goals: ----------

{ hole 3 } { hole 2 } { hole 1 } { hole 0 }

• --------- Assumptions: ----------

x : Nat y : Nat hypothesis : plus x y = plus y x

• --------- Goal: ----------

{ hole 4 }: S (plus x y) = S (plus y x)

> rewrite (plusSuccRightSucc y x)

• --------- Other goals: ----------

{ hole 3 } { hole 2 } { hole 1 } { hole 0 }

• --------- Assumptions: ----------

x : Nat y : Nat hypothesis : plus x y = plus y x

• --------- Goal: ----------

{ hole 4 }: S (plus x y) = S (plus y x)

> rewrite hypothesis

• --------- Other goals: ----------

{ hole 4 } { hole 3 } { hole 2 } { hole 1 } { hole 0 }

• --------- Assumptions: ----------

x : Nat y : Nat hypothesis : plus x y = plus y x

• --------- Goal: ----------

{ hole 5 }: S (plus x y) = S (plus x y)

> rewrite hypothesis

• --------- Other goals: ----------

{ hole 4 } { hole 3 } { hole 2 } { hole 1 } { hole 0 }

• --------- Assumptions: ----------

x : Nat y : Nat hypothesis : plus x y = plus y x

• --------- Goal: ----------

{ hole 5 }: S (plus x y) = S (plus x y)

> trivial inductive: No more goals. > qed Proof completed! Math.inductive = proof intros rewrite (plusSuccRightSucc y x) rewrite hypothesis trivial

• 3. Applying the ideas


in the real world

Mission:
 Edit audio clips

class Audio { public: };

class Audio { public: size_t count() const; };

class Audio { public: size_t count() const; int16_t operator[](size_t i) const; int16_t& operator[](size_t i); };

class Audio { public: size_t count() const; int16_t operator[](size_t i) const; int16_t& operator[](size_t i); double timeAtZero() const; double sampleRate() const; };

class Audio { public: size_t count() const; int16_t operator[](size_t i) const; int16_t& operator[](size_t i); double timeAtZero() const; double sampleRate() const; double verticalScale() const; };

Audio audio; double time = 0.5; size_t index = (time - audio.timeAtZero()) / audio.sampleRate();

Audio audio; double time = 0.5; size_t index = (time - audio.timeAtZero()) / audio.sampleRate(); int16_t value = audio[index]; double level = static_cast<double>(value) * audio.verticalScale();

class Audio { public: size_t count() const; int16_t operator[](size_t i) const; int16_t& operator[](size_t i); double timeAtZero() const; double sampleRate() const; double verticalScale() const; };

class Audio { public: size_t count() const; int16_t operator[](size_t i) const; int16_t& operator[](size_t i); double timeAtZero() const; double sampleRate() const; double verticalScale() const; std::string fileName() const; std::string comments() const; bool isStereo() const; void loadFromFile(const std::string& filename); void saveToFile(const std::string& filename); };

What is an audio clip?

Sound changing
 continuously


• ver time

Sketch in Idris:

Audio : (a : Type) -> Type Audio a = (Float -> a)

Audio : (a : Type) -> Type Audio a = (Float -> Maybe a)

template <typename T> class Audio { boost::optional<T> operator()(double t); };

double time = 0.5; auto level = audio(time);

How would we clip out an excerpt?

clip : (Audio a) -> Float -> Float -> (Audio a)

template <typename T> Audio<T> clip(Audio<T>, double, double);

Mission:
 Define a matrix type

template <typename T> class Matrix { public: T operator()(size_t row, size_t col); };

Matrix<double> m(3, 5); size_t const x = 4; size_t const y = 0; cout << m(x, y) << endl; // wrong order!

Denotational design

• 1. Sketch your design in Idris
• 2. Implement it in C++

Matrix : Nat -> Nat -> Type -> Type get : Nat -> Nat -> Matrix rows cols a -> a

Matrix : Nat -> Nat -> Type -> Type get : (Fin rows) -> (Fin cols) -> Matrix rows cols a -> a

If only we had a finite number type in C++!

template <size_t R, size_t C, typename T> class Matrix { public: T operator()(Fin<R> row, Fin<C> col); };

Back to the drawing board

Make the row and column
 two different types

Matrix : Nat -> Nat -> Type -> Type get : (Fin rows) -> (Fin cols) -> Matrix rows cols a -> a

data Row a = aRow a data Col a = aCol a Matrix : Nat -> Nat -> Type -> Type get : (Fin rows) -> (Fin cols) -> Matrix rows cols a -> a

data Row a = aRow a data Col a = aCol a Matrix : Nat -> Nat -> Type -> Type get : (Fin rows) -> (Fin cols) -> Matrix rows cols a -> a

data Row a = aRow a data Col a = aCol a Matrix : Nat -> Nat -> Type -> Type get : (Fin rows) -> (Fin cols) -> Matrix rows cols a -> a

data Row a = aRow a data Col a = aCol a Matrix : Nat -> Nat -> Type -> Type get : Row (Fin rows) -> Col (Fin cols) -> Matrix rows cols a -> a

class Row { public: explicit Row(size_t value) : value_(value) {}

• perator size_t() { return value_; }

private: size_t value_; };

class Row { public: explicit Row(size_t value) : value_(value) {}

• perator size_t() { return value_; }

private: size_t value_; };

class Row { public: explicit Row(size_t value) : value_(value) {}

• perator size_t() { return value_; }

private: size_t value_; };

template <typename T> class Matrix { public: T operator()(size_t row, size_t col); };

template <typename T> class Matrix { public: T operator()(Row row, Col col); };

Hard to mix up
 rows and columns!

Further exploration

The Intellectual Ascent to Agda

David Sankel
 C++Now 2013
 https://youtu.be/vy5C-mlUQ1w

Enjoy the conference!

Image credits

https://www.flickr.com/photos/hodgers/450003437 https://www.flickr.com/photos/jakerust/16649943478 https://www.flickr.com/photos/lendog64/5387445643 https://media2.giphy.com/media/EldfH1VJdbrwY/200.gif https://www.flickr.com/photos/ladybeames/2896787167 https://www.flickr.com/photos/jamesvela/12316917853

Fine print

This document and the information herein (including any information that may be incorporated by reference) is provided for informational purposes only and should not be construed as an offer, commitment, promise or

• bligation on behalf of New Relic, Inc. (“New Relic”) to sell securities or deliver any product, material, code,

functionality, or other feature. Any information provided hereby is proprietary to New Relic and may not be replicated or disclosed without New Relic’s express written permission. Such information may contain forward- looking statements within the meaning of federal securities laws. Any statement that is not a historical fact or refers to expectations, projections, future plans, objectives, estimates, goals, or other characterizations of future events is a forward-looking statement. These forward-looking statements can often be identified as such because the context of the statement will include words such as “believes,” “anticipates,” “expects” or words of similar

• import. Actual results may differ materially from those expressed in these forward-looking statements, which speak
• nly as of the date hereof, and are subject to change at any time without notice. Existing and prospective investors,

customers and other third parties transacting business with New Relic are cautioned not to place undue reliance on this forward-looking information. The achievement or success of the matters covered by such forward-looking statements are based on New Relic’s current assumptions, expectations, and beliefs and are subject to substantial risks, uncertainties, assumptions, and changes in circumstances that may cause the actual results, performance, or achievements to differ materially from those expressed or implied in any forward-looking statement. Further information on factors that could affect such forward-looking statements is included in the filings we make with the SEC from time to time. Copies of these documents may be obtained by visiting New Relic’s Investor Relations website at ir.newrelic.com or the SEC’s website at www.sec.gov. New Relic assumes no obligation and does not intend to update these forward-looking statements, except as required by law. New Relic makes no warranties, expressed or implied, in this document or otherwise, with respect to the information provided.