Parametricity for Haskell with Imprecise Error Semantics Florian - - PowerPoint PPT Presentation

Parametricity for Haskell with Imprecise Error Semantics

Florian Stenger1 and Janis Voigtl¨ ander

Technische Universit¨ at Dresden

TLCA’09

= Applications

1Supported by the DFG under grant VO 1512/1-1.

Parametricity for Haskell with Imprecise Error Semantics

Florian Stenger1 and Janis Voigtl¨ ander

Technische Universit¨ at Dresden

TLCA’09

= Applications

1Supported by the DFG under grant VO 1512/1-1.

Reasoning in Haskell: An Example

takeWhile :: (α → Bool) → [α] → [α] takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ]

1

Reasoning in Haskell: An Example

takeWhile :: (α → Bool) → [α] → [α] takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map :: (α → β) → [α] → [β] map f [ ] = [ ] map f (a : as) = (f a) : (map f as)

1

Reasoning in Haskell: An Example

takeWhile :: (α → Bool) → [α] → [α] takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map :: (α → β) → [α] → [β] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) For every choice of p, f , and l: takeWhile p (map f l) = map f (takeWhile (p ◦ f ) l) Provable by induction.

1

Reasoning in Haskell: An Example

takeWhile :: (α → Bool) → [α] → [α] takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map :: (α → β) → [α] → [β] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) For every choice of p, f , and l: takeWhile p (map f l) = map f (takeWhile (p ◦ f ) l) Provable by induction. Or as a “free theorem” [Wadler, FPCA’89].

1

Reasoning in Haskell: An Example

takeWhile :: (α → Bool) → [α] → [α] map :: (α → β) → [α] → [β] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) For every choice of p, f , and l: takeWhile p (map f l) = map f (takeWhile (p ◦ f ) l) Provable by induction. Or as a “free theorem” [Wadler, FPCA’89].

1

Reasoning in Haskell: An Example

takeWhile :: (α → Bool) → [α] → [α] filter :: (α → Bool) → [α] → [α] map :: (α → β) → [α] → [β] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) For every choice of p, f , and l: takeWhile p (map f l) = map f (takeWhile (p ◦ f ) l) filter p (map f l) = map f (filter (p ◦ f ) l)

1

Reasoning in Haskell: An Example

takeWhile :: (α → Bool) → [α] → [α] filter :: (α → Bool) → [α] → [α] g :: (α → Bool) → [α] → [α] map :: (α → β) → [α] → [β] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) For every choice of p, f , and l: takeWhile p (map f l) = map f (takeWhile (p ◦ f ) l) filter p (map f l) = map f (filter (p ◦ f ) l) g p (map f l) = map f (g (p ◦ f ) l)

1

Errors in Haskell

2

Errors in Haskell

◮ let average l = div (sum l) (length l)

in average [ ]

2

Errors in Haskell

◮ let average l = div (sum l) (length l)

in average [ ]

◮ let tail (a : as) = as

in tail [ ]

2

Errors in Haskell

◮ let average l = div (sum l) (length l)

in average [ ]

◮ let tail (a : as) = as

in tail [ ]

◮ if · · · then error “some string” else · · ·

2

Errors in Haskell

◮ let average l = div (sum l) (length l)

in average [ ]

◮ let tail (a : as) = as

in tail [ ]

◮ if · · · then error “some string” else · · · ◮ let loop = loop

in loop

2

Errors in Haskell

◮ let average l = div (sum l) (length l)

in average [ ]

◮ let tail (a : as) = as

in tail [ ]

◮ if · · · then error “some string” else · · · ◮ let loop = loop

in loop Traditionally, all error causes subsumed under “⊥”.

2

Errors in Haskell

◮ let average l = div (sum l) (length l)

in average [ ]

◮ let tail (a : as) = as

in tail [ ]

◮ if · · · then error “some string” else · · · ◮ let loop = loop

in loop Traditionally, all error causes subsumed under “⊥”. Better, explicit distinction. Like: Ok v : nonerroneous Bad “· · · ” : finitely failing ⊥ : nonterminating

2

Naive Propagation of Errors

◮ tail [1/0, 2.5] Ok ((Ok 2.5) : (Ok [ ]))

3

Naive Propagation of Errors

◮ tail [1/0, 2.5] Ok ((Ok 2.5) : (Ok [ ])) ◮ (λx → 3) (error “· · · ”) Ok 3

3

Naive Propagation of Errors

◮ tail [1/0, 2.5] Ok ((Ok 2.5) : (Ok [ ])) ◮ (λx → 3) (error “· · · ”) Ok 3 ◮ (error s) (· · · ) Bad s

3

Naive Propagation of Errors

◮ tail [1/0, 2.5] Ok ((Ok 2.5) : (Ok [ ])) ◮ (λx → 3) (error “· · · ”) Ok 3 ◮ (error s) (· · · ) Bad s ◮ case (error s) of {· · · } Bad s

3

Naive Propagation of Errors

◮ tail [1/0, 2.5] Ok ((Ok 2.5) : (Ok [ ])) ◮ (λx → 3) (error “· · · ”) Ok 3 ◮ (error s) (· · · ) Bad s ◮ case (error s) of {· · · } Bad s ◮ (error s1) + (error s2) ???

3

Naive Propagation of Errors

◮ tail [1/0, 2.5] Ok ((Ok 2.5) : (Ok [ ])) ◮ (λx → 3) (error “· · · ”) Ok 3 ◮ (error s) (· · · ) Bad s ◮ case (error s) of {· · · } Bad s ◮ (error s1) + (error s2) ???

Dependence on evaluation order leads to considerably less freedom for implementors to rearrange computations, to optimise!

3

Imprecise Error Semantics [Peyton Jones et al., PLDI’99]

Basic idea: Ok v : nonerroneous Bad {· · · } : finitely failing, nondeterministic ⊥ : nonterminating

4

Imprecise Error Semantics [Peyton Jones et al., PLDI’99]

Basic idea: Ok v : nonerroneous Bad {· · · } : finitely failing, nondeterministic ⊥ : nonterminating Definedness order: Ok Bad ⊥

4

Imprecise Error Semantics [Peyton Jones et al., PLDI’99]

Basic idea: Ok v : nonerroneous Bad {· · · } : finitely failing, nondeterministic ⊥ : nonterminating Definedness order: Ok Bad ⊥

Bad e2 Bad e1 e2 ⊆ e1

4

Imprecise Error Semantics [Peyton Jones et al., PLDI’99]

Actual Propagation of Errors:

◮ (error s1) + (error s2) Bad {s1, s2}

5

Imprecise Error Semantics [Peyton Jones et al., PLDI’99]

Actual Propagation of Errors:

◮ (error s1) + (error s2) Bad {s1, s2} ◮ 3 + (error s) Bad {s}

5

Imprecise Error Semantics [Peyton Jones et al., PLDI’99]

Actual Propagation of Errors:

◮ (error s1) + (error s2) Bad {s1, s2} ◮ 3 + (error s) Bad {s} ◮ loop + (error s) ⊥

5

Imprecise Error Semantics [Peyton Jones et al., PLDI’99]

Actual Propagation of Errors:

◮ (error s1) + (error s2) Bad {s1, s2} ◮ 3 + (error s) Bad {s} ◮ loop + (error s) ⊥ ◮ (error s1) (error s2) Bad {s1, s2}

5

Imprecise Error Semantics [Peyton Jones et al., PLDI’99]

Actual Propagation of Errors:

◮ (error s1) + (error s2) Bad {s1, s2} ◮ 3 + (error s) Bad {s} ◮ loop + (error s) ⊥ ◮ (error s1) (error s2) Bad {s1, s2} ◮ (λx → 3) (error s) Ok 3

5

Imprecise Error Semantics [Peyton Jones et al., PLDI’99]

Actual Propagation of Errors:

◮ (error s1) + (error s2) Bad {s1, s2} ◮ 3 + (error s) Bad {s} ◮ loop + (error s) ⊥ ◮ (error s1) (error s2) Bad {s1, s2} ◮ (λx → 3) (error s) Ok 3 ◮ case (error s1) of {(x, y) → error s2} Bad {s1, s2}

5

Impact on Program Equivalence

“Normally”: takeWhile p (map f l) = map f (takeWhile (p ◦ f ) l) where: takeWhile :: (α → Bool) → [α] → [α] takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map :: (α → β) → [α] → [β] map f [ ] = [ ] map f (a : as) = (f a) : (map f as)

6

Impact on Program Equivalence

“Normally”: takeWhile p (map f l) = map f (takeWhile (p ◦ f ) l) where: takeWhile :: (α → Bool) → [α] → [α] takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map :: (α → β) → [α] → [β] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) But now: takeWhile null (map tail (error s)) = map tail (takeWhile (null ◦ tail) (error s))

6

Impact on Program Equivalence

“Normally”: takeWhile p (map f l) = map f (takeWhile (p ◦ f ) l) where: takeWhile :: (α → Bool) → [α] → [α] takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map :: (α → β) → [α] → [β] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) But now: takeWhile null (map tail (error s)) s = map tail (takeWhile (null ◦ tail) (error s)) s or “empty list”

6

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] tail [ ] = error “empty list” tail (a : as) = as null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] tail [ ] = error “empty list” tail (a : as) = as null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] tail [ ] = error “empty list” tail (a : as) = as null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] tail [ ] = error “empty list” tail (a : as) = as null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] tail [ ] = error “empty list” tail (a : as) = as null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] tail [ ] = error “empty list” tail (a : as) = as null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] tail [ ] = error “empty list” tail (a : as) = as null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} while: takeWhile null (map tail (error s)) Bad {s} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} while: takeWhile null (map tail (error s)) Bad {s} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} while: takeWhile null (map tail (error s)) Bad {s} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} while: takeWhile null (map tail (error s)) Bad {s} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} while: takeWhile null (map tail (error s)) Bad {s} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} while: takeWhile null (map tail (error s)) Bad {s} where: takeWhile p [ ] = [ ] takeWhile p (a : as) | p a = a : (takeWhile p as) | otherwise = [ ] map f [ ] = [ ] map f (a : as) = (f a) : (map f as) null [ ] = True null (a : as) = False

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} while: takeWhile null (map tail (error s)) Bad {s} Thus: takeWhile null (map tail (error s)) = map tail (takeWhile (null ◦ tail) (error s))

7

Impact on Program Equivalence

Because: takeWhile (null ◦ tail) (error s) Bad {s, “empty list”} while: takeWhile null (map tail (error s)) Bad {s} Thus: takeWhile null (map tail (error s)) = map tail (takeWhile (null ◦ tail) (error s)) Now, imagine this in the following program context: catchJust errorCalls (evaluate · · ·) (λs → if s == “empty list” then return [[42]] else return [ ])

7

How to Revise Free Theorems?

[Wadler, FPCA’89] : for every g :: (α → Bool) → [α] → [α], g p (map f l) = map f (g (p ◦ f ) l)

8

How to Revise Free Theorems?

[Wadler, FPCA’89] : for every g :: (α → Bool) → [α] → [α], g p (map f l) = map f (g (p ◦ f ) l)

◮ if f strict.

8

How to Revise Free Theorems?

[Wadler, FPCA’89] : for every g :: (α → Bool) → [α] → [α], g p (map f l) = map f (g (p ◦ f ) l)

◮ if f strict.

[Johann & V., POPL’04] : in presence of seq, if additionally:

◮ p = ⊥ and ◮ f total.

8

How to Revise Free Theorems?

[Wadler, FPCA’89] : for every g :: (α → Bool) → [α] → [α], g p (map f l) = map f (g (p ◦ f ) l)

◮ if f strict (f ⊥ = ⊥).

[Johann & V., POPL’04] : in presence of seq, if additionally:

◮ p = ⊥ and ◮ f total (∀x = ⊥. f x = ⊥).

8

How to Revise Free Theorems?

[Wadler, FPCA’89] : for every g :: (α → Bool) → [α] → [α], g p (map f l) = map f (g (p ◦ f ) l)

◮ if f strict (f ⊥ = ⊥).

[Johann & V., POPL’04] : in presence of seq, if additionally:

◮ p = ⊥ and ◮ f total (∀x = ⊥. f x = ⊥).

What are corresponding conditions “in real”? Ok Bad ⊥

8

Sweat and Tears . . .

. . . provide full formalisation of the semantic setup

9

Sweat and Tears . . .

. . . provide full formalisation of the semantic setup . . . enter general proof of parametricity theorem

9

Sweat and Tears . . .

. . . provide full formalisation of the semantic setup . . . enter general proof of parametricity theorem . . . consider the interesting induction cases

9

Sweat and Tears . . .

. . . provide full formalisation of the semantic setup . . . enter general proof of parametricity theorem . . . consider the interesting induction cases . . . identify appropriate restrictions on the level of relations

9

Sweat and Tears . . .

. . . provide full formalisation of the semantic setup . . . enter general proof of parametricity theorem . . . consider the interesting induction cases . . . identify appropriate restrictions on the level of relations . . . adapt relational actions

9

Sweat and Tears . . .

. . . provide full formalisation of the semantic setup . . . enter general proof of parametricity theorem . . . consider the interesting induction cases . . . identify appropriate restrictions on the level of relations . . . adapt relational actions . . . complete general proof

9

Sweat and Tears . . .

. . . provide full formalisation of the semantic setup . . . enter general proof of parametricity theorem . . . consider the interesting induction cases . . . identify appropriate restrictions on the level of relations . . . adapt relational actions . . . complete general proof . . . transfer restrictions to the level of functions

9

Sweat and Tears . . .

. . . provide full formalisation of the semantic setup . . . enter general proof of parametricity theorem . . . consider the interesting induction cases . . . identify appropriate restrictions on the level of relations . . . adapt relational actions . . . complete general proof . . . transfer restrictions to the level of functions . . . apply to concrete functions

9

. . . Application to takeWhile

For every g :: (α → Bool) → [α] → [α], g p (map f l) = map f (g (p ◦ f ) l)

10

. . . Application to takeWhile

For every g :: (α → Bool) → [α] → [α], g p (map f l) = map f (g (p ◦ f ) l) provided

◮ p and f are nonerroneous,

Ok Bad ⊥

f p

10

. . . Application to takeWhile

For every g :: (α → Bool) → [α] → [α], g p (map f l) = map f (g (p ◦ f ) l) provided

◮ p and f are nonerroneous, ◮ f ⊥ = ⊥,

Ok Bad ⊥

f p f

10

. . . Application to takeWhile

For every g :: (α → Bool) → [α] → [α], g p (map f l) = map f (g (p ◦ f ) l) provided

◮ p and f are nonerroneous, ◮ f ⊥ = ⊥, ◮ f acts as identity on erroneous values, and

Ok Bad ⊥

f p f f f f

10

. . . Application to takeWhile

For every g :: (α → Bool) → [α] → [α], g p (map f l) = map f (g (p ◦ f ) l) provided

◮ p and f are nonerroneous, ◮ f ⊥ = ⊥, ◮ f acts as identity on erroneous values, and ◮ f maps nonerroneous values to nonerroneous values.

Ok Bad ⊥

f p f f f f f

10

Conclusion

Types:

◮ constrain the behaviour of programs ◮ thus lead to interesting theorems about programs

11

Conclusion

Types:

◮ constrain the behaviour of programs ◮ thus lead to interesting theorems about programs

In a “real” language:

◮ interaction with language features can be quite nontrivial ◮ here: finite failures, imprecise semantics as in implementations

11

Conclusion

Types:

◮ constrain the behaviour of programs ◮ thus lead to interesting theorems about programs

In a “real” language:

◮ interaction with language features can be quite nontrivial ◮ here: finite failures, imprecise semantics as in implementations

Not in the paper (but [Stenger & V., Technical Report]):

◮ inequational free theorems under weaker restrictions

11

Conclusion

Types:

◮ constrain the behaviour of programs ◮ thus lead to interesting theorems about programs

In a “real” language:

◮ interaction with language features can be quite nontrivial ◮ here: finite failures, imprecise semantics as in implementations

Not in the paper (but [Stenger & V., Technical Report]):

◮ inequational free theorems under weaker restrictions ◮ dealing with exceptions in a limited way

11

Conclusion

Types:

◮ constrain the behaviour of programs ◮ thus lead to interesting theorems about programs

In a “real” language:

◮ interaction with language features can be quite nontrivial ◮ here: finite failures, imprecise semantics as in implementations

Not in the paper (but [Stenger & V., Technical Report]):

◮ inequational free theorems under weaker restrictions ◮ dealing with exceptions in a limited way

Push further:

◮ proper exception handling in the IO monad

11

Conclusion

Types:

◮ constrain the behaviour of programs ◮ thus lead to interesting theorems about programs

In a “real” language:

◮ interaction with language features can be quite nontrivial ◮ here: finite failures, imprecise semantics as in implementations

Not in the paper (but [Stenger & V., Technical Report]):

◮ inequational free theorems under weaker restrictions ◮ dealing with exceptions in a limited way

Push further:

◮ proper exception handling in the IO monad ◮ nondeterminism generally, not just on errors

11

Conclusion

Types:

◮ constrain the behaviour of programs ◮ thus lead to interesting theorems about programs

In a “real” language:

◮ interaction with language features can be quite nontrivial ◮ here: finite failures, imprecise semantics as in implementations

Not in the paper (but [Stenger & V., Technical Report]):

◮ inequational free theorems under weaker restrictions ◮ dealing with exceptions in a limited way

Push further:

◮ proper exception handling in the IO monad ◮ nondeterminism generally, not just on errors ◮ systematic study of impact on other reasoning techniques

11

References I

• P. Johann and J. Voigtl¨

ander. Free theorems in the presence of seq. In Principles of Programming Languages, Proceedings, pages 99–110. ACM Press, 2004.

• P. Johann and J. Voigtl¨

ander. A family of syntactic logical relations for the semantics of Haskell-like languages. Information and Computation, 207(2):341–368, 2009.

• A. Moran, S.B. Lassen, and S.L. Peyton Jones.

Imprecise exceptions, Co-inductively. In Higher Order Operational Techniques in Semantics, Proceedings, volume 26 of ENTCS, pages 122–141. Elsevier, 1999.

12

References II

S.L. Peyton Jones, A. Reid, C.A.R. Hoare, S. Marlow, and F. Henderson. A semantics for imprecise exceptions. In Programming Language Design and Implementation, Proceedings, pages 25–36. ACM Press, 1999.

• F. Stenger and J. Voigtl¨

ander. Parametricity for Haskell with imprecise error semantics. Technical Report TUD-FI08-08, Technische Universit¨ at Dresden, 2008.

• P. Wadler.

Theorems for free! In Functional Programming Languages and Computer Architecture, Proceedings, pages 347–359. ACM Press, 1989.

13