Abstract
Library authors are often faced with a design choice: should a function with preconditions be implemented as a partial function, or by returning a failure condition on incorrect use? Neither option is ideal. Partial functions lead to frustrating run-time errors. Failure conditions must be checked at the use site, placing an unfair tax on the users who have already ensured that the function's preconditions are met.
In this paper, we introduce an API design concept called "ghosts of departed proofs", based on the following observation: sophisticated preconditions can be encoded in Haskell's type system with no run-time overhead, by using proofs that inhabit phantom type parameters attached to newtype wrappers. The user expresses correctness arguments by constructing proofs to inhabit these phantom types. Critically, this technique allows the library user to decide when and how to validate that the API's preconditions are met.
The "ghosts of departed proofs" approach to API design can achieve many of the benefits of dependent types and refinement types, yet only requires some minor and well-understood extensions to Haskell 2010. We demonstrate the utility of this approach through a series of case studies, showing how to enforce novel invariants for lists, maps, graphs, shared memory regions, and more.
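The following is an added illustration of the pattern the abstract describes; it is not code from the paper or from the gdp package on Hackage, and the names Named, name, the, IsNonEmpty, checkNonEmpty, safeHead and consNonEmpty are this example's own. It encodes one precondition, "this list is non-empty", as a proof term with a phantom name, so that the run-time check happens exactly once, where the user chooses, and the partial operation is only reachable with the proof in hand. In a real library the constructors of Named and IsNonEmpty would be hidden behind a module boundary; here everything sits in one module so it compiles stand-alone with GHC.

```haskell
{-# LANGUAGE RankNTypes, KindSignatures, RoleAnnotations #-}
-- Added example of the "ghosts of departed proofs" pattern (not the paper's
-- or the gdp library's own code). All identifiers are this example's own.
module Main where

import Data.Kind (Type)

-- A value tagged with a phantom "name" n. The phantom parameter is given a
-- nominal role so that Data.Coerce.coerce cannot be used to forge a name.
newtype Named (n :: Type) a = Named a
type role Named nominal representational

-- Introduce a fresh, unforgeable name for a value with a rank-2 continuation
-- (the same trick runST uses): the continuation must work for *any* n, so
-- no two calls to `name` can be confused with each other.
name :: a -> (forall n. Named n a -> t) -> t
name x k = k (Named x)

-- Retrieve the value; the name exists only at compile time.
the :: Named n a -> a
the (Named x) = x

-- A proof that the value named n is a non-empty list. It carries no data,
-- so it has no run-time cost: the "ghost" of a check that already happened.
-- A real library would not export this constructor.
data IsNonEmpty n = IsNonEmpty

-- The single place where the precondition is checked at run time.
-- The user, not the library, decides when (and whether) to call it.
checkNonEmpty :: Named n [a] -> Maybe (IsNonEmpty n)
checkNonEmpty xs = if null (the xs) then Nothing else Just IsNonEmpty

-- A total head: the obligation is discharged by the proof argument, not by
-- a run-time test or a Maybe result the caller has to unwrap again.
safeHead :: IsNonEmpty n -> Named n [a] -> a
safeHead _ xs = head (the xs)   -- safe: a proof of non-emptiness was supplied

-- Proofs can also be produced by construction rather than by checking:
-- x : xs is non-empty whatever xs is, so the library hands out the proof
-- together with a fresh name for the new list.
consNonEmpty :: a -> Named n [a] -> (forall m. IsNonEmpty m -> Named m [a] -> t) -> t
consNonEmpty x xs k = k IsNonEmpty (Named (x : the xs))

main :: IO ()
main = do
  -- Validate once, then use safeHead as many times as wanted with no
  -- further checks. Sample input is constructed for this example.
  name [3, 1, 2 :: Int] (\xs ->
    case checkNonEmpty xs of
      Nothing    -> putStrLn "empty input"
      Just proof -> print (safeHead proof xs, length (the xs)))
  -- Empty input: the failure is handled exactly once, at validation time.
  name ([] :: [Int]) (\xs ->
    case checkNonEmpty xs of
      Nothing    -> putStrLn "empty input"
      Just proof -> print (safeHead proof xs))
  -- A list that is non-empty by construction needs no check at all.
  name ([] :: [Int]) (\xs ->
    consNonEmpty 42 xs (\proof ys -> print (safeHead proof ys)))
```

Two points matter for anyone using this as a security boundary. First, the proof is tied to a specific name, so `checkNonEmpty` on one list cannot be used to call `safeHead` on a different list: the type checker rejects `safeHead proofForXs ys`. Second, the whole scheme depends on the module boundary hiding the `Named` and `IsNonEmpty` constructors and on the nominal role annotation; without both, a caller could manufacture proofs and the "total" function would be partial again.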
Ghosts of departed proofs (functional pearl). In Haskell 2018: Proceedings of the 11th ACM SIGPLAN International Symposium on Haskell.