We should allow the user to write something like:

{-@ assume foo :: t_foo @-}
foo = real-definition-of-foo

while then in the rest of the module just use the type t_foo for foo
without checking the real-definition actually has the type.

Right now, this works if foo is imported from elsewhere (modular reasoning
etc. we don't check imported definitions) OR if we use undefined as the real
definition.

Would be nice to just allow assume without raising warnings...

See tests/todo/TypeAlias.hs, which crashes because Bare.tyCompat checks for syntactic equality without expanding type synonyms, so we get

Bar Int /= Foo Int Int

even though Bar is defined as type Bar = Foo Int

Simply adding calls to expand[R]TypeSynonyms in tyCompat only delays the crash, instead manifesting as an out-of-bounds index in Constraint.splitCIndexed.

@nikivazou any thoughts on what might be the simplest fix? It looks to me that rewriting expandRTypeSynonyms to not drop refinements would work, but would also be quite painful..

This usually takes time, so I just add it in the after deadline todo list

Fixpoint is throwing the following exception on tests/pos/ListElem.hs using the current master of liquid-fixpoint and liquidhaskell..

z3Pred: error converting (Prop(VV) <=> Set_mem(~A0, listElts([~A1])))
Fatal error: exception Failure("Ast.sortcheck_app: type args not fully instantiated Set_mem([~A0; listElts([~A1])])")

This might actually belong in ucsd-progsys/liquid-fixpoint, but the failing test is in liquidhaskell...

Hi Niki --

can you (do a pull on master) and then run

liquid tests/pos/mapTvCrash.hs

It throws an error:

****************************** ERROR *****************************
Bare.mapTyVars: cannot handle lq_tmp_db0:(GHC.Ptr.FunPtr ((GHC.Ptr.Ptr a) -> (GHC.Types.IO ())))
-> a
****************************** ERROR *****************************

I think it is some unhandled case in mapTyVars (in Bare.hs).

Can you take a look, since I don't know what that function is doing.

RJ.

Multiple recursive functions can be alive the same time. See

radicals :: Int -> [a]
radicals n = [ foo (radicals n) i | i <- [1..]]

foo = undefine

Now, the checker assumes only one recursive function

see tests/pos/fixme.hs for a runnable version.

insert :: Ord k => k -> a -> Map k a -> Map k a
insert = go
  where
    go :: Ord k => k -> a -> Map k a -> Map k a
    go kx x Tip = singleton kx x
    go kx x (Bin sz ky y l r) =
        case compare kx ky of
                  -- Bin ky y (go kx x l) r 
            LT -> balanceL ky y (go kx x l) r
            GT -> balanceR ky y l (go kx x r)
            EQ -> Bin sz kx x l r

go is given a duplicated class constraint (forall k a. Ord k => forall k a. Ord k => ...) which prevents the termination checker from finding the decreasing parameter (Map k a).

There are two things to do here:

1. Fix the TranformRec pass so it no longer makes these strange types.
2. Fix the termination checker to be more robust against strange types.

Failed constraints coming from instances of type class methods highlight have bogus associated code-spans, namely they always seem to highlight the instance declaration instead of the method (see tests/neg/Class2.hs).

I suspect that this is due to the auto-generated nature of the actual core-binds we get from GHC...

the relevant files should be tucked inside the cabal directory. (cf. nanojs prelude.spec)

The code (without user specified type signature)

isEven 0 = True
isEven n = isEven  $ n - 1

crashes with

argExpr: isEven @ a $dEq $dNum

We're currently limited in what we can say about a method of a type-class because we don't have a way of abstracting measures, e.g. consider a type-class for computing the size of a container.

class Sized (s :: * -> *) where
  size :: s a -> Int

How would we annotate size? We don't have a generic notion of size in liquidhaskell, nor should we since not all types have a sensible definition for size. I propose to add measures to type-classes, e.g.

class Sized (s :: * -> *) where
  {-@ class measure size :: s a -> Int @-}

  {-@ size :: Sized s => x:s a -> {v:Int | v = (size x)} @-}
  size :: s a -> Int

instance Sized [] where
  {-@ instance measure size [] = len @-}
  size = length

I have a more complete example that also includes client code using the type-class in tests/todo/Class.hs.

Constraint.hs has gotten huge. We should split it into the CG monad API, in a separate CGMonad.hs and the actual constraint generation code that traverses the CoreExpr and does the splitting.)

See:

tests/todo/err8.hs
tests/todo/err12.hs

Should gracefully exit (with the line number etc. as with ghc/parse/etc. errors), i.e. the "CRASH" errors, as with

tests/todo/err9.hs

not the ERROR ERROR ERROR business.

see:

tests/todo/aliasConst.hs
tests/todo/err9.hs

@nikivazou why is tests/pos/tup0.hs failing (the 2nd signature fails, not the first...)

any clue?

Only base types are allowed to appear in the type of a measure, but this is less accurate than it could be, e.g. when dealing with measures that denote the size of a value.

measure len :: [a] -> Int
len []     = 0
len (x:xs) = 1 + len xs

Since the type only specifies that len returns an Int, we need to additionally define an invariant on Int.

invariant {v:[a] | (len v) >= 0}

This is a bit tedious when what we really want to write is just

measure len :: [a] -> Nat
len []     = 0
len (x:xs) = 1 + len xs

Perhaps there's a good reason to disallow refinements in the return type of a measure, but it isn't apparent to me.

A couple patterns I noticed while working on text which are just noise and make it harder to parse out the minimal inferred type:

1. Some mathematical simplification is possible, e.g. (v <= ((tlen x) - (tlen empty))) could be simplified to (v <= (tlen x)) because empty :: {v:Text | (tlen v) = 0}. Or perhaps you have (v < x + y) && (v < y + x) when we only need one of the conjuncts (this has a nasty interaction with pattern 3).
2. Some logical simplification is possible, e.g. ((tlen empty) > 0) => FOO can be removed entirely because the antecedent is false. I can't actually find an instance of this pattern at the moment so perhaps it's already been fixed, but I'm leaving it here just in case.
3. Some refinements are duplicated due to the eta* vars, e.g. (x = 0) && (eta_B1 = 0) where x == eta_B1. It would be nice to track these aliases somehow and prefer the name that is actually used in the source.

These things may seem minor but they add up. I have seen inferred types that span half of my screen, which are often full of this kind of noise.

The following code crashes with error

panic! (the 'impossible' happened)

data F a = F a

-- give F two parameters instead of one
{-@ foo :: a -> F a b @-} 
foo :: a -> F a
foo = undefined

instead of giving a type mismatch error

See:

• tests/neg/StrictPair0.hs
• tests/neg/StrictPair1.hs

The first uses "built-in" tuples, the second a new "hand-rolled" Pair constructor.

BOTH are obviously unsafe, but somehow the second one is marked SAFE!

Similarly, the "pos" tests have the wrong behavior. (Works for regular tuples, not for defined type)

• tests/pos/StrictPair0.hs
• tests/pos/StrictPair1.hs

(In general, looks like those refinements are being ignored...)

Any idea what's going on?

they can be really annoying during development..

Sometimes I want to look at the Core that GHC generates and the scc annotations are really noisy.

Right now we let generic measures apply to any a, but we probably want to have some constraints, e.g. instead of

class measure size :: a -> Int

we might want to say

class measure size :: Sized s => s a -> Int

and then check that the instance definitions have a valid instantiation of s.

We'll probably also want to add some notion of constraint to fixpoint at some point to prevent a lot of pointless qualifier instantiations too.

See tests/todo/Eval.hs

In the definition of measure free the last line has a sort-error as it is not a well-formed Prop.

If you change the last line of the above to:

free (Let x e1 e2) = {v | (Set_cup (free e1) (Set_dif (free e2) (Set_sng x)))}

then the program is safe. Otherwise the measure is malformed, and oddness
ensues, but liquidhaskell does not crash, it silently drops the measure.
We should report any malformed measure as an error, and stop...

[hsenv]rjhala@ubuntu:~/research/liquid/liquidhaskell (master)$ liquid --notermination tests/todo/Eval.hs > log
WARNING: prune unsorted reft:
(? Set_cup([free([e1#a1eW]);
        Set_dif([free([e2#a1eX]); Set_sng([x#a1eV])])]))
BExp Set_cup([free([e1#a1eW]);
     Set_dif([free([e2#a1eX]); Set_sng([x#a1eV])])]) with non-propositional type  Set_Set ([GHC.Types.Char])

@gridaphobe if you run tests/pos/fixme0.hs you will see there is a bizarre type error:

Specified Liquid Type Does Not Match Haskell Type
Haskell: Goo.cnt :: forall a a. (GHC.Classes.Eq a, GHC.Num.Num a, GHC.Num.Num a) => a -> a
Liquid : Goo.cnt :: forall a a. dummy.tests.pos.fixme0.hs.4.12:(GHC.Types.Int) -> (GHC.Types.Int)

The bizarre thing is the

forall a a. Int -> Int

shown for the Liquid. Why is the forall a a. there? Why ANY forall? Why the duplicates? At any rate, can you fix it? Thanks! RJ.

See tests/todo/aliasError.hs

Instead of barfing:

safeZip called on non-eq-sized lists (nxs = 3, nys = 2) : expandRPApp: EApp Rng [ECon (I 0),ECon (I 10)]

we should produce, at the very least something like:

malformed alias application (Rng 0 10)` on line XXX column YYY

http://goto.ucsd.edu:8090/index.html#?demo=permalink%2F1380410092.hs

TWO mysteries:

1. why is 'goon' not type checking? (I suppose I can download an older version to see if this is something new).
2. why is 'rev' raising a type error inside the recursive call to 'go' ?

Looks like we've introduced some bugs somewhere...?

see: [tests/neg/Eval.hs]

tests/pos/deepmeas0.hs is failing with another one of these type mismatch errors where the tyvars are reversed between liquidhaskell and ghc.. We can prevent the error by providing an explicit type signature for klookup, but this is getting to be rather annoying.

We need a more general solution for determining the equality of GHC and liquidhaskell types.

Eg,

foo = ...
  where
    bar :: [a] -> Int -> a
    {-@ bar :: xs:[a] -> {v:Int | v = (len xs)} -> a @-}
    bar = ...

With no need to specify the inferred properties of xs.

Subtyping in user signatures is more expensive that checking, so maybe we should let checking be the default and annotate where subtyping is expected.

@nikivazou why is the tests/neg/qsloop.hs proved "safe" without the --notermination?

That is, why is the function proved terminating? It patently does not terminate, e.g. if you run it with the input [1,2,3] ?

Problem:
tests/pos/deepmeas0.hs fails because we merge all measures into a single datacons for [] and : which is malformed here due to the deep-measure definition.

Solution:

• Typecheck measure definitions BEFORE converting into DataCon.
• Typecheck raw DATACON definitions in ISOLATION

Earlier we commenting the DATACON typechecks out to enable deepmeasures but that allows glitches in the datacon specifications to silently creep in and be ignored.

In Language.Haskell.Liquid.Prelude.hs there are many pointer-related functions,
eg

{-@ isNullPtr :: p:(Ptr a) -> {v:Bool | ((Prop v) <=> (isNullPtr p)) } @-}
isNullPtr :: Ptr a -> Bool
isNullPtr p = (p == nullPtr)

So, when I import Prelude I get the isNullPtr qualifier which most probably won't need.

Can I move these functions to another place, maybe Language.Haskell.Liquid.Foreign.hs?

The following code

{-@ listElem :: y:a -> zs:[a] -> {v:Bool | (Prop(v) <=> Set_mem(y, (listElts(zs))))} @-}
listElem ::  a -> [a] -> Bool
listElem = undefined

Crashes with a z3 error:

z3Pred: error converting (Prop(VV) <=> Set_mem(~A0, listElts([~A1])))
Fatal error: exception Failure("Ast.sortcheck_app: type args not fully instantiated Set_mem([~A0; listElts([~A1])])")

When typechecking the measure definitions, we don't check the result type,

see tests/todo/Measure.hs

The following snippet makes liquidhaskell crash

module Encoding where

import Data.ByteString as B
import Data.ByteString.Internal as B
import Data.Text.Internal (Text(..), safe, textP)
import Data.Word (Word8)
import Foreign.C.Types (CSize)
import Foreign.ForeignPtr (withForeignPtr, ForeignPtr)
import Foreign.Ptr (Ptr, minusPtr, plusPtr)


-- | Encode text using UTF-8 encoding.
encodeUtf8 :: Text -> ByteString
encodeUtf8 (Text arr off len) = inlinePerformIO $ do
  let size0 = max len 4
  mallocByteString size0 >>= start size0 off 0
 where
--  start :: Int -> Int -> Int -> ForeignPtr Word8 -> IO ByteString
  start size n0 m0 fp = withForeignPtr fp $ go n0 m0
   where
      offLen = off + len
      go n m ptr
        | n == offLen = return (PS fp 0 m)
        | otherwise = do
            let ensure k act
                  | size-m >= k = act
                  | otherwise = do
                      let newSize = size
                      fp' <- mallocByteString newSize
                      start newSize n m fp'
                {-# INLINE ensure #-}
            ensure 4 $ return $ PS fp 0 m

The issue seems to be that we don't have a case for handling Coercions in Language.Haskell.Liquid.ANFTransform.normalize. For this case, we can work around it by uncommenting the type or removing the INLINE annotation.

I have used GHC 7.4.2 and ocaml 4.00.1 on an x86_64 Fedora 18 system to install liquid-fixedpoint (3817defc18ef6413627fe7ec897f90960060bf2b) and liquid haskell (0593c52). But am unable to get the system to cleanly build any examples - perhaps this is due to my own error?

For example:

$ liquid LiquidArray.hs
© Copyright 2009-12 Regents of the University of California.
All Rights Reserved.
liquid ["LiquidArray.hs"]

paths = ["./","/home/tommd/dev/liquidhaskell/include"]
parseSpec: LiquidArray.hs for module LiquidArray
getSpecs: [("Prelude","/home/tommd/dev/liquidhaskell/include/Prelude.spec")]
parseSpec: /home/tommd/dev/liquidhaskell/include/Prelude.spec for module Prelude
parseSpec: /home/tommd/dev/liquidhaskell/include/GHC/Base.spec for module GHC.Base
parseSpec: /home/tommd/dev/liquidhaskell/include/GHC/List.lhs for module GHC.List
parseSpec: /home/tommd/dev/liquidhaskell/include/GHC/Classes.spec for module GHC.Classes
parseSpec: /home/tommd/dev/liquidhaskell/include/GHC/Prim.spec for module GHC.Prim
parseSpec: /home/tommd/dev/liquidhaskell/include/GHC/Types.spec for module GHC.Types
liquid: mkTopLevEnv: not interpreted main:LiquidArray

and this means the tests fail:

...
exec: liquid ../web/demos/lenMapReduce.hs
liquid: mkTopLevEnv: not interpreted main:ListLengths
0.208691 seconds
FAILURE :( (../web/demos/lenMapReduce.hs)

Let me know if I can provide any other useful information. Feel free to close/pbkc if that's the case.

Since we have both .spec and .hs files in include/, the import directive can give the impression that you can import a .hs from a .spec. This is not the case, .hs imports are all handled by GHC in the depanal phase. Furthermore, the only reason to put a .hs file into the include directory is to add new Haskell functions, which would then have to be imported by the original source file anyway.

I suggest we scrap the import directive since it serves no purpose other than to let spec files include other spec files, but the Haskell module system already solves this problem. We should instead grab the entire module graph from GHC (not the local modules that are exposed by getModuleGraph) and parse the specs that are part of the graph. It's not immediately clear to me how to get the whole graph, but it must be possible somehow..

As an alternative, I would suggest making it an explicit error to import a .hs file from a .spec file.

@nikivazou when you have time can you take a look at Data.Text.Lazy.isInfixOf in my text branch? It (and a few other functions) are crashing with the following type of error:

checkTycon cconsCaselq_anf__d4R0type: exists [z:{VV#2976 : (Data.Text.Fusion.Internal.Stream {VV#2974 : (GHC.Types.Char) | k_2975[f:=isSingleton#r226][g:=stream#r3zS][x:=needle#a4nX] && k_2983[lq_tmp_x2986:=needle#a4nX][VV#2982:=VV#2974][f:=isSingleton#r226][g:=stream#r3zS][x:=needle#a4nX]}) | k_2977[f:=isSingleton#r226][g:=stream#r3zS][x:=needle#a4nX] && k_2985[lq_tmp_x2986:=needle#a4nX][VV#2984:=VV#2976][f:=isSingleton#r226][g:=stream#r3zS][x:=needle#a4nX]}].{VV#2978 : (GHC.Types.Bool) | k_2979[f:=isSingleton#r226][g:=stream#r3zS][x:=needle#a4nX] && k_2989[lq_tmp_x2990:=z][VV#2988:=VV#2978][f:=isSingleton#r226][g:=stream#r3zS][x:=needle#a4nX]}

This appears to be due to the recent addition of the existential in the refinement for (.). I've commented out the refinement for the time being, so I'm not blocked, but it would be nice to know why this is happening.

I would like to write

{-@ data List a = N | C (head:a) (tail:(List a)) 
                deriving (Len, Cmp, Fields) 
  @-}

and get the measure definitions

• for Len derivation

measure dlenList :: (List a) -> Int
  dlenList N        = 0
  dlenList (C x xs) = 1 + dlenList xs

• for Cmp derivation

measure isN :: (List a) -> Prop
  isN N = true
  isN _ = false

measure isC :: (List a) -> Prop
  isN (C _ _) = true
  isN _       = false

• for Fields derivation

measure head :: (List a) -> a
  head (C x xs) = x

measure tail :: (List a) -> (List a)
  tail (C x xs) = xs

If you find more interesting "measure Classes" please add them

Some notes:

• Both Cmp and Fields depend on the names of data constructors,
  but Len is not

  so the user should write

  {v : List a | len v = 12}` and `{v : Tree a | len v = 12}
  

  and get it translated to

{v : List a | dlenList v = 12}` and `{v : Tree a | dlenTree v = 12

(and make the inverse translation while printing the types)

• This is not only for usability but also for soundness.
  There is the question of what happens if the user defines the measures in a wrong way.
  Ie.,

  measure isN :: (List a) -> Prop
   isNull N = false
   isNull _ = true

Now this questions goes down to what happens if a user defines a monadic instance that does
not satisfy monadic laws, which seems more reasonable.

• With this we also have a size measure for termination
  so, we don't have to explicitly provide it the definition

type alias duplications not reported, see:

tests/pos/typeAliasDup.hs

If you run

liquid tests/pos/tyfam0.hs

from here https://github.com/ucsd-progsys/liquidhaskell/blob/master/tests/pos/tyfam0.hs

then we get a GHC panic. Perhaps has to do with this call:

https://github.com/ucsd-progsys/liquidhaskell/blob/master/Language/Haskell/Liquid/RefType.hs#L704

but I'm not sure, am building a prof version to get a backtrace. Any clues?

Consider the following (in tests/todo/LazyVar.hs)

{-@ foo :: a -> Bool @-}
{-@ bar :: [a] -> Nat -> a @-}
bar :: [a] -> Int -> a
bar xs i
  | i < l && foo x = x
  | otherwise      = undefined
  where
    l = length xs
    {-@ LAZYVAR x @-}
    x = xs !! i

This should be deemed safe because x wil not be demanded unless i < l evaluates to True.

This type has bad syntax, but it appears to cause the LiquidHaskell to crash:

{-@ one :: (Num a) => {v:a | (1:a) <= v} @-}                                    
one :: Num a => a                                                               
one = 1

output:

liquid: Printf.printf: bad formatting char t

1. [1..100] has { len xs > 0 }, maybe add { len xs <= 100 }
2. add MAX_INT constant, so I can define Int predicate (n < MAX_INT) and make "length" safe on infinite lists

see the type signature of empty at benchmarks / esop2013-submission / Array.hs

where

{-@ empty :: forall <p :: Int -> a -> Prop>. Vec <{\v -> 0=1}, p> a @-}

is printed as

<{\v -> 0=1}, p> a @-}

What is refsymbols used for?
Why is it in the CG State monad (global) and not in an environment (local)?

Also (in bsplitC) it is a terrible idea to call variables map... (bit like redefining +)
Please pick a more suitable name. I would suggest one but I'm not sure what's going
on with refsymbols.

In Data/Vector/Algorithms/Radix.hs the class method

size :: (Radix e) => e -> Int

clashes with the parameter

size :: Int

of the function sort and causes a haskell-liquid type mismatch.

currently hacked to rename the parameter, but should
obviously fix, probably, by not using ALL bound variables
in a module, just the ones corresponding to function names
during name resolution.

(Having a bit of trouble generating a minimal test)

Generalize the termination specifications to allow sequences of Refinement Expressions.

For example:

foo :: n:Nat -> m:Nat -> Nat/[n+m]
foo n m  
  | cond1 = 0
  | cond2 = foo (n-1) m
  | cond3 = foo (n+1) (m-2)

Note that this generalizes the current setup nicely,
because instead of specifying the NUMBER (position)
of the decreasing argument, you can just NAME it:

foo :: n:Nat -> m:Nat -> Nat/[m]

Furthermore, we could support the lexicographic
business by simply allowing sequences

foo :: n:Nat -> m:Nat -> Nat/[n, m, n+m]

etc.

So the deal would be that the 'termination list' is
a sequence of LiquidHaskell Expr. The trick would
be to generalize the termination checker to accept
the above which should be possible...

@nikivazou says: Do you want to constraint this list to integers? Should we say

foo :: ls : [a] -> a/[ls]

OR

foo :: ls : [a] -> a/[len ls]

Btw, this is exactly what Xi is doing, for each rec function he defines a size that should be decreasing.

@gridaphobe says:

Yes, it seems like a good idea to accept any expression whose type has an associated termination measure. The benefit is that this approach allows both signatures, they would simply be equivalent. You could also write more interesting sizes like

foo :: xs:[a] -> ys:[a] -> a/[xs ++ ys]

SUGGESTION: Capitalizing all tokens and allow the old ones to be lower case for compatibility ( @ranjitjhala , @gridaphobe what do you think? ):

• "assume" -> "assume" | "ASSUME"
• "assert" -> "assert" | "ASSERT"
• "measure" -> "measure" | "MEASURE"
• "import" -> "import" | "IMPORT"
• "data" -> "data" | "DATA"
• "include" -> "include" | "INCLUDE"
• "invariant" -> "invariant" | "INVARIANT"
• "type" -> "type" | "TYPE"
• "predicate" -> "predicate" | "PREDICATE"
• "embed" -> "embed" | "EMBED"
• "qualif" -> "qualif" | "QUALIF"
• "Decrease" -> "DECREASE"
• "LAZYVAR"
• "Strict" [Replaced by "Lazy"]
• "Lazy" -> "LAZY"
• "LIQUID"