Documentation for the Idris Language Version 0.99 Contents 1 The Idris Tutorial 2 2 Frequently Asked Questions 61 3 The Effects Tutorial 66 4 Theorem Proving 98 5 Language Reference 109 6 Tutorials on the Idris Language 173 Note: The documentation for Idris has been published under the Creative Commons CC0 License. As such to the extent possible under law, The Idris Community has waived all copyright and related or neighboring rights to Documentation for Idris. More information concerning the CC0 can be found online at: http://creativecommons.org/publicdomain/zero/1.0/ 1 CHAPTER 1 The Idris Tutorial This is the Idris Tutorial. It will teach you about programming in the Idris Language. Note: The documentation for Idris has been published under the Creative Commons CC0 License. As such to the extent possible under law, The Idris Community has waived all copyright and related or neighboring rights to Documentation for Idris. More information concerning the CC0 can be found online at: http://creativecommons.org/publicdomain/zero/1.0/ 1.1 Introduction In conventional programming languages, there is a clear distinction between types and values. For example, in Haskell, the following are types, representing integers, characters, lists of characters, and lists of any value respectively: • Int, Char, [Char], [a] Correspondingly, the following values are examples of inhabitants of those types: • 42, ’a’, "Hello world!", [2,3,4,5,6] In a language with dependent types, however, the distinction is less clear. Dependent types allow types to “depend” on values — in other words, types are a first class language construct and can be manipulated like any other value. The standard example is the type of lists of a given length 1 , Vect n a, where a is the element type and n is the length of the list and can be an arbitrary term. When types can contain values, and where those values describe properties, for example the length of a list, the type of a function can begin to describe its own properties. Take for example the concatenation of two lists. This operation has the property that the resulting list’s length is the sum of the lengths of the two input lists. We can therefore give the following type to the app function, which concatenates vectors: app : Vect n a -> Vect m a -> Vect (n + m) a This tutorial introduces Idris, a general purpose functional programming language with dependent types. The goal of the Idris project is to build a dependently typed language suitable for verifiable general pur- pose programming. To this end, Idris is a compiled language which aims to generate efficient executable code. It also has a lightweight foreign function interface which allows easy interaction with external C 1 Typically, and perhaps confusingly, referred to in the dependently typed programming literature as “vectors” 2 CHAPTER 1. THE IDRIS TUTORIAL v0.99 libraries. 1.1.1 Intended Audience This tutorial is intended as a brief introduction to the language, and is aimed at readers already familiar with a functional language such as Haskell or OCaml. In particular, a certain amount of familiarity with Haskell syntax is assumed, although most concepts will at least be explained briefly. The reader is also assumed to have some interest in using dependent types for writing and verifying systems software. 1.1.2 Example Code This tutorial includes some example code, which has been tested with against Idris. These files are available with the Idris distribution, so that you can try them out easily. They can be found under samples. It is, however, strongly recommended that you type them in yourself, rather than simply loading and reading them. 1.2 Getting Started 1.2.1 Prerequisites Before installing Idris, you will need to make sure you have all of the necessary libraries and tools. You will need: • A fairly recent Haskell platform. Version 2013.2.0.0 should be sufficiently recent, though it is better to be completely up to date. • The GNU Multiple Precision Arithmetic Library (GMP) is available from MacPorts/Homebrew and all major Linux distributions. 1.2.2 Downloading and Installing The easiest way to install Idris, if you have all of the prerequisites, is to type: cabal update; cabal install idris This will install the latest version released on Hackage, along with any dependencies. If, however, you would like the most up to date development version you can find it, as well as build instructions, on GitHub at: https://github.com/idris-lang/Idris-dev. If you haven’t previously installed anything using Cabal, then Idris may not be on your path. Should the Idris executable not be found please ensure that you have added ~/.cabal/bin to your $PATH environment variable. Mac OS X users may find they need to add ~/Library/Haskell/bin instead, and Windows users will typically find that Cabal installs programs in %HOME%\AppData\Roaming\cabal\bin. To check that installation has succeeded, and to write your first Idris program, create a file called hello.idr containing the following text: module Main main : IO () main = putStrLn "Hello world" 3 CHAPTER 1. THE IDRIS TUTORIAL v0.99 If you are familiar with Haskell, it should be fairly clear what the program is doing and how it works, but if not, we will explain the details later. You can compile the program to an executable by entering idris hello.idr -o hello at the shell prompt. This will create an executable called hello, which you can run: $ idris hello.idr -o hello $ ./hello Hello world Please note that the dollar sign $ indicates the shell prompt! Some useful options to the Idris command are: • -o prog to compile to an executable called prog. • --check type check the file and its dependencies without starting the interactive environment. • --package pkg add package as dependency, e.g. --package contrib to make use of the contrib package. • --help display usage summary and command line options. 1.2.3 The Interactive Environment Entering idris at the shell prompt starts up the interactive environment. You should see something like the following: $ idris ____ __ _ / _/___/ /____(_)____ / // __ / ___/ / ___/ Version 0.99 _/ // /_/ / / / (__ ) http://www.idris-lang.org/ /___/\__,_/_/ /_/____/ Type :? for help Idris> This gives a ghci style interface which allows evaluation of, as well as type checking of, expressions; theorem proving, compilation; editing; and various other operations. The command :? gives a list of supported commands. Below, we see an example run in which hello.idr is loaded, the type of main is checked and then the program is compiled to the executable hello. Type checking a file, if successful, creates a bytecode version of the file (in this case hello.ibc) to speed up loading in future. The bytecode is regenerated if the source file changes. $ idris hello.idr ____ __ _ / _/___/ /____(_)____ / // __ / ___/ / ___/ Version 0.99 _/ // /_/ / / / (__ ) http://www.idris-lang.org/ /___/\__,_/_/ /_/____/ Type :? for help Type checking ./hello.idr *hello> :t main Main.main : IO () *hello> :c hello *hello> :q Bye bye $ ./hello Hello world 4 CHAPTER 1. THE IDRIS TUTORIAL v0.99 1.3 Types and Functions 1.3.1 Primitive Types Idris defines several primitive types: Int, Integer and Double for numeric operations, Char and String for text manipulation, and Ptr which represents foreign pointers. There are also several data types declared in the library, including Bool, with values True and False. We can declare some constants with these types. Enter the following into a file Prims.idr and load it into the Idris interactive environment by typing idris Prims.idr: module Prims x : Int x = 42 foo : String foo = "Sausage machine" bar : Char bar = 'Z' quux : Bool quux = False An Idris file consists of an optional module declaration (here module Prims) followed by an optional list of imports and a collection of declarations and definitions. In this example no imports have been specified. However Idris programs can consist of several modules and the definitions in each module each have their own namespace. This is discussed further in Section Modules and Namespaces (page 28)). When writing Idris programs both the order in which definitions are given and indentation are significant. Functions and data types must be defined before use, incidentally each definition must have a type declaration, for example see x : Int, foo : String, from the above listing. New declarations must begin at the same level of indentation as the preceding declaration. Alternatively, a semicolon ; can be used to terminate declarations. A library module prelude is automatically imported by every Idris program, including facilities for IO, arithmetic, data structures and various common functions. The prelude defines several arithmetic and comparison operators, which we can use at the prompt. Evaluating things at the prompt gives an answer, and the type of the answer. For example: *prims> 6*6+6 42 : Integer *prims> x == 6*6+6 True : Bool All of the usual arithmetic and comparison operators are defined for the primitive types. They are overloaded using interfaces, as we will discuss in Section Interfaces (page 21) and can be extended to work on user defined types. Boolean expressions can be tested with the if...then...else construct, for example: *prims> if x == 6 * 6 + 6 then "The answer!" else "Not the answer" "The answer!" : String 1.3.2 Data Types Data types are declared in a similar way and with similar syntax to Haskell. Natural numbers and lists, for example, can be declared as follows: 5 CHAPTER 1. THE IDRIS TUTORIAL v0.99 data Nat = Z | S Nat -- Natural numbers -- (zero and successor) data List a = Nil | (::) a (List a) -- Polymorphic lists The above declarations are taken from the standard library. Unary natural numbers can be either zero (Z), or the successor of another natural number (S k). Lists can either be empty (Nil) or a value added to the front of another list (x :: xs). In the declaration for List, we used an infix operator ::. New operators such as this can be added using a fixity declaration, as follows: infixr 10 :: Functions, data constructors and type constructors may all be given infix operators as names. They may be used in prefix form if enclosed in brackets, e.g. (::). Infix operators can use any of the symbols: :+-*\/=.?|&><!@$%^~# Some operators built from these symbols can’t be user defined. These are :, =>, ->, <-, =, ?=, |, **, ==>, \, %, ~, ?, and !. 1.3.3 Functions Functions are implemented by pattern matching, again using a similar syntax to Haskell. The main difference is that Idris requires type declarations for all functions, using a single colon : (rather than Haskell’s double colon ::). Some natural number arithmetic functions can be defined as follows, again taken from the standard library: -- Unary addition plus : Nat -> Nat -> Nat plus Z y = y plus (S k) y = S (plus k y) -- Unary multiplication mult : Nat -> Nat -> Nat mult Z y = Z mult (S k) y = plus y (mult k y) The standard arithmetic operators + and * are also overloaded for use by Nat, and are implemented using the above functions. Unlike Haskell, there is no restriction on whether types and function names must begin with a capital letter or not. Function names (plus and mult above), data constructors (Z, S, Nil and ::) and type constructors (Nat and List) are all part of the same namespace. By convention, however, data types and constructor names typically begin with a capital letter. We can test these functions at the Idris prompt: Idris> plus (S (S Z)) (S (S Z)) 4 : Nat Idris> mult (S (S (S Z))) (plus (S (S Z)) (S (S Z))) 12 : Nat Note: When displaying an element of Nat such as (S (S (S (S Z)))), Idris displays it as 4. The result of plus (S (S Z)) (S (S Z)) is actually (S (S (S (S Z)))) which is the natural number 4. This can be checked at the Idris prompt: Idris> (S (S (S (S Z)))) 4 : Nat Like arithmetic operations, integer literals are also overloaded using interfaces, meaning that we can also test the functions as follows: 6 CHAPTER 1. THE IDRIS TUTORIAL v0.99 Idris> plus 2 2 4 : Nat Idris> mult 3 (plus 2 2) 12 : Nat You may wonder, by the way, why we have unary natural numbers when our computers have perfectly good integer arithmetic built in. The reason is primarily that unary numbers have a very convenient structure which is easy to reason about, and easy to relate to other data structures as we will see later. Nevertheless, we do not want this convenience to be at the expense of efficiency. Fortunately, Idris knows about the relationship between Nat (and similarly structured types) and numbers. This means it can optimise the representation, and functions such as plus and mult. where clauses Functions can also be defined locally using where clauses. For example, to define a function which reverses a list, we can use an auxiliary function which accumulates the new, reversed list, and which does not need to be visible globally: reverse : List a -> List a reverse xs = revAcc [] xs where revAcc : List a -> List a -> List a revAcc acc [] = acc revAcc acc (x :: xs) = revAcc (x :: acc) xs Indentation is significant — functions in the where block must be indented further than the outer function. Note: Scope Any names which are visible in the outer scope are also visible in the where clause (unless they have been redefined, such as xs here). A name which appears only in the type will be in scope in the where clause if it is a parameter to one of the types, i.e. it is fixed across the entire structure. As well as functions, where blocks can include local data declarations, such as the following where MyLT is not accessible outside the definition of foo: foo : Int -> Int foo x = case isLT of Yes => x*2 No => x*4 where data MyLT = Yes | No isLT : MyLT isLT = if x < 20 then Yes else No In general, functions defined in a where clause need a type declaration just like any top level function. However, the type declaration for a function f can be omitted if: • f appears in the right hand side of the top level definition • The type of f can be completely determined from its first application So, for example, the following definitions are legal: even : Nat -> Bool even Z = True even (S k) = odd k where 7 CHAPTER 1. THE IDRIS TUTORIAL v0.99 odd Z = False odd (S k) = even k test : List Nat test = [c (S 1), c Z, d (S Z)] where c x = 42 + x d y = c (y + 1 + z y) where z w = y + w 1.3.4 Dependent Types First Class Types In Idris, types are a first class language construct, meaning that they can be computed and manipulated (and passed to functions) just like any other language construct. For example, we could write a function which computes a type: isSingleton : Bool -> Type isSingleton True = Nat isSingleton False = List Nat This function calculates the appropriate type from a Bool which flags whether the type should be a singleton or not. We can use this function to calculate a type anywhere that a type can be used. For example, it can be used to calculate a return type: mkSingle : (x : Bool) -> isSingleton x mkSingle True = 0 mkSingle False = [] Or it can be used to have varying input types. The following function calculates either the sum of a list of Nat, or returns the given Nat, depending on whether the singleton flag is true: sum : (single : Bool) -> isSingleton single -> Nat sum True x = x sum False [] = 0 sum False (x :: xs) = x + sum False xs Vectors A standard example of a dependent data type is the type of “lists with length”, conventionally called vectors in the dependent type literature. They are available as part of the Idris library, by importing Data.Vect, or we can declare them as follows: data Vect : Nat -> Type -> Type where Nil : Vect Z a (::) : a -> Vect k a -> Vect (S k) a Note that we have used the same constructor names as for List. Ad-hoc name overloading such as this is accepted by Idris, provided that the names are declared in different namespaces (in practice, normally in different modules). Ambiguous constructor names can normally be resolved from context. This declares a family of types, and so the form of the declaration is rather different from the simple type declarations above. We explicitly state the type of the type constructor Vect — it takes a Nat and a type as an argument, where Type stands for the type of types. We say that Vect is indexed over Nat and parameterised by Type. Each constructor targets a different part of the family of types. Nil can only be used to construct vectors with zero length, and :: to construct vectors with non-zero length. In 8 CHAPTER 1. THE IDRIS TUTORIAL v0.99 the type of ::, we state explicitly that an element of type a and a tail of type Vect k a (i.e., a vector of length k) combine to make a vector of length S k. We can define functions on dependent types such as Vect in the same way as on simple types such as List and Nat above, by pattern matching. The type of a function over Vect will describe what happens to the lengths of the vectors involved. For example, ++, defined as follows, appends two Vect: (++) : Vect n a -> Vect m a -> Vect (n + m) a (++) Nil ys = ys (++) (x :: xs) ys = x :: xs ++ ys The type of (++) states that the resulting vector’s length will be the sum of the input lengths. If we get the definition wrong in such a way that this does not hold, Idris will not accept the definition. For example: (++) : Vect n a -> Vect m a -> Vect (n + m) a (++) Nil ys = ys (++) (x :: xs) ys = x :: xs ++ xs -- BROKEN When run through the Idris type checker, this results in the following: $ idris vbroken.idr --check vbroken.idr:9:23:When elaborating right hand side of Vect.++: When elaborating an application of constructor Vect.::: Type mismatch between Vect (k + k) a (Type of xs ++ xs) and Vect (plus k m) a (Expected type) Specifically: Type mismatch between plus k k and plus k m This error message suggests that there is a length mismatch between two vectors — we needed a vector of length k + m, but provided a vector of length k + k. The Finite Sets Finite sets, as the name suggests, are sets with a finite number of elements. They are available as part of the Idris library, by importing Data.Fin, or can be declared as follows: data Fin : Nat -> Type where FZ : Fin (S k) FS : Fin k -> Fin (S k) From the signature, we can see that this is a type constructor that takes a Nat, and produces a type. So this is not a set in the sense of a collection that is a container of objects, rather it is the canonical set of unnamed elements, as in “the set of 5 elements,” for example. Effectively, it is a type that captures integers that fall into the range of zero to (n - 1) where n is the argument used to instantiate the Fin type. For example, Fin 5 can be thought of as the type of integers between 0 and 4. Let us look at the constructors in greater detail. FZ is the zeroth element of a finite set with S k elements; FS n is the n+1th element of a finite set with S k elements. Fin is indexed by a Nat, which represents the number of elements in the set. Since we can’t construct an element of an empty set, neither constructor targets Fin Z. As mentioned above, a useful application of the Fin family is to represent bounded natural numbers. 9 CHAPTER 1. THE IDRIS TUTORIAL v0.99 Since the first n natural numbers form a finite set of n elements, we can treat Fin n as the set of integers greater than or equal to zero and less than n. For example, the following function which looks up an element in a Vect, by a bounded index given as a Fin n, is defined in the prelude: index : Fin n -> Vect n a -> a index FZ (x :: xs) = x index (FS k) (x :: xs) = index k xs This function looks up a value at a given location in a vector. The location is bounded by the length of the vector (n in each case), so there is no need for a run-time bounds check. The type checker guarantees that the location is no larger than the length of the vector, and of course no less than zero. Note also that there is no case for Nil here. This is because it is impossible. Since there is no element of Fin Z, and the location is a Fin n, then n can not be Z. As a result, attempting to look up an element in an empty vector would give a compile time type error, since it would force n to be Z. Implicit Arguments Let us take a closer look at the type of index: index : Fin n -> Vect n a -> a It takes two arguments, an element of the finite set of n elements, and a vector with n elements of type a. But there are also two names, n and a, which are not declared explicitly. These are implicit arguments to index. We could also write the type of index as: index : {a:Type} -> {n:Nat} -> Fin n -> Vect n a -> a Implicit arguments, given in braces {} in the type declaration, are not given in applications of index; their values can be inferred from the types of the Fin n and Vect n a arguments. Any name beginning with a lower case letter which appears as a parameter or index in a type declaration, which is not applied to any arguments, will always be automatically bound as an implicit argument. Implicit arguments can still be given explicitly in applications, using {a=value} and {n=value}, for example: index {a=Int} {n=2} FZ (2 :: 3 :: Nil) In fact, any argument, implicit or explicit, may be given a name. We could have declared the type of index as: index : (i:Fin n) -> (xs:Vect n a) -> a It is a matter of taste whether you want to do this — sometimes it can help document a function by making the purpose of an argument more clear. Furthermore, {} can be used to pattern match on the left hand side, i.e. {var = pat} gets an implicit variable and attempts to pattern match on “pat”; For example : isEmpty : Vect n a -> Bool isEmpty {n = Z} _ = True isEmpty {n = S k} _ = False “using” notation Sometimes it is useful to provide types of implicit arguments, particularly where there is a dependency ordering, or where the implicit arguments themselves have dependencies. For example, we may wish to 10 CHAPTER 1. THE IDRIS TUTORIAL v0.99 state the types of the implicit arguments in the following definition, which defines a predicate on vectors (this is also defined in Data.Vect, under the name Elem): data IsElem : a -> Vect n a -> Type where Here : {x:a} -> {xs:Vect n a} -> IsElem x (x :: xs) There : {x,y:a} -> {xs:Vect n a} -> IsElem x xs -> IsElem x (y :: xs) An instance of IsElem x xs states that x is an element of xs. We can construct such a predicate if the required element is Here, at the head of the vector, or There, in the tail of the vector. For example: testVec : Vect 4 Int testVec = 3 :: 4 :: 5 :: 6 :: Nil inVect : IsElem 5 Main.testVec inVect = There (There Here) Important: Implicit Arguments and Scope Within the type signature the typechecker will treat all variables that start with an lowercase letter and are not applied to something else as an implicit variable. To get the above code example to compile you will need to provide a qualified name for testVec. In the example above, we have assumed that the code lives within the Main module. If the same implicit arguments are being used a lot, it can make a definition difficult to read. To avoid this problem, a using block gives the types and ordering of any implicit arguments which can appear within the block: using (x:a, y:a, xs:Vect n a) data IsElem : a -> Vect n a -> Type where Here : IsElem x (x :: xs) There : IsElem x xs -> IsElem x (y :: xs) Note: Declaration Order and mutual blocks In general, functions and data types must be defined before use, since dependent types allow functions to appear as part of types, and type checking can rely on how particular functions are defined (though this is only true of total functions; see Section Totality Checking (page 41))). However, this restriction can be relaxed by using a mutual block, which allows data types and functions to be defined simultaneously: mutual even : Nat -> Bool even Z = True even (S k) = odd k odd : Nat -> Bool odd Z = False odd (S k) = even k In a mutual block, first all of the type declarations are added, then the function bodies. As a result, none of the function types can depend on the reduction behaviour of any of the functions in the block. 1.3.5 I/O Computer programs are of little use if they do not interact with the user or the system in some way. The difficulty in a pure language such as Idris — that is, a language where expressions do not have side-effects 11 CHAPTER 1. THE IDRIS TUTORIAL v0.99 — is that I/O is inherently side-effecting. Therefore in Idris, such interactions are encapsulated in the type IO: data IO a -- IO operation returning a value of type a We’ll leave the definition of IO abstract, but effectively it describes what the I/O operations to be executed are, rather than how to execute them. The resulting operations are executed externally, by the run-time system. We’ve already seen one IO program: main : IO () main = putStrLn "Hello world" The type of putStrLn explains that it takes a string, and returns an element of the unit type () via an I/O action. There is a variant putStr which outputs a string without a newline: putStrLn : String -> IO () putStr : String -> IO () We can also read strings from user input: getLine : IO String A number of other I/O operations are defined in the prelude, for example for reading and writing files, including: data File -- abstract data Mode = Read | Write | ReadWrite openFile : (f : String) -> (m : Mode) -> IO (Either FileError File) closeFile : File -> IO () fGetLine : (h : File) -> IO (Either FileError String) fPutStr : (h : File) -> (str : String) -> IO (Either FileError ()) fEOF : File -> IO Bool Note that several of these return Either, since they may fail. 1.3.6 “do” notation I/O programs will typically need to sequence actions, feeding the output of one computation into the input of the next. IO is an abstract type, however, so we can’t access the result of a computation directly. Instead, we sequence operations with do notation: greet : IO () greet = do putStr "What is your name? " name <- getLine putStrLn ("Hello " ++ name) The syntax x <- iovalue executes the I/O operation iovalue, of type IO a, and puts the result, of type a into the variable x. In this case, getLine returns an IO String, so name has type String. Indentation is significant — each statement in the do block must begin in the same column. The pure operation allows us to inject a value directly into an IO operation: pure : a -> IO a As we will see later, do notation is more general than this, and can be overloaded. 12 CHAPTER 1. THE IDRIS TUTORIAL v0.99 1.3.7 Laziness Normally, arguments to functions are evaluated before the function itself (that is, Idris uses eager eval- uation). However, this is not always the best approach. Consider the following function: ifThenElse : Bool -> a -> a -> a; ifThenElse True t e = t; ifThenElse False t e = e; This function uses one of the t or e arguments, but not both (in fact, this is used to implement the if...then...else construct as we will see later. We would prefer if only the argument which was used was evaluated. To achieve this, Idris provides a Lazy data type, which allows evaluation to be suspended: data Lazy : Type -> Type where Delay : (val : a) -> Lazy a Force : Lazy a -> a A value of type Lazy a is unevaluated until it is forced by Force. The Idris type checker knows about the Lazy type, and inserts conversions where necessary between Lazy a and a, and vice versa. We can therefore write ifThenElse as follows, without any explicit use of Force or Delay: ifThenElse : Bool -> Lazy a -> Lazy a -> a; ifThenElse True t e = t; ifThenElse False t e = e; 1.3.8 Codata Types Codata types are like regular data types, except that they allow for us to define infinite data structures. More precisely, for a type T, each of its constructor arguments of type T are transformed into a coinductive parameter Inf T. This makes each of the T arguments lazy, and allows infinite data structures of type T to be built. One example of a codata type is Stream, which is defined as follows. codata Stream : Type -> Type where (::) : (e : a) -> Stream a -> Stream a This gets translated into the following by the compiler. data Stream : Type -> Type where (::) : (e : a) -> Inf (Stream a) -> Stream a The following is an example of how the codata type Stream can be used to form an infinite data structure. In this case we are creating an infinite stream of ones. ones :: Stream Nat ones = 1 :: ones It is important to note that codata does not allow the creation of infinite mutually recursive data structures. For example the following will create an infinite loop and cause a stack overflow. mutual codata Blue a = B a (Red a) codata Red a = R a (Blue a) mutual blue : Blue Nat blue = B 1 red red : Red Nat red = R 1 blue 13 CHAPTER 1. THE IDRIS TUTORIAL v0.99 mutual findB : (a -> Bool) -> Blue a -> a findB f (B x r) = if f x then x else findR f r findR : (a -> Bool) -> Red a -> a findR f (R x b) = if f x then x else findB f b main : IO () main = do printLn $ findB (== 1) blue To fix this we must add explicit Inf declarations to the constructor parameter types, since codata will not add it to constructor parameters of a different type from the one being defined. For example, the following outputs “1”. mutual data Blue : Type -> Type where B : a -> Inf (Red a) -> Blue a data Red : Type -> Type where R : a -> Inf (Blue a) -> Red a mutual blue : Blue Nat blue = B 1 red red : Red Nat red = R 1 blue mutual findB : (a -> Bool) -> Blue a -> a findB f (B x r) = if f x then x else findR f r findR : (a -> Bool) -> Red a -> a findR f (R x b) = if f x then x else findB f b main : IO () main = do printLn $ findB (== 1) blue 1.3.9 Useful Data Types Idris includes a number of useful data types and library functions (see the libs/ directory in the distri- bution). This chapter describes a few of these. The functions described here are imported automatically by every Idris program, as part of Prelude.idr. List and Vect We have already seen the List and Vect data types: data List a = Nil | (::) a (List a) data Vect : Nat -> Type -> Type where Nil : Vect Z a (::) : a -> Vect k a -> Vect (S k) a Note that the constructor names are the same for each — constructor names (in fact, names in general) can be overloaded, provided that they are declared in different namespaces (see Section Modules and Namespaces (page 28)), and will typically be resolved according to their type. As syntactic sugar, any type with the constructor names Nil and :: can be written in list form. For example: 14 CHAPTER 1. THE IDRIS TUTORIAL v0.99 • [] means Nil • [1,2,3] means 1 :: 2 :: 3 :: Nil The library also defines a number of functions for manipulating these types. map is overloaded both for List and Vect and applies a function to every element of the list or vector. map : (a -> b) -> List a -> List b map f [] = [] map f (x :: xs) = f x :: map f xs map : (a -> b) -> Vect n a -> Vect n b map f [] = [] map f (x :: xs) = f x :: map f xs For example, given the following vector of integers, and a function to double an integer: intVec : Vect 5 Int intVec = [1, 2, 3, 4, 5] double : Int -> Int double x = x * 2 the function map can be used as follows to double every element in the vector: *usefultypes> show (map double intVec) "[2, 4, 6, 8, 10]" : String For more details of the functions available on List and Vect, look in the library files: • libs/prelude/Prelude/List.idr • libs/base/Data/List.idr • libs/base/Data/Vect.idr • libs/base/Data/VectType.idr Functions include filtering, appending, reversing, and so on. Also remember that Idris is still in devel- opment, so if you don’t see the function you need, please feel free to add it and submit a patch! Aside: Anonymous functions and operator sections There are actually neater ways to write the above expression. One way would be to use an anonymous function: *usefultypes> show (map (\x => x * 2) intVec) "[2, 4, 6, 8, 10]" : String The notation \x => val constructs an anonymous function which takes one argument, x and returns the expression val. Anonymous functions may take several arguments, separated by commas, e.g. \x, y, z => val. Arguments may also be given explicit types, e.g. \x : Int => x * 2, and can pattern match, e.g. \(x, y) => x + y. We could also use an operator section: *usefultypes> show (map (* 2) intVec) "[2, 4, 6, 8, 10]" : String (*2) is shorthand for a function which multiplies a number by 2. It expands to \x => x * 2. Similarly, (2*) would expand to \x => 2 * x. 15 CHAPTER 1. THE IDRIS TUTORIAL v0.99 Maybe Maybe describes an optional value. Either there is a value of the given type, or there isn’t: data Maybe a = Just a | Nothing Maybe is one way of giving a type to an operation that may fail. For example, looking something up in a List (rather than a vector) may result in an out of bounds error: list_lookup : Nat -> List a -> Maybe a list_lookup _ Nil = Nothing list_lookup Z (x :: xs) = Just x list_lookup (S k) (x :: xs) = list_lookup k xs The maybe function is used to process values of type Maybe, either by applying a function to the value, if there is one, or by providing a default value: maybe : Lazy b -> Lazy (a -> b) -> Maybe a -> b Note that the types of the first two arguments are wrapped in Lazy. Since only one of the two arguments will actually be used, we mark them as Lazy in case they are large expressions where it would be wasteful to compute and then discard them. Tuples Values can be paired with the following built-in data type: data Pair a b = MkPair a b As syntactic sugar, we can write (a, b) which, according to context, means either Pair a b or MkPair a b. Tuples can contain an arbitrary number of values, represented as nested pairs: fred : (String, Int) fred = ("Fred", 42) jim : (String, Int, String) jim = ("Jim", 25, "Cambridge") *usefultypes> fst jim "Jim" : String *usefultypes> snd jim (25, "Cambridge") : (Int, String) *usefultypes> jim == ("Jim", (25, "Cambridge")) True : Bool Dependent Pairs Dependent pairs allow the type of the second element of a pair to depend on the value of the first element. Traditionally, these are referred to as “sigma types”: data DPair : (a : Type) -> (P : a -> Type) -> Type where MkDPair : {P : a -> Type} -> (x : a) -> P x -> DPair a P Again, there is syntactic sugar for this. (a : A ** P) is the type of a pair of A and P, where the name a can occur inside P. ( a ** p ) constructs a value of this type. For example, we can pair a number with a Vect of a particular length. 16 CHAPTER 1. THE IDRIS TUTORIAL v0.99 vec : (n : Nat ** Vect n Int) vec = (2 ** [3, 4]) If you like, you can write it out the long way, the two are precisely equivalent. vec : DPair Nat (\n => Vect n Int) vec = MkDPair 2 [3, 4] The type checker could of course infer the value of the first element from the length of the vector. We can write an underscore _ in place of values which we expect the type checker to fill in, so the above definition could also be written as: vec : (n : Nat ** Vect n Int) vec = (_ ** [3, 4]) We might also prefer to omit the type of the first element of the pair, since, again, it can be inferred: vec : (n ** Vect n Int) vec = (_ ** [3, 4]) One use for dependent pairs is to return values of dependent types where the index is not necessarily known in advance. For example, if we filter elements out of a Vect according to some predicate, we will not know in advance what the length of the resulting vector will be: filter : (a -> Bool) -> Vect n a -> (p ** Vect p a) If the Vect is empty, the result is easy: filter p Nil = (_ ** []) In the :: case, we need to inspect the result of a recursive call to filter to extract the length and the vector from the result. To do this, we use with notation, which allows pattern matching on intermediate values: filter p (x :: xs) with (filter p xs) | ( _ ** xs' ) = if (p x) then ( _ ** x :: xs' ) else ( _ ** xs' ) We will see more on with notation later. Records Records are data types which collect several values (the record’s fields) together. Idris provides syntax for defining records and automatically generating field access and update functions. Unlike the syntax used for data structures, records in Idris follow a different syntax to that seen with Haskell. For example, we can represent a person’s name and age in a record: record Person where constructor MkPerson firstName, middleName, lastName : String age : Int fred : Person fred = MkPerson "Fred" "Joe" "Bloggs" 30 The constructor name is provided using the constructor keyword, and the fields are then given which are in an indented block following the where keyword (here, firstName, middleName, lastName, and age). You can declare multiple fields on a single line, provided that they have the same type. The field names can be used to access the field values: 17 CHAPTER 1. THE IDRIS TUTORIAL v0.99 *record> firstName fred "Fred" : String *record> age fred 30 : Int *record> :t firstName firstName : Person -> String We can also use the field names to update a record (or, more precisely, produce a copy of the record with the given fields updated): *record> record { firstName = "Jim" } fred MkPerson "Jim" "Joe" "Bloggs" 30 : Person *record> record { firstName = "Jim", age $= (+ 1) } fred MkPerson "Jim" "Joe" "Bloggs" 31 : Person The syntax record { field = val, ... } generates a function which updates the given fields in a record. = assigns a new value to a field, and $= applies a function to update its value. Each record is defined in its own namespace, which means that field names can be reused in multiple records. Records, and fields within records, can have dependent types. Updates are allowed to change the type of a field, provided that the result is well-typed. record Class where constructor ClassInfo students : Vect n Person className : String It is safe to update the students field to a vector of a different length because it will not affect the type of the record: addStudent : Person -> Class -> Class addStudent p c = record { students = p :: students c } c *record> addStudent fred (ClassInfo [] "CS") ClassInfo [MkPerson "Fred" "Joe" "Bloggs" 30] "CS" : Class Nested record update Idris also provides a convenient syntax for accessing and updating nested records. For example, if a field is accessible with the expression c (b (a x)), it can be updated using the following syntax: record { a->b->c = val } x This returns a new record, with the field accessed by the path a->b->c set to val. The syntax is first class, i.e. record { a->b->c = val } itself has a function type. Symmetrically, the field can also be accessed with the following syntax: record { a->b->c } x Dependent Records Records can also be dependent on values. Records parameters, which are not subject to field updates. The parameters appear as arguments to the resulting type, and are written following the record type name. For example, a pair type could be defined as follows: 18 CHAPTER 1. THE IDRIS TUTORIAL v0.99 record Prod a b where constructor Times fst : a snd : b Using the class record from the original introduction to records. The size of the class can be restricted using a Vect and the size promoted to the type level by parameterising the record with the size. For example: record SizedClass (size : Nat) where constructor SizedClassInfo students : Vect size Person className : String Note that it is no longer possible to use the addStudent function from earlier, since that would change the size of the class. A function to add a student must now specify in the type that the size of the class has been increased by one. As the size is specified using natural numbers, the new value can be incremented using the S constructor. addStudent : Person -> SizedClass n -> SizedClass (S n) addStudent p c = SizedClassInfo (p :: students c) (className c) 1.3.10 More Expressions let bindings Intermediate values can be calculated using let bindings: mirror : List a -> List a mirror xs = let xs' = reverse xs in xs ++ xs' We can do simple pattern matching in let bindings too. For example, we can extract fields from a record as follows, as well as by pattern matching at the top level: data Person = MkPerson String Int showPerson : Person -> String showPerson p = let MkPerson name age = p in name ++ " is " ++ show age ++ " years old" List comprehensions Idris provides comprehension notation as a convenient shorthand for building lists. The general form is: [ expression | qualifiers ] This generates the list of values produced by evaluating the expression, according to the conditions given by the comma separated qualifiers. For example, we can build a list of Pythagorean triples as follows: pythag : Int -> List (Int, Int, Int) pythag n = [ (x, y, z) | z <- [1..n], y <- [1..z], x <- [1..y], x*x + y*y == z*z ] The [a..b] notation is another shorthand which builds a list of numbers between a and b. Alternatively [a,b..c] builds a list of numbers between a and c with the increment specified by the difference between 19 CHAPTER 1. THE IDRIS TUTORIAL v0.99 a and b. This works for type Nat, Int and Integer, using the enumFromTo and enumFromThenTo function from the prelude. case expressions Another way of inspecting intermediate values of simple types is to use a case expression. The following function, for example, splits a string into two at a given character: splitAt : Char -> String -> (String, String) splitAt c x = case break (== c) x of (x, y) => (x, strTail y) break is a library function which breaks a string into a pair of strings at the point where the given function returns true. We then deconstruct the pair it returns, and remove the first character of the second string. A case expression can match several cases, for example, to inspect an intermediate value of type Maybe a. Recall list_lookup which looks up an index in a list, returning Nothing if the index is out of bounds. We can use this to write lookup_default, which looks up an index and returns a default value if the index is out of bounds: lookup_default : Nat -> List a -> a -> a lookup_default i xs def = case list_lookup i xs of Nothing => def Just x => x If the index is in bounds, we get the value at that index, otherwise we get a default value: *usefultypes> lookup_default 2 [3,4,5,6] (-1) 5 : Integer *usefultypes> lookup_default 4 [3,4,5,6] (-1) -1 : Integer Restrictions: The case construct is intended for simple analysis of intermediate expressions to avoid the need to write auxiliary functions, and is also used internally to implement pattern matching let and lambda bindings. It will only work if: • Each branch matches a value of the same type, and returns a value of the same type. • The type of the result is “known”. i.e. the type of the expression can be determined without type checking the case-expression itself. 1.3.11 Totality A total function is a function that terminates for all possible inputs, or one that is guaranteed to produce some output before making a recursive call. For example, Idris’ head function is total for all lists: Idris> :t Prelude.List.head head : (l : List a) -> {auto ok : NonEmpty l} -> a The {auto ok : NonEmpty l} tells us that Idris won’t compile if we try to call head on an empty list. The implementation is as follows: ||| Get the first element of a non-empty list ||| @ ok proof that the list is non-empty head : (l : List a) -> {auto ok : NonEmpty l} -> a head [] {ok=IsNonEmpty} impossible head (x::xs) {ok=p} = x 20 CHAPTER 1. THE IDRIS TUTORIAL v0.99 (Note that this implementation is in contrast to Haskell’s head, which is not total and will fail at runtime rather than compile time.) The following Idris code will compile: module Main main : IO () main = do let x : Integer = head [1,2,3] print x And will print 1. However, the same code with head [] won’t compile: test.idr:5:26:When checking right hand side of main with expected type IO () When checking argument ok to function Prelude.List.head: Can't find a value of type NonEmpty [] We can’t bind and print x because head [] doesn’t type check. However, we might imagine a function, unsafeHead, that is identical to Idris’ head function except that it is not total: it will error out at runtime if called on an empty list. (This is similar to the behavior of Haskell’s head function.) unsafeHead might look like this: -- Unsafe head example! unsafeHead : List a -> a unsafeHead (x::xs) = x And although it typechecks and compiles, it will not reduce (that is, evaluation of the function will cause it to change): unsafe> the Integer $ unsafeHead [1, 2, 3] 1 : Integer unsafe> the Integer $ unsafeHead [] unsafeHead [] : Integer Functions that are not total are known as partial functions. As mentioned in the note about mutual blocks, non-total definitions aren’t reduced when type checking because they are not well-defined for all possible inputs. 1.4 Interfaces We often want to define functions which work across several different data types. For example, we would like arithmetic operators to work on Int, Integer and Double at the very least. We would like == to work on the majority of data types. We would like to be able to display different types in a uniform way. To achieve this, we use interfaces, which are similar to type classes in Haskell or traits in Rust. To define an interface, we provide a collection of overloadable functions. A simple example is the Show interface, which is defined in the prelude and provides an interface for converting values to String: interface Show a where show : a -> String This generates a function of the following type (which we call a method of the Show interface): show : Show a => a -> String We can read this as: “under the constraint that a has an implementation of Show, take an input a and 21 CHAPTER 1. THE IDRIS TUTORIAL v0.99 return a String.” An implementation of an interface is defined by giving definitions of the methods of the interface. For example, the Show implementation for Nat could be defined as: Show Nat where show Z = "Z" show (S k) = "s" ++ show k Idris> show (S (S (S Z))) "sssZ" : String Only one implementation of an interface can be given for a type — implementations may not overlap. Implementation declarations can themselves have constraints. To help with resolution, the arguments of an implementation must be constructors (either data or type constructors), variables or constants (i.e. you cannot give an implementation for a function). For example, to define a Show implementation for vectors, we need to know that there is a Show implementation for the element type, because we are going to use it to convert each element to a String: Show a => Show (Vect n a) where show xs = "[" ++ show' xs ++ "]" where show' : Vect n a -> String show' Nil = "" show' (x :: Nil) = show x show' (x :: xs) = show x ++ ", " ++ show' xs 1.4.1 Default Definitions The library defines an Eq interface which provides methods for comparing values for equality or inequality, with implementations for all of the built-in types: interface Eq a where (==) : a -> a -> Bool (/=) : a -> a -> Bool To declare an implementation for a type, we have to give definitions of all of the methods. For example, for an implementation of Eq for Nat: Eq Nat where Z == Z = True (S x) == (S y) = x == y Z == (S y) = False (S x) == Z = False x /= y = not (x == y) It is hard to imagine many cases where the /= method will be anything other than the negation of the result of applying the == method. It is therefore convenient to give a default definition for each method in the interface declaration, in terms of the other method: interface Eq a where (==) : a -> a -> Bool (/=) : a -> a -> Bool x /= y = not (x == y) x == y = not (x /= y) A minimal complete implementation of Eq requires either == or /= to be defined, but does not require both. If a method definition is missing, and there is a default definition for it, then the default is used instead. 22 CHAPTER 1. THE IDRIS TUTORIAL v0.99 1.4.2 Extending Interfaces Interfaces can also be extended. A logical next step from an equality relation Eq is to define an ordering relation Ord. We can define an Ord interface which inherits methods from Eq as well as defining some of its own: data Ordering = LT | EQ | GT interface Eq a => Ord a where compare : a -> a -> Ordering (<) : a -> a -> Bool (>) : a -> a -> Bool (<=) : a -> a -> Bool (>=) : a -> a -> Bool max : a -> a -> a min : a -> a -> a The Ord interface allows us to compare two values and determine their ordering. Only the compare method is required; every other method has a default definition. Using this we can write functions such as sort, a function which sorts a list into increasing order, provided that the element type of the list is in the Ord interface. We give the constraints on the type variables left of the fat arrow =>, and the function type to the right of the fat arrow: sort : Ord a => List a -> List a Functions, interfaces and implementations can have multiple constraints. Multiple constraints are written in brackets in a comma separated list, for example: sortAndShow : (Ord a, Show a) => List a -> String sortAndShow xs = show (sort xs) 1.4.3 Functors and Applicatives So far, we have seen single parameter interfaces, where the parameter is of type Type. In general, there can be any number of parameters (even zero), and the parameters can have any type. If the type of the parameter is not Type, we need to give an explicit type declaration. For example, the Functor interface is defined in the prelude: interface Functor (f : Type -> Type) where map : (m : a -> b) -> f a -> f b A functor allows a function to be applied across a structure, for example to apply a function to every element in a List: Functor List where map f [] = [] map f (x::xs) = f x :: map f xs Idris> map (*2) [1..10] [2, 4, 6, 8, 10, 12, 14, 16, 18, 20] : List Integer Having defined Functor, we can define Applicative which abstracts the notion of function application: infixl 2 <*> interface Functor f => Applicative (f : Type -> Type) where pure : a -> f a (<*>) : f (a -> b) -> f a -> f b 23 CHAPTER 1. THE IDRIS TUTORIAL v0.99 1.4.4 Monads and do-notation The Monad interface allows us to encapsulate binding and computation, and is the basis of do-notation introduced in Section “do” notation (page 12). It extends Applicative as defined above, and is defined as follows: interface Applicative m => Monad (m : Type -> Type) where (>>=) : m a -> (a -> m b) -> m b Inside a do block, the following syntactic transformations are applied: • x <- v; e becomes v >>= (\x => e) • v; e becomes v >>= (\_ => e) • let x = v; e becomes let x = v in e IO has an implementation of Monad, defined using primitive functions. We can also define an implemen- tation for Maybe, as follows: Monad Maybe where Nothing >>= k = Nothing (Just x) >>= k = k x Using this we can, for example, define a function which adds two Maybe Int, using the monad to encapsulate the error handling: m_add : Maybe Int -> Maybe Int -> Maybe Int m_add x y = do x' <- x -- Extract value from x y' <- y -- Extract value from y pure (x' + y') -- Add them This function will extract the values from x and y, if they are both available, or return Nothing if one or both are not (“fail fast”). Managing the Nothing cases is achieved by the >>= operator, hidden by the do notation. *ifaces> m_add (Just 20) (Just 22) Just 42 : Maybe Int *ifaces> m_add (Just 20) Nothing Nothing : Maybe Int Pattern Matching Bind Sometimes we want to pattern match immediately on the result of a function in do notation. For example, let’s say we have a function readNumber which reads a number from the console, returning a value of the form Just x if the number is valid, or Nothing otherwise: readNumber : IO (Maybe Nat) readNumber = do input <- getLine if all isDigit (unpack input) then pure (Just (cast input)) else pure Nothing If we then use it to write a function to read two numbers, returning Nothing if neither are valid, then we would like to pattern match on the result of readNumber: readNumbers : IO (Maybe (Nat, Nat)) readNumbers = do x <- readNumber 24 CHAPTER 1. THE IDRIS TUTORIAL v0.99 case x of Nothing => pure Nothing Just x_ok => do y <- readNumber case y of Nothing => pure Nothing Just y_ok => pure (Just (x_ok, y_ok)) If there’s a lot of error handling, this could get deeply nested very quickly! So instead, we can combine the bind and the pattern match in one line. For example, we could try pattern matching on values of the form Just x_ok: readNumbers : IO (Maybe (Nat, Nat)) readNumbers = do Just x_ok <- readNumber Just y_ok <- readNumber pure (Just (x_ok, y_ok)) There is still a problem, however, because we’ve now omitted the case for Nothing so readNumbers is no longer total! We can add the Nothing case back as follows: readNumbers : IO (Maybe (Nat, Nat)) readNumbers = do Just x_ok <- readNumber | Nothing => pure Nothing Just y_ok <- readNumber | Nothing => pure Nothing pure (Just (x_ok, y_ok)) The effect of this version of readNumbers is identical to the first (in fact, it is syntactic sugar for it and directly translated back into that form). The first part of each statement (Just x_ok <- and Just y_ok <-) gives the preferred binding - if this matches, execution will continue with the rest of the do block. The second part gives the alternative bindings, of which there may be more than one. !-notation In many cases, using do-notation can make programs unnecessarily verbose, particularly in cases such as m_add above where the value bound is used once, immediately. In these cases, we can use a shorthand version, as follows: m_add : Maybe Int -> Maybe Int -> Maybe Int m_add x y = pure (!x + !y) The notation !expr means that the expression expr should be evaluated and then implicitly bound. Conceptually, we can think of ! as being a prefix function with the following type: (!) : m a -> a Note, however, that it is not really a function, merely syntax! In practice, a subexpression !expr will lift expr as high as possible within its current scope, bind it to a fresh name x, and replace !expr with x. Expressions are lifted depth first, left to right. In practice, !-notation allows us to program in a more direct style, while still giving a notational clue as to which expressions are monadic. For example, the expression: let y = 42 in f !(g !(print y) !x) is lifted to: let y = 42 in do y' <- print y x' <- x g' <- g y' x' 25 CHAPTER 1. THE IDRIS TUTORIAL v0.99 f g' Monad comprehensions The list comprehension notation we saw in Section More Expressions (page 19) is more general, and applies to anything which has an implementation of both Monad and Alternative: interface Applicative f => Alternative (f : Type -> Type) where empty : f a (<|>) : f a -> f a -> f a In general, a comprehension takes the form [ exp | qual1, qual2, ..., qualn ] where quali can be one of: • A generator x <- e • A guard, which is an expression of type Bool • A let binding let x = e To translate a comprehension [exp | qual1, qual2, ..., qualn], first any qualifier qual which is a guard is translated to guard qual, using the following function: guard : Alternative f => Bool -> f () Then the comprehension is converted to do notation: do { qual1; qual2; ...; qualn; pure exp; } Using monad comprehensions, an alternative definition for m_add would be: m_add : Maybe Int -> Maybe Int -> Maybe Int m_add x y = [ x' + y' | x' <- x, y' <- y ] 1.4.5 Idiom brackets While do notation gives an alternative meaning to sequencing, idioms give an alternative meaning to application. The notation and larger example in this section is inspired by Conor McBride and Ross Paterson’s paper “Applicative Programming with Effects” 1 . First, let us revisit m_add above. All it is really doing is applying an operator to two values extracted from Maybe Int. We could abstract out the application: m_app : Maybe (a -> b) -> Maybe a -> Maybe b m_app (Just f) (Just a) = Just (f a) m_app _ _ = Nothing Using this, we can write an alternative m_add which uses this alternative notion of function application, with explicit calls to m_app: m_add' : Maybe Int -> Maybe Int -> Maybe Int m_add' x y = m_app (m_app (Just (+)) x) y Rather than having to insert m_app everywhere there is an application, we can use idiom brackets to do the job for us. To do this, we can give Maybe an implementation of Applicative as follows, where <*> 1 Conor McBride and Ross Paterson. 2008. Applicative programming with effects. J. Funct. Program. 18, 1 (January 2008), 1-13. DOI=10.1017/S0956796807006326 http://dx.doi.org/10.1017/S0956796807006326 26 CHAPTER 1. THE IDRIS TUTORIAL v0.99 is defined in the same way as m_app above (this is defined in the Idris library): Applicative Maybe where pure = Just (Just f) <*> (Just a) = Just (f a) _ <*> _ = Nothing Using <*> we can use this implementation as follows, where a function application [| f a1 ...an |] is translated into pure f <*> a1 <*> ... <*> an: m_add' : Maybe Int -> Maybe Int -> Maybe Int m_add' x y = [| x + y |] An error-handling interpreter Idiom notation is commonly useful when defining evaluators. McBride and Paterson describe such an evaluator 1 , for a language similar to the following: data Expr = Var String -- variables | Val Int -- values | Add Expr Expr -- addition Evaluation will take place relative to a context mapping variables (represented as Strings) to Int values, and can possibly fail. We define a data type Eval to wrap an evaluator: data Eval : Type -> Type where MkEval : (List (String, Int) -> Maybe a) -> Eval a Wrapping the evaluator in a data type means we will be able to provide implementations of interfaces for it later. We begin by defining a function to retrieve values from the context during evaluation: fetch : String -> Eval Int fetch x = MkEval (\e => fetchVal e) where fetchVal : List (String, Int) -> Maybe Int fetchVal [] = Nothing fetchVal ((v, val) :: xs) = if (x == v) then (Just val) else (fetchVal xs) When defining an evaluator for the language, we will be applying functions in the context of an Eval, so it is natural to give Eval an implementation of Applicative. Before Eval can have an implementation of Applicative it is necessary for Eval to have an implementation of Functor: Functor Eval where map f (MkEval g) = MkEval (\e => map f (g e)) Applicative Eval where pure x = MkEval (\e => Just x) (<*>) (MkEval f) (MkEval g) = MkEval (\x => app (f x) (g x)) where app : Maybe (a -> b) -> Maybe a -> Maybe b app (Just fx) (Just gx) = Just (fx gx) app _ _ = Nothing Evaluating an expression can now make use of the idiomatic application to handle errors: eval : Expr -> Eval Int eval (Var x) = fetch x eval (Val x) = [| x |] eval (Add x y) = [| eval x + eval y |] 27 CHAPTER 1. THE IDRIS TUTORIAL v0.99 runEval : List (String, Int) -> Expr -> Maybe Int runEval env e = case eval e of MkEval envFn => envFn env 1.4.6 Named Implementations It can be desirable to have multiple implementations of an interface for the same type, for example to provide alternative methods for sorting or printing values. To achieve this, implementations can be named as follows: [myord] Ord Nat where compare Z (S n) = GT compare (S n) Z = LT compare Z Z = EQ compare (S x) (S y) = compare @{myord} x y This declares an implementation as normal, but with an explicit name, myord. The syntax compare @{myord} gives an explicit implementation to compare, otherwise it would use the default implementation for Nat. We can use this, for example, to sort a list of Nat in reverse. Given the following list: testList : List Nat testList = [3,4,1] We can sort it using the default Ord implementation, then the named implementation myord as follows, at the Idris prompt: *named_impl> show (sort testList) "[sO, sssO, ssssO]" : String *named_impl> show (sort @{myord} testList) "[ssssO, sssO, sO]" : String 1.4.7 Determining Parameters When an interface has more than one parameter, it can help resolution if the parameters used to find an implementation are restricted. For example: interface Monad m => MonadState s (m : Type -> Type) | m where get : m s put : s -> m () In this interface, only m needs to be known to find an implementation of this interface, and s can then be determined from the implementation. This is declared with the | m after the interface declaration. We call m a determining parameter of the MonadState interface, because it is the parameter used to find an implementation. 1.5 Modules and Namespaces An Idris program consists of a collection of modules. Each module includes an optional module decla- ration giving the name of the module, a list of import statements giving the other modules which are to be imported, and a collection of declarations and definitions of types, interfaces and functions. For example, the listing below gives a module which defines a binary tree type BTree (in a file Btree.idr): module Btree 28 CHAPTER 1. THE IDRIS TUTORIAL v0.99 data BTree a = Leaf | Node (BTree a) a (BTree a) insert : Ord a => a -> BTree a -> BTree a insert x Leaf = Node Leaf x Leaf insert x (Node l v r) = if (x < v) then (Node (insert x l) v r) else (Node l v (insert x r)) toList : BTree a -> List a toList Leaf = [] toList (Node l v r) = Btree.toList l ++ (v :: Btree.toList r) toTree : Ord a => List a -> BTree a toTree [] = Leaf toTree (x :: xs) = insert x (toTree xs) Then, this gives a main program (in a file bmain.idr) which uses the Btree module to sort a list: module Main import Btree main : IO () main = do let t = toTree [1,8,2,7,9,3] print (Btree.toList t) The same names can be defined in multiple modules. This is possible because in practice names are qualified with the name of the module. The names defined in the Btree module are, in full: • Btree.BTree • Btree.Leaf • Btree.Node • Btree.insert • Btree.toList • Btree.toTree If names are otherwise unambiguous, there is no need to give the fully qualified name. Names can be disambiguated either by giving an explicit qualification, or according to their type. There is no formal link between the module name and its filename, although it is generally advisable to use the same name for each. An import statement refers to a filename, using dots to separate directories. For example, import foo.bar would import the file foo/bar.idr, which would conventionally have the module declaration module foo.bar. The only requirement for module names is that the main module, with the main function, must be called Main—although its filename need not be Main.idr. 1.5.1 Export Modifiers Idris allows for fine-grained control over the visibility of a module’s contents. By default, all names defined in a module are kept private. This aides in specification of a minimal interface and for internal details to be left hidden. Idris allows for functions, types, and interfaces to be marked as: private, export, or public export. Their general meaning is as follows: • private meaning that it’s not exported at all. This is the default. • export meaning that its top level type is exported. 29 CHAPTER 1. THE IDRIS TUTORIAL v0.99 • public export meaning that the entire definition is exported. A further restriction in modifying the visibility is that definitions must not refer to anything within a lower level of visibility. For example, public export definitions cannot use private names, and export types cannot use private names. This is to prevent private names leaking into a module’s interface. Meaning for Functions • export the type is exported • public export the type and definition are exported, and the definition can be used after it is imported. In other words, the definition itself is considered part of the module’s interface. The long name public export is intended to make you think twice about doing this. Note: Type synonyms in Idris are created by writing a function. When setting the visibility for a module, it might be a good idea to public export all type synonyms if they are to be used outside the module. Otherwise, Idris won’t know what the synonym is a synonym for. Meaning for Data Types For data types, the meanings are: • export the type constructor is exported • public export the type constructor and data constructors are exported Meaning for Interfaces For interfaces, the meanings are: • export the interface name is exported • public export the interface name, method names and default definitions are exported BTree Revisited For our BTree module, it makes sense for the tree data type and the functions to be exported as export, as we see below: module BTree export data BTree a = Leaf | Node (BTree a) a (BTree a) export insert : Ord a => a -> BTree a -> BTree a insert x Leaf = Node Leaf x Leaf insert x (Node l v r) = if (x < v) then (Node (insert x l) v r) else (Node l v (insert x r)) export toList : BTree a -> List a toList Leaf = [] 30 CHAPTER 1. THE IDRIS TUTORIAL v0.99 toList (Node l v r) = Btree.toList l ++ (v :: Btree.toList r) export toTree : Ord a => List a -> BTree a toTree [] = Leaf toTree (x :: xs) = insert x (toTree xs) %access Directive Finally, the default export mode can be changed with the %access directive, for example: module Btree %access export data BTree a = Leaf | Node (BTree a) a (BTree a) insert : Ord a => a -> BTree a -> BTree a insert x Leaf = Node Leaf x Leaf insert x (Node l v r) = if (x < v) then (Node (insert x l) v r) else (Node l v (insert x r)) toList : BTree a -> List a toList Leaf = [] toList (Node l v r) = Btree.toList l ++ (v :: Btree.toList r) toTree : Ord a => List a -> BTree a toTree [] = Leaf toTree (x :: xs) = insert x (toTree xs) In this case, any function with no access modifier will be exported as export, rather than left private. Propagating Inner Module API’s Additionally, a module can re-export a module it has imported, by using the public modifier on an import. For example: module A import B import public C public a : AType a = ... The module A will export the name a, as well as any public or abstract names in module C, but will not re-export anything from module B. 1.5.2 Explicit Namespaces Defining a module also defines a namespace implicitly. However, namespaces can also be given explicitly. This is most useful if you wish to overload names within the same module: module Foo namespace x test : Int -> Int 31 CHAPTER 1. THE IDRIS TUTORIAL v0.99 test x = x * 2 namespace y test : String -> String test x = x ++ x This (admittedly contrived) module defines two functions with fully qualified names foo.x.test and foo.y.test, which can be disambiguated by their types: *foo> test 3 6 : Int *foo> test "foo" "foofoo" : String 1.5.3 Parameterised blocks Groups of functions can be parameterised over a number of arguments using a parameters declaration, for example: parameters (x : Nat, y : Nat) addAll : Nat -> Nat addAll z = x + y + z The effect of a parameters block is to add the declared parameters to every function, type and data constructor within the block. Specifically, adding the parameters to the front of the argument list. Outside the block, the parameters must be given explicitly. The addAll function, when called from the REPL, will thus have the following type signature. *params> :t addAll addAll : Nat -> Nat -> Nat -> Nat and the following definition. addAll : (x : Nat) -> (y : Nat) -> (z : Nat) -> Nat addAll x y z = x + y + z Parameters blocks can be nested, and can also include data declarations, in which case the parameters are added explicitly to all type and data constructors. They may also be dependent types with implicit arguments: parameters (y : Nat, xs : Vect x a) data Vects : Type -> Type where MkVects : Vect y a -> Vects a append : Vects a -> Vect (x + y) a append (MkVects ys) = xs ++ ys To use Vects or append outside the block, we must also give the xs and y arguments. Here, we can use placeholders for the values which can be inferred by the type checker: *params> show (append _ _ (MkVects _ [1,2,3] [4,5,6])) "[1, 2, 3, 4, 5, 6]" : String 1.6 Packages Idris includes a simple build system for building packages and executables from a named package de- scription file. These files can be used with the Idris compiler to manage the development process . 32 CHAPTER 1. THE IDRIS TUTORIAL v0.99 1.6.1 Package Descriptions A package description includes the following: • A header, consisting of the keyword package followed by the package name. Package names can be any valid Idris identifier. The iPKG format also takes a quoted version that accepts any valid filename. • Fields describing package contents, <field> = <value> At least one field must be the modules field, where the value is a comma separated list of mod- ules. For example, given an idris package maths that has modules Maths.idr, Maths.NumOps.idr, Maths.BinOps.idr, and Maths.HexOps.idr, the corresponding package file would be: package maths modules = Maths , Maths.NumOps , Maths.BinOps , Maths.HexOps Other examples of package files can be found in the libs directory of the main Idris repository, and in third-party libraries. More details including a complete listing of available fields can be found in Packages (page 113). 1.6.2 Using Package files Given an Idris package file maths.ipkg it can be used with the Idris compiler as follows: • idris --build maths.ipkg will build all modules in the package • idris --install maths.ipkg will install the package, making it accessible by other Idris libraries and programs. • idris --clean maths.ipkg will delete all intermediate code and executable files generated when building. • idris --mkdoc maths.ipkg will build HTML documentation for your package in the folder maths_doc in your project’s root directory. • idris --checkpkg maths.ipkg will type check all modules in the package only. This differs from build that type checks and generates code. • idris --testpkg maths.ipkg will compile and run any embedded tests you have specified in the tests parameter. More information about testing is given in the next section. Once the maths package has been installed, the command line option --package maths makes it acces- sible (abbreviated to -p maths). For example: idris -p maths Main.idr 1.7 Testing Idris Packages The integrated build system includes a simple testing framework. This framework collects functions listed in the ipkg file under tests. All test functions must return IO (). When you enter idris --testpkg yourmodule.ipkg, the build system creates a temporary file in a 33 CHAPTER 1. THE IDRIS TUTORIAL v0.99 fresh environment on your machine by listing the tests functions under a single main function. It compiles this temporary file to an executable and then executes it. The tests themselves are responsible for reporting their success or failure. Test functions commonly use putStrLn to report test results. The test framework does not impose any standards for reporting and consequently does not aggregate test results. For example, lets take the following list of functions that are defined in a module called NumOps for a sample package maths. module Maths.NumOps double : Num a => a -> a double a = a + a triple : Num a => a -> a triple a = a + double a A simple test module, with a qualified name of Test.NumOps can be declared as module Test.NumOps import Maths.NumOps assertEq : Eq a => (given : a) -> (expected : a) -> IO () assertEq g e = if g == e then putStrLn "Test Passed" else putStrLn "Test Failed" assertNotEq : Eq a => (given : a) -> (expected : a) -> IO () assertNotEq g e = if not (g == e) then putStrLn "Test Passed" else putStrLn "Test Failed" testDouble : IO () testDouble = assertEq (double 2) 4 testTriple : IO () testTriple = assertNotEq (triple 2) 5 The functions assertEq and assertNotEq are used to run expected passing, and failing, equality tests. The actual tests are testDouble and testTriple, and are declared in the maths.ipkg file as follows: package maths modules = Maths.NumOps , Test.NumOps tests = Test.NumOps.testDouble , Test.NumOps.testTriple The testing framework can then be invoked using idris --testpkg maths.ipkg: > idris --testpkg maths.ipkg Type checking ./Maths/NumOps.idr Type checking ./Test/NumOps.idr Type checking /var/folders/63/np5g0d5j54x1s0z12rf41wxm0000gp/T/idristests144128232716531729.idr Test Passed Test Passed Note how both tests have reported success by printing Test Passed as we arranged for with the assertEq and assertNoEq functions. 34 CHAPTER 1. THE IDRIS TUTORIAL v0.99 1.8 Example: The Well-Typed Interpreter In this section, we’ll use the features we’ve seen so far to write a larger example, an interpreter for a simple functional programming language, with variables, function application, binary operators and an if...then...else construct. We will use the dependent type system to ensure that any programs which can be represented are well-typed. 1.8.1 Representing Languages First, let us define the types in the language. We have integers, booleans, and functions, represented by Ty: data Ty = TyInt | TyBool | TyFun Ty Ty We can write a function to translate these representations to a concrete Idris type — remember that types are first class, so can be calculated just like any other value: interpTy : Ty -> Type interpTy TyInt = Integer interpTy TyBool = Bool interpTy (TyFun A T) = interpTy A -> interpTy T We’re going to define a representation of our language in such a way that only well-typed programs can be represented. We’ll index the representations of expressions by their type, and the types of local variables (the context). The context can be represented using the Vect data type, and as it will be used regularly it will be represented as an implicit argument. To do so we define everything in a using block (keep in mind that everything after this point needs to be indented so as to be inside the using block): using (G:Vect n Ty) Expressions are indexed by the types of the local variables, and the type of the expression itself: data Expr : Vect n Ty -> Ty -> Type The full representation of expressions is: data HasType : (i : Fin n) -> Vect n Ty -> Ty -> Type where Stop : HasType FZ (t :: G) t Pop : HasType k G t -> HasType (FS k) (u :: G) t data Expr : Vect n Ty -> Ty -> Type where Var : HasType i G t -> Expr G t Val : (x : Integer) -> Expr G TyInt Lam : Expr (a :: G) t -> Expr G (TyFun a t) App : Expr G (TyFun a t) -> Expr G a -> Expr G t Op : (interpTy a -> interpTy b -> interpTy c) -> Expr G a -> Expr G b -> Expr G c If : Expr G TyBool -> Lazy (Expr G a) -> Lazy (Expr G a) -> Expr G a The code above makes use of the Vect and Fin types from the Idris standard library. We import them because they are not provided in the prelude: import Data.Vect import Data.Fin Since expressions are indexed by their type, we can read the typing rules of the language from the definitions of the constructors. Let us look at each constructor in turn. 35 CHAPTER 1. THE IDRIS TUTORIAL v0.99 We use a nameless representation for variables — they are de Bruijn indexed. Variables are represented by a proof of their membership in the context, HasType i G T, which is a proof that variable i in context G has type T. This is defined as follows: data HasType : (i : Fin n) -> Vect n Ty -> Ty -> Type where Stop : HasType FZ (t :: G) t Pop : HasType k G t -> HasType (FS k) (u :: G) t We can treat Stop as a proof that the most recently defined variable is well-typed, and Pop n as a proof that, if the nth most recently defined variable is well-typed, so is the n+1th. In practice, this means we use Stop to refer to the most recently defined variable, Pop Stop to refer to the next, and so on, via the Var constructor: Var : HasType i G t -> Expr G t So, in an expression \x,\y. x y, the variable x would have a de Bruijn index of 1, represented as Pop Stop, and y 0, represented as Stop. We find these by counting the number of lambdas between the definition and the use. A value carries a concrete representation of an integer: Val : (x : Integer) -> Expr G TyInt A lambda creates a function. In the scope of a function of type a -> t, there is a new local variable of type a, which is expressed by the context index: Lam : Expr (a :: G) t -> Expr G (TyFun a t) Function application produces a value of type t given a function from a to t and a value of type a: App : Expr G (TyFun a t) -> Expr G a -> Expr G t We allow arbitrary binary operators, where the type of the operator informs what the types of the arguments must be: Op : (interpTy a -> interpTy b -> interpTy c) -> Expr G a -> Expr G b -> Expr G c Finally, If expressions make a choice given a boolean. Each branch must have the same type, and we will evaluate the branches lazily so that only the branch which is taken need be evaluated: If : Expr G TyBool -> Lazy (Expr G a) -> Lazy (Expr G a) -> Expr G a 1.8.2 Writing the Interpreter When we evaluate an Expr, we’ll need to know the values in scope, as well as their types. Env is an environment, indexed over the types in scope. Since an environment is just another form of list, albeit with a strongly specified connection to the vector of local variable types, we use the usual :: and Nil constructors so that we can use the usual list syntax. Given a proof that a variable is defined in the context, we can then produce a value from the environment: data Env : Vect n Ty -> Type where Nil : Env Nil (::) : interpTy a -> Env G -> Env (a :: G) lookup : HasType i G t -> Env G -> interpTy t 36 CHAPTER 1. THE IDRIS TUTORIAL v0.99 lookup Stop (x :: xs) = x lookup (Pop k) (x :: xs) = lookup k xs Given this, an interpreter is a function which translates an Expr into a concrete Idris value with respect to a specific environment: interp : Env G -> Expr G t -> interpTy t The complete interpreter is defined as follows, for reference. For each constructor, we translate it into the corresponding Idris value: interp env (Var i) = lookup i env interp env (Val x) = x interp env (Lam sc) = \x => interp (x :: env) sc interp env (App f s) = interp env f (interp env s) interp env (Op op x y) = op (interp env x) (interp env y) interp env (If x t e) = if interp env x then interp env t else interp env e Let us look at each case in turn. To translate a variable, we simply look it up in the environment: interp env (Var i) = lookup i env To translate a value, we just return the concrete representation of the value: interp env (Val x) = x Lambdas are more interesting. In this case, we construct a function which interprets the scope of the lambda with a new value in the environment. So, a function in the object language is translated to an Idris function: interp env (Lam sc) = \x => interp (x :: env) sc For an application, we interpret the function and its argument and apply it directly. We know that interpreting f must produce a function, because of its type: interp env (App f s) = interp env f (interp env s) Operators and conditionals are, again, direct translations into the equivalent Idris constructs. For oper- ators, we apply the function to its operands directly, and for If, we apply the Idris if...then...else construct directly. interp env (Op op x y) = op (interp env x) (interp env y) interp env (If x t e) = if interp env x then interp env t else interp env e 1.8.3 Testing We can make some simple test functions. Firstly, adding two inputs \x. \y. y + x is written as follows: add : Expr G (TyFun TyInt (TyFun TyInt TyInt)) add = Lam (Lam (Op (+) (Var Stop) (Var (Pop Stop)))) More interestingly, a factorial function fact (e.g. \x. if (x == 0) then 1 else (fact (x-1) * x)), can be written as: 37 CHAPTER 1. THE IDRIS TUTORIAL v0.99 fact : Expr G (TyFun TyInt TyInt) fact = Lam (If (Op (==) (Var Stop) (Val 0)) (Val 1) (Op (*) (App fact (Op (-) (Var Stop) (Val 1))) (Var Stop))) 1.8.4 Running To finish, we write a main program which interprets the factorial function on user input: main : IO () main = do putStr "Enter a number: " x <- getLine printLn (interp [] fact (cast x)) Here, cast is an overloaded function which converts a value from one type to another if possible. Here, it converts a string to an integer, giving 0 if the input is invalid. An example run of this program at the Idris interactive environment is: $ idris interp.idr ____ __ _ / _/___/ /____(_)____ / // __ / ___/ / ___/ Version 0.99 _/ // /_/ / / / (__ ) http://www.idris-lang.org/ /___/\__,_/_/ /_/____/ Type :? for help Type checking ./interp.idr *interp> :exec Enter a number: 6 720 *interp> Aside: cast The prelude defines an interface Cast which allows conversion between types: interface Cast from to where cast : from -> to It is a multi-parameter interface, defining the source type and object type of the cast. It must be possible for the type checker to infer both parameters at the point where the cast is applied. There are casts defined between all of the primitive types, as far as they make sense. 1.9 Views and the “with” rule 1.9.1 Dependent pattern matching Since types can depend on values, the form of some arguments can be determined by the value of others. For example, if we were to write down the implicit length arguments to (++), we’d see that the form of the length argument was determined by whether the vector was empty or not: (++) : Vect n a -> Vect m a -> Vect (n + m) a (++) {n=Z} [] ys = ys (++) {n=S k} (x :: xs) ys = x :: xs ++ ys 38 CHAPTER 1. THE IDRIS TUTORIAL v0.99 If n was a successor in the [] case, or zero in the :: case, the definition would not be well typed. 1.9.2 The with rule — matching intermediate values Very often, we need to match on the result of an intermediate computation. Idris provides a construct for this, the with rule, inspired by views in Epigram 1 , which takes account of the fact that matching on a value in a dependently typed language can affect what we know about the forms of other values. In its simplest form, the with rule adds another argument to the function being defined, e.g. we have already seen a vector filter function, defined as follows: filter : (a -> Bool) -> Vect n a -> (p ** Vect p a) filter p [] = ( _ ** [] ) filter p (x :: xs) with (filter p xs) | ( _ ** xs' ) = if (p x) then ( _ ** x :: xs' ) else ( _ ** xs' ) Here, the with clause allows us to deconstruct the result of filter p xs. Effectively, it adds this value as an extra argument, which we place after the vertical bar. If the intermediate computation itself has a dependent type, then the result can affect the forms of other arguments — we can learn the form of one value by testing another. For example, a Nat is either even or odd. If it’s even it will be the sum of two equal Nat. Otherwise, it is the sum of two equal Nat plus one: data Parity : Nat -> Type where Even : Parity (n + n) Odd : Parity (S (n + n)) We say Parity is a view of Nat. It has a covering function which tests whether it is even or odd and constructs the predicate accordingly. parity : (n:Nat) -> Parity n We’ll come back to the definition of parity shortly. We can use it to write a function which converts a natural number to a list of binary digits (least significant first) as follows, using the with rule: natToBin : Nat -> List Bool natToBin Z = Nil natToBin k with (parity k) natToBin (j + j) | Even = False :: natToBin j natToBin (S (j + j)) | Odd = True :: natToBin j The value of the result of parity k affects the form of k, because the result of parity k depends on k. So, as well as the patterns for the result of the intermediate computation (Even and odd) right of the |, we also write how the results affect the other patterns left of the |. Note that there is a function in the patterns (+) and repeated occurrences of j—this is allowed because another argument has determined the form of these patterns. We will return to this function in Section Provisional Definitions (page 43) to complete the definition of parity. 1.9.3 With and proofs To use a dependent pattern match for theorem proving, it is sometimes necessary to explicitly construct the proof resulting from the pattern match. To do this, you can postfix the with clause with proof p and the proof generated by the pattern match will be in scope and named p. For example: 1 Conor McBride and James McKinna. 2004. The view from the left. J. Funct. Program. 14, 1 (January 2004), 69-111. DOI=10.1017/S0956796803004829 http://dx.doi.org/10.1017/S0956796803004829ñ 39 CHAPTER 1. THE IDRIS TUTORIAL v0.99 data Foo = FInt Int | FBool Bool optional : Foo -> Maybe Int optional (FInt x) = Just x optional (FBool b) = Nothing isFInt : (foo:Foo) -> Maybe (x : Int ** (optional foo = Just x)) isFInt foo with (optional foo) proof p isFInt foo | Nothing = Nothing -- here, p : Nothing = optional foo isFInt foo | (Just x) = Just (x ** Refl) -- here, p : Just x = optional foo 1.10 Theorem Proving 1.10.1 Equality Idris allows propositional equalities to be declared, allowing theorems about programs to be stated and proved. Equality is built in, but conceptually has the following definition: data (=) : a -> b -> Type where Refl : x = x Equalities can be proposed between any values of any types, but the only way to construct a proof of equality is if values actually are equal. For example: fiveIsFive : 5 = 5 fiveIsFive = Refl twoPlusTwo : 2 + 2 = 4 twoPlusTwo = Refl 1.10.2 The Empty Type There is an empty type, ⊥, which has no constructors. It is therefore impossible to construct an element of the empty type, at least without using a partially defined or general recursive function (see Section Totality Checking (page 41) for more details). We can therefore use the empty type to prove that something is impossible, for example zero is never equal to a successor: disjoint : (n : Nat) -> Z = S n -> Void disjoint n p = replace {P = disjointTy} p () where disjointTy : Nat -> Type disjointTy Z = () disjointTy (S k) = Void There is no need to worry too much about how this function works — essentially, it applies the library function replace, which uses an equality proof to transform a predicate. Here we use it to transform a value of a type which can exist, the empty tuple, to a value of a type which can’t, by using a proof of something which can’t exist. Once we have an element of the empty type, we can prove anything. void is defined in the library, to assist with proofs by contradiction. void : Void -> a 40 CHAPTER 1. THE IDRIS TUTORIAL v0.99 1.10.3 Simple Theorems When type checking dependent types, the type itself gets normalised. So imagine we want to prove the following theorem about the reduction behaviour of plus: plusReduces : (n:Nat) -> plus Z n = n We’ve written down the statement of the theorem as a type, in just the same way as we would write the type of a program. In fact there is no real distinction between proofs and programs. A proof, as far as we are concerned here, is merely a program with a precise enough type to guarantee a particular property of interest. We won’t go into details here, but the Curry-Howard correspondence 1 explains this relationship. The proof itself is trivial, because plus Z n normalises to n by the definition of plus: plusReduces n = Refl It is slightly harder if we try the arguments the other way, because plus is defined by recursion on its first argument. The proof also works by recursion on the first argument to plus, namely n. plusReducesZ : (n:Nat) -> n = plus n Z plusReducesZ Z = Refl plusReducesZ (S k) = cong (plusReducesZ k) cong is a function defined in the library which states that equality respects function application: cong : {f : t -> u} -> a = b -> f a = f b We can do the same for the reduction behaviour of plus on successors: plusReducesS : (n:Nat) -> (m:Nat) -> S (plus n m) = plus n (S m) plusReducesS Z m = Refl plusReducesS (S k) m = cong (plusReducesS k m) Even for trivial theorems like these, the proofs are a little tricky to construct in one go. When things get even slightly more complicated, it becomes too much to think about to construct proofs in this ‘batch mode’. Idris provides interactive editing capabilities, which can help with building proofs. For more details on building proofs interactively in an editor, see Theorem Proving (page 98). 1.10.4 Totality Checking If we really want to trust our proofs, it is important that they are defined by total functions — that is, a function which is defined for all possible inputs and is guaranteed to terminate. Otherwise we could construct an element of the empty type, from which we could prove anything: -- making use of 'hd' being partially defined empty1 : Void empty1 = hd [] where hd : List a -> a hd (x :: xs) = x -- not terminating empty2 : Void empty2 = empty2 1 Timothy G. Griffin. 1989. A formulae-as-type notion of control. In Proceedings of the 17th ACM SIGPLAN- SIGACT symposium on Principles of programming languages (POPL ‘90). ACM, New York, NY, USA, 47-58. DOI=10.1145/96709.96714 http://doi.acm.org/10.1145/96709.96714 41 CHAPTER 1. THE IDRIS TUTORIAL v0.99 Internally, Idris checks every definition for totality, and we can check at the prompt with the :total command. We see that neither of the above definitions is total: *theorems> :total empty1 possibly not total due to: empty1#hd not total as there are missing cases *theorems> :total empty2 possibly not total due to recursive path empty2 Note the use of the word “possibly” — a totality check can, of course, never be certain due to the undecidability of the halting problem. The check is, therefore, conservative. It is also possible (and indeed advisable, in the case of proofs) to mark functions as total so that it will be a compile time error for the totality check to fail: total empty2 : Void empty2 = empty2 Type checking ./theorems.idr theorems.idr:25:empty2 is possibly not total due to recursive path empty2 Reassuringly, our proof in Section The Empty Type (page 40) that the zero and successor constructors are disjoint is total: *theorems> :total disjoint Total The totality check is, necessarily, conservative. To be recorded as total, a function f must: • Cover all possible inputs • Be well-founded — i.e. by the time a sequence of (possibly mutually) recursive calls reaches f again, it must be possible to show that one of its arguments has decreased. • Not use any data types which are not strictly positive • Not call any non-total functions Directives and Compiler Flags for Totality By default, Idris allows all well-typed definitions, whether total or not. However, it is desirable for functions to be total as far as possible, as this provides a guarantee that they provide a result for all possible inputs, in finite time. It is possible to make total functions a requirement, either: • By using the --total compiler flag. • By adding a %default total directive to a source file. All definitions after this will be required to be total, unless explicitly flagged as partial. All functions after a %default total declaration are required to be total. Correspondingly, after a %default partial declaration, the requirement is relaxed. Finally, the compiler flag --warnpartial causes to print a warning for any undeclared partial function. Totality checking issues Please note that the totality checker is not perfect! Firstly, it is necessarily conservative due to the undecidability of the halting problem, so many programs which are total will not be detected as such. Secondly, the current implementation has had limited effort put into it so far, so there may still be cases where it believes a function is total which is not. Do not rely on it for your proofs yet! 42 CHAPTER 1. THE IDRIS TUTORIAL v0.99 Hints for totality In cases where you believe a program is total, but Idris does not agree, it is possible to give hints to the checker to give more detail for a termination argument. The checker works by ensuring that all chains of recursive calls eventually lead to one of the arguments decreasing towards a base case, but sometimes this is hard to spot. For example, the following definition cannot be checked as total because the checker cannot decide that filter (<= x) xs will always be smaller than (x :: xs): qsort : Ord a => List a -> List a qsort [] = [] qsort (x :: xs) = qsort (filter (< x) xs) ++ (x :: qsort (filter (>= x) xs)) The function assert_smaller, defined in the Prelude, is intended to address this problem: assert_smaller : a -> a -> a assert_smaller x y = y It simply evaluates to its second argument, but also asserts to the totality checker that y is structurally smaller than x. This can be used to explain the reasoning for totality if the checker cannot work it out itself. The above example can now be written as: total qsort : Ord a => List a -> List a qsort [] = [] qsort (x :: xs) = qsort (assert_smaller (x :: xs) (filter (< x) xs)) ++ (x :: qsort (assert_smaller (x :: xs) (filter (>= x) xs))) The expression assert_smaller (x :: xs) (filter (<= x) xs) asserts that the result of the filter will always be smaller than the pattern (x :: xs). In more extreme cases, the function assert_total marks a subexpression as always being total: assert_total : a -> a assert_total x = x In general, this function should be avoided, but it can be very useful when reasoning about primitives or externally defined functions (for example from a C library) where totality can be shown by an external argument. 1.11 Provisional Definitions Sometimes when programming with dependent types, the type required by the type checker and the type of the program we have written will be different (in that they do not have the same normal form), but nevertheless provably equal. For example, recall the parity function: data Parity : Nat -> Type where Even : Parity (n + n) Odd : Parity (S (n + n)) We’d like to implement this as follows: parity : (n:Nat) -> Parity n parity Z = Even {n=Z} parity (S Z) = Odd {n=Z} parity (S (S k)) with (parity k) 43 CHAPTER 1. THE IDRIS TUTORIAL v0.99 parity (S (S (j + j))) | Even = Even {n=S j} parity (S (S (S (j + j)))) | Odd = Odd {n=S j} This simply states that zero is even, one is odd, and recursively, the parity of k+2 is the same as the parity of k. Explicitly marking the value of n is even and odd is necessary to help type inference. Unfortunately, the type checker rejects this: viewsbroken.idr:12:10:When elaborating right hand side of ViewsBroken.parity: Type mismatch between Parity (plus (S j) (S j)) and Parity (S (S (plus j j))) Specifically: Type mismatch between plus (S j) (S j) and S (S (plus j j)) The type checker is telling us that (j+1)+(j+1) and 2+j+j do not normalise to the same value. This is because plus is defined by recursion on its first argument, and in the second value, there is a successor symbol on the second argument, so this will not help with reduction. These values are obviously equal — how can we rewrite the program to fix this problem? 1.11.1 Provisional definitions Provisional definitions help with this problem by allowing us to defer the proof details until a later point. There are two main reasons why they are useful. • When prototyping, it is useful to be able to test programs before finishing all the details of proofs. • When reading a program, it is often much clearer to defer the proof details so that they do not distract the reader from the underlying algorithm. Provisional definitions are written in the same way as ordinary definitions, except that they introduce the right hand side with a ?= rather than =. We define parity as follows: parity : (n:Nat) -> Parity n parity Z = Even {n=Z} parity (S Z) = Odd {n=Z} parity (S (S k)) with (parity k) parity (S (S (j + j))) | Even ?= Even {n=S j} parity (S (S (S (j + j)))) | Odd ?= Odd {n=S j} When written in this form, instead of reporting a type error, Idris will insert a hole standing for a theorem which will correct the type error. Idris tells us we have two proof obligations, with names generated from the module and function names: *views> :m Global holes: [views.parity_lemma_2,views.parity_lemma_1] The first of these has the following type: *views> :p views.parity_lemma_1 ---------------------------------- (views.parity_lemma_1) -------- {hole0} : (j : Nat) -> (Parity (plus (S j) (S j))) -> Parity (S (S (plus j j))) -views.parity_lemma_1> 44 CHAPTER 1. THE IDRIS TUTORIAL v0.99 The two arguments are j, the variable in scope from the pattern match, and value, which is the value we gave in the right hand side of the provisional definition. Our goal is to rewrite the type so that we can use this value. We can achieve this using the following theorem from the prelude: plusSuccRightSucc : (left : Nat) -> (right : Nat) -> S (left + right) = left + (S right) We need to use compute again to unfold the definition of plus: -views.parity_lemma_1> compute ---------------------------------- (views.parity_lemma_1) -------- {hole0} : (j : Nat) -> (Parity (S (plus j (S j)))) -> Parity (S (S (plus j j))) After applying intros we have: -views.parity_lemma_1> intros j : Nat value : Parity (S (plus j (S j))) ---------------------------------- (views.parity_lemma_1) -------- {hole2} : Parity (S (S (plus j j))) Then we apply the plusSuccRightSucc rewrite rule, symmetrically, to j and j, giving: -views.parity_lemma_1> rewrite sym (plusSuccRightSucc j j) j : Nat value : Parity (S (plus j (S j))) ---------------------------------- (views.parity_lemma_1) -------- {hole3} : Parity (S (plus j (S j))) sym is a function, defined in the library, which reverses the order of the rewrite: sym : l = r -> r = l sym Refl = Refl We can complete this proof using the trivial tactic, which finds value in the premises. The proof of the second lemma proceeds in exactly the same way. We can now test the natToBin function from Section The with rule — matching intermediate values (page 39) at the prompt. The number 42 is 101010 in binary. The binary digits are reversed: *views> show (natToBin 42) "[False, True, False, True, False, True]" : String 1.11.2 Suspension of Disbelief Idris requires that proofs be complete before compiling programs (although evaluation at the prompt is possible without proof details). Sometimes, especially when prototyping, it is easier not to have to do this. It might even be beneficial to test programs before attempting to prove things about them — if testing finds an error, you know you had better not waste your time proving something! Therefore, Idris provides a built-in coercion function, which allows you to use a value of the incorrect types: 45 CHAPTER 1. THE IDRIS TUTORIAL v0.99 believe_me : a -> b Obviously, this should be used with extreme caution. It is useful when prototyping, and can also be appropriate when asserting properties of external code (perhaps in an external C library). The “proof” of views.parity_lemma_1 using this is: views.parity_lemma_2 = proof { intro; intro; exact believe_me value; } The exact tactic allows us to provide an exact value for the proof. In this case, we assert that the value we gave was correct. 1.11.3 Example: Binary numbers Previously, we implemented conversion to binary numbers using the Parity view. Here, we show how to use the same view to implement a verified conversion to binary. We begin by indexing binary numbers over their Nat equivalent. This is a common pattern, linking a representation (in this case Binary) with a meaning (in this case Nat): data Binary : Nat -> Type where BEnd : Binary Z BO : Binary n -> Binary (n + n) BI : Binary n -> Binary (S (n + n)) BO and BI take a binary number as an argument and effectively shift it one bit left, adding either a zero or one as the new least significant bit. The index, n + n or S (n + n) states the result that this left shift then add will have to the meaning of the number. This will result in a representation with the least significant bit at the front. Now a function which converts a Nat to binary will state, in the type, that the resulting binary number is a faithful representation of the original Nat: natToBin : (n:Nat) -> Binary n The Parity view makes the definition fairly simple — halving the number is effectively a right shift after all — although we need to use a provisional definition in the Odd case: natToBin : (n:Nat) -> Binary n natToBin Z = BEnd natToBin (S k) with (parity k) natToBin (S (j + j)) | Even = BI (natToBin j) natToBin (S (S (j + j))) | Odd ?= BO (natToBin (S j)) The problem with the Odd case is the same as in the definition of parity, and the proof proceeds in the same way: natToBin_lemma_1 = proof { intro; intro; rewrite sym (plusSuccRightSucc j j); trivial; } To finish, we’ll implement a main program which reads an integer from the user and outputs it in binary. 46 CHAPTER 1. THE IDRIS TUTORIAL v0.99 main : IO () main = do putStr "Enter a number: " x <- getLine print (natToBin (fromInteger (cast x))) For this to work, of course, we need a Show implementation for Binary n: Show (Binary n) where show (BO x) = show x ++ "0" show (BI x) = show x ++ "1" show BEnd = "" 1.12 Interactive Editing By now, we have seen several examples of how Idris’ dependent type system can give extra confidence in a function’s correctness by giving a more precise description of its intended behaviour in its type. We have also seen an example of how the type system can help with EDSL development by allowing a programmer to describe the type system of an object language. However, precise types give us more than verification of programs — we can also exploit types to help write programs which are correct by construction. The Idris REPL provides several commands for inspecting and modifying parts of programs, based on their types, such as case splitting on a pattern variable, inspecting the type of a hole, and even a basic proof search mechanism. In this section, we explain how these features can be exploited by a text editor, and specifically how to do so in Vim. An interactive mode for Emacs is also available. 1.12.1 Editing at the REPL The REPL provides a number of commands, which we will describe shortly, which generate new program fragments based on the currently loaded module. These take the general form :command [line number] [name] That is, each command acts on a specific source line, at a specific name, and outputs a new program fragment. Each command has an alternative form, which updates the source file in-place: :command! [line number] [name] When the REPL is loaded, it also starts a background process which accepts and responds to REPL commands, using idris --client. For example, if we have a REPL running elsewhere, we can execute commands such as: $ idris --client ':t plus' Prelude.Nat.plus : Nat -> Nat -> Nat $ idris --client '2+2' 4 : Integer A text editor can take advantage of this, along with the editing commands, in order to provide interactive editing support. 1.12.2 Editing Commands 47 CHAPTER 1. THE IDRIS TUTORIAL v0.99 :addclause The :addclause n f command (abbreviated :ac n f) creates a template definition for the function named f declared on line n. For example, if the code beginning on line 94 contains: vzipWith : (a -> b -> c) -> Vect n a -> Vect n b -> Vect n c then :ac 94 vzipWith will give: vzipWith f xs ys = ?vzipWith_rhs The names are chosen according to hints which may be given by a programmer, and then made unique by the machine by adding a digit if necessary. Hints can be given as follows: %name Vect xs, ys, zs, ws This declares that any names generated for types in the Vect family should be chosen in the order xs, ys, zs, ws. :casesplit The :casesplit n x command, abbreviated :cs n x, splits the pattern variable x on line n into the various pattern forms it may take, removing any cases which are impossible due to unification errors. For example, if the code beginning on line 94 is: vzipWith : (a -> b -> c) -> Vect n a -> Vect n b -> Vect n c vzipWith f xs ys = ?vzipWith_rhs then :cs 96 xs will give: vzipWith f [] ys = ?vzipWith_rhs_1 vzipWith f (x :: xs) ys = ?vzipWith_rhs_2 That is, the pattern variable xs has been split into the two possible cases [] and x :: xs. Again, the names are chosen according to the same heuristic. If we update the file (using :cs!) then case split on ys on the same line, we get: vzipWith f [] [] = ?vzipWith_rhs_3 That is, the pattern variable ys has been split into one case [], Idris having noticed that the other possible case y :: ys would lead to a unification error. :addmissing The :addmissing n f command, abbreviated :am n f, adds the clauses which are required to make the function f on line n cover all inputs. For example, if the code beginning on line 94 is vzipWith : (a -> b -> c) -> Vect n a -> Vect n b -> Vect n c vzipWith f [] [] = ?vzipWith_rhs_1 then :am 96 vzipWith gives: vzipWith f (x :: xs) (y :: ys) = ?vzipWith_rhs_2 48 CHAPTER 1. THE IDRIS TUTORIAL v0.99 That is, it notices that there are no cases for non-empty vectors, generates the required clauses, and eliminates the clauses which would lead to unification errors. :proofsearch The :proofsearch n f command, abbreviated :ps n f, attempts to find a value for the hole f on line n by proof search, trying values of local variables, recursive calls and constructors of the required family. Optionally, it can take a list of hints, which are functions it can try applying to solve the hole. For example, if the code beginning on line 94 is: vzipWith : (a -> b -> c) -> Vect n a -> Vect n b -> Vect n c vzipWith f [] [] = ?vzipWith_rhs_1 vzipWith f (x :: xs) (y :: ys) = ?vzipWith_rhs_2 then :ps 96 vzipWith_rhs_1 will give [] This works because it is searching for a Vect of length 0, of which the empty vector is the only pos- sibility. Similarly, and perhaps surprisingly, there is only one possibility if we try to solve :ps 97 vzipWith_rhs_2: f x y :: (vzipWith f xs ys) This works because vzipWith has a precise enough type: The resulting vector has to be non-empty (a ::); the first element must have type c and the only way to get this is to apply f to x and y; finally, the tail of the vector can only be built recursively. :makewith The :makewith n f command, abbreviated :mw n f, adds a with to a pattern clause. For example, recall parity. If line 10 is: parity (S k) = ?parity_rhs then :mw 10 parity will give: parity (S k) with (_) parity (S k) | with_pat = ?parity_rhs If we then fill in the placeholder _ with parity k and case split on with_pat using :cs 11 with_pat we get the following patterns: parity (S (plus n n)) | even = ?parity_rhs_1 parity (S (S (plus n n))) | odd = ?parity_rhs_2 Note that case splitting has normalised the patterns here (giving plus rather than +). In any case, we see that using interactive editing significantly simplifies the implementation of dependent pattern matching by showing a programmer exactly what the valid patterns are. 1.12.3 Interactive Editing in Vim The editor mode for Vim provides syntax highlighting, indentation and interactive editing support using the commands described above. Interactive editing is achieved using the following editor commands, each of which update the buffer directly: 49 CHAPTER 1. THE IDRIS TUTORIAL v0.99 • \d adds a template definition for the name declared on the current line (using :addclause). • \c case splits the variable at the cursor (using :casesplit). • \m adds the missing cases for the name at the cursor (using :addmissing). • \w adds a with clause (using :makewith). • \o invokes a proof search to solve the hole under the cursor (using :proofsearch). • \p invokes a proof search with additional hints to solve the hole under the cursor (using :proofsearch). There are also commands to invoke the type checker and evaluator: • \t displays the type of the (globally visible) name under the cursor. In the case of a hole, this displays the context and the expected type. • \e prompts for an expression to evaluate. • \r reloads and type checks the buffer. Corresponding commands are also available in the Emacs mode. Support for other editors can be added in a relatively straightforward manner by using idris –client. 1.13 Syntax Extensions Idris supports the implementation of Embedded Domain Specific Languages (EDSLs) in several ways 1 . One way, as we have already seen, is through extending do notation. Another important way is to allow extension of the core syntax. In this section we describe two ways of extending the syntax: syntax rules and dsl notation. 1.13.1 syntax rules We have seen if...then...else expressions, but these are not built in. Instead, we can define a function in the prelude as follows (we have already seen this function in Section Laziness (page 13)): ifThenElse : (x:Bool) -> Lazy a -> Lazy a -> a; ifThenElse True t e = t; ifThenElse False t e = e; and then extend the core syntax with a syntax declaration: syntax if [test] then [t] else [e] = ifThenElse test t e; The left hand side of a syntax declaration describes the syntax rule, and the right hand side describes its expansion. The syntax rule itself consists of: • Keywords — here, if, then and else, which must be valid identifiers • Non-terminals — included in square brackets, [test], [t] and [e] here, which stand for arbi- trary expressions. To avoid parsing ambiguities, these expressions cannot use syntax extensions at 1 Edwin Brady and Kevin Hammond. 2012. Resource-Safe systems programming with embedded domain specific languages. In Proceedings of the 14th international conference on Practical Aspects of Declarative Languages (PADL‘12), Claudio Russo and Neng-Fa Zhou (Eds.). Springer-Verlag, Berlin, Heidelberg, 242-257. DOI=10.1007/978-3-642-27694- 1_18 http://dx.doi.org/10.1007/978-3-642-27694-1_18 50 CHAPTER 1. THE IDRIS TUTORIAL v0.99 the top level (though they can be used in parentheses). • Names — included in braces, which stand for names which may be bound on the right hand side. • Symbols — included in quotations marks, e.g. :=. This can also be used to include reserved words in syntax rules, such as let or in. The limitations on the form of a syntax rule are that it must include at least one symbol or keyword, and there must be no repeated variables standing for non-terminals. Any expression can be used, but if there are two non-terminals in a row in a rule, only simple expressions may be used (that is, variables, constants, or bracketed expressions). Rules can use previously defined rules, but may not be recursive. The following syntax extensions would therefore be valid: syntax [var] ":=" [val] = Assign var val; syntax [test] "?" [t] ":" [e] = if test then t else e; syntax select [x] from [t] "where" [w] = SelectWhere x t w; syntax select [x] from [t] = Select x t; Syntax macros can be further restricted to apply only in patterns (i.e., only on the left hand side of a pattern match clause) or only in terms (i.e. everywhere but the left hand side of a pattern match clause) by being marked as pattern or term syntax rules. For example, we might define an interval as follows, with a static check that the lower bound is below the upper bound using so: data Interval : Type where MkInterval : (lower : Double) -> (upper : Double) -> so (lower < upper) -> Interval We can define a syntax which, in patterns, always matches oh for the proof argument, and in terms requires a proof term to be provided: pattern syntax "[" [x] "..." [y] "]" = MkInterval x y oh term syntax "[" [x] "..." [y] "]" = MkInterval x y ?bounds_lemma In terms, the syntax [x...y] will generate a proof obligation bounds_lemma (possibly renamed). Finally, syntax rules may be used to introduce alternative binding forms. For example, a for loop binds a variable on each iteration: syntax for {x} in [xs] ":" [body] = forLoop xs (\x => body) main : IO () main = do for x in [1..10]: putStrLn ("Number " ++ show x) putStrLn "Done!" Note that we have used the {x} form to state that x represents a bound variable, substituted on the right hand side. We have also put in in quotation marks since it is already a reserved word. 1.13.2 dsl notation The well-typed interpreter in Section Example: The Well-Typed Interpreter (page 35) is a simple example of a common programming pattern with dependent types. Namely: describe an object language and its type system with dependent types to guarantee that only well-typed programs can be represented, then program using that representation. Using this approach we can, for example, write programs for serialising binary data 2 or running concurrent processes safely 3 . 2 Edwin C. Brady. 2011. IDRIS —: systems programming meets full dependent types. In Proceedings of the 5th ACM workshop on Programming languages meets program verification (PLPV ‘11). ACM, New York, NY, USA, 43-54. DOI=10.1145/1929529.1929536 http://doi.acm.org/10.1145/1929529.1929536 3 Edwin Brady and Kevin Hammond. 2010. Correct-by-Construction Concurrency: Using Dependent Types to Verify Implementations of Effectful Resource Usage Protocols. Fundam. Inf. 102, 2 (April 2010), 145-176. 51 CHAPTER 1. THE IDRIS TUTORIAL v0.99 Unfortunately, the form of object language programs makes it rather hard to program this way in practice. Recall the factorial program in Expr for example: fact : Expr G (TyFun TyInt TyInt) fact = Lam (If (Op (==) (Var Stop) (Val 0)) (Val 1) (Op (*) (App fact (Op (-) (Var Stop) (Val 1))) (Var Stop))) Since this is a particularly useful pattern, Idris provides syntax overloading 1 to make it easier to program in such object languages: mkLam : TTName -> Expr (t::g) t' -> Expr g (TyFun t t') mkLam _ body = Lam body dsl expr variable = Var index_first = Stop index_next = Pop lambda = mkLam A dsl block describes how each syntactic construct is represented in an object language. Here, in the expr language, any variable is translated to the Var constructor, using Pop and Stop to construct the de Bruijn index (i.e., to count how many bindings since the variable itself was bound); and any lambda is translated to a Lam constructor. The mkLam function simply ignores its first argument, which is the name that the user chose for the variable. It is also possible to overload let and dependent function syntax (pi) in this way. We can now write fact as follows: fact : Expr G (TyFun TyInt TyInt) fact = expr (\x => If (Op (==) x (Val 0)) (Val 1) (Op (*) (app fact (Op (-) x (Val 1))) x)) In this new version, expr declares that the next expression will be overloaded. We can take this further, using idiom brackets, by declaring: (<*>) : (f : Lazy (Expr G (TyFun a t))) -> Expr G a -> Expr G t (<*>) f a = App f a pure : Expr G a -> Expr G a pure = id Note that there is no need for these to be part of an implementation of Applicative, since idiom bracket notation translates directly to the names <*> and pure, and ad-hoc type-directed overloading is allowed. We can now say: fact : Expr G (TyFun TyInt TyInt) fact = expr (\x => If (Op (==) x (Val 0)) (Val 1) (Op (*) [| fact (Op (-) x (Val 1)) |] x)) With some more ad-hoc overloading and use of interfaces, and a new syntax rule, we can even go as far as: syntax "IF" [x] "THEN" [t] "ELSE" [e] = If x t e fact : Expr G (TyFun TyInt TyInt) fact = expr (\x => IF x == 0 THEN 1 ELSE [| fact (x - 1) |] * x) http://dl.acm.org/citation.cfm?id=1883636 52 CHAPTER 1. THE IDRIS TUTORIAL v0.99 1.14 Miscellany In this section we discuss a variety of additional features: • auto, implicit, and default arguments; • literate programming; • interfacing with external libraries through the foreign function • interface; • type providers; • code generation; and • the universe hierarchy. 1.14.1 Auto implicit arguments We have already seen implicit arguments, which allows arguments to be omitted when they can be inferred by the type checker, e.g. index : {a:Type} -> {n:Nat} -> Fin n -> Vect n a -> a In other situations, it may be possible to infer arguments not by type checking but by searching the context for an appropriate value, or constructing a proof. For example, the following definition of head which requires a proof that the list is non-empty: isCons : List a -> Bool isCons [] = False isCons (x :: xs) = True head : (xs : List a) -> (isCons xs = True) -> a head (x :: xs) _ = x If the list is statically known to be non-empty, either because its value is known or because a proof already exists in the context, the proof can be constructed automatically. Auto implicit arguments allow this to happen silently. We define head as follows: head : (xs : List a) -> {auto p : isCons xs = True} -> a head (x :: xs) = x The auto annotation on the implicit argument means that Idris will attempt to fill in the implicit argument by searching for a value of the appropriate type. It will try the following, in order: • Local variables, i.e. names bound in pattern matches or let bindings, with exactly the right type. • The constructors of the required type. If they have arguments, it will search recursively up to a maximum depth of 100. • Local variables with function types, searching recursively for the arguments. • Any function with the appropriate return type which is marked with the %hint annotation. In the case that a proof is not found, it can be provided explicitly as normal: head xs {p = ?headProof} 53 CHAPTER 1. THE IDRIS TUTORIAL v0.99 More generally, we can fill in implicit arguments with a default value by annotating them with default. The definition above is equivalent to: head : (xs : List a) -> {default proof { trivial; } p : isCons xs = True} -> a head (x :: xs) = x 1.14.2 Implicit conversions Idris supports the creation of implicit conversions, which allow automatic conversion of values from one type to another when required to make a term type correct. This is intended to increase convenience and reduce verbosity. A contrived but simple example is the following: implicit intString : Int -> String intString = show test : Int -> String test x = "Number " ++ x In general, we cannot append an Int to a String, but the implicit conversion function intString can convert x to a String, so the definition of test is type correct. An implicit conversion is implemented just like any other function, but given the implicit modifier, and restricted to one explicit argument. Only one implicit conversion will be applied at a time. That is, implicit conversions cannot be chained. Implicit conversions of simple types, as above, are however discouraged! More commonly, an implicit conversion would be used to reduce verbosity in an embedded domain specific language, or to hide details of a proof. Such examples are beyond the scope of this tutorial. 1.14.3 Literate programming Like Haskell, Idris supports literate programming. If a file has an extension of .lidr then it is assumed to be a literate file. In literate programs, everything is assumed to be a comment unless the line begins with a greater than sign >, for example: > module literate This is a comment. The main program is below > main : IO () > main = putStrLn "Hello literate world!\n" An additional restriction is that there must be a blank line between a program line (beginning with >) and a comment line (beginning with any other character). 1.14.4 Foreign function calls For practical programming, it is often necessary to be able to use external libraries, particularly for interfacing with the operating system, file system, networking, et cetera. Idris provides a lightweight foreign function interface for achieving this, as part of the prelude. For this, we assume a certain amount of knowledge of C and the gcc compiler. First, we define a datatype which describes the external types we can handle: data FTy = FInt | FFloat | FChar | FString | FPtr | FUnit Each of these corresponds directly to a C type. Respectively: int, double, char, char*, void* and void. There is also a translation to a concrete Idris type, described by the following function: 54 CHAPTER 1. THE IDRIS TUTORIAL v0.99 interpFTy : FTy -> Type interpFTy FInt = Int interpFTy FFloat = Double interpFTy FChar = Char interpFTy FString = String interpFTy FPtr = Ptr interpFTy FUnit = () A foreign function is described by a list of input types and a return type, which can then be converted to an Idris type: ForeignTy : (xs:List FTy) -> (t:FTy) -> Type A foreign function is assumed to be impure, so ForeignTy builds an IO type, for example: Idris> ForeignTy [FInt, FString] FString Int -> String -> IO String : Type Idris> ForeignTy [FInt, FString] FUnit Int -> String -> IO () : Type We build a call to a foreign function by giving the name of the function, a list of argument types and the return type. The built in construct mkForeign converts this description to a function callable by Idris: data Foreign : Type -> Type where FFun : String -> (xs:List FTy) -> (t:FTy) -> Foreign (ForeignTy xs t) mkForeign : Foreign x -> x Note that the compiler expects mkForeign to be fully applied to build a complete foreign function call. For example, the putStr function is implemented as follows, as a call to an external function putStr defined in the run-time system: putStr : String -> IO () putStr x = mkForeign (FFun "putStr" [FString] FUnit) x Include and linker directives Foreign function calls are translated directly to calls to C functions, with appropriate conversion between the Idris representation of a value and the C representation. Often this will require extra libraries to be linked in, or extra header and object files. This is made possible through the following directives: • %lib target x — include the libx library. If the target is C this is equivalent to pass- ing the -lx option to gcc. If the target is Java the library will be interpreted as a groupId:artifactId:packaging:version dependency coordinate for maven. • %include target x — use the header file or import x for the given back end target. • %link target x.o — link with the object file x.o when using the given back end target. • %dynamic x.so — dynamically link the interpreter with the shared object x.so. Testing foreign function calls Normally, the Idris interpreter (used for typechecking and at the REPL) will not perform IO actions. Additionally, as it neither generates C code nor compiles to machine code, the %lib, %include and %link directives have no effect. IO actions and FFI calls can be tested using the special REPL command :x 55 CHAPTER 1. THE IDRIS TUTORIAL v0.99 EXPR, and C libraries can be dynamically loaded in the interpreter by using the :dynamic command or the %dynamic directive. For example: Idris> :dynamic libm.so Idris> :x unsafePerformIO ((mkForeign (FFun "sin" [FFloat] FFloat)) 1.6) 0.9995736030415051 : Double 1.14.5 Type Providers Idris type providers, inspired by F#’s type providers, are a means of making our types be “about” something in the world outside of Idris. For example, given a type that represents a database schema and a query that is checked against it, a type provider could read the schema of a real database during type checking. Idris type providers use the ordinary execution semantics of Idris to run an IO action and extract the result. This result is then saved as a constant in the compiled code. It can be a type, in which case it is used like any other type, or it can be a value, in which case it can be used as any other value, including as an index in types. Type providers are still an experimental extension. To enable the extension, use the %language directive: %language TypeProviders A provider p for some type t is simply an expression of type IO (Provider t). The %provide directive causes the type checker to execute the action and bind the result to a name. This is perhaps best illustrated with a simple example. The type provider fromFile reads a text file. If the file consists of the string Int, then the type Int will be provided. Otherwise, it will provide the type Nat. strToType : String -> Type strToType "Int" = Int strToType _ = Nat fromFile : String -> IO (Provider Type) fromFile fname = do Right str <- readFile fname | Left err => pure (Provide Void) pure (Provide (strToType (trim str))) We then use the %provide directive: %provide (T1 : Type) with fromFile "theType" foo : T1 foo = 2 If the file named theType consists of the word Int, then foo will be an Int. Otherwise, it will be a Nat. When Idris encounters the directive, it first checks that the provider expression fromFile theType has type IO (Provider Type). Next, it executes the provider. If the result is Provide t, then T1 is defined as t. Otherwise, the result is an error. Our datatype Provider t has the following definition: data Provider a = Error String | Provide a We have already seen the Provide constructor. The Error constructor allows type providers to return useful error messages. The example in this section was purposefully simple. More complex type provider implementations, including a statically-checked SQLite binding, are available in an external collection 1 . 1 https://github.com/david-christiansen/idris-type-providers 56 CHAPTER 1. THE IDRIS TUTORIAL v0.99 1.14.6 C Target The default target of Idris is C. Compiling via : $ idris hello.idr -o hello is equivalent to : $ idris --codegen C hello.idr -o hello When the command above is used, a temporary C source is generated, which is then compiled into an executable named hello. In order to view the generated C code, compile via : $ idris hello.idr -S -o hello.c To turn optimisations on, use the %flag C pragma within the code, as is shown below : module Main %flag C "-O3" factorial : Int -> Int factorial 0 = 1 factorial n = n * (factorial (n-1)) main : IO () main = do putStrLn $ show $ factorial 3 1.14.7 JavaScript Target Idris is capable of producing JavaScript code that can be run in a browser as well as in the NodeJS environment or alike. One can use the FFI to communicate with the JavaScript ecosystem. Code Generation Code generation is split into two separate targets. To generate code that is tailored for running in the browser issue the following command: $ idris --codegen javascript hello.idr -o hello.js The resulting file can be embedded into your HTML just like any other JavaScript code. Generating code for NodeJS is slightly different. Idris outputs a JavaScript file that can be directly executed via node. $ idris --codegen node hello.idr -o hello $ ./hello Hello world Take into consideration that the JavaScript code generator is using console.log to write text to stdout, this means that it will automatically add a newline to the end of each string. This behaviour does not show up in the NodeJS code generator. 57 CHAPTER 1. THE IDRIS TUTORIAL v0.99 Using the FFI To write a useful application we need to communicate with the outside world. Maybe we want to manipulate the DOM or send an Ajax request. For this task we can use the FFI. Since most JavaScript APIs demand callbacks we need to extend the FFI so we can pass functions as arguments. The JavaScript FFI works a little bit differently than the regular FFI. It uses positional arguments to directly insert our arguments into a piece of JavaScript code. One could use the primitive addition of JavaScript like so: module Main primPlus : Int -> Int -> IO Int primPlus a b = mkForeign (FFun "%0 + %1" [FInt, FInt] FInt) a b main : IO () main = do a <- primPlus 1 1 b <- primPlus 1 2 print (a, b) Notice that the %n notation qualifies the position of the n-th argument given to our foreign function starting from 0. When you need a percent sign rather than a position simply use %% instead. Passing functions to a foreign function is very similar. Let’s assume that we want to call the following function from the JavaScript world: function twice(f, x) { return f(f(x)); } We obviously need to pass a function f here (we can infer it from the way we use f in twice, it would be more obvious if JavaScript had types). The JavaScript FFI is able to understand functions as arguments when you give it something of type FFunction. The following example code calls twice in JavaScript and returns the result to our Idris program: module Main twice : (Int -> Int) -> Int -> IO Int twice f x = mkForeign ( FFun "twice(%0,%1)" [FFunction FInt FInt, FInt] FInt ) f x main : IO () main = do a <- twice (+1) 1 print a The program outputs 3, just like we expected. Including external JavaScript files Whenever one is working with JavaScript one might want to include external libraries or just some functions that she or he wants to call via FFI which are stored in external files. The JavaScript and NodeJS code generators understand the %include directive. Keep in mind that JavaScript and NodeJS are handled as different code generators, therefore you will have to state which one you want to target. This means that you can include different files for JavaScript and NodeJS in the same Idris source file. 58 CHAPTER 1. THE IDRIS TUTORIAL v0.99 So whenever you want to add an external JavaScript file you can do this like so: For NodeJS: %include Node "path/to/external.js" And for use in the browser: %include JavaScript "path/to/external.js" The given files will be added to the top of the generated code. Including NodeJS modules The NodeJS code generator can also include modules with the %lib directive. %lib Node "fs" This directive compiles into the following JavaScript var fs = require("fs"); Shrinking down generated JavaScript Idris can produce very big chunks of JavaScript code. However, the generated code can be minified using the closure-compiler from Google. Any other minifier is also suitable but closure-compiler offers advanced compilation that does some aggressive inlining and code elimination. Idris can take full advantage of this compilation mode and it’s highly recommended to use it when shipping a JavaScript application written in Idris. 1.14.8 Cumulativity Since values can appear in types and vice versa, it is natural that types themselves have types. For example: *universe> :t Nat Nat : Type *universe> :t Vect Vect : Nat -> Type -> Type But what about the type of Type? If we ask Idris it reports *universe> :t Type Type : Type 1 If Type were its own type, it would lead to an inconsistency due to Girard’s paradox , so internally there is a hierarchy of types (or universes): Type : Type 1 : Type 2 : Type 3 : ... Universes are cumulative, that is, if x : Type n we can also have that x : Type m, as long as n < m. The typechecker generates such universe constraints and reports an error if any inconsistencies are found. Ordinarily, a programmer does not need to worry about this, but it does prevent (contrived) programs such as the following: 59 CHAPTER 1. THE IDRIS TUTORIAL v0.99 myid : (a : Type) -> a -> a myid _ x = x idid : (a : Type) -> a -> a idid = myid _ myid The application of myid to itself leads to a cycle in the universe hierarchy — myid’s first argument is a Type, which cannot be at a lower level than required if it is applied to itself. 1.15 Further Reading Further information about Idris programming, and programming with dependent types in general, can be obtained from various sources: • The Idris web site (http://www.idris-lang.org/) and by asking questions on the mailing list. • The IRC channel #idris, on chat.freenode.net. • The wiki (https://github.com/idris-lang/Idris-dev/wiki/) has further user provided in- formation, in particular: – https://github.com/idris-lang/Idris-dev/wiki/Manual – https://github.com/idris-lang/Idris-dev/wiki/Language-Features • Examining the prelude and exploring the samples in the distribution. The Idris source can be found online at: https://github.com/idris-lang/Idris-dev. • Existing projects on the Idris Hackers web space: http://idris-hackers.github.io. • Various papers (e.g. 1 , 2 , and 3 ). Although these mostly describe older versions of Idris. 1 Edwin Brady and Kevin Hammond. 2012. Resource-Safe systems programming with embedded domain specific languages. In Proceedings of the 14th international conference on Practical Aspects of Declarative Languages (PADL‘12), Claudio Russo and Neng-Fa Zhou (Eds.). Springer-Verlag, Berlin, Heidelberg, 242-257. DOI=10.1007/978-3-642-27694- 1_18 http://dx.doi.org/10.1007/978-3-642-27694-1_18 2 Edwin C. Brady. 2011. IDRIS —: systems programming meets full dependent types. In Proceedings of the 5th ACM workshop on Programming languages meets program verification (PLPV ‘11). ACM, New York, NY, USA, 43-54. DOI=10.1145/1929529.1929536 http://doi.acm.org/10.1145/1929529.1929536 3 Edwin C. Brady and Kevin Hammond. 2010. Scrapping your inefficient engine: using partial evaluation to improve domain-specific language implementation. In Proceedings of the 15th ACM SIGPLAN international confer- ence on Functional programming (ICFP ‘10). ACM, New York, NY, USA, 297-308. DOI=10.1145/1863543.1863587 http://doi.acm.org/10.1145/1863543.1863587 60 CHAPTER 2 Frequently Asked Questions 2.1 What are the differences between Agda and Idris? Like Idris, Agda is a functional language with dependent types, supporting dependent pattern matching. Both can be used for writing programs and proofs. However, Idris has been designed from the start to emphasise general purpose programming rather than theorem proving. As such, it supports interop- erability with systems libraries and C programs, and language constructs for domain specific language implementation. It also includes higher level programming constructs such as interfaces (similar to type classes) and do notation. Idris supports multiple back ends (C and JavaScript by default, with the ability to add more via plugins) and has a reference run time system, written in C, with a garbage collector and built-in message passing concurrency. 2.2 Is Idris production ready? Idris is primarily a research tool for exploring the possibilities of software development with dependent types, meaning that the primary goal is not (yet) to make a system which could be used in production. As such, there are a few rough corners, and lots of missing libraries. Nobody is working on Idris full time, and we don’t have the resources at the moment to polish the system on our own. Therefore, we don’t recommend building your business around it! Having said that, contributions which help towards making Idris suitable for use in production would be very welcome - this includes (but is not limited to) extra library support, polishing the run-time system (and ensuring it is robust), providing and maintaining a JVM back end, etc. 2.3 Why does Idris use eager evaluation rather than lazy? Idris uses eager evaluation for more predictable performance, in particular because one of the longer term goals is to be able to write efficient and verified low level code such as device drivers and network infrastructure. Furthermore, the Idris type system allows us to state precisely the type of each value, and therefore the run-time form of each value. In a lazy language, consider a value of type Int: thing : Int What is the representation of thing at run-time? Is it a bit pattern representing an integer, or is it a pointer to some code which will compute an integer? In Idris, we have decided that we would like to make this distinction precise, in the type: 61 CHAPTER 2. FREQUENTLY ASKED QUESTIONS v0.99 thing_val : Int thing_comp : Lazy Int Here, it is clear from the type that thing_val is guaranteed to be a concrete Int, whereas thing_comp is a computation which will produce an Int. 2.4 How can I make lazy control structures? You can make control structures using the special Lazy type. For example, if...then...else... in Idris expands to an application of a function named ifThenElse. The default implementation for Booleans is defined as follows in the library: ifThenElse : Bool -> (t : Lazy a) -> (e : Lazy a) -> a ifThenElse True t e = t ifThenElse False t e = e The type Lazy a for t and e indicates that those arguments will only be evaluated if they are used, that is, they are evaluated lazily. 2.5 Evaluation at the REPL doesn’t behave as I expect. What’s going on? Being a fully dependently typed language, Idris has two phases where it evaluates things, compile-time and run-time. At compile-time it will only evaluate things which it knows to be total (i.e. terminating and covering all possible inputs) in order to keep type checking decidable. The compile-time evaluator is part of the Idris kernel, and is implemented in Haskell using a HOAS (higher order abstract syntax) style representation of values. Since everything is known to have a normal form here, the evaluation strategy doesn’t actually matter because either way it will get the same answer, and in practice it will do whatever the Haskell run-time system chooses to do. The REPL, for convenience, uses the compile-time notion of evaluation. As well as being easier to implement (because we have the evaluator available) this can be very useful to show how terms evaluate in the type checker. So you can see the difference between: Idris> \n, m => (S n) + m \n => \m => S (plus n m) : Nat -> Nat -> Nat Idris> \n, m => n + (S m) \n => \m => plus n (S m) : Nat -> Nat -> Nat 2.6 Why can’t I use a function with no arguments in a type? If you use a name in a type which begins with a lower case letter, and which is not applied to any arguments, then Idris will treat it as an implicitly bound argument. For example: append : Vect n ty -> Vect m ty -> Vect (n + m) ty Here, n, m, and ty are implicitly bound. This rule applies even if there are functions defined elsewhere with any of these names. For example, you may also have: 62 CHAPTER 2. FREQUENTLY ASKED QUESTIONS v0.99 ty : Type ty = String Even in this case, ty is still considered implicitly bound in the definition of append, rather than making the type of append equivalent to... append : Vect n String -> Vect m String -> Vect (n + m) String ...which is probably not what was intended! The reason for this rule is so that it is clear just from looking at the type of append, and no other context, what the implicitly bound names are. If you want to use an unapplied name in a type, you have two options. You can either explicitly qualify it, for example, if ty is defined in the namespace Main you can do the following: append : Vect n Main.ty -> Vect m Main.ty -> Vect (n + m) Main.ty Alternatively, you can use a name which does not begin with a lower case letter, which will never be implicitly bound: Ty : Type Ty = String append : Vect n Ty -> Vect m Ty -> Vect (n + m) Ty As a convention, if a name is intended to be used as a type synonym, it is best for it to begin with a capital letter to avoid this restriction. 2.7 I have an obviously terminating program, but Idris says it possi- bly isn’t total. Why is that? Idris can’t decide in general whether a program is terminating due to the undecidability of the Halting Problem. It is possible, however, to identify some programs which are definitely terminating. Idris does this using “size change termination” which looks for recursive paths from a function back to itself. On such a path, there must be at least one argument which converges to a base case. • Mutually recursive functions are supported • However, all functions on the path must be fully applied. In particular, higher order applications are not supported • Idris identifies arguments which converge to a base case by looking for recursive calls to syntactically smaller arguments of inputs. e.g. k is syntactically smaller than S (S k) because k is a subterm of S (S k), but (k, k) is not syntactically smaller than (S k, S k). If you have a function which you believe to be terminating, but Idris does not, you can either restructure the program, or use the assert_total function. 2.8 When will Idris be self-hosting? It’s not a priority, though not a bad idea in the long run. It would be a worthwhile effort in the short term to implement libraries to support self-hosting, such as a good parsing library. 63 CHAPTER 2. FREQUENTLY ASKED QUESTIONS v0.99 2.9 Does Idris have universe polymorphism? What is the type of Type? Rather than universe polymorphism, Idris has a cumulative hierarchy of universes; Type : Type 1, Type 1 : Type 2, etc. Cumulativity means that if x : Type n and n <= m, then x : Type m. Universe levels are always inferred by Idris, and cannot be specified explicitly. The REPL command :type Type 1 will result in an error, as will attempting to specify the universe level of any type. 2.10 Why does Idris use Double instead of Float64? Historically the C language and many other languages have used the names Float and Double to repre- sent floating point numbers of size 32 and 64 respectively. Newer languages such as Rust and Julia have begun to follow the naming scheme described in IEEE Standard for Floating-Point Arithmetic (IEEE 754). This describes single and double precision numbers as Float32 and Float64; the size is described in the type name. Due to developer familiarity with the older naming convention, and choice by the developers of Idris, Idris uses the C style convention. That is, the name Double is used to describe double precision numbers, and Idris does not support 32 bit floats at present. 2.11 What is -ffreestanding? The freestanding flag is used to build Idris binaries which have their libs and compiler in a relative path. This is useful for building binaries where the install directory is unknown at build time. When passing this flag, the IDRIS_LIB_DIR environment variable needs to be set to the path where the Idris libs reside relative to the idris executable. The IDRIS_TOOLCHAIN_DIR environment variable is optional, if that is set, Idris will use that path to find the C compiler. Example: IDRIS_LIB_DIR="./libs" IDRIS_TOOLCHAIN_DIR="./mingw/bin" CABALFLAGS="-fffi -ffreestanding -frelease" make 2.12 What does the name ‘Idris’ mean? British people of a certain age may be familiar with this singing dragon. If that doesn’t help, maybe you can invent a suitable acronym :-) . 2.13 Will there be support for Unicode characters for operators? There are several reasons why we should not support Unicode operators: • It’s hard to type (this is important if you’re using someone else’s code, for example). Various editors have their own input methods, but you have to know what they are. • Not every piece of software easily supports it. Rendering issues have been noted on some mobile email clients, terminal-based IRC clients, web browsers, etc. There are ways to resolve these rendering issues but they provide a barrier to entry to using Idris. 64 CHAPTER 2. FREQUENTLY ASKED QUESTIONS v0.99 • Even if we leave it out of the standard library (which we will in any case!) as soon as people start using it in their library code, others have to deal with it. • Too many characters look too similar. We had enough trouble with confusion between 0 and O without worrying about all the different kinds of colons and brackets. • There seems to be a tendency to go over the top with use of Unicode. For example, using sharp and flat for delay and force (or is it the other way around?) in Agda seems gratuitous. We don’t want to encourage this sort of thing, when words are often better. With care, Unicode operators can make things look pretty but so can lhs2TeX. Perhaps in a few years time things will be different and software will cope better and it will make sense to revisit this. For now, however, Idris will not be offering arbitrary Unicode symbols in operators. This seems like an instance of Wadler’s Law in action. This answer is based on Edwin Brady’s response in the following pull request. 2.14 Where can I find more answers? There is an Unofficial FAQ on the wiki on GitHub which answers more technical questions and may be updated more often. 65 CHAPTER 3 The Effects Tutorial A tutorial on the Effects package in Idris. Note: The documentation for Idris has been published under the Creative Commons CC0 License. As such to the extent possible under law, The Idris Community has waived all copyright and related or neighbouring rights to Documentation for Idris. More information concerning the CC0 can be found online at: http://creativecommons.org/publicdomain/zero/1.0/ 3.1 Introduction Pure functional languages with dependent types such as Idris support reasoning about programs directly in the type system, promising that we can know a program will run correctly (i.e. according to the specification in its type) simply because it compiles. Realistically, though, things are not so simple: programs have to interact with the outside world, with user input, input from a network, mutable state, and so on. In this tutorial I will introduce the library, which is included with the distribution and supports programming and reasoning with side-effecting programs, supporting mutable state, interaction with the outside world, exceptions, and verified resource management. This tutorial assumes familiarity with pure programming in Idris, as described in Sections 1–6 of the main tutorial 1 . The examples presented are tested with Idris and can be found in the examples directory of the Idris repository. Consider, for example, the following introductory function which illustrates the kind of properties which can be expressed in the type system: vadd : Vect n Int -> Vect n Int -> Vect n Int vadd [] [] = [] vadd (x :: xs) (y :: ys) = x + y :: vadd xs ys This function adds corresponding elements in a pair of vectors. The type guarantees that the vectors will contain only elements of type Int, and that the input lengths and the output length all correspond. A natural question to ask here, which is typically neglected by introductory tutorials, is “How do I turn this into a program?” That is, given some lists entered by a user, how do we get into a position to be able to apply the vadd function? Before doing so, we will have to: • Read user input, either from the keyboard, a file, or some other input device. 1 You do not, however, need to know what a monad is! 66 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 • Check that the user inputs are valid, i.e. contain only Int and are the same length, and report an error if not. • Write output The complete program will include side-effects for I/O and error handling, before we can get to the pure core functionality. In this tutorial, we will see how Idris supports side-effects. Furthermore, we will see how we can use the dependent type system to reason about stateful and side-effecting programs. We will return to this specific example later. 3.1.1 Hello world To give an idea of how programs with effects look in , here is the ubiquitous “Hello world” program, written using the Effects library: module Main import Effects import Effect.StdIO hello : Eff () [STDIO] hello = putStrLn “Hello world!” main : IO () main = run hello As usual, the entry point is main. All main has to do is invoke the hello function which supports the STDIO effect for console I/O, and returns the unit value. All programs using the Effects library must import Effects. The details of the Eff type will be presented in the remainder of this tutorial. To compile and run this program, Idris needs to be told to include the Effects package, using the -p effects flag (this flag is required for all examples in this tutorial): idris hello.idr -o hello -p effects ./hello Hello world! 3.1.2 Outline The tutorial is structured as follows: first, in Section State (page 67), we will discuss state management, describing why it is important and introducing the effects library to show how it can be used to manage state. This section also gives an overview of the syntax of effectful programs. Section Simple Effects (page 74) then introduces a number of other effects a program may have: I/O; Exceptions; Random Numbers; and Non-determinism, giving examples for each, and an extended example combining several effects in one complete program. Section Dependent Effects (page 82) introduces dependent effects, showing how states and resources can be managed in types. Section Creating New Effects (page 86) shows how new effects can be implemented. Section Example: A “Mystery Word” Guessing Game (page 90) gives an extended example showing how to implement a “mystery word” guessing game, using effects to describe the rules of the game and ensure they are implemented accurately. References to further reading are given in Section Further Reading (page 95). 3.2 State Many programs, even pure programs, can benefit from locally mutable state. For example, consider a program which tags binary tree nodes with a counter, by an inorder traversal (i.e. counting depth first, left to right). This would perform something like the following: 67 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 We can describe binary trees with the following data type BTree and testTree to represent the example input above: data BTree a = Leaf | Node (BTree a) a (BTree a) testTree : BTree String testTree = Node (Node Leaf "Jim" Leaf) "Fred" (Node (Node Leaf "Alice" Leaf) "Sheila" (Node Leaf "Bob" Leaf)) Then our function to implement tagging, beginning to tag with a specific value i, has the following type: treeTag : (i : Int) -> BTree a -> BTree (Int, a) 3.2.1 First attempt Naïvely, we can implement treeTag by implementing a helper function which propagates a counter, returning the result of the count for each subtree: treeTagAux : (i : Int) -> BTree a -> (Int, BTree (Int, a)) treeTagAux i Leaf = (i, Leaf) treeTagAux i (Node l x r) = let (i', l') = treeTagAux i l in let x' = (i', x) in let (i'', r') = treeTagAux (i' + 1) r in (i'', Node l' x' r') treeTag : (i : Int) -> BTree a -> BTree (Int, a) treeTag i x = snd (treeTagAux i x) This gives the expected result when run at the REPL prompt: *TreeTag> treeTag 1 testTree Node (Node Leaf (1, "Jim") Leaf) (2, "Fred") (Node (Node Leaf (3, "Alice") Leaf) (4, "Sheila") (Node Leaf (5, "Bob") Leaf)) : BTree (Int, String) 68 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 This works as required, but there are several problems when we try to scale this to larger programs. It is error prone, because we need to ensure that state is propagated correctly to the recursive calls (i.e. passing the appropriate i or i’). It is hard to read, because the functional details are obscured by the state propagation. Perhaps most importantly, there is a common programming pattern here which should be abstracted but instead has been implemented by hand. There is local mutable state (the counter) which we have had to make explicit. 3.2.2 Introducing Effects Idris provides a library, Effects 3 , which captures this pattern and many others involving effectful computation 1 . An effectful program f has a type of the following form: f : (x1 : a1) -> (x2 : a2) -> ... -> Eff t effs That is, the return type gives the effects that f supports (effs, of type List EFFECT) and the type the computation returns t. So, our treeTagAux helper could be written with the following type: treeTagAux : BTree a -> Eff (BTree (Int, a)) [STATE Int] That is, treeTagAux has access to an integer state, because the list of available effects includes STATE Int. STATE is declared as follows in the module Effect.State (that is, we must import Effect.State to be able to use it): STATE : Type -> EFFECT It is an effect parameterised by a type (by convention, we write effects in all capitals). The treeTagAux function is an effectful program which builds a new tree tagged with Ints, and is implemented as follows: treeTagAux Leaf = pure Leaf treeTagAux (Node l x r) = do l' <- treeTagAux l i <- get put (i + 1) r' <- treeTagAux r pure (Node l' (i, x) r') There are several remarks to be made about this implementation. Essentially, it hides the state, which can be accessed using get and updated using put, but it introduces several new features. Specifically, it uses do-notation, binding variables with <-, and a pure function. There is much to be said about these features, but for our purposes, it suffices to know the following: • do blocks allow effectful operations to be sequenced. • x <- e binds the result of an effectful operation e to a variable x. For example, in the above code, treeTagAux l is an effectful operation returning BTree (Int, a), so l’ has type BTree (Int, a). • pure e turns a pure value e into the result of an effectful operation. The get and put functions read and write a state t, assuming that the STATE t effect is available. They have the following types, polymorphic in the state t they manage: get : Eff t [STATE t] put : t -> Eff () [STATE t] 3 Edwin Brady. 2013. Programming and reasoning with algebraic effects and dependent types. SIGPLAN Not. 48, 9 (September 2013), 133-144. DOI=10.1145/2544174.2500581 http://dl.acm.org/citation.cfm?doid=2544174.2500581 1 The earlier paper 3 describes the essential implementation details, although the library presented there is an earlier version which is less powerful than that presented in this tutorial. 69 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 A program in Eff can call any other function in Eff provided that the calling function supports at least the effects required by the called function. In this case, it is valid for treeTagAux to call both get and put because all three functions support the STATE Int effect. Programs in Eff are run in some underlying computation context, using the run or runPure function. Using runPure, which runs an effectful program in the identity context, we can write the treeTag function as follows, using put to initialise the state: treeTag : (i : Int) -> BTree a -> BTree (Int, a) treeTag i x = runPure (do put i treeTagAux x) We could also run the program in an impure context such as IO, without changing the definition of treeTagAux, by using run instead of runPure: treeTagAux : BTree a -> Eff (BTree (Int, a)) [STATE Int] ... treeTag : (i : Int) -> BTree a -> IO (BTree (Int, a)) treeTag i x = run (do put i treeTagAux x) Note that the definition of treeTagAux is exactly as before. For reference, this complete program (including a main to run it) is shown in Listing [introprog]. module Main import Effects import Effect.State data BTree a = Leaf | Node (BTree a) a (BTree a) Show a => Show (BTree a) where show Leaf = "[]" show (Node l x r) = "[" ++ show l ++ " " ++ show x ++ " " ++ show r ++ "]" testTree : BTree String testTree = Node (Node Leaf "Jim" Leaf) "Fred" (Node (Node Leaf "Alice" Leaf) "Sheila" (Node Leaf "Bob" Leaf)) treeTagAux : BTree a -> Eff (BTree (Int, a)) [STATE Int] treeTagAux Leaf = pure Leaf treeTagAux (Node l x r) = do l' <- treeTagAux l i <- get put (i + 1) r' <- treeTagAux r pure (Node l' (i, x) r') treeTag : (i : Int) -> BTree a -> BTree (Int, a) treeTag i x = runPure (do put i; treeTagAux x) main : IO () main = print (treeTag 1 testTree) 70 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 3.2.3 Effects and Resources Each effect is associated with a resource, which is initialised before an effectful program can be run. For example, in the case of STATE Int the corresponding resource is the integer state itself. The types of runPure and run show this (slightly simplified here for illustrative purposes): runPure : {env : Env id xs} -> Eff a xs -> a run : Applicative m => {env : Env m xs} -> Eff a xs -> m a The env argument is implicit, and initialised automatically where possible using default values given by implementations of the following interface: interface Default a where default : a Implementations of Default are defined for all primitive types, and many library types such as List, Vect, Maybe, pairs, etc. However, where no default value exists for a resource type (for example, you may want a STATE type for which there is no Default implementation) the resource environment can be given explicitly using one of the following functions: runPureInit : Env id xs -> Eff a xs -> a runInit : Applicative m => Env m xs -> Eff a xs -> m a To be well-typed, the environment must contain resources corresponding exactly to the effects in xs. For example, we could also have implemented treeTag by initialising the state as follows: treeTag : (i : Int) -> BTree a -> BTree (Int, a) treeTag i x = runPureInit [i] (treeTagAux x) 3.2.4 Labelled Effects What if we have more than one state, especially more than one state of the same type? How would get and put know which state they should be referring to? For example, how could we extend the tree tagging example such that it additionally counts the number of leaves in the tree? One possibility would be to change the state so that it captured both of these values, e.g.: treeTagAux : BTree a -> Eff (BTree (Int, a)) [STATE (Int, Int)] Doing this, however, ties the two states together throughout (as well as not indicating which integer is which). It would be nice to be able to call effectful programs which guaranteed only to access one of the states, for example. In a larger application, this becomes particularly important. The library therefore allows effects in general to be labelled so that they can be referred to explicitly by a particular name. This allows multiple effects of the same type to be included. We can count leaves and update the tag separately, by labelling them as follows: treeTagAux : BTree a -> Eff (BTree (Int, a)) ['Tag ::: STATE Int, 'Leaves ::: STATE Int] The ::: operator allows an arbitrary label to be given to an effect. This label can be any type—it is simply used to identify an effect uniquely. Here, we have used a symbol type. In general ’name introduces a new symbol, the only purpose of which is to disambiguate values 2 . When an effect is labelled, its operations are also labelled using the :- operator. In this way, we can say explicitly which state we mean when using get and put. The tree tagging program which also counts leaves can be written as follows: 2 In practice, ’name simply introduces a new empty type 71 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 treeTagAux Leaf = do 'Leaves :- update (+1) pure Leaf treeTagAux (Node l x r) = do l' <- treeTagAux l i <- 'Tag :- get 'Tag :- put (i + 1) r' <- treeTagAux r pure (Node l' (i, x) r') The update function here is a combination of get and put, applying a function to the current state. update : (x -> x) -> Eff () [STATE x] Finally, our top level treeTag function now returns a pair of the number of leaves, and the new tree. Resources for labelled effects are initialised using the := operator (reminiscent of assignment in an imperative language): treeTag : (i : Int) -> BTree a -> (Int, BTree (Int, a)) treeTag i x = runPureInit ['Tag := i, 'Leaves := 0] (do x' <- treeTagAux x leaves <- 'Leaves :- get pure (leaves, x')) To summarise, we have: • ::: to convert an effect to a labelled effect. • :- to convert an effectful operation to a labelled effectful operation. • := to initialise a resource for a labelled effect. Or, more formally with their types (slightly simplified to account only for the situation where available effects are not updated): (:::) : lbl -> EFFECT -> EFFECT (:-) : (l : lbl) -> Eff a [x] -> Eff a [l ::: x] (:=) : (l : lbl) -> res -> LRes l res Here, LRes is simply the resource type associated with a labelled effect. Note that labels are polymorphic in the label type lbl. Hence, a label can be anything—a string, an integer, a type, etc. 3.2.5 !-notation In many cases, using do-notation can make programs unnecessarily verbose, particularly in cases where the value bound is used once, immediately. The following program returns the length of the String stored in the state, for example: stateLength : Eff Nat [STATE String] stateLength = do x <- get pure (length x) This seems unnecessarily verbose, and it would be nice to program in a more direct style in these cases. provides !-notation to help with this. The above program can be written instead as: stateLength : Eff Nat [STATE String] stateLength = pure (length !get) The notation !expr means that the expression expr should be evaluated and then implicitly bound. Conceptually, we can think of ! as being a prefix function with the following type: 72 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 (!) : Eff a xs -> a Note, however, that it is not really a function, merely syntax! In practice, a subexpression !expr will lift expr as high as possible within its current scope, bind it to a fresh name x, and replace !expr with x. Expressions are lifted depth first, left to right. In practice, !-notation allows us to program in a more direct style, while still giving a notational clue as to which expressions are effectful. For example, the expression: let y = 42 in f !(g !(print y) !x) is lifted to: let y = 42 in do y' <- print y x' <- x g' <- g y' x' f g' 3.2.6 The Type Eff Underneath, Eff is an overloaded function which translates to an underlying type EffM: EffM : (m : Type -> Type) -> (t : Type) -> (List EFFECT) -> (t -> List EFFECT) -> Type This is more general than the types we have been writing so far. It is parameterised over an underlying computation context m, a result type t as we have already seen, as well as a List EFFECT and a function type t -> List EFFECT. These additional parameters are the list of input effects, and a list of output effects, computed from the result of an effectful operation. That is: running an effectful program can change the set of effects available! This is a particularly powerful idea, and we will see its consequences in more detail later. Some examples of operations which can change the set of available effects are: • Updating a state containing a dependent type (for example adding an element to a vector). • Opening a file for reading is an effect, but whether the file really is open afterwards depends on whether the file was successfully opened. • Closing a file means that reading from the file should no longer be possible. While powerful, this can make uses of the EffM type hard to read. Therefore the library provides an overloaded function Eff There are the following three versions: SimpleEff.Eff : (t : Type) -> (input_effs : List EFFECT) -> Type TransEff.Eff : (t : Type) -> (input_effs : List EFFECT) -> (output_effs : List EFFECT) -> Type DepEff.Eff : (t : Type) -> (input_effs : List EFFECT) -> (output_effs_fn : x -> List EFFECT) -> Type So far, we have used only the first version, SimpleEff.Eff, which is defined as follows: Eff : (x : Type) -> (es : List EFFECT) -> Type Eff x es = {m : Type -> Type} -> EffM m x es (\v => es) i.e. the set of effects remains the same on output. This suffices for the STATE example we have seen so far, and for many useful side-effecting programs. We could also have written treeTagAux with the expanded type: 73 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 treeTagAux : BTree a -> EffM m (BTree (Int, a)) [STATE Int] (\x => [STATE Int]) Later, we will see programs which update effects: Eff a xs xs' which is expanded to EffM m a xs (\_ => xs') i.e. the set of effects is updated to xs’ (think of a transition in a state machine). There is, for example, a version of put which updates the type of the state: putM : y -> Eff () [STATE x] [STATE y] Also, we have: Eff t xs (\res => xs') which is expanded to EffM m t xs (\res => xs') i.e. the set of effects is updated according to the result of the operation res, of type t. Parameterising EffM over an underlying computation context allows us to write effectful programs which are specific to one context, and in some cases to write programs which extend the list of effects available using the new function, though this is beyond the scope of this tutorial. 3.3 Simple Effects So far we have seen how to write programs with locally mutable state using the STATE effect. To recap, we have the definitions below in a module Effect.State module Effect.State STATE : Type -> EFFECT get : Eff x [STATE x] put : x -> Eff () [STATE x] putM : y -> Eff () [STATE x] [STATE y] update : (x -> x) -> Eff () [STATE x] Handler State m where { ... } The last line, Handler State m where { ... }, means that the STATE effect is usable in any com- putation context m. That is, a program which uses this effect and returns something of type a can be evaluated to something of type m a using run, for any m. The lower case State is a data type describing the operations which make up the STATE effect itself—we will go into more detail about this in Section Creating New Effects (page 86). In this section, we will introduce some other supported effects, allowing console I/O, exceptions, random number generation and non-deterministic programming. For each effect we introduce, we will begin with a summary of the effect, its supported operations, and the contexts in which it may be used, like that above for STATE, and go on to present some simple examples. At the end, we will see some examples of programs which combine multiple effects. All of the effects in the library, including those described in this section, are summarised in Appendix 74 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 Effects Summary (page 95). 3.3.1 Console I/O Console I/O is supported with the STDIO effect, which allows reading and writing characters and strings to and from standard input and standard output. Notice that there is a constraint here on the computation context m, because it only makes sense to support console I/O operations in a context where we can perform (or at the very least simulate) console I/O: module Effect.StdIO STDIO : EFFECT putChar : Char -> Eff () [STDIO] putStr : String -> Eff () [STDIO] putStrLn : String -> Eff () [STDIO] getStr : Eff String [STDIO] getChar : Eff Char [STDIO] Handler StdIO IO where { ... } Handler StdIO (IOExcept a) where { ... } Examples A program which reads the user’s name, then says hello, can be written as follows: hello : Eff () [STDIO] hello = do putStr "Name? " x <- getStr putStrLn ("Hello " ++ trim x ++ "!") We use trim here to remove the trailing newline from the input. The resource associated with STDIO is simply the empty tuple, which has a default value (), so we can run this as follows: main : IO () main = run hello In hello we could also use !-notation instead of x <- getStr, since we only use the string that is read once: hello : Eff () [STDIO] hello = do putStr "Name? " putStrLn ("Hello " ++ trim !getStr ++ "!") More interestingly, we can combine multiple effects in one program. For example, we can loop, counting the number of people we’ve said hello to: hello : Eff () [STATE Int, STDIO] hello = do putStr "Name? " putStrLn ("Hello " ++ trim !getStr ++ "!") update (+1) putStrLn ("I've said hello to: " ++ show !get ++ " people") hello The list of effects given in hello means that the function can call get and put on an integer state, and any functions which read and write from the console. To run this, main does not need to be changed. 75 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 Aside: Resource Types To find out the resource type of an effect, if necessary (for example if we want to initialise a resource explicitly with runInit rather than using a default value with run) we can run the resourceType function at the REPL: *ConsoleIO> resourceType STDIO () : Type *ConsoleIO> resourceType (STATE Int) Int : Type 3.3.2 Exceptions The EXCEPTION effect is declared in module Effect.Exception. This allows programs to exit immedi- ately with an error, or errors to be handled more generally: module Effect.Exception EXCEPTION : Type -> EFFECT raise : a -> Eff b [EXCEPTION a] Handler (Exception a) Maybe where { ... } Handler (Exception a) List where { ... } Handler (Exception a) (Either a) where { ... } Handler (Exception a) (IOExcept a) where { ... } Show a => Handler (Exception a) IO where { ... } Example Suppose we have a String which is expected to represent an integer in the range 0 to n. We can write a function parseNumber which returns an Int if parsing the string returns a number in the appropriate range, or throws an exception otherwise. Exceptions are parameterised by an error type: data Error = NotANumber | OutOfRange parseNumber : Int -> String -> Eff Int [EXCEPTION Error] parseNumber num str = if all isDigit (unpack str) then let x = cast str in if (x >=0 && x <= num) then pure x else raise OutOfRange else raise NotANumber Programs which support the EXCEPTION effect can be run in any context which has some way of throwing errors, for example, we can run parseNumber in the Either Error context. It returns a value of the form Right x if successful: *Exception> the (Either Error Int) $ run (parseNumber 42 "20") Right 20 : Either Error Int Or Left e on failure, carrying the appropriate exception: *Exception> the (Either Error Int) $ run (parseNumber 42 "50") Left OutOfRange : Either Error Int 76 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 *Exception> the (Either Error Int) $ run (parseNumber 42 "twenty") Left NotANumber : Either Error Int In fact, we can do a little bit better with parseNumber, and have it return a proof that the integer is in the required range along with the integer itself. One way to do this is define a type of bounded integers, Bounded: Bounded : Int -> Type Bounded x = (n : Int ** So (n >= 0 && n <= x)) Recall that So is parameterised by a Bool, and only So True is inhabited. We can use choose to construct such a value from the result of a dynamic check: data So : Bool -> Type = Oh : So True choose : (b : Bool) -> Either (So b) (So (not b)) We then write parseNumber using choose rather than an if/then/else construct, passing the proof it returns on success as the boundedness proof: parseNumber : (x : Int) -> String -> Eff (Bounded x) [EXCEPTION Error] parseNumber x str = if all isDigit (unpack str) then let num = cast str in case choose (num >=0 && num <= x) of Left p => pure (num ** p) Right p => raise OutOfRange else raise NotANumber 3.3.3 Random Numbers Random number generation is also implemented by the library, in module Effect.Random: module Effect.Random RND : EFFECT srand : Integer -> Eff () [RND] rndInt : Integer -> Integer -> Eff Integer [RND] rndFin : (k : Nat) -> Eff (Fin (S k)) [RND] Handler Random m where { ... } Random number generation is considered side-effecting because its implementation generally relies on some external source of randomness. The default implementation here relies on an integer seed, which can be set with srand. A specific seed will lead to a predictable, repeatable sequence of random numbers. There are two functions which produce a random number: • rndInt, which returns a random integer between the given lower and upper bounds. • rndFin, which returns a random element of a finite set (essentially a number with an up- per bound given in its type). Example We can use the RND effect to implement a simple guessing game. The guess function, given a target number, will repeatedly ask the user for a guess, and state whether the guess is too high, too low, or correct: 77 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 guess : Int -> Eff () [STDIO] For reference, the code for guess is given below: guess : Int -> Eff () [STDIO] guess target = do putStr "Guess: " case run {m=Maybe} (parseNumber 100 (trim !getStr)) of Nothing => do putStrLn "Invalid input" guess target Just (v ** _) => case compare v target of LT => do putStrLn "Too low" guess target EQ => putStrLn "You win!" GT => do putStrLn "Too high" guess target Note that we use parseNumber as defined previously to read user input, but we don’t need to list the EXCEPTION effect because we use a nested run to invoke parseNumber, independently of the calling effectful program. To invoke this, we pick a random number within the range 0–100, having set up the random number generator with a seed, then run guess: game : Eff () [RND, STDIO] game = do srand 123456789 guess (fromInteger !(rndInt 0 100)) main : IO () main = run game If no seed is given, it is set to the default value. For a less predictable game, some better source of randomness would be required, for example taking an initial seed from the system time. To see how to do this, see the SYSTEM effect described in Effects Summary (page 95). 3.3.4 Non-determinism The listing below gives the definition of the non-determinism effect, which allows a program to choose a value non-deterministically from a list of possibilities in such a way that the entire computation succeeds: import Effects import Effect.Select SELECT : EFFECT select : List a -> Eff a [SELECT] Handler Selection Maybe where { ... } Handler Selection List where { ... } Example The SELECT effect can be used to solve constraint problems, such as finding Pythagorean triples. The idea is to use select to give a set of candidate values, then throw an exception for any combination of values which does not satisfy the constraint: 78 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 triple : Int -> Eff (Int, Int, Int) [SELECT, EXCEPTION String] triple max = do z <- select [1..max] y <- select [1..z] x <- select [1..y] if (x * x + y * y == z * z) then pure (x, y, z) else raise "No triple" This program chooses a value for z between 1 and max, then values for y and x. In operation, after a select, the program executes the rest of the do-block for every possible assignment, effectively searching depth-first. If the list is empty (or an exception is thrown) execution fails. There are handlers defined for Maybe and List contexts, i.e. contexts which can capture failure. De- pending on the context m, triple will either return the first triple it finds (if in Maybe context) or all triples in the range (if in List context). We can try this as follows: main : IO () main = do print $ the (Maybe _) $ run (triple 100) print $ the (List _) $ run (triple 100) 3.3.5 vadd revisited We now return to the vadd program from the introduction. Recall the definition: vadd : Vect n Int -> Vect n Int -> Vect n Int vadd [] [] = [] vadd (x :: xs) (y :: ys) = x + y :: vadd xs ys Using , we can set up a program so that it reads input from a user, checks that the input is valid (i.e both vectors contain integers, and are the same length) and if so, pass it on to vadd. First, we write a wrapper for vadd which checks the lengths and throw an exception if they are not equal. We can do this for input vectors of length n and m by matching on the implicit arguments n and m and using decEq to produce a proof of their equality, if they are equal: vadd_check : Vect n Int -> Vect m Int -> Eff (Vect m Int) [EXCEPTION String] vadd_check {n} {m} xs ys with (decEq n m) vadd_check {n} {m=n} xs ys | (Yes Refl) = pure (vadd xs ys) vadd_check {n} {m} xs ys | (No contra) = raise "Length mismatch" To read a vector from the console, we implement a function of the following type: read_vec : Eff (p ** Vect p Int) [STDIO] This returns a dependent pair of a length, and a vector of that length, because we cannot know in advance how many integers the user is going to input. We can use -1 to indicate the end of input: read_vec : Eff (p ** Vect p Int) [STDIO] read_vec = do putStr "Number (-1 when done): " case run (parseNumber (trim !getStr)) of Nothing => do putStrLn "Input error" read_vec Just v => if (v /= -1) then do (_ ** xs) <- read_vec pure (_ ** v :: xs) else pure (_ ** []) where parseNumber : String -> Eff Int [EXCEPTION String] parseNumber str 79 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 = if all (\x => isDigit x || x == '-') (unpack str) then pure (cast str) else raise "Not a number" This uses a variation on parseNumber which does not require a number to be within range. Finally, we write a program which reads two vectors and prints the result of pairwise addition of them, throwing an exception if the inputs are of differing lengths: do_vadd : Eff () [STDIO, EXCEPTION String] do_vadd = do putStrLn "Vector 1" (_ ** xs) <- read_vec putStrLn "Vector 2" (_ ** ys) <- read_vec putStrLn (show !(vadd_check xs ys)) By having explicit lengths in the type, we can be sure that vadd is only being used where the lengths of inputs are guaranteed to be equal. This does not stop us reading vectors from user input, but it does require that the lengths are checked and any discrepancy is dealt with gracefully. 3.3.6 Example: An Expression Calculator To show how these effects can fit together, let us consider an evaluator for a simple expression language, with addition and integer values. data Expr = Val Integer | Add Expr Expr An evaluator for this language always returns an Integer, and there are no situations in which it can fail! eval : Expr -> Integer eval (Val x) = x eval (Add l r) = eval l + eval r If we add variables, however, things get more interesting. The evaluator will need to be able to access the values stored in variables, and variables may be undefined. data Expr = Val Integer | Var String | Add Expr Expr To start, we will change the type of eval so that it is effectful, and supports an exception effect for throwing errors, and a state containing a mapping from variable names (as String) to their values: Env : Type Env = List (String, Integer) eval : Expr -> Eff Integer [EXCEPTION String, STATE Env] eval (Val x) = pure x eval (Add l r) = pure $ !(eval l) + !(eval r) Note that we are using !-notation to avoid having to bind subexpressions in a do block. Next, we add a case for evaluating Var: eval (Var x) = case lookup x !get of Nothing => raise $ "No such variable " ++ x Just val => pure val This retrieves the state (with get, supported by the STATE Env effect) and raises an exception if the 80 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 variable is not in the environment (with raise, supported by the EXCEPTION String effect). To run the evaluator on a particular expression in a particular environment of names and their values, we can write a function which sets the state then invokes eval: runEval : List (String, Integer) -> Expr -> Maybe Integer runEval args expr = run (eval' expr) where eval' : Expr -> Eff Integer [EXCEPTION String, STATE Env] eval' e = do put args eval e We have picked Maybe as a computation context here; it needs to be a context which is available for every effect supported by eval. In particular, because we have exceptions, it needs to be a context which supports exceptions. Alternatively, Either String or IO would be fine, for example. What if we want to extend the evaluator further, with random number generation? To achieve this, we add a new constructor to Expr, which gives a random number up to a maximum value: data Expr = Val Integer | Var String | Add Expr Expr | Random Integer Then, we need to deal with the new case, making sure that we extend the list of events to include RND. It doesn’t matter where RND appears in the list, as long as it is present: eval : Expr -> Eff Integer [EXCEPTION String, RND, STATE Env] eval (Random upper) = rndInt 0 upper For test purposes, we might also want to print the random number which has been generated: eval (Random upper) = do val <- rndInt 0 upper putStrLn (show val) pure val If we try this without extending the effects list, we would see an error something like the following: Expr.idr:28:6:When elaborating right hand side of eval: Can't solve goal SubList [STDIO] [(EXCEPTION String), RND, (STATE (List (String, Integer)))] In other words, the STDIO effect is not available. We can correct this simply by updating the type of eval to include STDIO. eval : Expr -> Eff Integer [STDIO, EXCEPTION String, RND, STATE Env] Note: Using STDIO will restrict the number of contexts in which eval can be run to those which support STDIO, such as IO. Once effect lists get longer, it can be a good idea instead to encapsulate sets of effects in a type synonym. This is achieved as follows, simply by defining a function which computes a type, since types are first class in Idris: EvalEff : Type -> Type EvalEff t = Eff t [STDIO, EXCEPTION String, RND, STATE Env] eval : Expr -> EvalEff Integer 81 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 3.4 Dependent Effects In the programs we have seen so far, the available effects have remained constant. Sometimes, however, an operation can change the available effects. The simplest example occurs when we have a state with a dependent type—adding an element to a vector also changes its type, for example, since its length is explicit in the type. In this section, we will see how the library supports this. Firstly, we will see how states with dependent types can be implemented. Secondly, we will see how the effects can depend on the result of an effectful operation. Finally, we will see how this can be used to implement a type-safe and resource-safe protocol for file management. 3.4.1 Dependent States Suppose we have a function which reads input from the console, converts it to an integer, and adds it to a list which is stored in a STATE. It might look something like the following: readInt : Eff () [STATE (List Int), STDIO] readInt = do let x = trim !getStr put (cast x :: !get) But what if, instead of a list of integers, we would like to store a Vect, maintaining the length in the type? readInt : Eff () [STATE (Vect n Int), STDIO] readInt = do let x = trim !getStr put (cast x :: !get) This will not type check! Although the vector has length n on entry to readInt, it has length S n on exit. The library allows us to express this as follows: readInt : Eff ()[STATE (Vect n Int), STDIO] [STATE (Vect (S n) Int), STDIO] readInt = do let x = trim !getStr putM (cast x :: !get) The type Eff a xs xs’ means that the operation begins with effects xs available, and ends with effects xs’ available. We have used putM to update the state, where the M suffix indicates that the type is being updated as well as the value. It has the following type: putM : y -> Eff () [STATE x] [STATE y] 3.4.2 Result-dependent Effects Often, whether a state is updated could depend on the success or otherwise of an operation. In our readInt example, we might wish to update the vector only if the input is a valid integer (i.e. all digits). As a first attempt, we could try the following, returning a Bool which indicates success: readInt : Eff Bool [STATE (Vect n Int), STDIO] [STATE (Vect (S n) Int), STDIO] readInt = do let x = trim !getStr case all isDigit (unpack x) of False => pure False True => do putM (cast x :: !get) pure True Unfortunately, this will not type check because the vector does not get extended in both branches of the case! 82 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 MutState.idr:18:19:When elaborating right hand side of Main.case block in readInt: Unifying n and S n would lead to infinite value Clearly, the size of the resulting vector depends on whether or not the value read from the user was valid. We can express this in the type: readInt : Eff Bool [STATE (Vect n Int), STDIO] (\ok => if ok then [STATE (Vect (S n) Int), STDIO] else [STATE (Vect n Int), STDIO]) readInt = do let x = trim !getStr case all isDigit (unpack x) of False => pureM False True => do putM (cast x :: !get) pureM True Using pureM rather than pure allows the output effects to be calculated from the value given. Its type is: pureM : (val : a) -> EffM m a (xs val) xs When using readInt, we will have to check its return value in order to know what the new set of effects is. For example, to read a set number of values into a vector, we could write the following: readN : (n : Nat) -> Eff () [STATE (Vect m Int), STDIO] [STATE (Vect (n + m) Int), STDIO] readN Z = pure () readN {m} (S k) = case !readInt of True => rewrite plusSuccRightSucc k m in readN k False => readN (S k) The case analysis on the result of readInt means that we know in each branch whether reading the integer succeeded, and therefore how many values still need to be read into the vector. What this means in practice is that the type system has verified that a necessary dynamic check (i.e. whether reading a value succeeded) has indeed been done. Note: Only case will work here. We cannot use if/then/else because the then and else branches must have the same type. The case construct, however, abstracts over the value being inspected in the type of each branch. 3.4.3 File Management A practical use for dependent effects is in specifying resource usage protocols and verifying that they are executed correctly. For example, file management follows a resource usage protocol with the following (informally specified) requirements: • It is necessary to open a file for reading before reading it • Opening may fail, so the programmer should check whether opening was successful • A file which is open for reading must not be written to, and vice versa • When finished, an open file handle should be closed • When a file is closed, its handle should no longer be used 83 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 These requirements can be expressed formally in , by creating a FILE_IO effect parameterised over a file handle state, which is either empty, open for reading, or open for writing. The FILE_IO effect’s definition is given below. Note that this effect is mainly for illustrative purposes—typically we would also like to support random access files and better reporting of error conditions. module Effect.File import Effects import Control.IOExcept FILE_IO : Type -> EFFECT data OpenFile : Mode -> Type open : (fname : String) -> (m : Mode) -> Eff Bool [FILE_IO ()] (\res => [FILE_IO (case res of True => OpenFile m False => ())]) close : Eff () [FILE_IO (OpenFile m)] [FILE_IO ()] readLine : Eff String [FILE_IO (OpenFile Read)] writeLine : String -> Eff () [FILE_IO (OpenFile Write)] eof : Eff Bool [FILE_IO (OpenFile Read)] Handler FileIO IO where { ... } In particular, consider the type of open: open : (fname : String) -> (m : Mode) -> Eff Bool [FILE_IO ()] (\res => [FILE_IO (case res of True => OpenFile m False => ())]) This returns a Bool which indicates whether opening the file was successful. The resulting state depends on whether the operation was successful; if so, we have a file handle open for the stated purpose, and if not, we have no file handle. By case analysis on the result, we continue the protocol accordingly. readFile : Eff (List String) [FILE_IO (OpenFile Read)] readFile = readAcc [] where readAcc : List String -> Eff (List String) [FILE_IO (OpenFile Read)] readAcc acc = if (not !eof) then readAcc (!readLine :: acc) else pure (reverse acc) Given a function readFile, above, which reads from an open file until reaching the end, we can write a program which opens a file, reads it, then displays the contents and closes it, as follows, correctly following the protocol: dumpFile : String -> Eff () [FILE_IO (), STDIO] dumpFile name = case !(open name Read) of True => do putStrLn (show !readFile) close False => putStrLn ("Error!") The type of dumpFile, with FILE_IO () in its effect list, indicates that any use of the file resource will follow the protocol correctly (i.e. it both begins and ends with an empty resource). If we fail to follow the protocol correctly (perhaps by forgetting to close the file, failing to check that open succeeded, or opening the file for writing) then we will get a compile-time error. For example, changing open name 84 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 Read to open name Write yields a compile-time error of the following form: FileTest.idr:16:18:When elaborating right hand side of Main.case block in testFile: Can't solve goal SubList [(FILE_IO (OpenFile Read))] [(FILE_IO (OpenFile Write)), STDIO] In other words: when reading a file, we need a file which is open for reading, but the effect list contains a FILE_IO effect carrying a file open for writing. 3.4.4 Pattern-matching bind It might seem that having to test each potentially failing operation with a case clause could lead to ugly code, with lots of nested case blocks. Many languages support exceptions to improve this, but unfor- tunately exceptions may not allow completely clean resource management—for example, guaranteeing that any open which did succeed has a corresponding close. Idris supports pattern-matching bindings, such as the following: dumpFile : String -> Eff () [FILE_IO (), STDIO] dumpFile name = do True <- open name Read putStrLn (show !readFile) close This also has a problem: we are no longer dealing with the case where opening a file failed! The solution is to extend the pattern-matching binding syntax to give brief clauses for failing matches. Here, for example, we could write: dumpFile : String -> Eff () [FILE_IO (), STDIO] dumpFile name = do True <- open name Read | False => putStrLn "Error" putStrLn (show !readFile) close This is exactly equivalent to the definition with the explicit case. In general, in a do-block, the syntax: do pat <- val | <alternatives> p is desugared to do x <- val case x of pat => p <alternatives> There can be several alternatives, separated by a vertical bar |. For example, there is a SYSTEM effect which supports reading command line arguments, among other things (see Appendix Effects Summary (page 95)). To read command line arguments, we can use getArgs: getArgs : Eff (List String) [SYSTEM] A main program can read command line arguments as follows, where in the list which is returned, the first element prog is the executable name and the second is an expected argument: emain : Eff () [SYSTEM, STDIO] emain = do [prog, arg] <- getArgs putStrLn $ "Argument is " ++ arg {- ... rest of function ... -} 85 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 Unfortunately, this will not fail gracefully if no argument is given, or if too many arguments are given. We can use pattern matching bind alternatives to give a better (more informative) error: emain : Eff () [SYSTEM, STDIO] emain = do [prog, arg] <- getArgs | [] => putStrLn "Can't happen!" | [prog] => putStrLn "No arguments!" | _ => putStrLn "Too many arguments!" putStrLn $ "Argument is " ++ arg {- ... rest of function ... -} If getArgs does not return something of the form [prog, arg] the alternative which does match is executed instead, and that value returned. 3.5 Creating New Effects We have now seen several side-effecting operations provided by the Effects library, and examples of their use in Section Simple Effects (page 74). We have also seen how operations may modify the available effects by changing state in Section Dependent Effects (page 82). We have not, however, yet seen how these operations are implemented. In this section, we describe how a selection of the available effects are implemented, and show how new effectful operations may be provided. 3.5.1 State Effects are described by algebraic data types, where the constructors describe the operations provided when the effect is available. Stateful operations are described as follows: data State : Effect where Get : State a a (\x => a) Put : b -> State () a (\x => b) Effect itself is a type synonym, giving the required type for an effect signature: Effect : Type Effect = (result : Type) -> (input_resource : Type) -> (output_resource : result -> Type) -> Type Each effect is associated with a resource. The second argument to an effect signature is the resource type on input to an operation, and the third is a function which computes the resource type on output. Here, it means: • Get takes no arguments. It has a resource of type a, which is not updated, and running the Get operation returns something of type a. • Put takes a b as an argument. It has a resource of type a on input, which is updated to a resource of type b. Running the Put operation returns the element of the unit type. The effects library provides an overloaded function sig which can make effect signatures more concise, particularly when the result has no effect on the resource type. For State, we can write: data State : Effect where Get : sig State a a Put : b -> sig State () a b There are four versions of sig, depending on whether we are interested in the resource type, and whether we are updating the resource. Idris will infer the appropriate version from usage. 86 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 NoResourceEffect.sig : Effect -> Type -> Type NoUpdateEffect.sig : Effect -> (ret : Type) -> (resource : Type) -> Type UpdateEffect.sig : Effect -> (ret : Type) -> (resource_in : Type) -> (resource_out : Type) -> Type DepUpdateEffect.sig : Effect -> (ret : Type) -> (resource_in : Type) -> (resource_out : ret -> Type) -> Type In order to convert State (of type Effect) into something usable in an effects list, of type EFFECT, we write the following: STATE : Type -> EFFECT STATE t = MkEff t State MkEff constructs an EFFECT by taking the resource type (here, the t which parameterises STATE) and the effect signature (here, State). For reference, EFFECT is declared as follows: data EFFECT : Type where MkEff : Type -> Effect -> EFFECT Recall that to run an effectful program in Eff, we use one of the run family of functions to run the program in a particular computation context m. For each effect, therefore, we must explain how it is executed in a particular computation context for run to work in that context. This is achieved with the following interface: interface Handler (e : Effect) (m : Type -> Type) where handle : resource -> (eff : e t resource resource') -> ((x : t) -> resource' x -> m a) -> m a We have already seen some implementation declarations in the effect summaries in Section Simple Effects (page 74). An implementation of Handler e m means that the effect declared with signature e can be run in computation context m. The handle function takes: • The resource on input (so, the current value of the state for State) • The effectful operation (either Get or Put x for State) • A continuation, which we conventionally call k, and should be passed the result value of the operation, and an updated resource. There are two reasons for taking a continuation here: firstly, this is neater because there are multiple return values (a new resource and the result of the operation); secondly, and more importantly, the continuation can be called zero or more times. A Handler for State simply passes on the value of the state, in the case of Get, or passes on a new state, in the case of Put. It is defined the same way for all computation contexts: Handler State m where handle st Get k = k st st handle st (Put n) k = k () n This gives enough information for Get and Put to be used directly in Eff programs. It is tidy, however, to define top level functions in Eff, as follows: get : Eff x [STATE x] get = call Get put : x -> Eff () [STATE x] put val = call (Put val) 87 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 putM : y -> Eff () [STATE x] [STATE y] putM val = call (Put val) An implementation detail (aside): The call function converts an Effect to a function in Eff, given a proof that the effect is available. This proof can be constructed automatically by , since it is essentially an index into a statically known list of effects: call : {e : Effect} -> (eff : e t a b) -> {auto prf : EffElem e a xs} -> Eff t xs (\v => updateResTy v xs prf eff) This is the reason for the Can’t solve goal error when an effect is not available: the implicit proof prf has not been solved automatically because the required effect is not in the list of effects xs. Such details are not important for using the library, or even writing new effects, however. Summary The following listing summarises what is required to define the STATE effect: data State : Effect where Get : sig State a a Put : b -> sig State () a b STATE : Type -> EFFECT STATE t = MkEff t State Handler State m where handle st Get k = k st st handle st (Put n) k = k () n get : Eff x [STATE x] get = call Get put : x -> Eff () [STATE x] put val = call (Put val) putM : y -> Eff () [STATE x] [STATE y] putM val = call (Put val) 3.5.2 Console I/O Then listing below gives the definition of the STDIO effect, including handlers for IO and IOExcept. We omit the definition of the top level Eff functions, as this merely invoke the effects PutStr, GetStr, PutCh and GetCh directly. Note that in this case, the resource is the unit type in every case, since the handlers merely apply the IO equivalents of the effects directly. data StdIO : Effect where PutStr : String -> sig StdIO () GetStr : sig StdIO String PutCh : Char -> sig StdIO () GetCh : sig StdIO Char Handler StdIO IO where handle () (PutStr s) k = do putStr s; k () () handle () GetStr k = do x <- getLine; k x () 88 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 handle () (PutCh c) k = do putChar c; k () () handle () GetCh k = do x <- getChar; k x () Handler StdIO (IOExcept a) where handle () (PutStr s) k = do ioe_lift $ putStr s; k () () handle () GetStr k = do x <- ioe_lift $ getLine; k x () handle () (PutCh c) k = do ioe_lift $ putChar c; k () () handle () GetCh k = do x <- ioe_lift $ getChar; k x () STDIO : EFFECT STDIO = MkEff () StdIO 3.5.3 Exceptions The listing below gives the definition of the Exception effect, including two of its handlers for Maybe and List. The only operation provided is Raise. The key point to note in the definitions of these handlers is that the continuation k is not used. Running Raise therefore means that computation stops with an error. data Exception : Type -> Effect where Raise : a -> sig (Exception a) b Handler (Exception a) Maybe where handle _ (Raise e) k = Nothing Handler (Exception a) List where handle _ (Raise e) k = [] EXCEPTION : Type -> EFFECT EXCEPTION t = MkEff () (Exception t) 3.5.4 Non-determinism The following listing gives the definition of the Select effect for writing non-deterministic programs, including a handler for List context which returns all possible successful values, and a handler for Maybe context which returns the first successful value. data Selection : Effect where Select : List a -> sig Selection a Handler Selection Maybe where handle _ (Select xs) k = tryAll xs where tryAll [] = Nothing tryAll (x :: xs) = case k x () of Nothing => tryAll xs Just v => Just v Handler Selection List where handle r (Select xs) k = concatMap (\x => k x r) xs SELECT : EFFECT SELECT = MkEff () Selection Here, the continuation is called multiple times in each handler, for each value in the list of possible values. In the List handler, we accumulate all successful results, and in the Maybe handler we try the first value in the list, and try later values only if that fails. 89 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 3.5.5 File Management Result-dependent effects are no different from non-dependent effects in the way they are implemented. The listing below illustrates this for the FILE_IO effect. The syntax for state transitions { x ==> {res} x’ }, where the result state x’ is computed from the result of the operation res, follows that for the equivalent Eff programs. data FileIO : Effect where Open : (fname: String) -> (m : Mode) -> sig FileIO Bool () (\res => case res of True => OpenFile m False => ()) Close : sig FileIO () (OpenFile m) ReadLine : sig FileIO String (OpenFile Read) WriteLine : String -> sig FileIO () (OpenFile Write) EOF : sig FileIO Bool (OpenFile Read) Handler FileIO IO where handle () (Open fname m) k = do h <- openFile fname m if !(validFile h) then k True (FH h) else k False () handle (FH h) Close k = do closeFile h k () () handle (FH h) ReadLine k = do str <- fread h k str (FH h) handle (FH h) (WriteLine str) k = do fwrite h str k () (FH h) handle (FH h) EOF k = do e <- feof h k e (FH h) FILE_IO : Type -> EFFECT FILE_IO t = MkEff t FileIO Note that in the handler for Open, the types passed to the continuation k are different depending on whether the result is True (opening succeeded) or False (opening failed). This uses validFile, defined in the Prelude, to test whether a file handler refers to an open file or not. 3.6 Example: A “Mystery Word” Guessing Game In this section, we will use the techniques and specific effects discussed in the tutorial so far to implement a larger example, a simple text-based word-guessing game. In the game, the computer chooses a word, which the player must guess letter by letter. After a limited number of wrong guesses, the player loses 1 . We will implement the game by following these steps: 1. Define the game state, in enough detail to express the rules 2. Define the rules of the game (i.e. what actions the player may take, and how these actions affect the game state) 3. Implement the rules of the game (i.e. implement state updates for each action) 4. Implement a user interface which allows a player to direct actions 1 Readers may recognise this game by the name “Hangman”. 90 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 Step 2 may be achieved by defining an effect which depends on the state defined in step 1. Then step 3 involves implementing a Handler for this effect. Finally, step 4 involves implementing a program in Eff using the newly defined effect (and any others required to implement the interface). 3.6.1 Step 1: Game State First, we categorise the game states as running games (where there are a number of guesses available, and a number of letters still to guess), or non-running games (i.e. games which have not been started, or games which have been won or lost). data GState = Running Nat Nat | NotRunning Notice that at this stage, we say nothing about what it means to make a guess, what the word to be guessed is, how to guess letters, or any other implementation detail. We are only interested in what is necessary to describe the game rules. We will, however, parameterise a concrete game state Mystery over this data: data Mystery : GState -> Type 3.6.2 Step 2: Game Rules We describe the game rules as a dependent effect, where each action has a precondition (i.e. what the game state must be before carrying out the action) and a postcondition (i.e. how the action affects the game state). Informally, these actions with the pre- and postconditions are: Guess Guess a letter in the word. • Precondition: The game must be running, and there must be both guesses still available, and letters still to be guessed. • Postcondition: If the guessed letter is in the word and not yet guessed, reduce the number of letters, otherwise reduce the number of guesses. Won Declare victory • Precondition: The game must be running, and there must be no letters still to be guessed. • Postcondition: The game is no longer running. Lost Accept defeat • Precondition: The game must be running, and there must be no guesses left. • Postcondition: The game is no longer running. NewWord Set a new word to be guessed • Precondition: The game must not be running. • Postcondition: The game is running, with 6 guesses available (the choice of 6 is somewhat arbitrary here) and the number of unique letters in the word still to be guessed. Get Get a string representation of the game state. This is for display purposes; there are no pre- or postconditions. We can make these rules precise by declaring them more formally in an effect signature: 91 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 data MysteryRules : Effect where Guess : (x : Char) -> sig MysteryRules Bool (Mystery (Running (S g) (S w))) (\inword => if inword then Mystery (Running (S g) w) else Mystery (Running g (S w))) Won : sig MysteryRules () (Mystery (Running g 0)) (Mystery NotRunning) Lost : sig MysteryRules () (Mystery (Running 0 g)) (Mystery NotRunning) NewWord : (w : String) -> sig MysteryRules () (Mystery NotRunning) (Mystery (Running 6 (length (letters w)))) Get : sig MysteryRules String (Mystery h) This description says nothing about how the rules are implemented. In particular, it does not specify how to tell whether a guessed letter was in a word, just that the result of Guess depends on it. Nevertheless, we can still create an EFFECT from this, and use it in an Eff program. Implementing a Handler for MysteryRules will then allow us to play the game. MYSTERY : GState -> EFFECT MYSTERY h = MkEff (Mystery h) MysteryRules 3.6.3 Step 3: Implement Rules To implement the rules, we begin by giving a concrete definition of game state: data Mystery : GState -> Type where Init : Mystery NotRunning GameWon : (word : String) -> Mystery NotRunning GameLost : (word : String) -> Mystery NotRunning MkG : (word : String) -> (guesses : Nat) -> (got : List Char) -> (missing : Vect m Char) -> Mystery (Running guesses m) If a game is NotRunning, that is either because it has not yet started (Init) or because it is won or lost (GameWon and GameLost, each of which carry the word so that showing the game state will reveal the word to the player). Finally, MkG captures a running game’s state, including the target word, the letters successfully guessed, and the missing letters. Using a Vect for the missing letters is convenient since its length is used in the type. To initialise the state, we implement the following functions: letters, which returns a list of unique letters in a String (ignoring spaces) and initState which sets up an initial state considered valid as a postcondition for NewWord. letters : String -> List Char initState : (x : String) -> Mystery (Running 6 (length (letters x))) When checking if a guess is in the vector of missing letters, it is convenient to return a proof that the guess is in the vector, using isElem below, rather than merely a Bool: data IsElem : a -> Vect n a -> Type where First : IsElem x (x :: xs) Later : IsElem x xs -> IsElem x (y :: xs) isElem : DecEq a => (x : a) -> (xs : Vect n a) -> Maybe (IsElem x xs) 92 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 The reason for returning a proof is that we can use it to remove an element from the correct position in a vector: shrink : (xs : Vect (S n) a) -> IsElem x xs -> Vect n a We leave the definitions of letters, init, isElem and shrink as exercises. Having implemented these, the Handler implementation for MysteryRules is surprisingly straightforward: Handler MysteryRules m where handle (MkG w g got []) Won k = k () (GameWon w) handle (MkG w Z got m) Lost k = k () (GameLost w) handle st Get k = k (show st) st handle st (NewWord w) k = k () (initState w) handle (MkG w (S g) got m) (Guess x) k = case isElem x m of Nothing => k False (MkG w _ got m) (Just p) => k True (MkG w _ (x :: got) (shrink m p)) Each case simply involves directly updating the game state in a way which is consistent with the declared rules. In particular, in Guess, if the handler claims that the guessed letter is in the word (by passing True to k), there is no way to update the state in such a way that the number of missing letters or number of guesses does not follow the rules. 3.6.4 Step 4: Implement Interface Having described the rules, and implemented state transitions which follow those rules as an effect handler, we can now write an interface for the game which uses the MYSTERY effect: game : Eff () [MYSTERY (Running (S g) w), STDIO] [MYSTERY NotRunning, STDIO] The type indicates that the game must start in a running state, with some guesses available, and eventually reach a not-running state (i.e. won or lost). The only way to achieve this is by correctly following the stated rules. Note that the type of game makes no assumption that there are letters to be guessed in the given word (i.e. it is w rather than S w). This is because we will be choosing a word at random from a vector of String, and at no point have we made it explicit that those String are non-empty. Finally, we need to initialise the game by picking a word at random from a list of candidates, setting it as the target using NewWord, then running game: runGame : Eff () [MYSTERY NotRunning, RND, SYSTEM, STDIO] runGame = do srand !time let w = index !(rndFin _) words call $ NewWord w game putStrLn !(call Get) We use the system time (time from the SYSTEM effect; see Appendix Effects Summary (page 95)) to initialise the random number generator, then pick a random Fin to index into a list of words. For example, we could initialise a word list as follows: words : ?wtype words = with Vect ["idris","agda","haskell","miranda", "java","javascript","fortran","basic", "coffeescript","rust"] 93 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 wtype = proof search Note: Rather than have to explicitly declare a type with the vector’s length, it is convenient to give a hole ?wtype and let Idris’s proof search mechanism find the type. This is a limited form of type inference, but very useful in practice. A possible complete implementation of game is presented below: game : Eff () [MYSTERY (Running (S g) w), STDIO] [MYSTERY NotRunning, STDIO] game {w=Z} = Won game {w=S _} = do putStrLn !Get putStr "Enter guess: " let guess = trim !getStr case choose (not (guess == "")) of (Left p) => processGuess (strHead' guess p) (Right p) => do putStrLn "Invalid input!" game where processGuess : Char -> Eff () [MYSTERY (Running (S g) (S w)), STDIO] [MYSTERY NotRunning, STDIO] processGuess {g} {w} c = case !(Main.Guess c) of True => do putStrLn "Good guess!" case w of Z => Won (S k) => game False => do putStrLn "No, sorry" case g of Z => Lost (S k) => game 3.6.5 Discussion Writing the rules separately as an effect, then an implementation which uses that effect, ensures that the implementation must follow the rules. This has practical applications in more serious contexts; MysteryRules for example can be though of as describing a protocol that a game player most follow, or alternative a precisely-typed API. In practice, we wouldn’t really expect to write rules first then implement the game once the rules were complete. Indeed, I didn’t do so when constructing this example! Rather, I wrote down a set of likely rules making any assumptions explicit in the state transitions for MysteryRules. Then, when implementing game at first, any incorrect assumption was caught as a type error. The following errors were caught during development: • Not realising that allowing NewWord to be an arbitrary string would mean that game would have to deal with a zero-length word as a starting state. • Forgetting to check whether a game was won before recursively calling processGuess, thus acci- dentally continuing a finished game. • Accidentally checking the number of missing letters, rather than the number of remaining guesses, when checking if a game was lost. These are, of course, simple errors, but were caught by the type checker before any testing of the game. 94 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 3.7 Further Reading This tutorial has given an introduction to writing and reasoning about side-effecting programs in Idris, using the Effects library. More details about the implementation of the library, such as how run works, how handlers are invoked, etc, are given in a separate paper 1 . Some libraries and programs which use Effects can be found in the following places: • https://github.com/edwinb/SDL-idris — some bindings for the SDL media library, supporting graphics in particular. • https://github.com/edwinb/idris-demos — various demonstration programs, including several ex- amples from this tutorial, and a “Space Invaders” game. • https://github.com/SimonJF/IdrisNet2 — networking and socket libraries. • https://github.com/edwinb/Protocols — a high level communication protocol description lan- guage. The inspiration for the Effects library was Bauer and Pretnar’s Eff language 2 , which describes a language based on algebraic effects and handlers. Other recent languages and libraries have also been built on this ideas, for example 3 and 4 . The theoretical foundations are also well-studied see 5 , 6 , 7 , 8 . 3.8 Effects Summary This appendix gives interfaces for the core effects provided by the library. 3.8.1 EXCEPTION module Effect.Exception import Effects import System import Control.IOExcept EXCEPTION : Type -> EFFECT raise : a -> Eff b [EXCEPTION a] Handler (Exception a) Maybe where { ... } 1 Edwin Brady. 2013. Programming and reasoning with algebraic effects and dependent types. SIGPLAN Not. 48, 9 (September 2013), 133-144. DOI=10.1145/2544174.2500581 https://dl.acm.org/citation.cfm?doid=2544174.2500581 2 Andrej Bauer, Matija Pretnar, Programming with algebraic effects and handlers, Journal of Logical and Algebraic Methods in Programming, Volume 84, Issue 1, January 2015, Pages 108-123, ISSN 2352-2208, http://math.andrej.com/wp- content/uploads/2012/03/eff.pdf 3 Ben Lippmeier. 2009. Witnessing Purity, Constancy and Mutability. In Proceedings of the 7th Asian Symposium on Programming Languages and Systems (APLAS ‘09), Zhenjiang Hu (Ed.). Springer-Verlag, Berlin, Heidelberg, 95-110. DOI=10.1007/978-3-642-10672-9_9 http://link.springer.com/chapter/10.1007%2F978-3-642-10672-9_9 4 Ohad Kammar, Sam Lindley, and Nicolas Oury. 2013. Handlers in action. SIGPLAN Not. 48, 9 (September 2013), 145-158. DOI=10.1145/2544174.2500590 https://dl.acm.org/citation.cfm?doid=2544174.2500590 5 Martin Hyland, Gordon Plotkin, John Power, Combining effects: Sum and tensor, Theo- retical Computer Science, Volume 357, Issues 1–3, 25 July 2006, Pages 70-99, ISSN 0304-3975, (https://www.sciencedirect.com/science/article/pii/S0304397506002659) 6 Paul Blain Levy. 2004. Call-By-Push-Value: A Functional/Imperative Synthesis (Semantics Structures in Computa- tion, V. 2). Kluwer Academic Publishers, Norwell, MA, USA. 7 Plotkin, Gordon, and Matija Pretnar. “Handlers of algebraic effects.” Programming Languages and Systems. Springer Berlin Heidelberg, 2009. 80-94. 8 Pretnar, Matija. “Logic and handling of algebraic effects.” (2010). 95 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 Handler (Exception a) List where { ... } Handler (Exception a) (Either a) where { ... } Handler (Exception a) (IOExcept a) where { ... } Show a => Handler (Exception a) IO where { ... } 3.8.2 FILE_IO module Effect.File import Effects import Control.IOExcept FILE_IO : Type -> EFFECT data OpenFile : Mode -> Type open : (fname : String) -> (m : Mode) -> Eff Bool [FILE_IO ()] (\res => [FILE_IO (case res of True => OpenFile m False => ())]) close : Eff () [FILE_IO (OpenFile m)] [FILE_IO ()] readLine : Eff String [FILE_IO (OpenFile Read)] writeLine : String -> Eff () [FILE_IO (OpenFile Write)] eof : Eff Bool [FILE_IO (OpenFile Read)] Handler FileIO IO where { ... } 3.8.3 RND module Effect.Random import Effects import Data.Vect import Data.Fin RND : EFFECT srand : Integer -> Eff m () [RND] rndInt : Integer -> Integer -> Eff m Integer [RND] rndFin : (k : Nat) -> Eff m (Fin (S k)) [RND] Handler Random m where { ... } 3.8.4 SELECT module Effect.Select import Effects SELECT : EFFECT select : List a -> Eff m a [SELECT] 96 CHAPTER 3. THE EFFECTS TUTORIAL v0.99 Handler Selection Maybe where { ... } Handler Selection List where { ... } 3.8.5 STATE module Effect.State import Effects STATE : Type -> EFFECT get : Eff m x [STATE x] put : x -> Eff m () [STATE x] putM : y -> Eff m () [STATE x] [STATE y] update : (x -> x) -> Eff m () [STATE x] Handler State m where { ... } 3.8.6 STDIO module Effect.StdIO import Effects import Control.IOExcept STDIO : EFFECT putChar : Handler StdIO m => Char -> Eff m () [STDIO] putStr : Handler StdIO m => String -> Eff m () [STDIO] putStrLn : Handler StdIO m => String -> Eff m () [STDIO] getStr : Handler StdIO m => Eff m String [STDIO] getChar : Handler StdIO m => Eff m Char [STDIO] Handler StdIO IO where { ... } Handler StdIO (IOExcept a) where { ... } 3.8.7 SYSTEM module Effect.System import Effects import System import Control.IOExcept SYSTEM : EFFECT getArgs : Handler System e => Eff e (List String) [SYSTEM] time : Handler System e => Eff e Int [SYSTEM] getEnv : Handler System e => String -> Eff e (Maybe String) [SYSTEM] Handler System IO where { ... } Handler System (IOExcept a) where { ... } 97 CHAPTER 4 Theorem Proving A tutorial on theorem proving in Idris. Note: The documentation for Idris has been published under the Creative Commons CC0 License. As such to the extent possible under law, The Idris Community has waived all copyright and related or neighboring rights to Documentation for Idris. More information concerning the CC0 can be found online at: http://creativecommons.org/publicdomain/zero/1.0/ 4.1 Running example: Addition of Natural Numbers Throughout this tutorial, we will be working with the following function, defined in the Idris prelude, which defines addition on natural numbers: plus : Nat -> Nat -> Nat plus Z m = m plus (S k) m = S (plus k m) It is defined by the above equations, meaning that we have for free the properties that adding m to zero always results in m, and that adding m to any non-zero number S k always results in S (plus k m). We can see this by evaluation at the Idris REPL (i.e. the prompt, the read-eval-print loop): Idris> \m => plus Z m \m => m : Nat -> Nat Idris> \k,m => plus (S k) m \k => \m => S (plus k m) : Nat -> Nat -> Nat Note that unlike many other language REPLs, the Idris REPL performs evaluation on open terms, meaning that it can reduce terms which appear inside lambda bindings, like those above. Therefore, we can introduce unknowns k and m as lambda bindings and see how plus reduces. The plus function has a number of other useful properties, for example: • It is commutative, that is for all Nat inputs n and m, we know that plus n m = plus m n. • It is associative, that is for all Nat inputs n, m and p, we know that plus n (plus m p) = plus (plus m n) p. We can use these properties in an Idris program, but in order to do so we must prove them. 98 CHAPTER 4. THEOREM PROVING v0.99 4.1.1 Equality Proofs Idris has a built-in propositional equality type, conceptually defined as follows: data (=) : a -> b -> Type where Refl : x = x Note that this must be built-in, rather than defined in the library, because = is a reserved operator — you cannot define this directly in your own code. It is propositional equality, where the type states that any two values in different types a and b may be proposed to be equal. There is only one way to prove equality, however, which is by reflexivity (Refl). We have a type for propositional equality here, and correspondingly a program inhabiting an instance of this type can be seen as a proof of the corresponding proposition 1 . So, trivially, we can prove that 4 equals 4: four_eq : 4 = 4 four_eq = Refl However, trying to prove that 4 = 5 results in failure: four_eq_five : 4 = 5 four_eq_five = Refl The type 4 = 5 is a perfectly valid type, but is uninhabited, so when trying to type check this definition, Idris gives the following error: When elaborating right hand side of four_eq_five: Type mismatch between x = x (Type of Refl) and 4 = 5 (Expected type) Type checking equality proofs An important step in type checking Idris programs is unification, which attempts to resolve implicit arguments such as the implicit argument x in Refl. As far as our understanding of type checking proofs is concerned, it suffices to know that unifying two terms involves reducing both to normal form then trying to find an assignment to implicit arguments which will make those normal forms equal. When type checking Refl, Idris requires that the type is of the form x = x, as we see from the type of Refl. In the case of four_eq_five, Idris will try to unify the expected type 4 = 5 with the type of Refl, x = x, notice that a solution requires that x be both 4 and 5, and therefore fail. Since type checking involves reduction to normal form, we can write the following equalities directly: twoplustwo_eq_four : 2 + 2 = 4 twoplustwo_eq_four = Refl plus_reduces_Z : (m : Nat) -> plus Z m = m plus_reduces_Z m = Refl plus_reduces_Sk : (k, m : Nat) -> plus (S k) m = S (plus k m) plus_reduces_Sk k m = Refl 1 This is known as the Curry-Howard correspondence. 99 CHAPTER 4. THEOREM PROVING v0.99 4.1.2 Heterogeneous Equality Equality in Idris is heterogeneous, meaning that we can even propose equalities between values in different types: idris_not_php : 2 = "2" Obviously, in Idris the type 2 = "2" is uninhabited, and one might wonder why it is useful to be able to propose equalities between values in different types. However, with dependent types, such equalities can arise naturally. For example, if two vectors are equal, their lengths must be equal: vect_eq_length : (xs : Vect n a) -> (ys : Vect m a) -> (xs = ys) -> n = m In the above declaration, xs and ys have different types because their lengths are different, but we would still like to draw a conclusion about the lengths if they happen to be equal. We can define vect_eq_length as follows: vect_eq_length xs xs Refl = Refl By matching on Refl for the third argument, we know that the only valid value for ys is xs, because they must be equal, and therefore their types must be equal, so the lengths must be equal. Alternatively, we can put an underscore for the second xs, since there is only one value which will type check: vect_eq_length xs _ Refl = Refl 4.1.3 Properties of plus Using the (=) type, we can now state the properties of plus given above as Idris type declarations: plus_commutes : (n, m : Nat) -> plus n m = plus m n plus_assoc : (n, m, p : Nat) -> plus n (plus m p) = plus (plus n m) p Both of these properties (and many others) are proved for natural number addition in the Idris stan- dard library, using (+) from the Num interface rather than using plus directly. They have the names plusCommutative and plusAssociative respectively. In the remainder of this tutorial, we will explore several different ways of proving plus_commutes (or, to put it another way, writing the function.) We will also discuss how to use such equality proofs, and see where the need for them arises in practice. 4.2 Inductive Proofs Before embarking on proving plus_commutes in Idris itself, let us consider the overall structure of a proof of some property of natural numbers. Recall that they are defined recursively, as follows: data Nat : Type where Z : Nat S : Nat -> Nat A total function over natural numbers must both terminate, and cover all possible inputs. Idris checks functions for totality by checking that all inputs are covered, and that all recursive calls are on structurally smaller values (so recursion will always reach a base case). Recalling plus: 100 CHAPTER 4. THEOREM PROVING v0.99 plus : Nat -> Nat -> Nat plus Z m = m plus (S k) m = S (plus k m) This is total because it covers all possible inputs (the first argument can only be Z or S k for some k, and the second argument m covers all possible Nat) and in the recursive call, k is structurally smaller than S k so the first argument will always reach the base case Z in any sequence of recursive calls. In some sense, this resembles a mathematical proof by induction (and this is no coincidence!). For some property P of a natural number x, we can show that P holds for all x if: • P holds for zero (the base case). • Assuming that P holds for k, we can show P also holds for S k (the inductive step). In plus, the property we are trying to show is somewhat trivial (for all natural numbers x, there is a Nat which need not have any relation to x). However, it still takes the form of a base case and an inductive step. In the base case, we show that there is a Nat arising from plus n m when n = Z, and in the inductive step we show that there is a Nat arising when n = S k and we know we can get a Nat inductively from plus k m. We could even write a function capturing all such inductive definitions: nat_induction : (P : Nat -> Type) -> -- Property to show (P Z) -> -- Base case ((k : Nat) -> P k -> P (S k)) -> -- Inductive step (x : Nat) -> -- Show for all x P x nat_induction P p_Z p_S Z = p_Z nat_induction P p_Z p_S (S k) = p_S k (nat_induction P p_Z p_S k) Using nat_induction, we can implement an equivalent inductive version of plus: plus_ind : Nat -> Nat -> Nat plus_ind n m = nat_induction (\x => Nat) m -- Base case, plus_ind Z m (\k, k_rec => S k_rec) -- Inductive step plus_ind (S k) m -- where k_rec = plus_ind k m n To prove that plus n m = plus m n for all natural numbers n and m, we can also use induction. Either we can fix m and perform induction on n, or vice versa. We can sketch an outline of a proof; performing induction on n, we have: • Property P is \x => plus x m = plus m x. • Show that P holds in the base case and inductive step: – Base case: P Z, i.e. plus Z m = plus m Z, which reduces to m = plus m Z due to the definition of plus. – Inductive step: Inductively, we know that P k holds for a specific, fixed k, i.e. plus k m = plus m k (the induction hypothesis). Given this, show P (S k), i.e. plus (S k) m = plus m (S k), which reduces to S (plus k m) = plus m (S k). From the induction hypothesis, we can rewrite this to S (plus m k) = plus m (S k). To complete the proof we therefore need to show that m = plus m Z for all natural numbers m, and that S (plus m k) = plus m (S k) for all natural numbers m and k. Each of these can also be proved by induction, this time on m. 101 CHAPTER 4. THEOREM PROVING v0.99 We are now ready to embark on a proof of commutativity of plus formally in Idris. 4.3 Pattern Matching Proofs In this section, we will provide a proof of plus_commutes directly, by writing a pattern matching def- inition. We will use interactive editing features extensively, since it is significantly easier to produce a proof when the machine can give the types of intermediate values and construct components of the proof itself. The commands we will use are summarised below. Where we refer to commands directly, we will use the Vim version, but these commands have a direct mapping to Emacs commands. Command Vim Emacs Explanation binding binding Check type \t C-c C-t Show type of identifier or hole under the cursor. Proof search \o C-c C-a Attempt to solve hole under the cursor by applying simple proof search. Make new \d C-c C-s Add a template definition for the type defined under the definition cursor. Make lemma \l C-c C-e Add a top level function with a type which solves the hole under the cursor. Split cases \c C-c C-c Create new constructor patterns for each possible case of the variable under the cursor. 4.3.1 Creating a Definition To begin, create a file pluscomm.idr containing the following type declaration: plus_commutes : (n : Nat) -> (m : Nat) -> n + m = m + n To create a template definition for the proof, press \d (or the equivalent in your editor of choice) on the line with the type declaration. You should see: plus_commutes : (n : Nat) -> (m : Nat) -> n + m = m + n plus_commutes n m = ?plus_commutes_rhs To prove this by induction on n, as we sketched in Section sect-inductive, we begin with a case split on n (press \c with the cursor over the n in the definition.) You should see: plus_commutes : (n : Nat) -> (m : Nat) -> n + m = m + n plus_commutes Z m = ?plus_commutes_rhs_1 plus_commutes (S k) m = ?plus_commutes_rhs_2 If we inspect the types of the newly created holes, plus_commutes_rhs_1 and plus_commutes_rhs_2, we see that the type of each reflects that n has been refined to Z and S k in each respective case. Pressing \t over plus_commutes_rhs_1 shows: m : Nat -------------------------------------- plus_commutes_rhs_1 : m = plus m 0 Note that Z renders as 0 because the pretty printer renders natural numbers as integer literals for readability. Similarly, for plus_commutes_rhs_2: k : Nat m : Nat -------------------------------------- plus_commutes_rhs_2 : S (plus k m) = plus m (S k) 102 CHAPTER 4. THEOREM PROVING v0.99 It is a good idea to give these slightly more meaningful names: plus_commutes : (n : Nat) -> (m : Nat) -> n + m = m + n plus_commutes Z m = ?plus_commutes_Z plus_commutes (S k) m = ?plus_commutes_S 4.3.2 Base Case We can create a separate lemma for the base case interactively, by pressing \l with the cursor over plus_commutes_Z. This yields: plus_commutes_Z : m = plus m 0 plus_commutes : (n : Nat) -> (m : Nat) -> n + m = m + n plus_commutes Z m = plus_commutes_Z plus_commutes (S k) m = ?plus_commutes_S That is, the hole has been filled with a call to a top level function plus_commutes_Z. The argument m has been made implicit because it can be inferred from context when it is applied. Unfortunately, we cannot prove this lemma directly, since plus is defined by matching on its first argument, and here plus m 0 has a specific value for its second argument (in fact, the left hand side of the equality has been reduced from plus 0 m.) Again, we can prove this by induction, this time on m. First, create a template definition with \d: plus_commutes_Z : m = plus m 0 plus_commutes_Z = ?plus_commutes_Z_rhs Since we are going to write this by induction on m, which is implicit, we will need to bring m into scope manually: plus_commutes_Z : m = plus m 0 plus_commutes_Z {m} = ?plus_commutes_Z_rhs Now, case split on m with \c: plus_commutes_Z : m = plus m 0 plus_commutes_Z {m = Z} = ?plus_commutes_Z_rhs_1 plus_commutes_Z {m = (S k)} = ?plus_commutes_Z_rhs_2 Checking the type of plus_commutes_Z_rhs_1 shows the following, which is easily proved by reflection: -------------------------------------- plus_commutes_Z_rhs_1 : 0 = 0 For such trivial proofs, we can let write the proof automatically by pressing \o with the cursor over plus_commutes_Z_rhs_1. This yields: plus_commutes_Z : m = plus m 0 plus_commutes_Z {m = Z} = Refl plus_commutes_Z {m = (S k)} = ?plus_commutes_Z_rhs_2 For plus_commutes_Z_rhs_2, we are not so lucky: k : Nat -------------------------------------- plus_commutes_Z_rhs_2 : S k = S (plus k 0) Inductively, we should know that k = plus k 0, and we can get access to this inductive hypothesis by making a recursive call on k, as follows: 103 CHAPTER 4. THEOREM PROVING v0.99 plus_commutes_Z : m = plus m 0 plus_commutes_Z {m = Z} = Refl plus_commutes_Z {m = (S k)} = let rec = plus_commutes_Z {m=k} in ?plus_commutes_Z_rhs_2 For plus_commutes_Z_rhs_2, we now see: k : Nat rec : k = plus k (fromInteger 0) -------------------------------------- plus_commutes_Z_rhs_2 : S k = S (plus k 0) Again, the fromInteger 0 is merely due to Nat having an implementation of the Num interface. So we know that k = plus k 0, but how do we use this to update the goal to S k = S k? To achieve this, Idris provides a replace function as part of the prelude: *pluscomm> :t replace replace : (x = y) -> P x -> P y Given a proof that x = y, and a property P which holds for x, we can get a proof of the same property for y, because we know x and y must be the same. In practice, this function can be a little tricky to use because in general the implicit argument P can be hard to infer by unification, so Idris provides a high level syntax which calculates the property and applies replace: rewrite prf in expr If we have prf : x = y, and the required type for expr is some property of x, the rewrite ... in syntax will search for x in the required type of expr and replace it with y. Concretely, in our example, we can say: plus_commutes_Z {m = (S k)} = let rec = plus_commutes_Z {m=k} in rewrite rec in ?plus_commutes_Z_rhs_2 Checking the type of plus_commutes_Z_rhs_2 now gives: k : Nat rec : k = plus k (fromInteger 0) _rewrite_rule : plus k 0 = k -------------------------------------- plus_commutes_Z_rhs_2 : S (plus k 0) = S (plus k 0) Using the rewrite rule rec (which we can see in the context here as _rewrite_rule 1 , the goal type has been updated with k replaced by plus k 0. Alternatively, we could have applied the rewrite in the other direction using the sym function: *pluscomm> :t sym sym : (l = r) -> r = l plus_commutes_Z {m = (S k)} = let rec = plus_commutes_Z {m=k} in rewrite sym rec in ?plus_commutes_Z_rhs_2 In this case, inspecting the type of the hole gives: k : Nat rec : k = plus k (fromInteger 0) _rewrite_rule : k = plus k 0 1 Note that the left and right hand sides of the equality have been swapped, because replace takes a proof of x=y and the property for x, not y. 104 CHAPTER 4. THEOREM PROVING v0.99 -------------------------------------- plus_commutes_Z_rhs_2 : S k = S k Either way, we can use proof search (\o) to complete the proof, giving: plus_commutes_Z : m = plus m 0 plus_commutes_Z {m = Z} = Refl plus_commutes_Z {m = (S k)} = let rec = plus_commutes_Z {m=k} in rewrite rec in Refl The base case is now complete. 4.3.3 Inductive Step Our main theorem, plus_commutes should currently be in the following state: plus_commutes : (n : Nat) -> (m : Nat) -> n + m = m + n plus_commutes Z m = plus_commutes_Z plus_commutes (S k) m = ?plus_commutes_S Looking again at the type of plus_commutes_S, we have: k : Nat m : Nat -------------------------------------- plus_commutes_S : S (plus k m) = plus m (S k) Conveniently, by induction we can immediately tell that plus k m = plus m k, so let us rewrite directly by making a recursive call to plus_commutes. We add this directly, by hand, as follows: plus_commutes : (n : Nat) -> (m : Nat) -> n + m = m + n plus_commutes Z m = plus_commutes_Z plus_commutes (S k) m = rewrite plus_commutes k m in ?plus_commutes_S Checking the type of plus_commutes_S now gives: k : Nat m : Nat _rewrite_rule : plus m k = plus k m -------------------------------------- plus_commutes_S : S (plus m k) = plus m (S k) The good news is that m and k now appear in the correct order. However, we still have to show that the successor symbol S can be moved to the front in the right hand side of this equality. This remaining lemma takes a similar form to the plus_commutes_Z; we begin by making a new top level lemma with \l. This gives: plus_commutes_S : (k : Nat) -> (m : Nat) -> S (plus m k) = plus m (S k) Unlike the previous case, k and m are not made implicit because we cannot in general infer arguments to a function from its result. Again, we make a template definition with \d: plus_commutes_S : (k : Nat) -> (m : Nat) -> S (plus m k) = plus m (S k) plus_commutes_S k m = ?plus_commutes_S_rhs Again, this is defined by induction over m, since plus is defined by matching on its first argument. The complete definition is: 105 CHAPTER 4. THEOREM PROVING v0.99 total plus_commutes_S : (k : Nat) -> (m : Nat) -> S (plus m k) = plus m (S k) plus_commutes_S k Z = Refl plus_commutes_S k (S j) = rewrite plus_commutes_S k j in Refl All holes have now been solved. The total annotation means that we require the final function to pass the totality checker; i.e. it will terminate on all possible well-typed inputs. This is important for proofs, since it provides a guarantee that the proof is valid in all cases, not just those for which it happens to be well-defined. Now that plus_commutes has a total annotation, we have completed the proof of commutativity of addition on natural numbers. 4.4 DEPRECATED: Interactive Theorem Proving Warning: The interactive theorem-proving interface documented here has been deprecated in favor of Elaborator Reflection (page 157). Idris also supports interactive theorem proving via tactics. This is generally not recommended to be used directly, but rather used as a mechanism for building proof automation which is beyond the scope of this tutorial. In this section, we briefly discus tactics. One way to write proofs interactively is to write the general structure of the proof, and use the interactive mode to complete the details. Consider the following definition, proved in Theorem Proving (page 40): plusReduces : (n:Nat) -> plus Z n = n We’ll be constructing the proof by induction, so we write the cases for Z and S, with a recursive call in the S case giving the inductive hypothesis, and insert holes for the rest of the definition: plusReducesZ' : (n:Nat) -> n = plus n Z plusReducesZ' Z = ?plusredZ_Z plusReducesZ' (S k) = let ih = plusReducesZ' k in ?plusredZ_S On running , two global names are created, plusredZ_Z and plusredZ_S, with no definition. We can use the :m command at the prompt to find out which holes are still to be solved (or, more precisely, which functions exist but have no definitions), then the :t command to see their types: *theorems> :m Global holes: [plusredZ_S,plusredZ_Z] *theorems> :t plusredZ_Z plusredZ_Z : Z = plus Z Z *theorems> :t plusredZ_S plusredZ_S : (k : Nat) -> (k = plus k Z) -> S k = plus (S k) Z The :p command enters interactive proof mode, which can be used to complete the missing definitions. *theorems> :p plusredZ_Z ---------------------------------- (plusredZ_Z) -------- {hole0} : Z = plus Z Z 106 CHAPTER 4. THEOREM PROVING v0.99 This gives us a list of premises (above the line; there are none here) and the current goal (below the line; named {hole0} here). At the prompt we can enter tactics to direct the construction of the proof. In this case, we can normalise the goal with the compute tactic: -plusredZ_Z> compute ---------------------------------- (plusredZ_Z) -------- {hole0} : Z = Z Now we have to prove that Z equals Z, which is easy to prove by Refl. To apply a function, such as Refl, we use refine which introduces subgoals for each of the function’s explicit arguments (Refl has none): -plusredZ_Z> refine Refl plusredZ_Z: no more goals Here, we could also have used the trivial tactic, which tries to refine by Refl, and if that fails, tries to refine by each name in the local context. When a proof is complete, we use the qed tactic to add the proof to the global context, and remove the hole from the unsolved holes list. This also outputs a trace of the proof: -plusredZ_Z> qed plusredZ_Z = proof compute refine Refl *theorems> :m Global holes: [plusredZ_S] The :addproof command, at the interactive prompt, will add the proof to the source file (effectively in an appendix). Let us now prove the other required lemma, plusredZ_S: *theorems> :p plusredZ_S ---------------------------------- (plusredZ_S) -------- {hole0} : (k : Nat) -> (k = plus k Z) -> S k = plus (S k) Z In this case, the goal is a function type, using k (the argument accessible by pattern matching) and ih — the local variable containing the result of the recursive call. We can introduce these as premises using the intro tactic twice (or intros, which introduces all arguments as premises). This gives: k : Nat ih : k = plus k Z ---------------------------------- (plusredZ_S) -------- {hole2} : S k = plus (S k) Z Since plus is defined by recursion on its first argument, the term plus (S k) Z in the goal can be simplified, so we use compute. k : Nat ih : k = plus k Z ---------------------------------- (plusredZ_S) -------- {hole2} : S k = S (plus k Z) We know, from the type of ih, that k = plus k Z, so we would like to use this knowledge to replace plus k Z in the goal with k. We can achieve this with the rewrite tactic: -plusredZ_S> rewrite ih k : Nat ih : k = plus k Z 107 CHAPTER 4. THEOREM PROVING v0.99 ---------------------------------- (plusredZ_S) -------- {hole3} : S k = S k -plusredZ_S> The rewrite tactic takes an equality proof as an argument, and tries to rewrite the goal using that proof. Here, it results in an equality which is trivially provable: -plusredZ_S> trivial plusredZ_S: no more goals -plusredZ_S> qed plusredZ_S = proof { intros; rewrite ih; trivial; } Again, we can add this proof to the end of our source file using the :addproof command at the interactive prompt. 108 CHAPTER 5 Language Reference This is the reference guide for the Idris Language. It documents the language specification and internals. This will tell you how Idris works, for using it you should read the Idris Tutorial. Note: The documentation for Idris has been published under the Creative Commons CC0 License. As such to the extent possible under law, The Idris Community has waived all copyright and related or neighboring rights to Documentation for Idris. More information concerning the CC0 can be found online at: http://creativecommons.org/publicdomain/zero/1.0/ 5.1 Code Generation Targets Idris has been designed such that the compiler can generate code for different backends upon request. By default Idris generates a C backend when generating an executable. Included within the standard Idris installation are backends for Javascript and Node.js. However, there are third-party code generators out there. Below we describe some of these backends and how you can use them when compiling your Idris code. If you want to write your own codegen for your language there is a stub project on GitHub that can help point you in the right direction. 5.1.1 Official Backends C Language Javascript To generate code that is tailored for running in the browser issue the following command: $ idris --codegen javascript hello.idr -o hello.js Generating code for NodeJS is slightly different. Idris outputs a JavaScript file that can be directly executed via node. $ idris --codegen node hello.idr -o hello $ ./hello Hello world 109 CHAPTER 5. LANGUAGE REFERENCE v0.99 Idris can produce very big chunks of JavaScript code (hello world weighs in at 1500 lines). However, the generated code can be minified using the closure-compiler from Google. java -jar compiler.jar --compilation_level ADVANCED_OPTIMIZATIONS --js hello.js Node.js 5.1.2 Third Party Note: These are third-party code generations and may have bit-rotted or do not work with current versions of Idris. Please speak to the project’s maintainors if there are any problems. CIL (.NET, Mono, Unity) idris --codegen cil Main.idr -o HelloWorld.exe \ && mono HelloWorld.exe The resulting assemblies can also be used with .NET or Unity. Requires idris-cil. Erlang Available online Java Available online idris hello.idr --codegen java -o hello.jar Note: The resulting .jar is automatically prefixed by a header including an .sh script to allow executing it directly. JVM Available online LLVM Available online Malfunction Available online 110 CHAPTER 5. LANGUAGE REFERENCE v0.99 Ocaml Available online PHP Available online Python Available online Ruby Available online WS Available online 5.2 Documenting Idris Code Idris documentation comes in two major forms: comments, which exist for a reader’s edification and are ignored by the compiler, and inline API documentation, which the compiler parses and stores for future reference. To consult the documentation for a declaration f, write :doc f at the REPL or use the appropriate command in your editor (C-c C-d in Emacs, <LocalLeader>h in Vim). 5.2.1 Comments Use comments to explain why code is written the way that it is. Idris’s comment syntax is the same as that of Haskell: lines beginning with -- are comments, and regions bracketed by {- and -} are comments even if they extend across multiple lines. These can be used to comment out lines of code or provide simple documentation for the readers of Idris code. 5.2.2 Inline Documentation Idris also supports a comprehensive and rich inline syntax for Idris code to be generated. This syntax also allows for named parameters and variables within type signatures to be individually annotated using a syntax similar to Javadoc parameter annotations. Documentation always comes before the declaration being documented. Inline documentation applies to either top-level declarations or to constructors. Documentation for specific arguments to constructors, type constructors, or functions can be associated with these arguments using their names. The inline documentation for a declaration is an unbroken string of lines, each of which begins with ||| (three pipe symbols). The first paragraph of the documentation is taken to be an overview, and in some contexts, only this overview will be shown. After the documentation for the declaration as a whole, it 111 CHAPTER 5. LANGUAGE REFERENCE v0.99 is possible to associate documentation with specific named parameters, which can either be explicitly name or the results of converting free variables to implicit parameters. Annotations are the same as with Javadoc annotations, that is for the named parameter (n : T), the corresponding annotation is ||| @ n Some description that is placed before the declaration. Documentation is written in Markdown, though not all contexts will display all possible formatting (for example, images are not displayed when viewing documentation in the REPL, and only some terminals render italics correctly). A comprehensive set of examples is given below. ||| Modules can also be documented. module Docs ||| Add some numbers. ||| ||| Addition is really great. This paragraph is not part of the overview. ||| Still the same paragraph. Lists are also nifty: ||| * Really nifty! ||| * Yep! ||| * The name `add` is a **bold** choice ||| @ n is the recursive param ||| @ m is not add : (n, m : Nat) -> Nat add Z m = m add (S n) m = S (add n m) ||| Append some vectors ||| @ a the contents of the vectors ||| @ xs the first vector (recursive param) ||| @ ys the second vector (not analysed) appendV : (xs : Vect n a) -> (ys : Vect m a) -> Vect (add n m) a appendV [] ys = ys appendV (x::xs) ys = x :: appendV xs ys ||| Here's a simple datatype data Ty = ||| Unit UNIT | ||| Functions ARR Ty Ty ||| Points to a place in a typing context data Elem : Vect n Ty -> Ty -> Type where Here : {ts : Vect n Ty} -> Elem (t::ts) t There : {ts : Vect n Ty} -> Elem ts t -> Elem (t'::ts) t ||| A more interesting datatype ||| @ n the number of free variables ||| @ ctxt a typing context for the free variables ||| @ ty the type of the term data Term : (ctxt : Vect n Ty) -> (ty : Ty) -> Type where ||| The constructor of the unit type ||| More comment ||| @ ctxt the typing context UnitCon : {ctxt : Vect n Ty} -> Term ctxt UNIT ||| Function application ||| @ f the function to apply ||| @ x the argument App : {ctxt : Vect n Ty} -> (f : Term ctxt (ARR t1 t2)) -> (x : Term ctxt t1) -> Term ctxt t2 ||| Lambda 112 CHAPTER 5. LANGUAGE REFERENCE v0.99 ||| @ body the function body Lam : {ctxt : Vect n Ty} -> (body : Term (t1::ctxt) t2) -> Term ctxt (ARR t1 t2) ||| Variables ||| @ i de Bruijn index Var : {ctxt : Vect n Ty} -> (i : Elem ctxt t) -> Term ctxt t ||| A computation that may someday finish codata Partial : Type -> Type where ||| A finished computation ||| @ value the result Now : (value : a) -> Partial a ||| A not-yet-finished computation ||| @ rest the remaining work Later : (rest : Partial a) -> Partial a ||| We can document records, including their fields and constructors record Yummy where ||| Make a yummy constructor MkYummy ||| What to eat food : String 5.3 Packages Idris includes a simple system for building packages from a package description file. These files can be used with the Idris compiler to manage the development process of your Idris programmes and packages. 5.3.1 Package Descriptions A package description includes the following: • A header, consisting of the keyword package followed by the package name. Package names can be any valid Idris identifier. The iPKG format also takes a quoted version that accepts any valid filename. • Fields describing package contents, <field> = <value> At least one field must be the modules field, where the value is a comma separated list of modules. For example, a library test which has two modules foo.idr and bar.idr as source files would be written as follows: package foo modules = foo, bar Other examples of package files can be found in the libs directory of the main Idris repository, and in third-party libraries. Metadata From Idris v0.12 the iPKG format supports additional metadata associated with the package. The added fields are: 113 CHAPTER 5. LANGUAGE REFERENCE v0.99 • brief = "<text>", a string literal containing a brief description of the package. • version = <text>, a version string to associate with the package. • readme = <file>, location of the README file. • license = <text>, a string description of the licensing information. • author = <text>, the author information. • maintainer = <text>, Maintainer information. • homepage = <url>, the website associated with the package. • sourceloc = <url>, the location of the DVCS where the source can be found. • bugtracker = <url>, the location of the project’s bug tracker. Common Fields Other common fields which may be present in an ipkg file are: • sourcedir = <dir>, which takes the directory (relative to the current directory) which contains the source. Default is the current directory. • executable = <output>, which takes the name of the executable file to generate. Executable names can be any valid Idris identifier. the iPKG format also takes a quoted version that accepts any valid filename. • main = <module>, which takes the name of the main module, and must be present if the executable field is present. • opts = "<idris options>", which allows options to be passed to Idris. • pkgs = <pkg name> (’,’ <pkg name>)+, a comma separated list of package names that the Idris package requires. Binding to C In more advanced cases, particularly to support creating bindings to external C libraries, the following options are available: • makefile = <file>, which specifies a Makefile, to be built before the Idris modules, for example to support linking with a C library. • libs = <libs>, which takes a comma separated list of libraries which must be present for the package to be usable. • objs = <objs>, which takes a comma separated list of additional files to be installed (object files, headers), perhaps generated by the Makefile. Testing For testing Idris packages there is a rudimentary testing harness, run in the IO context. The iPKG file is used to specify the functions used for testing. The following option is available: • tests = <test functions>, which takes the qualified names of all test functions to be run. 114 CHAPTER 5. LANGUAGE REFERENCE v0.99 Important: The modules containing the test functions must also be added to the list of modules. 5.3.2 Using Package files Given an Idris package file text.ipkg it can be used with the Idris compiler as follows: • idris --build test.ipkg will build all modules in the package • idris --install test.ipkg will install the package, making it accessible by other Idris libraries and programs. • idris --clean test.ipkg will delete all intermediate code and executable files generated when building. • idris --mkdoc test.ipkg will build HTML documentation for your package in the folder test_doc in your project’s root directory. • idris --checkpkg test.ipkg will type check all modules in the package only. This differs from build that type checks and generates code. • idris --testpkg test.ipkg will compile and run any embedded tests you have specified in the tests parameter. Once the test package has been installed, the command line option --package test makes it accessible (abbreviated to -p test). For example: idris -p test Main.idr 5.4 Uniqueness Types Uniqueness Types are an experimental feature available from Idris 0.9.15. A value with a unique type is guaranteed to have at most one reference to it at run-time, which means that it can safely be updated in-place, reducing the need for memory allocation and garbage collection. The motivation is that we would like to be able to write reactive systems, programs which run in limited memory environments, device drivers, and any other system with hard real-time requirements, ideally while giving up as little high level conveniences as possible. They are inspired by linear types, Uniqueness Types in the Clean programming language, and ownership types and borrowed pointers in the Rust programming language. Some things we hope to be able to do eventually with uniqueness types include: • Safe, pure, in-place update of arrays, lists, etc • Provide guarantees of correct resource usage, state transitions, etc • Provide guarantees that critical program fragments will never allocate 5.4.1 Using Uniqueness If x : T and T : UniqueType, then there is at most one reference to x at any time during run-time execution. For example, we can declare the type of unique lists as follows: 115 CHAPTER 5. LANGUAGE REFERENCE v0.99 data UList : Type -> UniqueType where Nil : UList a (::) : a -> UList a -> UList a If we have a value xs : UList a, then there is at most one reference to xs at run-time. The type checker preserves this guarantee by ensuring that there is at most one reference to any value of a unique type in a pattern clause. For example, the following function definition would be valid: umap : (a -> b) -> UList a -> UList b umap f [] = [] umap f (x :: xs) = f x :: umap f xs In the second clause, xs is a value of a unique type, and only appears once on the right hand side, so this clause is valid. Not only that, since we know there can be no other reference to the UList a argument, we can reuse its space for building the result! The compiler is aware of this, and compiles this definition to an in-place update of the list. The following function definition would not be valid (even assuming an implementation of ++), however, since xs appears twice: dupList : UList a -> UList a dupList xs = xs ++ xs This would result in a shared pointer to xs, so the typechecker reports: unique.idr:12:5:Unique name xs is used more than once If we explicitly copy, however, the typechecker is happy: dup : UList a -> UList a dup [] = [] dup (x :: xs) = x :: x :: dup xs Note that it’s fine to use x twice, because a is a Type, rather than a UniqueType. There are some other restrictions on where a UniqueType can appear, so that the uniqueness property is preserved. In particular, the type of the function type, (x : a) -> b depends on the type of a or b - if either is a UniqueType, then the function type is also a UniqueType. Then, in a data declaration, if the type constructor builds a Type, then no constructor can have a UniqueType. For example, the following definition is invalid, since it would embed a unique value in a possible non-unique value: data BadList : UniqueType -> Type where Nil : {a : UniqueType} -> BadList a (::) : {a : UniqueType} -> a -> BadList a -> BadList a Finally, types may be polymorphic in their uniqueness, to a limited extent. Since Type and UniqueType are different types, we are limited in how much we can use polymorphic functions on unique types. For example, if we have function composition defined as follows: (.) : {a, b, c : Type} -> (b -> c) -> (a -> b) -> a -> c (.) f g x = f (g x) And we have some functions over unique types: foo : UList a -> UList b bar : UList b -> UList c Then we cannot compose foo and bar as bar . foo, because UList does not compute a Type! Instead, we can define composition as follows: 116 CHAPTER 5. LANGUAGE REFERENCE v0.99 (.) : {a, b, c : Type*} -> (b -> c) -> (a -> b) -> a -> c (.) f g x = f (g x) The Type* type stands for either unique or non-unique types. Since such a function may be passed a UniqueType, any value of type Type* must also satisfy the requirement that it appears at most once on the right hand side. Borrowed Types It quickly becomes obvious when working with uniqueness types that having only one reference at a time can be painful. For example, what if we want to display a list before updating it? showU : Show a => UList a -> String showU xs = "[" ++ showU' xs ++ "]" where showU' : UList a -> String showU' [] = "" showU' [x] = show x showU' (x :: xs) = show x ++ ", " ++ showU' xs This is a valid definition of showU, but unfortunately it consumes the list! So the following function would be invalid: printAndUpdate : UList Int -> IO () printAndUpdate xs = do putStrLn (showU xs) let xs' = umap (*2) xs -- xs no longer available! putStrLn (showU xs') Still, one would hope to be able to display a unique list without problem, since it merely inspects the list; there are no updates. We can achieve this, using the notion of borrowing. A Borrowed type is a Unique type which can be inspected at the top level (by pattern matching, or by lending to another function) but no further. This ensures that the internals (i.e. the arguments to top level patterns) will not be passed to any function which will update them. Borrowed converts a UniqueType to a BorrowedType. It is defined as follows (along with some additional rules in the typechecker): data Borrowed : UniqueType -> BorrowedType where Read : {a : UniqueType} -> a -> Borrowed a implicit lend : {a : UniqueType} -> a -> Borrowed a lend x = Read x A value can be “lent” to another function using lend. Arguments to lend are not counted by the type checker as a reference to a unique value, therefore a value can be lent as many times as desired. Using this, we can write showU as follows: showU : Show a => Borrowed (UList a) -> String showU xs = "[" ++ showU' xs ++ "]" where showU' : Borrowed (UList a) -> String showU' [] = "" showU' [x] = show x showU' (Read (x :: xs)) = show x ++ ", " ++ showU' (lend xs) Unlike a unique value, a borrowed value may be referred to as many times as desired. However, there is a restriction on how a borrowed value can be used. After all, much like a library book or your neighbour’s lawnmower, if a function borrows a value it is expected to return it in exactly the condition in which it was received! The restriction is that when a Borrowed type is matched, any pattern variables under the Read which 117 CHAPTER 5. LANGUAGE REFERENCE v0.99 have a unique type may not be referred to at all on the right hand side (unless they are themselves lent to another function). Uniqueness information is stored in the type, and in particular in function types. Once we’re in a unique context, any new function which is constructed will be required to have unique type, which prevents the following sort of bad program being implemented: foo : UList Int -> IO () foo xs = do let f = \x : Int => showU xs putStrLn $ free xs putStrLn $ f 42 pure () Since lend is implicit, in practice for functions to lend and borrow values merely requires the argument to be marked as Borrowed. We can therefore write showU as follows: showU : Show a => Borrowed (UList a) -> String showU xs = "[" ++ showU' xs ++ "]" where showU' : Borrowed (UList a) -> String showU' [] = "" showU' [x] = show x showU' (x :: xs) = show x ++ ", " ++ showU' xs Problems/Disadvantages/Still to do... This is a work in progress, there is lots to do. The most obvious problem is the loss of abstraction. On the one hand, we have more precise control over memory usage with UniqueType and BorrowedType, but they are not in general compatible with functions polymorphic over Type. In the short term, we can start to write reactive and low memory systems with this, but longer term it would be nice to support more abstraction. We also haven’t checked any of the metatheory, so this could all be fatally flawed! The implementation is based to a large extent on Uniqueness Typing Simplified, by de Vries et al, so there is reason to believe things should be fine, but we still have to do the work. Much as there are with linear types, there are some annoyances when trying to prove properties of functions with unique types (for example, what counts as a use of a value). Since we require at most one use of a value, rather than exactly one, this seems to be less of an issue in practice, but still needs thought. 5.5 New Foreign Function Interface Ever since Idris has had multiple backends compiling to different target languages on potentially different platforms, we have had the problem that the foreign function interface (FFI) was written under the assumption of compiling to C. As a result, it has been hard to write generic code for multiple targets, or even to be sure that if code compiles that it will run on the expected target. As of 0.9.17, Idris will have a new foreign function interface (FFI) which is aware of multiple targets. Users who are working with the default code generator can happily continue writing programs as before with no changes, but if you are writing bindings for an external library, writing a back end, or working with a non-C back end, there are some things you will need to be aware of, which this page describes. 118 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.5.1 The IO’ monad, and main The IO monad exists as before, but is now specific to the C backend (or, more precisely, any backend whose foreign function calls are compatible with C.) Additionally, there is now an IO’ monad, which is parameterised over a FFI descriptor: data IO' : (lang : FFI) -> Type -> Type The Prelude defines two FFI descriptors which are imported automatically, for C and JavaScript/Node, and defines IO to use the C FFI and JS_IO to use the JavaScript FFI: FFI_C : FFI FFI_JS : FFI IO : Type -> Type IO a = IO' FFI_C a JS_IO : Type -> Type JS_IO a = IO' FFI_JS a As before, the entry point to an Idris program is main, but the type of main can now be any implemen- tation of IO’, e.g. the following are both valid: main : IO () main : JS_IO () The FFI descriptor includes details about which types can be marshalled between the foreign language and Idris, and the “target” of a foreign function call (typically just a String representation of the function’s name, but potentially something more complicated such as an external library file or even a URL). 5.5.2 FFI descriptors An FFI descriptor is a record containing a predicate which holds when a type can be marshalled, and the type of the target of a foreign call: record FFI where constructor MkFFI ffi_types : Type -> Type ffi_fn : Type For C, this is: ||| Supported C integer types public export data C_IntTypes : Type -> Type where C_IntChar : C_IntTypes Char C_IntNative : C_IntTypes Int C_IntBits8 : C_IntTypes Bits8 C_IntBits16 : C_IntTypes Bits16 C_IntBits32 : C_IntTypes Bits32 C_IntBits64 : C_IntTypes Bits64 ||| Supported C function types public export data C_FnTypes : Type -> Type where C_Fn : C_Types s -> C_FnTypes t -> C_FnTypes (s -> t) C_FnIO : C_Types t -> C_FnTypes (IO' FFI_C t) C_FnBase : C_Types t -> C_FnTypes t ||| Supported C foreign types 119 CHAPTER 5. LANGUAGE REFERENCE v0.99 public export data C_Types : Type -> Type where C_Str : C_Types String C_Float : C_Types Double C_Ptr : C_Types Ptr C_MPtr : C_Types ManagedPtr C_Unit : C_Types () C_Any : C_Types (Raw a) C_FnT : C_FnTypes t -> C_Types (CFnPtr t) C_IntT : C_IntTypes i -> C_Types i ||| A descriptor for the C FFI. See the constructors of `C_Types` ||| and `C_IntTypes` for the concrete types that are available. %error_reverse public export FFI_C : FFI FFI_C = MkFFI C_Types String String 5.5.3 Foreign calls To call a foreign function, the foreign function is used. For example: do_fopen : String -> String -> IO Ptr do_fopen f m = foreign FFI_C "fileOpen" (String -> String -> IO Ptr) f m The foreign function takes an FFI description, a function name (the type is given by the ffi_fn field of FFI_C here), and a function type, which gives the expected types of the remaining arguments. Here, we’re calling an external function fileOpen which takes, in the C, a char* file name, a char* mode, and returns a file pointer. It is the job of the C back end to convert Idris String to C char* and vice versa. The argument types and return type given here must be present in the fn_types predicate of the FFI_C description for the foreign call to be valid. Note The arguments to foreign must be known at compile time, because the foreign calls are generated statically. The %inline directive on a function can be used to give hints to help this, for example a shorthand for calling external JavaScript functions: %inline jscall : (fname : String) -> (ty : Type) -> {auto fty : FTy FFI_JS [] ty} -> ty jscall fname ty = foreign FFI_JS fname ty C callbacks It is possible to pass an Idris function to a C function taking a function pointer by using CFnPtr in the function type. The Idris function is passed to MkCFnPtr in the arguments. The example below shows declaring the C standard library function qsort which takes a pointer to a comparison function. myComparer : Ptr -> Ptr -> Int myComparer = ... qsort : Ptr -> Int -> Int -> IO () test2 data elems elsize = foreign FFI_C "qsort" (Ptr -> Int -> Int -> CFnPtr (Ptr -> Ptr -> Int) -> IO ()) data elems elsize (MkCFnPtr myComparer) There are a few limitations to callbacks in the C FFI. The foreign function can’t take the function to 120 CHAPTER 5. LANGUAGE REFERENCE v0.99 make a callback of as an argument. This will give a compilation error: -- This does not work example : (Int -> ()) -> IO () example f = foreign FFI_C "callbacker" (CFnPtr (Int -> ()) -> IO ()) f The other big limitation is that it doesn’t support IO functions. Use unsafePerformIO to wrap them (i.e. to make an IO function usable as a callback, change the return type from IOr to r, and change the = do to = unsafePerformIO $ do). There are two special function names: %wrapper returns the function pointer that wraps an Idris function. This is useful if the function pointer isn’t taken by a C function directly but should be inserted into a data structure. A foreign declaration using %wrapper must return IO Ptr. -- this returns the C function pointer to a qsort comparer example_wrapper : IO Ptr example_wrapper = foreign FFI_C "%wrapper" (CFnPtr (Ptr -> Ptr -> Int) -> IO Ptr) (MkCFnPtr myComparer) %dynamic calls a C function pointer with some arguments. This is useful if a C function returns or data structure contains a C function pointer, for example structs of function pointers are common in object-oriented C such as in COM or the Linux kernel. The function type contains an extra Ptr at the start for the function pointer. %dynamic can be seen as a pseudo-function that calls the function in the first argument, passing the remaining arguments to it. -- we have a pointer to a function with the signature int f(int), call it example_dynamic : Ptr -> Int -> IO Int example_dynamic fn x = foreign FFI_C "%dynamic" (Ptr -> Int -> IO Int) fn x If the foreign name is prefixed by a &, it is treated as a pointer to the global variable with the following name. The type must be just IO Ptr. -- access the global variable errno errno : IO Ptr errno = foreign FFI_C "&errno" (IO Ptr) For more complicated interactions with C (such as reading and setting fields of a C struct), there is a module CFFI available in the contrib package. FFI implementation In order to write bindings to external libraries, the details of how foreign works are unnecessary — you simply need to know that foreign takes an FFI descriptor, the function name, and its type. It is instructive to look a little deeper, however: The type of foreign is as follows: foreign : (ffi : FFI) -> (fname : ffi_fn f) -> (ty : Type) -> {auto fty : FTy ffi [] ty} -> ty The important argument here is the implicit fty, which contains a proof (FTy) that the given type is valid according to the FFI description ffi: data FTy : FFI -> List Type -> Type -> Type where FRet : ffi_types f t -> FTy f xs (IO' f t) FFun : ffi_types f s -> FTy f (s :: xs) t -> FTy f xs (s -> t) 121 CHAPTER 5. LANGUAGE REFERENCE v0.99 Notice that this uses the ffi_types field of the FFI descriptor — these arguments to FRet and FFun give explicit proofs that the type is valid in this FFI. For example, the above do_fopen builds the following implicit proof as the fty argument to foreign: FFun C_Str (FFun C_Str (FRet C_Ptr)) 5.5.4 Compiling foreign calls (This section assumes some knowledge of the Idris internals.) When writing a back end, we now need to know how to compile foreign. We’ll skip the details here of how a foreign call reaches the intermediate representation (the IR), though you can look in IO.idr in the prelude package to see a bit more detail — a foreign call is implemented by the primitive function mkForeignPrim. The important part of the IR as defined in Lang.hs is the following constructor: data LExp = ... | LForeign FDesc -- Function descriptor FDesc -- Return type descriptor [(FDesc, LExp)] So, a foreign call appears in the IR as the LForeign constructor, which takes a function descriptor (of a type given by the ffi_fn field in the FFI descriptor), a return type descriptor (given by an application of FTy), and a list of arguments with type descriptors (also given by an application of FTy). An FDesc describes an application of a name to some arguments, and is really just a simplified subset of an LExp: data FDesc = FCon Name | FStr String | FUnknown | FApp Name [FDesc] There are corresponding structures in the lower level IRs, such as the defunctionalised, simplified and bytecode forms. Our do_fopen example above arrives in the LExp form as: LForeign (FStr "fileOpen") (FCon (sUN "C_Ptr")) [(FCon (sUN "C_Str"), f), (FCon (sUN "C_Str"), m)] (Assuming that f and m stand for the LExp representations of the arguments.) This information should be enough for any back end to marshal the arguments and return value appropriately. Note: When processing FDesc, be aware that there may be implicit arguments, which have not been erased. For example, C_IntT has an implicit argument i, so will appear in an FDesc as something of the form FApp (sUN "C_IntT") [i, t] where i is the implicit argument (which can be ignored) and t is the descriptor of the integer type. See CodegenC.hs, specifically the function toFType, to see how this works in practice. 5.5.5 JavaScript FFI descriptor The JavaScript FFI descriptor is a little more complex, because the JavaScript FFI supports marshalling functions. It is defined as follows: 122 CHAPTER 5. LANGUAGE REFERENCE v0.99 mutual data JsFn t = MkJsFn t data JS_IntTypes : Type -> Type where JS_IntChar : JS_IntTypes Char JS_IntNative : JS_IntTypes Int data JS_FnTypes : Type -> Type where JS_Fn : JS_Types s -> JS_FnTypes t -> JS_FnTypes (s -> t) JS_FnIO : JS_Types t -> JS_FnTypes (IO' l t) JS_FnBase : JS_Types t -> JS_FnTypes t data JS_Types : Type -> Type where JS_Str : JS_Types String JS_Float : JS_Types Double JS_Ptr : JS_Types Ptr JS_Unit : JS_Types () JS_FnT : JS_FnTypes a -> JS_Types (JsFn a) JS_IntT : JS_IntTypes i -> JS_Types i The reason for wrapping function types in a JsFn is to help the proof search when building FTy. We hope to improve proof search eventually, but for the moment it works much more reliably if the indices are disjoint! An example of using this appears in IdrisScript when setting timeouts: setTimeout : (() -> JS_IO ()) -> (millis : Int) -> JS_IO Timeout setTimeout f millis = do timeout <- jscall "setTimeout(%0, %1)" (JsFn (() -> JS_IO ()) -> Int -> JS_IO Ptr) (MkJsFn f) millis pure $ MkTimeout timeout 5.6 Syntax Guide Examples are mostly adapted from the Idris tutorial. 5.6.1 Source File Structure Source files consist of: 1. An optional Module Header (page 124). 2. Zero or more Imports (page 124). 3. Zero or more declarations, e.g. Variables (page 124), Data types (page 125), etc. For example: module MyModule -- module header import Data.Vect -- an import %default total -- a directive foo : Nat -- a declaration foo = 5 123 CHAPTER 5. LANGUAGE REFERENCE v0.99 Module Header A file can start with a module header, introduced by the module keyword: module Semantics Module names can be hierarchical, with parts separated by .: module Semantics.Transform Each file can define only a single module, which includes everything defined in that file. Like with declarations, a docstring (page 128) can be used to provide documentation for a module: ||| Implementation of predicate transformer semantics. module Semantics.Transform Imports An import makes the names in another module available for use by the current module: import Data.Vect All the declarations in an imported module are available for use in the file. In a case where a name is ambiguous — e.g. because it is imported from multiple modules, or appears in multiple visible namespaces — the ambiguity can be resolved using Qualified Names (page 128). (Often, the compiler can resolve the ambiguity for you, using the types involved.) Imported modules can be given aliases to make qualified names more compact: import Data.Vect as V Note that names made visible by import are not, by default, re-exported to users of the module being written. This can be done using import public: import public Data.Vect 5.6.2 Variables A variable is always defined by defining its type on one line, and its value on the next line, using the syntax <id> : <type> <id> = <value> Examples x : Int x = 100 hello : String hello = "hello" 5.6.3 Types In Idris, types are first class values. So a type declaration is the same as just declaration of a variable whose type is Type. In Idris, variables that denote a type need not be capitalised. Example: 124 CHAPTER 5. LANGUAGE REFERENCE v0.99 MyIntType : Type MyIntType = Int a more interesting example: MyListType : Type MyListType = List Int While capitalising types is not required, the rules for generating implicit arguments mean it is often a good idea. Data types Idris provides two kinds of syntax for defining data types. The first, Haskell style syntax, defines a regular algebraic data type. For example data Either a b = Left a | Right b or data List a = Nil | (::) a (List a) The second, more general kind of data type, is defined using Agda or GADT style syntax. This syntax defines a data type that is parameterised by some values (in the Vect example, a value of type Nat and a value of type Type). data Vect : Nat -> Type -> Type where Nil : Vect Z a (::) : (x : a) -> (xs : Vect n a) -> Vect (S n) a 5.6.4 Operators Arithmetic x + y x - y x * y x / y (x * y) + (a / b) Equality and Relational x == y x /= y x >= y x > y x <= y x < y Conditional x && y x || y not x 125 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.6.5 Conditionals If Then Else if <test> then <true> else <false> Case Expressions case <test> of <case 1> => <expr> <case 2> => <expr> ... otherwise => <expr> 5.6.6 Functions Named Named functions are defined in the same way as variables, with the type followed by the definition. <id> : <argument type> -> <return type> <id> arg = <expr> Example plusOne : Int -> Int plusOne x = x + 1 Functions can also have multiple inputs, for example makeHello : String -> String -> String makeHello first last = "hello, my name is " ++ first ++ " " ++ last Functions can also have named arguments. This is required if you want to annotate parameters in a docstring. The following shows the same makeHello function as above, but with named parameters which are also annotated in the docstring ||| Makes a string introducing a person ||| @first The person's first name ||| @last The person's last name makeHello : (first : String) -> (last : String) -> String makeHello first last = "hello, my name is " ++ first ++ " " ++ last Like Haskell, Idris functions can be defined by pattern matching. For example sum : List Int -> Int sum [] = 0 sum (x :: xs) = x + (sum xs) Similarly case analysis looks like answerString : Bool -> String answerString False = "Wrong answer" answerString True = "Correct answer" 126 CHAPTER 5. LANGUAGE REFERENCE v0.99 Dependent Functions Dependent functions are functions where the type of the return value depends on the input value. In order to define a dependent function, named parameters must be used, since the parameter will appear in the return type. For example, consider zeros : (n : Nat) -> Vect n Int zeros Z = [] zeros (S k) = 0 :: (zeros k) In this example, the return type is Vect n Int which is an expression which depends on the input parameter n. Anonymous Arguments in anonymous functions are separated by comma. (\x => <expr>) (\x, y => <expr>) Modifiers Visibility public export export private Totality total implicit partial covering Options %export %hint %no_implicit %error_handler %error_reverse %assert_total %reflection %specialise [<name list>] 5.6.7 Misc 127 CHAPTER 5. LANGUAGE REFERENCE v0.99 Qualified Names If multiple declarations with the same name are visible, using the name can result in an ambiguous situation. The compiler will attempt to resolve the ambiguity using the types involved. If it’s unable — for example, because the declarations with the same name also have the same type signatures — the situation can be cleared up using a qualified name. A qualified name has the symbol’s namespace prefixed, separated by a .: Data.Vect.length This would specifically reference a length declaration from Data.Vect. Qualified names can be written using two different shorthands: 1. Names in modules that are imported (page 124) using an alias can be qualified by the alias. 2. The name can be qualified by the shortest unique suffix of the namespace in question. For example, the length case above can likely be shortened to Vect.length. Comments -- Single Line {- Multiline -} ||| Docstring (goes before definition) Multi line String literals foo = """ this is a string literal""" 5.6.8 Directives %lib <path> %link <path> %flag <path> %include <path> %hide <function> %freeze <name> %access <accessibility> %default <totality> %logging <level 0--11> %dynamic <list of libs> %name <list of names> %error_handlers <list of names> %language <extension> 5.7 Erasure By Usage Analysis This work stems from this feature proposal (obsoleted by this page). Beware that the information in the proposal is out of date — and sometimes even in direct contradiction with the eventual implementation. 128 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.7.1 Motivation Traditional dependently typed languages (Agda, Coq) are good at erasing proofs (either via irrelevance or an extra universe). half : (n : Nat) -> Even n -> Nat half Z EZ = Z half (S (S n)) (ES pf) = S (half n pf) For example, in the above snippet, the second argument is a proof, which is used only to convince the compiler that the function is total. This proof is never inspected at runtime and thus can be erased. In this case, the mere existence of the proof is sufficient and we can use irrelevance-related methods to achieve erasure. However, sometimes we want to erase indices and this is where the traditional approaches stop being useful, mainly for reasons described in the original proposal. uninterleave : {n : Nat} -> Vect (n * 2) a -> (Vect n a, Vect n a) uninterleave [] = ([] , []) uninterleave (x :: y :: rest) with (unzipPairs rest) | (xs, ys) = (x :: xs, y :: ys) Notice that in this case, the second argument is the important one and we would like to get rid of the n instead, although the shape of the program is generally the same as in the previous case. There are methods described by Brady, McBride and McKinna in [BMM04] (page 181) to remove the indices from data structures, exploiting the fact that functions operating on them either already have a copy of the appropriate index or the index can be quickly reconstructed if needed. However, we often want to erase the indices altogether, from the whole program, even in those cases where reconstruction is not possible. The following two sections describe two cases where doing so improves the runtime performance asymp- totically. Binary numbers • O(n) instead of O(log n) Consider the following Nat-indexed type family representing binary numbers: data Bin : Nat -> Type where N : Bin 0 O : {n : Nat} -> Bin n -> Bin (0 + 2*n) I : {n : Nat} -> Bin n -> Bin (1 + 2*n) These are supposed to be (at least asymptotically) fast and memory-efficient because their size is loga- rithmic compared to the numbers they represent. Unfortunately this is not the case. The problem is that these binary numbers still carry the unary indices with them, performing arithmetic on the indices whenever arithmetic is done on the binary numbers themselves. Hence the real representation of the number 15 looks like this: I -> I -> I -> I -> N S S S Z S S Z S S S Z S S 129 CHAPTER 5. LANGUAGE REFERENCE v0.99 S Z The used memory is actually linear, not logarithmic and therefore we cannot get below O(n) with time complexities. One could argue that Idris in fact compiles Nat via GMP but that’s a moot point for two reasons: • First, whenever we try to index our data structures with anything else than Nat, the compiler is not going to come to the rescue. • Second, even with Nat, the GMP integers are still there and they slow the runtime down. This ought not to be the case since the Nat are never used at runtime and they are only there for typechecking purposes. Hence we should get rid of them and get runtime code similar to what a idris programmer would write. U-views of lists • O(n^2) instead of O(n) Consider the type of U-views of lists: data U : List a -> Type where nil : U [] one : (z : a) -> U [z] two : {xs : List a} -> (x : a) -> (u : U xs) -> (y : a) -> U (x :: xs ++ [y]) For better intuition, the shape of the U-view of [x0,x1,x2,z,y2,y1,y0] looks like this: x0 y0 (two) x1 y1 (two) x2 y1 (two) z (one) When recursing over this structure, the values of xs range over [x0,x1,x2,z,y2,y1,y0], [x1,x2,z,y2,y1], [x2,z,y2], [z]. No matter whether these lists are stored or built on demand, they take up a quadratic amount of memory (because they cannot share nodes), and hence it takes a quadratic amount of time just to build values of this index alone. But the reasonable expectation is that operations with U-views take linear time — so we need to erase the index xs if we want to achieve this goal. 5.7.2 Changes to Idris Usage analysis is run at every compilation and its outputs are used for various purposes. This is actually invisible to the user but it’s a relatively big and important change, which enables the new features. Everything that is found to be unused is erased. No annotations are needed, just don’t use the thing and it will vanish from the generated code. However, if you wish, you can use the dot annotations to get a warning if the thing is accidentally used. “Being used” in this context means that the value of the “thing” may influence run-time behaviour of the program. (More precisely, it is not found to be irrelevant to the run-time behaviour by the usage analysis algorithm.) “Things” considered for removal by erasure include: 130 CHAPTER 5. LANGUAGE REFERENCE v0.99 • function arguments • data constructor fields (including record fields and dictionary fields of interface implementations) For example, Either often compiles to the same runtime representation as Bool. Constructor field removal sometimes combines with the newtype optimisation to have quite a strong effect. There is a new compiler option --warnreach, which will enable warnings coming from erasure. Since we have full usage analysis, we can compile even those programs that violate erasure annotations – it’s just that the binaries may run slower than expected. The warnings will be enabled by default in future versions of Idris (and possibly turned to errors). However, in this transitional period, we chose to keep them on-demand to avoid confusion until better documentation is written. Case-tree elaboration tries to avoid using dotted “things” whenever possible. (NB. This is not yet perfect and it’s being worked on: https://gist.github.com/ziman/10458331) Postulates are no longer required to be collapsible. They are now required to be unused instead. 5.7.3 Changes to the language You can use dots to mark fields that are not intended to be used at runtime. data Bin : Nat -> Type where N : Bin 0 O : .{n : Nat} -> Bin n -> Bin (0 + 2*n) I : .{n : Nat} -> Bin n -> Bin (1 + 2*n) If these fields are found to be used at runtime, the dots will trigger a warning (with --warnreach). Note that free (unbound) implicits are dotted by default so, for example, the constructor O can be defined as: O : Bin n -> Bin (0 + 2*n) and this is actually the preferred form. If you have a free implicit which is meant to be used at runtime, you have to change it into an (undotted) {bound : implicit}. You can also put dots in types of functions to get more guarantees. half : (n : Nat) -> .(pf : Even n) -> Nat and free implicits are automatically dotted here, too. 5.7.4 What it means Dot annotations serve two purposes: • influence case-tree elaboration to avoid dotted variables • trigger warnings when a dotted variable is used However, there’s no direct connection between being dotted and being erased. The compiler erases everything it can, dotted or not. The dots are there mainly to help the programmer (and the compiler) refrain from using the values they want to erase. 131 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.7.5 How to use it Ideally, few or no extra annotations are needed – in practice, it turns out that having free implicits automatically dotted is enough to get good erasure. Therefore, just compile with --warnreach to see warnings if erasure cannot remove parts of the program. However, those programs that have been written without runtime behaviour in mind, will need some help to get in the form that compiles to a reasonable binary. Generally, it’s sufficient to follow erasure warnings (which may be sometimes unhelpful at the moment). 5.7.6 Benchmarks • source: https://github.com/ziman/idris-benchmarks • results: http://ziman.functor.sk/erasure-bm/ It can be clearly seen that asymptotics are improved by erasure. 5.7.7 Shortcomings You can’t get warnings in libraries because usage analysis starts from Main.main. This will be solved by the planned %default_usage pragma. Usage warnings are quite bad and unhelpful at the moment. We should include more information and at least translate argument numbers to their names. There is no decent documentation yet. This wiki page is the first one. There is no generally accepted terminology. We switch between “dotted”, “unused”, “erased”, “ir- relevant”, “inaccessible”, while each has a slightly different meaning. We need more consistent and understandable naming. If the same type is used in both erased and non-erased context, it will retain its fields to accommodate the least common denominator – the non-erased context. This is particularly troublesome in the case of the type of (dependent) pairs, where it actually means that no erasure would be performed. We should probably locate disjoint uses of data types and split them into “sub-types”. There are three different flavours of dependent types now: Sigma (nothing erased), Exists (first component erased), Subset (second component erased). Case-tree building does not avoid dotted values coming from pattern-matched constructors (https://gist.github.com/ziman/10458331). This is to be fixed soon. (Fixed.) Higher-order function arguments and opaque functional variables are considered to be using all their arguments. To work around this, you can force erasure via the type system, using the Erased wrapper: https://github.com/idris-lang/Idris-dev/blob/master/libs/base/Data/Erased.idr Interface methods are considered to be using the union of all their implementations. In other words, an argument of a method is unused only if it is unused in every implementation of the method that occurs in the program. 5.7.8 Planned features • Fixes to the above shortcomings in general. 132 CHAPTER 5. LANGUAGE REFERENCE v0.99 • Improvements to the case-tree elaborator so that it properly avoids dotted fields of data constructors. Done. • Compiler pragma %default_usage used/unused and per-function overrides used and unused, which allow the programmer to mark the return value of a function as used, even if the function is not used in main (which is the case when writing library code). These annotations will help library writers discover usage violations in their code before it is actually published and used in compiled programs. 5.7.9 Troubleshooting My program is slower The patch introducing erasure by usage analysis also disabled some optimisations that were in place before; these are subsumed by the new erasure. However, in some erasure-unaware programs, where erasure by usage analysis does not exercise its full potential (but the old optimisations would have worked), certain slowdown may be observed (up to ~10% according to preliminary benchmarking), due to retention and computation of information that should not be necessary at runtime. A simple check whether this is the case is to compile with --warnreach. If you see warnings, there is some unnecessary code getting compiled into the binary. The solution is to change the code so that there are no warnings. Usage warnings are unhelpful This is a known issue and we are working on it. For now, see the section How to read and resolve erasure warnings (page 134). There should be no warnings in this function A possible cause is non-totality of the function (more precisely, non-coverage). If a function is non- covering, the program needs to inspect all arguments in order to detect coverage failures at runtime. Since the function inspects all its arguments, nothing can be erased and this may transitively cause usage violations. The solution is to make the function total or accept the fact that it will use its arguments and remove some dots from the appropriate constructor fields and function arguments. (Please note that this is not a shortcoming of erasure and there is nothing we can do about it.) Another possible cause is the currently imperfect case-tree elaboration, which does not avoid dotted constructor fields (see https://gist.github.com/ziman/10458331). You can either rephrase the function or wait until this is fixed, hopefully soon. Fixed. The compiler refuses to recognise this thing as erased You can force anything to be erased by wrapping it in the Erased monad. While this program triggers usage warnings, f : (g : Nat -> Nat) -> .(x : Nat) -> Nat f g x = g x -- WARNING: g uses x the following program does not: 133 CHAPTER 5. LANGUAGE REFERENCE v0.99 f : (g : Erased Nat -> Nat) -> .(x : Nat) -> Nat f g x = g (Erase x) -- OK 5.7.10 How to read and resolve erasure warnings Example 1 Consider the following program: vlen : Vect n a -> Nat vlen {n = n} xs = n sumLengths : List (Vect n a) -> Nat sumLengths [] = 0 sumLengths (v :: vs) = vlen v + sumLengths vs main : IO () main = print . sumLengths $ [[0,1],[2,3]] When you compile it using --warnreach, there is one warning: Main.sumLengths: inaccessible arguments reachable: n (no more information available) The warning does not contain much detail at this point so we can try compiling with --dumpcases cases.txt and look up the compiled definition in cases.txt: Main.sumLengths {e0} {e1} {e2} = case {e2} of | Prelude.List.::({e6}) => LPlus (ATInt ITBig)({e0}, Main.sumLengths({e0}, ____, {e6})) | Prelude.List.Nil() => 0 The reason for the warning is that sumLengths calls vlen, which gets inlined. The second clause of sumLengths then accesses the variable n, compiled as {e0}. Since n is a free implicit, it is automatically considered dotted and this triggers the warning. A solution would be either making the argument n a bound implicit parameter to indicate that we wish to keep it at runtime, sumLengths : {n : Nat} -> List (Vect n a) -> Nat or fixing vlen to not use the index: vlen : Vect n a -> Nat vlen [] = Z vlen (x :: xs) = S (vlen xs) Which solution is appropriate depends on the usecase. Example 2 Consider the following program manipulating value-indexed binary numbers. data Bin : Nat -> Type where N : Bin Z O : Bin n -> Bin (0 + n + n) I : Bin n -> Bin (1 + n + n) 134 CHAPTER 5. LANGUAGE REFERENCE v0.99 toN : (b : Bin n) -> Nat toN N = Z toN (O {n} bs) = 0 + n + n toN (I {n} bs) = 1 + n + n main : IO () main = print . toN $ I (I (O (O (I N)))) In the function toN, we attempted to “cheat” and instead of traversing the whole structure, we just projected the value index n out of constructors I and O. However, this index is a free implicit, therefore it is considered dotted. Inspecting it then produces the following warnings when compiling with --warnreach: Main.I: inaccessible arguments reachable: n from Main.toN arg# 1 Main.O: inaccessible arguments reachable: n from Main.toN arg# 1 We can see that the argument n of both I and O is used in the function toN, argument 1. At this stage of development, warnings only contain argument numbers, not names; this will hopefully be fixed. When numbering arguments, we go from 0, taking free implicits first, left-to-right; then the bound arguments. The function toN has therefore in fact two arguments: n (argument 0) and b (argument 1). And indeed, as the warning says, we project the dotted field from b. Again, one solution is to fix the function toN to calculate its result honestly; the other one is to accept that we carry a Nat with every constructor of Bin and make it a bound implicit: O : {n : Nat} -> Bin n -> Bin (0 + n + n) I : {n : Nat} -> bin n -> Bin (1 + n + n) 5.7.11 References 5.8 The IDE Protocol The Idris REPL has two modes of interaction: a human-readable syntax designed for direct use in a terminal, and a machine-readable syntax designed for using Idris as a backend for external tools. 5.8.1 Protocol Overview The communication protocol is of asynchronous request-reply style: a single request from the client is handled by Idris at a time. Idris waits for a request on its standard input stream, and outputs the answer or answers to standard output. The result of a request can be either success, failure, or intermediate output; and furthermore, before the result is delivered, there might be additional meta-messages. A reply can consist of multiple messages: any number of messages to inform the user about the progress of the request or other informational output, and finally a result, either ok or error. The wire format is the length of the message in characters, encoded in 6 characters hexadecimal, followed by the message encoded as S-expression (sexp). Additionally, each request includes a unique integer (counting upwards), which is repeated in all messages corresponding to that request. An example interaction from loading the file /home/hannes/empty.idr looks as follows on the wire:: 135 CHAPTER 5. LANGUAGE REFERENCE v0.99 00002a((:load-file "/home/hannes/empty.idr") 1) 000039(:write-string "Type checking /home/hannes/empty.idr" 1) 000025(:set-prompt "/home/hannes/empty" 1) 000032(:return (:ok "Loaded /home/hannes/empty.idr") 1) The first message is the request from idris-mode to load the specific file, which length is hex 2a, dec- imal 42 (including the newline at the end). The request identifier is set to 1. The first message from Idris is to write the string Type checking /home/hannes/empty.idr, another is to set the prompt to */home/hannes/empty. The answer, starting with :return is ok, and additional information is that the file was loaded. There are three atoms in the wire language: numbers, strings, and symbols. The only compound object is a list, which is surrounded by parenthesis. The syntax is: A ::= NUM | '"' STR '"' | ':' ALPHA+ S ::= A | '(' S* ')' | nil where NUM is either 0 or a positive integer, ALPHA is an alphabetical character, and STR is the contents of a string, with " escaped by a backslash. The atom nil is accepted instead of () for compatibility with some regexp pretty-printing routines. The state of the Idris process is mainly the active file, which needs to be kept synchronised between the editor and Idris. This is achieved by the already seen :load-file command. The available commands include: (:load-file FILENAME) Load the named file. (:interpret STRING) Interpret STRING at the Idris REPL, returning a highlighted result. (:repl-completions STRING) Return the result of tab-completing STRING as a REPL com- mand. (:type-of STRING) Return the type of the name, written with Idris syntax in the STRING. The reply may contain highlighting information. (:case-split LINE NAME) Generate a case-split for the pattern variable NAME on program line LINE. The pattern-match cases to be substituted are returned as a string with no highlighting. (:add-clause LINE NAME) Generate an initial pattern-match clause for the function de- clared as NAME on program line LINE. The initial clause is returned as a string with no highlighting. (:add-proof-clause LINE NAME) Add a clause driven by the <== syntax. (:add-missing LINE NAME) Add the missing cases discovered by totality checking the func- tion declared as NAME on program line LINE. The missing clauses are returned as a string with no highlighting. (:make-with LINE NAME) Create a with-rule pattern match template for the clause of func- tion NAME on line LINE. The new code is returned with no highlighting. (:make-case LINE NAME) Create a case pattern match template for the clause of function NAME on line LINE. The new code is returned with no highlighting. (:make-lemma LINE NAME) Create a top level function with a type which solves the hole named NAME on line LINE. (:proof-search LINE NAME HINTS) Attempt to fill out the holes on LINE named NAME by proof search. HINTS is a possibly-empty list of additional things to try while searching. 136 CHAPTER 5. LANGUAGE REFERENCE v0.99 (:docs-for NAME) Look up the documentation for NAME, and return it as a highlighted string. (:metavariables WIDTH) List the currently-active holes, with their types pretty-printed with WIDTH columns. (:who-calls NAME) Get a list of callers of NAME. (:calls-who NAME) Get a list of callees of NAME. (:browse-namespace NAMESPACE) Return the contents of NAMESPACE, like :browse at the command-line REPL. (:normalise-term TM) Return a highlighted string consisting of the results of normalising the serialised term TM (which would previously have been sent as the tt-term property of a string). (:show-term-implicits TM) Return a highlighted string consisting of the results of mak- ing all arguments in serialised term TM (which would previously have been sent as the tt-term property of a string) explicit. (:hide-term-implicits TM) Return a highlighted string consisting of the results of mak- ing all arguments in serialised term TM (which would previously have been sent as the tt-term property of a string) follow their usual implicitness setting. (:elaborate-term TM) Return a highlighted string consisting of the the core language term corresponding to serialised term TM (which would previously have been sent as the tt-term property of a string). (:print-definition NAME) Return the definition of NAME as a highlighted string. (:repl-completions NAME) Search names, types and documentations which contain NAME. (:version UID) Return the version information of the Idris compiler. Possible replies include a normal final reply:: (:return (:ok SEXP [HIGHLIGHTING])) (:return (:error String [HIGHLIGHTING])) A normal intermediate reply:: (:output (:ok SEXP [HIGHLIGHTING])) (:output (:error String [HIGHLIGHTING])) Informational and/or abnormal replies:: (:write-string String) (:set-prompt String) (:warning (FilePath (LINE COL) (LINE COL) String [HIGHLIGHTING])) Proof mode replies:: (:start-proof-mode) (:write-proof-state [String] [HIGHLIGHTING]) (:end-proof-mode) (:write-goal String) 137 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.8.2 Output Highlighting Idris mode supports highlighting the output from Idris. In reality, this highlighting is controlled by the Idris compiler. Some of the return forms from Idris support an optional extra parameter: a list mapping spans of text to metadata about that text. Clients can then use this list both to highlight the displayed output and to enable richer interaction by having more metadata present. For example, the Emacs mode allows right-clicking identifiers to get a menu with access to documentation and type signatures. A particular semantic span is a three element list. The first element of the list is the index at which the span begins, the second element is the number of characters included in the span, and the third is the semantic data itself. The semantic data is a list of lists. The head of each list is a key that denotes what kind of metadata is in the list, and the tail is the metadata itself. The following keys are available: name gives a reference to the fully-qualified Idris name implicit provides a Boolean value that is True if the region is the name of an implicit argument decor describes the category of a token, which can be type, function, data, keyword, or bound. source-loc states that the region refers to a source code location. Its body is a collection of key-value pairs, with the following possibilities: filename provides the filename start provides the line and column that the source location starts at as a two-element tail end provides the line and column that the source location ends at as a two-element tail text-formatting provides an attribute of formatted text. This is for use with natural-language text, not code, and is presently emitted only from inline documentation. The potential values are bold, italic, and underline. link-href provides a URL that the corresponding text is a link to. quasiquotation states that the region is quasiquoted. antiquotation states that the region is antiquoted. tt-term A serialised representation of the Idris core term corresponding to the region of text. 5.8.3 Source Code Highlighting Idris supports instructing editors how to colour their code. When elaborating source code or REPL input, Idris will locate regions of the source code corresponding to names, and emit information about these names using the same metadata as output highlighting. These messages will arrive as replies to the command that caused elaboration to occur, such as :load-file or :interpret. They have the format:: (:output (:ok (:highlight-source POSNS))) where POSNS is a list of positions to highlight. Each of these is a two-element list whose first element is a position (encoded as for the source-loc property above) and whose second element is highlighting metadata in the same format used for output. 138 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.9 Semantic Highlighting & Pretty Printing Since v0.9.18 Idris comes with support for semantic highlighting. When using the REPL or IDE support, Idris will highlight your code accordingly to its meaning within the Idris structure. A precursor to semantic highlighting support is the pretty printing of definitions to console, LaTeX, or HTML. The default styling scheme used was inspired by Conor McBride’s own set of stylings, informally known as Conor Colours. 5.9.1 Legend The concepts and their default stylings are as follows: Idris Term HTML LaTeX IDE/REPL Bound Variable Purple Magenta Keyword Bold Underlined Function Green Green Type Blue Blue Data Red Red Implicit Italic Purple Italic Magenta 5.9.2 Pretty Printing Idris also supports the pretty printing of code to HTML and LaTeX using the commands: • :pp <latex|html> <width> <function name> • :pprint <latex|html> <width> <function name> 5.9.3 Customisation If you are not happy with the colours used, the VIM and Emacs editor support allows for customisation of the colours. When pretty printing Idris code as LaTeX and HTML, commands and a CSS style are provided. The colours used by the REPL can be customised through the initialisation script. 5.9.4 Further Information Please also see the Idris Extras project for links to editor support, and pre-made style files for LaTeX and HTML. 5.10 DEPRECATED: Tactics and Theorem Proving Warning: The interactive theorem-proving interface documented here has been deprecated in favor of Elaborator Reflection (page 157). Idris supports interactive theorem proving, and the analyse of context through holes. To list all unproven holes, use the command :m. This will display their qualified names and the expected types. To interac- 139 CHAPTER 5. LANGUAGE REFERENCE v0.99 tively prove a holes, use the command :p name where name is the hole. Once the proof is complete, the command :a will append it to the current module. Once in the interactive prover, the following commands are available: 5.10.1 Basic commands • :q - Quits the prover (gives up on proving current lemma). • :abandon - Same as :q • :state - Displays the current state of the proof. • :term - Displays the current proof term complete with its yet-to-be-filled holes (is only really useful for debugging). • :undo - Undoes the last tactic. • :qed - Once the interactive theorem prover tells you “No more goals,” you get to type this in celebration! (Completes the proof and exits the prover) 5.10.2 Commonly Used Tactics Compute • compute - Normalises all terms in the goal (note: does not normalise assumptions) ---------- Goal: ---------- (Vect (S (S Z + (S Z) + (S n))) Nat) -> Vect (S (S (S (S n)))) Nat -lemma> compute ---------- Goal: ---------- (Vect (S (S (S (S n)))) Nat) -> Vect (S (S (S (S n)))) Nat -lemma> Exact • exact - Provide a term of the goal type directly. ---------- Goal: ---------- Nat -lemma> exact Z lemma: No more goals. -lemma> Refine • refine - Use a name to refine the goal. If the name needs arguments, introduce them as new goals. Trivial • trivial - Satisfies the goal using an assumption that matches its type. 140 CHAPTER 5. LANGUAGE REFERENCE v0.99 ---------- Assumptions: ---------- value : Nat ---------- Goal: ---------- Nat -lemma> trivial lemma: No more goals. -lemma> Intro • intro - If your goal is an arrow, turns the left term into an assumption. ---------- Goal: ---------- Nat -> Nat -> Nat -lemma> intro ---------- Assumptions: ---------- n : Nat ---------- Goal: ---------- Nat -> Nat -lemma> You can also supply your own name for the assumption: ---------- Goal: ---------- Nat -> Nat -> Nat -lemma> intro number ---------- Assumptions: ---------- number : Nat ---------- Goal: ---------- Nat -> Nat Intros • intros - Exactly like intro, but it operates on all left terms at once. ---------- Goal: ---------- Nat -> Nat -> Nat -lemma> intros ---------- Assumptions: ---------- n : Nat m : Nat ---------- Goal: ---------- Nat -lemma> let • let - Introduces a new assumption; you may use current assumptions to define the new one. ---------- Assumptions: ---------- n : Nat ---------- Goal: ---------- BigInt -lemma> let x = toIntegerNat n ---------- Assumptions: ---------- n : Nat x = toIntegerNat n: BigInt ---------- Goal: ---------- 141 CHAPTER 5. LANGUAGE REFERENCE v0.99 BigInt -lemma> rewrite • rewrite - Takes an expression with an equality type (x = y), and replaces all instances of x in the goal with y. Is often useful in combination with ‘sym’. ---------- Assumptions: ---------- n : Nat a : Type value : Vect Z a ---------- Goal: ---------- Vect (mult n Z) a -lemma> rewrite sym (multZeroRightZero n) ---------- Assumptions: ---------- n : Nat a : Type value : Vect Z a ---------- Goal: ---------- Vect Z a -lemma> induction • induction - (Note that this is still experimental and you may get strange results and error messages. We are aware of these and will finish the implementation eventually!) Prove the goal by induction. Each constructor of the datatype becomes a goal. Constructors with recursive arguments become induction steps, while simple constructors become base cases. Note that this only works for datatypes that have eliminators: a datatype definition must have the %elim modifier. sourceLocation • sourceLocation - Solve the current goal with information about the location in the source code where the tactic was invoked. This is mostly for embedded DSLs and programmer tools like assertions that need to know where they are called. See Language.Reflection.SourceLocation for more information. 5.10.3 Less commonly-used tactics • applyTactic - Apply a user-defined tactic. This should be a function of type List (TTName, Binder TT) -> TT -> Tactic, where the first argument represents the proof context and the sec- ond represents the goal. If your tactic will produce a proof term directly, use the Exact constructor from Tactic. • attack - ? • equiv - Replaces the goal with a new one that is convertible with the old one • fill - ? • focus - ? • mrefine - Refining by matching against a type 142 CHAPTER 5. LANGUAGE REFERENCE v0.99 • reflect - ? • solve - Takes a guess with the correct type and fills a hole with it, closing a proof obligation. This happens automatically in the interactive prover, so solve is really only relevant in tactic scripts used for helping implicit argument resolution. • try - ? 5.11 The Idris REPL Idris comes with a REPL. 5.11.1 Evaluation Being a fully dependently typed language, Idris has two phases where it evaluates things, compile-time and run-time. At compile-time it will only evaluate things which it knows to be total (i.e. terminating and covering all possible inputs) in order to keep type checking decidable. The compile-time evaluator is part of the Idris kernel, and is implemented in Haskell using a HOAS (higher order abstract syntax) style representation of values. Since everything is known to have a normal form here, the evaluation strategy doesn’t actually matter because either way it will get the same answer, and in practice it will do whatever the Haskell run-time system chooses to do. The REPL, for convenience, uses the compile-time notion of evaluation. As well as being easier to implement (because we have the evaluator available) this can be very useful to show how terms evaluate in the type checker. So you can see the difference between: Idris> \n, m => (S n) + m \n => \m => S (plus n m) : Nat -> Nat -> Nat Idris> \n, m => n + (S m) \n => \m => plus n (S m) : Nat -> Nat -> Nat 5.11.2 Customisation Idris supports initialisation scripts. Initialisation scripts When the Idris REPL starts up, it will attempt to open the file repl/init in Idris’s application data direc- tory. The application data directory is the result of the Haskell function call getAppUserDataDirectory "idris", which on most Unix-like systems will return $HOME/.idris and on various versions of Windows will return paths such as C:/Documents And Settings/user/Application Data/appName. The file repl/init is a newline-separate list of REPL commands. Not all commands are supported in initialisation scripts — only the subset that will not interfere with the normal operation of the REPL. In particular, setting colours, display options such as showing implicits, and log levels are supported. Example initialisation script :colour prompt white italic bold :colour implicit magenta italic 143 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.11.3 The REPL Commands The current set of supported commands are: Command Arguments Purpose <expr> Evaluate an expression :t :type <expr> Check the type of an expression :core <expr> View the core language representation of a term :miss :missing <name> Show missing clauses :doc <name> Show internal documentation :mkdoc <namespace> Generate IdrisDoc for namespace(s) and dependencies :apropos [<package list>] <name> Search names, types, and documentation :s :search [<package list>] <expr> Search for values by type :wc :whocalls <name> List the callers of some name :cw :callswho <name> List the callees of some name :browse <namespace> List the contents of some namespace :total <name> Check the totality of a name :r :reload Reload current file :l :load <filename> Load a new file :cd <filename> Change working directory :module <module> Import an extra module :e :edit Edit current file using $EDITOR or $VISUAL :m :metavars Show remaining proof obligations (holes) :p :prove <hole> Prove a hole :a :addproof <name> Add proof to source file :rmproof <name> Remove proof from proof stack :showproof <name> Show proof :proofs Show available proofs :x <expr> Execute IO actions resulting from an expression using the interpre :c :compile <filename> Compile to an executable [codegen] <filename> :exec :execute [<expr>] Compile to an executable and run :dynamic <filename> Dynamically load a C library (similar to %dynamic) :dynamic List dynamically loaded C libraries :? :h :help Display this help text :set <option> Set an option (errorcontext, showimplicits, originalerrors, autosolv :unset <option> Unset an option :color :colour <option> Turn REPL colours on or off; set a specific colour :consolewidth auto|infinite|<number> Set the width of the console :printerdepth <number-or-blank> Set the maximum pretty-printing depth, or infinite if nothing spec :q :quit Exit the Idris system :w :warranty Displays warranty information :let (<top-level-declaration>)... Evaluate a declaration, such as a function definition, instance imp :unlet :undefine (<name>)... Remove the listed repl definitions, or all repl definitions if no nam :printdef <name> Show the definition of a function :pp :pprint <option> <number> <name> Pretty prints an Idris function in either LaTeX or HTML and for 5.11.4 Using the REPL Getting help The command :help (or :h or :?) prints a short summary of the available commands. 144 CHAPTER 5. LANGUAGE REFERENCE v0.99 Quitting Idris If you would like to leave Idris, simply use :q or :quit. Evaluating expressions To evaluate an expression, simply type it. If Idris is unable to infer the type, it can be helpful to use the operator the to manually provide one, as Idris’s syntax does not allow for direct type annotations. Examples of the include: Idris> the Nat 4 4 : Nat Idris> the Int 4 4 : Int Idris> the (List Nat) [1,2] [1,2] : List Nat Idris> the (Vect _ Nat) [1,2] [1,2] : Vect 2 Nat This may not work in cases where the expression still involves ambiguous names. The name can be disambiguated by using the with keyword: Idris> sum [1,2,3] When elaborating an application of function Prelude.Foldable.sum: Can't disambiguate name: Prelude.List.::, Prelude.Stream.::, Prelude.Vect.:: Idris> with List sum [1,2,3] 6 : Integer Adding let bindings To add a let binding to the REPL, use :let. It’s likely you’ll also need to provide a type annotation. :let also works for other declarations as well, such as data. Idris> :let x : String; x = "hello" Idris> x "hello" : String Idris> :let y = 10 Idris> y 10 : Integer Idris> :let data Foo : Type where Bar : Foo Idris> Bar Bar : Foo Getting type information To ask Idris for the type of some expression, use the :t command. Additionally, if used with an overloaded name, Idris will provide all overloadings and their types. To ask for the type of an infix operator, surround it in parentheses. Idris> :t "foo" "foo" : String Idris> :t plus Prelude.Nat.plus : Nat -> Nat -> Nat Idris> :t (++) Builtins.++ : String -> String -> String 145 CHAPTER 5. LANGUAGE REFERENCE v0.99 Prelude.List.++ : (List a) -> (List a) -> List a Prelude.Vect.++ : (Vect m a) -> (Vect n a) -> Vect (m + n) a Idris> :t plus 4 plus (Builtins.fromInteger 4) : Nat -> Nat You can also ask for basic information about interfaces with :doc: Idris> :doc Monad Interface Monad Parameters: m Methods: (>>=) : Monad m => m a -> (a -> m b) -> m b infixl 5 Instances: Monad id Monad PrimIO Monad IO Monad Maybe ... Other documentation is also available from :doc: Idris> :doc (+) Prelude.Interfaces.(+) : Num ty => ty -> ty -> ty infixl 8 The function is Total Idris> :doc Vect Data type Prelude.Vect.Vect : Nat -> Type -> Type Arguments: Nat Type Constructors: Prelude.Vect.Nil : (a : Type) -> Vect 0 a Prelude.Vect.:: : (a : Type) -> (n : Nat) -> a -> (Vect n a) -> Vect (S n) a infixr 7 Arguments: a Vect n a Idris> :doc Monad Interface Monad Parameters: m Methods: (>>=) : Monad m => m a -> (a -> m b) -> m b 146 CHAPTER 5. LANGUAGE REFERENCE v0.99 Also called bind. infixl 5 The function is Total join : Monad m => m (m a) -> m a Also called flatten or mu The function is Total Implementations: Monad (IO' ffi) Monad Stream Monad Provider Monad Elab Monad PrimIO Monad Maybe Monad (Either e) Monad List Finding things The command :apropos searches names, types, and documentation for some string, and prints the results. For example: Idris> :apropos eq eqPtr : Ptr -> Ptr -> IO Bool eqSucc : (left : Nat) -> (right : Nat) -> (left = right) -> S left = S right S preserves equality lemma_both_neq : ((x = x') -> _|_) -> ((y = y') -> _|_) -> ((x, y) = (x', y')) -> _|_ lemma_fst_neq_snd_eq : ((x = x') -> _|_) -> (y = y') -> ((x, y) = (x', y)) -> _|_ lemma_snd_neq : (x = x) -> ((y = y') -> _|_) -> ((x, y) = (x, y')) -> _|_ lemma_x_eq_xs_neq : (x = y) -> ((xs = ys) -> _|_) -> (x :: xs = y :: ys) -> _|_ lemma_x_neq_xs_eq : ((x = y) -> _|_) -> (xs = ys) -> (x :: xs = y :: ys) -> _|_ lemma_x_neq_xs_neq : ((x = y) -> _|_) -> ((xs = ys) -> _|_) -> (x :: xs = y :: ys) -> _|_ prim__eqB16 : Bits16 -> Bits16 -> Int prim__eqB16x8 : Bits16x8 -> Bits16x8 -> Bits16x8 prim__eqB32 : Bits32 -> Bits32 -> Int prim__eqB32x4 : Bits32x4 -> Bits32x4 -> Bits32x4 prim__eqB64 : Bits64 -> Bits64 -> Int prim__eqB64x2 : Bits64x2 -> Bits64x2 -> Bits64x2 prim__eqB8 : Bits8 -> Bits8 -> Int 147 CHAPTER 5. LANGUAGE REFERENCE v0.99 prim__eqB8x16 : Bits8x16 -> Bits8x16 -> Bits8x16 prim__eqBigInt : Integer -> Integer -> Int prim__eqChar : Char -> Char -> Int prim__eqFloat : Double -> Double -> Int prim__eqInt : Int -> Int -> Int prim__eqString : String -> String -> Int prim__syntactic_eq : (a : Type) -> (b : Type) -> (x : a) -> (y : b) -> Maybe (x = y) sequence : Traversable t => Applicative f => (t (f a)) -> f (t a) sequence_ : Foldable t => Applicative f => (t (f a)) -> f () Eq : Type -> Type The Eq interface defines inequality and equality. GTE : Nat -> Nat -> Type Greater than or equal to LTE : Nat -> Nat -> Type Proofs that n is less than or equal to m gte : Nat -> Nat -> Bool Boolean test than one Nat is greater than or equal to another lte : Nat -> Nat -> Bool Boolean test than one Nat is less than or equal to another ord : Char -> Int Convert the number to its ASCII equivalent. replace : (x = y) -> (P x) -> P y Perform substitution in a term according to some equality. sym : (l = r) -> r = l Symmetry of propositional equality trans : (a = b) -> (b = c) -> a = c Transitivity of propositional equality :search does a type-based search, in the spirit of Hoogle. See Type-directed search (:search) for more details. Here is an example: Idris> :search a -> b -> a = Prelude.Basics.const : a -> b -> a Constant function. Ignores its second argument. = assert_smaller : a -> b -> b Assert to the totality checker than y is always structurally smaller than x (which is typically a pattern argument) > malloc : Int -> a -> a > Prelude.pow : Num a => a -> Nat -> a 148 CHAPTER 5. LANGUAGE REFERENCE v0.99 > Prelude.Interfaces.(*) : Num a => a -> a -> a > Prelude.Interfaces.(+) : Num a => a -> a -> a ... (More results) :search can also look for dependent types: Idris> :search plus (S n) n = plus n (S n) < Prelude.Nat.plusSuccRightSucc : (left : Nat) -> (right : Nat) -> S (left + right) = left + S right Loading and reloading Idris code The command :l File.idr will load File.idr into the currently-running REPL, and :r will reload the last file that was loaded. Totality All Idris definitions are checked for totality. The command :total <NAME> will display the result of that check. If a definition is not total, this may be due to an incomplete pattern match. If that is the case, :missing or :miss will display the missing cases. Editing files The command :e launches your default editor on the current module. After control returns to Idris, the file is reloaded. Invoking the compiler The current module can be compiled to an executable using the command :c <FILENAME> or :compile <FILENAME>. This command allows to specify codegen, so for example JavaScript can be generated using :c javascript <FILENAME>. The :exec command will compile the program to a temporary file and run the resulting executable. IO actions Unlike GHCI, the Idris REPL is not inside of an implicit IO monad. This means that a special command must be used to execute IO actions. :x tm will execute the IO action tm in an Idris interpreter. Dynamically loading C libraries Sometimes, an Idris program will depend on external libraries written in C. In order to use these libraries from the Idris interpreter, they must first be dynamically loaded. This is achieved through the %dynamic <LIB> directive in Idris source files or through the :dynamic <LIB> command at the REPL. The current set of dynamically loaded libraries can be viewed by executing :dynamic with no arguments. These libraries are available through the Idris FFI in type providers (page ??) and :exec. 149 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.11.5 Colours Idris terms are available in amazing colour! By default, the Idris REPL uses colour to distinguish between data constructors, types or type constructors, operators, bound variables, and implicit arguments. This feature is available on all POSIX-like systems, and there are plans to allow it to work on Windows as well. If you do not like the default colours, they can be turned off using the command :colour off and, when boredom strikes, they can be re-enabled using the command :colour on To modify a colour, use the command :colour <CATEGORY> <OPTIONS> where <CATEGORY is one of keyword, boundvar, implicit, function, type, data, or prompt, and is a space-separated list drawn from the colours and the font options. The available colours are default, black, yellow, cyan, red, blue, white, green, and magenta. If more than one colour is specified, the last one takes precedence. The available options are dull and vivid, bold and nobold, italic and noitalic, underline and nounderline, forming pairs of opposites. The colour default refers to your terminal’s default colour. The colours used at startup can be changed using REPL initialisation scripts. Colour can be disabled at startup by the --nocolour command-line option. 5.12 Compilation and Logging This section provides information about the Idris compilation process, and provides details over how you can follow the process through logging. 5.12.1 Compilation Process Idris follows the following compilation process: 1. Parsing 2. Type Checking (a) Elaboration (b) Coverage (c) Unification (d) Totality Checking (e) Erasure 3. Code Generation (a) Defunctionalisation (b) Inlining 150 CHAPTER 5. LANGUAGE REFERENCE v0.99 (c) Resolving variables (d) Code Generation 5.12.2 Type Checking Only With Idris you can ask it to terminate the compilation process after type checking has completed. This is achieved through use of either: • The command line options – --check for files – --checkpkg for packages • The REPL command: :check Use of this option will still result in the generation of the Idris binary .ibc files, and is suitable if you do not wish to generate code from one of the supported backends. 5.12.3 Logging Output The internal operation of Idris is captured using a category based logger. Currently, the logging infras- tructure has support for the following categories: • Parser • Elaborator • Code generation • Erasure • Coverage Checking • IBC generation These categories are specified using the command-line option: --logging-categories CATS, where CATS is a quoted colon seperated string of the categories you want to see. By default if this option is not specified all categories are allowed. Sub-categories have yet to be defined but will be in the future, especially for the elaborator. Further, the verbosity of logging can be controlled by specifying a logging level between: 1 to 10 using the command-line option: --log <level>. • Level 0: Show no logging output. Default level • Level 1: High level details of the compilation process. • Level 2: Provides details of the coverage checking, and further details the elaboration process specifically: Interface, Clauses, Data, Term, and Types, • Level 3: Provides details of compilation of the IRTS, erasure, parsing, case splitting, and further details elaboration of: Implementations, Providers, and Values. • Level 4: Provides further details on: Erasure, Coverage Checking, Case splitting, and elaboration of clauses. 151 CHAPTER 5. LANGUAGE REFERENCE v0.99 • Level 5: Provides details on the prover, and further details elaboration (adding declarations) and compilation of the IRTS. • Level 6: Further details elaboration and coverage checking. • Level 7: • Level 8: • Level 9: • Level 10: Further details elaboration. 5.12.4 Environment Variables Several paths set by default within the Idris compiler can be overridden through environment variables. The provided variables are: • IDRIS_CC Change the C compiler used by the C backend. • IDRIS_CFLAGS Change the C flags passed to the C compiler. • TARGET Change the target directory i.e. data dir where Idris installs files when installing using Cabal/Stack. • IDRIS_LIBRARY_PATH Change the location of where installed packages are found/installed. • IDRIS_DOC_PATH Change the location of where generated idrisdoc for packages are installed. Note: In versions of Idris prior to 0.12.3 the environment variables IDRIS_LIBRARY_PATH and TARGET were both used to affect the installation of single packages and direct where Idris installed its data. The meaning of these variables has changed, and command line options are preferred when changing where individual packages are installed. The CLI option –ibcsubdir can be used to direct where generated IBC files are placed. However, this means Idris will install files in a non-standard location separate from the rest of the installed packages. The CLI option –idrispath <dir> allows you to add a directory to the library search path; this option can be used multiple times and can be shortened to -i <dir>. Similary, the –sourcepath <dir> option can be used to add directories to the source search path. There is no shortened version for this option as -s is a reserved flag. Further, Idris also supports options to augment the paths used, and pass options to the code generator backend. The option –cg-opt <ARG> can be used to pass options to the code generator. The format of <ARG> is dependent on the selected backend. 5.13 Idris’ Internals Note: this is still a fairly raw set of notes taken by David Christiansen at Edwin’s presentation at the 2013 Idris Developers Meeting. They’re in the process of turning into a useful guide - feel free to contribute. This document assumes that you are already familiar with Idris. It is intended for those who want to work on the internals. People looking to develop new back ends may want to look at [[Idris back end IRs|Idris-back-end-IRs]] 152 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.13.1 Core/TT.hs Idris is compiled to a simple, explicit core language. This core language is called TT because it looks a bit like a Π. It’s a minimal language, with a locally nameless representation. That is, local variables are represented with de Bruijn indices and globally-defined constants are represented with names. The TT datatype uses a trick that is common in the Idris code: it is polymorphic over the type of names stored in it, and it derives Functor. This allows fmap to be used as a general-purpose traversal. There is a general construction for binders, used for 𝜆, Π, and let-bindings. These are distinguished using a BinderType. During compilation, some terms (especially types) will be erased. This is represented using the Erased constructor of TT. A handy trick when generating TT terms is to insert Erased where a term is uniquely determined, as the typechecker will fill it out. The constructor Proj is a result of the optimizer. It is used to extract a specific constructor argument, in a more economical way than defining a new pattern-matching operation. The datatype Raw represents terms that have not yet been typechecked. The typechecker converts a Raw to a TT if it can. 5.13.2 Core/CaseTree.hs Case trees are used to represent top-level pattern-matching definitions in the TT language. Just as with the TT datatype, the deriving Functor trick is used with SC and CaseAlt to get GHC to generate a function for mapping over contained terms. Constructor cases (ConCase in CaseAlt) refer to numbered constructors. Every constructor is numbered 0,1,2,. . . . At this stage in the compiler, the tags are datatype-local. After defunctionalization, however, they are made globally unique. The n+1 patterns (SucCase) and hacky-seeming things are to make code fast – please ask before “cleaning up” the representation. 5.13.3 Core/Evaluate.hs This module contains the main evaluator for Idris. The evaluator is used both at the REPL and during type checking, where normalised terms need to be compared for equality. A key datatype in the evaluator is a context. Contexts are mappings from global names to their values, but they are organized to make type-directed disambiguation quick. In particular, the main part of a name that a user might type is used as the key, and its values are maps from namespaces to actual values. The datatype Def represents a definition in the global context. All global names map to this structure. Type and Term are both synonyms for TT. Datatypes are represented by a TyDecl with the appropriate NameType. A Function is a global constant term with an annotated type, Operator represents primitives implemented in Haskell, and CaseOp rep- resents ordinary pattern-matching definitions. CaseOp has four versions for different purposes, and all are saved because that’s easiest. CaseInfo: the tc_dictionary is because it’s a type class dictionary which makes totality checking easier. 153 CHAPTER 5. LANGUAGE REFERENCE v0.99 The normalise* functions give different behaviors - but normalise is the most common. normaliseC - “resolved” means with names converted to de Bruijn indices as appropriate. normaliseAll - reduce everything, even if it’s non-total normaliseTrace - special-purpose for debugging simplify - reduce the things that are small - the list argument is the things to not reduce. 5.13.4 Core/Typecheck.hs Standard stuff. Hopefully no changes are necessary. 5.13.5 Core/Elaborate.hs Idris definitions are elaborated one by one and turned into the corresponding TT. This is done with a tactic language as an EDSL in the Elab monad (or Elab’ when there’s a custom state). Lots of plumbing for errors. All elaboration is relative to a global context. The string in the pair returned by elaborate is log information. See JFP paper, but the names don’t necessarily map to each other. The paper is the “idealized version” without logging, additional state, etc. All the tactics take Raws, typechecking happens there. claim (x : t) assumes a new x : t. PLEASE TIDY THINGS UP! proofSearch flag to try’ is whether the failure came from a human (so fail) or from a machine (so continue) Idris-level syntax for providing alternatives explicitly: (| x, y, z |) try x, y, z in order, and take the first that succeeds. 5.13.6 Core/ProofState.hs 5.13.7 Core/Unify.hs Deals with unification. Unification can reply with: - this works - this can never work - this will work if these other unification problems work out (eg unifying f x with 1) match_unify: same thing as unification except it’s just matching name against name, term against term. x + y matches to 0 + y with x = 0. Used for <== syntax as well as type class resolution. 5.13.8 Idris/AbsSyntaxTree.hs PTerm is the datatype of Idris syntax. P is for Program. Each PTerm turns into a TT term by applying a series of tactics. 154 CHAPTER 5. LANGUAGE REFERENCE v0.99 IState is the major interpreter state. The global context is the tt_ctxt field. Ctxt maps possibly ambiguous names to their referents. 5.13.9 Idris/ElabDecls.hs This is where the actual elaboration from PTerm to TT happens. 5.13.10 Idris/ElabTerm.hs build is the function that creates a Raw. All the “junk” is to deal with things like metavars and so forth. It has to remember what names are still to be defined, and it doesn’t yet know the type (filled in by unificaiton later). Also case expressions have to turn into top-level functions. resolveTC is type class resolution. 5.14 Core Language Features • Full-spectrum dependent types • Strict evaluation (plus Lazy : Type -> Type type constructor for explicit laziness) • Lambda, Pi (forall), Let bindings • Pattern matching definitions • Export modifiers public, abstract, private • Function options partial, total • where clauses • “magic with” • Implicit arguments (in top level types) • “Bound” implicit arguments {n : Nat} -> {a : Type} -> Vect n a • “Unbound” implicit arguments — Vect n a is equivalent to the above in a type, n and a are implicitly bound. This applies to names beginning with a lower case letter in an argument position. • ‘Tactic’ implicit arguments, which are solved by running a tactic script or giving a default argument, rather than by unification. • Unit type (), empty type Void • Tuples (desugaring to nested pairs) • Dependent pair syntax (x : T ** P x) (there exists an x of type T such that P x) • Inline case expressions • Heterogeneous equality • do notation 155 CHAPTER 5. LANGUAGE REFERENCE v0.99 • Idiom brackets • Interfaces (like type classes), supporting default methods and dependencies between methods • rewrite prf in expr • Metavariables • Inline proof/tactic scripts • Implicit coercion • codata • Also Inf : Type -> Type type constructor for mixed data/codata. In fact codata is imple- mented by putting recursive arguments under Inf. • syntax rules for defining pattern and term syntactic sugar • these are used in the standard library to define if ... then ... else expressions and an Agda-style preorder reasoning syntax. • Uniqueness typing using the UniqueType universe. • Partial evaluation by %static argument annotations. • Error message reflection • Eliminators • Label types ’name • %logging n • %unifyLog 5.15 Language Extensions 5.15.1 Type Providers Idris type providers are a way to get the type system to reflect observations about the world outside of Idris. Similarly to F# type providers, they cause effectful computations to run during type checking, returning information that the type checker can use when checking the rest of the program. While F# type providers are based on code generation, Idris type providers use only the ordinary execution semantics of Idris to generate the information. A type provider is simply a term of type IO (Provider t), where Provider is a data type with con- structors for a successful result and an error. The type t can be either Type (the type of types) or a concrete type. Then, a type provider p is invoked using the syntax %provide (x : t) with p. When the type checker encounters this line, the IO action p is executed. Then, the resulting term is extracted from the IO monad. If it is Provide y for some y : t, then x is bound to y for the remainder of typechecking and in the compiled code. If execution fails, a generic error is reported and type checking terminates. If the resulting term is Error e for some string e, then type checking fails and the error e is reported to the user. Example Idris type providers can be seen at this repository. More detailed descriptions are available in David Christiansen’s WGP ‘13 paper and M.Sc. thesis. 156 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.16 Elaborator Reflection The Idris elaborator is responsible for converting high-level Idris code into the core language. It is implemented as a kind of embedded tactic language in Haskell, where tactic scripts are written in an elaboration monad that provides error handling and a proof state. For details, see Edwin Brady’s 2013 paper in the Journal of Functional Programming. Elaborator reflection makes the elaboration type as well as a selection of its tactics available to Idris code. This means that metaprograms written in Idris can have complete control over the elaboration process, generating arbitrary code, and they have access to all of the facilities available in the elaborator, such as higher-order unification, type checking, and emitting auxiliary definitions. 5.16.1 The Elaborator State The elaborator state contains information about the ongoing elaboration process. In particular, it con- tains a goal type, which is to be filled by an under-construction proof term. The proof term can contain holes, each of which has a scope in which it is valid and a type. Some holes may additionally contain guesses, which can be substituted in the scope of the hole. The holes are tracked in a hole queue, and one of them is focused. In addition to the goal type, proof term, and holes, the elaborator state contains a collection of unsolved unification problems that can affect elaboration. The elaborator state is not directly available to Idris programs. Instead, it is modified through the use of tactics, which are operations that affect the elaborator state. A tactic that returns a value of type a, potentially modifying the elaborator state, has type Elab a. The default tactics are all in the namespace Language.Reflection.Elab.Tactics. 5.16.2 Running Elaborator Scripts On their own, tactics have no effect. The meta-operation %runElab script runs script in the current elaboration context. For example, the following script constructs the identity function at type Nat: idNat : Nat -> Nat idNat = %runElab (do intro `{{x}} fill (Var `{{x}}) solve) On the right-hand side, the Idris elaborator has the goal Nat -> Nat. When it encounters the %runElab directive, it fulfills this goal by running the provided script. The first tactic, intro, constructs a lambda that binds the name x. The name argument is optional because a default name can be taken from the function type. Now, the proof term is of the form \x : Nat => {hole}. The second tactic, fill, fills this hole with a guess, giving the term \x : Nat => {hole≈x}. Finally, the solve tactic instantiates the guess, giving the result \x : Nat => x. Because elaborator scripts are ordinary Idris expressions, it is also possible to use them in multiple contexts. Note that there is nothing Nat-specific about the above script. We can generate identity functions at any concrete type using the same script: mkId : Elab () mkId = do intro `{{x}} fill (Var `{{x}}) solve idNat : Nat -> Nat idNat = %runElab mkId idUnit : () -> () 157 CHAPTER 5. LANGUAGE REFERENCE v0.99 idUnit = %runElab mkId idString : String -> String idString = %runElab mkId 5.16.3 Interactively Building Elab Scripts You can build an Elab script interactively at the REPL. Use the command :metavars, or :m for short, to list the available holes. Then, issue the :elab <hole> command at the REPL to enter the elaboration shell. At the shell, you can enter proof tactics to alter the proof state. You can view the system-provided tactics prior to entering the shell by issuing the REPL command :browse Language.Reflection.Elab.Tactics. When you have discharged all goals, you can complete the proof using the :qed command and receive in return an elaboration script that fills the hole. The interactive elaboration shell accepts a limited number of commands, including a subset of the commands understood by the normal Idris REPL as well as some elaboration-specific commands. General-purpose commands: • :eval <EXPR>, or :e <EXPR> for short, evaluates the provided expression and prints the result. • :type <EXPR>, or :t <EXPR> for short, prints the provided expression together with its type. • :search <TYPE> searches for definitions having the provided type. • :doc <NAME> searches for definitions with the provided name and prints their documentation. Commands for viewing the proof state: • :state displays the current state of the term being constructed. It lists both other goals and the current goal. • :term displays the current proof term as well as its yet-to-be-filled holes. Commands for manipulating the proof state: • :undo undoes the effects of the last tactic. • :abandon gives up on proving the current lemma and quits the elaboration shell. • :qed finishes the script and exits the elaboration shell. The shell will only accept this command once it reports, “No more goals.” On exit, it will print out the finished elaboration script for you to copy into your program. 5.16.4 Failure Some tactics may fail. For example, intro will fail if the focused hole does not have a function type, solve will fail if the current hole does not contain a guess, and fill will fail if the term to be filled in has the wrong type. Scripts can also fail explicitly using the fail tactic. To account for failure, there is an Alternative implementation for Elab. The <|> operator first tries the script to its left. If that script fails, any changes that it made to the state are undone and the right argument is executed. If the first argument succeeds, then the second argument is not executed. 158 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.16.5 Querying the Elaboration State Elab includes operations to query the elaboration state, allowing scripts to use information about their environment to steer the elaboration process. The ordinary Idris bind syntax can be used to propagate this information. For example, a tactic that solves the current goal when it is the unit type might look like this: triv : Elab () triv = do compute g <- getGoal case (snd g) of `(() : Type) => do fill `(() : ()) solve otherGoal => fail [ TermPart otherGoal , TextPart "is not trivial" ] The tactic compute normalises the type of its goal with respect to the current context. While not strictly necessary, this allows triv to be used in contexts where the triviality of the goal is not immediately apparent. Then, getGoal is used, and its result is bound to g. Because it returns a pair consisting of the current goal’s name and type, we case-split on its second projection. If the goal type turns out to have been the unit type, we fill using the unit constructor and solve the goal. Otherwise, we fail with an error message informing the user that the current goal is not trivial. Additionally, the elaboration state can be dumped into an error message with the debug tactic. A variant, debugMessage, allows arbitrary messages to be included with the state, allowing for a kind of “printf debugging” of elaboration scripts. The message format used by debugMessage is the same for errors produced by the error reflection mechanism, allowing the re-use of the Idris pretty-printer when rendering messages. 5.16.6 Changing the Global Context Elab scripts can modify the global context during execution. Just as the Idris elaborator produces auxil- iary definitions to implement features such as where-blocks and case expressions, user elaboration scripts may need to define functions. Furthermore, this allows Elab reflection to be used to implement features such as interface deriving. The operations declareType, defineFunction, and addImplementation allow Elab scripts to modify the global context. 5.16.7 Using Idris’s Features The Idris compiler has a number of ways to automate the construction of terms. On its own, the Elab state and its interactions with the unifier allow implicits to be solved using unification. Additional operations use further features of Idris. In particular, resolveTC solves the current goal using interface resolution, search invokes the proof search mechanism, and sourceLocation finds the context in the original file at which the elaboration script is invoked. 5.16.8 Recursive Elaboration The elaboration mechanism can be invoked recursively using the runElab tactic. This tactic takes a goal type and an elaboration script as arguments and runs the script in a fresh lexical environment to create an inhabitant of the provided goal type. This is primarily useful for code generation, particularly for generating pattern-matching clauses, where variable scope needs to be one that isn’t the present local context. 159 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.16.9 Learn More While this documentation is still incomplete, elaboration reflection works in Idris today. As you wait for the completion of the documentation, the list of built-in tactics can be obtained using the :browse command in an Idris REPL or the corresponding feature in one of the graphical IDE clients to explore the Language.Reflection.Elab.Tactics namespace. All of the built-in tactics contain documentation strings. 5.17 Type Directed Search :search Idris’ :search command searches for terms according to their approximate type signature (much like Hoogle for Haskell). For example: Idris> :search e -> List e -> List e = Prelude.List.(::) : a -> List a -> List a Cons cell = Prelude.List.intersperse : a -> List a -> List a Insert some separator between the elements of a list. > Prelude.List.delete : Eq a => a -> List a -> List a < assert_smaller : a -> b -> b Assert to the totality checker than y is always structurally smaller than x (which is typically a pattern argument) < Prelude.Basics.const : a -> b -> a Constant function. Ignores its second argument. The best results are listed first. As we can see, (::) and intersperse are exact matches; the = symbol to the left of those results tells us the types of (::) and intersperse are effectively the same as the type that was searched. The next result is delete, whose type is more specific than the type that was searched; that’s indicated by the > symbol. If we had a function with the signature e -> List e -> List e, we could have given it the type Eq a => a -> List a -> List a, but not necessarily the other way around. The final two results, assert_smaller and const, have types more general than the type that was searched, and so they have < symbols to their left. For example, e -> List e -> List e would be a valid type for assert_smaller. The correspondence for const is more complicated than any of the four previous results. :search shows this result because we could change the order of the arguments! That is, the following definition would be legal: f : e -> List e -> List e f x xs = const xs x 5.17.1 About :search results :search’s functionality is based on the notion of type isomorphism. Informally, two types are isomorphic if we can identify terms of one type exactly with terms of the other. For example, we can consider the types Nat -> a -> List a and a -> Nat -> List a to be isomorphic, because if we have f : Nat -> a -> List a, then flip f : a -> Nat -> List a. Similarly, if g : a -> Nat -> List a, then flip g : Nat -> a -> List a. With :search, we create a partial order on types; that is, given two types A and B, we may choose to say 160 CHAPTER 5. LANGUAGE REFERENCE v0.99 that A <= B, A >= B, or both (in which case we say A == B), or neither. For :search, we say that A >= B if all of the terms inhabiting A correspond to terms of B, but it need not necessarily be the case that all the terms of B correspond to terms of A. Here’s an example: a -> a >= Nat -> Nat The left-hand type has just a single inhabitant, id, which corresponds to the term id {a = Nat}, which has the right-hand type. However, there are various terms inhabiting the right-hand type (such as S) which cannot correspond with terms of type a -> a. We can consider the partial order for :search to be, in some sense, inductively generated by several classes of “edits” which are described below. Possible edits Here is a simple approximate list of the edits that are possible in :search. They are not entirely formal, and do not necessarily reflect the :search command’s actual behavior. For example, the argument application rule may be used directly on arguments that are bound after other arguments, without using several applications of the argument transposition rule. • Argument transposition A : Type B : Type a : A, b : B |- M : Type ---------------------------------------------------------------------------- (x : A) -> (y : B) -> [x,y/a,b]M == (y : B) -> (x : A) -> [x,y/a,b]M Score: 1 point Example: a -> Vect n a -> Vect (S n) a == Vect n a -> a -> Vect (S n) a Note that in order for it to make sense to change the order of arguments, neither of the arguments’ types may depend on the value bound by the other argument! • Symmetry of equality A = B : Type t : Type |- M : Type ---------------------------------------- [A = B/t]M == [B = A/t]M Score: 1 point Example: (x,y,z : Nat) -> x + (y + z) = (x + y) + z == (x,y,z : Nat) -> (x + y) + z = x + (y + z) Note that this rule means that we can flip equalities anywhere they occur (i.e., not only in the return type). • Argument application e : A |- M : Type y1 : T1, ..., yn : Tn |- x : A ----------------------------------------------------------------- (z : A) -> [z/e]M >= (y1 : T1) -> ... -> (yn :Tn) -> [x/e]M Score: <= : 3 points, >= : 9 points Examples: 161 CHAPTER 5. LANGUAGE REFERENCE v0.99 a -> a >= Nat -> Nat a -> a >= List e -> List e Vect k (Fin k) >= Vect 5 (Fin 5) Note that the n shown in the scheme above may be 0; that is, there are no Pi terms to be added on the right side. For example, that’s the case for the first example shown above. This is probably the most important, and most widely used, rule of all. • Type class application C : Type -> TypeClass , y1 : T1, ..., yn : Tn |- A : Type, instance : C A , t : Type |- M : Type ----------------------------------------------------------------- C a => [a/t]M >= (y1 : T1) -> ... -> (yn : Tn) -> [A/t]M Score: <= : 4 points, >= : 12 points Examples Ord a => a >= Int Show (List e) => List e -> String >= Show a => List a -> String This rule is used by looking at the instances for a particular type class. While the scheme is shown only for single-parameter type classes, it naturally generalizes to multi-parameter type classes. This rule is particularly useful in conjunction with argument application. Again, note that the n in the scheme above may be 0. • Type class introduction t : Type |- M : Type C : Type -> TypeClass ----------------------------------------------- (t : Type) -> M >= C t => M Score: <= : 2 points, >= : 6 points Example: a -> a -> Bool >= Eq a => a -> a -> Bool Scoring and listing search results When a type S is searched, the type is compared against the types of all of the terms which are currently in context. When :search compares two types S and T, it essentially tries to find a chain of inequalities R1 R2 Rn Rn+1 S <= A1 <= ... <= An <= T using the edit rules listed above. It also tries to find chains going the other way (i.e., showing S >= T) as well. Each rule has an associated score which indicates how drastic of a change the rule corresponds to. These scores are listed above. Note that for the rules which are not symmetric, the score depends on the direction in which the rule is used. Finding types which are more general that the searched typed (S <= T) is preferred to finding types which are less general. The score for the entire chain is, at minimum, the sum of the scores of the individual rules (some non- linear interactions may be added). The :search function tries to find the chain between S and T which results in the lowest score, and this is the score associated to the search result for T. Search results are listed in order of ascending score. The symbol which is shown along with the search result reflects the type of the chain which resulted in the minimum score. 162 CHAPTER 5. LANGUAGE REFERENCE v0.99 5.17.2 Implementation of :search Practically, naive and undirected application of the rules enumerated above is not possible; not only is this obviously inefficient, but the two application rules (particularly argument application) are really impossible to use without context given by other types. Therefore, we use a heuristic algorithm that is meant to be practical, though it might not find ways to relate two types which may actually be related by the rules listed above. Suppose we wish to match two types, S and T. We think of the problem as a non-deterministic state machine. There is a State datatype which keeps track of how well we’ve matched S and T so far. It contains: • Names of argument variables (Pi-bound variables) in either type which have yet to be matched • A directed acyclic graph (DAG) of arguments (Pi-bindings) for S and T which have yet to be matched • A list of typeclass constraints for S and T which have yet to be matched • A record of the rules which have been used so far to get to this point A function nextSteps : State -> [State] finds the next states which may follow from a given state. Some states, where everything has been matched, are considered final. The algorithm can be roughly broken down into multiple stages; if we start from having two types, S and T, which we wish to match, they are as follows: 1. For each of S and T, split the types up into their return types and directed acyclic graphs of the arguments, where there is an edge from argument A to argument B if the term bound in A appears in the type of B. The topological sorts of the DAG represent all the possible ways in which the arguments may be permuted. 2. For type T, recursively find (saturated) uses of the = type constructor and produce a list of modified versions of T containing all possible flips of the = constructor (this corresponds to the symmetry of equality rule). 3. For each modified type for T, try to unify the return type of the modified T with S, considering arguments from both S and T to be holes, so that the unifier may match pieces of the two types. For each modified version of T where this succeeds, an initial State can be made. The arguments and typeclasses are updated accordingly with the results of unification. The remainder of the algorithm involves applying nextSteps to these states until either no states remain (corresponding to no path from S to T) or a final state is found. nextSteps also has several stages: 4. Try to unify arguments of S with arguments of T, much like is done with the return types. We work “backwards” through the arguments: we try matching all remaining arguments of S which lack outgoing edges in the DAG of remaining arguments (that is, the bound value doesn’t appear in the type of any other remaining arguments) with the all of the corresponding remaining arguments of T. This is done recursively until no arguments remain for both S and T; otherwise, we give up at this point. This step corresponds to application of the argument application rule, as well as the argument transposition rule. 5. Now, we try to match the type classes. First, we take all possible subsets of type class constraints for S and T. So if S and T have a total of n type class constraints, this produces 2^n states for every state, and this quickly becomes infeasible as n grows large. This is probably the biggest bottleneck of the algorithm at the moment. This step corresponds to applications of the type class introduction rule. 6. Try to match type class constraints for S with those for T. We attempt to unify each type class constraint for S with each constraint for T. This may result in applications of the type class appli- cation rule. Once we are unable to match any more type class constraints between S and T, we proceed to the final step. 163 CHAPTER 5. LANGUAGE REFERENCE v0.99 7. Try instantiating type classes with their instances (in either S or T). This corresponds to applications of the type class application rule. After instantiating a type class, we hopefully open up more opportunities to match typeclass constraints of S with those of T, so we return to the previous step. The code for :search is located in the Idris.TypeSearch module. Aggregating results The search for chains of rules/edits which relate two types can be viewed as a shortest path problem where nodes correspond to types and edges correspond to rules relating two types. The weights or distances on each edge correspond to the score of each rule. We then may imagine that we have a single start node, our search type S, and several final nodes: all of the types for terms which are currently in context. The problem, then, is to find the shortest paths (where they exist) to all of the final nodes. In particular, we wish to find the “closest” types (those with the minimum score) first, as we’d like to display them first. This problem nicely maps to usage of Dijkstra’s algorithm. We search for all types simultaneously so we can find the closest ones with the minimum amount of work. In practice, this results in using a priority queue of priority queues. We first ask “which goal type should we work on next?”, and then ask “which state should we expand upon next?” By using this strategy, the best results can be shown quickly, even if it takes a bit of time to find worse results (or at least rule them out). 5.17.3 Miscellaneous Notes Whether arguments are explicit or implicit does not affect search results. 5.18 Static Arguments and Partial Evaluation As of version 0.9.15, Idris has support for partial evaluation of statically known arguments. This involves creating specialised versions of functions with arguments annotated as [static]. (This is an implementation of the partial evaluator described in this ICFP 2010 paper. Please refer to this for more precise definitions of what follows.) Partial evaluation is switched on by default. It can be disabled with the --no-partial-eval flag. 5.18.1 Introductory Example Consider the power function over natural numbers, defined as follows (we’ll call it my_pow since pow already exists in the Prelude): my_pow : Nat -> Nat -> Nat my_pow x Z = 1 my_pow x (S k) = mult x (my_pow x k) This is implemented by recursion on the second argument, and we can evaluate the definition further if the second argument is known, even if the first isn’t. For example, we can build a function at the REPL to cube a number as follows: *pow> \x => my_pow x 3 \x => mult x (mult x (mult x 1)) : Nat -> Nat 164 CHAPTER 5. LANGUAGE REFERENCE v0.99 *pow> it 3 27 : Nat Note that in the resulting function the recursion has been eliminated, since my_pow is implemented by recursion on the known argument. We have no such luck if the first argument is known and the second isn’t: *pow> \x => my_pow 2 x \x => my_pow 2 x : Nat -> Nat Now, consider the following definition which calculates x^2 + 1: powFn : Nat -> Nat powFn x = plus (my_pow x (S (S Z))) (S Z) Since the second argument to my_pow here is statically known, it seems a shame to have to make the recursive calls every time. However, Idris will not in general inline recursive definitions, in particular since they may diverge or duplicate work without some deeper analysis. We can, however, give Idris some hints that here we really would like to create a specialised version of my_pow. Automatic specialisation of pow The trick is to mark the statically known arguments with the [static] flag: my_pow : Nat -> [static] Nat -> Nat my_pow k Z = 1 my_pow k (S j) = mult k (my_pow k j) When an argument is annotated in this way, Idris will try to create a specialised version whenever it accounts a call with a concrete value (i.e. a constant, constructor form, or globally defined function) in a [static] position. If my_pow is defined this way, and powFn defined as above, we can see the effect by typing :printdef powFn at the REPL: *pow> :printdef powFn powFn : Nat -> Nat powFn x = plus (PE_my_pow_3f3e5ad8 x) 1 What is this mysterious PE_my_pow_3f3e5ad8? It’s a specialised power function where the statically known argument has been specialised away. The name is generated from a hash of the specialised arguments, and we can see its definition with :printdef too: *petest> :printdef PE_my_pow_3f3e5ad8 PE_my_pow_3f3e5ad8 : Nat -> Nat PE_my_pow_3f3e5ad8 (0arg) = mult (0arg) (mult (0arg) (PE_fromInteger_7ba9767f 1)) The (0arg) is an internal argument name (programmers can’t give variable names beginning with a digit after all). Notice also that there is a specialised version of fromInteger for Nats, since type class dictionaries are themselves a particularly common case of statically known arguments! 5.18.2 Specialising Type Classes Type class dictionaries are very often statically known, so Idris automatically marks any type class con- straint as [static] and builds specialised versions of top level functions where the class is instantiated. For example, given: 165 CHAPTER 5. LANGUAGE REFERENCE v0.99 calc : Int -> Int calc x = (x * x) + x If we print this definition, we’ll see a specialised version of + is used: *petest> :printdef calc calc : Int -> Int calc x = PE_+_954510b4 (PE_*_954510b4 x x) x More interestingly, consider vadd which adds corresponding elements in a vector of anything numeric: vadd : Num a => Vect n a -> Vect n a -> Vect n a vadd [] [] = [] vadd (x :: xs) (y :: ys) = x + y :: vadd xs ys If we use this on something concrete as follows... test : List Int -> List Int test xs = let xs' = fromList xs in toList $ vadd xs' xs' ...then in fact, we get a specialised version of vadd in the definition of test, and indeed the specialised version of toList: test : List Int -> List Int test xs = let xs' = fromList xs in PE_toList_888ae67 (PE_vadd_33f98d3d xs' xs') Here’s the specialised version of vadd: PE_vadd_33f98d3d : Vect n Int -> Vect n Int -> Vect n Int PE_vadd_33f98d3d [] [] = [] PE_vadd_33f98d3d (x :: xs) (y :: ys) = ((PE_+_954510b4 x y) :: (PE_vadd_33f98d3d xs ys)) Note that the recursive structure has been preserved, and the recursive call to vadd has been replaced with a recursive call to the specialised version. We’ve also got the same specialised version of + that we had above in calc. 5.18.3 Specialising Higher Order Functions Another case where partial evaluation can be useful is in automatically making specialised versions of higher order functions. Unlike type class dictionaries, this is not done automatically, but we might consider writing map as follows: my_map : [static] (a -> b) -> List a -> List b my_map f [] = [] my_map f (x :: xs) = f x :: my_map f xs Then using my_map will yield specialised versions, for example to double every value in a list of Ints we could write: doubleAll : List Int -> List Int doubleAll xs = my_map (*2) xs This would yield a specialised version of my_map, used in doubleAll as follows: doubleAll : List Int -> List Int doubleAll xs = PE_my_map_1f8225c4 xs 166 CHAPTER 5. LANGUAGE REFERENCE v0.99 PE_my_map_1f8225c4 : List Int -> List Int PE_my_map_1f8225c4 [] = [] PE_my_map_1f8225c4 (x :: xs) = ((PE_*_954510b4 x 2) :: (PE_my_map_1f8225c4 xs)) 5.18.4 Specialising Interpreters A particularly useful situation where partial evaluation becomes effective is in defining an interpreter for a well-typed expression language, defined as follows (see the Idris tutorial, section 4 for more details on how this works): data Expr : Vect n Ty -> Ty -> Type where Var : HasType i gamma t -> Expr gamma t Val : (x : Int) -> Expr gamma TyInt Lam : Expr (a :: gamma) t -> Expr gamma (TyFun a t) App : Lazy (Expr gamma (TyFun a t)) -> Expr gamma a -> Expr gamma t Op : (interpTy a -> interpTy b -> interpTy c) -> Expr gamma a -> Expr gamma Expr gamma c If : Expr gamma TyBool -> Expr gamma a -> Expr gamma a -> Expr gamma a dsl expr lambda = Lam variable = Var index_first = stop index_next = pop We can write a couple of test functions in this language as follows, using the dsl notation to overload lambdas; first a function which multiplies two inputs: eMult : Expr gamma (TyFun TyInt (TyFun TyInt TyInt)) eMult = expr (\x, y => Op (*) x y) Then, a function which calculates the factorial of its input: eFac : Expr gamma (TyFun TyInt TyInt) eFac = expr (\x => If (Op (==) x (Val 0)) (Val 1) (App (App eMult (App eFac (Op (-) x (Val 1)))) x)) The interpreter’s type is written as follows, marking the expression to be evaluated as [static]: interp : (env : Env gamma) -> [static] (e : Expr gamma t) -> interpTy t This means that if we write an Idris program to calculate a factorial by calling interp on eFac, the resulting definition will be specialised, partially evaluating away the interpreter: runFac : Int -> Int runFac x = interp [] eFac x We can see that the call to interp has been partially evaluated away as follows: *interp> :printdef runFac runFac : Int -> Int runFac x = PE_interp_ed1429e [] x If we look at PE_interp_ed1429e we’ll see that it follows exactly the structur of eFac, with the interpreter evaluated away: *interp> :printdef PE_interp_ed1429e PE_interp_ed1429e : Env gamma -> Int -> Int PE_interp_ed1429e (3arg) = \x => 167 CHAPTER 5. LANGUAGE REFERENCE v0.99 boolElim (x == 0) (Delay 1) (Delay (PE_interp_b5c2d0ff (x :: (3arg)) (PE_interp_ed1429e (x :: (3arg)) (x - 1)) x)) For the sake of readability, I have simplified this slightly: what you will really see also includes specialised versions of ==, - and fromInteger. Note that PE_interp_ed1429e, which represents eFac has become a recursive function following the structure of eFac. There is also a call to PE_interp_b5c2d0ff which is a specialised interpeter for eMult. These definitions arise because the partial evaluator will only specialise a definition by a specific concrete argument once, then it is cached for future use. So any future applications of interp on eFac will also be translated to PE_interp_ed1429e. The specialised version of eMult, without any simplification for readability, is: PE_interp_b5c2d0ff : Env gamma -> Int -> Int -> Int PE_interp_b5c2d0ff (3arg) = \x => \x1 => PE_*_954510b4 x x1 5.19 Miscellaneous Things we have yet to classify, or are two small to justify their own page. 5.19.1 The Unifier Log If you’re having a hard time debugging why the unifier won’t accept something (often while debugging the compiler itself), try applying the special operator %unifyLog to the expression in question. This will cause the type checker to spit out all sorts of informative messages. 5.19.2 Namespaces and type-directed disambiguation Names can be defined in separate namespaces, and disambiguated by type. An expression with NAME EXPR will privilege the namespace NAME in the expression EXPR. For example: Idris> with List [[1,2],[3,4],[5,6]] [[1, 2], [3, 4], [5, 6]] : List (List Integer) Idris> with Vect [[1,2],[3,4],[5,6]] [[1, 2], [3, 4], [5, 6]] : Vect 3 (Vect 2 Integer) Idris> [[1,2],[3,4],[5,6]] Can't disambiguate name: Prelude.List.::, Prelude.Stream.::, Prelude.Vect.:: 5.19.3 Alternatives The syntax (| option1, option2, option3, ... |) type checks each of the options in turn until one of them works. This is used, for example, when translating integer literals. Idris> the Nat (| "foo", Z, (-3) |) 0 : Nat This can also be used to give simple automated proofs, for example: trying some constructors of proofs. 168 CHAPTER 5. LANGUAGE REFERENCE v0.99 syntax Trivial = (| oh, refl |) 5.19.4 Totality checking assertions All definitions are checked for coverage (i.e. all well-typed applications are handled) and either for termination (i.e. all well-typed applications will eventually produce an answer) or, if returning codata, for productivity (in practice, all recursive calls are constructor guarded). Obviously, termination checking is undecidable. In practice, the termination checker looks for size change - every cycle of recursive calls must have a decreasing argument, such as a recursive argument of a strictly positive data type. There are two built-in functions which can be used to give the totality checker a hint: • assert_total x asserts that the expression x is terminating and covering, even if the totality checker cannot tell. This can be used for example if x uses a function which does not cover all inputs, but the caller knows that the specific input is covered. • assert_smaller p x asserts that the expression x is structurally smaller than the pattern p. For example, the following function is not checked as total: qsort : Ord a => List a -> List a qsort [] = [] qsort (x :: xs) = qsort (filter (<= x) xs) ++ (x :: qsort (filter (>= x) xs))) This is because the checker cannot tell that filter will always produce a value smaller than the pattern x :: xs for the recursive call to qsort. We can assert that this will always be true as follows: total qsort : Ord a => List a -> List a qsort [] = [] qsort (x :: xs) = qsort (assert_smaller (x :: xs) (filter (<= x) xs)) ++ (x :: qsort (assert_smaller (x :: xs) (filter (>= x) xs)))) 5.19.5 C heap Idris has two heaps where objects can be allocated: 169 CHAPTER 5. LANGUAGE REFERENCE v0.99 FP heap C heap Cheney-collected Mark-and-sweep-collected Garbage collections touches only live objects. Garbage collection has to traverse all registered items. Ideal for FP-style rapid allocation of lots of Ideal for C-style allocation of a few big buffers. small short-lived pieces of memory, such as data constructors. Finalizers are impossible to support Items have finalizers that are called on reasonably. deallocation. Data is copied all the time (when collecting Copying does not happen. garbage, modifying data, registering managed pointers, etc.) Contains objects of various types. Contains C heap items: (void *) pointers with finalizers. A finalizer is a routine that deallocates the resources associated with the item. Fixed set of object types. The data pointer may point to anything, as long as the finalizer cleans up correctly. Not suitable for C resources and arbitrary Suitable for C resources and arbitrary pointers. pointers. Values form a compact memory block. Items are kept in a linked list. Any Idris value, most notably ManagedPtr. Items represented by the Idris type CData. Data of ManagedPtr allocated in C, buffer Data allocated in C, pointer copied into the C then copied into the FP heap. heap. Allocation and reallocation not possible from Allocated and reallocate freely in C, registering the C code (without having a reference to the allocated items in the FFI. VM). Everything is copied instead. The FP heap is the primary heap. It may contain values of type CData, which are references to items in the C heap. A C heap item contains a (void *) pointer and the corresponding finalizer. Once a C heap item is no longer referenced from the FP heap, it is marked as unused and the next GC sweep will call its finalizer and deallocate it. There is no Idris interface for CData other than its type and FFI. Usage from C code • Although not enforced in code, CData is meant to be opaque and non-RTS code (such as libraries or C bindings) should access only its (void *) field called data. • Feel free to mutate both the pointer data (eg. after calling realloc) and the memory it points to. However, keep in mind that this must not break Idris’s referential transparency. • WARNING! If you call cdata_allocate or cdata_manage, the resulting CData object must be returned from your FFI function so that it is inserted in the C heap by the RTS. Otherwise the memory will be leaked. some_allocating_fun : Int -> IO CData some_allocating_fun i = foreign FFI_C "some_allocating_fun" (Int -> IO CData) i other_fun : CData -> Int -> IO Int other_fun cd i = foreign FFI_C "other_fun" (CData -> Int -> IO Int) cd i #include "idris_rts.h" static void finalizer(void * data) { MyStruct * ptr = (MyStruct *) data; free_something(ptr->something); 170 CHAPTER 5. LANGUAGE REFERENCE v0.99 free(ptr); } CData some_allocating_fun(int arg) { void * data = (void *) malloc(...); // ... return cdata_manage(data, finalizer); } int other_fun(CData cd, int arg) { int result = foo(cd->data); return result; } 5.19.6 Preorder reasoning This syntax is defined in the module Syntax.PreorderReasoning in the base package. It provides a syntax for composing proofs of reflexive-transitive relations, using overloadable functions called step and qed. This module also defines step and qed functions allowing the syntax to be used for demonstrating equality. Here is an example: import Syntax.PreorderReasoning multThree : (a, b, c : Nat) -> a * b * c = c * a * b multThree a b c = (a * b * c) ={ sym (multAssociative a b c) }= (a * (b * c)) ={ cong (multCommutative b c) }= (a * (c * b)) ={ multAssociative a c b }= (a * c * b) ={ cong {f = (* b)} (multCommutative a c) }= (c * a * b) QED Note that the parentheses are required – only a simple expression can be on the left of ={ }= or QED. Also, when using preorder reasoning syntax to prove things about equality, remember that you can only relate the entire expression, not subexpressions. This might occasionally require the use of cong. Finally, although equality is the most obvious application of preorder reasoning, it can be used for any reflexive-transitive relation. Something like step1 ={ just1 }= step2 ={ just2 }= end QED is translated to (step step1 just1 (step step2 just2 (qed end))), selecting the appropriate defini- tions of step and qed through the normal disambiguation process. The standard library, for example, also contains an implementation of preorder reasoning on isomorphisms. 5.19.7 Pattern matching on Implicit Arguments Pattern matching is only allowed on implicit arguments when they are referred by name, e.g. foo : {n : Nat} -> Nat foo {n = Z} = Z foo {n = S k} = k or foo : {n : Nat} -> Nat foo {n = n} = n The latter could be shortened to the following: 171 CHAPTER 5. LANGUAGE REFERENCE v0.99 foo : {n : Nat} -> Nat foo {n} = n That is, {x} behaves like {x=x}. 5.19.8 Existence of an implementation In order to show that an implementation of some interface is defined for some type, one could use the %implementation keyword: foo : Num Nat foo = %implementation 5.19.9 ‘match’ application ty <== name applies the function name in such a way that it has the type ty, by matching ty against the function’s type. This can be used in proofs, for example: plus_comm : (n : Nat) -> (m : Nat) -> (n + m = m + n) -- Base case (Z + m = m + Z) <== plus_comm = rewrite ((m + Z = m) <== plusZeroRightNeutral) ==> (Z + m = m) in refl -- Step case (S k + m = m + S k) <== plus_comm = rewrite ((k + m = m + k) <== plus_comm) in rewrite ((S (m + k) = m + S k) <== plusSuccRightSucc) in refl 5.19.10 Reflection Including %reflection functions and quoteGoal x by fn in t, which applies fn to the expected type of the current expression, and puts the result in x which is in scope when elaborating t. 5.19.11 Bash Completion Use of optparse-applicative allows Idris to support Bash completion. You can obtain the completion script for Idris using the following command: idris --bash-completion-script `which idris` To enable completion for the lifetime of your current session, run the following command: source <(idris --bash-completion-script `which idris`) To enable completion permenatly you must either: • Modify your bash init script with the above command. • Add the completion script to the appropriate bash_completion.d/ folder on your machine. 172 CHAPTER 6 Tutorials on the Idris Language Tutorials submitted by community members. Note: The documentation for Idris has been published under the Creative Commons CC0 License. As such to the extent possible under law, The Idris Community has waived all copyright and related or neighboring rights to Documentation for Idris. More information concerning the CC0 can be found online at: http://creativecommons.org/publicdomain/zero/1.0/ 6.1 Type Providers in Idris Type providers in Idris are simple enough, but there are a few caveats to using them that it would be worthwhile to go through the basic steps. We also go over foreign functions, because these will often be used with type providers. 6.1.1 The use case First, let’s talk about why we might want type providers. There are a number of reasons to use them and there are other examples available around the net, but in this tutorial we’ll be using them to port C’s struct stat to Idris. Why do we need type providers? Well, Idris’s FFI needs to know the types of the things it passes to and from C, but the fields of a struct stat are implementation-dependent types that cannot be relied upon. We don’t just want to hard-code these types into our program... so we’ll use a type provider to find them at compile time! 6.1.2 A simple example First, let’s go over a basic usage of type providers, because foreign functions can be confusing but it’s important to remember that providers themselves are simple. A type provider is simply an IO action that returns a value of this type: data Provider a = Provide a | Error String Looks familiar? Provider is just Either a String, given a slightly more descriptive name. 173 CHAPTER 6. TUTORIALS ON THE IDRIS LANGUAGE v0.99 Remember though, type providers we use in our program must be IO actions. Let’s write a simple one now: module Provider -- Asks nicely for the user to supply the size of C's size_t type on this -- machine getSizeT : IO (Provider Int) getSizeT = do putStrLn "I'm sorry, I don't know how big size_t is. Can you tell me, in bytes?" resp <- getLine case readInt resp of Just sizeTSize => pure (Provide sizeTSize) Nothing => pure (Error "I'm sorry, I don't understand.") -- the readInt function is left as an exercise We assume that whoever’s compiling the library knows the size of size_t, so we’ll just ask them! (Don’t worry, we’ll get it ourselves later.) Then, if their response can be converted to an integer, we present Provide sizeTSize as the result of our IO action; or if it can’t, we signal a failure. (This will then become a compile-time error.) Now we can use this IO action as a type provider: module Main -- to gain access to the IO action we're using as a provider import Provider -- TypeProviders is an extension, so we'll enable it %language TypeProviders -- And finally, use the provider! -- Note that the parentheses are mandatory. %provide (sizeTSize : Int) with getSizeT -- From now on it's just a normal program where `sizeTSize` is available -- as a top-level constant main : IO () main = do putStr "Look! I figured out how big size_t is! It's " putStr (show sizeTSize) putStr " bytes!" Yay! We... asked the user something at compile time? That’s not very good, actually. Our library is going to be difficult to compile! This is hardly a step up from having them edit in the size of size_t themselves! Don’t worry, there’s a better way. 6.1.3 Foreign Functions It’s actually pretty easy to write a C function that figures out the size of size_t: int sizeof_size_t() { return sizeof(size_t); } (Why an int and not a size_t? The FFI needs to know how to receive the return value of this function and translate it into an Idris value. If we knew how to do this for values of C type size_t, we wouldn’t need to write this function at all! If we really wanted to be safe from overflow, we could use an array of multiple integers, but the SIZE of size_t is never going to be a 65535 byte integer.) So now we can get the size of size_t as long as we’re in C code. We’d like to be able to use this from Idris. Can we do this? It turns out we can. 174 CHAPTER 6. TUTORIALS ON THE IDRIS LANGUAGE v0.99 foreign With foreign, we can turn a C function into an IO action. It works like this: getSizeT : IO Int getSizeT = foreign FFI_C "sizeof_size_t" (IO Int) Pretty simple. foreign takes a specification of what function it needs to call and that function’s return type. Running foreign functions This is all well and good for writing code that will typecheck. To actually run the code, we’ll need to do just a bit more work. Exactly what we need to do depends on whether we want to interpret or compile our code. In the interpreter If we want to call our foreign functions from interpreted code (such as the REPL or a type provider), we need to dynamically link a library containing the symbols we need. This is pretty easy to do with the %dynamic directive: %dynamic "./filename.so" Note that the leading ”./” is important: currently, the string you provide is interpreted as by dlopen(), which on Unix does not search in the current directory by default. If you use the ”./”, the library will be searched for in the directory from which you run idris (not the location of the file you’re running!). Of course, if you’re using functions from an installed library rather than something you wrote yourself, the ”./” is not necessary. In an executable If we want to run our code from an executable, we can statically link instead. We’ll use the %include and %link directives: %include C "filename.h" %link C "filename.o" Note the extra argument to the directive! We specify that we’re linking a C header and library. Also, unlike %dynamic, these directives search in the current directory by default. (That is, the directory from which we run idris.) 6.1.4 Putting it all together So, at the beginning of this article I said we’d use type providers to port struct stat to Idris. The relevant part is just translating all the mysterious typedef’d C types into Idris types, and that’s what we’ll do here. First, let’s write a C file containing functions that we’ll bind to. /* stattypes.c */ # include <sys/stat.h> int sizeof_dev_t() { return sizeof(dev_t); } 175 CHAPTER 6. TUTORIALS ON THE IDRIS LANGUAGE v0.99 int sizeof_ino_t() { return sizeof(ino_t); } /* lots more functions like this */ Next, an Idris file to define our providers: -- Providers.idr module Providers %dynamic "./stattypes.so" sizeOfDevT : IO Int sizeOfDevT = foreign FFI_C "sizeof_dev_t" (IO Int) {- lots of similar functions -} -- Indicates how many bits are used to represent various system -- stat types. data BitWidth = B8 | B16 | B32 | B64 implementation Show BitWidth where show B8 = "8 bits" show B16 = "16 bits" show B32 = "32 bits" show B64 = "64 bits" -- Now we have an integer, but we want a Provider BitWidth. -- Since our sizeOf* functions are ordinary IO actions, we -- can just map over them. bytesToType : Int -> Provider BitWidth bytesToType 1 = Provide B8 -- "8 bit value" bytesToType 2 = Provide B16 bytesToType 4 = Provide B32 bytesToType 8 = Provide B64 bytesToType _ = Error "Unrecognised integral type." getDevT : IO (Provider BitWidth) getDevT = map bytesToType sizeOfDevT {- lots of similar functions -} Finally, we’ll write one more idris file where we use the type providers: -- Main.idr module Main import Providers %language TypeProviders %provide (DevTBitWidth : BitWidth) with getDevT -- We can now use DevTBitWidth in our program! main : IO () main = putStrLn $ "size of dev_t: " ++ show DevTBitWidth 6.2 The Interactive Theorem Prover This short guide contributed by a community member illustrates how to prove associativity of addition on Nat using the interactive theorem prover. First we define a module Foo.idr module Foo 176 CHAPTER 6. TUTORIALS ON THE IDRIS LANGUAGE v0.99 plusAssoc : plus n (plus m o) = plus (plus n m) o plusAssoc = ?rhs We wish to perform induction on n. First we load the file into the Idris REPL as follows: $ idris Foo.idr We will be given the following prompt, in future releases the version string will differ: ____ __ _ / _/___/ /____(_)____ / // __ / ___/ / ___/ Version 0.9.18.1 _/ // /_/ / / / (__ ) http://www.idris-lang.org/ /___/\__,_/_/ /_/____/ Type :? for help Idris is free software with ABSOLUTELY NO WARRANTY. For details type :warranty. Type checking ./Foo.idr Metavariables: Foo.rhs *Foo> 6.2.1 Explore the Context We start the interactive session by asking Idris to prove the hole rhs using the command :p rhs. Idris by default will show us the initial context. This looks as follows: *Foo> :p rhs ---------- Goal: ---------- { hole 0 }: (n : Nat) -> (m : Nat) -> (o : Nat) -> plus n (plus m o) = plus (plus n m) o 6.2.2 Application of Intros We first apply the intros tactic: -Foo.rhs> intros ---------- Other goals: ---------- { hole 2 } { hole 1 } { hole 0 } ---------- Assumptions: ---------- n : Nat m : Nat o : Nat ---------- Goal: ---------- { hole 3 }: plus n (plus m o) = plus (plus n m) o 6.2.3 Induction on n Then apply induction on to n: -Foo.rhs> induction n ---------- Other goals: ---------- 177 CHAPTER 6. TUTORIALS ON THE IDRIS LANGUAGE v0.99 elim_S0 { hole 2 } { hole 1 } { hole 0 } ---------- Assumptions: ---------- n : Nat m : Nat o : Nat ---------- Goal: ---------- elim_Z0: plus Z (plus m o) = plus (plus Z m) o 6.2.4 Compute -Foo.rhs> compute ---------- Other goals: ---------- elim_S0 { hole 2 } { hole 1 } { hole 0 } ---------- Assumptions: ---------- n : Nat m : Nat o : Nat ---------- Goal: ---------- elim_Z0: plus m o = plus m o 6.2.5 Trivial -Foo.rhs> trivial ---------- Other goals: ---------- { hole 2 } { hole 1 } { hole 0 } ---------- Assumptions: ---------- n : Nat m : Nat o : Nat ---------- Goal: ---------- elim_S0: (n__0 : Nat) -> (plus n__0 (plus m o) = plus (plus n__0 m) o) -> plus (S n__0) (plus m o) = plus (plus (S n__0) m) o 6.2.6 Intros -Foo.rhs> intros ---------- Other goals: ---------- { hole 4 } elim_S0 { hole 2 } { hole 1 } { hole 0 } ---------- Assumptions: ---------- n : Nat 178 CHAPTER 6. TUTORIALS ON THE IDRIS LANGUAGE v0.99 m : Nat o : Nat n__0 : Nat ihn__0 : plus n__0 (plus m o) = plus (plus n__0 m) o ---------- Goal: ---------- { hole 5 }: plus (S n__0) (plus m o) = plus (plus (S n__0) m) o 6.2.7 Compute -Foo.rhs> compute ---------- Other goals: ---------- { hole 4 } elim_S0 { hole 2 } { hole 1 } { hole 0 } ---------- Assumptions: ---------- n : Nat m : Nat o : Nat n__0 : Nat ihn__0 : plus n__0 (plus m o) = plus (plus n__0 m) o ---------- Goal: ---------- { hole 5 }: S (plus n__0 (plus m o)) = S (plus (plus n__0 m) o) 6.2.8 Rewrite -Foo.rhs> rewrite ihn__0 ---------- Other goals: ---------- { hole 5 } { hole 4 } elim_S0 { hole 2 } { hole 1 } { hole 0 } ---------- Assumptions: ---------- n : Nat m : Nat o : Nat n__0 : Nat ihn__0 : plus n__0 (plus m o) = plus (plus n__0 m) o ---------- Goal: ---------- { hole 6 }: S (plus n__0 (plus m o)) = S (plus n__0 (plus m o)) 6.2.9 Trivial -Foo.rhs> trivial rhs: No more goals. -Foo.rhs> qed Proof completed! Foo.rhs = proof intros induction n 179 CHAPTER 6. TUTORIALS ON THE IDRIS LANGUAGE v0.99 compute trivial intros compute rewrite ihn__0 trivial Two goals were created: one for Z and one for S. Here we have proven associativity, and assembled a tactic based proof script. This proof script can be added to Foo.idr. 180 Bibliography [BMM04] Edwin Brady, Conor McBride, James McKinna: Inductive families need not store their indices 181