Concepts of programming languagesIdris

Žan Palčič, Stefan Koppier, Kevin Namink, Luca Scannapieco andXander van der Goot

Idris is a general purpose pure functional programming language withdependent types.

This language supports features that allow it to prove properties offunctions.

Development of Idris is led by Edwin Brady.

Its first stable release was in April 2017.

Table of contents

▶ Basics▶ Dependent types▶ Type driven programming▶ Using types to express properties of data▶ Expressing contracts in types▶ Conclusions▶ Questions

Basics▶ Pure functional▶ Strict▶ Syntax, similar to Haskell▶ Total functions▶ Dependent types

Pure functional

Following the definition from “Type driven development with Idris” in afunctional programming language:

▶ Programs are composed of functions▶ Program execution consists of evaluation of functions▶ Functions are a first-class language construct

And in a pure functional language:

▶ Functions don’t have side effects such as modifying globalvariables, throwing exceptions, or preforming console input oroutput.

▶ As a result, for any specific inputs, a function will always give thesame result.

Idris uses strict evaluation by default but has a Lazy keyword.

As example the ifThenElse function in the basic library:

ifThenElse : Bool -> (t: Lazy a) -> (e: Lazy a) -> aifThenElse True t e = tifThenElse False t e = e

Types are first class citizens.

StringOrInt : Bool -> TypeStringOrInt False -> StringStringOrInt True -> Int

Similarity to other languages

Idris is able to write tactic invocations to prove invariants at compiletime, similar to Coq.

It is also possible to interactively elaborate with a proof term, similar toEpigram and Agda

The syntax of Idris is very similar to Haskell.

Syntax differences with Haskell

▶ Colon▶ Type signature mandatory▶ Omission of “where” in module declarations▶ Dependent types


foo : Nat -> Nat


foo :: Nat -> Nat

Total functions

A way to prove properties of functions.

Idris can distinct between functions that are total and that are partial.Total functions are guaranteed to return a value in finite time for everywell-typed input.

▶ Total functions return a value in finite time.▶ Partial functions return a value if it doesn’t crash or enter an

infinite loop.

Examples are:

▶ The append function for finite lists is total.▶ The first function for a list is partial, it is not defined if the list is


Dependent types

Dependent types

Idris has dependent types, this means types can depend on other values.

The most clear example is the Vect type that is used for lists.

Dependent types

For example, appending a list of length 3 of strings with a list of length 4of strings:

▶ Simple programming languages would use a type AnyList.

▶ Generic programming languages would instead use List String.

▶ But using dependent types would use the types: Vect 3 Stringand Vect 4 String. And return a type Vect 7 String.

Type driven programming

Type driven programming▶ Type▶ Define▶ Refine

Interactive editing

Interactive editing

TypeDefining vectors:data Vect : Nat -> Type -> Type where

Nil : Vect Z a(::) : (x : a) -> (xs : Vect k a) -> Vect (S k) a

Interactive editing

DefineAppend function with vect data type:app : Vect n a -> Vect m a -> Vect (n + m) aapp Nil ys = ?append1app (x :: xs) ys = ?append2

Interactive editing

Refineapp : Vect n a -> Vect m a -> Vect (n + m) aapp Nil ys = ?append1app (x :: xs) ys = ?append2Holes are useful because they help us write functions incrementally. Wecan check the type of ?append2 and ?append1 to find:append1 : Vect m aappend2 : Vect (S (plus len m)) aor search on each of the holes resulting in this:

app : Vect n a -> Vect m a -> Vect (n + m) aapp Nil ys = ysapp (x :: xs) ys = x :: app xs ys

Interactive editing

Refineapp : Vect n a -> Vect m a -> Vect (n + m) aapp Nil ys = ?append1app (x :: xs) ys = ?append2Holes are useful because they help us write functions incrementally. Wecan check the type of ?append2 and ?append1 to find:append1 : Vect m aappend2 : Vect (S (plus len m)) aor search on each of the holes resulting in this:app : Vect n a -> Vect m a -> Vect (n + m) aapp Nil ys = ysapp (x :: xs) ys = x :: app xs ys

What if we can’t make guarantees at compile time?

▶ Dependent pairs

What if we can’t make guarantees at compile time?

What we’ve seen works for types which we know at compile time.

But what if the size of the vectors are not known at compile time?

For example, when we want the user to enter elements on the consoleuntil the empty string is entered.

readVect : IO (Vect n String)readVect =

do x <- getLineif x == ""

then return []else do xs <- readVect

return (x :: xs)

But this won’t type check.

Encapsulate Vect in a different type

data VectUnknown : Type -> Type whereMkVect : (n : Nat) -> Vect n a -> VectUnknown a

readVect : IO (VectUnknown String)readVect =

do x <- getLineif x == ""

then return (MkVect 0 [])else do MkVect n xs <- readVect

return (MkVect (1 + n) (x :: xs))

Now we can construct a VectUnknown which contains the size. As such,we don’t need to know the size of the vector, which we can use to let thevector type check correctly.

But this approach results in a lot of boilerplate code if we need to dothis for a lot of different types.

Encapsulate Vect in a different type

data VectUnknown : Type -> Type whereMkVect : (n : Nat) -> Vect n a -> VectUnknown a

readVect : IO (VectUnknown String)readVect =

do x <- getLineif x == ""

then return (MkVect 0 [])else do MkVect n xs <- readVect

return (MkVect (1 + n) (x :: xs))

Now we can construct a VectUnknown which contains the size. As such,we don’t need to know the size of the vector, which we can use to let thevector type check correctly.

But this approach results in a lot of boilerplate code if we need to dothis for a lot of different types.

Dependent pairs

The solution of this boilerplate code are dependent pairs, which is amore expressive form of a tuple. We can let the type of the secondelement be computed from the value of the first.

For example:

anyVect : (n : Nat ** Vect n String)anyVect = (3 ** ["Rod", "Jane", "Freddy"])

On a side note, we can even omit the explicit size of the vector, as thetype system can figure it out for us:

anyVect : (n : Nat ** Vect n String)anyVect = (_ ** ["Rod", "Jane", "Freddy"])

Dependent pairs

The solution of this boilerplate code are dependent pairs, which is amore expressive form of a tuple. We can let the type of the secondelement be computed from the value of the first.

For example:

anyVect : (n : Nat ** Vect n String)anyVect = (3 ** ["Rod", "Jane", "Freddy"])

On a side note, we can even omit the explicit size of the vector, as thetype system can figure it out for us:

anyVect : (n : Nat ** Vect n String)anyVect = (_ ** ["Rod", "Jane", "Freddy"])

Dependent pair of a number and a vector

Now we can express the same without using an explicitly defined datatype.

readVect : IO (n ** Vect n String)readVect =

do x <- getLineif x == ""

then return (_ ** [])else do (_ ** xs) <- readVect

return (_ ** (x :: xs))

Using types to express properties of data

Using types to express properties of data

Dependent types can be used to express properties of data.

▶ Types can express proofs.▶ Functions in combination with proofs can be used to express

additional properties.

Proofs arise naturally from using dependent types.

Requiring proofs

We want to check if a vector has the desired length and if so return itotherwise return Nothing.

A naive implementation could look like this:

exactLength : (len : Nat ) -> (input : Vect m a)-> Maybe (Vect len a)

exactLength {m} len input = if m == len thenJust inputelse Nothing

Error:Type mismatch between Vect m a (Type of input) and Vect lena (Expected type). Specifically: Type mismatch between m andlen

Requiring proofs

We want to check if a vector has the desired length and if so return itotherwise return Nothing.

A naive implementation could look like this:

exactLength : (len : Nat ) -> (input : Vect m a)-> Maybe (Vect len a)

exactLength {m} len input = if m == len thenJust inputelse Nothing

Error:Type mismatch between Vect m a (Type of input) and Vect lena (Expected type). Specifically: Type mismatch between m andlen

Requiring proofs

Idris has no way of knowing whether m and len are equal just by lookingat the types. This becomes more apparent if we rewrite it using a casestatement:

exactLength : (len : Nat ) -> (input : Vect m a) -> Maybe (Vect len a)exactLength {m} len input = case m == len of

True => Just inputFalse => Nothing

▶ Bool does not encode information about the variables m and len inits type.

Expressing proofs

Datatypedata EqNat : (num1 : Nat) -> (num2 : Nat) -> Type where

Same : (num : Nat) -> EqNat num num

Validthe (EqNat 3 3) (Same _)

Invalidthe (EqNat 3 4) (Same _)

Type mismatch between EqNat num num (Type of Same num)and EqNat 3 4 (Expected type)Specifically: Type mismatch between 0 and 1

To express whether two things are equal you can use the built-infunction (=).

data (=) : a -> b -> Type whereRefl: x = x

▶ Where refl stands for reflexive, being able to express that a type isequal to it self.

Using equality

To replace the comparison we define the function:

checkEqNat : (num1 : Nat) -> (num2 : Nat)-> Maybe (num1 = num2)

checkEqNat Z Z = Just ReflcheckEqNat Z (S k) = NothingcheckEqNat (S k) Z = NothingcheckEqNat (S k) (S j) = case checkEqNat k j of

Nothing => NothingJust prf => Just (cong prf)

Where cong is a helper function for the inductive step:

cong : {func : a -> b} -> x = y -> func x = func y

Basic implementation

Now we can write exactLength using checkEqNat

exactLength : (len : Nat ) -> (input : Vect m a)-> Maybe (Vect len a)

exactLength {m} len input = case checkEqNat ofJust prf => Just inputNothing => Nothing

Equality is not trivial

Lets reintroduce the earlier shown append function but with a slighttwist: changing the order of m and n.

app : Vect n a -> Vect m a -> Vect (m + n) aapp Nil ys = ysapp (x :: xs) ys = x :: app xs ys

Error:Type mismatch between Vect (k+1) elem and Vect (S k) elem(Expected type).

Operations are not assumed to be associative, commutative, etc. Youneed to use rewrite rules to introduces those rules.

Equality is not trivial

Lets reintroduce the earlier shown append function but with a slighttwist: changing the order of m and n.

app : Vect n a -> Vect m a -> Vect (m + n) aapp Nil ys = ysapp (x :: xs) ys = x :: app xs ys

Error:Type mismatch between Vect (k+1) elem and Vect (S k) elem(Expected type).

Operations are not assumed to be associative, commutative, etc. Youneed to use rewrite rules to introduces those rules.

Empty type

EqualityTo express equality we use (=) and Refl.the (2+2 = 4) (Refl)

InequalityTo express inequality we use the empty type Void.qm : (2 + 2 = 4 - 1) -> Voidqm Refl impossible

Empty type

EqualityTo express equality we use (=) and Refl.the (2+2 = 4) (Refl)

InequalityTo express inequality we use the empty type Void.qm : (2 + 2 = 4 - 1) -> Voidqm Refl impossible

Definition decidabilityA property of some values is decidable if you can always saywhether the property holds or not for specific values.

Decidability vs MaybeMaybe allows you to express whether two values are the same but youcan’t say the opposite. For this you need a data type for decidability:

data Dec: (prop : Type) -> Type whereYes : (prf : prop) -> Dec propNo : (contra : prop -> Void) -> Dec prop

Definition decidabilityA property of some values is decidable if you can always saywhether the property holds or not for specific values.

Decidability vs MaybeMaybe allows you to express whether two values are the same but youcan’t say the opposite. For this you need a data type for decidability:data Dec: (prop : Type) -> Type where

Yes : (prf : prop) -> Dec propNo : (contra : prop -> Void) -> Dec prop

Expressing contracts in types

Expressing contracts in types▶ Predicates to describe contracts for function inputs and outputs▶ Example of takeVect

What do we mean for predicates?

Dependent types like EqNat and =, which you saw before, are usedentirely for describing relationships between data.

If you can construct a value for a predicate, then you know the propertydescribed by that predicate must be true.

Assumptions and contracts

Who write a function may want to make assumptions on the input.

▶ Remove an element from a vector only under the assumption thatthe element is present in the vector

▶ Search for a value in a list only under the assumption that the listis ordered

▶ Run a database query only under the assumption that the inputshave been validated

They are basically contracts between who write the function and whocall it!

How to use these predicates

Idris allows to express relationships between data in types.

So, you can be explicit about the assumptions you’re making about theinputs to a function.

The type checker will do the work of checking these assumptions whenthe function is called.

Example of takeVect

We want to make a function that, given a vector v and a natural numbern, returns the first n elements of v.

Assumption: n must be smaller or equal than the length of v

Example of takeVect

We want to make a function that, given a vector v and a natural numbern, returns the first n elements of v.

Assumption: n must be smaller or equal than the length of v

This is a simple example

By forcing the length of v to be the sum of n and some Nat m.

takeVect : (n: Nat) -> (v: Vect (n+m) a) -> Vect n atakeVect Z xs = []takeVect (S k) (x :: xs) = x :: takeVect k xs

Let’s complicate things

Express the assumption as an extra parameter of the function.

Define a (dependent) type that describes the relationship between twoNat, the first smaller or equal than the second.

data LorE : Nat -> Nat -> Type whereBase : LorE Z nStep : LorE n m -> LorE (S n) (S m)

Let’s complicate things

Express the assumption as an extra parameter of the function.

Define a (dependent) type that describes the relationship between twoNat, the first smaller or equal than the second.

data LorE : Nat -> Nat -> Type whereBase : LorE Z nStep : LorE n m -> LorE (S n) (S m)

Creating a LorE instance

data LorE : Nat -> Nat -> Type whereBase : LorE Z nStep : LorE n m -> LorE (S n) (S m)

Creating the proof that 2 is smaller or equal than 4 is possible

prf: LorE 2 4prf = Step (Step Base)

Creating a LorE instance

data LorE : Nat -> Nat -> Type whereBase : LorE Z nStep : LorE n m -> LorE (S n) (S m)

Creating the proof that 4 is smaller or equal than 2 is impossible

fake_prf: LorE 4 2fake_prf = Step (Step (Step (Step Base)))

Type mismatch betweenLorE (S n) (S m) (Type of Step _)

andLorE 1 0 (Expected type)

Embedding the proof in the type of the function

takeVect : (m: Nat) -> (v: Vect n a) -> LorE m n -> Vect m atakeVect Z v Base = []takeVect (S k) (y :: xs) (Step x) = y :: (takeVect k xs x)

Calling the function

We need to construct the proof that 3 is smaller or equal than 7 and passit as third parameter of the function

takeVect 3 [1,2,3,4,5,6,7] (Step (Step (Step Base)))

Providing proofs is painful

The need to provide proofs explicitly like this can add a lot of noise toprograms and can harm readability.

Idris provides a special kind of implicit argument, marked with thekeyword auto, to reduce this noise.

The auto keyword

takeVect_auto : (m: Nat) -> (v: Vect n a)-> {auto prf: LorE m n} -> Vect m a

takeVect_auto Z v {prf = Base} = []takeVect_auto (S k) (y :: xs) {prf = (Step x)} = y :: (takeVect_auto k xs)

Now we can call the function without providing the proof.

takeVect_auto 3 [1,2,3,4,5,6,7]

Idris will look for the proof with the same mechanism it uses forexpression search in interactive editing.

▶ Familiar syntax, since Haskell is well known.▶ Produces code with proof of properties.▶ Dependent types


▶ Still in development, there are missing or not optimized libraries.▶ Dependent types have a steep learning curve

