New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement contracts for records #169
Conversation
🎉 All dependencies have been resolved ! |
00837b0
to
9bad547
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that it will be hard to support any introspection function on the type of a record while maintaining parametricity.
It is likely that the Right Thing™ to do is simply to prevent inspecting the list of fields in a record which is sealed.
I remember, though, that the reason why we went the sealing route for arbitrary variables had to do with some pragmatic constraints, I'm not sure we want to actually enforce parametricity at all cost (valuable though it is). Maybe it was mostly about not having to pass an explicit type application when using a polymorphic function.
I do like the idea of a bit array representing the available fields. It's cheap and avoid manipulating the shape of the record.
h.insert(i.clone(), inst_var); | ||
let inst_tail = RichTerm::app( | ||
RichTerm::app( | ||
RichTerm::var("forall_tail".to_string()), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's happening here? I can't quite follow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, h
was a hashtable mapping type variables a, b, ...
in the environment to the corresponding polymorphic contracts. Said contracts are built with the appropriate information when entering a forall
, so that when encountering a type variable occurrence later, one can get the corresponding contract from h
. Now we need a second type of polymorphic contract, namely a contract for polymorphic tails { ... | a}
to be available, so it is added to this table. Rereading this it's a bit silly to build these contracts in advance just to clone them when they are needed. I should just store the polarity and the unique identifier sy
, which are enough to generate corresponding contracts when needed. Let's keep it like that in this PR: it will be taken care of in a related coming cleaning PR (which goal is to address your remark).
Yes, I'm not sure allowing the inspection of fields is that bad. One thing I didn't mention is that sealing is also a simple solution to enforce basic soundness and to reject functions like Revisiting this PR, I'm not sure it's the ideal implementation. The contract also allocates quite a bit. Let's roll with this for now, and open an issue with a clear presentation of the different solutions and trade-offs. |
7943a54
to
26a7e3c
Compare
Close #157. Partly address #158. Implement contracts for record types. Uses the same kind of "sealing" technique as for polymorphic types to preserve parametric: it forbids the inspection of a polymorphic tail.
Dynamic sealing
Dynamic sealing is the technique used to prevent a function claiming to be polymorphic in some arguments to inspect them, which would violate parametricity. For non-record types, a contract for a polymorphic type, say
forall a. a -> a -> a
conceals each argument using a special language construct,Wapped(id, term)
, that seals a term and store an identifier relative to the corresponding type variable (herea
).The same kind of mechanism is required for records. Take a polymorphic type
forall r. {foo : Num | r} -> Num
. A function of this type must not be able to access the polymorphic tailr
: for example,fun x => if hasField "bar" then 0 else x.foo
violates parametricity. As for standard polymorphism, the contract of such a function must seals the additional fields of the argument, and restores them when a value "exits" the function (is given as an argument to another function or returned).Proposed implementation
This PR proposes to put the additional fields to seal in a separate record, which is then wrapped as for non record polymorphic types, and put in a special field of the value. Concretely, take:
The contract turns the arguments to
{foo = 1; foo2 = "b"; _%wrapped = Wrapped(sym, {bar = true; baz = "a"}}
which is then handed to the function. The function removes thefoo
fields, which gives{foo2 = "b"; _%wrapped = ... }
. Then the contract checks that the resulting records has only the fieldfoo2
(ignoring_%wrapped
), extract and try to unwrap the value inside _%wrapped, and then merge it with the non polymorphic part, givingmerge {foo2 = "b"} {bar = true; baz = "a"}
which is the desired{foo2 = "b"; bar = true; baz = "a"}
. Note thatPros
Cons
_%wrapped
field is not completely hidden from the function. It will still show up in the result ofhasField
orfieldsOf
, and can be accessed via the dynamic field access operator. It won't violate parametricity though, as it is always there anyway and its content itself is protected by theWrapped
constructor. This does not concern other functions or subcontracts since the original contract will take care of sealing/unsealing a the function boundaries. It can be mitigated by making an ad hoc check inside functions handling record to make it invisible, though this loses a bit the non invasiveness of this approach.Alternatives
New construct: Add a new node to the AST,
SealedRecord(term, sealed)
. This requires to duplicate most of the code handling records to work on a sealed record. Another solution is to augment all standard records with anOption<Term>
field containing a potential sealed part. This also requires to adapt some code. Both requires to add primitive operators to construct and deconstruct such records.Map on fields: Instead of taking apart all the fields of the tail and put them in a separate record, we could just map the sealing operation on each one of them. The difference with the proposed approach is that such fields still appear in the result
hasField
orfieldsOf
. That is, a polymorphic function would be able to inspect the full structure of its argument, although not the content. I don't really know if this is a violation of parametricity: the functionhasField
has already this property itself if typed asforall r. { | r} -> Bool
.Summary
what it does
stdlib/contracts.ncl
to handle static record types, using the sealing technique described above.contract_open
function ofTypes
.what it does not