Introduction to Coinduction in Agda Part 1: Coinductive Programming

Jesper Cockx — Thu, 22 Jan 2026 00:00:00 UT

Jesper Cockx - Introduction to Coinduction in Agda Part 1: Coinductive Programming

Jesper Cockx

Introduction to Coinduction in Agda Part 1: Coinductive Programming

Posted by Jesper on January 22, 2026

This week I am staying at the welcoming University of Twente for the Dutch Winter School on Logic and Verification to teach a course on Agda. Since the overall theme of the school is cyclic structures and coinduction, I wanted to show off Agda’s capabilities in that area. However, it turns out that there is not a lot of introductory material on coinduction in Agda, and the Agda user manual on coinduction is also quite bare-bones (something that was already pointed out to me by the group of TU Delft bachelor students who did a project on coinduction in Agda last year). This is a big shame, since Agda’s approach to coinduction is quite unique and in my opinion much better than what other proof assistants have on offer (though I hear Isabelle’s support is quite good as well). So I want to rectify this situation by sharing an introductory tutorial series on coinduction in Agda here on my blog.

Perhaps some of you reading this are now thinking “coin-what?” Coinduction might sound like a scary thing involving lots of symbols and proofs (and it often is), but it is not my intention to go deep into the theoretical basis of coinduction, Rather I want to show how to use it in Agda with some practical examples. From this practical perspective, coinduction is just a principled way to program with infinite or cyclic structures such as streams and graphs in a total language like Agda. It’s not that Agda doesn’t allow you to define infinite lists, you just have to be honest about their inclusion when defining the type. And coinduction is precisely the way you can express that honesty.

I have three lectures at the winter school, so I’ll also divide this tutorial into three blog posts:

Coinductive programming (this post)
Coinductive proving
Case studies and applications

I assume you already know the basics of how to use Agda, which you can learn for example from my lecture notes on Programming and Proving in Agda. If you have any questions, corrections, or additions to this tutorial, please let me know via Zulip, the Fediverse, or good ol’ email.

Record types and copattern matching

Before I explain coinduction in Agda proper, we first need to understand the foundations that it is built upon, which are record types and copattern matching. First off, record types in Agda are just like we’d expect from other languages: a type bundling a of a number of fields into a single type. Apart from its fields, a record type can also optionally be given a constructor.

For example, we define a type of rectangles with fields for the height and the width:

record Rect : Set where
  constructor rect -- optional
  field
    height : ℕ
    width  : ℕ

To construct a value of a record type, we either use the record { ... } syntax with named fields or use the constructor directly (if we declared one):

square : ℕ → Rect
square x = record { height = x ; width = x }

square' : ℕ → Rect
square' x = rect x x

We can access the fields of a record value by using the projections Rect.height and Rect.width:

area : Rect → ℕ
area r = Rect.height r + Rect.width r

To avoid having to write the name of the record type in front of each projection, we open the record to bring projections into scope:

open Rect

perimeter : Rect → ℕ
perimeter r = 2 * height r + 2 * width r

We can also use projections in postfix notation by starting their name with a .:

rotate : Rect → Rect
rotate r = rect (r .width) (r .height)

Postfix notation is especially useful when working with nested record types since we can stack them without any parentheses. Postfix notation is also required when using the projection as a copattern in a pattern lambda (see below).

One way to think about record types is as a single-constructor data type with some syntactic sugar for the projections. However, there is a deeper and more fruitful way of looking at record types as being dual to data types. Where data types are defined by all the different ways of constructing an element, record types are defined by all the possible observations we can make of an element. To define a function that has a data type as an input, we should define it for each of the constructors of the data type (this is pattern matching). Dually, to define a function that has a record type as its output, we should define it for each of the projections of the record type. This is called copattern matching.

Concretely, to define a function by copattern matching we just define what should be the value of each of the projections applied to it. For example, below we define squash r by the values of its projections height (squash r) and width (squash r):

squash : Rect → Rect
height (squash r) = half (height r)
width  (squash r) = 2 * width r

Copattern matching can also be used together with postfix projections:

squeeze : Rect → Rect
squeeze r  .height  = 2 * (r .height)
squeeze r  .width   = half (r .width)

Finally, copattern matching can also be used in a pattern-matching lambda:

expand : Rect → Rect
expand r = λ where
  .height → 2 * r .height
  .width  → 2 * r .width

Since the lambda function itself is anonymous, there is nothing that the projection can be syntactically applied to, so the use of postfix notation in pattern lambdas is mandatory.

If the copattern notation does not yet make sense 100%, don’t worry. There’ll be many more examples once we define some coinductive record types.

Coinductive record types

The simplest example of a coinductive type is the type of streams, i.e. infinite lists of values of a given type. Concretely, in Agda we define streams as a record type that consists of a head element of type A and a tail which is another stream. Since the type Stream occurs recursively in its own definition, we have to indicate to Agda whether we want the type to only include finite values (inductive) or also infinite values (coinductive). In this case, we want to include infinite streams, since otherwise we would end up with an empty type.

module GuardedCoinduction where

  record Stream (A : Set) : Set where
    coinductive
    field
      head  : A
      tail  : Stream A
  open Stream

We use the projections to define functions on streams:

  firstTwo : Stream A → A × A
  firstTwo s = s .head , s .tail .head

  take : ℕ → Stream A → List A
  take zero    s = []
  take (suc n) s = s .head ∷ take n (s .tail)

  drop : ℕ → Stream A → Stream A
  drop zero     s  = s
  drop (suc n)  s  = drop n (s .tail)

If we have an existing stream we can use it to build new streams using the record syntax:

  _∷S_ : A → Stream A → Stream A
  x ∷S xs = record { head = x ; tail = xs }

  _++_ : List A → Stream A → Stream A
  []       ++ ys = ys
  (x ∷ xs) ++ ys = x ∷S (xs ++ ys)

However, if we try to define a new stream with a record constructor, Agda’s termination check fails:

  module BadZeroes where
    {-# NON_TERMINATING #-}
    zeroes : Stream ℕ
    zeroes = record { head = 0 ; tail = zeroes }

There is actually a good reason why Agda rejects this definition: with it, normalizing the expression zeroes will go into an infinite loop. Since Agda needs to reduce terms during type checking, this would mean that Agda’s type checker could loop forever as well, which we’d like to avoid.

To define a new stream, we have to use copatterns instead:

  zeroes : Stream ℕ
  zeroes .head = 0
  zeroes .tail = zeroes

The expression zeroes only reduces when projections are applied to it, thus there is no infinite loops created by this definition. The key point is that to compute each consecutive value in the stream zeroes, we need an additional application of tail. Hence Agda will only compute the stream for as far as we have asked for.

We generalize the definition of zeroes to repeat a given value:

  repeat : A → Stream A
  repeat x .head = x
  repeat x .tail = repeat x

Exercise. Define the lookup function on streams and prove that looking up any value in repeat x returns x:

  lookup : Stream A → ℕ → A
  lookup-repeat : (x : A) (n : ℕ) → lookup (repeat x) n ≡ x

Solution.

Going Vegan, or How I Ran All Out Of Excuses

Jesper Cockx — Sat, 03 Jan 2026 00:00:00 UT

Jesper Cockx - Going Vegan, or How I Ran All Out Of Excuses

Jesper Cockx

Going Vegan, or How I Ran All Out Of Excuses

Posted by Jesper on January 3, 2026

It’s been clear to me for a while now that our diet can have a big impact on climate change. Up until 2019, I consequently called myself a “flexitarian” and tried to avoid eating meat as long as doing so was not too inconvenient to myself or the people around me. That was until the 2019 EUTypes Summer School on Types for Programming and Verification in Ohrid (Macedonia), where the vegetarian options were truly appalling. Here I was in great admiration of the small number of brave and persistent vegetarians who bravely endured and kept improvising to find something edible. I realized that I could have a similar influence on other people, and this inspired me to take the next step and declare myself a vegetarian and stop eating meat and fish altogether.

In the years since then, I’ve been slowly gathering more reasons to avoid animal products and I’ve been slowly reducing the amount of them in my diet as a consequence. In particular, my brother and his wife were already fully vegan and they introduced me to new exciting flavors such as seitan and cashew cheese. I replaced my cow milk with oat or soy milk and stopped buying eggs. I also started to discover the joy of cooking dishes with tofu, beans, lentils, tempeh, seitan, jackfruit, and many other ingredients I’d never used before. However, even as I was trying to go fully vegan I noticed myself making many different excuses all the time:

“As long as I consume less animal products than others, I cannot be blamed.”
“I’m already vegetarian so no animals are killed for my food.”
“I just like cheese too much.”
“It would be awkward to tell my friends I’ve gone vegan.”
“It’s too hard to find restaurants with vegan options.”
“I don’t want to force my choices on my friends when they invite me for dinner.”
“I don’t know how to stay healthy on a vegan diet.”
“I forgot to send advance notice that I’d like a vegan option and now it’s either eating food with animal products or nothing.”

Writing down these excuses and doing some research, I found that on reflection none of them really held up. Either they did not provide sufficient justification, or they were just flat-out wrong. So after dragging my feet for way too long, I would like to take the start of 2026 as the opportunity to finally commit 100% to being vegan.

10 reasons for going vegan

One question that I get quite regularly and that might also be on your mind right now is: “why?” Why do I think it is so important to be vegan? It’s always a challenge to answer that question, not because I don’t have a reason but because I have too many. So let me give you my top 10 reasons for going vegan:

Animal farming is one of the biggest contributors to global warming.
It is also the main cause of deforestation and environmental collapse.
It is also the main cause of habitat loss and species extinction.
It is also the highest risk factor for the emergence of new pandemics such as Covid-19.
It also causes immense amounts of pain and suffering to billions of animals on a daily basis.
It also robs farmed animals of the right to live their lives in freedom and free from abuse and exploitation that they have as sentient beings.
Factory farms and industrial slaughterhouses are horrible places that not only exploit animals but the humans working in them and living around them too.
Plant-based products are more healthy than animal products.
It is easier to cook vegan food, as there is much lower risk of food poisoning.
There are tons of very tasty plant-based foods that I would probably never have tried otherwise.

I am not providing sources here, but many of the links at the bottom of this post do provide them. I am always happy to look them up for you on request.

To be honest, the real question should be ‘why are you not yet vegan?’ I understand that I’m speaking from a position of privilege and for some people there will be very good reasons why they can’t. Yet does that apply to you, the individual reading this? And if not, what are the objections or obstacles stopping you from going vegan? If you do some research on these, do they actually hold up or are they just excuses you tell to yourself?

At this point in writing this post, I do realize that I’m probably coming across as being terribly preachy and entitled, which I don’t particularly want. Yet at the same time, I genuinely think not transitioning to a more plant-based food system is one of the biggest mistakes that our current society is making (and yes, I do realize that’s saying a lot). Yet it’s rare for me to hear a honest and solid argument for why we are not correcting this mistake. While I don’t think this is the case, it’s possible that I’m living in a bubble and I’m wrong about all of this, so if you have some genuinely good counterarguments I would be really interested to hear them.

A few common objections and responses

To help with addressing many of the arguments that non-vegans have raised, I can highly recommend Ed Winter’s book How to Argue With a Meat Eater (and Win Every Time) that I finished reading recently. It starts with a chapter on how to communicate effectively by showing genuine curiosity and compassion, but the main bulk of the book is made up of a long list of all the different arguments that people use to argue against veganism, and a detailed and well-researched rebuttal of each of them. Despite the title, I believe it is also a very useful book for non-vegans who would like to challenge their beliefs. Below, I picked a few quotes here that I found most relevant or interesting, but the book has many, many more arguments and responses.

“Animal products taste good.”

Our sensory pleasure is not more important than the lives and experiences of the animals who are killed to satisfy our tastebuds.

“There are bad apples but animal farming isn’t like what we see in the exposés.”

Animal farming is not a case of a few bad apples acting cruelly - mistreatment and abuse is systemic.

Content warning: graphic descriptions of animal abuse

The good places to submit your papers

Jesper Cockx — Fri, 19 Dec 2025 00:00:00 UT

Jesper Cockx - The good places to submit your papers

Jesper Cockx

The good places to submit your papers

Posted by Jesper on December 19, 2025

This week, the ACM made the monumental(ly stupid) decision to replace the abstracts of papers on their Digital Library website by AI-written summaries. While this did not apply to all papers, and it was only visible to “premium members” (which includes anyone logging in from the network of a university that has an ACM subscription), it was not just annoying but actively harmful to science, as explained in much more detail in this blog post by Anil Madhavapeddy. Because of some significant backlash from the community, it was quickly decided to stop presenting the AI summaries as the default view and to add a disclaimer. Still, the fact that the people in charge at ACM decided this was a good idea in the first place should be pretty worrying to the computer science community.

Unfortunately, this is not the first time that the ACM has made some questionable decisions either. I can highly recommend reading this blog post by William Bowman if you want to understand more about the harmful decisions that have been made from a profit-seeking motive over the past few years.

So what can we do about this? Well, since the ACM is supposed to be a community of computer science researchers, it makes sense to try to argue for the ACM to adapt its policies and improve its organization so these decisions are made in a better (more democratic and less profit-seeking) way in the future. However, this approach has its limitations, as was already pointed out clearly in this Mathstodon post by Jon Sterling from 2023, which I will quote here in full:

I think it is so interesting that whenever anyone criticises ACM, someone comes out of the woodwork to say “ACM is a democracy of its membership, if you want to change it, vote or join a committee!”

We already tried that. Some of our very best researchers already serve on these committees and are doing their best to solve these problems, but there has been literally no change and no indication that changes are likely on many important issues (I recognise that some things have improved). If you are doubtful, ask yourself whether ACM is still farming out your papers’ typesetting to expensive and incompetent firms that replace your (somewhat) accessible vector-art mathematical figures with blurry screenshots in raster format…

If there were any way to resolve this through ACM’s democracy, that would have happened already. I have too much respect for the community members serving on the pertinent committees to conclude otherwise…

What is really happening is that people with legitimate complaints are being told to “feed the beast” — there is no better way to put someone out of action is to get them stuffed into a committee somewhere.

A more radical approach would be to vote with our feet and move away from ACM as the central point of organization of our community. I’m not (necessarily) calling for a full boycott, but we should at least be aware that a better way of publishing papers exist and support those alternatives by submitting papers to them and reviewing for them when we are in a position to do so. To make this process a little easier, I made a list of all the journals, conferences, and workshops that set the right example. In particular, I believe the following publishers are doing a great job at publishing open access papers in a way that is affordable (or even free) and transparent to authors and readers alike:

Besides being a publisher, Schloss Dagstuhl also runs the invaluable dblp bibliography website, which is currently looking for support. While Schloss Dagstuhl publishes papers independently, Episciences and OPA both rely heavily on arXiv (supported by Cornell, other universities and you) and HAL (supported by CNRS, Inria, and INRAE).

So without further ado, below are the good places to send your papers in the field of type theory, interactive theorem proving, and dependently typed programming. If you are in a different subfield of computer science, I encourage you to make your own list and publish it somewhere, I would be happy to link it here!

Journals

Logical Methods in Computer Science (LMCS)
- Published by Episciences
- Papers can be submitted at any time
The Journal of Functional Programming
- (Soon to be) published by Episciences (source)
- Submission is currently not possible due to the transfer from Cambridge University Press to Episciences
The Programming journal
- Independent arXiv overlay with diamond open access (no fees for readers or authors)
- Deadlines: 1 October, 1 February, and 1 June
- Accepted papers can be presented at the ‹Programming› conference

Conferences and workshops

The TYPES post-proceedings
- Published by Schloss Dagstuhl in the LIPIcs series
- Last deadline: 21 November 2025 (abstracts) / 5 December 2025 (full papers)
- Also open to papers that were not presented at the conference
The ECOOP conference
- Published by Schloss Dagstuhl in the LIPIcs series
- Next deadline: 27 November 2025 (round 1) / 12 February 2026 (round 2)
The FSCD conference
- Published by Schloss Dagstuhl in the LIPIcs series
- Next deadline: 23 January 2026 (abstracts) / 30 January 2026 (full papers)
The CSL conference
- Published by Schloss Dagstuhl in the LIPIcs series
- Last deadline: 15 July 2025 (abstracts) / 21 July 2025 (full papers)
The ITP conference
- Published by Schloss Dagstuhl in the LIPIcs series
- Next deadline: 12 February 2026 (abstracts) / 19 February 2026 (full papers)
The CALCO conference
- Published by Schloss Dagstuhl in the LIPIcs series
- Last deadline: 10 March 2025 (abstracts) / 13 March 2025 (full papers)
The MFPS conference
- Published by EpiSciences in the ENTICS series
- Next deadline: 5 March 2026
The MSFP workshop
- Published by OPA in the EPTCS series
- Last deadline: 26 April 2024 (abstract) / 30 April 2024 (full paper)
The LFMTP workshop
- Published by OPA in the EPTCS series
- Next deadline: 2 May 2026 (abstract) / 9 May 2026 (full paper)
The LSFA workshop
- Published by OPA in the EPTCS series
- Last deadline: 30 May 2025 (abstract) / 1 June 2025 (full paper)
The FROM symposium
- Published by OPA in the EPTCS series
- Last deadline: 22 June 2025

I would like to thank Meven, Jeremy, and Niels for their contributions to this list!

It was also suggested that I should add the ETAPS conferences (ESOP, FASE, FoSSaCS, and TACAS) to this list. While they are published by a large traditional publisher (Springer), they have a strong open access policy and have negotiated a reasonable rate (180€ per paper) which is fully covered by the conference registrations, so they are no direct costs for authors other than the conference registration (which is mandatory). Notably, SpringerLink does not include any “premium” features such as AI summaries. However, Niels pointed me to an interview with the CEO of Springer from January where he mentions AI as “one of his three strategic priorities”, so I take this with a large grain of salt. Personally, I would not hesitate to send a paper to one of the ETAPS conferences but I don’t think they really set an example of what publishing could be like the options I listed above.

On a personal note, curating this list was a positive way for me to deal with my frustration at AI anti-features being added to more and more services. It feels better to focus on examples of who is doing things right instead of everything that is going wrong. You might have noticed that I have not written anything on my blog here for over a year. I do still get messages from people who got something out of reading one of my older posts (especially the one on being autistic), for which I am really grateful. I hope to come back to blogging more frequently soon, and perhaps even write something about the causes of that hiatus in the next one. In the mean time, please follow me on the Fediverse for slightly more frequent updates!

Reflective journaling prompts

Jesper Cockx — Sun, 15 Sep 2024 00:00:00 UT

Jesper Cockx - Reflective journaling prompts

Jesper Cockx

Reflective journaling prompts

Posted by Jesper on September 15, 2024

This is a post about the practice of reflective journaling. I’m someone who likes to think about the world and myself and the relationship between the two, and writing down these thoughts makes them clearer and more concrete. However, sitting down in front of an empty page can be discouraging, and there is only so many times you can write about the feeling of sitting in front of an empty page before it gets really old. Journaling prompts are a great way to skip that part and get the ink flowing. So here is a list of prompts I’ve used over the past two years of (irregular) reflective journaling. You can easily find hundreds of prompts online (just search for `reflective journaling prompts’) and there’s nothing that makes these ones special, except that these are mine.

Look, it’s none of my business whether you keep a journal or not, but if you also like to journal or are open to the idea, feel free to give these a try. And if you have prompts of your own, feel free to share them with me!

What are some of the things you are curious about? How can you learn more about them?
What does courage mean to you? What is a situation where you showed real courage?
What is the thing that you most need to hear in this moment?
How is your relationship with your creativity? Would you like to be more creative? Are there any negative thoughts you have around creativity?
Think of one of the elements Air, Water, Earth or Fire. What does this element represent to you? What is there to be grateful for?
How do you feel about being in a position of power over another person? Does it feel good or bad, or both?
What objects are there around you? What is their history? What do they mean to you?
What are the things in your life you are trying to control, and are there any that you can let go of?
Don’t write anything today and don’t ask yourself any questions. Instead, just draw something silly for your own eyes only.
Are you keeping any secrets from the people close to you? Does keeping these secrets cause more suffering than spilling them would?
What are the things in your life you are unhappy about? Try telling yourself that these things are actually okay the way they are. How does that feel?
Do you have any recurring thoughts that you are trying to suppress? What would happen if you would just give them some space and listen to them?
Do you have an Inner Critic who always knows exactly what you did wrong and how everything is your fault? How is your relation with them?
Do you have an Inner Fanboy who reminds you of all the things you did well, how much you have grown, and whose lives are better because of you? How is your relation with them?
Do you have an Inner Rascal who just likes to do whatever they feel like, be crazy and play pranks on people? How is your relation with them?
Do you have an Inner Deity who quietly observes your life and watches over you, without any judgement? How is your relation with them?
Do you have an Inner Artist who lives in a world of fantasy and stories and colors and magic? How is your relation with them?
Do you have an Inner Warrior who is determined, defiant, fierce, and uncompromising? How is your relation with them?
Do you have an Inner Narrator who is continuously observing your thoughts and actions and turns them into a story? How is your relation with them?
Are you an emotional person? How do you react when you feel strong emotions? Do you push them away, or do you embrace them?
What are some things in your life that you could use help with? Are there any people in your life who you could ask for help with them?
How has your life influenced the lives of others living now and in the future, directly or indirectly?
How do you have conversations with others? Do you listen and ask questions? Do you think about what the other person needs?
What is something you worry about often? What is the worst thing that could happen if it comes to pass?
Is there an opposition between having self-compassion and wanting to grow into a stronger person, or can these two exist side by side?
When given a choice between a conflict with someone else and a conflict with your own values, which do you usually choose?
What are the things you consider yourself addicted to? What is their importance to you, and what do they allow you to get away from?
What would you do if you were free from expectations of other people and yourself?
Are there any projects where perfectionism is stopping you from continuing them? How can you take one messy and imperfect step towards finishing it?
What is intimacy to you? Why do we need it?
What is your style of leadership? In what parts of your life could you show more of it?
Are there any things from your past you keep blaming yourself for? Can you forgive yourself for them?
Do you think feeling uncertain is a good or a bad thing? Why?
Is there anything you miss about yourself when you were young? Can you find ways to bring them back into your life?
How do you deal with criticism from people close to you? Do you reject it or embrace it?
What does optimism mean to you? Is it a blind trust that things will go well, or the courage to believe that the things we do make a difference?
Is there anything about yourself that you consider abnormal? Do you view these things with shame or with pride?
Which groups, identities, or movements do you consider yourself a part of? How do they influence the way you think about yourself?
Are there aspects of your life where you feel “stuck”? Do you ever feel frustration or hopelessness about them? Is there someone who you can share these feelings with?
What are the values that you care most about, that you want to live by, and that you want to protect?
When you think about your future self, do you look at them with suspicion or with trust?
Is there anything you are currently angry or sad about? Can you recognize the source of love at the root of these feelings?
How can you tell the difference between things you really want and things that society expects of you? Is it even necessary to want anything?
What are things you enjoy talking about with others? Do you do so?
How can you make others feel safe and have trust in you? How do you give them space to think and listen?
When was the last time you used your imagination to dream of a brighter and kinder future? Did you share that dream with anyone?
Be quiet and listen. What do you hear right here and now in the present moment? What does it sound like?
What is your number one priority in life? What concrete things can you do to make sure it does not get buried beneath the daily routine?
Is it true that thoughts cannot hurt people? Or are we hurting ourselves by holding on to old thoughts about ourselves? Does the same hold for positive thoughts?
Imagine you are in a zombie apocalypse. What are the 100 things you want to do before you turn into a zombie? (This prompt brought to you by the Zom100 anime.)
What are the ways in which you take care of yourself? What are some ways you do not, but wish you would?
How can you help people who are stuck in their assumptions to rediscover their imagination?
Who is your ideal partner or best friend?
What does it mean to exist, apart from any assumptions or judgements or goals or desires?
In which ways have you grown or changed over the last month? The last year? The last ten years? Since you were a child?
Which parts of your parents and grandparents do you recognize in yourself? Is there any trauma that they were unable to heal and have passed on to you? Can you heal it in their stead?
Imagine you have the opportunity to meet a wise teacher, what questions would you ask them? Imagine someone came to you with these questions, how would you answer them?
Do you ever stop and listen to what is going on inside you? Do you accept what you hear and feel in that moment?
How often do you judge things as good or bad, happy or sad, loving or hating? Do you need to?
Imagine yourself camping out in nature. What do you see, hear, smell, feel, and taste?
Think of two opposite concepts, such as life and death, or interesting and boring, or love and hate. Are they really opposites, or can you find one in the other?
Imagine yourself 10, 20, or 30 years in the future. How have you changed? How do you look back on yourself now?
Is the opposite of love hate? Or is it ignorance, indifference, or the feeling of inevitability?
Where do you find inspiration? What can you do to become more inspired?
What stories do you tell about yourself? Where did these stories come from? Are there any stories that no longer apply and you could let go of?
Is there anything you are afraid of telling to someone close to you? What is missing for you to allow yourself to be more vulnerable?
Do you have any desires that you’d rather be rid of or you judge yourself for? What happens if you suspend that judgement for a moment and instead approach the desire with curiosity?
Do you consider yourself a humble person? What does humility mean to you? When is humility fake and when is it real?
How do you decide what is the right thing to do in any given situation? Do you follow your intuition or do you follow a moral framework?
Are there things in your life that you enjoy doing, but not so much as the things you value most? What would it take to let go of them?
How would your life be different if you did not have any plans or goals or ambitions? How would you spend your time differently?
Which person who is no longer in your life do you miss a lot? What are the things you learned from them?
What are your dreams for the future? Do your dreams make you feel empowered or overwhelmed? Are there dreams that no longer serve you?
What are the things you feel responsible for? Are they within your sphere of influence, or outside it? Where can you make a real difference?
When you are feeling down, what are the things that make you feel better again? How can you make them easier to remember at moments when you need them most?
What makes a story different from just a list of events? Why do we tell each other stories?
Think of a good friend you haven’t spoken to in a while, and write them a letter. Consider whether to send them this letter, or keep it to yourself.

On erasure annotations and agda2hs

Jesper Cockx — Tue, 30 Jul 2024 00:00:00 UT

Jesper Cockx - On erasure annotations and agda2hs

Jesper Cockx

On erasure annotations and agda2hs

Posted by Jesper on July 30, 2024

As I wrote in a previous blog post, agda2hs is a tool for producing verified and readable Haskell code by extracting it from a (lightly annotated) Agda program. In this blog post, I will dig a bit deeper into how agda2hs decides which parts of an Agda program to compile to Haskell, and which parts to drop. In the second part, I also want to dream a bit about how ornaments (or something like it) could help to reason in a principled way about some of the features of agda2hs that currently feel rather ad-hoc.

Erasure annotations in `agda2hs`

agda2hs relies heavily on erasure annotations (a.k.a. the 0 quantity from Quantitative Type Theory) to determine which parts of an Agda program should be preserved during compilation, and which parts are just “for show”, i.e. enforcing some kind of invariant that is not enforced statically on the Haskell side.

As an example, we can define a type of well-scoped syntax as follows:

data Term (@0 xs : List Name) : Set where
  TVar : (@0 x : Name) → Var x xs → Term xs
  TApp : Term xs → Term xs → Term xs
  TLam : (@0 x : Name) → Term (x ∷ xs) → Term xs

This translates to the following Haskell code:

data Term = TVar In | TApp Term Term | TLam Term

The big advantage we get out of these (erased) indices is that we can define functions that are guaranteed to respect the scope of terms by Agda’s type system, which are then translated to Haskell functions operating on this bare type of terms (which would be tricky to get right by hand). For example, a substitution function might have type

substTop : ∀ {@0 x xs} → Term xs → Term (x ∷ xs) → Term xs
substTop = ⋯

making it immediately obvious which term is substituted for which variable.

Using Agda’s erasure annotations for indicating which parts of the Agda program agda2hs should remove during its translation is nice for several reasons:

Agda ensures that we never accidentally use or pattern match on an argument that doesn’t appear in the generated Haskell code.
We can be very precise in which parts of the Agda code should (not) appear in the generated Haskell code, including for higher-order functions. For example, in the definition of if_then_else_ of agda2hs, the branches are provided erased proofs that the boolean condition is respectively True or False.
Since erasure annotations are part of the Agda type system, the information about which arguments of a type or function are erased is propagated automatically throughout the program.

Still, the fit is not perfect: agda2hs implements additional checks to ensure that not too many arguments are marked as erased. For example, the following datatype is perfectly valid Agda code

data Box (@0 a : Set) : Set where
  MkBox : a → Box a

but would translate to the following Haskell code with an out-of-scope type variable:

data Box = MkBox a

To avoid this problem, agda2hs requires that every type variable that appears in the generated Haskell code is not marked as erased.

Another subtler problem pops up if we allow erased type arguments to functions:

cast : {a b : Set} → @0 a ≡ b → a → b
cast refl x = x

which translates to the ill-typed Haskell

cast : a → b
cast x = x

The way agda2hs prevents this second example is by requiring additionally that no non-erased pattern variables are forced by pattern matching. In the example, the pattern match on refl forces the (implicit) pattern variable b to be equal to a, so the two rules together rule out this definition of cast.

These restrictions seem to do their job, but are hardly satisfactory. The root of the problem seems to be a mismatch between the intented use of erasure annotations and how agda2hs actually uses them: erasure annotations assume that the code is compiled to an untyped language and hence that all types can be safely erased, but agda2hs is compiling Agda code to a typed language. In other words, agda2hs uses erasure not to erase types, but merely to erase dependencies.

An interesting question would thus be whether we can have an alternative version of erasure annotations that do not assume by default that all types can be erased. A first step would be to change the typing rule for top-level type signatures so they cannot refer to erased things by default. But perhaps further changes are needed too. Alternatively, it would be interesting to investigate whether a different modality such as shape irrelevance would be a better fit for the purposes of agda2hs.

Erasing more than just arguments

Erasure annotations in Agda allow us to annotate arguments to functions, top-level definitions, parameters and indices to data types, arguments to constructors, and even specific constructors themselves. However, there are some things that we would like to annotate in agda2hs that go beyond the current capabilities of Agda. Let’s take a look at two examples.

Sometimes when working in a dependently typed language, we like to pair a value of some type a together with a proof of a property p of this value. Since we don’t want proofs to show up in our Haskell code, we mark it as erased:

record ∃ (a : Set) (@0 p : a → Set) : Set where
  constructor _⟨_⟩
  field
    value    : a
    @0 proof : p value
open ∃ public

For example, we could define the Var type from before as a natural number together with a proof that looking up the element of that position results in the given name:

--Var : Name → List Name → Set
Var x xs = ∃ Int λ n → xs !? n ≡ Just x

This is also known as a refinement type from systems such as Liquid Haskell, though Agda does not provide the same level of automation.

In the generated Haskell code, we would like values of this type to show up not as having type ∃ a, but simply as having type a. To make this translation type-preserving, constructor applications u ⟨ p ⟩ should be translated to u, and value x should be translated to x. We can accomplish this with a pragma marking ∃ as an unboxed record type (which is probably a bad name, suggestions for better names are welcome):

{-# COMPILE AGDA2HS ∃ unboxed #-}

The presence of unboxed types introduces an interesting prospect: we can have (potentially many) different Agda types that are all translated to the same Haskell type. But this also means that we can have functions that only manipulate the “proof part” of their input but leave the value intact. For example:

mapProof : ∀ {@0 p q : a → Set}
          → @0 (∀ {x} → p x → q x)
          → ∃ a p → ∃ a q
mapProof f (x ⟨ p ⟩) = x ⟨ f p ⟩

When compiled normally, this produces the rather boring definition mapProof x = x. What’s worse, sometimes functions like this need to do some pattern matching purely to put proofs in the right places. For example, we can attach a proof to a value nested in a Maybe as follows:

refineMaybe : ∀ {@0 p : a → Set}
            → (mx : Maybe a)
            → @0 (∀ {x} → mx ≡ Just x → p x)
            → Maybe (∃ a p)
refineMaybe Nothing f = Nothing
refineMaybe (Just x) f = Just (x ⟨ f refl ⟩)

This compiles to the rather unfortunate Haskell

refineMaybe :: Maybe a → Maybe a
refineMaybe Nothing = Nothing
refineMaybe (Just x) = Just x

To avoid having these identity functions showing up in the Haskell code, agda2hs allows you to mark a function as being “transparent”:

{-# COMPILE AGDA2HS mapProof transparent #-}
{-# COMPILE AGDA2HS refineMaybe transparent #-}

When checking a transparent function, agda2hs checks that it takes exactly one (non-erased) argument and that each clause returns this argument unchanged (after erasure). It then does not generate any Haskell code for this function, but instead replaces each application of this transparent function by its argument (and each lone appearance by id).

In my biased experience, unboxed record types and transparent functions are both very useful features of agda2hs, and we use them extensively in the implementation of Agda Core. However, they also feel like ad-hoc fixes to a deeper problem. A more fundamental solution would be to introduce a notion of ornaments to the language, and provide a mechanism to identify functions that only modify the “data-logic” of an argument but preserve the “data-structure”.

I am obviously speculating here, but I believe - at least for the purposes of agda2hs - ornaments would be at their most useful if they could also be integrated at the type level. Concretely, the type system should be aware of the structure of each type, and for each function whether it modifies the structure or just the logical parts (i.e. whether or not it is the identity function after erasing all proofs). How such a type system would work concretely, I leave as an exercise to the reader (or perhaps as a topic for a future blog post).

As always, feel free to send comments on the Agda Zulip, to @jesper@agda.club via any Fediverse portal, or email me at jesper@sikanda.be.

Functional Programming in the Netherlands

Jesper Cockx — Wed, 17 Jul 2024 00:00:00 UT

Jesper Cockx - Functional Programming in the Netherlands

Jesper Cockx

Functional Programming in the Netherlands

Posted by Jesper on July 17, 2024

Back in January of this year, I had the honor of hosting the `FP Dag’ – also known as the Dutch Functional Programming Day – here in Delft. Apart from several entertaining and thought-provoking talks, we also had a discussion around functional programming in education. During this discussion, I gathered input from the participants on four questions:

What courses about functional programming are we teaching in the Netherlands?
Which concepts are we teaching in these courses?
Which concepts should we be teaching (more)?
How could our FP education be improved?

Recently I stumbled upon my notes from that meeting and thought it would be interesting to share them, so here you go.

What FP courses are we teaching?

Here is a list of all the courses that people mentioned, plus a few more that I found afterwards. I only included courses for which I could find some evidence that they actually exist, like a course description. Universities make basic information frustratingly hard to find, so I might have missed some.

TU Delft

Concepts of Programming Languages (2nd year, using Scala)
Functional Programming (3rd year, using Haskell & Agda)
Formal Reasoning about Software (MSc, using Coq)
Advanced Functional Programming (MSc, using Haskell)

Radboud Universiteit

Logic and applications (1st year, using Coq)
Functional Programming (2nd year, using Haskell)
Type Theory and Coq (MSc, using Coq)
Program Verification with types and logic (MSc, using Coq)

University of Groningen

Functional Programming (2nd year, using Haskell)

TU Eindhoven

Functional Programming (3rd year, using Haskell)
Capita selecta Advanced Functional Programming (MSc, using Haskell)

Universiteit Twente

Functional Programming (3rd year, using Haskell)

Utrecht University

Functioneel Programmeren (2nd year, using Haskell)
Concurrency (2nd year, using Haskell)
Talen en compilers (3rd year, using Haskell)
Advanced Functional Programming (MSc, using Haskell and Agda)

Universiteit van Amsterdam

Theory of functional programming
Functional Programming (using Haskell)

Vrije Universiteit Amsterdam

Object-Oriented and Functional Programming (2nd year, using Scala)
Equational programming (3rd year, using Haskell)
Logical Verification (MSc, using Lean)

Open University

Concepten van programmeertalen (2nd year, using Haskell)
Functioneel programmeren (2nd year, using Haskell)

The main languages used seem to be Haskell and Scala, with a mix of Coq, Lean, and Agda for more verification-focused courses.

Which concepts are we teaching?

Basic FP techniques

Lambda calculus
Referential transparency / purity / immutability
Recursion
Currying and uncurrying
Higher-order functions
Static types and type inference
Parametric polymorphism
Algebraic datatypes and pattern matching
Type classes
Functors and monads
Laziness
Property-based testing (QuickCheck)

Advanced FP techniques

Datatype-generic programming
Embedded domain-specific languages
Task-oriented programming
Uniqueness types
Streaming and lazy IO
Lenses
Continuation-passing style
Array programming
Metaprogramming
Fusion

Program verification

Dependent types
Curry-Howard correspondence
Equational reasoning

Programming language theory related to functional programming

Parser combinators and generators
Homomorphisms
Folds and algebras / recursion schemes
Initial and final algebras
Lambda encodings of data
Lambda encodings of objects
Category theory
Combining static and dynamic typing

What concepts should we be teaching (more)?

Property-based testing
Generic programming
Continuation-passing style
Effect systems and free monads
Domain modeling using types
Reasoning about performance
Interacting with databases
Build systems
Concurrency
Functional reactive programming
Combining imperative and functional systems

Out of these, I’m especially interested to teach effect systems, domain modelling, concurrency, and FRP (and learn more about those topics myself!).

How could functional programming education be improved?

Easier installation of compilers and IDEs on university PCs
Better error messages
Better tools for automatic grading and feedback
Sharing curricula, lecture notes, exercises, …
Having more use cases from industry

So there you have it: a crowdsourced overview of some things we are teaching and some more things we could be teaching. I don’t have a proper conclusion, but I hope this will be interesting and useful for people studying and teaching functional programming around the world. It goes without saying that I think teaching functional programming is great and we should be doing even more of it! Speaking of which, I certainly got some inspiration for my new course on Advanced Functional Programming which I will teach for the first time in Q4 of the upcoming academic year.

If you have your own ideas or additions, let’s discuss on the Fediverse, or feel free to send me an email!

A love letter to TTRPGs

Jesper Cockx — Sun, 30 Jun 2024 00:00:00 UT

Jesper Cockx - A love letter to TTRPGs

Jesper Cockx

A love letter to TTRPGs

Posted by Jesper on June 30, 2024

While I mentioned my passion for tabletop role-playing games (TTRPGs) a few times before on this blog, I never dedicated a proper post to them. Let’s fix that!

In their essence, tabletop role-playing games are a kind of game where you and a few friends sit around a table and tell a story together. Traditionally, each player except for one embodies a single main character of the story, while one player (variously called the Game Master, Dungeon Master, Referee, Storyteller, Master of Ceremonies, or many other things) takes the role of all other characters and the world. The rules of the game help the players to create their characters and the game master to create the world.

Much of the actual game happens through a conversation between the players, describing or enacting how their characters respond to the situation they are in. The rules describe how to handle uncertain situations that can come up in the game, such as sneaking past a guard, piloting a spaceship, banishing a ghost, swinging a sword at an orc, or guessing a person’s secret feelings. However, unlike a typical board game, many things that happen in the story never require any of the game’s rules!

Why do I believe that TTRPGs are such a great and unique way to spend your time? Why would you play one, instead of - say - watching a series or going out for a beer? There are endless possible reasons, but here are my main ones:

To have an excuse to gather with friends regularly and do something fun together.
To immerse yourself in the game world and imagine how it would be to live there.
To exercise your creativity by coming up with characters, places, and stories.
To explore what it would be like to be a different person living in different circumstances.
To practice skills such as problem solving, conflict resolution, organization, and planning in a group.
To have fun exploring game mechanics, how they interact, and how to optimize them for a specific goal.
To collect new game books full of beautiful art and innovative mechanics.
To use the set of abstractions that make up a game to look at the world in a new way.

It’s hard to imagine another hobby that combines all of these aspects! In this world that sometimes feels like it’s nothing but gloom and doom, I feel there’s something special about a group of friends sitting around a table using their shared imaginations to come up with new worlds and stories.

In case you are curious or even eager to get started playing, here are a couple of games I can recommend:

Risus, a very short and simple RPG that you can get for free. It’s a universal system, which means it works for any kind of setting or story. Also, it has stick figures.
Quest, the game that you’d imagine Dungeons & Dragons to be if you never played it. You create fantasy characters, go on heroic quests, and roll a twenty-sided die. It pays a lot of attention to accessibility, so it’s perfect for first-time players and game masters.
Tales from the Loop, a game set in an alternate history ‘80 filled with strange technologies, where you play as teenagers trying to solve mysteries while dealing with the ruts of everyday life. Especially recommended for fans of the TV series ’Stranger Things’ and ‘Dark’, and ’80 vibes more generally.
Avatar Legends, the official game of Avatar: The Last Airbender and The Legend of Korra, where you play as young heroes trying to save the world while struggling with their principles and feelings. It’s unique in that the story revolves completely around the characters and their motivations rather than being made up by the game master!
Wanderhome, a peaceful game where you play as traveling animal-folk visiting different places as the seasons change. More than any of the games above, this one is pushing the definition of what a “game” even is. It is a GM-less game, so players have shared responsibility to embody other characters and the world itself. It challenges you to think about what kind of stories we tell each other, and what impact they have. It is beautiful and profound.

Of course this list heavily reflects my personal tastes, and you might enjoy something grittier such as Mörk Borg, something more futuristic such as Scum and Villainy, or something more gay such as Thirsty Sword Lesbians.

Note that I am not recommending what’s definitely the most well-known TTRPG, which is Dungeons and Dragons (D&D). One reason is that it already gets plenty of attention. But another reason is that compared to all the games above (except maybe Avatar Legends) it is just way way more complicated and time-consuming. I enjoyed playing D&D for many years, but now I have counted enough hit dice, 5-foot squares, spell slots, attribute points, and saving throws for a lifetime. I find that by having simpler rules, other games actually make more room for the parts that I enjoy the most: playing characters and telling stories. Still, there is plenty of fun to be had with it, so if a D&D group is all you can find then just go for it!

Finally, let me close this post with an open invitation to play a TTRPG together. Playing a game together with someone you haven’t played with before is always a great way to be surprised by new ideas and perspectives. I would be honored if you’d join me on an adventure! Just reach out to me in person, over email, or over on Mastodon at dice.camp.

Agda Core: The Dream and the Reality

Jesper Cockx — Sat, 11 May 2024 00:00:00 UT

Jesper Cockx - Agda Core: The Dream and the Reality

Jesper Cockx

Agda Core: The Dream and the Reality

Posted by Jesper on May 11, 2024

One important purpose of a type system (and especially a dependent type system) is to increase the trustworthiness of the objects the types are describing, whether those objects are programs or proofs. They do so by making the specification (or part of it) explicit and statically checking that the specification is implemented according to the rules. But then the question arises: how far can we trust the correctness of the type system itself? And what does it even mean for the type system to be correct, i.e. what is its specification?

With each line added to the implementation of Agda and each new bug discovered, this question becomes more and more relevant. The traditional answer to this question for most proof assistants as well as some programming languages (such as Haskell) is to define a core language that is much smaller and more trustworthy than the surface language implementation, and to translate the surface language into this core through a process called elaboration. However, this has not been the case for Agda, which instead has been defined only by its implementation. This has caused people to rightfully ask questions about what is precisely the type theory that Agda implements and how all of its features fit in to it.

This blog post is about Agda Core, a project to build a a formally specified core language for (a reasonable subset of) Agda together with a reference implementation of a type checker for it. If you have been following my work, you might know that I have been working on this project on and off for the past few years, yet the current version is still very much a work in progress. Hence, in the second part of this post, I will dive into a few examples of some of the more unexpected and interesting obstacles we encountered while trying to turn Agda Core from a dream into reality.

Agda Core: The Dream

Since Agda does not already have a core language, we have the opportunity to design one from scratch! In my previous post on the topic of core languages, I went deeper into the reasons for wanting a core language. Summarizing briefly, the main reasons are:

To reduce the trusted code base
To implement independent checkers
To enable meta-theoretic study
To decouple surface syntax from the internal language
To use as a basis for meta-programming
To use as a basis for exporting programs and proofs

From these six reasons, we can derive the main criteria our core language should satisfy:

It should have a formal specification of its static and dynamic semantics, so we can study it and implement independent checkers.
It should have a small type checker that can easily be verified to follow the specification, so we can use it as the main trusted component of a larger system.
It should support all features of the surface language, either directly or through elaboration, so that we can use it effectively for meta-programming and exporting proofs.

Apart from these three, one final goal I have is to implement everything in Agda itself. Agda is well suited for this kind of project that mixes specification and implementation. Doing everything in Agda also is an excellent stress test for Agda itself, and makes the end result more accessible to Agda users to read. Also, Agda is just a nice language.

Having set all our goals and having picked an implementation language, we can start implementing a very basic version of Agda Core! For now, we will leave out most of Agda’s interesting/crazy features and focus on the very basics: a dependently typed lambda calculus with a universe hierarchy, data types, and pattern matching. The main components we need are the following:

A definition of the syntax for expressions and declarations of data types and functions.
An executable specification of reduction.
A specification of the rules for typing and conversion.
An implementation of type checking and conversion checking that produces evidence that the output is well-typed according to the rules as specified.

The final bit here is really crucial: because we have a formal specification of the typing rules and the type checker outputs evidence of well-typedness, we do not need to worry about bugs in the type checker but only in the typing rules themselves. As the authors of the latest paper on MetaCoq say: we move from a Trusted Code Base (TCB) to a Trusted Theory Base (TTB) paradigm. This is really cool and more people should be following this paradigm. Apart from MetaCoq, the only other place where I’ve seen it is in the CakeML project.

This is a good point to talk about MetaCoq, since the comparison will inevitably come up. While some of the goals of MetaCoq and Agda Core are the same, they are really quite different in scope. Unlike MetaCoq, Agda Core is (currently) not meant to do formal proofs of metatheoretic properties such as confluence, subject reduction, strong normalization, canonicity, or consistency. Rather, the goal is to be ‘merely’ a formal specification of a possible core language together with a correct-by-construction type checker for it. The reason for this is simple: I was the only person working on Agda Core (recently I started getting help from my two PhD students) and I still want to work on other Agda-related projects, too. Meanwhile, MetaCoq is a long-term project with quite a few very smart people working on it. As you’ll see in the second half of this post, even with this somewhat smaller scope there are still plenty of interesting challenges to figure out!

The final thing we need is a way to take our type checker and actually compile and run it so we can use it for example to double-check the output of the main Agda type checker. Luckily (and in contrast to popular belief) it is possible to compile and run Agda programs. The standard way to do this would be to use Agda’s built-in GHC backend. Another option - which is the one I decided on - is to use agda2hs, an alternative backend that produces much more readable Haskell code that is guaranteed to contain no unsafeCoerces. In return, it requires you to write your Agda code in a Haskell-like style, and in particular use erasure annotations to make sure no dependent types end up in the compiled code. Erasure annotations play a similar role to Prop in Rocq: they allow you to be explicit about which parts of your Agda program are needed at runtime, and which parts are ‘just’ for ensuring correctness. In Agda Core, erasure annotations are applied liberally to scoping and typing information.

Agda Core: The Reality

When I started working on Agda Core, I had a plan very similar to the one outlined above (minus the agda2hs part, which did not yet exist). In my folly, I thought I would be able to finish a minimal bare-bones version of the whole pipeline relatively quickly. However, actually implementing Agda Core turned out to be far more challenging than I expected. One big reason for this was that I had just started in Delft, and saw my research time roughly cut in half compared to my PhD and postdoc years. While I might write more about that in another blog post, here I would like to focus on the more technical challenges: those related to the design of agda2hs as well as those caused by the infrastructure we rely on. Let us dive into some details.

Design challenge: Scoping of variables and defined symbols

In Agda’s surface syntax, there are various kinds of symbols that use the same namespace: variables, functions, datatypes, constructors, record fields, and postulates. Internally, variables are represented as de Bruijn indices, while top-level symbols are represented as globally unique names. We could certainly use the same choice for Agda Core, but as we are doing this in Agda there is also the option of defining a well-scoped syntax. In fact there are so many options that a while back I wrote a blog post to get a better understanding for myself.

After writing this blog post, I ended up writing my own library for representing scopes and related concepts based on the primitive notion of proof-relevant separation - see my TYPES ’23 abstract for some details or the source code for many more details. While I am reasonably happy with this library, this is definitely one part that took a lot of time and in hindsight a much simpler solution (e.g. simply representing scopes as lists of names) would have been good enough for a first prototype.

Design challenge: representing case trees

One of Agda’s most important and characteristic features is its support for dependent pattern matching. To add support for it to Agda Core, we need to choose which stage of the elaboration process to adopt:

The direct representation of definitions as a list of clauses is the most direct, but has very complicated typing rules and does not naturally allow for enforcing completeness. So it is not well suited for a core language.
On the other end of the spectrum are the eliminators associated to each datatype. While theoretically elegant and minimal, representing full dependent pattern matching in terms of them takes a lot of work - especially to encode the unification process - which leads to a complex elaboration and large proof terms (see my PhD thesis).
In between these two extremes, case trees are the representation used by Agda’s internal syntax. They strike a nice balance between theoretical elegance and efficiency, and are thus well suited for a core language for Agda.

Rather than creating a separate syntactic class for case trees like Agda does, Agda Core simply embeds each kind of node as a term constructor. In particular, there is a case construct representing a single pattern match. In contrast to case expressions in Rocq or Lean, these case expressions can do unification when the indices of the scrutinee are not fully general. For example, a case can pattern match on a value of type Vec A (suc n) with a single branch for the cons constructor _∷_.

Embedding case expressions into the syntax poses one problem, which is that they do not fit neatly into a bidirectional typing discipline. In particular, we can omit the type annotation of a case match (a.k.a. the “motive”) only if the scrutinee is a variable. However, “being a variable” is a property that is very much not stable under substitution, which would be rather unfortunate. At the moment, this is solved by always requiring a type annotation for each case expression. However, this is a decision I would like to come back to later to investigate further what other options there are.

One of the major flaws in the current implementation of Agda (which I also wrote about in a recent blog post) is that there is no good way to represent explicit sharing in the internal syntax of Agda, through let-bindings or otherwise. I decided to try to avoid this mistake in Agda Core and so added a let constructor to the syntax, even though it is not strictly necessary to represent the current implementation of Agda.

Little did I know that it is not enough to merely add sharing to the syntax, but that it should also be preserved during reduction (okay, maybe I should have predicted this one). Luckily there are good techniques for doing sharing-preserving reduction. In particular, I am fond of Peter Sestoft’s lazy abstract machine for striking a nice balance between simplicity and efficiency. It defines reduction on an abstract machine consisting of an environment of shared terms, a focus term currently being evaluated, and a stack of frames to continue reduction later. This is what I used as the basis for defining reduction for Agda Core.

This allows us to preserve sharing during reduction, but at some point we have to convert the abstract machine back into a regular term (unless you are okay with having these abstract machines in your typing judgement). At first I thought we could simply turn each shared term in the environment into a let-binding. However, often these shared terms are only there as intermediate results of computation and are not used in the final term. Thus my strategy resulted in lots and lots of unused let-bindings.

To make this approach practical we would need a procedure for garbage collection of unused let-bindings (and perhaps inlining of linear let-bindings). Implementing such a procedure in a well-scoped way seems like a rather challenging and time-consuming task which I have not yet attempted (though I’d like to try). So for now, converting from an abstract machine back to an expression instead relies on substitution rather than let-binding, destroying any sharing in the process.

Design challenge: dealing with non-termination

Another challenge that comes up when defining reduction and conversion is how to deal with the possibility of non-terminating terms. For reasons of modularity, we would like to define conversion separately from typing, so we don’t yet know that a term is well-typed when reducing it. Even if we did know it was well-typed, Agda Core currently does not include a termination checker (yet).

So either way, we need some way to deal with the possibility of non-termination. For declaring the conversion rules, this is straightforward: we simply ask for a proof that the reduction to weak-head normal form is terminating for a particular term.

In the implementation of the executable conversion checker we need to actually construct this evidence.

The simplest way to do this is to rely on a “fuel” argument that gives an upper bound on the number of reduction steps that will be tried. This is not very satisfactory because it means conversion checking (and hence type checking) can now fail on well-typed terms if they run out of fuel.
Another possibility would be to use a Delay monad to model potential non-termination, but Agda’s guardedness checker proved to be too restrictive (and its sized types too buggy) for this to work out.
For a while, I tried another solution that tried to compute in advance the set of terms that needed to be normalized for a given typing/conversion problem. However, this resulted essentially in running every typing and conversion check twice so I abandoned it.
In MetaCoq, they solve this instead by only calling reduction on well-typed terms and postulating strong normalization, however Agda Core currently lacks a termination check so this is not an option either.

So for a lack of better options, the type checking monad of Agda Core currently carries a global fuel value that is used for every conversion check.

Design challenge: Typed vs untyped conversion

One major difference between conversion checking in Agda and most other dependently typed languages is that it uses a typed notion of conversion. This means that Agda always keeps track of the type of two terms when comparing them (with the exception of comparing two types, for which Agda does not care about their type). As far as I know, this type information is actually used in three places:

When checking equality at a function type (and neither side of the equality is a neutral term), Agda will extend the context with a fresh variable and apply both sides of the equation to it.
When checking equality at a record type with eta-equality enabled (and neither side of the equality is a neutral term) Agda will compare the terms field-wise. For example, for a pair type it will compare the first components and the second components.
When checking equality at an definitionally irrelevant type (either the domain of an irrelevant function type, or a type in the Prop universe) Agda will regard any terms as equal.

Most of these uses of typed conversion are not really essential and could be solved instead by more syntax-directed rules (as demonstrated by Rocq and Lean). However, the one big exception is the eta unit type ⊤, which is defined as a record type with no fields. Since there are no fields, the conversion rule says that any two terms at this type are equal. This is the reason why this type is not supported in Rocq (I’m not sure about Lean), and it is the cause of quite a bit of complexity in the implementation of Agda.

Since the eta unit type is an important and unique feature of Agda, I would very much like to support it in Agda Core, too. Unfortunately, trying to making the conversion rules type-directed made them significantly more unweildy to write down as each conversion rule essentially becomes a two-sided version of the corresponding typing rule. This became too annoying so we reverted back to an untyped conversion judgement for the moment.

An alternative approach I would like to explore is to locally require a typing derivation whenever conversion uses eta-equality, which would make eta-equality much less invasive to the basic typing and conversion infrastructure. Actually it would be sufficient to require a re-typing derivation (i.e. a derivation that a term has a specific type, assuming that it is already well-typed) which could easiby be computed in the conversion checker. The main snag is that this would require the conversion judgement to maintain a local context for running the re-typing, which might not be possible without adding type annotations to lambda expressions which I was trying to avoid.

Infrastructure challenge: working with erasure annotations

Apart from the more conceptual design challenges I mentioned so far, we also encountered plenty of more technical challenges. Quite a few of these have to do with the @0 erasure annotations, which (if you remember) use to draw the line between the erasable specification of the Agda Core typing rules and the executable implementation of its type checker. Because of Agda issue #5703 the error messages when you forget an @0 are often horrendous: rather than a proper error message about a failed instantiation, you get a long list of mostly irrelevant unsolved constraints.

(As a side note, I tried to solve this issue for a while but got stuck because of an interaction between erasure and eta unit types via the occurs checker. A proper fix would require a type-directed reimplementation of the occurs checking and pruning algorithms used for solving higher-order unification problems. Alas, apart from being really tricky to do, my attempt also causes a performance regression significant enough for me to give up.)

The solution for working with erasure that I found to work is to not use @0 directly but instead define a record type Erased A with a single erased field of type A. We also found other types that are useful when working with erasure such as the type Rezz x that carries a runtime representation of the erased value x and three variants of the Σ type with different erasure annotations.

Infrastructure challenge: agda2hs woes

While I believe the choice to use agda2hs to compile Agda Core rather than Agda’s GHC backend was a sensible one, it is the first project of this size that uses agda2hs and it shows. In the process of making Agda Core compatible with agda2hs, we encountered numerous compilation bugs, missing features, and missing library functionality. The biggest limitation was perhaps the lack of support for module parameters, which we relied on heavily in Agda Core to represent the global scope of definitions and datatypes. A proper fix for all issues eventually required us to switch to a type-directed compilation (see #270 and #304). Do you start to notice a pattern?

So the bad news is that making Agda Core work with agda2hs took a lot of work to improving agda2hs. The good news is that agda2hs is now a much better and more robust tool than it was, so if you are curious I would definitely recommend trying it out!

Infrastructure challenge: awkward representations in Agda’s internal syntax

The final technical challenge I want to mention has to do with Agda’s implementation itself. As I mentioned in the first part of this post, our ultimate goal is to link up Agda Core as a backend to the implementation of Agda so it can be used to double-check the well-formedness of its output. Since Agda is implemented in Haskell and Agda Core can be translated to Haskell with agda2hs, this should be easy! Or well, possible at least.

Since this is currently the place where the most work still needs to be done, I am unsure which further technical challenges will pop up. But one challenge will definitely be to translate Agda’s internal case trees to iterated case statements in Agda Core. Agda’s case trees are optimized for efficient reduction and thus omit all typing information. For some reason they also use de Bruijn levels instead of de Bruijn indices and without even knowing the context size translating between the two is not straightforward.

The main cause of the problem here is that Agda builds a lot of typing information while type checking definitions by pattern matching but this information is not stored anywhere in the case tree. So perhaps the right thing to do is to add an intermediate typed representation of case trees to Agda’s pipeline. Such a representation could even be useful for other tools besides Agda Core, such as Agda2Dk and Agda’s own double-checker CheckInternal (which currently only handles terms but not case trees).

Conclusions

So, whew, now you have an idea of the overall goals of Agda Core as well as some of the challenges that we ran into while working on it. I am personally quite disappointed with how long it took to get to this point and how much work is still left to be done. Still, it has been a fascinating project and despite all of its shortcomings, I find Agda truly a very satisfying language to work with.

So rather than seeing all these difficulties as something negative, I would rather view them as pointing out places where there is still possibility for growth, both in the implementation of Agda and its ecosystem as well as our own knowledge and best practices of how to implement correct-by-construction type checkers. So what are we still waiting for? Let’s go and find out!

As always, comments on this blog post are welcome via Mastodon/Fediverse/ActivityPub at @jesper@agda.club, on the Agda Zulip, or via email to jesper@sikanda.be.

Oh, and the next blog post will be something short and sweet, I promise!

Ten Thinkers Who Shaped My Worldview

Jesper Cockx — Sun, 10 Mar 2024 00:00:00 UT

Jesper Cockx - Ten Thinkers Who Shaped My Worldview

Jesper Cockx

Ten Thinkers Who Shaped My Worldview

Posted by Jesper on March 10, 2024

I believe it is our responsibility as world citizens to help building a better world and to protect those who cannot easily protect themselves. However, our world has become so complex and confusing that it is often not clear how we can help. Well-intentioned action can miss their target or even have the opposite effect. Everyone is either trying to convince you that they are on the good side or accusing you of being on the bad side.

In the midst of this chaos, I take refuge in books, blog posts, and long podcasts. They do not hold all the answers either, but there are many nuggets of wisdom out there to be found. To highlight some of these nuggets, I would like to introduce you to ten of my favorite authors, bloggers, podcasters, activists, and visionaries. For each of them I also have a recommendation for a book or other piece of media for you to dive into. Some of these recommendations are works of fiction, but I promise each one of them has something important to say about our own world.

If there is one thing that connects all of these people, it is their optimism. Not optimism in the sense of “it will all be okay” (it won’t) but optimism in the sense of “it is not too late to make a difference” (it never is). Rather than just pointing out problems, they all point out solutions. So without further ado, here are ten people - in alphabetical order - whose ideas played a major role in the development of my current view on life and the world.

Ada Palmer

Recommendation. Too Like The Lightning (book 1 of the Terra Ignota series)

Those who fail to study history are doomed to repeat it. Yet by only dwelling in the past we might lose sight of how tomorrow could be different. Hence it is fitting that the first person on this list is a historian turned science fiction writer.

In particular, Ada Palmer’s Terra Ignota series is a work of political science fiction which clearly demonstrates her deep knowledge of the Renaissance, and the history of censorship in particular. While the books have flying cars and space elevators and kitchen trees growing any kind of food you want, it is not really about those things. Rather, it is about a society five centuries in our future, which feels as strange as our society would feel to someone from the 16th century. It has different norms, different taboos, a different interpretation of gender, different organizations, different politics, and different laws. And like all the best sci-fi, it gives the reader a new lens to look at our own society and question our assumptions on how these things should or even could be.

Audrey Tang

Recommendation. What we can learn from Taiwan’s experiments with how to do democracy (on the 80,000 Hours podcast)

Democracy is one of the greatest inventions of humankind, and yet it feels more fragile than ever. Are we doomed to slide back into autocracy or worse in the coming years and decades? I don’t think so, but then we will need to stop lamenting democracy’s inevitable demise and start updating it to the 21st century.

Audrey Tang is Taiwan’s minister of Digital Affairs and has big ideas on how to build a more direct, less polarized, and more digital democracy. What’s more, she has been putting these ideas into practice, through the g0v project (showing how existing government services could be improved) and the vTaiwan project (building new social media models to build consensus rather than disagreement on big political questions). Oh, and she is also the first transgender person in an executive position in Taiwanese government, and she is involved in several open-source projects, among which GHC. How could I not be a fan?

Becky Chambers

Recommendation. A Psalm for the Wild-Built (book 1 of the Monk and Robot series)

Another science fiction writer on my list? Well yes, but Becky Chambers’ sci-fi is of a different kind. She tells stories that are small, personal, philosophical, cozy, and real. Not real as in realistic, but real as in built from real people’s struggles and emotions.

In a pair of novella’s titled Monk and Robot (consisting of A Psalm for the Wild-Built and A Prayer for the Crown-Shy) she tells the story of a traveling monk who offers tea and kindness to the people they encounter, and a robot who has lived in the wilderness for a long time and has now returned with a simple question: “what do humans need?” Through this story, Becky shows us a different way we could relate to the natural world, technology, and each other. It is beautiful and thought-provoking, and I haven’t read anything else quite like it.

Brother Pháp Hữu

Recommendation. Space, Time, and the Ultimate Dimension (on the The Way Out Is In podcast)

At first, this spot on my list was reserved for Thich Nhat Hanh, the Zen master and peace activist who is often credited with “bringing mindfulness to the West”. In a sense, it still is. However, most of his lessons have not reached me directly but through one of his students.

Brother Pháp Hữu was a long-time student and attendant of Thich Nhat Hanh, and is the current abbot of the Plum Village Monastery in France. He is also the co-host of The Way Out Is In, a podcast about mindfulness, activism, self-care, leadership, community building, transforming our suffering, and finding happiness. During long conversations with journalist and leadership coach Jo Confino, they take deep questions about what it means to live as a human being and how to make a difference in the world. The answers to these questions draw upon the deep wisdom of thousands of years of Buddhist tradition, and update that wisdom to our present circumstances. Since the Plum Village tradition is one of engaged Buddhism, peace and climate activism are also regular topics on the podcast.

Cory Doctorow

Recommendation. Let the platforms burn

I first encountered Cory Doctorow through his 2008 book Little Brother, in which he tells a fictional story about a near-term future with constant surveillance, giant tech companies controlling the lives of people, and the decay of our civil rights. We now live in that world. Since then, he has written a collection of both fiction and non-fiction books on topics such as digital rights, copyright, surveillance capitalism, and climate change. You might also know him for being the one who coined the term enshittification to describe the process in which big companies inevitably evolve to mistreat their customers and business partners alike.

Computers and the internet are only small a part of our lives, but it has become so integral to many other parts. Hence I believe it is worth to fight for a free and open internet that works for us rather than the other way around. More than any other person I know, Cory Doctorow is the one who can tell us how to build it.

Jay Dragon

Recommendation. Wanderhome

Tabletop roleplaying games (TTRPGs) are one of my big hobbies and an important part of my life. If you’ve only heard about one TTRPG, it is probably Dungeons and Dragons, a game about heroic action and violent magic and exploring trapped dungeons and fighting big monsters and taking their treasure. However, there is so much more that TTRPGs can be, and nowhere is this demonstrated better than in the games designed by Jay Dragon.

Jay designs games that are playful, nonviolent, radically inclusive, and intensely emotional. Playing one of them is less like playing a board game and more like one of these elaborate games of make-believe you (or I, at least) played during the breaks at primary school. My favorite of Jay’s games is Wanderhome, a game where you play as animalfolk traveling through a beautiful pastoral country that was recently ravaged by war but is now at peace. It is a game where you tell stories about travel, meeting new people, helping each other, being vulnerable, and processing grief. Even if you have never played any TTRPG before and have no intention of playing one, it is still worth it to read through Wanderhome to absorb the vibes, enjoy the poetry, and admire the beautiful art and layout of the book. And it you ever do get the itch to play, just let me know.

Julia Galef

Recommendation. The Scout Mindset

The way we think about the world around us has large effects on how we treat that world, and how it will treat us in turn. Hence it makes sense to try to spot mistakes in our thinking and gradually come to more accurate beliefs. This is the idea at the root of the rationality community, probably best known from the Less Wrong community blog. A lot of ideas and projects - both good and bad - have arisen from this community (most notably Effective Altruism), but in a sense much of this obscures the core ideas of rationality which I believe are quite interesting and useful.

Julia Galef is one of the leaders of the rationality community who has been teaching these core ideas incessantly over years, and she has written them down in her book The Scout Mindset. In it’s essence, the book is about moving from a soldier’s mindset of “how can I best defeat my enemies” to a scout’s “how can we get the most accurate picture of reality?” The book is full of practical lessons about how you can apply the scout mindset to notice your own biases, make more accurate predictions, motivate yourself without self-deception, influence others without misleading, and escape from echo chambers. It is one of these books that I regularly think of in my daily life when I feel stuck or am faced with a difficult decision. If you ever wished that the world would just make more sense, then this book is for you.

Rob Hopkins

Recommendation. From What Is To What If

Rob Hopkins is the founder of the global Transition community, a network of grassroots organizations of people who are unhappy with how humanity is handling the current climate and ecological crises. Rather than getting angry and protest, these Transition Towns demonstrate that there are many solutions we can implement right now, if we can only imagine them. It started in 2006 with Transition Town Totnes in the UK, and there are now over 1000 groups in over 50 countries (it’s hard to find precise numbers).

In his book From What Is To What If, Rob writes about the vital importance of imagination in tackling the largest challenges of our time. After all, how can we solve a problem if we cannot even imagine how things might be different? The book vividly illustrates this role of imaginations through examples of how it made a real difference in education, healthcare, social media, politics, storytelling, and of course taking care of nature. Rob’s enthusiasm is infectious and will instantly cure you of your apathy or cynicism. Just imagine that.

Scott Alexander

Recommendations. My Presidential Platform, In Continued Defense of Effective Altruism, The Rise and Fall of Online Culture Wars, Idol Words

Scott Alexander is a psychiatrist and writes a very popular blog called Astral Codex Ten (formerly Star Slate Codex). He writes a continuous torrent of blog posts about psychology, society, politics, economics, philosophy, rationality, and effective altruism, mixed with the occasional quasi-comprehensible fictional story.

What makes his blog really special to me is Scott’s skill at nuance and careful thinking without getting pulled into easy stories on either side of a controversial topic. He consistently manages to question hidden assumptions and is never satisfied with easy answers. If there is one thing about Scott to critique is that he writes so damn much that it is really hard to keep up with all the different topics he writes about.

Thomas Piketty

Recommendation. A Brief History of Equality

Lots of ideas for a better future sound really nice and convincing, until you realize that they would never work in practice because of simple economics. So let’s talk about economics. The economy is what has more than doubled our average lifespan and increased our material standard of living beyond imagination over the past 150 years. Yet it is also the source of the increasingly large gap between the haves and the have-nots of this world. So talking about economics isn’t possible without also talking about inequality, and who better to talk about the economics of equality than Thomas Piketty?

Though many years of research, Piketty has traced the origins of wealth and inequality throughout history. He is probably most famous for his big book Capital in the 21st Century, however I found out about his ideas through the more recent and much more accessible A Brief History of Equality, as well as by reading his blog. What I admire most about Piketty is his ability to take seemingly radical ideas about how we could reshape our society and show them to be not just real options but actually the only reasonable course of action. Some of these ideas are a progressive wealth tax, paying reparations to formerly colonized countries, and a universal inheritance for every person when they turn 18. He shows us that while the economy that shapes much of our lives, it is us who shape the economy, and we have it within our reach to shape it for the better.

6 Reasons in favor of a core language, and 5 against

Jesper Cockx — Sat, 10 Feb 2024 00:00:00 UT

Jesper Cockx - 6 Reasons in favor of a core language, and 5 against

Jesper Cockx

6 Reasons in favor of a core language, and 5 against

Posted by Jesper on February 10, 2024

As a person who has worked quite a bit on Agda, I sometimes get the question why Agda does not have a proper core language. And it’s a valid question, given that most - if not all - closely related languages do have a (reasonably) well defined core language.

You might also have heard that I am working on implementing a core language for Agda - implementing it in Agda no less. The work on that is progressing slowly with fits and jumps, and I hope to tell you more about it soon. In the meantime, let’s look at some reasons why it would be a good idea to have a core language, and other reasons why it might not be such a good idea.

This post is mostly meant as an overview, not going very deep into any of the points. But I hope it’ll be useful as a reference and a starting point for further discussion.

PRO 1: It reduces the trusted code base

The first and most obvious reason why you would want a core language is known as the de Bruijn criterion: if we can separate the generation of a proof from its verification, then we only need to care about the soundness of the checker and not the rest of the system. Since a core language is typically quite small, it is much easier to trust its implementation through either manual inspection or formal analysis.

PRO 2: You can implement independent checkers

Related to the first point, even if you do not trust the result of the provided type checker for the core language, implementing an independent checker for a small core language is not a huge task: it will probably take days rather than years. One example of this is the Kontroli checker for the LambdaPi language. There are probably many other examples of independent checkers but (surprisingly?) I haven’t heard of them.

Update: Sebastian Ullrich writes:

Regarding existing external checkers, Chris Bailey has not only implemented one for Lean 4 in Rust but also written a whole book on how to do that https://ammkrn.github.io/type_checking_in_lean4/

PRO 3: You can’t do meta-theory without one

In the same line as the previous two, for the ultimate trustworthiness of your language you might want to develop its formal meta-theory either on paper or - ideally - in a proof assistant. You might prove basic properties such as confluence, type preservation (i.e. subject reduction), and progress, or tackle the big questions of logical soundness and strong normalization. Either way, you will not get very far doing this to a full-fledged surface language intended to be convenient to use, so having a core language is a must.

PRO 4: Syntactic sugar can be added without changing the backend

Moving on to the more practical benefits of a core language, it provides a nice separation between the front-end of your language (which elaborates into the core language) and the back-end (which takes the core and compiles it to something executable). In particular, you can easily add new syntactic features to the surface language, as long as they can be desugared into the existing core, all without ever touching the core or backend.

PRO 5: It serves as a basis for metaprogramming

Another practical benefit of a core language is that the AST of the core language is much simpler than that of the surface language, so it is much easier to analyze or transform code in it. This is particularly useful for user-facing features that generate or transform code, variously known as tactic languages, metaprogramming APIs, or compile-time reflection frameworks.

PRO 6: It enables easier export to other languages

As a final practical benefit of a well-defined core language, it makes exporting your programs and proofs to other languages a much more feasible task. I’m not saying it becomes trivial: proof export still requires a lot of work for aligning or encoding language constructs, typing features, and library concepts. But the progress on the EuroProofNet objectives shows that it is not impossible either!

CONTRA 1: You already have a core language

Even in a language that does not have an official core language (such as Agda), chances are that there will be something very much like a core language hiding in its implementation. In Agda’s case, that is its internal syntax - consisting among others of the Term and Defn types. It certainly doesn’t count as a full core language because it is not separated from the rest of the codebase (failing PRO 1), there is no independent checker for Defn (failing PRO 2, though there is one for Term), and I haven’t met anyone crazy enough to do meta-theory for it (failing PRO 3). Nevertheless it is still used as a target for syntactic sugar such as with-abstraction and pattern-matching lambdas (PRO 4), it is the basis of Agda’s reflection API (PRO 5), and it is used for exporting proofs to Dedukti and programs to Haskell (PRO 6). So building a true core language is more a matter of increasing trust rather than adding functionality.

CONTRA 2: Desugared code might be less efficient

While a small core language is good for increasing trust, making it too small can also mean we lose information that could help the compiler to produce more efficient code. While a sufficiently smart compiler could in theory reconstruct this information, in practice compilers are often not “sufficiently smart”. One example of this is the Equations plugin for Rocq, which compiles pattern matching definitions to primitive case statements. In this process, it bakes in a specific order of case analysis in the term and produces large terms witnessing the unification steps (or at least, it did so when I looked at it a couple of years back, it might have improved since). So if you want to output efficient code it might make sense to start from a less minimalist representation of the program.

CONTRA 3: Error messages become harder to read

Related to the previous point, if (some part of) our programs and proofs are only checked after they are translated to the core, then there is a risk that error messages will become harder to read as a result. This is not inevitable, as it is possible to carefully keep track of the origins of terms to they can be printed like the user wrote them, but that is not easy to do everywhere. In general, producing error messages for dependent type checkers that can actually be understood by someone unaware of the underlying type theory is very much an open problem, and one I would like to investigate more in the future.

Update. Jan de Muijnck-Hughes writes:

idris2 does a good job in translating core terms back into the surface language syntax. Also @d_christiansen implemented error reflection in idris1 and this allowed one to rewrite error messages for your eDSL in your surface language.

CONTRA 4: Non-sugar features become harder to add

While adding new syntactic sugar that can be desugared into the existing core language is relatively easy, a monolithic core language does make it much harder to experiment with new features that change the type theory itself. Examples of this are definitional proof irrelevance, rewrite rules, quantitative types, sized types, universe polymorphism, and of course cubical type theory. As anecdotal evidence, Agda has all of these features while Rocq only has some (definitional irrelevance and universe polymorphism), and those took much more effort to integrate. But there is also such a thing as feature bloat, so having higher friction against adding new features might actually sometimes be a good thing!

CONTRA 5: It distracts from other things

Perhaps my biggest hesitation against working towards a real core language for Agda is that it takes a lot of effort to build, especially since Agda was never really designed with a separate core in mind. This is effort that does not go towards other tasks that could end up having more impact towards the goal of actually having more (partially or fully) verified software. A few of these other tasks that might have a higher impact on the margin:

Increasing the user-friendliness and accessibility (since a core is useless if no-one is using your language).
Making the task of writing formal specifications easier (since proving something is useless if we are not proving the right thing).
Verifying the correctness of the elaboration process (since even a correct specification could be elaborated to a wrong statement in the core language).

None of these other goals invalidate the necessity of having a core language, but they do put it into perspective of the grander overall goal: to make it more likely that we mean what we say by improving our ability to say what we mean (thank you for that quote, Conor).

Conclusion

So these are the six reasons why I’m working on a core language for Agda, and five pitfalls I’m trying to be mindful of while doing so. Let me know if you agree with these reasons or not, which ones you think weigh the strongest, and if there are any others I missed! You can send comments on the Agda Zulip, to @jesper@agda.club via any Fediverse portal, or email me at jesper@sikanda.be.

Ten improvements to Agda's implementation

Jesper Cockx — Mon, 01 Jan 2024 00:00:00 UT

Jesper Cockx - Ten improvements to Agda's implementation

Jesper Cockx

Ten improvements to Agda's implementation

Posted by Jesper on January 1, 2024

Happy 2024! I have (foolishly) resolved to write one blog post per month in this new year, so expect more frequent and less polished posts in the coming year. To give myself a head start, here is the first of twelve blog posts.

To the surprise of no-one who has used Agda, there are many things that could be improved. However, it is easy to get lost in thinking about new features or bug fixes, and forget about more architectural changes that could improve the usability, maintainability, and efficiency of Agda. Hence here is a list of ten ways in which I believe the Agda language - as it currently exists - could be improved. I believe most of them would require a few weeks to a few months of dedicated developer time to implement (though as always take these estimations with a large grain of salt) and would be very worthwhile. Sadly, the days that I could just dedicate a few weeks to months to a refactoring seem to be over (though never say never), but if you are interested to work on any of these please reach out and I will help you to get started!

1. A modern API for IDE interaction

Agda’s interactive mode has always been one of its important and unique features, and still most other languages could learn a thing or two from how interactive case splitting works in Agda. However, the evolution of IDEs hasn’t stopped since and nowadays many things feel outdated (e.g. having to load a file manually) or are simply missing (e.g. automatic import management). Moreover, the way Agda’s interaction works conflicts with the LSP (which didn’t exist yet when Agda was released), making it very cumbersome to add support for Agda to more editors. An updated interaction model for Agda could make it easier to integrate Agda into more IDEs and to add new features that developers expect in 2024.

2. A hygienic and efficient reflection API

Agda’s reflection API is quite powerful and has a lot of potential for letting users implement their own tactics and interactive commands. However, it is being held back by its steep learning curve, its poor representation of variables, and its abysmal impact on performance. A more accessible and efficient implementation would open up many doors for libraries to provide more automation and convenience to their users.

3. Better diagnostics for unsolved metavariables

Many of the errors you get while writing Agda code have to do with unsolved metavariables and constraints. Currently it is a true art to track down these unsolved metavariables to the point in the code where they originated. Keeping track of the origins of metavariables and showing them to the user in a sensible format would go a long way towards giving concrete diagnostics for locating the source of these unsolved metavariables.

4. Discrimination trees and memoization for instance search

The current implementation of instance arguments in Agda uses a lookup table based on the head symbol of the return type of each instance candidate, but otherwise uses a linear search through all possible candidates. Worse, filtering out invalid candidates currently requires saving and rolling back the whole type-checking state of Agda, which is obviously not ideal for performance. A more rational implementation of instance search would use discrimination trees for narrowing down the valid instances, and use memoization of candidates during recursive instance search to avoid exponential or even non-terminating instance search.

5. Let bindings in the internal syntax

The internal syntax of Agda does not allow for representation of let-bindings or beta-redexes. This has some advantages for the parts of Agda working on the internal syntax, but comes with a heavy downside for efficiency, as all let-bindings and beta-redexes have to be inlined during elaboration to internal syntax. This destroys sharing and makes some error messages frustratingly difficult to read. A proper representation of let-bindings in the internal syntax would solve both problems.

6. A typeable internal representation of case trees

The internal representation of case trees in Agda has really annoyed me for a while, specifically how it deals with variables:

Arguments to the case tree are never explicitly introduced with a lambda or something similar, instead case trees are assumed to always take as many arguments as allowed by their type.
In contrast to the rest of Agda’s codebase, variables in a case tree are represented using de Bruijn levels instead of de Bruijn indices.
Dot patterns are counted as variables in the context, even though they are never used in the RHS.

Switching to a representation that fits better with the rest of Agda (using de Bruijn indices and explicitly introducing variables) would make it easier to double-check Agda’s internal syntax and to implement backends for typed languages.

7. Proper internal representation of `with` and `rewrite`

Left-hand side gadgets such as with and rewrite can be very useful to write Agda programs with fancy types without condemning yourself to writing excruciatingly complex helper functions. However, their current implementation is mere syntactic sugar for helper functions that Agda generates internally. That’s a sensible idea in principle but in practice it makes the feature very fragile and unpredictable. Having a proper notion of with in the internal representation of functions would make error messages easier to understand and the implementation easier to maintain.

8. Parametrized modules without lambda-lifting

The current implementation of parametrized modules in Agda uses lambda-lifting, i.e. internally module parameters are just extra arguments to each function call. When you open a module with specific parameters given, this means that those parameters are duplicated all through the internal syntax, causing slowdowns (sometimes exponentionally) and making it difficult to pretty-print terms in a way that the user recognizes. Having a proper notion of module parameters would make the implementation more efficient and easier to maintain.

(Yes, I realize that the last few improvements are basically “preserve more of the surface syntax in the internal syntax”, which has the disadvantage of increasing the size and complexity of the internal syntax. But I believe the tradeoff is worth it, as demonstrated by the many issues we’re having with the current desugarings.)

9. A clear separation between constraint solving and conversion checking

This might be surprising to those familiar with the implementation of the Rocq Prover (formerly known as Coq), but Agda has a single implementation of conversion checking and unification for constraint solving. This has the advantage of reducing code duplication, but the big disadvantage that the logic of constraint solving gets tangled up with the logic of conversion checking. This is bad because conversion checking needs to be part of the trusted core, but constraint solving doesn’t. A clearer separation between the two implementations would improve maintainability and trustworthiness of Agda.

10. Reduced reliance on MTL-style type classes

The Agda implementation makes heavy use of MTL-style type classes (it defines 43 in total, in addition to the existing ones from mtl). This gives a great degree of control over abstractions and even enables effect polymorphism which we actually use in some cases. Sadly however, GHC does not seem to be well equipped to optimize code in this style, especially across modules. At the moment we mitigate this by relying on two compiler flags (-fexpose-all-unfoldings and -fspecialise-aggressively) but this leads to slow compile times, large binaries, and does not actually solve the problem in all cases. After a few discussions with the Agda developer team, I’ve become convinced that it would be better to move away from MTL-style type classes and towards a more lightweight way of enforcing some abstraction barriers that does not impact compilation or runtime as much.

An Invitation to Mindfulness

Jesper Cockx — Sun, 24 Sep 2023 00:00:00 UT

Jesper Cockx - An Invitation to Mindfulness

Jesper Cockx

An Invitation to Mindfulness

Posted by Jesper on September 24, 2023

If you are anything like me, you often crave for a bit of peace and clarity in your busy stressful life. Perhaps you often feel distracted by hundreds of things clamoring for your attention, and find it difficult to determine what is actually important. And maybe you also occasionally wonder what you are doing in this world, and what you could do to live a more fulfilling life.

There is one thing that has helped me with all of these questions, perhaps more than all other hacks and advice I’ve read combined. You’ve heard of it already, it is called mindfulness. Yet while the word is pretty well-known, I see many people who could benefit from mindfulness but currently do not because they do not know where to start, or because they tried it and had a bad experience, or they just do not see the point.

Today I am here to tell you that for me and many others, mindfulness is indeed as good as people say, and there is no need to sit still for hours on end or to practice for many years to get its benefits. I invite you to try if it can be of use for you, too.

So what is mindfulness, really? It is many different things to many different people, which makes it difficult to define. But if I had to try, I would define mindfulness as the practice of paying close attention to your experiences, without making any judgement about them. It is not a difficult thing to do, and yet we usually go through our lives paying attention to nothing and judging everything. If you can simply stop doing that for a couple of minutes, you are practicing mindfulness.

Practicing mindfulness is not complicated: the easiest way is to sit down somewhere quiet, close your eyes, and pay close attention to your breath or any other sensation or feeling. Then just observe what happens in your body and your thoughts and your environment, without wanting to change anything about them. That’s really it, there is nothing else to it, and yet it can transform your life.

When you repeat this practice often enough, eventually you might start to notice more and subtler forms of experience. These experiences do not suddenly appear, but by practicing you become able to notice them more often. Eventually, you will notice the wrong ideas that we all have and that lie at the root of our confusion, and you will be able to transform them or dissolve them entirely.

This could be the end of this post, so if you feel like this is enough for you, you can stop reading and go practice. But if you are curious and still uncertain about what you should actually do, there are some more things that I’ve learned about mindfulness and would like to share.

Why practice mindfulness?

People practice mindfulness for all kinds of different reasons. Monks have practiced it for thousands of years for spiritual reasons, and psychologists have studied it as a tool for reducing stress and anxiety. I would personally classify the possible reasons to practice mindfulness into three categories: direct benefits, self-improvement, and curiosity.

Direct benefits:

Because it’s relaxing.
Because it feels good.
To reduce stress.
Because it makes you feel happier.
To let go of old habits.

Self-improvement:

To feel more gratitude for little things.
To become more compassionate.
To train your mind to become more focused and clearer.
To build the skill to notice your thoughts as they appear.
To become aware of your negative thought patterns and transform them into something more helpful.

Curiosity:

To discover more about how your mind works.
To gain more awareness of your needs and desires.
To investigate your implicit expectations and assumptions and put them to question.
To become more aware of your unconscious thoughts.
To become Enlightened (though I am still not sure what, if anything, this actually means).

You may have your own reasons for wanting to practice mindfulness, or you might start for one reason and discover another reason by practicing. This is all valid.

The wrong way to meditate

Some people will tell you that “there is no wrong way to do meditation” but in fact, there is. In particular, if you have a lot of anxiety, anger, or depressive thoughts, there is a risk that instead of just noticing these feelings you instead become engulfed by them. Eventually you stop noticing them entirely and you become them. If this happens, you can try to return your attention to your body and just notice how you are feeling. Another difficult but potentially rewarding option is to try integrating these negative feelings into your meditation practice. But if this does not work and the negative thoughts keep getting more intense, it is important to stop practicing and take care of yourself: go for a walk, listen to some music, take a nap, eat your favorite snack, call a friend, or do whatever else makes you feel better. There are many ways to practice mindfulness and perhaps this one was not the right one for you at this moment, that’s perfectly okay. Next time, perhaps try a guided meditation (I have a few recommendations for meditation apps at the bottom of this post) or try meditating at a different time or in a different environment. If you continue to struggle with negative thoughts triggered by mindfulness, you could also read Trauma-sensitive Mindfulness (I have not read it yet, but Matthew recommends it). In the end, it might also be the case that meditation simply isn’t the right thing for you at this point in your life, and that is okay too.

Seven common misconceptions

Apart from “there is no wrong way to meditate”, there are many other misconceptions that prevent some people from giving mindfulness a shot. Here is my attempt to rectify some of them:

The goal of mindfulness is not to stop having thoughts or feelings, but to notice that you are having them and to stop identifying with them or holding on to them.
Mindfulness is not inherently connected to religion or spirituality. It does not require any belief in the mystical or supernatural, and some of its benefits have been scientifically proven.
Mindfulness is not really about reducing stress or becoming happier, though these are a result of mindfulness for many people. In particular, even if your life is already happy and stress-free you can still find many benefits in mindfulness, such as deeper insight into your needs and goals in life.
You don’t need to practice mindfulness for long stretches at a time or regularly for many years to get its benefits. You can really just make your next breath a mindful one, and you will instantly become more relaxed.
You do not need to sit still to meditate, you can lie down or stand up or walk or move your body in any way you like, as long as you continue to pay attention to your perceptions. In fact, you can practice mindfulness at any moment of the day while doing something else. But especially at first, it is often easier to meditate when there are not too many distractions.
You do not need to focus on your breath to meditate, you can focus on other things such as the sounds around you, the feeling of your body, your visual field, a mental image of a good friend or loved one, an emotion, or your consciousness itself. Personally I had some success meditating by focusing completely on the sensations in my feet when other parts of my body were feeling sore. But focusing on the breath works well for many people, so it is recommended to try it first.
You do not need to force your breath into any particular rhythm to meditate. Stay away from any guided meditation that talks about “breathwork” or instructs you to breathe in a way that feels unnatural. If your breath is fast, just notice that it is fast. If your breath is slow, notice that it is slow. You do not need to change anything.

The Four Elements meditation

While you can be mindful without any help or guidance, following a guided meditation often makes it a bit easier to get in the right mindset. Doing it from time to time can also really help deepen your experience. So to get you started, here is a self-guided meditation that I’ve put together. I often use it during a silent meditation when I feel the need for some direction for my thoughts. It is build from five stages inspired by the four elements and the spirits. You can read all stages in advance, read each one individually after you finish the last one, or just pick a single one. It usually takes me around 15 minutes to go through all five, but your experience may vary. Also be aware that it might have the side-effect of making you think you are the Avatar, and if this happens I deny all responsibility.

Air. Take a deep breath. Notice how the air flows into your nose, fills your lungs, and raises your chest and belly. Slowly let it go. Continue following your breath for ten in- and out-breaths. Feel the oxygen reaching into every part of your lungs, and the carbondioxide flow back out through your nose. See if you can gently increase the length of your breath without forcing it. Like the air, you are empty but always present.

Water. Imagine refreshing water pouring gently on top of your head. Feel it flow down your forehead, your face, your ears, your lips, your chin. Let it flow further down along your throat and neck to your chest, down your hands and your fingertips. Down along your body to your stomach and your hips. Finally, through your legs to your knees and feet and every little toe. Like the water, you are always in motion, never the same as the moment before.

Earth. Notice the places where your body is touching your chair or the floor beneath you. Feel how the earth pulls you and holds you in place, inviting you to rest. Feel at the same time how the earth supports you and ensures you don’t fall, providing solidity and stability. Like the earth, each part of your body itself supports and holds the parts connected to it. Like the earth, you are allowed to just be without doing anything.

Fire. Feel the temperature of your body. Which places are warm, which ones are cold? Your toes, your ears, your nose, your armpits, your belly, your heart? Inside of you is a gentle warmth that is with you for as long as you are alive. It surrounds you like a soft blanket, protecting you from the cold outside. Feel how it gives you energy and movement and life. Feel how at the same time, it consumes you from the inside. Like the fire, you are constantly dying and being reborn in every moment.

Spirits. Pay attention to your thoughts themselves. Each thought is like a spirit creature: some are small and cute, others are scary or hidden away. Give each thought the time to manifest without judging it. Each thought has a reason for being there and wants the best for you, even if they are sometimes misguided. All they want is to be listened to and to be taken seriously. Embrace each of them like an old friend. Be grateful to each of them for being there for you. Like the spirits, the only thing you really need is to be listened to and to be loved.

Further resources

Finally, let me point you to some resources for the practice of mindfulness that I found helpful.

InsightTimer is a free app with a vast collection of guided meditations. There is a lot of really good content on here, but you will sometimes need to filter through some less useful stuff.
The Waking Up app is a more focused and in-depth app that uses the practice of “non-dual meditation”, also known as “no-effort meditation”. I started using it recently and found it very helpful. It is paid but you can get a 30 day trial through my referral link.
The Way Out Is In is a podcast about the practice of mindfulness featuring in-depth conversations between Brother Phap Huu, the abbot of Plum Village monastery in France, and journalist Jo Confino. Each episode also ends with a short guided meditation.
The Miracle of Mindfulness is the classic book written in 1975 by Zen master Thich Nhat Hanh, who is often credited with “bringing mindfulness to the West”. He has a large number of books on various topics, I particularly enjoyed Silence and am currently cracking my brain on Cracking the Walnut. If you are into (climate) activism, you might also enjoy Zen and the Art of Saving the Planet.
This blog post on meditation, insight, and rationality was one of the first things I read about mindfulness and explains the point of meditation from a rational perspective. While I don’t agree anymore with everything in it, it definitely helped me to get over that initial bump of confusion.

From time to time, someone will (re)discover their own way of practicing mindfulness and loudly shout that they have found the True Path to Happiness. Some of these that I’ve noticed so far: focusing, unmasking, self-love, meta-cognitive therapy, authentic relating, gratitude journaling, and immersive journaling games. If you find the framing of mindfulness as meditation not working for you, one of these might be a better fit.

As always, feel free to send any comments about this blog post to me via email or to @agdakx@types.pl.

Ten common writing issues in student papers

Jesper Cockx — Tue, 01 Aug 2023 00:00:00 UT

Jesper Cockx - Ten common writing issues in student papers

Jesper Cockx

Ten common writing issues in student papers

Posted by Jesper on August 1, 2023

Good writing is important, and it takes time to get it right. Over the last couple of months, I have been reading and giving feedback on way too many papers written by bachelor students, master students, PhD students, and people who should really know better. To help both my students and my future self, I am thus inspired to write down some of the issues that I encountered again and again. I tried to keep them short and sweet, but I might come back to this post and expand it if there is interest (just shoot me an email or a toot). Also, I included some links to other sources that I find helpful at the bottom.

Lack of context

When you write a paper you do so from a very specific context: you are at a specific university, working with a specific supervisor, working on a specific goal in mind. But if you want your paper to be read by people other than your supervisor or direct collaborators, you need to step outside of that context and think about questions that might be obvious to you. Where is this problem situated in the broader academic field? What are the questions that are considered hard or important in your sub-field? What kind of people would benefit if this problem were solved? What are commonly used techniques for working on these problems?

Lack of motivation

It’s just as important to explain why you are writing this paper as it is to describe what you did. In fact, it’s more important, as a reader who’s not convinced of the goal of the paper won’t read any further. Readers usually do not yet know about the problem you want to solve, so you do really need to explain what you want to accomplish, why this is important, why this is useful, … So motivation should be your first concern when writing the paper, and should ideally already be clear from the abstract.

Lack of focus

Your paper should have at its core a main idea for which you want to convince the reader of its importance. All other parts of your paper should be assessed through the lens of this main idea: if it does not contribute to it, then it’s often better to throw it out.

Lack of examples

Examples are always good, especially when the general case of the thing you are explaining is complex or general. They force you to be concrete and precise. Make sure that each example is as simple as it can be and does not rely on anything that is unexplained or not relevant to the thing it is an example of.

Lack of signposting

A good academic text needs to make its structure obvious. The reader should be able to navigate easily to the parts of the text that are most relevant to them. Of course some of this is accomplished by a proper structure of sections and subsections, but this on itself is not sufficient. Before jumping into the specific, you first need to explain the general thing. For example, if you have a section with three subsections identifying three different challenges, you should name the three challenges before the first subsection, and explain how they are connected.

This applies on the level of the whole paper as well as the level of an individual paragraph. When you explain a set of typing rules or some pseudocode, don’t just go through it from start to finish, but instead start from the high-level view of the overall structure and then zoom into details.

Keeping the reader in suspense

Your text is not a work of fiction so you don’t have to worry about keeping the reader in suspense. If the reader has gotten out of your paper what they need after the first two pages and stops reading, then that’s a success. So put the most important results and conclusions front and center in the introduction of your paper so readers don’t have to look for them.

Explaining all solutions that do not work before giving your solution

I understand the urge to explain all the previous attempts at solving the same problem and where they went wrong. However, this is both confusing to readers unfamiliar with the previous work (since they don’t want to learn about solutions that don’t work) and frustrating to people who do know it (since there’s nothing new for them). Instead the right place for such comparisons is in the related work section, which should come after the main technical part of the paper.

Assuming the reader already knows technical terms

If you use a technical term, then you should introduce it either by explaining what it is and/or by giving a citation to where the reader can find it. What exactly is a “technical term” is dependent on the audience but it’s good to err on the side of safety. Your text might be read by someone from a different research area, or by someone reading this in 30 years when the terminology has changed.

Assuming pictures or code blocks or inference rules are self-explanatory

Spoiler alert: they are not. Explain them in plain text.

Using imprecise or convoluted language

These are some more micro-level issues that seem inconsequential but can very much distract from the main point of the text. I recommend keeping a list of the ones that often appear in your own writing and doing a search-and-replace for them during proofreading.

Using comparatives without a point of comparison: writing that your approach is “more expressive”, “simpler”, “more secure”, … without mentioning what is the point of comparison.
Imprecise language such as “some”, “a lot”, “many”, “significantly”, “greatly”, “drastically”, “extremely”, “a number of”, “very”, “important”, “crucial”, “something like”, “things”, … Instead, be precise about what you observe and how it compares and let the reader judge for themselves.
Superfluous turns of phrase: “The reader might have noticed that…”, “We argue that…”, “Note that…”, “It is important that…”, “We say that…”, “We know that…”, “As previously mentioned…”, …
Using passive voice: “our approach was evaluated” instead of “we evaluate our approach”.
Using future or past tense where present tense would be just fine: “In this paper, we will show…” and “In this paper, we have shown…” are both needlessly wordy. “In this paper, we show” is more direct and works just fine.
Using words that serve to make the reader feel stupid: “simple”, “elementary”, “straightforward”, “basic”, “trivial”, “just”, “of course”, …
Demonstrative pronouns without a clear referent: “This is…”, “these things are…”

Other sources

Book: The Scientist’s Guide to Writing by Stephen Heard
Book: Trees, Maps, and Theorems by Jean-Luc Dumont
Video: How to write a great research paper by Simon Peyton Jones
Video: How to write papers so people can read them by Derek Dreyer
Video: How to explain things real good by Nicki Case
Web page: Writing tips by Eelco Visser
Blog post: Some Research Paper Writing Recommendations by Arie van Deursen
Blog post: My top ten presentation issues in other’s papers by Andreas Zeller

I'm Autistic, and that's okay

Jesper Cockx — Sat, 22 Apr 2023 00:00:00 UT

Jesper Cockx - I'm Autistic, and that's okay

Jesper Cockx

I'm Autistic, and that's okay

Posted by Jesper on April 22, 2023

I don’t expect this will be a surprise to people who know me, but at the same time I have never told most people. So I’m making it official now: I am Autistic (if you wonder about the capitalization of Autistic: please go read this post). I was officially diagnosed when I was around 18 years old, though even then it was not really a big surprise to me. Still, somehow I never felt like telling people about it. Recently I finished reading the book Unmasking Autism by Devon Price, which made me update my opinions on many of the concerns I used to have and made me comfortable with calling myself Autistic in public.

So why did I never tell anyone, even when I suspected they suspected? There are many reasons, which I guess are relatively common: I didn’t want to “put a label on myself”, I didn’t want to be treated differently, I didn’t want to burden the people around me, I didn’t feel like I was “autistic enough” , I was afraid to be mocked or bullied, … But the most important reason was that I didn’t want to view myself as disabled or less worthy than other people. Slowly over the years, I’ve come to the realization that this view is problematic, and it is actually okay to be Autistic (or otherwise disabled, or just different from others). Price’s book helped to dispel the left-over traces of that view in me.

As I mentioned, one of the reasons I used to have for not accepting myself as Autistic is that I didn’t feel “autistic enough” (whatever that means). However, while reading Price’s book I could recognize myself in a surprising number of feelings and behaviours. The book even mentions that thinking “oh, is that an Autistic thing too?” is itself a common Autistic experience! I used to think that being able to successfully hide some parts of my Autism (i.e. masking) meant that I was not disabled or suffering from it, but obviously being continuously exhausted from masking is itself a form of suffering.

My experience with having a wrong perception of Autism - despite being diagnosed as Autistic myself! - suggests that many people still do not have a good idea of the different ways in which people experience being Autistic. So to help other people to expand their concept of what it is like, here is a list of ten things that being Autistic means to me:

I can get completely absorbed by one of my “special interests”. My most enduring interest (apart from dependent type systems) is probably tabletop role-playing games and story games, which I like to play, collect, and analyze the rules of (according to my list, I have purchased physical books of 34 different RPGs, and digital versions of 55 more). Every now and then a new special interest comes up and causes me to spend anywhere from a few hours to a few months being completely absorbed in them.
I am constantly worrying about what is or isn’t “appropriate” in any given social context, and try to adapt to unspoken assumptions. This drains energy and often leaves me feeling exhausted.
I’ve been fidgeting with things for all my life. I’ve been bullied for it in school, reprimanded for it by my parents, and tried to suppress it when I’m afraid people will judge me for it.
I can’t count the number of times I’ve been called “sensitive”, “absent-minded”, “oblivious”, or “naive”, from when I was in primary school to today.
I often have difficulty prioritizing, making decisions, or getting a feeling of what I want to do. This leads to endless overthinking and often stops me from taking action at all.
I often find it hard to maintain a two-sided conversation, especially with people I don’t know well and/or don’t share many interests with.
I am endlessly curious and able to absorb large amounts of information and organize it in a more structured way.
In situations where I feel confident, I can be direct and even blunt in saying things that other people were being afraid to say or were having difficulty articulating.
I am often hesitant in a conversation to take initiative by asking questions or talking about things that interest me, instead biding my time and trying to mirror how other people are acting.
I keep most people in my life at a safe distance and avoid to talk about my personal feelings, out of fear people might find me too weird and distance themselves from me.

For many of these points, I have already been in the process of unmasking for a while now, so they may be less obvious to people who I’ve only got to know in recent years. This process of unmasking has been a very positive experience for me, and hence I want to encourage other people who (suspect they) are Autistic to try the same! I recommend you go read the book (here is a link to the local bookstore in The Hague where I bought it), and, if you feel comfortable, feel free to share your stories with me on Mastodon (@agdakx@types.pl or @dregntael@dice.camp) or send me a private message.

Don't worry (about writing Haskell), be happy (writing Agda instead)!

Jesper Cockx — Tue, 04 Oct 2022 00:00:00 UT

Jesper Cockx - Don't worry (about writing Haskell), be happy (writing Agda instead)!

Jesper Cockx

Don't worry (about writing Haskell), be happy (writing Agda instead)!

Posted by Jesper on October 4, 2022

As we all know, static type systems are great to ensure correctness of our programs. Sadly, in industry many people are forced to work in languages with a weak type system, such as Haskell. What should you do in such a situation? Quit your job? Give up and despair? Perhaps, but I have another suggestion that I’d like to explain in this post: use our tool agda2hs.

What is this agda2hs, I hear you asking? Agda2hs is a tool for producing verified and readable Haskell code by extracting it from a (lightly annotated) Agda program. This means you can write your code using Agda’s support for dependent types, interactive editing, and termination checking, and from this agda2hs will generate clean and simply typed Haskell code that looks like it was written by hand. Your boss will be amazed that all of your code is correct from the first try, and never even suspect that you secretly proved its correctness in Agda!

First steps: verifying list insertion

Let’s take a look at an example of how you can use agda2hs to produce provably correct Haskell code. Suppose we want to insert an element into a sorted list. That’s easy enough:

open import Haskell.Prelude

insert : {{Ord a}} → a → List a → List a
insert x [] = x ∷ []
insert x (y ∷ ys) =
  if x < y
  then x ∷ y ∷ ys
  else y ∷ insert x ys

The syntax is deliberately chosen to be very close to the corresponding Haskell syntax, except for the swapping of : and ::. I am using some definitions from the prelude that is included with agda2hs, in particular the Ord type. The double braces {{}} indicate an instance argument, which is Agda’s way of doing type classes.

To make agda2hs do its magic, there is just one more invocation needed:

{-# COMPILE AGDA2HS insert #-}

Now, calling agda2hs on this file produces the corresponding Haskell code:

insert :: Ord a => a -> [a] -> [a]
insert x [] = [x]
insert x (y : ys) = if x < y then x : (y : ys) else y : insert x ys

So far, so Haskell. But this looks awfully complicated, how can we ever know it is correct? Prove it, of course! One property that certainly needs to hold is that when we insert an element into a list, then that element should be in the resulting list.

data _∈_ (x : a) : List a → Set where
  here  : ∀ {ys}            → x ∈ (x ∷ ys)
  there : ∀ {y ys} → x ∈ ys → x ∈ (y ∷ ys)

insert-elem : ∀ {{_ : Ord a}} (x : a) (xs : List a)
            → x ∈ insert x xs
insert-elem x [] = here
insert-elem x (y ∷ ys) with x < y
... | True  = here
... | False = there (insert-elem x ys)

Of course this isn’t enough: defining insert x _ = x ∷ [] satisfies this specification. Following the ancient tradition, I leave identifying and proving the other properties of insertion as an exercise to the interested reader.

Intrinsic verification with `agda2hs`

The proof above is an example of extrinsic verification: we first write a simply-typed Haskell-like function and prove properties of it after-the-fact. Another style of proof that is sometimes easier to use is intrinsic verification: here we encode the properties directly in the type of our data, so it becomes impossible to write an incorrect function in the first place.

Avoiding the tired example of length-indexed vectors, let’s take a look instead at the type of height-indexed trees, i.e. trees that are indexed by the maximum length of the paths to their leaves. There are two ways to construct a height-indexed tree: Tip produces a tree of height 0, while Bin takes an element of type a and two subtrees, and produces a tree of height 1 + the maximum of the heights of the two subtrees.

maxNat : Nat → Nat → Nat
maxNat zero    n       = n
maxNat (suc m) zero    = suc m
maxNat (suc m) (suc n) = suc (maxNat m n)

data Tree (a : Set) : (@0 height : Nat) → Set where
  Tip : Tree a 0
  Bin : ∀ {@0 l r}
      → a → Tree a l → Tree a r → Tree a (suc (maxNat l r))
{-# COMPILE AGDA2HS Tree #-}

Since Haskell tends to get confused by terms appearing at the type level, we need some way to indicate to agda2hs that we do not want the second argument to Tree (the height : Nat) to be translated to Haskell. To do this, agda2hs makes use of the erasure annotations @0 that are built into Agda. The nice thing about these erasure annotations is that Agda will check that you never return or pattern match on an erased argument, so erasing them does not affect the computational behaviour of your program. The output is a simple Haskell implementation of binary trees:

data Tree a = Tip
            | Bin a (Tree a) (Tree a)

To implement functions on indexed datatypes, it is often needed to transport an element between two types when we know that their indices are provably equal. For this we can define the function transport (sometimes also called subst):

transport : (@0 p : @0 a → Set) {@0 m n : a}
          → @0 m ≡ n → p m → p n
transport p refl t = t
{-# COMPILE AGDA2HS transport #-}

That’s surely a lot of erasure annotations! In particular, the type operator p both needs to be erased itself, but also needs to accept erased inputs m and n so we can erase them as well. The result is that transport is compiled to a plain identity function:

transport :: p -> p
transport t = t

Now we can implement the mirror function which recursively flips the left and right subtrees at each node.

@0 max-comm : (@0 l r : Nat) → maxNat l r ≡ maxNat r l
max-comm zero    zero    = refl
max-comm zero    (suc r) = refl
max-comm (suc l) zero    = refl
max-comm (suc l) (suc r) = cong suc (max-comm l r)

mirror : ∀ {@0 h} → Tree a h → Tree a h
mirror Tip =  Tip
mirror {a = a} (Bin {l} {r} x lt rt)
  = transport (Tree a)
              (cong suc (max-comm r l))
              (Bin x (mirror rt) (mirror lt))
{-# COMPILE AGDA2HS mirror #-}

In the recursive branch of the mirror function, we need to convert a tree of type Tree a (suc (max r l)) to type Tree a (suc (max l r)). To do this, we transport by the proof of commutativity of max. We can now tell that mirror preserves the height of the tree by construction, simply from its type.

Running agda2hs on this function produces the following:

mirror :: Tree a -> Tree a
mirror Tip = Tip
mirror (Bin x lt rt) = transport (Bin x (mirror rt) (mirror lt))

While this is functional, the function transport still appears in the Haskell code! GHC is probably smart enough to inline this definition, but our boss might be able to tell that we’re not writing this code by hand.

To avoid this problem, agda2hs allows us to annotate functions as transparent if they become an identity function after erasing all @0 arguments:

{-# COMPILE AGDA2HS transport transparent #-}

With this change, agda2hs produces the code we want, and we are saved from our boss. Phew!

mirror :: Tree a -> Tree a
mirror Tip = Tip
mirror (Bin x lt rt) = Bin x (mirror rt) (mirror lt)

Making monads obey the law

At the moment of writing this blog post, agda2hs is still in its infancy, so it does not yet support all of Haskell’s main features. One especially glaring omission at the moment is the lack of support for do-notation:

headMaybe : List a → Maybe a
headMaybe [] = Nothing
headMaybe (x ∷ xs) = Just x
{-# COMPILE AGDA2HS headMaybe #-}

tailMaybe : List a → Maybe (List a)
tailMaybe [] = Nothing
tailMaybe (x ∷ xs) = Just xs
{-# COMPILE AGDA2HS tailMaybe #-}

third : List a → Maybe a
third xs = do
  ys ← tailMaybe xs
  zs ← tailMaybe ys
  z  ← headMaybe zs
  return z
{-# COMPILE AGDA2HS third #-}

While we can use do notation in Agda as shown in the example above, this is not preserved in the translation to Haskell:

headMaybe :: [a] -> Maybe a
headMaybe [] = Nothing
headMaybe (x : xs) = Just x

tailMaybe :: [a] -> Maybe [a]
tailMaybe [] = Nothing
tailMaybe (x : xs) = Just xs

third :: [a] -> Maybe a
third xs
  = tailMaybe xs >>=
      \ ys -> tailMaybe ys >>= \ zs -> headMaybe zs >>= return

Still, we can already do things that would not be possible in Haskell, e.g. prove the monad laws for each of our monads. To do this, we first declare a typeclass LawfulMonad that is parametrized by a Monad m instance and has three fields, one for each of the three monad laws:

record LawfulMonad (m : Set → Set)
                   {{iMonad : Monad m}} : Set₁ where
  field
    left-id : ∀ {a b} (x : a) (f : a → m b)
            → (return x >>= f) ≡ f x
    right-id : ∀ {a} (k : m a)
             → (k >>= return) ≡ k
    assoc : ∀ {a b c} (k : m a)
          → (f : a → m b) (g : b → m c)
          → ((k >>= f) >>= g) ≡ (k >>= (λ x → f x >>= g))
open LawfulMonad

We can then prove the monad laws for a monad by defining an instance of this class, for example for the Maybe monad:

instance
  _ : LawfulMonad Maybe
  _ = λ where
    .left-id  x        f   → refl
    .right-id Nothing      → refl
    .right-id (Just x)     → refl
    .assoc    Nothing  f g → refl
    .assoc    (Just x) f g → refl

Thanks to Agda’s built-in support for eta-equality on function types, proving the monad laws for the reader monad is especially straightforward:

instance
  _ : {r : Set} → LawfulMonad (λ a → (r → a))
  _ = λ where
    .left-id   x f   → refl
    .right-id  k     → refl
    .assoc     k f g → refl

Coinduction, sizes, and cubical, oh my!

Working with agda2hs can be quite nice since you have the full power of Agda at your disposal for writing proofs. As an example, let’s implement coinductive (infinite) streams, and prove fusion of subsequent maps on streams by using Cubical Agda! As a warning: this is very much still an experiment, so expect some rough edges. I’ve made a PR for improving compatibility between agda2hs and Cubical Agda, which should be merged soon.

First, to define coinductive types in agda2hs we need to import the Thunk type. This type is ‘transparent’ (i.e. not compiled to Haskell) but it is necessary to make Agda understand that this is really a coinductive structure, and it should do productivity checking rather than termination checking.

open import Haskell.Prim.Thunk

We can then use the Thunk type to mark constructor arguments that should be treated ‘lazily’:

data Stream (a : Set) (@0 i : Size) : Set where
  _:>_ : a → Thunk (Stream a) i → Stream a i
{-# COMPILE AGDA2HS Stream #-}

We make use of sized types to indicate the size of a stream, i.e. the depth to which the stream has been defined. This helps Agda’s productivity checker to determine that the functions for producing streams we will define below are productive. Since the size is marked as erased with @0, it does not appear in the Haskell code:

data Stream a = (:>) a (Stream a)

Defining functions that consume a stream is easy enough:

headS : Stream a ∞ → a
headS (x :> _) = x
{-# COMPILE AGDA2HS headS #-}

To force evaluation of a thunk, we use the syntax .force:

tailS : Stream a ∞ → Stream a ∞
tailS (_ :> xs) = xs .force
{-# COMPILE AGDA2HS tailS #-}

headS :: Stream a -> a
headS (x :> _) = x

tailS :: Stream a -> Stream a
tailS (_ :> xs) = xs

To define a function that produces a stream, we need to define the tail “lazily”. In Agda, that is done using the syntax λ where .force → ....

repeat : a → Stream a i
repeat x = x :> λ where .force → repeat x
{-# COMPILE AGDA2HS repeat #-}

The function is compiled as expected, and any trace of Thunk and force is gone:

repeat :: a -> Stream a
repeat x = x :> repeat x

Similarly, we define a map function on streams:

mapS  : (a → b) → Stream a i → Stream b i
mapS  f (x :> xs) =
  (f x) :> λ where .force → mapS f (xs .force)
{-# COMPILE AGDA2HS mapS #-}

mapS :: (a -> b) -> Stream a -> Stream b
mapS f (x :> xs) = f x :> mapS f xs

As an example, we can use this to implement the infinite stream of natural numbers:

nats : Stream Int i
nats = 0 :> λ where .force → mapS (λ x → 1 + x) nats
{-# COMPILE AGDA2HS nats #-}

Finally, let me make good on my promise and prove map fusion on streams by using Cubical Agda. Step one: import the PathP type and define the cubical equality type _=P_ in terms of it:

open import Agda.Primitive.Cubical using (PathP)

_=P_ : {a : Set ℓ} → (x y : a) → Set ℓ
_=P_ {a = a} = PathP (λ _ → a)

Step two: ~~draw the owl~~ prove the fusion:

mapS-fusion  : (f : a → b) (g : b → c) (s : Stream a i)
             →  mapS {i = i} g (mapS {i = i} f s)
             =P mapS {i = i} (λ x → g (f x)) s
mapS-fusion  f g (hd :> tl) i =
  (g (f hd)) :> λ where .force → mapS-fusion f g (tl .force) i

If you haven’t seen Cubical Agda being used for proving bisimilarity before, this probably looks like magic. But if it is magic, it is magic provided by Cubical Agda, not by agda2hs. The real magic is the fact that agda2hs does not even need to know anything about Cubical Agda for this proof to work!

If you want to try out agda2hs for yourself, you can get it from Github. If you are keen to see more examples and learn of the design and implementation of agda2hs, you can take a look at our recent paper at the Haskell Symposium. And if you have any comments or suggestions about this post, you can always send them to me on Mastodon or via email.

1001 Representations of Syntax with Binding

Jesper Cockx — Thu, 04 Nov 2021 00:00:00 UT

Jesper Cockx - 1001 Representations of Syntax with Binding

Jesper Cockx

1001 Representations of Syntax with Binding

Posted by Jesper on November 4, 2021

As a compiler developer or programming language researcher, one very common question is how to represent the syntax of a programming language in order to interpret, compile, analyze, optimize, and/or transform it.

One of the first lessons you learn is to not represent syntax as the literal string of characters written by the programmer, but rather convert it to an abstract syntax tree (AST). This has a number of advantages: it enforces structure on programs, makes the syntax easier to traverse and transform, erases irrelevant details (e.g. whitespace and comments), and allows for better separation of different intermediate states of the syntax.

However, syntax is in fact not a tree but a graph: names (of variables, functions, classes, modules, …) can point to potentially far-away locations in the program’s text. The way these work is that one occurrence of the name binds the name (aka the binder), and other occurrences of the same name mention the name, thus pointing to the binder.

Just as representing syntax as a string is not a good idea for most purposes, representing names as strings is usually not a good idea either. This will be clear to anyone who has ever implemented capture-avoiding substitution for lambda-terms with strings as variable names (and if you haven’t, I invite you to do so). Hence we would like to have a generic and universal way to represent the structure of binders-and-mentions, similar to how abstract syntax trees represent the structure of syntactical-constructs-and-their-components.

Unfortunately, in contrast to the case of abstract syntax, there are countless different techniques, frameworks, and meta-languages for dealing with name binding, none of which come close to be universally accepted or clearly superior to the others. For the compiler developer or PL researcher who just wants to define their syntax and move on to more interesting things, this is frustrating, to say the least. Make the wrong choice, and you are stuck with impossibly complex and buggy code for manipulating variables, or proving an endless stream of substitution lemmas, or figuring out too late that the thing you want to do is just not possible with the chosen representation of names.

In this post, I will give an overview of all the different techniques for implementing syntax with binders in Agda that I could find. With each technique, I will show how to use it in Agda to represent the syntax of (untyped) lambda calculus, and also explain briefly what the main motivation is for using it. I hope this will be useful to you for making an informed choice between these options.

Since there’s quite a few of them, I can only give a brief description of each representation in this post. If you want to learn more about any of them, you can find my full list of references on Researchr. Also, since this is a blog post and not a book, I will limit this overview to representations that can be defined and used in Agda or a similar dependently-typed functional language (e.g. Coq or Haskell), not in language features that could be added to Agda or in entire new languages built for this specific purpose. In particular, this means representations that require a (meta-)language with a built-in way to assign unique identifiers are ruled out.

Finally, in this post I will not consider the problem of name resolution, i.e. how to figure out which binder each occurrence of a name points to. Instead, I focus on how to represent and manipulate syntax where names are used correctly according to the rules of the language. You can think of this as finding a good representation of the output of name resolution, similar to how an AST is the output of parsing.

With these disclaimers in place, it is time to start with the first and possibly most ubiqitous representation: de Bruijn indices.

De Bruijn indices

De Bruijn indices are the most common nameless representation of name binding. A de Bruijn index represents a name by counting how many binders need to be skipped when traversing upwards through the AST before one reaches the name’s binding site.

Here is the definition of lambda terms using de Bruijn indices, and a representation of the term λ f. λ x. f x:

module DeBruijnSyntax where
  data Term : Set where
    var : ℕ → Term
    lam : Term → Term
    app : Term → Term → Term

  ex : Term
  ex = lam {-f-} (lam {-x-} (app (var {-f-} 1) (var {-x-} 0)))

De Bruijn syntax is used widely in the implementation and formalization of programming languages, especially with functional implementation languages. For example, Agda is implemented in Haskell and the internal syntax represents variables (but not other names) using de Bruijn indices.

The big advantage of de Bruijn syntax is that each lambda-expression has a unique representation and hence any two α-equivalent terms (e.g. λ x. x and λ y. y) are represented the same. It also leads to a more uniform and - arguably - more pleasant implementation of substitution than on syntax with strings for names. On the other hand, it is often quoted as a good “reverse Turing test” because most humans have a hard time grasping the meaning of a term and reasoning about them correctly.

A variation on de Bruijn indices are de Bruijn levels, which count the number of binders starting from the root node rather than from the occurrence of the name. This simplifies the implementation of some operations, but the assumption there exists a global ‘root node’ complicates others, so overall the choice between de Bruijn indices and levels is kind of a wash.

Locally nameless

One of the main problems with de Bruijn syntax is the absence of any actual names when constructing syntax. One possible solution is to distinguish between variables that are bound and those that are free, and note that only bound variables need to be anonymous. This leads to the class of syntax representations known as locally nameless.

module LocallyNameless where

  Name = String

  data Term : Set where
    bound : ℕ → Term
    free  : Name → Term
    lam   : Term → Term
    app   : Term → Term → Term

To mediate between bound and free variables (e.g. when going under a binder), we define operations for opening and closing a term:

  openUnder : ℕ → Name → Term → Term
  openUnder k x (bound n) =
    if does (k ℕ.≟ n) then free x else bound n
  openUnder k x (free y)  = free y
  openUnder k x (lam u)   = lam (openUnder (suc k) x u)
  openUnder k x (app u v) =
    app (openUnder k x u) (openUnder k x v)

  openT = openUnder 0

  closeUnder : ℕ → Name → Term → Term
  closeUnder k x (bound n) = bound n
  closeUnder k x (free y)  =
    if does (x String.≟ y) then bound k else free y
  closeUnder k x (lam u)   = lam (closeUnder (suc k) x u)
  closeUnder k x (app u v) =
    app (closeUnder k x u) (closeUnder k x v)

  closeT = closeUnder 0

Using closeT, we can write down variables as strings but convert them to de Bruijn indices on the fly:

  ex = lam (closeT "f" (
         lam (closeT "x" (
           app (free "f") (free "x")
         ))
       ))

  _ : ex ≡ lam (lam (app (bound 1) (bound 0)))
  _ = refl

There are many possible variants of the locally nameless style, where either the representation of either free or bound variables differs. For example, representing both free and bound variables as names (from two distinct types) leads to the locally named representation, which was actually introduced first. In the other direction, instead of representing free variables as strings one could instead represent them as de Bruijn levels, which results in an interesting combination of de Bruijn indices and de Bruijn levels.

Locally nameless syntax representations have been successfully used for doing formal metatheory in Coq, including the formalization of PCUIC for the MetaCoq project. However, using it successfully requires a lot of boilerplate for dealing with opening and closing of terms, which might be prohibiting unless the boilerplate can be generated automatically. Repeated opening and closing of terms might also introduce a performance bottleneck when this approach is used for a practical implementation and not just doing metatheory.

Nominal signatures

Next to the broad family of nameless representations based on de Bruijn’s representation, a wholly different way to think about names is by relying on nominal techniques. Very briefly speaking, this means we rely on the presence of one or more abstract sorts of atoms (i.e. names) together with an operation for swapping two atoms in a term and a predicate expressing freshness of an atom with respect to a term. On top of these, one can define a sort constructor for abstracting over a single atom/name (I am deliberately using the word ‘sort’ instead of ‘type’ since these are not regular Agda types). We can then use name abstraction directly to write down a signature of our syntax and its induction principle.

While nominal techniques provide a general approach to define and reason about syntax with binders, I actually hesitate to include it here because it seems to require special language support to use effectively, which Agda does not have. However, we can work around that problem by defining a record type that specifies an abstract interface for working with atoms and (nominal) sorts (here I simplify it to a single sort of atoms):

module Nominal where
  record Nominal : Set₂ where
    field
      Sort  : Set₁
      Atom  : Sort
      1ᵉ    : Sort
      _×ᵉ_  : Sort → Sort → Sort
      _→ᵉ_  : Sort → Sort → Set
      absᵉ  : Sort → Sort
      -- lots of axioms omitted
  open Nominal {{...}}

The interface first declares a type Sort of sorts, and a particular sort Atom of atoms. It also contains fields for the analogues of regular Agda type constructors on sorts, such as pairs, functions, and predicates. We then declare that for each sort A, we have another sort absᵉ A of elements of A abstracted over a single (unknown) name. Finally, although I didn’t write them here, if you would actually want to use this you would also need lots of other fields with axioms to specify freshness, as well as how to instantiate an element of absᵉ A with a fresh variable.

Once we have declared this abstract interface, we can use it to declare our syntax. Since Agda does not allow defining datatypes in an abstract type such as Sort, we once again resort to an abstract interface for declaring the syntax.

  module _ {{_ : Nominal}} where
    record Syntax : Set₁ where
      field
        Term : Sort
        var  : Atom →ᵉ Term
        app  : (Term ×ᵉ Term) →ᵉ Term
        lam  : (absᵉ Term) →ᵉ Term
        -- induction principle omitted

Since these interfaces are abstract, an important question is whether it is actually possible to implement them - otherwise they’d be pretty useless. The traditional way to do this relies on the presence of nominal sets - sets with built-in operations for swapping and freshness - for which I am not sure how easy they are to define in Agda. Luckily, we don’t have to, as there is an easier way to implement the Nominal and Syntax interfaces in terms of the “Namely, Painless” approach by Nicolas Pouillard (see the section on it further down below).

Higher-order abstract syntax

Instead of trying to find a good encoding of variables for our syntax, it is tempting to instead try to re-use the existing variable binding capabilities of our meta-language (Agda). This third approach (after nameless and nominal techniques) is known as higher-order abstract syntax. A naive attempt at using this in Agda goes as follows:

module ‶HOAS″ where
  {-# NO_POSITIVITY_CHECK #-}
  data Term : Set where
    lam : (Term → Term) → Term
    app : Term → Term → Term

  ex : Term
  ex = lam (λ f → lam (λ x → app f x))

There is no explicit case for variables in the syntax, instead variables are meta-level variables of type Term. The scoping discipline of the meta-language thus enforces that variables cannot be used outside of their scope, i.e. terms are well-scoped by construction. In addition, we get the nice property of de Bruijn syntax that any two α-equivalent terms are equal. Moreover, substitution can be implemented simply by function application on the meta-level.

But (and this is a very big but) this approach does not actually work. First of all, this type of terms is not strictly positive (as indicated by the big NO_POSITIVITY_CHECK pragma on top) and can in fact easily be exploited to define a non-normalizing term, thus breaking Agda’s termination guarantees. Another huge problem is that it is not possible to match on a term to see if it is a variable, so many algorithms on the syntax (such as checking syntactic equality) are simply impossible to implement. In addition, this representation allows defining so-called ‘exotic terms’ that pattern match on the syntactic structure of a variable, which should not be possible in the syntax of our language:

  exotic : Term
  exotic = lam (λ x → case x of λ where
                        (lam _)   → x
                        (app _ _) → lam (λ y → y))

Because of all these problems, most people would not consider this type to be ‘real’ HOAS, and instead reserve the term for languages that actually support a weak function space, such as Twelf, Beluga, or Dedukti.

A variant of HOAS that can be used effectively in a language without a weak function space is parametric higher-order abstract syntax (PHOAS). Instead of representing variables directly as meta-level variables of type Term, they are instead encoded as elements of an abstract type V, and there is an explicit constructor var for variables:

module PHOAS where
  data Term (V : Set) : Set where
    var : V → Term V
    lam : (V → Term V) → Term V
    app : Term V → Term V → Term V

  ex : ∀ {V} → Term V
  ex = lam (λ f → lam (λ x → app (var f) (var x)))

This type does not suffer from issues with positivity, it is possible to check whether a term is a variable, and exotic terms are ruled out since there is no way to pattern match on an element of the abstract type parameter V. Yet it preserves the good property that terms are well-scoped by construction and that α-equivalent terms are equal.

Still, just from the fact that it is a higher-order representation, PHOAS can be challenging to use in practice. In particular, defining simple operations involves coming up with clever ways to instantiate the parameter V; for example pretty-printing a term can be done by instantiating V to be String:

  pp : ℕ → Term String → String
  pp fresh (var x)    = x
  pp fresh (lam f)    =
    let name = "x" ++ ℕ.show fresh
    in  "λ " ++ name ++ ". " ++ pp (suc fresh) (f name)
  pp fresh (app u v)  = case u of λ where
    (var x) → x ++ " " ++ pp fresh v
    _       → "(" ++ pp fresh u ++ ") " ++ pp fresh v

  _ : pp 0 ex ≡ "λ x0. λ x1. x0 x1"
  _ = refl

Other algorithms might require functional extensionality or parametricity results to reason correctly about the behaviour of the syntax. Altogether, it seems to me these reasons imply PHOAS is less well suited for implementing actual algorithms on syntax, as opposed to purely doing metatheory (for which it was originally introduced).

Well-scoped de Bruijn indices

If all we want from PHOAS is the fact that terms are well-scoped by construction, there is actually a much easier way to obtain that guarantee with de Bruijn indices: we can simply index the type by the number n of variables that are in scope, and require that indices are elements of Fin n. This is known as well-scoped de Bruijn syntax.

module WellScopedDB where
  data Term (n : ℕ) : Set where
    var : Fin n → Term n
    lam : Term (1 + n) → Term n
    app : Term n → Term n → Term n

  ex : Term 0
  ex = lam {-f-} (
         lam {-x-} (
           app (var {-f-} (suc zero))
               (var {-x-} zero)
         )
       )

One could criticize this for relying on dependent types in the meta-language. However, we can obtain a variant of well-typed de Bruijn syntax that does not require the use of dependent types by indexing directly by the set of variables in scope:

module PoorMansWellScoped where
  data Term (V : Set) : Set where
    var : V → Term V
    lam : Term (Maybe V) → Term V
    app : Term V → Term V → Term V

  ex : Term ⊥
  ex = lam {-f-} (
         lam {-x-} (
           app (var {-f-} (just nothing))
               (var {-x-} nothing)
         )
       )

This provides the same guarantees as well-scoped de Bruijn syntax, but can be implemented in Haskell ’98. However, elements of nested Maybe types are a bit harder to manipulate than elements of type Fin, and may lead to worse performance if Fins end up being represented as machine integers. Also, you should just use a proper language that supports dependent types instead.

A more serious criticism I have against this representation is that while this representation makes it harder to write wrong transformations on syntax that mess up the variables, it does not really do anything to make good de Bruijn terms easier to produce or understand for humans. For example, a term of type Term 2 with two variables x and y in scope does not indicate whether x is var 0 and y is var 1 or vice versa.

Still, well-scoped de Bruijn syntax is used quite often in practice, for example in the generic-syntax library for Agda. In fact, this library goes beyond the subject of this blog post in many ways, by providing a generic universe of syntaxes with generic operations defined over them and by enforcing not just well-scopedness but also well-typedness. While these features are orthogonal to the topic of this blog post, I strongly encourage you to take a look at it.

Well-scoped names

One criticism we had of de Bruijn syntax is the fact that it is very hard to understand by humans, and this problem is not really solved by switching to the well-scoped variant. We can solve this problem by - instead of indexing by just the number of variables in scope - indexing by the scope itself, represented as a list of names. Variables then contain two pieces of data: a name and a proof that the name is in scope.

module WellScopedNames where
  open import Data.List.Membership.Propositional using (_∈_)
  open import Data.List.Relation.Unary.Any using (here; there)

  Scope = List String

  data Term (s : Scope) : Set where
    var : (x : String) → x ∈ s → Term s
    lam : (x : String) → Term (x ∷ s) → Term s
    app : Term s → Term s → Term s

  ex : Term []
  ex = lam "f" (
         lam "x" (
           app (var "f" (there (here refl)))
               (var "x" (here refl))
         )
       )

The result we get is a combination of named variables with well-scoped de Bruijn syntax. While the membership proofs are cumbersome to write by hand, it wouldn’t take much effort to implement a macro that constructs them automatically.

While there is no fundamental difference in the guarantees offered by this representation and well-scoped de Bruijn syntax, having the names around is more intuitive for the programmer and can help to avoid errors when changing the order of variables in scope. However, having the names around also means we lose one advantage of de Bruijn syntax: two α-equivalent terms can now be distinguished by looking at the names of the variables.

One other thing one should keep in mind when using this representation is that it allows referring to shadowed names. For example, it is perfectly fine to name both variables x in the previous example:

  ex' : Term []
  ex' = lam "x" (
          lam "x" (
            app (var "x" (there (here refl)))
                (var "x" (here refl))
          )
        )

The reason for this is that the membership proof x ∈ s is proof-relevant: it consists of a path to the position where the variable is bound in the scope. While this can be considered as either a feature or a bug, it does mean one has to be careful with pretty-printing, since a naive approach would print the above term as λ x. λ x. x x, which is not correct. If desired, we could instead use a more sophisticated representations of scopes that enforces freshness as an inductive-recursive type:

module WellScopedFresh where

  data FreshList (A : Set) : Set
  _#_ : {A : Set} → A → FreshList A → Set

  data FreshList A where
    []    : FreshList A
    _∷_<_> : (x : A) (xs : FreshList A) → x # xs → FreshList A

  x # [] = ⊤
  x # (y ∷ xs < _ >) = x ≢ y × (x # xs)

  data _∈_ {A : Set} (x : A) : FreshList A → Set where
    here  : ∀ {xs p} → x ∈ (x ∷ xs < p >)
    there : ∀ {y xs p} → x ∈ xs → x ∈ (y ∷ xs < p >)

  Scope = FreshList String

  data Term (s : Scope) : Set where
    var : (x : String) → x ∈ s → Term s
    lam : (x : String) (p : x # s)
        → Term (x ∷ s < p >) → Term s
    app : Term s → Term s → Term s

  ex : Term []
  ex = lam "f" f# (
         lam "x" x#f (
           app (var "f" (there here))
               (var "x" here)
         )
       )
    where
      f# : "f" # []
      f# = tt

      x#f : "x" # ("f" ∷ [] < f# >)
      x#f = (λ ()) , tt

As you can see, this approach ensures that the names we bind are fresh w.r.t. the current scope, at the cost of more complex types and having to produce freshness proofs (although this could also be automated).

Despite its limitations I feel that the simple version using a normal list of names strikes a nice balance between getting good static guarantees and being easy to use. This is also attested by the fact it is used in the bootstrapped implementation of Idris 2.

Nameless, Painless

When I explained the nominal approach to name binding, I made use of an abstract interface exposing the operations. While this was done out of necessity (since Agda does not have nominal types built-in), working with an abstract interface for name binding actually has other benefits: it allows us to avoid relying on the implementation details of names by hiding them from the interface, and it even allows swapping out a concrete implementation of variables for another one (perhaps one that’s more efficient).

This is what the paper “Nameless, Painless” does: it provides an abstract interface to well-scoped de Bruijn indices. The interface consists of an abstract type of Worlds (i.e. scopes), and for each world w a set of names Name w. In the concrete implementation of well-scoped de Bruijn syntax we gave above, these were implemented as World = ℕ and Name = Fin respectively.

module NamelessPainless where

  record NaPa : Set₁ where
    field
      World   : Set
      ∅       : World
      _↑1     : World → World
      Name    : World → Set
      _⊆_     : World → World → Set
      zeroᴺ   : ∀ {α} → Name (α ↑1)
      sucᴺ    : ∀ {α} → Name α → Name (α ↑1)
      _==ᴺ_   : ∀ {α} → Name α → Name α → Bool
      exportᴺ : ∀ {α} → Name (α ↑1) → Maybe (Name α)
      coerce  : ∀ {α β} → α ⊆ β → Name α → Name β
      ¬Name∅  : ¬ (Name ∅)


  open NaPa {{...}}

The operation _==ᴺ_ allows us to compare two names in the same scope, and the function exportᴺ allows us to do case analysis on whether a name is bound by the top-level binder or one beneath it.

To actually define a syntax that uses this interface, we parametrize our module with an instance argument of type NaPa:

  module _ {{_ : NaPa}} where

    data Term (w : World) : Set where
      var : Name w → Term w
      lam : Term (w ↑1) → Term w
      app : Term w → Term w → Term w

    ex : ∀ {w} → Term w
    ex = lam {-f-} (
           lam {-x-} (
             app (var {-f-} (sucᴺ zeroᴺ))
                 (var {-x-} zeroᴺ)
            )
          )

Apart from the benefits mentioned above, we also get additional free theorems as a result of being parametric over the implementation of scopes and names. For example, the paper shows that any world-polymorphic function commutes with renaming of the free variables.

Despite these apparent strengths, I have not seen this approach being used in practice. I’m not sure that’s because it has some important downsides, or just because it is not well known.

Abstract scope graphs

Scope graphs provide a very general interface for representing syntax with name binding and name resolution. Broadly speaking, nodes in a scope graph represent scopes, and edges determine reachability. Rather than formalize the full theory of scope graphs here, we can take the same approach as before and declare an abstract interface containing the pieces we need here (I apologize to my colleagues in Delft if I am horribly misrepresenting scope graphs):

module AbstractScopeGraphs where

  Name = String -- just for concreteness

  record ScopeGraph : Set₁ where
    field
      -- Structure of scope graphs we rely on:
      -- 1. a type of scopes (i.e. nodes in the graph)
      Scope : Set
      -- 2. a predicate expressing reachability + visibility
      _∈_   : Name → Scope → Set
      -- 3. Binding a name, shadowing all previous occurrences
      bind  : Name → Scope → Scope
      here  : ∀ {x s} → x ∈ bind x s
      there : ∀ {x y s} → x ≢ y → x ∈ s → x ∈ bind y s

  open ScopeGraph {{...}}

The definition of a scope graph relies on two core notions of reachability and visibility of a name in a scope. For simplicity both of them are combined into a single predicate _∈_ in this interface. We can then define our syntax using _∈_ and bind:

  module _ {{_ : ScopeGraph}} where

    data Term (s : Scope) : Set where
      var : (x : Name) → x ∈ s → Term s
      lam : (x : Name) → Term (bind x s) → Term s
      app : Term s → Term s → Term s

    ex : ∀ {s} → Term s
    ex {s} = lam "f" (
               lam "x" (
                 app (var "f" (there (λ ()) here))
                     (var "x" here)
               )
             )

The result is very similar to the approach using FreshList we defined above, except that now we use an abstract interface as in the Nameless, Painless approach. This means it is easier to extend the interface with more fine-grained notions (e.g. the distinction between reachability and visibility) that scope graphs allow us to model. It also allows us to scale up more easily to more complex name binding structures.

There’s still an issue that this approach shares with the FreshList approach: since the syntax of a lambda expression contains an element of type Name, it is possible to distinguish two α-equivalent names. Another possible drawback is that much of the generality of scope graphs is not actually needed, which might result in unneeded complexity (though the use of an abstract interface means this does not matter too much).

The ‘Namely, Painless’ approach

In his PhD thesis, Nicolas Pouillard (the main author of the “Nameless, Painless” paper) presents another interface for programming with names and binders called NomPa (for “Nominal, Painless”, I presume). In contrast to NaPa, it models syntax with named variables. Yet it avoids the problem discussed above, so α-equivalent terms are indistinguishable. The trick here is to have separate types for names and binders, and only expose equality checking of names in the interface:

module NamelyPainless where

  record NomPa : Set₁ where

    field
      World  : Set
      Name   : World → Set
      Binder : Set
      _◃_    : Binder → World → World

      zeroᴮ  : Binder
      sucᴮ   : Binder → Binder

      nameᴮ   : ∀ {α} b → Name (b ◃ α)
      binderᴺ : ∀ {α} → Name α → Binder

      ∅      : World
      ¬Name∅ : ¬ (Name ∅)

      _==ᴺ_   : ∀ {α} (x y : Name α) → Bool
      exportᴺ : ∀ {α b} → Name (b ◃ α)
              → Name (b ◃ ∅) ⊎ Name α

      _#_  : Binder → World → Set
      _#∅  : ∀ b → b # ∅
      suc# : ∀ {α b} → b # α → (sucᴮ b) # (b ◃ α)

      _⊆_     : World → World → Set
      coerceᴺ : ∀ {α b} → α ⊆ b → Name α → Name b
      ⊆-refl  : Reflexive _⊆_
      ⊆-trans : Transitive _⊆_
      ⊆-∅     : ∀ {α} → ∅ ⊆ α
      ⊆-◃     : ∀ {α β} b → α ⊆ β → (b ◃ α) ⊆ (b ◃ β)
      ⊆-#     : ∀ {α b} → b # α → α ⊆ (b ◃ α)

  open NomPa {{...}}

Note that names are bound to a specific world, so there is no way to compare names from different worlds.

  module Syntax {{_ : NomPa}} where

    data Term (w : World) : Set where
      var : Name w → Term w
      lam : (b : Binder) → Term (b ◃ w) → Term w
      app : Term w → Term w → Term w

    ex : Term ∅
    ex = lam fb (lam xb (app (var f) (var x)))
      where
        fb xb : Binder
        fb = zeroᴮ
        xb = sucᴮ zeroᴮ

        x-fresh : xb # (fb ◃ ∅)
        x-fresh = suc# (fb #∅)

        f = coerceᴺ (⊆-# x-fresh) (nameᴮ fb)
        x = nameᴮ xb

Just as with NaPa, we get nice free theorems by being parametric in the implementation of NomPa. For example, the parametricity theorem for _==ᴺ_ tells us that checking equality commutes with renaming, hence α-equivalent terms are indeed treated equally.

As promised earlier, NomPa can be used to implement the interface we previously used for nominal signatures:

  module NominalNomPa {{_ : NomPa}} where
    Sort : Set₁
    Sort = World → Set

    Atom : Sort
    Atom = Name

    1ᵉ : Sort
    1ᵉ _ = ⊤

    _×ᵉ_ : Sort → Sort → Sort
    (E₁ ×ᵉ E₂) a = E₁ a × E₂ a

    _→ᵉ_ : Sort → Sort → Set
    (E₁ →ᵉ E₂) = ∀ {a} → E₁ a → E₂ a

    Pred   : Sort → Set₁
    Pred E = ∀ {a} → E a → Set

    absᵉ : Sort → Sort
    (absᵉ E) a = Σ[ b ∈ Binder ] (E (b ◃ a))

    data Term : Sort where
      var : Atom →ᵉ Term
      app : (Term ×ᵉ Term) →ᵉ Term
      lam : (absᵉ Term) →ᵉ Term

To check that this indeed results in a valid implementation of the nominal interfaces we wrote down before, we can instantiate the interfaces elegantly using the little-known syntax for building record values from modules.

  instance
    nominal : {{_ : NomPa}} → Nominal.Nominal
    nominal = record { NominalNomPa }

    nominalSyntax : {{_ : NomPa}} → Nominal.Syntax
    nominalSyntax = record { NominalNomPa }

NomPa has all the desirable properties of the various approaches mentioned before, and can in fact be used to model these approaches. So, is it the ultimate approach to modelling name binding in Agda? Well, who knows, as once again I have not found anywhere it is actually used, despite it being published in 2012. My main worry is that the interface is quite large, and hence could be complicated to use in practice.

Co-de Bruijn indices

Since the invention of NomPa, there has been at least one more exciting development in the area of syntax with binders. In his 2018 paper “Everybody’s Got To Be Somewhere”, Conor McBride describes co-deBruijn syntax, a nameless representation where binding information is encoded completely in the structure of the terms rather than at the variables themselves. In particular, each term constructor remembers which variables are actually used by which subterm, removing the rest from the scope. When we arrive at a variable, all the unused variables have been removed from the scope, so there is but a single variable to pick.

Brutally stripping all the categorical concepts from the paper, one might end up with the following simplified type of scope coverings:

module CoDeBruijn where

  variable
    k l m n : ℕ

  data Cover : (k l m : ℕ) → Set where
    done   :               Cover      0       0       0
    left   : Cover k l m → Cover (suc k)      l  (suc m)
    right  : Cover k l m → Cover      k  (suc l) (suc m)
    both   : Cover k l m → Cover (suc k) (suc l) (suc m)

An element of type Cover k l m says for each of m variables whether they are used just in the left subterm, just in the right subterm, or in both subterms. The left and right subterms thus should have k and l variables in scope respectively. Crucially there is no case for neither, hence the slogan “everybody’s got to be somewhere”.

We can then define our well-scoped co-deBruijn syntax using Cover:

  data Term : ℕ → Set where
    var  : Term 1
    lam  : Term (suc n) → Term n
    lam' : Term n → Term n  -- argument is not used
    app  : Cover k l m → Term k → Term l → Term m

  ex : Term 0
  ex = lam {-f-} (
         lam {-x-} (
           app (right (left done))
               (var {-f-}) (var {-x-})
         )
       )

There are two constructors for lambda abstraction: one for functions that use their argument and one for functions that don’t (I’m sure there’s a more elegant way to do this, but this works).

The great advantage of using co-deBruijn syntax is that scopes are always maximally precise: there is never any need to strengthen a term to get rid of an unused variable. On the flip side, co-deBruijn syntax is even more unintuitive and difficult to understand for humans than regular de Bruijn syntax. Quoting the author: “Co-de-Bruijn representation is even less suited to human comprehension than de Bruijn syntax, but its informative precision makes it all the more useful for machines. Dependency checking is direct, so syntactic forms like vacuous functions or η-redexes are easy to spot.”

To make the syntax more comprehensible to mere mortals, we can do the same we did for de Bruijn syntax and represent scopes as lists of names:

module NamedCoDeBruijn where

  Name  = String
  Scope = List Name

  variable
    x y z    : Name
    xs ys zs : Scope

  data Cover : (xs ys zs : Scope) → Set where
    done   :                  Cover      []       []       []
    left   : Cover xs ys zs → Cover (z ∷ xs)      ys  (z ∷ zs)
    right  : Cover xs ys zs → Cover      xs  (z ∷ ys) (z ∷ zs)
    both   : Cover xs ys zs → Cover (z ∷ xs) (z ∷ ys) (z ∷ zs)

Doing this leads to a syntax that is much more pleasant to use (at least if we pick unique names):

  data Term : Scope → Set where
    var  : (x : Name) → Term (x ∷ [])
    lam  : (x : Name) → Term (x ∷ xs) → Term xs
    lam' : (x : Name) → Term xs → Term xs
    app  : Cover xs ys zs → Term xs → Term ys → Term zs

  ex : Term []
  ex = lam "f" (
         lam "x" (
           app (right (left done))
               (var "f") (var "x")
         )
       )

The remaining ugliness is the Cover proof needed at each application, however as before writing a macro that constructs these automatically should not be difficult.

One could imagine generalizing this further and defining an abstract interface like NomPa for working with co-deBruijn syntax. However, this post is plenty long as it is, so I’ll leave that as an exercise to the reader.

Overview and conclusion

The goal of this blog post was mainly to give an overview of the various different approaches one could use when defining syntax with binders in Agda. Below is a table summarizing with the approaches I described, plus the benefits they provide to the programmer:

First-order representation: does the representation avoid the use of meta-level functions as part of the data structure? If not, it can be difficult or impossible to do things like checking equality of terms or pretty-printing.
Named variables: When I write down a piece of syntax, are variables represented by their names or anonymously? This provides some measure of readability by humans.
Enforces α-equivalence: Does the representation enforce that two α-equivalent terms are treated in the same way?
Enforces well-scopedness: Does the representation enforce that names can only be used when they are in fact in scope?
No mixing of scopes: Does the representation enforce that a name that comes from one scope is not used in a different scope?
Abstract interface: Does the representation provide an abstract interface that can be instantiated in different ways?
Enforces freshness: Does the representation allow us to require that names must be fresh at certain positions in the syntax?
Strengthening is no-op: Can we remove unused names from the scope without having to change the syntax?

So here’s the full table:

	Bare	DeBr	LoNa	Nom	PHOAS	WTDB	WTDB+N	FreshL	NaPa	ASG	NomPa	CoDB	CoDB+N
First-order representation	X	X	X	X		X	X	X	X	X	X	X	X
Named variables	X		X	X	X		X	X		X	X		X
Enforces α-equivalence		X	X		X	X			X		X	X
Enforces well-scopedness					X	X	X	X	X	X	X	X	X
No mixing of scopes							X	X		X	X		X
Enforces freshness				X				X		X	X
Abstract interface				X					X	X	X
Strengthening is no-op	X											X	X

As a next step, it would be interesting to perform a comparison of (some of) these approaches on a practical application. My idea would be to define variants of the reflection syntax of Agda using a few different approaches (it currently uses de Bruijn syntax), and test which one makes macros easier to write. This would also allow a proper performance evaluation to see the effect of the variable representation on the performance of syntax transformations. And of course my (not so) secret goal is to eventually use one of these representations for the definition of Agda Core!

I’m very curious to hear your thoughts about this overview, whether I have missed any important criteria in this comparison, whether I have seriously misrepresented some of the approaches, whether I skipped one completely. In any of these cases, please let me know via Zulip, Twitter, or mail.

WITS '21: First International Workshop on the Implementation of Type Systems

Jesper Cockx — Fri, 15 Oct 2021 00:00:00 UT

Jesper Cockx - WITS '21: First International Workshop on the Implementation of Type Systems

Jesper Cockx

WITS '21: First International Workshop on the Implementation of Type Systems

Posted by Jesper on October 15, 2021

I am organizing the First International Workshop on the Implementation of Type Systems together with the one and only Richard Eisenberg. The goal of this workshop is to bring together the implementors of a variety of languages with advanced type systems. The main focus is on the practical issues that come up in the implementation of these systems, rather than the theoretical frameworks that underlie them. In particular, we want to encourage exchanging ideas between the communities around specific systems that would otherwise be accessible to only a very select group.

The workshop will be held on January 22, 2022, in Philadelphia, PA, United States, co-located with POPL. If you are working on the implementation of a cool type system or interested to do so, please consider submitting a proposal for a talk or a discussion at the workshop.

For more information, please visit our official webpage.

EuroProofNet: the European research network on digital proofs

Jesper Cockx — Fri, 15 Oct 2021 00:00:00 UT

Jesper Cockx - EuroProofNet: the European research network on digital proofs

Jesper Cockx

EuroProofNet: the European research network on digital proofs

Posted by Jesper on October 15, 2021

EuroProofNet is the European research network on digital proofs. It aims at boosting the interoperability and usability of proof systems. It gathers 190 researchers on proof systems and formal proofs, from 30 different countries.

Together with Catherine Dubois, I am leading the working group on Tools for Proof Systems Interoperability. In particular, we will coordinate developers of various proof systems (dependently typed ones like Coq and Agda, but also others such as Isabelle/HOL, Event-B, and TLA+) who want to translate proofs between these systems using the Dedukti logical framework as an intermediate language.

You can find more information about this and the other working groups on our website (still work-in-progress at the moment of writing). If you are interested to work on this, please consider applying to join the working group and/or get in touch!

The Taming of the Rew

Jesper Cockx — Thu, 07 Jan 2021 00:00:00 UT

Jesper Cockx - The Taming of the Rew

Jesper Cockx

The Taming of the Rew

Posted by Jesper on January 7, 2021

Back in 2019, I wrote two posts about user-definable rewrite rules in Agda (which have since then been rewritten into a TYPES paper) and promised a third one about how to make rewrite rules safe to use (or at least safer). At the time, I was hard at work together with Théo Winterhalter and Nicolas Tabareau from the Galinette group in Nantes to tackle the problem of checking safety of rewrite rules, and in particular trying to ensure subject reduction holds. Little did we know that the problem would turn out a lot trickier than I expected, so much that we did not make it in time for the ICFP 2020 deadline.

However, now I am very glad to say our paper The Taming of the Rew: A Type Theory With Computational Assumptions is to appear at POPL 2021 on January 20, in less than two weeks time. In fact, you can already read the paper as well as watch our talks (one 5 minute version by Théo and one 30 minute version by Théo and me). So in case you were still waiting for that post, go ahead and watch the talks or read the paper. And remember, when you do --rewriting in Agda don’t forget to also --confluence-check!

Mijn uitdaging voor jou in 2021: Doe zoveel goed als je kan

Jesper Cockx — Thu, 24 Dec 2020 00:00:00 UT

Jesper Cockx - Mijn uitdaging voor jou in 2021: Doe zoveel goed als je kan

Jesper Cockx

Mijn uitdaging voor jou in 2021: Doe zoveel goed als je kan

Posted by Jesper on December 24, 2020

(This post is also available in English.)

Deze post is iets heel anders dan wat ik hier normaal schrijf. Deze keer wil ik het hebben over een idee waarvan ik echt geloof dat het belangrijk is maar waar nog veel te weinig mensen van hebben gehoord, en ik dus graag met jullie wil delen. Ik heb op het einde ook een uitdaging voor je voor in 2021.

Als je een beetje op mij lijkt, heb je misschien ook dit terugkerend probleem: je leest, kijkt, of luistert naar het nieuws en leert over alle verschikkelijke dingen die gebeuren, zoals ziektes, armoede, de klimaatopwarming, en oorlogen. Dan denk je, was er maar iets dat ik kon doen om dat te stoppen en al dat lijden te voorkomen! Zeker in een jaar zoals 2020 voel ik meer dan ooit de drang om te helpen. Maar wat kunnen we toch doen?

Laten we onze opties overlopen. Je zou iets kunnen doneren of vrijwilligerswerk kunnen doen voor een goed doel in een gebied dat je belangrijk vindt, maar je bent niet zeker hoeveel impact dat heeft. Misschien beslis je om meer fairtradeproducten te kopen en je ecologische voetafdruk te verkleinen, maar je maakt je zorgen dat je zo alleen je eigen schuldgevoel afkoopt. Of je overweegt om in de politiek te gaan of activist te worden, maar je bent bang dat je stem zou verdrinken tussen alle luidere stemmen. Je zou voor minder wanhopig worden over je onvermogen om een verschil te maken. Maar wat als ik je zou vertellen dat er een andere manier is om een grote positieve impact te hebben op de wereld, een manier die geen grote opofferingen of veranderingen in je leven vereist, maar die nog veel te weinig mensen kennen? Maak kennis met effectief altruïsme.

Effectief altruïsme is zowel een idee als een wereldwijde beweging rond dit idee. Als idee gaat effectief altruïsme over het beantwoorden van een simpele vraag: hoe kunnen we de grootst mogelijke positieve impact hebben met een gegeven hoeveelheid middelen? Als een nerd die houdt van efficiëntie en dingen optimalizeren werd ik van deze vraag alleen al nieuwsgierig. Als beweging bestaat Effective Altruism (EA) uit vele mensen en organizaties die deze vraag proberen te beantwoorden voor verschillende gebieden, zoals wereldwijde gezondheidszorg, klimaatverandering, dierenwelzijn, en de langetermijntoekomst van de mensheid. Tegelijk proberen deze organizaties ook mensen te overtuigen om te doneren aan de beste goede doelen die ze hebben gevonden. Een ding wat ze níet doen is je vertellen hoeveel je moet doneren: je kan een effectieve altruïst zijn of je nu 5€ of 50% van je inkomen geeft (wat sommige mensen echt doen!)

Een reden waarom je zoveel impact kan hebben is dat je rijker bent dan je waarschijnlijk denkt: op deze pagina van Giving What We Can kan je berekenen hoe rijk je bent ten opzichte van de rest van de wereld. Volgens deze pagina kan je als typische westerling met een gemiddeld inkomen die 10% van zijn inkomen doneert aan de Against Malaria Foundation (of een even effectief goed doel) over de duur van je loopbaan tientallen mensenlevens redden. Dat is alsof je een superheld bent zonder al de spandex! (Niets tegen mensen die van spandex houden.) In domeinen waar impact moeilijker te meten is, zoals klimaatverandering of de langetermijntoekomst van de mensheid, is je impact mogelijk nog groter. Toen ik voor de eerste keer hoorde dat ik met een klein deel van mijn inkomen mensenlevens kon redden, voelde ik me enorm gemotiveerd, en vandaag voel ik die motivatie nog steeds.

Je zou je nu kunnen afvragen of het wel echt zo belangrijk is om de allerbeste goede doelen te vinden, in plaats van gewoon een goed doel te kiezen dat redelijk effectief is en waar je meer voeling mee hebt. Maar in feite zijn de beste goede doelen vaak 10x (en soms 100x) meer effectief dan het gemiddelde. Om klimaatverandering te bestrijden zou je bijvoorbeeld kunnen beslissen om je eigen CO2-uitstoot te compenseren, wat voor elke euro ongeveer 0.05 tot 0.1 ton CO2-uitstoot voorkomt (zie Gold Standard). Of je zou die euro in de plaats daarvan kunnen doneren aan de Coalition of Rainforest Nations of de Clean Air Task Force, wat volgens het onderzoek van Founder’s Pledge ruim een hele ton CO2-uitstoot voorkomt (10 à 20x zoveel). Nog een voorbeeld: de minst effectieve procedures om HIV/AIDS te bestrijden hebben minder dan 0.1 percent van het effect van de meest effectieve (bron: The Moral Imperative of Cost Effectiveness). Vergelijk dat maar eens met de tijd die je besteedt om online de beste prijs te vinden voor die nieuwe TV, wat misschien een verschil maakt van 10 of 20%. Het loont dus echt de moeite om het beste goede doel te vinden voor de zaken waar je iets om geeft!

Naast het zoeken naar de beste goede doelen binnen elk gebied, houdt effectief altruisme zich ook bezig met het uitzoeken in wélk gebied onze donaties het meeste effect hebben. Ter illustratie: je euro is meer waard in het zuiden. In andere woorden, je kan meer impact hebben op mensenlevens door te doneren aan gezondheidsorganizaties in ontwikkelingslanden dan aan armoedebestrijding in je eigen land. Om verschillende probleemgebieden met elkaar te vergelijken wordt er in EA over het algemeen gebruik gemaakt van drie criteria:

De schaal van het probleem. Hoe groot zijn de negatieve effecten van het probleem, en hoeveel mensen lijden eronder?
Verwaarloosdheid. Hoeveel extra ruimte is er voor meer mensen en middelen om aan dit probleem te werken?
Oplosbaarheid. Hoe groot is het effect van extra middelen in dit gebied?

Als een probleem erg groot, erg verwaarloosd, en erg oplosbaar is, dan is het waarschijnlijk ook een goede kandidaat om veel impact te kunnen hebben. Dit eenvoudige principe kan soms leiden tot onintuïtieve resultaten, zoals sommige effectieve altruïsten die beslissen om te werken aan onderzoek naar globale prioriteiten in plaats van klimaatverandering ondanks dat ze het tweede een groter probleem vinden, omdat er aan het eerste veel minder aandacht wordt besteed.

Eens we een probleemgebied hebben gekozen komt de moeilijke opdracht om de meest effectieve goede doelen in dit gebied te vinden en te vergelijken. Vaak is er een grote graad van onzekerheid bij het evalueren van impact. Bijvoorbeeld: helpt het echt om een stuk regenwoud te beschermen of betekent dit enkel dat een ander stuk regenwoud elders wordt neergekapt? Verder is het vaak ook lastig om verschillende vormen van impact te vergelijken: hoe vergelijken we bijvoorbeeld het effect van betere gezondheidszorg met verbeteringen in het onderwijs in ontwikkelingslanden? Gelukkig zijn er meerdere zeer hoog aangeschreven organizaties die zich als doel hebben gesteld om deze moeilijke vragen te beantwoorden:

GiveWell is de oudste en meest gerespecteerde organizatie in EA. Ze focust vooral op het evalueren van goede doelen voor gezondheidszorg en ontwikkelingshulp.
Founder’s Pledge moedigt ondernemers aan om te beloven om een deel van hun inkomsten te doneren aan effectieve goede doelen. Ze doen ook uitgebreid onderzoek naar effectieve goede doelen voor ontwikkelingshulp en klimaatverandering.
Het Centre for Effective Altruism biedt fondsen aan die donaties inzamelen voor verschillende gebieden, waaronder de langetermijntoekomst van de mensheid en de organizatie van de EA-beweging zelf.
Animal Charity Evaluators focust -zoals de naam al zegt- op het vinden van de beste goede doelen voor dierenwelzijn.
Giving Green is een nieuwe organizatie die de principes van effectief altruïsme toepast op klimaatverandering.

Als je een serieuze impact wil hebben met je geld maar niet zeker bent waar je best kan doneren, is het zeker geen slecht idee om het advies van een van de bovenstaande organizaties te volgen. Zelf doneer ik dit jaar aan drie van de Effective Altruism Funds: de Founder’s Pledge Climate Change Fund (80%), de Global Health and Development Fund (15%), en de Effective Altruism Infrastructure Fund (5%) (deze zijn momenteel belastingsaftrekbaar in de VS, VK, en Nederland, en hopelijk binnenkort ook in andere landen). Het geld in deze fondsen gaat uiteindelijk naar organizaties zoals Clean Air Task Force voor het promoten van schone technologie, Carbon180 voor onderzoek naar CO2-opvangst en opslag, Against Malaria Foundation voor de verdeling van anti-malarianetten, J-PAL voor innovatie in het bestuur van lage-inkomenlanden, en 80,000 Hours voor de begeleiding van mensen om de impact van hun carrière te vergroten. Het vult me met een warm gevoel om te leren over de verwezelijkingen van deze organizaties en om te weten dat ik meehelp met hun werk in de toekomst!

Een van de fijne dingen van EA is dat er enorm veel goedgeschreven ideeën te vinden zijn om te lezen of te luisteren (wel bijna uitsluitend in het engels). Dus in plaats van hier verder in de diepte te gaan, wil ik graag een paar startpunten aanbevelen om meer over effectief altruïsme te leren:

Een artikel van het Centre for Effective Altruism: Introduction to Effective Altruism
Het boek van William MacAskill: Doing Good Better
De TED Talk van Dan Pallotta: The Way We Think About Charity is Dead Wrong
Drie artikels van Giving What We Can: Charity Comparisons, Myths About Aid, en Best Charities to Donate To In 2020
Als je liever iets in het nederlands leest is er sinds kort ook de websites van Doneer Effectief (Nederland) en Effectief Altruïsme Vlaanderen.

Als je tot hier hebt gelezen en het me is gelukt om je te overtuigen, dan heb ik een uitdaging voor je om in 2021 méér goed te doen. Concreet is de uitdaging om op 99% van je normale inkomen te leven, en te beloven om de resterende 1% te doneren aan effectieve goede doelen. Één percent is weinig genoeg dat je het waarschijnlijk niet eens merkt, maar groot genoeg om echt iets fantastisch te doen (als je direct meer wil doneren mag dat natuurlijk ook!). Je kan deze belofte ook officiëel maken op de websites van Giving What We Can (wat ik sinds 2017 doe) of One for the World. Beide organizaties geven ook uitstekend advies over aan welke goede doelen je kan doneren.

Ongeacht of je mijn uitdaging nu opneemt of niet, hoop ik dat deze post je tenminste een beetje geïnteresseerd heeft gemaakt in effectief altruïsme, en dat je gemotiveerd bent om in 2021 zoveel goed te doen als je maar kan. Gelukkig nieuwjaar!

My challenge for you in 2021: Do the most good you can

Jesper Cockx — Thu, 24 Dec 2020 00:00:00 UT

Jesper Cockx - My challenge for you in 2021: Do the most good you can

Jesper Cockx

My challenge for you in 2021: Do the most good you can

Posted by Jesper on December 24, 2020

(Deze post is ook vertaald naar het nederlands.)

This post is quite different from the usual stuff I post here. It’s about an idea I believe is really important; not nearly enough people know about it, and I’d like to share with you. It’s also about a challenge I have for you for 2021. If you were hoping for an Agda post, I apologize! Meanwhile I hope you find this post interesting as well.

If you’re a bit like me, you may have this common problem: you read, watch, or listen to the news and learn about all the horrible things that are happening, such as diseases, poverty, climate change, and war. Then you wish there only was something you could do to stop that from happening and prevent all that suffering! Especially in a year like 2020, I feel the urge to help more strongly than ever. But what can we possibly do?

Let’s think through the options. You could decide to make a donation or volunteer for a charity in an area you care a lot about, but you’re unsure if that will have any impact. Maybe you start buying fair trade products and work on reducing your ecological footprint, but worry that you’re mostly buying off your own guilt. Perhaps you consider going into politics or becoming an activist, but you’re afraid that you would never be heard among all the louder voices. I sure have often felt desparate not being able to make a difference. But what if I told you there’s another way you can make a large positive impact on the world, one that does not require large sacrifices in your career or lifestyle, yet way too few people actually know about? Let me introduce you to effective altruism.

Effective altruism is both an idea and a global movement built around this idea. As an idea, effective altruism is about finding the answer to a simple question: how can we make the largest possible positive impact with a given amount of resources? As a nerd who likes efficiency and optimizing things, this question alone made me curious already. As a movement, Effective Altruism (EA) consists of many people and several organizations that try to answer this question for different areas, such as global health, climate change, animal welfare, and the long-term future of humanity. At the same time, these organizations also try to convince people to donate to the top charities they identified. However, one thing they don’t do is tell you to give any particular amount to effective charities: you can be an effective altruist whether you donate 5€ or 50% of your income (which some people actually do!).

One of the reasons why it is possible to make such a big impact is because you are probably richer than you realize: see this calculator by Giving What We Can to find out how rich you are compared to the rest of the world. According to this calculator, if you have an average job in a typical Western country and donate 10% of your income to the Against Malaria Foundation (or an equally effective charity), you will save dozens of lives over the course of your career. That is like being a superhero without the spandex! (Nothing against people who like spandex.) In cause areas that are harder to measure than global poverty and health -such as climate change or long-term future of humanity- your impact could very well be even higher. For me, when I first learned that I could save lives with just a small portion of my income, I felt really motivated, and I still do.

Now, you could wonder whether it is really that important to identify the absolute best charities, instead of just picking one that is reasonably effective. But in fact, the very best charities in an area are often 10x (and sometimes up to 100x) more effective than the average. To give a example, to help fighting climate change you could decide to offset your CO2 emissions, which means you prevent around 0.05-0.1 tons of CO2 for every 1€ (see Gold Standard). Meanwhile, according to the research by Founder’s Pledge that same euro can prevent well over a whole ton of CO2 emissions (10-20x as much) by donating it to their recommended charities such as the Coalition of Rainforest Nations and the Clean Air Task Force. As another example, the least effective HIV/AIDS intervention produces less than 0.1 percent of the value of the most effective (source: The Moral Imperative of Cost Effectiveness). Just compare that to the time you spend shopping around for better prices online when buying a new TV, which perhaps makes a difference of 10-20%. Compared to that, it really pays off to spend some time on finding the very best charity for the causes you care about!

In addition to finding the best organizations within each cause area, effective altruism is also about identifying the cause areas where our donations can make an outsized impact compared to others. For example, your dollar goes further overseas: we can have a bigger impact on more people’s lifes by working on global health than by trying to solve poverty in Western countries. To help with evaluating different problem areas, there are three main criteria that people within the EA movement generally agree upon:

Problem scale. How big are the negative effects of the problem, and how many people does it affect?
Neglectedness. How much room is there for more people and resources to work on this problem?
Tractability. How big is the effect of additional resources spent in this area?

The idea is that if a problem is very large, very neglected, and very tractable, then it is likely a good candidate for making a large impact. This simple framework can sometimes lead to non-obvious results, such as some effective altruists deciding to support global priorities research over work on climate change despite it being a smaller problem overall, because it is much more neglected.

Once a problem area is selected comes the difficult task of finding and comparing the most effective organizations working on that problem. Often there is a lot of uncertainty involved in estimating impact accurately. For example, does protecting a piece of rainforest really work or does it just mean a different piece of forest will be cut down somewhere else? It is also difficult to compare different forms of impact. For example, how do we compare the effects of preventing diseases to the effects of better education in third-world countries? Luckily there are several highly reputed organizations with the sole mission of answering these hard questions:

GiveWell is the oldest and most well-respected organization within EA. They mainly focus on evaluating charities within the area of global health and development.
Founder’s Pledge encourages entrepeneurs to pledge a part of their gains to effective charities. They also do extensive research on effective charities in various areas including climate change and global health and development.
The Centre for Effective Altruism offers various funds that collect donations to effective charities in various areas, including a.o. the long-term future of humanity and the infrastructure of the EA movement itself.
Animal Charity Evaluators focuses -as the name suggests- on identifying the most effective organizations in the area of animal wellfare.
Giving Green is a new organization that applies EA principles to the area of climate change.

If you want to make a real impact with your money but are unsure where to donate, you definitely could go worse than by following the advice of any of the above organizations. Myself, I’m donating this year to three of the Effective Altruism Funds: the Founder’s Pledge Climate Change Fund (80%), the Global Health and Development Fund (15%), and the Effective Altruism Infrastructure Fund (5%) (these funds are tax deductible in the US, UK, and Netherlands, and hopefully soon in other countries too). The money in these funds will end up at organizations such as Clean Air Task Force for advocacy for clean tech, Carbon180 for carbon removal solutions, Against Malaria Foundation for the distribution of insecticide-treated bednets, J-PAL for innovation in government of low-income countries, and 80,000 Hours for helping people maximize the impact of their careers. It fills me with a very warm feeling learning about all the things these organizations accomplish and knowing that I’m a part of what enables them to continue their work!

One of the nice things about the EA movement is that there are lots and lots of very well-articulated ideas you can read or listen to. So instead of going into more depth here, I will recommend some entry points to learn more about effective altruism:

Article by the Centre for Effective Altruism: Introduction to Effective Altruism
Book by William MacAskill: Doing Good Better
TED Talk by Dan Pallotta: The Way We Think About Charity is Dead Wrong
Three articles from Giving What We Can: Charity Comparisons, Myths About Aid, and Best Charities to Donate To In 2020

If you’ve read this far and I have managed to convince you, I have a challenge for you to increase the amount of good you do in the year 2021. Concretely, the challenge is to live on 99% of the money you would normally, and pledge to give the remaining 1% to highly effective charities. Just one percent is small enough that you will probably not even notice, yet large enough to do something really awesome (of course if you’d like to give more that’s even better!) If you want, you can make an official pledge on Giving What We Can (as I have since 2017) or One for the World. Both these organizations also provide some excellent advice on what effective charities to donate to.

Whether or not you decide to take the challenge, I hope this post has made you at least a bit interested in effective altruism, and that it will motivate you to do the most good you can in 2021. A happy new year!

An introduction to property-based testing with QuickCheck

Jesper Cockx — Thu, 17 Dec 2020 00:00:00 UT

Jesper Cockx - An introduction to property-based testing with QuickCheck

Jesper Cockx

An introduction to property-based testing with QuickCheck

Posted by Jesper on December 17, 2020

In February, I will be teaching a new course on Functional Programming at TU Delft. The course will mostly cover Haskell using Graham Hutton’s excellent book, though there will be a part on basic usage of dependent types in Agda towards the end as well. For the exercises, we will use the Delft-grown Weblab platform for letting the students code and run the automated tests using QuickCheck. Unfortunately for me, the book does not talk about QuickCheck at all. Fortunately for you, that means I decided to write a tutorial myself, which you can read here.

Of course there are many excellent QuickCheck tutorials out there already. However I found all of them either assumed too much Haskell knowledge (since I want to introduce QuickCheck as early as possible), skipped out on interesting parts (such as conditional and quantified properties), or were just not up-to-date with the latest version of QuickCheck (such as the new approach for generating random functions using Fun). So I hope this post closes a gap in the current menu of tutorials for at least a few people.

If you spot any errors or opportunities for improvement, please let me know. The students at TU Delft will be grateful!

Introduction

When you were first learning to program, at some point you were probably told about the importance of writing unit tests: small test cases that each test a small piece of functionality of your code. And while it is true that writing unit tests is important, it is also at the same time boring and difficult. It is boring because you need to write many separate unit tests for each piece of functionality, which all look more or less the same. And it is difficult because it is very easy to miss a certain combination of inputs for which the program crashes. Would it not be nice if we could just write down how the program should behave and have the test cases be generated automatically? That is precisely the approach of property-based testing.

In short, property-based testing is an approach to testing where you as the programmer write down properties that you expect to hold of your program. When running the tests, the test runner will generate a lot of different random input values, and then check that the property holds for all these (combinations of) input values. Compared to writing individual unit tests, property-based testing has several advantages:

You spend less time writing test code: a single property can often replace many hand-written test cases.
You get better coverage: by randomly generating inputs, QuickCheck will test lots of combinations you’d never test by hand.
You spend less time on diagnosis of errors: if a property fails to hold, QuickCheck will automatically produce a minimized counterexample.

QuickCheck is a tool for property-based testing of Haskell code. Since its introduction for Haskell in 1999, QuickCheck has become very popular as a testing framework and has been ported to many other programming languages such as C, C++, Java, JavaScript, Python, Scala, and many others (see https://en.wikipedia.org/wiki/QuickCheck for a more complete list). However, QuickCheck really benefits from the fact that Haskell is a pure language, so that is where the approach continues to be the most powerful.

This introduction will show you the basic usage of QuickCheck for testing properties of Haskell code, as well as how to use alternative random generators. All the functions that are used come from the module Test.QuickCheck from the QuickCheck package. This package can be installed using the Cabal package manager for Haskell by issuing the following command:

> cabal install QuickCheck

Basic usage of QuickCheck

To write a QuickCheck test case, all you have to do is define a Haskell function that defines a property of your program that you expect to hold. In the simplest case, a property is just a value of type Bool. For example, suppose we have written a simple Haskell function to calculate the distance between two integers:

distance :: Int -> Int -> Int
distance x y = abs (y-x)

We can then express the property that the distance between 3 and 5 equals 2:

prop_dist35 :: Bool
prop_dist35 = distance 3 5 == 2

By convention, names of QuickCheck properties always start with prop_. We can express more general properties by defining a function that returns a Bool:

-- The distance between any number and itself is always 0
prop_dist_self :: Int -> Bool
prop_dist_self x = distance x x == 0

-- The distance between x and y is equal to the distance between y and x
prop_dist_symmetric :: Int -> Int -> Bool
prop_dist_symmetric x y = distance x y == distance y x

When testing a property that takes one or more inputs, QuickCheck will randomly generate several inputs (100 by default) and check that the function returns True for all inputs.

The main function used to call QuickCheck is quickCheck, which is defined in the module Test.QuickCheck. To import it, you can either add import Test.QuickCheck at the top of your file or import it manually if you are working from GHCi. Assuming you have installed the QuickCheck package, you can then load the file and run tests by calling quickCheck:

> ghci
GHCi, version 8.10.2: https://www.haskell.org/ghc/  :? for help
Loaded package environment from ~/.ghc/x86_64-linux-8.10.2/environments/default
> :l QuickCheckExamples.hs
> quickCheck prop_dist35
+++ OK, passed 1 test.

QuickCheck tells us that everything is as it should be: it ran the test and got the result True. Since there are no inputs to the test, it is run only once. Let us try out some more properties!

> quickCheck prop_dist_self
+++ OK, passed 100 tests.
> quickCheck prop_dist_symmetric
+++ OK, passed 100 tests.

Huge success! For each of the tests, QuickCheck has generated 100 random inputs and verified that for each one the property returns True.

To get more information about the test inputs that are generated by QuickCheck, you can replace the function quickCheck with verboseCheck. This will print out each individual test case as it is generated. Try it out for yourself!

Shrinking counterexamples

What happens if there’s a mistake in our code? Say we forgot to write abs in the definition of distance?

> quickCheck prop_dist_symmetric
*** Failed! Falsified (after 2 tests):                  
0
1

QuickCheck has found a counterexample: if the first input x is 0 and the second input y is 1, then y-x is not equal to x-y.

When QuickCheck finds a counterexample, it will not always return the first one it encounters. Instead, QuickCheck will look for the smallest counterexample it can find. As an example, let us try to run QuickCheck on the (false) property stating that every list is sorted.

sorted :: Ord a => [a] -> Bool 
sorted (x:y:ys) = x <= y && sorted (y:ys)
sorted _        = True

-- A (false) property stating that every list is sorted
prop_sorted :: [Int] -> Bool
prop_sorted xs = sorted xs

> verboseCheck prop_sorted
Passed:  
[]

Passed: 
[]

Passed:  
[0]

Failed:  
[2,1,3]

Passed:                                 
[]

Passed:                                                 
[1,3]

Passed:                                                 
[2,3]

Failed:                                                 
[2,1]

...

*** Failed! Falsified (after 4 tests and 3 shrinks):    
[1,0]

The first list that is generated that is not sorted is [2,1,3]. Note that this will be a different list every time we run QuickCheck since it is randomly generated. However, QuickCheck does not stop there and instead tries smaller and smaller lists until it converges to a minimal counterexample: [1,0]. This process is called shrinking.

It is worth noting that despite the inherent randomness of QuickCheck, shrinking will often converge to one of a small set of minimal counterexamples. For example, if we run quickCheck many times on prop_sorted, we always end up with either [1,0] or [0,-1] as a counterexample.

The precise strategy that QuickCheck uses for shrinking counterexamples depends on the type of the counterexample:

For numeric types such as Int, QuickCheck will try a random number that is smaller in absolute value (i.e. closer to 0).
For booleans of type Bool, QuickCheck will try to replace True with False.
For tuple types (a,b), QuickCheck will try to shrink one of the components.
For list types, QuickCheck will try to either delete a random element from the list, or try to shrink one of the values in the list.

Testing many properties at once

Instead of running individual tests from GHCi, you can also combine all your tests in a main function:

main = do
  quickCheck prop_dist35
  quickCheck prop_dist_self
  quickCheck prop_dist_symmetric

This code makes use of Haskell do keyword that we will study in the chapter on monads. Once you have defined this main function, you can invoke it by calling runghc from the command line:

> runghc QuickcheckExamples.hs
+++ OK, passed 1 test.
+++ OK, passed 100 tests.
+++ OK, passed 100 tests.

Note that a file may only contain a single main function. In a realistic project, we would instead create a separate file that just defines all QuickCheck properties and puts them together in a main function.

Remark. When you are writing code in the WebLab instance for this course, you do not need to write a main function for QuickCheck tests: WebLab will automatically collect all functions in the Test tab whose name starts with prop_ and run quickCheck on each one.

Discovering properties to test

The biggest challenge in making effective use of QuickCheck lies in coming up with good properties to test. So let us take a look at some examples of good properties to test.

Roundtrip properties

When one function is an inverse to another function, we can create a property test for that. For example, we can test that reversing a list is its own inverse:

prop_reverse_reverse :: [Int] -> Bool
prop_reverse_reverse xs = reverse (reverse xs) == xs

As another example, we can test that inserting an element into a list and then deleting it again results in the same list:

insert :: Int -> [Int] -> [Int]
insert x [] = [x]
insert x (y:ys) | x <= y    = x:y:ys
                | otherwise = y:insert x ys

delete :: Int -> [Int] -> [Int]
delete x [] = []
delete x (y:ys) | x == y    = ys
                | otherwise = y:delete x ys

prop_insert_delete :: [Int] -> Int -> Bool
prop_insert_delete xs x = delete x (insert x xs) == xs

In general, it might take more than two functions to get back to the point where we started from. Any property of the form f (g (... (h x))) == x is called a roundtrip property.

Equivalent implementations

When we have two functions that should be functionally equivalent but have a different implementation, we can test that this is indeed the case. For example, we can test that a function qsort :: Ord a => [a] -> [a], we can define a property that tests it has the same behaviour as the builtin Haskell function sort:

prop_qsort_sort :: [Int] -> Bool
prop_qsort_sort xs = qsort xs == sort xs

If there is an alternative implementation available, defining a property of this kind is usually a very good idea since it can catch a broad range of errors in the implementation.

Another variant of this technique can be applied when you replace the implementation of a function with a new version (perhaps because it is more efficient or more general). In that case, you can keep the old code under a different name and add a property to test that both implementation produce the same result. This way you can make sure that the behaviour of the program has not changed by accident!

Warning. When testing a polymorphic function such as qsort, it seems attractive to also define a polymorphic test case:

prop_qsort_sort' :: Ord a => [a] -> Bool
prop_qsort_sort' xs = qsort xs == sort xs

However, this does not work as you might expect: by default, quickCheck will instantiate all type parameters to the empty tuple type (). So the property that quickCheck will actually test is prop_qsort_sort'' :: [()] -> Bool. Since a list of empty tuples [(),(),...,()] is always sorted, this test will always return True even if the function qsort does nothing! So in general it is a good idea to always give a concrete type (without type parameters) to property tests.

Algebraic laws

When we have a function that implements a certain idea from algebra, we can use the algebraic laws as inspiration for property tests. For example, suppose we have a function vAdd :: (Int,Int) -> (Int,Int) -> (Int,Int) that defines addition on two-dimensional vectors, we can test that it is commutative, associative, and has a neutral element:

prop_vAdd_commutative :: (Int,Int) -> (Int,Int) -> Bool
prop_vAdd_commutative v w = vAdd v w == vAdd w v

prop_vAdd_associative :: (Int,Int) -> (Int,Int) -> (Int,Int) -> Bool
prop_vAdd_associative u v w = vAdd (vAdd u v) w == vAdd u (vAdd v w)

prop_vAdd_neutral_left :: (Int,Int) -> Bool
prop_vAdd_neutral_left u = vAdd (0,0) u == u

prop_vAdd_neutral_right :: (Int,Int) -> Bool
prop_vAdd_neutral_right u = vAdd u (0,0) == u

As another example, some functions such as sorting functions are idempotent: applying them twice produces the same result as applying them just once.

prop_qsort_idempotent :: [Int] -> Bool
prop_qsort_idempotent xs = qsort (qsort xs) == qsort xs

Testing with different distributions

Often we want to test a certain property but it does not hold for all possible inputs. For example, let us try to test that each element in the result of replicate n x is equal to x (the function replicate :: Int -> a -> [a] is defined in the standard prelude).

prop_replicate :: Int -> Int -> Int -> Bool
prop_replicate n x i = replicate n x !! i == x

However, when we try to test this property we get an error:

> quickCheck prop_replicate
*** Failed! Exception: 'Prelude.!!: index too large' (after 1 test):
0
0
0

Oh no! QuickCheck generated a list of length 0, which means any index i is out of bounds. To resolve this problem, we could change the property so it always evaluates to True in case the index is out of bounds:

prop_replicate :: Int -> Int -> Int -> Bool
prop_replicate n x i = i < 0 || i >= n || replicate n x !! i == x

Now testing the property is successful:

> quickCheck prop_replicate
+++ OK, passed 100 tests.

However, this actually gives us a false sense of security: in the vast majority of the test cases that are generated, the index is out of bounds and thus nothing about the behaviour of replicate is tested. You can verify this by running verboseCheck on this property and counting the cases where i is in between 0 and n. In effect much fewer than 100 inputs are tested, so there is a high chance that mistakes go undetected.

We could try to counteract this by running more test cases. However, how many test cases is enough? Do we need 1000? 10000? What about if we want to test a property where it is even rarer that we generate a valid input, for example when a property only holds for sorted lists?

Instead of running more test cases, we can make sure that the test cases we generate are always valid. We will discuss two methods provided by the QuickCheck library that allow us to do this: conditional properties and quantified properties.

Conditional properties

The first way we can restrict the inputs that QuickCheck uses is by using a conditional property of the form

==>

For example, we can rewrite prop_replicate as follows:

prop_replicate :: Int -> Int -> Int -> Property
prop_replicate n x i = 
  (i >= 0 && i < n) ==> replicate n (x :: Int) !! i == x

Notice that the return type is no longer Bool but Property, a new type that is introduced by QuickCheck. Luckily we do not need to know much about this type in order to use QuickCheck; all we need to know is that we can use quickCheck to test functions that return a Property just like functions that return a Bool!

> quickCheck prop_replicate
+++ OK, passed 100 tests; 695 discarded.

What just happened? QuickCheck tests the property replicate n (x :: Int) !! i == x as before, but now it discards all test cases that do not satisfy the condition i >= 0 && i < n. In the output, we can see that it generated a total of 795 test cases, of which 695 were discarded and the remaining 100 passed successfully.

Conditional properties work well when there is a reasonable chance that a randomly generated input will satisfy the condition. However, it breaks down when valid inputs are very rare. For example, let us try to test that inserting an element into an ordered list again results in an ordered list:

prop_insert_sorted :: Int -> [Int] -> Property
prop_insert_sorted x xs = sorted xs ==> sorted (insert x xs)

If we ask QuickCheck to test this property, it gives up:

> quickCheck prop_insert_sorted
*** Gave up! Passed only 80 tests; 1000 discarded tests.

The lesson here is that we should not use conditional properties when the condition is very unlikely to be satisfied.

Quantified properties

Instead of first generating random values and then filtering out the ones that are not valid, we can instead use a different random generator that only generates valid inputs in the first place. For this purpose, QuickCheck allows us to define quantified properties by using custom random generators of type Gen a. For example, we can use the generator orderedList to generate a random ordered list. We can use random generators to define properties by using the function forAll:

prop_insert_sorted :: Int -> Property
prop_insert_sorted x = forAll orderedList (\xs -> sorted (insert x xs))

The first argument of forAll is the random generator. The second argument is a function that maps the result of the generator to the property we want to test (in other words, forAll is a higher-order function). Here we have given the function as a lambda expression \xs -> sorted (insert x xs). Note that the list xs is no longer an input to the overall property prop_insert_sorted, as it is already an argument to the lambda expression. Now if we run quickCheck again, we see that the tests now pass:

> quickCheck prop_insert_sorted
+++ OK, passed 100 tests.

You can also use verboseCheck to verify that all the generated lists are indeed sorted (do it!)

QuickCheck provides a long list of random generators that we can use to test our properties. Here are a few useful examples:

The generator choose will choose a random elements between two bounds. For example, choose (1,6) will generate a random number between 1 and 6 (both bounds included).
The generator elements will choose a random element from a given list of values. For example, elements ['a','e','i','o','u'] will generate a random vowel.
The generator frequency works like elements but allows you to give a weight to each option determining how likely it is that it is generated. For example, frequency [(99,True),(1,False)] will generate True 99% of the time and False 1% of the time.
The generator vector generates lists of a given length. For example, vector 42 generates random lists of length 42.
The generator shuffle generates lists with the same elements as a given list but in a random order. For example, shuffle [1..10] generates random lists containing the numbers 1 to 10.

You can find many other generators by looking at the module Test.QuickCheck. In addition, it is possible to define your own random generators, but this goes beyond the scope of this introduction.

If you want to play around with these random generators, you can use the function sample from GHCi to generate a couple of random values with the given generator:

> import Test.QuickCheck
> sample (shuffle [1..10])
[9,1,8,7,3,2,10,4,6,5]
[3,10,5,7,2,1,9,4,6,8]
[6,1,4,2,3,7,8,10,5,9]
[6,8,9,10,3,5,4,7,2,1]
[8,9,3,7,10,5,2,4,1,6]
[7,5,2,9,10,4,6,8,3,1]
[9,5,4,6,1,7,3,10,2,8]
[5,3,1,10,9,7,8,4,6,2]
[3,4,10,2,7,6,8,1,9,5]
[3,9,2,8,5,4,1,10,6,7]
[6,5,4,9,2,3,8,7,10,1]

Testing properties of functions

In addition of being able to generate values of basic types such as integers, booleans, and lists, QuickCheck can also generate random functions that you can use to write tests. However, for technical reasons related to shrinking, QuickCheck cannot directly generate an element of type, say, String -> Bool. Instead, QuickCheck introduces a new (generic) type Fun a b with two parameters a and b, as well as a function applyFun :: Fun a b -> a -> b.

For example, we can test that for any function p :: Int -> Bool, we have that p x == True for all elements of the list [ x | x <- xs , p x ]:

prop_filter :: Fun Int Bool -> [Int] -> Property
prop_filter p xs = 
      -- Filter elements not satisfying p.
  let ys = [ x | x <- xs , applyFun p x ]
      -- If any elements are left...  
  in  ys /= [] ==>          
        -- ...generate a random index i...               
        forAll (choose (0,length ys-1))
          -- ...and test if p (ys!!i) holds.    
          (\i -> applyFun p (ys!!i))

> quickCheck prop_filter
+++ OK, passed 100 tests; 41 discarded.

As another (silly) example, let us try to test the property that each function of type String -> Int produces the same result on at least two out of three values of "banana", "monkey", and "elephant":

prop_bananas :: Fun String Int -> Bool
prop_bananas f = 
  applyFun f "banana" == applyFun f "monkey" ||
  applyFun f "banana" == applyFun f "elephant" ||
  applyFun f "monkey" == applyFun f "elephant"

> quickCheck prop_bananas
*** Failed! Falsified (after 2 tests and 163 shrinks):     
{"banana"->0, "elephant"->1, _->2}

The function {"banana"->0, "elephant"->1, _->2} generated by QuickCheck maps "banana" to 0, "elephant" to 1, and all other strings to 2. As you can verify, this is indeed a counterexample to the property we defined. It might come as a surprise that QuickCheck is able to come up with this counterexample by itself!

Bonus: “Behind the scenes”

The content of this section is not required to use QuickCheck, but it might help you to get a deeper understanding of the types and type classes that make QuickCheck tick.

Let us start by trying to analyse the type of the function quickCheck:

quickCheck :: Testable prop => prop -> IO ()

It takes an argument of polymorphic type prop – which must satisfy the Testable typeclass – and produces an output of type IO (). Values of type IO () are interactive programs that we can run in GHCi or compile to an executable program; we will look into this type in more detail later in the course. Meanwhile, Testable is a typeclass just like other classes we have seen before: Eq, Ord, Show, Num, …

The Testable class determines what kind of properties can be tested by quickCheck, i.e. what types are valid inputs to quickCheck. It has the following relevant instances:

Bool is an instance of Testable, which is what allows us to run quickCheck on properties of type Bool.
Likewise, the type Property is an instance of Testable, so we can also run quickCheck on properties such as condition ==> prop and forAll gen (\x -> prop).
Finally, a function type a -> b is an instance of Testable provided b is an instance of type Testable and a is an instance of another class Arbitrary. This is what allows us to run quickCheck on properties that take one or more inputs that are randomly generated.

Next we have the Arbitrary typeclass. Types that are an instance of this typeclass have a ‘default’ random generator arbitrary :: Arbitrary a => Gen a. For example, Bool is an instance of Arbitrary with arbitrary = elements [True,False]. In addition, there is also a function shrink :: Arbitrary a => a -> [a] that computes a list of all ‘shrunk’ versions of a value.

When testing a property, QuickCheck will first generate random inputs using the arbitrary generator associated to the input type. It will then test the property by running it on the generated inputs. Finally, if it finds a counterexample it will try to shrink it step by step as long as the test keeps failing.

NWO Veni Grant on A Trustworthy and Extensible Core Language for Agda

Jesper Cockx — Wed, 11 Nov 2020 00:00:00 UT

Jesper Cockx - NWO Veni Grant on A Trustworthy and Extensible Core Language for Agda

Jesper Cockx

NWO Veni Grant on A Trustworthy and Extensible Core Language for Agda

Posted by Jesper on November 11, 2020

I’m very glad and humbled to announce that I received an NWO Veni Grant for my proposal “A Trustworthy and Extensible Core Language for Agda.” You can read the official announcement on the NWO website. Thanks to this grant I will be able to focus on the development of Agda Core during the coming three years. Below, you can find the abstract of the proposal:

As software takes an increasingly central position in our society, being able to trust the software we use likewise becomes more and more important. Programming languages based on dependent types – such as Coq and Agda – provide a strong answer to this demand: they allow programmers to state the expected properties of a program, and the computer checks that these properties are satisfied before the program is ever executed. Yet the implementations of these languages are themselves just pieces of software, so can we really trust them? The problem is exacerbated by the multitude of extensions to these languages that make them more expressive and easier to use, but at the same time increase the number of components that must be trusted.

The goal of this project is to develop a fundamental approach to ensure the trustworthiness of dependently typed programming languages by means of a small core language that is deeply embedded into the full language. Embedding the core language within the full language erases the gap between its specification and implementation, minimizing the amount of code we have to trust and enabling us to do a meta-theoretic study to increase our trust even further. An embedded core language is also useful in practice: we intend to explore its potential as the basis for meta-programming and proof exchange with other languages. Concretely, we will develop Agda Core, a small and trustworthy core language for Agda embedded within Agda itself. In the development of Agda Core we will pay special attention to extensibility, providing a solid foundation for formalizing Agda’s various extensions. Thus we provide the basis for the next generation of programming languages that make it easy to develop programs that do what they are supposed to do, and nothing else.

Announcement: I'm moving to Delft!

Jesper Cockx — Tue, 12 Nov 2019 00:00:00 UT

Jesper Cockx - Announcement: I'm moving to Delft!

Jesper Cockx

Announcement: I'm moving to Delft!

Posted by Jesper on November 12, 2019

I’m very glad to announce that starting on the 1st of December, I will join the programming languages group at TU Delft as an assistant professor! Some of my new colleagues are Eelco Visser, Robert Krebbers, Casper Bach Poulsen, Arjen Rouvoet, and Hendrik van Antwerpen. I’m looking forward to work with them, and of course I will continue to work on improving Agda.

In related news, I will soon be hiring a PhD student. So if you are interested to work on improving Agda and dependently typed programming in general, send me an email at jesper@sikanda.be (more information about the formalities will follow later).

Rewriting type theory

Jesper Cockx — Wed, 30 Oct 2019 00:00:00 UT

Jesper Cockx - Rewriting type theory

Jesper Cockx

Rewriting type theory

Posted by Jesper on October 30, 2019

This is the second in a series of three blog posts on rewrite rules in Agda. If you haven’t already, you can read the first post here. In that post, I gave several examples of how you can use rewrite rules in Agda to make your life easier and experiment with new extensions to type theory. This post goes into the nitty-gritty details of how to rewrite rules work in general, and how they interact with several other features of Agda.

Instead of starting with a full-fledged language like Agda, I first describe a small core language with the ability to declare new rewrite rules. After that, I’ll extend it with other features that you are used to from Agda, such as datatypes, record types with eta-equality, irrelevance, parametrized modules, implicit arguments and metavariables, and universe level polymorphism.

I apologize in advance if this post is a little dry compared to the previous one. However, I think it’s worth it to specify the algorithms we use in detail to give a deeper understanding of a feature. And when there’s ever some weird behaviour in the implementation of rewrite rules, the spec helps to determine whether it is a bug in the implementation or actually the intended semantics.

Rewriting type theory

Without further ado, let’s define our core rewriting type theory.

Syntax

The syntax has five constructors: variables, function symbols, lambdas, pi types, and universes.

\[ \begin{array}{lcll} u, v, A, B &::=& x\; \bar{u} & \text{(variable applied to arguments)} \\ & | & \fun{f}\; \bar{u} & \text{(function symbol applied to arguments)} \\ & | & \lambda x.\, u & \text{(lambda abstraction)} \\ & | & (x : A) \rightarrow B & \text{(dependent function type)} \\ & | & \ty{i} & \text{(\(i\)th universe)} \\ \end{array} \]

As in the internal syntax of Agda, there is no way to represent a \(\beta\)-redex in this syntax. Instead, substitution \(u\sigma\) is defined to eagerly reduce \(\beta\)-redexes on the fly.

Contexts are right-growing lists of variables annotated with their types.

\[ \begin{array}{lcll} \Gamma, \Delta &::=& \emp & \text{(empty context)} \\ & | & \Gamma (x : A) & \text{(context extension)} \\ \end{array} \]

Patterns \(p,q\) share their syntax with regular terms, but must satisfy some additional restrictions. To start with, the only allowed patterns are unapplied variables \(x\) and applications of function symbols to other patterns \(\fun{f}\; \bar{p}\). This allows us for example to declare rewrite rules like \(\fun{plus}\; x\; \con{zero} \rew x\) and \(\fun{plus}\; x\; (\con{suc}\; y) \rew \con{suc}\; (x + y)\).

Declarations

In this simple core language, there are two kinds of declarations: function symbols (corresponding to a postulate in Agda) and rewrite rules (corresponding to a postulate + a {-# REWRITE #-} pragma).

\[ \begin{array}{lcll} d &::=& \fun{f} : A & \text{(function symbol)} \\ & | & \forall \Delta. \fun{f}\; \bar{p} : A \rew v & \text{(rewrite rule)} \\ \end{array} \]

Since this is a blog post and not a full paper, I omit the typing and conversion rules. The only relevant bit are the rules for checking the validity of a rewrite rule:

Each variable in \(\Delta\) must occur exactly once in the pattern \(\bar{p}\) (we will later relax this to ‘at least once’).
The left- and right-hand side of the rewrite rule must be well-typed, i.e. \(\Delta \vdash \fun{f}\; \bar{p} : A\) and \(\Delta \vdash v : A\).
The left-hand side of the rewrite rule should be neutral, i.e. it should not reduce.

The first restriction is necessary because otherwise reduction would introduce variables that are not in scope, breaking well-scopedness of expressions (if you do not agree this is reasonable, you’re reading the wrong blog). Without the second restriction, it would be easy to define rewrite rules that break type preservation (though just well-typedness of rewrite rules is not sufficient, see the next post in this series). It is possible to go without the third restriction, but in practice this would mean that the rewrite rule would never be applied.

Reduction and matching

To reduce a term \(\fun{f}\; \bar{u}\), we look all the rewrite rules of \(\fun{f}\) to see if any of them apply (we assume a global signature \(\Sigma\) containing all declarations).

\[ \ru{(\forall \Delta. \fun{f}\; \bar{p} : A \rew v) \in \Sigma \qquad [\match {\bar u} {\bar p}] \Rightarrow \sigma} {\fun{f}\; \bar u \red v\sigma} \]

Matching a term \(u\) against a pattern \(p\) produces (if it succeeds) a substitution \(\sigma\) and is written \([\match u p] \Rightarrow \sigma\). In contrast to the first-match semantics of clauses of a regular definition by pattern matching, all rewrite rules are considered in parallel, so there is no need for separate notion of a failing match.

\[ \begin{gather*} \ru{}{[\match u x] \Rightarrow [\subst u x]} \qquad % \ru{[\match {\bar u} {\bar p}] \Rightarrow \sigma}{[\match {\fun{f}\; \bar u} {\fun{f}\; \bar p}] \Rightarrow \sigma} \\[2ex] % \ru{u \red^* v \qquad [\match v p] \Rightarrow \sigma}{[\match u p] \Rightarrow \sigma} \\[2ex] % \ru{}{[\match \emp \emp] \Rightarrow []} \qquad % \ru{[\match u p] \Rightarrow \sigma_1 \qquad [\match {\bar u} {\bar p}] \Rightarrow \sigma_2}{[\match {u;\bar u} {p;\bar p}] \Rightarrow \sigma_1 \uplus \sigma_2} \end{gather*} \]

Matching a term against a pattern variable produces a substitution that assigns the given value to the variable, while matching an expression \(\fun{f}\; \bar u\) against a pattern \(\fun{f}\; \bar{p}\) recursively matches the arguments \(\bar{u}\) against the patterns \(\bar{p}\), combining the results of each match by taking the disjoint union \(\sigma_1 \uplus \sigma_2\). Matching can also reduce the term being matched, which means matching and reduction are mutually recursive.

Higher-order rewriting

With the basic set of rewrite rules introduced in the previous section, you can already declare a surprisingly large number of rewrite rules for first-order algebraic structures. From the examples of the previous post in this series, it handles all of example 1, rules map-fuse and map-++ from example 2, all of example 3, rule //-beta from example 4, rules catch-true, catch-false, and catch-exc from example 5, and the rules dealing with Bool in example 6.

Most of the examples that don’t work yet are excluded because they use λ and/or function types in the pattern of a rewrite rule. This brings us to the issue of higher-order rewriting. See also issue #1563 on the Agda bug tracker for more examples where higher-order rewrite rules are needed. Although the metatheory of higher-order rewrite systems is notoriously complex, merely implementing it is much easier.

To support higher-order rewriting, we extend the pattern syntax beyond variables and function symbols. The following patterns are supported:

A lambda pattern \(\lambda x. p\)
A function type pattern \((x:p) \rightarrow q\)
A bound variable pattern \(x\; \bar p\), where \(x\) is a variable bound locally in the pattern by a lambda or function type

During matching it is important to keep the (rigid) bound variables separate from the (flexible) pattern variables. For this purpose, the matcher keeps a list \(\Phi\) of all rigid variables. This list is not touched by any of the previous rules, but any variables bound by a \(\lambda\) or a function type are added to it.

\[ \begin{gather*} \ru{\Phi, x \vdash [\match u p] \Rightarrow \sigma}{\Phi \vdash [\match {\lambda x.\, u} {\lambda x.\, p}] \Rightarrow \sigma} \\[2ex] % \ru{\Phi \vdash [\match A p] \Rightarrow \sigma_1 \qquad \Phi, x \vdash [\match B q] \Rightarrow \sigma_2}{\Phi \vdash [\match {(x : A) \rightarrow B} {(x : p) \rightarrow q}] \Rightarrow \sigma_1 \uplus \sigma_2} \\[2ex] % \ru{x \in \Phi \qquad \Phi \vdash [\match {\bar u} {\bar p}] \Rightarrow \sigma}{\Phi \vdash [\match {x\; \bar u} {x\; \bar p}] \Rightarrow \sigma} \\[2ex] \end{gather*} \]

Note the strong similarity between the third rule and the rule for matching a function symbol \(\fun{f}\). This is not a coincidence: both function symbols and bound variables act as rigid symbols that can be matched against.

The rules above extend the pattern syntax to allow for bound variables in patterns, and allow for rules such as map-id (i.e. map (λ x → x) xs ≡ xs). However, they do not yet constitute true higher-order rewriting (such as in rules raise-fun, cong-Π, and cong-λ). For this we also consider pattern variables applied to arguments.

As is well known, allowing arbitrary patterns as arguments to pattern variables makes matching undecidable (!), so it is customary to restrict patterns to Miller’s pattern fragment, where pattern variables must be applied to distinct, bound variables. Here is the general rule for matching against a pattern variable in the Miller fragment:

\[ \ru{FV(v) \cap \Phi \subseteq \bar{y}} {\Phi \vdash [\match v {x\; \bar{y}}] \Rightarrow [\subst {(\lambda \bar{y}. v)} x]} \]

Since all the arguments of \(x\) are variables, we can construct the lambda term \(\lambda \bar{y}.\, v\). To avoid having out-of-scope variables in the resulting substitution, we check that the free variables in \(v\) are included in \(\bar{y}\).

Eta-equality and record types

If you’ve been paying close attention, you may have noticed a flaw in the matching for \(\lambda\)-patterns: it does not respect \(\eta\)-equality. With \(\eta\)-equality for functions, any term \(u : (x : A) \rightarrow B\; x\) can always safely replaced with \(\lambda x.\, u\; x\), so it should also match a pattern \(\lambda x.\, p\). In this case fixing the problem is not hard since we can \(\eta\)-expand on the fly whenever we match something against a \(\lambda\)-pattern:

\[ \ru{\Phi, x \vdash [\match {u\; x} p] \Rightarrow \sigma} {\Phi \vdash [\match u {\lambda x.\, p}] \Rightarrow \sigma} \]

Unfortunately this is not enough to deal with \(\eta\)-equality in general. It’s possible that the pattern is underapplied as well, e.g. when we match a term of type \((x : A) \rightarrow B\; x\) against a pattern \(\fun{f}\; \bar{p}\) or \(x\; \bar{p}\).

To respect eta equality for functions and record types, we need to make matching type-directed! We also need contexts with the types of the free and bound variables. Thus we extend the matching judgement to \(\Gamma;\Phi \vdash [\match {u : A} {p}] \Rightarrow \sigma\) where \(A\) is the type of \(u\) (note: not necessarily the same as the type of \(p\)!) and \(\Gamma\) and \(\Phi\) are now contexts of pattern variables and bound variables respectively.

The type information is used by the matching algorithm to do on-the-fly \(\eta\)-expansion of functions whenever the type is a function type:

\[ \ru{\Gamma;\Phi(x:A) \vdash [\match {u\; x : B} {p\; x}] \Rightarrow \sigma} {\Gamma;\Phi \vdash [\match {u : (x : A) \rightarrow B} p] \Rightarrow \sigma} \]

Here \(p\; x\) is only defined if the result is actually a pattern, otherwise the rule cannot be applied. We may also reduce the type:

\[ \ru{A \red^* A' \qquad \Gamma;\Phi \vdash [\match {u : A'} p] \Rightarrow \sigma} {\Gamma;\Phi \vdash [\match {u : A} p] \Rightarrow \sigma} \]

\(\eta\) for records

Agda has \(\eta\)-equality not just for function types, but also for record types. For example, any term \(u : A \times B\) is definitionally equal to \((\field{fst}\; u , \field{snd}\; u)\). Since \(\eta\)-equality of records is a core rule of Agda, we extend the matching algorithm to deal with it (see issue #2979 and issue #3335). Luckily, since we now have a type-directed matching algorithm, it is easy to handle this rule.

Let \(\fun{R} : \ty{i}\) be a record type with fields \(\field{\pi_1} : A_1\), \(\ldots\), \(\field{\pi_n} : A_n\). Since records can be dependent, each type \(A_i\) may depend on the previous fields \(\field{\pi_1}\), \(\ldots\),\(\field{\pi_{i-1}}\). We have the following matching rule:

\[ \ru{\Gamma;\Phi \vdash [\match {\field{\pi_i}\; u : A_i'} {\field{\pi_i}\; p}] \Rightarrow \sigma \quad (i=1\cdots n)}{\Gamma;\Phi \vdash [\match {u : \fun{R}} p] \Rightarrow \sigma} \]

In this rule, the type \(A_i'\) is equal to \(A_i[\subst {\field{\pi_1}\; u} {\field{\pi_1}}, \cdots, \subst {\field{\pi_{i-1}}\; u} {\field{\pi_{i-1}}}]\).

In the case where \(n=0\), this rule says that a term of the unit record type \(\fun{\top}\) (with no fields) matches any pattern. So the matching algorithm even handles the notorious \(\eta\)-unit types!

Non-linearity and non-patterns

Sometimes it is useful to define rewrite rules with non-linear patterns, i.e. where a pattern variable occurs more than once. As an example, this allows us to postulate an equality proof trustMe : (x y : A) → x ≡ y with a rewrite rule trustMe x x ≡ refl. This can be used in a similar way to Agda’s built-in primTrustMe. Another example where non-linearity is used is the rule transportR-refl from example 4 in my previous post (it also needs irrelevance for Prop, see issue #3525 for more details).

Non-linear matching is actually an instance of a more general pattern I call a non-pattern. A non-pattern is an arbitrary term that matches another term if the terms are definitionally equal. Non-patterns allow embedding of arbitrary terms inside a pattern, but they cannot bind any variables. So even though we allow non-patterns, each pattern variable used in the rewrite rule still has to occur at least once in a pattern position.

Non-patterns are similar to inaccessible patterns (aka dot patterns in Agda) used in dependent pattern matching, with the important difference that inaccessible patterns are assumed to match whenever the rest of the pattern does, while non-patterns have to be checked.

For both non-linear patterns and non-patterns, the matching algorithm needs to decide whether two given terms are definitionally equal. This means reduction and matching are now mutually recursive with conversion checking.

Describing the full conversion checking algorithm of Agda would take us too far for this blog post, so let’s assume we have a (type-directed!) conversion judgement \(\Gamma \vdash u = v : A\). We extend the matching algorithm to also output a set of constraints \(\Psi = \{ \Phi_i \vdash u_i \ceq p_i\; |\; i = 1\cdots n \}\). The new judgement form of matching is now \(\Gamma;\Phi \vdash [\match {v : A} p] \Rightarrow \sigma ; \Psi\) (somehow I always end up with these crazy judgements with way too many arguments). We extend the matching algorithm with the ability to postpone a matching problem:

\[ \ru{} {\Gamma;\Phi \vdash [\match {v : A} p] \Rightarrow []; \{ \Phi \vdash v \ceq p : A \}} \]

All other rules just gather the set of constraints, taking the union whenever matching produces multiple sub-problems. When matching concludes, we check that all constraints actually hold before applying the rewrite rule:

\[ \ru{\begin{array}{c}\fun{f} : \Gamma \rightarrow A \in \Sigma \qquad (\forall\Delta. \fun{f}\; \bar{p} : B \rew v) \in \Sigma \\ [\match {\bar u : \Gamma[\bar u]} {\bar p}] \Rightarrow \sigma;\Psi \qquad \forall (\Phi \vdash v \ceq p : A) \in \Psi.\; \Phi \vdash v = p\sigma : A \end{array} } {\fun{f}\; \bar u \red v\sigma} \]

When checking a constraint we apply the final substitution \(\sigma\) to the pattern \(p\) but not to the term \(v\) or the type \(A\). This makes sense because the term being matched does not contain any pattern variables in the first place (and neither does its type).

A quick note on the implementation side: to actually change Agda to make the matching depend on conversion checking took quite some effort. The reason for this difficulty was that reduction and matching are running in one monad ReduceM, while conversion was running in another monad TCM (short for ‘type-checking monad’). In the new version after my refactoring, the conversion checker is now polymorphic in the monad it runs in. This means the same piece of code implements at the same time a pure, declarative conversion checker and a stateful constraint solver. I think this usage of effect polymorphism is pretty cool, and I don’t know many other production-ready languages besides Haskell where this would be possible.

Rewriting datatypes and constructors

Another important question is how rewrite rules interact with datatypes such as Bool, Nat, and _≡_. Can we simply add rewrite rules to (type and/or term) constructors? It turns out the answer is actually a bit more complicated.

If we allow rewriting of datatype constructors, you could (for example) postulate an equality proof of type Nat ≡ Bool and register it as a rewrite rule. However, this would mean \(\con{zero} : \data{Bool}\), violating an important internal invariant of Agda that any time we have \(\con{c}\; \bar{u} : \data{D}\) for a constructor \(\con{c}\) and a datatype \(\data{D}\), \(\con{c}\) is actually a constructor of \(\data{D}\) (see issue #3846). This is very unsafe even for the low standards of rewrite rules. For this reason, it’s not allowed to have rewrite rules on datatypes or record types. Sorry!

For constructors of datatypes there is no a priori reason why they cannot have rewrite rules attached to them. This would actually be useful to define a ‘definitional quotient type’ where some of the constructors may compute.

Unfortunately, there is another problem: internally, Agda does not store the constructor arguments corresponding to the parameters of the datatype. For example, the constructors [] and _∷_ of the List A type do not store the type A as an argument. This is actually really important for efficiency! However it means that rewrite rules on constructors cannot match against arguments in those positions, or bind pattern variables in them.

Currently, Agda enforces this restriction by requiring that for a rewrite rule on a constructor, the parameters need to be fully general, i.e. they must be distinct variables (see issue #3211). But this is not quite satisfactory yet, as shown by issue #3538, so if anyone knows a better criterion it would be welcome!

Irrelevance and Prop

An important feature of Agda that is (in my opinion) underused is definitional irrelevance, which comes in the two flavours of irrelevant function types .A → B and the universe Prop of definitionally proof-irrelevant propositions.

For rewrite rules with irrelevant parts in their patterns, we do not want matching to ever fail because this would mean a supposedly irrelevant term is not actually irrelevant. However, it should still be allowed to bind a variable in an irrelevant position, since we might want to use that variable in (irrelevant positions of) the right-hand side (see issue #2300). This means in irrelevant positions we allow:

pattern variables \(x\; \bar y\) where \(\bar y\) are all the bound variables in scope, and
non-patterns \(u\) that do not bind any variables.

Because of irrelevance, neither of these will ever produce a mismatch.

Together with the ability to have non-linear patterns, this allows us to have cool rewrite rules such as transportR-refl : transportR P refl x ≡ x where transportR : (P : A → Set ℓ) → x ≐ y → P x → P y and x ≐ y is the equality type in Prop. The constructor refl here is irrelevant, so this rule does not actually match against the constructor refl! Instead, Agda checks that the two arguments x and y are definitionally equal, and apply the rewrite rule if this is the case.

Universe level polymorphism

Universe level polymorphism allows Agda programmers to write definitions that are polymorphic in the universe level of a type parameter. Since the type Level of universe levels is a first-class type in Agda, it interacts natively with rewrite rules: patterns can bind variables of type Level just as any other type. This allows us for example to define rewrite rules such as map-id that work on level-polymorphic lists.

The type Level also supports two operations lsuc : Level → Level and _⊔_ : Level → Level → Level. These operations have a complex equational structure: _⊔_ is associative, commutative, and idempotent, and lsuc distributes over _⊔_, just to name a few of the laws (the actual implementation of the normalization of levels is worth a look). This causes trouble for the matching used for rewrite rules: how would one even determine whether a given level matches a ⊔ b when _⊔_ is commutative? Issue #2090 and issue #2299 show some of the things that would go wrong. For this reason it is not allowed to have rewrite rules that match against lsuc or _⊔_ (i.e. expressions containing these symbols are treated as non-patterns).

This restriction on patterns of type Levels is seems reasonable enough, but it causes trouble for certain rewrite rules. In particular, it is often not satisfied by rewrite rules that match on function types — like the cong-Π rule we used in the encoding of observational type theory last time, or like the problem described in issue #3971. The problem is that if A : Set ℓ₁ and B : Set ℓ₂, then the function type (x : A) → B has type Set (ℓ₁ ⊔ ℓ₂), so there is no sensible position to bind the variables ℓ₁ and ℓ₂.

To allow rewrite rules such as cong-Π, we need to think a little out of the box. It turns out that in the internal syntax of Agda, function types (x : A) → B are annotated with the sorts of A and B. So the ‘real’ function type of Agda looks more like (x : A : Set ℓ₁) → (B : Set ℓ₂). This means that if we allow rewrite rules to bind pattern variables in these hidden annotations, we are saved! The matching rule for function types now becomes:

\[ \ru{\begin{array}{c} \Gamma;\Phi \vdash [\match {A : \ty{\ell_1}} p] \Rightarrow \sigma_1; \Psi_1 \qquad \Gamma;\Phi \vdash [\match {\ell_1 : \level} q] \Rightarrow \sigma_2; \Psi_2 \\ \Gamma;\Phi(x:A) \vdash [\match {B : \ty{\ell_2}} r] \Rightarrow \sigma_3; \Psi_3 \qquad \Gamma;\Phi [\match {\ell_2 : \level} s] \Rightarrow \sigma_4; \Psi_4 \end{array} } {\begin{array}{l} \Gamma;\Phi \vdash [\match {(x : A : \ty{\ell_1}) \rightarrow (B : \ty{\ell_2})} {(x : p : \ty{q}) \rightarrow (r : \ty{s})}] \\ \qquad \Rightarrow (\sigma_1 \uplus \sigma_2 \uplus \sigma_3 \uplus \sigma_4);(\Psi_1 \cup \Psi_2 \cup \Psi_3 \cup \Psi_4) \end{array} } \]

That’s quite a mouthful, but sometimes that’s the price you have to pay to talk about real systems rather than toy examples!

Metavariables and constraint solving

To automatically fill in the values of implicit arguments, Agda inserts metavariables as their placeholders. These metavariables are then solved during typechecking by the constraint solver. As a rule, whenever you add a new feature to Agda, eventually it will cause something to go wrong in the constraint solver. This is certainly the case for rewrite rules. I’m in no position to give a full account of Agda’s constraint solver here, but let me discuss the most important ways it is impacted by rewrite rules.

Blocking tags

To do proper constraint solving, we need to know when a reduction is blocked on a particular metavariable. Usually it is possible to point out a single metavariable, but this is no longer the case when rewrite rules are involved:

With overlapping rewrite rules, it is possible to be blocked on a set of metavariables. For example, if we try to reduce the expression \(X + Y\) where \(X\) and \(Y\) are metavariables of type Nat and _+_ is the parallel version of addition as in example 1 of the previous post, then this expression might reduce further when either \(X\) or \(Y\) is instantiated to a constructor. So a postponed constraint involving this expression has to be woken up when \(X\) or \(Y\) is instantiated.
For higher-order matching, we check whether a particular variable occurs freely in the body of a lambda or pi. When metavariables are involved, a variable occurrence may be flexible: whether or not the variable occurs depends on the instantiation of a particular metavariable (see issue #1663). In this case we also remember the set of metavariables on which the flexible occurrence depends.
Likewise, when a rewrite rule with non-linear patterns or non-patterns is blocked on the conversion check because of an unsolved metavariable, we need to know what metavariable is causing the problem (see issue #1987 and issue #2302).

Currently, the Agda implementation uses only an approximation of the set of metavariables it encounters (i.e. only the first metavariable encountered). This is not too harmful because the current implementation of Agda is anyway quite generous in how often it retries to solve sleeping constraints. If in the future Agda would be changed to be more careful in letting sleeping constraints lie (which would be a good thing to do!), a more precise tracking of blocking metavariables would also be desirable.

Pruning and constructor-like symbols

When adding new rewrite rules, we also keep track of what symbols are constructor-like. This is important for the pruning phase of the constraint solver. For example, let’s say the constraint solver is trying to solve an equation \(X \ceq Y\; (\fun{f}\; x)\). Since the metavariable \(X\) does not depend on the variable \(x\), the constraint solver attempts to prune the dependency of \(Y\) on \(x\). If \(\fun{f}\) is a regular postulate without any rewrite rules, there is no way that \(Y\) could depend on \(\fun{f}\; x\) without depending on \(x\), so the dependency of \(Y\) on its first argument is pruned away. However, if there is a rewrite rule where \(f\) plays the role of a constructor — say a rule \(\fun{g}\; (\fun{f}\; y) \rew \con{true}\) — then the assignment \(X := \con{true}\) and \(Y := \lambda y.\, \fun{g}\; y\) is a valid solution to the constraint where \(Y\) does depend on its argument, so it should not be pruned away.

Parametrized modules and `where` blocks

In one sense, parametrized modules in Agda can be thought of as \(\lambda\)-lifting all the definitions inside the module: if a module with parameters \(\Gamma\) contains a definition of \(\fun{f} : A\), then the real type of \(\fun{f}\) is \(\Gamma \rightarrow A\). But this does not quite capture the intuition that definitions inside a parametrized module should be parametric in the parameters. So in a different sense module parameters are rigid symbols more alike to postulates than variables. For this reason, module parameters play a double role on the left-hand side of a rewrite rule:

As long as the parameter is in scope, it is treated as a non-pattern, so it has to match ‘on the nose’ (i.e. it cannot be instantiated by matching).
Once the parameter goes out of scope (i.e. at the end of the module), it is treated as a regular pattern variable that can be instantiated by matching.

This intuition of module parameters as rigid symbols also applies to Agda’s treatment of where blocks, which are nothing more than modules parametrized over the pattern variables of the clause (you can even give a name to the where module using the module M where syntax!) Here a ‘local’ rewrite rule in a where block should only apply for the specific arguments to the function that are used in the clause, not those of a recursive call (see issue #1652 for an example).

Conclusion

This post is my attempt at documenting all the weird interactions that come up when you try to integrate user-defined rewrite rules into a general-purpose dependently typed language. I also wanted to document the solutions that I came up with along the way. Of course, this is by no means the only way to do things, nor the best one. But at least it is a way that I found to work, so I thought it would be worth writing it down. I know at least some people who are using rewrite rules in exciting ways I didn’t anticipate, which makes me very glad!

This post was about the technology of how to add rewrite rules to Agda or similar languages. Using these rewrite rules is essentially building your own type theory, which means you have to do your own meta-theory to make sure everything is safe (for whatever notion of safe you like). But there are many use cases of rewrite rules that feel like they shouldn’t break any of the usual properties we expect from an Agda program. Can we carve out a usable fragment of rewrite rules that is guaranteed to do no harm? Stay tuned for the next and final post in this series!

Hack your type theory with rewrite rules

Jesper Cockx — Mon, 21 Oct 2019 00:00:00 UT

Jesper Cockx - Hack your type theory with rewrite rules

Jesper Cockx

Hack your type theory with rewrite rules

Posted by Jesper on October 21, 2019

This is the first in a series of three blog posts on rewrite rules in Agda. In contrast to my previous post, this post will decidedly non-introductory. Instead, we will have some fun by doing unsafe things and hacking things into the core reduction machinery of Agda.

The main part of this post will consist of several examples of how to use rewrite rules to go beyond the usual boundaries set by Agda and define your own computation rules. The next two posts in this series will go more into how rewrite rules work in general and the metatheory of type theory extended with rewrite rules.

Why rewrite rules?

The way I learned type theory from Simon Thompson’s book, each type former is defined by four sets of rules:

The formation rule (e.g. Bool : Set)
The introduction rules (e.g. true : Bool and false : Bool)
The elimination rules (e.g. if P : Bool → Set, b : Bool, pt : P true, and pf : P false, then if b then pt else pf : P b)
The computation rules (e.g. if true then pt else pf = pt and if false then pt else pf = pf)

Most of the time when we work in Agda, we don’t introduce new types by directly giving these rules. That would be very unsafe, as there’s no easy way for Agda to check that the given rules make sense. Instead, we can introduce new rules through schemes that are well-known to be safe, such as strictly positive datatypes and terminating functions by dependent pattern matching.

However, if you’re experimenting with adding new features to dependently typed languages or if you’re a heavy user of them, you might find working within these schemes a bit too restrictive. You might be tempted to use postulate to define new types and terms, or to turn off the safety checks for termination, positivity, and/or universe consistency. Yet there is one thing that cannot be simply added by using these tricks. This is exactly the one thing that breathes life into the type theory: the computation rules. This is the purpose of rewrite rules in Agda (as well as in some other languages like Dedukti): to allow the user of the language to extend the language’s notion of definitional equality with additional computation rules.

Concretely, given a proof (or a postulate) p : ∀ x₁ ... xₙ → f u₁ ... uₙ ≡ v, you can register it as a rewrite rule with a pragma {-# REWRITE p #-}. From this point on, Agda will automatically reduce instances of the left-hand side f u₁ ... uₙ (i.e. for specific values of x₁ ... xₙ) to the corresponding instance of v. To give a silly example, if f : A → A and p : ∀ x → f x ≡ x, then the rewrite rule will replace any application f u with u, effectively turning f into the identity function λ x → x.

There are some restrictions on what kind of equality proofs can be turned into rewrite rules, which I will go into more detail in the next post. Until then, I hope the examples in this post give a good idea of the kind of things that are possible.

One thing that is perhaps obvious but I want to stress nevertheless is that by design rewrite rules are a very unsafe feature of Agda. Compared to using postulate, rewrite rules don’t allow you to break soundness (at least not directly), but they can break core assumptions of Agda such as confluence of reduction and even type preservation. So each time you use a rewrite rule, make sure you know it is justified, or be prepared to suffer the consequences.

With the introduction out of the way, let’s jump into some examples of cool things you can do with rewrite rules.

Preliminaries

This whole post is written as a literate Agda file. As always, we some basic options and imports. For the purpose of this post, the two most important ones are the --rewriting flag and the import of Agda.Builtin.Equality.Rewrite, which are both required to make rewrite rules work. Meanwhile, the --prop flag enables Agda’s Prop universe (new in Agda 2.6.0), which we will use in some of the examples.

{-# OPTIONS --rewriting --prop #-}

open import Agda.Primitive
open import Agda.Builtin.Bool
open import Agda.Builtin.Nat
open import Agda.Builtin.List
open import Agda.Builtin.Equality
open import Agda.Builtin.Equality.Rewrite

As in the previous post, I will make heavy use of generalizable variables to make the code more readable. (Honestly, I’m not sure how I ever managed to write Agda code without them.)

variable
  ℓ ℓ₁ ℓ₂ ℓ₃ ℓ₄ : Level
  A B C       : Set ℓ
  P Q         : A → Set ℓ
  x y z       : A
  f g h       : (x : A) → P x
  b b₁ b₂ b₃  : Bool
  k l m n     : Nat
  xs ys zs    : List A

To avoid reliance on external libraries, we also need these two basic equality reasoning principles.

cong : (f : A → B) → x ≡ y → f x ≡ f y
cong f refl = refl

transport : (P : A → Set ℓ) → x ≡ y → P x → P y
transport P refl p = p

Example 1: Overlapping pattern matching

To start, let’s look at an example where rewrite rules can solve a problem that is encountered by almost every newcomer to Agda. This problem usually pops up as the question why 0 + m computes to m, but m + 0 does not (and similarly, (suc m) + n computes to suc (m + n) but m + (suc n) does not). This problem manifests for example when trying to prove commutativity of _+_ (the lack of highlighting means the code does not typecheck):

+comm : m + n ≡ n + m
+comm {m = zero}  = refl
+comm {m = suc m} = cong suc (+comm {m = m})

Here, Agda complains that n != n + zero of type Nat. The usual way to solve this problem is by proving the equations m + 0 ≡ m and m + (suc n) ≡ suc (m + n) and using an explicit rewrite statement in the main proof (N.B.: Agda’s rewrite keyword should not be confused with rewrite rules, which are added by a REWRITE pragma. Confusing, I know.)

This problem is something that has both frustrated and fascinated me from the very beginning I started working on type theory. During my master thesis, I worked on adding overlapping computation rules to make this problem go away without adding any explicit rewrite statements to the proof above.

By using rewrite rules, we can simulate the solution from our paper. First, we need to prove that the equations we want hold as propositional equalities:

zero+ : zero + n ≡ n
zero+ = refl

suc+ : (suc m) + n ≡ suc (m + n)
suc+ = refl

+zero : m + zero ≡ m
+zero {m = zero}  = refl
+zero {m = suc m} = cong suc +zero

+suc : m + (suc n) ≡ suc (m + n)
+suc {m = zero}  = refl
+suc {m = suc m} = cong suc +suc

We mark the equalities that are not already definitional as rewrite rules with a REWRITE pragma:

{-# REWRITE +zero +suc #-}

Now the proof of commutativity works exactly as we wrote before:

+comm : m + n ≡ n + m
+comm {m = zero}  = refl
+comm {m = suc m} = cong suc (+comm {m = m})

Note that there is no way to make this proof go through without rewrite rules: it is essential that _+_ computes both on its first and second arguments, but there’s no way to define _+_ in such a way using Agda’s regular pattern matching.

Example 2: New equations for neutral terms

The idea of extending existing functions with new computation rules has been taken much further in a very nice paper by Guillaume Allais, Conor McBride, and Pierre Boutillier titled New Equations for Neutral Terms. In this paper, they add new computation rules to classic functions on lists such as map, _++_, and fold. In Agda, we can prove these rules and then add them as rewrite rules (here I only show a subset of the rules in the paper):

map : (A → B) → List A → List B
map f []       = []
map f (x ∷ xs) = (f x) ∷ (map f xs)

infixr 5 _++_
_++_ : List A → List A → List A
[]       ++ ys = ys
(x ∷ xs) ++ ys = x ∷ (xs ++ ys)

map-id : map (λ x → x) xs ≡ xs
map-id {xs = []}     = refl
map-id {xs = x ∷ xs} = cong (_∷_ x) map-id

map-fuse : map f (map g xs) ≡ map (λ x → f (g x)) xs
map-fuse {xs = []}     = refl
map-fuse {xs = x ∷ xs} = cong (_∷_ _) map-fuse

map-++ : map f (xs ++ ys) ≡ (map f xs) ++ (map f ys)
map-++ {xs = []}     = refl
map-++ {xs = x ∷ xs} = cong (_∷_ _) (map-++ {xs = xs})

{-# REWRITE map-id map-fuse map-++ #-}

These rules look reasonably simple, but when used together they can be quite powerful. For example, below we show that the expression map swap (map swap xs ++ map swap ys) reduces directly to xs ++ ys, without doing any induction on the lists!

record _×_ (A B : Set) : Set where
  constructor _,_
  field
    fst : A
    snd : B
open _×_

swap : A × B → B × A
swap (x , y) = y , x

test₁ : map swap (map swap xs ++ map swap ys) ≡ xs ++ ys
test₁ = refl

To compute the left-hand side of the equation to the right-hand side, Agda makes use of map-++ (step₁), map-fuse (step₂), built-in eta-equality (step₃), the definition of swap (step₄), and finally the map-id rewrite rule (step₅).

-- Using map-++:
step₁ : map swap (map swap xs ++ map swap ys)
      ≡ map swap (map swap xs) ++ map swap (map swap ys)
step₁ = refl

-- Using map-fuse (likewise for ys)
step₂ : map swap (map swap xs)
      ≡ map (λ x → swap (swap x)) xs
step₂ = refl

-- Using eta-expansion
step₃ : map (λ x → swap (swap x)) xs
      ≡ map (λ x → swap (swap (fst x , snd x))) xs
step₃ = refl

-- Using definition of swap (2x)
step₄ : map (λ x → swap (swap (fst x , snd x))) xs
      ≡ map (λ x → (fst x , snd x)) xs
step₄ = refl

-- Using map-id (together with eta-contraction)
step₅ : map (λ x → (fst x , snd x)) xs ≡ xs
step₅ = refl

Example 3: Higher inductive types

The original motivation for adding rewrite rules to Agda had little to do with overlapping computation rules as in the previous examples. Instead, its purpose was to experiment with defining higher inductive types. In particular, it was meant as an alternative for people using clever (but horrible) hacks to make their higher inductive types compute.

A higher inductive type is like a regular inductive type D with some additional path constructors, which construct an element of the identity type a ≡ b where a : D and b : D. A classic example is the Circle type, which has one regular constructor base and one path constructor loop:

postulate
  Circle : Set
  base : Circle
  loop : base ≡ base

postulate
  Circle-elim : (P : Circle → Set ℓ)
    → (base* : P base)
    → (loop* : transport P loop base* ≡ base*)
    → (x : Circle) → P x
  elim-base : ∀ (P : Circle → Set ℓ) base* loop*
    → Circle-elim P base* loop* base ≡ base*
{-# REWRITE elim-base #-}

To specify the computation rule for Circle-elim applied to loop, we need the dependent version of cong, which is called apd in the book.

apd : (f : (x : A) → P x) (p : x ≡ y)
    → transport P p (f x) ≡ f y
apd f refl = refl

postulate
  elim-loop : ∀ (P : Circle → Set ℓ) base* loop*
    → apd (Circle-elim P base* loop*) loop ≡ loop*
{-# REWRITE elim-loop #-}

Interestingly, the type of elim-loop is not even well-formed unless we alreay have elim-base as a rewrite rule! So without rewrite rules, it is even difficult to state the computation rule of Circle-elim for loop.

Example 4: Quotient types

One of the well-known weak spots of intentional type theory is the poor handling of quotient types. One of the more promising attempts at adding quotients to Agda is by Guillaume Brunerie in the initiality project, which uses a combination of rewrite rules and Agda’s new (strict) Prop universe.

Before I can give the definition of the quotient type, we first need to define the Prop-valued equality type _≐_. We also define its corresponding notion of transport, which has to be postulated due to current limitations in the implementation of Prop. Luckily, we can actually make transportR compute in the expected way by postulating the expected computational behaviour and turning it into a rewrite rule.

data _≐_ {A : Set ℓ} (x : A) : A → Prop ℓ where
  refl : x ≐ x

postulate
  transportR : (P : A → Set ℓ) → x ≐ y → P x → P y
  transportR-refl : transportR P refl x ≡ x
{-# REWRITE transportR-refl #-}

Now we can define the quotient type _//_. Specifically, given a type A and a Prop-valued relation R : A → A → Prop, we construct the type A // R consisting of elements proj x where x : A and proj x ≡ proj y if and only if R x y.

variable
  R : A → A → Prop

postulate
  _//_    : (A : Set ℓ) (R : A → A → Prop) → Set ℓ
  proj    : A → A // R
  quot    : R x y → proj {R = R} x ≐ proj {R = R} y

The crucial element here is the elimination principle //-elim, which allows us to define functions that extract an element of A from a given element of A // R, as long as we have a proof quot* that the function behaves the same on proj x and proj y whenever R x y holds. The computation rule //-beta turns this definition of quotients into more than just a static blob of postulates by allowing //-elim to compute when it is applied to a proj x.

  //-elim : (P : A // R → Set ℓ)
    → (proj* : (x : A) → P (proj x))
    → (quot* : {x y : A} (r : R x y)
             → transportR P (quot r) (proj* x) ≐ proj* y)
    → (x : A // R) → P x
  //-beta : {R : A → A → Prop} (P : A // R → Set ℓ)
    → (proj* : (x : A) → P (proj x))
    → (quot* : {x y : A} (r : R x y)
             → transportR P (quot r) (proj* x) ≐ proj* y)
    → {u : A} → //-elim P proj* quot* (proj u) ≡ proj* u
  -- Note: The type of //-beta mysteriously does not
  -- check when I leave out the {R : A → A → Prop},
  -- I'm not sure what's up with that.
{-# REWRITE //-beta #-}

(As a side note, here is an interesting recent discussion on quotient types in Lean, Coq, and Agda.)

Example 5: Exceptional type theory

I have a secret to share with you: my first programming language was Java. While I don’t miss most parts of it, sometimes I just long to use a good unchecked exception in my pristine purely functional language. Luckily, my friends over at Inria in Nantes have written the aptly named paper Failure is Not an Option: An Exceptional Type Theory, which shows how to add exceptions to Coq. Through the exceptional power of rewrite rules, we can also encode their system in Agda.

First, we postulate a type Exc with any kinds of exceptions we might want to use (here we just have runtimeException for simplicity). We then add the possibility to raise an exception, producing an element of an arbitrary type A.

postulate
  Exc : Set
  runtimeException : Exc
  raise : Exc → A

By adding the appropriate rewrite rules for each type former, we can ensure that exceptions are propagated to the top-level. Below, I give two examples. For positive types such as Nat, exceptions are propagated outwards, while for negative types such as function types, exceptions are propagated inwards.

  raise-suc : {e : Exc} → suc (raise e) ≡ raise e

  raise-fun : {e : Exc}
    → raise {A = (x : A) → P x} e
    ≡ λ x → raise {A = P x} e

{-# REWRITE raise-suc raise-fun #-}

To complete the system, we can then add the ability to catch exceptions at specific types. This takes the shape of an eliminator with one additional method for handling the case where the element under scrutiny is of the form raise e.

postulate
  catch-Bool : (P : Bool → Set ℓ)
               (pt : P true) (pf : P false)
               (h : ∀ e → P (raise e))
             → (b : Bool) → P b

  catch-true  : ∀ (P : Bool → Set ℓ) pt pf h
              → catch-Bool P pt pf h true ≡ pt
  catch-false : ∀ (P : Bool → Set ℓ) pt pf h
              → catch-Bool P pt pf h false ≡ pf
  catch-exc   : ∀ (P : Bool → Set ℓ) pt pf h e
              → catch-Bool P pt pf h (raise e) ≡ h e

{-# REWRITE catch-true catch-false catch-exc #-}

In their paper, Pierre-Marie and Nicolas show how to build a safe version of exceptions on top of this system, using parametricity to enforce that all exceptions are caught locally. Please go read their paper if you want to know more!

Example 6: Observational equality

We can go even further in extending our type theory with new concepts using rewrite rules. For example, we can define type constructors that compute according to the type they are applied to. This is the core concept of observational type theory (OTT). OTT extends type theory with an observational equality type (here called _≅_) that computes acoording to the type of the elements being compared. For example, an equality proof of type (a , b) ≅ (c , d) is a pair of proofs, one of type a ≅ c and one of type b ≅ d.

OTT had a strong influence on the recent development of cubical type theory, which extends it with a proof-relevant notion of equality. Yet there are still some things that are possible in OTT but not in cubical, so we should not write it off yet. For example, OTT has definitional proof irrelevance, while it is not clear yet how this can be integrated into cubical (although XTT looks very promising).

Below, I define a small fragment of OTT by using rewrite rules in Agda. Since OTT has a proof-irrelevant equality type, I use Agda’s Prop to get the same effect.

First, we need some basic types in Prop:

record ⊤ {ℓ} : Prop ℓ where constructor tt

data   ⊥ {ℓ} : Prop ℓ where

record _∧_ (X : Prop ℓ₁) (Y : Prop ℓ₂) : Prop (ℓ₁ ⊔ ℓ₂) where
  constructor _,_
  field
    fst : X
    snd : Y
open _∧_

The central type is observational equality _≅_, which should compute according to the types of the elements being compared. Here I give the computation rules for Bool and for function types:

infix 6 _≅_
-- Observational equality
postulate
  _≅_ : {A : Set ℓ₁} {B : Set ℓ₂} → A → B → Prop (ℓ₁ ⊔ ℓ₂)

HEq = _≅_
syntax HEq {A = A} {B = B} x y = x ∈ A ≅ y ∈ B

postulate
  refl-Bool   : (Bool  ≅ Bool)  ≡ ⊤
  refl-true   : (true  ≅ true)  ≡ ⊤
  refl-false  : (false ≅ false) ≡ ⊤
  conflict-tf : (true  ≅ false) ≡ ⊥
  conflict-ft : (false ≅ true)  ≡ ⊥
{-# REWRITE refl-Bool refl-true refl-false
            conflict-tf conflict-ft #-}

postulate
  cong-Π : ((x : A) → P x) ≅ ((y : B) → Q y)
         ≡ (B ≅ A) ∧ ((x : A)(y : B) → y ≅ x → P x ≅ Q y)
  cong-λ : {A : Set ℓ₁} {B : Set ℓ₂}
    → {P : A → Set ℓ₃} {Q : B → Set ℓ₄}
    → (f : (x : A) → P x) (g : (y : B) → Q y)
    → ((λ x → f x) ≅ (λ y → g y))
    ≡ ((x : A) (y : B) (x≅y : x ≅ y) → f x ≅ g y)
{-# REWRITE cong-Π cong-λ #-}

To be able to actually reason about equality, OTT also has two more notions: coercion and cohesion. Coercion allows us to cast an element from one type to the other when we know both types are equal, and cohesion allows us to prove that coercion is computationally a no-op.

infix 10 _[_⟩ _||_

postulate
  _[_⟩    : A → A ≅ B → B         -- Coercion
  _||_    : (x : A) (Q : A ≅ B)
          → x ∈ A ≅ x [ Q ⟩ ∈ B   -- Coherence

Again, we need more rewrite rules to make sure coercion computes in the right way when applied to specific type constructors. Note that we don’t need rewrite rules for coherence, since the result is of type _ ≅ _ which is a Prop, so it anyway has no computational content.

Coercing an element from Bool to Bool is easy.

postulate
  coerce-Bool : b [ tt ⟩ ≡ b
{-# REWRITE coerce-Bool #-}

(Note that Bool ≅ Bool computes to ⊤, so any proof of it will be equal to tt by eta-equality.)

To coerce a function from (x : A) → P x to (y : B) → Q y we need to:

Coerce the input from y : B to x : A
Apply the function to get an element of type P x
Coerce the output back to an element of Q y

In the last step, we need to use coherence to show that x and y are (heterogeneously) equal.

postulate
  coerce-Π : {A : Set ℓ₁} {B : Set ℓ₂}
    → {P : A → Set ℓ₃} {Q : B → Set ℓ₄}
    → {f : (x : A) → P x}
    → (ΠAP≅ΠBQ : ((x : A) → P x) ≅ ((y : B) → Q y))
    → _≡_ {A = (y : B) → Q y} (f [ ΠAP≅ΠBQ ⟩) λ (y : B) →
        let B≅A : B ≅ A
            B≅A = fst ΠAP≅ΠBQ
            x   : A
            x   = y [ B≅A ⟩
            Px≅Qy : P x ≅ Q y
            Px≅Qy = snd ΠAP≅ΠBQ x y (_||_ {B = A} y B≅A)
        in f x [ Px≅Qy ⟩
{-# REWRITE coerce-Π #-}

Of course this is just a fragment of the whole system, but implementing all of OTT would go beyond the scope of this blog post. Hopefully this at least gives an idea how one could implement the full system.

Conclusion

With all these examples, I think this blog post has become long enough. If you read all the way to here, I hope you found at least one example that gave you the itch to try rewrite rules yourself. Be sure to let me know if you come up with other cool examples! And if you got interested in the exact workings of rewrite rules in Agda and how they are implemented, stay tuned for the next post in this series.

Formalize all the things (in Agda)

Jesper Cockx — Fri, 04 Oct 2019 00:00:00 UT

Jesper Cockx - Formalize all the things (in Agda)

Jesper Cockx

Formalize all the things (in Agda)

Posted by Jesper on October 4, 2019

I quite often hear from people that they are interested in learning Agda, and that’s great! However, I often feel there are not enough examples out there of how to use the different features of Agda to implement programs, enforce invariants in their types, and prove their properties. So in this blog post I hope to address exactly that problem.

The main goal of this example is to show off the dual purpose of Agda as a strongly typed programming language and as a proof assistant for formalizing mathematics. Since both purposes are part of the same language, each of them reinforces the other: we can prove properties of our programs, and we can write programs that produce proofs. In this example, we will see this power in action by (1) defining the mathematical structure of partial orders, (2) implementing a generic binary search trees and insertion of new elements into them, and (3) proving that this function is implemented correctly.

This blog post was based on a talk I gave at the Initial Types Club at Chalmers.

Preliminaries

For this post we keep the dependencies to a minimum so we don’t rely on the standard library. Instead, we import some of the built-in modules of Agda directly.

open import Agda.Primitive
open import Agda.Builtin.Bool
open import Agda.Builtin.Nat
open import Agda.Builtin.Equality

A variable declaration (since Agda 2.6.0) allows us to use variables without binding them explicitly. This means they are implicitly universally quantified in the types where they occur.

variable
  A B C : Set
  x y z : A
  k l m n : Nat

In the code that follows, we will use instance arguments to automatically construct some proofs. When working with instance arguments, the it function below is often very useful. All it does is ask Agda to please fill in the current argument by using a definition that is marked as an instance. (More about instance arguments later).

it : {{x : A}} → A
it {{x}} = x

(Unary) natural numbers are defined as the datatype Nat with two constructors zero : Nat and suc : Nat → Nat. We use the ones imported from Agda.Builtin.Nat because they allow us to write literal numerals as well as constructor forms.

_ : Nat
_ = zero + 7 * (suc 3 - 1)

(Definitions that are named _ are typechecked by Agda but cannot be used later on. This is often used to define examples or test cases).

We can define parametrized datatypes and functions by pattern matching on them. For example, here is the equivalent of Haskell’s Maybe type.

data Maybe (A : Set) : Set where
  just    : A → Maybe A
  nothing :     Maybe A

mapMaybe : (A → B) → (Maybe A → Maybe B)
mapMaybe f (just x) = just (f x)
mapMaybe f nothing = nothing

Note how A and B are implicitly quantified in the type of mapMaybe!

Quick recap on the Curry-Howard correspondence

The Curry-Howard correspondence is the core idea that allows us to use Agda as both a programming language and a proof assistant. Under the Curry-Howard correspondence, we can interpret logical propositions (A ∧ B, ¬A, A ⇒ B, …) as the types of all their possible proofs.

A proof of ‘A and B’ is a pair (x , y) of a proof x : A and an proof y : B.

record _×_ (A B : Set) : Set where
  constructor _,_
  field
    fst : A
    snd : B
open _×_

A proof of ‘A or B’ is either inl x for a proof x : A or inr y for a proof y : B.

data _⊎_ (A B : Set) : Set where
  inl : A → A ⊎ B
  inr : B → A ⊎ B

mapInl : (A → B) → A ⊎ C → B ⊎ C
mapInl f (inl x) = inl (f x)
mapInl f (inr y) = inr y

mapInr : (B → C) → A ⊎ B → A ⊎ C
mapInr f (inl x) = inl x
mapInr f (inr y) = inr (f y)

A proof of ‘A implies B’ is a transformation from proofs x : A to proofs of B, i.e. a function of type A → B.

‘true’ has exactly one proof tt : ⊤. We could define this as a datatype with a single constructor tt, but here we define it as a record type instead. This has the advantage that Agda will use eta-equality for elements of ⊤, i.e. x = y for any two variables x and y of type ⊤.

record ⊤ : Set where
  constructor tt     -- no fields

‘false’ has no proofs.

data ⊥ : Set where   -- no constructor

‘not A’ can be defined as ‘A implies false’.

¬_ : Set → Set
¬ A = A → ⊥

Examples

-- “If A then B implies A”
ex₁ : A → (B → A)
ex₁ = λ z _ → z

-- “If A and true then A or false”
ex₂ : (A × ⊤) → (A ⊎ ⊥)
ex₂ = λ z → inl (fst z)

-- “If A implies B and B implies C then A implies C”
ex₃ : (A → B) → (B → C) → (A → C)
ex₃ = λ f g z → g (f z)

-- “It is not the case that not (either A or not A)”
ex₄ : ¬ (¬ (A ⊎ (¬ A)))
ex₄ = λ f → f (inr (λ x → f (inl x)))

Since Agda’s logic is constructive, it is not possible to prove the direct version of ex₄ (A ⊎ (¬ A)).

Equality

To state many properties of our programs, we need the notion of equality. In Agda, equality is defined as the datatype _≡_ with one constructor refl : x ≡ x (imported from Agda.Builtin.Equality).

_ : x ≡ x
_ = refl

sym : x ≡ y → y ≡ x
sym refl = refl

trans : x ≡ y → y ≡ z → x ≡ z
trans refl refl = refl

cong : (f : A → B) → x ≡ y → f x ≡ f y
cong f refl = refl

subst : (P : A → Set) → x ≡ y → P x → P y
subst P refl p = p

Ordering natural numbers

The standard ordering on natural numbers can be defined as an indexed datatype with two indices of type Nat:

module Nat-≤ where

  data _≤_ : Nat → Nat → Set where
    ≤-zero :         zero  ≤ n
    ≤-suc  : m ≤ n → suc m ≤ suc n

  ≤-refl : n ≤ n
  ≤-refl {n = zero}  = ≤-zero
  ≤-refl {n = suc k} = ≤-suc ≤-refl

  ≤-trans : k ≤ l → l ≤ m → k ≤ m
  ≤-trans ≤-zero      l≤m         = ≤-zero
  ≤-trans (≤-suc k≤l) (≤-suc l≤m) =
    ≤-suc (≤-trans k≤l l≤m)

  ≤-antisym : m ≤ n → n ≤ m → m ≡ n
  ≤-antisym ≤-zero      ≤-zero      = refl
  ≤-antisym (≤-suc m≤n) (≤-suc n≤m) =
    cong suc (≤-antisym m≤n n≤m)

Now we can prove statements like 3 ≤ 5 as follows:

  _ : 3 ≤ 5
  _ = ≤-suc (≤-suc (≤-suc ≤-zero))

However, to prove an inequality like 9000 ≤ 9001 we would have to write 9000 ≤-suc constructors, which would get very tedious. Instead, we can use Agda’s instance arguments to automatically construct these kind of proofs.

To do this, we define an ‘instance’ that automatically constructs a proof of m ≤ n when m and n are natural number literals. A definition inst : A that is marked as an ‘instance’ will be used to automatically construct the implicit argument to functions with a type of the form {{x : A}} → B.

For efficiency reasons, we don’t mark the constructors ≤-zero and ≤-suc as instances directly. Instead, we make use of the efficient boolean comparison _<_ (imported from Agda.Builtin.Nat) to construct the instance when the precondition So (m < suc n) is satisfied.

  So : Bool → Set
  So false = ⊥
  So true  = ⊤

  instance
    ≤-dec : {p : So (m < suc n)} → m ≤ n
    ≤-dec {m = zero} {n = n} = ≤-zero
    ≤-dec {m = suc m} {n = suc n} {p = p} =
      ≤-suc (≤-dec {p = p})

  _ : 9000 ≤ 9001
  _ = it

Partial orders

We’d like to talk not just about orderings on concrete types like Nat, but also about the general concept of a ‘partial order’. For this purpose, we define a typeclass Ord that contains the type _≤_ and proofs of its properties.

record Ord (A : Set) : Set₁ where
  field
    _≤_       : A → A → Set
    ≤-refl    : x ≤ x
    ≤-trans   : x ≤ y → y ≤ z → x ≤ z
    ≤-antisym : x ≤ y → y ≤ x → x ≡ y

  _≥_ : A → A → Set
  x ≥ y = y ≤ x

Unlike in Haskell, typeclasses are not a primitive concept in Agda. Instead, we use the special syntax open Ord {{...}} to bring the fields of the record in scope as instance functions with a type of the form {A : Set}{{r : Ord A}} → .... Instance search will then kick in to find the right implementation of the typeclass automatically.

open Ord {{...}}

We now define some concrete instances of the typeclass using copattern matching

instance
  Ord-Nat : Ord Nat
  _≤_       {{Ord-Nat}} = Nat-≤._≤_
  ≤-refl    {{Ord-Nat}} = Nat-≤.≤-refl
  ≤-trans   {{Ord-Nat}} = Nat-≤.≤-trans
  ≤-antisym {{Ord-Nat}} = Nat-≤.≤-antisym

instance
  Ord-⊤ : Ord ⊤
  _≤_       {{Ord-⊤}} = λ _ _ → ⊤
  ≤-refl    {{Ord-⊤}} = tt
  ≤-trans   {{Ord-⊤}} = λ _ _ → tt
  ≤-antisym {{Ord-⊤}} = λ _ _ → refl

module Example (A : Set) {{A-≤ : Ord A}} where

  example : {x y z : A} → x ≤ y → y ≤ z → z ≤ x → x ≡ y
  example x≤y y≤z z≤x = ≤-antisym {A = A} x≤y (≤-trans {A = A} y≤z z≤x)

For working with binary search trees, we need to be able to decide for any two elements which is the bigger one, i.e. we need a total, decidable order.

data Tri {{_ : Ord A}} : A → A → Set where
  less    : {{x≤y : x ≤ y}} → Tri x y
  equal   : {{x≡y : x ≡ y}} → Tri x y
  greater : {{x≥y : x ≥ y}} → Tri x y

record TDO (A : Set) : Set₁ where
  field
    {{Ord-A}} : Ord A               -- superclass Ord
    tri       : (x y : A) → Tri x y

open TDO {{...}} public

triNat : (x y : Nat) → Tri x y
triNat zero zero = equal
triNat zero (suc y) = less
triNat (suc x) zero = greater
triNat (suc x) (suc y) with triNat x y
... | less    {{x≤y}} = less    {{x≤y = Nat-≤.≤-suc x≤y}}
... | equal   {{x≡y}} = equal   {{x≡y = cong suc x≡y}}
... | greater {{x≥y}} = greater {{x≥y = Nat-≤.≤-suc x≥y}}

instance
  TDO-Nat : TDO Nat
  Ord-A {{TDO-Nat}} = Ord-Nat
  tri   {{TDO-Nat}} = triNat

Binary search trees

In a dependently typed language, we can encode invariants of our data structures by using indexed datatypes. In this example, we will implement binary search trees by a lower and upper bound to the elements they contain (see How to Keep Your Neighbours in Order by Conor McBride).

Since the lower bound may be -∞ and the upper bound may be +∞, we start by providing a generic way to extend a partially ordered set with those two elements.

data [_]∞ (A : Set) : Set where
  -∞  :     [ A ]∞
  [_] : A → [ A ]∞
  +∞  :     [ A ]∞

variable
  lower upper : [ A ]∞

module Ord-[]∞ {A : Set} {{ A-≤ : Ord A}} where

  data _≤∞_ : [ A ]∞ → [ A ]∞ → Set where
    -∞-≤ :          -∞   ≤∞   y
    []-≤ : x ≤ y → [ x ] ≤∞ [ y ]
    +∞-≤ :           x   ≤∞  +∞

  []∞-refl : x ≤∞ x
  []∞-refl { -∞}   = -∞-≤
  []∞-refl {[ x ]} = []-≤ (≤-refl {A = A})
  []∞-refl { +∞}   = +∞-≤

  []∞-trans : x ≤∞ y → y ≤∞ z → x ≤∞ z
  []∞-trans -∞-≤       _          = -∞-≤
  []∞-trans ([]-≤ x≤y) ([]-≤ y≤z) = []-≤ (≤-trans {A = A} x≤y y≤z)
  []∞-trans _          +∞-≤       = +∞-≤

  []∞-antisym : x ≤∞ y → y ≤∞ x → x ≡ y
  []∞-antisym -∞-≤       -∞-≤       = refl
  []∞-antisym ([]-≤ x≤y) ([]-≤ y≤x) = cong [_] (≤-antisym x≤y y≤x)
  []∞-antisym +∞-≤       +∞-≤       = refl

  instance
    Ord-[]∞ : {{_ : Ord A}} → Ord [ A ]∞
    _≤_       {{Ord-[]∞}} = _≤∞_
    ≤-refl    {{Ord-[]∞}} = []∞-refl
    ≤-trans   {{Ord-[]∞}} = []∞-trans
    ≤-antisym {{Ord-[]∞}} = []∞-antisym

open Ord-[]∞ public

We define some instances to automatically construct inequality proofs.

module _ {{_ : Ord A}} where

  instance
    -∞-≤-I : {y : [ A ]∞} → -∞ ≤ y
    -∞-≤-I = -∞-≤

    +∞-≤-I : {x : [ A ]∞} → x ≤ +∞
    +∞-≤-I = +∞-≤

    []-≤-I : {x y : A} {{x≤y : x ≤ y}} → [ x ] ≤ [ y ]
    []-≤-I {{x≤y = x≤y}} = []-≤ x≤y

Now we are (finally) ready to define binary search trees.

data BST (A : Set) {{_ : Ord A}}
         (lower upper : [ A ]∞)  : Set where

  leaf : {{l≤u : lower ≤ upper}}
       → BST A lower upper

  node : (x : A)
       → BST A lower [ x ]
       → BST A [ x ] upper
       → BST A lower upper

_ : BST Nat -∞ +∞
_ = node 42
      (node 6    leaf leaf)
      (node 9000 leaf leaf)

Note how instances help by automatically filling in the proofs that the bounds are satisfied! Somewhat more explicitly, the tree looks as follows:

_ : BST Nat -∞ +∞
_ = node 42
      (node 6    (leaf {{l≤u = -∞≤6}})    (leaf {{l≤u = 6≤42}}))
      (node 9000 (leaf {{l≤u = 42≤9000}}) (leaf {{l≤u = 9000≤+∞}}))

  where
    -∞≤6 : -∞ ≤ [ 6 ]
    -∞≤6 = it

    6≤42 : [ 6 ] ≤ [ 42 ]
    6≤42 = it

    42≤9000 : [ 42 ] ≤ [ 9000 ]
    42≤9000 = it

    9000≤+∞ : [ 9000 ] ≤ +∞
    9000≤+∞ = it

Next up: defining a lookup function. The result of this function is not just a boolean true/false, but a proof that the element is indeed in the tree. A proof that x is in the tree t is either a proof that it is here, a proof that it is in the left subtree, or a proof that it is in the right subtree.

module Lookup {{_ : TDO A}} where

  data _∈_ {lower} {upper} (x : A) :
           (t : BST A lower upper) → Set where
    here  : ∀ {t₁ t₂} → x ≡ y  → x ∈ node y t₁ t₂
    left  : ∀ {t₁ t₂} → x ∈ t₁ → x ∈ node y t₁ t₂
    right : ∀ {t₁ t₂} → x ∈ t₂ → x ∈ node y t₁ t₂

The definition of lookup makes use of with-abstraction to inspect the result of the tri function on x and y.

  lookup : ∀ {lower} {upper}
         → (x : A) (t : BST A lower upper) → Maybe (x ∈ t)
  lookup x leaf = nothing
  lookup x (node y t₁ t₂) with tri x y
  ... | less    = mapMaybe left (lookup x t₁)
  ... | equal   = just (here it)
  ... | greater = mapMaybe right (lookup x t₂)

Similarly, we can define an insertion function. Here, we need to enforce the precondition that the element we want to insert is between the bounds (alternatively, we could have updated the bounds in the return type to ensure they include the inserted element).

module Insert {{_ : TDO A}} where

  insert : (x : A) (t : BST A lower upper)
         → {{l≤x : lower ≤ [ x ]}} {{x≤u : [ x ] ≤ upper}}
         → BST A lower upper
  insert x leaf = node x leaf leaf
  insert x (node y t₁ t₂) with tri x y
  ... | less    = node y (insert x t₁) t₂
  ... | equal   = node y t₁ t₂
  ... | greater = node y t₁ (insert x t₂)

To prove correctness of insertion, we have to show that y ∈ insert x t is equivalent to x ≡ y ⊎ y ∈ t. The proofs insert-sound₂ and insert-complete are a bit long because there are two elements x and y that can both independently be here, in the left subtree, or in the right subtree, so we have to distinguish 9 distinct cases. Let me know if you manage to find a shorter proof!

  open Lookup

  insert-sound :
    (x : A) (t : BST A lower upper)
    → {{_ : lower ≤ [ x ]}} {{_ : [ x ] ≤ upper}}
    → (x ≡ y) ⊎ (y ∈ t) → y ∈ insert x t
  insert-sound x t (inl refl) = insert-sound₁ x t

    where

      insert-sound₁ :
        (x : A) (t : BST A lower upper)
        → {{_ : lower ≤ [ x ]}} {{_ : [ x ] ≤ upper}}
        → x ∈ insert x t
      insert-sound₁ x leaf = here refl
      insert-sound₁ x (node y t₁ t₂) with tri x y
      insert-sound₁ x (node y t₁ t₂) | less    = left (insert-sound₁ x t₁)
      insert-sound₁ x (node y t₁ t₂) | equal   = here it
      insert-sound₁ x (node y t₁ t₂) | greater = right (insert-sound₁ x t₂)

  insert-sound x t (inr y∈t) = insert-sound₂ x t y∈t

    where

      insert-sound₂ :
        (x : A) (t : BST A lower upper)
        → {{_ : lower ≤ [ x ]}} {{_ : [ x ] ≤ upper}}
        → y ∈ t → y ∈ insert x t
      insert-sound₂ x (node y t₁ t₂) (here  refl) with tri x y
      ... | less    = here refl
      ... | equal   = here refl
      ... | greater = here refl
      insert-sound₂ x (node y t₁ t₂) (left  y∈t₁) with tri x y
      ... | less    = left (insert-sound₂ x t₁ y∈t₁)
      ... | equal   = left y∈t₁
      ... | greater = left y∈t₁
      insert-sound₂ x (node y t₁ t₂) (right y∈t₂) with tri x y
      ... | less    = right y∈t₂
      ... | equal   = right y∈t₂
      ... | greater = right (insert-sound₂ x t₂ y∈t₂)

  insert-complete :
    (x : A) (t : BST A lower upper)
    → {{_ : lower ≤ [ x ]}} {{_ : [ x ] ≤ upper}}
    → y ∈ insert x t → (x ≡ y) ⊎ (y ∈ t)
  insert-complete x leaf           (here refl) = inl refl
  insert-complete x (node y t₁ t₂) y∈t'       with tri x y
  insert-complete x (node y t₁ t₂) (here refl)   | less    = inr (here refl)
  insert-complete x (node y t₁ t₂) (here refl)   | equal   = inl it
  insert-complete x (node y t₁ t₂) (here refl)   | greater = inr (here refl)
  insert-complete x (node y t₁ t₂) (left y∈t₁')  | less    = mapInr left (insert-complete x t₁ y∈t₁')
  insert-complete x (node y t₁ t₂) (left  y∈t₁)  | equal   = inr (left y∈t₁)
  insert-complete x (node y t₁ t₂) (left  y∈t₁)  | greater = inr (left y∈t₁)
  insert-complete x (node y t₁ t₂) (right y∈t₂)  | less    = inr (right y∈t₂)
  insert-complete x (node y t₁ t₂) (right y∈t₂)  | equal   = inr (right y∈t₂)
  insert-complete x (node y t₁ t₂) (right y∈t₂') | greater = mapInr right (insert-complete x t₂ y∈t₂')

Of course, there are many more functions on search trees we could want to implement and prove correct: deletion, merging, flattening … Likewise, there are other invariants we might want to enforce in the type, such as being well-balanced. I strongly recommend to read Conor McBride’s paper on the topic, or try it yourself!

EUTYPES '19 Summer School in Ohrid

Jesper Cockx — Fri, 13 Sep 2019 00:00:00 UT

Jesper Cockx - EUTYPES '19 Summer School in Ohrid

Jesper Cockx

EUTYPES '19 Summer School in Ohrid

Posted by Jesper on September 13, 2019

I gave a course about Correct-by-Construction Programming in Agda at the EUTYPES summer school in Ohrid. The course materials are available here.

Writing Agda blog posts in literate markdown

Jesper Cockx — Tue, 09 Jul 2019 00:00:00 UT

Jesper Cockx - Writing Agda blog posts in literate markdown

Jesper Cockx

Writing Agda blog posts in literate markdown

Posted by Jesper on July 9, 2019

So you got to admit all the cool kids are doing it nowadays: writing blog posts in literate Agda. Do you want to join the club? Then you’ve come to the right place! In this blog post I’ll explain how to write a blog post (or any literate Agda code, really) as a markdown file and transform it into fancy highlighted and hyperlinked html. Don’t worry, it’s easy!

open import Agda.Builtin.Nat
open import Agda.Builtin.Equality

plus1 : (x : Nat) → x + 1 ≡ suc x
plus1 zero                    = refl
plus1 (suc x) rewrite plus1 x = refl

Writing the blog post

To start, you’ll first need to install Agda 2.6.0 or newer and Pandoc 2.2 or newer. Both can be installed from Cabal with cabal install agda-2.6.0.1 pandoc-2.2.1 (these versions work well with GHC 8.0, YMMV).

Next, create a file called blogpost.lagda.md and open it up in Emacs. Here, you write your text using standard markdown syntax. Any Agda code goes between triple backticks:

```
-- write your Agda code here
```

Bonus trick: to hide an Agda code block, just put it between html comments ().

You’ll notice that the agda2-mode for emacs is not automatically loaded when editing .lagda.md files. You can either load it manually (using M-x agda2-mode) or fix the problem once and for all by adding this line to your .emacs configuration:

(add-to-list 'auto-mode-alist '("\\.lagda.md\\'" . agda2-mode))

From markdown to html

Once you are finished with writing your blog post, first use Agda to convert the code parts to html:

agda --html --html-highlight=code blogpost.lagda.md

Here, the --html flag tells Agda to generate html from the file, and --html-highlight=code tells Agda not to touch the non-code parts of the file (these will be processed by Pandoc). You should now have a new directory called html containing the following:

A file blogpost.md
.html files for all the imported modules
A css stylesheet Agda.css

To complete the process, run Pandoc on the .md file like so:

pandoc html/blogpost.md -o blogpost.html

This tells Pandoc to convert the markdown file to html (it won’t touch the code since that’s already been converted by Agda).

If you want, you can go wild with any Pandoc extensions you want to use. Personally, I’m just using tex_math_dollars, tex_math_double_backslash and latex_macros (for using LaTeX commands in text).

Integrating with Hakyll

Since I’m building my website with Hakyll, I tried to integrate Agda into the Hakyll pipeline. Unfortunately, this did not go quite as smoothly as I expected: Hakyll is built around the paradigm of mapping one input file to one output file, but this does not match with how agda --html generates its output. For more details on the problem I had, see this post.

Instead, I currently run agda --html on all Agda blog posts as a preprocessing step to Hakyll. This does not work quite as seamlessly as I hoped since Hakyll does not automatically detect changes when running in watch mode, but it gets the job done. If you are also running Hakyll and you want to steal my method, feel free to take a look at it here. Also, if you know of a better method please let me know!

I hope you enjoyed this blogpost about the making of this blog, next time I will finally talk about the long-awaited topic of rewrite rules in Agda (I promise!)

Elaborating Dependent (Co)pattern Matching

Jesper Cockx — Sat, 22 Sep 2018 00:00:00 UT

Jesper Cockx - Elaborating Dependent (Co)pattern Matching

Jesper Cockx

Elaborating Dependent (Co)pattern Matching

Posted by Jesper on September 22, 2018

It has been a while since my last (and first) post, so here is a new one about this year’s ICFP paper by Andreas Abel and me, titled “Elaborating Dependent (Co)pattern Matching” (pdf). Dependent pattern matching and copattern matching is one of Agda’s coolest features. It is also a topic very close to my heart since I spend most of my PhD years on the topic.

My goal in this blog post is not to go into the theoretical details, you can find those in the paper. Instead, I want to go a bit more into the reasons why I think this work is important and some unexpected discoveries I made while working on the paper.

Prerequisites. I’ll assume you have used a proof assistant with dependent pattern matching (such as Agda, Idris, or the Equations package for Coq) at least a few times, but I won’t assume any knowledge about the Agda internals.

How to trust your type system

When we use a typechecker or a proof assistant, it is fundamentally because we don’t trust ourselves enough (or we can’t be bothered to) to check whether all the details of a program or proof make sense. Their usefulness thus depends directly on our ability to trust them. But why do we believe we can in fact trust them: is it based on science or on faith? I claim that currently, we are somewhere in between these two. Let me explain why.

A typical dependently typed programming language / proof assistant (be it Agda, Coq, Idris, or even Haskell) actually consists of two languages: a high-level surface language and a lower-level core language. The surface language usually has many convenience features such as implicit arguments, named variables, pattern matching, a tactic system, etc. On the other hand, the core language has none of these and is kept as small as possible on purpose. These core languages have often been studied in great detail for decades and (while there are still many new discoveries to be made) they lie firmly in the camp of science.

The process of translating from surface to core language is called elaboration. It includes many steps such as scope checking, type checking, higher-order unification for checking constraints and figuring out implicit arguments, and running tactics. The goals of elaboration are twofold:

to check that the user-written code (in the surface language) is correct, and
to generate the low-level program (in the core language) which can then be executed (if you are in the business of running your programs, that is).

In Agda, currently only a very small part of the core language can be typechecked independently, so we need to trust the elaboration process. This elaboration is a big, ugly mess of semi-imperative Haskell code with lots of unsafe features and no real specification. This is clearly not based on any rational science, only faith enables us to use Agda while keeping our sanity.

In other languages—such as Coq—the generated core can be checked independently, and in fact it is checked at every qed and defined. So should Agda follow Coq and get a proper core language? While I think this is a good idea (our paper actually takes a step in that direction), I don’t think that’s enough.

Suppose in extremis that the elaborator would translate every type to the unit type ⊤, and every term to the trivial proof tt. Then all the generated code is certainly type-correct, but it is as certainly not what we want! Of course, in reality mistakes in the elaboration process are never this blatant, but they still happen and may result in type-correct yet meaningless code being generated. The message is thus:

Even with a trusted core language and double-checking of all generated code, the elaborator is still part of the trusted kernel!

(If you’re using Coq or Agda just as a theorem prover and you don’t care about the actual proof term, you still have to trust the elaborator to preserve the meaning of the theorem statement, which can be a complex expression itself).

So if we must rely on the correctness of elaboration, what can we do to increase our trust in it? Well, eat our own dogfood and formally verify it of course. Unfortunately, the current state of Agda is pretty far from the point where it would be feasible to verify anything about it (remember it doesn’t even have a proper core language?). So the first step will be more modest: take a small part of the elaboration process, specify what properties it ought to have, and prove that they are indeed satisfied by this small part.

Elaborating pattern matching

Let’s get to the actual topic of the paper: dependent pattern matching. Dependent pattern matching provides a very convenient syntax for defining new functions (and, through the Curry-Howard correspondence, proofs) by case analysis and recursion. A big part of the power of dependent pattern matching comes from the unification algorithm it employs for specializing types to each specific case and to rule out impossible cases. This unification algorithm was the main topic of my PhD thesis, but here I want to talk about a different aspect.

Pattern matching is one of these features that are present in the surface language but are translated away by elaboration. In particular, the elaboration of a function by dependent pattern matching proceeds in two steps: first, the clauses written by the user are translated to a case tree, and then this case tree can be further translated to the primitive eliminators provided by the core language (for example CIC for Coq). Agda skips the second step and uses case trees directly in its internal language instead.

The second step of this translation has been studied extensively in the past: by Conor McBride, Healfdene Goguen and James McKinna for a type theory with UIP (uniqueness of identity proofs) and by me and Dominique Devriese in the general case. On the other hand, no-one ever really formalized or proved anything about the first step. You guessed it: that’s exactly what we do in our new paper.

In order to prove anything about the elaboration process, we need to formalize it in much greater detail than is usually done. Finding the right judgement forms was actually the main challenge when writing the paper; once we got them right most of the proofs followed naturally! At the same time, having a very precise description of the elaboration process helps a lot when actually implementing the algorithm for Agda. So formalizing elaboration is a big win from both the theoretical and the practical side of things!

For example, to prove that the case trees produced by elaboration are well-typed, it is necessary to have typing rules for case trees in the first place. However, this is not the case for the case trees currently used internally by Agda! In fact, they do not contain sufficient information to check them independently, which is one of the major obstacles preventing us from having a proper core language for Agda. In the future, I would like to refactor the representation of case trees in Agda to be closer to the well-typed case trees in our paper.

First-match semantics and the shortcut rule

An important goal in our paper is to prove that elaborating a definition by pattern matching preserves the meaning of the definition. In particular, if the arguments to the function match a certain clause, and they didn’t match any of the previous clauses, then this clause should fire – this is the so-called first-match semantics of pattern matching. In our paper, prove that our elaboration process preserves the first-match semantics of the clauses written by the user.

In a dependently typed language, we expect stronger properties from our programs than usual, in particular w.r.t. evaluation of open terms (i.e. terms with free variables). This poses interesting new questions when proving properties that involve evaluation. For example, consider Berry’s infamous majority function:

majority : Bool → Bool → Bool → Bool
majority true  true  true  = true
majority x     true  false = x
majority false y     true  = y
majority true  false z     = z
majority false false false = false

When evaluating majority x true false, can we safely skip the first clause and apply the second clause to conclude majority x true false = x? This so-called shortcut rule allows matching to proceed to the next clause when there’s a mismatch for one argument (in this case the third) even when matching for another argument (here the first) is still inconclusive.

However, it turns out this rule is not allowed if we want to preserve the first-match semantics in the translation to a case tree! For example, the obvious case tree for majority matches first on the first argument, which means majority x true false is a stuck term that does not evaluate to anything.

A more restricted version of the shortcut rule is left-to-right matching, where the arguments are matched (you’d never guess) from left to right, and a mismatch means going to the next clause immediately. This semantics adequately describes the behaviour of the case tree for majority and is the one that was (until recently) the one implemented in Agda.

But this restricted shortcut rule is also not preserved by the elaboration to a case tree. Here is an example for which the only valid case tree does not satisfy the first-match semantics with left-to-right matching:

f : (A : Set) → A → (A ≡ Bool) → Bool
f .Bool true refl = true
f _     _    _    = false

The function matches on both its second and third argument, but in a well-typed case tree the match on the third argument has to come before the second. Hence f Bool false p for a variable p does not evaluate to false but is stuck.

This actually caused a bug in Agda which allowed us to break subject reduction (see #2964). I only discovered this bug because I was writing the proof of preservation of first-match semantics and failed to make it work! Once we found the error, the problem was easy to fix by removing the shortcut rule in all forms.

In effect, our theorem says that the first-match semantics (without the shortcut rule) give a lower bound to the computational behaviour of any case tree produced by elaboration: the case has at least this computational behaviour, and possibly some more depending on the order of case splits. On the other hand, we could also give an upper bound to the computational behaviour of any case tree, in the form of some any-match semantics. The definition of any-match semantics and the proof that it is an upper bound is left as an exercise to the reader ;)

Conclusion

This post is getting pretty long so I’m going to stop here. If you cannot get enough, you’re in luck since there’s a whole paper for you! One thing that’s in the paper but I didn’t talk about here at all is copattern matching, as indicated by the `(co)’ in the paper title. Copatterns are very cool so maybe I’ll write something about them here later.

As always, if you have any questions or comments about this post, let me know on the Agda mailing list. See you next time, where I’ll hopefully talk about one of Agda’s most unsafe features: user-defined rewrite rules!

The Agda's New Sorts

Jesper Cockx — Thu, 03 May 2018 00:00:00 UT

Jesper Cockx - The Agda's New Sorts

Jesper Cockx

The Agda's New Sorts

Posted by Jesper on May 3, 2018

In the last few weeks, Sandro Stucki has given a couple of excellent presentations on pure type systems (pts’s) at the initial types club at Chalmers. Since I’ve been working on the implementation of Agda’s sorts system, and the new implementation is closely based on the theory of pure type systems, I thought it would be interesting to talk a bit about the implementation of these concepts used by Agda.

Prerequisites: a bit of experience with using Agda, basic knowledge of pure type systems (see section 5.2 of Barendregt’s classic).

Note: this post started as my personal notes to prepare for a talk at the initial types club, but then I realized it could make a nice blog post. Since this is kind of an experiment, please let me know if there’s something I can improve or if you’re just eager to have more posts about the development of Agda!

Agda’s universe hierarchy

Sorts (aka universes) are types whose members themselves are again types. They are a central element of Martin-Löf’s type theory and languages based on that theory, such as Agda. The prototypical example of a sort in Agda is Set, the universe of small types. Why do we need any sort other than Set, you ask? Well, to avoid inconsistency and undecidable typechecking we cannot have Set : Set (known as the type-in-type rule): Martin-Löf’s original type theory had a rule like this, but Girard showed that this is inconsistent (this is called Girard’s paradox). While Girard’s original paradox is quite complex, it’s easier to get a contradiction in Agda by (ab)using datatypes and structural recursion (example taken from a post by Andreas Abel on the Agda mailing list):

{-# OPTIONS --type-in-type #-}

data ⊥ : Set where

data D : Set where
  c : (f : (A : Set) → A → A) → D

empty : D → ⊥
empty (c f) = empty (f D (c f))

absurd : ⊥
absurd = empty (c λ A x → x)

See also this post by Liam O’Connor for a direct encoding of a similar inconsistency with type-in-type, Russell’s paradox (aka the Barber’s paradox).

To avoid these inconsistencies, Agda has an infinite hierarchy of sorts Set0 (= Set), Set1, Set2, … such that Set0 : Set1, Set1 : Set2, … Thus if we restrict Agda’s type system to just the sorts SetN and dependent function types (x : A) → B, we can think of it as a pure type system with the sorts given by natural numbers, axioms (n, n+1) and rules (m, n, m ⊔ n) (where ⊔ indicates the maximum). Unlike Coq, Agda has no cumulativity, so we have Set0 : Set1 and Set1 : Set2 but not Set0 : Set2. I’ll come back to the point of cumulativity at the end of this post.

Universe polymorphism

In practice, of course, things aren’t that simple. It turns out that defining the same functions and datatypes at different universe levels gets really old really quickly. To fix this, Agda has a feature called universe polymorphism. This feature exposes a new type Level : Set to the user, as well as primitive functions on levels lzero : Level, lsuc : Level → Level, and _⊔_ : Level → Level → Level. For each l : Level we get a new universe Set l, with the obvious rules (Set lzero = Set0, Set (lsuc lzero) = Set1, …) This allows us to define functions and datatypes for all universe levels at once, e.g. the polymorphic identity function:

id : (l : Level)(A : Set l)(x : A) → A
id l A x = x

This seems like a useful yet unexciting feature and indeed, if you’ve ever seen some non-trivial Agda code you have probably encountered it already. However, it has some big implications for Agda as a pure type system: it means that the sort of the codomain of a function type can now also depend on the value of the argument. This definitely does not fit into the framework of pure type systems anymore, so we’re entering uncharted lands. It also raises a number of practical questions about Agda’s sort system, such as:

Levels are now no longer just natural numbers but they can be arbitrary terms, in particular a level can be neutral (i.e. contain free variables). So how do we determine when two levels are equal?
The type of id is (l : Level) (A : Set l) (x : A) → A, but what is the sort of this type?

To answer the former question, Agda has a special-purpose solver to solve equalities and inequalities between arbitrary expressions of type Level, but I won’t say more about it here. The second question is what interests us here: since the sort of this type cannot be Set l for any level l, Agda introduces a new sort Setω which is different from any Set l, and it tells us that (l : Level) (A : Set l) (x : A) → A : Setω. So Setω can be thought of as a sort that’s bigger than Set l for any level l.

To extend the theory of pure type systems to universe polymorphism, we now need to consider ‘dependent pts rules’ of the form (x : _ : s1, s2, s3) where s2 can depend on the variable x. We do not care about the type of x, but only about the fact that this type should be in s1. Concretely, the new dependent pts rule for Setω is (x : _ : s , s' , Setω) whenever s' is dependent on x. On the other hand, when s' is not dependent on x we fall back to the regular ‘non-dependent’ pts rules.

Beyond the universe hierarchy

By introducing universe polymorphism, we also have a first example of a sort which is not in the universe hierarchy of Set l: Setω. It turns out that considering sorts different from any Set l can actually be very useful: we can encode some additional properties of a type in its sort, or we can restrict what the user is allowed to do with types of a certain sort by restricting the pts rules. Here are a few examples which I think would be very nice to have in Agda:

We could add a Prop sort to Agda which consists of definitionally proof-irrelevant types (in contrast to Prop in Coq, which is at best propositionally proof-irrelevant). See PropRezz.agda for a quick demo of the possibilities.
Sized types make use of a type Size to prove termination in a modular way, but there are some operations that are not permitted on function types ending in Size. These properties can be enforced by giving Size its own universe SizeUniv.
We could have a new option --omega-in-omega which makes Agda inconsistent by adding the axiom Setω : Setω, similar to --type-in-type but without collapsing the whole universe hierarchy. This should make it easier to do some ‘unsafe’ things which require --type-in-type without destroying compatibility with standard universe-polymorphic Agda code.
Similarly to Prop, we could also add a universe SSet of strict sets, i.e. types for which the identity type is a Prop. In particular, these types should satisfy the definitional K rule stating that any proof of x ≡ x is definitionally equal to refl.
Finally (and most ambitiously) it would be very interesting to add a sort of non-fibrant types to make Agda into a two-level type theory like Voevodsky’s Homotopy Type System (HTS). The basic idea is that the non-fibrant types serve as an internalization of the metatheory of the fibrant types, which allows us to do all kinds of crazy meta-level things in the language itself. In particular, the first level may satisfy univalence and the second level may satisfy UIP; by separating the sorts we can make sure that this doesn’t lead to inconsistencies. You can read more about two-level type systems in Formalisations Using Two-Level Type Theory by Danil Annenkov, Paolo Capriotti, and Nicolai Kraus.

Making room in Agda’s architecture for all of these new sorts was the main motivation for me to start working on a new implementation of Agda’s sort system.

Meta levels and meta sorts

When typechecking an Agda program, we frequently have to check that some expression is a valid type without knowing what sort it has. Up until recently, Agda always assumed that any unknown sort was of the form Set _l for some metavariable _l : Level. You may have noticed that Setω is already not of this form, so there used to be some hacks to make this assumption work anyway (specifically, the metavariable _l was instantiated with the ill-typed solution Setω and there was a computation rule Set Setω ---> Setω. It was horrible.)

To get rid of this assumption that any sort is of the form Set _, I added a new constructor to Agda’s internal representation of sorts for a sort metavariable or sort meta for short, representing an as of yet unknown sort. These sort metas can then be solved by the constraint solver just like regular (term) metas. Nice and tidy.

However, there’s a complication: we often have to determine the sort of a function type with domain in sort s1 and codomain in sort s2, when s1 and/or s2 are still unknown. For example, what’s the sort of (l : Level) → Set (_1 l) where _1 is a metavariable of type Level → Level? It could be e.g. Setω if _1 is the identity function, or Set if _1 is the constant function lzero. Similarly, we may want to get the sort ‘one level up’ from a given sort s, but s is still unknown. Introducing more new sort metas in those cases is not ideal, as we actually use those operations a lot, so we would get insane numbers of metavariables. Also, it would be quite tricky to keep track of all the dependencies between the different sort metas.

Instead, I opted to introduce two extra constructors PiSort s1 s2 and UnivSort s for the sort of a function type and the sort of another sort respectively (for the connoisseurs: PiSort is similar to the old DLub sort). These constructors do not represent new sorts but instead they compute to the right sort once their arguments are known. For example, PiSort Level (\l. Set l) evaluates to Setω, PiSort (Set l) (\_. Set l') evaluates to Set (l ⊔ l') and UnivSort (Set l) evaluates to Set (lsuc l). Not every PiSort or UnivSort is well-defined, for example Setω does not have a UnivSort since there is no bigger sort than Setω. So the PiSort and UnivSort constructors are accompanied by two new constraints HasBiggerSort s and HasPTSRule s1 s2. Constraints are Agda’s way of handling postponement of certain problems, such as the ValueCmp constraint which enforces two terms are equal. These two new constraints in particular ensure that no occurrence of PiSort or UnivSort will be stuck forever but each will compute to a proper sort eventually (or else Agda will report ‘unsolved constraints’).

So that’s it: the design of Agda’s new sort system. It has already been merged into the main Agda repository, so if you are still hungry for more details you can take a look there. Specifically:

Agda.Syntax.Internal: the Sort datatype used for the internal representation of sorts
Agda.TypeChecking.Substitute: basic functions defining the axioms and rules of Agda’s pts
Agda.TypeChecking.Conversion: solving equalities and inequalities between sorts
Agda.TypeChecking.Monad.Base: two new constraints HasBiggerSort and HasPTSRule were added to the Constraint datatype
Agda.TypeChecking.Sort: functions for solving these constraints

At the moment I’m working on implementing Prop for Agda and hopefully more new sorts will follow after that, so stay tuned!

Towards cumulativity for Agda?

One of the most requested features for Agda is cumulativity, i.e. the subtyping rule Set i <: Set j for i < j, so it would be amiss to talk about sorts in Agda without mentioning it. And indeed, there are many cases where cumulativity would make writing Agda code a lot easier and less frustrating! However, as far as I can tell no-one has really figured out how to combine Agda-style universe polymorphism with cumulativity, so it is still an open problem.

The closest working example is Coq, which sports both a cumulative hierarchy of universes and universe polymorphism (see this paper by Matthieu Sozeau and Nicolas Tabareau). But there are some limitations compared to what we would want to have in Agda:

Coq only allows top-level definitions to be quantified over levels, and thus it doesn’t require a sort like Setω. But in Agda we can quantify over universe-polymorphic types which are in Setω! See this code by Nils Anders Danielsson for an example where this is actually used.
Coq doesn’t guarantee the uniqueness of metavariable solutions, but this uniqueness is a core design principle of Agda. So we expect that simply adding cumulativity to Agda will result in lots and lots of unsolved metavariables, unless we have some way to mitigate this.

While my refactoring of the sort system certainly does not enable cumulativity directly, it allows for some new possibilities to experiment with. I’m planning to do some of this experimentation during the next Agda meeting in Göteborg 4 – 9 June 2018. So if you’re interested to work on this (or on any other part of Agda) you are very welcome to come and join us!

Jesper Cockx's Blog

Introduction to Coinduction in Agda Part 1: Coinductive Programming

Introduction to Coinduction in Agda Part 1: Coinductive Programming

Record types and copattern matching

Coinductive record types

Going Vegan, or How I Ran All Out Of Excuses

Going Vegan, or How I Ran All Out Of Excuses

10 reasons for going vegan

A few common objections and responses

“Animal products taste good.”

“There are bad apples but animal farming isn’t like what we see in the exposés.”

The good places to submit your papers

The good places to submit your papers

Journals

Conferences and workshops

Reflective journaling prompts

Reflective journaling prompts

On erasure annotations and agda2hs

On erasure annotations and agda2hs

Erasure annotations in agda2hs

Erasing more than just arguments

Functional Programming in the Netherlands

Functional Programming in the Netherlands

What FP courses are we teaching?

Which concepts are we teaching?

What concepts should we be teaching (more)?

How could functional programming education be improved?

A love letter to TTRPGs

A love letter to TTRPGs

Agda Core: The Dream and the Reality

Agda Core: The Dream and the Reality

Agda Core: The Dream

Agda Core: The Reality

Design challenge: Scoping of variables and defined symbols

Design challenge: representing case trees

Design challenge: Preserving sharing during reduction

Design challenge: dealing with non-termination

Design challenge: Typed vs untyped conversion

Infrastructure challenge: working with erasure annotations

Infrastructure challenge: agda2hs woes

Infrastructure challenge: awkward representations in Agda’s internal syntax

Conclusions

Ten Thinkers Who Shaped My Worldview

Ten Thinkers Who Shaped My Worldview

Ada Palmer

Audrey Tang

Becky Chambers

Brother Pháp Hữu

Cory Doctorow

Jay Dragon

Julia Galef

Rob Hopkins

Scott Alexander

Thomas Piketty

6 Reasons in favor of a core language, and 5 against

6 Reasons in favor of a core language, and 5 against

PRO 1: It reduces the trusted code base

PRO 2: You can implement independent checkers

PRO 3: You can’t do meta-theory without one

PRO 4: Syntactic sugar can be added without changing the backend

PRO 5: It serves as a basis for metaprogramming

PRO 6: It enables easier export to other languages

CONTRA 1: You already have a core language

CONTRA 2: Desugared code might be less efficient

CONTRA 3: Error messages become harder to read

CONTRA 4: Non-sugar features become harder to add

CONTRA 5: It distracts from other things

Conclusion

Ten improvements to Agda's implementation

Ten improvements to Agda's implementation

1. A modern API for IDE interaction

2. A hygienic and efficient reflection API

3. Better diagnostics for unsolved metavariables

4. Discrimination trees and memoization for instance search

5. Let bindings in the internal syntax

6. A typeable internal representation of case trees

7. Proper internal representation of with and rewrite

8. Parametrized modules without lambda-lifting

9. A clear separation between constraint solving and conversion checking

10. Reduced reliance on MTL-style type classes

Erasure annotations in `agda2hs`

7. Proper internal representation of `with` and `rewrite`

Intrinsic verification with `agda2hs`