Skip to content

Commit

Permalink
Addressed second half of Nil's feedback
Browse files Browse the repository at this point in the history
  • Loading branch information
@MatthewDaggitt
MatthewDaggitt committed Nov 5, 2024
1 parent 0a92ce7 commit f71151a
Show file tree
Hide file tree
Showing 2 changed files with 131 additions and 58 deletions.
149 changes: 108 additions & 41 deletions paper/paper.bib
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ @Book{plfa22.08
month = aug,
url = {https://plfa.inf.ed.ac.uk/22.08/},
}

@mastersthesis{ivardeBruin2023,
author = {Ivar {de Bruin}},
title = {Improving {Agda}'s module system},
Expand Down Expand Up @@ -54,11 +55,20 @@ @article{DBLP:journals/jfp/VezzosiMA21
}

@inproceedings{norell2009dependently,
title={Dependently typed programming in {Agda}},
author={Norell, Ulf},
booktitle={Proceedings of the 4th international workshop on Types in language design and implementation},
pages={1--2},
year={2009}
author = {Norell, Ulf},
title = {Dependently typed programming in {Agda}},
year = {2009},
isbn = {9781605584201},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/1481861.1481862},
doi = {10.1145/1481861.1481862},
booktitle = {Proceedings of the 4th International Workshop on Types in Language Design and Implementation},
pages = {1–2},
numpages = {2},
keywords = {programming, dependent types},
location = {Savannah, GA, USA},
series = {TLDI '09}
}

@inproceedings{hu2021categories,
Expand Down Expand Up @@ -97,39 +107,69 @@ @article{florence2019esterel
}

@article{bach2017intrinsically,
title={Intrinsically-typed definitional interpreters for imperative languages},
author={Bach Poulsen, Casper and Rouvoet, Arjen and Tolmach, Andrew and Krebbers, Robbert and Visser, Eelco},
journal={Proceedings of the ACM on Programming Languages},
volume={2},
number={POPL},
pages={1--34},
year={2017},
publisher={ACM New York, NY, USA}
author = {Bach Poulsen, Casper and Rouvoet, Arjen and Tolmach, Andrew and Krebbers, Robbert and Visser, Eelco},
title = {Intrinsically-typed definitional interpreters for imperative languages},
year = {2017},
issue_date = {January 2018},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
volume = {2},
number = {POPL},
url = {https://doi.org/10.1145/3158104},
doi = {10.1145/3158104},
journal = {Proc. ACM Program. Lang.},
month = dec,
articleno = {16},
numpages = {34},
keywords = {type safety, scope graphs, mechanized semantics, dependent types, definitional interpreters, Java, Agda}
}

@inproceedings{pizani2018pi,
title={Pi-ware: Hardware description and verification in agda},
author={Pizani Flor, Jo{\~a}o Paulo and Swierstra, Wouter and Sijsling, Yorick},
booktitle={21st International Conference on Types for Proofs and Programs (TYPES 2018)},
year={2018},
organization={Schloss-Dagstuhl-Leibniz Zentrum f{\"u}r Informatik}
@InProceedings{pizani2018pi,
author = {Pizani Flor, Jo\~{a}o Paulo and Swierstra, Wouter and Sijsling, Yorick},
title = {{Pi-Ware: Hardware Description and Verification in Agda}},
booktitle = {21st International Conference on Types for Proofs and Programs (TYPES 2015)},
pages = {9:1--9:27},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-030-9},
ISSN = {1868-8969},
year = {2018},
volume = {69},
editor = {Uustalu, Tarmo},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.TYPES.2015.9},
URN = {urn:nbn:de:0030-drops-84791},
doi = {10.4230/LIPIcs.TYPES.2015.9},
annote = {Keywords: dependently typed programming, Agda, EDSL, hardware description languages, functional programming}
}

@article{daggitt2023routing,
title={Formally verified convergence of policy-rich dbf routing protocols},
author={Daggitt, Matthew L and Griffin, Timothy G},
journal={IEEE/ACM Transactions on Networking},
author={Daggitt, Matthew L. and Griffin, Timothy G.},
journal={IEEE/ACM Transactions on Networking},
title={Formally Verified Convergence of Policy-Rich {DBF} Routing Protocols},
year={2023},
publisher={IEEE}
volume={32},
number={2},
pages={1645-1660},
keywords={Routing protocols;Protocols;Mathematical models;Routing;Convergence;Libraries;Filtering;Vector routing protocols;algebra;convergence;formal verification;Agda},
doi={10.1109/TNET.2023.3326336}
}
@inproceedings{carette2020leveraging,
title={Leveraging the information contained in theory presentations},
author={Carette, Jacques and Farmer, William M and Sharoda, Yasmine},
booktitle={Intelligent Computer Mathematics: 13th International Conference, CICM 2020, Bertinoro, Italy, July 26--31, 2020, Proceedings 13},
pages={55--70},
year={2020},
organization={Springer}
author = {Carette, Jacques and Farmer, William M. and Sharoda, Yasmine},
title = {Leveraging the Information Contained in Theory Presentations},
year = {2020},
isbn = {978-3-030-53517-9},
publisher = {Springer-Verlag},
address = {Berlin, Heidelberg},
url = {https://doi.org/10.1007/978-3-030-53518-6_4},
doi = {10.1007/978-3-030-53518-6_4},
booktitle = {Intelligent Computer Mathematics: 13th International Conference, CICM 2020, Bertinoro, Italy, July 26–31, 2020, Proceedings},
pages = {55–70},
numpages = {16},
keywords = {Formal library, Algebraic hierarchy},
location = {Bertinoro, Italy}
}

@book{paulson1994isabelle,
Expand All @@ -153,21 +193,37 @@ @misc{coq2024manual
howpublished = "\url{https://coq.inria.fr/doc/V8.19.0/refman}"
}

@inproceedings{van2020maintaining,
title={Maintaining a library of formal mathematics},
author={{van Doorn}, Floris and Ebner, Gabriel and Lewis, Robert Y},
booktitle={International Conference on Intelligent Computer Mathematics},
pages={251--267},
year={2020},
organization={Springer}
@InProceedings{van2020maintaining,
author="van Doorn, Floris
and Ebner, Gabriel
and Lewis, Robert Y.",
editor="Benzm{\"u}ller, Christoph
and Miller, Bruce",
title="Maintaining a Library of Formal Mathematics",
booktitle="Intelligent Computer Mathematics",
year="2020",
publisher="Springer International Publishing",
address="Cham",
pages="251--267",
abstract="The Lean mathematical library mathlib is developed by a community of users with very different backgrounds and levels of experience. To lower the barrier of entry for contributors and to lessen the burden of reviewing contributions, we have developed a number of tools for the library which check proof developments for subtle mistakes in the code and generate documentation suited for our varied audience.",
isbn="978-3-030-53518-6"
}


@inproceedings{allais2019generic,
title={Generic level polymorphic n-ary functions},
author={Allais, Guillaume},
booktitle={Proceedings of the 4th ACM SIGPLAN International Workshop on Type-Driven Development},
pages={14--26},
year={2019}
author = {Allais, Guillaume},
title = {Generic level polymorphic n-ary functions},
year = {2019},
isbn = {9781450368155},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3331554.3342604},
doi = {10.1145/3331554.3342604},
pages = {14–26},
numpages = {13},
keywords = {Agda, Arity-generic programming, Dependent types, Universe polymorphism},
location = {Berlin, Germany},
series = {TyDe 2019}
}


Expand Down Expand Up @@ -219,3 +275,14 @@ @inproceedings{cohen2020hierarchy
pages={34--1},
year={2020}
}

@article{devriese2011bright,
title={On the bright side of type classes: instance arguments in Agda},
author={Devriese, Dominique and Piessens, Frank},
journal={ACM SIGPLAN Notices},
volume={46},
number={9},
pages={143--155},
year={2011},
publisher={ACM New York, NY, USA}
}
40 changes: 23 additions & 17 deletions paper/paper.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ Through the Curry-Howard lens [@DBLP:journals/cacm/Wadler15],
these types and programs can be seen respectively as theorem
statements and proofs.

This paper presents the Agda standard library (hereafter: `agda-stdlib` [@agda-stdlib]), which offers many of the fundamental definitions and results necessary for users to quickly begin developing Agda programs and proofs.
This paper presents the Agda standard library (hereafter: `agda-stdlib` [@agda-stdlib-v2.0]), which offers fundamental definitions and results necessary for users to quickly begin developing Agda programs and proofs.
Unlike the standard libraries of traditional programming languages, `agda-stdlib` provides not only standard utilities and data structures, but also a substantial portion of the basic discrete mathematics essential for proving the correctness of programs.

# Statement of need
Expand Down Expand Up @@ -152,34 +152,36 @@ On the contrary, "coinfective" options affect the import*ed* modules; these are
This categorisation enables libraries to integrate safe Agda code with code that uses unsafe operating system calls, while maintaining the safety guarantees of the former.

Second, the development of `agda-stdlib` motivated adding the ability to attach custom messages to definitions, which are then displayed by the compiler when the definitions are used. This enabled the implementation of deprecation warnings amongst other features, and lets end-users more easily evolve their code alongside new versions of `agda-stdlib`.
Thirdly, `agda-stdlib` has been used as a test bed for the design of co-inductive data types, as evidenced by the three different otions of co-inductive data present in the library.

# Design

Designing a standard library for an ITP such as Agda presents several challenges.

Firstly, as discussed, `agda-stdlib` contains much of the foundational mathematics used to prove program correctness.
Firstly, as discussed, `agda-stdlib` contains much of the basic mathematics useful for proving program correctness.
While the focus on discrete mathematics and algebra reflects the bias in its user base towards programming language theory, organising this material into a coherent and logical structure is difficult, though some recent efforts exist in this direction [@carette2020leveraging,@cohen2020hierarchy].
There is constant tension between being as general as possible (e.g., defining operations over general algebraic structures) and providing clear, straightforward, and intuitive definitions (e.g., defining operations concretely over integers).
Additionally, there is a persistent temptation to introduce new representations of existing mathematical objects that are easier to work with for a particular application, which comes at the cost of duplicating the theory for the new representation.
Theorem provers like Isabelle [@paulson1994isabelle] and Coq [@coq2024manual] approach these problems by having very minimal standard libraries and encouraging the use of external libraries developed by the community, which reduces the emphasis on ensuring the existence of canonical definitions for certain concepts, at the cost of lack of interoperability between various packages.
On the other hand, like `agda-stdlib`, MathLib [@van2020maintaining] for Lean aims to provide a repository of canonical definitions.
Theorem provers like Isabelle [@paulson1994isabelle] and Coq [@coq2024manual] have very minimal standard libraries and encouraging the use of external libraries developed by the community, which reduces the emphasis on ensuring the existence of canonical definitions for certain concepts, at the cost of lack of interoperability between various packages.
On the other hand, like `agda-stdlib`, MathLib [@van2020maintaining] for Lean provides a repository of canonical definitions.
Philisophically, `agda-stdlib` is more closely aligned with the approach of the MathLib community, and aims to provide canonical definitions for mathematical objects and introduce new representations only sparingly.

A second challenge is that Agda was the first major ITP to fully embrace dependently-typed programming as the default.
With the exception of Idris, a more recent entrant to the field [@brady2013idris], other major theorem provers either do not support dependent types or encourage their use only sparingly.
With the exception of Idris, a more recent entrant to the field [@brady2013idris], either other major theorem provers do not support dependent types or their communities and libraries encourage their use only sparingly.
In contrast, nearly everything in `agda-stdlib` makes use of dependent types, with correctness-related invariants being closely integrated with definitions.
For example, we can specify that `reverse` defined on length-indexed vectors is length-preserving *by virtue of its type*.
Furthermore, most proofs consist of evidence-bearing terms for the relevant types, rather than being "irrelevant".
As a result, the library provides relatively sophisticated features like polymorphic n-ary functions [@allais2019generic], regular expressions which provide proof of membership when compiled and applied, and proof-carrying `All` and `Any` predicates for containers.
While this provides powerful tools for users, learning how to design such a large-scale, dependently-typed library is an ongoing journey. The Agda standard library is the first such to tackle this challenge.
Relatedly, `agda-stdlib` has been used as a test bed for the design of the Agda language itself, as evidenced by the library's inclusion of three different notions of co-inductive data types.

Agda’s unique support for dependently-parameterised modules [@ivardeBruin2023] has also significantly influenced the library’s design.
Although type classes are a common mechanism for creating interfaces and overloading syntax in other functional languages such as Haskell [@haskell2010], and other ITPs like Coq and Lean's MathLib use them extensively as a core feature of their design, the developers of `agda-stdlib` has so far found little need to exploit such an approach.
While Agda supports a very general form of instance search, the ability to use qualified, parameterised modules appears to reduce the need for it compared to the languages mentioned above.
Additionally, parameterised modules enable the safe and scalable embedding of non-constructive mathematics into a constructive system.
Since Agda is entirely constructive, the vast majority of `agda-stdlib` is also constructive.
Non-constructive methods, such as classical reasoning, can be achieved by passing the relevant axioms as module parameters.
This enables users to write provably "safe" non-constructive code, i.e. without having to *postulate* such axioms.
Furthermore, most proofs consist of evidence-bearing terms for the relevant types and therefore can themselves be computed on.
By using dependent types, the library provides sophisticated features like polymorphic n-ary functions [@allais2019generic] and regular expressions which provide proof of membership when compiled and applied.
While widespread use of dependent types provides powerful tools for users, learning how to design a large, dependently-typed library is an ongoing journey, and we believe the Agda standard library has been one of the first such standard libraries to tackle the challenge.

Unlike other ITPs, Agda’s module system [@ivardeBruin2023] supports module parameters whose type is dependent on earlier module parameters and this has also significantly influenced the design of `agda-stdlib`.
Many functional languages, such as Haskell [@haskell2010], and ITP libraries, like Lean's MathLib, use type classes as the primary mechanism for creating interfaces and overloading syntax.
While Agda supports a more general form of type-classes via instances [@devriese2011bright], we have found that the use of qualified, dependently-parameterised modules can reproduce most of the abstraction capabilities of type-classes.
The main benefits are that it allows users to explicitly describe which objects are being used to instantiate the abstract code and reduces the risk of time-consuming searches at type-checking time.
The main drawback is that users needs to use qualified imports when instantiating the abstract code twice in the same scope.
Another benefit of parameterised modules is we have found that they facilitate the safe and scalable embedding of non-constructive mathematics into a largely constructive standard library.
In particular, non-constructive operations, such as classical reasoning, can be made available by passing them as module parameters, allowing code access to them throughout the module.
This enables users to write non-constructive code, without either having to postulate the axioms (which would incompatible with the `--safe` flag), or explicitly pass them through as arguments to every function in the module.

# Testing

Expand Down Expand Up @@ -215,4 +217,8 @@ without whom Agda itself would not exist.

The authors of this paper are listed approximately in order of contribution to the library. A full list of contributors to `agda-stdlib` may be found in the `LICENCE` in the GitHub source tree.

# Funding and conflicts of interest

The authors of this paper have received no funding to work on the library, and have no conflicts of interest.

# References

0 comments on commit f71151a

Please sign in to comment.