safe functional reactive programming through dependent...
TRANSCRIPT
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySafe Fun tional Rea tive Programmingthrough Dependent TypesNeil S ulthorpe and Henrik NilssonS hool of Computer S ien eUniversity of NottinghamUnited Kingdom{nas,nhn}� s.nott.a .ukThe 14th International Conferen e on Fun tional ProgrammingEdinburgh, S otland31st August 2009Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryRea tive ProgrammingRea tive Program: one that ontinually intera ts with itsenvironment, interleaving input and output in a timely manner.
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryRea tive ProgrammingRea tive Program: one that ontinually intera ts with itsenvironment, interleaving input and output in a timely manner.Examples: MP3 players, robot ontrollers, video games,aeroplane ontrol systems. . .
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryRea tive ProgrammingRea tive Program: one that ontinually intera ts with itsenvironment, interleaving input and output in a timely manner.Examples: MP3 players, robot ontrollers, video games,aeroplane ontrol systems. . .Contrast with transformational programs, whi h take all inputat the start of exe ution and produ e all output at the end(e.g. a ompiler).
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryMotivationExisting rea tive programming languages make a trade-o�:Stati safety guarantees vs Expressiveness
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryMotivationExisting rea tive programming languages make a trade-o�:Stati safety guarantees vs ExpressivenessMost emphasise safety guarantees:Absen e of deadlo k, absen e of run-time errors, et ...Often ru ial in rea tive domains.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryMotivationExisting rea tive programming languages make a trade-o�:Stati safety guarantees vs ExpressivenessMost emphasise safety guarantees:Absen e of deadlo k, absen e of run-time errors, et ...Often ru ial in rea tive domains.Fun tional Rea tive Programming (FRP):Very expressive.La ks many safety guarantees.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryMotivationExisting rea tive programming languages make a trade-o�:Stati safety guarantees vs ExpressivenessMost emphasise safety guarantees:Absen e of deadlo k, absen e of run-time errors, et ...Often ru ial in rea tive domains.Fun tional Rea tive Programming (FRP):Very expressive.La ks many safety guarantees.This work: using dependent types to get safety guaranteeswithin FRP without sa ri� ing expressiveness.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryOutline1 Motivation2 Outline3 Dependent Types in FRP4 Fun tional Rea tive Programming (FRP)5 New Type System6 Safe Feedba k Loops7 Safe Initialisation of Signals8 SummaryNeil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryDependent Types in FRPA domain-spe i� dependent type system for FRP thatenfor es safety properties.
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryDependent Types in FRPA domain-spe i� dependent type system for FRP thatenfor es safety properties.A proof of the soundness of the type system, in the form of anAgda implementation.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryDependent Types in FRPA domain-spe i� dependent type system for FRP thatenfor es safety properties.A proof of the soundness of the type system, in the form of anAgda implementation.AgdaDependently typed language.Similarities with Haskell.Totality and termination he ks.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryDependent Types in FRPA domain-spe i� dependent type system for FRP thatenfor es safety properties.A proof of the soundness of the type system, in the form of anAgda implementation.In development: a Haskell implementation (using GHClanguage extensions).AgdaDependently typed language.Similarities with Haskell.Totality and termination he ks.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.Usually a domain spe i� embedding inside an existingfun tional language (e.g. Haskell).
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.Usually a domain spe i� embedding inside an existingfun tional language (e.g. Haskell).Fundamental on ept: time varying values alled signals.Signal A ≈ Time → ANeil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.Usually a domain spe i� embedding inside an existingfun tional language (e.g. Haskell).Fundamental on ept: time varying values alled signals.Signal A ≈ Time → AWe (following the FRP language Yampa) take signal fun tionsas the basi building blo ks of our language.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.Usually a domain spe i� embedding inside an existingfun tional language (e.g. Haskell).Fundamental on ept: time varying values alled signals.Signal A ≈ Time → AWe (following the FRP language Yampa) take signal fun tionsas the basi building blo ks of our language.Signal fun tions are ( on eptually) fun tions mapping signalsto signals.SF A B ≈ Signal A → Signal BNeil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.Usually a domain spe i� embedding inside an existingfun tional language (e.g. Haskell).Fundamental on ept: time varying values alled signals.Signal A ≈ Time → AWe (following the FRP language Yampa) take signal fun tionsas the basi building blo ks of our language.Signal fun tions are ( on eptually) fun tions mapping signalsto signals.SF A B ≈ Signal A → Signal BExample: Robot ControllerRobotController = SF Sensor ControlValueNeil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySignal Fun tionsAll signal fun tions are (temporally) ausal: urrent outputdoes not depend upon future input.
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySignal Fun tionsAll signal fun tions are (temporally) ausal: urrent outputdoes not depend upon future input.We build FRP programs by omposing signal fun tions to formsignal fun tion networks.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySignal Fun tionsAll signal fun tions are (temporally) ausal: urrent outputdoes not depend upon future input.We build FRP programs by omposing signal fun tions to formsignal fun tion networks.Implementing Signal Fun tionsIn pra tise, FRP implementations run signal fun tions over adis rete sequen e of time samples (syn hronously).This is hidden by the signal fun tion abstra tion.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySyn hronous Data-Flow NetworksExample: A Signal Fun tion Networkswitch
sf1sf5
sf4
sf2
sf3
Similar to the syn hronous data-�ow languages (Esterel,Lustre, Lu id Syn hrone et ...).FRP di�ers in that it allows dynami higher-order systemstru tures, but la ks some safety guarantees.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySyn hronous Data-Flow NetworksExample: A Signal Fun tion Networksf1
sf5
sf4
sf2
Similar to the syn hronous data-�ow languages (Esterel,Lustre, Lu id Syn hrone et ...).FRP di�ers in that it allows dynami higher-order systemstru tures, but la ks some safety guarantees.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryHybrid SignalsFRP is also hybrid: ontinuous-time and dis rete-time signals.
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryHybrid SignalsFRP is also hybrid: ontinuous-time and dis rete-time signals.We all dis rete-time signals event signals.
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryHybrid SignalsFRP is also hybrid: ontinuous-time and dis rete-time signals.We all dis rete-time signals event signals.Event signals are usually embedded in ontinuous-time signalsusing an option type:Event A = Signal (Maybe A)
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryHybrid SignalsFRP is also hybrid: ontinuous-time and dis rete-time signals.We all dis rete-time signals event signals.Event signals are usually embedded in ontinuous-time signalsusing an option type:Event A = Signal (Maybe A)Problems:Insu� iently abstra t to exploit their dis rete properties.Can lead to on eptual errors by the programmer.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySignal Ve torsSignal Ve tor: a heterogeneous ve tor of signals with the timedomain expli it in the type.
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySignal Ve torsSignal Ve tor: a heterogeneous ve tor of signals with the timedomain expli it in the type.Signal Des riptor: a type and time domain (C or E).
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySignal Ve torsSignal Ve tor: a heterogeneous ve tor of signals with the timedomain expli it in the type.Signal Des riptor: a type and time domain (C or E).Signal Ve tor Des riptor: a list of signal des riptors.
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySignal Ve torsSignal Ve tor: a heterogeneous ve tor of signals with the timedomain expli it in the type.Signal Des riptor: a type and time domain (C or E).Signal Ve tor Des riptor: a list of signal des riptors.Example: A Signal Ve tor Des riptor[C Bool,E (Tree Z),C R]
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySignal Ve torsSignal Ve tor: a heterogeneous ve tor of signals with the timedomain expli it in the type.Signal Des riptor: a type and time domain (C or E).Signal Ve tor Des riptor: a list of signal des riptors.Example: A Signal Ve tor Des riptor[C Bool,E (Tree Z),C R]Example: Some Primitive Signal Fun tionsnow : SF [ ] [E Unit]time : SF [ ] [C Time]edge : SF [C Bool] [E Unit]∫
: SF [C R] [C R]Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryConstru ting Signal Fun tionsPrimitive Combinatorspure : (a → b) → SF [C a] [C b]
≫ : SF as bs → SF bs s → SF as s∗∗∗ : SF as s → SF bs ds → SF (as++ bs) ( s++ ds)loop : SF (as++ s) (bs++ ds) → SF ds s → SF as bsGraphi al Representations
sf1
∗∗∗
sf2
sf1
loop
sf2
pure
f
sf1
>>>
sf2Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryConstru ting Signal Fun tionsExample: The after Signal Fun tionThe signal fun tion after t produ es an event at time t.after : Time → SF [ ] [E Unit]after t = time ≫ pure (> t) ≫ edgeedgetime ≥t
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryWell De�ned Feedba k Loops
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryWell De�ned Feedba k LoopsBadly de�ned feedba k loops an ause a program to diverge.
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryWell De�ned Feedba k LoopsBadly de�ned feedba k loops an ause a program to diverge.Feedba k loops are well de�ned if somewhere in the y le theyare broken by a de oupled signal fun tion.
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryWell De�ned Feedba k LoopsBadly de�ned feedba k loops an ause a program to diverge.Feedba k loops are well de�ned if somewhere in the y le theyare broken by a de oupled signal fun tion.De oupled signal fun tion: urrent output only depends uponits past inputs.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryWell De�ned Feedba k LoopsBadly de�ned feedba k loops an ause a program to diverge.Feedba k loops are well de�ned if somewhere in the y le theyare broken by a de oupled signal fun tion.De oupled signal fun tion: urrent output only depends uponits past inputs.Methods of de oupling: time delays, in�nitesimal delays, someprimitives (e.g. integration using the re tangle rule). . .Examples: LoopsDecoupled Loop
+ dup
delay 5
Instantaneous Loop
+ dup
+1Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryExisting Approa hes to De ouplingRelying on the programmer to orre tly de�ne loops.Does not restri t expressiveness.Easy to introdu e bugs into programs.Most FRP variants take this approa h.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryExisting Approa hes to De ouplingRelying on the programmer to orre tly de�ne loops.Does not restri t expressiveness.Easy to introdu e bugs into programs.Most FRP variants take this approa h.Expli it use of a de oupling primitive in all re ursive de�nitions.Can be on�rmed as safe by the type he ker ( onservatively).Limits expressiveness (in parti ular, stru tural dynamism andhigher-order signal fun tions).Most syn hronous data-�ow languages take this approa h.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryOur Approa h: De oupledness in the TypesIndex signal fun tions by booleans to denote de oupledness.Primitive Combinators Indexed by De ouplednesspure : (a → b) → SF [C a] [C b] false≫ : SF as bs d1 → SF bs s d2 → SF as s (d1 ∨ d2)∗∗∗ : SF as s d1 → SF bs ds d2 → SF (as++ bs) ( s++ ds) (d1 ∧ d2)loop : SF (as++ s) (bs++ ds) d → SF ds s true → SF as bs d
sf1
loop
sf2Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryOur Approa h: De oupledness in the TypesIndex signal fun tions by booleans to denote de oupledness.Primitive Combinators Indexed by De ouplednesspure : (a → b) → SF [C a] [C b] false≫ : SF as bs d1 → SF bs s d2 → SF as s (d1 ∨ d2)∗∗∗ : SF as s d1 → SF bs ds d2 → SF (as++ bs) ( s++ ds) (d1 ∧ d2)loop : SF (as++ s) (bs++ ds) d → SF ds s true → SF as bs dExamples: Primitive Signal Fun tions Indexed by De ouplednessnow : SF [ ] [E Unit] truetime : SF [ ] [C Time] trueedge : SF [C Bool] [E Unit] false
∫: SF [C R] [C R] ?Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryUninitialised Signals
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryUninitialised SignalsThe Signal Fun tion preCon eptually an in�nitesimal time delay.De oupled.Initial output is unde�ned.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryUninitialised SignalsThe Signal Fun tion preCon eptually an in�nitesimal time delay.De oupled.Initial output is unde�ned.Initialisation Primitivespre : SF [C a] [C a] trueinitialise : a → SF [C a] [C a] falseiPre : a → SF [C a] [C a] trueNeil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummaryUninitialised SignalsPrimitives updated with Initialisation Des riptorspure : (a → b) → SF [C i a] [C i b] falsepre : SF [C init a] [C unin a] trueinitialise : a → SF [C unin a] [C init a] falseiPre : a → SF [C init a] [C init a] trueBoolean Synonymsinit = trueunin = falseEvent signals are only de�ned at dis rete points in time, so there isno need to ensure initialisation.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types
Motivation Outline DT in FRP FRP Type System Feedba k Loops Initialisation SummarySummaryFRP and syn hronous data-�ow languages make a trade-o�between expressiveness and safety.Dependent types allow us to have FRP with safety guarantees,while retaining dynami higher-order data-�ow.Examples:Absen e of instantaneous feedba k loops.Corre t initialisation of signals.See the paper for further details.
Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types