safe functional reactive programming through dependent...

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySafe Fun tional Rea tive Programmingthrough Dependent TypesNeil S ulthorpe and Henrik NilssonS hool of Computer S ien eUniversity of NottinghamUnited Kingdom{nas,nhn}� s.nott.a .ukFun tional Programming Laboratory Away DayWorksop, England23rd June 2009Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryRea tive ProgrammingRea tive Program: one that ontinually intera ts with itsenvironment, interleaving input and output in a timely manner.

Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryRea tive ProgrammingRea tive Program: one that ontinually intera ts with itsenvironment, interleaving input and output in a timely manner.Examples: MP3 players, robot ontrollers, video games,aeroplane ontrol systems. . .


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryRea tive ProgrammingRea tive Program: one that ontinually intera ts with itsenvironment, interleaving input and output in a timely manner.Examples: MP3 players, robot ontrollers, video games,aeroplane ontrol systems. . .Contrast with transformational programs, whi h take all inputat the start of exe ution and produ e all output at the end(e.g. a ompiler).


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryMotivationExisting rea tive programming languages make a trade-o�between stati safety guarantees and expressiveness.


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryMotivationExisting rea tive programming languages make a trade-o�between stati safety guarantees and expressiveness.Most emphasise safety properties (su h as the absen e ofdeadlo k and run-time errors), whi h are often ru ial inrea tive domains.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryMotivationExisting rea tive programming languages make a trade-o�between stati safety guarantees and expressiveness.Most emphasise safety properties (su h as the absen e ofdeadlo k and run-time errors), whi h are often ru ial inrea tive domains.Fun tional Rea tive Programming (FRP) di�ers in that it isvery expressive, but la king in these guarantees.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryMotivationExisting rea tive programming languages make a trade-o�between stati safety guarantees and expressiveness.Most emphasise safety properties (su h as the absen e ofdeadlo k and run-time errors), whi h are often ru ial inrea tive domains.Fun tional Rea tive Programming (FRP) di�ers in that it isvery expressive, but la king in these guarantees.This work is about using dependent types to get some of thesesafety guarantees within FRP (without sa ri� ingexpressiveness).Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryOutline1 Motivation2 Outline3 Dependent Types in FRP4 Fun tional Rea tive Programming (FRP)5 New Type System6 Safe Feedba k Loops7 Uninitialised Signals8 SummaryNeil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryDependent Types in FRPA domain-spe i� dependent type system for FRP thatenfor es safety properties.


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryDependent Types in FRPA domain-spe i� dependent type system for FRP thatenfor es safety properties.An implementation, using this type system, in Agda.


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryDependent Types in FRPA domain-spe i� dependent type system for FRP thatenfor es safety properties.An implementation, using this type system, in Agda.Currently just a proof of on ept implementation.


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryDependent Types in FRPA domain-spe i� dependent type system for FRP thatenfor es safety properties.An implementation, using this type system, in Agda.Currently just a proof of on ept implementation.The implementation serves as a proof of the soundness of thetype system. (Agda he ks totality and termination.)


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.Usually a domain spe i� embedding inside an existingfun tional language (e.g. Haskell).


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.Usually a domain spe i� embedding inside an existingfun tional language (e.g. Haskell).Fundamental on ept: time varying values alled signals.Signal A ≈ Time → ANeil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.Usually a domain spe i� embedding inside an existingfun tional language (e.g. Haskell).Fundamental on ept: time varying values alled signals.Signal A ≈ Time → AWe (following the FRP language Yampa) take signal fun tionsas the basi building blo ks of our language.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.Usually a domain spe i� embedding inside an existingfun tional language (e.g. Haskell).Fundamental on ept: time varying values alled signals.Signal A ≈ Time → AWe (following the FRP language Yampa) take signal fun tionsas the basi building blo ks of our language.Signal fun tions are ( on eptually) fun tions mapping signalsto signals.SF A B ≈ Signal A → Signal BNeil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryFun tional Rea tive ProgrammingA fun tional approa h to rea tive programming.Usually a domain spe i� embedding inside an existingfun tional language (e.g. Haskell).Fundamental on ept: time varying values alled signals.Signal A ≈ Time → AWe (following the FRP language Yampa) take signal fun tionsas the basi building blo ks of our language.Signal fun tions are ( on eptually) fun tions mapping signalsto signals.SF A B ≈ Signal A → Signal BExample: Robot ControllerRobotController = SF Sensor ControlValueNeil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySignal Fun tions Chara teristi sAll signal fun tions are (temporally) ausal: urrent outputdoes not depend upon future input.


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySignal Fun tions Chara teristi sAll signal fun tions are (temporally) ausal: urrent outputdoes not depend upon future input.We identify some subsets of the ausal signal fun tions:


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySignal Fun tions Chara teristi sAll signal fun tions are (temporally) ausal: urrent outputdoes not depend upon future input.We identify some subsets of the ausal signal fun tions:Stateless signals fun tions: urrent output only depends upon urrent input (e.g. square root).Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySignal Fun tions Chara teristi sAll signal fun tions are (temporally) ausal: urrent outputdoes not depend upon future input.We identify some subsets of the ausal signal fun tions:Stateless signals fun tions: urrent output only depends upon urrent input (e.g. square root).Stateful signal fun tions: urrent output an depend upon pastand urrent input (e.g. integration).Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySignal Fun tions Chara teristi sAll signal fun tions are (temporally) ausal: urrent outputdoes not depend upon future input.We identify some subsets of the ausal signal fun tions:Stateless signals fun tions: urrent output only depends upon urrent input (e.g. square root).Stateful signal fun tions: urrent output an depend upon pastand urrent input (e.g. integration).De oupled signal fun tions: urrent output only depends uponpast inputs (e.g. time delay).Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySignal Fun tions Chara teristi sAll signal fun tions are (temporally) ausal: urrent outputdoes not depend upon future input.We identify some subsets of the ausal signal fun tions:Stateless signals fun tions: urrent output only depends upon urrent input (e.g. square root).Stateful signal fun tions: urrent output an depend upon pastand urrent input (e.g. integration).De oupled signal fun tions: urrent output only depends uponpast inputs (e.g. time delay).We ompose signal fun tions to form signal fun tion networks.Example: Composing Signal Fun tions∫

√

delay 3Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySyn hronous Data-Flow NetworksExample: A Signal Fun tion Networkswitch

sf1sf5

sf4

sf2

sf3

Similar to the syn hronous data-�ow languages. (Esterel,Lustre, Lu id Syn hrone et ...)FRP di�ers in that it allows dynami higher-order systemstru tures, but la ks some of their safety guarantees.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySyn hronous Data-Flow NetworksExample: A Signal Fun tion Networksf1

sf5

sf4

sf2

Similar to the syn hronous data-�ow languages. (Esterel,Lustre, Lu id Syn hrone et ...)FRP di�ers in that it allows dynami higher-order systemstru tures, but la ks some of their safety guarantees.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryHybrid SignalsFRP is also hybrid: it has both ontinuous-time anddis rete-time signals.


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryHybrid SignalsFRP is also hybrid: it has both ontinuous-time anddis rete-time signals.We all dis rete-time signals event signals.


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryHybrid SignalsFRP is also hybrid: it has both ontinuous-time anddis rete-time signals.We all dis rete-time signals event signals.Event signals are usually (in FRP) embedded in ontinuous-time signals using an option type.Event A = Signal (Maybe A)


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryHybrid SignalsFRP is also hybrid: it has both ontinuous-time anddis rete-time signals.We all dis rete-time signals event signals.Event signals are usually (in FRP) embedded in ontinuous-time signals using an option type.Event A = Signal (Maybe A)However, this is insu� iently abstra t to be able to exploittheir dis rete properties, and an lead to on eptual errors onbehalf of the programmer.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryHybrid SignalsFRP is also hybrid: it has both ontinuous-time anddis rete-time signals.We all dis rete-time signals event signals.Event signals are usually (in FRP) embedded in ontinuous-time signals using an option type.Event A = Signal (Maybe A)However, this is insu� iently abstra t to be able to exploittheir dis rete properties, and an lead to on eptual errors onbehalf of the programmer.To address this, we introdu e signal ve tors: on eptuallyheterogeneous ve tors of signals that allows us to pre iselyidentify signals (and their time domains) in the types.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySignal Des riptorsDes riptor De�nitionsdata SigDes : Set whereE : Set → SigDes C : Set → SigDes SVDes : SetSVDes = List SigDes Example: A Signal Ve tor Des riptorsvdExample : SVDes svdExample = (C R :: E Bool :: C Z :: [ ])Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySignal Fun tionsOriginal SF TypeSF : Set → Set → SetRevised SF TypeSF : SVDes → SVDes → SetNeil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySignal Fun tionsOriginal SF TypeSF : Set → Set → SetRevised SF TypeSF : SVDes → SVDes → SetExample: Some Primitive Signal Fun tionsnow : SF [ ] [E Unit]time : SF [ ] [C Time]edge : SF [C Bool] [E Unit]∫

: SF [C R] [C R]Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryConstru ting Signal Fun tionsPrimitive Combinatorspure : (a → b) → SF [C a] [C b]

≫ : SF as bs → SF bs s → SF as s∗∗∗ : SF as s → SF bs ds → SF (as++ bs) ( s++ ds)loop : SF (as++ s) (bs++ ds) → SF ds s → SF as bsGraphi al Representations

sf1

∗∗∗

sf2

sf1

loop

sf2

pure

f

sf1

>>>

sf2Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryConstru ting Signal Fun tionsExample: The after Signal Fun tionThe signal fun tion after t produ es an event at time t.after : Time → SF [ ] [E Unit]after t = time ≫ pure ( 6 t) ≫ edgeedgetime ≥t


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryWell De�ned Feedba k Loops


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryWell De�ned Feedba k LoopsBadly de�ned feedba k loops an ause a program to diverge.


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryWell De�ned Feedba k LoopsBadly de�ned feedba k loops an ause a program to diverge.Feedba k loops are well de�ned if somewhere in the y le theyare broken by a de oupled signal fun tion.


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryWell De�ned Feedba k LoopsBadly de�ned feedba k loops an ause a program to diverge.Feedba k loops are well de�ned if somewhere in the y le theyare broken by a de oupled signal fun tion.Reminder: a signal fun tion is de oupled if its urrent outputonly depends upon its past inputs.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryWell De�ned Feedba k LoopsBadly de�ned feedba k loops an ause a program to diverge.Feedba k loops are well de�ned if somewhere in the y le theyare broken by a de oupled signal fun tion.Reminder: a signal fun tion is de oupled if its urrent outputonly depends upon its past inputs.Methods of de oupling: time delays, onstants, someprimitives (e.g. integration using the re tangle rule). . .Examples: LoopsDecoupled Loop

+ dup

delay 5

Instantaneous Loop

+ dup

+1Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryExisting Approa hes to De ouplingRelying on the programmer to orre tly de�ne loops.Does not restri t expressiveness.Easy to introdu e bugs into programs.Most FRP variants take this approa h.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryExisting Approa hes to De ouplingRelying on the programmer to orre tly de�ne loops.Does not restri t expressiveness.Easy to introdu e bugs into programs.Most FRP variants take this approa h.Expli it use of a de oupling primitive in all re ursive de�nitions.Can be on�rmed as safe by the type he ker ( onservatively).Limits expressiveness ( annot use dynami or higher ordersignal fun tions for de oupling).Most syn hronous data-�ow languages take this approa h.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryOur Approa h: De oupledness in the TypesWe index signal fun tion types with a boolean to denote theirde oupledness.Primitive Combinators Indexed by De ouplednesspure : (a → b) → SF [C a] [C b] false≫ : SF as bs d1 → SF bs s d2 → SF as s (d1 ∨ d2)∗∗∗ : SF as s d1 → SF bs ds d2 → SF (as++ bs) ( s++ ds) (d1 ∧ d2)loop : SF (as++ s) (bs++ ds) d → SF ds s true → SF as bs d

sf1

loop

sf2Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryOur Approa h: De oupledness in the TypesWe index signal fun tion types with a boolean to denote theirde oupledness.Primitive Combinators Indexed by De ouplednesspure : (a → b) → SF [C a] [C b] false≫ : SF as bs d1 → SF bs s d2 → SF as s (d1 ∨ d2)∗∗∗ : SF as s d1 → SF bs ds d2 → SF (as++ bs) ( s++ ds) (d1 ∧ d2)loop : SF (as++ s) (bs++ ds) d → SF ds s true → SF as bs dExamples: Primitive Signal Fun tions Indexed by De ouplednessnow : SF [ ] [E Unit] truetime : SF [ ] [C Time] trueedge : SF [C Bool] [E Unit] false

∫: SF [C R] [C R] ?Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryUninitialised Signals


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryUninitialised SignalsThe de oupled signal fun tion pre introdu es an in�nitesimaltime delay in a ontinuous-time signal.But this also means the signal is initially unde�ned.Initialisation Primitivespre : SF [C a] [C a] trueinitialise : a → SF [C a] [C a] falseiPre : a → SF [C a] [C a] true


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryUninitialised SignalsBoolean SynonymsInit = Boolinit = trueunin = falseAdding Initialisation to Signal Des riptorsdata SigDes : Set whereE : Set → SigDes C : Init → Set → SigDes Note that event signals are only de�ned at dis rete points in time,so there is no need to initialise them.Neil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummaryUninitialised SignalsPrimitives updated with Initialisation Des riptorspure : (a → b) → SF [C i a] [C i b] falsepre : SF [C init a] [C unin a] trueinitialise : a → SF [C unin a] [C init a] falseiPre : a → SF [C init a] [C init a] true


Motivation Outline Dependent Types FRP Type System Feedba k Loops Initialisation SummarySummaryFRP and syn hronous data-�ow languages make a trade-o�between expressiveness and safety.Dependent types allow us to have FRP with safety guarantees,while retaining dynami higher-order data-�ow.One su h safety guarantee is the absen e of instantaneousfeedba k loops.Another is that all signals (that require it) are orre tlyinitialised.See our paper for further details:http://www. s.nott.a .uk/∼nas/i fp09.pdfNeil S ulthorpe and Henrik Nilsson Safe FRP through Dependent Types

safe functional reactive programming through dependent...

Documents