## Chasing bottoms: A case study in program verification in the presence of partial and infinite values (2004)

### Cached

### Download Links

- [www.cs.chalmers.se]
- [www.cs.nott.ac.uk]
- [www.cse.chalmers.se]
- DBLP

### Other Repositories/Bibliography

Venue: | In MPC 2004, volume 3125 of LNCS |

Citations: | 9 - 2 self |

### BibTeX

@INPROCEEDINGS{Danielsson04chasingbottoms:,

author = {Nils Anders Danielsson and Patrik Jansson},

title = {Chasing bottoms: A case study in program verification in the presence of partial and infinite values},

booktitle = {In MPC 2004, volume 3125 of LNCS},

year = {2004},

pages = {85--109},

publisher = {Springer}

}

### OpenURL

### Abstract

Abstract. This work is a case study in program verification: We have written a simple parser and a corresponding pretty-printer in a nonstrict functional programming language with lifted pairs and functions (Haskell). A natural aim is to prove that the programs are, in some sense, each other’s inverses. The presence of partial and infinite values in the domains makes this exercise interesting, and having lifted types adds an extra spice to the task. We have tackled the problem in different ways, and this is a report on the merits of those approaches. More specifically, we first describe a method for testing properties of programs in the presence of partial and infinite values. By testing before proving we avoid wasting time trying to prove statements that are not valid. Then we prove that the programs we have written are in fact (more or less) inverses using first fixpoint induction and then the approximation lemma. 1

### Citations

323 | QuickCheck: A Lightweight Tool for Random Testing of Haskell Programs
- Classen, Hughes
(Show Context)
Citation Context ... use a separate tool then we necessarily have to use some impure extension, e.g. exception handling [11]. Furthermore it would be nice if we could perform these tests in pure code, such as QuickCheck =-=[2]-=- properties (see below). This can only be accomplished by using the decidedly unsafe function unsafePerformIO :: IO a → a [1, 11]. The resulting function isBottom :: a → Bool 1 has to be used with car... |

292 | Why Functional Programming Matters
- Hughes
- 1989
(Show Context)
Citation Context ...re or less) inverses using first fixpoint induction and then the approximation lemma. 1 Introduction Infinite values are commonly used in (non-strict) functional programs, often to improve modularity =-=[5]-=-. Partial values are seldom used explicitly, but they are still present in all non-trivial Haskell programs because of non-termination, pattern match failures, calls to the error function etc. Unfortu... |

142 | Scrap your boilerplate: a practical design pattern for generic programming
- Lämmel, Jones
- 2003
(Show Context)
Citation Context ...nd ( ˆ⊑) are prime candidates for generalisation. We have implemented them using type classes; instances are generated automatically using the “Scrap Your Boilerplate” approach to generic programming =-=[9]-=-. QuickCheck is a library for defining and testing properties of Haskell functions [2]. By using the framework developed above we can now give QuickCheck implementations of properties (1) and (2): pro... |

38 | Free theorems in the presence of seq
- Johann, Voigtländer
- 2004
(Show Context)
Citation Context ... of the monadic identity laws fails to hold for some standard Monad instances in Haskell, such as the state “monad.” The existence of a polymorphic seq also weakens Haskell’s parametricity properties =-=[8]-=-, but that does not directly affect us because our functions are not polymorphic. Another caveat, also related to seq, is that f = λTrue x → x is not identical to f ′ = λTrue → λx → x. By careful insp... |

25 | Polytypic data conversion programs
- Jansson, Jeuring
- 2002
(Show Context)
Citation Context ...s around are a simple pretty-printer and a corresponding parser. Jansson and Jeuring define several more complex (polytypic) pretty-printers and parsers and prove them correct for total, finite input =-=[7]-=-. The case study in this paper uses cut down versions of those programs ⋆ This work is partially funded by the Swedish Foundation for Strategic Research as part of the research programme “Cover — Comb... |

21 | A static semantics for Haskell
- Faxén
- 2002
(Show Context)
Citation Context ...this method has not been formally verified to work; there is not even a formal semantics for the language to verify it against. (We should mention that some work has been done on the static semantics =-=[3]-=-.) Nevertheless we will follow this approach, taking some caveats into account (see below). Although our aim is to explore what a proof would look like when all issues related to partial and infinite ... |

13 | The generic approximation lemma
- Hutton, Gibbons
- 2001
(Show Context)
Citation Context ...artial and infinite input we will test the properties before we try to prove them. How do we test infinite input in finite time? An approach which seems to work fine is to use the approximation lemma =-=[6]-=-. For T the function approx is defined as follows (Nat is a data type for natural numbers): data Nat = Zero | Succ Nat approx :: Nat → T → T approx (Succ n) = λt → case t of L → L B l r → B (approx n ... |

5 | Monadic Corecursion — Definition, Fusion Laws, and Applications - Pardo - 1998 |

2 |
Chakravarty et al. The Haskell 98 Foreign Function Interface 1.0, An Addendum to the Haskell 98 Report, 2003. Available online at http://www.haskell. org/definition
- Manuel
- 2000
(Show Context)
Citation Context ...d be nice if we could perform these tests in pure code, such as QuickCheck [2] properties (see below). This can only be accomplished by using the decidedly unsafe function unsafePerformIO :: IO a → a =-=[1, 11]-=-. The resulting function isBottom :: a → Bool 1 has to be used with care; it only detects a ⊥ that results in an exception. However, that is enough for our purposes, since pattern match failures, erro... |

2 |
Proof methods for corecursive programs, submitted
- Gibbons, Hutton
- 2000
(Show Context)
Citation Context ...artial and infinite values. We use random testing (Sect. 5) and two proof methods, fixpoint induction (Sect. 7) and the approximation lemma (Sect. 8), both described in Gibbons’ and Hutton’s tutorial =-=[4]-=-. The programs that our case study revolves around are a simple pretty-printer and a corresponding parser. Jansson and Jeuring define several more complex (polytypic) pretty-printers and parsers and p... |