Updated Pure definition in the metatheory (#6964)

Author: ramsay-t

plutus-executables/test/certifier/Spec.hs

@@ -125,6 +125,7 @@ srcTests =
   -- , "len"
   -- TODO: uncomment when "Haskell ByteString != Agda String" issue is fixed
   -- , "MinBS"
+    , "AA2-CSE"
   ]
 
 makeExampleTests :: [ String ] -> [ TestTree ]

plutus-executables/test/certifier/UPLC/AA2-CSE.uplc

@@ -0,0 +1,55 @@
+(program
+  1.1.0
+  [
+    [
+      [
+        (force (force (delay (delay (lam f-2 (lam x-3 [ f-2 x-3 ]))))))
+        (builtin addInteger)
+      ]
+      [
+        (lam
+          x0-0
+          [
+            (lam
+              x2-2
+              [
+                [
+                  (builtin multiplyInteger)
+                  [
+                    [ (builtin divideInteger) (con integer 1) ]
+                    (con integer 0)
+                  ]
+                ]
+                (con integer 0)
+              ]
+            )
+            [
+              [
+                (builtin lessThanEqualsInteger)
+                (con integer 0)
+              ]
+              (con integer 0)
+            ]
+          ]
+        )
+          (con integer 1)
+      ]
+    ]
+    [
+      (lam x0-0 x0-0)
+      [
+        (lam
+          x1-1
+          [
+            [
+              (builtin multiplyInteger)
+              (con integer 0)
+            ]
+            [ [ (builtin divideInteger) (con integer 1) ] (con integer 0) ]
+          ]
+        )
+        (con integer 1)
+      ]
+    ]
+  ]
+)

plutus-metatheory/plutus-metatheory.cabal

@@ -347,6 +347,7 @@ library
     MAlonzo.Code.Untyped
     MAlonzo.Code.Untyped.CEK
     MAlonzo.Code.Untyped.CEKWithCost
+    MAlonzo.Code.Untyped.Purity
     MAlonzo.Code.Untyped.RenamingSubstitution
     MAlonzo.Code.Utils
     MAlonzo.Code.Utils.Decidable
@@ -355,7 +356,6 @@ library
     MAlonzo.Code.VerifiedCompilation
     MAlonzo.Code.VerifiedCompilation.Certificate
     MAlonzo.Code.VerifiedCompilation.Equality
-    MAlonzo.Code.VerifiedCompilation.Purity
     MAlonzo.Code.VerifiedCompilation.UCaseOfCase
     MAlonzo.Code.VerifiedCompilation.UCaseReduce
     MAlonzo.Code.VerifiedCompilation.UCSE
@@ -641,7 +641,7 @@ library
     MAlonzo.Code.Utils.Reflection
     MAlonzo.RTE
     MAlonzo.RTE.Float
-    MAlonzo.Code.VerifiedCompilation.Purity
+    MAlonzo.Code.Untyped.Purity
     MAlonzo.Code.VerifiedCompilation.UCSE
     MAlonzo.Code.VerifiedCompilation.UFloatDelay
 

plutus-metatheory/src/Builtin.lagda.md

@@ -340,6 +340,10 @@ sig n⋆ n♯ (t₃ ∷ t₂ ∷ t₁) tᵣ
 
 open SugaredSignature using (signature) public
 
+-- The number of type arguments expected
+arity₀ : Builtin → ℕ
+arity₀ b = (Sig.fv⋆ (signature b)) Data.Nat.+ (Sig.fv♯ (signature b))
+
 -- The arity of a builtin, according to its signature.
 arity : Builtin → ℕ
 arity b = length (Sig.args (signature b))

plutus-metatheory/src/Untyped/Purity.lagda.md

@@ -0,0 +1,197 @@
+---
+title: VerifiedCompilation.Purity
+layout: page
+---
+
+# Definitions of Purity for Terms
+```
+module Untyped.Purity where
+
+```
+## Imports
+
+```
+open import Untyped using (_⊢; case; builtin; _·_; force; `; ƛ; delay; con; constr; error)
+open import Relation.Nullary using (Dec; yes; no; ¬_; _×-dec_)
+open import Builtin using (Builtin; arity; arity₀)
+open import Utils as U using (Maybe;nothing;just)
+open import RawU using (TmCon)
+open import Data.Product using (_,_; _×_)
+open import Data.Nat using (ℕ; zero; suc; _>_; _>?_)
+open import Data.List using (List; _∷_; [])
+open import Data.List.Relation.Unary.All using (All)
+open import Data.Maybe using (Maybe; just; nothing; from-just)
+open import Data.Maybe.Properties using (just-injective)
+open import Agda.Builtin.Equality using (_≡_; refl)
+open import Relation.Nullary.Negation using (contradiction)
+open import Relation.Binary.PropositionalEquality.Core using (trans; _≢_; subst; sym; cong)
+open import Data.Empty using (⊥)
+open import Function.Base using (case_of_)
+open import Untyped.CEK using (lookup?)
+open import VerifiedCompilation.UntypedViews using (isDelay?; isTerm?; isLambda?; isdelay; isterm; islambda)
+-- FIXME: This moves to Untyped.Reduction in a PR #7008...
+open import VerifiedCompilation.UCaseReduce using (iterApp)
+```
+## Saturation
+
+The `sat` function is used to measure whether a builtin at the bottom of a
+sub-tree of `force` and applications is now saturated and ready to reduce.
+
+```
+-- TODO: This code will move to Untyped.Reduction once we merge
+-- PR #7008.
+
+data Arity : Set where
+  no-builtin : Arity
+  want : ℕ → ℕ → Arity
+
+-- This is a Phil Wadler approved hack...
+postulate
+  interleave-error : ∀ {A : Set} → A
+
+sat : {X : Set} → X ⊢ → Arity
+sat (` x) = no-builtin
+sat (ƛ t) = no-builtin
+sat (t · t₁) with sat t
+... | no-builtin = no-builtin
+... | want zero zero = want zero zero -- This will reduce the left first...
+... | want zero (suc a₁) = want zero a₁
+... | want (suc a₀) a₁ = interleave-error
+sat (force t) with sat t
+... | no-builtin = no-builtin
+... | want zero a₁ = interleave-error
+... | want (suc a₀) a₁ = want a₀ a₁
+sat (delay t) = no-builtin
+sat (con x) = no-builtin
+sat (constr i xs) = no-builtin
+sat (case t ts) = no-builtin
+-- We assume no spontaneously reducing builtins!
+sat (builtin b) = want (arity₀ b) (arity b)
+sat error = no-builtin
+
+data Pure {X : Set} : (X ⊢) → Set where
+    force : {t : X ⊢} → Pure t → Pure (force (delay t))
+
+    constr : {i : ℕ} {xs : List (X ⊢)} → All Pure xs → Pure (constr i xs)
+
+    -- case applied to constr would reduce, and possibly be pure.
+    case : {i : ℕ} {t : X ⊢}{vs ts : List (X ⊢)}
+           → lookup? i ts ≡ just t
+           → Pure (iterApp t vs)
+           → Pure (case (constr i vs) ts)
+    -- case applied to anything else is Unknown
+
+    -- This assumes there are no builtins with arity 0
+    -- Or, if there are, they can just be replaced by a
+    -- constant before this stage!
+    builtin : {b : Builtin} → Pure (builtin b)
+
+    -- To be pure, a term needs to be still unsaturated
+    -- after it has been force'd or had something applied
+    -- hence, unsat-builtin₀ and unsat-builtin₁ have
+    -- (suc (suc _)) requirements.
+    unsat-builtin₀ : {t : X ⊢} {a₀ a₁ : ℕ}
+            → sat t ≡ want (suc (suc a₀)) a₁
+            → Pure t
+            → Pure (force t)
+
+    -- unsat-builtin₀₋₁ handles the case where
+    -- we consume the last type argument but
+    -- still have some unsaturated term args.
+    unsat-builtin₀₋₁ : {t : X ⊢} {a₁ : ℕ}
+            → sat t ≡ want (suc zero) (suc a₁)
+            → Pure t
+            → Pure (force t)
+
+    unsat-builtin₁ : {t t₁ : X ⊢} {a₁ : ℕ}
+            → sat t ≡ want zero (suc (suc a₁))
+            → Pure t
+            → Pure t₁
+            → Pure (t · t₁)
+
+    -- This is deliberately not able to cover all applications
+    -- ƛ (error) · t -- not pure
+    -- ƛ ƛ (error) · t · n -- not pure
+    -- ƛ ƛ ( (` nothing) · (` just nothing) ) · (ƛ error) · t -- not pure
+    -- Double application is considered impure (Unknown) by
+    -- the Haskell implementation at the moment.
+    app : {l : Maybe X ⊢} {r : X ⊢}
+            → Pure l
+            → Pure r
+            → Pure ((ƛ l) · r)
+
+    var : {v : X} → Pure (` v)
+    delay : {t : X ⊢} → Pure (delay t)
+    ƛ : {t : (Maybe X) ⊢} → Pure (ƛ t)
+    con : {c : TmCon} → Pure (con c)
+    -- errors are not pure ever.
+
+isPure? : {X : Set} → (t : X ⊢) → Dec (Pure t)
+
+allPure? : {X : Set} → (ts : List (X ⊢)) → Dec (All Pure ts)
+allPure? [] = yes All.[]
+allPure? (t ∷ ts) with (isPure? t) ×-dec (allPure? ts)
+... | yes (p , ps) = yes (p All.∷ ps)
+... | no ¬p = no λ { (px All.∷ x) → ¬p (px , x) }
+
+{-# TERMINATING #-}
+isPure? (` x) = yes var
+isPure? (ƛ t) = yes ƛ
+isPure? (l · r) with isLambda? (isTerm?) l
+... | yes (islambda (isterm l₁)) with (isPure? l₁) ×-dec (isPure? r)
+...   | yes (pl , pr) = yes (app pl pr)
+...   | no ¬pl-pr = no λ { (app pl pr) → ¬pl-pr (pl , pr) }
+isPure? (l · r) | no ¬lambda with sat l in sat-l
+... | no-builtin = no (λ { (unsat-builtin₁ sat-l₁ pl pr) → contradiction (trans (sym sat-l) sat-l₁) (λ ()) ; (app xx xx₁) → ¬lambda (islambda (isterm _)) })
+... | want zero zero = no (λ { (unsat-builtin₁ sat-l₁ xx xx₁) → contradiction ((trans (sym sat-l) sat-l₁)) (λ ()) })
+... | want zero (suc zero) = no (λ { (unsat-builtin₁ sat-l₁ xx xx₁) → contradiction ((trans (sym sat-l) sat-l₁)) (λ ()) })
+... | want (suc x) x₁ = no (λ { (unsat-builtin₁ sat-l₁ xx xx₁) → contradiction ((trans (sym sat-l) sat-l₁)) (λ ()) })
+... | want zero (suc (suc a₁)) with (isPure? l) ×-dec (isPure? r)
+...   | yes (pl , pr) = yes (unsat-builtin₁ sat-l pl pr)
+...   | no ¬pl-pr = no (λ { (unsat-builtin₁ x xx xx₁) → ¬pl-pr (xx , xx₁) })
+isPure? (force t) with isDelay? (isTerm?) t
+... | no ¬delay with sat t in sat-t
+...   | no-builtin = no (λ {
+                     (force xx) → ¬delay (isdelay (isterm _)) ;
+                     (unsat-builtin₀ sat-t₁ pt) → contradiction (trans (sym sat-t) sat-t₁) λ ();
+                     (unsat-builtin₀₋₁ sat-t₁ pt) → contradiction (trans (sym sat-t) sat-t₁) λ ()
+                     })
+...   | want zero x₁ = no λ {
+                     (unsat-builtin₀ sat-t₁ pt) → contradiction (trans (sym sat-t) sat-t₁) (λ ());
+                     (unsat-builtin₀₋₁ sat-t₁ pt) → contradiction (trans (sym sat-t) sat-t₁) λ ()
+                     }
+... | want (suc zero) zero = no λ {
+                     (unsat-builtin₀ sat-t₁ pt) → contradiction (trans (sym sat-t) sat-t₁) (λ ());
+                     (unsat-builtin₀₋₁ sat-t₁ pt) → contradiction (trans (sym sat-t) sat-t₁) λ ()
+                     }
+... | want (suc zero) (suc x₁) with isPure? t
+...    | no ¬pt = no λ { (unsat-builtin₀ x xx) → ¬pt xx ; (unsat-builtin₀₋₁ x xx) → ¬pt xx }
+...    | yes pt = yes (unsat-builtin₀₋₁ sat-t pt)
+isPure? (force t) | no ¬delay | want (suc (suc x)) x₁ with isPure? t
+...     | no ¬pt = no λ {(unsat-builtin₀ x pt) → ¬pt pt; (unsat-builtin₀₋₁ x xx) → ¬pt xx}
+...     | yes pt = yes (unsat-builtin₀ sat-t pt)
+isPure? (force t) | yes (isdelay (isterm tt)) with isPure? tt
+...    | yes p = yes (force p)
+...    | no ¬p = no λ { (force x) → ¬p x }
+isPure? (delay t) = yes delay
+isPure? (con x) = yes con
+isPure? (constr i xs) with allPure? xs
+... | yes pp = yes (constr pp)
+... | no ¬pp = no λ { (constr x) → ¬pp x }
+isPure? (case (` x) ts) =  no λ ()
+isPure? (case (ƛ t) ts) =  no λ ()
+isPure? (case (t · t₁) ts) =  no λ ()
+isPure? (case (force t) ts) =  no λ ()
+isPure? (case (delay t) ts) =  no λ ()
+isPure? (case (con x) ts) =  no λ ()
+isPure? (case (constr i vs) ts) with lookup? i ts in lookup-i
+... | nothing = no λ { (case lookup≡just pt·vs) → contradiction (trans (sym lookup-i) lookup≡just) λ () }
+... | just t with isPure? (iterApp t vs)
+...   | yes pt·vs = yes (case lookup-i pt·vs)
+...   | no ¬p = no λ { (case lookup≡just pt·vs) → contradiction (subst (λ x → Pure (iterApp x vs)) (just-injective (trans (sym lookup≡just) lookup-i)) pt·vs) ¬p }
+isPure? (case (case t ts₁) ts) = no λ ()
+isPure? (case (builtin b) ts) = no λ ()
+isPure? (case error ts) = no λ ()
+isPure? (builtin b) = yes builtin
+isPure? error = no λ ()
+```

plutus-metatheory/src/VerifiedCompilation.lagda.md

@@ -54,6 +54,7 @@ import Relation.Unary as Unary using (Decidable)
 import Agda.Builtin.Int
 import Relation.Nary as Nary using (Decidable)
 open import VerifiedCompilation.Certificate using (ProofOrCE; ce; proof; pcePointwise; MatchOrCE; SimplifierTag)
+open import Agda.Builtin.Sigma using (Σ; _,_)
 ```
 
 ## Compiler optimisation traces
@@ -167,14 +168,19 @@ traverseEitherList f ((tag , before , after) ∷ xs) with f before
 data Cert : Set₂ where
   cert
     : {X : Set} {result : List (SimplifierTag × (X ⊢) × (X ⊢))} {{_ : DecEq X}}
-    → ProofOrCE(Trace {X} result)
+    → ProofOrCE (Trace {X} result)
     → Cert
 
 runCertifier : List (SimplifierTag × Untyped × Untyped) → Maybe Cert
 runCertifier rawInput with traverseEitherList (toWellScoped {⊥}) rawInput
 ... | inj₁ _ = nothing
 ... | inj₂ inputTrace = just (cert (isTrace? inputTrace))
 
+getCE : {A B : Set} → Maybe Cert → Maybe (Σ _ \A → (Σ _ \B → (SimplifierTag × A × B)))
+getCE nothing = nothing
+getCE (just (cert (proof _))) = nothing
+getCE (just (cert (ce _ {X} {X'} t b a))) = just (X , X' , t , b , a)
+
 open import Data.Bool.Base using (Bool; false; true)
 open import Agda.Builtin.Equality using (_≡_; refl)
 

plutus-metatheory/src/VerifiedCompilation/Purity.lagda.md

@@ -24,9 +24,8 @@ open Eq using (_≡_; refl)
 open import Data.Empty using (⊥)
 open import Agda.Builtin.Maybe using (Maybe; just; nothing)
 open import Untyped.RenamingSubstitution using (_[_])
-open import VerifiedCompilation.Purity using (UPure; isUPure?)
+open import Untyped.Purity using (Pure; isPure?)
 open import VerifiedCompilation.Certificate using (ProofOrCE; ce; proof; pcePointwise; MatchOrCE; cseT)
-
 ```
 ## Translation Relation
 
@@ -40,7 +39,9 @@ back in would yield the original expression.
 ```
 data UCSE : Relation where
   cse : {X : Set} {{ _ : DecEq X}} {x' : Maybe X ⊢} {x e : X ⊢}
-    → UPure X e
+    -- TODO: This should ensure that the term that is moved
+    -- is still evaluated. The Haskell does this by never moving
+    -- across ƛ , delay, or case.
     → Translation UCSE x (x' [ e ])
     → UCSE x ((ƛ x') · e)
 
@@ -58,11 +59,9 @@ isUntypedCSE? : {X : Set} {{_ : DecEq X}} → MatchOrCE (Translation UCSE {X})
 {-# TERMINATING #-}
 isUCSE? : {X : Set} {{_ : DecEq X}} → MatchOrCE (UCSE {X})
 isUCSE? ast ast' with (isApp? (isLambda? isTerm?) isTerm?) ast'
-... | no ¬match = ce (λ { (cse x x₁) → ¬match (isapp (islambda (isterm _)) (isterm _))}) cseT ast ast'
+... | no ¬match = ce (λ { (cse pt) → ¬match (isapp (islambda (isterm _)) (isterm _))}) cseT ast ast'
 ... | yes (isapp (islambda (isterm x')) (isterm e)) with (isUntypedCSE? ast (x' [ e ]))
-... | ce ¬p t b a = ce (λ { (cse x x₁) → ¬p x₁}) t b a
-... | proof p with (isUPure? e)
-...   | yes upure = proof (cse upure p)
-...   | no ¬p = ce (λ z → ¬p (UPure.FIXME e)) cseT ast ast'
+...   | ce ¬p t b a = ce (λ { (cse pt) → ¬p pt}) t b a
+...   | proof p = proof (cse p)
 isUntypedCSE? = translation? cseT isUCSE?
 ```