Verify the late-failing implementation of lookup

in issue haskell/containers#794 and PR
haskell/containers#800 an alternative
implementation of `lookup` is proposed which checks if the key is as
expected only when reaching the leaf. This means less branching in the
success case or when the lookup key shares long prefixes with existing
values, but may do more work when the lookup key is far away from
existing keys.

Not saying that it’s particularly doubtful that the changed code is
correct, but since we have the machinery, why not verify it? So here we
go, and yes, it goes through.

I don’t think we need to merge the PR like this, and can probably wait
for the code to reach a containers release, and then include it there.

Also, this PR currently contains a bunch of local hacks that I used to
get going again (now that I use NixOS), which need to be removed, merged
separately, or made obsolete by better changes to the setup.

Author: nomeata

common.mk

@@ -1,23 +1,25 @@
 HAVE_STACK := $(shell command -v stack 2> /dev/null)
 
-ifdef HAVE_STACK
-ifdef FOREIGN_HS_TO_COQ
-ifndef HS_TO_COQ_DIR
-$(error "Using `hs-to-coq/common.mk' outside the hs-to-coq directory requires setting `HS_TO_COQ_DIR'")
-endif
-HS_TO_COQ = $(shell cd $(HS_TO_COQ_DIR) && stack exec env | perl -ne 'print "$$1/hs-to-coq\n" if /^PATH=([^:]+)/')
-else
-HS_TO_COQ = stack exec hs-to-coq --
-endif
-else
-ifndef FOREIGN_HS_TO_COQ
-$(error "Using `hs-to-coq/common.mk' outside the hs-to-coq directory requires `stack'")
-endif
-ifeq ($(HS_TO_COQ_COVERAGE),True)
-	CABAL_OPTS = --enable-coverage
-endif
-TOP := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
-HS_TO_COQ = cabal new-run --project-file=$(TOP)/cabal.project  -v0 $(CABAL_OPTS) exe:hs-to-coq --
-endif
+# ifdef HAVE_STACK
+# ifdef FOREIGN_HS_TO_COQ
+# ifndef HS_TO_COQ_DIR
+# $(error "Using `hs-to-coq/common.mk' outside the hs-to-coq directory requires setting `HS_TO_COQ_DIR'")
+# endif
+# HS_TO_COQ = $(shell cd $(HS_TO_COQ_DIR) && stack exec env | perl -ne 'print "$$1/hs-to-coq\n" if /^PATH=([^:]+)/')
+# else
+# HS_TO_COQ = stack exec hs-to-coq --
+# endif
+# else
+# ifndef FOREIGN_HS_TO_COQ
+# $(error "Using `hs-to-coq/common.mk' outside the hs-to-coq directory requires `stack'")
+# endif
+# ifeq ($(HS_TO_COQ_COVERAGE),True)
+# 	CABAL_OPTS = --enable-coverage
+# endif
+# TOP := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+# HS_TO_COQ = cabal new-run --project-file=$(TOP)/cabal.project  -v0 $(CABAL_OPTS) exe:hs-to-coq --
+# endif
+
+HS_TO_COQ = /home/jojo/uni/UPenn/hs-to-coq/result/bin/hs-to-coq
 
 SHELL = bash

default.nix

@@ -7,11 +7,11 @@
 #   nix-build -A haskellPackages.hs-to-coq
 # After building, you can run result/bin/hs-to-coq
 
-{ coqPackages ? "coqPackages_8_8"
+{ coqPackages ? "coqPackages_8_10"
 , ghcVersion  ? "ghc882"
 
-, rev    ? "1fe82110febdf005d97b2927610ee854a38a8f26"
-, sha256 ? "08x6saa7iljyq2m0j6p9phy0v17r3p8l7vklv7y7gvhdc7a85ppi"
+, rev    ? "4c2e7becf1c942553dadd6527996d25dbf5a7136"
+, sha256 ? "10dzi5xizgm9b3p5k963h5mmp0045nkcsabqyarpr7mj151f6jpm"
 
 , pkgs   ? import (builtins.fetchTarball {
     url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
@@ -46,7 +46,7 @@ let
 
       env = pkgs.buildEnv { name = name; paths = buildInputs; };
       passthru = {
-        compatibleCoqVersions = v: builtins.elem v [ "8.6" "8.7" "8.8" ];
+        compatibleCoqVersions = v: builtins.elem v [ "8.6" "8.7" "8.8" "8.10" ];
      };
     };
   };

examples/containers/Makefile

@@ -47,7 +47,7 @@ SRC_FILE_Data/IntSet/InternalWord = containers/Data/IntSet/Internal.hs
 TEST_MODULES = \
 
 # generated from drop-in/
-DROPIN =
+DROPIN = FastLookup
 
 # also generated from drop-in/
 SPECIAL_MODULES =
@@ -142,16 +142,16 @@ $(VFILES_MAN): $(OUT)/%.v : manual/%.v
 	lndir ../manual $(OUT)/
 
 
-$(VFILES_DROPIN): $(OUT)/%.v : module-edits/%/edits edits module-edits/%/preamble.v drop-in/%.hs $(OUT)/README.md
-	$(HS_TO_COQ) -e module-edits/$*/edits \
-	             -e edits \
-	       -o $(OUT) \
-	       -N \
-	       -p module-edits/$*/preamble.v \
-	       --ghc -icontainers \
-	       --ghc -icontainers/dist-install/build \
-	       -Icontainers/include \
-	       drop-in/$*.hs
+.SECONDEXPANSION:
+$(VFILES_DROPIN): $(OUT)/%.v : $$(wildcard module-edits/$$*/preamble.v) $$(wildcard module-edits/$$*/midamble.v)  $$(wildcard module-edits/$$*/edits) $$(wildcard module-edits/$$*/flags) edits drop-in/$$*.hs
+	$(HS_TO_COQ) $(addprefix -e , $(wildcard module-edits/$*/edits)) \
+	             $(addprefix -p , $(wildcard module-edits/$*/preamble.v)) \
+	             $(addprefix --midamble , $(wildcard module-edits/$*/midamble.v)) \
+	             $(addprefix `cat , $(addsuffix ` , $(wildcard module-edits/$*/flags))) \
+		     $(HS_TO_COQ_OPTS) \
+	             -o $(OUT) \
+	             drop-in/$*.hs
+	test -e $@
 
 clean:
 	rm -rf $(OUT) $(HS_SPEC)

examples/containers/drop-in/FastLookup.hs

@@ -0,0 +1,16 @@
+{-# LANGUAGE BangPatterns #-}
+
+module FastLookup where
+
+import Data.IntMap.Internal
+import Prelude hiding (lookup)
+
+fastLookup :: Key -> IntMap a -> Maybe a
+fastLookup !k = go
+  where
+    go (Bin _p m l r) | zero k m  = go l
+                      | otherwise = go r
+    go (Tip kx x) | k == kx   = Just x
+                  | otherwise = Nothing
+    go Nil = Nothing
+

examples/containers/lib/FastLookup.h2ci

@@ -0,0 +1 @@
+{}

examples/containers/lib/FastLookup.v

@@ -0,0 +1,43 @@
+(* Default settings (from HsToCoq.Coq.Preamble) *)
+
+Generalizable All Variables.
+
+Unset Implicit Arguments.
+Set Maximal Implicit Insertion.
+Unset Strict Implicit.
+Unset Printing Implicit Defensive.
+
+Require Coq.Program.Tactics.
+Require Coq.Program.Wf.
+
+(* Converted imports: *)
+
+Require Data.IntMap.Internal.
+Require Data.IntSet.Internal.
+Require GHC.Base.
+Import GHC.Base.Notations.
+
+(* No type declarations to convert. *)
+
+(* Converted value declarations: *)
+
+Definition fastLookup {a : Type}
+   : Data.IntSet.Internal.Key -> Data.IntMap.Internal.IntMap a -> option a :=
+  fun k =>
+    let fix go arg_0__
+      := match arg_0__ with
+         | Data.IntMap.Internal.Bin _p m l r =>
+             if Data.IntSet.Internal.zero k m : bool then go l else
+             go r
+         | Data.IntMap.Internal.Tip kx x =>
+             if k GHC.Base.== kx : bool then Some x else
+             None
+         | Data.IntMap.Internal.Nil => None
+         end in
+    go.
+
+(* External variables:
+     None Some Type bool option Data.IntMap.Internal.Bin Data.IntMap.Internal.IntMap
+     Data.IntMap.Internal.Nil Data.IntMap.Internal.Tip Data.IntSet.Internal.Key
+     Data.IntSet.Internal.zero GHC.Base.op_zeze__
+*)

examples/containers/lib/_CoqProject

@@ -3,4 +3,4 @@
 Utils/Containers/Internal/PtrEquality.v CTZ.v BitTerminationProofs.v Test/QuickCheck/Property.v Test/QuickCheck/Arbitrary.v Test/QuickCheck/Gen.v IntWord.v
 Data/Set/Internal.v Utils/Containers/Internal/BitUtil.v Data/IntSet/Internal.v Data/IntSet/InternalWord.v Data/IntMap/Internal.v Data/Map/Internal.v IntSetValidity.v
 
-
+FastLookup.v

examples/containers/module-edits/FastLookup/edits

@@ -0,0 +1,20 @@
+rename type GHC.Types.Int = Coq.Numbers.BinNums.N
+
+# `complement x` does not work at type `N`, as the complement of a natural
+# number is negative. But in this module, all uses of `complement` are meant to be
+# 64bit numbers anyways, so we can complement just these bits.
+rewrite forall x, (Data.Bits.complement x) = (complement' x)
+
+rewrite forall x, (x Data.Bits..&. Data.IntSet.Internal.prefixBitMask) = Coq.NArith.BinNat.N.ldiff x Data.IntSet.Internal.suffixBitMask
+
+# Share bit stuff with IntSet
+rename value Data.IntMap.Internal.mask = Data.IntSet.Internal.mask
+skip Data.IntSet.Internal.mask
+rename value Data.IntMap.Internal.zero = Data.IntSet.Internal.zero
+skip Data.IntSet.Internal.zero
+
+
+# Local issue on Joachim’s PC?
+rename type  GHC.Maybe.Maybe   = option
+rename value GHC.Maybe.Just    = Some
+rename value GHC.Maybe.Nothing = None

examples/containers/theories/IntMapProofs.v

@@ -646,6 +646,28 @@ Proof.
   Nomega.
 Qed.
 
+(* Sometimes the code does not check nomatch first. But we still
+   want a similar lemma.
+*)
+Lemma zero_without_nomatch:
+  forall {a} i r (P : a -> Prop) left right,
+  (0 < rBits r)%N ->
+  (inRange i (halfRange r false) = false -> inRange i (halfRange r true) = false -> P left) ->
+  (inRange i (halfRange r false) = false -> inRange i (halfRange r true) = false -> P right) ->
+  (inRange i (halfRange r false) = true -> inRange i (halfRange r true) = false -> P left) ->
+  (inRange i (halfRange r false) = false -> inRange i (halfRange r true) = true -> P right) ->
+  P (if zero i (rMask r) then left else right).
+Proof.
+  intros.
+  (* I’m lazy, so I’ll reduce it to the previous lemma. *)
+  erewrite <- ssrbool.if_same.
+  apply nomatch_zero; try assumption.
+  intro.
+  destruct (zero i (rMask r));
+    [apply H0|apply H1];
+    eapply inRange_isSubrange_false; try apply H4;
+    apply isSubrange_halfRange; assumption.
+Qed.
 
 (** *** Verification of [equal] *)
 
@@ -755,6 +777,34 @@ Proof.
 Qed.
 
 
+(* Verification of the fast-lookup function propoesd in 
+    https://github.com/haskell/containers/pull/800 *)
+
+Require Import FastLookup.
+
+Lemma fastLookup_Desc:
+ forall {a}{s : IntMap a}{r f i}, Desc s r f -> fastLookup i s = f i.
+Proof.
+ intros ????? HD.
+ induction HD; subst.
+ * simpl.
+   unfoldMethods.
+   rewrite H.
+   destruct (i =? k) eqn:Ei; simpl; auto.
+ * rewrite H4. clear H4.
+   simpl fastLookup.
+   rewrite IHHD1 IHHD2. clear IHHD1 IHHD2.
+   apply zero_without_nomatch; [apply H|..]; intros.
+   + rewrite (Desc_outside HD2) ; last inRange_false.
+     rewrite oro_None_r. reflexivity.
+   + rewrite (Desc_outside HD1) ; last inRange_false.
+     rewrite oro_None_l. reflexivity.
+   + rewrite (Desc_outside HD2) ; last inRange_false.
+     rewrite oro_None_r. reflexivity.
+   + rewrite (Desc_outside HD1) ; last inRange_false.
+     rewrite oro_None_l. reflexivity.
+Qed.
+
 (* For the sake of simplicity, we are writing a new findWithdefault that returns an option *)
 
 Definition findWithDefaultOption {a} (def : a) (k : Key) (s : IntMap a) :=