expr_larger

This has been processed with:

ocamlorn --library stdlib.mli \ --library expr_larger.in.ml --input expr_larger.in.ml --lifting expr_larger.lif.ml \ > expr_larger.out.ml

A small interpreter

We will write an interpreter for a small programming language.

We first assume a few definitions to manipulate identifiers and environments

type id = Identifier type 'a list = Nil | Cons of 'a * 'a list type 'a option = None | Some of 'a type bool = True | False val equal : 'a -> 'a -> bool val fail : 'a -> 'b let assoc x l = match l with | Nil -> None | Cons ((y, v), l) -> (match equal x y with True -> Some v | False -> None) (* val assoc : 'a -> ('a * 'b) list -> 'b option *)

We start by writing the type of expressions for a language with asbtractions and tuples. We only consider one element tuples, single field, but just to make the example and the code shorter, and changing them to pairs would not raise any difficulty.

Then, we write an evaluator for this type, using environments:

The evaluator distinguishes type (or scope) errors in the program, where it returns None, and internal errors when the expression returned by the evaluator is not a value. In this case, the evaluator raises an exception by calling fail ().

We should soon realize that we mistakenly implemented dynamic scoping: the result of evaluating an abstraction should not be an abstraction but a closure that holds the lexical environment of the abstraction.

This examples show how ornaments can be used to fix this problem, and use automatic transformations of the code as much as possible, leaving to the programmer just a small manual transformation to eventually fix the bug. Notice that fixing a but will always require a manual step, since the semantics of the base program cannot be changed by ornamentation alone.

Undoing our mistakes

In the current implementation, the expressions taken by the evaluator and the values it returns are not separated. Before we can fix the problem, we first implement this separation. For that purpose, we write a new datatype value of values

type value = | VAbs of id * expr | VTup of value

and a partial ornament that lifts abstractions and tupples to values and is undefined on other cases:

This ornament can be used to transform the evaluator to make explicit the fact that it only returns values:

let eval' = lifting eval : (id * expr_value) list -> expr -> expr_value option

We get the following program.

Note that all fail () have been removed, automatically! This works because we are just making explicit an invariant that what implicit. In particular, the semantics has not been changed.

The next step is to change abstractions appearing in values to closure: we define a new type val' of where functions are represented as closures.

type value' = | VClosure' of id * (id * value') list * expr | VTup' of value'

To apply this transformation in the code mecanically, we define an ornament that renames VAbs to VClosure' and adds an environment:

type ornament value_value' : value => value' with | VAbs(x, e) => VClosure'(x, _, e) | VTup(v) => VTup'(v) when v : value_value'

Since, adding closure has an extra field, we expect the lifting of eval to be partial. The advanced programmer would see that there should be only one source of partiality which is the replacement of VAbs(x, e) by Vclosure' (x, _, e) in which case, the current environment env should fill the hole. Hence she may directly write

let eval'' = lifting eval' with | ornament * <- value_value', @id | * <- env

where * stand for every patch occurrence.

A prudent programmer may first ask for a partial lifting to see the occurrences where patches are needed:

let eval'' = lifting eval' with | ornament * <- value_value', @id

As expected

She can then write the patch that will fix the single hole #35 with env as done below. At this point, it is easying to imagine an interactive tool that would point her to the occurrence of the hole in the partial lifing code which she would fill with env and then automatically adapt the partial patch into the following code:

let eval'' = lifting eval' with | ornament * <- value_value', @id | #35 <- env

Notice that env in this case, env is the only variable in context of the expected type. It does not mean that env is the only possible patch, but the obvious choice. Hence, an interactive tool could make the suggestion for us, which we would just need to confirm—or if we are quite confident, we could request such obvious patched to be automatically filled for us

let eval'' = lifting eval' with | ornament * <- value_value', @id | * <- try obvious (* not implemented yet *)

Another solution, possibly more robust to changes in the base code, would be to use example-based code inference and write the following patch:

let eval'' = lifting eval' : (id * value_value') list -> expr -> value_value' option with * <- try eval env (VAbs (_, _)) = Some (Closure (_, env, _)) (* Not implemented *)

In all cases, we get the following code:

We only used ornamentation so far. Therefore, we know the behaviour of the code has been preserved (even though we adding a new field). The final step to fix the bug has to change the semantics and must be done manually: instead of passing the dynamic environment to the code of a function, we pass the environment closure_env stored in the closure (line 10).

Another path

Another path is possible: we first define an enriched type of expressions that contain both applications and closures.

Then, we lift the eval function. We evaluating an Abs we choose to always construct a closure.

let eval' = lifting eval : (id * expr_expr') list -> expr_expr' -> expr_expr' option with | ornament * <- @id | #51 <- Right env

We get the following output:

We can then manually edit the relevant case (line 17):

Finally, we can cleanup by separating expressions and values:

And apply the refactoring:

let eval'' = lifting eval' : (id * expr'_value') list -> expr'_expr -> expr'_value' option

We again get the desired program: