我的书签
添加书签
移除书签Opaque definitions
Opaque definitions are a mechanism for controlling unfolding of Agda definitions, to help with both goal readability and performance. Like abstract definitions, opaque definitions will not unfold in general, but unlike abstract definitions, opacity can be selectively controlled at use-sites.
Our implementation of unfolding control is based on the theory introduced by Gratzer et. al. in Controlling unfolding in type theory, but handled entirely at the elaborator level, without a dependency on our (cubical) extension types.
Overview
Functions (and primitive functions) can be marked
opaque. Outside ofopaqueblocks, these behave like postulates.Opaque blocks, even in unrelated modules, can have
unfoldingclauses, which allow the user to list their choice of names that should be locally treated as transparent.Opaque definitions do not reduce in type signatures, even inside opaque blocks where they would otherwise be unfolded.
Unfolding opaque definitions
Consider an implementation of the integers as an abstract setoid: The underlying representation is given by pairs of natural numbers, representing a difference, but day-to-day, we would like to treat ℤ as its own type.
Our core module might define these operations:
module Integer whereopaqueℤ : Setℤ = Nat × Nat_≡ℤ_ : (x y : ℤ) → Set(p , n) ≡ℤ (p' , n') = (p + n') ≡ (p' + n)infix 10 _≡ℤ_0ℤ : ℤ0ℤ = 0 , 01ℤ : ℤ1ℤ = 1 , 0_+ℤ_ : (x y : ℤ) → ℤ(p , n) +ℤ (p' , n') = (p + p') , (n + n')_*ℤ_ : (x y : ℤ) → ℤ(a , b) *ℤ (c , d) = ((a * c) + (b * d)) , ((a * d) + (b * c))infixl 20 _+ℤ_infixl 30 _*ℤ_-ℤ_ : ℤ → ℤ-ℤ (p , n) = (n , p)
We’d now like to prove that the integers form a ring, under the _≡ℤ_ notion of equality. Some of the equations on natural numbers involved are pretty nasty, though, so this would be very hard to do without a solver for semiring equations. However, such a solver would also depend on reflection machinery, bloating the dependency tree of the Integer module for people who do not care about it provably forming a ring.
Fortunately, since ℤ is opaque rather than abstract, a different module, say Integer-ring, can provide its own proofs, in an opaque block that unfolds the definition of ℤ:
module Integer-ring whereopen Integeropaqueunfolding ℤdistlℤ : ∀ x y z → x *ℤ (y +ℤ z) ≡ℤ x *ℤ y +ℤ x *ℤ zdistlℤ (a , b) (c , d) (e , f) = use-nat-solver where postulateuse-nat-solver: a * (c + e) + b * (d + f) + (a * d + b * c + (a * f + b * e))≡ a * c + b * d + (a * e + b * f) + (a * (d + f) + b * (c + e))
Since the definition of distlℤ is in an opaque block with an unfolding ℤ clause, it sees through the opacity of ℤ, and of all names unfolded by ℤ’s opaque block (see below).
What actually unfolds?
When an opaque block is checked, Agda will compute ahead-of-time the set of names it is allowed to unfold. This set is per-block, not per-definition. An unfolding clause, if it mentions opaque names, will cause the unfolding sets associated with those names to be added to the current block.
The following illustrates the behaviour of these rules:
Unfolding any name in an opaque block will cause any of the other names in that block to be unfolded as well. Example:
module _ where privateopaquex : Naty : Natx = 3y = 4opaqueunfolding x_ : y ≡ 4_ = refl
Here, even though only
xwas asked for,yis also available for unfolding.Since the unfolding sets brought in by clauses are associated with the block, unfolding is transitive:
module _ where privateopaquex : Natx = 3opaqueunfolding xy : Naty = 4 + xopaqueunfolding y_ : y ≡ 7_ = refl
Opaque blocks which are lexically nested can also unfold the names of their parent blocks, even if the name is not in scope when the child block is defined:
module _ where privateopaquex : Natx = 3opaquey : Naty = 4_ : x ≡ 3_ = reflz : Natz = 5opaqueunfolding y_ : z ≡ 5_ = refl
This is because the
xandzare direct children of the sameopaqueblock: theopaqueblock that definesydoes not “split” its parent block.
Multiple unfolding clauses are supported, as well as unfolding more than one name per clause. The syntax for the latter is simply a space-separated list of names, which must refer to unambiguous functions:
module _ where privateopaquex : Natx = 3opaquey : Naty = 4opaquez : Natz = 5opaqueunfolding x yunfolding z_ : x + y + z ≡ 12_ = refl
Finally, unfolding clauses do not introduce new layout context, so that the following is legal: note that y appears to the left of x, but is still attached to the same unfolding clause. This allows the user their preference for how to lay out their unfolding sets:
opaqueunfolding xyunfolding z_ : x + y + z ≡ 12_ = refl
Having an unfolding clause appear after other definitions, or outside of opaque blocks, is a syntax error.
Note that unlike abstract blocks, which are treated on a per-module basis, opaque blocks will only unfold names according to the rules above:
module _ where privateopaquex : Natx = 3-- opaque-- _ : x ≡ 3-- _ = refl-- Fails with: x != 3 of type Nat
Unfolding in types
Note that unfolding clauses do not apply to the type signatures inside an opaque block. Much like for abstract blocks, this prevents leakage of implementation details, but it is also necessary to ensure that the types of names defined by the opaque block remain valid outside the opaque block. Consider:
opaqueS : Set₁S = Setfoo′ : Sfoo′ = Natopaqueunfolding foo′-- bar′ : foo′-- bar′ = 123-- Error: S should be a sort, but it isn't
If the definition of bar′ were allowed, we would have bar′ : foo′ in the context. Outside of the relevant opaque blocks, foo′ is not a type, for foo′ : S, and S is not a sort. In cases like this, using an auxiliary definition whose type is a sort is required:
-- Lift foo′ to a definition:ty′ : Setty′ = foo′bar′ : ty′bar′ = 123
Since ty′ : Set is manifestly a well-formed type, even outside of this opaque block, there is no problem in adding bar′ : ty′ to the context.
Bibliography
Daniel Gratzer, Jonathan Sterling, Carlo Angiuli, Thierry Coquand, and Lars Birkedal; “Controlling unfolding in type theory”.
