suzanne.soy/racket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a665239689
racket/collects/scribblings/guide/contracts-first-extended-example.scrbl
Asumu Takikawa 798344d2c6 Additional guide fix by Lee Duhem 
Relevant to PR 13034
2012-08-17 01:45:07 -04:00

289 lines
10 KiB
Racket
Raw Blame History

#lang scribble/doc
@(require scribble/manual scribble/core scribble/eval
"guide-utils.rkt" "contracts-utils.rkt"
(only-in racket/list argmax)
(for-label racket/contract))
@;(require "shared.rkt" (only-in racket/list argmax))
@title[#:tag "contracts-first"]{Contracts: A Thorough Example}
This section develops several different flavors of contracts for one and
the same example: Racket's @racket[argmax] function. According to
its Racket documentation, the function consumes a procedure @racket[proc] and
a non-empty list of values, @racket[lst]. It
@nested[#:style 'inset]{
returns the @emph{first} element in the list @racket[lst] that maximizes
the result of @racket[proc].}
The emphasis on @emph{first} is ours.
Examples:
@interaction[#:eval ((make-eval-factory (list 'racket)))
(argmax add1 (list 1 2 3))
(argmax sqrt (list .4 .9 .16))
(argmax second '((a 2) (b 3) (c 4) (d 1) (e 4)))
]
Here is the simplest possible contract for this function:
@racketmod[#:file @tt{version 1}
racket
(define (argmax f lov) ...)
(provide
(contract-out
[argmax (-> (-> any/c real?) (and/c pair? list?) any/c)]))
]
This contract captures two essential conditions of the informal
description of @racket[argmax]:
@itemlist[
@item{the given function must produce numbers that are comparable according
to @racket[<]. In particular, the contract @racket[(-> any/c number?)]
would not do, because @racket[number?] also recognizes complex numbers in
Racket.}
@item{the given list must contain at least one item.}
]
When combined with the name, the contract explains the behavior of
@racket[argmax] at the same level as an ML function type in a
module signature (except for the non-empty list aspect).
Contracts may communicate significantly more than a type signature,
however. Take a look at this second contract for @racket[argmax]:
@racketmod[#:file @tt{version 2}
racket
(define (argmax f lov) ...)
(provide
(contract-out
[argmax
(->i ([f (-> any/c real?)] [lov (and/c pair? list?)]) ()
(r (f lov)
(lambda (r)
(define f@r (f r))
(for/and ([v lov]) (>= f@r (f v))))))]))
]
It is a @emph{dependent} contract that names the two arguments and uses
the names to impose a predicate on the result. This predicate computes
@racket[(f r)] -- where @racket[r] is the result of @racket[argmax] -- and
then validates that this value is greater than or equal to all values
of @racket[f] on the items of @racket[lov].
Is it possible that @racket[argmax] could cheat by returning a random value
that accidentally maximizes @racket[f] over all elements of @racket[lov]?
With a contract, it is possible to rule out this possibility:
@racketmod[#:file @tt{version 2 rev. a}
racket
(define (argmax f lov) ...)
(provide
(contract-out
[argmax
(->i ([f (-> any/c real?)] [lov (and/c pair? list?)]) ()
(r (f lov)
(lambda (r)
(define f@r (f r))
(and (memq r lov)
(for/and ([v lov]) (>= f@r (f v)))))))]))
]
The @racket[memq] function ensures that @racket[r] is @emph{intensionally equal}
@margin-note*{That is, "pointer equality" for those who prefer to think at
the hardware level.} to one of the members of @racket[lov]. Of course, a
moment's worth of reflection shows that it is impossible to make up such a
value. Functions are opaque values in Racket and without applying a
function, it is impossible to determine whether some random input value
produces an output value or triggers some exception. So we ignore this
possibility from here on.
Version 2 formulates the overall sentiment of @racket[argmax]'s
documentation, but it fails to bring across that the result is the
@emph{first} element of the given list that maximizes the given function
@racket[f]. Here is a version that communicates this second aspect of
the informal documentation:
@racketmod[#:file @tt{version 3}
racket
(define (argmax f lov) ...)
(provide
(contract-out
[argmax
(->i ([f (-> any/c real?)] [lov (and/c pair? list?)]) ()
(r (f lov)
(lambda (r)
(define f@r (f r))
(and (for/and ([v lov]) (>= f@r (f v)))
(eq? (first (memf (lambda (v) (= (f v) f@r)) lov))
r)))))]))
]
That is, the @racket[memf] function determines the first element of
@racket[lov] whose value under @racket[f] is equal to @racket[r]'s value
under @racket[f]. If this element is intensionally equal to @racket[r],
the result of @racket[argmax] is correct.
This second refinement step introduces two problems. First, both conditions
recompute the values of @racket[f] for all elements of @racket[lov]. Second,
the contract is now quite difficult to read. Contracts should have a concise
formulation that a client can comprehend with a simple scan. Let us
eliminate the readability problem with two auxiliary functions that have
reasonably meaningful names:
@(define dominates1
@multiarg-element['tt]{@list{
@racket[f@r] is greater or equal to all @racket[(f v)] for @racket[v] in @racket[lov]}})
@(define first?1
@multiarg-element['tt]{
@list{@racket[r] is @racket[eq?] to the first element @racket[v] of @racket[lov]
for which @racket[(pred? v)]}})
@; ---------------------------------------------------------------------------------------------------
@racketmod[#:file @tt{version 3 rev. a}
racket
(define (argmax f lov) ...)
(provide
(contract-out
[argmax
(->i ([f (-> any/c real?)] [lov (and/c pair? list?)]) ()
(r (f lov)
(lambda (r)
(define f@r (f r))
(and (is-first-max? r f@r f lov)
(dominates-all f@r f lov)))))]))
@code:comment{where}
@code:comment{@#,dominates1}
(define (dominates-all f@r f lov)
(for/and ([v lov]) (>= f@r (f v))))
@code:comment{@#,first?1}
(define (is-first-max? r f@r f lov)
(eq? (first (memf (lambda (v) (= (f v) f@r)) lov)) r))
]
The names of the two predicates express their functionality and, in
principle, render it unnecessary to read their definitions.
This step leaves us with the problem of the newly introduced inefficiency.
To avoid the recomputation of @racket[(f v)] for all @racket[v] on
@racket[lov], we change the contract so that it computes these values and
reuses them as needed:
@(define dominates2
@multiarg-element['tt]{@list{
@racket[f@r] is greater or equal to all @racket[f@v] in @racket[flov]}})
@(define first?2
@multiarg-element['tt]{
@list{@racket[r] is @racket[(first x)] for the first
@racket[x] in @racket[lov+flov] s.t. @racket[(= (second x) f@r)]}})
@racketmod[#:file @tt{version 3 rev. b}
racket
(define (argmax f lov) ...)
(provide
(contract-out
[argmax
(->i ([f (-> any/c real?)] [lov (and/c pair? list?)]) ()
(r (f lov)
(lambda (r)
(define f@r (f r))
(define flov (map f lov))
(and (is-first-max? r f@r (map list lov flov))
(dominates-all f@r flov)))))]))
@code:comment{where}
@code:comment{@#,dominates2}
(define (dominates-all f@r flov)
(for/and ([f@v flov]) (>= f@r f@v)))
@code:comment{@#,first?2}
(define (is-first-max? r f@r lov+flov)
(define fst (first lov+flov))
(if (= (second fst) f@r)
(eq? (first fst) r)
(is-first-max? r f@r (rest lov+flov))))
]
Now the predicate on the result once again computes all values of @racket[f]
for elements of @racket[lov] once.
@margin-note{The word "eager" comes from the literature on the linguistics
of contracts.}
Version 3 may still be too eager when it comes to calling @racket[f]. While
Racket's @racket[argmax] always calls @racket[f] no matter how many items
@racket[lov] contains, let us imagine for illustrative purposes that our
own implementation first checks whether the list is a singleton. If so,
the first element would be the only element of @racket[lov] and in that
case there would be no need to compute @racket[(f r)].
@margin-note*{The @racket[argmax] of Racket implicitly argues that it not
only promises the first value that maximizes @racket[f] over @racket[lov]
but also that @racket[f] produces/produced a value for the result.}
As a matter of fact, since @racket[f] may diverge or raise an exception
for some inputs, @racket[argmax] should avoid calling @racket[f] when
possible.
The following contract demonstrates how a higher-order dependent contract
needs to be adjusted so as to avoid being over-eager:
@racketmod[#:file @tt{version 4}
racket
(define (argmax f lov)
(if (empty? (rest lov))
(first lov)
...))
(provide
(contract-out
[argmax
(->i ([f (-> any/c real?)] [lov (and/c pair? list?)]) ()
(r (f lov)
(lambda (r)
(cond
[(empty? (rest lov)) (eq? (first lov) r)]
[else
(define f@r (f r))
(define flov (map f lov))
(and (is-first-max? r f@r (map list lov flov))
(dominates-all f@r flov))]))))]))
@code:comment{where}
@code:comment{@#,dominates2}
(define (dominates-all f@r lov) ...)
@code:comment{@#,first?2}
(define (is-first-max? r f@r lov+flov) ...)
]
Note that such considerations don't apply to the world of first-order
contracts. Only a higher-order (or lazy) language forces the programmer to
express contracts with such precision.
The problem of diverging or exception-raising functions should alert the
reader to the even more general problem of functions with side-effects. If
the given function @racket[f] has visible effects -- say it logs its calls
to a file -- then the clients of @racket[argmax] will be able to observe
two sets of logs for each call to @racket[argmax]. To be precise, if the
list of values contains more than one element, the log will contain two
calls of @racket[f] per value on @racket[lov]. If @racket[f] is expensive
to compute, doubling the calls imposes a high cost.
To avoid this cost and to signal problems with overly eager contracts, a
contract system could record the i/o of contracted function arguments and
use these hashtables in the dependency specification. This is a topic of
on-going research in PLT. Stay tuned.
@;{one could randomly check some element here, instead of all of them and
thus ensure 'correctness' at 1/(length a) probability}
Reference in New Issue View Git Blame Copy Permalink