Torturing rustc by Emulating HKTs, Causing an Inductive Cycle and Borking the Compiler

Induction beyond natural numbers #

Okay that’s nice, but what does have that to do with whatever we are doing earlier?

Well okay, we need to generalize the concept of mathematical induction to work beyond natural numbers. How do we use induction in stuff that aren’t integers? Researching about this topic led me to structural induction, which could be related, so I’ll try talking about it here.

Structural induction is a way to prove some property holds for a structure like lists, strings, and structures. Just like normal induction, structural induction has a base case and an inductive step. We can emulate the creation of such structures by recursively defining them.

Natural numbers could be defined recursively as follows:

• Base case: $1 \in \N$
• Recursive step: if $k \in \N$ then $k + 1 \in \N$

Integers:

• Base case: $0 \in \Z$
• Recursive step: if $x \in \Z$ then $x + 1 \in \Z$ and $x - 1 \in \Z$

Since these structures are defined inductively, we could prove some properties about them via induction too.

Let’s use this example from a random pdf I found on the internet:

Let $S$ be a set where:

• Base case: $6 \in S$, and $15 \in S$
• Recursive step: if $x, y \in S$, then $x + y \in S$

Now, let’s say we want to prove the property that all the elements in the set $S$ is divisible by 3. How do we do that? By induction of course!

As is tradition, let’s consider the base case first.

Is 6 divisible by 3? Yeah. Is 15 divisible by 3? Yup. Do we need to elaborate on that? No? Thank god. I thought I have to prove 1 + 1 = 2 or something. Anyways.

Let’s consider the inductive step:

For all numbers $x$ and $y$, we assume that $3 | x$ and $3 | y$.^{† †} That’s notation for “3 divides x”. Personally I think it looks backwards. Because of that, we can represent $x = 3n$ for some integer $n$, and same for the other with $y = 3m$ for some integer $m$. Therefore, applying the recursive step gives us $x + y = 3n + 3m = 3(n + m)$. Wait, since $x + y$ takes the form $3p$ where $p = n + m$, then it must be that $3 | x + y$.

By the power of induction, we have proved that all the elements of set $S$ are divisible by 3.

…

Okay but what all of that have to do with anyth—

That moment when Curry and Howard did a joint yaoi slay and caused a motherquake measuring 9.9 on the cunter scale #

Why are we talking about proofs in the first place?

Well.

Haskell Curry^{† †} yes that haskell and that curry in FP parlance and William Alvin Howard realized something and that is there is a connection between mathematical proofs and computer programs. To be more specific, both of them are isomorphic to each other. In fact, there is a direct correspondence between logic terminologies and programming terminologies. See the table below, taken from Wikipedia:

Unfortunately, teaching about this in a detour section of an article about HKTs is kinda uhhhh. So I’ll let you watch this video first. Remember to come back!

You will.

The self-indulgent Lean 4 part of the article #

Oh you’re back?

Hell yeah.

So this part is me trying out Lean 4 for the first for the following reasons:

1. I want to have an excuse to try out Lean 4.
2. lol
3. Since Curry-Howard Isomorphism states that proofs == programs, I want to try rewriting the proof above as a program in Lean 4.
4. I tried writing the proof in Rust, but then I got bitten by the conflicting trait implementation error. Curse you Rust!

So let’s start!

First, we have to define the set $S$ in Lean. How do we do that? We make a type, using the inductive keyword:

inductive S where
  | six     : S
  | fifteen : S
  | step    : S → S → S

six and fifteen are our base cases. It is a type constructor that takes nothing and returns an S. step is our recursive step, where it is a constructor that takes two instances of S and return an S.

Surprisingly, there’s a rust analogue for this: the enum! You can rewrite this in rust as follows:

enum S {
  Six,
  Fifteen,
  Step(Box<S>, Box<S>),
}

Next step, we define a way to convert S to a natural number. We use natural numbers because uhhhhh I did the natural numbers game and that’s the only number set I know.

def toNat (s : S) : Nat := match s with
  | six           => 6
  | fifteen       => 15
  | step    s1 s2 => toNat s1 + toNat s2

(s : S) is our argument list and : Nat is the return part of the definition. It’s similar to this:

fn to_nat(s: S) -> u32 {
  match s {
    S::Six => 6,
    S::Fifteen => 15,
    S::Step(s1, s2) => to_nat(*s1) + to_nat(*s2),
  }
}

Then, we define a proposition. This is the part where theorem provers and programming languages diverge a bit. Well not really. But sorta kinda. What am I saying.

Propositions are types.

In Lean, you can define the “divisible by 3” proposition as so:

def Threeven (i : Nat) := ∃ k, i = 3 * k

Let’s translate this.

We define a new proposition Threeven which takes in a natural number i. We state that given a number i that is Threeven, there exists a number k (that’s what we mean by ∃ k) where i = 3 * k.

If we wanna prove that i is threeven, then we just need to provide a value for k such as k * 3 equals i.

That seems easy!

So let’s try proving the base cases using this.

We use the theorem keyword to, well, introduce a theorem.

theorem three_divides_six : Threeven 6 :=
  have h : 6 = 3 * 2 := by simp
  Exists.intro 2 h

Yes I blatantly copied this from learnxinyminutes.

We introduce a hypothesis h that 6 = 3 * 2, then we simplify it to 6 = 6, which is trivially true. This is the part where I’m not sure what is happening, but my intuition tells me that Exists.intro 2 h applies with k := 2 and h := i = 3 * k. Since they match up together when i := 6, then the goals have been solved and the program typechecks.

We repeat this for the other base case.

theorem three_divides_fifteen : Threeven 15 :=
  have h : 15 = 3 * 5 := by simp
  Exists.intro 5 h

Now this is the part where I got stuck. I didn’t know how to prove the recursive step of the theorem:

theorem three_divides_threeven_plus_threeven
  (a : Nat) (b : Nat)
  (ha : Threeven a) (hb : Threeven b) : Threeven (a + b) :=

Translating this, we say that:

1. The theorem three_divides_threeven_plus_threeven
2. accepts two natural numbers a and b,
3. and two hypotheses ha where a is threeven,
4. and hb where b is also threeven,
5. where we must prove that the sum of a and b is also a threeven.

I do have experience in the natural numbers game, but I don’t have experience in proving existentials.

So of course I asked rustaceans about this on Discord.

Thankfully, pitust and Sabrina was kind enough to help me with this.

First, I could’ve rewrote the above theorems as:

theorem three_divides_six : Threeven 6 := by exists 2
theorem three_divides_fifteen : Threeven 15 := by exists 5

Thank you tactics mode. Why didn’t I think of that.

Then, pitust gave the answer to three_divides_threeven_plus_threeven with this:

theorem three_divides_threeven_plus_threeven
  (a : Nat) (b : Nat)
  (ha : Threeven a) (hb : Threeven b) : Threeven (a + b) := by
    obtain ⟨a', ha⟩ := ha
    obtain ⟨b', hb⟩ := hb
    exists a' + b'
    rw [ha, hb, Nat.mul_add]

This is the first time I’ve seen obtain, so hopefully this explanation sounds good enough.

First, by entering tactics mode, we get a tactic state with a goal.

a b : Nat
ha : Threeven a
hb : Threeven b
⊢ Threeven (a + b)

Our goal is that given a and b as natural numbers and ha and hb being the hypotheses that the two numbers are threeven, then we must meet the goal that a + b is also threeven. (This tactic state appears when you put your text cursor after the word by)

After that, we use obtain, which is kinda like unpacking the Threeven a hypothesis into its parts. What are its parts, exactly?

Remember the definition: def Threeven (i : Nat) := ∃ k, i = 3 * k

The two parts here are the natural number k and the proposition i = 3 * k. So we split Threeven from k to a' and i = 3 * k to ha.

Our proof state now looks like:

a b : Nat
hb : Threeven b
a' : Nat
ha : a = 3 * a'
⊢ Threeven (a + b)

Let’s do the same for hb. Now we get:

a b a' : Nat
ha : a = 3 * a'
b' : Nat
hb : b = 3 * b'
⊢ Threeven (a + b)

Since the goal state of our theorem is an existential, we can use the exists to substitute k with anything we want. Here, we substitute a' + b' into the goal.

a b a' : Nat
ha : a = 3 * a'
b' : Nat
hb : b = 3 * b'
⊢ a + b = 3 * (a' + b')

Now it’s a matter of rewriting the goal. Yes that’s what rw stands for.

We can rewrite a to 3 * a' and b to 3 * 3b' with rw [ha, hb] to get this goal state

a b a' : Nat
ha : a = 3 * a'
b' : Nat
hb : b = 3 * b'
⊢ 3 * a' + 3 * b' = 3 * (a' + b')

Of course, the last step would be us expanding 3 * (a' + b') via the distributive property of numbers. This is spelled out as rw [Nat.mul_add]. Why is it called that? Because a * (b + c) has a * first then + next. mul_add. Yup. That’s creative naming.

After the last statement, we get:

a b a' : Nat
ha : a = 3 * a'
b' : Nat
hb : b = 3 * b'
⊢ 3 * a' + 3 * b' = 3 * a' + 3 * b'

Notice how both sides are the exact same. As such the goal is met and the theorem typechecks. Hell yeah!

Now here is the fun stuff. We can use these theorems to prove that the statement “all elements of $S$ are divisible by 3”.

Let’s define this theorem right now.

theorem S.is_threeven (s : S) : Threeven s.toNat :=

pitust helpfully tells me I could use that S.is_threeven for ease. I also redefined toNat to be defined on S. Anyways.

This theorem states that all elements of S are threeven. I’m not sure how that theorem implies that as spelled out, but apparently it is a feature of calculus of constructions. I’m not really sure what that means. pitust says:

if you have a function which maps a value of type S into a proof that something is true for that value, then by definition that thing is true for all values of that type

I don’t know what that means.

Anyways.

This is the part where the first part of this section is leading up to.

Induction.

We do proof by induction on s:

theorem S.is_threeven (s : S) : Threeven s.toNat := by
  induction s with

and then we pattern match on s.

theorem S.is_threeven (s : S) : Threeven s.toNat := by
  induction s with
  | six => apply three_divides_six
  | fifteen => apply three_divides_fifteen
  | step a b ha hb => ...

Both six and fifteen base cases are self-explanatory, we just proved them earlier. We just have to apply them here.

step is a bit cute. With induction, we not only pattern match on its variables, but also its propositions. What are these proposition you ask?

That a and b are threevens.

This is The Big Assumption. That we know is True. By Assumption.

Starting with this branch we get the state:

case step
a b : S
ha : Threeven a.toNat
hb : Threeven b.toNat
⊢ Threeven (a.step b).toNat

First we rewrite (a.step b).toNat with its definition via rw [S.toNat], giving us:

a b : S
ha : Threeven a.toNat
hb : Threeven b.toNat
⊢ Threeven (a.toNat + b.toNat)

Wow, that awfully looks like our three_divides_threeven_plus_threeven theorem. Let’s apply it.

  | step a b ha hb =>
    rw [S.toNat]
    apply three_divides_threeven_plus_threeven

Gives us:

case step.ha
a b : S
ha : Threeven a.toNat
hb : Threeven b.toNat
⊢ Threeven a.toNat

case step.hb
a b : S
ha : Threeven a.toNat
hb : Threeven b.toNat
⊢ Threeven b.toNat

What the hell?

At first, I found this confusing, but thankfully Sabrina explained this to me:

apply matches up the type of the result of the proposition with the goal, and then looks at what hypotheses you need to prove to get there it creates new goals for each of those hypotheses

So since the goal matches with the result of the sum of threevens theorem, then it’s up to us to prove the hypotheses we defined instead of the result itself. That’s nice. Because our hypotheses is much simpler that our original goal, we can exploit those instead.

We got two cases: step.ha and step.hb. What do you know, the goal is the exact same as ha. Let’s use exact ha. And same for exact hb.

The final theorem:

theorem S.is_threeven (s : S) : Threeven s.toNat := by
  induction s with
  | six => apply three_divides_six
  | fifteen => apply three_divides_fifteen
  | step a b ha hb =>
    rw [S.toNat]
    apply three_divides_threeven_plus_threeven
    · exact ha
    · exact hb

Nice! I don’t know what the dot is for.

Here’s the full program if you are wondering.

inductive S where
  | six     : S
  | fifteen : S
  | step    : S → S → S

def S.toNat (s : S) : Nat := match s with
  | six           => 6
  | fifteen       => 15
  | step    s1 s2 => toNat s1 + toNat s2

def Threeven (i : Nat) := ∃ k, i = 3 * k

theorem three_divides_six : Threeven 6 := by exists 2

theorem three_divides_fifteen : Threeven 15 := by exists 5

theorem three_divides_threeven_plus_threeven
  (a : Nat) (b : Nat)
  (ha : Threeven a) (hb : Threeven b) : Threeven (a + b) := by
    obtain ⟨a', ha⟩ := ha
    obtain ⟨b', hb⟩ := hb
    exists a' + b'
    rw [ha, hb, Nat.mul_add]

theorem S.is_threeven (s : S) : Threeven s.toNat := by
  induction s with
  | six => apply three_divides_six
  | fifteen => apply three_divides_fifteen
  | step a b ha hb =>
    rw [S.toNat]
    apply three_divides_threeven_plus_threeven
    · exact ha
    · exact hb

This proof is mathematically sound and valid and correct or whatever because the Lean compiler stopped yelling at me for “incomplete goals”. So uh.

QED.

Here’s the part where we return to that Discord convo and explain what inductive cycles are #

It is important to note that the default Rust trait solving is inductive. According to this page, proving something is true by induction must happen without any cycles.

So to inductively prove a goal there should be a finite proof tree.

For example, for the bound Vec<Vec<Vec<Vec<i32>>>>: Debug to hold, the tree would look like as follows:

• Vec<Vec<Vec<Vec<i32>>>>: Debug is provable
  • Vec<Vec<Vec<i32>>>: Debug is provable
    • Vec<Vec<i32>>: Debug is provable
      • Vec<i32>: Debug is provable
        • i32: Debug is provable (which it is, we have an impl for that)

Let’s check if Vec<SomeRandomStruct>: Debug holds, assuming SomeRandomStruct doesn’t implement any trait.

• Vec<SomeRandomStruct>: Debug is provable
  • SomeRandomStruct: Debug is provable (which it isn’t)

The trait resolver can return a success or an error depending on the outcome of proving a bound holds.

However, let’s give an example of a recursive type.

struct List<T> {
    value: T,
    next: Option<Box<List<T>>>,
}

To prove that List<T>: Send, we need to construct a proof tree first, checking each part:

• List<T>: Send is provable
  • T: Send is provable
  • Option<Box<List<T>>>: Send is provable
    • Box<List<T>>: Send is provable
      • List<T>: Send is prova—wait huh

Wait. This tree is infinitely large. It’s not well-founded.

We can have a proof tree that is theoretically infinite.

To note, recursive does not mean infinite. Sometimes recursive things eventually end if there’s a base case.

So this isn’t reliant on induction. This requires something else.

And that’s

To coinductively prove a goal the provided proof tree may be infinite.

So since infinite proof trees are fine, then it is sufficient for coinductive traits as long as there is a cycle and there are no other requirements needed.

Given List<i32>, we have the proof tree as follows:

• List<i32>: Send is provable
  • i32: Send is provable (yes, i32 is Send)
  • Option<Box<List<i32>>>: Send is provable
    • Box<List<i32>>: Send is provable
      • List<i32>: Send is provable (uh, that’s a cycle)

Since the two terminal branches here are i32: Send and List<i32>: Send, then we can say that List<i32> is Send as Send is a coinductive trait.

According to the rustc-dev guide, only auto-traits, Sized, and WF-goals^{† †} Not sure what this means. Does it mean “well-formed”? are coinductive.

What about other traits?

Well.

The Coinductive Disaster #

Let’s return to the actual original context.

After a little bit of time, I made the MRE even more minimal:

use std::marker::PhantomData;

trait Wrap {
    type Wrapper<T>;
}

#[derive(Debug, PartialEq)]
struct Noop;

impl Wrap for Noop {
    type Wrapper<T> = T;
}

#[derive(Debug, PartialEq)]
struct Foo<W: Wrap>(PhantomData<W::Wrapper<Foo<W>>>);

fn main() {
    let (x, y) = (Foo::<Noop>(PhantomData), Foo::<Noop>(PhantomData));
    dbg!(x == y);
}

So here’s the thing. Expanding the derives, cleaning up, and ignoring Debug we get:

impl PartialEq for Noop {
    fn eq(&self, other: &Noop) -> bool { true }
}

impl<W: PartialEq + Wrap> PartialEq for Foo<W>
where
    W::Wrapper<Foo<W>>: PartialEq
{
    fn eq(&self, other: &Foo<W>) -> bool { self.0 == other.0 }
}

Let’s check if Foo<Noop>: PartialEq holds:

• Foo<Noop>: PartialEq is provable
  • PhantomData<Noop::Wrapper<Foo<Noop>>>: PartialEq is provable
    • Noop::Wrapper<Foo<Noop>>: PartialEq is provable
      • Foo<Noop>: PartialEq is provable (uh, oh. A cycle!)

And since PartialEq is not a coinductive trait, then we cannot use this proof tree to declare that Foo<Noop>: PartialEq holds. We just cannot

Do they plan to support this?

Well I mean yeah. In the next generation solver.

It’s just that there are bugs.

After some trial and error, Helix found an ICE using the next-solver. Using the options -Copt-level=0 -Znext-solver=globally on rustc (godbolt link):

use std::marker::PhantomData;

pub trait Wrap {
    type Wrapper<T: PartialEq>: PartialEq;
}

#[derive(Debug, PartialEq)]
pub struct Noop;

impl Wrap for Noop {
    type Wrapper<T: PartialEq> = T;
}

#[derive(Debug, PartialEq)]
pub struct Foo<W: Wrap + PartialEq>(PhantomData<W::Wrapper<Foo<W>>>);

fn foo<W: Wrap + PartialEq>(x: &Foo<W>) {
    let _ = x == x;
}

pub fn main(x: &Foo<Noop>) {
    foo::<Noop>(x);
}

We get:

error: internal compiler error: /rustc-dev/b41f22de2a13a0babd28771e96feef4c309f54aa/compiler/rustc_middle/src/ty/instance.rs:569:21: failed to resolve instance for <&Foo<Noop> as PartialEq>::eq
  --> <source>:18:13
   |
18 |     let _ = x == x;
   |             ^^^^^^


thread 'rustc' (3) panicked at /rustc-dev/b41f22de2a13a0babd28771e96feef4c309f54aa/compiler/rustc_middle/src/ty/instance.rs:569:21:
Box<dyn Any>
stack backtrace:
   0:     0x77442855c54b - <<std[f377252fd1978e75]::sys::backtrace::BacktraceLock>::print::DisplayBacktrace as core[40ef8ddb62afa269]::fmt::Display>::fmt
   1:     0x774428c1f288 - core[40ef8ddb62afa269]::fmt::write
   2:     0x774428573556 - <std[f377252fd1978e75]::sys::stdio::unix::Stderr as std[f377252fd1978e75]::io::Write>::write_fmt
   ...

Okay I’m not gonna copy paste all of that.

But that’s crazy. I was that close to borking the compiler.

Anyways.

Helix did add a reply on his original issue, so all is well in the end.

I mean.

I still can’t use HKTs tho.

…

Goodbye Wrap trait. I will miss you!

This gave me hope though:

However, we’re currently also working on strenghening/formalizing our cycle semantics, and my current expectation is that the instantiated impl should soundly hold:

impl Trait for Thing<Identity> where Thing<Identity>: Trait {}