Inductive types and pattern matching
In this chapter, you’ll learn how to define new types in F*. These types are called inductive types, or, more informally, datatypes. We’ll also learn how to define functions over these inductive types by pattern matching and to prove properties about them.
Note
We’ll only cover the most basic forms of inductive types here. In particular, the types we show here will not make use of indexing or any other form of dependent types—we’ll leave that for a later chapter.
Enumerations
We’ve seen that unit is the type with just one element () and
that bool is the type with two elements, true and false.
You can define your own types with an enumeration of elements, like so.
type three =
  | One_of_three : three
  | Two_of_three : three
  | Three_of_three : three
This introduces a new type three : Type, and three distinct
constants One_of_three : three, Two_of_three : three,
Three_of_three : three. These constants are also called
“constructors” or “data constructors”. The name of a constructor must
begin with an uppercase letter.
Note
In this case, it may seem redundant to have to write the type of
each constructor repeatedly—of course they’re all just constructors
of the type three. In this case, F* will allow you to just
write
type three =
  | One_of_three
  | Two_of_three
  | Three_of_three
As we start to use indexed types, each constructor can build a different instance of the defined type, so it will be important to have a way to specify the result type of each constructor. For uniformity, throughout this book, we’ll always annotate the types of constructors, even when not strictly necessary.
F* can prove that they are distinct and that these are the only terms
of type three.
let distinct = assert (One_of_three <> Two_of_three /\
                       Two_of_three <> Three_of_three /\
                       Three_of_three <> One_of_three)
let exhaustive (x:three) = assert (x = One_of_three \/
                                   x = Two_of_three \/
                                   x = Three_of_three)
To write functions that can analyze these new types, one uses the
match construct. The syntax of match in F* is very similar to
OCaml or F#. We’ll assume that you’re familiar with its basics. As we
go, we’ll learn about more advanced ways to use match.
Here are some examples.
let is_one (x:three)
  : bool
  = match x with
    | One_of_three -> true
    | _ -> false
let is_two (x:three)
  : bool
  = match x with
    | Two_of_three -> true
    | _ -> false
let is_three (x:three)
  : bool
  = match x with
    | Three_of_three -> true
    | _ -> false
Discriminators
These functions test whether x : three matches a given
constructor, returning a bool in each case. Since it’s so common
to write functions that test whether a value of an inductive type
matches one of its constructors, F* automatically generates these
functions for you. For example, instead of writing
let three_as_int (x:three)
  : int
  = if is_one x then 1
    else if is_two x then 2
    else 3
One can write:
let three_as_int' (x:three)
  : int
  = if One_of_three? x then 1
    else if Two_of_three? x then 2
    else 3
In other words, for every constructor T of an inductive type
t, F* generates a function named T? (called a “discriminator”)
which tests if a v:t matches T.
Exhaustiveness
Of course, an even more direct way of writing three_as_int is
let three_as_int'' (x:three)
  : int
  = match x with
    | One_of_three -> 1
    | Two_of_three -> 2
    | Three_of_three -> 3
Every time you use a match, F* will make sure to prove that you
are handling all possible cases. Try omitting one of the cases in
three_as_int above and see what happens.
Exhaustiveness checking in F* is a semantic check and can use the SMT solver to prove that all cases are handled appropriately. For example, you can write this:
let only_two_as_int (x:three { not (Three_of_three? x) })
  : int
  = match x with
    | One_of_three -> 1
    | Two_of_three -> 2
The refinement on the argument allows F* to prove that the
Three_of_three case in the pattern is not required, since that
branch would be unreachable anyway.
Tuples
The next step from enumerations is to define composite types, e.g., types that are made from pairs, triples, quadruples, etc. of other types. Here’s how
type tup2 (a:Type)  (b:Type) =
  | Tup2 : fst:a -> snd:b -> tup2 a b
type tup3 a b c =
  | Tup3 : fst:a -> snd:b -> thd:c -> tup3 a b c
The type definition for tup2 a b states that for any types a :
Type and b : Type, Tup2 : a -> b -> tup2 a b. That is,
Tup2 is a constructor of tup2, such that given x:a and
y:b, Tup2 x y : tup2 a b.
The other types tup3 and tup4 are similar—the type
annotations on the bound variables can be inferred.
These are inductive types with just one case—so the discriminators
Tup2?, Tup3?, and Tup4? aren’t particularly useful. But,
we need a way to extract, or project, the components of a tuple. You
can do that with a match.
let tup2_fst #a #b (x:tup2 a b)
  : a
  = match x with
    | Tup2 fst _ -> fst
let tup2_snd #a #b (x:tup2 a b)
  : b
  = match x with
    | Tup2 _ snd -> snd
let tup3_fst #a #b #c (x:tup3 a b c)
  : a
  = match x with
    | Tup3 fst _ _ -> fst
let tup3_snd #a #b #c (x:tup3 a b c)
  : b
  = match x with
    | Tup3 _ snd _ -> snd
let tup3_third #a #b #c (x:tup3 a b c)
  : c
  = match x with
    | Tup3 _ _ thd -> thd
Projectors
These projectors are common enough that F* auto-generates them for
you. In particular, for any data constructor T of type
x1:t1 -> ... -> xn:tn -> t, F* auto-generates the following function:
T?.xi : y:t{T? y} -> ti
That is, T?.xi is a function which when applied to a y:t in
case T? y, returns the xi component of T x1 ... xn.
In the case of our tup2 and tup3 types, we have
Tup2?.fst,Tup2?.snd
Tup3?.fst,Tup3?.snd,Tup3?.thd
Syntax for tuples
Since tuples are so common, the module FStar.Pervasives.Native.fst
defines tuple types up to arity 14. So, you shouldn’t have to define
tup2 and tup3 etc. by yourself.
The tuple types in FStar.Pervasives.Native come with syntactic
sugar.
- You can write - a & binstead of the- tup2 a b;- a & b & cinstead of- tup3 a b c; and so on, up to arity 14.
- You can write - x, yinstead of- Tup2 x y;- x, y, zinstead of- Tup3 x y z; an so on, up to arity 14.
- You can write - x._1,- x._2,- x._3, etc. to project the field- iof a tuple whose arity is at least- i.
That said, if you’re using tuples beyond arity 4 or 5, it’s probably a good idea to define a record, as we’ll see next—since it can be hard to remember what the components of a large tuple represent.
Records
A record is just a tuple with user-chosen names for its fields and with special syntax for constructing them and projecting their fields. Here’s an example.
type point3D = { x:int; y:int; z:int}
let origin = { y=0; x=0; z=0 }
let dot (p0 p1:point3D) = p0.x * p1.x + p0.y * p1.y + p0.z * p1.z
let translate_X (p:point3D) (shift:int) = { p with x = p.x + shift}
let is_origin (x:point3D) =
  match x with
  | {z=0;y=0;x=0} -> true
  | _ -> false
- A record type is defined using curly braces - {}. See- type point3D
- A record value is also constructed using curly braces, with an assignment for each field of the record. The fields need not be given in order. See - origin.
- To access the fields of a record, you can use the dot notation - p.x; See- dot, which computes a dot product using dot notation.
- Records also support the - withnotation to construct a new record whose fields are the same as the old record, except for those fields mentioned after the- with. That is,- translate_X p shiftreturns- { x = p.x + shift; y = p.y; z = p.z}.
- Records can also be used to pattern match a value. For example, in - is_origin, we match the fields of the record (in any order) against some patterns.
Options
Another common type from F*’s standard library is the option type,
which is useful to represent a possibly missing value.
Consider implementing a function to divide x / y, for two integers
x and y. This function cannot be defined when y is zero,
but it can be defined partially, by excluding the case where y =
0, as shown below. (Of course, one can also refine the domain of the
function to forbid y = 0, but we’re just trying to illustrate the
option type here.)
let try_divide (x y:int)
  : option int
  = if y = 0 then None else Some (x / y)
let divide (x:int) (y:int{y<>0}) = x / y
Like most other functional languages, F* does not have a null
value. Whenever a value may possibly be null, one typically uses
the option type, using None to signify null and Some v for
the non-null case.
Unions, or the either type
FStar.Pervasives also defines the either type, shown below.
type either a b =
  | Inl : v: a -> either a b
  | Inr : v: b -> either a b
The type either a b represents a value that could either be Inl
v with v:a, or Inr v with v:b. That is, either a b
is a tagged union of the a and b. It’s easy to write functions
to analyze the tag Inl (meaning it’s “in the left case”) or
Inr (“in the right case”) and compute with the underlying
values. Here’s an example:
let same_case #a #b #c #d (x:either a b) (y:either c d)
  : bool
  = match x, y with
    | Inl _, Inl _
    | Inr _, Inr _ -> true
    | _ -> false
let sum (x:either bool int) (y:either bool int{same_case x y})
  : z:either bool int{ Inl? z <==> Inl? x}
  = match x, y with
    | Inl xl, Inl yl -> Inl (xl || yl)
    | Inr xr, Inr yr -> Inr (xr + yr)
The same_case x y function decides if the two unions are both
simultaneously in the left or right case.
Then, in sum x y, with a refinement that x and y are in
the same case, we can handle just two cases (when they are both in
left, or both in right) and F* can prove that the case analysis is
exhaustive. In the left case, the underlying values are boolean, so we
combine them with ||; in the right case, the underlying values are
integers, so we combine them with +; and return them with the
appropriate tag. The type of the result z:either bool int{ Inl? z <==>
Inl? x} shows that the result has the same case as x (and hence
also y). We could have written the result type as z:either bool
int { same_case z x }.
Lists
All the types we’ve seen so far have been inductive only in a degenerate sense—the constructors do not refer to the types they construct. Now, for our first truly inductive type, a list.
Here’s the definition of list from Prims:
type list a =
  | Nil  : list a
  | Cons : hd:a -> tl:list a -> list a
The list type is available implicitly in all F* programs and we
have special (but standard) syntax for the list constructors:
- []is- Nil
- [v1; ...; vn]is- Cons v1 ... (Cons vn Nil)
- hd :: tlis- Cons hd tl.
You can always just write out the constructors like Nil and Cons
explicitly, if you find that useful (e.g., to partially apply Cons
hd : list a -> list a).
Length of a list
Let’s write some simple functions on lists, starting with computing the length of a list.
let rec length #a (l:list a)
  : nat
  = match l with
    | [] -> 0
    | _ :: tl -> 1 + length tl
The length function is recursive and implicitly polymorphic in a
type a. For any list l : list a, length l returns a
nat. The definition pattern matches on the list and calls
length recursively on the tail of list, until the [] case is
reached.
Exercises
Click here for the exercise file.
Here’s the definition of append, a function that concatenates two
lists. Can you give it a type that proves it always returns a list
whose length is the sum of the lengths of its arguments?
let rec append l1 l2
  = match l1 with
    | [] -> l2
    | hd :: tl -> hd :: append tl l2
Answer
val append (#a:Type) (l1 l2:list a)
  : l:list a { length l = length l1 + length l2 }