RFC: Unicode strings and characters

[robin-aws]

Resolves #12. Resolves dafny-lang/dafny#413.

Tagging those I suspect will be interested: @dafny-lang/dafny-core @mschlaipfer @txiang61 @seanmcl @indolering @alex-chew @seebees

Revision 2: Besides general clarification, I decided to drop support for the old \uXXXX UTF-16 code unit escape sequence with /unicodeChar:1, as keeping the support was creating confusion even though it was technically possible.

[RustanLeino]

Great! Let's do it!

Also, the write-up is especially nice.

I suggest an explicit mention, somewhere, that the design omits any "byte access" into string. This is on purpose, because we want to encourage Dafny users to work at the higher level of seq<char>, not dealing with the underlying representation. In places where the bytes are of importance, it is possible to write a string-to-byte-sequence function in Dafny.

[RustanLeino]

This line ought to give an error with /unicodeChar:1, since \ud83d is not a legal character.

[robin-aws]

Turns out I'm on board with that after all. :)

[RustanLeino]

Is the "up to" just for char literals? If it were to apply also to string, then does "\ua0" mean the 1-character string containing the ASCII character 160, or does it mean the 2-character string containing the ASCII characters 16 and 48?

Oh, are the curly braces required?

[robin-aws]

"\ua0" is currently not legal, and would remain not legal, because uXXXX escapes require exactly 4 characters, to avoid this exact ambiguity.

"\u{a0}" would mean the 1-char string containing the ASCII character 160.

(And as I type this I am leaning closer to making it "\U{a0}" instead :) )

[RustanLeino]

I propose we forbid this under /unicodeChar:1. After all, neither \ud83d nor \ude0e falls into the numeric ranges of the new char.

[robin-aws]

I didn't see a reason to reject valid string literals using the existing escape pattern, personally. I can make this clearer in the proposal, but we can keep both forms with these semantics:

1. \uXXXX - UTF-16 code unit, incorrect use of surrogates rejected by the parser.
2. \u{X}...\u{XXXXXX} - Unicode scalar value, surrogate range values rejected by the parser.

There is precedent for supporting both, as Go allows both \uXXXX and \UXXXXXXXX. I liked the variable-length syntax of \u{X..X} (also used by Swift) better personally, as exactly requiring exactly eight digits just means the first two will always be 00 :)

I'm open to using U for the second form if it helps reduce confusion though.

[robin-aws]

Note we should avoid any implication that a single escape sequence produces a single "character", since neither form can produce 🇨🇦 that way. We will only know that a single u{X..X} sequence will produce a single char (and that's not ultimately that meaningful anyway).

[robin-aws]

Revision 2 now says we only have \U{XXXXXX} with /unicodeChar:1

[robin-aws]

Also I realized that in Go \uXXXX still specifies Unicode code points rather than UTF-16 code units, that is, it rejects surrogate code points (and hence dafny-lang/dafny#1980 :)

[RustanLeino]

Yes!

[RustanLeino]

Use half-open intervals.

[robin-aws]

The only reason I used closed intervals throughout is because that's what the Unicode standard itself does. It's always irked me, but as a result the constant 0xDFFF tends to be much more well-known than 0xE000.

I will absolutely use half-open intervals here as it will probably verify more efficiently, and I'm happy to change the proposal accordingly if it would help readability.

[robin-aws]

Ended up going with half-open intervals for consistency.

[RustanLeino]

Continue using half-open intervals: [0xD800, 0xE000).

[RustanLeino]

Use half-open intervals, here and throughout: [0, 0x11_0000).

[RustanLeino]

We should document and officially support the way to get to these conversion routines from Dafny. More precisely, we should give the :extern declarations one needs to write in the Dafny source to get to these routines. For C#, that may be:

type {:extern} NativeString
function {:extern "Dafny.ConvertStringToNative"} StringToNative(s: string): NativeString
function {:extern "Dafny.ConvertNativeToString"} NativeToString(s': NativeString): string

[cpitclaudel]

These functions are not total: not all C# or Javascript strings will be representable in /unicodeChar:1.

[robin-aws]

I would specifically recommend against having any NativeString type, because it won't behave consistently across runtimes. I'm recommending instead having these adaptors defined in each runtime independently, so they can either trust the underlying native string semantics or check for and reject invalid values as appropriate. I'll expand the detail on those adaptors and make this clearer.

[cpitclaudel]

Great work. Some high-level comments / worries

I would like to see more details about the following:

• Interop: since the new string type won't be able to represent all UTF-16 code unit sequences, it would be nice to think ahead of how we will deal with ill-formed input (I'm especially thinking of Javascript strings coming from user inputs on a webpage, or windows file system paths). In particular, Rustan's proposed native string conversion functions are partial. Will we have them return Result values?
• String literals. Are we going to keep using the current UTF-16 based model? The \u codes in Dafny assume UTF-16 AFAICT.
• Conversions to/from sequences. I'm not sure it's the best to keep string as a seq<char>. In particular, it prevents us from defining member functions on the type string. We could support the as operator for casting to a seq<char> cheaply.
• I'm not sure caching decoding to UTF-32 is efficient. We could simply cache a few (string, index) → offset pairs… even possibly as a global map (not attached to every string object).

[cpitclaudel]

I think it would be worth trying to align this document's terminology with the standard Unicode terms. IIRC Unicode string refers to a sequence of code units (ie after encoding), so the first part is valid (it's not a valid unicode string), but the second part is unclear ("has no valid encoding")

[robin-aws]

You're right, and unfortunately I can't find any standard terminology for the abstract "sequence of scalar values" concept that is ultimately what I want string to represent.

[cpitclaudel]

But C# and Javascript don't use UTF-16, since they don't enforce well-formedness.

[robin-aws]

Fine :) Qualified a bit here but will address this more concretely in the Runtime section.

[cpitclaudel]

Up to this point the document hasn't addressed the representation of string literals, so I'm having trouble parsing the example. What does this string represent with unicodeChar:1?

[robin-aws]

I pulled a fair bit of content specifically on string literals to the early parts of this section, hopefully it helps!

[robin-aws]

Hopefully not supporting \uXXXX with \unicodeChar:1 any longer helps clear this up.

[cpitclaudel]

These functions are not total: not all C# or Javascript strings will be representable in /unicodeChar:1.

[cpitclaudel]

How do the rune-based API behave when given an int outside of the range of valid scalar values?

[cpitclaudel]

What is a binary value?

[cpitclaudel]

I don't understand this part:

operates on bytes as character

[cpitclaudel]

This seems overly optimistic to me WRT string literals, but I'm not sure how we plan to handle them. At the moment they are sequences of characters mixed with UTF16 code units (possibly ill-formed), right? It would be good to specify what happens to them in /unicodeChar:1

[robin-aws]

I think this is moot now but let me know otherwise.

[cpitclaudel]

There will be code that we won't be able to port (code using string literals with unpaired surrogates), but that's fine

[robin-aws]

Yup, the worst case scenario will be code using string to carry such data, which the conversion utility (or verification with /unicodeChar:1) will reject, and the code will have to be rewritten to use seq<uint16> instead. I'm definitely okay with that, especially as I think it's much more likely such code will be unaware of the issue with unpaired surrogates rather than intentionally using the current definition of string to allow them.

[cpitclaudel]

Automatically converting old-style \u strings to new-style \u{} strings would be useful :)

[robin-aws]

That's a fair point, and although I've clarified I don't intend to drop \u (just reject invalid sequences of them), even so that conversion utility would be very easy to implement.

[robin-aws]

Now that I'm dropping \u I agree and will definitely provide a conversion utility.

[cpitclaudel]

Can we discuss how easy it will be for external code to wrap a native string type to give it Dafny's string API? It would be nice if one could implement ISequence<char> using C# strings (plus some sanity checks), to save on conversions.

[robin-aws]

I'm going to rewrite the Compilation/Runtime section to be more clear about this (as I intended that to address exactly this point, but I don't think it's clear enough yet)

[robin-aws]

I THINK this should have enough detail but let me know otherwise.

[cpitclaudel]

As one last high-level comment: The debate on whether string should be seq<char> or its own type would be moot if seq<char> was a trait instead of a type. Then string could be a separate type that implements seq<char>. I wonder how easy that change would be with @RustanLeino's new type system (part of the issue is knowing how to deal with empty sequences).

[keyboardDrummer]

The section describes downsides of having a standalone string type, but what are the upsides?

I think one aspect to consider is managing expectations. If you have type string = seq<char>, then what performance expectations will the user have of accessing individual characters of that string, and do those align with what we're providing?

With a custom string type, you can define a fresh performance contract, such as that accessing a specific character may be linear time. With that, you would be free to encode the Dafny type nativestring using native strings. I don't think that's the right thing to do, but it seems like a benefit of this approach that isn't mentioned. Or you could have a type nativestring that doesn't have an API for accessing individual characters, that way users that are processing strings but only in a simple fashion, can keep using native strings instead of the memory heavy, have to be converted when using external code, Dafny strings.

[cpitclaudel]

Expanding on the comment about Windows path and Javascript strings:

• Scheme has had a notion of OS strings for a while: https://www.s48.org/1.8/manual/manual-Z-H-6.html#node_sec_5.15 . Its internals on Windows are essentially WTF-8.

• [Here]'s the rust thread that leads to the introduction of OS strings there.

This is relevant to the discussion of adding arguments to main, too: we'll have to consider whether main takes strings or OS strings.

[davidcok]

What has been fixed? The Coco/R parser?

[robin-aws]

This section is intended to describe the desired end state for Dafny users, so it's describing a future state. :)

I'm saying I can see where the issue is (specifically in our copy of Scanner.frame, which is creating a Buffer when it should be creating a UTF8Buffer) so I'm proposing we fix that.

[robin-aws]

FYI this part has been actually fixed now: dafny-lang/dafny#2717 :)

[cpitclaudel]

This is better but still ambiguous. Maybe it's enough to say that strings literals are as in Dafny 3, except for the fact that unpaired surrogates are disallowed?

[robin-aws]

That's only true w.r.t. what literals are permitted in source text though (with the added \U{X..X} escape sequence), not how they are represented at runtime. I do want to say that, unlike in Dafny 3, users shouldn't assume a string literal becomes a sequence where every ASCII character or \u escape sequence literally becomes an individual element of that sequence. I want to call out that if you compile your program to Go, for example, your literal will likely become a Go string value wrapped as a Dafny.Sequence<rune>.

[robin-aws]

Again I'm hoping that dropping support for \u makes this clearer.

[keyboardDrummer]

Could you specify in more details what the limitations of a NativeString type would be?

I imagine it would be a subset of a collection type with linear time access, like

type NativeString = x: LinkedListTrait<char> | ValidInAllRuntimes(x)

The LinkedList would warn users against doing random access on individual characters, since that may take linear time depending on the runtime.

There would be some native methods on NativeString like Concat(right: NativeString): NativeString (linear in total length) and Take(n: nat): NativeString (linear in n). Something like SubString(start: nat, length: nat) might not exist because that would be linear not just in length but also in start, which is surprising.