[POPLmark] Experience report with Twelf
Karl Crary
crary at cs.cmu.edu
Mon Aug 29 11:56:37 EDT 2005
Hi Stephanie and others,
I'm coming into this discussion late, but I wanted to make some remarks
about this:
Stephanie Weirich wrote:
>1) No polymorphism for logical operators
>
>
>
I really don't think this is a serious issue, at least once one gets
used to Twelf. The sort of equality-utilization lemma you refer to is
quite typical, and I don't find it troubling at all. With the help of
an emacs macro, I can define and prove those lemmas in just a few
seconds; not much more time than it would take to run a tactic. Of
course, that's only the first time; after that you have the lemma available.
The upcoming module system is supposed to eliminate the need for this,
but frankly, I find polymorphism to be such a non-issue that I'm not in
any special hurry for it.
>2) Constructive logic and logic programming
>
>
>
I'm fairly suspicious about this point. Classical logic really
shouldn't be helping you in any significant way, and if it is, I suspect
you're proving the wrong thing. In this case, I think that either your
operational semantics is mis-specified or your safety proof is
incomplete, depending on what viewpoint you want to take.
Type safety means that a well-typed program will execute successfully
until it terminates. This means that if the program has not terminated,
then a transitition exists and a machine can find it. Usually the
specification of the operational semantics makes it obvious that a
machine can find whatever transition that exists, so we focus
exclusively on the former. However, if the operational semantics
requires the machine to decide an undecidable problem, than that
language is *not* type safe.
So I claim that either your operational semantics should explicitly give
an algorithm for deciding subtyping, or you need to prove that subtyping
is decidable. Either way, classical logic won't be of any help.
(As an aside, I'm also suspicious of the semantic foundations of
classical Coq. The semantics of the Calculus of Constructions are
completely well understood. For Inductive Constructions they are a lot
less accessible, but I believe they are also well established. Of
Induction Constructions + excluded middle I know nothing -- but perhaps
someone will give me a reference.)
>3) HOAS, non-modularity and strengthening
>
>
>
I think Michael has already shown how to make this issue go away in your
proof, but I wanted to make a larger point. I believe that issue arose
at all only because you made the class table (which includes all the
code) a parameter to everything, thereby making exp subordinate to other
types that it shouldn't be subordinate to. A better design would be to
make the subtyping relation the general parameter, and then check that
the subtyping relation is compatible with the class table. If you did
that, you wouldn't have had the problematic subordination edge in the
first place.
That's not the point. The point is that a language design that seemed
perfectly reasonable on paper turned out to be subtly flawed once we
went to formalize the metatheory. This underlines something a point
I've made before: it's a mistake to take the paper design as written in
stone when we start formalization. If we do that, we can fail to
observe significant possibilities for improvement that we would have
discovered in the course of formalization.
>4) Bottom-up vs. top-down
>
>
>
The %trustme directive is implemented in the latest CVS version. That
should give you what you want.
-- Karl
More information about the Poplmark
mailing list