From: Andrej Bauer <Andrej.Bauer@fmf.uni-lj.si>
To: caml-list@inria.fr
Cc: Arnaud Spiwack <aspiwack@lix.polytechnique.fr>
Subject: Re: [Caml-list] Unsoundness is essential
Date: Thu, 04 Oct 2007 17:04:25 +0200 [thread overview]
Message-ID: <470500F9.1080301@fmf.uni-lj.si> (raw)
In-Reply-To: <4704AAA8.9080602@lix.polytechnique.fr>
I too have a compulsive obsession to talk about logic, so here is my
contribution.
Logic is about details. It is only to be expected that in a willy-waving
competition on a mailing list like ours everyone will get something
wrong about such a tricky thing as Goedel's theorems (me included). For
example:
Christophe Raffalli:
> - first if a type system does not contain arithmetic nothing can be said
> (this implies ML), but in this case, the meaning of complete needs to be clarified.
> Indeed, there are complete type system ...
In logic complete usually means: for every sentence A the system proves
A or it proves not A. This has nothing to do with being able to
interpret arithmetic. We can define completeness without reference to
arithmetic.
(Presumably, a type system is complete if for every (closed) type A,
A is inhabited or A -> void is inhabited. At least this would be the
reading of completeness under propositions-as-types.)
Christophe Raffalli:
> - The 1st incompleteness theorem states that no theory containing
> arithmetic is complete.
No _sound_ theory interpreting arithmetic is complete.
Arnaud Spiwack wrote:
> Anyway, back to Mr. Gödel and his theorem. What he stated indeed is that
> truth and provability never coincide (provided we're talking of
> something at least as expressive as arithmetic).
Goedel's theorems say nothing directly about truth. This is a common
misconception.
Skaller started the discussion with a rerefence to Geodel, which he did
not attempt to use in a technically correct way. I think it would be
beneficial for this discussion to move away from explicit references to
Goedel.
We seem to be talking about two things:
a) Expressiveness of a type system vs. decidability of type-checking.
The main point is that the more expressive the type system the harder it
is to check types.
b) Safety guarantees for well-typed programs
A typical safety guarantee is expressed with the Preservation Lemma
("Types are preserved during evaluation") and Progress Lemma ("A typed
program is either a value or has a next evaluation step"). Together
these two imply, e.g., that there won't be a segmentation fault.
I think to some extent (b) is what skaller calls "soundness".
If I read skaller correctly, he made three points (please correct me if
not):
1) The safety properties of well-typed programs in C are none,
but Ocaml is not much better either, since it just pretends that
exceptions are safe. Therefore, to at least some degree the slogan "the
Ocaml type system guarantees safety" is not entirely and honestly true.
2) Morally inferior languages such as C and Python are popular because
people are not willing to write programs with their hands tied to their
backs by a typing system.
3) Skaller would rather have poor safety guarantees than an inexpressive
type system that ties his hands.
Goedel is dragged in only because his theorems tell us that the perfect
world does not exist, i.e., we cannot have decidable type checking of a
very expressive type system which also has sane safety properties.
Leaving Goedel aside for a moment, we can ask what a good practical
combination of expressiveness and safety would be. We have to give up at
least one of the three desired properties (expressiveness, decidability
of type checking, safety). Various languages make various choices, as
was already mentioned in this thread. Let me just say that the choice
made by C, i.e., to give up both expressiveness and safety in return for
easy type-checking is not as crazy as it may sound (imagine it's 1970,
your computer has 4kb of memory, everybody around you thinks of types as
hints to compilers about how many bytes of storage a variable will take,
and Martin-Lof is just an obscure Scandinavian mathematician and/or
philosopher that real programmers never heard of).
It seems to me that the evolution of theory-backed languages such as ML
and Haskell is reaching a point where people are willing to give up
decidability of type-checking (Haskell has done it). Skaller seems to
think that the only option is to give up safety, as well, with which I
disagree. We need _controlled_ unsafety.
My position is this:
i) Insist on good safety properties. If a program compiles without any
"ifs" and "buts", then it is safe (whatever that means). It the compiler
thinks the program might be unsafe it should try to compile anyhow, and
tell us why precisely it thinks it might be unsafe.
ii) Give programmers very expressive type systems so that they can write
things like
div : int * {x : int | not (x = 0)} -> int
and much more.
iii) Of course, by combining i) and ii) we must then give up
decidability of type-checking. We can compensate for that loss by
_making compilers more interactive_. The current model, where a compiler
either succeeds on its own or fails completely, is not going to take us
much further. People from the automated theorem proving community learnt
a while ago that the interaction between the human and the computer is
the way to go.
A compiler should be able to take hints on how to check types. The
result of compilation should be one of:
- everything is ok
- the program contains a grave typing error which prevents
the compiler from emitting sane code, compilation is aborted
- the compiler generates sane code but also emits a list of assertions
which need to be checked (by humans or otherwise) in order to
guarantee safety
If we had compilers like that, they would greatly encourage good
programming practices.
You can read the above as my manifesto, if you wish.
Best regards,
Andrej
next prev parent reply other threads:[~2007-10-04 15:04 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-03 8:35 Locally-polymorphic exceptions [was: folding over a file] oleg
2007-10-03 11:27 ` kirillkh
2007-10-03 11:48 ` [Caml-list] " Daniel de Rauglaudre
2007-10-03 12:19 ` kirillkh
2007-10-03 12:32 ` Daniel de Rauglaudre
2007-10-03 14:34 ` kirillkh
2007-10-03 20:39 ` Christophe Raffalli
2007-10-03 22:50 ` Unsoundness is essential skaller
2007-10-03 23:13 ` [Caml-list] " Jacques Carette
2007-10-04 1:24 ` skaller
2007-10-04 11:26 ` David Allsopp
2007-10-04 12:45 ` Vincent Hanquez
2007-10-04 15:07 ` skaller
2007-10-03 23:13 ` Vincent Aravantinos
2007-10-04 1:49 ` skaller
2007-10-03 23:28 ` Joshua D. Guttman
2007-10-04 1:52 ` skaller
2007-10-04 2:35 ` Brian Hurt
2007-10-04 7:46 ` Christophe Raffalli
2007-10-04 8:56 ` Arnaud Spiwack
2007-10-04 14:49 ` skaller
2007-10-04 15:00 ` Harrison, John R
2007-10-04 15:29 ` Andrej Bauer
2007-10-04 16:25 ` skaller
2007-10-04 18:17 ` Arnaud Spiwack
2007-10-04 20:54 ` skaller
2007-10-04 22:24 ` Arnaud Spiwack
2007-10-04 16:37 ` skaller
2007-10-04 18:59 ` Christophe Raffalli
2007-10-04 15:04 ` Andrej Bauer [this message]
2007-10-04 15:57 ` Christophe Raffalli
2007-10-04 16:03 ` skaller
2007-10-04 20:02 ` Ken Rose
2007-10-04 21:00 ` skaller
2007-10-04 15:31 ` Lukasz Stafiniak
2007-10-04 17:56 ` rossberg
2007-10-04 19:56 ` skaller
2007-10-04 21:07 ` rossberg
2007-10-04 22:23 ` skaller
2007-10-05 2:48 ` Bárður Árantsson
2007-10-04 2:16 ` Locally-polymorphic exceptions [was: folding over a file] oleg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=470500F9.1080301@fmf.uni-lj.si \
--to=andrej.bauer@fmf.uni-lj.si \
--cc=Andrej.Bauer@andrej.com \
--cc=aspiwack@lix.polytechnique.fr \
--cc=caml-list@inria.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).