On Thu, Jul 14, 2016 at 01:27:25AM -0700, Gavin Mendel-Gleason wrote:
>
> I'd be very keen on discussing these 4 - and indeed what would constitute a
> sufficient basis of prerequisites for understanding the differences between
> them.
>
> *Warning: random opining follows*
>
> "Real world" programming is currently a long way from the use of dependent
> types, and as someone who has spent a fair bit of time programming in
> industry, I view this as a bad thing. So many problems that I encountered
> could have been solved once and for all by types (SQL injection attacks
> spring to mind, but also a host of other safety issues) However, there are
> good reasons for not employing languages of dependent types, and that's
> that the costs (largely in human labour) of using them are simply too high
> at present. I'd like to see type theory tools deployed in such a way that
> this is no longer the case.
I was tinkering with this stuff in the 80's and got so far as proving
a merge sort ws correct, but the machine resources available to me
were insufficient to continue the work.
>
> While I'm interested in the mathematical foundations, and I think it's
> often the case that mathematical elegance has its own utility even in
> practice, I lean more towards the programming praxis angle.
I agree.
> I'd be curious to see where dependent types have been deployed in practice
> already, but also imagining how they might be feasibly deployed and what
> sort of tool-chain would be necessary to make this a reality.
>
> One thing that particularly impressed me of late was F-star. While It's a
> bit irritating that you don't get to interact with the theorem prover
> directly and have to attempt to coax it in the right direction, it does
> have a lot of the things that I think will prove essential for broadening
> the appeal and deployment. For instance, a graded hierarchy from quick and
> dirty imperative, right up to pure functional - and all made visible in
> the type system.
My system was purely functional, based on the Martin-Lof type theory,
The syntax vaguely resembled that of a progrmming language, with
let-clauses, lots of explicit type specifications attached to
expressions using colons, and so forth. I delineratesly did not try
to do anything like a Milner-Hindley type inference system because
dealing with type dependencies was already trouble enough.
the really hard part was determining whether two types were equa, so
that a value of one type could be used as value of another (equal)
type. That, of course is unsolvable, so I had nechanisms whereby the
programmer could guide the proof.
> And while I'm in the rhythm of ranting, I'll go ahead and wager that the
> following features will prove important:
>
> 1. You can start with something akin to one of these modern lisp like
> languages (garbage collected, dynamically typed but with effects, ala
> python / javascript) or perhaps something of the ML family (garbage
> collected, statically typed but with effects ala F#) and "turn up" the type
> checking for regions of the code that you want to lock down, right up to
> the point that you have a full dependent type system at your disposal.
Have a look at typed racket. It's an implementation of a Scheme
dialect with a strong typing discipline optionally imposed on it. The
mechanisms used to securely interface the type-checked code with the
unchecked code is particularly interesting.
Unfortunately, typed Scheme does not do dependent types.
>
> I think this will turn out to be important because: A) for significant
> amounts of code, the specification is not actually known yet and will only
> be found as it is explored, B) the code changes too fast for a very careful
> typing discipline to be desirable and C) because sometimes correctness just
> matters less than getting the damn thing limping.
This is exactly correct. You want full formal verification only where
you need it enough to be able to afford it.
>
> Maybe we really can just go full fledged with "pure" functional programs
> but I'm a bit skeptical that using monad transformers should be necessary
> to add a debugging print statement when using exceptions. If it goes this
> route I think it's going to have to force the user to pay less for the
> price of admission. Perhaps this can be done with suitably cool approaches
> at the type level.
>
> 2. That you have facilities for automating the boring parts of the proof
> (at the very least).
I had some of that for equalilty proving, but not enough. For most
type checking I used a context-dependent type propagation mechanism
similaar to that of Algol 68.
>
> I just spent some wicked stupid amount of time doing an obviously banal and
> decidable proof in Agda by hand - I started using reflection and writing a
> prover and gave up proving the prover produced the appropriate type after
> wasting 4 hours when the program to write the program started exceeding the
> size and time of the boring proof. This should have been 10 minutes max
> playing with some tactic language.
Nothing in my system was interactive. There was no tactic language.
>
> 3. Proof of concept. [not really a feature... but]
>
> The system should be developed with a view to early deployment. This can
> help to hone the theoretical approach under the stress of practice. It's
> often very hard to choose from among a number of potentially beautiful
> approaches without the guide of necessity. My guess is that these problems
> should be where the cost of disaster is higher than the cost of programmer
> time. I work with databases a lot and their implementation, and query
> optimisers etc. are all things which might be amenable to a more formal
> approach.
Exactly.
-- hendrik