-
Notifications
You must be signed in to change notification settings - Fork 231
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove dependency on proof irrelevence axiom #230
base: master
Are you sure you want to change the base?
Remove dependency on proof irrelevence axiom #230
Conversation
In one case we replace proof_irrelevence with the weaker axiom from Eqdep. Eqdep is already (indirectly) required by Program.Equality, so this isn't a new dependency for this module.
Apologies for taking so long to acknowledge this proposal. It's instructive to see how to get rid of proof irrelevance and how it "costs" in terms of proof effort. Thanks a lot for your work pushing the proofs through! In the end I'm not sure yet what to conclude from this experiment. If we really want to avoid the proof irrelevance axiom, perhaps it would be better to use Boolean equalities in dependent types, i.e. replace But is it really worth getting rid of proof irrelevance? Currently CompCert uses functional extensionality and proof irrelevance axioms, and I thought those two axioms are uncontroversial (and possibly even provable in a future HoTT-infused Coq). |
Also: this set of axioms (functional extensionality + proof irrelevance) was agreed a long time ago with @andrew-appel as a common basis for CompCert and for VST. I see VST uses proof irrelevance quite a lot. |
I created this patch because I was trying to understand where CompCert was relying on proof irrelevance. In my experience, proof irrelevance is usually not necessary. I consider using proof irrelevance a kind of code smell because it means you are making computationally relevant data inaccessible, and there is a reasonable chance that later on you will decide you need that data accessible afterall. I was surprised when I saw CompCert was relying on it and I wanted to explore where it was needed. As you can see, my conclusion is that it isn't really needed at all and was, in fact, very easy to remove. Most of the places that CompCert uses proof irrelevence is for propositions that are already provably irrelevant. The only exception was the inductive definition of Regarding if it would be better "to use Boolean equalities in dependent types", I don't think that follows. The two definitions you suggest are isomorphic and each form has its advantages and disadvantages (which is why in SSReflect's library usually both forms of predicates, logical and computational, are defined and related to each other by a reflection principle). While the axioms used by CompCert are uncontroversial from a logical standpoint, the use of axioms get in the way of reduction and eliminate CIC's canonicity property. I suppose we are all hoping that a computational form of Univalance will be discovered to make functional extensionality reducible. OTOH I don't believe that proof irrelevance is something that will be provable with HOTT. I'm not an expert, but my understanding is that HOTT only has proof irrelevance for Generally speaking, I think it is good form to only use Regarding VST, because it is VST that depends on CompCert rather than vice versa, I feel that the fact that VST uses Proof Irrelevence doesn't obligate CompCert to also make use of Proof Irrelevence. I think a reasonable outcome here is to keep I agree that the argument to remove the use of proof-irrelevance isn't very strong. All the axioms used by CompCert, functional extensionality, Perhaps ultimately it is just aesthetically displeasing to depend on Axioms and if it is easy to remove the use of one of them, then maybe this is an improvement. However, not merging this PR seems to be reasonable choice if you think reducing axiom dependencies isn't worthwhile (though I still think your definition of |
Thanks for the extra explanations, very useful. I care much more about specifications than about proofs. CompCert tries hard to use the specification styles most appropriate for what needs to be specified. Quite often (as in PL mechanization in general) inductive predicates are best, but sometimes functions with results in Prop are clearer. For More generally, I certainly don't want to be forced into changing specifications just to get the uniqueness of proofs property. That's just a failure of proof engineering. I'll gladly take the smell of the proof irrelevance axiom instead. If I mentioned the SSR-style use of |
Your comments are fair. I believe that you will eventually come to regret accepting non-proof irrelevent definitions in However I think your decision here is reasonable, and I'm quiet happy you have considered my PR even if it is rejected. |
This is a small clean up that removes the already rare uses of the proof irrelevance axiom.