[Agda] Agda Observational equality using primUnsafeTrustMe?
Thorsten Altenkirch
txa at Cs.Nott.AC.UK
Fri Jan 7 18:05:45 CET 2011
Hi Dominique,
I have been thinking about something like this but didn't realize it could be done so easily. I think this is an interesting idea.
It certainly breaks a number of things, e.g. subject reduction. But does it break termination?
Conor was always opposed to any such tricks because it breaks a number of things in the implementation. But he can talk for himself.
Cheers,
Thorsten
On 7 Jan 2011, at 14:56, Dominique Devriese wrote:
> Hi all,
>
> I'm fascinated by the issue of observational equality and
> extensionality in Agda. I've read with interest Altenkirch, McBride
> and Swierstra's 2007 PLPV paper "Observational Equality Now". What
> I've been thinking about is the relation between their solution and
> Agda's primTrustMe's construct. Clearly, the latter is not concerned
> with heterogeneous equality which Altenkirch et al work with, but this
> difference does not seem fundamental.
>
> More fundamentally, primTrustMe induces a check during reduction (not
> type-checking) that its value arguments are definitionally equal,
> which of course prevents it from being used in the proof of (for
> example) extensional equality of functions. I'm wondering about what
> happens if I just remove this reduction-time equality checking
> (similar to how I understand the MAlonzo compiler handles
> primTrustMe?). Clearly this is unsafe, but unsafety seems expected
> when adding axioms to a theory? It intuitively feels safe to do for
> properties that do not make the theory inconsistent (make bottom
> provable).
>
> To better understand this, I've done a quick-and-dirty experiment
> implementation in the Agda codebase (patch attached if anyone is
> interested, darcs diff -u for readability). What it does is add a
> primUnsafeTrustMe primitive that is identical to primTrustMe except
> for the removed reduction-time equality check. At first sight, it does
> allow to formulate and exploit function extensionality while retaining
> canonicity. I'm also attaching a test.agda file with some very simple
> experiment code about this.
>
> I'm trying to better understand the practical of theoretical
> consequences of such a change. I'm not well versed in dependent type
> theory, or its implementation aspects, so I hope a discussion on this
> list might help clarify some points? Some specific questions I'm
> thinking about:
>
> * I have the intuition that primUnsafeTrustMe should be safe if you only
> use it to prove propositions that do not make the theory
> inconsistent, like function extensionality. Any thoughts?
> * If someone were to use primUnsafeTrustMe to prove inconsistent
> propositions, then I would expect anything can happen (crash compiler,
> "launch the missiles"), but this feels similar to Haskell's unsafePerformIO
> primitive. Any further thoughts?
> * Does such a change produce any undesirable interactions with other
> parts of Agda?
> * Any thoughts on how this would extend to heterogeneous equality and
> coercions? A primUnsafeTrustMeHet primitive doesn't seem fundamentally
> different?
>
> Hoping for an interesting discussion ;)
> Dominique
> <agda-primUnsafeTrustMe.patch><test.agda>_______________________________________________
> Agda mailing list
> Agda at lists.chalmers.se
> https://lists.chalmers.se/mailman/listinfo/agda
More information about the Agda
mailing list