Meta-Theory: Clarify transitive coherence #173
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I tried to prove the “weak transitive coherence” that we claim in Coq:
Theorem transitive_coherence:
forall ta tb tc v1,
ta <: tb ->
tb <: tc ->
v1 :: ta ->
coerce tb tc (coerce ta tb v1) [= coerce ta tc v1.
where [= allows more null on the left than on the right. I believed this
holds, but the proof doesn't go through.
A counter example is `bool <: opt bool <: opt opt bool`.
Coercing `true` in two steps goes via `opt true` to `opt opt true`.
Coercing directly goes to `null`, because the “constituent-to-opt” rule
`t <: opt t'` requires that `t'` is a non-opt type.
We added that restriction in 30f719f for the reasons discussed
in #135 (comment)
This PR just updates the prose to not claim wrong things.
(This is a good humbling reminder about how easy it is to go wrong when
one does not do formal proofs.)
chenyan-dfinity
approved these changes
Feb 1, 2021
nomeata
added a commit
that referenced
this pull request
Apr 23, 2021
…ence (#171) A revamp of the Coq development: * It models the subtype-checking on decoding (#168). Looks good * It connects MiniCandid to the IDL-Soundness theorem. The main work here is the subtyping-compositonality lemma. ``` If t1 <: t2 and s1 in t1 <: s2 in t2 then s1 <: s2. ``` With this in place, instantiating the “canonical subtyping” proof there works nicely. * It proves transitive coherence with regard to the relaxed relation as per #173 * Mild coqdoc’ifiacation. I’d like to eventually render these to HTML and host them somewhere. It’s very annoying that Github Action artifacts, even if they are HTML, are not directly accessible with the browser. Maybe setup Github pages? It is still a Mini-Candid with a limited set of types, but I think it has all the interesting ones to cover the corner cases. Even adding vectors adds a lot of technical noise with little additional insight (see #154.)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I tried to prove the “weak transitive coherence” that we claim in Coq:
where [= allows more null on the left than on the right. I believed this
holds, but the proof doesn't go through.
A counter example is
bool <: opt bool <: opt opt bool.Coercing
truein two steps goes viaopt truetoopt opt true.Coercing directly goes to
null, because the “constituent-to-opt” rulet <: opt t'requires thatt'is a non-opt type.We added that restriction in 30f719f for the reasons discussed
in #135 (comment)
This PR just updates the prose to not claim wrong things.
(This is a good humbling reminder about how easy it is to go wrong when
one does not do formal proofs.)