Newsgroups: comp.lang.scheme
Path: cantaloupe.srv.cs.cmu.edu!bb3.andrew.cmu.edu!nntp.sei.cmu.edu!news.cis.ohio-state.edu!math.ohio-state.edu!uwm.edu!news-res.gsl.net!news.gsl.net!news.mathworks.com!newsfeed.internetmci.com!in3.uu.net!news.biu.ac.il!discus.technion.ac.il!news!qobi
From: qobi@eesun.technion.ac.il (Jeffrey Mark Siskind)
Subject: Re: Scheme vs ML, the last word :)
Reply-To: Qobi@EE.Technion.AC.IL
Organization: Technion, Israel Institute of Technology
Date: Mon, 12 Aug 1996 08:28:16 GMT
Message-ID: <QOBI.96Aug12112816@eesun.technion.ac.il>
In-Reply-To: shriram@europa.cs.rice.edu's message of 07 Aug 1996 19:06:06 GMT
X-Nntp-Posting-Host: eesun.technion.ac.il
References: <SHRIRAM.96Aug7140606@europa.cs.rice.edu>
Sender: news@discus.technion.ac.il (News system)
Lines: 46

In article <SHRIRAM.96Aug7140606@europa.cs.rice.edu> shriram@europa.cs.rice.edu (Shriram Krishnamurthi) writes:

   For example, the indexing into
   vectors, the extraction of the first element in a list, division, and
   probably a few more things are checked at run-time in BOTH languages.

The above statement is very important. Building a theorem prover that can
reason about the above kinds of potential run-time errors (and other kinds of
program flaws that don't manifest themselves in any errors at all, whether
they be compile time or run time) will require a calculus that goes beyond
what people normally consider to be `type' systems.

   3. Hence, what we really want is a supplemental theorem prover.  The system
   should be supplemental so that we can ignore it for small programs. Its
   purpose is to determine for all computational primitives whether or not its
   arguments are in the appropriate class. If not, the theorem prover flags
   the appropriate sites in the program and, ideally, explains the reasoning
   why it flagged the site. If the programmer accepts the explanation, he must
   look for a bug---because he acknowledged its existence; if he rejects it
   because he has a proof that is outside of the range of the theorem
   proofer's capabilities, he can run the program anyway.

One might say that if the programmer should not be allowed to reject the
compiler warning for if she has a proof that is outside the range of the
theorem prover's capabilities she should be given a language that is
sufficiently expressive to allow her to communicate the proof to the compiler
and the compiler should check the proof.

   4. Now we can say this: R*S Scheme is a statically typed language that
   has taken this view of theorem proving to an extreme. It provides a
   programming language and no theorem prover. It doesn't even provide a
   language in which we can specify hints for the theorem prover, although one
   could argue that we can build such an annotation language trivially with
   the macro system.

I wouldn't classify the above analyses as `trivial' and simply a matter of
using the macro system. The proper way of going about this is to design a
logic that is sufficiently expressive to communicate the notions we use in
programming languages, merge that logic with a programming language, and
augment those two with a proof text language. And then implement the whole
thing and study how easy it is to use such a tool. There is some work that in
fact does this. See Robert Givan's Ph.D. thesis which uses David McAllester's
Ontic system in precisely this fashion.
-- 

    Jeff (home page http://tochna.technion.ac.il/~qobi)
