Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Higher-order constants can be used to prove false #147

Closed
chaudhuri opened this issue Jun 10, 2023 · 6 comments
Closed

Higher-order constants can be used to prove false #147

chaudhuri opened this issue Jun 10, 2023 · 6 comments
Assignees
Labels

Comments

@chaudhuri
Copy link
Member

chaudhuri commented Jun 10, 2023

This is a slightly edited summary of an email from @gnadathur97:


Sebastiaan Joosten, a lecturer in my department, was able to write the following definitions in Abella without even getting a warning:

Type naive (set -> prop) -> set.

Define setmember : set -> set -> prop by
  setmember S (naive P) := P S.

Define nomember_of_itself : set -> prop by
  nomember_of_itself S := setmember S S -> false.

[T]he following clauses are instances of the clauses in these definitions:

setmember (naive nomember_of_itself) (naive nomember_of_itself) :=
  nomember_of_itself (naive nomember_of_itself).

nomember_of_itself (naive nomember_of_itself) :=
  setmember (naive nomember_of_itself) (naive nomember_of_itself) -> false.

Not surprisingly, Sebastiaan was able to generate a proof of false from the definitions.

@chaudhuri chaudhuri added the bug label Jun 10, 2023
@chaudhuri chaudhuri self-assigned this Jun 10, 2023
@chaudhuri
Copy link
Member Author

This is not completely fixed. Negative instances of prop can be hidden with polymorphic types.

@chaudhuri chaudhuri reopened this Jun 12, 2023
@sjcjoosten
Copy link

sjcjoosten commented Jun 12, 2023

I managed to minimize the script and the proof I found, the idea is still based on Russel's paradox in naive set theory (hence the names):

Kind set type.
Type naive (set -> prop) -> set.

Define nomember_of_itself : set -> prop by
  nomember_of_itself (naive S) := S (naive S) -> false.

Theorem nomember_of_itself : nomember_of_itself (naive nomember_of_itself) -> false.
  intros. case H1. backchain H2.

Theorem oops: false.
  assert (nomember_of_itself (naive nomember_of_itself) -> false) -> false.
    intros. backchain H1. apply H1 to nomember_of_itself.

(Edit: tested in commit #74770b6d1dff51084c3ec5d73b86d9293047bfaf, and as expected also this shortened proof no longer works there, unless prop is hidden inside polymorphism.)

@chaudhuri
Copy link
Member Author

No, it still works if you have Type naive (set -> A) -> set.

As I understand it, @gnadathur97's suggestion is to instead prevent definitions such as nomember_of_itself because it has a parameter S whose type contains prop.

For now I will just add a warning for this kind of definition. Preventing such definitions will break some existing examples that use "higher-order" definitions that were used as a shortcut to a decent module system in Abella.

@sjcjoosten
Copy link

I'm pleased to hear that the solution will be to generate warnings somewhere along the way: it's nice to be able to experiment with parameters that contain prop.

chaudhuri added a commit that referenced this issue Jun 12, 2023
@chaudhuri
Copy link
Member Author

The new version just emits a warning and lists all the higher-order parameters. Not yet sure which scenarios are definitely errors and which are in some kind of grey area.

@chaudhuri
Copy link
Member Author

Closing this. Please comment if you discover anything else strange.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants