
A Lisp Way to Type Theory and Formal Proofs (2017) [pdf] - pmoriarty
https://www.european-lisp-symposium.org/static/2017/peschanski.pdf
======
nickpsecurity
Looks neat but no mention of ACL2 in project about LISP and proving? Come on,
now! I wonder if the author investigated it. If so, why not use it or improve
it. So far, it's one of most successful in terms of industrial use with SPIN
being other one (TLA+ doing similar stuff now).

[https://www.cs.utexas.edu/users/moore/acl2/](https://www.cs.utexas.edu/users/moore/acl2/)

Far as TCB, Jared Davis, who used ACL2 on x86 processors, built a self-
verifying prover for a logic going in ACL2's direction. It was verified to
assembly using Magnus Myreen's techniques.

[https://www.cs.utexas.edu/~jared/milawa/Web/](https://www.cs.utexas.edu/~jared/milawa/Web/)

~~~
codebje
SPIN and TLA+ aren't proof assistants at all - they're model checkers, that
is, they simulate a model some number of times and check that the desired
properties hold in all explored states. Obviously this means they're not
providing a guarantee that the properties hold for all states: there's no
proof, only evidence. This doesn't mean they're useless, but it does mean
they're not proof assistants.

ACL2 is a proof assistant, at least, but it's not based in type theory, so
that's probably why they didn't use or improve it. ACL2 looks like it's
specifically intended to aid in proving theorems about models of software
systems, as well, which probably makes its logic system a bit clunky to use
when expressing theorems about mathematical structures.

~~~
pron
1\. TLA+ is a language. TLA+ specifications can be verified with either a
model checker or a proof assistant. TLA+'s proof language is one of the most
elegant I've seen.

2\. A model checker most certainly provides 100% guarantees. This is why it's
called a model-checker: it checks that a system's Kripke structure is a
model[1] (i.e. a satisfying assignment) for a formula. It's just that model
checkers often fail to check infinite state spaces and so people often check a
finite instance of a specification. While model checkers have occasionally
found errors in (informal but peer-reviewed) "proofs", I am not aware of any
cases to the converse (obviously, when a finite instance was used for an
infinite-state system). Both model checkers and deductive proofs have
limitations and are generally complementary, but currently model checkers are
considered to be much more scalable.

Also, model checkers don't "simulate a model some number of times." (the
model-checking algorithm for temporal logic won the Turing award for its
inventors). Even in finite state cases, model checkers check temporal formulas
on infinite behaviors (e.g. that every request is eventually matched by a
response).

[1]:
[https://en.wikipedia.org/wiki/Model_theory](https://en.wikipedia.org/wiki/Model_theory)

~~~
grumdan
Some model checkers are bounded model checkers, for example CBMC, a bounded
model checker for C. In practice this sometimes means they only unroll loops a
certain number of times, so they might miss assertion violations occurring in
later iterations of a loop. You're right though that there are model checkers
that are not bounded and these do provide guarantees.

~~~
pron
Yes, as their name suggests, bounded model checkers check _bounded_ models
rather than models. In the literature, bounded models are virtually never
mentioned unqualified (i.e., a bounded model checking algorithm won't be
presented as a model checking algorithm).

------
tluyben2
The book[0] mentioned is excellent if you are interested in this kind of
thing. It is available on Kindle too.

[0] [https://www.cambridge.org/core/books/type-theory-and-
formal-...](https://www.cambridge.org/core/books/type-theory-and-formal-
proof/0472640AAD34E045C7F140B46A57A67C)

------
fredokun
Author here. If you are interested I talked about type theory at
euroclojure'16\. The video is there:
[https://m.youtube.com/watch?v=5YTCY7wm0Nw](https://m.youtube.com/watch?v=5YTCY7wm0Nw)

... And it's not really clojure-specific except if you want to try LaTTe:

[https://github.com/latte-central/LaTTe](https://github.com/latte-
central/LaTTe)

------
agumonkey
Oh, Dr Peschanski. If you're interested he was also into random trees
[https://github.com/fredokun/arbogen](https://github.com/fredokun/arbogen)

~~~
fredokun
If you're interested... A tutorial about this topic... It's clojurescript in
the browser but I think the algorithmic explanations do not require any lisp
knowledge...

(Edit missing link)

[https://github.com/fredokun/talk-
clojureD-2018/blob/master/R...](https://github.com/fredokun/talk-
clojureD-2018/blob/master/README.md)

~~~
agumonkey
Hello, didn't see that talk, thanks

