Relevance check in reflection #5734
Comments
|
I'd say the solution is just to add a call to agda/src/full/Agda/TypeChecking/Unquote.hs Line 787 in 60e2c7a Or is there are reason this would not be fixing the issue "systematically"? |
|
In this particular case, it seems fine to call By the way, we should add agda/src/full/Agda/TypeChecking/Unquote.hs Line 780 in 015759c instead, right? Both of inContext and extendContext should be allowed to add types involving erased variables…
|
|
One approach would be to let the reflection machinery generate code without any restrictions, and then check the generated code. I guess this is not how things are set up. |
It might be useful to have an operation checking a term in run-time mode, although I don't have any concrete application. |
L-TChen
changed the title
extendContext
The problem is not so much that there are restrictions on the generated code, but that arguments to built-in primitives such as |
|
If code generated by macros were not trusted but checked, then it would presumably be safe to allow unrestricted use of erased definitions in macros. If the generated code satisfies all typing rules, then it does not matter if some erased name is used as part of the (compile-time) computation that generates the code. It might still be nice to catch errors early, though. |
|
I'm not sure I understand what you are saying. Code generated by macros is already not trusted, as it always passes through the typechecker when it is unquoted. The only time you get an error "early" in the macro is when you use one of the TC primitives that take a term as input, but there it is really necessary to check that the input is well-formed because otherwise it could violate internal invariants of Agda. |
|
Perhaps what you are saying is that we could allow the definition of a macro itself to be erased? This seems true to me and would be a good idea, but it's unrelated on whether the generated code is trusted or checked. Edit: See #5744 |
My understanding is that the unquoting code is trusted: if you make a mistake in the wrong part of
Yes, the definition of a macro can be erased, as long as Agda checks that the generated code satisfies all typing rules (including rules related to erasure). |
|
Ah yes, you are correct that the code in the implementation of Agda responsible for unquoting needs to be correct. In principle it just constructs the abstract syntax by running the user macro and then passes this to the typechecker, so there is not much that can go wrong, but it calls the typechecker in the wrong way (e.g. by wrapping it in a Perhaps what you are imagining is that we would have a small core part of Agda that only exports the type of internal syntax as an abstract type, so it would be guaranteed that all syntax of this type is well-typed as long as this small core is correct. This is how some proof checkers are set up, but for Agda this is currently not the case. |
It is for reasons like this one that I wrote "That is perhaps to some degree unavoidable" above. Even with a fully verified type-checker, if you don't call the type-checker at all, or if you manipulate the source code incorrectly before you send it to the type-checker, then you can get incorrect results. |
|
Yes, this is a problem that cannot be solved by verifying the typechecker, but it can in principle be solved by a much more strict separation between trusted and untrusted parts of the typechecker than we have now. |
|
Seems to me that the main issue was fixed in 5485ecf, feel free to open a new issue if there is still a problem. |
While erased variables cannot be used during computation, they can be used to type-check. In particular, it should be fine to be referred to in a context. However, consider the following macro
m:When extending the context with the second variable
Ain the above telescope(("ℓ" , arg (arg-info visible (modality relevant quantity-0)) (def₀ (quote Level))) ∷ ("A" , vArg (agda-sort (set (var₀ 0)))) ∷ []), Agda throws an errorThe type checker should be in the compile-time mode, in this case, so the modality should be ignored. The question is, how this can be fixed systematically?
The text was updated successfully, but these errors were encountered: