In dependently-typed languages like Agda, it is possible to prove correctness of a function with respect to some propositional specification, represented as a type. One approach to program correctness adds the constraint that all specifications are of the form