Georges Gonthier Reflection, of all shapes and sizes

Georges Gonthier

Reflection,of all shapes and sizes

What is reflection?

Computing/reasoning with text rather than mathematical objects.

Add(Pow(Var “x”, 2), …) Add(Pow(Add …, 2), 1)

quotation interpretation

computation

𝑥2+2𝑥+2>0 (𝑥+1)2+1>0reflection

The many sizes of reflection

• Large scale: prove lemma/assertion– Computer Algebra: ring tactic, SOS– 4CT reducibility, Flyspeck tame graphs, …

• Medium scale: perform major proof step– 4CT unavoidability, coprime cycle coherence

• Small scale: minor proof step, notation– Peano arithmetic, Boolean evaluation– Algebraic overloading, lemma overloading

Interpretation

• Usually internal (interpreter in theory)• Validation requires interpretation of a

justification trail, except– If the output is not directly related to the input

(medium-scale reflection).– If the computation is internal, and proved

correct (not as hard as it is believed to be).– The output can be validated directly, e.g.,

algebra, linear optimization.

Computation

• For big-scale reflection, often external for performance reasons.

• Internal computation is “safer” in that it limits TCB (iterates computation).

• Performance can be recovered by specialized/simplified algorithms.

• Trust can be recovered from evidence trails.

Quotation

• The “essence” of reflection; often external.• Generic support conflicts with abstraction.• Not needed if the formal objects are

syntactic (Booleans, Peano integers).• Not needed if the formalization includes

interpretation.• Can be done with syntax overloading.• Can be done with type unification.

Large-scale reflection: reducibility

• SetupVariable cf : config.

Definition cfreducible : Prop := …

Definition check_reducible : bool := …

Lemma check_reducible_valid : check_reducible -> cfreducible.

• UsageLemma cfred232 : cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10

H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y).

Proof. apply check_reducible_valid; by compute. Qed.20,000,000 cases

Internal decision procedureDefinition ktc_step closure kr := let: (ctu, gtp) := kr in if ctree_empty ctu then kr else let: GtreePair gtr gtu := gtp in if gtree_empty gtr then kr else if gtree_empty gtu then (CtreeEmpty, empty_gtree_pair) else let: CtreePair ctu' ctr := ctree_restrict h ctu (CtrCons Bstack0 gtr CtrNil) in closure ctu' (ctree_rotlr ctr) gtu.

Definition ktc_step2c step (closure : ktc_fun) ctu ctr gtu := step (step (closure ctu ctr gtu)).

Definition ktc_dostep2c closure := ktc_step2c (ktc_step closure) closure.

Fixpoint Kempe_tree_closure d : ktc_fun := if d is d'.+1 then ktc_dostep2c (Kempe_tree_closure d') else fun ctu ctr gtu => (ctu, gtree_restrict gtu (GtrCons Bstack0 ctr GtrNil)).

Theorem Kempe_tree_closure_correct d ctu ctr gtu : let ktr0 Q := Q ctu ctr GtreeEmpty gtu in let ktrp := ktr_prop (Kempe_tree_closure d ctu ctr gtu) in ktr0 Kempe_valid -> [/\ ktrp Kempe_valid & forall sz, ktr0 (Kempe_complete (3 ^ d + sz)) -> ktrp (Kempe_complete sz.+1)].Proof.elim: d => [|d IHd] /= in ctu ctr gtu *. move Dctrr: (GtrCons _ ctr _) => ctrr [[ctu_ok Dctu] Dctr Dgtr Dgtu closedP]. move: (gtree_restrict_partition gtu ctrr) (gtree_mem0_restrict gtu ctrr). case: (gtree_restrict gtu ctrr) => gtr gtu' /= Pgt Pgtr. split=> [|sz [ctu_lt_sz ctr_closed]]. split=> // [|w gt_w | w gt_w | w gt'w Dw]; first split=> // et.

… 94 lines …Qed.

Small scale reflection for Peano

• Set

• So:– 0 <= m is true– m < 0 is false– m < n.+1 ≡ m.+1 <= n.+1 is m <= n.

• Works with if, &&, size : seq T -> nat, …

Definition leq m n := m – n == 0.Notation “m <= n“ := (leq m n).Notation “m < n“ := (m.+1 <= n).

Reflection: bool vs. Prop

boolconcrete

computable

Propabstractprovable

_ = true

unstructured proofstruth tables

structured proofsdeduction rules

b1 && b2 P1 /\ P2

b1 b2 b1 && b2 T T T T F F F T F F F F

P1 P2P1 /\ P2

b1 /\ b2andP

≝ if b1 then b2 else false

b1 b2b1 /\ b2

Text to formal text Theorem Ptype_embedding : forall M K, M \in 'M_'P -> \kappa(M).-Hall(M) K -> exists2 Mstar, Mstar \in 'M_'P /\ gval Mstar \notin M :^: G & let Kstar := 'C_(M`_\sigma)(K) in let Z := K <*> Kstar in let Zhat := Z :\: (K :|: Kstar) in [/\ (*a*) {in 'E^1(K), forall X, 'M('C(X)) = [set Mstar]}, (*b*) \kappa(Mstar).-Hall(Mstar) Kstar /\ \sigma(M).-Hall(Mstar) Kstar, (*c*) 'C_(Mstar`_\sigma)(Kstar) = K /\ \kappa(M) =i \tau1(M), (*d*) [/\ cyclic Z, M :&: Mstar = Z, {in K^#, forall x, 'C_M[x] = Z}, {in Kstar^#, forall y, 'C_Mstar[y] =

Z} & {in K^# & Kstar^#, forall x y, 'C[x * y] = Z}]& [/\ (*e*) [/\ trivIset (Zhat :^: G), 'N(Zhat) = Z, {in ~: M, forall g, [disjoint Zhat & M :^ g]} & (#|G|%:R / 2%:R < #|class_support Zhat G|%:R :> qnum)%R ], (*f*) M \in 'M_'P2 /\ prime #|K| \/ Mstar \in 'M_'P2 /\ prime #|Kstar|, (*g*) {in 'M_'P, forall H, gval H \in M :^: G :|: Mstar :^: G} & (*h*) M^`(1) ><| K = M]].

Parametric overloading

• Generic product:

x * y

Structure gType := GroupType { gSort : Type; mulg : gSort → gSort →gSort; ...}

Variables (gT : gType) (x y : gSort gT).Infix “*“ := (mulg _).

mulg ?1 x y.

≡ gSort TgSort ?1

T

T

Coercion gSort : gType >-> Sortclass.

Ad hoc retrofitting

• Specific product

coset H x * coset H y

gSort ?1 ≡ coset_of H

fun gT => let: gType T _ … := gT in T

Definition coset_gType H := GType (coset_of H) ....

Canonical coset_gType.

gSort (coset_gType H) ≡ coset_of H

≡ mulg (coset_gType H) …

Algebra interface hierarchyEquality

Choice

Ring

UnitRingComRing

Zmodule

ComUnitRing

Lmodule

AlgebraVector

Falgebra

Addidive

Rmorphism Linear

LRmorphism

Nested class structuresFinGroup.type

Finite.type

sort

mulg, ...

enum, ...mixin

mixin

FinGroup.classsort Finite.type

sort

enum, ...class =mixin

gT ≡ FinGroup.sort gT

Coercion FinGroup.finType

Canonical Finroup.finType

FinGroup.finType

≡ Finite.sort (FinGroup.finType gT)

Linear operator interface

• Encapsulate f (λv) = λ(f v) Module Linear.Section ClassDef.Variables (R : ringType) (U V : lmodType R).Definition mixin_of (f : U -> V) := forall a, {morph f : u / a *: u}.Record class_of f : Prop := Class {base : additive f; mixin : mixin_of f}.Structure map := Pack {apply :> U -> V; class : class_of apply}.Structure additive cT := Additive (base (class cT)).End Linear.

General linear operators

• Encapsulate f (λv) = λσ(f v) Module Linear….Variables (R : ringType) (U : lmodType R) (V : zmodType).Variable (s : R -> V -> V). Definition mixin_of (f : U -> V) := forall a, {morph f : u / a *: u >-> s a u}.Record class_of f : Prop := Class {base : additive f; mixin : mixin_of f}.Structure map := Pack {apply :> Type; class : class_of apply}.…

(* horner_morph mulCx_nu P := (map nu P).[x] *)Fact …: scalable_for (nu \; *%R) (horner_morph mulCx_nu).

General linearity

• Rewrite f (λv) = λσ(f v) in both directionsVariables (R : ringType) (U : lmodType R) (V : zmodType).Variables (s : R -> V -> V) (S : ringType) (h : S -> V -> V).Variable h_law : Scale.law h.

Lemma linearZ c a (h_c := Scale.op h_law c) (f : Linear.map_for U s a h_c) u : f (a *: u) = h_c (Linear.wrap f u).

Interfacing matricesboolEquality

nat

seq

Finite 'I_nbigop Ei

i ←r & P(i)

Choice

Zmodule

Ring

ComRing

Field

{ffun D -> R}

matrix‘M[R]_(m, n)

Inductive matrix := Matrix of {ffun 'I_m * 'I_n -> R}.

• In math:

S = A + ∑i Bi is direct

iff rank S = rank A + ∑i rank Bi

• In Coq:

Lemma mxdirectP :

forall n (S : 'M_n) (E : mxsum_expr S S),

reflect (\rank E = mxsum_rank E) (mxdirect E).

• This is generic in the shape of S

Direct sums

Circular inequalities

have Bfree_if: forall ZxH, ZxH \in clPqH^# -> \rank <<B (b ZxH)>> <= #|ZxH| ?= iff row_free (B (b ZxH)) by…have B1_if: \rank <<B (b 1%g)>> <= 1 ?= iff (<<B (b 1%g)>> == mxvec 1%:M)%MS by …have rankEP: \rank (1%:M : 'A[F]_q) = (\sum_(ZxH \in clPqH) #|ZxH|)%N by ...have cl1: 1%g \in clPqH by …have{B1_if Bfree_if}:= leqif_add B1_if (leqif_sum Bfree_if).case/(leqif_trans (mxrank_sum_leqif _)) => _ /=.rewrite -{1}(big_setD1 _ cl1) sumB {}rankEP (big_setD1 1%g) // cards1 eqxx.move/esym; case/and3P=> dxB; move/eqmxP=> defB1; move/forall_inP=> /= Bfree.

Lemma leqif_trans : forall m1 m2 m3 c1 c2, m1 <= m2 ?= iff c1 -> m2 <= m3 ?= iff c2 -> m1 <= m3 ?= iff c1 && c2.

Lemma leqif_add : forall m1 n1 c1 m2 n2 c2, m1 <= n1 ?= iff c1 -> m2 <= n2 ?= iff c2 -> m1 + m2 <= n1 + n2 ?= iff c1 && c2.

Lemma mxrank_sum_leqif : forall m n (S : mxsum_expr m n), \rank (unwrap S) <= unwrap (mxsum_rank S) ?= iff mxdirect (unwrap S).

Bfree_if : forall ZxH : {set coset_of Z}, ZxH \in clPqH^# -> \rank <<B (b ZxH)>> <= #|ZxH| ?= iff row_free (B (b ZxH)) B1_if : \rank <<B (b 1%g)>> <= 1 ?= iff (<<B (b 1%g)>> == mxvec 1%:M)%MS rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH

============================ ...

rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================\rank <<B (b 1%g)>> + \sum_(i \in clPqH^#) \rank <<B (b i)>> <= 1 + \sum_(i \in clPqH^#) #|i| ?= iff (<<B (b 1%g)>> == mxvec 1%:M)%MS && (forallb i, (i \in clPqH^#) ==> row_free (B (b i))) ->

…

rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================ (\rank (<<B (b 1%g)>> + \sum_(i \in clPqH^#) <<B (b i)>>) == (1 + \sum_(i \in clPqH^#) #|i|)%N) = [&& mxdirect (<<B (b 1%g)>> + \sum_(i \in clPqH^#) <<B (b i)>>), (<<B (b 1%g)>> == mxvec 1%:M)%MS & forallb i, (i \in clPqH^#) ==> row_free (B (b i))] ->

…

rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================ true = [&& mxdirect (<<B (b 1%g)>> + \sum_(i \in clPqH^#) <<B (b i)>>), (<<B (b 1%g)>> == mxvec 1%:M)%MS & forallb i, (i \in clPqH^#) ==> row_free (B (b i))] ->

…

rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH dxB : mxdirect (<<B (b 1%g)>> + \sum_(i \in clPqH^#) <<B (b i)>>) defB1 : (<<B (b 1%g)>> :=: mxvec 1%:M)%MS Bfree : forall x : {set coset_of Z}, x \in clPqH^# -> row_free (B (b x)) ============================

…

Presentations

• D2n ≈ Grp (x, y : x2n-1, y2, xy = x-1)

• SD2n ≈ Grp (x, y : x2n-1, y2, xy = x2n-2-1)

• Q2n ≈ Grp (x, y : x2n-1, y2 = x2n-2, xy = x-1)

Lemma Grp_dihedral : 'D_m \isog Grp (x : y : (x ^+ q, y ^+ 2, x ^ y = x^-1)).

... but this is not constructive (Post) !

• In the Feit-Thompson proof of the Odd Order theorem, one need to extend an isometry from a submodule of the virtual characters of to those of , to all characters of .

• Characters are traces of ℂ matrix representations. Here so characters in are -roots of unity.

Coprime cycle coherence

• The submodule is generated by 1 and the ; set .

• Is the obvious solution

unique?

A dot product matrix puzzle

𝛽𝑖𝑗

𝛽1 𝑗

𝛽𝑖1

𝛽11=1

=1= 0

=3

Medium scale reflection

Definition sym_match s th1 th2 := let: Sym si sj sk := s in let: (ri, rj, rk) := (th_bbox th1, th_dim th1) in let is_sym r s := uniq s && all (gtn r) s in let match_cl cl2 := let: (i2, j2, kvs2) := cl2 in let ij := (nth ri si i2, nth rj sj j2) in let match_lit kvs1 kv := (nth rk sk kv.1, kv.2) \in kvs1 in let match_cl1 cl1 := let: (ij1, kvs1) := cl1 in (ij1 == ij) && all (match_lit kvs1) kvs2 in uniq (unzip1 kvs2) && has match_cl1 th1 in [&& is_sym ri si, is_sym rj sj, is_sym rk sk & all match_cl th2].

• Reflection is a versatile theorem proving technique.

• Reflection takes different forms for different problem sizes.

• Internal reflection can work even at large scale.

• Shallow embeddings work well at small scale.

Conclusions