Embed Size (px)
Citation preview
Georges Gonthier
Reflection,of all shapes and sizes
What is reflection?
Computing/reasoning with text rather than mathematical objects.
Add(Pow(Var “x”, 2), …) Add(Pow(Add …, 2), 1)
quotation interpretation
computation
𝑥2+2𝑥+2>0 (𝑥+1)2+1>0reflection
The many sizes of reflection
• Large scale: prove lemma/assertion– Computer Algebra: ring tactic, SOS– 4CT reducibility, Flyspeck tame graphs, …
• Medium scale: perform major proof step– 4CT unavoidability, coprime cycle coherence
• Small scale: minor proof step, notation– Peano arithmetic, Boolean evaluation– Algebraic overloading, lemma overloading
Interpretation
• Usually internal (interpreter in theory)• Validation requires interpretation of a
justification trail, except– If the output is not directly related to the input
(medium-scale reflection).– If the computation is internal, and proved
correct (not as hard as it is believed to be).– The output can be validated directly, e.g.,
algebra, linear optimization.
Computation
• For big-scale reflection, often external for performance reasons.
• Internal computation is “safer” in that it limits TCB (iterates computation).
• Performance can be recovered by specialized/simplified algorithms.
• Trust can be recovered from evidence trails.
Quotation
• The “essence” of reflection; often external.• Generic support conflicts with abstraction.• Not needed if the formal objects are
syntactic (Booleans, Peano integers).• Not needed if the formalization includes
interpretation.• Can be done with syntax overloading.• Can be done with type unification.
Large-scale reflection: reducibility
• SetupVariable cf : config.
Definition cfreducible : Prop := …
Definition check_reducible : bool := …
Lemma check_reducible_valid : check_reducible -> cfreducible.
• UsageLemma cfred232 : cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10
H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y).
Proof. apply check_reducible_valid; by compute. Qed.20,000,000 cases
Internal decision procedureDefinition ktc_step closure kr := let: (ctu, gtp) := kr in if ctree_empty ctu then kr else let: GtreePair gtr gtu := gtp in if gtree_empty gtr then kr else if gtree_empty gtu then (CtreeEmpty, empty_gtree_pair) else let: CtreePair ctu' ctr := ctree_restrict h ctu (CtrCons Bstack0 gtr CtrNil) in closure ctu' (ctree_rotlr ctr) gtu.
Definition ktc_step2c step (closure : ktc_fun) ctu ctr gtu := step (step (closure ctu ctr gtu)).
Definition ktc_dostep2c closure := ktc_step2c (ktc_step closure) closure.
Fixpoint Kempe_tree_closure d : ktc_fun := if d is d'.+1 then ktc_dostep2c (Kempe_tree_closure d') else fun ctu ctr gtu => (ctu, gtree_restrict gtu (GtrCons Bstack0 ctr GtrNil)).
Theorem Kempe_tree_closure_correct d ctu ctr gtu : let ktr0 Q := Q ctu ctr GtreeEmpty gtu in let ktrp := ktr_prop (Kempe_tree_closure d ctu ctr gtu) in ktr0 Kempe_valid -> [/\ ktrp Kempe_valid & forall sz, ktr0 (Kempe_complete (3 ^ d + sz)) -> ktrp (Kempe_complete sz.+1)].Proof.elim: d => [|d IHd] /= in ctu ctr gtu *. move Dctrr: (GtrCons _ ctr _) => ctrr [[ctu_ok Dctu] Dctr Dgtr Dgtu closedP]. move: (gtree_restrict_partition gtu ctrr) (gtree_mem0_restrict gtu ctrr). case: (gtree_restrict gtu ctrr) => gtr gtu' /= Pgt Pgtr. split=> [|sz [ctu_lt_sz ctr_closed]]. split=> // [|w gt_w | w gt_w | w gt'w Dw]; first split=> // et.
… 94 lines …Qed.
Small scale reflection for Peano
• Set
• So:– 0 <= m is true– m < 0 is false– m < n.+1 ≡ m.+1 <= n.+1 is m <= n.
• Works with if, &&, size : seq T -> nat, …
Definition leq m n := m – n == 0.Notation “m <= n“ := (leq m n).Notation “m < n“ := (m.+1 <= n).
Reflection: bool vs. Prop
boolconcrete
computable
Propabstractprovable
_ = true
unstructured proofstruth tables
structured proofsdeduction rules
b1 && b2 P1 /\ P2
b1 b2 b1 && b2 T T T T F F F T F F F F
P1 P2P1 /\ P2
b1 /\ b2andP
≝ if b1 then b2 else false
b1 b2b1 /\ b2
Text to formal text Theorem Ptype_embedding : forall M K, M \in 'M_'P -> \kappa(M).-Hall(M) K -> exists2 Mstar, Mstar \in 'M_'P /\ gval Mstar \notin M :^: G & let Kstar := 'C_(M`_\sigma)(K) in let Z := K <*> Kstar in let Zhat := Z :\: (K :|: Kstar) in [/\ (*a*) {in 'E^1(K), forall X, 'M('C(X)) = [set Mstar]}, (*b*) \kappa(Mstar).-Hall(Mstar) Kstar /\ \sigma(M).-Hall(Mstar) Kstar, (*c*) 'C_(Mstar`_\sigma)(Kstar) = K /\ \kappa(M) =i \tau1(M), (*d*) [/\ cyclic Z, M :&: Mstar = Z, {in K^#, forall x, 'C_M[x] = Z}, {in Kstar^#, forall y, 'C_Mstar[y] =
Z} & {in K^# & Kstar^#, forall x y, 'C[x * y] = Z}]& [/\ (*e*) [/\ trivIset (Zhat :^: G), 'N(Zhat) = Z, {in ~: M, forall g, [disjoint Zhat & M :^ g]} & (#|G|%:R / 2%:R < #|class_support Zhat G|%:R :> qnum)%R ], (*f*) M \in 'M_'P2 /\ prime #|K| \/ Mstar \in 'M_'P2 /\ prime #|Kstar|, (*g*) {in 'M_'P, forall H, gval H \in M :^: G :|: Mstar :^: G} & (*h*) M^`(1) ><| K = M]].
Parametric overloading
• Generic product:
x * y
Structure gType := GroupType { gSort : Type; mulg : gSort → gSort →gSort; ...}
Variables (gT : gType) (x y : gSort gT).Infix “*“ := (mulg _).
mulg ?1 x y.
≡ gSort TgSort ?1
T
T
Coercion gSort : gType >-> Sortclass.
Ad hoc retrofitting
• Specific product
coset H x * coset H y
gSort ?1 ≡ coset_of H
fun gT => let: gType T _ … := gT in T
Definition coset_gType H := GType (coset_of H) ....
Canonical coset_gType.
gSort (coset_gType H) ≡ coset_of H
≡ mulg (coset_gType H) …
Algebra interface hierarchyEquality
Choice
Ring
UnitRingComRing
Zmodule
ComUnitRing
Lmodule
AlgebraVector
Falgebra
Addidive
Rmorphism Linear
LRmorphism
Nested class structuresFinGroup.type
Finite.type
sort
mulg, ...
enum, ...mixin
mixin
FinGroup.classsort Finite.type
sort
enum, ...class =mixin
gT ≡ FinGroup.sort gT
Coercion FinGroup.finType
Canonical Finroup.finType
FinGroup.finType
≡ Finite.sort (FinGroup.finType gT)
Linear operator interface
• Encapsulate f (λv) = λ(f v) Module Linear.Section ClassDef.Variables (R : ringType) (U V : lmodType R).Definition mixin_of (f : U -> V) := forall a, {morph f : u / a *: u}.Record class_of f : Prop := Class {base : additive f; mixin : mixin_of f}.Structure map := Pack {apply :> U -> V; class : class_of apply}.Structure additive cT := Additive (base (class cT)).End Linear.
General linear operators
• Encapsulate f (λv) = λσ(f v) Module Linear….Variables (R : ringType) (U : lmodType R) (V : zmodType).Variable (s : R -> V -> V). Definition mixin_of (f : U -> V) := forall a, {morph f : u / a *: u >-> s a u}.Record class_of f : Prop := Class {base : additive f; mixin : mixin_of f}.Structure map := Pack {apply :> Type; class : class_of apply}.…
(* horner_morph mulCx_nu P := (map nu P).[x] *)Fact …: scalable_for (nu \; *%R) (horner_morph mulCx_nu).
General linearity
• Rewrite f (λv) = λσ(f v) in both directionsVariables (R : ringType) (U : lmodType R) (V : zmodType).Variables (s : R -> V -> V) (S : ringType) (h : S -> V -> V).Variable h_law : Scale.law h.
Lemma linearZ c a (h_c := Scale.op h_law c) (f : Linear.map_for U s a h_c) u : f (a *: u) = h_c (Linear.wrap f u).
Interfacing matricesboolEquality
nat
seq
Finite 'I_nbigop Ei
i ←r & P(i)
Choice
Zmodule
Ring
ComRing
Field
{ffun D -> R}
matrix‘M[R]_(m, n)
Inductive matrix := Matrix of {ffun 'I_m * 'I_n -> R}.
• In math:
S = A + ∑i Bi is direct
iff rank S = rank A + ∑i rank Bi
• In Coq:
Lemma mxdirectP :
forall n (S : 'M_n) (E : mxsum_expr S S),
reflect (\rank E = mxsum_rank E) (mxdirect E).
• This is generic in the shape of S
Direct sums
Circular inequalities
have Bfree_if: forall ZxH, ZxH \in clPqH^# -> \rank <<B (b ZxH)>> <= #|ZxH| ?= iff row_free (B (b ZxH)) by…have B1_if: \rank <<B (b 1%g)>> <= 1 ?= iff (<<B (b 1%g)>> == mxvec 1%:M)%MS by …have rankEP: \rank (1%:M : 'A[F]_q) = (\sum_(ZxH \in clPqH) #|ZxH|)%N by ...have cl1: 1%g \in clPqH by …have{B1_if Bfree_if}:= leqif_add B1_if (leqif_sum Bfree_if).case/(leqif_trans (mxrank_sum_leqif _)) => _ /=.rewrite -{1}(big_setD1 _ cl1) sumB {}rankEP (big_setD1 1%g) // cards1 eqxx.move/esym; case/and3P=> dxB; move/eqmxP=> defB1; move/forall_inP=> /= Bfree.
Lemma leqif_trans : forall m1 m2 m3 c1 c2, m1 <= m2 ?= iff c1 -> m2 <= m3 ?= iff c2 -> m1 <= m3 ?= iff c1 && c2.
Lemma leqif_add : forall m1 n1 c1 m2 n2 c2, m1 <= n1 ?= iff c1 -> m2 <= n2 ?= iff c2 -> m1 + m2 <= n1 + n2 ?= iff c1 && c2.
Lemma mxrank_sum_leqif : forall m n (S : mxsum_expr m n), \rank (unwrap S) <= unwrap (mxsum_rank S) ?= iff mxdirect (unwrap S).
Bfree_if : forall ZxH : {set coset_of Z}, ZxH \in clPqH^# -> \rank <<B (b ZxH)>> <= #|ZxH| ?= iff row_free (B (b ZxH)) B1_if : \rank <<B (b 1%g)>> <= 1 ?= iff (<<B (b 1%g)>> == mxvec 1%:M)%MS rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH
============================ ...
rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================\rank <<B (b 1%g)>> + \sum_(i \in clPqH^#) \rank <<B (b i)>> <= 1 + \sum_(i \in clPqH^#) #|i| ?= iff (<<B (b 1%g)>> == mxvec 1%:M)%MS && (forallb i, (i \in clPqH^#) ==> row_free (B (b i))) ->
…
rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================ (\rank (<<B (b 1%g)>> + \sum_(i \in clPqH^#) <<B (b i)>>) == (1 + \sum_(i \in clPqH^#) #|i|)%N) = [&& mxdirect (<<B (b 1%g)>> + \sum_(i \in clPqH^#) <<B (b i)>>), (<<B (b 1%g)>> == mxvec 1%:M)%MS & forallb i, (i \in clPqH^#) ==> row_free (B (b i))] ->
…
rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================ true = [&& mxdirect (<<B (b 1%g)>> + \sum_(i \in clPqH^#) <<B (b i)>>), (<<B (b 1%g)>> == mxvec 1%:M)%MS & forallb i, (i \in clPqH^#) ==> row_free (B (b i))] ->
…
rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH dxB : mxdirect (<<B (b 1%g)>> + \sum_(i \in clPqH^#) <<B (b i)>>) defB1 : (<<B (b 1%g)>> :=: mxvec 1%:M)%MS Bfree : forall x : {set coset_of Z}, x \in clPqH^# -> row_free (B (b x)) ============================
…
Presentations
• D2n ≈ Grp (x, y : x2n-1, y2, xy = x-1)
• SD2n ≈ Grp (x, y : x2n-1, y2, xy = x2n-2-1)
• Q2n ≈ Grp (x, y : x2n-1, y2 = x2n-2, xy = x-1)
Lemma Grp_dihedral : 'D_m \isog Grp (x : y : (x ^+ q, y ^+ 2, x ^ y = x^-1)).
... but this is not constructive (Post) !
• In the Feit-Thompson proof of the Odd Order theorem, one need to extend an isometry from a submodule of the virtual characters of to those of , to all characters of .
• Characters are traces of ℂ matrix representations. Here so characters in are -roots of unity.
Coprime cycle coherence
• The submodule is generated by 1 and the ; set .
• Is the obvious solution
unique?
A dot product matrix puzzle
𝛽𝑖𝑗
𝛽1 𝑗
𝛽𝑖1
𝛽11=1
=1= 0
=3
Medium scale reflection
Definition sym_match s th1 th2 := let: Sym si sj sk := s in let: (ri, rj, rk) := (th_bbox th1, th_dim th1) in let is_sym r s := uniq s && all (gtn r) s in let match_cl cl2 := let: (i2, j2, kvs2) := cl2 in let ij := (nth ri si i2, nth rj sj j2) in let match_lit kvs1 kv := (nth rk sk kv.1, kv.2) \in kvs1 in let match_cl1 cl1 := let: (ij1, kvs1) := cl1 in (ij1 == ij) && all (match_lit kvs1) kvs2 in uniq (unzip1 kvs2) && has match_cl1 th1 in [&& is_sym ri si, is_sym rj sj, is_sym rk sk & all match_cl th2].
• Reflection is a versatile theorem proving technique.
• Reflection takes different forms for different problem sizes.
• Internal reflection can work even at large scale.
• Shallow embeddings work well at small scale.
Conclusions
