Georges Gonthier Reflection, of all shapes and sizes
What is reflection? Computing/reasoning with text rather than mathematical objects. Add(Pow(Var “x”, 2), …)Add(Pow(Add …, 2), 1) quotation interpretation computation reflection
The many sizes of reflection Large scale: prove lemma/assertion –Computer Algebra: ring tactic, SOS –4CT reducibility, Flyspeck tame graphs, … Medium scale: perform major proof step –4CT unavoidability, coprime cycle coherence Small scale: minor proof step, notation –Peano arithmetic, Boolean evaluation –Algebraic overloading, lemma overloading
Interpretation Usually internal (interpreter in theory) Validation requires interpretation of a justification trail, except –If the output is not directly related to the input (medium-scale reflection). –If the computation is internal, and proved correct (not as hard as it is believed to be). –The output can be validated directly, e.g., algebra, linear optimization.
Computation For big-scale reflection, often external for performance reasons. Internal computation is “safer” in that it limits TCB (iterates computation). Performance can be recovered by specialized/simplified algorithms. Trust can be recovered from evidence trails.
Quotation The “essence” of reflection; often external. Generic support conflicts with abstraction. Not needed if the formal objects are syntactic (Booleans, Peano integers). Not needed if the formalization includes interpretation. Can be done with syntax overloading. Can be done with type unification.
Large-scale reflection: reducibility Setup Variable cf : config. Definition cfreducible : Prop := … Definition check_reducible : bool := … Lemma check_reducible_valid : check_reducible -> cfreducible. Usage Lemma cfred232 : cfreducible (Config H 2 H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y). Proof. apply check_reducible_valid; by compute. Qed. 20,000,000 cases
Internal decision procedure Definition ktc_step closure kr := let: (ctu, gtp) := kr in if ctree_empty ctu then kr else let: GtreePair gtr gtu := gtp in if gtree_empty gtr then kr else if gtree_empty gtu then (CtreeEmpty, empty_gtree_pair) else let: CtreePair ctu' ctr := ctree_restrict h ctu (CtrCons Bstack0 gtr CtrNil) in closure ctu' (ctree_rotlr ctr) gtu. Definition ktc_step2c step (closure : ktc_fun) ctu ctr gtu := step (step (closure ctu ctr gtu)). Definition ktc_dostep2c closure := ktc_step2c (ktc_step closure) closure. Fixpoint Kempe_tree_closure d : ktc_fun := if d is d'.+1 then ktc_dostep2c (Kempe_tree_closure d') else fun ctu ctr gtu => (ctu, gtree_restrict gtu (GtrCons Bstack0 ctr GtrNil)). Theorem Kempe_tree_closure_correct d ctu ctr gtu : let ktr0 Q := Q ctu ctr GtreeEmpty gtu in let ktrp := ktr_prop (Kempe_tree_closure d ctu ctr gtu) in ktr0 Kempe_valid -> [/\ ktrp Kempe_valid & forall sz, ktr0 (Kempe_complete (3 ^ d + sz)) -> ktrp (Kempe_complete sz.+1)]. Proof. elim: d => [|d IHd] /= in ctu ctr gtu *. move Dctrr: (GtrCons _ ctr _) => ctrr [[ctu_ok Dctu] Dctr Dgtr Dgtu closedP]. move: (gtree_restrict_partition gtu ctrr) (gtree_mem0_restrict gtu ctrr). case: (gtree_restrict gtu ctrr) => gtr gtu' /= Pgt Pgtr. split=> [|sz [ctu_lt_sz ctr_closed]]. split=> // [|w gt_w | w gt_w | w gt'w Dw]; first split=> // et. … 94 lines … Qed.
Small scale reflection for Peano Set So: –0 <= m is true –m < 0 is false –m < n.+1 ≡ m.+1 <= n.+1 is m <= n. Works with if, &&, size : seq T -> nat, … Definition leq m n := m – n == 0. Notation “m <= n“ := (leq m n). Notation “m < n“ := (m.+1 <= n).
Reflection: bool vs. Prop bool concrete computable Prop abstract provable _ = true unstructured proofs truth tables structured proofs deduction rules b1 && b2 P1 /\ P2 b1 b2 b1 && b2 T T T T F F F T F F F F P1 P2 P1 /\ P2 b1 /\ b2 andP ≝ if b1 then b2 else false b1 b2 b1 /\ b2
Text to formal text Theorem Ptype_embedding : forall M K, M \in 'M_'P -> \kappa(M).-Hall(M) K -> exists2 Mstar, Mstar \in 'M_'P /\ gval Mstar \notin M :^: G & let Kstar := 'C_(M`_\sigma)(K) in let Z := K Kstar in let Zhat := Z :\: (K :|: Kstar) in [/\ (*a*) {in 'E^1(K), forall X, 'M('C(X)) = [set Mstar]}, (*b*) \kappa(Mstar).-Hall(Mstar) Kstar /\ \sigma(M).-Hall(Mstar) Kstar, (*c*) 'C_(Mstar`_\sigma)(Kstar) = K /\ \kappa(M) =i \tau1(M), (*d*) [/\ cyclic Z, M :&: Mstar = Z, {in K^#, forall x, 'C_M[x] = Z}, {in Kstar^#, forall y, 'C_Mstar[y] = Z} & {in K^# & Kstar^#, forall x y, 'C[x * y] = Z}] & [/\ (*e*) [/\ trivIset (Zhat :^: G), 'N(Zhat) = Z, {in ~: M, forall g, [disjoint Zhat & M :^ g]} & (#|G|%:R / 2%:R qnum)%R ], (*f*) M \in 'M_'P2 /\ prime #|K| \/ Mstar \in 'M_'P2 /\ prime #|Kstar|, (*g*) {in 'M_'P, forall H, gval H \in M :^: G :|: Mstar :^: G} & (*h*) M^`(1) ><| K = M]].
Parametric overloading Generic product: x * y Structure gType := GroupType { gSort : Type; mulg : gSort → gSort →gSort;...} Variables (gT : gType) (x y : gSort gT). Infix “*“ := (mulg _). mulg ? 1 x y. ≡ gSort T gSort ? 1 T T Coercion gSort : gType >-> Sortclass.
Ad hoc retrofitting Specific product coset H x * coset H y gSort ? 1 ≡ coset_of H fun gT => let: gType T _ … := gT in T Definition coset_gType H := GType (coset_of H).... Canonical coset_gType. gSort (coset_gType H) ≡ coset_of H ≡ mulg (coset_gType H) …
Algebra interface hierarchy Equality Choice Ring UnitRing ComRing Zmodule ComUnitRing Lmodule Algebra Vector Falgebra Addidive Rmorphism Linear LRmorphism
Nested class structures FinGroup.type Finite.type sort mulg,... enum,... mixin FinGroup.class sort Finite.type sort enum,... class =mixin gT ≡ FinGroup.sort gT Coercion FinGroup.finType Canonical Finroup.finType FinGroup.finType ≡ Finite.sort (FinGroup.finType gT)
Linear operator interface Encapsulate f (λv) = λ(f v) Module Linear. Section ClassDef. Variables (R : ringType) (U V : lmodType R). Definition mixin_of (f : U -> V) := forall a, {morph f : u / a *: u}. Record class_of f : Prop := Class {base : additive f; mixin : mixin_of f}. Structure map := Pack {apply :> U -> V; class : class_of apply}. Structure additive cT := Additive (base (class cT)). End Linear.
General linear operators Encapsulate f (λv) = λ σ (f v) Module Linear…. Variables (R : ringType) (U : lmodType R) (V : zmodType). Variable (s : R -> V -> V). Definition mixin_of (f : U -> V) := forall a, {morph f : u / a *: u >-> s a u}. Record class_of f : Prop := Class {base : additive f; mixin : mixin_of f}. Structure map := Pack {apply :> Type; class : class_of apply}. … (* horner_morph mulCx_nu P := (map nu P).[x] *) Fact …: scalable_for (nu \; *%R) (horner_morph mulCx_nu).
General linearity Rewrite f (λv) = λ σ (f v) in both directions Variables (R : ringType) (U : lmodType R) (V : zmodType). Variables (s : R -> V -> V) (S : ringType) (h : S -> V -> V). Variable h_law : Scale.law h. Lemma linearZ c a (h_c := Scale.op h_law c) (f : Linear.map_for U s a h_c) u : f (a *: u) = h_c (Linear.wrap f u).
Interfacing matrices bool Equality nat seq Finite 'I_n bigop E i i ←r & P(i) Choice Zmodule Ring ComRing Field {ffun D -> R} matrix ‘M[R]_(m, n) Inductive matrix := Matrix of {ffun 'I_m * 'I_n -> R}.
In math: S = A + ∑ i B i is direct iff rank S = rank A + ∑ i rank B i In Coq: Lemma mxdirectP : forall n (S : 'M_n) (E : mxsum_expr S S), reflect (\rank E = mxsum_rank E) (mxdirect E). This is generic in the shape of S Direct sums
Circular inequalities have Bfree_if: forall ZxH, ZxH \in clPqH^# -> \rank > <= #|ZxH| ?= iff row_free (B (b ZxH)) by… have B1_if: \rank > > == mxvec 1%:M)%MS by … have rankEP: \rank (1%:M : 'A[F]_q) = (\sum_(ZxH \in clPqH) #|ZxH|)%N by... have cl1: 1%g \in clPqH by … have{B1_if Bfree_if}:= leqif_add B1_if (leqif_sum Bfree_if). case/(leqif_trans (mxrank_sum_leqif _)) => _ /=. rewrite -{1}(big_setD1 _ cl1) sumB {}rankEP (big_setD1 1%g) // cards1 eqxx. move/esym; case/and3P=> dxB; move/eqmxP=> defB1; move/forall_inP=> /= Bfree. Lemma leqif_trans : forall m1 m2 m3 c1 c2, m1 m2 m1 <= m3 ?= iff c1 && c2. Lemma leqif_add : forall m1 n1 c1 m2 n2 c2, m1 m2 m1 + m2 <= n1 + n2 ?= iff c1 && c2. Lemma mxrank_sum_leqif : forall m n (S : mxsum_expr m n), \rank (unwrap S) <= unwrap (mxsum_rank S) ?= iff mxdirect (unwrap S). Bfree_if : forall ZxH : {set coset_of Z}, ZxH \in clPqH^# -> \rank > <= #|ZxH| ?= iff row_free (B (b ZxH)) B1_if : \rank > > == mxvec 1%:M)%MS rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================... rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================ \rank > + \sum_(i \in clPqH^#) \rank > <= 1 + \sum_(i \in clPqH^#) #|i| ?= iff ( > == mxvec 1%:M)%MS && (forallb i, (i \in clPqH^#) ==> row_free (B (b i))) -> … rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================ (\rank ( > + \sum_(i \in clPqH^#) >) == (1 + \sum_(i \in clPqH^#) #|i|)%N) = [&& mxdirect ( > + \sum_(i \in clPqH^#) >), ( > == mxvec 1%:M)%MS & forallb i, (i \in clPqH^#) ==> row_free (B (b i))] -> … rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH ============================ true = [&& mxdirect ( > + \sum_(i \in clPqH^#) >), ( > == mxvec 1%:M)%MS & forallb i, (i \in clPqH^#) ==> row_free (B (b i))] -> … rankEP : \rank 1%:M = (\sum_(ZxH \in clPqH) #|ZxH|)%N cl1 : 1%g \in clPqH dxB : mxdirect ( > + \sum_(i \in clPqH^#) >) defB1 : ( > :=: mxvec 1%:M)%MS Bfree : forall x : {set coset_of Z}, x \in clPqH^# -> row_free (B (b x)) ============================ …
Presentations D 2 n ≈ Grp (x, y : x 2 n-1, y 2, x y = x -1 ) SD 2 n ≈ Grp (x, y : x 2 n-1, y 2, x y = x 2 n-2 -1 ) Q 2 n ≈ Grp (x, y : x 2 n-1, y 2 = x 2 n-2, x y = x -1 ) Lemma Grp_dihedral : 'D_m \isog Grp (x : y : (x ^+ q, y ^+ 2, x ^ y = x^-1)).... but this is not constructive (Post) !
Coprime cycle coherence
A dot product matrix puzzle
Medium scale reflection Definition sym_match s th1 th2 := let: Sym si sj sk := s in let: (ri, rj, rk) := (th_bbox th1, th_dim th1) in let is_sym r s := uniq s && all (gtn r) s in let match_cl cl2 := let: (i2, j2, kvs2) := cl2 in let ij := (nth ri si i2, nth rj sj j2) in let match_lit kvs1 kv := (nth rk sk kv.1, kv.2) \in kvs1 in let match_cl1 cl1 := let: (ij1, kvs1) := cl1 in (ij1 == ij) && all (match_lit kvs1) kvs2 in uniq (unzip1 kvs2) && has match_cl1 th1 in [&& is_sym ri si, is_sym rj sj, is_sym rk sk & all match_cl th2].
Reflection is a versatile theorem proving technique. Reflection takes different forms for different problem sizes. Internal reflection can work even at large scale. Shallow embeddings work well at small scale. Conclusions