Reflection in Practice

Document Sample

```					Internal Deduction and
Decision Procedures of
the Four Colour Theorem

Georges Gonthier
Microsoft Research Cambridge
Joint Inria-Microsoft Research Center
150 years of history…
   1852 Conjecture (Guthrie → DeMorgan)
   1878 Publication (Cayley)
   1879 First proof (Kempe)
   1880 Second proof (Tait)
   1890 Rebuttal (Heawood)
   1891 Second rebuttal (Petersen)
   1913 Reducibility, connexity (Birkhoff)
   1922 Up to 25 regions (Franklin)
   1969 Discharging (Heesch)
   1976 Computer proof (Appel & Haken)
   1995 Streamlining (Robertson & al.)
   2005 Coq proof (Gonthier)


Script lines distribution

glue (14k)
proofs(17k)

definitions
• no ML code!             theorems
(4k)
• no user tactics!           (4k)


Computational reflection

t : term ⊦ f(t) = v → φ(t)

effective               fixed        logical
function                value       predicate

Replace deduction with computation.
Switch between reasoning about objects,
and reasoning about symbols.
Internalize deduction and decision procedures.


Reflection at every scale

 Large scale: decision procedure
→ reducibility proof
 Medium scale: deduction procedure

→ unavoidability proof
 Small scale: clerical operations

→ boolean connectives


Cons and Pros

   Slower execution        Reduced trust
   Reimplementation        Domain knowledge
   Correctness proofs      Natural encoding
   Limited language        No witnesses


Outline

 The Four Colour Theorem proof
 A Domain Specific model checker

 DS abstract interpretation

 A DS solver


Cubic maps

Euler formula
#sidesN=–6E = 2
2E/R
R+       - 12/R
the world’s a football


Colouring by induction

Configuration

ring
reducible


The proof in a nutshell

 Find a set of configurations such that:
(A) reducibility: Each one can be
coloured to match any planar ring
colouring.
(B) unavoidability: At least one
appears in any planar map.
 Verify that the combinatorics fit the
topology (graph theory + analysis).


Procedures of all kind

   Reducibility:
   Model checking (MDDs)
   Configurations:
   Abstract interpretation (code, trees)
   Unavoidability
   Solving & matching (intervals, zippers,
tries, alpha-beta)


Outline

 The Four Colour Theorem proof
 A Domain Specific model checker

 DS abstract interpretation

 A DS solver


Reflecting reducibility

   Setup
Variable cf : config.
Definition cfreducible : Prop := …
Definition check_reducible : bool := …
Lemma check_reducible_valid : check_reducible -> cfreducible.

   Usage
Lemma cfred232 : cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10
H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y).
Proof. apply check_reducible_valid; by compute. Qed.


Border colouring (Tait 1880)


Chord flips (Kempe 1879)
chromogram

colouring

•   )0

(                    •

)1

(
•


The reducibility game

configuration

erase borders           flip chords           flip chords
MATCH
(contract)           swap colours          swap colours

colour (rec)             recolour              recolour
get chords              get chords            get chords

context


Model checking colourings
winning
colourings
all        Ξ                                 Λ       all
0                 1                0

                Λi


flip            restrict Λ

Ξi                                Λi+
Λ                 1

compare with
Yes
any ?                                   Ξ, Λ      contract
D-reducible
colourings
No                No            No

decrement Ξ

Ξi+1                  
winning
Ξ        colourings

-1         swap
kempe


Coq code
Definition ktc_step closure kr :=
let: (ctu, gtp) := kr in
if ctree_empty ctu then kr else
let: Gtree_pair gtr gtu := gtp in
if gtree_empty gtr then kr else
if gtree_empty gtu then (Ctree_empty, empty_gtree_pair) else
let: Ctree_pair ctu' ctr :=
ctree_restrict h ctu (Ctr_some Bstack0 gtr Ctr_none) in
closure ctu' (ctree_rotlr ctr) gtu.

Definition ktc_step2c step (closure : ktc_fun) ctu ctr gtu :=
step (step (closure ctu ctr gtu)).

Definition ktc_dostep2c closure :=
ktc_step2c (ktc_step closure) closure.

Fixpoint kempe_tree_closure (d : nat) : ktc_fun :=
if d is S d' then ktc_dostep2c (kempe_tree_closure d') else
fun ctu ctr gtu =>
(ctu, gtree_restrict gtu (Gtr_some Bstack0 ctr Gtr_none)).


Decision trees

( •

( • )0 )1 (
( )1 • )1 • (    )0
3    3   17   4 6   1


More Coq code
Fixpoint ctree_restrict
(h : nat) (t : ctree) (r : ctree_restriction) {struct h}
: ctree_pair :=
match r, h, t with
| Ctr_none, _, _ =>
Ctree_pair t Ctree_empty
| _, S h', Ctree_node t1 t2 t3 =>
let rh' := ctree_restrict h' in
let rk r1 r2 r3 :=
ctree_cons_pairs (rh' t1 r1) (rh' t2 r2) (rh' t3 r3) in
ctr_split rk Ctr_none Ctr_none Ctr_none r
| _, O, Ctree_node lf1 lf2 lf3 =>
ctr_decr (ctree_leaf_pair lf1 lf2 lf3) lf1 lf2 lf3 r
| _, _, _ =>
ctree_empty_pair
end.


A correctness proof
Lemma cdecr_leaf : forall e lf1 lf2 lf3 r,
let t := ctree_cons lf1 lf2 lf3 in
let et := seq1 e in
ctree_proper 1 t ->
cdecr e lf1 lf2 lf3 r = ctree_leaf_of (ctree_sub t et - ctr_sub r et).
Proof.
move=> e lf1 lf2 lf3 r /= Ht.
elim: r => [|bs t r Hrec] in lf1 lf2 lf3 Ht |- *;
move: {Ht}(ctree_proper_leaf_of_val (ctree_proper_sel _ Ht)) => Hlf.
rewrite /= subn0 ctree_sub_cons.
by case: e (Hlf e); rewrite ctree_sel_cons.
rewrite /cdecr !ctr_decr_some -/(cdecr e) {}Hrec /=.
congr ctree_leaf_of; move: {Hlf}(Hlf e).
move: (ctree_sub (ctree_sel (ctree_cons lf1 lf2 lf3) e) seq0) => m.
rewrite ctree_sel_cons 2!ctree_sub_cons.
by case: e => //= Dlf;
rewrite /ctr_e_decr Dlf ctree_val_decr !ctree_sub_leaf_of -subn_sub.
apply ctree_cons_proper;
[ move: (Hlf Color1) | move: (Hlf Color2) | move: (Hlf Color3) ];
rewrite ctree_sel_cons /= => Dlf;
rewrite /ctr_e_decr Dlf ctree_val_decr; exact: ctree_leaf_of_proper.
Qed.


Assessment

   iterators instead of loops
   no caching
   no reordereing
   no sharing (except near leaves)
   longer code, shorter proofs
   performance:
C     Ocaml     8.0     8.1
1       x3     x320     x10


Outline

 The Four Colour Theorem proof
 A Domain Specific model checker

 DS abstract interpretation

 A DS solver


Interpreting configurations

 Configurations are encoded as a
construction program
 The mathematical semantics is given
by a standard interpretation
 The decision procedures use
nonstandard interpretations to extract
information


Building configurations

ring     ring       ring      ring

j

…

start   Rj step   Y step    H step

ring      ring     ring

U step    K step   A step


Building a square
H R3 Y Y

H
R3
start

Y

Y


Configuration semantics
A step   ring
start

ring

U step
K step     ring

ring


Colouring interpretation
b      c        c     bc               b

b                       b       c       b     c       c

U step            K step (b≠c)          A step

±1b           ∓1b         c       b       ±1b     ±1b

b                b       c         b        b

Y step           H step (b≠c)          H step


Contract interpretation
ring      ring      ring

no step   no step   U step

ring      ring      ring      ring     ring

K step    K step    no step   Y step   Y step

ring      ring      ring      ring

A step    no step   no step   U step


Coq code
Definition cpcolor1 s (f : colseq -> ctree) (et : colseq) :=
let f2 c et' := f (Seq c c & et') in
match s, et with
| CpR n, _ =>
f (rot n et)
| CpR', _ =>
if size et <= 1 then Ctree_empty else f (rotr 1 et)
| CpU, _ =>
ctree_union (f2 Color1 et) (ctree_union (f2 Color2 et) (f2 Color3 et))
| CpK, (Seq e1 e2 & et') =>
if e1 =d e2 then Ctree_empty else f (Adds (e1 +c e2) et')
| CpY, (Seq e1 & et') =>
let e2 := Eperm231 e1 in let e3 := Eperm312 e1 in
ctree_union (f (Seq e2 e3 & et')) (f (Seq e3 e2 & et'))
| CpH, (Seq e1 e2 & et') =>
if e1 =d e2 then
ctree_union (f2 (Eperm231 e1) et') (f2 (Eperm312 e1) et')
else f (Seq e2 e1 & et')
| CpA, (Seq e1 e2 & et') =>
if e1 =d e2 then f (if et' is Seq0 then et else et') else Ctree_empty
| _, _ => Ctree_empty
end.


Matching configurations


Spanning interpretation

kernel             kernel             kernel                kernel

outer                      outer             outer
ring                       ring              ring

kernel             kernel                               kernel       outer
kernel
ring
outer            kernel
ring


Assessment

 Code provides induction for
interpretation and proofs.
 Short programs.

 Long proofs (700 lines for cfcontract),
due to complex semantics.


Outline

 The Four Colour Theorem proof
 A Domain Specific model checker

 DS abstract interpretation

 A DS solver


Finding configurations

 Any non-trivial ring < 6 defines reducible
configurations (Birkhoff, 1913)
 If there are no small rings, then all 2-
neighborhoods are double rings

look for configurations
in 2-neighborhoods with
a low average arity


Parts and subparts
subpart   a part is a (zipper) list of subparts
[6+]      hat [6]           fan
[6]
fan
[5]
spoke
[5]         spoke
[5+]
[7]           hat [6]

[5+]                             spoke           [6+]
hub [8]
[6]                     parts are used:
[5+]                 [6-7]             [5+]            • to enumerate 2-neighbourhoods
[5-6]
• to specify arity averaging rules


Subpart semantics
spoke
spoke                                    hub                       ur
u

ul           u

hl                                                          ul
u

ur
h
ur
hat                       hr                            ul                       spoke

f0r                               spoke
hr
hl

f2l
h                             left step
f1l
f0r             right step
fan           f1r                                      f0l        fan                           subpart
f1l                f2r
unreachable dart
fan


Part algorithms

 Part match: fold interval merge
 Config match: walk spanning trees

 Config search: Davis-Putnam
enumeration of face triples
 Hub arity cap: Davis-Putnam
enumeration of part with alpha-beta
pruning


Coq code
Fixpoint check_dbound1_rec
(p : part) (rs : drules) (ns m : nat) {struct m}
: bool :=
if m is S m' then
if rs is Adds r rs' then
if size rs' < ns then true else
let p' := meet_part p r in
(let: SortDrules dns rs'' := sort_drules p' rs' in
if ns - dns is S ns' then check_dbound1_rec p' rs''
ns' m' else redp p')
&& check_dbound1_rec p rs' ns m'
else true
else false.

Definition check_dbound1 p ns :=
let: DruleFork rs _ _ := rf in
check_dbound1_rec p rs ns (size rs + 1).


Correctness theorems

(* Reducible. *)
Lemma succeed_by_reducibility : redpart qt p -> succeeds_in p0 p.

(* Hubcap T[j1,j2]<=b1 ... [] *)
Lemma succeed_by_hubcap :
let n := size_part p in
hubcap_cover n hc && hubcap_fit (redpart qt) (rf n) p hc ->
succeeds_in p0 p.

(* Pcase Ln_m: i[j] <= k. or Pcase Ln_m: i[j] > k. *)
Lemma succeed_by_split :
let pl := split_part i j k lo p in
let pr := split_part i j k (negb lo) p in
let p0l :=
if good_split i j k p0 then split_part i j k lo p0 else pl in
good_split i j k p -> succeeds_in p0l pl ->
(successful p0l -> succeeds_in p0 pr) -> succeeds_in p0 p.


Domain-specific tactics
Lemma exclude6 : reducibility -> excluded_arity 6.
Hred : reducibility
L3_1
Proof. : successful [] 7+ [] 6+ [] 7+ [] * [] * [] 7+ []
============================
move=> Hred; Presentation.
Check [] s[1] > []
Pcase L0_1: 7+ [] 6+ 6. 7+ [] * [] 6- [] 6- []
in [] 7+ s[3] [] 7+
Pcase L1_1: [] 6+ > 6. [] * [] * [] * []
...
Pcase: s[2] > 5.
> Pcase: s[4] > 6.
Pcase: s[5] > 6.
Hred : Pcase: s[4] > 5.
reducibility
Pcase: s[6] > []
L3_1 : successful [] 7+ 5. 6+ [] 7+ [] * [] * [] 7+ []
Hubcap T[1,2]<=0
============================ T[3,5]<=0 T[4,6]<=0 [].
7+ [] T[1,2]<=(-1) [] 6- [] 6- T[4,6]<=2 [].
Check []Hubcap 6+ [] 7+ [] 7+ T[3,5]<=(-1)[]
[] 7+ s[6] > 7+
in Pcase:[] 6+ [] 5. [] 7+ [] * [] * []
Hubcap T[1,2]<=0 T[3,5]<=(-2) T[4,6]<=2 [].
is:
subgoal 2Hubcap T[1,2]<=(-1) T[3,5]<=(-3) T[4,6]<=4 [].
[] 7+ L3_1: s[6] [] 6-
Check Pcase [] 6+ [] 7+ > 6. [] 6- [] 6- []
7+ [] s[4] 7+ []
in []Pcase: 6+ [] > 6. * [] * [] * []
...        Pcase: s[5] > 5.
Hubcap T[1,2]<=0 T[3,5]<=0 T[4,6]<=0 [].
Hubcap T[1,2]<=0 T[3,5]<=2 T[4,6]<=(-2) [].
...


Assessment

 Short algorithms, shallow programs
 Short proofs

 Interactive response time

 Ocaml time ≈ C time (better matching)

 Partial tactics ⇒ incompleteness bugs


Some conclusions

 Reflection provides effective proof
automation at all levels of reasoning.
 Sophisticated decision procedures
can be cast as functional programs.
 Domain knowledge can help run time
and decrease recoding effort.
 Correcteness proofs are typically
easy.



```
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
 views: 1 posted: 8/24/2011 language: English pages: 43
kala22