Docstoc

Reflection in Practice

Document Sample
Reflection in Practice Powered By Docstoc
					Internal Deduction and
Decision Procedures of
the Four Colour Theorem

Georges Gonthier
Microsoft Research Cambridge
Joint Inria-Microsoft Research Center
150 years of history…
   1852 Conjecture (Guthrie → DeMorgan)
   1878 Publication (Cayley)
   1879 First proof (Kempe)
   1880 Second proof (Tait)
   1890 Rebuttal (Heawood)
   1891 Second rebuttal (Petersen)
   1913 Reducibility, connexity (Birkhoff)
   1922 Up to 25 regions (Franklin)
   1969 Discharging (Heesch)
   1976 Computer proof (Appel & Haken)
   1995 Streamlining (Robertson & al.)
   2005 Coq proof (Gonthier)




                                              
  Script lines distribution



                                      glue (14k)
            proofs(17k)



                                   definitions
• no ML code!             theorems
                                       (4k)
• no user tactics!           (4k)




                                                   
Computational reflection

          t : term ⊦ f(t) = v → φ(t)


   effective               fixed        logical
   function                value       predicate




Replace deduction with computation.
Switch between reasoning about objects,
and reasoning about symbols.
Internalize deduction and decision procedures.

                                                   
Reflection at every scale

 Large scale: decision procedure
→ reducibility proof
 Medium scale: deduction procedure

→ unavoidability proof
 Small scale: clerical operations

→ boolean connectives



                                      
Cons and Pros

   Slower execution        Reduced trust
   Reimplementation        Domain knowledge
   Correctness proofs      Natural encoding
   Limited language        No witnesses




                                           
Outline

 The Four Colour Theorem proof
 A Domain Specific model checker

 DS abstract interpretation

 A DS solver




                                    
     Cubic maps




Euler formula
#sidesN=–6E = 2
 2E/R
  R+       - 12/R
 the world’s a football

                          
Colouring by induction

             Configuration




             ring
                        reducible




                                    
The proof in a nutshell

 Find a set of configurations such that:
  (A) reducibility: Each one can be
  coloured to match any planar ring
  colouring.
  (B) unavoidability: At least one
  appears in any planar map.
 Verify that the combinatorics fit the
  topology (graph theory + analysis).

                                        
Procedures of all kind

   Reducibility:
       Model checking (MDDs)
   Configurations:
       Abstract interpretation (code, trees)
   Unavoidability
       Solving & matching (intervals, zippers,
        tries, alpha-beta)


                                                
Outline

 The Four Colour Theorem proof
 A Domain Specific model checker

 DS abstract interpretation

 A DS solver




                                    
    Reflecting reducibility

   Setup
    Variable cf : config.
    Definition cfreducible : Prop := …
    Definition check_reducible : bool := …
    Lemma check_reducible_valid : check_reducible -> cfreducible.

   Usage
    Lemma cfred232 : cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10
      H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y).
    Proof. apply check_reducible_valid; by compute. Qed.




                                                                       
Border colouring (Tait 1880)




                           
        Chord flips (Kempe 1879)
chromogram

 colouring



                          •   )0

                  (                    •

             )1


                                   (
                      •


                                           
      The reducibility game

                           configuration

erase borders           flip chords           flip chords
                                                                   MATCH
  (contract)           swap colours          swap colours




        colour (rec)             recolour              recolour
        get chords              get chords            get chords


                              context


                                                                           
Model checking colourings
                            winning
                           colourings
      all        Ξ                                 Λ       all
                 0                 1                0




                                                   Λi
                                   

                       flip            restrict Λ


                 Ξi                                Λi+
                                   Λ                 1

                                                                               compare with
                                                          Yes
                               any ?                                   Ξ, Λ      contract
                                                                               D-reducible
                                                                                 colourings
            No                No            No


                     decrement Ξ


             Ξi+1                  
                                             winning
                                   Ξ        colourings

                               -1         swap
                                                                kempe




                                                                                              
Coq code
Definition ktc_step closure kr :=
  let: (ctu, gtp) := kr in
  if ctree_empty ctu then kr else
  let: Gtree_pair gtr gtu := gtp in
  if gtree_empty gtr then kr else
  if gtree_empty gtu then (Ctree_empty, empty_gtree_pair) else
  let: Ctree_pair ctu' ctr :=
    ctree_restrict h ctu (Ctr_some Bstack0 gtr Ctr_none) in
  closure ctu' (ctree_rotlr ctr) gtu.

Definition ktc_step2c step (closure : ktc_fun) ctu ctr gtu :=
  step (step (closure ctu ctr gtu)).

Definition ktc_dostep2c closure :=
  ktc_step2c (ktc_step closure) closure.

Fixpoint kempe_tree_closure (d : nat) : ktc_fun :=
  if d is S d' then ktc_dostep2c (kempe_tree_closure d') else
  fun ctu ctr gtu =>
   (ctu, gtree_restrict gtu (Gtr_some Bstack0 ctr Gtr_none)).


                                                                
    Decision trees


                                 ( •

                           ( • )0 )1 (
                        ( )1 • )1 • (    )0
3    3   17   4 6   1




                                              
More Coq code
Fixpoint ctree_restrict
   (h : nat) (t : ctree) (r : ctree_restriction) {struct h}
  : ctree_pair :=
  match r, h, t with
  | Ctr_none, _, _ =>
    Ctree_pair t Ctree_empty
  | _, S h', Ctree_node t1 t2 t3 =>
    let rh' := ctree_restrict h' in
    let rk r1 r2 r3 :=
      ctree_cons_pairs (rh' t1 r1) (rh' t2 r2) (rh' t3 r3) in
    ctr_split rk Ctr_none Ctr_none Ctr_none r
  | _, O, Ctree_node lf1 lf2 lf3 =>
    ctr_decr (ctree_leaf_pair lf1 lf2 lf3) lf1 lf2 lf3 r
  | _, _, _ =>
    ctree_empty_pair
  end.




                                                                
A correctness proof
Lemma cdecr_leaf : forall e lf1 lf2 lf3 r,
 let t := ctree_cons lf1 lf2 lf3 in
 let et := seq1 e in
 ctree_proper 1 t ->
   cdecr e lf1 lf2 lf3 r = ctree_leaf_of (ctree_sub t et - ctr_sub r et).
Proof.
move=> e lf1 lf2 lf3 r /= Ht.
elim: r => [|bs t r Hrec] in lf1 lf2 lf3 Ht |- *;
  move: {Ht}(ctree_proper_leaf_of_val (ctree_proper_sel _ Ht)) => Hlf.
  rewrite /= subn0 ctree_sub_cons.
  by case: e (Hlf e); rewrite ctree_sel_cons.
rewrite /cdecr !ctr_decr_some -/(cdecr e) {}Hrec /=.
congr ctree_leaf_of; move: {Hlf}(Hlf e).
  move: (ctree_sub (ctree_sel (ctree_cons lf1 lf2 lf3) e) seq0) => m.
  rewrite ctree_sel_cons 2!ctree_sub_cons.
  by case: e => //= Dlf;
     rewrite /ctr_e_decr Dlf ctree_val_decr !ctree_sub_leaf_of -subn_sub.
apply ctree_cons_proper;
 [ move: (Hlf Color1) | move: (Hlf Color2) | move: (Hlf Color3) ];
 rewrite ctree_sel_cons /= => Dlf;
 rewrite /ctr_e_decr Dlf ctree_val_decr; exact: ctree_leaf_of_proper.
Qed.



                                                                      
Assessment

   iterators instead of loops
   no caching
   no reordereing
   no sharing (except near leaves)
   longer code, shorter proofs
   performance:
      C     Ocaml     8.0     8.1
      1       x3     x320     x10

                                      
Outline

 The Four Colour Theorem proof
 A Domain Specific model checker

 DS abstract interpretation

 A DS solver




                                    
Interpreting configurations

 Configurations are encoded as a
  construction program
 The mathematical semantics is given
  by a standard interpretation
 The decision procedures use
  nonstandard interpretations to extract
  information


                                       
Building configurations

  ring     ring       ring      ring

              j



             …


  start   Rj step   Y step    H step


           ring      ring     ring




          U step    K step   A step


                                       
Building a square
  H R3 Y Y

   H
             R3
                      start

                              Y

                  Y




                                  
Configuration semantics
                          A step   ring
  start


            ring




   U step
                          K step     ring




                   ring




                                            
Colouring interpretation
 b      c        c     bc               b




 b                       b       c       b     c       c


     U step            K step (b≠c)          A step

 ±1b           ∓1b         c       b       ±1b     ±1b




            b                b       c         b        b


        Y step           H step (b≠c)          H step


                                                             
Contract interpretation
      ring      ring      ring




    no step   no step   U step

      ring      ring      ring      ring     ring




    K step    K step    no step   Y step   Y step

      ring      ring      ring      ring




    A step    no step   no step   U step



                                                    
Coq code
Definition cpcolor1 s (f : colseq -> ctree) (et : colseq) :=
  let f2 c et' := f (Seq c c & et') in
  match s, et with
  | CpR n, _ =>
    f (rot n et)
  | CpR', _ =>
    if size et <= 1 then Ctree_empty else f (rotr 1 et)
  | CpU, _ =>
    ctree_union (f2 Color1 et) (ctree_union (f2 Color2 et) (f2 Color3 et))
  | CpK, (Seq e1 e2 & et') =>
    if e1 =d e2 then Ctree_empty else f (Adds (e1 +c e2) et')
  | CpY, (Seq e1 & et') =>
    let e2 := Eperm231 e1 in let e3 := Eperm312 e1 in
    ctree_union (f (Seq e2 e3 & et')) (f (Seq e3 e2 & et'))
  | CpH, (Seq e1 e2 & et') =>
    if e1 =d e2 then
       ctree_union (f2 (Eperm231 e1) et') (f2 (Eperm312 e1) et')
    else f (Seq e2 e1 & et')
  | CpA, (Seq e1 e2 & et') =>
    if e1 =d e2 then f (if et' is Seq0 then et else et') else Ctree_empty
  | _, _ => Ctree_empty
  end.



                                                                      
Matching configurations




                          
Spanning interpretation

kernel             kernel             kernel                kernel




   outer                      outer             outer
    ring                       ring              ring




kernel             kernel                               kernel       outer
                                       kernel
                                                                     ring
           outer            kernel
           ring




                                                                             
Assessment

 Code provides induction for
  interpretation and proofs.
 Short programs.

 Long proofs (700 lines for cfcontract),
  due to complex semantics.




                                        
Outline

 The Four Colour Theorem proof
 A Domain Specific model checker

 DS abstract interpretation

 A DS solver




                                    
     Finding configurations

 Any non-trivial ring < 6 defines reducible
  configurations (Birkhoff, 1913)
 If there are no small rings, then all 2-
  neighborhoods are double rings

                       look for configurations
                       in 2-neighborhoods with
                       a low average arity

                                               
Parts and subparts
                                               subpart   a part is a (zipper) list of subparts
       [6+]      hat [6]           fan
                                 [6]
                                           fan
                                         [5]
              spoke
               [5]         spoke
  [5+]
                           [7]           hat [6]



[5+]                             spoke           [6+]
              hub [8]
                                  [6]                     parts are used:
   [5+]                 [6-7]             [5+]            • to enumerate 2-neighbourhoods
              [5-6]
                                                          • to specify arity averaging rules




                                                                                            
      Subpart semantics
                                                                                            spoke
                    spoke                                    hub                       ur
                                                                            u

                                     ul           u

                     hl                                                          ul
                                                                   u

                                            ur
                h
                                                                       ur
hat                       hr                            ul                       spoke

        f0r                               spoke
                                                                            hr
                                                             hl

              f2l
                                                                        h                             left step
                                                                                                f1l
                                                                                      f0r             right step
      fan           f1r                                      f0l        fan                           subpart
                               f1l                f2r
                                                                                                      unreachable dart
                                          fan


                                                                                                                   
Part algorithms

 Part match: fold interval merge
 Config match: walk spanning trees

 Config search: Davis-Putnam
  enumeration of face triples
 Hub arity cap: Davis-Putnam
  enumeration of part with alpha-beta
  pruning


                                        
Coq code
Fixpoint check_dbound1_rec
   (p : part) (rs : drules) (ns m : nat) {struct m}
  : bool :=
  if m is S m' then
    if rs is Adds r rs' then
      if size rs' < ns then true else
      let p' := meet_part p r in
      (let: SortDrules dns rs'' := sort_drules p' rs' in
       if ns - dns is S ns' then check_dbound1_rec p' rs''
   ns' m' else redp p')
      && check_dbound1_rec p rs' ns m'
    else true
  else false.

Definition check_dbound1 p ns :=
  let: DruleFork rs _ _ := rf in
  check_dbound1_rec p rs ns (size rs + 1).



                                                        
Correctness theorems

(* Reducible. *)
Lemma succeed_by_reducibility : redpart qt p -> succeeds_in p0 p.

(* Hubcap T[j1,j2]<=b1 ... [] *)
Lemma succeed_by_hubcap :
  let n := size_part p in
  hubcap_cover n hc && hubcap_fit (redpart qt) (rf n) p hc ->
   succeeds_in p0 p.

(* Pcase Ln_m: i[j] <= k. or Pcase Ln_m: i[j] > k. *)
Lemma succeed_by_split :
 let pl := split_part i j k lo p in
 let pr := split_part i j k (negb lo) p in
 let p0l :=
   if good_split i j k p0 then split_part i j k lo p0 else pl in
 good_split i j k p -> succeeds_in p0l pl ->
   (successful p0l -> succeeds_in p0 pr) -> succeeds_in p0 p.




                                                                    
Domain-specific tactics
Lemma exclude6 : reducibility -> excluded_arity 6.
  Hred : reducibility
  L3_1
Proof. : successful [] 7+ [] 6+ [] 7+ [] * [] * [] 7+ []
  ============================
move=> Hred; Presentation.
   Check [] s[1] > []
Pcase L0_1: 7+ [] 6+ 6. 7+ [] * [] 6- [] 6- []
       in [] 7+ s[3] [] 7+
  Pcase L1_1: [] 6+ > 6. [] * [] * [] * []
  ...
      Pcase: s[2] > 5.
> Pcase: s[4] > 6.
        Pcase: s[5] > 6.
  Hred : Pcase: s[4] > 5.
          reducibility
            Pcase: s[6] > []
  L3_1 : successful [] 7+ 5. 6+ [] 7+ [] * [] * [] 7+ []
               Hubcap T[1,2]<=0
  ============================ T[3,5]<=0 T[4,6]<=0 [].
             7+ [] T[1,2]<=(-1) [] 6- [] 6- T[4,6]<=2 [].
   Check []Hubcap 6+ [] 7+ [] 7+ T[3,5]<=(-1)[]
          [] 7+ s[6] > 7+
       in Pcase:[] 6+ [] 5. [] 7+ [] * [] * []
            Hubcap T[1,2]<=0 T[3,5]<=(-2) T[4,6]<=2 [].
           is:
subgoal 2Hubcap T[1,2]<=(-1) T[3,5]<=(-3) T[4,6]<=4 [].
        [] 7+ L3_1: s[6] [] 6-
 Check Pcase [] 6+ [] 7+ > 6. [] 6- [] 6- []
           7+ [] s[4] 7+ []
     in []Pcase: 6+ [] > 6. * [] * [] * []
 ...        Pcase: s[5] > 5.
               Hubcap T[1,2]<=0 T[3,5]<=0 T[4,6]<=0 [].
            Hubcap T[1,2]<=0 T[3,5]<=2 T[4,6]<=(-2) [].
 ...



                                                            
Assessment

 Short algorithms, shallow programs
 Short proofs

 Interactive response time

 Ocaml time ≈ C time (better matching)

 Partial tactics ⇒ incompleteness bugs




                                     
Some conclusions

 Reflection provides effective proof
  automation at all levels of reasoning.
 Sophisticated decision procedures
  can be cast as functional programs.
 Domain knowledge can help run time
  and decrease recoding effort.
 Correcteness proofs are typically
  easy.

                                       

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:1
posted:8/24/2011
language:English
pages:43
kala22 kala22
About