VIEWS: 1 PAGES: 43 POSTED ON: 8/24/2011
Internal Deduction and Decision Procedures of the Four Colour Theorem Georges Gonthier Microsoft Research Cambridge Joint Inria-Microsoft Research Center 150 years of history… 1852 Conjecture (Guthrie → DeMorgan) 1878 Publication (Cayley) 1879 First proof (Kempe) 1880 Second proof (Tait) 1890 Rebuttal (Heawood) 1891 Second rebuttal (Petersen) 1913 Reducibility, connexity (Birkhoff) 1922 Up to 25 regions (Franklin) 1969 Discharging (Heesch) 1976 Computer proof (Appel & Haken) 1995 Streamlining (Robertson & al.) 2005 Coq proof (Gonthier) Script lines distribution glue (14k) proofs(17k) definitions • no ML code! theorems (4k) • no user tactics! (4k) Computational reflection t : term ⊦ f(t) = v → φ(t) effective fixed logical function value predicate Replace deduction with computation. Switch between reasoning about objects, and reasoning about symbols. Internalize deduction and decision procedures. Reflection at every scale Large scale: decision procedure → reducibility proof Medium scale: deduction procedure → unavoidability proof Small scale: clerical operations → boolean connectives Cons and Pros Slower execution Reduced trust Reimplementation Domain knowledge Correctness proofs Natural encoding Limited language No witnesses Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver Cubic maps Euler formula #sidesN=–6E = 2 2E/R R+ - 12/R the world’s a football Colouring by induction Configuration ring reducible The proof in a nutshell Find a set of configurations such that: (A) reducibility: Each one can be coloured to match any planar ring colouring. (B) unavoidability: At least one appears in any planar map. Verify that the combinatorics fit the topology (graph theory + analysis). Procedures of all kind Reducibility: Model checking (MDDs) Configurations: Abstract interpretation (code, trees) Unavoidability Solving & matching (intervals, zippers, tries, alpha-beta) Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver Reflecting reducibility Setup Variable cf : config. Definition cfreducible : Prop := … Definition check_reducible : bool := … Lemma check_reducible_valid : check_reducible -> cfreducible. Usage Lemma cfred232 : cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y). Proof. apply check_reducible_valid; by compute. Qed. Border colouring (Tait 1880) Chord flips (Kempe 1879) chromogram colouring • )0 ( • )1 ( • The reducibility game configuration erase borders flip chords flip chords MATCH (contract) swap colours swap colours colour (rec) recolour recolour get chords get chords get chords context Model checking colourings winning colourings all Ξ Λ all 0 1 0 Λi flip restrict Λ Ξi Λi+ Λ 1 compare with Yes any ? Ξ, Λ contract D-reducible colourings No No No decrement Ξ Ξi+1 winning Ξ colourings -1 swap kempe Coq code Definition ktc_step closure kr := let: (ctu, gtp) := kr in if ctree_empty ctu then kr else let: Gtree_pair gtr gtu := gtp in if gtree_empty gtr then kr else if gtree_empty gtu then (Ctree_empty, empty_gtree_pair) else let: Ctree_pair ctu' ctr := ctree_restrict h ctu (Ctr_some Bstack0 gtr Ctr_none) in closure ctu' (ctree_rotlr ctr) gtu. Definition ktc_step2c step (closure : ktc_fun) ctu ctr gtu := step (step (closure ctu ctr gtu)). Definition ktc_dostep2c closure := ktc_step2c (ktc_step closure) closure. Fixpoint kempe_tree_closure (d : nat) : ktc_fun := if d is S d' then ktc_dostep2c (kempe_tree_closure d') else fun ctu ctr gtu => (ctu, gtree_restrict gtu (Gtr_some Bstack0 ctr Gtr_none)). Decision trees ( • ( • )0 )1 ( ( )1 • )1 • ( )0 3 3 17 4 6 1 More Coq code Fixpoint ctree_restrict (h : nat) (t : ctree) (r : ctree_restriction) {struct h} : ctree_pair := match r, h, t with | Ctr_none, _, _ => Ctree_pair t Ctree_empty | _, S h', Ctree_node t1 t2 t3 => let rh' := ctree_restrict h' in let rk r1 r2 r3 := ctree_cons_pairs (rh' t1 r1) (rh' t2 r2) (rh' t3 r3) in ctr_split rk Ctr_none Ctr_none Ctr_none r | _, O, Ctree_node lf1 lf2 lf3 => ctr_decr (ctree_leaf_pair lf1 lf2 lf3) lf1 lf2 lf3 r | _, _, _ => ctree_empty_pair end. A correctness proof Lemma cdecr_leaf : forall e lf1 lf2 lf3 r, let t := ctree_cons lf1 lf2 lf3 in let et := seq1 e in ctree_proper 1 t -> cdecr e lf1 lf2 lf3 r = ctree_leaf_of (ctree_sub t et - ctr_sub r et). Proof. move=> e lf1 lf2 lf3 r /= Ht. elim: r => [|bs t r Hrec] in lf1 lf2 lf3 Ht |- *; move: {Ht}(ctree_proper_leaf_of_val (ctree_proper_sel _ Ht)) => Hlf. rewrite /= subn0 ctree_sub_cons. by case: e (Hlf e); rewrite ctree_sel_cons. rewrite /cdecr !ctr_decr_some -/(cdecr e) {}Hrec /=. congr ctree_leaf_of; move: {Hlf}(Hlf e). move: (ctree_sub (ctree_sel (ctree_cons lf1 lf2 lf3) e) seq0) => m. rewrite ctree_sel_cons 2!ctree_sub_cons. by case: e => //= Dlf; rewrite /ctr_e_decr Dlf ctree_val_decr !ctree_sub_leaf_of -subn_sub. apply ctree_cons_proper; [ move: (Hlf Color1) | move: (Hlf Color2) | move: (Hlf Color3) ]; rewrite ctree_sel_cons /= => Dlf; rewrite /ctr_e_decr Dlf ctree_val_decr; exact: ctree_leaf_of_proper. Qed. Assessment iterators instead of loops no caching no reordereing no sharing (except near leaves) longer code, shorter proofs performance: C Ocaml 8.0 8.1 1 x3 x320 x10 Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver Interpreting configurations Configurations are encoded as a construction program The mathematical semantics is given by a standard interpretation The decision procedures use nonstandard interpretations to extract information Building configurations ring ring ring ring j … start Rj step Y step H step ring ring ring U step K step A step Building a square H R3 Y Y H R3 start Y Y Configuration semantics A step ring start ring U step K step ring ring Colouring interpretation b c c bc b b b c b c c U step K step (b≠c) A step ±1b ∓1b c b ±1b ±1b b b c b b Y step H step (b≠c) H step Contract interpretation ring ring ring no step no step U step ring ring ring ring ring K step K step no step Y step Y step ring ring ring ring A step no step no step U step Coq code Definition cpcolor1 s (f : colseq -> ctree) (et : colseq) := let f2 c et' := f (Seq c c & et') in match s, et with | CpR n, _ => f (rot n et) | CpR', _ => if size et <= 1 then Ctree_empty else f (rotr 1 et) | CpU, _ => ctree_union (f2 Color1 et) (ctree_union (f2 Color2 et) (f2 Color3 et)) | CpK, (Seq e1 e2 & et') => if e1 =d e2 then Ctree_empty else f (Adds (e1 +c e2) et') | CpY, (Seq e1 & et') => let e2 := Eperm231 e1 in let e3 := Eperm312 e1 in ctree_union (f (Seq e2 e3 & et')) (f (Seq e3 e2 & et')) | CpH, (Seq e1 e2 & et') => if e1 =d e2 then ctree_union (f2 (Eperm231 e1) et') (f2 (Eperm312 e1) et') else f (Seq e2 e1 & et') | CpA, (Seq e1 e2 & et') => if e1 =d e2 then f (if et' is Seq0 then et else et') else Ctree_empty | _, _ => Ctree_empty end. Matching configurations Spanning interpretation kernel kernel kernel kernel outer outer outer ring ring ring kernel kernel kernel outer kernel ring outer kernel ring Assessment Code provides induction for interpretation and proofs. Short programs. Long proofs (700 lines for cfcontract), due to complex semantics. Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver Finding configurations Any non-trivial ring < 6 defines reducible configurations (Birkhoff, 1913) If there are no small rings, then all 2- neighborhoods are double rings look for configurations in 2-neighborhoods with a low average arity Parts and subparts subpart a part is a (zipper) list of subparts [6+] hat [6] fan [6] fan [5] spoke [5] spoke [5+] [7] hat [6] [5+] spoke [6+] hub [8] [6] parts are used: [5+] [6-7] [5+] • to enumerate 2-neighbourhoods [5-6] • to specify arity averaging rules Subpart semantics spoke spoke hub ur u ul u hl ul u ur h ur hat hr ul spoke f0r spoke hr hl f2l h left step f1l f0r right step fan f1r f0l fan subpart f1l f2r unreachable dart fan Part algorithms Part match: fold interval merge Config match: walk spanning trees Config search: Davis-Putnam enumeration of face triples Hub arity cap: Davis-Putnam enumeration of part with alpha-beta pruning Coq code Fixpoint check_dbound1_rec (p : part) (rs : drules) (ns m : nat) {struct m} : bool := if m is S m' then if rs is Adds r rs' then if size rs' < ns then true else let p' := meet_part p r in (let: SortDrules dns rs'' := sort_drules p' rs' in if ns - dns is S ns' then check_dbound1_rec p' rs'' ns' m' else redp p') && check_dbound1_rec p rs' ns m' else true else false. Definition check_dbound1 p ns := let: DruleFork rs _ _ := rf in check_dbound1_rec p rs ns (size rs + 1). Correctness theorems (* Reducible. *) Lemma succeed_by_reducibility : redpart qt p -> succeeds_in p0 p. (* Hubcap T[j1,j2]<=b1 ... [] *) Lemma succeed_by_hubcap : let n := size_part p in hubcap_cover n hc && hubcap_fit (redpart qt) (rf n) p hc -> succeeds_in p0 p. (* Pcase Ln_m: i[j] <= k. or Pcase Ln_m: i[j] > k. *) Lemma succeed_by_split : let pl := split_part i j k lo p in let pr := split_part i j k (negb lo) p in let p0l := if good_split i j k p0 then split_part i j k lo p0 else pl in good_split i j k p -> succeeds_in p0l pl -> (successful p0l -> succeeds_in p0 pr) -> succeeds_in p0 p. Domain-specific tactics Lemma exclude6 : reducibility -> excluded_arity 6. Hred : reducibility L3_1 Proof. : successful [] 7+ [] 6+ [] 7+ [] * [] * [] 7+ [] ============================ move=> Hred; Presentation. Check [] s[1] > [] Pcase L0_1: 7+ [] 6+ 6. 7+ [] * [] 6- [] 6- [] in [] 7+ s[3] [] 7+ Pcase L1_1: [] 6+ > 6. [] * [] * [] * [] ... Pcase: s[2] > 5. > Pcase: s[4] > 6. Pcase: s[5] > 6. Hred : Pcase: s[4] > 5. reducibility Pcase: s[6] > [] L3_1 : successful [] 7+ 5. 6+ [] 7+ [] * [] * [] 7+ [] Hubcap T[1,2]<=0 ============================ T[3,5]<=0 T[4,6]<=0 []. 7+ [] T[1,2]<=(-1) [] 6- [] 6- T[4,6]<=2 []. Check []Hubcap 6+ [] 7+ [] 7+ T[3,5]<=(-1)[] [] 7+ s[6] > 7+ in Pcase:[] 6+ [] 5. [] 7+ [] * [] * [] Hubcap T[1,2]<=0 T[3,5]<=(-2) T[4,6]<=2 []. is: subgoal 2Hubcap T[1,2]<=(-1) T[3,5]<=(-3) T[4,6]<=4 []. [] 7+ L3_1: s[6] [] 6- Check Pcase [] 6+ [] 7+ > 6. [] 6- [] 6- [] 7+ [] s[4] 7+ [] in []Pcase: 6+ [] > 6. * [] * [] * [] ... Pcase: s[5] > 5. Hubcap T[1,2]<=0 T[3,5]<=0 T[4,6]<=0 []. Hubcap T[1,2]<=0 T[3,5]<=2 T[4,6]<=(-2) []. ... Assessment Short algorithms, shallow programs Short proofs Interactive response time Ocaml time ≈ C time (better matching) Partial tactics ⇒ incompleteness bugs Some conclusions Reflection provides effective proof automation at all levels of reasoning. Sophisticated decision procedures can be cast as functional programs. Domain knowledge can help run time and decrease recoding effort. Correcteness proofs are typically easy.