Lean Theorem Prover Tom van Bussel June 14, 2017
Goals
“It aims to bridge the gap between interactive and automated theorem proving, by situating automated tools and methods in a framework that supports user interaction and the construction of fully specified axiomatic proofs”

Background
◮ Developed at Microsoft Research and Carnegie Mellon University
◮ Original authors:
    ◮ Leonardo de Moura
    ◮ Soonho Kong
    ◮ Jeremy Avigad
    ◮ Floris van Doorn
    ◮ Jakob von Raumer
Since then, many other people have worked on Lean

Background
◮ Calculus of Inductive Constructions
◮ Implemented in C++
◮ Relatively small kernel of 6000 lines
◮ Additional features such as inductive type families implemented on top in 700 lines
◮ Proofs and tactics are written in Lean
◮ Emacs and VS Code plug-ins
◮ Browser version written in JavaScript

Tactic-style proofs

    example (a b : Prop) : a /\ b -> b /\ a :=
    begin
      intro h,
      cases h,
      split,
      assumption,
      assumption
    end

Declarative proofs

    example (a b : Prop) : a /\ b -> b /\ a :=
    fun h, and.intro (and.right h) (and.left h)

    example (a b : Prop) : a /\ b -> b /\ a :=
    assume h : a /\ b,
    have ha : a, from and.left h,
    have hb : b, from and.right h,
    show b /\ a, from and.intro hb ha

Demo
Features
◮ Recursive equations
◮ Coercions
◮ Ad-hoc polymorphism
      notation a + b := add a b
      notation a + b := bor a b
◮ Type classes
◮ Haskell-style monads
◮ Namespaces
      open classical (renaming em -> excluded_middle)
◮ C++ code generation

Structures
◮ Special kind of inductive datatype with only one constructor
◮ Projections are generated automatically
◮ Subtyping/Inheritance

    structure prod (a b : Type) :=
    mk :: (fst : a) (snd : b)

    structure has_mul (a : Type u) :=
    (mul : a -> a -> a)

    structure semigroup [class] (A : Type)
    extends has_mul A :=
    (mul_assoc : forall a b c,
      mul (mul a b) c = mul a (mul b c))

Types

    nat : Type
    Type : Type

Hierarchy of Types

    Type.{0} : Type.{1} : Type.{2} : Type.{3} : ...

    fun (A : Type.{u}) (a : A), a

Automation
◮ Implemented as tactics
◮ Resolution prover
◮ Isabelle’s auto
◮ SMT-like automation: Congruence closure, E-matching
◮ Superposition (similar to metis)

Small demo
Lean vs Coq
Freek: “It has proof irrelevance, function extensionality, classical logic, even a choice operator as part of the standard setup (exactly which of those are hardwired in, and which ones are just conventionally available in the library, I don’t know.)”

Proof Irrelevance
Proof irrelevance for Prop is built in.

    lemma proof_irrel {a : Prop} (h1 h2 : a) : h1 = h2 :=
    rfl

Axiom of Choice

    class inductive nonempty (a : Sort u) : Prop
    | intro : a -> nonempty

    axiom choice {a : Sort u} : nonempty a -> a

Hilbert’s epsilon operator

    noncomputable def epsilon {a : Sort u} [h : nonempty a]
      (p : a -> Prop) : a := ...

Function extensionality
Function extensionality is proved from the quotient construction, which is also defined in the standard library and requires a few extra axioms.

    theorem funext {f1 f2 : forall x : a, b x}
      (h : forall x, f1 x = f2 x) : f1 = f2 := ...

Classical logic
The law of excluded middle follows from Diaconescu’s lemma using function extensionality, propositional extensionality and the axiom of choice.

    theorem em : p \/ not p := ...

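The following is an added example, not part of the original presentation: it uses Lean's `#print axioms` command to audit which axioms a given proof depends on, contrasting a constructive proof with one that goes through excluded middle. It is written in the Lean 3 syntax used on the slides; the theorem names `and_swap_demo` and `dne_demo` are hypothetical.

```lean
-- Added example (Lean 3 syntax, as in the slides). The theorem names
-- and_swap_demo and dne_demo are hypothetical, chosen for this example.

-- Constructive proof: the term-style proof from the "Declarative proofs" slide.
theorem and_swap_demo (a b : Prop) : a /\ b -> b /\ a :=
assume h, and.intro (and.right h) (and.left h)

-- Classical proof: double-negation elimination by case analysis on
-- excluded middle (classical.em), so it inherits whatever em depends on.
theorem dne_demo (p : Prop) : not (not p) -> p :=
assume hnn : not (not p),
or.elim (classical.em p)
  (assume hp : p, hp)
  (assume hnp : not p, absurd hnp hnn)

-- Ask Lean which axioms each proof ultimately rests on.
#print axioms and_swap_demo  -- the constructive proof
#print axioms proof_irrel    -- proved by rfl on the slide
#print axioms funext         -- derived from the quotient construction
#print axioms classical.em   -- Diaconescu's argument
#print axioms dne_demo       -- a user theorem that calls classical.em
```

Comparing the listings separates what the kernel provides by itself from what enters a development through library axioms, which is the question raised in the "Lean vs Coq" quote.
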
Demo
Additional information https://leanprover.github.io