Zulip Chat Archive
Stream: general
Topic: About native_decide
Alfredo Moreira-Rosa (Sep 07 2025 at 12:47):
I just discovered native_decide (before was doing the same using an elab evalExpr).
I've almost created a kernel verified automated proof for a decidable equivalence, but meanwhile i'm using native_decide and it's nice to have this option while working on the formal proof.
And so, i have two questions.
- i see that
native_decideis not allowed in mathlib. So i guess it's considered harmful even if not trying to exploit the already identified hacks people have found ? - i'm curious if there could be a subset of lean (that prevents using the already discovered hacks) that could be activated through a flag to have a more trusted
native_decide?
(deleted) (Sep 07 2025 at 13:36):
Yeah native_decide can be used to hack Lean, so all uses of native_decide are banned.
Weiyi Wang (Sep 07 2025 at 13:36):
I think it is hard to define the boundary of "subset without known hacks" (or rather, the boundary is already decided: things without native_decide vs with native_decide).
(deleted) (Sep 07 2025 at 13:37):
Currently, there is no version of native_decide that is less hackable, so we have to make do with decide. Even though there are things that can't be solved with decide.
(deleted) (Sep 07 2025 at 13:37):
Yi is right.
(deleted) (Sep 07 2025 at 13:38):
But don't despair! simp might be magical enough to do what you need
Henrik Böving (Sep 07 2025 at 13:39):
Weiyi Wang said:
I think it is hard to define the boundary of "subset without known hacks" (or rather, the boundary is already decided: things without native_decide vs with native_decide).
That's a bit too pessimistic. If you e.g. have a system for proof by reflection where you control all the code that actually gets executed within the native_decide call and only the input is under control of the attacker things can very much turn out to be fine.
Alfredo Moreira-Rosa (Sep 07 2025 at 13:39):
yes, i'm halfway through my automated proof, exactly using simp and custom simpsets , so in the mean time i just make lean show a warning message when it's used :
image.png
Weiyi Wang (Sep 07 2025 at 13:43):
Henrik Böving said:
Weiyi Wang said:
I think it is hard to define the boundary of "subset without known hacks" (or rather, the boundary is already decided: things without native_decide vs with native_decide).
That's a bit too pessimistic. If you e.g. have a system for proof by reflection where you control all the code that actually gets executed within the
native_decidecall and only the input is under control of the attacker things can very much turn out to be fine.
I agree with you when I use native_decidein my personal project. If I were to put the position of a mathlib maintainer, I would be more pessimistic: the idea that "mathlib could be wrong because of native_decide" is contagious, even if it isn't true
Weiyi Wang (Sep 07 2025 at 13:45):
(I realized I posted this in the context of mathlib because OP mentioned it. But I agree with you if we are talking about projects in general)
Alfredo Moreira-Rosa (Sep 07 2025 at 18:11):
Just finished my automated proof! no more native_decide, it served me well :)
image.png
Alfredo Moreira-Rosa (Sep 07 2025 at 18:13):
But it's about 10 times slower :sweat_smile:
Violeta Hernández (Sep 08 2025 at 05:47):
(off-topic, but i believe "kinetic" is the word you're looking for)
Alfredo Moreira-Rosa (Sep 08 2025 at 06:06):
Yes, I'm french, we have our own words :grinning_face_with_smiling_eyes:
Siddhartha Gadgil (Sep 08 2025 at 11:44):
For completeness, there is decide +kernel which is more powerful than decide but trusted.
Alfredo Moreira-Rosa (Sep 16 2025 at 11:42):
So an alternative question, is decide +kernel considered an ok proof ?
Alfredo Moreira-Rosa (Sep 16 2025 at 11:47):
an example for a dimensional analysis check :
theorem not_e_equal_mc_dim_check (E : WithDim Dimension.Energy) (m : WithDim Dimension.Mass) :
¬ 𝒟 E = 𝒟 (m * c) := by
simp_dim
decide +kernel
Alfredo Moreira-Rosa (Sep 16 2025 at 11:49):
does this generate terms that an external checker can check ?
Eric Wieser (Sep 16 2025 at 11:50):
It should do, the kernel is the bit that external checkers implement
Kyle Miller (Sep 17 2025 at 00:48):
Both decide and decide +kernel for a goal t is the same as doing of_decide_eq_true (id (Eq.refl true) : decide t = true); the only difference is that +kernel sends the term to the kernel for checking immediately.
If you use show_term, you'll see something like not_e_equal_mc_dim_check._proof_1_1. The way decide +kernel works is that it wraps up this of_decide_eq_true proof as an auxiliary theorem and sends it to the kernel for checking. Without +kernel, it will additionally use the elaborator typechecker.
The decide +kernel tactic is nearly always faster than decide if it succeeds. If it fails, decide is potentially faster (it respects definition transparency, so might unfold less). Since decide is frequently attempted in automation, for example the trivial tactic, so failing fast is important.
Last updated: Dec 20 2025 at 21:32 UTC