Zulip Chat Archive
Stream: general
Topic: Veil framework discussion thread
George Pîrlea (Apr 14 2025 at 15:39):
Discussion thread for Veil. See the announcement at #announce > Veil: A Framework for Automated and Interactive Verification
Shreyas Srinivas (Apr 14 2025 at 16:01):
Why is proof reconstruction turned off by default?
Shreyas Srinivas (Apr 14 2025 at 16:05):
More specifically, how is the SMT's output checked when there is no proof reconstruction?
George Pîrlea (Apr 14 2025 at 16:11):
@Shreyas Srinivas When proof reconstruction is off, the SMT solver's output is simply trusted rather than checked. This is similar to existing non-foundational verifiers. We keep it off by default since it's quite slow (>5x slowdown) and currently a bit brittle for the goals we generate (we'll report this upstream to lean-smt). We're hoping to be able to change this default in the future, though.
Shreyas Srinivas (Apr 14 2025 at 16:13):
okay, so the TCB is Lean's kernel + SMT solver (z3/cvc5?)
George Pîrlea (Apr 14 2025 at 16:17):
Yes. We use CVC5 by default and fall back to Z3 when the former times out. (This is configurable using set_option veil.smt.solver and veil.smt.retryOnUnknown)
Shreyas Srinivas (Apr 14 2025 at 16:18):
@Sasha Rubin and @Ashvni Narayanan you might be interested in this
Shreyas Srinivas (Apr 14 2025 at 17:18):
Related question : how well can SMT discharged goals (for want of a better word) mix with manually proved goals? I am asking this because being able to take SMT proofs at face value means that you don’t necessarily have a sorry free theorem for it from lean’s perspective.
Shreyas Srinivas (Apr 14 2025 at 17:19):
Turning on proof reconstruction should let you add theorem declarations with proofs to the environment and let you freely mix autoproved theorems with manually proved theorems.
George Pîrlea (Apr 14 2025 at 22:19):
It's very easy to mix goals proven interactively and those proven with SMT. All goals that Veil generates are just standard Lean theorems that we add to the environment. For example, instead of using the #check_invariants command, you can do #check_invariants? and see exactly what's being proven behind the scenes.
If you really care about not trusting SMT solvers, you really should use Veil with proof reconstruction at all times, yes. But, again, as proof reconstruction improves in upstream projects, we're hoping to change the default.
George Pîrlea (Apr 14 2025 at 22:22):
I'd be curious to hear if you have specific projects you'd want to try Veil on where this is a major concern.
Shreyas Srinivas (Apr 14 2025 at 22:22):
This isn’t about trust. If you generated a lean theorem but no proof, what are you actually assigning to this declaration?
Shreyas Srinivas (Apr 14 2025 at 22:23):
Is it an assumption that is added to the environment?
Shreyas Srinivas (Apr 14 2025 at 22:23):
Like adding a variable statement in a section?
George Pîrlea (Apr 14 2025 at 22:24):
It's a theorem whose body is by sorry.
Shreyas Srinivas (Apr 14 2025 at 22:24):
Ah, so a lean project using Veil won’t be sorry free
Shreyas Srinivas (Apr 14 2025 at 22:27):
The problem with this approach is that a large project would have a number of theorems, many auto generated by lean and some handwritten. When reviewing such a project it won’t be sufficient to look for occurrences of sorry by using #print_axioms or checking the output of lake build. One would have to manually check that the only sorrys are coming from the SMT generated proofs
Shreyas Srinivas (Apr 14 2025 at 22:30):
Also I think #print axioms will show sorryAx as one of the axioms but won’t be able to tell you whether the sorry is one of the by sorrys generated by Veil or a sorry inserted manually during the proof development and forgotten
George Pîrlea (Apr 14 2025 at 22:35):
Ah, that's a good point. Thank you! We should introduce our own version of sorry such that it's easier to distinguish in #print axioms. (I think lean-auto does something like this.)
But just to point it out, it's difficult to miss that Veil without proof reconstruction uses sorry — there are warnings printed during compilation similar to how Lean sorry works. For instance, #check_invariants in the tutorial prints "Trusting the SMT solver for 12 theorems."
Shreyas Srinivas (Apr 14 2025 at 22:38):
Okay that’s a good sign. Nevertheless from a UX perspective sorry comes with some bells and whistles (for example yellow squiggly lines) and some output lines in the output of lake build. This makes no distinction between user inserted and automatically inserted sorries. As someone writing proofs, this will be a nightmare for me to make sure I haven’t left any forgotten sorries lying around
Shreyas Srinivas (Apr 14 2025 at 22:44):
A slightly better idea might be to replicate the axiom command, let’s call it smt_assumption and replicate #print_axioms for this, calling it #print SMT assumptions
Shreyas Srinivas (Apr 14 2025 at 22:44):
The latter takes a theorem and prints out the smt_assumptions it uses
George Pîrlea (Apr 14 2025 at 22:44):
Maybe I'm misunderstanding, but you still get all of this (the squiggly lines, etc.) with Veil. You always have to issue a command (e.g. #check_invariants) to generate and prove theorems — it doesn't do it "behind your back". Here's what it looks like:
Shreyas Srinivas (Apr 14 2025 at 22:47):
In a large proof development I don’t see how it will be easy to separate the use of smt theorems from user theorems containing sorries. I am thinking about this from a debugging perspective.
Shreyas Srinivas (Apr 14 2025 at 23:05):
In my suggestion about SMT_assumption, you could also just define an SMT_assumption attribute, tag all the generated theorems with this attribute. The #print SMT assumptions <theorem> command simply prints all uses of theorems with this attribute, in a manner similar to #print axioms
Shreyas Srinivas (Apr 14 2025 at 23:06):
That way, even if someone turns on proof reconstruction, one can track the uses of SMT proven theorems. only the by sorry part needs to be replaced by the proof as is happening now (I guess)
Last updated: May 02 2025 at 03:31 UTC