Documentation

Mathlib.Tactic.Linarith.Verification

Deriving a proof of false #

linarith uses an untrusted oracle to produce a certificate of unsatisfiability. It needs to do some proof reconstruction work to turn this into a proof term. This file implements the reconstruction.

Main declarations #

The public facing declaration in this file is proveFalseByLinarith.

source
ink
def Qq.ofNatQ {u : Lean.Level} (α : let u := u; Qq.QQ (Lean.Expr.sort (Lean.Level.succ u))) :
Qq.QQ (Lean.Expr.app (Lean.Expr.const `Semiring [u]) α)Qq.QQ α

Typesafe conversion of n : ℕ to Q($α).

Equations
  • One or more equations did not get rendered due to their size.
source
ink
def Qq.inferTypeQ' (e : Lean.Expr) :
Lean.MetaM ((u : Lean.Level) × (α : let u := u; Q(Type u)) × Q(«$α»))

Analogue of inferTypeQ, but that gets universe levels right for our application.

Equations
  • One or more equations did not get rendered due to their size.

Auxiliary functions for assembling proofs #

source
ink
def Linarith.mulExpr' {u : Lean.Level} (n : ) {α : let u := u; Qq.QQ (Lean.Expr.sort (Lean.Level.succ u))} (inst : Qq.QQ (Lean.Expr.app (Lean.Expr.const `Semiring [u]) α)) (e : Qq.QQ α) :
Qq.QQ α

A typesafe version of mulExpr.

Equations
  • One or more equations did not get rendered due to their size.
source
ink
def Linarith.mulExpr (n : ) (e : Lean.Expr) :
Lean.MetaM Lean.Expr

mulExpr n e creates an Expr representing n*e. When elaborated, the coefficient will be a native numeral of the same type as e.

Equations
  • One or more equations did not get rendered due to their size.
source
ink
def Linarith.addExprs' {u : Lean.Level} {α : let u := u; Qq.QQ (Lean.Expr.sort (Lean.Level.succ u))} (_inst : Qq.QQ (Lean.Expr.app (Lean.Expr.const `AddMonoid [u]) α)) :
List (Qq.QQ α)Qq.QQ α

A type-safe analogue of addExprs.

Equations
  • One or more equations did not get rendered due to their size.
source
ink
def Linarith.addExprs'.go {u : Lean.Level} {α : let u := u; Qq.QQ (Lean.Expr.sort (Lean.Level.succ u))} (_inst : Qq.QQ (Lean.Expr.app (Lean.Expr.const `AddMonoid [u]) α)) (p : Qq.QQ α) :
List (Qq.QQ α)Qq.QQ α

Inner loop for addExprs'.

Equations
source
ink
def Linarith.addExprs :
List Lean.ExprLean.MetaM Lean.Expr

addExprs L creates an Expr representing the sum of the elements of L, associated left.

Equations
  • One or more equations did not get rendered due to their size.
source
ink
def Linarith.addIneq :
Linarith.IneqLinarith.IneqLean.Name × Linarith.Ineq

If our goal is to add together two inequalities t1 R1 0 and t2 R2 0, addIneq R1 R2 produces the strength of the inequality in the sum R, along with the name of a lemma to apply in order to conclude t1 + t2 R 0.

Equations
  • One or more equations did not get rendered due to their size.
source
ink
def Linarith.mkLTZeroProof :
List (Lean.Expr × )Lean.MetaM Lean.Expr

mkLTZeroProof coeffs pfs takes a list of proofs of the form tᵢ Rᵢ 0, paired with coefficients cᵢ. It produces a proof that ∑cᵢ * tᵢ R 0∑cᵢ * tᵢ R 0, where R is as strong as possible.

Equations
  • One or more equations did not get rendered due to their size.
source
ink
def Linarith.mkLTZeroProof.step (c : Linarith.Ineq) (pf : Lean.Expr) (npf : Lean.Expr) (coeff : ) :
Lean.MetaM (Linarith.Ineq × Lean.Expr)

step c pf npf coeff assumes that pf is a proof of t1 R1 0 and npf is a proof of t2 R2 0. It uses mkSingleCompZeroOf to prove t1 + coeff*t2 R 0, and returns R along with this proof.

Equations
  • One or more equations did not get rendered due to their size.
source
ink
def Linarith.leftOfIneqProof (prf : Lean.Expr) :
Lean.MetaM Lean.Expr

If prf is a proof of t R s, leftOfIneqProof prf returns t.

Equations
source
ink
def Linarith.typeOfIneqProof (prf : Lean.Expr) :
Lean.MetaM Lean.Expr

If prf is a proof of t R s, typeOfIneqProof prf returns the type of t.

Equations
source
ink
def Linarith.mkNegOneLtZeroProof (tp : Lean.Expr) :
Lean.MetaM Lean.Expr

mkNegOneLtZeroProof tp returns a proof of -1 < 0, where the numerals are natively of type tp.

Equations
source
ink
def Linarith.addNegEqProofs :
List Lean.ExprLean.MetaM (List Lean.Expr)

addNegEqProofs l inspects the list of proofs l for proofs of the form t = 0. For each such proof, it adds a proof of -t = 0 to the list.

Equations
source
ink
def Linarith.proveEqZeroUsing (tac : Lean.Elab.Tactic.TacticM Unit) (e : Lean.Expr) :
Lean.MetaM Lean.Expr

proveEqZeroUsing tac e tries to use tac to construct a proof of e = 0.

Equations
  • One or more equations did not get rendered due to their size.

The main method #

source
ink
def Linarith.proveFalseByLinarith (cfg : Linarith.LinarithConfig) :
Lean.MVarIdList Lean.ExprLean.MetaM Lean.Expr

proveFalseByLinarith is the main workhorse of linarith. Given a list l of proofs of tᵢ Rᵢ 0, it tries to derive a contradiction from l and use this to produce a proof of False.

An oracle is used to search for a certificate of unsatisfiability. In the current implementation, this is the Fourier Motzkin elimination routine in Elimination.lean, but other oracles could easily be swapped in.

The returned certificate is a map m from hypothesis indices to natural number coefficients. If our set of hypotheses has the form {tᵢ Rᵢ 0}, then the elimination process should have guaranteed that 1.\ ∑ (m i)*tᵢ = 0∑ (m i)*tᵢ = 0, with at least one i such that m i > 0 and Rᵢ is <.

We have also that 2.\ ∑ (m i)*tᵢ < 0∑ (m i)*tᵢ < 0, since for each i, (m i)*tᵢ ≤ 0≤ 0 and at least one is strictly negative. So we conclude a contradiction 0 < 0.

It remains to produce proofs of (1) and (2). (1) is verified by calling the discharger tactic of the LinarithConfig object, which is typically ring. We prove (2) by folding over the set of hypotheses.

Equations
  • One or more equations did not get rendered due to their size.