Lean Theorem Prover
Tom van Bussel
June 14, 2017
Goals
“It aims to bridge the gap between interactive and automated theorem proving, by situating automated tools and methods in a framework that supports user interaction and the construction of fully specified axiomatic proofs”
Background
◮ Developed at Microsoft Research and Carnegie Mellon University
◮ Original authors:
  ◮ Leonardo de Moura
  ◮ Soonho Kong
  ◮ Jeremy Avigad
  ◮ Floris van Doorn
  ◮ Jakob von Raumer
Since then, many other people have worked on Lean
Background
◮ Calculus of Inductive Constructions
◮ Implemented in C++
◮ Relatively small kernel of 6000 lines
◮ Additional features such as inductive type families implemented on top in 700 lines
◮ Proofs and tactics are written in Lean
◮ Emacs and VS Code plug-ins
◮ Browser version written in JavaScript
Tactic-style proofs

  example (a b : Prop) : a /\ b -> b /\ a :=
  begin
    intro h,
    cases h,
    split,
    assumption,
    assumption
  end
Declarative proofs

  example (a b : Prop) : a /\ b -> b /\ a :=
  fun h, and.intro (and.right h) (and.left h)

  example (a b : Prop) : a /\ b -> b /\ a :=
  assume h : a /\ b,
  have ha : a, from and.left h,
  have hb : b, from and.right h,
  show b /\ a, from and.intro hb ha
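The two slides above prove the same statement in tactic style and in declarative style. The following file, added here as an example and not taken from the slides, puts the tactic, declarative and term-mode versions side by side in Lean 3 syntax, shows that the resulting proof objects are interchangeable, and reuses one of them to obtain the biconditional. The theorem names are my own.

```lean
-- Added example (not from the slides): one commutativity fact proved in
-- tactic style, declarative style and term style, Lean 3 syntax.
-- The theorem names (and_swap_*) are my own.

-- 1. Tactic style: `cases ... with` names the two halves of the conjunction,
--    `split` opens one goal per conjunct, `exact` closes each one.
theorem and_swap_tac (a b : Prop) : a /\ b -> b /\ a :=
begin
  intro h,
  cases h with ha hb,
  split,
  { exact hb },
  { exact ha }
end

-- 2. Declarative style: `assume` / `have` / `show` read like a paper proof.
theorem and_swap_decl (a b : Prop) : a /\ b -> b /\ a :=
assume h : a /\ b,
have ha : a, from h.left,
have hb : b, from h.right,
show b /\ a, from and.intro hb ha

-- 3. Term style: the proof is a lambda; the anonymous-constructor pattern
--    destructures the hypothesis and builds the result in one line.
theorem and_swap_term (a b : Prop) : a /\ b -> b /\ a :=
fun ⟨ha, hb⟩, ⟨hb, ha⟩

-- All three are proofs of the same Prop, so proof irrelevance (a later slide)
-- makes them definitionally equal: `rfl` closes this goal.
example (a b : Prop) : and_swap_tac a b = and_swap_term a b := rfl

-- Reusing a lemma in both directions upgrades it to a biconditional.
theorem and_swap_iff (a b : Prop) : a /\ b <-> b /\ a :=
iff.intro (and_swap_tac a b) (and_swap_tac b a)

#check and_swap_iff   -- and_swap_iff : ∀ (a b : Prop), a ∧ b ↔ b ∧ a
```

Tactic proofs are convenient to write interactively but the proof term they produce is hidden; the declarative and term-mode forms are the fully specified proofs the Goals slide refers to, and all three are checked by the same small kernel.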
Demo
Features
◮ Recursive equations
◮ Coercions
◮ Ad-hoc polymorphism
    notation a + b := add a b
    notation a + b := bor a b
◮ Type classes
◮ Haskell-style monads
◮ Namespaces
    open classical (renaming em -> excluded_middle)
◮ C++ code generation
Structures
◮ Special kind of inductive datatype with only one constructor
◮ Projections are generated automatically
◮ Subtyping/Inheritance

  structure prod (a b : Type) :=
  mk :: (fst : a) (snd : b)

  structure has_mul (a : Type u) :=
  (mul : a -> a -> a)

  class semigroup (A : Type)
  extends has_mul A :=
  (mul_assoc : forall a b c,
    mul (mul a b) c = mul a (mul b c))
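The slide lists the three structure features (single constructor, generated projections, inheritance) and shows a class built on top of them. The following Lean 3 file, added here as an example and not part of the slides, exercises each feature and then defines a class, registers an instance, and uses the class axiom in a proof. The names point, point3, semigroup' and mul3 are my own; has_mul and nat.mul_assoc are from the Lean 3 core library.

```lean
-- Added example (not from the slides): structures, automatic projections,
-- inheritance via `extends`, and a type class built the same way.
-- point, point3, semigroup' and mul3 are my own names; has_mul and
-- nat.mul_assoc come from the Lean 3 core library.
universe u

-- A structure is an inductive type with a single constructor (`point.mk`).
structure point (a : Type u) :=
(x : a) (y : a)

-- Projections are generated automatically, one per field.
#check @point.x   -- point.x : Π {a : Type u}, point a → a

def origin : point nat := { x := 0, y := 0 }

-- Inheritance: `extends` copies the parent's fields and generates the
-- coercion point3.to_point, which is how subtyping shows up in practice.
structure point3 (a : Type u) extends point a :=
(z : a)

def p3 : point3 nat := { x := 1, y := 2, z := 3 }
#eval p3.to_point.x   -- 1

-- A class is a structure whose instances are found by unification. Extending
-- the core `has_mul` lets the axiom be stated with the usual `*` notation.
class semigroup' (A : Type u) extends has_mul A :=
(mul_assoc : forall a b c : A, a * b * c = a * (b * c))

-- Registering nat as an instance supplies the field values; the associativity
-- proof already exists in the core library.
instance : semigroup' nat :=
{ mul := nat.mul, mul_assoc := nat.mul_assoc }

-- Code generic over any semigroup': the instance is resolved at the call site.
def mul3 {A : Type u} [semigroup' A] (a b c : A) : A := a * b * c

#eval mul3 (2 : nat) 3 4   -- 24

-- The class axiom is available as a projection and can be used in proofs;
-- `mul3 a b c` unfolds definitionally to `a * b * c`, so no rewriting is needed.
theorem mul3_assoc {A : Type u} [semigroup' A] (a b c : A) :
  mul3 a b c = a * (b * c) :=
semigroup'.mul_assoc a b c
```

Because a class is just a structure, every instance is an ordinary term that the kernel checks like any other; nothing about instance resolution is trusted beyond the elaborator finding a term of the right type.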
Types

  nat : Type
  Type : Type

Hierarchy of Types

  Type.{0} : Type.{1} : Type.{2} : Type.{3} : ...

  fun (A : Type.{u}) (a : A), a
Automation
◮ Implemented as tactics
◮ Resolution prover
◮ Isabelle’s auto
◮ SMT-like automation: congruence closure, E-matching
◮ Superposition (similar to metis)
Small demo
Lean vs Coq
Freek: “It has proof irrelevance, function extensionality, classical logic, even a choice operator as part of the standard setup (exactly which of those are hardwired in, and which ones are just conventionally available in the library, I don’t know.)”
Proof Irrelevance
Proof irrelevance for Prop is built in.

  lemma proof_irrel {a : Prop} (h1 h2 : a) : h1 = h2 := rfl
Axiom of Choice

  class inductive nonempty (a : Sort u) : Prop
  | intro : a -> nonempty

  axiom choice {a : Sort u} : nonempty a -> a

Hilbert’s epsilon operator

  noncomputable def epsilon {a : Sort u} [h : nonempty a]
    (p : a -> Prop) : a := ...
Function extensionality
Function extensionality is proved from the quotient construction, which is also defined in the standard library and requires a few extra axioms.

  theorem funext {f1 f2 : forall x : a, b x}
    (h : forall x, f1 x = f2 x) : f1 = f2 := ...
Classical logic
The law of excluded middle follows from Diaconescu’s lemma using function extensionality, propositional extensionality and the axiom of choice.

  theorem em : p \/ not p := ...
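The four slides above answer Freek's question about which principles are hardwired and which come from the library: proof irrelevance is a kernel rule, while choice, propositional extensionality and the quotient axiom are declared constants from which excluded middle and funext are proved. The practical way to audit a proof against that list is `#print axioms`. The following Lean 3 file, added here as an example and not from the slides, runs it on proofs of each kind; the theorem names are my own, while classical.em, funext and absurd are from the Lean 3 core library.

```lean
-- Added example (not from the slides): checking which axioms a proof actually
-- depends on with `#print axioms`. Theorem names are my own; classical.em,
-- funext and absurd come from the Lean 3 core library.
open classical

-- Purely constructive proof: depends on no axioms at all.
theorem imp_trans (p q r : Prop) : (p -> q) -> (q -> r) -> p -> r :=
fun hpq hqr hp, hqr (hpq hp)

#print axioms imp_trans   -- no axioms

-- Double-negation elimination needs excluded middle. `em` is a theorem, not an
-- axiom, but it is proved (Diaconescu) from choice, propext and funext, and
-- `#print axioms` traces the dependency back to the underlying constants.
theorem dne (p : Prop) : not (not p) -> p :=
assume h : not (not p),
or.elim (em p)
  (assume hp : p, hp)
  (assume hnp : not p, absurd hnp h)

#print axioms dne   -- propext, classical.choice, quot.sound

-- Function extensionality alone pulls in only the quotient axiom.
theorem eq_id_of_fixed (f : nat -> nat) (h : forall x, f x = x) : f = id :=
funext h

#print axioms eq_id_of_fixed   -- quot.sound

-- Proof irrelevance needs no axiom: it is a definitional rule of the kernel,
-- so `rfl` closes the goal and nothing is reported.
theorem proofs_eq (p : Prop) (h1 h2 : p) : h1 = h2 := rfl

#print axioms proofs_eq   -- no axioms
```

Running `#print axioms` on a final theorem is the cheap check that a development has not silently become classical or picked up an extra `axiom` declaration somewhere in its imports.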
Demo
Additional information
https://leanprover.github.io