Download presentation

Presentation is loading. Please wait.

Published byJayden Ballard Modified over 3 years ago

1
Internal Deduction and Decision Procedures of the Four Colour Theorem Georges Gonthier Microsoft Research Cambridge Joint Inria-Microsoft Research Center

2
150 years of history… 1852 Conjecture (Guthrie DeMorgan) 1878 Publication (Cayley) 1879 First proof (Kempe) 1880 Second proof (Tait) 1890 Rebuttal (Heawood) 1891 Second rebuttal (Petersen) 1913 Reducibility, connexity (Birkhoff) 1922 Up to 25 regions (Franklin) 1969 Discharging (Heesch) 1976 Computer proof (Appel & Haken) 1995 Streamlining (Robertson & al.) 2005 Coq proof (Gonthier)

3
Script lines distribution no ML code! no user tactics!

4
Computational reflection t : term f(t) = v φ(t) effective function logical predicate Replace deduction with computation. Switch between reasoning about objects, and reasoning about symbols. fixed value Internalize deduction and decision procedures.

5
Reflection at every scale Large scale: decision procedure reducibility proof Medium scale: deduction procedure unavoidability proof Small scale: clerical operations boolean connectives

6
Cons and Pros Slower execution Reimplementation Correctness proofs Limited language Reduced trust Domain knowledge Natural encoding No witnesses

7
Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver

8
Cubic maps Euler formula R + N – E = 2 2E/R = 6 - 12/R the worlds a football #sides

9
Colouring by induction Configuration reducible ring

10
The proof in a nutshell Find a set of configurations such that: (A) reducibility: Each one can be coloured to match any planar ring colouring. (B) unavoidability: At least one appears in any planar map. Verify that the combinatorics fit the topology (graph theory + analysis). 10,000 cases 1,000,000,000 cases

11
Procedures of all kind Reducibility: Model checking (MDDs) Configurations: Abstract interpretation (code, trees) Unavoidability Solving & matching (intervals, zippers, tries, alpha-beta)

12
Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver

13
Reflecting reducibility Setup Variable cf : config. Definition cfreducible : Prop := … Definition check_reducible : bool := … Lemma check_reducible_valid : check_reducible -> cfreducible. Usage Lemma cfred232 : cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y). Proof. apply check_reducible_valid; by compute. Qed. 20,000,000 cases

14
Border colouring (Tait 1880)

15
Chord flips (Kempe 1879) ( )0)0 )1)1 ( chromogram colouring

16
The reducibility game erase borders (contract) flip chords swap colours flip chords swap colours MATCH colour (rec) get chords recolour get chords recolour get chords {coulourings} coulouring chromogram configuration context

17
Model checking colourings 1 Ξ0Ξ0 Λ0Λ0 ΛiΛi ΞiΞi Λ Ξ Λi+1Λi+1 Yes No Ξ i+1 Ξ, Λ restrict Λ decrement Ξ any ? No kempe winning colourings flip swap compare with contract colourings D-reducible winning colourings all

18
Coq code Definition ktc_step closure kr := let: (ctu, gtp) := kr in if ctree_empty ctu then kr else let: Gtree_pair gtr gtu := gtp in if gtree_empty gtr then kr else if gtree_empty gtu then (Ctree_empty, empty_gtree_pair) else let: Ctree_pair ctu' ctr := ctree_restrict h ctu (Ctr_some Bstack0 gtr Ctr_none) in closure ctu' (ctree_rotlr ctr) gtu. Definition ktc_step2c step (closure : ktc_fun) ctu ctr gtu := step (step (closure ctu ctr gtu)). Definition ktc_dostep2c closure := ktc_step2c (ktc_step closure) closure. Fixpoint kempe_tree_closure (d : nat) : ktc_fun := if d is S d' then ktc_dostep2c (kempe_tree_closure d') else fun ctu ctr gtu => (ctu, gtree_restrict gtu (Gtr_some Bstack0 ctr Gtr_none)).

19
Decision trees ( (( )0)0 ( ( )0)0 )1)1 )1)1 )1)1 3 3 4 6 17 1

20
More Coq code Fixpoint ctree_restrict (h : nat) (t : ctree) (r : ctree_restriction) {struct h} : ctree_pair := match r, h, t with | Ctr_none, _, _ => Ctree_pair t Ctree_empty | _, S h', Ctree_node t1 t2 t3 => let rh' := ctree_restrict h' in let rk r1 r2 r3 := ctree_cons_pairs (rh' t1 r1) (rh' t2 r2) (rh' t3 r3) in ctr_split rk Ctr_none Ctr_none Ctr_none r | _, O, Ctree_node lf1 lf2 lf3 => ctr_decr (ctree_leaf_pair lf1 lf2 lf3) lf1 lf2 lf3 r | _, _, _ => ctree_empty_pair end.

21
A correctness proof Lemma cdecr_leaf : forall e lf1 lf2 lf3 r, let t := ctree_cons lf1 lf2 lf3 in let et := seq1 e in ctree_proper 1 t -> cdecr e lf1 lf2 lf3 r = ctree_leaf_of (ctree_sub t et - ctr_sub r et). Proof. move=> e lf1 lf2 lf3 r /= Ht. elim: r => [|bs t r Hrec] in lf1 lf2 lf3 Ht |- *; move: {Ht}(ctree_proper_leaf_of_val (ctree_proper_sel _ Ht)) => Hlf. rewrite /= subn0 ctree_sub_cons. by case: e (Hlf e); rewrite ctree_sel_cons. rewrite /cdecr !ctr_decr_some -/(cdecr e) {}Hrec /=. congr ctree_leaf_of; move: {Hlf}(Hlf e). move: (ctree_sub (ctree_sel (ctree_cons lf1 lf2 lf3) e) seq0) => m. rewrite ctree_sel_cons 2!ctree_sub_cons. by case: e => //= Dlf; rewrite /ctr_e_decr Dlf ctree_val_decr !ctree_sub_leaf_of -subn_sub. apply ctree_cons_proper; [ move: (Hlf Color1) | move: (Hlf Color2) | move: (Hlf Color3) ]; rewrite ctree_sel_cons /= => Dlf; rewrite /ctr_e_decr Dlf ctree_val_decr; exact: ctree_leaf_of_proper. Qed.

22
Assessment iterators instead of loops no caching no reordereing no sharing (except near leaves) longer code, shorter proofs performance: COcaml8.08.1 1x3x320x10

23
Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver

24
Interpreting configurations Configurations are encoded as a construction program The mathematical semantics is given by a standard interpretation The decision procedures use nonstandard interpretations to extract information

25
Building configurations start ring Y step ring H step ring R j step j … U step ring A step ring K step

26
Building a square R3R3 H Y Y start H R 3 Y Y

27
Configuration semantics start ring A step ring U step ring K step ring

28
Colouring interpretation b b c c b b c c b b c c b c b c b 1 b ± 1 b U stepK step (bc)A step Y stepH step (bc)H step b b ± 1 b

29
Contract interpretation ring U step ring no step ring no step ring no step ring K step ring K step ring Y step ring Y step ring A step ring no step ring no step ring U step

30
Coq code Definition cpcolor1 s (f : colseq -> ctree) (et : colseq) := let f2 c et' := f (Seq c c & et') in match s, et with | CpR n, _ => f (rot n et) | CpR', _ => if size et <= 1 then Ctree_empty else f (rotr 1 et) | CpU, _ => ctree_union (f2 Color1 et) (ctree_union (f2 Color2 et) (f2 Color3 et)) | CpK, (Seq e1 e2 & et') => if e1 =d e2 then Ctree_empty else f (Adds (e1 +c e2) et') | CpY, (Seq e1 & et') => let e2 := Eperm231 e1 in let e3 := Eperm312 e1 in ctree_union (f (Seq e2 e3 & et')) (f (Seq e3 e2 & et')) | CpH, (Seq e1 e2 & et') => if e1 =d e2 then ctree_union (f2 (Eperm231 e1) et') (f2 (Eperm312 e1) et') else f (Seq e2 e1 & et') | CpA, (Seq e1 e2 & et') => if e1 =d e2 then f (if et' is Seq0 then et else et') else Ctree_empty | _, _ => Ctree_empty end.

31
Matching configurations

32
Spanning interpretation outer ring outer ring outer ring outer ring kernel

33
Assessment Code provides induction for interpretation and proofs. Short programs. Long proofs (700 lines for cfcontract), due to complex semantics.

34
Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver

35
Finding configurations Any non-trivial ring < 6 defines reducible configurations (Birkhoff, 1913) If there are no small rings, then all 2- neighborhoods are double rings look for configurations in 2-neighborhoods with a low average arity

36
Parts and subparts hub spoke hat fan hat fan subpart [8] [6] [7] [5] [6] [5] [6+] [5+] [6-7] [5-6] [5+] parts are used: to enumerate 2-neighbourhoods to specify arity averaging rules a part is a (zipper) list of subparts

37
Subpart semantics

38
Part algorithms Part match: fold interval merge Config match: walk spanning trees Config search: Davis-Putnam enumeration of face triples Hub arity cap: Davis-Putnam enumeration of part with alpha-beta pruning

39
Coq code Fixpoint check_dbound1_rec (p : part) (rs : drules) (ns m : nat) {struct m} : bool := if m is S m' then if rs is Adds r rs' then if size rs' < ns then true else let p' := meet_part p r in (let: SortDrules dns rs'' := sort_drules p' rs' in if ns - dns is S ns' then check_dbound1_rec p' rs'' ns' m' else redp p') && check_dbound1_rec p rs' ns m' else true else false. Definition check_dbound1 p ns := let: DruleFork rs _ _ := rf in check_dbound1_rec p rs ns (size rs + 1).

40
Correctness theorems (* Reducible. *) Lemma succeed_by_reducibility : redpart qt p -> succeeds_in p0 p. (* Hubcap T[j1,j2]<=b1... [] *) Lemma succeed_by_hubcap : let n := size_part p in hubcap_cover n hc && hubcap_fit (redpart qt) (rf n) p hc -> succeeds_in p0 p. (* Pcase Ln_m: i[j] k. *) Lemma succeed_by_split : let pl := split_part i j k lo p in let pr := split_part i j k (negb lo) p in let p0l := if good_split i j k p0 then split_part i j k lo p0 else pl in good_split i j k p -> succeeds_in p0l pl -> (successful p0l -> succeeds_in p0 pr) -> succeeds_in p0 p.

41
Domain-specific tactics Lemma exclude6 : reducibility -> excluded_arity 6. Proof. move=> Hred; Presentation. Pcase L0 _ 1: s[1] > 6. Pcase L1 _ 1: s[3] > 6. Pcase: s[2] > 5. Pcase: s[5] > 6. Pcase: s[4] > 5. Pcase: s[6] > 5. Hubcap T[1,2]<=0 T[3,5]<=0 T[4,6]<=0 []. Hubcap T[1,2]<=(-1) T[3,5]<=(-1) T[4,6]<=2 []. Pcase: s[6] > 5. Hubcap T[1,2]<=0 T[3,5]<=(-2) T[4,6]<=2 []. Hubcap T[1,2]<=(-1) T[3,5]<=(-3) T[4,6]<=4 []. Pcase L3 _ 1: s[6] > 6. Pcase: s[4] > 6. Pcase: s[5] > 5. Hubcap T[1,2]<=0 T[3,5]<=0 T[4,6]<=0 []. Hubcap T[1,2]<=0 T[3,5]<=2 T[4,6]<=(-2) [].... Hred : reducibility L3_1 : successful [] 7+ [] 6+ [] 7+ [] * [] * [] 7+ [] ============================ Check [] 7+ [] 6+ [] 7+ [] * [] 6- [] 6- [] in [] 7+ [] 6+ [] 7+ [] * [] * [] * []... > Pcase: s[4] > 6. Hred : reducibility L3_1 : successful [] 7+ [] 6+ [] 7+ [] * [] * [] 7+ [] ============================ Check [] 7+ [] 6+ [] 7+ [] 7+ [] 6- [] 6- [] in [] 7+ [] 6+ [] 7+ [] 7+ [] * [] * [] subgoal 2 is: Check [] 7+ [] 6+ [] 7+ [] 6- [] 6- [] 6- [] in [] 7+ [] 6+ [] 7+ [] * [] * [] * []...

42
Assessment Short algorithms, shallow programs Short proofs Interactive response time Ocaml time C time (better matching) Partial tactics incompleteness bugs

43
Some conclusions Reflection provides effective proof automation at all levels of reasoning. Sophisticated decision procedures can be cast as functional programs. Domain knowledge can help run time and decrease recoding effort. Correcteness proofs are typically easy.

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google