Conversation
Adds a new `tlaps` job to both the push (main.yml) and pull request (pr.yml) GitHub Actions workflows. The job downloads the TLAPS 1.6.0-pre release from tlaplus/tlapm and runs `tlapm` on every modules/*_proofs.tla file, ensuring the proofs of the theorems in FoldsTheorems, FunctionTheorems, FiniteSetsExtTheorems and SequencesExtTheorems remain valid as the modules evolve.

The job runs as a matrix on ubuntu-latest (x86_64-linux-gnu) and macos-latest (arm64-darwin), the two platforms for which the 1.6.0-pre release ships a tlapm binary. All proof files are checked even if one fails so a single regression does not mask others.

[CI]
Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
The first case of THEOREM Fun_NatBijSingleton was discharged by a single one-liner

`BY 1..1 = {1} DEF Bijection, Surjection`

which asks the default SMT pipeline to simultaneously unfold Bijection = Injection \cap Surjection, expand the set comprehension defining Surjection, instantiate the nested \A t \in S : \E s \in 1..1 : f[s] = t and witness the outer \E s : S = {s}. This worked with the bundled provers shipped with the macOS arm64 build of TLAPS 1.6.0-pre but failed with the Linux x86_64 build, which ships different Z3/Zenon/Isabelle binaries and runs on a slower CI runner. The same input file even produced a different obligation count on the two platforms (771 vs. 732), so relying on a single SMT step for this obligation is inherently fragile.

Rewrite the case as five small steps that any backend can close: extract the typing and surjection facts from the definitions, derive f[1] \in S, prove \A t \in S : t = f[1] by PICKing the (unique) index in 1..1, then WITNESS f[1]. No backend has to invent the existential witness or reason about set intersection at the same time as a quantified comprehension, so the proof is robust across tlapm builds and timeout budgets.

All 795 obligations of FunctionTheorems_proofs continue to check locally with `tlapm --cleanfp`.

[Proofs]
Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
THEOREM MaxInterval and THEOREM MinInterval in FiniteSetsExtTheorems_proofs were both discharged by a single BY DEF Max (resp. BY DEF Min). After unfolding, the obligation contains the raw CHOOSE that defines Max/Min, e.g.

`(CHOOSE x \in a..b : \A y \in a..b : x >= y) = b`

To close that in one shot, a backend has to reason about CHOOSE uniqueness while simultaneously doing arithmetic on the interval a..b. Zenon has very limited support for CHOOSE and reported "exhausted search space" with the macOS arm64 build of TLAPS 1.6.0-pre, while another bundled prover happened to find the proof on Linux. Either way, relying on a CHOOSE-savvy backend for these two facts is fragile across tlapm builds.

Rewrite both proofs to go through the existing MaxInt / MinInt introduction rules of the same module, which already hide the CHOOSE behind the

`ASSUME S \in SUBSET Int, x \in S, \A y \in S : x >= y PROVE Max(S) = x`

interface. Each new proof supplies the two trivial arithmetic side conditions (b \in a..b and \A y \in a..b : b >= y, and the symmetric pair for Min) so that no backend ever sees the CHOOSE.

All 419 obligations of FiniteSetsExtTheorems_proofs continue to check locally with `tlapm --cleanfp`.

[Proofs]
Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
Member
Author
@muenchnerkindl This PR was primarily generated by Claude Opus 4.7. I've reviewed it and believe it's in good shape for your review.
Contributor
Hi @lemmy, thanks for this contribution! I suggest to generalize the first theorem so that it only requires the function to be constant over the set that is summed over (cf. push). What do you think?
Add SumFunctionOnSetConst and SumFunctionConst stating that summing a constant function over a finite set equals the constant times the cardinality of the set, together with corresponding proofs and an example in the doc comments.

[Feature]
Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
Signed-off-by: Stephan Merz <stephan.merz@loria.fr>
Signed-off-by: Markus Alexander Kuppe <github.com@lemmster.de>
Member
Author
Thanks @muenchnerkindl, I squashed your commit into mine and removed the commented code.
Summary

Adds two new theorems to `FunctionTheorems` for summing a constant function over a finite set:

- `SumFunctionOnSetConst`: for any finite `S` and constant `k`, `FoldFunctionOnSet(+, 0, [x \in S |-> k], S) = k * Cardinality(S)`.
- `SumFunctionConst`: the same fact stated for `FoldFunction` on a function whose domain is finite.

Both come with full TLAPS proofs in `FunctionTheorems_proofs` and a short example in the doc comments.

Supporting changes

To make sure these (and the other `*_proofs.tla` modules) stay valid as the library evolves, this PR also:

- `tlaps` GitHub Actions job to `main.yml` and `pr.yml` that downloads the TLAPS 1.6.0-pre release from `tlaplus/tlapm` and runs `tlapm` on every `modules/*_proofs.tla` file. The job runs as a matrix on `ubuntu-latest` (x86_64-linux-gnu) and `macos-latest` (arm64-darwin) and checks all proof files even when one fails, so a single regression doesn't mask others.
- `Fun_NatBijSingleton` (singleton case) in `FunctionTheorems_proofs` no longer asks the SMT pipeline to unfold `Bijection`/`Surjection` and invent the existential witness in one step; it extracts typing/surjection facts, derives `f[1] \in S`, proves uniqueness via `PICK` on `1..1`, and `WITNESS`es `f[1]`.
- `MaxInterval`/`MinInterval` in `FiniteSetsExtTheorems_proofs` no longer rely on a backend reasoning about the raw `CHOOSE` from `Max`/`Min` while doing arithmetic on `a..b`; they go through the existing `MaxInt`/`MinInt` introduction rules with the trivial side conditions supplied explicitly.

All 795 obligations of `FunctionTheorems_proofs` and 419 obligations of `FiniteSetsExtTheorems_proofs` continue to check locally with `tlapm --cleanfp`.

[Feature][Proofs][CI]
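The keep-going check loop that the `tlaps` CI job and the first commit message describe (run every `*_proofs.tla` module, report every failure, fail the job only at the end) as an added shell example; this is not the PR's workflow code. The real `tlapm` is stood in for by a constructed `fake_tlapm` that fails on a marker word, and the proof modules are constructed in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow: check every *_proofs.tla module,
# keep going after a failure, and fail the job only at the end so that
# one regression cannot mask another. On a real checkout this would be
#   check_all_proofs modules tlapm --cleanfp
# Assumption: the checker exits 0 iff all obligations of the module check.

check_all_proofs() {
  # $1 = directory holding *_proofs.tla; remaining args = checker command
  local dir=$1; shift
  local f total=0 failed=0
  for f in "$dir"/*_proofs.tla; do
    # An unmatched glob stays literal: treat "no proof modules" as an error.
    [ -e "$f" ] || { echo "no *_proofs.tla files in $dir" >&2; return 2; }
    total=$((total + 1))
    if "$@" "$f"; then
      echo "PASS $f"
    else
      echo "FAIL $f"          # record the failure but continue with the rest
      failed=$((failed + 1))
    fi
  done
  echo "$((total - failed))/$total proof modules checked OK"
  [ "$failed" -eq 0 ]        # job status: non-zero iff any module failed
}

# Constructed stand-in for tlapm: a module "fails" if it contains BROKEN.
fake_tlapm() { ! grep -q BROKEN "$1"; }

# Constructed sample modules (names mirror the ones the PR checks).
demo_dir=$(mktemp -d)
printf 'THEOREM T == TRUE\n' > "$demo_dir/FoldsTheorems_proofs.tla"
printf 'BROKEN\n'            > "$demo_dir/FunctionTheorems_proofs.tla"
printf 'THEOREM T == TRUE\n' > "$demo_dir/SequencesExtTheorems_proofs.tla"

# One broken module: all three are still visited, then the job fails.
check_all_proofs "$demo_dir" fake_tlapm || echo "job would fail with status $?"
```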