Slide 1

Internal Deduction and Decision Procedures of the Four Colour Theorem Georges Gonthier Microsoft Research Cambridge Joint Inria-Microsoft Research Center Slide 2 150 years of history 1852 Conjecture (Guthrie DeMorgan) 1878 Publication (Cayley) 1879 First proof (Kempe) 1880 Second proof (Tait) 1890 Rebuttal (Heawood) 1891 Second rebuttal (Petersen) 1913 Reducibility, connexity (Birkhoff) 1922 Up to 25 regions (Franklin) 1969 Discharging (Heesch) 1976 Computer proof (Appel & Haken) 1995 Streamlining (Robertson & al.) 2005 Coq proof (Gonthier) Slide 3 Script lines distribution no ML code! no user tactics! Slide 4 Computational reflection t : term f(t) = v (t) effective function logical predicate Replace deduction with computation. Switch between reasoning about objects, and reasoning about symbols. fixed value Internalize deduction and decision procedures. Slide 5 Reflection at every scale Large scale: decision procedure reducibility proof Medium scale: deduction procedure unavoidability proof Small scale: clerical operations boolean connectives Slide 6 Cons and Pros Slower execution Reimplementation Correctness proofs Limited language Reduced trust Domain knowledge Natural encoding No witnesses Slide 7 Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver Slide 8 Cubic maps Euler formula R + N E = 2 2E/R = 6 - 12/R the worlds a football #sides Slide 9 Colouring by induction Configuration reducible ring Slide 10 The proof in a nutshell Find a set of configurations such that: (A) reducibility: Each one can be coloured to match any planar ring colouring. (B) unavoidability: At least one appears in any planar map. Verify that the combinatorics fit the topology (graph theory + analysis). 10,000 cases 1,000,000,000 cases Slide 11 Procedures of all kind Reducibility: Model checking (MDDs) Configurations: Abstract interpretation (code, trees) Unavoidability Solving & matching (intervals, zippers, tries, alpha-beta) Slide 12 Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver Slide 13 Reflecting reducibility Setup Variable cf : config. Definition cfreducible : Prop := Definition check_reducible : bool := Lemma check_reducible_valid : check_reducible -> cfreducible. Usage Lemma cfred232 : cfreducible (Config 11 33 37 H 2 H 13 Y 5 H 10 H 1 H 1 Y 3 H 11 Y 4 H 9 H 1 Y 3 H 9 Y 6 Y 1 Y 1 Y 3 Y 1 Y Y 1 Y). Proof. apply check_reducible_valid; by compute. Qed. 20,000,000 cases Slide 14 Border colouring (Tait 1880) Slide 15 Chord flips (Kempe 1879) ( )0)0 )1)1 ( chromogram colouring Slide 16 The reducibility game erase borders (contract) flip chords swap colours flip chords swap colours MATCH colour (rec) get chords recolour get chords recolour get chords {coulourings} coulouring chromogram configuration context Slide 17 Model checking colourings 1 00 00 ii ii i+1i+1 Yes No i+1 , restrict decrement any ? No kempe winning colourings flip swap compare with contract colourings D-reducible winning colourings all Slide 18 Coq code Definition ktc_step closure kr := let: (ctu, gtp) := kr in if ctree_empty ctu then kr else let: Gtree_pair gtr gtu := gtp in if gtree_empty gtr then kr else if gtree_empty gtu then (Ctree_empty, empty_gtree_pair) else let: Ctree_pair ctu' ctr := ctree_restrict h ctu (Ctr_some Bstack0 gtr Ctr_none) in closure ctu' (ctree_rotlr ctr) gtu. Definition ktc_step2c step (closure : ktc_fun) ctu ctr gtu := step (step (closure ctu ctr gtu)). Definition ktc_dostep2c closure := ktc_step2c (ktc_step closure) closure. Fixpoint kempe_tree_closure (d : nat) : ktc_fun := if d is S d' then ktc_dostep2c (kempe_tree_closure d') else fun ctu ctr gtu => (ctu, gtree_restrict gtu (Gtr_some Bstack0 ctr Gtr_none)). Slide 19 Decision trees ( (( )0)0 ( ( )0)0 )1)1 )1)1 )1)1 3 3 4 6 17 1 Slide 20 More Coq code Fixpoint ctree_restrict (h : nat) (t : ctree) (r : ctree_restriction) {struct h} : ctree_pair := match r, h, t with | Ctr_none, _, _ => Ctree_pair t Ctree_empty | _, S h', Ctree_node t1 t2 t3 => let rh' := ctree_restrict h' in let rk r1 r2 r3 := ctree_cons_pairs (rh' t1 r1) (rh' t2 r2) (rh' t3 r3) in ctr_split rk Ctr_none Ctr_none Ctr_none r | _, O, Ctree_node lf1 lf2 lf3 => ctr_decr (ctree_leaf_pair lf1 lf2 lf3) lf1 lf2 lf3 r | _, _, _ => ctree_empty_pair end. Slide 21 A correctness proof Lemma cdecr_leaf : forall e lf1 lf2 lf3 r, let t := ctree_cons lf1 lf2 lf3 in let et := seq1 e in ctree_proper 1 t -> cdecr e lf1 lf2 lf3 r = ctree_leaf_of (ctree_sub t et - ctr_sub r et). Proof. move=> e lf1 lf2 lf3 r /= Ht. elim: r => [|bs t r Hrec] in lf1 lf2 lf3 Ht |- *; move: {Ht}(ctree_proper_leaf_of_val (ctree_proper_sel _ Ht)) => Hlf. rewrite /= subn0 ctree_sub_cons. by case: e (Hlf e); rewrite ctree_sel_cons. rewrite /cdecr !ctr_decr_some -/(cdecr e) {}Hrec /=. congr ctree_leaf_of; move: {Hlf}(Hlf e). move: (ctree_sub (ctree_sel (ctree_cons lf1 lf2 lf3) e) seq0) => m. rewrite ctree_sel_cons 2!ctree_sub_cons. by case: e => //= Dlf; rewrite /ctr_e_decr Dlf ctree_val_decr !ctree_sub_leaf_of -subn_sub. apply ctree_cons_proper; [ move: (Hlf Color1) | move: (Hlf Color2) | move: (Hlf Color3) ]; rewrite ctree_sel_cons /= => Dlf; rewrite /ctr_e_decr Dlf ctree_val_decr; exact: ctree_leaf_of_proper. Qed. Slide 22 Assessment iterators instead of loops no caching no reordereing no sharing (except near leaves) longer code, shorter proofs performance: COcaml8.08.1 1x3x320x10 Slide 23 Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver Slide 24 Interpreting configurations Configurations are encoded as a construction program The mathematical semantics is given by a standard interpretation The decision procedures use nonstandard interpretations to extract information Slide 25 Building configurations start ring Y step ring H step ring R j step j U step ring A step ring K step Slide 26 Building a square R3R3 H Y Y start H R 3 Y Y Slide 27 Configuration semantics start ring A step ring U step ring K step ring Slide 28 Colouring interpretation b b c c b b c c b b c c b c b c b 1 b 1 b U stepK step (bc)A step Y stepH step (bc)H step b b 1 b Slide 29 Contract interpretation ring U step ring no step ring no step ring no step ring K step ring K step ring Y step ring Y step ring A step ring no step ring no step ring U step Slide 30 Coq code Definition cpcolor1 s (f : colseq -> ctree) (et : colseq) := let f2 c et' := f (Seq c c & et') in match s, et with | CpR n, _ => f (rot n et) | CpR', _ => if size etctree_union (f2 Color1 et) (ctree_union (f2 Color2 et) (f2 Color3 et)) | CpK, (Seq e1 e2 & et') => if e1 =d e2 then Ctree_empty else f (Adds (e1 +c e2) et') | CpY, (Seq e1 & et') => let e2 := Eperm231 e1 in let e3 := Eperm312 e1 in ctree_union (f (Seq e2 e3 & et')) (f (Seq e3 e2 & et')) | CpH, (Seq e1 e2 & et') => if e1 =d e2 then ctree_union (f2 (Eperm231 e1) et') (f2 (Eperm312 e1) et') else f (Seq e2 e1 & et') | CpA, (Seq e1 e2 & et') => if e1 =d e2 then f (if et' is Seq0 then et else et') else Ctree_empty | _, _ => Ctree_empty end. Slide 31 Matching configurations Slide 32 Spanning interpretation outer ring outer ring outer ring outer ring kernel Slide 33 Assessment Code provides induction for interpretation and proofs. Short programs. Long proofs (700 lines for cfcontract), due to complex semantics. Slide 34 Outline The Four Colour Theorem proof A Domain Specific model checker DS abstract interpretation A DS solver Slide 35 Finding configurations Any non-trivial ring < 6 defines reducible configurations (Birkhoff, 1913) If there are no small rings, then all 2- neighborhoods are double rings look for configurations in 2-neighborhoods with a low average arity Slide 36 Parts and subparts hub spoke hat fan hat fan subpart [8] [6] [7] [5] [6] [5] [6+] [5+] [6-7] [5-6] [5+] parts are used: to enumerate 2-neighbourhoods to specify arity averaging rules a part is a (zipper) list of subparts Slide 37 Subpart semantics Slide 38 Part algorithms Part match: fold interval merge Config match: walk spanning trees Config search: Davis-Putnam enumeration of face triples Hub arity cap: Davis-Putnam enumeration of part with alpha-beta pruning Slide 39 Coq code Fixpoint check_dbound1_rec (p : part) (rs : drules) (ns m : nat) {struct m} : bool := if m is S m' then if rs is Adds r rs' then if size rs' < ns then true else let p' := meet_part p r in (let: SortDrules dns rs'' := sort_drules p' rs' in if ns - dns is S ns' then check_dbound1_rec p' rs'' ns' m' else redp p') && check_dbound1_rec p rs' ns m' else true else false. Definition check_dbound1 p ns := let: DruleFork rs _ _ := rf in check_dbound1_rec p rs ns (size rs + 1). Slide 40 Correctness theorems (* Reducible. *) Lemma succeed_by_reducibility : redpart qt p -> succeeds_in p0 p. (* Hubcap T[j1,j2] succeeds_in p0 p. (* Pcase Ln_m: i[j] k. *) Lemma succeed_by_split : let pl := split_part i j k lo p in let pr := split_part i j k (negb lo) p in let p0l := if good_split i j k p0 then split_part i j k lo p0 else pl in good_split i j k p -> succeeds_in p0l pl -> (successful p0l -> succeeds_in p0 pr) -> succeeds_in p0 p. Slide 41 Domain-specific tactics Lemma exclude6 : reducibility -> excluded_arity 6. Proof. move=> Hred; Presentation. Pcase L0 _ 1: s[1] > 6. Pcase L1 _ 1: s[3] > 6. Pcase: s[2] > 5. Pcase: s[5] > 6. Pcase: s[4] > 5. Pcase: s[6] > 5. Hubcap T[1,2]