Skip to content

Partially prove Procedure.typeCheckWF (5 of 9 fields)#453

Open
tautschnig wants to merge 7 commits intomainfrom
tautschnig/typeCheckWF-partial
Open

Partially prove Procedure.typeCheckWF (5 of 9 fields)#453
tautschnig wants to merge 7 commits intomainfrom
tautschnig/typeCheckWF-partial

Conversation

@tautschnig
Copy link
Contributor

@tautschnig tautschnig commented Feb 19, 2026

Replace the full 'by sorry' with a structured proof that establishes 5 of 9 WFProcedureProp fields from the type checker:

  • wfstmts: from Statement.typeCheckWF
  • ioDisjoint: from checkVariableScoping success
  • inputsNodup: from checkNoDuplicates success
  • outputsNodup: from checkNoDuplicates success
  • modNodup: from checkNoDuplicates success

The remaining 4 fields (wfloclnd, inputsLocl, outputsLocl, wfspec) are not currently enforced by the type checker and remain as sorry.

Kiro spent 21 minutes on this partial proof.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Replace the full 'by sorry' with a structured proof that establishes
5 of 9 WFProcedureProp fields from the type checker:

  - wfstmts: from Statement.typeCheckWF
  - ioDisjoint: from checkVariableScoping success
  - inputsNodup: from checkNoDuplicates success
  - outputsNodup: from checkNoDuplicates success
  - modNodup: from checkNoDuplicates success

The remaining 4 fields (wfloclnd, inputsLocl, outputsLocl, wfspec)
are not currently enforced by the type checker and remain as sorry.

To enable the proof, checkNoDuplicates and checkVariableScoping in
ProcedureType.lean are changed from private to public, with helper
lemmas extracting the relevant properties from their success.

Kiro spent 21 minutes on this partial proof.
Copilot AI review requested due to automatic review settings February 19, 2026 09:14
@tautschnig tautschnig requested a review from a team as a code owner February 19, 2026 09:14
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR replaces a blanket by sorry for Procedure.typeCheckWF with a structured proof that derives several WFProcedureProp fields directly from the successful execution path of Procedure.typeCheck, leaving the remaining fields as sorry because the type checker does not currently enforce them.

Changes:

  • Added local helper theorems to extract Nodup and input/output disjointness properties from successful checkNoDuplicates / checkVariableScoping.
  • Implemented a partial Procedure.typeCheckWF proof that constructs 5 of 9 WFProcedureProp fields, with 4 fields still admitted via sorry.
  • Changed checkNoDuplicates and checkVariableScoping in ProcedureType.lean from private to public to support the proof.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
Strata/Languages/Core/ProcedureWF.lean Adds helper extraction lemmas and a partial Procedure.typeCheckWF proof building a WFProcedureProp.
Strata/Languages/Core/ProcedureType.lean Exposes internal typechecker helper functions (checkNoDuplicates, checkVariableScoping) by removing private.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@tautschnig tautschnig marked this pull request as draft February 19, 2026 09:48
The previous commit introduced two issues in Procedure.typeCheckWF:

1. Used 'private lemma' which is not a valid keyword in Lean 4.27.0
   (lemma is a Mathlib alias, not available here).

2. The bind-peeling strategy with Except.bind_eq_ok_of_ok only handled
   3 of the ~9 sequential binds in Procedure.typeCheck, leaving
   unsolved goals.

Restore the working approach: set_option maxHeartbeats/maxRecDepth
with 'repeat (split at H <;> try contradiction)' to handle all binds
automatically.
Address PR review comment: restore 'private' on checkNoDuplicates and
checkVariableScoping in ProcedureType.lean to reduce module API surface.

Move the corresponding _ok theorems (checkNoDuplicates_ok,
checkVariableScoping_ok) into ProcedureType.lean where they can access
the private defs, and export them as public theorems. ProcedureWF.lean
now uses these exported theorems instead of duplicating the proofs.
@tautschnig tautschnig marked this pull request as ready for review February 19, 2026 10:25
@tautschnig tautschnig enabled auto-merge February 19, 2026 10:39
@tautschnig tautschnig assigned aqjune-aws and unassigned aqjune-aws Feb 19, 2026
aqjune-aws
aqjune-aws previously approved these changes Feb 20, 2026
Copy link
Contributor

@aqjune-aws aqjune-aws left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I approved this pull request because the added theorems looked useful and the partial proofs looked ok (one more approval would be necessary, though).

Address PR comment: everything after 'intro h' in the proof can be
replaced with grind.
Address PR comment: maxHeartbeats and maxRecDepth options are not
needed for this proof and make things brittle.
@joehendrix
Copy link
Contributor

Generally I'd recommend finishing proofs before submitting PRs. I don't think we waste time reviewing LLM failures to finish tasks.

Copy link
Contributor

@joehendrix joehendrix left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comment

@tautschnig
Copy link
Contributor Author

Generally I'd recommend finishing proofs before submitting PRs. I don't think we waste time reviewing LLM failures to finish tasks.

What are you taking as an "LLM failure" here? The fact that 4 proofs were left unproven? If so: those actually require changes in the type checker to enable their proof. See #452 for the full resolution, this was just my attempt to break this up into reviewable chunks. If something else is your definition of "LLM failure," then please explain.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants