Skip to content

Partially prove Procedure.typeCheckWF (5 of 9 fields)#453

Open
tautschnig wants to merge 7 commits intomainfrom
tautschnig/typeCheckWF-partial
Open

Partially prove Procedure.typeCheckWF (5 of 9 fields)#453
tautschnig wants to merge 7 commits intomainfrom
tautschnig/typeCheckWF-partial

Conversation

@tautschnig
Copy link
Contributor

@tautschnig tautschnig commented Feb 19, 2026
edited
Loading

Replace the full 'by sorry' with a structured proof that establishes 5 of 9 WFProcedureProp fields from the type checker:

  • wfstmts: from Statement.typeCheckWF
  • ioDisjoint: from checkVariableScoping success
  • inputsNodup: from checkNoDuplicates success
  • outputsNodup: from checkNoDuplicates success
  • modNodup: from checkNoDuplicates success

The remaining 4 fields (wfloclnd, inputsLocl, outputsLocl, wfspec) are not currently enforced by the type checker and remain as sorry.

Kiro spent 21 minutes on this partial proof.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@tautschnig
Partially prove Procedure.typeCheckWF (5 of 9 fields)
2ba4b2e 
Replace the full 'by sorry' with a structured proof that establishes
5 of 9 WFProcedureProp fields from the type checker:

  - wfstmts: from Statement.typeCheckWF
  - ioDisjoint: from checkVariableScoping success
  - inputsNodup: from checkNoDuplicates success
  - outputsNodup: from checkNoDuplicates success
  - modNodup: from checkNoDuplicates success

The remaining 4 fields (wfloclnd, inputsLocl, outputsLocl, wfspec)
are not currently enforced by the type checker and remain as sorry.

To enable the proof, checkNoDuplicates and checkVariableScoping in
ProcedureType.lean are changed from private to public, with helper
lemmas extracting the relevant properties from their success.

Kiro spent 21 minutes on this partial proof.
Copilot AI review requested due to automatic review settings February 19, 2026 09:14
@tautschnig tautschnig requested a review from a team as a code owner February 19, 2026 09:14
Copilot AI reviewed Feb 19, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR replaces a blanket by sorry for Procedure.typeCheckWF with a structured proof that derives several WFProcedureProp fields directly from the successful execution path of Procedure.typeCheck, leaving the remaining fields as sorry because the type checker does not currently enforce them.

Changes:

  • Added local helper theorems to extract Nodup and input/output disjointness properties from successful checkNoDuplicates / checkVariableScoping.
  • Implemented a partial Procedure.typeCheckWF proof that constructs 5 of 9 WFProcedureProp fields, with 4 fields still admitted via sorry.
  • Changed checkNoDuplicates and checkVariableScoping in ProcedureType.lean from private to public to support the proof.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
Strata/Languages/Core/ProcedureWF.lean Adds helper extraction lemmas and a partial Procedure.typeCheckWF proof building a WFProcedureProp.
Strata/Languages/Core/ProcedureType.lean Exposes internal typechecker helper functions (checkNoDuplicates, checkVariableScoping) by removing private.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@tautschnig
Update Strata/Languages/Core/ProcedureWF.lean
c10f896 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@tautschnig tautschnig marked this pull request as draft February 19, 2026 09:48
@tautschnig
Fix ProcedureWF build failure from c10f896
dfdfc99 
The previous commit introduced two issues in Procedure.typeCheckWF:

1. Used 'private lemma' which is not a valid keyword in Lean 4.27.0
   (lemma is a Mathlib alias, not available here).

2. The bind-peeling strategy with Except.bind_eq_ok_of_ok only handled
   3 of the ~9 sequential binds in Procedure.typeCheck, leaving
   unsolved goals.

Restore the working approach: set_option maxHeartbeats/maxRecDepth
with 'repeat (split at H <;> try contradiction)' to handle all binds
automatically.
@tautschnig
Keep checkNoDuplicates/checkVariableScoping private, export _ok theorems
070f43f 
Address PR review comment: restore 'private' on checkNoDuplicates and
checkVariableScoping in ProcedureType.lean to reduce module API surface.

Move the corresponding _ok theorems (checkNoDuplicates_ok,
checkVariableScoping_ok) into ProcedureType.lean where they can access
the private defs, and export them as public theorems. ProcedureWF.lean
now uses these exported theorems instead of duplicating the proofs.
@tautschnig tautschnig marked this pull request as ready for review February 19, 2026 10:25
@tautschnig tautschnig enabled auto-merge February 19, 2026 10:39
@tautschnig tautschnig assigned aqjune-aws and unassigned aqjune-aws Feb 19, 2026
joscoh
joscoh reviewed Feb 19, 2026
View reviewed changes
aqjune-aws
aqjune-aws previously approved these changes Feb 20, 2026
View reviewed changes
Copy link
Contributor

@aqjune-aws aqjune-aws left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I approved this pull request because the added theorems looked useful and the partial proofs looked ok (one more approval would be necessary, though).

@tautschnig
checkNoDuplicates_ok: replace split/simp_all chain with grind
f90b23a 
Address PR comment: everything after 'intro h' in the proof can be
replaced with grind.
@tautschnig
typeCheckWF: remove unnecessary set_option directives
7457eae 
Address PR comment: maxHeartbeats and maxRecDepth options are not
needed for this proof and make things brittle.
@tautschnig
Merge remote-tracking branch 'origin/main' into tautschnig/typeCheckW…
e95a319 
…F-partial
@joehendrix
Copy link
Contributor

joehendrix commented Feb 24, 2026

Generally I'd recommend finishing proofs before submitting PRs. I don't think we waste time reviewing LLM failures to finish tasks.

joehendrix
joehendrix requested changes Feb 24, 2026
View reviewed changes
Copy link
Contributor

@joehendrix joehendrix left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comment

@tautschnig
Copy link
Contributor Author

tautschnig commented Feb 24, 2026

Generally I'd recommend finishing proofs before submitting PRs. I don't think we waste time reviewing LLM failures to finish tasks.

What are you taking as an "LLM failure" here? The fact that 4 proofs were left unproven? If so: those actually require changes in the type checker to enable their proof. See #452 for the full resolution, this was just my attempt to break this up into reviewable chunks. If something else is your definition of "LLM failure," then please explain.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@joehendrix joehendrix joehendrix requested changes

@joscoh joscoh joscoh approved these changes

@aqjune-aws aqjune-aws Awaiting requested review from aqjune-aws

Requested changes must be addressed to merge this pull request.

Assignees

@aqjune-aws aqjune-aws

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@tautschnig @joehendrix @joscoh @aqjune-aws