Skip to content

Commit 8b9f1ad

Browse files
committed
doc: turn "kernel" into a deftech and use it
Turn "Kernel Checking" of Elaboration into the definition of kernel and refer to the definition in Validating Proofs
1 parent 5d349db commit 8b9f1ad

2 files changed

Lines changed: 9 additions & 9 deletions

File tree

Manual/Elaboration.lean

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -100,7 +100,7 @@ Roughly speaking, Lean's processing of a source file can be divided into the fol
100100

101101
: Kernel Checking
102102

103-
Lean's {tech (key := "trust")}[trusted] kernel checks the output of the elaborator to ensure that it follows the rules of the type theory.
103+
Lean's {tech (key := "trust")}[trusted] {deftech (key := "Lean kernel")}[kernel] checks the output of the elaborator to ensure that it follows the rules of the type theory.
104104

105105
: Compilation
106106

Manual/ValidatingProofs.lean

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ The steps needed to rule out a misleading proof depend on the author's {deftech}
4242

4343
* Regarding the verification software, Lean takes {ref "elaboration-compilation"}[a number of steps] to process a theorem and its proof.
4444
Different uses correspond to trusting different steps of this pipeline.
45-
At a minimum, the Lean kernel or an alternative kernel such as [`nanoda`](https://github.com/ammkrn/nanoda_lib) has to be trusted.
45+
At a minimum, the Lean {tech}[kernel] or an alternative kernel such as [`nanoda`](https://github.com/ammkrn/nanoda_lib) has to be trusted.
4646

4747
* Regarding the correctness of the statement, it is important to distinguish the question “does the theorem have a valid proof” fromwhat does the theorem statement mean”.
4848
No matter what software is used and how trusted the environment is, a theorem is meaningful only if its author(s) and user(s) are certain that its statement mathematically expresses its intended informal meaning.
@@ -71,7 +71,7 @@ While working interactively with Lean, once the theorem is proved, blue double c
7171

7272
## Significance
7373

74-
The blue ticks indicate that the theorem statement has been successfully elaborated, according to the syntax and type class instances defined in the current file and its imports, and that the Lean kernel has accepted a proof of that theorem statement that follows from the definitions, theorems and axioms declared in the current file and its imports.
74+
The blue ticks indicate that the theorem statement has been successfully elaborated, according to the syntax and type class instances defined in the current file and its imports, and that the Lean {tech}[kernel] has accepted a proof of that theorem statement that follows from the definitions, theorems and axioms declared in the current file and its imports.
7575

7676
## Trust
7777

@@ -151,7 +151,7 @@ Build your project using {lake}`build`, run `lean4checker --fresh` on the module
151151

152152
## Significance
153153

154-
The `lean4checker` tool reads the declarations and proofs as they are stored by `lean` during building (the {tech}[`.olean` files]), and replays them through the kernel.
154+
The `lean4checker` tool reads the declarations and proofs as they are stored by `lean` during building (the {tech}[`.olean` files]), and replays them through the {tech}[kernel].
155155
It trusts that the {tech}[`.olean` files] are structurally correct.
156156

157157
## Trust
@@ -163,7 +163,7 @@ This check is meaningful if one believes the authors of the imported libraries t
163163
:::listBullet "🛡️"
164164
(In addition to the list above)
165165

166-
* Bugs in Lean’s core handling of the kernel’s state (e.g. due to parallel proof processing, or import handling)
166+
* Bugs in Lean’s core handling of the {tech}[kernel]’s state (e.g. due to parallel proof processing, or import handling)
167167
* Meta-programs or tactics intentionally bypassing that state (e.g. using low-level functionality to add unchecked theorems)
168168
:::
169169

@@ -195,7 +195,7 @@ In a trusted environment, write the theorem *statement* (the “challenge”), a
195195

196196
Comparator will build the proof in a sandboxed environment, to protect against {tech}[malicious] code in the build step.
197197
The proof term is exported to a serialized format.
198-
Outside the sandbox and out of the reach of possibly malicious code, it validates the exported format, replays the proofs using both Lean's kernel and/or an external checker and also ensures that the proved theorem statements match those in the trusted challenge file.
198+
Outside the sandbox and out of the reach of possibly malicious code, it validates the exported format, replays the proofs using both Lean's {tech}[kernel] and/or an external checker and also ensures that the proved theorem statements match those in the trusted challenge file.
199199

200200
## Trust
201201

@@ -212,7 +212,7 @@ This check is meaningful if the theorem statement in the trusted challenge file
212212

213213
## Comments
214214

215-
At the time of writing, `comparator` supports using the official Lean kernel and the external checker [`nanoda`](https://github.com/ammkrn/nanoda_lib), which is developed independently and implemented in Rust. The [Lean Kernel Arena](https://arena.lean-lang.org/) features more external checkers that can be used manually for even more confidence.
215+
At the time of writing, `comparator` supports using the official Lean {tech}[kernel] and the external checker [`nanoda`](https://github.com/ammkrn/nanoda_lib), which is developed independently and implemented in Rust. The [Lean Kernel Arena](https://arena.lean-lang.org/) features more external checkers that can be used manually for even more confidence.
216216

217217
# Remaining Issues
218218

@@ -233,12 +233,12 @@ tag := "validating-trustCompiler"
233233
%%%
234234

235235
Lean supports proofs by native evaluation.
236-
This is used by the {tactic}`decide`{keywordOf Lean.Parser.Tactic.decide}` +native` tactic or internally by specific tactics ({tactic}`bv_decide` in particular) and produces proof terms that call compiled Lean code to do a calculation that is then trusted by the kernel.
236+
This is used by the {tactic}`decide`{keywordOf Lean.Parser.Tactic.decide}` +native` tactic or internally by specific tactics ({tactic}`bv_decide` in particular) and produces proof terms that call compiled Lean code to do a calculation that is then trusted by the {tech}[kernel].
237237

238238
Specific uses wrapped in {tech}[honest] tactics (e.g. {tactic}`bv_decide`) are generally trustworthy.
239239
The trusted code base is larger (it includes Lean's compilation toolchain and library annotations in the standard library), but still fixed and vetted.
240240

241-
General use ({tactic}`decide`{keywordOf Lean.Parser.Tactic.decide}` +native` or direct use of {name}`Lean.ofReduceBool`) can be used to create invalid proofs whenever the native evaluation of a term disagrees with the kernel's evaluation.
241+
General use ({tactic}`decide`{keywordOf Lean.Parser.Tactic.decide}` +native` or direct use of {name}`Lean.ofReduceBool`) can be used to create invalid proofs whenever the native evaluation of a term disagrees with the {tech}[kernel]'s evaluation.
242242
In particular, for every {attr}`implemented_by`/{attr}`extern` attribute in libraries it becomes part of the trusted code base that the replacement is semantically equivalent.
243243

244244
All these uses show up as an axiom {name}`Lean.trustCompiler` in {keywordOf Lean.Parser.Command.printAxioms}`#print axioms`.

0 commit comments

Comments
 (0)