Manual/Elaboration.lean
Lines changed: 1 addition & 1 deletion
@@ -100,7 +100,7 @@ Roughly speaking, Lean's processing of a source file can be divided into the fol
: Kernel Checking
-
Lean's {tech (key := "trust")}[trusted] kernel checks the output of the elaborator to ensure that it follows the rules of the type theory.
+
Lean's {tech (key := "trust")}[trusted] {deftech (key := "Lean kernel")}[kernel] checks the output of the elaborator to ensure that it follows the rules of the type theory.
Ataminimum,theLeankerneloranalternativekernelsuchas [`nanoda`](https://github.com/ammkrn/nanoda_lib) has to be trusted.
+
Ataminimum,theLean{tech}[kernel] or an alternative kernel such as [`nanoda`](https://github.com/ammkrn/nanoda_lib) has to be trusted.
* Regarding the correctness of the statement, it is important to distinguish the question “does the theoremhaveavalidproof”from “whatdoesthetheoremstatementmean”.
Nomatterwhatsoftwareisusedandhowtrustedtheenvironmentis,atheoremismeaningfulonlyifitsauthor(s) and user(s) are certain that its statement mathematically expresses its intended informal meaning.
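Review bot: In the hunk at line 103 the definition is registered as `{deftech (key := "Lean kernel")}[kernel]`, while every reference added elsewhere in this patch is written `{tech}[kernel]` with no key, so those references look the term up under the text "kernel" rather than under the declared key "Lean kernel". Unless `tech` also matches on the rendered text, they will not resolve to this definition; either drop the custom key (`{deftech}[kernel]`, so the key is derived from the text) or reference it as `{tech (key := "Lean kernel")}[kernel]`, the same pattern this line already uses for `{tech (key := "trust")}[trusted]`.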
@@ -71,7 +71,7 @@ While working interactively with Lean, once the theorem is proved, blue double c
## Significance
-
The blue ticks indicate that the theoremstatementhasbeensuccessfullyelaborated,accordingtothesyntaxandtypeclassinstancesdefinedinthecurrentfileanditsimports,andthattheLeankernelhasacceptedaproofofthattheoremstatementthatfollowsfromthedefinitions,theoremsandaxiomsdeclaredinthecurrentfileanditsimports.
+
The blue ticks indicate that the theoremstatementhasbeensuccessfullyelaborated,accordingtothesyntaxandtypeclassinstancesdefinedinthecurrentfileanditsimports,andthattheLean{tech}[kernel] has accepted a proof of that theoremstatementthatfollowsfromthedefinitions,theoremsandaxiomsdeclaredinthecurrentfileanditsimports.
## Trust
@@ -151,7 +151,7 @@ Build your project using {lake}`build`, run `lean4checker --fresh` on the module
## Significance
-
The `lean4checker` tool reads the declarations and proofs as they are stored by `lean` during building (the {tech}[`.olean` files]), and replays them through the kernel.
+
The `lean4checker` tool reads the declarations and proofs as they are stored by `lean` during building (the {tech}[`.olean` files]), and replays them through the {tech}[kernel].
It trusts that the {tech}[`.olean` files] are structurally correct.
## Trust
@@ -163,7 +163,7 @@ This check is meaningful if one believes the authors of the imported libraries t
:::listBullet "🛡️"
(In addition to the list above)
-
* Bugs in Lean’s core handling of the kernel’s state (e.g. due to parallel proof processing, or import handling)
+
* Bugs in Lean’s core handling of the {tech}[kernel]’s state (e.g. due to parallel proof processing, or import handling)
* Meta-programs or tactics intentionally bypassing that state (e.g. using low-level functionality to add unchecked theorems)
:::
@@ -195,7 +195,7 @@ In a trusted environment, write the theorem *statement* (the “challenge”), a
Comparator will build the proof in a sandboxed environment, to protect against {tech}[malicious] code in the build step.
The proof term is exported to a serialized format.
-
Outside the sandbox and out of the reach of possibly malicious code, it validates the exported format, replays the proofs using both Lean's kernel and/or an external checker and also ensures that the proved theoremstatementsmatchthoseinthetrustedchallengefile.
+
Outside the sandbox and out of the reach of possibly malicious code, it validates the exported format, replays the proofs using both Lean's {tech}[kernel] and/or an external checker and also ensures that the proved theoremstatementsmatchthoseinthetrustedchallengefile.
## Trust
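Review bot: The rewritten sentence at line 198 keeps the contradictory phrase "replays the proofs using both Lean's {tech}[kernel] and/or an external checker": "both" requires two checkers while "and/or" allows one. Since the line is being touched anyway, resolve it to agree with the Comments section at line 215, which says `comparator` supports the official kernel and `nanoda`, for example "replays the proofs using Lean's {tech}[kernel], an external checker, or both".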
@@ -212,7 +212,7 @@ This check is meaningful if the theorem statement in the trusted challenge file
## Comments
-
At the time of writing, `comparator` supports using the official Lean kernel and the external checker [`nanoda`](https://github.com/ammkrn/nanoda_lib), which is developed independently and implemented in Rust. The [Lean Kernel Arena](https://arena.lean-lang.org/) features more external checkers that can be used manually for even more confidence.
+
At the time of writing, `comparator` supports using the official Lean {tech}[kernel] and the external checker [`nanoda`](https://github.com/ammkrn/nanoda_lib), which is developed independently and implemented in Rust. The [Lean Kernel Arena](https://arena.lean-lang.org/) features more external checkers that can be used manually for even more confidence.
# Remaining Issues
@@ -233,12 +233,12 @@ tag := "validating-trustCompiler"
%%%
Lean supports proofs by native evaluation.
-
This is used by the {tactic}`decide`{keywordOf Lean.Parser.Tactic.decide}` +native` tactic or internally by specific tactics ({tactic}`bv_decide` in particular) and produces proof terms that call compiled Lean code to do a calculation that is then trusted by the kernel.
+
This is used by the {tactic}`decide`{keywordOf Lean.Parser.Tactic.decide}` +native` tactic or internally by specific tactics ({tactic}`bv_decide` in particular) and produces proof terms that call compiled Lean code to do a calculation that is then trusted by the {tech}[kernel].
Specific uses wrapped in {tech}[honest] tactics (e.g. {tactic}`bv_decide`) are generally trustworthy.
The trusted code base is larger (it includes Lean's compilation toolchain and library annotations in the standard library), but still fixed and vetted.
-
General use ({tactic}`decide`{keywordOf Lean.Parser.Tactic.decide}` +native` or direct use of {name}`Lean.ofReduceBool`) can be used to create invalid proofs whenever the native evaluation of a term disagrees with the kernel's evaluation.
+
General use ({tactic}`decide`{keywordOf Lean.Parser.Tactic.decide}` +native` or direct use of {name}`Lean.ofReduceBool`) can be used to create invalid proofs whenever the native evaluation of a term disagrees with the {tech}[kernel]'s evaluation.
In particular, for every {attr}`implemented_by`/{attr}`extern` attribute in libraries it becomes part of the trusted code base that the replacement is semantically equivalent.
All these uses show up as an axiom {name}`Lean.trustCompiler`in {keywordOf Lean.Parser.Command.printAxioms}`#print axioms`.