--
You received this message because you are subscribed to the Google Groups "Metamath" group.
To unsubscribe from this group and stop receiving emails from it, send an email to metamath+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/metamath/CAFXXJSt_99WS9eusOuNv9iL%2BF665_APRLJQ9jVUqXzxer1GCZA%40mail.gmail.com.
A question: when translating to Lean, do you have to depend on classical logic (ie "open classical"), or are you somehow able to avoid that?
--On Wed, Jul 29, 2020 at 10:11 AM Mario Carneiro <di....@gmail.com> wrote:--Mario CarneiroFor those who might be interested, I just presented MM0 at the CICM conference, and the video is now on youtube:(It occurs to me that I should have announced this *before* the talk, in case folks were interested in registering for free in order to attend directly. You can still ask questions here if you want.)
https://youtu.be/CxS0ONDfWJg
You received this message because you are subscribed to the Google Groups "Metamath" group.
To unsubscribe from this group and stop receiving emails from it, send an email to metamath+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/metamath/CAFXXJSt_99WS9eusOuNv9iL%2BF665_APRLJQ9jVUqXzxer1GCZA%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "Metamath" group.
To unsubscribe from this group and stop receiving emails from it, send an email to metamath+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/metamath/CADBEgNM6WD4rYwrFqJQ1sE5z%3DL%2BZAy2b7h5jyEqd0%2Bug%2BSaoeQ%40mail.gmail.com.
Hi Mario,Very nice talk, thank you for posting it.Is it ok to ask some basic questions? It is a really nice project you are doing and I would love to understand it, however I am afraid I am not so strong in all this stuff. Feel free not to answer if you are busy, that is no problem, if it's ok I'll just write what I think and then maybe you could tell me where I have got confused?So I understand about metamath. You have some hypotheses and a theorem and a list of substitutions which use rules from the database or hypotheses to establish the theorem. I also understand that there is a question around whether you can trust the verifier, so we have 5 independent ones to improve that.I think I also get a little of the idea of formal verification for programs, so you have some abstract model of a computation system (like x86) and using that you prove that, if the hardware executes the model accurately, that the program will give the output you want. Like maybe some function called Prime(X) which returns 0 for primes and 1 for non-primes, you could prove that, if this terminates, the answer will be correct. However I guess there is still the problem of trusting the verifier (whether human or machine). I also have never seen a verification of a program so if you know any beginner materials on it I'd be interested.I think you're trying to combine both of these right? From what I understand of your system there's MM0, which is a verifier, which takes and mm0 and mmb files and checks if the proof is correct. I assume this is much like the metamath verifiers? Then there is MM1 which is a tool for generating mm0 and mmb files which is not verified but it doesn't matter because it's output is checked so how the output was generated is not important.And then there is MMC which is a language which compiles programs and also creates proofs of the correctness of those programs? So if I write some program, like Prime(X), the compiler will output some machine code and also a proof that Prime(X) does what it is specified to do, on x86, up to the assumption that the hardware executes the model correctly? And the idea is to write the MM0 verifier in MMC so that it is verified during the compilation process which gives confidence in it?
If that is all reasonably correct I guess where I am confused is how you are doing this reflexive verification.I would have thought, naively, that for justifying any program, X, you have 3 options. Firstly you can assume X is valid. Secondly you can use Y to justify X, the problem of this is that it's then justifications all the way down. Thirdly you can use X to justify X, as in if the program is a program verifier then you can feed it into itself and if it says it's good then it's good.However I don't understand how that's not circular? For example consider the verifier: For all input return "this program is verified." That has the ability to verify itself and will come out with a positive response however I don't think it's really established anything particularly meaningful. I guess I can't see on a philosophical level how you can get out of that trap.
Is it more of a strengthening exercise where you can't be sure that it's verified but the probability of MMC having a mistake and then MM0 having a mistake becomes super low or something?
If you're interested in answering, and I can totally understand if you're not, could you go easy on me when explaining? I get easily confused. Thanks, Jon.
Thanks so much for your nice response Mario. I think the work you’re doing is really awesome and I’m very thankful that you would take your time to explain things to me. I feel similarly with everyone else in this community, I’m so impressed by everyone here.I dig the idea that each independent check decreases the probability of being wrong, so I can see how formal proofs in multiple proof assistants on multiple machines makes it unlikely that MM0 is flawed, that makes a lot of sense. I also see why having MM0 be as small as possible is very good. I also guess there are philosophical problems around creating something provably logically infallible.Can I ask about how MMC proofs work? So I had a little look at formal verification for software and it showed techniques like exhaustively searching the state space or using automated induction, are you thinking along these lines where the computer will run a standard algorithm for each program?
Or is it more like an MM proof where there are explicit steps? For example Prime(X) is the sort of function which I can’t really imagine checking in an automated way as there are so many inputs, though maybe there is some nice induction depending on how it works (a sieve of Eratosthenes might be amenable to an inductive proof for example).
Does the user have to specify the steps themselves or can the compiler help generate them or is it a totally different system? If MMC produces proofs which are checkable by MM0 does that mean they are similar to MM proofs in style? It’s interesting to me that MM0 can check both MM proofs and x86 proofs and yet remain small, that is very intriguing.
If so there has been a lot of work to build up the set.mm database of proofs, is there a similar process to build up MMC functions and their associated proofs? For example given a verified addition function you could build a multiplication function and then a function for the multiplication of matrices or something.
I think these formal methods are obviously the future of mathematics so it’s really cool to be able to watch them develop. I also think there may be interesting applications to The AI Control Problem, for example letting an AI expand its capabilities iff it can prove the expanded system is constrained in the same way it is constrained itself. There is some similar paradigm to what you are doing about a system verifying itself (or it's offspring). This sounds like it might make it feasible to control an arbitrarily sophisticated system which is cool because without control there are a lot of worries. I asked Stuart Russel about it in a Reddit AMA and he said he’s considered formal proofs as a method for AI Control which is interesting. I’ve watched enough Stargate SG-1 to know I don’t want to have to deal with replicators.
Awesome Mario, thanks for the response, it takes me a few days to respond because I have to think a lot ha ha.I can see how fully symbolic proofs are better. I can also see how you arrived at this place if separation logic has been implemented in COQ and HOL, it feels like a big step from MM.It makes sense too that x86 can be formally specified. I think it’s really clever that the compiler can progressively refine the proof down to lower levels, this lets the humans just read the high level stuff which is cool. Do you have the x86 definitions in a file somewhere? I’d be interested to see them, though may well not understand.
Can I ask what the relationship between MM1 and MMC is? For example if I am writing a program in MMC can I use MM1 to help me produce the high level proof for the program or is MM1 more a tool for making MM0 proofs only? I imagine some sort of proof assistant for MMC would be helpful.
I am also curious as to what else you want to use MMC for, it feels like you’re building a whole, very sophisticated, programming language just to write one program in it (MM0). Do you have other ideas for projects? I can imagine there are a lot of applications for things like aerospace, cryptography and finance etc where people need really robust code.
How far through implementing all this are you? I know you’ve done quite a lot of it which is impressive. What are your next steps?
Also do you want any help? I am 99% sure I don’t have any skills which could be of use to you and I am trying to help with the OpenAI proof assistant a bit when I have energy so I don’t think I will be able to help much. However I do love this field so want to get more into it and if others are reading this they may be interested too.
Mostly I’d just like to be encouraging, what you’re doing is incredible. I think formal methods are definitely the future.