Proof assistants as a tool for thought
![Page 1: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/1.jpg)
Proof assistants as a tool for thought
Katherine Ye
Tools for thought workshop, March ’16
@hypotext
![Page 2: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/2.jpg)
circa 1700
![Page 3: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/3.jpg)
Disputants unable to agree would not waste much time in futile argument...
Leibniz (Harrison)
![Page 4: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/4.jpg)
Calculemus!
![Page 5: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/5.jpg)
1. universal language
2. calculus for reasoning
![Page 6: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/6.jpg)
Proof assistant: Coq
![Page 7: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/7.jpg)
1. universal language
2. calculus for reasoning
![Page 8: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/8.jpg)
1. universal language
2. calculus for reasoning
3. rich environment
![Page 9: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/9.jpg)
High-assurance cryptography
New foundations for math
Program synthesis
Verifying hardware
Proofs as stories
Formally verifying that God exists...
![Page 10: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/10.jpg)
![Page 11: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/11.jpg)
Example 1: math, induction
Credit to “Software Foundations,” Pierce et al.
![Page 12: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/12.jpg)
Say we want to prove something about
adding natural numbers.
![Page 13: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/13.jpg)
Inductive nat : Set :=
  | O : nat
  | S : nat -> nat.

Fixpoint plus (x y : nat) :=
  match x with
  | O => y
  | S x' => S (plus x' y)
  end.
Natural number = either 0
or 1 + a nat
![Page 14: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/14.jpg)
Inductive nat : Set :=
  | O : nat
  | S : nat -> nat.

Fixpoint plus (x y : nat) :=
  match x with
  | O => y
  | S x' => S (plus x' y)
  end.

0 + y = y
(1 + x’) + y = 1 + (x’ + y)
![Page 15: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/15.jpg)
Inductive nat : Set :=
  | O : nat
  | S : nat -> nat.

Fixpoint plus (x y : nat) :=
  match x with
  | O => y
  | S x' => S (plus x' y)
  end.

(* O = 0, S O = 1, S (S O) = 2 *)
Eval compute in (plus O O). (* 0 + 0 = 0 *)
“Unit tests”
![Page 16: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/16.jpg)
Inductive nat : Set :=
  | O : nat
  | S : nat -> nat.

Fixpoint plus (x y : nat) :=
  match x with
  | O => y
  | S x' => S (plus x' y)
  end.
![Page 17: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/17.jpg)
“Unit tests” aren't enough. Now we want to prove that our
computational `plus` satisfies the properties of the mathematical +.
![Page 18: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/18.jpg)
Theorem add0_left_id : forall (n : nat), plus O n = n.
Proof.
  intros n. simpl. reflexivity.
Qed.
0 is a left identity
![Page 19: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/19.jpg)
Theorem add0_left_id : forall (n : nat), plus O n = n.
Proof.
  intros n. simpl. reflexivity.
Qed.

Fixpoint plus (x y : nat) :=
  match x with
  | O => y
  | S x' => S (plus x' y)
  end.
By definition
![Page 20: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/20.jpg)
Theorem add0_left_id : forall (n : nat), plus O n = n.
Proof.
  intros n. simpl. reflexivity.
Qed.

Fixpoint plus (x y : nat) :=
  match x with
  | O => y
  | S x' => S (plus x' y)
  end.
![Page 21: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/21.jpg)
0 is a right identity

Fixpoint plus (x y : nat) :=
  match x with
  | O => y
  | S x' => S (plus x' y)
  end.
![Page 22: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/22.jpg)
![Page 23: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/23.jpg)
![Page 24: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/24.jpg)
![Page 25: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/25.jpg)
![Page 26: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/26.jpg)
![Page 27: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/27.jpg)
![Page 28: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/28.jpg)
![Page 29: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/29.jpg)
![Page 30: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/30.jpg)
![Page 31: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/31.jpg)
Exercise for the reader:
Theorem plus_commutativity :
  forall (n m : nat), plus n m = plus m n.
![Page 32: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/32.jpg)
Example 2: large real-world
verification
![Page 33: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/33.jpg)
![Page 34: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/34.jpg)
1. Functional correctness (logic, program analysis)
2. Security (math, probability, program analysis)
![Page 35: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/35.jpg)
![Page 36: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/36.jpg)
5+ months of work by 4 authors
~15,000 lines of Coq code, most of which will not be read by other people
![Page 37: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/37.jpg)
Time for cognitive dissonance!
![Page 38: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/38.jpg)
The house believes that Coq is an incredible
tool for thought.
![Page 39: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/39.jpg)
The house believes that Coq is a terrible tool
for thought.
![Page 40: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/40.jpg)
The house believes that Coq is an incredible
tool for thought.
![Page 41: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/41.jpg)
Built on top of:
written notation
![Page 42: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/42.jpg)
Built on top of:
written notation
text editors
![Page 43: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/43.jpg)
Built on top of:
written notation
text editors
Gallina
![Page 44: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/44.jpg)
Built on top of:
written notation
text editors
Gallina
Ltac
![Page 45: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/45.jpg)
Built on top of:
written notation
text editors
Gallina
Ltac
checker
![Page 46: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/46.jpg)
Built on top of:
written notation
text editors
Gallina
Ltac
checker
REPL/IDE
![Page 47: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/47.jpg)
Started from the bottom, now we here
![Page 48: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/48.jpg)
Proof entrepreneur: fail fast,
minimum viable proof...
![Page 49: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/49.jpg)
Proof state bookkeeping: assumptions, definitions, goals
![Page 50: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/50.jpg)
Computation, evaluation, automation
![Page 51: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/51.jpg)
[Diagram: a Try / Fail / Fix cycle, annotated "Brain says: this isn’t right... I think" and "Maybe right?"]
![Page 52: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/52.jpg)
[Diagram: a Try / Fail / Fix cycle, annotated "Coq says: This is locally wrong! Wrong type / Can’t prove it / Can’t use tactic / Strange computation"]
![Page 53: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/53.jpg)
Sketching with lemmas
![Page 54: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/54.jpg)
[Diagram: Goal and Lemmas 1 to 5; labels "admitted" (×6) and "Coq: OK!" (×5)]
![Page 55: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/55.jpg)
[Diagram: Goal and Lemmas 1 to 5; labels "QED" (×6) and "Coq: OK!" (×5)]
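The "sketching with lemmas" workflow above, applied to the commutativity statement the talk leaves as an exercise. This is an added example, not code from the talk: the helper lemma names `add0_right_id` and `plus_S_right` and the `Sketch` module layout are chosen here for illustration.

```coq
(* Definitions as on the slides. They shadow the standard library's nat/plus. *)
Inductive nat : Set :=
  | O : nat
  | S : nat -> nat.

Fixpoint plus (x y : nat) : nat :=
  match x with
  | O => y
  | S x' => S (plus x' y)
  end.

(* Step 1: sketch. State the helper lemmas, admit them, and check that the
   goal follows from them. Coq accepts the goal, but only relative to the
   admitted statements. *)
Module Sketch.
  Lemma add0_right_id : forall n : nat, plus n O = n.
  Admitted.

  Lemma plus_S_right : forall n m : nat, plus n (S m) = S (plus n m).
  Admitted.

  Theorem plus_commutativity : forall n m : nat, plus n m = plus m n.
  Proof.
    intros n m.
    induction n as [| n' IHn'].
    - (* plus O m = plus m O *)
      simpl. rewrite add0_right_id. reflexivity.
    - (* plus (S n') m = plus m (S n') *)
      simpl. rewrite IHn'. rewrite plus_S_right. reflexivity.
  Qed.

  (* Audit step: reports every axiom the theorem depends on, which
     includes lemmas closed with Admitted. *)
  Print Assumptions plus_commutativity.
End Sketch.

(* Step 2: discharge each admitted lemma with a real proof. *)
Lemma add0_right_id : forall n : nat, plus n O = n.
Proof.
  induction n as [| n' IHn'].
  - reflexivity.
  - simpl. rewrite IHn'. reflexivity.
Qed.

Lemma plus_S_right : forall n m : nat, plus n (S m) = S (plus n m).
Proof.
  intros n m.
  induction n as [| n' IHn'].
  - reflexivity.
  - simpl. rewrite IHn'. reflexivity.
Qed.

(* Same proof script as in the sketch, now resting on proved lemmas. *)
Theorem plus_commutativity : forall n m : nat, plus n m = plus m n.
Proof.
  intros n m.
  induction n as [| n' IHn'].
  - simpl. rewrite add0_right_id. reflexivity.
  - simpl. rewrite IHn'. rewrite plus_S_right. reflexivity.
Qed.

(* Re-run the audit on the finished theorem before trusting it. *)
Print Assumptions plus_commutativity.
```

Running `Print Assumptions` on the top-level theorem of a large development is the quick check that no admitted lemma is still hiding under a proof that the checker accepted.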
![Page 56: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/56.jpg)
Math as a game
![Page 57: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/57.jpg)
You don’t have to remember all the rules
yourself.
![Page 58: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/58.jpg)
x + 20 = y
x = y - 20
![Page 59: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/59.jpg)
x + 20 = y
x + 20 - 20 = y - 20
x = y - 20
![Page 60: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/60.jpg)
Civilization advances by extending the number of important operations which can be performed without thinking about them.
Whitehead
![Page 61: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/61.jpg)
Goal: beat the level.
Proof state: inventory.
Tactics: moves.
Checker: walls.
![Page 62: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/62.jpg)
![Page 63: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/63.jpg)
We need Coq in order to keep doing math.
![Page 64: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/64.jpg)
A technical argument by a trusted author ... is hardly ever checked in detail.
Voevodsky, Fields medalist
![Page 65: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/65.jpg)
The only real long-term solution to the problem is to start using computers in the verification of mathematical reasoning.
Voevodsky, Fields medalist
![Page 66: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/66.jpg)
We need proofs that are less error-prone and more ... mechanically verifiable.
Bellare, cryptographer
![Page 67: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/67.jpg)
Many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor.
Bellare, cryptographer
(100+ citations!)
![Page 68: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/68.jpg)
Pro-Coq:
1. Programmer affordances
2. Math as a game
3. “Crisis of rigor”
![Page 69: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/69.jpg)
The house believes that Coq is a terrible tool
for thought.
![Page 70: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/70.jpg)
Calculemus?
![Page 71: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/71.jpg)
Games are designed for humans to solve.
Math isn’t!
![Page 72: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/72.jpg)
What could go wrong?
![Page 73: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/73.jpg)
Your theorem is:
too specific, so you need to generalize
straight-up wrong, so you need a counterexample
true, but you need to be creative
true, but you discarded the One Ring
![Page 77: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/77.jpg)
![Page 78: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/78.jpg)
Work on paper first, then in computer :(
![Page 79: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/79.jpg)
Coq blindfolds the intuition.
We’re not “Coq natives”!
![Page 80: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/80.jpg)
Built on top of:
written notation
text editors
Gallina
Ltac
checker
IDE
![Page 81: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/81.jpg)
Started from the bottom... now we’re back.
![Page 82: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/82.jpg)
[Diagram: the Try / Fail / Fix cycle repeated many times, each failure annotated "Coq says: This is locally wrong! Wrong type / Can’t prove it / Can’t use tactic / Strange computation", ending in "????"]
![Page 83: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/83.jpg)
REPLs are alive
and make us reactive
![Page 84: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/84.jpg)
[Diagram: a Try / Fail / Fix cycle, annotated "Brain says: this isn’t right... I think."]
![Page 85: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/85.jpg)
Paper is calm
and makes us active
![Page 86: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/86.jpg)
Paper forces us to figure out what’s going on,
formulate a hypothesis
![Page 87: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/87.jpg)
So, Coq makes proofs harder to write.
![Page 88: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/88.jpg)
...and harder to read!
![Page 89: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/89.jpg)
“write-only”
![Page 90: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/90.jpg)
![Page 91: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/91.jpg)
what are we trying to prove??
![Page 92: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/92.jpg)
Check fcf_oracle_eq_until_bad.
Locate fcf_oracle_eq_until_bad.
![Page 93: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/93.jpg)
Why applied with these arguments?
![Page 94: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/94.jpg)
What are all of these subgoals?
![Page 95: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/95.jpg)
What hypothesis did I use?
![Page 96: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/96.jpg)
Wait, that proved the theorem???!!
![Page 97: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/97.jpg)
No sense of hierarchy, importance, narrative. Where’s the intuition?
![Page 98: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/98.jpg)
Written by computers, for computers
![Page 99: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/99.jpg)
Intuition Intuition
Proof
![Page 100: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/100.jpg)
Intuition Intuition
Proof
Ok Ok
???
![Page 101: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/101.jpg)
The role of the human is not to understand,
but to trust.
![Page 102: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/102.jpg)
Text is a double-edged sword.
![Page 103: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/103.jpg)
Powerful ways to manipulate and search
text...
![Page 104: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/104.jpg)
...but not pictures.
![Page 105: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/105.jpg)
Machine Checkable Pictorial Mathematics
Proof by ASCII art
![Page 106: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/106.jpg)
The house believes that Coq is an incredible
tool for thought.
![Page 107: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/107.jpg)
Programmers’ affordances: precise language, instant feedback (correctness
checking, REPL)
![Page 108: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/108.jpg)
“You don’t have to know all the rules.”
![Page 109: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/109.jpg)
Our only hope.
![Page 110: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/110.jpg)
The house believes that Coq is a terrible tool
for thought.
![Page 111: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/111.jpg)
By computers, for computers.
![Page 112: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/112.jpg)
Destroys intuition.
![Page 113: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/113.jpg)
Built on top of:
written notation
text editors
Gallina
Ltac
checker
IDE
![Page 114: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/114.jpg)
How can we make proof assistants
“intuition assistants”?
![Page 115: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/115.jpg)
Incremental improvements
![Page 116: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/116.jpg)
Visualize theorem dependency tree
![Page 117: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/117.jpg)
![Page 118: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/118.jpg)
“Explanatory,” human-readable proofs:
diff proof states
![Page 119: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/119.jpg)
Translate proofs into English
or a better tactic language
![Page 120: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/120.jpg)
A Declarative Language For The Coq Proof Assistant, Corbineau
![Page 121: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/121.jpg)
Different interfaces for different areas of math
![Page 122: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/122.jpg)
One visual interface: Ancient Greek Geometry
![Page 123: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/123.jpg)
Calculemus is necessary—but not sufficient!
![Page 124: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/124.jpg)
Thanks!
Katherine Ye
@hypotext
![Page 125: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/125.jpg)
Appendix
![Page 126: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/126.jpg)
Example 3: program equivalence
![Page 127: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/127.jpg)
![Page 128: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/128.jpg)
![Page 129: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/129.jpg)
![Page 130: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/130.jpg)
![Page 131: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/131.jpg)
![Page 132: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/132.jpg)
![Page 133: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/133.jpg)
![Page 134: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/134.jpg)
![Page 135: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/135.jpg)
![Page 136: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/136.jpg)
![Page 137: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/137.jpg)
![Page 138: Proof assistants as a tool for thought](https://reader031.fdocuments.net/reader031/viewer/2022013001/61ca626b26b61b01f45249e5/html5/thumbnails/138.jpg)