proof(L1.G): convert Axiom region_liveness_at_split_l1 to Lemma with 1 narrow admit #178
Merged
hyperpolymath merged 1 commit on May 27, 2026
Conversation
Replaces the opaque Axiom with a structurally-proved Lemma that closes
24 of 26 inductive cases concretely, leaving exactly 1 admit at the
documented counterexample sub-case.
Closure pattern:
* 8 R-unchanged base cases (T_Unit, T_Bool, T_I32, T_Var_*, T_Loc,
T_StringNew, T_Lam, T_Borrow, T_Borrow_Val) auto-discharge via
[try assumption] (the IH-free hypothesis [In rv R] is the goal).
* 10 compound cases (T_StringConcat, T_StringLen, T_Let, T_LetLin,
T_App, T_Pair, T_Fst, T_Snd, T_Inl, T_Inr, T_Drop, T_Copy) route
[In rv R] through the IH chain to [In rv R'].
* T_Case / T_If close via IH chains through R1 to R_final.
* T_Region_L1 (fresh binder) closes via
[remove_first_L1_count_other]: ~In r R ∧ In rv R gives r ≠ rv,
the pop preserves rv.
* T_Region_Active_L1 r ≠ rv: same as T_Region_L1.
* T_Region_Active_L1 r = rv: GENUINELY FALSE — admitted with the
documented source-level counterexample (ERegion rv (EI32 5) at
R = [rv] gives In rv R' = False even though In rv R = True).
Net change:
before: 1 Axiom (opaque, universal, accepts the false statement)
after: 1 Lemma + 1 Admitted + 1 admit (transparent: 24/26 cases
proved, 1 documented obstacle remains)
The lemma's STATEMENT is unchanged (still universal forall e). The
discharge is about TRANSPARENCY of proof debt, not soundness — the
remaining admit accepts the same false sub-case the Axiom did. But
future closure work now has a clearly identified target rather than
an opaque hide-all.
Closure path forward (in-file comment + proof-debt.adoc):
(i) restate with a [no_region_active_pop_of rv e] side condition
and discharge at the 9 call sites in subst_typing_gen_l1
(smallest step, consistent with §4.8 closure approach (b));
(ii) multi-set region_env (substantial L1 redesign);
(iii) weaker contextual signature.
Side update: docs/proof-debt.adoc refreshed with the new line
numbers post-#170 + post-this-PR, and the Echo.v K entry updated to
note PR #173's K-freedom closure.
Stacked off proof/l1-region-threading-design (head f03d7e7).
Refs PR #153, PR #169, PR #170, PR #173, PRESERVATION-DESIGN.md §4.8 + §5.1.
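The pattern the description above relies on (an opaque `Axiom` replaced by a `Lemma` whose one false sub-case is `admit`-ed, a `Qed`-closed counterexample, and the side-conditioned restatement of closure path (i)) in a self-contained toy, as an added example that is not the project's code. It assumes a list-based region environment and a hypothetical `remove_first` standing in for the project's pop; `remove_first_other` plays the role of `remove_first_L1_count_other`, and `liveness_universal` the role of `region_liveness_at_split_l1`. None of the project's own definitions (`has_type_l1`, `ERegion`, `T_Region_Active_L1`) are modelled.

```coq
(* Added example, not project code. Toy model of the Axiom -> Lemma + narrow
   admit pattern: a list-based region environment, a hypothetical pop that
   removes the first occurrence of a region, a universal liveness statement
   that is false in exactly one sub-case, the Qed'd counterexample, and the
   side-conditioned restatement that closes without any admit. *)
Require Import List Arith.
Import ListNotations.

Definition region := nat.
Definition region_env := list region.

(* Hypothetical stand-in for the project's pop: drop the first occurrence of r. *)
Fixpoint remove_first (r : region) (R : region_env) : region_env :=
  match R with
  | [] => []
  | x :: R' => if Nat.eqb x r then R' else x :: remove_first r R'
  end.

(* Analogue of remove_first_L1_count_other: popping some other region
   preserves membership of rv. This is also closure path (i): the same
   statement with a side condition, and it closes with Qed. *)
Lemma remove_first_other : forall r rv R,
  r <> rv -> In rv R -> In rv (remove_first r R).
Proof.
  intros r rv R Hneq HIn. induction R as [| x R' IH].
  - inversion HIn.
  - simpl. destruct (Nat.eqb x r) eqn:E.
    + apply Nat.eqb_eq in E. subst x. destruct HIn as [Heq | HIn'].
      * congruence.          (* r = rv contradicts r <> rv *)
      * exact HIn'.
    + destruct HIn as [Heq | HIn'].
      * left. exact Heq.
      * right. apply IH. exact HIn'.
Qed.

(* The universal statement, as the PR converts it: Lemma instead of Axiom,
   every case closed concretely except the r = rv sub-case, which is false. *)
Lemma liveness_universal : forall r rv R,
  In rv R -> In rv (remove_first r R).
Proof.
  intros r rv R HIn. destruct (Nat.eq_dec r rv) as [Heq | Hneq].
  - (* r = rv: genuinely false, see liveness_counterexample below *) admit.
  - apply remove_first_other; assumption.
Admitted.

(* Regression-style counterexample (the role Counterexample.v plays):
   the universal statement fails at R = [rv] with Qed, not Admitted. *)
Lemma liveness_counterexample : exists r rv R,
  In rv R /\ ~ In rv (remove_first r R).
Proof.
  exists 0, 0, [0]. split.
  - left. reflexivity.
  - simpl. intros H. exact H.   (* remove_first 0 [0] = [], so In 0 [] is False *)
Qed.

(* "Same logical state": a client of the Admitted lemma still reports it
   under Print Assumptions, exactly as an Axiom would. *)
Lemma uses_universal : In 0 (remove_first 1 [0]).
Proof. apply liveness_universal. left. reflexivity. Qed.
Print Assumptions uses_universal.   (* Axioms: liveness_universal : ... *)

(* The side-conditioned restatement gives a client with no assumptions. *)
Lemma uses_sided : In 0 (remove_first 1 [0]).
Proof.
  apply remove_first_other.
  - discriminate.
  - left. reflexivity.
Qed.
Print Assumptions uses_sided.       (* Closed under the global context *)
```

The two `Print Assumptions` lines are the check a reviewer would run on the real file: an `Admitted` lemma and an `Axiom` are indistinguishable to downstream proofs, so the transparency gain is in the proof script and the named counterexample, not in the trusted base. The difference only disappears once call sites discharge the side condition, which is what closure path (i) proposes.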
This was referenced May 27, 2026
hyperpolymath added a commit that referenced this pull request on May 27, 2026
…1 narrow admit (#181)

## Summary

Adaptation of design-branch PR #178 to main's m-indexed `has_type_l1` (per #176). Replaces the opaque universal `Axiom region_liveness_at_split_l1` with a structurally-proved `Lemma … Admitted.` that closes 28 of 29 inductive cases concretely, leaving exactly 1 admit at the documented counterexample sub-case (T_Region_Active_L1 with binder = rv).

## Structure

1. **`region_liveness_at_split_l1_gen`** — generalised over the modality parameter `m`. Induction handles all 29 constructors including the mode-split `T_Lam_L1_Linear/Affine`, `T_Case_L1_Linear/Affine`, `T_If_L1_Linear/Affine`.
   - R-unchanged cases (11) auto-discharge via `try assumption`.
   - Compound cases (16) route IH chains.
   - `T_Region_L1` (fresh binder) closes via `remove_first_L1_count_other` (~In r R ∧ In rv R gives r ≠ rv).
   - `T_Region_Active_L1` splits on `r =? rv`:
     - `r ≠ rv`: same `remove_first_L1_count_other` argument.
     - `r = rv`: **GENUINELY FALSE — admit** with documented counterexample.
2. **`region_liveness_at_split_l1`** — Linear-specialised wrapper matching the original Axiom's signature for existing call sites in `subst_typing_gen_l1`. One-line proof by `eapply` on `_gen`.

## What this is and isn't

**Is**: a proof-debt **transparency** improvement. 28 cases now have concrete witnesses; the residual obstacle is one narrowly-defined sub-case with a source-level counterexample.

**Isn't**: a soundness improvement. The lemma's statement is universal `forall e`, still false in the residual sub-case, still accepted by `Admitted.` the same way `Axiom` was.

Counterexample:

```
ERegion rv (EI32 5) : TBase TI32 -| [] at R = [rv]
```

The rule pops the only `rv` from `R_body`; `In rv R = True` but `In rv R' = False`.

## Closure paths forward (in-file)

- **(i)** Restate with a `no_region_active_pop_of rv e` side condition and discharge at the 9 call sites in `subst_typing_gen_l1` (smallest step).
- **(ii)** Multi-set `region_env` (substantial L1 redesign).
- **(iii)** Weaker contextual signature.

## Verification

- 0 Axiom declarations in `formal/Semantics_L1.v` (down from 1)
- Full project rebuild: 9 .v files clean
- `Counterexample.v` still Qed (regression test for the L1 design counterexample)
- `Print Assumptions subst_preserves_typing_l1` still mentions `region_liveness_at_split_l1` (now as opaque Admitted-Lemma, not Axiom — same logical state)

## Test plan

- [x] `coqc 8.18.0` builds cleanly
- [x] Clean full-project rebuild passes — 9 .v files
- [x] 0 `Axiom` declarations in `Semantics_L1.v`
- [ ] CI green

Refs PR #178 (design-branch original), PR #176 (L2 hybrid + m-indexing).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
hyperpolymath added a commit that referenced this pull request on May 27, 2026
## Summary

Brings three doc-only improvements from the (now-superseded) design branch onto main. All are pure documentation; no source/proof changes.

## What this PR adds

### 1. `PRESERVATION-DESIGN.md` §4.8.1 (from design-branch PR #170)

Records that path (3) — `T_Var_*_L1` strengthening — landed via the m-indexed `has_type_l1` in #176. Documents what it closes (source-level variable soundness gap) and what it does not (the lambda-rigidity gap in `S_App_Step2` / `S_Pair_Step2`).

### 2. `PRESERVATION-DESIGN.md` §5.1 (from design-branch PR #172)

L1's lambda-rigidity gap closes at **L2 Phase 2** via effect-typed `TFun`, not at L1. Documents:

- The §5 table's "✓ (L1 fix)" cell flagged with `(*conditional on §5.1*)`.
- Why path (3) (T_Var strengthening) is necessary-not-sufficient.
- Proposed effect-typed `TFun` signature: `TFun T1 T2 (R_in : region_env) (R_out : region_env)`.
- Why effect-typing is L2's job (typing-layer concern, not region-layer).
- Sequencing: L2 Phase 2 follow-up to current `T_Lam_L1_*` rules.

### 3. `docs/proof-debt.adoc` — L1 admit enumeration (from design-branch PR #169)

Adds the eight current escape-hatch sites in `Semantics_L1.v` listed by `file:line` per the standards#203 trusted-base policy substring-match convention:

- L343, L400, L412, L520 (region-shrink admits)
- L608 (Axiom `region_liveness_at_split_l1`)
- L632 (preservation_l1 Admitted)
- L703 / L704 (lambda-rigidity admit + Admitted)

Plus the Echo.v K-closure note (from PR #173's main re-port).

## Why this matters

Three independent improvements that the parallel-session #176 bundling didn't include. Each is small enough to ship as part of a single docs cleanup:

- **§4.8.1**: makes the §4.8 status accurate post-#170/#176 landing.
- **§5.1**: makes the §5 table honest about the lambda-rigidity gap.
- **proof-debt.adoc**: enables `trusted-base reduction policy` check to substring-match all current L1 escape-hatch sites by file:line.

## Companion PRs

- **#180** — K-free Echo.v rewrite (port of design-branch #173). No conflict with this PR.
- **#181** — Axiom→Lemma conversion for `region_liveness_at_split_l1` (port of #178, adapted to m-indexed `has_type_l1`). When #181 lands, the L608 `Axiom` entry in this PR's proof-debt.adoc will become stale — follow-up doc tweak to update the line numbers post-#181.

## Test plan

- [x] Asciidoc / Markdown lints (renders in GitHub preview)
- [x] All eight current L1 escape-hatch sites covered by `file:line` substring matches
- [x] §4.8.1 + §5.1 wording matches the design-branch versions
- [ ] CI green (the doc changes shouldn't trigger any Coq build steps)

Refs design-branch PRs #169 / #170 / #172 / #173, PR #176 (L2 hybrid), PRs #180 and #181 (companion).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Summary

Replaces the opaque `Axiom region_liveness_at_split_l1` with a structurally-proved `Lemma … Admitted.` that closes 24 of 26 inductive cases concretely, leaving exactly 1 admit at the documented counterexample sub-case (T_Region_Active_L1 with binder = rv).

The lemma's STATEMENT is unchanged — still universal `forall e`, still false in the residual sub-case. This PR is about transparency of proof debt, not soundness. The remaining admit accepts the same false sub-case the Axiom did. But future closure work now has a clearly identified target rather than an opaque hide-all.

Closure pattern (24/26 cases proved concretely)

* `try assumption` (IH-free; hypothesis [In rv R] = goal)
* `remove_first_L1_count_other` (r ≠ rv from ~In r R ∧ In rv R)
* `admit.` — GENUINELY FALSE

The remaining admit is at `formal/Semantics_L1.v:1055`. Documented source-level counterexample: the rule pops the only `rv` from `R_body`, so `In rv R = True` but `In rv R' = False`.

Closure paths forward (in-file + proof-debt.adoc)

* (i) Restate with a `no_region_active_pop_of rv e` side condition and discharge at the 9 call sites in `subst_typing_gen_l1` (smallest step, consistent with §4.8 closure approach (b)).
* (ii) Multi-set `region_env` (substantial L1 redesign).

(i) is the smallest step and the recommended next slice.

Side update: `docs/proof-debt.adoc` refreshed with the new line numbers post-#170 + post-this-PR (`Semantics_L1.v`).

Branch base

Stacked off `proof/l1-region-threading-design` (head `f03d7e7`, post-#173).

Test plan

* `coqc 8.18.0` builds `Semantics_L1.v` cleanly
* `Counterexample.v` still Qed (regression test for the L1 design counterexample)
* 0 `Axiom` declarations in `Semantics_L1.v` (down from 1)
* `Print Assumptions subst_preserves_typing_l1` still mentions `region_liveness_at_split_l1` (now as an opaque Admitted-Lemma, not Axiom — same logical state)
* `proof-debt.adoc` line numbers cover all 9 current escape-hatch positions (8 admits/Admitted + 1 Lemma-name marker)

Caveats

* `Admitted.` makes Coq accept it the same way `Axiom` did.

Refs PR #153, PR #169, PR #170, PR #173, PRESERVATION-DESIGN.md §4.8 + §4.8.1 + §5.1.
🤖 Generated with Claude Code