Extended (Noncomputable) Interval Evaluation #

This file implements the noncomputable interval evaluator for LeanCert.Core.Expr, supporting exp with floor/ceil bounds and partial evaluation for inv/log.

Main definitions #

evalInterval - Noncomputable interval evaluator supporting exp
evalInterval_correct - Correctness theorem for extended evaluation
evalInterval? - Partial (Option-returning) evaluator with inv/log support
evalInterval?_correct - Correctness theorem for partial evaluation

Design notes #

The extended evaluator uses Real.exp with floor/ceil bounds, which requires noncomputability. For computability, use evalIntervalCore instead.

The partial evaluator evalInterval? returns none when:

The denominator interval for inv contains zero
The argument interval for log is not strictly positive
The argument for atanh is not in (-1, 1)

When it returns some I, correctness is guaranteed.

Extended interval evaluation (noncomputable, supports exp) #

source

noncomputable def LeanCert.Engine.evalInterval (e : Core.Expr) (ρ : IntervalEnv) :

Core.IntervalRat

Noncomputable interval evaluator supporting exp.

For supported expressions (const, var, add, mul, neg, sin, cos, exp), this computes correct interval bounds with a fully-verified proof.

For unsupported expressions (inv, log), returns a default interval. Do not rely on results for expressions containing inv or log. Use evalInterval? for partial functions like inv and log.

This evaluator is NONCOMPUTABLE due to exp using Real.exp with floor/ceil.

Equations

LeanCert.Engine.evalInterval (LeanCert.Core.Expr.const q) ρ = LeanCert.Core.IntervalRat.singleton q
LeanCert.Engine.evalInterval (LeanCert.Core.Expr.var idx) ρ = ρ idx
LeanCert.Engine.evalInterval (e₁.add e₂) ρ = (LeanCert.Engine.evalInterval e₁ ρ).add (LeanCert.Engine.evalInterval e₂ ρ)
LeanCert.Engine.evalInterval (e₁.mul e₂) ρ = (LeanCert.Engine.evalInterval e₁ ρ).mul (LeanCert.Engine.evalInterval e₂ ρ)
LeanCert.Engine.evalInterval e_2.neg ρ = (LeanCert.Engine.evalInterval e_2 ρ).neg
LeanCert.Engine.evalInterval e_2.inv ρ = default
LeanCert.Engine.evalInterval e_2.exp ρ = (LeanCert.Engine.evalInterval e_2 ρ).expInterval
LeanCert.Engine.evalInterval e_2.sin ρ = LeanCert.Engine.sinInterval (LeanCert.Engine.evalInterval e_2 ρ)
LeanCert.Engine.evalInterval e_2.cos ρ = LeanCert.Engine.cosInterval (LeanCert.Engine.evalInterval e_2 ρ)
LeanCert.Engine.evalInterval e_2.log ρ = default
LeanCert.Engine.evalInterval e_2.atan ρ = LeanCert.Engine.atanInterval (LeanCert.Engine.evalInterval e_2 ρ)
LeanCert.Engine.evalInterval e_2.arsinh ρ = LeanCert.Engine.arsinhInterval (LeanCert.Engine.evalInterval e_2 ρ)
LeanCert.Engine.evalInterval e_2.atanh ρ = default
LeanCert.Engine.evalInterval e_2.sinc ρ = { lo := -1, hi := 1, le := LeanCert.Engine.evalInterval._proof_1 }
LeanCert.Engine.evalInterval e_2.erf ρ = { lo := -1, hi := 1, le := LeanCert.Engine.evalInterval._proof_1 }
LeanCert.Engine.evalInterval e_2.sinh ρ = default
LeanCert.Engine.evalInterval e_2.cosh ρ = default
LeanCert.Engine.evalInterval e_2.tanh ρ = default
LeanCert.Engine.evalInterval e_2.sqrt ρ = (LeanCert.Engine.evalInterval e_2 ρ).sqrtInterval
LeanCert.Engine.evalInterval LeanCert.Core.Expr.pi ρ = LeanCert.Engine.piInterval

Instances For

source

theorem LeanCert.Engine.evalInterval_correct (e : Core.Expr) (hsupp : ExprSupported e) (ρ_real : ℕ → ℝ) (ρ_int : IntervalEnv) (hρ : envMem ρ_real ρ_int) :

Core.Expr.eval ρ_real e ∈ evalInterval e ρ_int

Fundamental correctness theorem for extended evaluation.

This theorem is FULLY PROVED (no sorry, no axioms) for supported expressions. The hsupp hypothesis ensures we only consider expressions in the verified subset.

Convenience functions #

Note: evalIntervalCore now uses Taylor series for exp/sin/cos, which gives different (often tighter) intervals than evalInterval's floor/ceil bounds. Both are correct, but they are not necessarily equal.

For purely algebraic expressions (const, var, add, mul, neg), both evaluators give identical results.

source

noncomputable def LeanCert.Engine.evalInterval1 (e : Core.Expr) (I : Core.IntervalRat) :

Core.IntervalRat

Noncomputable single-variable evaluation for extended expressions

Equations

LeanCert.Engine.evalInterval1 e I = LeanCert.Engine.evalInterval e fun (x : ℕ) => I

Instances For

source

theorem LeanCert.Engine.evalInterval1_correct (e : Core.Expr) (hsupp : ExprSupported e) (x : ℝ) (I : Core.IntervalRat) (hx : x ∈ I) :

Core.Expr.eval (fun (x_1 : ℕ) => x) e ∈ evalInterval1 e I

Correctness for single-variable extended evaluation

Partial interval evaluation with inv support #

source

def LeanCert.Engine.evalIntervalLogDepth :

ℕ

Partial (Option-returning) interval evaluator supporting inv.

For expressions with inv, this evaluator returns none if the denominator interval contains zero, and some I with a correct enclosure otherwise.

This allows safe interval evaluation of expressions like 1/x when we can verify the denominator is bounded away from zero.

For expressions without inv, this always returns some with the same result as evalInterval.

Equations

LeanCert.Engine.evalIntervalLogDepth = 60

Instances For

source

def LeanCert.Engine.evalIntervalExpDepth :

ℕ

Equations

LeanCert.Engine.evalIntervalExpDepth = 30

Instances For

source

def LeanCert.Engine.evalInterval? (e : Core.Expr) (ρ : IntervalEnv) :

Option Core.IntervalRat

Equations

One or more equations did not get rendered due to their size.
LeanCert.Engine.evalInterval? (LeanCert.Core.Expr.const q) ρ = some (LeanCert.Core.IntervalRat.singleton q)
LeanCert.Engine.evalInterval? (LeanCert.Core.Expr.var idx) ρ = some (ρ idx)
LeanCert.Engine.evalInterval? (e₁.add e₂) ρ = match LeanCert.Engine.evalInterval? e₁ ρ, LeanCert.Engine.evalInterval? e₂ ρ with | some I₁, some I₂ => some (I₁.add I₂) | x, x_1 => none
LeanCert.Engine.evalInterval? (e₁.mul e₂) ρ = match LeanCert.Engine.evalInterval? e₁ ρ, LeanCert.Engine.evalInterval? e₂ ρ with | some I₁, some I₂ => some (I₁.mul I₂) | x, x_1 => none
LeanCert.Engine.evalInterval? e_2.neg ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some I => some I.neg | none => none
LeanCert.Engine.evalInterval? e_2.exp ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some I => some (I.expComputable LeanCert.Engine.evalIntervalExpDepth) | none => none
LeanCert.Engine.evalInterval? e_2.sin ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some I => some (LeanCert.Engine.sinInterval I) | none => none
LeanCert.Engine.evalInterval? e_2.cos ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some I => some (LeanCert.Engine.cosInterval I) | none => none
LeanCert.Engine.evalInterval? e_2.atan ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some I => some (LeanCert.Engine.atanInterval I) | none => none
LeanCert.Engine.evalInterval? e_2.arsinh ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some I => some (LeanCert.Engine.arsinhInterval I) | none => none
LeanCert.Engine.evalInterval? e_2.atanh ρ = none
LeanCert.Engine.evalInterval? e_2.sinc ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some val => some { lo := -1, hi := 1, le := LeanCert.Engine.evalInterval._proof_1 } | none => none
LeanCert.Engine.evalInterval? e_2.erf ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some val => some { lo := -1, hi := 1, le := LeanCert.Engine.evalInterval._proof_1 } | none => none
LeanCert.Engine.evalInterval? e_2.sinh ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some I => some (LeanCert.Engine.sinhInterval I) | none => none
LeanCert.Engine.evalInterval? e_2.cosh ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some I => some (LeanCert.Engine.coshInterval I) | none => none
LeanCert.Engine.evalInterval? e_2.tanh ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some I => some (LeanCert.Engine.tanhInterval I) | none => none
LeanCert.Engine.evalInterval? e_2.sqrt ρ = match LeanCert.Engine.evalInterval? e_2 ρ with | some I => some I.sqrtInterval | none => none
LeanCert.Engine.evalInterval? LeanCert.Core.Expr.pi ρ = some LeanCert.Engine.piInterval

Instances For

source

theorem LeanCert.Engine.evalInterval?_correct (e : Core.Expr) (hsupp : ExprSupportedWithInv e) (ρ_int : IntervalEnv) (I : Core.IntervalRat) (hsome : evalInterval? e ρ_int = some I) (ρ_real : ℕ → ℝ) (hρ : envMem ρ_real ρ_int) :

Core.Expr.eval ρ_real e ∈ I

Main correctness theorem for evalInterval? (approach 1 from plan).

When evalInterval? returns some I:

The expression evaluates to a value in I for all ρ_real ∈ ρ_int
All inv denominators along the evaluation are guaranteed nonzero (because their intervals don't contain zero)

This follows your suggestion to keep ExprSupported syntactic and add separate semantic hypotheses. The key insight is that if evalInterval? succeeds (returns Some), the interval arithmetic has already verified that no denominator interval contains zero.

source