provably.lean4¶
Lean4 backend — generate and check Lean4 proofs from @verified contracts.
HAS_LEAN4¶
bool — True if the lean command is available on $PATH.
LEAN4_VERSION¶
str — version string from lean --version, or "" if Lean4 is not installed.
verify_with_lean4()¶
Verify a function using Lean4 instead of (or in addition to) Z3. Returns a
ProofCertificate with z3_version set to "lean4:<version>".
from provably import verify_with_lean4
def clamp(val: float, lo: float, hi: float) -> float:
if val < lo: return lo
elif val > hi: return hi
else: return val
cert = verify_with_lean4(
clamp,
pre=lambda val, lo, hi: lo <= hi,
post=lambda val, lo, hi, result: (result >= lo) & (result <= hi),
)
cert.status # Status.VERIFIED (if Lean4 closes the proof)
cert.z3_version # "lean4:leanprover/lean4:v4.x.0"
cert.solver_time_ms # wall-clock ms in lean
| Parameter | Type | Default | Description |
|---|---|---|---|
func |
Callable |
required | The function to verify |
pre |
Callable \| None |
None |
Precondition lambda |
post |
Callable \| None |
None |
Postcondition lambda |
timeout_s |
float |
60.0 |
Lean4 type-check timeout in seconds |
When Lean4 is not installed, returns a SKIPPED certificate with an installation hint.
export_lean4()¶
Export a @verified function as a Lean4 theorem file. Returns the Lean4 source
code as a string. Optionally writes to a file.
from provably import export_lean4
lean_code = export_lean4(
clamp,
pre=lambda val, lo, hi: lo <= hi,
post=lambda val, lo, hi, result: (result >= lo) & (result <= hi),
output_path="clamp.lean",
)
print(lean_code)
# -- Auto-generated by provably.lean4
# import Mathlib.Tactic
# noncomputable def clamp_impl ...
# theorem clamp_verified ...
| Parameter | Type | Default | Description |
|---|---|---|---|
func |
Callable |
required | The function to export |
pre |
Callable \| None |
None |
Precondition lambda |
post |
Callable \| None |
None |
Postcondition lambda |
output_path |
str \| Path \| None |
None |
Write Lean4 source to this path |
Does not require Lean4 to be installed (generates code only).
Pipeline¶
The Lean4 backend follows the same flow as the Z3 backend:
- Parse function AST + contracts
- Generate Lean4
noncomputable deffrom the function body - Generate
theorem ... := by unfold; split_ifs <;> nlinarith - Write to a temp
.leanfile - Run
leanto type-check - Return
ProofCertificatewith outcome
Limitations¶
- Same arithmetic subset as Z3 translator (no recursion, no data structures)
- Transcendental functions (
exp,cos,log) are axiomatized - For-loop unrolling produces verbose Lean4 proofs
- Slower than Z3 (compiles to native code)
- Requires Lean4 + Mathlib for
nlinarithtactic
Installation¶
# Install elan (Lean4 version manager)
brew install elan-init # macOS
# or: curl -sSf https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh | sh
# Set stable toolchain
elan default stable
provably.lean4 ¶
Lean4 backend — generate and check Lean4 proofs from @verified contracts.
Translates Python functions with pre/post conditions into Lean4 theorem statements + tactic proofs. The Lean4 type checker then serves as an independent verification oracle (cross-checking Z3 results).
Pipeline
- Parse function AST + contracts (same as Z3 backend)
- Generate Lean4 theorem statement from pre/post
- Generate tactic proof sketch (nlinarith/omega/simp/linarith)
- Write to temp .lean file
- Run
leanto type-check - Return ProofCertificate with status and lean4 proof text
Requirements
- Lean4 installed (via elan):
brew install elan-init && elan default stable - No Mathlib needed for basic arithmetic theorems (uses Lean4 stdlib)
Limitations
- Only supports the same arithmetic subset as the Z3 translator
- Transcendental functions (exp, cos, log) are axiomatized
- For-loop unrolling produces verbose proofs
- Slower than Z3 (compiles to native code)
Classes¶
Functions¶
check_lean4_proof ¶
Write Lean4 code to a temp file and check it.
Returns (success, output).
Source code in src/provably/lean4.py
export_lean4 ¶
export_lean4(func: Any, pre: Any | None = None, post: Any | None = None, output_path: str | Path | None = None) -> str
Export a @verified function as a Lean4 theorem file.
Returns the Lean4 source code. Optionally writes to output_path.
Source code in src/provably/lean4.py
549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 | |
generate_lean4_theorem ¶
generate_lean4_theorem(func_name: str, param_names: list[str], param_types: dict[str, type], pre_str: str | None, post_str: str | None, source: str) -> str
Generate a complete Lean4 file with theorem statement + proof attempt.
Uses the Z3 string representations of pre/post conditions translated to Lean4 syntax.
Source code in src/provably/lean4.py
verify_with_lean4 ¶
verify_with_lean4(func: Any, pre: Any | None = None, post: Any | None = None, timeout_s: float = 60.0) -> ProofCertificate
Verify a function using Lean4 instead of (or in addition to) Z3.
Same interface as verify_function but uses Lean4 type checker.
Source code in src/provably/lean4.py
395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 | |