Conversation
…mination
Task 2 (Informal Spec): formal-verification/specs/alphafilter_informal.md
- Precise pre/postconditions for AlphaFilter::update (first-order IIR filter)
- Documents the no-overshoot safety property (key autopilot invariant)
- Concrete examples, edge cases, open questions
Task 4+5 (Lean spec + proofs): formal-verification/lean/FVSquad/AlphaFilter.lean
- Lean 4 model of alphaUpdate over Rat
- 9 theorems proved: fixed_point, alpha_zero, alpha_one,
no_overshoot_up (both bounds), no_overshoot_down upper bound,
mono_sample, iterated zero case
- 3 sorry remain: alphaUpdate_ge_sample (mul-by-nonpositive),
alphaUpdate_mono_state (ring step), alphaIterate_formula succ case
Task 5 (Proof Assistance): formal-verification/lean/FVSquad/Deadzone.lean
- Eliminated both remaining sorry from deadzone_le_one (negative branch)
and deadzone_ge_neg_one by direct Rat arithmetic proofs
- Deadzone now has 12 proved theorems, 0 sorry
lake build: passed (Lean 4.29.0), 3 sorry remain in AlphaFilter.lean
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions Bot
added a commit
that referenced
this pull request
Apr 14, 2026
…ility critique update (run35) Task 5 (Proof Assistance): Add ExpoDeadzone.lean — formal specification and proofs for the combined expo(deadzone(v, dz), e) RC input pipeline. 8 theorems proved (0 sorry, lake build passes): - expodz_in_dz: inside-deadzone input → exactly 0 - expodz_in_range: output always ∈ [-1, 1] (unconditional) - expodz_zero: zero input → zero output for dz ≥ 0 - expodz_at_one / expodz_at_neg_one: ±1 are fixed points for dz ∈ [0, 1) - expodz_e0: e=0 (linear expo) reduces to pure deadzone - expodz_cubic: e=1 (full cubic expo) gives (deadzone v dz)³ - expodz_no_dz: dz=0 recovers exactly expoRat (no-deadzone degeneration) Proofs compose expo_* and deadzone_* theorems from prior Lean files, demonstrating compositional verification of the two-stage RC pipeline. Also registers ExpoDeadzone + MedianFilter + SuperExpo in FVSquad.lean. Task 7 (Proof Utility Critique): Update CRITIQUE.md to reflect current state: - 15 targets, 172 theorems, 166 proved, 6 sorry (WrapAngle wrapRat only) - Add SuperExpo, MedianFilter, ExpoDeadzone rows to proved-theorems table - Update gaps: add expodz_odd as next high-priority target - Add positive findings #10-12 (MedianFilter spike rejection, superexpo denom-positive safety, expo+deadzone composition correctness) - Update Known Sorry-Guarded section (14 files, 0 sorry except WrapAngle) > ✅ Proofs verified: lake build passed with Lean 4.29.0. 0 sorry in new file. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions Bot
added a commit
that referenced
this pull request
Apr 14, 2026
…ility critique update (run35) Task 5 (Proof Assistance): Add ExpoDeadzone.lean — formal specification and proofs for the combined expo(deadzone(v, dz), e) RC input pipeline. 8 theorems proved (0 sorry, lake build passes): - expodz_in_dz: inside-deadzone input → exactly 0 - expodz_in_range: output always ∈ [-1, 1] (unconditional) - expodz_zero: zero input → zero output for dz ≥ 0 - expodz_at_one / expodz_at_neg_one: ±1 are fixed points for dz ∈ [0, 1) - expodz_e0: e=0 (linear expo) reduces to pure deadzone - expodz_cubic: e=1 (full cubic expo) gives (deadzone v dz)³ - expodz_no_dz: dz=0 recovers exactly expoRat (no-deadzone degeneration) Proofs compose expo_* and deadzone_* theorems from prior Lean files, demonstrating compositional verification of the two-stage RC pipeline. Also registers ExpoDeadzone + MedianFilter + SuperExpo in FVSquad.lean. Task 7 (Proof Utility Critique): Update CRITIQUE.md to reflect current state: - 15 targets, 172 theorems, 166 proved, 6 sorry (WrapAngle wrapRat only) - Add SuperExpo, MedianFilter, ExpoDeadzone rows to proved-theorems table - Update gaps: add expodz_odd as next high-priority target - Add positive findings #10-12 (MedianFilter spike rejection, superexpo denom-positive safety, expo+deadzone composition correctness) - Update Known Sorry-Guarded section (14 files, 0 sorry except WrapAngle) > ✅ Proofs verified: lake build passed with Lean 4.29.0. 0 sorry in new file. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
This PR delivers two completed tasks and contributes to a third:
Task 5 (Proof Assistance): Eliminates the 2 remaining
sorryinDeadzone.lean— the range-bound theoremsdeadzone_le_oneanddeadzone_ge_neg_oneare now fully proved.Deadzone.leannow has 12 proved theorems and 0 sorry.Task 2 (Informal Spec): Adds a precise informal specification for
AlphaFilter::updatedocumenting pre/postconditions, no-overshoot safety property, and open questions for maintainers.Task 4+5 (Lean Spec + Proofs): Adds
AlphaFilter.leanwith 9 proved theorems and 3 documentedsorry.Changes
formal-verification/lean/FVSquad/Deadzone.leanProves the two theorems that previously required
sorry:deadzone_le_one(negative branch): Whenx < 0and|x| > dz, the output is(x + dz)/(1 − dz) < 0 ≤ 1. Key steps:|x| = −xviaRat.abs_of_nonpos, thenx < −dzviaRat.neg_lt_neg_iff, then showx + dz < 0using the same pattern asdeadzone_neg.deadzone_ge_neg_one: Full case split: (1) in-deadzone → output = 0 ≥ −1; (2) positive branch → output > 0 ≥ −1; (3) negative branch → uses−(1−dz) ≤ x+dz(from−1 ≤ x, adddz) and the calc chain−1 = −(1−dz)·(1−dz)⁻¹ ≤ (x+dz)·(1−dz)⁻¹.formal-verification/specs/alphafilter_informal.md(new)Informal specification for
AlphaFilter::updateCalculation:new = (1−α)·old + α·sample(convex blend)min(state, sample) ≤ new_state ≤ max(state, sample)formal-verification/lean/FVSquad/AlphaFilter.lean(new)Lean 4 model over
Rat:Proved (9 theorems):
alphaUpdate_fixed: sample = state → no changealphaUpdate_alpha_zero: α=0 → state frozenalphaUpdate_alpha_one: α=1 → state = sample immediatelyalphaUpdate_le_sample/alphaUpdate_ge_state: no-overshoot upper/lower bound (upward case)alphaUpdate_no_overshoot_up: combinedstate ≤ new_state ≤ samplealphaUpdate_le_state: upper bound downward case (new_state ≤ state)alphaUpdate_mono_sample: monotone in sample inputalphaIterate_formula(base case):state₀ = target + (state₀ − target) · (1−α)⁰3
sorryremain (documented):alphaUpdate_ge_sample: needs multiply-by-nonpositive lemma (mul_le_mul_of_nonpos_right, not in stdlib without Mathlib)alphaUpdate_mono_state: ring step —(s₁−s₂)·(1−α) ≤ 0alphaIterate_formula(inductive step): ring manipulationVerification Status
Key Correctness Properties Proved
The no-overshoot upward case is the key safety property: when
state ≤ sample, the filter output strictly remains in[state, sample]— it never overshoots. This is critical for autopilot rate/attitude controllers where filter transients could destabilise the aircraft.🔬 This PR was created by Lean Squad automated formal verification.