The optional external LLL provider. lll probes an @[extern] hook for
an independent native reducer, marshals the basis, and certifies the
returned candidate with certCheck; absence or rejection falls through
to the exact lllNative path. The provider is acceleration only.
External LLL provider #
Optional runtime hook for an external reducer (e.g. fpLLL) reached through the
C FFI shim in HexLLL/ffi/. A provider is installed either by the explicit
Lean loader Hex.lll.loadProvider (which dlopens a named shared library) or,
for a provider linked into the process, by a one-shot static-symbol probe;
there is no environment-variable read and no implicit dlopen.
providerAvailable reports whether a provider is currently installed; when none
is present, or a returned candidate fails validation, callers fall back to the
verified native reducer lllNative. The provider is acceleration only and is
never part of the trusted path — every candidate it returns is checked before
use. See SPEC/hex-lll.md for the dispatch and certification details.
Install the external provider from the shared library at path: dlopen
the library, resolve lean_fplll_lll_reduce from it, and set the process
provider slot. Returns true on success and false when the library cannot be
loaded or the symbol is missing (the loader diagnostic is written to stderr).
This is the raw FFI entry point behind the public Hex.lll.loadProvider.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
Equations
Instances For
Diagnostic counters for attempts to use the external LLL provider.
absent counts calls made when the provider is unavailable, providerError
counts provider-level failures, rejected counts structurally invalid provider
responses, and accepted counts responses decoded into a Candidate.
Instances For
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
Equations
- One or more equations did not get rendered due to their size.
- Hex.Internal.LLLProvider.instBEqDiagnostics.beq x✝¹ x✝ = false
Instances For
Equations
Equations
- One or more equations did not get rendered due to their size.
Instances For
Equations
- Hex.Internal.LLLProvider.instBEqOutcome.beq x✝ y✝ = (x✝.ctorIdx == y✝.ctorIdx)
Instances For
Increment the diagnostic counter matching outcome.
Equations
- Hex.Internal.LLLProvider.bump d Hex.Internal.LLLProvider.Outcome.absent = { absent := d.absent + 1, providerError := d.providerError, rejected := d.rejected, accepted := d.accepted }
- Hex.Internal.LLLProvider.bump d Hex.Internal.LLLProvider.Outcome.providerError = { absent := d.absent, providerError := d.providerError + 1, rejected := d.rejected, accepted := d.accepted }
- Hex.Internal.LLLProvider.bump d Hex.Internal.LLLProvider.Outcome.rejected = { absent := d.absent, providerError := d.providerError, rejected := d.rejected + 1, accepted := d.accepted }
- Hex.Internal.LLLProvider.bump d Hex.Internal.LLLProvider.Outcome.accepted = { absent := d.absent, providerError := d.providerError, rejected := d.rejected, accepted := d.accepted + 1 }
Instances For
Reset the external-provider diagnostics counters to zero. Test and bench harnesses use this to isolate one run's provider availability, rejection, and acceptance counts.
Equations
Instances For
Read the external-provider diagnostics accumulated since the last
resetDiagnostics. The snapshot is the observability hook for deciding whether
the external reducer was absent, failed, returned malformed data, or supplied a
candidate accepted by the decoder.
Instances For
Increment the external-provider diagnostic counter for outcome. This is
the IO entry point used by provider calls; pure LLL code uses
withRecordOutcome to record the same classifications without changing its
surface type.
Equations
Instances For
Decode the external reducer's flat integer response into a structured
Candidate. The decoder checks the status word, row/column headers, inverse
flag, and total payload length before slicing out the reduced basis,
transformation, and optional inverse; any mismatch returns none, so malformed
provider output cannot enter the certified path.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Try to obtain an LLL candidate from the external provider. The call records
why no candidate was used (absent, provider error, or rejected flat payload)
and returns some candidate only after validateFlat accepts the provider's
response shape.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Side-effecting companion of recordOutcome callable from pure code.
Definitionally k, so kernel reduction and proofs treat it as identity on the
continuation. The @[implemented_by] attribute redirects compiled code to a
side-effecting implementation that bumps diagnosticsRef via unsafeBaseIO
before returning k, giving us the diagnostic tally that the SPEC requires
without forcing lll into IO. The pattern mirrors Init.Util.withPtrEq.
Equations
Instances For
Pure-facing wrapper that records one external-provider outcome in compiled
code and otherwise returns k. This lets the public reducer stay pure while
compiled runs still populate diagnosticsRef for provider observability.
Equations
Instances For
Size-reduction bound requested from the external reducer, strictly
stronger than the η = 11/20 the checker certifies.
The dispatch asks the reducer for a (requestedDelta δ, requestedEta)-reduced
basis but certifies it against the public (δ, 11/20). The two differ on
purpose. certCheck's reducedness clause is decided by a fixed-precision
enclosure pass that resolves open inequalities only by margin; a candidate
whose |μ| sits arbitrarily close to 11/20 would leave the enclosure
straddling its threshold and force the exact fallback. Requesting
requestedEta < 11/20 instead guarantees a correctly-functioning reducer
lands every size-reduction inequality a macroscopic 11/20 − requestedEta
clear of the certified bound, so the enclosure decides it.
requestedEta must stay > 1/2 (the reducer's hard floor) and < 11/20.
Its exact value is untrusted: certification is against the exact (δ, 11/20),
so the requested bound is outside the trusted story entirely (the
"reliability is empirical, soundness is not" clause). Varying it within
(1/2, 11/20) only trades reducer work against enclosure margin; it cannot
make a non-reduced basis certify. The value 107/200 sits a gap of 3/200
below 11/20 and 7/200 above 1/2: a narrow gap from the certified bound
keeps the small amount of extra work the stronger request costs the reducer
inside measurement noise, while still clearing the bound by a margin the
enclosure resolves. It is a Rat, forwarded to the reducer through
ratToFloat like requestedDelta, so the design constant and the certified
bound are comparable rationals.
Equations
- Hex.Internal.LLLProvider.requestedEta = 107 / 200
Instances For
Lovász parameter requested from the external reducer: a fixed 1/100
margin above the caller's δ, but never past the midpoint (δ + 1)/2
between δ and 1.
Mirrors requestedEta: the dispatch certifies the candidate against the
caller's exact δ but asks the reducer for the stronger requestedDelta δ,
so a correctly-functioning reducer clears every Lovász inequality by a
positive margin (requestedDelta δ − δ)·d[i+1]² and the enclosure decides it
rather than straddling.
The midpoint cap is what keeps the request strictly between δ and 1 over
the whole public surface δ ≤ 1. For δ ≤ 49/50 the 1/100 term wins and
the margin is the full 1/100; for 49/50 < δ < 1 the midpoint wins and the
margin is (1 − δ)/2, still positive, so δ < requestedDelta δ < 1 holds for
every δ < 1. At the boundary δ = 1 the midpoint is 1: no value is both
> δ and < 1, so the request equals the certified δ and the prophylactic
gap is unavoidably lost — a candidate the reducer cannot strengthen there
falls back through certification to the native path, which stays sound.
The Lovász condition governs how many swaps the reducer performs, so the
requested δ drives the extra work the stronger request costs; the small
1/100 margin keeps that cost inside measurement noise while still giving the
enclosure a decisive gap.
Untrusted, exactly as requestedEta: the certificate is checked against the
exact δ, never against this value, so the margin may vary without touching
soundness.
Instances For
Bundled output of the shape/cert pipeline: the reduced basis B',
the two integer transforms, and a proof that they pass Hex.certCheck at
(δ, 11/20). Bundling the proof inside the option lets the extraction lemma
read it off as a projection.
Equations
- Hex.Internal.LLLProvider.CertifiedTriple B δ = ((B' : Hex.Matrix Int n m) ×' (U : Hex.Matrix Int n n) ×' (V : Hex.Matrix Int n n) ×' Hex.certCheck B B' U V δ (11 / 20) = true)
Instances For
Pure shape/cert pipeline run on a flat provider payload. Validates the
header, reshapes the reduced basis and the two transforms, and runs
Hex.certCheck at η = 11/20. Returns the bundled certified triple on
acceptance and none on any failure.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Pure certified-dispatch core. Gates on providerAvailable () first so the
native path pays only the cached probe; marshals input and certifies the
candidate when the provider is present; updates the diagnostic tally via
withRecordOutcome on each outcome.
Returns the certified reduced basis B' on acceptance and none on absent /
provider error / shape rejection / certificate rejection. The Mathlib-free
correctness hook is dispatch_some_certCheck.
Equations
- One or more equations did not get rendered due to their size.
Instances For
An accepted dispatch result exhibits the integer transforms witnessing
certCheck B B' U V δ (11/20) = true. The property-level extraction
((same lattice, B'.independent, isLLLReduced B' δ (11/20))) is certCheck's
soundness theorem in HexLLLMathlib.