Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Contribute to GitLab
Sign in
Toggle navigation
C
cpdt
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
research
cpdt
Commits
296d3c0d
Commit
296d3c0d
authored
Jul 30, 2012
by
Adam Chlipala
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Vertical spacing pass, through end of Subset
parent
7df920f6
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
37 additions
and
51 deletions
+37
-51
Coinductive.v
src/Coinductive.v
+5
-5
Predicates.v
src/Predicates.v
+19
-26
Subset.v
src/Subset.v
+13
-20
No files found.
src/Coinductive.v
View file @
296d3c0d
...
@@ -29,7 +29,7 @@ We spent some time in the last chapter discussing the %\index{Curry-Howard corre
...
@@ -29,7 +29,7 @@ We spent some time in the last chapter discussing the %\index{Curry-Howard corre
Fixpoint
bad
(
u
:
unit
)
:
P
:=
bad
u
.
Fixpoint
bad
(
u
:
unit
)
:
P
:=
bad
u
.
]]
]]
This
would
leave
us
with
[
bad
tt
]
as
a
proof
of
[
P
]
.
%
\
smallskip
{}%
This
would
leave
us
with
[
bad
tt
]
as
a
proof
of
[
P
]
.
There
are
also
algorithmic
considerations
that
make
universal
termination
very
desirable
.
We
have
seen
how
tactics
like
[
reflexivity
]
compare
terms
up
to
equivalence
under
computational
rules
.
Calls
to
recursive
,
pattern
-
matching
functions
are
simplified
automatically
,
with
no
need
for
explicit
proof
steps
.
It
would
be
very
hard
to
hold
onto
that
kind
of
benefit
if
it
became
possible
to
write
non
-
terminating
programs
;
we
would
be
running
smack
into
the
halting
problem
.
There
are
also
algorithmic
considerations
that
make
universal
termination
very
desirable
.
We
have
seen
how
tactics
like
[
reflexivity
]
compare
terms
up
to
equivalence
under
computational
rules
.
Calls
to
recursive
,
pattern
-
matching
functions
are
simplified
automatically
,
with
no
need
for
explicit
proof
steps
.
It
would
be
very
hard
to
hold
onto
that
kind
of
benefit
if
it
became
possible
to
write
non
-
terminating
programs
;
we
would
be
running
smack
into
the
halting
problem
.
...
@@ -167,14 +167,13 @@ Section map'.
...
@@ -167,14 +167,13 @@ Section map'.
Variables
A
B
:
Type
.
Variables
A
B
:
Type
.
Variable
f
:
A
->
B
.
Variable
f
:
A
->
B
.
(
*
begin
thide
*
)
(
*
begin
thide
*
)
(
**
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
CoFixpoint
map
'
(
s
:
stream
A
)
:
stream
B
:=
CoFixpoint
map
'
(
s
:
stream
A
)
:
stream
B
:=
match
s
with
match
s
with
|
Cons
h
t
=>
interleave
(
Cons
(
f
h
)
(
map
'
t
))
(
Cons
(
f
h
)
(
map
'
t
))
|
Cons
h
t
=>
interleave
(
Cons
(
f
h
)
(
map
'
t
))
(
Cons
(
f
h
)
(
map
'
t
))
end
.
end
.
]]
]]
%
\
vspace
{-
.15
in
}%
We
get
another
error
message
about
an
unguarded
recursive
call
.
*
)
We
get
another
error
message
about
an
unguarded
recursive
call
.
*
)
End
map
'
.
End
map
'
.
...
@@ -378,9 +377,10 @@ Qed.
...
@@ -378,9 +377,10 @@ Qed.
Theorem
ones_eq
'
:
stream_eq
ones
ones
'
.
Theorem
ones_eq
'
:
stream_eq
ones
ones
'
.
cofix
;
crush
.
cofix
;
crush
.
(
**
[[
(
**
%
\
vspace
{-
.25
in
}%
[[
Guarded
.
Guarded
.
]]
]]
%
\
vspace
{-
.25
in
}%
*
)
*
)
Abort
.
Abort
.
...
...
src/Predicates.v
View file @
296d3c0d
...
@@ -35,18 +35,17 @@ Reset unit.
...
@@ -35,18 +35,17 @@ Reset unit.
(
**
The
so
-
called
%
\
index
{
Curry
-
Howard
correspondence
}
``
%
#
"#Curry-Howard correspondence#"
#
%
''
~
\
cite
{
Curry
,
Howard
}%
states
a
formal
connection
between
functional
programs
and
mathematical
proofs
.
In
the
last
chapter
,
we
snuck
in
a
first
introduction
to
this
subject
in
Coq
.
Witness
the
close
similarity
between
the
types
[
unit
]
and
[
True
]
from
the
standard
library
:
*
)
(
**
The
so
-
called
%
\
index
{
Curry
-
Howard
correspondence
}
``
%
#
"#Curry-Howard correspondence#"
#
%
''
~
\
cite
{
Curry
,
Howard
}%
states
a
formal
connection
between
functional
programs
and
mathematical
proofs
.
In
the
last
chapter
,
we
snuck
in
a
first
introduction
to
this
subject
in
Coq
.
Witness
the
close
similarity
between
the
types
[
unit
]
and
[
True
]
from
the
standard
library
:
*
)
Print
unit
.
Print
unit
.
(
**
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
Inductive
unit
:
Set
:=
tt
:
unit
Inductive
unit
:
Set
:=
tt
:
unit
]]
]]
*
)
*
)
Print
True
.
Print
True
.
(
**
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
Inductive
True
:
Prop
:=
I
:
True
Inductive
True
:
Prop
:=
I
:
True
]]
]]
*
)
(
**
Recall
that
[
unit
]
is
the
type
with
only
one
value
,
and
[
True
]
is
the
proposition
that
always
holds
.
Despite
this
superficial
difference
between
the
two
concepts
,
in
both
cases
we
can
use
the
same
inductive
definition
mechanism
.
The
connection
goes
further
than
this
.
We
see
that
we
arrive
at
the
definition
of
[
True
]
by
replacing
[
unit
]
by
[
True
]
,
[
tt
]
by
[
I
]
,
and
[
Set
]
by
[
Prop
]
.
The
first
two
of
these
differences
are
superficial
changes
of
names
,
while
the
third
difference
is
the
crucial
one
for
separating
programs
from
proofs
.
A
term
[
T
]
of
type
[
Set
]
is
a
type
of
programs
,
and
a
term
of
type
[
T
]
is
a
program
.
A
term
[
T
]
of
type
[
Prop
]
is
a
logical
proposition
,
and
its
proofs
are
of
type
[
T
]
.
Chapter
12
goes
into
more
detail
about
the
theoretical
differences
between
[
Prop
]
and
[
Set
]
.
For
now
,
we
will
simply
follow
common
intuitions
about
what
a
proof
is
.
%
\
smallskip
{}%
Recall
that
[
unit
]
is
the
type
with
only
one
value
,
and
[
True
]
is
the
proposition
that
always
holds
.
Despite
this
superficial
difference
between
the
two
concepts
,
in
both
cases
we
can
use
the
same
inductive
definition
mechanism
.
The
connection
goes
further
than
this
.
We
see
that
we
arrive
at
the
definition
of
[
True
]
by
replacing
[
unit
]
by
[
True
]
,
[
tt
]
by
[
I
]
,
and
[
Set
]
by
[
Prop
]
.
The
first
two
of
these
differences
are
superficial
changes
of
names
,
while
the
third
difference
is
the
crucial
one
for
separating
programs
from
proofs
.
A
term
[
T
]
of
type
[
Set
]
is
a
type
of
programs
,
and
a
term
of
type
[
T
]
is
a
program
.
A
term
[
T
]
of
type
[
Prop
]
is
a
logical
proposition
,
and
its
proofs
are
of
type
[
T
]
.
Chapter
12
goes
into
more
detail
about
the
theoretical
differences
between
[
Prop
]
and
[
Set
]
.
For
now
,
we
will
simply
follow
common
intuitions
about
what
a
proof
is
.
The
type
[
unit
]
has
one
value
,
[
tt
]
.
The
type
[
True
]
has
one
proof
,
[
I
]
.
Why
distinguish
between
these
two
types
?
Many
people
who
have
read
about
Curry
-
Howard
in
an
abstract
context
and
not
put
it
to
use
in
proof
engineering
answer
that
the
two
types
in
fact
_
should
not_
be
distinguished
.
There
is
a
certain
aesthetic
appeal
to
this
point
of
view
,
but
I
want
to
argue
that
it
is
best
to
treat
Curry
-
Howard
very
loosely
in
practical
proving
.
There
are
Coq
-
specific
reasons
for
preferring
the
distinction
,
involving
efficient
compilation
and
avoidance
of
paradoxes
in
the
presence
of
classical
math
,
but
I
will
argue
that
there
is
a
more
general
principle
that
should
lead
us
to
avoid
conflating
programming
and
proving
.
The
type
[
unit
]
has
one
value
,
[
tt
]
.
The
type
[
True
]
has
one
proof
,
[
I
]
.
Why
distinguish
between
these
two
types
?
Many
people
who
have
read
about
Curry
-
Howard
in
an
abstract
context
and
not
put
it
to
use
in
proof
engineering
answer
that
the
two
types
in
fact
_
should
not_
be
distinguished
.
There
is
a
certain
aesthetic
appeal
to
this
point
of
view
,
but
I
want
to
argue
that
it
is
best
to
treat
Curry
-
Howard
very
loosely
in
practical
proving
.
There
are
Coq
-
specific
reasons
for
preferring
the
distinction
,
involving
efficient
compilation
and
avoidance
of
paradoxes
in
the
presence
of
classical
math
,
but
I
will
argue
that
there
is
a
more
general
principle
that
should
lead
us
to
avoid
conflating
programming
and
proving
.
...
@@ -84,12 +83,11 @@ We have also already seen the definition of [True]. For a demonstration of a lo
...
@@ -84,12 +83,11 @@ We have also already seen the definition of [True]. For a demonstration of a lo
(
**
There
is
also
a
predicate
[
False
]
,
which
is
the
Curry
-
Howard
mirror
image
of
[
Empty_set
]
from
the
last
chapter
.
*
)
(
**
There
is
also
a
predicate
[
False
]
,
which
is
the
Curry
-
Howard
mirror
image
of
[
Empty_set
]
from
the
last
chapter
.
*
)
Print
False
.
Print
False
.
(
**
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
Inductive
False
:
Prop
:=
Inductive
False
:
Prop
:=
]]
]]
We
can
conclude
anything
from
[
False
]
,
doing
case
analysis
on
a
proof
of
[
False
]
in
the
same
way
we
might
do
case
analysis
on
,
say
,
a
natural
number
.
Since
there
are
no
cases
to
consider
,
any
such
case
analysis
succeeds
immediately
in
proving
the
goal
.
*
)
%
\
smallskip
{}%
We
can
conclude
anything
from
[
False
]
,
doing
case
analysis
on
a
proof
of
[
False
]
in
the
same
way
we
might
do
case
analysis
on
,
say
,
a
natural
number
.
Since
there
are
no
cases
to
consider
,
any
such
case
analysis
succeeds
immediately
in
proving
the
goal
.
*
)
Theorem
False_imp
:
False
->
2
+
2
=
5.
Theorem
False_imp
:
False
->
2
+
2
=
5.
(
*
begin
thide
*
)
(
*
begin
thide
*
)
...
@@ -129,10 +127,9 @@ We have also already seen the definition of [True]. For a demonstration of a lo
...
@@ -129,10 +127,9 @@ We have also already seen the definition of [True]. For a demonstration of a lo
(
**
%
\
vspace
{-
.15
in
}%
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
not
=
fun
A
:
Prop
=>
A
->
False
not
=
fun
A
:
Prop
=>
A
->
False
:
Prop
->
Prop
:
Prop
->
Prop
]]
]]
We
see
that
[
not
]
is
just
shorthand
for
implication
of
[
False
]
.
We
can
use
that
fact
explicitly
in
proofs
.
The
syntax
[
~
P
]
expands
to
[
not
P
]
.
*
)
%
\
smallskip
{}%
We
see
that
[
not
]
is
just
shorthand
for
implication
of
[
False
]
.
We
can
use
that
fact
explicitly
in
proofs
.
The
syntax
[
~
P
]
expands
to
[
not
P
]
.
*
)
Theorem
arith_neq
'
:
~
(
2
+
2
=
5
)
.
Theorem
arith_neq
'
:
~
(
2
+
2
=
5
)
.
(
*
begin
thide
*
)
(
*
begin
thide
*
)
...
@@ -150,12 +147,11 @@ We have also already seen the definition of [True]. For a demonstration of a lo
...
@@ -150,12 +147,11 @@ We have also already seen the definition of [True]. For a demonstration of a lo
(
**
We
also
have
conjunction
,
which
we
introduced
in
the
last
chapter
.
*
)
(
**
We
also
have
conjunction
,
which
we
introduced
in
the
last
chapter
.
*
)
Print
and
.
Print
and
.
(
**
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
Inductive
and
(
A
:
Prop
)
(
B
:
Prop
)
:
Prop
:=
conj
:
A
->
B
->
A
/
\
B
Inductive
and
(
A
:
Prop
)
(
B
:
Prop
)
:
Prop
:=
conj
:
A
->
B
->
A
/
\
B
]]
]]
The
interested
reader
can
check
that
[
and
]
has
a
Curry
-
Howard
equivalent
called
%
\
index
{
Gallina
terms
!
prod
}%
[
prod
]
,
the
type
of
pairs
.
However
,
it
is
generally
most
convenient
to
reason
about
conjunction
using
tactics
.
An
explicit
proof
of
commutativity
of
[
and
]
illustrates
the
usual
suspects
for
such
tasks
.
The
operator
[
/
\
]
is
an
infix
shorthand
for
[
and
]
.
*
)
%
\
smallskip
{}%
The
interested
reader
can
check
that
[
and
]
has
a
Curry
-
Howard
equivalent
called
%
\
index
{
Gallina
terms
!
prod
}%
[
prod
]
,
the
type
of
pairs
.
However
,
it
is
generally
most
convenient
to
reason
about
conjunction
using
tactics
.
An
explicit
proof
of
commutativity
of
[
and
]
illustrates
the
usual
suspects
for
such
tasks
.
The
operator
[
/
\
]
is
an
infix
shorthand
for
[
and
]
.
*
)
Theorem
and_comm
:
P
/
\
Q
->
Q
/
\
P
.
Theorem
and_comm
:
P
/
\
Q
->
Q
/
\
P
.
...
@@ -174,7 +170,8 @@ We have also already seen the definition of [True]. For a demonstration of a lo
...
@@ -174,7 +170,8 @@ We have also already seen the definition of [True]. For a demonstration of a lo
Every
proof
of
a
conjunction
provides
proofs
for
both
conjuncts
,
so
we
get
a
single
subgoal
reflecting
that
.
We
can
proceed
by
splitting
this
subgoal
into
a
case
for
each
conjunct
of
[
Q
/
\
P
]
.%
\
index
{
tactics
!
split
}%
*
)
Every
proof
of
a
conjunction
provides
proofs
for
both
conjuncts
,
so
we
get
a
single
subgoal
reflecting
that
.
We
can
proceed
by
splitting
this
subgoal
into
a
case
for
each
conjunct
of
[
Q
/
\
P
]
.%
\
index
{
tactics
!
split
}%
*
)
split
.
split
.
(
**
2
subgoals
(
**
[[
2
subgoals
H
:
P
H
:
P
H0
:
Q
H0
:
Q
...
@@ -197,13 +194,12 @@ subgoal 2 is
...
@@ -197,13 +194,12 @@ subgoal 2 is
(
**
Coq
disjunction
is
called
%
\
index
{
Gallina
terms
!
or
}%
[
or
]
and
abbreviated
with
the
infix
operator
[
\
/
]
.
*
)
(
**
Coq
disjunction
is
called
%
\
index
{
Gallina
terms
!
or
}%
[
or
]
and
abbreviated
with
the
infix
operator
[
\
/
]
.
*
)
Print
or
.
Print
or
.
(
**
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
Inductive
or
(
A
:
Prop
)
(
B
:
Prop
)
:
Prop
:=
Inductive
or
(
A
:
Prop
)
(
B
:
Prop
)
:
Prop
:=
or_introl
:
A
->
A
\
/
B
|
or_intror
:
B
->
A
\
/
B
or_introl
:
A
->
A
\
/
B
|
or_intror
:
B
->
A
\
/
B
]]
]]
We
see
that
there
are
two
ways
to
prove
a
disjunction
:
prove
the
first
disjunct
or
prove
the
second
.
The
Curry
-
Howard
analogue
of
this
is
the
Coq
%
\
index
{
Gallina
terms
!
sum
}%
[
sum
]
type
.
We
can
demonstrate
the
main
tactics
here
with
another
proof
of
commutativity
.
*
)
%
\
smallskip
{}%
We
see
that
there
are
two
ways
to
prov
a
disjunction
:
prove
the
first
disjunct
or
prove
the
second
.
The
Curry
-
Howard
analogue
of
this
is
the
Coq
%
\
index
{
Gallina
terms
!
sum
}%
[
sum
]
type
.
We
can
demonstrate
the
main
tactics
here
with
another
proof
of
commutativity
.
*
)
Theorem
or_comm
:
P
\
/
Q
->
Q
\
/
P
.
Theorem
or_comm
:
P
\
/
Q
->
Q
\
/
P
.
...
@@ -372,13 +368,12 @@ We will see more about Coq's program extraction facility in a later chapter. Ho
...
@@ -372,13 +368,12 @@ We will see more about Coq's program extraction facility in a later chapter. Ho
%
\
index
{
existential
quantification
}
\
index
{
Gallina
terms
!
exists
}
\
index
{
Gallina
terms
!
ex
}%
Existential
quantification
is
defined
in
the
standard
library
.
*
)
%
\
index
{
existential
quantification
}
\
index
{
Gallina
terms
!
exists
}
\
index
{
Gallina
terms
!
ex
}%
Existential
quantification
is
defined
in
the
standard
library
.
*
)
Print
ex
.
Print
ex
.
(
**
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
Inductive
ex
(
A
:
Type
)
(
P
:
A
->
Prop
)
:
Prop
:=
Inductive
ex
(
A
:
Type
)
(
P
:
A
->
Prop
)
:
Prop
:=
ex_intro
:
forall
x
:
A
,
P
x
->
ex
P
ex_intro
:
forall
x
:
A
,
P
x
->
ex
P
]]
]]
The
family
[
ex
]
is
parameterized
by
the
type
[
A
]
that
we
quantify
over
,
and
by
a
predicate
[
P
]
over
[
A
]
s
.
We
prove
an
existential
by
exhibiting
some
[
x
]
of
type
[
A
]
,
along
with
a
proof
of
[
P
x
]
.
As
usual
,
there
are
tactics
that
save
us
from
worrying
about
the
low
-
level
details
most
of
the
time
.
We
use
the
equality
operator
[
=
]
,
which
,
depending
on
the
settings
in
which
they
learned
logic
,
different
people
will
say
either
is
or
is
not
part
of
first
-
order
logic
.
For
our
purposes
,
it
is
.
*
)
%
\
smallskip
{}%
The
family
[
ex
]
is
parameterized
by
the
type
[
A
]
that
we
quantify
over
,
and
by
a
predicate
[
P
]
over
[
A
]
s
.
We
prove
an
existential
by
exhibiting
some
[
x
]
of
type
[
A
]
,
along
with
a
proof
of
[
P
x
]
.
As
usual
,
there
are
tactics
that
save
us
from
worrying
about
the
low
-
level
details
most
of
the
time
.
We
use
the
equality
operator
[
=
]
,
which
,
depending
on
the
settings
in
which
they
learned
logic
,
different
people
will
say
either
is
or
is
not
part
of
first
-
order
logic
.
For
our
purposes
,
it
is
.
*
)
Theorem
exist1
:
exists
x
:
nat
,
x
+
1
=
2.
Theorem
exist1
:
exists
x
:
nat
,
x
+
1
=
2.
(
*
begin
thide
*
)
(
*
begin
thide
*
)
...
@@ -464,12 +459,11 @@ The definition of [isZero] differs in an important way from all of the other ind
...
@@ -464,12 +459,11 @@ The definition of [isZero] differs in an important way from all of the other ind
For
instance
,
our
definition
[
isZero
]
makes
the
predicate
provable
only
when
the
argument
is
[
0
]
.
We
can
see
that
the
concept
of
equality
is
somehow
implicit
in
the
inductive
definition
mechanism
.
The
way
this
is
accomplished
is
similar
to
the
way
that
logic
variables
are
used
in
%
\
index
{
Prolog
}%
Prolog
,
and
it
is
a
very
powerful
mechanism
that
forms
a
foundation
for
formalizing
all
of
mathematics
.
In
fact
,
though
it
is
natural
to
think
of
inductive
types
as
folding
in
the
functionality
of
equality
,
in
Coq
,
the
true
situation
is
reversed
,
with
equality
defined
as
just
another
inductive
type
!%
\
index
{
Gallina
terms
!
eq
}
\
index
{
Gallina
terms
!
refl
\
_
equal
}%
*
)
For
instance
,
our
definition
[
isZero
]
makes
the
predicate
provable
only
when
the
argument
is
[
0
]
.
We
can
see
that
the
concept
of
equality
is
somehow
implicit
in
the
inductive
definition
mechanism
.
The
way
this
is
accomplished
is
similar
to
the
way
that
logic
variables
are
used
in
%
\
index
{
Prolog
}%
Prolog
,
and
it
is
a
very
powerful
mechanism
that
forms
a
foundation
for
formalizing
all
of
mathematics
.
In
fact
,
though
it
is
natural
to
think
of
inductive
types
as
folding
in
the
functionality
of
equality
,
in
Coq
,
the
true
situation
is
reversed
,
with
equality
defined
as
just
another
inductive
type
!%
\
index
{
Gallina
terms
!
eq
}
\
index
{
Gallina
terms
!
refl
\
_
equal
}%
*
)
Print
eq
.
Print
eq
.
(
**
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
Inductive
eq
(
A
:
Type
)
(
x
:
A
)
:
A
->
Prop
:=
eq_refl
:
x
=
x
Inductive
eq
(
A
:
Type
)
(
x
:
A
)
:
A
->
Prop
:=
eq_refl
:
x
=
x
]]
]]
Behind
the
scenes
,
uses
of
infix
[
=
]
are
expanded
to
instances
of
[
eq
]
.
We
see
that
[
eq
]
has
both
a
parameter
[
x
]
that
is
fixed
and
an
extra
unnamed
argument
of
the
same
type
.
The
type
of
[
eq
]
allows
us
to
state
any
equalities
,
even
those
that
are
provably
false
.
However
,
examining
the
type
of
equality
'
s
sole
constructor
[
eq_refl
]
,
we
see
that
we
can
only
_
prove_
equality
when
its
two
arguments
are
syntactically
equal
.
This
definition
turns
out
to
capture
all
of
the
basic
properties
of
equality
,
and
the
equality
-
manipulating
tactics
that
we
have
seen
so
far
,
like
[
reflexivity
]
and
[
rewrite
]
,
are
implemented
treating
[
eq
]
as
just
another
inductive
type
with
a
well
-
chosen
definition
.
Another
way
of
stating
that
definition
is
:
equality
is
defined
as
the
least
reflexive
relation
.
%
\
smallskip
{}%
Behind
the
scenes
,
uses
of
infix
[
=
]
are
expanded
to
instances
of
[
eq
]
.
We
see
that
[
eq
]
has
both
a
parameter
[
x
]
that
is
fixed
and
an
extra
unnamed
argument
of
the
same
type
.
The
type
of
[
eq
]
allows
us
to
state
any
equalities
,
even
those
that
are
provably
false
.
However
,
examining
the
type
of
equality
'
s
sole
constructor
[
eq_refl
]
,
we
see
that
we
can
only
_
prove_
equality
when
its
two
arguments
are
syntactically
equal
.
This
definition
turns
out
to
capture
all
of
the
basic
properties
of
equality
,
and
the
equality
-
manipulating
tactics
that
we
have
seen
so
far
,
like
[
reflexivity
]
and
[
rewrite
]
,
are
implemented
treating
[
eq
]
as
just
another
inductive
type
with
a
well
-
chosen
definition
.
Another
way
of
stating
that
definition
is
:
equality
is
defined
as
the
least
reflexive
relation
.
Returning
to
the
example
of
[
isZero
]
,
we
can
see
how
to
work
with
hypotheses
that
use
this
predicate
.
*
)
Returning
to
the
example
of
[
isZero
]
,
we
can
see
how
to
work
with
hypotheses
that
use
this
predicate
.
*
)
...
@@ -535,10 +529,9 @@ Check isZero_ind.
...
@@ -535,10 +529,9 @@ Check isZero_ind.
(
**
%
\
vspace
{-
.15
in
}%
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
isZero_ind
isZero_ind
:
forall
P
:
nat
->
Prop
,
P
0
->
forall
n
:
nat
,
isZero
n
->
P
n
:
forall
P
:
nat
->
Prop
,
P
0
->
forall
n
:
nat
,
isZero
n
->
P
n
]]
]]
In
our
last
proof
script
,
[
destruct
]
chose
to
instantiate
[
P
]
as
[
fun
n
=>
S
n
+
S
n
=
S
(
S
(
S
(
S
n
)))]
.
You
can
verify
for
yourself
that
this
specialization
of
the
principle
applies
to
the
goal
and
that
the
hypothesis
[
P
0
]
then
matches
the
subgoal
we
saw
generated
.
If
you
are
doing
a
proof
and
encounter
a
strange
transmutation
like
this
,
there
is
a
good
chance
that
you
should
go
back
and
replace
a
use
of
[
destruct
]
with
[
inversion
]
.
*
)
%
\
smallskip
{}%
In
our
last
proof
script
,
[
destruct
]
chose
to
instantiate
[
P
]
as
[
fun
n
=>
S
n
+
S
n
=
S
(
S
(
S
(
S
n
)))]
.
You
can
verify
for
yourself
that
this
specialization
of
the
principle
applies
to
the
goal
and
that
the
hypothesis
[
P
0
]
then
matches
the
subgoal
we
saw
generated
.
If
you
are
doing
a
proof
and
encounter
a
strange
transmutation
like
this
,
there
is
a
good
chance
that
you
should
go
back
and
replace
a
use
of
[
destruct
]
with
[
inversion
]
.
*
)
(
*
begin
hide
*
)
(
*
begin
hide
*
)
...
@@ -685,6 +678,7 @@ Theorem even_plus : forall n m, even n -> even m -> even (n + m).
...
@@ -685,6 +678,7 @@ Theorem even_plus : forall n m, even n -> even m -> even (n + m).
[[
[[
IHn
:
forall
m
:
nat
,
even
n
->
even
m
->
even
(
n
+
m
)
IHn
:
forall
m
:
nat
,
even
n
->
even
m
->
even
(
n
+
m
)
]]
]]
Unfortunately
,
the
goal
mentions
[
n0
]
where
it
would
need
to
mention
[
n
]
to
match
[
IHn
]
.
We
could
keep
looking
for
a
way
to
finish
this
proof
from
here
,
but
it
turns
out
that
we
can
make
our
lives
much
easier
by
changing
our
basic
strategy
.
Instead
of
inducting
on
the
structure
of
[
n
]
,
we
should
induct
_
on
the
structure
of
one
of
the
[
even
]
proofs_
.
This
technique
is
commonly
called
%
\
index
{
rule
induction
}%
_
rule
induction_
in
programming
language
semantics
.
In
the
setting
of
Coq
,
we
have
already
seen
how
predicates
are
defined
using
the
same
inductive
type
mechanism
as
datatypes
,
so
the
fundamental
unity
of
rule
induction
with
"normal"
induction
is
apparent
.
Unfortunately
,
the
goal
mentions
[
n0
]
where
it
would
need
to
mention
[
n
]
to
match
[
IHn
]
.
We
could
keep
looking
for
a
way
to
finish
this
proof
from
here
,
but
it
turns
out
that
we
can
make
our
lives
much
easier
by
changing
our
basic
strategy
.
Instead
of
inducting
on
the
structure
of
[
n
]
,
we
should
induct
_
on
the
structure
of
one
of
the
[
even
]
proofs_
.
This
technique
is
commonly
called
%
\
index
{
rule
induction
}%
_
rule
induction_
in
programming
language
semantics
.
In
the
setting
of
Coq
,
we
have
already
seen
how
predicates
are
defined
using
the
same
inductive
type
mechanism
as
datatypes
,
so
the
fundamental
unity
of
rule
induction
with
"normal"
induction
is
apparent
.
...
@@ -788,8 +782,7 @@ Lemma even_contra' : forall n', even n' -> forall n, n' = S (n + n) -> False.
...
@@ -788,8 +782,7 @@ Lemma even_contra' : forall n', even n' -> forall n, n' = S (n + n) -> False.
At
this
point
it
is
useful
to
use
a
theorem
from
the
standard
library
,
which
we
also
proved
with
a
different
name
in
the
last
chapter
.
We
can
search
for
a
theorem
that
allows
us
to
rewrite
terms
of
the
form
[
x
+
S
y
]
.
*
)
At
this
point
it
is
useful
to
use
a
theorem
from
the
standard
library
,
which
we
also
proved
with
a
different
name
in
the
last
chapter
.
We
can
search
for
a
theorem
that
allows
us
to
rewrite
terms
of
the
form
[
x
+
S
y
]
.
*
)
SearchRewrite
(
_
+
S
_
)
.
SearchRewrite
(
_
+
S
_
)
.
(
**
%
\
vspace
{-
.15
in
}%
[[
(
**
[[
plus_n_Sm
:
forall
n
m
:
nat
,
S
(
n
+
m
)
=
n
+
S
m
plus_n_Sm
:
forall
n
m
:
nat
,
S
(
n
+
m
)
=
n
+
S
m
]]
]]
*
)
*
)
...
...
src/Subset.v
View file @
296d3c0d
...
@@ -83,12 +83,11 @@ Eval compute in pred_strong1 two_gt0.
...
@@ -83,12 +83,11 @@ Eval compute in pred_strong1 two_gt0.
(
**
%
\
vspace
{-
.15
in
}%
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
=
1
=
1
:
nat
:
nat
]]
]]
One
aspect
in
particular
of
the
definition
of
[
pred_strong1
]
may
be
surprising
.
We
took
advantage
of
[
Definition
]
'
s
syntactic
sugar
for
defining
function
arguments
in
the
case
of
[
n
]
,
but
we
bound
the
proofs
later
with
explicit
[
fun
]
expressions
.
Let
us
see
what
happens
if
we
write
this
function
in
the
way
that
at
first
seems
most
natural
.
%
\
smallskip
{}%
One
aspect
in
particular
of
the
definition
of
[
pred_strong1
]
may
be
surprising
.
We
took
advantage
of
[
Definition
]
'
s
syntactic
sugar
for
defining
function
arguments
in
the
case
of
[
n
]
,
but
we
bound
the
proofs
later
with
explicit
[
fun
]
expressions
.
Let
us
see
what
happens
if
we
write
this
function
in
the
way
that
at
first
seems
most
natural
.
[[
%
\
vspace
{-
.15
in
}%
[[
Definition
pred_strong1
'
(
n
:
nat
)
(
pf
:
n
>
0
)
:
nat
:=
Definition
pred_strong1
'
(
n
:
nat
)
(
pf
:
n
>
0
)
:
nat
:=
match
n
with
match
n
with
|
O
=>
match
zgtz
pf
with
end
|
O
=>
match
zgtz
pf
with
end
...
@@ -152,10 +151,9 @@ Print sig.
...
@@ -152,10 +151,9 @@ Print sig.
(
**
%
\
vspace
{-
.15
in
}%
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
Inductive
sig
(
A
:
Type
)
(
P
:
A
->
Prop
)
:
Type
:=
Inductive
sig
(
A
:
Type
)
(
P
:
A
->
Prop
)
:
Type
:=
exist
:
forall
x
:
A
,
P
x
->
sig
P
exist
:
forall
x
:
A
,
P
x
->
sig
P
]]
]]
The
family
[
sig
]
is
a
Curry
-
Howard
twin
of
[
ex
]
,
except
that
[
sig
]
is
in
[
Type
]
,
while
[
ex
]
is
in
[
Prop
]
.
That
means
that
[
sig
]
values
can
survive
extraction
,
while
[
ex
]
proofs
will
always
be
erased
.
The
actual
details
of
extraction
of
[
sig
]
s
are
more
subtle
,
as
we
will
see
shortly
.
%
\
smallskip
{}%
The
family
[
sig
]
is
a
Curry
-
Howard
twin
of
[
ex
]
,
except
that
[
sig
]
is
in
[
Type
]
,
while
[
ex
]
is
in
[
Prop
]
.
That
means
that
[
sig
]
values
can
survive
extraction
,
while
[
ex
]
proofs
will
always
be
erased
.
The
actual
details
of
extraction
of
[
sig
]
s
are
more
subtle
,
as
we
will
see
shortly
.
We
rewrite
[
pred_strong1
]
,
using
some
syntactic
sugar
for
subset
types
.
*
)
We
rewrite
[
pred_strong1
]
,
using
some
syntactic
sugar
for
subset
types
.
*
)
...
@@ -301,10 +299,9 @@ match n as n0 return (n0 > 0 -> {m : nat | n0 = S m}) with
...
@@ -301,10 +299,9 @@ match n as n0 return (n0 > 0 -> {m : nat | n0 = S m}) with
exist
(
fun
m
:
nat
=>
S
n
'
=
S
m
)
n
'
(
eq_refl
(
S
n
'
))
exist
(
fun
m
:
nat
=>
S
n
'
=
S
m
)
n
'
(
eq_refl
(
S
n
'
))
end
end
:
forall
n
:
nat
,
n
>
0
->
{
m
:
nat
|
n
=
S
m
}
:
forall
n
:
nat
,
n
>
0
->
{
m
:
nat
|
n
=
S
m
}
]]
]]
We
see
the
code
we
entered
,
with
some
proofs
filled
in
.
The
first
proof
obligation
,
the
second
argument
to
[
False_rec
]
,
is
filled
in
with
a
nasty
-
looking
proof
term
that
we
can
be
glad
we
did
not
enter
by
hand
.
The
second
proof
obligation
is
a
simple
reflexivity
proof
.
*
)
%
\
smallskip
{}%
We
see
the
code
we
entered
,
with
some
proofs
filled
in
.
The
first
proof
obligation
,
the
second
argument
to
[
False_rec
]
,
is
filled
in
with
a
nasty
-
looking
proof
term
that
we
can
be
glad
we
did
not
enter
by
hand
.
The
second
proof
obligation
is
a
simple
reflexivity
proof
.
*
)
Eval
compute
in
pred_strong4
two_gt0
.
Eval
compute
in
pred_strong4
two_gt0
.
(
**
%
\
vspace
{-
.15
in
}%
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
...
@@ -312,7 +309,7 @@ Eval compute in pred_strong4 two_gt0.
...
@@ -312,7 +309,7 @@ Eval compute in pred_strong4 two_gt0.
:
{
m
:
nat
|
2
=
S
m
}
:
{
m
:
nat
|
2
=
S
m
}
]]
]]
A
tactic
modifier
called
%
\
index
{
tactics
!
abstract
}%
[
abstract
]
can
be
helpful
for
producing
shorter
terms
,
by
automatically
abstracting
subgoals
into
named
lemmas
.
*
)
%
\
smallskip
{}%
A
tactic
modifier
called
%
\
index
{
tactics
!
abstract
}%
[
abstract
]
can
be
helpful
for
producing
shorter
terms
,
by
automatically
abstracting
subgoals
into
named
lemmas
.
*
)
(
*
begin
thide
*
)
(
*
begin
thide
*
)
Definition
pred_strong4
'
:
forall
n
:
nat
,
n
>
0
->
{
m
:
nat
|
n
=
S
m
}.
Definition
pred_strong4
'
:
forall
n
:
nat
,
n
>
0
->
{
m
:
nat
|
n
=
S
m
}.
...
@@ -361,7 +358,7 @@ Eval compute in pred_strong5 two_gt0.
...
@@ -361,7 +358,7 @@ Eval compute in pred_strong5 two_gt0.
:
{
m
:
nat
|
2
=
S
m
}
:
{
m
:
nat
|
2
=
S
m
}
]]
]]
One
other
alternative
is
worth
demonstrating
.
Recent
Coq
versions
include
a
facility
called
%
\
index
{
Program
}%
[
Program
]
that
streamlines
this
style
of
definition
.
Here
is
a
complete
implementation
using
[
Program
]
.%
\
index
{
Vernacular
commands
!
Obligation
Tactic
}
\
index
{
Vernacular
commands
!
Program
Definition
}%
*
)
%
\
smallskip
{}%
One
other
alternative
is
worth
demonstrating
.
Recent
Coq
versions
include
a
facility
called
%
\
index
{
Program
}%
[
Program
]
that
streamlines
this
style
of
definition
.
Here
is
a
complete
implementation
using
[
Program
]
.%
\
index
{
Vernacular
commands
!
Obligation
Tactic
}
\
index
{
Vernacular
commands
!
Program
Definition
}%
*
)
Obligation
Tactic
:=
crush
.
Obligation
Tactic
:=
crush
.
...
@@ -379,7 +376,7 @@ Eval compute in pred_strong6 two_gt0.
...
@@ -379,7 +376,7 @@ Eval compute in pred_strong6 two_gt0.
:
{
m
:
nat
|
2
=
S
m
}
:
{
m
:
nat
|
2
=
S
m
}
]]
]]
In
this
case
,
we
see
that
the
new
definition
yields
the
same
computational
behavior
as
before
.
*
)
%
\
smallskip
{}%
In
this
case
,
we
see
that
the
new
definition
yields
the
same
computational
behavior
as
before
.
*
)
(
**
*
Decidable
Proposition
Types
*
)
(
**
*
Decidable
Proposition
Types
*
)
...
@@ -423,9 +420,8 @@ Eval compute in eq_nat_dec 2 3.
...
@@ -423,9 +420,8 @@ Eval compute in eq_nat_dec 2 3.
=
No
=
No
:
{
2
=
3
}
+
{
2
<>
3
}
:
{
2
=
3
}
+
{
2
<>
3
}
]]
]]
*
)
(
**
Note
that
the
%
\
coqdocnotation
{%
#
<
tt
>
#
Yes
#
</
tt
>
#
%}%
and
%
\
coqdocnotation
{%
#
<
tt
>
#
No
#
</
tt
>
#
%}%
notations
are
hiding
proofs
establishing
the
correctness
of
the
outputs
.
%
\
smallskip
{}%
Note
that
the
%
\
coqdocnotation
{%
#
<
tt
>
#
Yes
#
</
tt
>
#
%}%
and
%
\
coqdocnotation
{%
#
<
tt
>
#
No
#
</
tt
>
#
%}%
notations
are
hiding
proofs
establishing
the
correctness
of
the
outputs
.
Our
definition
extracts
to
reasonable
OCaml
code
.
*
)
Our
definition
extracts
to
reasonable
OCaml
code
.
*
)
...
@@ -532,9 +528,8 @@ Eval compute in In_dec eq_nat_dec 3 (1 :: 2 :: nil).
...
@@ -532,9 +528,8 @@ Eval compute in In_dec eq_nat_dec 3 (1 :: 2 :: nil).
=
No
=
No
:
{
In
3
(
1
::
2
::
nil
)
}
+
{~
In
3
(
1
::
2
::
nil
)
}
:
{
In
3
(
1
::
2
::
nil
)
}
+
{~
In
3
(
1
::
2
::
nil
)
}
]]
]]
*
)
(
**
[
In_dec
]
has
a
reasonable
extraction
to
OCaml
.
*
)
%
\
smallskip
{}%
[
In_dec
]
has
a
reasonable
extraction
to
OCaml
.
*
)
Extraction
In_dec
.
Extraction
In_dec
.
(
*
end
thide
*
)
(
*
end
thide
*
)
...
@@ -601,16 +596,15 @@ Eval compute in pred_strong7 0.
...
@@ -601,16 +596,15 @@ Eval compute in pred_strong7 0.
:
{{
m
|
0
=
S
m
}}
:
{{
m
|
0
=
S
m
}}
]]
]]
Because
we
used
[
maybe
]
,
one
valid
implementation
of
the
type
we
gave
[
pred_strong7
]
would
return
[
??
]
in
every
case
.
We
can
strengthen
the
type
to
rule
out
such
vacuous
implementations
,
and
the
type
family
%
\
index
{
Gallina
terms
!
sumor
}%
[
sumor
]
from
the
standard
library
provides
the
easiest
starting
point
.
For
type
[
A
]
and
proposition
[
B
]
,
[
A
+
{
B
}
]
desugars
to
[
sumor
A
B
]
,
whose
values
are
either
values
of
[
A
]
or
proofs
of
[
B
]
.
*
)
%
\
smallskip
{}%
Because
we
used
[
maybe
]
,
one
valid
implementation
of
the
type
we
gave
[
pred_strong7
]
would
return
[
??
]
in
every
case
.
We
can
strengthen
the
type
to
rule
out
such
vacuous
implementations
,
and
the
type
family
%
\
index
{
Gallina
terms
!
sumor
}%
[
sumor
]
from
the
standard
library
provides
the
easiest
starting
point
.
For
type
[
A
]
and
proposition
[
B
]
,
[
A
+
{
B
}
]
desugars
to
[
sumor
A
B
]
,
whose
values
are
either
values
of
[
A
]
or
proofs
of
[
B
]
.
*
)
Print
sumor
.
Print
sumor
.
(
**
%
\
vspace
{-
.15
in
}%
[[
(
**
%
\
vspace
{-
.15
in
}%
[[
Inductive
sumor
(
A
:
Type
)
(
B
:
Prop
)
:
Type
:=
Inductive
sumor
(
A
:
Type
)
(
B
:
Prop
)
:
Type
:=
inleft
:
A
->
A
+
{
B
}
|
inright
:
B
->
A
+
{
B
}
inleft
:
A
->
A
+
{
B
}
|
inright
:
B
->
A
+
{
B
}
]]
]]
*
)
(
**
We
add
notations
for
easy
use
of
the
[
sumor
]
constructors
.
The
second
notation
is
specialized
to
[
sumor
]
s
whose
[
A
]
parameters
are
instantiated
with
regular
subset
types
,
since
this
is
how
we
will
use
[
sumor
]
below
.
*
)
%
\
smallskip
{}%
We
add
notations
for
easy
use
of
the
[
sumor
]
constructors
.
The
second
notation
is
specialized
to
[
sumor
]
s
whose
[
A
]
parameters
are
instantiated
with
regular
subset
types
,
since
this
is
how
we
will
use
[
sumor
]
below
.
*
)
Notation
"!!"
:=
(
inright
_
_
)
.
Notation
"!!"
:=
(
inright
_
_
)
.
Notation
"[|| x ||]"
:=
(
inleft
_
[
x
])
.
Notation
"[|| x ||]"
:=
(
inleft
_
[
x
])
.
...
@@ -781,9 +775,8 @@ Eval simpl in typeCheck (Plus (Nat 1) (Bool false)).
...
@@ -781,9 +775,8 @@ Eval simpl in typeCheck (Plus (Nat 1) (Bool false)).
=
??
=
??
:
{{
t
|
hasType
(
Plus
(
Nat
1
)
(
Bool
false
))
t
}}
:
{{
t
|
hasType
(
Plus
(
Nat
1
)
(
Bool
false
))
t
}}
]]
]]
*
)
(
**
The
type
checker
also
extracts
to
some
reasonable
OCaml
code
.
*
)
%
\
smallskip
{}%
The
type
checker
also
extracts
to
some
reasonable
OCaml
code
.
*
)
Extraction
typeCheck
.
Extraction
typeCheck
.
...
@@ -936,4 +929,4 @@ Eval simpl in typeCheck' (Plus (Nat 1) (Bool false)).
...
@@ -936,4 +929,4 @@ Eval simpl in typeCheck' (Plus (Nat 1) (Bool false)).
{
(
forall
t
:
type
,
~
hasType
(
Plus
(
Nat
1
)
(
Bool
false
))
t
)
}
{
(
forall
t
:
type
,
~
hasType
(
Plus
(
Nat
1
)
(
Bool
false
))
t
)
}
]]
]]
The
results
of
simplifying
calls
to
[
typeCheck
'
]
look
deceptively
similar
to
the
results
for
[
typeCheck
]
,
but
now
the
types
of
the
results
provide
more
information
.
*
)
%
\
smallskip
{}%
The
results
of
simplifying
calls
to
[
typeCheck
'
]
look
deceptively
similar
to
the
results
for
[
typeCheck
]
,
but
now
the
types
of
the
results
provide
more
information
.
*
)
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment