Isabelle/HOLandCoqbothsupportcodingnewproofmanipulationsinMLinwaysthatcannotleadtotheacceptanceofinvalidproofs.Additionally,Coqincludesadomain-specificlanguageforcodingdecisionproceduresinnormalCoqsourcecode,withnoneedtobreakoutintoML.ThislanguageiscalledLtac,andIthinkofitastheunsungherooftheproofassistantworld.NotonlydoesLtacpreventyoufrommakingfatalmistakes,italsoincludesanumberofnovelprogrammingconstructswhichcombinetomakea%``%#"#proof by decision procedure#"#%''%styleverypleasant.Wewillmeetthesefeaturesinthechapterstocome.
%\index{Isabelle/HOL}%Isabelle/HOLandCoqbothsupportcodingnewproofmanipulationsinMLinwaysthatcannotleadtotheacceptanceofinvalidproofs.Additionally,Coqincludesadomain-specificlanguageforcodingdecisionproceduresinnormalCoqsourcecode,withnoneedtobreakoutintoML.Thislanguageiscalled%\index{Ltac}%Ltac,andIthinkofitastheunsungherooftheproofassistantworld.NotonlydoesLtacpreventyoufrommakingfatalmistakes,italsoincludesanumberofnovelprogrammingconstructswhichcombinetomakea%``%#"#proof by decision procedure#"#%''%styleverypleasant.Wewillmeetthesefeaturesinthechapterstocome.
@@ -151,11 +149,11 @@ The critical ingredient for this technique, many of whose instances are referred
...
@@ -151,11 +149,11 @@ The critical ingredient for this technique, many of whose instances are referred
(***WhyNotaDifferentDependentlyTypedLanguage?*)
(***WhyNotaDifferentDependentlyTypedLanguage?*)
(**
(**
ThelogicandprogramminglanguagebehindCoqbelongstoatype-theoryecosystemwithagoodnumberofotherthrivingmembers.%Agda\footnote{\url{http://appserv.cs.chalmers.se/users/ulfn/wiki/agda.php}}%#<a href="http://appserv.cs.chalmers.se/users/ulfn/wiki/agda.php">Agda</a># and %Epigram\footnote{\url{http://www.e-pig.org/}}%#<a href="http://www.e-pig.org/">Epigram</a># are the most developed tools among the alternatives to Coq, and there are others that are earlier in their lifecycles. All of the languages in this family feel sort of like different historical offshoots of Latin. The hardest conceptual epiphanies are, for the most part, portable among all the languages. Given this, why choose Coq for certified programming?
ThelogicandprogramminglanguagebehindCoqbelongstoatype-theoryecosystemwithagoodnumberofotherthrivingmembers.%\index{Agda}Agda\footnote{\url{http://appserv.cs.chalmers.se/users/ulfn/wiki/agda.php}}%#<a href="http://appserv.cs.chalmers.se/users/ulfn/wiki/agda.php">Agda</a># and %\index{Epigram}Epigram\footnote{\url{http://www.e-pig.org/}}%#<a href="http://www.e-pig.org/">Epigram</a># are the most developed tools among the alternatives to Coq, and there are others that are earlier in their lifecycles. All of the languages in this family feel sort of like different historical offshoots of Latin. The hardest conceptual epiphanies are, for the most part, portable among all the languages. Given this, why choose Coq for certified programming?
@@ -164,7 +162,7 @@ On the other hand, Agda, Epigram, and similar tools have less implementation bag
...
@@ -164,7 +162,7 @@ On the other hand, Agda, Epigram, and similar tools have less implementation bag
(**
(**
Incomparisonswithitscompetitors,Coqisoftenderidedforpromotingunreadableproofs.Itisveryeasytowriteproofscriptsthatmanipulateproofgoalsimperatively,withnostructuretoaidreaders.Suchdevelopmentsarenightmarestomaintain,andtheycertainlydonotmanagetoconvey%``%#"#why the theorem is true#"#%''%toanyonebuttheoriginalauthor.Oneadditional(andnotinsignificant)purposeofthisbookistoshowwhyitisunfairandunproductivetodismissCoqbasedontheexistenceofsuchdevelopments.
Incomparisonswithitscompetitors,Coqisoftenderidedforpromotingunreadableproofs.Itisveryeasytowriteproofscriptsthatmanipulateproofgoalsimperatively,withnostructuretoaidreaders.Suchdevelopmentsarenightmarestomaintain,andtheycertainlydonotmanagetoconvey%``%#"#why the theorem is true#"#%''%toanyonebuttheoriginalauthor.Oneadditional(andnotinsignificant)purposeofthisbookistoshowwhyitisunfairandunproductivetodismissCoqbasedontheexistenceofsuchdevelopments.
IbelievethatagoodgraphicalinterfacetoCoqiscrucialforusingitproductively.Iusethe%ProofGeneral\footnote{\url{http://proofgeneral.inf.ed.ac.uk/}}%#<a href="http://proofgeneral.inf.ed.ac.uk/">Proof General</a># mode for Emacs, which supports a number of other proof assistants besides Coq. There is also the standalone CoqIDE program developed by the Coq team. I like being able to combine certified programming and proving with other kinds of work inside the same full-featured editor, and CoqIDE has had a good number of crashes and other annoying bugs in recent history, though I hear that it is improving. In the initial part of this book, I will reference Proof General procedures explicitly, in introducing how to use Coq, but most of the book will be interface-agnostic, so feel free to use CoqIDE if you prefer it. The one issue with CoqIDE, regarding running through the book source, is that I will sometimes begin a proof attempt but cancel it with the Coq [Abort] or #<span class="inlinecode"><span class="id" type="keyword">#%\coqdockw{%Restart%}%#</span></span># commands, which CoqIDE does not support. It would be bad form to leave such commands lying around in a real, finished development, but I find these commands helpful in writing single source files that trace a user's thought process in designing a proof.
%\index{graphicalinterfacestoCoq}%IbelievethatagoodgraphicalinterfacetoCoqiscrucialforusingitproductively.Iusethe%\index{ProofGeneral}ProofGeneral\footnote{\url{http://proofgeneral.inf.ed.ac.uk/}}%#<a href="http://proofgeneral.inf.ed.ac.uk/">Proof General</a># mode for Emacs, which supports a number of other proof assistants besides Coq. There is also the standalone %\index{CoqIDE}%CoqIDE program developed by the Coq team. I like being able to combine certified programming and proving with other kinds of work inside the same full-featured editor, and CoqIDE has had a good number of crashes and other annoying bugs in recent history, though I hear that it is improving. In the initial part of this book, I will reference Proof General procedures explicitly, in introducing how to use Coq, but most of the book will be interface-agnostic, so feel free to use CoqIDE if you prefer it. The one issue with CoqIDE, regarding running through the book source, is that I will sometimes begin a proof attempt but cancel it with the Coq [Abort] or #<span class="inlinecode"><span class="id" type="keyword">#%\coqdockw{%Restart%}%#</span></span># commands, which CoqIDE does not support. It would be bad form to leave such commands lying around in a real, finished development, but I find these commands helpful in writing single source files that trace a user's thought process in designing a proof.
(**Thoughapencil-and-paperproofmightclockoutatthispoint,writing%``%#"#by a routine induction on [e],#"#%''%itturnsoutnottomakesensetoattackthisproofdirectly.Weneedtousethestandardtrickof%\textit{%#<i>#strengtheningtheinductionhypothesis#</i>#%}%.Wedothatbyprovinganauxiliarylemma:
(**Thoughapencil-and-paperproofmightclockoutatthispoint,writing%``%#"#by a routine induction on [e],#"#%''%itturnsoutnottomakesensetoattackthisproofdirectly.Weneedtousethestandardtrickof%\emph{%#<i>#strengtheningtheinductionhypothesis#</i>#%}%.Wedothatbyprovinganauxiliarylemma: