Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Contribute to GitLab
Sign in
Toggle navigation
C
cpdt
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
research
cpdt
Commits
d2f328ef
Commit
d2f328ef
authored
Dec 09, 2010
by
Adam Chlipala
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fixes added while proofreading JFR camera-ready
parent
e693a66e
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
8 additions
and
9 deletions
+8
-9
DataStruct.v
src/DataStruct.v
+2
-3
Equality.v
src/Equality.v
+3
-3
MoreDep.v
src/MoreDep.v
+1
-1
StackMachine.v
src/StackMachine.v
+1
-1
Subset.v
src/Subset.v
+1
-1
No files found.
src/DataStruct.v
View file @
d2f328ef
...
@@ -792,8 +792,7 @@ Lemma cfoldCond_correct : forall t (default : exp' t)
...
@@ -792,8 +792,7 @@ Lemma cfoldCond_correct : forall t (default : exp' t)
induction
n
;
crush
;
induction
n
;
crush
;
match
goal
with
match
goal
with
|
[
IHn
:
forall
tests
bodies
,
_
,
tests
:
_
->
_
,
bodies
:
_
->
_
|-
_
]
=>
|
[
IHn
:
forall
tests
bodies
,
_
,
tests
:
_
->
_
,
bodies
:
_
->
_
|-
_
]
=>
generalize
(
IHn
(
fun
idx
=>
tests
(
Some
idx
))
(
fun
idx
=>
bodies
(
Some
idx
)))
;
specialize
(
IHn
(
fun
idx
=>
tests
(
Some
idx
))
(
fun
idx
=>
bodies
(
Some
idx
)))
clear
IHn
;
intro
IHn
end
;
end
;
repeat
(
match
goal
with
repeat
(
match
goal
with
|
[
|-
context
[
match
?
E
with
|
[
|-
context
[
match
?
E
with
...
@@ -844,7 +843,7 @@ Qed.
...
@@ -844,7 +843,7 @@ Qed.
Inductive
types
are
often
the
most
pleasant
to
work
with
,
after
someone
has
spent
the
time
implementing
some
basic
library
functions
for
them
,
using
fancy
[
match
]
annotations
.
Many
aspects
of
Coq
'
s
logic
and
tactic
support
are
specialized
to
deal
with
inductive
types
,
and
you
may
miss
out
if
you
use
alternate
encodings
.
Inductive
types
are
often
the
most
pleasant
to
work
with
,
after
someone
has
spent
the
time
implementing
some
basic
library
functions
for
them
,
using
fancy
[
match
]
annotations
.
Many
aspects
of
Coq
'
s
logic
and
tactic
support
are
specialized
to
deal
with
inductive
types
,
and
you
may
miss
out
if
you
use
alternate
encodings
.
Recursive
types
usually
involve
much
less
initial
effort
,
but
they
can
be
less
convenient
to
use
with
proof
automation
.
For
instance
,
the
[
simpl
]
tactic
(
which
is
among
the
ingredients
in
[
crush
])
will
sometimes
be
overzealous
in
simplifying
uses
of
functions
over
recursive
types
.
Consider
a
call
[
get
l
f
]
,
where
variable
[
l
]
has
type
[
filist
A
(
S
n
)]
.
The
type
of
[
l
]
would
be
simplified
to
an
explicit
pair
type
.
In
a
proof
involving
many
recursive
types
,
this
kind
of
unhelpful
%
``
%
#
"#simplification#"
#
%
''
%
can
lead
to
rapid
bloat
in
the
sizes
of
subgoals
.
Recursive
types
usually
involve
much
less
initial
effort
,
but
they
can
be
less
convenient
to
use
with
proof
automation
.
For
instance
,
the
[
simpl
]
tactic
(
which
is
among
the
ingredients
in
[
crush
])
will
sometimes
be
overzealous
in
simplifying
uses
of
functions
over
recursive
types
.
Consider
a
call
[
get
l
f
]
,
where
variable
[
l
]
has
type
[
filist
A
(
S
n
)]
.
The
type
of
[
l
]
would
be
simplified
to
an
explicit
pair
type
.
In
a
proof
involving
many
recursive
types
,
this
kind
of
unhelpful
%
``
%
#
"#simplification#"
#
%
''
%
can
lead
to
rapid
bloat
in
the
sizes
of
subgoals
.
Even
worse
,
it
can
prevent
syntactic
pattern
-
matching
,
like
in
cases
where
[
filist
]
is
expected
but
a
pair
type
is
found
in
the
%
``
%
#
"#simplified#"
#
%
''
%
version
.
Another
disadvantage
of
recursive
types
is
that
they
only
apply
to
type
families
whose
indices
determine
their
%
``
%
#
"#skeletons.#"
#
%
''
%
This
is
not
true
for
all
data
structures
;
a
good
counterexample
comes
from
the
richly
-
typed
programming
language
syntax
types
we
have
used
several
times
so
far
.
The
fact
that
a
piece
of
syntax
has
type
[
Nat
]
tells
us
nothing
about
the
tree
structure
of
that
syntax
.
Another
disadvantage
of
recursive
types
is
that
they
only
apply
to
type
families
whose
indices
determine
their
%
``
%
#
"#skeletons.#"
#
%
''
%
This
is
not
true
for
all
data
structures
;
a
good
counterexample
comes
from
the
richly
-
typed
programming
language
syntax
types
we
have
used
several
times
so
far
.
The
fact
that
a
piece
of
syntax
has
type
[
Nat
]
tells
us
nothing
about
the
tree
structure
of
that
syntax
.
...
...
src/Equality.v
View file @
d2f328ef
...
@@ -18,7 +18,7 @@ Set Implicit Arguments.
...
@@ -18,7 +18,7 @@ Set Implicit Arguments.
(
**
%
\
chapter
{
Reasoning
About
Equality
Proofs
}%
*
)
(
**
%
\
chapter
{
Reasoning
About
Equality
Proofs
}%
*
)
(
**
In
traditional
mathematics
,
the
concept
of
equality
is
usually
taken
as
a
given
.
On
the
other
hand
,
in
type
theory
,
equality
is
a
very
contentious
subject
.
There
are
at
least
three
different
notions
of
equality
that
are
important
,
and
researchers
are
actively
investigating
new
definitions
of
what
it
means
for
two
terms
to
be
equal
.
Even
once
we
fix
a
notion
of
equality
,
there
are
inevitably
tricky
issues
that
arise
in
proving
properties
of
programs
that
manipulate
equality
proofs
explicitly
.
In
this
chapter
,
we
will
focus
on
design
patterns
for
circumventing
these
tricky
issues
,
and
we
will
introduce
the
different
notions
of
equality
as
they
are
germane
.
*
)
(
**
In
traditional
mathematics
,
the
concept
of
equality
is
usually
taken
as
a
given
.
On
the
other
hand
,
in
type
theory
,
equality
is
a
very
contentious
subject
.
There
are
at
least
three
different
notions
of
equality
that
are
important
,
and
researchers
are
actively
investigating
new
definitions
of
what
it
means
for
two
terms
to
be
equal
.
Even
once
we
fix
a
notion
of
equality
,
there
are
inevitably
tricky
issues
that
arise
in
proving
properties
of
programs
that
manipulate
equality
proofs
explicitly
.
In
this
chapter
,
I
will
focus
on
design
patterns
for
circumventing
these
tricky
issues
,
and
I
will
introduce
the
different
notions
of
equality
as
they
are
germane
.
*
)
(
**
*
The
Definitional
Equality
*
)
(
**
*
The
Definitional
Equality
*
)
...
@@ -95,7 +95,7 @@ Qed.
...
@@ -95,7 +95,7 @@ Qed.
(
**
The
standard
[
eq
]
relation
is
critically
dependent
on
the
definitional
equality
.
[
eq
]
is
often
called
a
%
\
textit
{%
#
<
i
>
#
propositional
equality
#
</
i
>
#
%}%,
because
it
reifies
definitional
equality
as
a
proposition
that
may
or
may
not
hold
.
Standard
axiomatizations
of
an
equality
predicate
in
first
-
order
logic
define
equality
in
terms
of
properties
it
has
,
like
reflexivity
,
symmetry
,
and
transitivity
.
In
contrast
,
for
[
eq
]
in
Coq
,
those
properties
are
implicit
in
the
properties
of
the
definitional
equality
,
which
are
built
into
CIC
'
s
metatheory
and
the
implementation
of
Gallina
.
We
could
add
new
rules
to
the
definitional
equality
,
and
[
eq
]
would
keep
its
definition
and
methods
of
use
.
(
**
The
standard
[
eq
]
relation
is
critically
dependent
on
the
definitional
equality
.
[
eq
]
is
often
called
a
%
\
textit
{%
#
<
i
>
#
propositional
equality
#
</
i
>
#
%}%,
because
it
reifies
definitional
equality
as
a
proposition
that
may
or
may
not
hold
.
Standard
axiomatizations
of
an
equality
predicate
in
first
-
order
logic
define
equality
in
terms
of
properties
it
has
,
like
reflexivity
,
symmetry
,
and
transitivity
.
In
contrast
,
for
[
eq
]
in
Coq
,
those
properties
are
implicit
in
the
properties
of
the
definitional
equality
,
which
are
built
into
CIC
'
s
metatheory
and
the
implementation
of
Gallina
.
We
could
add
new
rules
to
the
definitional
equality
,
and
[
eq
]
would
keep
its
definition
and
methods
of
use
.
This
all
may
make
it
sound
like
the
choice
of
[
eq
]
'
s
definition
is
unimportant
.
To
the
contrary
,
in
this
chapter
,
we
will
see
examples
where
alternate
definitions
may
simplify
proofs
.
Before
that
point
,
we
will
introduce
effectiv
e
proof
methods
for
goals
that
use
proofs
of
the
standard
propositional
equality
%
``
%
#
"#as data.#"
#
%
''
%
*
)
This
all
may
make
it
sound
like
the
choice
of
[
eq
]
'
s
definition
is
unimportant
.
To
the
contrary
,
in
this
chapter
,
we
will
see
examples
where
alternate
definitions
may
simplify
proofs
.
Before
that
point
,
I
will
introduc
e
proof
methods
for
goals
that
use
proofs
of
the
standard
propositional
equality
%
``
%
#
"#as data.#"
#
%
''
%
*
)
(
**
*
Heterogeneous
Lists
Revisited
*
)
(
**
*
Heterogeneous
Lists
Revisited
*
)
...
@@ -482,7 +482,7 @@ The term "pf" has type "a :: (ls1 ++ ls2) ++ ls3 = a :: ls1 ++ ls2 ++ ls3"
...
@@ -482,7 +482,7 @@ The term "pf" has type "a :: (ls1 ++ ls2) ++ ls3 = a :: ls1 ++ ls2 ++ ls3"
]]
]]
We
have
made
an
important
bit
of
progress
,
as
now
only
a
single
call
to
[
fhapp
]
appears
in
the
conclusion
.
Trying
case
analysis
on
our
proofs
still
will
not
work
,
but
there
is
a
move
we
can
make
to
enable
it
.
Not
only
does
just
one
call
to
[
fhapp
]
matter
to
us
now
,
but
it
also
%
\
textit
{%
#
<
i
>
#
does
not
matter
what
the
result
of
the
call
is
#
</
i
>
#
%}%.
In
other
words
,
the
subgoal
should
remain
true
if
we
replace
this
[
fhapp
]
call
with
a
fresh
variable
.
The
[
generalize
]
tactic
helps
us
do
exactly
that
.
*
)
We
have
made
an
important
bit
of
progress
,
as
now
only
a
single
call
to
[
fhapp
]
appears
in
the
conclusion
,
repeated
twice
.
Trying
case
analysis
on
our
proofs
still
will
not
work
,
but
there
is
a
move
we
can
make
to
enable
it
.
Not
only
does
just
one
call
to
[
fhapp
]
matter
to
us
now
,
but
it
also
%
\
textit
{%
#
<
i
>
#
does
not
matter
what
the
result
of
the
call
is
#
</
i
>
#
%}%.
In
other
words
,
the
subgoal
should
remain
true
if
we
replace
this
[
fhapp
]
call
with
a
fresh
variable
.
The
[
generalize
]
tactic
helps
us
do
exactly
that
.
*
)
generalize
(
fhapp
(
fhapp
b
hls2
)
hls3
)
.
generalize
(
fhapp
(
fhapp
b
hls2
)
hls3
)
.
(
**
[[
(
**
[[
...
...
src/MoreDep.v
View file @
d2f328ef
...
@@ -665,7 +665,7 @@ Section insert.
...
@@ -665,7 +665,7 @@ Section insert.
(
**
The
balance
correctness
theorems
are
simple
first
-
order
logic
equivalences
,
where
we
use
the
function
[
projT2
]
to
project
the
payload
of
a
[
sigT
]
value
.
*
)
(
**
The
balance
correctness
theorems
are
simple
first
-
order
logic
equivalences
,
where
we
use
the
function
[
projT2
]
to
project
the
payload
of
a
[
sigT
]
value
.
*
)
Lemma
present_balance1
:
forall
n
(
a
:
rtree
n
)
(
y
:
nat
)
c2
(
b
:
rbtree
c2
n
)
,
Lemma
present_balance1
:
forall
n
(
a
:
rtree
n
)
(
y
:
nat
)
c2
(
b
:
rbtree
c2
n
)
,
present
z
(
projT2
(
balance1
a
y
b
))
present
z
(
projT2
(
balance1
a
y
b
))
<->
rpresent
z
a
\
/
z
=
y
\
/
present
z
b
.
<->
rpresent
z
a
\
/
z
=
y
\
/
present
z
b
.
destruct
a
;
present_balance
.
destruct
a
;
present_balance
.
...
...
src/StackMachine.v
View file @
d2f328ef
...
@@ -103,7 +103,7 @@ Definition binopDenote := fun b =>
...
@@ -103,7 +103,7 @@ Definition binopDenote := fun b =>
Languages
like
Haskell
and
ML
have
a
convenient
%
\
textit
{%
#
<
i
>
#
principal
typing
#
</
i
>
#
%}%
property
,
which
gives
us
strong
guarantees
about
how
effective
type
inference
will
be
.
Unfortunately
,
Coq
'
s
type
system
is
so
expressive
that
any
kind
of
%
``
%
#
"#complete#"
#
%
''
%
type
inference
is
impossible
,
and
the
task
even
seems
to
be
hard
heuristically
in
practice
.
Nonetheless
,
Coq
includes
some
very
helpful
heuristics
,
many
of
them
copying
the
workings
of
Haskell
and
ML
type
-
checkers
for
programs
that
fall
in
simple
fragments
of
Coq
'
s
language
.
Languages
like
Haskell
and
ML
have
a
convenient
%
\
textit
{%
#
<
i
>
#
principal
typing
#
</
i
>
#
%}%
property
,
which
gives
us
strong
guarantees
about
how
effective
type
inference
will
be
.
Unfortunately
,
Coq
'
s
type
system
is
so
expressive
that
any
kind
of
%
``
%
#
"#complete#"
#
%
''
%
type
inference
is
impossible
,
and
the
task
even
seems
to
be
hard
heuristically
in
practice
.
Nonetheless
,
Coq
includes
some
very
helpful
heuristics
,
many
of
them
copying
the
workings
of
Haskell
and
ML
type
-
checkers
for
programs
that
fall
in
simple
fragments
of
Coq
'
s
language
.
This
is
as
good
a
time
as
any
to
mention
the
preponderance
of
different
languages
associated
with
Coq
.
The
theoretical
foundation
of
Coq
is
a
formal
system
called
the
%
\
textit
{%
#
<
i
>
#
Calculus
of
Inductive
Constructions
(
CIC
)#
</
i
>
#
%}%,
which
is
an
extension
of
the
older
%
\
textit
{%
#
<
i
>
#
Calculus
of
Constructions
(
CoC
)#
</
i
>
#
%}%.
CIC
is
quite
a
spartan
foundation
,
which
is
helpful
for
proving
metatheory
but
not
so
helpful
for
real
development
.
Still
,
it
is
nice
to
know
that
it
has
been
proved
that
CIC
enjoys
properties
like
%
\
textit
{%
#
<
i
>
#
strong
normalization
#
</
i
>
#
%}%,
meaning
that
every
program
(
and
,
more
importantly
,
every
proof
term
)
terminates
;
and
%
\
textit
{%
#
<
i
>
#
relative
consistency
#
</
i
>
#
%}%
with
systems
like
versions
of
Zermelo
Fraenkel
set
theory
,
which
roughly
means
that
you
can
believe
that
Coq
proofs
mean
that
the
corresponding
propositions
are
%
``
%
#
"#really true,#"
#
%
''
%
if
you
believe
in
set
theory
.
This
is
as
good
a
time
as
any
to
mention
the
preponderance
of
different
languages
associated
with
Coq
.
The
theoretical
foundation
of
Coq
is
a
formal
system
called
the
%
\
textit
{%
#
<
i
>
#
Calculus
of
Inductive
Constructions
(
CIC
)#
</
i
>
#
%}%,
which
is
an
extension
of
the
older
%
\
textit
{%
#
<
i
>
#
Calculus
of
Constructions
(
CoC
)#
</
i
>
#
%}%.
CIC
is
quite
a
spartan
foundation
,
which
is
helpful
for
proving
metatheory
but
not
so
helpful
for
real
development
.
Still
,
it
is
nice
to
know
that
it
has
been
proved
that
CIC
enjoys
properties
like
%
\
textit
{%
#
<
i
>
#
strong
normalization
#
</
i
>
#
%}%,
meaning
that
every
program
(
and
,
more
importantly
,
every
proof
term
)
terminates
;
and
%
\
textit
{%
#
<
i
>
#
relative
consistency
#
</
i
>
#
%}%
with
systems
like
versions
of
Zermelo
-
Fraenkel
set
theory
,
which
roughly
means
that
you
can
believe
that
Coq
proofs
mean
that
the
corresponding
propositions
are
%
``
%
#
"#really true,#"
#
%
''
%
if
you
believe
in
set
theory
.
Coq
is
actually
based
on
an
extension
of
CIC
called
%
\
textit
{%
#
<
i
>
#
Gallina
#
</
i
>
#
%}%.
The
text
after
the
[
:=
]
and
before
the
period
in
the
last
code
example
is
a
term
of
Gallina
.
Gallina
adds
many
useful
features
that
are
not
compiled
internally
to
more
primitive
CIC
features
.
The
important
metatheorems
about
CIC
have
not
been
extended
to
the
full
breadth
of
these
features
,
but
most
Coq
users
do
not
seem
to
lose
much
sleep
over
this
omission
.
Coq
is
actually
based
on
an
extension
of
CIC
called
%
\
textit
{%
#
<
i
>
#
Gallina
#
</
i
>
#
%}%.
The
text
after
the
[
:=
]
and
before
the
period
in
the
last
code
example
is
a
term
of
Gallina
.
Gallina
adds
many
useful
features
that
are
not
compiled
internally
to
more
primitive
CIC
features
.
The
important
metatheorems
about
CIC
have
not
been
extended
to
the
full
breadth
of
these
features
,
but
most
Coq
users
do
not
seem
to
lose
much
sleep
over
this
omission
.
...
...
src/Subset.v
View file @
d2f328ef
...
@@ -84,7 +84,7 @@ Eval compute in pred_strong1 two_gt0.
...
@@ -84,7 +84,7 @@ Eval compute in pred_strong1 two_gt0.
]]
]]
One
aspect
in
particular
of
the
definition
of
[
pred_strong1
]
may
be
surprising
.
We
took
advantage
of
[
Definition
]
'
s
syntactic
sugar
for
defining
function
arguments
in
the
case
of
[
n
]
,
but
we
bound
the
proofs
later
with
explicit
[
fun
]
expressions
.
Let
us
see
what
happens
if
we
write
this
function
in
the
way
that
at
first
seems
most
natural
.
One
aspect
in
particular
of
the
definition
of
[
pred_strong1
]
may
be
surprising
.
We
took
advantage
of
[
Definition
]
'
s
syntactic
sugar
for
defining
function
arguments
in
the
case
of
[
n
]
,
but
we
bound
the
proofs
later
with
explicit
[
fun
]
expressions
.
Let
us
see
what
happens
if
we
write
this
function
in
the
way
that
at
first
seems
most
natural
.
[[
[[
Definition
pred_strong1
'
(
n
:
nat
)
(
pf
:
n
>
0
)
:
nat
:=
Definition
pred_strong1
'
(
n
:
nat
)
(
pf
:
n
>
0
)
:
nat
:=
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment