Imagine that Coq had accepted our definition, and consider how we might evaluate [approx bad 1]. We would be trying to calculate the first element in the stream [bad]. However, it is not hard to see that the definition of [bad] "begs the question": unfolding the definition of [tl], we see that we essentially say "define [bad] to equal itself"! Of course such an equation admits no single well-defined solution, which does not fit well with the determinism of Gallina reduction.
@@ -130,7 +130,7 @@ On the other hand, Agda, Epigram, and similar tools have less implementation bag
...
(**
In comparisons with its competitors, Coq is often derided for promoting unreadable proofs. It is very easy to write proof scripts that manipulate proof goals imperatively, with no structure to aid readers. Such developments are nightmares to maintain, and they certainly do not manage to convey "why the theorem is true" to anyone but the original author. One additional (and not insignificant) purpose of this book is to show why it is unfair and unproductive to dismiss Coq based on the existence of such developments.
%\index{graphical interfaces to Coq}%I believe that a good graphical interface to Coq is crucial for using it productively. I use the %\index{Proof General}%{{http://proofgeneral.inf.ed.ac.uk/}Proof General} mode for Emacs, which supports a number of other proof assistants besides Coq. There is also the standalone %\index{CoqIDE}%CoqIDE program developed by the Coq team. I like being able to combine certified programming and proving with other kinds of work inside the same full-featured editor, and CoqIDE has had a good number of crashes and other annoying bugs in recent history, though I hear that it is improving. In the initial part of this book, I will reference Proof General procedures explicitly, in introducing how to use Coq, but most of the book will be interface-agnostic, so feel free to use CoqIDE if you prefer it. The one issue with CoqIDE, regarding running through the book source, is that I will sometimes begin a proof attempt but cancel it with the Coq [Abort] or #<span class="inlinecode"><span class="id" type="keyword">#%\coqdockw{%Restart%}%#</span></span># commands, which CoqIDE does not support. It would be bad form to leave such commands lying around in a real, finished development, but I find these commands helpful in writing single source files that trace a user's thought process in designing a proof.
%\index{graphical interfaces to Coq}%I believe that a good graphical interface to Coq is crucial for using it productively. I use the %\index{Proof General}%{{http://proofgeneral.inf.ed.ac.uk/}Proof General} mode for Emacs, which supports a number of other proof assistants besides Coq. There is also the standalone %\index{CoqIDE}%CoqIDE program developed by the Coq team. I like being able to combine certified programming and proving with other kinds of work inside the same full-featured editor. In the initial part of this book, I will reference Proof General procedures explicitly, in introducing how to use Coq, but most of the book will be interface-agnostic, so feel free to use CoqIDE if you prefer it. The one issue with CoqIDE, regarding running through the book source, is that I will sometimes begin a proof attempt but cancel it with the Coq [Abort] or #<span class="inlinecode"><span class="id" type="keyword">#%\coqdockw{%Restart%}%#</span></span># commands, which CoqIDE does not support. It would be bad form to leave such commands lying around in a real, finished development, but I find these commands helpful in writing single source files that trace a user's thought process in designing a proof.
For experts in functional programming or formal methods, learning to use Coq is not hard, in a sense. The Coq manual%~\cite{CoqManual}%, the textbook by Bertot and Cast%\'%eran%~\cite{CoqArt}%, and Pierce et al.'s %\emph{%Software Foundations%}\footnote{\url{http://www.cis.upenn.edu/~bcpierce/sf/}}% have helped many people become productive Coq users. However, I believe that the best ways to manage significant Coq developments are far from settled. In this book, I mean to propose my own techniques, and, rather than treating them as advanced material for a final chapter or two, I employ them from the very beginning. After a first chapter showing off what can be done with dependent types, I retreat into simpler programming styles for the first part of the book. I adopt the other main thrust of the book, Ltac proof automation, more or less from the very start of the technical exposition.
Hence the distinction between [bool] and [Prop]. Programs of type [bool] are computational by construction; we can always run them to determine their results. Many [Prop]s are undecidable, and so we can write more expressive formulas with [Prop]s than with [bool]s, but the inevitable consequence is that we cannot simply "run a [Prop] to determine its truth."
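Review bot: the changed paragraph still makes a second dated claim about CoqIDE right after the one this hunk removes, namely that "[Abort]" and "Restart" are commands "which CoqIDE does not support"; if the reason for dropping the crashes-and-bugs sentence is that it no longer reflects current CoqIDE, that sentence deserves the same check in this commit. The rest of the edit is clean: the old line's trailing clause is cut at "inside the same full-featured editor." and the sentence closes properly, the hunk header's 7/7 line counts match a single-line rewrite, and the surrounding context lines are untouched. No commit message is visible here, so a one-line note stating that the removed remark was outdated would help future readers of the history.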