adam@398
|
1 (* Copyright (c) 2008-2010, 2012, Adam Chlipala
|
adamc@193
|
2 *
|
adamc@193
|
3 * This work is licensed under a
|
adamc@193
|
4 * Creative Commons Attribution-Noncommercial-No Derivative Works 3.0
|
adamc@193
|
5 * Unported License.
|
adamc@193
|
6 * The license text is available at:
|
adamc@193
|
7 * http://creativecommons.org/licenses/by-nc-nd/3.0/
|
adamc@193
|
8 *)
|
adamc@193
|
9
|
adamc@193
|
10 (* begin hide *)
|
adamc@195
|
11 Require Import String List.
|
adamc@193
|
12
|
adam@314
|
13 Require Import CpdtTactics DepList.
|
adamc@193
|
14
|
adamc@193
|
15 Set Implicit Arguments.
|
adamc@193
|
16 (* end hide *)
|
adamc@193
|
17
|
adam@408
|
18 (** printing ~> $\leadsto$ *)
|
adam@408
|
19
|
adamc@193
|
20
|
adamc@219
|
21 (** %\chapter{Generic Programming}% *)
|
adamc@193
|
22
|
adam@408
|
23 (** %\index{generic programming}% _Generic programming_ makes it possible to write functions that operate over different types of data. %\index{parametric polymorphism}%Parametric polymorphism in ML and Haskell is one of the simplest examples. ML-style %\index{module systems}%module systems%~\cite{modules}% and Haskell %\index{type classes}%type classes%~\cite{typeclasses}% are more flexible cases. These language features are often not as powerful as we would like. For instance, while Haskell includes a type class classifying those types whose values can be pretty-printed, per-type pretty-printing is usually either implemented manually or implemented via a %\index{deriving clauses}%[deriving] clause%~\cite{deriving}%, which triggers ad-hoc code generation. Some clever encoding tricks have been used to achieve better within Haskell and other languages, but we can do%\index{datatype-generic programming}% _datatype-generic programming_ much more cleanly with dependent types. Thanks to the expressive power of CIC, we need no special language support.
|
adamc@193
|
24
|
adamc@219
|
25 Generic programming can often be very useful in Coq developments, so we devote this chapter to studying it. In a proof assistant, there is the new possibility of generic proofs about generic programs, which we also devote some space to. *)
|
adamc@193
|
26
|
adamc@195
|
27 (** * Reflecting Datatype Definitions *)
|
adamc@193
|
28
|
adam@408
|
29 (** The key to generic programming with dependent types is%\index{universe types}% _universe types_. This concept should not be confused with the idea of _universes_ from the metatheory of CIC and related languages. Rather, the idea of universe types is to define inductive types that provide _syntactic representations_ of Coq types. We cannot directly write CIC programs that do case analysis on types, but we _can_ case analyze on reflected syntactic versions of those types.
|
adamc@219
|
30
|
adam@358
|
31 Thus, to begin, we must define a syntactic representation of some class of datatypes. In this chapter, our running example will have to do with basic algebraic datatypes, of the kind found in ML and Haskell, but without additional bells and whistles like type parameters and mutually recursive definitions.
|
adamc@219
|
32
|
adamc@219
|
33 The first step is to define a representation for constructors of our datatypes. *)
|
adamc@219
|
34
|
adamc@198
|
35 (* EX: Define a reflected representation of simple algebraic datatypes. *)
|
adamc@198
|
36
|
adamc@198
|
37 (* begin thide *)
|
adamc@193
|
38 Record constructor : Type := Con {
|
adamc@193
|
39 nonrecursive : Type;
|
adamc@193
|
40 recursive : nat
|
adamc@193
|
41 }.
|
adamc@193
|
42
|
adam@286
|
43 (** The idea is that a constructor represented as [Con T n] has [n] arguments of the type that we are defining. Additionally, all of the other, non-recursive arguments can be encoded in the type [T]. When there are no non-recursive arguments, [T] can be [unit]. When there are two non-recursive arguments, of types [A] and [B], [T] can be [A * B]. We can generalize to any number of arguments via tupling.
|
adamc@219
|
44
|
adamc@219
|
45 With this definition, it as easy to define a datatype representation in terms of lists of constructors. *)
|
adamc@219
|
46
|
adamc@193
|
47 Definition datatype := list constructor.
|
adamc@193
|
48
|
adamc@219
|
49 (** Here are a few example encodings for some common types from the Coq standard library. While our syntax type does not support type parameters directly, we can implement them at the meta level, via functions from types to [datatype]s. *)
|
adamc@219
|
50
|
adamc@193
|
51 Definition Empty_set_dt : datatype := nil.
|
adamc@193
|
52 Definition unit_dt : datatype := Con unit 0 :: nil.
|
adamc@193
|
53 Definition bool_dt : datatype := Con unit 0 :: Con unit 0 :: nil.
|
adamc@193
|
54 Definition nat_dt : datatype := Con unit 0 :: Con unit 1 :: nil.
|
adamc@193
|
55 Definition list_dt (A : Type) : datatype := Con unit 0 :: Con A 1 :: nil.
|
adamc@219
|
56
|
adam@358
|
57 (** The type [Empty_set] has no constructors, so its representation is the empty list. The type [unit] has one constructor with no arguments, so its one reflected constructor indicates no non-recursive data and [0] recursive arguments. The representation for [bool] just duplicates this single argumentless constructor. We get from [bool] to [nat] by changing one of the constructors to indicate 1 recursive argument. We get from [nat] to [list] by adding a non-recursive argument of a parameter type [A].
|
adamc@219
|
58
|
adamc@219
|
59 As a further example, we can do the same encoding for a generic binary tree type. *)
|
adamc@219
|
60
|
adamc@198
|
61 (* end thide *)
|
adamc@193
|
62
|
adamc@193
|
63 Section tree.
|
adamc@193
|
64 Variable A : Type.
|
adamc@193
|
65
|
adamc@193
|
66 Inductive tree : Type :=
|
adamc@193
|
67 | Leaf : A -> tree
|
adamc@193
|
68 | Node : tree -> tree -> tree.
|
adamc@193
|
69 End tree.
|
adamc@193
|
70
|
adamc@198
|
71 (* begin thide *)
|
adamc@193
|
72 Definition tree_dt (A : Type) : datatype := Con A 0 :: Con unit 2 :: nil.
|
adamc@193
|
73
|
adam@398
|
74 (** Each datatype representation stands for a family of inductive types. For a specific real datatype and a reputed representation for it, it is useful to define a type of _evidence_ that the datatype is compatible with the encoding. *)
|
adamc@219
|
75
|
adamc@193
|
76 Section denote.
|
adamc@193
|
77 Variable T : Type.
|
adamc@219
|
78 (** This variable stands for the concrete datatype that we are interested in. *)
|
adamc@193
|
79
|
adamc@193
|
80 Definition constructorDenote (c : constructor) :=
|
adamc@193
|
81 nonrecursive c -> ilist T (recursive c) -> T.
|
adam@358
|
82 (** We write that a constructor is represented as a function returning a [T]. Such a function takes two arguments, which pack together the non-recursive and recursive arguments of the constructor. We represent a tuple of all recursive arguments using the length-indexed list type %\index{Gallina terms!ilist}%[ilist] that we met in Chapter 8. *)
|
adamc@193
|
83
|
adamc@193
|
84 Definition datatypeDenote := hlist constructorDenote.
|
adam@358
|
85 (** Finally, the evidence for type [T] is a %\index{Gallina terms!hlist}%heterogeneous list, including a constructor denotation for every constructor encoding in a datatype encoding. Recall that, since we are inside a section binding [T] as a variable, [constructorDenote] is automatically parameterized by [T]. *)
|
adamc@219
|
86
|
adamc@193
|
87 End denote.
|
adamc@198
|
88 (* end thide *)
|
adamc@193
|
89
|
adamc@219
|
90 (** Some example pieces of evidence should help clarify the convention. First, we define some helpful notations, providing different ways of writing constructor denotations. There is really just one notation, but we need several versions of it to cover different choices of which variables will be used in the body of a definition. %The ASCII \texttt{\textasciitilde{}>} from the notation will be rendered later as $\leadsto$.% *)
|
adamc@219
|
91
|
adamc@193
|
92 Notation "[ ! , ! ~> x ]" := ((fun _ _ => x) : constructorDenote _ (Con _ _)).
|
adamc@193
|
93 Notation "[ v , ! ~> x ]" := ((fun v _ => x) : constructorDenote _ (Con _ _)).
|
adamc@219
|
94 Notation "[ ! , r ~> x ]" := ((fun _ r => x) : constructorDenote _ (Con _ _)).
|
adamc@219
|
95 Notation "[ v , r ~> x ]" := ((fun v r => x) : constructorDenote _ (Con _ _)).
|
adamc@193
|
96
|
adamc@198
|
97 (* begin thide *)
|
adamc@193
|
98 Definition Empty_set_den : datatypeDenote Empty_set Empty_set_dt :=
|
adamc@216
|
99 HNil.
|
adamc@193
|
100 Definition unit_den : datatypeDenote unit unit_dt :=
|
adamc@216
|
101 [!, ! ~> tt] ::: HNil.
|
adamc@193
|
102 Definition bool_den : datatypeDenote bool bool_dt :=
|
adamc@216
|
103 [!, ! ~> true] ::: [!, ! ~> false] ::: HNil.
|
adamc@193
|
104 Definition nat_den : datatypeDenote nat nat_dt :=
|
adamc@219
|
105 [!, ! ~> O] ::: [!, r ~> S (hd r)] ::: HNil.
|
adamc@193
|
106 Definition list_den (A : Type) : datatypeDenote (list A) (list_dt A) :=
|
adamc@219
|
107 [!, ! ~> nil] ::: [x, r ~> x :: hd r] ::: HNil.
|
adamc@193
|
108 Definition tree_den (A : Type) : datatypeDenote (tree A) (tree_dt A) :=
|
adamc@219
|
109 [v, ! ~> Leaf v] ::: [!, r ~> Node (hd r) (hd (tl r))] ::: HNil.
|
adamc@198
|
110 (* end thide *)
|
adamc@194
|
111
|
adam@358
|
112 (** Recall that the [hd] and [tl] calls above operate on richly typed lists, where type indices tell us the lengths of lists, guaranteeing the safety of operations like [hd]. The type annotation attached to each definition provides enough information for Coq to infer list lengths at appropriate points. *)
|
adam@358
|
113
|
adamc@195
|
114
|
adamc@195
|
115 (** * Recursive Definitions *)
|
adamc@195
|
116
|
adamc@198
|
117 (* EX: Define a generic [size] function. *)
|
adamc@198
|
118
|
adam@408
|
119 (** We built these encodings of datatypes to help us write datatype-generic recursive functions. To do so, we will want a reflected representation of a%\index{recursion schemes}% _recursion scheme_ for each type, similar to the [T_rect] principle generated automatically for an inductive definition of [T]. A clever reuse of [datatypeDenote] yields a short definition. *)
|
adamc@219
|
120
|
adamc@198
|
121 (* begin thide *)
|
adamc@194
|
122 Definition fixDenote (T : Type) (dt : datatype) :=
|
adamc@194
|
123 forall (R : Type), datatypeDenote R dt -> (T -> R).
|
adamc@194
|
124
|
adamc@219
|
125 (** The idea of a recursion scheme is parameterized by a type and a reputed encoding of it. The principle itself is polymorphic in a type [R], which is the return type of the recursive function that we mean to write. The next argument is a hetergeneous list of one case of the recursive function definition for each datatype constructor. The [datatypeDenote] function turns out to have just the right definition to express the type we need; a set of function cases is just like an alternate set of constructors where we replace the original type [T] with the function result type [R]. Given such a reflected definition, a [fixDenote] invocation returns a function from [T] to [R], which is just what we wanted.
|
adamc@219
|
126
|
adamc@219
|
127 We are ready to write some example functions now. It will be useful to use one new function from the [DepList] library included in the book source. *)
|
adamc@219
|
128
|
adamc@219
|
129 Check hmake.
|
adamc@219
|
130 (** %\vspace{-.15in}% [[
|
adamc@219
|
131 hmake
|
adamc@219
|
132 : forall (A : Type) (B : A -> Type),
|
adam@358
|
133 (forall x : A, B x) -> forall ls : list A, hlist B ls
|
adamc@219
|
134 ]]
|
adamc@219
|
135
|
adam@358
|
136 The function [hmake] is a kind of [map] alternative that goes from a regular [list] to an [hlist]. We can use it to define a generic size function that counts the number of constructors used to build a value in a datatype. *)
|
adamc@219
|
137
|
adamc@194
|
138 Definition size T dt (fx : fixDenote T dt) : T -> nat :=
|
adamc@194
|
139 fx nat (hmake (B := constructorDenote nat) (fun _ _ r => foldr plus 1 r) dt).
|
adamc@194
|
140
|
adamc@219
|
141 (** Our definition is parameterized over a recursion scheme [fx]. We instantiate [fx] by passing it the function result type and a set of function cases, where we build the latter with [hmake]. The function argument to [hmake] takes three arguments: the representation of a constructor, its non-recursive arguments, and the results of recursive calls on all of its recursive arguments. We only need the recursive call results here, so we call them [r] and bind the other two inputs with wildcards. The actual case body is simple: we add together the recursive call results and increment the result by one (to account for the current constructor). This [foldr] function is an [hlist]-specific version defined in the [DepList] module.
|
adamc@219
|
142
|
adamc@219
|
143 It is instructive to build [fixDenote] values for our example types and see what specialized [size] functions result from them. *)
|
adamc@219
|
144
|
adamc@194
|
145 Definition Empty_set_fix : fixDenote Empty_set Empty_set_dt :=
|
adamc@194
|
146 fun R _ emp => match emp with end.
|
adamc@194
|
147 Eval compute in size Empty_set_fix.
|
adamc@219
|
148 (** %\vspace{-.15in}% [[
|
adamc@219
|
149 = fun emp : Empty_set => match emp return nat with
|
adamc@219
|
150 end
|
adamc@219
|
151 : Empty_set -> nat
|
adamc@219
|
152 ]]
|
adamc@219
|
153
|
adamc@219
|
154 Despite all the fanciness of the generic [size] function, CIC's standard computation rules suffice to normalize the generic function specialization to exactly what we would have written manually. *)
|
adamc@194
|
155
|
adamc@194
|
156 Definition unit_fix : fixDenote unit unit_dt :=
|
adamc@216
|
157 fun R cases _ => (hhd cases) tt INil.
|
adamc@194
|
158 Eval compute in size unit_fix.
|
adamc@219
|
159 (** %\vspace{-.15in}% [[
|
adamc@219
|
160 = fun _ : unit => 1
|
adamc@219
|
161 : unit -> nat
|
adamc@219
|
162 ]]
|
adamc@219
|
163
|
adamc@219
|
164 Again normalization gives us the natural function definition. We see this pattern repeated for our other example types. *)
|
adamc@194
|
165
|
adamc@194
|
166 Definition bool_fix : fixDenote bool bool_dt :=
|
adamc@194
|
167 fun R cases b => if b
|
adamc@216
|
168 then (hhd cases) tt INil
|
adamc@216
|
169 else (hhd (htl cases)) tt INil.
|
adamc@194
|
170 Eval compute in size bool_fix.
|
adamc@219
|
171 (** %\vspace{-.15in}% [[
|
adamc@219
|
172 = fun b : bool => if b then 1 else 1
|
adamc@219
|
173 : bool -> nat
|
adam@302
|
174 ]]
|
adam@302
|
175 *)
|
adamc@194
|
176
|
adamc@194
|
177 Definition nat_fix : fixDenote nat nat_dt :=
|
adamc@194
|
178 fun R cases => fix F (n : nat) : R :=
|
adamc@194
|
179 match n with
|
adamc@216
|
180 | O => (hhd cases) tt INil
|
adamc@216
|
181 | S n' => (hhd (htl cases)) tt (ICons (F n') INil)
|
adamc@194
|
182 end.
|
adamc@219
|
183
|
adamc@219
|
184 (** To peek at the [size] function for [nat], it is useful to avoid full computation, so that the recursive definition of addition is not expanded inline. We can accomplish this with proper flags for the [cbv] reduction strategy. *)
|
adamc@219
|
185
|
adamc@194
|
186 Eval cbv beta iota delta -[plus] in size nat_fix.
|
adamc@219
|
187 (** %\vspace{-.15in}% [[
|
adamc@219
|
188 = fix F (n : nat) : nat := match n with
|
adamc@219
|
189 | 0 => 1
|
adamc@219
|
190 | S n' => F n' + 1
|
adamc@219
|
191 end
|
adamc@219
|
192 : nat -> nat
|
adam@302
|
193 ]]
|
adam@302
|
194 *)
|
adamc@194
|
195
|
adamc@194
|
196 Definition list_fix (A : Type) : fixDenote (list A) (list_dt A) :=
|
adamc@194
|
197 fun R cases => fix F (ls : list A) : R :=
|
adamc@194
|
198 match ls with
|
adamc@216
|
199 | nil => (hhd cases) tt INil
|
adamc@216
|
200 | x :: ls' => (hhd (htl cases)) x (ICons (F ls') INil)
|
adamc@194
|
201 end.
|
adamc@194
|
202 Eval cbv beta iota delta -[plus] in fun A => size (@list_fix A).
|
adamc@219
|
203 (** %\vspace{-.15in}% [[
|
adamc@219
|
204 = fun A : Type =>
|
adamc@219
|
205 fix F (ls : list A) : nat :=
|
adamc@219
|
206 match ls with
|
adamc@219
|
207 | nil => 1
|
adamc@219
|
208 | _ :: ls' => F ls' + 1
|
adamc@219
|
209 end
|
adamc@219
|
210 : forall A : Type, list A -> nat
|
adam@302
|
211 ]]
|
adam@302
|
212 *)
|
adamc@194
|
213
|
adamc@194
|
214 Definition tree_fix (A : Type) : fixDenote (tree A) (tree_dt A) :=
|
adamc@194
|
215 fun R cases => fix F (t : tree A) : R :=
|
adamc@194
|
216 match t with
|
adamc@216
|
217 | Leaf x => (hhd cases) x INil
|
adamc@216
|
218 | Node t1 t2 => (hhd (htl cases)) tt (ICons (F t1) (ICons (F t2) INil))
|
adamc@194
|
219 end.
|
adamc@194
|
220 Eval cbv beta iota delta -[plus] in fun A => size (@tree_fix A).
|
adamc@219
|
221 (** %\vspace{-.15in}% [[
|
adamc@219
|
222 = fun A : Type =>
|
adamc@219
|
223 fix F (t : tree A) : nat :=
|
adamc@219
|
224 match t with
|
adamc@219
|
225 | Leaf _ => 1
|
adamc@219
|
226 | Node t1 t2 => F t1 + (F t2 + 1)
|
adamc@219
|
227 end
|
adamc@219
|
228 : forall A : Type, tree A -> n
|
adam@302
|
229 ]]
|
adam@302
|
230 *)
|
adamc@198
|
231 (* end thide *)
|
adamc@195
|
232
|
adamc@195
|
233
|
adamc@195
|
234 (** ** Pretty-Printing *)
|
adamc@195
|
235
|
adamc@219
|
236 (** It is also useful to do generic pretty-printing of datatype values, rendering them as human-readable strings. To do so, we will need a bit of metadata for each constructor. Specifically, we need the name to print for the constructor and the function to use to render its non-recursive arguments. Everything else can be done generically. *)
|
adamc@219
|
237
|
adamc@195
|
238 Record print_constructor (c : constructor) : Type := PI {
|
adamc@195
|
239 printName : string;
|
adamc@195
|
240 printNonrec : nonrecursive c -> string
|
adamc@195
|
241 }.
|
adamc@195
|
242
|
adamc@219
|
243 (** It is useful to define a shorthand for applying the constructor [PI]. By applying it explicitly to an unknown application of the constructor [Con], we help type inference work. *)
|
adamc@219
|
244
|
adamc@195
|
245 Notation "^" := (PI (Con _ _)).
|
adamc@195
|
246
|
adamc@219
|
247 (** As in earlier examples, we define the type of metadata for a datatype to be a heterogeneous list type collecting metadata for each constructor. *)
|
adamc@219
|
248
|
adamc@195
|
249 Definition print_datatype := hlist print_constructor.
|
adamc@195
|
250
|
adamc@219
|
251 (** We will be doing some string manipulation here, so we import the notations associated with strings. *)
|
adamc@219
|
252
|
adamc@219
|
253 Local Open Scope string_scope.
|
adamc@219
|
254
|
adamc@219
|
255 (** Now it is easy to implement our generic printer, using another function from [DepList.] *)
|
adamc@219
|
256
|
adamc@219
|
257 Check hmap.
|
adamc@219
|
258 (** %\vspace{-.15in}% [[
|
adamc@219
|
259 hmap
|
adamc@219
|
260 : forall (A : Type) (B1 B2 : A -> Type),
|
adamc@219
|
261 (forall x : A, B1 x -> B2 x) ->
|
adamc@219
|
262 forall ls : list A, hlist B1 ls -> hlist B2 ls
|
adam@302
|
263 ]]
|
adam@302
|
264 *)
|
adamc@195
|
265
|
adamc@195
|
266 Definition print T dt (pr : print_datatype dt) (fx : fixDenote T dt) : T -> string :=
|
adamc@195
|
267 fx string (hmap (B1 := print_constructor) (B2 := constructorDenote string)
|
adamc@195
|
268 (fun _ pc x r => printName pc ++ "(" ++ printNonrec pc x
|
adamc@195
|
269 ++ foldr (fun s acc => ", " ++ s ++ acc) ")" r) pr).
|
adamc@195
|
270
|
adamc@219
|
271 (** Some simple tests establish that [print] gets the job done. *)
|
adamc@219
|
272
|
adamc@216
|
273 Eval compute in print HNil Empty_set_fix.
|
adamc@219
|
274 (** %\vspace{-.15in}% [[
|
adamc@219
|
275 = fun emp : Empty_set => match emp return string with
|
adamc@219
|
276 end
|
adamc@219
|
277 : Empty_set -> string
|
adam@302
|
278 ]]
|
adam@302
|
279 *)
|
adamc@219
|
280
|
adamc@216
|
281 Eval compute in print (^ "tt" (fun _ => "") ::: HNil) unit_fix.
|
adamc@219
|
282 (** %\vspace{-.15in}% [[
|
adamc@219
|
283 = fun _ : unit => "tt()"
|
adamc@219
|
284 : unit -> string
|
adam@302
|
285 ]]
|
adam@302
|
286 *)
|
adamc@219
|
287
|
adamc@195
|
288 Eval compute in print (^ "true" (fun _ => "")
|
adamc@195
|
289 ::: ^ "false" (fun _ => "")
|
adamc@216
|
290 ::: HNil) bool_fix.
|
adamc@219
|
291 (** %\vspace{-.15in}% [[
|
adamc@219
|
292 = fun b : bool => if b then "true()" else "false()"
|
adamc@219
|
293 : bool -> s
|
adam@302
|
294 ]]
|
adam@302
|
295 *)
|
adamc@195
|
296
|
adamc@195
|
297 Definition print_nat := print (^ "O" (fun _ => "")
|
adamc@195
|
298 ::: ^ "S" (fun _ => "")
|
adamc@216
|
299 ::: HNil) nat_fix.
|
adamc@195
|
300 Eval cbv beta iota delta -[append] in print_nat.
|
adamc@219
|
301 (** %\vspace{-.15in}% [[
|
adamc@219
|
302 = fix F (n : nat) : string :=
|
adamc@219
|
303 match n with
|
adamc@219
|
304 | 0%nat => "O" ++ "(" ++ "" ++ ")"
|
adamc@219
|
305 | S n' => "S" ++ "(" ++ "" ++ ", " ++ F n' ++ ")"
|
adamc@219
|
306 end
|
adamc@219
|
307 : nat -> string
|
adam@302
|
308 ]]
|
adam@302
|
309 *)
|
adamc@219
|
310
|
adamc@195
|
311 Eval simpl in print_nat 0.
|
adamc@219
|
312 (** %\vspace{-.15in}% [[
|
adamc@219
|
313 = "O()"
|
adamc@219
|
314 : string
|
adam@302
|
315 ]]
|
adam@302
|
316 *)
|
adamc@219
|
317
|
adamc@195
|
318 Eval simpl in print_nat 1.
|
adamc@219
|
319 (** %\vspace{-.15in}% [[
|
adamc@219
|
320 = "S(, O())"
|
adamc@219
|
321 : string
|
adam@302
|
322 ]]
|
adam@302
|
323 *)
|
adamc@219
|
324
|
adamc@195
|
325 Eval simpl in print_nat 2.
|
adamc@219
|
326 (** %\vspace{-.15in}% [[
|
adamc@219
|
327 = "S(, S(, O()))"
|
adamc@219
|
328 : string
|
adam@302
|
329 ]]
|
adam@302
|
330 *)
|
adamc@195
|
331
|
adamc@195
|
332 Eval cbv beta iota delta -[append] in fun A (pr : A -> string) =>
|
adamc@195
|
333 print (^ "nil" (fun _ => "")
|
adamc@195
|
334 ::: ^ "cons" pr
|
adamc@216
|
335 ::: HNil) (@list_fix A).
|
adamc@219
|
336 (** %\vspace{-.15in}% [[
|
adamc@219
|
337 = fun (A : Type) (pr : A -> string) =>
|
adamc@219
|
338 fix F (ls : list A) : string :=
|
adamc@219
|
339 match ls with
|
adamc@219
|
340 | nil => "nil" ++ "(" ++ "" ++ ")"
|
adamc@219
|
341 | x :: ls' => "cons" ++ "(" ++ pr x ++ ", " ++ F ls' ++ ")"
|
adamc@219
|
342 end
|
adamc@219
|
343 : forall A : Type, (A -> string) -> list A -> string
|
adam@302
|
344 ]]
|
adam@302
|
345 *)
|
adamc@219
|
346
|
adamc@195
|
347 Eval cbv beta iota delta -[append] in fun A (pr : A -> string) =>
|
adamc@195
|
348 print (^ "Leaf" pr
|
adamc@195
|
349 ::: ^ "Node" (fun _ => "")
|
adamc@216
|
350 ::: HNil) (@tree_fix A).
|
adamc@219
|
351 (** %\vspace{-.15in}% [[
|
adamc@219
|
352 = fun (A : Type) (pr : A -> string) =>
|
adamc@219
|
353 fix F (t : tree A) : string :=
|
adamc@219
|
354 match t with
|
adamc@219
|
355 | Leaf x => "Leaf" ++ "(" ++ pr x ++ ")"
|
adamc@219
|
356 | Node t1 t2 =>
|
adamc@219
|
357 "Node" ++ "(" ++ "" ++ ", " ++ F t1 ++ ", " ++ F t2 ++ ")"
|
adamc@219
|
358 end
|
adamc@219
|
359 : forall A : Type, (A -> string) -> tree A -> string
|
adam@302
|
360 ]]
|
adam@302
|
361 *)
|
adamc@196
|
362
|
adam@428
|
363 (* begin hide *)
|
adam@437
|
364 (* begin thide *)
|
adam@428
|
365 Definition append' := append.
|
adam@437
|
366 (* end thide *)
|
adam@428
|
367 (* end hide *)
|
adam@428
|
368
|
adam@358
|
369 (** Some of these simplified terms seem overly complex because we have turned off simplification of calls to [append], which is what uses of the [++] operator desugar to. Selective [++] simplification would combine adjacent string literals, yielding more or less the code we would write manually to implement this printing scheme. *)
|
adam@358
|
370
|
adamc@196
|
371
|
adamc@196
|
372 (** ** Mapping *)
|
adamc@196
|
373
|
adamc@219
|
374 (** By this point, we have developed enough machinery that it is old hat to define a generic function similar to the list [map] function. *)
|
adamc@219
|
375
|
adamc@219
|
376 Definition map T dt (dd : datatypeDenote T dt) (fx : fixDenote T dt) (f : T -> T)
|
adamc@219
|
377 : T -> T :=
|
adamc@196
|
378 fx T (hmap (B1 := constructorDenote T) (B2 := constructorDenote T)
|
adamc@196
|
379 (fun _ c x r => f (c x r)) dd).
|
adamc@196
|
380
|
adamc@196
|
381 Eval compute in map Empty_set_den Empty_set_fix.
|
adamc@219
|
382 (** %\vspace{-.15in}% [[
|
adamc@219
|
383 = fun (_ : Empty_set -> Empty_set) (emp : Empty_set) =>
|
adamc@219
|
384 match emp return Empty_set with
|
adamc@219
|
385 end
|
adamc@219
|
386 : (Empty_set -> Empty_set) -> Empty_set -> Empty_set
|
adam@302
|
387 ]]
|
adam@302
|
388 *)
|
adamc@219
|
389
|
adamc@196
|
390 Eval compute in map unit_den unit_fix.
|
adamc@219
|
391 (** %\vspace{-.15in}% [[
|
adamc@219
|
392 = fun (f : unit -> unit) (_ : unit) => f tt
|
adamc@219
|
393 : (unit -> unit) -> unit -> unit
|
adam@302
|
394 ]]
|
adam@302
|
395 *)
|
adamc@219
|
396
|
adamc@196
|
397 Eval compute in map bool_den bool_fix.
|
adamc@219
|
398 (** %\vspace{-.15in}% [[
|
adamc@219
|
399 = fun (f : bool -> bool) (b : bool) => if b then f true else f false
|
adamc@219
|
400 : (bool -> bool) -> bool -> bool
|
adam@302
|
401 ]]
|
adam@302
|
402 *)
|
adamc@219
|
403
|
adamc@196
|
404 Eval compute in map nat_den nat_fix.
|
adamc@219
|
405 (** %\vspace{-.15in}% [[
|
adamc@219
|
406 = fun f : nat -> nat =>
|
adamc@219
|
407 fix F (n : nat) : nat :=
|
adamc@219
|
408 match n with
|
adamc@219
|
409 | 0%nat => f 0%nat
|
adamc@219
|
410 | S n' => f (S (F n'))
|
adamc@219
|
411 end
|
adamc@219
|
412 : (nat -> nat) -> nat -> nat
|
adam@302
|
413 ]]
|
adam@302
|
414 *)
|
adamc@219
|
415
|
adamc@196
|
416 Eval compute in fun A => map (list_den A) (@list_fix A).
|
adamc@219
|
417 (** %\vspace{-.15in}% [[
|
adamc@219
|
418 = fun (A : Type) (f : list A -> list A) =>
|
adamc@219
|
419 fix F (ls : list A) : list A :=
|
adamc@219
|
420 match ls with
|
adamc@219
|
421 | nil => f nil
|
adamc@219
|
422 | x :: ls' => f (x :: F ls')
|
adamc@219
|
423 end
|
adamc@219
|
424 : forall A : Type, (list A -> list A) -> list A -> list A
|
adam@302
|
425 ]]
|
adam@302
|
426 *)
|
adamc@219
|
427
|
adamc@196
|
428 Eval compute in fun A => map (tree_den A) (@tree_fix A).
|
adamc@219
|
429 (** %\vspace{-.15in}% [[
|
adamc@219
|
430 = fun (A : Type) (f : tree A -> tree A) =>
|
adamc@219
|
431 fix F (t : tree A) : tree A :=
|
adamc@219
|
432 match t with
|
adamc@219
|
433 | Leaf x => f (Leaf x)
|
adamc@219
|
434 | Node t1 t2 => f (Node (F t1) (F t2))
|
adamc@219
|
435 end
|
adamc@219
|
436 : forall A : Type, (tree A -> tree A) -> tree A -> tree A
|
adam@302
|
437 ]]
|
adam@302
|
438 *)
|
adamc@196
|
439
|
adam@358
|
440 (** These [map] functions are just as easy to use as those we write by hand. Can you figure out the input-output pattern that [map_nat S] displays in these examples? *)
|
adam@358
|
441
|
adamc@196
|
442 Definition map_nat := map nat_den nat_fix.
|
adamc@196
|
443 Eval simpl in map_nat S 0.
|
adamc@219
|
444 (** %\vspace{-.15in}% [[
|
adamc@219
|
445 = 1%nat
|
adamc@219
|
446 : nat
|
adam@302
|
447 ]]
|
adam@302
|
448 *)
|
adamc@219
|
449
|
adamc@196
|
450 Eval simpl in map_nat S 1.
|
adamc@219
|
451 (** %\vspace{-.15in}% [[
|
adamc@219
|
452 = 3%nat
|
adamc@219
|
453 : nat
|
adam@302
|
454 ]]
|
adam@302
|
455 *)
|
adamc@219
|
456
|
adamc@196
|
457 Eval simpl in map_nat S 2.
|
adamc@219
|
458 (** %\vspace{-.15in}% [[
|
adamc@219
|
459 = 5%nat
|
adamc@219
|
460 : nat
|
adam@302
|
461 ]]
|
adam@302
|
462 *)
|
adamc@196
|
463
|
adam@358
|
464 (** We get [map_nat S n] = [2 * n + 1], because the mapping process adds an extra [S] at every level of the inductive tree that defines a natural, including at the last level, the [O] constructor. *)
|
adam@358
|
465
|
adamc@196
|
466
|
adamc@196
|
467 (** * Proving Theorems about Recursive Definitions *)
|
adamc@196
|
468
|
adamc@219
|
469 (** We would like to be able to prove theorems about our generic functions. To do so, we need to establish additional well-formedness properties that must hold of pieces of evidence. *)
|
adamc@219
|
470
|
adamc@196
|
471 Section ok.
|
adamc@196
|
472 Variable T : Type.
|
adamc@196
|
473 Variable dt : datatype.
|
adamc@196
|
474
|
adamc@196
|
475 Variable dd : datatypeDenote T dt.
|
adamc@196
|
476 Variable fx : fixDenote T dt.
|
adamc@196
|
477
|
adamc@219
|
478 (** First, we characterize when a piece of evidence about a datatype is acceptable. The basic idea is that the type [T] should really be an inductive type with the definition given by [dd]. Semantically, inductive types are characterized by the ability to do induction on them. Therefore, we require that the usual induction principle is true, with respect to the constructors given in the encoding [dd]. *)
|
adamc@219
|
479
|
adamc@196
|
480 Definition datatypeDenoteOk :=
|
adamc@196
|
481 forall P : T -> Prop,
|
adamc@196
|
482 (forall c (m : member c dt) (x : nonrecursive c) (r : ilist T (recursive c)),
|
adamc@215
|
483 (forall i : fin (recursive c), P (get r i))
|
adamc@196
|
484 -> P ((hget dd m) x r))
|
adamc@196
|
485 -> forall v, P v.
|
adamc@196
|
486
|
adam@408
|
487 (** This definition can take a while to digest. The quantifier over [m : member c dt] is considering each constructor in turn; like in normal induction principles, each constructor has an associated proof case. The expression [hget dd m] then names the constructor we have selected. After binding [m], we quantify over all possible arguments (encoded with [x] and [r]) to the constructor that [m] selects. Within each specific case, we quantify further over [i : fin (recursive c)] to consider all of our induction hypotheses, one for each recursive argument of the current constructor.
|
adamc@219
|
488
|
adamc@219
|
489 We have completed half the burden of defining side conditions. The other half comes in characterizing when a recursion scheme [fx] is valid. The natural condition is that [fx] behaves appropriately when applied to any constructor application. *)
|
adamc@219
|
490
|
adamc@196
|
491 Definition fixDenoteOk :=
|
adamc@196
|
492 forall (R : Type) (cases : datatypeDenote R dt)
|
adamc@196
|
493 c (m : member c dt)
|
adamc@196
|
494 (x : nonrecursive c) (r : ilist T (recursive c)),
|
adamc@216
|
495 fx cases ((hget dd m) x r)
|
adamc@216
|
496 = (hget cases m) x (imap (fx cases) r).
|
adamc@219
|
497
|
adamc@219
|
498 (** As for [datatypeDenoteOk], we consider all constructors and all possible arguments to them by quantifying over [m], [x], and [r]. The lefthand side of the equality that follows shows a call to the recursive function on the specific constructor application that we selected. The righthand side shows an application of the function case associated with constructor [m], applied to the non-recursive arguments and to appropriate recursive calls on the recursive arguments. *)
|
adamc@219
|
499
|
adamc@196
|
500 End ok.
|
adamc@196
|
501
|
adamc@219
|
502 (** We are now ready to prove that the [size] function we defined earlier always returns positive results. First, we establish a simple lemma. *)
|
adamc@196
|
503
|
adam@359
|
504 (* begin thide *)
|
adamc@196
|
505 Lemma foldr_plus : forall n (ils : ilist nat n),
|
adamc@196
|
506 foldr plus 1 ils > 0.
|
adamc@216
|
507 induction ils; crush.
|
adamc@196
|
508 Qed.
|
adamc@198
|
509 (* end thide *)
|
adamc@196
|
510
|
adamc@197
|
511 Theorem size_positive : forall T dt
|
adamc@197
|
512 (dd : datatypeDenote T dt) (fx : fixDenote T dt)
|
adamc@197
|
513 (dok : datatypeDenoteOk dd) (fok : fixDenoteOk dd fx)
|
adamc@196
|
514 (v : T),
|
adamc@196
|
515 size fx v > 0.
|
adamc@198
|
516 (* begin thide *)
|
adamc@219
|
517 unfold size; intros.
|
adamc@219
|
518 (** [[
|
adamc@219
|
519 ============================
|
adamc@219
|
520 fx nat
|
adamc@219
|
521 (hmake
|
adamc@219
|
522 (fun (x : constructor) (_ : nonrecursive x)
|
adamc@219
|
523 (r : ilist nat (recursive x)) => foldr plus 1%nat r) dt) v > 0
|
adamc@219
|
524 ]]
|
adamc@219
|
525
|
adamc@219
|
526 Our goal is an inequality over a particular call to [size], with its definition expanded. How can we proceed here? We cannot use [induction] directly, because there is no way for Coq to know that [T] is an inductive type. Instead, we need to use the induction principle encoded in our hypothesis [dok] of type [datatypeDenoteOk dd]. Let us try applying it directly.
|
adamc@219
|
527 [[
|
adamc@219
|
528 apply dok.
|
adam@358
|
529 ]]
|
adam@358
|
530 %\vspace{-.3in}%
|
adam@358
|
531 <<
|
adamc@219
|
532 Error: Impossible to unify "datatypeDenoteOk dd" with
|
adamc@219
|
533 "fx nat
|
adamc@219
|
534 (hmake
|
adamc@219
|
535 (fun (x : constructor) (_ : nonrecursive x)
|
adamc@219
|
536 (r : ilist nat (recursive x)) => foldr plus 1%nat r) dt) v > 0".
|
adam@358
|
537 >>
|
adamc@219
|
538
|
adam@360
|
539 Matching the type of [dok] with the type of our conclusion requires more than simple first-order unification, so [apply] is not up to the challenge. We can use the %\index{tactics!pattern}%[pattern] tactic to get our goal into a form that makes it apparent exactly what the induction hypothesis is. *)
|
adamc@219
|
540
|
adamc@219
|
541 pattern v.
|
adam@358
|
542 (** %\vspace{-.15in}%[[
|
adamc@219
|
543 ============================
|
adamc@219
|
544 (fun t : T =>
|
adamc@219
|
545 fx nat
|
adamc@219
|
546 (hmake
|
adamc@219
|
547 (fun (x : constructor) (_ : nonrecursive x)
|
adamc@219
|
548 (r : ilist nat (recursive x)) => foldr plus 1%nat r) dt) t > 0) v
|
adam@302
|
549 ]]
|
adam@302
|
550 *)
|
adamc@219
|
551
|
adamc@219
|
552 apply dok; crush.
|
adam@358
|
553 (** %\vspace{-.15in}%[[
|
adamc@219
|
554 H : forall i : fin (recursive c),
|
adamc@219
|
555 fx nat
|
adamc@219
|
556 (hmake
|
adamc@219
|
557 (fun (x : constructor) (_ : nonrecursive x)
|
adamc@219
|
558 (r : ilist nat (recursive x)) => foldr plus 1%nat r) dt)
|
adamc@219
|
559 (get r i) > 0
|
adamc@219
|
560 ============================
|
adamc@219
|
561 hget
|
adamc@219
|
562 (hmake
|
adamc@219
|
563 (fun (x0 : constructor) (_ : nonrecursive x0)
|
adamc@219
|
564 (r0 : ilist nat (recursive x0)) => foldr plus 1%nat r0) dt) m x
|
adamc@219
|
565 (imap
|
adamc@219
|
566 (fx nat
|
adamc@219
|
567 (hmake
|
adamc@219
|
568 (fun (x0 : constructor) (_ : nonrecursive x0)
|
adamc@219
|
569 (r0 : ilist nat (recursive x0)) =>
|
adamc@219
|
570 foldr plus 1%nat r0) dt)) r) > 0
|
adamc@219
|
571 ]]
|
adamc@219
|
572
|
adamc@219
|
573 An induction hypothesis [H] is generated, but we turn out not to need it for this example. We can simplify the goal using a library theorem about the composition of [hget] and [hmake]. *)
|
adamc@219
|
574
|
adamc@219
|
575 rewrite hget_hmake.
|
adam@358
|
576 (** %\vspace{-.15in}%[[
|
adamc@219
|
577 ============================
|
adamc@219
|
578 foldr plus 1%nat
|
adamc@219
|
579 (imap
|
adamc@219
|
580 (fx nat
|
adamc@219
|
581 (hmake
|
adamc@219
|
582 (fun (x0 : constructor) (_ : nonrecursive x0)
|
adamc@219
|
583 (r0 : ilist nat (recursive x0)) =>
|
adamc@219
|
584 foldr plus 1%nat r0) dt)) r) > 0
|
adamc@219
|
585 ]]
|
adamc@219
|
586
|
adamc@219
|
587 The lemma we proved earlier finishes the proof. *)
|
adamc@219
|
588
|
adamc@219
|
589 apply foldr_plus.
|
adamc@219
|
590
|
adamc@219
|
591 (** Using hints, we can redo this proof in a nice automated form. *)
|
adamc@219
|
592
|
adamc@219
|
593 Restart.
|
adamc@219
|
594
|
adam@375
|
595 Hint Rewrite hget_hmake.
|
adamc@196
|
596 Hint Resolve foldr_plus.
|
adamc@196
|
597
|
adamc@197
|
598 unfold size; intros; pattern v; apply dok; crush.
|
adamc@196
|
599 Qed.
|
adamc@198
|
600 (* end thide *)
|
adamc@197
|
601
|
adamc@219
|
602 (** It turned out that, in this example, we only needed to use induction degenerately as case analysis. A more involved theorem may only be proved using induction hypotheses. We will give its proof only in unautomated form and leave effective automation as an exercise for the motivated reader.
|
adamc@219
|
603
|
adamc@219
|
604 In particular, it ought to be the case that generic [map] applied to an identity function is itself an identity function. *)
|
adamc@219
|
605
|
adamc@197
|
606 Theorem map_id : forall T dt
|
adamc@197
|
607 (dd : datatypeDenote T dt) (fx : fixDenote T dt)
|
adamc@197
|
608 (dok : datatypeDenoteOk dd) (fok : fixDenoteOk dd fx)
|
adamc@197
|
609 (v : T),
|
adamc@197
|
610 map dd fx (fun x => x) v = v.
|
adamc@198
|
611 (* begin thide *)
|
adamc@219
|
612 (** Let us begin as we did in the last theorem, after adding another useful library equality as a hint. *)
|
adamc@219
|
613
|
adam@375
|
614 Hint Rewrite hget_hmap.
|
adamc@197
|
615
|
adamc@197
|
616 unfold map; intros; pattern v; apply dok; crush.
|
adam@358
|
617 (** %\vspace{-.15in}%[[
|
adamc@219
|
618 H : forall i : fin (recursive c),
|
adamc@219
|
619 fx T
|
adamc@219
|
620 (hmap
|
adamc@219
|
621 (fun (x : constructor) (c : constructorDenote T x)
|
adamc@219
|
622 (x0 : nonrecursive x) (r : ilist T (recursive x)) =>
|
adamc@219
|
623 c x0 r) dd) (get r i) = get r i
|
adamc@219
|
624 ============================
|
adamc@219
|
625 hget dd m x
|
adamc@219
|
626 (imap
|
adamc@219
|
627 (fx T
|
adamc@219
|
628 (hmap
|
adamc@219
|
629 (fun (x0 : constructor) (c0 : constructorDenote T x0)
|
adamc@219
|
630 (x1 : nonrecursive x0) (r0 : ilist T (recursive x0)) =>
|
adamc@219
|
631 c0 x1 r0) dd)) r) = hget dd m x r
|
adamc@219
|
632 ]]
|
adamc@197
|
633
|
adamc@219
|
634 Our goal is an equality whose two sides begin with the same function call and initial arguments. We believe that the remaining arguments are in fact equal as well, and the [f_equal] tactic applies this reasoning step for us formally. *)
|
adamc@219
|
635
|
adamc@197
|
636 f_equal.
|
adam@358
|
637 (** %\vspace{-.15in}%[[
|
adamc@219
|
638 ============================
|
adamc@219
|
639 imap
|
adamc@219
|
640 (fx T
|
adamc@219
|
641 (hmap
|
adamc@219
|
642 (fun (x0 : constructor) (c0 : constructorDenote T x0)
|
adamc@219
|
643 (x1 : nonrecursive x0) (r0 : ilist T (recursive x0)) =>
|
adamc@219
|
644 c0 x1 r0) dd)) r = r
|
adamc@219
|
645 ]]
|
adamc@219
|
646
|
adamc@219
|
647 At this point, it is helpful to proceed by an inner induction on the heterogeneous list [r] of recursive call results. We could arrive at a cleaner proof by breaking this step out into an explicit lemma, but here we will do the induction inline to save space.*)
|
adamc@219
|
648
|
adamc@219
|
649 induction r; crush.
|
adamc@219
|
650
|
adam@428
|
651 (* begin hide *)
|
adam@437
|
652 (* begin thide *)
|
adam@428
|
653 Definition pred' := pred.
|
adam@437
|
654 (* end thide *)
|
adam@428
|
655 (* end hide *)
|
adam@428
|
656
|
adamc@219
|
657 (** The base case is discharged automatically, and the inductive case looks like this, where [H] is the outer IH (for induction over [T] values) and [IHn] is the inner IH (for induction over the recursive arguments).
|
adamc@219
|
658 [[
|
adamc@219
|
659 H : forall i : fin (S n),
|
adamc@219
|
660 fx T
|
adamc@219
|
661 (hmap
|
adamc@219
|
662 (fun (x : constructor) (c : constructorDenote T x)
|
adamc@219
|
663 (x0 : nonrecursive x) (r : ilist T (recursive x)) =>
|
adamc@219
|
664 c x0 r) dd)
|
adamc@219
|
665 (match i in (fin n') return ((fin (pred n') -> T) -> T) with
|
adamc@219
|
666 | First n => fun _ : fin n -> T => a
|
adamc@219
|
667 | Next n idx' => fun get_ls' : fin n -> T => get_ls' idx'
|
adamc@219
|
668 end (get r)) =
|
adamc@219
|
669 match i in (fin n') return ((fin (pred n') -> T) -> T) with
|
adamc@219
|
670 | First n => fun _ : fin n -> T => a
|
adamc@219
|
671 | Next n idx' => fun get_ls' : fin n -> T => get_ls' idx'
|
adamc@219
|
672 end (get r)
|
adamc@219
|
673 IHr : (forall i : fin n,
|
adamc@219
|
674 fx T
|
adamc@219
|
675 (hmap
|
adamc@219
|
676 (fun (x : constructor) (c : constructorDenote T x)
|
adamc@219
|
677 (x0 : nonrecursive x) (r : ilist T (recursive x)) =>
|
adamc@219
|
678 c x0 r) dd) (get r i) = get r i) ->
|
adamc@219
|
679 imap
|
adamc@219
|
680 (fx T
|
adamc@219
|
681 (hmap
|
adamc@219
|
682 (fun (x : constructor) (c : constructorDenote T x)
|
adamc@219
|
683 (x0 : nonrecursive x) (r : ilist T (recursive x)) =>
|
adamc@219
|
684 c x0 r) dd)) r = r
|
adamc@219
|
685 ============================
|
adamc@219
|
686 ICons
|
adamc@219
|
687 (fx T
|
adamc@219
|
688 (hmap
|
adamc@219
|
689 (fun (x0 : constructor) (c0 : constructorDenote T x0)
|
adamc@219
|
690 (x1 : nonrecursive x0) (r0 : ilist T (recursive x0)) =>
|
adamc@219
|
691 c0 x1 r0) dd) a)
|
adamc@219
|
692 (imap
|
adamc@219
|
693 (fx T
|
adamc@219
|
694 (hmap
|
adamc@219
|
695 (fun (x0 : constructor) (c0 : constructorDenote T x0)
|
adamc@219
|
696 (x1 : nonrecursive x0) (r0 : ilist T (recursive x0)) =>
|
adamc@219
|
697 c0 x1 r0) dd)) r) = ICons a r
|
adamc@219
|
698 ]]
|
adamc@219
|
699
|
adamc@219
|
700 We see another opportunity to apply [f_equal], this time to split our goal into two different equalities over corresponding arguments. After that, the form of the first goal matches our outer induction hypothesis [H], when we give type inference some help by specifying the right quantifier instantiation. *)
|
adamc@219
|
701
|
adamc@219
|
702 f_equal.
|
adamc@219
|
703 apply (H First).
|
adam@358
|
704 (** %\vspace{-.15in}%[[
|
adamc@219
|
705 ============================
|
adamc@219
|
706 imap
|
adamc@219
|
707 (fx T
|
adamc@219
|
708 (hmap
|
adamc@219
|
709 (fun (x0 : constructor) (c0 : constructorDenote T x0)
|
adamc@219
|
710 (x1 : nonrecursive x0) (r0 : ilist T (recursive x0)) =>
|
adamc@219
|
711 c0 x1 r0) dd)) r = r
|
adamc@219
|
712 ]]
|
adamc@219
|
713
|
adamc@219
|
714 Now the goal matches the inner IH [IHr]. *)
|
adamc@219
|
715
|
adamc@219
|
716 apply IHr; crush.
|
adam@358
|
717 (** %\vspace{-.15in}%[[
|
adamc@219
|
718 i : fin n
|
adamc@219
|
719 ============================
|
adamc@219
|
720 fx T
|
adamc@219
|
721 (hmap
|
adamc@219
|
722 (fun (x0 : constructor) (c0 : constructorDenote T x0)
|
adamc@219
|
723 (x1 : nonrecursive x0) (r0 : ilist T (recursive x0)) =>
|
adamc@219
|
724 c0 x1 r0) dd) (get r i) = get r i
|
adamc@219
|
725 ]]
|
adamc@219
|
726
|
adamc@219
|
727 We can finish the proof by applying the outer IH again, specialized to a different [fin] value. *)
|
adamc@219
|
728
|
adamc@216
|
729 apply (H (Next i)).
|
adamc@197
|
730 Qed.
|
adamc@198
|
731 (* end thide *)
|
adam@358
|
732
|
adam@358
|
733 (** The proof involves complex subgoals, but, still, few steps are required, and then we may reuse our work across a variety of datatypes. *)
|