Certified Programming with Dependent Types: src/Equality.v annotate

annotate src/Equality.v @ 121:61e5622b1195

Interconvertibility

author	Adam Chlipala <adamc@hcoop.net>
date	Sat, 18 Oct 2008 14:55:52 -0400
parents	39c7894b3f7f
children	7cbf0376702f

rev	line source
adamc@118	1 (* Copyright (c) 2008, Adam Chlipala
adamc@118	2 *
adamc@118	3 * This work is licensed under a
adamc@118	4 * Creative Commons Attribution-Noncommercial-No Derivative Works 3.0
adamc@118	5 * Unported License.
adamc@118	6 * The license text is available at:
adamc@118	7 * http://creativecommons.org/licenses/by-nc-nd/3.0/
adamc@118	8 *)
adamc@118	9
adamc@118	10 (* begin hide *)
adamc@120	11 Require Import Eqdep JMeq List.
adamc@118	12
adamc@118	13 Require Import Tactics.
adamc@118	14
adamc@118	15 Set Implicit Arguments.
adamc@118	16 (* end hide *)
adamc@118	17
adamc@118	18
adamc@118	19 (** %\chapter{Reasoning About Equality Proofs}% *)
adamc@118	20
adamc@118	21 (** In traditional mathematics, the concept of equality is usually taken as a given. On the other hand, in type theory, equality is a very contentious subject. There are at least three different notions of equality that are important, and researchers are actively investigating new definitions of what it means for two terms to be equal. Even once we fix a notion of equality, there are inevitably tricky issues that arise in proving properties of programs that manipulate equality proofs explicitly. In this chapter, we will focus on design patterns for circumventing these tricky issues, and we will introduce the different notions of equality as they are germane. *)
adamc@118	22
adamc@118	23
adamc@118	24 (** * Heterogeneous Lists Revisited *)
adamc@118	25
adamc@118	26 (** One of our example dependent data structures from the last chapter was heterogeneous lists and their associated "cursor" type. *)
adamc@118	27
adamc@118	28 Section fhlist.
adamc@118	29 Variable A : Type.
adamc@118	30 Variable B : A -> Type.
adamc@118	31
adamc@118	32 Fixpoint fhlist (ls : list A) : Type :=
adamc@118	33 match ls with
adamc@118	34 \| nil => unit
adamc@118	35 \| x :: ls' => B x * fhlist ls'
adamc@118	36 end%type.
adamc@118	37
adamc@118	38 Variable elm : A.
adamc@118	39
adamc@118	40 Fixpoint fmember (ls : list A) : Type :=
adamc@118	41 match ls with
adamc@118	42 \| nil => Empty_set
adamc@118	43 \| x :: ls' => (x = elm) + fmember ls'
adamc@118	44 end%type.
adamc@118	45
adamc@118	46 Fixpoint fhget (ls : list A) : fhlist ls -> fmember ls -> B elm :=
adamc@118	47 match ls return fhlist ls -> fmember ls -> B elm with
adamc@118	48 \| nil => fun _ idx => match idx with end
adamc@118	49 \| _ :: ls' => fun mls idx =>
adamc@118	50 match idx with
adamc@118	51 \| inl pf => match pf with
adamc@118	52 \| refl_equal => fst mls
adamc@118	53 end
adamc@118	54 \| inr idx' => fhget ls' (snd mls) idx'
adamc@118	55 end
adamc@118	56 end.
adamc@118	57 End fhlist.
adamc@118	58
adamc@118	59 Implicit Arguments fhget [A B elm ls].
adamc@118	60
adamc@118	61 (** We can define a [map]-like function for [fhlist]s. *)
adamc@118	62
adamc@118	63 Section fhlist_map.
adamc@118	64 Variables A : Type.
adamc@118	65 Variables B C : A -> Type.
adamc@118	66 Variable f : forall x, B x -> C x.
adamc@118	67
adamc@118	68 Fixpoint fhmap (ls : list A) : fhlist B ls -> fhlist C ls :=
adamc@118	69 match ls return fhlist B ls -> fhlist C ls with
adamc@118	70 \| nil => fun _ => tt
adamc@118	71 \| _ :: _ => fun hls => (f (fst hls), fhmap _ (snd hls))
adamc@118	72 end.
adamc@118	73
adamc@118	74 Implicit Arguments fhmap [ls].
adamc@118	75
adamc@118	76 (** For the inductive versions of the [ilist] definitions, we proved a lemma about the interaction of [get] and [imap]. It was a strategic choice not to attempt such a proof for the definitions that we just gave, because that sets us on a collision course with the problems that are the subject of this chapter. *)
adamc@118	77
adamc@118	78 Variable elm : A.
adamc@118	79
adamc@118	80 Theorem get_imap : forall ls (mem : fmember elm ls) (hls : fhlist B ls),
adamc@118	81 fhget (fhmap hls) mem = f (fhget hls mem).
adamc@118	82 induction ls; crush.
adamc@118	83
adamc@118	84 (** Part of our single remaining subgoal is:
adamc@118	85
adamc@118	86 [[
adamc@118	87
adamc@118	88 a0 : a = elm
adamc@118	89 ============================
adamc@118	90 match a0 in (_ = a2) return (C a2) with
adamc@118	91 \| refl_equal => f a1
adamc@118	92 end = f match a0 in (_ = a2) return (B a2) with
adamc@118	93 \| refl_equal => a1
adamc@118	94 end
adamc@118	95 ]]
adamc@118	96
adamc@118	97 This seems like a trivial enough obligation. The equality proof [a0] must be [refl_equal], since that is the only constructor of [eq]. Therefore, both the [match]es reduce to the point where the conclusion follows by reflexivity.
adamc@118	98
adamc@118	99 [[
adamc@118	100
adamc@118	101 destruct a0.
adamc@118	102
adamc@118	103 [[
adamc@118	104 User error: Cannot solve a second-order unification problem
adamc@118	105 ]]
adamc@118	106
adamc@118	107 This is one of Coq's standard error messages for informing us that its heuristics for attempting an instance of an undecidable problem about dependent typing have failed. We might try to nudge things in the right direction by stating the lemma that we believe makes the conclusion trivial.
adamc@118	108
adamc@118	109 [[
adamc@118	110
adamc@118	111 assert (a0 = refl_equal _).
adamc@118	112
adamc@118	113 [[
adamc@118	114 The term "refl_equal ?98" has type "?98 = ?98"
adamc@118	115 while it is expected to have type "a = elm"
adamc@118	116 ]]
adamc@118	117
adamc@118	118 In retrospect, the problem is not so hard to see. Reflexivity proofs only show [x = x] for particular values of [x], whereas here we are thinking in terms of a proof of [a = elm], where the two sides of the equality are not equal syntactically. Thus, the essential lemma we need does not even type-check!
adamc@118	119
adamc@118	120 Is it time to throw in the towel? Luckily, the answer is "no." In this chapter, we will see several useful patterns for proving obligations like this.
adamc@118	121
adamc@118	122 For this particular example, the solution is surprisingly straightforward. [destruct] has a simpler sibling [case] which should behave identically for any inductive type with one constructor of no arguments. *)
adamc@118	123
adamc@118	124 case a0.
adamc@118	125 (** [[
adamc@118	126
adamc@118	127 ============================
adamc@118	128 f a1 = f a1
adamc@118	129 ]]
adamc@118	130
adamc@118	131 It seems that [destruct] was trying to be too smart for its own good. *)
adamc@118	132
adamc@118	133 reflexivity.
adamc@118	134 Qed.
adamc@118	135
adamc@118	136 (** It will be helpful to examine the proof terms generated by this sort of strategy. A simpler example illustrates what is going on. *)
adamc@118	137
adamc@118	138 Lemma lemma1 : forall x (pf : x = elm), O = match pf with refl_equal => O end.
adamc@118	139 simple destruct pf; reflexivity.
adamc@118	140 Qed.
adamc@118	141
adamc@118	142 (** [simple destruct pf] is a convenient form for applying [case]. It runs [intro] to bring into scope all quantified variables up to its argument. *)
adamc@118	143
adamc@118	144 Print lemma1.
adamc@118	145
adamc@118	146 (** [[
adamc@118	147
adamc@118	148 lemma1 =
adamc@118	149 fun (x : A) (pf : x = elm) =>
adamc@118	150 match pf as e in (_ = y) return (0 = match e with
adamc@118	151 \| refl_equal => 0
adamc@118	152 end) with
adamc@118	153 \| refl_equal => refl_equal 0
adamc@118	154 end
adamc@118	155 : forall (x : A) (pf : x = elm), 0 = match pf with
adamc@118	156 \| refl_equal => 0
adamc@118	157 end
adamc@118	158 ]]
adamc@118	159
adamc@118	160 Using what we know about shorthands for [match] annotations, we can write this proof in shorter form manually. *)
adamc@118	161
adamc@118	162 Definition lemma1' :=
adamc@118	163 fun (x : A) (pf : x = elm) =>
adamc@118	164 match pf return (0 = match pf with
adamc@118	165 \| refl_equal => 0
adamc@118	166 end) with
adamc@118	167 \| refl_equal => refl_equal 0
adamc@118	168 end.
adamc@118	169
adamc@118	170 (** Surprisingly, what seems at first like a %\textit{%#<i>#simpler#</i>#%}% lemma is harder to prove. *)
adamc@118	171
adamc@118	172 Lemma lemma2 : forall (x : A) (pf : x = x), O = match pf with refl_equal => O end.
adamc@118	173 (** [[
adamc@118	174
adamc@118	175 simple destruct pf.
adamc@118	176
adamc@118	177 [[
adamc@118	178
adamc@118	179 User error: Cannot solve a second-order unification problem
adamc@118	180 ]] *)
adamc@118	181 Abort.
adamc@118	182
adamc@118	183 (** Nonetheless, we can adapt the last manual proof to handle this theorem. *)
adamc@118	184
adamc@118	185 Definition lemma2' :=
adamc@118	186 fun (x : A) (pf : x = x) =>
adamc@118	187 match pf return (0 = match pf with
adamc@118	188 \| refl_equal => 0
adamc@118	189 end) with
adamc@118	190 \| refl_equal => refl_equal 0
adamc@118	191 end.
adamc@118	192
adamc@118	193 (** We can try to prove a lemma that would simplify proofs of many facts like [lemma2]: *)
adamc@118	194
adamc@118	195 Lemma lemma3 : forall (x : A) (pf : x = x), pf = refl_equal x.
adamc@118	196 (** [[
adamc@118	197
adamc@118	198 simple destruct pf.
adamc@118	199
adamc@118	200 [[
adamc@118	201
adamc@118	202 User error: Cannot solve a second-order unification problem
adamc@118	203 ]] *)
adamc@118	204 Abort.
adamc@118	205
adamc@118	206 (** This time, even our manual attempt fails.
adamc@118	207
adamc@118	208 [[
adamc@118	209
adamc@118	210 Definition lemma3' :=
adamc@118	211 fun (x : A) (pf : x = x) =>
adamc@118	212 match pf as pf' in (_ = x') return (pf' = refl_equal x') with
adamc@118	213 \| refl_equal => refl_equal _
adamc@118	214 end.
adamc@118	215
adamc@118	216 [[
adamc@118	217
adamc@118	218 The term "refl_equal x'" has type "x' = x'" while it is expected to have type
adamc@118	219 "x = x'"
adamc@118	220 ]]
adamc@118	221
adamc@118	222 The type error comes from our [return] annotation. In that annotation, the [as]-bound variable [pf'] has type [x = x'], refering to the [in]-bound variable [x']. To do a dependent [match], we %\textit{%#<i>#must#</i>#%}% choose a fresh name for the second argument of [eq]. We are just as constrained to use the "real" value [x] for the first argument. Thus, within the [return] clause, the proof we are matching on %\textit{%#<i>#must#</i>#%}% equate two non-matching terms, which makes it impossible to equate that proof with reflexivity.
adamc@118	223
adamc@118	224 Nonetheless, it turns out that, with one catch, we %\textit{%#<i>#can#</i>#%}% prove this lemma. *)
adamc@118	225
adamc@118	226 Lemma lemma3 : forall (x : A) (pf : x = x), pf = refl_equal x.
adamc@118	227 intros; apply UIP_refl.
adamc@118	228 Qed.
adamc@118	229
adamc@118	230 Check UIP_refl.
adamc@118	231 (** [[
adamc@118	232
adamc@118	233 UIP_refl
adamc@118	234 : forall (U : Type) (x : U) (p : x = x), p = refl_equal x
adamc@118	235 ]]
adamc@118	236
adamc@118	237 [UIP_refl] comes from the [Eqdep] module of the standard library. Do the Coq authors know of some clever trick for building such proofs that we have not seen yet? If they do, they did not use it for this proof. Rather, the proof is based on an %\textit{%#<i>#axiom#</i>#%}%. *)
adamc@118	238
adamc@118	239 Print eq_rect_eq.
adamc@118	240 (** [[
adamc@118	241
adamc@118	242 eq_rect_eq =
adamc@118	243 fun U : Type => Eq_rect_eq.eq_rect_eq U
adamc@118	244 : forall (U : Type) (p : U) (Q : U -> Type) (x : Q p) (h : p = p),
adamc@118	245 x = eq_rect p Q x p h
adamc@118	246 ]]
adamc@118	247
adamc@118	248 [eq_rect_eq] states a "fact" that seems like common sense, once the notation is deciphered. [eq_rect] is the automatically-generated recursion principle for [eq]. Calling [eq_rect] is another way of [match]ing on an equality proof. The proof we match on is the argument [h], and [x] is the body of the [match]. [eq_rect_eq] just says that [match]es on proofs of [p = p], for any [p], are superfluous and may be removed.
adamc@118	249
adamc@118	250 Perhaps surprisingly, we cannot prove [eq_rect_eq] from within Coq. This proposition is introduced as an axiom; that is, a proposition asserted as true without proof. We cannot assert just any statement without proof. Adding [False] as an axiom would allow us to prove any proposition, for instance, defeating the point of using a proof assistant. In general, we need to be sure that we never assert %\textit{%#<i>#inconsistent#</i>#%}% sets of axioms. A set of axioms is inconsistent if its conjunction implies [False]. For the case of [eq_rect_eq], consistency has been verified outside of Coq via "informal" metatheory.
adamc@118	251
adamc@118	252 This axiom is equivalent to another that is more commonly known and mentioned in type theory circles. *)
adamc@118	253
adamc@118	254 Print Streicher_K.
adamc@118	255 (** [[
adamc@118	256
adamc@118	257 Streicher_K =
adamc@118	258 fun U : Type => UIP_refl__Streicher_K U (UIP_refl U)
adamc@118	259 : forall (U : Type) (x : U) (P : x = x -> Prop),
adamc@118	260 P (refl_equal x) -> forall p : x = x, P p
adamc@118	261 ]]
adamc@118	262
adamc@118	263 This is the unfortunately-named "Streicher's axiom K," which says that a predicate on properly-typed equality proofs holds of all such proofs if it holds of reflexivity. *)
adamc@118	264
adamc@118	265 End fhlist_map.
adamc@118	266
adamc@119	267
adamc@119	268 (** * Type-Casts in Theorem Statements *)
adamc@119	269
adamc@119	270 (** Sometimes we need to use tricks with equality just to state the theorems that we care about. To illustrate, we start by defining a concatenation function for [fhlist]s. *)
adamc@119	271
adamc@119	272 Section fhapp.
adamc@119	273 Variable A : Type.
adamc@119	274 Variable B : A -> Type.
adamc@119	275
adamc@119	276 Fixpoint fhapp (ls1 ls2 : list A) {struct ls1}
adamc@119	277 : fhlist B ls1 -> fhlist B ls2 -> fhlist B (ls1 ++ ls2) :=
adamc@119	278 match ls1 return fhlist _ ls1 -> _ -> fhlist _ (ls1 ++ ls2) with
adamc@119	279 \| nil => fun _ hls2 => hls2
adamc@119	280 \| _ :: _ => fun hls1 hls2 => (fst hls1, fhapp _ _ (snd hls1) hls2)
adamc@119	281 end.
adamc@119	282
adamc@119	283 Implicit Arguments fhapp [ls1 ls2].
adamc@119	284
adamc@119	285 (** We might like to prove that [fhapp] is associative.
adamc@119	286
adamc@119	287 [[
adamc@119	288
adamc@119	289 Theorem fhapp_ass : forall ls1 ls2 ls3
adamc@119	290 (hls1 : fhlist B ls1) (hls2 : fhlist B ls2) (hls3 : fhlist B ls3),
adamc@119	291 fhapp hls1 (fhapp hls2 hls3) = fhapp (fhapp hls1 hls2) hls3.
adamc@119	292
adamc@119	293 [[
adamc@119	294
adamc@119	295 The term
adamc@119	296 "fhapp (ls1:=ls1 ++ ls2) (ls2:=ls3) (fhapp (ls1:=ls1) (ls2:=ls2) hls1 hls2)
adamc@119	297 hls3" has type "fhlist B ((ls1 ++ ls2) ++ ls3)"
adamc@119	298 while it is expected to have type "fhlist B (ls1 ++ ls2 ++ ls3)"
adamc@119	299 ]]
adamc@119	300
adamc@119	301 This first cut at the theorem statement does not even type-check. We know that the two [fhlist] types appearing in the error message are always equal, by associativity of normal list append, but this fact is not apparent to the type checker. This stems from the fact that Coq's equality is %\textit{%#<i>#intensional#</i>#%}%, in the sense that type equality theorems can never be applied after the fact to get a term to type-check. Instead, we need to make use of equality explicitly in the theorem statement. *)
adamc@119	302
adamc@119	303 Theorem fhapp_ass : forall ls1 ls2 ls3
adamc@119	304 (pf : (ls1 ++ ls2) ++ ls3 = ls1 ++ (ls2 ++ ls3))
adamc@119	305 (hls1 : fhlist B ls1) (hls2 : fhlist B ls2) (hls3 : fhlist B ls3),
adamc@119	306 fhapp hls1 (fhapp hls2 hls3)
adamc@119	307 = match pf in (_ = ls) return fhlist _ ls with
adamc@119	308 \| refl_equal => fhapp (fhapp hls1 hls2) hls3
adamc@119	309 end.
adamc@119	310 induction ls1; crush.
adamc@119	311
adamc@119	312 (** The first remaining subgoal looks trivial enough:
adamc@119	313
adamc@119	314 [[
adamc@119	315
adamc@119	316 ============================
adamc@119	317 fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3 =
adamc@119	318 match pf in (_ = ls) return (fhlist B ls) with
adamc@119	319 \| refl_equal => fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3
adamc@119	320 end
adamc@119	321 ]]
adamc@119	322
adamc@119	323 We can try what worked in previous examples.
adamc@119	324
adamc@119	325 [[
adamc@119	326 case pf.
adamc@119	327
adamc@119	328 [[
adamc@119	329
adamc@119	330 User error: Cannot solve a second-order unification problem
adamc@119	331 ]]
adamc@119	332
adamc@119	333 It seems we have reached another case where it is unclear how to use a dependent [match] to implement case analysis on our proof. The [UIP_refl] theorem can come to our rescue again. *)
adamc@119	334
adamc@119	335 rewrite (UIP_refl _ _ pf).
adamc@119	336 (** [[
adamc@119	337
adamc@119	338 ============================
adamc@119	339 fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3 =
adamc@119	340 fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3
adamc@119	341 ]] *)
adamc@119	342
adamc@119	343 reflexivity.
adamc@119	344
adamc@119	345 (** Our second subgoal is trickier.
adamc@119	346
adamc@119	347 [[
adamc@119	348
adamc@119	349 pf : a :: (ls1 ++ ls2) ++ ls3 = a :: ls1 ++ ls2 ++ ls3
adamc@119	350 ============================
adamc@119	351 (a0,
adamc@119	352 fhapp (ls1:=ls1) (ls2:=ls2 ++ ls3) b
adamc@119	353 (fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3)) =
adamc@119	354 match pf in (_ = ls) return (fhlist B ls) with
adamc@119	355 \| refl_equal =>
adamc@119	356 (a0,
adamc@119	357 fhapp (ls1:=ls1 ++ ls2) (ls2:=ls3)
adamc@119	358 (fhapp (ls1:=ls1) (ls2:=ls2) b hls2) hls3)
adamc@119	359 end
adamc@119	360 ]]
adamc@119	361
adamc@119	362
adamc@119	363 [[
adamc@119	364
adamc@119	365 rewrite (UIP_refl _ _ pf).
adamc@119	366
adamc@119	367 [[
adamc@119	368 The term "pf" has type "a :: (ls1 ++ ls2) ++ ls3 = a :: ls1 ++ ls2 ++ ls3"
adamc@119	369 while it is expected to have type "?556 = ?556"
adamc@119	370 ]]
adamc@119	371
adamc@119	372 We can only apply [UIP_refl] on proofs of equality with syntactically equal operands, which is not the case of [pf] here. We will need to manipulate the form of this subgoal to get us to a point where we may use [UIP_refl]. A first step is obtaining a proof suitable to use in applying the induction hypothesis. Inversion on the structure of [pf] is sufficient for that. *)
adamc@119	373
adamc@119	374 injection pf; intro pf'.
adamc@119	375 (** [[
adamc@119	376
adamc@119	377 pf : a :: (ls1 ++ ls2) ++ ls3 = a :: ls1 ++ ls2 ++ ls3
adamc@119	378 pf' : (ls1 ++ ls2) ++ ls3 = ls1 ++ ls2 ++ ls3
adamc@119	379 ============================
adamc@119	380 (a0,
adamc@119	381 fhapp (ls1:=ls1) (ls2:=ls2 ++ ls3) b
adamc@119	382 (fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3)) =
adamc@119	383 match pf in (_ = ls) return (fhlist B ls) with
adamc@119	384 \| refl_equal =>
adamc@119	385 (a0,
adamc@119	386 fhapp (ls1:=ls1 ++ ls2) (ls2:=ls3)
adamc@119	387 (fhapp (ls1:=ls1) (ls2:=ls2) b hls2) hls3)
adamc@119	388 end
adamc@119	389 ]]
adamc@119	390
adamc@119	391 Now we can rewrite using the inductive hypothesis. *)
adamc@119	392
adamc@119	393 rewrite (IHls1 _ _ pf').
adamc@119	394 (** [[
adamc@119	395
adamc@119	396 ============================
adamc@119	397 (a0,
adamc@119	398 match pf' in (_ = ls) return (fhlist B ls) with
adamc@119	399 \| refl_equal =>
adamc@119	400 fhapp (ls1:=ls1 ++ ls2) (ls2:=ls3)
adamc@119	401 (fhapp (ls1:=ls1) (ls2:=ls2) b hls2) hls3
adamc@119	402 end) =
adamc@119	403 match pf in (_ = ls) return (fhlist B ls) with
adamc@119	404 \| refl_equal =>
adamc@119	405 (a0,
adamc@119	406 fhapp (ls1:=ls1 ++ ls2) (ls2:=ls3)
adamc@119	407 (fhapp (ls1:=ls1) (ls2:=ls2) b hls2) hls3)
adamc@119	408 end
adamc@119	409 ]]
adamc@119	410
adamc@119	411 We have made an important bit of progress, as now only a single call to [fhapp] appears in the conclusion. Trying case analysis on our proofs still will not work, but there is a move we can make to enable it. Not only does just one call to [fhapp] matter to us now, but it also %\textit{%#<i>#does not matter what the result of the call is#</i>#%}%. In other words, the subgoal should remain true if we replace this [fhapp] call with a fresh variable. The [generalize] tactic helps us do exactly that. *)
adamc@119	412
adamc@119	413 generalize (fhapp (fhapp b hls2) hls3).
adamc@119	414 (** [[
adamc@119	415
adamc@119	416 forall f : fhlist B ((ls1 ++ ls2) ++ ls3),
adamc@119	417 (a0,
adamc@119	418 match pf' in (_ = ls) return (fhlist B ls) with
adamc@119	419 \| refl_equal => f
adamc@119	420 end) =
adamc@119	421 match pf in (_ = ls) return (fhlist B ls) with
adamc@119	422 \| refl_equal => (a0, f)
adamc@119	423 end
adamc@119	424 ]]
adamc@119	425
adamc@119	426 The conclusion has gotten markedly simpler. It seems counterintuitive that we can have an easier time of proving a more general theorem, but that is exactly the case here and for many other proofs that use dependent types heavily. Speaking informally, the reason why this kind of activity helps is that [match] annotations only support variables in certain positions. By reducing more elements of a goal to variables, built-in tactics can have more success building [match] terms under the hood.
adamc@119	427
adamc@119	428 In this case, it is helpful to generalize over our two proofs as well. *)
adamc@119	429
adamc@119	430 generalize pf pf'.
adamc@119	431 (** [[
adamc@119	432
adamc@119	433 forall (pf0 : a :: (ls1 ++ ls2) ++ ls3 = a :: ls1 ++ ls2 ++ ls3)
adamc@119	434 (pf'0 : (ls1 ++ ls2) ++ ls3 = ls1 ++ ls2 ++ ls3)
adamc@119	435 (f : fhlist B ((ls1 ++ ls2) ++ ls3)),
adamc@119	436 (a0,
adamc@119	437 match pf'0 in (_ = ls) return (fhlist B ls) with
adamc@119	438 \| refl_equal => f
adamc@119	439 end) =
adamc@119	440 match pf0 in (_ = ls) return (fhlist B ls) with
adamc@119	441 \| refl_equal => (a0, f)
adamc@119	442 end
adamc@119	443 ]]
adamc@119	444
adamc@119	445 To an experienced dependent types hacker, the appearance of this goal term calls for a celebration. The formula has a critical property that indicates that our problems are over. To get our proofs into the right form to apply [UIP_refl], we need to use associativity of list append to rewrite their types. We could not do that before because other parts of the goal require the proofs to retain their original types. In particular, the call to [fhapp] that we generalized must have type [(ls1 ++ ls2) ++ ls3], for some values of the list variables. If we rewrite the type of the proof used to type-cast this value to something like [ls1 ++ ls2 ++ ls3 = ls1 ++ ls2 ++ ls3], then the lefthand side of the equality would no longer match the type of the term we are trying to cast.
adamc@119	446
adamc@119	447 However, now that we have generalized over the [fhapp] call, the type of the term being type-cast appears explicitly in the goal and %\textit{%#<i>#may be rewritten as well#</i>#%}%. In particular, the final masterstroke is rewriting everywhere in our goal using associativity of list append. *)
adamc@119	448
adamc@119	449 rewrite app_ass.
adamc@119	450 (** [[
adamc@119	451
adamc@119	452 ============================
adamc@119	453 forall (pf0 : a :: ls1 ++ ls2 ++ ls3 = a :: ls1 ++ ls2 ++ ls3)
adamc@119	454 (pf'0 : ls1 ++ ls2 ++ ls3 = ls1 ++ ls2 ++ ls3)
adamc@119	455 (f : fhlist B (ls1 ++ ls2 ++ ls3)),
adamc@119	456 (a0,
adamc@119	457 match pf'0 in (_ = ls) return (fhlist B ls) with
adamc@119	458 \| refl_equal => f
adamc@119	459 end) =
adamc@119	460 match pf0 in (_ = ls) return (fhlist B ls) with
adamc@119	461 \| refl_equal => (a0, f)
adamc@119	462 end
adamc@119	463 ]]
adamc@119	464
adamc@119	465 We can see that we have achieved the crucial property: the type of each generalized equality proof has syntactically equal operands. This makes it easy to finish the proof with [UIP_refl]. *)
adamc@119	466
adamc@119	467 intros.
adamc@119	468 rewrite (UIP_refl _ _ pf0).
adamc@119	469 rewrite (UIP_refl _ _ pf'0).
adamc@119	470 reflexivity.
adamc@119	471 Qed.
adamc@119	472 End fhapp.
adamc@120	473
adamc@120	474 Implicit Arguments fhapp [A B ls1 ls2].
adamc@120	475
adamc@120	476
adamc@120	477 (** * Heterogeneous Equality *)
adamc@120	478
adamc@120	479 (** There is another equality predicate, defined in the [JMeq] module of the standard library, implementing %\textit{%#<i>#heterogeneous equality#</i>#%}%. *)
adamc@120	480
adamc@120	481 Print JMeq.
adamc@120	482 (** [[
adamc@120	483
adamc@120	484 Inductive JMeq (A : Type) (x : A) : forall B : Type, B -> Prop :=
adamc@120	485 JMeq_refl : JMeq x x
adamc@120	486 ]]
adamc@120	487
adamc@120	488 [JMeq] stands for "John Major equality," a name coined by Conor McBride as a sort of pun about British politics. [JMeq] starts out looking a lot like [eq]. The crucial difference is that we may use [JMeq] %\textit{%#<i>#on arguments of different types#</i>#%}%. For instance, a lemma that we failed to establish before is trivial with [JMeq]. It makes for prettier theorem statements to define some syntactic shorthand first. *)
adamc@120	489
adamc@120	490 Infix "==" := JMeq (at level 70, no associativity).
adamc@120	491
adamc@121	492 Definition UIP_refl' (A : Type) (x : A) (pf : x = x) : pf == refl_equal x :=
adamc@120	493 match pf return (pf == refl_equal _) with
adamc@120	494 \| refl_equal => JMeq_refl _
adamc@120	495 end.
adamc@120	496
adamc@120	497 (** There is no quick way to write such a proof by tactics, but the underlying proof term that we want is trivial.
adamc@120	498
adamc@121	499 Suppose that we want to use [UIP_refl'] to establish another lemma of the kind of we have run into several times so far. *)
adamc@120	500
adamc@120	501 Lemma lemma4 : forall (A : Type) (x : A) (pf : x = x),
adamc@120	502 O = match pf with refl_equal => O end.
adamc@121	503 intros; rewrite (UIP_refl' pf); reflexivity.
adamc@120	504 Qed.
adamc@120	505
adamc@120	506 (** All in all, refreshingly straightforward, but there really is no such thing as a free lunch. The use of [rewrite] is implemented in terms of an axiom: *)
adamc@120	507
adamc@120	508 Check JMeq_eq.
adamc@120	509 (** [[
adamc@120	510
adamc@120	511 JMeq_eq
adamc@120	512 : forall (A : Type) (x y : A), x == y -> x = y
adamc@120	513 ]] *)
adamc@120	514
adamc@120	515 (** It may be surprising that we cannot prove that heterogeneous equality implies normal equality. The difficulties are the same kind we have seen so far, based on limitations of [match] annotations.
adamc@120	516
adamc@120	517 We can redo our [fhapp] associativity proof based around [JMeq]. *)
adamc@120	518
adamc@120	519 Section fhapp'.
adamc@120	520 Variable A : Type.
adamc@120	521 Variable B : A -> Type.
adamc@120	522
adamc@120	523 (** This time, the naive theorem statement type-checks. *)
adamc@120	524
adamc@120	525 Theorem fhapp_ass' : forall ls1 ls2 ls3
adamc@120	526 (hls1 : fhlist B ls1) (hls2 : fhlist B ls2) (hls3 : fhlist B ls3),
adamc@120	527 fhapp hls1 (fhapp hls2 hls3) == fhapp (fhapp hls1 hls2) hls3.
adamc@120	528 induction ls1; crush.
adamc@120	529
adamc@120	530 (** Even better, [crush] discharges the first subgoal automatically. The second subgoal is:
adamc@120	531
adamc@120	532 [[
adamc@120	533
adamc@120	534 ============================
adamc@120	535 (a0,
adamc@120	536 fhapp (B:=B) (ls1:=ls1) (ls2:=ls2 ++ ls3) b
adamc@120	537 (fhapp (B:=B) (ls1:=ls2) (ls2:=ls3) hls2 hls3)) ==
adamc@120	538 (a0,
adamc@120	539 fhapp (B:=B) (ls1:=ls1 ++ ls2) (ls2:=ls3)
adamc@120	540 (fhapp (B:=B) (ls1:=ls1) (ls2:=ls2) b hls2) hls3)
adamc@120	541 ]]
adamc@120	542
adamc@120	543 It looks like one rewrite with the inductive hypothesis should be enough to make the goal trivial.
adamc@120	544
adamc@120	545 [[
adamc@120	546
adamc@120	547 rewrite IHls1.
adamc@120	548
adamc@120	549 [[
adamc@120	550
adamc@120	551 Error: Impossible to unify "fhlist B ((ls1 ++ ?1572) ++ ?1573)" with
adamc@120	552 "fhlist B (ls1 ++ ?1572 ++ ?1573)"
adamc@120	553 ]]
adamc@120	554
adamc@120	555 We see that [JMeq] is not a silver bullet. We can use it to simplify the statements of equality facts, but the Coq type-checker uses non-trivial heterogeneous equality facts no more readily than it uses standard equality facts. Here, the problem is that the form [(e1, e2)] is syntactic sugar for an explicit application of a constructor of an inductive type. That application mentions the type of each tuple element explicitly, and our [rewrite] tries to change one of those elements without updating the corresponding type argument.
adamc@120	556
adamc@120	557 We can get around this problem by another multiple use of [generalize]. We want to bring into the goal the proper instance of the inductive hypothesis, and we also want to generalize the two relevant uses of [fhapp]. *)
adamc@120	558
adamc@120	559 generalize (fhapp b (fhapp hls2 hls3))
adamc@120	560 (fhapp (fhapp b hls2) hls3)
adamc@120	561 (IHls1 _ _ b hls2 hls3).
adamc@120	562 (** [[
adamc@120	563
adamc@120	564 ============================
adamc@120	565 forall (f : fhlist B (ls1 ++ ls2 ++ ls3))
adamc@120	566 (f0 : fhlist B ((ls1 ++ ls2) ++ ls3)), f == f0 -> (a0, f) == (a0, f0)
adamc@120	567 ]]
adamc@120	568
adamc@120	569 Now we can rewrite with append associativity, as before. *)
adamc@120	570
adamc@120	571 rewrite app_ass.
adamc@120	572 (** [[
adamc@120	573
adamc@120	574 ============================
adamc@120	575 forall f f0 : fhlist B (ls1 ++ ls2 ++ ls3), f == f0 -> (a0, f) == (a0, f0)
adamc@120	576 ]]
adamc@120	577
adamc@120	578 From this point, the goal is trivial. *)
adamc@120	579
adamc@120	580 intros f f0 H; rewrite H; reflexivity.
adamc@120	581 Qed.
adamc@120	582 End fhapp'.
adamc@121	583
adamc@121	584
adamc@121	585 (** * Equivalence of Equality Axioms *)
adamc@121	586
adamc@121	587 (** Assuming axioms (like axiom K and [JMeq_eq]) is a hazardous business. The due diligence associated with it is necessarily global in scope, since two axioms may be consistent alone but inconsistent together. It turns out that all of the major axioms proposed for reasoning about equality in Coq are logically equivalent, so that we only need to pick one to assert without proof. In this section, we demonstrate this by showing how each the previous two sections' approaches reduces to the other logically.
adamc@121	588
adamc@121	589 To show that [JMeq] and its axiom let us prove [UIP_refl], we start from the lemma [UIP_refl'] from the previous section. The rest of the proof is trivial. *)
adamc@121	590
adamc@121	591 Lemma UIP_refl'' : forall (A : Type) (x : A) (pf : x = x), pf = refl_equal x.
adamc@121	592 intros; rewrite (UIP_refl' pf); reflexivity.
adamc@121	593 Qed.
adamc@121	594
adamc@121	595 (** The other direction is perhaps more interesting. Assume that we only have the axiom of the [Eqdep] module available. We can define [JMeq] in a way that satisfies the same interface as the combination of the [JMeq] module's inductive definition and axiom. *)
adamc@121	596
adamc@121	597 Definition JMeq' (A : Type) (x : A) (B : Type) (y : B) : Prop :=
adamc@121	598 exists pf : B = A, x = match pf with refl_equal => y end.
adamc@121	599
adamc@121	600 Infix "===" := JMeq' (at level 70, no associativity).
adamc@121	601
adamc@121	602 (** We say that, by definition, [x] and [y] are equal if and only if there exists a proof [pf] that their types are equal, such that [x] equals the result of casting [y] with [pf]. This statement can look strange from the standpoint of classical math, where we almost never mention proofs explicitly with quantifiers in formulas, but it is perfectly legal Coq code.
adamc@121	603
adamc@121	604 We can easily prove a theorem with the same type as that of the [JMeq_refl] constructor of [JMeq]. *)
adamc@121	605
adamc@121	606 (** remove printing exists *)
adamc@121	607 Theorem JMeq_refl' : forall (A : Type) (x : A), x === x.
adamc@121	608 intros; unfold JMeq'; exists (refl_equal A); reflexivity.
adamc@121	609 Qed.
adamc@121	610
adamc@121	611 (** printing exists $\exists$ *)
adamc@121	612
adamc@121	613 (** The proof of an analogue to [JMeq_eq] is a little more interesting, but most of the action is in appealing to [UIP_refl]. *)
adamc@121	614
adamc@121	615 Theorem JMeq_eq' : forall (A : Type) (x y : A),
adamc@121	616 x === y -> x = y.
adamc@121	617 unfold JMeq'; intros.
adamc@121	618 (** [[
adamc@121	619
adamc@121	620 H : exists pf : A = A,
adamc@121	621 x = match pf in (_ = T) return T with
adamc@121	622 \| refl_equal => y
adamc@121	623 end
adamc@121	624 ============================
adamc@121	625 x = y
adamc@121	626 ]] *)
adamc@121	627
adamc@121	628 destruct H.
adamc@121	629 (** [[
adamc@121	630
adamc@121	631 x0 : A = A
adamc@121	632 H : x = match x0 in (_ = T) return T with
adamc@121	633 \| refl_equal => y
adamc@121	634 end
adamc@121	635 ============================
adamc@121	636 x = y
adamc@121	637 ]] *)
adamc@121	638
adamc@121	639 rewrite H.
adamc@121	640 (** [[
adamc@121	641
adamc@121	642 x0 : A = A
adamc@121	643 ============================
adamc@121	644 match x0 in (_ = T) return T with
adamc@121	645 \| refl_equal => y
adamc@121	646 end = y
adamc@121	647 ]] *)
adamc@121	648
adamc@121	649 rewrite (UIP_refl _ _ x0); reflexivity.
adamc@121	650 Qed.
adamc@121	651
adamc@121	652 (** We see that, in a very formal sense, we are free to switch back and forth between the two styles of proofs about equality proofs. One style may be more convenient than the other for some proofs, but we can always intercovert between our results. The style that does not use heterogeneous equality may be preferable in cases where many results do not require the tricks of this chapter, since then the use of axioms is avoided altogether for the simple cases, and a wider audience will be able to follow those "simple" proofs. On the other hand, heterogeneous equality often makes for shorter and more readable theorem statements. *)

Mercurial > cpdt > repo

annotate src/Equality.v @ 121:61e5622b1195