Certified Programming with Dependent Types: src/DataStruct.v annotate

annotate src/DataStruct.v @ 214:768889c969e9

Finish porting MoreDep

author	Adam Chlipala <adamc@hcoop.net>
date	Wed, 11 Nov 2009 12:21:28 -0500
parents	f05514cc6c0d
children	f8bcd33bdd91

rev	line source
adamc@105	1 (* Copyright (c) 2008, Adam Chlipala
adamc@105	2 *
adamc@105	3 * This work is licensed under a
adamc@105	4 * Creative Commons Attribution-Noncommercial-No Derivative Works 3.0
adamc@105	5 * Unported License.
adamc@105	6 * The license text is available at:
adamc@105	7 * http://creativecommons.org/licenses/by-nc-nd/3.0/
adamc@105	8 *)
adamc@105	9
adamc@105	10 (* begin hide *)
adamc@111	11 Require Import Arith List.
adamc@105	12
adamc@105	13 Require Import Tactics.
adamc@105	14
adamc@105	15 Set Implicit Arguments.
adamc@105	16 (* end hide *)
adamc@105	17
adamc@105	18
adamc@105	19 (** %\chapter{Dependent Data Structures}% *)
adamc@105	20
adamc@106	21 (** Our red-black tree example from the last chapter illustrated how dependent types enable static enforcement of data structure invariants. To find interesting uses of dependent data structures, however, we need not look to the favorite examples of data structures and algorithms textbooks. More basic examples like length-indexed and heterogeneous lists come up again and again as the building blocks of dependent programs. There is a surprisingly large design space for this class of data structure, and we will spend this chapter exploring it. *)
adamc@105	22
adamc@105	23
adamc@106	24 (** * More Length-Indexed Lists *)
adamc@106	25
adamc@106	26 (** We begin with a deeper look at the length-indexed lists that began the last chapter. *)
adamc@105	27
adamc@105	28 Section ilist.
adamc@105	29 Variable A : Set.
adamc@105	30
adamc@105	31 Inductive ilist : nat -> Set :=
adamc@105	32 \| Nil : ilist O
adamc@105	33 \| Cons : forall n, A -> ilist n -> ilist (S n).
adamc@105	34
adamc@106	35 (** We might like to have a certified function for selecting an element of an [ilist] by position. We could do this using subset types and explicit manipulation of proofs, but dependent types let us do it more directly. It is helpful to define a type family [index], where [index n] is isomorphic to [{m : nat \| m < n}]. Such a type family is also often called [Fin] or similar, standing for "finite." *)
adamc@106	36
adamc@113	37 (* EX: Define a function [get] for extracting an [ilist] element by position. *)
adamc@113	38
adamc@113	39 (* begin thide *)
adamc@105	40 Inductive index : nat -> Set :=
adamc@105	41 \| First : forall n, index (S n)
adamc@105	42 \| Next : forall n, index n -> index (S n).
adamc@105	43
adamc@106	44 (** [index] essentially makes a more richly-typed copy of the natural numbers. Every element is a [First] iterated through applying [Next] a number of times that indicates which number is being selected.
adamc@106	45
adamc@106	46 Now it is easy to pick a [Prop]-free type for a selection function. As usual, our first implementation attempt will not convince the type checker, and we will attack the deficiencies one at a time.
adamc@106	47
adamc@106	48 [[
adamc@106	49 Fixpoint get n (ls : ilist n) {struct ls} : index n -> A :=
adamc@106	50 match ls in ilist n return index n -> A with
adamc@106	51 \| Nil => fun idx => ?
adamc@106	52 \| Cons _ x ls' => fun idx =>
adamc@106	53 match idx with
adamc@106	54 \| First _ => x
adamc@106	55 \| Next _ idx' => get ls' idx'
adamc@106	56 end
adamc@106	57 end.
adamc@106	58
adamc@205	59 ]]
adamc@205	60
adamc@106	61 We apply the usual wisdom of delaying arguments in [Fixpoint]s so that they may be included in [return] clauses. This still leaves us with a quandary in each of the [match] cases. First, we need to figure out how to take advantage of the contradiction in the [Nil] case. Every [index] has a type of the form [S n], which cannot unify with the [O] value that we learn for [n] in the [Nil] case. The solution we adopt is another case of [match]-within-[return].
adamc@106	62
adamc@106	63 [[
adamc@106	64 Fixpoint get n (ls : ilist n) {struct ls} : index n -> A :=
adamc@106	65 match ls in ilist n return index n -> A with
adamc@106	66 \| Nil => fun idx =>
adamc@106	67 match idx in index n' return (match n' with
adamc@106	68 \| O => A
adamc@106	69 \| S _ => unit
adamc@106	70 end) with
adamc@106	71 \| First _ => tt
adamc@106	72 \| Next _ _ => tt
adamc@106	73 end
adamc@106	74 \| Cons _ x ls' => fun idx =>
adamc@106	75 match idx with
adamc@106	76 \| First _ => x
adamc@106	77 \| Next _ idx' => get ls' idx'
adamc@106	78 end
adamc@106	79 end.
adamc@106	80
adamc@205	81 ]]
adamc@205	82
adamc@106	83 Now the first [match] case type-checks, and we see that the problem with the [Cons] case is that the pattern-bound variable [idx'] does not have an apparent type compatible with [ls']. We need to use [match] annotations to make the relationship explicit. Unfortunately, the usual trick of postponing argument binding will not help us here. We need to match on both [ls] and [idx]; one or the other must be matched first. To get around this, we apply a trick that we will call "the convoy pattern," introducing a new function and applying it immediately, to satisfy the type checker.
adamc@106	84
adamc@106	85 [[
adamc@106	86 Fixpoint get n (ls : ilist n) {struct ls} : index n -> A :=
adamc@106	87 match ls in ilist n return index n -> A with
adamc@106	88 \| Nil => fun idx =>
adamc@106	89 match idx in index n' return (match n' with
adamc@106	90 \| O => A
adamc@106	91 \| S _ => unit
adamc@106	92 end) with
adamc@106	93 \| First _ => tt
adamc@106	94 \| Next _ _ => tt
adamc@106	95 end
adamc@106	96 \| Cons _ x ls' => fun idx =>
adamc@106	97 match idx in index n' return ilist (pred n') -> A with
adamc@106	98 \| First _ => fun _ => x
adamc@106	99 \| Next _ idx' => fun ls' => get ls' idx'
adamc@106	100 end ls'
adamc@106	101 end.
adamc@106	102
adamc@205	103 ]]
adamc@205	104
adamc@106	105 There is just one problem left with this implementation. Though we know that the local [ls'] in the [Next] case is equal to the original [ls'], the type-checker is not satisfied that the recursive call to [get] does not introduce non-termination. We solve the problem by convoy-binding the partial application of [get] to [ls'], rather than [ls'] by itself. *)
adamc@106	106
adamc@105	107 Fixpoint get n (ls : ilist n) {struct ls} : index n -> A :=
adamc@105	108 match ls in ilist n return index n -> A with
adamc@105	109 \| Nil => fun idx =>
adamc@105	110 match idx in index n' return (match n' with
adamc@105	111 \| O => A
adamc@105	112 \| S _ => unit
adamc@105	113 end) with
adamc@105	114 \| First _ => tt
adamc@105	115 \| Next _ _ => tt
adamc@105	116 end
adamc@105	117 \| Cons _ x ls' => fun idx =>
adamc@105	118 match idx in index n' return (index (pred n') -> A) -> A with
adamc@105	119 \| First _ => fun _ => x
adamc@105	120 \| Next _ idx' => fun get_ls' => get_ls' idx'
adamc@105	121 end (get ls')
adamc@105	122 end.
adamc@113	123 (* end thide *)
adamc@105	124 End ilist.
adamc@105	125
adamc@105	126 Implicit Arguments Nil [A].
adamc@113	127 (* begin thide *)
adamc@108	128 Implicit Arguments First [n].
adamc@113	129 (* end thide *)
adamc@105	130
adamc@108	131 (** A few examples show how to make use of these definitions. *)
adamc@108	132
adamc@108	133 Check Cons 0 (Cons 1 (Cons 2 Nil)).
adamc@108	134 (** [[
adamc@108	135
adamc@108	136 Cons 0 (Cons 1 (Cons 2 Nil))
adamc@108	137 : ilist nat 3
adamc@108	138 ]] *)
adamc@113	139 (* begin thide *)
adamc@108	140 Eval simpl in get (Cons 0 (Cons 1 (Cons 2 Nil))) First.
adamc@108	141 (** [[
adamc@108	142
adamc@108	143 = 0
adamc@108	144 : nat
adamc@108	145 ]] *)
adamc@108	146 Eval simpl in get (Cons 0 (Cons 1 (Cons 2 Nil))) (Next First).
adamc@108	147 (** [[
adamc@108	148
adamc@108	149 = 1
adamc@108	150 : nat
adamc@108	151 ]] *)
adamc@108	152 Eval simpl in get (Cons 0 (Cons 1 (Cons 2 Nil))) (Next (Next First)).
adamc@108	153 (** [[
adamc@108	154
adamc@108	155 = 2
adamc@108	156 : nat
adamc@108	157 ]] *)
adamc@113	158 (* end thide *)
adamc@108	159
adamc@108	160 (** Our [get] function is also quite easy to reason about. We show how with a short example about an analogue to the list [map] function. *)
adamc@107	161
adamc@105	162 Section ilist_map.
adamc@105	163 Variables A B : Set.
adamc@105	164 Variable f : A -> B.
adamc@105	165
adamc@105	166 Fixpoint imap n (ls : ilist A n) {struct ls} : ilist B n :=
adamc@105	167 match ls in ilist _ n return ilist B n with
adamc@105	168 \| Nil => Nil
adamc@105	169 \| Cons _ x ls' => Cons (f x) (imap ls')
adamc@105	170 end.
adamc@105	171
adamc@107	172 (** It is easy to prove that [get] "distributes over" [imap] calls. The only tricky bit is remembering to use the [dep_destruct] tactic in place of plain [destruct] when faced with a baffling tactic error message. *)
adamc@107	173
adamc@107	174 Theorem get_imap : forall n (idx : index n) (ls : ilist A n),
adamc@105	175 get (imap ls) idx = f (get ls idx).
adamc@113	176 (* begin thide *)
adamc@107	177 induction ls; dep_destruct idx; crush.
adamc@105	178 Qed.
adamc@113	179 (* end thide *)
adamc@105	180 End ilist_map.
adamc@107	181
adamc@107	182
adamc@107	183 (** * Heterogeneous Lists *)
adamc@107	184
adamc@107	185 (** Programmers who move to statically-typed functional languages from "scripting languages" often complain about the requirement that every element of a list have the same type. With fancy type systems, we can partially lift this requirement. We can index a list type with a "type-level" list that explains what type each element of the list should have. This has been done in a variety of ways in Haskell using type classes, and it we can do it much more cleanly and directly in Coq. *)
adamc@107	186
adamc@107	187 Section hlist.
adamc@107	188 Variable A : Type.
adamc@107	189 Variable B : A -> Type.
adamc@107	190
adamc@113	191 (* EX: Define a type [hlist] indexed by a [list A], where the type of each element is determined by running [B] on the corresponding element of the index list. *)
adamc@113	192
adamc@107	193 (** We parameterize our heterogeneous lists by a type [A] and an [A]-indexed type [B]. *)
adamc@107	194
adamc@113	195 (* begin thide *)
adamc@107	196 Inductive hlist : list A -> Type :=
adamc@107	197 \| MNil : hlist nil
adamc@107	198 \| MCons : forall (x : A) (ls : list A), B x -> hlist ls -> hlist (x :: ls).
adamc@107	199
adamc@107	200 (** We can implement a variant of the last section's [get] function for [hlist]s. To get the dependent typing to work out, we will need to index our element selectors by the types of data that they point to. *)
adamc@107	201
adamc@113	202 (* end thide *)
adamc@113	203 (* EX: Define an analogue to [get] for [hlist]s. *)
adamc@113	204
adamc@113	205 (* begin thide *)
adamc@107	206 Variable elm : A.
adamc@107	207
adamc@107	208 Inductive member : list A -> Type :=
adamc@107	209 \| MFirst : forall ls, member (elm :: ls)
adamc@107	210 \| MNext : forall x ls, member ls -> member (x :: ls).
adamc@107	211
adamc@107	212 (** Because the element [elm] that we are "searching for" in a list does not change across the constructors of [member], we simplify our definitions by making [elm] a local variable. In the definition of [member], we say that [elm] is found in any list that begins with [elm], and, if removing the first element of a list leaves [elm] present, then [elm] is present in the original list, too. The form looks much like a predicate for list membership, but we purposely define [member] in [Type] so that we may decompose its values to guide computations.
adamc@107	213
adamc@107	214 We can use [member] to adapt our definition of [get] to [hlists]. The same basic [match] tricks apply. In the [MCons] case, we form a two-element convoy, passing both the data element [x] and the recursor for the sublist [mls'] to the result of the inner [match]. We did not need to do that in [get]'s definition because the types of list elements were not dependent there. *)
adamc@107	215
adamc@107	216 Fixpoint hget ls (mls : hlist ls) {struct mls} : member ls -> B elm :=
adamc@107	217 match mls in hlist ls return member ls -> B elm with
adamc@107	218 \| MNil => fun mem =>
adamc@107	219 match mem in member ls' return (match ls' with
adamc@107	220 \| nil => B elm
adamc@107	221 \| _ :: _ => unit
adamc@107	222 end) with
adamc@107	223 \| MFirst _ => tt
adamc@107	224 \| MNext _ _ _ => tt
adamc@107	225 end
adamc@107	226 \| MCons _ _ x mls' => fun mem =>
adamc@107	227 match mem in member ls' return (match ls' with
adamc@107	228 \| nil => Empty_set
adamc@107	229 \| x' :: ls'' =>
adamc@107	230 B x' -> (member ls'' -> B elm) -> B elm
adamc@107	231 end) with
adamc@107	232 \| MFirst _ => fun x _ => x
adamc@107	233 \| MNext _ _ mem' => fun _ get_mls' => get_mls' mem'
adamc@107	234 end x (hget mls')
adamc@107	235 end.
adamc@113	236 (* end thide *)
adamc@107	237 End hlist.
adamc@108	238
adamc@113	239 (* begin thide *)
adamc@108	240 Implicit Arguments MNil [A B].
adamc@108	241 Implicit Arguments MCons [A B x ls].
adamc@108	242
adamc@108	243 Implicit Arguments MFirst [A elm ls].
adamc@108	244 Implicit Arguments MNext [A elm x ls].
adamc@113	245 (* end thide *)
adamc@108	246
adamc@108	247 (** By putting the parameters [A] and [B] in [Type], we allow some very higher-order uses. For instance, one use of [hlist] is for the simple heterogeneous lists that we referred to earlier. *)
adamc@108	248
adamc@108	249 Definition someTypes : list Set := nat :: bool :: nil.
adamc@108	250
adamc@113	251 (* begin thide *)
adamc@113	252
adamc@108	253 Example someValues : hlist (fun T : Set => T) someTypes :=
adamc@108	254 MCons 5 (MCons true MNil).
adamc@108	255
adamc@108	256 Eval simpl in hget someValues MFirst.
adamc@108	257 (** [[
adamc@108	258
adamc@108	259 = 5
adamc@108	260 : (fun T : Set => T) nat
adamc@108	261 ]] *)
adamc@108	262 Eval simpl in hget someValues (MNext MFirst).
adamc@108	263 (** [[
adamc@108	264
adamc@108	265 = true
adamc@108	266 : (fun T : Set => T) bool
adamc@108	267 ]] *)
adamc@108	268
adamc@108	269 (** We can also build indexed lists of pairs in this way. *)
adamc@108	270
adamc@108	271 Example somePairs : hlist (fun T : Set => T * T)%type someTypes :=
adamc@108	272 MCons (1, 2) (MCons (true, false) MNil).
adamc@108	273
adamc@113	274 (* end thide *)
adamc@113	275
adamc@113	276
adamc@108	277 ( A Lambda Calculus Interpreter *)
adamc@108	278
adamc@108	279 (** Heterogeneous lists are very useful in implementing interpreters for functional programming languages. Using the types and operations we have already defined, it is trivial to write an interpreter for simply-typed lambda calculus. Our interpreter can alternatively be thought of as a denotational semantics.
adamc@108	280
adamc@108	281 We start with an algebraic datatype for types. *)
adamc@108	282
adamc@108	283 Inductive type : Set :=
adamc@108	284 \| Unit : type
adamc@108	285 \| Arrow : type -> type -> type.
adamc@108	286
adamc@108	287 (** Now we can define a type family for expressions. An [exp ts t] will stand for an expression that has type [t] and whose free variables have types in the list [ts]. We effectively use the de Bruijn variable representation, which we will discuss in more detail in later chapters. Variables are represented as [member] values; that is, a variable is more or less a constructive proof that a particular type is found in the type environment. *)
adamc@108	288
adamc@108	289 Inductive exp : list type -> type -> Set :=
adamc@108	290 \| Const : forall ts, exp ts Unit
adamc@108	291
adamc@113	292 (* begin thide *)
adamc@108	293 \| Var : forall ts t, member t ts -> exp ts t
adamc@108	294 \| App : forall ts dom ran, exp ts (Arrow dom ran) -> exp ts dom -> exp ts ran
adamc@108	295 \| Abs : forall ts dom ran, exp (dom :: ts) ran -> exp ts (Arrow dom ran).
adamc@113	296 (* end thide *)
adamc@108	297
adamc@108	298 Implicit Arguments Const [ts].
adamc@108	299
adamc@108	300 (** We write a simple recursive function to translate [type]s into [Set]s. *)
adamc@108	301
adamc@108	302 Fixpoint typeDenote (t : type) : Set :=
adamc@108	303 match t with
adamc@108	304 \| Unit => unit
adamc@108	305 \| Arrow t1 t2 => typeDenote t1 -> typeDenote t2
adamc@108	306 end.
adamc@108	307
adamc@108	308 (** Now it is straightforward to write an expression interpreter. The type of the function, [expDenote], tells us that we translate expressions into functions from properly-typed environments to final values. An environment for a free variable list [ts] is simply a [hlist typeDenote ts]. That is, for each free variable, the heterogeneous list that is the environment must have a value of the variable's associated type. We use [hget] to implement the [Var] case, and we use [MCons] to extend the environment in the [Abs] case. *)
adamc@108	309
adamc@113	310 (* EX: Define an interpreter for [exp]s. *)
adamc@113	311
adamc@113	312 (* begin thide *)
adamc@108	313 Fixpoint expDenote ts t (e : exp ts t) {struct e} : hlist typeDenote ts -> typeDenote t :=
adamc@108	314 match e in exp ts t return hlist typeDenote ts -> typeDenote t with
adamc@108	315 \| Const _ => fun _ => tt
adamc@108	316
adamc@108	317 \| Var _ _ mem => fun s => hget s mem
adamc@108	318 \| App _ _ _ e1 e2 => fun s => (expDenote e1 s) (expDenote e2 s)
adamc@108	319 \| Abs _ _ _ e' => fun s => fun x => expDenote e' (MCons x s)
adamc@108	320 end.
adamc@108	321
adamc@108	322 (** Like for previous examples, our interpreter is easy to run with [simpl]. *)
adamc@108	323
adamc@108	324 Eval simpl in expDenote Const MNil.
adamc@108	325 (** [[
adamc@108	326
adamc@108	327 = tt
adamc@108	328 : typeDenote Unit
adamc@108	329 ]] *)
adamc@108	330 Eval simpl in expDenote (Abs (dom := Unit) (Var MFirst)) MNil.
adamc@108	331 (** [[
adamc@108	332
adamc@108	333 = fun x : unit => x
adamc@108	334 : typeDenote (Arrow Unit Unit)
adamc@108	335 ]] *)
adamc@108	336 Eval simpl in expDenote (Abs (dom := Unit)
adamc@108	337 (Abs (dom := Unit) (Var (MNext MFirst)))) MNil.
adamc@108	338 (** [[
adamc@108	339
adamc@108	340 = fun x _ : unit => x
adamc@108	341 : typeDenote (Arrow Unit (Arrow Unit Unit))
adamc@108	342 ]] *)
adamc@108	343 Eval simpl in expDenote (Abs (dom := Unit) (Abs (dom := Unit) (Var MFirst))) MNil.
adamc@108	344 (** [[
adamc@108	345
adamc@108	346 = fun _ x0 : unit => x0
adamc@108	347 : typeDenote (Arrow Unit (Arrow Unit Unit))
adamc@108	348 ]] *)
adamc@108	349 Eval simpl in expDenote (App (Abs (Var MFirst)) Const) MNil.
adamc@108	350 (** [[
adamc@108	351
adamc@108	352 = tt
adamc@108	353 : typeDenote Unit
adamc@108	354 ]] *)
adamc@108	355
adamc@113	356 (* end thide *)
adamc@113	357
adamc@108	358 (** We are starting to develop the tools behind dependent typing's amazing advantage over alternative approaches in several important areas. Here, we have implemented complete syntax, typing rules, and evaluation semantics for simply-typed lambda calculus without even needing to define a syntactic substitution operation. We did it all without a single line of proof, and our implementation is manifestly executable. In a later chapter, we will meet other, more common approaches to language formalization. Such approaches often state and prove explicit theorems about type safety of languages. In the above example, we got type safety, termination, and other meta-theorems for free, by reduction to CIC, which we know has those properties. *)
adamc@108	359
adamc@108	360
adamc@109	361 (** * Recursive Type Definitions *)
adamc@109	362
adamc@109	363 (** There is another style of datatype definition that leads to much simpler definitions of the [get] and [hget] definitions above. Because Coq supports "type-level computation," we can redo our inductive definitions as %\textit{%#<i>#recursive#</i>#%}% definitions. *)
adamc@109	364
adamc@113	365 (* EX: Come up with an alternate [ilist] definition that makes it easier to write [get]. *)
adamc@113	366
adamc@109	367 Section filist.
adamc@109	368 Variable A : Set.
adamc@109	369
adamc@113	370 (* begin thide *)
adamc@109	371 Fixpoint filist (n : nat) : Set :=
adamc@109	372 match n with
adamc@109	373 \| O => unit
adamc@109	374 \| S n' => A * filist n'
adamc@109	375 end%type.
adamc@109	376
adamc@109	377 (** We say that a list of length 0 has no contents, and a list of length [S n'] is a pair of a data value and a list of length [n']. *)
adamc@109	378
adamc@109	379 Fixpoint findex (n : nat) : Set :=
adamc@109	380 match n with
adamc@109	381 \| O => Empty_set
adamc@109	382 \| S n' => option (findex n')
adamc@109	383 end.
adamc@109	384
adamc@109	385 (** We express that there are no index values when [n = O], by defining such indices as type [Empty_set]; and we express that, at [n = S n'], there is a choice between picking the first element of the list (represented as [None]) or choosing a later element (represented by [Some idx], where [idx] is an index into the list tail). *)
adamc@109	386
adamc@109	387 Fixpoint fget (n : nat) : filist n -> findex n -> A :=
adamc@109	388 match n return filist n -> findex n -> A with
adamc@109	389 \| O => fun _ idx => match idx with end
adamc@109	390 \| S n' => fun ls idx =>
adamc@109	391 match idx with
adamc@109	392 \| None => fst ls
adamc@109	393 \| Some idx' => fget n' (snd ls) idx'
adamc@109	394 end
adamc@109	395 end.
adamc@109	396
adamc@109	397 (** Our new [get] implementation needs only one dependent [match], which just copies the stated return type of the function. Our choices of data structure implementations lead to just the right typing behavior for this new definition to work out. *)
adamc@113	398 (* end thide *)
adamc@109	399 End filist.
adamc@109	400
adamc@109	401 (** Heterogeneous lists are a little trickier to define with recursion, but we then reap similar benefits in simplicity of use. *)
adamc@109	402
adamc@113	403 (* EX: Come up with an alternate [hlist] definition that makes it easier to write [hget]. *)
adamc@113	404
adamc@109	405 Section fhlist.
adamc@109	406 Variable A : Type.
adamc@109	407 Variable B : A -> Type.
adamc@109	408
adamc@113	409 (* begin thide *)
adamc@109	410 Fixpoint fhlist (ls : list A) : Type :=
adamc@109	411 match ls with
adamc@109	412 \| nil => unit
adamc@109	413 \| x :: ls' => B x * fhlist ls'
adamc@109	414 end%type.
adamc@109	415
adamc@109	416 (** The definition of [fhlist] follows the definition of [filist], with the added wrinkle of dependently-typed data elements. *)
adamc@109	417
adamc@109	418 Variable elm : A.
adamc@109	419
adamc@109	420 Fixpoint fmember (ls : list A) : Type :=
adamc@109	421 match ls with
adamc@109	422 \| nil => Empty_set
adamc@109	423 \| x :: ls' => (x = elm) + fmember ls'
adamc@109	424 end%type.
adamc@109	425
adamc@109	426 (** The definition of [fmember] follows the definition of [findex]. Empty lists have no members, and member types for nonempty lists are built by adding one new option to the type of members of the list tail. While for [index] we needed no new information associated with the option that we add, here we need to know that the head of the list equals the element we are searching for. We express that with a sum type whose left branch is the appropriate equality proposition. Since we define [fmember] to live in [Type], we can insert [Prop] types as needed, because [Prop] is a subtype of [Type].
adamc@109	427
adamc@109	428 We know all of the tricks needed to write a first attempt at a [get] function for [fhlist]s.
adamc@109	429
adamc@109	430 [[
adamc@109	431
adamc@109	432 Fixpoint fhget (ls : list A) : fhlist ls -> fmember ls -> B elm :=
adamc@109	433 match ls return fhlist ls -> fmember ls -> B elm with
adamc@109	434 \| nil => fun _ idx => match idx with end
adamc@109	435 \| _ :: ls' => fun mls idx =>
adamc@109	436 match idx with
adamc@109	437 \| inl _ => fst mls
adamc@109	438 \| inr idx' => fhget ls' (snd mls) idx'
adamc@109	439 end
adamc@109	440 end.
adamc@109	441
adamc@205	442 ]]
adamc@205	443
adamc@109	444 Only one problem remains. The expression [fst mls] is not known to have the proper type. To demonstrate that it does, we need to use the proof available in the [inl] case of the inner [match]. *)
adamc@109	445
adamc@109	446 Fixpoint fhget (ls : list A) : fhlist ls -> fmember ls -> B elm :=
adamc@109	447 match ls return fhlist ls -> fmember ls -> B elm with
adamc@109	448 \| nil => fun _ idx => match idx with end
adamc@109	449 \| _ :: ls' => fun mls idx =>
adamc@109	450 match idx with
adamc@109	451 \| inl pf => match pf with
adamc@109	452 \| refl_equal => fst mls
adamc@109	453 end
adamc@109	454 \| inr idx' => fhget ls' (snd mls) idx'
adamc@109	455 end
adamc@109	456 end.
adamc@109	457
adamc@109	458 (** By pattern-matching on the equality proof [pf], we make that equality known to the type-checker. Exactly why this works can be seen by studying the definition of equality. *)
adamc@109	459
adamc@109	460 Print eq.
adamc@109	461 (** [[
adamc@109	462
adamc@109	463 Inductive eq (A : Type) (x : A) : A -> Prop := refl_equal : x = x
adamc@109	464 ]]
adamc@109	465
adamc@109	466 In a proposition [x = y], we see that [x] is a parameter and [y] is a regular argument. The type of the constructor [refl_equal] shows that [y] can only ever be instantiated to [x]. Thus, within a pattern-match with [refl_equal], occurrences of [y] can be replaced with occurrences of [x] for typing purposes. All examples of similar dependent pattern matching that we have seen before require explicit annotations, but Coq implements a special case of annotation inference for matches on equality proofs. *)
adamc@113	467 (* end thide *)
adamc@109	468 End fhlist.
adamc@110	469
adamc@111	470 Implicit Arguments fhget [A B elm ls].
adamc@111	471
adamc@110	472
adamc@110	473 (** * Data Structures as Index Functions *)
adamc@110	474
adamc@110	475 (** Indexed lists can be useful in defining other inductive types with constructors that take variable numbers of arguments. In this section, we consider parameterized trees with arbitrary branching factor. *)
adamc@110	476
adamc@110	477 Section tree.
adamc@110	478 Variable A : Set.
adamc@110	479
adamc@110	480 Inductive tree : Set :=
adamc@110	481 \| Leaf : A -> tree
adamc@110	482 \| Node : forall n, ilist tree n -> tree.
adamc@110	483 End tree.
adamc@110	484
adamc@110	485 (** Every [Node] of a [tree] has a natural number argument, which gives the number of child trees in the second argument, typed with [ilist]. We can define two operations on trees of naturals: summing their elements and incrementing their elements. It is useful to define a generic fold function on [ilist]s first. *)
adamc@110	486
adamc@110	487 Section ifoldr.
adamc@110	488 Variables A B : Set.
adamc@110	489 Variable f : A -> B -> B.
adamc@110	490 Variable i : B.
adamc@110	491
adamc@110	492 Fixpoint ifoldr n (ls : ilist A n) {struct ls} : B :=
adamc@110	493 match ls with
adamc@110	494 \| Nil => i
adamc@110	495 \| Cons _ x ls' => f x (ifoldr ls')
adamc@110	496 end.
adamc@110	497 End ifoldr.
adamc@110	498
adamc@110	499 Fixpoint sum (t : tree nat) : nat :=
adamc@110	500 match t with
adamc@110	501 \| Leaf n => n
adamc@110	502 \| Node _ ls => ifoldr (fun t' n => sum t' + n) O ls
adamc@110	503 end.
adamc@110	504
adamc@110	505 Fixpoint inc (t : tree nat) : tree nat :=
adamc@110	506 match t with
adamc@110	507 \| Leaf n => Leaf (S n)
adamc@110	508 \| Node _ ls => Node (imap inc ls)
adamc@110	509 end.
adamc@110	510
adamc@110	511 (** Now we might like to prove that [inc] does not decrease a tree's [sum]. *)
adamc@110	512
adamc@110	513 Theorem sum_inc : forall t, sum (inc t) >= sum t.
adamc@113	514 (* begin thide *)
adamc@110	515 induction t; crush.
adamc@110	516 (** [[
adamc@110	517
adamc@110	518 n : nat
adamc@110	519 i : ilist (tree nat) n
adamc@110	520 ============================
adamc@110	521 ifoldr (fun (t' : tree nat) (n0 : nat) => sum t' + n0) 0 (imap inc i) >=
adamc@110	522 ifoldr (fun (t' : tree nat) (n0 : nat) => sum t' + n0) 0 i
adamc@110	523 ]]
adamc@110	524
adamc@110	525 We are left with a single subgoal which does not seem provable directly. This is the same problem that we met in Chapter 3 with other nested inductive types. *)
adamc@110	526
adamc@110	527 Check tree_ind.
adamc@110	528 (** [[
adamc@110	529
adamc@110	530 tree_ind
adamc@110	531 : forall (A : Set) (P : tree A -> Prop),
adamc@110	532 (forall a : A, P (Leaf a)) ->
adamc@110	533 (forall (n : nat) (i : ilist (tree A) n), P (Node i)) ->
adamc@110	534 forall t : tree A, P t
adamc@110	535 ]]
adamc@110	536
adamc@110	537 The automatically-generated induction principle is too weak. For the [Node] case, it gives us no inductive hypothesis. We could write our own induction principle, as we did in Chapter 3, but there is an easier way, if we are willing to alter the definition of [tree]. *)
adamc@110	538 Abort.
adamc@110	539
adamc@110	540 Reset tree.
adamc@110	541
adamc@110	542 (** First, let us try using our recursive definition of [ilist]s instead of the inductive version. *)
adamc@110	543
adamc@110	544 Section tree.
adamc@110	545 Variable A : Set.
adamc@110	546
adamc@110	547 (** [[
adamc@110	548
adamc@110	549 Inductive tree : Set :=
adamc@110	550 \| Leaf : A -> tree
adamc@110	551 \| Node : forall n, filist tree n -> tree.
adamc@110	552
adamc@205	553 ]]
adamc@205	554
adamc@110	555 [[
adamc@110	556
adamc@110	557 Error: Non strictly positive occurrence of "tree" in
adamc@110	558 "forall n : nat, filist tree n -> tree"
adamc@110	559 ]]
adamc@110	560
adamc@110	561 The special-case rule for nested datatypes only works with nested uses of other inductive types, which could be replaced with uses of new mutually-inductive types. We defined [filist] recursively, so it may not be used for nested recursion.
adamc@110	562
adamc@110	563 Our final solution uses yet another of the inductive definition techniques introduced in Chapter 3, reflexive types. Instead of merely using [index] to get elements out of [ilist], we can %\textit{%#<i>#define#</i>#%}% [ilist] in terms of [index]. For the reasons outlined above, it turns out to be easier to work with [findex] in place of [index]. *)
adamc@110	564
adamc@110	565 Inductive tree : Set :=
adamc@110	566 \| Leaf : A -> tree
adamc@110	567 \| Node : forall n, (findex n -> tree) -> tree.
adamc@110	568
adamc@110	569 (** A [Node] is indexed by a natural number [n], and the node's [n] children are represented as a function from [findex n] to trees, which is isomorphic to the [ilist]-based representation that we used above. *)
adamc@110	570 End tree.
adamc@110	571
adamc@110	572 Implicit Arguments Node [A n].
adamc@110	573
adamc@110	574 (** We can redefine [sum] and [inc] for our new [tree] type. Again, it is useful to define a generic fold function first. This time, it takes in a function whose range is some [findex] type, and it folds another function over the results of calling the first function at every possible [findex] value. *)
adamc@110	575
adamc@110	576 Section rifoldr.
adamc@110	577 Variables A B : Set.
adamc@110	578 Variable f : A -> B -> B.
adamc@110	579 Variable i : B.
adamc@110	580
adamc@110	581 Fixpoint rifoldr (n : nat) : (findex n -> A) -> B :=
adamc@110	582 match n return (findex n -> A) -> B with
adamc@110	583 \| O => fun _ => i
adamc@110	584 \| S n' => fun get => f (get None) (rifoldr n' (fun idx => get (Some idx)))
adamc@110	585 end.
adamc@110	586 End rifoldr.
adamc@110	587
adamc@110	588 Implicit Arguments rifoldr [A B n].
adamc@110	589
adamc@110	590 Fixpoint sum (t : tree nat) : nat :=
adamc@110	591 match t with
adamc@110	592 \| Leaf n => n
adamc@110	593 \| Node _ f => rifoldr plus O (fun idx => sum (f idx))
adamc@110	594 end.
adamc@110	595
adamc@110	596 Fixpoint inc (t : tree nat) : tree nat :=
adamc@110	597 match t with
adamc@110	598 \| Leaf n => Leaf (S n)
adamc@110	599 \| Node _ f => Node (fun idx => inc (f idx))
adamc@110	600 end.
adamc@110	601
adamc@110	602 (** Now we are ready to prove the theorem where we got stuck before. We will not need to define any new induction principle, but it %\textit{%#<i>#will#</i>#%}% be helpful to prove some lemmas. *)
adamc@110	603
adamc@110	604 Lemma plus_ge : forall x1 y1 x2 y2,
adamc@110	605 x1 >= x2
adamc@110	606 -> y1 >= y2
adamc@110	607 -> x1 + y1 >= x2 + y2.
adamc@110	608 crush.
adamc@110	609 Qed.
adamc@110	610
adamc@110	611 Lemma sum_inc' : forall n (f1 f2 : findex n -> nat),
adamc@110	612 (forall idx, f1 idx >= f2 idx)
adamc@110	613 -> rifoldr plus 0 f1 >= rifoldr plus 0 f2.
adamc@110	614 Hint Resolve plus_ge.
adamc@110	615
adamc@110	616 induction n; crush.
adamc@110	617 Qed.
adamc@110	618
adamc@110	619 Theorem sum_inc : forall t, sum (inc t) >= sum t.
adamc@110	620 Hint Resolve sum_inc'.
adamc@110	621
adamc@110	622 induction t; crush.
adamc@110	623 Qed.
adamc@110	624
adamc@113	625 (* end thide *)
adamc@113	626
adamc@110	627 (** Even if Coq would generate complete induction principles automatically for nested inductive definitions like the one we started with, there would still be advantages to using this style of reflexive encoding. We see one of those advantages in the definition of [inc], where we did not need to use any kind of auxiliary function. In general, reflexive encodings often admit direct implementations of operations that would require recursion if performed with more traditional inductive data structures. *)
adamc@111	628
adamc@111	629 ( Another Interpreter Example *)
adamc@111	630
adamc@112	631 (** We develop another example of variable-arity constructors, in the form of optimization of a small expression language with a construct like Scheme's %\texttt{%#<tt>#cond#</tt>#%}%. Each of our conditional expressions takes a list of pairs of boolean tests and bodies. The value of the conditional comes from the body of the first test in the list to evaluate to [true]. To simplify the interpreter we will write, we force each conditional to include a final, default case. *)
adamc@112	632
adamc@112	633 Inductive type' : Type := Nat \| Bool.
adamc@111	634
adamc@111	635 Inductive exp' : type' -> Type :=
adamc@112	636 \| NConst : nat -> exp' Nat
adamc@112	637 \| Plus : exp' Nat -> exp' Nat -> exp' Nat
adamc@112	638 \| Eq : exp' Nat -> exp' Nat -> exp' Bool
adamc@111	639
adamc@112	640 \| BConst : bool -> exp' Bool
adamc@113	641 (* begin thide *)
adamc@112	642 \| Cond : forall n t, (findex n -> exp' Bool)
adamc@111	643 -> (findex n -> exp' t) -> exp' t -> exp' t.
adamc@113	644 (* end thide *)
adamc@111	645
adamc@112	646 (** A [Cond] is parameterized by a natural [n], which tells us how many cases this conditional has. The test expressions are represented with a function of type [findex n -> exp' Bool], and the bodies are represented with a function of type [findex n -> exp' t], where [t] is the overall type. The final [exp' t] argument is the default case.
adamc@112	647
adamc@112	648 We start implementing our interpreter with a standard type denotation function. *)
adamc@112	649
adamc@111	650 Definition type'Denote (t : type') : Set :=
adamc@111	651 match t with
adamc@112	652 \| Nat => nat
adamc@112	653 \| Bool => bool
adamc@111	654 end.
adamc@111	655
adamc@112	656 (** To implement the expression interpreter, it is useful to have the following function that implements the functionality of [Cond] without involving any syntax. *)
adamc@112	657
adamc@113	658 (* begin thide *)
adamc@111	659 Section cond.
adamc@111	660 Variable A : Set.
adamc@111	661 Variable default : A.
adamc@111	662
adamc@111	663 Fixpoint cond (n : nat) : (findex n -> bool) -> (findex n -> A) -> A :=
adamc@111	664 match n return (findex n -> bool) -> (findex n -> A) -> A with
adamc@111	665 \| O => fun _ _ => default
adamc@111	666 \| S n' => fun tests bodies =>
adamc@111	667 if tests None
adamc@111	668 then bodies None
adamc@111	669 else cond n'
adamc@111	670 (fun idx => tests (Some idx))
adamc@111	671 (fun idx => bodies (Some idx))
adamc@111	672 end.
adamc@111	673 End cond.
adamc@111	674
adamc@111	675 Implicit Arguments cond [A n].
adamc@113	676 (* end thide *)
adamc@111	677
adamc@112	678 (** Now the expression interpreter is straightforward to write. *)
adamc@112	679
adamc@111	680 Fixpoint exp'Denote t (e : exp' t) {struct e} : type'Denote t :=
adamc@111	681 match e in exp' t return type'Denote t with
adamc@111	682 \| NConst n =>
adamc@111	683 n
adamc@111	684 \| Plus e1 e2 =>
adamc@111	685 exp'Denote e1 + exp'Denote e2
adamc@111	686 \| Eq e1 e2 =>
adamc@111	687 if eq_nat_dec (exp'Denote e1) (exp'Denote e2) then true else false
adamc@111	688
adamc@111	689 \| BConst b =>
adamc@111	690 b
adamc@111	691 \| Cond _ _ tests bodies default =>
adamc@113	692 (* begin thide *)
adamc@111	693 cond
adamc@111	694 (exp'Denote default)
adamc@111	695 (fun idx => exp'Denote (tests idx))
adamc@111	696 (fun idx => exp'Denote (bodies idx))
adamc@113	697 (* end thide *)
adamc@111	698 end.
adamc@111	699
adamc@112	700 (** We will implement a constant-folding function that optimizes conditionals, removing cases with known-[false] tests and cases that come after known-[true] tests. A function [cfoldCond] implements the heart of this logic. The convoy pattern is used again near the end of the implementation. *)
adamc@112	701
adamc@113	702 (* begin thide *)
adamc@111	703 Section cfoldCond.
adamc@111	704 Variable t : type'.
adamc@111	705 Variable default : exp' t.
adamc@111	706
adamc@112	707 Fixpoint cfoldCond (n : nat)
adamc@112	708 : (findex n -> exp' Bool) -> (findex n -> exp' t) -> exp' t :=
adamc@112	709 match n return (findex n -> exp' Bool) -> (findex n -> exp' t) -> exp' t with
adamc@111	710 \| O => fun _ _ => default
adamc@111	711 \| S n' => fun tests bodies =>
adamc@204	712 match tests None return _ with
adamc@111	713 \| BConst true => bodies None
adamc@111	714 \| BConst false => cfoldCond n'
adamc@111	715 (fun idx => tests (Some idx))
adamc@111	716 (fun idx => bodies (Some idx))
adamc@111	717 \| _ =>
adamc@111	718 let e := cfoldCond n'
adamc@111	719 (fun idx => tests (Some idx))
adamc@111	720 (fun idx => bodies (Some idx)) in
adamc@112	721 match e in exp' t return exp' t -> exp' t with
adamc@112	722 \| Cond n _ tests' bodies' default' => fun body =>
adamc@111	723 Cond
adamc@111	724 (S n)
adamc@111	725 (fun idx => match idx with
adamc@112	726 \| None => tests None
adamc@111	727 \| Some idx => tests' idx
adamc@111	728 end)
adamc@111	729 (fun idx => match idx with
adamc@111	730 \| None => body
adamc@111	731 \| Some idx => bodies' idx
adamc@111	732 end)
adamc@111	733 default'
adamc@112	734 \| e => fun body =>
adamc@111	735 Cond
adamc@111	736 1
adamc@112	737 (fun _ => tests None)
adamc@111	738 (fun _ => body)
adamc@111	739 e
adamc@112	740 end (bodies None)
adamc@111	741 end
adamc@111	742 end.
adamc@111	743 End cfoldCond.
adamc@111	744
adamc@111	745 Implicit Arguments cfoldCond [t n].
adamc@113	746 (* end thide *)
adamc@111	747
adamc@112	748 (** Like for the interpreters, most of the action was in this helper function, and [cfold] itself is easy to write. *)
adamc@112	749
adamc@111	750 Fixpoint cfold t (e : exp' t) {struct e} : exp' t :=
adamc@111	751 match e in exp' t return exp' t with
adamc@111	752 \| NConst n => NConst n
adamc@111	753 \| Plus e1 e2 =>
adamc@111	754 let e1' := cfold e1 in
adamc@111	755 let e2' := cfold e2 in
adamc@204	756 match e1', e2' return _ with
adamc@111	757 \| NConst n1, NConst n2 => NConst (n1 + n2)
adamc@111	758 \| _, _ => Plus e1' e2'
adamc@111	759 end
adamc@111	760 \| Eq e1 e2 =>
adamc@111	761 let e1' := cfold e1 in
adamc@111	762 let e2' := cfold e2 in
adamc@204	763 match e1', e2' return _ with
adamc@111	764 \| NConst n1, NConst n2 => BConst (if eq_nat_dec n1 n2 then true else false)
adamc@111	765 \| _, _ => Eq e1' e2'
adamc@111	766 end
adamc@111	767
adamc@111	768 \| BConst b => BConst b
adamc@111	769 \| Cond _ _ tests bodies default =>
adamc@113	770 (* begin thide *)
adamc@111	771 cfoldCond
adamc@111	772 (cfold default)
adamc@111	773 (fun idx => cfold (tests idx))
adamc@111	774 (fun idx => cfold (bodies idx))
adamc@113	775 (* end thide *)
adamc@111	776 end.
adamc@111	777
adamc@113	778 (* begin thide *)
adamc@112	779 (** To prove our final correctness theorem, it is useful to know that [cfoldCond] preserves expression meanings. This lemma formalizes that property. The proof is a standard mostly-automated one, with the only wrinkle being a guided instantation of the quantifiers in the induction hypothesis. *)
adamc@112	780
adamc@111	781 Lemma cfoldCond_correct : forall t (default : exp' t)
adamc@112	782 n (tests : findex n -> exp' Bool) (bodies : findex n -> exp' t),
adamc@111	783 exp'Denote (cfoldCond default tests bodies)
adamc@111	784 = exp'Denote (Cond n tests bodies default).
adamc@111	785 induction n; crush;
adamc@111	786 match goal with
adamc@111	787 \| [ IHn : forall tests bodies, _, tests : _ -> _, bodies : _ -> _ \|- _ ] =>
adamc@111	788 generalize (IHn (fun idx => tests (Some idx)) (fun idx => bodies (Some idx)));
adamc@111	789 clear IHn; intro IHn
adamc@111	790 end;
adamc@111	791 repeat (match goal with
adamc@111	792 \| [ \|- context[match ?E with
adamc@111	793 \| NConst _ => _
adamc@111	794 \| Plus _ _ => _
adamc@111	795 \| Eq _ _ => _
adamc@111	796 \| BConst _ => _
adamc@111	797 \| Cond _ _ _ _ _ => _
adamc@111	798 end] ] => dep_destruct E
adamc@111	799 \| [ \|- context[if ?B then _ else _] ] => destruct B
adamc@111	800 end; crush).
adamc@111	801 Qed.
adamc@111	802
adamc@112	803 (** It is also useful to know that the result of a call to [cond] is not changed by substituting new tests and bodies functions, so long as the new functions have the same input-output behavior as the old. It turns out that, in Coq, it is not possible to prove in general that functions related in this way are equal. We treat this issue with our discussion of axioms in a later chapter. For now, it suffices to prove that the particular function [cond] is %\textit{%#<i>#extensional#</i>#%}%; that is, it is unaffected by substitution of functions with input-output equivalents. *)
adamc@112	804
adamc@111	805 Lemma cond_ext : forall (A : Set) (default : A) n (tests tests' : findex n -> bool)
adamc@111	806 (bodies bodies' : findex n -> A),
adamc@111	807 (forall idx, tests idx = tests' idx)
adamc@111	808 -> (forall idx, bodies idx = bodies' idx)
adamc@111	809 -> cond default tests bodies
adamc@111	810 = cond default tests' bodies'.
adamc@111	811 induction n; crush;
adamc@111	812 match goal with
adamc@111	813 \| [ \|- context[if ?E then _ else _] ] => destruct E
adamc@111	814 end; crush.
adamc@111	815 Qed.
adamc@111	816
adamc@112	817 (** Now the final theorem is easy to prove. We add our two lemmas as hints and perform standard automation with pattern-matching of subterms to destruct. *)
adamc@113	818 (* end thide *)
adamc@112	819
adamc@111	820 Theorem cfold_correct : forall t (e : exp' t),
adamc@111	821 exp'Denote (cfold e) = exp'Denote e.
adamc@113	822 (* begin thide *)
adamc@111	823 Hint Rewrite cfoldCond_correct : cpdt.
adamc@111	824 Hint Resolve cond_ext.
adamc@111	825
adamc@111	826 induction e; crush;
adamc@111	827 repeat (match goal with
adamc@111	828 \| [ \|- context[cfold ?E] ] => dep_destruct (cfold E)
adamc@111	829 end; crush).
adamc@111	830 Qed.
adamc@113	831 (* end thide *)
adamc@115	832
adamc@115	833
adamc@115	834 (** * Exercises *)
adamc@115	835
adamc@116	836 (** remove printing * *)
adamc@116	837
adamc@115	838 (** Some of the type family definitions from this chapter are duplicated in the [DepList] module of the book source. Only the recursive versions of length-indexed and heterogeneous lists are included, and they are renamed without the [f] prefixes, e.g., [ilist] in place of [filist].
adamc@115	839
adamc@115	840 %\begin{enumerate}%#<ol>#
adamc@115	841
adamc@128	842 %\item%#<li># Define a tree analogue of [hlist]. That is, define a parameterized type of binary trees with data at their leaves, and define a type family [htree] indexed by trees. The structure of an [htree] mirrors its index tree, with the type of each data element (which only occur at leaves) determined by applying a type function to the corresponding element of the index tree. Define a type standing for all possible paths from the root of a tree to leaves and use it to implement a function [tget] for extracting an element of an [htree] by path. Define a function [htmap2] for "mapping over two trees in parallel." That is, [htmap2] takes in two [htree]s with the same index tree, and it forms a new [htree] with the same index by applying a binary function pointwise.
adamc@115	843
adamc@129	844 Repeat this process so that you implement each definition for each of the three definition styles covered in this chapter: inductive, recursive, and index function.#</li>#
adamc@116	845
adamc@130	846 %\item%#<li># Write a dependently-typed interpreter for a simple programming language with ML-style pattern-matching, using one of the encodings of heterogeneous lists to represent the different branches of a [case] expression. (There are other ways to represent the same thing, but the point of this exercise is to practice using those heterogeneous list types.) The object language is defined informally by this grammar:
adamc@116	847
adamc@116	848 [[
adamc@116	849 t ::= bool \| t + t
adamc@116	850 p ::= x \| b \| inl p \| inr p
adamc@116	851 e ::= x \| b \| inl e \| inr e \| case e of [p => e]* \| _ => e
adamc@116	852 ]]
adamc@116	853
adamc@116	854 [x] stands for a variable, and [b] stands for a boolean constant. The production for [case] expressions means that a pattern-match includes zero or more pairs of patterns and expressions, along with a default case.
adamc@116	855
adamc@117	856 Your interpreter should be implemented in the style demonstrated in this chapter. That is, your definition of expressions should use dependent types and de Bruijn indices to combine syntax and typing rules, such that the type of an expression tells the types of variables that are in scope. You should implement a simple recursive function translating types [t] to [Set], and your interpreter should produce values in the image of this translation.#</li>#
adamc@116	857
adamc@115	858 #</ol>#%\end{enumerate}% *)

Mercurial > cpdt > repo

annotate src/DataStruct.v @ 214:768889c969e9