adam@398
|
1 (* Copyright (c) 2008-2012, Adam Chlipala
|
adamc@118
|
2 *
|
adamc@118
|
3 * This work is licensed under a
|
adamc@118
|
4 * Creative Commons Attribution-Noncommercial-No Derivative Works 3.0
|
adamc@118
|
5 * Unported License.
|
adamc@118
|
6 * The license text is available at:
|
adamc@118
|
7 * http://creativecommons.org/licenses/by-nc-nd/3.0/
|
adamc@118
|
8 *)
|
adamc@118
|
9
|
adamc@118
|
10 (* begin hide *)
|
adamc@120
|
11 Require Import Eqdep JMeq List.
|
adamc@118
|
12
|
adam@314
|
13 Require Import CpdtTactics.
|
adamc@118
|
14
|
adamc@118
|
15 Set Implicit Arguments.
|
adamc@118
|
16 (* end hide *)
|
adamc@118
|
17
|
adamc@118
|
18
|
adamc@118
|
19 (** %\chapter{Reasoning About Equality Proofs}% *)
|
adamc@118
|
20
|
adam@294
|
21 (** In traditional mathematics, the concept of equality is usually taken as a given. On the other hand, in type theory, equality is a very contentious subject. There are at least three different notions of equality that are important, and researchers are actively investigating new definitions of what it means for two terms to be equal. Even once we fix a notion of equality, there are inevitably tricky issues that arise in proving properties of programs that manipulate equality proofs explicitly. In this chapter, I will focus on design patterns for circumventing these tricky issues, and I will introduce the different notions of equality as they are germane. *)
|
adamc@118
|
22
|
adamc@118
|
23
|
adamc@122
|
24 (** * The Definitional Equality *)
|
adamc@122
|
25
|
adam@435
|
26 (** We have seen many examples so far where proof goals follow "by computation." That is, we apply computational reduction rules to reduce the goal to a normal form, at which point it follows trivially. Exactly when this works and when it does not depends on the details of Coq's%\index{definitional equality}% _definitional equality_. This is an untyped binary relation appearing in the formal metatheory of CIC. CIC contains a typing rule allowing the conclusion [E : T] from the premise [E : T'] and a proof that [T] and [T'] are definitionally equal.
|
adamc@122
|
27
|
adam@364
|
28 The %\index{tactics!cbv}%[cbv] tactic will help us illustrate the rules of Coq's definitional equality. We redefine the natural number predecessor function in a somewhat convoluted way and construct a manual proof that it returns [0] when applied to [1]. *)
|
adamc@122
|
29
|
adamc@122
|
30 Definition pred' (x : nat) :=
|
adamc@122
|
31 match x with
|
adamc@122
|
32 | O => O
|
adamc@122
|
33 | S n' => let y := n' in y
|
adamc@122
|
34 end.
|
adamc@122
|
35
|
adamc@122
|
36 Theorem reduce_me : pred' 1 = 0.
|
adamc@218
|
37
|
adamc@124
|
38 (* begin thide *)
|
adam@364
|
39 (** CIC follows the traditions of lambda calculus in associating reduction rules with Greek letters. Coq can certainly be said to support the familiar alpha reduction rule, which allows capture-avoiding renaming of bound variables, but we never need to apply alpha explicitly, since Coq uses a de Bruijn representation%~\cite{DeBruijn}% that encodes terms canonically.
|
adamc@122
|
40
|
adam@364
|
41 The %\index{delta reduction}%delta rule is for unfolding global definitions. We can use it here to unfold the definition of [pred']. We do this with the [cbv] tactic, which takes a list of reduction rules and makes as many call-by-value reduction steps as possible, using only those rules. There is an analogous tactic %\index{tactics!lazy}%[lazy] for call-by-need reduction. *)
|
adamc@122
|
42
|
adamc@122
|
43 cbv delta.
|
adam@364
|
44 (** %\vspace{-.15in}%[[
|
adamc@122
|
45 ============================
|
adamc@122
|
46 (fun x : nat => match x with
|
adamc@122
|
47 | 0 => 0
|
adamc@122
|
48 | S n' => let y := n' in y
|
adamc@122
|
49 end) 1 = 0
|
adamc@122
|
50 ]]
|
adamc@122
|
51
|
adam@364
|
52 At this point, we want to apply the famous %\index{beta reduction}%beta reduction of lambda calculus, to simplify the application of a known function abstraction. *)
|
adamc@122
|
53
|
adamc@122
|
54 cbv beta.
|
adam@364
|
55 (** %\vspace{-.15in}%[[
|
adamc@122
|
56 ============================
|
adamc@122
|
57 match 1 with
|
adamc@122
|
58 | 0 => 0
|
adamc@122
|
59 | S n' => let y := n' in y
|
adamc@122
|
60 end = 0
|
adamc@122
|
61 ]]
|
adamc@122
|
62
|
adam@364
|
63 Next on the list is the %\index{iota reduction}%iota reduction, which simplifies a single [match] term by determining which pattern matches. *)
|
adamc@122
|
64
|
adamc@122
|
65 cbv iota.
|
adam@364
|
66 (** %\vspace{-.15in}%[[
|
adamc@122
|
67 ============================
|
adamc@122
|
68 (fun n' : nat => let y := n' in y) 0 = 0
|
adamc@122
|
69 ]]
|
adamc@122
|
70
|
adamc@122
|
71 Now we need another beta reduction. *)
|
adamc@122
|
72
|
adamc@122
|
73 cbv beta.
|
adam@364
|
74 (** %\vspace{-.15in}%[[
|
adamc@122
|
75 ============================
|
adamc@122
|
76 (let y := 0 in y) = 0
|
adamc@122
|
77 ]]
|
adamc@122
|
78
|
adam@364
|
79 The final reduction rule is %\index{zeta reduction}%zeta, which replaces a [let] expression by its body with the appropriate term substituted. *)
|
adamc@122
|
80
|
adamc@122
|
81 cbv zeta.
|
adam@364
|
82 (** %\vspace{-.15in}%[[
|
adamc@122
|
83 ============================
|
adamc@122
|
84 0 = 0
|
adam@302
|
85 ]]
|
adam@302
|
86 *)
|
adamc@122
|
87
|
adamc@122
|
88 reflexivity.
|
adamc@122
|
89 Qed.
|
adamc@124
|
90 (* end thide *)
|
adamc@122
|
91
|
adam@365
|
92 (** The [beta] reduction rule applies to recursive functions as well, and its behavior may be surprising in some instances. For instance, we can run some simple tests using the reduction strategy [compute], which applies all applicable rules of the definitional equality. *)
|
adam@365
|
93
|
adam@365
|
94 Definition id (n : nat) := n.
|
adam@365
|
95
|
adam@365
|
96 Eval compute in fun x => id x.
|
adam@365
|
97 (** %\vspace{-.15in}%[[
|
adam@365
|
98 = fun x : nat => x
|
adam@365
|
99 ]]
|
adam@365
|
100 *)
|
adam@365
|
101
|
adam@365
|
102 Fixpoint id' (n : nat) := n.
|
adam@365
|
103
|
adam@365
|
104 Eval compute in fun x => id' x.
|
adam@365
|
105 (** %\vspace{-.15in}%[[
|
adam@365
|
106 = fun x : nat => (fix id' (n : nat) : nat := n) x
|
adam@365
|
107 ]]
|
adam@365
|
108
|
adam@427
|
109 By running [compute], we ask Coq to run reduction steps until no more apply, so why do we see an application of a known function, where clearly no beta reduction has been performed? The answer has to do with ensuring termination of all Gallina programs. One candidate rule would say that we apply recursive definitions wherever possible. However, this would clearly lead to nonterminating reduction sequences, since the function may appear fully applied within its own definition, and we would naively "simplify" such applications immediately. Instead, Coq only applies the beta rule for a recursive function when _the top-level structure of the recursive argument is known_. For [id'] above, we have only one argument [n], so clearly it is the recursive argument, and the top-level structure of [n] is known when the function is applied to [O] or to some [S e] term. The variable [x] is neither, so reduction is blocked.
|
adam@365
|
110
|
adam@365
|
111 What are recursive arguments in general? Every recursive function is compiled by Coq to a %\index{Gallina terms!fix}%[fix] expression, for anonymous definition of recursive functions. Further, every [fix] with multiple arguments has one designated as the recursive argument via a [struct] annotation. The recursive argument is the one that must decrease across recursive calls, to appease Coq's termination checker. Coq will generally infer which argument is recursive, though we may also specify it manually, if we want to tweak reduction behavior. For instance, consider this definition of a function to add two lists of [nat]s elementwise: *)
|
adam@365
|
112
|
adam@365
|
113 Fixpoint addLists (ls1 ls2 : list nat) : list nat :=
|
adam@365
|
114 match ls1, ls2 with
|
adam@365
|
115 | n1 :: ls1' , n2 :: ls2' => n1 + n2 :: addLists ls1' ls2'
|
adam@365
|
116 | _, _ => nil
|
adam@365
|
117 end.
|
adam@365
|
118
|
adam@365
|
119 (** By default, Coq chooses [ls1] as the recursive argument. We can see that [ls2] would have been another valid choice. The choice has a critical effect on reduction behavior, as these two examples illustrate: *)
|
adam@365
|
120
|
adam@365
|
121 Eval compute in fun ls => addLists nil ls.
|
adam@365
|
122 (** %\vspace{-.15in}%[[
|
adam@365
|
123 = fun _ : list nat => nil
|
adam@365
|
124 ]]
|
adam@365
|
125 *)
|
adam@365
|
126
|
adam@365
|
127 Eval compute in fun ls => addLists ls nil.
|
adam@365
|
128 (** %\vspace{-.15in}%[[
|
adam@365
|
129 = fun ls : list nat =>
|
adam@365
|
130 (fix addLists (ls1 ls2 : list nat) : list nat :=
|
adam@365
|
131 match ls1 with
|
adam@365
|
132 | nil => nil
|
adam@365
|
133 | n1 :: ls1' =>
|
adam@365
|
134 match ls2 with
|
adam@365
|
135 | nil => nil
|
adam@365
|
136 | n2 :: ls2' =>
|
adam@365
|
137 (fix plus (n m : nat) : nat :=
|
adam@365
|
138 match n with
|
adam@365
|
139 | 0 => m
|
adam@365
|
140 | S p => S (plus p m)
|
adam@365
|
141 end) n1 n2 :: addLists ls1' ls2'
|
adam@365
|
142 end
|
adam@365
|
143 end) ls nil
|
adam@365
|
144 ]]
|
adam@365
|
145
|
adam@427
|
146 The outer application of the [fix] expression for [addLists] was only simplified in the first case, because in the second case the recursive argument is [ls], whose top-level structure is not known.
|
adam@365
|
147
|
adam@427
|
148 The opposite behavior pertains to a version of [addLists] with [ls2] marked as recursive. *)
|
adam@365
|
149
|
adam@365
|
150 Fixpoint addLists' (ls1 ls2 : list nat) {struct ls2} : list nat :=
|
adam@365
|
151 match ls1, ls2 with
|
adam@365
|
152 | n1 :: ls1' , n2 :: ls2' => n1 + n2 :: addLists' ls1' ls2'
|
adam@365
|
153 | _, _ => nil
|
adam@365
|
154 end.
|
adam@365
|
155
|
adam@427
|
156 (* begin hide *)
|
adam@437
|
157 (* begin thide *)
|
adam@437
|
158 Definition foo := (@eq, plus).
|
adam@437
|
159 (* end thide *)
|
adam@427
|
160 (* end hide *)
|
adam@427
|
161
|
adam@365
|
162 Eval compute in fun ls => addLists' ls nil.
|
adam@365
|
163 (** %\vspace{-.15in}%[[
|
adam@365
|
164 = fun ls : list nat => match ls with
|
adam@365
|
165 | nil => nil
|
adam@365
|
166 | _ :: _ => nil
|
adam@365
|
167 end
|
adam@365
|
168 ]]
|
adam@365
|
169
|
adam@365
|
170 We see that all use of recursive functions has been eliminated, though the term has not quite simplified to [nil]. We could get it to do so by switching the order of the [match] discriminees in the definition of [addLists'].
|
adam@365
|
171
|
adam@365
|
172 Recall that co-recursive definitions have a dual rule: a co-recursive call only simplifies when it is the discriminee of a [match]. This condition is built into the beta rule for %\index{Gallina terms!cofix}%[cofix], the anonymous form of [CoFixpoint].
|
adam@365
|
173
|
adam@365
|
174 %\medskip%
|
adam@365
|
175
|
adam@407
|
176 The standard [eq] relation is critically dependent on the definitional equality. The relation [eq] is often called a%\index{propositional equality}% _propositional equality_, because it reifies definitional equality as a proposition that may or may not hold. Standard axiomatizations of an equality predicate in first-order logic define equality in terms of properties it has, like reflexivity, symmetry, and transitivity. In contrast, for [eq] in Coq, those properties are implicit in the properties of the definitional equality, which are built into CIC's metatheory and the implementation of Gallina. We could add new rules to the definitional equality, and [eq] would keep its definition and methods of use.
|
adamc@122
|
177
|
adam@427
|
178 This all may make it sound like the choice of [eq]'s definition is unimportant. To the contrary, in this chapter, we will see examples where alternate definitions may simplify proofs. Before that point, I will introduce proof methods for goals that use proofs of the standard propositional equality "as data." *)
|
adamc@122
|
179
|
adamc@122
|
180
|
adamc@118
|
181 (** * Heterogeneous Lists Revisited *)
|
adamc@118
|
182
|
adam@427
|
183 (** One of our example dependent data structures from the last chapter was heterogeneous lists and their associated "cursor" type. The recursive version poses some special challenges related to equality proofs, since it uses such proofs in its definition of [fmember] types. *)
|
adamc@118
|
184
|
adamc@118
|
185 Section fhlist.
|
adamc@118
|
186 Variable A : Type.
|
adamc@118
|
187 Variable B : A -> Type.
|
adamc@118
|
188
|
adamc@118
|
189 Fixpoint fhlist (ls : list A) : Type :=
|
adamc@118
|
190 match ls with
|
adamc@118
|
191 | nil => unit
|
adamc@118
|
192 | x :: ls' => B x * fhlist ls'
|
adamc@118
|
193 end%type.
|
adamc@118
|
194
|
adamc@118
|
195 Variable elm : A.
|
adamc@118
|
196
|
adamc@118
|
197 Fixpoint fmember (ls : list A) : Type :=
|
adamc@118
|
198 match ls with
|
adamc@118
|
199 | nil => Empty_set
|
adamc@118
|
200 | x :: ls' => (x = elm) + fmember ls'
|
adamc@118
|
201 end%type.
|
adamc@118
|
202
|
adamc@118
|
203 Fixpoint fhget (ls : list A) : fhlist ls -> fmember ls -> B elm :=
|
adamc@118
|
204 match ls return fhlist ls -> fmember ls -> B elm with
|
adamc@118
|
205 | nil => fun _ idx => match idx with end
|
adamc@118
|
206 | _ :: ls' => fun mls idx =>
|
adamc@118
|
207 match idx with
|
adamc@118
|
208 | inl pf => match pf with
|
adam@426
|
209 | eq_refl => fst mls
|
adamc@118
|
210 end
|
adamc@118
|
211 | inr idx' => fhget ls' (snd mls) idx'
|
adamc@118
|
212 end
|
adamc@118
|
213 end.
|
adamc@118
|
214 End fhlist.
|
adamc@118
|
215
|
adamc@118
|
216 Implicit Arguments fhget [A B elm ls].
|
adamc@118
|
217
|
adam@427
|
218 (* begin hide *)
|
adam@437
|
219 (* begin thide *)
|
adam@427
|
220 Definition map := O.
|
adam@437
|
221 (* end thide *)
|
adam@427
|
222 (* end hide *)
|
adam@427
|
223
|
adamc@118
|
224 (** We can define a [map]-like function for [fhlist]s. *)
|
adamc@118
|
225
|
adamc@118
|
226 Section fhlist_map.
|
adamc@118
|
227 Variables A : Type.
|
adamc@118
|
228 Variables B C : A -> Type.
|
adamc@118
|
229 Variable f : forall x, B x -> C x.
|
adamc@118
|
230
|
adamc@118
|
231 Fixpoint fhmap (ls : list A) : fhlist B ls -> fhlist C ls :=
|
adamc@118
|
232 match ls return fhlist B ls -> fhlist C ls with
|
adamc@118
|
233 | nil => fun _ => tt
|
adamc@118
|
234 | _ :: _ => fun hls => (f (fst hls), fhmap _ (snd hls))
|
adamc@118
|
235 end.
|
adamc@118
|
236
|
adamc@118
|
237 Implicit Arguments fhmap [ls].
|
adamc@118
|
238
|
adam@427
|
239 (* begin hide *)
|
adam@437
|
240 (* begin thide *)
|
adam@427
|
241 Definition ilist := O.
|
adam@427
|
242 Definition get := O.
|
adam@427
|
243 Definition imap := O.
|
adam@437
|
244 (* end thide *)
|
adam@427
|
245 (* end hide *)
|
adam@427
|
246
|
adamc@118
|
247 (** For the inductive versions of the [ilist] definitions, we proved a lemma about the interaction of [get] and [imap]. It was a strategic choice not to attempt such a proof for the definitions that we just gave, because that sets us on a collision course with the problems that are the subject of this chapter. *)
|
adamc@118
|
248
|
adamc@118
|
249 Variable elm : A.
|
adamc@118
|
250
|
adamc@118
|
251 Theorem get_imap : forall ls (mem : fmember elm ls) (hls : fhlist B ls),
|
adamc@118
|
252 fhget (fhmap hls) mem = f (fhget hls mem).
|
adam@298
|
253 (* begin hide *)
|
adam@298
|
254 induction ls; crush; case a0; reflexivity.
|
adam@298
|
255 (* end hide *)
|
adam@364
|
256 (** %\vspace{-.2in}%[[
|
adamc@118
|
257 induction ls; crush.
|
adam@298
|
258 ]]
|
adamc@118
|
259
|
adam@364
|
260 %\vspace{-.15in}%In Coq 8.2, one subgoal remains at this point. Coq 8.3 has added some tactic improvements that enable [crush] to complete all of both inductive cases. To introduce the basics of reasoning about equality, it will be useful to review what was necessary in Coq 8.2.
|
adam@297
|
261
|
adam@297
|
262 Part of our single remaining subgoal is:
|
adamc@118
|
263 [[
|
adamc@118
|
264 a0 : a = elm
|
adamc@118
|
265 ============================
|
adamc@118
|
266 match a0 in (_ = a2) return (C a2) with
|
adam@426
|
267 | eq_refl => f a1
|
adamc@118
|
268 end = f match a0 in (_ = a2) return (B a2) with
|
adam@426
|
269 | eq_refl => a1
|
adamc@118
|
270 end
|
adamc@118
|
271 ]]
|
adamc@118
|
272
|
adam@426
|
273 This seems like a trivial enough obligation. The equality proof [a0] must be [eq_refl], since that is the only constructor of [eq]. Therefore, both the [match]es reduce to the point where the conclusion follows by reflexivity.
|
adamc@118
|
274 [[
|
adamc@118
|
275 destruct a0.
|
adamc@118
|
276 ]]
|
adamc@118
|
277
|
adam@364
|
278 <<
|
adam@364
|
279 User error: Cannot solve a second-order unification problem
|
adam@364
|
280 >>
|
adam@364
|
281
|
adamc@118
|
282 This is one of Coq's standard error messages for informing us that its heuristics for attempting an instance of an undecidable problem about dependent typing have failed. We might try to nudge things in the right direction by stating the lemma that we believe makes the conclusion trivial.
|
adamc@118
|
283 [[
|
adam@426
|
284 assert (a0 = eq_refl _).
|
adam@364
|
285 ]]
|
adamc@118
|
286
|
adam@364
|
287 <<
|
adam@426
|
288 The term "eq_refl ?98" has type "?98 = ?98"
|
adamc@118
|
289 while it is expected to have type "a = elm"
|
adam@364
|
290 >>
|
adamc@118
|
291
|
adamc@118
|
292 In retrospect, the problem is not so hard to see. Reflexivity proofs only show [x = x] for particular values of [x], whereas here we are thinking in terms of a proof of [a = elm], where the two sides of the equality are not equal syntactically. Thus, the essential lemma we need does not even type-check!
|
adamc@118
|
293
|
adam@427
|
294 Is it time to throw in the towel? Luckily, the answer is "no." In this chapter, we will see several useful patterns for proving obligations like this.
|
adamc@118
|
295
|
adam@407
|
296 For this particular example, the solution is surprisingly straightforward. The [destruct] tactic has a simpler sibling [case] which should behave identically for any inductive type with one constructor of no arguments.
|
adam@297
|
297 [[
|
adamc@118
|
298 case a0.
|
adam@297
|
299
|
adamc@118
|
300 ============================
|
adamc@118
|
301 f a1 = f a1
|
adamc@118
|
302 ]]
|
adamc@118
|
303
|
adam@297
|
304 It seems that [destruct] was trying to be too smart for its own good.
|
adam@297
|
305 [[
|
adamc@118
|
306 reflexivity.
|
adam@302
|
307 ]]
|
adam@364
|
308 %\vspace{-.2in}% *)
|
adamc@118
|
309 Qed.
|
adamc@124
|
310 (* end thide *)
|
adamc@118
|
311
|
adamc@118
|
312 (** It will be helpful to examine the proof terms generated by this sort of strategy. A simpler example illustrates what is going on. *)
|
adamc@118
|
313
|
adam@426
|
314 Lemma lemma1 : forall x (pf : x = elm), O = match pf with eq_refl => O end.
|
adamc@124
|
315 (* begin thide *)
|
adamc@118
|
316 simple destruct pf; reflexivity.
|
adamc@118
|
317 Qed.
|
adamc@124
|
318 (* end thide *)
|
adamc@118
|
319
|
adam@364
|
320 (** The tactic %\index{tactics!simple destruct}%[simple destruct pf] is a convenient form for applying [case]. It runs [intro] to bring into scope all quantified variables up to its argument. *)
|
adamc@118
|
321
|
adamc@118
|
322 Print lemma1.
|
adamc@218
|
323 (** %\vspace{-.15in}% [[
|
adamc@118
|
324 lemma1 =
|
adamc@118
|
325 fun (x : A) (pf : x = elm) =>
|
adamc@118
|
326 match pf as e in (_ = y) return (0 = match e with
|
adam@426
|
327 | eq_refl => 0
|
adamc@118
|
328 end) with
|
adam@426
|
329 | eq_refl => eq_refl 0
|
adamc@118
|
330 end
|
adamc@118
|
331 : forall (x : A) (pf : x = elm), 0 = match pf with
|
adam@426
|
332 | eq_refl => 0
|
adamc@118
|
333 end
|
adamc@218
|
334
|
adamc@118
|
335 ]]
|
adamc@118
|
336
|
adamc@118
|
337 Using what we know about shorthands for [match] annotations, we can write this proof in shorter form manually. *)
|
adamc@118
|
338
|
adamc@124
|
339 (* begin thide *)
|
adamc@118
|
340 Definition lemma1' :=
|
adamc@118
|
341 fun (x : A) (pf : x = elm) =>
|
adamc@118
|
342 match pf return (0 = match pf with
|
adam@426
|
343 | eq_refl => 0
|
adamc@118
|
344 end) with
|
adam@426
|
345 | eq_refl => eq_refl 0
|
adamc@118
|
346 end.
|
adamc@124
|
347 (* end thide *)
|
adamc@118
|
348
|
adam@398
|
349 (** Surprisingly, what seems at first like a _simpler_ lemma is harder to prove. *)
|
adamc@118
|
350
|
adam@426
|
351 Lemma lemma2 : forall (x : A) (pf : x = x), O = match pf with eq_refl => O end.
|
adamc@124
|
352 (* begin thide *)
|
adam@364
|
353 (** %\vspace{-.25in}%[[
|
adamc@118
|
354 simple destruct pf.
|
adam@364
|
355 ]]
|
adamc@205
|
356
|
adam@364
|
357 <<
|
adamc@118
|
358 User error: Cannot solve a second-order unification problem
|
adam@364
|
359 >>
|
adam@302
|
360 *)
|
adamc@118
|
361 Abort.
|
adamc@118
|
362
|
adamc@118
|
363 (** Nonetheless, we can adapt the last manual proof to handle this theorem. *)
|
adamc@118
|
364
|
adamc@124
|
365 (* begin thide *)
|
adamc@124
|
366 Definition lemma2 :=
|
adamc@118
|
367 fun (x : A) (pf : x = x) =>
|
adamc@118
|
368 match pf return (0 = match pf with
|
adam@426
|
369 | eq_refl => 0
|
adamc@118
|
370 end) with
|
adam@426
|
371 | eq_refl => eq_refl 0
|
adamc@118
|
372 end.
|
adamc@124
|
373 (* end thide *)
|
adamc@118
|
374
|
adamc@118
|
375 (** We can try to prove a lemma that would simplify proofs of many facts like [lemma2]: *)
|
adamc@118
|
376
|
adam@427
|
377 (* begin hide *)
|
adam@437
|
378 (* begin thide *)
|
adam@427
|
379 Definition lemma3' := O.
|
adam@437
|
380 (* end thide *)
|
adam@427
|
381 (* end hide *)
|
adam@427
|
382
|
adam@426
|
383 Lemma lemma3 : forall (x : A) (pf : x = x), pf = eq_refl x.
|
adamc@124
|
384 (* begin thide *)
|
adam@364
|
385 (** %\vspace{-.25in}%[[
|
adamc@118
|
386 simple destruct pf.
|
adam@364
|
387 ]]
|
adamc@205
|
388
|
adam@364
|
389 <<
|
adamc@118
|
390 User error: Cannot solve a second-order unification problem
|
adam@364
|
391 >>
|
adam@364
|
392 %\vspace{-.15in}%*)
|
adamc@218
|
393
|
adamc@118
|
394 Abort.
|
adamc@118
|
395
|
adamc@118
|
396 (** This time, even our manual attempt fails.
|
adamc@118
|
397 [[
|
adamc@118
|
398 Definition lemma3' :=
|
adamc@118
|
399 fun (x : A) (pf : x = x) =>
|
adam@426
|
400 match pf as pf' in (_ = x') return (pf' = eq_refl x') with
|
adam@426
|
401 | eq_refl => eq_refl _
|
adamc@118
|
402 end.
|
adam@364
|
403 ]]
|
adamc@118
|
404
|
adam@364
|
405 <<
|
adam@426
|
406 The term "eq_refl x'" has type "x' = x'" while it is expected to have type
|
adamc@118
|
407 "x = x'"
|
adam@364
|
408 >>
|
adamc@118
|
409
|
adam@427
|
410 The type error comes from our [return] annotation. In that annotation, the [as]-bound variable [pf'] has type [x = x'], referring to the [in]-bound variable [x']. To do a dependent [match], we _must_ choose a fresh name for the second argument of [eq]. We are just as constrained to use the "real" value [x] for the first argument. Thus, within the [return] clause, the proof we are matching on _must_ equate two non-matching terms, which makes it impossible to equate that proof with reflexivity.
|
adamc@118
|
411
|
adam@398
|
412 Nonetheless, it turns out that, with one catch, we _can_ prove this lemma. *)
|
adamc@118
|
413
|
adam@426
|
414 Lemma lemma3 : forall (x : A) (pf : x = x), pf = eq_refl x.
|
adamc@118
|
415 intros; apply UIP_refl.
|
adamc@118
|
416 Qed.
|
adamc@118
|
417
|
adamc@118
|
418 Check UIP_refl.
|
adamc@218
|
419 (** %\vspace{-.15in}% [[
|
adamc@118
|
420 UIP_refl
|
adam@426
|
421 : forall (U : Type) (x : U) (p : x = x), p = eq_refl x
|
adamc@118
|
422 ]]
|
adamc@118
|
423
|
adam@436
|
424 The theorem %\index{Gallina terms!UIP\_refl}%[UIP_refl] comes from the [Eqdep] module of the standard library. Do the Coq authors know of some clever trick for building such proofs that we have not seen yet? If they do, they did not use it for this proof. Rather, the proof is based on an _axiom_, the term [eq_rect_eq] below. *)
|
adam@427
|
425
|
adam@436
|
426 (* begin hide *)
|
adam@436
|
427 Import Eq_rect_eq.
|
adam@436
|
428 (* end hide *)
|
adamc@118
|
429 Print eq_rect_eq.
|
adamc@218
|
430 (** %\vspace{-.15in}% [[
|
adam@436
|
431 *** [ eq_rect_eq :
|
adam@436
|
432 forall (U : Type) (p : U) (Q : U -> Type) (x : Q p) (h : p = p),
|
adam@436
|
433 x = eq_rect p Q x p h ]
|
adamc@118
|
434 ]]
|
adamc@118
|
435
|
adam@427
|
436 The axiom %\index{Gallina terms!eq\_rect\_eq}%[eq_rect_eq] states a "fact" that seems like common sense, once the notation is deciphered. The term [eq_rect] is the automatically generated recursion principle for [eq]. Calling [eq_rect] is another way of [match]ing on an equality proof. The proof we match on is the argument [h], and [x] is the body of the [match]. The statement of [eq_rect_eq] just says that [match]es on proofs of [p = p], for any [p], are superfluous and may be removed. We can see this intuition better in code by asking Coq to simplify the theorem statement with the [compute] reduction strategy (which, by the way, applies all applicable rules of the definitional equality presented in this chapter's first section). *)
|
adam@427
|
437
|
adam@427
|
438 (* begin hide *)
|
adam@437
|
439 (* begin thide *)
|
adam@427
|
440 Definition False' := False.
|
adam@437
|
441 (* end thide *)
|
adam@427
|
442 (* end hide *)
|
adamc@118
|
443
|
adam@364
|
444 Eval compute in (forall (U : Type) (p : U) (Q : U -> Type) (x : Q p) (h : p = p),
|
adam@364
|
445 x = eq_rect p Q x p h).
|
adam@364
|
446 (** %\vspace{-.15in}%[[
|
adam@364
|
447 = forall (U : Type) (p : U) (Q : U -> Type) (x : Q p) (h : p = p),
|
adam@364
|
448 x = match h in (_ = y) return (Q y) with
|
adam@364
|
449 | eq_refl => x
|
adam@364
|
450 end
|
adam@364
|
451 ]]
|
adam@364
|
452
|
adam@427
|
453 Perhaps surprisingly, we cannot prove [eq_rect_eq] from within Coq. This proposition is introduced as an %\index{axioms}%axiom; that is, a proposition asserted as true without proof. We cannot assert just any statement without proof. Adding [False] as an axiom would allow us to prove any proposition, for instance, defeating the point of using a proof assistant. In general, we need to be sure that we never assert _inconsistent_ sets of axioms. A set of axioms is inconsistent if its conjunction implies [False]. For the case of [eq_rect_eq], consistency has been verified outside of Coq via "informal" metatheory%~\cite{AxiomK}%, in a study that also established unprovability of the axiom in CIC.
|
adamc@118
|
454
|
adamc@118
|
455 This axiom is equivalent to another that is more commonly known and mentioned in type theory circles. *)
|
adamc@118
|
456
|
adam@427
|
457 (* begin hide *)
|
adam@437
|
458 (* begin thide *)
|
adam@437
|
459 Definition Streicher_K' := UIP_refl__Streicher_K.
|
adam@437
|
460 (* end thide *)
|
adam@427
|
461 (* end hide *)
|
adam@427
|
462
|
adamc@118
|
463 Print Streicher_K.
|
adamc@124
|
464 (* end thide *)
|
adamc@218
|
465 (** %\vspace{-.15in}% [[
|
adamc@118
|
466 Streicher_K =
|
adamc@118
|
467 fun U : Type => UIP_refl__Streicher_K U (UIP_refl U)
|
adamc@118
|
468 : forall (U : Type) (x : U) (P : x = x -> Prop),
|
adam@426
|
469 P (eq_refl x) -> forall p : x = x, P p
|
adamc@118
|
470 ]]
|
adamc@118
|
471
|
adam@427
|
472 This is the unfortunately named %\index{axiom K}%"Streicher's axiom K," which says that a predicate on properly typed equality proofs holds of all such proofs if it holds of reflexivity. *)
|
adamc@118
|
473
|
adamc@118
|
474 End fhlist_map.
|
adamc@118
|
475
|
adam@436
|
476 (* begin hide *)
|
adam@437
|
477 (* begin thide *)
|
adam@436
|
478 Require Eqdep_dec.
|
adam@437
|
479 (* end thide *)
|
adam@436
|
480 (* end hide *)
|
adam@436
|
481
|
adam@364
|
482 (** It is worth remarking that it is possible to avoid axioms altogether for equalities on types with decidable equality. The [Eqdep_dec] module of the standard library contains a parametric proof of [UIP_refl] for such cases. To simplify presentation, we will stick with the axiom version in the rest of this chapter. *)
|
adam@364
|
483
|
adamc@119
|
484
|
adamc@119
|
485 (** * Type-Casts in Theorem Statements *)
|
adamc@119
|
486
|
adamc@119
|
487 (** Sometimes we need to use tricks with equality just to state the theorems that we care about. To illustrate, we start by defining a concatenation function for [fhlist]s. *)
|
adamc@119
|
488
|
adamc@119
|
489 Section fhapp.
|
adamc@119
|
490 Variable A : Type.
|
adamc@119
|
491 Variable B : A -> Type.
|
adamc@119
|
492
|
adamc@218
|
493 Fixpoint fhapp (ls1 ls2 : list A)
|
adamc@119
|
494 : fhlist B ls1 -> fhlist B ls2 -> fhlist B (ls1 ++ ls2) :=
|
adamc@218
|
495 match ls1 with
|
adamc@119
|
496 | nil => fun _ hls2 => hls2
|
adamc@119
|
497 | _ :: _ => fun hls1 hls2 => (fst hls1, fhapp _ _ (snd hls1) hls2)
|
adamc@119
|
498 end.
|
adamc@119
|
499
|
adamc@119
|
500 Implicit Arguments fhapp [ls1 ls2].
|
adamc@119
|
501
|
adamc@124
|
502 (* EX: Prove that fhapp is associative. *)
|
adamc@124
|
503 (* begin thide *)
|
adamc@124
|
504
|
adamc@119
|
505 (** We might like to prove that [fhapp] is associative.
|
adamc@119
|
506 [[
|
adamc@119
|
507 Theorem fhapp_ass : forall ls1 ls2 ls3
|
adamc@119
|
508 (hls1 : fhlist B ls1) (hls2 : fhlist B ls2) (hls3 : fhlist B ls3),
|
adamc@119
|
509 fhapp hls1 (fhapp hls2 hls3) = fhapp (fhapp hls1 hls2) hls3.
|
adam@364
|
510 ]]
|
adamc@119
|
511
|
adam@364
|
512 <<
|
adamc@119
|
513 The term
|
adamc@119
|
514 "fhapp (ls1:=ls1 ++ ls2) (ls2:=ls3) (fhapp (ls1:=ls1) (ls2:=ls2) hls1 hls2)
|
adamc@119
|
515 hls3" has type "fhlist B ((ls1 ++ ls2) ++ ls3)"
|
adamc@119
|
516 while it is expected to have type "fhlist B (ls1 ++ ls2 ++ ls3)"
|
adam@364
|
517 >>
|
adamc@119
|
518
|
adam@407
|
519 This first cut at the theorem statement does not even type-check. We know that the two [fhlist] types appearing in the error message are always equal, by associativity of normal list append, but this fact is not apparent to the type checker. This stems from the fact that Coq's equality is%\index{intensional type theory}% _intensional_, in the sense that type equality theorems can never be applied after the fact to get a term to type-check. Instead, we need to make use of equality explicitly in the theorem statement. *)
|
adamc@119
|
520
|
adamc@119
|
521 Theorem fhapp_ass : forall ls1 ls2 ls3
|
adamc@119
|
522 (pf : (ls1 ++ ls2) ++ ls3 = ls1 ++ (ls2 ++ ls3))
|
adamc@119
|
523 (hls1 : fhlist B ls1) (hls2 : fhlist B ls2) (hls3 : fhlist B ls3),
|
adamc@119
|
524 fhapp hls1 (fhapp hls2 hls3)
|
adamc@119
|
525 = match pf in (_ = ls) return fhlist _ ls with
|
adam@426
|
526 | eq_refl => fhapp (fhapp hls1 hls2) hls3
|
adamc@119
|
527 end.
|
adamc@119
|
528 induction ls1; crush.
|
adamc@119
|
529
|
adamc@119
|
530 (** The first remaining subgoal looks trivial enough:
|
adamc@119
|
531 [[
|
adamc@119
|
532 ============================
|
adamc@119
|
533 fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3 =
|
adamc@119
|
534 match pf in (_ = ls) return (fhlist B ls) with
|
adam@426
|
535 | eq_refl => fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3
|
adamc@119
|
536 end
|
adamc@119
|
537 ]]
|
adamc@119
|
538
|
adamc@119
|
539 We can try what worked in previous examples.
|
adamc@119
|
540 [[
|
adamc@119
|
541 case pf.
|
adam@364
|
542 ]]
|
adamc@119
|
543
|
adam@364
|
544 <<
|
adamc@119
|
545 User error: Cannot solve a second-order unification problem
|
adam@364
|
546 >>
|
adamc@119
|
547
|
adamc@119
|
548 It seems we have reached another case where it is unclear how to use a dependent [match] to implement case analysis on our proof. The [UIP_refl] theorem can come to our rescue again. *)
|
adamc@119
|
549
|
adamc@119
|
550 rewrite (UIP_refl _ _ pf).
|
adamc@119
|
551 (** [[
|
adamc@119
|
552 ============================
|
adamc@119
|
553 fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3 =
|
adamc@119
|
554 fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3
|
adam@302
|
555 ]]
|
adam@302
|
556 *)
|
adamc@119
|
557
|
adamc@119
|
558 reflexivity.
|
adamc@119
|
559
|
adamc@119
|
560 (** Our second subgoal is trickier.
|
adamc@119
|
561 [[
|
adamc@119
|
562 pf : a :: (ls1 ++ ls2) ++ ls3 = a :: ls1 ++ ls2 ++ ls3
|
adamc@119
|
563 ============================
|
adamc@119
|
564 (a0,
|
adamc@119
|
565 fhapp (ls1:=ls1) (ls2:=ls2 ++ ls3) b
|
adamc@119
|
566 (fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3)) =
|
adamc@119
|
567 match pf in (_ = ls) return (fhlist B ls) with
|
adam@426
|
568 | eq_refl =>
|
adamc@119
|
569 (a0,
|
adamc@119
|
570 fhapp (ls1:=ls1 ++ ls2) (ls2:=ls3)
|
adamc@119
|
571 (fhapp (ls1:=ls1) (ls2:=ls2) b hls2) hls3)
|
adamc@119
|
572 end
|
adamc@119
|
573
|
adamc@119
|
574 rewrite (UIP_refl _ _ pf).
|
adam@364
|
575 ]]
|
adamc@119
|
576
|
adam@364
|
577 <<
|
adamc@119
|
578 The term "pf" has type "a :: (ls1 ++ ls2) ++ ls3 = a :: ls1 ++ ls2 ++ ls3"
|
adamc@119
|
579 while it is expected to have type "?556 = ?556"
|
adam@364
|
580 >>
|
adamc@119
|
581
|
adamc@119
|
582 We can only apply [UIP_refl] on proofs of equality with syntactically equal operands, which is not the case of [pf] here. We will need to manipulate the form of this subgoal to get us to a point where we may use [UIP_refl]. A first step is obtaining a proof suitable to use in applying the induction hypothesis. Inversion on the structure of [pf] is sufficient for that. *)
|
adamc@119
|
583
|
adamc@119
|
584 injection pf; intro pf'.
|
adamc@119
|
585 (** [[
|
adamc@119
|
586 pf : a :: (ls1 ++ ls2) ++ ls3 = a :: ls1 ++ ls2 ++ ls3
|
adamc@119
|
587 pf' : (ls1 ++ ls2) ++ ls3 = ls1 ++ ls2 ++ ls3
|
adamc@119
|
588 ============================
|
adamc@119
|
589 (a0,
|
adamc@119
|
590 fhapp (ls1:=ls1) (ls2:=ls2 ++ ls3) b
|
adamc@119
|
591 (fhapp (ls1:=ls2) (ls2:=ls3) hls2 hls3)) =
|
adamc@119
|
592 match pf in (_ = ls) return (fhlist B ls) with
|
adam@426
|
593 | eq_refl =>
|
adamc@119
|
594 (a0,
|
adamc@119
|
595 fhapp (ls1:=ls1 ++ ls2) (ls2:=ls3)
|
adamc@119
|
596 (fhapp (ls1:=ls1) (ls2:=ls2) b hls2) hls3)
|
adamc@119
|
597 end
|
adamc@119
|
598 ]]
|
adamc@119
|
599
|
adamc@119
|
600 Now we can rewrite using the inductive hypothesis. *)
|
adamc@119
|
601
|
adamc@119
|
602 rewrite (IHls1 _ _ pf').
|
adamc@119
|
603 (** [[
|
adamc@119
|
604 ============================
|
adamc@119
|
605 (a0,
|
adamc@119
|
606 match pf' in (_ = ls) return (fhlist B ls) with
|
adam@426
|
607 | eq_refl =>
|
adamc@119
|
608 fhapp (ls1:=ls1 ++ ls2) (ls2:=ls3)
|
adamc@119
|
609 (fhapp (ls1:=ls1) (ls2:=ls2) b hls2) hls3
|
adamc@119
|
610 end) =
|
adamc@119
|
611 match pf in (_ = ls) return (fhlist B ls) with
|
adam@426
|
612 | eq_refl =>
|
adamc@119
|
613 (a0,
|
adamc@119
|
614 fhapp (ls1:=ls1 ++ ls2) (ls2:=ls3)
|
adamc@119
|
615 (fhapp (ls1:=ls1) (ls2:=ls2) b hls2) hls3)
|
adamc@119
|
616 end
|
adamc@119
|
617 ]]
|
adamc@119
|
618
|
adam@398
|
619 We have made an important bit of progress, as now only a single call to [fhapp] appears in the conclusion, repeated twice. Trying case analysis on our proofs still will not work, but there is a move we can make to enable it. Not only does just one call to [fhapp] matter to us now, but it also _does not matter what the result of the call is_. In other words, the subgoal should remain true if we replace this [fhapp] call with a fresh variable. The %\index{tactics!generalize}%[generalize] tactic helps us do exactly that. *)
|
adamc@119
|
620
|
adamc@119
|
621 generalize (fhapp (fhapp b hls2) hls3).
|
adamc@119
|
622 (** [[
|
adamc@119
|
623 forall f : fhlist B ((ls1 ++ ls2) ++ ls3),
|
adamc@119
|
624 (a0,
|
adamc@119
|
625 match pf' in (_ = ls) return (fhlist B ls) with
|
adam@426
|
626 | eq_refl => f
|
adamc@119
|
627 end) =
|
adamc@119
|
628 match pf in (_ = ls) return (fhlist B ls) with
|
adam@426
|
629 | eq_refl => (a0, f)
|
adamc@119
|
630 end
|
adamc@119
|
631 ]]
|
adamc@119
|
632
|
adamc@119
|
633 The conclusion has gotten markedly simpler. It seems counterintuitive that we can have an easier time of proving a more general theorem, but that is exactly the case here and for many other proofs that use dependent types heavily. Speaking informally, the reason why this kind of activity helps is that [match] annotations only support variables in certain positions. By reducing more elements of a goal to variables, built-in tactics can have more success building [match] terms under the hood.
|
adamc@119
|
634
|
adamc@119
|
635 In this case, it is helpful to generalize over our two proofs as well. *)
|
adamc@119
|
636
|
adamc@119
|
637 generalize pf pf'.
|
adamc@119
|
638 (** [[
|
adamc@119
|
639 forall (pf0 : a :: (ls1 ++ ls2) ++ ls3 = a :: ls1 ++ ls2 ++ ls3)
|
adamc@119
|
640 (pf'0 : (ls1 ++ ls2) ++ ls3 = ls1 ++ ls2 ++ ls3)
|
adamc@119
|
641 (f : fhlist B ((ls1 ++ ls2) ++ ls3)),
|
adamc@119
|
642 (a0,
|
adamc@119
|
643 match pf'0 in (_ = ls) return (fhlist B ls) with
|
adam@426
|
644 | eq_refl => f
|
adamc@119
|
645 end) =
|
adamc@119
|
646 match pf0 in (_ = ls) return (fhlist B ls) with
|
adam@426
|
647 | eq_refl => (a0, f)
|
adamc@119
|
648 end
|
adamc@119
|
649 ]]
|
adamc@119
|
650
|
adamc@119
|
651 To an experienced dependent types hacker, the appearance of this goal term calls for a celebration. The formula has a critical property that indicates that our problems are over. To get our proofs into the right form to apply [UIP_refl], we need to use associativity of list append to rewrite their types. We could not do that before because other parts of the goal require the proofs to retain their original types. In particular, the call to [fhapp] that we generalized must have type [(ls1 ++ ls2) ++ ls3], for some values of the list variables. If we rewrite the type of the proof used to type-cast this value to something like [ls1 ++ ls2 ++ ls3 = ls1 ++ ls2 ++ ls3], then the lefthand side of the equality would no longer match the type of the term we are trying to cast.
|
adamc@119
|
652
|
adam@398
|
653 However, now that we have generalized over the [fhapp] call, the type of the term being type-cast appears explicitly in the goal and _may be rewritten as well_. In particular, the final masterstroke is rewriting everywhere in our goal using associativity of list append. *)
|
adamc@119
|
654
|
adamc@119
|
655 rewrite app_ass.
|
adamc@119
|
656 (** [[
|
adamc@119
|
657 ============================
|
adamc@119
|
658 forall (pf0 : a :: ls1 ++ ls2 ++ ls3 = a :: ls1 ++ ls2 ++ ls3)
|
adamc@119
|
659 (pf'0 : ls1 ++ ls2 ++ ls3 = ls1 ++ ls2 ++ ls3)
|
adamc@119
|
660 (f : fhlist B (ls1 ++ ls2 ++ ls3)),
|
adamc@119
|
661 (a0,
|
adamc@119
|
662 match pf'0 in (_ = ls) return (fhlist B ls) with
|
adam@426
|
663 | eq_refl => f
|
adamc@119
|
664 end) =
|
adamc@119
|
665 match pf0 in (_ = ls) return (fhlist B ls) with
|
adam@426
|
666 | eq_refl => (a0, f)
|
adamc@119
|
667 end
|
adamc@119
|
668 ]]
|
adamc@119
|
669
|
adamc@119
|
670 We can see that we have achieved the crucial property: the type of each generalized equality proof has syntactically equal operands. This makes it easy to finish the proof with [UIP_refl]. *)
|
adamc@119
|
671
|
adamc@119
|
672 intros.
|
adamc@119
|
673 rewrite (UIP_refl _ _ pf0).
|
adamc@119
|
674 rewrite (UIP_refl _ _ pf'0).
|
adamc@119
|
675 reflexivity.
|
adamc@119
|
676 Qed.
|
adamc@124
|
677 (* end thide *)
|
adamc@119
|
678 End fhapp.
|
adamc@120
|
679
|
adamc@120
|
680 Implicit Arguments fhapp [A B ls1 ls2].
|
adamc@120
|
681
|
adam@364
|
682 (** This proof strategy was cumbersome and unorthodox, from the perspective of mainstream mathematics. The next section explores an alternative that leads to simpler developments in some cases. *)
|
adam@364
|
683
|
adamc@120
|
684
|
adamc@120
|
685 (** * Heterogeneous Equality *)
|
adamc@120
|
686
|
adam@407
|
687 (** There is another equality predicate, defined in the %\index{Gallina terms!JMeq}%[JMeq] module of the standard library, implementing%\index{heterogeneous equality}% _heterogeneous equality_. *)
|
adamc@120
|
688
|
adamc@120
|
689 Print JMeq.
|
adamc@218
|
690 (** %\vspace{-.15in}% [[
|
adamc@120
|
691 Inductive JMeq (A : Type) (x : A) : forall B : Type, B -> Prop :=
|
adamc@120
|
692 JMeq_refl : JMeq x x
|
adamc@120
|
693 ]]
|
adamc@120
|
694
|
adam@427
|
695 The identity [JMeq] stands for %\index{John Major equality}%"John Major equality," a name coined by Conor McBride%~\cite{JMeq}% as a sort of pun about British politics. The definition [JMeq] starts out looking a lot like the definition of [eq]. The crucial difference is that we may use [JMeq] _on arguments of different types_. For instance, a lemma that we failed to establish before is trivial with [JMeq]. It makes for prettier theorem statements to define some syntactic shorthand first. *)
|
adamc@120
|
696
|
adamc@120
|
697 Infix "==" := JMeq (at level 70, no associativity).
|
adamc@120
|
698
|
adam@426
|
699 (* EX: Prove UIP_refl' : forall (A : Type) (x : A) (pf : x = x), pf == eq_refl x *)
|
adamc@124
|
700 (* begin thide *)
|
adam@426
|
701 Definition UIP_refl' (A : Type) (x : A) (pf : x = x) : pf == eq_refl x :=
|
adam@426
|
702 match pf return (pf == eq_refl _) with
|
adam@426
|
703 | eq_refl => JMeq_refl _
|
adamc@120
|
704 end.
|
adamc@124
|
705 (* end thide *)
|
adamc@120
|
706
|
adamc@120
|
707 (** There is no quick way to write such a proof by tactics, but the underlying proof term that we want is trivial.
|
adamc@120
|
708
|
adamc@271
|
709 Suppose that we want to use [UIP_refl'] to establish another lemma of the kind we have run into several times so far. *)
|
adamc@120
|
710
|
adamc@120
|
711 Lemma lemma4 : forall (A : Type) (x : A) (pf : x = x),
|
adam@426
|
712 O = match pf with eq_refl => O end.
|
adamc@124
|
713 (* begin thide *)
|
adamc@121
|
714 intros; rewrite (UIP_refl' pf); reflexivity.
|
adamc@120
|
715 Qed.
|
adamc@124
|
716 (* end thide *)
|
adamc@120
|
717
|
adamc@120
|
718 (** All in all, refreshingly straightforward, but there really is no such thing as a free lunch. The use of [rewrite] is implemented in terms of an axiom: *)
|
adamc@120
|
719
|
adamc@120
|
720 Check JMeq_eq.
|
adamc@218
|
721 (** %\vspace{-.15in}% [[
|
adamc@120
|
722 JMeq_eq
|
adamc@120
|
723 : forall (A : Type) (x y : A), x == y -> x = y
|
adamc@218
|
724 ]]
|
adamc@120
|
725
|
adamc@218
|
726 It may be surprising that we cannot prove that heterogeneous equality implies normal equality. The difficulties are the same kind we have seen so far, based on limitations of [match] annotations.
|
adamc@120
|
727
|
adamc@120
|
728 We can redo our [fhapp] associativity proof based around [JMeq]. *)
|
adamc@120
|
729
|
adamc@120
|
730 Section fhapp'.
|
adamc@120
|
731 Variable A : Type.
|
adamc@120
|
732 Variable B : A -> Type.
|
adamc@120
|
733
|
adamc@120
|
734 (** This time, the naive theorem statement type-checks. *)
|
adamc@120
|
735
|
adamc@124
|
736 (* EX: Prove [fhapp] associativity using [JMeq]. *)
|
adamc@124
|
737
|
adamc@124
|
738 (* begin thide *)
|
adam@364
|
739 Theorem fhapp_ass' : forall ls1 ls2 ls3 (hls1 : fhlist B ls1) (hls2 : fhlist B ls2)
|
adam@364
|
740 (hls3 : fhlist B ls3),
|
adamc@120
|
741 fhapp hls1 (fhapp hls2 hls3) == fhapp (fhapp hls1 hls2) hls3.
|
adamc@120
|
742 induction ls1; crush.
|
adamc@120
|
743
|
adamc@120
|
744 (** Even better, [crush] discharges the first subgoal automatically. The second subgoal is:
|
adamc@120
|
745 [[
|
adamc@120
|
746 ============================
|
adam@297
|
747 (a0, fhapp b (fhapp hls2 hls3)) == (a0, fhapp (fhapp b hls2) hls3)
|
adamc@120
|
748 ]]
|
adamc@120
|
749
|
adam@297
|
750 It looks like one rewrite with the inductive hypothesis should be enough to make the goal trivial. Here is what happens when we try that in Coq 8.2:
|
adamc@120
|
751 [[
|
adamc@120
|
752 rewrite IHls1.
|
adam@364
|
753 ]]
|
adamc@120
|
754
|
adam@364
|
755 <<
|
adamc@120
|
756 Error: Impossible to unify "fhlist B ((ls1 ++ ?1572) ++ ?1573)" with
|
adamc@120
|
757 "fhlist B (ls1 ++ ?1572 ++ ?1573)"
|
adam@364
|
758 >>
|
adamc@120
|
759
|
adam@407
|
760 Coq 8.4 currently gives an error message about an uncaught exception. Perhaps that will be fixed soon. In any case, it is educational to consider a more explicit approach.
|
adam@297
|
761
|
adamc@120
|
762 We see that [JMeq] is not a silver bullet. We can use it to simplify the statements of equality facts, but the Coq type-checker uses non-trivial heterogeneous equality facts no more readily than it uses standard equality facts. Here, the problem is that the form [(e1, e2)] is syntactic sugar for an explicit application of a constructor of an inductive type. That application mentions the type of each tuple element explicitly, and our [rewrite] tries to change one of those elements without updating the corresponding type argument.
|
adamc@120
|
763
|
adamc@120
|
764 We can get around this problem by another multiple use of [generalize]. We want to bring into the goal the proper instance of the inductive hypothesis, and we also want to generalize the two relevant uses of [fhapp]. *)
|
adamc@120
|
765
|
adamc@120
|
766 generalize (fhapp b (fhapp hls2 hls3))
|
adamc@120
|
767 (fhapp (fhapp b hls2) hls3)
|
adamc@120
|
768 (IHls1 _ _ b hls2 hls3).
|
adam@364
|
769 (** %\vspace{-.15in}%[[
|
adamc@120
|
770 ============================
|
adamc@120
|
771 forall (f : fhlist B (ls1 ++ ls2 ++ ls3))
|
adamc@120
|
772 (f0 : fhlist B ((ls1 ++ ls2) ++ ls3)), f == f0 -> (a0, f) == (a0, f0)
|
adamc@120
|
773 ]]
|
adamc@120
|
774
|
adamc@120
|
775 Now we can rewrite with append associativity, as before. *)
|
adamc@120
|
776
|
adamc@120
|
777 rewrite app_ass.
|
adam@364
|
778 (** %\vspace{-.15in}%[[
|
adamc@120
|
779 ============================
|
adamc@120
|
780 forall f f0 : fhlist B (ls1 ++ ls2 ++ ls3), f == f0 -> (a0, f) == (a0, f0)
|
adamc@120
|
781 ]]
|
adamc@120
|
782
|
adamc@120
|
783 From this point, the goal is trivial. *)
|
adamc@120
|
784
|
adamc@120
|
785 intros f f0 H; rewrite H; reflexivity.
|
adamc@120
|
786 Qed.
|
adamc@124
|
787 (* end thide *)
|
adamc@121
|
788
|
adam@385
|
789 End fhapp'.
|
adam@385
|
790
|
adam@385
|
791 (** This example illustrates a general pattern: heterogeneous equality often simplifies theorem statements, but we still need to do some work to line up some dependent pattern matches that tactics will generate for us.
|
adam@385
|
792
|
adam@385
|
793 The proof we have found relies on the [JMeq_eq] axiom, which we can verify with a command%\index{Vernacular commands!Print Assumptions}% that we will discuss more in two chapters. *)
|
adam@385
|
794
|
adam@385
|
795 Print Assumptions fhapp_ass'.
|
adam@385
|
796 (** %\vspace{-.15in}%[[
|
adam@385
|
797 Axioms:
|
adam@385
|
798 JMeq_eq : forall (A : Type) (x y : A), x == y -> x = y
|
adam@385
|
799 ]]
|
adam@385
|
800
|
adam@385
|
801 It was the [rewrite H] tactic that implicitly appealed to the axiom. By restructuring the proof, we can avoid axiom dependence. A general lemma about pairs provides the key element. (Our use of [generalize] above can be thought of as reducing the proof to another, more complex and specialized lemma.) *)
|
adam@385
|
802
|
adam@385
|
803 Lemma pair_cong : forall A1 A2 B1 B2 (x1 : A1) (x2 : A2) (y1 : B1) (y2 : B2),
|
adam@385
|
804 x1 == x2
|
adam@385
|
805 -> y1 == y2
|
adam@385
|
806 -> (x1, y1) == (x2, y2).
|
adam@385
|
807 intros until y2; intros Hx Hy; rewrite Hx; rewrite Hy; reflexivity.
|
adam@385
|
808 Qed.
|
adam@385
|
809
|
adam@385
|
810 Hint Resolve pair_cong.
|
adam@385
|
811
|
adam@385
|
812 Section fhapp''.
|
adam@385
|
813 Variable A : Type.
|
adam@385
|
814 Variable B : A -> Type.
|
adam@385
|
815
|
adam@385
|
816 Theorem fhapp_ass'' : forall ls1 ls2 ls3 (hls1 : fhlist B ls1) (hls2 : fhlist B ls2)
|
adam@385
|
817 (hls3 : fhlist B ls3),
|
adam@385
|
818 fhapp hls1 (fhapp hls2 hls3) == fhapp (fhapp hls1 hls2) hls3.
|
adam@385
|
819 induction ls1; crush.
|
adam@385
|
820 Qed.
|
adam@385
|
821 End fhapp''.
|
adam@385
|
822
|
adam@385
|
823 Print Assumptions fhapp_ass''.
|
adam@385
|
824 (** <<
|
adam@385
|
825 Closed under the global context
|
adam@385
|
826 >>
|
adam@385
|
827
|
adam@385
|
828 One might wonder exactly which elements of a proof involving [JMeq] imply that [JMeq_eq] must be used. For instance, above we noticed that [rewrite] had brought [JMeq_eq] into the proof of [fhap_ass'], yet here we have also used [rewrite] with [JMeq] hypotheses while avoiding axioms! One illuminating exercise is comparing the types of the lemmas that [rewrite] uses under the hood to implement the rewrites. Here is the normal lemma for [eq] rewriting:%\index{Gallina terms!eq\_ind\_r}% *)
|
adam@385
|
829
|
adam@385
|
830 Check eq_ind_r.
|
adam@385
|
831 (** %\vspace{-.15in}%[[
|
adam@385
|
832 eq_ind_r
|
adam@385
|
833 : forall (A : Type) (x : A) (P : A -> Prop),
|
adam@385
|
834 P x -> forall y : A, y = x -> P y
|
adam@385
|
835 ]]
|
adam@385
|
836
|
adam@398
|
837 The corresponding lemma used for [JMeq] in the proof of [pair_cong] is %\index{Gallina terms!internal\_JMeq\_rew\_r}%[internal_JMeq_rew_r], which, confusingly, is defined by [rewrite] as needed, so it is not available for checking until after we apply it. *)
|
adam@385
|
838
|
adam@398
|
839 Check internal_JMeq_rew_r.
|
adam@385
|
840 (** %\vspace{-.15in}%[[
|
adam@398
|
841 internal_JMeq_rew_r
|
adam@385
|
842 : forall (A : Type) (x : A) (B : Type) (b : B)
|
adam@385
|
843 (P : forall B0 : Type, B0 -> Type), P B b -> x == b -> P A x
|
adam@385
|
844 ]]
|
adam@385
|
845
|
adam@398
|
846 The key difference is that, where the [eq] lemma is parametrized on a predicate of type [A -> Prop], the [JMeq] lemma is parameterized on a predicate of type more like [forall A : Type, A -> Prop]. To apply [eq_ind_r] with a proof of [x = y], it is only necessary to rearrange the goal into an application of a [fun] abstraction to [y]. In contrast, to apply [internal_JMeq_rew_r], it is necessary to rearrange the goal to an application of a [fun] abstraction to both [y] and _its type_. In other words, the predicate must be _polymorphic_ in [y]'s type; any type must make sense, from a type-checking standpoint. There may be cases where the former rearrangement is easy to do in a type-correct way, but the second rearrangement done naively leads to a type error.
|
adam@385
|
847
|
adam@398
|
848 When [rewrite] cannot figure out how to apply [internal_JMeq_rew_r] for [x == y] where [x] and [y] have the same type, the tactic can instead use an alternate theorem, which is easy to prove as a composition of [eq_ind_r] and [JMeq_eq]. *)
|
adam@385
|
849
|
adam@385
|
850 Check JMeq_ind_r.
|
adam@385
|
851 (** %\vspace{-.15in}%[[
|
adam@385
|
852 JMeq_ind_r
|
adam@385
|
853 : forall (A : Type) (x : A) (P : A -> Prop),
|
adam@385
|
854 P x -> forall y : A, y == x -> P y
|
adam@385
|
855 ]]
|
adam@385
|
856
|
adam@398
|
857 Ironically, where in the proof of [fhapp_ass'] we used [rewrite app_ass] to make it clear that a use of [JMeq] was actually homogeneously typed, we created a situation where [rewrite] applied the axiom-based [JMeq_ind_r] instead of the axiom-free [internal_JMeq_rew_r]!
|
adam@385
|
858
|
adam@385
|
859 For another simple example, consider this theorem that applies a heterogeneous equality to prove a congruence fact. *)
|
adam@385
|
860
|
adam@385
|
861 Theorem out_of_luck : forall n m : nat,
|
adam@385
|
862 n == m
|
adam@385
|
863 -> S n == S m.
|
adam@385
|
864 intros n m H.
|
adam@385
|
865
|
adam@385
|
866 (** Applying [JMeq_ind_r] is easy, as the %\index{tactics!pattern}%[pattern] tactic will transform the goal into an application of an appropriate [fun] to a term that we want to abstract. *)
|
adam@385
|
867
|
adam@385
|
868 pattern n.
|
adam@385
|
869 (** %\vspace{-.15in}%[[
|
adam@385
|
870 n : nat
|
adam@385
|
871 m : nat
|
adam@385
|
872 H : n == m
|
adam@385
|
873 ============================
|
adam@385
|
874 (fun n0 : nat => S n0 == S m) n
|
adam@385
|
875 ]]
|
adam@385
|
876 *)
|
adam@385
|
877 apply JMeq_ind_r with (x := m); auto.
|
adam@385
|
878
|
adam@398
|
879 (** However, we run into trouble trying to get the goal into a form compatible with [internal_JMeq_rew_r.] *)
|
adam@427
|
880
|
adam@385
|
881 Undo 2.
|
adam@385
|
882 (** %\vspace{-.15in}%[[
|
adam@385
|
883 pattern nat, n.
|
adam@385
|
884 ]]
|
adam@385
|
885 <<
|
adam@385
|
886 Error: The abstracted term "fun (P : Set) (n0 : P) => S n0 == S m"
|
adam@385
|
887 is not well typed.
|
adam@385
|
888 Illegal application (Type Error):
|
adam@385
|
889 The term "S" of type "nat -> nat"
|
adam@385
|
890 cannot be applied to the term
|
adam@385
|
891 "n0" : "P"
|
adam@385
|
892 This term has type "P" which should be coercible to
|
adam@385
|
893 "nat".
|
adam@385
|
894 >>
|
adam@385
|
895
|
adam@385
|
896 In other words, the successor function [S] is insufficiently polymorphic. If we try to generalize over the type of [n], we find that [S] is no longer legal to apply to [n]. *)
|
adam@385
|
897
|
adam@385
|
898 Abort.
|
adam@385
|
899
|
adam@427
|
900 (** Why did we not run into this problem in our proof of [fhapp_ass'']? The reason is that the pair constructor is polymorphic in the types of the pair components, while functions like [S] are not polymorphic at all. Use of such non-polymorphic functions with [JMeq] tends to push toward use of axioms. The example with [nat] here is a bit unrealistic; more likely cases would involve functions that have _some_ polymorphism, but not enough to allow abstractions of the sort we attempted above with [pattern]. For instance, we might have an equality between two lists, where the goal only type-checks when the terms involved really are lists, though everything is polymorphic in the types of list data elements. The {{http://www.mpi-sws.org/~gil/Heq/}Heq} library builds up a slightly different foundation to help avoid such problems. *)
|
adam@364
|
901
|
adamc@121
|
902
|
adamc@121
|
903 (** * Equivalence of Equality Axioms *)
|
adamc@121
|
904
|
adamc@124
|
905 (* EX: Show that the approaches based on K and JMeq are equivalent logically. *)
|
adamc@124
|
906
|
adamc@124
|
907 (* begin thide *)
|
adamc@272
|
908 (** Assuming axioms (like axiom K and [JMeq_eq]) is a hazardous business. The due diligence associated with it is necessarily global in scope, since two axioms may be consistent alone but inconsistent together. It turns out that all of the major axioms proposed for reasoning about equality in Coq are logically equivalent, so that we only need to pick one to assert without proof. In this section, we demonstrate this by showing how each of the previous two sections' approaches reduces to the other logically.
|
adamc@121
|
909
|
adamc@121
|
910 To show that [JMeq] and its axiom let us prove [UIP_refl], we start from the lemma [UIP_refl'] from the previous section. The rest of the proof is trivial. *)
|
adamc@121
|
911
|
adam@426
|
912 Lemma UIP_refl'' : forall (A : Type) (x : A) (pf : x = x), pf = eq_refl x.
|
adamc@121
|
913 intros; rewrite (UIP_refl' pf); reflexivity.
|
adamc@121
|
914 Qed.
|
adamc@121
|
915
|
adamc@121
|
916 (** The other direction is perhaps more interesting. Assume that we only have the axiom of the [Eqdep] module available. We can define [JMeq] in a way that satisfies the same interface as the combination of the [JMeq] module's inductive definition and axiom. *)
|
adamc@121
|
917
|
adamc@121
|
918 Definition JMeq' (A : Type) (x : A) (B : Type) (y : B) : Prop :=
|
adam@426
|
919 exists pf : B = A, x = match pf with eq_refl => y end.
|
adamc@121
|
920
|
adamc@121
|
921 Infix "===" := JMeq' (at level 70, no associativity).
|
adamc@121
|
922
|
adam@427
|
923 (** remove printing exists *)
|
adam@427
|
924
|
adamc@121
|
925 (** We say that, by definition, [x] and [y] are equal if and only if there exists a proof [pf] that their types are equal, such that [x] equals the result of casting [y] with [pf]. This statement can look strange from the standpoint of classical math, where we almost never mention proofs explicitly with quantifiers in formulas, but it is perfectly legal Coq code.
|
adamc@121
|
926
|
adamc@121
|
927 We can easily prove a theorem with the same type as that of the [JMeq_refl] constructor of [JMeq]. *)
|
adamc@121
|
928
|
adamc@121
|
929 Theorem JMeq_refl' : forall (A : Type) (x : A), x === x.
|
adam@426
|
930 intros; unfold JMeq'; exists (eq_refl A); reflexivity.
|
adamc@121
|
931 Qed.
|
adamc@121
|
932
|
adamc@121
|
933 (** printing exists $\exists$ *)
|
adamc@121
|
934
|
adamc@121
|
935 (** The proof of an analogue to [JMeq_eq] is a little more interesting, but most of the action is in appealing to [UIP_refl]. *)
|
adamc@121
|
936
|
adamc@121
|
937 Theorem JMeq_eq' : forall (A : Type) (x y : A),
|
adamc@121
|
938 x === y -> x = y.
|
adamc@121
|
939 unfold JMeq'; intros.
|
adamc@121
|
940 (** [[
|
adamc@121
|
941 H : exists pf : A = A,
|
adamc@121
|
942 x = match pf in (_ = T) return T with
|
adam@426
|
943 | eq_refl => y
|
adamc@121
|
944 end
|
adamc@121
|
945 ============================
|
adamc@121
|
946 x = y
|
adam@302
|
947 ]]
|
adam@302
|
948 *)
|
adamc@121
|
949
|
adamc@121
|
950 destruct H.
|
adamc@121
|
951 (** [[
|
adamc@121
|
952 x0 : A = A
|
adamc@121
|
953 H : x = match x0 in (_ = T) return T with
|
adam@426
|
954 | eq_refl => y
|
adamc@121
|
955 end
|
adamc@121
|
956 ============================
|
adamc@121
|
957 x = y
|
adam@302
|
958 ]]
|
adam@302
|
959 *)
|
adamc@121
|
960
|
adamc@121
|
961 rewrite H.
|
adamc@121
|
962 (** [[
|
adamc@121
|
963 x0 : A = A
|
adamc@121
|
964 ============================
|
adamc@121
|
965 match x0 in (_ = T) return T with
|
adam@426
|
966 | eq_refl => y
|
adamc@121
|
967 end = y
|
adam@302
|
968 ]]
|
adam@302
|
969 *)
|
adamc@121
|
970
|
adamc@121
|
971 rewrite (UIP_refl _ _ x0); reflexivity.
|
adamc@121
|
972 Qed.
|
adamc@121
|
973
|
adam@427
|
974 (** We see that, in a very formal sense, we are free to switch back and forth between the two styles of proofs about equality proofs. One style may be more convenient than the other for some proofs, but we can always interconvert between our results. The style that does not use heterogeneous equality may be preferable in cases where many results do not require the tricks of this chapter, since then the use of axioms is avoided altogether for the simple cases, and a wider audience will be able to follow those "simple" proofs. On the other hand, heterogeneous equality often makes for shorter and more readable theorem statements. *)
|
adamc@123
|
975
|
adamc@124
|
976 (* end thide *)
|
adamc@123
|
977
|
adamc@123
|
978
|
adamc@123
|
979 (** * Equality of Functions *)
|
adamc@123
|
980
|
adamc@123
|
981 (** The following seems like a reasonable theorem to want to hold, and it does hold in set theory. [[
|
adam@407
|
982 Theorem two_identities : (fun n => n) = (fun n => n + 0).
|
adamc@205
|
983 ]]
|
adamc@205
|
984
|
adam@407
|
985 Unfortunately, this theorem is not provable in CIC without additional axioms. None of the definitional equality rules force function equality to be%\index{extensionality of function equality}% _extensional_. That is, the fact that two functions return equal results on equal inputs does not imply that the functions are equal. We _can_ assert function extensionality as an axiom, and indeed the standard library already contains that axiom. *)
|
adamc@123
|
986
|
adam@407
|
987 Require Import FunctionalExtensionality.
|
adam@407
|
988 About functional_extensionality.
|
adam@407
|
989 (** %\vspace{-.15in}%[[
|
adam@407
|
990 functional_extensionality :
|
adam@407
|
991 forall (A B : Type) (f g : A -> B), (forall x : A, f x = g x) -> f = g
|
adam@407
|
992 ]]
|
adam@407
|
993 *)
|
adamc@123
|
994
|
adamc@123
|
995 (** This axiom has been verified metatheoretically to be consistent with CIC and the two equality axioms we considered previously. With it, the proof of [S_eta] is trivial. *)
|
adamc@123
|
996
|
adam@407
|
997 Theorem two_identities : (fun n => n) = (fun n => n + 0).
|
adamc@124
|
998 (* begin thide *)
|
adam@407
|
999 apply functional_extensionality; crush.
|
adamc@123
|
1000 Qed.
|
adamc@124
|
1001 (* end thide *)
|
adamc@123
|
1002
|
adam@427
|
1003 (** The same axiom can help us prove equality of types, where we need to "reason under quantifiers." *)
|
adamc@123
|
1004
|
adamc@123
|
1005 Theorem forall_eq : (forall x : nat, match x with
|
adamc@123
|
1006 | O => True
|
adamc@123
|
1007 | S _ => True
|
adamc@123
|
1008 end)
|
adamc@123
|
1009 = (forall _ : nat, True).
|
adamc@123
|
1010
|
adam@364
|
1011 (** There are no immediate opportunities to apply [ext_eq], but we can use %\index{tactics!change}%[change] to fix that. *)
|
adamc@123
|
1012
|
adamc@124
|
1013 (* begin thide *)
|
adamc@123
|
1014 change ((forall x : nat, (fun x => match x with
|
adamc@123
|
1015 | 0 => True
|
adamc@123
|
1016 | S _ => True
|
adamc@123
|
1017 end) x) = (nat -> True)).
|
adam@407
|
1018 rewrite (functional_extensionality (fun x => match x with
|
adam@407
|
1019 | 0 => True
|
adam@407
|
1020 | S _ => True
|
adam@407
|
1021 end) (fun _ => True)).
|
adamc@123
|
1022 (** [[
|
adamc@123
|
1023 2 subgoals
|
adamc@123
|
1024
|
adamc@123
|
1025 ============================
|
adamc@123
|
1026 (nat -> True) = (nat -> True)
|
adamc@123
|
1027
|
adamc@123
|
1028 subgoal 2 is:
|
adamc@123
|
1029 forall x : nat, match x with
|
adamc@123
|
1030 | 0 => True
|
adamc@123
|
1031 | S _ => True
|
adamc@123
|
1032 end = True
|
adam@302
|
1033 ]]
|
adam@302
|
1034 *)
|
adamc@123
|
1035
|
adamc@123
|
1036 reflexivity.
|
adamc@123
|
1037
|
adamc@123
|
1038 destruct x; constructor.
|
adamc@123
|
1039 Qed.
|
adamc@124
|
1040 (* end thide *)
|
adamc@127
|
1041
|
adam@407
|
1042 (** Unlike in the case of [eq_rect_eq], we have no way of deriving this axiom of%\index{functional extensionality}% _functional extensionality_ for types with decidable equality. To allow equality reasoning without axioms, it may be worth rewriting a development to replace functions with alternate representations, such as finite map types for which extensionality is derivable in CIC. *)
|