Mercurial > cpdt > repo
comparison src/Reflection.v @ 445:0650420c127b
Finished vertical spacing
| author | Adam Chlipala <adam@chlipala.net> |
|---|---|
| date | Wed, 01 Aug 2012 17:31:56 -0400 |
| parents | 8077352044b2 |
| children | b6c47e6d43dc |
comparison
equal
deleted
inserted
replaced
| 444:0d66f1a710b8 | 445:0650420c127b |
|---|---|
| 42 even_256 = | 42 even_256 = |
| 43 Even_SS | 43 Even_SS |
| 44 (Even_SS | 44 (Even_SS |
| 45 (Even_SS | 45 (Even_SS |
| 46 (Even_SS | 46 (Even_SS |
| 47 | |
| 48 ]] | 47 ]] |
| 49 | 48 |
| 50 %\noindent%...and so on. This procedure always works (at least on machines with infinite resources), but it has a serious drawback, which we see when we print the proof it generates that 256 is even. The final proof term has length super-linear in the input value. Coq's implicit arguments mechanism is hiding the values given for parameter [n] of [Even_SS], which is why the proof term only appears linear here. Also, proof terms are represented internally as syntax trees, with opportunity for sharing of node representations, but in this chapter we will measure proof term size as simple textual length or as the number of nodes in the term's syntax tree, two measures that are approximately equivalent. Sometimes apparently large proof terms have enough internal sharing that they take up less memory than we expect, but one avoids having to reason about such sharing by ensuring that the size of a sharing-free version of a term is low enough. | 49 %\noindent%...and so on. This procedure always works (at least on machines with infinite resources), but it has a serious drawback, which we see when we print the proof it generates that 256 is even. The final proof term has length super-linear in the input value. Coq's implicit arguments mechanism is hiding the values given for parameter [n] of [Even_SS], which is why the proof term only appears linear here. Also, proof terms are represented internally as syntax trees, with opportunity for sharing of node representations, but in this chapter we will measure proof term size as simple textual length or as the number of nodes in the term's syntax tree, two measures that are approximately equivalent. Sometimes apparently large proof terms have enough internal sharing that they take up less memory than we expect, but one avoids having to reason about such sharing by ensuring that the size of a sharing-free version of a term is low enough. |
| 51 | 50 |
| 52 Superlinear evenness proof terms seem like a shame, since we could write a trivial and trustworthy program to verify evenness of constants. The proof checker could simply call our program where needed. | 51 Superlinear evenness proof terms seem like a shame, since we could write a trivial and trustworthy program to verify evenness of constants. The proof checker could simply call our program where needed. |
| 64 (* end hide *) | 63 (* end hide *) |
| 65 | 64 |
| 66 Print partial. | 65 Print partial. |
| 67 (** %\vspace{-.15in}% [[ | 66 (** %\vspace{-.15in}% [[ |
| 68 Inductive partial (P : Prop) : Set := Proved : P -> [P] | Uncertain : [P] | 67 Inductive partial (P : Prop) : Set := Proved : P -> [P] | Uncertain : [P] |
| 69 | |
| 70 ]] | 68 ]] |
| 71 | 69 |
| 72 A [partial P] value is an optional proof of [P]. The notation [[P]] stands for [partial P]. *) | 70 A [partial P] value is an optional proof of [P]. The notation [[P]] stands for [partial P]. *) |
| 73 | 71 |
| 74 Local Open Scope partial_scope. | 72 Local Open Scope partial_scope. |
| 172 (** %\vspace{-.15in}% [[ | 170 (** %\vspace{-.15in}% [[ |
| 173 true_galore = | 171 true_galore = |
| 174 fun H : True /\ True => | 172 fun H : True /\ True => |
| 175 and_ind (fun _ _ : True => or_introl (True /\ (True -> True)) I) H | 173 and_ind (fun _ _ : True => or_introl (True /\ (True -> True)) I) H |
| 176 : True /\ True -> True \/ True /\ (True -> True) | 174 : True /\ True -> True \/ True /\ (True -> True) |
| 177 | |
| 178 ]] | 175 ]] |
| 179 | 176 |
| 180 As we might expect, the proof that [tauto] builds contains explicit applications of natural deduction rules. For large formulas, this can add a linear amount of proof size overhead, beyond the size of the input. | 177 As we might expect, the proof that [tauto] builds contains explicit applications of natural deduction rules. For large formulas, this can add a linear amount of proof size overhead, beyond the size of the input. |
| 181 | 178 |
| 182 To write a reflective procedure for this class of goals, we will need to get into the actual "reflection" part of "proof by reflection." It is impossible to case-analyze a [Prop] in any way in Gallina. We must%\index{reification}% _reify_ [Prop] into some type that we _can_ analyze. This inductive type is a good candidate: *) | 179 To write a reflective procedure for this class of goals, we will need to get into the actual "reflection" part of "proof by reflection." It is impossible to case-analyze a [Prop] in any way in Gallina. We must%\index{reification}% _reify_ [Prop] into some type that we _can_ analyze. This inductive type is a good candidate: *) |
| 238 Theorem true_galore' : (True /\ True) -> (True \/ (True /\ (True -> True))). | 235 Theorem true_galore' : (True /\ True) -> (True \/ (True /\ (True -> True))). |
| 239 obvious. | 236 obvious. |
| 240 Qed. | 237 Qed. |
| 241 | 238 |
| 242 Print true_galore'. | 239 Print true_galore'. |
| 243 | |
| 244 (** %\vspace{-.15in}% [[ | 240 (** %\vspace{-.15in}% [[ |
| 245 true_galore' = | 241 true_galore' = |
| 246 tautTrue | 242 tautTrue |
| 247 (TautImp (TautAnd TautTrue TautTrue) | 243 (TautImp (TautAnd TautTrue TautTrue) |
| 248 (TautOr TautTrue (TautAnd TautTrue (TautImp TautTrue TautTrue)))) | 244 (TautOr TautTrue (TautAnd TautTrue (TautImp TautTrue TautTrue)))) |