Mercurial > cpdt > repo
comparison src/Coinductive.v @ 292:2c88fc1dbe33
A pass of double-quotes and LaTeX operator beautification
| author | Adam Chlipala <adam@chlipala.net> |
|---|---|
| date | Wed, 10 Nov 2010 16:31:04 -0500 |
| parents | 4146889930c5 |
| children | 7b38729be069 |
comparison
equal
deleted
inserted
replaced
| 291:da9ccc6bf572 | 292:2c88fc1dbe33 |
|---|---|
| 31 | 31 |
| 32 This would leave us with [bad tt] as a proof of [P]. | 32 This would leave us with [bad tt] as a proof of [P]. |
| 33 | 33 |
| 34 There are also algorithmic considerations that make universal termination very desirable. We have seen how tactics like [reflexivity] compare terms up to equivalence under computational rules. Calls to recursive, pattern-matching functions are simplified automatically, with no need for explicit proof steps. It would be very hard to hold onto that kind of benefit if it became possible to write non-terminating programs; we would be running smack into the halting problem. | 34 There are also algorithmic considerations that make universal termination very desirable. We have seen how tactics like [reflexivity] compare terms up to equivalence under computational rules. Calls to recursive, pattern-matching functions are simplified automatically, with no need for explicit proof steps. It would be very hard to hold onto that kind of benefit if it became possible to write non-terminating programs; we would be running smack into the halting problem. |
| 35 | 35 |
| 36 One solution is to use types to contain the possibility of non-termination. For instance, we can create a "non-termination monad," inside which we must write all of our general-recursive programs. This is a heavyweight solution, and so we would like to avoid it whenever possible. | 36 One solution is to use types to contain the possibility of non-termination. For instance, we can create a %``%#"#non-termination monad,#"#%''% inside which we must write all of our general-recursive programs. This is a heavyweight solution, and so we would like to avoid it whenever possible. |
| 37 | 37 |
| 38 Luckily, Coq has special support for a class of lazy data structures that happens to contain most examples found in Haskell. That mechanism, %\textit{%#<i>#co-inductive types#</i>#%}%, is the subject of this chapter. *) | 38 Luckily, Coq has special support for a class of lazy data structures that happens to contain most examples found in Haskell. That mechanism, %\textit{%#<i>#co-inductive types#</i>#%}%, is the subject of this chapter. *) |
| 39 | 39 |
| 40 | 40 |
| 41 (** * Computing with Infinite Data *) | 41 (** * Computing with Infinite Data *) |
| 326 | 326 |
| 327 ]] *) | 327 ]] *) |
| 328 Abort. | 328 Abort. |
| 329 (* end thide *) | 329 (* end thide *) |
| 330 | 330 |
| 331 (** The standard [auto] machinery sees that our goal matches an assumption and so applies that assumption, even though this violates guardedness. One usually starts a proof like this by [destruct]ing some parameter and running a custom tactic to figure out the first proof rule to apply for each case. Alternatively, there are tricks that can be played with "hiding" the co-inductive hypothesis. *) | 331 (** The standard [auto] machinery sees that our goal matches an assumption and so applies that assumption, even though this violates guardedness. One usually starts a proof like this by [destruct]ing some parameter and running a custom tactic to figure out the first proof rule to apply for each case. Alternatively, there are tricks that can be played with %``%#"#hiding#"#%''% the co-inductive hypothesis. *) |
| 332 | 332 |
| 333 | 333 |
| 334 (** * Simple Modeling of Non-Terminating Programs *) | 334 (** * Simple Modeling of Non-Terminating Programs *) |
| 335 | 335 |
| 336 (** We close the chapter with a quick motivating example for more complex uses of co-inductive types. We will define a co-inductive semantics for a simple assembly language and use that semantics to prove that assembly programs always run forever. This basic technique can be combined with typing judgments for more advanced languages, where some ill-typed programs can go wrong, but no well-typed programs go wrong. | 336 (** We close the chapter with a quick motivating example for more complex uses of co-inductive types. We will define a co-inductive semantics for a simple assembly language and use that semantics to prove that assembly programs always run forever. This basic technique can be combined with typing judgments for more advanced languages, where some ill-typed programs can go wrong, but no well-typed programs go wrong. |
| 385 | Step : forall pc r pc' r', | 385 | Step : forall pc r pc' r', |
| 386 exec pc r (prog pc) pc' r' | 386 exec pc r (prog pc) pc' r' |
| 387 -> safe pc' r' | 387 -> safe pc' r' |
| 388 -> safe pc r. | 388 -> safe pc r. |
| 389 | 389 |
| 390 (** Now we can prove that any starting address and register bank lead to safe infinite execution. Recall that proofs of existentially-quantified formulas are all built with a single constructor of the inductive type [ex]. This means that we can use [destruct] to "open up" such proofs. In the proof below, we want to perform this opening up on an appropriate use of the [exec_total] lemma. This lemma's conclusion begins with two existential quantifiers, so we want to tell [destruct] that it should not stop at the first quantifier. We accomplish our goal by using an %\textit{%#<i>#intro pattern#</i>#%}% with [destruct]. Consult the Coq manual for the details of intro patterns; the specific pattern [[? [? ?]]] that we use here accomplishes our goal of destructing both quantifiers at once. *) | 390 (** Now we can prove that any starting address and register bank lead to safe infinite execution. Recall that proofs of existentially-quantified formulas are all built with a single constructor of the inductive type [ex]. This means that we can use [destruct] to %``%#"#open up#"#%''% such proofs. In the proof below, we want to perform this opening up on an appropriate use of the [exec_total] lemma. This lemma's conclusion begins with two existential quantifiers, so we want to tell [destruct] that it should not stop at the first quantifier. We accomplish our goal by using an %\textit{%#<i>#intro pattern#</i>#%}% with [destruct]. Consult the Coq manual for the details of intro patterns; the specific pattern [[? [? ?]]] that we use here accomplishes our goal of destructing both quantifiers at once. *) |
| 391 | 391 |
| 392 Theorem always_safe : forall pc rs, | 392 Theorem always_safe : forall pc rs, |
| 393 safe pc rs. | 393 safe pc rs. |
| 394 cofix; intros; | 394 cofix; intros; |
| 395 destruct (exec_total pc rs (prog pc)) as [? [? ?]]; | 395 destruct (exec_total pc rs (prog pc)) as [? [? ?]]; |
| 410 %\item%#<li># Define a co-inductive type of infinite trees carrying data of a fixed parameter type. Each node should contain a data value and two child trees.#</li># | 410 %\item%#<li># Define a co-inductive type of infinite trees carrying data of a fixed parameter type. Each node should contain a data value and two child trees.#</li># |
| 411 %\item%#<li># Define a function [everywhere] for building a tree with the same data value at every node.#</li># | 411 %\item%#<li># Define a function [everywhere] for building a tree with the same data value at every node.#</li># |
| 412 %\item%#<li># Define a function [map] for building an output tree out of two input trees by traversing them in parallel and applying a two-argument function to their corresponding data values.#</li># | 412 %\item%#<li># Define a function [map] for building an output tree out of two input trees by traversing them in parallel and applying a two-argument function to their corresponding data values.#</li># |
| 413 %\item%#<li># Define a tree [falses] where every node has the value [false].#</li># | 413 %\item%#<li># Define a tree [falses] where every node has the value [false].#</li># |
| 414 %\item%#<li># Define a tree [true_false] where the root node has value [true], its children have value [false], all nodes at the next have the value [true], and so on, alternating boolean values from level to level.#</li># | 414 %\item%#<li># Define a tree [true_false] where the root node has value [true], its children have value [false], all nodes at the next have the value [true], and so on, alternating boolean values from level to level.#</li># |
| 415 %\item%#<li># Prove that [true_false] is equal to the result of mapping the boolean "or" function [orb] over [true_false] and [falses]. You can make [orb] available with [Require Import Bool.]. You may find the lemma [orb_false_r] from the same module helpful. Your proof here should not be about the standard equality [=], but rather about some new equality relation that you define.#</li># | 415 %\item%#<li># Prove that [true_false] is equal to the result of mapping the boolean %``%#"#or#"#%''% function [orb] over [true_false] and [falses]. You can make [orb] available with [Require Import Bool.]. You may find the lemma [orb_false_r] from the same module helpful. Your proof here should not be about the standard equality [=], but rather about some new equality relation that you define.#</li># |
| 416 #</ol>#%\end{enumerate}% #</li># | 416 #</ol>#%\end{enumerate}% #</li># |
| 417 | 417 |
| 418 #</ol>#%\end{enumerate}% *) | 418 #</ol>#%\end{enumerate}% *) |