Mercurial > cpdt > repo

comparison src/Equality.v @ 456:848bf35f7f6c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Proofreading pass through Chapter 10
author Adam Chlipala <adam@chlipala.net>
date Tue, 28 Aug 2012 11:48:06 -0400
parents 0d66f1a710b8
children 4320c1a967c2
comparison
equal deleted inserted replaced
455:df0a45de158a 456:848bf35f7f6c
16 (* end hide *) 16 (* end hide *)
17 17
18 18
19 (** %\chapter{Reasoning About Equality Proofs}% *) 19 (** %\chapter{Reasoning About Equality Proofs}% *)
20 20
21 (** In traditional mathematics, the concept of equality is usually taken as a given. On the other hand, in type theory, equality is a very contentious subject. There are at least three different notions of equality that are important, and researchers are actively investigating new definitions of what it means for two terms to be equal. Even once we fix a notion of equality, there are inevitably tricky issues that arise in proving properties of programs that manipulate equality proofs explicitly. In this chapter, I will focus on design patterns for circumventing these tricky issues, and I will introduce the different notions of equality as they are germane. *) 21 (** In traditional mathematics, the concept of equality is usually taken as a given. On the other hand, in type theory, equality is a very contentious subject. There are at least three different notions of equality that are important in Coq, and researchers are actively investigating new definitions of what it means for two terms to be equal. Even once we fix a notion of equality, there are inevitably tricky issues that arise in proving properties of programs that manipulate equality proofs explicitly. In this chapter, I will focus on design patterns for circumventing these tricky issues, and I will introduce the different notions of equality as they are germane. *)
22 22
23 23
24 (** * The Definitional Equality *) 24 (** * The Definitional Equality *)
25 25
26 (** We have seen many examples so far where proof goals follow "by computation." That is, we apply computational reduction rules to reduce the goal to a normal form, at which point it follows trivially. Exactly when this works and when it does not depends on the details of Coq's%\index{definitional equality}% _definitional equality_. This is an untyped binary relation appearing in the formal metatheory of CIC. CIC contains a typing rule allowing the conclusion [E : T] from the premise [E : T'] and a proof that [T] and [T'] are definitionally equal. 26 (** We have seen many examples so far where proof goals follow "by computation." That is, we apply computational reduction rules to reduce the goal to a normal form, at which point it follows trivially. Exactly when this works and when it does not depends on the details of Coq's%\index{definitional equality}% _definitional equality_. This is an untyped binary relation appearing in the formal metatheory of CIC. CIC contains a typing rule allowing the conclusion [E : T] from the premise [E : T'] and a proof that [T] and [T'] are definitionally equal.
335 ]] 335 ]]
336 336
337 Using what we know about shorthands for [match] annotations, we can write this proof in shorter form manually. *) 337 Using what we know about shorthands for [match] annotations, we can write this proof in shorter form manually. *)
338 338
339 (* begin thide *) 339 (* begin thide *)
340 Definition lemma1' := 340 Definition lemma1' (x : A) (pf : x = elm) :=
341 fun (x : A) (pf : x = elm) => 341 match pf return (0 = match pf with
342 match pf return (0 = match pf with 342 | eq_refl => 0
343 | eq_refl => 0 343 end) with
344 end) with 344 | eq_refl => eq_refl 0
345 | eq_refl => eq_refl 0 345 end.
346 end.
347 (* end thide *) 346 (* end thide *)
348 347
349 (** Surprisingly, what seems at first like a _simpler_ lemma is harder to prove. *) 348 (** Surprisingly, what seems at first like a _simpler_ lemma is harder to prove. *)
350 349
351 Lemma lemma2 : forall (x : A) (pf : x = x), O = match pf with eq_refl => O end. 350 Lemma lemma2 : forall (x : A) (pf : x = x), O = match pf with eq_refl => O end.
690 (** %\vspace{-.15in}% [[ 689 (** %\vspace{-.15in}% [[
691 Inductive JMeq (A : Type) (x : A) : forall B : Type, B -> Prop := 690 Inductive JMeq (A : Type) (x : A) : forall B : Type, B -> Prop :=
692 JMeq_refl : JMeq x x 691 JMeq_refl : JMeq x x
693 ]] 692 ]]
694 693
695 The identity [JMeq] stands for %\index{John Major equality}%"John Major equality," a name coined by Conor McBride%~\cite{JMeq}% as a sort of pun about British politics. The definition [JMeq] starts out looking a lot like the definition of [eq]. The crucial difference is that we may use [JMeq] _on arguments of different types_. For instance, a lemma that we failed to establish before is trivial with [JMeq]. It makes for prettier theorem statements to define some syntactic shorthand first. *) 694 The identitifer [JMeq] stands for %\index{John Major equality}%"John Major equality," a name coined by Conor McBride%~\cite{JMeq}% as a sort of pun about British politics. The definition [JMeq] starts out looking a lot like the definition of [eq]. The crucial difference is that we may use [JMeq] _on arguments of different types_. For instance, a lemma that we failed to establish before is trivial with [JMeq]. It makes for prettier theorem statements to define some syntactic shorthand first. *)
696 695
697 Infix "==" := JMeq (at level 70, no associativity). 696 Infix "==" := JMeq (at level 70, no associativity).
698 697
699 (* EX: Prove UIP_refl' : forall (A : Type) (x : A) (pf : x = x), pf == eq_refl x *) 698 (* EX: Prove UIP_refl' : forall (A : Type) (x : A) (pf : x = x), pf == eq_refl x *)
700 (* begin thide *) 699 (* begin thide *)
823 Print Assumptions fhapp_ass''. 822 Print Assumptions fhapp_ass''.
824 (** << 823 (** <<
825 Closed under the global context 824 Closed under the global context
826 >> 825 >>
827 826
828 One might wonder exactly which elements of a proof involving [JMeq] imply that [JMeq_eq] must be used. For instance, above we noticed that [rewrite] had brought [JMeq_eq] into the proof of [fhap_ass'], yet here we have also used [rewrite] with [JMeq] hypotheses while avoiding axioms! One illuminating exercise is comparing the types of the lemmas that [rewrite] uses under the hood to implement the rewrites. Here is the normal lemma for [eq] rewriting:%\index{Gallina terms!eq\_ind\_r}% *) 827 One might wonder exactly which elements of a proof involving [JMeq] imply that [JMeq_eq] must be used. For instance, above we noticed that [rewrite] had brought [JMeq_eq] into the proof of [fhapp_ass'], yet here we have also used [rewrite] with [JMeq] hypotheses while avoiding axioms! One illuminating exercise is comparing the types of the lemmas that [rewrite] uses under the hood to implement the rewrites. Here is the normal lemma for [eq] rewriting:%\index{Gallina terms!eq\_ind\_r}% *)
829 828
830 Check eq_ind_r. 829 Check eq_ind_r.
831 (** %\vspace{-.15in}%[[ 830 (** %\vspace{-.15in}%[[
832 eq_ind_r 831 eq_ind_r
833 : forall (A : Type) (x : A) (P : A -> Prop), 832 : forall (A : Type) (x : A) (P : A -> Prop),
978 977
979 (** * Equality of Functions *) 978 (** * Equality of Functions *)
980 979
981 (** The following seems like a reasonable theorem to want to hold, and it does hold in set theory. 980 (** The following seems like a reasonable theorem to want to hold, and it does hold in set theory.
982 %\vspace{-.15in}%[[ 981 %\vspace{-.15in}%[[
983 Theorem two_identities : (fun n => n) = (fun n => n + 0). 982 Theorem two_funs : (fun n => n) = (fun n => n + 0).
984 ]] 983 ]]
985 %\vspace{-.15in}%Unfortunately, this theorem is not provable in CIC without additional axioms. None of the definitional equality rules force function equality to be%\index{extensionality of function equality}% _extensional_. That is, the fact that two functions return equal results on equal inputs does not imply that the functions are equal. We _can_ assert function extensionality as an axiom, and indeed the standard library already contains that axiom. *) 984 %\vspace{-.15in}%Unfortunately, this theorem is not provable in CIC without additional axioms. None of the definitional equality rules force function equality to be%\index{extensionality of function equality}% _extensional_. That is, the fact that two functions return equal results on equal inputs does not imply that the functions are equal. We _can_ assert function extensionality as an axiom, and indeed the standard library already contains that axiom. *)
986 985
987 Require Import FunctionalExtensionality. 986 Require Import FunctionalExtensionality.
988 About functional_extensionality. 987 About functional_extensionality.
990 functional_extensionality : 989 functional_extensionality :
991 forall (A B : Type) (f g : A -> B), (forall x : A, f x = g x) -> f = g 990 forall (A B : Type) (f g : A -> B), (forall x : A, f x = g x) -> f = g
992 ]] 991 ]]
993 *) 992 *)
994 993
995 (** This axiom has been verified metatheoretically to be consistent with CIC and the two equality axioms we considered previously. With it, the proof of [two_identities] is trivial. *) 994 (** This axiom has been verified metatheoretically to be consistent with CIC and the two equality axioms we considered previously. With it, the proof of [two_funs] is trivial. *)
996 995
997 Theorem two_identities : (fun n => n) = (fun n => n + 0). 996 Theorem two_funs : (fun n => n) = (fun n => n + 0).
998 (* begin thide *) 997 (* begin thide *)
999 apply functional_extensionality; crush. 998 apply functional_extensionality; crush.
1000 Qed. 999 Qed.
1001 (* end thide *) 1000 (* end thide *)
1002 1001
1006 | O => True 1005 | O => True
1007 | S _ => True 1006 | S _ => True
1008 end) 1007 end)
1009 = (forall _ : nat, True). 1008 = (forall _ : nat, True).
1010 1009
1011 (** There are no immediate opportunities to apply [ext_eq], but we can use %\index{tactics!change}%[change] to fix that. *) 1010 (** There are no immediate opportunities to apply [functional_extensionality], but we can use %\index{tactics!change}%[change] to fix that problem. *)
1012 1011
1013 (* begin thide *) 1012 (* begin thide *)
1014 change ((forall x : nat, (fun x => match x with 1013 change ((forall x : nat, (fun x => match x with
1015 | 0 => True 1014 | 0 => True
1016 | S _ => True 1015 | S _ => True