Mercurial > cpdt > repo
comparison src/Predicates.v @ 48:b262252669ce
First-order logic
| author | Adam Chlipala <adamc@hcoop.net> |
|---|---|
| date | Sat, 27 Sep 2008 16:10:53 -0400 |
| parents | be4efaee371f |
| children | 827d7e8a7d9e |
comparison
equal
deleted
inserted
replaced
| 47:be4efaee371f | 48:b262252669ce |
|---|---|
| 39 The essence of the argument is roughly this: to an engineer, not all functions of type [A -> B] are created equal, but all proofs of a proposition [P -> Q] are. This idea is known as %\textit{%#<i>#proof irrelevance#</i>#%}%, and its formalizations in logics prevent us from distinguishing between alternate proofs of the same proposition. Proof irrelevance is compatible with, but not derivable in, Gallina. Apart from this theoretical concern, I will argue that it is most effective to do engineering with Coq by employing different techniques for programs versus proofs. Most of this book is organized around that distinction, describing how to program, by applying standard functional programming techniques in the presence of dependent types; and how to prove, by writing custom Ltac decision procedures. | 39 The essence of the argument is roughly this: to an engineer, not all functions of type [A -> B] are created equal, but all proofs of a proposition [P -> Q] are. This idea is known as %\textit{%#<i>#proof irrelevance#</i>#%}%, and its formalizations in logics prevent us from distinguishing between alternate proofs of the same proposition. Proof irrelevance is compatible with, but not derivable in, Gallina. Apart from this theoretical concern, I will argue that it is most effective to do engineering with Coq by employing different techniques for programs versus proofs. Most of this book is organized around that distinction, describing how to program, by applying standard functional programming techniques in the presence of dependent types; and how to prove, by writing custom Ltac decision procedures. |
| 40 | 40 |
| 41 With that perspective in mind, this chapter is sort of a mirror image of the last chapter, introducing how to define predicates with inductive definitions. We will point out similarities in places, but much of the effective Coq user's bag of tricks is disjoint for predicates versus "datatypes." This chapter is also a covert introduction to dependent types, which are the foundation on which interesting inductive predicates are built, though we will rely on tactics to build dependently-typed proof terms for us for now. A future chapter introduces more manual application of dependent types. *) | 41 With that perspective in mind, this chapter is sort of a mirror image of the last chapter, introducing how to define predicates with inductive definitions. We will point out similarities in places, but much of the effective Coq user's bag of tricks is disjoint for predicates versus "datatypes." This chapter is also a covert introduction to dependent types, which are the foundation on which interesting inductive predicates are built, though we will rely on tactics to build dependently-typed proof terms for us for now. A future chapter introduces more manual application of dependent types. *) |
| 42 | 42 |
| 43 | 43 |
| 44 (** * Propositional logic *) | 44 (** * Propositional Logic *) |
| 45 | 45 |
| 46 (** Let us begin with a brief tour through the definitions of the connectives for propositional logic. We will work within a Coq section that provides us with a set of propositional variables. In Coq parlance, these are just terms of type [Prop.] *) | 46 (** Let us begin with a brief tour through the definitions of the connectives for propositional logic. We will work within a Coq section that provides us with a set of propositional variables. In Coq parlance, these are just terms of type [Prop.] *) |
| 47 | 47 |
| 48 Section Propositional. | 48 Section Propositional. |
| 49 Variables P Q R : Prop. | 49 Variables P Q R : Prop. |
| 285 Hence the distinction between [bool] and [Prop]. Programs of type [bool] are computational by construction; we can always run them to determine their results. Many [Prop]s are undecidable, and so we can write more expressive formulas with [Prop]s than with [bool]s, but the inevitable consequence is that we cannot simply "run a [Prop] to determine its truth." | 285 Hence the distinction between [bool] and [Prop]. Programs of type [bool] are computational by construction; we can always run them to determine their results. Many [Prop]s are undecidable, and so we can write more expressive formulas with [Prop]s than with [bool]s, but the inevitable consequence is that we cannot simply "run a [Prop] to determine its truth." |
| 286 | 286 |
| 287 Constructive logic lets us define all of the logical connectives in an aesthetically-appealing way, with orthogonal inductive definitions. That is, each connective is defined independently using a simple, shared mechanism. Constructivity also enables a trick called %\textit{%#<i>#program extraction#</i>#%}%, where we write programs by phrasing them as theorems to be proved. Since our proofs are just functional programs, we can extract executable programs from our final proofs, which we could not do as naturally with classical proofs. | 287 Constructive logic lets us define all of the logical connectives in an aesthetically-appealing way, with orthogonal inductive definitions. That is, each connective is defined independently using a simple, shared mechanism. Constructivity also enables a trick called %\textit{%#<i>#program extraction#</i>#%}%, where we write programs by phrasing them as theorems to be proved. Since our proofs are just functional programs, we can extract executable programs from our final proofs, which we could not do as naturally with classical proofs. |
| 288 | 288 |
| 289 We will see more about Coq's program extraction facility in a later chapter. However, I think it is worth interjecting another warning at this point, following up on the prior warning about taking the Curry-Howard correspondence too literally. It is possible to write programs by theorem-proving methods in Coq, but hardly anyone does it. It is almost always most useful to maintain the distinction between programs and proofs. If you write a program by proving a theorem, you are likely to run into algorithmic inefficiencies that you introduced in your proof to make it easier to prove. It is a shame to have to worry about such situations while proving tricky theorems, and it is a happy state of affairs that you almost certainly will not need to, with the ideal of extracting programs from proofs being confined mostly to theoretical studies. *) | 289 We will see more about Coq's program extraction facility in a later chapter. However, I think it is worth interjecting another warning at this point, following up on the prior warning about taking the Curry-Howard correspondence too literally. It is possible to write programs by theorem-proving methods in Coq, but hardly anyone does it. It is almost always most useful to maintain the distinction between programs and proofs. If you write a program by proving a theorem, you are likely to run into algorithmic inefficiencies that you introduced in your proof to make it easier to prove. It is a shame to have to worry about such situations while proving tricky theorems, and it is a happy state of affairs that you almost certainly will not need to, with the ideal of extracting programs from proofs being confined mostly to theoretical studies. *) |
| 290 | |
| 291 | |
| 292 (** * First-Order Logic *) | |
| 293 | |
| 294 (** The [forall] connective of first-order logic, which we have seen in many examples so far, is built into Coq. Getting ahead of ourselves a bit, we can see it as the dependent function type constructor. In fact, implication and universal quantification are just different syntactic shorthands for the same Coq mechanism. A formula [P -> Q] is equivalent to [forall x : P, Q], where [x] does not appear in [Q]. That is, the "real" type of the implication says "for every proof of [P], there exists a proof of [Q]." | |
| 295 | |
| 296 Existential quantification is defined in the standard library. *) | |
| 297 | |
| 298 Print ex. | |
| 299 (** [[ | |
| 300 | |
| 301 Inductive ex (A : Type) (P : A -> Prop) : Prop := | |
| 302 ex_intro : forall x : A, P x -> ex P | |
| 303 ]] *) | |
| 304 | |
| 305 (** [ex] is parameterized by the type [A] that we quantify over, and by a predicate [P] over [A]s. We prove an existential by exhibiting some [x] of type [A], along with a proof of [P x]. As usual, there are tactics that save us from worrying about the low-level details most of the time. *) | |
| 306 | |
| 307 Theorem exist1 : exists x : nat, x + 1 = 2. | |
| 308 (** remove printing exists*) | |
| 309 (** We can start this proof with a tactic [exists], which should not be confused with the formula constructor shorthand of the same name. (In the PDF version of this document, the reverse 'E' appears instead of the text "exists.") *) | |
| 310 exists 1. | |
| 311 | |
| 312 (** The conclusion is replaced with a version using the existential witness that we announced. *) | |
| 313 | |
| 314 (** [[ | |
| 315 | |
| 316 ============================ | |
| 317 1 + 1 = 2 | |
| 318 ]] *) | |
| 319 | |
| 320 reflexivity. | |
| 321 Qed. | |
| 322 | |
| 323 (** printing exists $\exists$ *) | |
| 324 | |
| 325 (** We can also use tactics to reason about existential hypotheses. *) | |
| 326 | |
| 327 Theorem exist2 : forall n m : nat, (exists x : nat, n + x = m) -> n <= m. | |
| 328 (** We start by case analysis on the proof of the existential fact. *) | |
| 329 destruct 1. | |
| 330 (** [[ | |
| 331 | |
| 332 n : nat | |
| 333 m : nat | |
| 334 x : nat | |
| 335 H : n + x = m | |
| 336 ============================ | |
| 337 n <= m | |
| 338 ]] *) | |
| 339 | |
| 340 (** The goal has been replaced by a form where there is a new free variable [x], and where we have a new hypothesis that the body of the existential holds with [x] substituted for the old bound variable. From here, the proof is just about arithmetic and is easy to automate. *) | |
| 341 | |
| 342 crush. | |
| 343 Qed. | |
| 344 | |
| 345 | |
| 346 (* begin hide *) | |
| 347 (* In-class exercises *) | |
| 348 | |
| 349 Theorem forall_exists_commute : forall (A B : Type) (P : A -> B -> Prop), | |
| 350 (exists x : A, forall y : B, P x y) -> (forall y : B, exists x : A, P x y). | |
| 351 Admitted. | |
| 352 | |
| 353 (* end hide *) | |
| 354 | |
| 355 | |
| 356 (** The tactic [intuition] has a first-order cousin called [firstorder]. [firstorder] proves many formulas when only first-order reasoning is needed, and it tries to perform first-order simplifications in any case. First-order reasoning is much harder than propositional reasoning, so [firstorder] is much more likely than [intuition] to get stuck in a way that makes it run for long enough to be useless. *) |