Certified Programming with Dependent Types: src/Match.v comparison

comparison src/Match.v @ 141:ce4cc7fa9b2b

Templatize Match

author	Adam Chlipala <adamc@hcoop.net>
date	Mon, 27 Oct 2008 10:31:57 -0400
parents	8cce3247496b
children	cbf2f74a5130

comparison

equal deleted inserted replaced

-:8cce3247496b
+:ce4cc7fa9b2b
 The basic hints for [auto] and [eauto] are [Hint Immediate lemma], asking to try solving a goal immediately by applying the premise-free lemma; [Resolve lemma], which does the same but may add new premises that are themselves to be subjects of proof search; [Constructor type], which acts like [Resolve] applied to every constructor of an inductive type; and [Unfold ident], which tries unfolding [ident] when it appears at the head of a proof goal.  Each of these [Hint] commands may be used with a suffix, as in [Hint Resolve lemma : my_db].  This adds the hint only to the specified database, so that it would only be used by, for instance, [auto with my_db].  An additional argument to [auto] specifies the maximum depth of proof trees to search in depth-first order, as in [auto 8] or [auto 8 with my_db].  The default depth is 5.
 All of these [Hint] commands can be issued alternatively with a more primitive hint kind, [Extern].  A few examples should do best to explain how [Hint Extern] works. *)
 Theorem bool_neq : true <> false.
+(* begin thide *)
 auto.
 (** [crush] would have discharged this goal, but the default hint database for [auto] contains no hint that applies. *)
 Abort.
 (** It is hard to come up with a [bool]-specific hint that is not just a restatement of the theorem we mean to prove.  Luckily, a simpler form suffices. *)
 Hint Extern 1 (_ <> _) => congruence.
 Theorem bool_neq : true <> false.
 auto.
 Qed.
+(* end thide *)
 (** Our hint says: "whenever the conclusion matches the pattern [_ <> _], try applying [congruence]."  The [1] is a cost for this rule.  During proof search, whenever multiple rules apply, rules are tried in increasing cost order, so it pays to assign high costs to relatively expensive [Extern] hints.
 [Extern] hints may be implemented with the full Ltac language.  This example shows a case where a hint uses a [match]. *)
 Variables P Q : A -> Prop.
 Hypothesis both : forall x, P x /\ Q x.
 Theorem forall_and : forall z, P z.
+(* begin thide *)
 crush.
 (** [crush] makes no progress beyond what [intros] would have accomplished.  [auto] will not apply the hypothesis [both] to prove the goal, because the conclusion of [both] does not unify with the conclusion of the goal.  However, we can teach [auto] to handle this kind of goal. *)
 Hint Extern 1 (P ?X) =>
 match goal with
 | [ H : forall x, P x /\ _ |- _ ] => apply (proj1 (H X))
 end.
 auto.
 Qed.
+(* end thide *)
 (** We see that an [Extern] pattern may bind unification variables that we use in the associated tactic.  [proj1] is a function from the standard library for extracting a proof of [R] from a proof of [R /\ S]. *)
 End forall_and.
 (** After our success on this example, we might get more ambitious and seek to generalize the hint to all possible predicates [P].
 Section garden_path.
 Variable P : A -> Prop.
 Variable g : A -> A.
 Hypothesis f_g : forall x, P x -> f x = g x.
+(* begin thide *)
 Hint Rewrite f_g using assumption : my_db.
+(* end thide *)
 Lemma f_f_f' : forall x, f (f (f x)) = f x.
+(* begin thide *)
 intros; autorewrite with my_db; reflexivity.
 Qed.
+(* end thide *)
 (** [autorewrite] will still use [f_g] when the generated premise is among our assumptions. *)
 Lemma f_f_f_g : forall x, P x -> f (f x) = g x.
+(* begin thide *)
 intros; autorewrite with my_db; reflexivity.
+(* end thide *)
 Qed.
 End garden_path.
 (** It can also be useful to use the [autorewrite with db in *] form, which does rewriting in hypotheses, as well as in the conclusion. *)
 Lemma in_star : forall x y, f (f (f (f x))) = f (f y)
 -> f x = f (f (f y)).
+(* begin thide *)
 intros; autorewrite with my_db in *; assumption.
+(* end thide *)
 Qed.
 End autorewrite.
 (** We have already seen many examples of Ltac programs.  In the rest of this chapter, we attempt to give a more principled introduction to the important features and design patterns.
 One common use for [match] tactics is identification of subjects for case analysis, as we see in this tactic definition. *)
+(* begin thide *)
 Ltac find_if :=
 match goal with
 | [ |- if ?X then _ else _ ] => destruct X
 end.
+(* end thide *)
 (** The tactic checks if the conclusion is an [if], [destruct]ing the test expression if so.  Certain classes of theorem are trivial to prove automatically with such a tactic. *)
 Theorem hmm : forall (a b c : bool),
 if a
 then True
 else True
 else if c
 then True
 else True.
+(* begin thide *)
 intros; repeat find_if; constructor.
 Qed.
+(* end thide *)
 (** The [repeat] that we use here is called a %\textit{%#<i>#tactical#</i>#%}%, or tactic combinator.  The behavior of [repeat t] is to loop through running [t], running [t] on all generated subgoals, running [t] on %\textit{%#<i>#their#</i>#%}% generated subgoals, and so on.  When [t] fails at any point in this search tree, that particular subgoal is left to be handled by later tactics.  Thus, it is important never to use [repeat] with a tactic that always succeeds.
 Another very useful Ltac building block is %\textit{%#<i>#context patterns#</i>#%}%. *)
+(* begin thide *)
 Ltac find_if_inside :=
 match goal with
 | [ |- context[if ?X then _ else _] ] => destruct X
 end.
+(* end thide *)
 (** The behavior of this tactic is to find any subterm of the conclusion that is an [if] and then [destruct] the test expression.  This version subsumes [find_if]. *)
 Theorem hmm' : forall (a b c : bool),
 if a
 then True
 else True
 else if c
 then True
 else True.
+(* begin thide *)
 intros; repeat find_if_inside; constructor.
 Qed.
+(* end thide *)
 (** We can also use [find_if_inside] to prove goals that [find_if] does not simplify sufficiently. *)
-Theorem duh2 : forall (a b : bool),
+Theorem hmm2 : forall (a b : bool),
 (if a then 42 else 42) = (if b then 42 else 42).
+(* begin thide *)
 intros; repeat find_if_inside; reflexivity.
 Qed.
+(* end thide *)
 (** Many decision procedures can be coded in Ltac via "[repeat match] loops."  For instance, we can implement a subset of the functionality of [tauto]. *)
+(* begin thide *)
 Ltac my_tauto :=
 repeat match goal with
 	   | [ H : ?P |- ?P ] => exact H
 	   | [ |- True ] => constructor
 	   | [ H1 : ?P -> ?Q, H2 : ?P |- _ ] =>
 	     let H := fresh "H" in
 	       generalize (H1 H2); clear H1; intro H
 	 end.
+(* end thide *)
 (** Since [match] patterns can share unification variables between hypothesis and conclusion patterns, it is easy to figure out when the conclusion matches a hypothesis.  The [exact] tactic solves a goal completely when given a proof term of the proper type.
 It is also trivial to implement the "introduction rules" for a few of the connectives.  Implementing elimination rules is only a little more work, since we must bind a name for a hypothesis to [destruct].
 Section propositional.
 Variables P Q R : Prop.
 Theorem propositional : (P \/ Q \/ False) /\ (P -> Q) -> True /\ Q.
+(* begin thide *)
 my_tauto.
 Qed.
+(* end thide *)
 End propositional.
 (** It was relatively easy to implement modus ponens, because we do not lose information by clearing every implication that we use.  If we want to implement a similarly-complete procedure for quantifier instantiation, we need a way to ensure that a particular proposition is not already included among our hypotheses.  To do that effectively, we first need to learn a bit more about the semantics of [match].
 It is tempting to assume that [match] works like it does in ML.  In fact, there are a few critical differences in its behavior.  One is that we may include arbitrary expressions in patterns, instead of being restricted to variables and constructors.  Another is that the same variable may appear multiple times, inducing an implicit equality constraint.
 Theorem m1 : True.
 match goal with
 | [ |- _ ] => intro
 | [ |- True ] => constructor
 end.
-Qed.
+(* begin thide *)
+Qed.
+(* end thide *)
 (** The first case matches trivially, but its body tactic fails, since the conclusion does not begin with a quantifier or implication.  In a similar ML match, that would mean that the whole pattern-match fails.  In Coq, we backtrack and try the next pattern, which also matches.  Its body tactic succeeds, so the overall tactic succeeds as well.
 The example shows how failure can move to a different pattern within a [match].  Failure can also trigger an attempt to find %\textit{%#<i>#a different way of matching a single pattern#</i>#%}%.  Consider another example: *)
 Q
 ]]
 By applying [pose], a convenient debugging tool for "leaking information out of [match]es," we see that this [match] first tries binding [H] to [H1], which cannot be used to prove [Q].  Nonetheless, the following variation on the tactic succeeds at proving the goal: *)
+(* begin thide *)
 match goal with
 | [ H : _ |- _ ] => exact H
 end.
 Qed.
+(* end thide *)
 (** The tactic first unifies [H] with [H1], as before, but [exact H] fails in that case, so the tactic engine searches for more possible values of [H].  Eventually, it arrives at the correct value, so that [exact H] and the overall tactic succeed. *)
 (** Now we are equipped to implement a tactic for checking that a proposition is not among our hypotheses: *)
+(* begin thide *)
 Ltac notHyp P :=
 match goal with
 | [ _ : P |- _ ] => fail 1
 | _ =>
 match P with
 | ?P1 /\ ?P2 => first [ notHyp P1 | notHyp P2 | fail 2 ]
 | _ => idtac
 end
 end.
+(* end thide *)
 (** We use the equality checking that is built into pattern-matching to see if there is a hypothesis that matches the proposition exactly.  If so, we use the [fail] tactic.  Without arguments, [fail] signals normal tactic failure, as you might expect.  When [fail] is passed an argument [n], [n] is used to count outwards through the enclosing cases of backtracking search.  In this case, [fail 1] says "fail not just in this pattern-matching branch, but for the whole [match]."  The second case will never be tried when the [fail 1] is reached.
 This second case, used when [P] matches no hypothesis, checks if [P] is a conjunction.  Other simplifications may have split conjunctions into their component formulas, so we need to check that at least one of those components is also not represented.  To achieve this, we apply the [first] tactical, which takes a list of tactics and continues down the list until one of them does not fail.  The [fail 2] at the end says to [fail] both the [first] and the [match] wrapped around it.
 The body of the [?P1 /\ ?P2] case guarantees that, if it is reached, we either succeed completely or fail completely.  Thus, if we reach the wildcard case, [P] is not a conjunction.  We use [idtac], a tactic that would be silly to apply on its own, since its effect is to succeed at doing nothing.  Nonetheless, [idtac] is a useful placeholder for cases like what we see here.
 With the non-presence check implemented, it is easy to build a tactic that takes as input a proof term and adds its conclusion as a new hypothesis, only if that conclusion is not already present, failing otherwise. *)
+(* begin thide *)
 Ltac extend pf :=
 let t := type of pf in
 notHyp t; generalize pf; intro.
+(* end thide *)
 (** We see the useful [type of] operator of Ltac.  This operator could not be implemented in Gallina, but it is easy to support in Ltac.  We end up with [t] bound to the type of [pf].  We check that [t] is not already present.  If so, we use a [generalize]/[intro] combo to add a new hypothesis proved by [pf].
 With these tactics defined, we can write a tactic [completer] for adding to the context all consequences of a set of simple first-order formulas. *)
+(* begin thide *)
 Ltac completer :=
 repeat match goal with
 | [ |- _ /\ _ ] => constructor
 	   | [ H : _ /\ _ |- _ ] => destruct H
 | [ H : ?P -> ?Q, H' : ?P |- _ ] =>
 | [ |- forall x, _ ] => intro
 | [ H : forall x, ?P x -> _, H' : ?P ?X |- _ ] =>
 extend (H X H')
 end.
+(* end thide *)
 (** We use the same kind of conjunction and implication handling as previously.  Note that, since [->] is the special non-dependent case of [forall], the fourth rule handles [intro] for implications, too.
 In the fifth rule, when we find a [forall] fact [H] with a premise matching one of our hypotheses, we add the appropriate instantiation of [H]'s conclusion, if we have not already added it.
 Hypothesis H1 : forall x, P x -> Q x /\ R x.
 Hypothesis H2 : forall x, R x -> S x.
 Theorem fo : forall x, P x -> S x.
+(* begin thide *)
 completer.
 (** [[
 x : A
 H : P x
 S x
 ]] *)
 assumption.
 Qed.
+(* end thide *)
 End firstorder.
 (** We narrowly avoided a subtle pitfall in our definition of [completer].  Let us try another definition that even seems preferable to the original, to the untrained eye. *)
+(* begin thide *)
 Ltac completer' :=
 repeat match goal with
 | [ |- _ /\ _ ] => constructor
 	   | [ H : _ /\ _ |- _ ] => destruct H
 | [ H : ?P -> _, H' : ?P |- _ ] =>
 | [ |- forall x, _ ] => intro
 | [ H : forall x, ?P x -> _, H' : ?P ?X |- _ ] =>
 extend (H X H')
 end.
+(* end thide *)
 (** The only difference is in the modus ponens rule, where we have replaced an unused unification variable [?Q] with a wildcard.  Let us try our example again with this version: *)
 Section firstorder'.
 Variable A : Set.
 Hypothesis H1 : forall x, P x -> Q x /\ R x.
 Hypothesis H2 : forall x, R x -> S x.
 Theorem fo' : forall x, P x -> S x.
+(* begin thide *)
 (** [[
 completer'.
 Coq loops forever at this point.  What went wrong? *)
 Abort.
+(* end thide *)
 End firstorder'.
 (** A few examples should illustrate the issue.  Here we see a [match]-based proof that works fine: *)
 Theorem t1 : forall x : nat, x = x.
 match goal with
 | [ |- forall x, _ ] => trivial
 end.
-Qed.
+(* begin thide *)
+Qed.
+(* end thide *)
 (** This one fails. *)
+(* begin thide *)
 Theorem t1' : forall x : nat, x = x.
 (** [[
 match goal with
 | [ |- forall x, ?P ] => trivial
 [[
 User error: No matching clauses for match goal
 ]] *)
 Abort.
+(* end thide *)
 (** The problem is that unification variables may not contain locally-bound variables.  In this case, [?P] would need to be bound to [x = x], which contains the local quantified variable [x].  By using a wildcard in the earlier version, we avoided this restriction.
 The Coq 8.2 release includes a special pattern form for a unification variable with an explicit set of free variables.  That unification variable is then bound to a function from the free variables to the "real" value.  In Coq 8.1 and earlier, there is no such workaround.
 No matter which version you use, it is important to be aware of this restriction.  As we have alluded to, the restriction is the culprit behind the infinite-looping behavior of [completer'].  We unintentionally match quantified facts with the modus ponens rule, circumventing the "already present" check and leading to different behavior. *)
 (** * Functional Programming in Ltac *)
+(* EX: Write a list length function in Ltac. *)
 (** Ltac supports quite convenient functional programming, with a Lisp-with-syntax kind of flavor.  However, there are a few syntactic conventions involved in getting programs to be accepted.  The Ltac syntax is optimized for tactic-writing, so one has to deal with some inconveniences in writing more standard functional programs.
 To illustrate, let us try to write a simple list length function.  We start out writing it just like in Gallina, simply replacing [Fixpoint] (and its annotations) with [Ltac].
 Error: The reference S was not found in the current environment
 ]]
 The problem is that Ltac treats the expression [S (length ls')] as an invocation of a tactic [S] with argument [length ls'].  We need to use a special annotation to "escape into" the Gallina parsing nonterminal. *)
+(* begin thide *)
 Ltac length ls :=
 match ls with
 | nil => O
 | _ :: ?ls' => constr:(S (length ls'))
 end.
 n := 3 : nat
 ============================
 False
 ]] *)
 Abort.
+(* end thide *)
+(* EX: Write a list map function in Ltac. *)
 (** We can also use anonymous function expressions and local function definitions in Ltac, as this example of a standard list [map] function shows. *)
+(* begin thide *)
 Ltac map T f :=
 let rec map' ls :=
 match ls with
 | nil => constr:(@nil T)
 | ?x :: ?ls' =>
 l := (1, 1) :: (2, 2) :: (3, 3) :: nil : list (nat * nat)
 ============================
 False
 ]] *)
 Abort.
+(* end thide *)
 (** * Recursive Proof Search *)
 (** Deciding how to instantiate quantifiers is one of the hardest parts of automated first-order theorem proving.  For a given problem, we can consider all possible bounded-length sequences of quantifier instantiations, applying only propositional reasoning at the end.  This is probably a bad idea for almost all goals, but it makes for a nice example of recursive proof search procedures in Ltac.
 We can consider the maximum "dependency chain" length for a first-order proof.  We define the chain length for a hypothesis to be 0, and the chain length for an instantiation of a quantified fact to be one greater than the length for that fact.  The tactic [inster n] is meant to try all possible proofs with chain length at most [n]. *)
+(* begin thide *)
 Ltac inster n :=
 intuition;
 match n with
 | S ?n' =>
 match goal with
 | [ H : forall x : ?T, _, x : ?T |- _ ] => generalize (H x); inster n'
 end
 end.
+(* end thide *)
 (** [inster] begins by applying propositional simplification.  Next, it checks if any chain length remains.  If so, it tries all possible ways of instantiating quantified hypotheses with properly-typed local variables.  It is critical to realize that, if the recursive call [inster n'] fails, then the [match goal] just seeks out another way of unifying its pattern against proof state.  Thus, this small amount of code provides an elegant demonstration of how backtracking [match] enables exhaustive search.
 We can verify the efficacy of [inster] with two short examples.  The built-in [firstorder] tactic (with no extra arguments) is able to prove the first but not the second. *)
 imp.
 Qed.
 (** The first order of business in crafting our [matcher] tactic will be auxiliary support for searching through formula trees.  The [search_prem] tactic implements running its tactic argument [tac] on every subformula of an [imp] premise.  As it traverses a tree, [search_prem] applies some of the above lemmas to rewrite the goal to bring different subformulas to the head of the goal.  That is, for every subformula [P] of the implication premise, we want [P] to "have a turn," where the premise is rearranged into the form [P /\ Q] for some [Q].  The tactic [tac] should expect to see a goal in this form and focus its attention on the first conjunct of the premise. *)
+(* begin thide *)
 Ltac search_prem tac :=
 let rec search P :=
 tac
 || (apply and_True_prem; tac)
 || match P with
 intros;
 repeat search_prem ltac:(apply False_prem || (apply ex_prem; intro));
 repeat search_conc ltac:(apply True_conc || eapply ex_conc
 || search_prem ltac:(apply Match));
 try apply imp_True.
+(* end thide *)
 (** Our tactic succeeds at proving a simple example. *)
 Theorem t2 : forall P Q : Prop,
 Q /\ (P /\ False) /\ P --> P /\ Q.
 (ex_conc (fun x0 : nat => P x0) x
 (Match (P:=P x) (imp_True (P:=True))))))))
 : forall (P : nat -> Prop) (Q : Prop),
 (exists x : nat, P x /\ Q) --> Q /\ (exists x : nat, P x)
 ]] *)

Mercurial > cpdt > repo

comparison src/Match.v @ 141:ce4cc7fa9b2b