SlideShare uma empresa Scribd logo

Coq Tutorial

T
tmiya

2011/04/23 Coq Tutorial at Formal Methods Forum

Tecnologia
1 de 82
Baixar para ler offline
Formal Methods Forum Coq @tmiya April 20,2011 @tmiya : Coq , 1
0. Coq Coq Coq Coq • • Coq • • @tmiya : Coq , 2
1. Coq Lightweight • ( ) • • • • • • ( ) • • • or @tmiya : Coq , 3
1. Coq Coq INRIA OCaml CIC = Calculus of Inductive Construction tactic tactic Coq Coq OCaml, Haskell, Scheme @tmiya : Coq , 4
2. Coq Coq Coqtop, CoqIDE CUI Coqtop / : % coqtop Welcome to Coq 8.3pl1 (December 2010) Coq < Eval compute in (2+3). = 5 : nat Coq < Quit. % Coq CoqIDE coqide @tmiya : Coq , 5
2. Coq Proof General : emacs Proof General ~/.emacs (load-file "***/ProofGeneral/generic/proof-site.el") proof-site.el Coq (*.v) Proof General @tmiya : Coq , 6
3. Coq Coq < Definition x := 1. (* x *) x is defined (* := *) Coq < Check x. (* x *) x : nat (* nat = *) Coq < Print x. (* x *) x = 1 : nat Coq < Definition x := 2. (* x *) Error: x already exists (* --> *) Reset x. Module ( ) @tmiya : Coq , 7
3. Coq 1 2 Coq < Definition f x y := x - y. (* f *) f is defined Coq < Check f. f : nat -> nat -> nat (* nat->(nat->nat) *) Coq < Definition f’ := f 3. (* f’ y = f 3 y *) f’ is defined Coq < Check f’. f’ : nat -> nat (* nat nat *) Coq < Eval compute in (f’ 1). (* f’ 1 = f 3 1 = 2 *) = 2 : nat ( @tmiya : Coq , 8
3. Coq Coq < Check (fun x => 2 * x). (* *) fun x : nat => 2 * x : nat -> nat Coq < Eval compute in ((fun x => 2 * x) 3). = 6 : nat Coq < Definition double := (fun x => 2 * x). double is defined (* double *) Coq . @tmiya : Coq , 9
3. Coq Coq < Definition twice(f:nat->nat):nat->nat := Coq < fun x => f (f x). twice is defined Coq < Definition add5(x:nat) := x + 5. add5 is defined Coq < Definition twice_add5 := twice add5. twice_add5 is defined Coq < Eval compute in (twice_add5 2). = 12 : nat @tmiya : Coq , 10
3.1. int, float Coq nat ( ) Weekday Coq < Inductive Weekday : Set := Coq < Sun | Mon | Tue | Wed | Thr | Fri | Sat. Coq < Check Sun. Sun (* Sun *) : Weekday (* Weekday *) Coq < Check Weekday. Weekday (* *) : Set (* Set *) Set @tmiya : Coq , 11
3.1. ( ) Coq < Definition nextday d := Coq < match d with Coq < | Sun => Mon : (* *) Coq < | Sat => Sun Coq < end. nextday is defined Coq < Check nextday. nextday (* *) : Weekday -> Weekday Coq < Eval compute in (nextday Mon). (* *) prevday @tmiya : Coq , 12
3.1. Bool Coq < Inductive Bool : Set := Coq < | tru : Bool Coq < | fls : Bool. Coq < Definition And(b1 b2:Bool):Bool := Coq < match b1,b2 with Coq < | tru,tru => tru Coq < | _,_ => fls Coq < end. Or, Not Eval @tmiya : Coq , 13
3.1. bool ( ) bool Coq < Print bool. Coq < Print andb. Coq < Print orb. Coq < Print negb. bool Coq < Print unit. @tmiya : Coq , 14
3.1. De Morgan (1) Coq < Theorem De_Morgan_1 : forall b1 b2, Coq < Not (And b1 b2) = Or (Not b1) (Not b2). 1 subgoal ============================ forall b1 b2 : Bool, Not (And b1 b2) = Or (Not b1) (Not b2) De_Morgan_1 < intros. 1 subgoal (* b1 b2 *) b1 : Bool b2 : Bool ============================ Not (And b1 b2) = Or (Not b1) (Not b2) @tmiya : Coq , 15
3.1. De Morgan (2) De_Morgan_1 < destruct b1; destruct b2. 4 subgoals (* b1 b2 *) ============================ Not (And tru tru) = Or (Not tru) (Not tru) subgoal 2 is: Not (And tru fls) = Or (Not tru) (Not fls) subgoal 3 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 4 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 16
3.1. De Morgan (3) De_Morgan_1 < simpl. 4 subgoals (* *) ============================ fls = fls (* *) De_Morgan_1 < reflexivity. 3 subgoals (* = *) ============================ Not (And tru fls) = Or (Not tru) (Not fls) subgoal 2 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 3 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 17
3.1. De Morgan (4) De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. Proof completed. De_Morgan_1 < Qed. intros. destruct b1; destruct b2. simpl in |- *. reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. De_Morgan_1 is defined Not (Or b1 b2) = And (Not b1) (Not b2) @tmiya : Coq , 18
3.1. 1. Yes, Maybe, No Bool3 2. Bool3 And3, Or3, Not3 3. ( ) De Morgan @tmiya : Coq , 19
3.2. nat nat ( ) Coq < Print nat. Inductive nat : Set := O : nat | S : nat -> nat O( O) 0 S nat nat Peano Coq < Eval compute in (S (S (S O))). = 3 : nat S (S (S O)) Coq 3 @tmiya : Coq , 20
3.2. nat n Coq < Fixpoint add(n m:nat):nat := Coq < match n with Coq < | O => m Coq < | S n’ => S (add n’ m) Coq < end. add is recursively defined (decreasing on 1st argument) Fixpoint ( O) 0 S nat 1 nat Peano Coq < Eval compute in (add (S (S O)) (S O)). = 3 : nat (call-by-value) @tmiya : Coq , 21
3.2. nat _,_ OK Coq < Fixpoint eq_nat(n m:nat):bool := Coq < match n,m with Coq < | O,O => true Coq < | S n’, S m’ => eq_nat n’ m’ Coq < | _,_ => false Coq < end. Coq < Eval compute in (eq_nat 3 3). le_nat le_nat n m n≤m Coq ( ) @tmiya : Coq , 22
3.2. Coq ( ) n ({struct n} Coq ) Coq < Fixpoint add’(n m:nat){struct n} := Coq < match n with Coq < | O => m Coq < | S n’ => S (add’ n’ m) Coq < end. add’ is recursively defined (decreasing on 1st argument) add’ 2 3 add’ add’ (S (S O)) 3 = S (add’ (S O) 3) = S (S (add’ O 3)) = S (S 3) = 5. @tmiya : Coq , 23
3.2. ( ) Coq ( )( ) Coq ( Coq ) Coq ( ) (Coq ) Coq @tmiya : Coq , 24
3.2. 1. mul add 2. mul fact 3. sub n=0 sub 0 m = 0 4. div3 Eval Fixpoint div3(n:nat) := match n with | S (S (S n’)) => S (div3 n’) | _ => O end. sub div n m Coq ( ) @tmiya : Coq , 25
3.3. cond c vt vf c:bool true vt false vf vt, vf Set A Coq < Definition cond{A:Set}(c:bool)(vt vf:A) := Coq < match c with Coq < | true => vt Coq < | false => vf Coq < end. Coq < Eval compute in (cond true 2 3). = 2 : nat Coq < Eval compute in (cond false false true). = true : bool {A:Set} cond A ( ) Coq < Eval compute in (@cond nat false 2 3). @tmiya : Coq , 26
3.3. option ( ) null option (Haskell Maybe ) ( Coq sumor ) Coq < Print option. Inductive option (A : Type) : Type := Some : A -> option A | None : option A Definition option_map {A B:Type} (f:A->B)(o:option A) := match o with | Some a => Some (f a) | None => None end. Coq < Eval compute in (option_map (fun x => x + 1) (Some 1)). @tmiya : Coq , 27
3.3. prod sum prod A B A B prod A B A * B ( x , y , .. , z ) (pair .. (pair x y) .. z) Coq < Check (2,true,3). (2, true, 3) : nat * bool * nat prod fst, snd sum A B A B Coq < Definition test_sum (s:sum nat bool) := Coq < match s with Coq < | inl n => n Coq < | inr true => 1 Coq < | inr false => 0 Coq < end. prod, sum Curry-Howard @tmiya : Coq , 28
3.3. List List List :: cons Type Set (Check Set. ) Coq < Require Import List. Coq < Print list. Inductive list (A : Type) : Type := nil : list A | cons : A -> list A -> list A Coq < Check (1::2::nil). 1 :: 2 :: nil : list nat @tmiya : Coq , 29
3.3. List List List nil x::xs Coq < Fixpoint append{A:Type}(xs ys:list A):= Coq < match xs with Coq < | nil => ys Coq < | x::xs’ => x::(append xs’ ys) Coq < end. Coq < Eval compute in (append (1::2::nil) (3::4::nil)). Coq < Fixpoint olast{A:Type}(xs:list A):option A := Coq < match xs with Coq < | nil => None Coq < | a::nil => Some a Coq < | _::xs’ => olast xs’ Coq < end. Coq < Eval compute in (olast (1::2::3::nil)). @tmiya : Coq , 30
3.3. List 1. len{A:Type}(xs:list A):nat Eval compute in (len (1::2::3::nil)). 2. list bool true true all_true(xs:list bool):bool nil true 3. x Some x None ohead{A:Type}(xs:list A):option A 4. s, n s :: s+1 :: ... :: (s+n-1) :: nil nat_list(s n:nat):list nat 5. reverse{A:Type}(xs:list A):list A append @tmiya : Coq , 31
4. Bool De Morgan P Q ¬(P ∧ Q) ¬P ∨ ¬Q F F T T F T T T T F T T T T F F Bool, nat Inductive (nat O S n ) Coq Prop ( ) @tmiya : Coq , 32
4. P P ¬P ( ) ab a, b √ √ √ 2 1. a = b = 2 a, b ab = 2 √ √2 √ 2. ab √ a = √2 , b = 2 √ a, b √ 2 √2 √ 2 2 √ 2 ab = ( 2 ) = 2 = 2 =2 √ √ 2 2 (P) (~P) ab a, b ab a, b @tmiya : Coq , 33
4. ( ) Modus Ponens A A B B (Γ = ( ) ) Γ A Γ A → B (→ ) Γ B ( )→ Coq B Hab : A → B apply Hab. tactic A Ha : A exact Ha. @tmiya : Coq , 34
4. Coq tactic tactic assumption. exact H. trivial. ... H : A ... ------------------------ A exact . A∈Γ ( ) Γ A @tmiya : Coq , 35
4.1. → → A → B (CUI A -> B ) A intro Ha. tactic Ha : A B Coq ... Γ, A B (→ ) Γ A→B H1 → H2 → · · · → Hn → B intros H1 H2 ... Hn. intro intro. intros. Coq → Modus Ponens tactic apply . @tmiya : Coq , 36
4.1. → → (1) tactic Set P Prop P P P p : P ( Set, Prop Type ) Section imp_sample. Variables P Q R : Prop. Theorem imp_sample : (P -> (Q -> R)) -> (P -> Q) -> P -> R. 1 subgoal ============================ (P -> Q -> R) -> (P -> Q) -> P -> R === tactic → intro(s) @tmiya : Coq , 37
4.1. → → (2) → intros tactic intro(s) imp_sample < intros pqr pq p. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ R R pqr apply pqr. @tmiya : Coq , 38
4.1. → → (3) R apply pqr. pqr P -> Q -> P Q imp_sample < apply pqr. 2 subgoals pqr : P -> Q -> R pq : P -> Q p : P ============================ P subgoal 2 is: Q P assumption. @tmiya : Coq , 39
4.1. → → (4) P assumption. Q imp_sample < assumption. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ Q Q @tmiya : Coq , 40
4.1. → → (5) imp_sample < apply pq. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ P imp_sample < assumption. Proof completed. imp_sample < Qed. Qed. @tmiya : Coq , 41
4.2. ∧ ∧ (1) P ∧Q P Q pq : P / Q destruct pq as [p q]. tactic p : P q : Q destruct pq. p,q Coq P ∧Q P Q P ∧Q split. tactic P / Q P, Q Coq < Variable P Q R:Prop. Coq < Theorem and_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 42
4.2. ∧ ∧ (2) intro → ∧ and_assoc < intro pqr. 1 subgoal pqr : (P / Q) / R ============================ P / Q / R and_assoc < destruct pqr as [[p q] r]. 1 subgoal p : P q : Q r : R ============================ P / Q / R @tmiya : Coq , 43
4.2. ∧ ∧ (3) assumption ; tactic split assumption and_assoc < split. 2 subgoals ============================ P subgoal 2 is: Q / R and_assoc < assumption. 1 subgoal ============================ Q / R and_assoc < split; assumption. Proof completed. and_assoc < Qed. @tmiya : Coq , 44
4.3. ∨ ∨ (1) P ∨Q P Q pq : P / Q destruct pq as [pq].— tactic p : P q : Q destruct pq. p,q Coq P ∨Q P Q P ∨Q left. right. tactic P Q Coq < Variable P Q R:Prop. Coq < Theorem or_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 45
4.3. ∨ ∨ (2) intro → ∨ and_assoc < intro pqr. or_assoc < destruct pqr as [[p|q]|r]. 3 subgoals p : P ============================ P / Q / R subgoal 2 is: P / Q / R subgoal 3 is: P / Q / R @tmiya : Coq , 46
4.3. ∨ ∨ (3) assumption or_assoc < left. 3 subgoals p : P ============================ P or_assoc < assumption. 2 subgoals q : Q ============================ P / Q / R or_assoc < right; left. 2 subgoals q : Q ============================ Q OK @tmiya : Coq , 47
4.4. ¬ ¬ (1) ¬P P → False False Inductive False : Prop := ~P intro p. p : P False H : False elim H. np : ~P elim np. P (¬¬P P ) ( ) @tmiya : Coq , 48
4.4. ¬ ¬ (2) Coq < Theorem neg_sample : ~(P / ~P). 1 subgoal ============================ ~ (P / ~ P) neg_sample < intro. 1 subgoal H : P / ~ P ============================ False @tmiya : Coq , 49
4.4. ¬ ¬ (3) neg_sample < destruct H as [p np]. 1 subgoal p : P np : ~ P ============================ False neg_sample < elim np. p : P np : ~ P ============================ P neg_sample < assumption. Proof completed. @tmiya : Coq , 50
4.4. ¬ Variable A B C D:Prop. Theorem ex4_1 : (A -> C) / (B -> D) / A / B -> C / D. Theorem ex4_2 : ~~~A -> ~A. Theorem ex4_3 : (A -> B) -> ~B -> ~A. Theorem ex4_4 : ((((A -> B) -> A) -> A) -> B) -> B. Theorem ex4_5 : ~~(A/~A). @tmiya : Coq , 51
5. Curry-Howard Curry-Howard (1) Theorem imp_sample’ : (P -> (Q -> R)) -> (P -> Q) -> P -> R. imp_sample’ < intros pqr pq p. imp_sample’ < Check pq. pq : P -> Q imp_sample’ < Check (pq p). pq p : Q pq P -> Q P Q pq p Q @tmiya : Coq , 52
5. Curry-Howard Curry-Howard (2) pqr, pq, p R exact tactic imp_sample’ < Check (pqr p (pq p)). pqr p (pq p) : R imp_sample’ < exact (pqr p (pq p)). Proof completed. imp_sample Print Coq < Print imp_sample. imp_sample = fun (pqr : P -> Q -> R) (pq : P -> Q) (p : P) => pqr p (pq p) : (P -> Q -> R) -> (P -> Q) -> P -> R @tmiya : Coq , 53
5. Curry-Howard Curry-Howard (3) P P P→Q P -> Q Γ P ΓP→Q (→ ) pq p Γ Q Γ, P Q (→ ) pq (p:P):Q Γ P→Q P ∧Q prod { (P,Q) inl P P ∨Q sum inr Q Curry-Howard Curry-Howard = Coq @tmiya : Coq , 54
5. Curry-Howard Curry-Howard (4) Coq ( ) Java (P → Q → R) → (P → Q) → P → R interface Fun<A,B> { public B apply(A a); } public class P {} public class Q {} public class R {} public class Proof { public R imp_sample(Fun<P,Fun<Q,R>> pqr, Fun<P,Q> pq, P p) { return pqr.apply(p).apply(pq.apply(p)); } } (Java prod sum ¬ Java ) @tmiya : Coq , 55
6. a:A P a (∀a : A, P a) : forall (a:A), P a a:A P a (∃a : A, P a) : exists (a:A), P a Coq P a:A P a:Prop A -> Prop Coq a:A P : A → Prop Coq < Definition iszero(n:nat):Prop := Coq < match n with Coq < | O => True Coq < | _ => False Coq < end. iszero is defined @tmiya : Coq , 56
6. ∀ (1) forall intro(s) forall x:X x:X -> Coq < Theorem sample_forall : forall (X:Type)(P Q:X->Prop)(x:X), P x -> (forall y:X, Q y) -> (P x / Q x). ============================ forall (X : Type) (P Q : X -> Prop) (x : X), P x -> (forall y : X, Q y) -> P x / Q x sample_forall < intros X P Q x px Hqy. X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ P x / Q x @tmiya : Coq , 57
6. ∀ (2) forall y:X y X sample_forall < split. (* P x Q x *) sample_forall < assumption. (* P x px *) 1 subgoal X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ Q x sample_forall < apply (Hqy x). (* Hqy y x *) Proof completed. @tmiya : Coq , 58
6.2. ∃ ∃ (1) Coq < Theorem sample_exists : forall (P Q:nat->Prop), Coq < (forall n, P n) -> (exists n, Q n) -> Coq < (exists n, P n / Q n). sample_exists < intros P Q Hpn Hqn. 1 subgoal P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n @tmiya : Coq , 59
6.2. ∃ ∃ (2) exists destruct sample_exists < intros P Q Hpn Hqn. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n sample_exists < destruct Hqn as [n’ qn’]. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n @tmiya : Coq , 60
6.2. ∃ ∃ (3) exists x:X x:X exists x. sample_exists < destruct Hqn as [n’ qn’]. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n sample_exists < exists n’. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ P n’ / Q n’ (* *) @tmiya : Coq , 61
6.2. ∃ Theorem ex5_1 : forall (A:Set)(P:A->Prop), (~ exists a, P a) -> (forall a, ~P a). Theorem ex5_2 : forall (A:Set)(P Q:A->Prop), (exists a, P a / Q a) -> (exists a, P a) / (exists a, Q a). Theorem ex5_3 : forall (A:Set)(P Q:A->Prop), (exists a, P a) / (exists a, Q a) -> (exists a, P a / Q a). Theorem ex5_4 : forall (A:Set)(R:A->A->Prop), (exists x, forall y, R x y) -> (forall y, exists x, R x y). Theorem ex5_5 : forall (A:Set)(R:A->A->Prop), (forall x y, R x y -> R y x) -> (forall x y z, R x y -> R y z -> R x z) -> (forall x, exists y, R x y) -> (forall x, R x x). @tmiya : Coq , 62
6.3. = = (1) eq (= ) Inductive eq (A : Type) (x : A) : A -> Prop := refl_equal : x = x Coq (nat bool ) (nat O Sn ) (S m Sn m=n ) ============================ n = n apply (refl_equal n). tactic reflexivity. @tmiya : Coq , 63
6.3. = = (2) plus Print plus. tactic simpl. Coq < Theorem plus_0_l : forall n, 0 + n = n. plus_0_l < intro n. n : nat ============================ 0 + n = n plus_0_l < simpl. n : nat ============================ n = n plus_0_l < reflexivity. Proof completed. @tmiya : Coq , 64
6.4. (1) ∀n : nat, n + 0 = n simpl. ============================ n + 0 = n plus_0_r < simpl. ============================ n + 0 = n plus n m n n 1. n = 0 n+0=n 2. n = n n+0=n n=Sn n+0=n @tmiya : Coq , 65
6.4. (2) n induction n as [|n’]. induction n. tactic Coq nat_ind (P ) Coq < Check nat_ind. nat_ind : forall P : nat -> Prop, P 0 -> (forall n : nat, P n -> P (S n)) -> forall n : nat, P n nat_ind nat O : nat S : nat -> nat Inductive bool bool_ind bool_ind : forall P : bool -> Prop, P true -> P false -> forall b : bool, P b @tmiya : Coq , 66
6.4. (3) induction n as [|n’]. n 0 S n’ reflexivity. OK (simpl. ) Coq < Theorem plus_0_r : forall n:nat, n + 0 = n. plus_0_r < induction n as [|n’]. 2 subgoals ============================ 0 + 0 = 0 subgoal 2 is: S n’ + 0 = S n’ plus_0_r < reflexivity. 1 subgoal n’ : nat IHn’ : n’ + 0 = n’ ============================ S n’ + 0 = S n’ @tmiya : Coq , 67
6.4. (4) n = S n’ n = n’ IHn’ S n’ + 0 = S n’ simpl. plus S (n’ + 0)= S n’ IHn’ n’ + 0 n’ rewrite IHn’. rewrite ============================ S n’ + 0 = S n’ plus_0_r < simpl. IHn’ : n’ + 0 = n’ ============================ S (n’ + 0) = S n’ plus_0_r < rewrite IHn’. IHn’ : n’ + 0 = n’ ============================ S n’ = S n’ @tmiya : Coq , 68
6.4. :m + n = n + m SearchAbout Coq < SearchAbout plus. plus_n_O: forall n : nat, n = n + 0 plus_O_n: forall n : nat, 0 + n = n plus_n_Sm: forall n m : nat, S (n + m) = n + S m plus_Sn_m: forall n m : nat, S n + m = S (n + m) mult_n_Sm: forall n m : nat, n * m + n = n * S m rewrite ( rewrite <- plus_n_Sm n’ m. rewrite H. H rewrite <- H. ) Theorem plus_comm : forall m n:nat, m + n = n + m. @tmiya : Coq , 69
6.4. (5) nat list A Theorem length_app : forall (A:Type)(l1 l2:list A), length (l1 ++ l2) = length l1 + length l2. list cons induction l1 as [|a l1’]. ( induction l1.) induction ( l2) intro 1. intros A l1 l2. induction l1 as [|a l1’]. 2. intros A l1. induction l1 as [|a l1’]. intro l2. IHl1’ (Coqtop Undo. ) @tmiya : Coq , 70
6.4. : (1) List append reverse Require Import List. Fixpoint append{A:Type}(l1 l2:list A):= match l1 with | nil => l2 | a::l1’ => a::(append l1’ l2) end. Fixpoint reverse{A:Type}(l:list A):= match l with | nil => nil | a::l’ => append (reverse l’) (a::nil) end. Theorem reverse_reverse : forall (A:Type)(l:list A), reverse (reverse l) = l. @tmiya : Coq , 71
6.4. : (2) reverse_reverse Lemma append_nil : forall (A:Type)(l:list A), append l nil = l. Lemma append_assoc : forall (A:Type)(l1 l2 l3:list A), append (append l1 l2) l3 = append l1 (append l2 l3). Lemma reverse_append : forall (A:Type)(l1 l2:list A), reverse (append l1 l2) = append (reverse l2) (reverse l1). @tmiya : Coq , 72
7. (1) Coq nat minus(n m:nat) n≤m 0 n−m+m =n ( ) sub Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1. H n≤m n≤m 2. x = m−n x +n = m ( ) @tmiya : Coq , 73
7. (2) Coq nat Arith Require Import Arith. (* Arith *) Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1 subgoal m : nat n : nat H : n <= m ============================ {x : nat | x + n = m} m, n intro generalize dependent sub < generalize dependent m. sub < generalize dependent n. ============================ forall n m : nat, n <= m -> {x : nat | x + n = m} @tmiya : Coq , 74
7. (3) eapply, erewrite apply, rewrite Qed. Defined. induction n as [|n’]. (* n=0 *) intros m H. exists m. eapply plus_0_r. (* n=S n’ *) induction m as [|m’]; intro H. (* m=0 *) assert(H’: ~(S n’ <= 0)). eapply le_Sn_0. elim H’. assumption. (* m=S m’ *) assert(H’: n’ <= m’). eapply le_S_n. assumption. assert(IH: {x:nat|x+n’=m’}). eapply IHn’. assumption. destruct IH as [x IH]. exists x. erewrite <- plus_n_Sm. rewrite IH. reflexivity. Defined. @tmiya : Coq , 75
7. (4) sub Print sub. sub OCaml minus Coq < Extraction sub. (** val sub : nat -> nat -> nat **) let rec sub m = function | O -> m | S n0 -> (match m with | O -> assert false (* absurd case *) | S n1 -> let iH = sub n1 n0 in Obj.magic iH) OCaml H @tmiya : Coq , 76
7. (5) H Theorem le_2_5 : le 2 5. Proof. repeat eapply le_n_S. repeat constructor. Qed. Eval compute in (sub 5 2 le_2_5). (* *) Eval compute in (proj1_sig (sub 5 2 le_2_5)). (* = 3:nat *) {x|x+n=m} x proj1_sig @tmiya : Coq , 77
7. minus sub minus Definition sub’(m n:nat)(H:le n m) : {x:nat|x+n=m}. Proof. (* minus *) Defined. Coq 1. minus minus 2. minus sub’ 3. refine tactic (refine ) 4. sub @tmiya : Coq , 78
8. Coq tactic (auto, ring, omega ) (Arith, List, String ) Haskell, OCaml (inversion, refine ) tactic Module @tmiya : Coq , 79
8. Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions, Yves Berrot and Pierre Casteran (Springer-Verlag) : Coq Certified Programming with Dependent Types, Adam Chlipala (http://adam.chlipala.net/cpdt/) : Coq 2010 III (http://www.math.nagoya-u.ac.jp/~garrigue/lecture/ 2010_AW/index.html) : Garrigue PDF Coq in a Hurry, Yves Bertot (http://cel.archives-ouvertes.fr/docs/00/47/ 58/07/PDF/coq-hurry.pdf) : 2nd Asian-Pacific Summer School on Formal Methods (http://formes.asia/cms/coqschool/2010) : @tmiya : Coq , 80
8. Coq ProofCafe Coq CPDT Coq IT Coq Ruby, Clojure, Scala, Javascript Coq Coq http://coq.g.hatena.ne.jp/keyword/ProofCafe @tmiya : Coq , 81
8. Formal Methods Forum Coq ( ) ( ) Google group Coq 2010 Certified Programming with Dependent Types Coq Google group (http://groups.google.co.jp/group/fm-forum) Coq @tmiya : Coq , 82

Recomendados

Coqチュートリアル
CoqチュートリアルCoqチュートリアル
CoqチュートリアルYoshihiro Mizoguchi
 
「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界maruyama097
 
純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門Kimikazu Kato
 
書くネタがCoqしかない
書くネタがCoqしかない書くネタがCoqしかない
書くネタがCoqしかないMasaki Hara
 
よくわかるCoqプログラミング
よくわかるCoqプログラミングよくわかるCoqプログラミング
よくわかるCoqプログラミングReal_analysis
 
定理証明支援系Coqについて
定理証明支援系Coqについて定理証明支援系Coqについて
定理証明支援系CoqについてYoshihiro Mizoguchi
 
Introduction to Categorical Programming (Revised)
Introduction to Categorical Programming (Revised)Introduction to Categorical Programming (Revised)
Introduction to Categorical Programming (Revised)Masahiro Sakai
 
自動定理証明の紹介
自動定理証明の紹介自動定理証明の紹介
自動定理証明の紹介Masahiro Sakai
 

Recomendados

Coqチュートリアル
CoqチュートリアルCoqチュートリアル
CoqチュートリアルYoshihiro Mizoguchi
 
「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界maruyama097
 
純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門Kimikazu Kato
 
書くネタがCoqしかない
書くネタがCoqしかない書くネタがCoqしかない
書くネタがCoqしかないMasaki Hara
 
よくわかるCoqプログラミング
よくわかるCoqプログラミングよくわかるCoqプログラミング
よくわかるCoqプログラミングReal_analysis
 
定理証明支援系Coqについて
定理証明支援系Coqについて定理証明支援系Coqについて
定理証明支援系CoqについてYoshihiro Mizoguchi
 
Introduction to Categorical Programming (Revised)
Introduction to Categorical Programming (Revised)Introduction to Categorical Programming (Revised)
Introduction to Categorical Programming (Revised)Masahiro Sakai
 
自動定理証明の紹介
自動定理証明の紹介自動定理証明の紹介
自動定理証明の紹介Masahiro Sakai
 
AtCoder Beginner Contest 004 解説
AtCoder Beginner Contest 004 解説AtCoder Beginner Contest 004 解説
AtCoder Beginner Contest 004 解説AtCoder Inc.
 
証明プログラミング入門2
証明プログラミング入門2証明プログラミング入門2
証明プログラミング入門2Kyoko Kadowaki
 
機械学習モデルのハイパパラメータ最適化
機械学習モデルのハイパパラメータ最適化機械学習モデルのハイパパラメータ最適化
機械学習モデルのハイパパラメータ最適化gree_tech
 
証明プログラミング超入門
証明プログラミング超入門証明プログラミング超入門
証明プログラミング超入門Kyoko Kadowaki
 
単語・句の分散表現の学習
単語・句の分散表現の学習単語・句の分散表現の学習
単語・句の分散表現の学習Naoaki Okazaki
 
Rolling hash
Rolling hashRolling hash
Rolling hashHCPC: 北海道大学競技プログラミングサークル
 
SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更T. Suwa
 
すごい constexpr たのしくレイトレ!
すごい constexpr たのしくレイトレ!すごい constexpr たのしくレイトレ!
すごい constexpr たのしくレイトレ!Genya Murakami
 
最小カットを使って「燃やす埋める問題」を解く
最小カットを使って「燃やす埋める問題」を解く最小カットを使って「燃やす埋める問題」を解く
最小カットを使って「燃やす埋める問題」を解くshindannin
 
暗号文のままで計算しよう - 準同型暗号入門 -
暗号文のままで計算しよう - 準同型暗号入門 -暗号文のままで計算しよう - 準同型暗号入門 -
暗号文のままで計算しよう - 準同型暗号入門 -MITSUNARI Shigeo
 
連続最適化勉強会
連続最適化勉強会連続最適化勉強会
連続最適化勉強会shima o
 
constexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだ
constexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだconstexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだ
constexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだGenya Murakami
 
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~Takuya Akiba
 
[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...
[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...
[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...Deep Learning JP
 
Numpy scipyで独立成分分析
Numpy scipyで独立成分分析Numpy scipyで独立成分分析
Numpy scipyで独立成分分析Shintaro Fukushima
 
π計算
π計算π計算
π計算Yuuki Takano
 
文脈自由文法の話
文脈自由文法の話文脈自由文法の話
文脈自由文法の話kogecoo
 
スパースモデリング入門
スパースモデリング入門スパースモデリング入門
スパースモデリング入門Hideo Terada
 
EMアルゴリズム
EMアルゴリズムEMアルゴリズム
EMアルゴリズムSotetsu KOYAMADA(小山田創哲)
 
バンディットアルゴリズム入門と実践
バンディットアルゴリズム入門と実践バンディットアルゴリズム入門と実践
バンディットアルゴリズム入門と実践智之 村上
 
Coq for ML users
Coq for ML usersCoq for ML users
Coq for ML userstmiya
 
Proofsummit2011a
Proofsummit2011aProofsummit2011a
Proofsummit2011atmiya
 

Mais conteúdo relacionado

Mais procurados

AtCoder Beginner Contest 004 解説
AtCoder Beginner Contest 004 解説AtCoder Beginner Contest 004 解説
AtCoder Beginner Contest 004 解説AtCoder Inc.
 
証明プログラミング入門2
証明プログラミング入門2証明プログラミング入門2
証明プログラミング入門2Kyoko Kadowaki
 
機械学習モデルのハイパパラメータ最適化
機械学習モデルのハイパパラメータ最適化機械学習モデルのハイパパラメータ最適化
機械学習モデルのハイパパラメータ最適化gree_tech
 
証明プログラミング超入門
証明プログラミング超入門証明プログラミング超入門
証明プログラミング超入門Kyoko Kadowaki
 
単語・句の分散表現の学習
単語・句の分散表現の学習単語・句の分散表現の学習
単語・句の分散表現の学習Naoaki Okazaki
 
SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更T. Suwa
 
すごい constexpr たのしくレイトレ!
すごい constexpr たのしくレイトレ!すごい constexpr たのしくレイトレ!
すごい constexpr たのしくレイトレ!Genya Murakami
 
最小カットを使って「燃やす埋める問題」を解く
最小カットを使って「燃やす埋める問題」を解く最小カットを使って「燃やす埋める問題」を解く
最小カットを使って「燃やす埋める問題」を解くshindannin
 
暗号文のままで計算しよう - 準同型暗号入門 -
暗号文のままで計算しよう - 準同型暗号入門 -暗号文のままで計算しよう - 準同型暗号入門 -
暗号文のままで計算しよう - 準同型暗号入門 -MITSUNARI Shigeo
 
連続最適化勉強会
連続最適化勉強会連続最適化勉強会
連続最適化勉強会shima o
 
constexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだ
constexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだconstexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだ
constexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだGenya Murakami
 
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~Takuya Akiba
 
[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...
[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...
[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...Deep Learning JP
 
Numpy scipyで独立成分分析
Numpy scipyで独立成分分析Numpy scipyで独立成分分析
Numpy scipyで独立成分分析Shintaro Fukushima
 
文脈自由文法の話
文脈自由文法の話文脈自由文法の話
文脈自由文法の話kogecoo
 
スパースモデリング入門
スパースモデリング入門スパースモデリング入門
スパースモデリング入門Hideo Terada
 
バンディットアルゴリズム入門と実践
バンディットアルゴリズム入門と実践バンディットアルゴリズム入門と実践
バンディットアルゴリズム入門と実践智之 村上
 

Mais procurados (20)

AtCoder Beginner Contest 004 解説
AtCoder Beginner Contest 004 解説AtCoder Beginner Contest 004 解説
AtCoder Beginner Contest 004 解説
 
証明プログラミング入門2
証明プログラミング入門2証明プログラミング入門2
証明プログラミング入門2
 
機械学習モデルのハイパパラメータ最適化
機械学習モデルのハイパパラメータ最適化機械学習モデルのハイパパラメータ最適化
機械学習モデルのハイパパラメータ最適化
 
証明プログラミング超入門
証明プログラミング超入門証明プログラミング超入門
証明プログラミング超入門
 
単語・句の分散表現の学習
単語・句の分散表現の学習単語・句の分散表現の学習
単語・句の分散表現の学習
 
Rolling hash
Rolling hashRolling hash
Rolling hash
 
SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更
 
すごい constexpr たのしくレイトレ!
すごい constexpr たのしくレイトレ!すごい constexpr たのしくレイトレ!
すごい constexpr たのしくレイトレ!
 
最小カットを使って「燃やす埋める問題」を解く
最小カットを使って「燃やす埋める問題」を解く最小カットを使って「燃やす埋める問題」を解く
最小カットを使って「燃やす埋める問題」を解く
 
暗号文のままで計算しよう - 準同型暗号入門 -
暗号文のままで計算しよう - 準同型暗号入門 -暗号文のままで計算しよう - 準同型暗号入門 -
暗号文のままで計算しよう - 準同型暗号入門 -
 
連続最適化勉強会
連続最適化勉強会連続最適化勉強会
連続最適化勉強会
 
constexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだ
constexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだconstexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだ
constexpr関数はコンパイル時処理。これはいい。実行時が霞んで見える。cpuの嬌声が聞こえてきそうだ
 
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
 
[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...
[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...
[DL輪読会]xDeepFM: Combining Explicit and Implicit Feature Interactions for Reco...
 
Numpy scipyで独立成分分析
Numpy scipyで独立成分分析Numpy scipyで独立成分分析
Numpy scipyで独立成分分析
 
π計算
π計算π計算
π計算
 
文脈自由文法の話
文脈自由文法の話文脈自由文法の話
文脈自由文法の話
 
スパースモデリング入門
スパースモデリング入門スパースモデリング入門
スパースモデリング入門
 
EMアルゴリズム
EMアルゴリズムEMアルゴリズム
EMアルゴリズム
 
バンディットアルゴリズム入門と実践
バンディットアルゴリズム入門と実践バンディットアルゴリズム入門と実践
バンディットアルゴリズム入門と実践
 

Mais de tmiya

Coq for ML users
Coq for ML usersCoq for ML users
Coq for ML userstmiya
 
Proofsummit2011a
Proofsummit2011aProofsummit2011a
Proofsummit2011atmiya
 
Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011tmiya
 
Typeclass
TypeclassTypeclass
Typeclasstmiya
 
RegExp20110305
RegExp20110305RegExp20110305
RegExp20110305tmiya
 
Coq setoid 20110129
Coq setoid 20110129Coq setoid 20110129
Coq setoid 20110129tmiya
 
Coq Party 20101127
Coq Party 20101127Coq Party 20101127
Coq Party 20101127tmiya
 
Maude20100719
Maude20100719Maude20100719
Maude20100719tmiya
 
Formal methods20100529
Formal methods20100529Formal methods20100529
Formal methods20100529tmiya
 
Coq 20100208a
Coq 20100208aCoq 20100208a
Coq 20100208atmiya
 

Mais de tmiya (10)

Coq for ML users
Coq for ML usersCoq for ML users
Coq for ML users
 
Proofsummit2011a
Proofsummit2011aProofsummit2011a
Proofsummit2011a
 
Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011
 
Typeclass
TypeclassTypeclass
Typeclass
 
RegExp20110305
RegExp20110305RegExp20110305
RegExp20110305
 
Coq setoid 20110129
Coq setoid 20110129Coq setoid 20110129
Coq setoid 20110129
 
Coq Party 20101127
Coq Party 20101127Coq Party 20101127
Coq Party 20101127
 
Maude20100719
Maude20100719Maude20100719
Maude20100719
 
Formal methods20100529
Formal methods20100529Formal methods20100529
Formal methods20100529
 
Coq 20100208a
Coq 20100208aCoq 20100208a
Coq 20100208a
 

Último

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Último (20)

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Coq Tutorial

  • 1. Formal Methods Forum Coq @tmiya April 20,2011 @tmiya : Coq , 1
  • 2. 0. Coq Coq Coq Coq • • Coq • • @tmiya : Coq , 2
  • 3. 1. Coq Lightweight • ( ) • • • • • • ( ) • • • or @tmiya : Coq , 3
  • 4. 1. Coq Coq INRIA OCaml CIC = Calculus of Inductive Construction tactic tactic Coq Coq OCaml, Haskell, Scheme @tmiya : Coq , 4
  • 5. 2. Coq Coq Coqtop, CoqIDE CUI Coqtop / : % coqtop Welcome to Coq 8.3pl1 (December 2010) Coq < Eval compute in (2+3). = 5 : nat Coq < Quit. % Coq CoqIDE coqide @tmiya : Coq , 5
  • 6. 2. Coq Proof General : emacs Proof General ~/.emacs (load-file "***/ProofGeneral/generic/proof-site.el") proof-site.el Coq (*.v) Proof General @tmiya : Coq , 6
  • 7. 3. Coq Coq < Definition x := 1. (* x *) x is defined (* := *) Coq < Check x. (* x *) x : nat (* nat = *) Coq < Print x. (* x *) x = 1 : nat Coq < Definition x := 2. (* x *) Error: x already exists (* --> *) Reset x. Module ( ) @tmiya : Coq , 7
  • 8. 3. Coq 1 2 Coq < Definition f x y := x - y. (* f *) f is defined Coq < Check f. f : nat -> nat -> nat (* nat->(nat->nat) *) Coq < Definition f’ := f 3. (* f’ y = f 3 y *) f’ is defined Coq < Check f’. f’ : nat -> nat (* nat nat *) Coq < Eval compute in (f’ 1). (* f’ 1 = f 3 1 = 2 *) = 2 : nat ( @tmiya : Coq , 8
  • 9. 3. Coq Coq < Check (fun x => 2 * x). (* *) fun x : nat => 2 * x : nat -> nat Coq < Eval compute in ((fun x => 2 * x) 3). = 6 : nat Coq < Definition double := (fun x => 2 * x). double is defined (* double *) Coq . @tmiya : Coq , 9
  • 10. 3. Coq Coq < Definition twice(f:nat->nat):nat->nat := Coq < fun x => f (f x). twice is defined Coq < Definition add5(x:nat) := x + 5. add5 is defined Coq < Definition twice_add5 := twice add5. twice_add5 is defined Coq < Eval compute in (twice_add5 2). = 12 : nat @tmiya : Coq , 10
  • 11. 3.1. int, float Coq nat ( ) Weekday Coq < Inductive Weekday : Set := Coq < Sun | Mon | Tue | Wed | Thr | Fri | Sat. Coq < Check Sun. Sun (* Sun *) : Weekday (* Weekday *) Coq < Check Weekday. Weekday (* *) : Set (* Set *) Set @tmiya : Coq , 11
  • 12. 3.1. ( ) Coq < Definition nextday d := Coq < match d with Coq < | Sun => Mon : (* *) Coq < | Sat => Sun Coq < end. nextday is defined Coq < Check nextday. nextday (* *) : Weekday -> Weekday Coq < Eval compute in (nextday Mon). (* *) prevday @tmiya : Coq , 12
  • 13. 3.1. Bool Coq < Inductive Bool : Set := Coq < | tru : Bool Coq < | fls : Bool. Coq < Definition And(b1 b2:Bool):Bool := Coq < match b1,b2 with Coq < | tru,tru => tru Coq < | _,_ => fls Coq < end. Or, Not Eval @tmiya : Coq , 13
  • 14. 3.1. bool ( ) bool Coq < Print bool. Coq < Print andb. Coq < Print orb. Coq < Print negb. bool Coq < Print unit. @tmiya : Coq , 14
  • 15. 3.1. De Morgan (1) Coq < Theorem De_Morgan_1 : forall b1 b2, Coq < Not (And b1 b2) = Or (Not b1) (Not b2). 1 subgoal ============================ forall b1 b2 : Bool, Not (And b1 b2) = Or (Not b1) (Not b2) De_Morgan_1 < intros. 1 subgoal (* b1 b2 *) b1 : Bool b2 : Bool ============================ Not (And b1 b2) = Or (Not b1) (Not b2) @tmiya : Coq , 15
  • 16. 3.1. De Morgan (2) De_Morgan_1 < destruct b1; destruct b2. 4 subgoals (* b1 b2 *) ============================ Not (And tru tru) = Or (Not tru) (Not tru) subgoal 2 is: Not (And tru fls) = Or (Not tru) (Not fls) subgoal 3 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 4 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 16
  • 17. 3.1. De Morgan (3) De_Morgan_1 < simpl. 4 subgoals (* *) ============================ fls = fls (* *) De_Morgan_1 < reflexivity. 3 subgoals (* = *) ============================ Not (And tru fls) = Or (Not tru) (Not fls) subgoal 2 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 3 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 17
  • 18. 3.1. De Morgan (4) De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. Proof completed. De_Morgan_1 < Qed. intros. destruct b1; destruct b2. simpl in |- *. reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. De_Morgan_1 is defined Not (Or b1 b2) = And (Not b1) (Not b2) @tmiya : Coq , 18
  • 19. 3.1. 1. Yes, Maybe, No Bool3 2. Bool3 And3, Or3, Not3 3. ( ) De Morgan @tmiya : Coq , 19
  • 20. 3.2. nat nat ( ) Coq < Print nat. Inductive nat : Set := O : nat | S : nat -> nat O( O) 0 S nat nat Peano Coq < Eval compute in (S (S (S O))). = 3 : nat S (S (S O)) Coq 3 @tmiya : Coq , 20
  • 21. 3.2. nat n Coq < Fixpoint add(n m:nat):nat := Coq < match n with Coq < | O => m Coq < | S n’ => S (add n’ m) Coq < end. add is recursively defined (decreasing on 1st argument) Fixpoint ( O) 0 S nat 1 nat Peano Coq < Eval compute in (add (S (S O)) (S O)). = 3 : nat (call-by-value) @tmiya : Coq , 21
  • 22. 3.2. nat _,_ OK Coq < Fixpoint eq_nat(n m:nat):bool := Coq < match n,m with Coq < | O,O => true Coq < | S n’, S m’ => eq_nat n’ m’ Coq < | _,_ => false Coq < end. Coq < Eval compute in (eq_nat 3 3). le_nat le_nat n m n≤m Coq ( ) @tmiya : Coq , 22
  • 23. 3.2. Coq ( ) n ({struct n} Coq ) Coq < Fixpoint add’(n m:nat){struct n} := Coq < match n with Coq < | O => m Coq < | S n’ => S (add’ n’ m) Coq < end. add’ is recursively defined (decreasing on 1st argument) add’ 2 3 add’ add’ (S (S O)) 3 = S (add’ (S O) 3) = S (S (add’ O 3)) = S (S 3) = 5. @tmiya : Coq , 23
  • 24. 3.2. ( ) Coq ( )( ) Coq ( Coq ) Coq ( ) (Coq ) Coq @tmiya : Coq , 24
  • 25. 3.2. 1. mul add 2. mul fact 3. sub n=0 sub 0 m = 0 4. div3 Eval Fixpoint div3(n:nat) := match n with | S (S (S n’)) => S (div3 n’) | _ => O end. sub div n m Coq ( ) @tmiya : Coq , 25
  • 26. 3.3. cond c vt vf c:bool true vt false vf vt, vf Set A Coq < Definition cond{A:Set}(c:bool)(vt vf:A) := Coq < match c with Coq < | true => vt Coq < | false => vf Coq < end. Coq < Eval compute in (cond true 2 3). = 2 : nat Coq < Eval compute in (cond false false true). = true : bool {A:Set} cond A ( ) Coq < Eval compute in (@cond nat false 2 3). @tmiya : Coq , 26
  • 27. 3.3. option ( ) null option (Haskell Maybe ) ( Coq sumor ) Coq < Print option. Inductive option (A : Type) : Type := Some : A -> option A | None : option A Definition option_map {A B:Type} (f:A->B)(o:option A) := match o with | Some a => Some (f a) | None => None end. Coq < Eval compute in (option_map (fun x => x + 1) (Some 1)). @tmiya : Coq , 27
  • 28. 3.3. prod sum prod A B A B prod A B A * B ( x , y , .. , z ) (pair .. (pair x y) .. z) Coq < Check (2,true,3). (2, true, 3) : nat * bool * nat prod fst, snd sum A B A B Coq < Definition test_sum (s:sum nat bool) := Coq < match s with Coq < | inl n => n Coq < | inr true => 1 Coq < | inr false => 0 Coq < end. prod, sum Curry-Howard @tmiya : Coq , 28
  • 29. 3.3. List List List :: cons Type Set (Check Set. ) Coq < Require Import List. Coq < Print list. Inductive list (A : Type) : Type := nil : list A | cons : A -> list A -> list A Coq < Check (1::2::nil). 1 :: 2 :: nil : list nat @tmiya : Coq , 29
  • 30. 3.3. List List List nil x::xs Coq < Fixpoint append{A:Type}(xs ys:list A):= Coq < match xs with Coq < | nil => ys Coq < | x::xs’ => x::(append xs’ ys) Coq < end. Coq < Eval compute in (append (1::2::nil) (3::4::nil)). Coq < Fixpoint olast{A:Type}(xs:list A):option A := Coq < match xs with Coq < | nil => None Coq < | a::nil => Some a Coq < | _::xs’ => olast xs’ Coq < end. Coq < Eval compute in (olast (1::2::3::nil)). @tmiya : Coq , 30
  • 31. 3.3. List 1. len{A:Type}(xs:list A):nat Eval compute in (len (1::2::3::nil)). 2. list bool true true all_true(xs:list bool):bool nil true 3. x Some x None ohead{A:Type}(xs:list A):option A 4. s, n s :: s+1 :: ... :: (s+n-1) :: nil nat_list(s n:nat):list nat 5. reverse{A:Type}(xs:list A):list A append @tmiya : Coq , 31
  • 32. 4. Bool De Morgan P Q ¬(P ∧ Q) ¬P ∨ ¬Q F F T T F T T T T F T T T T F F Bool, nat Inductive (nat O S n ) Coq Prop ( ) @tmiya : Coq , 32
  • 33. 4. P P ¬P ( ) ab a, b √ √ √ 2 1. a = b = 2 a, b ab = 2 √ √2 √ 2. ab √ a = √2 , b = 2 √ a, b √ 2 √2 √ 2 2 √ 2 ab = ( 2 ) = 2 = 2 =2 √ √ 2 2 (P) (~P) ab a, b ab a, b @tmiya : Coq , 33
  • 34. 4. ( ) Modus Ponens A A B B (Γ = ( ) ) Γ A Γ A → B (→ ) Γ B ( )→ Coq B Hab : A → B apply Hab. tactic A Ha : A exact Ha. @tmiya : Coq , 34
  • 35. 4. Coq tactic tactic assumption. exact H. trivial. ... H : A ... ------------------------ A exact . A∈Γ ( ) Γ A @tmiya : Coq , 35
  • 36. 4.1. → → A → B (CUI A -> B ) A intro Ha. tactic Ha : A B Coq ... Γ, A B (→ ) Γ A→B H1 → H2 → · · · → Hn → B intros H1 H2 ... Hn. intro intro. intros. Coq → Modus Ponens tactic apply . @tmiya : Coq , 36
  • 37. 4.1. → → (1) tactic Set P Prop P P P p : P ( Set, Prop Type ) Section imp_sample. Variables P Q R : Prop. Theorem imp_sample : (P -> (Q -> R)) -> (P -> Q) -> P -> R. 1 subgoal ============================ (P -> Q -> R) -> (P -> Q) -> P -> R === tactic → intro(s) @tmiya : Coq , 37
  • 38. 4.1. → → (2) → intros tactic intro(s) imp_sample < intros pqr pq p. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ R R pqr apply pqr. @tmiya : Coq , 38
  • 39. 4.1. → → (3) R apply pqr. pqr P -> Q -> P Q imp_sample < apply pqr. 2 subgoals pqr : P -> Q -> R pq : P -> Q p : P ============================ P subgoal 2 is: Q P assumption. @tmiya : Coq , 39
  • 40. 4.1. → → (4) P assumption. Q imp_sample < assumption. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ Q Q @tmiya : Coq , 40
  • 41. 4.1. → → (5) imp_sample < apply pq. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ P imp_sample < assumption. Proof completed. imp_sample < Qed. Qed. @tmiya : Coq , 41
  • 42. 4.2. ∧ ∧ (1) P ∧Q P Q pq : P / Q destruct pq as [p q]. tactic p : P q : Q destruct pq. p,q Coq P ∧Q P Q P ∧Q split. tactic P / Q P, Q Coq < Variable P Q R:Prop. Coq < Theorem and_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 42
  • 43. 4.2. ∧ ∧ (2) intro → ∧ and_assoc < intro pqr. 1 subgoal pqr : (P / Q) / R ============================ P / Q / R and_assoc < destruct pqr as [[p q] r]. 1 subgoal p : P q : Q r : R ============================ P / Q / R @tmiya : Coq , 43
  • 44. 4.2. ∧ ∧ (3) assumption ; tactic split assumption and_assoc < split. 2 subgoals ============================ P subgoal 2 is: Q / R and_assoc < assumption. 1 subgoal ============================ Q / R and_assoc < split; assumption. Proof completed. and_assoc < Qed. @tmiya : Coq , 44
  • 45. 4.3. ∨ ∨ (1) P ∨Q P Q pq : P / Q destruct pq as [pq].— tactic p : P q : Q destruct pq. p,q Coq P ∨Q P Q P ∨Q left. right. tactic P Q Coq < Variable P Q R:Prop. Coq < Theorem or_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 45
  • 46. 4.3. ∨ ∨ (2) intro → ∨ and_assoc < intro pqr. or_assoc < destruct pqr as [[p|q]|r]. 3 subgoals p : P ============================ P / Q / R subgoal 2 is: P / Q / R subgoal 3 is: P / Q / R @tmiya : Coq , 46
  • 47. 4.3. ∨ ∨ (3) assumption or_assoc < left. 3 subgoals p : P ============================ P or_assoc < assumption. 2 subgoals q : Q ============================ P / Q / R or_assoc < right; left. 2 subgoals q : Q ============================ Q OK @tmiya : Coq , 47
  • 48. 4.4. ¬ ¬ (1) ¬P P → False False Inductive False : Prop := ~P intro p. p : P False H : False elim H. np : ~P elim np. P (¬¬P P ) ( ) @tmiya : Coq , 48
  • 49. 4.4. ¬ ¬ (2) Coq < Theorem neg_sample : ~(P / ~P). 1 subgoal ============================ ~ (P / ~ P) neg_sample < intro. 1 subgoal H : P / ~ P ============================ False @tmiya : Coq , 49
  • 50. 4.4. ¬ ¬ (3) neg_sample < destruct H as [p np]. 1 subgoal p : P np : ~ P ============================ False neg_sample < elim np. p : P np : ~ P ============================ P neg_sample < assumption. Proof completed. @tmiya : Coq , 50
  • 51. 4.4. ¬ Variable A B C D:Prop. Theorem ex4_1 : (A -> C) / (B -> D) / A / B -> C / D. Theorem ex4_2 : ~~~A -> ~A. Theorem ex4_3 : (A -> B) -> ~B -> ~A. Theorem ex4_4 : ((((A -> B) -> A) -> A) -> B) -> B. Theorem ex4_5 : ~~(A/~A). @tmiya : Coq , 51
  • 52. 5. Curry-Howard Curry-Howard (1) Theorem imp_sample’ : (P -> (Q -> R)) -> (P -> Q) -> P -> R. imp_sample’ < intros pqr pq p. imp_sample’ < Check pq. pq : P -> Q imp_sample’ < Check (pq p). pq p : Q pq P -> Q P Q pq p Q @tmiya : Coq , 52
  • 53. 5. Curry-Howard Curry-Howard (2) pqr, pq, p R exact tactic imp_sample’ < Check (pqr p (pq p)). pqr p (pq p) : R imp_sample’ < exact (pqr p (pq p)). Proof completed. imp_sample Print Coq < Print imp_sample. imp_sample = fun (pqr : P -> Q -> R) (pq : P -> Q) (p : P) => pqr p (pq p) : (P -> Q -> R) -> (P -> Q) -> P -> R @tmiya : Coq , 53
  • 54. 5. Curry-Howard Curry-Howard (3) P P P→Q P -> Q Γ P ΓP→Q (→ ) pq p Γ Q Γ, P Q (→ ) pq (p:P):Q Γ P→Q P ∧Q prod { (P,Q) inl P P ∨Q sum inr Q Curry-Howard Curry-Howard = Coq @tmiya : Coq , 54
  • 55. 5. Curry-Howard Curry-Howard (4) Coq ( ) Java (P → Q → R) → (P → Q) → P → R interface Fun<A,B> { public B apply(A a); } public class P {} public class Q {} public class R {} public class Proof { public R imp_sample(Fun<P,Fun<Q,R>> pqr, Fun<P,Q> pq, P p) { return pqr.apply(p).apply(pq.apply(p)); } } (Java prod sum ¬ Java ) @tmiya : Coq , 55
  • 56. 6. a:A P a (∀a : A, P a) : forall (a:A), P a a:A P a (∃a : A, P a) : exists (a:A), P a Coq P a:A P a:Prop A -> Prop Coq a:A P : A → Prop Coq < Definition iszero(n:nat):Prop := Coq < match n with Coq < | O => True Coq < | _ => False Coq < end. iszero is defined @tmiya : Coq , 56
  • 57. 6. ∀ (1) forall intro(s) forall x:X x:X -> Coq < Theorem sample_forall : forall (X:Type)(P Q:X->Prop)(x:X), P x -> (forall y:X, Q y) -> (P x / Q x). ============================ forall (X : Type) (P Q : X -> Prop) (x : X), P x -> (forall y : X, Q y) -> P x / Q x sample_forall < intros X P Q x px Hqy. X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ P x / Q x @tmiya : Coq , 57
  • 58. 6. ∀ (2) forall y:X y X sample_forall < split. (* P x Q x *) sample_forall < assumption. (* P x px *) 1 subgoal X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ Q x sample_forall < apply (Hqy x). (* Hqy y x *) Proof completed. @tmiya : Coq , 58
  • 59. 6.2. ∃ ∃ (1) Coq < Theorem sample_exists : forall (P Q:nat->Prop), Coq < (forall n, P n) -> (exists n, Q n) -> Coq < (exists n, P n / Q n). sample_exists < intros P Q Hpn Hqn. 1 subgoal P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n @tmiya : Coq , 59
  • 60. 6.2. ∃ ∃ (2) exists destruct sample_exists < intros P Q Hpn Hqn. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n sample_exists < destruct Hqn as [n’ qn’]. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n @tmiya : Coq , 60
  • 61. 6.2. ∃ ∃ (3) exists x:X x:X exists x. sample_exists < destruct Hqn as [n’ qn’]. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n sample_exists < exists n’. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ P n’ / Q n’ (* *) @tmiya : Coq , 61
  • 62. 6.2. ∃ Theorem ex5_1 : forall (A:Set)(P:A->Prop), (~ exists a, P a) -> (forall a, ~P a). Theorem ex5_2 : forall (A:Set)(P Q:A->Prop), (exists a, P a / Q a) -> (exists a, P a) / (exists a, Q a). Theorem ex5_3 : forall (A:Set)(P Q:A->Prop), (exists a, P a) / (exists a, Q a) -> (exists a, P a / Q a). Theorem ex5_4 : forall (A:Set)(R:A->A->Prop), (exists x, forall y, R x y) -> (forall y, exists x, R x y). Theorem ex5_5 : forall (A:Set)(R:A->A->Prop), (forall x y, R x y -> R y x) -> (forall x y z, R x y -> R y z -> R x z) -> (forall x, exists y, R x y) -> (forall x, R x x). @tmiya : Coq , 62
  • 63. 6.3. = = (1) eq (= ) Inductive eq (A : Type) (x : A) : A -> Prop := refl_equal : x = x Coq (nat bool ) (nat O Sn ) (S m Sn m=n ) ============================ n = n apply (refl_equal n). tactic reflexivity. @tmiya : Coq , 63
  • 64. 6.3. = = (2) plus Print plus. tactic simpl. Coq < Theorem plus_0_l : forall n, 0 + n = n. plus_0_l < intro n. n : nat ============================ 0 + n = n plus_0_l < simpl. n : nat ============================ n = n plus_0_l < reflexivity. Proof completed. @tmiya : Coq , 64
  • 65. 6.4. (1) ∀n : nat, n + 0 = n simpl. ============================ n + 0 = n plus_0_r < simpl. ============================ n + 0 = n plus n m n n 1. n = 0 n+0=n 2. n = n n+0=n n=Sn n+0=n @tmiya : Coq , 65
  • 66. 6.4. (2) n induction n as [|n’]. induction n. tactic Coq nat_ind (P ) Coq < Check nat_ind. nat_ind : forall P : nat -> Prop, P 0 -> (forall n : nat, P n -> P (S n)) -> forall n : nat, P n nat_ind nat O : nat S : nat -> nat Inductive bool bool_ind bool_ind : forall P : bool -> Prop, P true -> P false -> forall b : bool, P b @tmiya : Coq , 66
  • 67. 6.4. (3) induction n as [|n’]. n 0 S n’ reflexivity. OK (simpl. ) Coq < Theorem plus_0_r : forall n:nat, n + 0 = n. plus_0_r < induction n as [|n’]. 2 subgoals ============================ 0 + 0 = 0 subgoal 2 is: S n’ + 0 = S n’ plus_0_r < reflexivity. 1 subgoal n’ : nat IHn’ : n’ + 0 = n’ ============================ S n’ + 0 = S n’ @tmiya : Coq , 67
  • 68. 6.4. (4) n = S n’ n = n’ IHn’ S n’ + 0 = S n’ simpl. plus S (n’ + 0)= S n’ IHn’ n’ + 0 n’ rewrite IHn’. rewrite ============================ S n’ + 0 = S n’ plus_0_r < simpl. IHn’ : n’ + 0 = n’ ============================ S (n’ + 0) = S n’ plus_0_r < rewrite IHn’. IHn’ : n’ + 0 = n’ ============================ S n’ = S n’ @tmiya : Coq , 68
  • 69. 6.4. :m + n = n + m SearchAbout Coq < SearchAbout plus. plus_n_O: forall n : nat, n = n + 0 plus_O_n: forall n : nat, 0 + n = n plus_n_Sm: forall n m : nat, S (n + m) = n + S m plus_Sn_m: forall n m : nat, S n + m = S (n + m) mult_n_Sm: forall n m : nat, n * m + n = n * S m rewrite ( rewrite <- plus_n_Sm n’ m. rewrite H. H rewrite <- H. ) Theorem plus_comm : forall m n:nat, m + n = n + m. @tmiya : Coq , 69
  • 70. 6.4. (5) nat list A Theorem length_app : forall (A:Type)(l1 l2:list A), length (l1 ++ l2) = length l1 + length l2. list cons induction l1 as [|a l1’]. ( induction l1.) induction ( l2) intro 1. intros A l1 l2. induction l1 as [|a l1’]. 2. intros A l1. induction l1 as [|a l1’]. intro l2. IHl1’ (Coqtop Undo. ) @tmiya : Coq , 70
  • 71. 6.4. : (1) List append reverse Require Import List. Fixpoint append{A:Type}(l1 l2:list A):= match l1 with | nil => l2 | a::l1’ => a::(append l1’ l2) end. Fixpoint reverse{A:Type}(l:list A):= match l with | nil => nil | a::l’ => append (reverse l’) (a::nil) end. Theorem reverse_reverse : forall (A:Type)(l:list A), reverse (reverse l) = l. @tmiya : Coq , 71
  • 72. 6.4. : (2) reverse_reverse Lemma append_nil : forall (A:Type)(l:list A), append l nil = l. Lemma append_assoc : forall (A:Type)(l1 l2 l3:list A), append (append l1 l2) l3 = append l1 (append l2 l3). Lemma reverse_append : forall (A:Type)(l1 l2:list A), reverse (append l1 l2) = append (reverse l2) (reverse l1). @tmiya : Coq , 72
  • 73. 7. (1) Coq nat minus(n m:nat) n≤m 0 n−m+m =n ( ) sub Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1. H n≤m n≤m 2. x = m−n x +n = m ( ) @tmiya : Coq , 73
  • 74. 7. (2) Coq nat Arith Require Import Arith. (* Arith *) Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1 subgoal m : nat n : nat H : n <= m ============================ {x : nat | x + n = m} m, n intro generalize dependent sub < generalize dependent m. sub < generalize dependent n. ============================ forall n m : nat, n <= m -> {x : nat | x + n = m} @tmiya : Coq , 74
  • 75. 7. (3) eapply, erewrite apply, rewrite Qed. Defined. induction n as [|n’]. (* n=0 *) intros m H. exists m. eapply plus_0_r. (* n=S n’ *) induction m as [|m’]; intro H. (* m=0 *) assert(H’: ~(S n’ <= 0)). eapply le_Sn_0. elim H’. assumption. (* m=S m’ *) assert(H’: n’ <= m’). eapply le_S_n. assumption. assert(IH: {x:nat|x+n’=m’}). eapply IHn’. assumption. destruct IH as [x IH]. exists x. erewrite <- plus_n_Sm. rewrite IH. reflexivity. Defined. @tmiya : Coq , 75
  • 76. 7. (4) sub Print sub. sub OCaml minus Coq < Extraction sub. (** val sub : nat -> nat -> nat **) let rec sub m = function | O -> m | S n0 -> (match m with | O -> assert false (* absurd case *) | S n1 -> let iH = sub n1 n0 in Obj.magic iH) OCaml H @tmiya : Coq , 76
  • 77. 7. (5) H Theorem le_2_5 : le 2 5. Proof. repeat eapply le_n_S. repeat constructor. Qed. Eval compute in (sub 5 2 le_2_5). (* *) Eval compute in (proj1_sig (sub 5 2 le_2_5)). (* = 3:nat *) {x|x+n=m} x proj1_sig @tmiya : Coq , 77
  • 78. 7. minus sub minus Definition sub’(m n:nat)(H:le n m) : {x:nat|x+n=m}. Proof. (* minus *) Defined. Coq 1. minus minus 2. minus sub’ 3. refine tactic (refine ) 4. sub @tmiya : Coq , 78
  • 79. 8. Coq tactic (auto, ring, omega ) (Arith, List, String ) Haskell, OCaml (inversion, refine ) tactic Module @tmiya : Coq , 79
  • 80. 8. Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions, Yves Berrot and Pierre Casteran (Springer-Verlag) : Coq Certified Programming with Dependent Types, Adam Chlipala (http://adam.chlipala.net/cpdt/) : Coq 2010 III (http://www.math.nagoya-u.ac.jp/~garrigue/lecture/ 2010_AW/index.html) : Garrigue PDF Coq in a Hurry, Yves Bertot (http://cel.archives-ouvertes.fr/docs/00/47/ 58/07/PDF/coq-hurry.pdf) : 2nd Asian-Pacific Summer School on Formal Methods (http://formes.asia/cms/coqschool/2010) : @tmiya : Coq , 80
  • 81. 8. Coq ProofCafe Coq CPDT Coq IT Coq Ruby, Clojure, Scala, Javascript Coq Coq http://coq.g.hatena.ne.jp/keyword/ProofCafe @tmiya : Coq , 81
  • 82. 8. Formal Methods Forum Coq ( ) ( ) Google group Coq 2010 Certified Programming with Dependent Types Coq Google group (http://groups.google.co.jp/group/fm-forum) Coq @tmiya : Coq , 82