inductive properties (2) - francesco zappa nardelli
TRANSCRIPT
![Page 1: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/1.jpg)
Inductive properties (2)
Inductive properties (2)
Assia Mahboubi, Pierre Casteran, Yves BertotParis, Beijing, Bordeaux, Suzhou
16 novembre 2011
1 / 1
![Page 2: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/2.jpg)
Inductive properties (2)
Inversion Techniques
Inversion Techniques
Let us consider the following theorem.
Lemma le_n_0 : forall n:nat, n <= 0 -> n = 0.
Proof.
intros n H; induction H.
two subgoals :
n : nat============================n = n
reflexivity.
2 / 1
![Page 3: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/3.jpg)
Inductive properties (2)
Inversion Techniques
1 subgoal
n : natm : natH : n <= mIHle : n = m (* P m *)============================n = S m (* P (S m) *)
Abort.
The induction H tactic call applied the induction principle le indwith P := fun m : nat ⇒n = m.
3 / 1
![Page 4: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/4.jpg)
Inductive properties (2)
Inversion Techniques
How did we solve this problem in good old times ?We could prove the following “inversion lemma” (a kind ofreciprocal of the constructors).
Lemma le_inv : forall n p: nat,
n <= p ->
n = p \/ exists q:nat, p = S q /\ n <= q.
Proof.
intros n p H; destruct H.
2 subgoals
n : nat============================n = n \/ (exists q : nat, n = S q /\ n <= q)
left;reflexivity.
4 / 1
![Page 5: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/5.jpg)
Inductive properties (2)
Inversion Techniques
1 subgoal
n : natm : natH : n <= m============================n = S m \/ (exists q : nat, S m = S q /\ n <= q)
right; exists m;split;trivial.
Qed.
Note that le inv is an expression of the minimality of le, withexplicit equalities that can be used with injection and discriminate.
5 / 1
![Page 6: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/6.jpg)
Inductive properties (2)
Inversion Techniques
Let’s come back to our initial lemma
Lemma le_n_0_old_times : forall n:nat, n <= 0 -> n = 0.
Proof.
intros n H;
destruct (le_inv _ _ H) as [H0 | [q [Hq Hq0]]].
2 subgoals
n : natH : n <= 0H0 : n = 0============================n = 0
...assumption.
6 / 1
![Page 7: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/7.jpg)
Inductive properties (2)
Inversion Techniques
1 subgoaln : natH : n <= 0q : natHq : 0 = S qHq0 : n <= q============================n = 0discriminate Hq.
Qed.
7 / 1
![Page 8: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/8.jpg)
Inductive properties (2)
Inversion Techniques
The inversion tactic
The inversion tactic derives all the necessary conditions to aninductive hypothesis. If no condition can realize this hypothesis,the goal is proved by ex falso quod libet. See also : inversion clear
Lemma foo : ~(1 <= 0).
Proof.
intro h;inversion h.
Qed.
8 / 1
![Page 9: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/9.jpg)
Inductive properties (2)
Inversion Techniques
The inversion tactic
The inversion tactic derives all the necessary conditions to aninductive hypothesis. If no condition can realize this hypothesis,the goal is proved by ex falso quod libet. See also : inversion clear
Lemma foo : ~(1 <= 0).
Proof.
intro h;inversion h.
Qed.
9 / 1
![Page 10: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/10.jpg)
Inductive properties (2)
Inversion Techniques
Lemma le_n_0 : forall n, n <= 0 -> n = 0.
Proof.
intros n H;inversion H.
1 subgoal
n : natH : n <= 0H0 : n = 0============================0 = 0
trivial.
Qed.
10 / 1
![Page 11: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/11.jpg)
Inductive properties (2)
Inversion Techniques
Lemma le_Sn_Sp_inv: forall n p, S n <= S p -> n <= p.
Proof.
intros n p H; inversion H.
2 subgoals
n : natp : natH : S n <= S pH1 : n = p============================p <= p
...constructor.
11 / 1
![Page 12: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/12.jpg)
Inductive properties (2)
Inversion Techniques
1 subgoal
n : natp : natH : S n <= S pm : natH1 : S n <= pH0 : m = p============================n <= p
Require Import Le.
apply le_trans with (S n); repeat constructor; assumption.
Qed.
12 / 1
![Page 13: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/13.jpg)
Inductive properties (2)
Comparison with other kinds of predicate definitions
Comparison with other kinds of predicate definitionsLet us consider le again. Several other definitions can be given forthis mathematical concept.
First, we could use the plus function.
Definition Le (n p : nat) : Prop :=
exists q:nat, q + n = p.
We can also give a recursive predicate :
Fixpoint LE (n p: nat): Prop :=
match n, p with 0, _ => True
| S _, 0 => False
| S n’, S p’ => LE n’ p’
end.
Both definitions are equivalent to Coq’s le (exercise).
13 / 1
![Page 14: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/14.jpg)
Inductive properties (2)
Comparison with other kinds of predicate definitions
Comparison with other kinds of predicate definitionsLet us consider le again. Several other definitions can be given forthis mathematical concept.First, we could use the plus function.
Definition Le (n p : nat) : Prop :=
exists q:nat, q + n = p.
We can also give a recursive predicate :
Fixpoint LE (n p: nat): Prop :=
match n, p with 0, _ => True
| S _, 0 => False
| S n’, S p’ => LE n’ p’
end.
Both definitions are equivalent to Coq’s le (exercise).
14 / 1
![Page 15: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/15.jpg)
Inductive properties (2)
Comparison with other kinds of predicate definitions
Comparison with other kinds of predicate definitionsLet us consider le again. Several other definitions can be given forthis mathematical concept.First, we could use the plus function.
Definition Le (n p : nat) : Prop :=
exists q:nat, q + n = p.
We can also give a recursive predicate :
Fixpoint LE (n p: nat): Prop :=
match n, p with 0, _ => True
| S _, 0 => False
| S n’, S p’ => LE n’ p’
end.
Both definitions are equivalent to Coq’s le (exercise).15 / 1
![Page 16: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/16.jpg)
Inductive properties (2)
Comparison with other kinds of predicate definitions
Predicates and boolean functions
Let us consider the following function :
Fixpoint leb n m : bool :=
match n, m with
|0, _ => true
|S i, S j => leb i j
| _, _ => false
end.
16 / 1
![Page 17: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/17.jpg)
Inductive properties (2)
Comparison with other kinds of predicate definitions
le or leb ?
Compute leb 5 45.
= true : bool
Lemma L5_45 : 5 <= 45.
Proof.
repeat constructor.
Qed.
Just try Print L5 45. !
17 / 1
![Page 18: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/18.jpg)
Inductive properties (2)
Comparison with other kinds of predicate definitions
le or leb ?
Compute leb 5 45.
= true : bool
Lemma L5_45 : 5 <= 45.
Proof.
repeat constructor.
Qed.
Just try Print L5 45. !
18 / 1
![Page 19: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/19.jpg)
Inductive properties (2)
Comparison with other kinds of predicate definitions
We can build a bridge between both aspects by proving thefollowing theorems :
Lemma le_leb_iff : forall n p, n <= p <-> leb n p = true.
Lemma lt_leb_iff : forall n p, n < p <-> leb p n = false.
(* Proofs left as exercise *)
19 / 1
![Page 20: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/20.jpg)
Inductive properties (2)
Comparison with other kinds of predicate definitions
Lemma L: 0 <= 47.
Proof.
rewrite le_leb_iff.
1 subgoal
============================leb 0 47 = true
reflexivity.
Qed.
20 / 1
![Page 21: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/21.jpg)
Inductive properties (2)
Comparison with other kinds of predicate definitions
Lemma leb_Sn_n : forall n p, leb n (n + p)= true.
Proof.
intros n p;rewrite <- le_leb_iff.
1 subgoal
n : natp : nat============================n <= n + pSearchPattern (_ <= _ + _).
apply le_plus_l;auto.
Qed.
21 / 1
![Page 22: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/22.jpg)
Inductive properties (2)
A Polymorphic example
A more abstract example
Section transitive_closures.
Definition relation (A : Type) := A -> A -> Prop.
Variables (A : Type)(R : relation A).
(* the transitive closure of R is the least
relation ... *)
Inductive clos_trans : relation A :=
(* ... that contains R *)
| t_step : forall x y : A, R x y -> clos_trans x y
(* ... and is transitive *)
| t_trans : forall x y z : A,
clos_trans x y -> clos_trans y z
-> clos_trans x z.
22 / 1
![Page 23: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/23.jpg)
Inductive properties (2)
A Polymorphic example
If some relation R is transitive, then its transitive closure isincluded in R :
Hypothesis Rtrans :
forall x y z, R x y -> R y z -> R x z.
Lemma trans_clos_trans : forall a1 a2,
clos_trans a1 a2 -> R a1 a2.
Proof.
intros a1 a2 H; induction H.
2 subgoalsx : Ay : AH : R x y============================R x y . . .
exact H.23 / 1
![Page 24: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/24.jpg)
Inductive properties (2)
A Polymorphic example
x : Ay : Az : AH : clos trans x yH0 : clos trans y zIHclos trans1 : R x yIHclos trans2 : R y z============================R x z
apply Rtrans with y; assumption.
Qed.
24 / 1
![Page 25: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/25.jpg)
Inductive properties (2)
A Polymorphic example
End transitive_closures.
Check trans_clos_trans.
trans clos trans: forall (A : Type) (R : relation A),
(forall x y z : A, R x y -> R y z -> R x z) ->forall a1 a2 : A, clos trans A R a1 a2 -> R a1 a2
Implicit Arguments clos_trans [A].
Implicit Arguments trans_clos_trans [A].
Check (trans_clos_trans le le_trans).
trans clos trans nat le le trans: forall a1 a2 : nat, clos trans le a1 a2 -> a1 <= a2
25 / 1
![Page 26: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/26.jpg)
Inductive properties (2)
A Polymorphic example
End transitive_closures.
Check trans_clos_trans.
trans clos trans: forall (A : Type) (R : relation A),
(forall x y z : A, R x y -> R y z -> R x z) ->forall a1 a2 : A, clos trans A R a1 a2 -> R a1 a2
Implicit Arguments clos_trans [A].
Implicit Arguments trans_clos_trans [A].
Check (trans_clos_trans le le_trans).
trans clos trans nat le le trans: forall a1 a2 : nat, clos trans le a1 a2 -> a1 <= a2
26 / 1
![Page 27: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/27.jpg)
Inductive properties (2)
Inductive definitions and functions
Inductive definitions and functions
It is sometimes very difficult to represent a function f : A -> B
as a Coq function, for instance because of the :
I Undecidability (or hard proof) of termination
I Undecidability of the domain characterization
This situation often arises when studying the semantic ofprogramming languages.
In that case, describing functions as inductive relations is reallyefficient.
27 / 1
![Page 28: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/28.jpg)
Inductive properties (2)
Inductive definitions and functions
Definition odd n := ∼even n.
Inductive syracuse_steps : nat -> nat -> Prop :=
done : syracuse_steps 1 1
|even_case : forall n p,even n ->
syracuse_steps (div2 n) p ->
syracuse_steps n (S p)
|odd_case : forall n p , odd n ->
syracuse_steps (S(n+n+n)) p ->
syracuse_steps n (S p).
ExerciseProve the proposition syracuse steps 5 6.
28 / 1
![Page 29: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/29.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
Specifying programs with inductive predicates
Programs are computational objects.Inductive types provide structured specifications.How to get the best of both worlds ?
By combining programs with inductive specifications.
29 / 1
![Page 30: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/30.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
Specifying programs with inductive predicates
Programs are computational objects.Inductive types provide structured specifications.How to get the best of both worlds ?By combining programs with inductive specifications.
30 / 1
![Page 31: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/31.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
Specifying programs with inductive predicates
Let us consider a datatype for comparison w.r.t. some decidabletotal order. This type already exists in the Standard Library.
Inductive Comparison : Type := Lt | Eq | Gt.
We can easily specify whether some value of this type is consistentwith an arithmetic inequality, through a three place predicate.
Inductive compare_spec (n p:nat) : Comparison -> Type :=
| lt_spec : forall Hlt : n < p, compare_spec n p Lt
| eq_spec : forall Heq : n = p, compare_spec n p Eq
| gt_spec : forall Hgt : p < n, compare_spec n p Gt.
31 / 1
![Page 32: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/32.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
We can specify whether some comparison function is correct :
Definition cmp_correct (cmp : nat -> nat -> Comparison) :=
forall n p, compare_spec n p (cmp n p).
In order to understand specifications like compare_spec, let usopen a section :
Section On_compare_spec.
Variable cmp : nat -> nat -> Comparison.
Hypothesis cmpP : cmp_correct cmp.
32 / 1
![Page 33: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/33.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
How to use compare_specLet us consider a goal of the form P n p (cmp n p) whereP : nat→nat→Comparison→Prop.A call to the tactic destruct (cmpP n p) produces three subgoals :
Hlt : n < p
===============================
P n p Lt
Heq : n = p
==============================
P n p Eq
Hgt : p < n
==============================
P n p Gt
33 / 1
![Page 34: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/34.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
Example
Let us define functions for computing the greatest [lowest] of thonumbers :
Definition maxn n p :=
match cmp n p with Lt => p | _ => n end.
Definition minn n p :=
match cmp n p with Lt => n | _ => p end.
Proofs of properties of maxn and minn can use this pattern, whichwill give values to maxn n p, and generate hypotheses of the formn < p, n = p, and p < n.
34 / 1
![Page 35: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/35.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
Lemma le_maxn: forall n p, n <= maxn n p.
Proof.
intros n p; unfold maxn;destruct (cmpP n p).
3 subgoals
cmpP : cmp correct cmp...Hlt : n < p============================n <= p
subgoal 2 is:n <= n
subgoal 3 is:n <= n
Ecah one of the three subgoals is solved with auto with arith.35 / 1
![Page 36: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/36.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
The following proofs use the same pattern :
Lemma maxn_comm : forall n p, maxn n p = maxn p n.
Proof.
intros n p; unfold maxn;
destruct (cmpP n p), (cmpP p n); omega.
Qed.
Lemma maxn_le: forall n p q,
n <= q -> p <= q -> maxn n p <= q.
Proof.
intros n p; unfold maxn; destruct (cmpP n p);
auto with arith.
Qed.
36 / 1
![Page 37: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/37.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
Lemma min_plus_maxn : forall n p,
minn n p + maxn n p = n + p.
Proof.
intros n p; unfold maxn, minn; destruct (cmpP n p);
auto with arith.
Qed.
37 / 1
![Page 38: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/38.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
Definition compare_rev (c:Comparison) :=
match c with
| Lt => Gt
| Eq => Eq
| Gt => Lt
end.
Lemma cmp_rev : forall n p,
cmp n p = compare_rev (cmp p n).
Proof.
intros n p; destruct (cmpP n p);destruct (cmpP p n) ;
trivial;try discriminate;intros; elimtype False; omega.
Qed.
38 / 1
![Page 39: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/39.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
Lemma cmp_antiym : forall n p,
cmp n p = cmp p n -> n = p.
Proof.
intros n p;rewrite cmp_rev;
destruct (cmpP p n);auto ;try discriminate.
Qed.
Notice that all the proofs above use only the specification of acomparison function and not a concrete definition.
39 / 1
![Page 40: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/40.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
We are now able to provide an implementation of a comparisonfunction, and prove its correctness :
End On_compare_spec.
Fixpoint compare (n m:nat) : Comparison :=
match n, m with | 0,0 => Eq
| 0, S _ => Lt
| S _, 0 => Gt
| S p, S q => compare p q
end.
40 / 1
![Page 41: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/41.jpg)
Inductive properties (2)
Specifying programs with inductive predicates
Lemma compareP : cmp_correct compare.
Proof.
red;induction n;destruct p;simpl;auto;
try (constructor;auto with arith).
destruct (IHn p);constructor;auto with arith.
Qed.
Check maxn_comm _ compareP.
: forall n p : nat, maxn compare n p = maxn compare p n
41 / 1
![Page 42: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/42.jpg)
Inductive properties (2)
Road-map
What you think is not what you get
An odd alternative definition of le :
Inductive alter_le (n : nat) : nat -> Prop :=
| alter_le_n : alter_le n n
| alter_le_S : forall m : nat, alter_le n m ->
alter_le n (S m)
| alter_dummy : alter_le n (S n).
The third constructor is useless ! It may increase the size of theproofs by induction.
42 / 1
![Page 43: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/43.jpg)
Inductive properties (2)
Road-map
What you think is not what you get
An odd alternative definition of le :
Inductive alter_le (n : nat) : nat -> Prop :=
| alter_le_n : alter_le n n
| alter_le_S : forall m : nat, alter_le n m ->
alter_le n (S m)
| alter_dummy : alter_le n (S n).
The third constructor is useless ! It may increase the size of theproofs by induction.
43 / 1
![Page 44: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/44.jpg)
Inductive properties (2)
Road-map
Advice for crafting useful inductive definitions
I Constructors are “axioms” : they should be intuitively true...
I Constructors should as often as possible deal with mutuallyexclusive cases, to ease proofs by induction ;
I When an argument always appears with the same value, makeit a parameter
I Test your predicate on negative and positive cases !
44 / 1
![Page 45: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/45.jpg)
Inductive properties (2)
A last example : The toy programming language
A last example : The toy programming language
Lemma Assigned_inv1 : forall v w e,
Assigned_in v (assign w e) ->
v=w.
Proof.
intros v w e H; inversion H. ...
Lemma Assigned_inv2 : forall v s1 s2,
Assigned_in v (sequence s1 s2) ->
Assigned_in v s1 \/ Assigned_in v s2.
Proof.
intros v s1 s2 H; inversion H. ...
45 / 1
![Page 46: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/46.jpg)
Inductive properties (2)
A last example : The toy programming language
We can also define a boolean function for testing equality onvariables :
Require Import Bool.
Definition var_eqb (v w : toy_Var) :=
match v,w with X, X => true
| Y, Y => true
| Z, Z => true
| _, _ => false
end.
46 / 1
![Page 47: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/47.jpg)
Inductive properties (2)
A last example : The toy programming language
We define a boolean test for the “assigned” property :
Fixpoint assigned_inb (v:toy_Var)(s:toy_Statement) :=
match s with
| assign w _ => var_eqb v w
| sequence s1 s2 =>
assigned_inb v s1 || assigned_inb v s2
| simple_loop e s => assigned_inb v s
end.
47 / 1
![Page 48: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/48.jpg)
Inductive properties (2)
A last example : The toy programming language
Bridge lemmas
Lemma Assigned_In_OK : forall v s,
Assigned_in v s ->
assigned_inb v s = true.
Proof.
intros v s H;induction H;simpl;...
Lemma Assigned_In_OK_R :
forall v s, assigned_inb v s = true ->
Assigned_in v s.
Proof.
induction s;simpl.
...
48 / 1
![Page 49: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/49.jpg)
Inductive properties (2)
A last example : The toy programming language
A small program
X := 0;
Y := 1;
Do Z times {
X := X + 1;
Y := Y * X
}
49 / 1
![Page 50: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/50.jpg)
Inductive properties (2)
A last example : The toy programming language
Definition factorial_Z_program :=
sequence (assign X (const 0))
(sequence
(assign Y (const 1))
(simple_loop (variable Z)
(sequence
(assign X
(toy_op toy_plus (variable X) (const 1)))
(assign Y
(toy_op toy_mult (variable Y) (variable X)))))).
50 / 1
![Page 51: Inductive properties (2) - Francesco Zappa Nardelli](https://reader036.vdocuments.site/reader036/viewer/2022071612/6156f664a097e25c764f7013/html5/thumbnails/51.jpg)
Inductive properties (2)
A last example : The toy programming language
Lemma Z_unassigned : ∼(Assigned_in Z factorial_Z_program).
Proof.
intro H;assert (H0 := Assigned_In_OK _ _ H).
1 subgoal
H : Assigned in Z factorial Z programH0 : assigned inb Z factorial Z program = true============================False
simpl in H0;discriminate H0.
Qed.
51 / 1