(** * Functional Programming in Coq ----- ## Topics: - types and functions - theorems and proofs - lists - options ## ----- _Mega super hyper serious tip_: You absolutely must step through this file interactively in Coq to understand what's going on. Observe what happens to the proof state and in the output window. Just reading this file in your browser does not suffice! (**********************************************************************) ** Types and functions Let's start by doing some basic functional programming in Coq. We'll define a type which represents the days of the week. *) Inductive day : Type := | sun : day | mon : day | tue : day | wed : day | thu : day | fri : day | sat : day. (** You'll note some differences from OCaml: - The definition starts with the keyword [Inductive] instead of the keyword [type]. - [day] has a type itself, [Type]. Essentially this is saying that [day] is a type. - The definition uses [:=] instead of [=]. - Every constructor is explicitly given the type [day]. Later we'll see that constructors can have more complicated types. - The definition must end with a period. *) (** Here's a function that returns the next day after its input. *) Let next_day d := match d with | sun => mon | mon => tue | tue => wed | wed => thu | thu => fri | fri => sat | sat => sun end. (** Again, there are some small differences from OCaml: - The [Let] keyword is capitalized. - The pattern match must end with the [end] keyword. - The branches use [=>] instead of [->] to separate the pattern from the value to be returned. Although we can use [Let] in Coq, it's usually more idiomatic to write [Definition] instead, because [Let] is actually substituted away. We could instead write the following: *) Definition prev_day d := match d with | sun => sat | mon => sun | tue => mon | wed => tue | thu => wed | fri => thu | sat => fri end. (**********************************************************************) (** ** Theorems and proofs Now let's prove some small theorems about programs that use days. First, let's prove that applying [next_day] to [tue] evaluates to [wed]. If you were going to do that with a more informal proof in natural language, your first instinct might be to say "it's obvious." That's kind of what the proof below does. *) Theorem wed_after_tue : next_day tue = wed. Proof. auto. Qed. (** [auto] is a _tactic_ that searches for a proof. Tactics are the commands written between [Proof] and [Qed]; they manipulate the _proof state_, which is all the _subgoals_ that need to be proved before the proof is finished. We can see the proof [auto] found by printing the theorem: *) Print wed_after_tue. (** The output of that is [wed_after_tue = eq_refl : next_day tue = wed], which indicates that [wed_after_tue] is equal to [eq_refl] and proves that [next_day tue = wed]. Here, [eq_refl] is something from the Coq standard library that says equality is _reflexive_, and that computation may be performed on either side of the equality to reduce the expression that appears there to a simpler expression. *) (** Rarely, though, is a theorem so simple that it can immediately be proved by searching for a proof. Usually we need to provide Coq with more explicit guidance. A more careful informal proof of the theorem might read "[next_day tue] evaluates to [wed]. So the equality to be proved reduces to [wed = wed]. That trivially holds." That is essentially the proof that strategy that is followed below: *) Theorem wed_after_tue' : next_day tue = wed. Proof. simpl. trivial. Qed. (** Printing the theorem shows that it's still the same proof that is found by [auto]. *) Print wed_after_tue'. (** The output of that is [wed_after_tue' = eq_refl : next_day tue = wed]. *) (** Next, let's prove that the day of the week never repeats. That is, the day after a given day [d] is never equal to [d]. *) Theorem day_never_repeats : forall d : day, next_day d <> d. (** Again, you might say "that's obvious." But in this case, it's not obvious enough for [auto] to find a proof. *) Proof. auto. (** So here's a better strategy: consider all the possible values that [d] could have: [sun], [mon], etc. Now consider instantiating what the theorem says for each: - [next_day sun <> sun] - [next_day mon <> mon] - etc. In each case, if we reduce the expression on the left to a value, we get an inequality that's more obviously true: - [mon <> sun] - [tue <> mon] - etc. The reason that [mon <> sun] is that they are different constructors of an inductive (i.e., variant) type, and different constructors can never be equal. This is a proof strategy that Coq will understand. To implement it, we need two new tactics: - [destruct] is a tactic that considers all the possible ways to construct an inductive type. - [discriminate] is a tactic that proves different constructors cannot be equal. *) intros d. destruct d. simpl. discriminate. simpl. discriminate. simpl. discriminate. simpl. discriminate. simpl. discriminate. simpl. discriminate. simpl. discriminate. Qed. (** The first step of this proof, [intros d], _introduces_ [d]. Think of it like saying "let [d] be some arbitrary [day]." The second step of the proof, [destruct d], instructs Coq to do case analysis on [d]. The next seven lines apply [simpl] then [discriminate] 7 times, once for each possible day in the case analysis. That repetition of the same tactic is rather ugly. First, we don't actually need to use [simpl]. In fact, [discriminate] will do simplification itself, as will many other tactics. Second, instead of writing [discriminate] 7 times, we could instead write [all: discriminate]. That means to use [discriminate] on all the remaining _subgoals_ in the proof. *) Theorem day_never_repeats' : forall d : day, next_day d <> d. Proof. intros d. destruct d. all: discriminate. Qed. (** Another way to structure that proof is with the semicolon _tactical_, which chains together tactics. The tactic [t1; t2] means to apply tactic [t1], then further apply tactic [t2] to all the subgoals generated by [t1]. *) Theorem day_never_repeats'' : forall d : day, next_day d <> d. Proof. intros d. destruct d; discriminate. Qed. (** Now let's prove that if the day after [d] is [tue], then [d] must be [mon]. To express that implication in a theorem we use the symbol [->], where [A -> B] means that if [A] is true, then so is [B]. *) Theorem mon_preceds_tues : forall d : day, next_day d = tue -> d = mon. (** Why does that theorem hold? An informal argument by case analysis would say that of all the 7 possible values of [d], 6 of them immediately fail to make [next_day d = true] hold, In fact, only [d=mon] does. So for each of the 7 cases, we either have a contradiction, _or_ we have a trivial equality. In Coq, we can express that proof as follows, where we use a new tactical [||] for "or". *) Proof. intros d next_day_is_tue. destruct d. all: discriminate || trivial. Qed. (** Let's pick apart that proof. - The first line introduces two assumptions into the proof: that [d] is a [day], and that [next_day d = tue]. The latter is the _antecedent_ of the implication that is being proved, i.e., the [P] in [P -> Q]; [Q] is called the _consequent_. We chose the name [next_day_is_tue] to record that assumption. Idiomatically, Coq programmers will often use short names like [H] for these kinds of _hypotheses_. - The second line does the case analysis on [d] as we did before. - The third line says to use [discriminate || trivial] on all the subgoals. That works like a short-circuit OR in OCaml: if [discriminate] fails to find a proof of the subgoal, then [trivial] will be used to find the proof instead. *) (**********************************************************************) (** ** Lists The Coq standard library includes lists. Some parts of the list library are already included by default, but not all are. To load the full list library, we need to issue the following commands: *) Require Import List. Import ListNotations. (** Coq lists are defined in essentially the same way as OCaml lists. A list is may contain any number of elements, and each element must have the same type. The empty list is represented with [nil], and [cons] creates a new list out of an element and an already existing list. The standard library defines lists as follows: *) Module MyList. Inductive list (A : Type) : Type := | nil : list A | cons : A -> list A -> list A. End MyList. (** (We wrapped that definition in its own [Module] so that, in the rest of this file, [list] still means the [list] in the standard library as opposed to the one we just defined ourselves.) *) (** Let's compare that to a similar OCaml definition of lists: << type 'a list = nil | cons of 'a * 'a list >> The ['a] is a type variable in the OCaml definition. Similarly, in the Coq definition, [list (A : Type) : Type] indicates that [list] is parameterized on a type [A]. Hence Coq's [list] is a type constructor just like OCaml's [list] is. In fact, if we check the type of [list], this becomes even clearer: *) Check list. (** << list : Type -> Type >> That is, [list] takes a type as input and returns a type as output. Also, notice the branches: << | nil : list A | cons : A -> list A -> list A. >> These say that [nil] already has type [list A], for any [A], and that [cons] is a _function_ that takes an [A] and a [list A] and returns a [list A]. So Coq's [cons] is truly a function, unlike OCaml's. (In OCaml you can't, for example, pass a constructor name to a function.) We can use pattern matching to code functions that take lists as inputs, just like in OCaml. *) Definition is_empty (A : Type) (lst : list A) := match lst with | nil => true | cons _ _ => false end. (** In [is_empty], we have explicitly given type annotations on two arguments. The first argument, [A], is the type of the list elements. The second argument, [lst], has type [list A]. OCaml never made us explicitly write down the element type as an input to functions, because the language is engineered to guarantee that type inference can always figure out those types. Coq's type system, however, is _vastly_ more expressive that OCaml's, hence type inference is a hard problem in Coq. Coq is therefore more strict about writing these things down. Like in OCaml, we can use syntactic sugar for lists, writing [[]] for [nil] and [::] for [cons]: *) Definition is_empty_sugar (A : Type) (lst : list A) := match lst with | [] => true | _::_ => false end. (** If we want to compute with [is_empty], we have to supply the type argument: *) Compute is_empty nat [1]. Compute is_empty nat []. (** In the second computation above, it wouldn't matter what type we pass in because the list is empty, but we do have to provide _some_ type as an argument. There are various ways in Coq of making this type argument something that the compiler infers, instead of the programmer having to provide. These are called _implicit arguments_. Here's one way to make an argument implicit: *) Definition is_empty' {A : Type} (lst : list A) := match lst with | [] => true | _::_ => false end. Compute is_empty' [1]. (** We put the [A:Type] parameter in braces instead of parentheses. This tells Coq that the argument should be inferred. As you can see, we didn't provide it in the example usage. In fact, Coq would reject [is_empty' nat [1]], because once we've made the argument implicit, we're actually not even allowed to provide it. If for some reason we really did need to explicitly provide an implicit argument, we could do that by prefixing the name of the function with [@]. For example: *) Compute @is_empty' nat [1]. (** To define recursive functions on lists, instead of OCaml's [let rec], Coq uses [Fixpoint] as a keyword. That perhaps-cryptic name comes from programming languages theory, where recursion can be defined as a so-called _fixed point_ of a function. Here is a definition of [length] for lists, and an example usage. Again, we do this in its own module to avoid clashing with the standard library's definition of [length]. *) Module MyLength. Fixpoint length {A : Type} (lst : list A) := match lst with | nil => 0 | _::t => 1 + length t end. Compute length [1;2]. End MyLength. (**********************************************************************) (** ** Options In the Coq standard library, options are defined as follows. (Once more we wrap the definition in its own module to avoid clashing with the standard library's own definition.) *) Module MyOption. Inductive option (A:Type) : Type := | Some : A -> option A | None : option A. End MyOption. (** Coq options are essentially the same as OCaml's. [Some] is a function that given a value of type [A], constructs an option containing that value. [None] is already a value that has type [option A] for any [A]. Here is a function [hd_opt]. It returns the head of a list, wrapped in [Some]. If the list is empty, it returns [None]. *) Definition hd_opt {A : Type} (lst : list A) : option A := match lst with | nil => None | x :: _ => Some x end. Compute hd_opt [1]. Compute @hd_opt nat []. (** The first of those example usages returns [Some 1 : option nat], and the second returns [None : option nat]. In the second, we are forced to explicitly provide the type argument, because Coq can't infer from just the empty list what kind of option it should be: should it be [option nat]? [option bool]? or something else? *) (** Now let's prove something about [hd_opt]: when applied to a list of length 0, it returns [None]. Informally, that holds because there are two possibilities of how a list is constructed: - if the list is [nil], then its length is certainly 0, and evaluation of [hd_opt]'s pattern match will choose the branch that returns [None]. - if the list is constructed with [cons], then its length is at least 1. That contradicts the assumption that its length is 0. The proof below uses exactly that reasoning. *) Theorem length0_implies_hdopt_is_none : forall A : Type, forall lst : list A, length lst = 0 -> hd_opt lst = None. Proof. intros A lst length_lst_is_0. destruct lst. trivial. discriminate. Qed. (** The first line of that proof, which uses the [intros] tactic, introduces three assumptions into the proof: That [A] is a type, that [lst] has type [list A], and that the length of [lst] is 0. The second line does the case analysis on [lst]: is it [nil] or [cons]? The next two tactics handle each of those cases. - The first case, where the list is [nil], is handled by [trivial], which finds a proof that [hd_opt nil = None]. It succeeds in doing that by first doing some computation, which reduces [hd_opt nil] to [None], then showing that [None = None] because equality is reflexive. - The second case, where the list is [cons], is handled by [discriminate], which finds a contradiction while trying to prove that [hd_opt (a :: lst) = None]. Of course, that equality is untrue: [hd_opt (a :: lst)] is actually [Some a]. So [discriminate] looks in the hypotheses of the proof and finds one that claims [length (a :: lst) = 0]. Of course, that's untrue, because [length (a :: lst)] is [1 + length lst], which is at least 1, and [1 <> 0]. The [discriminate] tactic detects that contradiction. You might recall from CS 2800 that from an assumption of [false], you are allowed to conclude anything. That's the reasoning being used here. When there are a few cases in a proof, as there were (two) in the previous proof, sometimes Coq programmers use _bullets_ to make the structure of their proofs apparent to readers. The bullets also help with _focusing_ the programmer's attention on the proof state during the process of constructing the proof. The bullets in the proof below, written [-], cause all but one subgoal to disappear. After a subgoal has been proved, the proof state reads "There are unfocused goals." The next bullet causes the next unfocused goal to become focused. This is probably best understood by stepping through the following proof in Coq and observing what happens to the proof state when each bullet is processed. *) Theorem length0_implies_hdopt_is_none' : forall A : Type, forall lst : list A, length lst = 0 -> hd_opt lst = None. Proof. intros A lst length_lst_is_0. destruct lst. - trivial. - discriminate. Qed. (** The characters [+] and [*] can also be used as bullets, as can [--], [---], etc. (**********************************************************************) ** Summary Coq is a functional programming language. It contains many of the same features as OCaml. In fact, Coq is implemented in OCaml. Coq is also a proof assistant. We can write programs and prove theorems about those programs. Coq searches for those proofs, and we guide its search with tactics. ** Terms and concepts - antecedent - case analysis - consequent - constructor - definition - fixpoint - function - goal - hypothesis - implicit argument - inductive type - proof search - proof state - reflexivity of equality - tactic - tactical - theorem ** Tactics - [auto] - [destruct] - [discriminate] - [intros] - [simpl] - [trivial] - tacticals: [all], [||], [;], [-], [*], [+] ** Further reading - _Software Foundations, Volume 1: Logical Foundations_. # Chapter 1: Basics.# - _Interactive Theorem Proving and Program Development_. Chapters 1 through 4. Available # online from the Cornell library#. *)