SlideShare ist ein Scribd-Unternehmen logo

Coq Tutorial

T
tmiya

2011/04/23 Coq Tutorial at Formal Methods Forum

Technologie
1 von 82
Downloaden Sie, um offline zu lesen
Formal Methods Forum Coq @tmiya April 20,2011 @tmiya : Coq , 1
0. Coq Coq Coq Coq • • Coq • • @tmiya : Coq , 2
1. Coq Lightweight • ( ) • • • • • • ( ) • • • or @tmiya : Coq , 3
1. Coq Coq INRIA OCaml CIC = Calculus of Inductive Construction tactic tactic Coq Coq OCaml, Haskell, Scheme @tmiya : Coq , 4
2. Coq Coq Coqtop, CoqIDE CUI Coqtop / : % coqtop Welcome to Coq 8.3pl1 (December 2010) Coq < Eval compute in (2+3). = 5 : nat Coq < Quit. % Coq CoqIDE coqide @tmiya : Coq , 5
2. Coq Proof General : emacs Proof General ~/.emacs (load-file "***/ProofGeneral/generic/proof-site.el") proof-site.el Coq (*.v) Proof General @tmiya : Coq , 6
3. Coq Coq < Definition x := 1. (* x *) x is defined (* := *) Coq < Check x. (* x *) x : nat (* nat = *) Coq < Print x. (* x *) x = 1 : nat Coq < Definition x := 2. (* x *) Error: x already exists (* --> *) Reset x. Module ( ) @tmiya : Coq , 7
3. Coq 1 2 Coq < Definition f x y := x - y. (* f *) f is defined Coq < Check f. f : nat -> nat -> nat (* nat->(nat->nat) *) Coq < Definition f’ := f 3. (* f’ y = f 3 y *) f’ is defined Coq < Check f’. f’ : nat -> nat (* nat nat *) Coq < Eval compute in (f’ 1). (* f’ 1 = f 3 1 = 2 *) = 2 : nat ( @tmiya : Coq , 8
3. Coq Coq < Check (fun x => 2 * x). (* *) fun x : nat => 2 * x : nat -> nat Coq < Eval compute in ((fun x => 2 * x) 3). = 6 : nat Coq < Definition double := (fun x => 2 * x). double is defined (* double *) Coq . @tmiya : Coq , 9
3. Coq Coq < Definition twice(f:nat->nat):nat->nat := Coq < fun x => f (f x). twice is defined Coq < Definition add5(x:nat) := x + 5. add5 is defined Coq < Definition twice_add5 := twice add5. twice_add5 is defined Coq < Eval compute in (twice_add5 2). = 12 : nat @tmiya : Coq , 10
3.1. int, float Coq nat ( ) Weekday Coq < Inductive Weekday : Set := Coq < Sun | Mon | Tue | Wed | Thr | Fri | Sat. Coq < Check Sun. Sun (* Sun *) : Weekday (* Weekday *) Coq < Check Weekday. Weekday (* *) : Set (* Set *) Set @tmiya : Coq , 11
3.1. ( ) Coq < Definition nextday d := Coq < match d with Coq < | Sun => Mon : (* *) Coq < | Sat => Sun Coq < end. nextday is defined Coq < Check nextday. nextday (* *) : Weekday -> Weekday Coq < Eval compute in (nextday Mon). (* *) prevday @tmiya : Coq , 12
3.1. Bool Coq < Inductive Bool : Set := Coq < | tru : Bool Coq < | fls : Bool. Coq < Definition And(b1 b2:Bool):Bool := Coq < match b1,b2 with Coq < | tru,tru => tru Coq < | _,_ => fls Coq < end. Or, Not Eval @tmiya : Coq , 13
3.1. bool ( ) bool Coq < Print bool. Coq < Print andb. Coq < Print orb. Coq < Print negb. bool Coq < Print unit. @tmiya : Coq , 14
3.1. De Morgan (1) Coq < Theorem De_Morgan_1 : forall b1 b2, Coq < Not (And b1 b2) = Or (Not b1) (Not b2). 1 subgoal ============================ forall b1 b2 : Bool, Not (And b1 b2) = Or (Not b1) (Not b2) De_Morgan_1 < intros. 1 subgoal (* b1 b2 *) b1 : Bool b2 : Bool ============================ Not (And b1 b2) = Or (Not b1) (Not b2) @tmiya : Coq , 15
3.1. De Morgan (2) De_Morgan_1 < destruct b1; destruct b2. 4 subgoals (* b1 b2 *) ============================ Not (And tru tru) = Or (Not tru) (Not tru) subgoal 2 is: Not (And tru fls) = Or (Not tru) (Not fls) subgoal 3 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 4 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 16
3.1. De Morgan (3) De_Morgan_1 < simpl. 4 subgoals (* *) ============================ fls = fls (* *) De_Morgan_1 < reflexivity. 3 subgoals (* = *) ============================ Not (And tru fls) = Or (Not tru) (Not fls) subgoal 2 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 3 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 17
3.1. De Morgan (4) De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. Proof completed. De_Morgan_1 < Qed. intros. destruct b1; destruct b2. simpl in |- *. reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. De_Morgan_1 is defined Not (Or b1 b2) = And (Not b1) (Not b2) @tmiya : Coq , 18
3.1. 1. Yes, Maybe, No Bool3 2. Bool3 And3, Or3, Not3 3. ( ) De Morgan @tmiya : Coq , 19
3.2. nat nat ( ) Coq < Print nat. Inductive nat : Set := O : nat | S : nat -> nat O( O) 0 S nat nat Peano Coq < Eval compute in (S (S (S O))). = 3 : nat S (S (S O)) Coq 3 @tmiya : Coq , 20
3.2. nat n Coq < Fixpoint add(n m:nat):nat := Coq < match n with Coq < | O => m Coq < | S n’ => S (add n’ m) Coq < end. add is recursively defined (decreasing on 1st argument) Fixpoint ( O) 0 S nat 1 nat Peano Coq < Eval compute in (add (S (S O)) (S O)). = 3 : nat (call-by-value) @tmiya : Coq , 21
3.2. nat _,_ OK Coq < Fixpoint eq_nat(n m:nat):bool := Coq < match n,m with Coq < | O,O => true Coq < | S n’, S m’ => eq_nat n’ m’ Coq < | _,_ => false Coq < end. Coq < Eval compute in (eq_nat 3 3). le_nat le_nat n m n≤m Coq ( ) @tmiya : Coq , 22
3.2. Coq ( ) n ({struct n} Coq ) Coq < Fixpoint add’(n m:nat){struct n} := Coq < match n with Coq < | O => m Coq < | S n’ => S (add’ n’ m) Coq < end. add’ is recursively defined (decreasing on 1st argument) add’ 2 3 add’ add’ (S (S O)) 3 = S (add’ (S O) 3) = S (S (add’ O 3)) = S (S 3) = 5. @tmiya : Coq , 23
3.2. ( ) Coq ( )( ) Coq ( Coq ) Coq ( ) (Coq ) Coq @tmiya : Coq , 24
3.2. 1. mul add 2. mul fact 3. sub n=0 sub 0 m = 0 4. div3 Eval Fixpoint div3(n:nat) := match n with | S (S (S n’)) => S (div3 n’) | _ => O end. sub div n m Coq ( ) @tmiya : Coq , 25
3.3. cond c vt vf c:bool true vt false vf vt, vf Set A Coq < Definition cond{A:Set}(c:bool)(vt vf:A) := Coq < match c with Coq < | true => vt Coq < | false => vf Coq < end. Coq < Eval compute in (cond true 2 3). = 2 : nat Coq < Eval compute in (cond false false true). = true : bool {A:Set} cond A ( ) Coq < Eval compute in (@cond nat false 2 3). @tmiya : Coq , 26
3.3. option ( ) null option (Haskell Maybe ) ( Coq sumor ) Coq < Print option. Inductive option (A : Type) : Type := Some : A -> option A | None : option A Definition option_map {A B:Type} (f:A->B)(o:option A) := match o with | Some a => Some (f a) | None => None end. Coq < Eval compute in (option_map (fun x => x + 1) (Some 1)). @tmiya : Coq , 27
3.3. prod sum prod A B A B prod A B A * B ( x , y , .. , z ) (pair .. (pair x y) .. z) Coq < Check (2,true,3). (2, true, 3) : nat * bool * nat prod fst, snd sum A B A B Coq < Definition test_sum (s:sum nat bool) := Coq < match s with Coq < | inl n => n Coq < | inr true => 1 Coq < | inr false => 0 Coq < end. prod, sum Curry-Howard @tmiya : Coq , 28
3.3. List List List :: cons Type Set (Check Set. ) Coq < Require Import List. Coq < Print list. Inductive list (A : Type) : Type := nil : list A | cons : A -> list A -> list A Coq < Check (1::2::nil). 1 :: 2 :: nil : list nat @tmiya : Coq , 29
3.3. List List List nil x::xs Coq < Fixpoint append{A:Type}(xs ys:list A):= Coq < match xs with Coq < | nil => ys Coq < | x::xs’ => x::(append xs’ ys) Coq < end. Coq < Eval compute in (append (1::2::nil) (3::4::nil)). Coq < Fixpoint olast{A:Type}(xs:list A):option A := Coq < match xs with Coq < | nil => None Coq < | a::nil => Some a Coq < | _::xs’ => olast xs’ Coq < end. Coq < Eval compute in (olast (1::2::3::nil)). @tmiya : Coq , 30
3.3. List 1. len{A:Type}(xs:list A):nat Eval compute in (len (1::2::3::nil)). 2. list bool true true all_true(xs:list bool):bool nil true 3. x Some x None ohead{A:Type}(xs:list A):option A 4. s, n s :: s+1 :: ... :: (s+n-1) :: nil nat_list(s n:nat):list nat 5. reverse{A:Type}(xs:list A):list A append @tmiya : Coq , 31
4. Bool De Morgan P Q ¬(P ∧ Q) ¬P ∨ ¬Q F F T T F T T T T F T T T T F F Bool, nat Inductive (nat O S n ) Coq Prop ( ) @tmiya : Coq , 32
4. P P ¬P ( ) ab a, b √ √ √ 2 1. a = b = 2 a, b ab = 2 √ √2 √ 2. ab √ a = √2 , b = 2 √ a, b √ 2 √2 √ 2 2 √ 2 ab = ( 2 ) = 2 = 2 =2 √ √ 2 2 (P) (~P) ab a, b ab a, b @tmiya : Coq , 33
4. ( ) Modus Ponens A A B B (Γ = ( ) ) Γ A Γ A → B (→ ) Γ B ( )→ Coq B Hab : A → B apply Hab. tactic A Ha : A exact Ha. @tmiya : Coq , 34
4. Coq tactic tactic assumption. exact H. trivial. ... H : A ... ------------------------ A exact . A∈Γ ( ) Γ A @tmiya : Coq , 35
4.1. → → A → B (CUI A -> B ) A intro Ha. tactic Ha : A B Coq ... Γ, A B (→ ) Γ A→B H1 → H2 → · · · → Hn → B intros H1 H2 ... Hn. intro intro. intros. Coq → Modus Ponens tactic apply . @tmiya : Coq , 36
4.1. → → (1) tactic Set P Prop P P P p : P ( Set, Prop Type ) Section imp_sample. Variables P Q R : Prop. Theorem imp_sample : (P -> (Q -> R)) -> (P -> Q) -> P -> R. 1 subgoal ============================ (P -> Q -> R) -> (P -> Q) -> P -> R === tactic → intro(s) @tmiya : Coq , 37
4.1. → → (2) → intros tactic intro(s) imp_sample < intros pqr pq p. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ R R pqr apply pqr. @tmiya : Coq , 38
4.1. → → (3) R apply pqr. pqr P -> Q -> P Q imp_sample < apply pqr. 2 subgoals pqr : P -> Q -> R pq : P -> Q p : P ============================ P subgoal 2 is: Q P assumption. @tmiya : Coq , 39
4.1. → → (4) P assumption. Q imp_sample < assumption. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ Q Q @tmiya : Coq , 40
4.1. → → (5) imp_sample < apply pq. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ P imp_sample < assumption. Proof completed. imp_sample < Qed. Qed. @tmiya : Coq , 41
4.2. ∧ ∧ (1) P ∧Q P Q pq : P / Q destruct pq as [p q]. tactic p : P q : Q destruct pq. p,q Coq P ∧Q P Q P ∧Q split. tactic P / Q P, Q Coq < Variable P Q R:Prop. Coq < Theorem and_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 42
4.2. ∧ ∧ (2) intro → ∧ and_assoc < intro pqr. 1 subgoal pqr : (P / Q) / R ============================ P / Q / R and_assoc < destruct pqr as [[p q] r]. 1 subgoal p : P q : Q r : R ============================ P / Q / R @tmiya : Coq , 43
4.2. ∧ ∧ (3) assumption ; tactic split assumption and_assoc < split. 2 subgoals ============================ P subgoal 2 is: Q / R and_assoc < assumption. 1 subgoal ============================ Q / R and_assoc < split; assumption. Proof completed. and_assoc < Qed. @tmiya : Coq , 44
4.3. ∨ ∨ (1) P ∨Q P Q pq : P / Q destruct pq as [pq].— tactic p : P q : Q destruct pq. p,q Coq P ∨Q P Q P ∨Q left. right. tactic P Q Coq < Variable P Q R:Prop. Coq < Theorem or_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 45
4.3. ∨ ∨ (2) intro → ∨ and_assoc < intro pqr. or_assoc < destruct pqr as [[p|q]|r]. 3 subgoals p : P ============================ P / Q / R subgoal 2 is: P / Q / R subgoal 3 is: P / Q / R @tmiya : Coq , 46
4.3. ∨ ∨ (3) assumption or_assoc < left. 3 subgoals p : P ============================ P or_assoc < assumption. 2 subgoals q : Q ============================ P / Q / R or_assoc < right; left. 2 subgoals q : Q ============================ Q OK @tmiya : Coq , 47
4.4. ¬ ¬ (1) ¬P P → False False Inductive False : Prop := ~P intro p. p : P False H : False elim H. np : ~P elim np. P (¬¬P P ) ( ) @tmiya : Coq , 48
4.4. ¬ ¬ (2) Coq < Theorem neg_sample : ~(P / ~P). 1 subgoal ============================ ~ (P / ~ P) neg_sample < intro. 1 subgoal H : P / ~ P ============================ False @tmiya : Coq , 49
4.4. ¬ ¬ (3) neg_sample < destruct H as [p np]. 1 subgoal p : P np : ~ P ============================ False neg_sample < elim np. p : P np : ~ P ============================ P neg_sample < assumption. Proof completed. @tmiya : Coq , 50
4.4. ¬ Variable A B C D:Prop. Theorem ex4_1 : (A -> C) / (B -> D) / A / B -> C / D. Theorem ex4_2 : ~~~A -> ~A. Theorem ex4_3 : (A -> B) -> ~B -> ~A. Theorem ex4_4 : ((((A -> B) -> A) -> A) -> B) -> B. Theorem ex4_5 : ~~(A/~A). @tmiya : Coq , 51
5. Curry-Howard Curry-Howard (1) Theorem imp_sample’ : (P -> (Q -> R)) -> (P -> Q) -> P -> R. imp_sample’ < intros pqr pq p. imp_sample’ < Check pq. pq : P -> Q imp_sample’ < Check (pq p). pq p : Q pq P -> Q P Q pq p Q @tmiya : Coq , 52
5. Curry-Howard Curry-Howard (2) pqr, pq, p R exact tactic imp_sample’ < Check (pqr p (pq p)). pqr p (pq p) : R imp_sample’ < exact (pqr p (pq p)). Proof completed. imp_sample Print Coq < Print imp_sample. imp_sample = fun (pqr : P -> Q -> R) (pq : P -> Q) (p : P) => pqr p (pq p) : (P -> Q -> R) -> (P -> Q) -> P -> R @tmiya : Coq , 53
5. Curry-Howard Curry-Howard (3) P P P→Q P -> Q Γ P ΓP→Q (→ ) pq p Γ Q Γ, P Q (→ ) pq (p:P):Q Γ P→Q P ∧Q prod { (P,Q) inl P P ∨Q sum inr Q Curry-Howard Curry-Howard = Coq @tmiya : Coq , 54
5. Curry-Howard Curry-Howard (4) Coq ( ) Java (P → Q → R) → (P → Q) → P → R interface Fun<A,B> { public B apply(A a); } public class P {} public class Q {} public class R {} public class Proof { public R imp_sample(Fun<P,Fun<Q,R>> pqr, Fun<P,Q> pq, P p) { return pqr.apply(p).apply(pq.apply(p)); } } (Java prod sum ¬ Java ) @tmiya : Coq , 55
6. a:A P a (∀a : A, P a) : forall (a:A), P a a:A P a (∃a : A, P a) : exists (a:A), P a Coq P a:A P a:Prop A -> Prop Coq a:A P : A → Prop Coq < Definition iszero(n:nat):Prop := Coq < match n with Coq < | O => True Coq < | _ => False Coq < end. iszero is defined @tmiya : Coq , 56
6. ∀ (1) forall intro(s) forall x:X x:X -> Coq < Theorem sample_forall : forall (X:Type)(P Q:X->Prop)(x:X), P x -> (forall y:X, Q y) -> (P x / Q x). ============================ forall (X : Type) (P Q : X -> Prop) (x : X), P x -> (forall y : X, Q y) -> P x / Q x sample_forall < intros X P Q x px Hqy. X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ P x / Q x @tmiya : Coq , 57
6. ∀ (2) forall y:X y X sample_forall < split. (* P x Q x *) sample_forall < assumption. (* P x px *) 1 subgoal X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ Q x sample_forall < apply (Hqy x). (* Hqy y x *) Proof completed. @tmiya : Coq , 58
6.2. ∃ ∃ (1) Coq < Theorem sample_exists : forall (P Q:nat->Prop), Coq < (forall n, P n) -> (exists n, Q n) -> Coq < (exists n, P n / Q n). sample_exists < intros P Q Hpn Hqn. 1 subgoal P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n @tmiya : Coq , 59
6.2. ∃ ∃ (2) exists destruct sample_exists < intros P Q Hpn Hqn. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n sample_exists < destruct Hqn as [n’ qn’]. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n @tmiya : Coq , 60
6.2. ∃ ∃ (3) exists x:X x:X exists x. sample_exists < destruct Hqn as [n’ qn’]. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n sample_exists < exists n’. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ P n’ / Q n’ (* *) @tmiya : Coq , 61
6.2. ∃ Theorem ex5_1 : forall (A:Set)(P:A->Prop), (~ exists a, P a) -> (forall a, ~P a). Theorem ex5_2 : forall (A:Set)(P Q:A->Prop), (exists a, P a / Q a) -> (exists a, P a) / (exists a, Q a). Theorem ex5_3 : forall (A:Set)(P Q:A->Prop), (exists a, P a) / (exists a, Q a) -> (exists a, P a / Q a). Theorem ex5_4 : forall (A:Set)(R:A->A->Prop), (exists x, forall y, R x y) -> (forall y, exists x, R x y). Theorem ex5_5 : forall (A:Set)(R:A->A->Prop), (forall x y, R x y -> R y x) -> (forall x y z, R x y -> R y z -> R x z) -> (forall x, exists y, R x y) -> (forall x, R x x). @tmiya : Coq , 62
6.3. = = (1) eq (= ) Inductive eq (A : Type) (x : A) : A -> Prop := refl_equal : x = x Coq (nat bool ) (nat O Sn ) (S m Sn m=n ) ============================ n = n apply (refl_equal n). tactic reflexivity. @tmiya : Coq , 63
6.3. = = (2) plus Print plus. tactic simpl. Coq < Theorem plus_0_l : forall n, 0 + n = n. plus_0_l < intro n. n : nat ============================ 0 + n = n plus_0_l < simpl. n : nat ============================ n = n plus_0_l < reflexivity. Proof completed. @tmiya : Coq , 64
6.4. (1) ∀n : nat, n + 0 = n simpl. ============================ n + 0 = n plus_0_r < simpl. ============================ n + 0 = n plus n m n n 1. n = 0 n+0=n 2. n = n n+0=n n=Sn n+0=n @tmiya : Coq , 65
6.4. (2) n induction n as [|n’]. induction n. tactic Coq nat_ind (P ) Coq < Check nat_ind. nat_ind : forall P : nat -> Prop, P 0 -> (forall n : nat, P n -> P (S n)) -> forall n : nat, P n nat_ind nat O : nat S : nat -> nat Inductive bool bool_ind bool_ind : forall P : bool -> Prop, P true -> P false -> forall b : bool, P b @tmiya : Coq , 66
6.4. (3) induction n as [|n’]. n 0 S n’ reflexivity. OK (simpl. ) Coq < Theorem plus_0_r : forall n:nat, n + 0 = n. plus_0_r < induction n as [|n’]. 2 subgoals ============================ 0 + 0 = 0 subgoal 2 is: S n’ + 0 = S n’ plus_0_r < reflexivity. 1 subgoal n’ : nat IHn’ : n’ + 0 = n’ ============================ S n’ + 0 = S n’ @tmiya : Coq , 67
6.4. (4) n = S n’ n = n’ IHn’ S n’ + 0 = S n’ simpl. plus S (n’ + 0)= S n’ IHn’ n’ + 0 n’ rewrite IHn’. rewrite ============================ S n’ + 0 = S n’ plus_0_r < simpl. IHn’ : n’ + 0 = n’ ============================ S (n’ + 0) = S n’ plus_0_r < rewrite IHn’. IHn’ : n’ + 0 = n’ ============================ S n’ = S n’ @tmiya : Coq , 68
6.4. :m + n = n + m SearchAbout Coq < SearchAbout plus. plus_n_O: forall n : nat, n = n + 0 plus_O_n: forall n : nat, 0 + n = n plus_n_Sm: forall n m : nat, S (n + m) = n + S m plus_Sn_m: forall n m : nat, S n + m = S (n + m) mult_n_Sm: forall n m : nat, n * m + n = n * S m rewrite ( rewrite <- plus_n_Sm n’ m. rewrite H. H rewrite <- H. ) Theorem plus_comm : forall m n:nat, m + n = n + m. @tmiya : Coq , 69
6.4. (5) nat list A Theorem length_app : forall (A:Type)(l1 l2:list A), length (l1 ++ l2) = length l1 + length l2. list cons induction l1 as [|a l1’]. ( induction l1.) induction ( l2) intro 1. intros A l1 l2. induction l1 as [|a l1’]. 2. intros A l1. induction l1 as [|a l1’]. intro l2. IHl1’ (Coqtop Undo. ) @tmiya : Coq , 70
6.4. : (1) List append reverse Require Import List. Fixpoint append{A:Type}(l1 l2:list A):= match l1 with | nil => l2 | a::l1’ => a::(append l1’ l2) end. Fixpoint reverse{A:Type}(l:list A):= match l with | nil => nil | a::l’ => append (reverse l’) (a::nil) end. Theorem reverse_reverse : forall (A:Type)(l:list A), reverse (reverse l) = l. @tmiya : Coq , 71
6.4. : (2) reverse_reverse Lemma append_nil : forall (A:Type)(l:list A), append l nil = l. Lemma append_assoc : forall (A:Type)(l1 l2 l3:list A), append (append l1 l2) l3 = append l1 (append l2 l3). Lemma reverse_append : forall (A:Type)(l1 l2:list A), reverse (append l1 l2) = append (reverse l2) (reverse l1). @tmiya : Coq , 72
7. (1) Coq nat minus(n m:nat) n≤m 0 n−m+m =n ( ) sub Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1. H n≤m n≤m 2. x = m−n x +n = m ( ) @tmiya : Coq , 73
7. (2) Coq nat Arith Require Import Arith. (* Arith *) Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1 subgoal m : nat n : nat H : n <= m ============================ {x : nat | x + n = m} m, n intro generalize dependent sub < generalize dependent m. sub < generalize dependent n. ============================ forall n m : nat, n <= m -> {x : nat | x + n = m} @tmiya : Coq , 74
7. (3) eapply, erewrite apply, rewrite Qed. Defined. induction n as [|n’]. (* n=0 *) intros m H. exists m. eapply plus_0_r. (* n=S n’ *) induction m as [|m’]; intro H. (* m=0 *) assert(H’: ~(S n’ <= 0)). eapply le_Sn_0. elim H’. assumption. (* m=S m’ *) assert(H’: n’ <= m’). eapply le_S_n. assumption. assert(IH: {x:nat|x+n’=m’}). eapply IHn’. assumption. destruct IH as [x IH]. exists x. erewrite <- plus_n_Sm. rewrite IH. reflexivity. Defined. @tmiya : Coq , 75
7. (4) sub Print sub. sub OCaml minus Coq < Extraction sub. (** val sub : nat -> nat -> nat **) let rec sub m = function | O -> m | S n0 -> (match m with | O -> assert false (* absurd case *) | S n1 -> let iH = sub n1 n0 in Obj.magic iH) OCaml H @tmiya : Coq , 76
7. (5) H Theorem le_2_5 : le 2 5. Proof. repeat eapply le_n_S. repeat constructor. Qed. Eval compute in (sub 5 2 le_2_5). (* *) Eval compute in (proj1_sig (sub 5 2 le_2_5)). (* = 3:nat *) {x|x+n=m} x proj1_sig @tmiya : Coq , 77
7. minus sub minus Definition sub’(m n:nat)(H:le n m) : {x:nat|x+n=m}. Proof. (* minus *) Defined. Coq 1. minus minus 2. minus sub’ 3. refine tactic (refine ) 4. sub @tmiya : Coq , 78
8. Coq tactic (auto, ring, omega ) (Arith, List, String ) Haskell, OCaml (inversion, refine ) tactic Module @tmiya : Coq , 79
8. Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions, Yves Berrot and Pierre Casteran (Springer-Verlag) : Coq Certified Programming with Dependent Types, Adam Chlipala (http://adam.chlipala.net/cpdt/) : Coq 2010 III (http://www.math.nagoya-u.ac.jp/~garrigue/lecture/ 2010_AW/index.html) : Garrigue PDF Coq in a Hurry, Yves Bertot (http://cel.archives-ouvertes.fr/docs/00/47/ 58/07/PDF/coq-hurry.pdf) : 2nd Asian-Pacific Summer School on Formal Methods (http://formes.asia/cms/coqschool/2010) : @tmiya : Coq , 80
8. Coq ProofCafe Coq CPDT Coq IT Coq Ruby, Clojure, Scala, Javascript Coq Coq http://coq.g.hatena.ne.jp/keyword/ProofCafe @tmiya : Coq , 81
8. Formal Methods Forum Coq ( ) ( ) Google group Coq 2010 Certified Programming with Dependent Types Coq Google group (http://groups.google.co.jp/group/fm-forum) Coq @tmiya : Coq , 82

Empfohlen

よくわかるCoqプログラミング
よくわかるCoqプログラミングよくわかるCoqプログラミング
よくわかるCoqプログラミングReal_analysis
 
Coqチュートリアル
CoqチュートリアルCoqチュートリアル
CoqチュートリアルYoshihiro Mizoguchi
 
書くネタがCoqしかない
書くネタがCoqしかない書くネタがCoqしかない
書くネタがCoqしかないMasaki Hara
 
純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門Kimikazu Kato
 
証明プログラミング超入門
証明プログラミング超入門証明プログラミング超入門
証明プログラミング超入門Kyoko Kadowaki
 
ラムダ計算入門
ラムダ計算入門ラムダ計算入門
ラムダ計算入門Eita Sugimoto
 
証明プログラミング入門2
証明プログラミング入門2証明プログラミング入門2
証明プログラミング入門2Kyoko Kadowaki
 
定理証明支援系Coqについて
定理証明支援系Coqについて定理証明支援系Coqについて
定理証明支援系CoqについてYoshihiro Mizoguchi
 

Empfohlen

よくわかるCoqプログラミング
よくわかるCoqプログラミングよくわかるCoqプログラミング
よくわかるCoqプログラミングReal_analysis
 
Coqチュートリアル
CoqチュートリアルCoqチュートリアル
CoqチュートリアルYoshihiro Mizoguchi
 
書くネタがCoqしかない
書くネタがCoqしかない書くネタがCoqしかない
書くネタがCoqしかないMasaki Hara
 
純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門Kimikazu Kato
 
証明プログラミング超入門
証明プログラミング超入門証明プログラミング超入門
証明プログラミング超入門Kyoko Kadowaki
 
ラムダ計算入門
ラムダ計算入門ラムダ計算入門
ラムダ計算入門Eita Sugimoto
 
証明プログラミング入門2
証明プログラミング入門2証明プログラミング入門2
証明プログラミング入門2Kyoko Kadowaki
 
定理証明支援系Coqについて
定理証明支援系Coqについて定理証明支援系Coqについて
定理証明支援系CoqについてYoshihiro Mizoguchi
 
自動定理証明の紹介
自動定理証明の紹介自動定理証明の紹介
自動定理証明の紹介Masahiro Sakai
 
「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界maruyama097
 
ホモトピー型理論入門
ホモトピー型理論入門ホモトピー型理論入門
ホモトピー型理論入門k h
 
これだけ知っときゃなんとかなるVim
これだけ知っときゃなんとかなるVimこれだけ知っときゃなんとかなるVim
これだけ知っときゃなんとかなるVimarisu yano
 
文字列検索のいろいろ
文字列検索のいろいろ文字列検索のいろいろ
文字列検索のいろいろKazuma Mikami
 
勉強か?趣味か?人生か?―プログラミングコンテストとは
勉強か?趣味か?人生か?―プログラミングコンテストとは勉強か?趣味か?人生か?―プログラミングコンテストとは
勉強か?趣味か?人生か?―プログラミングコンテストとはTakuya Akiba
 
指数時間アルゴリズム入門
指数時間アルゴリズム入門指数時間アルゴリズム入門
指数時間アルゴリズム入門Yoichi Iwata
 
Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪Yusuke Mori
 
Quine・難解プログラミングについて
Quine・難解プログラミングについてQuine・難解プログラミングについて
Quine・難解プログラミングについてmametter
 
RSA鍵生成脆弱性ROCAの紹介
RSA鍵生成脆弱性ROCAの紹介RSA鍵生成脆弱性ROCAの紹介
RSA鍵生成脆弱性ROCAの紹介MITSUNARI Shigeo
 
関数プログラミング入門
関数プログラミング入門関数プログラミング入門
関数プログラミング入門Hideyuki Tanaka
 
パターン認識第9章 学習ベクトル量子化
パターン認識第9章 学習ベクトル量子化パターン認識第9章 学習ベクトル量子化
パターン認識第9章 学習ベクトル量子化Miyoshi Yuya
 
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~Takuya Akiba
 
Intoduction to Homotopy Type Therory
Intoduction to Homotopy Type TheroryIntoduction to Homotopy Type Therory
Intoduction to Homotopy Type TheroryJack Fox
 
動的計画法を極める!
動的計画法を極める!動的計画法を極める!
動的計画法を極める!HCPC: 北海道大学競技プログラミングサークル
 
Code Contracts in .NET 4
Code Contracts in .NET 4Code Contracts in .NET 4
Code Contracts in .NET 4信之 岩永
 
圏とHaskellの型
圏とHaskellの型圏とHaskellの型
圏とHaskellの型KinebuchiTomo
 
これから Haskell を書くにあたって
これから Haskell を書くにあたってこれから Haskell を書くにあたって
これから Haskell を書くにあたってTsuyoshi Matsudate
 
楕円曲線入門 トーラスと楕円曲線のつながり
楕円曲線入門 トーラスと楕円曲線のつながり楕円曲線入門 トーラスと楕円曲線のつながり
楕円曲線入門 トーラスと楕円曲線のつながりMITSUNARI Shigeo
 
今からでも遅くないSmalltalk入門
今からでも遅くないSmalltalk入門今からでも遅くないSmalltalk入門
今からでも遅くないSmalltalk入門Masashi Umezawa
 
Coq for ML users
Coq for ML usersCoq for ML users
Coq for ML userstmiya
 
Proofsummit2011a
Proofsummit2011aProofsummit2011a
Proofsummit2011atmiya
 

Weitere ähnliche Inhalte

Was ist angesagt?

自動定理証明の紹介
自動定理証明の紹介自動定理証明の紹介
自動定理証明の紹介Masahiro Sakai
 
「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界maruyama097
 
ホモトピー型理論入門
ホモトピー型理論入門ホモトピー型理論入門
ホモトピー型理論入門k h
 
これだけ知っときゃなんとかなるVim
これだけ知っときゃなんとかなるVimこれだけ知っときゃなんとかなるVim
これだけ知っときゃなんとかなるVimarisu yano
 
文字列検索のいろいろ
文字列検索のいろいろ文字列検索のいろいろ
文字列検索のいろいろKazuma Mikami
 
勉強か?趣味か?人生か?―プログラミングコンテストとは
勉強か?趣味か?人生か?―プログラミングコンテストとは勉強か?趣味か?人生か?―プログラミングコンテストとは
勉強か?趣味か?人生か?―プログラミングコンテストとはTakuya Akiba
 
指数時間アルゴリズム入門
指数時間アルゴリズム入門指数時間アルゴリズム入門
指数時間アルゴリズム入門Yoichi Iwata
 
Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪Yusuke Mori
 
Quine・難解プログラミングについて
Quine・難解プログラミングについてQuine・難解プログラミングについて
Quine・難解プログラミングについてmametter
 
RSA鍵生成脆弱性ROCAの紹介
RSA鍵生成脆弱性ROCAの紹介RSA鍵生成脆弱性ROCAの紹介
RSA鍵生成脆弱性ROCAの紹介MITSUNARI Shigeo
 
関数プログラミング入門
関数プログラミング入門関数プログラミング入門
関数プログラミング入門Hideyuki Tanaka
 
パターン認識第9章 学習ベクトル量子化
パターン認識第9章 学習ベクトル量子化パターン認識第9章 学習ベクトル量子化
パターン認識第9章 学習ベクトル量子化Miyoshi Yuya
 
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~Takuya Akiba
 
Intoduction to Homotopy Type Therory
Intoduction to Homotopy Type TheroryIntoduction to Homotopy Type Therory
Intoduction to Homotopy Type TheroryJack Fox
 
Code Contracts in .NET 4
Code Contracts in .NET 4Code Contracts in .NET 4
Code Contracts in .NET 4信之 岩永
 
これから Haskell を書くにあたって
これから Haskell を書くにあたってこれから Haskell を書くにあたって
これから Haskell を書くにあたってTsuyoshi Matsudate
 
楕円曲線入門 トーラスと楕円曲線のつながり
楕円曲線入門 トーラスと楕円曲線のつながり楕円曲線入門 トーラスと楕円曲線のつながり
楕円曲線入門 トーラスと楕円曲線のつながりMITSUNARI Shigeo
 
今からでも遅くないSmalltalk入門
今からでも遅くないSmalltalk入門今からでも遅くないSmalltalk入門
今からでも遅くないSmalltalk入門Masashi Umezawa
 

Was ist angesagt? (20)

自動定理証明の紹介
自動定理証明の紹介自動定理証明の紹介
自動定理証明の紹介
 
「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界
 
ホモトピー型理論入門
ホモトピー型理論入門ホモトピー型理論入門
ホモトピー型理論入門
 
これだけ知っときゃなんとかなるVim
これだけ知っときゃなんとかなるVimこれだけ知っときゃなんとかなるVim
これだけ知っときゃなんとかなるVim
 
文字列検索のいろいろ
文字列検索のいろいろ文字列検索のいろいろ
文字列検索のいろいろ
 
勉強か?趣味か?人生か?―プログラミングコンテストとは
勉強か?趣味か?人生か?―プログラミングコンテストとは勉強か?趣味か?人生か?―プログラミングコンテストとは
勉強か?趣味か?人生か?―プログラミングコンテストとは
 
指数時間アルゴリズム入門
指数時間アルゴリズム入門指数時間アルゴリズム入門
指数時間アルゴリズム入門
 
Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪
 
Quine・難解プログラミングについて
Quine・難解プログラミングについてQuine・難解プログラミングについて
Quine・難解プログラミングについて
 
RSA鍵生成脆弱性ROCAの紹介
RSA鍵生成脆弱性ROCAの紹介RSA鍵生成脆弱性ROCAの紹介
RSA鍵生成脆弱性ROCAの紹介
 
関数プログラミング入門
関数プログラミング入門関数プログラミング入門
関数プログラミング入門
 
パターン認識第9章 学習ベクトル量子化
パターン認識第9章 学習ベクトル量子化パターン認識第9章 学習ベクトル量子化
パターン認識第9章 学習ベクトル量子化
 
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
プログラミングコンテストでのデータ構造 2 ~平衡二分探索木編~
 
Intoduction to Homotopy Type Therory
Intoduction to Homotopy Type TheroryIntoduction to Homotopy Type Therory
Intoduction to Homotopy Type Therory
 
動的計画法を極める!
動的計画法を極める!動的計画法を極める!
動的計画法を極める!
 
Code Contracts in .NET 4
Code Contracts in .NET 4Code Contracts in .NET 4
Code Contracts in .NET 4
 
圏とHaskellの型
圏とHaskellの型圏とHaskellの型
圏とHaskellの型
 
これから Haskell を書くにあたって
これから Haskell を書くにあたってこれから Haskell を書くにあたって
これから Haskell を書くにあたって
 
楕円曲線入門 トーラスと楕円曲線のつながり
楕円曲線入門 トーラスと楕円曲線のつながり楕円曲線入門 トーラスと楕円曲線のつながり
楕円曲線入門 トーラスと楕円曲線のつながり
 
今からでも遅くないSmalltalk入門
今からでも遅くないSmalltalk入門今からでも遅くないSmalltalk入門
今からでも遅くないSmalltalk入門
 

Mehr von tmiya

Coq for ML users
Coq for ML usersCoq for ML users
Coq for ML userstmiya
 
Proofsummit2011a
Proofsummit2011aProofsummit2011a
Proofsummit2011atmiya
 
Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011tmiya
 
Typeclass
TypeclassTypeclass
Typeclasstmiya
 
RegExp20110305
RegExp20110305RegExp20110305
RegExp20110305tmiya
 
Coq setoid 20110129
Coq setoid 20110129Coq setoid 20110129
Coq setoid 20110129tmiya
 
Coq Party 20101127
Coq Party 20101127Coq Party 20101127
Coq Party 20101127tmiya
 
Maude20100719
Maude20100719Maude20100719
Maude20100719tmiya
 
Formal methods20100529
Formal methods20100529Formal methods20100529
Formal methods20100529tmiya
 
Coq 20100208a
Coq 20100208aCoq 20100208a
Coq 20100208atmiya
 

Mehr von tmiya (10)

Coq for ML users
Coq for ML usersCoq for ML users
Coq for ML users
 
Proofsummit2011a
Proofsummit2011aProofsummit2011a
Proofsummit2011a
 
Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011
 
Typeclass
TypeclassTypeclass
Typeclass
 
RegExp20110305
RegExp20110305RegExp20110305
RegExp20110305
 
Coq setoid 20110129
Coq setoid 20110129Coq setoid 20110129
Coq setoid 20110129
 
Coq Party 20101127
Coq Party 20101127Coq Party 20101127
Coq Party 20101127
 
Maude20100719
Maude20100719Maude20100719
Maude20100719
 
Formal methods20100529
Formal methods20100529Formal methods20100529
Formal methods20100529
 
Coq 20100208a
Coq 20100208aCoq 20100208a
Coq 20100208a
 

Kürzlich hochgeladen

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Coq Tutorial

  • 1. Formal Methods Forum Coq @tmiya April 20,2011 @tmiya : Coq , 1
  • 2. 0. Coq Coq Coq Coq • • Coq • • @tmiya : Coq , 2
  • 3. 1. Coq Lightweight • ( ) • • • • • • ( ) • • • or @tmiya : Coq , 3
  • 4. 1. Coq Coq INRIA OCaml CIC = Calculus of Inductive Construction tactic tactic Coq Coq OCaml, Haskell, Scheme @tmiya : Coq , 4
  • 5. 2. Coq Coq Coqtop, CoqIDE CUI Coqtop / : % coqtop Welcome to Coq 8.3pl1 (December 2010) Coq < Eval compute in (2+3). = 5 : nat Coq < Quit. % Coq CoqIDE coqide @tmiya : Coq , 5
  • 6. 2. Coq Proof General : emacs Proof General ~/.emacs (load-file "***/ProofGeneral/generic/proof-site.el") proof-site.el Coq (*.v) Proof General @tmiya : Coq , 6
  • 7. 3. Coq Coq < Definition x := 1. (* x *) x is defined (* := *) Coq < Check x. (* x *) x : nat (* nat = *) Coq < Print x. (* x *) x = 1 : nat Coq < Definition x := 2. (* x *) Error: x already exists (* --> *) Reset x. Module ( ) @tmiya : Coq , 7
  • 8. 3. Coq 1 2 Coq < Definition f x y := x - y. (* f *) f is defined Coq < Check f. f : nat -> nat -> nat (* nat->(nat->nat) *) Coq < Definition f’ := f 3. (* f’ y = f 3 y *) f’ is defined Coq < Check f’. f’ : nat -> nat (* nat nat *) Coq < Eval compute in (f’ 1). (* f’ 1 = f 3 1 = 2 *) = 2 : nat ( @tmiya : Coq , 8
  • 9. 3. Coq Coq < Check (fun x => 2 * x). (* *) fun x : nat => 2 * x : nat -> nat Coq < Eval compute in ((fun x => 2 * x) 3). = 6 : nat Coq < Definition double := (fun x => 2 * x). double is defined (* double *) Coq . @tmiya : Coq , 9
  • 10. 3. Coq Coq < Definition twice(f:nat->nat):nat->nat := Coq < fun x => f (f x). twice is defined Coq < Definition add5(x:nat) := x + 5. add5 is defined Coq < Definition twice_add5 := twice add5. twice_add5 is defined Coq < Eval compute in (twice_add5 2). = 12 : nat @tmiya : Coq , 10
  • 11. 3.1. int, float Coq nat ( ) Weekday Coq < Inductive Weekday : Set := Coq < Sun | Mon | Tue | Wed | Thr | Fri | Sat. Coq < Check Sun. Sun (* Sun *) : Weekday (* Weekday *) Coq < Check Weekday. Weekday (* *) : Set (* Set *) Set @tmiya : Coq , 11
  • 12. 3.1. ( ) Coq < Definition nextday d := Coq < match d with Coq < | Sun => Mon : (* *) Coq < | Sat => Sun Coq < end. nextday is defined Coq < Check nextday. nextday (* *) : Weekday -> Weekday Coq < Eval compute in (nextday Mon). (* *) prevday @tmiya : Coq , 12
  • 13. 3.1. Bool Coq < Inductive Bool : Set := Coq < | tru : Bool Coq < | fls : Bool. Coq < Definition And(b1 b2:Bool):Bool := Coq < match b1,b2 with Coq < | tru,tru => tru Coq < | _,_ => fls Coq < end. Or, Not Eval @tmiya : Coq , 13
  • 14. 3.1. bool ( ) bool Coq < Print bool. Coq < Print andb. Coq < Print orb. Coq < Print negb. bool Coq < Print unit. @tmiya : Coq , 14
  • 15. 3.1. De Morgan (1) Coq < Theorem De_Morgan_1 : forall b1 b2, Coq < Not (And b1 b2) = Or (Not b1) (Not b2). 1 subgoal ============================ forall b1 b2 : Bool, Not (And b1 b2) = Or (Not b1) (Not b2) De_Morgan_1 < intros. 1 subgoal (* b1 b2 *) b1 : Bool b2 : Bool ============================ Not (And b1 b2) = Or (Not b1) (Not b2) @tmiya : Coq , 15
  • 16. 3.1. De Morgan (2) De_Morgan_1 < destruct b1; destruct b2. 4 subgoals (* b1 b2 *) ============================ Not (And tru tru) = Or (Not tru) (Not tru) subgoal 2 is: Not (And tru fls) = Or (Not tru) (Not fls) subgoal 3 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 4 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 16
  • 17. 3.1. De Morgan (3) De_Morgan_1 < simpl. 4 subgoals (* *) ============================ fls = fls (* *) De_Morgan_1 < reflexivity. 3 subgoals (* = *) ============================ Not (And tru fls) = Or (Not tru) (Not fls) subgoal 2 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 3 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 17
  • 18. 3.1. De Morgan (4) De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. Proof completed. De_Morgan_1 < Qed. intros. destruct b1; destruct b2. simpl in |- *. reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. De_Morgan_1 is defined Not (Or b1 b2) = And (Not b1) (Not b2) @tmiya : Coq , 18
  • 19. 3.1. 1. Yes, Maybe, No Bool3 2. Bool3 And3, Or3, Not3 3. ( ) De Morgan @tmiya : Coq , 19
  • 20. 3.2. nat nat ( ) Coq < Print nat. Inductive nat : Set := O : nat | S : nat -> nat O( O) 0 S nat nat Peano Coq < Eval compute in (S (S (S O))). = 3 : nat S (S (S O)) Coq 3 @tmiya : Coq , 20
  • 21. 3.2. nat n Coq < Fixpoint add(n m:nat):nat := Coq < match n with Coq < | O => m Coq < | S n’ => S (add n’ m) Coq < end. add is recursively defined (decreasing on 1st argument) Fixpoint ( O) 0 S nat 1 nat Peano Coq < Eval compute in (add (S (S O)) (S O)). = 3 : nat (call-by-value) @tmiya : Coq , 21
  • 22. 3.2. nat _,_ OK Coq < Fixpoint eq_nat(n m:nat):bool := Coq < match n,m with Coq < | O,O => true Coq < | S n’, S m’ => eq_nat n’ m’ Coq < | _,_ => false Coq < end. Coq < Eval compute in (eq_nat 3 3). le_nat le_nat n m n≤m Coq ( ) @tmiya : Coq , 22
  • 23. 3.2. Coq ( ) n ({struct n} Coq ) Coq < Fixpoint add’(n m:nat){struct n} := Coq < match n with Coq < | O => m Coq < | S n’ => S (add’ n’ m) Coq < end. add’ is recursively defined (decreasing on 1st argument) add’ 2 3 add’ add’ (S (S O)) 3 = S (add’ (S O) 3) = S (S (add’ O 3)) = S (S 3) = 5. @tmiya : Coq , 23
  • 24. 3.2. ( ) Coq ( )( ) Coq ( Coq ) Coq ( ) (Coq ) Coq @tmiya : Coq , 24
  • 25. 3.2. 1. mul add 2. mul fact 3. sub n=0 sub 0 m = 0 4. div3 Eval Fixpoint div3(n:nat) := match n with | S (S (S n’)) => S (div3 n’) | _ => O end. sub div n m Coq ( ) @tmiya : Coq , 25
  • 26. 3.3. cond c vt vf c:bool true vt false vf vt, vf Set A Coq < Definition cond{A:Set}(c:bool)(vt vf:A) := Coq < match c with Coq < | true => vt Coq < | false => vf Coq < end. Coq < Eval compute in (cond true 2 3). = 2 : nat Coq < Eval compute in (cond false false true). = true : bool {A:Set} cond A ( ) Coq < Eval compute in (@cond nat false 2 3). @tmiya : Coq , 26
  • 27. 3.3. option ( ) null option (Haskell Maybe ) ( Coq sumor ) Coq < Print option. Inductive option (A : Type) : Type := Some : A -> option A | None : option A Definition option_map {A B:Type} (f:A->B)(o:option A) := match o with | Some a => Some (f a) | None => None end. Coq < Eval compute in (option_map (fun x => x + 1) (Some 1)). @tmiya : Coq , 27
  • 28. 3.3. prod sum prod A B A B prod A B A * B ( x , y , .. , z ) (pair .. (pair x y) .. z) Coq < Check (2,true,3). (2, true, 3) : nat * bool * nat prod fst, snd sum A B A B Coq < Definition test_sum (s:sum nat bool) := Coq < match s with Coq < | inl n => n Coq < | inr true => 1 Coq < | inr false => 0 Coq < end. prod, sum Curry-Howard @tmiya : Coq , 28
  • 29. 3.3. List List List :: cons Type Set (Check Set. ) Coq < Require Import List. Coq < Print list. Inductive list (A : Type) : Type := nil : list A | cons : A -> list A -> list A Coq < Check (1::2::nil). 1 :: 2 :: nil : list nat @tmiya : Coq , 29
  • 30. 3.3. List List List nil x::xs Coq < Fixpoint append{A:Type}(xs ys:list A):= Coq < match xs with Coq < | nil => ys Coq < | x::xs’ => x::(append xs’ ys) Coq < end. Coq < Eval compute in (append (1::2::nil) (3::4::nil)). Coq < Fixpoint olast{A:Type}(xs:list A):option A := Coq < match xs with Coq < | nil => None Coq < | a::nil => Some a Coq < | _::xs’ => olast xs’ Coq < end. Coq < Eval compute in (olast (1::2::3::nil)). @tmiya : Coq , 30
  • 31. 3.3. List 1. len{A:Type}(xs:list A):nat Eval compute in (len (1::2::3::nil)). 2. list bool true true all_true(xs:list bool):bool nil true 3. x Some x None ohead{A:Type}(xs:list A):option A 4. s, n s :: s+1 :: ... :: (s+n-1) :: nil nat_list(s n:nat):list nat 5. reverse{A:Type}(xs:list A):list A append @tmiya : Coq , 31
  • 32. 4. Bool De Morgan P Q ¬(P ∧ Q) ¬P ∨ ¬Q F F T T F T T T T F T T T T F F Bool, nat Inductive (nat O S n ) Coq Prop ( ) @tmiya : Coq , 32
  • 33. 4. P P ¬P ( ) ab a, b √ √ √ 2 1. a = b = 2 a, b ab = 2 √ √2 √ 2. ab √ a = √2 , b = 2 √ a, b √ 2 √2 √ 2 2 √ 2 ab = ( 2 ) = 2 = 2 =2 √ √ 2 2 (P) (~P) ab a, b ab a, b @tmiya : Coq , 33
  • 34. 4. ( ) Modus Ponens A A B B (Γ = ( ) ) Γ A Γ A → B (→ ) Γ B ( )→ Coq B Hab : A → B apply Hab. tactic A Ha : A exact Ha. @tmiya : Coq , 34
  • 35. 4. Coq tactic tactic assumption. exact H. trivial. ... H : A ... ------------------------ A exact . A∈Γ ( ) Γ A @tmiya : Coq , 35
  • 36. 4.1. → → A → B (CUI A -> B ) A intro Ha. tactic Ha : A B Coq ... Γ, A B (→ ) Γ A→B H1 → H2 → · · · → Hn → B intros H1 H2 ... Hn. intro intro. intros. Coq → Modus Ponens tactic apply . @tmiya : Coq , 36
  • 37. 4.1. → → (1) tactic Set P Prop P P P p : P ( Set, Prop Type ) Section imp_sample. Variables P Q R : Prop. Theorem imp_sample : (P -> (Q -> R)) -> (P -> Q) -> P -> R. 1 subgoal ============================ (P -> Q -> R) -> (P -> Q) -> P -> R === tactic → intro(s) @tmiya : Coq , 37
  • 38. 4.1. → → (2) → intros tactic intro(s) imp_sample < intros pqr pq p. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ R R pqr apply pqr. @tmiya : Coq , 38
  • 39. 4.1. → → (3) R apply pqr. pqr P -> Q -> P Q imp_sample < apply pqr. 2 subgoals pqr : P -> Q -> R pq : P -> Q p : P ============================ P subgoal 2 is: Q P assumption. @tmiya : Coq , 39
  • 40. 4.1. → → (4) P assumption. Q imp_sample < assumption. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ Q Q @tmiya : Coq , 40
  • 41. 4.1. → → (5) imp_sample < apply pq. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ P imp_sample < assumption. Proof completed. imp_sample < Qed. Qed. @tmiya : Coq , 41
  • 42. 4.2. ∧ ∧ (1) P ∧Q P Q pq : P / Q destruct pq as [p q]. tactic p : P q : Q destruct pq. p,q Coq P ∧Q P Q P ∧Q split. tactic P / Q P, Q Coq < Variable P Q R:Prop. Coq < Theorem and_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 42
  • 43. 4.2. ∧ ∧ (2) intro → ∧ and_assoc < intro pqr. 1 subgoal pqr : (P / Q) / R ============================ P / Q / R and_assoc < destruct pqr as [[p q] r]. 1 subgoal p : P q : Q r : R ============================ P / Q / R @tmiya : Coq , 43
  • 44. 4.2. ∧ ∧ (3) assumption ; tactic split assumption and_assoc < split. 2 subgoals ============================ P subgoal 2 is: Q / R and_assoc < assumption. 1 subgoal ============================ Q / R and_assoc < split; assumption. Proof completed. and_assoc < Qed. @tmiya : Coq , 44
  • 45. 4.3. ∨ ∨ (1) P ∨Q P Q pq : P / Q destruct pq as [pq].— tactic p : P q : Q destruct pq. p,q Coq P ∨Q P Q P ∨Q left. right. tactic P Q Coq < Variable P Q R:Prop. Coq < Theorem or_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 45
  • 46. 4.3. ∨ ∨ (2) intro → ∨ and_assoc < intro pqr. or_assoc < destruct pqr as [[p|q]|r]. 3 subgoals p : P ============================ P / Q / R subgoal 2 is: P / Q / R subgoal 3 is: P / Q / R @tmiya : Coq , 46
  • 47. 4.3. ∨ ∨ (3) assumption or_assoc < left. 3 subgoals p : P ============================ P or_assoc < assumption. 2 subgoals q : Q ============================ P / Q / R or_assoc < right; left. 2 subgoals q : Q ============================ Q OK @tmiya : Coq , 47
  • 48. 4.4. ¬ ¬ (1) ¬P P → False False Inductive False : Prop := ~P intro p. p : P False H : False elim H. np : ~P elim np. P (¬¬P P ) ( ) @tmiya : Coq , 48
  • 49. 4.4. ¬ ¬ (2) Coq < Theorem neg_sample : ~(P / ~P). 1 subgoal ============================ ~ (P / ~ P) neg_sample < intro. 1 subgoal H : P / ~ P ============================ False @tmiya : Coq , 49
  • 50. 4.4. ¬ ¬ (3) neg_sample < destruct H as [p np]. 1 subgoal p : P np : ~ P ============================ False neg_sample < elim np. p : P np : ~ P ============================ P neg_sample < assumption. Proof completed. @tmiya : Coq , 50
  • 51. 4.4. ¬ Variable A B C D:Prop. Theorem ex4_1 : (A -> C) / (B -> D) / A / B -> C / D. Theorem ex4_2 : ~~~A -> ~A. Theorem ex4_3 : (A -> B) -> ~B -> ~A. Theorem ex4_4 : ((((A -> B) -> A) -> A) -> B) -> B. Theorem ex4_5 : ~~(A/~A). @tmiya : Coq , 51
  • 52. 5. Curry-Howard Curry-Howard (1) Theorem imp_sample’ : (P -> (Q -> R)) -> (P -> Q) -> P -> R. imp_sample’ < intros pqr pq p. imp_sample’ < Check pq. pq : P -> Q imp_sample’ < Check (pq p). pq p : Q pq P -> Q P Q pq p Q @tmiya : Coq , 52
  • 53. 5. Curry-Howard Curry-Howard (2) pqr, pq, p R exact tactic imp_sample’ < Check (pqr p (pq p)). pqr p (pq p) : R imp_sample’ < exact (pqr p (pq p)). Proof completed. imp_sample Print Coq < Print imp_sample. imp_sample = fun (pqr : P -> Q -> R) (pq : P -> Q) (p : P) => pqr p (pq p) : (P -> Q -> R) -> (P -> Q) -> P -> R @tmiya : Coq , 53
  • 54. 5. Curry-Howard Curry-Howard (3) P P P→Q P -> Q Γ P ΓP→Q (→ ) pq p Γ Q Γ, P Q (→ ) pq (p:P):Q Γ P→Q P ∧Q prod { (P,Q) inl P P ∨Q sum inr Q Curry-Howard Curry-Howard = Coq @tmiya : Coq , 54
  • 55. 5. Curry-Howard Curry-Howard (4) Coq ( ) Java (P → Q → R) → (P → Q) → P → R interface Fun<A,B> { public B apply(A a); } public class P {} public class Q {} public class R {} public class Proof { public R imp_sample(Fun<P,Fun<Q,R>> pqr, Fun<P,Q> pq, P p) { return pqr.apply(p).apply(pq.apply(p)); } } (Java prod sum ¬ Java ) @tmiya : Coq , 55
  • 56. 6. a:A P a (∀a : A, P a) : forall (a:A), P a a:A P a (∃a : A, P a) : exists (a:A), P a Coq P a:A P a:Prop A -> Prop Coq a:A P : A → Prop Coq < Definition iszero(n:nat):Prop := Coq < match n with Coq < | O => True Coq < | _ => False Coq < end. iszero is defined @tmiya : Coq , 56
  • 57. 6. ∀ (1) forall intro(s) forall x:X x:X -> Coq < Theorem sample_forall : forall (X:Type)(P Q:X->Prop)(x:X), P x -> (forall y:X, Q y) -> (P x / Q x). ============================ forall (X : Type) (P Q : X -> Prop) (x : X), P x -> (forall y : X, Q y) -> P x / Q x sample_forall < intros X P Q x px Hqy. X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ P x / Q x @tmiya : Coq , 57
  • 58. 6. ∀ (2) forall y:X y X sample_forall < split. (* P x Q x *) sample_forall < assumption. (* P x px *) 1 subgoal X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ Q x sample_forall < apply (Hqy x). (* Hqy y x *) Proof completed. @tmiya : Coq , 58
  • 59. 6.2. ∃ ∃ (1) Coq < Theorem sample_exists : forall (P Q:nat->Prop), Coq < (forall n, P n) -> (exists n, Q n) -> Coq < (exists n, P n / Q n). sample_exists < intros P Q Hpn Hqn. 1 subgoal P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n @tmiya : Coq , 59
  • 60. 6.2. ∃ ∃ (2) exists destruct sample_exists < intros P Q Hpn Hqn. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n sample_exists < destruct Hqn as [n’ qn’]. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n @tmiya : Coq , 60
  • 61. 6.2. ∃ ∃ (3) exists x:X x:X exists x. sample_exists < destruct Hqn as [n’ qn’]. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n sample_exists < exists n’. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ P n’ / Q n’ (* *) @tmiya : Coq , 61
  • 62. 6.2. ∃ Theorem ex5_1 : forall (A:Set)(P:A->Prop), (~ exists a, P a) -> (forall a, ~P a). Theorem ex5_2 : forall (A:Set)(P Q:A->Prop), (exists a, P a / Q a) -> (exists a, P a) / (exists a, Q a). Theorem ex5_3 : forall (A:Set)(P Q:A->Prop), (exists a, P a) / (exists a, Q a) -> (exists a, P a / Q a). Theorem ex5_4 : forall (A:Set)(R:A->A->Prop), (exists x, forall y, R x y) -> (forall y, exists x, R x y). Theorem ex5_5 : forall (A:Set)(R:A->A->Prop), (forall x y, R x y -> R y x) -> (forall x y z, R x y -> R y z -> R x z) -> (forall x, exists y, R x y) -> (forall x, R x x). @tmiya : Coq , 62
  • 63. 6.3. = = (1) eq (= ) Inductive eq (A : Type) (x : A) : A -> Prop := refl_equal : x = x Coq (nat bool ) (nat O Sn ) (S m Sn m=n ) ============================ n = n apply (refl_equal n). tactic reflexivity. @tmiya : Coq , 63
  • 64. 6.3. = = (2) plus Print plus. tactic simpl. Coq < Theorem plus_0_l : forall n, 0 + n = n. plus_0_l < intro n. n : nat ============================ 0 + n = n plus_0_l < simpl. n : nat ============================ n = n plus_0_l < reflexivity. Proof completed. @tmiya : Coq , 64
  • 65. 6.4. (1) ∀n : nat, n + 0 = n simpl. ============================ n + 0 = n plus_0_r < simpl. ============================ n + 0 = n plus n m n n 1. n = 0 n+0=n 2. n = n n+0=n n=Sn n+0=n @tmiya : Coq , 65
  • 66. 6.4. (2) n induction n as [|n’]. induction n. tactic Coq nat_ind (P ) Coq < Check nat_ind. nat_ind : forall P : nat -> Prop, P 0 -> (forall n : nat, P n -> P (S n)) -> forall n : nat, P n nat_ind nat O : nat S : nat -> nat Inductive bool bool_ind bool_ind : forall P : bool -> Prop, P true -> P false -> forall b : bool, P b @tmiya : Coq , 66
  • 67. 6.4. (3) induction n as [|n’]. n 0 S n’ reflexivity. OK (simpl. ) Coq < Theorem plus_0_r : forall n:nat, n + 0 = n. plus_0_r < induction n as [|n’]. 2 subgoals ============================ 0 + 0 = 0 subgoal 2 is: S n’ + 0 = S n’ plus_0_r < reflexivity. 1 subgoal n’ : nat IHn’ : n’ + 0 = n’ ============================ S n’ + 0 = S n’ @tmiya : Coq , 67
  • 68. 6.4. (4) n = S n’ n = n’ IHn’ S n’ + 0 = S n’ simpl. plus S (n’ + 0)= S n’ IHn’ n’ + 0 n’ rewrite IHn’. rewrite ============================ S n’ + 0 = S n’ plus_0_r < simpl. IHn’ : n’ + 0 = n’ ============================ S (n’ + 0) = S n’ plus_0_r < rewrite IHn’. IHn’ : n’ + 0 = n’ ============================ S n’ = S n’ @tmiya : Coq , 68
  • 69. 6.4. :m + n = n + m SearchAbout Coq < SearchAbout plus. plus_n_O: forall n : nat, n = n + 0 plus_O_n: forall n : nat, 0 + n = n plus_n_Sm: forall n m : nat, S (n + m) = n + S m plus_Sn_m: forall n m : nat, S n + m = S (n + m) mult_n_Sm: forall n m : nat, n * m + n = n * S m rewrite ( rewrite <- plus_n_Sm n’ m. rewrite H. H rewrite <- H. ) Theorem plus_comm : forall m n:nat, m + n = n + m. @tmiya : Coq , 69
  • 70. 6.4. (5) nat list A Theorem length_app : forall (A:Type)(l1 l2:list A), length (l1 ++ l2) = length l1 + length l2. list cons induction l1 as [|a l1’]. ( induction l1.) induction ( l2) intro 1. intros A l1 l2. induction l1 as [|a l1’]. 2. intros A l1. induction l1 as [|a l1’]. intro l2. IHl1’ (Coqtop Undo. ) @tmiya : Coq , 70
  • 71. 6.4. : (1) List append reverse Require Import List. Fixpoint append{A:Type}(l1 l2:list A):= match l1 with | nil => l2 | a::l1’ => a::(append l1’ l2) end. Fixpoint reverse{A:Type}(l:list A):= match l with | nil => nil | a::l’ => append (reverse l’) (a::nil) end. Theorem reverse_reverse : forall (A:Type)(l:list A), reverse (reverse l) = l. @tmiya : Coq , 71
  • 72. 6.4. : (2) reverse_reverse Lemma append_nil : forall (A:Type)(l:list A), append l nil = l. Lemma append_assoc : forall (A:Type)(l1 l2 l3:list A), append (append l1 l2) l3 = append l1 (append l2 l3). Lemma reverse_append : forall (A:Type)(l1 l2:list A), reverse (append l1 l2) = append (reverse l2) (reverse l1). @tmiya : Coq , 72
  • 73. 7. (1) Coq nat minus(n m:nat) n≤m 0 n−m+m =n ( ) sub Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1. H n≤m n≤m 2. x = m−n x +n = m ( ) @tmiya : Coq , 73
  • 74. 7. (2) Coq nat Arith Require Import Arith. (* Arith *) Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1 subgoal m : nat n : nat H : n <= m ============================ {x : nat | x + n = m} m, n intro generalize dependent sub < generalize dependent m. sub < generalize dependent n. ============================ forall n m : nat, n <= m -> {x : nat | x + n = m} @tmiya : Coq , 74
  • 75. 7. (3) eapply, erewrite apply, rewrite Qed. Defined. induction n as [|n’]. (* n=0 *) intros m H. exists m. eapply plus_0_r. (* n=S n’ *) induction m as [|m’]; intro H. (* m=0 *) assert(H’: ~(S n’ <= 0)). eapply le_Sn_0. elim H’. assumption. (* m=S m’ *) assert(H’: n’ <= m’). eapply le_S_n. assumption. assert(IH: {x:nat|x+n’=m’}). eapply IHn’. assumption. destruct IH as [x IH]. exists x. erewrite <- plus_n_Sm. rewrite IH. reflexivity. Defined. @tmiya : Coq , 75
  • 76. 7. (4) sub Print sub. sub OCaml minus Coq < Extraction sub. (** val sub : nat -> nat -> nat **) let rec sub m = function | O -> m | S n0 -> (match m with | O -> assert false (* absurd case *) | S n1 -> let iH = sub n1 n0 in Obj.magic iH) OCaml H @tmiya : Coq , 76
  • 77. 7. (5) H Theorem le_2_5 : le 2 5. Proof. repeat eapply le_n_S. repeat constructor. Qed. Eval compute in (sub 5 2 le_2_5). (* *) Eval compute in (proj1_sig (sub 5 2 le_2_5)). (* = 3:nat *) {x|x+n=m} x proj1_sig @tmiya : Coq , 77
  • 78. 7. minus sub minus Definition sub’(m n:nat)(H:le n m) : {x:nat|x+n=m}. Proof. (* minus *) Defined. Coq 1. minus minus 2. minus sub’ 3. refine tactic (refine ) 4. sub @tmiya : Coq , 78
  • 79. 8. Coq tactic (auto, ring, omega ) (Arith, List, String ) Haskell, OCaml (inversion, refine ) tactic Module @tmiya : Coq , 79
  • 80. 8. Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions, Yves Berrot and Pierre Casteran (Springer-Verlag) : Coq Certified Programming with Dependent Types, Adam Chlipala (http://adam.chlipala.net/cpdt/) : Coq 2010 III (http://www.math.nagoya-u.ac.jp/~garrigue/lecture/ 2010_AW/index.html) : Garrigue PDF Coq in a Hurry, Yves Bertot (http://cel.archives-ouvertes.fr/docs/00/47/ 58/07/PDF/coq-hurry.pdf) : 2nd Asian-Pacific Summer School on Formal Methods (http://formes.asia/cms/coqschool/2010) : @tmiya : Coq , 80
  • 81. 8. Coq ProofCafe Coq CPDT Coq IT Coq Ruby, Clojure, Scala, Javascript Coq Coq http://coq.g.hatena.ne.jp/keyword/ProofCafe @tmiya : Coq , 81
  • 82. 8. Formal Methods Forum Coq ( ) ( ) Google group Coq 2010 Certified Programming with Dependent Types Coq Google group (http://groups.google.co.jp/group/fm-forum) Coq @tmiya : Coq , 82