Proof Summit 2011                   Coq                        @tmiya                   September 25, 2011@tmiya : Coq   ,...
0.       Coq               Coq               Coq               Coq                   •                   • Coq            ...
1.                     Coq               Lightweight                   •         (   )                   •                ...
1.                   CoqCoq                           INRIA          OCaml                             CIC = Calculus of I...
2. CoqCoq                           Coqtop, CoqIDE       CUI           Coqtop        /   :       % coqtop       Welcome to...
2. CoqProof General : emacs       Proof General                    ~/.emacs       (load-file "***/ProofGeneral/generic/pro...
3. Coq       Coq < Definition x := 1.        (* x        *)       x is defined                    (*        :=            ...
3. Coq                                                        1       2       Coq < Definition f x y := x - y. (*        f...
3. Coq       Coq < Check (fun x => 2 * x).           (*      *)       fun x : nat => 2 * x            : nat -> nat       C...
3. Coq       Coq < Definition twice(f:nat->nat):nat->nat :=       Coq <   fun x => f (f x).       twice is defined       C...
3.1.                                           int, float                   Coq               nat               (          ...
3.1.                                              (                      )       Coq < Definition nextday d :=       Coq <...
3.1.Bool       Coq < Inductive Bool : Set :=       Coq < | tru : Bool       Coq < | fls : Bool.       Coq     <   Definiti...
3.1.                           bool                               (   ) bool       Coq     <   Print   bool.       Coq    ...
3.1.De Morgan                              (1)       Coq < Theorem De_Morgan_1 : forall b1 b2,       Coq < Not (And b1 b2)...
3.1.De Morgan                              (2)       De_Morgan_1 < destruct b1; destruct b2.       4 subgoals (* b1 b2    ...
3.1.De Morgan                               (3)       De_Morgan_1 < simpl.       4 subgoals (*                    *)      ...
3.1.De Morgan                                  (4)       De_Morgan_1 < simpl; reflexivity.       De_Morgan_1 < simpl; refl...
3.1.          1. Yes, Maybe, No                  Bool3          2. Bool3         And3, Or3, Not3          3. ( )          ...
3.2.                   nat                   nat                       (               )       Coq < Print nat.       Indu...
3.2.       nat                                         n       Coq     < Fixpoint add(n m:nat):nat :=       Coq     < matc...
3.2.       nat                                       _,_                                          OK       Coq     <   Fix...
3.2.       Coq                                 (              )                                       n       ({struct n} ...
3.2.                         (         )       Coq                                  ( )(                                 )...
3.2.          1.                mul       add          2. mul                            fact          3.                s...
3.3.                           cond c vt vf                c:bool   true       vt          false        vf        vt, vf  ...
3.3.option                        (    )                   null                                      option   (Haskell   M...
3.3.prod                sum       prod A B           A     B       prod A B         A * B            ( x , y , .. , z )   ...
3.3.List                                 List         List                                                ::   cons       ...
3.3.List       List                                    List   nil   x::xs       Coq     <   Fixpoint append{A:Type}(xs ys:...
3.3.                   List          1.                           len{A:Type}(xs:list A):nat                      Eval com...
4.               Bool          De Morgan                         P   Q   ¬(P ∧ Q)   ¬P ∨ ¬Q                         F   F ...
4.                                                          P            P      ¬P                                      ( ...
4.                                                       (         )                                                   Mod...
4.       Coq                    tactic                               tactic    assumption.                   exact H.     ...
4.1. →                        →                        A → B (CUI            A -> B        )                    A         ...
4.1. →               →                            (1)                               tactic                         Set    ...
4.1. →                →                     (2)               →             intros               tactic       intro(s)    ...
4.1. →               →                   (3)               R            apply pqr.              pqr       P -> Q ->       ...
4.1. →               →                   (4)                       P    assumption.   Q       imp_sample < assumption.    ...
4.1. →               →                    (5)       imp_sample < apply pq.       1 subgoal           pqr : P -> Q -> R    ...
4.2. ∧∧                         (1)                    P ∧Q                    P     Q                      pq : P / Q    ...
4.2. ∧∧                      (2)               intro         →                  ∧       and_assoc < intro pqr.       1 sub...
4.2. ∧∧                        (3)                                        assumption           ;    tactic          split ...
4.3. ∨∨                         (1)                   P ∨Q                P                         Q                     ...
4.3. ∨∨                      (2)               intro         →                 ∨       and_assoc < intro pqr.       or_ass...
4.3. ∨∨                  (3)                                        assumption       or_assoc < left.       3 subgoals    ...
4.4. ¬¬                        (1)                        ¬P     P → False               False       Inductive False : Pro...
4.4. ¬¬                  (2)       Coq < Theorem neg_sample : ~(P / ~P).       1 subgoal         =========================...
4.4. ¬¬                  (3)       neg_sample < destruct H as [p np].       1 subgoal         p : P         np : ~ P      ...
4.4. ¬       Variable A B C D:Prop.       Theorem ex4_1 : (A -> C) / (B -> D) / A / B -> C / D.       Theorem ex4_2 : ~~~A...
5. Curry-HowardCurry-Howard                 (1)       Theorem imp_sample’ : (P -> (Q -> R)) -> (P -> Q) -> P -> R.       i...
5. Curry-HowardCurry-Howard                (2)       pqr, pq, p            R             exact tactic       imp_sample’ < ...
5. Curry-HowardCurry-Howard                  (3)                              P                             P             ...
5. Curry-HowardCurry-Howard             (4)                                  Coq             (           )                ...
6.                    a:A         P a (∀a : A, P a) : forall (a:A), P a                   a:A          P a (∃a : A, P a) :...
6.∀                       (1)                    forall        intro(s)            forall x:X               x:X ->       C...
6.∀                        (2)                   forall y:X         y            X       sample_forall < split. (*        ...
6.2. ∃∃                    (1)       Coq < Theorem sample_exists : forall (P Q:nat->Prop),       Coq < (forall n, P n) -> ...
6.2. ∃∃                           (2)                   exists             destruct       sample_exists < intros P Q Hpn H...
6.2. ∃∃                  (3)               exists x:X                      x:X       exists x.       sample_exists < destr...
6.2. ∃       Theorem ex5_1 : forall (A:Set)(P:A->Prop),         (~ exists a, P a) -> (forall a, ~P a).       Theorem ex5_2...
6.3. ==                       (1)                                              eq (=            )       Inductive eq (A : ...
6.3. ==                   (2)                                     plus          Print plus.                               ...
6.4.                   (1)                   ∀n : nat, n + 0 = n              simpl.           ===========================...
6.4.                   (2)       n                                   induction n as [|n’].       induction n.             ...
6.4.                   (3)       induction n as [|n’].               n    0   S n’                               reflexivi...
6.4.                   (4)       n = S n’                n = n’                   IHn’       S n’ + 0 = S n’              ...
6.4.               :m + n = n + m                   SearchAbout       Coq < SearchAbout plus.       plus_n_O: forall n : n...
6.4.                   (5)                                     nat                     list A       Theorem length_app : f...
6.4.               :                    (1)       List                          append               reverse       Require...
6.4.               :                    (2)                                   reverse_reverse       Lemma append_nil : for...
7.                   (1)                                     Coq             nat                           minus(n m:nat) ...
7.                   (2)       Coq                                       exists                         nat               ...
7.                   (3)                              eapply, erewrite       apply, rewrite          Qed.         Defined....
7.                   (4)                         sub     Print sub.                               sub     OCaml           ...
7.                   (5)                                        H       Theorem le_2_5 : le 2 5.       Proof. repeat eappl...
7.                   minus               sub           minus       Definition sub’(m n:nat)(H:le n m) : {x:nat|x+n=m}.    ...
8.                        Coq                              tactic         (auto, ring, omega   )                          ...
8.               Interactive Theorem Proving and Program Development. Coq’Art:               The Calculus of Inductive Con...
8.Coq                  ProofCafe                                                       Coq     CPDT       Coq             ...
8.                        Formal Methods Forum       Coq                                          (    )                  ...
Upcoming SlideShare
Loading in …5
×

Coq Tutorial at Proof Summit 2011

2,436 views
2,327 views

Published on

Published in: Technology

Coq Tutorial at Proof Summit 2011

  1. 1. Proof Summit 2011 Coq @tmiya September 25, 2011@tmiya : Coq , 1
  2. 2. 0. Coq Coq Coq Coq • • Coq • •@tmiya : Coq , 2
  3. 3. 1. Coq Lightweight • ( ) • • • • • • ( ) • • • or@tmiya : Coq , 3
  4. 4. 1. CoqCoq INRIA OCaml CIC = Calculus of Inductive Construction tactic tactic Coq Coq OCaml, Haskell, Scheme@tmiya : Coq , 4
  5. 5. 2. CoqCoq Coqtop, CoqIDE CUI Coqtop / : % coqtop Welcome to Coq 8.3pl1 (December 2010) Coq < Eval compute in (2+3). = 5 : nat Coq < Quit. % Coq CoqIDE coqide@tmiya : Coq , 5
  6. 6. 2. CoqProof General : emacs Proof General ~/.emacs (load-file "***/ProofGeneral/generic/proof-site.el") proof-site.el Coq (*.v) Proof General@tmiya : Coq , 6
  7. 7. 3. Coq Coq < Definition x := 1. (* x *) x is defined (* := *) Coq < Check x. (* x *) x : nat (* nat = *) Coq < Print x. (* x *) x = 1 : nat Coq < Definition x := 2. (* x *) Error: x already exists (* --> *) Reset x. Module ( )@tmiya : Coq , 7
  8. 8. 3. Coq 1 2 Coq < Definition f x y := x - y. (* f *) f is defined Coq < Check f. f : nat -> nat -> nat (* nat->(nat->nat) *) Coq < Definition f’ := f 3. (* f’ y = f 3 y *) f’ is defined Coq < Check f’. f’ : nat -> nat (* nat nat *) Coq < Eval compute in (f’ 1). (* f’ 1 = f 3 1 = 2 *) = 2 : nat (@tmiya : Coq , 8
  9. 9. 3. Coq Coq < Check (fun x => 2 * x). (* *) fun x : nat => 2 * x : nat -> nat Coq < Eval compute in ((fun x => 2 * x) 3). = 6 : nat Coq < Definition double := (fun x => 2 * x). double is defined (* double *) Coq .@tmiya : Coq , 9
  10. 10. 3. Coq Coq < Definition twice(f:nat->nat):nat->nat := Coq < fun x => f (f x). twice is defined Coq < Definition add5(x:nat) := x + 5. add5 is defined Coq < Definition twice_add5 := twice add5. twice_add5 is defined Coq < Eval compute in (twice_add5 2). = 12 : nat@tmiya : Coq , 10
  11. 11. 3.1. int, float Coq nat ( ) Weekday Coq < Inductive Weekday : Set := Coq < Sun | Mon | Tue | Wed | Thr | Fri | Sat. Coq < Check Sun. Sun (* Sun *) : Weekday (* Weekday *) Coq < Check Weekday. Weekday (* *) : Set (* Set *) Set@tmiya : Coq , 11
  12. 12. 3.1. ( ) Coq < Definition nextday d := Coq < match d with Coq < | Sun => Mon : (* *) Coq < | Sat => Sun Coq < end. nextday is defined Coq < Check nextday. nextday (* *) : Weekday -> Weekday Coq < Eval compute in (nextday Mon). (* *) prevday@tmiya : Coq , 12
  13. 13. 3.1.Bool Coq < Inductive Bool : Set := Coq < | tru : Bool Coq < | fls : Bool. Coq < Definition And(b1 b2:Bool):Bool := Coq < match b1,b2 with Coq < | tru,tru => tru Coq < | _,_ => fls Coq < end. Or, Not Eval@tmiya : Coq , 13
  14. 14. 3.1. bool ( ) bool Coq < Print bool. Coq < Print andb. Coq < Print orb. Coq < Print negb. bool Coq < Print unit.@tmiya : Coq , 14
  15. 15. 3.1.De Morgan (1) Coq < Theorem De_Morgan_1 : forall b1 b2, Coq < Not (And b1 b2) = Or (Not b1) (Not b2). 1 subgoal ============================ forall b1 b2 : Bool, Not (And b1 b2) = Or (Not b1) (Not b2) De_Morgan_1 < intros. 1 subgoal (* b1 b2 *) b1 : Bool b2 : Bool ============================ Not (And b1 b2) = Or (Not b1) (Not b2)@tmiya : Coq , 15
  16. 16. 3.1.De Morgan (2) De_Morgan_1 < destruct b1; destruct b2. 4 subgoals (* b1 b2 *) ============================ Not (And tru tru) = Or (Not tru) (Not tru) subgoal 2 is: Not (And tru fls) = Or (Not tru) (Not fls) subgoal 3 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 4 is: Not (And fls fls) = Or (Not fls) (Not fls)@tmiya : Coq , 16
  17. 17. 3.1.De Morgan (3) De_Morgan_1 < simpl. 4 subgoals (* *) ============================ fls = fls (* *) De_Morgan_1 < reflexivity. 3 subgoals (* = *) ============================ Not (And tru fls) = Or (Not tru) (Not fls) subgoal 2 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 3 is: Not (And fls fls) = Or (Not fls) (Not fls)@tmiya : Coq , 17
  18. 18. 3.1.De Morgan (4) De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. Proof completed. De_Morgan_1 < Qed. intros. destruct b1; destruct b2. simpl in |- *. reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. De_Morgan_1 is defined Not (Or b1 b2) = And (Not b1) (Not b2)@tmiya : Coq , 18
  19. 19. 3.1. 1. Yes, Maybe, No Bool3 2. Bool3 And3, Or3, Not3 3. ( ) De Morgan@tmiya : Coq , 19
  20. 20. 3.2. nat nat ( ) Coq < Print nat. Inductive nat : Set := O : nat | S : nat -> nat O( O) 0 S nat nat Peano Coq < Eval compute in (S (S (S O))). = 3 : nat S (S (S O)) Coq 3@tmiya : Coq , 20
  21. 21. 3.2. nat n Coq < Fixpoint add(n m:nat):nat := Coq < match n with Coq < | O => m Coq < | S n’ => S (add n’ m) Coq < end. add is recursively defined (decreasing on 1st argument) Fixpoint ( O) 0 S nat 1 nat Peano Coq < Eval compute in (add (S (S O)) (S O)). = 3 : nat (call-by-value)@tmiya : Coq , 21
  22. 22. 3.2. nat _,_ OK Coq < Fixpoint eq_nat(n m:nat):bool := Coq < match n,m with Coq < | O,O => true Coq < | S n’, S m’ => eq_nat n’ m’ Coq < | _,_ => false Coq < end. Coq < Eval compute in (eq_nat 3 3). le_nat le_nat n m n≤m Coq ( )@tmiya : Coq , 22
  23. 23. 3.2. Coq ( ) n ({struct n} Coq ) Coq < Fixpoint add’(n m:nat){struct n} := Coq < match n with Coq < | O => m Coq < | S n’ => S (add’ n’ m) Coq < end. add’ is recursively defined (decreasing on 1st argument) add’ 2 3 add’ add’ (S (S O)) 3 = S (add’ (S O) 3) = S (S (add’ O 3)) = S (S 3) = 5.@tmiya : Coq , 23
  24. 24. 3.2. ( ) Coq ( )( ) Coq ( Coq ) Coq ( ) (Coq ) Coq@tmiya : Coq , 24
  25. 25. 3.2. 1. mul add 2. mul fact 3. sub n=0 sub 0 m = 0 4. div3 Eval Fixpoint div3(n:nat) := match n with | S (S (S n’)) => S (div3 n’) | _ => O end. sub div n m Coq ( )@tmiya : Coq , 25
  26. 26. 3.3. cond c vt vf c:bool true vt false vf vt, vf Set A Coq < Definition cond{A:Set}(c:bool)(vt vf:A) := Coq < match c with Coq < | true => vt Coq < | false => vf Coq < end. Coq < Eval compute in (cond true 2 3). = 2 : nat Coq < Eval compute in (cond false false true). = true : bool {A:Set} cond A ( ) Coq < Eval compute in (@cond nat false 2 3).@tmiya : Coq , 26
  27. 27. 3.3.option ( ) null option (Haskell Maybe ) ( Coq sumor ) Coq < Print option. Inductive option (A : Type) : Type := Some : A -> option A | None : option A Definition option_map {A B:Type} (f:A->B)(o:option A) := match o with | Some a => Some (f a) | None => None end. Coq < Eval compute in (option_map (fun x => x + 1) (Some 1)).@tmiya : Coq , 27
  28. 28. 3.3.prod sum prod A B A B prod A B A * B ( x , y , .. , z ) (pair .. (pair x y) .. z) Coq < Check (2,true,3). (2, true, 3) : nat * bool * nat prod fst, snd sum A B A B Coq < Definition test_sum (s:sum nat bool) := Coq < match s with Coq < | inl n => n Coq < | inr true => 1 Coq < | inr false => 0 Coq < end. prod, sum Curry-Howard@tmiya : Coq , 28
  29. 29. 3.3.List List List :: cons Type Set (Check Set. ) Coq < Require Import List. Coq < Print list. Inductive list (A : Type) : Type := nil : list A | cons : A -> list A -> list A Coq < Check (1::2::nil). 1 :: 2 :: nil : list nat@tmiya : Coq , 29
  30. 30. 3.3.List List List nil x::xs Coq < Fixpoint append{A:Type}(xs ys:list A):= Coq < match xs with Coq < | nil => ys Coq < | x::xs’ => x::(append xs’ ys) Coq < end. Coq < Eval compute in (append (1::2::nil) (3::4::nil)). Coq < Fixpoint olast{A:Type}(xs:list A):option A := Coq < match xs with Coq < | nil => None Coq < | a::nil => Some a Coq < | _::xs’ => olast xs’ Coq < end. Coq < Eval compute in (olast (1::2::3::nil)).@tmiya : Coq , 30
  31. 31. 3.3. List 1. len{A:Type}(xs:list A):nat Eval compute in (len (1::2::3::nil)). 2. list bool true true all_true(xs:list bool):bool nil true 3. x Some x None ohead{A:Type}(xs:list A):option A 4. s, n s :: s+1 :: ... :: (s+n-1) :: nil nat_list(s n:nat):list nat 5. reverse{A:Type}(xs:list A):list A append@tmiya : Coq , 31
  32. 32. 4. Bool De Morgan P Q ¬(P ∧ Q) ¬P ∨ ¬Q F F T T F T T T T F T T T T F F Bool, nat Inductive (nat O S n ) Coq Prop ( )@tmiya : Coq , 32
  33. 33. 4. P P ¬P ( ) ab a, b √ √ √ 2 1. a = b = 2 a, b ab = 2 √ √2 √ 2. ab √ a = √2 , b = 2 √ a, b √ 2 √2 √ 2 2 √ 2 ab = ( 2 ) = 2 = 2 =2 √ √ 2 2 (P) (~P) ab a, b ab a, b@tmiya : Coq , 33
  34. 34. 4. ( ) Modus Ponens A A B B (Γ = ( ) ) Γ A Γ A → B (→ ) Γ B ( )→ Coq B Hab : A → B apply Hab. tactic A Ha : A exact Ha.@tmiya : Coq , 34
  35. 35. 4. Coq tactic tactic assumption. exact H. trivial. ... H : A ... ------------------------ A exact . A∈Γ ( ) Γ A@tmiya : Coq , 35
  36. 36. 4.1. → → A → B (CUI A -> B ) A intro Ha. tactic Ha : A B Coq ... Γ, A B (→ ) Γ A→B H1 → H2 → · · · → Hn → B intros H1 H2 ... Hn. intro intro. intros. Coq → Modus Ponens tactic apply .@tmiya : Coq , 36
  37. 37. 4.1. → → (1) tactic Set P Prop P P P p : P ( Set, Prop Type ) Section imp_sample. Variables P Q R : Prop. Theorem imp_sample : (P -> (Q -> R)) -> (P -> Q) -> P -> R. 1 subgoal ============================ (P -> Q -> R) -> (P -> Q) -> P -> R === tactic → intro(s)@tmiya : Coq , 37
  38. 38. 4.1. → → (2) → intros tactic intro(s) imp_sample < intros pqr pq p. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ R R pqr apply pqr.@tmiya : Coq , 38
  39. 39. 4.1. → → (3) R apply pqr. pqr P -> Q -> P Q imp_sample < apply pqr. 2 subgoals pqr : P -> Q -> R pq : P -> Q p : P ============================ P subgoal 2 is: Q P assumption.@tmiya : Coq , 39
  40. 40. 4.1. → → (4) P assumption. Q imp_sample < assumption. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ Q Q@tmiya : Coq , 40
  41. 41. 4.1. → → (5) imp_sample < apply pq. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ P imp_sample < assumption. Proof completed. imp_sample < Qed. Qed.@tmiya : Coq , 41
  42. 42. 4.2. ∧∧ (1) P ∧Q P Q pq : P / Q destruct pq as [p q]. tactic p : P q : Q destruct pq. p,q Coq P ∧Q P Q P ∧Q split. tactic P / Q P, Q Coq < Variable P Q R:Prop. Coq < Theorem and_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R@tmiya : Coq , 42
  43. 43. 4.2. ∧∧ (2) intro → ∧ and_assoc < intro pqr. 1 subgoal pqr : (P / Q) / R ============================ P / Q / R and_assoc < destruct pqr as [[p q] r]. 1 subgoal p : P q : Q r : R ============================ P / Q / R@tmiya : Coq , 43
  44. 44. 4.2. ∧∧ (3) assumption ; tactic split assumption and_assoc < split. 2 subgoals ============================ P subgoal 2 is: Q / R and_assoc < assumption. 1 subgoal ============================ Q / R and_assoc < split; assumption. Proof completed. and_assoc < Qed.@tmiya : Coq , 44
  45. 45. 4.3. ∨∨ (1) P ∨Q P Q pq : P / Q destruct pq as [pq].— tactic p : P q : Q destruct pq. p,q Coq P ∨Q P Q P ∨Q left. right. tactic P Q Coq < Variable P Q R:Prop. Coq < Theorem or_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R@tmiya : Coq , 45
  46. 46. 4.3. ∨∨ (2) intro → ∨ and_assoc < intro pqr. or_assoc < destruct pqr as [[p|q]|r]. 3 subgoals p : P ============================ P / Q / R subgoal 2 is: P / Q / R subgoal 3 is: P / Q / R@tmiya : Coq , 46
  47. 47. 4.3. ∨∨ (3) assumption or_assoc < left. 3 subgoals p : P ============================ P or_assoc < assumption. 2 subgoals q : Q ============================ P / Q / R or_assoc < right; left. 2 subgoals q : Q ============================ Q OK@tmiya : Coq , 47
  48. 48. 4.4. ¬¬ (1) ¬P P → False False Inductive False : Prop := ~P intro p. p : P False H : False elim H. np : ~P elim np. P (¬¬P P ) ( )@tmiya : Coq , 48
  49. 49. 4.4. ¬¬ (2) Coq < Theorem neg_sample : ~(P / ~P). 1 subgoal ============================ ~ (P / ~ P) neg_sample < intro. 1 subgoal H : P / ~ P ============================ False@tmiya : Coq , 49
  50. 50. 4.4. ¬¬ (3) neg_sample < destruct H as [p np]. 1 subgoal p : P np : ~ P ============================ False neg_sample < elim np. p : P np : ~ P ============================ P neg_sample < assumption. Proof completed.@tmiya : Coq , 50
  51. 51. 4.4. ¬ Variable A B C D:Prop. Theorem ex4_1 : (A -> C) / (B -> D) / A / B -> C / D. Theorem ex4_2 : ~~~A -> ~A. Theorem ex4_3 : (A -> B) -> ~B -> ~A. Theorem ex4_4 : ((((A -> B) -> A) -> A) -> B) -> B. Theorem ex4_5 : ~~(A/~A).@tmiya : Coq , 51
  52. 52. 5. Curry-HowardCurry-Howard (1) Theorem imp_sample’ : (P -> (Q -> R)) -> (P -> Q) -> P -> R. imp_sample’ < intros pqr pq p. imp_sample’ < Check pq. pq : P -> Q imp_sample’ < Check (pq p). pq p : Q pq P -> Q P Q pq p Q@tmiya : Coq , 52
  53. 53. 5. Curry-HowardCurry-Howard (2) pqr, pq, p R exact tactic imp_sample’ < Check (pqr p (pq p)). pqr p (pq p) : R imp_sample’ < exact (pqr p (pq p)). Proof completed. imp_sample Print Coq < Print imp_sample. imp_sample = fun (pqr : P -> Q -> R) (pq : P -> Q) (p : P) => pqr p (pq p) : (P -> Q -> R) -> (P -> Q) -> P -> R@tmiya : Coq , 53
  54. 54. 5. Curry-HowardCurry-Howard (3) P P P→Q P -> Q Γ P ΓP→Q (→ ) pq p Γ Q Γ, P Q (→ ) pq (p:P):Q Γ P→Q P ∧Q prod { (P,Q) inl P P ∨Q sum inr Q Curry-Howard Curry-Howard = Coq@tmiya : Coq , 54
  55. 55. 5. Curry-HowardCurry-Howard (4) Coq ( ) Java (P → Q → R) → (P → Q) → P → R interface Fun<A,B> { public B apply(A a); } public class P {} public class Q {} public class R {} public class Proof { public R imp_sample(Fun<P,Fun<Q,R>> pqr, Fun<P,Q> pq, P p) { return pqr.apply(p).apply(pq.apply(p)); } } (Java prod sum ¬ Java )@tmiya : Coq , 55
  56. 56. 6. a:A P a (∀a : A, P a) : forall (a:A), P a a:A P a (∃a : A, P a) : exists (a:A), P a Coq P a:A P a:Prop A -> Prop Coq a:A P : A → Prop Coq < Definition iszero(n:nat):Prop := Coq < match n with Coq < | O => True Coq < | _ => False Coq < end. iszero is defined@tmiya : Coq , 56
  57. 57. 6.∀ (1) forall intro(s) forall x:X x:X -> Coq < Theorem sample_forall : forall (X:Type)(P Q:X->Prop)(x:X), P x -> (forall y:X, Q y) -> (P x / Q x). ============================ forall (X : Type) (P Q : X -> Prop) (x : X), P x -> (forall y : X, Q y) -> P x / Q x sample_forall < intros X P Q x px Hqy. X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ P x / Q x@tmiya : Coq , 57
  58. 58. 6.∀ (2) forall y:X y X sample_forall < split. (* P x Q x *) sample_forall < assumption. (* P x px *) 1 subgoal X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ Q x sample_forall < apply (Hqy x). (* Hqy y x *) Proof completed.@tmiya : Coq , 58
  59. 59. 6.2. ∃∃ (1) Coq < Theorem sample_exists : forall (P Q:nat->Prop), Coq < (forall n, P n) -> (exists n, Q n) -> Coq < (exists n, P n / Q n). sample_exists < intros P Q Hpn Hqn. 1 subgoal P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n@tmiya : Coq , 59
  60. 60. 6.2. ∃∃ (2) exists destruct sample_exists < intros P Q Hpn Hqn. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n sample_exists < destruct Hqn as [n’ qn’]. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n@tmiya : Coq , 60
  61. 61. 6.2. ∃∃ (3) exists x:X x:X exists x. sample_exists < destruct Hqn as [n’ qn’]. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n sample_exists < exists n’. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ P n’ / Q n’ (* *)@tmiya : Coq , 61
  62. 62. 6.2. ∃ Theorem ex5_1 : forall (A:Set)(P:A->Prop), (~ exists a, P a) -> (forall a, ~P a). Theorem ex5_2 : forall (A:Set)(P Q:A->Prop), (exists a, P a / Q a) -> (exists a, P a) / (exists a, Q a). Theorem ex5_3 : forall (A:Set)(P Q:A->Prop), (exists a, P a) / (exists a, Q a) -> (exists a, P a / Q a). Theorem ex5_4 : forall (A:Set)(R:A->A->Prop), (exists x, forall y, R x y) -> (forall y, exists x, R x y). Theorem ex5_5 : forall (A:Set)(R:A->A->Prop), (forall x y, R x y -> R y x) -> (forall x y z, R x y -> R y z -> R x z) -> (forall x, exists y, R x y) -> (forall x, R x x).@tmiya : Coq , 62
  63. 63. 6.3. == (1) eq (= ) Inductive eq (A : Type) (x : A) : A -> Prop := refl_equal : x = x Coq (nat bool ) (nat O Sn ) (S m Sn m=n ) ============================ n = n apply (refl_equal n). tactic reflexivity.@tmiya : Coq , 63
  64. 64. 6.3. == (2) plus Print plus. tactic simpl. Coq < Theorem plus_0_l : forall n, 0 + n = n. plus_0_l < intro n. n : nat ============================ 0 + n = n plus_0_l < simpl. n : nat ============================ n = n plus_0_l < reflexivity. Proof completed.@tmiya : Coq , 64
  65. 65. 6.4. (1) ∀n : nat, n + 0 = n simpl. ============================ n + 0 = n plus_0_r < simpl. ============================ n + 0 = n plus n m n n 1. n = 0 n+0=n 2. n = n n+0=n n=Sn n+0=n@tmiya : Coq , 65
  66. 66. 6.4. (2) n induction n as [|n’]. induction n. tactic Coq nat_ind (P ) Coq < Check nat_ind. nat_ind : forall P : nat -> Prop, P 0 -> (forall n : nat, P n -> P (S n)) -> forall n : nat, P n nat_ind nat O : nat S : nat -> nat Inductive bool bool_ind bool_ind : forall P : bool -> Prop, P true -> P false -> forall b : bool, P b@tmiya : Coq , 66
  67. 67. 6.4. (3) induction n as [|n’]. n 0 S n’ reflexivity. OK (simpl. ) Coq < Theorem plus_0_r : forall n:nat, n + 0 = n. plus_0_r < induction n as [|n’]. 2 subgoals ============================ 0 + 0 = 0 subgoal 2 is: S n’ + 0 = S n’ plus_0_r < reflexivity. 1 subgoal n’ : nat IHn’ : n’ + 0 = n’ ============================ S n’ + 0 = S n’@tmiya : Coq , 67
  68. 68. 6.4. (4) n = S n’ n = n’ IHn’ S n’ + 0 = S n’ simpl. plus S (n’ + 0)= S n’ IHn’ n’ + 0 n’ rewrite IHn’. rewrite ============================ S n’ + 0 = S n’ plus_0_r < simpl. IHn’ : n’ + 0 = n’ ============================ S (n’ + 0) = S n’ plus_0_r < rewrite IHn’. IHn’ : n’ + 0 = n’ ============================ S n’ = S n’@tmiya : Coq , 68
  69. 69. 6.4. :m + n = n + m SearchAbout Coq < SearchAbout plus. plus_n_O: forall n : nat, n = n + 0 plus_O_n: forall n : nat, 0 + n = n plus_n_Sm: forall n m : nat, S (n + m) = n + S m plus_Sn_m: forall n m : nat, S n + m = S (n + m) mult_n_Sm: forall n m : nat, n * m + n = n * S m rewrite ( rewrite <- plus_n_Sm n’ m. rewrite H. H rewrite <- H. ) Theorem plus_comm : forall m n:nat, m + n = n + m.@tmiya : Coq , 69
  70. 70. 6.4. (5) nat list A Theorem length_app : forall (A:Type)(l1 l2:list A), length (l1 ++ l2) = length l1 + length l2. list cons induction l1 as [|a l1’]. ( induction l1.) induction ( l2) intro 1. intros A l1 l2. induction l1 as [|a l1’]. 2. intros A l1. induction l1 as [|a l1’]. intro l2. IHl1’ (Coqtop Undo. )@tmiya : Coq , 70
  71. 71. 6.4. : (1) List append reverse Require Import List. Fixpoint append{A:Type}(l1 l2:list A):= match l1 with | nil => l2 | a::l1’ => a::(append l1’ l2) end. Fixpoint reverse{A:Type}(l:list A):= match l with | nil => nil | a::l’ => append (reverse l’) (a::nil) end. Theorem reverse_reverse : forall (A:Type)(l:list A), reverse (reverse l) = l.@tmiya : Coq , 71
  72. 72. 6.4. : (2) reverse_reverse Lemma append_nil : forall (A:Type)(l:list A), append l nil = l. Lemma append_assoc : forall (A:Type)(l1 l2 l3:list A), append (append l1 l2) l3 = append l1 (append l2 l3). Lemma reverse_append : forall (A:Type)(l1 l2:list A), reverse (append l1 l2) = append (reverse l2) (reverse l1).@tmiya : Coq , 72
  73. 73. 7. (1) Coq nat minus(n m:nat) n≤m 0 n−m+m =n ( ) sub Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1. H n≤m n≤m 2. x = m−n x +n = m ( exists x:nat, x+n=m. )@tmiya : Coq , 73
  74. 74. 7. (2) Coq exists nat Arith Require Import Arith. (* Arith *) Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. m : nat n : nat H : n <= m ============================ {x : nat | x + n = m} m, n intro generalize dependent sub < generalize dependent m. sub < generalize dependent n. ============================ forall n m : nat, n <= m -> {x : nat | x + n = m}@tmiya : Coq , 74
  75. 75. 7. (3) eapply, erewrite apply, rewrite Qed. Defined. m n H induction n as [|n’]. (* n=0. m - n = m - 0 = m. exists m *) intros m H. exists m. eapply plus_0_r. (* n=S n’ *) induction m as [|m’]; intro H. (* m=0. m - n = 0 - (S n’) < 0 *) assert(H’: ~(S n’ <= 0)). eapply le_Sn_0. elim H’. assumption. (* m=S m’. S m’- S n’ = m’ - n’. IHn’ *) assert(H’: n’ <= m’). eapply le_S_n. assumption. assert(IH: {x:nat|x+n’=m’}). eapply IHn’. assumption. destruct IH as [x IH]. exists x. erewrite <- plus_n_Sm. rewrite IH. reflexivity. Defined.@tmiya : Coq , 75
  76. 76. 7. (4) sub Print sub. sub OCaml minus Coq < Extraction sub. (** val sub : nat -> nat -> nat **) let rec sub m = function | O -> m | S n0 -> (match m with | O -> assert false (* absurd case *) | S n1 -> let iH = sub n1 n0 in Obj.magic iH) OCaml H@tmiya : Coq , 76
  77. 77. 7. (5) H Theorem le_2_5 : le 2 5. Proof. repeat eapply le_n_S. repeat constructor. Qed. Eval compute in (sub 5 2 le_2_5). (* *) Eval compute in (proj1_sig (sub 5 2 le_2_5)). (* = 3:nat *) {x|x+n=m} x proj1_sig@tmiya : Coq , 77
  78. 78. 7. minus sub minus Definition sub’(m n:nat)(H:le n m) : {x:nat|x+n=m}. Proof. (* minus *) Defined. Coq 1. minus minus 2. minus sub’ 3. refine tactic (refine ) 4. sub@tmiya : Coq , 78
  79. 79. 8. Coq tactic (auto, ring, omega ) (Arith, List, String ) Haskell, OCaml (inversion, refine ) tactic Module@tmiya : Coq , 79
  80. 80. 8. Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions, Yves Berrot and Pierre Casteran (Springer-Verlag) : Coq Certified Programming with Dependent Types, Adam Chlipala (http://adam.chlipala.net/cpdt/) : Coq 2010 III (http://www.math.nagoya-u.ac.jp/~garrigue/lecture/ 2010_AW/index.html) : Garrigue PDF Coq in a Hurry, Yves Bertot (http://cel.archives-ouvertes.fr/docs/00/47/ 58/07/PDF/coq-hurry.pdf) : 2nd Asian-Pacific Summer School on Formal Methods (http://formes.asia/cms/coqschool/2010) :@tmiya : Coq , 80
  81. 81. 8.Coq ProofCafe Coq CPDT Coq IT Coq Ruby, Clojure, Scala, Javascript Coq Coq http://coq.g.hatena.ne.jp/keyword/ProofCafe@tmiya : Coq , 81
  82. 82. 8. Formal Methods Forum Coq ( ) ( ) Google group Coq 2010 Certified Programming with Dependent Types Coq Google group (http://groups.google.co.jp/group/fm-forum) Coq@tmiya : Coq , 82

×