SlideShare una empresa de Scribd logo

Coq Tutorial

T
tmiya

2011/04/23 Coq Tutorial at Formal Methods Forum

Tecnología
1 de 82
Descargar para leer sin conexión
Formal Methods Forum Coq @tmiya April 20,2011 @tmiya : Coq , 1
0. Coq Coq Coq Coq • • Coq • • @tmiya : Coq , 2
1. Coq Lightweight • ( ) • • • • • • ( ) • • • or @tmiya : Coq , 3
1. Coq Coq INRIA OCaml CIC = Calculus of Inductive Construction tactic tactic Coq Coq OCaml, Haskell, Scheme @tmiya : Coq , 4
2. Coq Coq Coqtop, CoqIDE CUI Coqtop / : % coqtop Welcome to Coq 8.3pl1 (December 2010) Coq < Eval compute in (2+3). = 5 : nat Coq < Quit. % Coq CoqIDE coqide @tmiya : Coq , 5
2. Coq Proof General : emacs Proof General ~/.emacs (load-file "***/ProofGeneral/generic/proof-site.el") proof-site.el Coq (*.v) Proof General @tmiya : Coq , 6
3. Coq Coq < Definition x := 1. (* x *) x is defined (* := *) Coq < Check x. (* x *) x : nat (* nat = *) Coq < Print x. (* x *) x = 1 : nat Coq < Definition x := 2. (* x *) Error: x already exists (* --> *) Reset x. Module ( ) @tmiya : Coq , 7
3. Coq 1 2 Coq < Definition f x y := x - y. (* f *) f is defined Coq < Check f. f : nat -> nat -> nat (* nat->(nat->nat) *) Coq < Definition f’ := f 3. (* f’ y = f 3 y *) f’ is defined Coq < Check f’. f’ : nat -> nat (* nat nat *) Coq < Eval compute in (f’ 1). (* f’ 1 = f 3 1 = 2 *) = 2 : nat ( @tmiya : Coq , 8
3. Coq Coq < Check (fun x => 2 * x). (* *) fun x : nat => 2 * x : nat -> nat Coq < Eval compute in ((fun x => 2 * x) 3). = 6 : nat Coq < Definition double := (fun x => 2 * x). double is defined (* double *) Coq . @tmiya : Coq , 9
3. Coq Coq < Definition twice(f:nat->nat):nat->nat := Coq < fun x => f (f x). twice is defined Coq < Definition add5(x:nat) := x + 5. add5 is defined Coq < Definition twice_add5 := twice add5. twice_add5 is defined Coq < Eval compute in (twice_add5 2). = 12 : nat @tmiya : Coq , 10
3.1. int, float Coq nat ( ) Weekday Coq < Inductive Weekday : Set := Coq < Sun | Mon | Tue | Wed | Thr | Fri | Sat. Coq < Check Sun. Sun (* Sun *) : Weekday (* Weekday *) Coq < Check Weekday. Weekday (* *) : Set (* Set *) Set @tmiya : Coq , 11
3.1. ( ) Coq < Definition nextday d := Coq < match d with Coq < | Sun => Mon : (* *) Coq < | Sat => Sun Coq < end. nextday is defined Coq < Check nextday. nextday (* *) : Weekday -> Weekday Coq < Eval compute in (nextday Mon). (* *) prevday @tmiya : Coq , 12
3.1. Bool Coq < Inductive Bool : Set := Coq < | tru : Bool Coq < | fls : Bool. Coq < Definition And(b1 b2:Bool):Bool := Coq < match b1,b2 with Coq < | tru,tru => tru Coq < | _,_ => fls Coq < end. Or, Not Eval @tmiya : Coq , 13
3.1. bool ( ) bool Coq < Print bool. Coq < Print andb. Coq < Print orb. Coq < Print negb. bool Coq < Print unit. @tmiya : Coq , 14
3.1. De Morgan (1) Coq < Theorem De_Morgan_1 : forall b1 b2, Coq < Not (And b1 b2) = Or (Not b1) (Not b2). 1 subgoal ============================ forall b1 b2 : Bool, Not (And b1 b2) = Or (Not b1) (Not b2) De_Morgan_1 < intros. 1 subgoal (* b1 b2 *) b1 : Bool b2 : Bool ============================ Not (And b1 b2) = Or (Not b1) (Not b2) @tmiya : Coq , 15
3.1. De Morgan (2) De_Morgan_1 < destruct b1; destruct b2. 4 subgoals (* b1 b2 *) ============================ Not (And tru tru) = Or (Not tru) (Not tru) subgoal 2 is: Not (And tru fls) = Or (Not tru) (Not fls) subgoal 3 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 4 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 16
3.1. De Morgan (3) De_Morgan_1 < simpl. 4 subgoals (* *) ============================ fls = fls (* *) De_Morgan_1 < reflexivity. 3 subgoals (* = *) ============================ Not (And tru fls) = Or (Not tru) (Not fls) subgoal 2 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 3 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 17
3.1. De Morgan (4) De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. Proof completed. De_Morgan_1 < Qed. intros. destruct b1; destruct b2. simpl in |- *. reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. De_Morgan_1 is defined Not (Or b1 b2) = And (Not b1) (Not b2) @tmiya : Coq , 18
3.1. 1. Yes, Maybe, No Bool3 2. Bool3 And3, Or3, Not3 3. ( ) De Morgan @tmiya : Coq , 19
3.2. nat nat ( ) Coq < Print nat. Inductive nat : Set := O : nat | S : nat -> nat O( O) 0 S nat nat Peano Coq < Eval compute in (S (S (S O))). = 3 : nat S (S (S O)) Coq 3 @tmiya : Coq , 20
3.2. nat n Coq < Fixpoint add(n m:nat):nat := Coq < match n with Coq < | O => m Coq < | S n’ => S (add n’ m) Coq < end. add is recursively defined (decreasing on 1st argument) Fixpoint ( O) 0 S nat 1 nat Peano Coq < Eval compute in (add (S (S O)) (S O)). = 3 : nat (call-by-value) @tmiya : Coq , 21
3.2. nat _,_ OK Coq < Fixpoint eq_nat(n m:nat):bool := Coq < match n,m with Coq < | O,O => true Coq < | S n’, S m’ => eq_nat n’ m’ Coq < | _,_ => false Coq < end. Coq < Eval compute in (eq_nat 3 3). le_nat le_nat n m n≤m Coq ( ) @tmiya : Coq , 22
3.2. Coq ( ) n ({struct n} Coq ) Coq < Fixpoint add’(n m:nat){struct n} := Coq < match n with Coq < | O => m Coq < | S n’ => S (add’ n’ m) Coq < end. add’ is recursively defined (decreasing on 1st argument) add’ 2 3 add’ add’ (S (S O)) 3 = S (add’ (S O) 3) = S (S (add’ O 3)) = S (S 3) = 5. @tmiya : Coq , 23
3.2. ( ) Coq ( )( ) Coq ( Coq ) Coq ( ) (Coq ) Coq @tmiya : Coq , 24
3.2. 1. mul add 2. mul fact 3. sub n=0 sub 0 m = 0 4. div3 Eval Fixpoint div3(n:nat) := match n with | S (S (S n’)) => S (div3 n’) | _ => O end. sub div n m Coq ( ) @tmiya : Coq , 25
3.3. cond c vt vf c:bool true vt false vf vt, vf Set A Coq < Definition cond{A:Set}(c:bool)(vt vf:A) := Coq < match c with Coq < | true => vt Coq < | false => vf Coq < end. Coq < Eval compute in (cond true 2 3). = 2 : nat Coq < Eval compute in (cond false false true). = true : bool {A:Set} cond A ( ) Coq < Eval compute in (@cond nat false 2 3). @tmiya : Coq , 26
3.3. option ( ) null option (Haskell Maybe ) ( Coq sumor ) Coq < Print option. Inductive option (A : Type) : Type := Some : A -> option A | None : option A Definition option_map {A B:Type} (f:A->B)(o:option A) := match o with | Some a => Some (f a) | None => None end. Coq < Eval compute in (option_map (fun x => x + 1) (Some 1)). @tmiya : Coq , 27
3.3. prod sum prod A B A B prod A B A * B ( x , y , .. , z ) (pair .. (pair x y) .. z) Coq < Check (2,true,3). (2, true, 3) : nat * bool * nat prod fst, snd sum A B A B Coq < Definition test_sum (s:sum nat bool) := Coq < match s with Coq < | inl n => n Coq < | inr true => 1 Coq < | inr false => 0 Coq < end. prod, sum Curry-Howard @tmiya : Coq , 28
3.3. List List List :: cons Type Set (Check Set. ) Coq < Require Import List. Coq < Print list. Inductive list (A : Type) : Type := nil : list A | cons : A -> list A -> list A Coq < Check (1::2::nil). 1 :: 2 :: nil : list nat @tmiya : Coq , 29
3.3. List List List nil x::xs Coq < Fixpoint append{A:Type}(xs ys:list A):= Coq < match xs with Coq < | nil => ys Coq < | x::xs’ => x::(append xs’ ys) Coq < end. Coq < Eval compute in (append (1::2::nil) (3::4::nil)). Coq < Fixpoint olast{A:Type}(xs:list A):option A := Coq < match xs with Coq < | nil => None Coq < | a::nil => Some a Coq < | _::xs’ => olast xs’ Coq < end. Coq < Eval compute in (olast (1::2::3::nil)). @tmiya : Coq , 30
3.3. List 1. len{A:Type}(xs:list A):nat Eval compute in (len (1::2::3::nil)). 2. list bool true true all_true(xs:list bool):bool nil true 3. x Some x None ohead{A:Type}(xs:list A):option A 4. s, n s :: s+1 :: ... :: (s+n-1) :: nil nat_list(s n:nat):list nat 5. reverse{A:Type}(xs:list A):list A append @tmiya : Coq , 31
4. Bool De Morgan P Q ¬(P ∧ Q) ¬P ∨ ¬Q F F T T F T T T T F T T T T F F Bool, nat Inductive (nat O S n ) Coq Prop ( ) @tmiya : Coq , 32
4. P P ¬P ( ) ab a, b √ √ √ 2 1. a = b = 2 a, b ab = 2 √ √2 √ 2. ab √ a = √2 , b = 2 √ a, b √ 2 √2 √ 2 2 √ 2 ab = ( 2 ) = 2 = 2 =2 √ √ 2 2 (P) (~P) ab a, b ab a, b @tmiya : Coq , 33
4. ( ) Modus Ponens A A B B (Γ = ( ) ) Γ A Γ A → B (→ ) Γ B ( )→ Coq B Hab : A → B apply Hab. tactic A Ha : A exact Ha. @tmiya : Coq , 34
4. Coq tactic tactic assumption. exact H. trivial. ... H : A ... ------------------------ A exact . A∈Γ ( ) Γ A @tmiya : Coq , 35
4.1. → → A → B (CUI A -> B ) A intro Ha. tactic Ha : A B Coq ... Γ, A B (→ ) Γ A→B H1 → H2 → · · · → Hn → B intros H1 H2 ... Hn. intro intro. intros. Coq → Modus Ponens tactic apply . @tmiya : Coq , 36
4.1. → → (1) tactic Set P Prop P P P p : P ( Set, Prop Type ) Section imp_sample. Variables P Q R : Prop. Theorem imp_sample : (P -> (Q -> R)) -> (P -> Q) -> P -> R. 1 subgoal ============================ (P -> Q -> R) -> (P -> Q) -> P -> R === tactic → intro(s) @tmiya : Coq , 37
4.1. → → (2) → intros tactic intro(s) imp_sample < intros pqr pq p. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ R R pqr apply pqr. @tmiya : Coq , 38
4.1. → → (3) R apply pqr. pqr P -> Q -> P Q imp_sample < apply pqr. 2 subgoals pqr : P -> Q -> R pq : P -> Q p : P ============================ P subgoal 2 is: Q P assumption. @tmiya : Coq , 39
4.1. → → (4) P assumption. Q imp_sample < assumption. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ Q Q @tmiya : Coq , 40
4.1. → → (5) imp_sample < apply pq. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ P imp_sample < assumption. Proof completed. imp_sample < Qed. Qed. @tmiya : Coq , 41
4.2. ∧ ∧ (1) P ∧Q P Q pq : P / Q destruct pq as [p q]. tactic p : P q : Q destruct pq. p,q Coq P ∧Q P Q P ∧Q split. tactic P / Q P, Q Coq < Variable P Q R:Prop. Coq < Theorem and_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 42
4.2. ∧ ∧ (2) intro → ∧ and_assoc < intro pqr. 1 subgoal pqr : (P / Q) / R ============================ P / Q / R and_assoc < destruct pqr as [[p q] r]. 1 subgoal p : P q : Q r : R ============================ P / Q / R @tmiya : Coq , 43
4.2. ∧ ∧ (3) assumption ; tactic split assumption and_assoc < split. 2 subgoals ============================ P subgoal 2 is: Q / R and_assoc < assumption. 1 subgoal ============================ Q / R and_assoc < split; assumption. Proof completed. and_assoc < Qed. @tmiya : Coq , 44
4.3. ∨ ∨ (1) P ∨Q P Q pq : P / Q destruct pq as [pq].— tactic p : P q : Q destruct pq. p,q Coq P ∨Q P Q P ∨Q left. right. tactic P Q Coq < Variable P Q R:Prop. Coq < Theorem or_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 45
4.3. ∨ ∨ (2) intro → ∨ and_assoc < intro pqr. or_assoc < destruct pqr as [[p|q]|r]. 3 subgoals p : P ============================ P / Q / R subgoal 2 is: P / Q / R subgoal 3 is: P / Q / R @tmiya : Coq , 46
4.3. ∨ ∨ (3) assumption or_assoc < left. 3 subgoals p : P ============================ P or_assoc < assumption. 2 subgoals q : Q ============================ P / Q / R or_assoc < right; left. 2 subgoals q : Q ============================ Q OK @tmiya : Coq , 47
4.4. ¬ ¬ (1) ¬P P → False False Inductive False : Prop := ~P intro p. p : P False H : False elim H. np : ~P elim np. P (¬¬P P ) ( ) @tmiya : Coq , 48
4.4. ¬ ¬ (2) Coq < Theorem neg_sample : ~(P / ~P). 1 subgoal ============================ ~ (P / ~ P) neg_sample < intro. 1 subgoal H : P / ~ P ============================ False @tmiya : Coq , 49
4.4. ¬ ¬ (3) neg_sample < destruct H as [p np]. 1 subgoal p : P np : ~ P ============================ False neg_sample < elim np. p : P np : ~ P ============================ P neg_sample < assumption. Proof completed. @tmiya : Coq , 50
4.4. ¬ Variable A B C D:Prop. Theorem ex4_1 : (A -> C) / (B -> D) / A / B -> C / D. Theorem ex4_2 : ~~~A -> ~A. Theorem ex4_3 : (A -> B) -> ~B -> ~A. Theorem ex4_4 : ((((A -> B) -> A) -> A) -> B) -> B. Theorem ex4_5 : ~~(A/~A). @tmiya : Coq , 51
5. Curry-Howard Curry-Howard (1) Theorem imp_sample’ : (P -> (Q -> R)) -> (P -> Q) -> P -> R. imp_sample’ < intros pqr pq p. imp_sample’ < Check pq. pq : P -> Q imp_sample’ < Check (pq p). pq p : Q pq P -> Q P Q pq p Q @tmiya : Coq , 52
5. Curry-Howard Curry-Howard (2) pqr, pq, p R exact tactic imp_sample’ < Check (pqr p (pq p)). pqr p (pq p) : R imp_sample’ < exact (pqr p (pq p)). Proof completed. imp_sample Print Coq < Print imp_sample. imp_sample = fun (pqr : P -> Q -> R) (pq : P -> Q) (p : P) => pqr p (pq p) : (P -> Q -> R) -> (P -> Q) -> P -> R @tmiya : Coq , 53
5. Curry-Howard Curry-Howard (3) P P P→Q P -> Q Γ P ΓP→Q (→ ) pq p Γ Q Γ, P Q (→ ) pq (p:P):Q Γ P→Q P ∧Q prod { (P,Q) inl P P ∨Q sum inr Q Curry-Howard Curry-Howard = Coq @tmiya : Coq , 54
5. Curry-Howard Curry-Howard (4) Coq ( ) Java (P → Q → R) → (P → Q) → P → R interface Fun<A,B> { public B apply(A a); } public class P {} public class Q {} public class R {} public class Proof { public R imp_sample(Fun<P,Fun<Q,R>> pqr, Fun<P,Q> pq, P p) { return pqr.apply(p).apply(pq.apply(p)); } } (Java prod sum ¬ Java ) @tmiya : Coq , 55
6. a:A P a (∀a : A, P a) : forall (a:A), P a a:A P a (∃a : A, P a) : exists (a:A), P a Coq P a:A P a:Prop A -> Prop Coq a:A P : A → Prop Coq < Definition iszero(n:nat):Prop := Coq < match n with Coq < | O => True Coq < | _ => False Coq < end. iszero is defined @tmiya : Coq , 56
6. ∀ (1) forall intro(s) forall x:X x:X -> Coq < Theorem sample_forall : forall (X:Type)(P Q:X->Prop)(x:X), P x -> (forall y:X, Q y) -> (P x / Q x). ============================ forall (X : Type) (P Q : X -> Prop) (x : X), P x -> (forall y : X, Q y) -> P x / Q x sample_forall < intros X P Q x px Hqy. X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ P x / Q x @tmiya : Coq , 57
6. ∀ (2) forall y:X y X sample_forall < split. (* P x Q x *) sample_forall < assumption. (* P x px *) 1 subgoal X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ Q x sample_forall < apply (Hqy x). (* Hqy y x *) Proof completed. @tmiya : Coq , 58
6.2. ∃ ∃ (1) Coq < Theorem sample_exists : forall (P Q:nat->Prop), Coq < (forall n, P n) -> (exists n, Q n) -> Coq < (exists n, P n / Q n). sample_exists < intros P Q Hpn Hqn. 1 subgoal P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n @tmiya : Coq , 59
6.2. ∃ ∃ (2) exists destruct sample_exists < intros P Q Hpn Hqn. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n sample_exists < destruct Hqn as [n’ qn’]. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n @tmiya : Coq , 60
6.2. ∃ ∃ (3) exists x:X x:X exists x. sample_exists < destruct Hqn as [n’ qn’]. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n sample_exists < exists n’. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ P n’ / Q n’ (* *) @tmiya : Coq , 61
6.2. ∃ Theorem ex5_1 : forall (A:Set)(P:A->Prop), (~ exists a, P a) -> (forall a, ~P a). Theorem ex5_2 : forall (A:Set)(P Q:A->Prop), (exists a, P a / Q a) -> (exists a, P a) / (exists a, Q a). Theorem ex5_3 : forall (A:Set)(P Q:A->Prop), (exists a, P a) / (exists a, Q a) -> (exists a, P a / Q a). Theorem ex5_4 : forall (A:Set)(R:A->A->Prop), (exists x, forall y, R x y) -> (forall y, exists x, R x y). Theorem ex5_5 : forall (A:Set)(R:A->A->Prop), (forall x y, R x y -> R y x) -> (forall x y z, R x y -> R y z -> R x z) -> (forall x, exists y, R x y) -> (forall x, R x x). @tmiya : Coq , 62
6.3. = = (1) eq (= ) Inductive eq (A : Type) (x : A) : A -> Prop := refl_equal : x = x Coq (nat bool ) (nat O Sn ) (S m Sn m=n ) ============================ n = n apply (refl_equal n). tactic reflexivity. @tmiya : Coq , 63
6.3. = = (2) plus Print plus. tactic simpl. Coq < Theorem plus_0_l : forall n, 0 + n = n. plus_0_l < intro n. n : nat ============================ 0 + n = n plus_0_l < simpl. n : nat ============================ n = n plus_0_l < reflexivity. Proof completed. @tmiya : Coq , 64
6.4. (1) ∀n : nat, n + 0 = n simpl. ============================ n + 0 = n plus_0_r < simpl. ============================ n + 0 = n plus n m n n 1. n = 0 n+0=n 2. n = n n+0=n n=Sn n+0=n @tmiya : Coq , 65
6.4. (2) n induction n as [|n’]. induction n. tactic Coq nat_ind (P ) Coq < Check nat_ind. nat_ind : forall P : nat -> Prop, P 0 -> (forall n : nat, P n -> P (S n)) -> forall n : nat, P n nat_ind nat O : nat S : nat -> nat Inductive bool bool_ind bool_ind : forall P : bool -> Prop, P true -> P false -> forall b : bool, P b @tmiya : Coq , 66
6.4. (3) induction n as [|n’]. n 0 S n’ reflexivity. OK (simpl. ) Coq < Theorem plus_0_r : forall n:nat, n + 0 = n. plus_0_r < induction n as [|n’]. 2 subgoals ============================ 0 + 0 = 0 subgoal 2 is: S n’ + 0 = S n’ plus_0_r < reflexivity. 1 subgoal n’ : nat IHn’ : n’ + 0 = n’ ============================ S n’ + 0 = S n’ @tmiya : Coq , 67
6.4. (4) n = S n’ n = n’ IHn’ S n’ + 0 = S n’ simpl. plus S (n’ + 0)= S n’ IHn’ n’ + 0 n’ rewrite IHn’. rewrite ============================ S n’ + 0 = S n’ plus_0_r < simpl. IHn’ : n’ + 0 = n’ ============================ S (n’ + 0) = S n’ plus_0_r < rewrite IHn’. IHn’ : n’ + 0 = n’ ============================ S n’ = S n’ @tmiya : Coq , 68
6.4. :m + n = n + m SearchAbout Coq < SearchAbout plus. plus_n_O: forall n : nat, n = n + 0 plus_O_n: forall n : nat, 0 + n = n plus_n_Sm: forall n m : nat, S (n + m) = n + S m plus_Sn_m: forall n m : nat, S n + m = S (n + m) mult_n_Sm: forall n m : nat, n * m + n = n * S m rewrite ( rewrite <- plus_n_Sm n’ m. rewrite H. H rewrite <- H. ) Theorem plus_comm : forall m n:nat, m + n = n + m. @tmiya : Coq , 69
6.4. (5) nat list A Theorem length_app : forall (A:Type)(l1 l2:list A), length (l1 ++ l2) = length l1 + length l2. list cons induction l1 as [|a l1’]. ( induction l1.) induction ( l2) intro 1. intros A l1 l2. induction l1 as [|a l1’]. 2. intros A l1. induction l1 as [|a l1’]. intro l2. IHl1’ (Coqtop Undo. ) @tmiya : Coq , 70
6.4. : (1) List append reverse Require Import List. Fixpoint append{A:Type}(l1 l2:list A):= match l1 with | nil => l2 | a::l1’ => a::(append l1’ l2) end. Fixpoint reverse{A:Type}(l:list A):= match l with | nil => nil | a::l’ => append (reverse l’) (a::nil) end. Theorem reverse_reverse : forall (A:Type)(l:list A), reverse (reverse l) = l. @tmiya : Coq , 71
6.4. : (2) reverse_reverse Lemma append_nil : forall (A:Type)(l:list A), append l nil = l. Lemma append_assoc : forall (A:Type)(l1 l2 l3:list A), append (append l1 l2) l3 = append l1 (append l2 l3). Lemma reverse_append : forall (A:Type)(l1 l2:list A), reverse (append l1 l2) = append (reverse l2) (reverse l1). @tmiya : Coq , 72
7. (1) Coq nat minus(n m:nat) n≤m 0 n−m+m =n ( ) sub Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1. H n≤m n≤m 2. x = m−n x +n = m ( ) @tmiya : Coq , 73
7. (2) Coq nat Arith Require Import Arith. (* Arith *) Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1 subgoal m : nat n : nat H : n <= m ============================ {x : nat | x + n = m} m, n intro generalize dependent sub < generalize dependent m. sub < generalize dependent n. ============================ forall n m : nat, n <= m -> {x : nat | x + n = m} @tmiya : Coq , 74
7. (3) eapply, erewrite apply, rewrite Qed. Defined. induction n as [|n’]. (* n=0 *) intros m H. exists m. eapply plus_0_r. (* n=S n’ *) induction m as [|m’]; intro H. (* m=0 *) assert(H’: ~(S n’ <= 0)). eapply le_Sn_0. elim H’. assumption. (* m=S m’ *) assert(H’: n’ <= m’). eapply le_S_n. assumption. assert(IH: {x:nat|x+n’=m’}). eapply IHn’. assumption. destruct IH as [x IH]. exists x. erewrite <- plus_n_Sm. rewrite IH. reflexivity. Defined. @tmiya : Coq , 75
7. (4) sub Print sub. sub OCaml minus Coq < Extraction sub. (** val sub : nat -> nat -> nat **) let rec sub m = function | O -> m | S n0 -> (match m with | O -> assert false (* absurd case *) | S n1 -> let iH = sub n1 n0 in Obj.magic iH) OCaml H @tmiya : Coq , 76
7. (5) H Theorem le_2_5 : le 2 5. Proof. repeat eapply le_n_S. repeat constructor. Qed. Eval compute in (sub 5 2 le_2_5). (* *) Eval compute in (proj1_sig (sub 5 2 le_2_5)). (* = 3:nat *) {x|x+n=m} x proj1_sig @tmiya : Coq , 77
7. minus sub minus Definition sub’(m n:nat)(H:le n m) : {x:nat|x+n=m}. Proof. (* minus *) Defined. Coq 1. minus minus 2. minus sub’ 3. refine tactic (refine ) 4. sub @tmiya : Coq , 78
8. Coq tactic (auto, ring, omega ) (Arith, List, String ) Haskell, OCaml (inversion, refine ) tactic Module @tmiya : Coq , 79
8. Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions, Yves Berrot and Pierre Casteran (Springer-Verlag) : Coq Certified Programming with Dependent Types, Adam Chlipala (http://adam.chlipala.net/cpdt/) : Coq 2010 III (http://www.math.nagoya-u.ac.jp/~garrigue/lecture/ 2010_AW/index.html) : Garrigue PDF Coq in a Hurry, Yves Bertot (http://cel.archives-ouvertes.fr/docs/00/47/ 58/07/PDF/coq-hurry.pdf) : 2nd Asian-Pacific Summer School on Formal Methods (http://formes.asia/cms/coqschool/2010) : @tmiya : Coq , 80
8. Coq ProofCafe Coq CPDT Coq IT Coq Ruby, Clojure, Scala, Javascript Coq Coq http://coq.g.hatena.ne.jp/keyword/ProofCafe @tmiya : Coq , 81
8. Formal Methods Forum Coq ( ) ( ) Google group Coq 2010 Certified Programming with Dependent Types Coq Google group (http://groups.google.co.jp/group/fm-forum) Coq @tmiya : Coq , 82

Recomendados

Coqチュートリアル
CoqチュートリアルCoqチュートリアル
CoqチュートリアルYoshihiro Mizoguchi
 
よくわかるCoqプログラミング
よくわかるCoqプログラミングよくわかるCoqプログラミング
よくわかるCoqプログラミングReal_analysis
 
ものまね鳥を愛でる 結合子論理と計算
ものまね鳥を愛でる 結合子論理と計算ものまね鳥を愛でる 結合子論理と計算
ものまね鳥を愛でる 結合子論理と計算Hiromi Ishii
 
「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界maruyama097
 
純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門Kimikazu Kato
 
書くネタがCoqしかない
書くネタがCoqしかない書くネタがCoqしかない
書くネタがCoqしかないMasaki Hara
 
自動定理証明の紹介
自動定理証明の紹介自動定理証明の紹介
自動定理証明の紹介Masahiro Sakai
 
中3女子でもわかる constexpr
中3女子でもわかる constexpr中3女子でもわかる constexpr
中3女子でもわかる constexprGenya Murakami
 

Recomendados

Coqチュートリアル
CoqチュートリアルCoqチュートリアル
CoqチュートリアルYoshihiro Mizoguchi
 
よくわかるCoqプログラミング
よくわかるCoqプログラミングよくわかるCoqプログラミング
よくわかるCoqプログラミングReal_analysis
 
ものまね鳥を愛でる 結合子論理と計算
ものまね鳥を愛でる 結合子論理と計算ものまね鳥を愛でる 結合子論理と計算
ものまね鳥を愛でる 結合子論理と計算Hiromi Ishii
 
「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界「型の理論」と証明支援システム -- COQの世界
「型の理論」と証明支援システム -- COQの世界maruyama097
 
純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門純粋関数型アルゴリズム入門
純粋関数型アルゴリズム入門Kimikazu Kato
 
書くネタがCoqしかない
書くネタがCoqしかない書くネタがCoqしかない
書くネタがCoqしかないMasaki Hara
 
自動定理証明の紹介
自動定理証明の紹介自動定理証明の紹介
自動定理証明の紹介Masahiro Sakai
 
中3女子でもわかる constexpr
中3女子でもわかる constexpr中3女子でもわかる constexpr
中3女子でもわかる constexprGenya Murakami
 
証明プログラミング超入門
証明プログラミング超入門証明プログラミング超入門
証明プログラミング超入門Kyoko Kadowaki
 
定理証明支援系Coqについて
定理証明支援系Coqについて定理証明支援系Coqについて
定理証明支援系CoqについてYoshihiro Mizoguchi
 
ホモトピー型理論入門
ホモトピー型理論入門ホモトピー型理論入門
ホモトピー型理論入門k h
 
ラムダ計算入門
ラムダ計算入門ラムダ計算入門
ラムダ計算入門Eita Sugimoto
 
JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...
JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...
JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...NTT DATA Technology & Innovation
 
ゲーム開発者のための C++11/C++14
ゲーム開発者のための C++11/C++14ゲーム開発者のための C++11/C++14
ゲーム開発者のための C++11/C++14Ryo Suzuki
 
関数プログラミング入門
関数プログラミング入門関数プログラミング入門
関数プログラミング入門Hideyuki Tanaka
 
明日使えないすごいビット演算
明日使えないすごいビット演算明日使えないすごいビット演算
明日使えないすごいビット演算京大 マイコンクラブ
 
Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪Yusuke Mori
 
Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」
Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」
Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」Hiro H.
 
Constexpr 中3女子テクニック
Constexpr 中3女子テクニックConstexpr 中3女子テクニック
Constexpr 中3女子テクニックGenya Murakami
 
競技プログラミングにおけるコードの書き方とその利便性
競技プログラミングにおけるコードの書き方とその利便性競技プログラミングにおけるコードの書き方とその利便性
競技プログラミングにおけるコードの書き方とその利便性Hibiki Yamashiro
 
BoostAsioで可読性を求めるのは間違っているだろうか
BoostAsioで可読性を求めるのは間違っているだろうかBoostAsioで可読性を求めるのは間違っているだろうか
BoostAsioで可読性を求めるのは間違っているだろうかYuki Miyatake
 
プログラムを高速化する話Ⅱ 〜GPGPU編〜
プログラムを高速化する話Ⅱ 〜GPGPU編〜プログラムを高速化する話Ⅱ 〜GPGPU編〜
プログラムを高速化する話Ⅱ 〜GPGPU編〜京大 マイコンクラブ
 
C++ マルチスレッド 入門
C++ マルチスレッド 入門C++ マルチスレッド 入門
C++ マルチスレッド 入門京大 マイコンクラブ
 
関数型プログラミングのデザインパターンひとめぐり
関数型プログラミングのデザインパターンひとめぐり関数型プログラミングのデザインパターンひとめぐり
関数型プログラミングのデザインパターンひとめぐりKazuyuki TAKASE
 
代数的実数とCADの実装紹介
代数的実数とCADの実装紹介代数的実数とCADの実装紹介
代数的実数とCADの実装紹介Masahiro Sakai
 
SSE4.2の文字列処理命令の紹介
SSE4.2の文字列処理命令の紹介SSE4.2の文字列処理命令の紹介
SSE4.2の文字列処理命令の紹介MITSUNARI Shigeo
 
中3女子が狂える本当に気持ちのいい constexpr
中3女子が狂える本当に気持ちのいい constexpr中3女子が狂える本当に気持ちのいい constexpr
中3女子が狂える本当に気持ちのいい constexprGenya Murakami
 
ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会
ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会
ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会Takayuki Shimizukawa
 
Coq for ML users
Coq for ML usersCoq for ML users
Coq for ML userstmiya
 
Proofsummit2011a
Proofsummit2011aProofsummit2011a
Proofsummit2011atmiya
 

Más contenido relacionado

La actualidad más candente

証明プログラミング超入門
証明プログラミング超入門証明プログラミング超入門
証明プログラミング超入門Kyoko Kadowaki
 
定理証明支援系Coqについて
定理証明支援系Coqについて定理証明支援系Coqについて
定理証明支援系CoqについてYoshihiro Mizoguchi
 
ホモトピー型理論入門
ホモトピー型理論入門ホモトピー型理論入門
ホモトピー型理論入門k h
 
ラムダ計算入門
ラムダ計算入門ラムダ計算入門
ラムダ計算入門Eita Sugimoto
 
JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...
JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...
JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...NTT DATA Technology & Innovation
 
ゲーム開発者のための C++11/C++14
ゲーム開発者のための C++11/C++14ゲーム開発者のための C++11/C++14
ゲーム開発者のための C++11/C++14Ryo Suzuki
 
関数プログラミング入門
関数プログラミング入門関数プログラミング入門
関数プログラミング入門Hideyuki Tanaka
 
Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪Yusuke Mori
 
Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」
Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」
Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」Hiro H.
 
Constexpr 中3女子テクニック
Constexpr 中3女子テクニックConstexpr 中3女子テクニック
Constexpr 中3女子テクニックGenya Murakami
 
競技プログラミングにおけるコードの書き方とその利便性
競技プログラミングにおけるコードの書き方とその利便性競技プログラミングにおけるコードの書き方とその利便性
競技プログラミングにおけるコードの書き方とその利便性Hibiki Yamashiro
 
BoostAsioで可読性を求めるのは間違っているだろうか
BoostAsioで可読性を求めるのは間違っているだろうかBoostAsioで可読性を求めるのは間違っているだろうか
BoostAsioで可読性を求めるのは間違っているだろうかYuki Miyatake
 
プログラムを高速化する話Ⅱ 〜GPGPU編〜
プログラムを高速化する話Ⅱ 〜GPGPU編〜プログラムを高速化する話Ⅱ 〜GPGPU編〜
プログラムを高速化する話Ⅱ 〜GPGPU編〜京大 マイコンクラブ
 
関数型プログラミングのデザインパターンひとめぐり
関数型プログラミングのデザインパターンひとめぐり関数型プログラミングのデザインパターンひとめぐり
関数型プログラミングのデザインパターンひとめぐりKazuyuki TAKASE
 
代数的実数とCADの実装紹介
代数的実数とCADの実装紹介代数的実数とCADの実装紹介
代数的実数とCADの実装紹介Masahiro Sakai
 
SSE4.2の文字列処理命令の紹介
SSE4.2の文字列処理命令の紹介SSE4.2の文字列処理命令の紹介
SSE4.2の文字列処理命令の紹介MITSUNARI Shigeo
 
中3女子が狂える本当に気持ちのいい constexpr
中3女子が狂える本当に気持ちのいい constexpr中3女子が狂える本当に気持ちのいい constexpr
中3女子が狂える本当に気持ちのいい constexprGenya Murakami
 
ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会
ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会
ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会Takayuki Shimizukawa
 

La actualidad más candente (20)

証明プログラミング超入門
証明プログラミング超入門証明プログラミング超入門
証明プログラミング超入門
 
定理証明支援系Coqについて
定理証明支援系Coqについて定理証明支援系Coqについて
定理証明支援系Coqについて
 
ホモトピー型理論入門
ホモトピー型理論入門ホモトピー型理論入門
ホモトピー型理論入門
 
ラムダ計算入門
ラムダ計算入門ラムダ計算入門
ラムダ計算入門
 
JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...
JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...
JavaでCPUを使い倒す! ~Java 9 以降の CPU 最適化を覗いてみる~(NTTデータ テクノロジーカンファレンス 2019 講演資料、2019...
 
ゲーム開発者のための C++11/C++14
ゲーム開発者のための C++11/C++14ゲーム開発者のための C++11/C++14
ゲーム開発者のための C++11/C++14
 
関数プログラミング入門
関数プログラミング入門関数プログラミング入門
関数プログラミング入門
 
明日使えないすごいビット演算
明日使えないすごいビット演算明日使えないすごいビット演算
明日使えないすごいビット演算
 
Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪Rust、何もわからない...#7 VecDeque再訪
Rust、何もわからない...#7 VecDeque再訪
 
Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」
Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」
Boost.勉強会 #21 札幌「C++1zにstring_viewが導入されてうれしいので紹介します」
 
Constexpr 中3女子テクニック
Constexpr 中3女子テクニックConstexpr 中3女子テクニック
Constexpr 中3女子テクニック
 
競技プログラミングにおけるコードの書き方とその利便性
競技プログラミングにおけるコードの書き方とその利便性競技プログラミングにおけるコードの書き方とその利便性
競技プログラミングにおけるコードの書き方とその利便性
 
BoostAsioで可読性を求めるのは間違っているだろうか
BoostAsioで可読性を求めるのは間違っているだろうかBoostAsioで可読性を求めるのは間違っているだろうか
BoostAsioで可読性を求めるのは間違っているだろうか
 
プログラムを高速化する話Ⅱ 〜GPGPU編〜
プログラムを高速化する話Ⅱ 〜GPGPU編〜プログラムを高速化する話Ⅱ 〜GPGPU編〜
プログラムを高速化する話Ⅱ 〜GPGPU編〜
 
C++ マルチスレッド 入門
C++ マルチスレッド 入門C++ マルチスレッド 入門
C++ マルチスレッド 入門
 
関数型プログラミングのデザインパターンひとめぐり
関数型プログラミングのデザインパターンひとめぐり関数型プログラミングのデザインパターンひとめぐり
関数型プログラミングのデザインパターンひとめぐり
 
代数的実数とCADの実装紹介
代数的実数とCADの実装紹介代数的実数とCADの実装紹介
代数的実数とCADの実装紹介
 
SSE4.2の文字列処理命令の紹介
SSE4.2の文字列処理命令の紹介SSE4.2の文字列処理命令の紹介
SSE4.2の文字列処理命令の紹介
 
中3女子が狂える本当に気持ちのいい constexpr
中3女子が狂える本当に気持ちのいい constexpr中3女子が狂える本当に気持ちのいい constexpr
中3女子が狂える本当に気持ちのいい constexpr
 
ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会
ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会
ドキュメンテーションを加速するストレスフリーの作図ツール『blockdiag』 jus2011年6月勉強会
 

Más de tmiya

Coq for ML users
Coq for ML usersCoq for ML users
Coq for ML userstmiya
 
Proofsummit2011a
Proofsummit2011aProofsummit2011a
Proofsummit2011atmiya
 
Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011tmiya
 
Typeclass
TypeclassTypeclass
Typeclasstmiya
 
RegExp20110305
RegExp20110305RegExp20110305
RegExp20110305tmiya
 
Coq setoid 20110129
Coq setoid 20110129Coq setoid 20110129
Coq setoid 20110129tmiya
 
Coq Party 20101127
Coq Party 20101127Coq Party 20101127
Coq Party 20101127tmiya
 
Maude20100719
Maude20100719Maude20100719
Maude20100719tmiya
 
Formal methods20100529
Formal methods20100529Formal methods20100529
Formal methods20100529tmiya
 
Coq 20100208a
Coq 20100208aCoq 20100208a
Coq 20100208atmiya
 

Más de tmiya (10)

Coq for ML users
Coq for ML usersCoq for ML users
Coq for ML users
 
Proofsummit2011a
Proofsummit2011aProofsummit2011a
Proofsummit2011a
 
Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011Coq Tutorial at Proof Summit 2011
Coq Tutorial at Proof Summit 2011
 
Typeclass
TypeclassTypeclass
Typeclass
 
RegExp20110305
RegExp20110305RegExp20110305
RegExp20110305
 
Coq setoid 20110129
Coq setoid 20110129Coq setoid 20110129
Coq setoid 20110129
 
Coq Party 20101127
Coq Party 20101127Coq Party 20101127
Coq Party 20101127
 
Maude20100719
Maude20100719Maude20100719
Maude20100719
 
Formal methods20100529
Formal methods20100529Formal methods20100529
Formal methods20100529
 
Coq 20100208a
Coq 20100208aCoq 20100208a
Coq 20100208a
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Último (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Coq Tutorial

  • 1. Formal Methods Forum Coq @tmiya April 20,2011 @tmiya : Coq , 1
  • 2. 0. Coq Coq Coq Coq • • Coq • • @tmiya : Coq , 2
  • 3. 1. Coq Lightweight • ( ) • • • • • • ( ) • • • or @tmiya : Coq , 3
  • 4. 1. Coq Coq INRIA OCaml CIC = Calculus of Inductive Construction tactic tactic Coq Coq OCaml, Haskell, Scheme @tmiya : Coq , 4
  • 5. 2. Coq Coq Coqtop, CoqIDE CUI Coqtop / : % coqtop Welcome to Coq 8.3pl1 (December 2010) Coq < Eval compute in (2+3). = 5 : nat Coq < Quit. % Coq CoqIDE coqide @tmiya : Coq , 5
  • 6. 2. Coq Proof General : emacs Proof General ~/.emacs (load-file "***/ProofGeneral/generic/proof-site.el") proof-site.el Coq (*.v) Proof General @tmiya : Coq , 6
  • 7. 3. Coq Coq < Definition x := 1. (* x *) x is defined (* := *) Coq < Check x. (* x *) x : nat (* nat = *) Coq < Print x. (* x *) x = 1 : nat Coq < Definition x := 2. (* x *) Error: x already exists (* --> *) Reset x. Module ( ) @tmiya : Coq , 7
  • 8. 3. Coq 1 2 Coq < Definition f x y := x - y. (* f *) f is defined Coq < Check f. f : nat -> nat -> nat (* nat->(nat->nat) *) Coq < Definition f’ := f 3. (* f’ y = f 3 y *) f’ is defined Coq < Check f’. f’ : nat -> nat (* nat nat *) Coq < Eval compute in (f’ 1). (* f’ 1 = f 3 1 = 2 *) = 2 : nat ( @tmiya : Coq , 8
  • 9. 3. Coq Coq < Check (fun x => 2 * x). (* *) fun x : nat => 2 * x : nat -> nat Coq < Eval compute in ((fun x => 2 * x) 3). = 6 : nat Coq < Definition double := (fun x => 2 * x). double is defined (* double *) Coq . @tmiya : Coq , 9
  • 10. 3. Coq Coq < Definition twice(f:nat->nat):nat->nat := Coq < fun x => f (f x). twice is defined Coq < Definition add5(x:nat) := x + 5. add5 is defined Coq < Definition twice_add5 := twice add5. twice_add5 is defined Coq < Eval compute in (twice_add5 2). = 12 : nat @tmiya : Coq , 10
  • 11. 3.1. int, float Coq nat ( ) Weekday Coq < Inductive Weekday : Set := Coq < Sun | Mon | Tue | Wed | Thr | Fri | Sat. Coq < Check Sun. Sun (* Sun *) : Weekday (* Weekday *) Coq < Check Weekday. Weekday (* *) : Set (* Set *) Set @tmiya : Coq , 11
  • 12. 3.1. ( ) Coq < Definition nextday d := Coq < match d with Coq < | Sun => Mon : (* *) Coq < | Sat => Sun Coq < end. nextday is defined Coq < Check nextday. nextday (* *) : Weekday -> Weekday Coq < Eval compute in (nextday Mon). (* *) prevday @tmiya : Coq , 12
  • 13. 3.1. Bool Coq < Inductive Bool : Set := Coq < | tru : Bool Coq < | fls : Bool. Coq < Definition And(b1 b2:Bool):Bool := Coq < match b1,b2 with Coq < | tru,tru => tru Coq < | _,_ => fls Coq < end. Or, Not Eval @tmiya : Coq , 13
  • 14. 3.1. bool ( ) bool Coq < Print bool. Coq < Print andb. Coq < Print orb. Coq < Print negb. bool Coq < Print unit. @tmiya : Coq , 14
  • 15. 3.1. De Morgan (1) Coq < Theorem De_Morgan_1 : forall b1 b2, Coq < Not (And b1 b2) = Or (Not b1) (Not b2). 1 subgoal ============================ forall b1 b2 : Bool, Not (And b1 b2) = Or (Not b1) (Not b2) De_Morgan_1 < intros. 1 subgoal (* b1 b2 *) b1 : Bool b2 : Bool ============================ Not (And b1 b2) = Or (Not b1) (Not b2) @tmiya : Coq , 15
  • 16. 3.1. De Morgan (2) De_Morgan_1 < destruct b1; destruct b2. 4 subgoals (* b1 b2 *) ============================ Not (And tru tru) = Or (Not tru) (Not tru) subgoal 2 is: Not (And tru fls) = Or (Not tru) (Not fls) subgoal 3 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 4 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 16
  • 17. 3.1. De Morgan (3) De_Morgan_1 < simpl. 4 subgoals (* *) ============================ fls = fls (* *) De_Morgan_1 < reflexivity. 3 subgoals (* = *) ============================ Not (And tru fls) = Or (Not tru) (Not fls) subgoal 2 is: Not (And fls tru) = Or (Not fls) (Not tru) subgoal 3 is: Not (And fls fls) = Or (Not fls) (Not fls) @tmiya : Coq , 17
  • 18. 3.1. De Morgan (4) De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. De_Morgan_1 < simpl; reflexivity. Proof completed. De_Morgan_1 < Qed. intros. destruct b1; destruct b2. simpl in |- *. reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. simpl in |- *; reflexivity. De_Morgan_1 is defined Not (Or b1 b2) = And (Not b1) (Not b2) @tmiya : Coq , 18
  • 19. 3.1. 1. Yes, Maybe, No Bool3 2. Bool3 And3, Or3, Not3 3. ( ) De Morgan @tmiya : Coq , 19
  • 20. 3.2. nat nat ( ) Coq < Print nat. Inductive nat : Set := O : nat | S : nat -> nat O( O) 0 S nat nat Peano Coq < Eval compute in (S (S (S O))). = 3 : nat S (S (S O)) Coq 3 @tmiya : Coq , 20
  • 21. 3.2. nat n Coq < Fixpoint add(n m:nat):nat := Coq < match n with Coq < | O => m Coq < | S n’ => S (add n’ m) Coq < end. add is recursively defined (decreasing on 1st argument) Fixpoint ( O) 0 S nat 1 nat Peano Coq < Eval compute in (add (S (S O)) (S O)). = 3 : nat (call-by-value) @tmiya : Coq , 21
  • 22. 3.2. nat _,_ OK Coq < Fixpoint eq_nat(n m:nat):bool := Coq < match n,m with Coq < | O,O => true Coq < | S n’, S m’ => eq_nat n’ m’ Coq < | _,_ => false Coq < end. Coq < Eval compute in (eq_nat 3 3). le_nat le_nat n m n≤m Coq ( ) @tmiya : Coq , 22
  • 23. 3.2. Coq ( ) n ({struct n} Coq ) Coq < Fixpoint add’(n m:nat){struct n} := Coq < match n with Coq < | O => m Coq < | S n’ => S (add’ n’ m) Coq < end. add’ is recursively defined (decreasing on 1st argument) add’ 2 3 add’ add’ (S (S O)) 3 = S (add’ (S O) 3) = S (S (add’ O 3)) = S (S 3) = 5. @tmiya : Coq , 23
  • 24. 3.2. ( ) Coq ( )( ) Coq ( Coq ) Coq ( ) (Coq ) Coq @tmiya : Coq , 24
  • 25. 3.2. 1. mul add 2. mul fact 3. sub n=0 sub 0 m = 0 4. div3 Eval Fixpoint div3(n:nat) := match n with | S (S (S n’)) => S (div3 n’) | _ => O end. sub div n m Coq ( ) @tmiya : Coq , 25
  • 26. 3.3. cond c vt vf c:bool true vt false vf vt, vf Set A Coq < Definition cond{A:Set}(c:bool)(vt vf:A) := Coq < match c with Coq < | true => vt Coq < | false => vf Coq < end. Coq < Eval compute in (cond true 2 3). = 2 : nat Coq < Eval compute in (cond false false true). = true : bool {A:Set} cond A ( ) Coq < Eval compute in (@cond nat false 2 3). @tmiya : Coq , 26
  • 27. 3.3. option ( ) null option (Haskell Maybe ) ( Coq sumor ) Coq < Print option. Inductive option (A : Type) : Type := Some : A -> option A | None : option A Definition option_map {A B:Type} (f:A->B)(o:option A) := match o with | Some a => Some (f a) | None => None end. Coq < Eval compute in (option_map (fun x => x + 1) (Some 1)). @tmiya : Coq , 27
  • 28. 3.3. prod sum prod A B A B prod A B A * B ( x , y , .. , z ) (pair .. (pair x y) .. z) Coq < Check (2,true,3). (2, true, 3) : nat * bool * nat prod fst, snd sum A B A B Coq < Definition test_sum (s:sum nat bool) := Coq < match s with Coq < | inl n => n Coq < | inr true => 1 Coq < | inr false => 0 Coq < end. prod, sum Curry-Howard @tmiya : Coq , 28
  • 29. 3.3. List List List :: cons Type Set (Check Set. ) Coq < Require Import List. Coq < Print list. Inductive list (A : Type) : Type := nil : list A | cons : A -> list A -> list A Coq < Check (1::2::nil). 1 :: 2 :: nil : list nat @tmiya : Coq , 29
  • 30. 3.3. List List List nil x::xs Coq < Fixpoint append{A:Type}(xs ys:list A):= Coq < match xs with Coq < | nil => ys Coq < | x::xs’ => x::(append xs’ ys) Coq < end. Coq < Eval compute in (append (1::2::nil) (3::4::nil)). Coq < Fixpoint olast{A:Type}(xs:list A):option A := Coq < match xs with Coq < | nil => None Coq < | a::nil => Some a Coq < | _::xs’ => olast xs’ Coq < end. Coq < Eval compute in (olast (1::2::3::nil)). @tmiya : Coq , 30
  • 31. 3.3. List 1. len{A:Type}(xs:list A):nat Eval compute in (len (1::2::3::nil)). 2. list bool true true all_true(xs:list bool):bool nil true 3. x Some x None ohead{A:Type}(xs:list A):option A 4. s, n s :: s+1 :: ... :: (s+n-1) :: nil nat_list(s n:nat):list nat 5. reverse{A:Type}(xs:list A):list A append @tmiya : Coq , 31
  • 32. 4. Bool De Morgan P Q ¬(P ∧ Q) ¬P ∨ ¬Q F F T T F T T T T F T T T T F F Bool, nat Inductive (nat O S n ) Coq Prop ( ) @tmiya : Coq , 32
  • 33. 4. P P ¬P ( ) ab a, b √ √ √ 2 1. a = b = 2 a, b ab = 2 √ √2 √ 2. ab √ a = √2 , b = 2 √ a, b √ 2 √2 √ 2 2 √ 2 ab = ( 2 ) = 2 = 2 =2 √ √ 2 2 (P) (~P) ab a, b ab a, b @tmiya : Coq , 33
  • 34. 4. ( ) Modus Ponens A A B B (Γ = ( ) ) Γ A Γ A → B (→ ) Γ B ( )→ Coq B Hab : A → B apply Hab. tactic A Ha : A exact Ha. @tmiya : Coq , 34
  • 35. 4. Coq tactic tactic assumption. exact H. trivial. ... H : A ... ------------------------ A exact . A∈Γ ( ) Γ A @tmiya : Coq , 35
  • 36. 4.1. → → A → B (CUI A -> B ) A intro Ha. tactic Ha : A B Coq ... Γ, A B (→ ) Γ A→B H1 → H2 → · · · → Hn → B intros H1 H2 ... Hn. intro intro. intros. Coq → Modus Ponens tactic apply . @tmiya : Coq , 36
  • 37. 4.1. → → (1) tactic Set P Prop P P P p : P ( Set, Prop Type ) Section imp_sample. Variables P Q R : Prop. Theorem imp_sample : (P -> (Q -> R)) -> (P -> Q) -> P -> R. 1 subgoal ============================ (P -> Q -> R) -> (P -> Q) -> P -> R === tactic → intro(s) @tmiya : Coq , 37
  • 38. 4.1. → → (2) → intros tactic intro(s) imp_sample < intros pqr pq p. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ R R pqr apply pqr. @tmiya : Coq , 38
  • 39. 4.1. → → (3) R apply pqr. pqr P -> Q -> P Q imp_sample < apply pqr. 2 subgoals pqr : P -> Q -> R pq : P -> Q p : P ============================ P subgoal 2 is: Q P assumption. @tmiya : Coq , 39
  • 40. 4.1. → → (4) P assumption. Q imp_sample < assumption. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ Q Q @tmiya : Coq , 40
  • 41. 4.1. → → (5) imp_sample < apply pq. 1 subgoal pqr : P -> Q -> R pq : P -> Q p : P ============================ P imp_sample < assumption. Proof completed. imp_sample < Qed. Qed. @tmiya : Coq , 41
  • 42. 4.2. ∧ ∧ (1) P ∧Q P Q pq : P / Q destruct pq as [p q]. tactic p : P q : Q destruct pq. p,q Coq P ∧Q P Q P ∧Q split. tactic P / Q P, Q Coq < Variable P Q R:Prop. Coq < Theorem and_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 42
  • 43. 4.2. ∧ ∧ (2) intro → ∧ and_assoc < intro pqr. 1 subgoal pqr : (P / Q) / R ============================ P / Q / R and_assoc < destruct pqr as [[p q] r]. 1 subgoal p : P q : Q r : R ============================ P / Q / R @tmiya : Coq , 43
  • 44. 4.2. ∧ ∧ (3) assumption ; tactic split assumption and_assoc < split. 2 subgoals ============================ P subgoal 2 is: Q / R and_assoc < assumption. 1 subgoal ============================ Q / R and_assoc < split; assumption. Proof completed. and_assoc < Qed. @tmiya : Coq , 44
  • 45. 4.3. ∨ ∨ (1) P ∨Q P Q pq : P / Q destruct pq as [pq].— tactic p : P q : Q destruct pq. p,q Coq P ∨Q P Q P ∨Q left. right. tactic P Q Coq < Variable P Q R:Prop. Coq < Theorem or_assoc : (P/Q)/R -> P/(Q/R). 1 subgoal ============================ (P / Q) / R -> P / Q / R @tmiya : Coq , 45
  • 46. 4.3. ∨ ∨ (2) intro → ∨ and_assoc < intro pqr. or_assoc < destruct pqr as [[p|q]|r]. 3 subgoals p : P ============================ P / Q / R subgoal 2 is: P / Q / R subgoal 3 is: P / Q / R @tmiya : Coq , 46
  • 47. 4.3. ∨ ∨ (3) assumption or_assoc < left. 3 subgoals p : P ============================ P or_assoc < assumption. 2 subgoals q : Q ============================ P / Q / R or_assoc < right; left. 2 subgoals q : Q ============================ Q OK @tmiya : Coq , 47
  • 48. 4.4. ¬ ¬ (1) ¬P P → False False Inductive False : Prop := ~P intro p. p : P False H : False elim H. np : ~P elim np. P (¬¬P P ) ( ) @tmiya : Coq , 48
  • 49. 4.4. ¬ ¬ (2) Coq < Theorem neg_sample : ~(P / ~P). 1 subgoal ============================ ~ (P / ~ P) neg_sample < intro. 1 subgoal H : P / ~ P ============================ False @tmiya : Coq , 49
  • 50. 4.4. ¬ ¬ (3) neg_sample < destruct H as [p np]. 1 subgoal p : P np : ~ P ============================ False neg_sample < elim np. p : P np : ~ P ============================ P neg_sample < assumption. Proof completed. @tmiya : Coq , 50
  • 51. 4.4. ¬ Variable A B C D:Prop. Theorem ex4_1 : (A -> C) / (B -> D) / A / B -> C / D. Theorem ex4_2 : ~~~A -> ~A. Theorem ex4_3 : (A -> B) -> ~B -> ~A. Theorem ex4_4 : ((((A -> B) -> A) -> A) -> B) -> B. Theorem ex4_5 : ~~(A/~A). @tmiya : Coq , 51
  • 52. 5. Curry-Howard Curry-Howard (1) Theorem imp_sample’ : (P -> (Q -> R)) -> (P -> Q) -> P -> R. imp_sample’ < intros pqr pq p. imp_sample’ < Check pq. pq : P -> Q imp_sample’ < Check (pq p). pq p : Q pq P -> Q P Q pq p Q @tmiya : Coq , 52
  • 53. 5. Curry-Howard Curry-Howard (2) pqr, pq, p R exact tactic imp_sample’ < Check (pqr p (pq p)). pqr p (pq p) : R imp_sample’ < exact (pqr p (pq p)). Proof completed. imp_sample Print Coq < Print imp_sample. imp_sample = fun (pqr : P -> Q -> R) (pq : P -> Q) (p : P) => pqr p (pq p) : (P -> Q -> R) -> (P -> Q) -> P -> R @tmiya : Coq , 53
  • 54. 5. Curry-Howard Curry-Howard (3) P P P→Q P -> Q Γ P ΓP→Q (→ ) pq p Γ Q Γ, P Q (→ ) pq (p:P):Q Γ P→Q P ∧Q prod { (P,Q) inl P P ∨Q sum inr Q Curry-Howard Curry-Howard = Coq @tmiya : Coq , 54
  • 55. 5. Curry-Howard Curry-Howard (4) Coq ( ) Java (P → Q → R) → (P → Q) → P → R interface Fun<A,B> { public B apply(A a); } public class P {} public class Q {} public class R {} public class Proof { public R imp_sample(Fun<P,Fun<Q,R>> pqr, Fun<P,Q> pq, P p) { return pqr.apply(p).apply(pq.apply(p)); } } (Java prod sum ¬ Java ) @tmiya : Coq , 55
  • 56. 6. a:A P a (∀a : A, P a) : forall (a:A), P a a:A P a (∃a : A, P a) : exists (a:A), P a Coq P a:A P a:Prop A -> Prop Coq a:A P : A → Prop Coq < Definition iszero(n:nat):Prop := Coq < match n with Coq < | O => True Coq < | _ => False Coq < end. iszero is defined @tmiya : Coq , 56
  • 57. 6. ∀ (1) forall intro(s) forall x:X x:X -> Coq < Theorem sample_forall : forall (X:Type)(P Q:X->Prop)(x:X), P x -> (forall y:X, Q y) -> (P x / Q x). ============================ forall (X : Type) (P Q : X -> Prop) (x : X), P x -> (forall y : X, Q y) -> P x / Q x sample_forall < intros X P Q x px Hqy. X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ P x / Q x @tmiya : Coq , 57
  • 58. 6. ∀ (2) forall y:X y X sample_forall < split. (* P x Q x *) sample_forall < assumption. (* P x px *) 1 subgoal X : Type P : X -> Prop Q : X -> Prop x : X px : P x Hqy : forall y : X, Q y ============================ Q x sample_forall < apply (Hqy x). (* Hqy y x *) Proof completed. @tmiya : Coq , 58
  • 59. 6.2. ∃ ∃ (1) Coq < Theorem sample_exists : forall (P Q:nat->Prop), Coq < (forall n, P n) -> (exists n, Q n) -> Coq < (exists n, P n / Q n). sample_exists < intros P Q Hpn Hqn. 1 subgoal P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n @tmiya : Coq , 59
  • 60. 6.2. ∃ ∃ (2) exists destruct sample_exists < intros P Q Hpn Hqn. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n Hqn : exists n : nat, Q n ============================ exists n : nat, P n / Q n sample_exists < destruct Hqn as [n’ qn’]. P : nat -> Prop Q : nat -> Prop Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n @tmiya : Coq , 60
  • 61. 6.2. ∃ ∃ (3) exists x:X x:X exists x. sample_exists < destruct Hqn as [n’ qn’]. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ exists n : nat, P n / Q n sample_exists < exists n’. : Hpn : forall n : nat, P n n’ : nat qn’ : Q n’ ============================ P n’ / Q n’ (* *) @tmiya : Coq , 61
  • 62. 6.2. ∃ Theorem ex5_1 : forall (A:Set)(P:A->Prop), (~ exists a, P a) -> (forall a, ~P a). Theorem ex5_2 : forall (A:Set)(P Q:A->Prop), (exists a, P a / Q a) -> (exists a, P a) / (exists a, Q a). Theorem ex5_3 : forall (A:Set)(P Q:A->Prop), (exists a, P a) / (exists a, Q a) -> (exists a, P a / Q a). Theorem ex5_4 : forall (A:Set)(R:A->A->Prop), (exists x, forall y, R x y) -> (forall y, exists x, R x y). Theorem ex5_5 : forall (A:Set)(R:A->A->Prop), (forall x y, R x y -> R y x) -> (forall x y z, R x y -> R y z -> R x z) -> (forall x, exists y, R x y) -> (forall x, R x x). @tmiya : Coq , 62
  • 63. 6.3. = = (1) eq (= ) Inductive eq (A : Type) (x : A) : A -> Prop := refl_equal : x = x Coq (nat bool ) (nat O Sn ) (S m Sn m=n ) ============================ n = n apply (refl_equal n). tactic reflexivity. @tmiya : Coq , 63
  • 64. 6.3. = = (2) plus Print plus. tactic simpl. Coq < Theorem plus_0_l : forall n, 0 + n = n. plus_0_l < intro n. n : nat ============================ 0 + n = n plus_0_l < simpl. n : nat ============================ n = n plus_0_l < reflexivity. Proof completed. @tmiya : Coq , 64
  • 65. 6.4. (1) ∀n : nat, n + 0 = n simpl. ============================ n + 0 = n plus_0_r < simpl. ============================ n + 0 = n plus n m n n 1. n = 0 n+0=n 2. n = n n+0=n n=Sn n+0=n @tmiya : Coq , 65
  • 66. 6.4. (2) n induction n as [|n’]. induction n. tactic Coq nat_ind (P ) Coq < Check nat_ind. nat_ind : forall P : nat -> Prop, P 0 -> (forall n : nat, P n -> P (S n)) -> forall n : nat, P n nat_ind nat O : nat S : nat -> nat Inductive bool bool_ind bool_ind : forall P : bool -> Prop, P true -> P false -> forall b : bool, P b @tmiya : Coq , 66
  • 67. 6.4. (3) induction n as [|n’]. n 0 S n’ reflexivity. OK (simpl. ) Coq < Theorem plus_0_r : forall n:nat, n + 0 = n. plus_0_r < induction n as [|n’]. 2 subgoals ============================ 0 + 0 = 0 subgoal 2 is: S n’ + 0 = S n’ plus_0_r < reflexivity. 1 subgoal n’ : nat IHn’ : n’ + 0 = n’ ============================ S n’ + 0 = S n’ @tmiya : Coq , 67
  • 68. 6.4. (4) n = S n’ n = n’ IHn’ S n’ + 0 = S n’ simpl. plus S (n’ + 0)= S n’ IHn’ n’ + 0 n’ rewrite IHn’. rewrite ============================ S n’ + 0 = S n’ plus_0_r < simpl. IHn’ : n’ + 0 = n’ ============================ S (n’ + 0) = S n’ plus_0_r < rewrite IHn’. IHn’ : n’ + 0 = n’ ============================ S n’ = S n’ @tmiya : Coq , 68
  • 69. 6.4. :m + n = n + m SearchAbout Coq < SearchAbout plus. plus_n_O: forall n : nat, n = n + 0 plus_O_n: forall n : nat, 0 + n = n plus_n_Sm: forall n m : nat, S (n + m) = n + S m plus_Sn_m: forall n m : nat, S n + m = S (n + m) mult_n_Sm: forall n m : nat, n * m + n = n * S m rewrite ( rewrite <- plus_n_Sm n’ m. rewrite H. H rewrite <- H. ) Theorem plus_comm : forall m n:nat, m + n = n + m. @tmiya : Coq , 69
  • 70. 6.4. (5) nat list A Theorem length_app : forall (A:Type)(l1 l2:list A), length (l1 ++ l2) = length l1 + length l2. list cons induction l1 as [|a l1’]. ( induction l1.) induction ( l2) intro 1. intros A l1 l2. induction l1 as [|a l1’]. 2. intros A l1. induction l1 as [|a l1’]. intro l2. IHl1’ (Coqtop Undo. ) @tmiya : Coq , 70
  • 71. 6.4. : (1) List append reverse Require Import List. Fixpoint append{A:Type}(l1 l2:list A):= match l1 with | nil => l2 | a::l1’ => a::(append l1’ l2) end. Fixpoint reverse{A:Type}(l:list A):= match l with | nil => nil | a::l’ => append (reverse l’) (a::nil) end. Theorem reverse_reverse : forall (A:Type)(l:list A), reverse (reverse l) = l. @tmiya : Coq , 71
  • 72. 6.4. : (2) reverse_reverse Lemma append_nil : forall (A:Type)(l:list A), append l nil = l. Lemma append_assoc : forall (A:Type)(l1 l2 l3:list A), append (append l1 l2) l3 = append l1 (append l2 l3). Lemma reverse_append : forall (A:Type)(l1 l2:list A), reverse (append l1 l2) = append (reverse l2) (reverse l1). @tmiya : Coq , 72
  • 73. 7. (1) Coq nat minus(n m:nat) n≤m 0 n−m+m =n ( ) sub Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1. H n≤m n≤m 2. x = m−n x +n = m ( ) @tmiya : Coq , 73
  • 74. 7. (2) Coq nat Arith Require Import Arith. (* Arith *) Definition sub(m n:nat)(H:le n m) : {x:nat|x+n=m}. 1 subgoal m : nat n : nat H : n <= m ============================ {x : nat | x + n = m} m, n intro generalize dependent sub < generalize dependent m. sub < generalize dependent n. ============================ forall n m : nat, n <= m -> {x : nat | x + n = m} @tmiya : Coq , 74
  • 75. 7. (3) eapply, erewrite apply, rewrite Qed. Defined. induction n as [|n’]. (* n=0 *) intros m H. exists m. eapply plus_0_r. (* n=S n’ *) induction m as [|m’]; intro H. (* m=0 *) assert(H’: ~(S n’ <= 0)). eapply le_Sn_0. elim H’. assumption. (* m=S m’ *) assert(H’: n’ <= m’). eapply le_S_n. assumption. assert(IH: {x:nat|x+n’=m’}). eapply IHn’. assumption. destruct IH as [x IH]. exists x. erewrite <- plus_n_Sm. rewrite IH. reflexivity. Defined. @tmiya : Coq , 75
  • 76. 7. (4) sub Print sub. sub OCaml minus Coq < Extraction sub. (** val sub : nat -> nat -> nat **) let rec sub m = function | O -> m | S n0 -> (match m with | O -> assert false (* absurd case *) | S n1 -> let iH = sub n1 n0 in Obj.magic iH) OCaml H @tmiya : Coq , 76
  • 77. 7. (5) H Theorem le_2_5 : le 2 5. Proof. repeat eapply le_n_S. repeat constructor. Qed. Eval compute in (sub 5 2 le_2_5). (* *) Eval compute in (proj1_sig (sub 5 2 le_2_5)). (* = 3:nat *) {x|x+n=m} x proj1_sig @tmiya : Coq , 77
  • 78. 7. minus sub minus Definition sub’(m n:nat)(H:le n m) : {x:nat|x+n=m}. Proof. (* minus *) Defined. Coq 1. minus minus 2. minus sub’ 3. refine tactic (refine ) 4. sub @tmiya : Coq , 78
  • 79. 8. Coq tactic (auto, ring, omega ) (Arith, List, String ) Haskell, OCaml (inversion, refine ) tactic Module @tmiya : Coq , 79
  • 80. 8. Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions, Yves Berrot and Pierre Casteran (Springer-Verlag) : Coq Certified Programming with Dependent Types, Adam Chlipala (http://adam.chlipala.net/cpdt/) : Coq 2010 III (http://www.math.nagoya-u.ac.jp/~garrigue/lecture/ 2010_AW/index.html) : Garrigue PDF Coq in a Hurry, Yves Bertot (http://cel.archives-ouvertes.fr/docs/00/47/ 58/07/PDF/coq-hurry.pdf) : 2nd Asian-Pacific Summer School on Formal Methods (http://formes.asia/cms/coqschool/2010) : @tmiya : Coq , 80
  • 81. 8. Coq ProofCafe Coq CPDT Coq IT Coq Ruby, Clojure, Scala, Javascript Coq Coq http://coq.g.hatena.ne.jp/keyword/ProofCafe @tmiya : Coq , 81
  • 82. 8. Formal Methods Forum Coq ( ) ( ) Google group Coq 2010 Certified Programming with Dependent Types Coq Google group (http://groups.google.co.jp/group/fm-forum) Coq @tmiya : Coq , 82