diff options
Diffstat (limited to 'doc')
46 files changed, 23826 insertions, 0 deletions
diff --git a/doc/.cvsignore b/doc/.cvsignore new file mode 100644 index 000000000..261566e34 --- /dev/null +++ b/doc/.cvsignore @@ -0,0 +1,26 @@ +*.blg +*.ind +*.ilg +*.v.tex +*.pdf +euclid.ml +heapsort.ml +avl.ml +*.bbl +www +coq-docs-html +Reference-Manual.atoc +Reference-Manual.tacidx Reference-Manual.tacind Reference-Manual.comind +Reference-Manual.comidx Reference-Manual.errind Reference-Manual.erridx +Reference-Manual.sh +Anomalies.dvi.gz Anomalies.ps.gz Changes.dvi.gz Changes.ps.gz Library.dvi.gz Library.ps.gz Reference-Manual-addendum.ps.gz Reference-Manual-all.dvi.gz Reference-Manual-all.ps.gz Reference-Manual-base.ps.gz Tutorial.dvi.gz Tutorial.ps.gz +Reference-Manual-base.dvi.gz +Reference-Manual-addendum.dvi.gz +Tutorial.pdf.gz +Reference-Manual.pdf.gz +Library.pdf.gz +Changes.pdf.gz +auto +all-ps-docs.tar +doc-html.tar.gz +all-ps-docs.tar.gz diff --git a/doc/AddRefMan-pre.tex b/doc/AddRefMan-pre.tex new file mode 100644 index 000000000..2f0b52834 --- /dev/null +++ b/doc/AddRefMan-pre.tex @@ -0,0 +1,46 @@ +\addtocontents{sh}{BEGINADDENDUM=\thepage} +\coverpage{Addenddum to the Reference Manual}{\ } +\addcontentsline{toc}{part}{Additionnal documentation} +\setheaders{Presentation of the Addendum} +\section*{Presentation of the Addendum} + +Here you will find several pieces of additional documentation for the +\Coq\ Reference Manual. Each of this chapters is concentrated on a +particular topic, that should interest only a fraction of the \Coq\ +users : that's the reason why they are apart from the Reference +Manual. + +\begin{description} + +\item[Cases] This chapter details the use of generalized pattern-matching. + It is contributed by Cristina Cornes. + +\item[Coercion] This chapter details the use of the coercion mechanism. + It is contributed by Amokrane Saïbi. + +\item[Extraction] This chapter explains how to extract in practice ML + files from $\FW$ terms. + +\item[Natural] This chapter is due to Yann Coscoy. It is the user + manual of the tools he wrote for printing proofs in natural + language. At this time, French and English languages are supported. + +\item[Omega] \texttt{Omega}, written by Pierre Crégut, solves a whole + class of arithmetic problems. + +\item[Program] The \texttt{Program} technology intends to inverse the + extraction mechanism. It allows the developments of certified + programs in \Coq. This chapter is due to Catherine Parent. + +\item[Ring] \texttt{Ring} is a tactic to do AC rewriting. This + chapter explains how to use it and how it works. + +\end{description} + +\atableofcontents + + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/Anomalies.tex b/doc/Anomalies.tex new file mode 100755 index 000000000..8e23fa602 --- /dev/null +++ b/doc/Anomalies.tex @@ -0,0 +1,34 @@ +\documentclass[11pt]{article} + +\input{./title} + +\title{Known bugs of {\sf Coq} V6.2} +\author{\ } +\begin{document} +\maketitle + +\begin{itemize} + +\item {\tt Program} may fail to build pattern in {\tt Cases} +expressions. Instead an old style {\tt Case} expression without +patterns is generated. + +\item The option {\tt Set Printing Synth} sometimes fails to decide if +a elimination predicates is synthetisable. If a term printed without +the elimination predicate is not correctly re-interpreted by Coq, then +turn off the {\tt Printing Synth} mode. + +\item {\tt Unfold} and {\tt Pattern} may incorrectly number the +occurrences of constants or subterms when {\tt Cases} expression are involved. + +\item \texttt{Transparent} and \texttt{Opaque} are not synchronous + with the \texttt{Reset} mecanism. If a constant was transparent at + point \texttt{A}, if you set it opaque and do \texttt{Reset A}, it + is still opaque and that may cause problems if you try to replay + tactic scripts between \texttt{A} and the current point. + +\end{itemize} + +\end{document} + +% $Id$ diff --git a/doc/Cases.tex b/doc/Cases.tex new file mode 100644 index 000000000..559c9e15b --- /dev/null +++ b/doc/Cases.tex @@ -0,0 +1,610 @@ +\achapter{ML-style pattern-matching}\defaultheaders +\aauthor{Cristina Cornes} + +\label{Mult-Cases-full} +\ttindex{Cases} +\index{ML-like patterns} + +This section describes the full form of pattern-matching in {\Coq} terms. + +The current implementation contains two strategies, one for compiling +non-dependent case and another one for dependent case. + +\asection{Patterns}\label{implementation} +The full syntax of {\tt Cases} is presented in figure \ref{cases-grammar}. +Identifiers in patterns are either constructor names or variables. Any +identifier that is not the constructor of an inductive or coinductive +type is considered to be a variable. A variable name cannot occur more +than once in a given pattern. + +If a pattern has the form $(c~\vec{x})$ where $c$ is a constructor +symbol and $\vec{x}$ is a linear vector of variables, it is called +{\em simple}: it is the kind of pattern recognized by the basic +version of {\tt Cases}. If a pattern is +not simple we call it {\em nested}. + +A variable pattern matches any value, and the identifier is bound to +that value. The pattern ``\texttt{\_}'' (called ``don't care'' or +``wildcard'' symbol) also matches any value, but does not binds anything. It +may occur an arbitrary number of times in a pattern. Alias patterns +written \texttt{(}{\sl pattern} \texttt{as} {\sl identifier}\texttt{)} are +also accepted. This pattern matches the same values as {\sl pattern} +does and {\sl identifier} is bound to the matched value. A list of +patterns is also considered as a pattern and is called {\em multiple +pattern}. + +Note also the annotation is mandatory when the sequence of equation is +empty. + +\begin{figure}[t] +\fbox{\parbox{\linewidth}{ +\begin{tabular}{rcl} +{\nestedpattern} & := & {\ident} \\ + & $|$ & \_ \\ + & $|$ & \texttt{(} {\ident} \nelist{\nestedpattern}{} \texttt{)} \\ + & $|$ & \texttt{(} {\nestedpattern} \texttt{as} {\ident} \texttt{)} \\ + & $|$ & \texttt{(} {\nestedpattern} \texttt{,} {\nestedpattern} \texttt{)} \\ + & $|$ & \texttt{(} {\nestedpattern} \texttt{)} \\ + &&\\ + +{\multpattern} & := & \nelist{nested\_pattern}{} \\ + && \\ + +{\exteqn} & := & {\multpattern} \texttt{=>} {\term} \\ + && \\ + +{\term} & := & + \zeroone{\annotation} \texttt{Cases} \nelist{\term}{} \texttt{of} + \sequence{\exteqn}{$|$} \texttt{end} \\ +\end{tabular} +}} +\caption{Extended Cases syntax} +\label{cases-grammar} +\end{figure} + +Since extended {\tt Cases} expressions are compiled into the primitive +ones, the expressiveness of the theory remains the same. Once the +stage of parsing has finished only simple patterns remain. An easy way +to see the result of the expansion is by printing the term with +\texttt{Print} if the term is a constant, or using the command +\texttt{Check}. + +The extended \texttt{Cases} still accepts an optional {\em elimination +predicate} enclosed between brackets \texttt{<>}. Given a pattern +matching expression, if all the right hand sides of \texttt{=>} ({\em +rhs} in short) have the same type, then this term can be sometimes +synthesized, and so we can omit the \texttt{<>}. Otherwise we have +toprovide the predicate between \texttt{<>} as for the basic +\texttt{Cases}. + +Let us illustrate through examples the different aspects of extended +pattern matching. Consider for example the function that computes the +maximum of two natural numbers. We can write it in primitive syntax +by: + +\begin{coq_example} +Fixpoint max [n,m:nat] : nat := + Cases n of + O => m + | (S n') => Cases m of + O => (S n') + | (S m') => (S (max n' m')) + end + end. +\end{coq_example} + +Using multiple patterns in the definition allows to write: + +\begin{coq_example} +Reset max. +Fixpoint max [n,m:nat] : nat := + Cases n m of + O _ => m + | (S n') O => (S n') + | (S n') (S m') => (S (max n' m')) + end. +\end{coq_example} + +which will be compiled into the previous form. + +The strategy examines patterns from left to right. A \texttt{Cases} expression +is generated {\bf only} when there is at least one constructor in the +column of patterns. For example: + +\begin{coq_example} +Check [x:nat]<nat>Cases x of y => y end. +\end{coq_example} + +We can also use ``\texttt{as} patterns'' to associate a name to a +sub-pattern: + +\begin{coq_example} +Reset max. +Fixpoint max [n:nat] : nat -> nat := + [m:nat] Cases n m of + O _ => m + | ((S n') as N) O => N + | (S n') (S m') => (S (max n' m')) + end. +\end{coq_example} + +Here is now an example of nested patterns: + +\begin{coq_example} +Fixpoint even [n:nat] : bool := + Cases n of + O => true + | (S O) => false + | (S (S n')) => (even n') + end. +\end{coq_example} + +This is compiled into: + +\begin{coq_example} +Print even. +\end{coq_example} + +In the previous examples patterns do not conflict with, but +sometimes it is comfortable to write patterns that admits a non +trivial superposition. Consider +the boolean function \texttt{lef} that given two natural numbers +yields \texttt{true} if the first one is less or equal than the second +one and \texttt{false} otherwise. We can write it as follows: + +\begin{coq_example} +Fixpoint lef [n,m:nat] : bool := + Cases n m of + O x => true + | x O => false + | (S n) (S m) => (lef n m) + end. +\end{coq_example} + +Note that the first and the second multiple pattern superpose because +the couple of values \texttt{O O} matches both. Thus, what is the result +of the function on those values? To eliminate ambiguity we use the +{\em textual priority rule}: we consider patterns ordered from top to +bottom, then a value is matched by the pattern at the $ith$ row if and +only if is not matched by some pattern of a previous row. Thus in the +example, +\texttt{O O} is matched by the first pattern, and so \texttt{(lef O O)} +yields \texttt{true}. + +Another way to write this function is: + +\begin{coq_example} +Reset lef. +Fixpoint lef [n,m:nat] : bool := + Cases n m of + O x => true + | (S n) (S m) => (lef n m) + | _ _ => false + end. +\end{coq_example} + + +Here the last pattern superposes with the first two. Because +of the priority rule, the last pattern +will be used only for values that do not match neither the first nor +the second one. + +Terms with useless patterns are accepted by the +system. For example, +\begin{coq_example} +Check [x:nat]Cases x of O => true | (S _) => false | x => true end. +\end{coq_example} + +is accepted even though the last pattern is never used. +Beware, the +current implementation rises no warning message when there are unused +patterns in a term. + + + +\asection{About patterns of parametric types} +When matching objects of a parametric type, constructors in patterns +{\em do not expect} the parameter arguments. Their value is deduced +during expansion. + +Consider for example the polymorphic lists: + +\begin{coq_example} +Inductive List [A:Set] :Set := + nil:(List A) +| cons:A->(List A)->(List A). +\end{coq_example} + +We can check the function {\em tail}: + +\begin{coq_example} +Check [l:(List nat)]Cases l of + nil => (nil nat) + | (cons _ l') => l' + end. +\end{coq_example} + + +When we use parameters in patterns there is an error message: +\begin{coq_example} +Check [l:(List nat)]Cases l of + (nil nat) => (nil nat) + | (cons nat _ l') => l' + end. +\end{coq_example} + + + +\asection{Matching objects of dependent types} +The previous examples illustrate pattern matching on objects of +non-dependent types, but we can also +use the expansion strategy to destructure objects of dependent type. +Consider the type \texttt{listn} of lists of a certain length: + +\begin{coq_example} +Inductive listn : nat-> Set := + niln : (listn O) +| consn : (n:nat)nat->(listn n) -> (listn (S n)). +\end{coq_example} + +\asubsection{Understanding dependencies in patterns} +We can define the function \texttt{length} over \texttt{listn} by: + +\begin{coq_example} +Definition length := [n:nat][l:(listn n)] n. +\end{coq_example} + +Just for illustrating pattern matching, +we can define it by case analysis: +\begin{coq_example} +Reset length. +Definition length := [n:nat][l:(listn n)] + Cases l of + niln => O + | (consn n _ _) => (S n) + end. +\end{coq_example} + +We can understand the meaning of this definition using the +same notions of usual pattern matching. + +Now suppose we split the second pattern of \texttt{length} into two +cases so to give an +alternative definition using nested patterns: +\begin{coq_example} +Definition length1:= [n:nat] [l:(listn n)] + Cases l of + niln => O + | (consn n _ niln) => (S n) + | (consn n _ (consn _ _ _)) => (S n) + end. +\end{coq_example} + +It is obvious that \texttt{length1} is another version of +\texttt{length}. We can also give the following definition: +\begin{coq_example} +Definition length2:= [n:nat] [l:(listn n)] + Cases l of + niln => O + | (consn n _ niln) => (S O) + | (consn n _ (consn m _ _)) => (S (S m)) + end. +\end{coq_example} + +If we forget that \texttt{listn} is a dependent type and we read these +definitions using the usual semantics of pattern matching, we can conclude +that \texttt{length1} +and \texttt{length2} are different functions. +In fact, they are equivalent +because the pattern \texttt{niln} implies that \texttt{n} can only match +the value $0$ and analogously the pattern \texttt{consn} determines that \texttt{n} can +only match values of the form $(S~v)$ where $v$ is the value matched by +\texttt{m}. + +The converse is also true. If +we destructure the length value with the pattern \texttt{O} then the list +value should be $niln$. +Thus, the following term \texttt{length3} corresponds to the function +\texttt{length} but this time defined by case analysis on the dependencies instead of on the list: + +\begin{coq_example} +Definition length3 := [n:nat] [l: (listn n)] + Cases l of + niln => O + | (consn O _ _) => (S O) + | (consn (S n) _ _) => (S (S n)) + end. +\end{coq_example} + +When we have nested patterns of dependent types, the semantics of +pattern matching becomes a little more difficult because +the set of values that are matched by a sub-pattern may be conditioned by the +values matched by another sub-pattern. Dependent nested patterns are +somehow constrained patterns. +In the examples, the expansion of +\texttt{length1} and \texttt{length2} yields exactly the same term + but the +expansion of \texttt{length3} is completely different. \texttt{length1} and +\texttt{length2} are expanded into two nested case analysis on +\texttt{listn} while \texttt{length3} is expanded into a case analysis on +\texttt{listn} containing a case analysis on natural numbers inside. + + +In practice the user can think about the patterns as independent and +it is the expansion algorithm that cares to relate them. \\ + + +\asubsection{When the elimination predicate must be provided} +The examples given so far do not need an explicit elimination predicate +between \texttt{<>} because all the rhs have the same type and the +strategy succeeds to synthesize it. +Unfortunately when dealing with dependent patterns it often happens +that we need to write cases where the type of the rhs are +different instances of the elimination predicate. +The function \texttt{concat} for \texttt{listn} +is an example where the branches have different type +and we need to provide the elimination predicate: + +\begin{coq_example} +Fixpoint concat [n:nat; l:(listn n)] + : (m:nat) (listn m) -> (listn (plus n m)) + := [m:nat][l':(listn m)] + <[n:nat](listn (plus n m))>Cases l of + niln => l' + | (consn n' a y) => (consn (plus n' m) a (concat n' y m l')) + end. +\end{coq_example} + +Recall that a list of patterns is also a pattern. So, when +we destructure several terms at the same time and the branches have +different type we need to provide +the elimination predicate for this multiple pattern. + +For example, an equivalent definition for \texttt{concat} (even though with a useless extra pattern) would have +been: + +\begin{coq_example} +Reset concat. +Fixpoint concat [n:nat; l:(listn n)] : (m:nat) (listn m) -> (listn (plus n m)) +:= [m:nat][l':(listn m)] + <[n,_:nat](listn (plus n m))>Cases l l' of + niln x => x + | (consn n' a y) x => (consn (plus n' m) a (concat n' y m x)) + end. +\end{coq_example} + +Note that this time, the predicate \texttt{[n,\_:nat](listn (plus n + m))} is binary because we +destructure both \texttt{l} and \texttt{l'} whose types have arity one. +In general, if we destructure the terms $e_1\ldots e_n$ +the predicate will be of arity $m$ where $m$ is the sum of the +number of dependencies of the type of $e_1, e_2,\ldots e_n$ +(the $\lambda$-abstractions +should correspond from left to right to each dependent argument of the +type of $e_1\ldots e_n$). +When the arity of the predicate (i.e. number of abstractions) is not +correct Coq rises an error message. For example: + +\begin{coq_example} +Fixpoint concat [n:nat; l:(listn n)] + : (m:nat) (listn m) -> (listn (plus n m)) := + [m:nat][l':(listn m)] + <[n:nat](listn (plus n m))>Cases l l' of + | niln x => x + | (consn n' a y) x => (consn (plus n' m) a (concat n' y m x)) + end. +\end{coq_example} + +\asection{Using pattern matching to write proofs} +In all the previous examples the elimination predicate does not depend +on the object(s) matched. The typical case where this is not possible +is when we write a proof by induction or a function that yields an +object of dependent type. An example of proof using \texttt{Cases} in +given in section \ref{Refine-example} + +For example, we can write +the function \texttt{buildlist} that given a natural number +$n$ builds a list length $n$ containing zeros as follows: + +\begin{coq_example} +Fixpoint buildlist [n:nat] : (listn n) := + <[n:nat](listn n)>Cases n of + O => niln + | (S n) => (consn n O (buildlist n)) + end. +\end{coq_example} + +We can also use multiple patterns whenever the elimination predicate has +the correct arity. + +Consider the following definition of the predicate less-equal +\texttt{Le}: + +\begin{coq_example} +Inductive LE : nat->nat->Prop := + LEO: (n:nat)(LE O n) +| LES: (n,m:nat)(LE n m) -> (LE (S n) (S m)). +\end{coq_example} + +We can use multiple patterns to write the proof of the lemma + \texttt{(n,m:nat) (LE n m)\/(LE m n)}: + +\begin{coq_example} +Fixpoint dec [n:nat] : (m:nat)(LE n m) \/ (LE m n) := + [m:nat] <[n,m:nat](LE n m) \/ (LE m n)>Cases n m of + O x => (or_introl ? (LE x O) (LEO x)) + | x O => (or_intror (LE x O) ? (LEO x)) + | ((S n) as N) ((S m) as M) => + Cases (dec n m) of + (or_introl h) => (or_introl ? (LE M N) (LES n m h)) + | (or_intror h) => (or_intror (LE N M) ? (LES m n h)) + end + end. +\end{coq_example} +In the example of \texttt{dec} the elimination predicate is binary +because we destructure two arguments of \texttt{nat} that is a +non-dependent type. Note the first \texttt{Cases} is dependent while the +second is not. + +In general, consider the terms $e_1\ldots e_n$, +where the type of $e_i$ is an instance of a family type +$[\vec{d_i}:\vec{D_i}]T_i$ ($1\leq i +\leq n$). Then to write \texttt{<}${\cal P}$\texttt{>Cases} $e_1\ldots +e_n$ \texttt{of} \ldots \texttt{end}, the +elimination predicate ${\cal P}$ should be of the form: +$[\vec{d_1}:\vec{D_1}][x_1:T_1]\ldots [\vec{d_n}:\vec{D_n}][x_n:T_n]Q.$ + +The user can also use \texttt{Cases} in combination with the tactic +\texttt{Refine} (see section \ref{Refine}) to build incomplete proofs +beginning with a \texttt{Cases} construction. + +\asection{When does the expansion strategy fail ?}\label{limitations} +The strategy works very like in ML languages when treating +patterns of non-dependent type. +But there are new cases of failure that are due to the presence of +dependencies. + +The error messages of the current implementation may be sometimes +confusing. When the tactic fails because patterns are somehow +incorrect then error messages refer to the initial expression. But the +strategy may succeed to build an expression whose sub-expressions are +well typed when the whole expression is not. In this situation the +message makes reference to the expanded expression. We encourage +users, when they have patterns with the same outer constructor in +different equations, to name the variable patterns in the same +positions with the same name. +E.g. to write {\small\texttt{(cons n O x) => e1}} +and {\small\texttt{(cons n \_ x) => e2}} instead of +{\small\texttt{(cons n O x) => e1}} and +{\small\texttt{(cons n' \_ x') => e2}}. +This helps to maintain certain name correspondence between the +generated expression and the original. + +Here is a summary of the error messages corresponding to each situation: + +\begin{itemize} +\item patterns are incorrect (because constructors are not applied to + the correct number of the arguments, because they are not linear or + they are wrongly typed) +\begin{itemize} +\item \sverb{In pattern } {\sl term} \sverb{the constructor } {\sl + ident} \sverb{expects } {\sl num} \sverb{arguments} + +\item \sverb{The variable } {\sl ident} \sverb{is bound several times + in pattern } {\sl term} + +\item \sverb{Constructor pattern: } {\sl term} \sverb{cannot match + values of type } {\sl term} +\end{itemize} + +\item the pattern matching is not exhaustive +\begin{itemize} +\item \sverb{This pattern-matching is not exhaustive} +\end{itemize} +\item the elimination predicate provided to \texttt{Cases} has not the + expected arity + +\begin{itemize} +\item \sverb{The elimination predicate } {\sl term} \sverb{should be + of arity } {\sl num} \sverb{(for non dependent case) or } {\sl + num} \sverb{(for dependent case)} +\end{itemize} + +\item the whole expression is wrongly typed, or the synthesis of + implicit arguments fails (for example to find the elimination + predicate or to resolve implicit arguments in the rhs). + + + There are {\em nested patterns of dependent type}, the elimination + predicate corresponds to non-dependent case and has the form + $[x_1:T_1]...[x_n:T_n]T$ and {\bf some} $x_i$ occurs {\bf free} in + $T$. Then, the strategy may fail to find out a correct elimination + predicate during some step of compilation. In this situation we + recommend the user to rewrite the nested dependent patterns into + several \texttt{Cases} with {\em simple patterns}. + + In all these cases we have the following error message: + + \begin{itemize} + \item {\tt Expansion strategy failed to build a well typed case + expression. There is a branch that mismatches the expected + type. The risen \\ type error on the result of expansion was:} + \end{itemize} + +\item because of nested patterns, it may happen that even though all + the rhs have the same type, the strategy needs dependent elimination + and so an elimination predicate must be provided. The system warns + about this situation, trying to compile anyway with the + non-dependent strategy. The risen message is: +\begin{itemize} +\item {\tt Warning: This pattern matching may need dependent + elimination to be compiled. I will try, but if fails try again + giving dependent elimination predicate.} +\end{itemize} + +\item there are {\em nested patterns of dependent type} and the + strategy builds a term that is well typed but recursive calls in fix + point are reported as illegal: +\begin{itemize} +\item {\tt Error: Recursive call applied to an illegal term ...} +\end{itemize} + +This is because the strategy generates a term that is correct w.r.t. +to the initial term but which does not pass the guard condition. In +this situation we recommend the user to transform the nested dependent +patterns into {\em several \texttt{Cases} of simple patterns}. Let us +explain this with an example. Consider the following definition of a +function that yields the last element of a list and \texttt{O} if it is +empty: + +\begin{coq_example} + Fixpoint last [n:nat; l:(listn n)] : nat := + Cases l of + (consn _ a niln) => a + | (consn m _ x) => (last m x) | niln => O + end. +\end{coq_example} + +It fails because of the priority between patterns, we know that this +definition is equivalent to the following more explicit one (which +fails too): + +\begin{coq_example*} + Fixpoint last [n:nat; l:(listn n)] : nat := + Cases l of + (consn _ a niln) => a + | (consn n _ (consn m b x)) => (last n (consn m b x)) + | niln => O + end. +\end{coq_example*} + +Note that the recursive call {\tt (last n (consn m b x))} is not +guarded. When treating with patterns of dependent types the strategy +interprets the first definition of \texttt{last} as the second +one\footnote{In languages of the ML family the first definition would + be translated into a term where the variable \texttt{x} is shared in + the expression. When patterns are of non-dependent types, Coq + compiles as in ML languages using sharing. When patterns are of + dependent types the compilation reconstructs the term as in the + second definition of \texttt{last} so to ensure the result of + expansion is well typed.}. Thus it generates a term where the +recursive call is rejected by the guard condition. + +You can get rid of this problem by writing the definition with +\emph{simple patterns}: + +\begin{coq_example} + Fixpoint last [n:nat; l:(listn n)] : nat := + <[_:nat]nat>Cases l of + (consn m a x) => Cases x of niln => a | _ => (last m x) end + | niln => O + end. +\end{coq_example} + +\end{itemize} + + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/Changes.tex b/doc/Changes.tex new file mode 100755 index 000000000..4eac45633 --- /dev/null +++ b/doc/Changes.tex @@ -0,0 +1,160 @@ +\documentclass[11pt]{article} +\usepackage[latin1]{inputenc} +\usepackage[T1]{fontenc} + +\input{./title} +\input{./macros} + +\begin{document} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% Changes 6.3 ===> 6.3.1 +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\shorttitle{Changes from {\Coq} V6.3 to {\Coq} V6.3.1} + +This document describes the main differences between Coq V6.3 and +V6.3.1. This new version of Coq is characterized by fixed bugs, and +improvement of implicit arguments synthesis and speed in tactic +applications. + +\section{Changes overview} + +\subsection{Tactics} + + \begin{itemize} + + \item \texttt {Tauto} has been unable for a time to deal with +hypotheses with 2 imbricated implications. Now it should work. +\texttt {Intuition} now removes true, and therefore useless, +hypotheses.\\ + + \item Several bugs of the {\texttt Program} are fixed (but some + automatically generated names have changed and may lead to + incompatibilities). + + \item Bug with negative index in bindings fixed. + + \item Speed improvement: redondant checks when applying a tactic + have been turned off. For some tactics that don't make themselves + the expected verifications, it may result in incorrect proofs + detected only at Qed/Save time. In this last case, you can turn on + the -tac-debug flag to coqtop. + + \item The ``?'' in goals are now instantiated as soon as an instance + is known for them. + + \end{itemize} + +\subsection{Toplevel commands} + +\begin{description} + +\item Bug in \texttt{Time} fixed. + +\end{description} + +\subsection{Language} + + \begin{description} \item[Type reconstruction] The algorithm to + solve incomplete information in terms has been improved + furthermore. In particular question marks can be put in in place of + the type of abstracted variables and in Cases expressions. + + \item[Guarded cofixpoints] A weakness in the guardness condition + when a cofixpoint refers to another one has been corrected. + WARNING: the new criterion may refuse some olderly accepted + Cofixpoint definitions which actually are valid but for a reason + difficult to detect automatically. + + \item[Extraction] A bug was limiting the number of propositional + singleton inductive types (such has ``eq'') for which elimination + towards Set is valid. + + \end{description} + +\subsection{Incompatibilities} + + You could have to modify your vernacular source for the following + reasons: + + \begin{itemize} + + \item Some names of variables generated by the \texttt{Program} have + changed. + + \item {\texttt Intuition} now remove trye hypotheses. + + \item In all cases, the ``.vo'' files are not compatible and should + be recompiled. + + \end{itemize} + +\section{New users contributions} + + \begin{description} + + \item[Binary Decision Diagrams] provided by Kumar Verma (Dyade) + + \item[A distributed reference counter] (part of a + garbage collector) provided by Jean Duprat (ENS-Lyon) + +\end{description} + +\section{Installation procedure} + +\subsection{Uninstalling Coq} + +\paragraph{Warning} +It is strongly recommended to clean-up the V6.3 Coq library directory +before you install the new version. +Use the option to coqtop \texttt{-uninstall} that will remove +the binaries and the library files of Coq V6.3 on a Unix system. + +\subsection{OS Issues -- Requirements} + +\subsubsection{Unix users} +You need Objective Caml version 2.01 or later, and the corresponding +Camlp4 version to compile the system. Both are available by anonymous ftp +at: \\ +\verb|ftp://ftp.inria.fr/Projects/Cristal|. +\bigskip + +\noindent +Binary distributions are available for the following architectures: + +\bigskip +\begin{tabular}{l|c|r} +{\bf OS } & {\bf Processor} & {name of the package}\\ +\hline +Linux & 80386 and higher & coq-6.3.1-Linux-i386.tar.gz \\ +Solaris & Sparc & coq-6.3.1-solaris-sparc.tar.gz\\ +Digital & Alpha & coq-6.3.1-OSF1-alpha.tar.gz\\ +\end{tabular} +\bigskip + +There is also rpm packages for Linux. + +\bigskip + +If your configuration is in the above list, you don't need to install +Caml and Camlp4 and to compile the system: +just download the package and install the binaries in the right place. + +\subsubsection{MS Windows users} + +A binary distribution is available for PC under MS Windows 95/98/NT. +The package is named coq-6.3.1-win.zip. + +For installation information see the +files INSTALL.win and README.win. + +\end{document} + +% Local Variables: +% mode: LaTeX +% TeX-master: t +% End: + + +% $Id$ + diff --git a/doc/ChangesV6-2.tex b/doc/ChangesV6-2.tex new file mode 100755 index 000000000..1485f4914 --- /dev/null +++ b/doc/ChangesV6-2.tex @@ -0,0 +1,921 @@ +\documentclass[11pt]{article} +\usepackage[latin1]{inputenc} +\usepackage[T1]{fontenc} + +\input{./title} +\input{./macros} + +\begin{document} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% Changes 6.1 ===> 6.2 +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\coverpage{Changes from {\Coq} V6.1 to {\Coq} V6.2}{\ } + +This document describes the main differences between Coq V6.1 and +V6.2. This new version of Coq is characterized by an acceleration of +parsing, loading and reduction, by a more user-friendly syntax, and by +new tactics and management tools. +We refer to the reference manual +for a more precise description of the new features. + +See the ASCII file \texttt{CHANGES} available by FTP with \Coq\ for +the minor changes of the bug-fix releases 6.2.1 and 6.2.2. + + +\section{Changes overview} + +\begin{itemize} + +\item \textbf{Syntax} + +\begin{description} + + \item[New syntax for defining parsing and pretty-printing rules.]{\ + + The \texttt{Grammar} and + \texttt{Syntax} declarations are more readable and more symmetric.} + + \item[\texttt{Cases} vs \texttt{Case}]{\ + + The constructions defined by cases are + now printed with the ML-style \texttt{Cases} syntax. The + \texttt{Case} syntax should no longer be used.} + + \item[New syntax for the existential and universal quantifiers.]{\ + + \texttt{(EX x:A | P)}, \texttt{(EX x| P)}, \texttt{(EX x:A | P \& + Q)}, \texttt{(EX x | P \& Q)}, + \texttt{(ALL x:A | P)} and + \texttt{(ALL x | P)} are alternative + syntax for \texttt{(Ex [x:A]P)}, \texttt{(Ex2 [x:A]P [x:A]Q)} + and \texttt{(All [x:A]P)}, the syntax \texttt{<A>Ex(P), + <A>Ex(P,Q)} and \texttt{<A>All(P)} are no longer supported.} + + \item[Natural syntax for the ... naturals.]{\ + + With the {\tt Arith} theory, you can + now type \texttt{(3)} for \texttt{(S (S (S O)))}}. + + \item[Natural syntax for expressions of integer arithmetic.]{\ + + With the {\tt ZArith} theory, you can + type e.g. \texttt{`3 <= x - 4 < 7`}.} + +\end{description} + +\item \textbf{Tactics} + + \begin{itemize} + + \item New mechanism to define parameterized tactics (see + section~\ref{parameterised}). + + \item New tactic \texttt{Decompose} to decompose a + complex proposition in atomic ones (see + section~\ref{decompose}). + + \item New tactics \texttt{Decide Equality} and + \texttt{Compare} for deciding the equality of two + inductive objects. + + \item \texttt{Intros} has been extended such that it takes arguments + denoting patterns and accordingly to this patterns, performs decomposition of arguments ranging + over inductive definitions as well as introduction (see section~\ref{intros}). + + \item \texttt{Tauto} is extended to + work also on connectives defined by the user and on informative + types (see section~\ref{tauto}). + + \item The {\bf equality} tactics, especially \texttt{Rewrite}, + \texttt{Transitivity}, \texttt{Symmetry} and \texttt{Reflexivity}, + works now independently of the universe that the equality + inhabits (see section~\ref{equality}). + + \item New experimental tactic \texttt{Refine}: a kind of + \texttt{Exact} with typed holes that are transformed into + subgoals (see + section~\ref{refine}). + + \item The tactical \texttt{Abstract} allow to automatically + divide a big proof into smaller lemmas. It may improve the + efficiency of the \texttt{Save} procedure (see section~\ref{abstract}). + + \item The tactics \texttt{Rewrite} and \texttt{Rewrite in} now + accept bindings as tactics \texttt{Apply} and \texttt{Elim}. + + \item The tactic \texttt{Rewrite} now fails when no rewriting can be + done. So you must use \texttt{Try Rewrite} to get the old behavior. + + \end{itemize} + +\item \textbf{New toplevel commands.} + + \begin{description} + + \item[Precise location of errors.]{\ + + At toplevel, when possible, \Coq\ + underlines the portion of erroneous vernac source. When compiling, + it tells the line and characters where the error took place. The + output is compatible with the \texttt{next-error} mechanism of GNU + Emacs.} + + \item[New reduction functions.]{\ + A more precise control on what is reduced is now + possible in tactics. All toplevel reductions are performed through the + \texttt{Eval} command. The commands \texttt{Compute} and + \texttt{Simplify} do not exist any longer, they are replaced by + the commands \texttt{Eval Compute in} and \texttt{Eval Simpl in}. + In addition, + \texttt{Eval} now takes into consideration the hypotheses of the + current goal in order to type-check the term to be reduced + (see section~\ref{reductions}).} + + \end{description} + +\item \textbf{Libraries} + + \begin{description} + + \item[Arithmetic on Z.]{\ + + Pierre Cr\'egut's arithmetical library on integers (the set Z) is now + integrated to the standard library. + \texttt{ZArith} contains basic + definitions, theorems, and syntax rules that allow users of \texttt{ZArith} + to write formulas such as $3+(x*y) < z \le 3+(x*y+1)$ in the + natural way~(see section~\ref{zarith}). + } + + \item[\texttt{SearchIsos} : a tool to search through the standard library]{ + + The \texttt{SearchIsos} tool se\-arches terms by their + types and modulo type isomorphisms. There are two ways to use + \texttt{SearchIsos}: + + \begin{itemize} + \item Search a theorem in the current environment with the new + \texttt{SearchIsos} command in an interactive session + \item Search a theorem in the whole Library using the external tool + \texttt{coqtop -searchisos} + \end{itemize} } + + \item The \texttt{Locate} vernac command can now locate the + module in which a term is defined in a \texttt{coqtop} session. You can + also ask for the exact location of a file or a module that lies + somewhere in the load path. + +\end{description} + +\item \textbf{Extraction} + + \begin{description} + + \item Extraction to Haskell available + + \end{description} + +\item \textbf{Improved Coq efficiency} + + \begin{description} + + \item[Parsing] + + Thanks to a new grammar implementation based on Daniel de + Rauglaudre's Camlp4 system, parsing is now several times faster. The + report of syntax errors is more precise. + + \item[Cleaning up the tactics source]{\ + + Source code of the tactics has been revisited, so that the user can + implement his/her own tactics more easily. The internal ML names + for tactics have been normalized, and they are organized in + different files. See chapter ``Writing your own tactics'' in the + Coq reference manual.} + + \end{description} + +\item \textbf{Incompatibilities} + + You could have to modify your vernacular source for the following + reasons: + + \begin{itemize} + + \item You use the name \texttt{Sum} which is now a keyword. + \item You use the syntax \texttt{<A>Ex(P)}, \texttt{<A>Ex2(P,Q)} or + \texttt{<A>All(P)}. + + \item You use Coq \texttt{Grammar} or \texttt{Syntax} commands. + In this case, see section + \ref{parsing-printing} to know how to modify your parsing or printing + rules. + + \item You use Coq \texttt{Call} to apply a tactic abbreviation + declared using \texttt{Tactic Definition}. These tactics can be + directly called, just remove the \texttt{Call} prefix. + + \item \texttt{Require} semantics. The Coq V6.1 \texttt{Require} + command did not behave as described in the reference manual. + It has been corrected.\\ + The Coq V6.2 behavior is now the following. + Assume a file \texttt{A} containing a + command \texttt{Require B} is compiled. Then the command + \texttt{Require A} loads the module \texttt{B} but the definitions + in \texttt{B} are not visible. In order to see theses definitions, + a further \texttt{Require B} is + needed or you should write \texttt{Require Export B} instead of + \texttt{Require B} inside the file \texttt{A}. \\ + The Coq V6.1 behavior of \texttt{Require} was equivalent to the + Coq V6.2 \texttt{Require Export} command. + \item \texttt{Print Hint} now works only in proof mode and displays + the hints that apply to the current goal. \texttt{Print Hint *} + works as the old \texttt{Print Hint} command and displays the complete + hints table. + + \end{itemize} + + In addition, it is strongly recommended to use now the {\tt Cases} + pattern-matching operator rather than the intended to disappear {\tt + Case} operator. + +\item \textbf{Documentation} + The Reference Manual has been rearranged and + updated. The chapters on syntactic extensions, and user-defined + tactics have been completely rewritten. + + \begin{itemize} + \item We made a big effort to make the Reference Manual better and + more precise. The paper documentation is now divided in three + parts: + \begin{enumerate} + \item The Reference Manual, that documents the language (part I), + a brief explanation of each command and tactic (part II), the + users extensions for syntax and tactics (part III), the tools + (part IV); + + \item The Addendum to Reference Manual (part V), that contains + more detailed explanations about extraction, printing proofs in + natural language, tactics such as Omega, Ring and Program, + coercions and Cases compilation. + + \item The Tutorial, an introduction to Coq for the new user, that + has not much changed + \end{enumerate} + + \item The Hyper-Text documentation has been much improved. Please + check our web page \verb!http://pauillac.inria.fr/coq!. It is + possible to perform searches in the standard Library by name or by + type (with SearchIsos), and of course to read the HTML version + of the documentation. + \end{itemize} + +\end{itemize} + +\section{New tactics} + + +\subsection{Proof of imperative programs} + +A new tactic to establish correctness and termination of imperative +(and functional) programs is now available, in the \Coq\ module +\texttt{Programs}. This tactic, called \texttt{Correctness}, is +described in the chapter 18 of the \Coq\ Reference Manual. + + +\subsection{Defining parameterized tactics} +\label{parameterised} +It is possible to define tactics macros, taking terms as arguments +using the \texttt{Tactic Definition} command. + +These macros can be called directly (in Coq V6.1, a prefix +\texttt{Call} was used). +Example: + +\begin{coq_example*} +Tactic Definition DecideEq [$a $b] := + [<:tactic:< + Destruct $a; + Destruct $b; + Auto; + (Left;Discriminate) Orelse (Right;Discriminate)>>]. +Inductive Set Color := Blue:Color | White:Color | Red:Color | Black:Color. +\end{coq_example*} + +\begin{coq_example} +Theorem eqColor: (c1,c2:Color){c1=c2}+{~c1=c2}. +DecideEq c1 c2. +\end{coq_example} +\begin{coq_example*} +Qed. +\end{coq_example*} + +\subsection{Intros}\label{intros} +The tactic \texttt{Intros} can now take a pattern as argument. A +pattern is either +\begin{itemize} +\item a variable +\item a list of patterns : $p_1~\ldots~p_n$ +\item a disjunction of patterns : $[p_1~|~~\ldots~|~p_n]$ +\item a conjunction of patterns : $(p_1,\ldots,p_n)$ +\end{itemize} + +The behavior of \texttt{Intros} is defined inductively over the +structure of the pattern given as argument: +\begin{itemize} +\item introduction on a variable behaves like before; +\item introduction over a +list of patterns $p_1~\ldots~p_n$ is equivalent to the sequence of +introductions over the patterns namely : +\texttt{Intros $p_1$;\ldots; Intros $p_n$}, the goal should start with +at least $n$ products; +\item introduction over a +disjunction of patterns $[p_1~|~~\ldots~|~p_n]$, it +introduces a new variable $X$, its type should be an inductive definition with $n$ +constructors, then it performs a case analysis over $X$ +(which generates $n$ subgoals), it +clears $X$ and performs on each generated subgoals the corresponding +\texttt{Intros}~$p_i$ tactic; +\item introduction over a +conjunction of patterns $(p_1,\ldots,p_n)$, it +introduces a new variable $X$, its type should be an inductive definition with $1$ +constructor with (at least) $n$ arguments, then it performs a case analysis over $X$ +(which generates $1$ subgoal with at least $n$ products), it +clears $X$ and performs an introduction over the list of patterns $p_1~\ldots~p_n$. +\end{itemize} +\begin{coq_example} +Lemma intros_test : (A,B,C:Prop)(A\/(B/\C))->(A->C)->C. +Intros A B C [a|(b,c)] f. +Apply (f a). +Proof c. +\end{coq_example} +\subsection{Refine}\label{refine} +This tactics takes a term with holes as argument. + +It is still experimental and not automatically loaded. It can +be dynamically loaded if you use the byte-code version of Coq; +with the version in native code, you have to use the \texttt{-full} option. + +\Example +\begin{coq_example*} +Require Refine. +Inductive Option: Set := Fail : Option | Ok : bool->Option. +\end{coq_example} +\begin{coq_example} +Definition get: (x:Option)~x=Fail->bool. +Refine + [x:Option]<[x:Option]~x=Fail->bool>Cases x of + Fail => ? + | (Ok b) => [_:?]b end. +Intros;Absurd Fail=Fail;Trivial. +\end{coq_example} +\begin{coq_example*} +Defined. +\end{coq_example*} + +\subsection{Decompose}\label{decompose} +This tactic allows to recursively decompose a +complex proposition in order to obtain atomic ones. +Example: + +\begin{coq_eval} +Reset Initial. +\end{coq_eval} +\begin{coq_example} +Lemma ex1: (A,B,C:Prop)(A/\B/\C \/ B/\C \/ C/\A) -> C. +Intros A B C H; Decompose [and or] H; Assumption. +\end{coq_example} +\begin{coq_example*} +Qed. +\end{coq_example*} + + +\subsection{Tauto}\label{tauto} +This tactic has been extended to work also on +connectives defined by the user as well as on informative types. +Example: + +\begin{coq_example*} +Inductive AND4 [A:Set;B,C,D:Prop] : Set := + tuple4 : A->B->C->D->(AND4 A B C D). +\end{coq_example*} +\begin{coq_example} +Lemma ex2: (B,C,D:Prop)(AND4 nat B C D)->(AND4 nat C D B). +Tauto. +\end{coq_example} +\begin{coq_example*} +Qed. +\end{coq_example*} + +\subsection{Tactics about Equality}\label{equality} +\texttt{Rewrite}, \texttt{Transitivity}, \texttt{Symmetry}, +\texttt{Reflexivity} and other tactics associated to equality predicates work +now independently of the universe that the equality inhabits. +Example: + +\begin{coq_example*} +Inductive EQ [A:Type] : Type->Prop := reflEQ : (EQ A A). +\end{coq_example*} +\begin{coq_example} +Lemma sym_EQ: (A,B:Type)(EQ A B)->(EQ B A). +Intros;Symmetry;Assumption. +\end{coq_example} +\begin{coq_example*} +Qed. +\end{coq_example*} + +\begin{coq_example} +Lemma trans_idT: (A,B:Type)(A===Set)->(B===Set)->A===B. +Intros A B X Y;Rewrite X;Symmetry;Assumption. +\end{coq_example} +\begin{coq_example*} +Qed. +\end{coq_example*} + + +\subsection{The tactical \texttt{Abstract}}~\label{abstract} +From outside, typing \texttt{Abstract \tac} is the same that +typing \tac. If \tac{} completely solves the current goal, it saves an auxiliary lemma called +{\ident}\texttt{\_subproof}\textit{n} where {\ident} is the name of the +current goal and \textit{n} is chosen so that this is a fresh +name. This lemma is a proof of the current goal, generalized over the +local hypotheses. + +This tactical is useful with tactics such that \texttt{Omega} and +\texttt{Discriminate} that generate big proof terms. With that tool +the user can avoid the explosion at time of the \texttt{Save} command +without having to cut ``by hand'' the proof in smaller lemmas. + +\begin{Variants} +\item \texttt{Abstract {\tac} using {\ident}}. Gives explicitly the + name of the auxiliary lemma. +\end{Variants} +\begin{coq_example*} +Lemma abstract_test : (A,B:Prop)A/\B -> A\/B. +\end{coq_example*} +\begin{coq_example} +Intros. +Abstract Tauto using sub_proof. +Check sub_proof. +\end{coq_example} +\begin{coq_example*} +Qed. +\end{coq_example*} +\begin{coq_example} +Print abstract_test. +\end{coq_example} + + +\subsection{Conditional $tac$ Rewrite $c$} +This tactics acts as \texttt{Rewrite} and applies a given tactic on the +subgoals corresponding to conditions of the rewriting. +See the Reference Manual for more details. + + +\section{Changes in concrete syntax} + +\subsection{The natural grammar for arithmetic} +\label{zarith} +There is a new syntax of signed integer arithmetic. However the +syntax delimiters were \verb=[|= and \verb=|]= in the beta-version. In +the final release of 6.2, it's two back-quotes \texttt{`} and \texttt{`}. + +Here is an example: +\begin{coq_eval} +Reset Initial. +\end{coq_eval} + +\begin{coq_example*} +Require ZArith. +Variables x,y,z:Z. +Variables f,g:Z->Z. +\end{coq_example*} +\begin{coq_example} +Check ` 23 + (f x)*45 - 34 `. +Check Zplus_sym. +Check ` x < (g y) <= z+3 `. +Check ` 3+ [if true then ` 4 ` else (f x)] `. +SearchIsos (x,y,z:Z) ` x+(y+z) = (x+y)+z `. +\end{coq_example} + +\begin{coq_eval} +Reset x. +\end{coq_eval} + +Arithmetic expressions are enclosed between \verb=`= and \verb=`=. It can +be: +\begin{itemize} +\item integers +\item any of the operators \verb|+|, \verb|-| and \verb|*| +\item functional application +\item any of the relations \verb|<|, \verb|<=|, \verb|>=|, \verb|>|, +\verb|=| and \verb|<>| +\end{itemize} + +Inside an arithmetic expression, you can type an arbitrary Coq +expression provided it is escaped with \verb|[ ]|. There is also +shortcuts such as $x < y \le z$ which means $x<y \wedge y \le z$. + +\begin{coq_example} +Lemma ex3 : (x:Z)` x>0 ` -> ` x <= 2*x <= 4*x `. +Split. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} +\subsection{The new \texttt{Grammar} and \texttt{Syntax}} +\label{parsing-printing} + +The leading idea in the {\tt Grammar} and {\tt Syntax} command syntax +changes is to unify and simplify them. + +\subsubsection{Syntax changes for \texttt{Grammar} declarations (parsing rules)} + +Each \texttt{Grammar} rule now needs to be named, as \texttt{Syntax} +rules do. Although they are just comments, it is advised to use distinct +names for rules. + +The syntax of an ordinary grammar rule is now: + +\[ +\texttt{Grammar}~\textit{GrammarName}~\textit{EntryName}~\texttt{:=}~ + \textit{RuleName}~ \texttt{[} \textit{Pattern} \texttt{] -> [} \textit{Action} +\texttt{]}. +\] +\paragraph{Parametric rules} + +Parametric grammars does not exist any longer. Their main use was to +write left associative rules. For that, there is a simplest way based +on a new grammar builder \texttt{LEFTA} (and grammar builder +\texttt{RIGHTA} and \texttt{NONA} as well). + +For instance, the grammar in V6.1 style + +\begin{verbatim} +Grammar natural fact := + [ final($c) factprod[[$c]]($r) ] -> [$r]. + +Grammar natural factprod[$p] := + [ ] -> [$p] +| [ "*" final($c) factprod[[<<(mult $p $c)>>]]($r)] -> [$r]. +\end{verbatim} +should now be written +\begin{verbatim} +Grammar natural fact := + LEFTA + fact_final [ final($c) ] -> [$c] + | fact_prod [ final($p) "*" final($c) ] -> [ <<(mult $p $c)>> ]. +\end{verbatim} + +\subsubsection{Internal abstract syntax tree (ast) changes} + +The syntax of internal abstract syntax tree (ast) has also been +modified. Most users, which only uses \verb|<<| ... \verb|>>| in the +right-hand side of the grammar rules are not concerned with that. +For the others, it should be noted that now there are two kinds of +production for grammar rules: ast and lists of asts. + +A rule that produces a list of asts should be declared of this type by +inserting ``\texttt{:List}'' just after the grammar name. + +The ast constructors \verb!$CONS!, \verb!$NIL!, \verb!$APPEND!, +\verb!$PRIM!, \verb!SOME! and \verb!$OPER! do not +exist any longer. A simple juxtaposition is used to build ast lists. +For an empty +list, just put nothing. The old \verb!($OPER{Foo} ($CONS $c1 $c2))! +becomes \verb!(Foo $c1 $c2)!. The old \verb!$SLAML! is now \verb!$SLAM!. + +The constructor \verb!$LIST! has a new meaning. It serves to cast an +ast list variable into an ast. + +For instance, the following grammar rules in V6.1 style: +\begin{verbatim} +Grammar vernac eqns := + [ "|" ne_command_list($ts) "=>" command($u) eqns($es) ] + -> [($CONS ($OPER{COMMANDLIST} ($CONS $u $ts)) $es)]. +| [ ] -> [($LIST)] + +with vernac := + [ "Foo" "Definition" identarg($idf) command($c) ":=" eqns($eqs) "." ] + -> [($OPER{FooDefinition} ($CONS $idf ($CONS $c $eqs)))] +\end{verbatim} +can be written like this in V6.2 +\begin{verbatim} +Grammar vernac eqns : List := + eqns_cons [ "|" ne_command_list($ts) "=>" command($u) eqns($es) ] + -> [ (COMMANDLIST $u ($LIST $ts)) ($LIST $es)] +| eqns_nil [ ] -> [ ]. + +with vernac := + rec_def [ "Foo" "Definition" identarg($idf) command($c) ":=" eqns($eqs) "." ] + -> [(FooDefinition $idf $c ($LIST $eqs))]. +\end{verbatim} + + +\subsubsection{Syntax changes for \texttt{Syntax} declarations + (printing rules)} + +The new syntax for printing rules follows the one for parsing rules. In +addition, there are indications of associativity, precedences and +formatting. + +Rules are classified by strength: the keyword is \verb-level-. The +non-terminal items are written in a simplest way: a non-terminal +\verb!<$t:dummy-name:*>! is now just written \verb!$t!. For left or +right associativity, the modifiers \verb!:L! or + \verb!:E! have to be given as in \verb!$t:E!. The expression \verb!$t:L! prints the +ast \verb!$t! with a level strictly lower than the current one. +The expression \verb!$t:E! calls the printer with the same level. Thus, for left +associative operators, the left term must be called with \verb!:E!, and the +right one with \verb!:L!. It is the opposite for the right associative +operators. Non associative operators use \verb!:L! for both sub-terms. + +For instance, the following rules in V6.1 syntax + +\begin{verbatim} +Syntax constr Zplus <<(Zplus $n1 $n2)>> 8 + [<hov 0> "`" <$nn1:"dummy":E> "+" <$n2:"dummy":L> "`" ] + with $nn1 := (ZEXPR $n1) $nn2 := (ZEXPR $n2). + +Syntax constr Zminus <<(Zminus $n1 $n2)>> 8 + [<hov 0> "`" <$nn1:"dummy":E> "-" <$n2:"dummy":L> "`" ] + with $nn1 := (ZEXPR $n1) $nn2 := (ZEXPR $n2). + +Syntax constr Zmult <<(Zmult $n1 $n2)>> 7 + [<hov 0> "`" <$nn1:"dummy":E> "*" <$n2:"dummy":L> "`" ] + with $nn1 := (ZEXPR $n1) $nn2 := (ZEXPR $n2). +\end{verbatim} +are now written +\begin{verbatim} +Syntax constr + + level 8: + Zplus [<<(Zplus $n1 $n2)>>] + -> [ [<hov 0> "`"(ZEXPR $n1):E "+"(ZEXPR $n2):L "`"] ] + | Zminus [<<(Zminus $n1 $n2)>>] + -> [ [<hov 0> "`"(ZEXPR $n1):E "-"(ZEXPR $n2):L "`"] ] + ; + + level 7: + Zmult [<<(Zmult $n1 $n2)>>] + -> [ [<hov 0> "`"(ZEXPR $n1):E "*"(ZEXPR $n2):L "`"] ] + . +\end{verbatim} + +\section{How to use \texttt{SearchIsos}} + +As shown in the overview, \texttt{SearchIsos} is made up of two tools: new +commands integrated in Coq and a separated program. + +\subsection{In the {\Coq} toplevel} + +Under \Coq, \texttt{SearchIsos} is called upon with the following command: + +\begin{tabbing} +\ \ \ \ \=\kill +\>{\tt SearchIsos} {\it term}. +\end{tabbing} + +This command displays the full name (modules, sections and identifiers) of all +the constants, variables, inductive types and constructors of inductive types +of the current context (not necessarily in the specialized +buffers) whose type is equal to {\it term} up to isomorphisms. These +isomorphisms of types are characterized by the contextual part of a theory +which is a generalization of the axiomatization for the typed lambda-calculus +associated with the Closed Cartesian Categories taking into account +polymorphism and dependent types. + +\texttt{SearchIsos} is twined with two other commands which allow to have some +informations about the search time: + +\begin{tabbing} +\ \ \ \ \=\kill +\>{\tt Time}.\\ +\>{\tt UnTime}. +\end{tabbing} + +As expected, these two commands respectively sets and disconnects the Time +Search Display mode. + +The following example shows a possibility of use: + +\begin{coq_eval} +Reset Initial. +\end{coq_eval} +\begin{coq_example} +Time. +Variables A,B:Set. +Hypothesis H0:(x:A)(y:B)(x=x/\y=y). +SearchIsos (b:B)(a:A)(b=b/\a=a). +\end{coq_example} + +For more informations, see the sections 5.6.7, 5.6.8 and 5.6.9 in the Reference +Manual. + +\subsection{In the whole library hierarchy} + +To extend the search to a {\Coq} library, you must use \textsf{Coq\_SearchIsos} +which is an independent tool compared to {\Coq} and can be invoked by the shell +command as follows: + +\begin{tabbing} +\ \ \ \ \=\kill +\>{\tt coqtop -searchisos} +\end{tabbing} + +Under this new toplevel (which contains your {\Coq} library), the three +commands {\tt SearchIsos}, {\tt Time} and {\tt UnTime} (described previously) +are then available and have always the same behavior. + +Likewise, this little sample (about the Euclidean division) shows a possible +request to the standard library of {\Coq}: + +\begin{verbatim} +Coq_SearchIsos < Time. + +Coq_SearchIsos < SearchIsos (b,a:nat)(gt b O) +Coq_SearchIsos < ->{q:nat&{r:nat|a=(plus (mult q b) r)/\(gt b r)}}. +#Div#--* [div1 : (b:nat)(gt b (0))->(a:nat)(diveucl a b)] +#Div#--* [div2 : (b:nat)(gt b (0))->(a:nat)(diveucl a b)] +#Euclid_proof#--* [eucl_dev : (b:nat)(gt b (0))->(a:nat)(diveucl a b)] +#Euclid_proof#--* [quotient : +(b:nat) + (gt b (0)) + ->(a:nat){q:nat | (EX r:nat | a=(plus (mult q b) r)/\(gt b r))}] +#Euclid_proof#--* [modulo : +(b:nat) + (gt b (0)) + ->(a:nat){r:nat | (EX q:nat | a=(plus (mult q b) r)/\(gt b r))}] +Finished transaction in 4 secs (2.27u,0s) +\end{verbatim} + +For more informations about \textsf{Coq\_SearchIsos}, see the section 15.4 in +the Reference Manual. + +\section{The new reduction functions} \label{reductions} + +\subsection{\texttt{Cbv}, \texttt{Lazy}} +The usual reduction or conversion tactics are \verb!Red!, \verb!Hnf!, +\verb!Simpl!, \verb!Unfold!, \verb!Change! and \verb!Pattern!. It is +now possible to normalize a goal with a parametric reduction function, +by specifying which of $\beta$,$\delta$ and $\iota$ must be +performed. In the case of $\delta$, a list of identifiers to unfold, +or a list of identifiers not to unfold, may follow. Moreover, two +strategies are available: a call-by-value reduction, efficient for +computations, and a lazy reduction, i.e. a call-by-name strategy with +sharing of reductions. + +To apply a reduction tactic, use one of the two strategies +\texttt{Cbv} for call-by value or \texttt{Lazy} for lazy reduction +applied to one or more ``flags'' designing which reduction to perform +\texttt{Beta} for $\beta$-reduction, \texttt{Iota} for +$\iota$-reduction (reduction of \texttt{Cases}) and \texttt{Delta} for +$\delta$-reduction (expansion of constants). + +The function \verb!Compute! is simply an alias for +\verb!Cbv Beta Delta Iota!. + +The following tactic applies on the current goal, +the $\beta\iota$-reduction, and +$\delta$-reduction of any constants except \verb!minus!, using the +call-by-value strategy. +\begin{verbatim} +Cbv Beta Iota Delta - [ minus ] +\end{verbatim} + +\subsection{\texttt{Fold}} +A specific function \verb!Fold! was designed: +\verb!Fold! takes as argument a list of +terms. These terms are reduced using \verb!Red!, and the result is +replaced by the expanded term. For example, +\begin{coq_example*} +Require Arith. +Lemma ex4 : (n:nat)(le (S O) n)->(le (S n) (plus n n)). +Intros. +\end{coq_example*} +\begin{coq_example} +Fold (plus (1) n). +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +\subsection{\texttt{Eval}} + +The reduction may be applied to a given term (not only the goal) with +the vernac command \verb!Eval!. +The syntax is: +\[\texttt{Eval}~ \textit{ReductionFunction}~ \texttt{in}~ +\textit{term}.\] +To compute the reduced value of $t$ using the reduction strategy +\textit{ReductionFunction}. + +It may happen that the term to be +reduced depends on hypothesis introduced in a goal. The default +behavior is that the term is interpreted in the current goal (if +any). \texttt{Eval} can take an extra argument specifying an +alternative goal. + +Here are a few examples of reduction commands: +\begin{coq_example} +Eval Simpl in [n:nat]n=(plus O n). +\end{coq_example} +Simplifies the expression. +\begin{coq_example*} +Lemma ex5 : O=O /\ (x:nat)x=x. +Split; Intros. +\end{coq_example*} +\begin{coq_example} +Eval 2 Lazy Beta Delta [ mult ] Iota in ([n:nat](mult n (plus n x)) (3)). +\end{coq_example} + +$\beta\iota$-reduces the given term and $\delta$-reduces \verb+mult+ in the +context of the second goal. + +\begin{coq_example} +Eval Compute in `18446744073709551616 * 18446744073709551616`. +\end{coq_example} + +Computes $2^{128}$. + +\section{Installation procedure} + +\subsection{Uninstalling Coq} + +\paragraph{Warning} +It is strongly recommended to clean-up the V6.1 Coq library directory +by hand, before you install the new version. +\paragraph{Uninstalling Coq V6.2} +There is a new option to coqtop \texttt{-uninstall} that will remove +the the binaries and the library files of Coq V6.2 on a Unix system. + + +\subsection{OS Issues -- Requirements} + +\subsubsection{Unix users} +You need Objective Caml version 1.06 or 1.07, and Camlp4 version 1.07.2 +to compile the system. Both are available by anonymous ftp +at: + +\bigskip +\verb|ftp://ftp.inria.fr/Projects/Cristal|. +\bigskip + +\noindent +Binary distributions are available for the following architectures: + +\bigskip +\begin{tabular}{l|c|r} +{\bf OS } & {\bf Processor} & {name of the package}\\ +\hline +Linux & 80386 and higher & coq-6.2-linux-i386.tar.gz \\ +Solaris & Sparc & coq-6.2-solaris-sparc.tar.gz\\ +Digital & Alpha & coq-6.2-OSF1.tar.gz\\ +\end{tabular} +\bigskip + +If your configuration is in the above list, you don't need to install +Caml and Camlp4 and to compile the system: +just download the package and install the binaries in the right place. + +\subsubsection{MS Windows users} + +The MS Windows version will be soon available. + +%users will get the 6.2 version at the same time than +%Unix users ! +%A binary distribution is available for Windows 95/NT. Windows 3.1 +%users may run the binaries if they install the Win32s module, freely +%available at \verb|ftp.inria.fr|. + +\section{Credits} + +The new parsing mechanism and the new syntax for extensible grammars +and pretty-printing rules are from Bruno Barras and Daniel de +Rauglaudre. + +The rearrangement of tactics, the extension of \texttt{Tauto}, \texttt{Intros} and +equality tactics, and the tactic definition mechanism are from Eduardo +Gim\'enez. Jean-Christophe Filli\^atre designed and implemented the +tactic \texttt{Refine} and the tactic \texttt{Correctness}. + +Bruno Barras improved the reduction functions and introduced new +uniform commands for reducing a goal or an expression. David Delahaye +designed and implemented {\tt SearchIsos}. + +Patrick Loiseleur introduced syntax rules to +manipulate natural numbers and binary integers expression. +Hugo Herbelin improved the loading mechanism and contributed to a more +user-friendly syntax. + +\end{document} + +% Local Variables: +% mode: LaTeX +% TeX-master: t +% End: + + +% $Id$ + diff --git a/doc/ChangesV6-3.tex b/doc/ChangesV6-3.tex new file mode 100644 index 000000000..8e43a258c --- /dev/null +++ b/doc/ChangesV6-3.tex @@ -0,0 +1,302 @@ +\documentclass[11pt]{article} +\usepackage[latin1]{inputenc} +\usepackage[T1]{fontenc} + +\input{./title} +\input{./macros} + +\begin{document} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% Changes 6.2 ===> 6.3 +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\shorttitle{Changes from {\Coq} V6.2 to {\Coq} V6.3} + +This document describes the main differences between Coq V6.2 and +V6.3. This new version of Coq is characterized by new tactics and a +more flexible guard condition in fixpoints definitions. +We refer to the reference manual +for a more precise description of the new features. + +%See the ASCII file \texttt{CHANGES} available by FTP with \Coq\ for +%the minor changes of the bug-fix releases 6.2.1 and 6.2.2. + + +\section{Changes overview} + +\subsection{New Tactics} + + \begin{itemize} + + \item The \texttt{AutoRewrite} tactic uses a set of theorems + as rewrite rules that are applied sequentially in order to + solve the goal. This tactic is still experimental and subject to changes. + + \item \texttt{First} and \texttt{Solve} are two tacticals which + apply to a sequence of + tactics written \texttt{[ \textit{tac}$_1$ | ... | + \textit{tac}$_n$ ]}. + \texttt{First} applies the first tactic in the given list + which does not fail while + \texttt{Solve} applies the first tactic in the list + which completely solves the goal. + + \item \texttt{Quote} this new tactic does automatic inversion of + interpretation function for people using Barengregt's so-called + `2-level approach'. See examples in \texttt{theories/DEMOS/DemoQuote.v}. + + \item \texttt{Change} \textit{term} \texttt{in} \textit{hyp} is now + available. + + \item \texttt{Move} \textit{hyp} \texttt{after} \textit{hyp} allows + to reorder the hypotheses of the local context. + + \end{itemize} + +\subsection{Changes in existing tactics} + + \begin{itemize} + + \item \texttt{Intro} or \texttt{Intros} with explicit names + will force an head reduction of the goal in case it does not start + with a product. \\ + +\texttt{Intro} or \texttt{Intros} without explicit names + generate automatically names for the hypothesis or + variable to be introduced. The algorithm to generate these names + has been slightly changed, this may be a source of incompatibility in the + proofs script. + + The new variant \texttt{Intro \textit{ident} after \textit{hyp}} allows to + tell the place where an hypothesis is introduced in the context. + + \item \texttt{Auto} the structure of the hints databases for the Auto + tactic was changed in version V6.2.3. + In version V6.3, the following new features were added to Auto~: + \begin{itemize} + \item \texttt{Print} \textit{HintDbname} prints out the contents of + a the hint database \textit{HintDbname}; + \item \texttt{Constructors} \textit{Indname} is a new hint + tactic which is equivalent to introduce the \texttt{Resolve} + hint tactic for each + constructor of the \textit{Indname} inductive definition. + \end{itemize} + + \item \texttt{Induction} \textit{var} now also performs induction on + a variable \textit{var} of the local context. This extension is + more ``user-friendly'' in the sense it generalizes automatically + above the other hypotheses dependent on the original variable. It + does not duplicate any longer the name of the variable to which it + applies. It should avantageously replaces "Elim" on an + hypothesis/variable or a typical sequence "Generalize" followed by + "Induction" on the generalized variable. But this extension is + experimental and susceptible of change in next releases. + + \item \texttt{Let} \textit{ident} \texttt{:=} \textit{term} + \texttt{in} \textit{occurlist} \textit{hyps} replaces the given + occurrences of \texttt{term} in the hypotheses \textit{hyps} (or in + the goal) by the variable \textit{ident} and keep the equality + \textit{ident=term} in the context. This is actually a variant of + \texttt{Generalize} which keeps track of the original term. As the + new \texttt{Induction} to which it can be combined, it is susceptible + of change in next releases. + + \item The \texttt{Ring} tactic has been extended and + works now also when the ring is in the \Type{} sort. + + \item The tactic \texttt{Correctness} has been improved. + \end{itemize} + +\subsection{New toplevel commands} + +\begin{description} + +\item[\texttt{Time}] Any vernacular command (including invocation of + tactics) can be prefixed by the word \texttt{Time}; then the time + spent is printed after having executed the command. For example : + \texttt{Time Save.} or \texttt{Time Omega.} + +\item[\texttt{Focus} $n$] It is now possible to focus on a specific + goal using the command \texttt{Focus} $n$, with $n$ being the + range of the selected subgoal. All the tactics will be applied to + this goal and only the subgoals inherited from the selected goal + are displayed. When the subgoal is completed, the message + \texttt{"Subtree proved"} is printed out then the focus goes back + to the initial goal and the corresponding remaining subgoals are + printed out. The focus commands are reseted by the + \texttt{Undo} command or \texttt{Unfocus}. \texttt{Focus} + without argument keeps its old meaning to only disply the first + subgoal. + +\item[Evaluation in Definition] It is now possible to apply a + reduction function to a term inside a definition. Just replace the + term to be defined by + \[ \texttt{Eval}~ \textit{reduction-function}~ \texttt{in}~ + \textit{term}\] + at the right hand side of the \texttt{:=} sign in a definition. + + \end{description} + +\subsection{Language extensions} + \begin{description} + \item[Type reconstruction] The algorithm to solve incomplete + information in terms has been improved. In particular + question marks can be put + in place of the type of universally quantified variables. + \item[Guarded fixpoints] The condition for well-formed + fixpoints has been extended, it is now possible to define + structural fixpoints for positive inductive definitions with + nested recursion (like \texttt{Inductive term : Set := cons : (list term)->term}) + \end{description} + +\subsection{Libraries} + + \begin{description} + + \item[Reals] The library of real numbers has been extended and + obeys to the same naming convention than + ARITH and ZARITH: addition is \texttt{Rplus}, theorems stating commutativity are + postfixed by \texttt{\_sym} like \texttt{plus\_sym}, + \texttt{Rmult\_sym}, etc. The tactic \texttt{Ring} has been + instantiated on the reals; one can use it to normalize polynomial + expressions over the reals. + +The library \texttt{Reals} + has been completed by a definition of limit, derivative + and by others properties and functions. +\end{description} + + +\subsection{Documentation} + +The documentation includes now an index of errors. + +\section{Incompatibilities} + + You could have to modify your vernacular source for the following + reasons: + + \begin{itemize} + + \item Some names of variables have changed. Typically, a sequence + "Generalize n; Induction n" should become a "Generalize n; Induction n0", + or better, simply "Induction n" since Induction now works with + hypotheses of the context and generalizes automatically. + + \item In the library ZArith, "Zinv" has been renamed as "Zopp", in + order to be coherent with the Reals library. Theorems whose name + includes "Zinv" have been renamed too. A global search-and-replace + of "Zinv" by "Zopp" should be sufficient to update user's + developments. + + \item In the library Reals, some names has been changed. + In the file README of the library, there is a script which can be + used to update user's developments. + + \item The definition of Exists has changed in LISTS/Streams. + + \end{itemize} + +\section{New contributions} +We integrated new contributions : +\begin{description} +\item[Finite sets and graphs] +This contribution is due to J. Goubault-Larrecq from Dyade + (INRIA-Bull). It contains a +development of finite sets implemented efficiently +as trees indexed by binary numbers. This representation is used to +implement graphs corresponding to arithmetic formulas and prove the +correctness of a decision procedure testing the satisfiability of +formula by detecting cycles of positive weigth in the graph +\item[$\pi$-calculus] A development of $\pi$-calculus due to +I. Scagnetto from University of Udine. +\item[The three gap theorem] A Proof of the Three Gap Theorem + (Steinhaus Conjecture) by M. Mayero from INRIA Rocquencourt. +\item[Floating point numbers] An axiomatisation of the IEEE 754 +norm for Floating point numbers done by P. Loiseleur fron LRI Orsay. +\item[Algebra] Basic notions of algebra designed by L. Pottier from + INRIA Sophia-Antipolis. +\item[Heapsort] A proof of an imperative version of the + Heapsort sorting algorithm developed by J-C. Filli\^atre from +LRI Orsay. + +\end{description} + +\section{Installation procedure} + +\subsection{Uninstalling Coq} + +\paragraph{Warning} +It is strongly recommended to clean-up the V6.2 Coq library directory +before you install the new version. +Use the option to coqtop \texttt{-uninstall} that will remove +the binaries and the library files of Coq V6.2 on a Unix system. + +\subsection{OS Issues -- Requirements} + +\subsubsection{Unix users} +You need Objective Caml version 2.01 or 2.02, and the corresponding +Camlp4 version to compile the system. Both are available by anonymous ftp +at: \\ +\verb|ftp://ftp.inria.fr/Projects/Cristal|. +\bigskip + +\noindent +Binary distributions are available for the following architectures: + +\bigskip +\begin{tabular}{l|c|r} +{\bf OS } & {\bf Processor} & {name of the package}\\ +\hline +Linux & 80386 and higher & coq-6.3-linux-i386.tar.gz \\ +Solaris & Sparc & coq-6.3-solaris-sparc.tar.gz\\ +Digital & Alpha & coq-6.3-OSF1.tar.gz\\ +\end{tabular} +\bigskip + +If your configuration is in the above list, you don't need to install +Caml and Camlp4 and to compile the system: +just download the package and install the binaries in the right place. + +\subsubsection{MS Windows users} + +A binary distribution is available for PC under MS Windows 95/98/NT. +The package is named coq-6.3-win.zip. + +For installation information see the +files INSTALL.win and README.win. + + +%users will get the 6.2 version at the same time than +%Unix users ! +%A binary distribution is available for Windows 95/NT. Windows 3.1 +%users may run the binaries if they install the Win32s module, freely +%available at \verb|ftp.inria.fr|. + +\section{Credits} +B. Barras extended the unification algorithm to complete partial terms +and solved various tricky bugs related to universes.\\ +D. Delahaye developed the \texttt{AutoRewrite} tactic. He also designed the new +behavior of \texttt{Intro} and provided the tacticals \texttt{First} and +\texttt{Solve}.\\ +J.-C. Filli\^atre developed the \texttt{Correctness} tactic.\\ +E. Gim\'enez extended the guard condition in fixpoints.\\ +H. Herbelin designed the new syntax for definitions and extended the +\texttt{Induction} tactic.\\ +P. Loiseleur developed the \texttt{Quote} tactic and +the new design of the \texttt{Auto} +tactic, he also introduced the index of +errors in the documentation.\\ +C. Paulin wrote the \texttt{Focus} command and introduced +the reduction functions in definitions, this last feature +was proposed by J.-F. Monin from CNET Lannion. +\end{document} + +% Local Variables: +% mode: LaTeX +% TeX-master: t +% End: + + +% $Id$ + diff --git a/doc/Coercion.tex b/doc/Coercion.tex new file mode 100644 index 000000000..009d524ab --- /dev/null +++ b/doc/Coercion.tex @@ -0,0 +1,436 @@ +\achapter{Implicit Coercions} +\aauthor{Amokrane Saïbi} + +\label{Coercions-full} +\index{Coercions!presentation} + +\asection{General Presentation} + +This section describes the inheritance mechanism of {\Coq}. In {\Coq} with +inheritance, we are not interested in adding any expressive power to +our theory, but only convenience. Given a term, possibly not typable, +we are interested in the problem of determining if it can be well +typed modulo insertion of appropriate coercions. We allow to write: + +\begin{itemize} +\item $(f~a)$ where $f:(x:A)B$ and $a:A'$ when $A'$ can + be seen in some sense as a subtype of $A$. +\item $x:A$ when $A$ is not a type, but can be seen in + a certain sense as a type: set, group, category etc. +\item $(f~a)$ when $f$ is not a function, but can be seen in a certain sense + as a function: bijection, functor, any structure morphism etc. +\end{itemize} + +\asection{Classes} +\index{Coercions!classes} + A class with $n$ parameters is any defined name with a type +$(x_1:A_1)..(x_n:A_n)s$ where $s$ is a sort. Thus a class with +parameters is considered as a single class and not as a family of +classes. An object of a class $C$ is any term of type $(C~t_1 +.. t_n)$. In addition to these user-classes, we have two abstract +classes: + +\begin{itemize} +\item {\tt SORTCLASS}, the class of sorts; + its objects are the terms whose type is a sort. +\item {\tt FUNCLASS}, the class of functions; + its objects are all the terms with a functional + type, i.e. of form $(x:A)B$. +\end{itemize} + +\asection{Coercions} +\index{Coercions!FUNCLASS} +\index{Coercions!SORTCLASS} + A name $f$ can be declared as a coercion between a source user-class +$C$ with $n$ parameters and a target class $D$ if one of these +conditions holds: + +\begin{itemize} +\item $D$ is a user-class, then the type of $f$ must have the form + $(x_1:A_1)..(x_n:A_n)(y:(C~x_1..x_n)) (D~u_1..u_m)$ where $m$ + is the number of parameters of $D$. +\item $D$ is {\tt FUNCLASS}, then the type of $f$ must have the form + $(x_1:A_1)..(x_n:A_n)(y:(C~x_1..x_n))(x:A)B$. +\item $D$ is {\tt SORTCLASS}, then the type of $f$ must have the form + $(x_1:A_1)..(x_n:A_n)(y:(C~x_1..x_n))s$. +\end{itemize} + +We then write $f:C \mbox{\texttt{>->}} D$. The restriction on the type +of coercions is called {\em the uniform inheritance condition}. +Remark that the abstract classes {\tt FUNCLASS} and {\tt SORTCLASS} +cannot be source classes. + + To coerce an object $t:(C~t_1..t_n)$ of $C$ towards $D$, we have to +apply the coercion $f$ to it; the obtained term $(f~t_1..t_n~t)$ is +then an object of $D$. + +\asubsection{Identity Coercions} +\index{Coercions!identity} + + Identity coercions are special cases of coercions used to go around +the uniform inheritance condition. Let $C$ and $D$ be two classes +with respectively $n$ and $m$ parameters and +$f:(x_1:T_1)..(x_k:T_k)(y:(C~u_1..u_n))(D~v_1..v_m)$ a function which +does not verify the uniform inheritance condition. To declare $f$ as +coercion, one has first to declare a subclass $C'$ of $C$: + +$$C' := [x_1:T_1]..[x_k:T_k](C~u_1..u_n)$$ + +\noindent We then define an {\em identity coercion} between $C'$ and $C$: +\begin{eqnarray*} +Id\_C'\_C & := & [x_1:T_1]..[x_k:T_k][y:(C'~x_1..x_k)]\\ + & & (y::(C~u_1..u_n)) +\end{eqnarray*} + +We can now declare $f$ as coercion from $C'$ to $D$, since we can +``cast'' its type as +$(x_1:T_1)..(x_k:T_k)(y:(C'~x_1..x_k))(D~v_1..v_m)$.\\ The identity +coercions have a special status: to coerce an object $t:(C'~t_1..t_k)$ +of $C'$ towards $C$, we have not to insert explicitly $Id\_C'\_C$ +since $(Id\_C'\_C~t_1..t_k~t)$ is convertible with $t$. However we +``rewrite'' the type of $t$ to become an object of $C$; in this case, +it becomes $(C~u_1^*..u_k^*)$ where each $u_i^*$ is the result of the +substitution in $u_i$ of the variables $x_j$ by $t_j$. + + +\asection{Inheritance Graph} +\index{Coercions!inheritance graph} +Coercions form an inheritance graph with classes as nodes. We call +{\em path coercion} an ordered list of coercions between two nodes of +the graph. A class $C$ is said to be a subclass of $D$ if there is a +coercion path in the graph from $C$ to $D$; we also say that $C$ +inherits from $D$. Our mechanism supports multiple inheritance since a +class may inherit from several classes, contrary to simple inheritance +where a class inherits from at most one class. However there must be +at most one path between two classes. If this is not the case, only +the oldest one is {\em valid} and the others are ignored. So the order +of declaration of coercions is important. + +We extend notations for coercions to path coercions. For instance +$[f_1;..;f_k]:C \mbox{\texttt{>->}} D$ is the coercion path composed +by the coercions $f_1..f_k$. The application of a path-coercion to a +term consists of the successive application of its coercions. + +\asection{Commands} + +\asubsection{\tt Class {\ident}.}\comindex{Class} +Declares the name {\ident} as a new class. + +\begin{ErrMsgs} +\item {\ident} \errindex{not declared} +\item {\ident} \errindex{is already a class} +\item \errindex{Type of {\ident} does not end with a sort} +\end{ErrMsgs} + +\asubsection{\tt Class Local {\ident}.} +Declares the name {\ident} as a new local class to the current section. + +\asubsection{\tt Coercion {\ident} : {\ident$_1$} >-> {\ident$_2$}.} +\comindex{Coercion} + +Declares the name {\ident} as a coercion between {\ident$_1$} and +{\ident$_2$}. The classes {\ident$_1$} and {\ident$_2$} are first +declared if necessary. + +\begin{ErrMsgs} +\item {\ident} \errindex{not declared} +\item {\ident} \errindex{is already a coercion} +\item \errindex{FUNCLASS cannot be a source class} +\item \errindex{SORTCLASS cannot be a source class} +\item \errindex{Does not correspond to a coercion} \\ + {\ident} is not a function. +\item \errindex{We do not find the source class {\ident$_1$}} +\item {\ident} \errindex{does not respect the inheritance uniform condition} +\item \errindex{The target class does not correspond to {\ident$_2$}} +\end{ErrMsgs} + + When the coercion {\ident} is added to the inheritance graph, non +valid path coercions are ignored; they are signaled by a warning. +\\[0.3cm] +\noindent {\bf Warning :} +\begin{enumerate} +\item \begin{tabbing} +{\tt Ambiguous paths: }\= $[f_1^1;..;f_{n_1}^1] : C_1\mbox{\tt >->}D_1$\\ + \> ... \\ + \>$[f_1^m;..;f_{n_m}^m] : C_m\mbox{\tt >->}D_m$ + \end{tabbing} +\end{enumerate} + +\asubsection{\tt Coercion Local {\ident}:{\ident$_1$} >-> +{\ident$_2$}.} + +Declares the name {\ident} as a local coercion to the current section. + + +\asubsection{\tt Identity Coercion {\ident}:{\ident$_1$} >-> {\ident$_2$}.} + +We check that {\ident$_1$} is a constant with a value of the form +$[x_1:T_1]..[x_n:T_n](\mbox{\ident}_2~t_1..t_m)$ where $m$ is the +number of parameters of \ident$_2$. Then we define an identity +function with the type +$(x_1:T_1)..(x_n:T_n)(y:(\mbox{\ident}_1~x_1..x_n)) +({\mbox{\ident}_2}~t_1..t_m)$, and we declare it as an identity +coercion between {\ident$_1$} and {\ident$_2$}. + +\begin{ErrMsgs} +\item \errindex{Clash with previous constant {\ident}} +\item {\ident$_1$} \errindex{must be a transparent constant} +\end{ErrMsgs} + +\asubsection +{\tt Identity Coercion Local {\ident}:{\ident$_1$} >-> {\ident$_2$}.} + +Declares the name {\ident} as a local identity coercion to the current section. + +\asubsection{\tt Print Classes.} +\comindex{Print Classes} +Print the list of declared classes in the current context. + +\asubsection{\tt Print Coercions.} +\comindex{Print Coercions} +Print the list of declared coercions in the current context. + +\asubsection{\tt Print Graph.} +\comindex{Print Graph} +Print the list of valid path coercions in the current context. + +\asection{Coercions and Pretty-Printing} + + To every declared coercion $f$, we automatically define an +associated pretty-printing rule, also named $f$, to hide the coercion +applications. Thus $(f~t_1..t_n~t)$ is printed as $t$ where $n$ is the +number of parameters of the source class of $f$. The user can change +this behavior just by overwriting the rule $f$ by a new one with the +same name (see chapter~\ref{Addoc-syntax} for more details about +pretty-printing rules). If $f$ is a coercion to {\tt FUNCLASS}, +another pretty-printing rule called $f1$ is also generated. This last +rule prints $(f~t_1..t_n~t_{n+1}..t_m)$ as $(f~t_{n+1}..t_m)$. + + In the following examples, we changed the coercion pretty-printing +rules to show the inserted coercions. + + +\asection{Inheritance Mechanism -- Examples} + + There are three situations: + +\begin{itemize} +\item $(f~a)$ is ill-typed where $f:(x:A)B$ and $a:A'$. If there is a + path coercion between $A'$ and $A$, $(f~a)$ is transformed into + $(f~a')$ where $a'$ is the result of the application of this + path coercion to $a$. + +%\begin{\small} +\begin{coq_example} +Variables C:nat->Set; D:nat->bool->Set; E:bool->Set. +Variable f : (n:nat)(C n) -> (D (S n) true). +Coercion f : C >-> D. +Variable g : (n:nat)(b:bool)(D n b) -> (E b). +Coercion g : D >-> E. +Variable c : (C O). +Variable T : (E true) -> nat. +Check (T c). +\end{coq_example} +%\end{small} + +We give now an example using identity coercions. + +%\begin{small} +\begin{coq_example} +Definition D' := [b:bool](D (S O) b). +Identity Coercion IdD'D : D' >-> D. +Print IdD'D. +Variable d' : (D' true). +Check (T d'). +\end{coq_example} +%\end{small} + + + In the case of functional arguments, we use the monotonic rule of +sub-typing. Approximatively, to coerce $t:(x:A)B$ towards $(x:A')B'$, +one have to coerce $A'$ towards $A$ and $B$ towards $B'$. An example +is given below: + +%\begin{small} +\begin{coq_example} +Variables A,B:Set; h:A->B. +Coercion h : A >-> B. +Variable U : (A -> (E true)) -> nat. +Variable t : B -> (C O). +Check (U t). +\end{coq_example} +%\end{small} + + Remark the changes in the result following the modification of the +previous example. + +%\begin{small} +\begin{coq_example} +Variable U' : ((C O) -> B) -> nat. +Variable t' : (E true) -> A. +Check (U' t'). +\end{coq_example} +%\end{small} + +\item An assumption $x:A$ when $A$ is not a type, is ill-typed. It is + replaced by $x:A'$ where $A'$ is the result of the application + to $A$ of the path coercion between the class of $A$ and {\tt + SORTCLASS} if it exists. This case occurs in the abstraction + $[x:A]t$, universal quantification $(x:A)B$, global variables + and parameters of (co-)inductive definitions and functions. In + $(x:A)B$, such a path coercion may be applied to $B$ also if + necessary. + +%\begin{small} +\begin{coq_example} +Variable Graph : Type. +Variable Node : Graph -> Type. +Coercion Node : Graph >-> SORTCLASS. +Variable G : Graph. +Variable Arrows : G -> G -> Type. +Check Arrows. +Variable fg : G -> G. +Check fg. +\end{coq_example} +%\end{small} + + +\item $(f~a)$ is ill-typed because $f:A$ is not a function. The term + $f$ is replaced by the term obtained by applying to $f$ the path + coercion between $A$ and {\tt FUNCLASS} if it exists. + +%\begin{small} +\begin{coq_example} +Variable bij : Set -> Set -> Set. +Variable ap : (A,B:Set)(bij A B) -> A -> B. +Coercion ap : bij >-> FUNCLASS. +Variable b : (bij nat nat). +Check (b O). +\end{coq_example} +%\end{small} + +Let us see the resulting graph of this session. + +%\begin{small} +\begin{coq_example} +Print Graph. +\end{coq_example} +%\end{small} + +\end{itemize} + + +\asection{Classes as Records} +\index{Coercions!and records} +We allow the definition of {\em Structures with Inheritance} (or +classes as records) by extending the existing {\tt Record} macro +(see section~\ref{Record}). Its new syntax is: + +\begin{center} +\begin{tabular}{l} +{\tt Record \zeroone{>}{\ident} [ {\params} ] : {\sort} := \zeroone{\ident$_0$} \verb+{+} \\ +~~~~\begin{tabular}{l} + {\tt \ident$_1$ $[$:$|$:>$]$ \term$_1$ ;} \\ + ... \\ + {\tt \ident$_n$ $[$:$|$:>$]$ \term$_n$ \verb+}+. } + \end{tabular} +\end{tabular} +\end{center} +The identifier {\ident} is the name of the defined record and {\sort} +is its type. The identifier {\ident$_0$} is the name of its +constructor. The identifiers {\ident$_1$}, .., {\ident$_n$} are the +names of its fields and {\term$_1$}, .., {\term$_n$} their respective +types. The alternative {\tt $[$:$|$:>$]$} is ``{\tt :}'' or ``{\tt +:>}''. If {\tt {\ident$_i$}:>{\term$_i$}}, then {\ident$_i$} is +automatically declared as coercion from {\ident} to the class of +{\term$_i$}. Remark that {\ident$_i$} always verifies the uniform +inheritance condition. The keyword +{\tt Structure}\comindex{Structure} is a synonym of {\tt +Record}. + + +\asection{Coercions and Sections} +\index{Coercions!and sections} + The inheritance mechanism is compatible with the section +mechanism. The global classes and coercions defined inside a section +are redefined after its closing, using their new value and new +type. The classes and coercions which are local to the section are +simply forgotten (no warning message is printed). +Coercions with a local source class or a local target class, and +coercions which do no more verify the uniform inheritance condition +are also forgotten. + +\asection{Examples} + +\begin{itemize} +\item Coercion between inductive types + +\begin{coq_example} +Definition bool_in_nat := [b:bool]if b then O else (S O). +Coercion bool_in_nat : bool >-> nat. +Check O=true. +\end{coq_example} + +\Warning +\item \verb|Check true=O.| fails. This is ``normal'' behaviour of +coercions. To validate \verb|true=O|, the coercion is searched from +\verb=nat= to \verb=bool=. There is no one. + +\item Coercion to a sort + +\begin{coq_eval} +Reset Graph. +\end{coq_eval} +\begin{coq_example} +Variable Graph : Type. +Variable Node : Graph -> Type. +Coercion Node : Graph >-> SORTCLASS. +Variable G : Graph. +Variable Arrows : G -> G -> Type. +Check Arrows. +Variable fg : G -> G. +Check fg. +\end{coq_example} + +\item Coercion to a function + +\begin{coq_example} +Variable bij : Set -> Set -> Set. +Variable ap : (A,B:Set)(bij A B) -> A -> B. +Coercion ap : bij >-> FUNCLASS. +Variable b : (bij nat nat). +Check (b O). +\end{coq_example} + +\item Transitivity of coercion +\begin{coq_eval} +Reset C. +\end{coq_eval} +\begin{coq_example} +Variables C : nat -> Set; D : nat -> bool -> Set; E : bool -> Set. +Variable f : (n:nat)(C n) -> (D (S n) true). +Coercion f : C >-> D. +Variable g : (n:nat)(b:bool)(D n b) -> (E b). +Coercion g : D >-> E. +Variable c : (C O). +Variable T : (E true) -> nat. +Check (T c). +\end{coq_example} + +\item Identity coercion + +\begin{coq_example} +Definition D' := [b:bool](D (S O) b). +Identity Coercion IdD'D : D' >-> D. +Print IdD'D. +Variable d' : (D' true). +Check (T d'). +\end{coq_example} + +\end{itemize} + + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/Extraction.tex b/doc/Extraction.tex new file mode 100755 index 000000000..cb9949d97 --- /dev/null +++ b/doc/Extraction.tex @@ -0,0 +1,557 @@ +\achapter{Execution of extracted programs in Caml and Haskell} +\label{CamlHaskellExtraction} +\aauthor{Benjamin Werner and Jean-Christophe Filliâtre} +\index{Extraction} + +It is possible to use \Coq\ to build certified and relatively +efficient programs, extracting them from the proofs of their +specifications. The extracted objects are terms of \FW, and can be +obtained at the \Coq\ toplevel with the command {\tt Extraction} +(see \ref{Extraction}). + +We present here a \Coq\ module, {\tt Extraction}, which translates the +extracted terms to ML dialects, namely Caml Light, Objective Caml and +Haskell. In the following, we will not refer to a particular dialect +when possible and ``ML'' will be used to refer to any of the target +dialects. + +One builds effective programs in an \FW\ toplevel (actually the \Coq\ +toplevel) which contains the extracted objects and in which one can +import ML objects. Indeed, in order to instantiate and realize \Coq\ +type and term variables, it is possible to import ML +objects in the \FW\ toplevel, as inductive types or axioms. + +\Rem +The current mechanism of extraction of effective programs +from \Coq\ proofs slightly differs from the one in the versions of +\Coq\ anterior to the version V5.8. In these versions, there were an +explicit toplevel for the language {\sf Fml}. Moreover, it was not +possible to import ML objects in this {\sf Fml} toplevel. + + +%\section{Extraction facilities} +% +%(* TO DO *) +% + +\medskip +In the first part of this document we describe the commands of the +{\tt Extraction} module, and we give some examples in the second part. + + +\asection{The {\tt Extraction} module} +\label{Extraction} + +This section explains how to import ML objects, to realize axioms and +finally to generate ML code from the extracted programs of \FW. + +These features do not belong to the core system, and appear as an +independent module called {\tt Extraction.v} (which is compiled during the +installation of the system). So the first thing to do is to load this +module: + +\begin{coq_example*} +Require Extraction. +\end{coq_example*} + +\asubsection{Generating executable ML code} +\comindex{Write Caml File} +\comindex{Write CamlLight File} +\comindex{Write Haskell File} +The \Coq\ commands to generate ML code are: +\begin{center}\begin{tabular}{ll} + {\tt Write Caml File "\str" [ \ident$_1$ \dots\ \ident$_n$ ] + {\it options}.} + & ({\em for Objective Caml\/}) \\ + {\tt Write CamlLight File "\str" [ \ident$_1$ \dots\ \ident$_n$ ] + {\it options}.} & \\ + {\tt Write Haskell File "\str" [ \ident$_1$ \dots\ \ident$_n$ ] + {\it options}.} & \\ +\end{tabular}\end{center} +where \str\ is the name given to the file to be produced (the suffix +{\tt .ml} is added if necessary), and \ident$_1$ \dots\ \ident$_n$ the +names of the constants to be extracted. This list does not need to be +exhaustive: it is automatically completed into a complete and minimal +environment. Remaining axioms are translated into exceptions, and a +warning is printed in that case. In particular, this will be the case +for {\tt False\_rec}. (We will see below how to realize axioms). + +\paragraph{Optimizations.} +Since Caml Light and Objective Caml are strict languages, the extracted +code has to be optimized in order to be efficient (for instance, when +using induction principles we do not want to compute all the recursive +calls but only the needed ones). So an optimization routine will be +called each time the user want to generate Caml programs. Essentially, +it performs constants expansions and reductions. Therefore some +constants will not appear in the resulting Caml program (A warning is +printed for each such constant). To avoid this, just put the constant +name in the previous list \ident$_1$ \dots\ \ident$_n$ and it will not +be expanded. Moreover, three options allow the user to control the +expansion strategy : +\begin{description} + \item[\texttt{noopt}] : specifies not to do any optimization. + \item[\texttt{exact}] : specifies to extract exactly the given + objects (no recursivity). + \item[\texttt{expand [ \ident$_1$ \dots\ \ident$_n$ ]}] : + forces the expansion of the constants \ident$_1$ \dots\ \ident$_n$ + (when it is possible). +\end{description} + + +\asubsection{Realizing axioms} +\comindex{Link} + +It is possible to assume some axioms while developing a proof. Since +these axioms can be any kind of proposition or object type, they may +perfectly well have some computational content. But a program must be +a closed term, and of course the system cannot guess the program which +realizes an axiom. Therefore, it is possible to tell the system +what program (an \FW\ term actually) corresponds to a given \Coq\ +axiom. The command is {\tt Link} and the syntax: +$$\mbox{\tt Link \ident\ := Fwterm.}$$ +where \ident\ is the name of the axiom to realize and Fwterm\ the +term which realizes it. The system checks that this term has the same +type as the axiom \ident, and returns an error if not. This command +attaches a body to an axiom, and can be seen as a transformation of an +axiom into a constant. + +These semantical attachments have to be done {\em before} generating +the ML code. All type variables must be realized, and term variables +which are not realized will be translated into exceptions. + +\Example Let us illustrate this feature on a small +example. Assume that you have a type variable {\tt A} of type \Set: + +\begin{coq_example*} +Parameter A : Set. +\end{coq_example*} + +and that your specification proof assumes that there is an order +relation {\em inf} over that type (which has no computational +content), and that this relation is total and decidable: + +\begin{coq_example*} +Parameter inf : A -> A -> Prop. +Axiom inf_total : (x,y:A) {(inf x y)}+{(inf y x)}. +\end{coq_example*} + +Now suppose that we want to use this specification proof on natural +numbers; this means {\tt A} has to be instantiated by {\tt nat} +and the axiom {\tt inf\_total} will be realized, for instance, using the +order relation {\tt le} on that type and the decidability lemma +{\tt le\_lt\_dec}. Here is how to proceed: + +\begin{coq_example*} +Require Compare_dec. +\end{coq_example*} +\begin{coq_example} +Link A := nat. +Link inf_total := le_lt_dec. +\end{coq_example} + +\Warning There is no rollback on the command {\tt Link}, that +is the semantical attachments are not forgotten when doing a {\tt Reset}, +or a {\tt Restore State} command. This will be corrected in a later +version. + +\asubsection{Importing ML objects} +In order to realize axioms and to instantiate programs on real data +types, like {\tt int}, {\tt string}, \dots\ or more complicated data +structures, one want to import existing ML objects in the \FW\ +environment. The system provides such features, through the commands +{\tt ML Import Constant} and {\tt ML Import Inductive}. +The first one imports an ML +object as a new axiom and the second one adds a new inductive +definition corresponding to an ML inductive type. + +\paragraph{Warning.} +In the case of Caml dialects, the system would be able to check the +correctness of the imported objects by looking into the interfaces +files of Caml modules ({\tt .mli} files), but this feature is not yet +implemented. So one must be careful when declaring the types of the +imported objects. + +\paragraph{Caml names.} +When referencing a Caml object, you can use strings instead of +identifiers. Therefore you can use the double +underscore notation \verb!module__name! (Caml Light objects) +or the dot notation \verb!module.name! (Objective Caml objects) +to precise the module in which lies the object. + + +\asubsection{Importing inductive types} +\comindex{ML Import Inductive} + +The \Coq\ command to import an ML inductive type is: +$$\mbox{\tt ML Import Inductive \ident\ [\ident$_1$ \dots\ \ident$_n$] == % +{\em <Inductive Definition>}.}$$ +where \ident\ is the name of the ML type, \ident$_1$ \dots\ +\ident$_n$ the name of its constructors, and {\tt\em<Inductive + Definition>} the corresponding \Coq\ inductive definition +(see \ref{Inductive} in the Reference Manual for the syntax of +inductive definitions). + +This command inserts the {\tt\em<Inductive Definition>} in the \FW\ +environment, without elimination principles. From that moment, it is +possible to use that type like any other \FW\ object, and in +particular to use it to realize axioms. The names \ident\ \ident$_1$ +\dots\ \ident$_n$ may be different from the names given in the +inductive definition, in order to avoid clash with previous +constants, and are restored when generating the ML code. + +\noindent One can also import mutual inductive types with the command: +$$\begin{array}{rl} + \mbox{\tt ML Import Inductive} & + \mbox{\tt\ident$_1$ [\ident$^1_1$ \dots\ \ident$^1_{n_1}$]} \\ + & \dots \\ + & \mbox{\tt\ident$_k$ [\ident$^k_1$ \dots\ \ident$^k_{n_k}$]} \\ + & \qquad \mbox{\tt== {\em<Mutual Inductive Definition>}.} + \end{array}$$ %$$ + +\begin{Examples} +\item Let us show for instance how to import the + type {\tt bool} of Caml Light booleans: + +\begin{coq_example} +ML Import Inductive bool [ true false ] == + Inductive BOOL : Set := TRUE : BOOL + | FALSE : BOOL. +\end{coq_example} + +Here we changed the names because the type {\tt bool} is already +defined in the initial state of \Coq. + + \item Assuming that one defined the mutual inductive types {\tt +tree} and {\tt forest} in a Caml Light module, one can import them +with the command: + +\begin{coq_example} +ML Import Inductive tree [node] forest [empty cons] == + Mutual [A:Set] Inductive + tree : Set := node : A -> (forest A) -> (tree A) + with + forest : Set := empty : (forest A) + | cons : (tree A) -> (forest A) -> (forest A). +\end{coq_example} + + \item One can import the polymorphic type of Caml Light lists with +the command: +\begin{coq_example} +ML Import Inductive list [nil cons] == + Inductive list [A:Set] : Set := nil : (list A) + | cons : A->(list A)->(list A). +\end{coq_example} + +\Rem One would have to re-define {\tt nil} and {\tt cons} at +the top of its program because these constructors have no name in Caml Light. +\end{Examples} + +\asubsection{Importing terms and abstract types} +\comindex{ML Import Constant} + +The other command to import an ML object is: +$$\mbox{\tt ML Import Constant \ident$_{ML}$\ == \ident\ : Fwterm.}$$ +where \ident$_{ML}$\ is the name of the ML object and Fwterm\ its type in +\FW. This command defines an axiom in \FW\ of name \ident\ and type +Fwterm. + +\Example To import the type {\tt int} of Caml Light +integers, and the $<$ binary relation on this type, just do +\begin{coq_example} +ML Import Constant int == int : Set. +ML Import Constant lt_int == lt_int : int -> int -> BOOL. +\end{coq_example} +assuming that the Caml Light type {\tt bool} is already imported (with the +name {\tt BOOL}, as above). + + +\asubsection{Direct use of ML\ objects} +\comindex{Extract Constant} +\comindex{Extract Inductive} + +Sometimes the user do not want to extract \Coq\ objects to new ML code +but wants to use already existing ML objects. For instance, it is the +case for the booleans, which already exist in ML: the user do not want +to extract the \Coq\ inductive type \texttt{bool} to a new type for +booleans, but wants to use the primitive boolean of ML. + +The command \texttt{Extract} fulfills this requirement. +It allows the user to declare constant and inductive types which will not be +extracted but replaced by ML objects. The syntax is the following +$$ +\begin{tabular}{l} + \mbox{\tt Extract Constant \ident\ => \ident'.} \\ + \mbox{\tt Extract Inductive \ident\ + => \ident' [ \ident'$_1$ \dots \ident'$_n$ ].} +\end{tabular} +$$ %$$ +where \ident\/ is the name of the \Coq\ object and the prime identifiers +the name of the corresponding ML objects (the names between brackets +are the names of the constructors). +Mutually recursive types are declared one by one, in any order. + +\Example +Typical examples are the following: +\begin{coq_example} +Extract Inductive unit => unit [ "()" ]. +Extract Inductive bool => bool [ true false ]. +Extract Inductive sumbool => bool [ true false ]. +\end{coq_example} + + +\asubsection{Differences between \Coq\ and ML type systems} + +\subsubsection{ML types that are not \FW\ types} + +Some ML recursive types have no counterpart in the type system of +\Coq, like types using the record construction, or non positive types +like +\begin{verbatim} +# type T = C of T->T;; +\end{verbatim} +In that case, you cannot import those types as inductive types, and +the only way to do is to import them as abstract types (with {\tt ML +Import}) together with the corresponding building and de-structuring +functions (still with {\tt ML Import Constant}). + + +\subsubsection{Programs that are not ML-typable} + +On the contrary, some extracted programs in \FW\ are not typable in +ML. There are in fact two cases which can be problematic: +\begin{itemize} + \item If some part of the program is {\em very} polymorphic, there + may be no ML type for it. In that case the extraction to ML works + all right but the generated code may be refused by the ML + type-checker. A very well known example is the {\em distr-pair} + function: +$$\mbox{\tt +Definition dp := [A,B:Set][x:A][y:B][f:(C:Set)C->C](f A x,f B y). +}$$ +In Caml Light, for instance, the extracted term is +\verb!let dp x y f = pair((f x),(f y))! and has type +$$\mbox{\tt +dp : 'a -> 'a -> ('a -> 'b) -> ('b,'b) prod +}$$ +which is not its original type, but a restriction. + + \item Some definitions of \FW\ may have no counterpart in ML. This + happens when there is a quantification over types inside the type + of a constructor; for example: +$$\mbox{\tt +Inductive anything : Set := dummy : (A:Set)A->anything. +}$$ +which corresponds to the definition of ML dynamics. +\end{itemize} + +The first case is not too problematic: it is still possible to run the +programs by switching off the type-checker during compilation. Unless +you misused the semantical attachment facilities you should never get +any message like ``segmentation fault'' for which the extracted code +would be to blame. To switch off the Caml type-checker, use the +function {\tt obj\_\_magic} which gives the type {\tt 'a} to any +object; but this implies changing a little the extracted code by hand. + +The second case is fatal. If some inductive type cannot be translated +to ML, one has to change the proof (or possibly to ``cheat'' by +some low-level manipulations we would not describe here). + +We have to say, though, that in most ``realistic'' programs, these +problems do not occur. For example all the programs of the library are +accepted by Caml type-checker except {\tt Higman.v}\footnote{Should + you obtain a not ML-typable program out of a self developed example, + we would be interested in seeing it; so please mail us the example at + {\em coq@pauillac.inria.fr}}. + + +\asection{Some examples} + +We present here few examples of extractions, taken from the {\tt +theories} library of \Coq\ (into the {\tt PROGRAMS} directory). We +choose Caml Light as target language, but all can be done in the other +dialects with slight modifications. + + +\asubsection{Euclidean division} + +The file {\tt Euclid\_prog} contains the proof of Euclidean division +(theorem {\tt eucl\_dev}). The natural numbers defined in the example +files are unary integers defined by two constructors $O$ and $S$: +\begin{coq_example*} +Inductive nat : Set := O : nat | S : nat -> nat. +\end{coq_example*} + +To use the proof, we begin by loading the module {\tt Extraction} and the +file into the \Coq\ environment: + +\begin{coq_eval} +Reset Initial. +AddPath "../theories/DEMOS/PROGRAMS". +\end{coq_eval} +\begin{coq_example*} +Require Extraction. +Require Euclid_prog. +\end{coq_example*} + +This module contains a theorem {\tt eucl\_dev}, and its extracted term +is of type {\tt (b:nat)(a:nat) (di\-veucl a b)}, where {\tt diveucl} is a +type for the pair of the quotient and the modulo. +We can now extract this program to Caml Light: + +\begin{coq_example} +Write CamlLight File "euclid" [ eucl_dev ]. +\end{coq_example} + +This produces a file {\tt euclid.ml} containing all the necessary +definitions until {\tt let eucl\_dev = ..}. Let us play the resulting program: + +\begin{verbatim} +# include "euclid";; +# eucl_dev (S (S O)) (S (S (S (S (S O)))));; +- : diveucl = divex (S (S O), S O) +\end{verbatim} +It is easier to test on Caml Light integers: +\begin{verbatim} +# let rec nat_of = function 0 -> O + | n -> S (nat_of (pred n));; +# let rec int_of = function O -> 0 + | S p -> succ (int_of p);; +# let div a b = match eucl_dev (nat_of b) (nat_of a) with + divex(q,r) -> (int_of q, int_of r);; +div : int -> int -> int * int = <fun> +# div 173 15;; +- : int * int = 11, 8 +\end{verbatim} + +\asubsection{Heapsort} + +Let us see a more complicated example. The file {\tt Heap\_prog.v} +contains the proof of an efficient list sorting algorithm described by +Bjerner. Is is an adaptation of the well-known {\em heapsort} +algorithm to functional languages. We first load the files: + +\begin{coq_eval} +Reset Initial. +\end{coq_eval} +\begin{coq_example*} +Require Extraction. +Require Heap_prog. +\end{coq_example*} + +As we saw it above we have to instantiate or realize by hand some of +the \Coq\ variables, which are in this case the type of the elements +to sort ({\tt List\_Dom}, defined in {\tt List.v}) and the +decidability of the order relation ({\tt inf\_total}). We proceed as +in section \ref{Extraction}: + +\begin{coq_example} +ML Import Constant int == int : Set. +Link List_Dom := int. +ML Import Inductive bool [ true false ] == + Inductive BOOL : Set := TRUE : BOOL + | FALSE : BOOL. +ML Import Constant lt_int == lt_int : int->int->BOOL. +Link inf_total := + [x,y:int]Cases (lt_int x y) of + TRUE => left + | FALSE => right + end. +\end{coq_example} + +Then we extract the Caml Light program + +\begin{coq_example} +Write CamlLight File "heapsort" [ heapsort ]. +\end{coq_example} +and test it +\begin{verbatim} + +# include "heapsort";; +# let rec listn = function 0 -> nil + | n -> cons(random__int 10000,listn (pred n));; +# heapsort (listn 10);; +- : list = cons (136, cons (760, cons (1512, cons (2776, cons (3064, +cons (4536, cons (5768, cons (7560, cons (8856, cons (8952, nil)))))))))) +\end{verbatim} + +Some tests on longer lists (100000 elements) show that the program is +quite efficient for Caml code. + +\asubsection{Balanced trees} + +The file {\tt Avl\_prog.v} contains the proof of insertion in binary +balanced trees (AVL). Here we choose to instantiate such trees on the +type {\tt string} of Caml Light (for instance to get efficient +dictionary); as above we must realize the decidability of the order +relation. It gives the following commands: + +\begin{coq_eval} +Reset Initial. +\end{coq_eval} +\begin{coq_example*} +Require Extraction. +Require Avl_prog. +\end{coq_example*} +\begin{coq_eval} +Pwd. +\end{coq_eval} +\begin{coq_example} +ML Import Constant string == string : Set. +ML Import Inductive bool [ true false ] == + Inductive BOOL : Set := TRUE : BOOL + | FALSE : BOOL. +ML Import Constant lt_string == lt_string : string->string->BOOL. +Link a := string. +Link inf_dec := + [x,y:string]Cases (lt_string x y) of + TRUE => left + | FALSE => right + end. +Write CamlLight File "avl" [rot_d rot_g rot_gd insert]. +\end{coq_example} + +Notice that we do not want the constants {\tt rot\_d}, {\tt rot\_g} +and {\tt rot\_gd} to be expanded in the function {\tt insert}, and +that is why we added them in the list of required functions. It makes +the resulting program clearer, even if it becomes less efficient. + +Let us insert random words in an initially empty tree to check that it +remains balanced: +\begin{verbatim} +% camllight +# include "avl";; +# let add a t = match insert a t with + h_eq x -> x + | h_plus x -> x ;; +# let rdmw () = let s = create_string 5 in + for i = 0 to 4 do + set_nth_char s i (char_of_int (97+random__int 26)) + done ; s ;; +# let rec built = function 0 -> nil + | n -> add (rdmw()) (built (pred n));; +# built 10;; +- : abe = node ("ogccy", node ("gmygy", node ("cwqug", node ("cjyrc", nil, ... + + +# let rec size = function + nil -> 0 + | node(_,t1,t2,_) -> 1+(max (size t1) (size t2)) ;; +# let rec check = function + nil -> true + | node(_,a1,a2,_) -> + let t1 = size a1 and t2 =size a2 in + if abs(t1-t2)>1 then false else (check a1) & (check a2) ;; + +# check (built 100);; +- : bool = true +\end{verbatim} + + +\section{Bugs} + +Surely there are still bugs in the {\tt Extraction} module. +You can send your bug reports directly to the author +(at \textsf{Jean-Christophe.Filliatre$@$lri.fr}) or to the \Coq\ +mailing list (at \textsf{coq$@$pauillac.inria.fr}). + +% $Id$ diff --git a/doc/Library.tex b/doc/Library.tex new file mode 100755 index 000000000..bb9ef22c1 --- /dev/null +++ b/doc/Library.tex @@ -0,0 +1,57 @@ +\documentclass[11pt]{article} + +\input{./title} +\input{./macros} +\input{./library/macros} + +\begin{document} + +\coverpage{The standard library}% +{\ } + +\tableofcontents + +\newpage +\section*{The \Coq\ standard library} + +This document is a short description of the \Coq\ standard library. +This library comes with the system as a complement of the core library +(the {\bf INIT} library ; see the Reference Manual for a description +of this library). It provides a set of modules directly available +through the \verb!Require! command. + +The standard library is composed of the following subdirectories: + +\medskip +\begin{tabular}{lp{10cm}} + {\bf LOGIC} & Classical logic and dependent equality \\ + {\bf ARITH} & Basic Peano arithmetic \\ + {\bf ZARITH} & Binary integers \\ + {\bf BOOL} & Booleans (basic functions and results) \\ + {\bf LISTS} & Monomorphic and polymorphic lists (basic functions and + results), Streams (infinite sequences defined with co-inductive + types) \\ + {\bf SETS} & Sets (classical, constructive, finite, infinite, powerset, + etc.) \\ + {\bf RELATIONS} & Relations (definitions and basic results). There is + a subdirectory about well-founded relations ({\bf WELLFOUNDED}) \\ + {\bf SORTING} & Axiomatizations of sorts \\ + {\bf REALS} & Axiomatization of Real Numbers (classical, basic functions + and results, integer part and fractional part, require ZARITH + library) +\end{tabular} +\medskip + +Each of these subdirectories contains a set of modules, whose +specifications ({\sf Gallina} files) have +been roughly, and automatically, pasted in the following pages. There +is also a version of this document in HTML format on the WWW, which +you can access from the \Coq\ home page at +\texttt{http://pauillac.inria.fr/coq/coq-eng.html}. + + +\input{library/libdoc.tex} + +\end{document} + +% $Id$ diff --git a/doc/Makefile b/doc/Makefile new file mode 100644 index 000000000..611e38d3e --- /dev/null +++ b/doc/Makefile @@ -0,0 +1,273 @@ +# To compile documentation, you need the following tools: +# Dvi: latex (latex2e), bibtex, makeindex, dviselect (package RPM dviutils) +# Ps: dvips, psutils (ftp://ftp.dcs.ed.ac.uk/pub/ajcd/psutils.tar.gz) +# Pdf: pdflatex +# Html: +# - hevea: http://para.inria.fr/~maranget/hevea/ +# - htmlSplit: http://coq.inria.fr/~delahaye +# Rapports INRIA: dviselect, rrkit (par Michel Mauny) + +include ../config + +LATEX=latex +BIBTEX=bibtex +MAKEINDEX=makeindex +PDFLATEX=pdflatex +DOCCOQTOP="../bin/$(ARCH)/coqtop -full -bindir ../bin/$(ARCH)/ -libdir ../" +DOCCOQC=../bin/$(ARCH)/coqc -full -bindir ../bin/$(ARCH)/ -libdir ../ +COQTEX=../bin/$(ARCH)/coq-tex -image $(DOCCOQTOP) -v -sl -small +TEXINPUTS=$(COQTOP)/tools/coq-tex:/usr/local/lib/rrkit/RRINPUTSDIR:.: +ZLIBS=-I ../src/lib/util -I ../src/parsing -I ../src/meta -I ../src/constr \ + -I ../src/typing -I ../src/proofs -I ../src/env -I ../src/tactics \ + -I ../tactics + +INPUTS=./macros.tex ./title.tex ./headers.tex ./Reference-Manual.tex + +LIBFILES=library/Logic.tex library/Datatypes.tex library/Peano.tex \ + library/Wf.tex library/Specif.tex + +REFMANCOQTEXFILES=\ + RefMan-gal.v.tex RefMan-ext.v.tex RefMan-tac.v.tex \ + RefMan-cic.v.tex RefMan-lib.v.tex RefMan-tacex.v.tex \ + RefMan-syn.v.tex RefMan-ppr.v.tex RefMan-tus.v.tex + +COQTEXFILES= Cases.v.tex Coercion.v.tex Extraction.v.tex Program.v.tex\ + Omega.v.tex Natural.v.tex Changes.v.tex Tutorial.v.tex Polynom.v.tex \ + Programs.v.tex + +REFMANFILES= Reference-Manual.tex RefMan-pre.tex RefMan-int.tex \ + RefMan-pro.tex RefMan-oth.tex \ + RefMan-com.tex RefMan-uti.tex RefMan-add.tex \ + $(REFMANCOQTEXFILES) + +REFMAN=Reference-Manual + +#VERSION=V6.3.1 +VERSION=POSITIONNEZ-CETTE-VARIABLE +FTPDOCDIR=/net/pauillac/infosystems/ftp/coq/coq/$(VERSION)/doc +WWWDOCDIR=/net/pauillac/infosystems/www/coq/doc + +FTPDOCS=Changes.dvi.gz Changes.ps.gz \ + Reference-Manual-base.ps.gz Reference-Manual-base.dvi.gz \ + Reference-Manual-addendum.ps.gz Reference-Manual-addendum.dvi.gz\ + Reference-Manual-all.ps.gz Reference-Manual-all.dvi.gz\ + Library.dvi.gz Library.ps.gz\ + Tutorial.dvi.gz Tutorial.ps.gz\ + README all-ps-docs.tar.gz + +FTPHTMLDOCS=doc-html.tar.gz + +######################### +# Principal targets +######################## + +all: demos-programs all-dvi all-pdf + +coq-part: $(REFMANCOQTEXFILES) $(COQTEXFILES) demos-programs library/libdoc.tex + +latex-part: all-dvi + +all-dvi: Tutorial.v.dvi Reference-Manual.dvi Library.dvi Changes.v.dvi + +all-pdf: Tutorial.v.pdf Reference-Manual.pdf Library.pdf Changes.v.pdf + +all-ps: Tutorial.v.ps Reference-Manual.ps Library.ps Changes.v.ps + +all-html: Tutorial.v.html Reference-Manual.html Changes.v.html + + +# dvips et dviselect existent sur loupiac +distrib: + make clean-coq demos-programs + make clean-latex all-dvi all-ps all-pdf compress-latex + make clean-html all-html doc-html.tar.gz html-www + +compress-latex: + sh Reference-Manual.sh + mv -f Reference-Manual.ps Reference-Manual-all.ps + mv -f Tutorial.v.ps Tutorial.ps + mv -f Tutorial.v.dvi Tutorial.dvi + mv -f Reference-Manual.dvi Reference-Manual-all.dvi + mv -f Changes.v.ps Changes.ps + mv -f Changes.v.dvi Changes.dvi + - mv -f Tutorial.v.pdf Tutorial.pdf + - mv -f Changes.v.pdf Changes.pdf + tar cf all-ps-docs.tar Reference-Manual-base.ps \ + Reference-Manual-addendum.ps Changes.ps Tutorial.ps Library.ps + gzip *.ps + gzip *.dvi + gzip *.pdf + gzip all-ps-docs.tar + +Tutorial.v.html: Tutorial.v.tex + hevea ./book-html.sty ./coq-html.sty ./Tutorial.v.tex + +Changes.v.html: Changes.v.tex + hevea ./Changes.v.tex + +Reference-Manual.html: + hevea ./book-html.sty ./coq-html.sty ./Reference-Manual.tex + +doc-html.tar.gz: all-html + - $(MKDIR) coq-docs-html + rm -rf coq-docs-html/* + cp Tutorial.v.html coq-docs-html/tutorial.html + cp Changes.v.html coq-docs-html/changes.html + cp Reference-Manual.html coq-docs-html + (cd coq-docs-html;\ + htmlsplit -N -T "The Coq Proof Assistant Reference Manual"\ + ./Reference-Manual.html; rm ./Reference-Manual.html) + cp cover.html coq-docs-html + tar cf doc-html.tar coq-docs-html + gzip doc-html.tar + +# Pour le site de Coq. +html-www: all-html + - $(MKDIR) www + rm -rf www/* + cp Tutorial.v.html www/tutorial.html + cp Changes.v.html www/changes.html + cp Reference-Manual.html www + (cd www;\ + htmlsplit -N -T "The Coq Proof Assistant Reference Manual"\ + -n ../icons/next.gif -p ../icons/prev.gif -r ../icons/root.gif\ + -s ../icons/sub.gif ./Reference-Manual.html;\ + rm ./Reference-Manual.html) + cp cover.html www + + +clean-refman: + rm -f Reference-Manual.toc Reference-Manual.idx Reference-Manual.atoc\ + Reference-Manual.aux Reference-Manual.bbl Reference-Manual.blg\ + Reference-Manual.ilg Reference-Manual.ind\ + Reference-Manual.tacidx Reference-Manual.tacind\ + Reference-Manual.comidx Reference-Manual.comind\ + Reference-Manual.erridx Reference-Manual.errind\ + Reference-Manual.dvi Reference-Manual.ps\ + Reference-Manual.sh\ + $(REFMANFILES:.tex=.aux) $(REFMANFILES:.tex=.log)\ + $(COQTEXFILES:.tex=.aux) $(COQTEXFILES:.tex=.log) + +clean-latex: clean-refman + rm -f *.dvi *.aux *.log *.bbl *.blg *.ps *.toc *.idx *~ *.ilg *.ind\ + *.dvi.gz *.ps.gz *.pdf *.pdf.gz + +clean-coq: + rm -f *.v.tex avl.ml heapsort.ml euclid.ml library/libdoc.tex *.cm[io] + +clean: clean-coq clean-latex + +clean-html: + rm -f Tutorial.v.html Changes.v.html Reference-Manual.html + +cleanall: clean clean-html + +######################### +# Implicit rules +######################### + +.SUFFIXES: .dvi .tex .v.tex .ps .pdf + +.tex.dvi: + $(LATEX) $< + $(LATEX) $< + +.tex.pdf: + $(PDFLATEX) $< + $(PDFLATEX) $< + +.tex.v.tex: + $(COQTEX) $< + +.dvi.ps: + dvips -o $@ $< + + +########################## +# Dependencies +########################## + +Library.dvi: $(INPUTS) library/libdoc.tex Library.tex +Library.pdf: $(INPUTS) library/libdoc.tex Library.tex + +library/libdoc.tex: + (cd ../theories ; make doc) + +demos-programs: + (cd ../theories/DEMOS/PROGRAMS ; make all) + +Recursive-Definition.v.tex: ./title.tex Recursive-Definition.tex + +Tutorial.v.dvi: ./title.tex Tutorial.tex +Tutorial.v.pdf: ./title.tex Tutorial.tex + +RefMan-ppr.v.tex: ../tactics/eqdecide.cmo + +RefMan-tus.v.tex: ../tactics/EqDecide.vo ../tactics/eqdecide.cmo + +Reference-Manual.ps: Reference-Manual.dvi + +Reference-Manual.dvi: $(INPUTS) $(REFMANFILES) $(COQTEXFILES) biblio.bib + rm -f Reference-Manual.sh + $(LATEX) Reference-Manual + rm Reference-Manual.sh + $(BIBTEX) Reference-Manual + $(LATEX) Reference-Manual + rm Reference-Manual.sh + $(BIBTEX) Reference-Manual + $(LATEX) Reference-Manual + rm Reference-Manual.sh + $(MAKEINDEX) Reference-Manual + $(MAKEINDEX) Reference-Manual.tacidx -o Reference-Manual.tacind + $(MAKEINDEX) Reference-Manual.comidx -o Reference-Manual.comind + $(MAKEINDEX) Reference-Manual.erridx -o Reference-Manual.errind + $(LATEX) Reference-Manual + rm Reference-Manual.sh + $(LATEX) Reference-Manual + +Reference-Manual.pdf: Reference-Manual.dvi + rm -f Reference-Manual.sh + $(PDFLATEX) Reference-Manual.tex + +quick: $(INPUTS) $(REFMANFILES) $(COQTEXFILES) biblio.bib + rm -f Reference-Manual.sh + $(LATEX) Reference-Manual + + +################### +# RT +################### +# Fabrication d'un RT INRIA (utilise rrkit de Michel Mauny) +Reference-Manual-RT.dvi: Reference-Manual.dvi RefMan-cover.tex + dviselect -i Reference-Manual.dvi -o RefMan-body.dvi 3: + $(LATEX) RefMan-cover.tex + set a=`tail -1 Reference-Manual.log`;\ + set a=expr \("$$a" : '.*(\(.*\) pages.*'\) % 2;\ + if test "$$a = 0";\ + then rrkit RefMan-cover.dvi RefMan-body.dvi Reference-Manual-RT.dvi;\ + else rrkit -odd RefMan-cover.dvi RefMan-body.dvi Reference-Manual-RT.dvi;\ + fi + +# Fabrication d'un RT INRIA (utilise rrkit de Michel Mauny) +Tutorial-RT.dvi : Tutorial.v.dvi Tutorial-cover.tex + dviselect -i Tutorial.v.dvi -o Tutorial-body.dvi 3: + $(LATEX) Tutorial-cover.tex + set a=`tail -1 Tutorial.v.log`;\ + set a=expr \("$$a" : '.*(\(.*\) pages.*'\) % 2;\ + if test "$$a = 0";\ + then rrkit Tutorial-cover.dvi Tutorial-body.dvi Tutorial-RT.dvi;\ + else rrkit -odd Tutorial-cover.dvi Tutorial-body.dvi Tutorial-RT.dvi;\ + fi + +################ doc ftp and www installation ############ +doc-ftp-www-install: doc-ftp-install doc-www-install + +doc-ftp-install: + - mkdir $(FTPDOCDIR) + cp $(ALLFTPDOCS) $(FTPHTMLDOCS) $(FTPDOCDIR) + chmod g+w $(FTPDOCDIR)/* + +doc-www-install: + (cd $(WWWDOCDIR); rm -f node*.html main*.html toc.html \ + tutorial.html changes.html cover.html) + cp www/* $(WWWDOCDIR) diff --git a/doc/Natural.tex b/doc/Natural.tex new file mode 100755 index 000000000..69dfab87c --- /dev/null +++ b/doc/Natural.tex @@ -0,0 +1,425 @@ +\achapter{\texttt{Natural} : proofs in natural language} +\aauthor{Yann Coscoy} + +\asection{Introduction} + +\Natural~ is a package allowing the writing of proofs in natural +language. For instance, the proof in \Coq~of the induction principle on pairs +of natural numbers looks like this: + +\begin{coq_example*} +Require Natural. +\end{coq_example*} +\begin{coq_example} +Print nat_double_ind. +\end{coq_example} + +Piping it through the \Natural~pretty-printer gives: + +\comindex{Print Natural} +\begin{coq_example} +Print Natural nat_double_ind. +\end{coq_example} + +\asection{Activating \Natural} + +To enable the printing of proofs in natural language, you should +type under \texttt{coqtop} or \texttt{coqtop -full} the command + +\begin{coq_example*} +Require Natural. +\end{coq_example*} + +By default, proofs are transcripted in english. If you wish to print them +in French, set the French option by + +\comindex{Set Natural} +\begin{coq_example*} +Set Natural French. +\end{coq_example*} + +If you want to go back to English, type in + +\begin{coq_example*} +Set Natural English. +\end{coq_example*} + +Currently, only \verb=French= and \verb=English= are available. + +You may see for example the natural transcription of the proof of +the induction principle on pairs of natural numbers: + +\begin{coq_example*} +Print Natural nat_double_ind. +\end{coq_example*} + +You may also show in natural language the current proof in progress: + +\comindex{Show Natural} +\begin{coq_example} +Goal (n:nat)(le O n). +Induction n. +Show Natural Proof. +\end{coq_example} + +\subsection*{Restrictions} + +For \Natural, a proof is an object of type a proposition (i.e. an +object of type something of type {\tt Prop}). Only proofs are written +in natural language when typing {\tt Print Natural \ident}. All other +objects (the objects of type something which is of type {\tt Set} or +{\tt Type}) are written as usual $\lambda$-terms. + +\asection{Customizing \Natural} + +The transcription of proofs in natural language is mainly a paraphrase of +the formal proofs, but some specific hints in the transcription +can be given. +Three kinds of customization are available. + +\asubsection{Implicit proof steps} + +\subsubsection*{Implicit lemmas} + +Applying a given lemma or theorem \verb=lem1= of statement, say $A +\Rightarrow B$, to an hypothesis, say $H$ (assuming $A$) produces the +following kind of output translation: + +\begin{verbatim} +... +Using lem1 with H we get B. +... +\end{verbatim} + +But sometimes, you may prefer not to see the explicit invocation to +the lemma. You may prefer to see: + +\begin{verbatim} +... +With H we have A. +... +\end{verbatim} + +This is possible by declaring the lemma as implicit. You should type: + +\comindex{Add Natural} +\begin{coq_example*} +Add Natural Implicit lem1. +\end{coq_example*} + +By default, the lemmas \verb=proj1=, \verb=proj2=, \verb=sym_equal= +and \verb=sym_eqT= are declared implicit. To remove a lemma or a theorem +previously declared as implicit, say \verb=lem1=, use the command + +\comindex{Remove Natural} +\begin{coq_example*} +Remove Natural Implicit lem1. +\end{coq_example*} + +To test if the lemma or theorem \verb=lem1= is, or is not, +declared as implicit, type + +\comindex{Test Natural} +\begin{coq_example*} +Test Natural Implicit lem1. +\end{coq_example*} + +\subsubsection*{Implicit proof constructors} + +Let \verb=constr1= be a proof constructor of a given inductive +proposition (or predicate) +\verb=Q= (of type \verb=Prop=). Assume \verb=constr1= proves +\verb=(x:A)(P x)->(Q x)=. Then, applying \verb=constr1= to an hypothesis, +say \verb=H= (assuming \verb=(P a)=) produces the following kind of output: + +\begin{verbatim} +... +By the definition of Q, with H we have (Q a). +... +\end{verbatim} + +But sometimes, you may prefer not to see the explicit invocation to +this constructor. You may prefer to see: + +\begin{verbatim} +... +With H we have (Q a). +... +\end{verbatim} + +This is possible by declaring the constructor as implicit. You should +type, as before: + +\comindex{Add Natural Implicit} +\begin{coq_example*} +Add Natural Implicit constr1. +\end{coq_example*} + +By default, the proposition (or predicate) constructors + +\verb=conj=, \verb=or_introl=, \verb=or_intror=, \verb=ex_intro=, +\verb=exT_intro=, \verb=refl_equal=, \verb=refl_eqT= and \verb=exist= + +\noindent are declared implicit. Note that declaring implicit the +constructor of a datatype (i.e. an inductive type of type \verb=Set=) +has no effect. + +As above, you can remove or test a constant declared implicit. + +\subsubsection*{Implicit inductive constants} + +Let \verb=Ind= be an inductive type (either a proposition (or a +predicate) -- on \verb=Prop= --, or a datatype -- on \verb=Set=). +Suppose the proof proceeds by induction on an hypothesis \verb=h= +proving \verb=Ind= (or more generally \verb=(Ind A1 ... An)=). The +following kind of output is produced: + +\begin{verbatim} +... +With H, we will prove A by induction on the definition of Ind. +Case 1. ... +Case 2. ... +... +\end{verbatim} + +But sometimes, you may prefer not to see the explicit invocation to +\verb=Ind=. You may prefer to see: + +\begin{verbatim} +... +We will prove A by induction on H. +Case 1. ... +Case 2. ... +... +\end{verbatim} + +This is possible by declaring the inductive type as implicit. You should +type, as before: + +\comindex{Add Natural Implicit} +\begin{coq_example*} +Add Natural Implicit Ind. +\end{coq_example*} + +This kind of parameterization works for any inductively defined +proposition (or predicate) or datatype. Especially, it works whatever +the definition is recursive or purely by cases. + +By default, the data type \verb=nat= and the inductive connectives +\verb=and=, \verb=or=, \verb=sig=, \verb=False=, \verb=eq=, +\verb=eqT=, \verb=ex= and \verb=exT= are declared implicit. + +As above, you can remove or test a constant declared implicit. Use +{\tt Remove Natural Contractible $id$} or {\tt Test Natural +Contractible $id$}. + +\asubsection{Contractible proof steps} + +\subsubsection*{Contractible lemmas or constructors} + +Some lemmas, theorems or proof constructors of inductive predicates are +often applied in a row and you obtain an output of this kind: + +\begin{verbatim} +... +Using T with H1 and H2 we get P. + * By H3 we have Q. + Using T with theses results we get R. +... +\end{verbatim} + +where \verb=T=, \verb=H1=, \verb=H2= and \verb=H3= prove statements +of the form \verb=(X,Y:Prop)X->Y->(L X Y)=, \verb=A=, \verb=B= and \verb=C= +respectively (and thus \verb=R= is \verb=(L (L A B) C)=). + +You may obtain a condensed output of the form + +\begin{verbatim} +... +Using T with H1, H2, and H3 we get R. +... +\end{verbatim} + +by declaring \verb=T= as contractible: + +\comindex{Add Natural Contractible} +\begin{coq_example*} +Add Natural Contractible T. +\end{coq_example*} + +By default, the lemmas \verb=proj1=, \verb=proj2= and the proof +constructors \verb=conj=, \verb=or_introl=, \verb=or_intror= are +declared contractible. As for implicit notions, you can remove or +test a lemma or constructor declared contractible. + +\subsubsection*{Contractible induction steps} + +Let \verb=Ind= be an inductive type. When the proof proceeds by +induction in a row, you may obtain an output of this kind: + +\begin{verbatim} +... +We have (Ind A (Ind B C)). +We use definition of Ind in a study in two cases. +Case 1: We have A. +Case 2: We have (Ind B C). + We use definition of Ind in a study of two cases. + Case 2.1: We have B. + Case 2.2: We have C. +... +\end{verbatim} + +You may prefer to see + +\begin{verbatim} +... +We have (Ind A (Ind B C)). +We use definition of Ind in a study in three cases. +Case 1: We have A. +Case 2: We have B. +Case 3: We have C. +... +\end{verbatim} + +This is possible by declaring \verb=Ind= as contractible: + +\begin{coq_example*} +Add Natural Contractible T. +\end{coq_example*} + +By default, only \verb=or= is declared as a contractible inductive +constant. +As for implicit notions, you can remove or test an inductive notion declared +contractible. + +\asubsection{Transparent definitions} + +``Normal'' definitions are all constructions except proofs and proof constructors. + +\subsubsection*{Transparent non inductive normal definitions} + +When using the definition of a non inductive constant, say \verb=D=, the +following kind of output is produced: + +\begin{verbatim} +... +We have proved C which is equivalent to D. +... +\end{verbatim} + +But you may prefer to hide that D comes from the definition of C as +follows: + +\begin{verbatim} +... +We have prove D. +... +\end{verbatim} + +This is possible by declaring \verb=C= as transparent: + +\comindex{Add Natural Transparent} +\begin{coq_example*} +Add Natural Transparent D. +\end{coq_example*} + +By default, only \verb=not= (normally written \verb=~=) is declared as +a non inductive transparent definition. +As for implicit and contractible definitions, you can remove or test a +non inductive definition declared transparent. +Use \texttt{Remove Natural Transparent} \ident or +\texttt{Test Natural Transparent} \ident. + +\subsubsection*{Transparent inductive definitions} + +Let \verb=Ind= be an inductive proposition (more generally: a +predicate \verb=(Ind x1 ... xn)=). Suppose the definition of +\verb=Ind= is non recursive and built with just +one constructor proving something like \verb=A -> B -> Ind=. +When coming back to the definition of \verb=Ind= the +following kind of output is produced: + +\begin{verbatim} +... +Assume Ind (H). + We use H with definition of Ind. + We have A and B. + ... +\end{verbatim} + +When \verb=H= is not used a second time in the proof, you may prefer +to hide that \verb=A= and \verb=B= comes from the definition of +\verb=Ind=. You may prefer to get directly: + +\begin{verbatim} +... +Assume A and B. +... +\end{verbatim} + +This is possible by declaring \verb=Ind= as transparent: + +\begin{coq_example*} +Add Natural Transparent Ind. +\end{coq_example*} + +By default, \verb=and=, \verb=or=, \verb=ex=, \verb=exT=, \verb=sig= +are declared as inductive transparent constants. As for implicit and +contractible constants, you can remove or test an inductive +constant declared transparent. + +As for implicit and contractible constants, you can remove or test an +inductive constant declared transparent. + +\asubsection{Extending the maximal depth of nested text} + +The depth of nested text is limited. To know the current depth, do: + +\comindex{Set Natural Depth} +\begin{coq_example} +Set Natural Depth. +\end{coq_example} + +To change the maximal depth of nested text (for instance to 125) do: + +\begin{coq_example} +Set Natural Depth 125. +\end{coq_example} + +\asubsection{Restoring the default parameterization} + +The command \verb=Set Natural Default= sets back the parameterization tables of +\Natural~ to their default values, as listed in the above sections. +Moreover, the language is set back to English and the max depth of +nested text is set back to its initial value. + +\asubsection{Printing the current parameterization} + +The commands {\tt Print Natural Implicit}, {\tt Print Natural +Contractible} and {\tt Print \\ Natural Transparent} print the list of +constructions declared {\tt Implicit}, {\tt Contractible}, +{\tt Transparent} respectively. + +\asubsection{Interferences with \texttt{Reset}} + +The customization of \texttt{Natural} is dependent of the \texttt{Reset} +command. If you reset the environment back to a point preceding an +\verb=Add Natural ...= command, the effect of the command will be +erased. Similarly, a reset back to a point before a +\verb=Remove Natural ... = command invalidates the removal. + +\asection{Error messages} + +An error occurs when trying to \verb=Print=, to \verb=Add=, to +\verb=Test=, or to \verb=remove= an undefined ident. Similarly, an +error occurs when trying to set a language unknown from \Natural. +Errors may also occur when trying to parameterize the printing of +proofs: some parameterization are effectively forbidden. +Note that to \verb=Remove= an ident absent from a table or to +\verb=Add= to a table an already present ident does not lead to an +error. + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/Omega.tex b/doc/Omega.tex new file mode 100755 index 000000000..286c151c4 --- /dev/null +++ b/doc/Omega.tex @@ -0,0 +1,223 @@ +\achapter{\texttt{Omega}: a solver of quantifier-free problems in +Presburger Arithmetic} +\aauthor{Pierre Crégut} + +\asection{Description of {\tt Omega}} +\tacindex{Omega} +\label{description} + +{\tt Omega}~solves a goal in Presburger arithmetic, ie a universally +quantified formula made of equations and inequations. Equations may +be specified either on the type \verb=nat= of natural numbers or on +the type \verb=Z= of binary-encoded integer numbers. Formulas on +\verb=nat= are automatically injected into \verb=Z=. The procedure +may use any hypothesis of the current proof session to solve the goal. + +Multiplication is handled by {\tt Omega}~but only goals where at +least one of the two multiplicands of products is a constant are +solvable. This is the restriction meaned by ``Presburger arithmetic''. + +If the tactic cannot solve the goal, it fails with an error message. +In any case, the computation eventually stops. + +\asubsection{Arithmetical goals recognized by {\tt Omega}} + +{\tt Omega}~applied only to quantifier-free formulas built from the +connectors + +\begin{quote} +\verb=/\, \/, ~, ->= +\end{quote} + +on atomic formulas. Atomic formulas are built from the predicates + +\begin{quote} +\verb!=, le, lt, gt, ge! +\end{quote} + + on \verb=nat= or from the predicates + +\begin{quote} +\verb!=, <, <=, >, >=! +\end{quote} + + on \verb=Z=. In expressions of type \verb=nat=, {\tt Omega}~recognizes + +\begin{quote} +\verb!plus, minus, mult, pred, S, O! +\end{quote} + +and in expressions of type \verb=Z=, {\tt Omega}~recognizes + +\begin{quote} +\verb!+,_,*, Zs!, and constants. +\end{quote} + +All expressions of type \verb=nat= or \verb=Z= not built on these +operators are considered abstractly as if they +were arbitrary variables of type \verb=nat= or \verb=Z=. + +\asubsection{Messages from {\tt Omega}} +\label{errors} + +When {\tt Omega}~does not solve the goal, one of the following errors +is generated: + +\begin{ErrMsgs} +\item \errindex{Omega can't solve this system}\\ + This may happen if your goal is not quantifier-free (if it is + universally quantified, try {\tt Intros} first; if it contains + existentials quantifiers too, {\tt Omega}\ is not strong enough to solve your + goal). This may happen also if your goal contains arithmetical + operators unknown from {\tt Omega}. Finally, your goal may be really + wrong ! + +\item \errindex{Omega: Not a quantifier-free goal}\\ + If your goal is universally quantified, you should first apply {\tt + Intro} as many time as needed. + +\item \errindex{Omega: Unrecognized predicate or connective:{\rm\sl ident}} + +\item \errindex{Omega: Unrecognized atomic proposition:{\rm\sl prop}} + +\item \errindex{Omega: Can't solve a goal with proposition variables} + +\item \errindex{Omega: Unrecognized proposition} + +\item \errindex{Omega: Can't solve a goal with non-linear products} + +\item \errindex{Omega: Can't solve a goal with equality on {\rm\sl type}} + +\end{ErrMsgs} + +%% Ce code est débranché pour l'instant +%% +% \asubsection{Control over the output} +% There are some flags that can be set to get more information on the procedure + +% \begin{itemize} +% \item \verb=Time= to get the time used by the procedure +% \item \verb=System= to visualize the normalized systems. +% \item \verb=Action= to visualize the actions performed by the OMEGA +% procedure (see \ref{technical}). +% \end{itemize} + +% \comindex{Set Omega Time} +% \comindex{UnSet Omega Time} +% \comindex{Switch Omega Time} +% \comindex{Set Omega System} +% \comindex{UnSet Omega System} +% \comindex{Switch Omega System} +% \comindex{Set Omega Action} +% \comindex{UnSet Omega Action} +% \comindex{Switch Omega Action} + + Use {\tt Set Omega {\rm\sl flag}} to set the flag + {\rm\sl flag}. Use {\tt Unset Omega {\rm\sl flag}} to unset it and +{\tt Switch Omega {\rm\sl flag}} to toggle it. + +\section{Using {\tt Omega}} + +The tactic {\tt Omega}~does not belong to the core system. It should be +loaded by + +\begin{coq_example*} +Require Omega. +\end{coq_example*} + +\example{} + +\begin{coq_example} +Goal (m,n:Z) ~ `1+2*m = 2*n`. +Intros; Omega. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +\example{} + +\begin{coq_example} +Goal (z:Z)`z>0` -> `2*z + 1 > z`. +Intro; Omega. +\end{coq_example} + +Other examples can be found in \verb+$COQLIB/theories/DEMOS/OMEGA+. + +\asection{Technical data} +\label{technical} + +\asubsection{Overview of the tactic} +\begin{itemize} + +\item The goal is negated twice and the first negation is introduced as an + hypothesis. +\item Hypothesis are decomposed in simple equations or inequations. Multiple + goals may result from this phase. +\item Equations and inequations over \verb=nat= are translated over + \verb=Z=, multiple goals may result from the translation of + substraction. +\item Equations and inequations are normalized. +\item Goals are solved by the {\it OMEGA} decision procedure. +\item The script of the solution is replayed. + +\end{itemize} + +\asubsection{Overview of the {\it OMEGA} decision procedure} + +The {\it OMEGA} decision procedure involved in the {\tt Omega}~tactic uses +a small subset of the decision procedure presented in + +\begin{quote} + "The Omega Test: a fast and practical integer programming +algorithm for dependence analysis", William Pugh, Communication of the +ACM , 1992, p 102-114. +\end{quote} + +Here is an overview. +The reader is refered to the original paper for more information. + +\begin{itemize} + +\item Equations and inequations are normalized by division by the GCD of their + coefficients. +\item Equations are eliminated, using the Banerjee test to get a coefficient + equal to one. +\item Note that each inequation defines a half space in the space of real value + of the variables. +\item Inequations are solved by projecting on the hyperspace defined by + cancelling one of the variable. + They are partitioned according to the sign of + the coefficient of the eliminated variable. Pairs of inequations from + different classes define a new edge in the projection. +\item Redundant inequations are eliminated or merged in new equations that can + be eliminated by the Banerjee test. +\item The last two steps are iterated until a contradiction is reached + (success) or there is no more variable to eliminate (failure). + +\end{itemize} + +It may happen that there is a real solution and no integer one. The last +steps of the Omega procedure (dark shadow) are not implemented, so the +decision procedure is only partial. + +\asection{Bugs} + +\begin{itemize} +\item The simplification procedure is very dumb and this results in + many redundant cases to explore. + +\item Much too slow. + +\item Certainely plenty other bugs !! You can report them to + +\begin{quote} + \verb=Pierre.Cregut@cnet.francetelecom.fr= +\end{quote} + +\end{itemize} + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/Polynom.tex b/doc/Polynom.tex new file mode 100644 index 000000000..858b2d67a --- /dev/null +++ b/doc/Polynom.tex @@ -0,0 +1,500 @@ +\achapter{The \texttt{Ring} tactic} +\aauthor{Patrick Loiseleur and Samuel Boutin} +\label{Ring} +\tacindex{Ring} + +This chapter presents the \texttt{Ring} tactic. + +\asection{What does this tactic?} + +\texttt{Ring} does associative-commutative rewriting in ring and semi-ring +structures. Assume you have two binary functions $\oplus$ and $\otimes$ +that are associative and commutative, with $\oplus$ distributive on +$\otimes$, and two constants 0 and 1 that are unities for $\oplus$ and +$\otimes$. A \textit{polynomial} is an expression built on variables $V_0, V_1, +\dots$ and constants by application of $\oplus$ and $\otimes$. + +Let an {\it ordered product} be a product of variables $V_{i_1} \otimes +\ldots \otimes V_{i_n}$ verifying $i_1 \le i_2 \le \dots \le i_n$. Let a +\textit{monomial} be the product of a constant (possibly equal to 1, in +which case we omit it) and an ordered product. We can order the +monomials by the lexicographic order on products of variables. Let a +\textit{canonical sum} be an ordered sum of monomials that are all +different, i.e. each monomial in the sum is strictly less than the +following monomial according to the lexicographic order. It is an easy +theorem to show that every polynomial is equivalent (modulo the ring +properties) to exactly one canonical sum. This canonical sum is called +the \textit{normal form} of the polynomial. So what does \texttt{Ring}? It +normalizes polynomials over any ring or semi-ring structure. The basic +utility of \texttt{Ring} is to simplify ring expressions, so that the user +does not have to deal manually with the theorems of associativity and +commutativity. + +\begin{Examples} +\item In the ring of integers, the normal form of +$x (3 + yx + 25(1 - z)) + zx$ is $28x + (-24)xz + xxy$. +\item For the classical propositional calculus (or the boolean rings) + the normal form is what logicians call \textit{disjunctive normal + form}: every formula is equivalent to a disjunction of + conjunctions of atoms. (Here $\oplus$ is $\vee$, $\otimes$ is + $\wedge$, variables are atoms and the only constants are T and F) +\end{Examples} + +\asection{The variables map} + +It is frequent to have an expression built with + and + $\times$, but rarely on variables only. +Let us associate a number to each subterm of a ring +expression in the \gallina\ language. For example in the ring +\texttt{nat}, consider the expression: + +\begin{quotation} +\begin{verbatim} +(plus (mult (plus (f (5)) x) x) + (mult (if b then (4) else (f (3))) (2))) +\end{verbatim} +\end{quotation} + +\noindent As a ring expression, is has 3 subterms. Give each subterm a +number in an arbitrary order: + +\begin{tabular}{ccl} +0 & $\mapsto$ & \verb|if b then (4) else (f (3))| \\ +1 & $\mapsto$ & \verb|(f (5))| \\ +2 & $\mapsto$ & \verb|x| \\ +\end{tabular} + +\noindent Then normalize the ``abstract'' polynomial + +$$((V_1 \otimes V_2) \oplus V_2) \oplus (V_0 \otimes 2) $$ + +\noindent In our example the normal form is: + +$$(2 \otimes V_0) \oplus (V_1 \otimes V_2) \oplus (V_2 \otimes V_2)$$ + +\noindent Then substitute the variables by their values in the variables map to +get the concrete normal polynomial: + +\begin{quotation} +\begin{verbatim} +(plus (mult (2) (if b then (4) else (f (3)))) + (plus (mult (f (5)) x) (mult x x))) +\end{verbatim} +\end{quotation} + +\asection{Is it automatic?} + +Yes, building the variables map and doing the substitution after +normalizing is automatically done by the tactic. So you can just forget +this paragraph and use the tactic according to your intuition. + +\asection{Concrete usage in \Coq} + +Under a session launched by \texttt{coqtop} or \texttt{coqtop -full}, +load the \texttt{Ring} files with the command: + +\begin{quotation} +\begin{verbatim} +Require Ring. +\end{verbatim} +\end{quotation} + +It does not work under \texttt{coqtop -opt} because the compiled ML +objects used by the tactic are not linked in this binary image, and +dynamic loading of native code is not possible in \ocaml. + +In order to use \texttt{Ring} on naturals, load \texttt{ArithRing} +instead; for binary integers, load the module \texttt{ZArithRing}. + +Then, to normalize the terms $term_1$, \dots, $term_n$ in +the current subgoal, use the tactic: + +\begin{quotation} +\texttt{Ring} $term_1$ \dots{} $term_n$ +\end{quotation} +\tacindex{Ring} + +Then the tactic guesses the type of given terms, the ring theory to +use, the variables map, and replace each term with its normal form. +The variables map is common to all terms + +\Warning \texttt{Ring $term_1$; Ring $term_2$} is not equivalent to +\texttt{Ring $term_1$ $term_2$}. In the latter case the variables map +is shared between the two terms, and common subterm $t$ of $term_1$ +and $term_2$ will have the same associated variable number. + +\begin{ErrMsgs} +\item \errindex{All terms must have the same type} +\item \errindex{Don't know what to do with this goal} +\item \errindex{No Declared Ring Theory for \term.}\\ + \texttt{Use Add [Semi] Ring to declare it}\\ + That happens when all terms have the same type \term, but there is + no declared ring theory for this set. See below. +\end{ErrMsgs} + +\begin{Variants} +\item \texttt{Ring}\\ + That works if the current goal is an equality between two + polynomials. It will normalize both sides of the + equality, solve it if the normal forms are equal and in other cases + try to simplify the equality using \texttt{congr\_eqT} and \texttt{refl\_equal} + to reduce $x + y = x + z$ to $y = z$ and $x * z = x * y$ to $y = z$. + + \ErrMsg\errindex{This goal is not an equality} + +\end{Variants} + +\asection{Add a ring structure} + +It can be done in the \Coq toplevel (No ML file to edit and to link +with \Coq). First, \texttt{Ring} can handle two kinds of structure: +rings and semi-rings. Semi-rings are like rings without an opposite to +addition. Their precise specification (in \gallina) can be found in +the file + +\begin{quotation} +\begin{verbatim} +tactics/contrib/polynom/Ring_theory.v +\end{verbatim} +\end{quotation} + +The typical example of ring is \texttt{Z}, the typical +example of semi-ring is \texttt{nat}. + +The specification of a +ring is divided in two parts: first the record of constants +($\oplus$, $\otimes$, 1, 0, $\ominus$) and then the theorems +(associativity, commutativity, etc.). + +\begin{small} +\begin{flushleft} +\begin{verbatim} +Section Theory_of_semi_rings. + +Variable A : Type. +Variable Aplus : A -> A -> A. +Variable Amult : A -> A -> A. +Variable Aone : A. +Variable Azero : A. +(* There is also a "weakly decidable" equality on A. That means + that if (A_eq x y)=true then x=y but x=y can arise when + (A_eq x y)=false. On an abstract ring the function [x,y:A]false + is a good choice. The proof of A_eq_prop is in this case easy. *) +Variable Aeq : A -> A -> bool. + +Record Semi_Ring_Theory : Prop := +{ SR_plus_sym : (n,m:A)[| n + m == m + n |]; + SR_plus_assoc : (n,m,p:A)[| n + (m + p) == (n + m) + p |]; + + SR_mult_sym : (n,m:A)[| n*m == m*n |]; + SR_mult_assoc : (n,m,p:A)[| n*(m*p) == (n*m)*p |]; + SR_plus_zero_left :(n:A)[| 0 + n == n|]; + SR_mult_one_left : (n:A)[| 1*n == n |]; + SR_mult_zero_left : (n:A)[| 0*n == 0 |]; + SR_distr_left : (n,m,p:A) [| (n + m)*p == n*p + m*p |]; + SR_plus_reg_left : (n,m,p:A)[| n + m == n + p |] -> m==p; + SR_eq_prop : (x,y:A) (Is_true (Aeq x y)) -> x==y +}. +\end{verbatim} +\end{flushleft} +\end{small} + +\begin{small} +\begin{flushleft} +\begin{verbatim} +Section Theory_of_rings. + +Variable A : Type. + +Variable Aplus : A -> A -> A. +Variable Amult : A -> A -> A. +Variable Aone : A. +Variable Azero : A. +Variable Aopp : A -> A. +Variable Aeq : A -> A -> bool. + + +Record Ring_Theory : Prop := +{ Th_plus_sym : (n,m:A)[| n + m == m + n |]; + Th_plus_assoc : (n,m,p:A)[| n + (m + p) == (n + m) + p |]; + Th_mult_sym : (n,m:A)[| n*m == m*n |]; + Th_mult_assoc : (n,m,p:A)[| n*(m*p) == (n*m)*p |]; + Th_plus_zero_left :(n:A)[| 0 + n == n|]; + Th_mult_one_left : (n:A)[| 1*n == n |]; + Th_opp_def : (n:A) [| n + (-n) == 0 |]; + Th_distr_left : (n,m,p:A) [| (n + m)*p == n*p + m*p |]; + Th_eq_prop : (x,y:A) (Is_true (Aeq x y)) -> x==y +}. +\end{verbatim} +\end{flushleft} +\end{small} + +To define a ring structure on A, you must provide an addition, a +multiplication, an opposite function and two unities 0 and 1. + +You must then prove all theorems that make +(A,Aplus,Amult,Aone,Azero,Aeq) +a ring structure, and pack them with the \verb|Build_Ring_Theory| +constructor. + +Finally to register a ring the syntax is: + +\comindex{Add Ring} +\begin{quotation} + \texttt{Add Ring} \textit{A Aplus Amult Aone Azero Ainv Aeq T} + \texttt{[} \textit{c1 \dots cn} \texttt{].} +\end{quotation} + +\noindent where \textit{A} is a term of type \texttt{Set}, +\textit{Aplus} is a term of type \texttt{A->A->A}, +\textit{Amult} is a term of type \texttt{A->A->A}, +\textit{Aone} is a term of type \texttt{A}, +\textit{Azero} is a term of type \texttt{A}, +\textit{Ainv} is a term of type \texttt{A->A}, +\textit{Aeq} is a term of type \texttt{A->bool}, +\textit{T} is a term of type +\texttt{(Ring\_Theory }\textit{A Aplus Amult Aone Azero Ainv + Aeq}\texttt{)}. +The arguments \textit{c1 \dots cn}, +are the names of constructors which define closed terms: a +subterm will be considered as a constant if it is either one of the +terms \textit{c1 \dots cn} or the application of one of these terms to +closed terms. For \texttt{nat}, the given constructors are \texttt{S} +and \texttt{O}, and the closed terms are \texttt{O}, \texttt{(S O)}, +\texttt{(S (S O))}, \ldots + +\begin{Variants} +\item \texttt{Add Semi Ring} \textit{A Aplus Amult Aone Azero Aeq T} + \texttt{[} \textit{c1 \dots\ cn} \texttt{].}\comindex{Add Semi + Ring}\\ + There are two differences with the \texttt{Add Ring} command: + there is no inverse function and the term $T$ must be of type + \texttt{(Semi\_Ring\_Theory }\textit{A Aplus Amult Aone Azero + Aeq}\texttt{)}. + +\item \texttt{Add Abstract Ring} \textit{A Aplus Amult Aone Azero Ainv + Aeq T}\texttt{.}\comindex{Add Abstract Ring}\\ + This command should be used for when the operations of rings are not + computable; for example the real numbers of + \texttt{theories/REALS/}. Here $0+1$ is not beta-reduced to $1$ but + you still may want to \textit{rewrite} it to $1$ using the ring + axioms. The argument \texttt{Aeq} is not used; a good choice for + that function is \verb+[x:A]false+. + +\item \texttt{Add Abstract Semi Ring} \textit{A Aplus Amult Aone Azero + Aeq T}\texttt{.}\comindex{Add Abstract Semi Ring}\\ + +\end{Variants} + +\begin{ErrMsgs} +\item \errindex{Not a valid (semi)ring theory}.\\ + That happens when the typing condition does not hold. +\end{ErrMsgs} + +Currently, the hypothesis is made than no more than one ring structure +may be declared for a given type in \texttt{Set} or \texttt{Type}. +This allows automatic detection of the theory used to achieve the +normalization. On popular demand, we can change that and allow several +ring structures on the same set. + +The table of theories of \texttt{Ring} is compatible with the \Coq\ +sectioning mechanism. If you declare a Ring inside a section, the +declaration will be thrown away when closing the section. +And when you load a compiled file, all the \texttt{Add Ring} +commands of this file that are not inside a section will be loaded. + +The typical example of ring is \texttt{Z}, and the typical example of +semi-ring is \texttt{nat}. Another ring structure is defined on the +booleans. + +\Warning Only the ring of booleans is loaded by default with the +\texttt{Ring} module. To load the ring structure for \texttt{nat}, +load the module \texttt{ArithRing}, and for \texttt{Z}, +load the module \texttt{ZArithRing}. + + +\asection{How does it work?} + +The code of \texttt{Ring} a good example of tactic written using +\textit{reflection} (or \textit{internalization}, it is +synonymous). What is reflection? Basically, it is writing \Coq\ tactics +in \Coq, rather than in \ocaml. From the philosophical point of view, +it is using the ability of the Calculus of Constructions to speak and +reason about itself. +For the \texttt{Ring} tactic we used +\Coq\ as a programming language and also as a proof environment to build a +tactic and to prove it correctness. + +The interested reader is strongly advised to have a look at the file +\texttt{Ring\_normalize.v}. Here a type for polynomials is defined: + +\begin{small} +\begin{flushleft} +\begin{verbatim} +Inductive Type polynomial := + Pvar : idx -> polynomial +| Pconst : A -> polynomial +| Pplus : polynomial -> polynomial -> polynomial +| Pmult : polynomial -> polynomial -> polynomial +| Popp : polynomial -> polynomial. +\end{verbatim} +\end{flushleft} +\end{small} + +There is also a type to represent variables maps, and an +interpretation function, that maps a variables map and a polynomial to an +element of the concrete ring: + +\begin{small} +\begin{flushleft} +\begin{verbatim} +Definition polynomial_simplify := [...] +Definition interp : (varmap A) -> (polynomial A) -> A := [...] +\end{verbatim} +\end{flushleft} +\end{small} + +A function to normalize polynomials is defined, and the big theorem is +its correctness w.r.t interpretation, that is: + +\begin{small} +\begin{flushleft} +\begin{verbatim} +Theorem polynomial_simplify_correct : (v:(varmap A))(p:polynomial) + (interp v (polynomial_simplify p)) + ==(interp v p). +\end{verbatim} +\end{flushleft} +\end{small} + +(The actual code is slightly more complex: for efficiency, +there is a special datatype to represent normalized polynomials, +i.e. ``canonical sums''. But the idea is still the same). + +So now, what is the scheme for a normalization proof? Let \texttt{p} +be the polynomial expression that the user wants to normalize. First a +little piece of ML code guesses the type of \texttt{p}, the ring +theory \texttt{T} to use, an abstract polynomial \texttt{ap} and a +variables map \texttt{v} such that \texttt{p} is +$\beta\delta\iota$-equivalent to \verb|(interp v ap)|. Then we +replace it by \verb|(interp v (polynomial_simplify ap))|, using the +main correctness theorem and we reduce it to a concrete expression +\texttt{p'}, which is the concrete normal form of +\texttt{p}. This is summarized in this diagram: + +\medskip +\begin{tabular}{rcl} +\texttt{p} & $\rightarrow_{\beta\delta\iota}$ + & \texttt{(interp v ap)} \\ + & & $=_{\mathrm{(by\ the\ main\ correctness\ theorem)}}$ \\ +\texttt{p'} + & $\leftarrow_{\beta\delta\iota}$ + & \texttt{(interp v (polynomial\_simplify ap))} +\end{tabular} +\medskip + +The user do not see the right part of the diagram. +From outside, the tactic behaves like a +$\beta\delta\iota$ simplification extended with AC rewriting rules. +Basically, the proof is only the application of the main +correctness theorem to well-chosen arguments. + +\asection{History of \texttt{Ring}} + +First Samuel Boutin designed the tactic \texttt{ACDSimpl}. +This tactic did lot of rewriting. But the proofs +terms generated by rewriting were too big for \Coq's type-checker. +Let us see why: + +\begin{coq_eval} +Require ZArith. +\end{coq_eval} +\begin{coq_example} +Goal (x,y,z:Z)`x + 3 + y + y*z = x + 3 + y + z*y`. +\end{coq_example} +\begin{coq_example*} +Intros; Rewrite (Zmult_sym y z); Reflexivity. +Save toto. +\end{coq_example*} +\begin{coq_example} +Print toto. +\end{coq_example} + +At each step of rewriting, the whole context is duplicated in the proof +term. Then, a tactic that does hundreds of rewriting generates huge proof +terms. Since \texttt{ACDSimpl} was too slow, Samuel Boutin rewrote it +using reflection (see his article in TACS'97 \cite{Bou97}). Later, the +stuff was rewritten by Patrick +Loiseleur: the new tactic does not any more require \texttt{ACDSimpl} +to compile and it makes use of $\beta\delta\iota$-reduction +not only to replace the rewriting steps, but also to achieve the +interleaving of computation and +reasoning (see \ref{DiscussReflection}). He also wrote a +few ML code for the \texttt{Add Ring} command, that allow to register +new rings dynamically. + +Proofs terms generated by \texttt{Ring} are quite small, they are +linear in the number of $\oplus$ and $\otimes$ operations in the +normalized terms. Type-checking those terms requires some time because it +makes a large use of the conversion rule, but +memory requirements are much smaller. + +\asection{Discussion} +\label{DiscussReflection} + +Efficiency is not the only motivation to use reflection +here. \texttt{Ring} also deals with constants, it rewrites for example the +expression $34 + 2*x -x + 12$ to the expected result $x + 46$. For the +tactic \texttt{ACDSimpl}, the only constants were 0 and 1. So the +expression $34 + 2*(x - 1) + 12$ is interpreted as +$V_0 \oplus V_1 \otimes (V_2 \ominus 1) \oplus V_3$, +with the variables mapping +$\{V_0 \mt 34; V_1 \mt 2; V_2 \mt x; V_3 \mt 12 \}$. Then it is +rewritten to $34 - x + 2*x + 12$, very far from the expected +result. Here rewriting is not sufficient: you have to do some kind of +reduction (some kind of \textit{computation}) to achieve the +normalization. + +The tactic \texttt{Ring} is not only faster than a classical one: +using reflection, we get for free integration of computation and +reasoning that would be very complex to implement in the classic fashion. + +Is it the ultimate way to write tactics? +The answer is: yes and no. The \texttt{Ring} tactic +uses intensively the conversion +rule of \CIC, that is replaces proof by computation the most as it is +possible. It can be useful in all situations where a classical tactic +generates huge proof terms. Symbolic Processing and Tautologies are +in that case. But there are also tactics like \texttt{Auto} or +\texttt{Linear}: that do many complex computations, using side-effects +and backtracking, and generate + a small proof term. Clearly, it would be a non-sense to +replace them by tactics using reflection. + +Another argument against the reflection is that \Coq, as a +programming language, has many nice features, like dependent types, +but is very far from the +speed and the expressive power of \ocaml. Wait a minute! With \Coq\ +it is possible to extract ML code from \CIC\ terms, right? So, why not +to link the extracted code with \Coq\ to inherit the benefits of the +reflection and the speed of ML tactics? That is called \textit{total + reflection}, and is still an active research subject. With these +technologies it will become possible to bootstrap the type-checker of +\CIC, but there is still some work to achieve that goal. + +Another brilliant idea from Benjamin Werner: reflection could be used +to couple a external tool (a rewriting program or a model checker) +with \Coq. We define (in \Coq) a type of terms, a type of +\emph{traces}, and prove a correction theorem that states that +\emph{replaying traces} is safe w.r.t some interpretation. Then we let +the external tool do every computation (using side-effects, +backtracking, exception, or others features that are not available in +pure lambda calculus) to produce the trace: now we replay the trace in +Coq{}, and apply the correction lemma. So internalization seems to be +the best way to import \dots{} external proofs! + + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/Program.tex b/doc/Program.tex new file mode 100644 index 000000000..9fd6080b8 --- /dev/null +++ b/doc/Program.tex @@ -0,0 +1,850 @@ +\achapter{The Program Tactic} +\aauthor{Catherine Parent} +\label{Addoc-program} + +The facilities described in this document pertain to a special aspect of +the \Coq\ system: how to associate to a functional program, whose +specification is written in \gallina, a proof of its correctness. + +This methodology is based on the Curry-Howard isomorphism between +functional programs and constructive proofs. This isomorphism allows +the synthesis of a functional program from the constructive part of its +proof of correctness. That is, it is possible to analyze a \Coq\ proof, +to erase all its non-informative parts (roughly speaking, removing the +parts pertaining to sort \Prop, considered as comments, to keep only the +parts pertaining to sort \Set). + +This {\sl realizability interpretation} +was defined by Christine Paulin-Mohring in her PhD dissertation +\cite{Moh89b}, and +implemented as a {\sl program extraction} facility in previous versions of +\Coq~ by Benjamin Werner (see \cite{COQ93}). +However, the corresponding certified program +development methodology was very awkward: the user had to understand very +precisely the extraction mechanism in order to guide the proof construction +towards the desired algorithm. The facilities described in this chapter +attempt to do the reverse: i.e. to try and generate the proof of correctness +from the program itself, given as argument to a specialized tactic. +This work is based on the PhD dissertation of +Catherine Parent (see \cite{CPar95}) + +\asection{Developing certified programs: Motivations} +\label{program_proving} + +We want to develop certified programs automatically proved by the +system. That is to say, instead of giving a specification, an +interactive proof and then extracting a program, the user gives the +program he wants to prove and the corresponding specification. Using +this information, an automatic proof is developed which solves the +``informative'' goals without the help of the user. When the proof is +finished, the extracted program is guaranteed to be correct and +corresponds to the one given by the user. The tactic uses the fact +that the extracted program is a skeleton of its corresponding proof. + +\asection{Using {\tt Program}} +The user has to give two things: the specification (given as usual by +a goal) and the program (see section \ref{program-syntax}). Then, this program +is associated to the current goal (to know which specification it +corresponds to) and the user can use different tactics to develop an +automatic proof. + +\asubsection{\tt Realizer \term.} +\tacindex{Realizer} +\label{Realizer} +This command attaches a program {\term} to the current goal. This is a +necessary step before applying the first time the tactic {\tt +Program}. The syntax of programs is given in section \ref{program-syntax}. +If a program is already attached to the current subgoal, {\tt +Realizer} can be also used to change it. + +\asubsection{\tt Show Program.} +\comindex{Show Program}\label{Show Program} +The command \verb=Show Program= shows the program associated to the +current goal. The variant \verb=Show Program n= shows the program associated to +the nth subgoal. + +\asubsection{\tt Program.} +\tacindex{Program}\label{Program} +This tactics tries to build a proof of the current subgoal from the +program associated to the current goal. This tactic performs +\verb=Intros= then either one \verb=Apply= or one \verb=Elim= +depending on the syntax of the program. The \verb=Program= tactic +generates a list of subgoals which can be either logical or +informative. Subprograms are automatically attached to the informative +subgoals. + +When attached program are not automatically generated, an initial program +has to be given by {\tt Realizer}. + +\begin{ErrMsgs} +\item \errindex{No program associated to this subgoal}\\ +You need to attach a program to the current goal by using {\tt Realizer}. +Perhaps, you already attached a program but a {\tt Restart} or an +{\tt Undo} has removed it. +\item \errindex{Type of program and informative extraction of goal do not coincide} +\item \errindex{Cannot attach a realizer to a logical goal}\\ +The current goal is non informative (it lives in the world {\tt Prop} +of propositions or {\tt Type} of abstract sets) while it should lives +in the world {\tt Set} of computational objects. +\item \errindex{Perhaps a term of the Realizer is not an FW + term}\texttt{ and you then have to replace it by its extraction}\\ +Your program contains non informative subterms. +\end{ErrMsgs} + +\begin{Variants} +\item{\tt Program\_all.} + \tacindex{Program\_all}\label{Program_all}\\ + This tactic is equivalent to the composed tactic + \verb=Repeat (Program OrElse Auto)=. It repeats the \verb=Program= + tactic on every informative subgoal and tries the \verb=Auto= tactic + on the logical subgoals. Note that the work of the \verb=Program= + tactic is considered to be finished when all the informative subgoals + have been solved. This implies that logical lemmas can stay at the end + of the automatic proof which have to be solved by the user. +\item {\tt Program\_Expand} + \tacindex{Program\_Expand}\label{Program_Expand}\\ + The \verb=Program_Expand= tactic transforms the current program into + the same program with the head constant expanded. This tactic + particularly allows the user to force a program to be reduced before + each application of the \verb=Program= tactic. + + \begin{ErrMsgs} + \item \errindex{Not reducible}\\ + The head of the program is not a constant or is an opaque constant. + need to attach a program to the current goal by using {\tt Realizer}. + Perhaps, you already attached a program but a {\tt Restart} or an + {\tt Undo} has removed it. + \end{ErrMsgs} +\end{Variants} + +\asubsection{Hints for {\tt Program}} + +\begin{description} +\item[Mutual inductive types] The \verb=Program= tactic can deal with + mutual inductive types. But, this needs the use of + annotations. Indeed, when associating a mutual fixpoint program to a + specification, the specification is associated to the first (the + outermost) function defined by the fixpoint. But, the specifications + to be associated to the other functions cannot be automatically + derived. They have to be explicitly given by the user as + annotations. See section \ref{program-ex-mutual} for an example. + +\item[Constants] The \verb=Program= tactic is very sensitive to the + status of constants. Constants can be either opaque (their body + cannot be viewed) or transparent. The best of way of doing is to + leave constants opaque (this is the default). If it is needed after, + it is best to use the \verb=Transparent= command {\bf after} having + used the \verb=Program= tactic. +\end{description} + +\asection{Syntax for programs} +\label{program-syntax} +\asubsection{Pure programs} +The language to express programs is called \real\footnote{It + corresponds to \FW\ plus inductive definitions}. Programs are +explicitly typed\footnote{This information is not strictly needed but + was useful for type checking in a first experiment.} like terms +extracted from proofs. Some extra expressions have been added to have +a simpler syntax. + +This is the raw form of what we call pure programs. But, in fact, it +appeared that this simple type of programs is not sufficient. Indeed, +all the logical part useful for the proof is not contained in these +programs. That is why annotated programs are introduced. + +\asubsection{Annotated programs} +The notion of annotation introduces in a program a logical assertion +that will be used for the proof. The aim of the \verb=Program= tactic +is to start from a specification and a program and to generate +subgoals either logical or associated with programs. However, to find +the good specification for subprograms is not at all trivial in +general. For instance, if we have to find an invariant for a loop, or +a well founded order in a recursive call. + +So, annotations add in a program the logical part which is needed for +the proof and which cannot be automatically retrieved. This allows the +system to do proofs it could not do otherwise. + +For this, a particular syntax is needed which is the following: since +they are specifications, annotations follow the same internal syntax +as \Coq~terms. We indicate they are annotations by putting them +between \verb={= and \verb=}= and preceding them with \verb=:: ::=. +Since annotations are \Coq~terms, they can involve abstractions over +logical propositions that have to be declared. Annotated-$\lambda$ +have to be written between \verb=[{= and \verb=}]=. +Annotated-$\lambda$ can be seen like usual $\lambda$-bindings but +concerning just annotations and not \Coq~programs. + +\asubsection{Recursive Programs} +Programs can be recursively defined using the following syntax: \verb=<={\it + type-of-the-result}\verb=> rec= \index{rec@{\tt rec}} {\it + name-of-the-induction-hypothesis} \verb=:: :: {= {\it + well-founded-order-of-the-recursion} \verb=}= and then the body of +the program (see section \ref{program-examples}) which must always begin with +an abstraction [x:A] where A is the type of the arguments of the +function (also on which the ordering relation acts). + +\asubsection{Implicit arguments} + +A synthesis of implicit arguments has been added in order to +allow the user to write a minimum of types in a program. Then, it is +possible not to write a type inside a program term. This type has then +to be automatically synthesized. For this, it is necessary to indicate +where the implicit type to be synthesized appears. The syntax is the +current one of implicit arguments in \Coq: the question mark +\verb+?+. + +This synthesis of implicit arguments is not possible everywhere in a +program. In fact, the synthesis is only available inside a +\verb+Match+, a \verb+Cases+ or a \verb+Fix+ construction (where +\verb+Fix+ is a syntax for defining fixpoints). + +\asubsection{Grammar} +The grammar for programs is described in figure \ref{pgm-syntax}. + +\begin{figure} +\begin{tabular}{lcl} +{\pg} & ::= & {\ident}\\ + & $|$ & {\tt ?} \\ + & $|$ & {\tt [} {\ident} {\tt :} {\pg} {\tt ]} {\pg} \\ + & $|$ & {\tt [} {\ident} {\tt ]} {\pg} \\ + & $|$ & {\tt (} {\ident} {\tt :} {\pg} {\tt )} {\pg} \\ + & $|$ & {\tt (} {\pgs} {\tt )} \\ + & $|$ & {\tt Match} {\pg} {\tt with} {\pgs} {\tt end} \\ + & $|$ & \verb=<={\pg}\verb=>={\tt Match} {\pg} {\tt with} {\pgs} {\tt end} \\ + & $|$ & {\tt Cases} {\pg} {\tt of} \sequence{\eqn} {|} {\tt end} \\ + & $|$ & \verb=<={\pg}\verb=>={\tt Cases} {\pg} {\tt of} + \sequence{\eqn} {|} {\tt end} \\ + & $|$ & {\tt Fix} {\ident} \verb.{.\nelist{\fixpg}{with} \verb.}. \\ + & $|$ & {\tt Cofix} {\ident} \{{\ident} {\tt :} {\pg} {\tt :=} {\pg} + {\tt with} {\ldots} {\tt with} {\ident} {\tt :} {\pg} {\tt :=} {\pg}\} \\ + & $|$ & {\pg} {\tt ::} {\tt ::} \{ {\term} \} \\ + & $|$ & {\tt [\{} {\ident} {\tt :} {\term} {\tt \}]} {\pg} \\ + & $|$ & {\tt let} + {\tt (} {\ident} {\tt ,} {\ldots} {\tt ,} {\ident} {\tt ,} {\dots} + {\tt ,} {\ident} {\tt )} {\tt =} {\pg} {\tt in} {\pg} \\ +% & $|$ & \verb=<={\pg}\verb=>={\tt let} {\tt (} {\ident} {\tt ,} {\ldots} {\tt +% ,} {\ident} {\tt :} {\pg} {\tt ;} {\ldots} {\tt ;} {\ident} {\tt ,} +% {\ldots} {\tt ,} {\ident} {\tt :} {\pg} {\tt )} {\tt =} {\pg} {\tt +% in} {\pg} \\ + & $|$ & \verb=<={\pg}\verb=>={\tt let} {\tt (} {\ident} {\tt ,} + {\ldots} {\tt ,} {\ldots} {\tt ,} {\ident} {\tt )} {\tt =} {\pg} {\tt + in} {\pg} \\ + & $|$ & {\tt if} {\pg} {\tt then} {\pg} {\tt else} {\pg} \\ + & $|$ & \verb=<={\pg}\verb=>={\tt if} {\pg} {\tt then} {\pg} {\tt + else} {\pg} \\ + & $|$ & \verb=<={\pg}\verb=>={\tt rec} {\ident} {\tt ::} {\tt ::} \{ \term \} + {\tt [} {\ident} {\tt :} {\pg} {\tt ]} {\pg} \\ + {\pgs} & ::= & \pg \\ + & $|$ & {\pg} {\pgs}\\ +{\fixpg} & ::= & {\ident} {\tt [} \nelist{\typedidents}{;} {\tt ]} {\tt :} {\pg} {\tt :=} {\pg} \\ + & $|$ & {\ident} {\tt /} {\num} {\tt :} {\pg} {\tt :=} {\pg} {\tt ::} {\tt ::} \{ {\term} \} \\ +{\simplepattern} & ::= & {\ident} \\ + & $|$ & \verb!(! \nelist{\ident}{} \verb!)! \\ +{\eqn} & ::= & {\simplepattern} ~\verb!=>! ~\pg \\ +\end{tabular} +\caption{Syntax of annotated programs} +\label{pgm-syntax} +\end{figure} + +As for {\Coq} terms (see section \ref{term}), {\tt (}{\pgs}{\tt )} +associates to the left. The syntax of {\term} is the one in section. +The infix annotation operator \verb!:: ::! binds more than the +abstraction and product constructions. +\ref{term}. + +The reference to an identifier of the \Coq\ context (in particular a +constant) inside a program of the +language \real\ is a reference to its extracted contents. + +\asection{Examples} +\label{program-examples} +\asubsection{Ackermann Function} +Let us give the specification of Ackermann's function. We want to +prove that for every $n$ and $m$, there exists a $p$ such that +$ack(n,m)=p$ with: + +\begin{eqnarray*} +ack(0,n) & = & n+1 \\ +ack(n+1,0) & = & ack(n,1) \\ +ack(n+1,m+1) & = & ack(n,ack(n+1,m)) +\end{eqnarray*} + +An ML program following this specification can be: + +\begin{verbatim} +let rec ack = function + 0 -> (function m -> Sm) + | Sn -> (function 0 -> ack n 1 + | Sm -> ack n (ack Sn m)) +\end{verbatim} + +Suppose we give the following definition in \Coq~of a ternary relation +\verb=(Ack n m p)= in a Prolog like form representing $p=ack(n,m)$: + +\begin{coq_example*} +Inductive Ack : nat->nat->nat->Prop := + AckO : (n:nat)(Ack O n (S n)) + | AcknO : (n,p:nat)(Ack n (S O) p)->(Ack (S n) O p) + | AckSS : (n,m,p,q:nat)(Ack (S n) m q)->(Ack n q p) + ->(Ack (S n) (S m) p). +\end{coq_example*} +Then the goal is to prove that $\forall n,m .\exists p.(Ack~n~m~p)$, so +the specification is: + +\verb!(n,m:nat){p:nat|(Ack n m p)}!. +The associated {\real} program corresponding to the above ML program can be defined as a fixpoint: +\begin{coq_example*} +Fixpoint ack_func [n:nat] : nat -> nat := + Cases n of + O => [m:nat](S m) + | (S n') => Fix ack_func2 {ack_func2 [m:nat] : nat := + Cases m of + O => (ack_func n' (S O)) + | (S m') => (ack_func n' (ack_func2 m')) + end} + end. +\end{coq_example*} +The program is associated by using \verb=Realizer ack_func=. The +program is automatically expanded. Each realizer which is a constant +is automatically expanded. Then, by repeating the \verb=Program= +tactic, three logical lemmas are generated and are easily solved by +using the property Ack0, Ackn0 and AckSS. +\begin{coq_eval} +Goal (n,m:nat){p:nat|(Ack n m p)}. +Realizer ack_func. +\end{coq_eval} +\begin{coq_example} +Repeat Program. +\end{coq_example} + + +\asubsection{Euclidean Division} +This example shows the use of {\bf recursive programs}. Let us +give the specification of the euclidean division algorithm. We want to +prove that for $a$ and $b$ ($b>0$), there exist $q$ and $r$ such that +$a=b*q+r$ and $b>r$. + +An ML program following this specification can be: +\begin{verbatim} +let div b a = divrec a where rec divrec = function + if (b<=a) then let (q,r) = divrec (a-b) in (Sq,r) + else (0,a) +\end{verbatim} +Suppose we give the following definition in \Coq~which describes what +has to be proved, ie, $\exists q \exists r.~(a=b*q+r \wedge ~b>r)$: +\begin{coq_eval} +Abort. +Require Arith. +\end{coq_eval} +\begin{coq_example*} +Inductive diveucl [a,b:nat] : Set + := divex : (q,r:nat)(a=(plus (mult q b) r))->(gt b r) + ->(diveucl a b). +\end{coq_example*} +The decidability of the ordering relation has to be proved first, by +giving the associated function of type \verb!nat->nat->bool!: +\begin{coq_example*} +Theorem le_gt_dec : (n,m:nat){(le n m)}+{(gt n m)}. +Realizer Fix le_gt_bool {le_gt_bool [n:nat] : nat -> bool := + Cases n of + | O => [m:nat]true + | (S n') => [m:nat]Cases m of + | O => false + | (S m') => (le_gt_bool n' m') + end + end}. +Program_all. +Save. +\end{coq_example*} +Then the specification is \verb!(b:nat)(gt b O)->(a:nat)(diveucl a b)!. +The associated program corresponding to the ML program will be: +\begin{coq_eval} +Definition lt := [n,m:nat](gt m n). +Theorem eucl_dev : (b:nat)(gt b O)->(a:nat)(diveucl a b). +\end{coq_eval} +\begin{coq_example*} +Realizer + [b:nat](<nat*nat>rec div :: :: { lt } + [a:nat]if (le_gt_dec b a) + then let (q,r) = (div (minus a b)) + in ((S q),r) + else (O,a)). +\end{coq_example*} +Where \verb=lt= is the well-founded ordering relation defined by: +\begin{coq_example} +Print lt. +\end{coq_example} +Note the syntax for recursive programs as explained before. The +\verb=rec= construction needs 4 arguments: the type result of the +function (\verb=nat*nat= because it returns two natural numbers) +between \verb=<= and \verb=>=, the name of the induction hypothesis +(which can be used for recursive calls), the ordering relation +\verb=lt= (as an annotation because it is a specification), and the +program itself which must begin with a $\lambda$-abstraction. The +specification of \verb=le_gt_dec= is known because it is a previous +lemma. +The term \verb!(le_gt_dec b a)! is seen by the \verb!Program! tactic +as a term of type \verb!bool! which satisfies the specification +\verb!{(le a b)}+{(gt a b)}!. +The tactics \verb=Program_all= or \verb=Program= can be used, and the +following logical lemmas are obtained: +\begin{coq_example} +Repeat Program. +\end{coq_example} +The subgoals 4, 5 and 6 are resolved by \verb=Auto= (if you use +\verb=Program_all= they don't appear, because \verb=Program_all= tries +to apply \verb=Auto=). The other ones have to be solved by the user. + + +\asubsection{Insertion sort} +This example shows the use of {\bf annotations}. Let us give the +specification of a sorting algorithm. We want to prove that for a +sorted list of natural numbers $l$ and a natural number $a$, we can +build another sorted list $l'$, containing all the elements of $l$ +plus $a$. + +An ML program implementing the insertion sort and following this +specification can be: +\begin{verbatim} +let sort a l = sortrec l where rec sortrec = function + [] -> [a] + | b::l' -> if a<b then a::b::l' else b::(sortrec l') +\end{verbatim} +Suppose we give the following definitions in \Coq: + +First, the decidability of the ordering relation: +\begin{coq_eval} +Restore State Initial. +Require Le. +Require Gt. +\end{coq_eval} +\begin{coq_example*} +Fixpoint inf_dec [n:nat] : nat -> bool := +[m:nat]Cases n of + O => true + | (S n') => Cases m of + O => false + | (S m') => (inf_dec n' m') + end + end. +\end{coq_example*} + +The definition of the type \verb=list=: +\begin{coq_example*} +Inductive list : Set := nil : list | cons : nat -> list -> list. +\end{coq_example*} + +We define the property for an element \verb=x= to be {\bf in} a list +\verb=l= as the smallest relation such that: $\forall a \forall +l~(In~x~l) \Ra (In~x~(a::l))$ and $\forall l~(In~x~(x::l))$. +\begin{coq_example*} +Inductive In [x:nat] : list->Prop + := Inl : (a:nat)(l:list)(In x l) -> (In x (cons a l)) + | Ineq : (l:list)(In x (cons x l)). +\end{coq_example*} + +A list \verb=t'= is equivalent to a list \verb=t= with one added +element \verb=y= iff: $(\forall x~(In~x~t) \Ra (In~x~t'))$ and +$(In~y~t')$ and $\forall x~(In~x~t') \Ra ((In~x~t) \vee y=x)$. The +following definition implements this ternary conjunction. +\begin{coq_example*} +Inductive equiv [y:nat;t,t':list]: Prop := + equiv_cons : + ((x:nat)(In x t)->(In x t')) + -> (In y t') + ->((x:nat)(In x t')->((In x t)\/y=x)) + -> (equiv y t t'). +\end{coq_example*} + +Definition of the property of list to be sorted, still defined +inductively: +\begin{coq_example*} +Inductive sorted : list->Prop + := sorted_nil : (sorted nil) + | sorted_trans : (a:nat)(sorted (cons a nil)) + | sorted_cons : (a,b:nat)(l:list)(sorted (cons b l)) -> (le a b) + -> (sorted (cons a (cons b l))). +\end{coq_example*} +Then the specification is:\\ +\verb!(a:nat)(l:list)(sorted l)->{l':list|(equiv a l l')&(sorted l')}!. + +The associated \real\ program corresponding to the ML program will be: +\begin{coq_eval} +Lemma toto : (a:nat)(l:list)(sorted l)->{l':list|(equiv a l l')&(sorted l')}. +\end{coq_eval} +\begin{coq_example*} +Realizer + Fix list_insert{list_insert [a:nat; l:list] : list := + Cases l of + | nil => (cons a nil) + | (cons b m) => + if (inf_dec b a) :: :: { {(le b a)}+{(gt b a)} } + then (cons b (list_insert a m)) + else (cons a (cons b m)) + end}. +\end{coq_example*} +% Realizer [a:nat][l:list] +% Match l with +% (cons a nil) +% [b,m,H]if (inf_dec b a) :: :: { {(le b a)}+{(gt b a)} } +% then (cons b H) +% else (cons a (cons b m)) +% end. +Note that we have defined \verb=inf_dec= as the program realizing the +decidability of the ordering relation on natural numbers. But, it has +no specification, so an annotation is needed to give this +specification. This specification is used and then the decidability of +the ordering relation on natural numbers has to be proved using the +index program. + +Suppose \verb=Program_all= is used, a few logical +lemmas are obtained (which have to be solved by the user): +\begin{coq_example} +Program_all. +\end{coq_example} + + +\asubsection{Quicksort} +This example shows the use of {\bf programs using previous +programs}. Let us give the specification of Quicksort. We want to +prove that for a list of natural numbers $l$, we can build a sorted +list $l'$, which is a permutation of the previous one. + +An ML program following this specification can be: +\begin{verbatim} +let rec quicksort l = function + [] -> [] + | a::m -> let (l1,l2) = splitting a m in + let m1 = quicksort l1 and + let m2 = quicksort l2 in m1@[a]@m2 +\end{verbatim} +Where \verb=splitting= is defined by: +\begin{verbatim} +let rec splitting a l = function + [] -> ([],[]) + | b::m -> let (l1,l2) = splitting a m in + if a<b then (l1,b::l2) + else (b::l1,l2) +\end{verbatim} +Suppose we give the following definitions in \Coq: + +Declaration of the ordering relation: +\begin{coq_eval} +Restore State Initial. +Require List. +Require Gt. +\end{coq_eval} +\begin{coq_example*} +Variable inf : A -> A -> Prop. +Definition sup := [x,y:A]~(inf x y). +Hypothesis inf_sup : (x,y:A){(inf x y)}+{(sup x y)}. +\end{coq_example*} +Definition of the concatenation of two lists: +\begin{coq_eval} +Save State toto. +\end{coq_eval} +\begin{coq_example*} +Fixpoint app [l:list] : list -> list + := [m:list]Cases l of + nil => m + | (cons a l1) => (cons a (app l1 m)) end. +\end{coq_example*} +\begin{coq_eval} +Restore State toto. +\end{coq_eval} +Definition of the permutation of two lists: +\begin{coq_eval} +Definition mil := [a:A][l,m:list](app l (cons a m)) : A->list->list->list. +Lemma mil_app : (a:A)(l,m,n:list)(mil a l (app m n))=(app (mil a l m) n). + Intros. + Unfold mil. + Elim (ass_app l (cons a m) n). + Auto. +Save. +\end{coq_eval} +\begin{coq_example*} +Inductive permut : list->list->Prop := + permut_nil : (permut nil nil) + |permut_tran : (l,m,n:list)(permut l m)->(permut m n)->(permut l n) + |permut_cmil : (a:A)(l,m,n:list) + (permut l (app m n))->(permut (cons a l) (mil a m n)) + |permut_milc : (a:A)(l,m,n:list) + (permut (app m n) l)->(permut (mil a m n) (cons a l)). +\end{coq_example*} +\begin{coq_eval} +Hints Resolve permut_nil permut_cmil permut_milc. +Lemma permut_cons : (a:A)(l,m:list)(permut l m)->(permut (cons a l) (cons a m)). + Intros. + Change (permut (cons a l) (mil a nil m)). + Auto. +Save. +Hints Resolve permut_cons. +Lemma permut_refl : (l:list)(permut l l). + Induction l ; Auto. +Save. +Hints Resolve permut_refl. +Lemma permut_sym : (l,m:list)(permut l m)->(permut m l). + Intros l m h1 ; Elim h1 ; Auto. + Intros l0 m0 n h2 h3 h4 h5. + Apply permut_tran with m0 ; Auto. +Save. +Hints Immediate permut_sym. +Lemma permut_app1 : (m1,n1,l:list)(permut m1 n1)->(permut (app l m1) (app l n1)). + Intros ; Elim l ; Simpl ; Auto. +Save. +Hints Resolve permut_app1. +Lemma permut_app_mil : (a:A)(l1,m1,l2,m2,n2:list) + (permut (app l1 m1) (app (app l2 m2) n2)) + -> (permut (app (cons a l1) m1) (app (mil a l2 m2) n2)). + Intros ; Simpl. + Elim (mil_app a l2 m2 n2). + Apply permut_cmil. + Elim (app_ass l2 m2 n2) ; Auto. +Save. +Hints Resolve permut_app_mil. +Lemma permut_app_app : (m1,m2,n1,n2 :list) + (permut m1 n1)->(permut m2 n2)->(permut (app m1 m2) (app n1 n2)). + Intros m1 m2 n1 n2 h1 h2. + Elim h1 ; Intros. + Exact h2. + Apply permut_tran with (app m n2) ; Auto. + Apply permut_tran with (app m m2) ; Auto. + Auto. + Apply permut_sym ; Auto. +Save. +Hints Resolve permut_app_app. +Lemma permut_app : (m,m1,m2,n1,n2 :list)(permut m1 n1)->(permut m2 n2)-> + (permut m (app m1 m2))->(permut m (app n1 n2)). + Intros. + Apply permut_tran with (app m1 m2) ; Auto. +Save. +\end{coq_eval} +The definitions \verb=inf_list= and \verb=sup_list= allow to know if +an element is lower or greater than all the elements of a list: +\begin{coq_example*} +Section Rlist_. +Variable R : A->Prop. +Inductive Rlist : list -> Prop := + Rnil : (Rlist nil) + | Rcons : (x:A)(l:list)(R x)->(Rlist l)->(Rlist (cons x l)). +\end{coq_example*} +\begin{coq_eval} +Hints Resolve Rnil Rcons. +Lemma Rlist_app : (m,n:list)(Rlist m)->(Rlist n)->(Rlist (app m n)). + Intros m n h1 h2 ; Elim h1 ; Simpl ; Auto. +Save. +Hints Resolve Rlist_app. +Section Rlist_cons_. +Variable a : A. +Variable l : list. +Hypothesis Rc : (Rlist (cons a l)). +Lemma Rlist_cons : (R a)/\(Rlist l). + Inversion_clear Rc; Auto. +Save. +End Rlist_cons_. +Section Rlist_append. +Variable n,m : list. +Lemma Rlist_appd : (Rlist (app n m))->((Rlist n)/\(Rlist m)). +Elim n ; Simpl; Auto. +Intros a y h1 h2. +Elim (Rlist_cons a (app y m)) ; Auto. +Intros h3 h4; Elim h1 ; Auto. +Save. +End Rlist_append. +Hints Resolve Rlist_appd. +Lemma Rpermut : (m,n:list)(permut m n)->(Rlist m)->(Rlist n). + Intros m n h1 ; Elim h1 ; Unfold mil ; Auto. + Intros a l m0 n0 h2 h3 h4. + Elim (Rlist_cons a l); Auto. + Intros h5 h6; Elim (Rlist_appd m0 n0); Auto. + Intros a l m0 n0 h2 h3 h4. + Elim (Rlist_appd m0 (cons a n0)) ; Auto. + Intros h5 h6; Elim (Rlist_cons a n0) ; Auto. +Save. +\end{coq_eval} +\begin{coq_example*} +End Rlist_. +Hints Resolve Rnil Rcons. +\end{coq_example*} +\begin{coq_eval} +Hints Resolve Rlist_app. +\end{coq_eval} +\begin{coq_example*} +Section Inf_Sup. +Hypothesis x : A. +Hypothesis l : list. +Definition inf_list := (Rlist (inf x) l). +Definition sup_list := (Rlist (sup x) l). +End Inf_Sup. +\end{coq_example*} +\begin{coq_eval} +Hints Unfold inf_list sup_list. +\end{coq_eval} +Definition of the property of a list to be sorted: +\begin{coq_example*} +Inductive sort : list->Prop := + sort_nil : (sort nil) + | sort_mil : (a:A)(l,m:list)(sup_list a l)->(inf_list a m) + ->(sort l)->(sort m)->(sort (mil a l m)). +\end{coq_example*} +\begin{coq_eval} +Hints Resolve sort_nil sort_mil. +Lemma permutapp : (a0:A)(y,l1,l2:list)(permut y (app l1 l2))->(permut (cons a0 y) (app l1 (cons a0 l2))). +Intros. +Exact (permut_cmil a0 y l1 l2 H). +Save. +Hints Resolve permutapp. +Lemma sortmil : (a:A)(x,x0,l1,l2:list)(sup_list a l1)->(inf_list a l2)->(sort x)->(sort x0)->(permut l1 x)->(permut l2 x0)->(sort (mil a x x0)). +Intros. +Apply sort_mil ; Auto. +Unfold sup_list ; Apply Rpermut with l1 ; Auto. +Unfold inf_list ; Apply Rpermut with l2 ; Auto. +Save. +\end{coq_eval} + +\noindent Then the goal to prove is +$\forall l~\exists m~(sort~m) \wedge (permut~l~m)$ and the specification is + +\verb!(l:list){m:list|(sort m)&(permut l m)!. + +\noindent Let us first prove a preliminary lemma. Let us define \verb=ltl= a +well-founded ordering relation. + +\begin{coq_example*} +Definition ltl := [l,m:list](gt (length m) (length l)). +\end{coq_example*} +\begin{coq_eval} +Hints Unfold ltl. +Lemma ltl_cons : (a,a0:A)(l1,y:list)(ltl l1 (cons a y))->(ltl l1 (cons a (cons a0 y))). +Unfold ltl; Simpl; Auto. +Save. +Hints Resolve ltl_cons. +Lemma ltl_cons_cons : (a,a0:A)(l2,y:list)(ltl l2 (cons a y))->(ltl (cons a0 l2) (cons a (cons a0 y))). +Unfold ltl; Simpl; Auto with arith.. +Save. +Hints Resolve ltl_cons_cons. +Require Wf_nat. +\end{coq_eval} +Let us then give a definition of \verb=Splitting_spec= corresponding +to\\ +$\exists l_1 \exists l_2.~(sup\_list~a~l_1) \wedge (inf\_list~a~l_2) +\wedge (l \equiv l_1@l_2) \wedge (ltl~l_1~(a::l)) \wedge +(ltl~l2~(a::l))$ and a theorem on this definition. +\begin{coq_example*} +Inductive Splitting_spec [a:A; l:list] : Set := + Split_intro : (l1,l2:list)(sup_list a l1)->(inf_list a l2) + ->(permut l (app l1 l2)) + ->(ltl l1 (cons a l))->(ltl l2 (cons a l)) + ->(Splitting_spec a l). +\end{coq_example*} +\begin{coq_example*} +Theorem Splitting : (a:A)(l:list)(Splitting_spec a l). +Realizer + Fix split {split [a:A;l:list] : list*list := + Cases l of + | nil => (nil,nil) + | (cons b m) => let (l1,l2) = (split a m) in + if (inf_sup a b) + then (* inf a b *) (l1,(cons b l2)) + else (* sup a b *) ((cons b l1),l2) + end}. +Program_all. +Simpl; Auto. +Save. +\end{coq_example*} +% Realizer [a:A][l:list] +% Match l with +% (* nil *) (nil,nil) +% (* cons *) [b,m,ll]let (l1,l2) = ll in +% if (inf_sup a b) +% then (* inf a b *) (l1,(cons b l2)) +% else (* sup a b *) ((cons b l1),l2) +% end. + +The associated {\real} program to the specification we wanted to first +prove and corresponding to the ML program will be: +\begin{coq_example*} +Lemma Quicksort: (l:list){m:list|(sort m)&(permut l m)}. +Realizer <list>rec quick :: :: { ltl } + [l:list]Cases l of + nil => nil + | (cons a m) => let (l1,l2) = (Splitting a m) in + (mil a (quick l1) (quick l2)) + end. +\end{coq_example*} +Then \verb=Program_all= gives the following logical lemmas (they have +to be resolved by the user): +\begin{coq_example} +Program_all. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +\asubsection{Mutual Inductive Types} +\label{program-ex-mutual} +This example shows the use of {\bf mutual inductive types} with +\verb=Program=. Let us give the specification of trees and forest, and +two predicate to say if a natural number is the size of a tree or a +forest. + +\begin{coq_example*} +Section TreeForest. + +Variable A : Set. + +Mutual Inductive + tree : Set := node : A -> forest -> tree +with forest : Set := empty : forest + | cons : tree -> forest -> forest. + +Mutual Inductive Tree_Size : tree -> nat -> Prop := + Node_Size : (n:nat)(a:A)(f:forest)(Forest_Size f n) + ->(Tree_Size (node a f) (S n)) +with Forest_Size : forest -> nat -> Prop := + Empty_Size : (Forest_Size empty O) +| Cons_Size : (n,m:nat)(t:tree)(f:forest) + (Tree_Size t n) + ->(Forest_Size f m) + ->(Forest_Size (cons t f) (plus n m)). + +Hints Resolve Node_Size Empty_Size Cons_Size. +\end{coq_example*} + +Then, let us associate the two mutually dependent functions to compute +the size of a forest and a tree to the the following specification: + +\begin{coq_example*} +Theorem tree_size_prog : (t:tree){n:nat | (Tree_Size t n)}. + +Realizer [t:tree] +(Fix tree_size{ + tree_size [t:tree] : nat := let (a,f) = t in (S (forest_size f)) + with forest_size /1 : forest -> nat + := ([f:forest]Cases f of + empty => O + | (cons t f') => (plus (tree_size t) (forest_size f')) + end) + :: :: {(f:forest) {n:nat | (Forest_Size f n)}}} + t). +\end{coq_example*} + +It is necessary to add an annotation for the \verb=forest_size= +function. Indeed, the global specification corresponds to the +specification of the \verb=tree_size= function and the specification +of \verb=forest_size= cannot be automatically inferred from the +initial one. + +Then, the \verb=Program_all= tactic can be applied: +\begin{coq_example} +Program_all. +Save. +\end{coq_example} + +% $Id$ + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/Programs.tex b/doc/Programs.tex new file mode 100644 index 000000000..e92dd5931 --- /dev/null +++ b/doc/Programs.tex @@ -0,0 +1,931 @@ +\achapter{Proof of imperative programs} +\aauthor{Jean-Christophe Filliâtre} +\label{Addoc-programs} +\index{Imperative programs!proof of} +\comindex{Correctness} + +%%%%%%%%%%%%%%%% +% Introduction % +%%%%%%%%%%%%%%%% + +This chapter describes a new tactic +to prove the correctness and termination of imperative +programs annotated in a Floyd-Hoare logic style. +This tactic is provided in the \Coq\ module \texttt{Programs}, +which does not belong to the initial state of \Coq. So you must import +it when necessary, with the following command: +$$ +\mbox{\texttt{Require Programs.}} +$$ +If you want to use this tactic with the native-code version of \Coq, +you will have to run the version of \Coq\ with all the tactics, through +the command +$$ +\mbox{\texttt{coqtop -full}} +$$ +\emph{Be aware that this tactic is still very experimental}. + + +%%%%%%%%%%%%%%%%%%%%% +% comment ça marche % +%%%%%%%%%%%%%%%%%%%%% + +\asection{How it works} + +Before going on into details and syntax, let us give a quick overview +of how that tactic works. +Its behavior is the following: you give a +program annotated with logical assertions and the tactic will generate +a bundle of subgoals, called \emph{proof obligations}. Then, if you +prove all those proof obligations, you will establish the correctness and the +termination of the program. +The implementation currently supports traditional imperative programs +with references and arrays on arbitrary purely functional datatypes, +local variables, functions with call-by-value and call-by-variable +arguments, and recursive functions. + +Although it behaves as an implementation of Floyd-Hoare logic, it is not. +The idea of the underlying mechanism is to translate the imperative +program into a partial proof of a proposition of the kind +$$ +\forall \vec{x}. P(\vec{x}) + \Rightarrow \exists(\vec{y},v). Q(\vec{x},\vec{y},v) +$$ +where $P$ and $Q$ stand for the pre- and post-conditions of the +program, $\vec{x}$ and $\vec{y}$ the variables used and modified by +the program and $v$ its result. +Then this partial proof is given to the tactic \texttt{Refine} +(see~\ref{Refine}, page~\pageref{Refine}), which effect is to generate as many +subgoals as holes in the partial proof term. + +\medskip + +The syntax to invoke the tactic is the following: +$$ +\mbox{\tt Correctness} ~~ ident ~~ annotated\_program. +$$ +Notice that this is not exactly a \emph{tactic}, since it does not +apply to a goal. To be more rigorous, it is the combination of a +vernacular command (which creates the goal from the annotated program) +and a tactic (which partially solves it, leaving some proof +obligations to the user). + +Whereas \texttt{Correctness} is not a tactic, the following syntax is +available: +$$ +\mbox{\tt Correctness} ~~ ident ~~ annotated\_program ~ ; ~ tactic. +$$ +In that case, the given tactic is applied on any proof +obligation generated by the first command. + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% Syntaxe de programmes annotes % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +\asection{Syntax of annotated programs} + +\asubsection{Programs} + +The syntax of programs is given in figure~\ref{fig:ProgramsSyntax}. +Basically, the programming language is a purely functional kernel +with an addition of references and arrays on purely functional values. +If you do not consider the logical assertions, the syntax coincide +with \ocaml\ syntax, except for elements of arrays which are written +$t[i]$. In particular, the dereference of a mutable variable $x$ is +written $!x$ and assignment is written \verb!:=! +(for instance, the increment of the variable $x$ will +be written \verb@x := !x + 1@). +Actually, that syntax does not really matters, since it would +be extracted later to real concrete syntax, in different programming +languages. + +\begin{figure}[htbp] + \begin{center} + \leavevmode +$$ +\begin{array}{lrl} + prog & ::= & \verb!{! ~ predicate ~ \verb!}! * + ~ statement ~ [ \verb!{! ~ predicate ~ \verb!}! ] \\ + + & & \\[0.1em] + + statement + & ::= & expression \\ + & | & identifier ~ \verb!:=! ~ prog \\ + & | & identifier ~ \verb![! ~ expression ~ \verb!]! + ~ \verb!:=! ~ prog \\ + & | & \verb!let! ~ identifier ~ \verb!=! ~ \verb!ref! ~ + prog ~ \verb!in! ~ prog \\ + & | & \verb!if! ~ prog ~ \verb!then! ~ prog + ~ [ \verb!else! ~ prog ] \\ + & | & \verb!while! ~ prog ~ \verb!do! + ~ loop\_annot ~ block ~ \verb!done! \\ + & | & \verb!begin! ~ block ~ \verb!end! \\ + & | & \verb!let! ~ identifier ~ \verb!=! ~ prog ~ + \verb!in! ~ prog \\ + & | & \verb!fun! ~ binders ~ \verb!->! ~ prog \\ + & | & \verb!let! ~ \verb!rec! ~ identifier ~ binder ~ \verb!:! + ~ value\_type \\ + & & ~~ \verb!{! ~ \verb!variant! ~ wf\_arg ~ \verb!}! + ~ \verb!=! ~ prog ~ [ \verb!in! ~ prog ] \\ + & | & \verb!(! ~ prog ~~ prog ~ \verb!)! \\ + + & & \\[1em] + + expression + & ::= & identifier \\ + & | & \verb@!@ ~ identifier \\ + & | & identifier ~ \verb![! ~ expression ~ \verb!]! \\ + & | & integer \\ + & | & \verb!(! ~ expression+ \verb!)! \\ + + & & \\[1em] + + block & ::= & block\_statement ~ [ ~ \verb!;! ~ block ~ ] \\ + + & & \\[0.1em] + + block\_statement + & ::= & prog \\ + & | & \verb!label! ~ identifier \\ + & | & \verb!assert! ~ \verb!{! ~ predicate ~ \verb!}! \\ + + & & \\[1em] + + binders & ::= & \verb!(! ~ identifier,\dots,identifier ~ \verb!:! + ~ value\_type ~ \verb!)! + \\ + + & & \\[1em] + + loop\_annot + & ::= & \verb!{! ~ \verb!invariant! ~ predicate ~ + \verb!variant! ~ wf\_arg ~ \verb!}! \\ + & & \\[0.1em] + + wf\_arg & ::= & cic\_term ~ [ \verb!for! ~ cic\_term ] \\ + + & & \\[0.1em] + + predicate & ::= & cci\_term ~ [ \verb!as! ~ identifier ] \\ + + \end{array} +$$ + \caption{Syntax of annotated programs} + \label{fig:ProgramsSyntax} + \end{center} +\end{figure} + + +\paragraph{Syntactic sugar.} + +\begin{itemize} + \item \textbf{Boolean expressions:} + + Boolean expressions appearing in programs (and in particular in + \kw{if} and \kw{while} tests) are arbitrary programs of type \texttt{bool}. + In order to make programs more readable, some syntactic sugar is + provided for the usual logical connectives and the usual order + relations over type \texttt{Z}, with the following syntax: + $$ + \begin{array}{lrl} + prog + & ::= & prog ~ \verb!and! ~ prog \\ + & | & prog ~ \verb!or! ~ prog \\ + & | & \verb!not! ~ prog \\ + & | & expression ~ order\_relation ~ expression \\[1em] + order\_relation + & ::= & \verb!>! ~|~ \verb!>=! ~|~ \verb!<! ~|~ \verb!<=! + ~|~ \verb!=! ~|~ \verb!<>! \\ + \end{array} + $$ + where the order relations have the strongest precedences, + \verb!not! has a stronger precedence than \verb!and!, + and \verb!and! a stronger precedence than \verb!or!. + + Order relations in other types, like \texttt{lt}, \texttt{le}, \dots in + type \texttt{nat}, should be explicited as described in the + paragraph about \emph{Boolean expressions}, page~\pageref{prog:booleans}. + + \item \textbf{Arithmetical expressions:} + + Some syntactic sugar is provided for the usual arithmetic operator + over type \texttt{Z}, with the following syntax: + $$ + \begin{array}{lrl} + prog + & ::= & prog ~ \verb!*! ~ prog \\ + & | & prog ~ \verb!+! ~ prog \\ + & | & prog ~ \verb!-! ~ prog \\ + & | & \verb!-! ~ prog + \end{array} + $$ + where the unary operator \texttt{-} has the strongest precedence, + and \texttt{*} a stronger precedence than \texttt{+} and \texttt{-}. + + Operations in other arithmetical types (such as type \texttt{nat}) + must be explicitly written as applications, like + \texttt{(plus~a~b)}, \texttt{(pred~a)}, etc. + + \item \texttt{if $b$ then $p$} is a shortcut for + \texttt{if $b$ then $p$ else tt}, where \texttt{tt} is the + constant of type \texttt{unit}; + + \item Values in type \texttt{Z} + may be directly written as integers : 0,1,12546,\dots + Negative integers are not recognized and must be written + as \texttt{(Zinv $x$)}; + + \item Multiple application may be written $(f~a_1~\dots~a_n)$, + which must be understood as left-associa\-tive + i.e. as $(\dots((f~a_1)~a_2)\dots~a_n)$. +\end{itemize} + + +\paragraph{Restrictions.} + +You can notice some restrictions with respect to real ML programs: +\begin{enumerate} + \item Binders in functions (recursive or not) are explicitly typed, + and the type of the result of a recursive function is also given. + This is due to the lack of type inference. + + \item Full expressions are not allowed on left-hand side of assignment, but + only variables. Therefore, you can not write +\begin{verbatim} + (if b then x else y) := 0 +\end{verbatim} + But, in most cases, you can rewrite + them into acceptable programs. For instance, the previous program + may be rewritten into the following one: +\begin{verbatim} + if b then x := 0 else y := 0 +\end{verbatim} +\end{enumerate} + + + +%%%%%%%%%%%%%%% +% Type system % +%%%%%%%%%%%%%%% + +\asubsection{Typing} + +The types of annotated programs are split into two kinds: the types of +\emph{values} and the types of \emph{computations}. Those two types +families are recursively mutually defined with the following concrete syntax: +$$ +\begin{array}{lrl} + value\_type + & ::= & cic\_term \\ + & | & {cic\_term} ~ \verb!ref! \\ + & | & \verb!array! ~ cic\_term ~ \verb!of! ~ cic\_term \\ + & | & \verb!fun! ~ \verb!(! ~ x \verb!:! value\_type ~ \verb!)!\!+ + ~ computation\_type \\ + & & \\ + computation\_type + & ::= & \verb!returns! ~ identifier \verb!:! value\_type \\ + & & [\verb!reads! ~ identifier,\ldots,identifier] + ~ [\verb!writes! ~ identifier,\ldots,identifier] \\ + & & [\verb!pre! ~ predicate] ~ [\verb!post! ~ predicate] \\ + & & \verb!end! \\ + & & \\ + predicate + & ::= & cic\_term \\ + & & \\ +\end{array} +$$ + +The typing is mostly the one of ML, without polymorphism. +The user should notice that: +\begin{itemize} + \item Arrays are indexed over the type \texttt{Z} of binary integers + (defined in the module \texttt{ZArith}); + + \item Expressions must have purely functional types, and can not be + references or arrays (but, of course, you can pass mutables to + functions as call-by-variable arguments); + + \item There is no partial application. +\end{itemize} + + +%%%%%%%%%%%%%%%%%% +% Specifications % +%%%%%%%%%%%%%%%%%% + +\asubsection{Specification} + +The specification part of programs is made of different kind of +annotations, which are terms of sort \Prop\ in the Calculus of Inductive +Constructions. + +Those annotations can refer to the values of the variables +directly by their names. \emph{There is no dereference operator ``!'' in +annotations}. Annotations are read with the \Coq\ parser, so you can +use all the \Coq\ syntax to write annotations. For instance, if $x$ +and $y$ are references over integers (in type \texttt{Z}), you can write the +following annotation +$$ +\mbox{\texttt{\{ `0 < x <= x+y` \}}} +$$ +In a post-condition, if necessary, you can refer to the value of the variable +$x$ \emph{before} the evaluation with the notation $x@$. +Actually, it is possible to refer to the value of a variable at any +moment of the evaluation with the notation $x@l$, +provided that $l$ is a \emph{label} previously inserted in your program +(see below the paragraph about labels). + +You have the possibility to give some names to the annotations, with +the syntax +$$ +\texttt{\{ \emph{annotation} as \emph{identifier} \}} +$$ +and then the annotation will be given this name in the proof +obligations. +Otherwise, fresh names are given automatically, of the kind +\texttt{Post3}, \texttt{Pre12}, \texttt{Test4}, etc. +You are encouraged to give explicit names, in order not to have to +modify your proof script when your proof obligations change (for +instance, if you modify a part of the program). + + +\asubsubsection{Pre- and post-conditions} + +Each program, and each of its sub-programs, may be annotated by a +pre-condition and/or a post-condition. +The pre-condition is an annotation about the values of variables +\emph{before} the evaluation, and the post-condition is an annotation +about the values of variables \emph{before} and \emph{after} the +evaluation. Example: +$$ +\mbox{\texttt{\{ `0 < x` \} x := (Zplus !x !x) \{ `x@ < x` \}}} +$$ +Moreover, you can assert some properties of the result of the evaluation +in the post-condition, by referring to it through the name \emph{result}. +Example: +$$ +\mbox{\texttt{(Zs (Zplus !x !x)) \{ (Zodd result) \}}} +$$ + + +\asubsubsection{Loops invariants and variants} + +Loop invariants and variants are introduced just after the \kw{do} +keyword, with the following syntax: +$$ +\begin{array}{l} + \kw{while} ~ B ~ \kw{do} \\ + ~~~ \{ ~ \kw{invariant} ~ I ~~~ \kw{variant} ~ \phi ~ \kw{for} ~ R ~ + \} \\ + ~~~ block \\ + \kw{done} +\end{array} +$$ + +The invariant $I$ is an annotation about the values of variables +when the loop is entered, since $B$ has no side effects ($B$ is a +purely functional expression). Of course, $I$ may refer to values of +variables at any moment before the entering of the loop. + +The variant $\phi$ must be given in order to establish the termination of +the loop. The relation $R$ must be a term of type $A\rightarrow +A\rightarrow\Prop$, where $\phi$ is of type $A$. +When $R$ is not specified, then $\phi$ is assumed to be of type +\texttt{Z} and the usual order relation on natural number is used. + + +\asubsubsection{Recursive functions} + +The termination of a recursive function is justified in the same way as +loops, using a variant. This variant is introduced with the following syntax +$$ +\kw{let} ~ \kw{rec} ~ f ~ (x_1:V_1)\dots(x_n:V_n) : V + ~ \{ ~ \kw{variant} ~ \phi ~ \kw{for} ~ R ~ \} = prog +$$ +and is interpreted as for loops. Of course, the variant may refer to +the bound variables $x_i$. +The specification of a recursive function is the one of its body, $prog$. +Example: +$$ +\kw{let} ~ \kw{rec} ~ fact ~ (x:Z) : Z ~ \{ ~ \kw{variant} ~ x \} = + \{ ~ x\ge0 ~ \} ~ \dots ~ \{ ~ result=x! ~ \} +$$ + + +\asubsubsection{Assertions inside blocks} + +Assertions may be inserted inside blocks, with the following syntax +$$ +\kw{begin} ~ block\_statements \dots; ~ \kw{assert} ~ \{ ~ P ~ \}; + ~ block\_statements \dots ~ \kw{end} +$$ +The annotation $P$ may refer to the values of variables at any labels +known at this moment of evaluation. + + +\asubsubsection{Inserting labels in your program} + +In order to refer to the values of variables at any moment of +evaluation of the program, you may put some \emph{labels} inside your +programs. Actually, it is only necessary to insert them inside blocks, +since this is the only place where side effects can appear. The syntax +to insert a label is the following: +$$ +\kw{begin} ~ block\_statements \dots; ~ \kw{label} ~ L; + ~ block\_statements \dots ~ \kw{end} +$$ +Then it is possible to refer to the value of the variable $x$ at step +$L$ with the notation $x@L$. + +There is a special label $0$ which is automatically inserted at the +beginning of the program. Therefore, $x@0$ will always refer to the +initial value of the variable $x$. + +\medskip + +Notice that this mechanism allows the user to get rid of the so-called +\emph{auxiliary variables}, which are usually widely used in +traditional frameworks to refer to previous values of variables. + + +%%%%%%%%%%%% +% booléens % +%%%%%%%%%%%% + +\asubsubsection{Boolean expressions}\label{prog:booleans} + +As explained above, boolean expressions appearing in \kw{if} and +\kw{while} tests are arbitrary programs of type \texttt{bool}. +Actually, there is a little restriction: a test can not do some side +effects. +Usually, a test if annotated in such a way: +$$ + B ~ \{ \myifthenelse{result}{T}{F} \} +$$ +(The \textsf{if then else} construction in the annotation is the one +of \Coq\ !) +Here $T$ and $F$ are the two propositions you want to get in the two +branches of the test. +If you do not annotate a test, then $T$ and $F$ automatically become +$B=\kw{true}$ and $B=\kw{false}$, which is the usual annotation in +Floyd-Hoare logic. + +But you should take advantages of the fact that $T$ and $F$ may be +arbitrary propositions, or you can even annotate $B$ with any other +kind of proposition (usually depending on $result$). + +As explained in the paragraph about the syntax of boolean expression, +some syntactic sugar is provided for usual order relations over type +\texttt{Z}. When you write $\kw{if} ~ x<y ~ \dots$ in your program, +it is only a shortcut for $\kw{if} ~ (\texttt{Z\_lt\_ge\_bool}~x~y) ~ \dots$, +where \texttt{Z\_lt\_ge\_bool} is the proof of +$\forall x,y:\texttt{Z}. \exists b:\texttt{bool}. + (\myifthenelse{b}{x<y}{x\ge y})$ +i.e. of a program returning a boolean with the expected post-condition. +But you can use any other functional expression of such a type. +In particular, the Programs standard library comes +with a bunch of decidability theorems on type \texttt{nat}: +$$ +\begin{array}{ll} + zerop\_bool & : \forall n:\kw{nat}.\exists b:\texttt{bool}. + \myifthenelse{b}{n=0}{0<n} \\ + nat\_eq\_bool & : \forall n,m:\kw{nat}.\exists b:\texttt{bool}. + \myifthenelse{b}{n=m}{n\not=m} \\ + le\_lt\_bool & : \forall n,m:\kw{nat}.\exists b:\texttt{bool}. + \myifthenelse{b}{n\le m}{m<n} \\ + lt\_le\_bool & : \forall n,m:\kw{nat}.\exists b:\texttt{bool}. + \myifthenelse{b}{n<m}{m\le n} \\ +\end{array} +$$ +which you can combine with the logical connectives. + +It is often the case that you have a decidability theorem over some +type, as for instance a theorem of decidability of equality over some +type $S$: +$$ +S\_dec : (x,y:S)\sumbool{x=y}{\neg x=y} +$$ +Then you can build a test function corresponding to $S\_dec$ using the +operator \texttt{bool\_of\_sumbool} provided with the +\texttt{Prorgams} module, in such a way: +$$ +\texttt{Definition} ~ S\_bool ~ \texttt{:=} + [x,y:S](\texttt{bool\_of\_sumbool} ~ ? ~ ? ~ (S\_dec ~ x ~ y)) +$$ +Then you can use the test function $S\_bool$ in your programs, +and you will get the hypothesis $x=y$ and $\neg x=y$ in the corresponding +branches. +Of course, you can do the same for any function returning some result +in the constructive sum $\sumbool{A}{B}$. + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% variables locales et globales % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +\asection{Local and global variables} + +\asubsection{Global variables} +\comindex{Global Variable} + +You can declare a new global variable with the following command +$$ +\mbox{\texttt{Global Variable}} ~~ x ~ : ~ value\_type. +$$ +where $x$ may be a reference, an array or a function. +\Example +\begin{verbatim} +Parameter N : Z. +Global Variable x : Z ref. +Correctness foo { `x < N` } begin x := (Zmult 2 !x) end { `x < 2*N` }. +\end{verbatim} + +\comindex{Show Programs} +Each time you complete a correctness proof, the corresponding program is +added to the programs environment. You can list the current programs +environment with the command +$$ +\mbox{\texttt{Show Programs.}} +$$ + + +\asubsection{Local variables} + +Local variables are introduced with the following syntax +$$ +\mbox{\texttt{let}} ~ x ~ = ~ \mbox{\texttt{ref}} ~ e_1 +~ \mbox{\texttt{in}} ~ e_2 +$$ +where the scope of $x$ is exactly the program $e_2$. +Notice that, as usual in ML, local variables must be +initialized (here with $e_1$). + +When specifying a program including local variables, you have to take +care about their scopes. Indeed, the following two programs are not +annotated in the same way: +\begin{itemize} + \item $\kw{let} ~ x = e_1 ~ \kw{in} ~ e_2 ~ \spec{Q}$ \\ + The post-condition $Q$ applies to $e_2$, and therefore $x$ may + appear in $Q$; + + \item $(\kw{let} ~ x = e_1 ~ \kw{in} ~ e_2) ~ \spec{Q}$ \\ + The post-condition $Q$ applies to the whole program, and therefore + the local variable $x$ may \emph{not} appear in $Q$ (it is beyond + its scope). +\end{itemize} + + +%%%%%%%%%%%%%%%%% +% Function call % +%%%%%%%%%%%%%%%%% + +\asection{Function call} + +Still following the syntax of ML, the function application is written +$(f ~ a_1 ~ \ldots ~ a_n)$, where $f$ is a function and the $a_i$'s +its arguments. Notice that $f$ and the $a_i$'s may be annotated +programs themselves. + +In the general case, $f$ is a function already specified (either with +\texttt{Global Variable} or with a proof of correctness) and has a +pre-condition $P_f$ and a post-condition $Q_f$. + +As expected, a proof obligation is generated, which correspond to +$P_f$ applied to the values of the arguments, once they are evaluated. + +Regarding the post-condition of $f$, there are different possible cases: +\begin{itemize} + \item either you did not annotate the function call, writing directly + $$(f ~ a_1 ~ \ldots ~ a_n)$$ + and then the post-condition of $f$ is added automatically + \emph{if possible}: indeed, if some arguments of $f$ make side-effects + this is not always possible. In that case, you have to put a + post-condition to the function call by yourself; + + \item or you annotated it with a post-condition, say $Q$: + $$(f ~ a_1 ~ \ldots ~ a_n) ~ \spec{Q}$$ + then you will have to prove that $Q$ holds under the hypothesis that + the post-condition $Q_f$ holds (where both are + instantiated by the results of the evaluation of the $a_i$). + Of course, if $Q$ is exactly the post-condition of $f$ then + the corresponding proof obligation will be automatically + discharged. +\end{itemize} + + +%%%%%%%%%%%% +% Libraries % +%%%%%%%%%%%% + +\asection{Libraries} +\index{Imperative programs!libraries} + +The tactic comes with some libraries, useful to write programs and +specifications. +The first set of libraries is automatically loaded with the module +\texttt{Programs}. Among them, you can find the modules: +\begin{description} + \item[ProgWf]: this module defines a family of relations $Zwf$ on type + \texttt{Z} by + $$(Zwf ~ c) = \lambda x,y. c\le x \land c \le y \land x < y$$ + and establishes that this relation is well-founded for all $c$ + (lemma \texttt{Zwf\_well\_founded}). This lemma is automatically + used by the tactic \texttt{Correctness} when necessary. + When no relation is given for the variant of a loop or a recursive + function, then $(Zwf~0)$ is used \emph{i.e.} the usual order + relation on positive integers. + + \item[Arrays]: this module defines an abstract type \texttt{array} + for arrays, with the corresponding operations \texttt{new}, + \texttt{access} and \texttt{store}. Access in a array $t$ at index + $i$ may be written \texttt{$t$\#[$i$]} in \Coq, and in particular + inside specifications. + This module also provides some axioms to manipulate arrays + expression, among which \texttt{store\_def\_1} and + \texttt{store\_def\_2} allow you to simplify expressions of the + kind \texttt{(access (store $t$ $i$ $v$) $j$)}. +\end{description} + +\noindent Other useful modules, which are not automatically loaded, are the +following: +\begin{description} + \item[Exchange]: this module defines a predicate \texttt{(exchange + $t$ $t'$ $i$ $j$)} which means that elements of indexes $i$ and + $j$ are swapped in arrays $t$ and $t'$, and other left unchanged. + This modules also provides some lemmas to establish this property + or conversely to get some consequences of this property. + + \item[Permut]: this module defines the notion of permutation between + two arrays, on a segment of the arrays (\texttt{sub\_permut}) or + on the whole array (\texttt{permut}). + Permutations are inductively defined as the smallest equivalence + relation containing the transpositions (defined in the module + \texttt{Exchange}). + + \item[Sorted]: this module defines the property for an array to be + sorted, on the whole array (\texttt{sorted\_array}) or on a segment + (\texttt{sub\_sorted\_array}). It also provides a few lemmas to + establish this property. +\end{description} + + + +%%%%%%%%%%%%%% +% Extraction % +%%%%%%%%%%%%%% + +\asection{Extraction} +\index{Imperative programs!extraction of} + +Once a program is proved, one usually wants to run it, and that's why +this implementation comes with an extraction mechanism. +For the moment, there is only extraction to \ocaml\ code. +This functionality is provided by the following module: +$$ +\mbox{\texttt{Require ProgramsExtraction.}} +$$ +This extraction facility extends the extraction of functional programs +(see chapter~\ref{CamlHaskellExtraction}), on which it is based. +Indeed, the extraction of functional terms (\Coq\ objects) is first +performed by the module \texttt{Extraction}, and the extraction of +imperative programs comes after. +Therefore, we have kept the same syntax as for functional terms: +$$ +\mbox{\tt Write Caml File "\str" [ \ident$_1$ \dots\ \ident$_n$ ].} +$$ +where \str\ is the name given to the file to be produced (the suffix +{\tt .ml} is added if necessary), and \ident$_1$ \dots\ \ident$_n$ the +names of the objects to be extracted. +That list may contain functional and imperative objects, and does not need +to be exhaustive. + +Of course, you can use the extraction facilities described in +chapter~\ref{CamlHaskellExtraction}, namely the \texttt{ML Import}, +\texttt{Link} and \texttt{Extract} commands. + + +\paragraph{The case of integers} +There is no use of the \ocaml\ native integers: indeed, it would not be safe +to use the machine integers while the correctness proof is done +with unbounded integers (\texttt{nat}, \texttt{Z} or whatever type). +But since \ocaml\ arrays are indexed over the type \texttt{int} +(the machine integers) arrays indexes are converted from \texttt{Z} +to \texttt{int} when necessary (the conversion is very fast: due +to the binary representation of integers in type \texttt{Z}, it +will never exceed thirty elementary steps). + +And it is also safe, since the size of a \ocaml\ array can not be greater +than the maximum integer ($2^{30}-1$) and since the correctness proof +establishes that indexes are always within the bounds of arrays +(Therefore, indexes will never be greater than the maximum integer, +and the conversion will never produce an overflow). + + +%%%%%%%%%%%% +% Examples % +%%%%%%%%%%%% + +\asection{Examples}\label{prog:examples} + +\asubsection{Computation of $X^n$} + +As a first example, we prove the correctness of a program computing +$X^n$ using the following equations: +$$ +\left\{ +\begin{array}{lcl} +X^{2n} & = & (X^n)^2 \\ +X^{2n+1} & = & X \times (X^n)^2 +\end{array} +\right. +$$ +If $x$ and $n$ are variables containing the input and $y$ a variable that will +contain the result ($x^n$), such a program may be the following one: +\begin{center} + \begin{minipage}{8cm} + \begin{tabbing} + AA\=\kill + $m$ := $!x$ ; $y$ := $1$ ; \\ + \kw{while} $!n \not= 0$ \kw{do} \\ + \> \kw{if} $(odd ~ !n)$ \kw{then} $y$ := $!y \times !m$ ;\\ + \> $m$ := $!m \times !m$ ; \\ + \> $n$ := $!n / 2$ \\ + \kw{done} \\ + \end{tabbing} + \end{minipage} +\end{center} + + +\paragraph{Specification part.} + +Here we choose to use the binary integers of \texttt{ZArith}. +The exponentiation $X^n$ is defined, for $n \ge 0$, in the module +\texttt{Zpower}: +\begin{coq_example*} +Require ZArith. +Require Zpower. +\end{coq_example*} + +In particular, the module \texttt{ZArith} loads a module \texttt{Zmisc} +which contains the definitions of the predicate \texttt{Zeven} and +\texttt{Zodd}, and the function \texttt{Zdiv2}. +This module \texttt{ProgBool} also contains a test function +\texttt{Zeven\_odd\_bool} of type +$\forall n. \exists b. \myifthenelse{b}{(Zeven~n)}{(Zodd~n)}$ +derived from the proof \texttt{Zeven\_odd\_dec}, +as explained in section~\ref{prog:booleans}: + +\begin{coq_eval} +Require Ring. +\end{coq_eval} + + +\paragraph{Correctness part.} + +Then we come to the correctness proof. We first import the \Coq\ +module \texttt{Programs}: +\begin{coq_example*} +Require Programs. +\end{coq_example*} +\begin{coq_eval} +Definition Zsquare := [n:Z](Zmult n n). +Definition Zdouble := [n:Z]`2*n`. +\end{coq_eval} + +Then we introduce all the variables needed by the program: +\begin{coq_example*} +Parameter x : Z. +Global Variable n,m,y : Z ref. +\end{coq_example*} + +At last, we can give the annotated program: +\begin{coq_example} +Correctness i_exp + { `n >= 0` } + begin + m := x; y := 1; + while !n > 0 do + { invariant (Zpower x n@0)=(Zmult y (Zpower m n)) /\ `n >= 0` + variant n } + (if not (Zeven_odd_bool !n) then y := (Zmult !y !m)) + { (Zpower x n@0) = (Zmult y (Zpower m (Zdouble (Zdiv2 n)))) }; + m := (Zsquare !m); + n := (Zdiv2 !n) + done + end + { y=(Zpower x n@0) } +. +\end{coq_example} + +The proof obligations require some lemmas involving \texttt{Zpower} and +\texttt{Zdiv2}. You can find the whole proof in the \Coq\ standard +library (see below). +Let us make some quick remarks about this program and the way it was +written: +\begin{itemize} + \item The name \verb!n@0! is used to refer to the initial value of + the variable \verb!n!, as well inside the loop invariant as in + the post-condition; + + \item Purely functional expressions are allowed anywhere in the + program and they can use any purely informative \Coq\ constants; + That is why we can use \texttt{Zmult}, \texttt{Zsquare} and + \texttt{Zdiv2} in the programs even if they are not other functions + previously introduced as programs. +\end{itemize} + + +\asubsection{A recursive program} + +To give an example of a recursive program, let us rewrite the previous +program into a recursive one. We obtain the following program: +\begin{center} + \begin{minipage}{8cm} + \begin{tabbing} + AA\=AA\=AA\=\kill + \kw{let} \kw{rec} $exp$ $x$ $n$ = \\ + \> \kw{if} $n = 0$ \kw{then} \\ + \> \> 1 \\ + \> \kw{else} \\ + \> \> \kw{let} $y$ = $(exp ~ x ~ (n/2))$ \kw{in} \\ + \> \> \kw{if} $(even ~ n)$ \kw{then} $y\times y$ + \kw{else} $x\times (y\times y)$ \\ + \end{tabbing} + \end{minipage} +\end{center} + +This recursive program, once it is annotated, is given to the +tactic \texttt{Correctness}: +\begin{coq_eval} +Reset n. +\end{coq_eval} +\begin{coq_example} +Correctness r_exp + let rec exp (x:Z) (n:Z) : Z { variant n } = + { `n >= 0` } + (if n = 0 then + 1 + else + let y = (exp x (Zdiv2 n)) in + (if (Zeven_odd_bool n) then + (Zmult y y) + else + (Zmult x (Zmult y y))) { result=(Zpower x n) } + ) + { result=(Zpower x n) } +. +\end{coq_example} + +You can notice that the specification is simpler in the recursive case: +we only have to give the pre- and post-conditions --- which are the same +as for the imperative version --- but there is no annotation +corresponding to the loop invariant. +The other two annotations in the recursive program are added for the +recursive call and for the test inside the \textsf{let in} construct +(it can not be done automatically in general, +so the user has to add it by himself). + + +\asubsection{Other examples} + +You will find some other examples with the distribution of the system +\Coq, in the sub-directory \verb!tactics/programs/EXAMPLES! of the +\Coq\ standard library. Those examples are mostly programs to compute +the factorial and the exponentiation in various ways (on types \texttt{nat} +or \texttt{Z}, in imperative way or recursively, with global +variables or as functions, \dots). + +There are also some bigger correctness developments in the +\Coq\ contributions, which are available on the web page +\verb!coq.inria.fr/contribs!. +for the moment, you can find: +\begin{itemize} + \item A proof of \emph{insertion sort} by Nicolas Magaud, ENS Lyon; + \item A proof of \emph{quicksort} and \emph{find} by the author. +\end{itemize} + + +%%%%%%%%%%%%%%% +% BUG REPORTS % +%%%%%%%%%%%%%%% + +\asection{Bugs} + +\begin{itemize} + \item There is no discharge mechanism for programs; so you + \emph{cannot} do a program's proof inside a section (actually, + you can do it, but your program will not exist anymore after having + closed the section). +\end{itemize} + +Surely there are still many bugs in this implementation. +Please send bug reports to \textsf{Jean-Christophe.Filliatre$@$lri.fr}. +Don't forget to send the version of \Coq\ used (given by +\texttt{coqtop -v}) and a script producing the bug. + + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/README b/doc/README new file mode 100755 index 000000000..832e6167c --- /dev/null +++ b/doc/README @@ -0,0 +1,45 @@ +You can get the whole documentation of Coq in the tar file all-ps-docs.tar. + +You can also get separately each document. The documentation of Coq +V6.3.1 is divided into the following documents : + + * Tutorial.ps: An introduction to the use of the Coq Proof Assistant; + + * Reference-Manual-base.ps: 215 pp., includes + + - the description of Gallina, the language of Coq + - the description of the Vernacular, the commands of Coq + - the description of each tactic + - chapters about Grammar/Syntax extentions and Writing tactics + - index on tactics, commands and error messages + + * Reference-Manual-addendum.ps, 75 pp., includes more detailed + explanations and examples about the following topics: + + - the extended Cases (C.Cornes) + - the Coercions (A. Saïbi) + - the tactic Omega (P. Crégut) + - printing proofs in natural language (Y. Coscoy) + - the tactic Ring (S. Boutin and P. Loiseleur) + - the Program tactic (C. Parent) + - the Correctness tactic (J.-C. Filliâtre) + - the extraction features (J.-C. Filliâtre) + + Index, page and chapter numbers are shared by the two documents, in + order to make cross-references possible. There is also a on the ftp + server a Postscript file Reference-Manual-all.ps that contains the two + documents (base and addendum). + + * Library.ps: A description of the Coq standard library; + + * Changes.ps: A description of the differences between the + versions V6.3 and V6.3.1; + + * rectypes.ps : A tutorial on recursive types by Eduardo Gimenez + +Documentation is also available in the DVI format (you can get the DVI docs +separately or in the tar file all-dvi.docs.tar). + +The Reference Manual and the Tutorial are also available in HTML format +(online at http://coq.inria.fr or by ftp in the file doc-html.tar.gz). + diff --git a/doc/Recursive-Definition.tex b/doc/Recursive-Definition.tex new file mode 100755 index 000000000..77774d9fa --- /dev/null +++ b/doc/Recursive-Definition.tex @@ -0,0 +1,251 @@ +\documentstyle[]{article} +\input{title} + +\newcommand{\xx}{\noindent} +\newcommand{\Coq}{{\sf Coq}} + +\begin{document} + +\coverpage{Users friendly {\tt Recursive Definition}}{Pascal MANOURY} + +This command allows to define functions in +the following syntax : +\begin{verbatim} +Recursive Definition f [X1:U1;..;Xk:Uk] : T1-> .. -> Tn -> T := + p11 .. p1n => t1 +... +|pm1 .. pmn => tm. +\end{verbatim} +This definition schema must be understood as : +\begin{itemize} +\item {\tt f} is the name of the constant we want +to define; +\item {\tt (X1:U1)..(Xk:Uk) T1-> .. -> Tn -> T} +is its intended type; +\item {\tt p11 .. p1n => t1 | ... |pm1 .. pmn => tm.} +describe its beha\-viour in terms of patterns. +We +call the {\sl patterns clauses} this part of the {\tt Recursive Definition}. +\end{itemize} +The semantics of the {\tt Recursive Definition} +is to +define the new constant {\tt f} as a term (say {\tt F}) of +the intended type providing that {\tt F} has the intended +computational behavior expressed in the {\sl patterns +clauses}. Moreover, a {\tt Recursive Definition} states and +proves all equational theorems corresponding to {\sl +patterns clauses}. In other words, a {\tt Recursive Definition} is +equivalent to : +\begin{verbatim} +Definition f : (X1:U1)..(Xk:Uk) T1-> .. -> Tn -> T := F. +Theorem f_eq1 : (X1:U1)..(Xk:Uk)(x11:V11)..(x1l:V1l)(F X1 .. Xk p11 .. p1n)=t1. +Intros; Unfold F; Simpl; Trivial. Save. +... +Theorem f_eqm : (X1:U1)..(Xk:Uk)(xm1:Vm1)..(xml:Vml)(F X1 .. Xk pm1 .. pmn)=tm. +Intros; Unfold F; Simpl; Trivial. Save. +\end{verbatim} +For instance, one can write : +\begin{coq_example} +Recursive Definition Ack : nat -> nat -> nat := + O m => (S m) + |(S n) O => (Ack n (S O)) + |(S n) (S m) => (Ack n (Ack (S n) m)). +\end{coq_example} + +Unfortunately, the problem of finding a term (of \Coq) +satisfying a set of {\sl patterns clauses} does not always have a +solution, as shown by the following example~:\\ +\centerline {\tt Recursive Definition fix : +nat -> nat := n => (fix n).} +The point is that, in \Coq, any term {\tt F} of type {\tt +nat -> nat} represents a function which always terminates +and it is easy to see that the function {\tt fix} never +terminates. This general property of \Coq's terms is called +{\it strong normalization}. + +\xx +The fact that a syntactically correct {\tt Recursive +Definition} as the one of {\tt fix} does not correspond to any +term in \Coq~ points out that we cannot content with the {\it +syntactical level} of the declaration to obtain a term, but we +have to lift up onto the {\it logical level} to ensure that +the aimed function satisfies such a strong property as +termination. And here comes the difficulty, since the termination +problem is known to be undecidable in general. + +\xx +In fact, termination is the main logical property we +have to face with. Then the main job of the {\tt Recursive +Definition} is to build a proof of {\tt (X1:U1)..(Xk:Uk) +T1-> .. -> Tn -> T} understood as a termination proof of the +aimed function.\\ +Let's see how it works on the Ackermann's function example +: +\begin{coq_eval} +Restore State Initial. +\end{coq_eval} +\begin{coq_example} +Theorem Ack : nat -> nat -> nat. +Intro n; Elim n. +Intro m; Exact (S m). +Intros p Ack_n m; Elim m. +Exact (Ack_n (S O)). +Intros q Ack_Sn_m; Exact (Ack_n Ack_Sn_m). +Save. +\end{coq_example} +One can check that the term {\tt Ack} ({\it eg} : the above +proof of {\tt nat -> nat -> nat}) actually satisfies +the intended {\sl patterns clauses} of Ackermann's +function. + +\xx +Such a proof is {\em automatically} synthesized by a +{specialized strategy} which was originally designed for the +{\sf ProPre} programming language. It has been adapted for +the \Coq's framework. For a short description of the {\sf +ProPre} programming language, we refer the reader to +\cite{MPSI}. For details +concerning the original proof search strategy, we refer the +reader to \cite{MSAR}. For theoretical settings of the +method involved in {\sf ProPre}, we refer the reader to +\cite{KRPA} and \cite{PARI}. + +\xx +We list bellow some correct and incorrect usages of +the {\tt Recursive Definition} feature. + +\subsection*{Correct {\tt Recursive Definition}'s} +\begin{coq_example*} +Recursive Definition IfSet [X:Set] : bool -> X -> X -> X := + true x y => x + |false x y => y. +Recursive Definition equal_nat : nat -> nat -> bool := + O O => true + |O (S m) => false + |(S n) O => false + |(S n) (S m) => (equal_nat n m). +Recursive Definition less_equal : nat -> nat -> bool := + O m => true + |(S n) O => false + |(S n) (S m) => (less_equal n m). +Inductive Set bintree := + Le : bintree + |Br : nat -> bintree -> bintree -> bintree. +Recursive Definition ins_bsr [n:nat] : bintree -> bintree := + Le => (Br n Le Le) + |(Br m a1 a2) + => (IfSet bintree (less_equal n m) (Br m (ins_bsr n a1) a2) + (Br m a1 (ins_bsr n a2))). +Inductive list [X:Set] : Set := + Nil : (list X) + |Cons : X -> (list X) -> (list X). +Recursive Definition append [X:Set;ys:(list X)] : (list X) -> (list X) := + (Nil X) => ys + |(Cons X x xs) => (Cons X x (append X ys xs)). +Recursive Definition soml : (list nat) -> nat := + (Nil nat) => O + |(Cons nat O x) => (soml x) + |(Cons nat (S n) x) => (S (soml (Cons nat n x))). +Recursive Definition sorted_list : (list nat) -> Prop := + (Nil nat) => True + |(Cons nat n (Nil nat)) => True +|(Cons nat n (Cons nat m x)) + => (<bool>(less_equal n m)=true) /\ (sorted_list (Cons nat m x)). +\end{coq_example*} + +\subsection*{Incorrect {\tt Recursive Definition}'s} +\begin{coq_example} +Recursive Definition equal_list : (list nat) -> (list nat) -> bool := + (Nil nat) (Nil nat) => true + |(Nil nat) (Cons nat n y) => false + |(Cons nat n x) (Nil nat) => false + |(Cons nat n x) (Cons nat n y) => (equal_list x y). +\end{coq_example} +As explains the error message, a same pattern variable can't be used +more than one time. +\begin{coq_example} +Recursive Definition min : nat -> nat -> nat := + O m => m + |n O => n + |(S n) (S m) => (S (min n m)). +\end{coq_example} +We do not allow the various left members of {\sl patterns clauses} to +overlap. +\begin{coq_example} +Recursive Definition wrong_equal : nat -> nat -> bool := + O O => true + |(S n) (S m) => (wrong_equal n m). +\end{coq_example} +As we need to prove that the function is totally defined, we need an +exhaustive pattern matching of the inputs. +\begin{coq_example} +Recursive Definition div2 : nat -> nat := + O => O + |(S O) => O + |(S (S n)) => (S (div2 n)). +\end{coq_example} +The strategy makes use of structural induction to search a proof of +{\tt nat -> nat}, then it can only accept arguments decreasing in one +step ({\it eg} from {\tt (S n)} to {\tt n}) which is not the case +here. +\begin{coq_example} +Recursive Definition wrong_fact : nat -> nat := + n => (IfSet nat (equal_nat n O) (S O) (mult n (wrong_fact (pred n)))). +\end{coq_example} +This error comes from the fact that the strategy doesn't recognize +that the {\tt IfSet} is used as matching on naturals and that, when +{\tt n} is not {\tt O}, {\tt (pred n)} is less than {\tt n}. Indeed, +matching must be explicit and decreasing too. +\begin{coq_example} +Recursive Definition heap_merge : bintree -> bintree -> bintree := + Le b => b + |(Br n a1 a2) Le => (Br n a1 a2) + |(Br n a1 a2) (Br m b1 b2) + => (IfSet bintree + (less_equal n m) + (Br n (heap_merge a1 a2) (Br m b1 b2)) + (Br m (Br n a1 a2) (heap_merge b1 b2))). +\end{coq_example} +This failure of the strategy is due to the fact than with simple +structural induction one can't get any induction hypothesis for both +inductive calls {\tt (heap\_merge a1 a2)} and {\tt (heap\_merge b1 + b2)}. + + +\begin{thebibliography}{9999} +\bibitem{KRPA} J.L Krivine, M. Parigot + {\it Programming with proofs} ; in SCT 87 (1987), +Wendish-Rietz ; in EIK 26 (1990) pp 146-167. + +\bibitem{MPSI} P. Manoury, M. Parigot, M. Simonot {\it {\sf +ProPre} : a programming language with proofs} ; in +proceedings LPAR 92, LNAI 624. + +\bibitem{MSTH} P. Manoury and M. Simonot {\it Des preuves +de totalit\'e de fonctions comme synth\`ese de +programmes} ; Phd Thesis, Universit\'e Paris 7, December +1992. + +\bibitem{MSAR} P. Manoury and M. Simonot {\it +Automatizing termination proof of recursively defined +functions} ; to appear in TCS. + +\bibitem{PARI} M. Parigot {\it Recursive programming with +proofs} ; in TCS 94 (1992) pp 335-356. + +\bibitem{PAUL} C. Paulin-Mohring {\it Inductive +Definitions in the System Coq - Rules and properties} ; +proceedings TLCA 93, LNCS 664 (1993). + +\bibitem{WERN} B. Werner {\it Une th\'eorie des +constructions inductives} ; Phd Thesis, Universit\'e Paris +7, May 1994. + +\end{thebibliography} + +\end{document} + + + + +% $Id$ diff --git a/doc/RefMan-add.tex b/doc/RefMan-add.tex new file mode 100755 index 000000000..d04d1468f --- /dev/null +++ b/doc/RefMan-add.tex @@ -0,0 +1,54 @@ +\chapter{List of additional documentation}\label{Addoc} + +\section{Tutorials}\label{Tutorial} +A companion volume to this reference manual, the \Coq\ Tutorial, is +aimed at gently introducing new users to developing proofs in \Coq\ +without assuming prior knowledge of type theory. In a second step, the +user can read also the tutorial on recursive types (document {\tt +RecTutorial.ps}). + +\section{The \Coq\ standard library}\label{Addoc-library} +A brief description of the \Coq\ standard library is given in the additional +document {\tt Library.dvi}. + +\section{Installation and un-installation procedures}\label{Addoc-install} +A \verb!INSTALL! file in the distribution explains how to install +\Coq. + +\section{{\tt Extraction} of programs}\label{Addoc-extract} +{\tt Extraction} is a package offering some special facilities to +extract ML program files. It is described in the separate document +{\tt Extraction.dvi} +\index{Extraction of programs} + +\section{Proof printing in {\tt Natural} language}\label{Addoc-natural} +{\tt Natural} is a tool to print proofs in natural language. +It is described in the separate document {\tt Natural.dvi}. +\index{Natural@{\tt Print Natural}} +\index{Printing in natural language} + +\section{The {\tt Omega} decision tactic}\label{Addoc-omega} +{\bf Omega} is a tactic to automatically solve arithmetical goals in +Presburger arithmetic (i.e. arithmetic without multiplication). +It is described in the separate document {\tt Omega.dvi}. +\index{Omega@{\tt Omega}} + +\section{Simplification on rings}\label{Addoc-polynom} +A documentation of the package {\tt polynom} (simplification on rings) +can be found in the document {\tt Polynom.dvi} +\index{Polynom@{\tt Polynom}} +\index{Simplification on rings} + +%\section{Anomalies}\label{Addoc-anomalies} +%The separate document {\tt Anomalies.*} gives a list of known +%anomalies and bugs of the system. Before communicating us an +%anomalous behavior, please check first whether it has been already +%reported in this document. + +% $Id$ + + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/RefMan-cas.tex b/doc/RefMan-cas.tex new file mode 100755 index 000000000..f48242fae --- /dev/null +++ b/doc/RefMan-cas.tex @@ -0,0 +1,671 @@ +%\documentstyle[11pt,../tools/coq-tex/coq,fullpage]{article} + +%\pagestyle{plain} + +%\begin{document} +%\nocite{Augustsson85,wadler87,HuetLevy79,MaSi94,maranget94,Laville91,saidi94,dowek93,Leroy90,puel-suarez90} + +%\input{title} +%\input{macros} +%\coverpage{The Macro \verb+Cases+}{Cristina Cornes} +%\pagestyle{plain} +\chapter{The Macro {\tt Cases}}\label{Cases}\index{Cases@{\tt Cases}} + +\marginparwidth 0pt \oddsidemargin 0pt \evensidemargin 0pt \marginparsep 0pt +\topmargin 0pt \textwidth 6.5in \textheight 8.5in + + +\verb+Cases+ is an extension to the concrete syntax of Coq that allows +to write case expressions using patterns in a syntax close to that of ML languages. +This construction is just a macro that is +expanded during parsing into a sequence of the primitive construction + \verb+Case+. +The current implementation contains two strategies, one for compiling +non-dependent case and another one for dependent case. +\section{Patterns}\label{implementation} +A pattern is a term that indicates the {\em shape} of a value, i.e. a +term where the variables can be seen as holes. When a value is +matched against a pattern (this is called {\em pattern matching}) +the pattern behaves as a filter, and associates a sub-term of the value +to each hole (i.e. to each variable pattern). + + +The syntax of patterns is presented in figure \ref{grammar}\footnote{ +Notation: \{$P$\}$^*$ denotes zero or more repetitions of $P$ and + \{$P$\}$^+$ denotes one or more repetitions of $P$. {\sl command} is the +non-terminal corresponding to terms in Coq.}. +Patterns are built up from constructors and variables. Any identifier +that is not a constructor of an inductive or coinductive type is +considered to be +a variable. Identifiers in patterns should be linear except for +the ``don't care'' pattern denoted by ``\verb+_+''. +We can use patterns to build more complex patterns. +We call {\em simple pattern} a variable or a pattern of the form +$(c~\vec{x})$ where $c$ is a constructor symbol and $\vec{x}$ is a +linear vector of variables. If a pattern is +not simple we call it {\em nested}. + + +A variable pattern matches any value, and the +identifier is bound to that value. The pattern ``\verb+_+'' also matches +any value, but it is not binding. Alias patterns written \verb+(+{\sl pattern} \verb+as+ {\sl +identifier}\verb+)+ are also accepted. This pattern matches the same values as +{\sl pattern} does and +{\sl identifier} is bound to the matched value. +A list of patterns is also considered as a pattern and is called {\em +multiple pattern}. + +\begin{figure}[t] +\begin{center} +\begin{sl} +\begin{tabular}{|l|}\hline \\ +\begin{tabular}{rcl}%\hline && \\ +simple\_pattern & := & pattern \verb+as+ identifier \\ + &$|$ & pattern \verb+,+ pattern \\ + &$|$ & pattern pattern\_list \\ && \\ + +pattern & := & identifier $|$ \verb+(+ simple\_pattern \verb+)+ \\ &&\\ + + +equation & := & \{pattern\}$^+$ ~\verb+=>+ ~term \\ && \\ + +ne\_eqn\_list & := & \verb+|+$^{opt}$ equation~ \{\verb+|+ equation\}$^*$ \\ &&\\ + +eqn\_list & := & \{~equation~ \{\verb+|+ equation\}$^*$~\}$^*$\\ &&\\ + + +term & := & +\verb+Cases+ \{term \}$^+$ \verb+of+ ne\_eqn\_list \verb+end+ \\ +&$|$ & \verb+<+term\verb+>+ \verb+Cases+ \{ term \}$^+$ +\verb+of+ eqn\_list \verb+end+ \\&& %\\ \hline +\end{tabular} \\ \hline +\end{tabular} +\end{sl} \end{center} +\caption{Macro Cases syntax.} +\label{grammar} +\end{figure} + + +Pattern matching improves readability. Compare for example the term +of the function {\em is\_zero} of natural +numbers written with patterns and the one written in primitive +concrete syntax (note that the first bar \verb+|+ is optional)~: + +\begin{center} +\begin{small} +\begin{tabular}{l} +\verb+[n:nat] Cases n of | O => true | _ => false end+,\\ +\verb+[n:nat] Case n of true [_:nat]false end+. +\end{tabular} +\end{small} +\end{center} + +In Coq pattern matching is compiled into the primitive constructions, +thus the expressiveness of the theory remains the same. Once the stage +of parsing has finished patterns disappear. An easy way to see the +result of the expansion is by printing the term with \texttt{Print} if +the term is a constant, or +using the command \texttt{Check} that displays +the term with its type : + +\begin{coq_example} +Check [n:nat] Cases n of O => true | _ => false end. +\end{coq_example} + + +\verb+Cases+ accepts optionally an infix term enclosed between +brackets \verb+<>+ that we +call the {\em elimination predicate}. +This term is the same argument as the one expected by the primitive +\verb+Case+. Given a pattern matching +expression, if all the right hand sides of \verb+=>+ ({\em rhs} in +short) have the same type, then this term +can be sometimes synthesized, and so we can omit the \verb+<>+. +Otherwise we have to +provide the predicate between \verb+<>+ as for the primitive \verb+Case+. + +Let us illustrate through examples the different aspects of pattern matching. +Consider for example the function that computes the maximum of two +natural numbers. We can write it in primitive syntax by: +\begin{coq_example} +Fixpoint max [n,m:nat] : nat := + Case n of + (* O *) m + (* S n' *) [n':nat]Case m of + (* O *) (S n') + (* S m' *) [m':nat](S (max n' m')) + end + end. +\end{coq_example} + +Using patterns in the definitions gives: + +\begin{coq_example} +Reset max. +Fixpoint max [n,m:nat] : nat := + Cases n of + O => m + | (S n') => Cases m of + O => (S n') + | (S m') => (S (max n' m')) + end + end. +\end{coq_example} + +Another way to write this definition is to use a multiple pattern to + match \verb+n+ and \verb+m+: + +\begin{coq_example} +Reset max. +Fixpoint max [n,m:nat] : nat := + Cases n m of + O _ => m + | (S n') O => (S n') + | (S n') (S m') => (S (max n' m')) + end. +\end{coq_example} + + +The strategy examines patterns +from left to right. A case expression is generated {\bf only} when there is at least one constructor in the column of patterns. +For example, +\begin{coq_example} +Check [x:nat]<nat>Cases x of y => y end. +\end{coq_example} + + + +We can also use ``\verb+as+ patterns'' to associate a name to a +sub-pattern: + +\begin{coq_example} +Reset max. +Fixpoint max [n:nat] : nat -> nat := + [m:nat] Cases n m of + O _ => m + | ((S n') as N) O => N + | (S n') (S m') => (S (max n' m')) + end. +\end{coq_example} + + +In the previous examples patterns do not conflict with, but +sometimes it is comfortable to write patterns that admits a non +trivial superposition. Consider +the boolean function $lef$ that given two natural numbers +yields \verb+true+ if the first one is less or equal than the second +one and \verb+false+ otherwise. We can write it as follows: + +\begin{coq_example} +Fixpoint lef [n,m:nat] : bool := + Cases n m of + O x => true + | x O => false + | (S n) (S m) => (lef n m) + end. +\end{coq_example} + +Note that the first and the second multiple pattern superpose because the couple of +values \verb+O O+ matches both. Thus, what is the result of the +function on those values? +To eliminate ambiguity we use the {\em textual priority rule}: we +consider patterns ordered from top to bottom, then a value is matched +by the pattern at the $ith$ row if and only if is not matched by some +pattern of a previous row. Thus in the example, +\verb+O O+ is matched by the first pattern, and so \verb+(lef O O)+ +yields \verb+true+. + +Another way to write this function is: + +\begin{coq_example} +Reset lef. +Fixpoint lef [n,m:nat] : bool := + Cases n m of + O x => true + | (S n) (S m) => (lef n m) + | _ _ => false + end. +\end{coq_example} + + +Here the last pattern superposes with the first two. Because +of the priority rule, the last pattern +will be used only for values that do not match neither the first nor +the second one. + +Terms with useless patterns are accepted by the +system. For example, +\begin{coq_example} +Check [x:nat]Cases x of O => true | (S _) => false | x => true end. +\end{coq_example} + +is accepted even though the last pattern is never used. +Beware, the +current implementation rises no warning message when there are unused +patterns in a term. + + + + +\subsection{About patterns of parametric types} +When matching objects of a parametric type, constructors in patterns +{\em do not expect} the parameter arguments. Their value is deduced +during expansion. + +Consider for example the polymorphic lists: + +\begin{coq_example} +Inductive List [A:Set] :Set := + nil:(List A) +| cons:A->(List A)->(List A). +\end{coq_example} + +We can check the function {\em tail}: + +\begin{coq_example} +Check [l:(List nat)]Cases l of + nil => (nil nat) + | (cons _ l') => l' + end. +\end{coq_example} + + +When we use parameters in patterns there is an error message: +\begin{coq_example} +Check [l:(List nat)]Cases l of + (nil nat) => (nil nat) + | (cons nat _ l') => l' + end. +\end{coq_example} + + + +\subsection{Matching objects of dependent types} +The previous examples illustrate pattern matching on objects of +non-dependent types, but we can also +use the macro to destructure objects of dependent type. +Consider the type \verb+listn+ of lists of a certain length: + +\begin{coq_example} +Inductive listn : nat-> Set := + niln : (listn O) +| consn : (n:nat)nat->(listn n) -> (listn (S n)). +\end{coq_example} + +\subsubsection{Understanding dependencies in patterns} +We can define the function \verb+length+ over \verb+listn+ by : + +\begin{coq_example} +Definition length := [n:nat][l:(listn n)] n. +\end{coq_example} + +Just for illustrating pattern matching, +we can define it by case analysis: +\begin{coq_example} +Reset length. +Definition length := [n:nat][l:(listn n)] + Cases l of + niln => O + | (consn n _ _) => (S n) + end. +\end{coq_example} + +We can understand the meaning of this definition using the +same notions of usual pattern matching. + +Now suppose we split the second pattern of \verb+length+ into two +cases so to give an +alternative definition using nested patterns: +\begin{coq_example} +Definition length1:= [n:nat] [l:(listn n)] + Cases l of + niln => O + | (consn n _ niln) => (S n) + | (consn n _ (consn _ _ _)) => (S n) + end. +\end{coq_example} + +It is obvious that \verb+length1+ is another version of +\verb+length+. We can also give the following definition: +\begin{coq_example} +Definition length2:= [n:nat] [l:(listn n)] + Cases l of + niln => O + | (consn n _ niln) => (S O) + | (consn n _ (consn m _ _)) => (S (S m)) + end. +\end{coq_example} + +If we forget that \verb+listn+ is a dependent type and we read these +definitions using the usual semantics of pattern matching, we can conclude +that \verb+length1+ +and \verb+length2+ are different functions. +In fact, they are equivalent +because the pattern \verb+niln+ implies that \verb+n+ can only match +the value $0$ and analogously the pattern \verb+consn+ determines that \verb+n+ can +only match values of the form $(S~v)$ where $v$ is the value matched by +\verb+m+. + + +The converse is also true. If +we destructure the length value with the pattern \verb+O+ then the list +value should be $niln$. +Thus, the following term \verb+length3+ corresponds to the function +\verb+length+ but this time defined by case analysis on the dependencies instead of on the list: + +\begin{coq_example} +Definition length3 := [n:nat] [l: (listn n)] + Cases l of + niln => O + | (consn O _ _) => (S O) + | (consn (S n) _ _) => (S (S n)) + end. +\end{coq_example} + +When we have nested patterns of dependent types, the semantics of +pattern matching becomes a little more difficult because +the set of values that are matched by a sub-pattern may be conditioned by the +values matched by another sub-pattern. Dependent nested patterns are +somehow constrained patterns. +In the examples, the expansion of +\verb+length1+ and \verb+length2+ yields exactly the same term + but the +expansion of \verb+length3+ is completely different. \verb+length1+ and +\verb+length2+ are expanded into two nested case analysis on +\verb+listn+ while \verb+length3+ is expanded into a case analysis on +\verb+listn+ containing a case analysis on natural numbers inside. + + +In practice the user can think about the patterns as independent and +it is the expansion algorithm that cares to relate them. \\ + + +\subsubsection{When the elimination predicate must be provided} +The examples given so far do not need an explicit elimination predicate +between \verb+<>+ because all the rhs have the same type and the +strategy succeeds to synthesize it. +Unfortunately when dealing with dependent patterns it often happens +that we need to write cases where the type of the rhs are +different instances of the elimination predicate. +The function \verb+concat+ for \verb+listn+ +is an example where the branches have different type +and we need to provide the elimination predicate: + +\begin{coq_example} +Fixpoint concat [n:nat; l:(listn n)] :(m:nat) (listn m) -> (listn (plus n m)) + := [m:nat][l':(listn m)] + <[n:nat](listn (plus n m))>Cases l of + niln => l' + | (consn n' a y) => (consn (plus n' m) a (concat n' y m l')) + end. +\end{coq_example} + +Recall that a list of patterns is also a pattern. So, when +we destructure several terms at the same time and the branches have +different type we need to provide +the elimination predicate for this multiple pattern. + +For example, an equivalent definition for \verb+concat+ (even though with a useless extra pattern) would have +been: + +\begin{coq_example} +Reset concat. +Fixpoint concat [n:nat; l:(listn n)] : (m:nat) (listn m) -> (listn (plus n m)) +:= [m:nat][l':(listn m)] + <[n,_:nat](listn (plus n m))>Cases l l' of + niln x => x + | (consn n' a y) x => (consn (plus n' m) a (concat n' y m x)) + end. +\end{coq_example} + +Note that this time, the predicate \verb+[n,_:nat](listn (plus n m))+ is binary because we +destructure both \verb+l+ and \verb+l'+ whose types have arity one. +In general, if we destructure the terms $e_1\ldots e_n$ +the predicate will be of arity $m$ where $m$ is the sum of the +number of dependencies of the type of $e_1, e_2,\ldots e_n$ (the $\lambda$-abstractions +should correspond from left to right to each dependent argument of the +type of $e_1\ldots e_n$). +When the arity of the predicate (i.e. number of abstractions) is not +correct Coq rises an error message. For example: + +\begin{coq_example} +Fixpoint concat [n:nat; l:(listn n)] : (m:nat) (listn m) -> (listn (plus n m)) := +[m:nat][l':(listn m)] + <[n:nat](listn (plus n m))>Cases l l' of + niln x => x + | (consn n' a y) x => (consn (plus n' m) a (concat n' y m x)) + end. +\end{coq_example} + + +\subsection{Using pattern matching to write proofs} +In all the previous examples the elimination predicate does not depend on the object(s) matched. +The typical case where this is not possible is when we write a proof by +induction or a function that yields an object of dependent type. + +For example, we can write +the function \verb+buildlist+ that given a natural number +$n$ builds a list length $n$ containing zeros as follows: + +\begin{coq_example} +Fixpoint buildlist [n:nat] : (listn n) := + <[n:nat](listn n)>Cases n of + O => niln + | (S n) => (consn n O (buildlist n)) + end. +\end{coq_example} + +We can also use multiple patterns whenever the elimination predicate has +the correct arity. + +Consider the following definition of the predicate less-equal +\verb+Le+: + +\begin{coq_example} +Inductive Le : nat->nat->Prop := + LeO: (n:nat)(Le O n) +| LeS: (n,m:nat)(Le n m) -> (Le (S n) (S m)). +\end{coq_example} + +We can use multiple patterns to write the proof of the lemma + \verb+(n,m:nat) (Le n m)\/(Le m n)+: + +\begin{coq_example} +Fixpoint dec [n:nat] : (m:nat)(Le n m) \/ (Le m n) := + [m:nat] <[n,m:nat](Le n m) \/ (Le m n)>Cases n m of + O x => (or_introl ? (Le x O) (LeO x)) + | x O => (or_intror (Le x O) ? (LeO x)) + | ((S n) as N) ((S m) as M) => + Cases (dec n m) of + (or_introl h) => (or_introl ? (Le M N) (LeS n m h)) + | (or_intror h) => (or_intror (Le N M) ? (LeS m n h)) + end + end. +\end{coq_example} +In the example of \verb+dec+ the elimination predicate is binary +because we destructure two arguments of \verb+nat+ that is a +non-dependent type. Note the first \verb+Cases+ is dependent while the +second is not. + +In general, consider the terms $e_1\ldots e_n$, +where the type of $e_i$ is an instance of a family type +$[\vec{d_i}:\vec{D_i}]T_i$ ($1\leq i +\leq n$). Then to write \verb+<+${\cal P}$\verb+>Cases+ $e_1\ldots +e_n$ \verb+of+ \ldots \verb+end+, the +elimination predicate ${\cal P}$ should be of the form: +$[\vec{d_1}:\vec{D_1}][x_1:T_1]\ldots [\vec{d_n}:\vec{D_n}][x_n:T_n]Q.$ + + + + +\section{Extending the syntax of pattern} +The primitive syntax for patterns considers only those patterns containing +symbols of constructors and variables. Nevertheless, we +may define our own syntax for constructors and may be interested in +using this syntax to write patterns. +Because not any term is a pattern, the fact of extending the terms +syntax does not imply the extension of pattern syntax. Thus, +the grammar of patterns should be explicitly extended whenever we +want to use a particular syntax for a constructor. +The grammar rules for the macro \verb+Cases+ (and thus for patterns) +are defined in the file \verb+Multcase.v+ in the directory +\verb+src/syntax+. To extend the grammar of patterns +we need to extend the non-terminals corresponding to patterns +(we refer the reader to chapter of grammar extensions). + + +We have already extended the pattern syntax so as to note +the constructor \verb+pair+ of cartesian product with "( , )" in patterns. +This allows for example, to write the first projection +of pairs as follows: +\begin{coq_example} +Definition fst := [A,B:Set][H:A*B] Cases H of (x,y) => x end. +\end{coq_example} +The grammar presented in figure \ref{grammar} actually +contains this extension. + +\section{When does the expansion strategy fail?}\label{limitations} +The strategy works very like in ML languages when treating +patterns of non-dependent type. +But there are new cases of failure that are due to the presence of +dependencies. + +The error messages of the current implementation may be +sometimes confusing. +When the tactic fails because patterns are somehow incorrect then +error messages refer to the initial expression. But the strategy +may succeed to build an expression whose sub-expressions are well typed but +the whole expression is not. In this situation the message makes +reference to the expanded expression. +We encourage users, when they have patterns with the same outer constructor in different equations, to name the variable patterns in the same positions with the same name. +E.g. to write {\small\verb+(cons n O x) => e1+} and {\small\verb+(cons n \_ x) => e2+} instead of +{\small\verb+(cons n O x) => e1+} and {\small\verb+(cons n' \_ x') => e2+}. This helps to maintain certain name correspondence between the generated expression and the original. + + +Here is a summary of the error messages corresponding to each situation: +\begin{itemize} +\item patterns are incorrect (because constructors are not +applied to the correct number of the arguments, because they are not linear or they are +wrongly typed) +\begin{itemize} +\item \sverb{In pattern } {\sl term} \sverb{the constructor } {\sl ident} +\sverb{expects } {\sl num} \sverb{arguments} + +\item \sverb{The variable } {\sl ident} \sverb{is bound several times in pattern } {\sl term} + +\item \sverb{Constructor pattern: } {\sl term} \sverb{cannot match values of type } {\sl term} +\end{itemize} + +\item the pattern matching is not exhaustive +\begin{itemize} +\item \sverb{This pattern-matching is not exhaustive} +\end{itemize} +\item the elimination predicate provided to \verb+Cases+ has not the expected arity + +\begin{itemize} +\item \sverb{The elimination predicate } {\sl term} \sverb{should be +of arity } {\sl num} \sverb{(for non dependent case) or } {\sl num} \sverb{(for dependent case)} +\end{itemize} + + \item the whole expression is wrongly typed, or the synthesis of implicit arguments fails (for example to find +the elimination predicate or to resolve implicit arguments in the rhs). + + +There are {\em nested patterns of dependent type}, the +elimination predicate corresponds to non-dependent case and has the form $[x_1:T_1]...[x_n:T_n]T$ +and {\bf some} $x_i$ occurs {\bf free} in +$T$. Then, the strategy may fail to find out a correct elimination +predicate during some step of compilation. +In this situation we recommend the user to rewrite the nested +dependent patterns into several \verb+Cases+ with {\em simple patterns}. + +In all these cases we have the following error message: + + \begin{itemize} + \item + {\tt Expansion strategy failed to build a well typed case expression. + There is a branch that mismatches the expected type. + The risen type error on the result of expansion was:} + \end{itemize} + +\item because of nested patterns, it may happen that even though all +the rhs have the same type, the strategy needs +dependent elimination and so an elimination predicate must be +provided. The system +warns about this situation, trying to compile anyway with the +non-dependent strategy. The risen message is: +\begin{itemize} +\item {\tt Warning: This pattern matching may need dependent elimination to be compiled. +I will try, but if fails try again giving dependent elimination predicate.} +\end{itemize} + +\item there are {\em nested patterns of dependent type} and the strategy +builds a term that is well typed but recursive +calls in fix point are reported as illegal: +\begin{itemize} +\item {\tt Error: Recursive call applied to an illegal term ...} +\end{itemize} + +This is because the strategy generates a term that is correct +w.r.t. to the initial term but which does not pass the guard condition. +In this situation we recommend the user to transform the nested dependent +patterns into {\em several \verb+Cases+ of simple patterns}. +Let us explain this with an example. +Consider the following defintion of a function that yields the last +element of a list and \verb+O+ if it is empty: + +\begin{coq_example} +Fixpoint last [n:nat; l:(listn n)] : nat := +Cases l of + (consn _ a niln) => a + | (consn m _ x) => (last m x) + | niln => O + end. +\end{coq_example} + +It fails because of the priority between patterns, we know that this +definition is equivalent to the following more explicit one (which +fails too): + +\begin{coq_example*} +Fixpoint last [n:nat; l:(listn n)] : nat := +Cases l of + (consn _ a niln) => a + | (consn n _ (consn m b x)) => (last n (consn m b x)) + | niln => O + end. +\end{coq_example*} + +Note that the recursive call \sverb{(last n (consn m b x)) } is not +guarded. When treating with patterns of dependent types the strategy +interprets the first definition of \texttt{last} as the second +onefootnote{In languages of the ML family +the first definition would be translated into a term where the +variable \texttt{x} is shared in the expression. When +patterns are of non-dependent types, Coq compiles as in ML languages +using sharing. When patterns are of dependent types the compilation +reconstructs the term as in the second definition of \texttt{last} so to +ensure the result of expansion is well typed.}. +Thus it generates a +term where the recursive call is rejected by the +guard condition. + +You can get rid of this problem by writing the definition with \emph{simple +patterns}: + +\begin{coq_example} +Fixpoint last [n:nat; l:(listn n)] : nat := +<[_:nat]nat>Cases l of + (consn m a x) => Cases x of + niln => a + | _ => (last m x) + end + | niln => O + end. +\end{coq_example} + + +\end{itemize} + +%\end{document} + diff --git a/doc/RefMan-cic.tex b/doc/RefMan-cic.tex new file mode 100755 index 000000000..51bbc506a --- /dev/null +++ b/doc/RefMan-cic.tex @@ -0,0 +1,1233 @@ +\chapter{The Calculus of Inductive Constructions} +\label{Cic} +\index{Cic@\textsc{CIC}} +\index{Calculus of (Co)Inductive Constructions} + +The underlying formal language of {\Coq} is the {\em Calculus of +(Co)Inductive Constructions}\index{Calculus of (Co)Inductive Constructions} +(\CIC\ in short). It is presented in this chapter. + +In \CIC\, all objects have a {\em type}. There are types for functions (or +programs), there are atomic types (especially datatypes)... but also +types for proofs and types for the types themselves. +Especially, any object handled in the formalism must belong to a +type. For instance, the statement {\it ``for all x, P''} is not +allowed in type theory; you must say instead: {\it ``for all x +belonging to T, P''}. The expression {\it ``x belonging to T''} is +written {\it ``x:T''}. One also says: {\it ``x has type T''}. +The terms of {\CIC} are detailed in section \ref{Terms}. + +In \CIC\, there is an internal reduction mechanism. In particular, it +allows to decide if two programs are {\em intentionally} equal (one +says {\em convertible}). Convertibility is presented in section +\ref{convertibility}. + +The remaining sections are concerned with the type-checking of terms. +The beginner can skip them. + +The reader seeking a background on the {\CIC} may read several +papers. Giménez~\cite{Gim98} +provides an introduction to inductive and coinductive +definitions in Coq, Werner~\cite{Wer94} and Paulin-Mohring~\cite{Moh97} are the +most recent theses on the +{\CIC}. Coquand-Huet~\cite{CoHu85a,CoHu85b,CoHu86} introduces the +Calculus of Constructions. Coquand-Paulin~\cite{CoPa89} introduces +inductive definitions. The {\CIC} is a formulation of type theory +including the possibility of inductive +constructions. Barendregt~\cite{Bar91} studies the modern form of type +theory. + +\section{The terms}\label{Terms} + +In most type theories, one usually makes a syntactic distinction +between types and terms. This is not the case for \CIC\ which defines +both types and terms in the same syntactical structure. This is +because the type-theory itself forces terms and types to be defined in +a mutual recursive way and also because similar constructions can be +applied to both terms and types and consequently can share the same +syntactic structure. + +For instance the type of functions will have several meanings. Assume +\nat\ is the type of natural numbers then $\nat\ra\nat$ is the type of +functions from \nat\ to \nat, $\nat \ra \Prop$ is the type of unary +predicates over the natural numbers. For instance $[x:\nat](x=x)$ will +represent a predicate $P$, informally written in mathematics +$P(x)\equiv x=x$. If $P$ has type $\nat \ra \Prop$, $(P~x)$ is a +proposition, furthermore $(x:\nat)(P~x)$ will represent the type of +functions which associate to each natural number $n$ an object of +type $(P~n)$ and consequently represent proofs of the formula +``$\forall x.P(x)$''. + +\subsection{Sorts}\label{Sorts} +\index{Sorts} +Types are seen as terms of the language and then should belong to +another type. The type of a type is always a constant of the language +called a sort. + +The two basic sorts in the language of \CIC\ are \Set\ and \Prop. + +The sort \Prop\ intends to be the type of logical propositions. If +$M$ is a logical proposition then it denotes a class, namely the class +of terms representing proofs of $M$. An object $m$ belonging to $M$ +witnesses the fact that $M$ is true. An object of type \Prop\ is +called a {\em proposition}. + +The sort \Set\ intends to be the type of specifications. This includes +programs and the usual sets such as booleans, naturals, lists +etc. + +These sorts themselves can be manipulated as ordinary terms. +Consequently sorts also should be given a type. Because assuming +simply that \Set\ has type \Set\ leads to an inconsistent theory, we +have infinitely many sorts in the language of \CIC\ . These are, in +addition to \Set\ and \Prop\, a hierarchy of universes \Type$(i)$ +for any integer $i$. We call \Sort\ the set of sorts +which is defined by: +\[\Sort \equiv \{\Prop,\Set,\Type(i)| i \in \NN\} \] +\index{Type@{\Type}} +\index{Prop@{\Prop}} +\index{Set@{\Set}} +The sorts enjoy the following properties: {\Prop:\Type(0)} and + {\Type$(i)$:\Type$(i+1)$}. + +The user will never mention explicitly the index $i$ when referring to +the universe \Type$(i)$. One only writes \Type. The +system itself generates for each instance of \Type\ a new +index for the universe and checks that the constraints between these +indexes can be solved. From the user point of view we consequently +have {\sf Type :Type}. + +We shall make precise in the typing rules the constraints between the +indexes. + +\medskip +\Rem +The extraction mechanism is not compatible with this universe +hierarchy. It is supposed to work only on terms which are explicitly +typed in the Calculus of Constructions without universes and with +Inductive Definitions at the Set level and only a small elimination. +In other cases, extraction may generate a dummy answer and sometimes +failed. To avoid failure when developing proofs, an error while +extracting the computational contents of a proof will not stop the +proof but only give a warning. + + +\subsection{Constants} +Besides the sorts, the language also contains constants denoting +objects in the environment. These constants may denote previously +defined objects but also objects related to inductive definitions +(either the type itself or one of its constructors or destructors). + +\medskip\noindent {\bf Remark. } In other presentations of \CIC, +the inductive objects are not seen as +external declarations but as first-class terms. Usually the +definitions are also completely ignored. This is a nice theoretical +point of view but not so practical. An inductive definition is +specified by a possibly huge set of declarations, clearly we want to +share this specification among the various inductive objects and not +to duplicate it. So the specification should exist somewhere and the +various objects should refer to it. We choose one more level of +indirection where the objects are just represented as constants and +the environment gives the information on the kind of object the +constant refers to. + +\medskip +Our inductive objects will be manipulated as constants declared in the +environment. This roughly corresponds to the way they are actually +implemented in the \Coq\ system. It is simple to map this presentation +in a theory where inductive objects are represented by terms. + +\subsection{Language} + +\paragraph{Types.} + +Roughly speaking types can be separated into atomic and composed +types. + +An atomic type of the {\em Calculus of Inductive Constructions} is +either a sort or is built from a type variable or an inductive +definition applied to some terms. + +A composed type will be a product $(x:T)U$ with $T$ and $U$ two types. + +\paragraph{Terms.} +A term is either a type or a term variable or a term constant of the +environment. + +As usual in $\lambda$-calculus, we combine objects using abstraction +and application. + +More precisely the language of the {\em Calculus of Inductive + Constructions} is built with the following rules: + +\begin{enumerate} +\item the sorts {\sf Set, Prop, Type} are terms. +\item constants of the environment are terms. +\item variables are terms. +\item if $x$ is a variable and $T$, $U$ are terms then $(x:T)U$ is a + term. If $x$ occurs in $U$, $(x:T)U$ reads as {\it ``for all x of + type T, U''}. As $U$ depends on $x$, one says that $(x:T)U$ is a + {\em dependent product}. If $x$ doesn't occurs in $U$ then $(x:T)U$ + reads as {\it ``if T then U''}. A non dependent product can be + written: $T \rightarrow U$. +\item if $x$ is a variable and $T$, $U$ are terms then $[x:T]U$ is a + term. This is a notation for the $\lambda$-abstraction of + $\lambda$-calculus\index{lambda-calculus@$\lambda$-calculus} + \cite{Bar81}. The term $[x:T]U$ is a function which maps elements of + $T$ to $U$. +\item if $T$ and $U$ are terms then $(T\ U)$ is a term. The term $(T\ + U)$ reads as {\it ``T applied to U''}. +\end{enumerate} + +\paragraph{Notations.} Application associates to the left such that +$(t~t_1\ldots t_n)$ represents $(\ldots (t~t_1)\ldots t_n)$. The +products and arrows associate to the right such that $(x:A)B\ra C\ra +D$ represents $(x:A)(B\ra (C\ra D))$. One uses sometimes $(x,y:A)B$ or +$[x,y:A]B$ to denote the abstraction or product of several variables +of the same type. The equivalent formulation is $(x:A)(y:A)B$ or +$[x:A][y:A]B$ +\paragraph{Free variables.} +The notion of free variables is defined as usual. In the expressions +$[x:T]U$ and $(x:T)U$ the occurrences of $x$ in $U$ are bound. They +are represented by de Bruijn indexes in the internal structure of +terms. + +\paragraph{Substitution.} \index{Substitution} +The notion of substituting a term $T$ to free occurrences of a +variable $x$ in a term $U$ is defined as usual. The resulting term +will be written $\subst{U}{x}{T}$. + + +\section{Typed terms}\label{Typed-terms} +As objects of type theory, terms are subjected to {\em type + discipline}. The well typing of a term depends on a set of +declarations of variables we call a {\em context}. A context $\Gamma$ +is written $[x_1:T_1;..; x_n:T_n]$ where the $x_i$'s are distinct +variables and the $T_i$'s are terms. If $\Gamma$ contains some $x:T$, +we write $(x:T)\in\Gamma$ and also $x \in\Gamma$. Contexts must be +themselves {\em well formed}. The notation $\Gamma::(y:T)$ denotes +the context $[x_1:T_1;..;x_n:T_n;y:T]$. The notation $[]$ denotes the +empty context. +\index{Context} + +We define the inclusion of two contexts $\Gamma$ and $\Delta$ (written +as $\Gamma \subset \Delta$) as the property, for all variable $x$ and +type $T$, if $(x:T) \in \Gamma$ then $(x:T)\in \Delta$. We write +$|\Delta|$ for the length of the context $\Delta$ which is $n$ if +$\Delta$ is $[x_1:T_1;..; x_n:T_n]$. + +A variable $x$ is said to be free in $\Gamma$ if $\Gamma$ contains a +declaration $y:T$ such that $x$ is free in $T$. + +\paragraph{Environment.}\index{Environment} +Because we are manipulating constants, we also need to consider an +environment $E$. We shall give afterwards the rules for introducing +new objects in the environment. For the typing relation of terms, it +is enough to introduce two notions. One which says if a name is +defined in the environment we shall write $c \in E$ and the other one +which gives the type of this constant in $E$. We shall write $(c : T) +\in E$. + +In the following, we assume $E$ is a valid environment. We define +simultaneously two judgments. The first one \WTEG{t}{T} means the +term $t$ is well-typed and has type $T$ in the environment $E$ and +context $\Gamma$. The second judgment \WFE{\Gamma} means that the +environment $E$ is well-formed and the context $\Gamma$ is a valid +context in this environment. It also means a third property which +makes sure that any constant in $E$ was defined in an environment +which is included in $\Gamma$ +\footnote{This requirement could be relaxed if we instead introduced + an explicit mechanism for instantiating constants. At the external + level, the Coq engine works accordingly to this view that all the + definitions in the environment were built in a sub-context of the + current context.}. + +A term $t$ is well typed in an environment $E$ iff there exists a +context $\Gamma$ and a term $T$ such that the judgment \WTEG{t}{T} can +be derived from the following rules. +\begin{itemize}\label{Typing-rules}\index{Typing rules} +\item [W-E] \inference{\WF{[]}{[]}} +\item [W-$s$] +\inference{\frac{\WTEG{T}{s}~~~~s\in \Sort~~~~x \not\in + \Gamma \cup E}{\WFE{\Gamma::(x:T)}}} +\item [Ax] \index{Typing rules!Ax} +\inference{\frac{\WFE{\Gamma}}{\WTEG{\Prop}{\Type(p)}}~~~~~ +\frac{\WFE{\Gamma}}{\WTEG{\Set}{\Type(q)}}}\\[3mm] +\inference{\frac{\WFE{\Gamma}~~~~i<j}{\WTEG{\Type(i)}{\Type(j)}}} +\item[Var]\index{Typing rules!Var} + \inference{\frac{ \WFE{\Gamma}~~~~~(x:T)\in\Gamma}{\WTEG{x}{T}}} +\item[Const] \index{Typing rules!Const} +\inference{\frac{\WFE{\Gamma}~~~~(c:T) \in E}{\WTEG{c}{T}}} +\item [Prod] \index{Typing rules!Prod} +\inference{\frac{\WTEG{T}{s_1}~~~~ + \WTE{\Gamma::(x:T)}{U}{s_2}~~~s_1\in\{\Prop, \Set\}~\mbox{or}~ + s_2\in\{\Prop, \Set\}} + { \WTEG{(x:T)U}{s_2}}} \\[3mm] +\inference{\frac{\WTEG{T}{\Type(i)}~~~~ + \WTE{\Gamma::(x:T)}{U}{\Type(j)}~~~i\leq + k~~~j \leq k}{ \WTEG{(x:T)U}{\Type(k)}}} +\item [Lam]\index{Typing rules!Lam} +\inference{\frac{\WTEG{(x:T)U}{s}~~~~ \WTE{\Gamma::(x:T)}{t}{U}} + {\WTEG{[x:T]t}{(x:T)U}}} +\item [App]\index{Typing rules!App} + \inference{\frac{\WTEG{t}{(x:U)T}~~~~\WTEG{u}{U}} + {\WTEG{(t\ u)}{\subst{T}{x}{u}}}} +\end{itemize} + +\section{Conversion rules} +\index{Conversion rules} +\label{conv-rules} +\paragraph{$\beta$-reduction.} +\label{beta}\index{beta-reduction@$\beta$-reduction} + +We want to be able to identify some terms as we can identify the +application of a function to a given argument with its result. For +instance the identity function over a given type $T$ can be written +$[x:T]x$. We want to identify any object $a$ (of type $T$) with the +application $([x:T]x~a)$. We define for this a {\em reduction} (or a +{\em conversion}) rule we call $\beta$: +\[ ([x:T]t~u) \triangleright_{\beta} \subst{t}{x}{u} \] + +We say that $\subst{t}{x}{u}$ is the {\em $\beta$-contraction} of +$([x:T]t~u)$ and, conversely, that $([x:T]t~u)$ is the {\em + $\beta$-expansion} of $\subst{t}{x}{u}$. + +According to $\beta$-reduction, terms of the {\em Calculus of + Inductive Constructions} enjoy some fundamental properties such as +confluence, strong normalization, subject reduction. These results are +theoretically of great importance but we will not detail them here and +refer the interested reader to \cite{Coq85}. + +\paragraph{$\iota$-reduction.} +\label{iota}\index{iota-reduction@$\iota$-reduction} +A specific conversion rule is associated to the inductive objects in +the environment. We shall give later on (section \ref{iotared}) the +precise rules but it just says that a destructor applied to an object +built from a constructor behaves as expected. This reduction is +called $\iota$-reduction and is more precisely studied in +\cite{Moh93,Wer94}. + + +\paragraph{$\delta$-reduction.} +\label{convertibility} +\label{delta}\index{delta-reduction@$\delta$-reduction} +In the environment we also have constants representing abbreviations +for terms. It is legal to identify a constant with its value. This +reduction will be precised in section \ref{deltared} where we define +well-formed environments. This reduction will be called +$\delta$-reduction. + +\paragraph{Convertibility.} +\index{beta-conversion@$\beta$-conversion}\index{iota-conversion@$\iota$-conversion}\index{delta-conversion@$\delta$-conversion} + + +Let us write $t \triangleright u$ for the relation $t$ reduces to $u$ +with one of the previous reduction $\beta,\iota$ or $\delta$. + +We say that two terms $t_1$ and $t_2$ are {\em convertible} (or {\em + equivalent)} iff there exists a term $u$ such that $t_1 +\triangleright \ldots \triangleright u$ and $t_2 \triangleright \ldots +\triangleright u$. We note $t_1 \convert t_2$. + +The convertibility relation allows to introduce a new typing rule +which says that two convertible well-formed types have the same +inhabitants. + +At the moment, we did not take into account one rule between universes +which says that any term in a universe of index $i$ is also a term in +the universe of index $i+1$. This property is included into the +conversion rule by extending the equivalence relation of +convertibility into an order inductively defined by: +\begin{enumerate} +\item if $M\convert N$ then $M\leconvert N$, +\item if $i \leq j$ then $\Type(i)\leconvert\Type(j)$, +\item if $T \convert U$ and $M\leconvert N$ then $(x:T)M\leconvert + (x:U)N$. +\end{enumerate} + +The conversion rule is now exactly: + +\begin{itemize}\label{Conv} +\item [Conv]\index{Typing rules!Conv} + \inference{ + \frac{\WTEG{U}{S}~~~~\WTEG{t}{T}~~~~T \leconvert U}{\WTEG{t}{U}}} +\end{itemize} + + +\paragraph{$\eta$-conversion.}\label{eta}\index{eta-conversion@$\eta$-conversion}\index{eta-reduction@$\eta$-reduction} +An other important rule is the $\eta$-conversion. It is to identify +terms over a dummy abstraction of a variable followed by an +application of this variable. Let $T$ be a type, $t$ be a term in +which the variable $x$ doesn't occurs free. We have +\[ [x:T](t\ x) \triangleright t \] +Indeed, as $x$ doesn't occurs free in $t$, for any $u$ one +applies to $[x:T](t\ x)$, it $\beta$-reduces to $(t\ u)$. So +$[x:T](t\ x)$ and $t$ can be identified. + +\Rem The $\eta$-reduction is not taken into account in the +convertibility rule of \Coq. + +\paragraph{Normal form.}\index{Normal form}\label{Normal-form}\label{Head-normal-form}\index{Head normal form} +A term which cannot be any more reduced is said to be in {\em normal + form}. There are several ways (or strategies) to apply the reduction +rule. Among them, we have to mention the {\em head reduction} which +will play an important role (see chapter \ref{Tactics}). Any term can +be written as $[x_1:T_1]\ldots[x_k:T_k](t_0\ t_1\ldots t_n)$ where +$t_0$ is not an application. We say then that $t_0$ is the {\em head + of $t$}. If we assume that $t_0$ is $[x:T]u_0$ then one step of +$\beta$-head reduction of $t$ is: +\[[x_1:T_1]\ldots[x_k:T_k]([x:T]u_0\ t_1\ldots t_n) +~\triangleright ~ [x_1:T_1]\ldots[x_k:T_k](\subst{u_0}{x}{t_1}\ t_2 \ldots t_n)\] +Iterating the process of head reduction until the head of the reduced +term is no more an abstraction leads to the {\em $\beta$-head normal + form} of $t$: +\[ t \triangleright \ldots \triangleright [x_1:T_1]\ldots[x_k:T_k](v\ u_1 +\ldots u_m)\] +where $v$ is not an abstraction (nor an application). Note that the +head normal form must not be confused with the normal form since some +$u_i$ can be reducible. + +Similar notions of head-normal forms involving $\delta$ and $\iota$ +reductions or any combination of those can also be defined. + +\section{Definitions in environments}\label{Cic-definitions} +We now give the rules for manipulating objects in the environment. +Because a constant can depend on previously introduced constants, the +environment will be an ordered list of declarations. When specifying +an inductive definition, several objects will be introduced at the +same time. So any object in the environment will define one or more +constants. + +In this presentation we introduce two different sorts of objects in +the environment. The first one is ordinary definitions which give a +name to a particular well-formed term, the second one is inductive +definitions which introduce new inductive objects. + +\subsection{Rules for definitions} + +\paragraph{Adding a new definition.} +The simplest objects in the environment are definitions which can be +seen as one possible mechanism for abbreviation. + +A definition will be represented in the environment as +\Def{\Gamma}{c}{t}{T} which means that $c$ is a constant which is +valid in the context $\Gamma$ whose value is $t$ and type is $T$. + +\paragraph{$\delta$-reduction.} \label{deltared} +If \Def{\Gamma}{c}{t}{T} is in the environment $E$ then in this +environment the $\delta$-reduc\-tion $c \triangleright_{\delta} t$ is +introduced. + +The rule for adding a new definition is simple: + +\begin{description} +\item[Def] \inference{\frac{\WTEG{t}{T}~~~c \notin E\cup \Gamma} + {\WF{E;\Def{\Gamma}{c}{t}{T}}{\Gamma}}} +\end{description} + +\subsection{Derived rules} + +From the original rules of the type system, one can derive new rules +which change the context of definition of objects in the environment. +Because these rules correspond to elementary operations in the \Coq\ +engine used in the discharge mechanism at the end of a section, we +state them explicitly. + +\paragraph{Mechanism of substitution.} + +One rule which can be proved valid, is to replace a term $c$ by its +value in the environment. As we defined the substitution of a term for +a variable in a term, one can define the substitution of a term for a +constant. One easily extends this substitution to contexts and +environments. + +\paragraph{Substitution Property:} +\inference{\frac{\WF{E;\Def{\Gamma}{c}{t}{T}; F}{\Delta}} + {\WF{E; \subst{F}{c}{t}}{\subst{\Delta}{c}{t}}}} + + +\paragraph{Abstraction.} + +One can modify the context of definition of a constant $c$ by +abstracting a constant with respect to the last variable $x$ of its +defining context. For doing that, we need to check that the constants +appearing in the body of the declaration do not depend on $x$, we need +also to modify the reference to the constant $c$ in the environment +and context by explicitly applying this constant to the variable $x$. +Because of the rules for building environments and terms we know the +variable $x$ is available at each stage where $c$ is mentioned. + +\paragraph{Abstracting property:} + \inference{\frac{\WF{E; \Def{\Gamma::(x:U)}{c}{t}{T}; + F}{\Delta}~~~~\WFE{\Gamma}} + {\WF{E;\Def{\Gamma}{c}{[x:U]t}{(x:U)T}; + \subst{F}{c}{(c~x)}}{\subst{\Delta}{c}{(c~x)}}}} + +\paragraph{Pruning the context.} +We said the judgment \WFE{\Gamma} means that the defining contexts of +constants in $E$ are included in $\Gamma$. If one abstracts or +substitutes the constants with the above rules then it may happen +that the context $\Gamma$ is now bigger than the one needed for +defining the constants in $E$. Because defining contexts are growing +in $E$, the minimum context needed for defining the constants in $E$ +is the same as the one for the last constant. One can consequently +derive the following property. + +\paragraph{Pruning property:} +\inference{\frac{\WF{E; \Def{\Delta}{c}{t}{T}}{\Gamma}} + {\WF{E;\Def{\Delta}{c}{t}{T}}{\Delta}}} + + +\section{Inductive Definitions}\label{Cic-inductive-definitions} + +A (possibly mutual) inductive definition is specified by giving the +names and the type of the inductive sets or families to be +defined and the names and types of the constructors of the inductive +predicates. An inductive declaration in the environment can +consequently be represented with two contexts (one for inductive +definitions, one for constructors). + +Stating the rules for inductive definitions in their general form +needs quite tedious definitions. We shall try to give a concrete +understanding of the rules by precising them on running examples. We +take as examples the type of natural numbers, the type of +parameterized lists over a type $A$, the relation which state that +a list has some given length and the mutual inductive definition of trees and +forests. + +\subsection{Representing an inductive definition} +\subsubsection{Inductive definitions without parameters} +As for constants, inductive definitions can be defined in a non-empty +context. \\ +We write \NInd{\Gamma}{\Gamma_I}{\Gamma_C} an inductive +definition valid in a context $\Gamma$, a +context of definitions $\Gamma_I$ and a context of constructors +$\Gamma_C$. +\paragraph{Examples.} +The inductive declaration for the type of natural numbers will be: +\[\NInd{}{\nat:\Set}{\nO:\nat,\nS:\nat\ra\nat}\] +In a context with a variable $A:\Set$, the lists of elements in $A$ is +represented by: +\[\NInd{A:\Set}{\List:\Set}{\Nil:\List,\cons : A \ra \List \ra + \List}\] + Assuming + $\Gamma_I$ is $[I_1:A_1;\ldots;I_k:A_k]$, and $\Gamma_C$ is + $[c_1:C_1;\ldots;c_n:C_n]$, the general typing rules are: + +\bigskip +\inference{\frac{\NInd{\Gamma}{\Gamma_I}{\Gamma_C} \in E + ~~j=1\ldots k}{(I_j:A_j) \in E}} + +\inference{\frac{\NInd{\Gamma}{\Gamma_I}{\Gamma_C} \in E + ~~~~i=1.. n} + {(c_i:\subst{C_i}{I_j}{I_j}_{j=1\ldots k})\in E}} + +\subsubsection{Inductive definitions with parameters} + +We have to slightly complicate the representation above in order to handle +the delicate problem of parameters. +Let us explain that on the example of \List. As they were defined +above, the type \List\ can only be used in an environment where we +have a variable $A:\Set$. Generally one want to consider lists of +elements in different types. For constants this is easily done by abstracting +the value over the parameter. In the case of inductive definitions we +have to handle the abstraction over several objects. + +One possible way to do that would be to define the type \List\ +inductively as being an inductive family of type $\Set\ra\Set$: +\[\NInd{}{\List:\Set\ra\Set}{\Nil:(A:\Set)(\List~A),\cons : (A:\Set)A + \ra (\List~A) \ra (\List~A)}\] +There are drawbacks to this point of view. The +information which says that $(\List~\nat)$ is an inductively defined +\Set\ has been lost. +%\footnote{ +%The interested reader may look at the compare the above definition with the two +%following ones which have very different logical meaning:\\ +%$\NInd{}{\List:\Set}{\Nil:\List,\cons : (A:\Set)A +% \ra \List \ra \List}$ \\ +%$\NInd{}{\List:\Set\ra\Set}{\Nil:(A:\Set)(\List~A),\cons : (A:\Set)A +% \ra (\List~A\ra A) \ra (\List~A)}$.} + +In the system, we keep track in the syntax of the context of +parameters. The idea of these parameters is that they can be +instantiated and still we have an inductive definition for which we +know the specification. + +Formally the representation of an inductive declaration +will be +\Ind{\Gamma}{\Gamma_P}{\Gamma_I}{\Gamma_C} for an inductive +definition valid in a context $\Gamma$ with parameters $\Gamma_P$, a +context of definitions $\Gamma_I$ and a context of constructors +$\Gamma_C$. +The occurrences of the variables of $\Gamma_P$ in the contexts +$\Gamma_I$ and $\Gamma_C$ are bound. + +The definition \Ind{\Gamma}{\Gamma_P}{\;\Gamma_I}{\Gamma_C\;} will be +well-formed exactly when \NInd{\Gamma,\Gamma_P}{\;\Gamma_I}{\Gamma_C\;} is. +If $\Gamma_P$ is $[p_1:P_1;\ldots;p_r:P_r]$, an object in +\Ind{\Gamma}{\Gamma_P}{\Gamma_I}{\Gamma_C} applied to $q_1,\ldots,q_r$ +will behave as the corresponding object of +\NInd{\Gamma}{\substs{\Gamma_I}{p_i}{q_i}{i=1..r}}{\substs{\Gamma_C}{p_i}{q_i}{i=1..r}}. + +\paragraph{Examples} +The declaration for parameterized lists is: +\[\Ind{}{A:\Set}{\List:\Set}{\Nil:\List,\cons : A \ra \List \ra + \List}\] + +The declaration for the length of lists is: +\[\Ind{}{A:\Set}{\Length:(\List~A)\ra \nat\ra\Prop} + {\LNil:(\Length~(\Nil~A)~\nO),\\ + \LCons :(a:A)(l:(\List~A))(n:\nat)(\Length~l~n)\ra (\Length~(\cons~A~a~l)~(\nS~n))}\] + +The declaration for a mutual inductive definition of forests and trees is: +\[\NInd{[]}{\tree:\Set,\forest:\Set} + {\node:\forest \ra \tree, + \emptyf:\forest,\consf:\tree \ra \forest \ra \forest\-}\] + +These representations are the ones obtained as the result of the \Coq\ +declaration: +\begin{coq_example*} +Inductive Set nat := O : nat | S : nat -> nat. +Inductive list [A : Set] : Set := + nil : (list A) | cons : A -> (list A) -> (list A). +\end{coq_example*} +\begin{coq_example*} +Inductive Length [A:Set] : (list A) -> nat -> Prop := + Lnil : (Length A (nil A) O) + | Lcons : (a:A)(l:(list A))(n:nat) + (Length A l n)->(Length A (cons A a l) (S n)). +Mutual Inductive tree : Set := node : forest -> tree +with forest : Set := emptyf : forest | consf : tree -> forest -> forest. +\end{coq_example*} +The inductive declaration in \Coq\ is slightly different from the one +we described theoretically. The difference is that in the type of +constructors the inductive definition is explicitly applied to the +parameters variables. The \Coq\ type-checker verifies that all +parameters are applied in the correct manner in each recursive call. +In particular, the following definition will not be accepted because +there is an occurrence of \List\ which is not applied to the parameter +variable: +\begin{coq_example} +Inductive list [A : Set] : Set := + nil : (list A) | cons : A -> (list A->A) -> (list A). +\end{coq_example} + +\subsection{Types of inductive objects} +We have to give the type of constants in an environment $E$ which +contains an inductive declaration. + +\begin{description} +\item[Ind-Const] Assuming $\Gamma_P$ is $[p_1:P_1;\ldots;p_r:P_r]$, + $\Gamma_I$ is $[I_1:A_1;\ldots;I_k:A_k]$, and $\Gamma_C$ is + $[c_1:C_1;\ldots;c_n:C_n]$, + +\inference{\frac{\Ind{\Gamma}{\Gamma_P}{\Gamma_I}{\Gamma_C} \in E + ~~j=1\ldots k}{(I_j:(p_1:P_1)\ldots(p_r:P_r)A_j) \in E}} + +\inference{\frac{\Ind{\Gamma}{\Gamma_P}{\Gamma_I}{\Gamma_C} \in E + ~~~~i=1.. n} + {(c_i:(p_1:P_1)\ldots(p_r:P_r)\subst{C_i}{I_j}{(I_j~p_1\ldots + p_r)}_{j=1\ldots k})\in E}} +\end{description} + +\paragraph{Example.} +We have $(\List:\Set \ra \Set), (\cons:(A:\Set)A\ra(\List~A)\ra +(\List~A))$, \\ +$(\Length:(A:\Set)(\List~A)\ra\nat\ra\Prop)$, $\tree:\Set$ and $\forest:\Set$. + +From now on, we write $\ListA$ instead of $(\List~A)$ and $\LengthA$ +for $(\Length~A)$. + +%\paragraph{Parameters.} +%%The parameters introduce a distortion between the inside specification +%%of the inductive declaration where parameters are supposed to be +%%instantiated (this representation is appropriate for checking the +%%correctness or deriving the destructor principle) and the outside +%%typing rules where the inductive objects are seen as objects +%%abstracted with respect to the parameters. + +%In the definition of \List\ or \Length\, $A$ is a parameter because +%what is effectively inductively defined is $\ListA$ or $\LengthA$ for +%a given $A$ which is constant in the type of constructors. But when +%we define $(\LengthA~l~n)$, $l$ and $n$ are not parameters because the +%constructors manipulate different instances of this family. + +\subsection{Well-formed inductive definitions} +We cannot accept any inductive declaration because some of them lead +to inconsistent systems. We restrict ourselves to definitions which +satisfy a syntactic criterion of positivity. Before giving the formal +rules, we need a few definitions: + +\paragraph{Definitions}\index{Positivity}\label{Positivity} + +A type $T$ is an {\em arity of sort $s$}\index{Arity} +if it converts to the sort $s$ or to a +product $(x:T)U$ with $U$ an arity of sort $s$. (For instance $A\ra +\Set$ or $(A:\Prop)A\ra \Prop$ are arities of sort respectively \Set\ +and \Prop). +A {\em type of constructor of $I$}\index{Type of constructor} + is either a term $(I~t_1\ldots ~t_n)$ or +$(x:T)C$ with $C$ a {\em type of constructor of $I$}. + +\smallskip + +The type of constructor $T$ will be said to {\em satisfy the positivity +condition} for a constant $X$ in the following cases: + +\begin{itemize} +\item $T=(X~t_1\ldots ~t_n)$ and $X$ does not occur free in +any $t_i$ +\item $T=(x:T)U$ and $X$ occurs only strictly positively in $T$ and +the type $U$ satisfies the positivity condition for $X$ +\end{itemize} + +The constant $X$ {\em occurs strictly positively} in $T$ in the +following cases: + +\begin{itemize} +\item $X$ does not occur in $T$ +\item $T$ converts to $(X~t_1 \ldots ~t_n)$ and $X$ does not occur in any of $t_i$ +\item $T$ converts to $(x:U)V$ and $X$ does not occur in type $U$ but occurs strictly +positively in type $V$ +\item $T$ converts to $(I~a_1 \ldots ~a_m ~ t_1 \ldots ~t_p)$ where $I$ is the name of an +inductive declaration of the form $\Ind{\Gamma}{[p_1:P_1;\ldots;p_m:P_m]}{[I:A]}{[c_1:C_1;\ldots;c_n:C_n]}$ +(in particular, it is not mutually defined and it has $m$ parameters) +and $X$ does not occur in any of the $t_i$, and +the types of constructor $C_i\{p_j/a_j\}_{j=1\ldots m}$ of $I$ +satisfy the imbricated positivity condition for $X$ +%\item more generally, when $T$ is not a type, $X$ occurs strictly +%positively in $T[x:U]u$ if $X$ does not occur in $U$ but occurs +%strictly positively in $u$ +\end{itemize} + +The type constructor $T$ of $I$ {\em satisfies the imbricated +positivity condition} for a constant $X$ in the following +cases: + +\begin{itemize} +\item $T=(I~t_1\ldots ~t_n)$ and $X$ does not occur in +any $t_i$ +\item $T=(x:T)U$ and $X$ occurs only strictly positively in $T$ and +the type $U$ satisfies the imbricated positivity condition for $X$ +\end{itemize} + +\paragraph{Example} +$X$ occurs strictly positively in $A\ra X$ or $X*A$ or $({\tt list} +X)$ but not in $X \ra A$ or $(X \ra A)\ra A$ assuming the notion of +product and lists were already defined. Assuming $X$ has arity ${\tt +nat \ra Prop}$ and {\tt ex} is inductively defined existential +quantifier, the occurrence of $X$ in ${\tt (ex~ nat~ [n:nat](X~ n))}$ is +also strictly positive.\\ + +\paragraph{Correctness rules.} +We shall now describe the rules allowing the introduction of a new +inductive definition. + +\begin{description} +\item[W-Ind] Let $E$ be an environment and + $\Gamma,\Gamma_P,\Gamma_I,\Gamma_C$ are contexts such that + $\Gamma_I$ is $[I_1:A_1;\ldots;I_k:A_k]$ and $\Gamma_C$ is + $[c_1:C_1;\ldots;c_n:C_n]$. \\[3mm] +\inference{ + \frac{ + (\WTE{\Gamma;\Gamma_P}{A_j}{s'_j})_{j=1\ldots k} + ~~ (\WTE{\Gamma;\Gamma_P;\Gamma_I}{C_i}{s_{p_i}})_{i=1\ldots n} +} + {\WF{E;\Ind{\Gamma}{\Gamma_P}{\Gamma_I}{\Gamma_C}}{\Gamma}}}\\ +providing the following side conditions hold: +\begin{itemize} +\item $k>0$, $I_j$, $c_i$ are different names for $j=1\ldots k$ and $i=1\ldots n$, +\item for $j=1\ldots k$ we have $A_j$ is an arity of sort $s_j$ and $I_j + \notin \Gamma \cup E$, +\item for $i=1\ldots n$ we have $C_i$ is a type of constructor of + $I_{p_i}$ which satisfies the positivity condition for $I_1 \ldots I_k$ + and $c_i \notin \Gamma \cup E$. +\end{itemize} +\end{description} +One can remark that there is a constraint between the sort of the +arity of the inductive type and the sort of the type of its +constructors which will always be satisfied for impredicative sorts +(\Prop\ or \Set) but may generate constraints between universes. + + +%We shall assume for the following definitions that, if necessary, we +%annotated the type of constructors such that we know if the argument +%is recursive or not. We shall write the type $(x:_R T)C$ if it is +%a recursive argument and $(x:_P T)C$ if the argument is not recursive. + +\subsection{Destructors} +The specification of inductive definitions with arities and +constructors is quite natural. But we still have to say how to use an +object in an inductive type. + +This problem is rather delicate. There are actually several different +ways to do that. Some of them are logically equivalent but not always +equivalent from the computational point of view or from the user point +of view. + +From the computational point of view, we want to be able to define a +function whose domain is an inductively defined type by using a +combination of case analysis over the possible constructors of the +object and recursion. + +Because we need to keep a consistent theory and also we prefer to keep +a strongly normalising reduction, we cannot accept any sort of +recursion (even terminating). So the basic idea is to restrict +ourselves to primitive recursive functions and functionals. + +For instance, assuming a parameter $A:\Set$ exists in the context, we +want to build a function \length\ of type $\ListA\ra \nat$ which +computes the length of the list, so such that $(\length~\Nil) = \nO$ +and $(\length~(\cons~A~a~l)) = (\nS~(\length~l))$. We want these +equalities to be recognized implicitly and taken into account in the +conversion rule. + +From the logical point of view, we have built a type family by giving +a set of constructors. We want to capture the fact that we do not +have any other way to build an object in this type. So when trying to +prove a property $(P~m)$ for $m$ in an inductive definition it is +enough to enumerate all the cases where $m$ starts with a different +constructor. + +In case the inductive definition is effectively a recursive one, we +want to capture the extra property that we have built the smallest +fixed point of this recursive equation. This says that we are only +manipulating finite objects. This analysis provides induction +principles. + +For instance, in order to prove $(l:\ListA)(\LengthA~l~(\length~l))$ +it is enough to prove: + +\noindent $(\LengthA~\Nil~(\length~\Nil))$ and + +\smallskip +$(a:A)(l:\ListA)(\LengthA~l~(\length~l)) \ra +(\LengthA~(\cons~A~a~l)~(\length~(\cons~A~a~l)))$. +\smallskip + +\noindent which given the conversion equalities satisfied by \length\ is the +same as proving: +$(\LengthA~\Nil~\nO)$ and $(a:A)(l:\ListA)(\LengthA~l~(\length~l)) \ra +(\LengthA~(\cons~A~a~l)~(\nS~(\length~l)))$. + +One conceptually simple way to do that, following the basic scheme +proposed by Martin-L\"of in his Intuitionistic Type Theory, is to +introduce for each inductive definition an elimination operator. At +the logical level it is a proof of the usual induction principle and +at the computational level it implements a generic operator for doing +primitive recursion over the structure. + +But this operator is rather tedious to implement and use. We choose in +this version of Coq to factorize the operator for primitive recursion +into two more primitive operations as was first suggested by Th. Coquand +in~\cite{Coq92}. One is the definition by case +analysis. The second one is a definition by guarded fixpoints. + +\subsubsection{The {\tt Cases\ldots of \ldots end} construction.} +\label{Caseexpr} +\index{Cases@{\tt Cases\ldots of\ldots end}} + +The basic idea of this destructor operation is that we have an object +$m$ in an inductive type $I$ and we want to prove a property $(P~m)$ +which in general depends on $m$. For this, it is enough to prove the +property for $m = (c_i~u_1\ldots u_{p_i})$ for each constructor of $I$. + +This proof will be denoted by a generic term: +\[\Case{P}{m}{(c_1~x_{11}~...~x_{1p_1}) \mbox{\tt =>} f_1 \ldots +(c_n~x_{n1}~|~...~|~x_{np_n}) \mbox{\tt =>} f_n }\] +In this expression, if $m$ is a term built from a constructor +$(c_i~u_1\ldots u_{p_i})$ then the expression will behave as it is specified +with $i$-th branch and will reduce to $f_i$ where the $x_{i1}$\ldots $x_{ip_i}$ are +replaced by the $u_1\ldots u_p$ according to +the $\iota$-reduction.\\ + +This is the basic idea which is generalized to the case where $I$ is +an inductively defined $n$-ary relation (in which case the property +$P$ to be proved will be a $n+1$-ary relation). + +\paragraph{Non-dependent elimination.} +When defining a function by case analysis, we build an object of type $I +\ra C$ and the minimality principle on an inductively defined logical +predicate of type $A \ra \Prop$ is often used to prove a property +$(x:A)(I~x)\ra (C~x)$. This is a particular case of the dependent +principle that we stated before with a predicate which does not depend +explicitly on the object in the inductive definition. + +For instance, a function testing whether a list is empty +can be +defined as: + +\[[l:\ListA]\Case{[H:\ListA]\bool}{l}{\Nil~ \mbox{\tt =>}~\true~ |~ (\cons~a~m)~ \mbox{\tt =>}~\false}\] +\noindent {\bf Remark. } In the system \Coq\ the expression above, can be +written without mentioning +the dummy abstraction: +\Case{\bool}{l}{\Nil~ \mbox{\tt =>}~\true~ |~ (\cons~a~m)~ + \mbox{\tt =>}~ \false} + +\paragraph{Allowed elimination sorts.} +\index{Elimination sorts} + +An important question for building the typing rule for {\tt Case} is +what can be the type of $P$ with respect to the type of the inductive +definitions. + +Remembering that the elimination builds an object in $(P~m)$ from an +object in $m$ in type $I$ it is clear that we cannot allow any combination. + +For instance we cannot in general have $I$ has type \Prop\ +and $P$ has type $I\ra \Set$, because it will mean to build an informative +proof of type $(P~m)$ doing a case analysis over a non-computational +object that will disappear in the extracted program. +But the other way is safe +with respect to our interpretation we can have $I$ a computational +object and $P$ a non-computational one, it just corresponds to proving a +logical property of a computational object. + +Also if $I$ is in one of the sorts \{\Prop, \Set\}, one cannot in +general allow an elimination over a bigger sort such as \Type. +But this operation is safe whenever $I$ is a {\em small + inductive} type, which means that all the types of constructors of +$I$ are small with the following definition:\\ +$(I~t_1\ldots t_s)$ is a {\em small type of constructor} and $(x:T)C$ is a +small type of constructor if $C$ is and if $T$ has type \Prop\ or +\Set. +\index{Small inductive type} + +We call this particular elimination which gives the possibility to +compute a type by induction on the structure of a term, a {\em strong + elimination}\index{Strong elimination}. + + +We define now a relation \compat{I:A}{B} between an inductive +definition $I$ of type $A$, an arity $B$ which says that an object in +the inductive definition $I$ can be eliminated for proving a property +$P$ of type $B$. + +The \compat{I:A}{B} is defined as the smallest relation satisfying the +following rules: + +\begin{description} +\item[Prod] \inference{\frac{\compat{(I~x):A'}{B'}} + {\compat{I:(x:A)A'}{(x:A)B'}}} +\item[\Prop] \inference{\compat{I:\Prop}{I\ra\Prop}~~~~~ + \frac{I \mbox{~is a singleton definition}}{\compat{I:\Prop}{I\ra \Set}}} + +\item[\Set] \inference{\frac{s \in + \{\Prop, \Set\}}{\compat{I:\Set}{I\ra s}} +~~~~\frac{I \mbox{~is a small inductive definition}~~~~s \in + \{\Type(i)\}} + {\compat{I:\Set}{I\ra s}}} +\item[\Type] \inference{\frac{ + s \in \{\Prop,\Set,\Type(j)\}}{\compat{I:\Type(i)}{I\ra s}}} +\end{description} + +\paragraph{Notations.} +We write \compat{I}{B} for \compat{I:A}{B} where $A$ is the type of +$I$. + +%\paragraph{Warning: strong elimination} +%\index{Elimination!Strong elimination} +%In previous versions of Coq, for a small inductive definition, only the +%non-informative strong elimination on \Type\ was allowed, because +%strong elimination on \Typeset\ was not compatible with the current +%extraction procedure. In this version, strong elimination on \Typeset\ +%is accepted but a dummy element is extracted from it and may generate +%problems if extracted terms are explicitly used such as in the +%{\tt Program} tactic or when extracting ML programs. + +\paragraph{Singleton elimination} +\index{Elimination!Singleton elimination} + +A {\em singleton definition} has always an informative content, +even if it is a proposition. + +A {\em singleton +definition} has only one constructor and all the argument of this +constructor are non informative. In that case, there is a canonical +way to interpret the informative extraction on an object in that type, +such that the elimination on sort $s$ is legal. Typical examples are +the conjunction of non-informative propositions and the equality. In +that case, the term \verb!eq_rec! which was defined as an axiom, is +now a term of the calculus. +\begin{coq_example} +Print eq_rec. +Extraction eq_rec. +\end{coq_example} + +\paragraph{Type of branches.} +Let $c$ be a term of type $C$, we assume $C$ is a type of constructor +for an inductive definition $I$. Let $P$ be a term that represents the +property to be proved. +We assume $r$ is the number of parameters. + +We define a new type \CI{c:C}{P} which represents the type of the +branch corresponding to the $c:C$ constructor. +\[ +\begin{array}{ll} +\CI{c:(I_i~p_1\ldots p_r\ t_1 \ldots t_p)}{P} &\equiv (P~t_1\ldots ~t_p~c) \\[2mm] +\CI{c:(x: T)C}{P} &\equiv (x:T)\CI{(c~x):C}{P} +\end{array} +\] +We write \CI{c}{P} for \CI{c:C}{P} with $C$ the type of $c$. + +\paragraph{Examples.} +For $\ListA$ the type of $P$ will be $\ListA\ra s$ for $s \in +\{\Prop,\Set,\Type(i)\}$. \\ +$ \CI{(\cons~A)}{P} \equiv +(a:A)(l:\ListA)(P~(\cons~A~a~l))$. + +For $\LengthA$, the type of $P$ will be +$(l:\ListA)(n:\nat)(\LengthA~l~n)\ra \Prop$ and the expression +\CI{(\LCons~A)}{P} is defined as:\\ +$(a:A)(l:\ListA)(n:\nat)(h:(\LengthA~l~n))(P~(\cons~A~a~l)~(\nS~n)~(\LCons~A~a~l~n~l))$.\\ +If $P$ does not depend on its third argument, we find the more natural +expression:\\ +$(a:A)(l:\ListA)(n:\nat)(\LengthA~l~n)\ra(P~(\cons~A~a~l)~(\nS~n))$. + +\paragraph{Typing rule.} + +Our very general destructor for inductive definition enjoys the +following typing rule (we write {\Case{P}{c}{[x_{11}:T_{11}]\ldots[x_{1p_1}:T_{1p_1}]f_1\ldots [x_{n1}:T_{n1}]\ldots[x_{np_n}:T_{np_n}f_n} for \Case{P}{m}{(c_1~x_{11}~...~x_{1p_1}) \mbox{\tt =>} f_1 \ldots +(c_n~x_{n1}~|~...~|~x_{np_n}) \mbox{\tt =>} f_n }}): + +\begin{description} +\item[Case] \label{elimdep} \index{Typing rules!Case} +\inference{ +\frac{\WTEG{c}{(I~q_1\ldots q_r~t_1\ldots t_s)}~~ + \WTEG{P}{B}~~\compat{(I~q_1\ldots q_r)}{B} + ~~ +(\WTEG{f_i}{\CI{(c_{p_i}~q_1\ldots q_r)}{P}})_{i=1\ldots l}} +{\WTEG{\Case{P}{c}{f_1\ldots f_l}}{(P\ t_1\ldots t_s\ c)}}}%\\[3mm] + +provided $I$ is an inductive type in a declaration +\Ind{\Delta}{\Gamma_P}{\Gamma_I}{\Gamma_C} with $|\Gamma_P| = r$, +$\Gamma_C = [c_1:C_1;\ldots;c_n:C_n]$ and $c_{p_1}\ldots c_{p_l}$ are the +only constructors of $I$. +\end{description} + +\paragraph{Example.} +For \List\ and \Length\ the typing rules for the {\tt Case} expression +are (writing just $t:M$ instead of \WTEG{t}{M}, the environment and +context being the same in all the judgments). + +\[\frac{l:\ListA~~P:\ListA\ra s~~~f_1:(P~(\Nil~A))~~ + f_2:(a:A)(l:\ListA)(P~(\cons~A~a~l))} + {\Case{P}{l}{f_1~f_2}:(P~l)}\] + +\[\frac{ + \begin{array}[b]{c} +H:(\LengthA~L~N) \\ P:(l:\ListA)(n:\nat)(\LengthA~l~n)\ra + \Prop\\ + f_1:(P~(\Nil~A)~\nO~\LNil) \\ + f_2:(a:A)(l:\ListA)(n:\nat)(h:(\LengthA~l~n))(P~(\cons~A~a~n)~(\nS~n)~(\LCons~A~a~l~n~h)) + \end{array}} + {\Case{P}{H}{f_1~f_2}:(P~L~N~H)}\] + +\paragraph{Definition of $\iota$-reduction.}\label{iotared} +\index{iota-reduction@$\iota$-reduction} +We still have to define the $\iota$-reduction in the general case. + +A $\iota$-redex is a term of the following form: +\[\Case{P}{(c_{p_i}~q_1\ldots q_r~a_1\ldots a_m)}{f_1\ldots + f_l}\] +with $c_{p_i}$ the $i$-th constructor of the inductive type $I$ with $r$ +parameters. + +The $\iota$-contraction of this term is $(f_i~a_1\ldots a_m)$ leading +to the general reduction rule: +\[ \Case{P}{(c_{p_i}~q_1\ldots q_r~a_1\ldots a_m)}{f_1\ldots + f_n} \triangleright_{\iota} (f_i~a_1\ldots a_m) \] + +\subsection{Fixpoint definitions} +\label{Fix-term} \index{Fix@{\tt Fix}} +The second operator for elimination is fixpoint definition. +This fixpoint may involve several mutually recursive definitions. +The basic syntax for a recursive set of declarations is +\[\Fix{}{f_1:A_1:=t_1 \ldots f_n:A_n:=t_n}\] +The terms are obtained by projections from this set of declarations +and are written $\Fix{f_i}{f_1:A_1:=t_1 \ldots f_n:A_n:=t_n}$ + +\subsubsection{Typing rule} +The typing rule is the expected one for a fixpoint. + +\begin{description} +\item[Fix] \index{Typing rules!Fix} +\inference{\frac{(\WTEG{A_i}{s_i})_{i=1\ldots n}~~~~ + (\WTE{\Gamma,f_1:A_1,\ldots,f_n:A_n}{t_i}{A_i})_{i=1\ldots n}} + {\WTEG{\Fix{f_i}{f_1:A_1:=t_1 \ldots f_n:A_n:=t_n}}{A_i}}} +\end{description} + +Any fixpoint definition cannot be accepted because non-normalizing terms +will lead to proofs of absurdity. + +The basic scheme of recursion that should be allowed is the one needed for +defining primitive +recursive functionals. In that case the fixpoint enjoys special +syntactic restriction, namely one of the arguments belongs to an +inductive type, the function starts with a case analysis and recursive +calls are done on variables coming from patterns and representing subterms. + +For instance in the case of natural numbers, a proof of the induction +principle of type +\[(P:\nat\ra\Prop)(P~\nO)\ra((n:\nat)(P~n)\ra(P~(\nS~n)))\ra(n:\nat)(P~n)\] +can be represented by the term: +\[\begin{array}{l} +[P:\nat\ra\Prop][f:(P~\nO)][g:(n:\nat)(P~n)\ra(P~(\nS~n))]\\ +\Fix{h}{h:(n:\nat)(P~n):=[n:\nat]\Case{P}{n}{f~[p:\nat](g~p~(h~p))}} +\end{array} +\] + +Before accepting a fixpoint definition as being correctly typed, we +check that the definition is ``guarded''. A precise analysis of this +notion can be found in~\cite{Gim94}. + +The first stage is to precise on which argument the fixpoint will be +decreasing. The type of this argument should be an inductive +definition. + +For doing this the syntax of fixpoints is extended and becomes + \[\Fix{f_i}{f_1/k_1:A_1:=t_1 \ldots f_n/k_n:A_n:=t_n}\] +where $k_i$ are positive integers. +Each $A_i$ should be a type (reducible to a term) starting with at least +$k_i$ products $(y_1:B_1)\ldots (y_{k_i}:B_{k_i}) A'_i$ and $B_{k_i}$ +being an instance of an inductive definition. + +Now in the definition $t_i$, if $f_j$ occurs then it should be applied +to at least $k_j$ arguments and the $k_j$-th argument should be +syntactically recognized as structurally smaller than $y_{k_i}$ + + +The definition of being structurally smaller is a bit technical. +One needs first to define the notion of +{\em recursive arguments of a constructor}\index{Recursive arguments}. +For an inductive definition \Ind{\Gamma}{\Gamma_P}{\Gamma_I}{\Gamma_C}, +the type of a constructor $c$ have the form +$(p_1:P_1)\ldots(p_r:P_r)(x_1:T_1)\ldots (x_r:T_r)(I_j~p_1\ldots +p_r~t_1\ldots t_s)$ the recursive arguments will correspond to $T_i$ in +which one of the $I_l$ occurs. + + +The main rules for being structurally smaller are the following:\\ +Given a variable $y$ of type an inductive +definition in a declaration +\Ind{\Gamma}{\Gamma_P}{\Gamma_I}{\Gamma_C} +where $\Gamma_I$ is $[I_1:A_1;\ldots;I_k:A_k]$, and $\Gamma_C$ is + $[c_1:C_1;\ldots;c_n:C_n]$. +The terms structurally smaller than $y$ are: +\begin{itemize} +\item $(t~u), [x:u]t$ when $t$ is structurally smaller than $y$ . +\item \Case{P}{c}{f_1\ldots f_n} when each $f_i$ is structurally + smaller than $y$. \\ + If $c$ is $y$ or is structurally smaller than $y$, its type is an inductive + definition $I_p$ part of the inductive + declaration corresponding to $y$. + Each $f_i$ corresponds to a type of constructor $C_q \equiv + (y_1:B_1)\ldots (y_k:B_k)(I~a_1\ldots a_k)$ and can consequently be + written $[y_1:B'_1]\ldots [y_k:B'_k]g_i$. + ($B'_i$ is obtained from $B_i$ by substituting parameters variables) + the variables $y_j$ occurring + in $g_i$ corresponding to recursive arguments $B_i$ (the ones in + which one of the $I_l$ occurs) are structurally smaller than $y$. +\end{itemize} +The following definitions are correct, we enter them using the +{\tt Fixpoint} command as described in section~\ref{Fixpoint} and show +the internal representation. +\begin{coq_example} +Fixpoint plus [n:nat] : nat -> nat := + [m:nat]Case n of m [p:nat](S (plus p m)) end. +Print plus. +Fixpoint lgth [A:Set;l:(list A)] : nat := + Case l of O [a:A][l':(list A)](S (lgth A l')) end. +Print lgth. +Fixpoint sizet [t:tree] : nat + := Case t of [f:forest](S (sizef f)) end +with sizef [f:forest] : nat + := Case f of O [t:tree][f:forest](plus (sizet t) (sizef f)) end. +Print sizet. +\end{coq_example} + + +\subsubsection{Reduction rule} +\index{iota-reduction@$\iota$-reduction} +Let $F$ be the set of declarations: $f_1/k_1:A_1:=t_1 \ldots +f_n/k_n:A_n:=t_n$. +The reduction for fixpoints is: +\[ (\Fix{f_i}{F}~a_1\ldots +a_{k_i}) \triangleright_{\iota} \substs{t_i}{f_k}{\Fix{f_k}{F}}{k=1\ldots n}\] +when $a_{k_i}$ starts with a constructor. +This last restriction is needed in order to keep strong normalization +and corresponds to the reduction for primitive recursive operators. + +We can illustrate this behavior on examples. +\begin{coq_example} +Goal (n,m:nat)(plus (S n) m)=(S (plus n m)). +Reflexivity. +Abort. +Goal (f:forest)(sizet (node f))=(S (sizef f)). +Reflexivity. +Abort. +\end{coq_example} +But assuming the definition of a son function from \tree\ to \forest: +\begin{coq_example} + Definition sont : tree -> forest := [t]Case t of [f]f end. +\end{coq_example} +The following is not a conversion but can be proved after a case analysis. +\begin{coq_example} +Goal (t:tree)(sizet t)=(S (sizef (sont t))). +(* this one fails *) +Reflexivity. +Destruct t. +Reflexivity. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +\subsubsection{The {\tt Match \ldots with \ldots end} expression} +\label{Matchexpr} +%\paragraph{A unary {\tt Match\ldots with \ldots end}.} +\index{Match...with...end@{\tt Match \ldots with \ldots end}} +The {\tt Match} operator which was a primitive notion in older +presentations of the Calculus of Inductive Constructions is now just a +macro definition which generates the good combination of {\tt Case} +and {\tt Fix} operators in order to generate an operator for primitive +recursive definitions. It always considers an inductive definition as +a single inductive definition. + +The following examples illustrates this feature. +\begin{coq_example} +Definition nat_pr : (C:Set)C->(nat->C->C)->nat->C + :=[C,x,g,n]Match n with x g end. +Print nat_pr. +\end{coq_example} +\begin{coq_example} +Definition forest_pr + : (C:Set)C->(tree->forest->C->C)->forest->C + := [C,x,g,n]Match n with x g end. +\end{coq_example} + +% Cet exemple faisait error (HH le 12/12/96), j'ai change pour une +% version plus simple +%\begin{coq_example} +%Definition forest_pr +% : (P:forest->Set)(P emptyf)->((t:tree)(f:forest)(P f)->(P (consf t f))) +% ->(f:forest)(P f) +% := [C,x,g,n]Match n with x g end. +%\end{coq_example} + +The principles of mutual induction can be automatically generated +using the {\tt Scheme} command described in section~\ref{Scheme}. + +\section{Coinductive types} +The implementation contains also coinductive definitions, which are +types inhabited by infinite objects. +%They are described inchapter~\ref{Coinductives}. + +% $Id$ + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: + + diff --git a/doc/RefMan-coi.tex b/doc/RefMan-coi.tex new file mode 100755 index 000000000..7de3e69fe --- /dev/null +++ b/doc/RefMan-coi.tex @@ -0,0 +1,400 @@ +%\documentstyle[11pt,../tools/coq-tex/coq]{article} +%\input{title} + +%\include{macros} +%\begin{document} + +%\coverpage{Co-inductive types in Coq}{Eduardo Gim\'enez} +\chapter{Co-inductive types in Coq}\label{Coinductives} + +%\begin{abstract} +{\it Co-inductive} types are types whose elements may not be well-founded. +A formal study of the Calculus of Constructions extended by +co-inductive types has been presented +in \cite{Gim94}. It is based on the notion of +{\it guarded definitions} introduced by Th. Coquand +in \cite{Coquand93}. The implementation is by E. Gim\'enez. +%\end{abstract} + +\section{A short introduction to co-inductive types} + +We assume that the reader is rather familiar with inductive types. +These types are characterized by their {\it constructors}, which can be +regarded as the basic methods from which the elements +of the type can be built up. It is implicit in the definition +of an inductive type that +its elements are the result of a {\it finite} number of +applications of its constructors. Co-inductive types arise from +relaxing this implicit condition and admitting that an element of +the type can also be introduced by a non-ending (but effective) process +of construction defined in terms of the basic methods which characterize the +type. So we could think in the wider notion of types defined by +constructors (let us call them {\it recursive types}) and classify +them into inductive and co-inductive ones, depending on whether or not +we consider non-ending methods as admissible for constructing elements +of the type. Note that in both cases we obtain a ``closed type'', all whose +elements are pre-determined in advance (by the constructors). When we +know that $a$ is an element of a recursive type (no matter if it is +inductive or co-inductive) what we know is that it is the result of applying +one of the basic forms of construction allowed for the type. +So the more primitive way of eliminating an element of a recursive type is +by case analysis, i.e. by considering through which constructor it could have +been introduced. In the case of inductive sets, the additional knowledge that +constructors can be applied only a finite number of times provide +us with a more powerful way of eliminating their elements, say, +the principle of +induction. This principle is obviously not valid for co-inductive types, +since it is just the expression of this extra knowledge attached to inductive +types. + + +An example of a co-inductive type is the type of infinite sequences formed with +elements of type $A$, or streams for shorter. In Coq, +it can be introduced using the \verb!CoInductive! command~: +\begin{coq_example} +CoInductive Set Stream [A:Set] := cons : A->(Stream A)->(Stream A). +\end{coq_example} + +The syntax of this command is the same as the +command \verb!Inductive! (cf. section +\ref{gal_Inductive_Definitions}). +Definition of mutually coinductive types are possible. + +As was already said, there are not principles of +induction for co-inductive sets, the only way of eliminating these +elements is by case analysis. +In the example of streams, this elimination principle can be +used for instance to define the well known +destructors on streams $\hd : (\Str\;A)\rightarrow A$ +and $\tl: (\Str\;A)\rightarrow (\Str\;A)$ : +\begin{coq_example} +Section Destructors. +Variable A : Set. +Definition hd := [x:(Stream A)]Cases x of (cons a s) => a end. +Definition tl := [x:(Stream A)]Cases x of (cons a s) => s end. +\end{coq_example} +\begin{coq_example*} +End Destructors. +\end{coq_example*} + +\subsection{Non-ending methods of construction} + +At this point the reader should have realized that we have left unexplained +what is a ``non-ending but effective process of +construction'' of a stream. In the widest sense, a +method is a non-ending process of construction if we can eliminate the +stream that it introduces, in other words, if we can reduce +any case analysis on it. In this sense, the following ways of +introducing a stream are not acceptable. +\begin{center} +$\zeros = (\cons\;\nat\;\nO\;(\tl\;\zeros))\;\;:\;\;(\Str\;\nat)$\\[12pt] +$\filter\;(\cons\;A\;a\;s) = \si\;\;(P\;a)\;\;\alors\;\;(\cons\;A\;a\;(\filter\;s))\;\;\sinon\;\;(\filter\;s) )\;\;:\;\;(\Str\;A)$ +\end{center} +\noindent The former it is not valid since the stream can not be eliminated +to obtain its tail. In the latter, a stream is naively defined as +the result of erasing from another (arbitrary) stream +all the elements which does not verify a certain property $P$. This +does not always makes sense, for example it does not when all the elements +of the stream verify $P$, in which case we can not eliminate it to +obtain its head\footnote{Note that there is no notion of ``the empty +stream'', a stream is always infinite and build by a \texttt{cons}.}. +On the contrary, the following definitions are acceptable methods for +constructing a stream~: +\begin{center} +$\zeros = (\cons\;\nat\;\nO\;\zeros)\;\;:\;\;(\Str\;\nat)\;\;\;(*)$\\[12pt] +$(\from\;n) = (\cons\;\nat\;n\;(\from\;(\nS\;n)))\;:\;(\Str\;\nat)$\\[12pt] +$\alter = (\cons\;\bool\;\true\;(\cons\;\bool\;\false\;\alter))\;:\;(\Str\;\bool)$. +\end{center} +\noindent The first one introduces a stream containing all the natural numbers +greater than a given one, and the second the stream which infinitely +alternates the booleans true and false. + +In general it is not evident to realise when a definition can +be accepted or not. However, there is a class of definitions that +can be easily recognised as being valid : those +where (1) all the recursive calls of the method are done +after having explicitly mentioned which is (at least) the first constructor +to start building the element, and (2) no other +functions apart from constructors are applied to recursive calls. +This class of definitions is usually +referred as {\it guarded-by-constructors} +definitions \cite{Coquand93,Gim94}. +The methods $\from$ +and $\alter$ are examples of definitions which are guarded by constructors. +The definition of function $\filter$ is not, because there is no +constructor to guard +the recursive call in the {\it else} branch. Neither is the one of +$\zeros$, since there is function applied to the recursive call +which is not a constructor. However, there is a difference between +the definition of $\zeros$ and $\filter$. The former may be seen as a +wrong way of characterising an object which makes sense, and it can +be reformulated in an admissible way using the equation (*). On the contrary, +the definition of +$\filter$ can not be patched, since is the idea itself +of traversing an infinite +construction searching for an element whose existence is not ensured +which does not make sense. + + + +Guarded definitions are exactly the kind of non-ending process of +construction which are allowed in Coq. The way of introducing +a guarded definition in Coq is using the special command +{\tt CoFixpoint}. This command verifies that the definition introduces an +element of a co-inductive type, and checks if it is guarded by constructors. +If we try to +introduce the definitions above, $\from$ and $\alter$ will be accepted, +while $\zeros$ and $\filter$ will be rejected giving some explanation +about why. +\begin{coq_example} +CoFixpoint zeros : (Stream nat) := (cons nat O (tl nat zeros)). +CoFixpoint zeros : (Stream nat) := (cons nat O zeros). +CoFixpoint from : nat->(Stream nat) := [n:nat](cons nat n (from (S n))). +\end{coq_example} + +As in the \verb!Fixpoint! command (cf. section~\ref{Fixpoint}), it is possible +to introduce a block of mutually dependent methods. The general syntax +for this case is : + +{\tt CoFixpoint {\ident$_1$} :{\term$_1$} := {\term$_1'$}\\ + with\\ + \mbox{}\hspace{0.1cm} $\ldots$ \\ + with {\ident$_m$} : {\term$_m$} := {\term$_m'$}} + + +\subsection{Non-ending methods and reduction} + +The elimination of a stream introduced by a \verb!CoFixpoint! definition +is done lazily, i.e. its definition can be expanded only when it occurs +at the head of an application which is the argument of a case expression. +Isolately it is considered as a canonical expression which +is completely evaluated. We can test this using the command \verb!Compute! +to calculate the normal forms of some terms~: +\begin{coq_example} +Eval Compute in (from O). +Eval Compute in (hd nat (from O)). +Eval Compute in (tl nat (from O)). +\end{coq_example} +\noindent Thus, the equality +$(\from\;n)\equiv(\cons\;\nat\;n\;(\from \; (\S\;n)))$ +does not hold as definitional one. Nevertheless, it can be proved +as a propositional equality, in the sense of Leibniz's equality. +The version {\it à la Leibniz} of the equality above follows from +a general lemma stating that eliminating and then re-introducing a stream +yields the same stream. +\begin{coq_example} +Lemma unfold_Stream : + (x:(Stream nat))(x=(Cases x of (cons a s) => (cons nat a s) end)). +\end{coq_example} + +\noindent The proof is immediate from the analysis of +the possible cases for $x$, which transforms +the equality in a trivial one. + +\begin{coq_example} +Destruct x. +Trivial. +\end{coq_example} +\begin{coq_eval} +Save. +\end{coq_eval} +The application of this lemma to $(\from\;n)$ puts this +constant at the head of an application which is an argument +of a case analysis, forcing its expansion. +We can test the type of this application using Coq's command \verb!Check!, +which infers the type of a given term. +\begin{coq_example} +Check [n:nat](unfold_Stream (from n)). +\end{coq_example} + \noindent Actually, The elimination of $(\from\;n)$ has actually +no effect, because it is followed by a re-introduction, +so the type of this application is in fact +definitionally equal to the +desired proposition. We can test this computing +the normal form of the application above to see its type. +\begin{coq_example} +Transparent unfold_Stream. +Eval Compute in [n:nat](unfold_Stream (from n)). +\end{coq_example} + + +\section{Reasoning about infinite objects} + +At a first sight, it might seem that +case analysis does not provide a very powerful way +of reasoning about infinite objects. In fact, what we can prove about +an infinite object using +only case analysis is just what we can prove unfolding its method +of construction a finite number of times, which is not always +enough. Consider for example the following method for appending +two streams~: +\begin{coq_example} +Variable A:Set. +CoFixpoint conc : (Stream A)->(Stream A)->(Stream A) + := [s1,s2:(Stream A)](cons A (hd A s1) (conc (tl A s1) s2)). +\end{coq_example} + +Informally speaking, we expect that for all pair of streams $s_1$ and $s_2$, +$(\conc\;s_1\;s_2)$ +defines the ``the same'' stream as $s_1$, +in the sense that if we would be able to unfold the definition +``up to the infinite'', we would obtain definitionally equal normal forms. +However, no finite unfolding of the definitions gives definitionally +equal terms. Their equality can not be proved just using case analysis. + + +The weakness of the elimination principle proposed for infinite objects +contrast with the power provided by the inductive +elimination principles, but it is not actually surprising. It just means +that we can not expect to prove very interesting things about infinite +objects doing finite proofs. To take advantage of infinite objects we +have to consider infinite proofs as well. For example, +if we want to catch up the equality between $(\conc\;s_1\;s_2)$ and +$s_1$ we have to introduce first the type of the infinite proofs +of equality between streams. This is a +co-inductive type, whose elements are build up from a +unique constructor, requiring a proof of the equality of the +heads of the streams, and an (infinite) proof of the equality +of their tails. + +\begin{coq_example} +CoInductive EqSt : (Stream A)->(Stream A)->Prop := + eqst : (s1,s2:(Stream A)) + (hd A s1)=(hd A s2)-> + (EqSt (tl A s1) (tl A s2))->(EqSt s1 s2). +\end{coq_example} +\noindent Now the equality of both streams can be proved introducing +an infinite object of type + +\noindent $(\EqSt\;s_1\;(\conc\;s_1\;s_2))$ by a \verb!CoFixpoint! +definition. +\begin{coq_example} +CoFixpoint eqproof : (s1,s2:(Stream A))(EqSt s1 (conc s1 s2)) + := [s1,s2:(Stream A)] + (eqst s1 (conc s1 s2) + (refl_equal A (hd A (conc s1 s2))) (eqproof (tl A s1) s2)). +\end{coq_example} +\begin{coq_eval} +Reset eqproof. +\end{coq_eval} +\noindent Instead of giving an explicit definition, +we can use the proof editor of Coq to help us in +the construction of the proof. +A tactic \verb!Cofix! allows to place a \verb!CoFixpoint! definition +inside a proof. +This tactic introduces a variable in the context which has +the same type as the current goal, and its application stands +for a recursive call in the construction of the proof. If no name is +specified for this variable, the name of the lemma is chosen by +default. +%\pagebreak + +\begin{coq_example} +Lemma eqproof : (s1,s2:(Stream A))(EqSt s1 (conc s1 s2)). +Cofix. +\end{coq_example} + +\noindent An easy (and wrong!) way of finishing the proof is just to apply the +variable \verb!eqproof!, which has the same type as the goal. + +\begin{coq_example} +Intros. +Apply eqproof. +\end{coq_example} + +\noindent The ``proof'' constructed in this way +would correspond to the \verb!CoFixpoint! definition +\begin{coq_example*} +CoFixpoint eqproof : (s1:(Stream A))(s2:(Stream A))(EqSt s1 (conc s1 s2)) + := eqproof. +\end{coq_example*} + +\noindent which is obviously non-guarded. This means that +we can use the proof editor to +define a method of construction which does not make sense. However, +the system will never accept to include it as part of the theory, +because the guard condition is always verified before saving the proof. + +\begin{coq_example} +Qed. +\end{coq_example} + +\noindent Thus, the user must be careful in the +construction of infinite proofs +with the tactic \verb!Cofix!. Remark that once it has been used +the application of tactics performing automatic proof search in +the environment (like for example \verb!Auto!) +could introduce unguarded recursive calls in the proof. +The command \verb!Guarded! allows to verify +if the guarded condition has been violated +during the construction of the proof. This command can be +applied even if the proof term is not complete. + + + +\begin{coq_example} +Restart. +Cofix. +Auto. +Guarded. +Undo. +Guarded. +\end{coq_example} + +\noindent To finish with this example, let us restart from the +beginning and show how to construct an admissible proof~: + +\begin{coq_example} +Restart. +Cofix. +\end{coq_example} + +%\pagebreak + +\begin{coq_example} +Intros. +Apply eqst. +Trivial. +Simpl. +Apply eqproof. +Qed. +\end{coq_example} + + +\section{Experiments with co-inductive types} + +Some examples involving co-inductive types are available with +the distributed system, in the theories library and in the contributions +of the Lyon site. Here we present a short description of their contents~: +\begin{itemize} +\item Directory \verb!theories/LISTS! : + \begin{itemize} + \item File \verb!Streams.v! : The type of streams and the +extensional equality between streams. + \end{itemize} + +\item Directory \verb!contrib/Lyon/COINDUCTIVES! : + \begin{itemize} + \item Directory \verb!ARITH! : An arithmetic where $\infty$ +is an explicit constant of the language instead of a metatheoretical notion. + \item Directory \verb!STREAM! : + \begin{itemize} + \item File \verb!Examples! : +Several examples of guarded definitions, as well as +of frequent errors in the introduction of a stream. A different +way of defining the extensional equality of two streams, +and the proofs showing that it is equivalent to the one in \verb!theories!. + \item File \verb!Alter.v! : An example showing how +an infinite proof introduced by a guarded definition can be also described +using an operator of co-recursion \cite{Gimenez95b}. + \end{itemize} +\item Directory \verb!PROCESSES! : A proof of the alternating +bit protocol based on Pra\-sad's Calculus of Broadcasting Systems \cite{Prasad93}, +and the verification of an interpreter for this calculus. +See \cite{Gimenez95b} for a complete description about this development. + \end{itemize} +\end{itemize} + +%\end{document} + +% $Id$ diff --git a/doc/RefMan-com.tex b/doc/RefMan-com.tex new file mode 100755 index 000000000..88cf650a1 --- /dev/null +++ b/doc/RefMan-com.tex @@ -0,0 +1,251 @@ +\chapter{The \Coq~commands}\label{Addoc-coqc} +\ttindex{coqtop} +\ttindex{coqc} + +There are two \Coq~commands: + +\bigskip +\begin{tabular}{l@{\quad:\quad}l} + -- {\tt coqtop} & The \Coq\ toplevel (interactive mode) ; \\[1em] + -- {\tt coqc} & The \Coq\ compiler (batch compilation). +\end{tabular} +\bigskip + +The options are (basically) the same for the two commands, and +roughly described below. You can also look at the \verb!man! pages of +\verb!coqtop! and \verb!coqc! for more details. + + +\section{Interactive use ({\tt coqtop})} +In the interactive mode, also known as the \Coq~toplevel, the user can develop his theories and proofs +step by step. The \Coq~toplevel is ran by the +command {\tt coqtop}. This toplevel is based on a Caml toplevel (to +allow the dynamic link of tactics). You can switch to the Caml +toplevel with the command \verb!Drop.!, and come back to the +\Coq~toplevel with the command \verb!Coqtoplevel.go();;!. + +\index{byte-code} +\index{native code} +\label{binary-images} +They are three different binary images of \Coq: the byte-code one, +the native-code one and the full native-code one. When invoking +\verb!coqtop!, the byte-code version of the system is used. The +command \verb!coqtop -opt! runs a native-code version of the +\Coq~system, and the command \verb!coqtop -full! a native-code version +with the implementation code of all the tactics (that is with the code +of the tactics \verb!Linear!, \verb!Ring! and \verb!Omega! which then +can be required by \verb=Require=) and tools (\verb!Extraction! and +\verb!Natural! which again become available through the command +\verb=Require=). Those toplevels are significantly faster than the +byte-code one. Notice that it is no longer possible to access the +Caml toplevel, neither to load tactics. + +The command \verb!coqtop -searchisos! runs the search tool {\sf +Coq\_SearchIsos} (see section~\ref{coqsearchisos}, +page~\pageref{coqsearchisos}) and, as the \Coq~system, can be combined with the +option \verb!-opt!. + +\section{Batch compilation ({\tt coqc})} +The {\tt coqc} command takes a name {\em file} as argument. Then it +looks for a vernacular file named {\em file}{\tt .v}, and tries to +compile it into a {\em file}{\tt .vo} file (See ~\ref{compiled}). +With the \verb!-i! option, it compiles the specification module {\em +file}{\tt .vi}. + +\Warning The name {\em file} must be a regular {\Coq} identifier, as +defined in the section \ref{lexical}. It +must only contain letters, digits or underscores +(\_). Thus it can be \verb+/bar/foo/toto.v+ but not +\verb+/bar/foo/to-to+ . + +Notice that the \verb!-opt! and \verb!-full! options are still +available with \verb!coqc! and allow you to compile \Coq\ files with +an efficient version of the system. + + +\section{Resource file} +\index{Resource file} + +When \Coq\ is launched, with either {\tt coqtop} or {\tt coqc}, the +resource file \verb:$HOME/.coqrc.6.2.4: is loaded, where \verb:$HOME: is +the home directory of the user. If this file is not found, then the +file \verb:$HOME/.coqrc: is searched. You can also specify an +arbitrary name for the resource file (see option \verb:-init-file: +below), or the name of another user to load the resource file of +someone else (see option \verb:-user:). + +This file may contain, for instance, \verb:AddPath: commands to add +directories to the load path of \Coq. You can use the environment +variable \verb:$COQLIB: which refer to the \Coq\ +library. Remember that the +default load path already contains the following directories: +\begin{verbatim} + . + $CAMLP4LIB + $COQLIB/tactics/tcc + $COQLIB/tactics/programs/EXAMPLES + $COQLIB/tactics/programs + $COQLIB/tactics/contrib/polynom + $COQLIB/tactics/contrib/omega + $COQLIB/tactics/contrib/natural + $COQLIB/tactics/contrib/linear + $COQLIB/tactics/contrib/extraction + $COQLIB/tactics/contrib/acdsimpl/simplify_rings + $COQLIB/tactics/contrib/acdsimpl/simplify_naturals + $COQLIB/tactics/contrib/acdsimpl/acd_simpl_def + $COQLIB/tactics/contrib/acdsimpl + $COQLIB/tactics/contrib + $COQLIB/theories/ZARITH + $COQLIB/theories/TREES + $COQLIB/theories/TESTS + $COQLIB/theories/SORTING + $COQLIB/theories/SETS + $COQLIB/theories/RELATIONS/WELLFOUNDED + $COQLIB/theories/RELATIONS + $COQLIB/theories/LOGIC + $COQLIB/theories/LISTS + $COQLIB/theories/INIT + $COQLIB/theories/DEMOS/PROGRAMS + $COQLIB/theories/DEMOS/OMEGA + $COQLIB/theories/DEMOS + $COQLIB/theories/BOOL + $COQLIB/theories/REALS + $COQLIB/theories/ARITH + $COQLIB/tactics + $COQLIB/states +\end{verbatim} + +It is possible to skip the loading of the resource file with the +option \verb:-q:. + +\section{Environment variables} +\label{EnvVariables} +\index{Environment variables} + +There are 3 environment variables used by the \Coq\ system. +\verb:$COQBIN: for the directory where the binaries are, +\verb:$COQLIB: for the directory whrer the standard library is, and +\verb:$COQTOP: for the directory of the sources. The latter is useful +only for developpers that are writing there own tactics using +\texttt{do\_Makeffile} (see \ref{Makefile}). If \verb:$COQBIN: or +\verb:$COQLIB: are not defined, \Coq\ will use the default values +(choosen at installation time). So these variables are useful onlt if +you move the \Coq\ binaries and library after installation. + +\section{Options} +\index{Options of the command line} + +The following command-line options are recognized by the commands {\tt + coqc} and {\tt coqtop}: + +\begin{description} +\item[{\tt -opt}]\ \\ + Run the native-code version of \Coq{} (or {\sf Coq\_SearchIsos} for {\tt +coqtop}). + +\item[{\tt -full}]\ \\ + Run a native-code version of {\Coq} with all tactics. + +\item[{\tt -I} {\em directory}, {\tt -include} {\em directory}]\ \\ + Add {\em directory} to the searched directories when looking for a + file. + +\item[{\tt -R} {\em directory}]\ \\ + Add recursively {\em directory} to the searched directories when looking for + a file. + +\item[{\tt -is} {\em file}, {\tt -inputstate} {\em file}]\ \\ + Cause \Coq~to use the state put in the file {\em file} as its input + state. The default state is {\em tactics.coq}. + Mainly useful to build the standard input state. + +\item[{\tt -nois}]\ \\ + Cause \Coq~to begin with an empty state. Mainly useful to build the + standard input state. + +\item[{\tt -notactics}]\ \\ + Forbid the dynamic loading of tactics, and start on the input state + {\em state.coq}. + +\item[{\tt -init-file} {\em file}]\ \\ + Take {\em file} as resource file, instead of {\tt \$HOME/.coqrc.6.2.4}. + +\item[{\tt -q}]\ \\ + Cause \Coq~not to load the resource file. + +\item[{\tt -user} {\em username}]\ \\ + Take resource file of user {\em username} (that is + \verb+~+{\em username}{\tt /.coqrc.6.2.4}) instead of yours. + +\item[{\tt -load-ml-source} {\em file}]\ \\ + Load the Caml source file {\em file}. + +\item[{\tt -load-ml-object} {\em file}]\ \\ + Load the Caml object file {\em file}. + +\item[{\tt -load-vernac-source} {\em file}]\ \\ + Load \Coq~file {\em file}{\tt .v} + +\item[{\tt -load-vernac-object} {\em file}]\ \\ + Load \Coq~compiled file {\em file}{\tt .vo} + +%\item[{\tt -preload} {\em file}]\ \\ +%Add {\em file}{\tt .vo} to the files to be loaded and opened +%before making the initial state. +% +\item[{\tt -require} {\em file}]\ \\ + Load \Coq~compiled file {\em file}{\tt .vo} and import it ({\tt + Require} {\em file}). + +\item[{\tt -batch}]\ \\ + Batch mode : exit just after arguments parsing. This option is only + used by {\tt coqc}. + +\item[{\tt -debug}]\ \\ + Switch on the debug flag. + +\item[{\tt -emacs}]\ \\ + Tells \Coq\ it is executed under Emacs. + +\item[{\tt -db}]\ \\ + Launch \Coq\ under the Objective Caml debugger (provided that \Coq\ + has been compiled for debugging; see next chapter). + +\item[{\tt -image} {\em file}]\ \\ + This option sets the binary image to be used to be {\em file} + instead of the standard one. Not of general use. + +\item[{\tt -bindir} {\em directory}]\ \\ + It is equivalent to do \texttt{export COQBIN=}{\em directory} + before lauching \Coq. + +\item[{\tt -libdir} {\em file}]\ \\ + It is equivalent to do \texttt{export COQLIB=}{\em directory} + before lauching \Coq. + + +\item[{\tt -where}]\ \\ + Print the \Coq's standard library location and exit. + +\item[{\tt -v}]\ \\ + Print the \Coq's version and exit. + +\item[{\tt -h}, {\tt --help}]\ \\ + Print a short usage and exit. +\end{description} + +{\tt coqtop} owns an additional option: + +\begin{description} +\item[{\tt -searchisos}]\ \\ + Launch the {\sf Coq\_SearchIsos} toplevel + (see section~\ref{coqsearchisos}, page~\pageref{coqsearchisos}). +\end{description} + +See the manual pages for more details. +% $Id$ + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/RefMan-cover.tex b/doc/RefMan-cover.tex new file mode 100644 index 000000000..d5a832eed --- /dev/null +++ b/doc/RefMan-cover.tex @@ -0,0 +1,48 @@ +\documentstyle[RRcover]{book} + % L'utilisation du style `french' force le résumé français à + % apparaître en premier. + +\RRtitle{Manuel de r\'ef\'erence du syst\`eme Coq \\ version V6.3} +\RRetitle{The Coq Proof Assistant \\ Reference Manual \\ Version 6.3 +\thanks +{This research was partly supported by ESPRIT Basic Research +Action ``Types'' and by the GDR ``Programmation'' co-financed by MRE-PRC and CNRS.} +} +\RRauthor{Bruno Barras, Samuel Boutin, Cristina Cornes, +Judica\"el Courant, Jean-Christophe Filli\^atre, Eduardo Gim\'enez, +Hugo Herbelin, G\'erard Huet, C\'esar Mu\~noz, Chetan Murthy, +Catherine Parent, Christine Paulin-Mohring, +Amokrane Sa{\"\i}bi, Benjamin Werner} +\authorhead{} +\titlehead{Coq V6.2 Reference Manual} +\RRtheme{2} +\RRprojet{Coq} +\RRNo{0123456789} +\RRdate{May 1997} +%\RRpages{} +\URRocq + +\RRresume{Coq est un syst\`eme permettant le d\'eveloppement et la +v\'erification de preuves formelles dans une logique d'ordre +sup\'erieure incluant un riche langage de d\'efinitions de fonctions. +Ce document constitue le manuel de r\'ef\'erence de la version V6.1 +qui est distribu\'ee par ftp anonyme aux adresses +ftp.inria.fr:/INRIA/Projects/coq/V6.1 et +ftp.ens-lyon.fr:/pub/LIP/COQ/V6.1} + +\RRmotcle{Coq, Syst\`eme d'aide \`a la preuve, Preuves formelles, +Calcul des Constructions Inductives} + + +\RRabstract{Coq is a proof assistant based on a higher-order logic +allowing powerful definitions of functions. +Coq V6.1 is available by anonymous +ftp at ftp.inria.fr:/INRIA/Projects/coq/V6.1 and +ftp.ens-lyon.fr:/pub/LIP/COQ/V6.1} + +\RRkeyword{Coq, Proof Assistant, Formal Proofs, Calculus of Inductives +Constructions} + +\begin{document} +\makeRT +\end{document} diff --git a/doc/RefMan-ext.tex b/doc/RefMan-ext.tex new file mode 100644 index 000000000..7811dfcd5 --- /dev/null +++ b/doc/RefMan-ext.tex @@ -0,0 +1,747 @@ +\chapter{Extensions of {\sf Gallina}} +\label{Gallina-extension}\index{Gallina} + +{\gallina} is the kernel language of {\Coq}. We describe here extensions of +the Gallina's syntax. + +\section{Record types}\comindex{Record} +\label{Record} + +The \verb+Record+ function is a macro allowing +the definition of records as is done in many programming languages. +Its syntax is described on figure \ref{record-syntax}. + +\begin{figure} +\begin{tabular}{|lcl|} +\hline +{\sentence} & ::= & {\record}\\ + & & \\ +{\record} & ::= & {\tt Record} {\ident} {\tt [} {\params} {\tt ] :} {\sort} + \verb.:=. \zeroone{\ident} \verb!{! + \zeroone{\nelist{\field}{;}} + \verb!}! \verb:.:\\ + & & \\ +{\field} & ::= & {\ident} \verb.:. {\term} \\ +\hline +\end{tabular} +\caption{Syntax for the definition of {\tt Record}} +\label{record-syntax} +\end{figure} + +\noindent In the command +``{\tt Record} {\ident} {\tt [} {\params} {\tt ]} \texttt{:} + {\sort} := {\ident$_0$} \verb+{+ + {\ident$_1$} \texttt{:} {\term$_1$}; + \dots + {\ident$_n$} \texttt{:} {\term$_n$} \verb+}+.'', +the identifier {\ident} is the name of the defined record and {\sort} +is its type. The identifier {\ident$_0$} is the name of its +constructor. The identifiers {\ident$_1$}, .., {\ident$_n$} are the +names of its fields and {\term$_1$}, .., {\term$_n$} their respective +types. Records can have parameters. + +\Example +The set of rational numbers may be defined as: +\begin{coq_eval} +Restore State Initial. +\end{coq_eval} +\begin{coq_example} +Record Rat : Set := mkRat { + top : nat; + bottom : nat; + Rat_cond : (gt bottom O) }. +\end{coq_example} + +A field may depend on other fields appearing before it. +For instance in the above example, the field +\verb+Rat_cond+ depends on the field \verb+bottom+. Thus the order of +the fields is important. + +Let us now see the work done by the {\tt Record} macro. +First the macro generates a inductive definition +with just one constructor: + +\medskip +\noindent +{\tt Inductive {\ident} [ {\params} ] : {\sort} := \\ +\mbox{}\hspace{0.4cm} {\ident$_0$} : ({\ident$_1$}:{\term$_1$}) .. +({\ident$_n$}:{\term$_n$})({\ident} {\rm\sl params}).} +\medskip + +To build an object of type {\ident}, one should provide the +constructor {\ident$_0$} with $n$ terms filling the fields of +the record. + +Let us define the rational $1/2$. + +\begin{coq_example*} +Theorem two_is_positive : (gt (S (S O)) O). +Repeat Constructor. +Save. +Definition half := (mkRat (S O) (S (S O)) two_is_positive). +\end{coq_example*} +\begin{coq_example} +Check half. +\end{coq_example} + +The macro generates also, when it is possible, the projection +functions for destructuring an object of type {\ident}. +These projection functions have the same name that the corresponding +field. In our example: + +\begin{coq_example} +Eval Compute in (top half). +Eval Compute in (bottom half). +Eval Compute in (Rat_cond half). +\end{coq_example} +\begin{coq_eval} +Restore State Initial. +\end{coq_eval} + +\begin{Warnings} +\item {\tt Warning: {\ident$_i$} cannot be defined.}\\ + It can happens that the definition of a projection is impossible. + This message is followed by an explanation of this impossibility. + There may be three reasons: + \begin{enumerate} + \item The name {\ident$_i$} already exists in the environment (see + section \ref{Axiom}). + \item The body of {\ident$_i$} uses a incorrect elimination for + {\ident} (see sections \ref{Fixpoint} and \ref{Caseexpr}). + \item {\tt The projections [ {\rm\sl idents} ] were not defined.}\\ + The body of {\term$_i$} uses the projections {\rm\sl idents} + which are not defined for one of these three reasons listed here. + \end{enumerate} +\end{Warnings} + +\begin{ErrMsgs} +\item \errindex{A record cannot be recursive}\\ + The record name {\ident} appears in the type of its fields. + + During the definition of the one-constructor inductive definition, + all the errors of inductive definitions, as described in section + \ref{gal_Inductive_Definitions}, may occur. +\end{ErrMsgs} + +\begin{Variants} +\item +\noindent +{\tt Record {\ident} [ {\rm\sl params} ] : {\sort} := \verb+{+ \\ +\mbox{}\hspace{0.4cm} {\ident$_1$} : {\term$_1$}; \\ +\mbox{}\hspace{0.4cm} ... \\ +\mbox{}\hspace{0.4cm} {\ident$_n$} : {\term$_n$} \verb+}+.}\\ + +One can omit the constructor name in which case the system will use +the name {\tt Build\_{\ident}}. +\end{Variants} + +\section{Variants and extensions of {\tt Cases}} +\label{ExtensionsOfCases} +\index{Cases@{\tt Cases\ldots of\ldots end}} + +\subsection{ML-style pattern-matching} +\index{ML-like patterns} +\label{Mult-Cases} + +The basic version of \verb+Cases+ allows pattern-matching on simple +patterns. As an extension, multiple and nested patterns are +allowed, as in ML-like languages. + +The extension just acts as a macro that is expanded during parsing +into a sequence of {\tt Cases} on simple patterns. Especially, a +construction defined using the extended {\tt Cases} is printed under +its expanded form. + +The syntax of the extended {\tt Cases} is presented in figure +\ref{ecases-grammar}. +Note the annotation is mandatory when the sequence of equation is +empty. + +\begin{figure}[t] +\begin{tabular}{|rcl|} +\hline +{\nestedpattern} & := & {\ident} \\ + & $|$ & \_ \\ + & $|$ & \texttt{(} {\ident} \nelist{\nestedpattern}{} \texttt{)} \\ + & $|$ & \texttt{(} {\nestedpattern} \texttt{as} {\ident} \texttt{)} \\ + & $|$ & \texttt{(} {\nestedpattern} \texttt{,} {\nestedpattern} \texttt{)} \\ + & $|$ & \texttt{(} {\nestedpattern} \texttt{)} \\ + &&\\ + +{\multpattern} & := & \nelist{nested\_pattern}{} \\ + && \\ + +{\exteqn} & := & {\multpattern} \texttt{=>} {\term} \\ + && \\ + +{\term} & := & + \zeroone{\annotation} \texttt{Cases} \nelist{\term}{} \texttt{of} +\sequence{\exteqn}{$|$} \texttt{end} \\ +\hline +\end{tabular} +\caption{extended Cases syntax.} +\label{ecases-grammar} +\end{figure} + +\SeeAlso chapter \ref{Mult-Cases-full}. + +\subsection{Pattern-matching on boolean values: the {\tt if} expression} +\index{if@{\tt if ... then ... else}} + +For inductive types isomorphic to the boolean types (i.e. two +constructors without arguments), it is possible to use a {\tt if +... then ... else} notation. This enriches the syntax of terms as follows: + +\medskip +\begin{tabular}{rcl} +term & := & \zeroone{\annotation} {\tt if} {\term} {\tt then} {\term} {\tt else} {\term}\\ +\end{tabular} +\medskip + +For instance, the definition + +\begin{coq_example} +Definition not := [b:bool] Cases b of true => false | false => true end. +\end{coq_example} + +can be alternatively written + +\begin{coq_eval} +Reset not. +\end{coq_eval} +\begin{coq_example} +Definition not := [b:bool] if b then false else true. +\end{coq_example} + +\subsection{Irrefutable patterns: the destructuring {\tt let}} +\index{let in@{\tt let ... in}} +\label{Letin} + +Terms in an inductive type having only one constructor, say {\tt foo}, have +necessarily the form \texttt{(foo ...)}. In this case, the {\tt Cases} +construction can be replaced by a {\tt let ... in ...} construction. +This enriches the syntax of terms as follows: + +\medskip +\begin{tabular}{rcl} + & $|$ & \zeroone{\annotation} {\tt let (} \nelist{\ident}{,} {\tt ) =} {\term} {\tt in} {\term} \\ +\end{tabular} +\medskip + +For instance, the definition + +\begin{coq_example} +Definition fst := [A,B:Set][H:A*B] Cases H of (pair x y) => x end. +\end{coq_example} + +can be alternatively written + +\begin{coq_eval} +Reset fst. +\end{coq_eval} +\begin{coq_example} +Definition fst := [A,B:Set][p:A*B] let (x,_) = p in x. +\end{coq_example} + +The pretty-printing of a definition by cases on a irrefutable pattern +can either be done using {\tt Cases} or the {\tt let} +construction (see section \ref{printing-options}). + +\subsection{Options for pretty-printing of {\tt Cases}} +\label{printing-options} + +There are three options controlling the pretty-printing of {\tt Cases} +expressions. + +\subsubsection{Printing of wildcard pattern} +\comindex{Set Printing Wildcard} +\comindex{Unset Printing Wildcard} +\comindex{Print Printing Wildcard} + +Some variables in a pattern may not occur in the right-hand side of +the pattern-matching clause. There are options to control the +display of these variables. + +\subsubsection{\tt Set Printing Wildcard.} + The variables having no occurrences +in the right-hand side of the pattern-matching clause are just +printed using the wildcard symbol ``{\tt \_}''. + +\subsubsection{\tt Unset Printing Wildcard.} +The variables, even useless, are printed using their usual name. But some +non dependent variables have no name. These ones are still printed +using a ``{\tt \_}''. + +\subsubsection{\tt Print Printing Wildcard.} +This tells if the wildcard +printing mode is on or off. The default is to print wildcard for +useless variables. + +\subsubsection{Printing of the elimination predicate} +\comindex{Set Printing Synth} +\comindex{Unset Printing Synth} +\comindex{Print Printing Synth} + +In most of the cases, the type of the result of a matched term is +mechanically synthesizable. Especially, if the result type does not +depend of the matched term. + +\subsubsection{\tt Set Printing Synth.} +The result type is not printed +when it is easily synthesizable. + +\subsubsection{\tt Unset Printing Synth.} +This forces the result type to be always printed (and then between +angle brackets). + +\subsubsection{\tt Print Printing Synth.} +This tells if the non-printing +of synthesizable types is on or off. The default is to not print +synthesizable types. + +\subsubsection{Printing matching on irrefutable pattern} +\comindex{Add Printing Let {\ident}} +\comindex{Remove Printing Let {\ident}} +\comindex{Test Printing Let {\ident}} +\comindex{Print Printing Let} + +If an inductive type has just one constructor, +pattern-matching can be written using {\tt let} ... {\tt =} +... {\tt in}~... + +\subsubsection{\tt Add Printing Let {\ident}.} +This adds {\ident} to the list +of inductive types for which pattern-matching is written using a {\tt +let} expression. + +\subsubsection{\tt Remove Printing Let {\ident}.} +This removes {\ident} from this list. + +\subsubsection{\tt Test Printing Let {\ident}.} +This tells if {\ident} belongs +to the list. + +\subsubsection{\tt Print Printing Let.} +This prints the list of inductive types +for which pattern-matching is written using a {\tt +let} expression. + +The table of inductive types for which pattern-matching is written +using a {\tt let} expression is managed synchronously. This means that +it is sensible to the command {\tt Reset}. + + +\subsubsection{Printing matching on booleans} +\comindex{Add Printing If {\ident}} +\comindex{Remove Printing If {\ident}} +\comindex{Test Printing If {\ident}} +\comindex{Print Printing If} + +If an inductive type is isomorphic to the boolean type, +pattern-matching can be written using {\tt if} ... {\tt then} +... {\tt else} ... + +\subsubsection{\tt Add Printing If {\ident}.} +This adds {\ident} to the list +of inductive types for which pattern-matching is written using an {\tt +if} expression. + +\subsubsection{\tt Remove Printing If {\ident}.} +This removes {\ident} from this list. + +\subsubsection{\tt Test Printing If {\ident}.} +This tells if {\ident} belongs +to the list. + +\subsubsection{\tt Print Printing If.} +This prints the list of inductive types +for which pattern-matching is written using an {\tt +if} expression. + +The table of inductive types for which pattern-matching is written +using an {\tt if} expression is managed synchronously. This means that +it is sensible to the command {\tt Reset}. + +\subsubsection{Example} + +This example emphasizes what the printing options offer. + +\begin{coq_example} +Test Printing Let prod. +Print fst. +Remove Printing Let prod. +Unset Printing Synth. +Unset Printing Wildcard. +Print snd. +\end{coq_example} + +\subsection{Still not dead old notations} + +The following variant of {\tt Cases} is inherited from older version +of {\Coq}. + +\medskip +\begin{tabular}{lcl} +{\term} & ::= & {\annotation} {\tt Match} {\term} {\tt with} {\terms} {\tt end}\\ +\end{tabular} +\medskip + +This syntax is a macro generating a combination of {\tt Cases} with {\tt +Fix} implementing a combinator for primitive recursion equivalent to +the {\tt Match} construction of \Coq\ V5.8. It is provided only for +sake of compatibility with \Coq\ V5.8. It is recommended to avoid it. +(see section~\ref{Matchexpr}). + +There is also a notation \texttt{Case} that is the +ancestor of \texttt{Cases}. Again, it is still in the code for +compatibility with old versions but the user should not use it. + +\section{Forced type} + +In some cases, one want to assign a particular type to a term. The +syntax to force the type of a term is the following: + +\medskip +\begin{tabular}{lcl} +{\term} & ::= & {\tt (} {\term} {\tt ::} {\term} {\tt )}\\ +\end{tabular} +\medskip + +It forces the first term to be of type the second term. The +type must be compatible with +the term. More precisely it must be either a type convertible to +the automatically inferred type (see chapter \ref{Cic}) or a type +coercible to it, (see \ref{Coercions}). When the type of a +whole expression is forced, it is usually not necessary to give the types of +the variables involved in the term. + +Example: + +\begin{coq_example} +Definition ID := (X:Set) X -> X. +Definition id := (([X][x]x) :: ID). +Check id. +\end{coq_example} + +\section{Local definitions} +\index{let in@{\tt let ... in}} +In addition to the destructuring {\tt let} (see section +\ref{Letin}), there is a possibility to define local terms inside a +bigger term. +There are currently two equivalent syntaxes for that: + +\medskip +\begin{tabular}{lcl} +{\term} & ::= & {\tt let} {\ident} {\tt =} {\term} {\tt in} {\term}\\ + & $|$ & {\tt [} {\ident} {\tt =} {\term} {\tt ]} {\term} +\end{tabular} +\medskip + +\section{Section mechanism}\index{Sections}\label{Section} +The sectioning mechanism allows to organize a proof in structured +sections. Then local declarations become available (see section +\ref{Simpl-definitions}). + +\subsection{\tt Section {\ident}}\comindex{Section} +This command is used to open a section named {\ident}. + + +\begin{Variants} +\comindex{Chapter} +\item{\tt Chapter {\ident}}\\ + Same as {\tt Section {\ident}} +\end{Variants} + +\subsection{\tt End {\ident}}\comindex{End} +This command closes the section named {\ident}. When a section is +closed, all local declarations are discharged. This means that all +global objects defined in the section are {\it closed} (in the sense +of $\lambda$-calculus) with as many abstractions as there were local +declarations in the section explicitly occurring in the term. A local +object in the section is not exported and its value will be +substituted in the other definitions. + +Here is an example : +\begin{coq_example} +Section s1. +Variables x,y : nat. +Local y' := y. +Definition x' := (S x). +Print x'. +End s1. +Print x'. +\end{coq_example} +Note the difference between the value of {\tt x'} inside section {\tt + s1} and outside. + +\begin{ErrMsgs} +\item \errindex{Section {\ident} does not exist (or is already closed)} +\item \errindex{Section {\ident} is not the innermost section} +\end{ErrMsgs} + +\begin{Remarks} +\item Most commands, like {\tt Hint \ident} or {\tt Syntactic + Definition} which appear inside a section are cancelled when the +section is closed. +\item Usually, all identifiers must be distinct. +However, a name already used in a closed section (see \ref{Section}) +can be reused. In this case, the old name is no longer accessible. +\item A module implicitly open a section. Be careful not to name a +module with an identifier already used in the module (see \ref{compiled}). +\end{Remarks} + +\section{Implicit arguments}\index{implicit arguments} + +The {\Coq} system allows to skip during a function application certain +arguments that can be automatically inferred from the other +arguments. Such arguments are called {\em implicit}. Typical implicit +arguments are the type arguments in polymorphic functions. + +The user can force a subterm to be guessed by replacing it by +{\tt ?}. If possible, the correct subterm will be automatically generated. + +\ErrMsg +\begin{enumerate} +\item \errindex{There is an unknown subterm I cannot solve} \\ + {\Coq} was not able to deduce an instantiation of a ``?''. +\end{enumerate} + +In addition, there are two ways to systematically avoid to write +``{\tt ?}'' where a term can be automatically inferred. + +The first mode is automatic. Switching to this mode forces some +easy-to-infer subterms to always be implicit. +The command to use the second mode is {\tt Syntactic +Definition}. + +\subsection{Auto-detection of implicit arguments} +\label{Auto-implicit} + +There is an automatic mode to declare as implicit some arguments of +constants and variables which have a functional type. In this mode, +to every declared object (even inductive types and theirs constructors) is +associated the list of the positions of its implicit arguments. These +implicit arguments correspond to the arguments which can be deduced +from the following ones. Thus when one applies these functions to +arguments, one can omit the implicit ones. They are then automatically +replaced by symbols ``?'', to be inferred by the mechanism of +synthesis of implicit arguments. + +\subsubsection{\tt Implicit Arguments {\switch}.} +\comindex{Implicit Arguments} +\label{Implicit Arguments} + +If {\switch} is {\tt On} then the command switches on the automatic +mode. If {\switch} is {\tt Off} then the command switches off the +automatic mode. The mode {\tt Off} is the default mode. + +The computation of implicit arguments takes account of the +unfolding of constants. For instance, the variable {\tt p} below has +a type {\tt (Transitivity R)} which is reducible to {\tt (x,y:U)(R x +y) -> (z:U)(R y z) -> (R x z)}. As the variables {\tt x}, {\tt y} and +{\tt z} appear in the body of the type, they are said implicit; they +correspond respectively to the positions {\tt 1}, {\tt 2} and {\tt 4}. + +\begin{coq_example*} +Implicit Arguments On. +Variable X : Type. +Definition Relation := X -> X -> Prop. +Definition Transitivity := [R:Relation] + (x,y:X)(R x y) -> (z:X)(R y z) -> (R x z). +Variables R:Relation; p:(Transitivity R). +\end{coq_example*} +\begin{coq_example} +Print p. +\end{coq_example} +\begin{coq_example*} +Variables a,b,c:X; r1:(R a b); r2:(R b c). +\end{coq_example*} +\begin{coq_example} +Check (p r1 r2). +\end{coq_example} + +\subsubsection{Explicit Applications} + +The mechanism of synthesis of implicit arguments is not complete, so +we have sometimes to give explicitly certain implicit arguments of an +application. The syntax is {\tt $i$!}{\term} where $i$ is the position +of an implicit argument and {\term} is its corresponding explicit +term. The number $i$ is called {\em explicitation number}. We can +also give all the arguments of an application, we have then to write +{\tt (!{\ident}~{\term}$_1$..{\term}$_n$)}. + +\ErrMsg +\begin{enumerate} +\item \errindex{Bad explicitation number} +\end{enumerate} + +\Example + +\begin{coq_example} +Check (p r1 4!c). +Check (!p a b r1 c r2). +\end{coq_example} + +\subsubsection{Implicit Arguments and Pretty-Printing} + +The basic pretty-printing rules hide the implicit arguments of an +application. However an implicit argument {\term} of an application +which is not followed by any explicit argument is printed as follows +$i!${\term} where $i$ is its position. + +\subsection{User-defined implicit arguments: {\tt Syntactic definition}} +\comindex{Syntactic Definition} +\label{Syntactic-Definition} + +The syntactic definitions define syntactic constants, i.e. give a name +to a term possibly untyped but syntactically correct. Their syntax +is: + +\begin{center} +\verb+Syntactic Definition+ $name$ \verb+:=+ $term$ \verb+.+ \\ +\end{center} + +Syntactic definitions behave like macros: every occurrence of a +syntactic constant in an expression is immediately replaced by its +body. + +Let us extend our functional language with the definition of the +identity function: + +\begin{coq_eval} +Implicit Arguments Off. +Reset Initial. +\end{coq_eval} +\begin{coq_example} +Definition explicit_id := [A:Set][a:A]a. +\end{coq_example} + +\index{questionmark@{\texttt{?}}} +We declare also a syntactic definition {\tt id}: + +\begin{coq_example} +Syntactic Definition id := (explicit_id ?). +\end{coq_example} + +The term {\tt (explicit\_id ?)} is untyped since the implicit +arguments cannot be synthesized. There is no type check during this +definition. Let us see what happens when we use a syntactic constant +in an expression like in the following example. + +\begin{coq_example} +Check (id O). +\end{coq_example} + +\noindent First the syntactic constant {\tt id} is replaced by its +body {\tt (explicit\_id ?)} in the expression. Then the resulting +expression is evaluated by the typechecker, which fills in +``\verb+?+'' place-holders. + +The standard usage of syntactic definitions is to give names to terms +applied to implicit arguments ``\verb+?+''. In this case, a special +command is provided: + +\begin{center} +\verb+Syntactic Definition+ $name$ \verb+:=+ $term$ \verb+|+ $n$ \verb+.+ \\ +\end{center} + +\noindent The body of the syntactic constant is $term$ applied to $n$ +place-holders ``\verb+?+''. + +We can define a new syntactic definition {\tt id1} for {\tt + explicit\_id} using this command. We changed the name of the +syntactic constant in order to avoid a name conflict with {\tt id}. + +\begin{coq_example} +Syntactic Definition id1 := explicit_id | 1. +\end{coq_example} + +The new syntactic constant {\tt id1} has the same behavior as {\tt + id}: + +\begin{coq_example} +Check (id1 O). +\end{coq_example} + + +\begin{Warnings} +\item Syntactic constants defined inside a section are no longer + available after closing the section. +\item You cannot see the body of a syntactic constant with a {\tt + Print} command. +\end{Warnings} + +\section{Implicit Coercions} +\label{Coercions}\index{Coercions} + +Coercions can be used to implicitly inject terms from one ``class'' in +which they reside into another one. A {\em class} is either a sort +(denoted by the keyword SORTCLASS), a product type (denoted by the +keyword FUNCLASS) or an inductive type (denoted by its name). + +Then the user is able to apply an +object that is not a function, but can be coerced to a function, and +more generally to consider that a term of type A is of type B provided +that there is a declared coercion between A and B. + +\subsection{\tt Class {\ident}.}\comindex{Class} +Declares the name {\ident} as a new class. + +\begin{Variant} +\item {\tt Class Local {\ident}.} \\ +Declares the name {\ident} as a new local class to the current section. +\end{Variant} + +\subsection{\tt Coercion {\ident} : {\ident$_1$} >-> {\ident$_2$}.} +\comindex{Coercion} + +Declares the name {\ident} as a coercion between {\ident$_1$} and +{\ident$_2$}. The classes {\ident$_1$} and {\ident$_2$} are first +declared if necessary. + +\begin{Variants} +\item {\tt Coercion Local {\ident} : {\ident$_1$} >-> {\ident$_2$}.}\comindex{Coercion Local}\\ +Declares the name {\ident} as a coercion local to the current section. + +\item {\tt Identity Coercion {\ident}:{\ident$_1$} >-> + {\ident$_2$}.}\comindex{Identity Coercion}\\ +Coerce an inductive type to a subtype of it. + +\item {\tt Identity Coercion Local {\ident}:{\ident$_1$} >-> {\ident$_2$}.} \\ +Idem but locally to the current section. + +\item {\tt Coercion {\ident} := {\term}}\comindex{Coercion}\\ + This defines {\ident} just like \texttt{Definition {\ident} := + {\term}}, and then declares {\ident} as a coercion between it + source and its target. + +\item {\tt Coercion {\ident} := {\term} : {\type}}\\ + This defines {\ident} just like + \texttt{Definition {\ident} : {\type} := {\term}}, and then + declares {\ident} as a coercion between it source and its target. + +\item {\tt Coercion Local {\ident} := {\term}}\comindex{Local Coercion}\\ + This defines {\ident} just like \texttt{Local {\ident} := + {\term}}, and then declares {\ident} as a coercion between it + source and its target. + +\end{Variants} + +\subsection{Displaying available coercions} + +\subsubsection{\tt Print Classes.}\comindex{Print Classes} +Print the list of declared classes in the current context. + +\subsubsection{\tt Print Coercions.}\comindex{Print Coercions} +Print the list of declared coercions in the current context. + +\subsubsection{\tt Print Graph.}\comindex{Print Graph} +Print the list of valid path coercions in the current context. + +\SeeAlso the technical chapter \ref{Coercions-full} on coercions. + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/RefMan-gal.tex b/doc/RefMan-gal.tex new file mode 100644 index 000000000..ac7182630 --- /dev/null +++ b/doc/RefMan-gal.tex @@ -0,0 +1,1209 @@ +\chapter{The {\sf Gallina} specification language} +\label{Gallina}\index{Gallina} + +This chapter describes \gallina, the specification language of Coq. +It allows to develop mathematical theories and to prove specifications +of programs. The theories are built from axioms, hypotheses, +parameters, lemmas, theorems and definitions of constants, functions, +predicates and sets. The syntax of logical objects involved in +theories is described in section \ref{term}. The language of +commands, called {\em The Vernacular} is described in section +\ref{Vernacular}. + +In Coq, logical objects are typed to ensure their logical +correctness. The rules implemented by the typing algorithm are described in +chapter \ref{Cic}. + +\subsection*{About the grammars in the manual} + +Grammars are presented in Backus-Naur form (BNF). Terminal symbols are +set in {\tt typewriter font}. In addition, there are special +notations for regular expressions. + +An expression enclosed in square brackets \zeroone{\ldots} means at +most one occurrence of this expression (this corresponds to an +optional component). + +The notation ``\nelist{\gensymbol}{sep}'' stands for a non empty +sequence of expressions parsed by the ``{\gensymbol}'' entry and +separated by the literal ``{\tt sep}''\footnote{This is similar to the +expression ``{\gensymbol} $\{$ {\tt sep} {\gensymbol} $\}$'' in +standard BNF, or``{\gensymbol} $($ {\tt sep} {\gensymbol} $)$*'' in +the syntax of regular expressions.}. + +Similarly, the notation ``\nelist{\gensymbol}{}'' stands for a non +empty sequence of expressions parsed by the ``{\gensymbol}'' entry, +without any separator between. + +At the end, the notation ``\sequence{\gensymbol}{\tt sep}'' stands for a +possibly empty sequence of expressions parsed by the ``{\gensymbol}'' entry, +separated by the literal ``{\tt sep}''. + +\section{Lexical conventions} +\label{lexical}\index{Lexical conventions} + +\paragraph{Blanks} +Space, newline and horizontal tabulation are considered as blanks. +Blanks are ignored but they separate tokens. + +\paragraph{Comments} + +Comments in {\Coq} are enclosed between {\tt (*} and {\tt + *)}\index{Comments}, and can be nested. Comments are treated as +blanks. + +\paragraph{Identifiers} + +Identifiers, written {\ident}, are sequences of letters, digits, +\verb!_!, \verb!$! %$ +and \verb!'!, that do not start with a digit or \verb!'!. That is, +they are recognized by the following lexical class: + +\index{ident@\ident} +\begin{center} +\begin{tabular}{rcl} +{\firstletter} & ::= & \ml{a..z}\op\ml{A..Z}\op\ml{\_}\op\ml{\$} \\ +{\subsequentletter} & ::= & \ml{a..z}\op\ml{A..Z}\op\ml{0..9}\op\ml{\_}\op\ml{\$}\op\ml{'} \\ +{\ident} & ::= & {\firstletter}\sequencewithoutblank{\subsequentletter}{}\\ +\end{tabular} +\end{center} +Identifiers can contain at most 80 characters, and all characters are +meaningful. In particular, identifiers are case-sensitive. + +\paragraph{Natural numbers and integers} +Numerals are sequences of digits. Integers are numerals optionally preceded by a minus sign. + +\index{num@{\num}} +\begin{center} +\begin{tabular}{r@{\quad::=\quad}l} +{\digit} & \ml{0..9} \\ +{\num} & \nelistwithoutblank{\digit}{} \\ +{\integer} & \zeroone{\ml{-}}{\num} \\ +\end{tabular} +\end{center} + +\paragraph{Strings} +Strings are delimited by \verb!"! (double quote), and enclose a +sequence of any characters different from \verb!"! and \verb!\!, or +one of the following sequences +\begin{center} +\begin{tabular}{|l|l|} +\hline +Sequence & Character denoted \\ +\hline +\verb"\\" & backslash (\verb"\") \\ +\verb'\"' & double quote (\verb'"') \\ +\verb"\n" & newline (LF) \\ +\verb"\r" & return (CR) \\ +\verb"\t" & horizontal tabulation (TAB) \\ +\verb"\b" & backspace (BS) \\ +\verb"\"$ddd$ & the character with ASCII code $ddd$ in decimal \\ +\hline +\end{tabular} +\end{center} +Strings can be split on several lines using a backslash (\verb!\!) at +the end of each line, just before the newline. For instance, + +\begin{flushleft} +\begin{small} +\begin{verbatim} +AddPath "$COQLIB/\ +contrib/Rocq/LAMBDA". +\end{verbatim} +\end{small} +\end{flushleft} + +is correctly parsed, and equivalent to + +\begin{coq_example*} +AddPath "$COQLIB/contrib/Rocq/LAMBDA". +\end{coq_example*} + +\paragraph{Keywords} +The following identifiers are reserved keywords, and cannot be +employed otherwise: +\begin{center} +\begin{tabular}{lllll} +\verb!as! & +\verb!end! & +\verb!in! & +\verb!of! & +\verb!using! \\ +\verb!with! & +\verb!Axiom! & +\verb!Cases! & +\verb!CoFixpoint! & +\verb!CoInductive!\\ +\verb!Compile! & +\verb!Definition! & +\verb!Fixpoint! & +\verb!Grammar! & +\verb!Hypothesis! \\ +\verb!Inductive! & +\verb!Load! & +%%\verb!Orelse! & +\verb!Parameter! & +\verb!Proof! & +\verb!Prop! \\ +\verb!Qed! & +\verb!Quit! & +\verb!Set! & +\verb!Syntax! & +\verb!Theorem! \\ +\verb!Type! & +\verb!Variable! & & & +\end{tabular} +\end{center} + +Although they are not considered as keywords, it is not advised to use +words of the following list as identifiers: +\begin{center} +\begin{tabular}{lllll} +\verb!Add! & +\verb!AddPath! & +\verb!Abort! & +\verb!Abstraction!& +\verb!All! \\ +\verb!Begin! & +\verb!Cd! & +\verb!Chapter! & +\verb!Check! & +\verb!Compute! \\ +% \verb!Conjectures! \\ que dans Show Conjectures sans conflit avec ident +\verb!Defined! & +\verb!DelPath! & +\verb!Drop! & +\verb!End! & +\verb!Eval! \\ +% \verb!Explain! n'est pas documente +\verb!Extraction! & +\verb!Fact! & +\verb!Focus! & +% \verb!for! n'intervient que pour Scheme ... Induction ... sans conflit +% \verb!Go! n'est pas documente et semble peu robuste aux erreurs +\verb!Goal! & +\verb!Guarded! \\ +\verb!Hint! & +\verb!Immediate! & +\verb!Induction! & +\verb!Infix! & +\verb!Inspect! \\ +\verb!Lemma! & +\verb!Let! & +\verb!LoadPath! & +\verb!Local! & +\verb!Minimality! \\ +\verb!ML! & +\verb!Module! & +\verb!Modules! & +\verb!Mutual! & +% \verb!Node! que dans Show Node sans conflit avec ident +\verb!Opaque! \\ +\verb!Parameters! & +\verb!Print! & +\verb!Pwd! & +\verb!Remark! & +\verb!Remove! \\ +\verb!Require! & +\verb!Reset! & +\verb!Restart! & +\verb!Restore! & +\verb!Resume! \\ +\verb!Save! & +\verb!Scheme! & +% \verb!Script! que dans Show Script sans conflit avec ident +\verb!Search! & +\verb!Section! & +\verb!Show! \\ +\verb!Silent! & +\verb!State! & +\verb!States! & +\verb!Suspend! & +\verb!Syntactic! \\ +\verb!Test! & +\verb!Transparent!& +% \verb!Tree! que dans Show Tree et Explain Proof Tree sans conflit avec id +\verb!Undo! & +\verb!Unset! & +\verb!Unfocus! \\ +\verb!Variables! & +\verb!Write! & & & +\end{tabular} +\end{center} + +\paragraph{Special tokens} +The following sequences of characters are special tokens: +\begin{center} +\begin{tabular}{lllllll} +\verb!|! & +\verb!:! & +\verb!:=! & +\verb!=! & +\verb!>! & +\verb!>>! & +\verb!<>! \\ +\verb!<<! & +\verb!<! & +\verb!->! & +\verb!;! & +\verb!#! & +\verb!*! & +\verb!,! \\ +\verb!?! & +\verb!@! & +\verb!::! & +\verb!/! & +\verb!<-! & +\verb!=>! & +\end{tabular} +\end{center} + +Lexical ambiguities are resolved according to the ``longest match'' +rule: when a sequence of non alphanumerical characters can be decomposed +into several different ways, then the first token is the longest +possible one (among all tokens defined at this moment), and so on. + +\section{Terms}\label{term}\index{Terms} +\subsection{Syntax of terms} + +Figure \ref{term-syntax} describes the basic set of terms which form +the {\em Calculus +of Inductive Constructions} (also called \CIC). The formal +presentation of {\CIC} is given in chapter \ref{Cic}. Extensions of +this syntax are given in chapter +\ref{Gallina-extension}. How to customize the syntax is described in +chapter \ref{Addoc-syntax}. + +\begin{figure}[htb] +\begin{tabular}{|lcl|} +\hline +{\term} & ::= & \ident\\ + & $|$ & \sort \\ + & $|$ & {\term} {\tt ->} {\term} \\ + & $|$ & {\tt (} {\nelist{\typedidents}{;}} {\tt )} {\term}\\ + & $|$ & {\tt [} {\nelist{\idents}{;}} {\tt ]} {\term}\\ + & $|$ & {\tt (} \nelist{\term}{} {\tt )}\\ + & $|$ & {\tt \zeroone{\annotation}} {\tt Cases} {\term} {\tt of} + \sequence{\eqn}{|} {\tt end}\\ + & $|$ & {\tt Fix} {\ident} \verb.{. \nelist{\fixpointbody}{with} \verb.}.\\ + & $|$ & {\tt CoFix} {\ident} \verb.{. \nelist{\cofixpointbody}{with} \verb.}.\\ + & & \\ +{\sort} & ::= & {\tt Prop} \\ + & $|$ & {\tt Set} \\ + & $|$ & {\tt Type} \\ + & & \\ +{\annotation} & ::= & \verb!<! {\term} \verb!>!\\ + & & \\ +{\typedidents} & ::= & \nelist{\ident}{,} {\tt :} {\term}\\ +{\idents} & ::= & \nelist{\ident}{,} \zeroone{{\tt :} {\term}}\\ + & & \\ +{\fixpointbody} & ::= & {\ident} {\tt [} \nelist{\typedidents}{;} {\tt ]}\verb.:. + {\term} \verb.:=. {\term} \\ +{\cofixpointbody} & ::= & {\ident} \verb.:. + {\term} \verb.:=. {\term} \\ + & &\\ +{\simplepattern} & ::= & {\ident} \\ + & $|$ & \verb!(! \nelist{\ident}{} \verb!)! \\ +{\eqn} & ::= & {\simplepattern} ~\verb!=>! ~\term \\ +\hline +\end{tabular} +\caption{Syntax of terms} +\label{term-syntax} +\index{term@{\term}} +\index{sort@{\sort}} +\end{figure} + +%%%%%%% +\subsection{Identifiers} + +Identifiers denotes either {\em variables}, {\em constants}, +{\em inductive types} or {\em constructors of inductive types}. + +\subsection{Sorts}\index{Sorts} +\index{Type@{\Type}} +\index{Set@{\Set}} +\index{Prop@{\Prop}} +\index{Sorts} +\label{Gallina-sorts} + +There are three sorts \Set, \Prop\ and \Type. + +\begin{itemize} +\item \Prop\ is the universe of {\em logical propositions}. +The logical propositions themselves are typing the proofs. +We denote propositions by {\form}. This constitutes a semantic +subclass of the syntactic class {\term}. +\index{form@{\form}} +\item \Set\ is is the universe of {\em program +types} or {\em specifications}. +The specifications themselves are typing the programs. +We denote specifications by {\specif}. This constitutes a semantic +subclass of the syntactic class {\term}. +\index{specif@{\specif}} +\item {\Type} is the type of {\Set} and {\Prop} +\end{itemize} + +\noindent More on sorts can be found in section \ref{Sorts}. + +\subsection{Types} + +{\Coq} terms are typed. {\Coq} types are recognized by the same +syntactic class as {\term}. We denote by {\type} the semantic subclass +of types inside the syntactic class {\term}. +\index{type@{\type}} + +\subsection{Abstractions} +\index{abstractions} + +The expression ``{\tt [} {\ident} {\tt :} \type {\tt ]} +{\term}'' denotes the {\em abstraction} of the variable {\ident} +of type {\type}, over the term {\term}. + +One can abstract several variables successively: +the notation {\tt [} {\ident$_{1}$} {\tt ,} {\ldots} {\tt ,} +{\ident$_{n}$} {\tt :} \type {\tt ]} {\term} stands for +{\tt [} {\ident$_{1}$} {\tt :} \type {\tt ](} {\ldots} +{\tt ([} {\ident$_{n}$} {\tt :} \type {\tt ]} {\term} {\tt )} +\ldots {\tt )} and the notation {\tt [} {\typedidents$_{1}$} {\tt ;} +{\ldots} {\tt ;} {\typedidents$_{m}$} {\tt ]} {\term} is a shorthand +for {\tt [}~{\typedidents$_{1}$} {\tt ](} {\ldots} {\tt ([} +{\typedidents$_{m}$} {\tt ]} {\term} {\tt )}\\ {\tt [} {\ident$_{1}$} +{\tt ,} {\ldots} {\tt ,} {\ident$_{n}$} {\tt :} \type {\tt ]} {\term}. + +\medskip +\Rem The types of variables may be omitted in an +abstraction when they can be synthetized by the system. + +\subsection{Products} +\index{products} + +The expression ``{\tt (}~{\ident} {\tt :} \type {\tt )} +{\term}'' denotes the {\em product} of the variable {\ident} +of type {\type}, over the term {\term}. + +Similarly, the expression {\tt (} {\ident$_{1}$} {\tt ,} {\ldots} {\tt +,} {\ident$_{n}$} {\tt :} \type {\tt )} {\term} is equivalent to {\tt +(} {\ident$_{1}$} {\tt :} \type {\tt )(} {\ldots} {\tt ((} +{\ident$_{n}$} {\tt :} \type {\tt )} {\term} {\tt )} \ldots {\tt )} +and the expression {\tt (} {\typedidents$_{1}$} {\tt ;} {\ldots} {\tt +;} {\typedidents$_{m}$} {\tt )} {\term} is a equivalent to {\tt +(}~{\typedidents$_{1}$} {\tt )(} {\ldots} {\tt ((} +{\typedidents$_{m}$} {\tt )} {\term} {\tt )} \ldots {\tt )} + +\subsection{Applications} +\index{applications} + +{\tt (}\term$_0$ \term$_1${\tt)} denotes the application of + term \term$_0$ to \term$_1$. + +The expression {\tt (}\term$_0$ \term$_1$ ... \term$_n${\tt)} +denotes the application of the term \term$_0$ to the arguments +\term$_1$ ... then \term$_n$. It is equivalent to {\tt (} {\ldots} +{\tt (} {\term$_0$} {\term$_1$} {\tt )} {\ldots} {\term$_n$} {\tt )}: +associativity is to the left. + +\subsection{Definition by case analysis} +\index{Cases@{\tt Cases\ldots of\ldots end}} + +In a simple pattern \verb!(! \nelist{\ident}{} \verb!)!, the first {\ident} +is intended to be a constructor. + +The expression {\tt \zeroone{\annotation}} {\tt Cases} {\term$_0$} {\tt of} +{\pattern$_1$} {\tt =>} {\term$_1$} {\tt $|$} {\ldots} {\tt $|$} +{\pattern$_n$} {\tt =>} {\term$_n$} {\tt end}, denotes a +{\em pattern-matching} over the term {\term$_0$} (expected to be of an +inductive type). + +The {\annotation} is the resulting type of the whole {\tt Cases} +expression. Most of the time, when this type is the same as the +types of all the {\term$_i$}, the annotation is not needed\footnote{except +if no equation is given, to match the term in an empty type, e.g. the +type \texttt{False}}. The annotation has to be given when the +resulting type of the whole {\tt Cases} depends on the actual {\term$_0$} +matched. + + +\subsection{Recursive functions} +\index{Fix@{Fix \ident$_i$\{\dots\}}} + +The expression {\tt Fix} {\ident$_i$} \verb.{. \ident$_1$ {\tt [} +\binders$_1$ {\tt ] :} {\type$_1$} \texttt{:=} \term$_1$ +{\tt with} {\ldots} +{\tt with} \ident$_n$ {\tt [} \binders$_n$~{\tt{]} :} {\type$_n$} +\texttt{:=} \term$_n$ \verb.}. denotes +the $i$th component of a block of functions defined by mutual +well-founded recursion. + +The expression {\tt CoFix} {\ident$_i$} \verb.{. \ident$_1$ +{\tt :} {\type$_1$} {\tt with} {\ldots} {\tt with} +\ident$_n$ {\tt [} \binders$_n$ {\tt ] :} {\type$_n$} \verb.}. denotes +the $i$th component of a block of terms defined by a mutual guarded recursion. + +\section{\em The Vernacular} +\label{Vernacular} + +Figure \ref{sentences-syntax} describes {\em The Vernacular} which is the +language of commands of \gallina. A sentence of the vernacular +language, like in many natural languages, begins with a capital letter +and ends with a dot. +\begin{figure} +\label{sentences-syntax} +\begin{tabular}{|lcl|} +\hline +{\sentence} & ::= & {\declaration} \\ + & $|$ & {\definition} \\ + & $|$ & {\statement} \\ + & $|$ & {\inductive} \\ + & $|$ & {\fixpoint} \\ + & $|$ & {\statement} ~~ {\proof} \\ + & & \\ +{\params} & ::= & \nelist{\typedidents}{;} \\ + & & \\ +{\declaration} & ::= & + {\tt Axiom} {\ident} \verb.:. {\term} \verb:.: \\ + & $|$ & {\declarationkeyword} {\params} \verb:.: \\ + & & \\ +{\declarationkeyword} & ::= & +{\tt Parameter} $|$ {\tt Parameters} \\ + & $|$ & {\tt Variable} $|$ {\tt Variables} \\ + & $|$ & {\tt Hypothesis} $|$ {\tt Hypotheses}\\ + & & \\ + +{\definition} & ::= & + {\tt Definition} {\ident} \zeroone{{\tt :} {\term}} \verb.:=. {\term} \verb:.: \\ + & $|$ & {\tt Local} {\ident} \zeroone{{\tt :} {\term}} \verb.:=. {\term} \verb:.: \\ + & & \\ + +{\inductive} & ::= & + \zeroone{\texttt{Mutual}} {\tt Inductive} \nelist{\inductivebody}{with} + \verb:.: \\ + & $|$ & + \zeroone{\texttt{Mutual}} {\tt CoInductive} \nelist{\inductivebody}{with} + \verb:.: \\ + & & \\ +{\inductivebody} & ::= & +{\ident} \zeroone{{\tt [} {\params} {\tt ]}} \verb.:. {\term} + \verb.:=. + \sequence{\constructor}{|} \\ + & & \\ +{\constructor} & ::= & {\ident} \verb.:. {\term} \\ + & &\\ + +{\fixpoint} & ::= & {\tt Fixpoint} \nelist{\fixpointbody}{with} + \verb:.: \\ +& $|$ & {\tt CoFixpoint} \nelist{\cofixpointbody}{with} + \verb:.: \\ + & &\\ + +{\statement} & ::= & {\tt Theorem} {\ident} {\tt :} {\term} \verb:.: \\ + & $|$ & {\tt Lemma} {\ident} {\tt :} {\term} \verb:.: \\ + & $|$ & {\tt Definition} {\ident} {\tt :} {\term} \verb:.: \\ + & & \\ + +{\proof} & ::= & {\tt Proof} {\tt .} {\dots} {\tt Qed} {\tt .}\\ + & $|$ & {\tt Proof} {\tt .} {\dots} {\tt Defined} {\tt .}\\ +\hline +\end{tabular} +\caption{Syntax of sentences} +\end{figure} +The different kinds of command are described hereafter. They all suppose +that the terms occurring in the sentences are well-typed. + +\subsection{Declarations}\index{Declarations}\label{Declarations} +The declaration mechanism allows the user to specify his own basic +objects. Declared objects play the role of axioms or parameters in +mathematics. A declared object is an {\ident} associated to a \term. A +declaration is accepted by {\Coq} iff this {\term} is a correct type +in the current context of the declaration and \ident\ was +not previously defined in the same module. This {\term} +is considered to be the type, or specification, of the \ident. + +\subsubsection{{\tt Axiom {\ident} : {\term}}.} +\comindex{Axiom} +\label{Axiom} +This command links {\term} to the name {\ident} as its specification in the +global context. The fact asserted by {\term} is thus assumed +as a postulate. + +\begin{ErrMsgs} +\item \errindex{Clash with previous constant {\ident}} +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Parameter {\ident} : {\term}.} + \comindex{Parameter}\\ + Is equivalent to {\tt Axiom {\ident} : {\term}} +\item {\tt Parameter \nelist{\nelist{\ident}{,} : {\term}}{;} {\tt .}} \\ +% Is equivalent to {\tt Axiom {\lident} : {\term}} + Links the {\term}'s to the names comprising the lists \nelist{\nelist{\ident}{,} : {\term}}{;}. +\end{Variants} + +\noindent {\bf Remark: } It is possible to replace {\tt Parameter} by +{\tt Parameters} when more than one parameter are given. + +\subsubsection{{\tt Variable {\ident} : {\term}}.}\comindex{Variable} +\comindex{Variables} +This command links {\term} to the name {\ident} in the context of the +current section (see \ref{Section} for a description of the section +mechanism). The name {\ident} will be unknown when the current +section will be closed. One says that the variable is {\em + discharged}. Using the {\tt Variable} command out of any section is +equivalent to {\tt Axiom}. + +\begin{ErrMsgs} +\item \errindex{Clash with previous constant {\ident}} +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Variable \nelist{\nelist{\ident}{,}:{\term}}{;} {\tt .}}\\ + Links {\term} to the + names comprising the list \nelist{\nelist{\ident}{,}:{\term}}{;} +\item {\tt Hypothesis \nelist{\nelist{\ident}{,} $\;$:$\;$ {\term}}{;} {\tt + .}} \comindex{Hypothesis}\\ % Ligne trop longue + \texttt{Hypothsis} is a synonymous of \texttt{Variable} +\end{Variants} + +\noindent {\bf Remark: } It is possible to replace {\tt Variable} by +{\tt Variables} and \ml{Hypothesis} by {\tt Hypotheses} + when more than one variable or one hypothesis are given. + +It is advised to use the keywords \verb:Axiom: and \verb:Hypothesis: +for logical postulates (i.e. when the assertion {\term} is of sort +\verb:Prop:), and to use the keywords \verb:Parameter: and +\verb:Variable: in other cases (corresponding to the declaration of an +abstract mathematical entity). + +\subsection{Definitions}\index{Definitions}\label{Simpl-definitions} +Definitions differ from declarations since they allow to give a name +to a term whereas declarations were just giving a type to a name. That +is to say that the name of a defined object can be replaced at any +time by its definition. This replacement is called +$\delta$-conversion\index{delta-reduction@$\delta$-reduction} (see section +\ref{delta}). A defined object is accepted by the system iff the +defining term is well-typed in the current context of the definition. +Then the type of the name is the type of term. The defined name is +called a {\em constant}\index{Constant} and one says that {\it the + constant is added to the environment}\index{Environment}. + +A formal presentation of constants and environments is given in +section \ref{Cic-definitions}. + + +\subsubsection{\tt Definition {\ident} := {\term}.} +\comindex{Definition} +This command binds the value {\term} to the name {\ident} in the +environment, provided that {\term} is well-typed. + +\begin{ErrMsgs} +\item \errindex{Clash with previous constant {\ident}} +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Definition {\ident} : {\term$_1$} := {\term$_2$}.} It + checks that the type of {\term$_2$} is definitionally equal to + {\term$_1$}, and registers {\ident} as being of type {\term$_1$}, + and bound to value {\term$_2$}. +\end{Variants} + +\begin{ErrMsgs} +\item \errindex{In environment \dots the term: {\term$_2$} does not have type + {\term$_1$}}.\\ + \texttt{Actually, it has type {\term$_3$}}. +\end{ErrMsgs} + +\SeeAlso sections \ref{Opaque}, \ref{Transparent}, \ref{Unfold} + +\subsubsection{\tt Local {\ident} := {\term}.}\comindex{Local} +This command binds the value {\term} to the name {\ident} in the +environment of the current section. The name {\ident} will be unknown +when the current section will be closed and all occurrences of +{\ident} in persistent objects (such as theorems) defined within the +section will be replaced by \term. One can say that the {\tt Local} +definition is a kind of {\em macro}. + +\begin{ErrMsgs} +\item \errindex{Clash with previous constant {\ident}} +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Local {\ident} : {\term$_1$} := {\term$_2$}.} +\end{Variants} + +\SeeAlso \ref{Section} (section mechanism), \ref{Opaque}, +\ref{Transparent} (opaque/transparent constants), \ref{Unfold} + +% Let comme forme de Definition n'existe plus +% +%\subsubsection{\tt Let {\ident} := {\term}.} +%\comindex{Let} + +%This command makes definition that are stronger than \texttt{Local}, +%and weaker than \texttt{Definition}. The name {\ident} will be kown in the +%current section and after having closed the current section, but will +%be unknown after closing the section above the current section. + +%\begin{Variants} +%\item {\tt Local {\ident} : {\term$_1$} := {\term$_2$}.} +%\end{Variants} + +%\SeeAlso \ref{Section} + +\subsection{Inductive definitions} +\index{Inductive definitions} \label{gal_Inductive_Definitions} +\comindex{Inductive}\label{Inductive} + +We gradually explain simple inductive types, simple +annotated inductive types, simple parametric inductive types, +mutually inductive types. We explain also co-inductive types. + +\subsubsection{Simple inductive types} + +The definition of a simple inductive type has the following form: + +\medskip +{\tt +\begin{tabular}{l} +Inductive {\ident} : {\sort} := \\ +\begin{tabular}{clcl} + & {\ident$_1$} &:& {\type$_1$} \\ + | & {\ldots} && \\ + | & {\ident$_n$} &:& {\type$_n$} +\end{tabular} +\end{tabular} +} +\medskip + +The name {\ident} is the name of the inductively defined type and +{\sort} is the universes where it lives. +The names {\ident$_1$}, {\ldots}, {\ident$_n$} +are the names of its constructors and {\type$_1$}, {\ldots}, +{\type$_n$} their respective types. The types of the constructors have +to satisfy a {\em positivity condition} (see section \ref{Positivity}) +for {\ident}. This condition ensures the soundness of the inductive +definition. If this is the case, the constants {\ident}, +{\ident$_1$}, {\ldots}, {\ident$_n$} are added to the environment with +their respective types. Accordingly to the universe where +the inductive type lives({\it e.g.} its type {\sort}), {\Coq} provides a +number of destructors for {\ident}. Destructors are named +{\ident}{\tt\_ind}, {\ident}{\tt \_rec} or {\ident}{\tt \_rect} which +respectively correspond to elimination principles on {\tt Prop}, {\tt +Set} and {\tt Type}. The type of the destructors expresses structural +induction/recursion principles over objects of {\ident}. We give below +two examples of the use of the {\tt Inductive} definitions. + +The set of natural numbers is defined as: +\begin{coq_example} +Inductive nat : Set := O : nat | S : nat -> nat. +\end{coq_example} + +The type {\tt nat} is defined as the least \verb:Set: containing {\tt + O} and closed by the {\tt S} constructor. The constants {\tt nat}, +{\tt O} and {\tt S} are added to the environment. + +Now let us have a look at the elimination principles. They are three : +{\tt nat\_ind}, {\tt nat\_rec} and {\tt nat\_rect}. The type of {\tt + nat\_ind} is: +\begin{coq_example} +Check nat_ind. +\end{coq_example} + +This is the well known structural induction principle over natural +numbers, i.e. the second-order form of Peano's induction principle. +It allows to prove some universal property of natural numbers ({\tt +(n:nat)(P n)}) by induction on {\tt n}. Recall that {\tt (n:nat)(P n)} +is \gallina's syntax for the universal quantification $\forall +n:nat\cdot P(n).$\\ The types of {\tt nat\_rec} and {\tt nat\_rect} +are similar, except that they pertain to {\tt (P:nat->Set)} and {\tt +(P:nat->Type)} respectively . They correspond to primitive induction +principles (allowing dependent types) respectively over sorts +\verb:Set: and \verb:Type:. The constant {\ident}{\tt \_ind} is always +provided, whereas {\ident}{\tt \_rec} and {\ident}{\tt \_rect} can be +impossible to derive (for example, when {\ident} is a proposition). + +\subsubsection{Simple annotated inductive types} + +In an annotated inductive types, the universe where the inductive +type is defined is no longer a simple sort, but what is called an +arity, which is a type whose conclusion is a sort. + +As an example of annotated inductive types, let us define the +$even$ predicate: + +\begin{coq_example} +Inductive even : nat->Prop := + | even_0 : (even O) + | even_SS : (n:nat)(even n)->(even (S (S n))). +\end{coq_example} + +The type {\tt nat->Prop} means that {\tt even} is a unary predicate +(inductively defined) over natural numbers. The type of its two +constructors are the defining clauses of the predicate {\tt even}. The +type of {\tt even\_ind} is: + +\begin{coq_example} +Check even_ind. +\end{coq_example} + +From a mathematical point of view it asserts that the natural numbers +satisfying the predicate {\tt even} are exactly the naturals satisfying +the clauses {\tt even\_0} or {\tt even\_SS}. This is why, when we want +to prove any predicate {\tt P} over elements of {\tt even}, it is +enough to prove it for {\tt O} and to prove that if any natural number +{\tt n} satisfies {\tt P} its double successor {\tt (S (S n))} +satisfies also {\tt P}. This is indeed analogous to the structural +induction principle we got for {\tt nat}. + +\begin{ErrMsgs} +\item \errindex{Non strictly positive occurrence of {\ident} in {\type}} +\item \errindex{Type of Constructor not well-formed} +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Inductive {\ident} [ {\params} ] : {\term} := + {\ident$_1$}:{\term$_1$} | {\ldots} | {\ident$_n$}:\term$_n$.}\\ Allows + to define parameterized inductive types.\\ + For instance, one can define + parameterized lists as: +\begin{coq_example*} +Inductive list [X:Set] : Set := + Nil : (list X) | Cons : X->(list X)->(list X). +\end{coq_example*} +Notice that, in the type of {\tt Nil} and {\tt Cons}, we write {\tt + (list X)} and not just {\tt list}.\\ The constants {\tt Nil} and +{\tt Cons} will have respectively types: + +\begin{coq_example} +Check Nil. +\end{coq_example} +and + +\begin{coq_example} +Check Cons. +\end{coq_example} + +Types of destructors will be also quantified with {\tt (X:Set)}. +\item {\tt Inductive {\sort} {\ident} := +{\ident$_1$}:{\term$_1$} | {\ldots} | {\ident$_n$}:\term$_n$.}\\ +with {\sort} being one of {\tt Prop, Type, Set} is +equivalent to \\ {\tt Inductive {\ident} : {\sort} := + {\ident$_1$}:{\term$_1$} | {\ldots} | {\ident$_n$}:\term$_n$.} +\item {\tt Inductive {\sort} {\ident} [ {\params} ]:= +{\ident$_1$}:{\term$_1$} | {\ldots} | {\ident$_n$}:\term$_n$.}\\ + Same as before but with parameters. +\end{Variants} + +\SeeAlso sections \ref{Cic-inductive-definitions}, \ref{Elim} + +\subsubsection{Mutually inductive types} +\comindex{Mutual Inductive}\label{Mutual-Inductive} + +The definition of a block of mutually inductive types has the form: + +\medskip +{\tt +\begin{tabular}{l} +Inductive {\ident$_1$} : {\type$_1$} := \\ +\begin{tabular}{clcl} + & {\ident$_1^1$} &:& {\type$_1^1$} \\ + | & {\ldots} && \\ + | & {\ident$_{n_1}^1$} &:& {\type$_{n_1}^1$} +\end{tabular} \\ +with\\ +~{\ldots} \\ +with {\ident$_m$} : {\type$_m$} := \\ +\begin{tabular}{clcl} + & {\ident$_1^m$} &:& {\type$_1^m$} \\ + | & {\ldots} \\ + | & {\ident$_{n_m}^m$} &:& {\type$_{n_m}^m$}. +\end{tabular} +\end{tabular} +} +\medskip + +\noindent {\bf Remark: } The word {\tt Mutual} can be optionally +inserted in front of {\tt Inductive}. + +It has the same semantics as the above {\tt Inductive} definition for +each \ident$_1$, {\ldots}, \ident$_m$. All names \ident$_1$, {\ldots}, +\ident$_m$ and \ident$_1^1$, \dots, \ident$_{n_m}^m$ are +simultaneously added to the environment. Then +well-typing of constructors can be checked. Each one of the +\ident$_1$, {\ldots}, \ident$_m$ can be used on its own. + +It is also possible to parameterize these inductive definitions. +However, parameters correspond to a local +context in which the whole set of inductive declarations is done. For +this reason, the parameters must be strictly the same for each +inductive types The extented syntax is: + +\medskip +{\tt +Inductive {{\ident$_1$} [{\rm\sl params} ] : {\type$_1$} := \\ +\mbox{}\hspace{0.4cm} {\ident$_1^1$} : {\type$_1^1$} \\ +\mbox{}\hspace{0.1cm}| .. \\ +\mbox{}\hspace{0.1cm}| {\ident$_{n_1}^1$} : {\type$_{n_1}^1$} \\ +with\\ +\mbox{}\hspace{0.1cm} .. \\ +with {\ident$_m$} [{\rm\sl params} ] : {\type$_m$} := \\ +\mbox{}\hspace{0.4cm}{\ident$_1^m$} : {\type$_1^m$} \\ +\mbox{}\hspace{0.1cm}| .. \\ +\mbox{}\hspace{0.1cm}| {\ident$_{n_m}^m$} : {\type$_{n_m}^m$}. +}} +\medskip + +\Example +The typical example of a mutual inductive data type is the one for +trees and forests. We assume given two types $A$ and $B$ as variables. +It can be declared the following way. + +\begin{coq_example*} +Variables A,B:Set. +Inductive tree : Set := node : A -> forest -> tree +with forest : Set := + | leaf : B -> forest + | cons : tree -> forest -> forest. +\end{coq_example*} + +This declaration generates automatically six induction +principles. They are respectively +called {\tt tree\_rec}, {\tt tree\_ind}, {\tt + tree\_rect}, {\tt forest\_rec}, {\tt forest\_ind}, {\tt + forest\_rect}. These ones are not the most general ones but are +just the induction principles corresponding to each inductive part +seen as a single inductive definition. + +To illustrate this point on our example, we give the types of {\tt + tree\_rec} and {\tt forest\_rec}. + +\begin{coq_example} +Check tree_rec. +Check forest_rec. +\end{coq_example} + +Assume we want to parameterize our mutual inductive definitions with +the two type variables $A$ and $B$, the declaration should be done the +following way: + +\begin{coq_eval} +Reset tree. +\end{coq_eval} +\begin{coq_example*} +Inductive + tree [A,B:Set] : Set := node : A -> (forest A B) -> (tree A B) +with forest [A,B:Set] : Set := leaf : B -> (forest A B) + | cons : (tree A B) -> (forest A B) -> (forest A B). +\end{coq_example*} +\begin{coq_eval} +Save State toto. +\end{coq_eval} + +Assume we define an inductive definition inside a section. When the +section is closed, the variables declared in the section and occurring +free in the declaration are added as parameters to the inductive +definition. + +\SeeAlso \ref{Section} + +\subsubsection{Co-inductive types} +\comindex{CoInductive} + +The objects of an inductive type are well-founded with respect to the +constructors of the type. In other words, such objects contain only a +{\it finite} number constructors. Co-inductive types arise from +relaxing this condition, and admitting types whose objects contain an +infinity of constructors. Infinite objects are introduced by a +non-ending (but effective) process of construction, defined in terms +of the constructors of the type. + +An example of a co-inductive type is the type of infinite sequences of +natural numbers, usually called streams. It can be introduced in \Coq\ +using the \texttt{CoInductive} command: +\begin{coq_example} +CoInductive Set Stream := Seq : nat->Stream->Stream. +\end{coq_example} + +The syntax of this command is the same as the command \texttt{Inductive} +(cf. section \ref{gal_Inductive_Definitions}). Notice that no +principle of induction is derived from the definition of a +co-inductive type, since such principles only make sense for inductive +ones. For co-inductive ones, the only elimination principle is case +analysis. For example, the usual destructors on streams +\texttt{hd:Stream->nat} and \texttt{tl:Str->Str} can be defined as +follows: +\begin{coq_example} +Definition hd := [x:Stream]Cases x of (Seq a s) => a end. +Definition tl := [x:Stream]Cases x of (Seq a s) => s end. +\end{coq_example} + +Definition of co-inductive predicates and blocks of mutually +co-inductive definitions are also allowed. An example of a +co-inductive predicate is the extensional equality on streams: + +\begin{coq_example} +CoInductive EqSt : Stream->Stream->Prop := + eqst : (s1,s2:Stream) + (hd s1)=(hd s2)-> + (EqSt (tl s1) (tl s2))->(EqSt s1 s2). +\end{coq_example} + +In order to prove the extensionally equality of two streams $s_1$ and +$s_2$ we have to construct and infinite proof of equality, that is, +an infinite object of type $(\texttt{EqSt}\;s_1\;s_2)$. We will see +how to introduce infinite objects in section \ref{CoFixpoint}. + +\subsection{Definition of recursive functions} + +\subsubsection{\tt Fixpoint {\ident} [ \ident$_1$ : \type$_1$ ] : +\type$_0$ := \term$_0$} +\comindex{Fixpoint}\label{Fixpoint} + +This command allows to define inductive objects using a fixed point +construction. The meaning of this declaration is to define {\it +ident} a recursive function with one argument \ident$_1$ of type +\term$_1$ such that ({\it ident}~\ident$_1$) has type \type$_0$ and is +equivalent to the expression \term$_0$. The type of the {\ident} is +consequently {(\ident$_1$ : \type$_1$)\type$_0$} and the value is +equivalent to [\ident$_1$ : \type$_1$]\term$_0$. The argument +{\ident$_1$} (of type {\type$_1$}) is called the {\em recursive +variable} of {\ident}. Its type should be an inductive definition. + +To be accepted, a {\tt Fixpoint} definition has to satisfy some +syntactical constraints on this recursive variable. They are needed to +ensure that the {\tt Fixpoint} definition always terminates. For +instance, one can define the addition function as : + +\begin{coq_example} +Fixpoint add [n:nat] : nat->nat + := [m:nat]Cases n of O => m | (S p) => (S (add p m)) end. +\end{coq_example} + +The {\tt Cases} operator matches a value (here \verb:n:) with the +various constructors of its (inductive) type. The remaining arguments +give the respective values to be returned, as functions of the +parameters of the corresponding constructor. Thus here when \verb:n: +equals \verb:O: we return \verb:m:, and when \verb:n: equals +\verb:(S p): we return \verb:(S (add p m)):. + +The {\tt Cases} operator is formally described +in detail in section \ref{Caseexpr}. The system recognizes that in +the inductive call {\tt (add p m)} the first argument actually +decreases because it is a {\em pattern variable} coming from {\tt Cases + n of}. + +\begin{Variants} +\item {\tt Fixpoint {\ident} [ {\params} ] : \type$_0$ := +\term$_0$.}\\ + It declares a list of identifiers with their type + usable in the type \type$_0$ and the definition body \term$_0$ + and the last identifier in {\params} is the recursion variable. +\item {\tt Fixpoint {\ident$_1$} [ {\params$_1$} ] : + {\type$_1$} := {\term$_1$}\\ + with {\ldots} \\ + with {\ident$_m$} [ {\params$_m$} ] : {\type$_m$} := + {\type$_m$}}\\ + Allows to define simultaneously {\ident$_1$}, {\ldots}, + {\ident$_m$}. +\end{Variants} + +\Example The following definition is not correct and generates an +error message: + +\begin{coq_example} +Fixpoint wrongplus [n:nat] : nat->nat + := [m:nat]Cases m of O => n | (S p) => (S (wrongplus n p)) end. +\end{coq_example} + +because the declared decreasing argument {\tt n} actually does not +decrease in the recursive call. The function computing the addition +over the second argument should rather be written: + +\begin{coq_example*} +Fixpoint plus [n,m:nat] : nat + := Cases m of O => n | (S p) => (S (plus n p)) end. +\end{coq_example*} + +The ordinary match operation on natural numbers can be mimicked in the +following way. +\begin{coq_example*} +Fixpoint nat_match [C:Set;f0:C;fS:nat->C->C;n:nat] : C + := Cases n of O => f0 | (S p) => (fS p (nat_match C f0 fS p)) end. +\end{coq_example*} +The recursive call may not only be on direct subterms of the recursive +variable {\tt n} but also on a deeper subterm and we can directly +write the function {\tt mod2} which gives the remainder modulo 2 of a +natural number. +\begin{coq_example*} +Fixpoint mod2 [n:nat] : nat + := Cases n of + O => O + | (S p) => Cases p of O => (S O) | (S q) => (mod2 q) end + end. +\end{coq_example*} +In order to keep the strong normalisation property, the fixed point +reduction will only be performed when the argument in position of the +recursive variable (whose type should be in an inductive definition) +starts with a constructor. + +The {\tt Fixpoint} construction enjoys also the {\tt with} extension +to define functions over mutually defined inductive types or more +generally any mutually recursive definitions. + +\Example +The size of trees and forests can be defined the following way: +\begin{coq_eval} +Restore State Initial. +Variables A,B:Set. +Inductive tree : Set := node : A -> forest -> tree +with forest : Set := leaf : B -> forest + | cons : tree -> forest -> forest. +\end{coq_eval} +\begin{coq_example*} +Fixpoint tree_size [t:tree] : nat := + Cases t of (node a f) => (S (forest_size f)) end +with forest_size [f:forest] : nat := + Cases f of (leaf b) => (S O) + | (cons t f') => (plus (tree_size t) (forest_size f')) + end. +\end{coq_example*} +A generic command {\tt Scheme} is useful to build automatically various +mutual induction principles. It is described in section \ref{Scheme}. + +\subsubsection{{\tt CoFixpoint} {\ident} : +\type$_0$ := \term$_0$.}\comindex{CoFixpoint}\label{CoFixpoint} + +The {\tt CoFixpoint} command introduces a method for constructing an +infinite object of a coinduc\-tive type. For example, the stream +containing all natural numbers can be introduced applying the +following method to the number \texttt{O}: + +\begin{coq_example*} +CoInductive Set Stream := Seq : nat->Stream->Stream. +Definition hd := [x:Stream]Cases x of (Seq a s) => a end. +Definition tl := [x:Stream]Cases x of (Seq a s) => s end. +\end{coq_example*} +\begin{coq_example} +CoFixpoint from : nat->Stream := [n:nat](Seq n (from (S n))). +\end{coq_example} + +Oppositely to recursive ones, there is no decreasing argument in a +co-recursive definition. To be admissible, a method of construction +must provide at least one extra constructor of the infinite object for +each iteration. A syntactical guard condition is imposed on +co-recursive definitions in order to ensure this: each recursive call +in the definition must be protected by at least one constructor, and +only by constructors. That is the case in the former definition, where +the single recursive call of \texttt{from} is guarded by an +application of \texttt{Seq}. On the contrary, the following recursive +function does not satisfy the guard condition: + +\begin{coq_example*} +CoFixpoint filter : (nat->bool)->Stream->Stream := + [p:nat->bool] + [s:Stream] + if (p (hd s)) then (Seq (hd s) (filter p (tl s))) + else (filter p (tl s)). +\end{coq_example*} + +\noindent Notice that the definition contains an unguarded recursive +call of \texttt{filter} on the \texttt{else} branch of the test. + +The elimination of co-recursive definition is done lazily, i.e. the +definition is expanded only when it occurs at the head of an +application which is the argument of a case expression. Isolate, it +is considered as a canonical expression which is completely +evaluated. We can test this using the command \texttt{Eval}, +which computes the normal forms of a term: + +\begin{coq_example} +Eval Compute in (from O). +Eval Compute in (hd (from O)). +Eval Compute in (tl (from O)). +\end{coq_example} + +As in the \texttt{Fixpoint} command (cf. section~\ref{Fixpoint}), it +is possible to introduce a block of mutually dependent methods. The +general syntax for this case is: + +{\tt CoFixpoint {\ident$_1$} :{\type$_1$} := {\term$_1$}\\ + with\\ + \mbox{}\hspace{0.1cm} $\ldots$ \\ + with {\ident$_m$} : {\type$_m$} := {\term$_m$}} + +\subsection{Statement and proofs} + +A statement claims a goal of which the proof is then interactively done +using tactics. More on the proof editing mode, statements and proofs can be +found in chapter \ref{Proof-handling}. + +\subsubsection{\tt Theorem {\ident} : {\type}.} +\comindex{Theorem} +This command binds {\type} to the name {\ident} in the +environment, provided that a proof of {\type} is next given. + +After a statement, Coq needs a proof. + +\begin{Variants} + +\item {\tt Lemma {\ident} : {\type}.}\comindex{Lemma}\\ +It is a synonymous of \texttt{Theorem} +\item {\tt Remark {\ident} : {\type}.}\comindex{Remark}\\ +Same as {\tt Theorem} except +that if this statement is in a section then the name {\ident} will be unknown +when the current section (see \ref{Section}) will be closed. All +proofs of persistent objects (such as theorems) referring to {\ident} +within the section will be replaced by the proof of {\ident}. +\item {\tt Definition {\ident} : {\type}.} \\ +Allow to define a term of type {\type} using the proof editing mode. It +behaves as {\tt Theorem} except the defined term will be transparent (see +\ref{Transparent}, \ref{Unfold}). +\end{Variants} + +\subsubsection{{\tt Proof} {\tt .} \dots {\tt Qed} {\tt .}} + +A proof starts by the keyword {\tt Proof}. Then {\Coq} enters the +proof editing mode until the proof is completed. The proof editing +mode essentially contains tactics that are described in chapter +\ref{Tactics}. Besides tactics, there are commands to manage the proof +editing mode. They are described in chapter \ref{Proof-handling}. When +the proof is completed it should be validated and put in the +environment using the keyword {\tt Qed}. +\medskip + +\ErrMsg +\begin{enumerate} +\item \errindex{Clash with previous constant {\ident}} +\end{enumerate} + +\begin{Remarks} +\item Several statements can be simultaneously opened. +\item Not only other statements but any vernacular command can be given +within the proof editing mode. In this case, the command is +understood as if it would have been given before the statements still to be +proved. +\item {\tt Proof} is recommended but can currently be omitted. On the +opposite, {\tt Qed} is mandatory to validate a proof. +\end{Remarks} + +\begin{Variants} +\item {\tt Proof} {\tt .} \dots {\tt Defined} {\tt .}\\ + \comindex{Proof} + Same as {\tt Proof} {\tt .} \dots {\tt Qed} {\tt .} but it is + intended to surround a definition built using the proof-editing mode. +\item {\tt Proof} {\tt .} \dots {\tt Save.}\\ + Same as {\tt Proof} {\tt .} \dots {\tt Qed} {\tt .} +\item {\tt Goal} \type \dots {\tt Save} \ident \\ + Same as {\tt Lemma} \ident {\tt :} \type \dots {\tt Save.} + This is intended to be used in the interactive mode. Conversely to named + lemmas, anonymous goals cannot be nested. +\end{Variants} +\comindex{Proof} +\comindex{Qed} +\comindex{Save} +\comindex{Goal} + +% Local Variables: +% mode: LaTeX +% TeX-master: "Reference-Manual" +% End: + +% $Id$ diff --git a/doc/RefMan-ind.tex b/doc/RefMan-ind.tex new file mode 100755 index 000000000..6ac276d85 --- /dev/null +++ b/doc/RefMan-ind.tex @@ -0,0 +1,493 @@ + +%\documentstyle[11pt]{article} +%\input{title} + +%\include{macros} +%\makeindex + +%\begin{document} +%\coverpage{The module {\tt Equality}}{Cristina CORNES} + +%\tableofcontents + +\chapter{Tactics for inductive types and families} +\label{Addoc-equality} + +This chapter details a few special tactics useful for inferring facts +from inductive hypotheses. They can be considered as tools that +macro-generate complicated uses of the basic elimination tactics for +inductive types. + +Sections \ref{inversion_introduction} to \ref{inversion_using} present +inversion tactics and section \ref{scheme} describes +a command {\tt Scheme} for automatic generation of induction schemes +for mutual inductive types. + +%\end{document} +%\documentstyle[11pt]{article} +%\input{title} + +%\begin{document} +%\coverpage{Module Inv: Inversion Tactics}{Cristina CORNES} + +\section{Generalities about inversion} +\label{inversion_introduction} +When working with (co)inductive predicates, we are very often faced to +some of these situations: +\begin{itemize} +\item we have an inconsistent instance of an inductive predicate in the + local context of hypotheses. Thus, the current goal can be trivially + proved by absurdity. + +\item we have a hypothesis that is an instance of an inductive + predicate, and the instance has some variables whose constraints we + would like to derive. +\end{itemize} + +The inversion tactics are very useful to simplify the work in these +cases. Inversion tools can be classified in three groups: +\begin{enumerate} +\item tactics for inverting an instance without stocking the inversion + lemma in the context: + (\texttt{Dependent}) \texttt{Inversion} and + (\texttt{Dependent}) \texttt{Inversion\_clear}. +\item commands for generating and stocking in the context the inversion + lemma corresponding to an instance: \texttt{Derive} + (\texttt{Dependent}) \texttt{Inversion}, \texttt{Derive} + (\texttt{Dependent}) \texttt{Inversion\_clear}. +\item tactics for inverting an instance using an already defined + inversion lemma: \texttt{Inversion \ldots using}. +\end{enumerate} + +These tactics work for inductive types of arity $(\vec{x}:\vec{T})s$ +where $s \in \{Prop,Set,Type\}$. Sections \ref{inversion_primitive}, +\ref{inversion_derivation} and \ref{inversion_using} +describe respectively each group of tools. + +As inversion proofs may be large in size, we recommend the user to +stock the lemmas whenever the same instance needs to be inverted +several times.\\ + +Let's consider the relation \texttt{Le} over natural numbers and the +following variables: + +\begin{coq_eval} +Restore State Initial. +\end{coq_eval} + +\begin{coq_example*} +Inductive Le : nat->nat->Set := + LeO : (n:nat)(Le O n) | LeS : (n,m:nat) (Le n m)-> (Le (S n) (S m)). +Variable P:nat->nat->Prop. +Variable Q:(n,m:nat)(Le n m)->Prop. +\end{coq_example*} + +For example purposes we defined \verb+Le: nat->nat->Set+ + but we may have defined +it \texttt{Le} of type \verb+nat->nat->Prop+ or \verb+nat->nat->Type+. + + +\section{Inverting an instance} +\label{inversion_primitive} +\subsection{The non dependent case} +\begin{itemize} + +\item \texttt{Inversion\_clear} \ident~\\ +\index{Inversion-clear@{\tt Inversion\_clear}} + Let the type of \ident~ in the local context be $(I~\vec{t})$, + where $I$ is a (co)inductive predicate. Then, + \texttt{Inversion} applied to \ident~ derives for each possible + constructor $c_i$ of $(I~\vec{t})$, {\bf all} the necessary + conditions that should hold for the instance $(I~\vec{t})$ to be + proved by $c_i$. Finally it erases \ident~ from the context. + + + +For example, consider the goal: +\begin{coq_eval} +Lemma ex : (n,m:nat)(Le (S n) m)->(P n m). +Intros. +\end{coq_eval} + +\begin{coq_example} +Show. +\end{coq_example} + +To prove the goal we may need to reason by cases on \texttt{H} and to + derive that \texttt{m} is necessarily of +the form $(S~m_0)$ for certain $m_0$ and that $(Le~n~m_0)$. +Deriving these conditions corresponds to prove that the +only possible constructor of \texttt{(Le (S n) m)} is +\texttt{LeS} and that we can invert the +\texttt{->} in the type of \texttt{LeS}. +This inversion is possible because \texttt{Le} is the smallest set closed by +the constructors \texttt{LeO} and \texttt{LeS}. + + +\begin{coq_example} +Inversion_clear H. +\end{coq_example} + +Note that \texttt{m} has been substituted in the goal for \texttt{(S m0)} +and that the hypothesis \texttt{(Le n m0)} has been added to the +context. + +\item \texttt{Inversion} \ident~\\ +\index{Inversion@{\tt Inversion}} + This tactic differs from {\tt Inversion\_clear} in the fact that + it adds the equality constraints in the context and + it does not erase the hypothesis \ident. + + +In the previous example, {\tt Inversion\_clear} +has substituted \texttt{m} by \texttt{(S m0)}. Sometimes it is +interesting to have the equality \texttt{m=(S m0)} in the +context to use it after. In that case we can use \texttt{Inversion} that +does not clear the equalities: + +\begin{coq_example*} +Undo. +\end{coq_example*} +\begin{coq_example} +Inversion H. +\end{coq_example} + +\begin{coq_eval} +Undo. +\end{coq_eval} + +Note that the hypothesis \texttt{(S m0)=m} has been deduced and +\texttt{H} has not been cleared from the context. + +\end{itemize} + +\begin{Variants} + +\item \texttt{Inversion\_clear } \ident~ \texttt{in} \ident$_1$ \ldots + \ident$_n$\\ +\index{Inversion_clear...in@{\tt Inversion\_clear...in}} + Let \ident$_1$ \ldots \ident$_n$, be identifiers in the local context. This + tactic behaves as generalizing \ident$_1$ \ldots \ident$_n$, and then performing + {\tt Inversion\_clear}. + +\item \texttt{Inversion } \ident~ \texttt{in} \ident$_1$ \ldots \ident$_n$\\ +\index{Inversion ... in@{\tt Inversion ... in}} + Let \ident$_1$ \ldots \ident$_n$, be identifiers in the local context. This + tactic behaves as generalizing \ident$_1$ \ldots \ident$_n$, and then performing + \texttt{Inversion}. + + +\item \texttt{Simple Inversion} \ident~ \\ +\index{Simple Inversion@{\tt Simple Inversion}} + It is a very primitive inversion tactic that derives all the necessary + equalities but it does not simplify + the constraints as \texttt{Inversion} and + {\tt Inversion\_clear} do. + +\end{Variants} + + +\subsection{The dependent case} +\begin{itemize} +\item \texttt{Dependent Inversion\_clear} \ident~\\ +\index{Dependent Inversion-clear@{\tt Dependent Inversion\_clear}} + Let the type of \ident~ in the local context be $(I~\vec{t})$, + where $I$ is a (co)inductive predicate, and let the goal depend both on + $\vec{t}$ and \ident. Then, + \texttt{Dependent Inversion\_clear} applied to \ident~ derives + for each possible constructor $c_i$ of $(I~\vec{t})$, {\bf all} the + necessary conditions that should hold for the instance $(I~\vec{t})$ to be + proved by $c_i$. It also substitutes \ident~ for the corresponding + term in the goal and it erases \ident~ from the context. + + +For example, consider the goal: +\begin{coq_eval} +Lemma ex_dep : (n,m:nat)(H:(Le (S n) m))(Q (S n) m H). +Intros. +\end{coq_eval} + +\begin{coq_example} +Show. +\end{coq_example} + +As \texttt{H} occurs in the goal, we may want to reason by cases on its +structure and so, we would like inversion tactics to +substitute \texttt{H} by the corresponding term in constructor form. +Neither \texttt{Inversion} nor {\tt Inversion\_clear} make such a +substitution. To have such a behavior we use the dependent inversion tactics: + +\begin{coq_example} +Dependent Inversion_clear H. +\end{coq_example} + +Note that \texttt{H} has been substituted by \texttt{(LeS n m0 l)} and +\texttt{m} by \texttt{(S m0)}. + + +\end{itemize} + +\begin{Variants} + +\item \texttt{Dependent Inversion\_clear } \ident~ \texttt{ with } \term\\ +\index{Dependent Inversion_clear...with@{\tt Dependent Inversion\_clear...with}} + \noindent Behaves as \texttt{Dependent Inversion\_clear} but allows to give + explicitly the good generalization of the goal. It is useful when + the system fails to generalize the goal automatically. If + \ident~ has type $(I~\vec{t})$ and $I$ has type + $(\vec{x}:\vec{T})s$, then \term~ must be of type + $I:(\vec{x}:\vec{T})(I~\vec{x})\rightarrow s'$ where $s'$ is the + type of the goal. + + + +\item \texttt{Dependent Inversion} \ident~\\ +\index{Dependent Inversion@{\tt Dependent Inversion}} + This tactic differs from \texttt{Dependent Inversion\_clear} in the fact that + it also adds the equality constraints in the context and + it does not erase the hypothesis \ident~. + +\item \texttt{Dependent Inversion } \ident~ \texttt{ with } \term \\ +\index{Dependent Inversion...with@{\tt Dependent Inversion...with}} + Analogous to \texttt{Dependent Inversion\_clear .. with..} above. +\end{Variants} + + + +\section{Deriving the inversion lemmas} +\label{inversion_derivation} +\subsection{The non dependent case} + +The tactics (\texttt{Dependent}) \texttt{Inversion} and (\texttt{Dependent}) +{\tt Inversion\_clear} work on a +certain instance $(I~\vec{t})$ of an inductive predicate. At each +application, they inspect the given instance and derive the +corresponding inversion lemma. If we have to invert the same +instance several times it is recommended to stock the lemma in the +context and to reuse it whenever we need it. + +The families of commands \texttt{Derive Inversion}, \texttt{Derive +Dependent Inversion}, \texttt{Derive} \\ {\tt Inversion\_clear} and \texttt{Derive Dependent Inversion\_clear} +allow to generate inversion lemmas for given instances and sorts. Next +section describes the tactic \texttt{Inversion}$\ldots$\texttt{using} that refines the +goal with a specified inversion lemma. + +\begin{itemize} + +\item \texttt{Derive Inversion\_clear} \ident~ \texttt{with} + $(\vec{x}:\vec{T})(I~\vec{t})$ \texttt{Sort} \sort~ \\ +\index{Derive Inversion_clear...with@{\tt Derive Inversion\_clear...with}} + Let $I$ be an inductive predicate and $\vec{x}$ the variables + occurring in $\vec{t}$. This command generates and stocks + the inversion lemma for the sort \sort~ corresponding to the instance + $(\vec{x}:\vec{T})(I~\vec{t})$ with the name \ident~ in the {\bf + global} environment. When applied it is equivalent to have + inverted the instance with the tactic {\tt Inversion\_clear}. + + + For example, to generate the inversion lemma for the instance + \texttt{(Le (S n) m)} and the sort \texttt{Prop} we do: +\begin{coq_example} +Derive Inversion_clear leminv with (n,m:nat)(Le (S n) m) Sort Prop. +\end{coq_example} + +Let us inspect the type of the generated lemma: +\begin{coq_example} +Check leminv. +\end{coq_example} + + + +\end{itemize} + +%\variants +%\begin{enumerate} +%\item \verb+Derive Inversion_clear+ \ident$_1$ \ident$_2$ \\ +%\index{Derive Inversion_clear@{\tt Derive Inversion\_clear}} +% Let \ident$_1$ have type $(I~\vec{t})$ in the local context ($I$ +% an inductive predicate). Then, this command has the same semantics +% as \verb+Derive Inversion_clear+ \ident$_2$~ \verb+with+ +% $(\vec{x}:\vec{T})(I~\vec{t})$ \verb+Sort Prop+ where $\vec{x}$ are the free +% variables of $(I~\vec{t})$ declared in the local context (variables +% of the global context are considered as constants). +%\item \verb+Derive Inversion+ \ident$_1$~ \ident$_2$~\\ +%\index{Derive Inversion@{\tt Derive Inversion}} +% Analogous to the previous command. +%\item \verb+Derive Inversion+ $num$ \ident~ \ident~ \\ +%\index{Derive Inversion@{\tt Derive Inversion}} +% This command behaves as \verb+Derive Inversion+ \ident~ {\it +% namehyp} performed on the goal number $num$. +% +%\item \verb+Derive Inversion_clear+ $num$ \ident~ \ident~ \\ +%\index{Derive Inversion_clear@{\tt Derive Inversion\_clear}} +% This command behaves as \verb+Derive Inversion_clear+ \ident~ +% \ident~ performed on the goal number $num$. +%\end{enumerate} + + + +A derived inversion lemma is adequate for inverting the instance +with which it was generated, \texttt{Derive} applied to +different instances yields different lemmas. In general, if we generate +the inversion lemma with +an instance $(\vec{x}:\vec{T})(I~\vec{t})$ and a sort $s$, the inversion lemma will +expect a predicate of type $(\vec{x}:\vec{T})s$ as first argument. \\ + +\begin{Variant} +\item \texttt{Derive Inversion} \ident~ \texttt{with} + $(\vec{x}:\vec{T})(I~\vec{t})$ \texttt{Sort} \sort\\ +\index{Derive Inversion...with@{\tt Derive Inversion...with}} + Analogous of \texttt{Derive Inversion\_clear .. with ..} but + when applied it is equivalent to having + inverted the instance with the tactic \texttt{Inversion}. +\end{Variant} + +\subsection{The dependent case} +\begin{itemize} +\item \texttt{Derive Dependent Inversion\_clear} \ident~ \texttt{with} + $(\vec{x}:\vec{T})(I~\vec{t})$ \texttt{Sort} \sort~ \\ +\index{Derive Dependent Inversion\_clear...with@{\tt Derive Dependent Inversion\_clear...with}} + Let $I$ be an inductive predicate. This command generates and stocks + the dependent inversion lemma for the sort \sort~ corresponding to the instance + $(\vec{x}:\vec{T})(I~\vec{t})$ with the name \ident~ in the {\bf + global} environment. When applied it is equivalent to having + inverted the instance with the tactic \texttt{Dependent Inversion\_clear}. +\end{itemize} + +\begin{coq_example} +Derive Dependent Inversion_clear leminv_dep + with (n,m:nat)(Le (S n) m) Sort Prop. +\end{coq_example} + +\begin{coq_example} +Check leminv_dep. +\end{coq_example} + +\begin{Variants} +\item \texttt{Derive Dependent Inversion} \ident~ \texttt{with} + $(\vec{x}:\vec{T})(I~\vec{t})$ \texttt{Sort} \sort~ \\ +\index{Derive Dependent Inversion...with@{\tt Derive Dependent Inversion...with}} + Analogous to \texttt{Derive Dependent Inversion\_clear}, but when + applied it is equivalent to having + inverted the instance with the tactic \texttt{Dependent Inversion}. + +\end{Variants} + +\section{Using already defined inversion lemmas} +\label{inversion_using} +\begin{itemize} +\item \texttt{Inversion} \ident \texttt{ using} \ident$'$ \\ +\index{Inversion...using@{\tt Inversion...using}} + Let \ident~ have type $(I~\vec{t})$ ($I$ an inductive + predicate) in the local context, and \ident$'$ be a (dependent) inversion + lemma. Then, this tactic refines the current goal with the specified + lemma. + + +\begin{coq_eval} +Abort. +\end{coq_eval} + +\begin{coq_example} +Show. +\end{coq_example} +\begin{coq_example} +Inversion H using leminv. +\end{coq_example} + + +\end{itemize} +\variant +\begin{enumerate} +\item \texttt{Inversion} \ident~ \texttt{using} \ident$'$ \texttt{in} \ident$_1$\ldots \ident$_n$\\ +\index{Inversion...using...in@{\tt Inversion...using...in}} +This tactic behaves as generalizing \ident$_1$\ldots \ident$_n$, +then doing \texttt{Use Inversion} \ident~\ident$'$. +\end{enumerate} + +\section{\tt Scheme ...}\index{Scheme@{\tt Scheme}}\label{Scheme} +\label{scheme} +The {\tt Scheme} command is a high-level tool for generating +automatically (possibly mutual) induction principles for given types +and sorts. Its syntax follows the schema : + +\noindent +{\tt Scheme {\ident$_1$} := Induction for \term$_1$ Sort {\sort$_1$} \\ + with\\ + \mbox{}\hspace{0.1cm} .. \\ + with {\ident$_m$} := Induction for {\term$_m$} Sort + {\sort$_m$}}\\ +\term$_1$ \ldots \term$_m$ are different inductive types belonging to +the same package of mutual inductive definitions. This command +generates {\ident$_1$}\ldots{\ident$_m$} to be mutually recursive +definitions. Each term {\ident$_i$} proves a general principle +of mutual induction for objects in type {\term$_i$}. + +\Example +The definition of principle of mutual induction for {\tt tree} and +{\tt forest} over the sort {\tt Set} is defined by the command: +\begin{coq_eval} +Restore State Initial. +Variables A,B:Set. +Mutual Inductive tree : Set := node : A -> forest -> tree +with forest : Set := leaf : B -> forest + | cons : tree -> forest -> forest. +\end{coq_eval} +\begin{coq_example*} +Scheme tree_forest_rec := Induction for tree Sort Set +with forest_tree_rec := Induction for forest Sort Set. +\end{coq_example*} +You may now look at the type of {\tt tree\_forest\_rec} : +\begin{coq_example} +Check tree_forest_rec. +\end{coq_example} +This principle involves two different predicates for {\tt trees} and +{\tt forests}; it also has three premises each one corresponding to a +constructor of one of the inductive definitions. + +The principle {\tt tree\_forest\_rec} shares exactly the same +premises, only the conclusion now refers to the property of forests. +\begin{coq_example} +Check forest_tree_rec. +\end{coq_example} + +\begin{Variant} +\item {\tt Scheme {\ident$_1$} := Minimality for \term$_1$ Sort {\sort$_1$} \\ + with\\ + \mbox{}\hspace{0.1cm} .. \\ + with {\ident$_m$} := Minimality for {\term$_m$} Sort + {\sort$_m$}}\\ +Same as before but defines a non-dependent elimination principle more +natural in case of inductively defined relations. +\end{Variant} + +\Example +With the predicates {\tt odd} and {\tt even} inductively defined as: +\begin{coq_eval} +Restore State Initial. +\end{coq_eval} +\begin{coq_example*} +Mutual Inductive odd : nat->Prop := + oddS : (n:nat)(even n)->(odd (S n)) +with even : nat -> Prop := + evenO : (even O) + | evenS : (n:nat)(odd n)->(even (S n)). +\end{coq_example*} +The following command generates a powerful elimination +principle: +\begin{coq_example*} +Scheme odd_even := Minimality for odd Sort Prop +with even_odd := Minimality for even Sort Prop. +\end{coq_example*} +The type of {\tt odd\_even} for instance will be: +\begin{coq_example} +Check odd_even. +\end{coq_example} +The type of {\tt even\_odd} shares the same premises but the +conclusion is {\tt (n:nat)(even n)->(Q n)}. + + + +%\end{document} + +% $Id$ diff --git a/doc/RefMan-int.tex b/doc/RefMan-int.tex new file mode 100755 index 000000000..d874f7cdb --- /dev/null +++ b/doc/RefMan-int.tex @@ -0,0 +1,127 @@ +\setheaders{Introduction} +\chapter*{Introduction} + +This document is the Reference Manual of version V6.2.4 of the \Coq\ +proof assistant. A companion volume, the \Coq\ Tutorial, is provided +for the beginners. It is advised to read the Tutorial first. + +The system \Coq\ is designed to write formal specifications, +programs and to verify that programs are correct with respect to their +specification. It provides a specification language named \gallina. Terms of +\gallina\ can represent programs as well as properties of these +programs and proofs of these properties. Using the so-called +\textit{Curry-Howard isomorphism}, programs, properties and proofs are +formalized the same +language called \textit{Calculus of Inductive Constructions}, that is +a $\lambda$-calculus with a rich type system. +All logical judgments in \Coq\ are typing judgments. The very heart of the Coq +system is the type-checking algorithm that checks the correctness of +proofs, in other words that checks that a program complies to its +specification. \Coq\ also provides an interactive proof assistant to +build proofs using specific programs called \textit{tactics}. + +All services of the \Coq\ proof assistant are accessible by +interpretation of a command language called \textit{the vernacular}. + +\Coq\ has an interactive mode in which commands are interpreted as the +user types them in from the keyboard and a compiled mode where +commands are processed from a file. Other modes of interaction with +\Coq\ are possible, through an emacs shell window, or through a +customized interface with the Centaur environment (CTCoq). These +facilities are not documented here. + +\begin{itemize} +\item The interactive mode may be used as a debugging mode in which + the user can develop his theories and proofs step by step, + backtracking if needed and so on. The interactive mode is run with + the {\tt coqtop} command from the operating system (which we shall + assume to be some variety of UNIX in the rest of this document). +\item The compiled mode acts as a proof checker taking a file + containing a whole development in order to ensure its correctness. + Moreover, \Coq's compiler provides an output file containing a + compact representation of its input. The compiled mode is run with + the {\tt coqc} command from the operating system. Its use is + documented in chapter \ref{Addoc-coqc}. +\end{itemize} + +\section*{How to read this book} + +This is a Reference Manual, not a User Manual, then it is not made for a +continuous reading. However, it has some structure that is explained +below. + +\begin{itemize} +\item The first part describes the specification language, + Gallina. The chapters \ref{Gallina} and \ref{Gallina-extension} + describe the concrete syntax as well as the meaning of programs, + theorems and proofs in the Calculus of Inductive Construction. The + chapter \ref{Theories} describes the standard library of \Coq. The + chapter \ref{Cic} is a mathematical description of the formalism. + +\item The second part describes the proof engine. It is divided in + three chapters. Chapter \ref{Vernacular-commands} presents + all commands (we call them \textit{vernacular commands}) that are not + directly related to interactive proving: requests to the environment, + complete or partial evaluation, loading and compiling files. How to + start and stop proofs, do multiple proofs in parallel is explained + in the chapter \ref{Proof-handling}. In chapter \ref{Tactics}, + all commands that realize one or more steps of the proof are + presented: we call them \textit{tactics}. + +\item The third part describes how to extend the system in two ways: + adding parsing and pretty-printing rules (chapter + \ref{Addoc-syntax}) and writing new tactics (chapter + \ref{WritingTactics}) + + +\item In the fourth part more practical tools are documented. First in + the chapter \ref{Addoc-coqc} the usage of \texttt{coqc} (batch mode) + and \texttt{coqtop} (interactive mode) with their options is + described. Then (in chapter \ref{Utilities}) + various utilities that come with the \Coq\ distribution are presented. +\end{itemize} + +At the end of the document, after the global index, the user can find +a tactic index and a vernacular command index. + +\section*{List of additionnal documentation} + +This manual contains not all the documentation the user may need about +Coq. Various informations can be found in the following documents: + +\begin{description} + +\item[Tutorial] + A companion volume to this reference manual, the \Coq\ Tutorial, is + aimed at gently introducing new users to developing proofs in \Coq\ + without assuming prior knowledge of type theory. In a second step, the + user can read also the tutorial on recursive types (document {\tt + RecTutorial.ps}). + +\item[Addendum] The fifth part (the Addendum) of the Reference Manual + is distributed as a separate document. It contains more + detailed documentation and examples about some specific aspects of the + system that may interest only certain users. It shares the indexes, + the page numbers and + the bibliography with the Reference Manual. If you see in one of the + indexes a page number that is outside the Reference Manual, it refers + to the Addendum. + +\item[Installation] A text file INSTALL that comes with the sources + explains how to install \Coq. A file UNINSTALL explains how + uninstall or move it. + +\item[The \Coq\ standard library] +A commented version of sources of the \Coq\ standard library +(including only the specifications, the proofs are removed) +is given in the additional document {\tt Library.ps}. + +\end{description} + + +% $Id$ + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/RefMan-lib.tex b/doc/RefMan-lib.tex new file mode 100755 index 000000000..6af0f55cf --- /dev/null +++ b/doc/RefMan-lib.tex @@ -0,0 +1,883 @@ +\chapter{The {\Coq} library} +\index{Theories}\label{Theories} + +The \Coq\ library is structured into three parts: + +\begin{description} +\item[The initial library:] it contains + elementary logical notions and datatypes. It constitutes the + basic state of the system directly available when running + \Coq; + +\item[The standard library:] general-purpose libraries containing + various developments of \Coq\ axiomatizations about sets, lists, + sorting, arithmetic, etc. This library comes with the system and its + modules are directly accessible through the \verb!Require! command + (see~\ref{Require}); + +\item[User contributions:] Other specification and proof developments + coming from the \Coq\ users' community. These libraries are no + longer distributed with the system. They are available by anonymous + FTP (see section \ref{Contributions}). +\end{description} + +This chapter briefly reviews these libraries. + +\section{The basic library} +\label{Prelude} + +This section lists the basic notions and results which are directly +available in the standard \Coq\ system +\footnote{These constructions are defined in the +{\tt Prelude} module in directory {\tt theories/INIT} at the {\Coq} +root directory; this includes the modules +% {\tt Core} l'inexplicable let +{\tt Logic}, +{\tt Datatypes}, +{\tt Specif}, +{\tt Peano}, +and {\tt Wf} +plus the module {\tt Logic\_Type}}. + +\subsection{Logic} \label{Logic} + +The basic library of {\Coq} comes with the definitions of standard +(intuitionistic) logical connectives (they are defined as inductive +constructions). They are equipped with an appealing syntax enriching the +(subclass {\form}) of the syntactic class {\term}. The syntax +extension +\footnote{This syntax is defined in module {\tt LogicSyntax}} + is shown on figure \ref{formulas-syntax}. + +\begin{figure} +\label{formulas-syntax} +\begin{center} +\begin{tabular}{|lclr|} +\hline +{\form} & ::= & {\tt True} & ({\tt True})\\ + & $|$ & {\tt False} & ({\tt False})\\ + & $|$ & {\verb|~|} {\form} & ({\tt not})\\ + & $|$ & {\form} {\tt /$\backslash$} {\form} & ({\tt and})\\ + & $|$ & {\form} {\tt $\backslash$/} {\form} & ({\tt or})\\ + & $|$ & {\form} {\tt ->} {\form} & (\em{primitive implication})\\ + & $|$ & {\form} {\tt <->} {\form} & ({\tt iff})\\ + & $|$ & {\tt (} {\ident} {\tt :} {\type} {\tt )} + {\form} & (\em{primitive for all})\\ + & $|$ & {\tt ( ALL} {\ident} \zeroone{{\tt :} {\specif}} {\tt |} + {\form} {\tt )} & ({\tt all})\\ + & $|$ & {\tt ( EX} {\ident} \zeroone{{\tt :} {\specif}} {\tt + |} {\form} {\tt )} & ({\tt ex})\\ + & $|$ & {\tt ( EX} {\ident} \zeroone{{\tt :} {\specif}} {\tt + |} {\form} {\tt \&} {\form} {\tt )} & ({\tt ex2})\\ + & $|$ & {\term} {\tt =} {\term} & ({\tt eq})\\ +\hline +\end{tabular} +\end{center} + +\medskip + +\noindent Remark: The implication is not defined but primitive +(it is a non-dependent product of a proposition over another proposition). +There is also a primitive universal quantification (it is a +dependent product over a proposition). The primitive universal +quantification allows both first-order and higher-order +quantification. There is no need to +use the notation {\tt ( ALL} {\ident} \zeroone{{\tt :} {\specif}} {\tt +|} {\form} {\tt )} propositions), except to have a notation dual of +the notation for first-order existential quantification. +\caption{Syntax of formulas} +\end{figure} + +\subsubsection{Propositional Connectives} \label{Connectives} +\index{Connectives} + +First, we find propositional calculus connectives: +\ttindex{True} +\ttindex{I} +\ttindex{False} +\ttindex{not} +\ttindex{and} +\ttindex{conj} +\ttindex{proj1} +\ttindex{proj2} + +\begin{coq_example*} +Inductive True : Prop := I : True. +Inductive False : Prop := . +Definition not := [A:Prop] A->False. +Inductive and [A,B:Prop] : Prop := conj : A -> B -> A/\B. +Section Projections. +Variables A,B : Prop. +Theorem proj1 : A/\B -> A. +Theorem proj2 : A/\B -> B. +\end{coq_example*} +\begin{coq_eval} +Abort. +Abort. +\end{coq_eval} +\ttindex{or} +\ttindex{or\_introl} +\ttindex{or\_intror} +\ttindex{iff} +\ttindex{IF} +\begin{coq_example*} +End Projections. +Inductive or [A,B:Prop] : Prop + := or_introl : A -> A\/B + | or_intror : B -> A\/B. +Definition iff := [P,Q:Prop] (P->Q) /\ (Q->P). +Definition IF := [P,Q,R:Prop] (P/\Q) \/ (~P/\R). +\end{coq_example*} + +\subsubsection{Quantifiers} \label{Quantifiers} +\index{Quantifiers} + +Then we find first-order quantifiers: +\ttindex{all} +\ttindex{All} +\ttindex{ex} +\ttindex{Ex} +\ttindex{EX} +\ttindex{ex\_intro} +\ttindex{ex2} +\ttindex{Ex2} +\ttindex{ex\_intro2} + +\begin{coq_example*} +Definition all := [A:Set][P:A->Prop](x:A)(P x). +Inductive ex [A:Set;P:A->Prop] : Prop + := ex_intro : (x:A)(P x)->(ex A P). +Inductive ex2 [A:Set;P,Q:A->Prop] : Prop + := ex_intro2 : (x:A)(P x)->(Q x)->(ex2 A P Q). +\end{coq_example*} + +The following abbreviations are allowed: +\begin{center} + \begin{tabular}[h]{|l|r|} + \hline + \verb+(ALL x:A | P)+ & \verb+(all A [x:A]P)+ \\ + \verb+(ALL x | P)+ & \verb+(all A [x:A]P)+ \\ + \verb+(EX x:A | P)+ & \verb+(ex A [x:A]P)+ \\ + \verb+(EX x | P)+ & \verb+(ex A [x:A]P)+ \\ + \verb+(EX x:A | P & Q)+ & \verb+(ex2 A [x:A]P [x:A]Q)+ \\ + \verb+(EX x | P & Q)+ & \verb+(ex2 A [x:A]P [x:A]Q)+ \\ + \hline + \end{tabular} +\end{center} + +The type annotation \texttt{:A} can be omitted when \texttt{A} can be +synthesized by the system. + +\subsubsection{Equality} \label{Equality} +\index{Equality} + +Then, we find equality, defined as an inductive relation. That is, +given a \verb:Set: \verb:A: and an \verb:x: of type \verb:A:, the +predicate \verb:(eq A x): is the smallest which contains \verb:x:. +This definition, due to Christine Paulin-Mohring, is equivalent to +define \verb:eq: as the smallest reflexive relation, and it is also +equivalent to Leibniz' equality. + +\ttindex{eq} +\ttindex{refl\_equal} + +\begin{coq_example*} +Inductive eq [A:Set;x:A] : A->Prop + := refl_equal : (eq A x x). +\end{coq_example*} + +\subsubsection{Lemmas} \label{PreludeLemmas} +Finally, a few easy lemmas are provided. + +\ttindex{absurd} + +\begin{coq_example*} +Theorem absurd : (A:Prop)(C:Prop) A -> ~A -> C. +\end{coq_example*} +\begin{coq_eval} +Abort. +\end{coq_eval} +\ttindex{sym\_equal} +\ttindex{trans\_equal} +\ttindex{f\_equal} +\ttindex{sym\_not\_equal} +\begin{coq_example*} +Section equality. + Variable A,B : Set. + Variable f : A->B. + Variable x,y,z : A. + Theorem sym_equal : x=y -> y=x. + Theorem trans_equal : x=y -> y=z -> x=z. + Theorem f_equal : x=y -> (f x)=(f y). + Theorem sym_not_equal : ~(x=y) -> ~(y=x). +\end{coq_example*} +\begin{coq_eval} +Abort. +Abort. +Abort. +Abort. +\end{coq_eval} +\ttindex{eq\_ind\_r} +\ttindex{eq\_rec\_r} +\begin{coq_example*} +End equality. +Definition eq_ind_r : (A:Set)(x:A)(P:A->Prop)(P x)->(y:A)y=x->(P y). +Definition eq_rec_r : (A:Set)(x:A)(P:A->Set)(P x)->(y:A)y=x->(P y). +\end{coq_example*} +\begin{coq_eval} +Abort. +Abort. +\end{coq_eval} +\begin{coq_example*} +Immediate sym_equal sym_not_equal. +\end{coq_example*} + +\subsection{Datatypes} \label{Datatypes} + +In the basic library, we find the definition\footnote{They are in {\tt +Datatypes.v}} +of the basic data-types of programming, +again defined as inductive constructions over the sort +\verb:Set:. Some of them come with a special syntax shown on figure +\ref{specif-syntax}. + +\subsubsection{Programming} \label{Programming} +\index{Programming} +\index{Datatypes} + +\ttindex{unit} +\ttindex{tt} +\ttindex{bool} +\ttindex{true} +\ttindex{false} +\ttindex{nat} +\ttindex{O} +\ttindex{S} + +\begin{coq_example*} +Inductive unit : Set := tt : unit. +Inductive bool : Set := true : bool + | false : bool. +Inductive nat : Set := O : nat + | S : nat->nat. +\end{coq_example*} + +Note that zero is the letter \verb:O:, and {\sl not} the numeral +\verb:0:. + +We then define the disjoint sum of \verb:A+B: of two sets \verb:A: and +\verb:B:, and their product \verb:A*B:. +\ttindex{sum} +\ttindex{A+B} +\ttindex{+} +\ttindex{inl} +\ttindex{inr} +\ttindex{prod} +\ttindex{A*B} +\ttindex{*} +\ttindex{pair} +\ttindex{fst} +\ttindex{snd} +\ttindex{Fst} +\ttindex{Snd} + +\begin{coq_example*} +Inductive sum [A,B:Set] : Set + := inl : A -> A+B + | inr : B -> A+B. +Inductive prod [A,B:Set] : Set := pair : A -> B -> A*B. +Section projections. + Variables A,B:Set. + Definition fst := [H:A*B] Cases H of (x,y) => x end. + Definition snd := [H:A*B] Cases H of (x,y) => y end. +End projections. +Syntactic Definition Fst := (fst ? ?). +Syntactic Definition Snd := (snd ? ?). +\end{coq_example*} + +\subsection{Specification} + +The following notions\footnote{They are defined in module {\tt +Specif.v}} allows to build new datatypes and specifications. +They are available with the syntax shown on +figure \ref{specif-syntax}\footnote{This syntax can be found in the module +{\tt SpecifSyntax.v}}. + +For instance, given \verb|A:Set| and \verb|P:A->Prop|, the construct +\verb+{x:A | (P x)}+ (in abstract syntax \verb+(sig A P)+) is a +\verb:Set:. We may build elements of this set as \verb:(exist x p): +whenever we have a witness \verb|x:A| with its justification +\verb|p:(P x)|. + +From such a \verb:(exist x p): we may in turn extract its witness +\verb|x:A| (using an elimination construct such as \verb:Cases:) but +{\sl not} its justification, which stays hidden, like in an abstract +data type. In technical terms, one says that \verb:sig: is a ``weak +(dependent) sum''. A variant \verb:sig2: with two predicates is also +provided. + +\index{\{x:A "| (P x)\}} +\index{"|} +\ttindex{sig} +\ttindex{exist} +\ttindex{sig2} +\ttindex{exist2} + +\begin{coq_example*} +Inductive sig [A:Set;P:A->Prop] : Set + := exist : (x:A)(P x) -> (sig A P). +Inductive sig2 [A:Set;P,Q:A->Prop] : Set + := exist2 : (x:A)(P x) -> (Q x) -> (sig2 A P Q). +\end{coq_example*} + +A ``strong (dependent) sum'' \verb+{x:A & (P x)}+ may be also defined, +when the predicate \verb:P: is now defined as a \verb:Set: +constructor. + +\ttindex{\{x:A \& (P x)\}} +\ttindex{\&} +\ttindex{sigS} +\ttindex{existS} +\ttindex{projS1} +\ttindex{projS2} +\ttindex{sigS2} +\ttindex{existS2} + +\begin{coq_example*} +Inductive sigS [A:Set;P:A->Set] : Set + := existS : (x:A)(P x) -> (sigS A P). +Section projections. + Variable A:Set. + Variable P:A->Set. + Definition projS1 := [H:(sigS A P)] let (x,h) = H in x. + Definition projS2 := [H:(sigS A P)]<[H:(sigS A P)](P (projS1 H))> + let (x,h) = H in h. +End projections. +Inductive sigS2 [A:Set;P,Q:A->Set] : Set + := existS2 : (x:A)(P x) -> (Q x) -> (sigS2 A P Q). +\end{coq_example*} + +A related non-dependent construct is the constructive sum +\verb"{A}+{B}" of two propositions \verb:A: and \verb:B:. +\label{sumbool} +\ttindex{sumbool} +\ttindex{left} +\ttindex{right} +\ttindex{\{A\}+\{B\}} + +\begin{coq_example*} +Inductive sumbool [A,B:Prop] : Set + := left : A -> ({A}+{B}) + | right : B -> ({A}+{B}). +\end{coq_example*} + +This \verb"sumbool" construct may be used as a kind of indexed boolean +data type. An intermediate between \verb"sumbool" and \verb"sum" is +the mixed \verb"sumor" which combines \verb"A:Set" and \verb"B:Prop" +in the \verb"Set" \verb"A+{B}". +\ttindex{sumor} +\ttindex{inleft} +\ttindex{inright} +\ttindex{A+\{B\}} + +\begin{coq_example*} +Inductive sumor [A:Set;B:Prop] : Set + := inleft : A -> (A+{B}) + | inright : B -> (A+{B}). +\end{coq_example*} + +\begin{figure} +\label{specif-syntax} +\begin{center} +\begin{tabular}{|lclr|} +\hline +{\specif} & ::= & {\specif} {\tt *} {\specif} & ({\tt prod})\\ + & $|$ & {\specif} {\tt +} {\specif} & ({\tt sum})\\ + & $|$ & {\specif} {\tt + \{} {\specif} {\tt \}} & ({\tt sumor})\\ + & $|$ & {\tt \{} {\specif} {\tt \} + \{} {\specif} {\tt \}} & + ({\tt sumbool})\\ + & $|$ & {\tt \{} {\ident} {\tt :} {\specif} {\tt |} {\form} {\tt \}} + & ({\tt sig})\\ + & $|$ & {\tt \{} {\ident} {\tt :} {\specif} {\tt |} {\form} {\tt \&} + {\form} {\tt \}} & ({\tt sig2})\\ + & $|$ & {\tt \{} {\ident} {\tt :} {\specif} {\tt \&} {\specif} {\tt + \}} & ({\tt sigS})\\ + & $|$ & {\tt \{} {\ident} {\tt :} {\specif} {\tt \&} {\specif} {\tt + \&} {\specif} {\tt \}} & ({\tt sigS2})\\ + & & & \\ +{\term} & ::= & {\tt (} {\term} {\tt ,} {\term} {\tt )} & ({\tt pair})\\ +\hline +\end{tabular} +\caption{Syntax of datatypes and specifications} +\end{center} +\end{figure} + +We may define variants of the axiom of choice, like in Martin-Löf's +Intuitionistic Type Theory. +\ttindex{Choice} +\ttindex{Choice2} +\ttindex{bool\_choice} + +\begin{coq_example*} +Lemma Choice : (S,S':Set)(R:S->S'->Prop)((x:S){y:S'|(R x y)}) + -> {f:S->S'|(z:S)(R z (f z))}. +Lemma Choice2 : (S,S':Set)(R:S->S'->Set)((x:S){y:S' & (R x y)}) + -> {f:S->S' & (z:S)(R z (f z))}. +Lemma bool_choice : (S:Set)(R1,R2:S->Prop)((x:S){(R1 x)}+{(R2 x)}) -> + {f:S->bool | (x:S)( ((f x)=true /\ (R1 x)) + \/ ((f x)=false /\ (R2 x)))}. +\end{coq_example*} +\begin{coq_eval} +Abort. +Abort. +Abort. +\end{coq_eval} + +The next construct builds a sum between a data type \verb|A:Set| and +an exceptional value encoding errors: + +\ttindex{Exc} +\ttindex{value} +\ttindex{error} + +\begin{coq_example*} +Inductive Exc [A:Set] : Set := value : A->(Exc A) + | error : (Exc A). +\end{coq_example*} + + +This module ends with one axiom and theorems, +relating the sorts \verb:Set: and +\verb:Prop: in a way which is consistent with the realizability +interpretation. +\ttindex{False\_rec} +\ttindex{eq\_rec} +\ttindex{Except} +\ttindex{absurd\_set} +\ttindex{and\_rec} + +\begin{coq_example*} +Axiom False_rec : (P:Set)False->P. +Definition except := False_rec. +Syntactic Definition Except := (except ?). +Theorem absurd_set : (A:Prop)(C:Set)A->(~A)->C. +Theorem and_rec : (A,B:Prop)(C:Set)(A->B->C)->(A/\B)->C. +\end{coq_example*} +\begin{coq_eval} +Abort. +Abort. +\end{coq_eval} + +\subsection{Basic Arithmetics} + +The basic library includes a few elementary properties of natural numbers, +together with the definitions of predecessor, addition and +multiplication\footnote{This is in module {\tt Peano.v}}. +\ttindex{eq\_S} +\ttindex{pred} +\ttindex{pred\_Sn} +\ttindex{eq\_add\_S} +\ttindex{not\_eq\_S} +\ttindex{IsSucc} +\ttindex{O\_S} +\ttindex{n\_Sn} +\ttindex{plus} +\ttindex{plus\_n\_O} +\ttindex{plus\_n\_Sm} +\ttindex{mult} +\ttindex{mult\_n\_O} +\ttindex{mult\_n\_Sm} + +\begin{coq_example*} +Theorem eq_S : (n,m:nat) n=m -> (S n)=(S m). +\end{coq_example*} +\begin{coq_eval} +Abort. +\end{coq_eval} +\begin{coq_example*} +Definition pred : nat->nat + := [n:nat](<nat>Cases n of O => O + | (S u) => u end). +Theorem pred_Sn : (m:nat) m=(pred (S m)). +Theorem eq_add_S : (n,m:nat) (S n)=(S m) -> n=m. +Immediate eq_add_S. +Theorem not_eq_S : (n,m:nat) ~(n=m) -> ~((S n)=(S m)). +\end{coq_example*} +\begin{coq_eval} +Abort. +Abort. +Abort. +\end{coq_eval} +\begin{coq_example*} +Definition IsSucc : nat->Prop + := [n:nat](<Prop>Cases n of O => False + | (S p) => True end). +Theorem O_S : (n:nat) ~(O=(S n)). +Theorem n_Sn : (n:nat) ~(n=(S n)). +\end{coq_example*} +\begin{coq_eval} +Abort. +Abort. +\end{coq_eval} +\begin{coq_example*} +Fixpoint plus [n:nat] : nat -> nat := + [m:nat](<nat>Cases n of + O => m + | (S p) => (S (plus p m)) end). +Lemma plus_n_O : (n:nat) n=(plus n O). +Lemma plus_n_Sm : (n,m:nat) (S (plus n m))=(plus n (S m)). +\end{coq_example*} +\begin{coq_eval} +Abort. +Abort. +\end{coq_eval} +\begin{coq_example*} +Fixpoint mult [n:nat] : nat -> nat := + [m:nat](<nat> Cases n of O => O + | (S p) => (plus m (mult p m)) end). +Lemma mult_n_O : (n:nat) O=(mult n O). +Lemma mult_n_Sm : (n,m:nat) (plus (mult n m) n)=(mult n (S m)). +\end{coq_example*} +\begin{coq_eval} +Abort. +Abort. +\end{coq_eval} + +Finally, it gives the definition of the usual orderings \verb:le:, +\verb:lt:, \verb:ge:, and \verb:gt:. +\ttindex{le} +\ttindex{le\_n} +\ttindex{le\_S} +\ttindex{lt} +\ttindex{ge} +\ttindex{gt} + +\begin{coq_example*} +Inductive le [n:nat] : nat -> Prop + := le_n : (le n n) + | le_S : (m:nat)(le n m)->(le n (S m)). +Definition lt := [n,m:nat](le (S n) m). +Definition ge := [n,m:nat](le m n). +Definition gt := [n,m:nat](lt m n). +\end{coq_example*} + +Properties of these relations are not initially known, but may be +required by the user from modules \verb:Le: and \verb:Lt:. Finally, +\verb:Peano: gives some lemmas allowing pattern-matching, and a double +induction principle. + +\ttindex{nat\_case} +\ttindex{nat\_double\_ind} + +\begin{coq_example*} +Theorem nat_case : (n:nat)(P:nat->Prop)(P O)->((m:nat)(P (S m)))->(P n). +\end{coq_example*} +\begin{coq_eval} +Abort. +\end{coq_eval} +\begin{coq_example*} +Theorem nat_double_ind : (R:nat->nat->Prop) + ((n:nat)(R O n)) -> ((n:nat)(R (S n) O)) + -> ((n,m:nat)(R n m)->(R (S n) (S m))) + -> (n,m:nat)(R n m). +\end{coq_example*} +\begin{coq_eval} +Abort. +\end{coq_eval} + +\subsection{Well-founded recursion} + +The basic library contains the basics of well-founded recursion and +well-founded induction\footnote{This is defined in module {\tt Wf.v}}. +\index{Well foundedness} +\index{Recursion} +\index{Well founded induction} +\ttindex{Acc} +\ttindex{Acc\_inv} +\ttindex{Acc\_rec} +\ttindex{well\_founded} + +\begin{coq_example*} +Chapter Well_founded. +Variable A : Set. +Variable R : A -> A -> Prop. +Inductive Acc : A -> Prop + := Acc_intro : (x:A)((y:A)(R y x)->(Acc y))->(Acc x). +Lemma Acc_inv : (x:A)(Acc x) -> (y:A)(R y x) -> (Acc y). +\end{coq_example*} +\begin{coq_eval} +Destruct 1; Trivial. +Defined. +\end{coq_eval} +\begin{coq_example*} +Section AccRec. +Variable P : A -> Set. +Variable F : (x:A)((y:A)(R y x)->(Acc y))->((y:A)(R y x)->(P y))->(P x). +Fixpoint Acc_rec [x:A;a:(Acc x)] : (P x) + := (F x (Acc_inv x a) [y:A][h:(R y x)](Acc_rec y (Acc_inv x a y h))). +End AccRec. +Definition well_founded := (a:A)(Acc a). +Theorem well_founded_induction : + well_founded -> + (P:A->Set)((x:A)((y:A)(R y x)->(P y))->(P x))->(a:A)(P a). +\end{coq_example*} +\begin{coq_eval} +Abort. +\end{coq_eval} +\begin{coq_example*} +End Well_founded. +\end{coq_example*} +\begin{coq_example*} + Section Wf_inductor. +Variable A:Set. +Variable R:A->A->Prop. +Theorem well_founded_ind : + (well_founded A R) -> + (P:A->Prop)((x:A)((y:A)(R y x)->(P y))->(P x))->(a:A)(P a). +\end{coq_example*} +\begin{coq_eval} +Abort. +\end{coq_eval} +\begin{coq_example*} +End Wf_inductor. +\end{coq_example*} + + +\subsection{Accessing the {\Type} level} + +The basic library includes the definitions\footnote{This is in module +{\tt Logic\_Type.v}} of logical quantifiers axiomatized at the +\verb:Type: level. + +\ttindex{allT} +\ttindex{AllT} +\ttindex{inst} +\ttindex{gen} +\ttindex{exT} +\ttindex{ExT} +\ttindex{EXT} +\ttindex{exT\_intro} +\ttindex{ExT2} +\ttindex{exT2} +\ttindex{EmptyT} +\ttindex{UnitT} +\ttindex{notT} + +\begin{coq_example*} +Definition allT := [A:Type][P:A->Prop](x:A)(P x). + +Section universal_quantification. +Variable A : Type. +Variable P : A->Prop. +Theorem inst : (x:A)(ALLT x | (P x))->(P x). +Theorem gen : (B:Prop)(f:(y:A)B->(P y))B->(allT ? P). +\end{coq_example*} +\begin{coq_eval} +Abort. +Abort. +\end{coq_eval} +\begin{coq_example*} +End universal_quantification. +Inductive exT [A:Type;P:A->Prop] : Prop + := exT_intro : (x:A)(P x)->(exT A P). + +Inductive exT2 [A:Type;P,Q:A->Prop] : Prop + := exT_intro2 : (x:A)(P x)->(Q x)->(exT2 A P Q). +\end{coq_example*} + +It defines also Leibniz equality \verb:x==y: when \verb:x: and +\verb:y: belong to \verb+A:Type+. +\ttindex{eqT} +\ttindex{refl\_eqT} +\ttindex{sum\_eqT} +\ttindex{sym\_not\_eqT} +\ttindex{trans\_eqT} +\ttindex{congr\_eqT} +\ttindex{eqT\_ind\_r} +\ttindex{eqT\_rec\_r} + +\begin{coq_example*} +Inductive eqT [A:Type;x:A] : A -> Prop + := refl_eqT : (eqT A x x). +Section Equality_is_a_congruence. +Variables A,B : Type. +Variable f : A->B. + Variable x,y,z : A. + Lemma sym_eqT : (x==y) -> (y==x). + Lemma trans_eqT : (x==y) -> (y==z) -> (x==z). + Lemma congr_eqT : (x==y)->((f x)==(f y)). +\end{coq_example*} +\begin{coq_eval} +Abort. +Abort. +Abort. +\end{coq_eval} +\begin{coq_example*} +End Equality_is_a_congruence. +Immediate sym_eqT sym_not_eqT. +Definition eqT_ind_r: (A:Type)(x:A)(P:A->Prop)(P x)->(y:A)y==x -> (P y). +\end{coq_example*} +\begin{coq_eval} +Abort. +\end{coq_eval} + +The figure \ref{formulas-syntax-type} presents the syntactic notations +corresponding to the main definitions +\footnote{This syntax is defined in module {\tt Logic\_TypeSyntax}} + +\begin{figure} +\label{formulas-syntax-type} +\begin{center} +\begin{tabular}{|lclr|} +\hline +{\form} & ::= & {\tt ( ALLT} {\ident} \zeroone{{\tt :} {\specif}} {\tt |} + {\form} {\tt )} & ({\tt allT})\\ + & $|$ & {\tt ( EXT} {\ident} \zeroone{{\tt :} {\specif}} {\tt + |} {\form} {\tt )} & ({\tt exT})\\ + & $|$ & {\tt ( EXT} {\ident} \zeroone{{\tt :} {\specif}} {\tt + |} {\form} {\tt \&} {\form} {\tt )} & ({\tt exT2})\\ + & $|$ & {\term} {\tt ==} {\term} & ({\tt eqT})\\ +\hline +\end{tabular} +\end{center} +\caption{Syntax of first-order formulas in the type universe} +\end{figure} + +At the end, it defines datatypes at the {\Type} level. + +\begin{coq_example*} +Inductive EmptyT: Type :=. +Inductive UnitT : Type := IT : UnitT. +Definition notT := [A:Type] A->EmptyT. + +Inductive identityT [A:Type; a:A] : A->Type := + refl_identityT : (identityT A a a). +\end{coq_example*} + + +\section{The standard library} + +\subsection{Survey} + +The rest of the standard library is structured into the following +subdirectories: + +\begin{tabular}{lp{12cm}} + {\bf LOGIC} & Classical logic and dependent equality \\ + {\bf ARITH} & Basic Peano arithmetic \\ + {\bf ZARITH} & Basic integer arithmetic \\ + {\bf BOOL} & Booleans (basic functions and results) \\ + {\bf LISTS} & Monomorphic and polymorphic lists (basic functions and + results), Streams (infinite sequences defined with co-inductive + types) \\ + {\bf SETS} & Sets (classical, constructive, finite, infinite, power set, + etc.) \\ + {\bf RELATIONS} & Relations (definitions and basic results). There is + a subdirectory about well-founded relations ({\bf WELLFOUNDED}) \\ + {\bf SORTING} & Various sorting algorithms \\ + {\bf REALS} & Axiomatization of Real Numbers (classical, basic functions + and results, integer part and fractional part, + requires the \textbf{ZARITH} library) +\end{tabular} +\medskip + +These directories belong to the initial load path of the system, and +the modules they provide are compiled at installation time. So they +are directly accessible with the command \verb!Require! (see +chapter~\ref{Other-commands}). + +The different modules of the \Coq\ standard library are described in the +additional document \verb!Library.dvi!. They are also accessible on the WWW +through the \Coq\ homepage +\footnote{\texttt{http://coq.inria.fr}}. + +\subsection{Notations for integer arithmetics} +\index{Arithmetical notations} + +On figure \ref{zarith-syntax} is described the syntax of expressions +for integer arithmetics. It is provided by requiring the module {\tt ZArith}. + +\ttindex{+} +\ttindex{*} +\ttindex{-} + +The {\tt +} and {\tt -} binary operators bind less than the {\tt *} operator +which binds less than the {\tt |}~...~{\tt |} and {\tt -} unary +operators which bind less than the others constructions. +All the binary operators are left associative. The {\tt [}~...~{\tt ]} +allows to escape the {\zarith} grammar. + +\begin{figure} +\begin{center} +\begin{tabular}{|lcl|} +\hline +{\form} & ::= & {\tt `} {\zarithformula} {\tt `}\\ + & & \\ +{\term} & ::= & {\tt `} {\zarith} {\tt `}\\ + & & \\ +{\zarithformula} & ::= & {\zarith} {\tt =} {\zarith} \\ + & $|$ & {\zarith} {\tt <=} {\zarith} \\ + & $|$ & {\zarith} {\tt <} {\zarith} \\ + & $|$ & {\zarith} {\tt >=} {\zarith} \\ + & $|$ & {\zarith} {\tt >} {\zarith} \\ + & $|$ & {\zarith} {\tt =} {\zarith} {\tt =} {\zarith} \\ + & $|$ & {\zarith} {\tt <=} {\zarith} {\tt <=} {\zarith} \\ + & $|$ & {\zarith} {\tt <=} {\zarith} {\tt <} {\zarith} \\ + & $|$ & {\zarith} {\tt <} {\zarith} {\tt <=} {\zarith} \\ + & $|$ & {\zarith} {\tt <} {\zarith} {\tt <} {\zarith} \\ + & $|$ & {\zarith} {\tt <>} {\zarith} \\ + & $|$ & {\zarith} {\tt ?} {\tt =} {\zarith} \\ + & & \\ +{\zarith} & ::= & {\zarith} {\tt +} {\zarith} \\ + & $|$ & {\zarith} {\tt -} {\zarith} \\ + & $|$ & {\zarith} {\tt *} {\zarith} \\ + & $|$ & {\tt |} {\zarith} {\tt |} \\ + & $|$ & {\tt -} {\zarith} \\ + & $|$ & {\ident} \\ + & $|$ & {\tt [} {\term} {\tt ]} \\ + & $|$ & {\tt (} \nelist{\zarith}{} {\tt )} \\ + & $|$ & {\tt (} \nelist{\zarith}{,} {\tt )} \\ + & $|$ & {\integer} \\ +\hline +\end{tabular} +\end{center} +\label{zarith-syntax} +\caption{Syntax of expressions in integer arithmetics} +\end{figure} + +\subsection{Notations for Peano's arithmetic (\texttt{nat})} +\index{Peano's arithmetic notations} + +After having required the module \texttt{Arith}, the user can type the +naturals using decimal notation. That is he can write \texttt{(3)} +for \texttt{(S (S (S O)))}. The number must be between parentheses. +This works also in the left hand side of a \texttt{Cases} expression +(see for example section \ref{Refine-example}). + +\section{Users' contributions} +\index{Contributions} +\label{Contributions} + +Numerous users' contributions have been collected and are available on +the WWW at the following address: \verb!pauillac.inria.fr/coq/contribs!. +On this web page, you have a list of all contributions with +informations (author, institution, quick description, etc.) and the +possibility to download them one by one. +There is a small search engine to look for keywords in all contributions. +You will also find informations on how to submit a new contribution. + +The users' contributions may also be obtained by anonymous FTP from site +\verb:ftp.inria.fr:, in directory \verb:INRIA/coq/: and +searchable on-line at + +\begin{quotation} + \texttt{http://coq.inria.fr/contribs-eng.html} +\end{quotation} + +% $Id$ + + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: t +%%% End: diff --git a/doc/RefMan-oth.tex b/doc/RefMan-oth.tex new file mode 100644 index 000000000..88f460497 --- /dev/null +++ b/doc/RefMan-oth.tex @@ -0,0 +1,613 @@ +\chapter{Vernacular commands} +\label{Vernacular-commands} +\label{Other-commands} + +\section{Displaying} + +\subsection{\tt Print {\ident}.}\comindex{Print} +This command displays on the screen informations about the declared or +defined object {\ident}. + +\begin{ErrMsgs} +\item {\ident} \errindex{not declared} +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Print Proof {\ident}.}\comindex{Print Proof}\\ +In case \ident\ corresponds to an opaque theorem defined in a section, +it is stored on a special unprintable form and displayed as +{\tt <recipe>}. {\tt Print Proof} forces the printable form of \ident\ +to be computed and displays it. +\end{Variants} + +\subsection{\tt Print All.}\comindex{Print All} +This command displays informations about the current state of the +environment, including sections and modules. + +\begin{Variants} +\item {\tt Inspect \num.}\comindex{Inspect}\\ +This command displays the {\num} last objects of the current +environment, including sections and modules. +\item {\tt Print Section {\ident}.}\comindex{Print Section}\\ +should correspond to a currently open section, this command +displays the objects defined since the beginning of this section. +\item {\tt Print.}\comindex{Print}\\ +This command displays the axioms and variables declarations in the +environment as well as the constants defined since the last variable +was introduced. +\end{Variants} + +\section{Requests to the environment} + +\subsection{\tt Check {\term}.} +\label{Check} +\comindex{Check} +This command displays the type of {\term}. When called in proof mode, +the term is checked in the local context of the current subgoal. + +\begin{Variants} +\item \texttt{Check {\num} {\term}}\\ + Displays the type of {\term} in the context of the {\num}-th + subgoal. +\end{Variants} + +\subsection{\tt Eval {\rm\sl convtactic} in {\term}.} +\comindex{Eval} + +This command performs the specified reduction on {\term}, and displays +the resulting term with its type. The term to be reduced may depend on +hypothesis introduced in the first subgoal (if a proof is in +progress). + +\begin{Variants} +\item \texttt{Eval {\num} {\rm\sl convtactic} in {\term}.}\\ + Evaluates {\term} in the context of the {\num}-th subgoal. +\end{Variants} + +\SeeAlso section~\ref{Conversion-tactics}. + +\subsection{\tt Extraction \ident.} +\label{ExtractionIdent} +\comindex{Extraction} +This command displays the \FW-term extracted from {\ident}. The name +{\ident} must refer to a defined constant or a theorem. The \FW-term +is extracted from the term defining {\ident} when {\ident} is a +defined constant, or from the proof-term when {\ident} is a +theorem. The extraction is processed according to the distinction +between {\Set} and {\Prop}; that is to say, between logical and +computational content (see section \ref{Sorts}). + +\begin{ErrMsgs} +\item \errindex{Non informative term} +\end{ErrMsgs} + +\SeeAlso chapter \ref{Extraction} + +\subsection{\tt Opaque \ident$_1$ \dots \ident$_n$.} +\comindex{Opaque}\label{Opaque} +This command forbids the unfolding of the constants \ident$_1$ \dots +\ident$_n$ by tactics using $\delta$-conversion. Unfolding a constant +is replacing it by its definition. + +By default, {\tt Theorem} and its alternatives are stamped as {\tt + Opaque}. This is to keep with the usual mathematical practice of +{\em proof irrelevance}: what matters in a mathematical development is +the sequence of lemma statements, not their actual proofs. This +distinguishes lemmas from the usual defined constants, whose actual +values are of course relevant in general. + +\SeeAlso sections \ref{Conversion-tactics}, \ref{Automatizing}, +\ref{Theorem} + +\begin{ErrMsgs} +\item \ident\ \errindex{does not exist.}\\ + There is no constant in the environment named + \ident. Nevertheless, if you asked \texttt{Opaque foo bar} + and if \texttt{bar} does not exist, \texttt{foo} is set opaque. +\end{ErrMsgs} + +\subsection{\tt Transparent \ident$_1$ \dots \ident$_n$.} +\comindex{Transparent}\label{Transparent} +This command is the converse of {\tt Opaque}. By default, {\tt + Definition} and {\tt Local} declare objects as {\tt Transparent}. + +\Warning {\tt Transparent} and \texttt{Opaque} are brutal and +not synchronous +with the reset mechanism. If a constant was transparent at point A, if +you set it opaque at point B and reset to point A, you return to state +of point A with the difference that the constant is still opaque. This +can cause changes in tactic scripts behavior. + +%TODO: expliquer le rapport avec les sections + +\begin{ErrMsgs} +\item \errindex{Can not set transparent.}\\ + It is a constant from a required module or a parameter. +\item {\ident} \errindex{does not exist.}\\ + There is no constant in the environment named + \ident. Nevertheless, if you give the command \verb|Transparent foo bar.| + and if \texttt{bar} does not exist, \texttt{foo} is set opaque. +\end{ErrMsgs} + +\SeeAlso sections \ref{Conversion-tactics}, \ref{Automatizing}, +\ref{Theorem} + +\subsection{\tt Search {\ident}.}\comindex{Search} +This command displays the name and type of all theorems of the current +context whose statement's conclusion has the form {\tt ({\ident} t1 .. + tn)}. This command is useful to remind the user of the name of +library lemmas. + +\subsection{\tt SearchIsos {\term}.}\comindex{SearchIsos} +\label{searchisos} +\texttt{SearchIsos} searches terms by their type modulo isomorphism. +This command displays the full name of all constants, variables, +inductive types, and inductive constructors of the current +context whose type is isomorphic to {\term} modulo the contextual part of the +following axiomatization (the mutual inductive types with one constructor, +without implicit arguments, and for which projections exist, are regarded as a +sequence of $\sa{}$): + +\begin{tabbing} +\ \ \ \ \=11.\ \=\kill +\>1.\>$A=B\mx{ if }A\stackrel{\bt{}\io{}}{\lra{}}B$\\ +\>2.\>$\sa{}x:A.B=\sa{}y:A.B[x\la{}y]\mx{ if }y\not\in{}FV(\sa{}x:A.B)$\\ +\>3.\>$\Pi{}x:A.B=\Pi{}y:A.B[x\la{}y]\mx{ if }y\not\in{}FV(\Pi{}x:A.B)$\\ +\>4.\>$\sa{}x:A.B=\sa{}x:B.A\mx{ if }x\not\in{}FV(A,B)$\\ +\>5.\>$\sa{}x:(\sa{}y:A.B).C=\sa{}x:A.\sa{}y:B[y\la{}x].C[x\la{}(x,y)]$\\ +\>6.\>$\Pi{}x:(\sa{}y:A.B).C=\Pi{}x:A.\Pi{}y:B[y\la{}x].C[x\la{}(x,y)]$\\ +\>7.\>$\Pi{}x:A.\sa{}y:B.C=\sa{}y:(\Pi{}x:A.B).(\Pi{}x:A.C[y\la{}(y\sm{}x)]$\\ +\>8.\>$\sa{}x:A.unit=A$\\ +\>9.\>$\sa{}x:unit.A=A[x\la{}tt]$\\ +\>10.\>$\Pi{}x:A.unit=unit$\\ +\>11.\>$\Pi{}x:unit.A=A[x\la{}tt]$ +\end{tabbing} + +For more informations about the exact working of this command, see +\cite{Del97}. + +\section{Loading files} + +\Coq\ offers the possibility of loading different +parts of a whole development stored in separate files. Their contents +will be loaded as if they were entered from the keyboard. This means +that the loaded files are ASCII files containing sequences of commands +for \Coq's toplevel. This kind of file is called a {\em script} for +\Coq\index{Script file}. The standard (and default) extension of +\Coq's script files is {\tt .v}. + +\subsection{\tt Load {\ident}.} +\comindex{Load}\label{Load} +This command loads the file named {\ident}{\tt .v}, searching +successively in each of the directories specified in the {\em + loadpath}. (see section \ref{loadpath}) + +\begin{Variants} +\item {\tt Load {\str}.}\label{Load-str}\\ + Loads the file denoted by the string {\str}, where {\str} is any + complete filename. Then the \verb.~. and {\tt ..} + abbreviations are allowed as well as shell variables. If no + extension is specified, \Coq\ will use the default extension {\tt + .v} +\item {\tt Load Verbose {\ident}.}, + {\tt Load Verbose {\str}}\\ + \comindex{Load Verbose} + Display, while loading, the answers of \Coq\ to each command + (including tactics) contained in the loaded file + \SeeAlso section \ref{Begin-Silent} +\end{Variants} + +\begin{ErrMsgs} +\item \errindex{Can't find file {\ident} on loadpath} +\end{ErrMsgs} + +\section{Compiled files}\label{compiled}\index{Compiled files} + +This feature allows to build files for a quick loading. When loaded, +the commands contained in a compiled file will not be {\em replayed}. +In particular, proofs will not be replayed. This avoids a useless +waste of time. + +\Rem A module containing an open section cannot be compiled. + +\subsection{\tt Compile Module {\ident}.} +\index{Modules} +\comindex{Compile Module} +\index{.vo files} +This command loads the file +{\ident}{\tt .v} and plays the script it contains. Declarations, +definitions and proofs it contains are {\em "packaged"} in a compiled +form: the {\em module} named {\ident}. +A file {\ident}{\tt .vo} is then created. +The file {\ident}{\tt .v} is searched according to the +current loadpath. +The {\ident}{\tt .vo} is then written in the directory where +{\ident}{\tt .v} was found. + +\begin{Variants} +\item \texttt{Compile Module {\ident} {\str}.}\\ + Uses the file {\str}{\tt .v} or {\str} if the previous one does not + exist to build the module {\ident}. In this case, {\str} is any + string giving a filename in the UNIX sense (see section + \ref{Load-str}). + \Warning The given filename can not contain other caracters than + the caracters of \Coq's identifiers : letters or digits or the + underscore symbol ``\_''. + +\item \texttt{Compile Module Specification {\ident}.}\\ + \comindex{Compile Module Specification} + Builds a specification module: only the types of terms are stored + in the module. The bodies (the proofs) are {\em not} written + in the module. In that case, the file created is {\ident}{\tt .vi}. + This is only useful when proof terms take too much place in memory + and are not necessary. + +\item \texttt{Compile Verbose Module {\ident}.}\\ + \comindex{Compile Verbose Module} + Verbose version of Compile: shows the contents of the file being + compiled. +\end{Variants} + +These different variants can be combined. + + +\begin{ErrMsgs} +\item \texttt{You cannot open a module when there are things other than}\\ + \texttt{Modules and Imports in the context.}\\ + The only commands allowed before a {Compile Module} command are {\tt + Require},\\ + {\tt Read Module} and {\tt Import}. Actually, The normal way to + compile modules is by the {\tt coqc} command (see chapter + \ref{Addoc-coqc}). +\end{ErrMsgs} + +\SeeAlso sections \ref{Opaque}, \ref{loadpath}, chapter +\ref{Addoc-coqc} + +\subsection{\tt Read Module {\ident}.}\comindex{Read Module} +Loads the module stored in the file {\ident}, but does not open it: +its contents is invisible to the user. The implementation file +({\ident}{\tt.vo}) is searched first, then the specification file +({\ident}{\tt.vi}) in case of failure. + +\subsection{\tt Require {\ident}.} +\comindex{Require} +\label{Require} +This command loads and opens (imports) the module stored in the file +{\ident}. The implementation file ({\ident}{\tt .vo}) is searched first, +then the specification file ({\ident}{\tt .vi}) in case of failure. +If the module required has already been loaded, \Coq\ +simply opens it (as {\tt Import {\ident}} would do it). +If the module required is already loaded and open, \Coq\ +displays the following warning: {\tt {\ident} already imported}. + +If a module {\it A} contains a command {\tt Require} {\it B} then the +command {\tt Require} {\it A} loads the module {\it B} but does not +open it (See the {\tt Require Export} variant below). + +\begin{Variants} +\item {\tt Require Export {\ident}.}\\ + \comindex{Require Export} + This command acts as {\tt Require} {\ident}. But if a module {\it + A} contains a command {\tt Require Export} {\it B}, then the + command {\tt Require} {\it A} opens the module {\it B} as if the + user would have typed {\tt Require}{\it B}. +\item {\tt Require $[$ Implementation $|$ Specification $]$ {\ident}.}\\ + \comindex{Require Implementation} + \comindex{Require Specification} + Is the same as {\tt Require}, but specifying explicitly the + implementation ({\tt.vo} file) or the specification ({\tt.vi} + file). +\item {\tt Require {\ident} {\str}.}\\ + Specifies the file to load as being {\str}, instead of + {\ident}. The opened module is still {\ident} and therefore + must have been loaded. +\item {\tt Require {\ident} {\str}.}\\ + Specifies the file to load as being {\str}, instead of + {\ident}. The opened module is still {\ident}. +\end{Variants} + +These different variants can be combined. + +\begin{ErrMsgs} +\item \errindex{Can't find module toto on loadpath}\\ + The command did not find the file {\tt toto.vo}. Either {\tt + toto.v} exists but is not compiled or {\tt toto.vo} is in a directory + which is not in your {\tt LoadPath} (see section \ref{loadpath}). +\item \errindex{Bad magic number}\\ + \index{Bad-magic-number@{\tt Bad Magic Number}} + The file {\tt{\ident}.vo} was found but either it is not a \Coq\ + compiled module, or it was compiled with an older and incompatible + version of \Coq. +\end{ErrMsgs} + +\SeeAlso chapter \ref{Addoc-coqc} + +\subsection{\tt Print Modules.} +\comindex{Print Modules} +This command shows the currently loaded and currently opened +(imported) modules. + +\subsection{\tt Declare ML Module {\str$_1$} .. {\str$_n$}.} +\comindex{Declare ML Module} +This commands loads the Objective Caml compiled files {\str$_1$} \dots +{\str$_n$} (dynamic link). It is mainly used to load tactics +dynamically (see chapter \ref{WritingTactics}). The files are +searched into the current Objective Caml loadpath (see the command {\tt +Add ML Path} in the section \ref{loadpath}). Loading of Objective Caml +files is only possible under the bytecode version of {\tt coqtop} +(i.e. not using options {\tt -opt} or {\tt -full} -- see chapter +\ref{Addoc-coqc}). + +\subsection{\tt Print ML Modules.}\comindex{Print ML Modules} +This print the name of all \ocaml modules loaded with \texttt{Declare + ML Module}. To know from where these module were loaded, the user +should use the command \texttt{Locate File} (\pageref{Locate File}) + +\section{Loadpath} +\label{loadpath}\index{Loadpath} + +There are currently two loadpaths in \Coq. A loadpath where seeking +{\Coq} files (extensions {\tt .v} or {\tt .vo} or {\tt .vi}) and one where +seeking Objective Caml files. The default loadpath contains the +directory ``\texttt{.}'' denoting the current directory, so there also +commands to print and change the current working directory. + +\subsection{\tt Pwd.}\comindex{Pwd}\label{Pwd} +This command displays the current working directory. + +\subsection{\tt Cd {\str}.}\comindex{Cd} +This command changes the current directory according to {\str} +which can be any valid path. + +\begin{Variants} +\item {\tt Cd.}\\ + Is equivalent to {\tt Pwd.} +\end{Variants} + +\subsection{\tt AddPath {\str}.}\comindex{AddPath} +This command adds the path {\str} to the current \Coq\ loadpath. + +\subsection{\tt AddRecPath {\str}.}\comindex{AddRecPath} +This command adds the directory {\str} and all its subdirectories +to the current \Coq\ loadpath. + +\subsection{\tt DelPath {\str}.}\comindex{DelPath} +This command removes the path {\str} from the current \Coq\ loadpath. + +\subsection{\tt Print LoadPath.}\comindex{Print LoadPath} +This command displays the current \Coq\ loadpath. + +\subsection{\tt Add ML Path {\str}.}\comindex{Add ML Path} +This command adds the path {\str} to the current Objective Caml loadpath (see +the command {\tt Declare ML Module} in the section \ref{compiled}). + +\subsection{\tt Add Rec ML Path {\str}.}\comindex{Add Rec ML Path} +This command adds the directory {\str} and all its subdirectories +to the current Objective Caml loadpath (see +the command {\tt Declare ML Module} in the section \ref{compiled}). + +\subsection{\tt Print ML Path {\str}.}\comindex{Print ML Path} +This command displays the current Objective Caml loadpath. +This command makes sense only under the bytecode version of {\tt +oqtop}, i.e. not using {\tt -opt} or {\tt -full} options (see the +command {\tt Declare ML Module} in the section +\ref{compiled}). + +\subsection{\tt Locate File {\str}.}\comindex{Locate + File}\label{Locate File} +This command displays the location of file {\str} in the current loadpath. +Typically, {\str} is a \texttt{.cmo} or \texttt{.vo} or \texttt{.v} file. + +\subsection{\tt Locate Library {\ident}.} +\comindex{Locate Library} +This command displays the location of the \Coq\ module {\ident} in the current +loadpath. Is is equivalent to {\tt Locate File "}{\ident}{\tt .vo".} + +\subsection{\tt Locate {\ident}.}\comindex{Locate} +This command displays the full name of the identifier {\ident} +and consequently the \Coq\ module in which it is defined. + +\section{States and Reset} + +\subsection{\tt Reset \ident.} +\comindex{Reset} +This command removes all the objects in the environment since \ident\ +was introduced, including \ident. \ident\ may be the name of a defined +or declared object as well as the name of a section. One cannot reset +over the name of a module or of an object inside a module. + +\begin{ErrMsgs} +\item \errindex{cannot reset to a nonexistent object} +\end{ErrMsgs} + +\subsection{\tt Save State \ident.} +\comindex{Save State} +Saves the current state of the development (mainly the defined +objects) such that one can go back at this point if necessary. + +\begin{Variants} +\item {\tt Save State \ident\ \str.} \\ + Associates to the state of name {\tt ident} the string {\str} as a + comment. +\end{Variants} + +\subsection{\tt Print States.} +\comindex{Print States} + +Prints the names of the currently saved states with the associated +comment. The state {\tt Initial} is automatically built by the system +and can not be removed. + +\subsection{\tt Restore State \ident.} +\comindex{Restore State} +Restores the set of known objects in the state {\ident}. + +\begin{Variants} +\item {\tt Reset Initial.}\comindex{Reset Initial}\\ + Is equivalent to {\tt Restore State Initial} and goes back to the + initial state (like after the command {\tt coqtop}). +\end{Variants} + +\subsection{\tt Remove State \ident.} +\comindex{Remove State} +Remove the state \ident\ from the states list. + +\subsection{\tt Write States \str.} +\comindex{Write States} +Writes the current list of states into a UNIX file \str{\tt .coq} for +use in a further session. This file can be given as the {\tt + inputstate} argument of the commands {\tt coqtop} and {\tt coqc}. A +command {\tt Restore State \ident} is necessary afterwards to choose +explicitly which state to use (the default is to use the last saved state). + +\begin{Variants} +\item {\tt Write States \ident} The suffix \texttt{.coq} is implicit, + and the state is saved in the current directory (see \pageref{Pwd}). +\end{Variants} + +\section{Syntax facilities} + +We present quickly in this section some syntactic facilities. +We will only sketch them here and refer the +interested reader to chapter \ref{Addoc-syntax} for more details and +examples. + +\subsection{\tt Implicit Arguments $[$ On $|$ Off $]$.} +\comindex{Implicit Arguments On} +\comindex{Implicit Arguments Off} + +These commands sets and unsets the implicit argument mode. This mode +forces not explicitly give some arguments (typically type arguments in +polymorphic functions) which are deductible from the other arguments. + +\SeeAlso section \ref{Auto-implicit} + +\subsection{\tt Syntactic Definition {\ident} := \term.} +\comindex{Syntactic Definition} +\ttindex{?} +This command defines {\ident} as an +abbreviation with implicit arguments. Implicit arguments are denoted +in {\term} by {\tt ?} and they will have to be synthesized by the +system. + +\Rem Since it may contain don't care variables {\tt ?}, the argument +{\term} cannot be typechecked at +definition time. But each of its subsequent usages will be. + +\SeeAlso section \ref{Syntactic-Definition} + + +\subsection{\tt Syntax {\ident} {\rm\sl syntax-rules}.} +\comindex{Syntax}\index{Pretty printing} +This command addresses the extensible +pretty-printing mechanism of \Coq. It allows {\ident$_2$} to be +pretty-printed as specified in {\rm\sl syntax-rules}. Many examples +of the {\tt Syntax} command usage may be found in the {\tt + PreludeSyntax} file (see directory {\tt \$COQLIB/theories/INIT}). + +\SeeAlso chapter \ref{Addoc-syntax} + +\subsection{\tt Grammar \ident$_1$ \ident$_2$ := {\rm\sl + grammar-rule}.} +\comindex{Grammar}\index{Extensive grammars} +This command allows to give explicitly new grammar rules for parsing +the user's own notation. It may be used instead of the {\tt Syntactic +Definition} pragma. It can also be used by an advanced \Coq's user +who programs his own tactics. + +\SeeAlso chapters \ref{Addoc-syntax}, +\ref{WritingTactics} + +\subsection{\tt{Infix} {\num} {\str} {\ident}.}\comindex{Infix} + +This command declares a prefix operator {\ident} as infix, with the +syntax {\term} {\str} {\term}. {\num} is the precedence associated to +the operator; it must lie between 1 and 10. The infix operator \str\ +associates to the left. {\str} must be a legal token. Both grammar +and pretty-print rules are automatically generated for {\str}. + +\begin{Variants} +\item \texttt{Infix {\rm\sl assoc} {\num} {\str} {\ident}.} \\ + Declares {\ident} as an infix operator with an alternate + associativity. {\rm\sl assoc} may be one of {\tt LEFTA}, {\tt + RIGHTA} and {\tt NONA}. The default is {\tt LEFTA}. When an + associativity is given, the precedence level must lie between 6 and + 9. +\end{Variants} + +% Distfix not documented. + +\section{Miscellaneous} + +\subsection{\tt Quit.}\comindex{Quit} +This command permits to quit \Coq. + +\subsection{\tt Drop.}\comindex{Drop}\label{Drop} + +This is used mostly as a debug facility by \Coq's implementors +and does not concern the casual user. +This command permits to leave {\Coq} temporarily and enter the +Objective Caml toplevel. The Objective Caml command: + +\begin{flushleft} +\begin{verbatim} +#use "include.ml";; +\end{verbatim} +\end{flushleft} + +\noindent add the right loadpaths and loads some toplevel printers for +all abstract types of \Coq - section\_path, identfifiers, terms, judgements, +\dots. You can also use the file \texttt{base\_include.ml} instead, +that loads only the pretty-printers for section\_paths and +identfifiers. See section \ref{test-and-debug} more information on the +usage of the toplevel. You can return back to \Coq{} with the command: + +\begin{flushleft} +\begin{verbatim} +go();; +\end{verbatim} +\end{flushleft} + +\begin{Warnings} +\item It only works if the bytecode version of {\Coq} was +invoked. It does not work if {\Coq} was invoked with the option +{\tt -opt} or {\tt -full} (see \pageref{binary-images}). +\item You must have downloaded the \emph{source code} of \Coq{} (not the + binary distribution), to have compiled \Coq{} and to set the + environment variable \texttt{COQTOP} to the right value (see + \ref{EnvVariables}) +\end{Warnings} + +\subsection{\tt Begin Silent.} +\comindex{Begin Silent} +\label{Begin-Silent} +\index{Silent mode} +This command turns off the normal displaying. + +\subsection{\tt End Silent.}\comindex{End Silent} +This command turns the normal display on. + +\subsection{\tt Time.}\comindex{Time} +\label{time} +This commands turns on the Time Search Display mode. The Time Search Display +mode shows the user and system times for the {\tt SearchIsos} requests. + +\subsection{\tt Untime.}\comindex{Untime} +This commands turns off the Time Search Display mode (see section~\ref{time}). + +%\subsection{\tt Explain ...} +%Not yet documented. + +%\subsection{\tt Go ...} +%Not yet documented. + +%\subsection{\tt Abstraction ...} +%Not yet documented. + +% $Id$ + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/RefMan-pre.tex b/doc/RefMan-pre.tex new file mode 100755 index 000000000..36346b88c --- /dev/null +++ b/doc/RefMan-pre.tex @@ -0,0 +1,293 @@ +\setheaders{Credits} +\chapter*{Credits} +%\addcontentsline{toc}{section}{Credits} + +{\Coq} is a proof assistant for higher-order logic, allowing the +development of computer programs consistent with their formal +specification. It is the result of about ten years of research of the +Coq project. We shall briefly survey here three main aspects: the +{\sl logical language} in which we write our axiomatizations and +specifications, the {\sl proof assistant} which allows the development +of verified mathematical proofs, and the {\sl program extractor} which +synthesizes computer programs obeying their formal specifications, +written as logical assertions in the language. + +The logical language used by {\Coq} is a variety of type theory, +called the {\sl Calculus of Inductive Constructions}. Without going +back to Leibniz and Boole, we can date the creation of what is now +called mathematical logic to the work of Frege and Peano at the turn +of the century. The discovery of antinomies in the free use of +predicates or comprehension principles prompted Russell to restrict +predicate calculus with a stratification of {\sl types}. This effort +culminated with {\sl Principia Mathematica}, the first systematic +attempt at a formal foundation of mathematics. A simplification of +this system along the lines of simply typed $\lambda$-calculus +occurred with Church's {\sl Simple Theory of Types}. The +$\lambda$-calculus notation, originally used for expressing +functionality, could also be used as an encoding of natural deduction +proofs. This Curry-Howard isomorphism was used by N. de Bruijn in the +{\sl Automath} project, the first full-scale attempt to develop and +mechanically verify mathematical proofs. This effort culminated with +Jutting's verification of Landau's {\sl Grundlagen} in the 1970's. +Exploiting this Curry-Howard isomorphism, notable achievements in +proof theory saw the emergence of two type-theoretic frameworks; the +first one, Martin-L\"of's {\sl Intuitionistic Theory of Types}, +attempts a new foundation of mathematics on constructive principles. +The second one, Girard's polymorphic $\lambda$-calculus $F_\omega$, is +a very strong functional system in which we may represent higher-order +logic proof structures. Combining both systems in a higher-order +extension of the Automath languages, T. Coquand presented in 1985 the +first version of the {\sl Calculus of Constructions}, CoC. This strong +logical system allowed powerful axiomatizations, but direct inductive +definitions were not possible, and inductive notions had to be defined +indirectly through functional encodings, which introduced +inefficiencies and awkwardness. The formalism was extended in 1989 by +T. Coquand and C. Paulin with primitive inductive definitions, leading +to the current {\sl Calculus of Inductive Constructions}. This +extended formalism is not rigorously defined here. Rather, numerous +concrete examples are discussed. We refer the interested reader to +relevant research papers for more information about the formalism, its +meta-theoretic properties, and semantics. However, it should not be +necessary to understand this theoretical material in order to write +specifications. It is possible to understand the Calculus of Inductive +Constructions at a higher level, as a mixture of predicate calculus, +inductive predicate definitions presented as typed PROLOG, and +recursive function definitions close to the language ML. + +Automated theorem-proving was pioneered in the 1960's by Davis and +Putnam in propositional calculus. A complete mechanization (in the +sense of a semi-decision procedure) of classical first-order logic was +proposed in 1965 by J.A. Robinson, with a single uniform inference +rule called {\sl resolution}. Resolution relies on solving equations +in free algebras (i.e. term structures), using the {\sl unification + algorithm}. Many refinements of resolution were studied in the +1970's, but few convincing implementations were realized, except of +course that PROLOG is in some sense issued from this effort. A less +ambitious approach to proof development is computer-aided +proof-checking. The most notable proof-checkers developed in the +1970's were LCF, designed by R. Milner and his colleagues at U. +Edinburgh, specialized in proving properties about denotational +semantics recursion equations, and the Boyer and Moore theorem-prover, +an automation of primitive recursion over inductive data types. While +the Boyer-Moore theorem-prover attempted to synthesize proofs by a +combination of automated methods, LCF constructed its proofs through +the programming of {\sl tactics}, written in a high-level functional +meta-language, ML. + +The salient feature which clearly distinguishes our proof assistant +from say LCF or Boyer and Moore's, is its possibility to extract +programs from the constructive contents of proofs. This computational +interpretation of proof objects, in the tradition of Bishop's +constructive mathematics, is based on a realizability interpretation, +in the sense of Kleene, due to C. Paulin. The user must just mark his +intention by separating in the logical statements the assertions +stating the existence of a computational object from the logical +assertions which specify its properties, but which may be considered +as just comments in the corresponding program. Given this information, +the system automatically extracts a functional term from a consistency +proof of its specifications. This functional term may be in turn +compiled into an actual computer program. This methodology of +extracting programs from proofs is a revolutionary paradigm for +software engineering. Program synthesis has long been a theme of +research in artificial intelligence, pioneered by R. Waldinger. The +Tablog system of Z. Manna and R. Waldinger allows the deductive +synthesis of functional programs from proofs in tableau form of their +specifications, written in a variety of first-order logic. Development +of a systematic {\sl programming logic}, based on extensions of +Martin-L\"of's type theory, was undertaken at Cornell U. by the Nuprl +team, headed by R. Constable. The first actual program extractor, PX, +was designed and implemented around 1985 by S. Hayashi from Kyoto +University. It allows the extraction of a LISP program from a proof +in a logical system inspired by the logical formalisms of S. Feferman. +Interest in this methodology is growing in the theoretical computer +science community. We can foresee the day when actual computer systems +used in applications will contain certified modules, automatically +generated from a consistency proof of their formal specifications. We +are however still far from being able to use this methodology in a +smooth interaction with the standard tools from software engineering, +i.e. compilers, linkers, run-time systems taking advantage of special +hardware, debuggers, and the like. We hope that {\Coq} can be of use +to researchers interested in experimenting with this new methodology. + +A first implementation of CoC was started in 1984 by G. Huet and T. +Coquand. Its implementation language was CAML, a functional +programming language from the ML family designed at INRIA in +Rocquencourt. The core of this system was a proof-checker for CoC seen +as a typed $\lambda$-calculus, called the {\sl Constructive Engine}. +This engine was operated through a high-level notation permitting the +declaration of axioms and parameters, the definition of mathematical +types and objects, and the explicit construction of proof objects +encoded as $\lambda$-terms. A section mechanism, designed and +implemented by G. Dowek, allowed hierarchical developments of +mathematical theories. This high-level language was called the {\sl + Mathematical Vernacular}. Furthermore, an interactive {\sl Theorem + Prover} permitted the incremental construction of proof trees in a +top-down manner, subgoaling recursively and backtracking from +dead-alleys. The theorem prover executed tactics written in CAML, in +the LCF fashion. A basic set of tactics was predefined, which the +user could extend by his own specific tactics. This system (Version +4.10) was released in 1989. Then, the system was extended to deal +with the new calculus with inductive types by C. Paulin, with +corresponding new tactics for proofs by induction. A new standard set +of tactics was streamlined, and the vernacular extended for tactics +execution. A package to compile programs extracted from proofs to +actual computer programs in CAML or some other functional language was +designed and implemented by B. Werner. A new user-interface, relying +on a CAML-X interface by D. de Rauglaudre, was designed and +implemented by A. Felty. It allowed operation of the theorem-prover +through the manipulation of windows, menus, mouse-sensitive buttons, +and other widgets. This system (Version 5.6) was released in 1991. + +Coq was ported to the new implementation Caml-light of X. Leroy and D. +Doligez by D. de Rauglaudre (Version 5.7) in 1992. A new version of +Coq was then coordinated by C. Murthy, with new tools designed by C. +Parent to prove properties of ML programs (this methodology is dual to +program extraction) and a new user-interaction loop. This system +(Version 5.8) was released in May 1993. A Centaur interface CTCoq was +then developed by Y. Bertot from the Croap project from +INRIA-Sophia-Antipolis. + +In parallel, G. Dowek and H. Herbelin developed a new proof engine, +allowing the general manipulation of existential variables +consistently with dependent types in an experimental version of Coq +(V5.9). + +The version V5.10 of Coq is based on a generic system for +manipulating terms with binding operators due to Chet Murthy. A new +proof engine allows the parallel development of partial proofs for +independent subgoals. The structure of these proof trees is a mixed +representation of derivation trees for the Calculus of Inductive +Constructions with abstract syntax trees for the tactics scripts, +allowing the navigation in a proof at various levels of details. The +proof engine allows generic environment items managed in an +object-oriented way. This new architecture, due to C. Murthy, +supports several new facilities which make the system easier to extend +and to scale up: + +\begin{itemize} +\item User-programmable tactics are allowed +\item It is possible to separately verify development modules, and to + load their compiled images without verifying them again - a quick + relocation process allows their fast loading +\item A generic parsing scheme allows user-definable notations, with a + symmetric table-driven pretty-printer +\item Syntactic definitions allow convenient abbreviations +\item A limited facility of meta-variables allows the automatic + synthesis of certain type expressions, allowing generic notations + for e.g. equality, pairing, and existential quantification. +\end{itemize} + +In the Fall of 1994, C. Paulin-Mohring replaced the structure of +inductively defined types and families by a new structure, allowing +the mutually recursive definitions. P. Manoury implemented a +translation of recursive definitions into the primitive recursive +style imposed by the internal recursion operators, in the style of the +ProPre system. C. Mu{\~n}oz implemented a decision procedure for +intuitionistic propositional logic, based on results of R. Dyckhoff. +J.C. Filli{\^a}tre implemented a decision procedure for first-order +logic without contraction, based on results of J. Ketonen and R. +Weyhrauch. Finally C. Murthy implemented a library of inversion +tactics, relieving the user from tedious definitions of ``inversion +predicates''. + +\begin{flushright} +Rocquencourt, Feb. 1st 1995\\ +Gérard Huet +\end{flushright} + +\section*{Credits: addendum for version 6.1} +%\addcontentsline{toc}{section}{Credits: addendum for version V6.1} + +The present version 6.1 of Coq is based on the V5.10 architecture. It +was ported to the new language Objective Caml by Bruno Barras. The +underlying framework has slightly changed and allows more conversions +between sorts. + +The new version provides powerful tools for easier developments. + +Cristina Cornes designed an extension of the Coq syntax to allow +definition of terms using a powerful pattern-matching analysis in the +style of ML programs. + +Amokrane Saïbi wrote a mechanism to simulate +inheritance between types families extending a proposal by Peter +Aczel. He also developed a mechanism to automatically compute which +arguments of a constant may be inferred by the system and consequently +do not need to be explicitly written. + +Yann Coscoy designed a command which explains a proof term using +natural language. Pierre Cr{\'e}gut built a new tactic which solves +problems in quantifier-free Presburger Arithmetic. Both +functionalities have been integrated to the Coq system by Hugo +Herbelin. + +Samuel Boutin designed a tactic for simplification of commutative +rings using a canonical set of rewriting rules and equality modulo +associativity and commutativity. + +Finally the organisation of the \Coq\ distribution has been supervised +by Jean-Christophe Filliâtre with the help of Judicaël Courant +and Bruno Barras. + +\begin{flushright} +Lyon, Nov. 18th 1996\\ +Christine Paulin +\end{flushright} +\newpage + +\section*{Credits: addendum for version 6.2} +%\addcontentsline{toc}{section}{Credits: addendum for version V6.2} + +In version 6.2 of Coq, the parsing is done using camlp4, a +preprocessor and pretty-printer for CAML designed by Daniel de +Rauglaudre at INRIA. Daniel de Rauglaudre made the first adaptation +of Coq for camlp4, this work was continued by Bruno Barras who also +changed the structure of Coq abstract syntax trees and the primitives +to manipulate them. The result of +these changes is a faster parsing procedure with greatly improved +syntax-error messages. The user-interface to introduce grammar or +pretty-printing rules has also changed. + +Eduardo Giménez redesigned the internal +tactic libraries, giving uniform names +to Caml functions corresponding to Coq tactic names. + +Bruno Barras wrote new more efficient reductions functions. + +Hugo Herbelin introduced more uniform notations in the Coq +specification language : the +definitions by fixpoints and pattern-matching have a more readable +syntax. +Patrick Loiseleur introduced user-friendly notations for arithmetic +expressions. + +New tactics were introduced: Eduardo Giménez improved a mechanism to +introduce macros for tactics, and designed special tactics for +(co)inductive definitions; Patrick Loiseleur designed a tactic to +simplify polynomial expressions in an arbitrary commutative ring which +generalizes the previous tactic implemented by Samuel Boutin. +Jean-Christophe Filli\^atre introduced a tactic for refining a goal, +using a proof term with holes as a proof scheme. + +David Delahaye designed the \textsf{SearchIsos} tool to search an +object in the library given its type (up to isomorphism). + +Henri Laulhère produced the Coq distribution for the Windows environment. + +Finally, Hugo Herbelin was the main coordinator of the Coq documentation with +principal contributions by Bruno Barras, David Delahaye, +Jean-Christophe Filli\^atre, Eduardo +Giménez, Hugo Herbelin and Patrick Loiseleur. + +\begin{flushright} +Orsay, May 4th 1998\\ +Christine Paulin +\end{flushright} + +% $Id$ + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: + diff --git a/doc/RefMan-pro.tex b/doc/RefMan-pro.tex new file mode 100755 index 000000000..c9bc4e4d9 --- /dev/null +++ b/doc/RefMan-pro.tex @@ -0,0 +1,291 @@ +\chapter{Proof handling} +\index{Proof editing} +\label{Proof-handling} + +In \Coq's proof editing mode all top-level commands documented in +chapter \ref{Vernacular-commands} remain available +and the user has access to specialized commands dealing with proof +development pragmas documented in this section. He can also use some +other specialized commands called {\em tactics}. They are the very +tools allowing the user to deal with logical reasoning. They are +documented in chapter \ref{Tactics}.\\ +When switching in editing proof mode, the prompt +\index{Prompt} +{\tt Coq <} is changed into {\tt {\ident} <} where {\ident} is the +declared name of the theorem currently edited. + +At each stage of a proof development, one has a list of goals to +prove. Initially, the list consists only in the theorem itself. After +having applied some tactics, the list of goals contains the subgoals +generated by the tactics. + +To each subgoal is associated a number of +hypotheses we call the {\em \index*{local context}} of the goal. +Initially, the local context is empty. It is enriched by the use of +certain tactics (see mainly section \ref{Intro}). + +When a proof is achieved the message {\tt Subtree proved!} is +displayed. One can then store this proof as a defined constant in the +environment. Because there exists a correspondence between proofs and +terms of $\lambda$-calculus, known as the {\em Curry-Howard +isomorphism} \cite{How80,Bar91,Gir89,Hue89}, \Coq~ stores proofs as +terms of {\sc Cic}. Those terms are called {\em proof + terms}\index{Proof term}. + +It is possible to edit several proofs at the same time: see section +\ref{Resume} + +\ErrMsg When one attempts to use a proof editing command out of the +proof editing mode, \Coq~ raises the error message : {\tt No focused + proof}. + +\section{Switching on/off the proof editing mode} + +\subsection{\tt Goal {\form}.} +\comindex{Goal}\label{Goal} +This command switches \Coq~ to editing proof mode and sets {\form} as +the original goal. It associates the name {\tt Unnamed\_thm} to +that goal. + +\begin{ErrMsgs} +\item \errindex{Proof objects can only be abstracted} +\item \errindex{A goal should be a type} +\item \errindex{repeated goal not permitted in refining mode} +\end{ErrMsgs} + +\SeeAlso section \ref{Theorem} + +\subsection{\tt Qed.}\comindex{Qed}\label{Qed} +This command is available in interactive editing proof mode when the +proof is completed. Then {\tt Qed} extracts a proof term from the +proof script, switches back to {\Coq} top-level and attaches the +extracted proof term to the declared name of the original goal. This +name is added to the environment as an {\tt Opaque} constant. + +\begin{ErrMsgs} +\item \errindex{Attempt to save an incomplete proof} +\item \errindex{Clash with previous constant ...}\\ + The implicit name is already defined. You have then to provide + explicitly a new name (see variant 2 below). +\item Sometimes an error occurs when building the proof term, +because tactics do not enforce completely the term construction +constraints. + +The user should also be aware of the fact that since the proof term is +completely rechecked at this point, one may have to wait a while when +the proof is large. In some exceptional cases one may even incur a +memory overflow. +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Save.}\comindex{Save}\ + Is equivalent to {\tt Qed}. +\item {\tt Save {\ident}.}\\ + Forces the name of the original goal to be {\ident}. +\item {\tt Save Theorem {\ident}.} \\ + Is equivalent to {\tt Save {\ident}.} +\item {\tt Save Remark {\ident}.}\\ + Defines the proved term as a local constant that will not exist + anymore after the end of the current section. +\item {\tt Defined.}\comindex{Defined} \label{Defined} \\ + Defines the proved term as a transparent constant. +\end{Variants} + +\subsection{\tt Theorem {\ident} : {\form}.}\comindex{Theorem}\label{Theorem} +This command switches to interactive editing proof mode and declares +{\ident} as being the name of the original goal {\form}. When declared +as a {\tt Theorem}, the name {\ident} is known at all section levels: +{\tt Theorem} is a {\sl global} lemma. + +\ErrMsg (see section \ref{Goal}) + +\begin{Variants} +\item {\tt Lemma {\ident} : {\form}.}\comindex{Lemma}\\ + It is equivalent to {\tt Theorem {\ident} : {\form}.} +\item {\tt Remark {\ident} : {\form}.}\comindex{Remark}\\ + Analogous to {\tt Theorem} except that {\ident} will be unknown + after closing the current section. All proofs of persistent objects + (such as theorems) referring to {\ident} within the section will be + replaced by the proof of {\ident}. +\item {\tt Fact {\ident} : {\form}.}\comindex{Fact}\\ + Analogous to {\tt Theorem} except that {\ident} is known after + closing the current section but + will be unknown after closing the section which is above the current section. +\item {\tt Definition {\ident} : {\form}.} +\comindex{Definition}\\ + Analogous to {\tt Theorem}, intended to be used in conjunction with + {\tt Defined} (see \ref{Defined}) in order to define a + transparent constant. +\end{Variants} + +\subsection{\tt Proof {\term}.}\comindex{Proof} +This command applies in proof editing mode. It is equivalent to {\tt + Exact {\term}; Save.} That is, you have to give the full proof in +one gulp, as a proof term (see section \ref{Exact}). + +\begin{Variants} +\item{\tt Proof.} is a noop which is useful to delimit the sequence of +tactic commands which start a proof, after a {\tt Theorem} command. +It is a good practice to use {\tt Proof.} as an opening parenthesis, +closed in the script with a closing {\tt Qed.} +\end{Variants} + +\subsection{\tt Abort.}\comindex{Abort} +This command cancels the current proof development, switching back to +the previous proof development, or to the \Coq\ toplevel if no other +proof was edited. + +\begin{ErrMsgs} +\item \errindex{No focused proof}\texttt{ (No proof-editing in progress)} +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Abort {\ident}.}\\ + Aborts the editing of the proof named {\ident}. +\item {\tt Abort All.}\\ + Aborts all current goals, switching back to the \Coq\ toplevel. +\end{Variants} + +\subsection{\tt Suspend.}\comindex{Suspend} +This command applies in proof editing mode. It switches back to the +\Coq\ toplevel, but without canceling the current proofs. + +\subsection{\tt Resume.} +\comindex{Resume}\label{Resume} +This commands switches back to the editing of the last edited proof. + +\begin{ErrMsgs} +\item \errindex{No proof-editing in progress} +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Resume {\ident}.}\\ + Restarts the editing of the proof named {\ident}. This can be used + to navigate between currently edited proofs. +\end{Variants} + +\begin{ErrMsgs} +\item \errindex{No such proof} +\end{ErrMsgs} + +\section{Navigation in the proof tree} + +\subsection{\tt Undo.}\comindex{Undo} +This command cancels the effect of the last tactic command. Thus, it +backtracks one step. + +\begin{ErrMsgs} +\item \errindex{No focused proof (No proof-editing in progress)} +\item \errindex{Undo stack would be exhausted} +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Undo {\num}.}\\ + Repeats {\tt Undo} {\num} times. +\end{Variants} + +\subsection{\tt Set Undo {\num}.}\comindex{Set Undo} +This command changes the maximum number of {\tt Undo}'s that will be +possible when doing a proof. It only affects proofs started after +this command, such that if you want to change the current undo limit +inside a proof, you should first restart this proof. + +\subsection{\tt Unset Undo.}\comindex{Unset Undo} +This command resets the default number of possible {\tt Undo} commands +(which is currently 12). + +\subsection{\tt Restart.}\comindex{Restart} +This command restores the proof editing process to the original goal. + +\begin{ErrMsgs} +\item \errindex{No focused proof to restart} +\end{ErrMsgs} + +\subsection{\tt Focus.}\comindex{Focus} +Will focus the attention on the first subgoal to prove, the remaining +subgoals will no more be printed after the application of a tactic. +This is useful when there are many current subgoals which clutter your +screen. + +\subsection{\tt Unfocus.}\comindex{Unfocus} +Turns off the focus mode. + + +\section{Displaying information} + +\subsection{\tt Show.}\comindex{Show}\label{Show} +This command displays the current goals. + +\begin{Variants} +\item {\tt Show {\num}.}\\ + Displays only the {\num}-th subgoal.\\ +\begin{ErrMsgs} +\errindex{No such goal} +\errindex{No focused proof} +\end{ErrMsgs} + +\item {\tt Show Implicits.}\comindex{Show Implicits}\\ + Displays the current goals, printing the implicit arguments of + constants. + +\item {\tt Show Implicits {\num}.}\\ + Same as above, only displaying the {\num}-th subgoal. + +\item {\tt Show Script.}\comindex{Show Script}\\ + Displays the whole list of tactics applied from the beginning + of the current proof. + This tactics script may contain some holes (subgoals not yet proved). + They are printed as \verb!<Your Tactic Text here>!. + +\item {\tt Show Tree.}\comindex{Show Tree}\\ +This command can be seen as a more structured way of +displaying the state of the proof than that +provided by {\tt Show Script}. Instead of just giving +the list of tactics that have been applied, it +shows the derivation tree constructed by then. +Each node of the tree contains the conclusion +of the corresponding sub-derivation (i.e. a +goal with its corresponding local context) and +the tactic that has generated all the +sub-derivations. The leaves of this tree are +the goals which still remain to be proved. + +%\item {\tt Show Node}\comindex{Show Node}\\ +% Not yet documented + +\item {\tt Show Proof.}\comindex{Show Proof}\\ +It displays the proof term generated by the +tactics that have been applied. +If the proof is not completed, this term contain holes, +which correspond to the sub-terms which are still to be +constructed. These holes appear as a question mark indexed +by an integer, and applied to the list of variables in +the context, since it may depend on them. +The types obtained by abstracting away the context from the +type of each hole-placer are also printed. + +\item {\tt Show Conjectures.}\comindex{Show Conjectures}\\ +It prints the list of the names of all the theorems that +are currently being proved. +As it is possible to start proving a previous lemma during +the proof of a theorem, this list may contain several +names. +\end{Variants} + +\subsection{\tt Set Hyps\_limit {\num}.} +\comindex{Set Hyps\_limit} +This command sets the maximum number of hypotheses displayed in +goals after the application of a tactic. +All the hypotheses remains usable in the proof development. + +\subsection{\tt Unset Hyps\_limit.} +\comindex{Unset Hyps\_limit} +This command goes back to the default mode which is to print all +available hypotheses. + +% $Id$ + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/RefMan-syn.tex b/doc/RefMan-syn.tex new file mode 100755 index 000000000..9b79c5c57 --- /dev/null +++ b/doc/RefMan-syn.tex @@ -0,0 +1,1716 @@ +\chapter{Syntax extensions} +\label{Addoc-syntax} + +In this chapter, we introduce advanced commands to modify the way +{\Coq} parses and prints objects, i.e. the translations between the +concrete and internal representations of terms and commands. As in +most compilers, there is an intermediate structure called {\em Abstract +Syntax Tree} (AST). Parsing a term is done in two steps\footnote{ + We omit the lexing step, which simply translates a character stream + into a token stream. If this translation fails, this is a + \emph{Lexical error}. +}: +\begin{enumerate} +\item An AST is build from the input (a stream of tokens), following + grammar rules. This step consists in deciding whether the input + belongs to the language or not. If it is, the parser transforms the + expression into an AST. If not, this is a syntax error. An expression + belongs to the language if there exists a sequence of grammar rules + that recognizes it. This task is delegated to {\camlpppp}. See the + Reference Manual~\cite{ddr98} for details on the parsing + technology. The transformation to AST is performed by executing + successively the {\sl actions} bound to these rules. + +\item The AST is translated into the internal representation of + commands and terms. At this point, we detect unbound variables and + determine the exact section-path of every global value. Then, the term + may be typed, computed,~\ldots +\end{enumerate} +The printing process is the reverse: commands or terms are first +translated into AST's, and then the pretty-printer translates this AST +into a printing orders stream, according to printing rules. + +In {\Coq}, only the translations between AST's and the concrete +representation are extendable. One can modify the set of grammar and +printing rules, but one cannot change the way AST's are interpreted in +the internal level. + +In the following section, we describe the syntax of AST expressions, +involved in both parsing and printing. The next two sections deal with +extendable grammars and pretty-printers. + +\section{Abstract syntax trees (AST)} +\index{AST} +\index{Abstract syntax tree} + +\label{astsyntax} + +The AST expressions are conceptually divided into two classes: +\emph{constructive expressions} (those that can be used in parsing +rules) and \emph{destructive expressions} (those that can be used in +pretty printing rules). In the following we give the concrete syntax +of expressions and some examples of their usage. + +The BNF grammar {\sl ast} in Fig.~\ref{astexpr} defines the syntax +of both constructive and destructive expressions. The lexical +conventions are the same as in section~\ref{lexical}. Let us first +describe the features common to constructive and destructive +expressions. + +\begin{figure} +\begin{center} +\begin{tabular}{|rclr|} +\hline +{\sl ast} & ::= & {\sl meta} & (metavariable) \\ +& $|$ & {\ident} & (variable)\\ +& $|$ & {\integer} & (positive integer)\\ +& $|$ & {\sl string} & (quoted string) \\ +& $|$ & {\sl path} & (section-path) \\ +& $|$ & \verb+{+ {\ident} \verb+}+ & (identifier) \\ +& $|$ & \verb+[+ {\sl name} \verb+]+ {\sl ast} & (abstraction) \\ +& $|$ & \verb+(+ {\ident}~~\sequence{{\sl ast}}{} \verb+)+ + & (application node)\\ +& $|$ & \verb+(+ {\sl special-tok}~~{\sl meta} \verb+)+ + & (special-operator) \\ +& $|$ & \verb+'+ {\sl ast} & (quoted ast) \\ +& $|$ & {\sl quotation} & \\ + +{\sl meta} & ::= & \verb+$+{\ident} & \\ +{\sl path} & ::= & \nelist{{\tt\#}{\ident}}{} \verb+.+ {\sl kind} & \\ +{\sl kind} & ::= & \verb+cci+ $~|~$\verb+fw+ $~|~$ \verb+obj+ & \\ +{\sl name} & ::= & \verb+<>+ ~$|$~ {\ident} ~$\mid$~ {\sl meta} & \\ + +{\sl special-tok} & ::= & + \verb+$LIST+~$|$~\verb+$VAR+~$|$~\verb+$NUM+~$|$~% + \verb+$STR+~$|$~\verb+$PATH+~$|$~\verb+$ID+ & \\ + +{\sl quotation}& ::= & + \verb+<<+ ~{\sl meta-command}~ \verb+>>+ & \\ +& $|$ & \verb+<:command:<+ ~{\sl meta-command}~ \verb+>>+ & \\ +& $|$ & \verb+<:vernac:<+ ~{\sl meta-vernac}~ \verb+>>+ & \\ +& $|$ & \verb+<:tactic:<+ ~{\sl meta-tactic}~ \verb+>>+ & \\ +\hline +\end{tabular} +\end{center} +\caption{Syntax of AST expressions}\label{astexpr} +\end{figure} + +\subsubsection{Atomic AST} + +An atomic AST can be either a variable, a natural number, a quoted +string, a section path or an identifier. They are the basic components +of an AST. + +\subsubsection{Metavariable} +\index{Metavariable} + +As we will see later, metavariables may denote an AST or an AST list. +So, we introduce two types of variables: \verb+Ast+ and +\verb+List+. The type of variables is checked statically: an +expression referring to undefined metavariables, or using metavariables +with an inappropriate type, will be rejected. + +Metavariables are used to perform substitutions in constructive +expressions: they are replaced by their value in a given +environment. They are also involved in the pattern matching operation: +metavariables in destructive patterns create new bindings in the +environment. + +\subsubsection{Application node} + +Note that the AST syntax is rather general, since application nodes +may be labelled by an arbitrary identifier (but not a metavariable), +and operators have no fixed arity. This enables the extensibility of +the system. + +Nevertheless there are some application nodes that have some special +meaning for the system. They are build on \verb+(+{\sl +special-tok}~{\sl meta}\verb+)+, and cannot be confused with regular +nodes since {\sl special-tok} begins with a \verb+$+. There is a +description of these nodes below. + +\subsubsection{Abstraction} + +The equality on AST's is the $\alpha$-conversion, i.e. two AST's are +equal if only they are the same up to renaming of bound variables +(thus, \verb+[x]x+ is equal to \verb+[y]y+). This makes the difference +between variables and identifiers clear: the former may be bound by +abstractions, whereas identifiers cannot be bound. To illustrate this, +\verb+[x]{x}+ is equal to \verb+[y]{x}+, but not to \verb+[y]{y}+. + +The binding structure of AST is used to represent the binders in the +terms of {\Coq}: the product \verb+(x:$A)$B+ is mapped to the AST +\verb+(PROD $A [x]$B)+, whereas the non dependent product +\verb+$A->$B+ is mapped to \verb+(PROD $A [<>]$B)+ (\verb+[<>]t+ is an +anonymous abstraction). + +Metavariables can appear in abstractions. In that case, the value of +the metavariable must be a variable (or a list of variables). If not, +a run-time error is raised. + +\subsubsection{Quoted AST} +\index{Quoted AST} + +The \verb+'+$t$ construction means that the AST $t$ should not be +interpreted at all. The main effect is that metavariables occurring in +it cannot be substituted or considered as binding in patterns. + +\subsubsection{Quotations} +\index{Quotations} + +The non terminal symbols {\sl meta-command}, {\sl meta-vernac} and +{\sl meta-tactic} stand, respectively, for the syntax of commands, +vernacular phrases and tactics. The prefix {\sl meta-} is just to +emphasize that the expression may refer to metavariables. + +Indeed, if the AST to generate corresponds to a term that already has +a syntax, one can call a grammar to parse it and to return the AST +result. For instance, \verb+<<(eq ? $f $g)>>+ denotes the AST which is +the application (in the sense of CIC) of the constant {\tt eq} to +three arguments. It is coded as an AST node labelled {\tt APPLIST} +with four arguments. + +This term is parsable by \verb+command command+ grammar. This grammar +is invoked on this term to generate an AST by putting the term between +``\verb+<<+'' and ``\verb+>>+''. + +We can also invoke the initial grammars of several other predefined +entries (see section~\ref{predefined-grammars} for a description of +these grammars). + +\begin{itemize} +\item \verb|<< t >>| parses {\tt t} with {\tt command command} grammar +(terms of CIC). +\item \verb|<:command:< t >>| parses {\tt t} with {\tt command command} + grammar (same as \verb|<< t >>|). +\item \verb|<:vernac:< t >>| parses {\tt t} with {\tt vernac vernac} + grammar (vernacular commands). +\item \verb|<:tactic:< t >>| parses {\tt t} with {\tt tactic tactic} + grammar (tactic expressions). +\end{itemize} + +\Warning +One cannot invoke other grammars than those described. + +\subsubsection{Special operators in constructive expressions} + +The expressions \verb+($LIST $x)+ injects the AST list variable +{\tt\$x} in an AST position. For example, an application node is +composed of an identifier followed by a list of AST's that are glued +together. Each of these expressions must denote an AST. If we want to +insert an AST list, one has to use the \verb+$LIST+ operator. Assume +the variable \verb+$idl+ is bound to the list \verb+[x y z]+, the +expression \verb+(Intros ($LIST $idl) a b c)+ will build the AST +\verb+(Intros x y z a b c)+. Note that \verb+$LIST+ does not occur in +the result. + +% Ameliorer le style! +Since we know the type of variables, the \verb+$LIST+ is not really +necessary. We enforce this annotation to stress on the fact that the +variable will be substituted by an arbitrary number of AST's. + +The other special operators ({\tt\$VAR}, {\tt\$NUM}, {\tt\$STR}, +{\tt\$PATH} and {\tt\$ID}) are forbidden. + +\subsubsection{Special operators in destructive expressions (AST patterns)} +\label{patternsyntax} +\index{AST patterns} + +% pas encore implante (serait utile pour afficher les LAMBDALIST et +% PRODLIST). +%\item \verb+($SLAM $l body)+ is used to denote an abstraction where +% the elements of the list variable \verb+$l+ are the variables +% simultaneously abstracted in \verb+body+. +% The production to recognize a lambda abstraction of the form +% $[x_1,\ldots,x_n:T]body$ use the operator \verb+$SLAM+: + +A pattern is an AST expression, in which some metavariables can +appear. In a given environment a pattern matches any AST which is +equal (w.r.t $\alpha$-conversion) to the value of the pattern in an +extension of the current environment. The result of the matching is +precisely this extended environment. This definition allows +non-linear patterns (i.e. patterns in which a variable occurs several +times). + +For instance, the pattern \verb+(PAIR $x $x)+ matches any AST which is +a node labelled {\tt PAIR} applied to two identical arguments, and +binds this argument to {\tt\$x}. If {\tt\$x} was already bound, the +arguments must also be equal to the current value of {\tt\$x}. + +The ``wildcard pattern'' \verb+$_+ is not a regular metavariable: it +matches any term, but does not bind any variable. The pattern +\verb+(PAIR $_ $_)+ matches any {\tt PAIR} node applied to two +arguments. + +The {\tt\$LIST} operator still introduces list variables. Typically, +when a metavariable appears as argument of an application, one has to +say if it must match \emph{one} argument (binding an AST variable), or +\emph{all} the arguments (binding a list variable). Let us consider +the patterns \verb+(Intros $id)+ and \verb+(Intros ($LIST $idl))+. The +former matches nodes with \emph{exactly} one argument, which is bound +in the AST variable {\tt\$id}. On the other hand, the latter pattern +matches any AST node labelled {\tt Intros}, and it binds the +\emph{list} of its arguments to the list variable {\tt\$idl}. The +{\tt\$LIST} pattern must be the last item of a list pattern, because +it would make the pattern matching operation more complicated. The +pattern \verb+(Intros ($LIST $idl) $lastid)+ is not accepted. + +The other special operators allows checking what kind of leaf we +are destructing: +\begin{itemize} +\item{\tt\$VAR} matches only variables +\item{\tt\$NUM} matches natural numbers +\item{\tt\$STR} matches quoted strings +\item{\tt\$PATH} matches section-paths +\item{\tt\$ID} matches identifiers +\end{itemize} +\noindent For instance, the pattern \verb+(DO ($NUM $n) $tc)+ matches +\verb+(DO 5 (Intro))+, and creates the bindings ({\tt\$n},5) and +({\tt\$tc},\verb+(Intro)+). The pattern matching would fail on +\verb+(DO "5" (Intro))+. + +\section{Extendable grammars} +\label{Grammar} +\index{Extendable Grammars} +\comindex{Grammar} + +Grammar rules can be added with the {\tt Grammar} command. This +command is just an interface towards {\camlpppp}, providing the +semantic actions so that they build the expected AST. A simple grammar +command has the following syntax: \index{Grammar@{\tt Grammar}} + +\begin{center} +\texttt{Grammar}~\textsl{entry}~\textsl{nonterminal}~\texttt{:=}~% +\textsl{rule-name}~\textsl{LMP}~\verb+->+~\textsl{action}~\texttt{.} +\end{center} + +The components have the following meaning: +\begin{itemize} +\item a grammar name: defined by a parser entry and a non-terminal. + Non-terminals are packed in an \emph{entry} (also called + universe). One can have two non-terminals of the same name if they + are in different entries. A non-terminal can have the same name as + its entry. +\item a rule (sometimes called production), formed by a name, a left + member of production and an action, which generalizes constructive + expressions. +\end{itemize} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{figure} +\begin{center} +\begin{tabular}{|rcl|} +\hline +{\sl grammar} & ::= & + \verb+Grammar+~{\sl entry}~\nelist{{\sl gram-entry}}{with} \\ +{\sl entry}& ::= & {\ident} \\ +{\sl gram-entry} & ::= & + {\sl rule-name}~\zeroone{{\tt :}~{\sl entry-type}}~\verb+:=+~% +% [{\sl assoc}]~ +\sequence{{\sl production}}{|} \\ +{\sl rule-name} & ::= & {\ident} \\ +{\sl entry-type} & ::= & \verb+Ast+~$|$~\verb+List+ \\ +%{\sl assoc} & ::= & \verb+LEFTA+~$|$~\verb+RIGHTA+~$|$~\verb+NONA+ \\ +% parler de l'associativite ? +% Cela n'a pas vraiment de sens si toutes les re`gles sont dans un +% meme +% niveau. +{\sl production} & ::= & + {\sl rule-name}~\verb+[+~\sequence{{\sl prod-item}}{}~\verb+] ->+ + ~{\sl action}\\ +{\sl rule-name} & ::= & {\sl ident} \\ +{\sl prod-item} & ::= & {\sl string} \\ +& | & \zeroone{{\sl entry}~{\tt :}}~{\sl entry-name}~% + \zeroone{{\tt (}~{\sl meta}~{\tt )}} \\ +{\sl action} & ::= & + \verb+[+~\sequence{{\sl ast}}{}~\verb+]+ \\ +& | & \verb+let+~{\sl pattern}~\verb+=+~{\sl action}~% + \verb+in+~{\sl action} \\ +& | & {\tt case}~{\sl action}~\zeroone{{\tt :}~{\sl entry-type}}~{\tt of}~% + \sequence{{\sl case}}{|}~{\tt esac} \\ +{\sl case} & ::= & \sequence{{\sl pattern}}{}~\verb+->+~{\sl action} \\ +{\sl pattern} & ::= & {\sl ast} \\ +\hline +\end{tabular} +\end{center} +\caption{Syntax of the grammar extension command}\label{grammarsyntax} +\end{figure} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +The exact syntax of the {\tt Grammar} command is defined +in Fig.~\ref{grammarsyntax}. +It is possible to extend a grammar with several rules at once. +$$ +\begin{array}{rcc} +\verb+Grammar+~~entry~~nonterminal + & \verb+:=+ & production_1 \\ + & \verb+|+ & \vdots \\ + & \verb+|+ & production_n \verb+.+ \\ +\end{array} +$$ +Productions are entered in reverse order (i.e. $production_n$ before +$production_1$), so that the first rules have priority over the last +ones. The set of rules can be read as an usual pattern matching. + +\noindent Also, we can extend several grammars of a given universe at +the same time. The order of non-terminals does not matter since they +extend different grammars. +$$ +\begin{array}{rcccc} +\verb+Grammar+ & entry & nonterminal_1 + & \verb+:=+ & production_1^1 \\ + && & \verb+|+ & \vdots \\ + && & \verb+|+ & production_{n_1}^1 \\ + & \verb+with+ & \vdots && \\ + & \verb+with+ & nonterminal_p + & \verb+:=+ & production_1^p \\ + && & \verb+|+ & \vdots \\ + && & \verb+|+ & production_{n_p}^p \verb+.+ \\ +\end{array} +$$ + + +\subsection{Grammar entries} +\index{Grammar entries} +\label{predefined-grammars} + +Let us describe the four predefined entries. Each of them (except {\tt +prim}) possesses an initial grammar for starting the parsing process. + +\begin{itemize} +\item \verb+prim+ : it is the entry of the primitive grammars. Most of + them cannot be defined by the extendable grammar mechanism. They are + encoded inside the system. The entry contains the following + non-terminals: + +\begin{itemize} +\item \verb+var+ : variable grammar. Parses an identifier and builds +an AST which is a variable. +\item \verb+ident+ : identifier grammar. Parses an identifier and +builds an AST which is an identifier such as \verb+{x}+. +\item \verb+number+ : number grammar. Parses a positive integer. +\item \verb+string+ : string grammar. Parses a quoted string. +\item \verb+path+ : section path grammar. +\item \verb+ast+ : AST grammar. +\item \verb+astpat+ : AST pattern grammar. +\item \verb+astact+ : action grammar. +\end{itemize} + +The primitive grammars are used as the other grammars; for instance +the variables of terms are parsed by \verb+prim:var($id)+. + +\item \verb+command+ : it is the term entry. It allows to have a + pretty syntax for terms. Its initial grammar is {\tt command + command}. This entry contains several non-terminals, among them {\tt + command0} to {\tt command10} which stratify the terms according to + priority levels (\verb+0+ to \verb+10+). These priority levels allow + us also to specify the order of associativity of operators. + +% Ce serait bien si on etait capables de donner une table avec les +% niveaux de priorite de chaque operateur... + +\item \verb+vernac+ : it is the vernacular command entry, with {\tt + vernac vernac} as initial grammar. Thanks to it, the developers can + define the syntax of new commands they add to the system. As to + users, they can change the syntax of the predefined vernacular + commands. + +\item \verb+tactic+ : it is the tactic entry with {\tt tactics tactic} + as initial grammar. This entry allows to define the syntax of new + tactics. See chapter~\ref{WritingTactics} about user-defined tactics + for more details. + +\end{itemize} + +The user can define new entries and new non-terminals, using the +grammar extension command. A grammar does not have to be explicitly +defined. But the grammars in the left member of rules must all be +defined, possibly by the current grammar command. It may be convenient +to define an empty grammar, just so that it may be called by other +grammars, and extend this empty grammar later. Assume that the {\tt +command command13} does not exist. The next command defines it with +zero productions. + +\begin{coq_example*} +Grammar command command13 := . +\end{coq_example*} + +The grammars of new entries do not have an initial grammar. To use +them, they must be called (directly or indirectly) by grammars of +predefined entries. We give an example of a (direct) call of the +grammar {\tt newentry nonterm} by {\tt command command}. This +following rule allows to use the syntax \verb+a&b+ for the conjunction +\verb+a/\b+. + +\begin{coq_example} +Grammar newentry nonterm := + ampersand [ "&" command:command($c) ] -> [$c]. +Grammar command command := + new_and [ command8($a) newentry:nonterm($b) ] -> [<<$a/\$b>>]. +\end{coq_example} + + +\subsection{Left member of productions (LMP)} + +A LMP is composed of a combination of terminals (enclosed between +double quotes) and grammar calls specifying the entry. It is enclosed +between ``\verb+[+'' and ``\verb+]+''. The empty LMP, represented by +\verb+[ ]+, corresponds to $\epsilon$ in formal language theory. + +A grammar call is done by \verb+entry:nonterminal($id)+ where: +\begin{itemize} +\item \verb+entry+ and \verb+nonterminal+ + specifies the entry of the grammar, and the non-terminal. +\item \verb+$id+ is a metavariable that will receive the AST or AST + list resulting from the call to the grammar. +\end{itemize} + +The elements \verb+entry+ and \verb+$id+ are optional. The grammar +entry can be omitted if it is the same as the entry of the +non-terminal we are extending. Also, \verb+$id+ is omitted if we do +not want to get back the AST result. Thus a grammar call can be +reduced to a non-terminal. + +Each terminal must contain exactly one token. This token does not need +to be already defined. If not, it will be automatically +added. Nevertheless, any string cannot be a token (e.g. blanks should +not appear in tokens since parsing would then depend on +indentation). We introduce the notion of \emph{valid token}, as a +sequence, without blanks, of characters taken from the following list: +\begin{center} +\verb"< > / \ - + = ; , | ! @ # % ^ & * ( ) ? : ~ $ _ ` ' a..z A..Z 0..9" +\end{center} +that do not start with a character from +\begin{center} +\verb!$ _ a..z A..Z ' 0..9! +\end{center} + +When an LMP is used in the parsing process of an expression, it is +analyzed from left to right. Every token met in the LMP should +correspond to the current token of the expression. As for the grammars +calls, they are performed in order to recognize parts of the initial +expression. + +\Warning +Unlike destructive expressions, if a variable appears several times in +the LMP, the last binding hides the previous ones. Comparison can be +performed only in the actions. + + +\firstexample +\example{Defining a syntax for inequality} + +The rule below allows us to use the syntax \verb+t1#t2+ for the term +\verb+~t1=t2+. + +\begin{coq_example} +Grammar command command1 := + not_eq [ command0($a) "#" command0($b) ] -> [<<~($a=$b)>>]. +\end{coq_example} + +The level $1$ of the grammar of terms is extended with one rule named +\texttt{not\_eq}. When this rule is selected, its LMP calls the +grammar \verb+command+ \verb+command0+. This grammar recognizes a term +that it binds to the metavariable \verb+$a+. Then it meets the token +``\verb+#+'' and finally it calls the grammar \verb+command+ +\verb+command0+. This grammar returns the recognized term in +\verb+$b+. The action constructs the term \verb+~($a=$b)+. Note that +we use the command quotation on the right-hand side. + +\Warning +Metavariables are identifiers preceded by the ``\verb+$+'' symbol. +They cannot be replaced by identifiers. For instance, if we enter a +rule with identifiers and not metavariables, an error occurs: + +\begin{coq_example} +Grammar command command1 := + not_eq [ command0(a) "#" command0(b) ] -> [<<~(a=b)>>]. +\end{coq_example} + +For instance, let us give the statement of the symmetry of \verb+#+: + +\begin{coq_example} +Goal (A:Set)(a,b:A) a#b -> b#a. +\end{coq_example} + +\begin{coq_eval} +Abort. +\end{coq_eval} + +Conversely, one can force \verb+~a=b+ to be printed \verb=a#b= by +giving pretty-printing rules. This is explained in section \ref{Syntax}. + +\example{Redefining vernac commands} + +Thanks to the following rule, ``{\tt |- term.}'' will have the same +effect as ``{\tt Goal term.}''. + +\begin{coq_eval} +Save State no_thesis. +\end{coq_eval} + +\begin{coq_example} +Grammar vernac vernac := + thesis [ "|" "-" command:command($term) "." ] + -> [<:vernac:<Goal $term.>>]. +\end{coq_example} + +\noindent This rule allows putting blanks between the bar and the +dash, as in + +\begin{coq_example} +| - (A:Prop)A->A. +\end{coq_example} + +\begin{coq_eval} +Restore State no_thesis. +\end{coq_eval} + +\noindent Assuming the previous rule has not been entered, we can +forbid blanks with a rule that declares ``\verb+|-+'' as a single +token: + +\begin{coq_example} +Grammar vernac vernac := + thesis [ "|-" command:command($term) "." ] + -> [<:vernac:<Goal $term.>>]. +| - (A:Prop)A->A. +\end{coq_example} + +\noindent If both rules were entered, we would have three tokens +\verb+|+, \verb+-+ and \verb+|-+. The lexical ambiguity on the string +\verb+|-+ is solved according to the longest match rule (see lexical +conventions page~\pageref{lexical}), i.e. \verb+|-+ would be one single +token. To enforce the use of the first rule, a blank must be inserted +between the bar and the dash. + + +\Rem +The vernac commands should always be terminated by a period. When a +syntax error is detected, the top-level discards its input until it +reaches a period token, and then resumes parsing. + +\example{Redefining tactics} + +We can give names to repetitive tactic sequences. Thus in this example +``{\tt IntSp}'' will correspond to the tactic {\tt Intros} followed by +{\tt Split}. + +\begin{coq_example} +Grammar tactic simple_tactic := + intros_split [ "IntSp" ] -> [<:tactic:<Intros; Split>>]. +\end{coq_example} + +Let us check that this works. + +\begin{coq_example} +Goal (A,B:Prop)A/\B -> B/\A. +IntSp. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +Note that the same result can be obtained in a simpler way with {\tt +Tactic Definition} (see page~\pageref{TacticDefinition}). However, +this macro can only define tactics which arguments are terms. + + +\example{Priority, left and right associativity of operators} + +The disjunction has a higher priority than conjunction. Thus +\verb+A/\B\/C+ will be parsed as \verb+(A/\B)\/C+ and not as +\verb+A/\(B\/C)+. The priority is done by putting the rule for the +disjunction in a higher level than that of conjunction: conjunction is +defined in the non-terminal {\tt command6} and disjunction in {\tt +command7} (see file {\tt Logic.v} in the library). Notice that +the character ``\verb+\+'' must be doubled (see lexical conventions +for quoted strings on page~\pageref{lexical}). + +\begin{coq_example*} +Grammar command command6 := + and [ command5($c1) "/\\" command6($c2) ] -> [<<(and $c1 $c2)>>]. +Grammar command command7 := + or [ command6($c1) "\\/" command7($c2) ] -> [<<(or $c1 $c2)>>]. +\end{coq_example*} + +Thus conjunction and disjunction associate to the right since in both +cases the priority of the right term (resp. {\tt command6} and {\tt +command7}) is higher than the priority of the left term (resp. {\tt +command5} and {\tt command6}). The left member of a conjunction cannot +be itself a conjunction, unless you enclose it inside parenthesis. + +The left associativity is done by calling recursively the +non-terminal. {\camlpppp} deals with this recursion by first trying +the non-left-recursive rules. Here is an example taken from the +standard library, defining a syntax for the addition on integers: + +\begin{coq_example*} +Grammar znatural expr := + expr_plus [ expr($p) "+" expr($c) ] -> [<<(Zplus $p $c)>>]. +\end{coq_example*} + + + +\subsection{Actions} +\label{GramAction} +\index{Grammar Actions} + +Every rule should generate an AST corresponding to the syntactic +construction that it recognizes. This generation is done by an +action. Thus every rule is associated to an action. The syntax has +been defined in Fig.~\ref{grammarsyntax}. We give some examples. + +\subsubsection{Simple actions} + +A simple action is an AST enclosed between ``\verb+[+'' and +``\verb+]+''. It simply builds the AST by interpreting it as a +constructive expression in the environment defined by the LMP. This +case has been illustrated in all the previous examples. We will later +see that grammars can also return AST lists. + + +\subsubsection{Local definitions} + +When an action should generate a big term, we can use +\texttt{let}~\textsl{pattern}~\texttt{=}~\textsl{action}$_1$~% +\texttt{in}~\textsl{action}$_2$\index{let@{\tt let}} expressions to +construct it progressively. The action \textsl{action}$_1$ is first +computed, then it is matched against \textsl{pattern} which may bind +metavariables, and the result is the evaluation of \textsl{action}$_2$ +in this new context. + +\example{} + +\noindent From the syntax \verb|t1*+t2|, we generate the term +{\tt (plus (plus t1 t2) (mult t1 t2))}. + +\begin{coq_example} +Grammar command command1 := + mult_plus [ command0($a) "*" "+" command0($b) ] + -> let $p1=[<<(plus $a $b)>>] in + let $p2=[<<(mult $a $b)>>] in + [<<(plus $p1 $p2)>>]. +\end{coq_example} + +Let us give an example with this syntax: + +\begin{coq_example} +Goal (O*+O)=O. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +\subsubsection{Conditional actions} + +We recall the syntax of conditional actions: + +\begin{center} +\texttt{case}~\textsl{action}~\texttt{of}~% +\textsl{pattern}$_1$~\verb+->+~\textsl{action}$_1$~% +\texttt{|}~$\cdots$~\texttt{|}~% +\textsl{pattern}$_n$~\verb+->+~\textsl{action}$_n$~% +\texttt{esac} +\end{center}\index{case@@{\tt case}} + +The action to execute is chosen according to the value of +\textsl{action}. The matching is performed from left to right. The +selected action is the one associated to the first pattern that +matches the value of \textsl{action}. This matching operation will +bind the metavariables appearing in the selected pattern. The pattern +matching does need being exhaustive, and no warning is emitted. When the +pattern matching fails a message reports in which grammar rule the +failure happened. + +\example{Overloading the ``$+$'' operator} + +The internal representation of an expression such as {\tt A+B} depends +on the shape of {\tt A} and {\tt B}: +\begin{itemize} +\item \verb/{P}+{Q}/ uses {\tt sumbool} +\item otherwise,\verb/A+{Q}/ uses {\tt sumor} +\item otherwise, \verb/A+B/ uses {\tt sum}. +\end{itemize} +The trick is to build a temporary AST: \verb/{A}/ generates the node +\verb/(SQUASH A)/. When we parse \verb/A+B/, we remove the {\tt +SQUASH} in {\tt A} and {\tt B}: + +\begin{coq_example*} +Grammar command command1 := + squash [ "{" lcommand($lc) "}" ] -> [(SQUASH $lc)]. +Grammar command lassoc_command4 := + squash_sum + [ lassoc_command4($c1) "+" lassoc_command4($c2) ] -> + case [$c2] of + (SQUASH $T2) -> + case [$c1] of + (SQUASH $T1) -> [<<(sumbool $T1 $T2)>>] + | $_ -> [<<(sumor $c1 $T2)>>] + esac + | $_ -> [<<(sum $c1 $c2)>>] + esac. +\end{coq_example*} + +\noindent The problem is that sometimes, the intermediate {\tt SQUASH} +node cannot re-shaped, then we have a very specific error: + +\begin{coq_example} +Check {True}. +\end{coq_example} + + +\example{Comparisons and non-linear patterns} + +The patterns may be non-linear: when an already bound metavariable +appears in a pattern, the value yielded by the pattern matching must +be equal, up to renaming of bound variables, to the current +value. Note that this does not apply to the wildcard \verb+$_+. For +example, we can compare two arguments: + +\begin{coq_example} +Grammar command command10 := + refl_equals [ command9($c1) "||" command9($c2) ] -> + case [$c1] of $c2 -> [<<(refl_equal ? $c2)>>] esac. +Check ([x:nat]x || [y:nat]y). +\end{coq_example} + +\noindent The metavariable \verb+$c1+ is bound to \verb+[x:nat]x+ and +\verb+$c2+ to \verb+[y:nat]y+. Since these two values are equal, the +pattern matching succeeds. It fails when the two terms are not equal: + +\begin{coq_example} +Check ([x:nat]x || [z:bool]z). +\end{coq_example} + + + +\subsection{Grammars of type {\tt List}} + +Assume we want to define an non-terminal {\tt ne\_identarg\_list} that +parses an non-empty list of identifiers. If the grammars could only +return AST's, we would have to define it this way: + +\begin{coq_example*} +Grammar tactic my_ne_ident_list := + ident_list_cons [ identarg($id) my_ne_ident_list($l) ] -> + case [$l] of + (IDENTS ($LIST $idl)) -> [(IDENTS $id ($LIST $idl))] + esac +| ident_list_single [ identarg($id) ] -> [(IDENTS $id)]. +\end{coq_example*} + +But it would be inefficient: every time an identifier is read, we +remove the ``boxing'' operator {\tt IDENTS}, and put it back once the +identifier is inserted in the list. + +To avoid these awkward trick, we allow grammars to return AST +lists. Hence grammars have a type ({\tt Ast} or {\tt List}), just like +AST's do. Type-checking can be done statically. + +The simple actions can produce lists by putting a list of constructive +expressions one beside the other. As usual, the {\tt\$LIST} operator +allows to inject AST list variables. + +\begin{coq_example*} +Grammar tactic ne_identarg_list : List := + ne_idl_cons [ identarg($id) ne_identarg_list($idl) ] + -> [ $id ($LIST $idl) ] +| ne_idl_single [ identarg($id) ] -> [ $id ]. +\end{coq_example*} + +Note that the grammar type must be recalled in every extension +command, or else the system could not discriminate between a single +AST and an AST list with only one item. If omitted, the default type +is {\tt Ast}. The following command fails because {\tt +ne\_identarg\_list} is already defined with type {\tt List} but the +{\tt Grammar} command header assumes its type is {\tt Ast}. + +\begin{coq_example} +Grammar tactic ne_identarg_list := + list_two [ identarg($id1) identarg($id2) ] -> [ $id1 $id2 ]. +\end{coq_example} + +All rules of a same grammar must have the same type. For instance, the +following rule is refused because the \verb+command command1+ grammar +has been already defined with type {\tt Ast}, and cannot be extended +with a rule returning AST lists. + +\begin{coq_example} +Grammar command command1 := + carret_list [ command0($c1) "^" command0($c2)] -> [ $c1 $c2 ]. +\end{coq_example} + + +\subsection{Limitations} + +The extendable grammar mechanism have four serious limitations. The +first two are inherited from {\camlpppp}. +\begin{itemize} +\item Grammar rules are factorized syntactically: {\camlpppp} does not + try to expand non-terminals to detect further factorizations. The + user must perform the factorization himself. +\item The grammar is not checked to be \emph{LL(1)}\index{LL(1)} when + adding a rule. If it is not LL(1), the parsing may fail on an input + recognized by the grammar, because selecting the appropriate rule + may require looking several tokens ahead. {\camlpppp} always selects + the most recent rule (and all those that factorize with it) + accepting the current token. +\item There is no command to remove a grammar rule. However there is a + trick to do it. It is sufficient to execute the ``{\tt Reset}'' + command on a constant defined before the rule we want to remove. + Thus we retrieve the state before the definition of the constant, + then without the grammar rule. This trick does not apply to grammar + extensions done in {\ocaml}. +\item Grammar rules defined inside a section are automatically removed + after the end of this section: they are available only inside it. +\end{itemize} + +The command {\tt Print Grammar} prints the rules of a grammar. It is +displayed by {\camlpppp}. So, the actions are not printed, and the +recursive calls are printed \verb+SELF+\index{SELF@{\tt SELF}}. It is +sometimes useful if the user wants to understand why parsing fails, or +why a factorization was not done as expected.\index{Print Grammar@{\tt +Print Grammar}} + +\begin{coq_example} +Print Grammar command command8. +\end{coq_example} + +\subsubsection{Getting round the lack of factorization} +The first limitation may require a non-trivial work, and may lead to +ugly grammars, hardly extendable. Sometimes, we can use a trick to +avoid these troubles. The problem arises in the {\gallina} syntax, to +make {\camlpppp} factorize the rules for application and product. The +natural grammar would be: + +\begin{coq_example} +Grammar command command0 := + parenthesis [ "(" command10($c) ")" ] -> [$c] +| product [ "(" prim:var($id) ":" command($c1) ")" command0($c2) ] -> + [(PROD $c1 [$id]$c2)] +with command10 := + application [ command91($c1) ne_command91_list($lc) ] -> + [(APPLIST $c1 ($LIST $lc))] +| inject_com91 [ command91($c) ] -> [$c]. +Check (x:nat)nat. +\end{coq_example} + +But the factorization does not work, thus the product rule is never +selected since identifiers match the {\tt command10} grammar. The +trick is to parse the ident as a {\tt command10} and check \emph{a +posteriori} that the command is indeed an identifier: + +\begin{coq_example} +Grammar command command0 := + product [ "(" command10($c) ":" command($c1) ")" command0($c2) ] -> + [(PROD $c1 [$c]$c2)]. +Check (x:nat)nat. +\end{coq_example} + +\noindent We could have checked it explicitly with a {\tt case} in +the right-hand side of the rule, but the error message in the +following example would not be as relevant: + +\begin{coq_example} +Check (S O:nat)nat. +\end{coq_example} + +\noindent This trick is not similar to the {\tt SQUASH} node in which +we could not detect the error while parsing. Here, the error pops out +when trying to build an abstraction of {\tt\$c2} over the value of +{\tt\$c}. Since it is not bound to a variable, the right-hand side of +the product grammar rule fails. + +\section{Writing your own pretty printing rules} +\label{Syntax} +\comindex{Syntax} + +There is a mechanism for extending the +vernacular's printer by adding, in the interactive +toplevel, new printing rules. The printing rules are stored into a +table and will be recovered at the moment of the printing by the +vernacular's printer. + +The user can print new constants, tactics and vernacular phrases +with his desired syntax. The printing rules +for new constants should be written {\em after} the definition of the +constants. The rules should be +outside a section if the user wants them to be exported. + +The printing rules corresponding to the heart of the system (primitive +tactics, commands and the vernacular language) are defined, +respectively, in the files {\tt PPTactic.v} and {\tt PPCommand.v} +(in the directory {\tt src/syntax}). These files are automatically +loaded in the initial state. The user is not expected to modify these +files unless he dislikes the way primitive things are printed, in +which case he will have to compile the system after doing the +modifications. + +When the system fails to find a suitable printing rule, a tag +\verb+#GENTERM+\index{GENTERM@{\tt\#GENTERM}} appears in the message. + +In the following we give some examples showing how to write the +printing rules for the non-terminal and terminal symbols of a +grammar. We will test them frequently by inspecting the error +messages. Then, we give the grammar of printing rules and a +description of its semantics. + + +\subsection{The Printing Rules} +\subsubsection{The printing of non terminals} + +The printing is the inverse process of parsing. While a grammar rule +maps an input stream of characters +into an AST, a printing +rule maps an AST into an output stream of printing orders. +So given a certain grammar rule, the printing rule +is generally obtained by inverting the grammar rule. + +Like grammar rules, it is possible to define several rules at the same +time. The exact syntax for complex rules is described +in~\ref{syntaxsyntax}. A simple printing rule is of the form: + +\begin{center} +\verb+Syntax+ ~{\sl universe} +~\verb+level+ ~{\sl precedence}~\verb+:+~{\sl name} +~\verb+[+~{\sl pattern}~\verb+] -> [+~{\sl printing-orders}~\verb+].+ +\end{center} + +where : +\begin{itemize} +\item {\it universe} is an identifier denoting the universe of the AST to + be printed. There is a correspondence between the universe of the + grammar rule used to generate the AST and the one of the printing + rule: + +\begin{center} +\begin{tabular}{|c|c|}\hline +{\em Univ. Grammar} & {\em Univ. Printing} \\ \hline +tactic & tactic \\ \hline +command & constr \\ \hline +\end{tabular} +\end{center} + + The vernac universe has no equivalent in pretty-printing since + vernac phrases are never printed by the system. Error messages are + reported by re-displaying what the user entered. + +\item {\it precedence} is positive integer indicating the precedence + of the rule. In general the precedence for tactics is 0. The + universe of commands is implicitly stratified by the hierarchy of + the parsing rules. We have non terminals \textit{command0}, + \textit{command1}, \ldots, \textit{command10}. + The idea is that objects parsed with the non terminal + $command_i$ have precedence $i$. In most of the cases we fix the + precedence of the printing rules for commands to be the same number + of the non terminal with which it is parsed. + + A precedence may also be a triple of integers. The triples are + ordered in lexicographic order, and the level $n$ is equal to {\tt + [$n~0~0$]}. + +\item {\it name} is the name of the + printing rule. A rule is identified by both its universe and name, + if there are two rules with both the same name and universe, then + the last one overrides the former. + +\item {\it pattern} is a pattern that matches the AST to be + printed. The syntax of patterns is very similar to the grammar for ASTs. + A description of their syntax is given in section + \ref{patternsyntax}. + +\item {\it printing-orders} is the sequence of orders indicating the + concrete layout of the printer. +\end{itemize} + +\firstexample + +\example{Syntax for user-defined tactics.} + +The first usage of the \texttt{Syntax} command might be the printing +order for a user-defined tactic: + +\begin{coq_example*} +Declare ML Module "eqdecide". +Syntax tactic level 0: + ComparePP [(Compare $com1 $com2)] -> + ["Compare" [1 2] $com1 [1 2] $com2]. +\end{coq_example*} + +% meme pas vrai +If such a printing rule is not given, a disgraceful \verb+#GENTERM+ +will appear when typing \texttt{Show Script} or \texttt{Save}. For +a tactic macro defined by a \texttt{Tactic Definition} command, a +printing rule is automatically generated so the user don't have to +write one. + +\example{Defining the syntax for new constants.} + +Let's define the constant \verb+Xor+ in Coq: + +\begin{coq_example*} +Definition Xor := [A,B:Prop] A/\~B \/ ~A/\B. +\end{coq_example*} + +Given this definition, we want to use the syntax of \verb+A X B+ +to denote \verb+(Xor A B)+. To do that we give the grammar rule: + +\begin{coq_example} +Grammar command command7 := + Xor [ command6($c1) "X" command7($c2) ] -> [<<(Xor $c1 $c2)>>]. +\end{coq_example} + +Note that the operator is associative to the right. +Now \verb+True X False+ is well parsed: + +\begin{coq_example} +Goal True X False. +\end{coq_example} + +To have it well printed we extend the printer: + +\begin{coq_example} +Syntax constr level 7: + Pxor [<<(Xor $t1 $t2)>>] -> [ $t1:L " X " $t2:E ]. +\end{coq_example} + +and now we have the desired syntax: + +\begin{coq_example} +Show. +\end{coq_example} + +Let's comment the rule: +\begin{itemize} +\item \verb+constr+ is the universe of the printing rule. + +\item \verb+7+ is the rule's precedence and it is the same one than the + parsing production (command7). + +\item \verb+Pxor+ is the name of the printing rule. + +\item \verb+<<(Xor $t1 $t2)>>+ is the pattern of the AST to be + printed. Between \verb+<< >>+ we are allowed to use the syntax of + command instead of syntax of ASTs. + Metavariables may occur in the pattern but preceded by + \verb+$+. + +\item \verb+$t1:L " X " $t2:E+ are the printing + orders, it tells to print the value of \verb+$t1+ then the symbol + \verb+X+ and then the value of \verb+$t2+. + + The \verb+L+ in the little box \verb+$t1:L+ indicates not + to put parentheses around the value of \verb+$t1+ if its precedence + is {\bf less} than the rule's one. An \verb+E+ instead of the + \verb+L+ would mean not to put parentheses around the value of + \verb+$t1+ if its the precedence is {\bf less or equal} than the + rule's one. + + The associativity of the operator can be expressed in the following + way: + + \verb&$t1:L " X " $t2:E& associates the operator to the right. + + \verb&$t1:E " X " $t2:L& associates to the left. + + \verb&$t1:L " X " $t2:L& is non-associative. + +\end{itemize} + +Note that while grammar rules are related by the name of non-terminals +(such as {\tt command6} and {\tt command7}) printing rules are +isolated. The {\tt Pxor} rule tells how to print an {\tt Xor} +expression but not how to print its subterms. The printer looks up +recursively the rules for the values of \verb+$t1+ and \verb+$t2+. The +selection of the printing rules is strictly determined by the +structure of the AST to be printed. + +This could have been defined with the {\tt Infix} command. + + +\example{Forcing to parenthesize a new syntactic construction} + +You can force to parenthesize a new syntactic construction by fixing +the precedence of its printing rule to a number greater than 9. For +example a possible printing rule for the {\tt Xor} connector in the prefix +notation would be: + +\begin{coq_example*} +Syntax constr level 10: + ex_imp [<<(Xor $t1 $t2)>>] -> [ "X " $t1:L " " $t2:L ]. +\end{coq_example*} + +No explicit parentheses are contained in the rule, nevertheless, when +using the connector, the parentheses are automatically written: + +\begin{coq_example} +Show. +\end{coq_example} + +A precedence higher than 9 ensures that the AST value will be +parenthesized by default in either the empty context or if it occurs +in a context where the instructions are of the form +\verb+$t:L+ or \verb+$t:E+. + + +\example{Dealing with list patterns in the syntax rules} + +The following productions extend the parser to recognize a +tactic called \verb+MyIntros+ that receives a list of identifiers as +argument as the primitive \verb+Intros+ tactic does: + +\begin{coq_example*} +Grammar tactic simple_tactic := + my_intros [ "MyIntros" ne_identarg_list($idl) ] -> + [(MyIntrosWith ($LIST $idl))]. +\end{coq_example*} + +To define the printing rule for \verb+MyIntros+ it is necessary to +define the printing rule for the non terminal \verb+ne_identarg_list+. +In grammar productions the dependency between the non terminals is +explicit. This is not the case for printing rules, where the +dependency between the rules is determined by the structure of the +pattern. So, the way to make explicit the relation between printing +rules is by adding structure to the patterns. + +\begin{coq_example} +Syntax tactic level 0: + myintroswith [(MyIntrosWith ($LIST $L))] -> + [ "MyIntros " (NEIDENTARGLIST ($LIST $L)) ]. +\end{coq_example} + +This rule says to print the string \verb+MyIntros+ and then to print +the value of \\ +\verb+(NEIDENTARGLIST ($LIST $L))+. + +\begin{coq_example} +Syntax tactic level 0: + ne_identarg_list_cons [(NEIDENTARGLIST $id ($LIST $l))] + -> [ $id " " (NEIDENTARGLIST ($LIST $l)) ] +| ne_identarg_list_single [(NEIDENTARGLIST $id)] -> [ $id ]. +\end{coq_example} + + +The first rule says how to print a non-empty list, while the second +one says how to print the list with exactly one element. Note that the +pattern structure of the binding in the first rule ensures its use in +a recursive way. + +Like the order of grammar productions, the order of printing rules +\emph{does matter}. In case of two rules whose patterns superpose +each other the {\bf last} rule is always chosen. In the example, if +the last two rules were written in the inverse order the printing will +not work, because only the rule {\sl ne\_identarg\_list\_cons} would +be recursively retrieved and there is no rule for the empty list. +Other possibilities would have been to write a rule for the empty list +instead of the {\sl ne\_identarg\_list\_single} rule, + +\begin{coq_example} +Syntax tactic level 0: + ne_identarg_list_nil [(NEIDENTARGLIST)] -> [ ]. +\end{coq_example} + +This rule indicates to do nothing in case of the empty list. In this +case there is no superposition between patterns (no critical pairs) +and the order is not relevant. But a useless space would be printed +after the last identifier. + +\example{Defining constants with arbitrary number of arguments} + +Sometimes the constants we define may have an arbitrary number of +arguments, the typical case are polymorphic functions. Let's consider +for example the functional composition operator. The following rule +extends the parser: + +\begin{coq_example*} +Definition explicit_comp := [A,B,C:Set][f:A->B][g:B->C][a:A](g (f a)). +Grammar command command6 := + expl_comp [command5($c1) "o" command6($c2) ] -> + [<<(explicit_comp ? ? ? $c1 $c2)>>]. +\end{coq_example*} + +Our first idea is to write the printing rule just by ``inverting'' the +production: + +\begin{coq_example} +Syntax constr level 6: + expl_comp [<<(explicit_comp ? ? ? $f $g)>>] -> [ $f:L "o" $g:L ]. +\end{coq_example} + +This rule is not correct: \verb+?+ is an ordinary AST (indeed, it is +the AST \verb|(XTRA "ISEVAR")|), and does not behave as the +``wildcard'' pattern \verb|$_|. Here is a correct version of this +rule: + +\begin{coq_example*} +Syntax constr level 6: + expl_comp [<<(explicit_comp $_ $_ $_ $f $g)>>] -> [ $f:L "o" $g:L ]. +\end{coq_example*} + +Let's test the printing rule: + +\begin{coq_example} +Definition Id := [A:Set][x:A]x. +Check (Id nat) o (Id nat). +Check ((Id nat)o(Id nat) O). +\end{coq_example} + +In the first case the rule was used, while in the second one the +system failed to match the pattern of the rule with the AST of +\verb+((Id nat)o(Id nat) O)+. +Internally the AST of this term is the same as the AST of the +term \verb+(explicit_comp nat nat nat (Id nat) (Id nat) O)+. +When the system retrieves our rule it tries to match an application of +six arguments with an application of five arguments (the AST of +\verb+(explicit_comp $_ $_ $_ $f $g)+). Then, the matching fails and +the term is printed using the rule for application. + +Note that the idea of adding a new rule for \verb+explicit_comp+ for +the case of six arguments does not solve the problem, because of the +polymorphism, we can always build a term with one argument more. The +rules for application deal with the problem of having an arbitrary +number of arguments by using list patterns. Let's see these rules: + +\begin{coq_example*} +Syntax constr level 10: + app [(APPLIST $H ($LIST $T))] -> + [ [<hov 0> $H:E (APPTAIL ($LIST $T)):E ] ] + +| apptailcons [(APPTAIL $H ($LIST $T))] -> + [ [1 1] $H:L (APPTAIL ($LIST $T)):E ] +| apptailnil [(APPTAIL)] -> [ ]. +\end{coq_example*} + +The first rule prints the operator of the application, and the second +prints the list of its arguments. Then, one solution to our problem is +to specialize the first rule of the application to the cases where the +operator is \verb+explicit_comp+ and the list pattern has {\bf at +least} five arguments: + +\begin{coq_example*} +Syntax constr level 10: + expl_comp + [(APPLIST <<explicit_comp>> $_ $_ $_ $f $g ($LIST $l))] + -> [ [<hov 0> $f:L "o" $g:L (APPTAIL ($LIST $l)) ] ]. +\end{coq_example*} + +Now we can see that this rule works for any application of the +operator: + +\begin{coq_example} +Check ((Id nat) o (Id nat) O). +Check ((Id nat->nat) o (Id nat->nat) [x:nat]x O). +\end{coq_example} + +In the examples presented by now, the rules have no information about +how to deal with indentation, break points and spaces, the printer +will write everything in the same line without spaces. To indicate the +concrete layout of the patterns, there's a simple language of printing +instructions that will be described in the following section. + + +\subsubsection{The printing of terminals} +The user is not expected to write the printing rules for terminals, +this is done automatically. Primitive printing is done for +identifiers, strings, paths, numbers. For example : + +\begin{coq_example*} +Grammar vernac vernac := + mycd [ "MyCd" prim:string($dir) "." ] -> [(MYCD $dir)]. +Syntax vernac level 0: + mycd [(MYCD $dir)] -> [ "MyCd " $dir ]. +\end{coq_example*} + +There is no more need to encapsulate the \verb+$dir+ meta-variable +with the \verb+$PRIM+ or the \verb+$STR+ operator as in the version +6.1. However, the pattern \verb+(MYCD ($STR $dir))+ would be safer, +because the rule would not be selected to print an ill-formed AST. The +name of default primitive printer is the {\ocaml} function {\tt +print\_token}. If the user wants a particular terminal to be printed +by another printer, he may specify it in the right part of the +rule. Example: + +% Pas encore possible! $num est un id, pas un entier. +%Syntax tactic level 0 : +% do_pp [<<Do $num $tactic>>] +% -> [ "Do " $num:"my_printer" [1 1] $tactic ]. +\begin{coq_example*} +Syntax tactic level 0 : + do_pp [(DO ($NUM $num) $tactic)] + -> [ "Do " $num:"my_printer" [1 1] $tactic ]. +\end{coq_example*} + +The printer \textit{my\_printer} must have been installed as shown +below. + +\subsubsection{Primitive printers} + +Writing and installing primitive pretty-printers requires to have the +sources of the system like writing tactics. + +A primitive pretty-printer is an \ocaml\ function of type +\begin{verbatim} + Esyntax.std_printer -> CoqAst.t -> Pp.std_ppcmds +\end{verbatim} +The first +argument is the global printer, it can be called for example by the +specific printer to print subterms. The second argument is the AST to +print, and the result is a stream of printing orders like : + +\begin{itemize} +\item \verb+'sTR"+\textit{string}\verb+"+ to print the string + \textit{string} +\item \verb+'bRK +\textit{num1 num2} that has the same semantics than + \verb+[+ \textit{num1 num2} \verb+]+ in the print rules. +\item \verb+'sPC+ to leave a blank space +\item \verb+'iNT+ $n$ to print the integer $n$ +\item \ldots +\end{itemize} + +There is also commands to make boxes (\verb+h+ or \verb+hv+, described +in file {\tt src/lib/util/pp.mli}). Once the printer is written, it +must be registered by the command : +\begin{verbatim} + Esyntax.Ppprim.add ("name",my_printer);; +\end{verbatim} +\noindent +Then, in the toplevel, after having loaded the right {\ocaml} module, +it can be used in the right hand side of printing orders using the +syntax \verb+$truc:"name"+. + +The real name and the registered name of a pretty-printer does not +need to be the same. However, it can be nice and simple to give the +same name. + +\subsection{Syntax for pretty printing rules} +\label{syntaxsyntax} + +This section describes the syntax for printing rules. The +metalanguage conventions are the same as those specified for the +definition of the {\sl pattern}'s syntax in section \ref{patternsyntax}. +The grammar of printing rules is the following: + +\begin{center} +\begin{tabular}{|rcl|} \hline +{\sl printing-rule} & ::= & + \verb+Syntax+~{\ident}~~\nelist{{\sl level}}{;} \\ +{\sl level} & ::= & \verb+level+~{\sl precedence}~\verb+:+ + ~\nelist{{\sl rule}}{|} \\ +{\sl precedence} & ::= & + {\integer} ~$|$~ \verb+[+~\integer~\integer~\integer~\verb+]+ \\ +{\sl rule} & ::= & + {\sl ident}~\verb+[+~{\sl pattern}~\verb+] -> [+% + ~\sequence{{\sl printing-order}}{}~\verb+]+ \\ +{\sl printing-order} & ::= & \verb+FNL+ \\ + &$|$& {\sl string} \\ + &$|$& \verb+[+~\integer~\integer~\verb+]+ \\ + &$|$& \verb+[+~box~\sequence{{\sl printing-order}}{}~\verb+]+ \\ + &$|$& {\sl ast}~\zeroone{{\tt :}~{\sl prim-printer}}~% + \zeroone{{\tt :}~{\sl paren-rel}}\\ +{\sl box} & ::= & \verb+<+~{\sl box-type}~\integer~\verb+>+\\ +{\sl box-type} & ::= & ~\verb+hov+~$|$~\verb+hv+~$|$~\verb+v+~$|$~\verb+h+\\ +{\sl paren-rel} & ::= & \verb+L+~$|$~\verb+E+ \\ +{\sl prim-printer} & ::= & {\sl string} \\ +{\sl pattern} & ::= & {\sl ast} \\ +\hline +\end{tabular} +\end{center} + +As already stated, the order of rules in a given level is relevant +(the last ones override the previous ones). + + +\subsubsection{Pretty grammar structures} +The basic structure is the printing order sequence. Each order has a +printing effect and they are sequentially executed. The orders can +be: +\begin{itemize} +\item printing orders +\item printing boxes +\end{itemize} + +\paragraph{Printing orders} +Printing orders can be of the form: +\begin{itemize} +\item \verb+"+{\sl string}\verb+"+ prints the {\sl string}. +\item \verb+FNL+ force a new line. + +\item \texttt{\$t:}\textsl{paren-rel} or + \texttt{\$t:}\textsl{prim-printer}\texttt{:}\textsl{paren-rel} + + {\sl ast} is used to build an AST in current context. The printer + looks up the adequate printing rule and applies recursively this + method. The optional field {\it prim-printer} is a string with the + name primitive pretty-printer to call (The name is not the name of + the {\ocaml} function, but the name given to {\tt + Esyntax.Ppprim.add}). Recursion of the printing is determined by + the pattern's structure. {\it paren-rel} is the following: + +\begin{tabular}{cl} + +\verb+L+ & + if $t$ 's precedence is {\bf less} than the rule's one, then no + parentheses \\ + & around $t$ are written. \\ +\verb+E+ & + if $t$ 's precedence is {\bf less or equal} than the rule's one + then no parentheses \\ + & around $t$ are written. \\ +{\it none} & {\bf never} write parentheses around $t$. +\\\\ +\end{tabular} +\end{itemize} + +\paragraph{Printing boxes} +The concept of formatting boxes is used to describe the concrete +layout of patterns: a box may contain many objects which are orders or +sub\-boxes sequences separated by break\-points; the box wraps around +them an imaginary rectangle. +\begin{enumerate} +\item {\bf Box types} + + The type of boxes specifies the way the components of the box will + be displayed and may be: +\begin{itemize} +\item \verb+h+ : to catenate objects horizontally. +\item \verb+v+ : to catenate objects vertically. +\item \verb+hv+ : to catenate objects as with an ``h box'' but an + automatic vertical folding is applied when the horizontal + composition does not fit into the width of the associated output + device. + +\item \verb+hov+ : to catenate objects horizontally but if the + horizontal composition does not fit, a vertical composition will be + applied, trying to catenate horizontally as many objects as possible. +\end{itemize} + +The type of the box can be followed by a {\it n} offset value, which +is the offset added to the current indentation when breaking lines +inside the box. + + +\item {\bf Boxes syntax} + + A box is described by a sequence surrounded by \verb+[ ]+. The first + element of the sequence is the box type: this type surrounded by the + symbols \verb+< >+ is one of the words \verb+hov+, \verb+hv+, + \verb+v+, \verb+v+ followed by an offset. The default offset is 0 + and the default box type is \verb+h+. + +\item {\bf Break\-points} + + In order to specify where the pretty-printer is allowed to break, + one of the following break-points may be used: + +\begin{itemize} +\item \verb+[0 0]+ is a simple break-point, if the line is not broken + here, no space is included (``Cut''). +\item \verb+[1 0]+ if the line is not broken then a space is printed + (``Spc''). +\item \verb+[i j]+ if the line is broken, the value $j$ is added to the + current indentation for the following line; otherwise $i$ blank spaces + are inserted (``Brk''). +\end{itemize} + +\noindent {\bf Examples :} +It is interesting to test printing rules on ``small'' and ``large'' +expressions in order to see how the break of lines and indentation are +managed. Let's define two constants and make a \verb+Print+ of them to +test the rules. Here are some examples of rules for our constant +\verb+Xor+: + +\begin{coq_example*} +Definition A := True X True. +Definition B := True X True X True X True X True X True X True + X True X True X True X True X True X True. +\end{coq_example*} +\begin{coq_example*} +Syntax constr level 6: + Pxor [<<(Xor $t1 $t2)>>] -> [ $t1:L " X " $t2:E ]. +\end{coq_example*} + + +This rule prints everything in the same line exceeding the line's +width. + +% Avec coq-tex, le bord de l'e'cran n'est pas mate'rialise'. +%\begin{coq_example} +%Print B. +%\end{coq_example} + +\begin{small} +\begin{flushleft} +\verb!Coq < Print B.!\\ +\texttt{\textit{B~=~}}\\ +\texttt{\textit{True~X~True~X~True~X~True~X~True~X~True~X~True~X~True~X~True~X~True~X~Tru}}\\ +\texttt{\textit{e~X~True~X~True}}\\ +\texttt{\textit{~~~~~:~Prop}}\\ +\end{flushleft} +\end{small} + +Let's add some break-points in order to force the printer to break the +line before the operator: + +\begin{coq_example*} +Syntax constr level 6: + Pxor [<<(Xor $t1 $t2)>>] -> [ $t1:L [0 1] " X " $t2:E ]. +\end{coq_example*} + +\begin{coq_example} +Print B. +\end{coq_example} + +The line was correctly broken but there is no indentation at all. To +deal with indentation we use a printing box: + +\begin{coq_example*} +Syntax constr level 6: + Pxor [<<(Xor $t1 $t2)>>] -> + [ [<hov 0> $t1:L [0 1] " X " $t2:E ] ]. +\end{coq_example*} + +With this rule the printing of A is correct, an the printing of B is +indented. + +\begin{coq_example} +Print B. +\end{coq_example} + +If we had chosen the mode \verb+v+ instead of \verb+hov+ : + +\begin{coq_example*} +Syntax constr level 6: + Pxor [<<(Xor $t1 $t2)>>] -> [ [<v 0> $t1:L [0 1] " X " $t2:E ] ]. +\end{coq_example*} + +We would have obtained a vertical presentation: + +\begin{coq_example} +Print A. +\end{coq_example} + +The difference between the presentation obtained with the \verb+hv+ +and \verb+hov+ type box is not evident at first glance. Just for +clarification purposes let's compare the result of this silly rule +using an \verb+hv+ and a \verb+hov+ box type: + +\begin{coq_example*} +Syntax constr level 6: + Pxor [<<(Xor $t1 $t2)>>] -> + [ [<hv 0> "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + [0 0] "----------------------------------------" + [0 0] "ZZZZZZZZZZZZZZZZ" ] ]. +\end{coq_example*} +\begin{coq_example} +Print A. +\end{coq_example} +\begin{coq_example*} +Syntax constr level 6: + Pxor [<<(Xor $t1 $t2)>>] -> + [ [<hov 0> "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + [0 0] "----------------------------------------" + [0 0] "ZZZZZZZZZZZZZZZZ" ] ]. +\end{coq_example*} +\begin{coq_example} +Print A. +\end{coq_example} + +In the first case, as the three strings to be printed do not fit in +the line's width, a vertical presentation is applied. In the second +case, a vertical presentation is applied, but as the last two strings +fit in the line's width, they are printed in the same line. + + +\end{enumerate} + +\subsection{Debugging the printing rules} + + By now, there is almost no semantic check of printing rules in the + system. To find out where the problem is, there are two + possibilities: to analyze the rules looking for the most common + errors or to work in the toplevel tracing the ml code of the + printer. +When the system can't find the proper rule to print an Ast, it prints +\verb+#GENTERM+ \textit{ast}. If you added no printing rule, + it's probably a bug and you can send it to the \Coq\ team. + +\subsubsection{Most common errors} +Here are some considerations that may help to get rid of simple +errors: + +\begin{itemize} +\item make sure that the rule you want to use is not defined in + previously closed section. +\item make sure that {\bf all} non-terminals of your grammar have + their corresponding printing rules. + +\item make sure that the set of printing rules for a certain non + terminal covers all the space of AST values for that non terminal. + +\item the order of the rules is important. If there are two rules + whose patterns superpose (they have common instances) then it is + always the most recent rule that will be retrieved. +\item if there are two rules with the same name and universe the last + one overrides the first one. The system always warns you about + redefinition of rules. +\end{itemize} + +\subsubsection{Tracing the {\ocaml} code of the printer} +Some of the conditions presented above are not easy to verify when +dealing with many rules. In that case tracing the code helps to +understand what is happening. The printers are in the file {\tt +src/typing/printer}. There you will find the functions: + +\begin{itemize} +\item {\tt gencompr} : the printer of commands +\item {\tt gentacpr} : the printer of tactics +\end{itemize} + +These printers are defined in terms of a general printer {\tt +genprint} (this function is located in {\tt src/parsing/esyntax.ml}) +and by instantiating it with the adequate parameters. {\tt genprint} +waits for: the universe to which this AST belongs ({\it tactic}, {\it +constr}), a default printer, the precedence of the AST inherited from +the caller rule and the AST to print. {\tt genprint} looks for a rule +whose pattern matches the AST, and executes in order the printing +orders associated to this rule. Subterms are printed by recursively +calling the generic printer. If no rule matches the AST, the default +printer is used. + +An AST of a universe may have subterms that belong to another +universe. For instance, let $v$ be the AST of the tactic +expression \verb+MyTactic O+. The function {\tt gentacpr} is called +to print $v$. This function instantiates the general printer {\tt +genprint} with the universe {\it tactic}. Note that $v$ has a subterm +$c$ corresponding to the AST of \verb+O+ ($c$ belongs to the universe +{\it constr}). {\tt genprint} will try recursively to print all +subterms of $v$ as belonging to the same universe of $v$. If this is +not possible, because the subterm belongs to another universe, then +the default printer that was given as argument to {\tt genprint} is +applied. The default printer is responsible for changing the universe +in a proper way calling the suitable printer for $c$. + +\medskip\noindent {\bf Technical Remark.} In the file +\verb+PPTactic.v+, there are some rules that do not arise from the +inversion of a parsing rule. They are strongly related to the way the +printing is implemented. + +\begin{coq_example*} +Syntax tactic level 8: + constr [(COMMAND $c)] -> [ (PPUNI$COMMAND $c):E ]. +\end{coq_example*} + +As an AST of tactic may have subterms that are commands, these rules +allow the printer of tactic to change the universe. The +\verb+PPUNI$COMMAND+ is a special identifier used for this +purpose. They are used in the code of the default printer that {\tt +gentacpr} gives to {\tt genprint}. + + +% $Id$ + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/RefMan-tac.tex b/doc/RefMan-tac.tex new file mode 100644 index 000000000..68a50bce7 --- /dev/null +++ b/doc/RefMan-tac.tex @@ -0,0 +1,2172 @@ +\chapter{Tactics} +\index{Tactics} +\label{Tactics} + +A deduction rule is a link between some (unique) formula, that we call +the {\em conclusion} and (several) formul{\ae} that we call the {\em +premises}. Indeed, a deduction rule can be read in two ways. The first +one has the shape: {\it ``if I know this and this then I can deduce +this''}. For instance, if I have a proof of $A$ and a proof of $B$ +then I have a proof of $A \wedge B$. This is forward reasoning from +premises to conclusion. The other way says: {\it ``to prove this I +have to prove this and this''}. For instance, to prove $A \wedge B$, I +have to prove $A$ and I have to prove $B$. This is backward reasoning +which proceeds from conclusion to premises. We say that the conclusion +is {\em the goal}\index{goal} to prove and premises are {\em the +subgoals}\index{subgoal}. The tactics implement {\em backward +reasoning}. When applied to a goal, a tactic replaces this goal with +the subgoals it generates. We say that a tactic reduces a goal to its +subgoal(s). + +Each (sub)goal is denoted with a number. The current goal is numbered +1. By default, a tactic is applied to the current goal, but one can +address a particular goal in the list by writing {\sl n:\tac} which +means {\it ``apply tactic {\tac} to goal number {\sl n}''}. +We can show the list of subgoals by typing {\tt Show} (see section +\ref{Show}). + +Since not every rule applies to a given statement, every tactic cannot be +used to reduce any goal. In other words, before applying a tactic to a +given goal, the system checks that some {\em preconditions} are +satisfied. If it is not the case, the tactic raises an error message. + +Tactics are build from tacticals and atomic tactics. There are, at +least, three levels of atomic tactics. The simplest one implements +basic rules of the logical framework. The second level is the one of +{\em derived rules} which are built by combination of other +tactics. The third one implements heuristics or decision procedures to +build a complete proof of a goal. +%Here is a table of all existing atomic tactics in \Coq: +%\index{atomic tactics} +%\label{atomic-tactics-table} + +\section{Syntax of tactics and tacticals} +\label{tactic-syntax} +\index{tactic@{\tac}} + +A tactic is +applied as an ordinary command. If the tactic does not +address the first subgoal, the command may be preceded by the +wished subgoal number. See figure~\ref{InvokeTactic} for the syntax of +tactic invocation and tacticals. + +\medskip + +\begin{figure} +\begin{center} +\begin{tabular}{|lcl|} +\hline +{\tac} & ::= & \atomictac\\ + & $|$ & {\tt (} {\tac} {\tt )} \\ + & $|$ & {\tac} {\tt Orelse} {\tac}\\ + & $|$ & {\tt Repeat} \tac \\ + & $|$ & {\tt Do} {\num} {\tac} \\ + & $|$ & {\tt Info} \tac \\ + & $|$ & {\tt Try} \tac \\ + & $|$ & {\tt First [} {\tac}{\tt\ | \dots\ | }{\tac} {\tt ]} \\ + & $|$ & {\tt Solve [} {\tac}{\tt\ | \dots\ | }{\tac} {\tt ]} \\ + & $|$ & {\tt Abstract} {\tac} \\ + & $|$ & {\tt Abstract} {\tac} {\tt using} {\ident}\\ + & $|$ & {\tac} {\tt ;} {\tac}\\ + & $|$ & {\tac} {\tt ;[} {\tac} \tt \verb=|= + \dots\ \verb=|= {\tac} {\tt ]} \\ +{\commandtac} & ::= & {\num} {\tt :} {\tac} {\tt .}\\ + & $|$ & {\tac} {\tt .}\\ +\hline +\end{tabular} +\end{center} +\caption{Invocation of tactics and tacticals}\label{InvokeTactic} +\end{figure} + +\begin{Remarks} +\item The infix tacticals {\tt Orelse} and ``\dots\ {\tt ;} \dots'' are +associative. +The tactical {\tt Orelse} binds more than the prefix tacticals +{\tt Try}, {\tt Repeat}, {\tt Do}, {\tt Info} and {\tt Abstract} which +themselves bind more than +the postfix tactical ``{\tt \dots\ ;[ \dots\ ]}'' which +binds more than ``\dots\ {\tt ;} \dots''. + +\noindent For instance + +\noindent {\tt Try Repeat \tac$_1$ Orelse + \tac$_2$;\tac$_3$;[\tac$_{31}$|\dots|\tac$_{3n}$);\tac$_4$)} + +\noindent is understood as + +\noindent {\tt (Try (Repeat (\tac$_1$ Orelse \tac$_2$))); + ((\tac$_3$;[\tac$_{31}$|\dots|\tac$_{3n}$]);\tac$_4$)}. + +\item An {\atomictac} is any of the tactics listed below. +\end{Remarks} + +\section{Explicit proof as a term} + +\subsection{\tt Exact \term} +\tacindex{Exact} +\label{Exact} +This tactic applies to any goal. It gives directly the exact proof +term of the goal. Let {\T} be our goal, let {\tt p} be a term of type +{\tt U} then {\tt Exact p} succeeds iff {\tt T} and {\tt U} are +convertible (see section \ref{conv-rules}). + +\begin{ErrMsgs} +\item \errindex{Not an exact proof} +\end{ErrMsgs} + + +\subsection{\tt Refine \term} +\tacindex{Refine} +\label{Refine} +\index{?@{\texttt{?}}} + +\Rem You need first to require the module {\tt Refine} to use this tactic. + +\noindent +This tactic allows to give an exact proof but still with some +holes. The holes are noted ``\texttt{?}''. + +\begin{ErrMsgs} +\item \errindex{invalid argument}: + the tactic \texttt{Refine} doesn't know what to do + with the term you gave. +\item \texttt{Refine passed ill-formed term}: the term you gave is not + a valid proof (not easy to debug in general). + This message may also occur in higher-level tactics, which call + \texttt{Refine} internally. +\item \errindex{There is an unknown subterm I cannot solve}: + there is a hole in the term you gave + which type cannot be inferred. Put a cast around it. +\end{ErrMsgs} + +This tactic is currently given as an experiment. An example of use is given +in section \ref{Refine-example}. + +\section{Basics} +\index{Typing rules} +Tactics presented in this section implement the basic typing rules of +{\sc Cic} given in chapter \ref{Cic}. + +\subsection{{\tt Assumption}} +\tacindex{Assumption} +This tactic applies to any goal. It implements the +``Var''\index{Typing rules!Var} rule given in section +\ref{Typed-terms}. It looks in the local context for an hypothesis +which type is equal to the goal. If it is the case, the subgoal is +proved. Otherwise, it fails. + +\begin{ErrMsgs} +\item \errindex{No such assumption} +\end{ErrMsgs} + +\subsection{\tt Clear {\ident}.}\tacindex{Clear} +This tactic erases the hypothesis named {\ident} in the local context +of the current goal. Then {\ident} is no more displayed and no more +usable in the proof development. + +\begin{ErrMsgs} +\item {\ident} \errindex{is not among the assumptions.} +\end{ErrMsgs} + +\subsection{\tt Move {\ident$_1$} after {\ident$_2$}.}\tacindex{Move} +This moves the hypothesis named {\ident$_1$} in the local context +after the hypothesis named {\ident$_2$}. + +If {\ident$_1$} comes before {\ident$_2$} in the order of dependences, +then all hypotheses between {\ident$_1$} and {\ident$_2$} which +(possibly indirectly) depend on {\ident$_1$} are moved also. + +If {\ident$_1$} comes after {\ident$_2$} in the order of dependences, +then all hypotheses between {\ident$_1$} and {\ident$_2$} which +(possibly indirectly)) occur in {\ident$_1$} are moved also. + +\begin{ErrMsgs} +\item \errindex{Cannot move {\ident$_1$} after {\ident$_2$}: + it occurs in {\ident$_2$}} +\item \errindex{Cannot move {\ident$_1$} after {\ident$_2$}: + it depends on {\ident$_2$}} +\end{ErrMsgs} + +\subsection{\tt Intro} +\tacindex{Intro} +\label{Intro} +This tactic applies to a goal which is a product. It implements the +``Lam''\index{Typing rules!Lam} rule given in section +\ref{Typed-terms}. Actually, only one subgoal will be generated since the +other one can be automatically checked. + +If the current goal is a dependent product {\tt (x:T)U} and +{\tt x} is a name that does not exist in the current context, then +{\tt Intro} puts {\tt x:T} in the local context. Otherwise, it puts +{\tt x}{\it n}{\tt :T} where {\it n} is such that {\tt x}{\it n} is a +fresh name. The new subgoal is {\tt U}. If the {\tt x} has been +renamed {\tt x}{\it n} then it is replaced by {\tt x}{\it n} in {\tt +U}. + +If the goal is a non dependent product T -> U, then it +puts in the local context either {\tt H}{\it n}{\tt :T} +(if {\tt T} is {\tt Set} or {\tt Prop}) or {\tt X}{\it n}{\tt :T} (if +the type of {\tt T} is {\tt Type}) or {\tt l}{\it n}{\tt :T} with {\it l} +the first letter of the type of x. {\it n} is such that {\tt H}{\it + n} or {\tt X}{\it n} {\tt l}{\it n} or are fresh identifiers. +In both cases the new subgoal is {\tt U}. + +If the goal is not a product, the tactic {\tt Intro} applies the tactic +{\tt Red} until the tactic {\tt Intro} can be applied or the goal is not +reducible. + +\begin{ErrMsgs} +\item \errindex{No product even after head-reduction} +\end{ErrMsgs} + +\Warning: \texttt{{\ident}$_1$ is already used; changed to {\ident}$_2$} + +\begin{Variants} +\item {\tt Intros}\tacindex{Intros}\\ + Repeats {\tt Intro} until it meets the head-constant. It never reduces + head-constants and it never fails. + +\item {\tt Intro {\ident}}\\ + Applies {\tt Intro} but forces {\ident} to be the name of the + introduced hypothesis. + + \ErrMsg \errindex{name {\ident} is already bound } + + \Rem {\tt Intro} doesn't check the whole current context. Actually, + identifiers declared or defined in required modules can be used as + {\ident} and, in this case, the old {\ident} of the module is no + more reachable. + +\item {\tt Intros \ident$_1$ \dots\ \ident$_n$} \\ + Is equivalent to the composed tactic {\tt Intro \ident$_1$; \dots\ ; Intro + \ident$_n$}.\\ +More generally, the \texttt{Intros} tactic takes a pattern as argument + in order to introduce names for components of an inductive + definition, it will be explained in~\ref{Intros-pattern}. +\item {\tt Intros until {\ident}} + \tacindex{Intros until}\\ + Repeats {\tt Intro} until it meets a premise of the goal having form + {\tt (} {\ident}~{\tt :}~{\term} {\tt )} + and discharges the variable named {\ident} of + the current goal. + + \ErrMsg \errindex{No such hypothesis in current goal}\\ + +\item {\tt Intros until {\num}} + \tacindex{Intros until}\\ + Repeats {\tt Intro} until the {\num}-th non-dependant premise. For instance, + on the subgoal \verb+(x,y:nat)x=y->(z:nat)h=x->z=y+ the tactic + \texttt{Intros until 2} is equivalent to \texttt{Intros x y H z H0} (assuming + \texttt{x, y, H, z} and \texttt{H0} do not already occur in context). + + \ErrMsg \errindex{No such hypothesis in current goal}\\ + Happens when {\num} is 0 or is greater than the number of non-dependant + products of the goal. + +\item {\tt Intro after \ident} + \tacindex{Intro after}\\ + Applies {\tt Intro} but puts the introduced + hypothesis after the hypothesis \ident{} in the hypotheses. + +\begin{ErrMsgs} +\item \errindex{No product even after head-reduction} +\item \errindex{No such hypothesis} : {\ident} +\end{ErrMsgs} + +\item {\tt Intro \ident$_1$ after \ident$_2$} + \tacindex{Intro ... after}\\ + Behaves as previously but \ident$_1$ is the name of the introduced + hypothesis. + It is equivalent to {\tt Intro \ident$_1$; Move \ident$_1$ after \ident$_2$}. + +\begin{ErrMsgs} +\item \errindex{No product even after head-reduction} +\item \errindex{No such hypothesis} : {\ident} +\end{ErrMsgs} +\end{Variants} + +\subsection{\tt Apply \term} +\tacindex{Apply}\label{Apply} +This tactic applies to any goal. +The argument {\term} is a term well-formed in the local context. +The tactic {\tt Apply} tries to match the +current goal against the conclusion of the type of {\term}. If it +succeeds, then the tactic returns as many subgoals as the +instantiations of the premises of the type of +{\term}. + +\begin{ErrMsgs} +\item \errindex{Impossible to unify \dots\ with \dots} \\ + Since higher order unification is undecidable, the {\tt Apply} + tactic may fail when you think it should work. In this case, if you + know that the conclusion of {\term} and the current goal are + unifiable, you can help the {\tt Apply} tactic by transforming your + goal with the {\tt Change} or {\tt Pattern} tactics (see sections + \ref{Pattern}, \ref{Change}). + +\item \errindex{Cannot refine to conclusions with meta-variables}\\ + This occurs when some instantiations of premises of {\term} are not + deducible from the unification. This is the case, for instance, when + you want to apply a transitivity property. In this case, you have to + use one of the variants below: +\end{ErrMsgs} + +\begin{Variants} +\item{\tt Apply {\term} with {\term$_1$} \dots\ {\term$_n$}} + \tacindex{Apply \dots\ with}\\ + Provides {\tt Apply} with explicit instantiations for all dependent + premises of the type of {\term} which do not occur in the + conclusion and consequently cannot be found by unification. Notice + that {\term$_1$} \dots\ {\term$_n$} must be given according to the order + of these dependent premises of the type of {\term}. + + \ErrMsg \errindex{Not the right number of missing arguments} + +\item{\tt Apply {\term} with {\vref$_1$} := {\term$_1$} \dots\ {\vref$_n$} + := {\term$_n$}} \\ + This also provides {\tt Apply} with values for instantiating + premises. But variables are referred by names and non dependent + products by order (see syntax in the section~\ref{Binding-list}). + +\item{\tt EApply \term}\tacindex{EApply}\label{EApply}\\ + The tactic {\tt EApply} behaves as {\tt Apply} but does not fail when + no instantiation are deducible for some variables in the premises. + Rather, it turns these variables into so-called existential variables + which are variables still to instantiate. An existential variable is + identified by a name of the form {\tt ?$n$} where $n$ is a number. + The instantiation is intended to be found later in the proof. + + An example of use of {\tt EApply} is given in section + \ref{EApply-example}. + +\item{\tt LApply {\term}} \tacindex{LApply} \\ + + This tactic applies to any goal, say {\tt G}. The argument {\term} + has to be well-formed in the current context, its type being + reducible to a non-dependent product {\tt A -> B} with {\tt B} + possibly containing products. Then it generates two subgoals {\tt + B->G} and {\tt A}. Applying {\tt LApply H} (where {\tt H} has type + {\tt A->B} and {\tt B} does not start with a product) does the same + as giving the sequence {\tt Cut B. 2:Apply H.} where {\tt Cut} is + described below. + + \Warning Be careful, when {\term} contains more than one non + dependent product the tactic {\tt LApply} only takes into account the + first product. + +\end{Variants} + +\subsection{\tt Let {\ident} {\tt :=} {\term} {\tt in} + {\tt Goal}}\tacindex{Let} + +This replaces {\term} by {\ident} in the goal and add the +equality {\ident {\tt =} \term} in the local context. + +\begin{Variants} +\item {\tt Let {\ident$_0$} {\tt :=} {\term} {\tt in} {\ident$_1$}} + +This behaves the same but substitutes {\term} not in the goal but in +the hypothesis named {\ident$_1$}. + +\item {\tt Let {\ident$_0$} {\tt :=} {\term} {\tt in} {\num$_1$} \dots\ +{\num$_n$} {\ident$_1$}} + +This notation allows to specify which occurrences of the hypothesis +named {\ident$_1$} (or the goal if {\ident$_1$} is +the word {\tt Goal}) should be substituted. The occurrences are numbered +from left to right. A negative occurrence number means an occurrence +which should not be substituted. + +\item {\tt Let {\ident$_0$} {\tt :=} {\term} {\tt in} {\num$_1^1$} \dots\ +{\num$_{n_1}^1$} {\ident$_1$} \dots {\num$_1^m$} \dots\ +{\num$_{n_m}^m$} {\ident$_m$}} + +This is the general form. It substitutes {\term} at occurrences +{\num$_1^i$} \dots\ {\num$_{n_i}^i$} of hypothesis {\ident$_i$}. One +of the {\ident}'s may be the word {\tt Goal}. +\end{Variants} + +\subsection{\tt Cut {\form}}\tacindex{Cut} +This tactic applies to any goal. It implements the +``App''\index{Typing rules!App} rule given in section +\ref{Typed-terms}. {\tt Cut U} transforms the current goal \texttt{T} +into the two following subgoals: {\tt U -> T} and \texttt{U}. + +\begin{ErrMsgs} +\item \errindex{Not a proposition or a type}\\ + Arises when the argument {\form} is neither of type {\tt Prop}, {\tt + Set} nor {\tt Type}. +\end{ErrMsgs} + +% +% PAS CLAIR; +% DEVRAIT AU MOINS FAIRE UN INTRO; +% DEVRAIT ETRE REMPLACE PAR UN LET; +% MESSAGE D'ERREUR STUPIDE +% POURQUOI Specialize trans_equal ECHOUE ? +%\begin{Variants} +%\item {\tt Specialize \term} +% \tacindex{Specialize} \\ +% The argument {\tt t} should be a well-typed +% term of type {\tt T}. This tactics is to make a cut of a +% proposition when you have already the proof of this proposition +% (for example it is a theorem applied to variables of local +% context). It is equivalent to {\tt Cut T. 2:Exact t}. +% +%\item {\tt Specialize {\term} with \vref$_1$ := {\term$_1$} \dots +% \vref$_n$ := \term$_n$} +% \tacindex{Specialize \dots\ with} \\ +% It is to provide the tactic with some explicit values to instantiate +% premises of {\term} (see section \ref{Binding-list}). +% Some other premises are inferred using type information and +% unification. The resulting well-formed +% term being {\tt (\term~\term'$_1$\dots\term'$_k$)} +% this tactic behaves as is used as +% {\tt Specialize (\term~\term'$_1$\dots\term'$_k$)} \\ +% +% \ErrMsg {\tt Metavariable wasn't in the metamap} \\ +% Arises when the information provided in the bindings list is not +% sufficient. +%\item {\tt Specialize {\num} {\term} with \vref$_1$ := {\term$_1$} \dots\ +% \vref$_n$:= \term$_n$}\\ +% The behavior is the same as before but only \num\ premises of +% \term\ will be kept. +%\end{Variants} + +\subsection{\tt Generalize \term} +\tacindex{Generalize}\label{Generalize} +This tactic applies to any goal. It generalizes the conclusion w.r.t. one +subterm of it. For example: + +\begin{coq_eval} +Goal (x,y:nat) (le O (plus (plus x y) y)). +Intros. +\end{coq_eval} +\begin{coq_example} +Show. +Generalize (plus (plus x y) y). +\end{coq_example} + +\begin{coq_eval} +Abort. +\end{coq_eval} + +If the goal is $G$ and $t$ is a subterm of type $T$ +in the goal, then {\tt Generalize} \textit{t} replaces the goal by {\tt +(x:$T$)$G'$} where $G'$ is obtained from $G$ by replacing all +occurrences of $t$ by {\tt x}. The name of the variable (here {\tt x}) +is chosen accordingly to $T$. + +\begin{Variants} +\item {\tt Generalize \term$_1$ \dots\ \term$_n$} \\ + Is equivalent to {\tt Generalize \term$_n$; \dots\ ; Generalize + \term$_1$}. Note that the sequence of \term$_i$'s are processed from + $n$ to $1$. + +\item {\tt Generalize Dependent \term} \\ +\tacindex{Generalize Dependent} + This generalizes {\term} but + also {\em all} hypotheses which depend on {\term}. + +\end{Variants} + +\subsection{\tt Change \term} +\tacindex{Change}\label{Change} +This tactic applies to any goal. It implements the rule +``Conv''\index{Typing rules!Conv} given in section \ref{Conv}. +{\tt Change U} replaces the current goal \T\ with a \U\ providing +that \U\ is well-formed and that \T\ and \U\ are +convertible. + +\begin{ErrMsgs} +\item \errindex{convert-concl rule passed non-converting term} +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Change {\term} in {\ident}}\\ + \tacindex{Change \dots\ in} + This applies the {\tt Change} tactic not to the goal but to the + hypothesis {\ident}. +\end{Variants} + +\SeeAlso \ref{Conversion-tactics} + +\subsection{Bindings list} +\index{Binding list}\label{Binding-list} +\index[tactic]{Binding list} +A bindings list is generally used after the keyword {\tt with} in +tactics. The general shape of a bindings list is {\tt \vref$_1$ := + \term$_1$ \dots\ \vref$_n$ := \term$_n$} where {\vref} is either an +{\ident} or a {\num}. It is used to provide a tactic with a list of +values (\term$_1$, \dots, \term$_n$) that have to be substituted +respectively to \vref$_1$, \dots, \vref$_n$. For all $i \in [1\dots\ n]$, if +\vref$_i$ is \ident$_i$ then it references the dependent product {\tt + \ident$_i$:T} (for some type \T); if \vref$_i$ is \num$_i$ then it +references the \num$_i$-th non dependent premise. + +A bindings list can also be a simple list of terms {\tt \term$_1$ +\term$_2$ \dots\term$_n$}. In that case the references to which these +terms correspond are determined by the tactic. In case of {\tt Elim +\term} (see section \ref{Elim}) the terms should correspond to all the dependent products in +the type of \term\ while in the case of {\tt Apply \term} only the +dependent products which are not bound in the conclusion of the type +are given. + + +\section{Negation and contradiction} + +\subsection{\tt Absurd \term} +\tacindex{Absurd}\label{Absurd} + +This tactic applies to any goal. The argument {\term} is any +proposition {\tt P} of type {\tt Prop}. This tactic applies {\tt +False} elimination, that is it deduces the current goal from {\tt False}, +and generates as +subgoals {\tt $\sim$P} and {\tt P}. It is very useful in proofs by +cases, where some cases are impossible. In most cases, +\texttt{P} or $\sim$\texttt{P} is one of the hypotheses of the local +context. + +\subsection{\tt Contradiction} +\label{Contradiction} +\tacindex{Contradiction} + +This tactic applies to any goal. The {\tt Contradiction} tactic +attempts to find in the current context (after all {\tt Intros}) one +which is equivalent to {\tt False}. It permits to prune irrelevant +cases. This tactic is a macro for the tactics sequence {\tt Intros; + ElimType False; Assumption}. + +\begin{ErrMsgs} +\item \errindex{No such assumption} +\end{ErrMsgs} + + +\section{Conversion tactics} +\index{Conversion tactics} +\index[tactic]{Conversion tactics} +\label{Conversion-tactics} + +This set of tactics implements different specialized usages of the +tactic \texttt{Change}. + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%voir reduction__conv_x : histoires d'univers. +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +\subsection{{\tt Cbv} \flag$_1$ \dots\ \flag$_n$, {\tt Lazy} \flag$_1$ +\dots\ \flag$_n$ and {\tt Compute}} +\tacindex{Cbv}\tacindex{Lazy} + +These parameterized reduction tactics apply to any goal and perform +the normalization of the goal according to the specified flags. Since +the reduction considered in \Coq\ include $\beta$ (reduction of +functional application), $\delta$ (unfolding +of transparent constants, see \ref{Transparent}) +and $\iota$ (reduction of {\tt Cases}, {\tt Fix} and {\tt +CoFix} expressions), every flag is one of {\tt Beta}, {\tt Delta}, +{\tt Iota}, {\tt [\ident$_1$\ldots\ident$_k$]} and +{\tt -[\ident$_1$\ldots\ident$_k$]}. +The last two flags give the list of +constants to unfold, or the list of constants not to unfold. These two +flags can occur only after the {\tt Delta} flag. The goal may be +normalized with two strategies: {\em lazy} ({\tt Lazy} tactic), or +{\em call-by-value} ({\tt Cbv} tactic). + +The lazy strategy is a call-by-need strategy, with sharing of +reductions: the arguments of a function call are partially evaluated +only when necessary, but if an argument is used several times, it is +computed only once. This reduction is efficient for reducing +expressions with dead code. For instance, the proofs of a proposition +$\exists_T ~x. P(x)$ reduce to a pair of a witness $t$, and a proof +that $t$ verifies the predicate $P$. Most of the time, $t$ may be +computed without computing the proof of $P(t)$, thanks to the lazy +strategy. + +The call-by-value strategy is the one used in ML languages: the +arguments of a function call are evaluated first, using a weak +reduction (no reduction under the $\lambda$-abstractions). Despite the +lazy strategy always performs fewer reductions than the call-by-value +strategy, the latter should be preferred for evaluating purely +computational expressions (i.e. with few dead code). + +\begin{Variants} +\item {\tt Compute}\\ + \tacindex{Compute} + This tactic is an alias for {\tt Cbv Beta Delta Iota}. +\end{Variants} + +\begin{ErrMsgs} +\item \errindex{Delta must be specified before}\\ + A list of constants appeared before the {\tt Delta} flag. +\end{ErrMsgs} + + +\subsection{{\tt Red}} +\tacindex{Red} +This tactic applies to a goal which have form {\tt (x:T1)\dots(xk:Tk)(c + t1 \dots\ tn)} where {\tt c} is a constant. If {\tt c} is transparent +then it replaces {\tt c} with its definition (say {\tt t}) and then +reduces {\tt (t t1 \dots\ tn)} according to $\beta\iota$-reduction rules. + +\begin{ErrMsgs} +\item \errindex{Term not reducible} +\end{ErrMsgs} + +\subsection{{\tt Hnf}} +\tacindex{Hnf} +This tactic applies to any goal. It replaces the current goal with its +head normal form according to the $\beta\delta\iota$-reduction +rules. {\tt Hnf} does not produce a real head normal form but either a +product or an applicative term in head normal form or a variable. + +\Example +The term \verb+(n:nat)(plus (S n) (S n))+ is not reduced by {\tt Hnf}. + +\Rem The $\delta$ rule will only be applied to transparent constants +(i.e. which have not been frozen with an {\tt Opaque} command; see +section \ref{Opaque}). + +\subsection{\tt Simpl} +\tacindex{Simpl} +This tactic applies to any goal. The +tactic {\tt Simpl} first applies $\beta\iota$-reduction rule. +Then it expands transparent constants and tries to reduce {\tt T'} +according, once more, to +$\beta\iota$ rules. But when the $\iota$ rule is not applicable then +possible $\delta$-reductions are not applied. For instance trying to +use {\tt Simpl} on {\tt (plus n O)=n} will change nothing. + +\subsection{\tt Unfold \ident} +\tacindex{Unfold}\label{Unfold} +This tactic applies to any goal. The argument {\ident} must be the +name of a defined transparent constant (see section +\ref{Simpl-definitions} and \ref{Transparent}). +The tactic {\tt Unfold} applies the +$\delta$ rule to each occurrence of {\ident} in the current goal and +then replaces it with its $\beta\iota$-normal form. + +\Warning If the constant is opaque, nothing will happen and no warning +is printed. +\begin{ErrMsgs} +\item {\ident} \errindex{does not occur} +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Unfold {\ident}$_1$ \dots\ \ident$_n$}\\ + \tacindex{Unfold \dots\ in} + Replaces {\em simultaneously} {\ident}$_1$, \dots, {\ident}$_n$ with + their definitions and replaces the current goal with its + $\beta\iota$ normal form. +\item {\tt Unfold \num$_1^1$ \dots\ \num$_i^1$ {\ident}$_1$ \dots\ \num$_1^n$ + \dots\ \num$_j^n$ \ident$_n$}\\ + The lists \num$_1^1$, \dots, \num$_i^1$ and \num$_1^n$, \dots, \num$_j^n$ + are to specify the occurrences of {\ident}$_1$, \dots, \ident$_n$ to be + unfolded. Occurrences are located from left to right in the linear + notation of terms.\\ + \ErrMsg {\tt bad occurrence numbers of {\ident}$_i$} +\end{Variants} + +\subsection{{\tt Fold} \term} +\tacindex{Fold} + +This tactic applies to any goal. \term\ is reduced using the {\tt Red} +tactic. Every occurrence of the resulting term in the goal is then +substituted for \term. + +\begin{Variants} +\item {\tt Fold} \term$_1$ \dots\ \term$_n$ \\ + Equivalent to {\tt Fold} \term$_1${\tt;}\ldots{\tt; Fold} \term$_n$. +\end{Variants} + +\subsection{{\tt Pattern {\term}}} +\tacindex{Pattern}\label{Pattern} +This command applies to any goal. The argument {\term} must be a free +subterm of the current goal. The command {\tt Pattern} performs +$\beta$-expansion (the inverse of $\bt$-reduction) +of the current goal (say \T) by +\begin{enumerate} +\item replacing all occurrences of {\term} in {\T} with a fresh variable +\item abstracting this variable +\item applying the abstracted goal to {\term} +\end{enumerate} +For instance, if the current goal {\T} is {\tt (P t)} when {\tt t} does not occur in +{\tt P} then {\tt Pattern t} transforms it into {\tt ([x:A](P x) t)}. This +command has to be used, for instance, when an {\tt Apply} command +fails on matching. + +\begin{Variants} +\item {\tt Pattern {\num$_1$} \dots\ {\num$_n$} {\term}}\\ + Only the occurrences {\num$_1$} \dots\ {\num$_n$} of {\term} will be + considered for $\beta$-expansion. Occurrences are located from left + to right. +\item {\tt Pattern {\num$_1^1$} \dots\ {\num$_{n_1}^1$} {\term$_1$} \dots + {\num$_1^m$} \dots\ {\num$_{n_m}^m$} {\term$_m$}}\\ + Will process occurrences \num$_1^1$, \dots, \num$_i^1$ of \term$_1$, + \dots, \num$_1^m$, \dots, \num$_j^m$ of \term$_m$ starting from \term$_m$. + Starting from a goal {\tt (P t$_1$\dots\ t$_m$)} with the {\tt + t$_i$} which do not occur in $P$, the tactic {\tt Pattern + t$_1$\dots\ t$_m$} generates the equivalent goal {\tt + ([x$_1$:A$_1$]\dots\ [x$_m$:A$_m$](P x$_1$\dots\ x$_m$) + t$_1$\dots\ t$_m$)}.\\ + If $t_i$ occurs in one of the generated types A$_j$ these + occurrences will also be considered and possibly abstracted. +\end{Variants} + +\subsection{Conversion tactics applied to hypotheses} + +{\convtactic} {\tt in} \ident$_1$ \dots\ \ident$_n$ \\ +Applies the conversion tactic {\convtactic} to the +hypotheses \ident$_1$, \ldots, \ident$_n$. The tactic {\convtactic} is +any of the conversion tactics listed in this section. + +\begin{ErrMsgs} +\item \errindex{No such hypothesis} : {\ident}. +\end{ErrMsgs} + + +\section{Introductions} +Introduction tactics address goals which are inductive constants. +They are used when one guesses that the goal can be obtained with one +of its constructors' type. + +\subsection{\tt Constructor \num} +\label{Constructor} +\tacindex{Constructor} +This tactic applies to a goal such +that the head of its conclusion is an inductive constant (say {\tt + I}). The argument {\num} must be less or equal to the numbers of +constructor(s) of {\tt I}. Let {\tt ci} be the {\tt i}-th constructor +of {\tt I}, then {\tt Constructor i} is equivalent to {\tt Intros; + Apply ci}. + +\begin{ErrMsgs} +\item \errindex{Not an inductive product} +\item \errindex{Not enough Constructors} +\end{ErrMsgs} + +\begin{Variants} +\item \texttt{Constructor} This tries \texttt{Constructor 1} then + \texttt{Constructor 2}, \dots\ , then \texttt{Constructor} \textit{n} + where \textit{n} if the number of constructors of the head of the + goal. +\item {\tt Constructor \num~with} {\bindinglist} + \tacindex{Constructor \dots\ with}\\ + Let {\tt ci} be the {\tt i}-th constructor of {\tt I}, then {\tt + Constructor i with \bindinglist} is equivalent to {\tt Intros; Apply ci + with \bindinglist}. + + \Warning the terms in the \bindinglist\ are checked + in the context where {\tt Constructor} is executed and not in the + context where {\tt Apply} is executed (the introductions are not + taken into account). +\item {\tt Split}\tacindex{Split}\\ + Applies if {\tt I} has only one constructor, typically in the case + of conjunction $A\wedge B$. It is equivalent to {\tt Constructor 1}. +\item {\tt Exists {\bindinglist}}\tacindex{Exists} \\ + Applies if {\tt I} has only one constructor, for instance in the + case of existential quantification $\exists x\cdot P(x)$. + It is equivalent to {\tt Intros; Constructor 1 with \bindinglist}. +\item {\tt Left}\tacindex{Left}, {\tt Right}\tacindex{Right}\\ + Apply if {\tt I} has two constructors, for instance in the case of + disjunction $A\vee B$. They are respectively equivalent to {\tt + Constructor 1} and {\tt Constructor 2}. +\item {\tt Left \bindinglist}, {\tt Right \bindinglist}, + {\tt Split \bindinglist} \\ + Are equivalent to the corresponding {\tt Constructor $i$ with \bindinglist}. +\end{Variants} + +\section{Eliminations (Induction and Case Analysis)} +Elimination tactics are useful to prove statements by induction or +case analysis. +Indeed, they make use of the elimination (or induction) principles +generated with inductive definitions (see section +\ref{Cic-inductive-definitions}). + +\subsection{\tt Elim \term} +\tacindex{Elim}\label{Elim} +This tactic applies to any goal. The type of the argument +{\term} must be an inductive constant. Then according to the type of +the goal, the tactic {\tt Elim} chooses the right destructor and +applies it (as in the case of the {\tt Apply} tactic). For instance, +assume that our proof context contains {\tt n:nat}, assume that our +current goal is {\tt T} of type {\tt Prop}, then +{\tt Elim n} is equivalent to {\tt Apply nat\_ind with n:=n}. + +\begin{ErrMsgs} +\item \errindex{Not an inductive product} +\item \errindex{Cannot refine to conclusions with meta-variables}\\ As {\tt + Elim} uses {\tt Apply}, see section \ref{Apply} and the variant + {\tt Elim \dots\ with \dots} below. +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Elim \term} also works when the type of {\term} starts with + products and the head symbol is an inductive definition. In that + case the tactic tries both to find an object in the inductive + definition and to use this inductive definition for elimination. In + case of non-dependent products in the type, subgoals are generated + corresponding to the hypotheses. In the case of dependent products, + the tactic will try to find an instance for which the elimination + lemma applies. + +\item {\tt Elim {\term} with \term$_1$ \dots\ \term$_n$} + \tacindex{Elim \dots\ with} \\ + Allows the user to give explicitly the values for dependent + premises of the elimination schema. All arguments must be given.\\ + \ErrMsg \errindex{Not the right number of dependent arguments} +\item{\tt Elim {\term} with {\vref$_1$} := {\term$_1$} \dots\ {\vref$_n$} + := {\term$_n$}} \\ + Provides also {\tt Elim} with values for instantiating premises by + associating explicitly variables (or non dependent products) with + their intended instance. +\item{\tt Elim {\term$_1$} using {\term$_2$}} +\tacindex{Elim \dots\ using} \\ + Allows the user to give explicitly an elimination predicate + {\term$_2$} which is not the standard one for the underlying + inductive type of {\term$_1$}. Each of the {\term$_1$} and {\term$_2$} is + either a simple term or a term with a bindings list (see + \ref{Binding-list}). +\item {\tt ElimType \form}\tacindex{ElimType}\\ + The argument {\form} must be inductively defined. {\tt ElimType I} + is equivalent to {\tt Cut I. Intro H{\rm\sl n}; Elim H{\rm\sl n}; + Clear H{\rm\sl n}} + Therefore the hypothesis {\tt H{\rm\sl n}} will not appear in the + context(s) of the subgoal(s).\\ + Conversely, if {\tt t} is a term of (inductive) type {\tt I} and + which does not occur in the goal then + {\tt Elim t} is equivalent to {\tt ElimType I; 2: Exact t.} + + \ErrMsg \errindex{Impossible to unify \dots\ with \dots} \\ Arises when + {\form} needs to be applied to parameters. + +\item {\tt Induction \ident}\tacindex{Induction}\\ + When {\ident} is a quantified variable of the goal, this is + equivalent to {\tt Intros until {\ident}; Pattern {\ident}; Elim + {\ident}} + + Otherwise, it behaves as a ``user-friendly'' version of {\tt Elim + \ident}: it does not duplicate {\ident} after induction and it + automatically generalizes the hypotheses dependent on {\ident} or + dependent on some atomic arguments of the inductive type of {\ident}. + +\item {\tt Induction {\num}}\\ + Is analogous to {\tt Induction {\ident}} but for the {\num}-th + non-dependent premise of the goal. +\end{Variants} + +\subsection{\tt Case \term}\label{Case}\tacindex{Case} +The tactic {\tt Case} is used to perform case +analysis without recursion. The type of {\term} must be inductively defined. + +\begin{Variants} +\item {\tt Case {\term} with \term$_1$ \dots\ \term$_n$} + \tacindex{Case \dots\ with}\\ + Analogous to {\tt Elim \dots\ with} above. +\item {\tt Destruct \ident}\tacindex{Destruct}\\ + Is equivalent to the tactical {\tt Intros Until \ident; Case \ident}. +\item {\tt Destruct {\num}}\\ + Is equivalent to {\tt Destruct {\ident}} but for the {\num}-th non + dependent premises of the goal. +\end{Variants} + +\subsection{\tt Intros \pattern}\label{Intros-pattern}\tacindex{Intros} + +The tactic {\tt Intros} applied to a pattern performs both +introduction of variables and case analysis in order to give names to +components of an hypothesis. + +A pattern is either: +\begin{itemize} +\item a variable +\item a list of patterns: $p_1~\ldots~p_n$ +\item a disjunction of patterns: {\tt [}$p_1$ {\tt |} {\ldots} {\tt +|} $p_n$ {\tt ]} +\item a conjunction of patterns: {\tt (} $p_1$ {\tt ,} {\ldots} {\tt +,} $p_n$ {\tt )} +\end{itemize} + +The behavior of \texttt{Intros} is defined inductively over the +structure of the pattern given as argument: +\begin{itemize} +\item introduction on a variable behaves like described in~\ref{Intro}; +\item introduction over a +list of patterns $p_1~\ldots~p_n$ is equivalent to the sequence of +introductions over the patterns namely: +\texttt{Intros $p_1$;\ldots; Intros $p_n$}, the goal should start with +at least $n$ products; +\item introduction over a +disjunction of patterns $[p_1~|~~\ldots~|~p_n]$, it +introduces a new variable $X$, its type should be an inductive +definition with $n$ +constructors, then it performs a case analysis over $X$ +(which generates $n$ subgoals), it +clears $X$ and performs on each generated subgoals the corresponding +\texttt{Intros}~$p_i$ tactic; +\item introduction over a +conjunction of patterns $(p_1,\ldots,p_n)$, it +introduces a new variable $X$, its type should be an inductive +definition with $1$ +constructor with (at least) $n$ arguments, then it performs a case +analysis over $X$ +(which generates $1$ subgoal with at least $n$ products), it +clears $X$ and performs an introduction over the list of patterns $p_1~\ldots~p_n$. +\end{itemize} +\begin{coq_example} +Lemma intros_test : (A,B,C:Prop)(A\/(B/\C))->(A->C)->C. +Intros A B C [a|(b,c)] f. +Apply (f a). +Proof c. +\end{coq_example} + +%\subsection{\tt FixPoint \dots}\tacindex{Fixpoint} +%Not yet documented. + +\subsection {\tt Double Induction \num$_1$ \num$_2$} +\tacindex{Double Induction} +This tactic applies to any goal. If the \num$_1$th and \num$_2$th +premises of the goal have an inductive type, then this tactic +performs double induction on these premises. +For instance, if the current goal is \verb+(n,m:nat)(P n m)+ then, +{\tt Double Induction 1 2} yields the four cases with their respective +inductive hypothesis. In particular the case for +\verb+(P (S n) (S m))+ +with the inductive hypothesis about both \verb+n+ and \verb+m+. + +\subsection{\tt Decompose [ {\ident} \dots\ {\idents} ] \term} +\label{Decompose} +\tacindex{Decompose} +This tactic allows to recursively decompose a +complex proposition in order to obtain atomic ones. +Example: + +\begin{coq_eval} +Reset Initial. +\end{coq_eval} +\begin{coq_example} +Lemma ex1: (A,B,C:Prop)(A/\B/\C \/ B/\C \/ C/\A) -> C. +Intros A B C H; Decompose [and or] H; Assumption. +\end{coq_example} +\begin{coq_example*} +Qed. +\end{coq_example*} + +\begin{Variants} + +\item {\tt Decompose Sum \term}\tacindex{Decompose Sum} + This decomposes sum types (like \texttt{or}). +\item {\tt Decompose Record \term}\tacindex{Decompose Record} + This decomposes record types (inductive types with one constructor, + like \texttt{and} and \texttt{exists} and those defined with the + \texttt{Record} macro, see p. \pageref{Record}). +\end{Variants} + +\section{Equality} +These tactics use the equality {\tt +eq:(A:Set)A->A->Prop} defined in file {\tt Logic.v} and the equality +{\tt eqT:(A:Type)A->A->Prop} defined in file {\tt +Logic\_Type.v} (see section \ref{Equality}). They +are simply written {\tt t=u} and {\tt t==u}, +respectively. In the following, the notation {\tt +t=u} will represent either one of these two +equalities. + +\subsection{\tt Rewrite \term} +\label{Rewrite} +\tacindex{Rewrite} +This tactic applies to any goal. The type of {\term} +must have the form + +\texttt{(x$_1$:A$_1$) \dots\ (x$_n$:A$_n$)}\term$_1${\tt =}\term$_2$. + +\noindent Then {\tt Rewrite \term} replaces every occurrence of +\term$_1$ by \term$_2$ in the goal. Some of the variables x$_1$ are +solved by unification, and some of the types \texttt{A}$_1$, \dots, +\texttt{A}$_n$ become new subgoals. + +\Rem In case the type of +\term$_1$ contains occurrences of variables bound in the +type of \term, the tactic tries first to find a subterm of the goal +which matches this term in order to find a closed instance \term$'_1$ +of \term$_1$, and then all instances of \term$'_1$ will be replaced. + +\begin{ErrMsgs} +\item \errindex{No equality here} +\item \errindex{Failed to progress}\\ +This happens if \term$_1$ does not occur in the goal. +\end{ErrMsgs} + +\begin{Variants} +\item {\tt Rewrite -> {\term}}\tacindex{Rewrite ->}\\ + Is equivalent to {\tt Rewrite \term} + +\item {\tt Rewrite <- {\term}}\tacindex{Rewrite <-}\\ + Uses the equality \term$_1${\tt=}\term$_2$ from right to left + +\item {\tt Rewrite {\term} in {\ident}} + \tacindex{Rewrite \dots\ in}\\ + Analogous to {\tt Rewrite {\term}} but rewriting is done in the + hypothesis named {\ident}. + +\item {\tt Rewrite -> {\term} in {\ident}} + \tacindex{Rewrite -> \dots\ in}\\ + Behaves as {\tt Rewrite {\term} in {\ident}}. + +\item {\tt Rewrite <- {\term} in {\ident}}\\ + \tacindex{Rewrite <- \dots\ in} + Uses the equality \term$_1${\tt=}\term$_2$ from right to left to + rewrite in the hypothesis named {\ident}. +\end{Variants} + + +\subsection{\tt CutRewrite -> \term$_1$ = \term$_2$} +\label{CutRewrite} +\tacindex{CutRewrite} + +This tactic acts like {\tt Replace {\term$_1$} with {\term$_2$}} +(see below). + +\subsection{\tt Replace {\term$_1$} with {\term$_2$}} +\tacindex{Replace \dots\ with} +This tactic applies to any goal. It replaces all free occurrences of +{\term$_1$} in the current goal with {\term$_2$} and generates the +equality {\term$_2$}{\tt =}{\term$_1$} as a subgoal. It is equivalent +to {\tt Cut \term$_1$=\term$_2$; Intro H{\sl n}; Rewrite H{\sl n}; + Clear H{\sl n}}. + +%N'existe pas... +%\begin{Variants} +% +%\item {\tt Replace {\term$_1$} with {\term$_2$} in \ident} +% This replaces {\term$_1$} with {\term$_2$} in the hypothesis named +% \ident, and generates the subgoal {\term$_2$}{\tt =}{\term$_1$}. +% \begin{ErrMsgs} +% \item \errindex{No such hypothesis} +% \end{ErrMsgs} +% +%\end{Variants} + +\subsection{\tt Reflexivity} +\label{Reflexivity} +\tacindex{Reflexivity} +This tactic applies to a goal which has the form {\tt t=u}. It checks +that {\tt t} and {\tt u} are convertible and then solves the goal. +It is equivalent to {\tt Apply refl\_equal} (or {\tt Apply + refl\_equalT} for an equality in the \Type universe). + +\begin{ErrMsgs} +\item \errindex{Not a predefined equality} +\item \errindex{Impossible to unify \dots\ With ..} +\end{ErrMsgs} + +\subsection{\tt Symmetry}\tacindex{Symmetry} +This tactic applies to a goal which have form {\tt t=u} +(resp. \texttt{t==u}) and changes it into {\tt u=t} (resp. \texttt{u==t}). + +\subsection{\tt Transitivity \term}\tacindex{Transitivity} +This tactic applies to a goal which have form {\tt t=u} +and transforms it into the two subgoals +{\tt t={\term}} and {\tt {\term}=u}. + +\section{Equality and inductive sets} +We describe in this section some special purpose +tactics dealing with equality and inductive sets or +types. These tactics use the equalities {\tt +eq:(A:Set)A->A->Prop} defined in file {\tt Logic.v} +and {\tt eqT:(A:Type)A->A->Prop} defined in file +{\tt Logic\_Type.v} (see section \ref{Equality}). +They are written {\tt t=u} and {\tt t==u}, +respectively. In the following, unless it is stated +otherwise, the notation {\tt t=u} will represent +either one of these two equalities. + +\subsection{\tt Decide Equality} +\label{DecideEquality} +\tacindex{Decide Equality} +This tactic solves a goal of the form +$(x,y:R)\{x=y\}+\{\verb|~|x=y\}$, where $R$ is an inductive type +such that its constructors do not take proofs or functions as +arguments, nor objects in dependent types. + +\begin{Variants} +\item {\tt Decide Equality {\term}$_1$ {\term}$_2$ }.\\ + Solves a goal of the form {\tt \{}\term$_1${\tt =}\term$_2${\tt +\}+\{\verb|~|}\term$_1${\tt =}\term$_2${\tt \}}. +\end{Variants} + +\subsection{\tt Compare \term$_1$ \term$_2$} +\tacindex{Compare} +This tactic compares two given objects \term$_1$ and \term$_2$ +of an inductive datatype. If $G$ is the current goal, it leaves the sub-goals +\term$_1${\tt =}\term$_2$ {\tt ->} $G$ and \verb|~|\term$_1${\tt =}\term$_2$ +{\tt ->} $G$. The type +of \term$_1$ and \term$_2$ must satisfy the same restrictions as in the tactic +\texttt{Decide Equality}. + +\subsection {\tt Discriminate {\ident}} +\label{Discriminate} +\tacindex{Discriminate} +This tactic proves any goal from an absurd +hypothesis stating that two structurally different terms of an +inductive set are equal. For example, from the hypothesis {\tt (S (S + O))=(S O)} we can derive by absurdity any proposition. Let {\ident} +be a hypothesis of type {\tt{\term$_1$} = {\term$_2$}} in the local +context, {\term$_1$} and {\term$_2$} being elements of an inductive set. +To build the proof, the tactic traverses the normal +forms\footnote{Recall: opaque constants will not be expanded by + $\delta$ reductions} of {\term$_1$} and {\term$_2$} looking for a +couple of subterms {\tt u} and {\tt w} ({\tt u} subterm of the normal +form of {\term$_1$} and {\tt w} subterm of the normal form of +{\term$_2$}), placed at the same positions and whose +head symbols are two different constructors. If such a couple of subterms +exists, then the proof of the current goal is completed, +otherwise the tactic fails. + +\begin{ErrMsgs} +\item {\ident} \errindex{Not a discriminable equality} + occurs when the type of + the specified hypothesis is an equation but does not verify the + expected preconditions. +\item {\ident }\errindex{Not an equation} occurs when the type of the specified + hypothesis is not an equation. +\end{ErrMsgs} + + +\begin{Variants} +\item {\tt Discriminate}\tacindex{Discriminate} \\ + It applies to a goal of the form {\tt + \verb=~={\term$_1$}={\term$_2$}} and it is equivalent to: + {\tt Unfold not; Intro {\ident}} ; {\tt Discriminate + {\ident}}. + + \begin{ErrMsgs} + \item \errindex{goal does not satisfy the expected preconditions}. + \item \errindex{Not a discriminable equality} + \end{ErrMsgs} + +\item {\tt Simple Discriminate} + \tacindex{Simple Discriminate} \\ + This tactic applies to a goal which has the form + \verb=~=\term$_1$=\term$_2$ where {\term$_1$} and {\term$_2$} + belong to an inductive set and $=$ denotes the equality \texttt{eq}. + This tactic proves trivial disequalities such as + {\verb.~O=(S n).} It checks that the head symbols of the head normal + forms of {\term$_1$} and {\term$_2$} are not the same constructor. + When this is the case, the current goal is solved. + + \begin{ErrMsgs} + \item \errindex{Not a discriminable equality} + \end{ErrMsgs} + +\end{Variants} + +\subsection{\tt Injection {\ident}} +\label{Injection} +\tacindex{Injection} +The {\tt Injection} tactic is based on the fact that constructors of +inductive sets are injections. That means that if $c$ is a constructor +of an inductive set, and if $(c~\vec{t_1})$ and $(c~\vec{t_2})$ are two +terms that are equal then $~\vec{t_1}$ and $~\vec{t_2}$ are equal +too. + +If {\ident} is an hypothesis of type {\tt {\term$_1$} = {\term$_2$}}, +then {\tt Injection} behaves as applying injection as deep as possible to +derive the equality of all the subterms of {\term$_1$} and {\term$_2$} +placed in the same positions. For example, from the hypothesis {\tt (S + (S n))=(S (S (S m))} we may derive {\tt n=(S m)}. To use this +tactic {\term$_1$} and {\term$_2$} should be elements of an inductive +set and they should be neither explicitly equal, nor structurally +different. We mean by this that, if {\tt n$_1$} and {\tt n$_2$} are +their respective normal forms, then: +\begin{itemize} +\item {\tt n$_1$} and {\tt n$_2$} should not be syntactically equal, +\item there must not exist any couple of subterms {\tt u} and {\tt w}, + {\tt u} subterm of {\tt n$_1$} and {\tt w} subterm of {\tt n$_2$} , + placed in the same positions and having different constructors as + head symbols. +\end{itemize} +If these conditions are satisfied, then, the tactic derives the +equality of all the subterms of {\term$_1$} and {\term$_2$} placed in +the same positions and puts them as antecedents of the current goal. + +\Example Consider the following goal: + +\begin{coq_example*} +Inductive list : Set := + nil: list | cons: nat-> list -> list. +Variable P : list -> Prop. +\end{coq_example*} +\begin{coq_eval} +Lemma ex: (l:list)(n:nat)(P nil)->(cons n l)=(cons O nil)->(P l). +Intros l n H H0. +\end{coq_eval} +\begin{coq_example} +Show. +Injection H0. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +Beware that \texttt{Injection} yields always an equality in a sigma type +whenever the injected object has a dependent type. + +\begin{ErrMsgs} +\item {\ident} \errindex{is not a projectable equality} + occurs when the type of + the hypothesis $id$ does not verify the preconditions. +\item \errindex{Not an equation} occurs when the type of the + hypothesis $id$ is not an equation. +\end{ErrMsgs} + + +\begin{Variants} +\item{\tt Injection}\tacindex{Injection} \\ + If the current goal is of the form {\tt \verb=~={\term$_1$}={\term$_2$}}, + the tactic computes the head normal form + of the goal and then behaves as the sequence: {\tt Unfold not; Intro + {\ident}; Injection {\ident}}. \\ + + \ErrMsg \errindex{goal does not satisfy the expected preconditions} +\end{Variants} + +\subsection{\tt Simplify\_eq {\ident}} +\tacindex{Simplify\_eq} +\label{Simplify-eq} +Let {\ident} be the name of an hypothesis of type {\tt + {\term$_1$}={\term$_2$}} in the local context. If {\term$_1$} and +{\term$_2$} are structurally different (in the sense described for the +tactic {\tt Discriminate}), then the tactic {\tt Simplify\_eq} behaves as {\tt + Discriminate {\ident}} otherwise it behaves as {\tt Injection + {\ident}}. + +\begin{Variants} +\item{\tt Simplify\_eq} +If the current goal has form $\verb=~=t_1=t_2$, then this tactic does +\texttt{Hnf; Intro {\ident}; Simplify\_eq {\ident}}. +\end{Variants} + +\subsection{\tt Dependent Rewrite -> {\ident}} +\tacindex{Dependent Rewrite ->} +\label{Dependent-Rewrite} +This tactic applies to any goal. If \ident\ has type +\verb+(existS A B a b)=(existS A B a' b')+ +in the local context (i.e. each term of the +equality has a sigma type $\{ a:A~ \&~(B~a)\}$) this tactic rewrites +\verb+a+ into \verb+a'+ and \verb+b+ into \verb+b'+ in the current +goal. This tactic works even if $B$ is also a sigma type. This kind +of equalities between dependent pairs may be derived by the injection +and inversion tactics. + +\begin{Variants} +\item{\tt Dependent Rewrite <- {\ident}} +\tacindex{Dependent Rewrite <-} \\ +Analogous to {\tt Dependent Rewrite ->} but uses the equality from +right to left. +\end{Variants} + +\section{Inversion} +\label{Inversion} + +\subsection{\tt Inversion {\ident}}\tacindex{Inversion} + +Let the type of \ident~ in the local context be $(I~\vec{t})$, +where $I$ is a (co)inductive predicate. Then, +\texttt{Inversion} applied to \ident~ derives for each possible +constructor $c_i$ of $(I~\vec{t})$, {\bf all} the necessary +conditions that should hold for the instance $(I~\vec{t})$ to be +proved by $c_i$. + +\begin{Variants} +\item \texttt{Inversion\_clear} \ident\\ + \tacindex{Inversion\_clear} + That does \texttt{Inversion} and then erases \ident~ from the + context. +\item \texttt{Inversion } \ident~ \texttt{in} \ident$_1$ \dots\ \ident$_n$\\ + \tacindex{Inversion \dots\ in} + Let \ident$_1$ \dots\ \ident$_n$, be identifiers in the local context. This + tactic behaves as generalizing \ident$_1$ \dots\ \ident$_n$, and + then performing \texttt{Inversion}. +\item \texttt{Inversion\_clear} \ident~ \texttt{in} \ident$_1$ \ldots + \ident$_n$\\ + \tacindex{Inversion\_clear \dots\ in} + Let \ident$_1$ \dots\ \ident$_n$, be identifiers in the local context. This + tactic behaves as generalizing \ident$_1$ \dots\ \ident$_n$, and + then performing {\tt Inversion\_clear}. +\item \texttt{Dependent Inversion} \ident~\\ + \tacindex{Dependent Inversion} + That must be used when \ident\ appears in the current goal. + It acts like \texttt{Inversion} and then substitutes \ident\ for the + corresponding term in the goal. +\item \texttt{Dependent Inversion\_clear} \ident~\\ + \tacindex{Dependent Inversion\_clear} + Like \texttt{Dependant Inversion}, except that \ident~ is cleared + from the local context. +\item \texttt{Dependent Inversion } \ident~ \texttt{ with } \term \\ + \tacindex{Dependent Inversion \dots\ with} + This variant allow to give the good generalization of the goal. It + is useful when the system fails to generalize the goal automatically. If + \ident~ has type $(I~\vec{t})$ and $I$ has type + $(\vec{x}:\vec{T})s$, then \term~ must be of type + $I:(\vec{x}:\vec{T})(I~\vec{x})\rightarrow s'$ where $s'$ is the + type of the goal. +\item \texttt{Dependent Inversion\_clear } \ident~ \texttt{ with } \term\\ + \tacindex{Dependent Inversion\_clear \dots\ with} + Like \texttt{Dependant Inversion \dots\ with} but clears \ident from + the local context. +\item \texttt{Inversion} \ident \texttt{ using} \ident$'$ \\ + \tacindex{Inversion \dots\ using} + Let \ident~ have type $(I~\vec{t})$ ($I$ an inductive + predicate) in the local context, and \ident$'$ be a (dependent) inversion + lemma. Then, this tactic refines the current goal with the specified + lemma. +\item \texttt{Inversion} \ident~ \texttt{using} \ident$'$ + \texttt{in} \ident$_1$\dots\ \ident$_n$\\ + \tacindex{Inversion \dots\ using \dots\ in} + This tactic behaves as generalizing \ident$_1$\dots\ \ident$_n$, + then doing \texttt{Inversion}\ident~\texttt{using} \ident$'$. +\item \texttt{Simple Inversion} \ident~\\ + \tacindex{Simple Inversion} + It is a very primitive inversion tactic that derives all the necessary + equalities but it does not simplify the constraints as + \texttt{Inversion} do. +\end{Variants} + +\SeeAlso \ref{Inversion-examples} for detailed examples + +\subsection{\tt Derive Inversion \ident~ with + $(\vec{x}:\vec{T})(I~\vec{t})$ Sort \sort} +\label{Derive-Inversion} +\comindex{Derive Inversion} +\index[tactic]{Derive Inversion@{\tt Derive Inversion}} + +This command generates an inversion principle for the +\texttt{Inversion \dots\ using} tactic. +Let $I$ be an inductive predicate and $\vec{x}$ the variables +occurring in $\vec{t}$. This command generates and stocks the +inversion lemma for the sort \sort~ corresponding to the instance +$(\vec{x}:\vec{T})(I~\vec{t})$ with the name \ident~ in the {\bf +global} environment. When applied it is equivalent to have inverted +the instance with the tactic {\tt Inversion}. + +\begin{Variants} +\item \texttt{Derive Inversion\_clear} \ident~ \texttt{with} + \comindex{Derive Inversion\_clear} + $(\vec{x}:\vec{T})(I~\vec{t})$ \texttt{Sort} \sort~ \\ + \index{Derive Inversion\_clear \dots\ with} + When applied it is equivalent to having + inverted the instance with the tactic \texttt{Inversion} + replaced by the tactic \texttt{Inversion\_clear}. +\item \texttt{Derive Dependent Inversion} \ident~ \texttt{with} + $(\vec{x}:\vec{T})(I~\vec{t})$ \texttt{Sort} \sort~\\ + \comindex{Derive Dependent Inversion} + When applied it is equivalent to having + inverted the instance with the tactic \texttt{Dependent Inversion}. +\item \texttt{Derive Dependent Inversion\_clear} \ident~ \texttt{with} + $(\vec{x}:\vec{T})(I~\vec{t})$ \texttt{Sort} \sort~\\ + \comindex{Derive Dependent Inversion\_clear} + When applied it is equivalent to having + inverted the instance with the tactic \texttt{Dependent Inversion\_clear}. +\end{Variants} + +\SeeAlso \ref{Inversion-examples} for examples + +\subsection{\texttt{Quote} \ident}\tacindex{Quote} +\index[default]2-level approach + +This kind of inversion has nothing to do with the tactic +\texttt{Inversion} above. This tactic does \texttt{Change (\ident\ + t)}, where \texttt{t} is a term build in order to ensure the +convertibility. In other words, it does inversion of the function +\ident. This function must be a fixpoint on a simple recursive +datatype: see \ref{Quote-examples} for the full details. + +\begin{ErrMsgs} +\item \errindex{Quote: not a simple fixpoint}\\ + Happens when \texttt{Quote} is not able to perform inversion properly. +\end{ErrMsgs} + +\begin{Variants} +\item \texttt{Quote {\ident} [ \ident$_1$ \dots \ident$_n$ ]}\\ + All terms that are build only with \ident$_1$ \dots \ident$_n$ will be + considered by \texttt{Quote} as constants rather than variables. +\end{Variants} + +\SeeAlso file \texttt{theories/DEMOS/DemoQuote.v} in the distribution + +\section{Automatizing} +\label{Automatizing} + +\subsection{\tt Auto} +\tacindex{Auto} +This tactic implements a Prolog-like resolution procedure to solve the +current goal. It first tries to solve the goal using the {\tt + Assumption} tactic, then it reduces the goal to an atomic one using +{\tt Intros} and introducing the newly generated hypotheses as hints. +Then it looks at the list of tactics associated to the head symbol of +the goal and tries to apply one of them (starting from the tactics +with lower cost). This process is recursively applied to the generated +subgoals. + +By default, Auto only uses the hypotheses of the current goal and the +hints of the database named "core". + +\begin{Variants} +\item {\tt Auto \num}\\ + Forces the search depth to be \num. The maximal search depth is 5 by default. +\item {\tt Auto with \ident$_1$ \dots\ \ident$_n$}\\ + Uses the hint databases $\ident_1$ \dots\ $\ident_n$ in addition to + the database "core". See section \ref{Hints-databases} for the list + of pre-defined databases and the way to create or extend a database. + This option can be combined with the previous one. +\item {\tt Auto with *}\\ + Uses all existing hint databases, minus the special database + "v62". See section \ref{Hints-databases} +\item {\tt Trivial}\tacindex{Trivial}\\ + This tactic is a restriction of {\tt Auto} that is not recursive and + tries only hints which cost is 0. Typically it solves trivial + equalities like $X=X$. +\item \texttt{Trivial with \ident$_1$ \dots\ \ident$_n$}\\ +\item \texttt{Trivial with *}\\ +\end{Variants} + +\Rem {\tt Auto} either solves completely the goal or else leave it +intact. \texttt{Auto} and \texttt{Trivial} never fail. + +\SeeAlso section \ref{Hints-databases} + +\subsection{\tt EAuto}\tacindex{EAuto}\label{EAuto} + +This tactic generalizes {\tt Auto}. In contrast with +the latter, {\tt EAuto} uses unification of the goal +against the hints rather than pattern-matching +(in other words, it uses {\tt EApply} instead of +{\tt Apply}). +As a consequence, {\tt EAuto} can solve such a goal: + +\begin{coq_example} +Hints Resolve ex_intro. +Goal (P:nat->Prop)(P O)->(EX n | (P n)). +EAuto. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +Note that {\tt ex\_intro} should be declared as an +hint. + +\SeeAlso section \ref{Hints-databases} + +\subsection{\tt Prolog [ \term$_1$ \dots\ \term$_n$ ] \num} +\tacindex{Prolog}\label{Prolog} +This tactic, implemented by Chet Murthy, is based upon the concept of +existential variables of Gilles Dowek, stating that resolution is a +kind of unification. It tries to solve the current goal using the {\tt + Assumption} tactic, the {\tt Intro} tactic, and applying hypotheses +of the local context and terms of the given list {\tt [ \term$_1$ + \dots\ \term$_n$\ ]}. It is more powerful than {\tt Auto} since it +may apply to any theorem, even those of the form {\tt (x:A)(P x) -> Q} +where {\tt x} does not appear free in {\tt Q}. The maximal search +depth is {\tt \num}. + +\begin{ErrMsgs} +\item \errindex{Prolog failed}\\ + The Prolog tactic was not able to prove the subgoal. +\end{ErrMsgs} + +\subsection{\tt Tauto}\tacindex{Tauto}\label{Tauto} +This tactic, due to César Mu\~noz \cite{Mun94}, implements a +decision procedure for intuitionistic propositional calculus based on +the contraction-free sequent calculi LJT* of R. Dyckhoff \cite{Dyc92}. +Note tha + t {\tt Tauto} succeeds on any instance of an intuitionistic +tautological proposition. For instance it succeeds on +\verb!(x:nat)(P:nat->Prop)x=O\/(P x)->~x=O->(P x)! +while {\tt Auto} fails. + +\subsection{\tt Intuition} +\tacindex{Intuition}\label{Intuition} + +The tactic \verb1Intuition1 takes advantage of the search-tree builded +by the decision procedure involved in the tactic {\tt Tauto}. It uses +this information to generate a set of subgoals equivalent to the +original one (but simpler than it) and applies the tactic +{\tt Auto with *} to them \cite{Mun94}. At the end, {\tt Intuition} +performs {\tt Intros}. + +For instance, the tactic {\tt Intuition} applied to the goal +\begin{verbatim} +((x:nat)(P x))/\B->((y:nat)(P y))/\(P O)\/B/\(P O) +\end{verbatim} +internally replaces it by the equivalent one: +\begin{verbatim} +((x:nat)(P x) -> B -> (P O)) +\end{verbatim} +and then uses {\tt Auto with *} which completes the proof. + +\subsection{\tt Linear}\tacindex{Linear}\label{Linear} +The tactic \texttt{Linear}, due to Jean-Christophe Filliâatre +\cite{Fil94}, implements a decision procedure for {\em Direct + Predicate Calculus}, that is first-order Gentzen's Sequent Calculus +without contraction rules \cite{KeWe84,BeKe92}. Intuitively, a +first-order goal is provable in Direct Predicate Calculus if it can be +proved using each hypothesis at most once. + +Unlike the previous tactics, the \texttt{Linear} tactic does not belong +to the initial state of the system, and it must be loaded explicitly +with the command + +\begin{coq_example*} +Require Linear. +\end{coq_example*} + +For instance, assuming that \texttt{even} and \texttt{odd} are two +predicates on natural numbers, and \texttt{a} of type \texttt{nat}, the +tactic \texttt{Linear} solves the following goal + +\begin{coq_eval} +Variables even,odd : nat -> Prop. +Variable a:nat. +\end{coq_eval} + +\begin{coq_example*} +Lemma example : (even a) + -> ((x:nat)((even x)->(odd (S x)))) + -> (EX y | (odd y)). +\end{coq_example*} + +You can find examples of the use of \texttt{Linear} in +\texttt{theories/DEMOS/DemoLinear.v}. +\begin{coq_eval} +Abort. +\end{coq_eval} + +\begin{Variants} +\item {\tt Linear with \ident$_1$ \dots\ \ident$_n$}\\ + \tacindex{Linear with} + Is equivalent to apply first {\tt Generalize \ident$_1$ \dots + \ident$_n$} (see section \ref{Generalize}) then the \texttt{Linear} + tactic. So one can use axioms, lemmas or hypotheses of the local + context with \texttt{Linear} in this way. +\end{Variants} + +\begin{ErrMsgs} +\item \errindex{Not provable in Direct Predicate Calculus} +\item \errindex{Found $n$ classical proof(s) but no intuitionistic one}\\ + The decision procedure looks actually for classical proofs of the + goals, and then checks that they are intuitionistic. In that case, + classical proofs have been found, which do not correspond to + intuitionistic ones. +\end{ErrMsgs} + +\subsection{\tt Omega} +\tacindex{Omega} +\label{Omega} + +The tactic \texttt{Omega}, due to Pierre Crégut, +is an automatic decision procedure for Prestburger +arithmetic. It solves quantifier-free +formulae build with \verb|~|, \verb|\/|, \verb|/\|, +\verb|->| on top of equations and inequations on +both the type \texttt{nat} of natural numbers and \texttt{Z} of binary +integers. This tactic must be loaded by the command \texttt{Require + Omega}. See the additional documentation about \texttt{Omega}. + +\subsection{\tt Ring \term$_1$ \dots\ \term$_n$} +\tacindex{Ring} +\comindex{Add Ring} +\comindex{Add Semi Ring} + +This tactic, written by Samuel Boutin and Patrick Loiseleur, +does AC rewriting on every +ring. The tactic must be loaded by \texttt{Require Ring} under +\texttt{coqtop} or \texttt{coqtop -full}. +The ring must be declared in the \texttt{Add Ring} +command (see \ref{Ring}). The ring of booleans is predefined; if one +wants to use the tactic on \texttt{nat} one must do \texttt{Require + ArithRing}; for \texttt{Z}, do \texttt{Require ZArithRing}. + +\term$_1$, \dots, \term$_n$ must be subterms of the goal +conclusion. \texttt{Ring} normalize these terms +w.r.t. associativity and commutativity and replace them by their +normal form. + +\begin{Variants} +\item \texttt{Ring} When the goal is an equality $t_1=t_2$, it + acts like \texttt{Ring} $t_1$ $t_2$ and then simplifies or solves + the equality. + +\item \texttt{NatRing} is a tactic macro for \texttt{Repeat Rewrite + S\_to\_plus\_one; Ring}. The theorem \texttt{S\_to\_plus\_one} is a + proof that \texttt{(n:nat)(S n)=(plus (S O) n)}. + +\end{Variants} + +\Example +\begin{coq_example*} +Require ZArithRing. +Goal (a,b,c:Z)`(a+b+c)*(a+b+c) + = a*a + b*b + c*c + 2*a*b + 2*a*c + 2*b*c`. +\end{coq_example*} +\begin{coq_example} +Intros; Ring. +\end{coq_example} +\begin{coq_eval} +Reset Initial. +\end{coq_eval} + +You can have a look at the files \texttt{Ring.v}, +\texttt{ArithRing.v}, \texttt{ZarithRing.v} to see examples of the +\texttt{Add Ring} command. + +\SeeAlso \ref{Ring} for more detailed explanations about this tactic + +\subsection{\tt AutoRewrite [{\rewrule} {\dots} {\rewrule}]} +\tacindex{AutoRewrite} + +This tactic carries out rewritings according the given rewriting +rules. + +A \emph{rewriting rule} is, by definition, a list of terms which type is an +equality, each term being followed by the keyword \texttt{LR} (for +left-to-right) or \texttt{RL} (for right-to-left): + +\begin{tabular}{rcl} +\rewrule & ::= & \texttt{[{\term} {\switch} {\dots} {\term} {\switch} ]}\\ +\switch & ::= & \texttt{LR}\\ +\switch & | & \texttt{RL} \\ +\end{tabular} + +\texttt{AutoRewrite} tries each rewriting of each rule, until +it succeeds; then the rewriting is processed and \texttt{AutoRewrite} +tries again all rewritings from the first one. This tactic may not +terminate and warnings are produced every 100 rewritings. + +\begin{Variants} +\item {\tt AutoRewrite [\ident$_1$\dots\ \ident$_n$] +Step=[\tac$_1$|...|\tac$_m$]}\\ +Each time a rewriting rule is successful, it tries to solve with the tactics of +{\tt Step}. + +\item {\tt AutoRewrite [{\rewrule} {\dots} {\rewrule}] +Step=[\tac$_1$|...|\tac$_m$] with Solve}\\ +This is equivalent to the previous variant. + +\item{\tt AutoRewrite [{\rewrule} {\dots} {\rewrule}] +Step=[\tac$_1$|...|\tac$_m$] with Use}\\ +Each time a rewriting rule is successful, it tries to apply a tactic of {\tt +Step}. + +\item{\tt AutoRewrite [{\rewrule} {\dots} {\rewrule}] +Step=[\tac$_1$|...|\tac$_m$] with All}\\ +Each time a rewriting rule is successful, it tries to solve with the tactics of +{\tt Step}, if it fails, it tries to apply a tactic of {\tt Step}. In fact, it +behaves like the {\tt Solve} switch first and the {\tt Use} switch next in case +of failure. + +\item {\tt AutoRewrite [{\rewrule} {\dots} {\rewrule}] +Rest=[\tac$_1$|...|\tac$_m$]}\\ +If subgoals are generated by a conditional rewriting, it tries to solve each of +them with the tactics in {\tt Rest}. + +\item {\tt AutoRewrite [{\rewrule} {\dots} {\rewrule}] +Rest=[\tac$_1$|...|\tac$_m$] with Solve}\\ +This is equivalent to the previous variant. + +\item {\tt AutoRewrite [{\rewrule} {\dots} {\rewrule}] +Rest=[\tac$_1$|...|\tac$_m$] with Cond}\\ +Each time subgoals are generated by a successful conditional rewriting, it +tries to solve all of them, if it fails, it considers that the rewriting rule +fails and takes the next one in the bases. + +\item {\tt AutoRewrite [{\rewrule} {\dots} {\rewrule}] Depth=\num}\\ +Produces a warning giving the number of rewritings carried out every {\num} +rewritings. +\end{Variants} + +The three options {\tt Step}, {\tt Solve} et {\tt Depth} can be combined. + +\subsection{\tt HintRewrite {\ident} {\rewrule}}\comindex{HintRewrite} + +This vernacular command makes an alias for a rewriting rule. +Then, instead of \texttt{AutoRewrite [{\rewrule} \dots ]} you can +type: \texttt{AutoRewrite [{\ident} \dots ]} + +This vernacular command is synchronous with the section mechanism (see +\ref{Section}): when closing a section, all aliases created by +\texttt{HintRewrite} in that section are lost. Conversely, when +loading a module, all \texttt{HintRewrite} declarations at the global +level of that module are loaded. + +\SeeAlso \ref{AutoRewrite-example} for examples showing the use of +this tactic. + +\SeeAlso file \texttt{theories/DEMOS/DemoAutoRewrite.v} + +\section{Developing certified programs} +\label{program} +This section is devoted to powerful tools that \Coq~ provides to +develop certified programs. We just mention below the main features of +those tools and refer the reader to chapter \ref{Addoc-program} and +references \cite{CPar93,CPar95} for more details and examples. + +\subsection{\tt Realizer \term}\tacindex{Realizer} +This command associates the term {\term} to the current goal. The +{\term}'s syntax is described in the chapter \ref{Addoc-program}. +It is an extension of the basic syntax for \Coq's terms. The {\tt + Realizer} is used as a hint by the {\tt Program} tactic described +below. The term {\term} intends to be the program extracted from the +proof we want to develop. + +\SeeAlso chapter \ref{Addoc-program}, section \ref{Extraction} + +\subsection{\tt Program}\tacindex{Program} +This tactic tries to make a one step inference according to the +structure of the {\tt Realizer} associated to the current goal. + +\begin{Variants} +\item {\tt Program\_all}\tacindex{Program\_all}\\ + Is equivalent to {\tt Repeat (Program Orelse Auto with *)} (see section + \ref{Tacticals}). +\end{Variants} + +\SeeAlso chapter \ref{Addoc-program} + +\section{The hints databases for Auto and EAuto} +\index{Hints databases}\label{Hints-databases} +The hints for Auto and EAuto have been reorganized since \Coq{} +6.2.3. They are stored in several databases. Each databases maps head +symbols to list of hints. One can use the command \texttt{Print Hint \ident} +to display the hints associated to the head symbol \ident{} +(see \ref{PrintHint}). Each hint has a name, +a cost that is an nonnegative integer, and a pattern. The hint is +tried by \texttt{Auto} if the conclusion of current goal matches its +pattern, and after hints with a lower cost. The general command to add +a hint to a database is: + +\comindex{Hint} +\begin{quotation} + \texttt{Hint \textsl{name} : \textsl{database} := \textsl{hint\_definition}} +\end{quotation} + +\noindent where {\sl hint\_definition} is one of the following expressions: + +\begin{itemize} +\item \texttt{Resolve} {\term} \index[command]{Hints!Resolve}\\ + This command adds {\tt Apply {\term}} to the hint list + with the head symbol of the type of \term. The cost of that hint is + the number of subgoals generated by {\tt Apply {\term}}. + + In case the inferred type of \term\ does not start with a product the + tactic added in the hint list is {\tt Exact {\term}}. In case this + type can be reduced to a type starting with a product, the tactic {\tt + Apply {\term}} is also stored in the hints list. + + If the inferred type of \term\ does contain a dependent + quantification on a predicate, it is added to the hint list of {\tt + EApply} instead of the hint list of {\tt Apply}. In this case, a + warning is printed since the hint is only used by the tactic {\tt + EAuto} (see \ref{EAuto}). A typical example of hint that is used + only by \texttt{EAuto} is a transitivity lemma. + + \begin{ErrMsgs} + \item \errindex{Bound head variable} \\ + The head symbol of the type of {\term} is a bound variable such + that this tactic cannot be associated to a constant. + \item \term\ \errindex{cannot be used as a hint} \\ + The type of \term\ contains products over variables which do not + appear in the conclusion. A typical example is a transitivity axiom. + In that case the {\tt Apply} tactic fails, and thus is useless. + \end{ErrMsgs} + +\item \texttt{Immediate {\term}} \index[command]{Hints!Immediate}\\ + + This command adds {\tt Apply {\term}; Trivial} to the hint list + associated with the head symbol of the type of \ident in the given + database. This tactic will fail if all the subgoals generated by + {\tt Apply {\term}} are + not solved immediately by the {\tt Trivial} tactic which only tries + tactics with cost $0$. + + This command is useful for theorems such that the symmetry of equality + or $n+1=m+1 \rightarrow n=m$ that we may like to introduce with a + limited use in order to avoid useless proof-search. + + The cost of this tactic (which never generates subgoals) is always 1, + so that it is not used by {\tt Trivial} itself. + + \begin{ErrMsgs} + \item \errindex{Bound head variable}\\ + \item \term\ \errindex{cannot be used as a hint} \\ + \end{ErrMsgs} + +\item \texttt{Constructors} {\ident}\index[command]{Hint!Constructors}\\ + + If {\ident} is an inductive type, this command adds all its + constructors as hints of type \texttt{Resolve}. Then, when the + conclusion of current goal has the form \texttt{({\ident} \dots)}, + \texttt{Auto} will try to apply each constructor. + + \begin{ErrMsgs} + \item {\ident} \errindex{is not an inductive type} + \item {\ident} \errindex{not declared} + \end{ErrMsgs} + +\item \texttt{Unfold} {\ident}\index[command]{Hint!Unfold}\\ + This adds the tactic {\tt Unfold {\ident}} to the hint list + that will only be used when the head constant of the goal is \ident. + Its cost is 4. + +\item \texttt{Extern \num\ \pattern\ }\textsl{tactic}\index[command]{Hints!Extern}\\ + This hint type is to extend Auto with tactics other than + \texttt{Apply} and \texttt{Unfold}. For that, we must specify a + cost, a pattern and a tactic to execute. Here is an example: + +\begin{quotation} +\begin{verbatim} +Hint discr : core := Extern 4 ~(?=?) Discriminate. +\end{verbatim} +\end{quotation} + + Now, when the head of the goal is a disequality, \texttt{Auto} will + try \texttt{Discriminate} if it does not succeed to solve the goal + with hints with a cost less than 4. + + One can even use some sub-patterns of the pattern in the tactic + script. A sub-pattern is a question mark followed by a number like + \texttt{?1} or \texttt{?2}. Here is an example: + +\begin{coq_example*} +Require EqDecide. +Require PolyList. +\end{coq_example*} +\begin{coq_example} +Hint eqdec1 : eqdec := Extern 5 {?1=?2}+{~ (?1=?2)} + Generalize ?1 ?2; Decide Equality. + +Goal (a,b:(list nat*nat)){a=b}+{~a=b}. +Info Auto with eqdec. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +\end{itemize} + +\Rem There is currently (in the \coqversion\ release) no way to do +pattern-matching on hypotheses. + +\begin{Variants} +\item \texttt{Hint \ident\ : \ident$_1$ \dots\ \ident$_n$ := + \textsl{hint\_expression}}\\ + This syntax allows to put the same hint in several databases. + + \Rem The current implementation of \texttt{Auto} has no + optimization about hint duplication: + if the same hint is present in two databases + given as arguments to \texttt{Auto}, it will be tried twice. We + recommend to put the same hint in two different databases only if you + never use those databases together. + +\item\texttt{Hint \ident\ := \textsl{hint\_expression}}\\ + If no database name is given, the hint is registered in the "core" + database. + + \Rem We do not recommend to put hints in this database in your + developpements, except when the \texttt{Hint} command + is inside a section. In this case the hint will be thrown when + closing the section (see \ref{Hint-and-Section}) + +\end{Variants} + +There are shortcuts that allow to define several goal at once: + +\begin{itemize} +\item \comindex{Hints Resolve}\texttt{Hints Resolve \ident$_1$ \dots\ \ident$_n$ : \ident.}\\ + This command is a shortcut for the following ones: + \begin{quotation} + \noindent\texttt{Hint \ident$_1$ : \ident\ := Resolve \ident$_1$}\\ + \dots\\ + \texttt{Hint \ident$_1$ : \ident := Resolve \ident$_1$} + \end{quotation} + Notice that the hint name is the same that the theorem given as + hint. +\item \comindex{Hints Immediate}\texttt{Hints Immediate \ident$_1$ \dots\ \ident$_n$ : \ident.}\\ +\item \comindex{Hints Unfold}\texttt{Hints Unfold \ident$_1$ \dots\ \ident$_n$ : \ident.}\\ +\end{itemize} + +%\begin{Warnings} +% \item \texttt{Overriding hint named \dots\ in database \dots} +%\end{Warnings} + +\subsection{Hint databases defined in the \Coq\ standard library} + +Several hint databases are defined in the \Coq\ standard +library. There is no systematic relation between the directories of the +library and the databases. + +\begin{description} +\item[core] This special database is automatically used by + \texttt{Auto}. It contains only basic lemmas about negation, + conjunction, and so on from. Most of the hints in this database come + from the \texttt{INIT} and \texttt{LOGIC} directories. + +\item[arith] This databases contains all lemmas about Peano's + arithmetic proven in the directories \texttt{INIT} and + \texttt{ARITH} + +\item[zarith] contains lemmas about binary signed integers from the + directories \texttt{theories/ZARITH} and + \texttt{tactics/contrib/Omega}. It contains also a hint with a high + cost that calls Omega. + +\item[bool] contains lemmas about booleans, mostly from directory + \texttt{theories/BOOL}. + +\item[datatypes] is for lemmas about about lists, trees, streams and so on that + are proven in \texttt{LISTS}, \texttt{TREES} subdirectories. + +\item[sets] contains lemmas about sets and relations from the + directory \texttt{SETS} and \texttt{RELATIONS}. +\end{description} + +There is also a special database called "v62". It contains all things that are +currently hinted in the 6.2.x releases. It will not be extended later. It is +not included in the hint databases list used in the "Auto with *" tactic. + +The only purpose of the database "v62" is to ensure compatibility for +old developpements with further versions of Coq. +If you have a developpement that used to compile with 6.2.2 and that not +compiles with 6.2.4, try to replace "Auto" with "Auto with v62" using the +script documented below. This will ensure your developpement will compile +will further releases of Coq. + +To write a new developpement, or to update a developpement not finished yet, +you are strongly advised NOT to use this database, but the pre-defined +databases. Furthermore, you are advised not to put your own Hints in the +"core" database, but use one or several databases specific to your +developpement. + +\subsection{\tt Print Hint} +\label{PrintHint} +\comindex{Print Hint} +\index[tactic]{Hints!\texttt{Print Hint}} +This command displays all hints that apply to the current goal. It +fails if no proof is being edited, while the two variants can be used at +every moment. + +\begin{Variants} +\item {\tt Print Hint {\ident} }\\ + This command displays only tactics associated with \ident\ in the + hints list. This is independent of the goal being edited, to this + command will not fail if no goal is being edited. + +\item {\tt Print Hint *}\\ + This command displays all declared hints. +\end{Variants} + + +\subsection{Hints and sections} +\label{Hint-and-Section} + +Like grammar rules and structures for the \texttt{Ring} tactic, things +added by the \texttt{Hint} command will be erased when closing a +section. + +Conversely, when the user does \texttt{Require A.}, all hints +of the module \texttt{A} that are not defined inside a section are +loaded. + +\section{Tacticals} +\index[tactic]{Tacticals}\index{Tacticals}\label{Tacticals} +We describe in this section how to combine the tactics provided by the +system to write synthetic proof scripts called {\em tacticals}. The +tacticals are built using tactic operators we present below. + +\subsection{\tt Idtac} +\tacindex{Idtac} +\index{Tacticals!Idtac@{\tt Idtac}} The constant {\tt Idtac} is the +identity tactic: it leaves any goal unchanged. + +\subsection{\tt Fail} +\tacindex{Fail} +\index{Tacticals!Fail@{\tt Fail}} + +The tactic {\tt Fail} is the always-failing tactic: it does not solve +any goal. It is useful for defining other tacticals. + +\subsection{\tt Do {\num} {\tac}} +\tacindex{Do} +\index{Tacticals!Do@{\tt Do}} +This tactic operator repeats {\num} times the tactic {\tac}. It fails +when it is not possible to repeat {\num} times the tactic. + +\subsection{\tt \tac$_1$ {\tt Orelse} \tac$_2$} +\tacindex{Orelse} +\index{Tacticals!Orelse@{\tt Orelse}} +The tactical \tac$_1$ {\tt Orelse} \tac$_2$ tries to apply \tac$_1$ +and, in case of a failure, applies \tac$_2$. It associates to the +left. + +\subsection{\tt Repeat {\tac}} +\index[tactic]{Repeat@{\tt Repeat}} +\index{Tacticals!Repeat@{\tt Repeat}} + +This tactic operator repeats {\tac} as long as it does not fail. + +\subsection{\tt {\tac}$_1$ {\tt ;} \tac$_2$} +\index{;@{\tt ;}} +\index[tactic]{;@{\tt ;}} +\index{Tacticals!yy@{\tt {\tac$_1$};\tac$_2$}} +This tactic operator is a generalized composition for sequencing. The +tactical {\tac}$_1$ {\tt ;} \tac$_2$ first applies \tac$_1$ and +then applies \tac$_2$ to any +subgoal generated by \tac$_1$. {\tt ;} associates to the left. + +\subsection{\tt \tac$_0$; [ \tac$_1$ | \dots\ | \tac$_n$ ]} +\index[tactic]{;[]@{\tt ;[\ldots$\mid$\ldots$\mid$\ldots]}} +\index{;[]@{\tt ;[\ldots$\mid$\ldots$\mid$\ldots]}} +\index{Tacticals!zz@{\tt {\tac$_0$};[{\tac$_1$}$\mid$\ldots$\mid$\tac$_n$]}} + +This tactic operator is a generalization of the precedent tactics +operator. The tactical {\tt \tac$_0$ ; [ \tac$_1$ | \dots\ | \tac$_n$ ]} +first applies \tac$_0$ and then +applies \tac$_i$ to the i-th subgoal generated by \tac$_0$. It fails if +$n$ is not the exact number of remaining subgoals. + +\subsection{\tt Try {\tac}} +\tacindex{Try} +\index{Tacticals!Try@{\tt Try}} +This tactic operator applies tactic \tac, and catches the possible +failure of \tac. It never fails. + +\subsection{\tt First [ \tac$_0$ | \dots\ | \tac$_n$ ]} +\tacindex{First} +\index{Tacticals!First@{\tt First}} + +This tactic operator tries to apply the tactics \tac$_i$ with $i=0\ldots{}n$, +starting from $i=0$, until one of them does not fail. It fails if all the +tactics fail. + +\begin{ErrMsgs} +\item \errindex{No applicable tactic.} +\end{ErrMsgs} + +\subsection{\tt Solve [ \tac$_0$ | \dots\ | \tac$_n$ ]} +\tacindex{Solve} +\index{Tacticals!First@{\tt Solve}} + +This tactic operator tries to solve the current goal with the tactics \tac$_i$ +with $i=0\ldots{}n$, starting from $i=0$, until one of them solves. It fails if +no tactic can solve. + +\begin{ErrMsgs} +\item \errindex{Cannot solve the goal.} +\end{ErrMsgs} + +\subsection{\tt Info {\tac}} +\tacindex{Info} +\index{Tacticals!Info@{\tt Info}} +This is not really a tactical. For elementary tactics, this is +equivalent to \tac. For complex tactic like \texttt{Auto}, it displays +the operations performed by the tactic. + +\subsection{\tt Abstract {\tac}} +\tacindex{Abstract} +\index{Tacticals!Abstract@{\tt Abstract}} +From outside, typing \texttt{Abstract \tac} is the same that +typing \tac. Internally it saves an auxiliary lemma called +{\ident}\texttt{\_subproof}\textit{n} where {\ident} is the name of the +current goal and \textit{n} is chosen so that this is a fresh name. + +This tactical is useful with tactics such \texttt{Omega} or +\texttt{Discriminate} that generate big proof terms. With that tool +the user can avoid the explosion at time of the \texttt{Save} command +without having to cut ``by hand'' the proof in smaller lemmas. + +\begin{Variants} +\item \texttt{Abstract {\tac} using {\ident}}.\\ + Give explicitly the name of the auxiliary lemma. +\end{Variants} + +\section{Generation of induction principles with {\tt Scheme}} +\label{Scheme} +\comindex{Scheme} + +The {\tt Scheme} command is a high-level tool for generating +automatically (possibly mutual) induction principles for given types +and sorts. Its syntax follows the schema: + +\noindent +{\tt Scheme {\ident$_1$} := Induction for \ident'$_1$ Sort {\sort$_1$} \\ + with\\ + \mbox{}\hspace{0.1cm} \dots\ \\ + with {\ident$_m$} := Induction for {\ident'$_m$} Sort + {\sort$_m$}}\\ + +\ident'$_1$ \dots\ \ident'$_m$ are different inductive type +identifiers belonging to +the same package of mutual inductive definitions. This command +generates {\ident$_1$}\dots{} {\ident$_m$} to be mutually recursive +definitions. Each term {\ident$_i$} proves a general principle +of mutual induction for objects in type {\term$_i$}. + + +\begin{Variants} +\item {\tt Scheme {\ident$_1$} := Minimality for \ident'$_1$ Sort {\sort$_1$} \\ + with\\ + \mbox{}\hspace{0.1cm} \dots\ \\ + with {\ident$_m$} := Minimality for {\ident'$_m$} Sort + {\sort$_m$}}\\ + Same as before but defines a non-dependent elimination principle more + natural in case of inductively defined relations. +\end{Variants} + +\SeeAlso \ref{Scheme-examples} + +\section{Simple tactic macros} +\index[tactic]{tactic macros} +\index{tactic macros} +\comindex{Tactic Definition} +\label{TacticDefinition} + +A simple example has more value than a long explanation: + +\begin{coq_example*} +Tactic Definition Solve := [<:tactic:<Simpl; Intros; Auto>>]. +Tactic Definition ElimBoolRewrite [$b $H1 $H2] := + [<:tactic:<Elim $b; + [Intros; Rewrite $H1; EAuto | Intros; Rewrite $H2; EAuto ]>>]. +\end{coq_example*} + +Those tactic definitions are just macros, they behave like the +syntactic definitions in the tactic world. The right side of the +definition is an AST (see page~\pageref{astsyntax}), +but you can type a command if you +enclose it between \verb|<< >>| or \verb|<:command:< >>|, and you can +type a tactic script (the most frequent case) if you enclose it +between \verb|<:tactic:< >>|. + +The tactics macros are synchronous with the \Coq\ section mechanism: +a \texttt{Tactic Definition} is deleted from the current environment +when you close the section (see also \ref{Section}) +where it was defined. If you want that a +tactic macro defined in a module is usable in the modules that +require it, you should put it outside of any section. + +This command is designed to be simple, so the user who wants to do +complicate things with it should better read the chapter +\ref{WritingTactics} about the user-defined tactics. + + +% $Id$ + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% TeX-master: "Reference-Manual" +%%% End: + + + diff --git a/doc/RefMan-tacex.tex b/doc/RefMan-tacex.tex new file mode 100644 index 000000000..e41c76ff4 --- /dev/null +++ b/doc/RefMan-tacex.tex @@ -0,0 +1,668 @@ +\chapter{Detailed examples of tactics} +\label{Tactics-examples} + +This chapter presents detailed examples of certain tactics, to +illustrate their behavior. + +\section{\tt Refine} +\tacindex{Refine} +\label{Refine-example} + +This tactic applies to any goal. It behaves like {\tt Exact} with a +big difference : the user can leave some holes (denoted by \texttt{?} or +{\tt (?::}{\it type}{\tt )}) in the term. +{\tt Refine} will generate as many +subgoals as they are holes in the term. The type of holes must be +either synthesized by the system or declared by an +explicit cast like \verb|(?::nat->Prop)|. This low-level +tactic can be useful to advanced users. + +\firstexample +\example{} + +\begin{coq_example*} +Require Refine. +Inductive Option: Set := Fail : Option | Ok : bool->Option. +\end{coq_example} +\begin{coq_example} +Definition get: (x:Option)~x=Fail->bool. +Refine + [x:Option]<[x:Option]~x=Fail->bool>Cases x of + Fail => ? + | (Ok b) => [_:?]b end. +Intros;Absurd Fail=Fail;Trivial. +\end{coq_example} +\begin{coq_example*} +Defined. +\end{coq_example*} + +\example{Using Refine to build a poor-man's ``Cases'' tactic} +\texttt{Refine} is actually the only way for the user to do +a proof with the same structure as a {\tt Cases} definition. Actually, +the tactics \texttt{Case} (see \ref{Case}) and \texttt{Elim} (see +\ref{Elim}) only allow one step of elementary induction. + +\begin{coq_example*} +Require Bool. +Require Arith. +\end{coq_example*} +%\begin{coq_eval} +%Abort. +%\end{coq_eval} +\begin{coq_example} +Definition one_two_or_five := [x:nat] + Cases x of + (1) => true + | (2) => true + | (5) => true + | _ => false + end. +Goal (x:nat)(Is_true (one_two_or_five x)) -> x=(1)\/x=(2)\/x=(5). +\end{coq_example} + +A traditional script would be the following: + +\begin{coq_example*} +Destruct x. +Tauto. +Destruct n. +Auto. +Destruct n0. +Auto. +Destruct n1. +Tauto. +Destruct n2. +Tauto. +Destruct n3. +Auto. +Intros; Inversion H. +\end{coq_example*} + +With the tactic \texttt{Refine}, it becomes quite shorter: + +\begin{coq_example*} +Restart. +Require Refine. +\end{coq_example*} +\begin{coq_example} +Refine [x:nat] + <[y:nat](Is_true (one_two_or_five y))->(y=(1)\/y=(2)\/y=(5))> + Cases x of + (1) => [H]? + | (2) => [H]? + | (5) => [H]? + | _ => [H](False_ind ? H) + end; Auto. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +\section{\tt EApply} +\tacindex{EApply} +\label{EApply-example} +\Example +Assume we have a relation on {\tt nat} which is transitive: + +\begin{coq_example*} +Variable R:nat->nat->Prop. +Hypothesis Rtrans : (x,y,z:nat)(R x y)->(R y z)->(R x z). +Variables n,m,p:nat. +Hypothesis Rnm:(R n m). +Hypothesis Rmp:(R m p). +\end{coq_example*} + +Consider the goal {\tt (R n p)} provable using the transitivity of +{\tt R}: + +\begin{coq_example*} +Goal (R n p). +\end{coq_example*} + +The direct application of {\tt Rtrans} with {\tt Apply} fails because +no value for {\tt y} in {\tt Rtrans} is found by {\tt Apply}: + +\begin{coq_example} +Apply Rtrans. +\end{coq_example} + +A solution is to rather apply {\tt (Rtrans n m p)}. + +\begin{coq_example} +Apply (Rtrans n m p). +\end{coq_example} + +\begin{coq_eval} + Undo. +\end{coq_eval} + +More elegantly, {\tt Apply Rtrans with y:=m} allows to only mention +the unknown {\tt m}: + +\begin{coq_example} +Apply Rtrans with y:=m. +\end{coq_example} + +\begin{coq_eval} + Undo. +\end{coq_eval} + +Another solution is to mention the proof of {\tt (R x y)} in {\tt +Rtrans}... + +\begin{coq_example} +Apply Rtrans with 1:=Rnm. +\end{coq_example} + +\begin{coq_eval} + Undo. +\end{coq_eval} + +... or the proof of {\tt (R y z)}: + +\begin{coq_example} +Apply Rtrans with 2:=Rmp. +\end{coq_example} + +\begin{coq_eval} + Undo. +\end{coq_eval} + +On the opposite, one can use {\tt EApply} which postpone the problem +of finding {\tt m}. Then one can apply the hypotheses {\tt Rnm} and {\tt +Rmp}. This instantiates the existential variable and completes the proof. + +\begin{coq_example} +EApply Rtrans. +Apply Rnm. +Apply Rmp. +\end{coq_example} + +\begin{coq_eval} + Reset R. +\end{coq_eval} + +\section{{\tt Scheme}} +\comindex{Scheme} +\label{Scheme-examples} + +\firstexample +\example{Induction scheme for \texttt{tree} and \texttt{forest}} + +The definition of principle of mutual induction for {\tt tree} and +{\tt forest} over the sort {\tt Set} is defined by the command: + +\begin{coq_eval} +Restore State Initial. +Variables A,B:Set. +Mutual Inductive tree : Set := node : A -> forest -> tree +with forest : Set := leaf : B -> forest + | cons : tree -> forest -> forest. +\end{coq_eval} + +\begin{coq_example*} +Scheme tree_forest_rec := Induction for tree Sort Set +with forest_tree_rec := Induction for forest Sort Set. +\end{coq_example*} + +You may now look at the type of {\tt tree\_forest\_rec}: + +\begin{coq_example} +Check tree_forest_rec. +\end{coq_example} + +This principle involves two different predicates for {\tt trees} and +{\tt forests}; it also has three premises each one corresponding to a +constructor of one of the inductive definitions. + +The principle {\tt tree\_forest\_rec} shares exactly the same +premises, only the conclusion now refers to the property of forests. + +\begin{coq_example} +Check forest_tree_rec. +\end{coq_example} + +\example{Predicates {\tt odd} and {\tt even} on naturals} + +Let {\tt odd} and {\tt even} be inductively defined as: + +\begin{coq_eval} +Restore State Initial. +\end{coq_eval} + +\begin{coq_example*} +Mutual Inductive odd : nat->Prop := + oddS : (n:nat)(even n)->(odd (S n)) +with even : nat -> Prop := + evenO : (even O) + | evenS : (n:nat)(odd n)->(even (S n)). +\end{coq_example*} + +The following command generates a powerful elimination +principle: + +\begin{coq_example*} +Scheme odd_even := Minimality for odd Sort Prop +with even_odd := Minimality for even Sort Prop. +\end{coq_example*} + +The type of {\tt odd\_even} for instance will be: + +\begin{coq_example} +Check odd_even. +\end{coq_example} + +The type of {\tt even\_odd} shares the same premises but the +conclusion is {\tt (n:nat)(even n)->(Q n)}. + + +\section{{\tt Inversion}} +\tacindex{Inversion} +\label{Inversion-examples} + +\subsection*{Generalities about inversion} + +When working with (co)inductive predicates, we are very often faced to +some of these situations: +\begin{itemize} +\item we have an inconsistent instance of an inductive predicate in the + local context of hypotheses. Thus, the current goal can be trivially + proved by absurdity. +\item we have a hypothesis that is an instance of an inductive + predicate, and the instance has some variables whose constraints we + would like to derive. +\end{itemize} + +The inversion tactics are very useful to simplify the work in these +cases. Inversion tools can be classified in three groups: + +\begin{enumerate} +\item tactics for inverting an instance without stocking the inversion + lemma in the context; this includes the tactics + (\texttt{Dependent}) \texttt{Inversion} and + (\texttt{Dependent}) \texttt{Inversion\_clear}. +\item commands for generating and stocking in the context the inversion + lemma corresponding to an instance; this includes \texttt{Derive} + (\texttt{Dependent}) \texttt{Inversion} and \texttt{Derive} + (\texttt{Dependent}) \texttt{Inversion\_clear}. +\item tactics for inverting an instance using an already defined + inversion lemma; this includes the tactic \texttt{Inversion \ldots using}. +\end{enumerate} + +As inversion proofs may be large in size, we recommend the user to +stock the lemmas whenever the same instance needs to be inverted +several times. + +\firstexample +\example{Non-dependent inversion} + +Let's consider the relation \texttt{Le} over natural numbers and the +following variables: + +\begin{coq_eval} +Restore State Initial. +\end{coq_eval} + +\begin{coq_example*} +Inductive Le : nat->nat->Set := + LeO : (n:nat)(Le O n) | LeS : (n,m:nat) (Le n m)-> (Le (S n) (S m)). +Variable P:nat->nat->Prop. +Variable Q:(n,m:nat)(Le n m)->Prop. +\end{coq_example*} + +For example, consider the goal: + +\begin{coq_eval} +Lemma ex : (n,m:nat)(Le (S n) m)->(P n m). +Intros. +\end{coq_eval} + +\begin{coq_example} +Show. +\end{coq_example} + +To prove the goal we may need to reason by cases on \texttt{H} and to + derive that \texttt{m} is necessarily of +the form $(S~m_0)$ for certain $m_0$ and that $(Le~n~m_0)$. +Deriving these conditions corresponds to prove that the +only possible constructor of \texttt{(Le (S n) m)} is +\texttt{LeS} and that we can invert the +\texttt{->} in the type of \texttt{LeS}. +This inversion is possible because \texttt{Le} is the smallest set closed by +the constructors \texttt{LeO} and \texttt{LeS}. + +\begin{coq_example} +Inversion_clear H. +\end{coq_example} + +Note that \texttt{m} has been substituted in the goal for \texttt{(S m0)} +and that the hypothesis \texttt{(Le n m0)} has been added to the +context. + +Sometimes it is +interesting to have the equality \texttt{m=(S m0)} in the +context to use it after. In that case we can use \texttt{Inversion} that +does not clear the equalities: + +\begin{coq_example*} +Undo. +\end{coq_example*} + +\begin{coq_example} +Inversion H. +\end{coq_example} + +\begin{coq_eval} +Undo. +\end{coq_eval} + +\example{Dependent Inversion} + +Let us consider the following goal: + +\begin{coq_eval} +Lemma ex_dep : (n,m:nat)(H:(Le (S n) m))(Q (S n) m H). +Intros. +\end{coq_eval} + +\begin{coq_example} +Show. +\end{coq_example} + +As \texttt{H} occurs in the goal, we may want to reason by cases on its +structure and so, we would like inversion tactics to +substitute \texttt{H} by the corresponding term in constructor form. +Neither \texttt{Inversion} nor {\tt Inversion\_clear} make such a +substitution. +To have such a behavior we use the dependent inversion tactics: + +\begin{coq_example} +Dependent Inversion_clear H. +\end{coq_example} + +Note that \texttt{H} has been substituted by \texttt{(LeS n m0 l)} and +\texttt{m} by \texttt{(S m0)}. + +\example{using already defined inversion lemmas} + +\begin{coq_eval} +Abort. +\end{coq_eval} + +For example, to generate the inversion lemma for the instance +\texttt{(Le (S n) m)} and the sort \texttt{Prop} we do: + +\begin{coq_example*} +Derive Inversion_clear leminv with (n,m:nat)(Le (S n) m) Sort Prop. +\end{coq_example*} + +\begin{coq_example} +Check leminv. +\end{coq_example} + +Then we can use the proven inversion lemma: + +\begin{coq_example} +Show. +\end{coq_example} + +\begin{coq_example} +Inversion H using leminv. +\end{coq_example} + +\begin{coq_eval} +Reset Initial. +\end{coq_eval} + +\section{\tt AutoRewrite} +\label{AutoRewrite-example} + +\Example +Here is a basic use of {\tt AutoRewrite} with the Ackermann function: + +\begin{coq_example*} +Require Arith. + +Variable Ack:nat->nat->nat. + +Axiom Ack0:(m:nat)(Ack (0) m)=(S m). +Axiom Ack1:(n:nat)(Ack (S n) (0))=(Ack n (1)). +Axiom Ack2:(n,m:nat)(Ack (S n) (S m))=(Ack n (Ack (S n) m)). +\end{coq_example*} + +\begin{coq_example} +HintRewrite base0 [ Ack0 LR + Ack1 LR + Ack2 LR]. + +Lemma ResAck0:(Ack (2) (1))=(5). +AutoRewrite [base0] Step=[Reflexivity]. +\end{coq_example} + +\begin{coq_eval} +Reset Initial. +\end{coq_eval} + +\Example +The Mac Carthy function shows a more complex case: + +\begin{coq_example*} +Require Omega. + +Variable g:nat->nat->nat. + +Axiom g0:(m:nat)(g (0) m)=m. +Axiom g1: + (n,m:nat)(gt n (0))->(gt m (100))-> + (g n m)=(g (pred n) (minus m (10))). +Axiom g2: + (n,m:nat)(gt n (0))->(le m (100))->(g n m)=(g (S n) (plus m (11))). +\end{coq_example*} + +\begin{coq_example} +HintRewrite base1 [ g0 LR g1 LR]. +HintRewrite base2 [g2 LR]. + +Lemma Resg0:(g (1) (90))=(91). +AutoRewrite [base1 base2] + Step=[Simpl|Reflexivity] with All + Rest=[Omega] with Cond + Depth=10. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +\begin{coq_eval} +Lemma maccarthy_90 : + (g0:(m:nat)(g (0) m)=m) + (g1:(n,m:nat)(gt n (0))->(gt m (100))-> (g n m)=(g (pred n) (minus m (10)))) + (g2:(n,m:nat)(gt n (0))->(le m (100))->(g n m)=(g (S n) (plus m (11)))) + (g (1) (90))=(91). + Intros. +\end{coq_eval} + +One can also give the full base definition instead of a name. This is +useful to do rewritings with the hypotheses of current goal: + +\begin{coq_example} + Show. + AutoRewrite [[g0 LR g1 LR] [g2 LR]] + Step=[Simpl|Reflexivity] with All + Rest=[Omega] with Cond + Depth=10. +\end{coq_example} + +\begin{coq_eval} +Abort. +\end{coq_eval} + +\section{\tt Quote} +\tacindex{Quote} +\label{Quote-examples} + +The tactic \texttt{Quote} allows to use Barendregt's so-called +2-level approach without writing any ML code. Suppose you have a +language \texttt{L} of +'abstract terms' and a type \texttt{A} of 'concrete terms' +and a function \texttt{f : L -> A}. If \texttt{L} is a simple +inductive datatype and \texttt{f} a simple fixpoint, \texttt{Quote f} +will replace the head of current goal a convertible term with the form +\texttt{(f t)}. \texttt{L} must have a constructor of type: \texttt{A + -> L}. + +Here is an example: + +\begin{coq_example} +Require Quote. +Parameters A,B,C:Prop. +Inductive Type formula := +| f_and : formula -> formula -> formula (* binary constructor *) +| f_or : formula -> formula -> formula +| f_not : formula -> formula (* unary constructor *) +| f_true : formula (* 0-ary constructor *) +| f_const : Prop -> formula. (* contructor for constants *) + +Fixpoint interp_f [f:formula] : Prop := + Cases f of + | (f_and f1 f2) => (interp_f f1)/\(interp_f f2) + | (f_or f1 f2) => (interp_f f1)\/(interp_f f2) + | (f_not f1) => ~(interp_f f1) + | f_true => True + | (f_const c) => c + end. + +Goal A/\(A\/True)/\~B/\(A <-> A). +Quote interp_f. +\end{coq_example} + +The algorithm to perform this inversion is: try to match the +term with right-hand sides expression of \texttt{f}. If there is a +match, apply the corresponding left-hand side and call yourself +recursively on sub-terms. If there is no match, we are at a leaf: +return the corresponding constructor (here \texttt{f\_const}) applied +to the term. + +\begin{ErrMsgs} +\item \errindex{Quote: not a simple fixpoint} + Happens when \texttt{Quote} is not able to perform inversion properly. +\end{ErrMsgs} + +\subsection{Introducing variables map} + +The normal use of \texttt{Quote} is to make proofs by reflection: one +defines a function \texttt{simplify : formula -> formula} and proves a +theorem \texttt{simplify\_ok: (f:formula)(interp\_f (simplify f)) -> + (interp\_f f)}. Then, one can simplify formulas by doing: + +\begin{quotation} +\begin{verbatim} + Quote interp_f. + Apply simplify_ok. + Compute. +\end{verbatim} +\end{quotation} + +But there is a problem with leafs: in the example above one cannot +write a function that implements, for example, the logical simplifications +$A \wedge A \ra A$ or $A \wedge \neg A \ra \texttt{False}$. This is +because the \Prop{} is impredicative. + +It is better to use that type of formulas: + +\begin{coq_eval} +Reset formula. +\end{coq_eval} +\begin{coq_example} +Inductive Set formula := +| f_and : formula -> formula -> formula +| f_or : formula -> formula -> formula +| f_not : formula -> formula +| f_true : formula +| f_atom : index -> formula. (* contructor for variables *) +\end{coq_example*} + +\texttt{index} is defined in module \texttt{Quote}. Equality on that +type is decidable so we are able to simplify $A \wedge A$ into $A$ at +the abstract level. + +When there are variables, there are bindings, and \texttt{Quote} +provides also a type \texttt{(varmap A)} of bindings from +\texttt{index} to any set \texttt{A}, and a function +\texttt{varmap\_find} to search in such maps. The interpretation +function has now another argument, a variables map: + +\begin{coq_example} + Fixpoint interp_f [vm:(varmap Prop); f:formula] : Prop := + Cases f of + | (f_and f1 f2) => (interp_f vm f1)/\(interp_f vm f2) + | (f_or f1 f2) => (interp_f vm f1)\/(interp_f vm f2) + | (f_not f1) => ~(interp_f vm f1) + | f_true => True + | (f_atom i) => (varmap_find True i vm) + end. +\end{coq_example} + +\noindent\texttt{Quote} handles this second case properly: + +\begin{coq_example} +Goal A/\(B\/A)/\(A\/~B). +Quote interp_f. +\end{coq_example} + +It builds \texttt{vm} and \texttt{t} such that \texttt{(f vm t)} is +convertible with the conclusion of current goal. + +\subsection{Combining variables and constants} + +One can have both variables and constants in abstracts terms; that is +the case, for example, for the \texttt{Ring} tactic (chapter +\ref{Ring}). Then one must provide to Quote a list of +\emph{constructors of constants}. For example, if the list is +\texttt{[O S]} then closed natural numbers will be considered as +constants and other terms as variables. + +Example: + +\begin{coq_eval} +Reset formula. +\end{coq_eval} +\begin{coq_example*} +Inductive Type formula := +| f_and : formula -> formula -> formula +| f_or : formula -> formula -> formula +| f_not : formula -> formula +| f_true : formula +| f_const : Prop -> formula (* constructor for constants *) +| f_atom : index -> formula. (* constructor for variables *) + +Fixpoint interp_f [vm:(varmap Prop); f:formula] : Prop := + Cases f of + | (f_and f1 f2) => (interp_f vm f1)/\(interp_f vm f2) + | (f_or f1 f2) => (interp_f vm f1)\/(interp_f vm f2) + | (f_not f1) => ~(interp_f vm f1) + | f_true => True + | (f_const c) => c + | (f_atom i) => (varmap_find True i vm) + end. + +Goal A/\(A\/True)/\~B/\(C<->C). +\end{coq_example*} + +\begin{coq_example} +Quote interp_f [A B]. +Undo. Quote interp_f [B C iff]. +\end{coq_example} + +\Warning This tactic is new and experimental. Since function inversion +is undecidable in general case, don't expect miracles from it ! + +\SeeAlso file \texttt{theories/DEMOS/DemoQuote.v} +\SeeAlso comments of source file \texttt{tactics/contrib/polynom/quote.ml} +\SeeAlso the tactic \texttt{Ring} (chapter \ref{Ring}) + + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/RefMan-tus.tex b/doc/RefMan-tus.tex new file mode 100755 index 000000000..e4867bf24 --- /dev/null +++ b/doc/RefMan-tus.tex @@ -0,0 +1,1790 @@ +%\documentclass[11pt]{article} +%\usepackage{fullpage,euler} +%\usepackage[latin1]{inputenc} +%\begin{document} +%\title{Writing ad-hoc Tactics in Coq} +%\author{} +%\date{} +%\maketitle +%\tableofcontents +%\clearpage + +\chapter{Writing ad-hoc Tactics in Coq} +\label{WritingTactics} + +\section{Introduction} + +\Coq\ is an open proof environment, in the sense that the collection of +proof strategies offered by the system can be extended by the user. +This feature has two important advantages. First, the user can develop +his/her own ad-hoc proof procedures, customizing the system for a +particular domain of application. Second, the repetitive and tedious +aspects of the proofs can be abstracted away implementing new tactics +for dealing with them. For example, this may be useful when a theorem +needs several lemmas which are all proven in a similar but not exactly +the same way. Let us illustrate this with an example. + +Consider the problem of deciding the equality of two booleans. The +theorem establishing that this is always possible is state by +the following theorem: + +\begin{coq_example*} +Theorem decideBool : (x,y:bool){x=y}+{~x=y}. +\end{coq_example*} + +The proof proceeds by case analysis on both $x$ and $y$. This yields +four cases to solve. The cases $x=y=\textsl{true}$ and +$x=y=\textsl{false}$ are immediate by the reflexivity of equality. + +The other two cases follow by discrimination. The following script +describes the proof: + +\begin{coq_example*} +Destruct x. + Destruct y. + Left ; Reflexivity. + Right; Discriminate. + Destruct y. + Right; Discriminate. + Left ; Reflexivity. +\end{coq_example*} +\begin{coq_eval} +Abort. +\end{coq_eval} + +Now, consider the theorem stating the same property but for the +following enumerated type: + +\begin{coq_example*} +Inductive Set Color := Blue:Color | White:Color | Red:Color. +Theorem decideColor : (c1,c2:Color){c1=c2}+{~c1=c2}. +\end{coq_example*} + +This theorem can be proven in a very similar way, reasoning by case +analysis on $c_1$ and $c_2$. Once more, each of the (now six) cases is +solved either by reflexivity or by discrimination: + +\begin{coq_example*} +Destruct c1. + Destruct c2. + Left ; Reflexivity. + Right ; Discriminate. + Right ; Discriminate. + Destruct c2. + Right ; Discriminate. + Left ; Reflexivity. + Right ; Discriminate. + Destruct c2. + Right ; Discriminate. + Right ; Discriminate. + Left ; Reflexivity. +\end{coq_example*} +\begin{coq_eval} +Abort. +\end{coq_eval} + +If we face the same theorem for an enumerated datatype corresponding +to the days of the week, it would still follow a similar pattern. In +general, the general pattern for proving the property +$(x,y:R)\{x=y\}+\{\neg x =y\}$ for an enumerated type $R$ proceeds as +follow: +\begin{enumerate} +\item Analyze the cases for $x$. +\item For each of the sub-goals generated by the first step, analyze +the cases for $y$. +\item The remaining subgoals follow either by reflexivity or +by discrimination. +\end{enumerate} + +Let us describe how this general proof procedure can be introduced in +\Coq. + +\section{Tactic Macros} + +The simplest way to introduce it is to define it as new a +\textsl{tactic macro}, as follows: + +\begin{coq_example*} +Tactic Definition DecideEq [$a $b] := + [<:tactic:<Destruct $a; + Destruct $b; + (Left;Reflexivity) Orelse (Right;Discriminate)>>]. +\end{coq_example*} + +The general pattern of the proof is abstracted away using the +tacticals ``\texttt{;}'' and \texttt{Orelse}, and introducing two +parameters for the names of the arguments to be analyzed. + +Once defined, this tactic can be called like any other tactic, just +supplying the list of terms corresponding to its real arguments. Let us +revisit the proof of the former theorems using the new tactic +\texttt{DecideEq}: + +\begin{coq_example*} +Theorem decideBool : (x,y:bool){x=y}+{~x=y}. +DecideEq x y. +Defined. +\end{coq_example*} +\begin{coq_example*} +Theorem decideColor : (c1,c2:Color){c1=c2}+{~c1=c2}. +DecideEq c1 c2. +Defined. +\end{coq_example*} + +In general, the command \texttt{Tactic Definition} associates a name +to a parameterized tactic expression, built up from the tactics and +tacticals that are already available. The general syntax rule for this +command is the following: + +\begin{tabbing} +\texttt{Tactic Definition} \textit{tactic-name} \= +\texttt{[}\$$id_1\ldots \$id_n$\texttt{]}\\ +\> := \texttt{[<:tactic:<} \textit{tactic-expression} \verb+>>]+ +\end{tabbing} + +This command provides a quick but also very primitive mechanism for +introducing new tactics. It does not support recursive definitions, +and the arguments of a tactic macro are restricted to term +expressions. Moreover, there is no static checking of the definition +other than the syntactical one. Any error in the definition of the +tactic ---for instance, a call to an undefined tactic--- will not be +noticed until the tactic is called. + +%This command provides a very primitive mechanism for introducing new +%tactics. The arguments of a tactic macro are restricted to term +%expressions. Hence, it is not possible to define higher order tactics +%with this command. Also, there is no static checking of the definition +%other than syntactical. If the tactic contain errors in its definition +%--for instance, a call to an undefined tactic-- this will be noticed +%during the tactic call. + +Let us illustrate the weakness of this way of introducing new tactics +trying to extend our proof procedure to work on a larger class of +inductive types. Consider for example the decidability of equality +for pairs of booleans and colors: + +\begin{coq_example*} +Theorem decideBoolXColor : (p1,p2:bool*Color){p1=p2}+{~p1=p2}. +\end{coq_example*} + +The proof still proceeds by a double case analysis, but now the +constructors of the type take two arguments. Therefore, the sub-goals +that can not be solved by discrimination need further considerations +about the equality of such arguments: + +\begin{coq_example} + Destruct p1; + Destruct p2; Try (Right;Discriminate);Intros. +\end{coq_example} + +The half of the disjunction to be chosen depends on whether or not +$b=b_0$ and $c=c_0$. These equalities can be decided automatically +using the previous lemmas about booleans and colors. If both +equalities are satisfied, then it is sufficient to rewrite $b$ into +$b_0$ and $c$ into $c_0$, so that the left half of the goal follows by +reflexivity. Otherwise, the right half follows by first contraposing +the disequality, and then applying the invectiveness of the pairing +constructor. + +As the cases associated to each argument of the pair are very similar, +a tactic macro can be introduced to abstract this part of the proof: + +\begin{coq_example*} +Hints Resolve decideBool decideColor. +Tactic Definition SolveArg [$t1 $t2] := + [<:tactic:< + ElimType {$t1=$t2}+{~$t1=$t2}; + [(Intro equality;Rewrite equality;Clear equality) | + (Intro diseq; Right; Red; Intro absurd; + Apply diseq;Injection absurd;Trivial) | + Auto]>>]. +\end{coq_example*} + +This tactic is applied to each corresponding pair of arguments of the +arguments, until the goal can be solved by reflexivity: + +\begin{coq_example*} +SolveArg b b0; + SolveArg c c0; + Left; Reflexivity. +Defined. +\end{coq_example*} + +Therefore, a more general strategy for deciding the property +$(x,y:R)\{x=y\}+\{\neg x =y\}$ on $R$ can be sketched as follows: +\begin{enumerate} +\item Eliminate $x$ and then $y$. +\item Try discrimination to solve those goals where $x$ and $y$ has +been introduced by different constructors. +\item If $x$ and $y$ have been introduced by the same constructor, +then iterate the tactic \textsl{SolveArg} for each pair of +arguments. +\item Finally, solve the left half of the goal by reflexivity. +\end{enumerate} + +The implementation of this stronger proof strategy needs to perform a +term decomposition, in order to extract the list of arguments of each +constructor. It also requires the introduction of recursively defined +tactics, so that the \textsl{SolveArg} can be iterated on the lists of +arguments. These features are not supported by the \texttt{Tactic +Definition} command. One possibility could be extended this command in +order to introduce recursion, general parameter passing, +pattern-matching, etc, but this would quickly lead us to introduce the +whole \ocaml{} into \Coq\footnote{This is historically true. In fact, +\ocaml{} is a direct descendent of ML, a functional programming language +conceived language for programming the tactics of the theorem prover +LCF.}. Instead of doing this, we prefer to give to the user the +possibility of writing his/her own tactics directly in \ocaml{}, and then +to link them dynamically with \Coq's code. This requires a minimal +knowledge about \Coq's implementation. The next section provides an +overview of \Coq's architecture. + +%It is important to point out that the introduction of a new tactic +%never endangers the correction of the theorems proven in the extended +%system. In order to understand why, let us introduce briefly the system +%architecture. + +\section{An Overview of \Coq's Architecture} + +The implementation of \Coq\ is based on eight \textsl{logical +modules}. By ``module'' we mean here a logical piece of code having a +conceptual unity, that may concern several \ocaml{} files. By the sake of +organization, all the \ocaml{} files concerning a logical module are +grouped altogether into the same sub-directory. The eight modules +are: + +\begin{tabular}{lll} +1. & The logical framework & (directory \texttt{src/generic})\\ +2. & The language of constructions & (directory \texttt{src/constr})\\ +3. & The type-checker & (directory \texttt{src/typing})\\ +4. & The proof engine & (directory \texttt{src/proofs})\\ +5. & The language of basic tactics & (directory \texttt{src/tactics})\\ +6. & The vernacular interpreter & (directory \texttt{src/env})\\ +7. & The parser and the pretty-printer & (directory \texttt{src/parsing})\\ +8. & The standard library & (directory \texttt{src/lib}) +\end{tabular} + +\vspace{1em} + +The following sections briefly present each of the modules above. +This presentation is not intended to be a complete description of \Coq's +implementation, but rather a guideline to be read before taking a look +at the sources. For each of the modules, we also present some of its +most important functions, which are sufficient to implement a large +class of tactics. + + +\subsection{The Logical Framework} +\label{LogicalFramework} + +At the very heart of \Coq there is a generic untyped language for +expressing abstractions, applications and global constants. This +language is used as a meta-language for expressing the terms of the +Calculus of Inductive Constructions. General operations on terms like +collecting the free variables of an expression, substituting a term for +a free variable, etc, are expressed in this language. + +The meta-language \texttt{'op term} of terms has seven main +constructors: +\begin{itemize} +\item $(\texttt{VAR}\;id)$, a reference to a global identifier called $id$; +\item $(\texttt{Rel}\;n)$, a bound variable, whose binder is the $nth$ + binder up in the term; +\item $\texttt{DLAM}\;(x,t)$, a deBruijn's binder on the term $t$; +\item $\texttt{DLAMV}\;(x,vt)$, a deBruijn's binder on all the terms of + the vector $vt$; +\item $(\texttt{DOP0}\;op)$, a unary operator $op$; +\item $\texttt{DOP2}\;(op,t_1,t_2)$, the application of a binary +operator $op$ to the terms $t_1$ and $t_2$; +\item $\texttt{DOPN} (op,vt)$, the application of an n-ary operator $op$ to the +vector of terms $vt$. +\end{itemize} + +In this meta-language, bound variables are represented using the +so-called deBrujin's indexes. In this representation, an occurrence of +a bound variable is denoted by an integer, meaning the number of +binders that must be traversed to reach its own +binder\footnote{Actually, $(\texttt{Rel}\;n)$ means that $(n-1)$ binders +have to be traversed, since indexes are represented by strictly +positive integers.}. On the other hand, constants are referred by its +name, as usual. For example, if $A$ is a variable of the current +section, then the lambda abstraction $[x:A]x$ of the Calculus of +Constructions is represented in the meta-language by the term: + +\begin{displaymath} +(DOP2 (Lambda,(Var\;A),DLAM (x,(Rel\;1))) +\end{displaymath} + +In this term, $Lambda$ is a binary operator. Its first argument +correspond to the type $A$ of the bound variable, while the second is +a body of the abstraction, where $x$ is bound. The name $x$ is just kept +to pretty-print the occurrences of the bound variable. + +%Similarly, the product +%$(A:Prop)A$ of the Calculus of Constructions is represented by the +%term: +%\begin{displaumath} +%DOP2 (Prod, DOP0 (Sort (Prop Null)), DLAM (Name \#A, Rel 1)) +%\end{displaymath} + +The following functions perform some of the most frequent operations +on the terms of the meta-language: +\begin{description} +\fun{val Generic.subst1 : 'op term -> 'op term -> 'op term} + {$(\texttt{subst1}\;t_1\;t_2)$ substitutes $t_1$ for + $\texttt{(Rel}\;1)$ in $t_2$.} +\fun{val Generic.occur\_var : identifier -> 'op term -> bool} + {Returns true when the given identifier appears in the term, + and false otherwise.} +\fun{val Generic.eq\_term : 'op term -> 'op term -> bool} + {Implements $\alpha$-equality for terms.} +\fun{val Generic.dependent : 'op term -> 'op term -> bool} + {Returns true if the first term is a sub-term of the second.} +%\fun{val Generic.subst\_var : identifier -> 'op term -> 'op term} +% { $(\texttt{subst\_var}\;id\;t)$ substitutes the deBruijn's index +% associated to $id$ to every occurrence of the term +% $(\texttt{VAR}\;id)$ in $t$.} +\end{description} + +\subsubsection{Identifiers, names and sections paths.} + +Three different kinds of names are used in the meta-language. They are +all defined in the \ocaml{} file \texttt{Names}. + +\paragraph{Identifiers.} The simplest kind of names are +\textsl{identifiers}. An identifier is a string possibly indexed by an +integer. They are used to represent names that are not unique, like +for example the name of a variable in the scope of a section. The +following operations can be used for handling identifiers: + +\begin{description} +\fun{val Names.make\_ident : string -> int -> identifier} + {The value $(\texttt{make\_ident}\;x\;i)$ creates the + identifier $x_i$. If $i=-1$, then the identifier has + is created with no index at all.} +\fun{val Names.repr\_ident : identifier -> string * int} + {The inverse operation of \texttt{make\_ident}: + it yields the string and the index of the identifier.} +\fun{val Names.lift\_ident : identifier -> identifier} + {Increases the index of the identifier by one.} +\fun{val Names.next\_ident\_away : \\ +\qquad identifier -> identifier list -> identifier} + {\\ Generates a new identifier with the same root string than the + given one, but with a new index, different from all the indexes of + a given list of identifiers.} +\fun{val Names.id\_of\_string : string -> + identifier} + {Creates an identifier from a string.} +\fun{val Names.string\_of\_id : identifier -> string} + {The inverse operation: transforms an identifier into a string} +\end{description} + +\paragraph{Names.} A \textsl{name} is either an identifier or the +special name \texttt{Anonymous}. Names are used as arguments of +binders, in order to pretty print bound variables. +The following operations can be used for handling names: + +\begin{description} +\fun{val Names.Name: identifier -> Name} + {Constructs a name from an identifier.} +\fun{val Names.Anonymous : Name} + {Constructs a special, anonymous identifier, like the variable abstracted + in the term $[\_:A]0$.} +\fun{val + Names.next\_name\_away\_with\_default : \\ \qquad + string->name->identifier list->identifier} +{\\ If the name is not anonymous, then this function generates a new + identifier different from all the ones in a given list. Otherwise, it + generates an identifier from the given string.} +\end{description} + +\paragraph{Section paths.} +\label{SectionPaths} +A \textsl{section-path} is a global name to refer to an object without +ambiguity. It can be seen as a sort of filename, where open sections +play the role of directories. Each section path is formed by three +components: a \textsl{directory} (the list of open sections); a +\textsl{basename} (the identifier for the object); and a \textsl{kind} +(either CCI for the terms of the Calculus of Constructions, FW for the +the terms of $F_\omega$, or OBJ for other objects). For example, the +name of the following constant: +\begin{verbatim} + Section A. + Section B. + Section C. + Definition zero := O. +\end{verbatim} + +is internally represented by the section path: + +$$\underbrace{\mathtt{\#A\#B\#C}}_{\mbox{dirpath}} +\underbrace{\mathtt{\tt \#zero}}_{\mbox{basename}} +\underbrace{\mathtt{\tt .cci}_{\;}}_{\mbox{kind}}$$ + +When one of the sections is closed, a new constant is created with an +updated section-path,a nd the old one is no longer reachable. In our +example, after closing the section \texttt{C}, the new section-path +for the constant {\tt zero} becomes: +\begin{center} +\texttt{ \#A\#B\#zero.cci} +\end{center} + +The following operations can be used to handle section paths: + +\begin{description} +\fun{val Names.string\_of\_path : section\_path -> string} + {Transforms the section path into a string.} +\fun{val Names.path\_of\_string : string -> section\_path} + {Parses a string an returns the corresponding section path.} +\fun{val Names.basename : section\_path -> identifier} + {Provides the basename of a section path} +\fun{val Names.dirpath : section\_path -> string list} + {Provides the directory of a section path} +\fun{val Names.kind\_of\_path : section\_path -> path\_kind} + {Provides the kind of a section path} +\end{description} + +\subsubsection{Signatures} + +A \textsl{signature} is a mapping associating different informations +to identifiers (for example, its type, its definition, etc). The +following operations could be useful for working with signatures: + +\begin{description} +\fun{val Names.ids\_of\_sign : 'a signature -> identifier list} + {Gets the list of identifiers of the signature.} +\fun{val Names.vals\_of\_sign : 'a signature -> 'a list} + {Gets the list of values associated to the identifiers of the signature.} +\fun{val Names.lookup\_glob1 : \\ \qquad +identifier -> 'a signature -> (identifier * + 'a)} + {\\ Gets the value associated to a given identifier of the signature.} +\end{description} + + +\subsection{The Terms of the Calculus of Constructions} + +The language of the Calculus of Inductive Constructions described in +Chapter \ref{Cic} is implemented on the top of the logical framework, +instantiating the parameter $op$ of the meta-language with a +particular set of operators. In the implementation this language is +called \texttt{constr}, the language of constructions. + +% The only difference +%with respect to the one described in Section \ref{} is that the terms +%of \texttt{constr} may contain \textsl{existential variables}. An +%existential variable is a place holder representing a part of the term +%that is still to be constructed. Such ``open terms'' are necessary +%when building proofs interactively. + +\subsubsection{Building Constructions} + +The user does not need to know the choices made to represent +\texttt{constr} in the meta-language. They are abstracted away by the +following constructor functions: + +\begin{description} +\fun{val Term.mkRel : int -> constr} + {$(\texttt{mkRel}\;n)$ represents deBrujin's index $n$.} + +\fun{val Term.mkVar : identifier -> constr} + {$(\texttt{mkVar}\;id)$ + represents a global identifier named $id$, like a variable + inside the scope of a section, or a hypothesis in a proof}. + +\fun{val Term.mkExistential : constr} + {\texttt{mkExistential} represents an implicit sub-term, like the question + marks in the term \texttt{(pair ? ? O true)}.} + +%\fun{val Term.mkMeta : int -> constr} +% {$(\texttt{mkMeta}\;n)$ represents an existential variable, whose +% name is the integer $n$.} + +\fun{val Term.mkProp : constr} + {$\texttt{mkProp}$ represents the sort \textsl{Prop}.} + +\fun{val Term.mkSet : constr} + {$\texttt{mkSet}$ represents the sort \textsl{Set}.} + +\fun{val Term.mkType : Impuniv.universe -> constr} + {$(\texttt{mkType}\;u)$ represents the term + $\textsl{Type}(u)$. The universe $u$ is represented as a + section path indexed by an integer. } + +\fun{val Term.mkConst : section\_path -> constr array -> constr} + {$(\texttt{mkConst}\;c\;v)$ represents a constant whose name is + $c$. The body of the constant is stored in a global table, + accessible through the name of the constant. The array of terms + $v$ corresponds to the variables of the environment appearing in + the body of the constant when it was defined. For instance, a + constant defined in the section \textsl{Foo} containing the + variable $A$, and whose body is $[x:Prop\ra Prop](x\;A)$ is + represented inside the scope of the section by + $(\texttt{mkConst}\;\texttt{\#foo\#f.cci}\;[| \texttt{mkVAR}\;A + |])$. Once the section is closed, the constant is represented by + the term $(\texttt{mkConst}\;\#f.cci\;[| |])$, and its body + becomes $[A:Prop][x:Prop\ra Prop](x\;A)$}. + +\fun{val Term.mkMutInd : section\_path -> int -> constr array ->constr} + {$(\texttt{mkMutInd}\;c\;i)$ represents the $ith$ type + (starting from zero) of the block of mutually dependent + (co)inductive types, whose first type is $c$. Similarly to the + case of constants, the array of terms represents the current + environment of the (co)inductive type. The definition of the type + (its arity, its constructors, whether it is inductive or co-inductive, etc.) + is stored in a global hash table, accessible through the name of + the type.} + +\fun{val Term.mkMutConstruct : \\ \qquad section\_path -> int -> int -> constr array + ->constr} {\\ $(\texttt{mkMutConstruct}\;c\;i\;j)$ represents the + $jth$ constructor of the $ith$ type of the block of mutually + dependent (co)inductive types whose first type is $c$. The array + of terms represents the current environment of the (co)inductive + type.} + +\fun{val Term.mkCast : constr -> constr -> constr} + {$(\texttt{mkCast}\;t\;T)$ represents the annotated term $t::T$ in + \Coq's syntax.} + +\fun{val Term.mkProd : name ->constr ->constr -> constr} + {$(\texttt{mkProd}\;x\;A\;B)$ represents the product $(x:A)B$. + The free ocurrences of $x$ in $B$ are represented by deBrujin's + indexes.} + +\fun{val Term.mkNamedProd : identifier -> constr -> constr -> constr} + {$(\texttt{produit}\;x\;A\;B)$ represents the product $(x:A)B$, + but the bound occurrences of $x$ in $B$ are denoted by + the identifier $(\texttt{mkVar}\;x)$. The function automatically + changes each occurrences of this identifier into the corresponding + deBrujin's index.} + +\fun{val Term.mkArrow : constr -> constr -> constr} + {$(\texttt{arrow}\;A\;B)$ represents the type $(A\rightarrow B)$.} + +\fun{val Term.mkLambda : name -> constr -> constr -> constr} + {$(\texttt{mkLambda}\;x\;A\;b)$ represents the lambda abstraction + $[x:A]b$. The free ocurrences of $x$ in $B$ are represented by deBrujin's + indexes.} + +\fun{val Term.mkNamedLambda : identifier -> constr -> constr -> constr} + {$(\texttt{lambda}\;x\;A\;b)$ represents the lambda abstraction + $[x:A]b$, but the bound occurrences of $x$ in $B$ are denoted by + the identifier $(\texttt{mkVar}\;x)$. } + +\fun{val Term.mkAppLA : constr array -> constr} + {$(\texttt{mkAppLA}\;t\;[|t_1\ldots t_n|])$ represents the application + $(t\;t_1\;\ldots t_n)$.} + +\fun{val Term.mkMutCaseA : \\ \qquad + case\_info -> constr ->constr + ->constr array -> constr} + {\\ $(\texttt{mkMutCaseA}\;r\;P\;m\;[|f_1\ldots f_n|])$ + represents the term \Case{P}{m}{f_1\ldots f_n}. The first argument + $r$ is either \texttt{None} or $\texttt{Some}\;(c,i)$, where the + pair $(c,i)$ refers to the inductive type that $m$ belongs to.} + +\fun{val Term.mkFix : \\ \qquad +int array->int->constr array->name + list->constr array->constr} + {\\ $(\texttt{mkFix}\;[|k_1\ldots k_n |]\;i\;[|A_1\ldots + A_n|]\;[|f_1\ldots f_n|]\;[|t_1\ldots t_n|])$ represents the term + $\Fix{f_i}{f_1/k_1:A_1:=t_1 \ldots f_n/k_n:A_n:=t_n}$} + +\fun{val Term.mkCoFix : \\ \qquad + int -> constr array -> name list -> + constr array -> constr} + {\\ $(\texttt{mkCoFix}\;i\;[|A_1\ldots + A_n|]\;[|f_1\ldots f_n|]\;[|t_1\ldots t_n|])$ represents the term + $\CoFix{f_i}{f_1:A_1:=t_1 \ldots f_n:A_n:=t_n}$. There are no + decreasing indexes in this case.} +\end{description} + +\subsubsection{Decomposing Constructions} + +Each of the construction functions above has its corresponding +(partial) destruction function, whose name is obtained changing the +prefix \texttt{mk} by \texttt{dest}. In addition to these functions, a +concrete datatype \texttt{kindOfTerm} can be used to do pattern +matching on terms without dealing with their internal representation +in the meta-language. This concrete datatype is described in the \ocaml{} +file \texttt{term.mli}. The following function transforms a construction +into an element of type \texttt{kindOfTerm}: + +\begin{description} +\fun{val Term.kind\_of\_term : constr -> kindOfTerm} + {Destructs a term of the language \texttt{constr}, +yielding the direct components of the term. Hence, in order to do +pattern matching on an object $c$ of \texttt{constr}, it is sufficient +to do pattern matching on the value $(\texttt{kind\_of\_term}\;c)$.} +\end{description} + +Part of the information associated to the constants is stored in +global tables. The following functions give access to such +information: + +\begin{description} +\fun{val Termenv.constant\_value : constr -> constr} + {If the term denotes a constant, projects the body of a constant} +\fun{Termenv.constant\_type : constr -> constr} + {If the term denotes a constant, projects the type of the constant} +\fun{val mind\_arity : constr -> constr} + {If the term denotes an inductive type, projects its arity (i.e., + the type of the inductive type).} +\fun{val Termenv.mis\_is\_finite : mind\_specif -> bool} + {Determines whether a recursive type is inductive or co-inductive.} +\fun{val Termenv.mind\_nparams : constr -> int} + {If the term denotes an inductive type, projects the number of + its general parameters.} +\fun{val Termenv.mind\_is\_recursive : constr -> bool} + {If the term denotes an inductive type, + determines if the type has at least one recursive constructor. } +\fun{val Termenv.mind\_recargs : constr -> recarg list array array} + {If the term denotes an inductive type, returns an array $v$ such + that the nth element of $v.(i).(j)$ is + \texttt{Mrec} if the $nth$ argument of the $jth$ constructor of + the $ith$ type is recursive, and \texttt{Norec} if it is not.}. +\end{description} + +\subsection{The Type Checker} +\label{TypeChecker} + +The third logical module is the type checker. It concentrates two main +tasks concerning the language of constructions. + +On one hand, it contains the type inference and type-checking +functions. The type inference function takes a term +$a$ and a signature $\Gamma$, and yields a term $A$ such that +$\Gamma \vdash a:A$. The type-checking function takes two terms $a$ +and $A$ and a signature $\Gamma$, and determines whether or not +$\Gamma \vdash a:A$. + +On the other hand, this module is in charge of the compilation of +\Coq's abstract syntax trees into the language \texttt{constr} of +constructions. This compilation seeks to eliminate all the ambiguities +contained in \Coq's abstract syntax, restoring the information +necessary to type-check it. It concerns at least the following steps: +\begin{enumerate} +\item Compiling the pattern-matching expressions containing +constructor patterns, wild-cards, etc, into terms that only +use the primitive \textsl{Case} described in Chapter \ref{Cic} +\item Restoring type coercions and synthesizing the implicit arguments +(the one denoted by question marks in +{\Coq} syntax: cf section \ref{Coercions}). +\item Transforming the named bound variables into deBrujin's indexes. +\item Classifying the global names into the different classes of +constants (defined constants, constructors, inductive types, etc). +\end{enumerate} + +\subsection{The Proof Engine} + +The fourth stage of \Coq's implementation is the \textsl{proof engine}: +the interactive machine for constructing proofs. The aim of the proof +engine is to construct a top-down derivation or \textsl{proof tree}, +by the application of \textsl{tactics}. A proof tree has the following +general structure:\\ + +\begin{displaymath} +\frac{\Gamma \vdash ? = t(?_1,\ldots?_n) : G} + {\hspace{3ex}\frac{\displaystyle \Gamma_1 \vdash ?_1 = t_1(\ldots) : G_1} + {\stackrel{\vdots}{\displaystyle {\Gamma_{i_1} \vdash ?_{i_1} + : G_{i_1}}}}(tac_1) + \;\;\;\;\;\;\;\;\; + \frac{\displaystyle \Gamma_n \vdash ?_n = t_n(\ldots) : G_n} + {\displaystyle \stackrel{\vdots}{\displaystyle {\Gamma_{i_m} \vdash ?_{i_m} : + G_{i_m}}}}(tac_n)} (tac) +\end{displaymath} + + +\noindent Each node of the tree is called a \textsl{goal}. A goal +is a record type containing the following three fields: +\begin{enumerate} +\item the conclusion $G$ to be proven; +\item a typing signature $\Gamma$ for the free variables in $G$; +\item if the goal is an internal node of the proof tree, the +definition $t(?_1,\ldots?_n)$ of an \textsl{existential variable} +(i.e. a possible undefined constant) $?$ of type $G$ in terms of the +existential variables of the children sub-goals. If the node is a +leaf, the existential variable maybe still undefined. +\end{enumerate} + +Once all the existential variables have been defined the derivation is +completed, and a construction can be generated from the proof tree, +replacing each of the existential variables by its definition. This +is exactly what happens when one of the commands +\texttt{Qed}, \texttt{Save} or \texttt{Defined} is invoked +(cf. Section \ref{Qed}). The saved theorem becomes a defined constant, +whose body is the proof object generated. + +\paragraph{Important:} Before being added to the +context, the proof object is type-checked, in order to verify that it is +actually an object of the expected type $G$. Hence, the correctness +of the proof actually does not depend on the tactics applied to +generate it or the machinery of the proof engine, but only on the +type-checker. In other words, extending the system with a potentially +bugged new tactic never endangers the consistency of the system. + +\subsubsection{What is a Tactic?} +\label{WhatIsATactic} +%Let us now explain what is a tactic, and how the user can introduce +%new ones. + +From an operational point of view, the current state of the proof +engine is given by the mapping $emap$ from existential variables into +goals, plus a pointer to one of the leaf goals $g$. Such a pointer +indicates where the proof tree will be refined by the application of a +\textsl{tactic}. A tactic is a function from the current state +$(g,emap)$ of the proof engine into a pair $(l,val)$. The first +component of this pair is the list of children sub-goals $g_1,\ldots +g_n$ of $g$ to be yielded by the tactic. The second one is a +\textsl{validation function}. Once the proof trees $\pi_1,\ldots +\pi_n$ for $g_1,\ldots g_n$ have been completed, this validation +function must yield a proof tree $(val\;\pi_1,\ldots \pi_n)$ deriving +$g$. + +Tactics can be classified into \textsl{primitive} ones and +\textsl{defined} ones. Primitive tactics correspond to the five basic +operations of the proof engine: + +\begin{enumerate} +\item Introducing a universally quantified variable into the local +context of the goal. +\item Defining an undefined existential variable +\item Changing the conclusion of the goal for another +--definitionally equal-- term. +\item Changing the type of a variable in the local context for another +definitionally equal term. +\item Erasing a variable from the local context. +\end{enumerate} + +\textsl{Defined} tactics are tactics constructed by combining these +primitive operations. Defined tactics are registered in a hash table, +so that they can be introduced dynamically. In order to define such a +tactic table, it is necessary to fix what a \textsl{possible argument} +of a tactic may be. The type \texttt{tactic\_arg} of the possible +arguments for tactics is a union type including: +\begin{itemize} +\item quoted strings; +\item integers; +\item identifiers; +\item lists of identifiers; +\item plain terms, represented by its abstract syntax tree; +\item well-typed terms, represented by a construction; +\item a substitution for bound variables, like the +substitution in the tactic \\$\texttt{Apply}\;t\;\texttt{with}\;x:=t_1\ldots +x_n:=t_n$, (cf. Section \ref{Apply}); +\item a reduction expression, denoting the reduction strategy to be +followed. +\end{itemize} +Therefore, for each function $tac:a \rightarrow tactic$ implementing a +defined tactic, an associated dynamic tactic $tacargs\_tac: +\texttt{tactic\_arg}\;list \rightarrow tactic$ calling $tac$ must be +written. The aim of the auxiliary function $tacargs\_tac$ is to inject +the arguments of the tactic $tac$ into the type of possible arguments +for a tactic. + +The following function can be used for registering and calling a +defined tactic: + +\begin{description} +\fun{val Tacmach.add\_tactic : \\ \qquad +string -> (tactic\_arg list ->tactic) -> unit} + {\\ Registers a dynamic tactic with the given string as access index.} +\fun{val Tacinterp.vernac\_tactic : string*tactic\_arg list -> tactic} + {Interprets a defined tactic given by its entry in the + tactics table with a particular list of possible arguments.} +\fun{val Tacinterp.vernac\_interp : CoqAst.t -> tactic} + {Interprets a tactic expression formed combining \Coq's tactics and + tacticals, and described by its abstract syntax tree.} +\end{description} + +When programming a new tactic that calls an already defined tactic +$tac$, we have the choice between using the \ocaml{} function +implementing $tac$, or calling the tactic interpreter with the name +and arguments for interpreting $tac$. In the first case, a tactic call +will left the trace of the whole implementation of $tac$ in the proof +tree. In the second, the implementation of $tac$ will be hidden, and +only an invocation of $tac$ will be recalled (cf. the example of +Section \ref{ACompleteExample}. The following combinators can be used +to hide the implementation of a tactic: + +\begin{verbatim} +type 'a hiding_combinator = string -> ('a -> tactic) -> ('a -> tactic) +val Tacmach.hide_atomic_tactic : string -> tactic -> tactic +val Tacmach.hide_constr_tactic : constr hiding_combinator +val Tacmach.hide_constrl_tactic : (constr list) hiding_combinator +val Tacmach.hide_numarg_tactic : int hiding_combinator +val Tacmach.hide_ident_tactic : identifier hiding_combinator +val Tacmach.hide_identl_tactic : identifier hiding_combinator +val Tacmach.hide_string_tactic : string hiding_combinator +val Tacmach.hide_bindl_tactic : substitution hiding_combinator +val Tacmach.hide_cbindl_tactic : + (constr * substitution) hiding_combinator +\end{verbatim} + +These functions first register the tactic by a side effect, and then +yield a function calling the interpreter with the registered name and +the right injection into the type of possible arguments. + +\subsection{Tactics and Tacticals Provided by \Coq} + +The fifth logical module is the library of tacticals and basic tactics +provided by \Coq. This library is distributed into the directories +\texttt{tactics} and \texttt{src/tactics}. The former contains those +basic tactics that make use of the types contained in the basic state +of \Coq. For example, inversion or rewriting tactics are in the +directory \texttt{tactics}, since they make use of the propositional +equality type. Those tactics which are independent from the context +--like for example \texttt{Cut}, \texttt{Intros}, etc-- are defined in +the directory \texttt{src/tactics}. This latter directory also +contains some useful tools for programming new tactics, referred in +Section \ref{SomeUsefulToolsforWrittingTactics}. + +In practice, it is very unusual that the list of sub-goals and the +validation function of the tactic must be explicitly constructed by +the user. In most of the cases, the implementation of a new tactic +consists in supplying the appropriate arguments to the basic tactics +and tacticals. + +\subsubsection{Basic Tactics} + +The file \texttt{Tactics} contain the implementation of the basic +tactics provided by \Coq. The following tactics are some of the most +used ones: + +\begin{verbatim} +val Tactics.intro : tactic +val Tactics.assumption : tactic +val Tactics.clear : identifier list -> tactic +val Tactics.apply : constr -> constr substitution -> tactic +val Tactics.one_constructor : int -> constr substitution -> tactic +val Tactics.simplest_elim : constr -> tactic +val Tactics.elimType : constr -> tactic +val Tactics.simplest_case : constr -> tactic +val Tactics.caseType : constr -> tactic +val Tactics.cut : constr -> tactic +val Tactics.reduce : redexpr -> tactic +val Tactics.exact : constr -> tactic +val Auto.auto : int option -> tactic +val Auto.trivial : tactic +\end{verbatim} + +The functions hiding the implementation of these tactics are defined +in the module \texttt{Hiddentac}. Their names are prefixed by ``h\_''. + +\subsubsection{Tacticals} +\label{OcamlTacticals} + +The following tacticals can be used to combine already existing +tactics: + +\begin{description} +\fun{val Tacticals.tclIDTAC : tactic} + {The identity tactic: it leaves the goal as it is.} + +\fun{val Tacticals.tclORELSE : tactic -> tactic -> tactic} + {Tries the first tactic and in case of failure applies the second one.} + +\fun{val Tacticals.tclTHEN : tactic -> tactic -> tactic} + {Applies the first tactic and then the second one to each generated subgoal.} + +\fun{val Tacticals.tclTHENS : tactic -> tactic list -> tactic} + {Applies a tactic, and then applies each tactic of the tactic list to the + corresponding generated subgoal.} + +\fun{val Tacticals.tclTHENL : tactic -> tactic -> tactic} + {Applies the first tactic, and then applies the second one to the last + generated subgoal.} + +\fun{val Tacticals.tclREPEAT : tactic -> tactic} + {If the given tactic succeeds in producing a subgoal, then it + is recursively applied to each generated subgoal, + and so on until it fails. } + +\fun{val Tacticals.tclFIRST : tactic list -> tactic} + {Tries the tactics of the given list one by one, until one of them + succeeds.} + +\fun{val Tacticals.tclTRY : tactic -> tactic} + {Tries the given tactic and in case of failure applies the {\tt + tclIDTAC} tactical to the original goal.} + +\fun{val Tacticals.tclDO : int -> tactic -> tactic} + {Applies the tactic a given number of times.} + +\fun{val Tacticals.tclFAIL : tactic} + {The always failing tactic: it raises a {\tt UserError} exception.} + +\fun{val Tacticals.tclPROGRESS : tactic -> tactic} + {Applies the given tactic to the current goal and fails if the + tactic leaves the goal unchanged} + +\fun{val Tacticals.tclNTH\_HYP : int -> (constr -> tactic) -> tactic} + {Applies a tactic to the nth hypothesis of the local context. + The last hypothesis introduced correspond to the integer 1.} + +\fun{val Tacticals.tclLAST\_HYP : (constr -> tactic) -> tactic} + {Applies a tactic to the last hypothesis introduced.} + +\fun{val Tacticals.tclCOMPLETE : tactic -> tactic} + {Applies a tactic and fails if the tactic did not solve completely the + goal} + +\fun{val Tacticals.tclMAP : ('a -> tactic) -> 'a list -> tactic} + {Applied to the function \texttt{f} and the list \texttt{[x\_1; + ... ; x\_n]}, this tactical applies the tactic + \texttt{tclTHEN (f x1) (tclTHEN (f x2) ... ))))}} + +\fun{val Tacicals.tclIF : (goal sigma -> bool) -> tactic -> tactic -> tactic} + {If the condition holds, apply the first tactic; otherwise, + apply the second one} + +\end{description} + + +\subsection{The Vernacular Interpreter} + +The sixth logical module of the implementation corresponds to the +interpreter of the vernacular phrases of \Coq. These phrases may be +expressions from the \gallina{} language (definitions), general +directives (setting commands) or tactics to be applied by the proof +engine. + +\subsection{The Parser and the Pretty-Printer} +\label{PrettyPrinter} + +The last logical module is the parser and pretty printer of \Coq, +which is the interface between the vernacular interpreter and the +user. They translate the chains of characters entered at the input +into abstract syntax trees, and vice versa. Abstract syntax trees are +represented by labeled n-ary trees, and its type is called +\texttt{CoqAst.t}. For instance, the abstract syntax tree associated +to the term $[x:A]x$ is: + +\begin{displaymath} +\texttt{Node} + ((0,6), "LAMBDA", + [\texttt{Nvar}~((3, 4),"A");~\texttt{Slam}~((0,6),~Some~"x",~\texttt{Nvar}~((5,6),"x"))]) +\end{displaymath} + +The numbers correspond to \textsl{locations}, used to point to some +input line and character positions in the error messages. As it was +already explained in Section \ref{TypeChecker}, this term is then +translated into a construction term in order to be typed. + +The parser of \Coq\ is implemented using \camlpppp. The lexer and the data +used by \camlpppp\ to generate the parser lay in the directory +\texttt{src/parsing}. This directory also contains \Coq's +pretty-printer. The printing rules lay in the directory +\texttt{src/syntax}. The different entries of the grammar are +described in the module \texttt{Pcoq.Entry}. Let us present here two +important functions of this logical module: + +\begin{description} +\fun{val Pcoq.parse\_string : 'a Grammar.Entry.e -> string -> 'a} + {Parses a given string, trying to recognize a phrase + corresponding to some entry in the grammar. If it succeeds, + it yields a value associated to the grammar entry. For example, + applied to the entry \texttt{Pcoq.Command.command}, this function + parses a term of \Coq's language, and yields a value of type + \texttt{CoqAst.t}. When applied to the entry + \texttt{Pcoq.Vernac.vernac}, it parses a vernacular command and + returns the corresponding Ast.} +\fun{val gentermpr : \\ \qquad +path\_kind -> constr assumptions -> constr -> std\_ppcmds} + {\\ Pretty-prints a well-typed term of certain kind (cf. Section + \ref{SectionPaths}) under its context of typing assumption.} +\fun{val gentacpr : CoqAst.t -> std\_ppcmds} + {Pretty-prints a given abstract syntax tree representing a tactic + expression.} +\end{description} + +\subsection{The General Library} + +In addition to the ones laying in the standard library of \ocaml{}, +several useful modules about lists, arrays, sets, mappings, balanced +trees, and other frequently used data structures can be found in the +directory \texttt{lib}. Before writing a new one, check if it is not +already there! + +\subsubsection{The module \texttt{Std}} +This module in the directory \texttt{src/lib/util} is opened by almost +all modules of \Coq{}. Among other things, it contains a definition of +the different kinds of errors used in \Coq{} : + +\begin{description} +\fun{exception UserError of string * std\_ppcmds} + {This is the class of ``users exceptions''. Such errors arise when + the user attempts to do something illegal, for example \texttt{Intro} + when the current goal conclusion is not a product.} + +\fun{val Std.error : string -> 'a} + {For simple error messages} +\fun{val Std.errorlabstrm : string -> std\_ppcmds -> 'a} + {See section \ref{PrettyPrinter} : this can be used if the user + want to display a term or build a complex error message} + +\fun{exception Anomaly of string * std\_ppcmds} + {This for reporting bugs or things that should not + happen. The tacticals \texttt{tclTRY} and + \texttt{tclTRY} described in section \ref{OcamlTacticals} catch the + exceptions of type \texttt{UserError}, but they don't catch the + anomalies. So, in your code, don't raise any anomaly, unless you + know what you are doing. We also recommend to avoid constructs + such as \texttt{try ... with \_ -> ...} : such constructs can trap + an anomaly and make the debugging process harder.} + +\fun{val Std.anomaly : string -> 'a}{} +\fun{val Std.anomalylabstrm : string -> std\_ppcmds -> 'a}{} +\end{description} + +\section{The tactic writer mini-HOWTO} + +\subsection{How to add a vernacular command} + +The command to register a vernacular command can be found +in module \texttt{Vernacinterp}: + +\begin{verbatim} +val vinterp_add : string * (vernac_arg list -> unit -> unit) -> unit;; +\end{verbatim} + +The first argument is the name, the second argument is a function that +parses the arguments and returns a function of type +\texttt{unit}$\rightarrow$\texttt{unit} that do the job. + +In this section we will show how to add a vernacular command +\texttt{CheckCheck} that print a type of a term and the type of its +type. + +File \texttt{dcheck.ml}: + +\begin{verbatim} +open Vernacinterp;; +open Trad;; +let _ = + vinterp_add + ("DblCheck", + function [VARG_COMMAND com] -> + (fun () -> + let evmap = Evd.mt_evd () + and sign = Termenv.initial_sign () in + let {vAL=c;tYP=t;kIND=k} = + fconstruct_with_univ evmap sign com in + Pp.mSGNL [< Printer.prterm c; 'sTR ":"; + Printer.prterm t; 'sTR ":"; + Printer.prterm k >] ) + | _ -> bad_vernac_args "DblCheck") +;; +\end{verbatim} + +Like for a new tactic, a new syntax entry must be created. + +File \texttt{DCheck.v}: + +\begin{verbatim} +Declare ML Module "dcheck.ml". + +Grammar vernac vernac := + dblcheck [ "CheckCheck" comarg($c) ] -> [(DblCheck $c)]. +\end{verbatim} + +We are now able to test our new command: + +\begin{verbatim} +Coq < Require DCheck. +Coq < CheckCheck O. +O:nat:Set +\end{verbatim} + +Most Coq vernacular commands are registered in the module + \verb+src/env/vernacentries.ml+. One can see more examples here. + +\subsection{How to keep a hashtable synchronous with the reset mechanism} + +This is far more tricky. Some vernacular commands modify some +sort of state (for example by adding something in a hashtable). One +wants that \texttt{Reset} has the expected behavior with this +commands. + +\Coq{} provides a general mechanism to do that. \Coq{} environments +contains objects of three kinds: CCI, FW and OBJ. CCI and FW are for +constants of the calculus. OBJ is a dynamically extensible datatype +that contains sections, tactic definitions, hints for auto, and so +on. + +The simplest example of use of such a mechanism is in file +\verb+src/proofs/macros.ml+ (which implements the \texttt{Tactic + Definition} command). Tactic macros are stored in the imperative +hashtable \texttt{mactab}. There are two functions freeze and unfreeze +to make a copy of the table and to restore the state of table from the +copy. Then this table is declared using \texttt{Library.declare\_summary}. + +What does \Coq{} with that ? \Coq{} defines synchronization points. +At each synchronisation point, the declared tables are frozen (that +is, a copy of this tables is stored). + +When \texttt{Reset }$i$ is called, \Coq{} goes back to the first +synchronisation point that is above $i$ and ``replays'' all objects +between that point +and $i$. It will re-declare constants, re-open section, etc. + +So we need to declare a new type of objects, TACTIC-MACRO-DATA. To +``replay'' on object of that type is to add the corresponding tactic +macro to \texttt{mactab} + +So, now, we can say that \texttt{mactab} is synchronous with the Reset +mechanism$^{\mathrm{TM}}$. + +Notice that this works for hash tables but also for a single integer +(the Undo stack size, modified by the \texttt{Set Undo} command, for +example). + +\subsection{The right way to access to Coq constants from your ML code} + +With their long names, Coq constants are stored using: + +\begin{itemize} +\item a section path +\item an identifier +\end{itemize} + +The identifier is exactly the identifier that is used in \Coq{} to +denote the constant; the section path can be known using the +\texttt{Locate} command: + +\begin{coq_example} + Locate S. + Locate nat. + Locate eq. +\end{coq_example} + +Now it is easy to get a constant by its name and section path: + + +\begin{verbatim} +let constant sp id = + Machops.global_reference (Names.gLOB (Termenv.initial_sign ())) + (Names.path_of_string sp) (Names.id_of_string id);; +\end{verbatim} + + +The only issue is that if one cannot put: + + +\begin{verbatim} +let coq_S = constant "#Datatypes#nat.cci" "S";; +\end{verbatim} + + +in his tactic's code. That is because this sentence is evaluated +\emph{before} the module \texttt{Datatypes} is loaded. The solution is +to use the lazy evaluation of \ocaml{}: + + +\begin{verbatim} +let coq_S = lazy (constant "#Datatypes#nat.cci" "S");; + +... (Lazy.force coq_S) ... +\end{verbatim} + + +Be sure to call always Lazy.force behind a closure -- i.e. inside a +function body or behind the \texttt{lazy} keyword. + +One can see examples of that technique in the source code of \Coq{}, +for example +\verb+tactics/contrib/polynom/ring.ml+ or +\verb+tactics/contrib/polynom/coq_omega.ml+. + +\section{Some Useful Tools for Writing Tactics} +\label{SomeUsefulToolsforWrittingTactics} +When the implementation of a tactic is not a straightforward +combination of tactics and tacticals, the module \texttt{Tacmach} +provides several useful functions for handling goals, calling the +type-checker, parsing terms, etc. This module is intended to be +the interface of the proof engine for the user. + +\begin{description} +\fun{val Tacmach.pf\_hyps : goal sigma -> constr signature} + {Projects the local typing context $\Gamma$ from a given goal $\Gamma\vdash ?:G$.} +\fun{val pf\_concl : goal sigma -> constr} + {Projects the conclusion $G$ from a given goal $\Gamma\vdash ?:G$.} +\fun{val Tacmach.pf\_nth\_hyp : goal sigma -> int -> identifier * + constr} + {Projects the $ith$ typing constraint $x_i:A_i$ from the local + context of the given goal.} +\fun{val Tacmach.pf\_fexecute : goal sigma -> constr -> judgement} + {Given a goal whose local context is $\Gamma$ and a term $a$, this + function infers a type $A$ and a kind $K$ such that the judgement + $a:A:K$ is valid under $\Gamma$, or raises an exception if there + is no such judgement. A judgement is just a record type containing + the three terms $a$, $A$ and $K$.} +\fun{val Tacmach.pf\_infexecute : \\ + \qquad +goal sigma -> constr -> judgement * information} + {\\ In addition to the typing judgement, this function also extracts + the $F_{\omega}$ program underlying the term.} +\fun{val Tacmach.pf\_type\_of : goal sigma -> constr -> constr} + {Infers a term $A$ such that $\Gamma\vdash a:A$ for a given term + $a$, where $\Gamma$ is the local typing context of the goal.} +\fun{val Tacmach.pf\_check\_type : goal sigma -> constr -> constr -> bool} + {This function yields a type $A$ if the two given terms $a$ and $A$ verify $\Gamma\vdash + a:A$ in the local typing context $\Gamma$ of the goal. Otherwise, + it raises an exception.} +\fun{val Tacmach.pf\_constr\_of\_com : goal sigma -> CoqAst.t -> constr} + {Transforms an abstract syntax tree into a well-typed term of the + language of constructions. Raises an exception if the term cannot + be typed.} +\fun{val Tacmach.pf\_constr\_of\_com\_sort : goal sigma -> CoqAst.t -> constr} + {Transforms an abstract syntax tree representing a type into + a well-typed term of the language of constructions. Raises an + exception if the term cannot be typed.} +\fun{val Tacmach.pf\_parse\_const : goal sigma -> string -> constr} + {Constructs the constant whose name is the given string.} +\fun{val +Tacmach.pf\_reduction\_of\_redexp : \\ + \qquad goal sigma -> red\_expr -> constr -> constr} + {\\ Applies a certain kind of reduction function, specified by an + element of the type red\_expr.} +\fun{val Tacmach.pf\_conv\_x : goal sigma -> constr -> constr -> bool} + {Test whether two given terms are definitionally equal.} +\end{description} + +\subsection{Patterns} +\label{Patterns} + +The \ocaml{} file \texttt{Pattern} provides a quick way for describing a +term pattern and performing second-order, binding-preserving, matching +on it. Patterns are described using an extension of \Coq's concrete +syntax, where the second-order meta-variables of the pattern are +denoted by indexed question marks. + +Patterns may depend on constants, and therefore only to make have +sense when certain theories have been loaded. For this reason, they +are stored with a \textsl{module-marker}, telling us which modules +have to be open in order to use the pattern. The following functions +can be used to store and retrieve patterns form the pattern table: + +\begin{description} +\fun{val Pattern.make\_module\_marker : string list -> module\_mark} + {Constructs a module marker from a list of module names.} +\fun{val Pattern.put\_pat : module\_mark -> string -> marked\_term} + {Constructs a pattern from a parseable string containing holes + and a module marker.} +\fun{val Pattern.somatches : constr -> marked\_term-> bool} + {Tests if a term matches a pattern.} +\fun{val dest\_somatch : constr -> marked\_term -> constr list} + {If the term matches the pattern, yields the list of sub-terms + matching the occurrences of the pattern variables (ordered from + left to right). Raises a \texttt{UserError} exception if the term + does not match the pattern.} +\fun{val Pattern.soinstance : marked\_term -> constr list -> constr} + {Substitutes each hole in the pattern + by the corresponding term of the given the list.} +\end{description} + +\paragraph{Warning:} Sometimes, a \Coq\ term may have invisible +sub-terms that the matching functions are nevertheless sensible to. +For example, the \Coq\ term $(?_1,?_2)$ is actually a shorthand for +the expression $(\texttt{pair}\;?\;?\;?_1\;?_2)$. +Hence, matching this term pattern +with the term $(\texttt{true},\texttt{O})$ actually yields the list +$[?;?;\texttt{true};\texttt{O}]$ as result (and \textbf{not} +$[\texttt{true};\texttt{O}]$, as could be expected). + +\subsection{Patterns on Inductive Definitions} + +The module \texttt{Pattern} also includes some functions for testing +if the definition of an inductive type satisfies certain +properties. Such functions may be used to perform pattern matching +independently from the name given to the inductive type and the +universe it inhabits. They yield the value $(\texttt{Some}\;r::l)$ if +the input term reduces into an application of an inductive type $r$ to +a list of terms $l$, and the definition of $r$ satisfies certain +conditions. Otherwise, they yield the value \texttt{None}. + +\begin{description} +\fun{val Pattern.match\_with\_non\_recursive\_type : constr list option} + {Tests if the inductive type $r$ has no recursive constructors} +\fun{val Pattern.match\_with\_disjunction : constr list option} + {Tests if the inductive type $r$ is a non-recursive type + such that all its constructors have a single argument.} +\fun{val Pattern.match\_with\_conjunction : constr list option} + {Tests if the inductive type $r$ is a non-recursive type + with a unique constructor.} +\fun{val Pattern.match\_with\_empty\_type : constr list option} + {Tests if the inductive type $r$ has no constructors at all} +\fun{val Pattern.match\_with\_equation : constr list option} + {Tests if the inductive type $r$ has a single constructor + expressing the property of reflexivity for some type. For + example, the types $a=b$, $A\mbox{==}B$ and $A\mbox{===}B$ satisfy + this predicate.} +\end{description} + +\subsection{Elimination Tacticals} + +It is frequently the case that the subgoals generated by an +elimination can all be solved in a similar way, possibly parametrized +on some information about each case, like for example: +\begin{itemize} +\item the inductive type of the object being eliminated; +\item its arguments (if it is an inductive predicate); +\item the branch number; +\item the predicate to be proven; +\item the number of assumptions to be introduced by the case +\item the signature of the branch, i.e., for each argument of +the branch whether it is recursive or not. +\end{itemize} + +The following tacticals can be useful to deal with such situations. +They + +\begin{description} +\fun{val Elim.simple\_elimination\_then : \\ \qquad +(branch\_args -> tactic) -> constr -> tactic} + {\\ Performs the default elimination on the last argument, and then + tries to solve the generated subgoals using a given parametrized + tactic. The type branch\_args is a record type containing all + information mentioned above.} +\fun{val Elim.simple\_case\_then : \\ \qquad +(branch\_args -> tactic) -> constr -> tactic} + {\\ Similarly, but it performs case analysis instead of induction.} +\end{description} + +\section{A Complete Example} +\label{ACompleteExample} + +In order to illustrate the implementation of a new tactic, let us come +back to the problem of deciding the equality of two elements of an +inductive type. + +\subsection{Preliminaries} + +Let us call \texttt{newtactic} the directory that will contain the +implementation of the new tactic. In this directory will lay two +files: a file \texttt{eqdecide.ml}, containing the \ocaml{} sources that +implements the tactic, and a \Coq\ file \texttt{Eqdecide.v}, containing +its associated grammar rules and the commands to generate a module +that can be loaded dynamically from \Coq's toplevel. + +To compile our project, we will create a \texttt{Makefile} with the +command \texttt{do\_Makefile} (see section \ref{Makefile}) : + +\begin{quotation} + \texttt{do\_Makefile eqdecide.ml EqDecide.v > Makefile}\\ + \texttt{touch .depend}\\ + \texttt{make depend} +\end{quotation} + +We must have kept the sources of \Coq{} somewhere and to set an +environment variable \texttt{COQTOP} that points to that directory. + +\subsection{Implementing the Tactic} + +The file \texttt{eqdecide.ml} contains the implementation of the +tactic in \ocaml{}. Let us recall the main steps of the proof strategy +for deciding the proposition $(x,y:R)\{x=y\}+\{\neg x=y\}$ on the +inductive type $R$: +\begin{enumerate} +\item Eliminate $x$ and then $y$. +\item Try discrimination to solve those goals where $x$ and $y$ has +been introduced by different constructors. +\item If $x$ and $y$ have been introduced by the same constructor, + then analyze one by one the corresponding pairs of arguments. + If they are equal, rewrite one into the other. If they are + not, derive a contradiction from the invectiveness of the + constructor. +\item Once all the arguments have been rewritten, solve the left half +of the goal by reflexivity. +\end{enumerate} + +In the sequel we implement these steps one by one. We start opening +the modules necessary for the implementation of the tactic: + +\begin{verbatim} +open Names +open Term +open Tactics +open Tacticals +open Hiddentac +open Equality +open Auto +open Pattern +open Names +open Termenv +open Std +open Proof_trees +open Tacmach +\end{verbatim} + +The first step of the procedure can be straightforwardly implemented as +follows: + +\begin{verbatim} +let clear_last = (tclLAST_HYP (fun c -> (clear_one (destVar c))));; +\end{verbatim} + +\begin{verbatim} +let mkBranches = + (tclTHEN intro + (tclTHEN (tclLAST_HYP h_simplest_elim) + (tclTHEN clear_last + (tclTHEN intros + (tclTHEN (tclLAST_HYP h_simplest_case) + (tclTHEN clear_last + intros))))));; +\end{verbatim} + +Notice the use of the tactical \texttt{tclLAST\_HYP}, which avoids to +give a (potentially clashing) name to the quantified variables of the +goal when they are introduced. + +The second step of the procedure is implemented by the following +tactic: + +\begin{verbatim} +let solveRightBranch = (tclTHEN simplest_right discrConcl);; +\end{verbatim} + +In order to illustrate how the implementation of a tactic can be +hidden, let us do it with the tactic above: + +\begin{verbatim} +let h_solveRightBranch = + hide_atomic_tactic "solveRightBranch" solveRightBranch +;; +\end{verbatim} + +As it was already mentioned in Section \ref{WhatIsATactic}, the +combinator \texttt{hide\_atomic\_tactic} first registers the tactic +\texttt{solveRightBranch} in the table, and returns a tactic which +calls the interpreter with the used to register it. Hence, when the +tactical \texttt{Info} is used, our tactic will just inform that +\texttt{solveRightBranch} was applied, omitting all the details +corresponding to \texttt{simplest\_right} and \texttt{discrConcl}. + + + +The third step requires some auxiliary functions for constructing the +type $\{c_1=c_2\}+\{\neg c_1=c_2\}$ for a given inductive type $R$ and +two constructions $c_1$ and $c_2$, and for generalizing this type over +$c_1$ and $c_2$: + +\begin{verbatim} +let mmk = make_module_marker ["#Logic.obj";"#Specif.obj"];; +let eqpat = put_pat mmk "eq";; +let sumboolpat = put_pat mmk "sumbool";; +let notpat = put_pat mmk "not";; +let eq = get_pat eqpat;; +let sumbool = get_pat sumboolpat;; +let not = get_pat notpat;; + +let mkDecideEqGoal rectype c1 c2 g = + let equality = mkAppL [eq;rectype;c1;c2] in + let disequality = mkAppL [not;equality] + in mkAppL [sumbool;equality;disequality] +;; +let mkGenDecideEqGoal rectype g = + let hypnames = ids_of_sign (pf_hyps g) in + let xname = next_ident_away (id_of_string "x") hypnames + and yname = next_ident_away (id_of_string "y") hypnames + in (mkNamedProd xname rectype + (mkNamedProd yname rectype + (mkDecideEqGoal rectype (mkVar xname) (mkVar yname) g))) +;; +\end{verbatim} + +The tactic will depend on the \Coq modules \texttt{Logic} and +\texttt{Specif}, since we use the constants corresponding to +propositional equality (\texttt{eq}), computational disjunction +(\texttt{sumbool}), and logical negation (\texttt{not}), defined in +that modules. This is specified creating the module maker +\texttt{mmk} (cf. Section \ref{Patterns}). + +The third step of the procedure can be divided into three sub-steps. +Assume that both $x$ and $y$ have been introduced by the same +constructor. For each corresponding pair of arguments of that +constructor, we have to consider whether they are equal or not. If +they are equal, the following tactic is applied to rewrite one into +the other: + +\begin{verbatim} +let eqCase tac = + (tclTHEN intro + (tclTHEN (tclLAST_HYP h_rewriteLR) + (tclTHEN clear_last + tac))) +;; +\end{verbatim} + + +If they are not equal, then the goal is contraposed and a +contradiction is reached form the invectiveness of the constructor: + +\begin{verbatim} +let diseqCase = + let diseq = (id_of_string "diseq") in + let absurd = (id_of_string "absurd") + in (tclTHEN (intro_using diseq) + (tclTHEN h_simplest_right + (tclTHEN red_in_concl + (tclTHEN (intro_using absurd) + (tclTHEN (h_simplest_apply (mkVar diseq)) + (tclTHEN (h_injHyp absurd) + trivial )))))) +;; +\end{verbatim} + +In the tactic above we have chosen to name the hypotheses because +they have to be applied later on. This introduces a potential risk +of name clashing if the context already contains other hypotheses +also named ``diseq'' or ``absurd''. + +We are now ready to implement the tactic \textsl{SolveArg}. Given the +two arguments $a_1$ and $a_2$ of the constructor, this tactic cuts the +goal with the proposition $\{a_1=a_2\}+\{\neg a_1=a_2\}$, and then +applies the tactics above to each of the generated cases. If the +disjunction cannot be solved automatically, it remains as a sub-goal +to be proven. + +\begin{verbatim} +let solveArg a1 a2 tac g = + let rectype = pf_type_of g a1 in + let decide = mkDecideEqGoal rectype a1 a2 g + in (tclTHENS (h_elimType decide) + [(eqCase tac);diseqCase;default_auto]) g +;; +\end{verbatim} + +The following tactic implements the third and fourth steps of the +proof procedure: + +\begin{verbatim} +let conclpatt = put_pat mmk "{<?1>?2=?3}+{?4}" +;; +let solveLeftBranch rectype g = + let (_::(lhs::(rhs::_))) = + try (dest_somatch (pf_concl g) conclpatt) + with UserError ("somatch",_)-> error "Unexpected conclusion!" in + let nparams = mind_nparams rectype in + let getargs l = snd (chop_list nparams (snd (decomp_app l))) in + let rargs = getargs rhs + and largs = getargs lhs + in List.fold_right2 + solveArg largs rargs (tclTHEN h_simplest_left h_reflexivity) g +;; +\end{verbatim} + +Notice the use of a pattern to decompose the goal and obtain the +inductive type and the left and right hand sides of the equality. A +certain number of arguments correspond to the general parameters of +the type, and must be skipped over. Once the corresponding list of +arguments \texttt{rargs} and \texttt{largs} have been obtained, the +tactic \texttt{solveArg} is iterated on them, leaving a disjunction +whose left half can be solved by reflexivity. + +The following tactic joints together the three steps of the +proof procedure: + +\begin{verbatim} +let initialpatt = put_pat mmk "(x,y:?1){<?1>x=y}+{~(<?1>x=y)}" +;; +let decideGralEquality g = + let (typ::_) = try (dest_somatch (pf_concl g) initialpatt) + with UserError ("somatch",_) -> + error "The goal does not have the expected form" in + let headtyp = hd_app (pf_compute g typ) in + let rectype = match (kind_of_term headtyp) with + IsMutInd _ -> headtyp + | _ -> error ("This decision procedure only" + " works for inductive objects") + in (tclTHEN mkBranches + (tclORELSE h_solveRightBranch (solveLeftBranch rectype))) g +;; +;; +\end{verbatim} + +The tactic above can be specialized in two different ways: either to +decide a particular instance $\{c_1=c_2\}+\{\neg c_1=c_2\}$ of the +universal quantification; or to eliminate this property and obtain two +subgoals containing the hypotheses $c_1=c_2$ and $\neg c_1=c_2$ +respectively. + +\begin{verbatim} +let decideGralEquality = + (tclTHEN mkBranches (tclORELSE h_solveRightBranch solveLeftBranch)) +;; +let decideEquality c1 c2 g = + let rectype = pf_type_of g c1 in + let decide = mkGenDecideEqGoal rectype g + in (tclTHENS (cut decide) [default_auto;decideGralEquality]) g +;; +let compare c1 c2 g = + let rectype = pf_type_of g c1 in + let decide = mkDecideEqGoal rectype c1 c2 g + in (tclTHENS (cut decide) + [(tclTHEN intro + (tclTHEN (tclLAST_HYP simplest_case) + clear_last)); + decideEquality c1 c2]) g +;; +\end{verbatim} + +Next, for each of the tactics that will have an entry in the grammar +we construct the associated dynamic one to be registered in the table +of tactics. This function can be used to overload a tactic name with +several similar tactics. For example, the tactic proving the general +decidability property and the one proving a particular instance for +two terms can be grouped together with the following convention: if +the user provides two terms as arguments, then the specialized tactic +is used; if no argument is provided then the general tactic is invoked. + +\begin{verbatim} +let dyn_decideEquality args g = + match args with + [(COMMAND com1);(COMMAND com2)] -> + let c1 = pf_constr_of_com g com1 + and c2 = pf_constr_of_com g com2 + in decideEquality c1 c2 g + | [] -> decideGralEquality g + | _ -> error "Invalid arguments for dynamic tactic" +;; +add_tactic "DecideEquality" dyn_decideEquality +;; + +let dyn_compare args g = + match args with + [(COMMAND com1);(COMMAND com2)] -> + let c1 = pf_constr_of_com g com1 + and c2 = pf_constr_of_com g com2 + in compare c1 c2 g + | _ -> error "Invalid arguments for dynamic tactic" +;; +add_tactic "Compare" tacargs_compare +;; +\end{verbatim} + +This completes the implementation of the tactic. We turn now to the +\Coq file \texttt{Eqdecide.v}. + + +\subsection{The Grammar Rules} + +Associated to the implementation of the tactic there is a \Coq\ file +containing the grammar and pretty-printing rules for the new tactic, +and the commands to generate an object module that can be then loaded +dynamically during a \Coq\ session. In order to generate an ML module, +the \Coq\ file must contain a +\texttt{Declare ML module} command for all the \ocaml{} files concerning +the implementation of the tactic --in our case there is only one file, +the file \texttt{eqdecide.ml}: + +\begin{verbatim} +Declare ML Module "eqdecide". +\end{verbatim} + +The following grammar and pretty-printing rules are +self-explanatory. We refer the reader to the Section \ref{Grammar} for +the details: + +\begin{verbatim} +Grammar tactic simple_tactic := + EqDecideRuleG1 + [ "Decide" "Equality" comarg($com1) comarg($com2)] -> + [(DecideEquality $com1 $com2)] +| EqDecideRuleG2 + [ "Decide" "Equality" ] -> + [(DecideEquality)] +| CompareRule + [ "Compare" comarg($com1) comarg($com2)] -> + [(Compare $com1 $com2)]. + +Syntax tactic level 0: + EqDecideRulePP1 + [(DecideEquality)] -> + ["Decide" "Equality"] +| EqDecideRulePP2 + [(DecideEquality $com1 $com2)] -> + ["Decide" "Equality" $com1 $com2] +| ComparePP + [(Compare $com1 $com2)] -> + ["Compare" $com1 $com2]. +\end{verbatim} + + +\paragraph{Important:} The names used to label the abstract syntax tree +in the grammar rules ---in this case ``DecideEquality'' and +``Compare''--- must be the same as the name used to register the +tactic in the tactics table. This is what makes the links between the +input entered by the user and the tactic executed by the interpreter. + +\subsection{Loading the Tactic} + +Once the module \texttt{EqDecide.v} has been compiled, the tactic can +be dynamically loaded using the \texttt{Require} command. + +\begin{coq_example} +Require EqDecide. +Goal (x,y:nat){x=y}+{~x=y}. +Decide Equality. +\end{coq_example} + +The implementation of the tactic can be accessed through the +tactical \texttt{Info}: +\begin{coq_example} +Undo. +Info Decide Equality. +\end{coq_example} +\begin{coq_eval} +Abort. +\end{coq_eval} + +Remark that the task performed by the tactic \texttt{solveRightBranch} +is not displayed, since we have chosen to hide its implementation. + +\section{Testing and Debugging your Tactic} +\label{test-and-debug} + +When your tactic does not behave as expected, it is possible to trace +it dynamically from \Coq. In order to do this, you have first to leave +the toplevel of \Coq, and come back to the \ocaml{} interpreter. This can +be done using the command \texttt{Drop} (cf. Section \ref{Drop}). Once +in the \ocaml{} toplevel, load the file \texttt{tactics/include.ml}. +This file installs several pretty printers for proof trees, goals, +terms, abstract syntax trees, names, etc. It also contains the +function \texttt{go:unit -> unit} that enables to go back to \Coq's +toplevel. + +The modules \texttt{Tacmach} and \texttt{Pfedit} contain some basic +functions for extracting information from the state of the proof +engine. Such functions can be used to debug your tactic if +necessary. Let us mention here some of them: + +\begin{description} +\fun{val get\_pftreestate : unit -> pftreestate} + {Projects the current state of the proof engine.} +\fun{val proof\_of\_pftreestate : pftreestate -> proof} + {Projects the current state of the proof tree. A pretty-printer + displays it in a readable form. } +\fun{val top\_goal\_of\_pftreestate : pftreestate -> goal sigma} + {Projects the goal and the existential variables mapping from + the current state of the proof engine.} +\fun{val nth\_goal\_of\_pftreestate : int -> pftreestate -> goal sigma} + {Projects the goal and mapping corresponding to the $nth$ subgoal + that remains to be proven} +\fun{val traverse : int -> pftreestate -> pftreestate} + {Yields the children of the node that the current state of the + proof engine points to.} +\fun{val solve\_nth\_pftreestate : \\ \qquad +int -> tactic -> pftreestate -> pftreestate} + {\\ Provides the new state of the proof engine obtained applying + a given tactic to some unproven sub-goal.} +\end{description} + +Finally, the traditional \ocaml{} debugging tools like the directives +\texttt{trace} and \texttt{untrace} can be used to follow the +execution of your functions. Frequently, a better solution is to use +the \ocaml{} debugger, see Chapter \ref{Utilities}. + + +%\end{document} diff --git a/doc/RefMan-uti.tex b/doc/RefMan-uti.tex new file mode 100755 index 000000000..cd266d4cf --- /dev/null +++ b/doc/RefMan-uti.tex @@ -0,0 +1,292 @@ +\chapter{Utilities}\label{Utilities} + +The distribution provides utilities to simplify some tedious works +beside proof development, tactics writing or documentation. + +\section{Building a toplevel extended with user tactics} +\label{Coqmktop}\index{Coqmktop@{\tt coqmktop}} + +The native-code version of \Coq\ cannot dynamically load user tactics +using Objective Caml code. It is possible to build a toplevel of \Coq, +with Objective Caml code statically linked, with the tool {\tt + coqmktop}. + +For example, one can build a native-code \Coq\ toplevel extended with a tactic +which source is in {\tt tactic.ml} with the command +\begin{verbatim} + % coqmktop -opt -o mytop.out tactic.cmx +\end{verbatim} +where {\tt tactic.ml} has been compiled with the native-code +compiler {\tt ocamlopt}. This command generates an image of \Coq\ +called {\tt mytop.out}. One can run this new toplevel with the command +{\tt coqtop -image mytop.out}. + +A basic example is the native-code version of \Coq\ ({\tt coqtop + -opt}), which can be generated by {\tt coqmktop -opt -o coqopt.out}. + +See the man page of {\tt coqmktop} for more details and options. + + +\paragraph{Application: how to use the Objective Caml debugger with Coq.} +\index{Debugger} + +One useful application of \texttt{coqmktop} is to build a \Coq\ toplevel in +order to debug your tactics with the Objective Caml debugger. +You need to have configured and compiled \Coq\ for debugging +(see the file \texttt{INSTALL} included in the distribution). +Then, you must compile the Caml modules of your tactic with the +option \texttt{-g} (with the bytecode compiler) and build a stand-alone +bytecode toplevel with the following command: + +\begin{quotation} +\texttt{\% coqmktop -g -o coq-debug}~\emph{<your \texttt{.cmo} files>} +\end{quotation} + + +To launch the \ocaml debugger with the image you need to execute it in +an environment which correctly sets the \texttt{COQLIB} variable. +Moreover, you have to indicate the directories in which +\texttt{ocamldebug} should search for Caml modules. + +A possible solution is to use a wrapper around \texttt{ocamldebug} +which detects the executables containing the word \texttt{coq}. In +this case, the debugger is called with the required additional +arguments. In other cases, the debugger is simply called without additional +arguments. Such a wrapper can be found in the \texttt{tools/dev} +subdirectory of the sources. + +\section{Modules dependencies}\label{Dependencies}\index{Dependencies} + \index{Coqdep@{\tt coqdep}} + +In order to compute modules dependencies (so to use {\tt make}), +\Coq\ comes with an appropriate tool, {\tt coqdep}. + +{\tt coqdep} computes inter-module dependencies for \Coq\ and +\ocaml\ programs, and prints the dependencies on the standard +output in a format readable by make. When a directory is given as +argument, it is recursively looked at. + +Dependencies of \Coq\ modules are computed by looking at {\tt Require} +commands ({\tt Require}, {\tt Requi\-re Export}, {\tt Require Import}, +{\tt Require Implementation}), but also at the command {\tt Declare ML Module}. + +Dependencies of \ocaml\ modules are computed by looking at +\verb!open! commands and the dot notation {\em module.value}. + +See the man page of {\tt coqdep} for more details and options. + + +\section{Creating a {\tt Makefile} for \Coq\ modules} +\label{Makefile} +\index{Makefile@{\tt Makefile}} +\index{DoMakefile@{\tt do\_Makefile}} + +When a proof development becomes large and is split into several files, +it becomes crucial to use a tool like {\tt make} to compile \Coq\ +modules. + +The writing of a generic and complete {\tt Makefile} may seem tedious +and that's why \Coq\ provides a tool to automate its creation, +{\tt do\_Makefile}. Given the files to compile, the command {\tt +do\_Makefile} prints a +{\tt Makefile} on the standard output. So one has just to run the +command: + +\begin{quotation} +\texttt{\% do\_Makefile} {\em file$_1$.v \dots\ file$_n$.v} \texttt{> Makefile} +\end{quotation} + +The resulted {\tt Makefile} has a target {\tt depend} which computes the +dependencies and puts them in a separate file {\tt .depend}, which is +included by the {\tt Makefile}. +Therefore, you should create such a file before the first invocation +of make. You can for instance use the command + +\begin{quotation} +\texttt{\% touch .depend} +\end{quotation} + +Then, to initialize or update the modules dependencies, type in: + +\begin{quotation} +\texttt{\% make depend} +\end{quotation} + +There is a target {\tt all} to compile all the files {\em file$_1$ +\dots\ file$_n$}, and a generic target to produce a {\tt .vo} file from +the corresponding {\tt .v} file (so you can do {\tt make} {\em file}{\tt.vo} +to compile the file {\em file}{\tt.v}). + +{\tt do\_Makefile} can also handle the case of ML files and +subdirectories. For more options type + +\begin{quotation} +\texttt{\% do\_Makefile --help} +\end{quotation} + +\Warning To compile a project containing \ocaml{} files you must keep +the sources of \Coq{} somewhere and have an environment variable named +\texttt{COQTOP} that points to that directory. + +\section{{\sf Coq\_SearchIsos}: information retrieval in a \Coq\ proofs +library} +\label{coqsearchisos} +\index{Coq\_SearchIsos@{\sf Coq\_SearchIsos}} + +In the \Coq\ distribution, there is also a separated and independent tool, +called {\sf Coq\_SearchIsos}, which allows the search in accordance with {\tt +SearchIsos}\index{SearchIsos@{\tt SearchIsos}} (see section~\ref{searchisos}) +in a \Coq\ proofs library. More precisely, this program begins, once launched +by {\tt coqtop -searchisos}\index{coqtopsearchisos@{\tt +coqtop -searchisos}}, loading lightly (by using specifications functions) +all the \Coq\ objects files ({\tt .vo}) accessible by the {\tt LoadPath} (see +section~\ref{loadpath}). Next, a prompt appears and four commands are then +available: + +\begin{description} +\item [{\tt SearchIsos}]\ \\ + Scans the fixed context. +\item [{\tt Time}]\index{Time@{\tt Time}}\ \\ + Turns on the Time Search Display mode (see section~\ref{time}). +\item [{\tt Untime}]\index{Untime@{\tt Untime}}\ \\ + Turns off the Time Search Display mode (see section~\ref{time}). +\item [{\tt Quit}]\index{Quit@{\tt Quit}}\ \\ + Ends the {\tt coqtop -searchisos} session. +\end{description} + +When running {\tt coqtop -searchisos} you can use the two options: + +\begin{description} +\item[{\tt -opt}]\ \\ + Runs the native-code version of {\sf Coq\_SearchIsos}. + +\item[{\tt -image} {\em file}]\ \\ + This option sets the binary image to be used to be {\em file} + instead of the standard one. Not of general use. +\end{description} + + +\section{\Coq\ and \LaTeX}\label{Latex} + \index{Latex@{\LaTeX}} + +\subsection{Embedded \Coq\ phrases inside \LaTeX\ documents} + \index{Coqtex@{\tt coq-tex}} + +When writing a documentation about a proof development, one may want +to insert \Coq\ phrases inside a \LaTeX\ document, possibly together with +the corresponding answers of the system. We provide a +mechanical way to process such \Coq\ phrases embedded in \LaTeX\ files: the +{\tt coq-tex} filter. This filter extracts Coq phrases embedded in +LaTeX files, evaluates them, and insert the outcome of the evaluation +after each phrase. + +Starting with a file {\em file}{\tt.tex} containing \Coq\ phrases, +the {\tt coq-tex} filter produces a file named {\em file}{\tt.v.tex} with +the \Coq\ outcome. + +There are options to produce the \Coq\ parts in smaller font, italic, +between horizontal rules, etc. +See the man page of {\tt coq-tex} for more details. + +\medskip\noindent {\bf Remark.} This Reference Manual and the Tutorial +have been completely produced with {\tt coq-tex}. + + +\subsection{Pretty printing \Coq\ listings with \LaTeX} + \index{Coq2latex@{\tt coq2latex}} + +\verb!coq2latex! is a tool for printing \Coq\ listings using \LaTeX\ : +keywords are printed in bold face, comments in italic, some tokens +are printed in a nicer way (\verb!->! becomes $\rightarrow$, etc.) +and indentations are kept at the beginning of lines. +Line numbers are printed in the right margin, every 10 lines. + +In regular mode, the command + +\begin{flushleft} +~~~~~\texttt{\% coq2latex {\rm\em file}} +\end{flushleft} + +\noindent produces a \LaTeX\ file which is sent to the \verb!latex! command, +and the result to the \verb!dvips! command. + +It is also possible to get the \LaTeX\ file, DVI file or PostSCript +file, on the standard output or in a file. See the man page of {\tt +coq2latex} for more details and options. + + +\section{\Coq\ and HTML}\label{Html}\index{HTML} + \index{Coq2html@{\tt coq2html}} + +As for \LaTeX, it is also possible to pretty print \Coq\ listing with +HTML. The document looks like the \LaTeX\ one, with links added when +possible : links to other \Coq\ modules in {\tt Require} commands, and +links to identifiers defined in other modules (when they are found in a +path given with {\tt -I} options). + +In regular mode, the command + +\begin{flushleft} +~~~~~\texttt{\% coq2html {\rm\em file}.v} +\end{flushleft} + +\noindent produces an HTML document {{\em file}{\tt .html}}. + +See the man page of {\tt coq2html} for more details and options. + + +\section{\Coq\ and \emacs}\label{Emacs}\index{Emacs} + +\Coq\ comes with a Major mode for \emacs, {\tt coq.el}. This mode provides +syntax highlighting (assuming your \emacs\ library provides +{\tt hilit19.el}) and also a rudimentary indentation facility +in the style of the Caml \emacs\ mode. + +Add the following lines to your \verb!.emacs! file: + +\begin{verbatim} + (setq auto-mode-alist (cons '("\\.v$" . coq-mode) auto-mode-alist)) + (autoload 'coq-mode "coq" "Major mode for editing Coq vernacular." t) +\end{verbatim} + +The \Coq\ major mode is triggered by visiting a file with extension {\tt .v}, +or manually with the command \verb!M-x coq-mode!. +It gives you the correct syntax table for +the \Coq\ language, and also a rudimentary indentation facility: +\begin{itemize} + \item pressing {\sc Tab} at the beginning of a line indents the line like + the line above; + + \item extra {\sc Tab}s increase the indentation level + (by 2 spaces by default); + + \item M-{\sc Tab} decreases the indentation level. +\end{itemize} + + +\section{Module specification}\label{gallina}\index{Gallina@{\tt gallina}} + +Given a \Coq\ vernacular file, the {\tt gallina} filter extracts its +specification (inductive types declarations, definitions, type of +lemmas and theorems), removing the proofs parts of the file. The \Coq\ +file {\em file}{\tt.v} gives birth to the specification file +{\em file}{\tt.g} (where the suffix {\tt.g} stands for {\sf Gallina}). + +See the man page of {\tt gallina} for more details and options. + + +\section{Man pages}\label{ManPages}\index{Man pages} + +There are man pages for the commands {\tt coqtop}, {\tt coqc}, {\tt coqmktop}, +{\tt coqdep}, {\tt gallina},\linebreak{} {\tt coq-tex}, {\tt +coq2latex} and {\tt coq2html}. Man pages are installed at installation time +(see installation instructions in file {\tt INSTALL}, step 6). + +\addtocontents{sh}{ENDREFMAN=\thepage} + +% $Id$ + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: t +%%% End: diff --git a/doc/Reference-Manual.tex b/doc/Reference-Manual.tex new file mode 100644 index 000000000..1250a580e --- /dev/null +++ b/doc/Reference-Manual.tex @@ -0,0 +1,84 @@ +\documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} +\usepackage[latin1]{inputenc} +\usepackage{verbatim} +\usepackage{palatino} + +\makeatletter + +%\includeonly{Polynom.v} + +\input{./macros.tex}% extension .tex pour htmlgen +\input{./title.tex}% extension .tex pour htmlgen +\input{./headers.tex}% extension .tex pour htmlgen + +\makeatother + +\begin{document} +\tophtml{} +\coverpage{Reference Manual}{Bruno~Barras, Samuel~Boutin, + Cristina~Cornes, Judicaël~Courant, Yann~Coscoy, David~Delahaye, + Daniel~de~Rauglaudre, Jean-Christophe~Filliâtre, Eduardo~Giménez, + Hugo~Herbelin, Gérard~Huet, Henri~Laulhère, César~Muñoz, + Chetan~Murthy, Catherine~Parent-Vigouroux, Patrick~Loiseleur, + Christine~Paulin-Mohring, Amokrane~Saïbi, Benjamin~Werner} + +%\defaultheaders +\include{RefMan-int}% Introduction +\include{RefMan-pre}% Credits + +\tableofcontents + +\part{The language} +\defaultheaders +\include{RefMan-gal.v}% Gallina +\include{RefMan-ext.v}% Gallina extensions +\include{RefMan-lib.v}% The coq library +\include{RefMan-cic.v}% The Calculus of Constructions + +\part{The proof engine} +\include{RefMan-oth}% Vernacular commands +\include{RefMan-pro}% Proof handling +\include{RefMan-tac.v}% Tactics and tacticals +\include{RefMan-tacex.v}% Detailed Examples of tactics + +\part{User extensions} +\include{RefMan-syn.v}% The Syntax and the Grammad commands +\include{RefMan-tus.v}% Writing tactics + +\part{Practical tools} +\include{RefMan-com}% The coq commands (coqc coqtop) +\include{RefMan-uti}% utilities (gallina, do_Makefile, etc) + +\include{AddRefMan-pre}% +\include{Cases.v}% +\include{Coercion.v}% +\include{Natural.v}% +\include{Omega.v}% +\include{Program.v}% +\include{Programs.v}% = preuve de pgms imperatifs +\include{Extraction.v}% +\include{Polynom.v}% = Ring + +\addtocontents{sh}{ENDADDENDUM=\thepage} + +\nocite{*} +\bibliographystyle{plain} +\bibliography{biblio} +\addtocontents{sh}{psselect -q -p-$ENDREFMAN,$BEGINBIBLIO- Reference-Manual.ps Reference-Manual-base.ps} +\addtocontents{sh}{psselect -q -p$BEGINADDENDUM-$ENDADDENDUM Reference-Manual.ps Reference-Manual-addendum.ps} +\addtocontents{sh}{dviselect -i Reference-Manual.dvi -o Reference-Manual-base.dvi 1-$ENDREFMAN $BEGINBIBLIO-} +\addtocontents{sh}{dviselect -i Reference-Manual.dvi -o Reference-Manual-addendum.dvi $BEGINADDENDUM-$ENDADDENDUM} + +\printindex + +\printindex[tactic] + +\printindex[command] + +\printindex[error] + +\end{document} + + +% $Id$ diff --git a/doc/Tutorial-cover.tex b/doc/Tutorial-cover.tex new file mode 100644 index 000000000..832739c3e --- /dev/null +++ b/doc/Tutorial-cover.tex @@ -0,0 +1,50 @@ +\documentstyle[RRcover]{book} + % L'utilisation du style `french' force le résumé français à + % apparaître en premier. +\RRetitle{ +The Coq Proof Assistant \\ A Tutorial \\ Version 6.1 +\thanks{This research was partly supported by ESPRIT Basic Research +Action ``Types'' and by the GDR ``Programmation'' co-financed by MRE-PRC and CNRS.} +} +\RRtitle{Coq \\ Une introduction \\ V6.1 } +\RRauthor{G\'erard Huet, Gilles Kahn and Christine Paulin-Mohring} +\RRtheme{2} +\RRprojet{{Coq +\\[15pt] +{INRIA Rocquencourt} +{\hskip -5.25pt} +~~{\bf ---}~~ + \def\thefootnote{\arabic{footnote}\hss} +{CNRS - ENS Lyon} +\footnote[1]{LIP URA 1398 du CNRS, +46 All\'ee d'Italie, 69364 Lyon CEDEX 07, France.} +{\hskip -14pt}}} + +%\RRNo{0123456789} +\RRNo{0204} +\RRdate{Ao\^ut 1997} + +\URRocq +\RRresume{Coq est un syst\`eme permettant le d\'eveloppement et la +v\'erification de preuves formelles dans une logique d'ordre +sup\'erieure incluant un riche langage de d\'efinitions de fonctions. +Ce document constitue une introduction pratique \`a l'utilisation de +la version V6.1 qui est distribu\'ee par ftp anonyme aux adresses +ftp.inria.fr:/INRIA/Projects/coq/V6.1 et +ftp.ens-lyon.fr:/pub/LIP/COQ/V6.1} + +\RRmotcle{Coq, Syst\`eme d'aide \`a la preuve, Preuves formelles, Calcul +des Constructions Inductives} + +\RRabstract{Coq is a proof assistant based on a higher-order logic +allowing powerful definitions of functions. This document is a +tutorial for the version V6.1 of Coq. This version is available by +anonymous ftp at ftp.inria.fr:/INRIA/Projects/coq/V6.1 and +ftp.ens-lyon.fr:/pub/LIP/COQ/V6.1} + +\RRkeyword{Coq, Proof Assistant, Formal Proofs, Calculus of Inductives +Constructions} + +\begin{document} +\makeRT +\end{document} diff --git a/doc/Tutorial.tex b/doc/Tutorial.tex new file mode 100755 index 000000000..a2459384c --- /dev/null +++ b/doc/Tutorial.tex @@ -0,0 +1,1563 @@ +\documentclass[11pt]{book} +\usepackage[T1]{fontenc} +\usepackage[latin1]{inputenc} +\usepackage{palatino} + +\input{./macros.tex} +\input{./title.tex} + +%\makeindex + +\begin{document} +\coverpage{A Tutorial}{Gérard Huet, Gilles Kahn and Christine Paulin-Mohring} + +%\tableofcontents + +\chapter*{Getting started} + +\Coq\ is a Proof Assistant for a Logical Framework known as the Calculus +of Inductive Constructions. It allows the interactive construction of +formal proofs, and also the manipulation of functional programs +consistently with their specifications. It runs as a computer program +on many architectures, and mainly on Unix machines. It is available +with a variety of user interfaces. The present document does not attempt +to present a comprehensive view of all the possibilities of \Coq, but rather +to present in the most elementary manner a tutorial on the basic +specification language, called Gallina, in which formal axiomatisations +may be developed, and on the main proof tools. + +We assume here that the potential user has installed \Coq~ on his workstation, +that he calls \Coq~ from a standard teletype-like shell window, and that +he does not use any special interface such as Emacs or Centaur. +Instructions on installation procedures, as well as more comprehensive +documentation, may be found in the standard distribution of \Coq, +which may be obtained by anonymous FTP from site \verb:ftp.inria.fr:, +directory \verb:INRIA/coq/V6.3.1:. + +In the following, all examples preceded by the prompting sequence +\verb:Coq < : represent user input, terminated by a period. The +following lines usually show \Coq's answer as it appears on the users's +screen. The sequence of such examples is a valid \Coq~ session, unless +otherwise specified. This version of the tutorial has been prepared +on a SPARC station running UNIX. +The standard invocation of \Coq\ delivers a message such as: + +\begin{small} +\begin{flushleft} +\begin{verbatim} +unix: coqtop +Welcome to Coq V6.3.1 (December 1999) + +Coq < +\end{verbatim} +\end{flushleft} +\end{small} + +The first line gives a banner stating the precise version of \Coq~ +used. You should always return this banner when you report an +anomaly to our hotline \verb:coq@pauillac.inria.fr:. +%The next lines are warnings which may be safely ignored for the time being. + +\chapter{Basic Predicate Calculus} + +\section{An overview of the specification language Gallina} + +A formal development in Gallina consists in a sequence of {\sl declarations} +and {\sl definitions}. You may also send \Coq~ {\sl commands} which are +not really part of the formal development, but correspond to information +requests, or service routine invocations. For instance, the command: +\begin{verbatim} +Coq < Quit. +\end{verbatim} +terminates the current session. + +\subsection{Declarations} + +A declaration associates a {\sl name} with +a {\sl specification}. +A name corresponds roughly to an identifier in a programming +language, i.e. to a string of letters, digits, and a few ASCII symbols like +underscore (\verb"_") and prime (\verb"'"), starting with a letter. +We use case distinction, so that the names \verb"A" and \verb"a" are distinct. +Certain strings are reserved as key-words of \Coq, and thus are forbidden +as user identifiers. + +A specification is a formal expression which classifies the notion which is +being declared. There are basically three kinds of specifications: +{\sl logical propositions}, {\sl mathematical collections}, and +{\sl abstract types}. They are classified by the three basic sorts +of the system, called respectively \verb:Prop:, \verb:Set:, and +\verb:Type:, which are themselves atomic abstract types. + +Every valid expression $e$ in Gallina is associated with a specification, +itself a valid expression, called its {\sl type} $\tau(E)$. We write +$e:\tau(E)$ for the judgement that $e$ is of type $E$. +%CP Le role de \tau n'est pas clair. +You may request \Coq~ to return to you the type of a valid expression by using +the command \verb:Check:: + +\begin{coq_example} +Check O. +\end{coq_example} + +Thus we know that the identifier \verb:O: (the name `O', not to be +confused with the numeral `0' which is not a proper identifier!) is +known in the current context, and that its type is the specification +\verb:nat:. This specification is itself classified as a mathematical +collection, as we may readily check: + +\begin{coq_example} +Check nat. +\end{coq_example} + +The specification \verb:Set: is an abstract type, one of the basic +sorts of the Gallina language, whereas the notions $nat$ and $O$ are +axiomatised notions which are defined in the arithmetic prelude, +automatically loaded when running the \Coq\ system. + +With what we already know, we may now enter in the system a declaration, +corresponding to the informal mathematics {\sl let n be a natural number}: + +\begin{coq_example} +Variable n:nat. +\end{coq_example} + +If we want to translate a more precise statement, such as +{\sl let n be a positive natural number}, +we have to add another declaration, which will declare explicitly the +hypothesis \verb:Pos_n:, with specification the proper logical +proposition: +\begin{coq_example} +Hypothesis Pos_n : (gt n O). +\end{coq_example} + +Indeed we may check that the relation \verb:gt: is known with the right type +in the current context: + +\begin{coq_example} +Check gt. +\end{coq_example} + +which tells us that \verb:gt: is a function expecting two arguments of +type \verb:nat: in order to build a logical proposition. +What happens here is similar to what we are used to in a functional +programming language: we may compose the (specification) type \verb:nat: +with the (abstract) type \verb:Prop: of logical propositions through the +arrow function constructor, in order to get a functional type +\verb:nat->Prop:: +\begin{coq_example} +Check nat->Prop. +\end{coq_example} +which may be composed again with \verb:nat: in order to obtain the +type \verb:nat->nat->Prop: of binary relations over natural numbers. +Actually \verb:nat->nat->Prop: is an abbreviation for +\verb:nat->(nat->Prop):. + +Functional notions may be composed in the usual way. An expression $f$ +of type $A\ra B$ may be applied to an expression $e$ of type $A$ in order +to form the expression $(f~e)$ of type $B$. Here we get that +the expression \verb:(gt n): is well-formed of type \verb:nat->Prop:, +and thus that the expression \verb:(gt n O):, which abbreviates +\verb:((gt n) O):, is a well-formed proposition. +\begin{coq_example} +Check (gt n O). +\end{coq_example} + +\subsection{Definitions} + +The initial prelude contains a few arithmetic definitions: +\verb:nat: is defined as a mathematical collection (type \verb:Set:), constants +\verb:O:, \verb:S:, \verb:plus:, are defined as objects of types +respectively \verb:nat:, \verb:nat->nat:, and \verb:nat->nat->nat:. +You may introduce new definitions, which link a name to a well-typed value. +For instance, we may introduce the constant \verb:one: as being defined +to be equal to the successor of zero: +\begin{coq_example} +Definition one := (S O). +\end{coq_example} +We may optionally indicate the required type: +\begin{coq_example} +Definition two : nat := (S one). +\end{coq_example} + +Actually \Coq~ allows several possible syntaxes: +\begin{coq_example} +Definition three := (S two) : nat. +\end{coq_example} + +Here is a way to define the doubling function, which expects an +argument \verb:m: of type \verb:nat: in order to build its result as +\verb:(plus m m):: + +\begin{coq_example} +Definition double := [m:nat](plus m m). +\end{coq_example} +The abstraction brackets are explained as follows. The expression +\verb+[x:A]e+ is well formed of type \verb+A->B+ in a context +whenever the expression \verb+e+ is well-formed of type \verb+B+ in +the given context to which we add the declaration that \verb+x+ +is of type \verb+A+. Here $x$ is a bound, or dummy variable in +the expression \verb+[x:A]e+. For instance we could as well have +defined \verb:double: as \verb+[n:nat](plus n n)+. + +Bound (local) variables and free (global) variables may be mixed. +For instance, we may define the function which adds the constant \verb:n: +to its argument as +\begin{coq_example} +Definition add_n := [m:nat](plus m n). +\end{coq_example} +However, note that here we may not rename the formal argument $m$ into $n$ +without capturing the free occurrence of $n$, and thus changing the meaning +of the defined notion. + +Binding operations are well known for instance in logic, where they +are called quantifiers. +Thus we may universally quantify a proposition such as $m>0$ in order +to get a universal proposition $\forall m\cdot m>0$. Indeed this +operator is available in \Coq, with the following syntax: +\verb+(m:nat)(gt m O)+. Similarly to the case of the functional abstraction +binding, we are obliged to declare explicitly the type of the quantified +variable. We check: +\begin{coq_example} +Check (m:nat)(gt m O). +\end{coq_example} + +\section{Introduction to the proof engine: Minimal Logic} + +In the following, we are going to consider various propositions, built +from atomic propositions $A, B, C$. This may be done easily, by +introducing these atoms as global variables declared of type \verb:Prop:. +It is easy to declare several names with the same specification: +\begin{coq_example} +Variables A,B,C:Prop. +\end{coq_example} + +We shall consider simple implications, such as $A\ra B$, read as +``$A$ implies $B$''. Remark that we overload the arrow symbol, which +has been used above as the functionality type constructor, and which +may be used as well as propositional connective: +\begin{coq_example} +Check A->B. +\end{coq_example} + +Let us now embark on a simple proof. We want to prove the easy tautology +$((A\ra (B\ra C))\ra (A\ra B)\ra (A\ra C)$. +We enter the proof engine by the command +\verb:Goal:, followed by the conjecture we want to verify: +\begin{coq_example} +Goal (A->(B->C))->(A->B)->(A->C). +\end{coq_example} + +The system displays the current goal below a double line, local hypotheses +(there are none initially) being displayed above the line. We call +the combination of local hypotheses with a goal a {\sl judgement}. +The new prompt \verb:Unnamed_thm <: indicates that we are now in an inner +loop of the system, in proof mode. New commands are available in this +mode, such as {\sl tactics}, which are proof combining primitives. +A tactic operates on the current goal by attempting to construct a proof +of the corresponding judgement, possibly from proofs of some +hypothetical judgements, which are then added to the current +list of conjectured judgements. +For instance, the \verb:Intro: tactic is applicable to any judgement +whose goal is an implication, by moving the proposition to the left +of the application to the list of local hypotheses: +\begin{coq_example} +Intro H. +\end{coq_example} + +%{\bf Warning} to users of \Coq~ previous versions: The display of a sequent in +%older versions of \Coq~ is inverse of this convention: the goal is displayed +%above the double line, the hypotheses below. + +Several introductions may be done in one step: +\begin{coq_example} +Intros H' HA. +\end{coq_example} + +We notice that $C$, the current goal, may be obtained from hypothesis +\verb:H:, provided the truth of $A$ and $B$ are established. +The tactic \verb:Apply: implements this piece of reasoning: +\begin{coq_example} +Apply H. +\end{coq_example} + +We are now in the situation where we have two judgements as conjectures +that remain to be proved. Only the first is listed in full, for the +others the system displays only the corresponding subgoal, without its +local hypotheses list. Remark that \verb:Apply: has kept the local +hypotheses of its father judgement, which are still available for +the judgements it generated. + +In order to solve the current goal, we just have to notice that it is +exactly available as hypothesis $HA$: +\begin{coq_example} +Exact HA. +\end{coq_example} + +Now $H'$ applies: +\begin{coq_example} +Apply H'. +\end{coq_example} + +And we may now conclude the proof as before, with \verb:Exact HA.: +Actually, we may not bother with the name \verb:HA:, and just state that +the current goal is solvable from the current local assumptions: +\begin{coq_example} +Assumption. +\end{coq_example} + +The proof is now finished. We may either discard it, by using the +command \verb:Abort: which returns to the standard \Coq~ toplevel loop +without further ado, or else save it as a lemma in the current context, +under name say \verb:trivial_lemma:: +\begin{coq_example} +Save trivial_lemma. +\end{coq_example} + +As a comment, the system shows the proof script listing all tactic +commands used in the proof. % ligne blanche apres Exact HA?? + +Let us redo the same proof with a few variations. First of all we may name +the initial goal as a conjectured lemma: +\begin{coq_example} +Lemma distr_impl : (A->(B->C))->(A->B)->(A->C). +\end{coq_example} + +%{\bf Warning} to users of \Coq~ older versions: In order to enter the proof +%engine, at this point a dummy \verb:Goal.: command had to be typed in. + +Next, we may omit the names of local assumptions created by the introduction +tactics, they can be automatically created by the proof engine as new +non-clashing names. +\begin{coq_example} +Intros. +\end{coq_example} + +The \verb:Intros: tactic, with no arguments, effects as many individual +applications of \verb:Intro: as is legal. + +Then, we may compose several tactics together in sequence, or in parallel, +through {\sl tacticals}, that is tactic combinators. The main constructions +are the following: +\begin{itemize} +\item $T_1 ; T_2$ (read $T_1$ then $T_2$) applies tactic $T_1$ to the current +goal, and then tactic $T_2$ to all the subgoals generated by $T_1$. +\item $T; [T_1 | T_2 | ... | T_n]$ applies tactic $T$ to the current +goal, and then tactic $T_1$ to the first newly generated subgoal, +..., $T_n$ to the nth. +\end{itemize} + +We may thus complete the proof of \verb:distr_impl: with one composite tactic: +\begin{coq_example} +Apply H; [Assumption | Apply H0; Assumption]. +\end{coq_example} + +Let us now save lemma \verb:distr_impl:: +\begin{coq_example} +Save. +\end{coq_example} + +Here \verb:Save: needs no argument, since we gave the name \verb:distr_impl: +in advance; +it is however possible to override the given name by giving a different +argument to command \verb:Save:. + +Actually, such an easy combination of tactics \verb:Intro:, \verb:Apply: +and \verb:Assumption: may be found completely automatically by an automatic +tactic, called \verb:Auto:, without user guidance: +\begin{coq_example} +Lemma distr_imp : (A->(B->C))->(A->B)->(A->C). +Auto. +\end{coq_example} + +This time, we do not save the proof, we just discard it with the \verb:Abort: +command: + +\begin{coq_example} +Abort. +\end{coq_example} + +At any point during a proof, we may use \verb:Abort: to exit the proof mode +and go back to Coq's main loop. We may also use \verb:Restart: to restart +from scratch the proof of the same lemma. We may also use \verb:Undo: to +backtrack one step, and more generally \verb:Undo n: to +backtrack n steps. + +We end this section by showing a useful command, \verb:Inspect n.:, +which inspects the global \Coq~ environment, showing the last \verb:n: declared +notions: % Attention ici ?? +\begin{coq_example} +Inspect 3. +\end{coq_example} + +The declarations, whether global parameters or axioms, are shown preceded by +\verb:***:; definitions and lemmas are stated with their specification, but +their value (or proof-term) is omitted. + +\section{Propositional Calculus} + +\subsection{Conjunction} + +We have seen that how \verb:Intro: and \verb:Apply: tactics could be combined +in order to prove implicational statements. More generally, \Coq~ favors a style +of reasoning, called {\sl Natural Deduction}, which decomposes reasoning into +so called {\sl introduction rules}, which tell how to prove a goal whose main +operator is a given propositional connective, and {\sl elimination rules}, +which tell how to use an hypothesis whose main operator is the propositional +connective. Let us show how to use these ideas for the propositional connectives +\verb:/\: and \verb:\/:. + +\begin{coq_example} +Lemma and_commutative : A /\ B -> B /\ A. +Intro. +\end{coq_example} + +We make use of the conjunctive hypothesis \verb:H: with the \verb:Elim: tactic, +which breaks it into its components: +\begin{coq_example} +Elim H. +\end{coq_example} + +We now use the conjuction introduction tactic \verb:Split:, which splits the +conjunctive goal into the two subgoals: +\begin{coq_example} +Split. +\end{coq_example} + +and the proof is now trivial. Indeed, the whole proof is obtainable as follows: +\begin{coq_example} +Restart. +Intro H; Elim H; Auto. +Save. +\end{coq_example} + +The tactic \verb:Auto: succeeded here because it knows as a hint the +conjunction introduction operator \verb+conj+ +\begin{coq_example} +Check conj. +\end{coq_example} + +Actually, the tactic \verb+Split+ is just an abbreviation for \verb+Apply conj.+ + +What we have just seen is that the \verb:Auto: tactic is more powerful than +just a simple application of local hypotheses; it tries to apply as well +lemmas which have been specified as hints. A +\verb:Hints Resolve: command registers a +lemma as a hint to be used from now on by the \verb:Auto: tactic, whose power +may thus be incrementally augmented. + +\subsection{Disjunction} + +In a similar fashion, let us consider disjunction: + +\begin{coq_example} +Lemma or_commutative : A \/ B -> B \/ A. +Intro H; Elim H. +\end{coq_example} + +Let us prove the first subgoal in detail. We use \verb:Intro: in order to +be left to prove \verb:B\/A: from \verb:A:: + +\begin{coq_example} +Intro HA. +\end{coq_example} + +Here the hypothesis \verb:H: is not needed anymore. We could choose to +actually erase it with the tactic \verb:Clear:; in this simple proof it +does not really matter, but in bigger proof developments it is useful to +clear away unnecessary hypotheses which may clutter your screen. +\begin{coq_example} +Clear H. +\end{coq_example} + +The disjunction connective has two introduction rules, since \verb:P\/Q: +may be obtained from \verb:P: or from \verb:Q:; the two corresponding +proof constructors are called respectively \verb:or_introl: and +\verb:or_intror:; they are applied to the current goal by tactics +\verb:Left: and \verb:Right: respectively. For instance: +\begin{coq_example} +Right. +Trivial. +\end{coq_example} +%CP Documenter Trivial ou mettre Assumption. + +As before, all these tedious elementary steps may be performed automatically, +as shown for the second symmetric case: + +\begin{coq_example} +Auto. +\end{coq_example} + +However, \verb:Auto: alone does not succeed in proving the full lemma, because +it does not try any elimination step. +It is a bit disappointing that \verb:Auto: is not able to prove automatically +such a simple tautology. The reason is that we want to keep +\verb:Auto: efficient, so that it is always effective to use. + +\subsection{Tauto} + +A complete tactic for propositional +tautologies is indeed available in \Coq~ as the \verb:Tauto: tactic. +%In order to get this facility, we have to import a library module +%called ``Dyckhoff'': +\begin{coq_example} +Restart. +Tauto. +Save. +\end{coq_example} + +It is possible to inspect the actual proof tree constructed by \verb:Tauto:, +using a standard command of the system, which prints the value of any notion +currently defined in the context: +\begin{coq_example} +Print or_commutative. +\end{coq_example} + +It is not easy to understand the notation for proof terms without a few +explanations. The square brackets, such as \verb+[HH1:A\/B]+, correspond +to \verb:Intro HH1:, whereas a subterm such as +\verb:(or_intror: \linebreak \verb:B A HH6): +corresponds to the sequence \verb:Apply or_intror; Exact HH6:. The extra +arguments \verb:B: and \verb:A: correspond to instanciations to the generic +combinator \verb:or_intror:, which are effected automatically by the tactic +\verb:Apply: when pattern-matching a goal. The specialist will of course +recognize our proof term as a $\lambda$-term, used as notation for the +natural deduction proof term through the Curry-Howard isomorphism. The +naive user of \Coq~ may safely ignore these formal details. + +Let us exercise the \verb:Tauto: tactic on a more complex example: +\begin{coq_example} +Lemma distr_and : A->(B/\C) -> (A->B /\ A->C). +Tauto. +Save. +\end{coq_example} + +\subsection{Classical reasoning} + +\verb:Tauto: always comes back with an answer. Here is an example where it +fails: +\begin{coq_example} +Lemma Peirce : ((A->B)->A)->A. +Try Tauto. +\end{coq_example} + +Note the use of the \verb:Try: tactical, which does nothing if its tactic +argument fails. + +This may come as a surprise to someone familiar with classical reasoning. +Peirce's lemma is true in Boolean logic, i.e. it evaluates to \verb:true: for +every truth-assignment to \verb:A: and \verb:B:. Indeed the double negation +of Peirce's law may be proved in \Coq~ using \verb:Tauto:: +\begin{coq_example} +Abort. +Lemma NNPeirce : ~~(((A->B)->A)->A). +Tauto. +Save. +\end{coq_example} + +In classical logic, the double negation of a proposition is equivalent to this +proposition, but in the constructive logic of \Coq~ this is not so. If you +want to use classical logic in \Coq, you have to import explicitly the +\verb:Classical: module, which will declare the axiom \verb:classic: +of excluded middle, and classical tautologies such as de Morgan's laws. +The \verb:Require: command is used to import a module from \Coq's library: +\begin{coq_example} +Require Classical. +Check NNPP. +\end{coq_example} + +and it is now easy (although admittedly not the most direct way) to prove +a classical law such as Peirce's: +\begin{coq_example} +Lemma Peirce : ((A->B)->A)->A. +Apply NNPP; Tauto. +Save. +\end{coq_example} + +Here is one more example of propositional reasoning, in the shape of +a scottish puzzle. A private club has the following rules: +\begin{enumerate} +\item Every non-scottish member wears red socks +\item Every member wears a kilt or doesn't wear red socks +\item The married members don't go out on sunday +\item A member goes out on sunday if and only if he is scottish +\item Every member who wears a kilt is scottish and married +\item Every scottish member wears a kilt +\end{enumerate} +Now, we show that these rules are so strict that no one can be accepted. +\begin{coq_example} +Section club. +Variable Scottish, RedSocks, WearKilt, Married, GoOutSunday : Prop. +Hypothesis rule1 : ~Scottish -> RedSocks. +Hypothesis rule2 : WearKilt \/ ~RedSocks. +Hypothesis rule3 : Married -> ~GoOutSunday. +Hypothesis rule4 : GoOutSunday <-> Scottish. +Hypothesis rule5 : WearKilt -> (Scottish /\ Married). +Hypothesis rule6 : Scottish -> WearKilt. +Lemma NoMember : False. +Tauto. +Save. +End club. +\end{coq_example} + +\section{Predicate Calculus} + +Let us now move into predicate logic, and first of all into first-order +predicate calculus. The essence of predicate calculus is that to try to prove +theorems in the most abstract possible way, without using the definitions of +the mathematical notions, but by formal manipulations of uninterpreted +function and predicate symbols. + +\subsection{Sections and signatures} + +Usually one works in some domain of discourse, over which range the individual +variables and function symbols. In \Coq~ we speak in a language with a rich +variety of types, so me may mix several domains of discourse, in our +multi-sorted language. For the moment, we just do a few exercises, over a +domain of discourse \verb:D: axiomatised as a \verb:Set:, and we consider two +predicate symbols \verb:P: and \verb:R: over \verb:D:, of arities +respectively 1 and 2. Such abstract entities may be entered in the context +as global variables. But we must be careful about the pollution of our +global environment by such declarations. For instance, we have already +polluted our \Coq~ session by declaring the variables +\verb:n:, \verb:Pos_n:, \verb:A:, \verb:B:, and \verb:C:. If we want to revert to the clean state of +our initial session, we may use the \Coq~ \verb:Reset: command, which returns +to the state just prior the given global notion. +\begin{coq_example} +Reset n. +\end{coq_example} +%CP-Parler de Reset Initial. + +We shall now declare a new \verb:Section:, which will allow us to define +notions local to a well-delimited scope. We start by assuming a domain of +discourse \verb:D:, and a binary relation \verb:R: over \verb:D:: +\begin{coq_example} +Section Predicate_calculus. +Variable D:Set. +Variable R: D -> D -> Prop. +\end{coq_example} + +As a simple example of predicate calculus reasoning, let us assume +that relation \verb:R: is symmetric and transitive, and let us show that +\verb:R: is reflexive in any point \verb:x: which has an \verb:R: successor. +Since we do not want to make the assumptions about \verb:R: global axioms of +a theory, but rather local hypotheses to a theorem, we open a specific +section to this effect. +\begin{coq_example} +Section R_sym_trans. +Hypothesis R_symmetric : (x,y:D) (R x y) -> (R y x). +Hypothesis R_transitive : (x,y,z:D) (R x y) -> (R y z) -> (R x z). +\end{coq_example} + +Remark the syntax \verb+(x:D)+ which stands for universal quantification +$\forall x : D$. + +\subsection{Existential quantification} + +We now state our lemma, and enter proof mode. +\begin{coq_example} +Lemma refl_if : (x:D)(EX y | (R x y)) -> (R x x). +\end{coq_example} + +Remark that the hypotheses which are local to the currently opened sections +are listed as local hypotheses to the current goals. +The rationale is that these hypotheses are going to be discharged, as we +shall see, when we shall close the corresponding sections. + +Note the functional syntax for existential quantification. The existential +quantifier is built from the operator \verb:ex:, which expects a +predicate as argument: +\begin{coq_example} +Check ex. +\end{coq_example} +and the notation \verb+(EX x | (P x))+ is just concrete syntax for +\verb+(ex D [x:D](P x))+. +Existential quantification is handled in \Coq~ in a similar +fashion to the connectives \verb:/\: and \verb:\/: : it is introduced by +the proof combinator \verb:ex_intro:, which is invoked by the specific +tactic \verb:Exists:, and its elimination provides a witness \verb+a:D+ to +\verb:P:, together with an assumption \verb+h:(P a)+ that indeed \verb+a+ +verifies \verb:P:. Let us see how this works on this simple example. +\begin{coq_example} +Intros x x_Rlinked. +\end{coq_example} + +Remark that \verb:Intro: treats universal quantification in the same way +as the premisses of implications. Renaming of bound variables occurs +when it is needed; for instance, had we started with \verb:Intro y:, +we would have obtained the goal: +\begin{coq_eval} +Undo. +\end{coq_eval} +\begin{coq_example} +Intro y. +\end{coq_example} +\begin{coq_eval} +Undo. +Intros x x_Rlinked. +\end{coq_eval} + +Let us now use the existential hypothesis \verb:x_Rlinked: to +exhibit an R-successor y of x. This is done in two steps, first with +\verb:Elim:, then with \verb:Intros: + +\begin{coq_example} +Elim x_Rlinked. +Intros y Rxy. +\end{coq_example} + +Now we want to use \verb:R_transitive:. The \verb:Apply: tactic will know +how to match \verb:x: with \verb:x:, and \verb:z: with \verb:x:, but needs +help on how to instanciate \verb:y:, which appear in the hypotheses of +\verb:R_transitive:, but not in its conclusion. We give the proper hint +to \verb:Apply: in a \verb:with: clause, as follows: +\begin{coq_example} +Apply R_transitive with y. +\end{coq_example} + +The rest of the proof is routine: +\begin{coq_example} +Assumption. +Apply R_symmetric; Assumption. +\end{coq_example} +\begin{coq_example*} +Save. +\end{coq_example*} + +Let us now close the current section. +\begin{coq_example} +End R_sym_trans. +\end{coq_example} + +Here \Coq's printout is a warning that all local hypotheses have been +discharged in the statement of \verb:refl_if:, which now becomes a general +theorem in the first-order language declared in section +\verb:Predicate_calculus:. In this particular example, the use of section +\verb:R_sym_trans: has not been really significant, since we could have +instead stated theorem \verb:refl_if: in its general form, and done +basically the same proof, obtaining \verb:R_symmetric: and +\verb:R_transitive: as local hypotheses by initial \verb:Intros: rather +than as global hypotheses in the context. But if we had pursued the +theory by proving more theorems about relation \verb:R:, +we would have obtained all general statements at the closing of the section, +with minimal dependencies on the hypotheses of symmetry and transitivity. + +\subsection{Paradoxes of classical predicate calculus} + +Let us illustrate this feature by pursuing our \verb:Predicate_calculus: +section with an enrichment of our language: we declare a unary predicate +\verb:P: and a constant \verb:d:: +\begin{coq_example} +Variable P:D->Prop. +Variable d:D. +\end{coq_example} + +We shall now prove a well-known fact from first-order logic: a universal +predicate is non-empty, or in other terms existential quantification +follows from universal quantification. +\begin{coq_example} +Lemma weird : ((x:D)(P x)) -> (EX a | (P a)). +Intro UnivP. +\end{coq_example} + +First of all, notice the pair of parentheses around \verb+(x:D)(P x)+ in +the statement of lemma \verb:weird:. +If we had ommitted them, \Coq's parser would have interpreted the +statement as a truly trivial fact, since we would +postulate an \verb:x: verifying \verb:(P x):. Here the situation is indeed +more problematic. If we have some element in \verb:Set: \verb:D:, we may +apply \verb:UnivP: to it and conclude, otherwise we are stuck. Indeed +such an element \verb:d: exists, but this is just by virtue of our +new signature. This points out a subtle difference between standard +predicate calculus and \Coq. In standard first-order logic, +the equivalent of lemma \verb:weird: always holds, +because such a rule is wired in the inference rules for quantifiers, the +semantic justification being that the interpretation domain is assumed to +be non-empty. Whereas in \Coq, where types are not assumed to be +systematically inhabited, lemma \verb:weird: only holds in signatures +which allow the explicit construction of an element in the domain of +the predicate. + +Let us conclude the proof, in order to show the use of the \verb:Exists: +tactic: +\begin{coq_example} +Exists d; Trivial. +Save. +\end{coq_example} + +Another fact which illustrates the sometimes disconcerting rules of +classical +predicate calculus is Smullyan's drinkers' paradox: ``In any non-empty +bar, there is a person such that if she drinks, then everyone drinks''. +We modelize the bar by Set \verb:D:, drinking by predicate \verb:P:. +We shall need classical reasoning. Instead of loading the \verb:Classical: +module as we did above, we just state the law of excluded middle as a +local hypothesis schema at this point: +\begin{coq_example} +Hypothesis EM : (A:Prop) A \/ ~A. +Lemma drinker : (EX x | (P x) -> (x:D)(P x)). +\end{coq_example} +The proof goes by cases on whether or not +there is someone who does not drink. Such reasoning by cases proceeds +by invoking the excluded middle principle, via \verb:Elim: of the +proper instance of \verb:EM:: +\begin{coq_example} +Elim (EM (EX x | ~(P x))). +\end{coq_example} + +We first look at the first case. Let Tom be the non-drinker: +\begin{coq_example} +Intro Non_drinker; Elim Non_drinker; Intros Tom Tom_does_not_drink. +\end{coq_example} + +We conclude in that case by considering Tom, since his drinking leads to +a contradiction: +\begin{coq_example} +Exists Tom; Intro Tom_drinks. +\end{coq_example} + +There are several ways in which we may eliminate a contradictory case; +a simple one is to use the \verb:Absurd: tactic as follows: +\begin{coq_example} +Absurd (P Tom); Trivial. +\end{coq_example} + +We now proceed with the second case, in which actually any person will do; +such a John Doe is given by the non-emptyness witness \verb:d:: +\begin{coq_example} +Intro No_nondrinker; Exists d; Intro d_drinks. +\end{coq_example} + +Now we consider any Dick in the bar, and reason by cases according to its +drinking or not: +\begin{coq_example} +Intro Dick; Elim (EM (P Dick)); Trivial. +\end{coq_example} + +The only non-trivial case is again treated by contradiction: +\begin{coq_example} +Intro Dick_does_not_drink; Absurd (EX x | ~(P x)); Trivial. +Exists Dick; Trivial. +Save. +\end{coq_example} + +Now, let us close the main section: +\begin{coq_example} +End Predicate_calculus. +\end{coq_example} + +Remark how the three theorems are completely generic is the most general +fashion; +the domain \verb:D: is discharged in all of them, \verb:R: is discharged in +\verb:refl_if: only, \verb:P: is discharged only in \verb:weird: and +\verb:drinker:, along with the hypothesis that \verb:D: is inhabited. +Finally, the excluded middle hypothesis is discharged only in +\verb:drinker:. + +Note that the name \verb:d: has vanished as well from +the statements of \verb:weird: and \verb:drinker:, +since \Coq's prettyprinter replaces +systematically a quantification such as \verb+(d:D)E+, where \verb:d: +does not occur in \verb:E:, by the functional notation \verb:D->E:. +Similarly the name \verb:EM: does not appear in \verb:drinker:. + +Actually, universal quantification, implication, +as well as function formation, are +all special cases of one general construct of type theory called +{\sl dependent product}. This is the mathematical construction +corresponding to an indexed family of functions. A function +$f\in \Pi x:D\cdot Cx$ maps an element $x$ of its domain $D$ to its +(indexed) codomain $Cx$. Thus a proof of $\forall x:D\cdot Px$ is +a function mapping an element $x$ of $D$ to a proof of proposition $Px$. + + +\subsection{Flexible use of local assumptions} + +Very often during the course of a proof we want to retrieve a local +assumption and reintroduce it explicitly in the goal, for instance +in order to get a more general induction hypothesis. The tactic +\verb:Generalize: is what is needed here: + +\begin{coq_example} +Variable P,Q:nat->Prop. Variable R: nat->nat->Prop. +Lemma PQR : (x,y:nat)((R x x)->(P x)->(Q x))->(P x)->(R x y)->(Q x). +Intros. +Generalize H0. +\end{coq_example} + +Sometimes it may be convenient to use a lemma, although we do not have +a direct way to appeal to such an already proven fact. The tactic \verb:Cut: +permits to use the lemma at this point, keeping the corresponding proof +obligation as a new subgoal: +\begin{coq_example} +Cut (R x x); Trivial. +\end{coq_example} +%CP pourquoi ne pas montrer les deux sous-buts engendres par Cut. + +\subsection{Equality} + +The basic equality provided in \Coq~ is Leibniz equality, noted infix like +\verb+x=y+, when \verb:x: and \verb:y: are two expressions of +type the same Set. The replacement of \verb:x: by \verb:y: in any +term is effected by a variety of tactics, such as \verb:Rewrite: +and \verb:Replace:. + +Let us give a few examples of equality replacement. Let us assume that +some arithmetic function \verb:f: is null in zero: +\begin{coq_example} +Variable f:nat->nat. +Hypothesis foo : (f O)=O. +\end{coq_example} + +We want to prove the following conditional equality: +\begin{coq_example*} +Lemma L1 : (k:nat)k=O->(f k)=k. +\end{coq_example*} + +As usual, we first get rid of local assumptions with \verb:Intro:: +\begin{coq_example} +Intros k E. +\end{coq_example} + +Let us now use equation \verb:E: as a left-to-right rewriting: +\begin{coq_example} +Rewrite E. +\end{coq_example} +This replaced both occurrences of \verb:k: by \verb:O:. + +\medskip +{\bf Warning} to users of \Coq~ old versions: In \Coq V5.8 only the second +occurrence of \verb:k: would have been replaced, and we would have had +to use \verb:Rewrite: twice in order to get the same effect. +\medskip + +%Actually, it is possible to rewrite both occurrences of \verb:k: at the +%same time, provided one abstracts \verb:k: in the goal with tactic +%\verb:Pattern:. Let us go back two steps: +%\begin{coq_example} +%L1 < Undo 2. +%1 subgoal +% +% k : nat +% E : k=O +% ============================ +% (f k)=k +% +%L1 < Pattern k. +%1 subgoal +% +% k : nat +% E : k=O +% ============================ +% ([n:nat](f n)=n k) +%\end{coq_example} +%What just happened is that \verb:Pattern: replaced the goal +%\verb:(f k)=k: by the equivalent one: +%\verb+([n:nat](f n)=n k)+, which has the form \verb+(P k)+, with +%\verb+P+ the predicate which maps \verb+n+ to proposition +%\verb+(f n)=n+. The two goals are equivalent in the sense that +%\verb+([n:nat](f n)=n k)+ {\sl reduces} to \verb:(f k)=k: +%by the following computation rule: +%$$ ([x:A]M~N) \leftarrow M\{x/N\} \eqno \beta$$ +%We may now proceed with our rewriting: +%\begin{coq_example} +%L1 < Rewrite E. +%1 subgoal +% +% k : nat +% E : k=O +% ============================ +% (f O)=O + +Now \verb:Apply foo: will finish the proof: + +\begin{coq_example} +Apply foo. +Save. +\end{coq_example} + +When one wants to rewrite an equality in a right to left fashion, we should +use \verb:Rewrite <- E: rather than \verb:Rewrite E: or the equivalent +\verb:Rewrite -> E:. +Let us now illustrate the tactic \verb:Replace:. +\begin{coq_example} +Lemma L2 : (f (f O))=O. +Replace (f O) with O. +\end{coq_example} +What happened here is that the replacement left the first subgoal to be +proved, but another proof obligation was generated by the \verb:Replace: +tactic, as the second subgoal. The first subgoal is solved immediately +by appying lemma \verb:foo:; the second one too, provided we apply first +symmetry of equality, for instance with tactic \verb:Symmetry:: +\begin{coq_example} +Apply foo. +Symmetry; Apply foo. +Save. +\end{coq_example} + +\subsection{Predicate calculus over Type} + +We just explained the basis of first-order reasoning in the universe +of mathematical Sets. Similar reasoning is available at the level of +abstract Types. In order to develop such abtract reasoning, one must +load the library \verb:Logic_Type:. + +\begin{coq_example} +Require Logic_Type. +\end{coq_example} + +New proof combinators are now available, such as the existential +quantification \verb:exT: over a Type, available with syntax +\verb:(EXT x | (P x)):. The corresponding introduction +combinator may be invoked by the tactic \verb:Exists: as above. +\begin{coq_example} +Check exT_intro. +\end{coq_example} + +Similarly, equality over Type is available, with notation +\verb:M==N:. The equality tactics process \verb:==: in the same way +as \verb:=:. + +\section{Using definitions} + +The development of mathematics does not simply proceed by logical +argumentation from first principles: definitions are used in an essential way. +A formal development proceeds by a dual process of abstraction, where one +proves abstract statements in predicate calculus, and use of definitions, +which in the contrary one instanciates general statements with particular +notions in order to use the structure of mathematical values for the proof of +more specialised properties. + +\subsection{Unfolding definitions} + +Assume that we want to develop the theory of sets represented as characteristic +predicates over some universe \verb:U:. For instance: +%CP Une petite explication pour le codage de element ? +\begin{coq_example} +Variable U:Type. +Definition set := U->Prop. +Definition element := [x:U][S:set](S x). +Definition subset := [A,B:set](x:U)(element x A)->(element x B). +\end{coq_example} + +Now, assume that we have loaded a module of general properties about +relations over some abstract type \verb:T:, such as transitivity: + +\begin{coq_example} +Definition transitive := [T:Type][R:T->T->Prop] + (x,y,z:T)(R x y)->(R y z)->(R x z). +\end{coq_example} + +Now, assume that we want to prove that \verb:subset: is a \verb:transitive: +relation. +\begin{coq_example} +Lemma subset_transitive : (transitive set subset). +\end{coq_example} + +In order to make any progress, one needs to use the definition of +\verb:transitive:. The \verb:Unfold: tactic, which replaces all occurrences of a +defined notion by its definition in the current goal, may be used here. +\begin{coq_example} +Unfold transitive. +\end{coq_example} + +Now, we must unfold \verb:subset:: +\begin{coq_example} +Unfold subset. +\end{coq_example} +Now, unfolding \verb:element: would be a mistake, because indeed a simple proof +can be found by \verb:Auto:, keeping \verb:element: an abstract predicate: +\begin{coq_example} +Auto. +\end{coq_example} + +Many variations on \verb:Unfold: are provided in \Coq. For instance, +we may selectively unfold one designated occurrence: +\begin{coq_example} +Undo 2. +Unfold 2 subset. +\end{coq_example} + +One may also unfold a definition in a given local hypothesis, using the +\verb:in: notation: +\begin{coq_example} +Intros. +Unfold subset in H. +\end{coq_example} + +Finally, the tactic \verb:Red: does only unfolding of the head occurrence +of the current goal: +\begin{coq_example} +Red. +Auto. Save. +\end{coq_example} + + +\subsection{Principle of proof irrelevance} + +Even though in principle the proof term associated with a verified lemma +corresponds to a defined value of the corresponding specification, such +definitions cannot be unfolded in \Coq: a lemma is considered an {\sl opaque} +definition. This conforms to the mathematical tradition of {\sl proof +irrelevance}: the proof of a logical proposition does not matter, and the +mathematical justification of a logical development relies only on +{\sl provability} of the lemmas used in the formal proof. + +Conversely, ordinary mathematical definitions can be unfolded at will, they +are {\sl transparent}. It is possible to enforce the reverse convention by +declaring a definition as {\sl opaque} or a lemma as {\sl transparent}. + +\chapter{Induction} + +\section{Data Types as Inductively Defined Mathematical Collections} + +All the notions which were studied until now pertain to traditional +mathematical logic. Specifications of objects were abstract properties +used in reasoning more or less constructively; we are now entering +the realm of inductive types, which specify the existence of concrete +mathematical constructions. + +\subsection{Booleans} + +Let us start with the collection of booleans, as they are specified +in the \Coq's \verb:Prelude: module: +\begin{coq_example} +Inductive bool : Set := true : bool | false : bool. +\end{coq_example} + +Such a declaration defines several objects at once. First, a new +\verb:Set: is declared, with name \verb:bool:. Then the {\sl constructors} +of this \verb:Set: are declared, called \verb:true: and \verb:false:. +Those are analogous to introduction rules of the new Set \verb:bool:. +Finally, a specific elimination rule for \verb:bool: is now available, which +permits to reason by cases on \verb:bool: values. Three instances are +indeed defined as new combinators in the global context: \verb:bool_ind:, +a proof combinator corresponding to reasoning by cases, +\verb:bool_rec:, an if-then-else programming construct, +and \verb:bool_rect:, a similar combinator at the level of types. +Indeed: +\begin{coq_example} +Check bool_ind. +Check bool_rec. +Check bool_rect. +\end{coq_example} + +Let us for instance prove that every Boolean is true or false. +\begin{coq_example} +Lemma duality : (b:bool)(b=true \/ b=false). +Intro b. +\end{coq_example} + +We use the knowledge that \verb:b: is a \verb:bool: by calling tactic +\verb:Elim:, which is this case will appeal to combinator \verb:bool_ind: +in order to split the proof according to the two cases: +\begin{coq_example} +Elim b. +\end{coq_example} + +It is easy to conclude in each case: +\begin{coq_example} +Left; Trivial. +Right; Trivial. +\end{coq_example} + +Indeed, the whole proof can be done with the combination of the +\verb:Induction: tactic, which combines \verb:Intro: and \verb:Elim:, +with good old \verb:Auto:: +\begin{coq_example} +Restart. +Induction b; Auto. +Save. +\end{coq_example} + +\subsection{Natural numbers} + +Similarly to Booleans, natural numbers are defined in the \verb:Prelude: +module with constructors \verb:S: and \verb:O:: +\begin{coq_example} +Inductive nat : Set := O : nat | S : nat->nat. +\end{coq_example} + +The elimination principles which are automatically generated are Peano's +induction principle, and a recursion operator: +\begin{coq_example} +Check nat_ind. +Check nat_rec. +\end{coq_example} + +Let us start by showing how to program the standard primitive recursion +operator \verb:prim_rec: from the more general \verb:nat_rec:: +\begin{coq_example} +Definition prim_rec := (nat_rec [i:nat]nat). +\end{coq_example} + +That is, instead of computing for natural \verb:i: an element of the indexed +\verb:Set: \verb:(P i):, \verb:prim_rec: computes uniformly an element of +\verb:nat:. Let us check the type of \verb:prim_rec:: +\begin{coq_example} +Check prim_rec. +\end{coq_example} + +Oops! Instead of the expected type \verb+nat->(nat->nat->nat)->nat->nat+ we +get an apparently more complicated expression. Indeed the type of +\verb:prim_rec: is equivalent by rule $\beta$ to its expected type; this may +be checked in \Coq~ by command \verb:Eval Cbv Beta:, which $\beta$-reduces +an expression to its {\sl normal form}: +\begin{coq_example} +Eval Cbv Beta in + ([_:nat]nat O) + ->((y:nat)([_:nat]nat y)->([_:nat]nat (S y))) + ->(n:nat)([_:nat]nat n). +\end{coq_example} + +Let us now show how to program addition with primitive recursion: +\begin{coq_example} +Definition addition := [n,m:nat](prim_rec m [p:nat][rec:nat](S rec) n). +\end{coq_example} + +That is, we specify that \verb+(addition n m)+ computes by cases on \verb:n: +according to its main constructor; when \verb:n=O:, we get \verb:m:; + when \verb:n=(S p):, we get \verb:(S rec):, where \verb:rec: is the result +of the recursive computation \verb+(addition p m)+. Let us verify it by +asking \Coq~to compute for us say $2+3$: +\begin{coq_example} +Eval Compute in (addition (S (S O)) (S (S (S O)))). +\end{coq_example} + +Actually, we do not have to do all explicitly. {\Coq} provides a +special syntax {\tt Fixpoint/Cases} for generic primitive recursion, +and we could thus have defined directly addition as: + +\begin{coq_example} +Fixpoint plus [n:nat] : nat -> nat := + [m:nat]Cases n of + O => m + | (S p) => (S (plus p m)) + end. +\end{coq_example} + +For the rest of the session, we shall clean up what we did so far with +types \verb:bool: and \verb:nat:, in order to use the initial definitions +given in \Coq's \verb:Prelude: module, and not to get confusing error +messages due to our redefinitions. We thus revert to the state before +our definition of \verb:bool: with the \verb:Reset: command: +\begin{coq_example} +Reset bool. +\end{coq_example} + + +\subsection{Simple proofs by induction} +%CP Pourquoi ne pas commencer par des preuves d'egalite entre termes +% convertibles. + +Let us now show how to do proofs by structural induction. We start with easy +properties of the \verb:plus: function we just defined. Let us first +show that $n=n+0$. +\begin{coq_example} +Lemma plus_n_O : (n:nat)n=(plus n O). +Intro n; Elim n. +\end{coq_example} + +What happened was that \verb:Elim n:, in order to construct a \verb:Prop: +(the initial goal) from a \verb:nat: (i.e. \verb:n:), appealed to the +corresponding induction principle \verb:nat_ind: which we saw was indeed +excactly Peano's induction scheme. Pattern-matching instanciated the +corresponding predicate \verb:P: to \verb+[n:nat]n=(plus n O)+, and we get +as subgoals the corresponding instanciations of the base case \verb:(P O): , +and of the inductive step \verb+(y:nat)(P y)->(P (S y))+. +In each case we get an instance of function \verb:plus: in which its second +argument starts with a constructor, and is thus amenable to simplification +by primitive recursion. The \Coq~tactic \verb:Simpl: can be used for +this purpose: +\begin{coq_example} +Simpl. +Auto. +\end{coq_example} + +We proceed in the same way for the base step: +\begin{coq_example} +Simpl; Auto. +Save. +\end{coq_example} + +Here \verb:Auto: succeded, because it used as a hint lemma \verb:eq_S:, +which say that successor preserves equality: +\begin{coq_example} +Check eq_S. +\end{coq_example} + +Actually, let us see how to declare our lemma \verb:plus_n_O: as a hint +to be used by \verb:Auto:: +\begin{coq_example} +Hints Resolve plus_n_O. +\end{coq_example} + +We now proceed to the similar property concerning the other constructor +\verb:S:: +\begin{coq_example} +Lemma plus_n_S : (n,m:nat)(S (plus n m))=(plus n (S m)). +\end{coq_example} + +We now go faster, remembering that tactic \verb:Induction: does the +necessary \verb:Intros: before applying \verb:Elim:. Factoring simplification +and automation in both cases thanks to tactic composition, we prove this +lemma in one line: +\begin{coq_example} +Induction n; Simpl; Auto. +Save. +Hints Resolve plus_n_S. +\end{coq_example} + +Let us end this exercise with the commutativity of \verb:plus:: + +\begin{coq_example} +Lemma plus_com : (n,m:nat)(plus n m)=(plus m n). +\end{coq_example} + +Here we have a choice on doing an induction on \verb:n: or on \verb:m:, the +situation being symmetric. For instance: +\begin{coq_example} +Induction m; Simpl; Auto. +\end{coq_example} + +Here \verb:Auto: succeded on the base case, thanks to our hint \verb:plus_n_O:, +but the induction step requires rewriting, which \verb:Auto: does not handle: + +\begin{coq_example} +Intros m' E; Rewrite <- E; Auto. +Save. +\end{coq_example} + +%CP - non ce n'est pas un bon exemple de Immediate. +%A symmetric lemma such \verb:plus_com: should not be declared as a hint, +%because \verb:Auto: would lose time by applying it repeatedly without progress. +%A variant of command \verb:Hint:, called \verb:Immediate:, allows a restricted +%use of such lemmas: +%\begin{coq_example} +%Immediate plus_com. +%\end{coq_example} + +\subsection{Discriminate} + +It is also possible to define new propositions by primitive recursion. +Let us for instance define the predicate which discriminates between +the constructors \verb:O: and \verb:S:: it computes to \verb:False: +when its argument is \verb:O:, and to \verb:True: when its argument is +of the form \verb:(S n):: +\begin{coq_example} +Definition Is_S + := [n:nat]Cases n of O => False | (S p) => True end. +\end{coq_example} + +Now we may use the computational power of \verb:Is_S: in order to prove +trivially that \verb:(Is_S (S n)):: +\begin{coq_example} +Lemma S_Is_S : (n:nat)(Is_S (S n)). +Simpl; Trivial. +Save. +\end{coq_example} + +But we may also use it to transform a \verb:False: goal into +\verb:(Is_S O):. Let us show a particularly important use of this feature; +we want to prove that \verb:O: and \verb:S: construct different values, one +of Peano's axioms: +\begin{coq_example} +Lemma no_confusion : (n:nat)~(O=(S n)). +\end{coq_example} + +First of all, we replace negation by its definition, by reducing the +goal with tactic \verb:Red:; then we get contradiction by successive +\verb:Intros:: +\begin{coq_example} +Red; Intros n H. +\end{coq_example} + +Now we use our trick: +\begin{coq_example} +Change (Is_S O). +\end{coq_example} + +Now we use equality in order to get a subgoal which computes out to +\verb:True:, which finishes the proof: +\begin{coq_example} +Rewrite H; Trivial. +Simpl; Trivial. +\end{coq_example} + +Actually, a specific tactic \verb:Discriminate: is provided +to produce mechanically such proofs, without the need for the user to define +explicitly the relevant discrimination predicates: + +\begin{coq_example} +Restart. +Intro n; Discriminate. +Save. +\end{coq_example} + + +\section{Logic programming} + +In the same way as we defined standard data-types above, we +may define inductive families, and for instance inductive predicates. +Here is the definition of predicate $\le$ over type \verb:nat:, as +given in \Coq's \verb:Prelude: module: +\begin{coq_example*} +Inductive le [n:nat] : nat -> Prop + := le_n : (le n n) + | le_S : (m:nat)(le n m)->(le n (S m)). +\end{coq_example*} + +This definition introduces a new predicate \verb+le:nat->nat->Prop+, +and the two constructors \verb:le_n: and \verb:le_S:, which are the +defining clauses of \verb:le:. That is, we get not only the ``axioms'' +\verb:le_n: and \verb:le_S:, but also the converse property, that +\verb:(le n m): if and only if this statement can be obtained as a +consequence of these defining clauses; that is, \verb:le: is the +minimal predicate verifying clauses \verb:le_n: and \verb:le_S:. This is +insured, as in the case of inductive data types, by an elimination principle, +which here amounts to an induction principle \verb:le_ind:, stating this +minimality property: +\begin{coq_example} +Check le. +Check le_ind. +\end{coq_example} + +Let us show how proofs may be conducted with this principle. +First we show that $n\le m \Rightarrow n+1\le m+1$: +\begin{coq_example} +Lemma le_n_S : (n,m:nat)(le n m)->(le (S n) (S m)). +Intros n m n_le_m. +Elim n_le_m. +\end{coq_example} + +What happens here is similar to the behaviour of \verb:Elim: on natural +numbers: it appeals to the relevant induction principle, here \verb:le_ind:, +which generates the two subgoals, which may then be solved easily +%as if ``backchaining'' the current goal +with the help of the defining clauses of \verb:le:. +\begin{coq_example} +Apply le_n; Trivial. +Intros; Apply le_S; Trivial. +\end{coq_example} + +Now we know that it is a good idea to give the defining clauses as hints, +so that the proof may proceed with a simple combination of +\verb:Induction: and \verb:Auto:. +\begin{coq_example} +Restart. +Hints Resolve le_n le_S. +\end{coq_example} + +We have a slight problem however. We want to say ``Do an induction on +hypothesis \verb:(le n m):'', but we have no explicit name for it. What we +do in this case is to say ``Do an induction on the first unnamed hypothesis'', +as follows. +\begin{coq_example} +Induction 1; Auto. +Save. +\end{coq_example} + +Here is a more tricky problem. Assume we want to show that +$n\le 0 \Rightarrow n=0$. This reasoning ought to follow simply from the +fact that only the first defining clause of \verb:le: applies. +\begin{coq_example} +Lemma tricky : (n:nat)(le n O)->n=O. +\end{coq_example} + +However, here trying something like \verb:Induction 1: would lead +nowhere (try it and see what happens). +An induction on \verb:n: would not be convenient either. +What we must do here is analyse the definition of \verb"le" in order +to match hypothesis \verb:(le n O): with the defining clauses, to find +that only \verb:le_n: applies, whence the result. +This analysis may be performed by the ``inversion'' tactic +\verb:Inversion_clear: as follows: +\begin{coq_example} +Intros n H; Inversion_clear H. +Trivial. +Save. +\end{coq_example} + +\chapter{Modules} + +\section{Opening library modules} + +When you start \Coq~ without further requirements in the command line, +you get a bare system with few libraries loaded. As we saw, a standard +prelude module provides the standard logic connectives, and a few +arithmetic notions. If you want to load and open other modules from +the library, you have to use the \verb"Require" command, as we saw for +classical logic above. For instance, if you want more arithmetic +constructions, you should request: +\begin{coq_example*} +Require Arith. +\end{coq_example*} + +Such a command looks for a (compiled) module file \verb:Arith.vo: +on the current \verb:LoadPath:. This loadpath may be changed +with the commands \verb:AddPath: and \verb:DelPath:. + +The loading of such a compiled file is quick, because the corresponding +development is not typechecked again. This is a great saving compared +to previous versions of our proof assistant. + +If you want to recursively import modules which are required for module +M, you should use \verb:Require Export M:. + +{\bf Warning} \Coq~ does not yet provides parametric modules. + +\section{Creating your own modules} + +You may create your own modules, by writing \Coq~ commands in a file, +say \verb:my_module.v:. Such a module may be simply loaded in the current +context, with command \verb:Load my_module:. It may also be compiled, +using the command \verb:Compile Module my_module: directly at the +\Coq~ toplevel, or else in ``batch'' mode, using the UNIX command +\verb:coqc:. Compiling the module \verb:my_module.v: creates a +file \verb:my_module.vo: that can be reloaded with command +\verb:Require my_module:. + +%CP- Non compatible avec la version distribuee. +%Compiling a module creates actually 2 files in the current version: +%\verb:my_module.vi: and \verb:my_module.vo:. This last file is +%bigger, because it stores the value of opaque constants, such as the +%proofs of lemmas. If you want to be able to turn such constants as +%transparent constants (whose definition may be unfolded), you must +%use the command \verb:Require Implementation my_module:. + +\section{Managing the context} + +It is often difficult to remember the names of all lemmas and +definitions available in the current context, especially if large +libraries have been loaded. A convenient \verb:Search: command +is available to lookup all known facts +concerning a given predicate. For instance, if you want to know all the +known lemmas about the less or equal relation, juste ask: +\begin{coq_example} +Search le. +\end{coq_example} + +A new and more convenient search tool is \textsf{SearchIsos}. The +argument to give is a type and it searches in the current context all +constants having the same type modulo certain notion of +\textit{isomorphism}. For example~: + +\begin{coq_example} +Require Arith. +SearchIsos nat -> nat -> Prop. +SearchIsos (x,y,z:nat)(le x y) -> (le y z) -> (le x z). +\end{coq_example} + +\section{Now you are on your own} + +This tutorial is necessarily incomplete. If you wish to pursue serious +proving in \Coq, you should now get your hands on \Coq's Reference Manual, +which contains a complete description of all the tactics we saw, +plus many more. +You also should look in the library of developed theories which is distributed +with \Coq, in order to acquaint yourself with various proof techniques. + + +\end{document} + +% $Id$ diff --git a/doc/biblio.bib b/doc/biblio.bib new file mode 100755 index 000000000..2e97d1e07 --- /dev/null +++ b/doc/biblio.bib @@ -0,0 +1,895 @@ + +@STRING{toappear="To appear"} +@STRING{lncs="Lecture Notes in Computer Science"} + +@INPROCEEDINGS{Aud91, + AUTHOR = {Ph. Audebaud}, + BOOKTITLE = {Proceedings of the sixth Conf. on Logic in Computer Science.}, + PUBLISHER = {IEEE}, + TITLE = {Partial {Objects} in the {Calculus of Constructions}}, + YEAR = {1991} +} + +@PHDTHESIS{Aud92, + AUTHOR = {Ph. Audebaud}, + SCHOOL = {{Universit\'e} Bordeaux I}, + TITLE = {Extension du Calcul des Constructions par Points fixes}, + YEAR = {1992} +} + +@INPROCEEDINGS{Audebaud92b, + AUTHOR = {Ph. Audebaud}, + BOOKTITLE = {{Proceedings of the 1992 Workshop on Types for Proofs and Programs}}, + EDITOR = {{B. Nordstr\"om and K. Petersson and G. Plotkin}}, + NOTE = {Also Research Report LIP-ENS-Lyon}, + PAGES = {pp 21--34}, + TITLE = {{CC+ : an extension of the Calculus of Constructions with fixpoints}}, + YEAR = {1992} +} + +@INPROCEEDINGS{Augustsson85, + AUTHOR = {L. Augustsson}, + TITLE = {{Compiling Pattern Matching}}, + BOOKTITLE = {Conference Functional Programming and +Computer Architecture}, + YEAR = {1985} +} + +@ARTICLE{BaCo85, + AUTHOR = {J.L. Bates and R.L. Constable}, + JOURNAL = {ACM transactions on Programming Languages and Systems}, + TITLE = {Proofs as {Programs}}, + VOLUME = {7}, + YEAR = {1985} +} + +@BOOK{Bar81, + AUTHOR = {H.P. Barendregt}, + PUBLISHER = {North-Holland}, + TITLE = {The Lambda Calculus its Syntax and Semantics}, + YEAR = {1981} +} + +@TECHREPORT{Bar91, + AUTHOR = {H. Barendregt}, + INSTITUTION = {Catholic University Nijmegen}, + NOTE = {In Handbook of Logic in Computer Science, Vol II}, + NUMBER = {91-19}, + TITLE = {Lambda {Calculi with Types}}, + YEAR = {1991} +} + +@BOOK{Bastad92, + EDITOR = {B. Nordstr\"om and K. Petersson and G. Plotkin}, + PUBLISHER = {Available by ftp at site ftp.inria.fr}, + TITLE = {Proceedings of the 1992 Workshop on Types for Proofs and Programs}, + YEAR = {1992} +} + +@ARTICLE{BeKe92, + AUTHOR = {G. Bellin and J. Ketonen}, + JOURNAL = {Theoretical Computer Science}, + PAGES = {115--142}, + TITLE = {A decision procedure revisited : Notes on direct logic, linear logic and its implementation}, + VOLUME = {95}, + YEAR = {1992} +} + +@BOOK{Bee85, + AUTHOR = {M.J. Beeson}, + PUBLISHER = {Springer-Verlag}, + TITLE = {Foundations of Constructive Mathematics, Metamathematical Studies}, + YEAR = {1985} +} + +@BOOK{Bis67, + AUTHOR = {E. Bishop}, + PUBLISHER = {McGraw-Hill}, + TITLE = {Foundations of Constructive Analysis}, + YEAR = {1967} +} + +@BOOK{BoMo79, + AUTHOR = {R.S. Boyer and J.S. Moore}, + KEY = {BoMo79}, + PUBLISHER = {Academic Press}, + SERIES = {ACM Monograph}, + TITLE = {A computational logic}, + YEAR = {1979} +} + +@MASTERSTHESIS{Bou92, + AUTHOR = {S. Boutin}, + MONTH = sep, + SCHOOL = {{Universit\'e Paris 7}}, + TITLE = {Certification d'un compilateur {ML en Coq}}, + YEAR = {1992} +} + +@inproceedings{Bou97, + title = {Using reflection to build efficient and certified decision procedure +s}, + author = {S. Boutin}, + booktitle = {TACS'97}, + editor = {Martin Abadi and Takahashi Ito}, + publisher = {LNCS, Springer-Verlag}, + volume=1281, + PS={http://pauillac.inria.fr/~boutin/public_w/submitTACS97.ps.gz}, + year = {1997} +} + +@PhdThesis{Bou97These, + author = {S. Boutin}, + title = {Réflexions sur les quotients}, + school = {Paris 7}, + year = 1997, + type = {thèse d'Université}, + month = apr +} + +@ARTICLE{Bru72, + AUTHOR = {N.J. de Bruijn}, + JOURNAL = {Indag. Math.}, + TITLE = {{Lambda-Calculus Notation with Nameless Dummies, a Tool for Automatic Formula Manipulation, with Application to the Church-Rosser Theorem}}, + VOLUME = {34}, + YEAR = {1972} +} + + +@INCOLLECTION{Bru80, + AUTHOR = {N.J. de Bruijn}, + BOOKTITLE = {to H.B. Curry : Essays on Combinatory Logic, Lambda Calculus and Formalism.}, + EDITOR = {J.P. Seldin and J.R. Hindley}, + PUBLISHER = {Academic Press}, + TITLE = {A survey of the project {Automath}}, + YEAR = {1980} +} + +@TECHREPORT{COQ93, + AUTHOR = {G. Dowek and A. Felty and H. Herbelin and G. Huet and C. Murthy and C. Parent and C. Paulin-Mohring and B. Werner}, + INSTITUTION = {INRIA}, + MONTH = may, + NUMBER = {154}, + TITLE = {{The Coq Proof Assistant User's Guide Version 5.8}}, + YEAR = {1993} +} + +@TECHREPORT{CPar93, + AUTHOR = {C. Parent}, + INSTITUTION = {Ecole {Normale} {Sup\'erieure} de {Lyon}}, + MONTH = oct, + NOTE = {Also in~\cite{Nijmegen93}}, + NUMBER = {93-29}, + TITLE = {Developing certified programs in the system {Coq}- {The} {Program} tactic}, + YEAR = {1993} +} + +@PHDTHESIS{CPar95, + AUTHOR = {C. Parent}, + SCHOOL = {Ecole {Normale} {Sup{\'e}rieure} de {Lyon}}, + TITLE = {{Synth\`ese de preuves de programmes dans le Calcul des Constructions Inductives}}, + YEAR = {1995} +} + +@BOOK{Caml, + AUTHOR = {P. Weis and X. Leroy}, + PUBLISHER = {InterEditions}, + TITLE = {Le langage Caml}, + YEAR = {1993} +} + +@TECHREPORT{CoC89, + AUTHOR = {Projet Formel}, + INSTITUTION = {INRIA}, + NUMBER = {110}, + TITLE = {{The Calculus of Constructions. Documentation and user's guide, Version 4.10}}, + YEAR = {1989} +} + +@INPROCEEDINGS{CoHu85a, + AUTHOR = {Th. Coquand and G. Huet}, + ADDRESS = {Linz}, + BOOKTITLE = {EUROCAL'85}, + PUBLISHER = {Springer-Verlag}, + SERIES = {LNCS}, + TITLE = {{Constructions : A Higher Order Proof System for Mechanizing Mathematics}}, + VOLUME = {203}, + YEAR = {1985} +} + +@INPROCEEDINGS{CoHu85b, + AUTHOR = {Th. Coquand and G. Huet}, + BOOKTITLE = {Logic Colloquium'85}, + EDITOR = {The Paris Logic Group}, + PUBLISHER = {North-Holland}, + TITLE = {{Concepts Math\'ematiques et Informatiques formalis\'es dans le Calcul des Constructions}}, + YEAR = {1987} +} + +@ARTICLE{CoHu86, + AUTHOR = {Th. Coquand and G. Huet}, + JOURNAL = {Information and Computation}, + NUMBER = {2/3}, + TITLE = {The {Calculus of Constructions}}, + VOLUME = {76}, + YEAR = {1988} +} + +@INPROCEEDINGS{CoPa89, + AUTHOR = {Th. Coquand and C. Paulin-Mohring}, + BOOKTITLE = {Proceedings of Colog'88}, + EDITOR = {P. Martin-L{\"o}f and G. Mints}, + PUBLISHER = {Springer-Verlag}, + SERIES = {LNCS}, + TITLE = {Inductively defined types}, + VOLUME = {417}, + YEAR = {1990} +} + +@BOOK{Con86, + AUTHOR = {R.L. {Constable et al.}}, + PUBLISHER = {Prentice-Hall}, + TITLE = {{Implementing Mathematics with the Nuprl Proof Development System}}, + YEAR = {1986} +} + +@PHDTHESIS{Coq85, + AUTHOR = {Th. Coquand}, + MONTH = jan, + SCHOOL = {Universit\'e Paris~7}, + TITLE = {Une Th\'eorie des Constructions}, + YEAR = {1985} +} + +@INPROCEEDINGS{Coq86, + AUTHOR = {Th. Coquand}, + ADDRESS = {Cambridge, MA}, + BOOKTITLE = {Symposium on Logic in Computer Science}, + PUBLISHER = {IEEE Computer Society Press}, + TITLE = {{An Analysis of Girard's Paradox}}, + YEAR = {1986} +} + +@INPROCEEDINGS{Coq90, + AUTHOR = {Th. Coquand}, + BOOKTITLE = {Logic and Computer Science}, + EDITOR = {P. Oddifredi}, + NOTE = {INRIA Research Report 1088, also in~\cite{CoC89}}, + PUBLISHER = {Academic Press}, + TITLE = {{Metamathematical Investigations of a Calculus of Constructions}}, + YEAR = {1990} +} + +@INPROCEEDINGS{Coq92, + AUTHOR = {Th. Coquand}, + BOOKTITLE = {in \cite{Bastad92}}, + TITLE = {{Pattern Matching with Dependent Types}}, + YEAR = {1992}, + crossref = {Bastad92} +} + +@INPROCEEDINGS{Coquand93, + AUTHOR = {Th. Coquand}, + BOOKTITLE = {in \cite{Nijmegen93}}, + TITLE = {{Infinite Objects in Type Theory}}, + YEAR = {1993}, + crossref = {Nijmegen93} +} + +@MASTERSTHESIS{Cou94a, + AUTHOR = {J. Courant}, + MONTH = sep, + SCHOOL = {DEA d'Informatique, ENS Lyon}, + TITLE = {Explicitation de preuves par r{\'e}currence implicite}, + YEAR = {1994} +} + +@MASTERSTHESIS{Del97, + AUTHOR = {D. Delahaye}, + MONTH = sep, + SCHOOL = {DEA S{\'e}mantique, Preuves et Programmation, Paris 6}, + TITLE = {Search2: un outil de recherche dans une biblioth\`eque de preuves Coq modulo isomorphismes}, + YEAR = {1997} +} + +@TECHREPORT{Dow90, + AUTHOR = {G. Dowek}, + INSTITUTION = {INRIA}, + NUMBER = {1283}, + TITLE = {{Naming and Scoping in a Mathematical Vernacular}}, + TYPE = {Research Report}, + YEAR = {1990} +} + +@ARTICLE{Dow91a, + AUTHOR = {G. Dowek}, + JOURNAL = {{Compte Rendu de l'Acad\'emie des Sciences}}, + NOTE = {(The undecidability of Third Order Pattern Matching in Calculi with Dependent Types or Type Constructors)}, + NUMBER = {12}, + PAGES = {951--956}, + TITLE = {{L'Ind\'ecidabilit\'e du Filtrage du Troisi\`eme Ordre dans les Calculs avec Types D\'ependants ou Constructeurs de Types}}, + VOLUME = {I, 312}, + YEAR = {1991} +} + +@INPROCEEDINGS{Dow91b, + AUTHOR = {G. Dowek}, + BOOKTITLE = {Proceedings of Mathematical Foundation of Computer Science}, + NOTE = {Also INRIA Research Report}, + PAGES = {151--160}, + PUBLISHER = {Springer-Verlag}, + SERIES = {LNCS}, + TITLE = {{A Second Order Pattern Matching Algorithm in the Cube of Typed {$\lambda$}-calculi}}, + VOLUME = {520}, + YEAR = {1991} +} + +@PHDTHESIS{Dow91c, + AUTHOR = {G. Dowek}, + MONTH = dec, + SCHOOL = {{Universit\'e Paris 7}}, + TITLE = {{D\'emonstration automatique dans le Calcul des Constructions}}, + YEAR = {1991} +} + +@UNPUBLISHED{Dow92a, + AUTHOR = {G. Dowek}, + NOTE = {To appear in Theoretical Computer Science}, + TITLE = {{The Undecidability of Pattern Matching in Calculi where Primitive Recursive Functions are Representable}}, + YEAR = {1992} +} + +@ARTICLE{Dow94a, + AUTHOR = {G. Dowek}, + JOURNAL = {Annals of Pure and Applied Logic}, + VOLUME = {69}, + PAGES = {135--155}, + TITLE = {Third order matching is decidable}, + YEAR = {1994} +} + +@INPROCEEDINGS{Dow94b, + AUTHOR = {G. Dowek}, + BOOKTITLE = {Proceedings of the second international conference on typed lambda calculus and applications}, + TITLE = {{Lambda-calculus, Combinators and the Comprehension Schema}}, + YEAR = {1995} +} + +@INPROCEEDINGS{Dyb91, + AUTHOR = {P. Dybjer}, + BOOKTITLE = {Logical Frameworks}, + EDITOR = {G. Huet and G. Plotkin}, + PAGES = {59--79}, + PUBLISHER = {Cambridge University Press}, + TITLE = {{Inductive sets and families in {Martin-L{\"o}f's Type Theory} and their set-theoretic semantics : An inversion principle for {Martin-L\"of's} type theory}}, + VOLUME = {14}, + YEAR = {1991} +} + +@ARTICLE{Dyc92, + AUTHOR = {Roy Dyckhoff}, + JOURNAL = {The Journal of Symbolic Logic}, + MONTH = sep, + NUMBER = {3}, + TITLE = {Contraction-free sequent calculi for intuitionistic logic}, + VOLUME = {57}, + YEAR = {1992} +} + +@MASTERSTHESIS{Fil94, + AUTHOR = {J.-C. Filli\^atre}, + MONTH = sep, + SCHOOL = {DEA d'Informatique, ENS Lyon}, + TITLE = {Une proc\'edure de d\'ecision pour le {C}alcul des {P}r\'edicats {D}irect. {E}tude et impl\'ementation dans le syst\`eme {C}oq}, + YEAR = {1994} +} + +@TECHREPORT{Filliatre95, + AUTHOR = {J.-C. Filli\^atre}, + INSTITUTION = {LIP-ENS-Lyon}, + TITLE = {{A decision procedure for Direct Predicate Calculus}}, + TYPE = {Research report}, + NUMBER = {96--25}, + YEAR = {1995} +} + +@UNPUBLISHED{Fle90, + AUTHOR = {E. Fleury}, + MONTH = jul, + NOTE = {Rapport de Stage}, + TITLE = {Implantation des algorithmes de {Floyd et de Dijkstra} dans le {Calcul des Constructions}}, + YEAR = {1990} +} + +@INPROCEEDINGS{Gim94, + AUTHOR = {E. Gim\'enez}, + BOOKTITLE = {Types'94 : Types for Proofs and Programs}, + NOTE = {Extended version in LIP research report 95-07, ENS Lyon}, + PUBLISHER = {Springer-Verlag}, + SERIES = {LNCS}, + TITLE = {{Codifying guarded definitions with recursive schemes}}, + VOLUME = {996}, + YEAR = {1994} +} + +@TechReport{Gim98, + author = {E. Giménez}, + title = {A Tutorial on Recursive Types in Coq}, + institution = {INRIA}, + year = 1998, + month = mar +} + +@INPROCEEDINGS{Gimenez95b, + AUTHOR = {E. Gim\'enez}, + BOOKTITLE = {Workshop on Types for Proofs and Programs}, + SERIES = {LNCS}, + NUMBER = {1158}, + PAGES = {135-152}, + TITLE = {An application of co-Inductive types in Coq: + verification of the Alternating Bit Protocol}, + EDITORS = {S. Berardi and M. Coppo}, + PUBLISHER = {Springer-Verlag}, + YEAR = {1995} +} + +@INPROCEEDINGS{Gir70, + AUTHOR = {J.-Y. Girard}, + BOOKTITLE = {Proceedings of the 2nd Scandinavian Logic Symposium}, + PUBLISHER = {North-Holland}, + TITLE = {Une extension de l'interpr\'etation de {G\"odel} \`a l'analyse, et son application \`a l'\'elimination des coupures dans l'analyse et la th\'eorie des types}, + YEAR = {1970} +} + +@PHDTHESIS{Gir72, + AUTHOR = {J.-Y. Girard}, + SCHOOL = {Universit\'e Paris~7}, + TITLE = {Interpr\'etation fonctionnelle et \'elimination des coupures de l'arithm\'etique d'ordre sup\'erieur}, + YEAR = {1972} +} + + + +@BOOK{Gir89, + AUTHOR = {J.-Y. Girard and Y. Lafont and P. Taylor}, + PUBLISHER = {Cambridge University Press}, + SERIES = {Cambridge Tracts in Theoretical Computer Science 7}, + TITLE = {Proofs and Types}, + YEAR = {1989} +} + +@TechReport{Har95, + author = {John Harrison}, + title = {Metatheory and Reflection in Theorem Proving: A Survey and Critique}, + institution = {SRI International Cambridge Computer Science Research Centre,}, + year = 1995, + type = {Technical Report}, + number = {CRC-053}, + abstract = {http://www.cl.cam.ac.uk/users/jrh/papers.html} +} + +@MASTERSTHESIS{Hir94, + AUTHOR = {D. Hirschkoff}, + MONTH = sep, + SCHOOL = {DEA IARFA, Ecole des Ponts et Chauss\'ees, Paris}, + TITLE = {{Ecriture d'une tactique arithm\'etique pour le syst\`eme Coq}}, + YEAR = {1994} +} + +@INCOLLECTION{How80, + AUTHOR = {W.A. Howard}, + BOOKTITLE = {to H.B. Curry : Essays on Combinatory Logic, Lambda Calculus and Formalism.}, + EDITOR = {J.P. Seldin and J.R. Hindley}, + NOTE = {Unpublished 1969 Manuscript}, + PUBLISHER = {Academic Press}, + TITLE = {The Formulae-as-Types Notion of Constructions}, + YEAR = {1980} +} + + + +@INPROCEEDINGS{Hue87, + AUTHOR = {G. Huet}, + BOOKTITLE = {Programming of Future Generation Computers}, + EDITOR = {K. Fuchi and M. Nivat}, + NOTE = {Also in Proceedings of TAPSOFT87, LNCS 249, Springer-Verlag, 1987, pp 276--286}, + PUBLISHER = {Elsevier Science}, + TITLE = {Induction Principles Formalized in the {Calculus of Constructions}}, + YEAR = {1988} +} + +@INPROCEEDINGS{Hue88, + AUTHOR = {G. Huet}, + BOOKTITLE = {A perspective in Theoretical Computer Science. Commemorative Volume for Gift Siromoney}, + EDITOR = {R. Narasimhan}, + NOTE = {Also in~\cite{CoC89}}, + PUBLISHER = {World Scientific Publishing}, + TITLE = {{The Constructive Engine}}, + YEAR = {1989} +} + +@BOOK{Hue89, + EDITOR = {G. Huet}, + PUBLISHER = {Addison-Wesley}, + SERIES = {The UT Year of Programming Series}, + TITLE = {Logical Foundations of Functional Programming}, + YEAR = {1989} +} + +@INPROCEEDINGS{Hue92, + AUTHOR = {G. Huet}, + BOOKTITLE = {Proceedings of 12th FST/TCS Conference, New Delhi}, + PAGES = {229--240}, + PUBLISHER = {Springer Verlag}, + SERIES = {LNCS}, + TITLE = {{The Gallina Specification Language : A case study}}, + VOLUME = {652}, + YEAR = {1992} +} + +@ARTICLE{Hue94, + AUTHOR = {G. Huet}, + JOURNAL = {J. Functional Programming}, + PAGES = {371--394}, + PUBLISHER = {Cambridge University Press}, + TITLE = {Residual theory in $\lambda$-calculus: a formal development}, + VOLUME = {4,3}, + YEAR = {1994} +} + +@INCOLLECTION{HuetLevy79, + AUTHOR = {G. Huet and J.-J. L\'{e}vy}, + TITLE = {Call by Need Computations in Non-Ambigous +Linear Term Rewriting Systems}, + NOTE = {Also research report 359, INRIA, 1979}, + BOOKTITLE = {Computational Logic, Essays in Honor of +Alan Robinson}, + EDITOR = {J.-L. Lassez and G. Plotkin}, + PUBLISHER = {The MIT press}, + YEAR = {1991} +} + +@ARTICLE{KeWe84, + AUTHOR = {J. Ketonen and R. Weyhrauch}, + JOURNAL = {Theoretical Computer Science}, + PAGES = {297--307}, + TITLE = {A decidable fragment of {P}redicate {C}alculus}, + VOLUME = {32}, + YEAR = {1984} +} + +@BOOK{Kle52, + AUTHOR = {S.C. Kleene}, + PUBLISHER = {North-Holland}, + SERIES = {Bibliotheca Mathematica}, + TITLE = {Introduction to Metamathematics}, + YEAR = {1952} +} + +@BOOK{Kri90, + AUTHOR = {J.-L. Krivine}, + PUBLISHER = {Masson}, + SERIES = {Etudes et recherche en informatique}, + TITLE = {Lambda-calcul {types et mod\`eles}}, + YEAR = {1990} +} + +@BOOK{LE92, + EDITOR = {G. Huet and G. Plotkin}, + PUBLISHER = {Cambridge University Press}, + TITLE = {Logical Environments}, + YEAR = {1992} +} + +@BOOK{LF91, + EDITOR = {G. Huet and G. Plotkin}, + PUBLISHER = {Cambridge University Press}, + TITLE = {Logical Frameworks}, + YEAR = {1991} +} + +@ARTICLE{Laville91, + AUTHOR = {A. Laville}, + TITLE = {Comparison of Priority Rules in Pattern +Matching and Term Rewriting}, + JOURNAL = {Journal of Symbolic Computation}, + VOLUME = {11}, + PAGES = {321--347}, + YEAR = {1991} +} + +@INPROCEEDINGS{LePa94, + AUTHOR = {F. Leclerc and C. Paulin-Mohring}, + BOOKTITLE = {{Types for Proofs and Programs, Types' 93}}, + EDITOR = {H. Barendregt and T. Nipkow}, + PUBLISHER = {Springer-Verlag}, + SERIES = {LNCS}, + TITLE = {{Programming with Streams in Coq. A case study : The Sieve of Eratosthenes}}, + VOLUME = {806}, + YEAR = {1994} +} + +@TECHREPORT{Leroy90, + AUTHOR = {X. Leroy}, + TITLE = {The {ZINC} experiment: an economical implementation +of the {ML} language}, + INSTITUTION = {INRIA}, + NUMBER = {117}, + YEAR = {1990} +} + +@BOOK{MaL84, + AUTHOR = {{P. Martin-L\"of}}, + PUBLISHER = {Bibliopolis}, + SERIES = {Studies in Proof Theory}, + TITLE = {Intuitionistic Type Theory}, + YEAR = {1984} +} + +@ARTICLE{MaSi94, + AUTHOR = {P. Manoury and M. Simonot}, + JOURNAL = {TCS}, + TITLE = {Automatizing termination proof of recursively defined function}, + YEAR = {To appear} +} + +@INPROCEEDINGS{Moh89a, + AUTHOR = {C. Paulin-Mohring}, + ADDRESS = {Austin}, + BOOKTITLE = {Sixteenth Annual ACM Symposium on Principles of Programming Languages}, + MONTH = jan, + PUBLISHER = {ACM}, + TITLE = {Extracting ${F}_{\omega}$'s programs from proofs in the {Calculus of Constructions}}, + YEAR = {1989} +} + +@PHDTHESIS{Moh89b, + AUTHOR = {C. Paulin-Mohring}, + MONTH = jan, + SCHOOL = {{Universit\'e Paris 7}}, + TITLE = {Extraction de programmes dans le {Calcul des Constructions}}, + YEAR = {1989} +} + +@INPROCEEDINGS{Moh93, + AUTHOR = {C. Paulin-Mohring}, + BOOKTITLE = {Proceedings of the conference Typed Lambda Calculi and Applications}, + EDITOR = {M. Bezem and J.-F. Groote}, + NOTE = {Also LIP research report 92-49, ENS Lyon}, + NUMBER = {664}, + PUBLISHER = {Springer-Verlag}, + SERIES = {LNCS}, + TITLE = {{Inductive Definitions in the System Coq - Rules and Properties}}, + YEAR = {1993} +} + +@BOOK{Moh97, + AUTHOR = {C. Paulin-Mohring}, + MONTH = jan, + PUBLISHER = {{ENS Lyon}}, + TITLE = {{Le syst\`eme Coq. \mbox{Th\`ese d'habilitation}}}, + YEAR = {1997} +} + +@MASTERSTHESIS{Mun94, + AUTHOR = {C. Mu{\~n}oz}, + MONTH = sep, + SCHOOL = {DEA d'Informatique Fondamentale, Universit\'e Paris 7}, + TITLE = {D\'emonstration automatique dans la logique propositionnelle intuitionniste}, + YEAR = {1994} +} + +@PHDTHESIS{Mun97d, + AUTHOR = "C. Mu{\~{n}}oz", + TITLE = "Un calcul de substitutions pour la repr\'esentation + de preuves partielles en th\'eorie de types", + SCHOOL = {Universit\'e Paris 7}, + YEAR = "1997", + Note = {Version en anglais disponible comme rapport de + recherche INRIA RR-3309}, + Type = {Th\`ese de Doctorat} +} + +@BOOK{Nijmegen93, + EDITOR = {H. Barendregt and T. Nipkow}, + PUBLISHER = {Springer-Verlag}, + SERIES = {LNCS}, + TITLE = {Types for Proofs and Programs}, + VOLUME = {806}, + YEAR = {1994} +} + +@BOOK{NoPS90, + AUTHOR = {B. {Nordstr\"om} and K. Peterson and J. Smith}, + BOOKTITLE = {Information Processing 83}, + PUBLISHER = {Oxford Science Publications}, + SERIES = {International Series of Monographs on Computer Science}, + TITLE = {Programming in {Martin-L\"of's} Type Theory}, + YEAR = {1990} +} + +@ARTICLE{Nor88, + AUTHOR = {B. {Nordstr\"om}}, + JOURNAL = {BIT}, + TITLE = {Terminating General Recursion}, + VOLUME = {28}, + YEAR = {1988} +} + +@BOOK{Odi90, + EDITOR = {P. Odifreddi}, + PUBLISHER = {Academic Press}, + TITLE = {Logic and Computer Science}, + YEAR = {1990} +} + +@INPROCEEDINGS{PaMS92, + AUTHOR = {M. Parigot and P. Manoury and M. Simonot}, + ADDRESS = {St. Petersburg, Russia}, + BOOKTITLE = {Logic Programming and automated reasoning}, + EDITOR = {A. Voronkov}, + MONTH = jul, + NUMBER = {624}, + PUBLISHER = {Springer-Verlag}, + SERIES = {LNCS}, + TITLE = {{ProPre : A Programming language with proofs}}, + YEAR = {1992} +} + +@ARTICLE{PaWe92, + AUTHOR = {C. Paulin-Mohring and B. Werner}, + JOURNAL = {Journal of Symbolic Computation}, + PAGES = {607--640}, + TITLE = {{Synthesis of ML programs in the system Coq}}, + VOLUME = {15}, + YEAR = {1993} +} + +@ARTICLE{Par92, + AUTHOR = {M. Parigot}, + JOURNAL = {Theoretical Computer Science}, + NUMBER = {2}, + PAGES = {335--356}, + TITLE = {{Recursive Programming with Proofs}}, + VOLUME = {94}, + YEAR = {1992} +} + +@INPROCEEDINGS{Parent95b, + AUTHOR = {C. Parent}, + BOOKTITLE = {{Mathematics of Program Construction'95}}, + PUBLISHER = {Springer-Verlag}, + SERIES = {LNCS}, + TITLE = {{Synthesizing proofs from programs in +the Calculus of Inductive Constructions}}, + VOLUME = {947}, + YEAR = {1995} +} + +@INPROCEEDINGS{Prasad93, + AUTHOR = {K.V. Prasad}, + BOOKTITLE = {{Proceedings of CONCUR'93}}, + PUBLISHER = {Springer-Verlag}, + SERIES = {LNCS}, + TITLE = {{Programming with broadcasts}}, + VOLUME = {715}, + YEAR = {1993} +} + +@TECHREPORT{Rou92, + AUTHOR = {J. Rouyer}, + INSTITUTION = {INRIA}, + MONTH = nov, + NUMBER = {1795}, + TITLE = {{D{\'e}veloppement de l'Algorithme d'Unification dans le Calcul des Constructions}}, + YEAR = {1992} +} + +@TECHREPORT{Saibi94, + AUTHOR = {A. Sa\"{\i}bi}, + INSTITUTION = {INRIA}, + MONTH = dec, + NUMBER = {2345}, + TITLE = {{Axiomatization of a lambda-calculus with explicit-substitutions in the Coq System}}, + YEAR = {1994} +} + +@MASTERSTHESIS{Ter92, + AUTHOR = {D. Terrasse}, + MONTH = sep, + SCHOOL = {IARFA}, + TITLE = {{Traduction de TYPOL en COQ. Application \`a Mini ML}}, + YEAR = {1992} +} + +@TECHREPORT{ThBeKa92, + AUTHOR = {L. Th\'ery and Y. Bertot and G. Kahn}, + INSTITUTION = {INRIA Sophia}, + MONTH = may, + NUMBER = {1684}, + TITLE = {Real theorem provers deserve real user-interfaces}, + TYPE = {Research Report}, + YEAR = {1992} +} + +@BOOK{TrDa89, + AUTHOR = {A.S. Troelstra and D. van Dalen}, + PUBLISHER = {North-Holland}, + SERIES = {Studies in Logic and the foundations of Mathematics, volumes 121 and 123}, + TITLE = {Constructivism in Mathematics, an introduction}, + YEAR = {1988} +} + +@PHDTHESIS{Wer94, + AUTHOR = {B. Werner}, + SCHOOL = {Universit\'e Paris 7}, + TITLE = {Une th\'eorie des constructions inductives}, + TYPE = {Th\`ese de Doctorat}, + YEAR = {1994} +} + +@UNPUBLISHED{ddr98, + AUTHOR = {D. de Rauglaudre}, + TITLE = {Camlp4 version 1.07.2}, + YEAR = {1998}, + NOTE = {In Camlp4 distribution} +} + +@ARTICLE{dowek93, + AUTHOR = {G. Dowek}, + TITLE = {{A Complete Proof Synthesis Method for the Cube of Type Systems}}, + JOURNAL = {Journal Logic Computation}, + VOLUME = {3}, + NUMBER = {3}, + PAGES = {287--315}, + MONTH = {June}, + YEAR = {1993} +} + +@INPROCEEDINGS{manoury94, + AUTHOR = {P. Manoury}, + TITLE = {{A User's Friendly Syntax to Define +Recursive Functions as Typed $\lambda-$Terms}}, + BOOKTITLE = {{Types for Proofs and Programs, TYPES'94}}, + SERIES = {LNCS}, + VOLUME = {996}, + MONTH = jun, + YEAR = {1994} +} + +@TECHREPORT{maranget94, + AUTHOR = {L. Maranget}, + INSTITUTION = {INRIA}, + NUMBER = {2385}, + TITLE = {{Two Techniques for Compiling Lazy Pattern Matching}}, + YEAR = {1994} +} + +@INPROCEEDINGS{puel-suarez90, + AUTHOR = {L.Puel and A. Su\'arez}, + BOOKTITLE = {{Conference Lisp and Functional Programming}}, + SERIES = {ACM}, + PUBLISHER = {Springer-Verlag}, + TITLE = {{Compiling Pattern Matching by Term +Decomposition}}, + YEAR = {1990} +} + +@MASTERSTHESIS{saidi94, + AUTHOR = {H. Saidi}, + MONTH = sep, + SCHOOL = {DEA d'Informatique Fondamentale, Universit\'e Paris 7}, + TITLE = {R\'esolution d'\'equations dans le syst\`eme T + de G\"odel}, + YEAR = {1994} +} + +@INCOLLECTION{wadler87, + AUTHOR = {P. Wadler}, + TITLE = {Efficient Compilation of Pattern Matching}, + BOOKTITLE = {The Implementation of Functional Programming +Languages}, + EDITOR = {S.L. Peyton Jones}, + PUBLISHER = {Prentice-Hall}, + YEAR = {1987} +} diff --git a/doc/book-html.sty b/doc/book-html.sty new file mode 100644 index 000000000..0592e622d --- /dev/null +++ b/doc/book-html.sty @@ -0,0 +1,133 @@ +\newcounter {part} +\newcounter {chapter} +\newcounter {section}[chapter] +\newcounter {subsection}[section] +\newcounter {subsubsection}[subsection] +\newcounter {paragraph}[subsubsection] +\newcounter {subparagraph}[paragraph] +\renewcommand \thepart {\Roman{part}} +\renewcommand \thesection {\thechapter.\arabic{section}} +\renewcommand\thesubsection {\thesection.\arabic{subsection}} +\renewcommand\thesubsubsection{\thesubsection .\arabic{subsubsection}} +\renewcommand\theparagraph {\thesubsubsection.\arabic{paragraph}} +\renewcommand\thesubparagraph {\theparagraph.\arabic{subparagraph}} +\newcommand{\partname}{Part} +\newcommand{\chaptername}{Chapter} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\newcommand{\appendix}{% +\renewcommand{\chaptername}{Appendix}% +\setcounter{chapter}{0}% +\renewcommand{\thechapter}{\Alph{chapter}}% +} +\newcounter{figure}[chapter] +\renewcommand{\thefigure}{\thechapter.\arabic{figure}} + +\newcommand{\part}[1]{% +\@print{<!--CUT PART-->} +\@open{H1}{ALIGN=center} +\stepcounter{part} +\partname:~\thepart\\ +#1 +\@close{H1} +} +\newcommand{\part*}[1]{% +\@print{<!--CUT CHAPTER-->} +\@open{H1}{ALIGN=center} +#1 +\@close{H1} +} + +\newcommand{\chapter}[1]{% +\@print{<!--CUT CHAPTER-->} +\@open{H1}{} +\stepcounter{chapter} +\chaptername~\thechapter: #1 +\@close{H1} +} +\newcommand{\chapter*}[1]{% +\@print{<!--CUT CHAPTER-->} +\@open{H1}{} +#1 +\@close{H1} +} + +\newcommand{\section}[1]{% +\@print{<!--CUT SECTION-->} +\@open{H2}{} +\stepcounter{section} +\thesection~#1 +\@close{H2} +} +\newcommand{\section*}[1]{% +\@print{<!--CUT SECTION-->} +\@open{H2}{} +#1 +\@close{H2} +} + + +\newcommand{\subsection}[1]{% +\@open{H3}{} +\stepcounter{subsection} +\thesubsection~#1 +\@close{H3} +} +\newcommand{\subsection*}[1]{% +\@open{H3}{} +#1 +\@close{H3} +} + + +\newcommand{\subsubsection}[1]{% +\@open{H4}{} +% \stepcounter{subsubsection} +% \thesubsubsection~ +#1 +\@close{H4} +} +\newcommand{\subsubsection*}[1]{% +\@open{H4}{} +#1 +\@close{H4} +} + +\newcommand{\paragraph}[1]{% +\@open{H5}{} +% \stepcounter{paragraph} +% \theparagraph~ +#1 +\@close{H5} +} +\newcommand{\paragraph*}[1]{% +\@open{H5}{} +#1 +\@close{H5} +} + +\renewenvironment{thebibliography}[1]{% +\@print{ +<!--CUT BIBLIOGRAPHY--> +} +\@open{H1}{} +\bibname\@close{H1}\@open{DL}{}}{% + +\@close{DL} +} +\renewcommand{\bibitem}[1]{\item[{\purple[\@bibref{#1}]\label{#1}}]} +\renewcommand{\index}[2][default]{\@index[#1]{#2}} +\renewcommand{\printindex}[1][default]{% +\@print{ +<!--CUT INDEX--> +} +\@printindex[#1] +} + +\renewcommand{\addtocontents}[2]{} + +\newcommand{\tophtml}{% +\@print{ +<!--CUT TOP--> +}} + +\newcommand{\atableofcontents}{} diff --git a/doc/coq-html.sty b/doc/coq-html.sty new file mode 100644 index 000000000..2793fdc2a --- /dev/null +++ b/doc/coq-html.sty @@ -0,0 +1,6 @@ +\def\sf{\purple} +\def\textsf#1{{\sf #1}} +\newcommand{\inference}[1]{$${#1}$$} +\newcommand{\NInd}[3]{\mbox{{\sf Ind}$(#1)(#2:=#3\,)$}} +\newcommand{\Ind}[4]{\mbox{{\sf Ind}$(#1)[#2](#3:=#4\,)$}} +\renewcommand{\medskip}{\\} diff --git a/doc/headers.tex b/doc/headers.tex new file mode 100644 index 000000000..11664861f --- /dev/null +++ b/doc/headers.tex @@ -0,0 +1,86 @@ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% File title.tex +% Pretty Headers +% And commands for multiple indexes +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\usepackage{fancyhdr} + +\setlength{\headheight}{14pt} + +\pagestyle{fancyplain} + +\newcommand{\coqfooter}{\tiny Coq Reference Manual, V\coqversion{}, \today} + +\cfoot{} +\lfoot[{\coqfooter}]{} +\rfoot[]{{\coqfooter}} + +\newcommand{\setheaders}[1]{ +\rhead[\fancyplain{}{\textbf{#1}}]{\fancyplain{}{\thepage}} +\lhead[\fancyplain{}{\thepage}]{\fancyplain{}{\textbf{#1}}} +} +\newcommand{\defaultheaders}{ +\rhead[\fancyplain{}{\leftmark}]{\fancyplain{}{\thepage}} +\lhead[\fancyplain{}{\thepage}]{\fancyplain{}{\rightmark}} +} + +\renewcommand{\chaptermark}[1]{\markboth{{\bf \thechapter~#1}}{}} +\renewcommand{\sectionmark}[1]{\markright{\thesection~#1}} +\renewcommand{\contentsname}{% +\protect\setheaders{Table of contents}Table of contents} +\renewcommand{\bibname}{\protect\setheaders{Bibliography}% +\protect\addtocontents{sh}{BEGINBIBLIO=\thepage}% +\protect\addcontentsline{toc}{chapter}{Bibliography}Bibliography} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% For the Addendum table of contents +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\newcommand{\atableofcontents}{\section*{Contents}\@starttoc{atoc}} +\newcommand{\aauthor}[1]{{\LARGE \bf #1} \bigskip \bigskip \bigskip} +\newcommand{\achapter}[1]{ + \chapter{#1}\addcontentsline{atoc}{chapter}{#1}} +\newcommand{\asection}[1]{ + \section{#1}\addcontentsline{atoc}{section}{#1}} +\newcommand{\asubsection}[1]{ + \subsection{#1}\addcontentsline{atoc}{subsection}{#1}} +\newcommand{\asubsubsection}[1]{ + \subsubsection{#1}\addcontentsline{atoc}{subsubsection}{#1}} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% Reference-Manual.sh is generated to cut the Postscript +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\@starttoc{sh} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% Commands for indexes +%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\usepackage{index} +\makeindex +\newindex{tactic}{tacidx}{tacind}{% +\protect\setheaders{Tactics Index}% +\protect\addcontentsline{toc}{chapter}{Tactics Index}Tactics Index} + +\newindex{command}{comidx}{comind}{% +\protect\setheaders{Vernacular Commands Index}% +\protect\addcontentsline{toc}{chapter}{Vernacular Commands Index}% +Vernacular Commands Index} + +\newindex{error}{erridx}{errind}{% +\protect\setheaders{Index of Error Messages}% +\protect\addcontentsline{toc}{chapter}{Index of Error Messages}Index of Error Messages} + +\renewindex{default}{idx}{ind}{% +\protect\addcontentsline{toc}{chapter}{Global Index}% +\protect\setheaders{Global Index}Global Index} + +\newcommand{\tacindex}[1]{% +\index{#1@\texttt{#1}}\index[tactic]{#1@\texttt{#1}}} +\newcommand{\comindex}[1]{% +\index{#1@\texttt{#1}}\index[command]{#1@\texttt{#1}}} +\newcommand{\errindex}[1]{\texttt{#1}\index[error]{#1}} +\newcommand{\ttindex}[1]{\index{#1@\texttt{#1}}} + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/macros.tex b/doc/macros.tex new file mode 100755 index 000000000..3ccfbbddd --- /dev/null +++ b/doc/macros.tex @@ -0,0 +1,334 @@ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% MACROS FOR THE REFERENCE MANUAL OF COQ % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +\newcommand{\coqversion}{6.3.1} + +% For commentaries (define \com as {} for the release manual) +%\newcommand{\com}[1]{{\it(* #1 *)}} +\newcommand{\com}[1]{} + +%%%%%%%%%%%%%%%%%%%%%%% +% Formatting commands % +%%%%%%%%%%%%%%%%%%%%%%% + +\newcommand{\ErrMsg}{\medskip \noindent {\bf Error message: }} +\newcommand{\ErrMsgx}{\medskip \noindent {\bf Error messages: }} +\newcommand{\variant}{\medskip \noindent {\bf Variant: }} +\newcommand{\variants}{\medskip \noindent {\bf Variants: }} +\newcommand{\SeeAlso}{\medskip \noindent {\bf See also: }} +\newcommand{\Rem}{\medskip \noindent {\bf Remark: }} +\newcommand{\Rems}{\medskip \noindent {\bf Remarks: }} +\newcommand{\Example}{\medskip \noindent {\bf Example: }} +\newcommand{\Warning}{\medskip \noindent {\bf Warning: }} +\newcommand{\Warns}{\medskip \noindent {\bf Warnings: }} +\newcounter{ex} +\newcommand{\firstexample}{\setcounter{ex}{1}} +\newcommand{\example}[1]{ +\medskip \noindent \textbf{Example \arabic{ex}: }\textit{#1} +\addtocounter{ex}{1}} + +\newenvironment{Variant}{\variant\begin{enumerate}}{\end{enumerate}} +\newenvironment{Variants}{\variants\begin{enumerate}}{\end{enumerate}} +\newenvironment{ErrMsgs}{\ErrMsgx\begin{enumerate}}{\end{enumerate}} +\newenvironment{Remarks}{\Rems\begin{enumerate}}{\end{enumerate}} +\newenvironment{Warnings}{\Warns\begin{enumerate}}{\end{enumerate}} +\newenvironment{Examples}{\medskip\noindent{\bf Examples:} +\begin{enumerate}}{\end{enumerate}} + +\newcommand{\rr}{\raggedright} + +\newcommand{\tinyskip}{\rule{0mm}{4mm}} + +\newcommand{\bd}{\noindent\bf} +\newcommand{\sbd}{\vspace{8pt}\noindent\bf} +\newcommand{\sdoll}[1]{\begin{small}$ #1~ $\end{small}} +\newcommand{\sdollnb}[1]{\begin{small}$ #1 $\end{small}} +\newcommand{\kw}[1]{\textsf{#1}} +\newcommand{\spec}[1]{\{\,#1\,\}} + +% Building regular expressions +\newcommand{\zeroone}[1]{{\sl [}#1{\sl ]}} +%\newcommand{\zeroonemany}[1]{$\{$#1$\}$*} +%\newcommand{\onemany}[1]{$\{$#1$\}$+} +\newcommand{\nelist}[2]{{#1} {\tt #2} {\ldots} {\tt #2} {#1}} +\newcommand{\sequence}[2]{{\sl [}{#1} {\tt #2} {\ldots} {\tt #2} {#1}{\sl ]}} +\newcommand{\nelistwithoutblank}[2]{#1{\tt #2}\ldots{\tt #2}#1} +\newcommand{\sequencewithoutblank}[2]{$[$#1{\tt #2}\ldots{\tt #2}#1$]$} + +% Used for RefMan-gal +\newcommand{\ml}[1]{\hbox{\tt{#1}}} +\newcommand{\op}{\,|\,} + +%%%%%%%%%%%%%%%%%%%%%%%% +% Trademarks and so on % +%%%%%%%%%%%%%%%%%%%%%%%% + +\newcommand{\Coq}{{\sf Coq}} +\newcommand{\ocaml}{{\sf Objective Caml}} +\newcommand{\camlpppp}{{\sf Camlp4}} +\newcommand{\emacs}{{\sf GNU Emacs}} +\newcommand{\gallina}{\textsf{Gallina}} +\newcommand{\CIC}{\mbox{\sc Cic}} +\newcommand{\FW}{\mbox{$F_{\omega}$}} + +%%%%%%%%%%%%%%%%%%% +% Name of tactics % +%%%%%%%%%%%%%%%%%%% + +\newcommand{\Natural}{\mbox{\tt Natural}} + +%%%%%%%%%%%%%%%%% +% \rm\sl series % +%%%%%%%%%%%%%%%%% + +\newcommand{\Fwterm}{\textrm{\textsl{Fwterm}}} +\newcommand{\Index}{\textrm{\textsl{index}}} +\newcommand{\abbrev}{\textrm{\textsl{abbreviation}}} +\newcommand{\annotation}{\textrm{\textsl{annotation}}} +\newcommand{\atomictac}{\textrm{\textsl{atomic\_tactic}}} +\newcommand{\binders}{\textrm{\textsl{bindings}}} +\newcommand{\binder}{\textrm{\textsl{binding}}} +\newcommand{\bindinglist}{\textrm{\textsl{bindings\_list}}} +\newcommand{\cast}{\textrm{\textsl{cast}}} +\newcommand{\cofixpointbody}{\textrm{\textsl{cofix\_body}}} +\newcommand{\coinductivebody}{\textrm{\textsl{coind\_body}}} +\newcommand{\commandtac}{\textrm{\textsl{tactic\_invocation}}} +\newcommand{\constructor}{\textrm{\textsl{constructor}}} +\newcommand{\convtactic}{\textrm{\textsl{conv\_tactic}}} +\newcommand{\declarationkeyword}{\textrm{\textsl{declaration\_keyword}}} +\newcommand{\declaration}{\textrm{\textsl{declaration}}} +\newcommand{\definition}{\textrm{\textsl{definition}}} +\newcommand{\digit}{\textrm{\textsl{digit}}} +\newcommand{\eqn}{\textrm{\textsl{equation}}} +\newcommand{\exteqn}{\textrm{\textsl{ext\_eqn}}} +\newcommand{\field}{\textrm{\textsl{field}}} +\newcommand{\firstletter}{\textrm{\textsl{first\_letter}}} +\newcommand{\fixpg}{\textrm{\textsl{fix\_pgm}}} +\newcommand{\fixpointbody}{\textrm{\textsl{fix\_body}}} +\newcommand{\fixpoint}{\textrm{\textsl{fixpoint}}} +\newcommand{\flag}{\textrm{\textsl{flag}}} +\newcommand{\form}{\textrm{\textsl{form}}} +\newcommand{\gensymbol}{\textrm{\textsl{symbol}}} +\newcommand{\idents}{\textrm{\textsl{idents}}} +\newcommand{\ident}{\textrm{\textsl{ident}}} +\newcommand{\inductivebody}{\textrm{\textsl{ind\_body}}} +\newcommand{\inductive}{\textrm{\textsl{inductive}}} +\newcommand{\integer}{\textrm{\textsl{integer}}} +\newcommand{\multpattern}{\textrm{\textsl{mult\_pattern}}} +\newcommand{\mutualcoinductive}{\textrm{\textsl{mutual\_coinductive}}} +\newcommand{\mutualinductive}{\textrm{\textsl{mutual\_inductive}}} +\newcommand{\nestedpattern}{\textrm{\textsl{nested\_pattern}}} +\newcommand{\num}{\textrm{\textsl{num}}} +\newcommand{\params}{\textrm{\textsl{params}}} +\newcommand{\pattern}{\textrm{\textsl{pattern}}} +\newcommand{\pat}{\textrm{\textsl{pat}}} +\newcommand{\pgs}{\textrm{\textsl{pgms}}} +\newcommand{\pg}{\textrm{\textsl{pgm}}} +\newcommand{\proof}{\textrm{\textsl{proof}}} +\newcommand{\record}{\textrm{\textsl{record}}} +\newcommand{\rewrule}{\textrm{\textsl{rewriting\_rule}}} +\newcommand{\sentence}{\textrm{\textsl{sentence}}} +\newcommand{\simplepattern}{\textrm{\textsl{simple\_pattern}}} +\newcommand{\sort}{\textrm{\textsl{sort}}} +\newcommand{\specif}{\textrm{\textsl{specif}}} +\newcommand{\statement}{\textrm{\textsl{statement}}} +\newcommand{\str}{\textrm{\textsl{string}}} +\newcommand{\subsequentletter}{\textrm{\textsl{subsequent\_letter}}} +\newcommand{\switch}{\textrm{\textsl{switch}}} +\newcommand{\tac}{\textrm{\textsl{tactic}}} +\newcommand{\terms}{\textrm{\textsl{terms}}} +\newcommand{\term}{\textrm{\textsl{term}}} +\newcommand{\typedidents}{\textrm{\textsl{typed\_idents}}} +\newcommand{\type}{\textrm{\textsl{type}}} +\newcommand{\vref}{\textrm{\textsl{ref}}} +\newcommand{\zarithformula}{\textrm{\textsl{zarith\_formula}}} +\newcommand{\zarith}{\textrm{\textsl{zarith}}} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% \mbox{\sf } series for roman text in maths formulas % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +\newcommand{\alors}{\mbox{\textsf{then}}} +\newcommand{\alter}{\mbox{\textsf{alter}}} +\newcommand{\bool}{\mbox{\textsf{bool}}} +\newcommand{\conc}{\mbox{\textsf{conc}}} +\newcommand{\cons}{\mbox{\textsf{cons}}} +\newcommand{\consf}{\mbox{\textsf{consf}}} +\newcommand{\emptyf}{\mbox{\textsf{emptyf}}} +\newcommand{\EqSt}{\mbox{\textsf{EqSt}}} +\newcommand{\false}{\mbox{\textsf{false}}} +\newcommand{\filter}{\mbox{\textsf{filter}}} +\newcommand{\forest}{\mbox{\textsf{forest}}} +\newcommand{\from}{\mbox{\textsf{from}}} +\newcommand{\hd}{\mbox{\textsf{hd}}} +\newcommand{\Length}{\mbox{\textsf{Length}}} +\newcommand{\length}{\mbox{\textsf{length}}} +\newcommand{\LengthA}{\mbox {\textsf{Length\_A}}} +\newcommand{\List}{\mbox{\textsf{List}}} +\newcommand{\ListA}{\mbox{\textsf{List\_A}}} +\newcommand{\LNil}{\mbox{\textsf{Lnil}}} +\newcommand{\LCons}{\mbox{\textsf{Lcons}}} +\newcommand{\nat}{\mbox{\textsf{nat}}} +\newcommand{\nO}{\mbox{\textsf{O}}} +\newcommand{\nS}{\mbox{\textsf{S}}} +\newcommand{\node}{\mbox{\textsf{node}}} +\newcommand{\Nil}{\mbox{\textsf{nil}}} +\newcommand{\Prop}{\mbox{\textsf{Prop}}} +\newcommand{\Set}{\mbox{\textsf{Set}}} +\newcommand{\si}{\mbox{\textsf{if}}} +\newcommand{\sinon}{\mbox{\textsf{else}}} +\newcommand{\Str}{\mbox{\textsf{Stream}}} +\newcommand{\tl}{\mbox{\textsf{tl}}} +\newcommand{\tree}{\mbox{\textsf{tree}}} +\newcommand{\true}{\mbox{\textsf{true}}} +\newcommand{\Type}{\mbox{\textsf{Type}}} +\newcommand{\unfold}{\mbox{\textsf{unfold}}} +\newcommand{\zeros}{\mbox{\textsf{zeros}}} + +%%%%%%%%% +% Misc. % +%%%%%%%%% +\newcommand{\T}{\texttt{T}} +\newcommand{\U}{\texttt{U}} +\newcommand{\real}{\textsf{Real}} +\newcommand{\Spec}{\textit{Spec}} +\newcommand{\Data}{\textit{Data}} +\newcommand{\In} {{\textbf{in }}} +\newcommand{\AND} {{\textbf{and}}} +\newcommand{\If}{{\textbf{if }}} +\newcommand{\Else}{{\textbf{else }}} +\newcommand{\Then} {{\textbf{then }}} +\newcommand{\Let}{{\textbf{let }}} +\newcommand{\Where}{{\textbf{where rec }}} +\newcommand{\Function}{{\textbf{function }}} +\newcommand{\Rec}{{\textbf{rec }}} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% Math commands and symbols % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +\newcommand{\la}{\leftarrow} +\newcommand{\ra}{\rightarrow} +\newcommand{\Ra}{\Rightarrow} +\newcommand{\rt}{\Rightarrow} +\newcommand{\lla}{\longleftarrow} +\newcommand{\lra}{\longrightarrow} +\newcommand{\Llra}{\Longleftrightarrow} +\newcommand{\mt}{\mapsto} +\newcommand{\ov}{\overrightarrow} +\newcommand{\wh}{\widehat} +\newcommand{\up}{\uparrow} +\newcommand{\dw}{\downarrow} +\newcommand{\nr}{\nearrow} +\newcommand{\se}{\searrow} +\newcommand{\sw}{\swarrow} +\newcommand{\nw}{\nwarrow} + +\newcommand{\vm}[1]{\vspace{#1em}} +\newcommand{\vx}[1]{\vspace{#1ex}} +\newcommand{\hm}[1]{\hspace{#1em}} +\newcommand{\hx}[1]{\hspace{#1ex}} +\newcommand{\sm}{\mbox{ }} +\newcommand{\mx}{\mbox} + +\newcommand{\nq}{\neq} +\newcommand{\eq}{\equiv} +\newcommand{\fa}{\forall} +\newcommand{\ex}{\exists} +\newcommand{\impl}{\rightarrow} +\newcommand{\Or}{\vee} +\newcommand{\And}{\wedge} +\newcommand{\ms}{\models} +\newcommand{\bw}{\bigwedge} +\newcommand{\ts}{\times} +\newcommand{\cc}{\circ} +\newcommand{\es}{\emptyset} +\newcommand{\bs}{\backslash} +\newcommand{\vd}{\vdash} +\newcommand{\lan}{{\langle }} +\newcommand{\ran}{{\rangle }} + +\newcommand{\al}{\alpha} +\newcommand{\bt}{\beta} +\newcommand{\io}{\iota} +\newcommand{\lb}{\lambda} +\newcommand{\sg}{\sigma} +\newcommand{\sa}{\Sigma} +\newcommand{\om}{\Omega} +\newcommand{\tu}{\tau} + +%%%%%%%%%%%%%%%%%%%%%%%%% +% Custom maths commands % +%%%%%%%%%%%%%%%%%%%%%%%%% + +\newcommand{\sumbool}[2]{\{#1\}+\{#2\}} +\newcommand{\myifthenelse}[3]{\kw{if} ~ #1 ~\kw{then} ~ #2 ~ \kw{else} ~ #3} +\newcommand{\fun}[2]{\item[]{\tt {#1}}. \quad\\ #2} +\newcommand{\WF}[2]{\mbox{${\cal W\!F}(#1)[#2]$}} +\newcommand{\WFE}[1]{\WF{E}{#1}} +\newcommand{\WT}[4]{\mbox{$#1[#2] \vdash #3 : #4$}} +\newcommand{\WTE}[3]{\WT{E}{#1}{#2}{#3}} +\newcommand{\WTEG}[2]{\WTE{\Gamma}{#1}{#2}} +\newcommand{\CI}[2]{\mbox{$\{#1\}^{#2}$}} +\newcommand{\CIP}[3]{\mbox{$\{#1\}_{#2}^{#3}$}} +\newcommand{\CIPV}[1]{\CIP{#1}{I_1.. I_k}{P_1.. P_k}} +\newcommand{\CIPI}[1]{\CIP{#1}{I}{P}} +\newcommand{\CIF}[1]{\mbox{$\{#1\}_{f_1.. f_n}$}} +\newcommand{\NInd}[3]{\mbox{{\sf Ind}$(#1)(\begin{array}[t]{l}#2:=#3 + \,)\end{array}$}} +\newcommand{\Ind}[4]{\mbox{{\sf Ind}$(#1)[#2](\begin{array}[t]{l}#3:=#4 + \,)\end{array}$}} +\newcommand{\Def}[4]{\mbox{{\sf Def}$(#1)(#2:=#3:#4)$}} +\newcommand{\Match}[3]{\mbox{$<\!#1\!>\!{\mbox{\tt Match}}~#2~{\mbox{\tt with}}~#3~{\mbox{\tt end}}$}} +\newcommand{\Case}[3]{\mbox{$<\!#1\!>\!{\mbox{\tt Cases}}~#2~{\mbox{\tt of}}~#3~{\mbox{\tt end}}$}} +\newcommand{\Fix}[2]{\mbox{\tt Fix}~#1\{#2\}} +\newcommand{\CoFix}[2]{\mbox{\tt CoFix}~#1\{#2\}} +\newcommand{\With}[2]{\mbox{\tt ~with~}} +\newcommand{\subst}[3]{#1\{#2/#3\}} +\newcommand{\substs}[4]{#1\{(#2/#3)_{#4}\}} +\newcommand{\Sort}{\mbox{$\cal S$}} +\newcommand{\convert}{=_{\beta\delta\iota}} +\newcommand{\leconvert}{\leq_{\beta\delta\iota}} +\newcommand{\NN}{\mbox{I\hspace{-7pt}N}} +\newcommand{\inference}[1]{$${#1}$$} +\newcommand{\compat}[2]{\mbox{$[#1|#2]$}} +\newcommand{\tristackrel}[3]{\mathrel{\mathop{#2}\limits_{#3}^{#1}}} + +\newbox\tempa +\newbox\tempb +\newdimen\tempc +\newcommand{\mud}[1]{\hfil $\displaystyle{\mathstrut #1}$\hfil} +\newcommand{\rig}[1]{\hfil $\displaystyle{#1}$} +\newcommand{\irulehelp}[3]{\setbox\tempa=\hbox{$\displaystyle{\mathstrut #2}$}% + \setbox\tempb=\vbox{\halign{##\cr + \mud{#1}\cr + \noalign{\vskip\the\lineskip} + \noalign{\hrule height 0pt} + \rig{\vbox to 0pt{\vss\hbox to 0pt{${\; #3}$\hss}\vss}}\cr + \noalign{\hrule} + \noalign{\vskip\the\lineskip} + \mud{\copy\tempa}\cr}} + \tempc=\wd\tempb + \advance\tempc by \wd\tempa + \divide\tempc by 2 } +\newcommand{\irule}[3]{{\irulehelp{#1}{#2}{#3} + \hbox to \wd\tempa{\hss \box\tempb \hss}}} + +\newcommand{\sverb}[1]{\tt #1} +\newcommand{\mover}[2]{{#1\over #2}} +\newcommand{\jd}[2]{#1 \vdash #2} +\newcommand{\mathline}[1]{\[#1\]} +\newcommand{\zrule}[2]{#2: #1} +\newcommand{\orule}[3]{#3: {\mover{#1}{#2}}} +\newcommand{\trule}[4]{#4: \mover{#1 \qquad #2} {#3}} +\newcommand{\thrule}[5]{#5: {\mover{#1 \qquad #2 \qquad #3}{#4}}} + + +% $Id$ + + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "Reference-Manual" +%%% End: diff --git a/doc/title.tex b/doc/title.tex new file mode 100755 index 000000000..816f0fd53 --- /dev/null +++ b/doc/title.tex @@ -0,0 +1,77 @@ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% File title.tex +% Page formatting commands +% Macro \coverpage +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%\setlength{\marginparwidth}{0pt} +%\setlength{\oddsidemargin}{0pt} +%\setlength{\evensidemargin}{0pt} +%\setlength{\marginparsep}{0pt} +%\setlength{\topmargin}{0pt} +%\setlength{\textwidth}{16.9cm} +%\setlength{\textheight}{22cm} +\usepackage{fullpage} + +\newcommand{\printingdate}{\today} +\newcommand{\isdraft}{\Large\bf\today\\[20pt]} +%\newcommand{\isdraft}{\vspace{20pt}} + +%To show the top for the toc in html +\newcommand{\tophtml}{} + +\newcommand{\coverpage}[2]{ +\thispagestyle{empty} +\begin{center} +\begin{Huge} +\begin{bf} +The Coq Proof Assistant\\ +\vspace{12pt} + #1\\ +\end{bf} +\end{Huge} +\vspace{20pt} +\isdraft +{\Large \bf Version \coqversion} +\footnote[1]{This research was partly supported by ESPRIT Basic Research +Action ``Types'' and by the GDR ``Programmation'' co-financed by MRE-PRC and CNRS.}\\ +\vspace{120pt} +{\bf #2}\\ +\vfill +{\Large \bf Coq Project}\\ +\vspace{15pt} +\end{center} + +\newpage +\vspace*{520pt} +\thispagestyle{empty} +\begin{flushleft} +{\large{V6.3.1, +\printingdate}}\\[20pt] +{\large{\copyright INRIA 1999}}\\ +\end{flushleft} +\newpage} + +\newcommand{\shorttitle}[1]{ +\begin{center} +\begin{huge} +\begin{bf} +The Coq Proof Assistant\\ +\vspace{10pt} + #1\\ +\end{bf} +\end{huge} +\end{center} +\vspace{5pt} +} + +% Local Variables: +% mode: LaTeX +% TeX-master: "" +% End: + +% $Id$ + + + + |