\def\Program{\textsc{Program}} \def\Russel{\textsc{Russel}} \achapter{The \Program{} tactic} \label{Program} \aauthor{Matthieu Sozeau} \index{Program} \begin{flushleft} \em The status of \Program is experimental. \end{flushleft} We present here the \Coq\ \Program tactic commands, used to build certified \Coq programs, elaborating them from their algorithmic skeleton and a rich specification. It can be sought of as a dual of extraction \ref{Extraction}. The languages available as input are currently restricted to \Coq's term language, but may be extended to \ocaml{}, \textsc{Haskell} and others in the future. Input terms and types are typed in an extended system (\Russel) and interpreted into \Coq\ terms. The interpretation process may produce some proof obligations which need to be resolved to create the final term. \asection{Elaborating programs} \comindex{Program Fixpoint} The next two commands are similar to they standard counterparts \ref{Simpl-definitions} and \ref{Fixpoint} in that they define constants. However, they may require the user to prove some goals to construct the final definitions. \section{\tt Program Definition {\ident} := {\term}. \comindex{Program Definition}\label{ProgramDefinition}} This command types the value {\term} in \Russel and generate subgoals corresponding to proof obligations. Once solved, it binds the final \Coq\ term to the name {\ident} in the environment. \begin{ErrMsgs} \item \errindex{{\ident} already exists} \end{ErrMsgs} \begin{Variants} \item {\tt Program Definition {\ident} {\tt :}{\term$_1$} := {\term$_2$}.}\\ It interprets the type {\term$_1$}, potentially generating proof obligations to be resolved. Once done with them, we have a \Coq\ type {\term$_1'$}. It then checks that the type of the interpretation of {\term$_2$} is coercible to {\term$_1'$}, and registers {\ident} as being of type {\term$_1'$} once the set of obligations generated during the interpretation of {\term$_2$} and the aforementioned coercion derivation are solved. \item {\tt Program Definition {\ident} {\binder$_1$}\ldots{\binder$_n$} {\tt :}\term$_1$ {\tt :=} {\term$_2$}.}\\ This is equivalent to \\ {\tt Program Definition\,{\ident}\,{\tt :\,forall}\,% {\binder$_1$}\ldots{\binder$_n$}{\tt ,}\,\term$_1$\,{\tt :=}}\,% {\tt fun}\,{\binder$_1$}\ldots{\binder$_n$}\,{\tt =>}\,{\term$_2$}\,% {\tt .} \end{Variants} \begin{ErrMsgs} \item \errindex{In environment {\dots} the term: {\term$_2$} does not have type {\term$_1$}}.\\ \texttt{Actually, it has type {\term$_3$}}. \end{ErrMsgs} \SeeAlso Sections \ref{Opaque}, \ref{Transparent}, \ref{unfold} \section{\tt Program Fixpoint {\ident} {\params} {\tt \{order\}} : type$_0$ := \term$_0$ \comindex{Program Fixpoint} \label{ProgramFixpoint}} This command allows to define objects using a fixed point construction. The meaning of this declaration is to define {\it ident} a recursive function with arguments specified by {\binder$_1$}\ldots{\binder$_n$} such that {\it ident} applied to arguments corresponding to these binders has type \type$_0$, and is equivalent to the expression \term$_0$. The type of the {\ident} is consequently {\tt forall {\params} {\tt,} \type$_0$} and the value is equivalent to {\tt fun {\params} {\tt =>} \term$_0$}. There are two ways to define fixpoints with \Program{}, structural and well-founded recursion. \subsection{\tt Program Fixpoint {\ident} {\params} {\tt \{struct} \ident$_0$ {\tt \}} : type$_0$ := \term$_0$ \comindex{Program Fixpoint Struct} \label{ProgramFixpointStruct}} To be accepted, a structural {\tt Fixpoint} definition has to satisfy some syntactical constraints on a special argument called the decreasing argument. They are needed to ensure that the {\tt Fixpoint} definition always terminates. The point of the {\tt \{struct \ident {\tt \}}} annotation is to let the user tell the system which argument decreases along the recursive calls. This annotation may be left implicit for fixpoints with one argument. For instance, one can define the identity function on naturals as : \begin{coq_example} Program Fixpoint id (n : nat) : { x : nat | x = n } := match n with | O => O | S p => S (id p) end. \end{coq_example} The {\tt match} operator matches a value (here \verb:n:) with the various constructors of its (inductive) type. The remaining arguments give the respective values to be returned, as functions of the parameters of the corresponding constructor. Thus here when \verb:n: equals \verb:O: we return \verb:0:, and when \verb:n: equals \verb:(S p): we return \verb:(S (id p)):. The {\tt match} operator is formally described in detail in Section~\ref{Caseexpr}. The system recognizes that in the inductive call {\tt (id p)} the argument actually decreases because it is a {\em pattern variable} coming from {\tt match n with}.

Here again, proof obligations may be generated. In our example, we would have one for each branch:
\begin{coq_example}
Show.
\end{coq_example} 