The Coq Proof Assistant

Similar documents
Predicate Logic. Bow-Yaw Wang. Institute of Information Science Academia Sinica, Taiwan. November 22, 2017

Summer Review Packet AP Calculus

Natural Deduction for Propositional Logic

Introduction to Z3. Bow-Yaw Wang. December 19, Institute of Information Science Academia Sinica, Taiwan

Propositions and Proofs

Manual of Logical Style

Normal Forms of Propositional Logic

Negation introduction

Iv roman numerals. Cari untuk: Cari Cari

1. 4 2y 1 2 = x = x 1 2 x + 1 = x x + 1 = x = 6. w = 2. 5 x

Discrete Structures. Lecture Notes for CSE 191. Matthew G. Knepley

5 Years (10 Semester) Integrated UG/PG Program in Physics & Electronics

Deductive Systems. Lecture - 3

Methods for Marsh Futures Area of Interest (AOI) Elevation Zone Delineation

Beyond First-Order Logic

Preface to the First Edition. xxvii 0.1 Set-theoretic Notation xxvii 0.2 Proof by Induction xxix 0.3 Equivalence Relations and Equivalence Classes xxx

Automating Interactive Theorem Proving with Coq and Ltac. by Oron Propp and Alex Sekula Mentored by Drew Haven PRIMES

Natural Deduction. Formal Methods in Verification of Computer Systems Jeremy Johnson

A Revised Denotational Semantics for the Dataflow Algebra. A. J. Cowling

Analyse et Conception Formelle. Lesson 4. Proofs with a proof assistant

Propositional Logic. CS 3234: Logic and Formal Systems. Martin Henz and Aquinas Hobor. August 26, Generated on Tuesday 31 August, 2010, 16:54

Factorizations of b n ±1, Up to High Powers. Third Edition. John Brillhart, D. H. Lehmer J. L. Selfridge, Bryant Tuckerman, and S. S. Wagstaff, Jr.

Logic for Computer Science - Week 4 Natural Deduction

15414/614 Optional Lecture 1: Propositional Logic

Lecture Notes on Quantification

Handout: Proof of the completeness theorem

Lecture 2. Logic Compound Statements Conditional Statements Valid & Invalid Arguments Digital Logic Circuits. Reading (Epp s textbook)

Introduction to Isabelle/HOL

Interactive Theorem Provers

Shareholding as a % of total no. of shares (calculated as per SCRR, 1957) Number of Voting Rights held in each class of securities

MAT063 and MAT065 FINAL EXAM REVIEW FORM 1R x

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/33

CITS2211 Discrete Structures Proofs

EP elements in rings

Theory of Computation

Part Two: The Basic Components of the SOFL Specification Language

Recursion and Intro to Coq

c 2011 JOSHUA DAVID JOHNSTON ALL RIGHTS RESERVED

Chromatically Unique Bipartite Graphs With Certain 3-independent Partition Numbers III ABSTRACT

CIS 500: Software Foundations

15414/614 Optional Lecture 3: Predicate Logic

Acyclicity and Finite Linear Extendability: a Formal and Constructive Equivalence

KE/Tableaux. What is it for?

I) Simplifying fractions: x x. 1) 1 1 y x. 1 1 x 1. 4 x. 13x. x y xy. x 2. Factoring: 10) 13) 12) III) Solving: x 9 Prime (using only) 11)

Proof Calculus for Partial Correctness

Summer Review Packet. for students entering. IB Math SL

Main Issues in Computer Mathematics. Henk Barendregt Brouwer Institute Radboud University Nijmegen, The Netherlands

Packet #1: Logic & Proofs. Applied Discrete Mathematics

Applied Logic for Computer Scientists. Answers to Some Exercises

Real-Time Software Transactional Memory: Contention Managers, Time Bounds, and Implementations

Acyclicity and Finite Linear Extendability: a Formal and Constructive Equivalence

Analytical formulas for calculating the extremal ranks and inertias of A + BXB when X is a fixed-rank Hermitian matrix

NICTA Advanced Course. Theorem Proving Principles, Techniques, Applications

Logic Overview, I. and T T T T F F F T F F F F

The Curry-Howard Isomorphism

BIOLOGY YEAR AT A GLANCE RESOURCE ( )

BIOLOGY YEAR AT A GLANCE RESOURCE ( ) REVISED FOR HURRICANE DAYS

CS5371 Theory of Computation. Lecture 5: Automata Theory III (Non-regular Language, Pumping Lemma, Regular Expression)

Warm-Up Problem. Is the following true or false? 1/35

Using the Prover I: Lee Pike. June 3, NASA Langley Formal Methods Group Using the Prover I:

logical verification lecture program extraction and prop2

Type Systems as a Foundation for Reliable Computing

Proof. Theorems. Theorems. Example. Example. Example. Part 4. The Big Bang Theory

Logic and Proofs. (A brief summary)

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculteit Wiskunde en Informatica. Final examination Logic & Set Theory (2IT61/2IT07/2IHT10) (correction model)

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter 5 p. 1/60

Program-ing in Coq. Matthieu Sozeau under the direction of Christine Paulin-Mohring

Interpolation and Polynomial Approximation I

Propositions and Proofs

PHIL12A Section answers, 28 Feb 2011

The Natural Deduction Pack

Mathematical Reasoning. The Foundation of Algorithmics

INF3170 Logikk Spring Homework #8 For Friday, March 18

Topic 2060 Gibbs Energies; Salt Solutions; Aqueous Mixtures The solubilities of chemical substance j in two liquids l

Marie Duží

CS Lecture 19: Logic To Truth through Proof. Prof. Clarkson Fall Today s music: Theme from Sherlock

Inductive Predicates

SKETCHY NOTES FOR WEEKS 7 AND 8

Example ( x.(p(x) Q(x))) ( x.p(x) x.q(x)) premise. 2. ( x.(p(x) Q(x))) -elim, 1 3. ( x.p(x) x.q(x)) -elim, x. P(x) x.

Foundations of Mathematics MATH 220 FALL 2017 Lecture Notes

Chapter 4: Classical Propositional Semantics

COMP 182 Algorithmic Thinking. Proofs. Luay Nakhleh Computer Science Rice University

Discrete Mathematics

First order Logic ( Predicate Logic) and Methods of Proof

SUMMER VACATION ASSIGNMENT (MAY- JUNE 2015) CLASS X

Logic of Information p.45

Math 3336: Discrete Mathematics Practice Problems for Exam I

Today s Lecture 2/25/10. Truth Tables Continued Introduction to Proofs (the implicational rules of inference)

An Introduction to Proof Assistants

Transient Analysis of Single Phase Transformer Using State Model

Discrete Mathematics

Model for Dredging a Horizontal Trapezoidal Open Channel with Hydraulic Jump

Adam Blank Spring 2017 CSE 311. Foundations of Computing I

NOVUM ORGANON RENOVATUM

Modal Logic. UIT2206: The Importance of Being Formal. Martin Henz. March 19, 2014

Vector and Matrix Norms I

Introduction to Metalogic

Fixed Term Employment Contracts. in an Equilibrium Search Model

Logic. Definition [1] A logic is a formal language that comes with rules for deducing the truth of one proposition from the truth of another.

2. The Logic of Compound Statements Summary. Aaron Tan August 2017

Transcription:

The Coq Proof Assistant Bow-Yaw Wang Institute of Information Science Academia Sinica, Taiwan October 15, 2018 Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 1 / 59

Outline 1 The Coq Proof Assistant Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 2 / 59

The Coq Proof Assistant Coq is a proof assistant which checks every proof steps. It has been developed by Institut national de recherche en informatique et en automatique (INRIA) at France since 1984. It is used to check the proofs of the four color theorem (September 2004) and Feit-Thompson theorem (September 2012). It is also used in the CompCert project to formally verify an optimizing C compiler for PowerPC, ARM, and 32-bit x86 processors (2005). Coq is available on various platforms. The contents of this lecture are borrowed from Coq Tutorial. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 3 / 59

Using Coq We start up and exit Coq as follows. $ coqtop Welcome to Coq 8.3 pl4 ( April 2012) Coq < Quit. $ Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 4 / 59

Prop, Set, and Type A sort classifies specifications. a logical proposition has the sort Prop; a mathematical collection has the sort Set; and an abstract type has the sort Type. Every Coq expression has a sort. Coq < Check False. False : Prop Coq < Check nat. nat : Set Coq < Check O. 0 : nat Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 5 / 59

Basic Proof Tactics I Let us do some simple proofs. We first set up our context. Coq < Section Simple. Coq < Hypothesis P Q : Prop. P is assumed Q is assumed In this code, we start a section called Simple. We also make two hypotheses. Both P and Q are logical propositions. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 6 / 59

Basic Proof Tactics II We first show P P. Coq < Lemma one_ line : P -> P. P : Prop Q : Prop P -> P We declare a lemma called one line. Coq asks us to show P P from the hypotheses P and Q. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 7 / 59

Basic Proof Tactics III The tactic intros introduces new hypotheses with the given name. one_ line < intros HP. P : Prop Q : Prop HP : P P How does intros compare to the i rule? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 8 / 59

Basic Proof Tactics IV The tactic exact uses the named hypothesis. one_ line < exact HP. Proof completed. The command Qed finishes up the lemma. one_ line < Qed. intros HP. exact HP. one_ line is defined Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 9 / 59

Basic Proof Tactics V We can check our new lemma and print its proof. Coq < Check one_ line. one_ line : P -> P Coq < Print one_ line. one_ line = fun HP : P => HP : P -> P Observe how our proof is represented in Coq. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 10 / 59

Basic Proof Tactics VI Tactics start with lowercase letters such as intros and exact. We use tactics to construct formal proofs. Commands on the other hand start with uppercase letters such as Quit, Section, Lemma, Qed, Print. We use commands to operate Coq. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 11 / 59

Basic Proof Tactics VII Let us prove P (P Q) Q. Coq < Lemma MP : P -> ( P -> Q) -> Q. P : Prop Q : Prop P -> (P -> Q) -> Q MP < intros HP HI. P : Prop Q : Prop HP : P HI : P -> Q Q Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 12 / 59

Basic Proof Tactics VIII The tactic apply matches the conclusion with the named hypothesis and lists unresolved conditions. MP < apply HI. P : Prop Q : Prop HP : P HI : P -> Q P MP < exact HP. Proof completed. How does apply compare to e? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 13 / 59

Basic Proof Tactics IX Let us finish up the lemma and see the proof term. MP < Qed. intros HP HI. apply HI. exact HP. MP is defined Coq < Print MP. MP = fun ( HP : P) ( HI : P -> Q) => HI HP : P -> (P -> Q) -> Q Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 14 / 59

Basic Proof Tactics X Let us prove P Q Q P. Coq < Lemma conj_ comm : P /\ Q -> Q /\ P. P : Prop Q : Prop P /\ Q -> Q /\ P conj_ comm < intros conj. P : Prop Q : Prop conj : P /\ Q Q /\ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 15 / 59

Basic Proof Tactics XI The tactic elim eliminates a named hypothesis. conj_ comm < elim conj. P : Prop Q : Prop conj : P /\ Q P -> Q -> Q /\ P Observe that P Q is decomposed into P and Q. How does elim compare to e 1 and e 2? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 16 / 59

Basic Proof Tactics XII We introduce two more hypotheses HP and HQ. conj_ comm < intros HP HQ. P : Prop Q : Prop conj : P /\ Q HP : P HQ : Q Q /\ P Now we can use the hypotheses HP and HQ. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 17 / 59

Basic Proof Tactics XIII The tactic split splits a conjunction into two. conj_ comm < split. 2 subgoals P : Prop Q : Prop conj : P /\ Q HP : P HQ : Q Q subgoal 2 is: P How does split compare to i? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 18 / 59

Basic Proof Tactics XIV We use hypotheses to prove the lemma. conj_ comm < exact HQ. P : Prop Q : Prop conj : P /\ Q HP : P HQ : Q P conj_ comm < exact HP. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 19 / 59

Basic Proof Tactics XV Let us finish up the lemma and see its proof term. conj_ comm < Qed. intros conj. elim conj. intros HP HQ. split. exact HQ. exact HP. conj_ comm is defined Coq < Print conj_ comm. conj_ comm = fun conj0 : P /\ Q => and_ind ( fun (HP : P) (HQ : Q) => conj HQ HP) conj0 : P /\ Q -> Q /\ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 20 / 59

Basic Proof Tactics XVI Let us try to prove P Q Q P. Coq < Lemma disj_ comm : P \/ Q -> Q \/ P. P : Prop Q : Prop P \/ Q -> Q \/ P disj_ comm < intros disj. P : Prop Q : Prop disj : P \/ Q Q \/ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 21 / 59

Basic Proof Tactics XVII We eliminate the hypothesis disj. disj_ comm < elim disj. 2 subgoals P : Prop Q : Prop disj : P \/ Q P -> Q \/ P subgoal 2 is: Q -> Q \/ P How does elim compare to e? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 22 / 59

Basic Proof Tactics XVIII We next introduce a new hypothesis P. disj_ comm < intros HP. 2 subgoals P : Prop Q : Prop disj : P \/ Q HP : P Q \/ P subgoal 2 is: Q -> Q \/ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 23 / 59

Basic Proof Tactics XIX The tactic right selects the left operand in a disjunction. disj_ comm < right. 2 subgoals P : Prop Q : Prop disj : P \/ Q HP : P P subgoal 2 is: Q -> Q \/ P How does right compare to i 2? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 24 / 59

Basic Proof Tactics XX The tactic assumption searches an exact hypothesis for the conclusion. disj_ comm < assumption. P : Prop Q : Prop disj : P \/ Q Q -> Q \/ P We can combine a sequence of tactics by semicolon (;). disj_ comm < intros HQ; left ; assumption. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 25 / 59

Basic Proof Tactics XXI We finish up the lemma and print our proof. disj_ comm < Qed. intros disj. elim disj. intros HP. right. assumption. intros HQ; left ; assumption. disj_ comm is defined Coq < Print disj_ comm. disj_ comm = fun disj : P \/ Q => or_ind ( fun HP : P => or_ intror Q HP) ( fun HQ : Q => or_ introl P HQ) disj : P \/ Q -> Q \/ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 26 / 59

Basic Proof Tactics XXII Let us prove a lemma about double negation: P P. Coq < Lemma PNNP : P -> ~~ P. P : Prop Q : Prop P -> ~ ~ P PNNP < intros HP. P : Prop Q : Prop HP : P ~ ~ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 27 / 59

Basic Proof Tactics XXIII In Coq, P is a shorthand for P. We use red to expand a toplevel shorthand. PNNP < red. P : Prop Q : Prop HP : P ~ P -> False Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 28 / 59

Basic Proof Tactics XXIV We introduce another hypothesis P. PNNP < intros HNP. P : Prop Q : Prop HP : P HNP : ~ P False How does this intros compare to i? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 29 / 59

Basic Proof Tactics XXV We have P and P. The tactic absurd P exploits the contraction. PNNP < absurd P. 2 subgoals P : Prop Q : Prop HP : P HNP : ~ P ~ P subgoal 2 is: P How does absurd compare to e? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 30 / 59

Basic Proof Tactics XXVI The tactic trivial performs a simple proof search. PNNP < trivial. P : Prop Q : Prop HP : P HNP : ~ P P PNNP < trivial. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 31 / 59

Basic Proof Tactics XXVII Let us finish up the lemma, conclude the section, and check it. PNNP < Qed. intros HP. red. intros HNP. absurd P. trivial. trivial. PNNP is defined Coq < End Simple. Coq < Check PNNP. PNNP : forall P : Prop, P -> ~ ~ P Note the hypothesis P is generalized after closing the section. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 32 / 59

Basic Proof Tactics XXVIII Coq actually provides a complete tactic tauto. Coq < Hypotheses P Q R S : Prop. P is assumed Q is assumed R is assumed S is assumed Coq < Hypothesis H0 : (P /\ Q) -> R. H0 is assumed Coq < Hypothesis H1 : R -> S. H1 is assumed Coq < Hypothesis H2 : Q /\ ~S. H2 is assumed Coq < Lemma homework : ~P. P : Prop Q : Prop R : Prop S : Prop H0 : P /\ Q -> R H1 : R -> S H2 : Q /\ ~ S ~ P homework < tauto. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 33 / 59

Basic Proof Tactics XXIX Coq in fact uses intuitionistic logic. Coq < Goal forall P : Prop, P \/ ~P. forall P : Prop, P \/ ~ P Unnamed_thm < tauto. Toplevel input, characters 0-5: > tauto. > ^^^^^ Error : tauto failed. Goal declares an unnamed lemma. To do classical logic, add Coq < Require Import Classical. Coq < Check classic. classic : forall P : Prop, P \/ ~ P Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 34 / 59

More Proof Tactics I Let us set up a section for predicate logic. Coq < Section Easy. Coq < Hypothesis D : Set. D is assumed Coq < Hypothesis R : D -> D -> Prop. R is assumed In a new section, we declare a set D and a binary predicate symbol R. Let us set up a subsection where R is symmetric and transitive. Coq < Section R_sym_trans. Coq < Hypothesis R_symmetric : forall x y : D, R x y -> R y x. R_symmetric is assumed Coq < Hypothesis R_transitive : forall x y z : D, R x y -> R y z -> R x z. R_transitive is assumed Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 35 / 59

More Proof Tactics II Let us prove x D( y D, (Rxy) Rxx). Coq < Lemma refl_if : forall x : D, ( exists y, R x y) -> R x x. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z forall x : D, ( exists y : D, R x y) -> R x x Our predicate logic formula is written as forall x : D, (exists y, R x y) -> R x x. Observe that we did not specify y D but Coq infers it anyway. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 36 / 59

More Proof Tactics III The tactic intros again introduces a new hypothesis. refl_if < intros x. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D ( exists y : D, R x y) -> R x x How does it compare to i? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 37 / 59

More Proof Tactics IV We introduce another hypothesis y D(Rxy). refl_if < intros Ey. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y R x x This is simply i. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 38 / 59

More Proof Tactics V Let us eliminate y D(Rxy). refl_if < elim Ey. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y forall x0 : D, R x x0 -> R x x How does elim compare to e? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 39 / 59

More Proof Tactics VI We get the instance of y D(Rxy) by intros. refl_if < intros y Rxy. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y y : D Rxy : R x y R x x Now elim and intros look really like e. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 40 / 59

More Proof Tactics VII We apply the hypothesis R transitive. refl_if < apply R_transitive with y. 2 subgoals D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y y : D Rxy : R x y R x y subgoal 2 is: R y x Note that we need to give the hint y. How does apply compare to e? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 41 / 59

More Proof Tactics VIII The first subgoal is trivial. refl_if < trivial. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y y : D Rxy : R x y R y x Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 42 / 59

More Proof Tactics IX For the other subgoal, we apply xy D(Rxy Ryx). refl_if < apply R_symmetric. D : Set R : D -> D -> Prop R_symmetric : forall x y : D, R x y -> R y x R_transitive : forall x y z : D, R x y -> R y z -> R x z x : D Ey : exists y : D, R x y y : D Rxy : R x y R x y Now the goal is trivial. refl_if < trivial. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 43 / 59

More Proof Tactics X Let us finish up the lemma and see the proof term. refl_if < Qed. intros x. intros Ey. elim Ey. intros y Rxy. apply R_transitive with y. trivial. apply R_symmetric. trivial. refl_if is defined Coq < Print refl_if. refl_if = fun ( x : D) ( Ey : exists y : D, R x y) => ex_ind ( fun (y : D) ( Rxy : R x y) => R_transitive x y x Rxy ( R_symmetric x y Rxy )) Ey : forall x : D, ( exists y : D, R x y) -> R x x Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 44 / 59

Smullyan s Drinkers Paradox I We will prove Smullyan s drinkers paradox: in any non-empty bar, there is a person such that she drinks then everyone drinks. Let us set up the context. Coq < Section DrinkersParadox. Coq < Require Import Classical. Coq < Hypothesis bar : Set. bar is assumed Coq < Hypothesis Joe : bar. Joe is assumed Coq < Hypothesis drinks : bar -> Prop. drinks is assumed Note that Joe is in the bar. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 45 / 59

Smullyan s Drinkers Paradox II Here is what we want to prove. Coq < Lemma drinker : exists x : bar, drinks x -> forall y : bar, drinks y. bar : Set Joe : bar drinks : bar -> Prop exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 46 / 59

Smullyan s Drinkers Paradox III By LEM, we have ( x bar( drinks x)) ( x bar( drinks x)). We consider the two cases. drinker < Check ( classic ( exists x : bar, ~ drinks x)). classic ( exists x : bar, ~ drinks x) : ( exists x : bar, ~ drinks x) \/ ~ ( exists x : bar, ~ drinks x) drinker < elim ( classic ( exists x : bar, ~ drinks x)). 2 subgoals bar : Set Joe : bar drinks : bar -> Prop ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y subgoal 2 is: ~ ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 47 / 59

Smullyan s Drinkers Paradox IV We introduce the hypothesis non drinker. drinker < intros non_drinker. 2 subgoals bar : Set Joe : bar drinks : bar -> Prop non_drinker : exists x : bar, ~ drinks x exists x : bar, drinks x -> forall y : bar, drinks y subgoal 2 is: ~ ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 48 / 59

Smullyan s Drinkers Paradox V We eliminate non drinker and obtain an instance. drinker < elim non_drinker ; intros Jane Jane_non_drinker. 2 subgoals bar : Set Joe : bar drinks : bar -> Prop non_drinker : exists x : bar, ~ drinks x Jane : bar Jane_non_drinker : ~ drinks Jane exists x : bar, drinks x -> forall y : bar, drinks y subgoal 2 is: ~ ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 49 / 59

Smullyan s Drinkers Paradox VI The tactic exists uses a term as a witness to an existential formula. drinker < exists Jane. 2 subgoals bar : Set Joe : bar drinks : bar -> Prop non_drinker : exists x : bar, ~ drinks x Jane : bar Jane_non_drinker : ~ drinks Jane drinks Jane -> forall y : bar, drinks y subgoal 2 is: ~ ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y How does exists compare to i? Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 50 / 59

Smullyan s Drinkers Paradox VII Observe that we have a contradiction. The tactic tauto will do. drinker < tauto. bar : Set Joe : bar drinks : bar -> Prop ~ ( exists x : bar, ~ drinks x) -> exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 51 / 59

Smullyan s Drinkers Paradox VIII We introduce a hypothesis for the other subgoal. drinker < intros no_non_drinker. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 52 / 59

Smullyan s Drinkers Paradox IX Joe is our witness. drinker < exists Joe. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) drinks Joe -> forall y : bar, drinks y We introduce more hypotheses. drinker < intros Joe_drinker y. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y: bar drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 53 / 59

Smullyan s Drinkers Paradox X For y bar, we have drinks y drinks y by LEM. drinker < elim ( classic ( drinks y)). 2 subgoals bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y : bar drinks y -> drinks y subgoal 2 is: ~ drinks y -> drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 54 / 59

Smullyan s Drinkers Paradox XI The first subgoal is easy. drinker < tauto. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y : bar ~ drinks y -> drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 55 / 59

Smullyan s Drinkers Paradox XII We introduce a hypothesis that y does not drink. drinker < intros y_non_drinker. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y : bar y_non_drinker : ~ drinks y drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 56 / 59

Smullyan s Drinkers Paradox XIII This is contradictory to no non drinker. drinker < absurd ( exists x, ~ drinks x). 2 subgoals bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y : bar y_non_drinker : ~ drinks y ~ ( exists x : bar, ~ drinks x) subgoal 2 is: exists x : bar, ~ drinks x Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 57 / 59

Smullyan s Drinkers Paradox XIV Again, the first subgoal is trivial. The second subgoal has a witness y. drinker < trivial. bar : Set Joe : bar drinks : bar -> Prop no_non_drinker : ~ ( exists x : bar, ~ drinks x) Joe_drinker : drinks Joe y : bar y_non_drinker : ~ drinks y exists x : bar, ~ drinks x drinker < exists y; trivial. Proof completed. Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 58 / 59

Smullyan s Drinkers Paradox XV Let us finish up the lemma and see its proof term. drinker < Qed. (* proof script skipped *) Coq < Print drinker. drinker = or_ind ( fun non_drinker : exists x : bar, ~ drinks x => ex_ind (fun (Jane : bar ) ( Jane_non_drinker : ~ drinks Jane ) => ex_intro ( fun x : bar => drinks x -> forall y : bar, drinks y) Jane ( fun H : drinks Jane => let H0 := Jane_non_drinker H in False_ind ( forall y : bar, drinks y) H0 )) non_drinker ) (fun no_non_drinker : ~ ( exists x : bar, ~ drinks x) => ex_intro ( fun x : bar => drinks x -> forall y : bar, drinks y) Joe ( fun (_ : drinks Joe ) (y : bar ) => or_ind ( fun H : drinks y => H) ( fun y_non_drinker : ~ drinks y => False_ind ( drinks y) ( let H := ex_intro ( fun x : bar => ~ drinks x) y y_non_drinker in ( let H0 := no_non_drinker in fun H1 : exists x : bar, ~ drinks x => H0 H1) H)) ( classic ( drinks y )))) ( classic ( exists x : bar, ~ drinks x)) : exists x : bar, drinks x -> forall y : bar, drinks y Bow-Yaw Wang (Academia Sinica) The Coq Proof Assistant October 15, 2018 59 / 59

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback