(** * Basics: Functional Programming in Coq *) (* ################################################################# *) (** * Introduction *) (** The functional style of programming is founded on simple, everyday mathematical intuitions: If a procedure or method has no side effects, then (ignoring efficiency) all we need to understand about it is how it maps inputs to outputs. *) (* ################################################################# *) (** * Data and Functions *) (* ================================================================= *) (** ** Enumerated Types *) (** - Few built-in data types - We define suitable data types ourselves *) (* ================================================================= *) (** ** Days of the Week *) Inductive day : Type := | monday | tuesday | wednesday | thursday | friday | saturday | sunday. Definition next_weekday (d:day) : day := match d with | monday => tuesday | tuesday => wednesday | wednesday => thursday | thursday => friday | friday => monday | saturday => monday | sunday => monday end. (** Type annotations are good practice *) Compute (next_weekday friday). (* ==> monday : day *) Compute (next_weekday (next_weekday saturday)). (* ==> tuesday : day *) (** We can record what we _expect_ the result to be in the form of a Coq example: *) Example test_next_weekday: (next_weekday (next_weekday saturday)) = tuesday. Proof. simpl. reflexivity. Qed. (** Code extraction: translation from Coq to Haskell/Ocaml/Scheme *) (** Tells Coq to use the [String] module from the standard library. *) From Coq Require Export String. (* ================================================================= *) (** ** Booleans *) Inductive bool : Type := | true | false. (** Functions over booleans can be defined in the same way as above: *) Definition negb (b:bool) : bool := match b with | true => false | false => true end. Definition andb (b1:bool) (b2:bool) : bool := match b1 with | true => b2 | false => false end. Definition orb (b1:bool) (b2:bool) : bool := match b1 with | true => true | false => b2 end. (** Standard library already contains booleans and functions and lemmas *) Example test_orb1: (orb true false) = true. Proof. simpl. reflexivity. Qed. Example test_orb2: (orb false false) = false. Proof. simpl. reflexivity. Qed. Example test_orb3: (orb false true) = true. Proof. simpl. reflexivity. Qed. Example test_orb4: (orb true true) = true. Proof. simpl. reflexivity. Qed. (** Introduce infix syntax *) Notation "x && y" := (andb x y). Notation "x || y" := (orb x y). Example test_orb5: false || false || true = true. Proof. simpl. reflexivity. Qed. (** If then else *) Definition negb' (b:bool) : bool := if b then false else true. Definition andb' (b1:bool) (b2:bool) : bool := if b1 then b2 else false. Definition orb' (b1:bool) (b2:bool) : bool := if b1 then true else b2. (** **** Exercise: 1 star, standard (nandb) The [Admitted] command can be used as a placeholder for an incomplete proof. We use it in exercises to indicate the parts that we're leaving for you -- i.e., your job is to replace [Admitted]s with real proofs. Remove "[Admitted.]" and complete the definition of the following function; then make sure that the [Example] assertions below can each be verified by Coq. (I.e., fill in each proof, following the model of the [orb] tests above, and make sure Coq accepts it.) The function should return [true] if either or both of its inputs are [false]. *) Definition nandb (b1:bool) (b2:bool) : bool (* REPLACE THIS LINE WITH ":= _your_definition_ ." *). Admitted. Example test_nandb1: (nandb true false) = true. (* FILL IN HERE *) Admitted. Example test_nandb2: (nandb false false) = true. (* FILL IN HERE *) Admitted. Example test_nandb3: (nandb false true) = true. (* FILL IN HERE *) Admitted. Example test_nandb4: (nandb true true) = false. (* FILL IN HERE *) Admitted. (** [] *) (** **** Exercise: 1 star, standard (andb3) Do the same for the [andb3] function below. This function should return [true] when all of its inputs are [true], and [false] otherwise. *) Definition andb3 (b1:bool) (b2:bool) (b3:bool) : bool (* REPLACE THIS LINE WITH ":= _your_definition_ ." *). Admitted. Example test_andb31: (andb3 true true true) = true. (* FILL IN HERE *) Admitted. Example test_andb32: (andb3 false true true) = false. (* FILL IN HERE *) Admitted. Example test_andb33: (andb3 true false true) = false. (* FILL IN HERE *) Admitted. Example test_andb34: (andb3 true true false) = false. (* FILL IN HERE *) Admitted. (** [] *) (* ================================================================= *) (** ** Types *) Check true. (* ===> true : bool *) (** If the thing after [Check] is followed by a colon and a type declaration, Coq will verify that the type of the expression matches the given type and halt with an error if not. *) Check true : bool. Check (negb true) : bool. Check negb : bool -> bool. (* ================================================================= *) (** ** New Types from Old *) Inductive rgb : Type := | red | green | blue. Inductive color : Type := | black | white | primary (p : rgb). (** An [Inductive] definition does two things: - defines a set of new _constructors_. E.g., [red], [primary], [true], [false], [monday], etc. are constructors. - It groups them into a new named type, like [bool], [rgb], or [color]. *) (** Any color must be black, white, or primary of something *) Definition monochrome (c : color) : bool := match c with | black => true | white => true | primary p => false end. Definition isred (c : color) : bool := match c with | black => false | white => false | primary red => true | primary _ => false end. (* ================================================================= *) (** ** Modules *) Module Playground. Definition foo : rgb := blue. End Playground. Definition foo : bool := true. Check Playground.foo : rgb. Check foo : bool. (* ================================================================= *) (** ** Tuples *) Module TuplePlayground. Inductive bit : Type := | B1 | B0. Inductive nybble : Type := | bits (b0 b1 b2 b3 : bit). Check (bits B1 B0 B1 B0) : nybble. (** The [bits] constructor acts as a wrapper for its contents. *) Definition all_zero (nb : nybble) : bool := match nb with | (bits B0 B0 B0 B0) => true | (bits _ _ _ _) => false end. Compute (all_zero (bits B1 B0 B1 B0)). (* ===> false : bool *) Compute (all_zero (bits B0 B0 B0 B0)). (* ===> true : bool *) End TuplePlayground. (* ================================================================= *) (** ** Numbers *) Module NatPlayground. (** Our first infinite data type *) Inductive nat : Type := | O | S (n : nat). (** 0 is represented by [O], 1 by [S O], 2 by [S (S O)], and so on. *) (** Essentially the same as nat *) Inductive otherNat : Type := | stop | tick (foo : otherNat). Definition pred (n : nat) : nat := match n with | O => O | S n' => n' end. (** From here, [nat] refers back to the type from the standard library. *) End NatPlayground. (** Coq magic to print natural numbers *) Check (S (S (S (S O)))). (* ===> 4 : nat *) Definition minustwo (n : nat) : nat := match n with | O => O | S O => O | S (S n') => n' end. Compute (minustwo 4). (* ===> 2 : nat *) Check S : nat -> nat. Check pred : nat -> nat. Check minustwo : nat -> nat. (** Recursion *) Fixpoint even (n:nat) : bool := match n with | O => true | S O => false | S (S n') => even n' end. Definition odd (n:nat) : bool := negb (even n). Example test_odd1: odd 1 = true. Proof. simpl. reflexivity. Qed. Example test_odd2: odd 4 = false. Proof. simpl. reflexivity. Qed. Module NatPlayground2. Fixpoint plus (n : nat) (m : nat) : nat := match n with | O => m | S n' => S (plus n' m) end. Compute (plus 3 2). (* ===> 5 : nat *) (* [plus 3 2] i.e. [plus (S (S (S O))) (S (S O))] ==> [S (plus (S (S O)) (S (S O)))] by the second clause of the [match] ==> [S (S (plus (S O) (S (S O))))] by the second clause of the [match] ==> [S (S (S (plus O (S (S O)))))] by the second clause of the [match] ==> [S (S (S (S (S O))))] by the first clause of the [match] i.e. [5] *) Fixpoint mult (n m : nat) : nat := match n with | O => O | S n' => plus m (mult n' m) end. Example test_mult1: (mult 3 3) = 9. Proof. simpl. reflexivity. Qed. (** We can match two expressions at once by putting a comma between them: *) Fixpoint minus (n m:nat) : nat := match n, m with | O , _ => O | S _ , O => n | S n', S m' => minus n' m' end. End NatPlayground2. Fixpoint exp (base power : nat) : nat := match power with | O => S O | S p => mult base (exp base p) end. (** **** Exercise: 1 star, standard (factorial) Recall the standard mathematical factorial function: factorial(0) = 1 factorial(n) = n * factorial(n-1) (if n>0) Translate this into Coq. Make sure you put a [:=] between the header we've provided and your definition. If you see an error like "The reference factorial was not found in the current environment," it means you've forgotten the [:=]. *) Fixpoint factorial (n:nat) : nat (* REPLACE THIS LINE WITH ":= _your_definition_ ." *). Admitted. Example test_factorial1: (factorial 3) = 6. (* FILL IN HERE *) Admitted. Example test_factorial2: (factorial 5) = (mult 10 12). (* FILL IN HERE *) Admitted. (** [] *) Notation "x + y" := (plus x y) (at level 50, left associativity) : nat_scope. Notation "x - y" := (minus x y) (at level 50, left associativity) : nat_scope. Notation "x * y" := (mult x y) (at level 40, left associativity) : nat_scope. Check ((0 + 1) + 1) : nat. (** Testing for equality *) Fixpoint eqb (n m : nat) : bool := match n with | O => match m with | O => true | S m' => false end | S n' => match m with | O => false | S m' => eqb n' m' end end. Fixpoint leb (n m : nat) : bool := match n with | O => true | S n' => match m with | O => false | S m' => leb n' m' end end. Example test_leb1: leb 2 2 = true. Proof. simpl. reflexivity. Qed. Example test_leb2: leb 2 4 = true. Proof. simpl. reflexivity. Qed. Example test_leb3: leb 4 2 = false. Proof. simpl. reflexivity. Qed. Notation "x =? y" := (eqb x y) (at level 70) : nat_scope. Notation "x <=? y" := (leb x y) (at level 70) : nat_scope. Example test_leb3': (4 <=? 2) = false. Proof. simpl. reflexivity. Qed. (** [=] vs [=?] [x = y] is a logical _claim_ ("proposition") that we can try to prove [x =? y] is a boolean _expression_ whose value (either [true] or [false]) we can compute. *) (** **** Exercise: 1 star, standard (ltb) The [ltb] function tests natural numbers for [l]ess-[t]han, yielding a [b]oolean. Instead of making up a new [Fixpoint] for this one, define it in terms of a previously defined function. (It can be done with just one previously defined function, but you can use two if you want.) *) Definition ltb (n m : nat) : bool (* REPLACE THIS LINE WITH ":= _your_definition_ ." *). Admitted. Notation "x n + n = m + m. Proof. (* move both quantifiers into the context: *) intros n m. (* move the hypothesis into the context: *) intros H. (* rewrite the goal using the hypothesis: *) rewrite -> H. reflexivity. Qed. (** **** Exercise: 1 star, standard (plus_id_exercise) Remove "[Admitted.]" and fill in the proof. (Note that the theorem has _two_ hypotheses -- [n = m] and [m = o] -- each to the left of an implication arrow.) *) Theorem plus_id_exercise : forall n m o : nat, n = m -> m = o -> n + m = m + o. Proof. (* FILL IN HERE *) Admitted. (** [] *) Check mult_n_O. (* ===> forall n : nat, 0 = n * 0 *) Check mult_n_Sm. (* ===> forall n m : nat, n * m + n = n * S m *) Theorem mult_n_0_m_0 : forall p q : nat, (p * 0) + (q * 0) = 0. Proof. intros p q. rewrite <- mult_n_O. rewrite <- mult_n_O. reflexivity. Qed. (** **** Exercise: 1 star, standard (mult_n_1) Use [mult_n_Sm] and [mult_n_0] to prove the following theorem. (Recall that [1] is [S O].) *) Theorem mult_n_1 : forall p : nat, p * 1 = p. Proof. (* FILL IN HERE *) Admitted. (** [] *) (* ################################################################# *) (** * Proof by Case Analysis *) Theorem plus_1_neq_0_firsttry : forall n : nat, (n + 1) =? 0 = false. Proof. intros n. simpl. (* does nothing! *) Abort. Theorem plus_1_neq_0 : forall n : nat, (n + 1) =? 0 = false. Proof. intros n. destruct n as [| n'] eqn:E. - reflexivity. - reflexivity. Qed. Theorem negb_involutive : forall b : bool, negb (negb b) = b. Proof. intros b. destruct b eqn:E. - reflexivity. - reflexivity. Qed. Theorem andb_commutative : forall b c, andb b c = andb c b. Proof. intros b c. destruct b eqn:Eb. - destruct c eqn:Ec. + reflexivity. + reflexivity. - destruct c eqn:Ec. + reflexivity. + reflexivity. Qed. Theorem andb_commutative' : forall b c, andb b c = andb c b. Proof. intros b c. destruct b eqn:Eb. { destruct c eqn:Ec. { reflexivity. } { reflexivity. } } { destruct c eqn:Ec. { reflexivity. } { reflexivity. } } Qed. Theorem andb3_exchange : forall b c d, andb (andb b c) d = andb (andb b d) c. Proof. intros b c d. destruct b eqn:Eb. - destruct c eqn:Ec. { destruct d eqn:Ed. - reflexivity. - reflexivity. } { destruct d eqn:Ed. - reflexivity. - reflexivity. } - destruct c eqn:Ec. { destruct d eqn:Ed. - reflexivity. - reflexivity. } { destruct d eqn:Ed. - reflexivity. - reflexivity. } Qed. (** **** Exercise: 2 stars, standard (andb_true_elim2) Prove the following claim, marking cases (and subcases) with bullets when you use [destruct]. Hint: You will eventually need to destruct both booleans, as in the theorems above. But its best to delay introducing the hypothesis until after you have an opportunity to simplify it. Hint 2: When you reach a contradiction in the hypotheses, focus on how to [rewrite] with that contradiction. *) Theorem andb_true_elim2 : forall b c : bool, andb b c = true -> c = true. Proof. (* FILL IN HERE *) Admitted. (** [] *) (** Shorter *) Theorem plus_1_neq_0' : forall n : nat, (n + 1) =? 0 = false. Proof. intros [|n]. - reflexivity. - reflexivity. Qed. Theorem andb_commutative'' : forall b c, andb b c = andb c b. Proof. intros [] []. - reflexivity. - reflexivity. - reflexivity. - reflexivity. Qed. (** **** Exercise: 1 star, standard (zero_nbeq_plus_1) *) Theorem zero_nbeq_plus_1 : forall n : nat, 0 =? (n + 1) = false. Proof. (* FILL IN HERE *) Admitted. (** [] *) (* ################################################################# *) (** * More Exercises *) (* ================================================================= *) (** ** Warmups *) (** **** Exercise: 1 star, standard (identity_fn_applied_twice) Use the tactics you have learned so far to prove the following theorem about boolean functions. *) Theorem identity_fn_applied_twice : forall (f : bool -> bool), (forall (x : bool), f x = x) -> forall (b : bool), f (f b) = b. Proof. (* FILL IN HERE *) Admitted. (** [] *) (** **** Exercise: 1 star, standard (negation_fn_applied_twice) Now state and prove a theorem [negation_fn_applied_twice] similar to the previous one but where the second hypothesis says that the function [f] has the property that [f x = negb x]. *) (* FILL IN HERE *) (* Do not modify the following line: *) Definition manual_grade_for_negation_fn_applied_twice : option (nat*string) := None. (** (The last definition is used by the autograder.) [] *) (** **** Exercise: 3 stars, standard, optional (andb_eq_orb) Prove the following theorem. (Hint: This can be a bit tricky, depending on how you approach it. You will probably need both [destruct] and [rewrite], but destructing everything in sight is not the best way.) *) Theorem andb_eq_orb : forall (b c : bool), (andb b c = orb b c) -> b = c. Proof. (* FILL IN HERE *) Admitted. (** [] *)