It is not always clear which of these representation techniques to apply in a particular situation, but I will try to summarize the pros and cons of each.
Inductive types are often the most pleasant to work with, after someone has spent the time implementing some basic library functions for them, using fancy match annotations. Many aspects of Coq’s logic and tactic support are specialized to deal with inductive types, and you may miss out if you use alternate encodings.
Recursive types usually involve much less initial effort, but they can be less convenient to use with proof automation. For instance, the simpl tactic (which is among the ingredients incrush) will sometimes be overzealous in simplifying uses of functions over recursive types. Consider a call get l f, where variable l has type filist A (S n). The type of l would be
simplified to an explicit pair type. In a proof involving many recursive types, this kind of unhelpful “simplification” can lead to rapid bloat in the sizes of subgoals. Even worse, it can prevent syntactic pattern-matching, like in cases wherefilist is expected but a pair type is found in the “simplified” version. The same problem applies to applications of recursive functions to values in recursive types: the recursive function call may “simplify” when the top-level structure of the type index but not the recursive value is known, because such functions are generally defined by recursion on the index, not the value.
Another disadvantage of recursive types is that they only apply to type families whose indices determine their “skeletons.” This is not true for all data structures; a good coun- terexample comes from the richly typed programming language syntax types we have used several times so far. The fact that a piece of syntax has typeNat tells us nothing about the tree structure of that syntax.
Finally, Coq type inference can be more helpful in constructing values in inductive types. Application of a particular constructor of that type tells Coq what to expect from the arguments, while, for instance, forming a generic pair does not make clear an intention to interpret the value as belonging to a particular recursive type. This downside can be mitigated to an extent by writing “constructor” functions for a recursive type, mirroring the definition of the corresponding inductive type.
Reflexive encodings of data types are seen relatively rarely. As our examples demon- strated, manipulating index values manually can lead to hard-to-read code. A normal in- ductive type is generally easier to work with, once someone has gone through the trouble of implementing an induction principle manually with the techniques we studied in Chap- ter 3. For small developments, avoiding that kind of coding can justify the use of reflexive data structures. There are also some useful instances of co-inductive definitions with nested data structures (e.g., lists of values in the co-inductive type) that can only be deconstructed effectively with reflexive encoding of the nested structures.
Chapter 10
Reasoning About Equality Proofs
In traditional mathematics, the concept of equality is usually taken as a given. On the other hand, in type theory, equality is a very contentious subject. There are at least three different notions of equality that are important in Coq, and researchers are actively investigating new definitions of what it means for two terms to be equal. Even once we fix a notion of equality, there are inevitably tricky issues that arise in proving properties of programs that manipulate equality proofs explicitly. In this chapter, I will focus on design patterns for circumventing these tricky issues, and I will introduce the different notions of equality as they are germane.
10.1
The Definitional Equality
We have seen many examples so far where proof goals follow “by computation.” That is, we apply computational reduction rules to reduce the goal to a normal form, at which point it follows trivially. Exactly when this works and when it does not depends on the details of Coq’s definitional equality. This is an untyped binary relation appearing in the formal metatheory of CIC. CIC contains a typing rule allowing the conclusion E : T from the premiseE : T’ and a proof that T and T’ are definitionally equal.
The cbvtactic will help us illustrate the rules of Coq’s definitional equality. We redefine the natural number predecessor function in a somewhat convoluted way and construct a manual proof that it returns 0 when applied to 1.
Definition pred’ (x : nat) := match x with
| O ⇒ O
| S n’ ⇒let y := n’ in y
end.
Theoremreduce me : pred’ 1 = 0.
CIC follows the traditions of lambda calculus in associating reduction rules with Greek letters. Coq can certainly be said to support the familiar alpha reduction rule, which allows capture-avoiding renaming of bound variables, but we never need to apply alpha explicitly,
since Coq uses a de Bruijn representation [11] that encodes terms canonically.
The delta rule is for unfolding global definitions. We can use it here to unfold the definition of pred’. We do this with the cbvtactic, which takes a list of reduction rules and makes as many call-by-value reduction steps as possible, using only those rules. There is an analogous tactic lazy for call-by-need reduction.
cbv delta.
============================ (fun x : nat⇒ match x with
| 0⇒ 0
| Sn’ ⇒ let y :=n’ in y
end) 1 = 0
At this point, we want to apply the famous beta reduction of lambda calculus, to simplify the application of a known function abstraction.
cbv beta. ============================ match 1 with | 0 ⇒ 0 | S n’ ⇒ lety := n’ in y end = 0
Next on the list is the iota reduction, which simplifies a singlematchterm by determining which pattern matches.
cbv iota.
============================ (fun n’ : nat ⇒ lety :=n’ in y) 0 = 0
Now we need another beta reduction. cbv beta.
============================ (let y := 0 in y) = 0
The final reduction rule is zeta, which replaces a let expression by its body with the appropriate term substituted.
cbv zeta.
============================ 0 = 0
reflexivity. Qed.
surprising in some instances. For instance, we can run some simple tests using the reduction strategy compute, which applies all applicable rules of the definitional equality.
Definition id (n : nat) := n. Eval compute in fun x ⇒ id x.
=fun x : nat ⇒x
Fixpoint id’ (n : nat) := n. Eval compute in fun x ⇒ id’ x.
=fun x : nat ⇒(fix id’ (n : nat) : nat:= n)x
By runningcompute, we ask Coq to run reduction steps until no more apply, so why do we see an application of a known function, where clearly no beta reduction has been performed? The answer has to do with ensuring termination of all Gallina programs. One candidate rule would say that we apply recursive definitions wherever possible. However, this would clearly lead to nonterminating reduction sequences, since the function may appear fully applied within its own definition, and we would naïvely “simplify” such applications immediately. Instead, Coq only applies the beta rule for a recursive function when the top-level structure of the recursive argument is known. For id’ above, we have only one argument n, so clearly it is the recursive argument, and the top-level structure of n is known when the function is applied to O or to some Se term. The variable x is neither, so reduction is blocked.
What are recursive arguments in general? Every recursive function is compiled by Coq to afixexpression, for anonymous definition of recursive functions. Further, everyfixwith multiple arguments has one designated as the recursive argument via a struct annotation. The recursive argument is the one that must decrease across recursive calls, to appease Coq’s termination checker. Coq will generally infer which argument is recursive, though we may also specify it manually, if we want to tweak reduction behavior. For instance, consider this definition of a function to add two lists of nats elementwise:
Fixpoint addLists(ls1 ls2 : list nat) : list nat:= match ls1, ls2 with
| n1 :: ls1’ , n2 :: ls2’ ⇒ n1 + n2 :: addLists ls1’ ls2’
| , ⇒ nil
end.
By default, Coq chooses ls1 as the recursive argument. We can see that ls2 would have been another valid choice. The choice has a critical effect on reduction behavior, as these two examples illustrate:
Eval compute in fun ls ⇒ addLists nil ls. =fun : list nat⇒ nil
Eval compute in fun ls ⇒ addLists ls nil. =fun ls : list nat⇒
(fix addLists (ls1 ls2 : list nat) : list nat:= match ls1 with | nil ⇒ nil | n1 :: ls1’ ⇒ match ls2 with | nil ⇒ nil | n2 :: ls2’ ⇒
(fixplus (n m : nat) : nat:= match n with | 0 ⇒ m | S p ⇒ S (plus p m) end) n1 n2 :: addListsls1’ ls2’ end end) ls nil
The outer application of the fix expression for addLists was only simplified in the first case, because in the second case the recursive argument is ls, whose top-level structure is not known.
The opposite behavior pertains to a version of addListswith ls2 marked as recursive. Fixpoint addLists’(ls1 ls2 : list nat) {struct ls2} : list nat:=
match ls1, ls2 with
| n1 :: ls1’ , n2 :: ls2’ ⇒ n1 + n2 :: addLists’ls1’ ls2’
| , ⇒ nil
end.
Eval compute in fun ls ⇒ addLists’ ls nil. =fun ls : list nat⇒ match ls with
| nil ⇒ nil
| :: ⇒ nil
end
We see that all use of recursive functions has been eliminated, though the term has not quite simplified to nil. We could get it to do so by switching the order of the match discriminees in the definition ofaddLists’.
Recall that co-recursive definitions have a dual rule: a co-recursive call only simplifies when it is the discriminee of a match. This condition is built into the beta rule for cofix, the anonymous form of CoFixpoint.
The standard eq relation is critically dependent on the definitional equality. The rela- tion eq is often called a propositional equality, because it reifies definitional equality as a proposition that may or may not hold. Standard axiomatizations of an equality predicate in first-order logic define equality in terms of properties it has, like reflexivity, symmetry, and transitivity. In contrast, foreq in Coq, those properties are implicit in the properties of the definitional equality, which are built into CIC’s metatheory and the implementation of
Gallina. We could add new rules to the definitional equality, andeqwould keep its definition and methods of use.
This all may make it sound like the choice of eq’s definition is unimportant. To the contrary, in this chapter, we will see examples where alternate definitions may simplify proofs. Before that point, I will introduce proof methods for goals that use proofs of the standard propositional equality “as data.”