Lecture 4: Proofs about programs

(credits: Assia Mahboubi and Yves Bertot)

Proofs of programs in Coq

Now : We will see how to write specifications of programs written in Coq and how to prove them.

4 Coq programs can be seen as models of realistic programs and its formal proof as a dynamic documentation.

4 Coq programs can be translated (extracted) to realistic programming languages.

4 Coq programs can be executed efficiently, and this is a proof automation technique.

And there exist tools too to prove even imperative programs but it is much more intricate a problem.

Proofs about computation

4 Reason about functional correctness 4 State properties about computation results 4 Show consistency between several computations 4 Use the same tactics as for usual logical connectives 4 Add tactics to control computations and observation of data 4 Follow the structure of functions 4 Proving is akin to symbolic debugging 4 A proof is a guarantee that all cases have been covered 4 It is much stronger than a test!

First examples

Controlling execution

4 Replace formulas containing functions with other formulas

4 Manually with direct Coq control:

4change f1 with f2

4 Really checks that f1 and f2 are the same modulo computation

4 Manually with indirect control

4replace f1 with f2

4 Produces a side goal with the equality f1 = f2

4 Simply expand definitions

4unfold f, unfold f at 2

Functions and specifications

4 Each function should come with theorems about it. 4 In this course, sometimes called companion theorems. 4 They should be usable directly through apply when the conclusion of the goal fits. 4 Otherwise, they can be brought in the context using assert, e.g., assert (H := th a b c H1).

Reasoning about pattern-matching constructs

4 Pattern-matching typically describes alternative behaviors. 4 Reasoning on these functions goes by covering all cases. 4 Companion theorems describe the non trivial identities.

Examples with natural numbers

Lemma example3 : 7 = 3 + 4.
Proof.
  reflexivity.
Qed.
(* *)
Lemma example10 : forall n, n = 3 -> n + 7 = 10.
Proof.
  intros n.
  intros n_is_3.
  rewrite -> n_is_3.
  reflexivity.
Qed.
(* *)
Lemma example11 : forall n, 3 = n -> n + 7 = 10.
Proof.
  intros n.
  intros n_is_3.
  rewrite <- n_is_3.
  reflexivity.
Qed.
(* *)
Lemma example13 : forall (i : nat), i = 3 -> 2 * i = 6.
Proof.
  intros i.
  intros i_is_3.
  rewrite i_is_3.
  reflexivity.
Qed.
(* *)
Lemma example14 :
  forall (V W : nat -> Prop), 
    (forall (i : nat), V i -> W i) -> V 3 -> W 3.
Proof.
  intros V W.
  intros Vi_to_Wi.
  intros V3.
  apply Vi_to_Wi.
  exact V3.
Qed.

(* *)
  
Section ex15.
Variables P : Prop.

Lemma example15 :
  forall (V : nat -> Prop),
    (forall (i : nat), V i -> P) -> V 3 -> P.
Proof.
  intros V.
  intros Vi_to_P.
  intros V3.
  apply Vi_to_P with ( i := 3 ).
  exact V3.
Qed.

End ex15.
  
(* *)
Lemma example8 : exists (n : nat), n = 4.
Proof.
  exists (2 + 2).
  reflexivity.
Qed.
(* *)
Lemma example12 :
  forall (V W : nat -> Prop),
    (exists (i : nat), W i) ->
    (forall j, W j -> V j) ->
    exists (j : nat), V j.
Proof.
  intros V W.
  intros exiW.
  intros Wj_to_Vj.
  destruct exiW as [k Wk].
  exists k.
  apply Wj_to_Vj.
  exact Wk.
Qed.
(* *)
From Coq Require Import Bool Arith List.
Lemma example_arith : forall a b, a + (b + b) = (b + a) + b.
Proof.
  intros a b.
  Search (_ + _ + _).
  rewrite -> plus_assoc.
  Search (_ + _ = _ + _).
  rewrite -> (plus_comm a b).
  reflexivity.
Qed.

Tools

4 case is the basic constructs

4 generates one goal per constructor

4 the expression is replaced by constructor-values, in the conclusion

4 the argument to S becomes a universally quantified variable

4 destruct is more advanced and covers the context

4 like case, but nesting is authorized

4 the context is also modified

4 case_eq remembers in which case we are

4 the context is not modified (as in case)

4 remembering can be crucial

How to find Companion theorems

4 Search is your friend. 4 In general Search commands are your friends. 4 Search: use a predicate name Search le. 4 SearchRewrite: use patterns of expressions searchRewrite (_ + 0). 4 SearchPattern: use a pattern of the conclusion of the theorem (type Prop, usually) SearchPattern (_ * _ <= _ * _).

Recursive functions and induction

4 When a function is recursive, calls are usually made on direct subterms.

4 Companion theorems do not already exist, but have to be stated and proved by the user.

4 Induction hypotheses make up for the missing theorems.

4 The structure of the proof is imposed by the data-type.

Examples on recursive functions

From Coq Require Import Arith List.

Fixpoint evenb (n : nat) : bool :=
  match n with
  | 0 => true  | S p => negb (evenb p)
  end.

Definition is_zero (x : nat) :=
   match x with O => true | _ => false end.

Lemma is_zero_l1 :
  forall x, is_zero x = false -> x <> 0.
Proof.
  intros x.
  unfold is_zero.
  intros hyp.
  case_eq x.
  - intros x0. rewrite x0 in hyp. discriminate.
  - intros x' xx'. discriminate.
Qed.
(* *)
Lemma is_zero_l2 :
  forall x, is_zero x <> false -> x = 0.
Proof.
 intros x.
  unfold is_zero.
  intros hyp.
  destruct x as [ | x'].
  - reflexivity.
  - destruct hyp. reflexivity.
Qed.
(* *)
Fixpoint mult2 n :=
  match n with
  | 0 => 0
  | S p => S (S (mult2 p))
  end.

From Coq Require Import NPeano.

Lemma mult2_add : forall n, mult2 n = n + n.
Proof.
  induction n as [ | n' IHn'].
  - (* n = 0 *)
    reflexivity.
  - (* n = S n' *) 
    change (mult2 (S n')) with (S (S (mult2 n'))).
    rewrite IHn'.
    Search (S _ + _).
    Check NPeano.Nat.add_succ_l.
    Search (_ + S _).
    Check plus_n_Sm.
    rewrite plus_n_Sm.
    rewrite NPeano.Nat.add_succ_l.
    reflexivity.
Qed.
(* *)

Lemma mult2_evenb :
  forall n, evenb (mult2 n) = true.
Proof.
  induction n as [ | n' IHn'].
  - (* n = 0 *)
    reflexivity.
  - (* n = S n' *)
    change (mult2 (S n')) with (S (S (mult2 n'))).
    set (x := (S (mult2 n'))).
    change (evenb (S x)) with (negb (evenb x)).
    unfold x.
    change (evenb (S (mult2 n'))) with
    (negb (evenb (mult2 n'))).
    rewrite IHn'.
    reflexivity.
Qed.
  
(* I want lo 3 = 5::3::1::nil *)
(* I want lo 2 = 3::1::nil *)
(*        lo 1 = 1::nil *)
(*        l0 0 = nil *)
  
Fixpoint lo n :=
  match n with
  | O => nil
  | S p => 2 * p + 1:: lo p
  end.

Eval compute in lo 5.

Lemma lelo :
  forall n, length (lo n) = n.
Proof.
  induction n as [ | n IHn].
  - (* n = 0 *)
    reflexivity.
  - (* n = S n *)
    simpl.
    rewrite IHn.
    reflexivity.
Qed.
(* *)
Fixpoint sl (l : list nat) : nat :=
  match l with
  | nil => 0
  | a::l' => a + sl l'
  end.

Lemma sl_lo : forall n, sl (lo n) = n * n.
Proof.
  induction n as [| n IHn].
  - (* n = 0 *)
    reflexivity.
  - (* n = S n *)
    simpl.
    rewrite IHn.
    ring.
Qed.
(* *)
Fixpoint lo' (n m : nat) : list nat :=
  match n with
| 0 => nil
| S p => m :: lo' p (m + 2)
  end.

Definition lo2 n := lo' n 1.

Eval compute in (lo2 5, lo 5).

Lemma lelo' :
  forall n m, length (lo' n m) = n.
Proof.
  induction n as [| n IHn ].
  - (* n = 0 *)
    reflexivity.
  - (* n = S n *)
    simpl.
    intros m; rewrite IHn.
    reflexivity.
Qed.
(* *)
Lemma lelo2 : 
  forall n, length (lo2 n) = n.
Proof.
  intros n.
  unfold lo2. rewrite lelo'.
  reflexivity.
Qed.
(* *)
Lemma sl_lo' :
  forall n m, sl (lo' n (m + 1)) = n * m + n * n.
Proof.
  induction n as [ | n IHn].
  - (* n = 0 *)
    intros m.
    simpl.
    reflexivity.
  - (* n = S n' *)
    intros m.
    simpl.
    replace (m + 1 + 2) with ((m + 2) + 1).
    + rewrite IHn.
      ring.
    + ring.
Qed.
(* *)
Lemma sl_lo2 :
  forall n, sl (lo2 n) = n * n.
Proof.
  intros n; unfold lo2.
  replace 1 with (0 + 1).
  - rewrite sl_lo'.
    rewrite mult_0_r, NPeano.Nat.add_0_l.
    reflexivity.
  - rewrite NPeano.Nat.add_0_l.
    reflexivity.
Qed.

Proofs on functions on lists

4 Tactics case, destruct, case_eq also work

4 Induction on lists works like induction on natural numbers

4 nil plays the same role as 0: base case of proofs by induction

4 a::tl plays the same role as S

4 Induction hypothesis on tl

4 Fits with recursive calls on tl

Example proof on lists

A trick to control recursion

4 Add one-step unfolding theorems to recursive functions

4 Associate any definition

Fixpoint f x1 ...xn := body

with a (trivial) theorem f_step

forall x1 ...xn, f x1 ...xn =body

4 Use rewrite f_step instead of change, replace, or simpl

4 This provides a better control than simpl.

4 More concise than replace or change.

4 Note that unfold is not well-suited for recursive functions.

Theorem evenb_step: forall n, evenb n =
  match n with
  | 0 => true  | S p => negb (evenb p)
  end.
Proof.
  intros.
  destruct n.
  - simpl. auto.
  - auto.
Qed.
(* *)
Fixpoint f2s (n:nat):nat:=
  match n with
  | 0 => 0
  | S 0 => 0
  | S (S x) => f2s x
  end.
  
From Coq Require Import FunInd.
Functional Scheme f2s_ind:= Induction for f2s Sort Prop.

From Coq Require Import Lia.

Lemma evenb_correct1 :
  forall x : nat,  (exists y : nat, x = 2 * y) <->  evenb x = true.
Proof.
    intros.
    pattern x, (f2s x). apply f2s_ind.
    - (* n = 0 *)
      simpl. unfold iff. split.
      + intros. trivial.
      + intros. exists 0. ring.
    - (* n = S n0 *)
      unfold iff. split.
      + intros. destruct H. unfold mult in H.
        contradict H. lia.
      + intros. simpl in H. discriminate H.
    - (* n = S n0 *) 
      intros. unfold iff. split.
      + intros. rewrite evenb_step.
        rewrite evenb_step.
        Search (negb (negb _)).
        rewrite Bool.negb_involutive.
        rewrite <- H.
        destruct H0.
        exists (x1 - 1).
        clear H e0 e.
        unfold mult.
        replace (x1 - 1 + 0) with (x1 - 1).
        ++ replace (x1 - 1 + (x1 - 1)) with (((x1 + x1) - 1) -1).
           Search (_-_).
           rewrite (plus_minus (x1 + x1 -1) 1 x0). 
            { lia. } 
            { rewrite (plus_minus (x1 + x1) 1 (1 + x0)). 
                - lia.
                - unfold mult in H0.
                  Search (_ + 0).
                  rewrite <- plus_n_O in H0. 
                  rewrite <- H0. 
                  lia.
             }         
        ++ lia. lia. 
      + intros.
        rewrite evenb_step in H0.
        rewrite evenb_step in H0.
        rewrite Bool.negb_involutive in H0.
        rewrite <- H in H0.
        clear H e0 e.
        destruct H0.
        rewrite H.
        exists (S x1).
        lia.
Qed.