coq

Coq: How to prove if statements involving strings?

寵の児 submitted on 2019-12-13 08:09:53
Question: I have a string a and on comparison with string b, if equal, has a string c, else has string x. I know in the hypothesis that fun x <= fun c. How do I prove the statement below? fun is some function which takes in a string and returns a nat. fun (if a == b then c else x) <= S (fun c) The logic seems obvious but I am unable to split the if statements in Coq. Any help would be appreciated. Thanks! Answer 1: If you can write an if-then-else statement, it means that the test expression a == b is in

How to automatically introduce symmetries into Coq hypotheses?

[亡魂溺海] submitted on 2019-12-13 07:04:49
Question: I have some equalities (=) and inequalities (<>) in the hypotheses such as: e : x2 = x1 n : x3 <> x1 I want to use tactics like assumption, but sometimes the expected (in)equality in the goal is in the other direction, like: x1 = x2 x1 <> x3 My question is: Is it possible to automatically introduce the symmetric forms of the (in)equalities above into the hypotheses? If not, is it possible to use Notation to write a tactical to do this? So far, I can do this manually like this: assert (x1 = x2)

Decomposing equality of constructors with match expressions in Coq

China☆狼群 submitted on 2019-12-13 05:38:58
Question: I have a question similar to Decomposing equality of constructors coq; however, my equality contains a match expression. Consider the example (which is nonsensical, but just used for clarification): Fixpoint positive (n : nat) := match n with | O => Some O | S n => match positive n with | Some n => Some (S n) | None => None (* Note that this never happens *) end end. Lemma positiveness : forall n : nat, Some (S n) = positive (S n). Proof. intro. simpl. At this point, with n : nat in the

Coq: Nested(?) subtype defining nonzero rational numbers and their reciprocals

倾然丶 夕夏残阳落幕 submitted on 2019-12-13 05:30:29
Question: I tried to define the reciprocal of a nonzero rational number, imitating the answers to another question of mine. I tried to delay the proof, but it seems that I misunderstood. The following is my code: 1) Integers: define z (= a - b) as a pair (a, b) which is in a setoid with the equivalence relation (a, b) ~ (c, d) <-> a + d = b + c Definition Z_eq (z w: integer): Prop := match z with | (z1, z2) => match w with | (w1, w2) => z1 + w2 = z2 + w1 end end. Add Parametric Relation: integer Z_eq reflexivity

Random nat stream and subset types in Coq

耗尽温柔 submitted on 2019-12-13 05:15:49
Question: Yo! I need a random stream of nats with guaranteed subset types, like this stream will only give 0 < nat < 10. Anyone up for helping me with this? I found this function for generating random numbers: CoFixpoint rand (seed n1 n2 : Z) : Stream Z := let seed' := Zmod seed n2 in Cons seed' (rand (seed' * n1) n1 n2). I want to replace Z with any subset type, e.g. Definition Z_gt0 := { Z | Z > 0}. So we have: CoFixpoint rand (seed n1 n2 : Z_gt0) : Stream Z_gt0 := let seed' := Zmod seed n2 in Cons

Coq induction hypothesis is wrong

强颜欢笑 submitted on 2019-12-13 04:12:35
Question: I'm trying to prove a simple induction on two lists, and for some reason Coq writes the induction hypothesis wrong. Here is my proof: Lemma eqb_list_true_iff_left_to_right : forall A (eqb : A -> A -> bool), (forall a1 a2, eqb a1 a2 = true <-> a1 = a2) -> forall l1 l2, eqb_list eqb l1 l2 = true -> l1 = l2. Proof. intros A eqb H1. induction l1 as [|a1 l1' IHl1'] eqn:E1. - induction l2 as [|a2 l2' IHl2'] eqn:E2. + reflexivity. + intros H2. simpl in H2. discriminate H2. - (* where did l1 = l1'

Predict running times of extracted Coq code to Haskell

对着背影说爱祢 submitted on 2019-12-13 03:54:35
Question: I have the following version of isPrime written (and proved) in Coq. It takes around 30 seconds for Compute (isPrime 330) to finish on my machine. The extracted Haskell code takes around 1 second to verify that 9767 is prime. According to a comment in this post, the timing difference means nothing, but I wonder why that is? And is there any other way to predict performance when extracting Coq code? After all, sometimes performance does matter, and it's quite hard to change Coq source once you

How can I match on a specific value in Coq?

时光总嘲笑我的痴心妄想 submitted on 2019-12-13 03:50:23
Question: I'm trying to implement a function that simply counts the number of occurrences of some nat in a bag (just a synonym for a list). This is what I want to do, but it doesn't work: Require Import Coq.Lists.List. Import ListNotations. Definition bag := list nat. Fixpoint count (v:nat) (s:bag) : nat := match s with | nil => O | v :: t => S (count v t) | _ :: t => count v t end. Coq says that the final clause is redundant, i.e., it just treats v as a name for the head instead of the specific v that

How to “extract” Z from subset type {z : Z | z > 0}

喜你入骨 submitted on 2019-12-13 01:25:52
Question: If a function takes Z as an argument, it should also be possible to take any subset of Z, right? For example, Zmod takes two Z and returns Z. Can I improve on this method with subset types without reimplementing it? I want this: Definition Z_gt0 := {z | z > 0}. Definition mymod (n1 n2 : Z_gt0) := Zmod n1 n2. But Coq complains that n1 is expected to have type Z, of course. How can I make it work with Z_gt0? Coerce? This question is related to my other one here: Random nat stream and subset

Modelling object-oriented program in Coq

旧时模样 submitted on 2019-12-13 00:57:15
Question: I want to prove some facts about an imperative object-oriented program. How can I represent a heterogeneous object graph in Coq? My main problem is that edges are implicit: each node consists of an integer label modelling the object address and a data structure that models the object state. So implicit edges are formed by fields inside the data structure that model object pointers and contain the address label of another node in the graph. To ensure that my graph is valid, adding a new node to the graph must