Tutorial

icon

44

pages

icon

English

icon

Documents

Le téléchargement nécessite un accès à la bibliothèque YouScribe Tout savoir sur nos offres

icon

44

pages

icon

English

icon

Documents

Le téléchargement nécessite un accès à la bibliothèque YouScribe Tout savoir sur nos offres

TheCoqProofAssistantATutorialFebruary8,20071Versionv8.1GérardHuet,GillesKahnandChristinePaulin MohringLogiCalProject1ThisresearchwaspartlysupportedbyISTworkinggroup“Types”Vv8.1,February8,2007cINRIA1999 2004(C OQ versions7.x)c2004 2006(C OQ v8.x)GettingstartedCOQ isaProofAssistantforaLogicalFrameworkknownastheCalculusofInductiveConstructions. Itallows the interactive construction of formal proofs, and also the manipulation of functional programsconsistentlywiththeirspecifications. Itrunsasacomputerprogramonmanyarchitectures. Itisavailablewithavarietyofuserinterfaces. ThepresentdocumentdoesnotattempttopresentacomprehensiveviewofallthepossibilitiesofCOQ,butrathertopresentinthemostelementarymanneratutorialonthebasicspecification language, called Gallina, in which formal axiomatisations may be developed, and on themain proof tools. For more advanced information, the reader could refer to the COQ Reference ManualortheCoq’Art,anewbookbyY.BertotandP.Castéranonpracticalusesofthe COQ system.Coq can be used from a standard teletype like shell window but preferably through the graphical1userinterfaceCoqIde .Instructionsoninstallationprocedures,aswellasmorecomprehensivedocumentation,maybefoundinthestandarddistributionofCOQ,whichmaybeobtainedfromCOQwebsitehttp://coq.inria.fr.In the following, we assume that COQ is called from a standard teletype like shell window. AllexamplesprecededbythepromptingsequenceCoq < representuserinput,terminatedbyaperiod ...
Voir icon arrow

Publié par

Langue

English

TheCoqProofAssistant
ATutorial
February8,2007
1Versionv8.1
GérardHuet,GillesKahnandChristinePaulin Mohring
LogiCalProject
1ThisresearchwaspartlysupportedbyISTworkinggroup“Types”Vv8.1,February8,2007
cINRIA1999 2004(C OQ versions7.x)
c2004 2006(C OQ v8.x)Gettingstarted
COQ isaProofAssistantforaLogicalFrameworkknownastheCalculusofInductiveConstructions. It
allows the interactive construction of formal proofs, and also the manipulation of functional programs
consistentlywiththeirspecifications. Itrunsasacomputerprogramonmanyarchitectures. Itisavailable
withavarietyofuserinterfaces. Thepresentdocumentdoesnotattempttopresentacomprehensiveview
ofallthepossibilitiesofCOQ,butrathertopresentinthemostelementarymanneratutorialonthebasic
specification language, called Gallina, in which formal axiomatisations may be developed, and on the
main proof tools. For more advanced information, the reader could refer to the COQ Reference Manual
ortheCoq’Art,anewbookbyY.BertotandP.Castéranonpracticalusesofthe COQ system.
Coq can be used from a standard teletype like shell window but preferably through the graphical
1userinterfaceCoqIde .
Instructionsoninstallationprocedures,aswellasmorecomprehensivedocumentation,maybefound
inthestandarddistributionofCOQ,whichmaybeobtainedfromCOQwebsitehttp://coq.inria.fr.
In the following, we assume that COQ is called from a standard teletype like shell window. All
examplesprecededbythepromptingsequenceCoq < representuserinput,terminatedbyaperiod.
ThefollowinglinesusuallyshowCOQ’sanswerasitappearsontheusersscreen. Whenusedfroma
graphical user interface such as CoqIde, the prompt is not displayed: user input is given in one window
and COQ’sanswersaredisplayedinadifferentwindow.
The sequence of such examples is a valid COQ session, unless otherwise specified. This version
of the tutorial has been prepared on a PC workstation running Linux. The standard invocation of COQ
deliversamessagesuchas:
unix:~> coqtop
Welcome to Coq 8.0 (Mar 2004)
Coq <
The first line gives a banner stating the precise version of COQ used. You should always return
thisbannerwhenyoureportananomalytoourhot line coq bugs@pauillac.inria.fr oronourbug
trackingsystem:http//coq.inria.fr/bin/coq bugs:
1Alternativegraphicalinterfacesexist: ProofGeneralandPcoq.
34Chapter1
BasicPredicateCalculus
1.1 AnoverviewofthespecificationlanguageGallina
A formal development in Gallina consists in a sequence of declarations and definitions. You may also
sendCOQ commandswhicharenotreallypartoftheformaldevelopment,butcorrespondtoinformation
requests,orserviceroutineinvocations. Forinstance,thecommand:
Coq < Quit.
terminatesthecurrentsession.
1.1.1 Declarations
A declaration associates a name with a specification. A name corresponds roughly to an identifier in a
programming language, i.e. to a string of letters, digits, and a few ASCII symbols like underscore (_)
and prime (’), starting with a letter. We use case distinction, so that the names A and a are distinct.
Certainstringsarereservedaskey wordsof C OQ,andthusareforbiddenasuseridentifiers.
A specification is a formal expression which classifies the notion which is being declared. There
are basically three kinds of specifications: logical propositions, mathematical collections, and abstract
types. Theyareclassifiedbythethreebasicsortsofthesystem,calledrespectivelyProp,Set,andType,
whicharethemselvesatomicabstracttypes.
EveryvalidexpressioneinGallinaisassociatedwithaspecification,itselfavalidexpression,called
its typeτ(E). Wewritee:τ(E)forthejudgmentthateisoftypeE. Youmayrequest COQ toreturnto
youthetypeofavalidexpressionbyusingthecommandCheck:
Coq < Check O.
0
: nat
Thus we know that the identifier O (the name ‘O’, not to be confused with the numeral ‘0’ which is
not a proper identifier!) is known in the current context, and that its type is the specification nat. This
specificationisitselfclassifiedasamathematicalcollection,aswemayreadilycheck:
Coq < Check nat.
nat
: Set
ThespecificationSetisanabstracttype,oneofthebasicsortsoftheGallinalanguage,whereasthe
notions nat and O are notions which are defined in the arithmetic prelude, automatically loaded when
runningthe COQ system.
5Westartbyintroducingaso calledsectionname. Theroleofsectionsistostructurethemodelisation
by limiting the scope of parameters, hypotheses and definitions. It will also give a convenient way to
resetpartofthedevelopment.
Coq < Section Declaration.
Withwhatwealreadyknow,wemaynowenterinthesystemadeclaration,correspondingtotheinformal
mathematics let n be a natural number.
Coq < Variable n : nat.
n is assumed
Ifwewanttotranslateamoreprecisestatement,suchas let n be a positive natural number,wehave
to add another declaration, which will declare explicitly the hypothesis Pos_n, with specification the
properlogicalproposition:
Coq < Hypothesis Pos_n : (gt n 0).
Pos_n is assumed
Indeedwemaycheckthattherelationgtisknownwiththerighttypeinthecurrentcontext:
Coq < Check gt.
gt
: nat > nat > Prop
which tells us that gt is a function expecting two arguments of type nat in order to build a log
ical proposition. What happens here is similar to what we are used to in a functional programming
language: we may compose the (specification) type nat with the (abstract) type Prop of logical propo
sitionsthroughthearrowfunctionconstructor,inordertogetafunctionaltypenat >Prop :
Coq < Check (nat > Prop).
nat > Prop
: Type
whichmaybecomposedagainwithnatinordertoobtainthetypenat >nat >Prop ofbinaryrelations
overnaturalnumbers. Actuallynat >nat >Prop isanabbreviationfornat >(nat >Prop) .
Functional notions may be composed in the usual way. An expression f of type A→ B may be
appliedtoanexpressioneoftypeAinordertoformtheexpression(f e)oftypeB. Herewegetthatthe
expression (gt n) is well formed of type nat >Prop , and thus that the expression (gt n O), which
abbreviates((gt n) O),isawell formedproposition.
Coq < Check gt n O.
n > 0
: Prop
1.1.2 Definitions
The initial prelude contains a few arithmetic definitions: nat is defined as a mathematical collection
(type Set), constants O, S, plus, are defined as objects of types respectively nat, nat >nat , and
nat >nat >nat . You may introduce new definitions, which link a name to a well typed value. For
instance,wemayintroducetheconstantoneasbeingdefinedtobeequaltothesuccessorofzero:
Coq < Definition one := (S O).
one is defined
Wemayoptionallyindicatetherequiredtype:
6Coq < Definition two : nat := S one.
two is defined
Actually COQ allowsseveralpossiblesyntaxes:
Coq < Definition three : nat := S two.
three is defined
Here is a way to define the doubling function, which expects an argument m of type nat in order to
builditsresultas(plus m m):
Coq < Definition double (m:nat) := plus m m.
double is defined
Thisdefinitionintroducestheconstantdoubledefinedastheexpressionfun m:nat => plus m m. The
abstraction introduced by fun is explained as follows. The e fun x:A => e is well formed
of type A >B in a context whenever the expression e is well formed of type B in the given context to
whichweaddthedeclarationthatxisoftypeA.Herexisabound,ordummyvariableintheexpression
fun x:A => e. Forinstancewecouldaswellhavedefineddoubleasfun n:nat => (plus n n).
Bound (local) variables and free (global) variables may be mixed. For instance, we may define the
functionwhichaddstheconstantntoitsargumentas
Coq < Definition add_n (m:nat) := plus m n.
add_n is defined
However, note that here we may not rename the formal argument m into n without capturing the free
occurrenceofn,andthuschangingthemeaningofthedefinednotion.
Binding operations are well known for instance in logic, where they are called quantifiers. Thus we
mayuniversallyquantifyapropositionsuchasm >0inordertogetauniversalproposition∀m·m >0.
IndeedthisoperatorisavailableinCOQ,withthefollowingsyntax: forall m:nat, gt m O.Similarly
to the case of the functional abstraction binding, we are obliged to declare explicitly the type of the
quantifiedvariable. Wecheck:
Coq < Check (forall m:nat, gt m 0).
forall m : nat, m > 0
: Prop
Wemayclean upthedevelopmentbyremovingthecontentsofthecurrentsection:
Coq < Reset Declaration.
1.2 Introductiontotheproofengine: MinimalLogic
In the following, we are going to consider various propositions, built from atomic propositions A,B,C.
Thismaybedoneeasily,byintroducingtheseatomsasglobalvariablesdeclaredoftypeProp. Itiseasy
todeclareseveralnameswiththesamespecification:
Coq < Section Minimal_Logic.
Coq < Variables A B C : Prop.
A is assumed
B is assumed
C is
We shall consider simple implications, such as A→ B, read as “A implies B”. Remark that we
overload the arrowsymbol, whichhasbeen used above as the functionality type constructor, and which
maybeusedaswellaspropositionalconnective:
7Coq < Check (A > B).
A > B
: Prop
Let us now embark on a simple proof. We want to prove the easy tautology ((A→ (B→C))→
(A→B)→(A→C). We enter the proof engine by the command Goal, followed by the conjecture we
wanttoverify:
Coq < Goal (A > B > C) > (A > B) > A > C.
1 subgoal
A : Prop
B : Prop
C :
============================

Voir icon more