I have an abstract syntax for Presburger arithmetic, along with a fixpoint function determining a given formula's propositional denotation (you can see it here: https://gist.github.com/d4hines/d9a0c674f324cab46d2cf0967bde1ac3).
I'd like to prove that the truth value of any given formula is decidable. Since it's Presburger arithmetic, I know it must decidable. I've heard that the decision procedures for Presburger arithmetic are very complicated. I'd like to reuse the existing one in Coq.
How can I do this?
Thanks!
There are a few reasons why lia will not be of great help to you.
A small true goal like exists x : Z, 2 < x < 4 is not solved by lia: this tactic is not complete for Prestburger arithmetic
Even if lia was complete for Presburger, it would act as an oracle: giving you an answer every time you need one for a true formula. But when presented with a false formula, lia only says to Coq I can't do it, it does not say I have a proof that this can't be done. In other words, the information that a proof procedure is complete may not be stored in the Coq system as a Coq readable proof.
Related
How to deal with with the division in a goal?
Because I have a goal which is clearly true... However I cannot use lia and I think that this is related to the division.
2 ^ k / 2 ≤ 2 ^ k
Bellow is my COQ screen:
There is no automation for division on naturals - they don't even form a field. But the corresponding lemmas are not hard to find with Search:
Require Import Lia.
Goal forall k:N, 2 ^ k / 2 <= 2 ^ k.
Proof.
intros k.
Search (?a/?b <= ?a/?c).
Search (_/1).
rewrite <- N.div_1_r.
apply N.div_le_compat_l.
lia.
Qed.
If you have really complicated terms, you can embed the goal into reals using floor (a/b) for integer a/b and then use coq-interval. The embedding is easy to automate and coq-interval is quite powerful for proving real inequalities, but it might choke if you have more than a few floors. You can combine it with coq-gappa then to get rid of the floors. It gets quite involved then, but still fully automated. But be aware that it might not be able to prove very tight inequalities, since it uses real analysis.
Nia (Require Import Psatz), as suggested by Ana, can't solve this (and I honestly stopped trying it).
Division on natural numbers is not as easy to manage as on rationals or reals (think 1 / 3). One way out of this could be to try to reframe your constraints with multiplication instead; for instance, n < m / p can sometimes be handled as n * p < m. Otherwise, using a library for rationals could be a solution.
I am a little confused whether the injectivity of the successor function defined on natural numbers in Coq is an axiom? According to Wikipedia/Peano axioms, it is an axiom (7). When I look at Coq.Init.Peano manual page I see the following:
Definition eq_add_S n m (H: S n = S m): n = m := f_equal pred H.
Hint Immediate eq_add_S: core.
and it looks like an axiom (?) but what confused me was that in the top of that page it said:
It states various lemmas and theorems about natural numbers, including Peano's axioms of arithmetic (in Coq, these are provable)
This sentence is a bit ambiguous no?
The command you saw is actually a proof of the injectivity of the S constructor. More precisely, it says that the successor function is injective because it has an inverse: the predecessor function (pred). (In Coq, axioms are generally introduced with the keyword Axiom.)
You seem to be confused by what I think are two related senses of the word "axiom." The broader sense in logic is that of a "starting point of reasoning" (Wikipedia). The narrower sense is that of an assertion that is taken for granted in a deductive system without further proof. In Peano arithmetic, Peano's axioms are axioms in both senses of the word, since they primitive. In Coq, ZFC set theory, and other systems, they can be proved from more elementary facts.
Which tactics can I use to perform simplifications of rational expressions and prove trivial rational equivalences as shown in the following example?
Require Import Coq.QArith.QArith.
Open Scope Q_scope.
Lemma Example : (0 + 0) / 1 == 0.
I don't know much about rational in Coq, but if their implementation is constructive, you'll be able to simplify such expressions using simpl (you might need to first unfold some definitions) or compute. Since reflexivity is done modulo conversion, it should also solve such goals.
However, you might have trouble simplifying expression with free variable (for example that
forall q:Q, (q + 0) / 1 = q.
Maybe there's a tactic like omega dedicated to this task. You could maybe try with ring or lia.
I noticed that in Coq's definition of rationals the inverse of zero is defined to zero. (Usually, division by zero is not well-defined/legal/allowed.)
Require Import QArith.
Lemma inv_zero_is_zero: (/ 0) == 0.
Proof. unfold Qeq. reflexivity. Qed.
Why is it so?
Could it cause problems in calculations with rationals, or is it safe?
The short answer is: yes, it is absolutely safe.
When we say that division by zero is not well-defined, what we actually mean is that zero doesn't have a multiplicative inverse. In particular, we can't have a function that computes a multiplicative inverse for zero. However, it is possible to write a function that computes the multiplicative inverse for all other elements, and returns some arbitrary value when such an inverse doesn't exists (e.g. for zero). This is exactly what this function is doing.
Having this inverse operator be defined everywhere means that we'll be able to define other functions that compute with it without having to argue explicitly that its argument is different from zero, making it more convenient to use. Indeed, imagine what a pain it would be if we made this function return an option instead, failing when we pass it zero: we would have to make our entire code monadic, making it harder to understand and reason about. We would have a similar problem if writing a function that requires a proof that its argument is non-zero.
So, what's the catch? Well, when trying to prove anything about a function that uses the inverse operator, we will have to add explicit hypotheses saying that we're passing it an argument that is different from zero, or argue that its argument can never be zero. The lemmas about this function then get additional preconditions, e.g.
forall q, q <> 0 -> q * (/ q) = 1
Many other libraries are structured like that, cf. for instance the definition of the field axioms in the algebra library of MathComp.
There are some cases where we want to internalize the additional preconditions required by certain functions as type-level constraints. This is what we do for instance when we use length-indexed vectors and a safe get function that can only be called on numbers that are in bounds. So how do we decide which one to go for when designing a library, i.e. whether to use a rich type with a lot of extra information and prevent bogus calls to certain functions (as in the length-indexed case) or to leave this information out and require it as explicit lemmas (as in the multiplicative inverse case)? Well, there's no definite answer here, and one really needs to analyze each case individually and decide which alternative will be better for that particular case.
I know that {a^i b^j | i = j } is not regular and I can prove with pumping lemma; similarly I can use pumping lemma to prove this one not regular too. But I think I see some similar problem that says such language is actually regular. And because I'm not confident about my knowledge in pumping lemma I'm asking this bad question. Sorry.
This is how I prove it: let w be a^p b^(19k+p) , clearly this is in the language. Then if I pump a, making it a^(p+1) b^(19k+p) . It fails. Therefore, it's not regular.
Is my proof right?
Take a look at this answer. In short, you're not pumping the string correctly. The pumping lemma states that your string w can be divided as w = xyz where |xy| ≥ p, and y is not empty. You can then pump the string as xyiz for all i ≥ 0.
The key here, is that the pumping lemma states that there exists a division of the string w satisfying these properties, you do not get to choose the division, and that you can only pump the string as xyiz.
However, this language is regular, so the pumping lemma can't be used to prove if a language is regular, it can only prove if a language is irregular (it's a necessary but not sufficient condition). To show that a language is regular you can construct a DFA, NFA or regular expression that describes your language exactly. One such regular expression is:
(a^19)*(e|ab|aabb|aaabbb|...|a^18b^18)(b^19)*
where e is the empty string.
I suspect that your language is an example from an introductory course in automata or computation. If you're interested, the Myhill-Nerode theorem is not often covered in introductory material, but in this case offers a very easy proof of regularity: consider the distinguising extensions b, bb, bbb, ..., b^19 and the proof follows relatively easily from that.