I am learning to use Coq right now and I have stumbled on a theorem I can't seem to prove. Below is the theorem and my current attempt.
Fixpoint nateq (n m : nat) : bool :=
match n with
| O => match m with
| O => true
| S _ => false
end
| S n' => match m with
| O => false
| S m' => nateq n' m'
end
end.
Theorem nateq_is_eq : ∀ n m : nat, nateq n m = true → n = m.
Proof.
admit.
Admitted.
My attempt
Theorem nateq_is_eq : ∀ n m : nat, nateq n m = true → n = m.
Proof.
intros n m H.
induction n as [| n' IHn'].
- induction m as [| m' IHm'].
+ reflexivity.
+ inversion H.
- induction m as [| m' IHm'].
+ inversion H.
+
Admitted.
My problem is in the final inductive step. The current state of my subgoals says the following:
1 subgoal
n', m' : nat
H : nateq (S n') (S m') = true
IHn' : nateq n' (S m') = true → n' = S m'
IHm' : nateq (S n') m' = true → (nateq n' m' = true → n' = m') → S n' = m'
______________________________________(1/1)
S n' = S m'
This all seems a bit convoluted. I would really appreciate any advice in the right direction.
Your induction hypothesis on n' is not general enough: to get the proof to go through, it needs to work for arbitrary m. The generalize dependent tactic can be used to solve this problem:
Require Import Coq.Unicode.Utf8.
Fixpoint nateq (n m : nat) : bool :=
match n with
| O => match m with
| O => true
| S _ => false
end
| S n' => match m with
| O => false
| S m' => nateq n' m'
end
end.
Theorem nateq_is_eq : ∀ n m : nat, nateq n m = true → n = m.
Proof.
intros n m H.
generalize dependent m.
induction n as [|n IH].
- destruct m; easy.
- destruct m as [|m]; try easy.
simpl. intros H. specialize (IH _ H). congruence.
Qed.
In this case, you can avoid the problem altogether simply by leaving m on the context:
Theorem nateq_is_eq' : ∀ n m : nat, nateq n m = true → n = m.
Proof.
intros n. induction n as [|n IH].
- destruct m; easy.
- destruct m as [|m]; try easy.
simpl. intros H. specialize (IH _ H). congruence.
Qed.
The Software Foundations book has a more detailed explanation on the generalize dependent tactic.
Related
I recently started learning Coq at a university course. I have an assignment with a problem, and I got stuck. I need to demonstrate the transitivity of the <= law, which states that for all m, n and p, if m <= n and n <= p, then m <= p. I tried every basic tactic possible, and I didn't figure it out. I want to mention that I'm a beginner and any basic solution without complicated tactics would be appreciated. It should be done with induction as well. Thanks!
Inductive Nat := O : Nat | S : Nat -> Nat.
Fixpoint le_Nat (m n : Nat) : bool :=
match m with
| O => true
| S m' => match n with
| O => false
| S n' => (le_Nat m' n')
end
end.
Lemma le_Trans :
forall m n p,
le_Nat m n = true -> le_Nat n p = true -> le_Nat m p = true.
Proof.
...
Qed.
Here is a long, detailled version:
Proof.
induction m as [| m IHm]; simpl.
- reflexivity.
- destruct n; simpl.
+ intros; discriminate.
+ destruct p; simpl.
* intros; assumption.
* apply IHm.
Qed.
and a shorter one:
induction m;destruct n; destruct p; simpl; try (reflexivity || discriminate).
apply IHm.
Qed.
You may start your proof with three nested induction/case analyses.
Many sub-goals will be trivial or easy to solve.
The last sub-goal will apply the induction hypothesis.
Proof.
induction m; destruct n ; destruct p; simpl.
(* ... *)
Coq's standard libraries give the Peano natural numbers and addition:
Inductive nat : Set :=
| O : nat
| S : nat -> nat.
Fixpoint add n m :=
match n with
| 0 => m
| S p => S (add p m)
end.
I am curious if I change the fix_definition of addition like
Fixpoint add n m :=
match n with
| 0 => m
| S p => add p (S m)
end.
Is the new addition equivalent to the old one? I tried to prove their equivalence by proving forall n m, add (S n) m = S (add n m) but failed.
In order to proof your helper lemma, you need to be careful what to introduce. If you don't introduce m, you get a more general induction hypothesis as in:
Require Import Nat.
Print add.
Fixpoint my_add n m :=
match n with
| 0 => m
| S p => my_add p (S m)
end.
Lemma my_add_S_r: forall n m, my_add n (S m) = S (my_add n m).
Proof.
(* Note: don't introduce m here - you get a more general induction hypothesis this way *)
intros n.
induction n.
- intros; reflexivity.
- intros; cbn. rewrite IHn. reflexivity.
Qed.
Lemma my_add_equiv: forall n m, add n m = my_add n m.
intros.
induction n.
- reflexivity.
- cbn. rewrite my_add_S_r. rewrite IHn. reflexivity.
Qed.
Yes both additions are equivalent, you can prove it using the lemma plus_n_Sm : forall n m : nat, S (n + m) = n + S m from the standard library (found using Search "+" (S _).) and an adequate induction hypothesis (for instance P(n) := forall m, n + m = add n m).
Unfortunately I got stuck again:
Inductive even : nat > Prop :=
| ev_0 : even 0
| ev_SS (n : nat) (H : even n) : even (S (S n)).
Lemma even_Sn_not_even_n : forall n,
even (S n) <-> not (even n).
Proof.
intros n. split.
+ intros H. unfold not. intros H1. induction H1 as [|n' E' IHn].
- inversion H.
- inversion_clear H. apply IHn in H0. apply H0.
+ intros H. induction n as [|n' IHn].
- exfalso. apply H. apply ev_0.
- apply evSS_inv'.
Here is the result:
1 subgoal (ID 179)
n' : nat
H : ~ even (S n')
IHn : ~ even n' -> even (S n')
============================
even n'
As far I could prove it in words:
(n' + 1) is not even according to H. Therefore according to IHn, it is not true that n' is not even (double negation):
IHn : ~ ~ even n'
Unfolding double negation, we conclude that n' is even.
But how to write it in coq?
The usual way to strip double negation is to introduce the "excluded middle" axiom, which is defined under the name classic in Coq.Logic.Classical_Prop, and apply the lemma NNPP.
However, in this particular case, you can use the technique called reflection by showing that the Prop is consistent with a boolean function (you might remember the evenb function introduced earlier in the book).
(Assuming you're at the beginning of IndProp) You'll soon see the following definition later in that chapter:
Inductive reflect (P : Prop) : bool -> Prop :=
| ReflectT (H : P) : reflect P true
| ReflectF (H : ~ P) : reflect P false.
You can prove the statement
Lemma even_reflect : forall n : nat, reflect (even n) (evenb n).
and then use it to move between a Prop and a boolean (which contain the same information i.e. the (non-)evenness of n) at the same time. This also means that you can do classical reasoning on that particular property without using the classic axiom.
I suggest to complete the exercises under Reflection section in IndProp, and then try the following exercises. (Edit: I uploaded the full answer here.)
(* Since `evenb` has a nontrivial recursion structure, you need the following lemma: *)
Lemma nat_ind2 :
forall P : nat -> Prop,
P 0 -> P 1 -> (forall n : nat, P n -> P (S (S n))) -> forall n : nat, P n.
Proof. fix IH 5. intros. destruct n as [| [| ]]; auto.
apply H1. apply IH; auto. Qed.
(* This is covered in an earlier chapter *)
Lemma negb_involutive : forall x : bool, negb (negb x) = x.
Proof. intros []; auto. Qed.
(* This one too. *)
Lemma evenb_S : forall n : nat, evenb (S n) = negb (evenb n).
Proof. induction n.
- auto.
- rewrite IHn. simpl. destruct (evenb n); auto. Qed.
(* Exercises. *)
Lemma evenb_even : forall n : nat, evenb n = true -> even n.
Proof. induction n using nat_ind2.
(* Fill in here *) Admitted.
Lemma evenb_odd : forall n : nat, evenb n = false -> ~ (even n).
Proof. induction n using nat_ind2.
(* Fill in here *) Admitted.
Lemma even_reflect : forall n : nat, reflect (even n) (evenb n).
Proof. (* Fill in here. Hint: You don't need induction. *) Admitted.
Lemma even_iff_evenb : forall n, even n <-> evenb n = true.
Proof. (* Fill in here. Hint: use `reflect_iff` from IndProp. *) Admitted.
Theorem reflect_iff_false : forall P b, reflect P b -> (~ P <-> b = false).
Proof. (* Fill in here. *) Admitted.
Lemma n_even_iff_evenb : forall n, ~ (even n) <-> evenb n = false.
Proof. (* Fill in here. *) Admitted.
Lemma even_Sn_not_even_n : forall n,
even (S n) <-> not (even n).
Proof. (* Fill in here.
Hint: Now you can convert all the (non-)evenness properties to booleans,
and then work with boolean logic! *) Admitted.
I am trying to prove the plus_n_Sm theorem from the Induction chapter in Software Foundations
Theorem succ_is_plus_1: forall n: nat, S n = n + 1.
Proof.
induction n as [| n' ind_hyp].
- simpl. reflexivity.
- simpl. rewrite <- ind_hyp. reflexivity.
Qed.
Theorem plus_n_Sm : forall n m : nat,
S (n + m) = n + (S m).
Proof.
induction n as [| n' ind_hyp ].
- induction m as [| m' ind_m ].
+ simpl. reflexivity.
+ simpl. reflexivity.
- induction m as [| m' ind_m2 ].
+ rewrite -> succ_is_plus_1 . rewrite <- plus_n_O. reflexivity.
+ rewrite -> succ_is_plus_1. rewrite <- ind_m2.
The output at this point is
1 subgoal
n' : nat
ind_hyp : forall m : nat, S (n' + m) = n' + S m
m' : nat
ind_m2 : S (S n' + m') = S n' + S m'
______________________________________(1/1)
S (S n' + m') + 1 = S n' + S (S m')
I'm stuck here. What am I doing wrong? What is the proper way of thinking for finding the induction proof on two variables?
As the first comment said, the key is that an induction on n suffices, m can be a constant. Then the proof is straightforward.
When using induction, I'd like to have hypotheses n = 0 and n = S n' to separate the cases.
Section x.
Variable P : nat -> Prop.
Axiom P0: P 0.
Axiom PSn : forall n, P n -> P (S n).
Theorem Pn: forall n:nat, P n.
Proof. intros n. induction n.
- (* = 0 *)
apply P0.
- (* = S n *)
apply PSn. assumption.
Qed.
In theory I could do this with induction n eqn: Hn, but that seems to mess up the inductive hypothesis:
Theorem Pn2: forall n:nat, P n.
Proof. intros n. induction n eqn: Hn.
- (* Hn : n = 0 *)
apply P0.
- (* Hn : n = S n0 *)
(*** 1 subgoals
P : nat -> Prop
n : nat
n0 : nat
Hn : n = S n0
IHn0 : n = n0 -> P n0
______________________________________(1/1)
P (S n0)
****)
Abort.
End x.
Is there an easy way to get what I want here?
Matt was almost right, you just forgot to generalize a bit your goal by reverting the remembered n:
Theorem Pn2: forall n:nat, P n.
Proof. intros n. remember n. revert n0 Heqn0.
induction n as [ | p hi]; intros m heq.
- (* heq : n = 0 *) subst. apply P0.
- (* heq : n = S n0 *)
(*
1 subgoal
P : nat -> Prop
p : nat
hi : forall n0 : nat, n0 = p -> P n0
m : nat
heq : m = S p
______________________________________(1/1)
P m
*) subst; apply (PSn p). apply hi. reflexivity.
Ooo, I think I figured it out!
Applying the inductive hypothesis changes your goal from (P n) to (P (constructor n')), so I think in general you can just match against the goal to create the equation n = construct n'.
Here's a tactic that I think does this:
(* like set (a:=b) except introduces a name and hypothesis *)
Tactic Notation
"provide_name" ident(n) "=" constr(v)
"as" simple_intropattern(H) :=
assert (exists n, n = v) as [n H] by (exists v; reflexivity).
Tactic Notation
"induction_eqn" ident(n) "as" simple_intropattern(HNS)
"eqn:" ident(Hn) :=
let PROP := fresh in (
pattern n;
match goal with [ |- ?FP _ ] => set ( PROP := FP ) end;
induction n as HNS;
match goal with [ |- PROP ?nnn ] => provide_name n = nnn as Hn end;
unfold PROP in *; clear PROP
).
It works for my example:
Theorem Pn_3: forall n:nat, P n.
Proof.
intros n.
induction_eqn n as [|n'] eqn: Hn.
- (* n: nat, Hn: n = 0; Goal: P 0 *)
apply P0.
- (* n': nat, IHn': P n';
n: nat, Hn: n = S n'
Goal: P (S n') *)
apply PSn. exact IHn'.
Qed.
I'm not sure if this is any easier, than what you have done in your second attempt, but you can first "remember" n.
Theorem Pn: forall n:nat, P n.
Proof. intro n. remember n. induction n.
- (*P : nat -> Prop
n0 : nat
Heqn0 : n0 = 0
============================
P n0
*)
subst. apply P0.
- (* P : nat -> Prop
n : nat
n0 : nat
Heqn0 : n0 = S n
IHn : n0 = n -> P n0
============================
P n0
*)