I want to construct an existential variable interactively. I can't use Grab Existential Variables because I need to fill the existential before I complete the goal.
Minimal exmaple
Here is a minimal example (since it's simple, it has other solutions, but it illustrates my question)
Context (A:Type).
Parameter P Q: A -> Prop.
Definition filter: forall {a}, P a -> A:= fun a Pa=> a.
Lemma my_lemma:
forall a b, Q b -> (Q b -> P a) ->
exists a (H: P a), P (filter H).
Proof.
intros ?? H H0.
do 2 eexists.
At this point, there are two solutions that don't answer my questions: (1) I could run (eauto) and then do Grab Existential Variables, but suppose that eauto doesn't succeed until I instantiate the unification variable; (2) I could just pass the proof term explicitly with instantiate(1:= H0 H) (or even instantiate(1:= ltac:(eauto))), but assume that the proof of the xistential was tedious and we wished to do it interactively.
What else can we do? We can try to use cut or assert, like so:
match goal with
|[|- P (filter ?x)] =>
match type of x with
| ?T => assert (HH:T) by eauto
end
end.
But HH is not in the context of the unification variable, so it can't be instantiated.
instantiate(1:=HH). (* Instance is not well-typed in the environment of ?H. *)
As far as I can tell, the only way to solve this is to use Show Existentials, see the type of the variable copy it by hand, roll back the proof to before the unification was introduced and construct the variable there. In the example it looks like this:
Lemma my_lemma:
forall a b, Q b -> (Q b -> P a) ->
exists a (H: P a), P (filter H).
Proof.
intros ?? H H0.
do 2 eexists.
Show Existentials.
Restart. (* This command restores the proof editing process to the original goal. *)
intros ?? H H0.
assert (HH:P a) by eauto.
eexists; exists HH.
auto.
Qed.
Obviously, I would like to avoid this workflow. So, anyway to turn the existential variables into subgoals?
Your best bet is probably to avoid creating the existential variable as an evar in the first place. You don't have to construct the variable by hand to do this; if you can identify where it's created, you can wrap the offending tactic with unshelve t, which turns all evars created by t into goals. Where this might be difficult is if the relevant tactic is deep inside some automation and difficult to identify or change.
Related
Is it possible to rewrite something that uses variables from another scope,
such as a function call that uses a variable from a match, fun, or fix ?
For example,
Theorem foo (f : nat -> nat) (rw : forall x, f x = 5) x : match x with
| 0 => 5
| S a => f a
end = 5.
rewrite rw.
(* Error: Found no subterm matching "f ?M160" in the current goal. *)
destruct x; try rewrite rw; apply eq_refl.
Qed.
So, the theorem is provable, but trying to rewrite rw initially fails,
seemingly because a is in another scope. But, the rewrite applies
unconditionally, so it seems like it should apply there too.
Of course, this is a toy example. Assume that, in a real-world scenario,
getting into the scope is a bit more complicated than just a destruct.
From Rewrite tactic fails to find term occurrence within pattern matching it looks like this isn't possible in Coq. So, is it just that it isn't implemented, or does it cause contradictions or allow for bad behavior like smuggling variables out of their scope?
What about harder cases like fix ?
You have likely heard that the Logic of Coq is not powerful enough to derive functional exensionality.
Now what you prove above is a point wise equality, that is you prove that an applied function has a certain value.
A rewrite in the match would correspond to a proof that two unapplied functions are equal: The original match statement (which is a function of x) and the rewritten match statement (also a function of x). This means you would prove a more general result as intermediate step - and Coq's logic is not able to prove this more general result.
Functional extensionality is compatible with Coq's logic, though. So one can add it as axiom and then one can add some setoid instances which allow to setoid_rewrite under binders. But afaik this does not work for rewrites under matches either.
It would also be possible to detect that in the end you prove a point wise equality, do the destruct behind the scenes, do the point wise rewrite and put things together again, but this would work only in rather trivial cases, which I guess are not sufficiently interesting to implement this.
To close here is an example of proving functional extensionality (suggested by the edit by #scubed) with a rewrite under binders - which is enabled by a global type class instance which is itself based on the functional extensionality axiom. So this proves an axiom with itself and it doesn't help for your match case, but it shows that rewriting under binders is equivalent to functional extensionality.
Require Import PeanoNat.
Require Import Setoid.
Require Import Morphisms.
Definition fun1 (x : nat) := x + 1.
Definition fun2 (x : nat) := 1 + x.
Example Fun1EqFun2: fun1 = fun2.
Proof.
unfold fun1, fun2.
Fail setoid_rewrite Nat.add_comm.
Abort.
Require Import FunctionalExtensionality.
(* This is derived from the error message of setoid_rewrite above *)
Global Instance:
forall (A B : Type),
Proper
(#pointwise_relation A B eq ==>
#pointwise_relation A B eq ==> Basics.flip Basics.impl) eq.
Proof.
(* See what all this Setoid stuff actually means ... *)
unfold Proper, pointwise_relation, respectful, Basics.flip, Basics.impl.
intros A B f g fgeq f' g' fg'eq gg'eq.
apply functional_extensionality.
intros x.
rewrite fgeq, fg'eq, gg'eq.
reflexivity.
Qed.
Theorem eq_arg (A B : Type) (f : A -> B) : f = (fun x => f x). reflexivity. Qed.
Lemma functional_extensionality' :
forall (A B : Type), forall (f g : A -> B),
(forall a : A, (f a) = (g a)) -> f = g.
Proof.
intros.
setoid_rewrite eq_arg at 2.
setoid_rewrite H.
reflexivity.
Qed.
I am a beginner at coq.
I do not know the meaning of intros [=] and intros [= <- H] . and I could not find an easy explanation. Would someone explain these two to me please?
Regards
The documentation for this is here. I will add a little explanation note.
The first historical use of intro patterns is to decompose data that is packed in inductive objects on the fly. Here is a first easy example (tested with coq 8.13.2).
Lemma forall A B, A /\ B -> B /\ A.
Proof.
If you run the tactic intros A B H then the hypothesis H will be a proof of A /\ B. Morally, this contains knowledge that A holds, but it cannot be used as such, because it is a proof of a stronger fact. It is often the case that users want directly to decompose this hypothesis, this would normally be done by typing destruct H as [Ha Hb]. But if you know right away that you will not keep hypothesis H, why not find a shorter expression. This is what the intro pattern is used for.
So you type the following command and have the resulting goal:
Intros A B [Ha Hb].
(* resulting goal
A, B : Prop
Ha : A
Hb : B
============================
B /\ A
*)
Abort.
I will not finish this proof. But you get the idea of what intro patterns are for: decompose information on the fly when inductive types (like conjunction here) pack several pieces of information together.
Now, equality information also can pack several pieces of information together. Assume now that we are working with lists of natural numbers and we have the following equality.
Require Import List.
Lemma intro_pattern_example2 n m p q l1 l2 :
(n :: S m :: l1) = (p :: S q :: l2) -> q :: p :: l2 = m :: n :: l1.
The equality in the left-hand side of the implication is an equality between two lists, but it actually packs several more elementary pieces of information: n = p, m = q, and l1 = l2. If you just type intros H, you obtain the equality between two lists of length 3, but if you type intros [=], you ask the proof system to explore the structure of each equality member and check when constructors appear so that the smaller pieces of information can be placed in separate hypothesis instead of the big one. This is a short hand for the use of the injection tactic. Here is the example.
intros [= Hn Hm Hl1].
(*resulting goal:
n, m, p, q : nat
l1, l2 : list nat
Hn : n = p
Hm : m = q
Hl1 : l1 = l2
============================
q :: p :: l2 = m :: n :: l1
*)
So you see, this intro pattern unpacks information that would otherwise be stuck in a more complex hypothesis.
Now, when an hypothesis is an equality, there is another action you might want to perform right away. You might want to rewrite with it. In intro patterns, this is done by replacing the name you would give to that equality with an arrow. Let's test this on the previous goal.
Undo.
intros [= -> -> ->].
(* resulting goal
p, q : nat
l2 : list nat
============================
q :: p :: l2 = q :: p :: l2
*)
Now this goal can be solved quickly with reflexivity, trivial, or auto. Please note that the hypotheses were used to rewrite, but they were not kept in the goal context, so this possibility to rewrite directly from the intro pattern has to be used with caution, because you are actually losing some information.
The [= ] intro pattern is used especially for equalities and when both members are datatype constructors. It exploits the natural injectivity property of these constructors. there is another property that is respected by datatype constructors. It is the fact that two pieces of data with different head constructors can never be equal. This is exploited in Coq by the discriminate tactic. The [=] intro pattern is shorthand for both the injection and discriminate tactics.
If I have a hypothesis in my proof context that looks like H: True -> P and I want to convert it to H: P, what's the easiest way to do this? I tried simpl in H but it does nothing, and the only way I've found is the extremely unsatisfactory pose proof (H Coq.Init.Logic.I) as H. Isn't there a simpler way?
There are two ways to work with this, besides using pose proof.
Using specialize.
This tactics allows you to provide arguments to you hypotheses.
In you case you could do
specialize (H I).
or even
specialize H with (1 := I).
and you can use as if you want to create a copy rather than instantiate H directly.
Using forward.
I think this is what you want here. forward H. will ask you to prove the first hypothesis of H. So you will do something like this:
forward H.
- auto.
- (* Then resume with H : P *)
but you can also provide it with a (goal-closing) tactic:
forward H by auto.
(* Now you have one goal, and H has type P *)
forward is—as of yet—not part of the standard library. It can however be defined pretty easily (here is the definition from the MetaCoq library).
Ltac forward_gen H tac :=
match type of H with
| ?X -> _ => let H' := fresh in assert (H':X) ; [tac|specialize (H H'); clear H']
end.
Tactic Notation "forward" constr(H) := forward_gen H ltac:(idtac).
Tactic Notation "forward" constr(H) "by" tactic(tac) := forward_gen H tac.
Note that simpl here doesn't work because it's not really a tactic to simplify hypotheses in the usual sense, it's really just a tactic to apply some computation rules, it basically evaluates the goal or the hypothesis you apply it on. True -> P does not reduce to P because it would then take one fewer argument.
I wanted to see a few hands on examples of Coq proofs of the form:
\exists A(x1,...,xn)
essentially where the Goal had an existential quantifier. I was having issues manipulating the goal in meaningful ways to make progress in my proof and wanted to see a few examples of common tactics to manipulate.
What are some good existential quantifiers examples in Coq to prove?
My specific example I had:
Theorem Big_Small_ForwardImpl :
forall (P : Program) (S' : State),
(BigStepR (B_PgmConf P) (B_StateConf S')) -> (ConfigEquivR (S_PgmConf P) (S_BlkConf EmptyBlk S')).
Proof.
intros.
induction P.
unfold ConfigEquivR.
refine (ex_intro _ _ _) .
my context and goals was:
1 subgoal
l : list string
s : Statement
S' : State
H : BigStepR (B_PgmConf (Pgm l s)) (B_StateConf S')
______________________________________(1/1)
exists N : nat, NSmallSteps N (S_PgmConf (Pgm l s)) (S_BlkConf EmptyBlk S')
but then changed to:
1 subgoal
l : list string
s : Statement
S' : State
H : BigStepR (B_PgmConf (Pgm l s)) (B_StateConf S')
______________________________________(1/1)
NSmallSteps ?Goal (S_PgmConf (Pgm l s)) (S_BlkConf EmptyBlk S')
after using the refine (ex_intro _ _ _) tactic. Since I am not sure what is going on I was hoping some simpler examples could show me how to manipulate existential quantifiers in my Coq goal.
helpful comment:
The ?Goal was introduced by Coq as a placeholder for some N that will have to be deduced later in the proof.
The following example is based on the code provided in this answer.
Suppose we have a type T and a binary relation R on elements of type T. For the purpose of this example, we can define those as follows.
Variable T : Type.
Variable R : T -> T -> Prop.
Let us prove the following simple theorem.
Theorem test : forall x y, R x y -> exists t, R x t.
Here is a possible solution.
Proof.
intros. exists y. apply H.
Qed.
Instead of explicitly specifying that y is the element we are looking for, we can rely on Coq's powerful automatic proof mechanisms in order to automatically deduce which variable satisfies R x t:
Proof.
intros.
eexists. (* Introduce a temporary placeholder of the form ?t *)
apply H. (* Coq can deduce from the hypothesis H that ?t must be y *)
Qed.
There exist numerous tactics that make ise of the same automated deduction mechanisms, such as eexists, eapply, eauto, etc.
Note that their names often correspond to usual tactics prefixed with an e.
I'm trying to use MSet library in a Coq development and I need a map function, which is absent from the library, but can be implemented using fold, as usual.
In the following gist, I've put a simplification of what I'm working on, full of axioms, just to get straight to the point.
My problem is to prove a property of the following map function:
Definition map (f : Exp -> Exp) s
:= MSet.fold (fun a ac => MSet.add (f a) ac) MSet.empty s.
Which uses fold from Coq MSet library. The property that I want to show is:
Lemma map_lemma : forall s f e, In e (map f s) -> exists e', In e' s /\ e = f e'.
Proof.
induction s using set_induction ; intros ; try fsetdec.
Which is intended to show that if an element e in the set map f s, then exists another element e' in s, s.t. e = f e'. My difficulty is to prove the inductive case, since the induction hypothesis produced by set_induction does not seems useful at all.
Could someone provide me any clues on how should I proceed?
First, I think there is a problem in your definition of smap. You must swap MSet.empty and s, otherwise you can prove:
Lemma snap_trivial : forall f s, smap f s= s.
Proof.
intros. reflexivity.
Qed.
With the right definition, you can use the fold_rec lemma that is adapted to this kind of goal.