I want to write proofs of the statement "for all x there exist a y such that x < y and y is even ".
I tried in this way...
-- ll means less function i.e ' < '
_ll_ : ℕ → ℕ → Bool
0 ll 0 = false
0 ll _ = true
a ll 0 = false
(suc a) ll (suc b) = a ll b
even : ℕ → Bool
even 0 = true
even 1 = false
even (suc (suc n)) = even n
Teven : Bool → Set
Teven true = ⊤
Teven false = ⊥
thm0 : (x : ℕ) → Σ[ y ∈ ℕ ] (Teven ( and (x ll y) (even y)))
thm0 0 = suc (suc zero) , record {}
thm0 (suc a) = ?
for the last line i.e for 'suc a' agda is not able to find solution. I once tried by writing 2 * suc a , record {}. But this is also not working. Any help will be appreciated.
What you actually want is to do two steps at once.
The problem with this kind of definitions is something that is called "boolean blindness" - by encoding your propositions as booleans, you lose any kind of useful information they contain. The effect is that you have to rely on normalization to (hopefully) do its thing, you cannot help Agda in any other way (say by pattern matching on proof terms).
However, in your case, you can change the definition of thm0 slightly to help Agda with normalization. even makes two suc steps in every recursion step - you can make thm0 do two steps as well.
Let's take a look:
thm0 : ∀ x → ∃ λ y → Teven ((x ll y) ∧ (even y))
thm0 zero = suc (suc zero) , tt
Two new cases are for suc zero (also known as 1):
thm0 (suc zero) = suc (suc zero) , tt
And for suc (suc x'):
thm0 (suc (suc x') = ?
Now, if we knew that y (the one you existentially quantified over) is suc (suc y') for some other y', Agda could normalize even y to even y' (this is just following the definition). Same deal with the "less-than" proof - once you know that x = suc (suc x') and y = suc (suc y') for some y' (x' we already know), you can reduce x ll y to x' ll y'.
So the choice for y is simple... but how do we get y' (and the proof, of course)? We can use induction (recursion) and apply thm0 to x'! Remember that given x', thm0 returns some y' together with a proof that even y' and x' ll y' - this is precisely what we need.
thm0 (suc (suc a)) with thm0 a
... | y' , p = ?
Then we simply plug in y = suc (suc y') and p (as stated above, (x ll y) ∧ even y reduces to (x' ll y') ∧ even y', which is p).
Final code:
thm0 : ∀ x → ∃ λ y → Teven ((x ll y) ∧ (even y))
thm0 zero = suc (suc zero) , tt
thm0 (suc zero) = suc (suc zero) , tt
thm0 (suc (suc x')) with thm0 x'
... | y' , p = suc (suc y') , p
However, that being said, I'd advice against this. Do not encode your propositions as booleans and then use them at the type level via Teven. This really only works for simple things and cannot be extended to more complicated propositions. Instead, try explicit proof terms:
data _less-than_ : ℕ → ℕ → Set where
suc : ∀ {x y} → x less-than y → x less-than suc y
ref : ∀ {x} → x less-than suc x
data Even : ℕ → Set where
zero : Even 0
suc-suc : ∀ {x} → Even x → Even (2 + x)
thm0 can be then written using a simple lemma:
something-even : ∀ n → Even n ⊎ Even (suc n)
something-even zero = inj₁ zero
something-even (suc n) with something-even n
... | inj₁ x = inj₂ (suc-suc x)
... | inj₂ y = inj₁ y
(this states that either n is even or its successor is even). In fact, thm0 can be implemented without using recursion!
thm0 : ∀ x → ∃ λ y → Even y × x less-than y
thm0 n with something-even n
... | inj₁ x = suc (suc n) , suc-suc x , suc ref
... | inj₂ y = suc n , y , ref
Funnily enough, when I wrote this definition, I just pattern matched on something-even (suc n) and used C-a (autocomplete) to fill in the right sides! When given enough hints, Agda can write the code without my help.
Related
I am trying to prove the following lemma (which is the meaning formula for the addition of two Binary numerals).
It goes like this :
lemma (in th2) addMeaningF_2: "∀m. m ≤ n ⟹ (m = (len x + len y) ⟹ (evalBinNum_1 (addBinNum x y) = plus (evalBinNum_1 x) (evalBinNum_1 y)))"
I am trying to perform strong induction. When I apply(induction n rule: less_induct) on the lemma, it throws an error.
exception THM 0 raised (line 755 of "drule.ML"):
infer_instantiate_types: type ?'a of variable ?a
cannot be unified with type 'b of term n
(⋀x. (⋀y. y < x ⟹ ?P y) ⟹ ?P x) ⟹ ?P ?a
Can anyone explain this?
Edit:
For more context
locale th2 = th1 +
fixes
plus :: "'a ⇒ 'a ⇒ 'a"
assumes
arith_1: "plus n zero = n"
and plus_suc: "plus n (suc m) = suc ( plus n m)"
len and evalBinNum_1 are both recursive functions
len gives us the length of a given binary numeral, while evalBinNum_1 evaluates binary numerals.
fun (in th2) evalBinNum_1 :: "BinNum ⇒ 'a"
where
"evalBinNum_1 Zero = zero"|
"evalBinNum_1 One = suc(zero)"|
"evalBinNum_1 (JoinZero x) = plus (evalBinNum_1 x) (evalBinNum_1 x)"|
"evalBinNum_1 (JoinOne x) = plus (plus (evalBinNum_1 x) (evalBinNum_1 x)) (suc zero)"
The problem is that Isabelle cannot infer the type of n (or the bound occurrence of m) when trying to use the induction rule less_induct. You might want to add a type annotation such as (n::nat) in your lemma. For the sake of generality, you might want to state that the type of n is an instance of the class wellorder, that is, (n::'a::wellorder). On another subject, I think there is a logical issue with your lemma statement: I guess you actually mean ∀m. m ≤ (n::nat) ⟶ ... ⟶ ... or, equivalently, ⋀m. m ≤ (n::nat) ⟹ ... ⟹ .... Finally, it would be good to know the context of your problem (e.g., there seems to be a locale th2 involved) for a more precise answer.
I am an isabelle noob. I have a sublocale that gives me subgoals that have bound variables. The subgoals are exact copies of assumptions I have inside some other locales. When I instantiate them, they can only be done with free variables. How do I work around this issue?
Given here are my subgoals
1. ⋀n. plus n zero = n
2. ⋀n m. plus n (suc m) = suc (plus n m)
3. ⋀n. times n zero = zero
4. ⋀n m. times n (suc m) = plus (times n m) n
5. ⋀x. (zero = zero ∨ (∃m. suc m = zero)) ∧
(x = zero ∨ (∃m. suc m = x) ⟶
suc x = zero ∨ (∃m. suc m = suc x)) ⟶
(∀x. x = zero ∨ (∃m. suc m = x))
Here is an (just a few) of the assumptions I will need to use
locale th2 = th1 +
fixes
plus :: "'a ⇒ 'a ⇒ 'a"
assumes
arith_1: "plus n zero = n"
and plus_suc: "plus n (suc m) = suc ( plus n m)"
Any reference to the assumptions ends up having schematic variables and I can only replace them with free variables. How do I deal with the issue?
Any help is widely appreciate
Your locale definition does not mean what you think it does.
In your definition:
assumes
arith_1: "plus n zero = n"
and plus_suc: "plus n (suc m) = suc ( plus n m)"
means that n and m are fixed in the entire locale. What you really want is:
assumes
arith_1: "⋀n. plus n zero = n"
and plus_suc: "⋀n m. plus n (suc m) = suc ( plus n m)"
This seems a bit strange at first, because it is the same behavior as for the theorems, but not the most natural one.
I want to increment a binary value by one, but I'm still not very familiar with how recursion in agda works.
Why aren't I getting the right output here?
Bin Type Definition
data Bin : Set where
⟨⟩ : Bin
_O : Bin → Bin
_I : Bin → Bin
My increment function
inc : Bin → Bin
inc ⟨⟩ = ⟨⟩ I
inc (x O) = ⟨⟩ I
inc (x I) = (inc x) I
A quick correction of your algorithm
Your increment function is not correct. Considering your definition of binary numbers:
data Bin : Set where
⟨⟩ : Bin
_O : Bin → Bin
_I : Bin → Bin
Your increment function should be written as follows:
inc : Bin → Bin
inc ⟨⟩ = ⟨⟩ I
inc (x O) = x I
inc (x I) = (inc x) O
When the right number is zero, you just replace it by one, but you must not forget to keep the left part of the number.
When the right number is 1, you have to keep incrementing its left part, but you also need to transform this 1 into a 0.
A quick validation of the new algorithm
But, don't take my word for it, let us try and (partially) validate our function. After all, we are in a proof assistant, aren't we ?
A good way to validate such a function is to assess which property it should provide. The result of your incremental function has to be equal to 1 plus its input value. Agda provides natural numbers so let us transform your binary numbers into naturals to check such a property. First, some imports:
open import Data.Nat
open import Data.Nat.Properties
open import Relation.Binary.PropositionalEquality
Then a function which transforms a binary number into a natural number:
_↑ : Bin → ℕ
⟨⟩ ↑ = 0
(x O) ↑ = x ↑ + x ↑
(x I) ↑ = suc (x ↑ + x ↑)
Finally, our validation property:
prop : ∀ {b} → (inc b) ↑ ≡ suc (b ↑)
prop {⟨⟩} = refl
prop {b O} = refl
prop {b I} rewrite prop {b} | +-suc (b ↑) (b ↑) = refl
This validation is of course incomplete (by nature) but at least it gives you confidence in your algorithm. You should always try and prove such assumptions when writing algorithms, which is the whole point of Agda (well, not the whole point, but at least part of it).
More on validation
To further make my point, I decided to try and keep validating your representation of binary numbers by implementing the reciprocal transformation from naturals to binary numbers:
_↓ : ℕ → Bin
zero ↓ = ⟨⟩
suc n ↓ = inc (n ↓)
We can directly prove that the two transformations are reciprocal when going up then down:
↑↓ : ∀ {n} → (n ↓) ↑ ≡ n
↑↓ {zero} = refl
↑↓ {suc n} rewrite prop {n ↓} | ↑↓ {n} = refl
Then I tried to do the other way around:
↓↑ : ∀ {b} → (b ↑) ↓ ≡ b
↓↑ {⟨⟩} = refl
↓↑ {b O} rewrite prop₂ {b ↑} rewrite ↓↑ {b} = refl
↓↑ {b I} rewrite prop₂ {b ↑} rewrite ↓↑ {b} = refl
This side needs prop₂ which has the following signature:
prop₂ : ∀ {n} → (n + n) ↓ ≡ (n ↓) O
This property should be true (in the sense that the binary numbers as we think of them should satisfy it), but it cannot be proven in your formalism because you can represent zero in an infinite number of ways, and all these ways are not prepositionally equal (for instance, the first case of prop₂ when n is equal to 0 requires to prove ⟨⟩ ≡ (⟨⟩ O) which cannot be proven).
All in all, validation not only allows us to find faulty algorithms (or to prove algorithms correct) but it can also reveal inconsistencies or mistakes in the basics of our theories themselves (even though in this case, a quick look could have been enough to see that 0 can be represented an infinite number of different manners).
As a side note, I am not saying that there should always be a single way of representing a specific element of an abstract data type, but it surely helps, especially when working with propositional equality, which is very often required.
On another side note, I am sorry if I got a little carried away but I find these kind of topics very enlightening regarding the use of proof assistants and formal validation.
Please feel free to ask for any further explanation.
The complete (and incomplete in a way) code
module BinaryNumber where
open import Data.Nat
open import Data.Nat.Properties
open import Relation.Binary.PropositionalEquality
data Bin : Set where
⟨⟩ : Bin
_O : Bin → Bin
_I : Bin → Bin
inc : Bin → Bin
inc ⟨⟩ = ⟨⟩ I
inc (x O) = x I
inc (x I) = (inc x) O
_↑ : Bin → ℕ
⟨⟩ ↑ = 0
(x O) ↑ = x ↑ + x ↑
(x I) ↑ = suc (x ↑ + x ↑)
prop : ∀ {b} → (inc b) ↑ ≡ suc (b ↑)
prop {⟨⟩} = refl
prop {b O} = refl
prop {b I} rewrite prop {b} | +-suc (b ↑) (b ↑) = refl
_↓ : ℕ → Bin
zero ↓ = ⟨⟩
suc n ↓ = inc (n ↓)
↑↓ : ∀ {n} → (n ↓) ↑ ≡ n
↑↓ {zero} = refl
↑↓ {suc n} rewrite prop {n ↓} | ↑↓ {n} = refl
prop₂ : ∀ {n} → (n + n) ↓ ≡ (n ↓) O
prop₂ {zero} = {!!}
prop₂ {suc n} = {!!}
↓↑ : ∀ {b} → (b ↑) ↓ ≡ b
↓↑ {⟨⟩} = refl
↓↑ {b O} rewrite prop₂ {b ↑} rewrite ↓↑ {b} = refl
↓↑ {b I} rewrite prop₂ {b ↑} rewrite ↓↑ {b} = refl
The standard library
As a last remark, the binary numbers are present in the standard library in the file Data.Nat.Binary.Base with the associated properties (in particular the properties of reciprocity which are not provable in your representation) in the file Data.Nat.Binary.Properties if you feel like looking how they are implemented there.
When we define inc as Bin → Bin, we are saying that it takes values of type Bin and returns values of the same type i.e. Bin.
Since we have 3 constructors available for creating Bin, all the values of type Bin would have one of the following 3 forms:
⟨⟩
b I where b is some value of type Bin
b O where b is some value of type Bin
For case 1, since ⟨⟩ stands for zero.
inc ⟨⟩ = ⟨⟩ I
For case 2, we know that adding one to a number ending with zero will just change the last digit to one, so
inc (x O) = x I
and for case 3, when a number is ending with 1, on incrementing it we get zero at the end, and carryover is generated that needs to be passed forward. Carryover can be passed by using our same inc function. Assuming (inc x) gives a binary number, we take that output and append zero at the end.
inc (x I) = (inc x) O
Also, just to extent upon the excellent answer given by MrO, who correctly pointed out that since there are infinitely many ways to represent zeros (and all numbers)
(b ↓) ↑ = b
can't be proved for b with leading zeros before the first significant digit. But if we restrict domain of ↓↑ to only binary numbers which are only canonical i.e binary number without any leading zeros, proof can be derived.
Proof of (b ↓) ↑ = b for canonical b
Extending MrO's code,
module BinaryNumber where
open import Data.Nat
open import Data.Nat.Properties
open import Relation.Binary.PropositionalEquality
open Relation.Binary.PropositionalEquality.≡-Reasoning
data Bin : Set where
⟨⟩ : Bin
_O : Bin → Bin
_I : Bin → Bin
inc : Bin → Bin
inc ⟨⟩ = ⟨⟩ I
inc (x O) = x I
inc (x I) = (inc x) O
_↑ : Bin → ℕ
⟨⟩ ↑ = 0
(x O) ↑ = x ↑ + x ↑
(x I) ↑ = suc (x ↑ + x ↑)
prop : ∀ {b} → (inc b) ↑ ≡ suc (b ↑)
prop {⟨⟩} = refl
prop {b O} = refl
prop {b I} rewrite prop {b} | +-suc (b ↑) (b ↑) = refl
_↓ : ℕ → Bin
zero ↓ = ⟨⟩ O
suc n ↓ = inc (n ↓)
↑↓ : ∀ {n} → (n ↓) ↑ ≡ n
↑↓ {zero} = refl
↑↓ {suc n} rewrite prop {n ↓} | ↑↓ {n} = refl
-- One b -> b start with ⟨⟩ I
data One : Bin → Set where
first : One (⟨⟩ I)
nextO : ∀ { b : Bin }
→ One b
------------
→ One (b O)
nextI : ∀ { b : Bin }
→ One b
------------
→ One (b I)
-- Can i.e Canonical representing binary numbers without extras leading zeros after ⟨⟩. For e.g ⟨⟩ O O I I and ⟨⟩ I I both represents binary form of number 3 but only ⟨⟩ I I is the canonical
data Can : Bin → Set where
startWithZero : Can (⟨⟩ O)
startWithOne : ∀ {b : Bin }
→ One b
------------
→ Can b
-- If m ≤ n then m ≤ (n + 1)
≤-sucʳ : ∀ {m n : ℕ }
→ m ≤ n
-----------
→ m ≤ suc n
≤-sucʳ z≤n = z≤n
≤-sucʳ (s≤s m≤n) = s≤s (≤-sucʳ m≤n)
-- If m ≤ n then m ≤ (n + p)
≤-addʳ : ∀ (m n p : ℕ)
→ m ≤ n
--------
→ m ≤ n + p
≤-addʳ m n zero m≤n rewrite +-comm n zero = m≤n
≤-addʳ m n (suc p) m≤n rewrite +-comm n (suc p) | +-comm p n = ≤-sucʳ (≤-addʳ m n p m≤n)
-- If a natural number n has eqivalent binary form (⟨⟩ I b) then 1 ≤ n
1-≤-oneb : ∀ { b : Bin }
→ One b
---------
→ suc zero ≤ b ↑
1-≤-oneb first = s≤s z≤n
1-≤-oneb {b O} (nextO oneb) = ≤-addʳ 1 ((b ↑)) ((b ↑)) (1-≤-oneb oneb)
1-≤-oneb {b I} (nextI oneb) = ≤-sucʳ (≤-addʳ 1 ((b ↑)) ((b ↑)) (1-≤-oneb oneb))
-- If 0 ≤ (n + 1) then 1 ≤ n
0-≤-suc : ∀ (n : ℕ)
→ 0 ≤ suc n
-----------
→ 1 ≤ suc n
0-≤-suc n z≤n = s≤s z≤n
-- If 1 ≤ n and binary form of n is b then binary form of (n + n) using ↓ is b O
↓-over-+ : ∀ (n : ℕ)
→ 1 ≤ n
-----------------------
→ (n + n) ↓ ≡ (n ↓) O
↓-over-+ (suc zero) s≤n = refl
↓-over-+ (suc (suc n)) (s≤s s≤n) = begin
(suc (suc n) + (suc (suc n))) ↓
≡⟨⟩
inc (( suc n + (suc (suc n))) ↓)
≡⟨ cong (inc) (cong (_↓) (+-comm (suc n) (suc (suc n)))) ⟩
inc (inc ((suc n + suc n) ↓))
≡⟨ cong (inc) (cong inc (↓-over-+ (suc n) (0-≤-suc n s≤n))) ⟩
refl
-- For all binary numbers that are canonical, ↑↓ is identity (returns same b)
↑↓-canb : ∀ ( b : Bin )
→ Can b
--------------
→ (b ↑) ↓ ≡ b
↑↓-canb _ startWithZero = refl
↑↓-canb _ (startWithOne first) = refl
↑↓-canb (b O) (startWithOne (nextO x)) rewrite ↓-over-+ (b ↑) (1-≤-oneb x) | ↑↓-canb b (startWithOne x) = refl
↑↓-canb (b I) (startWithOne (nextI x)) rewrite ↓-over-+ (b ↑) (1-≤-oneb x) | ↑↓-canb b (startWithOne x) = refl
My code:
law : ∀ a x → ((suc a) * (suc a) ÷ (suc a) ⟨ x ⟩) →ℕ ≡ (suc a , refl)
law a x = refl
I think there's too many suc a and I want to give an alias to suc a, something like (this code just describes my idea, it doesn't compile):
law : ∀ a x → ((s : suc a) * s ÷ s ⟨ x ⟩) →ℕ ≡ (s , refl)
law a x = refl
Can I achieve that?
Sure. You can use let
law : ∀ a x → let s = suc a in (s * s ÷ s ⟨ x ⟩) →ℕ ≡ (s , refl)
law a x = refl
or define an anonymous module:
module _ (a : ℕ) where
s = suc a
law : ∀ x → (s * s ÷ s ⟨ x ⟩) →ℕ ≡ (s , refl)
law x = refl
Outside of the module law has the same type signature as the one you provided.
I am pretty new to Agda. I am working on a question from the assignment. I have got most of it but there is one goal on which i am stuck.
data Arith : Set where
Num : ℕ → Arith
Plus : Arith → Arith → Arith
Times : Arith → Arith → Arith
eval : Arith → ℕ
eval (Num x) = x
eval (Plus e1 e2) = eval e1 + eval e2
eval (Times e1 e2) = eval e1 * eval e2
data Even : ℕ → Set where
zEven : Even 0
ssEven : {n : ℕ} → Even n → Even (suc (suc n))
-- [PROBLEM 1]
plusEven : ∀ n m → Even n → Even m → Even (n + m)
plusEven zero m x x₁ = x₁
plusEven (suc zero) m () x₁
plusEven (suc (suc .0)) m (ssEven zEven) x₁ = ssEven x₁
plusEven (suc (suc ._)) m (ssEven (ssEven x)) x₁ = ssEven (ssEven (plusEven _ m x x₁ ))
-- [PROBLEM 2]
timesEven : ∀ n m → Even n → Even m → Even (n * m)
timesEven zero m x x₁ = zEven
timesEven (suc ._) zero (ssEven x) x₁ = (timesEven _ zero x x₁)
timesEven (suc ._) (suc ._) (ssEven x) (ssEven x₁) = ssEven ((λ h → {!!}) (timesEven _ _ x x₁))
The goal I have to prove is
Goal: Even (.n₁ + suc (suc (.n₁ + .n * suc (suc .n₁))))
I feel that I have to use plusEven some how. But the goal does not look that straightforward. Have I made the problem difficult for me? or am I on the right track? Is there an easier way to do this? I don't want the solution to this. But a push in the right direction would be appreciated. I have been stuck on this for a while now.
If n is even, then n * m is even too, so it's irrelevant whether m is even or not and hence you should just throw away this constraint. So the actual theorems are (I made n and m implicit, because this is convenient)
timesEvenLeft : ∀ {n m} → Even n → Even (n * m)
timesEvenRight : ∀ {n m} → Even m → Even (n * m)
You can prove that n * m ≡ m * n and derive the latter theorem from the former. Hence it only remains to prove the first one. In the recursive case you need to prove Even (suc (suc n) * m) (which reduces to Even (m + (m + n * m)) having Even (n * m) (the induction hypothesis) in scope. For this you'll need yet another lemma:
plusDoubleEven : ∀ {n} m → Even n → Even (m + (m + n))
I really liked the answers posted here and they helped me a lot. But I cannot change the question given in the assignment. I used the answers posted to come up with a solution to the problem. It took me a while and it looks a little messy but it works. Thought i'd post it here too.
timesEven : ∀ n m → Even n → Even m → Even (n * m)
timesEven zero m x x₁ = zEven
timesEven (suc zero) m () x₁
timesEven (suc (suc n)) zero (ssEven x) x₁ = timesEven n zero x x₁
timesEven (suc (suc n)) (suc zero) x ()
timesEven (suc (suc n)) (suc (suc m)) (ssEven x) (ssEven x₁) = ssEven ((λ h → plusEven m (suc (suc (m + n * suc (suc m)))) x₁ (ssEven (plusEven m (n * suc (suc m)) x₁ h))) (timesEven n (suc (suc m)) x (ssEven x₁)))
It's probably not what is expected of you for this homework but a clean way to deal with these lemmas without doing too much work is, as hinted at by #user3237465, to reuse well-known properties of the natural numbers.
One way to get more out of these well-known properties is to introduce an alternative definition of Even which you can prove equivalent to the inductive one:
data Even : ℕ → Set where
zEven : Even 0
ssEven : {n : ℕ} → Even n → Even (suc (suc n))
record Even′ (n : ℕ) : Set where
constructor mkEven′
field factor : ℕ
.equality : n ≡ factor * 2
open Even′
Even⇒Even′ : {n : ℕ} → Even n → Even′ n
(...)
Even′⇒Even : {n : ℕ} → Even′ n → Even n
(...)
You can then prove plusEven and timesEven(Right/Left) by using equational reasoning, reusing lemmas from the standard library. For instance the proof of plusEven becomes:
plusEven′ : ∀ n m → Even′ n → Even′ m → Even′ (n + m)
plusEven′ n m (mkEven′ p Hp) (mkEven′ q Hq) = mkEven′ (p + q) eq where
.eq : n + m ≡ (p + q) * 2
eq = begin
n + m ≡⟨ cong₂ _+_ Hp Hq ⟩
p * 2 + q * 2 ≡⟨ sym (distribʳ-*-+ 2 p q) ⟩
(p + q) * 2
∎
plusEven : ∀ n m → Even n → Even m → Even (n + m)
plusEven n m en em = Even′⇒Even (plusEven′ n m (Even⇒Even′ en) (Even⇒Even′ em))
Here is a gist with all the right imports and all the proofs.