title | date | tags | abstract | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
[Final Coq Project] Coherence of Heyting's arithmetic |
2018-04-10 |
|
Proofs assistants Coq project |
The aim of this project is to prove the coherence of Heyting first order arithmetic (denoted by
Recall that a proposition
Of course,
P \/ ~P
(of type or
, itself of type Prop
), but there also exists the notation
{P} + {~P}
(of type sumbool
, itself of type Type
).
All the elementary comparison arithmetic operators are decidable. As it happens, we will especially use the following elements of the Coq Standard Library:
le_lt_dec : forall n m : nat, {n <= m} + {m < n}
nat_compare : nat -> nat -> comparison
nat_compare_spec : forall x y, CompSpec eq lt x y (nat_compare x y)
The type of le_lt_dec
enables us to directly use it to construct a term with the if ... then ... else
statement. For a goal where there is a subterm of the form
if le_lt_dec x y then ... else ...
a case analysis can be done by using
destruct (le_lt_dec x y)
this generates two subgoals: the first one corresponding to the x <= y
case, and the second one to y < x
.
The nat_compare
function is little bit more general: it returns an object of type comparison
, different in the three possible cases. For a goal where there is a subterm of the form
match nat_compare x y with ...
a case analysis can be done by using the tactic
destruct (nat_compare_spec x y)
which generates three subgoals, corresponding to the three possible cases: x=y
, x<y
, and x>y
It is also possible to use
case_eq (nat_compare x y)
and then specific lemmas for each case (which can be found with the command SearchAbout
). A case nat_compare
can also be useful.
Certain fragments of arithmetic can be decidable, and there exist some tactics to solve them. The proofs in this project resort to one of these fragments: Presburger arithmetic.
Presburger arithmetic roughly corresponds to Peano first order arithmetic where there is nothing but addition. In Coq, the omega
tactic solves a significant part thereof. In particular, all the goals involving only additions and comparisons can be directly proved. As a matter of fact, this tactic makes use of the associativity and commutativity of addition, of the transitivity of inequalities, and of existing compatibilities between the addition and inequalities.
For more details, refer to the Coq reference manual.
-
In this project, automatic tactics such as
auto
andintuition
are allowed -
The
f_equal
tactic can help proving equalities of the formf x ... = f x' ...
by proving equalities between arguments:x=x'
, and so on... -
The
simpl
tactic simply expands the definitions and compute. -
It can happen that one wishes to convert a subterm into another one which is definitionally equal. This can be done with the
change
tactic. -
The
replace
tactic replaces a subterm by another, provided that both are provably equal. -
The
set
andpose
tactics give names to subterms (by setting local definitions). They come in handy when it comes to clarifying a goal, or simplifying the names of the arguments of certain tactics. -
Lemmas dealing with logical equivalences are conveniently usable with the
apply
tactic. For instance, if you have a lemmafoe: A <--> B
, thenapply <- foe
orapply -> foe
applies a direction of the equivalence. It is also possible to userewrite
(as well as for the equality) after loading theSetoid
library. -
There exists an
admit
tactic to admit a subgoal without proving it. For obvious reasons, using this tactic is not recommended, but it can still prove convenient when it comes to focusing on specific parts of a proof. It goes without saying that the final mark with highly depend on the number ofAxiom
(andParameter
),admit
andAdmitted
remaining in the code. -
The
Print Assumption
command identifies all the axioms used in the proof of a proposition.
All the expected definitions and lemmas are explicitely asked and mentioned in the questions of this problem statement. It is not necessary to prove everything in order: a lemma can be proven with the purpose of proving another subsequent one. However, the order of the statements has to be respected.
It is of course allowed to introduce new intermediate lemmas other than the ones stated in this problem statement (but at least these stated lemmas have to be proven).
In this section, one defines the object language to study, i.e. the notions of terms, formulas, and derivation (and hence theorem) of
For the sake of simplicity, we limit ourselves to the Peano language, even though everything that is done here could be more general, as seen in class.
The first order terms involve free variables and bound (by quantifiers) ones. The definition of substitution is nettlesome owing to variable binding:
In this setting, a variable is encoded by a number: the number of quantifiers above it (i.e. its ancestors), in the syntax tree of the formula. Free variables are variables which go "too high" in the tree. The type of terms is:
Inductive term :=
| Tvar : nat -> term
| Tzero : term
| Tsucc : term -> term
| Tplus : term -> term -> term
| Tmult : term -> term -> term.
and the type of formulas:
Inductive formula :=
| Fequal : term -> term -> formula
| Ffalse : formula
| Fand : formula -> formula -> formula
| For : formula -> formula -> formula
| Fimplies : formula -> formula -> formula
| Fexists : formula -> formula
| Fforall : formula -> formula.
Therefore, with this encoding, the formula:
is represented by:
Fforall (Fexists (Fequal (Tvar 1) (Tmult (Tsucc Tzero) (Tvar 0))))
This representation has the advantage that two tlift
and flift
functions, as well as a series of provided lemmas. Look closely at these, you will need them later.
With De Bruijn indices, the notion of set of free variables seen in class is replaced by an upper bound for all the variables appearing in the expression. The predicate cterm n t
means that all the variables of t
are stricly lower than n
. Beware though: quantifiers are taken into account. Going through a quantifier increments the upper bound by one. The cterm
and cformula
predicates are inductively defined.
Lemma cterm_1 : forall n t, cterm n t ->
forall n', n <= n' -> cterm n' t.
Lemma cterm_2 : forall n t, cterm n t ->
forall k, tlift k t n = t.
Lemma cterm_3 : forall n t, cterm n t ->
forall t' j, n <= j -> tsubst j t' t = t.
Lemma cterm_4 : forall n t, cterm (S n) t ->
forall t', cterm 0 t' -> cterm n (tsubst n t' t).
The first proof is done by induction on the term and by analysing the constructors of the inductive predicate cterm
with inversion
.
Lemma cterm_1 : forall n t, cterm n t -> forall n', n <= n' -> cterm n' t.
Proof.
intros; induction t; auto; inversion H; auto.
Qed.
A natural deduction derivation of the judgement ND e A
. The ND
predicate is defined inductively with the rules of natural deduction, adapted to the use of De Bruijn indices.
1. In the language and the derivation rules, we omitted the connectors $⊤$ (Ftrue
), the negation (Fnot
), and the equivalence (Fequiv
). Define them, and prove that the associated introduction and elimination rules are admissible.
2. Define an operator nFforall
which iterates the operator Fforall
. For instance, the formula nFforall 2 A
should be tantamount to Fforall (Fforall A)
. Prove the following lemma:
Lemma nFforall_1 : forall n x t A,
fsubst x t (nFforall n A) = nFforall n (fsubst (n + x) t A).
For the sake of readability, notations were introduced in the base file to redefine many standard Coq notations, but in a different scope. As it happens, already existing notations have classic interpretations (at the meta level), but newly introduced interprétations (at the object language level) can be used with the notation (...)%pa
. For example, A \/ B
represents the meta conjunction, and (A \/ B)%
the object one (i.e. the formula Fand A B
).
Peano axioms are written in the base file thanks the Ax
predicate: the proposition Ax P
means that P
is a Peano axiom. Pay heed to how Ax
is defined. This very definition enables us to in Coq the notion of theorem
:
Definition Th T := exists axioms,
(forall A, In A axioms -> Ax A) /\ ND axioms T.
NB: The proof is required to be made at the object level: you have to express this formula as a Coq term A
of type formula
, and then prove Th A
The proof of the coherence of nat
.
A valuation of variables is represented by a list b
of values (which are nat
here): the nth i b 0
). In the base file, the following functions are defined:
tinterp : list nat -> term -> nat
finterp : list nat -> formula -> Prop
These give an interpretation of object terms and formulas as Coq integers and propositions.
An object formula (of type formula
) is said to be valid if its interpretation is provable in Coq.
Lemma tinterp_1 : forall t' t b1 b2,
tinterp (b1 ++ b2) (tsubst (length b1) t' t) =
tinterp (b1 ++ (tinterp b2 t') :: b2) t.
Lemma tinterp_2 : forall t j, cterm j t ->
forall b1 b2, j <= length b1 -> j <= length b2 ->
(forall i, i < j -> nth i b1 0 = nth i b2 0) ->
tinterp b1 t = tinterp b2 t.
Lemma tinterp_3 : forall t b0 b1 b2,
tinterp (b0++b2) t =
tinterp (b0++b1++b2) (tlift (length b1) t (length b0)).
1. Prove that the natural deduction rules are correct with respect to the interpretation of formulas:
Lemma ND_soundness : forall e A, ND e A ->
forall b, (forall B, In B e -> finterp b B) -> finterp b A.
Lemma Ax_soundness : forall A, Ax A -> forall b, finterp b A.
Theorem coherence : ~Th Ffalse.