Upload
others
View
9
Download
0
Embed Size (px)
Citation preview
CS_336 Interactive Theorem Proving
Dr. Anton Setzer
Lent Term 2004
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 1
0. Overview(a)
(b)
(c)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 2
(a) What is Interact. Theorem Proving
(d) Need for Theorem Proving
We need to prove theorems in order to establishmathematical theorems.
E.g. that certain problems are decidable,undecidable, polynomial computable etc.
We need them as well in order to establish thecorrectness of software and hardware.
Is floating point division for the Intel processorcorrect?Is a railway control system safe?
When verifying the Swedish railway system, lots ofbugs were found.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 3
Need for Theorem ProvingConcentration on the latter in this module.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 4
4 Ways of Proving Theorems1. Theorem proving by hand.
What mathematicians do all the time.Will remain in the near future the main way forproving theorems.Problem: Errors.
As in programs after a certain amount of linesthere is a bug, after a certain amount of lines aproof has a bug.The problem can only be reduced by careful proofchecking, but not eliminated completely.
Unsuitable for verifying large software and hardwaresystems.
Data usually too large.Likely that one makes the same mistakes as in thesoftware.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 5
4 Ways of Proving Theorems2. Theorem proving with some machine support.
Machine checks the syntax of the statements,creates a good layout, translates it into differentlanguages.Theorem proving still to be done by hand.Example: most systems for specification of software(e.g. CSP-CASL, as used by Dr. Roggenbach).Advantages:
Less errors.User is forced to obey a certain syntax.Specifications can be exchanged more easily.
Disadvantage: Similar to 1.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 6
4 Ways of Proving Theorems3. Interactive Theorem Proving.
Proofs are fully checked by the system.Proof steps have to be carried out by the user.Advantages:
Correctness guaranteed (provided the theoremprover is correct).Everything which can be proved by hand, shouldbe possible to be proved in such systems.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 7
4 Ways of Proving Theorems(Interactive theorem proving)
Disadvantages:It takes much longer than proving by hand.· Similar to programming:
To say in words what a program should do,doesn’t take long.To write the actual program, can take a longtime, since much more details are involved thanexpected.
Requires experts in theorem proving.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 8
4 Ways of Proving Theorems4. Automated Theorem Proving.
The theorem is shown by the machine.It is the task of the user to
state the theorem,bring it into a form so that it can be solved,usually adapt certain parameters so that thetheorem proving solves the problem withinreasonable amount of time.
Espec. Dr. Kullmann is an expert in this area.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 9
4 Ways of Proving Theorems(Automated theorem proving)
AdvantagesLess complicated to “feed the theorem into themachine” rather than actually proving it.Might be done by non-specialists.Sometimes faster than interactive theoremproving.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 10
4 Ways of Proving Theorems(Automated theorem proving)
DisadvantagesMany problems cannot be proved automatically.Can often deal only with finite problems.· We can show the correctness of one particular
processor.· But we cannot show a theorem, stating the
correctness of a parametric unit (like a genericn-bit adder for arbitrary n.· In some cases this can be overcome.Limits on what can be done (some hardwareproblems can be verified as 32 bit versions, but notas 64 bit versions).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 11
(b) Administrative IssuesAddress:Dr. A. SetzerDept. of Computer ScienceUniversity of Wales SwanseaSingleton ParkSA2 8PPUK
Room Room 211, Faraday Building
Tel. (01792) 513368
Fax. (01792) 295651
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 12
Assessment80% Exam.
20% coursework:4 small assignments. Each counts 5% (Plan, mightbe changed).
Handed out approx. every 2nd week.Due two weeks later.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 13
Timetable, Course MaterialTwo lectures per week.
Tuesday, 11:00, Faraday J.Thursday, 10:00, Vivian 112.
Web page contains overhead slides from the lectures.Course material will be continually updated.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 14
(c) Plan0.
1.
2.
3.
4. Interactive programs in dependent type theory.
5. Cayenne – A programming language with dependenttypes.
The plan might be changed slightly.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 15
(d) LiteratureIn general, the module is self-contained.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 16
Main Course LiteratureB. Nordström, K. Peterson, J. M. Smith:Programming in Martin-Löf’s type theory. Available via.Course book, although a little bit too high level.
B. Nordström, K. Peterson, J. M. Smith:Martin-Löf’s type theory. Handbook of ComputerScience, Vol 5, 1-37. Oxford Univ. Press, 2000.Available via
Similar as the previous book, but shorter.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 17
Other Introductory BooksMartin-Löf, Per: Intuitionistic Type theory. Bibliopolis,Naples, 1984.Relatively easy short book, from the father of the typetheory we are using. Intended for philosophers.
Aarne Ranta: Type-theoretic grammar. ClarendonPress, 1995.Use of type theory in linguistics and for translationbetween languages. Has a good and simpleintroduction into type theory.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 18
More advanced BooksTroelstra, A. S. and van Dalen, D.:Constructivism in mathematics. Vol. I. North Holland,1988.Contains some material of interest (e.g. BHKinterpretation of logical connective). Postgraduate level.
Chapter 11 of Troelstra, A. S. and van Dalen, D.:Constructivism in mathematics. Vol. II. North Holland,1988.Book on postgraduate level. Deviates from “officialMartin Löf type theory”.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 19
1. Introduction(a)
(b)
(c)
(d)
(e)
(f)
(g)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 20
(a) Approaches to Verified SoftwareWe consider 4 principal approaches towards writing verifiedsoftware.
(h)(i) First a program is written.Then its correctness is verified.
Most common approach, when formal methods areapplied.Main advantage:Ordinary programming languages can be used.Disadvantage: all or most considerations of theprogrammers are lost.Requires advanced automated theorem provingtechnologies.Dr. Kullmann is an expert on the theorem provingtechniques used there.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 21
Approaches to Verified Software(ii) Prove that a solution for the problem exists.
Extract a program from it.E.g. from a proof of the statement
For every list there exists a sorted listhaving the same elements
one can extract a program, which computes from alist a sorted list having the same elements.The correctness is guaranteed.Technology not yet far developed.Dr. Berger is an expert in this area of research.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 22
Approaches to Verified Software(iii) Programs written in a language which allows to
state properties of the program.Example: “This program sorts a list”.Properties should be verified when compiling theprogram
Advantages:Programmer is forced to think very clearly.Programs will be very well documented.The information about properties needed mightguide the programmer.In some cases parts of the program can even befound automatically.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 23
Approaches to Verified SoftwareDisadvantages of (iii):
Requires new programming languages.Still essentially area of research. Howeveradvanced tools exist already.Might be too difficult for ordinary programmers.
Effect:Proving and programming will be the same.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 24
Approaches to Verified Software(iv) Mixtures between (i), (iii).
E.g. SPARK Ada.
In this lecture, we will follow the approach of (iii), based on
dependent type theory.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 25
(b) The Theorem Prover AgdaThere are several implementations of dependent typetheory:
NuPrl (Cornell, USA), the technically most advancedsystem.
Uses so called “extensional type theory”.Coq (INRIA, France), as well technically veryadvanced.LEGO (Edinburgh), about to be replaced.
Both use so called “impredicative type theory”.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 26
The Theorem Prover AgdaImplementations of dependent type theory (Cont.)
The “Alf-family” (Gothenburg, Sweden) – hasprobably the clearest concepts.
Alf (developed by Lena Magnusson)Half (= Haskell Alf), developed by ThierryCoquand, Dan Synek.Agda developed by Catarina Coquand.Alfa, a graphical user interface for Agda,developed by Thomas Hallgren.
“Cayenne” (Gothenburg, Sweden) is a dependentlytyped programming language (not intended as atheorem prover).
In this module we will use Agda and briefly considerCayenne, but Alfa can be used to create Agda code.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 27
Proofs in AgdaHalf, Agda, Alf are written in Haskell.
Half and Agda have an Emacs mode, which makes itquite convenient to develop proofs in it.
In most theorem provers, one has to follow one orseveral goals, and derive proofs for them.This is close to the way, proofs are carried out by hand.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 28
Proofs in Agda (Cont.)The Alf-family has a different approach ofsuccessive refinement.
One starts writing the proof code similarly to writingfunctional programs.What cannot be done without machine assistancecan be left open in the form of holes (
:::::::
goals).Now one can successively, assisted by the system,fill in those goals.Therefore proof/program development in the Alffamily is very close to ordinary programming.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 29
Installation of AgdaAgda is installed in the Linux lab.
Follow the item “Getting started with Agda” on thehome page of this module.Please check whether the installation works.
Agda is most easily installed under Linux or otherversions of Unix.
It can as well be installed under CYGWIN, a UNIXemulation under Windows.
See information from the course home page.
The source code for the examples given in this lecturewill be available from the course home page.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 30
Thierry Coquand
The main theoretician behind Agda (which wasimplemented by his wife, of whom I have no picture).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 31
(c) Concept of a Type
Typed vs. untyped languages
Examples of typed languages:Pascal, C,C++,Java, C#, Haskell, ML, . . .
Examples of untyped languages:Perl, Python, Visual Basic, Lisp, . . .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 32
Advantages/DisadvantagesAdvantage of untyped languages:Greater freedom in programming.
Advantages of typed languages:
Many errors are avoided, especially when usingoperations defined somewhere else. To find sucherrors in untyped languages can be very difficult.Types are very natural comments to programs, whichexpress the basic functionality of a program.Typed languages enforce this kind of comments, andtherefore better documentation.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 33
Concept of a Type (Cont.)In order to guarantee correctness of software, wemake use of a much more refined type system.
It will allow to specify any property of a program,which can be defined as a formula, as a type.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 34
Need for Rich Type StructuresIn general programming, one wants a veryrich type structure.
The richer the type structure, themore data types one can define,the more flexibility one has when writing programs,
without loosing the advantages of types (preventingerrors).
In this lecture we will mainly focus on theorem proving.
Greater flexibility touched at the end.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 35
Types used in other Languages
::::::::
Scalar::::::::
types:Booleans, integers, floating point numbers, characters,enumeration types.
:::::::::
Simple::::::::::::::
compound::::::::
types:Arrays, strings, record types, lists, sets.
In functional programming additionally:Function types, algebraic types (= what can be definedusing “data”).
In object-oriented programming (not relevant here):interfaces (and classes).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 36
Types used in Dep. Type TheoryFunction types.Let NatList the type of lists of natural numbers.Then NatList→ NatList is the type of functions mappinglists of natural numbers to lists of natural numbers.
E.g. sorting functions (without any correctnessconditions) are elements of this type.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 37
Types used in Dep. Type TheoryProducts (essentially records).Int× Char is the type of pairs 〈r, s〉, where r is aninteger and s is a character.
E.g. 〈2,′ c′〉 : Int× Char.In Haskell notation, products are written as follows:
Haskell notation for A×B is (A,B),Haskell noatation for 〈a, b〉 is (a, b).
e.g. (2, 3) :: (Int, Int).Agda notation will be that of a record type in otherlanguages.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 38
Types used in Dep. Type TheoryAlgebraic types. More about this later.
Dependent versions of the above.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 39
Per Martin-Löf
Professor at Stockholm University.Philosopher, mathematician and computer scientist.The Father of Martin-Löf Type Theory, the variant ofdependent type theory used in this module.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 40
(d) The λ-CalculusBasic idea of the λ-calculus:We want to define functions “on the fly” (so called“:::::::::::::::::
anonyomous:::::::::::::
functions”).
Example:We want to apply a function to all elements of a list.For instance, we want to upgrade a list of studentnumbers to one with one extra digit.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 41
Example for need of λ
Can be done by multiplying each student number by10.Let f : N→ N, f(x) := x ∗ 10.In many languages (e.g. C++, Perl, Python, Haskell)there is a pre-defined operation map, which takes afunction f , and a list l, and applies f to each elementof the list.So for the above f we have
map(f, [210345, 345698, 296458])
= [2103450, 3456980, 2964580] .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 42
Introduction to λ-TermsOften the f is only needed once, and introducing first anew name f for it is tedious.
So one needs a short notation for “the function f , s.t.f(x) = x ∗ 10”.
Notation is λx.x ∗ 10.
So we have
map(λx.x ∗ 10, [210345, 345698, 296458])
= [2103450, 3456980, 2964580] .
In general λx.t stands for the function f s.t. f(x) = t,where t might depend on x.
above t = x ∗ 10.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 43
NotationOne writes in functional programming usually s t for theapplication of s to t instead of s(t) as usual.
This is used since we have often to apply a functionseveral times, writing something like f(a)(b)(c).Instead we write f a b c.
As indicated by the example, r s t stands for (r s) t, ingeneral r0 r1 r2 · · · rn stands for (· · · ((r0 r1) r2) · · · rn).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 44
Infix OperatorsWe use + and ∗ infix.The corresponding operators are written as (+), (∗).
So x + y stands for (+) x y,x ∗ y stands for (∗) x y.
+ and ∗ will bind less than any non-infix constants.Therefore S x + Sy stands for (S x) + (S y).
∗ binds more than +.Therefore x + y ∗ z stands for x + (y ∗ z),and S x + S y ∗ z stands for (S x) + ((S y) ∗ z).
These are the same conventions as in Agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 44a
Scope of λx.
How do we read λx.x + 5?As (λx.x) + 5?Or as λx.(x + 5)?
Convention: The scope of λx. is as long as possible.So λx.x + 5 reads as λx.(x + 5).λx.(λy.y) 5 reads as λx.((λy.y) 5).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 45
Scope of λx.
In (λx.x) 5, the scope λx. cannot be extendedbeyond the closing bracket.
So it is “x”,not “x) 5”, which doesn’t make sense.
In f(λx.x + 5, 3), the scope of λxis “x + 5”,not “x + 5, 3)”, which doesn’t make sense.
In (λx.x + 5) 3, the scope of λxis x + 5not x + 5) 3, which doesn’t make sense.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 46
λ without a DotSometimes, λx t (without a dot) is used, if one wants tohave the scope of λx as short as possible.
E.g. λx x y would denote (λx.x) y.
In this lecture we don’t use this notation.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 46a
Bound and Free VariablesWe have now bound and free variables:
::::::
Free::::::::::::
variables are variables x, which don’t occur inthe scope of a λ-abstraction “λx.”.
:::::::::
Bound::::::::::::
variables are the other variables:they are variables x that occur in the scope of aλ-abstraction “λx.”.
In λx.x + y,· x is bound (since in the scope of λx),· y is free (since it is not in the scope of λy).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 47
Bound and Free VariablesIn (λy.y + z) y,
the first occurrence of y, y is bound,the second occurrence of y, y is free,z is free.
In (λy.((λz.z) y)) x, we havez is bound,y is bound (in the scope of λy),x is free.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 48
Bound and Free VariablesNote that being bound and free has something to dowith an occurrence of a variable in a term, not with thevariable itself.
By the:::::
free::::::
and:::::::::
bound::::::::::::
variables of a term t we meanthe variables x which occur free or bound, respectively,in t.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 49
Evaluation of λ-TermsHow do we evaluate (λx.x ∗ 10) 5?
We first replace in x ∗ 10, the variable x by 5.We obtain 5 ∗ 10.Then we reduce this further, using other reductionrules (not introduced yet).Using suitable rules, we would reduce 5 ∗ 10 to 50.We will first look only at the pure λ-calculus withoutany additional reduction rules.There (λx.x ∗ 10) 5 reduces to 5 ∗ 10, which cannot bereduced any further.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 50
Basics of the λ-CalculusIn general, the result of applying λx.t to r, is obtained bysubstituting in t the variable x by r.E.g.
(λx.x + 10) 5 evaluates to 5 + 10,If we substitute in x + 10 the variable x by 5, weobtain 5 + 10.
(λx.x) ”Student” evaluates to ”Student”.If we substitute in x, the variable x by “Student”,we obtain “Student”.
(λx.x) (λy.y) evaluates to λy.y.If we substitute in x the variable x by λy.y, weobtain λy.y.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 51
ReductionsWe write −→
::::(read as “
::::::::::
reduces::::
to”) for a one
step-reduction as above. So we have(λx.x + 10) 5 −→ 5 + 10,(λx.x) ”Student” −→ ”Student”,(λx.x) (λy.y) −→ λy.y.In general(λx.t) s −→ t[x := s].
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 52
Substitutiont[x := s] denotes the result of substituting in t thevariable x by s, e.g.
(x + 10)[x := 5] = 5 + 10,x[x := ”Student”] = ”Student”,x[x := λy.y] = λy.y.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 53
β-ReductionThe reduction
(λx.t) s −→ t[x := s]
is called:::::::::::::::
β-reduction.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 54
β-ReductionWe might apply β-reduction to a subterm.Examples:
((λx.x + 5) 3) + 7 −→ (3 + 5) + 7,since
(λx.x + 5) 3 −→ 3 + 5 .
Assume we have a pairing operation 〈s, t〉 for the pairs, t, then
〈(λx.x + 5) 3, 7〉 −→ 〈3 + 5, 7〉 ,
We can apply β-reduction under a λ term as well:
λx.((λy.y + 5) 3) −→ λx.3 + 5 .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 55
β-RedexI subterm of the form (λx.r) s of a λ-term t is called a::::::::::
β-redex“Redex” is short for
::::::::::::
reducible:::::::::::::::
expression.
So β-reduction means reducing one β-redex.
A λ-term might have several β-redexe:E.g. In (λx.xx) ((λy.y) z) we have
one redex (λx.xx) ((λy.y) z)and one redex (λy.y) z.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 55a
Multiple RedexeTherefore a term might have two different reductions:
In the example we have(λx.xx) ((λy.y) z) −→ ((λy.y) z) ((λy.y) z)(λx.xx) ((λy.y) z) −→ (λx.xx) z.
We will discuss later that the λ-calculus is confluent, so,if we have two different reducts of a λ-term, then thereexists a term t s.t. both reducts reduce (possibly usingseveral reduction steps) to t.
In the example, we have((λy.y) z) ((λy.y) z) reduces in two steps to z zand (λx.xx) z reduces in one step to the sameterm.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 55b
α-ConversionWe identify λ-terms, which only differ in the choice ofthe bound variables (variables abstracted by λ):
So λx.x + 5 and λy.y + 5 are identified.Makes sense, since they both denote the samefunction f s.t. f(x) = x + 5.
(λx.x + 5) 3 + 7 and (λy.y + 5) 3 + 7 are identified.λx.λy.y and λy.λx.x are identified.
This equality is called:::::::::::::
α-equality, and the step from oneterm to another α-equal term is called
:::::::::::::::::
α-conversion.
So λx.λy.y and λy.λx.x are::::::::::
α-equal, written asλx.λy.y=α
:::
λy.λx.x.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 56
α-ConversionNote that λx.λx .x =α λy.λx.x.
The x refers to the second lambda abstraction λx ,not the first one (λx.).Therefore, when changing the variable of the firstλ-abstraction, x remains unchanged.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 56a
Substitution and Bound VariablesIf we carry out a substitution in a λ-term, we have to becareful.
(λx.x + 7) [x := 3] = λx.x + 7.It doesn’t make sense to substitute the x in λx.x + 7,since x is bound by λx..x is a bound variable, which is not changed by thesubstitution.
In general, in s[x := t] we only substitute freeoccurrences of x in s by t.
All bound occurrences remain unchanged.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 57
Substitution and Bound VariablesMore examples:
(λx.x)[x := ”Student”] = λx.x.The x in λx.x is bound by λx, so no substitution iscarried out.
((λx.x) x)[x := ”Student”] = (λx.x) ”Student”.The first x is bound, so no substitution is carriedout.The second x is free, so substitution is carried out.
(λy.x + y)[x := 3] = λy.3 + y.x in λy.x + y is free, so it will be substituted by 3 inthe above example.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 58
Substitution and α-ConversionWhen substituting in λ-terms, we sometimes have tocarry out an α-conversion first:
If we substitute in λy.y + x, the variable x by 3, weobtain correctly λy.y + 3, the function f s.t.f(y) = y + 3.If we substitute in λy.y + x, the variable x by y, weshould obtain a function f s.t. f(z) = z + y.If we did this naively, we would obtain λy.y + y.
So the free variable y, which we substituted for x,has become, when substituting it in λy.y + x, to abound variable.
This is not the correct way of doing it.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 59
Substitution and α-ConversionThe correct way is as follows:
First we α-convert λy.y + x, so that the bindingvariable y is different from the free variable we aresubstituting x by:Replace for instance λy.y + x by λz.z + x.Now we can carry out the substitution:
(λy.y + x)[x := y] =α (λz.z + x)[x := y] = λz.z + y .
Similarly, we compute (λy.y + x)[x := y + y] asfollows:
(λy.y+x)[x := y+y] =α (λz.z+x)[x := y+y] = λz.z+(y+y) .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 60
Substitution and α-ConversionIn general, the substitution t[x := s] is carried out asfollows:
α-convert t s.t.if x occurs in t free and is in the scope of some λu,then u doesn’t occur free in s.In other words, α-convert t s.t. one never wouldsubstitute for x the s in such a way that one of thefree variables of s becomes bound.
Then carry out the substitution.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 61
Examples(λx.λy.z)[z := x] =α (λu.λy.z)[z := x] = (λu.λy.x) ,
(λx.λy.z)[z := y] =α (λx.λu.z)[z := y] = (λx.λu.y) ,
(λx.(λy.y) z)[z := y] = λx.(λy.y) y .There is no problem in substituting the z by y, since it isnot in the scope of λy.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 62
Examples(λx.z)[z := λx.x] = λx.λx.x.There is no problem with this substitution, since xdoes not occurr free in λx.x.Note that the x in λx.λx.x refers to the second λ-bindingλx.
(λx.z)[z := (λx.x) x] =α (λu.z)[z := (λx.x) x] =λu.((λx.x) x).Now x occurs free in (λx.x) x (the second occurrence isfree), so we need to α-convert it.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 63
Substitution and α-ConversionIf you have problems understanding this, you canproceed as follows, and are on the safe side:
α-convert t so that all bound variable in t aredifferent from all free variables in s.Then carry out the substitution.
An unnecessary α-conversion doesn’t hurt.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 64
λ-termsNow we can define the untyped λ-calculus as follows:
λ terms are:Variables x,If r and s are λ-terms, so is (r s).If x is a variable and r is a λ-term, so is λx.r.
As usual brackets can be omitted, usingthe above mentioned conventions about the scope ofλx,and that r s t is read as (r s) t.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 65
λ-termsExamples:
λx.x,λx.((λy.y) x),λx.x x,(λx.x x x) (λx.x x x),(λf.λx.f (f x)).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 66
λ-termsOne might need additional constants to thelanguage, then we have additionally:
Any constant is a λ-term.So for instance,
If c is a constant, then λx.c, (λx.x) c are λ-terms,If + is a constant, then λx. + x x is a a λ-term.
For standard operators like +, ∗ we usually writex + y instead of + x y,x ∗ y instead of ∗ x y,etc.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 67
α-Conv, β-ReductionWe identify as before α-equivalent λ-terms,
and define β-reduction as before.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 68
AbbreviationsWe write λx, y. · · · for λx.λy. · · · .
Similarly for λx, y, z. etc.
E.g. λx, y, z.x (y z) stands for λx.λy.λz.x (y z) .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 68a
Examples of β-Reduction
(λx.λy.x) y −→ (λy.x)[x := y] =α (λu.x)[x := y] = λu.y
(λz.λx.λy.z) x −→ (λx.λy.z)[z := x]=α (λu.λy.z)[z := x]
= λu.λy.x
(λx.(λy.y) z) y −→ (λx.(λy.y) z)[z := y] = λx.(λy.y) y
λx.(λy.y) y −→ λx.y
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 68b
Examples (Longer Reduction)
(λx, y.x (x y)) (λu, v.u (u v))
−→ λy.(λu, v.u (u v)) ((λu, v.u (u v)) y)
−→ λy.(λu, v.u (u v)) (λv.y (y v))
−→ λy.λv.(λv.y (y v)) ((λv.y (y v)) v)
−→ λy.λv.(λv.y (y v)) (y (y v))
−→ λy.λv.y (y (y (y v)))
= λy, v.y (y (y (y v)))
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 68c
Examples of Non-TerminationReproduction (Term reduces to itself).Let ω := λx.x x, Ω := ω ω. Then
Ω = ω ω = (λx.x x) ω −→ ω ω = Ω .
Expansion (Term reduct becomes bigger).Let Ω := λx.x (x x).Then
Ω Ω = (λx.x (x x)) Ω
−→ Ω (Ω Ω)
−→ Ω (Ω (Ω Ω))
−→ · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 68d
Reduction SystemsWe want to study certain properties of the relation −→on the set of λ-terms, like
Termination: Is there an infinite reduction
t0 −→ t1 −→ t2 −→ · · · ?
We want to consider as well λ-terms, with someadditional reductions, like s + 0 −→ s.
Behind Agda there is such an extended reductionmechanism, which is essentially terminating (theexact details follow later), and used in order todetermine equality between expressions like 0 + S 0and S 0.
Therefore we introduce the more general notions ofreduction systems and term rewriting systems.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 69
Reduction SystemsA
::::::::::::
reduction::::::::::
system is a pair (T,−→) consisting of aset T (of terms) and a binary relation −→ on T .
We write s −→ t for “s, t are in relation −→” and sayusually “s reduces to t”.
Example: The set of λ-terms with β-reduction forms areduction system:
T is the set of λ-terms,More precisely, we take λ-terms identified moduleα-conversion.−→ is β-reduction.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 70
Example 1 (Reduction System)A simple reduction system is N with reductionsn + 1 −→ n for n ∈ N:
2 30 1 4 5
So we have reductions of the form:
5 −→ 4 −→ 3 −→ 2 −→ 1 −→ 0 .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 71
Example 2 (Reduction System)Another one is N with reductionsn −→ m for n,m ∈ N s.t. n > m:
2 30 1 4
So we have reductions of the form:
23 −→ 11 −→ 3 −→ 1 −→ 0 .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 72
Example 3 (Reduction System)A third one is T = N ∪ ∗, with reductionsn + 1 −→ n for n ∈ N,and ∗ −→ n for n ∈ N:
2 30 1 4
*
So we have reductions of the form:
∗ −→ 5 −→ 4 −→ 3 −→ 2 −→ 1 −→ 0 .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 73
Term Rewriting SystemsTerm rewriting systems are special cases of reductionsystems.
They are reduction systems, which are generated by a(in many cases finite) set of rules (i.e. basic reductions).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 74
Example of a Term Rewriting SystemTake T = set of arithmetic expressions formed fromvariables, 0 by using the successor operation S (whereS n stands n + 1), +, ∗ and brackets.
So the following are elements of T :x + S 0,(S 0 + z) ∗ (S (S x) + 0),(S y) ∗ (S 0 + (S x ∗ 0)).
Take as rules the following:
x + 0 −→Rule x ,
x + S y −→Rule S (x + y) ,
x ∗ 0 −→Rule 0 ,
x ∗ S y −→Rule (x ∗ y) + x .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 75
Term Rewriting Systems
x + 0 −→Rule x ,
x + S y −→Rule S (x + y) ,
x ∗ 0 −→Rule 0 ,
x ∗ S y −→Rule (x ∗ y) + x .
The reduction relation generated by these rules allowsto replace in a term
any subterm of the form s + 0 by s,any subterm of the form s + S t by S (s + t),any subterm of the form s ∗ 0 by 0,any subterm of the form s ∗ (S t) by (s ∗ t) + s.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 76
Term Rewriting Systems
x + 0 −→Rule x ,
x + (S y) −→Rule S (x + y) ,
x ∗ 0 −→Rule 0 ,
x ∗ (S y) −→Rule (x ∗ y) + x .
So we have for instance the following reductions:0 + S (S 0) −→ S (0 + S 0),
Reduce 0 + S s to S (0 + s) using s = S 0.S (0 + S 0 ) −→ S (S (0 + 0 )),
Reduce s + S t to S (s + t), using s = t = 0,S (S (0 + 0 )) −→ S (S 0 ) .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 77
Definition of Term Rewriting SystemsA term rewriting system consists of
a set of terms T built from variables, constants andsome function symbols,a relation −→Rule between terms
(if r −→Rule s we say hat r −→Rule s is a:::::
rule),s.t., if s −→Rule t, then
s is not a variable, andall free variables in t occur in s.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 78
Reduction generated by −→Rule
Don’t worry if you don’t understand the followingdefinition.
For most of the module it suffices to have an intuitiveunderstanding of how to reduce terms.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 79
Reduction generated by −→Rule
If we have a term rewriting system (T,−→Rule) weobtain a reduction relation −→ on T as follows:
First we construct a relation −→′ obtained fromreductions rules r −→Rule r′ by substituting the freevariables in both r and r′ by some terms.
So the same substitutions are carried out in both rand r′.If s −→′ s′ is obtained by carrying out such asubstitution in r −→Rule r′, then s −→′ s′ is called:::
an::::::::::::
instance:::
of::::::
rule::::::::::::::
r −→Rule r′.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 80
Reduction generated by −→Rule
Then s −→ s′, if there exists an instance t −→′ t′ of arule s.t. s contains subterm t, and s′ is the result ofsubstituting in s the term t by t′.
The subterm s is called a:::::::
redex w.r.t. the termrewriting system used.
The reductions s −→ s′ obtained this way are thereductions
:::::::::::::
generated by the term rewriting system.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 81
Example 1
x + 0 −→Rule x ,
x + S y −→Rule S (x + y) ,
x ∗ 0 −→Rule 0 ,
x ∗ S y −→Rule (x ∗ y) + x .
0 + S (S 0) −→ S (0 + S 0) is obtained as follows:The rule used is
x + S y −→Rule S (x + y) .
By substituting x by 0 and y by S 0 we obtain theinstance
0 + S (S 0) −→′ S (0 + S 0) .
In this example, the full term is reduced.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 82
Example 2
x + 0 −→Rule x ,
x + S y −→Rule S (x + y) ,
x ∗ 0 −→Rule 0 ,
x ∗ S y −→Rule (x ∗ y) + x .
S (0 + S 0 ) −→ S (S (0 + 0 )) is obtained as follows:The rule used is x + S y −→Rule S (x + y) .
By substituting x and y by 0 we obtain the instance
0 + S 0 −→′ S (0 + 0 ) .
The left hand side of our reduction S (0 + S 0 )contains now the subterm 0 + S 0 .
By substituting it by S (0 + 0 ) we obtain the righthand side of the reduction, S (S (0 + 0 )) .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 83
Example 3
x + 0 −→Rule x ,
x + S y −→Rule S (x + y) ,
x ∗ 0 −→Rule 0 ,
x ∗ S y −→Rule (x ∗ y) + x .
S (S (0 + 0 )) −→ S (S 0 ).The rule used is x + 0 −→Rule x .
By substituting 0 for x, we obtain the instance
0 + 0 −→′ 0 .
The left hand side of the reduction S (S (0 + 0 ))contains subterm 0 + 0 .By substituting it by 0 we obtain the right hand sideof the reduction S (S 0 ).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 84
−→∗
If (T,−→) is a reduction system, we define
a−→∗:::::
b iff there exists a (possibly empty) sequence of
reductions
a = a0 −→ a1 −→ a2 −→ · · · −→ an = b
By empty reduction we mean: if a = b, then we havea −→∗ b.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 85
−→∗
In order to express the above shorter, one says that−→∗ is the transitive and reflexive closure of −→, i.e.the least transitive and reflexive relation containing −→:
a −→ b implies a −→∗ b.−→∗ is reflexive, i.e. for all a we have a −→∗ a.−→∗ is transitive, i.e. a −→∗ b −→∗ c implies a −→∗ c.If there is any relation −→′ with the above 3properties, then x −→′ y implies x −→∗ y.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 86
ExampleIf we take N with reductionsn + 1 −→ n for n ∈ N:
2 30 1 4 5
Then 5 −→ 4 −→ 3 −→ 2, therefore 5 −→∗ 2.
In general n −→∗ m⇔ n ≥ m.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 87
←→∗
If (T,−→) is a reduction system, we define
a←→∗:::::
b iff there exists a (possibly empty) sequence of
reductions
a = a0 ←→ a1 ←→ a2 ←→ · · · ←→ an = b
wherea←→ b :⇔ (a −→ b ∨ b −→ a) .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 88
←→∗
In order to express the above shorter, one says that←→∗ is the transitive, symmetric and reflexive closure of−→, i.e. the least transitive, symmetric and reflexiverelation containing −→:
a −→ b implies a −→∗ b.−→∗ is reflexive, and transitive.−→∗ is symmetric, i.e. a −→∗ b implies b −→∗ a.If there is any relation −→′ with the above properties,then x −→′ y implies x −→∗ y.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 89
ExampleIf have the following reduction system:
0 1 2
3 4
Then 0←− 3 −→ 1←− 4 −→ 2, therefore 0←→∗ 2.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 90
Identification of ElementsIf we have a reduction system (A,−→), one writesa =−→ b or sometimes a = b for a←→∗ b.
In case of the λ-calculus, we define a =β b⇔ a←→∗β b,
where←→β is the reflexive, symmetric and transitiveclosure of β-reduction −→.
More precisely one allows arbitrary α-conversions inbetween:a =β b iff there exists a sequence a0, . . . , an, a′0, . . . , a
′n
(n = 0 is allowed) s.t.
a =α a0 ←→β a1 =α a′1 ←→β a2 =α a′2 ←→β · · ·
←→β an =α b .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 91
Determination of←→∗
In general it is infeasible to determine whether a←→∗ bholds.
One has to check all possible ways of getting from ato b, by both using −→ and←−.
In many cases this can be determined by:Simply reducing a as long as possible to some terma′ s.t. a −→∗ a′ and s.t. a′ has no further reductions,
i.e. by “evaluating a”.Doing the same with b to some term b′.Checking whether a′ is identical to b′.
This is possible, if −→ is confluent and stronglynormalising (see next slides).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 92
AgdaThe underlying reduction system of Agda is“essentially” strongly normalising.
The equality derived from this reduction system is usedin order to typecheck terms.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 93
Strong NormalisationA reduction system (A,−→) is
:::::::::::::::
terminating or
:::::::::::
strongly::::::::::::::::
normalising, iff there is no infinite sequence
a0 −→ a1 −→ a2 −→ a3 −→ · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 94
ExamplesThe following reduction system is terminating:
2 30 1 4 5
Any reduction sequence will end in 0 and terminate.
The following reduction system is not terminating:
2 30 1 4 5
(Take 0 −→ 1 −→ 2 −→ 3 −→ · · · ).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 95
ExamplesThe following reduction system is terminating, but thereare arbitrarily long reduction sequences starting with ∗:
2 30 1 4
*
. ..
We have ∗ −→ n −→ (n− 1) −→ (n− 2) −→ · · · −→ 0.
The untyped λ-calculus is not terminating, since wehave
Ω −→ Ω −→ Ω −→ · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 96
Normal Form and IrreducibilityLet (A,−→) be a reduction system.
a ∈ A is::::::::::::::
irreducible, if there exists no b ∈ A s.t. a −→ b.
b is a:::::::::
normal:::::::
form:::
of::
a iff a −→∗ b and b is irreducible.
(A −→) is:::::::::
weakly::::::::::::::::
normalising or:::::::::::::::
normalising, if everya ∈ A has a normal form.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 97
ExampleThe following system is weakly normalising, but not stronglynormalising:
0 1 2 3 5 . . .
*
Every a has a normal form, namely ∗.
But there exists an infinite sequence
0 −→ 1 −→ 2 −→ 3 −→ · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 98
LemmaLet (A,−→) be a strongly normalising reduction system.Then (A,−→) is weakly normalising.
Proof:A normal form of a can be obtained by simply reducing a aslong as possible:Since (A,−→) is strongly normalising, the reductionsequence terminates in some b ∈ A.
b is a normal form of A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 99
ConfluenceA reduction system (A,−→) is confluent, iff for allx, y, z ∈ A we have
if x −→∗ y and x −→∗ z,then there exists an u s.t. y −→∗ u and z −→∗ u.
x
y z
**
* *exists u
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 100
Church-RosserIf (A,−→) is confluent, then it has the Church-Rosserproperty:If a←→∗ b iff there exists a c s.t.
a −→∗ c ∧ b −→∗ c
a b
exists c
*
* *
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 101
Proof of Church-RosserDefine a ↓ b :⇔ ∃c.(a −→∗ c ∧ b −→∗ c).
We show that ↓ contains −→ and is reflexive, symmetricand transitive.Therefore it contains←→∗, and we get a←→∗ b⇒ a ↓ b.
In the other direction, a ↓ b clearly implies a←→∗ b.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 102
Proof of Church-Rosser↓ contains −→:a −→ b implies a ↓ b.
a b
b
Formally: If a −→ b then we have with c := b thata −→∗ c and b −→∗ c.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 103
Proof of Church-Rosser↓ is reflexive,
a a
a
Formally: We have a −→∗ a and a −→∗ a, thereforea ↓ a.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 104
Proof of Church-Rosser↓ is symmetric:
a b b a
c c* * * *
=>
Formally: If a ↓ b by a −→∗ c and b −→∗ c, then b ↓ a byb −→∗ c and a −→∗ c,
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 105
Proof of Church-Rosser↓ is transitive:
a b c
d e* * * *a b c
d e* * * *
f* *
=>
Formally:Assume a ↓ b and b ↓ c by a −→∗ d, b −→∗ d, b −→∗ e,c −→∗ e.Then by confluence there exists an f s.t. d −→∗ f ,e −→∗ f .But then a −→∗ f and c −→∗ f , a ↓ c.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 106
λ-CalculusFact: The λ-calculus is confluent (if we identifyα-equivalent terms), and fulfills therefore theChurch-Rosser property.
Note that this doesn’t give yet an easy way ofdetermining whether a =β b holds:
One needs to find a c s.t. a −→∗ c and b −→∗ c.But simply reducing a might never terminate.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 107
Unique Normal FormsLemma:Let (A,−→) be a confluent reduction system.If a ∈ A has a normal form a′, then it is unique:
If a′′ is another normal form, then a′ = a′′.
Proof:
We have a −→∗ a′ and a −→∗ a′′.
By confluence, there exists a b s.t. a′ −→∗ b anda′′ −→∗ b.
But since a′ and a′′ are normal forms, it follows a′ = band a′′ = b.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 108
LemmaLet (A,−→) be a strongly normalising and confluentreduction system. Then
a←→∗ b iff the normal forms of a and b coincide.
Proof:
“⇒”: By Church Rosser a←→∗ b implies the existenceof a c s.t. a −→∗ c and b −→∗ c.Reduce c further in order to obtain a normal form of aand b.Then c is a normal form of both a and b.Since by the above lemma, normal forms are unique, cis the normal form of a and b.
“⇐”: If the normal forms c coincide, then we havea −→∗ c←−∗ b, therefore a←→∗ c.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 109
Towards the Typed λ-CalculusProblem of the untyped λ-calculus:
Non-Termination, therefore =β difficult to check.In fact =β is semi-decidable (r.e.), but notdecidable (recursive).
Caused by the possibility of self-application, whichallows to write essentially fully recursive programs.Avoided by the simply typed λ-calculus, which isstrongly normalising.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 110
Main Idea of the λ-Calculusλx.x + 5 is a function,
taking an x : int,and returning x + 5 : int.
Therefore, we say that (λx.x + 5) : int→ int.In words, “λx.x + 5 is of type int arrow int”.
In order to clarify the type of x, we write instead ofλx.x + 5
λx : int.x + 5 .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 111
Basics of the Typed λ-Calculusλx : int.x + 5 is
only applicable to some s : int,therefore not applicable to elements of other types,e.g. to “Student” (: String).
So(λx : int.x + 5) 3 is allowed,(λx : int.x + 5) “Student” is not allowed.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 112
Simple TypesThe
:::::::::
simple:::::::
types used in the simply typed λ-calculusare defined inductively as follows:
The:::::::::
ground:::::::
type o is a type.If σ, τ are types, so is (σ → τ).
“Inductively” means that the set of simple types is theleast set containing the ground type, and which closedunder→.
One sometimes modifies the set of ground types,especially when adding constants to the λ-terms.
E.g. when using arithmetic expressions, one can sayfor instance that the ground types are int and float.Then we talk about the:::::::::
simple:::::::
types:::::::::
based::::
on::::::::::
ground::::::::
types::::
int:::::
and::::::
float.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 113
Simple TypesUsually we denote types by Greek letters,
e.g. α (“alpha”), β (“beta”), γ (“gamma”), σ (“sigma”),τ (“tau”).
We omit brackets as usual using the convention thatα→ β → γ stands for α→ (β → γ).
Examples types:o,o→ o,(o→ o)→ o,((o→ o)→ o→ o)→ (o→ o)→ o→ o,
which stands for(((o→ o)→ (o→ o))→ ((o→ o)→ (o→ o))).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 114
AbbreviationIn order to make writing down such types easier, onecan use sometimes the following abbreviations (theseare non-standard abbreviations, and should be definedexplicitly when using outside this lecture.
o2 := o→ o,o3 := o2→ o2,etc.
Soan element of type o2 can be applied to an elementof type o and one obtains an element of type o.an element of type o3 can be applied to an elementof type o2 and one obtains an element of type o2.etc.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 114a
ContextsTo determine the type of a term makes only sense, if weknow the types of its variables.
For instance, in case of the λ-term x y, we couldhave
x : o→ o, y : o and therefore x y : o,or x : o→ o, y : (o→ o)→ o→ o, and thereforex y : o→ o.
Therefore we will give a type to λ terms in a context,which determines the types of the variables.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 115
ContextsA
::::::::::
context is an expression of the formx1 : σ1, . . . , xn : σn where
xi are variables,σi are simple types,(when considering other type theories, σi will betypes of that theory).xi are different.
n = 0 is allowed, and we write ∅:
for the empty
context.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 116
Contexts:::::::::::::
Examplesx : o, y : o→ o is a context.x : o→ o, x : o is not a context.
Note that contexts are lists of elements of the formx : σ, so the order matters.
In case of the simply typed λ-calculus, it wouldn’tmake a difference to have as context unordered setsof expressions of the form x : σ.However, when moving later to dependent typetheory, the order of the expressions x : σ will berelevant.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 117
ContextsIn the following, the capital Greek letters Γ
:(“Gamma”),
∆::
(“Delta”) denote contexts.
We write Γ⇒ s : σ::::::::::
for “in context Γ, s has type σ”.
Expressions of this form are called:::::::::::::::
judgements.
Examples:x : o→ o, y : o⇒ x y : o,x : float→ int, y : float⇒ x y : int(assuming ground types float and int),x : (o→ o)→ o→ o, y : o→ o⇒ x y : o→ o.
In case Γ is empty, we write s : σ instead of ∅ ⇒ s : σ.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 118
ContextsIf Γ, ∆ are contexts, Γ,∆
::::
denotes the concatenation of
both contexts, e.g. ifΓ = x : o, y : o→ o,∆ = z : o
thenΓ,∆ denotes x : o, y : o→ o, z : o,∆,Γ denotes z : o, x : o, y : o→ o,Γ, u : o denotes x : o, y : o→ o, u : o.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 119
Simply Typed λ-CalculusDefinition of the
:::::::::
simply::::::::
typed::::::::::
λ-terms, depending on acontext, together with their type.
1.::::::::::::::::
Assumption.Variables, occurring in the context, are terms having thetype they have in the context:
Γ, x : σ,∆⇒ x : σ
Note that Γ, x : σ,∆ stands for any context, in whichx : σ occurs.Explanation:
From the assumption x : σ we can derive x : σ.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 120
Simply Typed λ-Calculus2.
:::::::::::::::
Application.If s is of type σ → τ and t of type σ, depending oncontext Γ, then s t is of type τ under context Γ:
Γ⇒ s : σ → τ Γ⇒ t : σ (Ap)Γ⇒ s t : τ
Explanation:Assume we have s of type σ → τ .· So s is a function, taking an x : σ and returning
an element of type τ .Assume we have t is an element of type σ.Then we can apply the function s to this t, writtenas s t, and obtain an element of type τ .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 121
Simply Typed λ-Calculus3.
:::::::::::::::
Abstraction.If t is a term of type τ , depending on context Γ, x : σ,then λx : σ.t is a term of type σ → τ depending oncontext Γ:
Γ, x : σ ⇒ t : τ(Abs)
Γ⇒ (λx : σ.t) : σ → τ
Explanation:If we have under assumption x : σ shown that t : τ ,then we can form a new λ-term by binding that x,and form λx : σ.t.The result is a function taking as input x : σ andreturning t : τ , so we obtain an element of σ → τ .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 122
RulesWe had three
::::::
rules:1. Γ, x : σ,∆⇒ x : σ
2.Γ⇒ s : σ → τ Γ⇒ t : σ (Ap)
Γ⇒ s t : τ
3.Γ, x : σ ⇒ t : τ
(Abs)Γ⇒ (λx : σ.t) : σ → τ
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 123
Rules(1) Γ, x : σ,∆⇒ x : σ
is a special kind of rule, an axiom.Axioms derive typing judgements without having toprove something first (no premises).
(2) The next rule is a genuine rule:
Γ⇒ s : σ → τ Γ⇒ t : σ (Ap)Γ⇒ s t : τ
It expresses:Whenever we have derived Γ⇒ s : σ → τ
(for arbitrary context Γ, types σ, τ , term s)and whenever we derived Γ⇒ t : σ
(for the same Γ, σ, but arbitrary term t),then we can derive Γ⇒ s t : τ .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 124
Rules(3) The next rule is similar:
Γ, x : σ ⇒ t : τ(Abs)
Γ⇒ (λx : σ.t) : σ → τ
It expresses:Whenever we have derived Γ, x : σ ⇒ t : τ
(for arbitrary context Γ, types σ, τ , variable x andterm t),
then we can derive from this Γ⇒ (λx : σ.t) : σ → τ .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 125
DerivationsUsing rules we can derive more complex judgements:
We start with axioms, and use rules with premises inorder to derive further judgements.
Example 1:
x : o⇒ x : o (Abs)(λx : o.x) : o→ o
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 126
Example 2
x : o→ o, y : o⇒ x : o→ o x : o→ o, y : o⇒ y : o(Ap)
x : o→ o, y : o⇒ x y : o(Abs)
x : o→ o⇒ (λy : o.x y) : o→ o(Abs)
(λx : o→ o.λy : o.x y) : (o→ o)→ o→ o
Note that we have the following dependencies in thederived λ-term:
(λx : o→ o.λy : o. x︸︷︷︸:o→o
y︸︷︷︸:o︸ ︷︷ ︸
:o
) : (o→ o)→ o→ o
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 127
Self-ApplicationIn the simply typed λ-calculus we cannot assign a typeto λx.x x, i.e. there are no types σ, τ s.t. (λx : σ.x x) : τ .
Assume we could derive this.The only way to derive (λx : σ.x x) : τ is by the rule ofλ-abstraction.Then τ must be equal to σ → τ1 for some τ1, and thederivation reads then
x : σ ⇒ x x : τ1 (Abs)(λx : σ.x x) : σ → τ1
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 127a
Self-Applicationx : σ ⇒ x x : τ1 (Abs)
(λx : σ.x x) : σ → τ1
x : σ ⇒ x x : τ must have been derived by the rule ofapplication, so the derivation must look like this:
x : σ ⇒ x : τ2 → τ1 x : σ ⇒ x : τ2 (Ap)x : σ ⇒ x x : τ1 (Abs)
(λx : σ.x x) : σ → τ1
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 127b
Self-Applicationx : σ ⇒ x : τ2 → τ1 x : σ ⇒ x : τ2 (Ap)
x : σ ⇒ x x : τ1 (Abs)(λx : σ.x x) : σ → τ1
The only way to derive x : σ ⇒ x : τ2 → τ1 andx : σ ⇒ x : τ2 is by using the assumption rule.In order for x : σ ⇒ x : τ2 → τ1 to be derivable by theassumption rule, we need σ = τ2 → τ1.Similarly, in order to derive x : σ ⇒ x : τ2, we needτ2 = σ.So we have τ2 → τ1 = σ = τ2.But τ2 = τ2 → τ1 cannot be fulfilled, since τ2 → τ1 islonger than τ2.So we cannot find types σ, τ s.t. (λx : σ.x x) : τ .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 127c
Remark (Weakening)If we have derived t : σ under some context, then thesame holds for any other context, which expands theoriginal one.
Formally, this means: Assume
Γ,∆⇒ t : σ .
Then we have as well
Γ, x : τ,∆⇒ t : σ ,
provided Γ, x : τ,∆ is a context (i.e. provided x does notoccur in Γ,∆).
The process of extending the context is called::::::::::::::
weakening.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 128
Weakening in LogicWeakening occurs in many logic calculi as well.
It occurs in natural language reasoning as well:For instance from “I am living an Swansea” and “InSwansea the sun is shining” follows “Where I amliving, the sun is shining”.However, we can the above as well from theadditional (unused) assumption “Assuming that I ama lecturer”.So we have as well “Under the assumption that I ama lecturer, where I am living the sun is shining”,which is a weaker statement.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 128a
Proof of the RemarkAssume a derivation of Γ,∆⇒ t : σ.
Insert at all corresponding positions in the contexts inthe derivation x : τ .
One needs to rename variables, in order to avoidconflicts with x.
The result is a derivation of Γ, x : τ,∆⇒ t : σ.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 129
Example (Weakening)From the derivation
y : o, x : o⇒ x : o(Abs)
y : o⇒ (λx : o.x) : o→ o y : o⇒ y : o(Ap)
y : o⇒ (λx : o.x) y : o
we obtain a derivation of
y : o, x : o⇒ (λx : o.x) y : o
as follows:
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 130
Example (Weakening)
y : o, x : o⇒ x : o(Abs)
y : o⇒ (λx : o.x) : o→ o y : o⇒ y : o(Ap)
y : o⇒ (λx : o.x) y : o
First rename in this derivation x by u in order to avoidconflicts (note that λx : o.x is α-equivalent to λu : o.u):
y : o, u : o⇒ u : o(Abs)
y : o⇒ (λu : o.u) : o→ o y : o⇒ y : o(Ap)
y : o⇒ (λu : o.u) y : o
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 131
Example (Weakening)
y : o, u : o⇒ u : o(Abs)
y : o⇒ (λu : o.u) : o→ o y : o⇒ y : o(Ap)
y : o⇒ (λu : o.u) y : o
Now we obtain the following derivation ofy : o, x : o⇒ (λx : o.x) y : o
y : o, x : o, u : o⇒ u : o(Abs)
y : o, x : o⇒ (λu : o.u) : o→ o y : o, x : o⇒ y : o(Ap)
y : o, x : o⇒ (λu : o.u) y : o
Note that λx : o.x and λu : o.u are identified.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 132
WeakeningBecause of the possibility of weakening, we will usuallyomit unused parts of contexts.
So a derivation of x : o→ o, y : o⇒ x (x y) : o, which infull reads as follows
x:o→o,y:o⇒x:o→o
x:o→o,y:o⇒x:o→o x:o→o,y:o⇒y:o(Ap)
x : o→ o, y : o⇒ x y : o(Ap)
x : o→ o, y : o⇒ x (x y) : o
will usually be presented as follows:
x:o→o⇒x:o→o
x:o→o⇒x:o→o y:o⇒y:o(Ap)
x : o→ o, y : o⇒ x y : o(Ap)
x : o→ o, y : o⇒ x (x y) : o
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 133
β-Reductionβ-reduction for typed λ-terms is defined as for untypedλ-terms.
One has only to carry around the types as well.Formally we have
(λx : σ.t) s −→ t[x := s]
And as before β-reduction can be applied to anysubterm.
A subterm (λx : σ.t) s of a term s is called a
::::::::::
β-redex of s.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 134
Example
(λx:(o→o)→o→o.λy:o→o.x (x y)) (λx:o→o.λy:o.x (x y))
−→λy:o→o.(λx:o→o.λy:o.x (x y)) ((λx:o→o.λy:o.x (x y)) y)
−→ λy : o→ o.(λx : o→ o.λy : o.x (x y)) (λz : o.y (y z))
=α λy : o→ o.(λx : o→ o.λu : o.x (x u)) (λz : o.y (y z))
−→ λy : o→ o.λu : o.(λz : o.y (y z)) ((λz : o.y (y z)) u)
−→ λy : o→ o.λu : o.(λz : o.y (y z)) (y (y u))
−→ λy : o→ o.λu : o.y (y (y (y u)))
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 135
TheoremAs for the untyped λ-calculus, the simply typedλ-calculus is confluent.
The simply typed λ-calculus is strongly normalising.
Therefore every typed λ-term has a unique normalform, which can be obtained by β-reducing the term bychoosing arbitrary β-redexe.
Furthermore, two λ-terms are β-equal, if their normalforms are equal (up to α-conversion).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 136
η-RuleIf we have a function f : σ → τ , then this functionapplied to x : σ gives result f x.
Therefore f is as a function the same as λx.f x (wherex is fresh).
However, if for instance f is a variable, we don’t havef =β λx.f x.
Especially, when working later in dependent type theorywe want to identify as many terms as possible, whichare equal.This will make it easier to prove certain goals.
Therefore we introduce a rule, which expresses that f isalways equal to λx.f x w.r.t. β, η-reduction (where x isfresh).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 137
η-RuleThe η-rule expresses that subterms t : σ → τ can beη-expanded to λx.t x (where x does not occur free in t).
However, we need to impose some restrictions, in orderto avoid circularities:
If t is of the form λy.s, then
λx.t x = λx.(λy.s) x −→β λx.s[y := x] =α t ,
so if we allowed to expand t, we would obtain acircularity.If t occurs in the form t r, then we get(λx.t x) r −→β t r.Again expanding t would result in a circularity.All other terms can be expanded without obtaining anew redex.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 138
η-Expansion
::::::::::::::::
η-expansion (or:::::::
η-rule) is the rule which expands onesubterm of a λ-term
of the form r : σ → τ
s.t. r is not of the form λy : σ.t
and such that r is not applied to some other termto λx : σ.r x, where x does not occur free in r.
We writer −→η s:::::::::
for s is obtained from r by the η-rule,
r −→β,η s:::::::::::
for s is obtained from r by using
β-reduction or η-expansion.Notions like −→∗
β,η:::::::
, =β,η::::
,::::::::::::::
β, η-normal:::::::
form, etc.
are to be understood correspondingly.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 139
Example
(λf : (o→ o)→ o→ o.λx : o→ o.f x) f
−→β λx : o→ o.f x
−→η λx : o→ o.λy : o.f x y
−→η λx : o→ o.λy : o.f (λz : o.x z) y
λx : o→ o.λy : o.f (λz : o.x z) y is therefore the
::::::::::::::
β, η-normal:::::::
form of(λf : (o→ o)→ o→ o.λx : o→ o.f x) f .
Since f −→η λx : o→ o.f x, this is as well theβ, η-normal form of f : (o→ o)→ o→ o.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 140
Example 2If we replace in the above example o by o→ o we obtain
(λf :((o→o)→o→o)→(o→o)→o→o.λx:(o→o)→o→o.f x) f
−→βλx:(o→o)→o→o.f x
−→ηλx:(o→o)→o→o.λy:o→o.f x y
−→ηλx:(o→o)→o→o.λy:o→o.λz:o.f x y z
−→ηλx:(o→o)→o→o.λy:o→o.λz:o.f (λu:o→o.x u) y z
−→ηλx:(o→o)→o→o.λy:o→o.λz:o.f (λu:o→o.λv:o.x u v) y z
−→ηλx:(o→o)→o→o.λy:o→o.λz:o.f (λu:o→o.λv:o.x (λw:o.u w) v) y z
−→ηλx:(o→o)→o→o.λy:o→o.λz:o.f (λu:o→o.λv:o.x (λw:o.u w) v) (λu:o.y u) z
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 141
TheoremThe typed λ-calculus with β-reduction and η-expansionis confluent and strongly normalising.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 142
η-RuleWith the η-rule we obtain now that if r : σ → τ , thenr =β,η λx : σ.r x.
If r : σ → τ is of the form λy : σ.t then we haver =β λx : σ.r x:
λx : σ.r x = λx : σ.(λy : σ.t) x
−→β λx : σ.t[y := x]
=α λy : σ.t
= r
Otherwise r −→η λx.σ.r x.
Therefore, every function is of the form λx.something.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 143
η-ReductionIn the literature one often uses instead of η-expansion:::::::::::::::
η-reduction, which allows to reduce λx : σ.r x to r, if x
doesn’t occur free in r.The computation of η-reduction is more difficult thanη-expansion, since one has to check, whether xdoesn’t occur free in r.Therefore in the context of interactive theoremproving, we prefer η-expansion.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 144
ProductsOne can expand the set of λ-types and λ-terms asfollows:
Types are defined as before, but we haveadditionally:
If σ, τ are types, so is σ × τ .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 145
ProductsThe set of typed-λ-terms are defined as before butwe have:
If s : σ, t : τ then 〈s, t〉 : σ × τ :
Γ⇒ s : σ Γ⇒ t : τΓ⇒ 〈s, t〉 : σ × τ
If s : σ × τ , then π0(s) : σ and π1(s) : τ :
Γ⇒ s : σ × τΓ⇒ π0(s) : σ
Γ⇒ s : σ × τΓ⇒ π1(s) : τ
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 146
β-Reduction for Pairsβ-reduction for the pairs is the rule which allows toreplace
any subterm of the form π0(〈r0, r1〉) by r0,any subterm of the form π1(〈r0, r1〉) by r1.
The subterms πi(〈r0, r1〉) are as before called:::::::::::
β-redexeof the term in question.
β-reduction for the typed λ-calculus with productsincludes both β-reduction for functions and β-reductionfor pairs.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 147
η-Expansion for ProductsIf we have a product r : σ × τ , then its projections areβ-equal to the projections of 〈π0(r), π1(r)〉:
π0(〈π0(r), π1(r)〉) =β π0(r),π1(〈π0(r), π1(r)〉) =β π1(r).
Therefore, similarly to functions, we would like to havethat every term r : σ × τ is equal to 〈π0(r), π1(r)〉.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 148
η-Rule for ProductsThe η-rule expresses that subterms t : σ × τ can beη-expanded to 〈π0(t), π1(t)〉
However, as for functions, we need to impose somerestrictions, in order to avoid circularities:
If t is of the form 〈r0, r1〉,
〈π0(t), π1(t)〉 −→β 〈r0, r1〉 = t
so if we allowed to expand t, we would obtain acircularity.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 149
η-Rule for ProductsIf t occurs in the form πi(t), then we get
πi(〈π0(t), π1(t)〉) −→β πi(t) ,
expanding t would result in a circularity.All other terms can be expanded without obtaining anew redex.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 150
η-Expansion for Productsη-expansion for products is the rule which allows toreplace in a typed λ-term t
one subterm s : σ × τ ,which is not of the form 〈r0, r1〉,and does not occur in the form π0(s) or π1(s)
by 〈π0(s), π1(s)〉.
η-expansion for the typed λ-calculus with productsincludes both η-expansion for functions and for pairs.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 151
Example
(λf : (o× o)→ o.λx : o× o.f x) f
−→β λx : o× o.f x
−→η λx : o× o.f 〈π0(x), π1(x)〉
λx : o× o.f 〈π0(x), π1(x)〉 is therefore the::::::::::::::
β, η-normal:::::::
formof
(λf : (o× o)→ o.λx : o× o.f x) f
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 152
TheoremThe typed λ-calculus with products, β-reduction andwith (or without) η-expansion is confluent and stronglynormalising.
We can introduce products as well for the untypedλ-calculus. Then we obtain a confluent (but of coursenon normalising) reduction system.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 153
η-RuleWith the η-rule we obtain now that if r : σ × τ , thenr =β,η 〈π0(r), π1(r)〉.
If r : σ × τ is of the form 〈r0, r1〉 then we haver =β 〈π0(r), π1(r)〉:
〈π0(r), π1(r)〉 = 〈π0(〈r0, r1〉), π1(〈r0, r1〉)〉
−→ 〈r0, r1〉
= r
Otherwise r −→η 〈π0(r), π1(r)〉.
Therefore, every element of a product type is of theform 〈something0, something1〉.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 154
λ-Calculus and Term RewritingOne can combine the λ-calculus with term writing.
Consider the λ-calculus with terms using additionalconstants.
Assume some term rewriting rules as before (whichmight involve some λ-terms).
As in case of ordinary term rewriting, we forminstantiations −→′ of the rules by replacing variables byarbitrary λ-terms (in the extended language).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 155
λ-Calculus and Term RewritingThen s −→ t, if
s β-reduces (or η-expands, if one allows the η-rule)to tor there exists an instantiation s′ −→ t′ s.t. s′ is asubterm of s and t is the result of replacing thissubterm in s by t′.· s′ is called as usual a
:::::::
redex of s.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 155a
λ-Calculus and Term RewritingAssume for instance the rule
double −→ λx.x + x
Then we have
(λf.λx.f (f x)) double
−→ λx. double (double x)
−→ λx. double ((λx.x + x) x)
−→ λx. double (x + x)
−→ λx. (λx.x + x) (x + x)
−→ λx. (x + x) + (x + x)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156
What does Subterm Mean?When referring to ordinary term rewriting rules, then fora term t to have subterm s meant essentially that thereis a term t′ in which a new variable x occurs exactlyonce, and t = t′[x := s].
Replacing this subterm by s′ means that we replace tby t′[x := s′].
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156a
What does Subterm Mean?When referring to λ-terms, this is no longer the case:
Assume for instance the rewrite rule x + 0 −→Rule x.λx.x + 0 has subterm x + 0, but there is no term t s.t.λx.x + 0 = t[y := x + 0]:If we substitute for instance in λx.y y by x + 0 weobtain λz.x + 0.
The reason is that when matching a rewrite rule, freevariables in the instantation of the rule used mightbecome bound.
So we can apply x + 0 −→Rule x to λx.x + 0 and havetherefore λx.x + 0 −→ λx.x.
Replacing a subterm by another subterm is to beunderstood verbally.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156b
Higher Order Rewrite SystemsThe full definition of so called higher order termrewriting systems imposes more restrictions on thereduction rules.
For our purposes the naive interpretation just presentedsuffices.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156c
Reduction to Closed TermsOne can always replace term rewriting rules for theλ-calculus by one in which for all rules s −→Rule t wehave that s, t are closed.
This can be done in such a way that equality (modulothe rewriting rules, β and possibly η) in both systemscoincide:
Assume a rules −→Rule t
and let x1, . . . , xn be the free variables in s.
Then replace this rule by
λx1, . . . , xn.s −→Rule′ λx1, . . . , xn.t .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156d
ProofWe write in the following ~x for x1, . . . , xn.
Assume a term r reduces using this rule in the originalsystem to a term u:
Then r contains a subterm of the form s′ where s′ is theresult of substituting in s xi by some terms ti.
Let t′ be the result of subsituting in t xi by ti. Then u isthe result of replacing s′ in r by t′.
Let then r′ be the result of replacing s′ by(λ~x.s) t1, . . . , tn, and u′ be the result of replacing in s s′
by (λ~x.t) t1, . . . , tn.
Then we have r =β r′ −→Rule′ u′ =β u, so the reductioncan be simulted in the second system.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156e
ProofOn the other hand, if r −→ u by using in the secondsystem the rule λ~x.s −→Rule′ λ~x.t, then r −→ u in theprevious system by using the rule s −→Rule t
r contains a subterm equal to λ~x.s and u is the resultof substituting this subterm in r by λ~x.t.But then r contains the subterm s and t is the resultof substituting this subterm in r by t.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156f
ExampleWe can replace the rewriting rules
x + 0 −→ x
x + S y −→ S (x + y)
by λx.x + 0 −→ λx.x
λx, y.x + S y −→ λx, y.S (x + y)
ThatS (0 + S 0) −→ S (S (0 + 0)) −→ S (S 0)
becomes in the new system
S (0 + S 0) =β S ((λx, y.x + S y) 0 0)
−→ S ((λx, y.S(x + y)) 0 0) =β S (S (0 + 0))
=β S (S ((λx.x + 0) 0)) −→ S (S ((λx.x) 0)) =β S (S 0)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156g
Extended Typed λ-CalculusFinally, we can combine the typed λ-calculus (with orwithout products, with or without η-expansion) with termrewriting rules.
We have to make the following adaptions:We assign a type to each additional constant.The set of typed λ-terms is then introduced by thesame rules as before, but we have as additional rule:
If c is a constant of type σ, then we have
Γ⇒ c : σ
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 157
ExampleAssuming (+) : nat→ nat→ nat, and writing as usualr + s for (+) r s we have the following derivation ofλx : nat.x + x : nat→ nat:
x:nat⇒(+):nat→nat→nat x:nat⇒x:nat
x:nat⇒(+) x:nat→nat x : nat⇒ x : nat
x : nat⇒ (+) x x : nat
(λx : nat.x + x) : nat→ nat
The left most leaf in this derivation follows by the rulefor the constant (+).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 157a
ExampleThen we have
(λf : nat→ nat.λx : nat.f (f x)) double
−→ λx : nat. double (double x)
−→ λx : nat. double ((λx : nat.x + x) x)
−→ λx : nat. double (x + x)
−→ λx : nat. (λx : nat.x + x) (x + x)
−→ λx : nat. (x + x) + (x + x)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 157b
Extended Typed λ-CalculusReduction rules should now be of the formΓ⇒ s −→Rule t : σ (instead of s −→Rule t) where wehave Γ⇒ s : σ and Γ⇒ t : σ.
As before, s shouldn’t be a variable, and allvariables in t should occur in s.· Best guaranteed by demanding that all variables
in Γ occur free in s.One usually omits Γ, σ, if it is clear from thecontext.
Very often, the reduction rules will be of the formc −→Rule t : σ where c is a constant and therefore t aclosed term.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 158
Extended Typed λ-CalculusInstantiations of a rule Γ⇒ s −→Rule t : σ are nowobtained by replacing variables x of type τ by termsr : τ (possibly depending on some context ∆).
Reductions w.r.t. the rules are obtained by replacingsubterms r : σ, which coincide with the left hand side ofan instantiation of a rule r −→′ r′ : σ by the right handside r′.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 159
ExampleAssume
ground type nat,constants (+) : nat→ nat→ nat (written infix, i.e.r + s for (+) r s),and double : nat→ nat.and the reduction ruledouble −→ (λx : nat.x + x) : nat→ nat.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 160
ExampleThen we have
(λf : nat→ nat.λx : nat.f (f x)) double
−→ λx : nat. double (double x)
−→ λx : nat. double ((λx.x + x) x)
−→ λx : nat. double (x + x)
−→ λx : nat. (λx.x + x) (x + x)
−→ λx : nat. (x + x) + (x + x)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 161
Products with many ComponentsWe write σ1 × · · · × σn for (· · · ((σ1 × σ2)× σ3) · · · × σn).
Define a1 : σ1, . . . , an : σn
〈a1, . . . , an〉 := 〈· · · 〈〈a1, a2〉, a3〉, · · · an〉 : σ1 × · · · × σn
One can easily define corresponding projectionsπn
i : (σ1 × · · · × σn)→ σi, s.t.
πni (〈a1, . . . , an〉) =β ai .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 162
Curried/Uncurried FunctionsIn the λ-calculus with products, there are two versionsof a function f taking two integers and returning aninteger:
f1 : (int× int)→ int
f2 : int→ int→ int.
We saythat f1 is in
:::::::::::::
Uncurried form,and f2 is in
::::::::::
Curried from.
The name “Curry” honours Haskell Curry.
The application of these two functions to arguments xand y is written
f1〈x, y〉,f2 x y.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 163
Haskell Brooks Curry
Haskell Brooks Curry(1900 - 1982)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 164
Curried/Uncurried FunctionsThe above generalizes to functions with arbitrarily (butfinitely) many arguments of different type.
The::::::::::
Curried::::::::::
version of a function f with argumentsof types σ1, . . . , σn and result type ρ is of type
σ1 → · · · → σn → ρ .
The:::::::::::::
Uncurried::::::::::
version of it has type
(σ1 × · · · × σn)→ ρ .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 165
UncurryingWe can obtain from the Curried form fCurry of a functionits Uncurried form fUncurry by
fUncurry = λx.fCurry π0(x) · · · πn(x)
where πni : (σ1 × · · · × σn)→ σi are the projections.
One can as well define a λ-term
Uncurry:::::::::
: (σ1 → · · · σn → ρ)→ (σ1 × · · · × σn)→ ρ
Uncurry := λf, x.f π0(x) · · · πn(x)
s.t. Uncurry fCurry −→β fUncurry.
This transformation is called::::::::::::::
Uncurrying.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 166
CurryingWe can obtain from the Uncurried form fUncurry of afunction its Curried form fCurry by
fCurry = λx1, . . . , xn.fUncurry 〈x1, . . . , xn〉
Again we can define
Curry::::::
: ((σ1 × · · · × σn)→ ρ)→ σ1 → · · · → σn → ρ
Curry := λf, x1, . . . , xn.f 〈x1, . . . , xn〉
s.t. Curry fUncurry −→β fCurry.
This transformation is called:::::::::::
Currying.
It is an easy exercise to show Curry (Uncurry f) =β,η f
and Uncurry (Curry f) =β,η f .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 167
(Un)Currying in ProgrammingThe Uncurried form of a function corresponds to theform functions are presented usually outside functionalprogramming.
In functional programming one often prefers the Curriedform.
This allows to apply a functional partially to itsarguments.E.g. if we take (+) as usual in Curried form, then(+) 3 : int→ int is the function taking x and returningx + 3.For instance map ((+) 3) [1, 2, 3] = [4, 5, 6]:If we apply the function increasing every x by 3 to thelist [1, 2, 3], we obtain the result of incrementing eachlist element by 3, i.e. [4, 5, 6].
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 168
(Un)Currying in ProgrammingOne usually avoids in functional programming (and aswell in Agda) the formation of products (or recordtypes).
The packing and unpacking of products makesprogramming often harder.E.g. instead of defining a function f : σ → (ρ× τ) it isusually better to form two functions f1 : σ → ρ andf2 : σ → τ , (which are often defined simultaneously).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 169
(e) Basic Derivations in AgdaAgda is based on dependent type theory.
This extends the simply typed λ-calculus.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 170
Notations in AgdaIn type theory, one uses single colons “:” for “has type”,as we did above.
In Haskell and as well in Cayenne, “:” is used in lists,and “::” is used for “has type”.
In order to be close to Haskell and Cayenne, it wasdecided to use in Agda as well “::” (although listshaven’t been introduced yet).
In this lecture we willusually use “:”,except when referring to explicit Agda code (then “::”is used).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 171
Notations in AgdaIn Agda one writes \(x :: A)− > r for λx : A.r.
A can often be inferred by Agda automatically, usingmenuSolve (C-c =)(When presenting keyboard-macros, “C-c” stands for“Control-c”.)
When presenting Agda code we will write λ(x :: A)→ rfor the above, so λ means \ and→ means -> in realAgda code.
When reasoning in type theory itself (outside Agda), weuse standard type theoretic notation λx : A.r.
We sometimes omit A, and write simply λx.r.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 172
PostulateIn Agda one has no predefined types, all types have tobe defined explicitly (e.g. the type of natural numbers,the type of Booleans, etc.).
In order to obtain ground types with no specificmeaning (like o above), we have to postulate suchtypes, (or use packages as introduced later).
In Agda the lowest type level, which corresponds totypes in the simply typed λ-calculus, is called for historicreasons Set.
So in order to introduce a ground type A we write:
postulate A :: Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 173
PostulateWe can now introduce other constants.For instance, in order to introduce a function from A toB where A and B are ground types, and an element oftype A, we write the following:
postulate A :: Setpostulate B :: Set.postulate f :: A→ B.postulate a :: A.
See examplePostulate1.agda
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 174
Basic Usage of AgdaInstructions on how to install Agda can be found underhttp://www-compsci.swan.ac.uk/∼csetzer/othersoftware/agda/agdainstallation.html
The installation will provide an Emacs/XEmacs modefor agda files.
If a file with extension .agda is loaded intoEmacs/XEmacs, then this mode is invoked.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 175
Basic Usage of AgdaThere are two menus:
One from the top menu line of Emacs/XEmacs,invoked with a right mouse click.One which is activated at any position in the buffer,again invoked by a right mouse click.(Under Emacs, this menu is only active when one isinside a goal – see below).The latter one depends on where one is in the buffer.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 176
Basic Usage of AgdaOn the menu, with each menu a keyboard short cut ispresented.It is advisiable to learn the most frequently used ones.
In order to type check the buffer, useLoad-Buffer (C-c C-x C-b).
Agda allows to load several buffers in sequence, and tokeep the old definitions.
E.g. one has one file, containing the definition of thenatural numbers, and one main file using it.Then one first loads the file containing the naturalnumber definitions, and then the main file.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 177
Basic Usage of AgdaDefinitions introduced must be consistent – eachdefinition can occur only once.
When moving to a different file, which associates withthe same identifier the same or a different definition,one gets an error, since the other definition from theprevious file is still present.
In order to get rid of the previuos definition, one hasto restart Agda first, using(Re)start Agda (C-c C-x C-c).‘
Can be used as well in case Agda crashes (whichhappens sometimes, since evaluation of terms canbe very time and space intensive).
Then one has to load the buffer.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 178
Basic λ-Termspostulate A :: Setpostulate B :: Set.postulate f :: A→ B.postulate a :: A.
Assuming the above postulates, we can now introducenew terms.
We have to give a name and a type to each newdefinition.
Example:Using the above postulates, we can define b := f a : Bas follows:b :: B
= f a
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 179
Basic λ-Termspostulate A :: Setpostulate B :: Set.postulate f :: A→ B.postulate a :: A.b :: B
= f a
We can as well introduce g := λx : A.x : A→ A asfollows:g :: A→ A
= λ(x :: A)→ x
See examplePostulate2.agda
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 180
λ-Termspostulate A :: Setpostulate B :: Set.postulate f :: A→ B.postulate a :: A.
Instead of defining λ-terms by using λ directly, it isusually more convenient to use a notation of thefollowing kind:g (a :: A)
:: A
= a
Note that in the above example, the local a overridesthe global a.
See examplePostulate3.agda
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 181
Goalspostulate A :: Setpostulate B :: Set.postulate f :: A→ B.postulate a :: A.
In Agda one can leave terms or types, which onedoesn’t know yet, open.
The part left open is written as ! !, and we say“goal” for it.
Example:g (x :: A)
:: A
= ! !
exampleGoal1.agda
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 182
GoalsWhen the buffer is loaded, the goal will be shown in adifferent colour, and one can only edit inside or outsidethe goal.
Each goal gets a number.
When inside a goal, the menu active from inside thebuffer,
when using XEmacs, changes to the::::::::::::::
goal-menu;when using Emacs, is activated and becomes thegoal-menu. (Outside a goal this menu doesn’t exist).
If one wants to edit the buffer in a way which isimpossible because of the restrictions of editing goals,one can do so by using menu Text State.
When reloading the buffer one gets back to the statein which goals have special status.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 183
GoalsUsing the goal-menu, we can find out
what type is expected:Type of Goal C-c C-t.Agda shows: ?0 :: AThere is as well a variantType of Goal (unfolded) C-c C-x C-r.It evaluates the type of the goal using reduction rules(see later).
Using the main menu we can always show the types ofall goals (show-goals).
We can as well jump to the next and previous goalusing menu items Next Goal and Previous Goal.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 184
GoalsInside a goal we can as well find out the current context:
Using menu Context.In our example Agda shows:a :: A
g :: (x :: A)→ A
a :: A
f :: A→ B
B :: Set
A :: Set
.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 185
Indentation SensitivityAgda is indentation sensitive.
So often instead of having parentheses “〈Code〉”, asin other languages, all lines belonging to 〈Code〉 have tobe intended more then the surrounding code, andusually in the same way.
Therefore top level definitions have to start in column1.Otherwise they are considered as being an extension ofa previous definition.
All code belonging to such a definition in later columnshas to be intended at least once.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 186
Indentation SensitivityExample: The following causes an error:postulate A :: Setpostulate B :: Set
We have to type instead:postulate A :: Setpostulate B :: Set
The following causes an error:a′ :: A= a
We have to type instead:a′ :: A
= A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 187
Derivations in AgdaIn Agda, rules are implicit.
The rulef : A→ B a : A
f a : B
corresponds to the following:
Assume we have introduced:g :: D → E, d :: D.
and want to solve the goal! ! :: E.
exampleSimpleDerivation4.agda
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 188
Derivations in Agda (Cont.)Then we can fill this goal by typing in g d:
! g d ! :: E
If we then choose goal-menu Refine (C-c C-r), thesystem shows:
g d :: E.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 189
RefinementAssume in the above situation that we don’t know whatto insert.We only guess that it has to be of the form g applied tosome arguments.
We can see this since the result type of g is E(g : D → E).
Then we can insert g and use menu Refine (C-c C-r)
The system shows g ! ! :: E.
We can ask for the type of the new goal ! !, and get:! ! :: D
Now we can solve this goal by filling in d and usingrefine: g d :: E.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 190
JudgementsIn ordinary functional programming, it is easy todetermine the correctly formed types.In dependent type theory the type structure is richerand more complicated.
Proof steps are required to conclude that something isa type.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 191
JudgementsTherefore we have not only the judgement as infunctional programming
a : A
but as well a typing judgement A is a type, written (aswe have already seen)
A : Set
Before deriving a : A, where A is a constant, we firsthave to show A : Set.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 192
Equality JudgementsAgda will identify terms which have the same normalform.E.g. s := (λ(x : A).x) r and r will be identified.
If one needs at some place r, one can insert s insteadof r and vice versa.
In Agda this is done automatically, the user doesn’t seesuch equalities.
There is not even a direct command available inAgda, which allows to check whether two terms areequal (this could probably be added easily).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 193
Examplepostulate A :: Setpostulate a :: Apostulate f :: A→ Set
g (a :: A)
:: A
= a
a′ :: A
= ga
p (x :: fa)
:: (fa′)
= ! !
exampleSimpleEquality2.agda
Since a′ = g a = a, we can solve the goal by using x.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 194
Equality JudgementsWhen using the simply typed λ-calculus, we couldseparate the derivation of λ-terms, from reductions.
When using dependent type theory as in Agda,reductions and derivations have to be integrated.
Traditionally, instead of introducing reductions, oneintroduces in dependent type theory equalities betweenterms.
Written asr = s : A
for r and s are equal elements of set A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 195
ExampleThe rule expressing that π0(〈a, b〉) −→ a reads in thisstyle as follows:
a : A b : Bπ0(〈a, b〉) = a : A
= is not directed, so we have as well the rule
a = b : Ab = a : A
We can therefore derive:
a : A b : Bπ0(〈a, b〉) = a : A
a = π0(〈a, b〉) : A
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 196
Equality Judgements (Cont.)We will have as well equality between types, written as
A = B : Set
This is something novel in dependent type theory.In simple type theory, there is only one way of writinga type.
For instance if we assume f : A→ Set, then if a = a′ : Athen f a = f a′ : Set.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 197
Four JudgementsSo we have the following 4 types of judgements:
A : Set “A is a type”.a : A “a is of type A”.A = B : Set “A and B are equal types”.a = b : A “a and b are equal elements of type A”.
In Agda, only A : Set and a : A are explicit.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 198
(f) Dependent JudgementsAs for the simply typed λ-calculus, in dependent typetheory, judgements might depend on a context.
So we obtain judgements of the form
x1 : A1, . . . , xn : An ⇒ A : Set
x1 : A1, . . . , xn : An ⇒ A = B : Set
x1 : A1, . . . , xn : An ⇒ s : A
x1 : A1, . . . , xn : An ⇒ s = t : A
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 199
Need for Context Rulesx1 : A1, . . . , xn : An ⇒ A : Set
· · ·
To derive such judgements requires that we know
A1 : Set
x1 : A1 ⇒ A2 : Set
x1 : A1, x2 : A2 ⇒ A3 : Set
· · ·
x1 : A1, x2 : A2, . . . , xn−1 : An−1 ⇒ An : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 200
Context RuleNote that we didn’t require derivations as above in thesimply typed λ-calculus, since it was easy to veryifywhether something is a valid type.
In case of dependent types A : Set requires a derivation.
It can be as complicated to derive A : Set as it is toderive a judgement b : B:One can compute from an unchecked judgement a : Aan unchecked type expression B s.t. a : A holds iffB : Set holds.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 201
Context RuleIn order to organise this in a better way we introduce anadditional judgement Γ⇒ Context for “Γ is a validcontext”.
That x1 : A1, . . . , xn : An ⇒ Context holds means exactlywhat we had above, i.e.:
A1 : Set
x1 : A1 ⇒ A2 : Set
x1 : A1, x2 : A2 ⇒ A3 : Set
· · ·
x1 : A1, x2 : A2, . . . , xn−1 : An−1 ⇒ An : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 202
Five Dependent JudgementsSo we have therefore 5 dependent judgements:
x1 : A1, . . . , xn : An ⇒ A : Set
x1 : A1, . . . , xn : An ⇒ A = B
x1 : A1, . . . , xn : An ⇒ s : A
x1 : A1, . . . , xn : An ⇒ s = t : A
x1 : A1, . . . , xn : An ⇒ Context
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 203
ExampleThe assumption rule, which in case of the simply typedλ-calculus read:
Γ⇒ x : σ (if x : σ occurs in Γ)
reads in dependent type theory as follows (assumingthat x : A occurs in Γ:
Γ⇒ ContextΓ⇒ x : A
Similarly we have to deal with the rule introducingconstants.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 204
Notations for Judgements, Contextsθ will in the following denote an arbitrary non dependentjudgement, i.e. one of the following :
A : Set,A = B : Set,a : A,a = b : A.
Γ, ∆ will usually denote contexts.
We have the same notations as before, i.e.Γ,∆ is the result of concatenating contexts Γ, ∆,Γ, x : A is the result of extending the context Γ byx : A,∅ is the empty context.We write for ∅ ⇒ θ usually simply θ.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 205
Contexts in AgdaIn Agda, we have no explicit judgements depending oncontexts.
Not needed, since we don’t derive judgments usingrules directly.
However, if we have the open judgement
f (x :: B)
:: A
= ! !
Then we can make use of x :: B for refining the goal.
So we have to solve the goal in context x :: B.
This context can be shown using goal menu Context.
See exampleShowContext.agda.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 206
Example: Derivation of double(See exampleDoubleString2.agda.)
We derivedouble := (λx.concat x x) : ((x : String)→ String) inAgda, assuming definitions of String and concat.
We start withdouble (x :: String)
:: String
= ! !
We can insert into the goal concat:
double (x :: String)
:: String
= ! concat !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 207
Example: Derivation of doubleWhen using goal-menu refine, we obtain:
double (x :: String)
:: String
= concat ! ! ! !
We can check now using goal-menu Type of Goal (orType of Goal (unfolded) that the two new goals requireboth type String.
We can check using goal-menu Context that thecontext of both goals contain x :: String.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 208
Example: Derivation of doubleWe insert x into the first goal and refine:
double (x :: String)
:: String
= concat x ! !
Doing the same with the second goal gives:
double (x :: String)
:: String
= concat x x
We are done.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 209
double in Type TheoryA derivation of
double := λx : String.double x x
in Type Theory, assuming global constants
String : Set ,
concat : String→ String→ String ,
is as follows:We first derive x : String⇒ Context:
∅ : Context String : Setx : String⇒ Context
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 209a
double in Type TheoryThe remaining derivation is as follows (using the abovederivation):
x:String⇒Context
x:String⇒concat:String→String→String
x:String⇒Context
x:String⇒x:String
x:String⇒concat x:String→String
x:String⇒Context
x:String⇒x:String
x:String⇒concat x x:String
double:=λx:String.concat x x:String→String
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 209b
(g) Dependent TypesAssume we want to assign a type to a sorting functionsort on lists of natural numbers.
In most programming language, the type of it isessentially
sort : NatList→ NatList
for the type of lists of natural numbers NatList.
In dependent type theory, we can demand morecorrectness, namley that its type is
sort : NatList→ SortedList .
We assume some notion of NatList (list of naturalnumbers).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 209c
SortedListWhat is SortedList?
An element of SortedList is a list which is sorted.It is a pair 〈l, p〉 s.t.
l is a NatList.p is a proof or verification that l is sorted:· p : Sorted(l).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 210
Sorted ListsFor the moment, ignore what is meant by Sorted(l) as atype.
Only important: Sorted depends on l.Sorted(l) is a predicate expressed as a type.
Elements of SortedList are pairs 〈l, p〉 s.t.l : NatList.p : Sorted(l).
Sorted(l) is a dependent type.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 211
Sorted Lists (Cont.)An element of Sorted(l) will be a proof that l is sorted.
If l is sorted, then Sorted(l) will be provable, andtherefore will have an element.
It is possible to write a program which computes anelement of Sorted(l).
If l is not sorted, then Sorted(l) will have no proof and itwill therefore no element.
Then it is not possible to write a program whichcomputes an element of Sorted(l).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 212
The Dependent ProductThen the pair 〈l, p〉 will be an element of
SortedList := (l : NatList)× Sorted(l) .
SortedList is the type of pairs 〈l, p〉 s.t.l : NatList,p : Sorted(l).
called the::::::::::::::
dependent::::::::::
product
sort : NatList→ ((l : NatList)× Sorted(l)) expresses:sort converts lists into sorted lists.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 213
The Dependent Function TypeFrom a sorting function we know more:
It takes a list and converts it into a sorted listwith the same elements.
Assume a type (or predicate) EqElements(l, l′) standingfor
l and l′ have the same elements.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 214
The Dependent Function TypeA refined version of sort has type
(l : NatList)→ ((l′ : NatList)×Sorted(l′)×EqElements(l, l′))
“sort(l) is a list, which is sorted and has the sameelements”.
“sort is a program, which takes a list and returns asorted list with the same elements.”
The type of sort is an instance of the::::::::::::::
dependent:::::::::::
function::::::
type:The result type depends on the arguments.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 215
(h) Dependent Types in ProgrammingDependent types are often needed in programming, evenif no verification is needed.We give some examples:
In Java, a relatively big library of “collection classes” isavailable.
Provides implementations of lists, sets, hash tables,etc.It would be nice to have “lists of type A”.However this is a dependent type, depending on atype A.Cannot be expressed in Java.Instead, in Java only lists of elements of typeObject are available.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 216
Dependent Types in Programming(Collection classes in Java, Cont.)
Elements of other types have to be upcasted toObjectElements of the list have then to be downcasted totheir original type.
Type checking happens at run time rather than atcompile time.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 217
ExampleAssume a class StudentEntry.
If we have a list listOfStudentEntries, and add to it anelement studentEntry of type StudentEntry, this element willfirst be converted (upcasted) to type Object.
If we retrieve an element (e.g. the first element) oflistOfStudentEntries, we obtain an element of Object.
If it was originally a StudentEntry, we can cast thiselement down to StudentEntry.However, whether we have an element ofStudentEntry, cannot be determined at compiletime, only at run time.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 218
PolymorphismWhat is needed is a weak form of dependent types,called
:::::::::::::::::::
polymorphism.Types might depend on other types but not onelements of types.
In C++, this form of dependency is available (called:::::::::::::
templates).One writes for instance List<A> for lists of type A.
In Java, it might be available in the next release 1.5.
In C#, it will be available in the next release.
In Haskell and ML it is available.E.g. \ x→x :: α⇒ α→ α,which means that λx.x is of type α→ α for everytype α.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 219
Dependent Types in ProgrammingMatrix multiplication is an operation, which takesthree natural numbers n,m, k, an n×m-matrix and anm× k-matrix, and has as result an n× k-matrix.The type of this function is a dependent type: Thetypes of n×m-matrices, of m× k-matrices and ofn× k-matrices depend on n, m, k.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 220
Matrix MultiplicationUsually, this problem is solved by
taking matrices which are big enough and restrictingthe operation to n×m, m× k and n× k sub-matrices,
waste of memoryor by dynamically allocating arrays.
This means memory allocation has to be done atrun time.
In both solutions, checking that the dimensions arein accordance has to be done at run-time.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 221
Type of Matrix MultiplicationLet N be the type of natural numbers(i.e. 0, 1, . . . ,; N will be introduced later).
Let Mat(n,m) be the type of n×m-matrices.(Will be introduced later).Then matrix multiplication has type
(n : N)
→ (m : N)
→ (k : N)
→ Mat(n,m)
→ Mat(m, k)
→ Mat(n, k)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 222
Type of Matrix Multiplication (Cont.)A shorter notation for this type is
(n,m, k : N)
→ Mat(n,m)
→ Mat(m, k)
→ Mat(n, k)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 223
Dependent Types in ProgrammingDigital Components.
A digital component (e.g. a logic gate) with n inputs andm outputs can be considered as a functionBooln → Boolm.
In general such a component is a triple consisting ofn, the number of inputs,m, the number of outputs,a function f : Booln → Boolm.
The type of f depends on n and m, an example of adependent type.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 224
Dependent Types in ProgrammingPredicates are dependent types.
See the types of sort above.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 224a
Dependent Types in LinguisticsAarne Ranta has used dependent types in linguistics:
In a sentence like “The man goes home”, thepredicate
in grammar the predicate is “what is said about thesubject of a sentence”;it consists essentially of the verb and whatcompletes the verb;here it is “goes home”
depends on, whether the subjectin grammar the subject is the noun or itsequivalent about which a sentence is predicated;here it is “The man”
is singular (then the predicate is “goes home”)or plural (then the predicate is “go home”).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 225
Dependent Types in LinguisticsAarne Ranta constructed grammars based ondependent types, and used them for translatingsentences between different languages automatically.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 225a
2. The Logical Framework(a)
(b)
(c)
(d)
(e)
(f)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2 226
(a) Basic Form of Rules
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 227
Four Kinds of Rules(g) For each type construction we have usually 4 kinds of
rules:(1) Formation Rules.(2) Introduction Rules.(3) Elimination Rules.(4) Equality Rules.
Additionally there are equality versions of theformation, introduction and elimination rules.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 228
(1) Formation RulesThe
::::::::::::
formation::::::::
rules introduce new types.
Each type construction has one such rule.
The conclusion of such a rule will have the form:
C(a1, · · · , an) : Set .
where C is a::::::::::::::::::::::
type-constructor,a1, . . . , an are its arguments.
n = 0 is possible, in which case we write C instead ofC().
Later, we will introduce higher levels Type,Kind, . . ..Then we have formation rules with conclusionC(a1, . . . , an) : Type (or : Kind, etc.).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 229
Logical FrameworkPreliminarily, we will be using type theory without thelogical framework.
For instance, below we will introduce
List(A) : Set
for any A : Set, the set of lists of elements of A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 230
Logical FrameworkUntil we have introduced the full logical framework, itdoesn’t make sense to talk about List itself, which wouldhave type
List : Set→ Set .
The problem is that Set→ Set doesn’t make sensewithout the logical framework.
The full logical framework is conceptually more difficult,that’s why we delay its introduction.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 231
Logical FrameworkWhen working later with the full logical framework,constructors will have their own type.
Then what is now
C(a1, . . . , an)
will be written asC a1 · · · an ,
namely the application of the constructor C toarguments a1, . . . , an.
For instance we will write then List A instead of List(A).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 232
Logical FrameworkAgda has the logical framework built in, so in Agda Listwill be a function Set→ Set, in Agda notation:
List (A :: Set)
:: Set
= · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 233
Example 1: The Set of Lists
A : Set (List-F)List(A) : Set
The type-constructor is List.
List(A) is the type of lists of type A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 234
Ex. 2: The Set of Natural NumbersFormation rule for the type of natural numbers:
N : Set (N-F)
The type-constructor is N.Note that the formation rule for N has 0 premises(therefore the fraction bar is omitted).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 235
Ex. 3: The Non-Dependent ProductFormation rule for the non-dependent product:
A : Set B : Set (×-F)A×B : Set
A×B stands for (×)(A,B).The type-constructor is (×).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 236
Formation Rules in AgdaThe formation of a type is usually done by introducing aconstant of a certain type.
Example 1:
List (A :: Set)
:: Set
= · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 237
Example 2: (×)
Agda syntax for introducing thenon-dependent product:
(×) (A :: Set)
(B :: Set)
:: Set
= · · ·
· · · is an Agda definition of this type (more about thislater).× is ASCII symbol 215 (not the letter x).
There are as well predefined versions of the product(and of the function type) in Agda (see later).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 238
(2) Introduction RulesThe
::::::::::::::::
introduction:::::
rule introduces elements of a type.
The conclusion of such a rule will have the form
C(a1, . . . , an) : A
whereA is a type introduced by the correspondingformation rule,C is a constructor or term-constructor,a1, . . . , an are terms.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 239
Introduction Rule, Example 1aThe set NatList of lists of natural numbers withformation rule
NatList : Set (NatList-F)
has two introduction rules:
nil : NatList (N-Inil)
n : N l : NatList (NatList-Icons)cons(n, l) : NatList
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 240
Introduction Rule, Example 1bWe generalise the previous example to lists of arbitrarytype.
Lists of type A have two introduction rules:
A : Set (List-Inil)nilA : List(A)
a : A l : List(A)(List-Icons)
consA(a, l) : List(A)
In case of the rule for nil, we needed the premiseA : Set in order to guarantee that we can form the typeList(A).
In case of the rule for cons, this premise is implicit inthe premise a : A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 241
Conflicting ConstructorsWe shouldn’t use the same constructors for differentsets. So if we want to use both NatList and List(A), wehave to choose a notation like natnil instead of nil : N,similarly for cons.
We will usually ignore this distinction, if it doesn’t causeconfusion.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 242
Example 2: Natural Numbers.The natural numbers N can be considered as beingformed from two operations:
0,S where S(n) = n + 1.
Using these two operations we can form 0, S(0) = 1,S(1) = 2, . . . and therefore all natural numbers.
So the constructors of N are 0 and S.
The introduction rules of N are:
0 : N (N-I0)
n : N (N-IS)S(n) : N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 243
Canonical Elements:::::::::::::
Canonical::::::::::::
elements of a type are those introduced byan introduction rule.
Canonical elements therefore always start with aconstructor.
Examples:0, S(2 + 3) in case of N.
Here 2 stands for S(S(0)) and 3 for S(S(S(0))).nil, cons(1 + 1, concat cons(0, nil) nil) in case ofNatList.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 244
Non-Canonical ElementsTerms can usually be reduced further
Example:
2 + 3 = 2 + S(2) −→ S(2 + 2) .
The underlying reduction system is essentially a termrewriting system combined with the λ-calculus.
Therefore we can apply reductions to subterms.
A term is a::::::::::::::::::
non-canonical:::::::::::
element of a type, if itreduces to a canonical element of that type.
Each element of a type (depending on the emptycontext) in dependent type theory will either be acanonical or a non-canonical element of that type.
Consequence of the normalisation theorem.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 245
Non-Canonical ElementsE.g. 2 + 3 is a non-canonical element of N, sinceS(2 + 2) is a canonical element of N.
However, we have
x : N⇒ x : N
and x doesn’t reduce to a canonical element of N.However, if we substitute for x any closed element ofN, we get a canonical or non-canonical element of N.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 246
Constructors in AgdaIn Agda the constructor C of type A is written as C@(A).
If A can be inferred automatically, we can replace theabove by C@_.
As type-constructors, in Agda constructors are as independent type theory with the logical framework,i.e. we have
nil@(List N) :: List N
cons@(List N) :: (n :: N)
→ (l :: List N)
→ List N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 247
Constructors in AgdaSince notations like nil@(List N) are usually toocumbersome, it is better to introduce abbreviations:
nil :: List N
= nil@_
cons (n :: N)
(l :: List N)
:: List N
= cons@_ n l
Note that the above introduces nil, cons for List N, andnot for the general case List A for any type A. (Thatwould require an extra argument A : Set).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 248
(3) Elimination RulesElimination rules allow to take an element of a typeand compute from it an element of another type.
Example 1: The introduction rule for the non-dependentproduct is
a : A b : B (×-I)〈a, b〉 : A×B
The elimination rules are the first and secondprojections:
c : A×B(×-El0)
π0(c) : A
c : A×B(×-El1)
π1(c) : B
The equality rules will express π0(〈a, b〉) = a,π1(〈a, b〉) = b.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 249
Example 2: Addition in N
n : N m : N (N-El+)n + m : N
Equality rules will expressn + 0 = n.n + S(m) = S(n + m).
The equality rules show that n is only a parameter,we are eliminating the second argument m.Proceeding like this would require one eliminationrule for each function from N we want to define.Instead we will later introduce one generalelimination rule, which will allow to introduce allfunctions we expect to be definable, including allprimitive-recursive ones.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 250
Elimination vs. Introduction RulesElimination rules invert the introduction rules.
In case of A×B, the canonical elements are of theform 〈a, b〉 for a : A, b : B.
A non-canonical element of type A×B mustreduce to a canonical element.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 251
Elimination in AgdaElimination for builtin types has special notation.
For user defined types, elimination is realized bycase distinction.
Example: Definition of addition in N:
(+) (n,m :: N)
:: N
= case m of
(Z)→ n;
(S m′)→ S (n + m′)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 252
(4) Equality RulesThe canonical element for an element, which is theresult of an elimination, can always be computed asfollows:
Reduce the element to be eliminated to canonicalform.Then make one reduction step (Red).The result will be a canonical or non-canonicalelement of the target type.Reduce it to canonical form.
For instance in case of A×B, (Red) are the reductionsπ0(〈a, b〉) −→ a.π1(〈a, b〉) −→ b.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 253
Equality RulesIn case of (+), (Red) are the reductions
n + 0 −→ n.n + S(m) −→ S(n + m).Note that the second argument is the argumentwhich we are “eliminating”.
So the computation of 0 + (1 + 1) is as follows:
0+(1+1) = 0+(S(0)+S(0)) −→ 0+S(S(0+0)) −→ S(0+S(0+0))
The result is already in canonical form (but not innormal form since it can be reduced further).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 254
Equality RulesEquality rules express (Red) type theoretically.
They describe what happens, if onefirst introduces an element and then immediatelyeliminates it.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 255
Example (Equality Rule)The first equality rule for A×B is as follows:
a : A b : B (×-Eq0)π0(〈a, b〉) = a : A
In the first judgement we can derive π0(〈a, b〉) : A asfollows:
a : A b : B (×-I)〈a, b〉 : A×B
(×-El0)π0(〈a, b〉) : A
So it is derived by first introducing 〈a, b〉 and theneliminating it immediately.
The equality rule explains how to reduce that element(namely to a : A).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 256
Example (Equality Rule, Cont)The second equality rule for × is similar:
a : A b : B (×-Eq1)π1(〈a, b〉) = b : B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 257
Example 2 (Equality Rule)The first equality rule for + is as follows:
n : N (N-Eq+,0)n + 0 = n : N
n + 0 : N can be derived by first introducing 0 : N andthen by eliminating it using +.
(The right hand side is an axiom, the left hand sidehas to be concluded using some derivation.)
n : N 0 : N (N-El+)n + 0 : N
The equality rule explain how to reduce n + 0.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 258
Example 3 (Equality Rule)The second equality rule for + is a s follows:
n : N m : N (N-Eq+,S)n + S(m) = S(n + m) : N
n + S(m) : N can be derived by first introducing S(m) : Nand then by eliminating it using +:
n : N
m : N (N-IS)S(m) : N
(N-El+)n + S(m) : N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 259
Equality Rules in AgdaEquality Rules in Agda are implicit.
The notation for elimination however indicates alreadyhow the reductions take place.
(+) (n,m :: N)
:: N
= case m of
(Z)→ n;
(S m′)→ S (n + m′)
Functions corresponding to elimination are defined bytelling how elimination operates.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 260
Equality Versions of the RulesWe have equality versions of the formation,introduction, and elimination rules.
These express: if we replace the terms in thepremises by equal ones, we obtain equal results.
Example: Equality version of the formation rule for List:
A = B : Set (List-F=)List(A) = List(B)
Example: Equality version of the formation rule for N(degenerated):
N = N : Set (N-F=)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 261
Equality Versions of RulesExample: Equality version of the introduction rules forList (rule for nil is degenerated):
A : Set (List-I=nil)nilA = nilA : List(A)
a = a′ : A l = l′ : List(A)(List-I=cons)
consA(a, l) = consA(a′, l′) : List(A)
Example: Equality version of the elimination rule for(+), N:
n = n′ : N m = m′ : N (N-El=+)n + m = n′ + m′ : N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 262
Equality Versions of RulesThe equality versions of the rules in questions can beformed in a straight-forward way, once one knowsthe non-equality version.
We will often not mention them.
In Agda they are implicit (part of the reductionmachinery).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 263
(b) Nondep. Funct. Type and ProductWe introduce in the following non-dependent versions of the
product and the function type.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 264
The Non-Dependent Product
Formation Rule A : Set B : Set (×-F)A×B : Set
Introduction Rule a : A b : B (×-I)〈a, b〉 : A×B
Elimination Rulesc : A×B
(×-El0)π0(c) : A
c : A×B(×-El1)
π1(c) : B
Equality Rules a : A b : B (×-Eq0)π0(〈a, b〉) = a : A
a : A b : B (×-Eq1)π1(〈a, b〉) = b : B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 265
The η-RuleThe η-rule does not fit into the above schema:
c : A×B(×-η)
c = 〈π0(c), π1(c)〉 : A×B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 266
Equality Versions of the ×-RulesEquality Version of the Formation Rule
A = A′ : Set B = B′ : Set (×-F=)A×B = A′ ×B′ : Set
Equality Version of the Introduction Rule
a = a′ : A b = b′ : B (×-I=)〈a, b〉 = 〈a′, b′〉 : A×B
Equality Versions of the Elimination Rules
c = c′ : A×B(×-El=0 )
π0(c) = π0(c′) : A
c = c′ : A×B(×-El=1 )
π1(c) = π1(c′) : B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 267
The Product in AgdaIn Agda, the product is represented as a record type.
Assume we have introduced A,B :: SetThen we can introduce the record type
D :: Set
= siga :: A; b :: B
One can introduce longer record types as well, e.g.
siga :: A; b :: B; c :: C; e :: E
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 268
The Product in AgdaD = siga :: A; b :: B
Elements of a record type are introduced as follows:Assume we have a′ :: A, b′ :: B.Then we can introduce in the above situation
c :: D
= structa = a′; b = b′ :: D
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 269
The Product in AgdaD = siga :: A; b :: B
Elimination of elements of the record type is recordselection.Assume d :: D. Then we have
d.a :: A
d.b :: B
If c = structa = a′; b = b′, then we have:
c.a is equal to a′
c.b is equal to b′
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 270
The Product in AgdaUnfortunately, the builtin product (record type) in Agdadoes not behave very well.
This is due to the fact that Agda doesn’t support theη-rule.In this setting η-equality would assert that if
c :: siga :: A; b :: B
thenc = structa = c.a; b = c.b
In most cases one can avoid this, by using theinductively defined Σ-type, which will be treated later.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 271
Problem of the η-RuleThe exact problem of the missing η-rule is as follows:
Assume we have s :: siga :: N; b :: N.If we then make case distinction on s.a : N, we knowin case of s.a = Z not that s = structa = Z; b = s.b.
This is since we don’t know without the η-rule,whether s = structa = s.a; b = s.b.If we had the η-rule we would gets = structa = s.a; b = s.b = structa = Z; b = s.b
If we use instead of sig the inductively definedproduct, we can make case distinction on anelement, e.g. s = p a b, and if we then make casedistinction on a, we get in case a = Z, that s = p Z b.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 271a
Expensiveness of the η-RuleThe reason for not having the η-rule is that it iscomputationally expensive.
Whether we can expand s to structa = s.a; b = s.bdepends on, whether s :: siga :: A; b :: B.All other reductions can be applied to terms withoutknowing the exact type of the term –in case of η, we need to know this type.So, in order to allow η-rule as part of the reductionsystem, we need to carry along with each term (andas well with each subterm) its type, which requiresan enormous additional overhead.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 271b
Indentation SensitivityFor sig, struct and some other constructs to beintroduced later (let, case, packages, probably somemore) there are two versions for determining the scopeof the construct:
Using “” and “”.The scope is what is enclosed in those brackets.The selections must be separated by “;”.In case of let (see below), “” and “” can beomitted.For instancestructa = a0; b = b0 :: siga :: A; b :: B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 272
Indentation SensitivityUsing indentation.
The scope are the following lines which areindented more than the keyword “struct”, “sig” etc.The first characters in each line must be indentedin the same way as the first line following the“struct”, “sig” etc.What forms the definition, must be more indentedthan the rest.Example:siga :: Ab :: B
is the indentation sensitive version ofsiga :: A; b :: B.
Both versions are equivalent.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 273
Indentation SensitivityInternally, first the indentation sensitive version istranslated to a version using curly brackets and then itis type checked.
Error messages refer to the version using curlybrackets.
One has to interpret such error messages as if one hadactually written a version using curly brackets, even ifone is using indentation sensitivity.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 273a
IntroUsually, we don’t have to spell out
structa = a′; b = b′
in full.
Assume we have a goal, the type of which is a sig-type,e.g.
AB :: Set = siga :: A; b :: B
ab :: AB = ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 274
IntroAB :: Set = siga :: A; b :: B
ab :: AB = ! !
Then, when the point is inside the goal, we can usegoal-menu Intro and obtain:
ab :: AB = struct
a = ! !
b = ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 275
Let expressions in AgdaWhen introducing products, let expressions are oftenuseful.They allow to introduce temporary variables.
Let-expressions have the form
let a1 :: A1
= s1
a2 :: A2
= s2
· · ·
an :: An
= sn
in t
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 276
Let expressions in Agda (Cont.)This means that we introduce new local constantsa1 :: A1 = s1,a2 :: A2 = s2,. . .,an :: An = sn,which can now be used locally.
si can refer to all aj defined before, including ai itself,i.e. it can refer to a0, . . . , ai.
Reference to ai might result in non-termination;termination will be discussed below.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 277
Let expressions in Agda (Cont.)If we are in a goal, we can use the goal menuMake let expression.
We have to insert into the goal the variables,separated by blanks, e.g. “a1 a2 · · · an”.Agda will construct a template of the form:
let a1 :: ! !
= ! !
a2 :: ! !
= ! !
· · ·
an :: ! !
= ! !
in ! !Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 278
Simple ExampleThe following function computes (n + n) ∗ (n + n) for n :: N:
f (n :: N)
:: N
= let m :: N
= n + n
in m ∗m
See exampleLetExpression.agdaNote that this version is computationally cheaper than thefunction computing directly (n + n) ∗ (n + n):
Using let, n + n is computed only once,
without let, we have to compute it twice.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 279
Example Using the ProductAs an example we want to define in Agda, dependingon functions a_c : A→ C, b_d : B → D and an elementab : A×B and element f(ab, a_c, b_d) : C ×D.
This means that f is a function which takes argumentsa_c, b_d and ab as above and returns an element ofC ×D.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 279a
Example Using the ProductSo the type of f in Agda is as follows:
AB :: Set = siga :: A; b :: B
CD :: Set = sigc :: C; d :: D
f (a_c :: A→ C)
(b_d :: B → D)
(ab :: AB)
:: CD
= ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 279b
Example Using the ProductThe idea for this function is as follows:
We first project ab to elements a : A, b : B.Then we apply a_c to a and obtain an element c : C,and b_d to b and obtain an element d : D.Finally we form the pair 〈b, d〉.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 279c
Example Using the ProductA diagram is as follows:
ab:A×B
a:A b:B
c′:C d′:D
〈·,·〉
〈c′, d′〉 :C×D
π0 π1
a_c b_d
C × D
a_b c_df a_c b_d
A × B
We will use let-expressions in order to compute theintermediate values a, b, c′, d′.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 279d
Agda Code for the Above
AB :: Set = siga :: A; b :: B
CD :: Set = sigc :: C; d :: D
f (a_c :: A→ C)
(b_d :: B → D)
(ab :: AB)
:: CD
= let a :: A = ab.a
b :: B = ab.b
c′ :: C = a_c a
d′ :: D = b_d b
in structc = c′; d = d′
See exampleLetExpressionSig.agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 280
Open ExpressionOpen abbreviates the unpacking of pairs.Assume e :: siga1 :: A1; a2 :: A2; . . .
Then open e use x1 :: A1 = a1,
x2 :: A2 = a2,
. . .
in · · ·
is equivalent to let x1 :: A1 = e.a1;
x2 :: A2 = e.a2;
· · ·
in · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 281
Open ExpressionSo the above example readsf(a_c :: A→ C)(b_d :: B → D)(ab :: AB):: CD= open ab
use a :: A = a,b :: B = b
in let c′ :: C = a_c ad′ :: D = b_d b
in structc = c′; d = d′
See exampleOpenExpression1.agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 282
Open ExpressionIf we want to use the selectors directly,i.e. assuming
e :: siga1 :: A1; a2 :: A2; . . .
to use the names a1, a2, . . ., we can write more briefly
open e use a1, a2, . . .
in · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 283
Open ExpressionSo the above example reads more brieflyf(a_c :: A→ C)(b_d :: B → D)(ab :: AB):: CD=open ab use a, bin let c′ :: C = a_c a
d′ :: D = b_d bin structc = c′; d = d′
See exampleOpenExpression2.agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 284
Termination CheckerThe type checker in Agda allows recursive definitions.For instance, the following passes the type checker:
a :: A = a
Necessary, since for instance the definition of + isnecessarily recursive, i.e. will make use of +:
(+) (n,m :: N)
:: N
= case m of
Z → n
S m′ → n + m′
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 285
Termination Check (Cont.)In order to avoid mistakes, Agda has a builtintermination checker:Menu Check Termination.
One should use this command at the end of asession, in order to avoid black hole recursion.
If the termination check succeeds, all programschecked will terminate.
If the termination check fails, it might still be thecase that all programs terminate.(One cannot write a universal termination checker,since the Turing halting problem is undecidable).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 286
Termination CheckThe termination check can avoid non-obvious mistakes.
Assume for instance we have defined a :: A and b :: B,and AB = siga :: A; b :: B.
If we define
ab :: AB = structa = a; b = b
we havenot defined an element ab s.t. ab.a = a and ab.b = b,but defined an element ab s.t. ab.a = ab.a andab.b = ab.b.That is a black-hole recursion, and will not pass thetermination checker.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 287
Termination CheckEspecially, when later proving theorems, we don’t knowwhether what we have proved is true unless we haveused the termination checker.
Any formula A (which is just a type), whether it istrue or false, can be shown using black-holerecursion by using the following Agda code:
a :: A = a
Only if a theorem has passed the termination checker,we know it holds.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 288
The Non-Dependent Function Type
Formation Rule A : Set B : Set (→ -F)A→ B : Set
Introduction Rule x : A⇒ b : B (→ -I)(λx : A.b) : A→ B
Elimination Rulef : A→ B a : A
(→ -El)f a : B
Equality Rule x : A⇒ b : B a : A (→ -Eq)(λx : A.b) a = b[x := a] : B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 289
β-Reductionb[x := a] was as for the simply typed λ-calculus theresult of substituting in b every occurrence of variable xby the term a (after renaming of bound variables asusual).
The equality rule is a symmetric version of β-reduction
(λx : A.b) a −→ b[x := a]
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 290
α-EquivalenceAs for the simply typed λ-calculus, terms which differ inthe choice of bound variables are identified:
E.g. λx : A.x and λy : A.y are identified.E.g. λx : N.x + x and λy : N.y + y are identified.A similar rule applies to bound variables in types(see later).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 291
The η-RuleAgain the η-rule does not fit into the above schema:
f : A→ B(→ -η)
f = (λx : A.f x) : A→ B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 292
Equality Versions of the→-RulesEquality Version of the Formation Rule
A = A′ : Set B = B′ : Set (→ -F=)A→ B = A′ → B′ : Set
Equality Version of the Introduction Rule
x : A⇒ b = b′ : B (→ -I=)λx : A.b = λx : A.b′ : A→ B
Equality Version of the Elimination Rule
f = f ′ : A→ B a = a′ : A(→ -El=)
f a = f ′ a′ : B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 293
The Function Type in AgdaIn Agda one writes A -> C for the nondependentfunction type.We write on our slides→ instead of ->.
There are two ways of introducing an element ofA→ C:
We can writef (x:: A)
:: C= · · ·
Requires the · · · is an element of type C, possiblymaking use of x.
The above introducesf :: A→ C
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 294
The Function Type in Agda (Cont.)Alternatively, one can use the λ-notation:
Remember that \ is used instead of λ in Agda.In our slides we will use λ.
The above can be rewritten as
f :: A→ C= λ(x:: A)→ · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 295
Equivalence of the two NotationsBoth ways of introducing functions are equivalent.
One can check this by defining two versions:
postulate A :: Set
f :: A→ A→ A
= λ(a, b :: A)→ a
g (a, b :: A)
:: A
= a
See exampleEquivalenceLambdaNotations.agda
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 295a
Equivalence of the two NotationsIf one then introduces an arbitrary goal, e.g.
Test :: A− > A− > A
= ! !
inserts into it the value f , uses goal-menuCompute WHNF, (for compute weak head normalform), and does the same with g, one obtains twice thesame result, namely
λ(a, b :: A)→ a
This is a general method for evaluating terms (e.g. forevaluating the result of a applying a function to somearguments).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 295b
λ-Notation in AgdaIn most cases, it is easier to use the first way ofintroducing λ-terms.
However, λ-notation allows to introduceanonymous functions (i.e. functions without givingthem names):A typical example from functional programming is themap function, which applies a function to eachelement of a list:
map (λ(x::N)→ S x)(cons two (cons three nil))
The result would becons three (cons four nil)
See exampleMapAppliedToList.agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 296
AbbreviationsWe can write
λ(n,m::N)→ · · ·
instead of
λ(n::N)→ λ(m::N)→ · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 297
Abbreviations (Cont.)Similarly we can write
f (n,m::N):: N= · · ·
instead of
f (n::N)(m::N):: N= · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 298
The Function Type in Agda (Cont.)Application has the same syntax as in the rules ofdependent type theory: If we have
f :: A→ B ,
a :: A ,
then we can conclude f a :: B.
And we have that
(λ(x :: A)→ b) a
andb[x := a]
are identified.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 299
η-Rule in Agda (Cont.)In Agda syntax, the η-rule would state that if
f :: A→ B
thenf = λ(x :: A)→ f x .
η-rule is computationally expensive and thereforenot implemented.(This is similar to what was said about the η-rule forthe product).The lack of the η-rule causes sometimesproblems.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 300
IntroWhen introducing λ-terms, there is no need to introducethe λ-term by hand.
Assume for instance the following goal:
f :: A→ A
= ! !
If the position is inside the goal, we can use thegoal-menu Intro, in order to obtain a template for theλ-term:
f :: A→ A
= λ(h :: ! !)→ ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 301
SolveWe usually don’t have to introduce the types of theλ-variables, they can usually be solved automaticallyusing Agda-menu Solve.
Applied in the above situation we obtain:
f :: A→ A
= λ(h :: A)→ ! !
It is recommended to rename the automaticallygenerated variable h to something more meaningful:
f :: A→ A
= λ(a :: A)→ ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 302
SolveIn some cases, the types inferred can be simplified. Forinstance if we start with
g:: ((A→ A)→ A)→ A
= λ(h :: ! !)→ ! !
we obtain using solve
g:: ((A→ A)→ A)→ A
= λ(h :: (h :: (h :: A)→ A)→ A)→ ! !
which can be simplified to
g:: ((A→ A)→ A)→ A
= λ(a_a_a :: (A→ A)→ A)→ ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 303
SolveIn general, solve will solve goals, for which there is onlyone solution in the current context.
Uniqueness is up to equality in Agda, which isequality of the normal forms.Therefore one can often replace the solution givenby Agda by some more readable term, but it willalways be the same term up to equality in Agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 303a
Common ContextsThe convention is that all rules can as well beweakened by a common context.
This means that when introducing a rule
Γ1 ⇒ θ1 · · · Γn ⇒ θn
Γ⇒ θ
we implicitly introduce as well the following rules
∆,Γ1 ⇒ θ1 · · · ∆,Γn ⇒ θn
∆,Γ⇒ θ
This convention will not apply to the context rules(Context0) and (Context1) (see later).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 304
ExampleFor instance, the formation rule of ×:
A : Set B : Set (×-F)A×B : Set
can be weakened as follows:
Γ⇒ A : Set Γ⇒ B : Set (×-F)Γ⇒ A×B : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 305
Example (Cont.)Consider the sample derivation (assuming A : Set):
x : A, y : A⇒ y : A(→ -I)
x : A⇒ (λy : A.y) : A→ A(→ -I)
(λx : A.λy : A.y) : A→ A→ A
The first rule used is the rule for λ-introduction,weakened by the context x : A.
The second rule used is the rule for λ-introductionwithout any weakening.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 306
Weakening of AxiomsIf we have an axiom
θ
for any judgement θ
e.g. θ = N : Set or θ = 0 : N
and we want to weaken it by context Γ, we need tomake sure that Γ⇒ Context holds.
So we need in the weakened form one additionalpremise:
Γ⇒ ContextΓ⇒ θ
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 307
ExampleThe formation rule for N
N : Set
will be weakened as follows:
Γ⇒ ContextΓ⇒ N : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 308
(c) Structural Rules
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 309
Context RulesThe empty context
∅ ⇒ Context (Context0)
Extending a context
Γ⇒ A : Set (Context1)Γ, x : A⇒ Context
(where in the last rule x must not occur in Γ).
The convention that rules can be weakened by acommon context does not apply to the rules (Context0)and (Context1).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 310
Example Derivation (Context Rules)We assume the following formation rule for the type ofnatural numbers:
N : Set (N-F)
With this rule, following the convention on slide ??,we have as well introduced the rules
Γ⇒ Context (N-F)Γ⇒ N : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 311
Example Derivation (Context Rules)
The following derives x : N, y : N, z : N⇒ Context(Note that N : Set is the same as ∅ ⇒ N : Set):
N : Set (Context1)x : N⇒ Context (N-F)x : N⇒ N : Set (Context1)
x : N, y : N⇒ Context(N-F)
x : N, y : N⇒ N : Set(Context1)
x : N, y : N, z : N⇒ Context
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 312
Assumption Rule
Γ, x : A,Γ′ ⇒ Context(Ass)
Γ, x : A,Γ′ ⇒ x : A
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 313
Example Deriv. (Assumpt. Rule)We extend the derivation of slide ?? to a derivation ofx : N, y : N, z : N⇒ y : N:
x : N, y : N, z : N⇒ Context(Ass)
x : N, y : N, z : N⇒ y : N
Similarly we can derive x : N, y : N, z : N⇒ z : N:
x : N, y : N, z : N⇒ Context(Ass)
x : N, y : N, z : N⇒ z : N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 314
Example Deriv. (Assumpt. Rule)
The full derivation of first judgement on the previousslide is as follows:
N : Set (Context1)x : N⇒ Context (N-F)x : N⇒ N : Set (Context1)
x : N, y : N⇒ Context(N-F)
x : N, y : N⇒ N : Set(Context1)
x : N, y : N, z : N⇒ Context(Ass)
x : N, y : N, z : N⇒ y : N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 315
Assumption Rule in AgdaWhen we define a function:
f (a::A)::B= ! !
we can make use of a :: A when solving the goal! !.
This is an application of the assumption rule:When solving ! ! we essentially defineunder the assumption a :: A an element ! ! :: B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 316
Assumption Rule in Agda (Cont.)
The above corresponds to a derivation
a : A⇒ ! ! : B(→ -I)
(λa : A.! !) : A→ B
If B is equal to A we can use the assumption ruledirectly
a : A⇒ a : A (→ -I)(λa : A.a) : A→ A
in order to solve this goal.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 317
Assumption Rule in Agda (Cont.)
More generally we might in the derivation ofa : A⇒ ! ! : B make anywhere use of a : A, as longas this is in the context.
· · · (Ass)a : A⇒ a : A
···
a : A⇒ s : B (→ -I)(λa : A.s) : A→ B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 318
Assumption Rule in Agda (Cont.)Similarly, when solving the goalf :: A→ B= λ(a :: A)→ ! !
in ! ! we can make use of a :: A.In fact when solving the above, we implicitly use therule
a : A⇒ ! ! : B(→ -I)
(λa : A.! !) : A→ B
So we have to solve a : A⇒ ! ! : B in order toderive
(λa : A.! !) : A→ B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 319
Weakening Rule
Γ,Γ′ ⇒ θ Γ,∆,Γ′ ⇒ Context(Weak)
Γ,∆,Γ′ ⇒ θ
θ:
stands for an arbitrary non-dependent judgement.
This rule allows to add an additional context piece(∆) to the context of a judgement.
The judgement Γ,Γ′ ⇒ θ is:::::::::::::
weakened by ∆.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 320
Weakening Rule (Cont.)
Remark: One can in fact show that the weakening rulecan be weakly derived.
:::::::::
Weakly:::::::::::
derived means: whenever the assumptionsof the rule can be derived in the complete set ofrules we provide, then as well the conclusion.However, this can’t be derived from the premise theconclusion directly.
An exception is when we additionally assume somejudgements for instance A : Set (corresponding to“postulate” in Agda).
Then Γ⇒ A : Set doesn’t follow without theweakening rule.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 321
Example Deriv. (Weak. Rule)We derive a : A, b : B ⇒ a : A from global assumptionsA : Set, B : Set:
A:Set (Context1)a:A⇒Context (Ass)
a:A⇒a:A
B:Set
A:Set (Context1)a:A⇒Context (Weak)
a:A⇒B:Set (Context1)a:A,b:B⇒Context
(Weak)a:A,b:B⇒a:A
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 322
Example Deriv.2 (Weak. Rule)We derive x : A→ (B × C), a : A⇒ x : A→ (B × C)from global assumptions A : Set, B : Set, C : Set:
A : Set
A : Set
B : Set C : Set (×-F)B × C : Set
(→ -F)A→ (B × C) : Set
(Context1)x : A→ (B × C)⇒ Context
(Weak)x : A→ (B × C)⇒ A : Set
(Context1)x : A→ (B × C), a : A⇒ Context
(Ass)x : A→ (B × C), a : A⇒ x : A→ (B × C)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 323
General Equality Rules
::::::::::::::
ReflexivityA : Set (ReflSet)
A = A : Set
a : A (ReflElem)a = a : A
(Reflexivity can be weakly derived, except for globalassumptions).:::::::::::::
SymmetryA = B : Set (SymSet)B = A : Set
a = b : A (SymElem)b = a : A
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 324
General Equality Rules (Cont.)
::::::::::::::
Transitivity
A = B : Set B = C : Set (TransSet)A = C : Set
a = b : A b = c : A (TransElem)a = c : A
:::::::::::
Transfer
a : A A = B : Set (TransferSet)a : B
a = b : A A = B : Set (TransferElem)a = b : B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 325
Example Deriv. (Gen. Equal. Rules)
N:Set(Context1)
y:N⇒Context(Ass)
y:N⇒y:N(N-Eq+,0)
y:N⇒y+0=y:N
N:Set(Context1)
y:N⇒Context(N-F)
y:N⇒N:Set(Context1)
y:N,x:N⇒Context(Ass)
y:N,x:N⇒x:N
N:Set(Context1)
y:N⇒Context(Ass)
y:N⇒y:N(→-Eq)
y:N⇒(λx:N.x) y=y:N(SymElem)
y:N⇒y=(λx:N.x) y:N(TransElem)
y:N⇒y+0=(λx:N.x) y:N(→-I=)
(λy:N.y+0)=(λy:N.(λx:N.x) y):N→N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 326
Example Deriv. (Gen. Equal. Rules)In the previous derivation, the most complicated stepwas:
y : N, x : N⇒ x : N y : N⇒ y : N
y : N⇒ (λx : N.x) y = y : N
This is an example of the equality rule for thenon-dependent function type (slide ??):
x : A⇒ b : B a : A (→ -Eq)(λx : A.b) a = b[x := a] : B
with A := B := N, b := x, a := y.Therefore b[x := a] = y.
This instance of the rule was weakened by anadditional context y : N.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 327
Example Deriv. (Gen. Equal. Rules)
Note that from the premises of that rule
y : N, x : N⇒ x : N y : N⇒ y : N
y : N⇒ (λx : N.x) y = y : N
we can derive using the introduction and eliminationrule
y : N⇒ (λx : N.x) y : N
as follows:
y : N, x : N⇒ x : N
y : N⇒ (λx : N.x) : N→ N y : N⇒ y : N
y : N⇒ (λx : N.x) y : N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 328
Example Deriv. (Gen. Equ. Rules)
The equality rule expresses how the function λx : N.xapplied to y is evaluated as follows:
We evaluate the body of the function (x) by settingfor x the argument of the function (y).This is the same as substituting in the body for x theargument of the function, i.e. y.
This explains how the detour above of first introducingand then eliminating an expression can be reduced(namely to y or in general to b[x := a]).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 329
Substitution RulesThe following rules can be weakly derived:
Substitution 1
Γ, x : A,Γ′ ⇒ θ Γ⇒ a : A(Subst1)
Γ,Γ′[x := a]⇒ θ[x := a]
(Γ′[x := a] is the result of substituting in Γ′ all occurrences ofx by a).
Substitution 2
Γ, x : A,Γ′ ⇒ B : Set Γ⇒ a = a′ : A(Subst2)
Γ,Γ′[x := a]⇒ B[x := a] = B[x := a′] : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 330
Substitution RulesSubstitution 3
Γ, x : A,Γ′ ⇒ b : B Γ⇒ a = a′ : A(Subst3)
Γ,Γ′[x := a]⇒ b[x := a] = b[x := a′] : B[x := a]
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 331
Example Deriv. (Substitution)···
(Ass)
x:N,y:N⇒x:N
···(Ass)
x:N,y:N⇒y:N(N-I+)
x : N, y : N⇒ x + y : N 0 : N(Subst1)
y : N⇒ 0 + y : N(→-I)
(λy : N.0 + y) : N→ N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 332
Example Deriv. 2 (Substitution)
···z:N,x:N,y:N⇒x+y:N
N:Set (Context1)z:N⇒Context (N-F)z:N⇒N:Set (Context1)
z:N,u:N⇒Context(Ass)
z:N,u:N⇒u:N(N-IS)
z:N,u:N⇒S(u):N
N:Set (Context1)z:N⇒Context (Ass)
z:N⇒z:N (N-Eq0)z:N⇒z+0=z:N
(Subst3)z:N⇒S(z+0)=S(z):N
(Subst3)z:N,y:N⇒(S(z)+0)+y=S(z)+y:N
(→-I=)z:N⇒(λy:N.(S(z)+0)+y)=(λy:N.S(z)+y):N→N
(→-I=)(λz:N.λy:N.(S(z)+0)+y)=(λz:N.λy:N.S(z)+y):N→N→N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 333
(d) Dep. Funct. Set and ProductWe introduce in the following the dependent versions of the
product and the function type.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 334
The Dependent ProductThe dependent product is similar as the non-dependentproduct (e.g. A×B), but now the second set dependson an element of the first set.
The type theoretic notation is
(a : A)×B
Elements of (a : A)×B are pairs
〈a′, b′〉
s.t.a′ : A
b′ : B[a := a′].
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 335
Example 1 (Dep. Products)One example for its use are the set of sorted lists:
Sorted(l) is a predicate on NatList expressing that l issorted.An element of
SortedList := (l : NatList)× Sorted(l)
is a pair〈l, p〉
s.t.l : NatList,p : Sorted(l), i.e. p is a proof that l is sorted.
So elements of SortedList are lists l together with aproof that l is sorted.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 336
Example 2 (Dep. Products)Let G be the set of genders,informally written
G = male, female .
Let for g : G the setNames g
be the collection of names of that gender, e.g.informally written
(Names male) = Tom, Jim,(Names female) = Jill, Sara.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 337
Example 2 (Dep. Products)The set of names with their gender is the set of pairs〈g, n〉 s.t. g is a Gender and n : (Names g).
This set is written as
AllNames := (g : G)× (Names g)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 338
Rules of the Dependent Product
Formation Rule
A : Set x : A⇒ B : Set (×-I)(x : A)×B : Set
Introduction Rule
x : A⇒ B : Set a : A b : B[x := a](×-I)
〈a, b〉 : (x : A)×B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 339
ExampleAssuming we have defined the set of genders G : Setand the set of names g : G⇒ (Names g) : Set, we canintroduce the set
AllNames := (g : G)× (Names g) : Set
by using the formation rule:
G : Set g : G⇒ (Names g) : Set(×-I)
(g : G)× (Names g) : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 339a
Extra Premise in the Introd. RuleIn the last introduction rule, an extra premisex : A⇒ B : Set was required.
This is required in order to guarantee that we canform the type (x : A)×B.In case of the non-dependent product, this premisewas not necessary:a : A and b : B indirectly implies that we know A : Setand B : Set from which it follows A×B : Set.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 340
ExampleFurthermore we can introduce
〈male,Tom〉 : AllNames
as follows:
g : G⇒ (Names g) : Set male : G Tom : (Names male)(×-I)
〈male,Tom〉 : (g : G)× (Names g)
Note that we need the premise
g : G⇒ (Names g) : Set
Otherwise we only know that (Names male) : Set, but notthat (Names female) : Set.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 340a
ExampleNote that we don’t have
〈female,Tom〉 : AllNames
since we don’t have
Tom : (Names female)
So here dependent types prevent errors. In an ordinaryprogramming language without dependent types, wecan’t define a corresponding type AllNames whichallows at compile time to define
〈male,Tom〉 : AllNames
but not〈female,Tom〉 : AllNames
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 340b
Rules of the Dependent ProductElimination Rules
c : (x : A)×B(×-El0)
π0(c) : A
c : (x : A)×B(×-El1)
π1(c) : B[x := π0(c)]
Equality Rules
x : A⇒ B : Set a : A b : B[x := a](×-Eq0)
π0(〈a, b〉) = a : A
x : A⇒ B : Set a : A b : B[x := a](×-Eq1)
π1(〈a, b〉) = b : B[x := a]
Note that the last two rules require the extra premise x : A⇒
B : Set (which is not implied by the premises).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 341
ExampleIn the “Names-example we have that, if a : AllNames,then π0(a) : G and π1(a) : (Names π0(a)):
a : (g : G)× (Names g)(×-El0)
π0(a) : G
a : (g : G)× (Names g)(×-El1)
π1(a) : (Names π0(a))
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 342
Rules of the Dependent ProductWe have the following η-rule:
c : (x : A)×B(×-η)
c = 〈π0(c), π1(c)〉 : (x : A)× C
As before, the η-rule expresses that every element of(x : A)×B is of the form 〈something0, something1〉.
The η-rule cannot be derived, if the element in questionis a variable.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 343
Equality Versions of the aboveEquality Version of the Formation Rule
A = A′ : Set x : A⇒ B = B′ : Set (×-F=)(x : A)×B = (x : A′)×B′ : Set
Equality Version of the Introduction Rule
x : A⇒ B : Set a = a′ : A b = b′ : B[x := a](×-I=)
〈a, b〉 = 〈a′, b′〉 : (x : A)×B
Equality Versions of the Elimination Rules
c = c′ : (x : A)×B(×-El=0 )
π0(c) = π0(c′) : A
c = c′ : (x : A)×B(×-El=1 )
π1(c) = π1(c′) : B[x := π0(c)]
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 344
The Non-Dep. Product as an Abbrev.The non-dependent product A×B can now be seen asan abbreviation for (x : A)×B for some fresh variablex.
Taking A×B as an abbreviation, we can see that therules for the non-dependent product are specialcases of the rules for the dependent product.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 345
The Non-Dep. Product as an Abbrev.More precisely this can be seen as follows:
From A : Set and B : Set we can derivex : A⇒ B : Set using the weakening rule.Therefore the premises of the formation rule forthe non-dependent product imply those of theformation rule for the non-dependent product.From a derivation of a : A we can derive A : Set (weneed the concept of presupposition for that, asintroduced later).Therefore the premises of the introduction rule forthe non-dependent product imply those of thedependent product.Similarly for the elimination, equality and η-rule.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 346
The Dependent Product in AgdaIn Agda, the record type allows already dependenciesof later sets on previous ones:
Assume A :: Set, and B :: Set, posssibly dependingon a :: A.Then we can form siga :: A; b :: B.Elements of this type can be introduced in the sameway as before, i.e. if a′ :: A and b′ :: B[a := a′] then wecan form
structa = a′; b = b′ :: siga :: A; b :: B .
Note that b′ :: B[a := a′], so the type of b′ depends ona′.Furthermore, if c : siga :: A; b :: B, then c.a :: A andc.b :: B[a := c.a].
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 347
The “Names”-Example in AgdaAlthough we haven’t introduced yet a notation foralgebraic data types, the following is readable for thosefamiliar with Haskell:
data G = male | female
data maleNames = Tom | Jim
data femaleNames = Jill | Sara
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 348
The “Names”-Example in Agda
Names (g :: G):: Set= case g of
(male) → maleNames(female) → femaleNames
AllNames :: Set= sig
g :: Gn :: Names g
See exampleAllNames.agda.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 349
The “Names”-Example in AgdaNote that in the above example we have
Names male = maleNames = data Tom | JimNames female = femaleNames = data Jill | Sara
Further we have for instance
structg=male,n=Tom :: AllNames
whereas we don’t have
structg=male,n=Jill :: AllNames
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 349a
The Dependent Function SetIn the presence of dependent types we have as well adependent function set, where the type of the resultdepends on the argument of the function.
Notation: (x : A)→ B, for the set of functions f whichmap an element a : A to an element of B[x := a].
In set-theoretic notation this is:
f | f function
∧dom(f) = A
∧∀a ∈ A.f(a) ∈ B[x := a]
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 350
Example (Dep. Function Set)Consider the “Names example” as above(G : Set set of genders, Names g set of names for genderg).
Define
select : (g : G)→ (Names g)
select male = Tom
select female = Jill
select selects for every gender a name.
select male will be an element of(Names male) = (Names g)[g := male].
It wouldn’t make sense to say (select male) : (Names g),without knowing what g is.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 351
Example (Dep. Function Set)Note that for instance we don’t have
(λg : G.Tom) : (g : G)→ (Names g)
since we don’t have
((λg : G.Tom) female) : (Names female)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 351a
Rules of the Dep. Funct. SetFormation Rule
A : Set x : A⇒ B : Set (→ -F)(x : A)→ B : Set
Introduction Rule
x : A⇒ b : B (→ -I)(λx : A.b) : (x : A)→ B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 352
Rules of the Dep. Funct. SetElimination Rule
f : (x : A)→ B a : A(→ -El)
f a : B[x := a]
Equality Rule
x : A⇒ b : B a : A (→ -Eq)(λx : A.b) a = b[x := a] : B[x := a]
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 353
The η-RuleThe η-rule has a special status:
η-Rule
f : (x : A)→ B(→ -η)
f = (λx : A.f x) : (x : A)→ B
As before, the η-rule expresses that every element of(x : A)→ B is of the form λx : A.something.
The η-rule cannot be derived, if the element in questionis a variable.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 354
Equality Versions of the aboveEquality Version of the Formation Rule
A = A′ : Set x : A⇒ B = B′ : Set (→ -F=)(x : A)→ B = (x : A′)→ B′ : Set
Equality Version of the Introduction Rule
x : A⇒ b = b′ : B (→ -I=)(λx : A.b) = (λx : A.b′) : (x : A)→ B
Equality Version of the Elimination Rule
f = f ′ : (x : A)→ B a = a′ : A(→ -El=)
f a = f ′ a′ : B[x := a]
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 355
Non-Dep. Funct. Set as an Abbrev.The non-dependent function type
A→ B
can be regarded as an abbreviation for thedependent function type
(x : A)→ B ,
where B does not depend on x.
As for the product one can see that the rules for thenon-dependent function set are special cases of therules for the dependent function set.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 356
The Dep. Function Set in AgdaWe have seen that the non-dependent function type iswritten as A→ B in Agda.
The notation for the dependent function set is(x:: A)→ C.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 357
The Dep. Function Set in AgdaElements of (x :: A)→ C are introduced as before byusing
either λ-abstraction, i.e.λ(x :: A)→ t :: (x :: A)→ B.
Requires that t :: B depending on x :: A.Note that the type B of t depends on x :: A.
or by writingf(x :: A) :: C = · · ·
Elimination is application using the same notation asbefore.
E.g., if f :: (x :: A)→ C and a :: A, thenf a :: C[x := a].
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 358
The Dep. Function Set in AgdaInternally, Agda has only the dependent function set.
That’s why one often sees in code generated by Agda(e.g. when showing context, when using solve) types ofthe form
(h :: A)→ B
where one could use as well
A→ B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 359
AbbreviationsWe can write
(n,m::N)→ A(n,m)
instead of
(n::N)→ (m::N)→ A(n,m)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 360
The “select”-Name Example in AgdaHere follows the code for the select-Name example inAgda, which should be readable for those familiar withHaskell:
data G = male | female
data maleNames = Tom | Jim
data femaleNames = Jill | Sara
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 361
The “select”-Name Example in Agda
Names (g :: G):: Set= case g of
(male) → maleNames(female) → femaleNames
select :: (g:: G)→ Names g= λ (g:: G)→ case g of
(male) → Tom(female) → Jill
See exampleNamesFunction2.agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 362
The “select”-Name Example in AgdaAn attempt to define select s.t. select male is not inmaleNames, e.g.
select male = Jill
or that select female is not in femaleNames, e.g.
select female = Tom
will result in a type error.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 362a
(e) Derivations vs. Agda CodeIn this subsection we look at the relationship betweenAgda code and the corresponding derivations.
We consider various examples.First we will go through the development of theAgda code.Then we will look at, how the correspondingderivations are developed, following each step inthe development of the Agda code.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 363
Example 1We want to derive in Agda
λ(a :: A).a :: A→ A
(See example file exampleIdentity.agda)
Step 1:We need to introduce the type A first.Since we want to to have the definition for anarbitrary type A, we postulate (i.e. assume) one typeA:
postulate A :: Type
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 364
Example 1 (Cont.)Step 2: We state our goal:
f :: A→ A
= ! !
Agda is an indentation-sensitive language.The complete definition of f must be intendedotherwise Agda regards this as a new definition.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 365
Example 1 (Cont.)Step 3:
We want to derive an element of function typeA→ A.Elements of the function type A→ A are introducedby using λ-terms.If introduced as a λ-term, the term in question will beof the form λ(a :: A)→ something.Agda has a command agda-intro (Intro) which doesthis step automatically.
Has to be executed while the cursor is inside onegoal.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 366
Example 1 (Cont.)Step 3 (Cont)
After executing it we get:
f :: A→ A
= λ(h :: ! !)→ ! !
(The precise Agda code uses \ instead of λ, and− > instead of→).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 367
Example 1 (Cont.)Step 4:
The first goal, the type of the variable h can besolved automatically.Use agda-solve (Solve )We obtain:
f :: A→ A
= λ(h :: A)→ ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 368
Example 1 (Cont.)Step 4 (Cont)
It is a good idea to rename the variable tosomething, for instance to a:This can be done by simple editing.
We can always edit the current code.If one wants to edit parts involving goals, one firsthas to execute:agda-restart ( (Re)Start Agda)Then one is in a mode where the goals areconverted to ordinary symbols and can editeverything.At the end of any editing one should execute:agda-load-buffer (Load Buffer)Otherwise the changes will not be known by Agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 369
Example 1 (Cont.)Step 4 (Cont)
We obtain:f :: A→ A
= λ(a :: A)→ ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 370
Example 1 (Cont.)Step 5:
In order for λ(a :: A)→ ! ! to be of type A→ A,! ! must be of type A.
Then this λ-term computes an element of type Adepending on some a of type A, which means it isa function of type A→ A.So the type of the goal is A.This can be inspected by using the menuagda-goalType-of-meta-reduced(Type of goal (unfolded)),which shows the type of the current goal.· Has to be executed while the cursor is inside
one goal.It shows A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 371
Example 1 (Cont.)Step 5 (Cont.)
We can inspect the context.The context contains everything we can use whensolving our goal. It contains:
A :: Set.f :: A→ A.See next slide.a :: A.· Since we are defining a an element of type A
depending on a :: A, we can use a.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 372
Termination CheckOn the last slide we had f :: A→ A in the context.
This appears, since the type checker allows to definefunctions recursively, independently of whether therecursion terminates or not.
For the type checker a definition b :: A = b would belegal, although evaluating b doesn’t terminate (blackhole recursion).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 373
Termination Check (Cont.)Agda has a commandagda-term-check-buffer (Check Termination), whichchecks, whether recursive definitions are done properly.
One shoulduse this command at the end of a session, to avoidblack hole recursion.
If the termination check succeeds, all programschecked will terminate.
If the termination check fail, it might still be the casethat all programs terminate.(One cannot write a universal termination checker,since the Turing halting problem is undecidable).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 374
Example 1 (Cont.)Step 5 (Cont.)
Now everything with:::::::
result:::::::
type A (i.e. which has atthe right side of the arrow A) can be used in order tosolve the goal.
f would result in black-hole recursion.So we take a.
We type in a into the goal and then use the commandagda-refine (Refine)We obtain:
f :: A→ A
= λ(a :: A)→ a
and are done.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 375
Example 1, Using RulesIn Agda step 1 we postulated A :: Set.This corresponds in the rule system, that we canassume A : Set, i.e. can write this down without anyderivation.
In Agda step 2 we stated our goal:
f :: A→ A
= ! !
In terms of rules this means that we want to derivesomething of type A→ A.We write for this something d0 and get as conclusion ofour derivation:
d0 : A→ A
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 376
Example 1, Using Rules (Cont.)In Agda step 3 and 4 we replaced ! ! byλ(a :: A)→ ! !:
f :: A→ A
= λ(a :: A)→ ! !
In terms of rules this means that we replace d0 byλ(a : A).d1 which is derived by an introduction rule
a : A⇒ d1 : A
(λa : A.d1) : A→ A
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 377
Example 1, Using Rules (Cont.)In Agda step 5 we replaced ! ! in λ(a :: A)→ ! ! bya:
f :: A→ A
= λ(a :: A)→ a
In terms of rules this means that we replace d1 by a.a : A⇒ a : A follows by an assumption rule:
a : A⇒ a : A(λa : A.a) : A→ A
The assumption rule will be discussed later.Essentially it allows to derive if x : B occurs in thecontext that x : B holds.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 378
Example 2We consider a derivation of
λ(x :: (A→ A)→ A).x (λ(a :: A)→ a)
:: ((A→ A)→ A)→ A
(See example exampleSampleDerivation2.agda).
Step 1:We postulate A:
postulate A :: Type
We state our goal:
f :: ((A→ A)→ A)→ A
= ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 379
Example 2 (Cont.)Step 2:
The type of the goal is a function type, and we canuse agda-intro (Intro):We obtain
f :: ((A→ A)→ A)→ A
= λ(h :: ! !)→ ! !
Using agda-solve (Solve ) we obtain:
f :: ((A→ A)→ A)→ A
= λ(h :: (A→ A)→ A)→ ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 380
Example 2 (Cont.)Step 2 (Cont.):
We rename the variable h to x and useagda-load-buffer (Load Buffer)so that Agda realizes this change:
f :: ((A→ A)→ A)→ A
= λ(x :: (A→ A)→ A)→ ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 381
Example 2 (Cont.)Step 3:
The type of the new goal is A, which is the resulttype of the function we are defining.The context contains f (for recursive definitions), Aand x.x is a function of result type A. Applying it to itsargument would have as result the type of the goal inquestion.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 382
Example 2 (Cont.)Step 3 (Cont):
Therefore we type into the goal x and useagda-refine (Refine).
Agda will then apply x to as many goals as neededin order to obtain an element of the desired type.In our case it is one (of type A→ A).We obtain
f :: ((A→ A)→ A)→ A
= λ(x :: (A→ A)→ A)→ x ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 383
Example 2 (Cont.)Step 4:
The type of the new goal is A→ A.This is since x :: (A→ A)→ A needs to be appliedto an element of type A→ A in order to obtain anelement of type A.We try agda-intro (Intro) and obtain:
f :: ((A→ A)→ A)→ A
= λ(x :: (A→ A)→ A)→ x (λ(h :: ! !)→ ! !)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 384
Example 2 (Cont.)Step 4 (Cont)
Using agda-solve (Solve ) we obtain:
f :: ((A→ A)→ A)→ A
= λ(x :: (A→ A)→ A)→ x (λ(h :: A)→ ! !)
We wanted to define an element of A→ A, so thedomain of the λ term will be A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 385
Example 2 (Cont.)Step 4 (Cont.)
We rename h by a, reload the buffer, and obtain:
f :: ((A→ A)→ A)→ A
= λ(x :: (A→ A)→ A)→ x (λ(a :: A)→ ! !)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 386
Example 2 (Cont.)Step 5
The new goal has type A.The complete expression λ(a :: A)→ ! ! shouldhave type A→ A, so ! ! must have type A.
The context contains A :: Set, f , x and a.We can use both x and a here.
There is usually more than one solution forproceeding in Agda.This means that we sometimes have to backtrackand try a different solution.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 387
Example 2 (Cont.)Step 5 (Cont.)
We try a :: A. After inserting it and usingagda-refine (Refine) we obtain the following and aredone.
f :: ((A→ A)→ A)→ A
= λ(x :: (A→ A)→ A)→ x (λ(a :: A)→ a)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 388
Example 2, Using RulesPostulating A :: Set corresponds to assuming A : Set inthe rules without deriving it.
Stating the goal means that we have as last line of thederivation:
d0 : ((A→ A)→ A)→ A
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 389
Example 2, Using RulesThe next step in the Agda-derivation was to replace thegoal byλ(x :: (A→ A)→ A)→ ! !.
This corresponds to replacing d0 byλ(x :: (A→ A)→ A).d1 and having as last step anintroduction rule:
x : (A→ A)→ A⇒ d1 : A
(λx : ((A→ A)→ A).d1) : ((A→ A)→ A)→ A
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 390
Example 2, Using RulesThe next step in the Agda-derivation used refine.! ! was replaced by x ! !.
This corresponds to replacing d1 by x d2, and using oneelimination rule in order to derive it:
x:(A→A)→A⇒x:(A→A)→A x:(A→A)→A⇒d2:A→A
x:(A→A)→A⇒x d2:A
(λx:((A→A)→A).x d2):((A→A)→A)→A
The left top judgement can be derived by anassumption rule (more about this later).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 391
Example 2, Using RulesWe then used intro on the goal which was thenreplaced by λ(x :: A)→ ! !.
This corresponds to replacing d2 by λx : A.d3 which canbe introduced by an introduction rule:
x:(A→A)→A⇒x:(A→A)→A
x:(A→A)→A,a:A⇒d3:A
x:(A→A)→A⇒(λa:A.d3):A→A
x:(A→A)→A⇒x (λa:A.d3):A
(λx:((A→A)→A).x) (λa:A.d3):((A→A)→A)→A
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 392
Example 2, Using Rules
Finally we used refine with a, which replaced the goalby a.
This corresponds to replacing d3 by a.
x:(A→A)→A⇒x:(A→A)→A
x:(A→A)→A,a:A⇒a:A
x:(A→A)→A⇒(λa:A.a):A→A
x:(A→A)→A⇒x (λa:A.a):A
(λx:((A→A)→A).x) (λa:A.a):((A→A)→A)→A
The right hand derivation can again be derived by anassumption rule (more about this later).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 393
Example 3We derive an element of type
A→ B → AB
where AB is the product of A and B.(See exampleProductIntro.agda).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 394
Example 3 (Cont.)
Step 1:We postulate types A, B:
postulate A :: Set
postulate B :: Set
We introduce the product of A, B:This will be a record with element a : A, b : B.
AB:: Set
= siga :: A;
b :: B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 395
Example 3 (Cont.)
Step 2:Our goal is:
f :: A→ B → AB
= ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 396
Example 3 (Cont.)
Step 3:We use intro.
An element of A→ B → AB will be of the form
λ(a′ :: A)→ λ(b′ :: B)→ ! !
which is introduced by two introduction steps.Agda will immediately carry out both of them.We choose to use a′ instead of a, b′ instead of b,since a, b are used as labels of AB.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 397
Example 3 (Cont.)
Step 3 (Cont)After applying intro we get
f :: A→ B → AB
= λ(h :: ! !)→ λ(h′ :: ! !)→ ! !
After applying agda-solve and renaming of variableswe get
f :: A→ B → AB
= λ(a′ :: A)→ λ(b′ :: B)→ ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 398
Example 3 (Cont.)
Step 4:The new goal is of type AB which is a record type.An element of it can be introduced by an introductionrule.Elements of type AB introduced by the introductionprinciple will have the form
structa = ! !;
b = ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 399
Example 3 (Cont.)
Step 4 (Cont):When using intro we get:
f :: A→ B → AB
= λ(a′ :: A)→ λ(b′ :: B)→ structa = ! !;
b = ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 400
Example 3 (Cont.)
Step 5:The first goal has as context:
A,B : Set,AB : Set,f : A→ B → AB,a′ : A,b′ : B,a : A,b : B.
a : A, b : B are the projections of the record we aredefining, which might be used recursively.Using a and b would in our example result innon-termination.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 401
Example 3 (Cont.)
Step 5 (Cont)We insert a, use refine and solve the first goal:
f :: A→ B → AB
= λ(a′ :: A)→ λ(b′ :: B)→ structa = a′;
b = ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 402
Example 3 (Cont.)
Step 6:Similarly we can solve the second one:
f :: A→ B → AB
= λ(a′ :: A)→ λ(b′ :: B)→ structa = a′;
b = b′
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 403
Example 3, Using RulesThe definition of AB means that AB abbreviates A×B,which can be derived as follows(using assumptions A : Set, B : Set):
A : Set B : SetA×B : Set
We won’t use this however, since it is required for theassumption rules only, the treatment of which will bedelayed until later.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 404
Example 3, Using Rules (Cont.)
Stating the goal corresponds to having as last line ofthe derivation:
d0 : A→ B → (A×B)
Using intro means that we replace d0 byλa′ : A.λb′ : B.d1 which is introduced by two introductionrules:
a′ : A, b′ : B ⇒ d1 : A×B
a′ : A⇒ (λb′ : B.d1) : B → (A×B)
(λa′ : A.λb′ : B.d1) : A→ B → (A×B)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 405
Example 3, Using Rules (Cont.)
Using intro again means that we replace d1 by 〈d2, d3〉,which can be introduced by an introduction rule:
a′ : A, b′ : B ⇒ d2 : A a′ : A, b′ : B ⇒ d3 : B
a′ : A, b′ : B ⇒ 〈d2, d3〉 : A×B
a′ : A⇒ (λb′ : B.〈d2, d3〉) : B → (A×B)
(λa′ : A.λb′ : B.〈d2, d3〉) : A→ B → (A×B)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 406
Example 3, Using Rules (Cont.)
Solving the goals by refining them with a′, b′ means thatwe replace d2 by b, d3 by c:
a′ : A, b′ : B ⇒ a′ : A a′ : A, b′ : B ⇒ b′ : B
a′ : A, b′ : B ⇒ 〈a′, b′〉 : A×B
a′ : A⇒ (λb′ : B.〈a′, b′〉) : B → (A×B)
(λa′ : A.λb′ : B.〈a′, b′〉) : A→ B → (A×B)
The premises require an assumption rule (which willuse the derivation of A×B), see later for details.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 407
Example 4We derive an element of type
(A→ BC)→ A→ B
where BC is the product of B and C. (SeeexampleProductElim.agda).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 408
Example 4 (Cont.)
Step 1:We postulate types A, B, C:
postulate A :: Set
postulate B :: Set
postulate C :: Set
We introduce the product of B, C:
BC:: Set
= sigb :: B;
c :: C
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 409
Example 4 (Cont.)
Step 2:Our goal is:
f :: (A→ BC)→ A→ B
= ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 410
Example 4 (Cont.)
Step 3:We use intro and get (after using agda-solve andrenaming of variables):
f :: (A→ BC)→ A→ B
= λ(x :: A→ BC)→ λ(a :: A)→ ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 411
Example 4 (Cont.)
Step 4:The context has no element with result type B(except of f which results in a circular definition).However, x has function type with result type BC,which can be projected to B.We introduce first an element of type BC by alet-expression, and then derive from it the desiredelement of type B:
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 412
Example 4 (Cont.)
Step 4 (Cont):Using agda-let (Make let expression) with variablebc we obtain:
f :: (A→ BC)→ A→ B
= λ(x :: A→ BC)→ λ(a :: A)→ let bc :: ! !
= ! !
in ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 413
Example 4 (Cont.)
Step 5:We insert as type of variable bc the type BC (usingrefine) and obtain:
f :: (A→ BC)→ A→ B
= λ(x :: A→ BC)→ λ(a :: A)→ let bc :: BC
= ! !
in ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 414
Example 4 (Cont.)
Step 6:For solving the first goal (definition of bc) we canrefine x, which has as result type BC.
f :: (A→ BC)→ A→ B
= λ(x :: A→ BC)→ λ(a :: A)→ let bc :: BC
= x ! !
in ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 415
Example 4 (Cont.)
Step 7:The new goal can be solved by refining it withvariable a:
f :: (A→ BC)→ A→ B
= λ(x :: A→ BC)→ λ(a :: A)→ let bc :: BC
= x a
in ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 416
Example 4 (Cont.)
Step 8:Currently, Agda doesn’t have any direct support forrefining bc to an element of type B.We have to do this by hand, insert bc.b, choose refineand obtain:
f :: (A→ BC)→ A→ B
= λ(x :: A→ BC)→ λ(a :: A)→ let bc :: BC
= x a
in bc.b
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 417
Example 4 (Cont.)
In our rule calculus we don’t introduce a let construction(we could add this).
In order to get close to the derivations, we omit in theAgda derivation the let expression, and replace in thebody of it bc by its definition (x a).
We get
f :: (A→ BC)→ A→ B
= λ(x :: A→ BC)→ λ(a :: A)→ (x a).b
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 418
Example 4, Using RulesUsing rules we start with our goal
d0 : (A→ (B × C))→ A→ B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 419
Example 4, Using Rules (Cont.)
The intro step amounts to replacing d0 by
λx : (A→ (B × C)).λa : A.d1
introduced by two applications of an introduction rule:
x : A→ (B × C), a : A⇒ d1 : A
x : A→ (B × C)⇒ (λa : A.d1) : A→ B
(λx : A→ (B × C).λa : A.d1) : (A→ (B × C))→ A→ B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 420
Example 4, Using Rules (Cont.)
In Agda, we then replace the goal corresponding to d1
by (x a).b.
In our rule calculus, this reads π0(x a).
This can be introduced by two applications ofelimination rules:
x:A→(B×C),a:A⇒x:A→(B×C) x:A→(B×C),a:A⇒a:A
x:A→(B×C),a:A⇒x a:B×C
x:A→(B×C),a:A⇒π0(x a):B
x:A→(B×C)⇒(λa:A.π0(x a)):A→B
(λx:(A→(B×C)).λa:A.π0(x a)):(A→(B×C))→A→B
The two initial judgements can be introduced byassumption rules.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 421
(f) PresuppositionsIn order to derive x : A, y : B ⇒ C : Set we need to show:
A : Set.x : A⇒ B : Set
So the judgement
x : A, y : B ⇒ C : Set
implicitly contains the judgements
A : Set ,
x : A⇒ B : Set .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(f) 422
Presuppositions (Cont.)
A : Set and x : A⇒ B : Set are:::::::::::::::::::::
presuppositions of thejudgement
x : A, y : B ⇒ C : Set .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(f) 423
Presuppositions (Cont.)
A : Set and B : Set are:::::::::::::::::::::
presuppositions of thejudgement
A→ B : Set .
and of the judgement
A×B : Set .
The next slide shows the presuppositions ofjudgements.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(f) 424
Presuppositions
Judgement Presuppositions
Γ, x : A⇒ Context Γ⇒ A : Set.
Γ⇒ A : Set Γ⇒ Context
Γ⇒ A = B : Set Γ⇒ A : Set,Γ⇒ B : Set.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(f) 425
Presuppositions
Judgement Presuppositions
Γ⇒ a : A Γ⇒ A : Set.
Γ⇒ a = b : A Γ⇒ a : A,Γ⇒ b : A.
Γ⇒ (x : A)×B : Set Γ, x : A⇒ B : Set.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(f) 426
Presuppositions
Judgement Presuppositions
Γ⇒ (x : A)→ B : Set Γ, x : A⇒ B : Set.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(f) 427
PresuppositionsFurthermore, presuppositions of presuppositions of
Γ⇒ θ
are as well presuppositions of
Γ⇒ θ .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(f) 428
Example of Presuppositionsx : A, y : B ⇒ a = b : (z : C)×D presupposes:∅ ⇒ Context,A : Set,x : A⇒ Context,x : A⇒ B : Set,x : A, y : B ⇒ Context,x : A, y : B ⇒ C : Set,x : A, y : B, z : C ⇒ Context,x : A, y : B, z : C ⇒ D : Set,x : A, y : B ⇒ (z : C)×D : Set,x : A, y : B ⇒ a : (z : C)×D,x : A, y : B ⇒ b : (z : C)×D.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(f) 429
Remark on A→ B, A×B
Note that A→ B is an abbreviation for (x : A)→ B forsome fresh x.
Similarly A×B is an abbreviation for (x : A)×B forsome fresh x.
Therefore the presupposition of A→ B : Set(which abbreviates ∅ ⇒ A→ B : Set) are:∅ ⇒ Context,A : Set,x : A⇒ Context,x : A⇒ B : Set.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(f) 430
(g) The Full Logical FrameworkWe would like to add operations on types, such as
prod : Set→ Set→ Set
which should take two sets and form the product of it.
The problem is that for this we need
Set→ Set→ Set : Set
and our rules allow this only if we hadSet: Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 431
SetAdding
Set : Set
as a rule results however in an inconsistent theory:using this rule we can prove everything, especiallyfalse formulas.The corresponding paradox is called::::::::::
Girard’s:::::::::::
paradox.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 432
Jean-Yves Girard
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 433
Set (Cont.)Instead we introduce a new level on top of Set calledType.
So besides judgements A : Set we have as welljudgements of the form
A : Type
One rule will especially express
Set : Type
Elements of Type are types, elements of Set aresmall types.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 434
Set (Cont.)We add rules asserting that if A: Set then A: Type.
Further we add rules asserting that Type is closedunder the dependent function type and product.
Since Set : Type we get therefore (by closure under thefunction type)
Set→ Set→ Set : Type
and we can assign to prod above the type
prod : Set→ Set→ Set
(The definition of prod will be given later.)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 435
SetSet −> Set
N −> SetN −> N
Type
Set
N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 436
Set (Cont.)However, we cannot use prod in order to form theproduct of two sets, ie. we cannot introduce
prod Set Set : Set ,
since Set : Set does not hold.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 437
Rules for SetFormation Rule for Set
Set : Type
Every Set is a Type
A : Set (Set2Type)A : Type
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 438
Closure of TypeFurther we add rules stating that Type is closed underthe dependent function type and the dependentproduct:
Closure of Type under the dependent product
A : Type x : A⇒ B : Type(×-FType)
(x : A)×B : Type
Closure of Type under the dependent function type
A : Type x : A⇒ B : Type(→ -FType)
(x : A)→ B : Type
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 439
Nondependent CaseA special case of the above rule is the closure underthe non-dependent function type and product.This rule can be derived (e.g. from the premises onecan derive using the other rules the conclusion).
Closure of Type under the non-dependent product
A : Type B : Type(×-FType)
A×B : Type
Closure of Type under the non-dependent function type
A : Type B : Type(→ -FType)
A→ B : Type
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 440
Equality Versions of the RulesFormation Rule for Set
Set = Set : Type (SetIsType=)
Every Set is a Type
A = B : Set (Set2Type=)A = B : Type
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 441
Equality Versions of the RulesClosure of Type under the dependent product
A = A′ : Type x : A⇒ B = B′ : Type(×-F=,Type)
(x : A)×B = (x : A′)×B′ : Type
Closure of Type under the dependent function type
A = A′ : Type x : A⇒ B = B′ : Type(→ -F=,Type)
(x : A)→ B = (x : A′)→ B′ : Type
Similarly for the non-dependent versions of the above.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 442
Context RulesThe types in the contexts, which were before onlyelements of Set, can now be as well elements of Type.
Therefore we need an additional context rule
Γ⇒ A : Type(ContextType
1 )Γ, x : A⇒ Context
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 442a
Example: prodWe can now introduce prod : Set→ Set→ Set:First we derive X : Set, Y : Set⇒ X : Set:
Set : TypeX : Set⇒ Context
X : Set⇒ Set : TypeX : Set, Y : Set⇒ ContextX : Set, Y : Set⇒ X : Set
Similarly we derive X : Set, Y : Set⇒ Y : Set.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 443
Example: prod (Cont.)Now we can derive our desired judgement:
X : Set, Y : Set⇒ X : Set X : Set, Y : Set⇒ Y : SetX : Set, Y : Set⇒ X × Y : Set
X : Set⇒ (λY : Set.X × Y ) : Set→ Set
(λX, Y : Set.X × Y ) : Set→ Set→ Set
So defineprod := λX, Y : Set.X × Y
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 444
Hierarchies of TypesIf one wants to form
prod′ : Type→ Type→ Type ,
one needs to have a further level Kind above Type, s.t.
Type : Kind .
ThenType→ Type→ Type : Kind .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 445
SetSet −> Set
N −> SetN −> N
N
Type
Set
Kind
Type
Type−> Type
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 446
Rules for Type as a KindType is a Kind
Type : Kind
Every Type is a Kind
A : Type(Type2Kind)
A : Kind
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 447
Closure of KindClosure of Kind under the dependent product
A : Kind x : A⇒ B : Kind (×-FKind)(x : A)×B : Kind
Closure of Kind under the dependent function type
A : Kind x : A⇒ B : Kind (→ -FKind)(x : A)→ B : Kind
Plus equality versions of the above rules.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 448
Context RulesAgain, the context rules have to be expanded:
Γ⇒ A : Kind(ContextKind
1 )Γ, x : A⇒ Context
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 448a
Hierarchies of Types (Cont.)
This can be iterated further, formingType = Type1,Kind = Type2,Type3,Type4 · · ·
Agda has a hierarchy of types built in, written as #0(which is Set), #1 (which is Type), #2 (in the rulecalculus called Kind), #3 etc.
So we have#0 = Set : Type,#0 = Set : #2, #1 = Type : #2,#0 = Set : #3, #1 = Type : #3, #2 : #3,#0 = Set : #4, #1 = Type : #4, #2 : #4, #3 : #4,etc.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 449
Type_3 = #3
Type = Type_1 = #1
Kind = Type_2 = #2
Set = #0
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 450
3. Data Types(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3 451
(a) The Set of BooleansFormation Rule
Bool : Set
Introduction Rules
tt : Bool ff : Bool
Elimination Rule
C : Bool→ Set ic : C tt ec : C ff cond : BoolCaseBool C ic ec cond : C cond
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 452
The Set of Booleans (Cont.)Equality Rules
C : Bool→ Set ic : C tt ec : C ffCaseBool C ic ec tt = ic : C tt
C : Bool→ Set ic : C tt ec : C ffCaseBool C ic ec ff = ec : C ff
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 453
RemarksIn the above
tt:
stands for true, ff:
stands for false.
ic:
stands for “if-case”, ec::
for “else-case”.
cond:::::
for “condition”.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 454
Remarks (Cont.)The argument C : Bool→ Set denotes the set into whichwe are eliminating.
Instead of C : Set, we have C : Bool→ Set, since theset into which we are eliminating might depend onthe Boolean value.That is necessary in order to define functionsf : (b : Bool)→ D where D depends on b.If we define
f := λ(b : Bool).CaseBool C ic ec b
we have:f tt : C tt.f ff : C ff.f : (b : Bool)→ C b.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 455
Remarks (Cont.)The argument C above has no computational content.
It is not needed in order to computeCaseBool C ic ec tt and CaseBool C ic ec ff.
C is only needed in order to get to allow decidable typechecking:
In the presence of arguments like this we can decidewhether a judgement a : B is derivable.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 456
Remarks (Cont.)We can write the elimination rule in a more compactbut less readable way:
CaseBool : (C : Bool→ Set)
→ (ic : C tt)
→ (ec : C ff)
→ (cond : Bool)
→ C cond
.
tt, ff are the constructors of Bool.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 457
Remarks (Cont.)Notice that we then get for C : Bool→ Set,ic : C tt, ec : C ff
f := CaseBool C ic ec
: (cond : Bool)→ C cond
,
f tt = CaseBool C ic ec tt = ic : C tt,f ff = CaseBool C ic ec ff = ec : C ff.
So we obtain functions from Bool into other setswithout having to write λ(b : Bool). · · · .
That’s why we choose the argument to eliminate fromas the last one.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 458
Remarks (Cont.)This is similar to the definition of for instance (+) incurried form in Haskell
(+) : int→ int→ int.(+) 3 is the function which takes an integer and addsto it 3.
Shorter than writing λx.3 + x.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 459
Remarks (Cont.)Note that we have the following order of thearguments of CaseBool:
First we have the set into which we eliminate.Then follow the cases, one for each constructor.Finally we put the element which we areeliminating.
In some sense CaseBool is a “then _else _if ” – thecondition (if . . .) is the last one.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 460
Example: ANDWe want to introduce conjunction
AND : Bool→ Bool→ Bool .
This will be of the form
AND = λb, c : Bool.t
for some term t.
t will be defined by case distinction on b, so we get
AND = λb, c.CaseBool C e f b
for some e, f .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 460a
Example: ANDAND = λb, c.CaseBool C e f b
C will be the set into which we are eliminating,depending on a Boolean value.
It need to be an element of Bool→ Set.Therefore we have C = λd : Bool.D for some Dwhich might depend on d.The set, into which we are eliminating, is always thesame, namely Bool.So D = Bool and therefore we have
C = λd : Bool.Bool .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 460b
Example: ANDNote that in
λd : Bool.Bool
Bool occurs in two different meanings:The first occurrence is that of a set.
d is chosen here as an element of that set.The second occurrence is that as an element ofanother type, namely Set.
So here Bool is a term.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 460c
Two Meanings of Elements of SetAll elements A of Set have these two meanings:
They can be used as terms, which are elements ofthe type Set.
The corresponding judgements are A : Set,A = A′ : Set.
And they can be used as sets, which have elements.The corresponding judgements are a : A anda = a′ : A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 460d
Example: ANDSo
AND = λb, c.CaseBool (λd : Bool.Bool) e f b
for some e, f .
For conjunction we have:If b is true then
b ∧ c = tt ∧ c = c
So the if-case e above is c.If c is false then
b ∧ c = ff ∧ c = ff
So the else-case f above is ff.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 460e
Example: ANDIn total we define therefore
::::::
AND = λ(b, c : Bool).CaseBool (λ(d : Bool).Bool) c ff b
: Bool→ Bool→ Bool
We verify the correctness of this definition:AND tt c = CaseBool (λ(d : Bool).Bool) c ff tt = c.as desired.AND ff c = CaseBool (λ(d : Bool).Bool) c ff ff = ff.Correct as desired.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 461
Select ExampleAssume we have introduced in type theory
Names : Bool→ Set ,
Names tt = MaleNames ,
Names ff = FemaleNames .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 461a
Select ExampleThen we can define the function
SelectBool : (b : Bool)→ Names b
SelectBool tt = Tim
SelectBool ff = Sara
as follows:
SelectBool = CaseBool Names Tim Sara
Note that by using twice the η-rule we get that
SelectBool
= λb : Bool.CaseBool (λd : Bool.Names d) Tim Sara b
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 461b
Select ExampleWe verify the correctness of SelectBool:
SelectBool tt = CaseBool Names Tim Sara tt = Tim ,
SelectBool ff = CaseBool Names Tim Sara ff = Sara .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 461c
Derivation of ANDWe derive in the following AND : Bool→ Bool→ Bool.
We write Bool, if itis a type in boldface red,and if it is a term, in italic blue.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 462
Derivation of ANDFirst we deriveb : Bool, c : Bool⇒ λ(d : Bool).Bool : Bool→ Set:
Bool : Setb : Bool⇒ Context
b : Bool⇒ Bool : Setb : Bool, c : Bool⇒ Context
b : Bool, c : Bool⇒ Bool : Set
b : Bool, c : Bool, d : Bool⇒ Context
b : Bool, c : Bool, d : Bool⇒ Bool : Set
b : Bool, c : Bool⇒ λ(d : Bool).Bool : Bool→ Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 463
Derivation of ANDWe derive
b : Bool, c : Bool⇒ Bool = (λ(d : Bool).Bool) tt : Set
(using part of the derivation above):
· · ·b:Bool,c:Bool,d:Bool⇒Context
b:Bool,c:Bool,d:Bool⇒Bool :Set
· · ·b:Bool,c:Bool⇒Context
b:Bool,c:Bool⇒tt:Bool
b:Bool,c:Bool⇒(λ(d:Bool).Bool) tt=Bool :Set
b:Bool,c:Bool⇒Bool=(λ(d:Bool).Bool) tt:Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 464
Derivation of ANDSimilarly follows
b : Bool, c : Bool⇒ Bool = (λ(d : Bool).Bool) ff : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 465
Derivation of ANDUsing part of the proof above, we derive
b : Bool, c : Bool⇒ c : (λ(d : Bool).Bool) tt
· · ·b:Bool,c:Bool⇒Context
b:Bool,c:Bool⇒c:Bool
· · ·b:Bool,c:Bool⇒Bool=(λ(d:Bool).Bool) tt:Set
b:Bool,c:Bool⇒c:(λ(d:Bool).Bool) tt
We derive
b : Bool, c : Bool⇒ ff : (λ(d : Bool).Bool) ff
· · ·b:Bool,c:Bool⇒Context
b:Bool,c:Bool⇒ff:Bool
· · ·b:Bool,c:Bool⇒Bool=(λ(d:Bool).Bool) ff:Set
b:Bool,c:Bool⇒ff:(λ(d:Bool).Bool) ff
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 466
Derivation of ANDWe derive b : Bool, c : Bool⇒ b : Bool using part of theproof above:
· · ·b : Bool, c : Bool⇒ Context
b : Bool, c : Bool⇒ b : Bool
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 467
Derivation of ANDFinally we obtain our judgement (we stack thepremises of the rule because of lack of space):
b:Bool,c:Bool⇒λ(d:Bool).Bool :Bool→Set
b:Bool,c:Bool⇒c:(λ(d:Bool).Bool) tt
b:Bool,c:Bool⇒ff:(λ(d:Bool).Bool) ff
b:Bool,c:Bool⇒b:Bool
b:Bool,c:Bool⇒CaseBool (λ(d:Bool).Bool) c ff b:Bool
b:Bool⇒λ(c:Bool).CaseBool (λ(d:Bool).Bool) c ff b:Bool→Bool
λ(b,c:Bool).CaseBool (λ(d:Bool).Bool) c ff b:Bool→Bool→Bool
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 468
Elimination into TypeWe can extend add elimination and equality rules, havingas result Type:Elimination Rule into Type
C : Bool→ Type ic : C tt ec : C ff cond : Bool
CaseTypeBool C ic ec cond : C cond
Equality Rules into Type
C : Bool→ Type ic : C tt ec : C ff
CaseTypeBool C ic ec tt = ic : C tt
C : Bool→ Type ic : C tt ec : C ff
CaseTypeBool C ic ec ff = ec : C ff
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 469
Elimination into Type (Cont.)We can extend this into an elimination rule
into Kind or other higher types.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 470
Bool in AgdaWe introduce Bool by simply listing its constructors(similarly to Haskell syntax):
data Bool = tt | ff
This introduces as well constantstt :: Bool
ff :: Bool
With this syntax, each constructorcan occur at most once in a data type,
i.e. we cannot define a second type havingconstructor tt,e.g. for defining True (which is used later):
data True = tt
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 471
Bool in Agda (Cont.)The definition of Bool above is treated in Agda as anabbreviation for the following three more fundamentalAgda definitions:
Bool :: Set
= data tt | ff
tt :: Bool
= tt@Bool
ff :: Bool
= ff@Bool
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 472
Notation for ConstructorsThe official notation for a constructor of a set A is
C@A .
The notation C@A is, what is displayed, whenevaluating expressions in Agda.This notation is necessary, since a constructor mightbelong to different sets.
For instance we can introduce both
Bool :: Set = data tt | ff
True :: Set = data tt
In this situation we need to be able to distinguishbetween tt@Bool and tt@True in order to getdecidable type checking.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 472a
Notation for ConstructorsForcing the user to use different names for constructorsdoesn’t help since we will later introdue as well sets ofthe form
D (a :: A)
:: Set
= data C · · ·
Now C@(D a) can be a constructor of D a for anya : A.
Using C alone would cause problems withdecidable type checking.
If Agda can resolve the type itself, one can write C@_instead of C@A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 472b
Notation for ConstructorsIt is still recommended to avoid the use of the symbol @,and for instance define in the above situation by hand
C (a :: A)
:: D
= C@_
The abbreviation
data Bool = tt | ff
does this automatically.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 472c
Notation for ConstructorsHowever the abbreviation
data A = C | D | · · ·
can be used only ifone is defining a set A (and not a type A),and if the set one is defining has no parameter.
So it cannot be use in order to define
D (a :: A)
:: Set
= data C · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 472d
Bool in Agda (Cont.)The definition of Bool as
Bool :: Set
= data tt | ff
introduces Bool as a set having constructors tt@Bool
and [email protected] tt, and ff have to be defined separately.If it is clear that the element in question is of typeBool, then one can replace tt@Bool by tt@_
:::::
.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 473
Bool in Agda (Cont.)The definition of Bool as above doesn’t prevent thedefinition of another set with constructors tt or ff.This syntax is the only one allowed, if one defines aset using the data keyword depending onarguments.More about this later.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 474
Bool in Agda (Cont.)Internally, tt will always be represented as tt@Bool,similarly for ff.
So Agda evaluates tt to [email protected] can be seen when using of the agda methodsfor evaluating a term.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 475
Evaluation of terms in AgdaAgda has several methods for evaluating expressions:
agda-compute-whnf, “Compute weak head normalform”,agda-compute-whnfs, “Compute weak headnormal form strict”,agda-nfC, “Compute to a depth”,agda-nfC100, “Compute to depth 100”.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 475a
Evaluation of terms in AgdaThe above mentioned methods can be executed(directly or by using the goal-menu), while in a goal.
An expression typed into the goal will be taken asdefault input to that function.But that can be modified.
The methods follow different evaluating strategies.Compute weak head normal form reduces a termuntil it starts with a constructor or the outer mostfunction doesn’t reduce any further, even if itsarguments are evaluated.Compute to depth 100 seems to work best in mostcases.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 475b
Case DistinctionElimination in Agda is based on case distinction.
Assume we want to definef : Bool→ Bool, s.t.f tt = ff,f ff = tt.
So we have the goal:
f (x :: Bool)
:: Bool
= ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 476
Case Distinction (Cont.)We can then type into the goal x and choose the menuitem “agda-case” .
This introduces a case distinction by theconstructor used for introducing x:x could have been introduced as tt or ff.
The goal expands to:
f (x :: Bool)
:: Bool
= case x of
(tt) → ! !
(ff) → ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 477
Case Distinction (Cont.)The value of x in the first goal can be tested asfollows:
Position the cursor in the first goal and choose oneof the methods for evaluating expressions, e.g.compute weak head normal form strict.Then type into the mini-buffer x.One gets the answer
tt@_.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 478
Case Distinction (Cont.)Alternatively, check, the cursor being in that goal,the context
(use goal-menu “agda-context” ):It contains
x :: Bool = tt@_.
Similarly one finds that in the second goal x is ff@_.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 479
Case Distinction (Cont.)Now we can solve the new goals by inserting
ff into the first one,tt into the second one.
We obtain a function:
f (x :: Bool)
:: Bool
= case x of
(tt) → ff
(ff) → tt
f x is the negation of x.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 480
Testing the Defined FunctionWe can test our function by using one of the evaluationmethods of Agda, e.g.compute weak head normal form strict.
We have to create a goal for this.The reduction machinery is context dependent.The context depends on where in the buffer we are.
See the above example where x was dependingon the goal tt or ff.
Not every place in the buffer is a good place.Good places for context are goals, and that’sthe only place where Agda allows us to computethe weak head normal form of expressions.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 481
Testing the Defined FunctionSo we
type in a dummy goal:
test :: Set
= ! !
move to the new goalchoose compute weak head normal form strict oranother evaluation method of Agda,and type into the mini-buffer f tt.
The result shown is ff@_.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 482
(b) The Finite SetsBool can be generalised to sets having n elements (n afixed natural number):
Formation RuleFinn : Set
Introduction RulesAn
k : Finn
(for k = 0, . . . , n− 1)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 483
Rules for Finn
Elimination Rule
C : Finn → Sets0 : C An
0s1 : C An
1· · ·
sn−1 : C Ann−1
a : Finn
Casen C s0 . . . sn−1 a : C a
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 484
The Finite Sets (Cont)Equality Rules
C : Finn → Sets0 : C An
0s1 : C An
1· · ·
sn−1 : C Ann−1
Casen C s0 . . . sn−1 Ank = sk : C An
k
(for k = 0, . . . , n− 1).
Remark: Note that we have just introduced infinitely manyrules (for each n ∈ N and k = 0, . . . , n− 1).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 485
Omitting Premises in Equality RulesSince the premises of the equality rule can in mostcases be determined from the introduction andelimination rules, we will usually omit them, whenwriting down equality rules.
So we write for instance for the previous rule:
Casen C s0 . . . sn−1 Ank = sk : C An
k
We sometimes even omit the type:
Casen C s0 . . . sn−1 Ank = sk
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 486
More Compact Elimination Rules
Casen : (C : Finn → Set)
→ (s0 : C An0 )
→ · · ·
→ (sn−1 : C Ann−1)
→ (a : Finn)
→ C a
.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 487
Elimination into TypeSimilarly as for Bool we can write downelimination rules, whereC : Finn → Type (instead of C : Finn → Set).
This can be done for all sets defined later as well.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 488
Rules for TrueTrue is the special case Finn for n = 1 (we write true for A1
0):Formation Rule
True : Set
Introduction Rulestrue : True
Elimination Rule
C : True→ Set c : C true t : TrueCaseTrue c t : C t
Equality Rule
C : True→ Set c : C trueCaseTrue c true = c : C true
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 489
Rules for True (Cont.)CaseTrue is computationally not very interesting.
CaseTrue c is the untyped function λx.c.However, in Agda we might not be able to derive
λ(t : True).c : (t : True)→ C t
From a logic point of view, it expresses:From an element of C true we obtain an element of C tfor every t : True.
So there is no C : True→ Set s.t. C true is inhabited,but C x is not inhabited for some other x : True.This means that all elements of x of type True areindistinguishable from true, i.e. they areidentical to true.This equality is called
::::::::::
Leibnitz:::::::::::
equality.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 490
Formulae as TypesIn type theory, formulas are certain types.
A formula expressed as a type, is::::::::::::::::::::::
type-theoretically::::::
true, if it has an element.
The elements of such a type are proofs of thisformula.
ThereforeTruth in type theory means provability.
True has exactly one proof, and corresponds thereforeto the always always true formula.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 491
Rules for FalseFalse is the special case Finn for n = 0:
Formation RuleFalse : Set
There is no Introduction Rule
Elimination Rule
C : False→ Set f : False
CaseFalse f : C f
There is no Equality Rule
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 492
FalseFalse has no elements.
It is the formula, which is always false, since it has noproofs.
Often called falsum or absurdity.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 493
FalseCaseFalse expresses: from an element f of False weobtain an element of any set (which might depend onf ).
Considered as a formula, this means: from a proof ofFalse we obtain a proof of every other formula.I.e. False implies everything.In logic this principle is called:::::
“Ex:::::::::
falsum::::::::::::::
quodlibet” (from the absurdity followsanything).E.g. A false formula like “0 = 1” or “Swansea lies inGermany” implies everything.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 494
False (Cont.)CaseFalse has no computational meaning, since thereis no element it can be applied to.
Applies of course only if we are working in aterminating type theory.If we had full recursion, we could define f : False byf = f .However that f doesn’t reduce to canonical form.That’s why it’s important to carry out thetermination check in Agda, otherwise one obtainsfor instance elements of False
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 495
Finite Sets in AgdaFinite sets can be introduced by giving oneconstructor for each element. E.g.
data Colour = blue | red | green
With this we obtain red :: Colour
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 496
Finite Sets in AgdaElimination is done via case distinction.
In the “Colour” example above for instance, we candefine
is_red (c :: Colour)
:: Bool
= case c of
(red) → tt
(green) → ff
(blue) → ff
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 497
False in AgdaIn Agda we can define the empty set as a “data”-setwith no constructors:
data False =
If we want to solve
g (x :: False)
:: Bool
= ! !
we can insert into the goal x and choose menu-item“agda-case” .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 498
False in Agda (Cont.)The result is
g (x :: False)
:: Bool
= case x of
If we make case distinction on x there isno case to choose from, so we don’t have to defineanything.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 499
Example for the Use of FalseAssume the type of trees:
data Tree = oak | pine | spruce
Below we will show, how to introduce a function
IsConifer :: Tree→ Set
s.t.IsConifer oak = False
IsConifer pine = True
IsConifer spruce = True
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 500
Example for the Use of FalseIf we want to define a function from trees, which areconifers, into another set, we can do so by requiringan additional argument “IsConifer”:
f (t :: Tree)
(p :: IsConifer t)
:: A
= case t of
oak → case p of
pine → · · ·
spruce → · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 501
Example for the Use of FalseIn order to use f we have to know that t is a conifer,
i.e. we have to provide an argument p whichexpresses the fact that we know this.
Note that we don’t have to invent a result of f in caset is an oak tree.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 502
Example 2 for the Use of FalseSimilarly we can introduce a stack, together with apredicate
NonEmpty :: Stack→ Set
s.t.NonEmpty s = False
if s is the empty stack.
Now we can define
pop (s :: Stack)
(p :: NonEmpty s)
:: Stack
= · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 503
Example 2 for the Use of FalseAgain we don’t have to provide a result, in case s isempty.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 504
True in AgdaThe definition of True in Agda is straightforward:
data True = true
Case distinction will require to solve the case true:
g (x :: True)
:: Bool
= case x of
(true)→ ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(b) 505
(c) Atomic FormulaeFull title of this section:Atomic formulae and the Traffic Light Example.
We have introduced two formulae:True, the always true formula.
Corresponds to truth value tt : Bool.False, the always false formula.
Corresponds to truth value ff : Bool.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 506
Atomic FormulaeA formula expressing equality between two elements ofFinn (for fixed n) can now be introduced as follows:
Define a function
Eqn,Bool : Finn → Finn → Bool
s.t.
Eqn,Bool Ain Ai
n = true
Eqn,Bool Ain Aj
n = false for i 6= j
Eqn,Bool can be defined easily (for fixed n) by casedistinction on its two arguments.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 507
Atomic FormulaeNow apply an operation
atom : Bool→ Set
which maps the truth value to the correspondingformula, i.e. define now
Eqn : Finn → Finn → Set
Eqn x y = atom(Eqn,Bool x y)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 508
Atomic Formulaeatom is defined s.t.
atom tt = True
atom ff = False
So we get for Eqn above
Eqn Ain Ai
n = True
Eqn Ain Aj
n = False for i 6= j
SoEqn Ai
n Ain is inhabited, has a proof, is true;
for i 6= j, Eqn Ain Aj
n is not inhabited, has not a proof,is false.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 509
Atomic Formulaeatom can be defined as follows:
atom = CaseTypeBool (λb : Bool.Set) True False
: Bool→ Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 510
atom in Agda
atom (b :: Bool)
:: Set
= case b of
(tt) → True
(ff) → False
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 511
Decidable PredicatesIn general, atom allows us to define decidablepredicates on sets.
A predicate is::::::::::::
decidable if it can be decided by aBoolean valued function.
E.g. equality on natural numbers is decidable,since we can define a functionEqN,Bool : N→ N→ Bool which decides it.Equality on functions N→ N is undecidable,since we cannot define such a function – in orderto check equality between f and g we need tocheck equality between f n and g n for all n : N.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 512
Decidable Predicates (Cont.)Assume we have a set of states of a system A.
E.g. the set of states a railway controller can choose.
Assume we have a function f : A→ Bool.E.g. f a means: state a is safe.
Let now g : A→ Set, g a = atom(f a).If f a is true (e.g. a is safe), g a is inhabited.If f a is false (e.g. a is unsafe), g a is not inhabited.
Now, the existence of a h : (a : A)→ g a means:For all a : A we have g a is inhabited,ie. for all a : A, f a is true,e.g. for all a : A, a is safe.
.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 513
The Traffic Light ExampleAssume a road crossing, controlled by traffic lights:
A
A’
B
B’
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 514
The Traffic Light ExampleAssume from each direction A, A’, B, B’ there is onetraffic light,
but A and A’ always coincide, similarly B and B’.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 515
The Set of Physical StatesFor simplicity assume that each traffic light is eitherred or green:
data Colour = red | green
The set of physical states of the system is given by apair, determining the colour of A (and therefore as wellA’) and of B (and B’)
Phys_State :: Set
= sig
sigA :: Colour
sigB :: Colour
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 516
The Set of Control StatesThe set of control states is a set of states of thesystem, a controller of the system can choose.
Each of these states should be safe.In our example, all safe states will be captured(this can usually be only achieved in smallexamples).
A complete set of control states consists of:Allred – all signals are red.Agreen – signal A (and A’) is green, signal B is red.Bgreen – signal B is green, signal A is red.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 517
The Set of Control States (Cont.)We therefore define
data Control_State = Allred | Agreen | Bgreen
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 518
Control States to Physical StatesWe define the state of signals A, B depending on acontrol state:
toSigA (s :: Control_State)
:: Colour
= case s of
(Allred) → red
(Agreen) → green
(Bgreen) → red
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 519
Control States to Physical States
toSigB (s :: Control_State)
:: Colour
= case s of
(Allred) → red
(Agreen) → red
(Bgreen) → green
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 520
Control States to Physical StatesNow we can define the physical state correspondingto a control state:
phys_state (s :: Control_State)
:: Phys_State
= struct
sigA = toSigA s
sigB = toSigB s
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 521
Safety PredicateWe define now when a physical state is safe:
It is safe iff not both signals are green.We define now a corresponding predicate directly,without defining first a Boolean function.We first define a predicate depending on two signals:
CorAux (a, b :: Colour)
:: Set
= case a of
(red) → True
(green) → case b of
(red) → True
(green) → False
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 522
Safety Predicate (Cont.)Now we define
Cor (s :: Phys_State)
:: Set
= CorAux s.sigA s.sigB
Remark: In some cases in order to define a functionfrom some product (i.e. a sig-set) into some other set,it is better first to introduce an auxiliary function,depending on the components of that product.
In the current example this wouldn’t have causedproblems, but in more complex examples it does(due to the lack of the η-rule).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 523
Safety of the SystemNow we show that all control states are safe:
cor_proof (s :: Control_State)
:: Cor(phys_state s)
= case s of
(Allred) → true
(Agreen) → true
(Bgreen) → true
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 524
Safety of the System (Cont.)The first element true was an element ofCor(phys_state Allred), which reduces to True.
Similarly for the other two elements.
This works only because each control statecorresponds to a correct physical state.
If this hadn’t been the case, we would have gotteninstances where the goal to solve is False, which wecan’t solve.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 525
Safety of the System (Cont.)If one makes a mistake which results in an unsafesituation
e.g. sets toSigB Agreen = green,then in the last step we obtain one goal of type False.
Then we can’t solve this goal directly and cannotprove the correctness.(We could in Agda solve this goal by usingfull recursion,
e.g. solve this goal as cor_proof Agreen,but this would be rejected by the termination check.)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(c) 526
(d) The Disjoint Union of SetsThe disjoint union A + B of two sets A and B is theunion of A and B,
but defined in such a way that we can decidewhether an element of this union is originally from Aor B.This is distinguished by having constructorsinl : A→ A + B and inr.
Elements from a : A are inserted into A + B asinl a : A + B.elements from b : B are inserted into A + B asinr b : A + B.inl stands for “in-left”, inr for “in-right”.
If we have a : A and a : B, then a is represented bothas inl a and inr a in A + B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 527
Disjoint UnionInformally, if
A = 1, 2
andB = 3, 4, 5 ,
then
A + B = inl(1), inl(2), inr(3), inr(4), inr(5)
Each element of A + B iseither of the form inl(a) for some a : Aor of the form inr(b) for b : B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 527a
Comparison with the ProductNote that if we have again
A = 1, 2
andB = 3, 4, 5 ,
then for the product we have informally
A×B = p(1, 3), p(1, 4), p(1, 5), p(2, 3), p(2, 4), p(2, 5)
Each element of A×B is of the form p(a, b) wherea : A and b : B.So each element of A×B contains both an elementof A and an element of B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 527b
Disjoint Union vs. ProductNote that, if A is empty, then
A + B = inr(b) | b : B, which has a copy of eachelement of B,A×B is empty, since we cannot form a pair p(a, b)where a : A, b : B, since there is no element a : A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 527c
Rules for A + B
Formation RuleA : Set B : Set
A + B : Set
Introduction Rules
A : Set B : Set a : Ainl A B a : A + B
A : Set B : Set b : Binr A B b : A + B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 528
Rules for A + B
Elimination Rules
A : SetB : Set
C : (A + B)→ Setcl : (a : A)→ C (inl A B a)cr : (b : B)→ C (inr A B b)
d : A + BCase+ A B C cl cr d : C d
Equality Rules
Case+ A B C cl cr (inl A B a) = cl a : C (inl A B a)
Case+ A B C cl cr (inr A B b) = cr b : C (inr A B b)
(cl, cr stand for “case left”, “case right”).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 529
Logical Framework VersionA more compact notation is:
(+) : Set→ Set→ Set, written infix.inl : (A,B : Set)→ A→ (A + B).inr : (A,B : Set)→ B → (A + B).
Case+ : (A,B : Set)
→ (C : (A + B)→ Set)
→ ((a : A)→ C (inl A B a))
→ ((b : B)→ C (inr A B b))
→ (d : A + B)
→ C d .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 530
Disjoint Union in AgdaThe disjoint union can be defined as a “data”-set havingtwo constructors inl (in-left) and inr (inright):
(+) (A :: Set)
(B :: Set)
:: Set
= data inl(a :: A) | inr(b :: B)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 531
Disjoint Union in Agda (Cont.)The notation (+) means, that + can be used infix.
Now we have, if A,B :: Set:inl@(A + B) :: A→ (A + B)
inr@(A + B) :: B → (A + B)
This can be checked using the menu “infer type” ina dummy goal.Note that we cannot assign a type to inl@_ or inr@_.(+) cannot be defined using the abbreviated datanotation(which would be of the formdata (+) = · · · ).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 532
Disjoint Union in Agda (Cont.)Elimination is again represented by case distinction.So if want to define for A,B :: Set for instance
f (c :: A + B)
:: Bool
= ! !
we can type into the goal c and choose menu“agda-case”.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 533
Disjoint Union in Agda (Cont.)We obtain
f (c :: A + B)
:: Bool
= case c of
(inl a) → ! !
(inr b) → ! !
and insert into the first goal e.g. true and the secondone false
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 534
Use of Concrete Disjoint SetsIt is usually more convenient to define concretedisjoint unions directly with more intuitive names forconstructors, e.g.
data Plant = tree(t :: Tree) | flower(f :: Flower)
Now one can define for instance
isFlower (p :: Plant)
:: Bool
= case p of
(tree t) → ff
(flower f) → tt
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 535
(e) The Σ-SetThe Σ-set is a second version of the dependentproduct of two sets.
It depends ona set A,and a second set B depending on A, i.e. onB : A→ Set.
Similar to the standard product (x : A)× (B x).
In Agda(x : A)× (B x) is a in Agda a builtin construct,the Σ-set is introduced by the user using aconstructor, similar to the previous sets.
The Σ-set behaves sometimes better than the standardproduct.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(e) 536
Rules for Σ
Formation Rule
A : Set B : A→ SetΣ A B : Set
Introduction Rule
A : SetB : A→ Set
a : Ab : B a
p A B a b : Σ A B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(e) 537
Rules for Σ
Elimination Rule
A : SetB : A→ Set
C : (Σ A B)→ Setc : (a : A)→ (b : B a)→ C (p A B a b))
d : Σ A BCaseΣ A B C c d : C d
Equality Rule
CaseΣ A B C c (p A B a b) = c a b : C (p A B a b)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(e) 538
The Σ-Set using the Log. Framew.The more compact notation is:
Σ : (A : Set)
→ (A→ Set)
→ Set .
p : (A : Set)
→ (B : A→ Set)
→ (a : A)
→ (B a)
→ Σ A B .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(e) 539
The Σ-Set using the Log. Framew.
CaseΣ :
(A : Set)
→ (B : A→ Set)
→ (C : (Σ A B)→ Set)
→ ((a : A, b : B a)→ C (p A B a b))
→ (d : Σ A B)
→ C d .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(e) 540
The Σ-Set and the Dep. Prod.Both the Σ-set and the dep. product have similarintroduction rules.
For the Σ-set, the constructors have additionalarguments A, B necessary for bureaucratic reasonsonly.
One can define the projections π0, π1 using CaseΣ:
π0 = CaseΣ A B (λx.A) (λ(x : A).λ(y : B x).x)
π1 = CaseΣ A B (λx.B π0(x)) (λ(x : A).λ(y : B x).y)
On the other hand, from π0, π1 we can define CaseΣ asfollows:
λA,B,C, s, d.s π0(d) π1(d) .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(e) 541
The Σ-Set and the Dep. Prod.However the dependent product has the η-rule (whichis however not implemented in Agda).
Because of the lack of η-rule, Σ works usuallybetter than the dependent product in Agda.
I personally don’t use the dependent product ofAgda much.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(e) 542
The Σ-Set in AgdaΣ can be defined as a “data”-set with a constructor, e.g.p:
Sigma (A :: Set)
(B :: A→ Set)
:: Set
= data p (a :: A) (b :: Ba)
Elimination uses case-distinction:
f (c :: Sigma A B)
:: D
= case c of
(p a b) → · · ·
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(e) 543
The Σ-Set in Agda (Cont.)Again one usually defines concrete Σ-sets more directly.
Example: Assume we have defineda set Plant_Group for groups of plants (e.g. “tree”,“flower”),depending on g :: Plant_Group, setsPlants_in_group g) for plants in that group.
The set of plants can then be defined as
data Plant = plant (g :: Plant_Group)(pg :: Plants_in_group g)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(e) 544
The Σ-Set in Agda (Cont.)Not surprisingly, for elimination we usecase distinction, e.g.:
f (p :: Plant)
:: Plant_group
= case p of
(plant g pg) → g
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(e) 545
(f) Formulae in Dep. Type TheoryWe have seen how to represent atomic decidableformulae.
Now treatment of complex formulae constructed usinglogical connectives.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 546
ConjunctionA ∧B is true iff both A is true and B is true.
Therefore a proof of A ∧B consists of a proof of A anda proof of B.
It is therefore a pair 〈p, q〉 consisting of a proof p of Aand a proof q of B.
Therefore the set of proofs of A ∧B is the set of pairs ofelements of A and B, i.e. A×B.
We can identify A ∧B with A×B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 547
Conjunction (Cont.)With this identification, the introduction rule for theproduct allows to form a proof of A∧B from a proof of Aand a proof of B:
p : A q : B
〈p, q〉 : A ∧B
This means that we can derive A ∧ B from A and B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 548
Conjunction and Natural Ded.In so called natural deduction, one has rules forderiving and eliminating formulas formed using thestandard connectives.
There the rule for introducing proofs of A ∧B is
A BA ∧B
The type theoretic introduction rule corresponds exactlyto this rule.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 549
Example 1For instance, assume we want to prove that a functionsort from lists to lists is a sorting algorithm.
Then we have to show that for every list l the applicationof sort to l is sorted, and has the same elements of l.
In order to show this, one would assume a list l andshow
first that sort l is sorted,then, that sort l has the same elements as l
and finally conclude that it fulfills the conjunction ofboth properties.The last operation uses the introduction rule for ∧.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 549a
Conjunction (Cont.)The elimination rule for ∧ allows to project a proof ofA ∧B to a proof of A and a proof of B:
p : A ∧B
π0(p) : A
p : A ∧B
π1(p) : B
This means that we can derive from A ∧ B both A andB.
This corresponds to the natural deduction eliminationrule for ∧:
A ∧BA
A ∧BB
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 550
Example 2Assume we have defined a function f , which takes a listof natural numbers l, a proof that l is sorted, and anatural number n, and returns the Boolean value tt or ffindicating whether n is in this list or not.
Assume now a sorting function sort from lists of naturalnumbers to natural numbers, plus a proof that it is asorting function, i.e. that sort l is sorted and has thesame elements as l for every list l.
We want to apply f to sort l and need therefore a proofthat sort l is sorted.
We have that the conjunction of “sort l is sorted” and“sort l has the same elements as l” holds.
Using the elimination rule for ∧ one can conclude thedesired property, that sort l is sorted.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 550a
Example 3Assume a proof of A ∧B.
We want to show B ∧ A.By ∧-elimination we obtain from A ∧B that B holds.Similarly we conclude that A holds.Using ∧-introduction we conclude B ∧ A.In natural deduction, this proof is as follows:
A ∧BB
A ∧BA
B ∧ A
Below we will see how to show this in Agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 550b
DisjunctionA ∨B is true iff A is true or B is true.
Therefore a proof of A ∨ B consists of a proof of Aor a proof of B, plus the information which one.
It is therefore an element inl p for a proof p : A or anelement inr q for a proof q : B.
Therefore the set of proofs of A ∨B is thedisjoint union of A and B, i.e. A + B.
We can identify A ∨B with A + B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 551
Disjunction (Cont.)With this identification, the introduction rules for +allows to form a proof of A ∨B from a proof of A or froma proof of B.
A : Set B : Set p : A
inl A B p : A + B
A : Set B : Set p : Binr A B p : A + B
Omitting the premises A,B : Set and omitting themas arguments of inl and inr (which is needed only forbureaucratic reasons) we get:
p : A
inl p : A + Bp : B
inr p : A + B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 552
Disjunction (Cont.)This means that we can derive A ∨ B from A and fromB.
This is what is expressed by the natural deductionintroduction rules for ∨:
AA ∨B
BA ∨B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 553
Example 1Assume we want to show that every prime number isequal to 2 or odd.
In order to show this one assumes a prime number.If it is 2, it is trivially equal to 2.
Using the introduction rule for ∨ one concludesthat it is equal to 2 or odd.
Otherwise, one argues (using some proof) that it isodd.
Using the introduction rule for ∨ one concludesagain that it is equal to 2 or odd.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 553a
Disjunction (Cont.)The elimination rule for + allows to form from anelement of A + B an element of any set C provided wecan compute such an element from A and from B:
A : SetB : Set
C : (A ∨B)→ Setsl : (a : A)→ C (inl A B a)sr : (b : B)→ C (inr A B b)
d : A ∨BCase+ A B C sl sr d : C d
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 554
Disjunction (Cont.)Omitting the dependency of C on A ∨B and omittingthe bureaucratic premises and arguments A, B and Cwe get:
d : A ∨B sl : A→ C sr : B → CCase+ sl sr d : C
This means that we can derive from A ∨ B a formulaC, if we can derive C from A and from B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 555
Disjunction (Cont.)This is what is expressed by the natural deductionelimination rules for ∨:
A ∨B
A···C
B···C
C
(Note that in the natural deduction elimination rule, fromthe premise “C derivable from A” we obtain “A→ C”,similarly for “C derivable from B” we get B → C.)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 556
Example 2Assume we want to show that every prime number isequal to 2, equal to 3, or ≥ 5.
We want to make use of the proof above that everyprime number is equal to 2 or odd.
We assume a prime number.We know that it is equal to 2 or odd.In case it is equal to 2 we conclude that it is equal to2, equal to 3, or ≥ 5.In case it is odd, we conclude using the fact that it isprime and 1 is not prime, that it is equal to 3 or ≥ 5.Therefore it is equal to 2, equal to 3, or ≥ 5.Now from the elimination rule for ∨ we conclude thatthe prime number chosen is equal to 2, equal to 3, or≥ 5.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 556a
Example 3Assume a proof of A ∨B.
We want to show B ∨ A.We have A ∨B.From assumption A we obtain A and therefore by∨-introduction B ∨ A.From assumption B we obtain B and therefore by∨-introduction B ∨ A.By ∨-elimination we obtain from these threepremises B ∨A without any premises.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 556b
Example 3 (Cont.)In natural deduction, this proof is as follows (we writeA1, . . . , An ` B for B follows under assumptionsA1, . . . , An):
A ∨BA ` A
A ` B ∨AB ` B
B ` B ∨ AB ∨ A
Below we will see how to show this in Agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 556c
ImplicationWe write temporarily ⊃ for logical implication, in order todistinguish it from the function type→.
Below we see that ⊃ can be identified with→.
A ⊃ B is true iff, whenever A is true then B is true.
Therefore if there is a proof of A, there must be aproof of B.
Therefore a proof of A ⊃ B is a function, which takesa proof of A and computes a proof of B.
Therefore the set of proofs of A ⊃ B is the functiontype A→ B.
We can identify A ⊃ B with A→ B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 557
Implication (Cont.)With this identification, the introduction rule for →allows to form a proof of A ⊃ B from a proof of Bdepending on a proof p of A:
p : A⇒ q : B
λ(p : A).q : A ⊃ B
This means that, if we, from assumptions p:A canprove B
(i.e. we can make use of a context p : A for provingq : B)
then we can derive A ⊃ B without assuming p:A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 558
Implication (Cont.)This is what is expressed by the natural deductionintroduction rule for ⊃:
A···B
A ⊃ B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 559
ExampleWe extend the proof that from a proof of A ∨B it followsB ∨A to a proof of
(A ∨B)→ (B ∨ A)
The previous proof can be easily transformed into aproof of A ∨B ` B ∨ A.
By→-introduction, it follows (A ∨B)→ (B ∨ A).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 559a
ExampleThe complete proof in natural deduction is as follows isas follows.
A ∨B ` A ∨BA ` A
A ` B ∨ AB ` B
B ` B ∨ AA ∨B ` B ∨ A
(A ∨B)→ (B ∨ A)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 559b
Implication (Cont.)The elimination rule for ⊃ allows to apply a proof p ofA ⊃ B to a proof of q of A in order to obtain a proof of B:
p : A ⊃ B q : Ap q : B
This means that we can derive from A ⊃ B and A thatB holds.
This is what is expressed by the natural deductionelimination rule for ⊃:
A ⊃ B AB
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 560
ExampleAssume we want to show A→ (A→ B)→ B.
We can show this as follows:From assumptions A and A→ B we can concludeA→ B.From assumptions A and A→ B we can conclude aswell A.Using the elimination rule for→, we conclude thatunder the same assumptions we get B.Using the introduction rule for→ we conclude fromassumption A that (A→ B)→ B holds.Using again the introduction rule for→ we concludethat A→ (A→ B)→ B holds without anyassumptions.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 560a
ExampleA proof in natural deduction is as follows:
A,A→ B ` A→ B A,A→ B ` A
A,A→ B ` B
A ` (A→ B)→ B
A→ (A→ B)→ B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 560b
Negation¬A has the same meaning as A ⊃ ⊥(where ⊥ is absurdity or the set False):
If there is no proof of A, then we can prove A ⊃ ⊥.If from any proof of A we can create a proof ofabsurdity, then there cannot be a proof of A, A mustbe false.
Therefore we can identify ¬A with A→ False.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 561
Universal QuantificationSince we have many types, we have to write whenusing quantifiers explicitly the type, the bound variableis ranging over:We write therefore ∀x : A.B, ∃x : A.B.
∀x : A.B is true iff, for all x : A there exists a proof of B(with that x).
Therefore a proof of ∀x : A.B is a function, whichtakes an x:A and computes an element of B.
Therefore the set of proofs of ∀x : A.B is the dependentfunction type (x : A)→ B.
We can identify ∀x : A.B with (x : A)→ B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 562
Universal Quantification (Cont.)With this identification, the introduction rule for thedependent function type allows to form a proof of∀x : A.B from a proof of B depending on an elementx : A:
x : A⇒ p : B
λ(x : A).p : (∀x : A.B)
This means that, if we, from x:A can prove B, then weget a proof of ∀x : A.B which doesn’t depend on x : A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 563
Universal Quantification (Cont.)This is what is expressed by the natural deductionintroduction rule for ∀:
B∀x : A.B
wherex might not occur free in any assumption of theproof.
This is guaranteed in type theory, since x : A mustbe the last element of the context, so any otherassumptions must be located before it and cantherefore not depend on x:A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 564
Universal Quantification (Cont.)The conclusion will no longer depend on freevariables x.
This corresponds in type theory to the fact thatx:A does no longer occur in the context of theconclusion.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 565
ExampleAssume one wants to show that for every naturalnumber n n + 0 == n.
In order to show this one assumes a natural number nand shows then that n + 0 == n.
then using the introduction rule for ∀ one concludes∀n : N.n + 0 == n.
In natural deduction, this proof is as follows (where theprove of n + 0 == n is not carried out):
n + 0 == n∀n : N.n + 0 == n
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 565a
Universal Quantification (Cont.)The elimination rule for the dependent function typeallows to apply a proof p of ∀x : A.B to an element a : Ain order to obtain a proof of B[x := a]:
p : (∀x : A.B) a : A
p a : B[x := a]
This means that we can derive from ∀x:A.B and anelement of a:A that B[x:=a] holds.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 566
Universal Quantification (Cont.)This is what is expressed by the natural deductionelimination rule for ∀
For the simple languages used in natural deduction,there is no need to derive that a : A;in more complex type theories we have to carryout this derivation.
∀x : A.B a : AB[x := a]
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 567
ExampleAssume a proof of ∀n : N.0 + n == n.
We want to condude that∀n,m : N.0 + (n + m) == (n + m).
This can be done as follows:One assumes n,m : N.Then one can conclude n + m : N.Using ∀n : N.0 + n == n and the elimination rule for ∀one concludes 0 + (n + m) == (n + m) underassumption n,m : N.Now using the introduction rule for ∀ twice it follows∀n,m : N.0 + (n + m) == (n + m).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 567a
ExampleIn natural deduction, this proof is written as follows:
∀n : N.0 + n == n
n : N,m : N ` n : N n : N,m : N ` m : N
n : N,m : N ` n + m : N
n : N,m : N ` 0 + (n + m) == (n + m)
n : N ` ∀m : N.0 + (n + m) == (n + m)
∀n,m : N.0 + (n + m) == (n + m)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 567b
Existential Quantification∃x : A.B is true iff there exists an a : A such thatB[x := a] is true.
Therefore a proof of ∃x : A.B is a pair 〈a,p〉 consistingof an element a : A and a proof p of B[x := a].
Therefore the set of proofs of ∃x : A.B is the dependentproduct (x : A)×B.
We can identify ∃x : A.B with (x : A)×B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 568
Existential Quantification (Cont.)With this identification, the introduction rule for thedependent product allows to form a proof of ∃x : A.Bfrom an element a : A and a proof p : B[x := a]:
a : A p : B[x := a]
〈a, p〉 : (∃x : A.B)
This is what is expressed by the natural deductionintroduction rule for ∃:
a : A B[x := a]
∃x : A.B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 569
ExampleAssume we want to show ∀n : N.∃m : N.m > n.
In order to prove this one assumes first n : N.Then one concludes S n : N and S n > n.Using the introduction rule for ∃ one concludes∃m : N.m > n under the assumption n : N.Using the introduction rule for ∀ one concludes∀n : N.∃m : N.m > n.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 569a
ExampleIn natural deduction, this proof reads as follows:
n : N ` n : Nn : N ` S n : N n : N ` S n > n
n : N ` ∃m : N.m > n∀n : N.∃m : N.m > n
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 569b
Existential Quantification (Cont.)The elimination rule for the dependent product allowsto project a proof p of ∃x : A.B to an element π0(p) : Aand proof π1(p) : B[x := π0(p)].
This kind of rule works only if we have explicit proofs.
From this we can derive a rule which is essentially thatused in natural deduction (in which one doesn’t haveexplicit proofs):
Assume:C : Set, which does not depend on x : A,p : (∃x : A.B) andx : A, y : B ⇒ c : C.
Then we have c[x := π0(p),y := π1(p)] : C, notdepending on x:A or y:B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 570
Existential Quantification (Cont.)Therefore the rule in natural deduction follows fromthe type theoretic rules:
∃x : A.B
x : AB···C
C
where the conclusion does not depend on x : A and B.
.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 571
ExampleAssume we have shown∀n : N.∃m : N.m > n ∧ Prime(m).
We want to show that for all n there exist two primesabove it, i.e.
∀n : N.∃m : N.∃k : N.m > k∧k > n∧∧Prime(m)∧Prime(k) .
We can derive this as follows:Assume n : N.We have ∃m : N.m > n ∧ Prime(m).So assume m : N and m > n ∧ Prime(m).We have as well ∃k : N.k > m ∧ Prime(k).So assume k : N and k > m ∧ Prime(k).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 571a
ExampleThen we can conclude
m > k ∧ k > n ∧ Prime(m) ∧ Prime(k)
and therefore as well
∃m, k : N.m > k ∧ k > n ∧ Prime(m) ∧ Prime(k)
Now by ∃-elimination twice follows
n : N ` ∃m, k : N.m > k ∧ k > n ∧ Prime(m) ∧ Prime(k)
without assuming m, k as above.By ∀-introduction follows
∀n : N.∃m, k : N.m > k ∧ k > n ∧ Prime(m) ∧ Prime(k)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 571b
ExampleThe formal proof in natural deduction is as follows(some of the primeses can be shown easily in naturaldeduction):
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 571c
ExampleFirst step: Under the global assumption
n : N,m : N,m > n ∧ Prime(m), k : N, k > m ∧ Prime(k)
we prove the following
m : N
k : N m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)
∃k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)
∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)
So we have shown
n : N,m : N,m > n ∧ Prime(m), k : N, k > m ∧ Prime(k) `
∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 571d
ExampleSecond step: Under the assumption
n : N,m : N,m > n ∧ Prime(m)
we can conclude
∃k : N.k > m ∧ Prime(k)
and then conclude by ∃-elimination and Step 1
∃k : N.k > m ∧ Prime(k)
k : N, k > m ∧ Prime(k) ` ∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)
∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 571e
ExampleThird step: Again we can conclude
n : N ` ∃m : N.m > n ∧ Prime(m)
and then conclude by ∃-elimination and Step 2
n : N ` ∃m : N.m > n ∧ Prime(m)
n:N,m:N,m>n∧Prime(m) ` ∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)
n : N ` ∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)
∀n : N.∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 571f
Construct. (or Intuit.) LogicFrom type theoretic proofs we can directly extractprograms.
For instance, if p : (∀x : A.∃y : B.C(x, y)), then we havefor x : A it follows b := π0(p x) : B and π1(p x) : C(x, b).Therefore f := λx : A.π0(p x) is a function A→ B,and we have
λ(x : A).π1(p x) : (∀x : A.C(x, f x))
i.e. we have a proof that ∀x : A.C(x, f x) holds.Therefore, from a proof of ∀x : A.∃y : B.C(x, y), wecan extract a function, which computes the y fromthe x.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 572
Constructive Logic (Cont.)We can derive as well a function which depending onp : A + B decides whether p= inl(a) or p = inr(b).
Therefore we can decide, from a proof of a disjunction,which of the disjuncts holds.
Now:Any function in type theory is recursive.We cannot decide the Turing Halting problem, i.e.we cannot decide for a Turing machine whether ithalts or not.Therefore we cannot prove in type theory
∀x : Turing_Machine.(x halts ∨ ¬(x halts))
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 573
Constructive Logic (Cont.)In classical logic we can prove the above, since wecan derive A ∨ ¬A (tertium non datur) for any formulaA.
In type theory, this law cannot hold, unless we don’twant that all programs can be evaluated.
The logic of type theory is intuitionistic(constructive) logic, in which A ∨ ¬A and ¬¬A→ Adon’t hold for all formulae A.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 574
Constructive Logic (Cont.)In classical logic,∃x : A.B is equivalent to ¬∀x : A.¬B,A ∨B is equivalent to ¬(¬A ∧ ¬B).
If we take decidable atomic formulae only and replace∃x : A.B and A ∨B by the above formulae, then allformulae provable in classical logic are derivable.
This requires (¬¬A)→ A, which can be shown for allformulae built from decidable atomic formulae using¬,→, ∧, ∀.The formula A ∨ ¬A translates into ¬(¬A ∧ ¬¬A),which trivially holds, since ¬A and ¬¬A implies ⊥.
In this sense, type theory contains classical logic,but is richer, since it has as well so called strongdisjunction and existential quantification.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 575
Constructive Logic (Cont.)
Proof (using classical logic) of
∃x : A.B↔ (¬∀x : A.¬B) :
We have classically:
¬¬A→ A :
If A is true, then ¬¬A→ A holds.If A is false, then ¬¬A is false, therefore ¬¬A→ Aholds.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 576
Constructive Logic (Cont.)We show intuitionistically(¬∃x : A.B)↔ (∀x : A.¬B) :
Assume ¬∃x : A.B, x : A and show ¬B.If we had B, then we had ∃x : A.B, contradicting¬∃x : A.B. Therefore ¬B.Assume ∀x : A.¬B. Show ¬∃x : A.B:Assume ∃x : A.B. Assume x s.t. B holds.By ∀x : A.¬B we get ¬B, therefore a contradiction.
Now it follows (classically):
(∃x : A.B)↔ (¬¬∃x : A.B)↔ (¬∀x : A.¬B)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 577
Constructive Logic (Cont.)Proof of
A ∨B↔ ¬(¬A ∧ ¬B) :
We show intuitionistically ¬(A ∨B)↔ (¬A ∧ ¬B) :Assume ¬(A ∨B). If A then A ∨B, a contradiction,therefore ¬A.Similarly we get ¬B, therefore ¬A ∧ ¬B.Assume ¬A ∧ ¬B, show ¬(A ∨B).Assume A ∨B. If A then a contradiction with ¬A,similarly with B.
Now it follows (classically):
(A ∨B)↔ ¬¬(A ∨B)↔ ¬(¬A ∧ ¬B)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 578
Constructive Logic (Cont.)Weak disjunction and existential quantification isexpressed by the formulae ¬(¬A ∧ ¬B) and ¬∀x : A.¬B.
When using only weak disjunction, existentialquantification and decidable atomic formulae, weobtain classical logic.
Strong disjunction and existential quantificaton isexpressed by the original type theoretic formulae.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 579
The Logical Connectives in AgdaImplication is represented by→ in Agda.
We can introduce the formula (or set) expressingA→ (A→ B)→ B as follows:
Lemma1 :: Set
= A→ (A→ B)→ B
A proof of Lemma1 is an element lemma1 of it.
So in order to prove Lemma1 we make the followinggoal:
lemma1 :: Lemma1
= ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 580
The Logical Connectives in AgdaLemma1 :: Set = A→ (A→ B)→ B
lemma1 :: Lemma1
= ! !
The type of the goal is A→ (A→ B)→ B.
When the type of goal is an implication, it is usuallyshown
unless one has an assumption which matches thegoal directly
by λ-abstracting from the premises of the implication.
If one uses goal-menu intro, this is done automaticallyand Agda abstracts λ(a : A) and λ(ab : (A→ B)).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 580a
The Logical Connectives in AgdaOne obtains
lemma1 :: Lemma1
= λ(a :: A)→ λ(ab :: A→ B)→ ! !
Lemma1 was A→ (A→ B)→ B,
we have abstracted from A and A→ B,
so the type of the goal is the conclusion of theimplication, namely B.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 580b
The Logical Connectives in Agda
lemma1 :: Lemma1
= λ(a :: A)→ λ(ab :: A→ B)→ ! !
Type of goal is B
At the position of the goal we have context a :: A andab :: A→ B, because we have λ-abstracted thosevariables.
Can be checked by using goal-menu context.
We can take ab :: A→ B and apply it to a :: A in order toobtain ab a :: B, which solves the goal.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 580c
The Logical Connectives in AgdaWe obtain the following proof:
lemma1 :: Lemma1
= λ(a :: A)→ λ(ab :: A→ B)→ ab a
This is exactly the same as introducing a λ-term of typeA→ (A→ B)→ B.
See exampleproofproplogic1.agda
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 580d
Implication in AgdaNote that in the previous example
ab is an element of the function type A→ B.a is an element of A
therefore ab a is an elment of B,therefore the typing is correct.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 580e
Implication in AgdaAs for λ-terms, the following is equivalent to thedefinition of lemma1 above, and therefore an equivalentproof of A→ (A→ B)→ B:
lemma1 (a :: A)
(ab :: A→ B)
:: B
= ab a
See exampleproofproplogic2.agda
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 581
Conjunction in AgdaConjunction is represented as a product.
There are two products in Agda, therefore as well twoways of representing conjunction:
One using the logical framework product:
AND1 (A,B :: Set)
:: Set
= sig
and1 :: A
and2 :: B
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 582
Conjunction in AgdaOr using the product formed using data.We use a more meaningful name for the constructor:
AND2 (A,B :: Set)
:: Set
= data and(a :: A)(b :: B)
See exampleproofproplogic3.agda
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 583
Conjunction in AgdaOne can write as well /\ for one of the versions ofconjunction, and use it infix.We write on slides ∧ for it, and get therefore:
(∧) (A,B :: Set)
:: Set
= data and(a :: A)(b :: B)
AB :: Set
= A ∧B
See exampleproofproplogic4.agda
On the blackboard A→ A ∧A and A ∧B → A will nowbe shown in Agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 584
Example (Conjunction)We prove (A ∧B)→ (B ∧ A) using both versions of theconjunction (see exampleproofproplogic6.agda):
lemma2a (ab :: AND1 A B)
:: AND1 B A
= struct
and1 = ab.and2
and2 = ab.and1
lemma2b (ab :: AND2 A B)
:: AND2 B A
= case ab of
(and a b) → and@_ b a
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 585
Conjunction with more Args.If one has a conjunction with more than oneconjunctions, e.g. A ∧B ∧ C, one can always express itusing the binary ∧:
As (A ∧B) ∧ C or A ∧ (B ∧ C).
But it is often more convenient to use a trinary versionof conjunction in one of the two versions.
Similarly one can introduce conjunctions of 4 or moreconjuncts.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 586
Conjunction with more Args.
AND3a (A,B,C :: Set)
:: Set
= sig
and1 :: A
and2 :: B
and3 :: C
AND3b (A,B,C :: Set)
:: Set
= data and3 (a :: A) (b :: B) (c :: C)
See exampleproofproplogic5.agda
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 587
Disjunction in AgdaOr is represented as disjoint union in type theory.
In Agda we can write \/ for it (on slides we write ∨) anddefine it as follows:
(∨) (A,B :: Set)
:: Set
= data or1(a :: A) | or2(b :: B)
See exampleproofproplogic7.agda.
On the blackboard A→ A ∨B and A ∨ A→ A will nowbe shown in Agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 588
Example (Disjunction)The following derives (A ∨B)→ (B ∨ A):
lemma3 (ab :: A ∨B)
:: B ∨ A
= case ab of
(or1 a) → or2@_ a
(or2 b) → or1@_ b
See exampleproofproplogic9.agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 589
Disjunction with more Args.As for the conjunction, it is useful to introduce specialternary versions of the disjunction (and versions withhigher arities):
OR3 (A,B,C :: Set)
:: Set
= data or1 (a :: A) | or2 (b :: B) | or3 (c :: C)
See exampleproofproplogic8.agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 590
∀ in Agda∀x : A.B is represented by (x : A)→ B in Agda.
As an example,we define a <-operation on Bool using ff < tt
and show ∀x : Bool.¬(x < x).
See exampleproofproplogic10.agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 591
Example (∀, Cont.)ff < tt should be true,
therefore as a formula equivalent to True,this is obtained by defining it as True.
tt < ff should be false,therefore as a formula equivalent to False,this is obtained by defining it as False.
Similarly tt < tt and ff < ff will be defined as False.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 591a
Example (∀, Cont.)First (<) is defined as follows:
(<) (a, b :: Bool)
:: Set
= case a of
(tt) → False
(ff) → case b of
(tt) → True
(ff) → False
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 592
Example (∀, Cont.)We introduce Not A:
Not (A :: Set)
:: Set
= A→ False
The statement that (<) is antireflexive is
∀a : Bool.¬(a < a)
which is represented in Agda as follows:
Lemma4 :: Set
= (a :: Bool)→ Not(a < a)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 593
Example (∀, Cont.)
Lemma4 :: Set
= (a :: Bool)→ Not(a < a)
Since Not (a < a) = (a < a)→ False, we have
Lemma4 = (a :: Bool)→ Not (a < a)
= (a :: Bool)→ (a < a)→ False
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 593a
Example (∀, Cont.)
Lemma4 = (a :: Bool)→ (a < a)→ False
We want to prove Lemma4.A proof of Lemma4 will be an elementlemma4::Lemma4.
So we have to solve the following goal:
lemma4 :: Lemma4
= ! !
The type of the goal is
Lemma4 = (a :: Bool)→ (a < a)→ False
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 593b
Example (∀, Cont.)
lemma4 :: Lemma4
= ! !
Type of goal is Lemma4 = (a :: Bool)→ (a < a)→ False.
An element of (a :: Bool)→ (a < a)→ False can beintroduced by λ-abstracting λ(a :: Bool) andλ(aa :: (a < a)):
lemma4 :: Lemma4
= λ(a :: Bool)→
λ(aa :: a < a)→
! !
The type of goal is now the conclusion of(a :: Bool)→ (a < a)→ False, namely False.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 593c
Example (∀, Cont.)
lemma4 :: Lemma4
= λ(a :: Bool)→
λ(aa :: a < a)→
! !
Type of goal is False.
We need to make use of our assumptions, namelya :: Bool and aa :: a < a.
a < b is defined by case disjinction on a and b.Unless we know that a = tt or a = ff, we don’tknow much about a < a.So it seems to be a good step to make casedistinction on a.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 593d
Example (∀, Cont.)
lemma4 :: Lemma4
= λ(a :: Bool)→
λ(aa :: a < a)→
case a of
(tt) → ! !
(ff) → ! !
The type of both goals is the same as before, namelyFalse, since it wasn’t dependent on a.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 594
Example (∀, Cont.)
lemma4 :: Lemma4
= λ(a :: Bool)→
λ(aa :: a < a)→
case a of
(tt) → ! !
(ff) → ! !
However, we know now more about the assumptionsaa :: a < a.
In case of a = tt, we have a < a = (tt < tt) = False
In case of a = ff, we have a < a = (ff < ff) = False
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 594a
Example (∀, Cont.)
lemma4 :: Lemma4
= λ(a :: Bool)→
λ(aa :: a < a)→
case a of
(tt) → ! !
(ff) → ! !
Since in both goals we have a :: (a < a) = False, we cancan make case distinction on aa, which is the emptycase distinction.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 594b
Example (∀, Cont.)We finish our proof as follows:
lemma4 :: Lemma4
= λ(a :: Bool)→
λ(aa :: a < a)→
case a of
(tt) → case aa of
(ff) → case aa of
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 595
Example (∀, Cont.)In the previous example,
the type of goal was False,and aa : False.
So we could instead of using the empty case distinctiondirectly inserted aa in those goals:
lemma4a :: Lemma4
= λ(a :: Bool)→
λ(aa :: a < a)→
case a of
(tt) → aa
(ff) → aa
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 595a
∃ in Agda∃x : A.B is represented by one of the two dependentproducts in Agda.
Using meaningful names, we can define ∃x : A.B asfollows:
Version1 :: Set
= sig
a :: A
b :: B[x := a]
Version2 :: Set
= data exists (a :: A)(b :: B[x := a])
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 596
∃ in AgdaAbove B[x := a] is the result of substituting in B for x thevariable a.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 597
Example (∃)As an example,
we define negation ¬ on Bool,define an equality (==) on Bool,and show ∀a : Bool.∃b : Bool.a == ¬ b.
See exampleproofproplogic11.agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 598
Example (∃)First (==) is defined as follows:
(==) (a, b :: Bool)
:: Set
= case a of
(tt) → case b of
(tt) → True
(ff) → False
(ff) → case b of
(tt) → False
(ff) → True
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 599
Example (∃, Cont.)¬ is defined as follows:
neg (a :: Bool)
:: Bool
= case a of
(tt) → ff
(ff) → tt
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 600
Example (∃, Cont.)In order to introduce the statement, we introduce firstthe formula ∃b : Bool.a == ¬ b depending on a : Bool:
Lemma5aux (a :: Bool)
:: Set
= sig
b :: Bool
ab :: a == neg b
The statement ∀a : Bool.∃b : Bool.a == ¬b is now asfollows:
Lemma5 :: Set
= (a :: Bool)→ Lemma5aux a
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 601
Example (∃, Cont.)A proof of Lemma5 is an element
lemma5 :: Lemma5
and we get the goal
lemma5 :: Lemma5
= ! !
The type of goal is
Lemma5 = (a :: Bool)→ Lemma5aux a
Any goal of funtion type is usually best solved by usingλ-abstracting.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 601a
Example (∃, Cont.)
Lemma5 :: Set
= (a :: Bool)→ Lemma5aux a
We get
lemma5 :: Lemma5
= λ(a :: Bool)
→ ! !
The type of the goal is
Lemma5aux a = sig
b :: Bool
ab :: a == neg b
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 601b
Example (∃, Cont.)
lemma5 :: Lemma5
= λ(a :: Bool)
→ ! !
Type of goal is
sig
b :: Bool
ab :: a == neg b
We cannot show this goal universally for all a directly.We have to provide a different b depending onwhether a = tt or a = ff.So we need to make case distinction on a.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 601c
Example (∃, Cont.)We get
lemma5 :: Lemma5
= λ(a :: Bool)
→ case a of
(tt) → ! !
(ff) → ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 601d
Example (∃, Cont.)
lemma5 :: Lemma5
= λ(a :: Bool)→ case a of (tt) → ! !
(ff) → ! !
In case of a = tt, the type of goal is
Lemma5aux tt = sigb :: Bool;
ab :: tt == neg b
So we can use goal menu intro and obtain:
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 601e
Example (∃, Cont.)
lemma5 :: Lemma5
= λ(a :: Bool)→ case a of
(tt) → struct
b = ! !
ab = ! !
(ff) → ! !
The first goal can be solved by setting b := ff.
Then the type of the second goal is(tt == neg b) = (tt == neg ff)
= (tt == tt)
= True
which can be solved by setting ab := true.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 602
Example (∃, Cont.)So we get:lemma5 :: Lemma5
= λ(a :: Bool)→ case a of
(tt) → struct
b = ff
ab = true
(ff) → ! !
In case a = ff, we use again intro and obtain:
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 602a
Example (∃, Cont.)
lemma5 :: Lemma5
= λ(a :: Bool)→ case a of
(tt) → struct
b = ff
ab = true
(ff) → struct
b = ! !
ab = ! !
The case a = ff can be solved in a similar way bysetting b = tt, ab = true.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 603
Example (∃, Cont.)The resulting proof is as follows:lemma5 :: Lemma5
= λ(a :: Bool)→ case a of
(tt) → struct
b = ff
ab = true
(ff) → struct
b = tt
ab = true
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 604
Complex ExampleWe assume A,B : Set and equality relations on A,B:
postulate A :: Set
postulate EqA :: A→ A→ Set
postulate B :: Set
postulate EqB :: B→ B→ Set
We will introducethe disjoint union AB of A and B
an equality EqAB on AB
and show that if EqA and EqB are symmetric, so isEqAB.
See exampleDisjointUnionEqual.agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 605
Equality SetsEqA (and EqB) could be decidable equalities,
i.e. EqA = λ(a, b :: A)→ atom (eqboolA a b),where eqboolA :: A→ A→ Bool,
Or an undecidable equality.E.g. the equality on N→ N is in standard logic
f = g :⇔ ∀n : N.f(n) = g(n)
which reads in Agda as follows:
EqN_N (f, g :: N→ N)
:: Set
= (n :: N)→ f n == g n
where == is the equality on N.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 605a
Undecidable EqualitiesThe last equality is undecidable, since in order to checkwhether EqN_N f g holds we have to check for all n : Nwhether f n = g n holds
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 605b
Complex Example (Cont.)The formation of A + B is straightforward:
(+) (A,B :: Set)
:: Set
= data inl(a :: A) | inr(b :: B)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 606
Complex Example (Cont.)We define the equality EqAB on A + B as follows:
Assume ab, ab′ : A + B.If one is of the form inl a and the other of the forminr b, then EqAB ab ab′ should be false, so we define
EqAB (inl a) (inr b) = EqAB (inr a) (inl a) = False .
If they are of the form inl a and inl a′, respectively,then EqAB ab ab′ should be true if EqA a a′ holds.
This can be achieved by defining
EqAB (inl a) (inla′) = EqA a a′ .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 607
Complex Example (Cont.)If they are of the form inr b and inr b′, respectively,then EqAB ab ab′ should be true if EqB b b′ holds.
This can be achieved by defining in this case
EqAB (inr b) (inr b′) = EqB b b′ .
The above equations will be definitional equalities, i.e.for instance EqAB (inl a) (inl a′) will rewrite to EqA a a′.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 608
Complex Example (Cont.)The definition of EqAB is as follows:
EqAB :: (A + B)→ (A + B)→ Set
= λ(ab, ab′ :: A + B)→
case ab of
(inl a) → case ab′ of
(inl a′) → EqA a a′
(inr b′) → False
(inr b) → case ab′ of
(inl a′) → False
(inr b′) → EqB b b′
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 609
Complex Example (Cont.)The following code is equivalent to the previous code:
EqAB (ab, ab′ :: A + B)
:: Set
= case ab of
(inl a) → case ab′ of
(inl a′) → EqA a a′
(inr b′) → False
(inr b) → case ab′ of
(inl a′) → False
(inr b′) → EqB b b′
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 610
Complex Example (Cont.)We introduce the formulae expressing that EqA, EqB,EqAB are symmetric:
Symmetry of EqA is the formula
∀a, a′ : A.EqA a a′ → EqA a′ a
which translates as follows:
SymA :: Set
= (a, a′ :: A)→ EqA a a′ → EqA a′ a
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 611
Complex Example (Cont.)The others are similar:
SymB :: Set
= (b, b′ :: B)→ EqB b b′ → EqB b′ b
SymAB :: Set
= (ab, ab′ :: A + B)→ EqAB ab ab′ → EqAB ab′ ab
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 612
Formulae vs. ProofsNote that SymA is the statement expressing that EqA issymmetric.
It is not a proof that EqA is symmetric.We can define SymA independently of whether EqAis symmetric or not.A proof that EqA is symmetric is an element ofSymA, i.e a term symA s.t.
symA :: SymA
Note that we don’t have to show that SymA holds.We have to show that if SymA and SymB hold, thenSymAB holds.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 613
Complex ExampleWhat we want to show is that SymA and SymB impliesSymAB.
So we need to solve
symAB :: SymA→ SymB→ SymAB
= ! !
As pointed out before, it is equivalent and moreconvenient to define symAB as follows:
symAB (symA :: SymA)
(symB :: SymB)
:: SymAB
= ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 614
Complex Example
symAB (symA :: SymA)
(symB :: SymB)
:: SymAB
= ! !
The type of the goal is SymAB which is(ab, ab′ :: A + B)→ EqAB ab ab′ → EqAB ab′ ab.
An element of this type can be introduced by a λ-term,and using agda-goal-menu “intro” results in the code onthe next slide.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 615
Complex Example
symAB (symA :: SymA)
(symB :: SymB)
:: SymAB
= λ(ab, ab′ :: A + B)→
λ(abab′ :: EqAB ab ab′)→
! !
The type of the goal is now EqAB ab′ ab.
We make case distinction on ab and ab′ and obtain thefollowing:
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 616
Complex Example
symAB (symA :: SymA)
(symB :: SymB)
:: SymAB
= λ(ab, ab′ :: A + B)→
λ(abab′ :: EqAB ab ab′)→
case ab of
(inl a) → case ab′ of
(inl a′) → ! !
(inr b′) → ! !
(inr b) → case ab′ of
(inl a′) → ! !
(inr b′) → ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 617
Complex Example (Cont.)In case ab = inl a and ab′ = inl a′ we
have to show
EqAB ab′ ab , which is equal to EqA a′ a
and have as assumption
abab′ :: EqAB ab ab′ , which is equal to EqA a a′ .
So we have to derive from abab′ : EqA a a′ anelement of EqA a′ a.We have
symA : (a, a′ :: A)→ EqA a a′ → EqA a′ a .
Therefore we can apply symA to a, a′ and abab′.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 618
Complex Example (Cont.)(Case ab = inl a, ab′ = inl a′)
We obtain
symA a a′ abab′ : EqA a′ a
Since EqA a′ a = EqAB ab′ ab we get as well
symA a a′ abab′ : EqAB ab′ ab
and can use this to solve our first goal.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 619
Complex Example
symAB (symA :: SymA)
(symB :: SymB)
:: SymAB
= λ(ab, ab′ :: A + B)→
λ(abab′ :: EqAB ab ab′)→
case ab of
(inl a) → case ab′ of
(inl a′) → symA a a′ abab′
(inr b′) → ! !
(inr b) → case ab′ of
(inl a′) → ! !
(inr b′) → ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 620
Complex Example (Cont.)In case ab = inr b and ab′ = inr b′ we can similarly use
symB b b′ abab′
in order to solve our goal.
In case ab = inl a, and ab′ = inr b
we have EqAB ab ab′ = False,therefore
abab′ : False ,
therefore empty case distinction on abab′ solves thegoal.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 621
Complex Example (Cont.)Similarly, in case ab = inl a, and ab′ = inr b we have that
abab′ : False
and again empty case distinction on abab′ solves thegoal.
The complete solution is on the next slide.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 622
Complex Example
symAB (symA :: SymA)
(symB :: SymB)
:: SymAB
= λ(ab, ab′ :: A + B)→
λ(abab′ :: EqAB ab ab′)→
case ab of
(inl a) → case ab′ of
(inl a′) → symA a a′ abab′
(inr b′) → case abab′ of
(inr b) → case ab′ of
(inl a′) → case abab′ of
(inr b′) → symB b b′ abab′
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 623
Complex ExamleWhen we made the empty case distinctions, our goalwas of type False.
Since in those cases abab′ : False, we could have solvedthe goal as well by directly inserting abab′ in thosecases.
On the next slide is this alternative solution.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 624
Alternative SolutionsymAB′ (symA :: SymA)
(symB :: SymB)
:: SymAB
= λ(ab, ab′ :: A + B)→
λ(abab′ :: EqAB ab ab′)→
case ab of
(inl a) → case ab′ of
(inl a′) → symA a a′ abab′
(inr b′) → abab′
(inr b) → case ab′ of
(inl a′) → abab′
(inr b′) → symB b b′ abab′
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 625
Remark on Case DistinctionCase distinction over complex expressions causesproblems in Agda.
Example(exampleCaseDistinctionComplexExpression.agda):
Assume we have defined ProdBool as the product oftwo Boolean values:
ProdBool :: Set
= sig
first :: Bool
snd :: Bool
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 626
Remark on Case DistinctionAssume we want to define a function as follows:
f (pair :: ProdBool)
(p :: atom(and pair.first pair.snd))
:: atom pair.first
= case pair.first of
(tt) → ! !
(ff) → ! !
Although in the case distinctionwe know that pair.first = tt,therefore the type of the goal should beatom pair.first = True,Agda won’t accept to insert true there.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 627
Remark on Case DistinctionThe reason is that Agda will use in its reductionmechanism
only reductions from variables to other expressions,but no reductions of complex expressions toother expressions.
It would be very expensive to check reductions forcomplex expressions:
This would mean to check whether anysubexpression of an expression matches the leftside of any of those reductions.Checking whether a variable which reduces occursin a expression is instead a cheap operation.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 628
WorkaroundOne can work around this problem by defining anauxiliary function, which depends on a variablerepresenting the complex expression.
Then make case distinction on this single variable.
In the example above define:
h (a, b :: Bool)
(p :: atom(and a b))
:: atom a
= case a of
(tt) → true
(ff) → case p of
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 629
WorkaroundNow one can define the function in question in terms ofthe auxiliary function:
f (pair :: ProdBool)
(p :: atom(and pair.first pair.snd))
:: atom pair.first
= h pair.first pair.second
In the example h had only as arguments thesubexpressions of the complex expression in question.
In general it might depend on other variables whichform the context of the complex expression inquestion.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 630
(x::A)→ B vs. λ(x::A)→ sThere seems to be a confusion about the twoexpressions
(x :: A)→ B vs. λ(x :: A)→ s
(x :: A)→ B is the dependent function set.It is a set (or a type or a kind or a higher kind).Because it is a set, it makes sense to talk aboutr :: ((x :: A)→ B).
r :: C makes only sense if C is a set or a type or akind or a higher kind.
λ(x :: A)→ s is a function, which applied to x :: Areturns s.
a :: (λ(x :: A)→ s) never makes sense, sinceλ(x :: A)→ s is not a set or type or (higher) kind.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 631
(x::A)→ B vs. λ(x::A)→ sEspecially, λ(x :: A)→ Set is a function which returns forx :: A the type Set.
Note thatA (b :: B)
:: Set
= d
is an abbreviation for
A :: (b :: B)→ Set
= λ(b :: B)→ d
So A defined as such is a function, not a set.It does not make sense to talk about c :: A.
Would be the same as c :: (λ(b :: B)→ d).Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 632
(x::A)→ B vs. λ(x::A)→ s
A (b :: B)
:: Set
= d
It does make sense to talk about
c :: (b :: B)→ A b
Since (b :: B)→ A b is a set.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 633
(g) The Set of Natural NumbersThe set N is the type theoretic representation of the setN := 0, 1, 2, , . . . , .
N can be generated bystarting with the empty set,adding 0 to it, andadding, whenever we have x in it x + 1 to it.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 634
The Set of Natural Numbers (Cont.)Let S be a type theoretic notation for the operationx 7→ x + 1.
Then the type theoretic rules are
N : Set
0 : N
n : NS n : N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 635
Primitive RecursionPrimitive Recursion expresses:Assume we have
a : N.and, if n : N, x : N then g n x : N.
Then we can define f : N→ N, s.t.f 0 = a,f (S n) = g n (f n).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 636
Primitive Recursion (Cont.)The computation of f n proceeds now as follows:
Compute n.If n = 0, then the result is a.Otherwise n = S n′.
We assume that we have determined already howto compute f n′.Now f n reduces to g n′ (f n′).g n′ (f n′) can be computed, since we know how tocompute· g· f n′.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 637
ExampleThe function f : N→ N with f n = 2 · n can be definedprimitive recursively by:
f 0 = 0.f (S n) = S (S (f n)).
Therefore take in the definition above:a = 0,g n x = S (S x).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 638
Generalized Primitive RecursionWe can generalize primitive recursion as follows:
First we can replace the range of f by an arbitraryset C
i.e. we allow for any set C
f : N→ C
Further, C can now depend on N.
We obtain the following set of rules:
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 639
Rules for the Natural NumbersFormation Rule
N : Set
Introduction Rules0 : N
n : NS n : N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 640
Rules for the Natural NumbersElimination Rule
C : N→ Seta : C 0
f : (x : N)→ C x→ C (S x)n : N
P C a f n : C n
Equality RulesP C a f 0 = a
P C a f (S n) = f n (P C a f n)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 641
Rules for the Natural NumbersNote that if we define in the elimination rule g := P C fthen
The conclusion of the elimination rule reads:
g n : C n
which means that
λ(n : N).g n : (n : N)→ C n .
The equality rules read:
g 0 = a
g (S n) = f n (g n)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 642
Logical Framework Rules for NThe more compact notation is:
N : Set,0 : N,S : N→ N,
P : (C : N→ Set)
→ C 0
→ ((x : N)→ C x→ C (S x))
→ (n : N)
→ C n .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 643
Natural Numbers in AgdaN is defined using data:
data N = Z | S(n :: N)
(Unfortunately, 0 is not an acceptable name in Agda).
Therefore we have
Z :: N
S :: N→ N
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 644
Elimination Rules for N in AgdaElimination is represented in Agda as before via casedistinction.
Assume we want to define
f (n :: N)
:: A
= ! !
A possibly depending on n,
Then we can type into the goal n and use the menuagda-case.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 645
Elimination Rules for N in AgdaWe get
f (n :: N)
:: A
= case n of
(Z) → ! !
(S n′) → ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 646
Elimination Rules for N in AgdaFor solving the goals, we can now make use of f.That will be accepted by the type checker.
However, if we use of full f , and then use menu item“check-termination” , we might obtain anerror-message.
If wedo not make use of f in the case n=Z andonly use of f n′ in case n = S n′.
then check-termination succeeds.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 647
Elimination Rules for N in AgdaIf check-termination succeeds, the definition shouldbe correct.
(The lecturer hasn’t checked the algorithm).
However, if check-termination fails, the definitionmight still be correct.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 648
Power of Termination CheckThe following definition of the Fibonacci numbers can’tbe defined this way directly using the rules of typetheory, but it can be defined in Agda as follows andcheck-termination accepts it:(one := S Z):
fib (n :: N)
:: N
= case n of
(Z) → one
(S n′) → case n′ of
(Z) → one
(S n′′) → fib n′ + fib n′′
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 649
Limitations of Termination CheckerAssume we define the predecessor function
pred (n :: N)
:: N
= case n of
(Z) → Z
(S n′) → n′
i.e
pred(n) =
0 if n = 0
n− 1 otherwise.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 650
Limitations of Termination CheckerThen the function
f (n :: N)
:: N
= case n of
(Z) → Z
(S n′) → f (pred n)
terminates always(it returns for all n : N the value Z).
However, check-termination fails.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 651
Limitations of Termination CheckerBecause of the undecidability of the Turing haltingproblem
it is undecidable whether a recursively definedfunction terminates or not
there is no extension of check-termination, whichaccepts exactly all in Agda definable functions,which terminate for all inputs.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 652
Limitations of Termination CheckerUnfortunately, Agda does currently not deal withsimultaneous recursion
i.e. the situation, where we decrease in one casew.r.t. one variable, in another case w.r.t. anothervariable.
In order to deal with this situation, one has to rearrangeproofs.
On next slide there is an example of a proof whichresults in non-termination, although each recursive calldescends.
Refers to a definition of (<) :: (n,m :: N)→ Set whichwill be introduced below.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 653
Example
mono (n, k,m :: N)(p :: n < k) :: (n + m) < (k + m)
= case n of
(Z) → case k of
(Z) → case p of
(S k′) → case m of
(Z) → true
(S m′) → mono n k m′ p
(S n′) → case k of
(Z) → case p of
(S k′) → case m of
(Z) → mono n′ k′ m p
(S m′) → mono n k m′ p
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 654
Version accepted by AgdaThe following version will be accepted by thetermination checker:
(this version corresponds exactly to induction on m)
mono (n, k,m :: N)
(p :: n < k)
:: n + m < k + m
= case m of
(Z) → p
(S m′) → mono n k m′ p
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 655
Amendment of Non-Termin. VersionIf one cannot reduce a non-terminating version directlyin one with only one descend, one can use auxiliarylemmata instead.
For instance in the previous non-terminating version, ifone doesn’t observe the previous much better solution,one can
replace the first reference to mono by a reference toa lemma.
(this change is not really necessary, since only thesecond reference is responsible for rejection bythe termination checker)
and observe that the second reference can bereplaced by p.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 656
Amendment of Non-Termin. Version
lemma (m, k :: N)
:: Z + m < S k + m
= case m of
(Z) → true
(S m′) → lemma m′ k
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 657
mono (n, k,m :: N)(p :: n < k) :: (n + m) < (k + m)
= case n of
(Z) → case k of
(Z) → case p of
(S k′) → case m of
(Z) → true
(S m′) → lemma m′ k′
(S n′) → case k of
(Z) → case p of
(S k′) → case m of
(Z) → p
(S m′) → mono n k m′ p
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 658
Example: AdditionDefinition of + in Agda:
(+) (n,m :: N)
:: N
= case m of
(Z) → n
(S m′) → S (n + m′)
The definition expresses:
n + 0 = n
n + (m′ + 1) = (n + m′) + 1
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 659
Example: AdditionNote that (+) is used infix, i.e. we write n + m for(+) n m.
If m = Sm′, the definition of (+) n m refers to (+) n m′,(+) n m′ is defined before (+) n m sincem′ is introduced before m.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 660
Example: MultiplicationDefinition
(∗) (n,m :: N)
:: N
= case m of
(Z) → Z
(S m′) → n ∗m′ + n
The definition expresses:
n · 0 = 0
n · (m′ + 1) = (n ·m′) + n
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 661
Example: Multiplication (Cont.)Again ∗ is treated infix.
Agda has built in that ∗ binds more than +.n ∗m′ + n is treated as (n ∗m′) + n.
Note that the definition of ∗ requires, that+ is already defined.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 662
Equality on NThe equality (n == m) ::Set for n,m :: N can be definedusing the equations:
(Z == Z) = True.(Z == S n) = (S n == Z) = False.(S n == S m) = (n == m).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 663
Equality on N (Cont.)From this one can now derive a definition in Agda:
(==) (n,m :: N)
:: Set
= case n of
(Z) → case m of
(Z) → True
(S m′) → False
(S n′) → case m of
(Z) → False
(S m′) → (n′ == m′)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 664
Reflexivity of ==Reflexivity of == is the formula:
∀n : N.n == n
Type theoretically this means that we have to define afunction refl:
refl (n : N)
:: n == n
= ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 665
Reflexivity of == (Cont.)This can now be shown using case distinction:
refl (n : N)
:: n == n
= case n of
(Z) → ! !
(S n′) → ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 666
Reflexivity of == (Cont.)Case n = Z is trivial.
Case n = S n′ can be solved using refl n′ (which isdefined before refl n′).
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 667
Symmetry of ==Symmetry of == is the formula:
∀n,m : N.n == m→ m == n
Type theoretically this means that we have to define afunction sym:
sym (n,m : N)
(p :: n == m)
:: m == n
= ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 668
Symmetry of == (Cont.)This can now be shown using case distinction:
sym (n,m : N)
(p :: n == m)
:: m == n
= case n of
(Z) → case m of
(Z) → ! !
(S m′) → ! !
(S n′) → case m of
(Z) → ! !
(S m′) → ! !
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 669
Symmetry of == (Cont.)The first goal can be solved by using true (since(Z == Z) = True).
For the second goal we know p is an element ofZ == S m′ which is False.
Therefore if we make case distinction on p we get
case p of
and have solved the second goal.
Similarly the third goal can be solved.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 670
Symmetry of == (Cont.)In the fourth goal, we have as type of goal S m′ == S n′
which is identical to m′ == n′.The type of p is S n′ == S m′ which is identical ton′ == m′.
The goal can be solved by using sym n′ m′ p.Note that we can use here p since it is oftype n′ == m′.
It is correct to use it sincen′ is introduced before n.· Therefore
sym n′ can be defined before sym n.This definition will beaccepted by check-termination.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 671
Example: < on NThe following introduces < on N:
(<) (n,m :: N)
:: Set
= case m of
(Z) → False
(S m′) → case n of
(Z) → True
(S n′) → n′ < m′
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 672
Example: Tuples of Length nWe define tuples (or vectors) of length n in Agda.
Define first
data Nil = nil
Cons (A,B :: Set)
:: Set
= data cons(a :: A)(b :: B)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 673
Tuples of Length nNow we can define
Tuple (A :: Set)
(n :: N)
:: Set
= case n of
(Z) → Nil
(S m′) → Cons A (Tuple A m′)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 674
Tuples of Length nTherefore (with the obvious definition of two),
Tuple A n = Cons A (Cons A · · · (Cons A︸ ︷︷ ︸n times
Nil) · · · )) .
The elements of Tuple A n are
cons a1 (cons a2 · · · (cons an nil) · · · )
for elements a1, . . . , an of A.
In ordinary mathematical notation, we would write〈a1, . . . , an〉 for such an element.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 675
Remarks on Tuples of Length nIn ordinary mathematics, we would define
Tuple(A, 0) := 〈〉 ,
Tuple(A, n + 1) := 〈a1, . . . , an+1〉 | a1, . . . , an+1 ∈ A .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 676
Remarks on Tuples of Length nIf we define
nil := 〈〉 ,
cons(a1, 〈a2, . . . , an+1〉) := 〈a1, . . . , an+1〉 ,
then this reads:
Tuple(A, 0) := nil ,
Tuple(A, n + 1) := cons(a, b) | a ∈ A ∧ b ∈ Tuple(A, n) .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 677
Remarks on Tuples of Length nIn the type theoretic definition we have constructors
nil :: Tuple A Z
cons@(Tuple A (S n)) :: A→ Tuple A n→Tuple A (S n).
This is the type theoretic analogue of the previousdefinitions.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 678
Example: Sum of n-TuplesDefine
NTuple (n :: N)
:: Set
= Tuple N n
NTuple n are tuples of natural numbers of length n.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 679
Componentwise Sum of n-TuplesWe define component-wise sum of tuples of lengthn.
Using mathematical notation, this sum for instanceas follows:
〈2, 3, 4〉 + 〈5, 6, 7〉 = 〈7, 9, 11〉 .
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 680
Componentwise Sum of n-Tuples
sumNTuple (n :: N)
(avec, bvec :: NTuple n)
:: NTuple n
= case n of
(Z) → nil
(S n′) →
case avec of
(cons a avec′) →
case bvec of
(cons b bvec′) →
cons@_ (a + b)
(sumNTuple n′ avec′ bvec′)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(g) 681
(h) ListsWe define the set of lists of elements of type A in Agda.
We have two constructors:nil, generating the empty list.cons, adding an element of A in front of a list
So we define lists as:
list (A :: Set)
:: Set
= data nil
| cons(a :: A) (l :: list A)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(h) 682
Elimination Rule for ListsElimination rule uses list-recursion:Assume
A : Set
C :: Set, depending on l :: list A.Then we can define
f (l :: list A)
:: C
= case l of
(nil) → ! !
(cons a l′) → ! !
and in the second goal we can make use of f l′.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(h) 683
Example: Length of a List
length (l :: list N)
:: N
= case l of
(nil) → Z
(cons a l′) → S (length l′)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(h) 684
Example: sumlistsumlist l will compute the sum of the elements of list l.
sumlist (l :: list N)
:: N
= case l of
(nil) → Z
(cons n l′) → n + sumlist l′
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(h) 685
Interesting ExerciseDefine
append : (A : Set)→ (list A)→ (list A)→ list A ,
s.t. append A l l′ is the result of appending the list l′ atthe end of list l.
E.g., if a, b, c, d are elements of A,and if we define cons := cons@(list A), nil := nil@(list A),then:
append A (cons a (cons b nil)) (cons c (cons d nil))
= cons a (cons b (cons c (cons d nil)))
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(h) 686
(i) UniversesA universe U is a set, the elements of which are codesfor sets.
So we haveU : Set,T : U→ Set (the decoding function).
We consider in the following a universe closed underFin0, Fin1, Bool,N,+,Σ,the dependent function type.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 687
Rules for the UniverseFormation Rule
U : Set
a : UT a : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 688
Rules for the UniverseIntroduction and Equality Rules
Fin0 : U T(Fin0) = Fin0 : Set
Fin1 : U T(Fin1) = Fin1 : Set
Bool : U T(Bool) = Bool : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 689
Rules for the UniverseIntroduction and Equality Rules (Cont.)
a : U b : Ua + b : U
T(a + b) = T(a) + T(b) : Set
a : U b : T(a)→ U
Σ(a, b) : U
T(Σ(a, b)) = Σ T(a) (λx.T (b x)) : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 690
Rules for the UniverseIntroduction and Equality Rules (Cont.)
a : U b : T(a)→ U
Π(a, b) : U
T(Π(a, b)) = (x : T(a))→ T (b x) : Set
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 691
Elimination and Equality RulesThere exist as well elimination rules and correspondingequality rules for the universe.
They are very long (one step for each of constructor ofU) and are not very much used.
They follow the principles present in previous rules.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 692
Applications of the UniverseOrdinary elimination rules don’t allow to eliminate intoSet.
However often, one can verify, that all sets needed are“elements of a universe”,
i.e. there are codes in the universe representingthem.
Then one can eliminate into the universe instead of Setand use T to obtain the required function.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 693
Applications of the UniverseExample: Define
atom : Bool→ U ,
atom := CaseBool (λ(x : Bool).U) Fin1 Fin0 ,
atom : Bool→ Set ,
atom : λ(x : Bool).T (atom x) ,
Thenatom tt = Fin1,atom ff = Fin0.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 694
Universes in AgdaU and T need to be defined simultaneously.
Usually Agda type checks definitions in sequence,so no reference to later definitions possible.Special construct mutual.
Everything in the scope of it is type checkedsimultaneously.Scope determined by indentation.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 695
Universes in Agda (Cont.)
mutual
U :: Set
= data Nhat
| Finzerohat
| Finonehat
| Boolhat
| Sigmahat (a :: U)(b :: T a→ U)
| Pihat (a :: U)(b :: T a→ U)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 696
Universes in Agda (Cont.)T in the following is to be intended the same as U:
T (u :: U)
:: Set
= case u of
(Nhat) → N
(Finzerohat) → Finzero
(Finonehat) → Finone
(Boolhat) → Bool
(Sigmahat a b) → Sigma (T a)
(λ(x :: T a)→ T (b x))
(Pihat a b) → (x :: T a)→ T (b x)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 697
(j) Algebraic TypesThe construct “data” in Agda is much more powerfulthan what is covered by type theoretic rules.
In general we can define now sets having arbitrarilymany constructors with arbitrarily many arguments ofarbitrary types.
A :: Set
= data C1(a11 :: A11)· · ·(a1n1 :: A1n1)
| C2(a21 :: A21)· · ·(a2n2 :: A2n2)
· · ·
| Cm(am1 :: Am1)· · ·(amnm:: Amnm)
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 698
Meaning of “data”The idea is that A as before is the least set A s.t. wehave constructors:
Ci@A :: (ai1 :: Ai1)-> · · ·-> (aini :: Aini)-> A
where a constructor always constructs new elements.
In other words the elements of A are exactly thoseconstructed by those constructors.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 699
Strictly Positive Algebraic TypesIn the types Aij we can make use of A.
However, it is difficult to understand A, if we havenegative occurrences of A.Example:A :: Set
= data C (f :: A -> A)What is the least set A having a constructorC@A :: (f :: A -> A)
-> A ?
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 700
Strictly Positive Algebraic TypesIf we
have constructed some part of A already,find a function f:: A -> A, andadd C@ f to A,
then f might no longer be a function A -> A.(f applied to the new element C@ f might not bedefined).In fact, “agda-check-termination” issues a warning, ifwe define A as above.We shouldn’t make use of such definitions.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 701
Strictly Positive Algebraic TypesA “good” definition is the set of lists of natural numbers,defined as follows:
Nlist :: Set= data nil
| cons (a:: N)(l :: Nlist)
The constructor cons@ of N-lists refers to Nlist, butin a positive way:We have: if a :: N and l :: Nlist, then we havecons@ a l :: Nlist.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 702
Strictly Positive Algebraic TypesIf we add cons@ a l to Nlist, the reason foradding it (namely l:: Nlist) is not destroyed bythis addition.So we can “construct” the set Nlist by
starting with the emptyset,adding nil@ andclosing it under cons@ whenever possible.
Because we can “construct” Nlist, the above is anacceptable definition.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 703
Strictly Positive Algebraic TypesIn general:A :: Set= data C1 (a11:: A11) · · · (a1n1:: A1n1)
| C2 (a21:: A21) · · · (a2n2:: A2n2)· · ·| Cm (am1:: Am1) · · · (amnm:: Amnm)
is a strictly positive algebraic type, if all Aij are
either types which don’t make use of Aor are A itself.
And if A is a strictly positive algebraic type, then A isacceptable.
The definitions of finite sets, Σ A B, A + B and N werestrictly positive algebraic types.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 704
One further ExampleThe set of binary trees can be defined as follows:Bintree :: Set
= data leaf| branch (left :: Bintree)
(right :: Bintree)
This is a strictly positive algebraic type.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 705
Extensions of Strict.Pos. Alg. TypesAn often used extension is to define several setssimultaneously inductively.
Example: the even and odd numbers:mutualEven :: Set
= data Z | S (n:: Odd)
Odd :: Set= data S (n::Even)
In such examples the constructors refer strictly positiveto all sets which are to be defined simultaneously.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 706
Extensions of Strict.Pos. Alg. TypesWe can even allow Aij = B1− > A or evenAij = B1− > · · · − > Bl− > A, where A is one of thetypes introduced simultaneously.
Example (called “Kleene’s O”:
O:: Set= data leaf
| succ (o::O)| lim (f :: N -> O)
The last definition is unproblematic, since, if we have f:: N -> O and construct lim@ f out of it, addingthis new element to O doesn’t destroy the reason foradding it to O.
So again O can be “constructed”.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 707
Elimination Rules for dataFunctions from strictly positive algebraic types can nowbe defined by case distinction as before.
For termination we need only that in the definition of f ,when have to define f (C@ a1 · · · an), we can referonly to f applied to elements used in C@ a1 · · · an.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 708
ExamplesFor instance
in the Bintree example, when defining
f :: Bintree− > A
by case-distinction, then the definition of
f (branch@_ left right)
can make use of f left and f right.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 709
ExamplesIn the example of O, when defining
g :: O− > A
by case-distinction, then the definition of
g (lim@_ f)
can make use of g (f n) for all n:: N.
Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 710
Revision Lecture1.2.3.
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 711
GeneralAccording to my data, exam Wednesday 19 May, 2 pm,Arts Hall.
Please check.
Essentially everything needed should be containedin the notes.
I will come to the exam in the first half hour (approx.; ifyou have questions ask then).
All three courseworks are preparation for the exam.
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 712
Structure of the Exam3 Questions.
Question 1, 2, 3 will be related to coursework 1, 2, 3,respectively.
Question 1 will be mainly on the λ-calculus, termrewriting and reduction systems (mainly Sect. 1 (d)).
Question 2 will be mainly on the dependent functionset and the dependent product in Agda (Sect. 2).
Question 3 will be on Sect. 3, and of the material thereon
data typesfinite sets, Bool, and atom,product and disjoint union
and simple definitions and proofs in Agda.
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 713
Structure of the ExamAgda questions will be in such a way that they caneasily be solved by hand.
Derivations only forthe λ-calculus as in Cwk 1,the dependent λ-calculus as in Cwk2, Qu. 6.
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 714
1 Introduction4 Principal approaches for writing verified software.
Concept of a type.Advantages of typed, of untyped languages.Why are types good for writing correct software?
Examples of types in other languagesScalar types (e.g. Booleans, Integers).Simple compound types (records, arrays).Function types, algebraic types (“data”)Interfaces.
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 715
Introduction (Cont.)4 kinds of judgements in dependent type theory:
A : Set, A = B : Set, a : A, a = b : A.Only A : Set, a : A are visible in Agda.
Examples of dependent types in programming.Templates (e.g. in C++) ie. parametric types.Matrix multiplication.Predicates.Dependent grammars in linguistics.
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 716
λ-CalculusThe untyped λ-Calculus:
Bound and free variables,α-, β-conversion.
The typed λ-calculus:Types,rules,product types,η-rule.
But nothing to be “learned by heart” about the (un)typedλ-calculus – only how to use it as in the Cwk.
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 717
Reduction SystemsNotions
Reduction system,strongly normalising, weakly normalising,normal form, irreducible,confluence.
Too complicated for the exam:definition of term rewriting system and how to obtainthe reduction system,definition of −→∗,←→∗.(But intuitive understanding of these notions isrequired).
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 718
Cwk 1Typical questions as in Qu 1, 3, 4, 5 and Qu 6 (a), 6 (b),and part (i) of 6 (c) - 6 (e).
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 719
2 The Logical Framework.4 kinds of rules (formation, introduction, elimination,equality).
Constructors and canonical elements.
Dependent function type, dependent product.Rules only up to the level of Cwk2, Qu. 6.Mainly how to use them in Agda (Cwk 2, Qu 1 - 3).Notion of Set vs. Type (how to use Set, Type).
Let expressions.
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 720
3. Data TypesBasic data types (Booleans, finite sets, disjoint union)
Only how to introduce and use them in Agda.
Two versions of the nondependent/dependentproduct in Agda
using “sig”,using “data”.
Atomic formulae (atom).
How to represent other formulae in type theory.
How to carry out simple proofs in type theory.
Questions like in Cwk 3, all questions (only simpleones feasible in the exam).
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 721
Proofs in AgdaMainly proofs related to equality and <-relation.
Definition of these relations in Bool, disjoint union,nondependent product as in the Cwk or similar tothat.Simple proofs about them (notions like reflexive,anti-reflexive, transitive, symmetric; proofs of suchproperties).
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 722
RestrictionsConstructive logic, natural numbers, lists not treated inthe lecture.
No natural deduction.
No formal derivations, rules in this section.
Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 723