The following proves the equality of two functions:
η-→ : ∀ {A B : Set} (f : A → B) → (λ (x : A) → f x) ≡ f
η-→ f = refl
Why doesn't it need extensionality? How does Agda know that the function to the left of the ≡ simplifies to f?
(λ x → f x) ≡ f is a basic rule of definitional equality for functions, called the eta rule. It's built into the type checker. Implementations of type theory commonly support it.
Related
I am working in a small project with a goal to give a definition of Gcd which gives the gcd of two numbers along with the proof that the result is correct. But I am unable to give a total definition of Gcd. The definition of Gcd in Idris 1.3.0 is total but uses assert_total to force totality which defeats the purpose of my project. Does someone have a total definition of Gcd which does not use assert_total?
P.S. - My codes are uploaded in https://github.com/anotherArka/Idris-Number-Theory.git
I have a version which uses the Accessible relation to show that the sum of the two numbers you're finding the gcd of gets smaller on every recursive call: https://gist.github.com/edwinb/1907723fbcfce2fde43a380b1faa3d2c#file-gcd-idr-L25
It relies on this, from Prelude.Wellfounded:
data Accessible : (rel : a -> a -> Type) -> (x : a) -> Type where
Access : (rec : (y : a) -> rel y x -> Accessible rel y) ->
Accessible rel x
The general idea is that you can make a recursive call by explicitly stating what gets smaller, and providing a proof on each recursive call that it really does get smaller. For gcd, it looks like this (gcdt for the total version since gcd is in the prelude):
gcdt : Nat -> Nat -> Nat
gcdt m n with (sizeAccessible (m + n))
gcdt m Z | acc = m
gcdt Z n | acc = n
gcdt (S m) (S n) | (Access rec)
= if m > n
then gcdt (minus m n) (S n) | rec _ (minusSmaller_1 _ _)
else gcdt (S m) (minus n m) | rec _ (minusSmaller_2 _ _)
sizeAccessible is defined in the prelude and allows you to explicitly state here that it's the sum of the inputs that's getting smaller. The recursive call is smaller than the input because rec is an argument of Access rec.
If you want to see in a bit more detail what's going on, you can try replacing the minusSmaller_1 and minusSmaller_2 calls with holes, to see what you have to prove:
gcdt : Nat -> Nat -> Nat
gcdt m n with (sizeAccessible (m + n))
gcdt m Z | acc = m
gcdt Z n | acc = n
gcdt (S m) (S n) | (Access rec)
= if m > n
then gcdt (minus m n) (S n) | rec _ ?smaller1
else gcdt (S m) (minus n m) | rec _ ?smaller2
For example:
*gcd> :t smaller1
m : Nat
n : Nat
rec : (y : Nat) ->
LTE (S y) (S (plus m (S n))) -> Accessible Smaller y
--------------------------------------
smaller1 : LTE (S (plus (minus m n) (S n))) (S (plus m (S n)))
I don't know of anywhere that documents Accessible in much detail, at least for Idris (you might find examples for Coq), but there are more examples in the base libraries in Data.List.Views, Data.Vect.Views and Data.Nat.Views.
FYI: the implemenation in idris 1.3.0 (and probably 1.2.0) is total, but uses the assert_total function to achieve this.
:printdef gcd
gcd : (a : Nat) ->
(b : Nat) -> {auto ok : NotBothZero a b} -> Nat
gcd a 0 = a
gcd 0 b = b
gcd a (S b) = assert_total (gcd (S b)
(modNatNZ a (S b) SIsNotZ))
In this example
%hint
lemma1: S a `LTE` S b -> a `LTE` b
lemma1 = ?todo1
myMinus: (a, b: Nat) -> {auto prf: b `LTE` a} -> Nat
myMinus (S a') (S b') = a' `myMinus` b' -- automatically uses lemma1
myMinus a b = ?todo2
Idris is able to automatically use lemma1 where it's needed. Now I add a second lemma
%hint
lemma2: S a `LTE` b -> a `LTE` b
lemma2 = ?todo3
between lemma1 and myMinus. Now Idris doesn't find lemma1 anymore, probably because it only tries lemma2, and I have to specify it manually.
Is there a way, that I can have both lemma1 and lemma2 with %hint in context and let Idris automatically choose the correct one?
I have a simple lemma:
Lemma map2_comm: forall A (f:A->A->B) n (a b:t A n),
(forall x y, (f x y) = (f y x)) -> map2 f a b = map2 f b a.
which I was able to prove using standard equality (≡). Now I am need to prove the similar lemma using setoid equality (using CoRN MathClasses). I am new to this library and type classes in general and having difficulty doing so. My first attempt is:
Lemma map2_setoid_comm `{Equiv B} `{Equiv (t B n)} `{Commutative B A}:
forall (a b: t A n),
map2 f a b = map2 f b a.
Proof.
intros.
induction n.
dep_destruct a.
dep_destruct b.
simpl.
(here '=' is 'equiv'). After 'simpl' the goal is "(nil B)=(nil B)" or "[]=[]" using VectorNotations. Normally I would finish it using 'reflexivity' tactics but it gives me:
Tactic failure: The relation equiv is not a declared reflexive relation. Maybe you need to require the Setoid library.
I guess I need somehow to define reflexivity for vector types, but I am not sure how to do that. Please advise.
First of all the lemma definition needs to be adjusted to:
Lemma map2_setoid_comm : forall `{CO:Commutative B A f} `{SB: !Setoid B} ,
forall n:nat, Commutative (map2 f (n:=n)).
To be able to use reflexivity:
Definition vec_equiv `{Equiv A} {n}: relation (vector A n) := Vforall2 (n:=n) equiv.
Instance vec_Equiv `{Equiv A} {n}: Equiv (vector A n) := vec_equiv.
This is an extension of the question posted here:
Agda and Binary Search Trees
I have
trans₁ : ∀ {a b c} → suc a ≤ suc b → suc b ≤ c → suc a ≤ c
for the definition of trans₁, but this would require me to change the definition of widen below to:
widen : ∀{min max newMin newMax}
→ BST min max
→ suc newMin ≤ suc min
→ max ≤ newMax
→ BST newMin newMax
How would i change a <= b to suc a <= suc b? This would then allow me to change the definition of trans₁ to:
trans₁ : ∀ {a b c} → a ≤ b → suc b ≤ c → suc a ≤ c
Any help is greatly appreciated.
Look at the s<=s constructor for the less than or equal to relation. Please ask on the course forums, not on stack overflow.
I'm trying to use heterogenous equality to prove statements involving this indexed datatype:
data Counter : ℕ → Set where
cut : (i j : ℕ) → Counter (suc i + j)
I was able to write my proofs using Relation.Binary.HeterogenousEquality.≅-Reasoning, but only by assuming the following congruence property:
Counter-cong : ∀ {n n′} {k : Counter n} {k′ : Counter n′} →
{A : ℕ → Set} → (f : ∀{n} → Counter n → A n) →
k ≅ k′ → f k ≅ f k′
Counter-cong f k≅k′ = {!!}
However, I can't pattern match on k≅k′ being refl without getting the following error message from the type checker:
Refuse to solve heterogeneous constraint
k : Counter n =?= k′ : Counter n′
and if I try to do a case analysis on k≅k′ (i.e. by using C-c C-c from the Emacs frontend) to make sure all the implicit arguments are properly matched with respect to their constraints imposed by the refl, I get
Cannot decide whether there should be a case for the constructor
refl, since the unification gets stuck on unifying the
inferred indices
[{.Level.zero}, {Counter n}, k]
with the expected indices
[{.Level.zero}, {Counter n′}, k′]
(if you're interested, here are some non-relevant background: Eliminating subst to prove equality)
What you can do is take an additional proof that the two indices are equal:
Counter-cong : ∀ {n n′} {k : Counter n} {k′ : Counter n′} →
{A : ℕ → Set} → (f : ∀{n} → Counter n → A n) →
n ≅ n′ → k ≅ k′ → f k ≅ f k′
Counter-cong f refl refl = refl
The original problem is that knowing Counter n ≅ Counter n′ doesn't imply n ≡ n′ because type constructors are not assumed to be injective (there's a flag --injective-type-constructors for this, which in fact makes the match go through, but it's known to be inconsistent with excluded middle), so while it can conclude that the two types are equal it won't rewrite n to n′ and so you get that error when it later checks if k and k′ are unifiable.
Since Counter n has exactly n elements, it's actually possible to prove Counter is injective using something like the pigeonhole principle (and maybe decidable equality for naturals), so you could do without the n ≅ n′ argument, though that'd be messy.
Edit: AFAICT the Het. equality behavior is still the same.