Functional Programming in Coq

From: https://www.cs.cornell.edu/courses/cs3110/2018sp/l/19-coq-fp/notes.v

---

Topics:

• types and functions
• theorems and proofs
• lists
• options

---

Mega super hyper serious tip: You absolutely must step through this file interactively in Coq to understand what's going on. Observe what happens to the proof state and in the output window. Just reading this file in your browser does not suffice!

Types and functions

Let's start by doing some basic functional programming in Coq. We'll define a type which represents the days of the week.

You'll note some differences from OCaml:

• The definition starts with the keyword Inductive instead of the keyword type.
• day has a type itself, Type. Essentially this is saying that day is a type.
• The definition uses := instead of =.
• Every constructor is explicitly given the type day. Later we'll see that constructors can have more complicated types.
• The definition must end with a period.

Here's a function that returns the next day after its input.

Again, there are some small differences from OCaml:

• The Let keyword is capitalized.
• The pattern match must end with the end keyword.
• The branches use => instead of -> to separate the pattern from the value to be returned.

Although we can use Let in Coq, it's usually more idiomatic to write Definition instead, because Let is actually substituted away. We could instead write the following:

Theorems and proofs

Now let's prove some small theorems about programs that use days. First, let's prove that applying next_day to tue evaluates to wed. If you were going to do that with a more informal proof in natural language, your first instinct might be to say "it's obvious." That's kind of what the proof below does.

auto is a tactic that searches for a proof. Tactics are the commands written between Proof and Qed; they manipulate the proof state, which is all the subgoals that need to be proved before the proof is finished. We can see the proof auto found by printing the theorem:

The output of that is wed_after_tue = eq_refl : next_day tue = wed, which indicates that wed_after_tue is equal to eq_refl and proves that next_day tue = wed. Here, eq_refl is something from the Coq standard library that says equality is reflexive, and that computation may be performed on either side of the equality to reduce the expression that appears there to a simpler expression. Rarely, though, is a theorem so simple that it can immediately be proved by searching for a proof. Usually we need to provide Coq with more explicit guidance. A more careful informal proof of the theorem might read "next_day tue evaluates to wed. So the equality to be proved reduces to wed = wed. That trivially holds." That is essentially the proof that strategy that is followed below:

Printing the theorem shows that it's still the same proof that is found by auto.

The output of that is wed_after_tue' = eq_refl : next_day tue = wed. Next, let's prove that the day of the week never repeats. That is, the day after a given day d is never equal to d.

Again, you might say "that's obvious." But in this case, it's not obvious enough for auto to find a proof.

So here's a better strategy: consider all the possible values that d could have: sun, mon, etc. Now consider instantiating what the theorem says for each:

• next_day sun <> sun
• next_day mon <> mon
• etc.

In each case, if we reduce the expression on the left to a value, we get an inequality that's more obviously true:

• mon <> sun
• tue <> mon
• etc.

The reason that mon <> sun is that they are different constructors of an inductive (i.e., variant) type, and different constructors can never be equal. This is a proof strategy that Coq will understand. To implement it, we need two new tactics:

• destruct is a tactic that considers all the possible ways to construct an inductive type.
• discriminate is a tactic that proves different constructors cannot be equal.

The first step of this proof, intros d, introduces d. Think of it like saying "let d be some arbitrary day." The second step of the proof, destruct d, instructs Coq to do case analysis on d. The next seven lines apply simpl then discriminate 7 times, once for each possible day in the case analysis. That repetition of the same tactic is rather ugly. First, we don't actually need to use simpl. In fact, discriminate will do simplification itself, as will many other tactics. Second, instead of writing discriminate 7 times, we could instead write all: discriminate. That means to use discriminate on all the remaining subgoals in the proof.

Another way to structure that proof is with the semicolon tactical, which chains together tactics. The tactic t1; t2 means to apply tactic t1, then further apply tactic t2 to all the subgoals generated by t1.

Now let's prove that if the day after d is tue, then d must be mon. To express that implication in a theorem we use the symbol ->, where A -> B means that if A is true, then so is B.

Why does that theorem hold? An informal argument by case analysis would say that of all the 7 possible values of d, 6 of them immediately fail to make next_day d = true hold, In fact, only d=mon does. So for each of the 7 cases, we either have a contradiction, or we have a trivial equality. In Coq, we can express that proof as follows, where we use a new tactical || for "or".

Let's pick apart that proof.

• The first line introduces two assumptions into the proof: that d is a day, and that next_day d = tue. The latter is the antecedent of the implication that is being proved, i.e., the P in P -> Q; Q is called the consequent. We chose the name next_day_is_tue to record that assumption. Idiomatically, Coq programmers will often use short names like H for these kinds of hypotheses.
• The second line does the case analysis on d as we did before.
• The third line says to use discriminate || trivial on all the subgoals. That works like a short-circuit OR in OCaml: if discriminate fails to find a proof of the subgoal, then trivial will be used to find the proof instead.

Lists

The Coq standard library includes lists. Some parts of the list library are already included by default, but not all are. To load the full list library, we need to issue the following commands:

Coq lists are defined in essentially the same way as OCaml lists. A list is may contain any number of elements, and each element must have the same type. The empty list is represented with nil, and cons creates a new list out of an element and an already existing list. The standard library defines lists as follows:

(We wrapped that definition in its own Module so that, in the rest of this file, list still means the list in the standard library as opposed to the one we just defined ourselves.) Let's compare that to a similar OCaml definition of lists:

type 'a list = nil | cons of 'a * 'a list

The 'a is a type variable in the OCaml definition. Similarly, in the Coq definition, list (A : Type) : Type indicates that list is parameterized on a type A. Hence Coq's list is a type constructor just like OCaml's list is. In fact, if we check the type of list, this becomes even clearer:

list : Type -> Type

That is, list takes a type as input and returns a type as output. Also, notice the branches:

| nil : list A
| cons : A -> list A -> list A.

These say that nil already has type list A, for any A, and that cons is a function that takes an A and a list A and returns a list A. So Coq's cons is truly a function, unlike OCaml's. (In OCaml you can't, for example, pass a constructor name to a function.) We can use pattern matching to code functions that take lists as inputs, just like in OCaml.

In is_empty, we have explicitly given type annotations on two arguments. The first argument, A, is the type of the list elements. The second argument, lst, has type list A. OCaml never made us explicitly write down the element type as an input to functions, because the language is engineered to guarantee that type inference can always figure out those types. Coq's type system, however, is vastly more expressive that OCaml's, hence type inference is a hard problem in Coq. Coq is therefore more strict about writing these things down. Like in OCaml, we can use syntactic sugar for lists, writing [] for nil and :: for cons:

If we want to compute with is_empty, we have to supply the type argument:

In the second computation above, it wouldn't matter what type we pass in because the list is empty, but we do have to provide some type as an argument. There are various ways in Coq of making this type argument something that the compiler infers, instead of the programmer having to provide. These are called implicit arguments. Here's one way to make an argument implicit:

We put the A:Type parameter in braces instead of parentheses. This tells Coq that the argument should be inferred. As you can see, we didn't provide it in the example usage. In fact, Coq would reject is_empty' nat [1], because once we've made the argument implicit, we're actually not even allowed to provide it. If for some reason we really did need to explicitly provide an implicit argument, we could do that by prefixing the name of the function with @. For example:

To define recursive functions on lists, instead of OCaml's let rec, Coq uses Fixpoint as a keyword. That perhaps-cryptic name comes from programming languages theory, where recursion can be defined as a so-called fixed point of a function. Here is a definition of length for lists, and an example usage. Again, we do this in its own module to avoid clashing with the standard library's definition of length.

Options

In the Coq standard library, options are defined as follows. (Once more we wrap the definition in its own module to avoid clashing with the standard library's own definition.)

Coq options are essentially the same as OCaml's. Some is a function that given a value of type A, constructs an option containing that value. None is already a value that has type option A for any A. Here is a function hd_opt. It returns the head of a list, wrapped in Some. If the list is empty, it returns None.

The first of those example usages returns Some 1 : option nat, and the second returns None : option nat. In the second, we are forced to explicitly provide the type argument, because Coq can't infer from just the empty list what kind of option it should be: should it be option nat? option bool? or something else? Now let's prove something about hd_opt: when applied to a list of length 0, it returns None. Informally, that holds because there are two possibilities of how a list is constructed:

• if the list is nil, then its length is certainly 0, and evaluation of hd_opt's pattern match will choose the branch that returns None.
• if the list is constructed with cons, then its length is at least 1. That contradicts the assumption that its length is 0.

The proof below uses exactly that reasoning.

The first line of that proof, which uses the intros tactic, introduces three assumptions into the proof: That A is a type, that lst has type list A, and that the length of lst is 0. The second line does the case analysis on lst: is it nil or cons? The next two tactics handle each of those cases.

• The first case, where the list is nil, is handled by trivial, which finds a proof that hd_opt nil = None. It succeeds in doing that by first doing some computation, which reduces hd_opt nil to None, then showing that None = None because equality is reflexive.
• The second case, where the list is cons, is handled by discriminate, which finds a contradiction while trying to prove that hd_opt (a :: lst) = None. Of course, that equality is untrue: hd_opt (a :: lst) is actually Some a. So discriminate looks in the hypotheses of the proof and finds one that claims length (a :: lst) = 0. Of course, that's untrue, because length (a :: lst) is 1 + length lst, which is at least 1, and 1 <> 0. The discriminate tactic detects that contradiction. You might recall from CS 2800 that from an assumption of false, you are allowed to conclude anything. That's the reasoning being used here.

When there are a few cases in a proof, as there were (two) in the previous proof, sometimes Coq programmers use bullets to make the structure of their proofs apparent to readers. The bullets also help with focusing the programmer's attention on the proof state during the process of constructing the proof. The bullets in the proof below, written -, cause all but one subgoal to disappear. After a subgoal has been proved, the proof state reads "There are unfocused goals." The next bullet causes the next unfocused goal to become focused. This is probably best understood by stepping through the following proof in Coq and observing what happens to the proof state when each bullet is processed.

The characters + and * can also be used as bullets, as can --, ---, etc.

Summary

Coq is a functional programming language. It contains many of the same features as OCaml. In fact, Coq is implemented in OCaml. Coq is also a proof assistant. We can write programs and prove theorems about those programs. Coq searches for those proofs, and we guide its search with tactics.

Terms and concepts

• antecedent
• case analysis
• consequent
• constructor
• definition
• fixpoint
• function
• goal
• hypothesis
• implicit argument
• inductive type
• proof search
• proof state
• reflexivity of equality
• tactic
• tactical
• theorem

Tactics

• auto
• destruct
• discriminate
• intros
• simpl
• trivial
• tacticals: all, ||, ;, -, *, +

Further reading

• Software Foundations, Volume 1: Logical Foundations. Chapter 1: Basics.
• Interactive Theorem Proving and Program Development. Chapters 1 through 4. Available online from the Cornell library.