Proof on booleans, false = true


I currently am at chapter 5 of "Software Foundations" but felt the need to get back to chapter one to clarify a couple of things. In particular there is an exercise I did not quite digest, in which we are asked to use destruct twice to prove a result on booleans. Here it is with names and other details changed.
Inductive bool: Type :=
|true: bool
|false: bool.
Definition fb (b1:bool) (b2:bool) : bool :=
match b1, b2 with
| false, false => false
| _, _ => true
end.
Theorem th: forall a b: bool,
fb a b = false -> b = false.
Proof.
intros [] [] H.
- rewrite <- H. reflexivity.
- reflexivity.
- rewrite <- H. reflexivity.
- reflexivity.
Qed.
At the first tick, the context and goal are both nonsense:
H : fb true true = false
______________________________________(1/1)
true = false
At the second tick the hypothesis is false. The third tick is the same kind of nonsense as the first one. Only the fourth tick is reasonable, with:
H : fb false false = false
______________________________________(1/1)
false = false
I understand that by the rewrite rules, all these things do work. However I have the impression we are quitting the narrow path of truth for the wilderness of falsity. More precisely, and AFAIK, a false hypothesis can be made to prove ANY statement, true or false. Here we use it to prove that false = true, OK why not, but still that makes me feel somewhat uncomfortable. I would not have expected a proof assistant to allow this.
Elaborating a bit
In a typical proof by contradiction, I would pick a hypothesis at random, and derive the goal until I find either a tautology or a contradiction. I would then conclude whether my hypothesis was true or false.
What happens here, in case 1 (same for case 3), is that Coq starts from a hypothesis that is false:
H : fb true true = false
applies it to a goal that is a contradiction:
true = false
and combines them to find a tautology.
That is not a way of reasoning I am aware of. That recalls student 'jokes' where starting with 0=1 any absurd result on natural numbers can be proven.
Followup
So this morning during my commute I was thinking about what I had just written above. I now believe that cases 1 and 3 are proper proofs by contradiction. Indeed H is false and we use it to prove a goal that is false. The hypotheses (the values of a and b) have to be rejected. What may have confused me is that using rewrite we are doing part of the way "backward", starting from the goal.
I am a bit undecided for case 2, which reads:
H : fb true false = false
______________________________________(1/1)
false = false
which is basically false -> true, a tautology under the "principle of explosion". I would not think that could be used so directly in a proof.
Oh well, not sure I completely understood what's under the hood, but trust in Coq is untouched. Gotta go on and return to chapter 5. Thanks all for your comments.
First of all, thanks for providing self-contained code.
I understand your uneasiness proving a goal using rewrite when you know that what you really ought to do is to derive a contradiction from the hypotheses. That does not make the reasoning incorrect though. It is true that under such assumptions you can prove this goal.
However I also think that this does not make the proof script really readable. In your example, you are considering all possible cases and it happens that three out of these four are impossible. When we read your proof we cannot see that. To make it clear that you are in an impossible case, there are a few tactics which are useful to say "look, I am now going to prove a contradiction to rule out this case".
One of them is exfalso. It will replace the current goal by False (since anything can be derived from False, as mentioned by #ejgallego in a comment).
A second one is absurd to say "I am now going to prove some statement and its negation" (this is basically equivalent to proving False).
A third one which is enough in your case is discriminate. It tries to find in the hypotheses a contradictory equality, such as true = false.
Theorem th: forall a b: bool,
fb a b = false -> b = false.
Proof.
intros [] [] H.
- discriminate.
- discriminate.
- discriminate.
- reflexivity.
Qed.
Now, just so you know, discriminate and reflexivity are both tried by the easy tactic. Thus the following proof will work as well (but it does not show what is going on and thus falls out of the scope of this question):
Theorem th: forall a b: bool,
fb a b = false -> b = false.
Proof.
intros [] [] H; easy.
Qed.
and this is syntactic sugar for the same proof:
Theorem th: forall a b: bool,
fb a b = false -> b = false.
Proof.
now intros [] [] H.
Qed.
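As an added example (not part of the question or the answer above), here is the same theorem proved twice more, once with exfalso and once with absurd, so that the three impossible cases are visibly ruled out instead of being closed by rewriting the goal. It reuses the question's own bool and fb definitions; the theorem names th_exfalso and th_absurd are chosen here for illustration.

```coq
(* Added example: the question's definitions, restated so this file is
   self-contained. *)
Inductive bool : Type :=
  | true : bool
  | false : bool.

Definition fb (b1 : bool) (b2 : bool) : bool :=
  match b1, b2 with
  | false, false => false
  | _, _ => true
  end.

(* Version 1: exfalso replaces the goal by False, which states explicitly
   that the current case is impossible. After simpl, H reads
   true = false, and discriminate closes the False goal from it. *)
Theorem th_exfalso : forall a b : bool,
  fb a b = false -> b = false.
Proof.
  intros [] [] H.
  - exfalso. simpl in H. discriminate H.
  - exfalso. simpl in H. discriminate H.
  - exfalso. simpl in H. discriminate H.
  - reflexivity.
Qed.

(* Version 2: absurd P asks for a proof of ~P and a proof of P. Here P is
   the equality true = false: its negation holds by discriminate, and P
   itself is exactly the (simplified) hypothesis H. *)
Theorem th_absurd : forall a b : bool,
  fb a b = false -> b = false.
Proof.
  intros [] [] H.
  - absurd (true = false).
    + intro contra. discriminate contra.
    + simpl in H. exact H.
  - absurd (true = false).
    + intro contra. discriminate contra.
    + simpl in H. exact H.
  - absurd (true = false).
    + intro contra. discriminate contra.
    + simpl in H. exact H.
  - reflexivity.
Qed.
```

In both versions the script reads as "this case cannot happen, here is why" rather than as a rewrite that turns a false goal into a true one; the underlying logic is the same principle of explosion the question mentions, only stated openly.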