0

EDITED for understandability

I am trying to prove properties on a special type of tree. This tree is like the following. The problem is that the induction principle generated by Coq is insufficient for me to proof properties of the tree. For a simpler example, say the following type describes all of my 'trees':

Inductive prv_tree(E:BES) : statement -> Prop :=
| REFL (G:propVar_relation)(a:Prop) : 
  prv_tree E (G |- a ---> a)
| TRA (G:propVar_relation) (a b c:Prop) :
  prv_tree E (G |- a ---> b) -> prv_tree E (G |- b ---> c) ->
    prv_tree E (G |- a ---> c).

Then, to prove soundness of all trees (for, say, implication), I need to prove the following lemma:

Lemma soundness: forall E:BES, forall f g:Prop, forall R G:propVar_relation, 
  (prv_tree E (G |- f ---> g)) -> (E,G,R |= f --> g).

For which I need to apply induction on the structure of the tree. However, if I do intros;induction H. then the first subgoal is (E,G,R |= f --> g) i.e. the information on the required structure of f and g is lost (I would want (E,G,R |= a --> a)). (Also, for the inductive case, the induction hypothesis states (E,G,R |= f --> g), which seems odd to me).

Another approach I have tried is to remember (G |- f ---> g), to keep the structure of f and g available. The proof then proceeds as intros;remember (G |- f --> g) as stmt in H.induction H. Then, I obtain goals and environment like I would expect for my base cases. However, for proving case TRA, I obtain the following proof context: 

H : prv_tree E (G0 |- a --> b)
H0 : prv_tree E (G0 |- b --> c)
IHprv_tree1 : G0 |- a --> b = G |- f --> g -> (E,G,R |= f --> g)
IHprv_tree2 : G0 |- b --> c = G |- f --> g -> (E,G,R |= f --> g)

While I would expect the induction hypothesis to be 

IHprv_tree1 : prv_tree E (G0 |- a --> b) -> (E,G,R |= a --> b)
IHprv_tree2 : prv_tree E (G0 |- b --> c) -> (E,G,R |= b --> c)

OLD TEXT

I am trying to prove properties on a special type of tree. This tree can be constructed using 21 different rules (which I will not all repeat here). The problem is that the induction principle generated by Coq is insufficient for me to proof properties of the tree.

The tree is constructed as follows

Inductive prv_tree (E:BES): (*BES ->*) statement -> Prop := 
.... (*constructors go here*).

One of these constructors is 

CTX: forall a b c:propForm, forall x:propVar, forall G:propVar_relation,
  (prv_tree E (makeStatement G a b) -> 
    (prv_tree E (makeStatement G (replace c x a) (replace c x b))))

My goal is proving 

Lemma soundness: forall E:BES, forall f g:propForm, forall G:propVar_relation, 
  forall tree:prv_tree E (makeStatement G f g), rel_cc_on_propForm E (cc_max E) G f g.

To do this, I remember makeStatement G f g since otherwise I lose the info on the structure of f and g. I then apply induction on the tree. I have proven all cases as seperate lemmas, which I can succesfully use for the base cases. However, for the inductive cases, the induction hypothesis presented to me by Coq is unusable.

For example, for the CTX constructor mentioned before, I obtain the following induction hypothesis:

IHP {| context := G; stm_l := a; stm_r := b |} =
  {| context := empty_relation; stm_l := replace c x a;
  stm_r := replace c x b |} ->
    E, cc_max E |- replace c x a <,_ empty_relation replace c x b

which I cannot use. In stead, I want something like

IHP prv_tree E {| context := G; stm_l := a; stm_r := b |} ->
  E, cc_max E |- replace c x a <,_ empty_relation replace c x b

Can somebody explain to me how to fix this? So far, I have tried defining my own induction principle on prv_tree, however this results in the same problems, so maybe I did this wrong?

The statement for CTX in my own induction principle is the following:

  (forall a b c:propForm, forall x:propVar, forall G:propVar_relation, 
    (prv_tree E {| context := G; stm_l := a; stm_r := b |} ) ->
      P {| context := G; stm_l := replace c x a; stm_r := replace c x b |})
Myrthe van Delft
  • 53
  • 4
  • Hi Myrthe, unfortunately it is a bit difficult to see the problem here without access to a full, self-contained example. I could all well that your induction hypothesis in not general enough, see `generalize`, but again, it is difficult to say without knowing more details. – ejgallego Feb 10 '16 at 17:56
  • You can try to `revert` as many hypotheses as possible before applying your induction and see what you get. – eponier Feb 11 '16 at 09:00
  • I updated the description. revert and generalize do not help me :( – Myrthe van Delft Feb 11 '16 at 12:42
  • I'm interested to know how you define such notation `E,G,R |= a --> b`. I cannot make Coq parse such an expression, whatever notation I use. – eponier Feb 11 '16 at 13:54
  • The notation is obtained from the following line of Coq code: `Notation "E , R |- f <,_ G g" := (rel_cc_on_propForm E R G f g)(at level 200).` I will admit, I do not truly know what level I should define the notation at, but it does increase readability to not use my very long function names. (Note, this notation is slightly different from the notation in my question.) – Myrthe van Delft Feb 11 '16 at 14:21
  • Thanks. I never know what level to use either. – eponier Feb 11 '16 at 16:22

2 Answers2

0

I think I understood your problem, but I had to fill in the wholes of your question. It would have been easier if you had come up with a self-contained example, as @ejgallego suggested.

Here is how I modelled your problem:

Axiom BES : Type.
Axiom propVar_relation : Type.

Inductive statement :=
| Stmt : propVar_relation -> Prop -> Prop -> statement.

Notation "G |- a ---> b" := (Stmt G a b) (at level 50).

Inductive prv_tree(E:BES) : statement -> Prop :=
| REFL (G:propVar_relation)(a:Prop) : 
  prv_tree E (G |- a ---> a)
| TRA (G:propVar_relation) (a b c:Prop) :
  prv_tree E (G |- a ---> b) -> prv_tree E (G |- b ---> c) ->
    prv_tree E (G |- a ---> c).

Lemma soundness: forall (E: BES) (f g:Prop) (R G:propVar_relation),
  (prv_tree E (G |- f ---> g)) -> R = R.

Indeed we encounter the same problems as those you described in your question. The solution is to revert after the remember and before doing the induction.

intros.
remember (G |- f ---> g) as stmt. revert f g R G Heqstmt.
induction H; intros.

Now the induction hypotheses are still strange, but they should work.

eponier
  • 3,062
  • 9
  • 20
  • Thank you for your input. This does not appear to work, and I have found a different solution which does work. – Myrthe van Delft Feb 11 '16 at 14:14
  • The induction hypotheses I get contain `forall (f g : Prop) (R G0 : propVar_relation), G |- a ---> b = G0 |- f ---> g`, which is strange, but if you instantiate with `(f:=a)` and `(g:=b)`, you get a useful hypothesis. – eponier Feb 11 '16 at 14:27
0

Thank you for your help. In the end, I found the solution myself. The trick was in defining a helper function h:statement -> Prop, as expected by the induction principle, and use this function in stead of (E,G,R |= f --> g).

Myrthe van Delft
  • 53
  • 4