CS 336/CS M36 (part 2)/CS M46 Interactive Theorem Proving

Transcription

1 CS 336/CS M36 (part 2)/CS M46 Interactive Theorem Proving Course Notes Lent Term Term 2008 Sect. 4 The λ-calculus with Products and Conjunction Anton Setzer Dept. of Computer Science, Swansea University csetzer/lectures/ intertheo/07/index.html 4 (b) Currying 4 (d) Logic with Conjunction May 24, 2017 CS 336/CS M36/CS M46 Sect. 4 1/ 162 CS 336/CS M36/CS M46 Sect. 4 1a/ (b) Currying 4 (d) Logic with Conjunction One can expand the set of λ-types and λ-terms as follows: Types are defined as before, but we have additionally: If σ, τ are types, so is σ τ. CS 336/CS M36/CS M46 Sect. 4 (a) 1b/ 162 CS 336/CS M36/CS M46 Sect. 4 (a) 2/ 162

2 Example (Products) Example2 (Products) Assume we have some extra ground types Name := String Gender := {female, male} The exact definition of Gender and String in type theory will be given later (String will be a list of characters). Then we can define name-with-gender := String Gender Assume we have a type Term of terms, representing functions Int Int. The set of terms Term together with the function, they denote, is given as Term (Int Int) Then we have John, male : name-with-gender. If s : name-with-gender, then it s first projection is a name. CS 336/CS M36/CS M46 Sect. 4 (a) 3/ 162 Products CS 336/CS M36/CS M46 Sect. 4 (a) 4/ 162 Example The set of typed-λ-terms are defined as before but we have: If s : σ, t : τ then s, t : σ τ: Γ s : σ Γ t : τ (Pair) Γ s, t : σ τ If s : σ τ, then π 0 (s) : σ and π 1 (s) : τ: Γ s : σ τ (Proj0 ) Γ π 0 (s) : σ Γ s : σ τ (Proj1 ) Γ π 1 (s) : τ We show (λx (o o) (o o o).π 0 (x)) λy o.y, λz o.λv o.z : o o (λx (o o) (o o o). π 0 ( x }{{} :(o o) (o o o) } {{ } } {{ :o o } ((o o) (o o o)) o o )) λy o. y }{{} :o }{{} :o o, λz o. λv o. z }{{} :o }{{} o o } {{ } } o o o {{ } (o o) (o o o) } {{ } o o CS 336/CS M36/CS M46 Sect. 4 (a) 5/ 162 CS 336/CS M36/CS M46 Sect. 4 (a) 6/ 162

3 β-reduction for Pairs Example β-reduction for the pairs is the rule which allows to replace any subterm of the form π0 ( r 0, r 1 ) by r 0, any subterm of the form π1 ( r 0, r 1 ) by r 1. The subterms π i ( r 0, r 1 ) are called β-redexes of the term in question In addition we have the β-redexes (λx.t) s of the λ-calculus with. β-reduction for the typed λ-calculus with products includes both β-reduction for functions and β-reduction for pairs. (λx (o o) (o o o).π 0 (x)) λy o.y, λz o.λv o.z β π 0 ( λy o.y, λz o.λv o.z ) β λy o.y CS 336/CS M36/CS M46 Sect. 4 (a) 7/ 162 Products with many Components CS 336/CS M36/CS M46 Sect. 4 (a) 8/ 162 Products with many Components We write σ 0 σ n for ( ((σ 0 σ 1 ) σ 2 ) σ n ). Define for s 0 : σ 0,..., s n : σ n s 0,..., s n := s 0, s 1, s 2, s n : σ 0 σ n (Note by our convention that the type is equal to ( ((σ 0 σ 1 ) σ 2 ) σ n )) E.g. x, y, z := x, y, z. One can easily define corresponding projections πi n : (σ 0 σ n 1 ) σ i, s.t. π n i ( s 0,..., s n 1 ) = β s i. For instance in case n = 3 we need π 3 i ( s 0, s 1, s 2 ) = s i We obtain this by defining π0 3(x) := π 0(π 0 (x)) Then π 3 0( s 0, s 1, s 2 ) = π 0 (π 0 ( s 0, s 1, s 2 )) = π 0 ( s 0, s 1 ) = s 0 π 3 1 (x) := π 1 (π 0 (x)) Then π 3 1( s 0, s 1, s 2 ) = π 1 (π 0 ( s 0, s 1, s 2 )) = π 1 ( s 0, s 1 ) = s 1 π 3 i ( s 0, s 1, s 2 ) = π 3 i ( s 0, s 1, s 2 ) = s i CS 336/CS M36/CS M46 Sect. 4 (a) 9/ 162 CS 336/CS M36/CS M46 Sect. 4 (a) 10/ 162

4 Products with many Components η-expansion for Products π 3 i ( s 0, s 1, s 2 ) = s i π 3 2 (x) := π 1(x) Then π 3 2( s 0, s 1, s 2 ) = π 1 ( s 0, s 1, s 2 ) = s 2 If we have a product r : σ τ, then its projections are β-equal to the projections of π 0 (r), π 1 (r) : π 0 ( π 0 (r), π 1 (r) ) = β π 0 (r), π 1 ( π 0 (r), π 1 (r) ) = β π 1 (r). Therefore, similarly to functions, we would like to have that every term r : σ τ is equal to π 0 (r), π 1 (r). The η-rule expresses that subterms t : σ τ can be η-expanded to π 0 (t), π 1 (t) Details can be found on the next few slides, but won t be treated in the lecture. We jump over the rest of this Subsection and over SubSect. b. CS 336/CS M36/CS M46 Sect. 4 (a) 11/ 162 η-rule for Products CS 336/CS M36/CS M46 Sect. 4 (a) 12/ 162 η-rule for Products However, as for functions, we need to impose some restrictions, in order to avoid circularities: If t is of the form r0, r 1, and if we allowed then the reduction t π 0 (t), π 1 (t), we would get the following circular reduction: t π 0 (t), π 1 (t) π 0 ( r 0, r 1 ), π 1 ( r 0, r 1 ) β r 0, r 1 t If t occurs in the form πi (t), and if we then allowed to expand t, we would get π i (t) π i ( π 0 (t), π 1 (t) ) and would get the following circular reduction: π i (t) π i ( π 0 (t), π 1 (t) ) β π i (t), All other terms can be expanded without obtaining a new redex. CS 336/CS M36/CS M46 Sect. 4 (a) 13/ 162 CS 336/CS M36/CS M46 Sect. 4 (a) 14/ 162

5 η-expansion for Products Example η-expansion for products is the rule which allows to replace in a typed λ-term t one subterm s : σ τ, which is not of the form r0, r 1, and does not occur in the form π0 (s) or π 1 (s) by π 0 (s), π 1 (s). η-expansion for the typed λ-calculus with products includes both η-expansion for functions and for pairs. Assume g : (o o) o. (λf (o o) o.λx o o.f x) g β λx o o.g x η λx o o.g π 0 (x), π 1 (x) λx o o.g π 0 (x), π 1 (x) is therefore the β, η-normal form of (λf (o o) o.λx o o.f x) g CS 336/CS M36/CS M46 Sect. 4 (a) 15/ 162 Theorem CS 336/CS M36/CS M46 Sect. 4 (a) 16/ 162 η-rule The typed λ-calculus with products, β-reduction and with (or without) η-expansion is confluent and strongly normalising. We can introduce products as well for the untyped λ-calculus. Then we obtain a confluent (but of course non normalising) reduction system. With the η-rule we obtain now that if r : σ τ, then r = β,η π 0 (r), π 1 (r). If r : σ τ is of the form r0, r 1 then we have r = β π 0 (r), π 1 (r) : π 0 (r), π 1 (r) π 0 ( r 0, r 1 ), π 1 ( r 0, r 1 ) β r 0, r 1 Otherwise r η π 0 (r), π 1 (r). Therefore, every element of a product type is of the form something 0, something 1. Jump over Currying/Uncurrying r CS 336/CS M36/CS M46 Sect. 4 (a) 17/ 162 CS 336/CS M36/CS M46 Sect. 4 (a) 18/ 162

6 4 (b) Currying 4 (b) Currying 4 (b) Currying 4 (d) Logic with Conjunction 4 (b) Currying In the λ-calculus with products, there are two versions of a function f taking an integer and a floating point number and returning a string: f1 : (Int Float) String f2 : Int Float String. We say that f1 is in Uncurried form, and f2 is in Curried form. The name Curry honours Haskell Curry. The application of these two functions to arguments x and y is written as f 1 x, y, f 2 x y. CS 336/CS M36/CS M46 Sect. 4 (b) 18a/ (b) Currying Haskell Brooks Curry CS 336/CS M36/CS M46 Sect. 4 (b) 19/ (b) Currying Curried/Uncurried Functions Haskell Brooks Curry ( ) The above generalises to functions with arbitrarily (but finitely) many arguments of different type. The Curried version of a function f with arguments of types σ 0,..., σ n 1 and result type ρ is of type σ 0 σ n 1 ρ. Its Uncurried version has type (σ 0 σ n 1 ) ρ. CS 336/CS M36/CS M46 Sect. 4 (b) 20/ 162 CS 336/CS M36/CS M46 Sect. 4 (b) 21/ 162

7 Uncurrying 4 (b) Currying Currying 4 (b) Currying From a Curried function we can obtain an Uncurried function. This is called Uncurrying. Example: Assume f : Int Float String. Then λx Int Float.f π 0 (x) π 1 (x) : (Int Float) String is the Uncurried form of f. From a Uncurried function we can obtain an Curried function. This is called Currying. Example: Assume f : (Int Float) String. Then λx Int.λy Float.f x, y : Int Float String is the Curried form of f. On the next 2 slides follows a treatment of the general case. Jump over general case. CS 336/CS M36/CS M46 Sect. 4 (b) 22/ (b) Currying Uncurrying CS 336/CS M36/CS M46 Sect. 4 (b) 23/ (b) Currying Currying We can obtain from the Curried form f Curry of a function its Uncurried form f Uncurry by f Uncurry = λx.f Curry π n 0(x) π n n 1(x) where πi n : (σ 0 σ n 1 ) σ i are the projections. One can as well define a λ-term Uncurry : (σ 0 σ n 1 ρ) (σ 0 σ n 1 ) ρ Uncurry := λf, x.f π n 0 (x) πn n 1 (x) s.t. Uncurry f Curry β f Uncurry. This transformation is called Uncurrying. We can obtain from the Uncurried form f Uncurry of a function its Curried form f Curry by Again we can define f Curry = λx 0,..., x n 1.f Uncurry x 0,..., x n 1 Curry : ((σ 0 σ n 1 ) ρ) σ 0 σ n 1 ρ Curry := λf, x 0,..., x n 1.f x 0,..., x n 1 s.t. Curry f Uncurry β f Curry. This transformation is called Currying. It is an easy exercise to show Curry (Uncurry f ) = β,η f and Uncurry (Curry f ) = β,η f. CS 336/CS M36/CS M46 Sect. 4 (b) 24/ 162 CS 336/CS M36/CS M46 Sect. 4 (b) 25/ 162

8 4 (b) Currying (Un)Currying in Programming 4 (b) Currying (Un)Currying in Programming The Uncurried form of a function corresponds to the form functions are presented usually outside functional programming. There functions always need all arguments. 3+ is something which outside functional programming usually doesn t make much sense. In functional programming one often prefers the Curried form. This allows to apply a functional partially to its arguments. E.g. if we take + as usual in Curried form, then + 3 : Int Int is the function taking x and returning + 3 x which is 3 + x. Example: map ( + 3) [1, 2, 3] = [4, 5, 6] If we apply the function increasing every x by 3 to the list [1, 2, 3], we obtain the result of incrementing each list element by 3, i.e. [4, 5, 6]. CS 336/CS M36/CS M46 Sect. 4 (b) 26/ (b) Currying (Un)Currying in Programming CS 336/CS M36/CS M46 Sect. 4 (b) 27/ 162 One often avoids in functional programming (and as well in Agda) the formation of products (or record types). Especially for intermediate calculations. The packing and unpacking of products makes programming often harder. E.g. instead of defining a function f : σ (ρ τ) it is often better to form two functions f 1 : σ ρ and f 2 : σ τ, (which are often defined simultaneously). Only, when delivering the final program, the use of products is often better, because the result is more compact. 4 (b) Currying 4 (d) Logic with Conjunction CS 336/CS M36/CS M46 Sect. 4 (b) 28/ 162 CS 336/CS M36/CS M46 Sect. 4 (c) 28a/ 162

9 Records in Pascal In many languages there exists the notion of a Record type. In Pascal we can form for instance the type of Students In Agda, there are two ways of defining the product. The first one represents the product as a record type. Student = record begin StudentNumber : Integer; Name : String; end Elements of this type can be formed by determining their StudentNumber and Name. If x : Student, then x.studentnumber : Integer and x.name : String. CS 336/CS M36/CS M46 Sect. 4 (c) 29/ 162 Records in Java CS 336/CS M36/CS M46 Sect. 4 (c) 30/ 162 The Record Type in Agda Records correspond in Java to classes with public fields, no methods, and a standard constructor. E.g. the class Student is defined as follows: class Student{ Integer StudentNumber; String Name; Student(Integer StudentNumber, String Name){ this.studentnumber = StudentNumber; this.name = Name } } Assume we have introduced A, B : Set Then we can introduce the record type record AB : Set where field a : A b : B CS 336/CS M36/CS M46 Sect. 4 (c) 31/ 162 CS 336/CS M36/CS M46 Sect. 4 (c) 32/ 162

10 Name Clashes in the Record Type Name Clashes in the Record Type You are not allowed to use a and b, if the identifiers a and b have been introduced before. However, you can use the same record selector in different records. So causes an error. n : N n = Z record A : Set where field n : N However is accepted. record A : Set where field n : N record A : Set where field n : N N CS 336/CS M36/CS M46 Sect. 4 (c) 33/ 162 Longer Records CS 336/CS M36/CS M46 Sect. 4 (c) 34/ 162 The Product as a Record Type We can introduce longer records as well, e.g. record ABCD : Set where field a : A b : B c : C d : D Elements of a record type are introduced as follows: Assume we have a : A, b : B. Then we can introduce in the above situation ab : AB ab = record{a = a ; b = b } Note that, since a, b cannot be record selectors and separate identifiers at the same time, the ambiguous definition record{a = a; b = b} is not possible. CS 336/CS M36/CS M46 Sect. 4 (c) 35/ 162 CS 336/CS M36/CS M46 Sect. 4 (c) 36/ 162

11 The Product as a Record Type Projections Using a let expression we can get around this problem: ab : AB ab = let a : A a = a b : B b = b in record{a = a ; b = b } We recommend to avoid such definitions. If we have record AB : Set where field a : A b : B then Agda provides us with the following projection functions: AB.a : AB A AB.b : AB B CS 336/CS M36/CS M46 Sect. 4 (c) 37/ 162 Projections CS 336/CS M36/CS M46 Sect. 4 (c) 38/ 162 Records with Dependencies If we define then we obtain ab : AB ab = record{a = a ; b = b } AB.a ab = a AB.b ab = b We can define a generic product rprod A B depending on A : Set, B : Set (rprod stands for record-product): record rprod (A B : Set) : Set where field first : A second : B Here (A B : Set) stands for the two parameters (A : Set) (B : Set) The projections are denoted as follows: If ab : rprod A B, then rprod.first ab : A rprod.second ab : B CS 336/CS M36/CS M46 Sect. 4 (c) 39/ 162 CS 336/CS M36/CS M46 Sect. 4 (c) 40/ 162

12 Hidden Arguments Hidden Arguments When we use rprod.first : rprod A B A it is not always clear, which sets A and B one is referring to. In fact A and B are hidden arguments of rprod.first. In case one needs to make them explicit, this can be done as follows: rprod.first { A } { B } ab stands for rprod.first applied to ab, where ab : rprod A B. We can make any argument of a function hidden. For instance id : {A : Set} A A id a = a defines the identity function, which for any set A and a : A returns a. This function is used in the form without adding the parameter A. id a CS 336/CS M36/CS M46 Sect. 4 (c) 41/ 162 Hidden Arguments CS 336/CS M36/CS M46 Sect. 4 (c) 42/ 162 Hidden Arguments If we want to make the hidden parameter A explicit we can do so by writing id { A } a There is no deep theory about when arguments can be hidden or not. Any argument of a function can be declared to be hidden. If when type checking the code Agda cannot determine a hidden argument, then Agda will get unsolved hidden goals. CS 336/CS M36/CS M46 Sect. 4 (c) 43/ 162 CS 336/CS M36/CS M46 Sect. 4 (c) 44/ 162

13 Example Example Take the following code strange : {a : A} A strange {a} = a a : A a = strange Agda doesn t complain about the definition of strange. However, when checking the definition of a, it notices that it cannot figure out the hidden argument of strange. strange : {a : A} A strange {a} = a a : A a = strange It complains by Marking the word strange in yellow. Displaying a hidden goal in the buffer All Goals 184 : A [ at /home/csetzerlocal/test.agda:166,7-14 ] This means that for the missing hidden argument of strange a hidden goal has been introduced, which is of type A, and the position (line 166, column 7-14) is displayed. CS 336/CS M36/CS M46 Sect. 4 (c) 45/ 162 The Product using data CS 336/CS M36/CS M46 Sect. 4 (c) 46/ 162 The Product using data The data -product is introduced as follows (dprod stands for data-product): The second version of the product uses the more general data construct for defining so called algebraic types. With this construction we are leaving the so called logical framework. λ-terms and the record type form the logical framework, the basic types of Agda and of Martin-Löf type theory. The data-construct allows to introduce user-defined types. Here data dprod (A B : Set) : Set where p : A B dprod A B dprod A B depends on two sets A, B. p is the constructor of this set. The name (here p) is up to the user, we could have used any other valid Agda identifier. The idea is: The elements of Prod are exactly the terms p a b where a : A and b : B. CS 336/CS M36/CS M46 Sect. 4 (c) 47/ 162 CS 336/CS M36/CS M46 Sect. 4 (c) 48/ 162

14 Pattern Matching Pattern Matching In order to decompose an element of dprod A B in Agda, we can use pattern matching. This is best explained by an example. We postulate A, B : Set, and abbreviate dprod A B as AB: postulate A : Set postulate B : Set AB : Set AB = dprod A B postulate A : Set postulate B : Set AB : Set AB = dprod A B Assume we want to define the first projection s.t. This can be defined as follows: proj0 : AB A, proj0 (p a b) = a proj0 : AB A, proj0 (p a b) = a CS 336/CS M36/CS M46 Sect. 4 (c) 49/ 162 Pattern Matching CS 336/CS M36/CS M46 Sect. 4 (c) 50/ 162 Deep Pattern Matching postulate A : Set postulate B : Set AB : Set AB = dprod A B The second projection can be defined similarly: proj1 : AB B, proj1 (p a b) = b Note the parentheses around (p a b): proj1 p a b = b would read: proj1 applied to a variable p, a variable a and a variable b is equal to b. This causes an error, because proj1 only allows one argument. postulate A : Set postulate B : Set AB : Set AB = dprod A B Deeper pattern matching is as well possible: An element of dprod (dprod A B) B is of the form where a : A, b, b : B. We can define p (p a b ) b f : dprod (dprod A B) B A f (p (p a b) b ) = a CS 336/CS M36/CS M46 Sect. 4 (c) 51/ 162 CS 336/CS M36/CS M46 Sect. 4 (c) 52/ 162

15 Deep Pattern Matching Coverage Checker We are not allowed to use the same variable twice in a pattern (unless specially flagged flagged repeated variables occur only in advanced data types like the identity type). So causes an error. f : dprod (dprod A B) B A f (p (p a b) b) = a The coverage checker of Agda will make sure that the patterns cover all possible cases. So f : N N f Z = Z will not pass the coverage checker, because f (S n) is not defined. CS 336/CS M36/CS M46 Sect. 4 (c) 53/ 162 Hidden Arguments in dprod CS 336/CS M36/CS M46 Sect. 4 (c) 54/ 162 Hidden Arguments in dprod p in data dprod (A B : Set) : Set where p : A B dprod A B has hidden arguments {A : Set} and {B : Set}. In case one needs to make them explict, one can do so: c : dprod A B c = p {A} {B} a b If one wants to mention the first hidden argument, but not the second one, one simply omits the second one: c : dprod A B c = p {A} a b The following syntax allows to omit the first hidden argument, but to mention the second one: c : dprod A B c = p { } {B} a b In general, variables which are not used later can be written as. CS 336/CS M36/CS M46 Sect. 4 (c) 55/ 162 CS 336/CS M36/CS M46 Sect. 4 (c) 56/ 162

16 Decomposing Record Type Let D : Set D = rprod (dprod A B) C Assume we want to define f : D A which projects an element of D to the component A. Pattern matching is not possible for record types. What we can do is to use the with -construct We can abbreviate this by using: f : D A f d with rprod.first d f d p a b = a f : D A f d with rprod.first d... p a b = a Decomposing Record Type f : D A f d with rprod.first d f d p a b = a The above reads as follows: We define f d by looking at rprod.first d. We look at what happens when rprod.first d = p a b. In this case we define f d as a. CS 336/CS M36/CS M46 Sect. 4 (c) 57/ 162 Longer Example CS 336/CS M36/CS M46 Sect. 4 (c) 58/ 162 Longer Example As an example we want to define in Agda, depending on A, B, C, D : Set, ab : A B a-c : A C, b-d : B D an element f ab a-c b-d : C D. This means that f is a function which takes arguments a-c, b-d and ab as above and returns an element of C D. Therefore A, B, C, D : Set will be global assumptions (represented in Agda by postulates). So we have the following Agda code: postulate A : Set postulate B : Set postulate C : Set postulate D : Set f : (A B) (A C) (B D) (C D) CS 336/CS M36/CS M46 Sect. 4 (c) 59/ 162 CS 336/CS M36/CS M46 Sect. 4 (c) 60/ 162

17 Longer Example Longer Example Let AB and CD be names for A B and C D, respectively. Then we obtain the following code: record AB field a : A b : B record CD field c : C d : D : Set where : Set where The goal to be solved is as follows: f : AB (A C) (B D) CD f ab a-c b-d = {!!} CS 336/CS M36/CS M46 Sect. 4 (c) 61/ 162 Longer Example CS 336/CS M36/CS M46 Sect. 4 (c) 62/ 162 Longer Example The idea for this function is as follows: We first project ab : A B to elements a : A, b : B. Then we apply a-c : A C to a : A and obtain an element c : C. A diagram is as follows: ab : A B a-c a : A π 0 π 1 b : B b-d a-c A B f a-c b-d b-d And we apply b-d : B D to b : B and obtain an element d : D. Finally we form the pair c, d. c : C, c, d : C D d :D C D We will use let-expressions in order to compute the intermediate values a, b, c, d. CS 336/CS M36/CS M46 Sect. 4 (c) 63/ 162 CS 336/CS M36/CS M46 Sect. 4 (c) 64/ 162

18 Agda Code for the Above Remark on Previous Code f : AB (A C) (B D) CD f ab a-c b-d = let a : A a = AB.a ab b : B b = AB.b ab c : C c = a-c a d : D d = b-d b in record{c = c ; d = d } See exampleletexpressionrecord.agda. In the previous code we used in the let expression variables c and d instead of c and d. This is to avoid the ambiguity in record{c = c; d = d} Agda will interpret this example as intended, but it is not clear whether this will be always the case. CS 336/CS M36/CS M46 Sect. 4 (c) 65/ 162 Concrete Products CS 336/CS M36/CS M46 Sect. 4 (c) 66/ 162 Concrete Products When using the data-construct, it is often more convenient to introduce concrete products in a more direct way. Example: Assume we have defined a set Gender of genders, a set Name of names. The set of persons, given by a gender and a name, can then be defined as data Person : Set where person : Gender Name Person Then one can define customized projections using pattern matching, e.g. gender : Person Gender gender (person g n) = g CS 336/CS M36/CS M46 Sect. 4 (c) 67/ 162 CS 336/CS M36/CS M46 Sect. 4 (c) 68/ 162

19 4 (d) Logic with Conjunction 4 (d) Logic with Conjunction Constructive Meaning of 4 (b) Currying 4 (d) Logic with Conjunction A B is true, if A is true and B is true. Therefore a proof p : A B consists of a proof a : A and a proof b : B. So such a proof is a pair a, b s.t. a : A and b : B. Therefore A B is just the product A B of A and B. We can identify A B with A B. CS 336/CS M36/CS M46 Sect. 4 (d) 68a/ (d) Logic with Conjunction Conjunction in Agda CS 336/CS M36/CS M46 Sect. 4 (d) 69/ (d) Logic with Conjunction Conjunction in Agda Conjunction is represented as a product. There are two products in Agda, therefore as well two ways of representing conjunction: One using the record type: record r (A B : Set) : Set where field and1 : A and2 : B And one using the product formed using data. We use a more meaningful name for the constructor: data d (A B : Set) : Set where and : A B A d B See exampleproofproplogic3.agda The symbol can be introduced by typing in \wedge. CS 336/CS M36/CS M46 Sect. 4 (d) 70/ 162 CS 336/CS M36/CS M46 Sect. 4 (d) 71/ 162

20 4 (d) Logic with Conjunction Typing in Special Symbols 4 (d) Logic with Conjunction Typing in Special Symbols Typing in the special symbols (using the Emacs-package mule ) can be cumbersome. A more convenient way is to use the abbreviation mode: To activate the abbreviation mode, use under emacs M-x abbrev-mode Then one can let an arbitrary sequence of characters to be automatically replaced by an abbreviation. For instance if we want andd to expand to we do the following: We type in andd. We use the emacs command C-x ail We type in the mini buffer our intended expansion, namely (typed in as \wedge ). Now whenever we type in a space-like character (blanks and some punctuations) followed by andd followed by a space-like character, then andd is replaced by. You can edit the abbreviations you have defined by using M-x edit-abbrevs (when finished use C-c C-c in order to activate your definitions). CS 336/CS M36/CS M46 Sect. 4 (d) 72/ (d) Logic with Conjunction Abbreviation Mode CS 336/CS M36/CS M46 Sect. 4 (d) 73/ (d) Logic with Conjunction Customising Agda with Abbreviation Mode You can prevent the expansion of an an abbreviation by using C-q before adding any space-like character after andd. In order to load previous abbreviations and save the when exiting Agda you should add the following to your.emacs file: (read-abbrev-file " /.abbrev defs") However, for this to work you need first to create a file /.abbrev defs This is done by following the steps on the next slide CS 336/CS M36/CS M46 Sect. 4 (d) 74/ 162 CS 336/CS M36/CS M46 Sect. 4 (d) 75/ 162

21 4 (d) Logic with Conjunction Customising Agda with Abbreviation Mode 4 (d) Logic with Conjunction Customising Agda with Abbreviation Mode The creation of a file /.abbrev defs is done as follows (the steps need to be carried out only once): Define at least one abbreviation as above (you can change this abbreviation later by using M-x edit-abbrevs. For instance you can just type in fooo, type in C-x ail, and then type in the Mini-buffer foo, so that fooo is expanded to foo. Then execute M-x write-abbrev-file, and when asked for a file name, enter in the mini-buffer /.abbrev defs Now execute M-x read-abbrev-file, and when asked for a file name, enter in the mini-buffer /.abbrev defs If you now create a new abbreviation, and run C-x s which is the command for saving all buffers, it will ask as well whether you want to save the abbreviation file. CS 336/CS M36/CS M46 Sect. 4 (d) 75a/ (d) Logic with Conjunction Customising Agda with Abbreviation Mode CS 336/CS M36/CS M46 Sect. 4 (d) 75b/ (d) Logic with Conjunction Example In order to activate the abbreviation mode, whenever one enters an Agda file, add in your.emacs file after the line (load " /emacs/agdainstall") the following On the computer A A A and A B A will now be shown in Agda using both versions of. (add-hook agda2-mode-hook (lambda nil (abbrev-mode 1))) You need as well to run once write-abbrev-file. CS 336/CS M36/CS M46 Sect. 4 (d) 75c/ 162 CS 336/CS M36/CS M46 Sect. 4 (d) 76/ 162

22 4 (d) Logic with Conjunction Example (Conjunction) 4 (d) Logic with Conjunction Example (Conjunction) We prove A B B A (see exampleproofproplogic6.agda): Lemma : Set Lemma = A r B B r A lemma : Lemma lemma ab = record{and1 = r.and2 ab; and2 = r.and1 ab} Lemma : Set Lemma = A d B B d A lemma : Lemma lemma (and a b) = and b a CS 336/CS M36/CS M46 Sect. 4 (d) 77/ (d) Logic with Conjunction Conjunction with more Conjuncts CS 336/CS M36/CS M46 Sect. 4 (d) 78/ (d) Logic with Conjunction Conjunction with more Conjuncts If one has a conjunction with more than two conjuncts, e.g. A B C, one can always express it using the binary : As (A r B) r C or A r (B r C). If one adds infixl 30 r Especially when using the record version of it is more convenient to use a ternary version of conjunction (using one of the two versions of the product). Similarly one can introduce conjunctions of 4 or more conjuncts. Definition of the ternary and using a record: one can write for A r B r C (A r B) r C record And3r (A B C : Set) : Set where field and1 : A and2 : B and3 : C CS 336/CS M36/CS M46 Sect. 4 (d) 79/ 162 CS 336/CS M36/CS M46 Sect. 4 (d) 80/ 162

23 4 (d) Logic with Conjunction Conjunction with more Conjuncts 4 (b) Currying Definition of the ternary and using data : data And3d (A B C : Set) : Set where and3d : A B C And3d A B C See exampleproofproplogic5.agda 4 (d) Logic with Conjunction CS 336/CS M36/CS M46 Sect. 4 (d) 81/ 162 CS 336/CS M36/CS M46 Sect. 4 (e) 81a/ 162 λ-calculus and Term Rewriting One can combine the λ-calculus with term writing. This means that we have apart from the rules of the typed or untyped λ-calculus additional rules like x + 0 x. Then we obtain for instance λy.λz.y + 0 λy.λz.y. More details are given on the following slides, but will not be treated in this lecture. Jump over rest of this section. Consider the λ-calculus with terms using additional constants. Assume some term rewriting rules as before (which might involve some λ-terms). As in case of ordinary term rewriting, we form instantiations of the rules by replacing variables by arbitrary λ-terms (in the extended language). CS 336/CS M36/CS M46 Sect. 4 (e) 82/ 162 CS 336/CS M36/CS M46 Sect. 4 (e) 83/ 162

24 λ-calculus and Term Rewriting λ-calculus and Term Rewriting Assume for instance the rule Then s t, if s β-reduces (or η-expands, if one allows the η-rule) to t or there exists an instantiation s t s.t. s is a subterm of s and t is the result of replacing this subterm in s by t. s is called as usual a redex of s. Then we have double λx.x + x (λf.λx.f (f x)) double λx. double (double x) λx. double ((λx.x + x) x) λx. double (x + x) λx. (λx.x + x) (x + x) λx. (x + x) + (x + x) CS 336/CS M36/CS M46 Sect. 4 (e) 84/ 162 What does Subterm Mean? CS 336/CS M36/CS M46 Sect. 4 (e) 85/ 162 What does Subterm Mean? When referring to ordinary term rewriting rules, then for a term t to have subterm s meant essentially that there is a term t in which a new variable x occurs exactly once, and t = t [x := s]. Replacing this subterm by s means that we replace t by t [x := s ]. When referring to λ-terms, this is no longer the case: Assume for instance the rewrite rule x + 0 Rule x. λx.x + 0 has subterm x + 0, but there is no term t s.t. λx.x + 0 = t[y := x + 0]: If we substitute for instance in λx.y y by x + 0 we obtain λz.x + 0. The reason is that when matching a rewrite rule, free variables in the instantiation of the rule used might become bound. So we can apply x + 0 Rule x to λx.x + 0 and have therefore λx.x + 0 λx.x. Replacing a subterm by another subterm is to be understood verbally. CS 336/CS M36/CS M46 Sect. 4 (e) 86/ 162 CS 336/CS M36/CS M46 Sect. 4 (e) 87/ 162

25 Higher Order Rewrite Systems Reduction to Closed Terms The full definition of so called higher order term rewriting systems imposes more restrictions on the reduction rules. For our purposes the naive interpretation just presented suffices. Jump over next part. One can always replace term rewriting rules for the λ-calculus by one in which for all rules s Rule t we have that s, t are closed. This can be done in such a way that equality (modulo the rewriting rules, β and possibly η) in both systems coincide: Assume a rule s Rule t and let x 1,..., x n be the free variables in s. Then replace this rule by λx 1,..., x n.s Rule λx 1,..., x n.t. CS 336/CS M36/CS M46 Sect. 4 (e) 88/ 162 Proof CS 336/CS M36/CS M46 Sect. 4 (e) 89/ 162 Proof We write in the following x for x 1,..., x n. Assume a term r reduces using this rule in the original system to a term u: Then r contains a subterm of the form s where s is the result of substituting in s x i by some terms t i. Let t be the result of substituting in t x i by t i. Then u is the result of replacing s in r by t. Let then r be the result of replacing s by (λ x.s) t 1 t n, and u be the result of replacing in s s by (λ x.t) t 1 t n. Then we have r = β r Rule u = β u, so the reduction can be simulated in the second system. On the other hand, if r u by using in the second system the rule λ x.s Rule λ x.t, then r u in the previous system by using the rule s Rule t r contains a subterm equal to λ x.s and u is the result of substituting this subterm in r by λ x.t. But then r contains the subterm s and t is the result of substituting this subterm in r by t. CS 336/CS M36/CS M46 Sect. 4 (e) 90/ 162 CS 336/CS M36/CS M46 Sect. 4 (e) 91/ 162

26 Example Extended Typed λ-calculus We can replace the rewriting rules x + 0 x x + S y S (x + y) by λx.x + 0 λx.x That becomes in the new system λx, y.x + S y λx, y.s (x + y) S (0 + S 0) S (S (0 + 0)) S (S 0) Finally, we can combine the typed λ-calculus (with or without products, with or without η-expansion) with term rewriting rules. Essentially this means that we have additional constants with types and reduction rules for them. The details (which are given on the following slides) will not be treated in the lecture itself. S (0 + S 0) = β S ((λx, y.x + S y) 0 0) S ((λx, y.s(x + y)) 0 0) = β S (S (0 + 0)) = β S (S ((λx.x + 0) 0)) S (S ((λx.x) 0)) = β S (S 0) CS 336/CS M36/CS M46 Sect. 4 (e) 92/ 162 Extended Typed λ-calculus CS 336/CS M36/CS M46 Sect. 4 (e) 93/ 162 Example For introducing the new rewrite rules, we have to make the following modifications: We assign a type to each additional constant. The set of typed λ-terms is then introduced by the same rules as before, but we have as additional rule: If c is a constant of type σ, then we have Γ c : σ Assuming + : nat nat nat and writing as usual r + s for + r s we have the following derivation of λx nat.x + x : nat nat: x:nat + :nat nat nat x:nat x:nat (Ap) x:nat + x:nat nat x:nat x:nat x : nat + x x : nat (λx nat.x + x) : nat nat (Abs) The left most leaf in this derivation follows by the rule for the constant +. (Ap) CS 336/CS M36/CS M46 Sect. 4 (e) 94/ 162 CS 336/CS M36/CS M46 Sect. 4 (e) 95/ 162

27 Example Extended Typed λ-calculus Then we have (λf nat nat.λx nat.f (f x)) double λx nat. double (double x) λx nat. double ((λx nat.x + x) x) λx nat. double (x + x) λx nat. (λx nat.x + x) (x + x) λx nat. (x + x) + (x + x) Reduction rules should now be of the form Γ s Rule t : σ (instead of s Rule t) where we have Γ s : σ and Γ t : σ. As before, s shouldn t be a variable, and all variables in t should occur in s. Best guaranteed by demanding that all variables in Γ occur free in s. One usually omits Γ, σ, if it is clear from the context. Very often, the reduction rules will be of the form c Rule t : σ where c is a constant and therefore t a closed term. CS 336/CS M36/CS M46 Sect. 4 (e) 96/ 162 Extended Typed λ-calculus CS 336/CS M36/CS M46 Sect. 4 (e) 97/ 162 Example Instantiations of a rule Γ s Rule t : σ are now obtained by replacing variables x of type τ by terms r : τ (possibly depending on some context ). Reductions w.r.t. the rules are obtained by replacing subterms r : σ, which coincide with the left hand side of an instantiation of a rule r r : σ by the right hand side r. Assume ground type nat, constants + : nat nat nat (written infix, i.e. r + s for + r s), and double : nat nat. and the reduction rule double (λx nat.x + x) : nat nat. CS 336/CS M36/CS M46 Sect. 4 (e) 98/ 162 CS 336/CS M36/CS M46 Sect. 4 (e) 99/ 162

28 Example Then we have (λf nat nat.λx nat.f (f x)) double λx nat. double (double x) λx nat. double ((λx.x + x) x) λx nat. double (x + x) λx nat. (λx.x + x) (x + x) λx nat. (x + x) + (x + x) 4 (b) Currying 4 (d) Logic with Conjunction CS 336/CS M36/CS M46 Sect. 4 (e) 100/ 162 CS 336/CS M36/CS M46 Sect. 4 (f) 100a/ 162 The Type of Booleans We want to add types containing finitely many elements to the λ-calculus. We treat first the special case Bool (finite set with 2 elements) and then generalise this to general finite sets. We add a new type Bool to the set of ground types. We add constants tt : Bool, ff : Bool. Here tt stands for true, ff for false. CS 336/CS M36/CS M46 Sect. 4 (f) 101/ 162 CS 336/CS M36/CS M46 Sect. 4 (f) 102/ 162

29 Case σ Bool If then else Furthermore we add the principle of case distinction to the λ-calculus extended by Bool: Assume we have a type σ and case tt : σ case ff : σ Then we want to have that Case σ Bool case tt case ff tt = case tt Case σ Bool case tt case ff ff = case ff Case σ Bool case tt case ff b corresponds to If b then case tt else case ff : And we want that Case σ Bool case tt case ff : Bool σ Case σ Bool case tt case ff tt = case tt Case σ Bool case tt case ff ff = case ff In case b = tt, the if-then-else-term should be equal to casett, as it is the case for Case σ Bool case tt case ff b. In case b = ff, the if-then-else-term should be equal to case ff, as it is the case for Case σ Bool case tt case ff b. CS 336/CS M36/CS M46 Sect. 4 (f) 103/ 162 Type of Case σ Bool CS 336/CS M36/CS M46 Sect. 4 (f) 104/ 162 Example: Boolean Conjunction We don t need to have a complex rule for forming Case σ Bool case tt case ff. All we need to do is add a constant Case σ Bool of type Case σ Bool : σ σ Bool σ Then it follows that, whenever case tt : σ and case ff : σ, then Case σ Bool case tt case ff : Bool σ The equalities are achieved by adding reductions Case σ Bool case tt case ff tt case tt Case σ Bool case tt case ff ff case ff We define Boolean valued conjunction We write Bool : Bool Bool Bool. Bool for function symbol, Bool for the symbol, written infix, so b Bool c stands for Bool b c. Note that this will be an operation on Booleans. Above we introduced the operation on formulae, which takes two formulae A and B and forms the formula A B. b Bool c will form the Boolean value corresponding to the conjunction of b and c. CS 336/CS M36/CS M46 Sect. 4 (f) 105/ 162 CS 336/CS M36/CS M46 Sect. 4 (f) 106/ 162

30 Truth Table for Bool Example: Bool Bool has the following truth table: So we have Bool ff tt ff ff ff tt ff tt ff Bool b = ff tt Bool b = b Below we will see how to define for every Boolean value b : Bool a formula Atom b corresponding to this value. Then one can show that (Atom b) (Atom c) is equivalent to Atom (b Bool c). This means that b Bool c is true iff b is true and c is true. CS 336/CS M36/CS M46 Sect. 4 (f) 107/ 162 CS 336/CS M36/CS M46 Sect. 4 (f) 108/ 162 Example: Bool Example: Bool Bool : Bool Bool Bool. Bool will be introduced by λ-abstraction, so we get Bool = λ(b, c : Bool).Case Bool Bool e f b For conjunction we have: Bool = λ(b, c : Bool).t We have seen that tt Bool c = c for some term t. t will be defined by case distinction on b, and have result Bool, so we get Bool = λ(b, c : Bool).Case Bool Bool e f b for some e, f. So the if-case e above is c. Furthermore ff Bool c = ff So the else-case f above is ff. CS 336/CS M36/CS M46 Sect. 4 (f) 109/ 162 CS 336/CS M36/CS M46 Sect. 4 (f) 110/ 162

31 Example: Bool The Finite Sets In total we define therefore _ Bool _ = λ(b, c : Bool).Case Bool Bool c ff b : Bool Bool Bool We verify the correctness of this definition: tt Bool c = Bool tt c = Case Bool Bool c ff tt = c. as desired. ff Bool c = Bool ff c = Case Bool Bool c ff ff = ff. Correct as desired. Bool can be generalised to sets having n elements (n a fixed natural number): We add for every n N a new ground type Fin n. We add for every k N s.t. k < n a new constant Informally we will have have A n k : Fin n Fin n = {A n 0, A n 1,..., A n n 1} especially in the cases n = 2, 1, 0 we have Fin 2 = {A 2 0, A2 1 } Fin 1 = {A 1 0 } Fin 0 = CS 336/CS M36/CS M46 Sect. 4 (f) 111/ 162 The Finite Sets CS 336/CS M36/CS M46 Sect. 4 (f) 112/ 162 Rules for Fin n We have not made use of dependent types yet. n, k are external natural numbers. So we have for each n added one type Finn to the calculus. We have for each n and k < n added one constant A n k to the calculus. We add the principle of case distinction on Fin n : Assume n N, a type σ, and case i : σ for i = 0,..., n 1. Then we want Case σ n case 0 case n 1 : Fin n σ And we want Case σ n case 0 case n 1 A n i = case i CS 336/CS M36/CS M46 Sect. 4 (f) 113/ 162 CS 336/CS M36/CS M46 Sect. 4 (f) 114/ 162

32 Constants Case σ n Equality on Fin n As for Bool, this can be achieved by having constants Case σ n : σ} {{ σ} Fin n σ n times Then from casei : σ we obtain Case σ n case 0 case n 1 : Fin n σ Furthermore we add the reduction rules We can now define the Boolean valued function which determines for two elements of Fin n, whether they are equal: Define Eq n,bool : Fin n Fin n Bool s.t. Eq n,bool A i n A i n = tt Eq n,bool A i n A j n = ff for i j Case σ n case 0 case n 1 A n i case i Eq n,bool can be defined easily (for fixed n) by case distinction on its two arguments. CS 336/CS M36/CS M46 Sect. 4 (f) 115/ 162 Special Case Bool CS 336/CS M36/CS M46 Sect. 4 (f) 116/ 162 Rules for Bool can now be treated as the special case with n = 2: Fin n Bool := Fin 2 tt := A 2 0 : Bool ff := A 2 1 : Bool Case σ Bool := Case σ 2 : σ σ Bool σ (pronounced top ) is the special case for n = 1 (we write true for A 1 0 ): Fin n So we have a type := Fin1, true := A 1 0 :, (pronounced as top, typed in in Agda as \top) Case σ := Case σ 1 : σ σ. case σ a true a. CS 336/CS M36/CS M46 Sect. 4 (f) 117/ 162 CS 336/CS M36/CS M46 Sect. 4 (f) 118/ 162

33 as the True Formula Rules for Above we have seen that formulae can be identified with types for a formula to be true means to have an element of its type. has exactly one proof, and corresponds therefore to the always always true formula. That s why we call the element true, since it is the proof of the always true formula. Example: we have λx A.true : A (pronounced bottom, typed in in Agda as \bot) is the special case Fin n for n = 0: := Fin 0. has no element (Fin n has no element). Case distinction on Fin 0 is empty the number of cases is 0, so we get the empty case distinction. This means that we have Case σ : σ We have no reduction rules. CS 336/CS M36/CS M46 Sect. 4 (f) 119/ 162 CS 336/CS M36/CS M46 Sect. 4 (f) 120/ 162 has no elements. It is the formula, which is always false, since it has no proofs. Often called falsum or absurdity. Case σ expresses: from an element f of we obtain an element of any set. Correct, since there is no element of. Considered as a formula, Case σ means: from a proof of we obtain a proof of every other formula. I.e. it means implies everything. In logic this principle is called Ex falsum quodlibet (from the absurdity follows anything). E.g. A false formula like 0 = 1 or Swansea lies in Germany implies everything. For any formula A we have a proof of A: Case A : A. CS 336/CS M36/CS M46 Sect. 4 (f) 121/ 162 CS 336/CS M36/CS M46 Sect. 4 (f) 122/ 162

34 Negation The negation A of a formula A is true, iff A is false iff there is no proof of A. Now we can show that there is no proof of A iff A is true: If there is no proof of A, then from every proof of A we can obtain a proof of (since there is no proof of A); therefore A is true. On the other hand, if we A is true, i.e. has a proof, then there cannot be any proof of A, because from it we could get a proof of, which is the empty set. Therefore A is true iff A is true. Therefore we can identify A with A. 4 (b) Currying 4 (d) Logic with Conjunction CS 336/CS M36/CS M46 Sect. 4 (f) 123/ 162 CS 336/CS M36/CS M46 Sect. 4 (g) 123a/ 162 Pattern Matching We introduce Bool by listing its constructors data Bool : Set where tt : Bool ff : Bool We can use pattern matching in order to make case distinction on an argument of type Bool: Assume we want to define Bool : Bool Bool Bool tt = ff Bool ff = tt The above is already the Agda code defining Bool. examplenegbool.agda CS 336/CS M36/CS M46 Sect. 4 (g) 124/ 162 CS 336/CS M36/CS M46 Sect. 4 (g) 125/ 162

35 Finite Sets in Agda Finite Sets in Agda Finite sets can be introduced by giving one constructor for each element. E.g. data Colour : Set where blue : Colour red : Colour green : Colour Case distinction on finite sets in Agda can be done using pattern matching. In the Colour example above for instance, we can define is red : Colour Bool is red red = tt is red = ff The above has an overlapping case distinction: is red red matches both lines is red red = tt is red = ff CS 336/CS M36/CS M46 Sect. 4 (g) 126/ 162 Finite Sets in Agda CS 336/CS M36/CS M46 Sect. 4 (g) 127/ 162 in Agda is red : Colour Bool is red red = tt is red = ff The convention is that if there are overlapping patterns, then the first matching pattern is the one which is used. So is red red will be computed by having the first pattern, we get is red red = tt is red blue and is red green are computed using the second pattern, we get The definition of in Agda is straightforward: data : Set where true : We can define a function having an argument in by using pattern matching: g : Bool q true = tt is red blue = is red green = ff CS 336/CS M36/CS M46 Sect. 4 (g) 128/ 162 CS 336/CS M36/CS M46 Sect. 4 (g) 129/ 162

36 in Agda in Agda Alternatively, we can define in Agda as the empty record (note that there is no keyword field): record : Set where Then the element true of is defined as follows true : true = record{ } Agda has a builtin η-rule, which says that every x : is equal to record{ }. exampletrue.agda can be defined as the data -set with no constructors: If we want to define data : Set where g : Bool by pattern matching, we see that there is no element in, so there is no constructor case matching g x. CS 336/CS M36/CS M46 Sect. 4 (g) 130/ 162 in Agda CS 336/CS M36/CS M46 Sect. 4 (g) 131/ 162 in Agda We need to communicate this to Agda (this is needed in order to obtain decidability of pattern matching) by having the following code: g : Bool g () The code g () means: the argument at the position () is an element which matches no pattern, so this case is solved. examplefalse.agda Above we have shown why we can define A as A. Therefore negation can be defined in Agda as follows: : Set Set A = A CS 336/CS M36/CS M46 Sect. 4 (g) 132/ 162 CS 336/CS M36/CS M46 Sect. 4 (g) 133/ 162

37 Example for the Use of Example for the Use of Assume the type of trees: We can now define data Tree : Set where oak : Tree pine : Tree spruce : Tree IsConifer : Tree Set IsConifer oak = IsConifer = So IsConifer x is the false formula, if x = oak, and the true formula otherwise. If we want to define a function from trees, which are conifers, into another set, we can do so by requiring an additional argument IsConifer : f : (t : Tree) IsConifer t A f pine = {!!} f spruce = {!!} f oak () So we need to define f only for pine and spruce, the case where the first argument is oak cannot appear, since in that case the second argument is an element of the empty set, i.e. it matches no pattern. CS 336/CS M36/CS M46 Sect. 4 (g) 134/ 162 Example for the Use of CS 336/CS M36/CS M46 Sect. 4 (g) 135/ 162 Example 2 for the Use of Assume the type Stack of stacks of elements of N given by Note that we don t have to invent a result of f in case t is an oak tree. exampletree1.agda Jump over Example 2 (Stack) data Stack (A : Set) : Set where empty : Stack A push : A Stack A Stack A We can then introduce a predicate NonEmpty expressing that the stack is nonempty: NonEmpty : {A : Set} Stack A Set NonEmpty empty = NonEmpty (push ) = CS 336/CS M36/CS M46 Sect. 4 (g) 136/ 162 CS 336/CS M36/CS M46 Sect. 4 (g) 137/ 162

38 Example 2 for the Use of Atomic Formulae Now we can define top : {A : Set} (s : Stack A) NonEmpty s A top empty () top (push a ) = a (See examplestack.agda). Again we don t have to provide a result, in case s is empty (in general we couldn t provide such a result, since A might be empty). We will now show how to convert in Agda a Boolean value into a formula. Here we will leave the simply-typed λ-calculus, and move to dependent types. The operation which converts Boolean values into atomic formulae is Atom : Bool Set Atom tt = Atom ff = CS 336/CS M36/CS M46 Sect. 4 (g) 138/ 162 Atomic Formulae CS 336/CS M36/CS M46 Sect. 4 (g) 139/ 162 Example Atom : Bool Set Atom tt = Atom ff = So, in case b = tt, Atom b is the true formula, which is provable. In case b = ff, Atom b is the false formula, which is unprovable. exampleatom.agda Above we introduced the Boolean valued equality on Fin n, which for fixed n can be defined in Agda. Eq n,bool : Fin n Fin n Bool Eq n,bool A i n A i n = tt Eq n,bool = ff CS 336/CS M36/CS M46 Sect. 4 (g) 140/ 162 CS 336/CS M36/CS M46 Sect. 4 (g) 141/ 162

39 Example Example For instance in case of the set we define data Colour : Set where blue : Colour red : Colour green : Colour eqcolourbool : Colour Colour Bool eqcolourbool blue blue = tt eqcolourbool red red = tt eqcolourbool green green = tt eqcolourbool = ff We can now convert this equality into a formula as follows: == : Colour Colour Set c == c = Atom (eqcolourbool c c ) c == c is the formula expressing that c and c are the same colour. CS 336/CS M36/CS M46 Sect. 4 (g) 142/ 162 Example CS 336/CS M36/CS M46 Sect. 4 (g) 143/ 162 Example 2 Remember the definition of Boolean valued negation in Agda: == can be defined directly, by unfolding its definition. We obtain: examplecolourequality.agda == : Colour Colour Set blue == blue = red == red = green == green = == = We show Remember that we defined Bool : Bool Bool Bool tt = ff Bool ff = tt Atom ( Bool b) (Atom b) : Set Set A = A CS 336/CS M36/CS M46 Sect. 4 (g) 144/ 162 CS 336/CS M36/CS M46 Sect. 4 (g) 145/ 162

40 Example 2 Example 2 So our lemma is Lemma : Set Lemma = (b : Bool) Atom ( Bool b) (Atom b) Since A = A this is equivalent to Lemma = (b : Bool) Atom ( Bool b) Atom b We need to show lemma : Lemma lemma b p q = {!!} Lemma : Set Lemma = (b : Bool) Atom ( Bool b) Atom b lemma : Lemma lemma b p q = {!!} We need to make case distinction on b = tt and b = ff and replace the last line by the two cases: lemma : Lemma lemma tt p q = {!!} lemma ff p q = {!!} CS 336/CS M36/CS M46 Sect. 4 (g) 146/ 162 Example 2 CS 336/CS M36/CS M46 Sect. 4 (g) 147/ 162 Example 2 Lemma : Set Lemma = (b : Bool) Atom ( Bool b) Atom b lemma : Lemma lemma tt p q = {!!} lemma ff p q = {!!} In the first equation we have b = tt, therefore p : Atom ( Bool b) = Atom ff = So p matches no pattern, we can replace in this case p by (), and have solved this case. Lemma : Set Lemma = (b : Bool) Atom ( Bool b) Atom b lemma : Lemma lemma tt () q lemma ff p q = {!!} In the second case we have b = ff, so q : Atom b = Atom ff = So q matches no pattern, we can replace in this case q by (), and have solved this case as well CS 336/CS M36/CS M46 Sect. 4 (g) 148/ 162 CS 336/CS M36/CS M46 Sect. 4 (g) 149/ 162

41 Example 2 Example 3 Lemma : Set Lemma = (b : Bool) Atom ( Bool b) Atom b lemma : Lemma lemma tt () q lemma ff p () Note that it becomes increasingly complicated to guarantee that all cases are covered. Therefore it is important to check that the code has passed the coverage checker. examplenegbool2.agda Jump over Example 3 ( Bool) We introduce Boolean valued implication Bool : Bool Bool Bool and show that Atom (b Bool b ) implies Atom b Atom b. The other direction can be shown as well. CS 336/CS M36/CS M46 Sect. 4 (g) 150/ 162 Example 3 CS 336/CS M36/CS M46 Sect. 4 (g) 151/ 162 Example 3 Classically A B is true iff A is false or B is true. Something false implies everything, so A B is true if A is false. If A is true, then A B is true if B is true. So we have A B is false if A is true and B is false. In all other cases it is true. We can therefore define the Boolean valued implication as follows Bool : Bool Bool Bool tt Bool ff = ff Bool = tt We introduce the Lemma to be shown and the pattern for the proof: Lemma : Set Lemma = (b b : Bool) Atom (b Bool b ) Atom b Atom b lemma : Lemma lemma b b b b btrue = {!!} We try to make a case distinction which makes as often as possible one of the two proof objects b b : Atom (b Bool b ) or btrue : Atom b false. CS 336/CS M36/CS M46 Sect. 4 (g) 152/ 162 CS 336/CS M36/CS M46 Sect. 4 (g) 153/ 162