Propositional logic

Let's explore more proofs. This one states a tautology: “if A, then A”. We encode if as an implication, written ->, and we quantify over all possible propositions A by writing forall (A: Prop):

Theorem T1 : forall (A: Prop), A -> A.
forall A : Prop, A -> A
Proof.
forall A : Prop, A -> A

Goals in Coq have two parts: the context (or hypotheses) and the conclusion. A horizontal bar separates them; on paper, we would use a turnstile (⊢) instead.

The intros tactic changes ⊢ A -> A to A ⊢ A, which visually means moving A above the bar.

  intros.
A: Prop
H: A
A

Notice that the newly created hypothesis was given a name automatically (H).

The apply tactic is the modus ponens rule: it takes a term or a hypothesis of the form A -> B, and changes the conclusion from B to A. In the simplest case, where the hypothesis is simply A, and the conclusion is A as well, apply solves the goal entirely:

  apply H.
Qed.

Proofs that rely on automatically generated names can be brittle. Thankfully, the intros tactic can name the hypotheses it creates. For example:

Theorem T2 : forall (A B : Prop), A /\ B -> B /\ A.
forall A B : Prop, A /\ B -> B /\ A
Proof.
forall A B : Prop, A /\ B -> B /\ A
  intros A B HAB.
A, B: Prop
HAB: A /\ B
B /\ A

The destruct tactic performs case analysis on its argument, and gives names to each part. Here, we use it to name each side of HAB:

  destruct HAB as [HA HB].
A, B: Prop
HA: A
HB: B
B /\ A

This proof can be completed by explicitly construction a proof of B /\ A from the two terms HB and HA:

  apply (conj HB HA).
Qed.

But what is conj?

Check conj.
conj
     : forall A B : Prop, A -> B -> A /\ B
Print conj.
Inductive and (A B : Prop) : Prop :=
    conj : A -> B -> A /\ B.

Arguments and (A B)%type_scope
Arguments conj [A B]%type_scope _ _

conj is the name of the single constructor of the type and! So our proof is really just unpacking a conj (that's the first destruct), then repacking it (the apply). Print shows us as much:

Print T2.
T2 =
fun (A B : Prop) (HAB : A /\ B) =>
match HAB with
| conj x x0 =>
    (fun (HA : A) (HB : B) => conj HB HA) x x0
end
     : forall A B : Prop, A /\ B -> B /\ A

Arguments T2 (A B)%type_scope _

If /\ is in fact a type, then are True and False also types? Indeed yes! True has a single constructor, called I, and False, thankfully, has none:

Print True.
Inductive True : Prop :=  I : True.
Print False.
Inductive False : Prop :=  .

What happens if we call destruct on a term of type True? No much, since it carries no information and no subterms:

Goal True -> True.
True -> True
Proof.
True -> True
  intros HT.
HT: True
True
  destruct HT.
True
  apply I.
Qed.

What about False? Having a term of type False is impossible, since False has no constructors. Consequently, a case analysis yields… 0 cases, and a proof.

Theorem T3 : forall (A: Prop), False -> A.
forall A : Prop, False -> A
Proof.
forall A : Prop, False -> A
  intros A HF.
A: Prop
HF: False
A
  destruct HF.
Qed.

Some Coq tactics are rather smart. For example, destruct, when applied to a term of type X -> Y, first creates a new goal for X, then performs destruct on the specialization of the original term. Here is this behavior in action:

Theorem T3' : forall (A: Prop), not True -> A.
forall A : Prop, ~ True -> A
Proof.
forall A : Prop, ~ True -> A
  intros A HnotT.
A: Prop
HnotT: ~ True
A
  destruct HnotT.
A: Prop
True
  apply I.
Qed.

What happened? destruct peeked into the definition of not:

Print not.
not = fun A : Prop => A -> False
     : Prop -> Prop

Arguments not A%type_scope

Bools and props

Here is a theorem, and its proof, on propositions:

Theorem T4 : forall (A: Prop), ~(A /\ ~A).
forall A : Prop, ~ (A /\ ~ A)
Proof.
forall A : Prop, ~ (A /\ ~ A)
  unfold not.
forall A : Prop, A /\ (A -> False) -> False
  intros A H.
A: Prop
H: A /\ (A -> False)
False
  destruct H as [H1 H2].
A: Prop
H1: A
H2: A -> False
False
  apply H2.
A: Prop
H1: A
H2: A -> False
A
  apply H1.
Qed.

And here is now a suspiciously similar-looking theorem, on Booleans:

Theorem T5 (b: bool) : negb (andb b (negb b)) = true.
b: bool
negb (b && negb b) = true
Proof.
b: bool
negb (b && negb b) = true
  destruct b.
negb (true && negb true) = true
negb (false && negb false) = true
  reflexivity.
negb (false && negb false) = true
  reflexivity.
Qed.

Booleans are not the same, in Coq, as propositions: booleans are a simple two-valued type, whereas Prop is a kind (a type of types). One way to relate the two is to use equality: true = true, for example, is a proposition:

Check true = true.
true = true
     : Prop

So is true = false:

Definition bool_bogus : Prop := true = false.

Thankfully, while true = true is provable, true = false is not:

Theorem bool_bogus_proof_attempt : bool_bogus.
bool_bogus
Proof.
bool_bogus
  unfold bool_bogus.
true = false
  (* No way to make progress. *)
Abort.

On the other hand, the negation of bool_bogus is provable:

Theorem not_bool_bogus_proof : not (bool_bogus).
~ bool_bogus
Proof.
~ bool_bogus
  unfold not, bool_bogus.
true = false -> False
  intros Heq.
Heq: true = false
False
  discriminate Heq.
Qed.

Let's explore this bool/Prop connection further. Theorems T4 and T5 were very similar. Shouldn't we be able to reuse T4 to prove T5?

While it's not strictly necessary, the following axiom will help:

Axiom prop_ext : forall (P Q : Prop), (P <-> Q) -> P = Q.

We start with an injection from bool to Prop: bool_to_prop b is provable when b is equal to true.

Definition bool_to_prop (b: bool) : Prop := b = true.

We can use bool_to_prop to relate Prop and bool operators:

• neg:

  Lemma bool_to_prop_neg (b: bool) :
    bool_to_prop (negb b) = ~(bool_to_prop b).
  b: bool
  bool_to_prop (negb b) = (~ bool_to_prop b)
  Proof.
  b: bool
  bool_to_prop (negb b) = (~ bool_to_prop b)
    unfold bool_to_prop.
  b: bool
  (negb b = true) = (b <> true)
    apply prop_ext.
  b: bool
  negb b = true <-> b <> true
    split.
  b: bool
  negb b = true -> b <> true
  b: bool
  b <> true -> negb b = true
    -
  b: bool
  negb b = true -> b <> true destruct b.
  negb true = true -> true <> true
  negb false = true -> false <> true
      discriminate.
  negb false = true -> false <> true
      discriminate.
    -
  b: bool
  b <> true -> negb b = true destruct b.
  true <> true -> negb true = true
  false <> true -> negb false = true
      +
  true <> true -> negb true = true intros H.
  H: true <> true
  negb true = true
        destruct H.
  true = true
        reflexivity.
      +
  false <> true -> negb false = true reflexivity.
  Qed.

• and:

  Lemma bool_to_prop_and (b1 b2: bool) :
    bool_to_prop (andb b1 b2) = (bool_to_prop b1 /\ bool_to_prop b2).
  b1, b2: bool
  bool_to_prop (b1 && b2) =
  (bool_to_prop b1 /\ bool_to_prop b2)
  Proof.
  b1, b2: bool
  bool_to_prop (b1 && b2) =
  (bool_to_prop b1 /\ bool_to_prop b2)
    apply prop_ext.
  b1, b2: bool
  bool_to_prop (b1 && b2) <->
  bool_to_prop b1 /\ bool_to_prop b2
    split.
  b1, b2: bool
  bool_to_prop (b1 && b2) ->
  bool_to_prop b1 /\ bool_to_prop b2
  b1, b2: bool
  bool_to_prop b1 /\ bool_to_prop b2 ->
  bool_to_prop (b1 && b2)
    -
  b1, b2: bool
  bool_to_prop (b1 && b2) ->
  bool_to_prop b1 /\ bool_to_prop b2 destruct b1, b2.
  bool_to_prop (true && true) ->
  bool_to_prop true /\ bool_to_prop true
  bool_to_prop (true && false) ->
  bool_to_prop true /\ bool_to_prop false
  bool_to_prop (false && true) ->
  bool_to_prop false /\ bool_to_prop true
  bool_to_prop (false && false) ->
  bool_to_prop false /\ bool_to_prop false
      +
  bool_to_prop (true && true) ->
  bool_to_prop true /\ bool_to_prop true split.
  H: bool_to_prop (true && true)
  bool_to_prop true
  H: bool_to_prop (true && true)
  bool_to_prop true reflexivity.
  H: bool_to_prop (true && true)
  bool_to_prop true reflexivity.
      +
  bool_to_prop (true && false) ->
  bool_to_prop true /\ bool_to_prop false discriminate.
      +
  bool_to_prop (false && true) ->
  bool_to_prop false /\ bool_to_prop true discriminate.
      +
  bool_to_prop (false && false) ->
  bool_to_prop false /\ bool_to_prop false discriminate.
    -
  b1, b2: bool
  bool_to_prop b1 /\ bool_to_prop b2 ->
  bool_to_prop (b1 && b2) destruct b1, b2.
  bool_to_prop true /\ bool_to_prop true ->
  bool_to_prop (true && true)
  bool_to_prop true /\ bool_to_prop false ->
  bool_to_prop (true && false)
  bool_to_prop false /\ bool_to_prop true ->
  bool_to_prop (false && true)
  bool_to_prop false /\ bool_to_prop false ->
  bool_to_prop (false && false)
      +
  bool_to_prop true /\ bool_to_prop true ->
  bool_to_prop (true && true) reflexivity.
      +
  bool_to_prop true /\ bool_to_prop false ->
  bool_to_prop (true && false) intros [H1 H2].
  H1: bool_to_prop true
  H2: bool_to_prop false
  bool_to_prop (true && false) discriminate.
      +
  bool_to_prop false /\ bool_to_prop true ->
  bool_to_prop (false && true) intros [H1 H2].
  H1: bool_to_prop false
  H2: bool_to_prop true
  bool_to_prop (false && true) discriminate.
      +
  bool_to_prop false /\ bool_to_prop false ->
  bool_to_prop (false && false) intros [H1 H2].
  H1, H2: bool_to_prop false
  bool_to_prop (false && false) discriminate.
  Qed.
  
  Theorem T5a (b: bool) : bool_to_prop (negb (andb b (negb b))).
  b: bool
  bool_to_prop (negb (b && negb b))
  Proof.
  b: bool
  bool_to_prop (negb (b && negb b))
    rewrite bool_to_prop_neg.
  b: bool
  ~ bool_to_prop (b && negb b)
    rewrite bool_to_prop_and.
  b: bool
  ~ (bool_to_prop b /\ bool_to_prop (negb b))
    rewrite bool_to_prop_neg.
  b: bool
  ~ (bool_to_prop b /\ ~ bool_to_prop b)
    apply (T4 (bool_to_prop b)).
  Qed.