├── .gitignore
├── Sf.bib
├── README.md
├── Preface.lagda
├── makefile
├── MorePropositions.lagda
├── Sf.lagda
├── MoreInd.lagda
├── ProofObjects.lagda
├── MoreAgda.lagda
├── proof.sty
├── SfLib.lagda
├── InductionProofs.lagda
├── Propositions.lagda
├── Logic.lagda
├── Lists.lagda
├── Poly.lagda
├── Basics.lagda
└── natbib.bst


/.gitignore:
--------------------------------------------------------------------------------
1 | *~
2 | *.agdai
3 | *.out


--------------------------------------------------------------------------------
/Sf.bib:
--------------------------------------------------------------------------------
1 | @misc{Wiki,
2 |   author  = {{Agda Development Team}},
3 |   title   = {{The Agda Wiki website}},
4 |   howpublished = {wiki Agda},
5 |   year    = {2014}
6 | }


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Software Foundations
2 | ====================
3 | 
4 | A translation of Pierce's Coq book Software foundations to Agda.
5 | This is just an adaptation of the previous cited book. 


--------------------------------------------------------------------------------
/Preface.lagda:
--------------------------------------------------------------------------------
 1 | %if False
 2 | \begin{code}
 3 | module Preface where
 4 | \end{code}
 5 | %endif
 6 | 
 7 | \chapter*{Preface}
 8 | 
 9 | \section*{Welcome}
10 | 
11 | This electronic book is a Agda version of Pierce's Coq book named Software Foundations.
12 | 
13 | \section*{Overview}
14 | 
15 | ...
16 | 
17 | 
18 | 
19 | 


--------------------------------------------------------------------------------
/makefile:
--------------------------------------------------------------------------------
 1 | default: sf
 2 | 
 3 | sf:
 4 | 	lhs2TeX --agda Sf.lagda > Sf.tex
 5 | 	pdflatex Sf.tex
 6 | 	bibtex Sf.aux
 7 | 	pdflatex Sf.tex
 8 | 	pdflatex Sf.tex
 9 | clean:
10 | 	rm *.tex
11 | 	rm *.pdf
12 | 	rm *.aux
13 | 	rm *.log
14 | 	rm *.ptb
15 | 	rm *.toc
16 | 	rm *.out
17 | 	rm *.bbl
18 | 	rm *.blg
19 | 	rm *.agdai
20 | view: sf
21 | 	evince Sf.pdf &
22 | 


--------------------------------------------------------------------------------
/MorePropositions.lagda:
--------------------------------------------------------------------------------
  1 | \chapter{More about Propositions and Evidence}
  2 | 
  3 | %if False
  4 | \begin{code}
  5 | module MorePropositions where
  6 | 
  7 | open import Basics
  8 | open import Poly
  9 | open import Propositions
 10 | \end{code}
 11 | %endif
 12 | 
 13 | \section{Relations}
 14 | 
 15 | A proposition parameterized by a number (such as |Ev| or |Beautiful|) can be thought of as a property --- 
 16 | i.e., it defines a subset of |Nat|, namely those numbers for which the proposition is provable. In the same 
 17 | way, a two-argument proposition can be thought of as a relation --- i.e., it defines a set of pairs for which 
 18 | the proposition is provable.
 19 | 
 20 | One useful example is the ``less than or equal to'' relation on numbers.
 21 | 
 22 | The following definition should be fairly intuitive. It says that there are two ways to give evidence that one 
 23 | number is less than or equal to another: either observe that they are the same number, or give evidence that 
 24 | the first is less than or equal to the predecessor of the second.
 25 | \begin{code}
 26 | data _<=_ : Nat -> Nat -> Set where
 27 |   len : forall n -> n <= n
 28 |   les : forall n m -> n <= m -> n <= suc m
 29 | \end{code}
 30 | Proofs of facts about |<=| using the constructors |len| and |les| follow the same patterns as proofs 
 31 | about properties, like |Ev| in the previous chapter. We can apply the constructors to prove |<=| goals 
 32 | (e.g., to show that |3<=3| or |3<=6|), and we can use pattern matching to extract information from |<=| 
 33 | hypotheses in the context (e.g., to prove that |(2 <= 1) -> 2+2==5|.)
 34 | 
 35 | The "strictly less than" relation |n < m| can now be defined in terms of |n <= m|:
 36 | \begin{code}
 37 | _<_ : Nat -> Nat -> Set
 38 | n < m = suc n <= m
 39 | \end{code}
 40 | 
 41 | \begin{exe}
 42 | Prove the following fact:
 43 | \begin{spec}
 44 | leTrans : forall {m n o} -> m <= n -> n <= o -> m <= o
 45 | leTrans = (HOLE GAP 0)
 46 | \end{spec}
 47 | \end{exe}
 48 | 
 49 | \begin{exe}
 50 | Prove the following fact:
 51 | \begin{spec}
 52 | zeroLeN : forall n -> 0 <= n
 53 | zeroLeN = (HOLE GAP 0)
 54 | \end{spec}
 55 | \end{exe}
 56 | 
 57 | \begin{exe}
 58 | Prove the following fact:
 59 | \begin{spec}
 60 | nLeMSnleSm : forall n m -> n <= m -> suc n <= suc m
 61 | nLeMSnleSm = (HOLE GAP 0)
 62 | \end{spec}
 63 | \end{exe}
 64 | 
 65 | \begin{exe}
 66 | Prove the following fact:
 67 | \begin{spec}
 68 | snLeSmNLeM : forall n m -> suc n <= suc m -> n <= m
 69 | snLeSmNLeM = (HOLE GAP 0)
 70 | \end{spec}
 71 | \end{exe}
 72 | 
 73 | \begin{exe}
 74 | Prove the following fact:
 75 | \begin{spec}
 76 | lePlusL : forall a b -> a <= a + b
 77 | lePlusL = (HOLE GAP 0)
 78 | \end{spec}
 79 | \end{exe}
 80 | 
 81 | \begin{exe}
 82 | Prove the following fact:
 83 | \begin{spec}
 84 | plusLt : forall n1 n2 m -> n1 + n2 < m -> n1 < m -> n2 < m
 85 | plusLt = (HOLE GAP 0)
 86 | \end{spec}
 87 | \end{exe}
 88 | 
 89 | \begin{exe}
 90 | Prove the following fact:
 91 | \begin{spec}
 92 | ltsuc : forall n m -> n < m -> n < suc m
 93 | ltsuc = (HOLE GAP 0)
 94 | \end{spec}
 95 | \end{exe}
 96 | 
 97 | \section{Programming with Propositions}
 98 | 
 99 | A proposition is a statement expressing a factual claim, like ``two plus two equals four.'' In Agda, propositions 
100 | are written as types. Although we haven't discussed this explicitly, we have already seen numerous examples.
101 | 
102 | One important point: Both provable and unprovable claims are perfectly good propositions. Simply being a proposition is one thing; 
103 | being provable is something else! Consider these examples:
104 | \begin{spec}
105 | t : 2 + 2 == 4
106 | t = refl
107 | 
108 | t' : 2 + 2 == 5
109 | t' = (HOLE GAP 0) -- not provable
110 | \end{spec}
111 | Of course proposition |t'| cannot be provable, because reducing its type we get |4 == 5|, that can't be proved.
112 | 
113 | 
114 | 
115 | 


--------------------------------------------------------------------------------
/Sf.lagda:
--------------------------------------------------------------------------------
  1 | \documentclass{book}
  2 | \usepackage{a4}
  3 | \usepackage{palatino}
  4 | \usepackage{natbib}
  5 | \usepackage{amsmath,amsthm,proof}
  6 | \usepackage{amssymb}
  7 | \usepackage{amsfonts}
  8 | \usepackage{stmaryrd}
  9 | \usepackage{upgreek}
 10 | \usepackage[pdftex]{hyperref}
 11 | \usepackage{url}
 12 | 
 13 | 
 14 | \DeclareMathAlphabet{\mathkw}{OT1}{cmss}{bx}{n}
 15 | 
 16 | \usepackage{color}
 17 | \newcommand{\redFG}[1]{\textcolor[rgb]{0.6,0,0}{#1}}
 18 | \newcommand{\greenFG}[1]{\textcolor[rgb]{0,0.4,0}{#1}}
 19 | \newcommand{\blueFG}[1]{\textcolor[rgb]{0,0,0.8}{#1}}
 20 | \newcommand{\orangeFG}[1]{\textcolor[rgb]{0.8,0.4,0}{#1}}
 21 | \newcommand{\purpleFG}[1]{\textcolor[rgb]{0.4,0,0.4}{#1}}
 22 | \newcommand{\yellowFG}[1]{\textcolor{yellow}{#1}}
 23 | \newcommand{\brownFG}[1]{\textcolor[rgb]{0.5,0.2,0.2}{#1}}
 24 | \newcommand{\blackFG}[1]{\textcolor[rgb]{0,0,0}{#1}}
 25 | \newcommand{\whiteFG}[1]{\textcolor[rgb]{1,1,1}{#1}}
 26 | \newcommand{\yellowBG}[1]{\colorbox[rgb]{1,1,0.2}{#1}}
 27 | \newcommand{\brownBG}[1]{\colorbox[rgb]{1.0,0.7,0.4}{#1}}
 28 | 
 29 | \newcommand{\ColourStuff}{
 30 |   \newcommand{\red}{\redFG}
 31 |   \newcommand{\green}{\greenFG}
 32 |   \newcommand{\blue}{\blueFG}
 33 |   \newcommand{\orange}{\orangeFG}
 34 |   \newcommand{\purple}{\purpleFG}
 35 |   \newcommand{\yellow}{\yellowFG}
 36 |   \newcommand{\brown}{\brownFG}
 37 |   \newcommand{\black}{\blackFG}
 38 |   \newcommand{\white}{\whiteFG}
 39 | }
 40 | 
 41 | \newcommand{\MonochromeStuff}{
 42 |   \newcommand{\red}{\blackFG}
 43 |   \newcommand{\green}{\blackFG}
 44 |   \newcommand{\blue}{\blackFG}
 45 |   \newcommand{\orange}{\blackFG}
 46 |   \newcommand{\purple}{\blackFG}
 47 |   \newcommand{\yellow}{\blackFG}
 48 |   \newcommand{\brown}{\blackFG}
 49 |   \newcommand{\black}{\blackFG}
 50 |   \newcommand{\white}{\blackFG}
 51 | }
 52 | 
 53 | \ColourStuff
 54 | 
 55 | 
 56 | \newcommand{\M}[1]{\mathsf{#1}}
 57 | \newcommand{\D}[1]{\blue{\mathsf{#1}}}
 58 | \newcommand{\C}[1]{\red{\mathsf{#1}}}
 59 | \newcommand{\F}[1]{\green{\mathsf{#1}}}
 60 | \newcommand{\V}[1]{\purple{\mathit{#1}}}
 61 | \newcommand{\T}[1]{\raisebox{0.02in}{\tiny\green{\textsc{#1}}}}
 62 | 
 63 | \newcommand{\us}[1]{\_\!#1\!\_}
 64 | \newtheorem{theorem}{Theorem}
 65 | \newtheorem{exe}{Exercise}[chapter]
 66 | 
 67 | %include lhs2TeX.fmt
 68 | %include lhs2TeX.sty
 69 | %include polycode.fmt
 70 | 
 71 | %subst keyword a = "\mathkw{" a "}"
 72 | %subst conid a = "\V{" a "}"
 73 | %subst varid a = "\F{" a "}"
 74 | 
 75 | %format -> = "\blue{\rightarrow}"
 76 | 
 77 | \newcommand{\nudge}[1]{\marginpar{\footnotesize #1}}
 78 | 
 79 | %format rewrite = "\mathkw{rewrite}"
 80 | %format constructor = "\mathkw{constructor}"
 81 | %format Set = "\D{Set}"
 82 | %format Ty = "\D{Ty}"
 83 | %format iota = "\C{\upiota}"
 84 | %format ->> = "\C{\rhd}"
 85 | %format <-> = "\leftrightarrow"
 86 | %format _<->_ = "\_\!" <-> "\!\_"
 87 | %format _/=_ = "\_\!" /= "\!\_"
 88 | %format . = "."
 89 | %format _->>_ = "\_\!" ->> "\!\_"
 90 | %format * = "\C{\times}"
 91 | %format :+ = "\F{+}"
 92 | %format :* = "\F{*}"
 93 | %format _*_ = "\_\!\," * "\,\!\_"
 94 | %format _==_ = "\_\!" == "\!\_"
 95 | %format Cx = "\D{Cx}"
 96 | %format QED = "\D{\Box}"
 97 | %format ++ = "\F{++}"
 98 | %format <> = "\D{nil}"
 99 | %format Em = "\C{\mathcal{E}}"
100 | %format <: = "\D{\in}"
101 | %format _<:_ = "\us{" <: "}"
102 | %format Gam = "\V{\Gamma}"
103 | %format Ren = "\F{Ren}"
104 | %format Sub = "\F{Sub}"
105 | %format Del = "\V{\Delta}"
106 | %format sg = "\V{\sigma}"
107 | %format tau = "\V{\tau}"
108 | %format var = "\C{var}"
109 | %format lam = "\C{lam}"
110 | %format app = "\C{app}"
111 | %format :: = "\!\raisebox{ -0.09in}[0in][0in]{\red{\textsf{`}}\,}"
112 | %format _::_ = _ :: _
113 | %format ? = "\orange{?}"
114 | %format (HOLE (x) n) = { x } "\!_{" n "}"
115 | %format GAP = "\;"
116 | 
117 | \begin{document}
118 |   \title{Software Foundations}
119 |   \maketitle
120 |   \tableofcontents
121 | 
122 | %if False
123 | \begin{code}
124 | module Sf where
125 | \end{code}
126 | %endif
127 | 
128 | %include Preface.lagda
129 | %include Basics.lagda
130 | %include InductionProofs.lagda
131 | %include Lists.lagda
132 | %include Poly.lagda
133 | %include MoreAgda.lagda
134 | %include Propositions.lagda
135 | %include MorePropositions.lagda
136 | %include Logic.lagda
137 | %include ProofObjects.lagda
138 | %include MoreInd.lagda
139 | %include SfLib.lagda
140 | 
141 | \bibliographystyle{natbib}
142 | \bibliography{Sf.bib}
143 | \end{document}
144 | 


--------------------------------------------------------------------------------
/MoreInd.lagda:
--------------------------------------------------------------------------------
  1 | \chapter{More on Induction}
  2 | 
  3 | In the last chapter we introduce more formally the idea of the \textit{Curry-Howard isomorphism}, in which
  4 | logical propositions correspond to type constructors. So, to what programming construct correspond mathematical 
  5 | induction principles? In this chapter, we will wee that induction corresponds to the notion of recursion 
  6 | in programming languages.
  7 | 
  8 | %if False
  9 | \begin{code}
 10 | module MoreInd where
 11 | 
 12 | open import Basics renaming (_*_ to _:*_;_+_ to _:+_)
 13 | open import Poly
 14 | open import Propositions
 15 | open import MorePropositions
 16 | open import Logic
 17 | open import ProofObjects
 18 | \end{code}
 19 | %endif
 20 | 
 21 | Unlike Coq, Agda does not generate an induction principle for each data type we define. Instead of using induction
 22 | or applying a generated induction principle, in Agda we just use recursive functions to express the property we want.
 23 | We can even express the induction principle generated by Coq using a simple Agda function.
 24 | \begin{code}
 25 | natInd : forall (P : Nat -> Set) -> P 0 -> (forall (n : Nat) -> P n -> P (suc n)) -> 
 26 |          forall (n : Nat) -> P n
 27 | natInd P p0 IH zero = p0
 28 | natInd P p0 IH (suc n) = natInd (\ z -> P (suc z)) (IH zero p0) (\ n1 -> IH (suc n1)) n
 29 | \end{code}
 30 | With |natInd| defined we can mimic Coq style proofs for natural numbers. Here is an example, were we proceed by induction on |n|:
 31 | \begin{spec}
 32 | multZeroR : forall (n : Nat) -> n :* 0 == 0
 33 | multZeroR n = natInd (HOLE GAP 0) (HOLE GAP 1) (HOLE GAP 2) n
 34 | \end{spec}
 35 | Since the property that we want to prove is that $\forall n. n * 0 \equiv 0$, |P| parameter corresponds to the property |n :* 0 == 0|,
 36 | resulting in:
 37 | \begin{spec}
 38 | multZeroR : forall (n : Nat) -> n :* 0 == 0
 39 | multZeroR n = natInd (\x -> x :* 0 == 0) (HOLE GAP 1) (HOLE GAP 2) n
 40 | \end{spec}
 41 | The last two holes correpond to the base case and the induction step for this proof, that are trivially solved by Agda's emacs mode auto solver.
 42 | The final proof is the following.
 43 | \begin{code}
 44 | multZeroR : forall (n : Nat) -> n :* 0 == 0
 45 | multZeroR n = natInd (\x -> x :* 0 == 0) refl (λ n1 z -> z) n
 46 | \end{code}
 47 | \begin{exe}[Induction on lists]
 48 | Let's remember the list data type definition:
 49 | \begin{spec}
 50 |   data List (A : Set) : Set where
 51 |     []   : List A
 52 |     _::_ : A -> List A -> List A
 53 | \end{spec}
 54 | Define the function |listInd|, the induction principle for lists and use it to prove the following theorem:
 55 | \begin{spec}
 56 | length-++' : forall (l l' : List A) -> length (l ++ l') == length l + length l'
 57 | length-++' = (HOLE GAP 0)
 58 | \end{spec}
 59 | \end{exe}
 60 | \begin{exe}[Induction on enumerated types]
 61 | Consider the following data type definition:
 62 | \begin{code}
 63 | data RGB : Set where
 64 |   red   : RGB
 65 |   blue  : RGB
 66 |   green : RGB
 67 | \end{code}
 68 | Define the function |rgbInd|, the induction principle for |RGB| type.
 69 | \end{exe}
 70 | \begin{exe}[Induction on propositions]
 71 | Consider the definition of the following inductive predicate over natural numbers:
 72 | \begin{spec}
 73 | data Beautiful : Nat -> Set where
 74 |    b0   : Beautiful 0
 75 |    b3   : Beautiful 3
 76 |    b5   : Beautiful 5
 77 |    bsum : forall {n m} -> Beautiful n -> Beautiful m -> Beautiful (n + m)
 78 | \end{spec}
 79 | Define the function |beautifulInd|, the induction principle on |Beautiful| and use it to prove that
 80 | it is equivalent to the following data type.
 81 | \begin{spec}
 82 | data Gorgeous : Nat -> Set where
 83 |   g0 : Gorgeous 0
 84 |   g3 : forall {n} -> Gorgeous n -> Gorgeous (3 :+ n)
 85 |   g5 : forall {n} -> Gorgeous n -> Gorgeous (5 :+ n)
 86 | \end{spec}
 87 | \end{exe}
 88 | 
 89 | \section{The Agda Trusted Computing Base}
 90 | 
 91 | One issue that arises with any automated proof assistant is ``why trust it?'': what if there is a bug 
 92 | in the implementation that renders all its reasoning suspect?
 93 | 
 94 | While it is impossible to allay such concerns completely, the fact that Agda is based on the Curry-Howard correspondence 
 95 | gives it a strong foundation. Because propositions are just types and proofs are just terms, checking that an alleged proof 
 96 | of a proposition is valid just amounts to type-checking the term. Type checkers are relatively small and straightforward 
 97 | programs, so the ``trusted computing base'' for Agda --- 
 98 | the part of the code that we have to believe is operating correctly --- is small too.
 99 | 
100 | What must a typechecker do? Its primary job is to make sure that in each function application the expected and actual 
101 | argument types match, that the arms of a match expression are constructor patterns belonging to the inductive type being 
102 | matched over and all arms of the match return the same type, and so on.
103 | 
104 | There are a few additional wrinkles:
105 | 
106 | \begin{itemize}
107 |   \item Since Agda types can themselves be expressions, the checker must normalize these (by using the computation rules) before comparing them.
108 |   \item The checker must make sure that match expressions are exhaustive. That is, there must be an arm for every possible constructor. 
109 |    To see why, consider the following alleged proof object:
110 |    \begin{spec}
111 |      orBugs : forall P Q -> P + Q -> P
112 |      orBugs P Q (inl H) = H
113 |    \end{spec}
114 |    All the types here match correctly, but the match only considers one of the possible constructors for or. Agda's 
115 |    exhaustiveness check will reject this definition.
116 |    \item The checker must make sure that each fix expression terminates. It does this using a syntactic check to 
117 |          make sure that each recursive call is on a subexpression of the original argument. To see why this is essential, 
118 |          consider this alleged proof:
119 |     \begin{spec}
120 |       natEmpty : forall (n : Nat) -> Empty 
121 |       natEmpty n = natEmpty n
122 |     \end{spec}
123 |      Again, this is perfectly well-typed, but (fortunately) Agda will reject it, highlighting it as brown in Agda emacs mode.
124 | \end{itemize}
125 | 
126 | Note that the soundness of Agda depends only on the correctness of its typechecking engine. 
127 | 


--------------------------------------------------------------------------------
/ProofObjects.lagda:
--------------------------------------------------------------------------------
  1 | \chapter{Proof Objects --- Explicit Evidence in Agda}
  2 | 
  3 | We have seen that in Agda the mechanisms used for programming --- inductive data types (like |Nat| or |List|) 
  4 | and functions over these types --- can be also used for proving properties of these programs, using 
  5 | inductive propositions (like |Ev| or |_==_|), implication, and universal quantification. 
  6 | In other proof assistants, like Coq, these mechanisms are quite separate.  
  7 | 
  8 | In this chapter we will take a more serious look at the so called ``Curry-Howard Isomophism'', that
  9 | states the correspondence between functional programs and proofs.
 10 | 
 11 | %if False
 12 | \begin{code}
 13 | module ProofObjects where
 14 | 
 15 | open import Basics hiding (_*_) renaming (_+_ to _:+_)
 16 | open import Poly
 17 | open import Propositions
 18 | open import MorePropositions
 19 | open import Logic
 20 | \end{code}
 21 | %endif
 22 | 
 23 | We have already seen the fundamental idea: provability in Agda is represented by concrete evidence. 
 24 | When we construct the proof of a basic proposition, we are actually building a tree of evidence, 
 25 | which can be thought of as a data structure. If the proposition is an implication like |A -> B|, 
 26 | then its proof will be an evidence transformer: a recipe for converting evidence for |A| into 
 27 | evidence for |B|. So at a fundamental level, proofs are simply programs that manipulate evidence.
 28 | 
 29 | \begin{itemize}
 30 |   \item[Q.] If evidence is data, what are propositions themselves?
 31 |   \item[A.] They are types!
 32 | \end{itemize}
 33 | 
 34 | Look again at the definition of the beautiful property.
 35 | \begin{spec}
 36 | data Beautiful : Nat -> Set where
 37 |    b0   : Beautiful 0
 38 |    b3   : Beautiful 3
 39 |    b5   : Beautiful 5
 40 |    bsum : forall {n m} -> Beautiful n -> Beautiful m -> Beautiful (n + m)
 41 | \end{spec}
 42 | The trick is to introduce an alternative pronunciation of ``:''. Instead of ``has type'' we can also say ``is a proof of.'' 
 43 | For example, the second line in the definition of |Beautiful| declares that |b0 : beautiful 0|. Instead of 
 44 | ``b0 has type beautiful 0,'' we can say that ``b0 is a proof of beautiful 0.'' Similarly for |b3| and |b5|.
 45 | This pun between types and propositions (between : as ``has type'' and : as ``is a proof of'' or ``is evidence for'') 
 46 | is called the \textbf{Curry-Howard correspondence}. It proposes a deep connection between the world of logic and 
 47 | the world of computation. This can be represented as:
 48 | \begin{center}
 49 | \begin{tabular}{lcl}
 50 | Logic        &          & Computation\\
 51 | propositions & $\equiv$ & types\\
 52 | proofs       & $\equiv$ & data values
 53 | \end{tabular}
 54 | \end{center}
 55 | Many useful insights follow from this connection. To begin with, it gives us a natural interpretation of the type of |bsum| constructor:
 56 | \begin{center}
 57 |   |bsum : forall {n m} -> Beautiful n -> Beautiful m -> Beautiful (n + m)|
 58 | \end{center}
 59 | This can be read ``|bsum| is a constructor that takes four arguments --- two numbers, |n| and |m|, and two values, of types 
 60 | |Beautiful n| and |Beautiful m| --- and yields evidence for the proposition |Beautiful (n+m)|.''
 61 | 
 62 | A proof that eight is beautiful, is just the expression |bsum {3} {5} b3 b5|, as we can represent by the following natural deduction style proof:
 63 | \[
 64 | \begin{array}{c}
 65 |   \infer[(b_{sum})]
 66 |       {\textit{beautiful }8}
 67 |       {
 68 |         \infer[(b_3)]
 69 |         {\textit{beautiful }3}
 70 |         {} 
 71 |         &
 72 |         \infer[(b_5)]
 73 |         {\textit{beautiful }5}
 74 |         {} 
 75 |       }
 76 | \end{array}
 77 | \]
 78 | Note that in the expression |bsum {3} {5} b3 b5| we can optionally give the implicit parameters |n| and |m| of |bsum| constructor.
 79 | 
 80 | \section{Quantification, Implications and Functions}
 81 | 
 82 | In Agda there are two sorts of values with arrows in their types: constructors introduced by inductively defined data types, and functions.
 83 | Arrows correspond, in the logical side, to the way of give evidence to implications and functions.
 84 | Consider the following statement:
 85 | \begin{code}
 86 | bplus3 : forall (n : Nat) -> Beautiful n -> Beautiful (n :+ 3)
 87 | bplus3 n bn = bsum bn b3
 88 | \end{code}
 89 | What is the proof object corresponding to |bplus3|?
 90 | We're looking for an expression whose type is |forall n -> Beautiful n -> Beautiful (n + 3)| --- that is, a function that takes two 
 91 | arguments (one number and a piece of evidence) and returns a piece of evidence! 
 92 | 
 93 | When we view the proposition being proved by |bplus3| as a function type, one aspect of it may seem a little unusual. The second 
 94 | argument's type, |Beautiful n|, mentions the value of the first argument, |n|. While such dependent types are not commonly found 
 95 | in ``mainstream'' programming languages, even functional ones like ML or Haskell, they can be useful there too.
 96 | 
 97 | Notice that both implication |->| and quantification |forall| correspond to functions on evidence. In fact, they are really 
 98 | the same thing: |->| is just a shorthand for a degenerate use of |forall| where there is no dependency, i.e., no need to give 
 99 | a name to the type on the LHS of the arrow.
100 | 
101 | For example, consider this proposition:
102 | 
103 | \begin{center}
104 | |bplus3' : forall n (E : Beautiful n) -> Beautiful (n :+ 3)|
105 | \end{center}
106 | 
107 | A proof term inhabiting this proposition would be a function with two arguments: a number |n| and some evidence |E| that |n| is beautiful. 
108 | But the name |E| for this evidence is not used in the rest of the statement of |bplus3'|, so it's a bit silly to bother making up a name 
109 | for it. We could write it like this instead, using the dummy identifier |_| in place of a real name:
110 | 
111 | \begin{center}
112 | |bplus3' : forall n (_ : Beautiful n) -> Beautiful (n :+ 3)|
113 | \end{center}
114 | 
115 | \section{Giving Explicit Arguments to Lemmas and Hypotheses}
116 | 
117 | Sometimes when we want to use a theorem or a hypotheses that has implications or universal quantifiers we need to give
118 | explicit arguments to these parameters. Agda has a efficient term inference mechanism that is able to infer most of
119 | these parameters. Whenever Agda can't infer these parameters, Agda emacs mode will highlight the expression in yellow in
120 | order to indicate that there is some parameter that could not be infered. Consider the next example:
121 | 
122 | %if False
123 | \begin{code}
124 | postulate plusComm : forall (a b : Nat) -> a :+ b == b :+ a
125 | \end{code}
126 | %endif
127 | \begin{spec}
128 | plusCommR : forall (a b c d e f: Nat) -> (a :+ b) == (c :+ d) -> (c :+ d) == (e :+ f) -> 
129 |                                          (a :+ b) == (e :+ f)
130 | plusCommR a b c = (HOLE GAP 0)
131 | \end{spec}
132 | 
133 | Here I'll need a better example for this...
134 | 
135 | 
136 | 


--------------------------------------------------------------------------------
/MoreAgda.lagda:
--------------------------------------------------------------------------------
  1 | \chapter{More About Agda}
  2 | 
  3 | This chapter introduces some features involving Agda's pattern matching mechanism that, 
  4 | together, allow us to prove many more theorems about the functional programs we are writing.
  5 | 
  6 | 
  7 | %if False
  8 | \begin{code}
  9 | module MoreAgda where
 10 | 
 11 | open import Basics hiding (_*_)
 12 | open import Lists hiding (rev; length;snoc)
 13 | open import Poly
 14 | \end{code}
 15 | %endif
 16 | 
 17 | \section{Using Hypothesis and Theorems}
 18 | 
 19 | We often encounter situations where the goal to be proved is exactly the same as some 
 20 | hypothesis in the context or some previously proved lemma.
 21 | \begin{code}
 22 | 
 23 | Eq : {l : Level}(A : Set l) -> A -> A -> Set l
 24 | Eq {l} A x y = _==_ {l} {A} x y
 25 | 
 26 | NListEq : List Nat -> List Nat -> Set
 27 | NListEq l1 l2 = Eq (List Nat) l1 l2
 28 | 
 29 | Silly1 : (n o m p : Nat) -> Set
 30 | Silly1 n o m p = n == m -> t1 -> t2 
 31 |                 where 
 32 |                   t1 = NListEq (n , o , nil) (n , p , nil)
 33 |                   t2 = NListEq (n , o , nil) (m , p , nil)
 34 | 
 35 | 
 36 | silly1 : forall (n m o p : Nat) -> Silly1 n o m p
 37 | silly1 n m o p nm rewrite nm = id
 38 | \end{code}                                          
 39 | 
 40 | 
 41 | \begin{code}
 42 | Hyp : Nat -> Nat -> Set
 43 | Hyp o p = forall (q r : Nat) -> q == r -> t q r
 44 |           where
 45 |             t : Nat -> Nat -> Set
 46 |             t q r = NListEq (q , o , nil) (r , p , nil)
 47 | 
 48 | Silly2 : (n m o p : Nat) -> Set
 49 | Silly2 n m o p = n == m -> Hyp o p -> t
 50 |                where
 51 |                  t = NListEq (n , o , nil) (m , p , nil)
 52 | 
 53 | silly2 : forall (n m o p : Nat) -> Silly2 n m o p
 54 | silly2 n m o p nm hyp = hyp n m nm
 55 | \end{code}
 56 | 
 57 | 
 58 | \begin{code}
 59 | NPairEq : (n m o p : Nat) -> Set
 60 | NPairEq n m o p = Eq (Nat * Nat) (n , m) (o , p)
 61 | 
 62 | Hyp2a : Set
 63 | Hyp2a = forall (q r : Nat) -> NPairEq q q r r -> NListEq (q , nil) (r , nil)
 64 | 
 65 | Silly2a : Nat -> Nat -> Set
 66 | Silly2a n m = NPairEq n n m m -> Hyp2a -> NListEq (n , nil) (m , nil)
 67 | 
 68 | silly2a : forall (n m : Nat) -> Silly2a n m
 69 | silly2a .m m refl hyp = refl
 70 | \end{code}
 71 | 
 72 | The next is a exercice
 73 | 
 74 | \begin{code}
 75 | SillyEx : Set
 76 | SillyEx = forall (n : Nat) -> evenb n == True -> oddb (suc n) == True
 77 | 
 78 | sillyEx : SillyEx -> evenb 3 == True -> oddb 4 == True
 79 | sillyEx silly = silly (suc (suc (suc zero)))
 80 | \end{code}
 81 | 
 82 | \begin{code}
 83 | silly3 : forall (n : Nat) -> True == beqNat n 5 -> beqNat (suc (suc n)) 7 == True
 84 | silly3 n = sym
 85 | \end{code}
 86 | 
 87 | Another exercice. Need revInvolutive property.
 88 | 
 89 | \begin{code}
 90 | revExercice1 : forall (l l' : List Nat) -> l == rev l' -> l' == rev l
 91 | revExercice1 l l' = {!!}
 92 | \end{code}
 93 | 
 94 | These next examples are used to justify the apply with tactic.
 95 | 
 96 | \begin{code}
 97 | transEqExample : forall (a b c d e f : Nat) -> NListEq (a , b , nil) (c , d , nil) ->
 98 |                                                NListEq (c , d , nil) (e , f , nil) ->
 99 |                                                NListEq (a , b , nil) (e , f , nil)
100 | transEqExample a b .a .b .a .b refl refl = refl
101 | \end{code}
102 | 
103 | Now, using |trans|.
104 | 
105 | \begin{code}
106 | transEqExample' : forall (a b c d e f : Nat) -> NListEq (a , b , nil) (c , d , nil) ->
107 |                                                 NListEq (c , d , nil) (e , f , nil) ->
108 |                                                 NListEq (a , b , nil) (e , f , nil)
109 | transEqExample' a b c d e f eq1 eq2 = trans eq1 eq2
110 | \end{code}
111 | 
112 | \section{Inversion}
113 | 
114 | Explanation. Pattern matching and emacs mode rocks.
115 | 
116 | \begin{code}
117 | eqAddSuc : forall {n m : Nat} -> suc n == suc m -> n == m
118 | eqAddSuc refl = refl
119 | \end{code}
120 | 
121 | \begin{code}
122 | silly4 : forall (n m : Nat) -> NListEq (n , nil) (m , nil) -> n == m
123 | silly4 .m m refl = refl
124 | \end{code}
125 | 
126 | \begin{code}
127 | silly5 : forall (n m o : Nat) -> NListEq (n , m , nil) (o , o , nil) -> NListEq (n , nil) (m , nil)
128 | silly5 .o .o o refl = refl
129 | \end{code}
130 | 
131 | now starts sillyex1. Need to explain absurd patterns.
132 | 
133 | \begin{code}
134 | sillyex1 : forall {l}(A : Set l)(x y z : A)(l j : List A) -> Eq (List A) (x , y , l) (z , j) ->
135 |                                                              Eq (List A) (y , l) (x , j)     ->
136 |                                                              x == y
137 | sillyex1 A .z y z l1 .(y , l1) refl ()
138 | \end{code}
139 | 
140 | \begin{code}
141 | silly6 : forall (n : Nat) -> suc n == 0 -> 2 + 2 == 5
142 | silly6 n ()
143 | 
144 | silly7 : forall (n m : Nat) -> True == False -> NListEq (n , nil) (m , nil)
145 | silly7 n m ()
146 | \end{code}
147 | 
148 | silly ex2
149 | 
150 | \begin{code}
151 | sillyex2 : forall {l}{A : Set l}(x y z : A)(l j : List A) -> 
152 |            Eq (List A) (x , y , l) nil -> 
153 |            Eq (List A) (y , l) (z , j) -> 
154 |            x == z
155 | sillyex2 x y z l j ()
156 | \end{code}
157 | 
158 | \begin{spec}
159 | cong : forall {A B : Set} (f : A -> B){x y : A} -> x == y -> f x == f y
160 | cong f {x} {.x} refl = refl
161 | \end{spec}
162 | 
163 | \begin{code}
164 | lengthSnoc' : forall {A : Set}(v : A)(l : List A)(n : Nat) -> 
165 |               length l == n -> length (snoc v l) == suc n
166 | lengthSnoc' v nil n h1 = cong suc h1
167 | lengthSnoc' v (x , l) zero () 
168 | lengthSnoc' v (x , l) (suc n) p = cong suc (lengthSnoc' v l n (eqAddSuc p))
169 | \end{code}
170 | 
171 | \begin{code}
172 | beqNat0L : forall (n : Nat) -> beqNat 0 n == True -> n == 0
173 | beqNat0L zero refl = refl
174 | beqNat0L (suc n) ()
175 | 
176 | beqNat0R : forall (n : Nat) -> beqNat n 0 == True -> n == 0
177 | beqNat0R zero refl = refl
178 | beqNat0R (suc n) ()
179 | \end{code}
180 | 
181 | 
182 | \section{Using Tactics on Hypothesis}
183 | 
184 | \begin{code}
185 | sucInj : forall (n m : Nat)(b : Bool) -> beqNat (suc n) (suc m) == b -> beqNat n m == b
186 | sucInj n m b p = p
187 | \end{code}
188 | 
189 | 
190 | \begin{code}
191 | Silly3' : Nat -> Set
192 | Silly3' n = (beqNat n 5 == True -> beqNat (suc (suc n)) 7 == True) ->
193 |             True == beqNat n 5 -> True == beqNat (suc (suc n)) 7
194 | 
195 | silly3' : forall (n : Nat) -> Silly3' n
196 | silly3' n h p = p
197 | \end{code}
198 | 
199 | an exercice
200 | 
201 | \begin{code}
202 | plusNSucM : forall (n m : Nat) -> suc (n + m) == n + suc m
203 | plusNSucM = {!!}
204 | 
205 | plusInjNN : forall (n m : Nat) -> n + n == m + m -> n == m
206 | plusInjNN zero zero p = refl
207 | plusInjNN zero (suc m) () 
208 | plusInjNN (suc n) zero () 
209 | plusInjNN (suc n) (suc m) p rewrite (sym (plusNSucM n n)) | (sym (plusNSucM m m)) 
210 |                = cong suc (plusInjNN n m (eqAddSuc (eqAddSuc p)))
211 | \end{code}
212 | 
213 | \section{Varying the Induction Hypothesis}
214 | 
215 | \begin{code}
216 | 
217 | double : Nat -> Nat
218 | double zero = zero
219 | double (suc n) = suc (suc (double n))
220 | 
221 | doubleInj : forall (n m : Nat) -> double n == double m -> n == m
222 | doubleInj zero zero h = refl
223 | doubleInj zero (suc m) () 
224 | doubleInj (suc n) zero () 
225 | doubleInj (suc n) (suc m) h = cong suc (doubleInj _ _ (eqAddSuc (eqAddSuc h)))
226 | \end{code}
227 | 
228 | exercice
229 | 
230 | \begin{code}
231 | beqNatTrue : forall (n m : Nat) -> beqNat n m == True -> n == m
232 | beqNatTrue zero zero h = refl
233 | beqNatTrue zero (suc m) ()
234 | beqNatTrue (suc n) zero ()
235 | beqNatTrue (suc n) (suc m) h = cong suc (beqNatTrue n m h)
236 | \end{code}
237 | 


--------------------------------------------------------------------------------
/proof.sty:
--------------------------------------------------------------------------------
  1 | %	proof.sty	(Proof Figure Macros)
  2 | %
  3 | % 	version 3.1 (for both LaTeX 2.09 and LaTeX 2e)
  4 | %	Nov 24, 2005
  5 | % 	Copyright (C) 1990 -- 2005, Makoto Tatsuta (tatsuta@nii.ac.jp)
  6 | % 
  7 | % This program is free software; you can redistribute it or modify
  8 | % it under the terms of the GNU General Public License as published by
  9 | % the Free Software Foundation; either versions 1, or (at your option)
 10 | % any later version.
 11 | % 
 12 | % This program is distributed in the hope that it will be useful
 13 | % but WITHOUT ANY WARRANTY; without even the implied warranty of
 14 | % MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 15 | % GNU General Public License for more details.
 16 | %
 17 | %	Usage:
 18 | %		In \documentstyle, specify an optional style `proof', say,
 19 | %			\documentstyle[proof]{article}.
 20 | %
 21 | %	The following macros are available:
 22 | %
 23 | %	In all the following macros, all the arguments such as
 24 | %	<Lowers> and <Uppers> are processed in math mode.
 25 | %
 26 | %	\infer<Lower><Uppers>
 27 | %		draws an inference.
 28 | %
 29 | %		Use & in <Uppers> to delimit upper formulae.
 30 | %		<Uppers> consists more than 0 formulae.
 31 | %
 32 | %		\infer returns \hbox{ ... } or \vbox{ ... } and
 33 | %		sets \@LeftOffset and \@RightOffset globally.
 34 | %
 35 | %	\infer[<Label>]<Lower><Uppers>
 36 | %		draws an inference labeled with <Label>.
 37 | %
 38 | %	\infer*<Lower><Uppers>
 39 | %		draws a many step deduction.
 40 | %
 41 | %	\infer*[<Label>]<Lower><Uppers>
 42 | %		draws a many step deduction labeled with <Label>.
 43 | %
 44 | %	\infer=<Lower><Uppers>
 45 | %		draws a double-ruled deduction.
 46 | %
 47 | %	\infer=[<Label>]<Lower><Uppers>
 48 | %		draws a double-ruled deduction labeled with <Label>.
 49 | %
 50 | %	\deduce<Lower><Uppers>
 51 | %		draws an inference without a rule.
 52 | %
 53 | %	\deduce[<Proof>]<Lower><Uppers>
 54 | %		draws a many step deduction with a proof name.
 55 | %
 56 | %	Example:
 57 | %		If you want to write
 58 | %       	       	    B C
 59 | %		 	   -----
 60 | %		       A     D
 61 | %		      ----------
 62 | %			  E
 63 | %	use
 64 | %		\infer{E}{
 65 | %			A
 66 | %			&
 67 | %			\infer{D}{B & C}
 68 | %		}
 69 | %
 70 | 
 71 | %	Style Parameters
 72 | 
 73 | \newdimen\inferLineSkip		\inferLineSkip=2pt
 74 | \newdimen\inferLabelSkip	\inferLabelSkip=5pt
 75 | \def\inferTabSkip{\quad}
 76 | 
 77 | %	Variables
 78 | 
 79 | \newdimen\@LeftOffset	% global
 80 | \newdimen\@RightOffset	% global
 81 | \newdimen\@SavedLeftOffset	% safe from users
 82 | 
 83 | \newdimen\UpperWidth
 84 | \newdimen\LowerWidth
 85 | \newdimen\LowerHeight
 86 | \newdimen\UpperLeftOffset
 87 | \newdimen\UpperRightOffset
 88 | \newdimen\UpperCenter
 89 | \newdimen\LowerCenter
 90 | \newdimen\UpperAdjust
 91 | \newdimen\RuleAdjust
 92 | \newdimen\LowerAdjust
 93 | \newdimen\RuleWidth
 94 | \newdimen\HLabelAdjust
 95 | \newdimen\VLabelAdjust
 96 | \newdimen\WidthAdjust
 97 | 
 98 | \newbox\@UpperPart
 99 | \newbox\@LowerPart
100 | \newbox\@LabelPart
101 | \newbox\ResultBox
102 | 
103 | %	Flags
104 | 
105 | \newif\if@inferRule	% whether \@infer draws a rule.
106 | \newif\if@DoubleRule	% whether \@infer draws doulbe rules.
107 | \newif\if@ReturnLeftOffset	% whether \@infer returns \@LeftOffset.
108 | 
109 | %	Special Fonts
110 | 
111 | \def\DeduceSym{\vtop{\baselineskip4\p@ \lineskiplimit\z@
112 |     \vbox{\hbox{.}\hbox{.}\hbox{.}}\hbox{.}}}
113 | 
114 | %	Macros
115 | 
116 | % Renaming @ifnextchar and @ifnch of LaTeX2e to @IFnextchar and @IFnch.
117 | 
118 | \def\@IFnextchar#1#2#3{%
119 |   \let\reserved@e=#1\def\reserved@a{#2}\def\reserved@b{#3}\futurelet
120 |     \reserved@c\@IFnch}
121 | \def\@IFnch{\ifx \reserved@c \@sptoken \let\reserved@d\@xifnch
122 |       \else \ifx \reserved@c \reserved@e\let\reserved@d\reserved@a\else
123 |           \let\reserved@d\reserved@b\fi
124 |       \fi \reserved@d}
125 | 
126 | \def\@ifEmpty#1#2#3{\def\@tempa{\@empty}\def\@tempb{#1}\relax
127 | 	\ifx \@tempa \@tempb #2\else #3\fi }
128 | 
129 | \def\infer{\@IFnextchar *{\@inferSteps}{\relax
130 | 	\@IFnextchar ={\@inferDoubleRule}{\@inferOneStep}}}
131 | 
132 | \def\@inferOneStep{\@inferRuletrue \@DoubleRulefalse
133 | 	\@IFnextchar [{\@infer}{\@infer[\@empty]}}
134 | 
135 | \def\@inferDoubleRule={\@inferRuletrue \@DoubleRuletrue
136 | 	\@IFnextchar [{\@infer}{\@infer[\@empty]}}
137 | 
138 | \def\@inferSteps*{\@IFnextchar [{\@@inferSteps}{\@@inferSteps[\@empty]}}
139 | 
140 | \def\@@inferSteps[#1]{\@deduce{#1}[\DeduceSym]}
141 | 
142 | \def\deduce{\@IFnextchar [{\@deduce{\@empty}}
143 | 	{\@inferRulefalse \@infer[\@empty]}}
144 | 
145 | %	\@deduce<Proof Label>[<Proof>]<Lower><Uppers>
146 | 
147 | \def\@deduce#1[#2]#3#4{\@inferRulefalse
148 | 	\@infer[\@empty]{#3}{\@infer[{#1}]{#2}{#4}}}
149 | 
150 | %	\@infer[<Label>]<Lower><Uppers>
151 | %		If \@inferRuletrue, it draws a rule and <Label> is right to
152 | %		a rule. In this case, if \@DoubleRuletrue, it draws
153 | %		double rules.
154 | %
155 | %		Otherwise, draws no rule and <Label> is right to <Lower>.
156 | 
157 | \def\@infer[#1]#2#3{\relax
158 | % Get parameters
159 | 	\if@ReturnLeftOffset \else \@SavedLeftOffset=\@LeftOffset \fi
160 | 	\setbox\@LabelPart=\hbox{$#1$}\relax
161 | 	\setbox\@LowerPart=\hbox{$#2$}\relax
162 | %
163 | 	\global\@LeftOffset=0pt
164 | 	\setbox\@UpperPart=\vbox{\tabskip=0pt \halign{\relax
165 | 		\global\@RightOffset=0pt \@ReturnLeftOffsettrue $##$&&
166 | 		\inferTabSkip
167 | 		\global\@RightOffset=0pt \@ReturnLeftOffsetfalse $##$\cr
168 | 		#3\cr}}\relax
169 | 	\UpperLeftOffset=\@LeftOffset
170 | 	\UpperRightOffset=\@RightOffset
171 | % Calculate Adjustments
172 | 	\LowerWidth=\wd\@LowerPart
173 | 	\LowerHeight=\ht\@LowerPart
174 | 	\LowerCenter=0.5\LowerWidth
175 | %
176 | 	\UpperWidth=\wd\@UpperPart \advance\UpperWidth by -\UpperLeftOffset
177 | 	\advance\UpperWidth by -\UpperRightOffset
178 | 	\UpperCenter=\UpperLeftOffset
179 | 	\advance\UpperCenter by 0.5\UpperWidth
180 | %
181 | 	\ifdim \UpperWidth > \LowerWidth
182 | 		% \UpperCenter > \LowerCenter
183 | 	\UpperAdjust=0pt
184 | 	\RuleAdjust=\UpperLeftOffset
185 | 	\LowerAdjust=\UpperCenter \advance\LowerAdjust by -\LowerCenter
186 | 	\RuleWidth=\UpperWidth
187 | 	\global\@LeftOffset=\LowerAdjust
188 | %
189 | 	\else	% \UpperWidth <= \LowerWidth
190 | 	\ifdim \UpperCenter > \LowerCenter
191 | %
192 | 	\UpperAdjust=0pt
193 | 	\RuleAdjust=\UpperCenter \advance\RuleAdjust by -\LowerCenter
194 | 	\LowerAdjust=\RuleAdjust
195 | 	\RuleWidth=\LowerWidth
196 | 	\global\@LeftOffset=\LowerAdjust
197 | %
198 | 	\else	% \UpperWidth <= \LowerWidth
199 | 		% \UpperCenter <= \LowerCenter
200 | %
201 | 	\UpperAdjust=\LowerCenter \advance\UpperAdjust by -\UpperCenter
202 | 	\RuleAdjust=0pt
203 | 	\LowerAdjust=0pt
204 | 	\RuleWidth=\LowerWidth
205 | 	\global\@LeftOffset=0pt
206 | %
207 | 	\fi\fi
208 | % Make a box
209 | 	\if@inferRule
210 | %
211 | 	\setbox\ResultBox=\vbox{
212 | 		\moveright \UpperAdjust \box\@UpperPart
213 | 		\nointerlineskip \kern\inferLineSkip
214 | 		\if@DoubleRule
215 | 		\moveright \RuleAdjust \vbox{\hrule width\RuleWidth
216 | 			\kern 1pt\hrule width\RuleWidth}\relax
217 | 		\else
218 | 		\moveright \RuleAdjust \vbox{\hrule width\RuleWidth}\relax
219 | 		\fi
220 | 		\nointerlineskip \kern\inferLineSkip
221 | 		\moveright \LowerAdjust \box\@LowerPart }\relax
222 | %
223 | 	\@ifEmpty{#1}{}{\relax
224 | %
225 | 	\HLabelAdjust=\wd\ResultBox	\advance\HLabelAdjust by -\RuleAdjust
226 | 	\advance\HLabelAdjust by -\RuleWidth
227 | 	\WidthAdjust=\HLabelAdjust
228 | 	\advance\WidthAdjust by -\inferLabelSkip
229 | 	\advance\WidthAdjust by -\wd\@LabelPart
230 | 	\ifdim \WidthAdjust < 0pt \WidthAdjust=0pt \fi
231 | %
232 | 	\VLabelAdjust=\dp\@LabelPart
233 | 	\advance\VLabelAdjust by -\ht\@LabelPart
234 | 	\VLabelAdjust=0.5\VLabelAdjust	\advance\VLabelAdjust by \LowerHeight
235 | 	\advance\VLabelAdjust by \inferLineSkip
236 | %
237 | 	\setbox\ResultBox=\hbox{\box\ResultBox
238 | 		\kern -\HLabelAdjust \kern\inferLabelSkip
239 | 		\raise\VLabelAdjust \box\@LabelPart \kern\WidthAdjust}\relax
240 | %
241 | 	}\relax % end @ifEmpty
242 | %
243 | 	\else % \@inferRulefalse
244 | %
245 | 	\setbox\ResultBox=\vbox{
246 | 		\moveright \UpperAdjust \box\@UpperPart
247 | 		\nointerlineskip \kern\inferLineSkip
248 | 		\moveright \LowerAdjust \hbox{\unhbox\@LowerPart
249 | 			\@ifEmpty{#1}{}{\relax
250 | 			\kern\inferLabelSkip \unhbox\@LabelPart}}}\relax
251 | 	\fi
252 | %
253 | 	\global\@RightOffset=\wd\ResultBox
254 | 	\global\advance\@RightOffset by -\@LeftOffset
255 | 	\global\advance\@RightOffset by -\LowerWidth
256 | 	\if@ReturnLeftOffset \else \global\@LeftOffset=\@SavedLeftOffset \fi
257 | %
258 | 	\box\ResultBox
259 | }
260 | 


--------------------------------------------------------------------------------
/SfLib.lagda:
--------------------------------------------------------------------------------
  1 | \chapter{Software Foundations Library}
  2 | 
  3 | Here we collect together several useful definitions and theorems from Basics.lagda, List.lagda, 
  4 | Poly.lagda, Induction.lagda, and Logic.lagda. From now on we can import this file, instead of 
  5 | cluttering our environment with all the examples and false starts in those files.
  6 | 
  7 | %if False
  8 | \begin{code}
  9 | module SfLib where
 10 | \end{code}
 11 | %endif
 12 | 
 13 | \section{Universe Levels}
 14 | 
 15 | \begin{code}
 16 | postulate Level : Set
 17 | postulate LZero : Level
 18 | postulate LSuc  : Level -> Level
 19 | postulate LMax  : Level -> Level -> Level
 20 | \end{code}
 21 | 
 22 | %if False
 23 | \begin{code}
 24 | {-# BUILTIN LEVEL Level #-}
 25 | {-# BUILTIN LEVELZERO LZero #-}
 26 | {-# BUILTIN LEVELSUC LSuc #-}
 27 | {-# BUILTIN LEVELMAX LMax #-}
 28 | \end{code}
 29 | %endif
 30 | 
 31 | 
 32 | \section{Propositional Equality}
 33 | 
 34 | \begin{code}
 35 | data _==_ {l}{A : Set l}(x : A) : A -> Set l where
 36 |   refl : x == x
 37 | 
 38 | infix 1 _==_ 
 39 | \end{code}
 40 | 
 41 | %if False
 42 | \begin{code}
 43 | {-# BUILTIN EQUALITY _==_ #-}
 44 | {-# BUILTIN REFL refl #-}
 45 | \end{code}
 46 | %endif
 47 | 
 48 | \subsection{Functions Over Equality}
 49 | 
 50 | \begin{code}
 51 | cong : forall {l l'}{A : Set l}{B : Set l'}(f : A -> B) {x y} -> x == y -> f x == f y
 52 | cong f refl = refl
 53 | 
 54 | sym : forall {l}{A : Set l}{x y : A} -> x == y -> y == x
 55 | sym refl = refl
 56 | 
 57 | trans : forall {l}{A : Set l}{x y z : A} -> x == y -> y == z -> x == z
 58 | trans refl refl = refl
 59 | \end{code}
 60 | 
 61 | \subsection{Equational Reasoning}
 62 | 
 63 | \begin{code}
 64 | infix 2 _QED
 65 | 
 66 | _QED : forall {l}{A : Set l}(x : A) -> x == x
 67 | x QED = refl
 68 | 
 69 | infixr 2 _==[_]_
 70 | 
 71 | infix 1 begin
 72 | 
 73 | _==[_]_ : forall {l}{A : Set l} (x : A) {y z} -> x == y -> y == z -> x == z
 74 | _==[_]_ x xy yz = trans xy yz
 75 | 
 76 | begin : forall {l}{A : Set l}{x y : A} -> x == y -> x == y
 77 | begin x = x
 78 | \end{code}
 79 | 
 80 | \section{Booleans}
 81 | 
 82 | \begin{code}
 83 | data Bool : Set where
 84 |   False : Bool
 85 |   True  : Bool
 86 | \end{code}
 87 | 
 88 | \subsection{Functions Over Booleans}
 89 | 
 90 | \begin{code}
 91 | not : Bool -> Bool
 92 | not False = True
 93 | not True = False
 94 | 
 95 | and : Bool -> Bool -> Bool
 96 | and True b = b
 97 | and False x = False
 98 | 
 99 | or : Bool -> Bool -> Bool
100 | or False b = b
101 | or True b = True
102 | 
103 | if_then_else : forall {l}{A : Set l} -> Bool -> A -> A -> A
104 | if True then e else e' = e
105 | if False then e else e' = e'
106 | \end{code}
107 | 
108 | \section{Natural Numbers}
109 | 
110 | \begin{code}
111 | data Nat : Set where
112 |   zero : Nat
113 |   suc  : Nat -> Nat
114 | \end{code}
115 | 
116 | %if False
117 | \begin{code}
118 | {-# BUILTIN NATURAL  Nat #-}
119 | {-# BUILTIN ZERO zero #-}
120 | {-# BUILTIN SUC  suc #-}
121 | \end{code}
122 | %endif
123 | 
124 | \subsection{Functions Over Natural Numbers}
125 | 
126 | \begin{code}
127 | _+N_ : Nat -> Nat -> Nat
128 | zero +N m  = m
129 | suc n +N m = suc (n +N m)
130 | 
131 | _*N_ : Nat -> Nat -> Nat
132 | zero *N m = zero
133 | suc n *N m = m +N (n *N m)
134 | 
135 | infixl 4 _+N_ _*N_
136 | 
137 | beqNat : Nat -> Nat -> Bool
138 | beqNat zero zero = True
139 | beqNat zero (suc m) = False
140 | beqNat (suc n) zero = False
141 | beqNat (suc n) (suc m) = beqNat n m
142 | 
143 | bleNat : Nat -> Nat -> Bool
144 | bleNat zero m = True
145 | bleNat (suc n) zero = False
146 | bleNat (suc n) (suc m) = bleNat n m
147 | \end{code}
148 | 
149 | \section{Logic Constructors}
150 | 
151 | \subsection{Falsehood, Negation and Truth}
152 | 
153 | \begin{code}
154 | data Empty : Set where
155 | 
156 | ~_ : forall {l}(A : Set l) -> Set l
157 | ~ A = A -> Empty
158 | 
159 | _/=_ : forall {l}{A : Set l} -> A -> A -> Set l
160 | x /= y = ~ (x == y)
161 | 
162 | data Unit : Set where
163 |   unit : Unit
164 | \end{code}
165 | 
166 | \subsection{Disjunction}
167 | 
168 | \begin{code}
169 | data _+_ {a b}(A : Set a)(B : Set b) : Set (LMax a b) where
170 |   inl : A -> A + B
171 |   inr : B -> A + B
172 | \end{code}
173 | 
174 | \subsection{Dependent products}
175 | 
176 | \begin{code}
177 | infixr 4 _,_ _*_
178 | 
179 | record Sigma {a b} (A : Set a) (B : A -> Set b) : Set (LMax a b) where
180 |   constructor _,_
181 |   field
182 |     fst : A
183 |     snd : B fst
184 | 
185 | open Sigma public
186 | \end{code}
187 | 
188 | \subsection{Conjuntion}
189 | 
190 | \begin{code}
191 | _*_  : forall {a b}(A : Set a)(B : Set b) -> Set (LMax a b)
192 | A * B = Sigma A (\_ -> B)
193 | \end{code}
194 | 
195 | \subsection{Existential Quantifier}
196 | 
197 | \begin{code}
198 | exists : forall {a b}{A : Set a}(B : A -> Set b) -> Set (LMax a b)
199 | exists = Sigma _
200 | \end{code}
201 | 
202 | \subsection{Predicates Over Natural Numbers}
203 | 
204 | \subsubsection{Evenness}
205 | 
206 | \begin{code}
207 | data Ev : Nat -> Set where
208 |   ev0 : Ev 0
209 |   evs : forall {n : Nat} -> Ev n -> Ev (suc (suc n))
210 | \end{code}
211 | 
212 | \subsubsection{Ordering}
213 | 
214 | \begin{code}
215 | data _<=_ : Nat -> Nat -> Set where
216 |   le0 : forall (n : Nat) -> 0 <= n
217 |   leS : forall (n m : Nat) -> n <= m -> suc n <= suc m
218 | 
219 | data _<='_ : Nat -> Nat -> Set where
220 |   leN  : forall (n : Nat) -> n <=' n
221 |   leS' : forall (n m : Nat) -> n <=' m -> n <=' suc m
222 | 
223 | _<_ : Nat -> Nat -> Set 
224 | n < m = n <= m * n /= m
225 | 
226 | _<'_ : Nat -> Nat -> Set
227 | n <' m = n <=' m * n /= m
228 | \end{code}
229 | 
230 | \begin{code}
231 | data _>=_ : Nat -> Nat -> Set where
232 |   ge0 : forall (n : Nat) -> n >= 0
233 |   geS : forall (n m : Nat) -> n >= m -> suc n >= m
234 | 
235 | data _>='_ : Nat -> Nat -> Set where
236 |   geN  : forall (n : Nat) -> n >=' n
237 |   geS' : forall (n m : Nat) -> n >=' m -> suc n >=' m
238 | 
239 | _>_ : Nat -> Nat -> Set 
240 | n > m = n >= m * n /= m
241 | 
242 | _>'_ : Nat -> Nat -> Set
243 | n >' m = n >=' m * n /= m
244 | \end{code}
245 | 
246 | \subsection{Lists}
247 | 
248 | \begin{code}
249 | data List {l}(A : Set l) : Set l where
250 |   [] : List A
251 |   _::_ : A -> List A -> List A
252 | 
253 | length : forall {l}{A : Set l} -> List A -> Nat
254 | length [] = 0
255 | length (_ :: xs) = suc (length xs)
256 | 
257 | _++_ : forall {l}{A : Set l} -> List A -> List A -> List A
258 | [] ++ ys = ys
259 | (x :: xs) ++ ys = x :: (xs ++ ys)
260 | \end{code}
261 | 
262 | \subsection{Some Useful Lemmas}
263 | 
264 | \begin{code}
265 | andTrueElim : forall (b c : Bool) -> and b c == True -> (b == True) * (c == True)
266 | andTrueElim False False ()
267 | andTrueElim False True ()
268 | andTrueElim True False ()
269 | andTrueElim True True refl = refl , refl
270 | 
271 | beqNatSym : forall (n m : Nat) -> beqNat n m == beqNat m n
272 | beqNatSym zero zero = refl
273 | beqNatSym zero (suc m) = refl
274 | beqNatSym (suc n) zero = refl
275 | beqNatSym (suc n) (suc m) = beqNatSym n m
276 | 
277 | eqNatDec : forall (x y : Nat) -> (x == y) + (x /= y)
278 | eqNatDec zero zero = inl refl
279 | eqNatDec zero (suc y) = inr (\ ())
280 | eqNatDec (suc x) zero = inr (\ ())
281 | eqNatDec (suc x) (suc y) with eqNatDec x y 
282 | eqNatDec (suc .y) (suc y) | inl refl = inl refl
283 | eqNatDec (suc x) (suc y) | inr r = inr (λ ctr → r (inv x y ctr)) where
284 |                          inv : forall (x y : Nat) -> suc x == suc y -> x == y
285 |                          inv zero zero p = refl
286 |                          inv zero (suc y) () 
287 |                          inv (suc x) zero () 
288 |                          inv (suc .y) (suc y) refl = refl
289 | 
290 | exFalsum : forall {l}{A : Set l} -> Empty -> A
291 | exFalsum ()
292 | 
293 | evNotEvS : forall (n : Nat) -> Ev n -> ~ Ev (suc n)
294 | evNotEvS zero p ()
295 | evNotEvS (suc n) p (evs ctr) = evNotEvS n ctr p
296 | 
297 | <=-succ : forall (n : Nat) -> ~ (suc n <= n)
298 | <=-succ .(suc m) (leS .(suc m) m p) = <=-succ m p
299 | 
300 | bleNatTrue : forall (n m : Nat) -> bleNat n m == True -> n <= m
301 | bleNatTrue zero zero p = le0 zero
302 | bleNatTrue (suc n) zero ()
303 | bleNatTrue zero (suc m) p = le0 (suc m)
304 | bleNatTrue (suc n) (suc m) p = leS n m (bleNatTrue n m p)
305 | 
306 | bleNatFalse : forall (n m : Nat) -> bleNat n m == False -> ~ (n <= m)
307 | bleNatFalse zero m () _
308 | bleNatFalse (suc n) zero refl () 
309 | bleNatFalse (suc n) (suc m) p (leS .n .m r) = bleNatFalse n m p r
310 | 
311 | data AppearsIn (n : Nat) : List Nat -> Set where
312 |   here  : forall l -> AppearsIn n (n :: l)
313 |   there : forall l n' -> AppearsIn n l -> AppearsIn n (n' :: l)
314 | 
315 | data NextNat (n : Nat) : Nat -> Set where
316 |   nn : NextNat n (suc n)
317 | 
318 | data TotalRelation : Nat -> Nat -> Set where
319 |   total : forall (n m : Nat) -> TotalRelation n m
320 | 
321 | data EmptyRelation : Nat -> Nat -> Set where 
322 | \end{code}
323 | 
324 | \subsection{From Later Chapters}
325 | 
326 | \begin{code}
327 | Relation : forall {l} -> Set l -> Set (LMax (LSuc LZero) l)
328 | Relation A = A -> A -> Set
329 | 
330 | Deterministic : forall {l}{A : Set l} (R : Relation A) -> Set l
331 | Deterministic {_} {A} R = forall (x y y' : A) -> R x y -> R x y' -> y == y'
332 | 
333 | data Star {l}(A : Set l)(R : Relation A) : A -> A -> Set l where
334 |   starRefl : forall (x : A) -> Star A R x x
335 |   starStep : forall (x y z : A) -> R x y -> Star A R y z -> Star A R x z
336 | 
337 | starR : forall {l}(A : Set l)(R : Relation A)(x y : A) -> R x y -> Star A R x y
338 | starR A R x y r = starStep x y y r (starRefl y)
339 | 
340 | starTrans : forall {l}(A : Set l)(R : Relation A)(x y z : A) -> Star A R x y -> Star A R y z -> Star A R x z
341 | starTrans A R .y y z (starRefl .y) yz = yz
342 | starTrans A R x y z (starStep .x y' .y x' xy) yz = starStep x y' z x' (starTrans A R y' y z xy yz)
343 | \end{code}
344 | 
345 | \section{Identifiers and Polymorphic Maps}
346 | 
347 | \begin{code}
348 | 
349 | data Id : Set where
350 |   id : Nat -> Id
351 | 
352 | 
353 | 
354 | \end{code}
355 | 


--------------------------------------------------------------------------------
/InductionProofs.lagda:
--------------------------------------------------------------------------------
  1 | %if False
  2 | \begin{code}
  3 | module InductionProofs where
  4 | \end{code}
  5 | %endif
  6 | 
  7 | \chapter{Proof by Induction}\label{induction-proofs}
  8 | 
  9 | The next line imports all definitions from the previous chapter.
 10 | \begin{code}
 11 | open import Basics
 12 | \end{code}
 13 | By processing this file with Agda using C-c C-l, the file |Basics| is loaded 
 14 | automatically.
 15 | 
 16 | \section{Naming Cases}
 17 | 
 18 | Unlike Coq, Agda does not have a way to define tactics for naming cases in
 19 | proofs by case analysis. Agda takes very seriously the Curry-Howard isomorphism
 20 | in which case analysis is understood as pattern matching in function definitions.
 21 | Consider the following example, that show a property of |and| function:
 22 | 
 23 | \begin{spec}
 24 | andElim1 : forall (b c : Bool) -> and b c == True -> b == True
 25 | andElim1 b c prf = (HOLE GAP 0)
 26 | \end{spec}
 27 | 
 28 | We can prove this by case analysis on |b|, since and is defined by analysis
 29 | on the first argument (see Section \ref{booleans}). So, we put |b| on the hole 
 30 | and trigger the case analysis using Agda mode to produce the following:
 31 | 
 32 | \begin{spec}
 33 | andElim1 : forall (b c : Bool) -> and b c == True -> b == True
 34 | andElim1 True c  prf = (HOLE GAP 0)
 35 | andElim1 False c prf = (HOLE GAP 1)
 36 | \end{spec}
 37 | 
 38 | Now, Agda type checker is able to reduce the hypothesis |prf| and
 39 | the goals hold definitionally using |refl|.
 40 | 
 41 | \begin{code}
 42 | andElim1 : forall (b c : Bool) -> and b c == True -> b == True
 43 | andElim1 True c  prf = refl
 44 | andElim1 False c prf = prf
 45 | \end{code}
 46 | 
 47 | \begin{exe}[Simple case analysis proof.]
 48 | Prove |andElim2|:
 49 | \begin{spec}
 50 | andElim2 : forall (b c : Bool) -> and b c == True -> c == True
 51 | andElim2 b c prf = (HOLE GAP 0)
 52 | \end{spec}
 53 | \end{exe}
 54 | 
 55 | \section{Proof by Induction}\label{proof-by-induction}
 56 | 
 57 | We proved in the last chapter that 0 is a neutral element for + on the left using a simple argument. 
 58 | The fact that it is also a neutral element on the right...
 59 | 
 60 | \begin{spec}
 61 | plus0R : forall (n : Nat) -> n + 0 == n
 62 | plus0R n = refl -- does not type check!
 63 | \end{spec}
 64 | 
 65 | ... cannot be proved in the same simple way. Just using |refl| doesn't work: the n in n + 0 is an arbitrary unknown number, 
 66 | so Agda cannot reduce the definition of + can't be simplified for check that |n + 0 == n|.
 67 | 
 68 | And reasoning by cases doesn't get us much further: the branch of the case analysis where we assume n = 0 goes through, 
 69 | but in the branch where |n = S n'| for some |n'| we get stuck in exactly the same way. We could pattern match on |n'| to 
 70 | get one step further, but since |n| can be arbitrarily large, if we try to keep on like this we'll never be done.
 71 | 
 72 | \begin{spec}
 73 | plus0R : forall (n : Nat) -> n + 0 == n
 74 | plus0R zero    = refl
 75 | plus0R (suc n') = (HOLE GAP 0) -- stuck here...
 76 | \end{spec}
 77 | 
 78 | To prove such facts --- indeed, to prove most interesting facts about numbers, lists, and other inductively defined sets 
 79 | --- we need a more powerful reasoning principle: \textbf{induction}.
 80 | 
 81 | Recall (from high school) the principle of induction over natural numbers: If |P(n)| is some proposition involving a natural 
 82 | number |n| and we want to show that |P| holds for all numbers |n|, we can reason like this:
 83 | \begin{itemize}
 84 |   \item show that |P(zero)| holds;
 85 |   \item show that, for any |n'|, if |P(n')| holds, then so does |P(suc n')|;
 86 |         conclude that |P(n)| holds for all |n|.
 87 | \end{itemize}
 88 | 
 89 | Note that the induction hypothesis can be seen as a ``recursive call'' of the property being proved over |n'|. Taking this
 90 | view, induction proofs are just recursive functions! Curry-Howard isomorphism, strikes again! We need to use the induction
 91 | hypothesis |plus0R n'|, which has type |n' + 0 == n'|, but the hole has type |?0 : (suc n' + 0) == suc n'|, that can be simplified
 92 | by Agda to |?0 : suc (n' + 0) == suc n'|, according to the definition of |+|. Note that, that only difference between the type
 93 | |suc (n' + 0) == suc n'| and the type of induction hypothesis |n' + 0 == n'| is the application of |suc| constructor in both sides
 94 | of the equality, showing a \textit{congruence} property. Function |cong| allows us to reason in this way by applying a function on
 95 | both sides of a given equality. For now, we will only use |cong| and other equality related functions as ``black-boxes''. Latter,
 96 | we will see how these are defined in Agda.
 97 | 
 98 | \begin{code}
 99 | plus0R : forall (n : Nat) -> n + 0 == n
100 | plus0R zero     = refl
101 | plus0R (suc n') = cong suc (plus0R n')
102 | \end{code}
103 | 
104 | As another example of an inductive proof over natural numbers, consider the following theorem:
105 | 
106 | \begin{code}
107 | minusDiag : forall (n : Nat) -> n - n == 0
108 | minusDiag zero     = refl
109 | minusDiag (suc n') = minusDiag n'
110 | \end{code}
111 | 
112 | \begin{exe}[Simple induction proofs]
113 | Prove the following lemmas using induction. You might need previously proven results.
114 | \begin{spec}
115 | mult0R : forall (n : Nat) -> n * 0 == 0
116 | mult0R = (HOLE GAP 0)
117 | 
118 | plusNSucM : forall (n m : Nat) -> suc (n + m) == n + suc m
119 | plusNSucM = (HOLE GAP 1)
120 | 
121 | plusComm : forall (n m : Nat) -> n + m == m + n
122 | plusComm = (HOLE GAP 2)
123 | 
124 | plusAssoc : forall (n m p : Nat) -> n + (m + p) == (n + m) + p
125 | plusAssoc = (HOLE GAP 3)
126 | \end{spec}
127 | \end{exe}
128 | 
129 | \begin{exe}{doublePlus}
130 | Consider the following function, which doubles its argument:
131 | \begin{code}
132 | double : Nat -> Nat
133 | double zero = zero
134 | double (suc n') = suc (suc (double n'))
135 | \end{code}
136 | Use induction to prove this simple fact about double:
137 | \begin{spec}
138 | doublePlus : forall (n : Nat) -> double n == n + n
139 | doublePlus = (HOLE GAP 0)
140 | \end{spec}
141 | \end{exe}
142 | 
143 | \section{Proofs within Proofs}\label{proofs-within-proofs}
144 | 
145 | In informal mathematics, large proofs are very often broken into a sequence of theorems, 
146 | with later proofs referring to earlier theorems. Occasionally, however, a proof will need some 
147 | miscellaneous fact that is too trivial (and of too little general interest) to bother giving it its 
148 | own top-level name. In such cases, it is convenient to be able to simply state and prove the needed ``sub-theorem'' 
149 | right at the point where it is used. In Agda, we can do this by simply stating this little theorem as a
150 | local definition using |where| reserved word. For people used to Haskell, local definitions are just as in Haskell.
151 | In fact, Agda syntax is heavily based on Haskell's. Next example shows how to use local definitions in a proof.
152 | 
153 | \begin{code}
154 | mult0Plus' : forall (n m : Nat) -> (0 + n) * m == n * m
155 | mult0Plus' n m = cong (\n -> n * m) h where
156 |            h : 0 + n == n
157 |            h = refl
158 | \end{code}
159 | 
160 | Here we use |h| as a sub-proof of the fact |0 + n == n| and a anonymous function --- denoted by the \ --- to represent
161 | the greek letter $\lambda$, that is used in $\lambda$-calculus to represent a function binding symbol.
162 | 
163 | The next is a more elaborate example of local definitions in proofs. Note that we need to make a local proof
164 | of the fact that |n + m == m + n|, using the previous fact (proved in an exercice) that addition is commutative.
165 | 
166 | %if False
167 | Here will define plusComm just to Agda doesn't bother me in the next definition. In the typeset version,
168 | this code will not appear, thanks to lhs2TeX.
169 | \begin{code}
170 | plusSnmnSm : forall (n m : Nat) -> suc (n + m) == n + suc m
171 | plusSnmnSm zero m = refl
172 | plusSnmnSm (suc n) m = cong suc (plusSnmnSm n m)
173 | 
174 | plusComm : forall (n m : Nat) -> n + m == m + n
175 | plusComm zero m = sym (plus0R m)
176 | plusComm (suc n) m = trans (plusSnmnSm n m) 
177 |                            (trans (plusComm n (suc m)) 
178 |                                   (plusSnmnSm m n)) 
179 | \end{code}
180 | %endif
181 | 
182 | \begin{code}
183 | plusRearrange : forall (n m p q : Nat) -> (n + m) + (p + q) == (m + n) + (p + q)
184 | plusRearrange n m p q = cong (\n -> n + p + q) nmComm where
185 |               nmComm : n + m == m + n
186 |               nmComm = plusComm n m
187 | \end{code}
188 | 
189 | \begin{exe}[Commutativity of Multiplication]
190 | Use local definitions to help prove this theorem. You shouldn't need to use induction.
191 | \begin{spec}
192 | plusSwap : forall (n m p : Nat) -> n + (m + p) == m + (n + p)
193 | plusSwap = (HOLE GAP 0)
194 | \end{spec}
195 | Now prove commutativity of multiplication. (You will probably need to define and prove a 
196 | separate subsidiary theorem to be used in the proof of this one.) You may find that 
197 | |plusSwap| comes in handy.
198 | \begin{spec}
199 | multComm : forall (n m : Nat) -> n * m == m * n
200 | multComm = (HOLE GAP 0)
201 | \end{spec}
202 | \end{exe}
203 | 
204 | \begin{exe}[even |n| implies odd |suc n|]
205 | Prove the following simple fact:
206 | \begin{spec}
207 | evenNoddSucN : forall (n : Nat) -> evenb n == not (oddb (suc n))
208 | evenNoddSucN = (HOLE GAP 0)
209 | \end{spec}
210 | \end{exe}
211 | 
212 | \section{More Exercices}
213 | 
214 | \begin{exe}
215 | Take a piece of paper. For each of the following theorems, first think about whether (a) 
216 | it can be proved using only simplification and rewriting, (b) it also requires case analysis, 
217 | or (c) it also requires induction. Write down your prediction. Then fill in the proof. 
218 | (There is no need to turn in your piece of paper; this is just to encourage you to reflect before hacking!)
219 | 
220 | \begin{spec}
221 | bleNatRefl : forall (n : Nat) -> True == bleNat n n
222 | bleNatRefl =  (HOLE GAP 0)
223 | 
224 | zeroNbeqSuc : forall (n : Nat) -> beqNat 0 (suc n) == False
225 | zeroNbeqSuc =  (HOLE GAP 1)
226 | 
227 | andFalseR : forall (b : Bool) -> and b False == False
228 | andFalseR =  (HOLE GAP 2)
229 | 
230 | plusBleCompatL : forall (n m p : Nat) -> bleNat n m == True -> 
231 |                  bleNat (p + n) (p + m) == True
232 | plusBleCompatL =  (HOLE GAP 3)
233 | 
234 | sucNBeq0 : forall (n : Nat) -> beqNat (suc n) zero == False
235 | sucNBeq0 =  (HOLE GAP 4)
236 | 
237 | mult1L : forall (n : Nat) -> 1 * n == n
238 | mult1L =  (HOLE GAP 5)
239 | 
240 | all3Spec : forall (b c : Bool) -> or (and b c) (or (not b) (not c)) == True
241 | all3Spec =  (HOLE GAP 6)
242 | 
243 | multPlusDistrR : forall (n m p : Nat) -> (n + m) * p == (n * p) + (m * p)
244 | multPlusDistrR =  (HOLE GAP 7)
245 | 
246 | multAssoc : forall (n m p : Nat) -> n * (m * p) == (n * m) * p
247 | multAssoc =  (HOLE GAP 8)
248 | 
249 | beqNatRefl : forall (n : Nat) -> True == beqNat n n
250 | beqNatRefl = (HOLE GAP 9)
251 | \end{spec}
252 | \end{exe}
253 | 
254 | \section{Equational Reasoning}\label{equational-reasoning}
255 | 
256 | Agda's supports for mixfix operators offers an excellent oportunity for creating
257 | operators that can resamble pencil-and-paper style of reasoning. In this section
258 | we will see how to use support for equational reasoning to construct a proof for
259 | commutativity of addition for natural numbers.
260 | 
261 | NOTE: I belive that here would be nice to talk a bit about the usage of equational
262 | reasoning proofs. Latter, in another chapter, talk about propositional equality and
263 | some functions over it.
264 | 


--------------------------------------------------------------------------------
/Propositions.lagda:
--------------------------------------------------------------------------------
  1 | \chapter{Propositions and Evidence}
  2 | 
  3 | In previous chapters, we have seen many examples of factual claims (propositions) 
  4 | and ways of presenting evidence of their truth (proofs). In particular, we have 
  5 | worked extensively with equality propositions of the form $e = e'$, with implications 
  6 | $P \to Q$, and with quantified propositions $\forall x. P(x)$.
  7 | 
  8 | This chapter will take us on a first tour of the propositional (logical) side of Agda. 
  9 | In particular, we will expand our repertoire of primitive propositions to include user-defined propositions, 
 10 | not just equality propositions.
 11 | 
 12 | %if False
 13 | \begin{code}
 14 | module Propositions where
 15 | 
 16 | open import Basics
 17 | open import Poly
 18 | --open import MoreAgda
 19 | \end{code}
 20 | %endif
 21 | 
 22 | \section{Inductively Defined Propositions}
 23 | 
 24 | As a running example, let's define a simple property of natural numbers — we'll call it ``beautiful.''
 25 | Informally, a number is \textit{beautiful} if it is 0, 3, 5, or the sum of two \textit{beautiful numbers}.
 26 | More pedantically, we can define beautiful numbers by giving four rules:
 27 | \begin{itemize}
 28 |   \item Rule $b_0$: The number 0 is beautiful.
 29 |   \item Rule $b_3$: The number 3 is beautiful.
 30 |   \item Rule $b_5$: The number 5 is beautiful.
 31 |   \item Rule $b_{sum}$: If n and m are both beautiful, then so is their sum.
 32 | \end{itemize}
 33 | We will see many definitions like this one during the rest of the course, and for purposes of 
 34 | informal discussions, it is helpful to have a lightweight notation that makes them easy to read and write. 
 35 | Inference rules are one such notation:
 36 | \[
 37 |   \begin{array}{c}
 38 |     \infer[(b_0)]
 39 |       {\textit{beautiful } 0}
 40 |       {}
 41 |       \\
 42 |       \\
 43 |     \infer[(b_3)]
 44 |       {\textit{beautiful } 3} 
 45 |       {}
 46 |       \\
 47 |       \\
 48 |     \infer[(b_5)]
 49 |       {\textit{beautiful } 5} 
 50 |       {}
 51 |       \\
 52 |       \\
 53 |     \infer[(b_{sum})]
 54 |       {\textit{beautiful } (n+m)}
 55 |       {\textit{beautiful } n & \textit{beautiful } m}
 56 |   \end{array}
 57 | \]
 58 | Each of the textual rules above is reformatted here as an inference rule; the intended reading is that, 
 59 | if the premises above the line all hold, then the conclusion below the line follows. For example, the 
 60 | rule $b_{sum}$ says that, if $n$ and $m$ are both beautiful numbers, then it follows that $n+m$ is 
 61 | beautiful too. If a rule has no premises above the line, then its conclusion hold unconditionally.
 62 | 
 63 | These rules define the property beautiful. That is, if we want to convince someone that some particular 
 64 | number is beautiful, our argument must be based on these rules. For a simple example, suppose we claim 
 65 | that the number 5 is beautiful. To support this claim, we just need to point out that rule $b_5$ says so. 
 66 | Or, if we want to claim that 8 is beautiful, we can support our claim by first observing that 3 and 5 are 
 67 | both beautiful (by rules $b_3$ and $b_5$) and then pointing out that their sum, 8, is therefore beautiful 
 68 | by rule $b_{sum}$. This argument can be expressed graphically with the following proof tree:
 69 | \[
 70 | \begin{array}{c}
 71 |   \infer[(b_{sum})]
 72 |       {\textit{beautiful }8}
 73 |       {
 74 |         \infer[(b_3)]
 75 |         {\textit{beautiful }3}
 76 |         {} 
 77 |         &
 78 |         \infer[(b_5)]
 79 |         {\textit{beautiful }5}
 80 |         {} 
 81 |       }
 82 | \end{array}
 83 | \]
 84 | In Agda we can express the property \textit{beautiful} as an inductive data type:
 85 | \begin{code}
 86 | data Beautiful : Nat -> Set where
 87 |    b0   : Beautiful 0
 88 |    b3   : Beautiful 3
 89 |    b5   : Beautiful 5
 90 |    bsum : forall {n m} -> Beautiful n -> Beautiful m -> Beautiful (n + m)
 91 | \end{code}
 92 | The first line declares that beautiful is a type, or more formally a family of types ``indexed by'' natural numbers. 
 93 | (That is, for each number n, the claim that ``n is beautiful'' is a type.). Such a family of types
 94 | is often called a property of numbers. Each of the remaining lines embodies one of the rules for beautiful numbers.
 95 | 
 96 | As you would expect, we can also prove theorems that have hypotheses about beautiful.
 97 | 
 98 | \begin{code}
 99 | beautifulPlus8 : forall {n} -> Beautiful n -> Beautiful (8 + n)
100 | beautifulPlus8 p = bsum (bsum b3 b5) p
101 | \end{code}
102 | 
103 | \begin{exe}
104 | Prove the following fact about beautiful numbers:
105 | \begin{spec}
106 | beautifulTimes : forall {n m} -> Beautiful n -> Beautiful (m * n)
107 | beautifulTimes = (HOLE GAP 0)
108 | \end{spec}
109 | \end{exe}
110 | 
111 | \subsection{Induction Over Evidence}
112 | 
113 | Besides constructing evidence that numbers are beautiful, we can also reason about such evidence.
114 | The fact that we introduced beautiful with an data type declaration tells Agda not only that the 
115 | constructors $b_0$, $b_3$, $b_5$ and $b_{sum}$ are ways to build evidence, but also that these two constructors 
116 | are the only ways to build evidence that numbers are beautiful.
117 | In other words, if someone gives us evidence $E$ for the assertion \textit{beautiful} $n$, then we know that $E$ 
118 | must have one of four shapes:
119 | 
120 | \begin{itemize}
121 |   \item $E$ is $b_0$ (and $n$ is $O$),
122 |   \item $E$ is $b_3$ (and $n$ is $3$),
123 |   \item $E$ is $b_5$ (and $n$ is $5$),
124 |   \item $E$ is $b_{sum}$ $n_1$ $n_2$ $E_1$ $E_2$ (and $n$ is $n1+n2$, where $E_1$ is evidence that $n_1$ is 
125 |          beautiful and $E_2$ is evidence that $n_2$ is beautiful).
126 | \end{itemize}
127 | 
128 | This permits us to analyze any hypothesis of the form \textit{beautiful} $n$ to see how it was constructed, 
129 | using pattern matching. In particular, we can use the advanced features of Agda's pattern matching mechanism
130 | to analyse inductive properties.
131 | 
132 | To illustrate this, let's define another property of numbers:
133 | 
134 | \begin{code}
135 | data Gorgeous : Nat -> Set where
136 |   g0 : Gorgeous 0
137 |   g3 : forall {n} -> Gorgeous n -> Gorgeous (3 + n)
138 |   g5 : forall {n} -> Gorgeous n -> Gorgeous (5 + n)
139 | \end{code}
140 | 
141 | \begin{exe}
142 | Prove the following fact:
143 | \begin{spec}
144 | gorgeousPlus13 : forall {n} -> Gorgeous n -> Gorgeous (13 + n)
145 | gorgeousPlus13 = (HOLE GAP 0)
146 | \end{spec}
147 | \end{exe}
148 | It seems intuitively obvious that, although gorgeous and beautiful are presented using 
149 | slightly different rules, they are actually the same property in the sense that they are 
150 | true of the same numbers. Indeed, we can prove this.
151 | \begin{code}
152 | gorgeousBeautiful : forall {n} -> Gorgeous n -> Beautiful n
153 | gorgeousBeautiful g0 = b0
154 | gorgeousBeautiful (g3 p) = bsum b3 (gorgeousBeautiful p)
155 | gorgeousBeautiful (g5 p) = bsum b5 (gorgeousBeautiful p)
156 | \end{code}
157 | Let's see what happens if we try to prove this by induction on $n$ instead of induction 
158 | on the evidence |Gorgeous n|.
159 | \begin{spec}
160 | gorgeousBeautiful' : forall n -> Gorgeous n -> Beautiful n
161 | gorgeousBeautiful' zero p = b0
162 | gorgeousBeautiful' (suc n) p = (HOLE GAP 0)
163 | \end{spec}
164 | The problem here is that doing induction on n doesn't yield a useful induction hypothesis. 
165 | Knowing how the property we are interested in behaves on the predecessor of $n$ doesn't help 
166 | us prove that it holds for $n$. Instead, we would like to be able to have induction hypotheses 
167 | that mention other numbers, such as $n - 3$ and $n - 5$. This is given precisely by the shape 
168 | of the constructors for gorgeous.
169 | \begin{exe}
170 | Prove the following fact:
171 | \begin{spec}
172 | gorgeousSum : forall {n m} -> Gorgeous n -> Gorgeous m -> Gorgeous (n + m)
173 | gorgeousSum = (HOLE GAP 0)
174 | \end{spec}
175 | \end{exe}
176 | 
177 | \begin{exe}
178 | Prove the following fact:
179 | \begin{spec}
180 | beautifulGorgeous : forall {n} -> Beautiful n -> Gorgeous n
181 | beautifulGorgeous = (HOLE GAP 0)
182 | \end{spec}
183 | \end{exe}
184 | 
185 | \subsection{From Boolean Functions to Propositions}
186 | 
187 | In chapter Basics we defined a function |evenb| that tests a number for evenness, 
188 | yielding |True| if so. We can use this function to define the type that some number |n| is even:
189 | \begin{code}
190 | even : Nat -> Set
191 | even n = evenb n == True
192 | \end{code}
193 | That is, we can define ``n is even'' to mean ``the function |evenb| returns |True| when applied to |n|.''
194 | 
195 | Note that here we have defined a type just as a function! Since, in Agda, types are first class values, we
196 | can create types dynamically. This isn't a fundamentally a new type; it is still just an equality.
197 | 
198 | Another alternative is to define the concept of evenness directly. Instead of going via the |evenb| function 
199 | (``a number is even if a certain computation yields true''), we can say what the concept of evenness means by 
200 | giving two different ways of presenting evidence that a number is even.
201 | \begin{code}
202 | data Ev : Nat -> Set where
203 |   ev0  : Ev 0
204 |   evss : forall {n} -> Ev n -> Ev (suc (suc n))
205 | \end{code}
206 | This definition says that there are two ways to give evidence that a number m is even. First, 0 is even, and 
207 | |ev0| is evidence for this. Second, if |m = suc (suc n)| for some |n| and we can give evidence |e| that |n| is 
208 | even, then |m| is also even, and |evss e| is the evidence.
209 | \begin{exe}
210 | Prove the following fact:
211 | \begin{spec}
212 | doubleEven : forall n -> Ev (double n)
213 | doubleEven = (HOLE GAP 0)
214 | \end{spec}
215 | \end{exe}
216 | 
217 | \subsection{Discussion: Computational vs. Inductive Definitions}
218 | 
219 | We have seen that the proposition ``n is even'' can be phrased in two different ways --- indirectly, via a 
220 | boolean testing function |evenb|, or directly, by inductively describing what constitutes evidence for evenness. 
221 | These two ways of defining evenness are about equally easy to state and work with. Which we choose is basically 
222 | a question of taste.
223 | 
224 | However, for many other properties of interest, the direct inductive definition is preferable, since writing a 
225 | testing function may be awkward or even impossible.
226 | 
227 | One such property is beautiful. This is a perfectly sensible definition of a set of numbers, but we cannot translate 
228 | its definition directly into a Agda recursive function. We might be able to find a clever way of testing this 
229 | property using a function (indeed, it is not too hard to find one in this case), but in general this could require 
230 | arbitrarily deep thinking. In fact, if the property we are interested in is uncomputable, then we cannot define 
231 | it as a function no matter how hard we try, because Agda requires that all functions correspond to terminating computations.
232 | 
233 | On the other hand, writing an inductive definition of what it means to give evidence for the property beautiful is straightforward.
234 | 
235 | Here is a proof that the inductive definition of evenness implies the computational one.
236 | 
237 | \begin{code}
238 | evEven : forall {n} -> Ev n -> even n
239 | evEven ev0 = refl
240 | evEven (evss p) = evEven p
241 | \end{code}
242 | 
243 | \begin{exe}
244 | Prove the following fact:
245 | \begin{spec}
246 | evSum : forall {n m} -> Ev n -> Ev m -> Ev (n + m)
247 | evSum = (HOLE GAP 0)
248 | \end{spec}
249 | \end{exe}
250 | 
251 | \subsection{Pattern Matching on Evidence}
252 | 
253 | Another situation where we want to analyze evidence for evenness is when proving that, 
254 | if n is even, then pred (pred n)) is too. In this case, all we need is pattern matching:
255 | \begin{code}
256 | evMinus2 : forall {n} -> Ev n -> Ev (pred (pred n))
257 | evMinus2 ev0 = ev0
258 | evMinus2 (evss e) = e
259 | \end{code}
260 | 
261 | Another example, in which pattern matching helps narrow down to the relevant cases.
262 | \begin{code}
263 | evSSEven : forall {n} -> Ev (suc (suc n)) -> Ev n
264 | evSSEven (evss e) = e
265 | \end{code}
266 | 
267 | \begin{exe}
268 | Finding the appropriate thing to do induction on is a bit tricky here:
269 | \begin{spec}
270 | sumEv : forall {n m} -> Ev (n + m) -> Ev n -> Ev m
271 | sumEv = (HOLE GAP 0)
272 | \end{spec}
273 | \end{exe}
274 | 
275 | \begin{exe}
276 | Here's an exercise that just requires applying existing lemmas. No induction 
277 | or even case analysis is needed, but some of the rewriting may be tedious.
278 | \begin{spec}
279 | evPlusPlus : forall {n m p} -> Ev (n + m) -> Ev (n + p) -> Ev (m + p)
280 | evPlusPlus = (HOLE GAP 0)
281 | \end{spec}
282 | \end{exe}
283 | 
284 | 
285 | \section{Additional Exercises}
286 | 
287 | \begin{exe}[Palindromes]
288 | A palindrome is a sequence that reads the same backwards as forwards.
289 | \begin{enumerate}
290 |   \item Define an inductive type |Palindrome| indexed by |List A| that captures what it means to be a palindrome.
291 |         (Hint: You'll need three cases. Your definition should be based on the structure of the list; just having
292 |          a single constructor |c : forall l -> l == rev l -> Palindrome l| may seem obvious, but will not work very well.)
293 |   \item Prove that |forall l -> Palindrome (l ++ rev l)|
294 |   \item Prove that |forall l -> Palindrome l -> l == rev l| 
295 | \end{enumerate}
296 | \end{exe}
297 | 
298 | \begin{exe}[Subsequences]
299 | A list is a subsequence of another list if all of the elements in the first list occur in the same order in the 
300 | second list, possibly with some extra elements in between. For example,
301 | |(1 , 2 , 3, nil)|
302 | is a subsequence of each of the lists
303 |     |(1 , 2 , 3 , nil)|
304 |     |(1 , 1 , 1 , 2 , 2 , 3 , nil)|
305 |     |(1 , 2 , 7 , 3 , nil)|
306 |     |(5 , 6 , 1 , 9 , 9 , 2 , 7 , 3 , 8 , nil)|
307 | but it is not a subsequence of any of the lists
308 |     |(1 , 2 , nil)|
309 |     |(1 , 3 , nil)|
310 | \begin{enumerate}
311 |   \item Define an inductive proposition |SubSeq| on |List Nat| that captures what it means to be a subsequence. 
312 |         (Hint: You'll need three cases.)
313 |   \item Prove that for any lists |l_1|, |l_2|, and |l_3|, if |l_1| is a subsequence of |l_2|, then |l_1| is also a subsequence of |l_2 ++ l_3|.
314 |   \item Prove that subsquence is a transitive relation on lists.
315 | \end{enumerate}
316 | \end{exe}
317 | 


--------------------------------------------------------------------------------
/Logic.lagda:
--------------------------------------------------------------------------------
  1 | \chapter{Logic in Agda}
  2 | 
  3 | Agda's built-in logic is very small: the only primitives are data type definitions, 
  4 | universal quantification (|forall|), and implication (|->|), while all the other familiar 
  5 | logical connectives --- conjunction, disjunction, negation, existential quantification, 
  6 | even equality --- can be encoded using just these.
  7 | This chapter explains the encodings and explain with some details how equality works in Agda.
  8 | 
  9 | %if False
 10 | \begin{code}
 11 | module Logic where
 12 | 
 13 | open import Basics hiding (_*_) renaming (_+_ to _:+_)
 14 | open import Poly
 15 | open import Propositions
 16 | open import MorePropositions
 17 | \end{code}
 18 | %endif
 19 | 
 20 | \section{Conjunction}
 21 | 
 22 | The logical conjunction of types |A| and |B| can be represented with a data type that
 23 | combines the evidence of |A| and a evidence of |B| in an evidence of its conjunction.
 24 | 
 25 | \begin{spec}
 26 | data _*_ (A B : Set) : Set where
 27 |   _,_ : A -> B -> A * B
 28 | \end{spec}
 29 | 
 30 | Note that, like the definition of |Ev| in a previous chapter, this definition is parameterized; 
 31 | however, in this case, the parameters are themselves types, rather than numbers.
 32 | The intuition behind this definition is simple: to construct evidence for $A \land B$, we must provide 
 33 | evidence for |A| and evidence for |B|. More precisely:
 34 | \begin{itemize}
 35 |   \item |a , b| can be taken as evidence for |A * B| if |a| is evidence for |A| and |b| is evidence for |B|; and
 36 |   \item this is the only way to give evidence for |A * B| --- that is, if someone gives us evidence for 
 37 |         |A * B|, we know it must have the form |a , b|, where |a| is evidence for |A| and |b| is evidence for |B|.
 38 | \end{itemize}
 39 | Besides the elegance of building everything up from a tiny foundation, what's nice about defining conjunction 
 40 | this way is that we can prove statements involving conjunction using pattern matching. Consider the next example:
 41 | \begin{code}
 42 | andExample : Beautiful 0 * Beautiful 3
 43 | andExample = b0 , b3
 44 | \end{code}
 45 | The evidence for |Beautiful 0 * Beautiful 3| is just a pair of evidences, one for |Beautiful 0| and other for |Beautiful 3|.
 46 | 
 47 | We can pattern match on a conjunction in order to extract one of its components, as in the following example:
 48 | \begin{code}
 49 | andElimL : forall {A B : Set} -> A * B -> A
 50 | andElimL (a , b) = a
 51 | 
 52 | andElimR : forall {A B : Set} -> A * B -> B
 53 | andElimR (a , b) = b
 54 | \end{code}
 55 | 
 56 | \begin{exe}
 57 | Prove that conjunction is commutative:
 58 | \begin{spec}
 59 | andComm : forall {A B : Set} -> A * B -> B * A
 60 | andComm = (HOLE GAP 0)
 61 | \end{spec}
 62 | \end{exe}
 63 | 
 64 | \begin{exe}
 65 | Prove that conjunction is associative:
 66 | \begin{spec}
 67 | andAssoc : forall {A B C : Set} -> A * (B * C) -> (A * B) * C
 68 | andAssoc = (HOLE GAP 0)
 69 | \end{spec}
 70 | \end{exe}
 71 | 
 72 | \subsection{If and only if}
 73 | 
 74 | The handy ``if and only if'' connective is just the conjunction of two implications.
 75 | 
 76 | \begin{code}
 77 | _<->_ : forall (A B : Set) -> Set
 78 | A <-> B = (A -> B) * (B -> A)
 79 | 
 80 | iffImplies : forall {A B : Set} -> A <-> B -> A -> B
 81 | iffImplies (p , q) = p
 82 | 
 83 | iffSym : forall {A B : Set} -> A <-> B -> B <-> A
 84 | iffSym (p , q) = q , p
 85 | \end{code}
 86 | 
 87 | \begin{exe}
 88 | Using the proof that |<->| is symmetric (|iffSym|) as a guide,
 89 | prove that it is also reflexive e transitive.
 90 | \begin{spec}
 91 | iffRefl : forall (A : Set) -> A <-> A
 92 | iffRefl = (HOLE GAP 0)
 93 | 
 94 | iffTrans : forall (A B C : Set) -> A <-> B -> B <-> C -> A <-> C
 95 | iffTrans = (HOLE GAP 0)
 96 | \end{spec}
 97 | \end{exe}
 98 | 
 99 | 
100 | \section{Disjunction}
101 | 
102 | Disjunction ("logical or") can also be defined as an data type.
103 | 
104 | \begin{code}
105 | data _+_ (A B : Set) : Set where
106 |   inl : A -> A + B
107 |   inr : B -> A + B
108 | \end{code}
109 | 
110 | Intuitively, there are two ways of giving evidence for |A + B|:
111 | \begin{itemize}
112 |   \item give evidence for |A| (and say that it is |A| you are giving evidence for 
113 |         --- this is the function of the |inl| constructor), or
114 |   \item give evidence for |B|, tagged with the |inr| constructor.
115 | \end{itemize}
116 | 
117 | Since |A + B| has two constructors, doing pattern matching on a parameter of its type 
118 | will need to two equations.
119 | 
120 | \begin{code}
121 | orComm : forall {A B : Set} -> A + B -> B + A
122 | orComm (inl p) = inr p
123 | orComm (inr q) = inl q
124 | 
125 | orDistrAnd' : forall {A B C : Set} -> A + (B * C) -> (A + B) * (A + C)
126 | orDistrAnd' (inl p)       = inl p , inl p
127 | orDistrAnd' (inr (p , q)) = inr p , inr q
128 | \end{code}
129 | 
130 | \begin{exe}
131 | Prove the following theorem:
132 | \begin{spec}
133 | orDistrAnd : forall {A B C : Set} -> A + (B * C) <-> (A + B) * (A + C)
134 | orDistrAnd = (HOLE GAP 0)
135 | \end{spec}
136 | \end{exe}
137 | 
138 | \subsection{Relating |+| and |*| with |or| and |and|}
139 | 
140 | We've already seen several places where analogous structures can be found in 
141 | Agda's computational (expressions) and logical (types --- Set terms) worlds. Here is one more: 
142 | the boolean operators |and| and |or| are clearly analogs of the types |*| and |+|. 
143 | This analogy can be made more precise by the following theorems, which show how to translate 
144 | knowledge about |and| and |or|'s behaviors on certain inputs into propositional facts about those inputs.
145 | 
146 | \begin{code}
147 | andbProp : forall b c -> and b c == True -> (b == True) * (c == True)
148 | andbProp True .True refl = refl , refl
149 | andbProp False c ()
150 | 
151 | andTrueIntro : forall b c -> (b == True) * (c == True) -> and b c == True
152 | andTrueIntro True .True (refl , refl) = refl
153 | andTrueIntro False _    (()   , _   )
154 | \end{code}
155 | 
156 | \begin{exe}
157 | Prove the following theorems:
158 | \begin{spec}
159 | andBFalse : forall b c -> and b c == False -> (b == False) + (c == False)
160 | andBFalse = (HOLE GAP 0)
161 | 
162 | orBTrue : forall b c -> or b c == True -> (b == True) + (c == True)
163 | orBTrue = (HOLE GAP 0)
164 | 
165 | orBFalseElim : forall b c -> or b c == False = (b == False) * (c == False)
166 | orBFalseElim = (HOLE GAP 0)
167 | \end{spec}
168 | \end{exe}
169 | 
170 | \section{Falsehood}
171 | 
172 | Logical falsehood can be represented in Agda as an data type with no constructors.
173 | 
174 | \begin{code}
175 | data Empty : Set where
176 | \end{code}
177 | Intuition: |Empty| is a proposition for which there is no way to give evidence.
178 | 
179 | Since |Empty| has no constructors, pattern matching an assumption of type |Empty| 
180 | always yields zero subgoals, allowing us to immediately prove any goal.
181 | \begin{code}
182 | falseImpliesNonSense : Empty -> 2 == 3
183 | falseImpliesNonSense ()
184 | \end{code}
185 | Actually, since the proof of |falseImpliesNonSense| doesn't actually have anything 
186 | to do with the specific nonsensical thing being proved; it can easily be generalized 
187 | to work for an arbitrary |A|:
188 | \begin{code}
189 | emptyElim : forall {A : Set} -> Empty -> A
190 | emptyElim ()
191 | \end{code}
192 | This function encodes the principle \textit{ex falso quodlibet} means, literally, 
193 | ``from falsehood follows whatever you please.'' This theorem is also known as 
194 | the \textit{principle of explosion}.
195 | 
196 | \subsection{Truth}
197 | 
198 | Since we have defined falsehood in Agda, one might wonder whether it is possible to 
199 | define truth in the same way. We can.
200 | \begin{code}
201 | data Unit : Set where
202 |   unit : Unit
203 | \end{code}
204 | Truth is represented as a type with a unique inhabitant, with evidence |unit|.
205 | However, unlike |Empty|, which we'll use extensively, |Unit| is used fairly 
206 | rarely. By itself, it is trivial (and therefore uninteresting) to prove as a 
207 | goal, and it carries no useful information as a hypothesis. But it can be 
208 | useful when defining complex types using conditionals, or as a parameter to higher-order types.
209 | 
210 | 
211 | \section{Negation}
212 | 
213 | The logical complement of a proposition |A| is written |~A|:
214 | \begin{code}
215 | ~_ : (A : Set) -> Set
216 | ~ A = A -> Empty
217 | \end{code}
218 | The intuition is that, if |A| is not true, then anything at all 
219 | (even |Empty|) follows from assuming |A|.
220 | 
221 | Unlike Coq, Agda automatically expands |~ A| definition in holes,
222 | so, there's no special tactic to ``unfold'' definitions like negation.
223 | 
224 | \begin{exe}
225 | Prove the following facts:
226 | \begin{spec}
227 | doubleNeg : forall A -> A -> ~ ~ A
228 | doubleNeg = (HOLE GAP 0)
229 | 
230 | contrapositive : forall A B -> (A -> B) -> (~ B -> ~ A)
231 | contrapositive = (HOLE GAP 1)
232 | \end{spec}
233 | \end{exe}
234 | 
235 | \subsection{Inequality}
236 | 
237 | Saying |x /= y| is just the same as saying |~(x == y)|.
238 | \begin{code}
239 | _/=_ : {A : Set} (x y : A) -> Set
240 | x /= y = ~ (x == y)
241 | \end{code}
242 | Since inequality involves a negation, it again requires a little practice to be able 
243 | to work with it fluently. Here is one very useful trick. If you are trying to prove a 
244 | goal that is nonsensical (e.g., the goal state is |False == True|, apply the lemma 
245 | |emptyElim| to change the goal to |Empty|. This makes it easier to use assumptions 
246 | of the form |~ P| that are available in the context --- in particular, assumptions 
247 | of the form |x /= y|.
248 | \begin{code}
249 | notFalseThenTrue : forall b -> b /= False -> b == True
250 | notFalseThenTrue True p = refl
251 | notFalseThenTrue False p = emptyElim (p refl)
252 | \end{code}
253 | 
254 | \begin{exe}
255 | Prove the following theorems:
256 | \begin{spec}
257 | falseBeqNat : forall (n m : Nat) -> n /= m -> beqNat n m == False
258 | falseBeqNat = (HOLE GAP 0)
259 | 
260 | beqNatFalse : forall (n m : Nat) -> beqNat n m == False -> n /= m
261 | beqNatFalse = (HOLE GAP 1)
262 | 
263 | beqLeFalse : forall (n m : Nat) -> bleNat n m == False -> ~ (n <= m)
264 | beqLeFalse = (HOLE GAP 2)
265 | \end{spec}
266 | \end{exe}
267 | 
268 | \section{Existential Quantification}
269 | 
270 | Another critical logical connective is existential quantification. 
271 | We can express it with the following definition:
272 | 
273 | \begin{code}
274 | data exists {A : Set} (P : A -> Set) : Set where
275 |   exIntro : forall (witness : A) -> P witness -> exists P
276 | \end{code}
277 | 
278 | That is, |exists| is a family of types indexed by a type |A| and a property |P| over |A|. 
279 | In order to give evidence for the assertion ``there exists an |x| for which the property |P| holds''
280 |  we must actually name a witness --- a specific value |x| --- and then give evidence for |P x|, i.e., 
281 | evidence that |x| has the property |P|.
282 | 
283 | Let's consider a simple example of an existencial proposition:
284 | \begin{code}
285 | sampleEx : exists (\ n -> evenb n == True)
286 | sampleEx = exIntro zero refl
287 | \end{code}
288 | Note that we have to explicitly give the witness, |zero| and the proof term that it satisfies the property
289 | |evenb zero == True|.
290 | 
291 | If we have an existential hypothesis in the context, we can eliminate it with pattern matching, as shown in the next example. 
292 | \begin{spec}
293 | sampleEx2 : forall n -> exists (\ m -> n == 4 + m) -> exists (\ o -> n == 2 + o)
294 | sampleEx2 n (exIntro w prf) = (HOLE GAP 0)
295 | \end{spec}
296 | To finish this proof, we need to pattern match on |prf|, producing:
297 | \begin{spec}
298 | sampleEx2 : forall n -> exists (\ m -> n == 4 :+ m) -> exists (\ o -> n == 2 :+ o)
299 | sampleEx2 .(suc (suc (suc (suc w)))) (exIntro w refl) = (HOLE GAP 0)
300 | \end{spec}
301 | that is trivially solved using C-c C-a for calling Agsy --- Agda's auto solver.
302 | \begin{code}
303 | sampleEx2 : forall n -> exists (\ m -> n == 4 :+ m) -> exists (\ o -> n == 2 :+ o)
304 | sampleEx2 .(suc (suc (suc (suc w)))) (exIntro w refl) = exIntro (suc (suc w)) refl
305 | \end{code}
306 | 
307 | \begin{exe}
308 | Prove that existential quantification distributes over disjunction.
309 | \begin{spec}
310 | distrExistsOr : forall (A : Set)(P Q : A -> Set), exists (\ x -> P x + Q x) <-> (exists (\ x -> P x) + exists (\ x -> Q x))
311 | distrExistsOr = (HOLE GAP 0)
312 | \end{spec}
313 | \end{exe}
314 | 
315 | \section{Equality}
316 | 
317 | Even Agda's equality relation is not built in. It has (roughly) the following inductive definition.
318 | 
319 | \begin{spec}
320 | data _==_ {l}{A : Set l}(x : A) : A -> Set l where
321 |   refl : x == x
322 | \end{spec}
323 | 
324 | The definition of |_==_| is a bit subtle. The way to think about it is that, given a set |A|, it defines 
325 | a family of propositions ``|x| is equal to |y|,'' indexed by pairs of values (|x| and |y|) from |A|. 
326 | There is just one way of constructing evidence for members of this family: applying the constructor |refl| 
327 | to a type |A| and a value |x : A| yields evidence that |x| is equal to |x|.
328 | 
329 | \begin{exe}[Leibniz Equality]
330 | The inductive definitions of equality corresponds to Leibniz equality: what we mean when we say ``x and y are equal'' 
331 | is that every property on |P| that is true of |x| is also true of |y|.
332 | \begin{spec}
333 | leibnizEquality : forall (A : Set) (x y : A) -> x == y -> forall (P : A -> Set) -> P x -> P y
334 | leibnizEquality = (HOLE GAP 0)
335 | \end{spec}
336 | \end{exe}
337 | 
338 | We can use |refl| to construct evidence that, for example, |2 == 2|. Can we also use it to construct evidence that 
339 | |1 + 1 = 2|? Yes: indeed, it is the very same piece of evidence! The reason is that Agda treats as ``the same'' 
340 | any two terms that are convertible according to a simple set of computation rules. These rules include evaluation of 
341 | function application, inlining of definitions, and simplification of matches.
342 | 
343 | \section{Evidence-carrying booleans}
344 | 
345 | So far we've seen two different forms of equality predicates: |_==_|, which produces a |Set|, and the type-specific forms, 
346 | like |beqNat|, that produce boolean values. The former are more convenient to reason about, but we've relied on the latter 
347 | to let us use equality tests in computations. While it is straightforward to write lemmas (e.g. beqNatTrue and beqNatFalse) 
348 | that connect the two forms, using these lemmas quickly gets tedious.
349 | 
350 | It turns out that we can get the benefits of both forms at once by using a sum type (logical ``or'').
351 | 
352 | Think of sum type as being like the boolean type, but instead of its values being just |True| and |False|, 
353 | they carry evidence of truth or falsity. This means that when we pattern match on them, we are left with the 
354 | relevant evidence as a hypothesis.
355 | 
356 | Here we define a better function for equality test on |Nat|:
357 | \begin{code}
358 | eqNatDec : forall (x y : Nat) -> (x == y) + (x /= y)
359 | eqNatDec zero zero = inl refl
360 | eqNatDec zero (suc y) = inr (\ ())
361 | eqNatDec (suc x) zero = inr (\ ())
362 | eqNatDec (suc x) (suc y) with eqNatDec x y 
363 | eqNatDec (suc .y) (suc y) | inl refl = inl refl
364 | eqNatDec (suc x) (suc y) | inr r = inr (λ ctr → r (inv x y ctr)) where
365 |                          inv : forall (x y : Nat) -> suc x == suc y -> x == y
366 |                          inv zero zero p = refl
367 |                          inv zero (suc y) () 
368 |                          inv (suc x) zero () 
369 |                          inv (suc .y) (suc y) refl = refl
370 | \end{code}
371 | 
372 | Read as a theorem, this says that equality on |Nat| is decidable: that is, given two |Nat| values, we can always 
373 | produce either evidence that they are equal or evidence that they are not. Read computationally, |eqNatDec| takes 
374 | two |Nat| values and returns a sum constructed with |inl| if they are equal and |inr| if they are not; this result 
375 | can be tested with pattern matching.
376 | 
377 | \section{Additional Exercices}
378 | 
379 | \begin{exe}[Stutter]
380 | Formulating inductive definitions of predicates is an important skill you'll need in this course. Try to solve 
381 | this exercise without any help at all (except from your study group partner, if you have one).
382 | 
383 | We say that a list of numbers ``stutters'' if it repeats the same number consecutively. The predicate (type) ``NoStutter l''
384 |  means that a list |l| does not stutter. Formulate an inductive definition for |NoStutter|. 
385 | (Note that the sequence 1,4,1 does not stutter, but 1,1,4 does.)
386 | 
387 | After, check if your definition was right by doing the following tests:
388 | 
389 | \begin{spec}
390 | test1 : NoStutter (3 , 1 ,4 , 1 , 5 , 6 , nil)
391 | test1 = (HOLE GAP 0)
392 | 
393 | test2 : NoStutter nil
394 | test2 = (HOLE GAP 1)
395 | 
396 | test3 : ~ NoSutter (3 , 1 , 1 , 0 , nil)
397 | test3 = (HOLE GAP 2)
398 | \end{spec}
399 | 
400 | \end{exe}
401 | 


--------------------------------------------------------------------------------
/Lists.lagda:
--------------------------------------------------------------------------------
  1 | %if False
  2 | \begin{code}
  3 | module Lists where
  4 | open import Basics
  5 | open import InductionProofs
  6 | \end{code}
  7 | %endif
  8 | 
  9 | \chapter{Lists --- Working with Structured Data}\label{lists}
 10 | 
 11 | \section{Pairs of Numbers}
 12 | 
 13 | In a data type definition, each constructor can take any number of arguments ---
 14 |  none (as with |True| and |zero|), one (as with |suc|), or more than one, as in this definition:
 15 | 
 16 | \begin{code}
 17 | data NatProd : Set where
 18 |   _,_ : Nat -> Nat -> NatProd
 19 | \end{code}
 20 | 
 21 | This declaration can be read: ``There is just one way to construct a pair of numbers: by applying 
 22 | the constructor |,| to two arguments of type |Nat|.''
 23 | 
 24 | Here are two simple function definitions for extracting the first and second components of a pair. 
 25 | (The definitions also illustrate how to do pattern matching on two-argument constructors.)
 26 | 
 27 | \begin{code}
 28 | fst : NatProd -> Nat
 29 | fst (n , _) = n
 30 | 
 31 | snd : NatProd -> Nat
 32 | snd (_ , n) = n
 33 | \end{code}
 34 | 
 35 | The |NatProd| ilustrates that, in Agda, we can define infix constructors naturally by marking 
 36 | argument positions with underscores.
 37 | 
 38 | Let's try and prove a few simple facts about pairs. If we state the lemmas in a particular 
 39 | (and slightly peculiar) way, we can prove them with just |refl| (and its built-in simplification):
 40 | 
 41 | \begin{code}
 42 | surjectivePairing : forall (n m : Nat) -> (n , m) == (fst (n , m) , snd (n , m))
 43 | surjectivePairing n m = refl
 44 | \end{code}
 45 | 
 46 | Another way to state and prove this simple lemma is using pattern matching (case analysis):
 47 | \begin{code}
 48 | surjectivePairing' : forall (p : NatProd) -> p == (fst p , snd p)
 49 | surjectivePairing' (n , m) = refl
 50 | \end{code}
 51 | Here, in order to be able to state the definitional equality between |p| and  |(fst p , snd p)| we
 52 | need to pattern match on |p| in order to Agda be able to reduce functions |fst| and |snd|.
 53 | 
 54 | \begin{exe}[Projections and Swap]
 55 | First, define a function |swap| which swaps the first and second element of a given pair:
 56 | \begin{spec}
 57 | swap : NatProd -> NatProd
 58 | swap = (HOLE GAP 0)
 59 | \end{spec}
 60 | Next prove this property:
 61 | \begin{spec}
 62 | fstSndSwap : forall (p : NatProd) -> (snd p , fst p) == swap p
 63 | fstSndSwap = (HOLE GAP 0)
 64 | \end{spec}
 65 | \end{exe}
 66 | 
 67 | \section{List of Numbers}\label{list-of-numbers}
 68 | 
 69 | Generalizing the definition of pairs a little, we can describe the type of lists of numbers 
 70 | like this: ``A list is either the empty list or else a pair of a number and another list.''
 71 | 
 72 | \begin{code}
 73 | data NList : Set where
 74 |   <>  : NList
 75 |   _,_ : Nat -> NList -> NList
 76 | 
 77 | infixr 4 _,_
 78 | \end{code}
 79 | 
 80 | As an example, here we have a simple 3-element list:
 81 | 
 82 | \begin{code}
 83 | sample : NList 
 84 | sample = 1 , 2 , 3 , <>
 85 | \end{code}
 86 | 
 87 | As you might be an alert reader, Agda supports overloading of data constructors. The context
 88 | of a given expression is used to determine of which we are considering.
 89 | 
 90 | A number of functions are useful for manipulating lists. For example, the |repeat| function 
 91 | takes a number |n| and a |count| and returns a list of length |count| where every element is |n|.
 92 | 
 93 | \begin{code}
 94 | repeat : Nat -> Nat -> NList
 95 | repeat n zero = <>
 96 | repeat n (suc m) = n , repeat n m
 97 | \end{code}
 98 | 
 99 | The |length| function calculates the number of elements of a given list.
100 | 
101 | \begin{code}
102 | length : NList -> Nat
103 | length <> = zero
104 | length (x , xs) = suc (length xs)
105 | \end{code}
106 | 
107 | The |++| (``append'') function concatenate two lists:
108 | 
109 | \begin{code}
110 | infixr 4 _++_
111 | 
112 | _++_ : NList -> NList -> NList
113 | <> ++ ys = ys
114 | (x , xs) ++ ys = x , (xs ++ ys)
115 | \end{code}
116 | 
117 | Here are two smaller examples of programming with lists. The |head| function returns 
118 | the first element (the ``head'') of the list, while |tail| returns everything but the 
119 | first element (the ``tail''). Of course, the empty list has no first element, so 
120 | we must pass a default value to be returned in that case.
121 | 
122 | \begin{code}
123 | head : NList -> (default : Nat) -> Nat
124 | head <>      d = d
125 | head (x , _) d = x
126 | 
127 | tail : NList -> NList
128 | tail <>       = <>
129 | tail (_ , xs) = xs
130 | \end{code}
131 | 
132 | \begin{exe}[Definition of |nonZeros|]
133 | Define the function |nonZeros| that remove all |zero| values from a |NList|. Implement your function
134 | in such a way that |testNonZeros| be a type correct term.
135 | \begin{spec}
136 | nonZeros : NList -> NList
137 | nonZeros = (HOLE GAP 0)
138 | 
139 | testNonZeros : (0 , 1 , 0 , 2 , 0 , <>) == (1 , 2 , <>)
140 | testNonZeros = refl
141 | \end{spec}
142 | \end{exe}
143 | 
144 | \begin{exe}[Definition of |oddMembers|]
145 | Define the function |oddMembers| that remove all even values from a |NList|. Implement your function
146 | in such a way that |testOddMembers| be a type correct term.
147 | \begin{spec}
148 | oddMembers : NList -> NList
149 | oddMembers = (HOLE GAP 0)
150 | 
151 | testOddMembers : (0 , 1 , 0 , 3 , 0 , <>) == (1 , 3 , <>)
152 | testOddMembers = refl
153 | \end{spec}
154 | \end{exe}
155 | 
156 | \begin{exe}[Definition of |alternate|]
157 | Implement |alternate| that alternates two given |NLists| into one.
158 | \begin{spec}
159 | alternate : NList -> NList -> NList
160 | alternate = (HOLE GAP 0)
161 | \end{spec}
162 | \end{exe}
163 | 
164 | %if False
165 | This really simple example does not pass throught Coq's termination checker!
166 | 
167 | \begin{code}
168 | alternate : NList -> NList -> NList
169 | alternate <> l2 = l2
170 | alternate l1 <> = l1
171 | alternate (x , l1) (y , l2) = x , y , alternate l1 l2
172 | \end{code}
173 | %endif
174 | 
175 | \section{Bag via Lists}
176 | 
177 | A bag (or multiset) is like a set, but each element can appear multiple times instead of just once. 
178 | One reasonable implementation of bags is to represent a bag of numbers as a list.
179 | \begin{code}
180 | Bag : Set
181 | Bag = NList
182 | \end{code}
183 | Note that |Bag| is explicitly annotated with type |Set|, that is the type of ``types''.
184 | \begin{exe}[Functions over bags]
185 | Complete the following definitions for the functions |count|, |sum|, |add|, and |member| for bags.
186 | Again, implement your functions in a way that the test cases are typeable by Agda.
187 | \begin{spec}
188 | count : Bag -> Bag
189 | count = (HOLE GAP 0)
190 | 
191 | testCount1 : count 1 (1 , 2 , 1 , <>) == 2
192 | testCount1 = refl
193 | 
194 | testCount2 : count 3 (1 , 2 , 1 , <>) == 0
195 | testCount2 = refl
196 | 
197 | sum : Bag -> Nat
198 | sum = (HOLE GAP 0)
199 | 
200 | testSum : sum (1 , 2 , 1 , <>) == 6
201 | testSum = refl
202 | 
203 | add : Nat -> Bag -> Bag
204 | add = (HOLE GAP 0)
205 | 
206 | testAdd : count 1 (add 1 (1 , 2 , 1 , <>)) == 3
207 | testAdd = refl
208 | 
209 | member : Nat -> Bag -> Bool
210 | member = (HOLE GAP 0)
211 | 
212 | testMember1 : member 1 (1 , 2 , 1 , <>) == True
213 | testMember1 = refl
214 | 
215 | testMember2 : member 3 (1 , 2 , 1 , <>) == False
216 | testMember2 = refl
217 | \end{spec}
218 | \end{exe}
219 | 
220 | \begin{exe}[More |bag| functions]
221 | Here are some more bag functions for you to practice with.
222 | \begin{spec}
223 | removeOne : Nat -> Bag -> Bag
224 | removeOne = (HOLE GAP 0)
225 | 
226 | testRemoveOne1 : count 1 (removeOne 1 (1 , 2 , 1 , <>)) == 1
227 | testRemoveOne1 = refl
228 | 
229 | testRemoveOne2 : count 1 (removeOne 1 (1 , 2 , 1 , <>)) == 2
230 | testRemoveOne2 = refl
231 | 
232 | removeAll : Nat -> Bag -> Bag
233 | removeAll = (HOLE GAP 0)
234 | 
235 | testRemoveAll : count 1 (removeAll 1 (1 , 2 , 1 , <>)) == 0
236 | testRemoveAll = refl
237 | 
238 | subset : Bag -> Bag -> Bool
239 | subset = (HOLE GAP 0)
240 | 
241 | testSubset1 : subset (1 , 2 , <>) (3 , 1 , 2 , <>) == True
242 | testSubset1 = refl
243 | 
244 | testSubset2 : subset (2 , 3 , <>) (1 , 2 , 4 , <>) == False
245 | testSubset2 = refl
246 | \end{spec}
247 | \end{exe}
248 | 
249 | \begin{exe}
250 | Write down an interesting theorem about bags involving the functions |count| and |add|, 
251 | and prove it. Note that, since this problem is somewhat open-ended, it's possible that 
252 | you may come up with a theorem which is true, but whose proof requires techniques you 
253 | haven't learned yet. Feel free to ask for help if you get stuck!
254 | \end{exe}
255 | 
256 | \section{Reasoning about Lists}
257 | 
258 | Just as with numbers, simple facts about list-processing functions can sometimes be 
259 | proved entirely by simplification. For example, the simplification performed by |refl| 
260 | is enough for this theorem...
261 | \begin{code}
262 | nilAppL : forall (n : NList) -> <> ++ n == n
263 | nilAppL n = refl
264 | \end{code}
265 | ... because the |<>| is substituted into the match position in the definition of |++|, 
266 | allowing the match itself to be simplified.
267 | 
268 | Also, as with numbers, it is sometimes helpful to perform case analysis on the 
269 | possible shapes (empty or non-empty) of an unknown list, as shown in this little theorem:
270 | \begin{code}
271 | tailLengthPred : forall (n : NList) -> pred (length n) == length (tail n)
272 | tailLengthPred <>      = refl
273 | tailLengthPred (x , n) = refl
274 | \end{code}
275 | Usually, though, interesting theorems about lists require induction for their proofs.
276 | 
277 | \subsection{Micro-sermon}
278 | 
279 | Simply reading example proofs will not get you very far! It is very important to work 
280 | through the details of each one, using Agda and thinking about what each step of the 
281 | proof achieves. Otherwise it is more or less guaranteed that the exercises will make no sense.
282 | 
283 | \subsection{Induction on Lists}
284 | 
285 | Proofs by induction over datatypes like |NList| are perhaps a little less familiar than standard 
286 | natural number induction, but the basic idea is equally simple. Each data type declaration defines 
287 | a set of data values that can be built up from the declared constructors: a boolean can be either 
288 | |True| or |False|; a number can be either |zero| or |suc| applied to a number; a list can be 
289 | either |<>| or |,| applied to a number and a list.
290 | 
291 | Moreover, applications of the declared constructors to one another are the only possible shapes that 
292 | elements of a inductively defined set can have, and this fact directly gives rise to a way of reasoning 
293 | about inductively defined sets: a number is either |zero| or else it is |suc| applied to some smaller number; a list 
294 | is either |<>| or else it is |,| applied to some number and some smaller list; etc. So, if we have in mind 
295 | some proposition |P| that mentions a list |l| and we want to argue that |P| holds for all lists, we can reason as follows:
296 | \begin{itemize}
297 |   \item First, show that |P| is true of |l| when |l| is |<>|.
298 |   \item Then show that |P| is true of |l| when |l| is |n , l'| for some number |n| and some smaller list |l'|, assuming that 
299 |         |P| is true for |l'|.
300 | \end{itemize}
301 | Since larger lists can only be built up from smaller ones, eventually reaching |<>|, these two things 
302 | together establish the truth of |P| for all lists |l|. Here's a concrete example:
303 | \begin{code}
304 | appAssoc : forall (l1 l2 l3 : NList) -> l1 ++ (l2 ++ l3) == (l1 ++ l2) ++ l3
305 | appAssoc <> l2 l3 = refl
306 | appAssoc (x , l1) l2 l3 = 
307 |     ((x , l1) ++ (l2 ++ l3)) ==[ refl ]
308 |     (x , (l1 ++ (l2 ++ l3))) ==[ cong (\p -> x , p) (appAssoc l1 l2 l3) ]
309 |     (x , ((l1 ++ l2) ++ l3)) 
310 |   QED
311 | \end{code}
312 | Here we use Agda infix operators to do some equational reasoning in proofs, that allow us to argue in a 
313 | pencil and paper fashion. The operator |==[?]| acts like a
314 | equality that uses the term between brackets to rewrite the current term and |QED| finish the proof.
315 | 
316 | The same proof can be done in the following way, in a paper:
317 | 
318 | \begin{theorem}
319 | For all |NList|s |l1|, |l2| and |l3|, we have |l1 ++ (l2 ++ l3) == (l1 ++ l2) ++ l3|.
320 | \end{theorem}
321 | \begin{proof}
322 | We will proceed by induction on |l1|.
323 | \begin{enumerate}
324 |   \item Case |l1 = <>|: In this case we have: |<>| $|++| (l2 |++| l3) \equiv l2 |++| l3 \equiv$ $($|<>| $|++| l2) |++| l3$, as required.
325 |   \item Case |l1 = x , l1'|: We have that:
326 |   \begin{center}
327 |   \begin{tabular}{lcl}
328 |     (x , l1') ++ (l2 ++ l3) & $\equiv$ & \{by def.\}\\
329 |     x , (l1' ++ (l2 ++ l3)) & $\equiv$ & \{by I.H.\}\\
330 |     x , ((l1' ++ l2) ++ l3  & $\equiv$ & \{by def.\}\\
331 |     ((x , l1') ++ l2) ++ l3 & $\Box$  
332 |   \end{tabular}
333 |   \end{center}
334 |   as required.
335 | \end{enumerate}
336 | \end{proof}
337 | 
338 | Here's another simple example:
339 | 
340 | \begin{code}
341 | appLength : forall (n n' : NList) -> length (n ++ n') == length n + length n'
342 | appLength <> n' = refl
343 | appLength (x , xs) n' = 
344 |     length ((x , xs) ++ n')     ==[ refl ]
345 |     length (x , (xs ++ n'))     ==[ refl ]
346 |     suc (length (xs ++ n'))     ==[ cong suc (appLength xs n') ]
347 |     suc (length xs + length n') ==[ refl ]
348 |     length (x , xs) + length n'
349 |     QED
350 | \end{code}
351 | 
352 | \begin{exe}[Practice informal proof]
353 | Prove |appLength| theorem using a informal style, like the proof for |appAssoc|.
354 | \end{exe}
355 | 
356 | For a slightly more involved example of an inductive proof over lists, suppose we define a 
357 | ``cons on the right'' function snoc like this...
358 | 
359 | \begin{code}
360 | snoc : Nat -> NList -> NList
361 | snoc n <> = n , <>
362 | snoc n (x , xs) = x , (snoc n xs)
363 | \end{code}
364 | 
365 | ... and use it to define a list-reversing function |rev| like this:
366 | 
367 | \begin{code}
368 | rev : NList -> NList
369 | rev <> = <>
370 | rev (x , xs) = snoc x (rev xs)
371 | \end{code}
372 | 
373 | Now let's prove some more list theorems using our newly defined snoc and rev. For something a 
374 | little more challenging than the inductive proofs we've seen so far, let's prove that 
375 | reversing a list does not change its length. Our first attempt at this proof gets stuck in the successor case...
376 | 
377 | \begin{spec}
378 | revLength : forall (n : NList) -> length (rev n) == length n
379 | revLength <> = refl
380 | revLength (x , xs) =
381 |       length (rev (x , xs)) ==[ refl ]
382 |       length (snoc x (rev xs)) ==[ (HOLE GAP 0) ]
383 |       suc (length (rev xs))    ==[ (HOLE GAP 1) ]
384 |       suc (length xs)          ==[ (HOLE GAP 2) ]
385 |       length (x , xs)
386 |       QED
387 | \end{spec}
388 | 
389 | So let's take the equation about snoc that would have enabled us to make progress and prove it as a separate lemma.
390 | 
391 | \begin{code}
392 | lengthSnoc : forall (n : Nat)(l : NList) -> length (snoc n l) == suc (length l)
393 | lengthSnoc n <> = refl
394 | lengthSnoc n (x , xs) =
395 |       length (snoc n (x , xs)) ==[ refl ]
396 |       length (x , (snoc n xs)) ==[ refl ]
397 |       suc (length (snoc n xs)) ==[ cong suc (lengthSnoc n xs) ]
398 |       suc (length (x , xs))
399 |       QED
400 | \end{code}
401 | 
402 | Note that we make the lemma as general as possible: in particular, we quantify over all natlists, not just those 
403 | that result from an application of |rev|. This should seem natural, because the truth of the goal clearly doesn't 
404 | depend on the list having been reversed. Moreover, it is much easier to prove the more general property.
405 | 
406 | Now we can complete the original proof.
407 | 
408 | \begin{code}
409 | revLength : forall (l : NList) -> length (rev l) == length l
410 | revLength <> = refl
411 | revLength (x , xs) =
412 |       length (rev (x , xs))    ==[ refl ]
413 |       length (snoc x (rev xs)) ==[ lengthSnoc x (rev xs) ]
414 |       suc (length (rev xs))    ==[ cong suc (revLength xs) ]
415 |       suc (length xs)          ==[ refl ]
416 |       length (x , xs)
417 |       QED
418 | \end{code}
419 | 
420 | \begin{theorem}
421 | For all numbers n and lists l, length (snoc n l) = suc (length l).
422 | \end{theorem}
423 | \begin{proof}
424 | We will proceed by induction |l|.
425 | \begin{itemize}
426 |   \item Caso |l = <>|. We have that:
427 |   \begin{center}
428 |     \begin{tabular}{lcl}
429 |       |length (snoc n <>)| & $\equiv$ & \{by def.\} \\
430 |       |length (n , <>)|    & $\equiv$ & \{by def.\} \\
431 |       |suc zero|           & $\equiv$ & \{by def.\} \\
432 |       |suc (length <>)|
433 |     \end{tabular}
434 |   \end{center}
435 |   as required.
436 |   \item Caso |l = x , xs|. We have that:
437 |   \begin{center}
438 |     \begin{tabular}{lcl}
439 |       |length (snoc n (x , xs))| & $\equiv$ & \{by def.\} \\
440 |       |length (x , snoc n xs) |  & $\equiv$ & \{by def.\} \\
441 |       |suc (length (snoc n xs))| & $\equiv$ & \{by def.\} \\
442 |       |suc (suc (length xs))|    & $\equiv$ & \{by I.H.\} \\
443 |       |suc (length (x , xs))| 
444 |     \end{tabular}
445 |   \end{center}
446 |   as required.
447 | \end{itemize}
448 | \end{proof}
449 | 
450 | \begin{theorem}
451 | Theorem: For all lists l, length (rev l) = length l.
452 | \end{theorem}
453 | \begin{proof}
454 | We will proceed by induction |l|.
455 | \begin{itemize}
456 |   \item Case |l = nil|. We have that:
457 |   \begin{center}
458 |     \begin{tabular}{lcl}
459 |       |length (rev <>)| & $\equiv$ & \{by def.\} \\
460 |       |length <>|       & $\equiv$ & \{by def.\} \\
461 |       |zero|            & $\equiv$ & \{by def.\} \\
462 |       |length <>|
463 |     \end{tabular}
464 |   \end{center}
465 |   as required.
466 |   \item Case |l = x , xs|. We have that:
467 |   \begin{center}
468 |     \begin{tabular}{lcl}
469 |       length (rev (x , xs)) & $\equiv$ & \{by def.\} \\
470 |       length (snoc x (rev xs)) & $\equiv$ & \{by lengthSnoc\} \\
471 |       suc (length (rev xs)) & $\equiv$ & \{by I.H.\} \\
472 |       suc (length xs)
473 |     \end{tabular}
474 |   \end{center}
475 |   as required.
476 | \end{itemize}
477 | \end{proof}
478 | 
479 | \subsection{List Exercices, Part 1}
480 | 
481 | More practice with lists.
482 | 
483 | \begin{spec}
484 | appNilEnd : forall (l : NList) -> l ++ <> == l
485 | appNilEnd = (HOLE GAP 0)
486 | 
487 | revInvolutive : forall (l : NList) -> rev (rev l) == l
488 | revInvolutive = (HOLE GAP 1)
489 | \end{spec}
490 | 
491 | There is a short solution to the next exercise. If you find yourself getting tangled up, 
492 | step back and try to look for a simpler way.
493 | 
494 | \begin{spec}
495 | appAss4 : forall (l1 l2 l3 l4 : NList) -> l1 ++ (l2 ++ (l3 ++ l4)) == ((l1 ++ l2) ++ l3) ++ l4
496 | appAss4 = (HOLE GAP 0)
497 | 
498 | snocApp : forall (l : NList) -> snoc n l == l ++ (n , <>)
499 | snocApp = (HOLE GAP 1)
500 | 
501 | distrRev : forall (l1 l2 : NList) -> rev (l1 ++ l2) == rev l2 ++ rev l1
502 | distrRev = (HOLE GAP 2)
503 | 
504 | revInjective : forall (l l' : NList) -> rev l == rev l' -> l == l'
505 | revInjective = (HOLE GAP 3)
506 | \end{spec}
507 | 
508 | \section{Maybe}
509 | 
510 | Here is another type definition that is often useful in day-to-day programming:
511 | \begin{code}
512 | data NatMaybe : Set where
513 |   Just : Nat -> NatMaybe
514 |   Nothing : NatMaybe
515 | \end{code}
516 | One use of natoption is as a way of returning ``error codes'' from functions. 
517 | For example, suppose we want to write a function that returns the nth element of some list. 
518 | If we give it type |Nat -> NList -> Nat|, then we'll have to return some number when the list is too short!
519 | \begin{code}
520 | indexBad : Nat -> NList -> Nat
521 | indexBad _ <> = 42 -- arbitrary...
522 | indexBad zero (x , xs) = x
523 | indexBad (suc n) (_ , xs) = indexBad n xs
524 | \end{code}
525 | On the other hand, if we give it type |Nat -> NList -> NatMaybe|, then we can return |Nothing| when the 
526 | list is too short and |Just a| when the list has enough members and |a| appears at position |n|.
527 | \begin{code}
528 | index : Nat -> NList -> NatMaybe
529 | index _ <> = Nothing
530 | index zero (x , _) = Just x
531 | index (suc n) (_ , xs) = index n xs
532 | \end{code}
533 | 
534 | \begin{exe}[Head]
535 | Implement the function |head| from earlier so we don't have to pass a default element for the |<>| case.
536 | \end{exe}
537 | 
538 | \begin{exe}[Equality of NLists]
539 | Define a function |beqNList| that tests the equality of two given |NList|s and prove the following property:
540 | 
541 | \begin{spec}
542 | beqNList : forall (l : NList) -> beqNList l l
543 | beqNList = (HOLE GAP 0)
544 | \end{spec}
545 | \end{exe}
546 | 
547 | 
548 | 


--------------------------------------------------------------------------------
/Poly.lagda:
--------------------------------------------------------------------------------
  1 | \chapter{Polymorphism and High-Order Functions}
  2 | 
  3 | In this chapter we continue our development of basic concepts of functional programming. 
  4 | The critical new ideas are polymorphism (abstracting functions over the types of the data 
  5 | they manipulate) and higher-order functions (treating functions as data).
  6 | %if False
  7 | \begin{code}
  8 | module Poly where
  9 | 
 10 | open import Basics hiding (_*_)
 11 | open import Lists hiding (length;_++_;snoc;rev;fst;snd;index)
 12 | \end{code}
 13 | %endif
 14 | 
 15 | \section{Polymorphism}
 16 | 
 17 | \subsection{Polymorphic Lists}
 18 | 
 19 | For the last couple of chapters, we've been working just with lists of numbers. 
 20 | Obviously, interesting programs also need to be able to manipulate lists with elements 
 21 | from other types --- lists of strings, lists of booleans, lists of lists, etc. 
 22 | We could just define a new datatype for each of these, for example...
 23 | 
 24 | \begin{code}
 25 | data BList : Set where
 26 |   nil : BList
 27 |   cons : Bool -> BList -> BList
 28 | \end{code}
 29 | ... but this would quickly become tedious, partly because we have to make up different
 30 | constructor names for each datatype, but mostly because we would also need to define 
 31 | new versions of all our list manipulating functions (|length|, |rev|, etc.) for each new 
 32 | datatype definition.
 33 | 
 34 | To avoid all this repetition, Agda supports polymorphic type definitions. 
 35 | For example, here is a polymorphic list datatype.
 36 | 
 37 | \begin{code}
 38 | data List  {l}(A : Set l) : Set l where
 39 |   nil : List A
 40 |   _,_ : A -> List A -> List A
 41 | \end{code}
 42 | 
 43 | This is exactly like the definition of |NList| from the previous chapter, except that the 
 44 | |Nat| argument to the |,| constructor has been replaced by an arbitrary type |A|, a binding for |A| 
 45 | has been added to the header, and the occurrences of |NList| in the types of the constructors have 
 46 | been replaced by |List' A|.
 47 | 
 48 | What sort of thing is list itself? One good way to think about it is that list is a function 
 49 | from types (|Set|s) to type definitions; or, to put it another way, list is a function from |Set|s to |Set|s. 
 50 | For any particular type |A|, the type |List' A| is an inductively defined set of lists whose elements are 
 51 | things of type |A|.
 52 | 
 53 | We can now go back and make polymorphic (or ``generic'') versions of all the list-processing functions that 
 54 | we wrote before. Here is |length|, for example:
 55 | \begin{code}
 56 | length' : (A : Set) -> List A -> Nat
 57 | length' A nil      = zero
 58 | length' A (_ , xs) = suc (length' A xs)
 59 | \end{code}
 60 | Note that the uses of |nil| and |,| in patterns do not require any type annotations: Agda
 61 | already knows that the list contains elements of type |A|, so there's no reason to include |A| 
 62 | in the pattern. (More precisely, the type |A| is a parameter of the whole definition of list, 
 63 | not of the individual constructors. We'll come back to this point later.)
 64 | 
 65 | To use our length with other kinds of lists, we simply instantiate it with an appropriate type parameter:
 66 | \begin{code}
 67 | testLengthBool : length' Bool (True , False , nil) == 2
 68 | testLengthBool = refl
 69 | \end{code}
 70 | Let's close this subsection by re-implementing a few other standard list functions on our new polymorphic lists:
 71 | \begin{code}
 72 | _++'_ : (A : Set) -> List A -> List A -> List A
 73 | _++'_ A nil ys = ys
 74 | _++'_ A (x , xs) ys = x , (_++'_ A xs ys)
 75 | 
 76 | snoc' : (A : Set) -> A -> List A -> List A
 77 | snoc' A x nil = x , nil
 78 | snoc' A x (y , ys) = y , (snoc' A x ys)
 79 | 
 80 | rev' : (A : Set) -> List A -> List A
 81 | rev' A nil = nil
 82 | rev' A (x , xs) = snoc' A x (rev' A xs)
 83 | \end{code}
 84 | 
 85 | 
 86 | \subsection{Type Annotation Inference}
 87 | 
 88 | Unlike Coq, in Agda we must provide type annotations for functions, only in very simple and specific cases 
 89 | type annotations can be ommited. As an example:
 90 | \begin{code}
 91 | Age = Nat
 92 | \end{code}
 93 | Here we are defining that |Age| is a type and we don't need to explicitly write |Age : Set|. But, we cannot
 94 | write a list concatenation function without write its type signature. This is rejected by Agda:
 95 | \begin{spec}
 96 | app' A nil ys = ys
 97 | app' A (x , xs) ys = x , (app' A xs ys)
 98 | \end{spec}
 99 | 
100 | \subsection{Type Argument Synthesis}
101 | 
102 | Whenever we use a polymorphic function, we need to pass it one or more types in addition to its other 
103 | arguments. For example, the recursive call in the body of the |length'| function above must pass along 
104 | the type |A|. But just like providing explicit type annotations everywhere, this is heavy and verbose. 
105 | Since the second argument to |length| is a list of |A|s, it seems entirely obvious that the first 
106 | argument can only be |A| --- why should we have to write it explicitly?
107 | 
108 | Fortunately, Coq permits us to avoid this kind of redundancy. In place of any type argument we can write the 
109 | ``implicit argument'' \_, which can be read as ``Please figure out for yourself what type belongs here.'' More 
110 | precisely, when Agda encounters a \_, it will attempt to unify all locally available information --- 
111 | the type of the function being applied, the types of the other arguments, and the type expected by the context in 
112 | which the application appears --- to determine what concrete type should replace the \_.
113 | 
114 | Using implicit arguments, the |length| function can be written like this
115 | \begin{code}
116 | length1 : (A : Set) -> List A -> Nat
117 | length1 A nil      = zero
118 | length1 A (_ , xs) = suc (length1 _ xs)
119 | \end{code}
120 | In this case we don't need to write much \_, but in some cases this is significant. But, we can do better using
121 | implicit arguments.
122 | 
123 | \subsection{Implicit Arguments}
124 | 
125 | To avoid having to sprinkle \_'s throughout our programs, we can tell Agda always to infer the type argument(s) 
126 | of a given function. To this we need just to say that the type parameter of the function is implicit surrounding it
127 | using curly braces:
128 | 
129 | \begin{code}
130 | length : {A : Set} -> List A -> Nat
131 | length nil      = zero
132 | length (_ , xs) = suc (length xs)
133 | \end{code}
134 | 
135 | Note that we didn't even have to provide a type argument to the recursive call to |length|; indeed, we can provide it by
136 | surrounding it in curly braces in the pattern and in the recursive call, as follows:
137 | \begin{spec}
138 | length : {A : Set} -> List A -> Nat
139 | length {A} nil      = zero
140 | length {A} (_ , xs) = suc (length {A} xs)
141 | \end{spec}
142 | The |{A}| in the left hand side of the equation is a implicit pattern and we can pattern match on implicit parameters by 
143 | just writing them in curly braces. The same idea is used to pass an implicit parameter as a function argument.
144 | 
145 | \subsection{Exercises: Polymorphic Lists}
146 | 
147 | Here are a few simple exercises, just like ones in the Lists chapter, for practice with polymorphism. 
148 | Fill in the definitions and complete the proofs below.
149 | \begin{spec}
150 | repeat : {A : Set}(n : A)(count : Nat) : List A 
151 | repeat = (HOLE GAP 0)
152 | 
153 | testRepeat : repeat True 2 == True , (True , nil)
154 | testRepeat = refl
155 | 
156 | _++_ : {A : Set} -> List A -> List A -> List A
157 | nil ++ ys = ys
158 | (x , xs) ++ ys = x , (xs ++ ys)
159 | 
160 | snoc : {A : Set} -> A -> List A -> List A
161 | snoc x nil = x , nil
162 | snoc x (y , ys) = y , (snoc x ys)
163 | 
164 | rev : {A : Set} -> List A -> List A
165 | rev nil = nil
166 | rev (x , xs) = snoc' A x (rev' A xs)
167 | 
168 | nilApp : forall {A : Set}(l : List A) -> [] ++ l == l
169 | nilApp = (HOLE GAP 0)
170 | 
171 | revSnoc : forall {A : Set}(v : A)(s : List A) -> rev (snoc v s) == v , (rev s)
172 | revSnoc = (HOLE GAP 0)
173 | 
174 | revInvolutive : forall {A : Set}(l : List A) -> rev (rev l) == l
175 | revInvolutive = (HOLE GAP 0)
176 | 
177 | snocWithApp : {A : Set}(l1 l2 : List A)(v : A) -> snoc v (l1 ++ l2) == l1 ++ (snoc v l2)
178 | snocWithApp = (HOLE GAP 0)
179 | \end{spec}
180 | 
181 | \subsection{Polymorphic Pairs}
182 | 
183 | Following the same pattern, the type definition we gave in the last chapter 
184 | for pairs of numbers can be generalized to polymorphic pairs (or products):
185 | \begin{code}
186 | data _*_ (A B : Set) : Set where
187 |   _,_ : A -> B -> A * B
188 | \end{code}
189 | The first and second projection functions are defined as in any 
190 | functional programming language.
191 | \begin{code}
192 | fst : {A B : Set} -> A * B -> A
193 | fst (x , _) = x
194 | 
195 | snd : {A B : Set} -> A * B -> B
196 | snd (_ , y) = y
197 | \end{code}
198 | The following function takes two lists and combines them into a list of pairs. 
199 | In Coq, this functions is called \textit{combine}.
200 | \begin{code}
201 | zip : {A B : Set} -> List A -> List B -> List (A * B)
202 | zip nil _ = nil
203 | zip _ nil = nil
204 | zip (x , xs) (y , ys) = (x , y) , zip xs ys
205 | \end{code}
206 | 
207 | \begin{exe}[Unzip]
208 | The function |unzip| is the right inverse of |zip|: it takes a list of pairs and 
209 | returns a pair of lists. 
210 | \begin{spec}
211 | unzip : {A B : Set} -> List (A * B) -> (List A * List B)
212 | unzip = (HOLE GAP 0)
213 | \end{spec}
214 | \end{exe}
215 | 
216 | \subsection{Polymorphic Maybe}
217 | 
218 | One last polymorphic type for now: \textit{polymorphic options}. The type declaration generalizes 
219 | the one for |NatMaybe| in the previous chapter:
220 | \begin{code}
221 | data Maybe (A : Set) : Set where
222 |   Just : A -> Maybe A
223 |   Nothing : Maybe A
224 | \end{code}
225 | We can now rewrite the |index| function so that it works with any type of lists.
226 | \begin{code}
227 | index : {A : Set} -> Nat -> List A -> Maybe A
228 | index n nil = Nothing
229 | index zero (x , _) = Just x
230 | index (suc n) (_ , xs) = index n xs
231 | \end{code}
232 | 
233 | \section{Functions as Data}
234 | 
235 | \subsection{High-Order Functions}
236 | 
237 | Like many other modern programming languages --- including all functional languages 
238 | (ML, Haskell, Scheme, etc.) --- Agda treats functions as first-class citizens, allowing 
239 | functions to be passed as arguments to other functions, returned as results, stored in 
240 | data structures, etc.
241 | 
242 | Functions that manipulate other functions are often called higher-order functions. 
243 | Here's an example:
244 | \begin{code}
245 | doIt3Times : {A : Set} -> (A -> A) -> A -> A
246 | doIt3Times f x = f (f (f x))
247 | \end{code}
248 | The argument |f| here is itself a function (from |A| to |A|); the body of |doIt3Times| 
249 | applies |f| three times to some value |x|.
250 | 
251 | \subsection{Partial Application}
252 | 
253 | In fact, the multiple-argument functions we have already seen are also examples of 
254 | passing functions as data. To see why, recall the type of |+|:
255 | \begin{spec}
256 | + : Nat -> Nat -> Nat
257 | \end{spec}
258 | Each |->| in this expression is actually a binary operator on types. (This is the same as 
259 | saying that Agda primitively supports only one-argument functions --- do you see why?) 
260 | This operator is right-associative, so the type of |+| is really a shorthand for 
261 | |Nat -> (Nat -> Nat)| --- i.e., it can be read as saying that ``|+| is a one-argument 
262 | function that takes a |Nat| and returns a one-argument function that takes another |Nat| 
263 | and returns a |Nat|.'' In the examples above, we have always applied |+| to both of its 
264 | arguments at once, but if we like we can supply just the first. This is called 
265 | \textit{partial application}. 
266 | 
267 | The next source code piece shows the definition |plus3| that uses |+| partially applied fixing
268 | the parameter |3|.
269 | \begin{code}
270 | plus3 : Nat -> Nat
271 | plus3 = _+_ 3
272 | 
273 | testPlus3 : plus3 4 == 7
274 | testPlus3 = refl
275 | \end{code}
276 | 
277 | \subsection{Digression: Currying}
278 | 
279 | In Agda, a function |f : A -> B > C| really has the type |A -> (B -> C)|. That is, if you give |f|
280 | a value of type |A|, it will give you function |f' : B -> C|. If you then give |f'| a value of type |B|, 
281 | it will return a value of type |C|. This allows for partial application, as in |plus3|. Processing a 
282 | list of arguments with functions that return functions is called \textit{currying}, in honor of the 
283 | logician Haskell Curry.
284 | Conversely, we can reinterpret the type |A -> B -> C| as |(A * B) -> C|. This is called uncurrying. 
285 | With an uncurried binary function, both arguments must be given at once as a pair; there is no 
286 | partial application. We can define currying as follows:
287 | \begin{code}
288 | curry : {A B C : Set} -> (A -> B -> C) -> (A * B) -> C
289 | curry f (x , y) = f x y
290 | \end{code}
291 | The uncurry function can be defined in similarly:
292 | \begin{code}
293 | uncurry : {A B C : Set} -> ((A * B) -> C) -> A -> B -> C
294 | uncurry f x y = f (x , y)
295 | \end{code}
296 | 
297 | %if False
298 | More stuff used in latter chapters...
299 | \begin{code}
300 | id : {A : Set} -> A -> A
301 | id x = x
302 | 
303 | snoc : {A : Set} -> A -> List A -> List A
304 | snoc x nil = x , nil
305 | snoc x (y , ys) = y , (snoc x ys)
306 | 
307 | rev : {A : Set} -> List A -> List A
308 | rev nil = nil
309 | rev (x , xs) = snoc x (rev xs)
310 | \end{code}
311 | %endif
312 | 
313 | \begin{exe}[Curry and Uncurry are inverses]
314 | Now prove the following facts that state, together, that |curry| and |uncurry| are
315 | inverses of each other:
316 | \begin{spec}
317 | uncurryCurry : forall {A B C : Set} (f : A -> B -> C) x y -> curry (uncurry f) x y == f x y
318 | uncurryCurry = (HOLE GAP 0)
319 | 
320 | curryUncurry : forall {A B C : Set}(f : (A * B) -> C)) (p : A * B) -> uncurry (curry f) p == f p
321 | curryUncurry = (HOLE GAP 1)
322 | \end{spec}
323 | \end{exe}
324 | 
325 | \subsection{Filter}
326 | 
327 | Here is a useful higher-order function, which takes a list of |A|s and a predicate on |A| 
328 | (a function from |A| to |Bool|) and ``filters'' the list, returning a new list containing 
329 | just those elements for which the predicate returns |True|.
330 | \begin{code}
331 | filter : {A : Set} -> (A -> Bool) -> List A -> List A
332 | filter p nil = nil
333 | filter p (x , xs) with p x
334 | filter p (x , xs) | True  = x , filter p xs
335 | filter p (x , xs) | False = filter p xs
336 | \end{code}
337 | Note that in this definition we use the construct |with| to pattern match on the result |p x|.
338 | The with allows us to pattern match on intermediate results of a computation. This is very useful
339 | when pattern matching involves dependent types.
340 | 
341 | For example, if we apply |filter| to the predicate |evenb| and a list of numbers l, it returns a 
342 | list containing just the even members of l.
343 | \begin{code}
344 | testFilterEven : filter evenb (1 , 2 , 0 , 3 , nil) == (2 , 0 , nil)
345 | testFilterEven = refl
346 | \end{code}
347 | We can use |filter| to give a concise version of the |countoddmembers| function from the Lists chapter.
348 | \begin{code}
349 | countoddmembers' : List Nat -> Nat
350 | countoddmembers' l = length (filter oddb l)  
351 | 
352 | testCountOddMembers' : countoddmembers' (1 , 2 , 3 , nil) == 2
353 | testCountOddMembers' = refl
354 | \end{code}
355 | 
356 | \subsection{Anonymous Functions}
357 | 
358 | Consider the following example:
359 | \begin{code}
360 | lengthIs1 : {A : Set} -> List A -> Bool
361 | lengthIs1 l = beqNat (length l) 1
362 | 
363 | testFilter1 : filter lengthIs1 ((1 , 2 , nil) , (1 , nil) , nil) == ((1 , nil) , nil)
364 | testFilter1 = refl
365 | \end{code}
366 | Note that to filter lists whose length is 1, we need to define a function |lengthIs1| that
367 | is used only as a predicate to |filter|. This is a bit annoying.
368 | Moreover, this is not an isolated example. When using higher-order functions, we often want 
369 | to pass as arguments ``one-off'' functions that we will never use again; having to give each 
370 | of these functions a name would be tedious.
371 | 
372 | Fortunately, there is a better way. It is also possible to construct a function ``on the fly'' 
373 | without declaring it at the top level or giving it a name; this is analogous to the notation 
374 | we've been using for writing down constant lists, natural numbers, and so on.
375 | \begin{code}
376 | testAnonymous : (doIt3Times {Nat} (\ x -> x + x) 2) == 16
377 | testAnonymous = refl
378 | \end{code}
379 | Here is the motivating example from before, rewritten to use an anonymous function.
380 | \begin{code}
381 | testFilter2 : filter (\ x -> beqNat (length x) 1) ((1 , 2 , nil) , (1 , nil) , nil) == ((1 , nil) , nil)
382 | testFilter2 = refl
383 | \end{code}
384 | \begin{exe}
385 | Use |filter| to write a function filterEvenGt7 that takes a list of natural numbers as input and 
386 | returns a list of just those that are even and greater than 7.
387 | \end{exe}
388 | \begin{exe}[Partition]
389 | Use filter to write a Agda function partition:
390 | \begin{spec}
391 | partition : {A : Set} -> (A -> Bool) -> List A (List A * List A)
392 | \end{spec}
393 | Given a set |A|, a test function of type |A -> Bool| and a |List A|, |partition| should return a pair of lists. 
394 | The first member of the pair is the sublist of the original list containing the elements that satisfy the test, 
395 | and the second is the sublist containing those that fail the test. The order of elements in the two sublists 
396 | should be the same as their order in the original list.
397 | \end{exe}
398 | 
399 | \subsection{Map}
400 | 
401 | Another handy higher-order function is called |map|.
402 | \begin{code}
403 | map : {A B : Set} -> (A -> B) -> List A -> List B
404 | map f nil = nil
405 | map f (x , xs) = f x , map f xs
406 | \end{code}
407 | It takes a function |f| and a list |l = n1, n2, n3, ...| and returns the list |f n1, f n2, f n3,...| , where 
408 | |f| has been applied to each element of |l| in turn. For example:
409 | \begin{code}
410 | testMap : map plus3 (1 , 2 , nil) == (4 , 5 , nil)
411 | testMap = refl
412 | \end{code}
413 | The element types of the input and output lists need not be the same (map takes two type arguments, |A| and |B|). 
414 | This version of |map| can thus be applied to a list of numbers and a function from numbers to booleans to yield a 
415 | list of booleans:
416 | \begin{code}
417 | testMap1 : map evenb (1 , 2 , 3 , nil) == (False , True , False , nil)
418 | testMap1 = refl
419 | \end{code}
420 | \begin{exe}[|map| and |rev| commutes]
421 | Show that |map| and |rev| commute. You may need to define an auxiliary lemma.
422 | \begin{spec}
423 | mapRevComm : forall {A B : Set}(f : A -> B)(l : List A) -> map f (rev l) == rev (map f l)
424 | \end{spec}
425 | \end{exe}
426 | 
427 | \begin{exe}[|concatMap|]
428 | The function |map| maps a |List A| to a |List B| using a function of type |A -> B|. We can define 
429 | a similar function, |concatMap|, which maps a |List A| to a |List B| using a function |f| of type 
430 | |A -> List B|. Your definition should work by 'flattening' the results of f, like so:
431 | \begin{spec}
432 |  concatMap (\ n -> (n , n+1 , n+2 , nil)) (1 , 5 , 1 , nil) 
433 |       = (1 , 2 ,  3 , 5 , 6 , 7 , 10 , 11 , 12 , nil).
434 | \end{spec}
435 | \end{exe}
436 | 
437 | Lists are not the only inductive type that we can write a |map| function for. 
438 | Here is the definition of |map| for the |Maybe| type:
439 | 
440 | \begin{code}
441 | mapMaybe : {A B : Set} -> (A -> B) -> Maybe A -> Maybe B
442 | mapMaybe f Nothing = Nothing
443 | mapMaybe f (Just x) = Just (f x)
444 | \end{code}
445 | 
446 | \subsection{Fold}
447 | 
448 | An even more powerful higher-order function is called |fold|. This function is 
449 | the inspiration for the ``reduce'' operation that lies at the heart of Google's 
450 | |map|/|reduce| distributed programming framework.
451 | \begin{code}
452 | fold : {A B : Set} -> (A -> B -> B) -> B -> List A -> B
453 | fold f v nil = v
454 | fold f v (x , xs) = f x (fold f v xs)
455 | \end{code}
456 | Intuitively, the behavior of the fold operation is to insert a given binary operator 
457 | |f| between every pair of elements in a given list. For example, |fold plus (1 , 2 , 3 , 4 , nil)| 
458 | intuitively means |1+2+3+4|. To make this precise, we also need a ``starting element'' that serves as 
459 | the initial second input to |f|. So, for example,
460 | \begin{spec}
461 |  fold plus (1 , 2 , 3 , 4 , nil) 0
462 | \end{spec}
463 | yields
464 | \begin{spec}
465 | 1 + (2 + (3 + (4 + 0)))
466 | \end{spec}.
467 | 
468 | \subsection{Functions For Constructing Functions}
469 | 
470 | Most of the higher-order functions we have talked about so far take functions as arguments. Now let's 
471 | look at some examples involving returning functions as the results of other functions.
472 | 
473 | To begin, here is a function that takes a value x (drawn from some type |A|) and returns a function 
474 | from |Nat| to |A| that yields |x| whenever it is called, ignoring its nat argument.
475 | 
476 | \begin{code}
477 | constFun : {A : Set} -> A -> Nat -> A 
478 | constFun x n = x
479 | 
480 | ftrue : Nat -> Bool
481 | ftrue = constFun True
482 | 
483 | testFtrue1 : ftrue 0 == True
484 | testFtrue1 = refl
485 | \end{code}
486 | 
487 | Similarly, but a bit more interestingly, here is a function that takes a function |f| from numbers to some 
488 | type |A|, a number |k|, and a value |x|, and constructs a function that behaves exactly like |f| except 
489 | that, when called with the argument |k|, it returns |x|.
490 | \begin{code}
491 | override : {A : Set} -> (Nat -> A) -> Nat -> A -> Nat -> A
492 | override f k x k' = if beqNat k k' then x else f k'
493 | \end{code}
494 | For example, we can apply override twice to obtain a function from numbers to booleans that returns |False| on 
495 | 1 and 3 and returns |True| on all other arguments.
496 | \begin{code}
497 | fMostlyTrue : Nat -> Bool
498 | fMostlyTrue = override (override ftrue 1 False) 3 False
499 | 
500 | testFMostlyTrue1 : fMostlyTrue 0 == True
501 | testFMostlyTrue1 = refl
502 | 
503 | testFMostlyTrue2 : fMostlyTrue 1 == False
504 | testFMostlyTrue2 = refl
505 | \end{code}
506 | 
507 | \begin{exe}[Override example]
508 | Before starting to work on the following proof, make sure you understand exactly what the theorem is saying and 
509 | can paraphrase it in your own words. The proof itself is straightforward.
510 | \begin{spec}
511 | overrideExample : forall (b : Bool) -> (override (constFun b) 3 True) 2 = b.
512 | overrideExample = (HOLE GAP 0)
513 | \end{spec}
514 | \end{exe}
515 | We'll use function overriding heavily in parts of the rest of the course, and we will end up needing to know quite 
516 | a bit about its properties. Unlike Coq, Agda doesn't have a special tactic to ``unfold'' definitions. These are
517 | automatically unfolded by Agda's type checker.
518 | 
519 | \section{Additional Exercices}
520 | 
521 | \begin{exe}
522 | Many common functions on lists can be implemented in terms of |fold|. 
523 | For example, here is an alternative definition of |length|:
524 | \begin{spec}
525 | foldLength : forall {A : Set} -> List A -> Nat
526 | foldLength = fold (\ _ ac -> suc ac) 0
527 | \end{spec}
528 | Prove that
529 | \begin{spec}
530 | theoremLength : forall {A : Set}(l : List A) -> length l == foldLength l
531 | theoremLength = (HOLE GAP 0)
532 | \end{spec}
533 | \end{exe}
534 | 
535 | \begin{exe}
536 | We can also define |map| in terms of |fold|. Give a definition of |map| using |fold| and prove that it is correct with
537 | respect to the original |map| definition.
538 | \end{exe}
539 | 
540 | 
541 | 
542 | 
543 | 
544 | 


--------------------------------------------------------------------------------
/Basics.lagda:
--------------------------------------------------------------------------------
  1 | %if False
  2 | \begin{code}
  3 | module Basics where
  4 | \end{code}
  5 | %endif
  6 | 
  7 | \chapter{Basic Functional Programming in Agda}\label{basics}
  8 | 
  9 | \section{Introduction}\label{basics-introduction}
 10 | 
 11 | The functional programming style brings programming closer to mathematics: 
 12 | If a procedure or method has no side effects, then pretty much all you need 
 13 | to understand about it is how it maps inputs to outputs --- that is, you can 
 14 | think of its behavior as just computing a mathematical function. This is one 
 15 | reason for the word ``functional'' in ``functional programming.'' This direct 
 16 | connection between programs and simple mathematical objects supports both sound 
 17 | informal reasoning and formal proofs of correctness.
 18 | 
 19 | The other sense in which functional programming is ``functional'' is that it 
 20 | emphasizes the use of functions (or methods) as \textit{first-class values} --- i.e., 
 21 | values that can be passed as arguments to other functions, returned as results, 
 22 | stored in data structures, etc. The recognition that functions can be treated 
 23 | as data in this way enables a host of useful idioms, as we will see.
 24 | Other common features of functional languages include \textit{algebraic data types} and 
 25 | \textit{pattern matching}, which make it easy to construct and manipulate rich data 
 26 | structures, and sophisticated \textit{polymorphic type systems} that support abstraction 
 27 | and code reuse. Agda shares all of these features.
 28 | 
 29 | \section{Enumerated Types}\label{enumerated-types}
 30 | 
 31 | One unusual aspect of Agda is that its set of built-in features is extremely small. For 
 32 | example, instead of providing the usual palette of atomic data types (booleans, integers, strings, etc.), 
 33 | Agda offers an extremely powerful mechanism for defining new data types from scratch --- so powerful that 
 34 | all these familiar types arise as instances.
 35 | 
 36 | Agda has a standard library\footnote{The standard library isn't shipped as part of the Agda distribuition, but can be easily installed. 
 37 | For details, consult the Agda wiki \cite{Wiki}.}
 38 | that comes with definitions of booleans, numbers, and many common data structures 
 39 | like lists. But there is nothing magic or primitive about these library definitions: they are ordinary user code.
 40 | To see how this works, let's start with a very simple example.
 41 | 
 42 | \subsection{Days of Week}\label{days-of-week}
 43 | 
 44 | The following declaration tells Agda that we are defining a new set of data values --- a type.
 45 | 
 46 | \begin{code}
 47 | data Day : Set where
 48 |   Monday    : Day
 49 |   Tuesday   : Day
 50 |   Wednesday : Day
 51 |   Thursday  : Day
 52 |   Friday    : Day
 53 |   Saturday  : Day
 54 |   Sunday    : Day
 55 | \end{code}
 56 | 
 57 | The type is called Day, and its members are Monday, Tuesday, etc. The second through eighth 
 58 | lines of the definition can be read ``monday is a day, tuesday is a day, etc.''
 59 | 
 60 | Having defined Day, we can write functions that operate on days.
 61 | 
 62 | \begin{code}
 63 | nextDay : Day -> Day
 64 | nextDay Monday    = Tuesday
 65 | nextDay Tuesday   = Wednesday
 66 | nextDay Wednesday = Thursday
 67 | nextDay Thursday  = Friday
 68 | nextDay Friday    = Saturday
 69 | nextDay Saturday  = Sunday
 70 | nextDay Sunday    = Monday
 71 | \end{code}
 72 | 
 73 | One thing to note is that the argument and return types of this function are explicitly 
 74 | declared. Like most functional programming languages, Agda can often work out these types 
 75 | even if they are not given explicitly --- i.e., it performs some type inference --- but 
 76 | we'll always include them to make reading easier.
 77 | 
 78 | Having defined a function, we should check that it works on some examples. There are 
 79 | actually two different ways to do this in Agda. One uses the notion of equality and
 80 | another uses the interactive emacs mode. To test the new defined |nextDay| function,
 81 | just type C-c C-n and type |nextDay| |Friday| on the emacs buffer in order to Agda evaluate
 82 | the expression to |Saturday|.
 83 | 
 84 | \subsection{Booleans}\label{booleans}
 85 | 
 86 | In a similar way, we can define the type |Bool| of booleans, with members true and false.
 87 | 
 88 | \begin{code}
 89 | data Bool : Set where
 90 |   True  : Bool
 91 |   False : Bool
 92 | \end{code}
 93 | 
 94 | Although we are rolling our own booleans here for the sake of building up everything from 
 95 | scratch, Agda does, of course, provide a default implementation of the booleans in its standard 
 96 | library, together with a multitude of useful functions and lemmas. 
 97 | Whenever possible, we'll name our own definitions and theorems so that they exactly coincide 
 98 | with the ones in the standard library.
 99 | 
100 | Functions over booleans can be defined in the same way as above:
101 | 
102 | \begin{code}
103 | not : Bool -> Bool
104 | not True  = False
105 | not False = True
106 | 
107 | and : Bool -> Bool -> Bool
108 | and True t  = t
109 | and False _ = False
110 | 
111 | or : Bool -> Bool -> Bool
112 | or True _  = True
113 | or False t = t 
114 | \end{code}
115 | 
116 | Agda supports the so called mixfix operator syntax and unicode identifiers that are extensively used 
117 | in the standard library. We believe that using these only serves as an additional barrier for newbies
118 | learning Agda. So, we will avoid it.
119 | 
120 | Again, we can test these definitions using the emacs mode through the command C-c C-n.
121 | 
122 | \begin{exe}[The nand logic operator]
123 | Define the following function to represent the nand logic operator. Nand connective is defined using
124 | the following truth table:
125 | \begin{center}
126 | \begin{tabular}{ccc}
127 | $A$       & $B$        & |nand| $A$ $B$\\
128 | |False| & |False|  &  |True| \\
129 | |False| & |True|   &  |True| \\
130 | |True|  & |False|  &  |True| \\
131 | |True|  & |True|   &  |False| \\
132 | \end{tabular}
133 | \end{center}
134 | \begin{spec}
135 | nand : Bool -> Bool -> Bool
136 | nand a b = ?
137 | \end{spec}
138 | \end{exe}
139 | 
140 | \begin{exe}[The and3 function]
141 | Implement the |and3| function that returns the conjunction of 3 boolean values.
142 | \begin{spec}
143 | and3 : Bool -> Bool -> Bool -> Bool
144 | and3 a b c = ?
145 | \end{spec}
146 | \end{exe}
147 | 
148 | \subsection{Function Types}\label{function-types}
149 | 
150 | We can use the emacs interactive mode to deduce an expression types. Just type
151 | C-c C-d and enter a expression in the emacs buffer to Agda give this expression type.
152 | 
153 | As an example, entering the expression |and| |True|, Agda will return the type
154 | |Bool -> Bool|. Entering |not|, will also return |Bool -> Bool|.
155 | 
156 | \subsection{Numbers}\label{numbers}
157 | 
158 | The types we have defined so far are examples of ``enumerated types'': their definitions 
159 | explicitly enumerate a finite set of elements. A more interesting way of defining a type 
160 | is to give a collection of ``inductive rules'' describing its elements. For example, we 
161 | can define the natural numbers as follows:
162 | 
163 | \begin{code}
164 | data Nat : Set where
165 |   zero : Nat
166 |   suc  : Nat -> Nat
167 | \end{code}
168 | 
169 | The clauses of this definition can be read:
170 | \begin{itemize}
171 |   \item |zero| is a natural number.
172 |   \item |suc|  is a ``constructor'' that takes a natural number and yields another one --- 
173 |         that is, if |n| is a natural number, then |suc n| is too.
174 | \end{itemize}
175 | 
176 | Agda compiler provides some pragmas to enable numeric literals, in order to avoid the
177 | verbose notation of $n$-aries |suc|s.
178 | 
179 | \begin{code}
180 | {-# BUILTIN NATURAL Nat #-}
181 | {-# BUILTIN ZERO zero #-}
182 | {-# BUILTIN SUC suc #-}
183 | \end{code}
184 | 
185 | Let's look at this in a little more detail. 
186 | 
187 | Every inductively defined set (Day, Nat, Bool, etc.) is actually a set of expressions. 
188 | The definition of |Nat| says how expressions in the set |Nat| can be constructed:
189 | \begin{itemize}
190 |   \item the expression |zero| belongs to the set |Nat|;
191 |   \item if |n| is an expression belonging to the set |Nat|, then |suc n| is also an 
192 |         expression belonging to the set |Nat|; and expressions formed in these two ways 
193 |         are the only ones belonging to the set |Nat|.
194 | \end{itemize}
195 | The same rules apply for our definitions of |Day| and |Bool|. The annotations we used 
196 | for their constructors are analogous to the one for the |zero| constructor, and indicate 
197 | that each of those constructors doesn't take any arguments.
198 | 
199 | These three conditions are the precise force of the inductive declaration. They imply 
200 | that the expression |zero|, the expression |suc zero|, the expression |suc (suc zero)|, 
201 | the expression |suc (suc (suc zero))|, and so on all belong to the set |Nat|, while other 
202 | expressions like |True|, |and True False|, and |suc (suc False)| do not.
203 | 
204 | We can write simple functions that pattern match on natural numbers just as we did above --- 
205 | for example, the predecessor function:
206 | 
207 | \begin{code}
208 | pred : Nat -> Nat
209 | pred zero    = zero
210 | pred (suc n) = n
211 | \end{code}
212 | 
213 | These are all things that can be applied to a number to yield a number. However, there 
214 | is a fundamental difference: functions like pred and minustwo come with computation rules 
215 | --- e.g., the definition of |pred| says that |pred 2| can be simplified to 1 --- while 
216 | the definition of |suc| has no such behavior attached. Although it is like a function 
217 | in the sense that it can be applied to an argument, it does not do anything at all!
218 | 
219 | For most function definitions over numbers, pure pattern matching is not enough: we 
220 | also need recursion. For example, to check that a number |n| is even, we may need 
221 | to recursively check whether $n-2$ is even. 
222 | 
223 | \begin{code}
224 | evenb : Nat -> Bool
225 | evenb zero          = True
226 | evenb (suc zero)    = False
227 | evenb (suc (suc n)) = evenb n
228 | \end{code}
229 | 
230 | We can define |oddb|, a function that tests if a natural number is odd, similarly or using
231 | |evenb|.
232 | 
233 | \begin{exe}{Defining |oddb|}
234 | Define the function |oddb| that tests if a number is odd, without recursion.
235 | \begin{spec}
236 | oddb : Nat -> Bool
237 | oddb n = ?
238 | \end{spec}
239 | \end{exe}
240 | 
241 | %if False
242 | I'm putting this here, because its useful in other places...
243 | \begin{code}
244 | oddb : Nat -> Bool
245 | oddb n = not (evenb n)
246 | \end{code}
247 | %endif
248 | 
249 | Naturally, we can also define multi-argument functions by recursion.
250 | 
251 | %if False
252 | \begin{code}
253 | infixr 4 _+_
254 | infixr 4 _*_
255 | \end{code}
256 | %endif
257 | 
258 | \begin{code}
259 | _+_ : Nat -> Nat -> Nat
260 | zero + m = m
261 | suc n + m = suc (n + m)
262 | \end{code}
263 | 
264 | Adding three to two now gives us five, as we'd expect --- You can test it using C-c C-n, as you know.
265 | 
266 | The simplification that Coq performs to reach this conclusion can be visualized as follows:
267 | \begin{flushleft}
268 | \begin{tabular}{lc}
269 | |suc (suc (suc zero)) + suc (suc zero)| & $\Rightarrow$\\
270 | |suc (suc zero) + suc (suc (suc zero))| & $\Rightarrow$\\
271 | |suc zero + suc (suc (suc (suc zero)))| & $\Rightarrow$\\
272 | |zero + suc (suc (suc (suc (suc zero))))| & $\Rightarrow$\\
273 | |suc (suc (suc (suc (suc zero))))| & \\
274 | \end{tabular}
275 | \end{flushleft}
276 | 
277 | Multiplication and subtraction over naturals are defined straightforwardly, by pattern matching.
278 | The underscore represents a \textit{wildcard} pattern. Writing underscores in a pattern is the same as 
279 | writing some variable that doesn't get used on the right-hand side. This avoids the need to invent 
280 | a bogus variable name.
281 | 
282 | \begin{code}
283 | _*_ : Nat -> Nat -> Nat
284 | zero * m  = zero
285 | suc n * m = m + (n * m)
286 | 
287 | _-_ : Nat -> Nat -> Nat
288 | zero  - _     = zero
289 | (suc n) - zero  = suc n
290 | suc n - suc m = n - m
291 | \end{code}
292 | 
293 | \begin{exe}[factorial function]
294 | Define a function to compute the factorial of a given natural number.
295 | \begin{spec}
296 | factorial : Nat -> Nat
297 | factorial n = ?
298 | \end{spec}
299 | \end{exe}
300 | 
301 | When we say that Agda comes with nothing built-in, we really mean it: 
302 | even equality testing for numbers is a user-defined operation! The |beq_nat| function tests natural 
303 | numbers for equality, yielding a boolean. 
304 | 
305 | \begin{code}
306 | beqNat : Nat -> Nat -> Bool
307 | beqNat zero    zero    = True
308 | beqNat zero    (suc _) = False
309 | beqNat (suc _) zero    = False
310 | beqNat (suc n) (suc m) = beqNat n m
311 | \end{code}
312 | 
313 | Similarly, the |ble_nat| function tests natural numbers for less-or-equal, yielding a boolean.
314 | 
315 | \begin{code}
316 | bleNat : Nat -> Nat -> Bool
317 | bleNat zero    _       = True
318 | bleNat (suc n) zero    = False
319 | bleNat (suc n) (suc m) = bleNat n m
320 | \end{code}
321 | 
322 | \begin{exe}[Definition of |blt_nat|]
323 | The |blt_nat| function tests natural numbers for less-than, yielding a boolean. 
324 | \begin{spec}
325 | bltNat : Nat -> Nat -> Bool
326 | bltNat n m = ?
327 | \end{spec}
328 | \end{exe}
329 | 
330 | \section{Proof by Simplification}
331 | 
332 | \textbf{Little digression:}  In type theory based proof assistants, like Agda and Coq, there are
333 | (at least) two notions of equality: the definitional equality and the propositional equality.
334 | I need to put here some explanation about propositional equality. \textbf{End of little digression}.
335 | 
336 | %if False
337 | \begin{code}
338 | postulate Level : Set
339 | postulate LZero : Level
340 | postulate LSuc  : Level -> Level
341 | postulate LMax  : Level -> Level -> Level
342 | 
343 | {-# BUILTIN LEVEL Level #-}
344 | {-# BUILTIN LEVELZERO LZero #-}
345 | {-# BUILTIN LEVELSUC LSuc #-}
346 | {-# BUILTIN LEVELMAX LMax #-}
347 | 
348 | data _==_ {l}{A : Set l}(x : A) : A -> Set l where
349 |   refl : x == x
350 | 
351 | {-# BUILTIN EQUALITY _==_ #-}
352 | {-# BUILTIN REFL refl #-}
353 | 
354 | infix 1 _==_ 
355 | 
356 | cong : forall {l l'}{A : Set l}{B : Set l'}(f : A -> B) {x y} -> x == y -> f x == f y
357 | cong f refl = refl
358 | 
359 | sym : forall {l}{A : Set l}{x y : A} -> x == y -> y == x
360 | sym refl = refl
361 | 
362 | trans : forall {l}{A : Set l}{x y z : A} -> x == y -> y == z -> x == z
363 | trans refl refl = refl
364 | 
365 | infix 2 _QED
366 | 
367 | _QED : forall {l}{A : Set l}(x : A) -> x == x
368 | x QED = refl
369 | 
370 | infixr 2 _==[_]_
371 | 
372 | infix 1 begin
373 | 
374 | _==[_]_ : forall {l}{A : Set l} (x : A) {y z} -> x == y -> y == z -> x == z
375 | _==[_]_ x xy yz = trans xy yz
376 | 
377 | begin : forall {l}{A : Set l}{x y : A} -> x == y -> x == y
378 | begin x = x
379 | 
380 | if_then_else_ : forall {A : Set} -> Bool -> A -> A -> A
381 | if True  then t else f = t
382 | if False then t else f = f
383 | \end{code}
384 | %endif
385 | 
386 | Now that we've defined a few datatypes and functions, let's turn to the question of how to 
387 | state and prove properties of their behavior. Actually, in a sense, we've already started 
388 | doing this: each time we use C-c C-n in the previous sections makes a precise claim about the behavior 
389 | of some function on some particular inputs. The proofs of these claims were always the same: 
390 | use |refl| --- that has type |x == x|, for each |x| --- to check that both sides of the = simplify to identical values.
391 | 
392 | The same sort of ``proof by simplification'' can be used to prove more interesting properties as well. 
393 | For example, the fact that 0 is a ``neutral element'' for |+| on the left can be proved just by 
394 | observing that |0 + n| reduces to |n| no matter what |n| is, a fact that can be read directly off the definition of |+|.
395 | 
396 | \begin{code}
397 | lemmaPlus0N : forall (n : Nat) -> 0 + n == n
398 | lemmaPlus0N n = refl
399 | \end{code}
400 | 
401 | Agda emacs mode uses some unicode notation for symbols. More information about unicode notation can be found at Agda wiki.
402 | 
403 | Agda follows the so-called \textit{Curry-Howard isomorphism} where types denote logical formulas and terms proofs. So, a proof
404 | of a theorem just correspond to a function whose type denotes the formula being proved by the term defining the function.
405 | 
406 | Note that we've added the quantifier |forall (n : Nat)|, so that our theorem talks about all natural numbers |n|. 
407 | In order to prove theorems of this form, we need to to be able to reason by assuming the existence of an arbitrary 
408 | natural number |n|. This is achieved in the proof by considering the quantified variable |n| as a function parameter, 
409 | putting it on the context as an hypothesis. With this, we can start the proof by saying "OK, suppose n is some arbitrary number."
410 | 
411 | Agda does not have tactics like Coq, so in order to prove theorems we need to fully construct terms with the type of the theorem
412 | being proved. The next definitions are simple examples of proofs:
413 | 
414 | \begin{code}
415 | lemmaPlus1L : forall (n : Nat) -> 1 + n == suc n
416 | lemmaPlus1L n = refl
417 | 
418 | lemmaMult0L : forall (n : Nat) -> 0 * n == 0
419 | lemmaMult0L n = refl
420 | \end{code}
421 | 
422 | \section{Proof by Rewriting}\label{rewriting}
423 | 
424 | Here is a slightly more interesting theorem:
425 | 
426 | \begin{spec}
427 | plusIdExample : forall (n m : Nat) -> n == m -> n + n == m + m
428 | \end{spec}
429 | 
430 | Instead of making a completely universal claim about all numbers n and m, 
431 | this theorem talks about a more specialized property that only holds when |n == m|. 
432 | The arrow symbol is pronounced ``implies.''
433 | As before, we need to be able to reason by assuming the existence of some numbers |n| 
434 | and |m|. We also need to assume the hypothesis |n == m|. 
435 | 
436 | Before we show the real proof of this little theorem, we need to learn how to use 
437 | Agda emacs mode in order to interactively construct proofs. When building a term, 
438 | we can use holes, ?, as parts of a term that will need to be filled with a type correct term
439 | in order to finish the definition. 
440 | Loading the file with |[C-c C-l]|, we find that Agda
441 | checks the unfinished program, turning the |?| into labelled braces,
442 | \begin{spec}
443 | plusIdExample : forall (n m : Nat) -> n == m -> n + n == m + m
444 | plusIdExample n m = (HOLE GAP 0)
445 | \end{spec}
446 | and tells us, in the information window,
447 | \begin{spec}
448 | ?0 : n == m -> n + n == m + m
449 | \end{spec}
450 | that the type of the `hole' corresponds to the return type we wrote.
451 | In order to prove this, we need to put the equality |n == m| in context
452 | to use it as an hypothesis. To this we can add another parameter to
453 | |plusIdExample| to represent the hypothesis of type |n == m|. 
454 | This can be expessed as:
455 | \begin{spec}
456 | plusIdExample : forall (n m : Nat) -> n == m -> n + n == m + m
457 | plusIdExample n m prf = (HOLE GAP 0)
458 | \end{spec}
459 | leaving the following hole:
460 | \begin{spec}
461 | ?0 : n + n == m + m
462 | \end{spec}
463 | To finish this proof we need to use the equality constructor |refl|, but
464 | the hole doesn't have the shape |x == x|. In order to make the hole type
465 | fit the |refl| type, we need to \textit{pattern match} on the proof that |n == m|.
466 | When the pattern matches occurs, the equality |n == m| is rewritten in the hole type,
467 | making it equal to |m + m == m + m| that matches |refl| type.
468 | 
469 | Agda mode can automate the generatiion of total pattern matching in definitions. Putting
470 | the variable on which we want to pattern match on the hole and pressing C-c C-c.
471 | 
472 | In this proof, we want to pattern match on the equality |n == m|, so we put the variable |prf|
473 | on the hole and trigger Agda mode case spliting:
474 | \begin{spec}
475 | plusIdExample : forall (n m : Nat) -> n == m -> n + n == m + m
476 | plusIdExample n m prf = {!prf!}
477 | \end{spec}
478 | Emacs will change the definition of |plusIdExample| to:
479 | \begin{spec}
480 | plusIdExample : forall (n m : Nat) -> n == m -> n + n == m + m
481 | plusIdExample .m m refl = {!!}
482 | \end{spec}
483 | in which the hole has the following type
484 | \begin{spec}
485 | ?0 : m + m == m + m
486 | \end{spec}
487 | that matches |refl| type. A important part of this definition is that the left-hand side of
488 | the definition has what we call a dotted pattern. Dotted patterns specify equality constraints
489 | to be used by the type checker of Agda, when verifying a term. In this example, the dotted pattern
490 | is used to specify that the first and the second argument of |plusIdExample| must be the same, in
491 | order to |refl| be valid.
492 | 
493 | To finish the proof, we can just type |refl| in the hole and press C-c C-g or use Agda mode 
494 | proof search search, by pressing C-c C-a.
495 | 
496 | \begin{code}
497 | plusIdExample : forall (n m : Nat) -> n == m -> n + n == m + m
498 | plusIdExample .m m refl = refl
499 | \end{code}
500 | 
501 | \begin{exe}[A simple equality proof]
502 | Prove the following simple equality:
503 | \begin{spec}
504 | plusIdExercice : forall (n m o : Nat) -> n == m -> m == o -> n + m == m + o
505 | plusIdExercice = (HOLE GAP 0)
506 | \end{spec}
507 | \end{exe}
508 | 
509 | Holes can be used whenever we want to skip trying to prove a theorem and just accept it as a given. 
510 | This can be useful for developing longer proofs, since we can state subsidiary facts that we believe will be 
511 | useful for making some larger argument, use holes to accept them on faith for the moment, 
512 | and continue thinking about the larger argument until we are sure it makes sense; then we can 
513 | go back and fill in the proofs we skipped. Be careful, when we leave unfinished terms we leave
514 | a door open for total nonsense to enter Agda's nice, rigorous, formally checked world!
515 | 
516 | As another example of equality proof, consider the following simple code piece:
517 | 
518 | \begin{code}
519 | mult0Plus : forall (n m : Nat) -> (0 + n) * m == n * m
520 | mult0Plus n m = refl
521 | \end{code}
522 | 
523 | Agda is able to determine that |(0 + n) * m| is definitionally equal to |n * m|, so we can just prove
524 | |mult0Plus| using |refl|.
525 | 
526 | \section{Proof by Case Analysis}\label{case-analysis}
527 | 
528 | Of course, not everything can be proved by simple calculation: In general, unknown, hypothetical 
529 | values (arbitrary numbers, booleans, lists, etc.) can block the calculation. For example, if we try 
530 | to prove the following fact using reduction as above, we get stuck.
531 | 
532 | \begin{spec}
533 | beqNatN+1=0 : forall (n : Nat) -> beqNat (n + 1) 0 == False
534 | beqNatN+1=0 n = (HOLE GAP 0)
535 | \end{spec}
536 | 
537 | The reason for this is that the definitions of both |beqNat| and |+| begin by performing a match on 
538 | their first argument. But here, the first argument to |+| is the unknown number |n| and the argument 
539 | to |beqNat| is the compound expression |n + 1|; neither can be simplified.
540 | 
541 | What we need is to be able to consider the possible forms of |n| separately. If |n| is |zero|, then we can 
542 | calculate the final result of |beqNat (n + 1) 0| and check that it is, indeed, false. And if |n == suc n'| 
543 | for some |n'|, then, although we don't know exactly what number |n + 1| yields, we can calculate that, 
544 | at least, it will begin with one |suc|, and this is enough to calculate that, again, |beqNat (n + 1) 0| 
545 | will yield |False|.
546 | 
547 | To consider, separately, the cases where |n == 0| and where |n == S n'| we can just pattern match on |n|,
548 | getting:
549 | 
550 | \begin{code}
551 | beqNatN+1=0 : forall (n : Nat) -> beqNat (n + 1) 0 == False
552 | beqNatN+1=0 zero    = refl
553 | beqNatN+1=0 (suc n) = refl
554 | \end{code}
555 | 
556 | Proofs by case analysis (pattern matching) works for any data type, like |Bool|:
557 | 
558 | \begin{code}
559 | notInvolutive : forall (b : Bool) -> not (not b) == b
560 | notInvolutive False = refl
561 | notInvolutive True  = refl
562 | \end{code}
563 | 
564 | \begin{exe}[Proof by case analysis]
565 | Prove the following simple fact:
566 | \begin{spec}
567 | zeroNBeq+1 : forall (n : Nat) -> beqNat 0 (n + 1) == False
568 | zeroNBeq+1 n = (HOLE GAP 0)
569 | \end{spec}
570 | \end{exe}
571 | 
572 | 
573 | \section{More Exercices}\label{more-exercices}
574 | 
575 | Use what you have learned so far to prove the following theorems.
576 | \begin{exe}
577 | Prove the following:
578 | \begin{spec}
579 | identityFnAppliedTwice : forall (f : Bool -> Bool)
580 |                          (forall (b : Bool) -> f x == x) -> forall (b : Bool) -> f (f b) == b
581 | identityFnAppliedTwice = (HOLE GAP 0)
582 | \end{spec}
583 | Now state and prove a theorem |negationFnAppliedTwice| similar to the previous one but where the second 
584 | hypothesis says that the function f has the property that f x = not x.
585 | \end{exe}
586 | 
587 | \begin{exe}
588 | Prove the following lemma. (You may want to first prove a subsidiary lemma or two.)
589 | \begin{spec}
590 | lemma : forall (b c : Bool) -> (and b c == or b c) -> b == c
591 | lemma = (HOLE GAP 0)
592 | \end{spec}
593 | \end{exe}
594 | 
595 | \begin{exe}[Binary Numbers]
596 | Consider a different, more efficient representation of natural numbers using a binary 
597 | rather than unary system. That is, instead of saying that each natural number is either 
598 | zero or the successor of a natural number, we can say that each binary number is either
599 | zero, twice a binary number, or one more than twice a binary number.
600 | \begin{enumerate}
601 |   \item  First, write an inductive definition of the type bin corresponding to this description of binary numbers.
602 |   \item  Next, write an increment function for binary numbers, and a function to convert binary numbers to unary numbers.
603 | \end{enumerate}
604 | \end{exe}
605 | 


--------------------------------------------------------------------------------
/natbib.bst:
--------------------------------------------------------------------------------
   1 | %% 
   2 | %% This is file `natbib.bst', generated 
   3 | %% on <1994/9/16> with the docstrip utility (2.2h).
   4 | %% 
   5 | %% The original source files were:
   6 | %% 
   7 | %% genbst.mbs  (with options: `ay,nat,seq-lab,nm-rev,dt-beg,yr-par,vol-bf,
   8 | %%                             volp-com,etal-it')
   9 | %% ---------------------------------------- 
  10 | %% *** Personal bib style, PWD *** 
  11 | %% 
  12 | %% (Here are the specifications of the source file)
  13 | %% \ProvidesFile{genbst.mbs}[1994/09/16 1.5 (PWD)]
  14 | %%   For use with BibTeX version 0.99a or later
  15 | %%     and with LaTeX 2.09 or 2e
  16 | %%-------------------------------------------------------------------
  17 | %% NOTICE:
  18 | %% This file may be used for non-profit purposes.
  19 | %% It may not be distributed in exchange for money,
  20 | %%   other than distribution costs.
  21 | %%
  22 | %% The author provides it `as is' and does not guarantee it in any way.
  23 | %%
  24 | %% Copyright (C) 1994 Patrick W. Daly
  25 | %% Max-Planck-Institut f\"ur Aeronomie
  26 | %% Postfach 20
  27 | %% D-37189 Katlenburg-Lindau
  28 | %% Germany
  29 | %%
  30 | %% E-mail:
  31 | %% SPAN--     nsp::linmpi::daly    (note nsp also known as ecd1)
  32 | %% Internet-- daly@linmpi.dnet.gwdg.de
  33 | %%-----------------------------------------------------------
  34 | %% \CharacterTable
  35 | %%  {Upper-case    \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z
  36 | %%   Lower-case    \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z
  37 | %%   Digits        \0\1\2\3\4\5\6\7\8\9
  38 | %%   Exclamation   \!     Double quote  \"     Hash (number) \#
  39 | %%   Dollar        \$     Percent       \%     Ampersand     \&
  40 | %%   Acute accent  \'     Left paren    \(     Right paren   \)
  41 | %%   Asterisk      \*     Plus          \+     Comma         \,
  42 | %%   Minus         \-     Point         \.     Solidus       \/
  43 | %%   Colon         \:     Semicolon     \;     Less than     \<
  44 | %%   Equals        \=     Greater than  \>     Question mark \?
  45 | %%   Commercial at \@     Left bracket  \[     Backslash     \\
  46 | %%   Right bracket \]     Circumflex    \^     Underscore    \_
  47 | %%   Grave accent  \`     Left brace    \{     Vertical bar  \|
  48 | %%   Right brace   \}     Tilde         \~}
  49 | %%---------------------------------------------------------------------
  50 |  % This is an author-year citation style bibliography. As such, it is
  51 |  % non-standard LaTeX, and requires a special package file to function properly.
  52 |  % Such a package is    natbib.sty   by Patrick W. Daly
  53 |  % The form of the \bibitem entries is
  54 |  %   \bibitem[Jones et al.(1990)]{key}...
  55 |  %   \bibitem[Jones et al.(1990)Jones, Baker, and Smith]{key}...
  56 |  % The essential feature is that the label (the part in brackets) consists
  57 |  % of the author names, as they should appear in the citation, with the year
  58 |  % in parentheses following. There must be no space before the opening
  59 |  % parenthesis!
  60 |  % With natbib v5.3, a full list of authors may also follow the year.
  61 |  % In natbib.sty, it is possible to define the type of enclosures that is
  62 |  % really wanted (brackets or parentheses), but in either case, there must
  63 |  % be parentheses in the label.
  64 |  % The \cite command functions as follows:
  65 |  %   \cite{key} ==>>                Jones et al. (1990)
  66 |  %   \cite[]{key} ==>>              (Jones et al., 1990)
  67 |  %   \cite[chap. 2]{key} ==>>       (Jones et al., 1990, chap. 2)
  68 |  %   \cite[e.g.][]{key} ==>>        (e.g. Jones et al., 1990)
  69 |  %   \cite[e.g.][p. 32]{key} ==>>   (e.g. Jones et al., p. 32)
  70 |  %   \citeauthor{key}               Jones et al.
  71 |  %   \citefullauthor{key}           Jones, Baker, and Smith
  72 |  %   \citeyear{key}                 1990
  73 | %%---------------------------------------------------------------------
  74 | 
  75 | ENTRY
  76 |   { address
  77 |     author
  78 |     booktitle
  79 |     chapter
  80 |     edition
  81 |     editor
  82 |     howpublished
  83 |     institution
  84 |     journal
  85 |     key
  86 |     month
  87 |     note
  88 |     number
  89 |     organization
  90 |     pages
  91 |     publisher
  92 |     school
  93 |     series
  94 |     title
  95 |     type
  96 |     volume
  97 |     year
  98 |   }
  99 |   {}
 100 |   { label extra.label sort.label }
 101 | 
 102 | INTEGERS { output.state before.all mid.sentence after.sentence after.block }
 103 | 
 104 | FUNCTION {init.state.consts}
 105 | { #0 'before.all :=
 106 |   #1 'mid.sentence :=
 107 |   #2 'after.sentence :=
 108 |   #3 'after.block :=
 109 | }
 110 | 
 111 | STRINGS { s t }
 112 | 
 113 | FUNCTION {output.nonnull}
 114 | { 's :=
 115 |   output.state mid.sentence =
 116 |     { ", " * write$ }
 117 |     { output.state after.block =
 118 |         { add.period$ write$
 119 |           newline$
 120 |           "\newblock " write$
 121 |         }
 122 |         { output.state before.all =
 123 |             'write$
 124 |             { add.period$ " " * write$ }
 125 |           if$
 126 |         }
 127 |       if$
 128 |       mid.sentence 'output.state :=
 129 |     }
 130 |   if$
 131 |   s
 132 | }
 133 | 
 134 | FUNCTION {output}
 135 | { duplicate$ empty$
 136 |     'pop$
 137 |     'output.nonnull
 138 |   if$
 139 | }
 140 | 
 141 | FUNCTION {output.check}
 142 | { 't :=
 143 |   duplicate$ empty$
 144 |     { pop$ "empty " t * " in " * cite$ * warning$ }
 145 |     'output.nonnull
 146 |   if$
 147 | }
 148 | 
 149 | FUNCTION {fin.entry}
 150 | { add.period$
 151 |   write$
 152 |   newline$
 153 | }
 154 | 
 155 | FUNCTION {new.block}
 156 | { output.state before.all =
 157 |     'skip$
 158 |     { after.block 'output.state := }
 159 |   if$
 160 | }
 161 | 
 162 | FUNCTION {new.sentence}
 163 | { output.state after.block =
 164 |     'skip$
 165 |     { output.state before.all =
 166 |         'skip$
 167 |         { after.sentence 'output.state := }
 168 |       if$
 169 |     }
 170 |   if$
 171 | }
 172 | 
 173 | FUNCTION {not}
 174 | {   { #0 }
 175 |     { #1 }
 176 |   if$
 177 | }
 178 | 
 179 | FUNCTION {and}
 180 | {   'skip$
 181 |     { pop$ #0 }
 182 |   if$
 183 | }
 184 | 
 185 | FUNCTION {or}
 186 | {   { pop$ #1 }
 187 |     'skip$
 188 |   if$
 189 | }
 190 | 
 191 | FUNCTION {non.stop}
 192 | { duplicate$
 193 |    "}" * add.period$
 194 |    #-1 #1 substring$ "." =
 195 | }
 196 | 
 197 | FUNCTION {new.block.checkb}
 198 | { empty$
 199 |   swap$ empty$
 200 |   and
 201 |     'skip$
 202 |     'new.block
 203 |   if$
 204 | }
 205 | 
 206 | FUNCTION {field.or.null}
 207 | { duplicate$ empty$
 208 |     { pop$ "" }
 209 |     'skip$
 210 |   if$
 211 | }
 212 | 
 213 | FUNCTION {emphasize}
 214 | { duplicate$ empty$
 215 |     { pop$ "" }
 216 |     { "{\em " swap$ * non.stop
 217 |         { "\/}" * }
 218 |         { "}" * }
 219 |       if$
 220 |     }
 221 |   if$
 222 | }
 223 | 
 224 | FUNCTION {bolden}
 225 | { duplicate$ empty$
 226 |     { pop$ "" }
 227 |     { "{\bf " swap$ * "}" * }
 228 |   if$
 229 | }
 230 | 
 231 | INTEGERS { nameptr namesleft numnames }
 232 | 
 233 | FUNCTION {format.names}
 234 | { 's :=
 235 |   #1 'nameptr :=
 236 |   s num.names$ 'numnames :=
 237 |   numnames 'namesleft :=
 238 |     { namesleft #0 > }
 239 |     { s nameptr
 240 |       "{vv~}{ll}{, jj}{, f.}" format.name$ 't :=
 241 |       nameptr #1 >
 242 |         {
 243 |           namesleft #1 >
 244 |             { ", " * t * }
 245 |             {
 246 |               numnames #2 >
 247 |                 { "," * }
 248 |                 'skip$
 249 |               if$
 250 |               t "others" =
 251 |                 { " " * "et~al." emphasize * }
 252 |                 { " and " * t * }
 253 |               if$
 254 |             }
 255 |           if$
 256 |         }
 257 |         't
 258 |       if$
 259 |       nameptr #1 + 'nameptr :=
 260 |       namesleft #1 - 'namesleft :=
 261 |     }
 262 |   while$
 263 | }
 264 | 
 265 | FUNCTION {format.names.ed}
 266 | { 's :=
 267 |   #1 'nameptr :=
 268 |   s num.names$ 'numnames :=
 269 |   numnames 'namesleft :=
 270 |     { namesleft #0 > }
 271 |     { s nameptr
 272 |       "{f.~}{vv~}{ll}{, jj}"
 273 |       format.name$ 't :=
 274 |       nameptr #1 >
 275 |         {
 276 |           namesleft #1 >
 277 |             { ", " * t * }
 278 |             {
 279 |               numnames #2 >
 280 |                 { "," * }
 281 |                 'skip$
 282 |               if$
 283 |               t "others" =
 284 |                 { " " * "et~al." emphasize * }
 285 |                 { " and " * t * }
 286 |               if$
 287 |             }
 288 |           if$
 289 |         }
 290 |         't
 291 |       if$
 292 |       nameptr #1 + 'nameptr :=
 293 |       namesleft #1 - 'namesleft :=
 294 |     }
 295 |   while$
 296 | }
 297 | 
 298 | FUNCTION {format.key}
 299 | { empty$
 300 |     { key field.or.null }
 301 |     { "" }
 302 |   if$
 303 | }
 304 | 
 305 | FUNCTION {format.authors}
 306 | { author empty$
 307 |     { "" }
 308 |     { author format.names }
 309 |   if$
 310 | }
 311 | 
 312 | FUNCTION {format.editors}
 313 | { editor empty$
 314 |     { "" }
 315 |     { editor format.names
 316 |       editor num.names$ #1 >
 317 |         { ", editors" * }
 318 |         { ", editor" * }
 319 |       if$
 320 |     }
 321 |   if$
 322 | }
 323 | 
 324 | FUNCTION {format.in.editors}
 325 | { editor empty$
 326 |     { "" }
 327 |     { editor format.names.ed
 328 |       editor num.names$ #1 >
 329 |         { ", editors" * }
 330 |         { ", editor" * }
 331 |       if$
 332 |     }
 333 |   if$
 334 | }
 335 | 
 336 | FUNCTION {format.title}
 337 | { title empty$
 338 |     { "" }
 339 |     { title "t" change.case$
 340 |     }
 341 |   if$
 342 | }
 343 | 
 344 | FUNCTION {format.full.names}
 345 | {'s :=
 346 |   #1 'nameptr :=
 347 |   s num.names$ 'numnames :=
 348 |   numnames 'namesleft :=
 349 |     { namesleft #0 > }
 350 |     { s nameptr
 351 |       "{vv~}{ll}" format.name$ 't :=
 352 |       nameptr #1 >
 353 |         {
 354 |           namesleft #1 >
 355 |             { ", " * t * }
 356 |             {
 357 |               numnames #2 >
 358 |                 { "," * }
 359 |                 'skip$
 360 |               if$
 361 |               t "others" =
 362 |                 { " " * "et~al." emphasize * }
 363 |                 { " and " * t * }
 364 |               if$
 365 |             }
 366 |           if$
 367 |         }
 368 |         't
 369 |       if$
 370 |       nameptr #1 + 'nameptr :=
 371 |       namesleft #1 - 'namesleft :=
 372 |     }
 373 |   while$
 374 | }
 375 | 
 376 | FUNCTION {author.editor.key.full}
 377 | { author empty$
 378 |     { editor empty$
 379 |         { key empty$
 380 |             { cite$ #1 #3 substring$ }
 381 |             'key
 382 |           if$
 383 |         }
 384 |         { editor format.full.names }
 385 |       if$
 386 |     }
 387 |     { author format.full.names }
 388 |   if$
 389 | }
 390 | 
 391 | FUNCTION {author.key.full}
 392 | { author empty$
 393 |     { key empty$
 394 |          { cite$ #1 #3 substring$ }
 395 |           'key
 396 |       if$
 397 |     }
 398 |     { author format.full.names }
 399 |   if$
 400 | }
 401 | 
 402 | FUNCTION {editor.key.full}
 403 | { editor empty$
 404 |     { key empty$
 405 |          { cite$ #1 #3 substring$ }
 406 |           'key
 407 |       if$
 408 |     }
 409 |     { editor format.full.names }
 410 |   if$
 411 | }
 412 | 
 413 | FUNCTION {make.full.names}
 414 | { type$ "book" =
 415 |   type$ "inbook" =
 416 |   or
 417 |     'author.editor.key.full
 418 |     { type$ "proceedings" =
 419 |         'editor.key.full
 420 |         'author.key.full
 421 |       if$
 422 |     }
 423 |   if$
 424 | }
 425 | 
 426 | FUNCTION {output.bibitem}
 427 | { newline$
 428 |   "\bibitem[" write$
 429 |   label write$
 430 |   ")" make.full.names * "]{" * write$
 431 |   cite$ write$
 432 |   "}" write$
 433 |   newline$
 434 |   ""
 435 |   before.all 'output.state :=
 436 | }
 437 | 
 438 | FUNCTION {n.dashify}
 439 | { 't :=
 440 |   ""
 441 |     { t empty$ not }
 442 |     { t #1 #1 substring$ "-" =
 443 |         { t #1 #2 substring$ "--" = not
 444 |             { "--" *
 445 |               t #2 global.max$ substring$ 't :=
 446 |             }
 447 |             {   { t #1 #1 substring$ "-" = }
 448 |                 { "-" *
 449 |                   t #2 global.max$ substring$ 't :=
 450 |                 }
 451 |               while$
 452 |             }
 453 |           if$
 454 |         }
 455 |         { t #1 #1 substring$ *
 456 |           t #2 global.max$ substring$ 't :=
 457 |         }
 458 |       if$
 459 |     }
 460 |   while$
 461 | }
 462 | 
 463 | FUNCTION {word.in}
 464 | { "In " }
 465 | 
 466 | FUNCTION {format.date}
 467 | { year duplicate$ empty$
 468 |     { "empty year in " cite$ * "; set to ????" * warning$
 469 |        pop$ "????" }
 470 |     'skip$
 471 |   if$
 472 |   before.all 'output.state :=
 473 |   " (" swap$ * extra.label * ")" *
 474 | }
 475 | 
 476 | FUNCTION {format.btitle}
 477 | { title emphasize
 478 | }
 479 | 
 480 | FUNCTION {tie.or.space.connect}
 481 | { duplicate$ text.length$ #3 <
 482 |     { "~" }
 483 |     { " " }
 484 |   if$
 485 |   swap$ * *
 486 | }
 487 | 
 488 | FUNCTION {either.or.check}
 489 | { empty$
 490 |     'pop$
 491 |     { "can't use both " swap$ * " fields in " * cite$ * warning$ }
 492 |   if$
 493 | }
 494 | 
 495 | FUNCTION {format.bvolume}
 496 | { volume empty$
 497 |     { "" }
 498 |     { "volume" volume tie.or.space.connect
 499 |       series empty$
 500 |         'skip$
 501 |         { " of " * series emphasize * }
 502 |       if$
 503 |       "volume and number" number either.or.check
 504 |     }
 505 |   if$
 506 | }
 507 | 
 508 | FUNCTION {format.number.series}
 509 | { volume empty$
 510 |     { number empty$
 511 |         { series field.or.null }
 512 |         { output.state mid.sentence =
 513 |             { "number" }
 514 |             { "Number" }
 515 |           if$
 516 |           number tie.or.space.connect
 517 |           series empty$
 518 |             { "there's a number but no series in " cite$ * warning$ }
 519 |             { " in " * series * }
 520 |           if$
 521 |         }
 522 |       if$
 523 |     }
 524 |     { "" }
 525 |   if$
 526 | }
 527 | 
 528 | FUNCTION {format.edition}
 529 | { edition empty$
 530 |     { "" }
 531 |     { output.state mid.sentence =
 532 |         { edition "l" change.case$ " edition" * }
 533 |         { edition "t" change.case$ " edition" * }
 534 |       if$
 535 |     }
 536 |   if$
 537 | }
 538 | 
 539 | INTEGERS { multiresult }
 540 | 
 541 | FUNCTION {multi.page.check}
 542 | { 't :=
 543 |   #0 'multiresult :=
 544 |     { multiresult not
 545 |       t empty$ not
 546 |       and
 547 |     }
 548 |     { t #1 #1 substring$
 549 |       duplicate$ "-" =
 550 |       swap$ duplicate$ "," =
 551 |       swap$ "+" =
 552 |       or or
 553 |         { #1 'multiresult := }
 554 |         { t #2 global.max$ substring$ 't := }
 555 |       if$
 556 |     }
 557 |   while$
 558 |   multiresult
 559 | }
 560 | 
 561 | FUNCTION {format.pages}
 562 | { pages empty$
 563 |     { "" }
 564 |     { pages multi.page.check
 565 |         { "pages" pages n.dashify tie.or.space.connect }
 566 |         { "page" pages tie.or.space.connect }
 567 |       if$
 568 |     }
 569 |   if$
 570 | }
 571 | 
 572 | FUNCTION {format.vol.num.pages}
 573 | { volume field.or.null
 574 |   bolden
 575 |   number empty$
 576 |     'skip$
 577 |     { "(" number * ")" * *
 578 |       volume empty$
 579 |         { "there's a number but no volume in " cite$ * warning$ }
 580 |         'skip$
 581 |       if$
 582 |     }
 583 |   if$
 584 |   pages empty$
 585 |     'skip$
 586 |     { duplicate$ empty$
 587 |         { pop$ format.pages }
 588 |         { ", " * pages n.dashify * }
 589 |       if$
 590 |     }
 591 |   if$
 592 | }
 593 | 
 594 | FUNCTION {format.chapter.pages}
 595 | { chapter empty$
 596 |     'format.pages
 597 |     { type empty$
 598 |         { "chapter" }
 599 |         { type "l" change.case$ }
 600 |       if$
 601 |       chapter tie.or.space.connect
 602 |       pages empty$
 603 |         'skip$
 604 |         { ", " * format.pages * }
 605 |       if$
 606 |     }
 607 |   if$
 608 | }
 609 | 
 610 | FUNCTION {format.in.ed.booktitle}
 611 | { booktitle empty$
 612 |     { "" }
 613 |     { editor empty$
 614 |         { word.in booktitle emphasize * }
 615 |         { word.in format.in.editors * ", " * booktitle emphasize * }
 616 |       if$
 617 |     }
 618 |   if$
 619 | }
 620 | 
 621 | FUNCTION {format.thesis.type}
 622 | { type empty$
 623 |     'skip$
 624 |     { pop$
 625 |       type "t" change.case$
 626 |     }
 627 |   if$
 628 | }
 629 | 
 630 | FUNCTION {format.tr.number}
 631 | { type empty$
 632 |     { "Technical Report" }
 633 |     'type
 634 |   if$
 635 |   number empty$
 636 |     { "t" change.case$ }
 637 |     { number tie.or.space.connect }
 638 |   if$
 639 | }
 640 | 
 641 | FUNCTION {format.article.crossref}
 642 | {
 643 |   word.in
 644 |   "\cite{" * crossref * "}" *
 645 | }
 646 | 
 647 | FUNCTION {format.book.crossref}
 648 | { volume empty$
 649 |     { "empty volume in " cite$ * "'s crossref of " * crossref * warning$
 650 |       word.in
 651 |     }
 652 |     { "Volume" volume tie.or.space.connect
 653 |       " of " *
 654 |     }
 655 |   if$
 656 |   "\cite{" * crossref * "}" *
 657 | }
 658 | 
 659 | FUNCTION {format.incoll.inproc.crossref}
 660 | {
 661 |   word.in
 662 |   "\cite{" * crossref * "}" *
 663 | }
 664 | 
 665 | FUNCTION {article}
 666 | { output.bibitem
 667 |   format.authors "author" output.check
 668 |   author format.key output
 669 |   format.date "year" output.check
 670 |   new.block
 671 |   format.title "title" output.check
 672 |   new.block
 673 |   crossref missing$
 674 |     { journal emphasize "journal" output.check
 675 |       format.vol.num.pages output
 676 |     }
 677 |     { format.article.crossref output.nonnull
 678 |       format.pages output
 679 |     }
 680 |   if$
 681 |   new.block
 682 |   note output
 683 |   fin.entry
 684 | }
 685 | 
 686 | FUNCTION {book}
 687 | { output.bibitem
 688 |   author empty$
 689 |     { format.editors "author and editor" output.check
 690 |       editor format.key output
 691 |     }
 692 |     { format.authors output.nonnull
 693 |       crossref missing$
 694 |         { "author and editor" editor either.or.check }
 695 |         'skip$
 696 |       if$
 697 |     }
 698 |   if$
 699 |   format.date "year" output.check
 700 |   new.block
 701 |   format.btitle "title" output.check
 702 |   crossref missing$
 703 |     { format.bvolume output
 704 |       new.block
 705 |       format.number.series output
 706 |       new.sentence
 707 |       publisher "publisher" output.check
 708 |       address output
 709 |     }
 710 |     {
 711 |       new.block
 712 |       format.book.crossref output.nonnull
 713 |     }
 714 |   if$
 715 |   format.edition output
 716 |   new.block
 717 |   note output
 718 |   fin.entry
 719 | }
 720 | 
 721 | FUNCTION {booklet}
 722 | { output.bibitem
 723 |   format.authors output
 724 |   author format.key output
 725 |   format.date "year" output.check
 726 |   new.block
 727 |   format.title "title" output.check
 728 |   new.block
 729 |   howpublished output
 730 |   address output
 731 |   new.block
 732 |   note output
 733 |   fin.entry
 734 | }
 735 | 
 736 | FUNCTION {inbook}
 737 | { output.bibitem
 738 |   author empty$
 739 |     { format.editors "author and editor" output.check
 740 |       editor format.key output
 741 |     }
 742 |     { format.authors output.nonnull
 743 |       crossref missing$
 744 |         { "author and editor" editor either.or.check }
 745 |         'skip$
 746 |       if$
 747 |     }
 748 |   if$
 749 |   format.date "year" output.check
 750 |   new.block
 751 |   format.btitle "title" output.check
 752 |   crossref missing$
 753 |     { format.bvolume output
 754 |       format.chapter.pages "chapter and pages" output.check
 755 |       new.block
 756 |       format.number.series output
 757 |       new.sentence
 758 |       publisher "publisher" output.check
 759 |       address output
 760 |     }
 761 |     { format.chapter.pages "chapter and pages" output.check
 762 |       new.block
 763 |       format.book.crossref output.nonnull
 764 |     }
 765 |   if$
 766 |   format.edition output
 767 |   new.block
 768 |   note output
 769 |   fin.entry
 770 | }
 771 | 
 772 | FUNCTION {incollection}
 773 | { output.bibitem
 774 |   format.authors "author" output.check
 775 |   author format.key output
 776 |   format.date "year" output.check
 777 |   new.block
 778 |   format.title "title" output.check
 779 |   new.block
 780 |   crossref missing$
 781 |     { format.in.ed.booktitle "booktitle" output.check
 782 |       format.bvolume output
 783 |       format.number.series output
 784 |       format.chapter.pages output
 785 |       new.sentence
 786 |       publisher "publisher" output.check
 787 |       address output
 788 |       format.edition output
 789 |     }
 790 |     { format.incoll.inproc.crossref output.nonnull
 791 |       format.chapter.pages output
 792 |     }
 793 |   if$
 794 |   new.block
 795 |   note output
 796 |   fin.entry
 797 | }
 798 | 
 799 | FUNCTION {inproceedings}
 800 | { output.bibitem
 801 |   format.authors "author" output.check
 802 |   author format.key output
 803 |   format.date "year" output.check
 804 |   new.block
 805 |   format.title "title" output.check
 806 |   new.block
 807 |   crossref missing$
 808 |     { format.in.ed.booktitle "booktitle" output.check
 809 |       format.bvolume output
 810 |       format.number.series output
 811 |       format.pages output
 812 |       address output
 813 |       new.sentence
 814 |       organization output
 815 |       publisher output
 816 |     }
 817 |     { format.incoll.inproc.crossref output.nonnull
 818 |       format.pages output
 819 |     }
 820 |   if$
 821 |   new.block
 822 |   note output
 823 |   fin.entry
 824 | }
 825 | 
 826 | FUNCTION {conference} { inproceedings }
 827 | 
 828 | FUNCTION {manual}
 829 | { output.bibitem
 830 |   format.authors output
 831 |   author format.key output
 832 |   format.date "year" output.check
 833 |   new.block
 834 |   format.btitle "title" output.check
 835 |   organization address new.block.checkb
 836 |   organization output
 837 |   address output
 838 |   format.edition output
 839 |   new.block
 840 |   note output
 841 |   fin.entry
 842 | }
 843 | 
 844 | FUNCTION {mastersthesis}
 845 | { output.bibitem
 846 |   format.authors "author" output.check
 847 |   author format.key output
 848 |   format.date "year" output.check
 849 |   new.block
 850 |   format.btitle "title" output.check
 851 |   new.block
 852 |   "Master's thesis" format.thesis.type output.nonnull
 853 |   school "school" output.check
 854 |   address output
 855 |   new.block
 856 |   note output
 857 |   fin.entry
 858 | }
 859 | 
 860 | FUNCTION {misc}
 861 | { output.bibitem
 862 |   format.authors output
 863 |   author format.key output
 864 |   format.date "year" output.check
 865 |   new.block
 866 |   format.title output
 867 |   new.block
 868 |   howpublished output
 869 |   new.block
 870 |   note output
 871 |   fin.entry
 872 | }
 873 | 
 874 | FUNCTION {phdthesis}
 875 | { output.bibitem
 876 |   format.authors "author" output.check
 877 |   author format.key output
 878 |   format.date "year" output.check
 879 |   new.block
 880 |   format.btitle "title" output.check
 881 |   new.block
 882 |   "Ph.D. thesis" format.thesis.type output.nonnull
 883 |   school "school" output.check
 884 |   address output
 885 |   new.block
 886 |   note output
 887 |   fin.entry
 888 | }
 889 | 
 890 | FUNCTION {proceedings}
 891 | { output.bibitem
 892 |   format.editors output
 893 |   editor format.key output
 894 |   format.date "year" output.check
 895 |   new.block
 896 |   format.btitle "title" output.check
 897 |   format.bvolume output
 898 |   format.number.series output
 899 |   address output
 900 |   new.sentence
 901 |   organization output
 902 |   publisher output
 903 |   new.block
 904 |   note output
 905 |   fin.entry
 906 | }
 907 | 
 908 | FUNCTION {techreport}
 909 | { output.bibitem
 910 |   format.authors "author" output.check
 911 |   author format.key output
 912 |   format.date "year" output.check
 913 |   new.block
 914 |   format.title "title" output.check
 915 |   new.block
 916 |   format.tr.number output.nonnull
 917 |   institution "institution" output.check
 918 |   address output
 919 |   new.block
 920 |   note output
 921 |   fin.entry
 922 | }
 923 | 
 924 | FUNCTION {unpublished}
 925 | { output.bibitem
 926 |   format.authors "author" output.check
 927 |   author format.key output
 928 |   format.date "year" output.check
 929 |   new.block
 930 |   format.title "title" output.check
 931 |   new.block
 932 |   note "note" output.check
 933 |   fin.entry
 934 | }
 935 | 
 936 | FUNCTION {default.type} { misc }
 937 | 
 938 | MACRO {jan} {"January"}
 939 | 
 940 | MACRO {feb} {"February"}
 941 | 
 942 | MACRO {mar} {"March"}
 943 | 
 944 | MACRO {apr} {"April"}
 945 | 
 946 | MACRO {may} {"May"}
 947 | 
 948 | MACRO {jun} {"June"}
 949 | 
 950 | MACRO {jul} {"July"}
 951 | 
 952 | MACRO {aug} {"August"}
 953 | 
 954 | MACRO {sep} {"September"}
 955 | 
 956 | MACRO {oct} {"October"}
 957 | 
 958 | MACRO {nov} {"November"}
 959 | 
 960 | MACRO {dec} {"December"}
 961 | 
 962 | MACRO {acmcs} {"ACM Computing Surveys"}
 963 | 
 964 | MACRO {acta} {"Acta Informatica"}
 965 | 
 966 | MACRO {cacm} {"Communications of the ACM"}
 967 | 
 968 | MACRO {ibmjrd} {"IBM Journal of Research and Development"}
 969 | 
 970 | MACRO {ibmsj} {"IBM Systems Journal"}
 971 | 
 972 | MACRO {ieeese} {"IEEE Transactions on Software Engineering"}
 973 | 
 974 | MACRO {ieeetc} {"IEEE Transactions on Computers"}
 975 | 
 976 | MACRO {ieeetcad}
 977 |  {"IEEE Transactions on Computer-Aided Design of Integrated Circuits"}
 978 | 
 979 | MACRO {ipl} {"Information Processing Letters"}
 980 | 
 981 | MACRO {jacm} {"Journal of the ACM"}
 982 | 
 983 | MACRO {jcss} {"Journal of Computer and System Sciences"}
 984 | 
 985 | MACRO {scp} {"Science of Computer Programming"}
 986 | 
 987 | MACRO {sicomp} {"SIAM Journal on Computing"}
 988 | 
 989 | MACRO {tocs} {"ACM Transactions on Computer Systems"}
 990 | 
 991 | MACRO {tods} {"ACM Transactions on Database Systems"}
 992 | 
 993 | MACRO {tog} {"ACM Transactions on Graphics"}
 994 | 
 995 | MACRO {toms} {"ACM Transactions on Mathematical Software"}
 996 | 
 997 | MACRO {toois} {"ACM Transactions on Office Information Systems"}
 998 | 
 999 | MACRO {toplas} {"ACM Transactions on Programming Languages and Systems"}
1000 | 
1001 | MACRO {tcs} {"Theoretical Computer Science"}
1002 | 
1003 | READ
1004 | 
1005 | FUNCTION {sortify}
1006 | { purify$
1007 |   "l" change.case$
1008 | }
1009 | 
1010 | INTEGERS { len }
1011 | 
1012 | FUNCTION {chop.word}
1013 | { 's :=
1014 |   'len :=
1015 |   s #1 len substring$ =
1016 |     { s len #1 + global.max$ substring$ }
1017 |     's
1018 |   if$
1019 | }
1020 | 
1021 | FUNCTION {format.lab.names}
1022 | { 's :=
1023 |   s #1 "{vv~}{ll}" format.name$
1024 |   s num.names$ duplicate$
1025 |   #2 >
1026 |     { pop$ " " * "et~al." emphasize * }
1027 |     { #2 <
1028 |         'skip$
1029 |         { s #2 "{ff }{vv }{ll}{ jj}" format.name$ "others" =
1030 |             { " " * "et~al." emphasize * }
1031 |             { " and " * s #2 "{vv~}{ll}" format.name$ * }
1032 |           if$
1033 |         }
1034 |       if$
1035 |     }
1036 |   if$
1037 | }
1038 | 
1039 | FUNCTION {author.key.label}
1040 | { author empty$
1041 |     { key empty$
1042 |         { cite$ #1 #3 substring$ }
1043 |         'key
1044 |       if$
1045 |     }
1046 |     { author format.lab.names }
1047 |   if$
1048 | }
1049 | 
1050 | FUNCTION {author.editor.key.label}
1051 | { author empty$
1052 |     { editor empty$
1053 |         { key empty$
1054 |             { cite$ #1 #3 substring$ }
1055 |             'key
1056 |           if$
1057 |         }
1058 |         { editor format.lab.names }
1059 |       if$
1060 |     }
1061 |     { author format.lab.names }
1062 |   if$
1063 | }
1064 | 
1065 | FUNCTION {editor.key.label}
1066 | { editor empty$
1067 |     { key empty$
1068 |         { cite$ #1 #3 substring$ }
1069 |         'key
1070 |       if$
1071 |     }
1072 |     { editor format.lab.names }
1073 |   if$
1074 | }
1075 | 
1076 | FUNCTION {calc.label}
1077 | { type$ "book" =
1078 |   type$ "inbook" =
1079 |   or
1080 |     'author.editor.key.label
1081 |     { type$ "proceedings" =
1082 |         'editor.key.label
1083 |         'author.key.label
1084 |       if$
1085 |     }
1086 |   if$
1087 |   "("
1088 |   *
1089 |   year duplicate$ empty$
1090 |      { pop$ "????" }
1091 |      { purify$ #-1 #4 substring$ }
1092 |   if$
1093 |   *
1094 |   'label :=
1095 | }
1096 | 
1097 | FUNCTION {sort.format.names}
1098 | { 's :=
1099 |   #1 'nameptr :=
1100 |   ""
1101 |   s num.names$ 'numnames :=
1102 |   numnames 'namesleft :=
1103 |     { namesleft #0 > }
1104 |     { nameptr #1 >
1105 |         { "   " * }
1106 |         'skip$
1107 |       if$
1108 |       s nameptr
1109 |       "{vv{ } }{ll{ }}{  f{ }}{  jj{ }}"
1110 |       format.name$ 't :=
1111 |       nameptr numnames = t "others" = and
1112 |         { "et al" * }
1113 |         { numnames #2 > nameptr #2 = and
1114 |           { "zzzzzz" * #1 'namesleft := }
1115 |           { t sortify * }
1116 |         if$
1117 |         }
1118 |       if$
1119 |       nameptr #1 + 'nameptr :=
1120 |       namesleft #1 - 'namesleft :=
1121 |     }
1122 |   while$
1123 | }
1124 | 
1125 | FUNCTION {sort.format.title}
1126 | { 't :=
1127 |   "A " #2
1128 |     "An " #3
1129 |       "The " #4 t chop.word
1130 |     chop.word
1131 |   chop.word
1132 |   sortify
1133 |   #1 global.max$ substring$
1134 | }
1135 | 
1136 | FUNCTION {author.sort}
1137 | { author empty$
1138 |     { key empty$
1139 |         { "to sort, need author or key in " cite$ * warning$
1140 |           ""
1141 |         }
1142 |         { key sortify }
1143 |       if$
1144 |     }
1145 |     { author sort.format.names }
1146 |   if$
1147 | }
1148 | 
1149 | FUNCTION {author.editor.sort}
1150 | { author empty$
1151 |     { editor empty$
1152 |         { key empty$
1153 |             { "to sort, need author, editor, or key in " cite$ * warning$
1154 |               ""
1155 |             }
1156 |             { key sortify }
1157 |           if$
1158 |         }
1159 |         { editor sort.format.names }
1160 |       if$
1161 |     }
1162 |     { author sort.format.names }
1163 |   if$
1164 | }
1165 | 
1166 | FUNCTION {editor.sort}
1167 | { editor empty$
1168 |     { key empty$
1169 |         { "to sort, need editor or key in " cite$ * warning$
1170 |           ""
1171 |         }
1172 |         { key sortify }
1173 |       if$
1174 |     }
1175 |     { editor sort.format.names }
1176 |   if$
1177 | }
1178 | 
1179 | FUNCTION {presort}
1180 | { calc.label
1181 |   label sortify
1182 |   "    "
1183 |   *
1184 |   type$ "book" =
1185 |   type$ "inbook" =
1186 |   or
1187 |     'author.editor.sort
1188 |     { type$ "proceedings" =
1189 |         'editor.sort
1190 |         'author.sort
1191 |       if$
1192 |     }
1193 |   if$
1194 |   #1 entry.max$ substring$
1195 |   'sort.label :=
1196 |   sort.label
1197 |   *
1198 |   "    "
1199 |   *
1200 |   title field.or.null
1201 |   sort.format.title
1202 |   *
1203 |   #1 entry.max$ substring$
1204 |   'sort.key$ :=
1205 | }
1206 | 
1207 | ITERATE {presort}
1208 | 
1209 | SORT
1210 | 
1211 | STRINGS { last.label next.extra }
1212 | 
1213 | INTEGERS { last.extra.num }
1214 | 
1215 | FUNCTION {initialize.extra.label.stuff}
1216 | { #0 int.to.chr$ 'last.label :=
1217 |   "" 'next.extra :=
1218 |   #0 'last.extra.num :=
1219 | }
1220 | 
1221 | FUNCTION {forward.pass}
1222 | { last.label label =
1223 |     { last.extra.num #1 + 'last.extra.num :=
1224 |       last.extra.num int.to.chr$ 'extra.label :=
1225 |     }
1226 |     { "a" chr.to.int$ 'last.extra.num :=
1227 |       "" 'extra.label :=
1228 |       label 'last.label :=
1229 |     }
1230 |   if$
1231 | }
1232 | 
1233 | FUNCTION {reverse.pass}
1234 | { next.extra "b" =
1235 |     { "a" 'extra.label := }
1236 |     'skip$
1237 |   if$
1238 |   extra.label 'next.extra :=
1239 |   label extra.label * 'label :=
1240 | }
1241 | 
1242 | EXECUTE {initialize.extra.label.stuff}
1243 | 
1244 | ITERATE {forward.pass}
1245 | 
1246 | REVERSE {reverse.pass}
1247 | 
1248 | FUNCTION {bib.sort.order}
1249 | { sort.label
1250 |   "    "
1251 |   *
1252 |   year field.or.null sortify
1253 |   *
1254 |   "    "
1255 |   *
1256 |   title field.or.null
1257 |   sort.format.title
1258 |   *
1259 |   #1 entry.max$ substring$
1260 |   'sort.key$ :=
1261 | }
1262 | 
1263 | ITERATE {bib.sort.order}
1264 | 
1265 | SORT
1266 | 
1267 | FUNCTION {begin.bib}
1268 | { preamble$ empty$
1269 |     'skip$
1270 |     { preamble$ write$ newline$ }
1271 |   if$
1272 |   "\begin{thebibliography}{}" write$ newline$
1273 | }
1274 | 
1275 | EXECUTE {begin.bib}
1276 | 
1277 | EXECUTE {init.state.consts}
1278 | 
1279 | ITERATE {call.type$}
1280 | 
1281 | FUNCTION {end.bib}
1282 | { newline$
1283 |   "\end{thebibliography}" write$ newline$
1284 | }
1285 | 
1286 | EXECUTE {end.bib}
1287 | %% End of customized bst file 
1288 | 


--------------------------------------------------------------------------------