-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathMaps.v
385 lines (305 loc) · 14 KB
/
Maps.v
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
(** * Maps: Total and Partial Maps *)
(** _Maps_ (or _dictionaries_) are ubiquitous data structures both
generally and in the theory of programming languages in
particular; we're going to need them in many places in the coming
chapters. They also make a nice case study using ideas we've seen
in previous chapters, including building data structures out of
higher-order functions (from [Basics] and [Poly]) and the use of
reflection to streamline proofs (from [IndProp]).
We'll define two flavors of maps: _total_ maps, which include a
"default" element to be returned when a key being looked up
doesn't exist, and _partial_ maps, which return an [option] to
indicate success or failure. The latter is defined in terms of
the former, using [None] as the default element. *)
(* ################################################################# *)
(** * The Coq Standard Library *)
(** One small digression before we begin...
Unlike the chapters we have seen so far, this one does not
[Require Import] the chapter before it (and, transitively, all the
earlier chapters). Instead, in this chapter and from now, on
we're going to import the definitions and theorems we need
directly from Coq's standard library stuff. You should not notice
much difference, though, because we've been careful to name our
own definitions and theorems the same as their counterparts in the
standard library, wherever they overlap. *)
Require Import Coq.Arith.Arith.
Require Import Coq.Bool.Bool.
Require Export Coq.Strings.String.
Require Import Coq.Logic.FunctionalExtensionality.
Require Import Coq.Lists.List.
Import ListNotations.
(** Documentation for the standard library can be found at
http://coq.inria.fr/library/.
The [Search] command is a good way to look for theorems involving
objects of specific types. Take a minute now to experiment with it. *)
(* ################################################################# *)
(** * Identifiers *)
(** First, we need a type for the keys that we use to index into our
maps. For this purpose, we will simply use plain [string]s. *)
(** To compare strings, we define the function [beq_string], which
internally uses the function [string_dec] from Coq's string library.
We then establish its fundamental properties. *)
Definition beq_string x y :=
if string_dec x y then true else false.
(** (The function [string_dec] comes from Coq's string library.
If you check the result type of [string_dec], you'll see that it
does not actually return a [bool], but rather a type that looks
like [{x = y} + {x <> y}], called a [sumbool], which can be
thought of as an "evidence-carrying boolean." Formally, an
element of [sumbool] is either a proof that two things are equal
or a proof that they are unequal, together with a tag indicating
which. But for present purposes you can think of it as just a
fancy [bool].) *)
Theorem beq_string_refl : forall s, true = beq_string s s.
Proof. intros s. unfold beq_string. destruct (string_dec s s) as [|Hs].
- reflexivity.
- destruct Hs. reflexivity.
Qed.
(** The following useful property of [beq_string] follows from an
analogous lemma about strings: *)
Theorem beq_string_true_iff : forall x y : string,
beq_string x y = true <-> x = y.
Proof.
intros x y.
unfold beq_string.
destruct (string_dec x y) as [|Hs].
- subst. split. reflexivity. reflexivity.
- split.
+ intros contra. inversion contra.
+ intros H. inversion H. subst. destruct Hs. reflexivity.
Qed.
(** Similarly: *)
Theorem beq_string_false_iff : forall x y : string,
beq_string x y = false
<-> x <> y.
Proof.
intros x y. rewrite <- beq_string_true_iff.
rewrite not_true_iff_false. reflexivity. Qed.
(** This useful variant follows just by rewriting: *)
Theorem false_beq_string : forall x y : string,
x <> y -> beq_string x y = false.
Proof.
intros x y. rewrite beq_string_false_iff.
intros H. apply H. Qed.
(* ################################################################# *)
(** * Total Maps *)
(** Our main job in this chapter will be to build a definition of
partial maps that is similar in behavior to the one we saw in the
[Lists] chapter, plus accompanying lemmas about its behavior.
This time around, though, we're going to use _functions_, rather
than lists of key-value pairs, to build maps. The advantage of
this representation is that it offers a more _extensional_ view of
maps, where two maps that respond to queries in the same way will
be represented as literally the same thing (the very same function),
rather than just "equivalent" data structures. This, in turn,
simplifies proofs that use maps. *)
(** We build partial maps in two steps. First, we define a type of
_total maps_ that return a default value when we look up a key
that is not present in the map. *)
Definition total_map (A:Type) := string -> A.
(** Intuitively, a total map over an element type [A] is just a
function that can be used to look up [string]s, yielding [A]s. *)
(** The function [t_empty] yields an empty total map, given a default
element; this map always returns the default element when applied
to any string. *)
Definition t_empty {A:Type} (v : A) : total_map A :=
(fun _ => v).
(** More interesting is the [update] function, which (as before) takes
a map [m], a key [x], and a value [v] and returns a new map that
takes [x] to [v] and takes every other key to whatever [m] does. *)
Definition t_update {A:Type} (m : total_map A)
(x : string) (v : A) :=
fun x' => if beq_string x x' then v else m x'.
(** This definition is a nice example of higher-order programming:
[t_update] takes a _function_ [m] and yields a new function
[fun x' => ...] that behaves like the desired map. *)
(** For example, we can build a map taking [string]s to [bool]s, where
["foo"] and ["bar"] are mapped to [true] and every other key is
mapped to [false], like this: *)
Definition examplemap :=
t_update (t_update (t_empty false) "foo" true)
"bar" true.
(** Next, let's introduce some new notations to facilitate working
with maps. *)
(** First, we will use the following notation to create an empty total map
with a default value. *)
Notation "{ --> d }" := (t_empty d) (at level 0).
(** We then introduce a convenient notation for extending an existing
map with some bindings. *)
(** (The definition of the notation is a bit ugly, but because the
notation mechanism of Coq is not very well suited for recursive
notations, it's the best we can do.) *)
Notation "m '&' { a --> x }" :=
(t_update m a x) (at level 20).
Notation "m '&' { a --> x ; b --> y }" :=
(t_update (m & { a --> x }) b y) (at level 20).
Notation "m '&' { a --> x ; b --> y ; c --> z }" :=
(t_update (m & { a --> x ; b --> y }) c z) (at level 20).
Notation "m '&' { a --> x ; b --> y ; c --> z ; d --> t }" :=
(t_update (m & { a --> x ; b --> y ; c --> z }) d t) (at level 20).
Notation "m '&' { a --> x ; b --> y ; c --> z ; d --> t ; e --> u }" :=
(t_update (m & { a --> x ; b --> y ; c --> z ; d --> t }) e u) (at level 20).
Notation "m '&' { a --> x ; b --> y ; c --> z ; d --> t ; e --> u ; f --> v }" :=
(t_update (m & { a --> x ; b --> y ; c --> z ; d --> t ; e --> u }) f v) (at level 20).
(** The [examplemap] above can now be defined as follows: *)
Definition examplemap' :=
{ --> false } & { "foo" --> true ; "bar" --> true }.
(** This completes the definition of total maps. Note that we
don't need to define a [find] operation because it is just
function application! *)
Example update_example1 : examplemap' "baz" = false.
Proof. reflexivity. Qed.
Example update_example2 : examplemap' "foo" = true.
Proof. reflexivity. Qed.
Example update_example3 : examplemap' "quux" = false.
Proof. reflexivity. Qed.
Example update_example4 : examplemap' "bar" = true.
Proof. reflexivity. Qed.
(** To use maps in later chapters, we'll need several fundamental
facts about how they behave. *)
(** Even if you don't work the following exercises, make sure
you thoroughly understand the statements of the lemmas! *)
(** (Some of the proofs require the functional extensionality axiom,
which is discussed in the [Logic] chapter.) *)
(** **** Exercise: 1 star, optional (t_apply_empty) *)
(** First, the empty map returns its default element for all keys: *)
Lemma t_apply_empty: forall (A:Type) (x: string) (v: A), { --> v } x = v.
Proof.
(* FILL IN HERE *) Admitted.
(** [] *)
(** **** Exercise: 2 stars, optional (t_update_eq) *)
(** Next, if we update a map [m] at a key [x] with a new value [v]
and then look up [x] in the map resulting from the [update], we
get back [v]: *)
Lemma t_update_eq : forall A (m: total_map A) x v,
(m & {x --> v}) x = v.
Proof.
(* FILL IN HERE *) Admitted.
(** [] *)
(** **** Exercise: 2 stars, optional (t_update_neq) *)
(** On the other hand, if we update a map [m] at a key [x1] and then
look up a _different_ key [x2] in the resulting map, we get the
same result that [m] would have given: *)
Theorem t_update_neq : forall (X:Type) v x1 x2
(m : total_map X),
x1 <> x2 ->
(m & {x1 --> v}) x2 = m x2.
Proof.
(* FILL IN HERE *) Admitted.
(** [] *)
(** **** Exercise: 2 stars, optional (t_update_shadow) *)
(** If we update a map [m] at a key [x] with a value [v1] and then
update again with the same key [x] and another value [v2], the
resulting map behaves the same (gives the same result when applied
to any key) as the simpler map obtained by performing just
the second [update] on [m]: *)
Lemma t_update_shadow : forall A (m: total_map A) v1 v2 x,
m & {x --> v1 ; x --> v2} = m & {x --> v2}.
Proof.
(* FILL IN HERE *) Admitted.
(** [] *)
(** For the final two lemmas about total maps, it's convenient to use
the reflection idioms introduced in chapter [IndProp]. We begin
by proving a fundamental _reflection lemma_ relating the equality
proposition on [id]s with the boolean function [beq_id]. *)
(** **** Exercise: 2 stars, optional (beq_stringP) *)
(** Use the proof of [beq_natP] in chapter [IndProp] as a template to
prove the following: *)
Lemma beq_stringP : forall x y, reflect (x = y) (beq_string x y).
Proof.
(* FILL IN HERE *) Admitted.
(** [] *)
(** Now, given [string]s [x1] and [x2], we can use the [destruct (beq_stringP
x1 x2)] to simultaneously perform case analysis on the result of
[beq_string x1 x2] and generate hypotheses about the equality (in the
sense of [=]) of [x1] and [x2]. *)
(** **** Exercise: 2 stars (t_update_same) *)
(** With the example in chapter [IndProp] as a template, use
[beq_stringP] to prove the following theorem, which states that if we
update a map to assign key [x] the same value as it already has in
[m], then the result is equal to [m]: *)
Theorem t_update_same : forall X x (m : total_map X),
m & { x --> m x } = m.
Proof.
(* FILL IN HERE *) Admitted.
(** [] *)
(** **** Exercise: 3 stars, recommended (t_update_permute) *)
(** Use [beq_stringP] to prove one final property of the [update]
function: If we update a map [m] at two distinct keys, it doesn't
matter in which order we do the updates. *)
Theorem t_update_permute : forall (X:Type) v1 v2 x1 x2
(m : total_map X),
x2 <> x1 ->
m & { x2 --> v2 ; x1 --> v1 }
= m & { x1 --> v1 ; x2 --> v2 }.
Proof.
(* FILL IN HERE *) Admitted.
(** [] *)
(* ################################################################# *)
(** * Partial maps *)
(** Finally, we define _partial maps_ on top of total maps. A partial
map with elements of type [A] is simply a total map with elements
of type [option A] and default element [None]. *)
Definition partial_map (A:Type) := total_map (option A).
Definition empty {A:Type} : partial_map A :=
t_empty None.
Definition update {A:Type} (m : partial_map A)
(x : string) (v : A) :=
m & { x --> (Some v) }.
(** We introduce a similar notation for partial maps, using double
curly-brackets. **)
Notation "m '&' {{ a --> x }}" :=
(update m a x) (at level 20).
Notation "m '&' {{ a --> x ; b --> y }}" :=
(update (m & {{ a --> x }}) b y) (at level 20).
Notation "m '&' {{ a --> x ; b --> y ; c --> z }}" :=
(update (m & {{ a --> x ; b --> y }}) c z) (at level 20).
Notation "m '&' {{ a --> x ; b --> y ; c --> z ; d --> t }}" :=
(update (m & {{ a --> x ; b --> y ; c --> z }}) d t) (at level 20).
Notation "m '&' {{ a --> x ; b --> y ; c --> z ; d --> t ; e --> u }}" :=
(update (m & {{ a --> x ; b --> y ; c --> z ; d --> t }}) e u) (at level 20).
Notation "m '&' {{ a --> x ; b --> y ; c --> z ; d --> t ; e --> u ; f --> v }}" :=
(update (m & {{ a --> x ; b --> y ; c --> z ; d --> t ; e --> u }}) f v) (at level 20).
(** We now straightforwardly lift all of the basic lemmas about total
maps to partial maps. *)
Lemma apply_empty : forall (A: Type) (x: string), @empty A x = None.
Proof.
intros. unfold empty. rewrite t_apply_empty.
reflexivity.
Qed.
Lemma update_eq : forall A (m: partial_map A) x v,
(m & {{ x --> v }}) x = Some v.
Proof.
intros. unfold update. rewrite t_update_eq.
reflexivity.
Qed.
Theorem update_neq : forall (X:Type) v x1 x2
(m : partial_map X),
x2 <> x1 ->
(m & {{ x2 --> v }}) x1 = m x1.
Proof.
intros X v x1 x2 m H.
unfold update. rewrite t_update_neq. reflexivity.
apply H. Qed.
Lemma update_shadow : forall A (m: partial_map A) v1 v2 x,
m & {{ x --> v1 ; x --> v2 }} = m & {{x --> v2}}.
Proof.
intros A m v1 v2 x1. unfold update. rewrite t_update_shadow.
reflexivity.
Qed.
Theorem update_same : forall X v x (m : partial_map X),
m x = Some v ->
m & {{x --> v}} = m.
Proof.
intros X v x m H. unfold update. rewrite <- H.
apply t_update_same.
Qed.
Theorem update_permute : forall (X:Type) v1 v2 x1 x2
(m : partial_map X),
x2 <> x1 ->
m & {{x2 --> v2 ; x1 --> v1}}
= m & {{x1 --> v1 ; x2 --> v2}}.
Proof.
intros X v1 v2 x1 x2 m. unfold update.
apply t_update_permute.
Qed.