CMSC 433:   Programming Language Technologies and Paradigms
Notes
15 Functional Programming in Rocq
On this page:
15.1 Types and functions
15.2 Theorems and proofs
15.3 Lists
15.4 Options
15.5 Summary
15.5.1 Terms and concepts
15.5.2 Tactics
15.6 Further reading
8.17
    contents    up   

15 Functional Programming in Rocq🔗

Borrowed from https://www.cs.cornell.edu/courses/cs3110/2018sp/l/19-coq-fp/notes.html

    15.1 Types and functions

    15.2 Theorems and proofs

    15.3 Lists

    15.4 Options

    15.5 Summary

      15.5.1 Terms and concepts

      15.5.2 Tactics

    15.6 Further reading

Super-duper important tip: You absolutely must step through this file interactively in Rocq to understand what’s going on. Observe what happens to the proof state and in the output window. Just reading this file in your browser does not suffice!

15.1 Types and functions🔗

Let’s start by doing some basic functional programming in Rocq. We’ll define a type which represents the days of the week.

Rocq

Inductive day : Type :=
| sun : day
| mon : day
| tue : day
| wed : day
| thu : day
| fri : day
| sat : day.

You’ll note some differences from OCaml:

  • The definition starts with the keyword Inductive instead of the keyword type.

  • day has a type itself, Type. Essentially this is saying that day is a type.

  • The definition uses := instead of =.

  • Every constructor is explicitly given the type day. Later we’ll see that constructors can have more complicated types.

  • The definition must end with a period.

Here’s a function that returns the next day after its input. 

 
Definition next_day d :=
  match d with
  | sun => mon
  | mon => tue
  | tue => wed
  | wed => thu
  | thu => fri
  | fri => sat
  | sat => sun
  end.

Again, there are some small differences from OCaml:

  • The Definition keyword is capitalized.

  • The pattern match must end with the end keyword.

  • The branches use => instead of -> to separate the pattern from the value to be returned.

Here is another function. 

 
Definition prev_day d :=
  match d with
  | sun => sat
  | mon => sun
  | tue => mon
  | wed => tue
  | thu => wed
  | fri => thu
  | sat => fri
  end.

15.2 Theorems and proofs🔗

Now let’s prove some small theorems about programs that use days.

First, let’s prove that applying next_day to [tue] evaluates to wed. If you were going to do that with a more informal proof in natural language, your first instinct might be to say "it’s obvious." That’s kind of what the proof below does.

Rocq

Theorem wed_after_tue : next_day tue = wed.
Proof.
  auto.
Qed.

auto is a tactic that searches for a proof. Tactics are the commands written between Proof and Qed; they manipulate the proof state, which is all the subgoals that need to be proved before the proof is finished. We can see the proof auto found by printing the theorem: 
Print wed_after_tue.

The output of that is 

wed_after_tue = eq_refl : next_day tue = wed
which indicates that wed_after_tue is equal to eq_refl and proves that next_day tue = wed. Here, eq_refl is something from the Rocq standard library that says equality is reflexive, and that computation may be performed on either side of the equality to reduce the expression that appears there to a simpler expression.

Rarely, though, is a theorem so simple that it can immediately be proved by searching for a proof. Usually we need to provide Rocq with more explicit guidance. A more careful informal proof of the theorem might read "next_day tue evaluates to wed. So the equality to be proved reduces to wed = wed. That trivially holds." That is essentially the proof that strategy that is followed below: 

 
Theorem wed_after_tue' : next_day tue = wed.
Proof. 
  simpl. trivial.
Qed.
Printing the theorem shows that it’s still the same proof that is found by 
auto.

Print wed_after_tue'.

The output of that is 

wed_after_tue' = eq_refl : next_day tue = wed

Next, let’s prove that the day of the week never repeats. That is, the day after a given day d is never equal to d. 
 
Theorem day_never_repeats : forall d : day, next_day d <> d.
Again, you might say "that’s obvious." But in this case, it’s not obvious enough for auto to find a proof. 
 
Proof. auto.
So here’s a better strategy: consider all the possible values that d could have: sun, mon, etc. Now consider instantiating what the theorem says for each:

  • next_day sun <> sun

  • next_day mon <> mon

  • etc.

In each case, if we reduce the expression on the left to a value, we get an inequality that’s more obviously true:

  • mon <> sun

  • tue <> mon

  • etc.

The reason that mon <> sun is that they are different constructors of an inductive (i.e., variant) type, and different constructors can never be equal.

This is a proof strategy that Rocq will understand. To implement it, we need two new tactics:

  • destruct is a tactic that considers all the possible ways to construct an inductive type.

  • discriminate is a tactic that proves different constructors cannot be equal.


  intros d. destruct d.  
  simpl. discriminate. 
  simpl. discriminate. 
  simpl. discriminate. 
  simpl. discriminate. 
  simpl. discriminate. 
  simpl. discriminate. 
  simpl. discriminate. 
Qed.
The first step of this proof, intros d, introduces d. Think of it like saying "let d be some arbitrary day." The second step of the proof, destruct d, instructs Rocq to do case analysis on d. The next seven lines apply simpl then discriminate 7 times, once for each possible day in the case analysis.

That repetition of the same tactic is rather ugly. First, we don’t actually need to use simpl. In fact, discriminate will do simplification itself, as will many other tactics. Second, instead of writing discriminate 7 times, we could instead write all: discriminate. That means to use discriminate on all the remaining subgoals in the proof. 

 
Theorem day_never_repeats' : forall d : day, next_day d <> d.
Proof. 
  intros d. destruct d.  
  all: discriminate.
Qed.
Another way to structure that proof is with the semicolon _tactical_, which chains together tactics. The tactic [t1; t2] means to apply tactic [t1], then further apply tactic [t2] to all the subgoals generated by [t1]. 
 
Theorem day_never_repeats'' : forall d : day, next_day d <> d.
Proof. 
  intros d. destruct d; discriminate.
Qed.

Now let’s prove that if the day after d is tue, then d must be mon. To express that implication in a theorem we use the symbol ->, where A -> B means that if A is true, then so is B. 

 
Theorem mon_preceds_tues : forall d : day, 
  next_day d = tue -> d = mon.
Why does that theorem hold? An informal argument by case analysis would say that of all the 7 possible values of d, 6 of them immediately fail to make next_day d = true hold, In fact, only d=mon does. So for each of the 7 cases, we either have a contradiction, or we have a trivial equality. In Rocq, we can express that proof as follows, where we use a new tactical || for "or".

Rocq

Proof.
  intros d next_day_is_tue.
  destruct d.
  all: discriminate || trivial.
Qed.

Let’s pick apart that proof.

  • The first line introduces two assumptions into the proof: that d is a day, and that next_day d = tue. The latter is the antecedent of the implication that is being proved, i.e., the P in P -> Q; Q is called the consequent. We chose the name next_day_is_tue to record that assumption. Idiomatically, Rocq programmers will often use short names like H for these kinds of hypotheses.

  • The second line does the case analysis on d as we did before.

  • The third line says to use discriminate || trivial on all the subgoals. That works like a short-circuit OR in OCaml: if discriminate fails to find a proof of the subgoal, then trivial will be used to find the proof instead.

15.3 Lists🔗

The Rocq standard library includes lists. Some parts of the list library are already included by default, but not all are. To load the full list library, we need to issue the following commands: 

 
Require Import List.
Import ListNotations.
Rocq lists are defined in essentially the same way as OCaml lists. A list is may contain any number of elements, and each element must have the same type. The empty list is represented with nil, and cons creates a new list out of an element and an already existing list. The standard library defines lists as follows: 
 
Module MyList.

Inductive list (A : Type) : Type :=
| nil : list A
| cons : A -> list A -> list A.

End MyList.
(We wrapped that definition in its own Module so that, in the rest of this file, list still means the list in the standard library as opposed to the one we just defined ourselves.)

Let’s compare that to a similar OCaml definition of lists: 

type 'a list = nil | cons of 'a * 'a list
The ’a is a type variable in the OCaml definition. Similarly, in the Rocq definition, list (A : Type) : Type indicates that list is parameterized on a type A. Hence Rocq’s list is a type constructor just like OCaml’s list is. In fact, if we check the type of list, this becomes even clearer: 
 
Check list.
list : Type -> Type
That is, list takes a type as input and returns a type as output.

Also, notice the branches: 

| nil : list A
| cons : A -> list A -> list A.

These say that nil already has type list A, for any A, and that cons is a function that takes an A and a list A and returns a list A. So Rocq’s cons is truly a function, unlike OCaml’s. (In OCaml you can’t, for example, pass a constructor name to a function.)

We can use pattern matching to code functions that take lists as inputs, just like in OCaml.

 
Definition is_empty (A : Type) (lst : list A) :=
  match lst with
  | nil => true
  | cons _ _ => false
  end.
In is_empty, we have explicitly given type annotations on two arguments. The first argument, A, is the type of the list elements. The second argument, lst, has type list A. OCaml never made us explicitly write down the element type as an input to functions, because the language is engineered to guarantee that type inference can always figure out those types. Rocq’s type system, however, is vastly more expressive that OCaml’s, hence type inference is a hard problem in Rocq. Rocq is therefore more strict about writing these things down.

Like in OCaml, we can use syntactic sugar for lists, writing [] for nil and :: for cons: 

 
Definition is_empty_sugar (A : Type) (lst : list A) :=
  match lst with
  | [] => true
  | _::_ => false
  end.
If we want to compute with is_empty, we have to supply the type argument:

 
Compute is_empty nat [1].

Compute is_empty nat [].

In the second computation above, it wouldn’t matter what type we pass in because the list is empty, but we do have to provide _some_ type as an argument. There are various ways in Rocq of making this type argument something that the compiler infers, instead of the programmer having to provide. These are called _implicit arguments_. Here’s one way to make an argument implicit:

 
Definition is_empty' {A : Type} (lst : list A) :=
  match lst with
  | [] => true
  | _::_ => false
  end.

Compute is_empty' [1].

We put the A:Type parameter in braces instead of parentheses. This tells Rocq that the argument should be inferred. As you can see, we didn’t provide it in the example usage. In fact, Rocq would reject is_empty’ nat [1], because once we’ve made the argument implicit, we’re actually not even allowed to provide it.

If for some reason we really did need to explicitly provide an implicit argument, we could do that by prefixing the name of the function with @. For example:

Compute @is_empty' nat [1].

To define recursive functions on lists, instead of OCaml’s let rec, Rocq uses Fixpoint as a keyword. That perhaps-cryptic name comes from programming languages theory, where recursion can be defined as a so-called fixed point of a function.

Here is a definition of length for lists, and an example usage. Again, we do this in its own module to avoid clashing with the standard library’s definition of length.

 
Module MyLength.

Fixpoint length {A : Type} (lst : list A) :=
  match lst with
  | nil => 0
  | _::t => 1 + length t
  end.

Compute length [1;2].

End MyLength.

15.4 Options🔗

In the Rocq standard library, options are defined as follows. (Once more we wrap the definition in its own module to avoid clashing with the standard library’s own definition.)

 
Module MyOption.

Inductive option (A:Type) : Type :=
  | Some : A -> option A
  | None : option A.

End MyOption.
Rocq options are essentially the same as OCaml’s. Some is a function that given a value of type A, constructs an option containing that value. None is already a value that has type [option A] for any [A].

Here is a function [hd_opt]. It returns the head of a list, wrapped in [Some]. If the list is empty, it returns None. 

 
Definition hd_opt {A : Type} (lst : list A) : option A :=
  match lst  with
  | nil => None 
  | x :: _ => Some x
  end.

Compute hd_opt [1].

Compute @hd_opt nat [].
The first of those example usages returns Some 1 : option nat, and the second returns None : option nat. In the second, we are forced to explicitly provide the type argument, because Rocq can’t infer from just the empty list what kind of option it should be: should it be [option nat]? [option bool]? or something else?

Now let’s prove something about hd_opt: when applied to a list of length 0, it returns None. Informally, that holds because there are two possibilities of how a list is constructed:

- if the list is [nil], then its length is certainly 0, and evaluation of hd_opt’s pattern match will choose the branch that returns None.

- if the list is constructed with [cons], then its length is at least 1. That contradicts the assumption that its length is 0.

The proof below uses exactly that reasoning.

 
Theorem length0_implies_hdopt_is_none :
  forall A : Type, forall lst : list A,
    length lst = 0 -> hd_opt lst = None.
Proof.
  intros A lst length_lst_is_0.
  destruct lst. 
    trivial. 
    discriminate.
Qed.
The first line of that proof, which uses the intros tactic, introduces three assumptions into the proof: That A is a type, that lst has type [list A], and that the length of lst is 0. The second line does the case analysis on lst: is it nil or cons? The next two tactics handle each of those cases.

  • The first case, where the list is nil, is handled by trivial, which finds a proof that hd_opt nil = None. It succeeds in doing that by first doing some computation, which reduces hd_opt nil to None, then showing that None = None because equality is reflexive.

  • The second case, where the list is cons, is handled by discriminate, which finds a contradiction while trying to prove that [hd_opt (a :: lst) = None]. Of course, that equality is untrue: hd_opt (a :: lst) is actually Some a. So discriminate looks in the hypotheses of the proof and finds one that claims length (a :: lst) = 0. Of course, that’s untrue, because length (a :: lst) is 1 + length lst, which is at least 1, and 1 <> 0. The discriminate tactic detects that contradiction. You might recall that from an assumption of false, you are allowed to conclude anything. That’s the reasoning being used here.

When there are a few cases in a proof, as there were (two) in the previous proof, sometimes Rocq programmers use bullets to make the structure of their proofs apparent to readers. The bullets also help with focusing the programmer’s attention on the proof state during the process of constructing the proof. The bullets in the proof below, written -, cause all but one subgoal to disappear. After a subgoal has been proved, the proof state reads "There are unfocused goals." The next bullet causes the next unfocused goal to become focused. This is probably best understood by stepping through the following proof in Rocq and observing what happens to the proof state when each bullet is processed. 

 
Theorem length0_implies_hdopt_is_none' :
forall A : Type, forall lst : list A,
  length lst = 0 -> hd_opt lst = None.
Proof.
  intros A lst length_lst_is_0.
  destruct lst. 
    - trivial. 
    - discriminate.
Qed.
The characters + and * can also be used as bullets, as can , , etc.

15.5 Summary🔗

Rocq is a functional programming language. It contains many of the same features as OCaml. In fact, Rocq is implemented in OCaml. Rocq is also a proof assistant. We can write programs and prove theorems about those programs. Rocq searches for those proofs, and we guide its search with tactics.

15.5.1 Terms and concepts🔗
15.5.2 Tactics🔗
15.6 Further reading🔗
    contents    up