Add cardinal_Add_In to FMapFacts #12096
Conversation
There was a problem hiding this comment.
The two theorems look fully relevant to me. I would however give a more appealing name to cardinal_3, even if @letouzey already used himself names like cardinal_1 and cardinal_3.
What about e.g. cardinal_Add_same?
I must however confess that I don't feel competent to evaluate the proofs done in the PR. They look pretty long and I suspect they could be made a bit more compact, by using e.g. now to close trivial subgoals, or commas to chain rewrite's. I would also recommend using bullets whenever several goals are produced.
Side question: isn't there a stronger theorem we could state? For instance, would it be true that In x m -> Add x e m m' -> m' = m??
In any case, thanks a lot for contributing. There are so many results worth to be provided!
Equality of the map key sets, perhaps? I'm sure that would be provable, but the definitions and mechanisms for map key sets doesn't exist (to my knowledge). Actual map equality isn't possible, (even using
I'll look into making these improvements. As I said, I don't know anything about what constitutes good proof style or technique in Coq, so I'm happy to take any advice. |
Rename cardinal_3 -> cardinal_Add_In Compress and structure proofs for both cardinal_Add_In and Add_transpose_neqkey using feedback from the PR (coq#12096). This includes * using commas to simplify multiple lines of rewrites, especially when using add_eq_o and add_neq_o repeatedly. * using `now` and `auto` more to solve trivial goals instead of ending proofs with trivial `reflexivity` or `assumption`. * split subgoals into bulleted points where relevant, as well as indent subgoals for enough/assert.
ivanbakel
changed the title
|
We could try to prove something like: And then the theorem |
|
Having a look at SetoidList, I think that proof would require touching more files and producing more results. Should those changes become part of this PR, or is this just a suggestion for future changes? |
This looks suspicious, if I read correctly the API, |
Only if you also have |
|
Right, sorry. |
|
I couldn't help giving it a try. I tried two approaches, one using |
|
@herbelin You probably forgot to self-assign this PR? |
I probably missed the protocol. Is a first approving reviewer of a maintainer group supposed to self-assign? Doing it anyway. |
|
Can't we take @eponier's proof instead? I find it more compact. |
In the case this is the maintainer group which the assignee should come from, then either self-assign, or re-request a review from that group. Otherwise, the PR risks being forgotten by everyone (not in anybody's review request nor assigned PR list). |
|
Here is a more compact version of @ivanbakel 's proof. In the first link I gave, I proposed two different proofs. One using I let you decide, and especially @ivanbakel who initiated this PR. |
Zimmi48
added
kind: feature
|
I'm happy to take a patch for improving the proof presented in this PR. I'm personally uncomfortable with the idea of these changes being bundled with other API changes: I don't see why they would need to be part of this PR, and I wouldn't want the discussion around If someone else wants to insist on taking the |
|
I'd personally prefer the first proof, even maybe without the intermediate lemma. That is, only exporting |
|
Is the discussion now about three and a half different proofs?
3 seems excluded for this PR. If the lemma is inlined 1 and 2 are observationally similar. So how much would it matter which one is chosen? But why would a lemma be not advised? @ppedrot, do you find them stating too intensional properties and thus too strong constraints on the implementation? |
Proof style.
Anything we export in the API is a promise to our users. |
Do you basically mean here use of bullets, indentation, explicit naming of hypotheses to which there is a reference to (which are my own basic criteria)? Or do you mean more?
A different way to say the same as I did? |
As far as I could see (I hope I'm not mistaken), the extra lemmas, whether it is |
If you push this reasoning to absurd lengths, then Fermat's last theorem should be part of the stdlib since it's a consequence of CIC. The whole point of an API is to restrict what is available to the user, and as such, anything that involves naming a lemma, writing its precise type and its implementation (when not Qed-terminated) is a piece of surface attack of the API. It's not really serious here, but since our abstraction primitives in Coq are at best primitive (pun somewhat intended), every single addition to the stdlib should be carefully thought about. |
|
I believe that we agree. We need to add lemmas which "make sense" (useful, expressing an intelligible property, ...). Here, it is about an addition in the file listing consequences of the API of finite maps over an order and I'm ok to carefully think about it. |
|
To move on, I would propose to follow @ppedrot's view, i.e. - if I followed correctly - to keep the first alternative proof by @eponier (but inlining
My observation is that proof styles vary a lot between people. As alluded above, what I consider important is the consistency of style, in particular a consistent indentation, the explicit naming of hypotheses which are reused later and the use of bullets to structurate the proof, all points which I believe are quite consensual. We could discuss other points, like the level of compactness, or the level of automation, or the time taken for the proof to be checked, ... but these are criteria on which opinions vary more easily. I'm remain ready to hear about more recommendations though. |
|
What do we do with this PR? It's been basically ready for ages (minus potentially the changelog, but it's not even clear it's really needed). |
|
Well let me fix this quickly - we can just take the first alternative proof, which is shorter and neater. Going back over my own proof, I couldn't understand a word of it. |
This shorter version was written by Jean-Christophe Léchenet in the feedback on coq#12096, as a proposed alternative to my longer and unwieldier proof. The only change I've made is to inline `remove_In_Add`, which is a lemma we don't want to expose immediately. Morever, I've had to adjust the proof slightly because a use of `subst` didn't work on my end - perhaps this is a Coq change. Co-authored-by: Jean-Christophe Léchenet <eponier@via.ecp.fr>
coqbot-app
bot
added
the
needs: full CI
This shorter version was written by Jean-Christophe Léchenet in the feedback on coq#12096, as a proposed alternative to my longer and unwieldier proof. The only change I've made is to inline `remove_In_Add`, which is a lemma we don't want to expose immediately. Morever, I've had to adjust the proof slightly because a use of `subst` didn't work on my end - perhaps this is a Coq change. Co-authored-by: Jean-Christophe Léchenet <eponier@via.ecp.fr>
ivanbakel
force-pushed
the
FMapFacts_cardinal_3
branch
from
4218e28
to
6d4b758
Compare
cardinal_3 asserts that updating a key already present in a map does not change the number of keys in the map. This complements cardinal_2, which makes the similar statement for if the key is not present. It uses a new lemma, Add_transpose_neqkey, which states that it is possible to transpose two map updates provided they are for different keys. Since of course `add x e (add y f m) <> add y f (add x e m)` necessarily, even if `x <> y`, this uses `Add` instead.
Rename cardinal_3 -> cardinal_Add_In Compress and structure proofs for both cardinal_Add_In and Add_transpose_neqkey using feedback from the PR (coq#12096). This includes * using commas to simplify multiple lines of rewrites, especially when using add_eq_o and add_neq_o repeatedly. * using `now` and `auto` more to solve trivial goals instead of ending proofs with trivial `reflexivity` or `assumption`. * split subgoals into bulleted points where relevant, as well as indent subgoals for enough/assert.
This shorter version was written by Jean-Christophe Léchenet in the feedback on coq#12096, as a proposed alternative to my longer and unwieldier proof. The only change I've made is to inline `remove_In_Add`, which is a lemma we don't want to expose immediately. Morever, I've had to adjust the proof slightly because a use of `subst` didn't work on my end - perhaps this is a Coq change. Co-authored-by: Jean-Christophe Léchenet <eponier@via.ecp.fr>
|
Note that the new proof no longer requires |
ivanbakel
force-pushed
the
FMapFacts_cardinal_3
branch
from
6d4b758
to
086a92c
Compare
|
Thanks @ppedrot for resurrecting this PR, and thanks @ivanbakel for the work! I'm glad to see that my proof was useful, but I'd appreciate to be cited for that. Thanks! |
ivanbakel
force-pushed
the
FMapFacts_cardinal_3
branch
from
086a92c
to
76aab14
Compare
|
Whoops, my mistake, apologies. Mentioned in the commit history but not the changelog - fixed that now. |
|
@coqbot run full ci |
coqbot-app
bot
removed
the
needs: full CI
ppedrot
removed
the
needs: changelog entry
|
I'm assigning and merging when the CI passes otherwise nothing will ever happen. |
|
@coqbot merge now |
Kind: feature.
cardinal_Add_In asserts that updating a key already present in a map does not change the number of keys in the map. This complements cardinal_2, which makes the similar statement for if the key is not present.
It uses a new lemma, Add_transpose_neqkey, which states that it is possible to transpose two map updates provided they are for different keys. Since of course
add x e (add y f m) <> add y f (add x e m)necessarily, even ifx <> y, this usesAddinstead.My proofs are very messy, because I am a relative Coq novice. I'll happily take advice or patches to improve them.