**LICENCE:**
This tutorial contains adaptations of material from [Programming Language Foundations in Agda](https://plfa.github.io/) by Phil Wadler and Wen Kokke. It is licenced under Creative Commons Attribution 4.0 International.

# Programming with dependent types in Agda

**SYNTAX:**
You can enter `→` by writing `->` and pressing TAB; pressing TAB again goes back to `->`. Similar useful combinations are:

| base form | alternate form | base form | alternate form |
|:---------:|:--------------:|:---------:|:--------------:|
| ->  | → | B | 𝔹 |
| \   | λ | N | ℕ |
| <   | ⟨ | = | ≡ |
| >   | ⟩ | /= | ≢ |
| =<> | ≡⟨⟩ | qed | ∎ |

**PRO TRICKS:**
- You can ask Agda to provide the type of a closed expression. Just put the cursor nearby an expression and press SHIFT+TAB.
- You can ask Agda to compute the normal form of an expression enclosed in parantheses, such as `(λ x → x)` (already in normal form).
- Starred exercises "**Exercise***" should be skipped on a first reading and dealt with only after all the non-starred one are resolved.

### The equality relation `_≡_`

Before we begin, we need to introduce the equality type `_≡_`.
We do not need the details of its definition now;
instead, we will see how to use it via some examples below.
We will see how exactly the definition of `_≡_` works later on.
For now, we just evaluate the cell below by SHIFT+ENTER.

In [28]:
module lab00.eq where

infix 4 _≡_
data _≡_ {A : Set} (x : A) : A → Set where
    refl : x ≡ x

sym : {A : Set} {x y : A} → x ≡ y → y ≡ x
sym refl = refl

trans : {A : Set} {x y z : A} → x ≡ y → y ≡ z → x ≡ z
trans refl refl = refl

cong : {A B : Set} (f : A → B) {x y : A} → x ≡ y → f x ≡ f y
cong f refl = refl

subst : {A : Set} {x y : A} (P : A → Set) → x ≡ y → P x → P y
subst P refl px = px

infix  1 begin_
infixr 2 _≡⟨⟩_ _≡⟨_⟩_
infix  3 _∎

begin_ : {A : Set} {x y : A} → x ≡ y → x ≡ y
begin x≡y = x≡y

_≡⟨⟩_ : {A : Set} (x : A) {y : A} → x ≡ y → x ≡ y
x ≡⟨⟩ x≡y = x≡y

_≡⟨_⟩_ : {A : Set} (x : A) {y z : A} → x ≡ y → y ≡ z → x ≡ z
x ≡⟨ x≡y ⟩ y≡z = trans x≡y y≡z

_∎ : {A : Set} (x : A) → x ≡ x
x ∎ = refl

*Type-checking*
*Type-checking*(Checking lab00.eq (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/eq.agda).
)
*All Done*


**UNDER THE HOOD:** A code cell must start with a line in the format
```agda
module A.B.C where
```
Upon evaluation, the file `A/B/C.agda` is created on disk from the cell's contents
and fed to the Agda interpreter.
For this reason, it is important to evaluate a cell to ensure that its changes are reflected on disk and can be used from other cells.

**SPACING: **
Agda allows us to be very flexible in the variable names,
which can be strings such as `x`, `&&`, `&&true`, or even arbitrary unicode symbols `💔`.
As a consequence, spaces in Agda have a syntactic meaning as separators,
and we need to be very generous with them.
For instance, `x ≡ y`, which in prefix notation is the same as `_≡_ x y`,
consists of three different identifiers,
while `x≡y` is a single identifier, and it is a legal Agda name.

---

## Booleans `𝔹`

We begin our exploration of Agda by defining the boolean values `true : 𝔹` and `false : 𝔹` and common functions manipulating them. For instance, `_&&_ : 𝔹 → 𝔹 → 𝔹` implements the logical "and" function. The name of the function is `_&&_`. The underscores are part of the name, but they also have a meaning on their own.
The arguments to this functions can be supplied either in prefix notation as `_&&_ x y`, or as in infix notation as `x && y` (removing the underscores). **Notice that the spaces are not optional.** (Most frequent beginner's mistake.) The expression `x&&y` is interpreted as a new name, and is not the same as `x && y`.

After evaluating the cell below,
we can check that `true` has type `𝔹` by putting the cursor on it and pressing SHIFT+TAB.
We can also evaluate **closed parenthesized** expressions involving booleans,
such as `(~ ~ (true && false))`, by putting the cursor around the enclosing parentheses and pressing TAB (even in comments).

In [29]:
module lab00.bool where

open import lab00.eq using (_≡_; refl)

-- simple type
-- the type Bool is inhabited precisely by two elements, true and false
data 𝔹 : Set where
    true : 𝔹
    false : 𝔹

-- right associative operators
infix 60 ~_ -- higher priority
infixr 50 _&&_
infixr 40 _||_ -- lower priority

-- we can define computable functions on booleans
_&&_ : 𝔹 → 𝔹 → 𝔹
true && true = true
_ && _ = false

_||_ : 𝔹 → 𝔹 → 𝔹
false || false = false
_ || _ = true

~_ : 𝔹 → 𝔹
~ true = false
~ false = true

-- Evaluate with TAB (cursor near parentheses):
-- (~ ~ ~ true)
-- (~ ~ (true && false))

-- the proof below is by refl,
-- since the two terms evaluate to the same normal form, namely "false"
th1 : ~ true ≡ ~ ~ ~ true
th1 = refl 

*Type-checking*
*Type-checking*(Checking lab00.bool (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/bool.agda).
)
*Type-checking*( Checking lab00.eq (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/eq.agda).
)
*All Done*


**Exercise.** Define the function `_nand_ : 𝔹 → 𝔹 → 𝔹`.

In [30]:
module lab00.bool.nand where

open import lab00.bool

_nand_ : 𝔹 → 𝔹 → 𝔹
x nand y = ?

-- we can tell Agda that there are certain holes to be filled;
-- this is useful since we can still typecheck a program with holes

*Type-checking*
*Type-checking*(Checking lab00.bool.nand (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/bool/nand.agda).
)
*Type-checking*( Checking lab00.bool (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/bool.agda).
)
*All Goals*(?0 : 𝔹
)


In [31]:
module lab00.bool.nand-solution where

open import lab00.bool

_nand_ : 𝔹 → 𝔹 → 𝔹
x nand y = ~ x && ~ y

*Type-checking*
*Type-checking*(Checking lab00.bool.nand-solution (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/bool/nand-solution.agda).
)
*All Done*


## Our first proof

We show that negation is an involution, i.e., `~ ~ x ≡ x`.
This is achieved by *declaring* the function
```agda
~inv : (x : 𝔹) → ~ ~ x ≡ x
```
which takes as input an arbitrary boolean `x : 𝔹` and returns an term of type `~ ~ x ≡ x`.
Notice how the latter type depends not only on the input type `𝔹`, but on the *input value* `x`.
The *definition* of `~inv` follows:
```agda
~inv true = refl -- here refl : true ≡ true
~inv false = refl -- here refl : false ≡ false
```
Sometimes Agda can infer the type of `x` from the context,
for instance by the fact that it is later used as the argument of `~_ : 𝔹 → 𝔹`.
In those circumstances, we can save some typing and rewrite the declaration above as
```agda
~inv : ∀ x → ~ ~ x ≡ x
```
The notation above is very suggestive and brings us closer to proving theorems of logic.
However, we should not forget that it is just syntactic sugaring for the first declaration above.

**Exercise.** Formalise and prove that `_&&_` is commutative.

In [32]:
module lab00.bool.comm where

open import lab00.bool
open import lab00.eq

-- is there a less boring proof?
&&-comm : ∀ x y → x && y ≡ y && x
&&-comm true true = refl
&&-comm false false = refl
&&-comm true false = refl
&&-comm false true = refl

*Type-checking*
*Type-checking*(Checking lab00.bool.comm (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/bool/comm.agda).
)
*All Done*


## Natural numbers `ℕ`

We now explore *inductive types* such as the natural numbers,
which have an infinite number of inhabitants. Functions on inductive types such as `_+_` and `fib` are defined recursively. In Agda, we can write only total functions (though not all of them). This is achieved by imposing severe restrictions on the format of recursive definitions. This will not usually bother us, but for instance the naive definition of the Ackerman function (which is total) won't go through Agda's termination checker:
```agda
ack : ℕ → ℕ → ℕ
ack 0 n = n + 1
ack (suc m) 0 = ack m 1
ack (suc m) (suc n) = ack m (ack (m + 1) n)
```
(There are tricks to express Ackerman in Agda, such as using primitive *higher-order recursion*, but we won't need those here.)

In [33]:
module lab00.nat where

open import lab00.eq
open import lab00.bool

data ℕ : Set where
  zero : ℕ
  suc : ℕ → ℕ

infixl 5 _+_
infixl 6 _*_ -- higher priority than _+_

-- left associative: a + b + c ≡ (a + b) + c

-- recursive function on an inductive type
_+_ : ℕ → ℕ → ℕ
zero + m = m
(suc n) + m = suc (n + m)

_*_ : ℕ → ℕ → ℕ
zero * _  =  zero
suc m * n  =  n + (m * n)

-- we can use standard numerals 0, 1, ...
-- as abbreviations for zero, suc zero, ...
{-# BUILTIN NATURAL ℕ #-}

-- the hello world of functional programming
fib : ℕ → ℕ
fib 0 = 0
fib 1 = 1
fib (suc (suc n)) = fib (suc n) + fib n

fib26 : fib 26 ≡ 121393
fib26 = refl

-- we can already prove a basic fact about _+_ and 0:
-- since "0 + m" and "m" evaluate (i.e., normalise) to the same normal form (namely, "m"),
-- we can just use reflexivity here (no induction needed)
0+m≡m : ∀ m → 0 + m ≡ m
0+m≡m m = refl

-- moreover, such proofs by normalisation work even in contexts:
-- the normal form fib (0 + m) is fib m
fib0m : ∀ m → fib (0 + m) ≡ fib m
fib0m m = refl

*Type-checking*
*Type-checking*(Checking lab00.nat (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat.agda).
)
*All Done*


## Proofs by induction
In Agda, a proof by induction is just recursive program which transforms a proof for case $n$ into a proof for case $n+1$. In our first proof by induction we want to prove the following:
```agda
m+0≡m : (m : ℕ) → m + 0 ≡ m
```
(Notice that `m+0≡m` is a valid identifier, and it is the name of our theorem.)
Since `_+_` is defined by recursion on its first argument, `m+0` and `m` are already in normal form (and different from each other), and therefore we really need induction here (`refl` won't cut it).
In the base case, we have `m = 0` and thus we need to prove `0 + 0 ≡ 0`, which follows from reflexivity:
```agda
m+0≡m 0 = refl
```
In the inductive step, we need to prove `suc m + 0 ≡ suc m` (by defining `m+0≡m (suc m) : suc m + 0 ≡ suc m`)
under the assumption that `m + 0 ≡ m` holds (as witnessed by `m+0≡m m : m + 0 ≡ m`).
The term `suc m + 0` rewrites to `suc (m + 0)`, according to the definition of `_+_`.
Thus, it suffices to show `suc (m + 0) ≡ suc m`.
By inductive assumption, `m + 0 ≡ m` holds, and it suffices to lift the equivalence to the context `suc (...)`.
This is what the program `cong` (for *congruence*) does:
```agda
m+0≡m (suc m) = cong suc (m+0≡m m)
```

In [34]:
module lab00.nat.ind0 where

open import lab00.nat
open import lab00.eq

m+0≡m : (m : ℕ) → m + 0 ≡ m
m+0≡m 0 = refl
m+0≡m (suc m) = cong suc (m+0≡m m)

*Type-checking*
*Type-checking*(Checking lab00.nat.ind0 (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/ind0.agda).
)
*Type-checking*( Checking lab00.nat (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat.agda).
)
*All Done*


## Symmetry
We now have our first proof by induction `m+0≡m : (m : ℕ) → m + 0 ≡ m`.
Suppose we now want to prove the symmetric statement, i.e., 
```agda
m≡m+0 : (m : ℕ) → m ≡ m + 0
```
One way would be to reason by induction on `m`, as above.
A better way is to use the principle *symmetry* applied to the previous `m+0≡m`,
which is what the expression `sym : ... → x ≡ y → y ≡ x` does below.

In [35]:
module lab00.nat.ind1 where

open import lab00.nat
open import lab00.eq
open import lab00.nat.ind0

m≡m+0 : (m : ℕ) → m ≡ m + 0
m≡m+0 m = sym (m+0≡m m)

*Type-checking*
*Type-checking*(Checking lab00.nat.ind1 (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/ind1.agda).
)
*Type-checking*( Checking lab00.nat.ind0 (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/ind0.agda).
)
*All Done*


## Equality chains
We can make proofs using chains of equalities more readable by using some syntactic sugaring.
This also helps documenting the proof, i.e., showing what is the *intention* behind the code.
The same proofs above can also be written in the form below.

In [36]:
module lab00.nat.ind2 where

open import lab00.nat
open import lab00.eq

m+0≡m : (m : ℕ) → m + 0 ≡ m
m+0≡m 0 = refl
m+0≡m (suc m) =
    suc m + 0 ≡⟨⟩ -- by the definition of _+_
    suc (m + 0) ≡⟨ cong suc (m+0≡m m) ⟩ -- inductive hypothesis
    suc m ∎
  
m≡m+0 : (m : ℕ) → m ≡ m + 0
m≡m+0 m =
    m ≡⟨ sym (m+0≡m m) ⟩
    m + 0 ∎
    
-- let's prove that addition is associative
+-assoc : (m n l : ℕ) → m + (n + l) ≡ m + n + l
+-assoc 0 n l =
    0 + (n + l)
    ≡⟨⟩ n + l
    ≡⟨⟩ (0 + n) + l ∎
+-assoc (suc m) n l =  
    suc m + (n + l) ≡⟨⟩
    suc (m + (n + l)) ≡⟨ cong suc (+-assoc m n l) ⟩ -- inductive hypothesis
    suc ((m + n) + l) ≡⟨⟩
    suc (m + n) + l ≡⟨⟩
    (suc m + n) + l ∎
    
-- the following lemma will be useful below
suc-lemma : (m n : ℕ) → suc (m + n) ≡ m + suc n
suc-lemma 0 n =
    suc (0 + n) ≡⟨⟩
    suc n ≡⟨⟩
    0 + suc n ∎
suc-lemma (suc m) n = 
    suc (suc m + n) ≡⟨⟩
    suc (suc (m + n)) ≡⟨ cong suc (suc-lemma m n) ⟩ 
    suc (m + suc n) ≡⟨⟩
    suc m + suc n ∎

*Type-checking*
*Type-checking*(Checking lab00.nat.ind2 (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/ind2.agda).
)
*All Done*


**Exercise.** Formalise and prove that addition is commutative.

*Hint:* When there are several variables to do induction on, a good heuristics is to do induction on the variable(s) that appear as recursive arguments. For instance, if we have an expression `x + y`, it is probably more covenient to reason by induction on `x`, since `_+_` is defined by induction on its first argument.

In [37]:
module lab00.nat.comm where

open import lab00.nat
open import lab00.eq
open import lab00.nat.ind2

+-comm : ?
+-comm = ?

*Type-checking*
*Type-checking*(Checking lab00.nat.comm (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/comm.agda).
)
*Type-checking*( Checking lab00.nat.ind2 (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/ind2.agda).
)
*All Goals*(?0 : _0
?1 : ?0
Sort _0  [ at /Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/comm.agda:7,10-11 ]
)


In [38]:
module lab00.nat.comm where

open import lab00.nat
open import lab00.eq
open import lab00.nat.ind2

+-comm : (m n : ℕ) → m + n ≡ n + m
+-comm 0 n =
    0 + n ≡⟨⟩
    n ≡⟨ m≡m+0 n ⟩
    n + 0 ∎
+-comm (suc m) n = 
    suc m + n ≡⟨⟩
    suc (m + n) ≡⟨ cong suc (+-comm m n) ⟩
    suc (n + m) ≡⟨ suc-lemma n m ⟩
    n + suc m ∎

*Type-checking*
*Type-checking*(Checking lab00.nat.comm (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/comm.agda).
)
*All Done*


**Exercise***.
1. Prove that right multiplication distributes over addition,
in the sense that
```agda
+*-distr : (a b c : ℕ) → (a + b) * c ≡ a * c + b * c
```
2. Prove that multiplication is associative. *Hint: use the previous point*.
3. Prove that multiplication is commutative. It might be convenient to preliminary prove the following two properties:
```agda
*-zero : (a : ℕ) → a * 0 ≡ 0
*-suc : (a b : ℕ) → a * suc b ≡ a + a * b
```
4. Prove that left multiplication distributes over addition, in the sense that
```agda
*+-distr : (a b c : ℕ) → a * (b + c) ≡ a * b + a * c
```
*Hint: use the previous points*.
5. Using the results above, prove the following
```agda
*+-full : (a b c d : ℕ) → (a + b) * (c + d) ≡ a * c + a * d + b * c + b * d
```
**Advice**: If an induction is required, it's convenient to proceed on the first argument `a : ℕ`.

In [39]:
module lab00.nat.prop where

-- 1.
+*-distr : (a b c : ℕ) → (a + b) * c ≡ a * c + b * c
+*-distr = ?

-- 2.
*-assoc : (a b c : ℕ) → a * b * c ≡ a * (b * c)
*-assoc = ?

-- 3.
*-zero : (a : ℕ) → a * 0 ≡ 0
*-zero = ?

*-suc : (a b : ℕ) → a * suc b ≡ a + a * b
*-suc = ?

*-comm : (a b : ℕ) → a * b ≡ b * a
*-comm = ?

-- 4.
*+-distr : (a b c : ℕ) → a * (b + c) ≡ a * b + a * c
*+-distr = ?

*Type-checking*
*Type-checking*(Checking lab00.nat.prop (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/prop.agda).
)
*Error*(/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/prop.agda:4,21-22
Not in scope:
  ℕ
  at /Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/prop.agda:4,21-22
when scope checking ℕ)


In [40]:
module lab00.nat.prop where

open import lab00.nat
open import lab00.eq
open import lab00.nat.ind2
open import lab00.nat.comm

+*-distr : (a b c : ℕ) → (a + b) * c ≡ a * c + b * c
+*-distr 0 _ _ = refl
+*-distr (suc a) b c =
    (suc a + b) * c ≡⟨⟩
    suc (a + b) * c ≡⟨⟩
    c + (a + b) * c ≡⟨ cong (c +_ ) (+*-distr a b c) ⟩
    c + (a * c + b * c) ≡⟨ +-assoc c (a * c) (b * c) ⟩
    c + a * c + b * c ≡⟨⟩
    suc a * c + b * c ∎
    
*-assoc : (a b c : ℕ) → a * b * c ≡ a * (b * c)
*-assoc zero _ _ = refl
*-assoc (suc a) b c =
    suc a * b * c ≡⟨⟩
    (b + a * b) * c ≡⟨ +*-distr b (a * b) c ⟩
    b * c + a * b * c ≡⟨ cong (b * c +_) (*-assoc a b c)⟩
    b * c + a * (b * c) ≡⟨⟩
    suc a * (b * c) ∎
    
*-zero : (a : ℕ) → a * 0 ≡ 0
*-zero 0 = refl
*-zero (suc n) =
    suc n * 0 ≡⟨⟩
    0 + n * 0 ≡⟨ cong (0 +_) (*-zero n) ⟩
    0 + 0 ≡⟨⟩
    0 ∎

*-suc : (a b : ℕ) → a * suc b ≡ a + a * b
*-suc 0 _ = refl
*-suc (suc a) b =
    suc a * suc b ≡⟨⟩
    suc b + a * suc b ≡⟨ cong (suc b +_) (*-suc a b) ⟩
    suc b + (a + a * b) ≡⟨ +-assoc (suc b) a (a * b) ⟩
    suc b + a + a * b ≡⟨⟩
    suc (b + a) + a * b ≡⟨ cong (λ x → suc x + a * b) (+-comm b a) ⟩
    suc (a + b) + a * b ≡⟨⟩
    suc a + b + a * b ≡⟨ sym (+-assoc (suc a) b (a * b)) ⟩
    suc a + (b + a * b) ≡⟨⟩
    suc a + suc a * b ∎

*-comm : (a b : ℕ) → a * b ≡ b * a
*-comm 0 b =
    0 * b ≡⟨⟩
    0 ≡⟨ sym (*-zero b) ⟩
    b * 0 ∎
*-comm (suc a) b =
    suc a * b ≡⟨⟩
    b + a * b ≡⟨ cong (b +_) (*-comm a b) ⟩
    b + b * a ≡⟨ sym (*-suc b a) ⟩
    b * suc a ∎
    
*+-distr : (a b c : ℕ) → a * (b + c) ≡ a * b + a * c
*+-distr a b c =
    a * (b + c) ≡⟨ *-comm a (b + c) ⟩
    (b + c) * a ≡⟨ +*-distr b c a ⟩
    b * a + c * a ≡⟨ cong (_+ (c * a)) (*-comm b a) ⟩
    a * b + c * a ≡⟨ cong ((a * b) +_) (*-comm c a) ⟩
    a * b + a * c ∎
    
*+-full : (a b c d : ℕ) → (a + b) * (c + d) ≡ a * c + a * d + b * c + b * d
*+-full a b c d = 
    (a + b) * (c + d)                 ≡⟨ *+-distr (a + b) c d ⟩
    (a + b) * c + (a + b) * d         ≡⟨ cong ((a + b) * c +_) (+*-distr a b d) ⟩
    (a + b) * c + (a * d + b * d)     ≡⟨ cong (_+ ((a * d + b * d))) (+*-distr a b c) ⟩
    (a * c + b * c) + (a * d + b * d) ≡⟨ sym (+-assoc (a * c) (b * c) (a * d + b * d)) ⟩
    a * c + (b * c + (a * d + b * d)) ≡⟨ cong (a * c +_) (+-assoc (b * c) (a * d) (b * d)) ⟩
    a * c + ((b * c + a * d) + b * d) ≡⟨ cong (λ h → a * c + (h + b * d)) (+-comm (b * c) (a * d)) ⟩
    a * c + ((a * d + b * c) + b * d) ≡⟨ +-assoc (a * c) ((a * d + b * c)) (b * d) ⟩
    (a * c + (a * d + b * c)) + b * d ≡⟨ cong (_+ b * d) (+-assoc (a * c) (a * d) (b * c)) ⟩
    ((a * c + a * d) + b * c) + b * d ∎

*Type-checking*
*Type-checking*(Checking lab00.nat.prop (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/prop.agda).
)
*Type-checking*( Checking lab00.nat.comm (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/comm.agda).
)
*All Done*


# Relations
In the same way as we define the natural number inductively,
we can also define relations on the natural numbers inductively.
For instance, we can define a predicate (unary relation) `Even n` that is inhabited precisely when `n` is an even natural number.
The type `Even n` is called an *index type*
since it depends `n`, which is called index.

As for the natural numbers, the definition of `Even n` is inductive:
```agda
data Even : ℕ → Set where
  ev-zero : Even 0
  ev-suc2 : (n : ℕ) → Even n → Even (suc (suc n))
```
In the base case, the term `ev-zero` is evidence that `Even 0` holds.
In the inductive case, if we have some evidence `x : Even n` that `n` is even,
then we can construct evidence `ev-suc2 n x : Even (suc (suc n))` that `suc (suc n)` is even.

**IMPLICIT ARGUMENTS:**
The natural number `n` appears three times in `ev-suc2`:
As the first argument, as the argument of `Even`, and as the argument of `suc`.
Given this rich context, Agda is usually able to deduce what is `n` and its type `ℕ`
in expressions omitting `n`, such as `ev-suc2 _ x` (the type of `x` tells us what is `n` here).
We can go one step further, and mark the first argument of `ev-suc2` as an *implicit argument* `{n : ℕ}`,
allowing us to write directly things such as `ev-suc2 x`.
If at any moment we want/need to provide an implicit argument, we can always write `ev-suc2 {n} x`,
as the examples below demonstrate.

As an heuristical approach, one can first write the definition with all the explicit arguments,
and then try to make some implicit to improve readability
(iteratively, until Agda complains that it cannot solve the corresponding constraints).

In [41]:
module lab00.nat.even where

open import lab00.nat

-- indexed inductive type
data Even : ℕ → Set where
  ev-zero : Even 0
  ev-suc2 : {n : ℕ} → Even n → Even (suc (suc n))
  
-- the sum of two even numbers is even
+-ev' : (m n : ℕ) → Even m → Even n → Even (m + n)
+-ev' 0 n ev-zero evn = evn
+-ev' (suc (suc m)) n (ev-suc2 evm) evn = ev-suc2 {m + n} (+-ev' m n evm evn)

-- in compact form (Agda can correctly infer all the implicit arguments)
+-ev : {m n : ℕ} → Even m → Even n → Even (m + n)
+-ev ev-zero evn = evn
+-ev (ev-suc2 evm) evn = ev-suc2 (+-ev evm evn)

*Type-checking*
*Type-checking*(Checking lab00.nat.even (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/even.agda).
)
*All Done*


**Exercise.** Formalise and prove that the sum of *three* even numbers is even.

In [42]:
module lab00.nat.even-three where

open import lab00.nat
open import lab00.nat.even

++-ev : ?
++-ev = ?

*Type-checking*
*Type-checking*(Checking lab00.nat.even-three (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/even-three.agda).
)
*Type-checking*( Checking lab00.nat.even (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/even.agda).
)
*All Goals*(?0 : _0
?1 : ?0
Sort _0  [ at /Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/even-three.agda:6,9-10 ]
)


In [43]:
module lab00.nat.even-three where

open import lab00.nat
open import lab00.nat.even

++-ev : {m n l : ℕ} → Even m → Even n → Even l → Even (m + n + l)
++-ev evm evn evl = +-ev evm (+-ev evn evl)

*Type-checking*
*Type-checking*(Checking lab00.nat.even-three (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/even-three.agda).
)
*Error*(/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/even-three.agda:7,21-43
.m != .m + .n of type ℕ
when checking that the inferred type of an application
  Even (.m + _n_6 evm evn evl)
matches the expected type
  Even (.m + .n + .l))


## Order
We can also define the order total relation between natural numbers in the same fashion.
```agda
data _≤_ : ℕ → ℕ → Set where
  0≤n : ∀ {n : ℕ} → 0 ≤ n
  s≤s : ∀ {m n : ℕ} → m ≤ n → suc m ≤ suc n
```
In the first case, we say that `0 ≤ n` always holds;
this is witnessed by the (base) constructor `0≤n`.
In the second case, if `m ≤ n` holds (as witnessed by, say, `m≤n`),
then `suc m ≤ suc n` also holds;
this is witnessed by the second (inductive) constructor `s≤s x`.

In [44]:
module lab00.nat.leq where

open import lab00.nat

infix 4 _≤_

data _≤_ : ℕ → ℕ → Set where
  0≤n : {n : ℕ} → 0 ≤ n
  s≤s : {m n : ℕ} → m ≤ n → suc m ≤ suc n

-- some examples
_ : 0 ≤ 1
_ = 0≤n {1} -- could omit the implicit argument

_ : 1 ≤ 100
_ = s≤s {0} {99} (0≤n {99}) -- could omit the implicit arguments

_ : 4 ≤ 1000
_ = s≤s (s≤s (s≤s (s≤s 0≤n)))

*Type-checking*
*Type-checking*(Checking lab00.nat.leq (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/leq.agda).
)
*All Done*


## Properties of relations
In this part we formalise an prove that `_≤_` satisfies some common relational properties.

**REFLEXIVITY:** We begin by giving an example proof that `_≤_` is *reflexive*, in the sense that
```agda
≤-refl : {n : ℕ} → n ≤ n
```
(We leave the parameter implicit because 1) Agda can infer it most of the times,
and 2) it will make the following code more readable.)
The proof that `_≤_` is reflexive is by induction:
```agda
≤-refl {0}     = 0≤n
≤-refl {suc n} = s≤s (≤-refl {n})
```
In the base case, we just use the fact that `0≤n {0} : 0 ≤ 0`.
In the inductive case, the inductive hypothesis `≤-refl {n} : n ≤ n` is a proof that `n ≤ n` holds,
and thus `s≤s (≤-refl {n}) : suc n ≤ suc n`, as required.

**TRANSITIVITY:** We show that `_≤_` is *transitive*, in the sense that
```agda
≤-trans : {m n p : ℕ} → m ≤ n → n ≤ p → m ≤ p
```
While the previous proof was by induction on the natural number argument `{n : ℕ}`,
for transitivity we do induction on the *evidence* that `m ≤ n` holds.
```agda
≤-trans 0≤n _               = 0≤n
≤-trans (s≤s m≤n) (s≤s n≤p) = s≤s (≤-trans m≤n n≤p)
```
In the base case, the first (non-implicit) argument is `0≤n : 0 ≤ n`, from which we can deduce `m ≡ 0`,
and consequently `0≤n : 0 ≤ p` is the term we are after; notice that the two occurrences of `0≤n` have different types (implicit parameters hide this information).
In the inductive case, the first argument is `s≤s m≤n : suc m ≤ suc n`
and the second argument is `s≤s n≤p : suc n ≤ suc p`,
where `m≤n : m ≤ n` and `n≤p : n ≤ p`.
By inductive assumption, `≤-trans m≤n n≤p : m ≤ p`,
and thus `s≤s (≤-trans m≤n n≤p) : suc m ≤ suc p`, as required.
Notice that the case
```agda
≤-trans (s≤s m≤n) 0≤n
```
cannot arise: The shape of the first argument implies that `n` is of the form `suc _`,
and thus it cannot be `0`, as implied by the second argument.
Agda detects that this case cannot occurr
and does not complain that the corresponding definition is missing.

In [45]:
module lab00.nat.leq.prop where

open import lab00.nat
open import lab00.nat.leq

≤-refl : {n : ℕ} → n ≤ n
≤-refl {0} = 0≤n
≤-refl {suc n} = s≤s (≤-refl {n}) -- we could omit {n}, left for clairty here

≤-trans : {m n p : ℕ} → m ≤ n → n ≤ p → m ≤ p
≤-trans 0≤n _               = 0≤n
≤-trans (s≤s m≤n) (s≤s n≤p) = s≤s (≤-trans m≤n n≤p)

*Type-checking*
*Type-checking*(Checking lab00.nat.leq.prop (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/leq/prop.agda).
)
*Type-checking*( Checking lab00.nat.leq (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/leq.agda).
)
*All Done*


**Exercise**. Prove that `_≤_` is *anti-symmetric*.

*Hint:* Do induction on `_≤_`.
As in transitivity, in the inductive step not all cases can arise (two out of four).

In [46]:
module lab00.nat.leq.asym where

open import lab00.eq
open import lab00.nat
open import lab00.nat.leq

≤-asym : {m n : ℕ} → m ≤ n → n ≤ m → m ≡ n
≤-asym = ?

*Type-checking*
*Type-checking*(Checking lab00.nat.leq.asym (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/leq/asym.agda).
)
*All Goals*(?0 : .m ≤ .n → .n ≤ .m → .m ≡ .n
)


In [47]:
module lab00.nat.leq.asym where

open import lab00.eq
open import lab00.nat
open import lab00.nat.leq

≤-asym : {m n : ℕ} → m ≤ n → n ≤ m → m ≡ n
≤-asym 0≤n 0≤n = refl -- m = n = 0
≤-asym {suc m} {suc n} (s≤s m≤n) (s≤s n≤m) =
    suc m ≡⟨ cong suc (≤-asym m≤n n≤m) ⟩ --inductive assumption
    suc n ∎    

*Type-checking*
*Type-checking*(Checking lab00.nat.leq.asym (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/leq/asym.agda).
)
*All Done*


# Additional material

## Inequality chains
In a way similar to equality chains, we can introduce inequality chain as a syntactic sugaring to simplify writing proofs involving chains of `_≤_`.
Like for equality chains, the code below can be skipped on a first reading. Usage example:
```agda
ex : (a b c d : ℕ) → a ≤ b → b ≡ c → c ≤ d → a ≤ d
ex a b c d  a≤b b≡c c≤d =
    start
        a ≤⟨ a≤b ⟩
        b ≤≡⟨ b≡c ⟩
        c ≤⟨ c≤d ⟩
        d
    stop
```

In [48]:
module lab00.nat.leq.chain where

open import lab00.eq
open import lab00.nat
open import lab00.nat.leq
open import lab00.nat.leq.prop

infix  1 start_
infixr 2 _≤⟨⟩_ _≤⟨_⟩_ _≤≡⟨_⟩_
infix  3 _stop

start_ : {x y : ℕ} → x ≤ y → x ≤ y
start p = p

_≤⟨⟩_ : (x : ℕ) {y : ℕ} → x ≤ y → x ≤ y
_ ≤⟨⟩ p = p

-- transitivity
_≤⟨_⟩_ : (x : ℕ) {y z : ℕ} → x ≤ y → y ≤ z → x ≤ z
_ ≤⟨ x≤y ⟩ y≤z = ≤-trans x≤y y≤z

-- substitutivity
_≤≡⟨_⟩_ : (x : ℕ) {y z : ℕ} → x ≡ y → y ≤ z → x ≤ z
_≤≡⟨_⟩_ x {y} {z} x≡y y≤z = subst (_≤ z) (sym x≡y) y≤z

-- reflexivity
_stop : (x : ℕ) -> x ≤ x
_ stop = ≤-refl

*Type-checking*
*Type-checking*(Checking lab00.nat.leq.chain (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/leq/chain.agda).
)
*Type-checking*( Checking lab00.nat.leq.prop (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/leq/prop.agda).
)
*All Done*


**PRE-CONGRUENCE:** We want to show that the relation `_≤_` is a *pre-congruence* w.r.t. addition,
in the following sense:
```agda
≤-precong : {m n p q : ℕ} → m ≤ n → p ≤ q → m + p ≤ n + q
```
(This is usually called *monotonicity* when `_≤_` is an order (as in our case).)

**Exercise.** Show that `_≤_` is a pre-congruence w.r.t. addition.
It is recommended to proceed in the following three steps.
1. Show that `_≤_` is a right pre-congruence:
```agda
≤-precong-right : (m p q : ℕ) → p ≤ q → m + p ≤ m + q
```
*Hint: Do induction on `m`*.
2. Show that `_≤_` is a left pre-congruence:
```agda
≤-precong-left : (m n p : ℕ) → m ≤ n → m + p ≤ n + p
```
*Hint: Use the previous point and commutativity of addition*.
3. Put together the two previous points and show that `_≤_` is a pre-congruence.

The solution to the last two points can be greatly improved by using inequality chains.

In [49]:
module lab00.nat.leq.precong where

open import lab00.eq
open import lab00.nat
open import lab00.nat.leq
open import lab00.nat.comm
open import lab00.nat.leq.chain

≤-precong-right : {m p q : ℕ} → p ≤ q → m + p ≤ m + q
≤-precong-right {0} p≤q = p≤q
≤-precong-right {suc m} {p} {q} p≤q = s≤s (≤-precong-right {m} {p} {q} p≤q)

≤-precong-left : {m n p : ℕ} → m ≤ n → m + p ≤ n + p
≤-precong-left {m} {n} {p} m≤n =
    start
        m + p ≤≡⟨ +-comm m p ⟩
        p + m ≤⟨ ≤-precong-right m≤n ⟩
        p + n ≤≡⟨ +-comm p n ⟩
        n + p
    stop

≤-precong : {m n p q : ℕ} → m ≤ n → p ≤ q → m + p ≤ n + q
≤-precong {m} {n} {p} {q} m≤n p≤q =
    start
        m + p ≤⟨ ≤-precong-right p≤q ⟩
        m + q ≤⟨ ≤-precong-left m≤n ⟩
        n + q
    stop

*Type-checking*
*Type-checking*(Checking lab00.nat.leq.precong (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/leq/precong.agda).
)
*Type-checking*( Checking lab00.nat.leq.chain (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/nat/leq/chain.agda).
)
*All Done*


## Mutual inductive definitions
**Exercise.** Define even and odd numbers by a *mutual* inductive definition. Define addition on them, by a *mutual* recursive definition.

In [50]:
module lab00.even-odd where

open import lab00.nat

data Even : ℕ → Set
data Odd : ℕ → Set

data Even where
-- TODO

data Odd where
-- TODO

*Type-checking*
*Type-checking*(Checking lab00.even-odd (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/even-odd.agda).
)
*All Done*


In [51]:
module lab00.even-odd where

open import lab00.nat

data Even : ℕ → Set
data Odd : ℕ → Set

data Even where
  zero : Even zero
  plusE : {n : ℕ} → Odd n → Even (suc n)
  
data Odd where
  plusO : {n : ℕ} → Even n → Odd (suc n)

-- plus functions defined by mutual recursion
plusEE : {m n : ℕ} → Even m → Even n → Even (m + n)
plusEO : {m n : ℕ} → Even m → Odd n → Odd (m + n)
plusOE : {m n : ℕ} → Odd m → Even n → Odd (m + n)
plusOO : {m n : ℕ} → Odd m → Odd n → Even (m + n)

plusEE zero n = n
plusEE (plusE m) n = plusE (plusOE m n)

plusEO zero n = n
plusEO (plusE m) n = plusO (plusOO m n)

plusOE (plusO m) n = plusO (plusEE m n)

plusOO (plusO m) n = plusE (plusEO m n)

*Type-checking*
*Type-checking*(Checking lab00.even-odd (/Users/lorenzo/Dropbox/Workspace/teaching/Teaching/2018-2019/summer semester/LDI (logika dla informatyków)/lab/agda/lab00/even-odd.agda).
)
*All Done*
