解决目标中的平等/不平等,coq代码
Solving equality / inequality in goal, coq code
如何证明这两个语句相等:
Val.shru (Val.and a (Vint b)) (Vint c) = Vint ?3434 /\ ?3434 <> d
Val.shru (Val.and a (Vint b)) (Vint c) <> d
这个概念很简单,但坚持要找到正确的策略来解决它。这实际上是我要证明的引理:
Require Import compcert.common.Values.
Require Import compcert.lib.Coqlib.
Require Import compcert.lib.Integers.
Lemma val_remains_int:
forall (a : val) (b c d: int),
(Val.shru (Val.and a (Vint b)) (Vint c)) <> (Vint d) ->
(exists (e : int), (Val.shru (Val.and a (Vint b)) (Vint c)) = (Vint e) /\ e <> d).
Proof.
intros.
eexists.
...
Admitted.
谢谢,
如果您可以构造一个类型为 int 的值(在下面的示例中为 i0),则此引理不成立:
Require Import compcert.lib.Coqlib.
Require Import compcert.lib.Integers.
Require Import compcert.common.Values.
Variable i0 : int.
Fact counter_example_to_val_remains_int:
~ forall (a : val) (b c d: int),
(Val.shru (Val.and a (Vint b)) (Vint c)) <> (Vint d) ->
(exists (e : int),
(Val.shru (Val.and a (Vint b)) (Vint c)) = (Vint e)
/\ e <> d).
Proof.
intro H.
assert (Vundef <> Vint i0) as H0 by easy.
specialize (H Vundef i0 i0 i0 H0); clear H0.
simpl in H.
destruct H as (? & contra & _).
discriminate contra.
Qed.
至少有两个原因:
Val.and 和 Val.shru return Vundef 对于所有不是 Vint 的参数(它是 GIGO 原则的一个实例) ;- 此外,您不能在 C 中将位移动太多——结果未定义(这个大约
Val.shru)。
至于您在评论中提到的修改后的引理,简单的 reflexivity 就可以:
Lemma val_remains_int: forall a b c d: int,
Vint (Int.shru (Int.and a b) c) <> Vint d ->
exists (e : int), Vint (Int.shru (Int.and a b) c) = Vint e /\ e <> d.
Proof.
intros a b c d Hneq.
eexists. split.
- reflexivity.
- intro Heq. subst. auto.
Qed.
如何证明这两个语句相等:
Val.shru (Val.and a (Vint b)) (Vint c) = Vint ?3434 /\ ?3434 <> d
Val.shru (Val.and a (Vint b)) (Vint c) <> d
这个概念很简单,但坚持要找到正确的策略来解决它。这实际上是我要证明的引理:
Require Import compcert.common.Values.
Require Import compcert.lib.Coqlib.
Require Import compcert.lib.Integers.
Lemma val_remains_int:
forall (a : val) (b c d: int),
(Val.shru (Val.and a (Vint b)) (Vint c)) <> (Vint d) ->
(exists (e : int), (Val.shru (Val.and a (Vint b)) (Vint c)) = (Vint e) /\ e <> d).
Proof.
intros.
eexists.
...
Admitted.
谢谢,
如果您可以构造一个类型为 int 的值(在下面的示例中为 i0),则此引理不成立:
Require Import compcert.lib.Coqlib.
Require Import compcert.lib.Integers.
Require Import compcert.common.Values.
Variable i0 : int.
Fact counter_example_to_val_remains_int:
~ forall (a : val) (b c d: int),
(Val.shru (Val.and a (Vint b)) (Vint c)) <> (Vint d) ->
(exists (e : int),
(Val.shru (Val.and a (Vint b)) (Vint c)) = (Vint e)
/\ e <> d).
Proof.
intro H.
assert (Vundef <> Vint i0) as H0 by easy.
specialize (H Vundef i0 i0 i0 H0); clear H0.
simpl in H.
destruct H as (? & contra & _).
discriminate contra.
Qed.
至少有两个原因:
Val.and和Val.shrureturnVundef对于所有不是Vint的参数(它是 GIGO 原则的一个实例) ;- 此外,您不能在 C 中将位移动太多——结果未定义(这个大约
Val.shru)。
至于您在评论中提到的修改后的引理,简单的 reflexivity 就可以:
Lemma val_remains_int: forall a b c d: int,
Vint (Int.shru (Int.and a b) c) <> Vint d ->
exists (e : int), Vint (Int.shru (Int.and a b) c) = Vint e /\ e <> d.
Proof.
intros a b c d Hneq.
eexists. split.
- reflexivity.
- intro Heq. subst. auto.
Qed.