| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
|
|
Thus far we have found maps in both directions but lack statements about
the composition of them.
|
|
It is a definition based on Vec but with less assumptions. The VecBFF
has therefore been renamed to VecRevBFF.
VecBFF uses get : \forall n \exists m -> Vec A n -> Vec a m
VecRevBFF uses get : \forall m \exists n -> Vec A n -> Vec a m
|
|
|
|
|
|
|
|
|
|
Even though they are the same.
|
|
Semantically this is no change, but reducing to standard interface seems
better.
|
|
|
|
It is a special case of lemma-assoc-domain.
|
|
Reasoning about assoc ... = just ... has turned out to be difficult for
inductive arguments. This is why I defined a new property between a List
(Fin n) and a FinMapMaybe n A. Thanks to Janis Voigtlaender for
suggesting this. lemma-assoc-domain transforms a property about assoc
into a domain property which can be used to complete the missing pieces
of lemma-2.
|
|
Introduce lemma-map-lookupM-assoc. It branches on whether the newly
inserted element is already present. To employ the results of this
branch two new lemmata lemma-\in-lookupM-assoc and
lemma-\notin-lookupM-assoc are used and they need
lemma-lookupM-checkInsert. The remaining hole in lemma-map-lookupM-assoc
targets the case where the checkInsert actually is an insert of a new
element. It probably needs more thinking to get this case right.
|
|
|
|
|
|
Seems like the more common use case.
|
|
All proofs about expressions containing checkInsert share a common
pattern. There are three cases:
1) Inserting a key-value-pair that is already present in the map.
2) Inserting a new key into the map.
3) Failure to insert a conflicting key-value pair in the map.
The checkInsertProof record enables to write three different cases
reducing the usage of "with" (and thus line length) in
lemma-checkInsert-restrict and lemma-lookupM-assoc.
|
|
lookup and lookupM reference the same function, but serve different
purposes.
|
|
|
|
|
|
The name was deemed misleading. Nothing else changed.
|
|
|
|
|
|
|
|
|
|
As in the bff paper expand s using lemma-map-denumerate-enumerate
and apply free-theorem-list-list to commute get and map.
|
|
It is some kind of counter part to enumerate. That is:
map (denumerate s) (enumerate s) \== s
It can be employed in bff and I believe it to simplify reasoning on bff.
|
|
Looks like uses of idrange would always be passed a length, so move it
inside the definition.
|
|
|
|
|
|
The step case needs two lemmata. One for the head of the resulting map and one
for the tail. The head case is shown using a
lemma-lookupM-assoc : assoc eq (i :: _) (x :: _) == just h ->
lookupM i h == just x
|
|
|
|
|
|
|
|
Try to always construct statements of the form
complex expression \== simple expression.
|
|
|
|
Introducing the following lemmata:
* lemma-lookupM-empty : nothing \== lookupM i empty
* lemma-from-just : just x \== just y -> x \== y
* lemma-lookupM-insert : just a \== lookupM i (insert i a m)
* lemma-lookupM-insert-other : \neg (i \== j) ->
lookupM i m \== lookupM i (insert j a m)
* lemma-lookupM-generate : just a = lookupM i (generate f is) -> a \== f i
|
|
|
|
This way the inserted value is not hidden in the Is-Just proof object.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In order to prove lemma-1 we first show a lemma-insert-same to show that
inserting the same pair twice does not change the FinMapMaye. lemma-1 still
has two goals. In the first goal agda doesn't accept "is-just (f i)". Why?
The second goal is to be shown as absurd.
|
