coq-club AT inria.fr
Subject: The Coq mailing list
List archive
- From: Gabriel Scherer <gabriel.scherer AT gmail.com>
- To: Coq Club <coq-club AT inria.fr>
- Subject: Re: [Coq-Club] Merge similar theorems
- Date: Sun, 2 Feb 2020 11:14:46 +0100
- Authentication-results: mail3-smtp-sop.national.inria.fr; spf=None smtp.pra=gabriel.scherer AT gmail.com; spf=Pass smtp.mailfrom=gabriel.scherer AT gmail.com; spf=None smtp.helo=postmaster AT mail-qk1-f180.google.com
- Ironport-phdr: 9a23:13Qsex+X6/neav9uRHKM819IXTAuvvDOBiVQ1KB30OocTK2v8tzYMVDF4r011RmVBNmdt68P0rOe8/i5HzBZutDZ6DFKWacPfidNsd8RkQ0kDZzNImzAB9muURYHGt9fXkRu5XCxPBsdMs//Y1rPvi/6tmZKSV3wOgVvO+v6BJPZgdip2OCu4Z3TZBhDiCagbb9oIxi6sArcutMZjIZiJao91wbFqWZMd+hK2G9kP12ekwvy68uq4JJv7yFcsO89+sBdVqn3Y742RqFCAjQ8NGA16szrtR3dQgaK+3ARTGYYnAdWDgbc9B31UYv/vSX8tupmxSmVJtb2QqwuWTSj9KhkVhnlgzoaOjEj8WHXjstwjL9HoB+kuhdyzZLYbJ2TOfFjZa7WY88USnRdUcZQTyxBA52zb40TD+oaIO1Uq5Dxq0YSoReiAAWhAv7kxD1ViX/sxaA13OohHgPG0gIuHNwArWrao8nuOagITey41rPFwSnfY/5U3zr29YjGcgomofGJRb9+cNDexlI1FwPEkFqQrZHuMS6J2eQNrWeb9fRvVfiygGMgpAF+uCOgxt0tiobXgoIZ0EvE+jl5wIkrP923VlR7bMWrEJtVrS6aNo92Ttk+TGFvvSY307sLsoO4cigS0Jkr2QLTZvidf4WL4h/vTvidLSlmiH5/Zb6yhAq+/E69wePmTMa0ykxFri9dn9nMqH8N0xvT59CCSvRn/0eh3S+D1xnQ6u1ZOEw0m7fXJp09zrIqmZoTtkPDHiDymErolqOZakIk+u2w5+TmZLXpuIOcOpdqhg3iNqkigM+yDOQiPgQQQWSX5/6w2KDg8EHlWLlKi+c5kqjdsJDUP8Qboau5Dhda0ok58Bm/FTam38ocnXUdN1JKZBKHgJbzO17QOvD1Fvi/g1G2nzdqw/DKJKHuApLILnTbirfuYa5961JAyAo01d1Q+5VUCqgYLP3vXk/xqcfXAwQiMw20xubnEM9y2pkfWWKJGK+ZMbndvUWG5uI1cKGwY9o+vy+1APw47ba6hngg3FQZYKOB3J0NaXn+EO4wcGuDZn+5rd4LC2YHukIFR+znklCYGWpcbnyoXq84oCowCI+8AJ3rSYWkgbjH1yC+SM4FLltaA0yBRC+7P76PXO0BPWfLepc4zm40EIO5Qopk7imA8RfgwuM+fOXR8ywc85nk0YotvryBpVQJ7TVxSv+l/SSIRmBwkHkPQmZvjq96qE15jFyE1Poh2qEKJZlo//pMFzwCG9vcwuh9UY6gXwvAepKQSw/jTIz2WXc+SdU+x9JIaEF4SY2v
An first way to go about it would be to define an inductive to indicate which case is being considered (the naming is a bit silly in my example, but with your domain knowledge you can choose better names):
Inductive case :=
| Case1 : case
| Case2 : case
.
Definition ea_in_app_range case :=
match case with
| Case1 => ea_in_app1_range
| Case2 => ea_in_app2_range
end.
Definition CPUContextApp case :=
match case with
| Case1 => CPUContextApp1
| Case2 => CPUContextApp2
end.
Theorem app_access_self_ok :
forall case (ea : Z),
ea_in_app_range case ea ->
let tlbe := find_tlbe (CPUContextApp case) ea TLB in
( tlb_hit tlbe
/\ addr_translate_ok tlbe ea
/\ access_granted (CPUContextApp case) tlbe).
forall case (ea : Z),
ea_in_app_range case ea ->
let tlbe := find_tlbe (CPUContextApp case) ea TLB in
( tlb_hit tlbe
/\ addr_translate_ok tlbe ea
/\ access_granted (CPUContextApp case) tlbe).
This just a rephrasing of your statements with a simple factorization. It is useful if the proofs of the two theorems share a lot of logic which does not depend on the case (the parts of the proof that use case distinction are small).
Note that trying to write the proof in a higher-order style (abstracted over functions for ea_in_app_range and CPUContextApp) would be more powerful but is also going to be much harder: there is no chance for your theorem to hold for *any* function at their types, so you have to figure out what are the sufficient conditions on their choice for the theorem to hold. You get a stronger result (as long as the conditions are less restrictive than "being either foo1 or foo2") but it is much more work.
On Sun, Feb 2, 2020 at 10:32 AM 朱立平 <zlponline AT 163.com> wrote:
I have two(and may be more) theorems as follows and I don't think proving them one by one is a good way.Theorem app1_access_self_ok :forall (ea : Z),ea_in_app1_range ea ->let tlbe := find_tlbe CPUContextAPP1 ea TLB in( tlb_hit tlbe/\ addr_translate_ok tlbe ea/\ access_granted CPUContextAPP1 tlbe).Theorem app2_access_self_ok :forall (ea : Z),ea_in_app2_range ea ->let tlbe := find_tlbe CPUContextAPP2 ea TLB in( tlb_hit tlbe/\ addr_translate_ok tlbe ea/\ access_granted CPUContextAPP2 tlbe).The differences areDefinition ea_in_app1_range (ea : Z) : Prop := (to_Z "0x40040000") <= ea <=(to_Z "0x4004ffff") .Definition ea_in_app2_range (ea : Z) : Prop := (to_Z "0x40050000") <= ea <=(to_Z "0x4005ffff") .andDefinition CPUContextAPP1 := mk_cpucontext true true true (1).Definition CPUContextAPP2 := mk_cpucontext true true true (2).Is there an elegant way to prove them in one theorem? Will high-order be used in this scenario? Thanks!Best,Julian
- [Coq-Club] Merge similar theorems, 朱立平, 02/02/2020
- Re: [Coq-Club] Merge similar theorems, Gabriel Scherer, 02/02/2020
- <Possible follow-up(s)>
- Re: [Coq-Club] Merge similar theorems, Jason -Zhong Sheng- Hu, 02/03/2020
Archive powered by MHonArc 2.6.18.