Skip to Content.
Sympa Menu

coq-club - Re: [Coq-Club] Merge similar theorems

coq-club AT inria.fr

Subject: The Coq mailing list

List archive

Re: [Coq-Club] Merge similar theorems


Chronological Thread 
  • From: Jason -Zhong Sheng- Hu <fdhzs2010 AT hotmail.com>
  • To: "coq-club AT inria.fr" <coq-club AT inria.fr>
  • Subject: Re: [Coq-Club] Merge similar theorems
  • Date: Mon, 3 Feb 2020 01:35:25 +0000
  • Accept-language: en-CA, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iNIvWQSjGMNUnV0U3WsvDX7ru4tRRrMZEMHQj+WOx9Q=; b=ckqzH+97zyoYhc9ei9I7MkZhhgyCY33E1fF6oPntwzzX/9eSNh9E1/CQHQSclkEYrZ5obAaZHzTUvisGyAAf/68NzWNS+S5wos1ZJ8qInzk4c1NOUk+wlVb2x9nv0FKYdgnKNmurtpCLOytWiXJ+S3gqpxIpy9xZo4x/PtQvuCr1oMSHQzTZT81r9YfxELa20bFA/tW1KZPZy1R/flOJ77y0gCql/BQ43oyUykgWKTmUreapRdAmQB6htk51MhrdcPsC3vEB3UrxYx4SaVB3epghlVuQ92NEKzLF11EqInmFd247nCRTyVH1yCi9UEXXzVU9+JBTUy4Wi/hcbOOYqg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oOkpdgkvSyBaF9HlzdrRw5xfbIwgRyRG8i9WPzbusDgT0Rkz6gUYVGK/FZVv4siHbqYFU36EA71hC1PfQAbVluKOAN3e7cVIOo6zHBWIkqJbKVVH2E9fTvrhpGQ4JnU20m0ac4gGXb27IEFT4LBkKsVL6+2tpgrivbHLlwERwYTYWxWDNn6jV+SkHyiUjNvsjMZ2XcCdOy4dia21nseqyptUrpzIJpW8KuzavT4sHq9KirlWlCJMJhaDrDpSGVGwLE4lCBZhGCkx7+avpayXhlzBwJxdgyfx9sqwcWq0nocosPZgjOrFxFhD+uDlsRGfa6/nYj7r56Yu+m4tMrrDqw==
  • Authentication-results: mail2-smtp-roc.national.inria.fr; spf=None smtp.pra=fdhzs2010 AT hotmail.com; spf=Pass smtp.mailfrom=fdhzs2010 AT hotmail.com; spf=Pass smtp.helo=postmaster AT NAM10-DM6-obe.outbound.protection.outlook.com
  • Ironport-phdr: 9a23:hWKVYhFYx4f9/62BRjb39p1GYnF86YWxBRYc798ds5kLTJ7zr8+wAkXT6L1XgUPTWs2DsrQY0raQ7/6rAjBIoc7Y9ixbK9oUD15NoP5VtjRoONSCB0z/IayiRA0BN+MGamVY+WqmO1NeAsf0ag6aiHSz6TkPBke3blItdaz6FYHIksu4yf259YHNbAVUnjq9Zq55IAmroQnLucQanIRvJrw+xxbIrXdFdetbzn5sKV6Pghrw/Mi98INt/ihKp/4t68tMWrjmcqolSrBVEC4oOH0v6s3xshnDQwqP5n8CXWgTjxFFHQvL4gzkU5noqif1ufZz1yecPc3tULA7Qi+i4LtxSB/pkygIKTg0+3zKh8NqjaJbpBWhpwFjw4PRfYqYOuZycr/bcNgHQ2dKQ8RfWDFbAo6kb4UBEfcPPfpWoYf+u1QBogCzChOwCO/z0DJEmmP60K883u88EQ/GxgsgH9cWvXrQttr1L6ASUeaox6XRzjrDb/RW2THy6IPVbx4hoe+DXbR/ccbI1EIhFR7FhUiXpIzrIjyV1uUMs3OF4+Z8SO6jl3UqqwF2ojizw8cjkIjJhoYPxl/Y8iV5xZ84KNulQ0B4ed6pCJRduz2AO4ZyXM8uWW5ltDsgxrEbpZK2fzAGyJo5yBPcd/CKdo2F7Qj+WOmNJTp1gXZodK+iiBu380Wv0PHwW8ux3VlQsCZKjsfAu3YQ3BLJ8MeHUOFy/kK51DaPyQ/T7uZELFgsm6fHLJAt36I8moMdv0rEHyL6gUL2g7SIeUk+/eio9vjnba7hpp+BMY97lxvyMrw0msy4HeQ3LBQBX3Sa+eS70r3v50r5QKhWjv0ylanZt5PaKd4Hqa6+Bg9Zyocj6xChADe6yNkVkmULIEhBdR6ZlYTkNEzCLOrlAfujgFmgiDJryOrHPr3lDJXNNH/DkLL5cLZz9kFcyAsyzctB655IF70NPOn+Wk/2tNzECx82KQ20w+L9BNph0YMeXHqDArWFP6PKrV+I+uUvLvGQa48SoTbxMuQq5/rzjXAiglIdZqmo3Z4PaH+iBPhmIkOZYWDtgtgbC2sKsBA+H6TWjwjIWjlKIn22QqgU5zchCYvgA52JDtSmh6XE1yOmFLVXYHpHAxaCCyG7WZ+DXqIuYTmVJIckoDwDU7fpcI8s0x7r/C/ng+5pIurG4XdA7MrL1N9p4uTSkVc58jkiXJfV6H2EU2whxjBAfDQxxq0q+RUhmGfG6rBxhrljLfIW/+lAC1xoNZnAyuV7D5b5XQeTJo7UGmbjec2vBHQKdvx0w9IKZBoiSfOLq0mbmgaPXfoSnbHNA4Eo+KXB2XS3P9x613vNyKgmiR8hX9dLMmqlwKV48lqKXt+bowCij6+vMJ8k8mvI/WaHw3CJuRgDAg53TaDMXHRZbUzT/430
I think the first two questions to ask are whether the proofs are similar and whether they are very long. If the proofs are similar, does that mean the addresses, the 1 and the 2 are not very significant in this case? If that's the case perhaps you can prove a theorem parametrized by those?

Thanks,
Jason Hu

On Feb 2, 2020 05:11, Gabriel Scherer  <gabriel.scherer AT gmail.com> wrote:
An first way to go about it would be to define an inductive to indicate which case is being considered (the naming is a bit silly in my example, but with your domain knowledge you can choose better names):

Inductive case :=
| Case1 : case
| Case2 : case
.
Definition ea_in_app_range case :=
  match case with
  | Case1 => ea_in_app1_range
  | Case2 => ea_in_app2_range
  end.

Definition CPUContextApp case :=
  match case with
  | Case1 => CPUContextApp1
  | Case2 => CPUContextApp2
  end.

Theorem app_access_self_ok :
    forall case (ea : Z),
        ea_in_app_range case ea ->
         let tlbe := find_tlbe (CPUContextApp case) ea TLB in
         (   tlb_hit tlbe
          /\ addr_translate_ok tlbe ea
          /\ access_granted (CPUContextApp case) tlbe).

This just a rephrasing of your statements with a simple factorization. It is useful if the proofs of the two theorems share a lot of logic which does not depend on the case (the parts of the proof that use case distinction are small).

Note that trying to write the proof in a higher-order style (abstracted over functions for ea_in_app_range and CPUContextApp) would be more powerful but is also going to be much harder: there is no chance for your theorem to hold for *any* function at their types, so you have to figure out what are the sufficient conditions on their choice for the theorem to hold. You get a stronger result (as long as the conditions are less restrictive than "being either foo1 or foo2") but it is much more work.

On Sun, Feb 2, 2020 at 10:32 AM 朱立平 <zlponline AT 163.com> wrote:
I have two(and may be more) theorems as follows and I don't think  proving them one by one is a good way.
Theorem app1_access_self_ok :
    forall (ea : Z),
        ea_in_app1_range ea ->
         let tlbe := find_tlbe CPUContextAPP1 ea TLB in
         (   tlb_hit tlbe
          /\ addr_translate_ok tlbe ea
          /\ access_granted CPUContextAPP1 tlbe).
Theorem app2_access_self_ok :
    forall (ea : Z),
        ea_in_app2_range ea ->
         let tlbe := find_tlbe CPUContextAPP2 ea TLB in
         (   tlb_hit tlbe
          /\ addr_translate_ok tlbe ea
          /\ access_granted CPUContextAPP2 tlbe).  
The differences are 
Definition ea_in_app1_range (ea : Z) : Prop :=   (to_Z "0x40040000") <= ea <=(to_Z "0x4004ffff") . 
Definition ea_in_app2_range (ea : Z) : Prop :=   (to_Z "0x40050000") <= ea <=(to_Z "0x4005ffff") .
and
Definition CPUContextAPP1 := mk_cpucontext true true true (1).
Definition CPUContextAPP2 := mk_cpucontext true true true (2).

Is there an elegant way to prove them in one theorem?  Will high-order be used in this scenario? Thanks!

Best,
Julian


 



Archive powered by MHonArc 2.6.18.

Top of Page