\[\begin{split}\newcommand{\alors}{\textsf{then}} \newcommand{\alter}{\textsf{alter}} \newcommand{\as}{\kw{as}} \newcommand{\Assum}[3]{\kw{Assum}(#1)(#2:#3)} \newcommand{\bool}{\textsf{bool}} \newcommand{\case}{\kw{case}} \newcommand{\conc}{\textsf{conc}} \newcommand{\cons}{\textsf{cons}} \newcommand{\consf}{\textsf{consf}} \newcommand{\conshl}{\textsf{cons\_hl}} \newcommand{\Def}[4]{\kw{Def}(#1)(#2:=#3:#4)} \newcommand{\emptyf}{\textsf{emptyf}} \newcommand{\End}{\kw{End}} \newcommand{\kwend}{\kw{end}} \newcommand{\EqSt}{\textsf{EqSt}} \newcommand{\even}{\textsf{even}} \newcommand{\evenO}{\textsf{even}_\textsf{O}} \newcommand{\evenS}{\textsf{even}_\textsf{S}} \newcommand{\false}{\textsf{false}} \newcommand{\filter}{\textsf{filter}} \newcommand{\Fix}{\kw{Fix}} \newcommand{\fix}{\kw{fix}} \newcommand{\for}{\textsf{for}} \newcommand{\forest}{\textsf{forest}} \newcommand{\from}{\textsf{from}} \newcommand{\Functor}{\kw{Functor}} \newcommand{\haslength}{\textsf{has\_length}} \newcommand{\hd}{\textsf{hd}} \newcommand{\ident}{\textsf{ident}} \newcommand{\In}{\kw{in}} \newcommand{\Ind}[4]{\kw{Ind}[#2](#3:=#4)} \newcommand{\ind}[3]{\kw{Ind}~[#1]\left(#2\mathrm{~:=~}#3\right)} \newcommand{\Indp}[5]{\kw{Ind}_{#5}(#1)[#2](#3:=#4)} \newcommand{\Indpstr}[6]{\kw{Ind}_{#5}(#1)[#2](#3:=#4)/{#6}} \newcommand{\injective}{\kw{injective}} \newcommand{\kw}[1]{\textsf{#1}} \newcommand{\lb}{\lambda} \newcommand{\length}{\textsf{length}} \newcommand{\letin}[3]{\kw{let}~#1:=#2~\kw{in}~#3} \newcommand{\List}{\textsf{list}} \newcommand{\lra}{\longrightarrow} \newcommand{\Match}{\kw{match}} \newcommand{\Mod}[3]{{\kw{Mod}}({#1}:{#2}\,\zeroone{:={#3}})} \newcommand{\ModA}[2]{{\kw{ModA}}({#1}=={#2})} \newcommand{\ModS}[2]{{\kw{Mod}}({#1}:{#2})} \newcommand{\ModType}[2]{{\kw{ModType}}({#1}:={#2})} \newcommand{\mto}{.\;} \newcommand{\Nat}{\mathbb{N}} \newcommand{\nat}{\textsf{nat}} \newcommand{\Nil}{\textsf{nil}} \newcommand{\nilhl}{\textsf{nil\_hl}} \newcommand{\nO}{\textsf{O}} \newcommand{\node}{\textsf{node}} \newcommand{\nS}{\textsf{S}} \newcommand{\odd}{\textsf{odd}} \newcommand{\oddS}{\textsf{odd}_\textsf{S}} \newcommand{\ovl}[1]{\overline{#1}} \newcommand{\Pair}{\textsf{pair}} \newcommand{\Prod}{\textsf{prod}} \newcommand{\Prop}{\textsf{Prop}} \newcommand{\return}{\kw{return}} \newcommand{\Set}{\textsf{Set}} \newcommand{\si}{\textsf{if}} \newcommand{\sinon}{\textsf{else}} \newcommand{\Sort}{\cal S} \newcommand{\Str}{\textsf{Stream}} \newcommand{\Struct}{\kw{Struct}} \newcommand{\subst}[3]{#1\{#2/#3\}} \newcommand{\tl}{\textsf{tl}} \newcommand{\tree}{\textsf{tree}} \newcommand{\true}{\textsf{true}} \newcommand{\Type}{\textsf{Type}} \newcommand{\unfold}{\textsf{unfold}} \newcommand{\WEV}[3]{\mbox{$#1[] \vdash #2 \lra #3$}} \newcommand{\WEVT}[3]{\mbox{$#1[] \vdash #2 \lra$}\\ \mbox{$ #3$}} \newcommand{\WF}[2]{{\cal W\!F}(#1)[#2]} \newcommand{\WFE}[1]{\WF{E}{#1}} \newcommand{\WFT}[2]{#1[] \vdash {\cal W\!F}(#2)} \newcommand{\WFTWOLINES}[2]{{\cal W\!F}\begin{array}{l}(#1)\\\mbox{}[{#2}]\end{array}} \newcommand{\with}{\kw{with}} \newcommand{\WS}[3]{#1[] \vdash #2 <: #3} \newcommand{\WSE}[2]{\WS{E}{#1}{#2}} \newcommand{\WT}[4]{#1[#2] \vdash #3 : #4} \newcommand{\WTE}[3]{\WT{E}{#1}{#2}{#3}} \newcommand{\WTEG}[2]{\WTE{\Gamma}{#1}{#2}} \newcommand{\WTM}[3]{\WT{#1}{}{#2}{#3}} \newcommand{\zeroone}[1]{[{#1}]} \newcommand{\zeros}{\textsf{zeros}} \end{split}\]

仕様記述言語 Gallina¶

この章では Coq の仕様記述言語である Gallina について記述します。それは数学的な定理を開発したりプログラムの仕様を証明することが出来ます. 定理とは公理、仮定、パラメータ、補題、定理や定数、関数、命題の定義、それに集合から構築されます。定理に含まれている論理オブジェクトの構文は Terms の節で述べられています。そのコマンド言語は Vernacular と呼ばれ、The Vernacular の節で説明されます。

Coq では、論理オブジェクトはそれらの論理的整合性を保証するために型付けられます。その規則は型付けアルゴリズムによって実装され、Calculus of Inductive Constructions の章で述べられています。

マニュアル中の文法について¶

文法はバッカスナウアー記法 (BNF)で与えられます。終端記号は黒の タイプライター体 で表されます。さらに、正規表現については特別な記法があります。

角カッコ […] で囲まれた式はこの式が最大一で度だけ出現することを意味します (これはオプショナルな部品に対応します)。

“entry sep … sep entry” という記法はエントリーでパースされリテラル “sep” 1 で分割された式の非空の列を表します。

同じように、 “entry … entry” という記法は間にセパレータ無しに “entry” エントリーによってパースされた非空の列を表します。

最後に、 “[entry sep … sep entry]” という記法は “entry” エントリーによってパースされリテラル “sep” によって分割された空になり得る式の列を表します。

字句規則¶

空白

スペース、改行、水平タブは空白とみなされます。空白は無視されますが、トークンを分割します。

コメント

Coq のコメントは (* と *) の間に囲まれ、ネストできます。それは任意の文字を含むことができます。しかしながら、string リテラルは正しく閉じられていなければなりません。コメントは空白として扱われます。

識別子とアクセス識別子

識別子は ident と書かれ、文字、数字、_、' の列であり、数字や ' から始まることはありません。つまり、以下の字句クラスで認識されます。

first_letter      ::=  a..z ∣ A..Z ∣ _ ∣ unicode-letter
subsequent_letter ::=  a..z ∣ A..Z ∣ 0..9 ∣ _ ∣ ' ∣ unicode-letter ∣ unicode-id-part
ident             ::=  first_letter[subsequent_letter…subsequent_letter]
access_ident      ::=  .ident

全ての文字には意味があります。特に、識別子はケースセンシティブです。unicode-letter エントリは非網羅的にラテン語、ギリシャ語、ドイツ語、キリル文字、アラビア語、ヘブライ語、グルジア語、ハングル、ひらがなとカタカナ、CJK 表意文字、記号やハイフンやハードスペースのような数学記号、… を含んでいます。unicode-id-part エントリは非網羅的にプライム文字や下付き文字を含みます。

アクセス識別子は、access_ident と書かれ、空白無しに . (ドット) が接頭辞になる識別子です。それらは修飾された識別子の構文で使われます。

自然数と整数

数の表示は数字の列です。整数は数の表記に任意にマイナス記号が前に付いたものです。

digit   ::=  0..9
num     ::=  digit…digit
integer ::=  [-]num

文字列

文字列は " (ダブルクォート) で区切られ、" やダブルクォート文字を表すための列である "" と異なる任意の文字の並びを囲んだものです。文法規則では、クォートされた文字列のエントリが string です。

キーワード

以下の識別子は予約済みキーワードであり、他のものには使えません:

_ as at cofix else end exists exists2 fix for
forall fun if IF in let match mod Prop return
Set then Type using where with

スペシャルトークン

以下の文字の列はスペシャルトークンです:

! % & && ( () ) * + ++ , - -> . .( ..
/ /\ : :: :< := :> ; < <- <-> <: <= <> =
=> =_D > >-> >= ? ?= @ [ \/ ] ^ { | |-
|| } ~

字句的な曖昧さは “最長マッチ” 規則に沿って解決されます: アルファベットや数字でない文字の列が幾つかの異なる方法で分離される時には、したがって最初のトークンは (その瞬間に定義されている全てのトークンの中で) 最長の可能なものなどになります。

Terms¶

項の構文¶

以下の文法は Calculus of Inductive Constructions (Cic とも呼ばれる) の項の基本的な構文を記述します。Cic の形式的な表現は章 Calculus of Inductive Constructions で与えられます。この構文の拡張は章 Gallina の拡張で与えられます。構文のカスタマイズの方法は章 Syntax extensions and interpretation scopes で説明されます。

term         ::=  forall binders , term
                  | fun binders => term
                  | fix fix_bodies
                  | cofix cofix_bodies
                  | let ident [binders] [: term] := term in term
                  | let fix fix_body in term
                  | let cofix cofix_body in term
                  | let ( [name , … , name] ) [dep_ret_type] := term in term
                  | let ' pattern [in term] := term [return_type] in term
                  | if term [dep_ret_type] then term else term
                  | term : term
                  | term <: term
                  | term :>
                  | term -> term
                  | term arg … arg
                  | @ qualid [term … term]
                  | term % ident
                  | match match_item , … , match_item [return_type] with
                    [[|] equation | … | equation] end
                  | qualid
                  | sort
                  | num
                  | _
                  | ( term )
arg          ::=  term
                  | ( ident := term )
binders      ::=  binder … binder
binder       ::=  name
                  | ( name … name : term )
                  | ( name [: term] := term )
                  | ' pattern
name         ::=  ident | _
qualid       ::=  ident | qualid access_ident
sort         ::=  Prop | Set | Type
fix_bodies   ::=  fix_body
                  | fix_body with fix_body with … with fix_body for ident
cofix_bodies ::=  cofix_body
                  | cofix_body with cofix_body with … with cofix_body for ident
fix_body     ::=  ident binders [annotation] [: term] := term
cofix_body   ::=  ident [binders] [: term] := term
annotation   ::=  { struct ident }
match_item   ::=  term [as name] [in qualid [pattern … pattern]]
dep_ret_type ::=  [as name] return_type
return_type  ::=  return term
equation     ::=  mult_pattern | … | mult_pattern => term
mult_pattern ::=  pattern , … , pattern
pattern      ::=  qualid pattern … pattern
                  | @ qualid pattern … pattern
                  | pattern as ident
                  | pattern % ident
                  | qualid
                  | _
                  | num
                  | ( or_pattern , … , or_pattern )
or_pattern   ::=  pattern | … | pattern

型¶

Coq の項は型付けされます。Coq の型は term と同じ構文クラスと認識されます。type によって term の構文クラスの中で意味論的なサブクラスの種類を表します。

量化識別子と単純識別子¶

量化識別子 (qualid) は グローバル定数 (定義、補題、定理、注意、事実)、グローバル変数 (パラメータや公理)、帰納的型 や 帰納的型のコンストラクタ を表します。単純識別子 (あるいは短く ident) は量化識別子の構文的なサブセットです。識別子は 局所変数 も表すことがある一方、量化識別子はそうではありません。

数字¶

計算の中で数字は確定された意味は持ちません。それらは表記法機構(詳しくは章 Syntax extensions and interpretation scopes を参照)を通して(訳注: 数学的)対象に束縛され得る単なる記法にすぎません。初めは数字は自然数のペアノの表現に束縛されます(Datatypes を参照)。

注釈

負の整数は num と同じレベルにはありません、このため優先順序が不自然になります。

Sorts¶

3つのソート Set、Prop、Type があります。

Prop は 論理命題 の宇宙です。論理命題それ自体が証明を型付けます。命題は form によって表します。これは term の構文クラスの意味論的なサブクラスを構成します。
Set は プログラムの型 または仕様の宇宙です。その仕様それ自体がプログラムを型付けます。我々は仕様を specif で表します。これは term の構文クラスの意味論的なサブクラスを構成します。
Type は Prop と Set の型です。

ソートについてより詳しくは節 Sorts で見つけることができます。

束縛子¶

fun、forall、fix それに cofix のような様々な構文が変数を束縛します。束縛は識別子によって表現されます。もし束縛変数がその式の中で使われないならば、その識別子は記号 _ で置き換えることができます。束縛された変数の型がシステムによって生成出来ないときは、(ident : type) という表記法によって指定することが出来ます。同じ型を共有する束縛変数の列のための表記法もあります: (ident+ : type)。頭にクオートの付いたどんなパターンでも束縛子にすることが出来ます。例 '(x,y)。

幾つかの構文は変数の値への束縛が可能です。これは “let-束縛子” と呼ばれます。文法の binder の項目は、上で定義された仮定束縛子または let-束縛子のどちらかを受理します。後者の場合の表記法は (ident := term) です。let-束縛子では、同時に高々一つの変数が導入できます。以下のように変数の型を与えることも出来ます: (ident : type := term) 。

binder のリストが認められます。fun と forall の場合は、リストの最低一つの束縛子が前提であることが意図されており、そうでなければ fun と forall は同一になります。さらに、同じ型を共有する束縛の単一の列の場合には、括弧も除去することが出来ます (例: fun (x y z : A) => t は fun x y z : A => t に短縮することができます)。

抽象¶

式 fun ident : type => term は項 term 上の型 type の変数 ident の抽象を定義します。それは式 term へ評価する変数 ident の関数を表します(例 fun x : A => x は型 A 上の恒等関数を表します)。キーワード fun には節束縛子で与えられるように幾つかの束縛子を続けることができます。複数の変数上の関数は1変数関数の反復と同等です。例えば式 “fun ident$_{1}$ … ident$_{n}$ : type => term” は “ fun ident$_{1}$ : type => … fun ident$_{n}$ : type => term” と同じ関数を表します。束縛子のリスト中に let-束縛子が現れる場合、それは let-in 定義 (節 Let-in 定義参照) に展開されます。

積¶

式 forall ident : type, term は項 term 上の型 type の変数 ident の積を表します。抽象に関してはどうかというと、forall に束縛リストが続く場合や、いくつかの変数上の積は1変数積の繰り返しと同等です。留意すべきは term は型になることを意図されていることです。

変数 ident が term 中に現れる場合、その積は 依存積 と呼ばれます。依存積 forall x : A, B の背景にある意図には二つの側面があります。それは命題 B 中での型 A の変数 x の全称量化または A から B への関数的依存積 (集合論では大抵 $\Pi_{x:A}.B$ と書かれる構造) のどちらかを表します。

非依存積型は forall _ : A, B を表す特別記法 A -> B を持ちます。その 非依存積 は包含命題と関数型の両方を表すのに使うことが出来ます。

適用¶

式 term$_0$ term$_1$ は term$_0$ の term$_1$ への適用を表します。

式 term$_0$ term$_1$ ... term$_n$ は項 term$_0$ の引数 term$_1$ ... term$_n$ への適用を表します。それは ( … ( term$_0$ term$_1$ ) … ) term$_n$ と同等で結合性は左です。

引数のための記法 (ident := term) が暗黙引数の値を明示的にするために使われます (節 Explicit applications を参照)。

型キャスト¶

式 term : type は型キャスト式です。それは term の型を type になるように強制します。

term <: type は term が型 type を持つことを検査するように局所的に仮想マシンを設定します。

term <<: type 項 term が型 type も持つことを検査するためにネイティブコンパイルを使います。

推論可能部分項¶

しばしば式は冗長な情報の断片を含んでいます。部分項は Coq によって自動的に推論されることがあり、記号 _ で置き換えると Coq が不足している情報の断片を推測します。

Let-in 定義¶

let ident := term in term’ は term’ 内で term から変数 ident への局所束縛を表します。関数の let-in 定義には糖衣構文があり、let ident binder+ := term in term’ が let ident := fun binder+ => term in term’ を表します。

場合分けによる定義¶

帰納型のオブジェクトはパターンマッチと呼ばれる場合分けの文法によって分解することができます。パターンマッチ式はある帰納オブジェクトの構造を解析し、特定の処理を適切に適用するために使われます。

この段落ではパターンマッチの基本形を説明します。一般形の説明については節 Multiple and nested pattern matching と章 Extended pattern matching を参照して下さい。パターンマッチの基本形は単一の match_item 式によって特徴づけられ、mult_pattern は単一の pattern に、pattern は qualid ident* という形式に制限されます。

"term$_0$ return_type with pattern$_1$ => term$_1$ $|$ … $|$ pattern$_n$ => term$_n$ end" にマッチする式は項 term$_0$ (帰納型 $I$ になることが期待されます) 上の パターンマッチング を表します。項 term$_1$…term$_n$ はパターンマッチ式の ブランチ です。pattern$_i$ はそれぞれ qualid ident という形式を持ち、ここで qualid はコンストラクタを表していなければなりません。全てのコンストラクタ $I$ についてちょうど1つのブランチが存在しなくてはなりません。

return_type はマッチ式全体によって返される型を表します。幾つかのケースがあります。非依存 ケースでは、全てのブランチは同じ型を持ち、return_type はブランチの共通の型です。このケースでは、return_type は通常ブランチの型から推論できるため省略されます 2。

依存ケースでは、3つのサブケースがあります。最初のサブケースでは、各ブランチ内の型はブランチ内で、マッチしたまさにその値に依存することができます。このケースでは、そのパターンマッチング全体それ自身がマッチされた項に依存します。このマッチされた項の返り型内の依存は、“as ident” という節によって表されます。ここで ident は返り型内での依存です。例えば、以下の例では:

Inductive bool : Type := true : bool | false : bool.: bool is defined bool_rect is defined bool_ind is defined bool_rec is defined
Inductive eq (A:Type) (x:A) : A -> Prop := eq_refl : eq A x x.: eq is defined eq_rect is defined eq_ind is defined eq_rec is defined
Inductive or (A:Prop) (B:Prop) : Prop := | or_introl : A -> or A B | or_intror : B -> or A B.: or is defined or_ind is defined
Definition bool_case (b:bool) : or (eq bool b true) (eq bool b false) := match b as x return or (eq bool x true) (eq bool x false) with | true => or_introl (eq bool true true) (eq bool true false) (eq_refl bool true) | false => or_intror (eq bool false true) (eq bool false false) (eq_refl bool false) end.: bool_case is defined

ブランチはそれぞれの型 "or (eq bool true true) (eq bool true false)" と "or (eq bool false true) (eq bool false false)" であり一方、パターンマッチング式全体は型 "or (eq bool b true) (eq bool b false)" を持ち、識別子 b は依存を示すために使用されます。

注釈

項がマッチしたのが変数の時、as 節は省略でき、かつそのマッチした項は返り型内で束縛名としてそれ自身を提供することが出来ます。例えば、以下の替わりの定義は受け付けられ、以前のそれと同じ意味を持ちます。

Definition bool_case (b:bool) : or (eq bool b true) (eq bool b false) := match b return or (eq bool b true) (eq bool b false) with | true => or_introl (eq bool true true) (eq bool true false) (eq_refl bool true) | false => or_intror (eq bool false true) (eq bool false false) (eq_refl bool false) end.: Toplevel input, characters 0-301: > Definition bool_case (b:bool) : or (eq bool b true) (eq bool b false) := match b return or (eq bool b true) (eq bool b false) with | true => or_introl (eq bool true true) (eq bool true false) (eq_refl bool true) | false => or_intror (eq bool false true) (eq bool false false) (eq_refl bool false) end. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: bool_case already exists.

二つ目のサブケースは等価性述語(節 Equality 参照)や、自然数上の順序述語や、与えられた長さのリストの型(節 Matching objects of dependent types 参照)のような注釈付き帰納型にのみ関係します。この場合、各ブランチの型はそのブランチに固有の型の依存関係に依存することが出来、パターンマッチング式全体はマッチした項の型内の特定の依存関係によって決まる型を持ちます。帰納型の注釈内の返り型のこの依存性は "in $I$ _ … _ pattern$_1$ … pattern$_n$” という節を使うことで表され、ここで

$I$ はマッチされた項の帰納型;
_ はその帰納型のマッチするパラメータ：返り型はそれらに依存しない。
pattern$_i$ はその帰納型の注釈にマッチする：返り型はそれに依存する。
以下で説明する基本的な場合には、各 pattern$_i$ は ident$_i$ という名称になる; 一般の場合については Patterns in in を参照。

例えば、以下の例では:

Definition eq_sym (A:Type) (x y:A) (H:eq A x y) : eq A y x := match H in eq _ _ z return eq A z x with | eq_refl _ => eq_refl A x end.: Toplevel input, characters 105-114: > Definition eq_sym (A:Type) (x y:A) (H:eq A x y) : eq A y x := match H in eq _ _ z return eq A z x with | eq_refl _ => eq_refl A x end. > ^^^^^^^^^ Error: The constructor eq_refl (in type eq) expects 2 arguments.

ブランチの型は eq A x x です。なぜなら eq_refl パターンの型の型内で eq の第3引数が x となるためです。それに対して、パターンマッチング式全体の型は eq A y x を持ち、なぜなら H の型の eq の第3引数は y なためです。eq の第3引数内の場合分けのこの依存性は返り型の識別子 z によって表されます。

最後に、第3のケースは最初と2番目のケースの組み合わせです。特に、注釈付きの型の中でのパターンマッチにのみ適用されます。この3番目のケースでは、as と in 節の両方が利用できます。

一つまたは二つの構築子を持つ型上の場合分けのためには特別な記法があります： if … then … else … と let (…,…) := … in … です。(節 Pattern-matching on boolean values: the if expression と Irrefutable patterns: the destructuring let variants 参照)。

再帰関数¶

式 “fix ident$_1$ binder$_1$ : type$_1$ := term$_1$ with … with ident$_n$ binder$_n$ : type$_n$ := term$_n$ for ident$_i$” は相互構造再帰により定義された関数のブロックのi番目のコンポーネントを表します。これはローカルの Fixpoint コマンドに対応します。$n=1$ のとき、“for ident$_i$” の節は省略されます。

式 “cofix ident$_1$ binder$_1$ : type$_1$ with … with ident$_n$ binder$_n$ : type$_n$ for ident$_i$” は相互ガード付き余再帰により定義された項のブロックのi番目のコンポーネントを表します。これはローカルの CoFixpoint コマンドに対応します。$n=1$ のとき、“for ident$_i$” の節は省略されます。

単一の fixpoint と局所定義の関連付けは特別な構文を持ちます：let fix ident binders := term in は let ident := fix ident binders := term in を表します。同等のものが co-fixpoint にも適用されます。

The Vernacular¶

sentence           ::=  assumption
                        | definition
                        | inductive
                        | fixpoint
                        | assertion proof
assumption         ::=  assumption_keyword assums.
assumption_keyword ::=  Axiom | Conjecture
                        | Parameter | Parameters
                        | Variable | Variables
                        | Hypothesis | Hypotheses
assums             ::=  ident … ident : term
                        | ( ident … ident : term ) … ( ident … ident : term )
definition         ::=  [Local] Definition ident [binders] [: term] := term .
                        | Let ident [binders] [: term] := term .
inductive          ::=  Inductive ind_body with … with ind_body .
                        | CoInductive ind_body with … with ind_body .
ind_body           ::=  ident [binders] : term :=
                        [[|] ident [binders] [:term] | … | ident [binders] [:term]]
fixpoint           ::=  Fixpoint fix_body with … with fix_body .
                        | CoFixpoint cofix_body with … with cofix_body .
assertion          ::=  assertion_keyword ident [binders] : term .
assertion_keyword  ::=  Theorem | Lemma
                        | Remark | Fact
                        | Corollary | Proposition
                        | Definition | Example
proof              ::=  Proof . … Qed .
                        | Proof . … Defined .
                        | Proof . … Admitted .

This grammar describes The Vernacular which is the language of commands of Gallina. A sentence of the vernacular language, like in many natural languages, begins with a capital letter and ends with a dot.

The different kinds of command are described hereafter. They all suppose that the terms occurring in the sentences are well-typed.

Assumptions¶

Assumptions extend the environment with axioms, parameters, hypotheses or variables. An assumption binds an ident to a type. It is accepted by Coq if and only if this type is a correct type in the environment preexisting the declaration and if ident was not previously defined in the same module. This type is considered to be the type (or specification, or statement) assumed by ident and we say that ident has type type.

Command Parameter ident : type¶

This command links type to the name ident as its specification in the global context. The fact asserted by type is thus assumed as a postulate.

Error ident already exists.¶

Variant Parameter ident+ : type: Adds several parameters with specification type.

Variant Parameter ( ident+ : type )+: Adds blocks of parameters with different specifications.

Variant Local Parameter ( ident+ : type )+¶: Such parameters are never made accessible through their unqualified name by Import and its variants. You have to explicitly give their fully qualified name to refer to them.

Variant Local? Parameters ( ident+ : type )+¶
Variant Local? Axiom ( ident+ : type )+¶
Variant Local? Axioms ( ident+ : type )+¶
Variant Local? Conjecture ( ident+ : type )+¶
Variant Local? Conjectures ( ident+ : type )+¶: These variants are synonyms of Local? Parameter ( ident+ : type )+.

Command Variable ident : type¶

This command links type to the name ident in the context of the current section (see Section セクション機構 for a description of the section mechanism). When the current section is closed, name ident will be unknown and every object using this variable will be explicitly parametrized (the variable is discharged). Using the Variable command out of any section is equivalent to using Local Parameter.

Error ident already exists.¶

Variant Variable ident+ : term: Links type to each ident.

Variant Variable ( ident+ : term )+: Adds blocks of variables with different specifications.

Variant Variables ( ident+ : term)+¶
Variant Hypothesis ( ident+ : term)+¶
Variant Hypotheses ( ident+ : term)+¶: These variants are synonyms of Variable ( ident+ : term)+.

注釈

It is advised to use the commands Axiom, Conjecture and Hypothesis (and their plural forms) for logical postulates (i.e. when the assertion type is of sort Prop), and to use the commands Parameter and Variable (and their plural forms) in other cases (corresponding to the declaration of an abstract mathematical entity).

Definitions¶

Definitions extend the environment with associations of names to terms. A definition can be seen as a way to give a meaning to a name or as a way to abbreviate a term. In any case, the name can later be replaced at any time by its definition.

The operation of unfolding a name into its definition is called $\delta$-conversion (see Section δ-reduction). A definition is accepted by the system if and only if the defined term is well-typed in the current context of the definition and if the name is not already used. The name defined by the definition is called a constant and the term it refers to is its body. A definition has a type which is the type of its body.

A formal presentation of constants and environments is given in Section Typing rules.

Command Definition ident := term¶

This command binds term to the name ident in the environment, provided that term is well-typed.

Error ident already exists.¶

Variant Definition ident : type := term

This variant checks that the type of term is definitionally equal to type, and registers ident as being of type type, and bound to value term.

Error The term term has type type while it is expected to have type type'.¶

Variant Definition ident binders : term? := term: This is equivalent to Definition ident : forall binders, term := fun binders => term.

Variant Local Definition ident binders? : type? := term¶: Such definitions are never made accessible through their unqualified name by Import and its variants. You have to explicitly give their fully qualified name to refer to them.

Variant Local? Example ident binders? : type? := term¶: This is equivalent to Definition.

参考

Opaque, Transparent, unfold.

Command Let ident := term¶

This command binds the value term to the name ident in the environment of the current section. The name ident disappears when the current section is eventually closed, and all persistent objects (such as theorems) defined within the section and depending on ident are prefixed by the let-in definition let ident := term in. Using the Let command out of any section is equivalent to using Local Definition.

Error ident already exists.¶

Variant Let ident binders? : type? := term

Variant Let Fixpoint ident fix_body with fix_body*¶

Variant Let CoFixpoint ident cofix_body with cofix_body*¶

参考

Section セクション機構, commands Opaque, Transparent, and tactic unfold.

Inductive definitions¶

We gradually explain simple inductive types, simple annotated inductive types, simple parametric inductive types, mutually inductive types. We explain also co-inductive types.

Simple inductive types¶

Command Inductive ident : sort? := |? ident : type | ident : type*¶

This command defines a simple inductive type and its constructors. The first ident is the name of the inductively defined type and sort is the universe where it lives. The next idents are the names of its constructors and type their respective types. Depending on the universe where the inductive type ident lives (e.g. its type sort), Coq provides a number of destructors. Destructors are named ident_ind, ident_rec or ident_rect which respectively correspond to elimination principles on Prop, Set and Type. The type of the destructors expresses structural induction/recursion principles over objects of type ident. The constant ident_ind is always provided, whereas ident_rec and ident_rect can be impossible to derive (for example, when ident is a proposition).

Error Non strictly positive occurrence of ident in type.¶: The types of the constructors have to satisfy a positivity condition (see Section Positivity Condition). This condition ensures the soundness of the inductive definition.

Error The conclusion of type is not valid; it must be built from ident.¶: The conclusion of the type of the constructors must be the inductive type ident being defined (or ident applied to arguments in the case of annotated inductive types — cf. next section).

Example

The set of natural numbers is defined as:

Inductive nat : Set := | O : nat | S : nat -> nat.: nat is defined nat_rect is defined nat_ind is defined nat_rec is defined

The type nat is defined as the least Set containing O and closed by the S constructor. The names nat, O and S are added to the environment.

Now let us have a look at the elimination principles. They are three of them: nat_ind, nat_rec and nat_rect. The type of nat_ind is:

Check nat_ind.: nat_ind : forall P : nat -> Prop, P O -> (forall n : nat, P n -> P (S n)) -> forall n : nat, P n

This is the well known structural induction principle over natural numbers, i.e. the second-order form of Peano’s induction principle. It allows proving some universal property of natural numbers (forall n:nat, P n) by induction on n.

The types of nat_rec and nat_rect are similar, except that they pertain to (P:nat->Set) and (P:nat->Type) respectively. They correspond to primitive induction principles (allowing dependent types) respectively over sorts Set and Type.

Variant Inductive ident : sort? := |? ident binders? : type?*|

Constructors idents can come with binders in which case, the actual type of the constructor is forall binders, type.

In the case where inductive types have no annotations (next section gives an example of such annotations), a constructor can be defined by only giving the type of its arguments.

Example

Inductive nat : Set := O | S (_:nat).: Toplevel input, characters 0-37: > Inductive nat : Set := O | S (_:nat). > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: nat already exists.

Simple annotated inductive types¶

In an annotated inductive types, the universe where the inductive type is defined is no longer a simple sort, but what is called an arity, which is a type whose conclusion is a sort.

Example

As an example of annotated inductive types, let us define the even predicate:

Inductive even : nat -> Prop := | even_0 : even O | even_SS : forall n:nat, even n -> even (S (S n)).: even is defined even_ind is defined

The type nat->Prop means that even is a unary predicate (inductively defined) over natural numbers. The type of its two constructors are the defining clauses of the predicate even. The type of even_ind is:

Check even_ind.: even_ind : forall P : nat -> Prop, P O -> (forall n : nat, even n -> P n -> P (S (S n))) -> forall n : nat, even n -> P n

From a mathematical point of view it asserts that the natural numbers satisfying the predicate even are exactly in the smallest set of naturals satisfying the clauses even_0 or even_SS. This is why, when we want to prove any predicate P over elements of even, it is enough to prove it for O and to prove that if any natural number n satisfies P its double successor (S (S n)) satisfies also P. This is indeed analogous to the structural induction principle we got for nat.

Parametrized inductive types¶

Variant Inductive ident binders : type? := |? ident : type | ident : type*

In the previous example, each constructor introduces a different instance of the predicate even. In some cases, all the constructors introduce the same generic instance of the inductive definition, in which case, instead of an annotation, we use a context of parameters which are binders shared by all the constructors of the definition.

Parameters differ from inductive type annotations in the fact that the conclusion of each type of constructor invoke the inductive type with the same values of parameters as its specification.

Example

A typical example is the definition of polymorphic lists:

Inductive list (A:Set) : Set := | nil : list A | cons : A -> list A -> list A.: list is defined list_rect is defined list_ind is defined list_rec is defined

In the type of nil and cons, we write (list A) and not just list. The constructors nil and cons will have respectively types:

Check nil.: nil : forall A : Set, list A
Check cons.: cons : forall A : Set, A -> list A -> list A

Types of destructors are also quantified with (A:Set).

Once again, it is possible to specify only the type of the arguments of the constructors, and to omit the type of the conclusion:

Inductive list (A:Set) : Set := nil | cons (_:A) (_:list A).: Toplevel input, characters 0-60: > Inductive list (A:Set) : Set := nil | cons (_:A) (_:list A). > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: list already exists.

注釈

It is possible in the type of a constructor, to invoke recursively the inductive definition on an argument which is not the parameter itself.

One can define :

Inductive list2 (A:Set) : Set := | nil2 : list2 A | cons2 : A -> list2 (A*A) -> list2 A.
list2 is defined list2_rect is defined list2_ind is defined list2_rec is defined

that can also be written by specifying only the type of the arguments:

Inductive list2 (A:Set) : Set := nil2 | cons2 (_:A) (_:list2 (A*A)).
list2 is defined list2_rect is defined list2_ind is defined list2_rec is defined

But the following definition will give an error:

Fail Inductive listw (A:Set) : Set := | nilw : listw (A*A) | consw : A -> listw (A*A) -> listw (A*A).
The command has indeed failed with message: Last occurrence of "listw" must have "A" as 1st argument in "listw (A * A)%type".

because the conclusion of the type of constructors should be listw A in both cases.
A parametrized inductive definition can be defined using annotations instead of parameters but it will sometimes give a different (bigger) sort for the inductive definition and will produce a less convenient rule for case elimination.

参考

Section Inductive Definitions and the induction tactic.

Variants¶

Command Variant ident binders : type? := |? ident : type | ident : type*¶

The Variant command is identical to the Inductive command, except that it disallows recursive definition of types (for instance, lists cannot be defined using Variant). No induction scheme is generated for this variant, unless option Nonrecursive Elimination Schemes is on.

Error The num th argument of ident must be ident in type.¶

Mutually defined inductive types¶

Variant Inductive ident : type? := |? ident : type*| with |? ident : type?*|*

This variant allows defining a block of mutually inductive types. It has the same semantics as the above Inductive definition for each ident. All ident are simultaneously added to the environment. Then well-typing of constructors can be checked. Each one of the ident can be used on its own.

Variant Inductive ident binders : type? := |? ident : type*| with |? ident binders : type?*|*: In this variant, the inductive definitions are parametrized with binders. However, parameters correspond to a local context in which the whole set of inductive declarations is done. For this reason, the parameters must be strictly the same for each inductive types.

Example

The typical example of a mutual inductive data type is the one for trees and forests. We assume given two types A and B as variables. It can be declared the following way.

Variables A B : Set.: Toplevel input, characters 0-20: > Variables A B : Set. > ^^^^^^^^^^^^^^^^^^^^ Warning: A is declared as a local axiom [local-declaration,scope] A is declared Toplevel input, characters 0-20: > Variables A B : Set. > ^^^^^^^^^^^^^^^^^^^^ Warning: B is declared as a local axiom [local-declaration,scope] B is declared
Inductive tree : Set := node : A -> forest -> tree with forest : Set := | leaf : B -> forest | cons : tree -> forest -> forest.: tree, forest are defined tree_rect is defined tree_ind is defined tree_rec is defined forest_rect is defined forest_ind is defined forest_rec is defined

This declaration generates automatically six induction principles. They are respectively called tree_rec, tree_ind, tree_rect, forest_rec, forest_ind, forest_rect. These ones are not the most general ones but are just the induction principles corresponding to each inductive part seen as a single inductive definition.

To illustrate this point on our example, we give the types of tree_rec and forest_rec.

Check tree_rec.: tree_rec : forall P : tree -> Set, (forall (a : A) (f : forest), P (node a f)) -> forall t : tree, P t
Check forest_rec.: forest_rec : forall P : forest -> Set, (forall b : B, P (leaf b)) -> (forall (t : tree) (f0 : forest), P f0 -> P (cons t f0)) -> forall f1 : forest, P f1

Assume we want to parametrize our mutual inductive definitions with the two type variables A and B, the declaration should be done the following way:

Inductive tree (A B:Set) : Set := node : A -> forest A B -> tree A B with forest (A B:Set) : Set := | leaf : B -> forest A B | cons : tree A B -> forest A B -> forest A B.: Toplevel input, characters 0-171: > Inductive tree (A B:Set) : Set := node : A -> forest A B -> tree A B with forest (A B:Set) : Set := | leaf : B -> forest A B | cons : tree A B -> forest A B -> forest A B. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Error: forest already exists.

Assume we define an inductive definition inside a section (cf. セクション機構). When the section is closed, the variables declared in the section and occurring free in the declaration are added as parameters to the inductive definition.

参考

A generic command Scheme is useful to build automatically various mutual induction principles.

Co-inductive types¶

The objects of an inductive type are well-founded with respect to the constructors of the type. In other words, such objects contain only a finite number of constructors. Co-inductive types arise from relaxing this condition, and admitting types whose objects contain an infinity of constructors. Infinite objects are introduced by a non-ending (but effective) process of construction, defined in terms of the constructors of the type.

Command CoInductive ident binders : type? := |? ident : type | ident : type*¶: This command introduces a co-inductive type. The syntax of the command is the same as the command Inductive. No principle of induction is derived from the definition of a co-inductive type, since such principles only make sense for inductive types. For co-inductive types, the only elimination principle is case analysis.

Example

An example of a co-inductive type is the type of infinite sequences of natural numbers, usually called streams.

CoInductive Stream : Set := Seq : nat -> Stream -> Stream.: Stream is defined

The usual destructors on streams hd:Stream->nat and tl:Str->Str can be defined as follows:

Definition hd (x:Stream) := let (a,s) := x in a.: hd is defined
Definition tl (x:Stream) := let (a,s) := x in s.: tl is defined

Definition of co-inductive predicates and blocks of mutually co-inductive definitions are also allowed.

Example

An example of a co-inductive predicate is the extensional equality on streams:

CoInductive EqSt : Stream -> Stream -> Prop := eqst : forall s1 s2:Stream, hd s1 = hd s2 -> EqSt (tl s1) (tl s2) -> EqSt s1 s2.: EqSt is defined

In order to prove the extensional equality of two streams s1 and s2 we have to construct an infinite proof of equality, that is, an infinite object of type (EqSt s1 s2). We will see how to introduce infinite objects in Section Definitions of recursive objects in co-inductive types.

Definition of recursive functions¶

Definition of functions by recursion over inductive objects¶

This section describes the primitive form of definition by recursion over inductive objects. See the Function command for more advanced constructions.

Command Fixpoint ident binders {struct ident}? : type? := term¶

This command allows defining functions by pattern matching over inductive objects using a fixed point construction. The meaning of this declaration is to define ident a recursive function with arguments specified by the binders such that ident applied to arguments corresponding to these binders has type type, and is equivalent to the expression term. The type of ident is consequently forall binders, type and its value is equivalent to fun binders => term.

To be accepted, a Fixpoint definition has to satisfy some syntactical constraints on a special argument called the decreasing argument. They are needed to ensure that the Fixpoint definition always terminates. The point of the {struct ident} annotation is to let the user tell the system which argument decreases along the recursive calls.

The {struct ident} annotation may be left implicit, in this case the system tries successively arguments from left to right until it finds one that satisfies the decreasing condition.

注釈

Some fixpoints may have several arguments that fit as decreasing arguments, and this choice influences the reduction of the fixpoint. Hence an explicit annotation must be used if the leftmost decreasing argument is not the desired one. Writing explicit annotations can also speed up type checking of large mutual fixpoints.
In order to keep the strong normalization property, the fixed point reduction will only be performed when the argument in position of the decreasing argument (which type should be in an inductive definition) starts with a constructor.

Example

One can define the addition function as :

Fixpoint add (n m:nat) {struct n} : nat := match n with | O => m | S p => S (add p m) end.: add is defined add is recursively defined (decreasing on 1st argument)

The match operator matches a value (here n) with the various constructors of its (inductive) type. The remaining arguments give the respective values to be returned, as functions of the parameters of the corresponding constructor. Thus here when n equals O we return m, and when n equals (S p) we return (S (add p m)).

The match operator is formally described in Section The match ... with ... end construction. The system recognizes that in the inductive call (add p m) the first argument actually decreases because it is a pattern variable coming from match n with.

Example

The following definition is not correct and generates an error message:

Fail Fixpoint wrongplus (n m:nat) {struct n} : nat := match m with | O => n | S p => S (wrongplus n p) end.: The command has indeed failed with message: Recursive definition of wrongplus is ill-formed. In environment wrongplus : nat -> nat -> nat n : nat m : nat p : nat Recursive call to wrongplus has principal argument equal to "n" instead of a subterm of "n". Recursive definition is: "fun n m : nat => match m with | 0 => n | S p => S (wrongplus n p) end".

because the declared decreasing argument n does not actually decrease in the recursive call. The function computing the addition over the second argument should rather be written:

Fixpoint plus (n m:nat) {struct m} : nat := match m with | O => n | S p => S (plus n p) end.: plus is defined plus is recursively defined (decreasing on 2nd argument)

Example

The recursive call may not only be on direct subterms of the recursive variable n but also on a deeper subterm and we can directly write the function mod2 which gives the remainder modulo 2 of a natural number.

Fixpoint mod2 (n:nat) : nat := match n with | O => O | S p => match p with | O => S O | S q => mod2 q end end.: mod2 is defined mod2 is recursively defined (decreasing on 1st argument)

Variant Fixpoint ident binders {struct ident}? : type? := term with ident binders : type? := term*

This variant allows defining simultaneously several mutual fixpoints. It is especially useful when defining functions over mutually defined inductive types.

Example

The size of trees and forests can be defined the following way:

Fixpoint tree_size (t:tree) : nat := match t with | node a f => S (forest_size f) end with forest_size (f:forest) : nat := match f with | leaf b => 1 | cons t f' => (tree_size t + forest_size f') end.: tree_size is defined forest_size is defined tree_size, forest_size are recursively defined (decreasing respectively on 1st, 1st arguments)

Definitions of recursive objects in co-inductive types¶

Command CoFixpoint ident binders? : type? := term¶

This command introduces a method for constructing an infinite object of a coinductive type. For example, the stream containing all natural numbers can be introduced applying the following method to the number O (see Section Co-inductive types for the definition of Stream, hd and tl):

CoFixpoint from (n:nat) : Stream := Seq n (from (S n)).: from is defined from is corecursively defined

Oppositely to recursive ones, there is no decreasing argument in a co-recursive definition. To be admissible, a method of construction must provide at least one extra constructor of the infinite object for each iteration. A syntactical guard condition is imposed on co-recursive definitions in order to ensure this: each recursive call in the definition must be protected by at least one constructor, and only by constructors. That is the case in the former definition, where the single recursive call of from is guarded by an application of Seq. On the contrary, the following recursive function does not satisfy the guard condition:

Fail CoFixpoint filter (p:nat -> bool) (s:Stream) : Stream := if p (hd s) then Seq (hd s) (filter p (tl s)) else filter p (tl s).: The command has indeed failed with message: Recursive definition of filter is ill-formed. In environment filter : (nat -> bool) -> Stream -> Stream p : nat -> bool s : Stream Unguarded recursive call in "filter p (tl s)". Recursive definition is: "fun (p : nat -> bool) (s : Stream) => if p (hd s) then Seq (hd s) (filter p (tl s)) else filter p (tl s)".

The elimination of co-recursive definition is done lazily, i.e. the definition is expanded only when it occurs at the head of an application which is the argument of a case analysis expression. In any other context, it is considered as a canonical expression which is completely evaluated. We can test this using the command Eval, which computes the normal forms of a term:

Eval compute in (from 0).: = (cofix from (n : nat) : Stream := Seq n (from (S n))) 0 : Stream
Eval compute in (hd (from 0)).: = 0 : nat
Eval compute in (tl (from 0)).: = (cofix from (n : nat) : Stream := Seq n (from (S n))) 1 : Stream

Variant CoFixpoint ident binders? : type? := term with ident binders? : type? := term*: As in the Fixpoint command, it is possible to introduce a block of mutually dependent methods.

Assertions and proofs¶

An assertion states a proposition (or a type) of which the proof (or an inhabitant of the type) is interactively built using tactics. The interactive proof mode is described in Chapter Proof handling and the tactics in Chapter Tactics. The basic assertion command is:

Command Theorem ident binders? : type¶

After the statement is asserted, Coq needs a proof. Once a proof of type under the assumptions represented by binders is given and validated, the proof is generalized into a proof of forall binders, type and the theorem is bound to the name ident in the environment.

Error The term term has type type which should be Set, Prop or Type.¶

Error ident already exists.¶: The name you provided is already defined. You have then to choose another name.

Variant Lemma ident binders? : type¶
Variant Remark ident binders? : type¶
Variant Fact ident binders? : type¶
Variant Corollary ident binders? : type¶
Variant Proposition ident binders? : type¶: These commands are all synonyms of Theorem ident binders? : type.

Variant Theorem ident binders? : type with ident binders? : type*

This command is useful for theorems that are proved by simultaneous induction over a mutually inductive assumption, or that assert mutually dependent statements in some mutual co-inductive type. It is equivalent to Fixpoint or CoFixpoint but using tactics to build the proof of the statements (or the body of the specification, depending on the point of view). The inductive or co-inductive types on which the induction or coinduction has to be done is assumed to be non ambiguous and is guessed by the system.

Like in a Fixpoint or CoFixpoint definition, the induction hypotheses have to be used on structurally smaller arguments (for a Fixpoint) or be guarded by a constructor (for a CoFixpoint). The verification that recursive proof arguments are correct is done only at the time of registering the lemma in the environment. To know if the use of induction hypotheses is correct at some time of the interactive development of a proof, use the command Guarded.

The command can be used also with Lemma, Remark, etc. instead of Theorem.

Variant Definition ident binders? : type

This allows defining a term of type type using the proof editing mode. It behaves as Theorem but is intended to be used in conjunction with Defined in order to define a constant of which the computational behavior is relevant.

The command can be used also with Example instead of Definition.

参考

Opaque, Transparent, unfold.

Variant Let ident binders? : type: Like Definition ident binders? : type except that the definition is turned into a let-in definition generalized over the declarations depending on it after closing the current section.

Variant Fixpoint ident binders : type with ident binders : type*: This generalizes the syntax of Fixpoint so that one or more bodies can be defined interactively using the proof editing mode (when a body is omitted, its type is mandatory in the syntax). When the block of proofs is completed, it is intended to be ended by Defined.

Variant CoFixpoint ident binders? : type with ident binders? : type*: This generalizes the syntax of CoFixpoint so that one or more bodies can be defined interactively using the proof editing mode.

A proof starts by the keyword Proof. Then Coq enters the proof editing mode until the proof is completed. The proof editing mode essentially contains tactics that are described in chapter Tactics. Besides tactics, there are commands to manage the proof editing mode. They are described in Chapter Proof handling.

When the proof is completed it should be validated and put in the environment using the keyword Qed.

注釈

Several statements can be simultaneously asserted.
Not only other assertions but any vernacular command can be given while in the process of proving a given assertion. In this case, the command is understood as if it would have been given before the statements still to be proved. Nonetheless, this practice is discouraged and may stop working in future versions.
Proofs ended by Qed are declared opaque. Their content cannot be unfolded (see Performing computations), thus realizing some form of proof-irrelevance. To be able to unfold a proof, the proof should be ended by Defined.
Proof is recommended but can currently be omitted. On the opposite side, Qed (or Defined) is mandatory to validate a proof.
One can also use Admitted in place of Qed to turn the current asserted statement into an axiom and exit the proof editing mode.

1: This is similar to the expression “entry $\{$ sep entry $\}$” in standard BNF, or “entry $($ sep entry $)$*” in the syntax of regular expressions.
2: Except if the inductive type is empty in which case there is no equation that can be used to infer the return type.

仕様記述言語 Gallina¶

マニュアル中の文法について¶

字句規則¶

Terms¶

項の構文¶

型¶

量化識別子と単純識別子¶

数字¶

Sorts¶

束縛子¶

抽象¶

積¶

適用¶

型キャスト¶

推論可能 部分項¶

Let-in 定義¶

場合分けによる定義¶

再帰関数¶

The Vernacular¶

Assumptions¶

Definitions¶

Inductive definitions¶

Simple inductive types¶

Simple annotated inductive types¶

Parametrized inductive types¶

Variants¶

Mutually defined inductive types¶

Co-inductive types¶

Definition of recursive functions¶

Definition of functions by recursion over inductive objects¶

Definitions of recursive objects in co-inductive types¶

Assertions and proofs¶

推論可能部分項¶