Tricks in Coq
Some tips, tricks, and features in Coq that are hard to discover.
If you have a trick you've found useful feel free to submit an issue or pull request!
Ltac
- The
patterntactic generalizes an expression over a variable. For example,pattern ytransforms a goal ofP x y zinto(fun y => P x y z) y. An especially useful way to use this is to pattern match oneval pattern y in constr:(P x y z)to extract just the function. lazymatchis likematchbut without backtracking on failures inside the match action. If you're not using failures for backtracking (this is often the case), thenlazymatchgets better error messages because an error inside the action becomes the overall error message rather than the uninformative "no match" error message. (The semantics ofmatchmean Coq can't do obviously do better - it can't distinguish between a bug in the action and intentionally using the failure to prevent pattern matching.)deex(see Deex.v) is a useful tactic for extracting the witness from anexistshypothesis while preserving the name of the witness and hypothesis.Ltac t ::= foo.re-defines the tacticttofoo. This changes the binding, so tactics that refer totwill use the new definition. You can use this for a form of extensibility: writeLtac hook := failand then usein your tactic. Now the user can insert an extra case in your tactic's core loop by overridingrepeat match goal with | (* initial cases *) | _ => hook | (* other cases *) endhook.learnapproach - see Learn.v for a self-contained example or Clément's thesis for more detailsunshelvetactical, especially useful with an eapply - good example use case is constructing an object by refinement where the obligations end up being your proofs with the values as evars, when you wanted to construct the values by proofunfold "+"worksdestruct matchestactic; see coq-tactical's SimplMatch.v- using
instantiateto modify evar environment (thanks to Jonathan Leivent on coq-club) eexists ?[x]lets one name an existential variable to be able to refer to it later- strong induction is in the standard library:
Require Import Arith.and useinduction n as [n IHn] using lt_wf_ind. - induction on the length of a list:
Require Import Coq.Arith.Wf_nat.andinduction xs as [xs IHxs] using (induction_ltof1 _ (@length _)); unfold ltof in IHxs. debug auto,debug eauto, anddebug trivialgive traces, including failed invocations.info_auto,info_eauto, andinfo_trivialare less verbose ways to debug which only report what the resulting proof includesconstructorandeconstructorbacktrack over the constructors over an inductive, which lets you do fun things exploring the constructors of an inductive type. See Constructors.v for some demonstrations.- There's a way to destruct and maintain an equality:
destruct_with_eqn x. You can also dodestruct x eqn:Hto explicitly name the equality hypothesis. This is similar tocase_eq x; intros; I'm not sure what the practical differences are. rew H in tnotation to useeq_rectfor a (safe) "type cast". Need to importEqNotations- see RewNotation.v for a working example.intro-patterns can be combined in a non-trivial way:intros [=->%lemma]-- see IntroPatterns.v.changetactic supports patterns (?var): e.g.repeat change (fun x => ?f x) with fwould eta-reduce all the functions (of arbitrary arity) in the goal.- One way to implement a tactic that sleeps for n seconds is in Sleep.v.
- Some tactics take an "occurrence clause" to select where they apply. The common ones are
in *andin Hto apply everywhere and in a specific hypotheses, but there are actually a bunch of forms, for example:in H1, H2(justH1andH2)in H1, H2 |- *(H1,H2, and the goal)in * |-(just hypotheses)in |-(nowhere)in |- *(just the goal, same as leaving the whole thing off)in * |- *(everywhere, same asin *) These forms would be especially useful if occurrence clauses were first-class objects; that is, if tactics could take and pass occurrence clauses. Currently user-defined tactics support occurrence clauses via a set of tactic notations.
- You can use notations to shorten repetitive Ltac patterns (much like Haskell's PatternSynonyms). Define a notation with holes (underscores) and use it in an Ltac match, eg
Notation anyplus := (_ + _).and thenI would recommend usingmatch goal with | |- context[anyplus] => idtac endLocal Notationso the notation isn't available outside the current file. - You can make all constructors of an inductive hints with
Hint Constructors; you can also do this locally in a proof witheauto using twheretis the name of the inductive. - The
intuitiontactic has some unexpected behaviors. It takes a tactic to run on each goal, which isauto with *by default, using hints from all hint databases.intuition idtacorintuition eautoare both much safer. When using these, note thatintuition eauto; simplis parsed asintuition (eauto; simpl), which is unlikely to be what you want; you'll need to instead write(intuition eauto); simpl. - The
Coq.Program.Tacticslibrary has a number of useful tactics and tactic helpers. Some gems that I like:add_hypothesisis likepose proofbut fails if the fact is already in the context (a lightweight version of thelearnapproach);destruct_one_eximplements the tricky code to eliminate anexistswhile retaining names (it's a better version of ourdeex);on_applicationmatches any application offby simply handling a large number of arities. - You can structure your proofs using bullets. You should use them in the order
-,+,*so that Proof General indents them correctly. If you need more bullets you can keep going with--,++,**(although you should rarely need more then three levels of bullets in one proof). - You can use the
settactic to create shorthand names for expressions. These are speciallet-bound variables and show up in the hypotheses asv := def. To "unfold" these definitions you can dosubst v(note the explicit name is required,substwill not do this by default). This is a good way to make large goals readable, perhaps while figuring out what lemma to extract. It can also be useful if you need to refer these expressions. - When you write a function in proof mode (useful when dependent types are involved), you probably want to end the proof with
Definedinstead ofQed. The difference is thatQedmakes the proof term opaque and prevents reduction, whileDefinedwill simplify correctly. If you mix computational parts and proof parts (eg, functions which produce sigma types) then you may want to separate the proof into a lemma so that it doesn't get unfolded into a large proof term. - To make an evar an explicit goal, you can use this trick:
unshelve (instantiate (1:=_)). The way this work is to instantiate the evar with a fresh evar (created due to the_) and then unshelve that evar, making it an explicit goal. See UnshelveInstantiate.v for a working example. - The
enoughtactic behaves likeassertbut puts the goal for the stated fact after the current goal rather than before. - You can use
context E [x]to bind a context variable, and thenlet e := eval context E [y] in ...to substitute back into the context. See Context.v for an example. - If you have a second-order match (using
@?z x, which bindzto a function) and you want to apply the function, there's a trick involving a seemingly useless match. See LtacGallinaApplication.v for an example. auto with foo nocorewith the pseudo-databasenocoredisables the defaultcorehint databases and only uses hints fromfoo(and the context).- If you need to apply a theorem to a hypothesis and then immediately destruct the result, there's a concise way to do it without repetition:
apply thm in H as [x H], for example, might be used thenthmproduces an existential for a variable namedx. - If you have a hypothesis
H: a = band needf a = f b, you can useapply (f_equal f) in H. (Strictly speaking this is just using thef_equaltheorem in the standard library, but it's also very much like the inverse direction for thef_equaltactic.) - If you want to both run Ltac and return a
constr, you can do so by wrapping the side effect inlet _ := match goal with _ => side_effect_tactic end in .... See https://stackoverflow.com/questions/45949064/check-for-evars-in-a-tactic-that-returns-a-value/46178884#46178884 for Jason Gross's much more thorough explanation. - If you want
liato help with non-linear arithmetic involving division or modulo (or the similarquotandrem), you can do that for simple cases withLtac Zify.zify_post_hook ::= Z.div_mod_to_equations.See DivMod.v for an example and the micromega documentation the full details. - Coq's
admitwill force you to useAdmitted. If you want to use Qed, you can instead useAxiom falso : False. Ltac admit := destruct falso.This can be useful for debugging Qed errors (say, due to universes) or slow Qeds.
Gallina
-
tactics in terms, eg
ltac:(eauto)can provide a proof argument -
maximally inserted implicit arguments are implicit even when for identifier alone (eg,
nilis defined to include the implicit list element type) -
maximally inserted arguments can be defined differently for different numbers of arguments - undocumented but
eq_reflprovides an example -
r.(Field)syntax: same asField r, but convenient whenFieldis a projection function for the (record) type ofr. If you use these, you might also wantSet Printing Projectionsso Coq re-prints calls to projections with the same syntax. -
Functionvernacular provides a more advanced way to define recursive functions, which removes the restriction of having a structurally decreasing argument; you just need to specify a well-founded relation or a decreasing measure maps to a nat, then prove all necessary obligations to show this function can terminate. See manual and examples inFunction.vfor more details.Two alternatives are considerable as drop-in replacements for
Function.Program Fixpointmay be useful when defining a nested recursive function. See manual and this StackOverflow post.- CPDT's way of defining general recursive functions with
Fixcombinator.
-
One can pattern-match on tuples under lambdas:
Definition fst {A B} : (A * B) -> A := fun '(x,_) => x. -
Records fields can be defined with
:>, which make that field accessor a coercion. There are three ways to use this (since there are three types of coercion classes). See Coercions.v for some concrete examples.- If the field is an ordinary type, the record can be used as that type (the field will implicitly be accessed). One good use case for this is whenever a record includes another record; this coercion will make the field accessors of the sub-record work for the outer record as well. (This is vaguely similar to Go embedded structs)
- If the field has a function type, the record can be called.
- If the field is a sort (eg,
Type), then the record can be used as a type.
-
When a Class field (as opposed to a record) is defined with
:>, it becomes a hint for typeclass resolution. This is useful when a class includes a "super-class" requirement as a field. For example,Equivalencehas fields for reflexivity, symmetry, and transitivity. The reflexivity field can be used to generically take anEquivalenceinstance and get a reflexivity instance for free. -
The type classes in RelationClasses are useful but can be repetitive to prove. RelationInstances.v goes through a few ways of making these more convenient, and why you would want to do so (basically you can make
reflexivity,transitivity, andsymmetrymore powerful). -
The types of inductives can be definitions, as long as they expand to an "arity" (a function type ending in
Prop,Set, orType). See ArityDefinition.v. -
"Views" are a programming pattern that can be used to perform a case analysis only on "relevant" parts of a datatype given the context of the case analysis. See Views.v.
-
Record fields that are functions can be written in definition-style syntax with the parameters bound after the record name, eg
{| func x y := x + y; |}(see RecordFunction.v for a complete example). -
If you have a coercion
get_function : MyRecord >-> Funclassyou can useAdd Printing Coercion get_functionand then add a notation forget_functionso your coercion can be parsed as function application but printed using some other syntax (and maybe you want that syntax to beprinting only). -
You can pass implicit arguments explicitly in a keyword-argument-like style, eg
nil (A:=nat). UseAboutto figure out argument names. -
If you do nasty dependent pattern matches or use
inversionon a goal and it produces equalities ofexistT's, you may benefit from small inversions, described in this blog post. While the small inversion tactic is still not available anywhere I can find, some support is built in to Coq's match return type inference; see SmallInversions.v for examples of how to use that. -
You can use tactics-in-terms with notations to write function-like definitions that are written in Ltac. For example, you can use this facility to write macros that inspect and transform Gallina terms, producing theorem statements and optionally their proofs automatically. A simple example is given in DefEquality.v of writing a function that produces an equality for unfolding a definition.
-
Notations can be dangerous since they by default have global scope and are imported by
Import, with no way to selectively import. A pattern I now use by default to make notations controllable is to define every notation in a module with a scope; see NotationModule.v.This pattern has several advantages:
- notations are only loaded as needed, preventing conflicts when not using the notations
- the notations can be brought into scope everywhere as needed with
ImportandLocal Open Scope, restoring the convenience of a global notation - if notations conflict, some of them can always be scoped appropriately
-
Coq has a module system, modeled after ML (eg, the one used in OCaml). You can see some simple examples of using it in Modules.v. In user code, I've found modules to be more trouble than their worth 90% of the time - the biggest issue is that once something is in a module type, the only way to extend it is with a new module that wraps an existing module, and the only way to use the extension is to instantiate it. At the same time, you can mostly simulate module types with records.
-
Coq type class resolution is extremely flexible. There's a hint database called
typeclass_instancesand typeclass resolution is essentiallyeauto with typeclass_instances. Normally you add to this database with commands likeInstance, but you can add whatever you want to it, includingHint Externs. See coq-record-update for a practical example. -
Classes are a bit special compared to any other type. First of all, in
(_ : T x1 x2)Coq will only trigger type class resolution to fill the hole whenTis a class. Second, classes get special implicit generalization behavior; specifically, you can write{T}and Coq will automatically generalize the arguments to T, which you don't even have to write down. See the manual on implicit generalization for more details. Note that you don't have to useClassat declaration time to make something a class; you can do it after the fact withExisting Class T.
Other Coq commands
-
Searchvernacular variants; see Search.v for examples. -
Search s -Learntfor a search of local hypotheses excluding Learnt -
Locatecan search for notation, including partial searches. -
Optimize Heap(undocumented) runs GC (specificallyGc.compact) -
Optimize Proof(undocumented) runs several simplifications on the current proof term (seeProofview.compact) -
(in Coq 8.12 and earlier)
Generalizable Variable Aenables implicit generalization;Definition id `(x:A) := xwill implicitly add a parameterAbeforex.Generalizable All Variablesenables implicit generalization for any identifier. Note that this surprisingly allows generalization without a backtick in Instances. Issue #6030 generously requests this behavior be documented, but it should probably require enabling some option. This has been fixed in Coq 8.13; the old behavior requiresSet Instance Generalized Output. In Coq 8.14 the option has been removed. -
Checksupports partial terms, printing a type along with a context of evars. A cool example isCheck (id _ _), where the first underscore must be a function (along with other constraints on the types involved). -
The above also works with named existentials. For example,
Check ?[x] + ?[y]works. -
Unset Intuition Negation Unfoldingwill causeintuitionto stop unfoldingnot. -
Definitions can be normalized (simplified/computed) easily with
Definition bar := Eval compute in foo. -
Set Uniform Inductive Parameters(in Coq v8.9+beta onwards) allows you to omit the uniform parameters to an inductive in the constructors. -
LemmaandTheoremare synonymous, except thatcoqdocwill not show lemmas. Also synonymous:Corollary,Remark, andFact.Definitionis nearly synonymous, except thatTheorem x := defis not supported (you need to useDefinition). -
Sections are a powerful way to write a collection of definitions and lemmas that all take the same generic arguments. Here are some tricks for working with sections, which are illustrated in Sections.v:
- Use
Context, which is strictly more powerful thanVariable- you can declare multiple dependent parameters and get type inference, and can write{A}to make sure a parameter is implicit and maximally inserted. - Tactics and hints are cleared at the end of a section. This is often annoying but you can take advantage of it by writing one-off tactics like
tthat are specific to the automation of a file, and callers don't see it. Similarly with adding hints tocorewith abandon. - Use notations and implicit types. Say you have a section that defines lists, and you want another file with a bunch of list theorems. You can start with
Context (A:Type). Notation list := (List.list A). Implicit Types (l:list).and then in the whole section you basically never need to write type annotations. The notation and implicit type disappears at the end of the section so no worries about leaking it. Furthermore, don't writeTheorem foo : forall l,but instead writeTheorem foo l :; you can often also avoid usingintroswith this trick (though be careful about doing induction and ending up with a weak induction hypothesis). - If you write a general-purpose tactic
tthat solves most goals in a section, it gets annoying to writeProof. t. Qed.every time. Instead, defineNotation magic := ltac:(t) (only parsing).and writeDefinition foo l : l = l ++ [] := magic.. You do unfortunately have to writeDefinition;LemmaandTheoremdo not support:=definitions. You don't have to call itmagicbut of course it's more fun that way. Note that this isn't the best plan because you end up with transparent proofs, which isn't great; ideally Coq would just supportTheorem foo :=syntax for opaque proofs.
- Use
-
Haskell has an operator
f $ x, which is the same asf xexcept that its parsed differently:f $ 1 + 1meansf (1 + 1), avoiding parentheses. You can simulate this in Coq with a notation:Notation "f $ x" := (f x) (at level 60, right associativity, only parsing).(from jwiegley/coq-haskell). -
A useful convention for notations is to have them start with a word and an exclamation mark. This is borrowed from @andres-erbsen, who borrowed it from the Rust macro syntax. An example of using this convention is in Macros.v. There are three big advantages to this approach: first, using it consistently alerts readers that a macro is being used, and second, using names makes it much easier to create many macros compared to inventing ASCII syntax, and third, starting every macro with a keyword makes them much easier to get parsing correctly.
-
To declare an axiomatic instance of a typeclass, use
Declare Instance foo : TypeClass. This better than the pattern ofAxiom+Existing Instance. -
To make Ltac scripts more readable, you can use
Set Default Goal Selector "!"., which will enforce that every Ltac command (sentence) be applied to exactly one focused goal. You achieve that by using a combination of bullets and braces. As a result, when reading a script you can always see the flow of where multiple goals are generated and solved. -
Arguments foo _ & _(in Coq 8.11) adds a bidirectionality hint saying that an application offooshould infer a type from its arguments after typing the first argument. See Bidirectional.v for an example and the latest Coq documentation. -
Coq 8.11 introduced compiled interfaces, aka
vosfiles (as far as I can tell there are a more principled replacement forviofiles). Suppose you make a change deep down toLib.vand want to start working onProof.vwhich importsLib.vthrough many dependencies. Withvosfiles, you can recompile all the signatures thatProof.vdepends on, skippinng proofs, and keep working. The basic way to use them is to compileProof.required_vos, a special dependencycoqdepgenerates that will build everything needed to work onProof.v. Coq natively looks forvosfiles in interactive mode, and uses emptyvosfiles to indicate that the file is fully compiled in avofile.Note that Coq also has
vokfiles; it's possible to check the missing proofs in avosfile, but this does not produce avoand so all Coq can do is record that the proofs have been checked. They can also be compiled in parallel within a single file, although I don't know how to do that. Compilingvoks lets you fairly confidently check proofs, but to really check everything (particularly universe constraints) you need to buildvofiles from scratch.Signature files have one big caveat: if Coq cannot determine the type of a theorem or the proof ends with
Defined(and thus might be relevant to later type-checking), it has to run the proof. It does so silently, potentially eliminating any performance benefit. The main reason this happens is due to proofs in a section that don't annotate which section variables are used withProof using. Generally this can be fixed withSet Default Proof Using "Type", though only on Coq master and not on Coq 8.11.0. -
Coq 8.12+alpha has a new feature
Set Printing Parenthesesthat prints parentheses as if no notations had an associativity. For example, this will print(1,2,3)as((1,2),3). This is much more readable than entirely disabling notations. -
You can use
Export Setto set options in a way that affects any file directly importing the file (but not transitively importing, the wayGlobal Setworks). This allows a project to locally set up defaults with anoptions.vfile with all of its options, which every file imports. You can use this for basic sanity settings, likeSet Default Proof Using "Type".andSet Default Goal Selector "!"without forcing them on all projects that import your project. -
You can use
all: fail "goals remaining".to assert that a proof is complete. This is useful when you'll useAdmitted.but want to document (and check in CI) that the proof is complete other than theadmit.tactics used. -
You can also use
Fail idtac.to assert that a proof is complete, which is shorter than the above but more arcane. -
You can use
Fail Fail Qed.to really assert that a proof is complete, including doing universe checks, but then still be able toRestartit. I think this is only useful for illustrating small examples but it's amusing that it works. (The newSucceedvernacular in Coq 8.15 is a better replacement, because it preserves error messages on failure.) -
Hints can now be set to global, export, or local. Global (the current default) means the hint applies to any module that transitivity imports this one; export makes the hint visible only if the caller imports this module directly. The behavior will eventually change for hints at the top-level so that they become export instead of global (see coq/coq#13384), so this might be worth understanding now. HintLocality.v walks through what the three levels do.
Using Coq
- You can pass
-noinittocoqcorcoqtopto avoid loading the standard library. - Ltac is provided as a plugin loaded by the standard library; to load it you need
Declare ML Module "ltac_plugin".(see NoInit.v). - Numeral notations are only provided by the prelude, even if you issue
Require Import Coq.Init.Datatypes. - If you use Coq master, the latest Coq reference manual is built and deployed to https://coq.github.io/doc/master/refman/index.html automatically.