Proof about a function that uses rewrite: a "vertical bars in goals" question

2
votes

I have a function that uses rewrite to satisfy the Agda type checker. I thought that I had a reasonably good grasp of how to deal with the resulting "vertical bars" in proofs about such functions. And yet, I fail completely at dealing with these bars in my seemingly simple case.

Here are the imports and my function, step. The rewrites make Agda see that n is equal to n + 0 and that suc (acc + n) is equal to acc + suc n, respectively.

module Repro where

open import Relation.Binary.PropositionalEquality as P using (_≡_)

open import Data.Nat
open import Data.Nat.DivMod
open import Data.Nat.DivMod.Core
open import Data.Nat.Properties

open import Agda.Builtin.Nat using () renaming (mod-helper to modₕ)

step : (acc d n : ℕ) → modₕ acc (acc + n) d n ≤ acc + n
step zero d n rewrite P.sym (+-identityʳ n) = a[modₕ]n<n n (suc d) 0
step (suc acc) d n rewrite P.sym (+-suc acc n) = a[modₕ]n<n acc (suc d) (suc n)

Now for the proof, which pattern matches on acc, just like the function. Here's the zero case:

step-ok : ∀ (acc d n : ℕ) → step acc d n ≡ a[modₕ]n<n acc d n

step-ok zero d n with n        | P.sym (+-identityʳ n)
step-ok zero d n    | .(n + 0) | P.refl = ?

At this point, Agda tells me I'm not sure if there should be a case for the constructor P.refl, because I get stuck when trying to solve the following unification problems (inferred index ≟ expected index): w ≟ w + 0 [...]

I am also stuck in the second case, the suc acc case, albeit in a different way:

step-ok (suc acc) d n with suc (acc + n)  | P.sym (+-suc acc n)
step-ok (suc acc) d n    | .(acc + suc n) | P.refl = ?

Here, Agda says suc (acc + n) != w of type ℕ when checking that the type [...] of the generated with function is well-formed

Update after Sassa NF's response

I followed Sassa NF's advice and reformulated my function with P.subst instead of rewrite. I.e., I changed my right-hand side from being about n + 0 to being about n, instead of conversely changing the goal from being about n to being about n + 0:

step′ : (acc d n : ℕ) → modₕ acc (acc + n) d n ≤ acc + n
step′ zero d n = P.subst (λ # → modₕ 0 # d # ≤ #) (+-identityʳ n) (a[modₕ]n<n n (suc d) 0)
step′ (suc acc) d n = P.subst (λ # → modₕ (suc acc) # d n ≤ #) (+-suc acc n) (a[modₕ]n<n acc (suc d) (suc n))

During the proof, the P.subst in the function definition needs to be eliminated, which can be done with a with construct:

step-ok′ : ∀ (acc d n : ℕ) → step′ acc d n ≡ a[modₕ]n<n acc d n

step-ok′ zero d n with n + 0 | +-identityʳ n
...                  | .n    | P.refl = P.refl

step-ok′ (suc acc) d n with acc + suc n      | +-suc acc n
...                       | .(suc (acc + n)) | P.refl = P.refl

So, yay! I just finished my very first Agda proof involving a with.

Some progress on the original problem

My guess would be that my first issue is a unification issue during dependent pattern matching: there isn't any substitution that makes n identical to n + 0. More generally, in situations where one thing is a strict subterm of the other thing, I suppose that we may run into unification trouble. So, maybe using with to match n with n + 0 was asking for problems.

My second issue seems to be what the Agda language reference calls an ill-typed with-abstraction. According to the reference, this "happens when you abstract over a term that appears in the type of a subterm of the goal or argument types." The culprit seems to be the type of the goal's subterm a[modₕ]n<n (suc acc) d n, which is modₕ [...] ≤ (suc acc) + n, which contains the subterm I abstract over, (suc acc) + n.

It looks like this is usually resolved by additionally abstracting over the part of the goal that has the offending type. And, indeed, the following makes the error message go away:

step-ok (suc acc) d n with suc (acc + n)  | P.sym (+-suc acc n) | a[modₕ]n<n (suc acc) d n
...                      | .(acc + suc n) | P.refl              | rhs                      = {!!}

So far so good. Let's now introduce P.inspect to capture the rhs substitution:

step-ok (suc acc) d n with suc (acc + n)  | P.sym (+-suc acc n) | a[modₕ]n<n (suc acc) d n | P.inspect (a[modₕ]n<n (suc acc) d) n
...                      | .(acc + suc n) | P.refl              | rhs                      | P.[ rhs-eq ]                         = {!!}

Unfortunately, this leads to something like the original error: w != suc (acc + n) of type ℕ when checking that the type [...] of the generated with function is well-formed

One day later

Of course I'd run into the same ill-typed with-abstraction again! After all, the whole point of P.inspect is to preserve a[modₕ]n<n (suc acc) d n, so that it can construct the term a[modₕ]n<n (suc acc) d n ≡ rhs. However, preserved a[modₕ]n<n (suc acc) d n of course still has its preserved original type, modₕ [...] ≤ (suc acc) + n, whereas rhs has the modified type modₕ [...] ≤ acc + suc n. That's what's causing trouble now.

I guess one solution would be to use P.subst to change the type of the term we inspect. And, indeed, the following works, even though it is hilariously convoluted:

step-ok (suc acc) d n with suc (acc + n)  | P.sym (+-suc acc n) | a[modₕ]n<n (suc acc) d n | P.inspect (λ n → P.subst (λ # → modₕ (suc acc) # d n ≤ #) (P.sym (+-suc acc n)) (a[modₕ]n<n (suc acc) d n)) n
...                      | .(acc + suc n) | P.refl              | rhs                      | P.[ rhs-eq ]                                                                                                  rewrite +-suc acc n = rhs-eq

So, yay again! I managed to fix my original second issue - basically by using P.subst in the proof instead of in the function definition. It seems, though, that using P.subst in the function definition as per Sassa NF's guidance is preferable, as it leads to much more concise code.

The unification issue is still a little mysterious to me, but on the positive side, I unexpectedly learned about the benefits of irrelevance on top of everything.

I'm accepting Sassa NF's response, as it put me on the right track towards a solution.

1
agda
This doesn't answer your question, but may help with your original problem: <= should be a proposition, meaning for all n, m and p q : n <= m, p = q. step-ok then follows directly.Jannis Limperg
Ooooh... clever! I found out about proof-irrelevance a few days ago, but I completely missed just how useful it is. So, thank you very much for sharing this. I'm definitely going to revisit irrelevance now, because suddenly I see this pattern all over my proofs, where it would help to use the fact that a p at hand is not just a proof, but the proof of something. The standard library doesn't put <= into Prop, though, does it? It seems to be in Set. So, Agda wouldn't know that <= is a proposition, no? Again, thanks for sharing this. I am intrigued to look into this more.123omnomnom
The word "proposition" is a bit overloaded these days. What I call a proposition is any type P such that ∀ (p q : P), p ≡ q. If P : Prop, this is true definitionally. But for some P : Set, you can still prove this as a lemma. The standard library already has it: Data.Nat.Properties.≤-irrelevant.Jannis Limperg
Aaaaaah! I see! How nice! I just tried it out in a proof by induction and used it to rewrite a side condition in the inductive step to make it match the induction hypothesis. Works like a charm! Quite the gem! Thanks again for that!123omnomnom

1 Answers

1
votes

Your use of P.refl indicates some misunderstanding about the role of _≡_.

There is no magic in that type. It is just a dependent type with a single constructor. Proving that some x ≡ y resolves to P.refl does not tell Agda anything new about x and y: it only tells Agda that you managed to produce a witness of the type _≡_. This is the reason it cannot tell n and .(n + 0) are the same thing, or that suc (acc + n) is the same as .(acc + suc n). So both of the errors you see are really the same.

Now, what rewrite is for.

You cannot define C x ≡ C y for dependent type C _. C x and C y are different types. Equality is defined only for elements of the same type, so there is no way to even express the idea that an element of type C x is comparable to an element of type C y.

There is, however, an axiom of induction, which allows to produce elements of type C y, if you have an element of type C x and an element of type x ≡ y. Note there is no magic in the type _≡_ - that is, you can define your own type, and construct such a function, and Agda will be satisfied:

induction : {A : Set} {C : (x y : A) -> (x ≡ y) -> Set} (x y : A) (p : x ≡ y) ((x : A) -> C x x refl) -> C x y p
induction x .x refl f = f x

Or a simplified version that follows from the induction axiom:

transport : {A : Set} {C : A -> Set} (x y : A) (x ≡ y) (C x) -> C y
transport x .x refl cx = cx

What this means in practice, is that you get a proof for something - for example, A x ≡ A x, but then transport this proof along the equality x ≡ y to get a proof A x ≡ A y. This usually requires specifying the type explicitly, in this case {C = y -> A x ≡ A y}, and provide the x, the y and the C x. As such, it is a very cumbersome procedure, although the learners will benefit from doing these steps.

rewrite then is a syntactic mechanism that rewrites the types of the terms known before the rewrite, so that such transport is not needed after that. Because it is syntactic, it does interpret the type _≡_ in a special way (so if you define your own type, you need to tell Agda you are using a different type as equality). Rewriting types is not "telling" Agda that some types are equal. It just literally replaces occurrences of x in type signatures with y, so now you only need to construct things with y and refl.

Having said all that, you can see why it works for step. There rewrite P.sym ... literally replaced all occurrences of n with n + 0, including the return type of the function, so now it is modₕ acc (acc + (n + 0)) d (n + 0) ≤ acc + (n + 0). Then constructing a value of that type just works.

Then step-ok didn't work, because you only pattern-matched values. There is nothing to tell that n and (n + 0) are the same thing. But rewrite will. Or you could use a function like this transport.