How to make algebraic manipulations in Coq easier?
Question
I'm experimenting with Coq's standard libraries for integers and rationals. So far my proofs are very time-consuming and look terrible. I guess I miss some important proof techniques. Such simple lemmas shouldn't be so long to prove. Any hints?
Here is an example:
Require Import QArith.forall (x y : Z) (z : positive), (0 <= x <= y)%Z -> x # z <= y # zforall (x y : Z) (z : positive), (0 <= x <= y)%Z -> x # z <= y # zx, y: Z
z: positive
H: (0 <= x <= y)%Zx # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: (x <= y)%Zx # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: inject_Z x <= inject_Z yx # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: / inject_Z (Z.pos z) * inject_Z x <= / inject_Z (Z.pos z) * inject_Z yx # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: inject_Z x <= inject_Z y0 < / inject_Z (Z.pos z)x, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: / inject_Z (Z.pos z) * inject_Z x <= / inject_Z (Z.pos z) * inject_Z yx # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: inject_Z x * / inject_Z (Z.pos z) <= / inject_Z (Z.pos z) * inject_Z yx # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: inject_Z x * / inject_Z (Z.pos z) <= inject_Z y * / inject_Z (Z.pos z)x # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: (x # 1) * / (Z.pos z # 1) <= (y # 1) * / (Z.pos z # 1)x # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: (x # 1) * match Qnum (Z.pos z # 1) with | 0%Z => 0 | Z.pos p => QDen (Z.pos z # 1) # p | Z.neg p => Z.neg (Qden (Z.pos z # 1)) # p end <= (y # 1) * match Qnum (Z.pos z # 1) with | 0%Z => 0 | Z.pos p => QDen (Z.pos z # 1) # p | Z.neg p => Z.neg (Qden (Z.pos z # 1)) # p endx # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
ZV: Qnum (Z.pos z # 1) = 0%Z
Hr: (x # 1) * 0 <= (y # 1) * 0x # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Qnum (Z.pos z # 1) = Z.pos p
Hr: (x # 1) * (QDen (Z.pos z # 1) # p) <= (y # 1) * (QDen (Z.pos z # 1) # p)x # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Qnum (Z.pos z # 1) = Z.neg p
Hr: (x # 1) * (Z.neg (Qden (Z.pos z # 1)) # p) <= (y # 1) * (Z.neg (Qden (Z.pos z # 1)) # p)x # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
ZV: Qnum (Z.pos z # 1) = 0%Z
Hr: (x # 1) * 0 <= (y # 1) * 0x # z <= y # zdiscriminate.x, y: Z
z: positive
Hl: (0 <= x)%Z
ZV: Z.pos z = 0%Z
Hr: (x # 1) * 0 <= (y # 1) * 0x # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Qnum (Z.pos z # 1) = Z.pos p
Hr: (x # 1) * (QDen (Z.pos z # 1) # p) <= (y # 1) * (QDen (Z.pos z # 1) # p)x # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Qnum (Z.pos z # 1) = Z.pos p
Hr: (x # 1) * (1 # p) <= (y # 1) * (1 # p)x # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Z.pos z = Z.pos p
Hr: (x # 1) * (1 # p) <= (y # 1) * (1 # p)x # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Z.pos z = Z.pos p
Hr: (x # 1) * (1 # p) <= (y # 1) * (1 # p)z = p -> x # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Z.pos z = Z.pos p
Hr: (x # 1) * (1 # p) <= (y # 1) * (1 # p)
ZP: z = px # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Z.pos z = Z.pos p
Hr: Qnum (x # 1) * Qnum (1 # p) # Qden (x # 1) * Qden (1 # p) <= Qnum (y # 1) * Qnum (1 # p) # Qden (y # 1) * Qden (1 # p)
ZP: z = px # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Z.pos z = Z.pos p
Hr: x * 1 # p <= y * 1 # p
ZP: z = px # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Z.pos z = Z.pos p
Hr: x * 1 # z <= y * 1 # z
ZP: z = px # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Z.pos z = Z.pos p
Hr: x # z <= y * 1 # z
ZP: z = px # z <= y # zexact Hr.x, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Z.pos z = Z.pos p
Hr: x # z <= y # z
ZP: z = px # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Qnum (Z.pos z # 1) = Z.neg p
Hr: (x # 1) * (Z.neg (Qden (Z.pos z # 1)) # p) <= (y # 1) * (Z.neg (Qden (Z.pos z # 1)) # p)x # z <= y # zdiscriminate.x, y: Z
z: positive
Hl: (0 <= x)%Z
p: positive
ZV: Z.pos z = Z.neg p
Hr: (x # 1) * (Z.neg (Qden (Z.pos z # 1)) # p) <= (y # 1) * (Z.neg (Qden (Z.pos z # 1)) # p)x # z <= y # zx, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: inject_Z x <= inject_Z y0 < / inject_Z (Z.pos z)x, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: inject_Z x <= inject_Z y0 < match Qnum (inject_Z (Z.pos z)) with | 0%Z => 0 | Z.pos p => QDen (inject_Z (Z.pos z)) # p | Z.neg p => Z.neg (Qden (inject_Z (Z.pos z))) # p endapply Z.lt_0_1. Qed.x, y: Z
z: positive
Hl: (0 <= x)%Z
Hr: inject_Z x <= inject_Z y0 < 1 # z
Answer
I did not have the courage to analyze your lengthy proof, but I see you choose to use a forward proof style. The telltale sign is the fact that you have several rewrite ... in ... in your script. Most libraries of theorems are designed to work in backward proof style.
Contrast this with my proposal for the same proof:
forall (x y : Z) (z : positive), (0 <= x <= y)%Z -> x # z <= y # zforall (x y : Z) (z : positive), (0 <= x <= y)%Z -> x # z <= y # zx, y: Z
z: positive
cmp: (0 <= x <= y)%Zx # z <= y # zx, y: Z
z: positive
cmp: (0 <= x <= y)%Zinject_Z x / inject_Z (Z.pos z) <= inject_Z y / inject_Z (Z.pos z)x, y: Z
z: positive
cmp: (0 <= x <= y)%Zinject_Z x <= inject_Z yx, y: Z
z: positive
cmp: (0 <= x <= y)%Z0 <= / inject_Z (Z.pos z)x, y: Z
z: positive
cmp: (0 <= x <= y)%Zinject_Z x <= inject_Z ytauto.x, y: Z
z: positive
cmp: (0 <= x <= y)%Z(x <= y)%Zx, y: Z
z: positive
cmp: (0 <= x <= y)%Z0 <= / inject_Z (Z.pos z)x, y: Z
z: positive
cmp: (0 <= x <= y)%Z0 <= inject_Z (Z.pos z)now rewrite <- Zle_Qle. Qed.x, y: Z
z: positive
cmp: (0 <= x <= y)%Zinject_Z 0 <= inject_Z (Z.pos z)
Here is how I proceed. First, x # z is a notation for a very specific form of division: the one that appears in a basic fraction. There are many chances that this specific form of division is less well covered by theorems in the library, so I choose to replace it by a regular division between rational numbers. To find the theorem, I just use the Search query with the patterns (_ # _) (_ / _). This gives me Qmake_Qdiv.
Then I simply expect that there is a theorem expressing a <= b -> a / c <= b / c under suitable conditions. I use Search (_ / _ <= _ / _). to find such a theorem. Alas, none is found. So I remember that division is often described as multiplication by the inverse so I search for the other possibility Search (_ * _ <= _ * _).. This gives me Qmult_le_compat_r. I try applying it and it works.
Here is what I mean by working in a backward proof style: I look at the conclusion and I think what theorem could help me obtain this conclusion? I will then try to fulfill its conditions.
There are two conditions. The first one is (inject_Z x <= inject_Z y). So now I need a theorem relating comparison in Z and comparison in Q through function inject_Z. To find it I type Search inject_Z (_ <= _).. This gives me Zle_Qle. Please note that your hypothesis is too strong: you don't need x to be positive. The automatic tactic tauto obtains the right condition from your hypothesis (which I named cmp).
The last condition is (0 <= inject_Z (Z.pos z)). I can re-use the same theorem as above, because surely 0 must be the same thing as inject_Z 0.
All this being said, I do not recommend using QArith for mathematical reasoning (the kind of algebraic reasoning that you show here), because it is less well populated than other libraries. If you want to work with numbers and reason on them, you should use math-comp or Reals: you will find more theorems that are already proved for you.
Q: thanks for the elaborate explanation. I repeated your steps. Makes sense! How did you acquire such a strategy? Is it just the experience?
A: I don't remember, I learned by trials and errors, too long ago (28 years). But I remember that in the beginning there were no rewrite ... in ... or apply ... in ... tactics, so that the backward style was practically