### new library witness.Witness

exhibits, constructively, a nonnegative integer n such that p n
whenever we can prove the existence of such an integer

parent 21537ba3
```whyml
(** {1 Constructive existence of a witness}

    Given a predicate [p] over integers and the existence of a nonnegative
    integer [n] such that [p n], one can build a witness using a linear
    search starting from 0.

    The difficulty here is to prove the termination of the function
    implementing this linear search. We use a custom variant predicate and
    we prove the accessibility of all integers for which there exists a
    witness above.

    This proof is adapted from Coq's standard library (file
    ConstructiveEpsilon.v contributed by Yevgeniy Makarov and
    Jean-François Monin).
*)

module Witness

  use import int.Int
  use import relations.WellFounded

  (* (p,x) is one step below (q,y) when the search moves from y to x = y+1
     because p y fails; chained [x = y+1 > 0] reads [x = y+1 /\ y+1 > 0] *)
  predicate r (x y: ((int->bool),int)) =
    let p, x = x in
    let q, y = y in
    p = q && x = y+1 > 0 && not (p y)

  let witness (p: int -> bool) : int
    requires { exists n. n >= 0 /\ p n }
    ensures  { result >= 0 /\ p result }
  = (* a point where p already holds has nothing below it *)
    let lemma l1 (x: int)
      requires { x >= 0 /\ p x }
      ensures  { acc r (p,x) }
    = let lemma l11 (y: (int->bool,int))
        requires { r y (p,x) }
        ensures  { acc r y }
      = ()
      in ()
    in
    (* a point with a witness n steps above it is accessible: induction on n *)
    let rec lemma l2 (x n: int)
      variant  { n }
      requires { x >= 0 /\ n >= 0 /\ p (x + n) }
      ensures  { acc r (p,x) }
    = if n > 0 then l2 (x+1) (n-1)
    in
    (* the linear search itself; it terminates because (p,n) is accessible for r *)
    let rec search (n: int) : int
      requires { n >= 0 /\ exists x. x >= n && p x }
      variant  { (p,n) with r }
      ensures  { result >= 0 /\ p result }
    = if p n then n else search (n+1)
    in
    search 0

end
```
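The same termination argument carried out in Lean 4, as an added example that is not part of this commit or of Why3. `Step` plays the role of `r` for one fixed predicate `p`, `acc_of_witness` is lemma `l2` (its `d = 0` case is `l1`), and `search` / `witness` mirror the WhyML functions; all names are my own. `search` is marked `noncomputable` only because Lean's code generator does not compile `Acc.rec`; the term is still kernel-checked, which is the analogue of Why3 discharging the proof obligations above.

```lean
/-- The Why3 relation `r`, fixed to one predicate `p`:
    `m` is one step below `n` when the search moves from `n` to `m = n + 1`
    because `p n` fails.  (`abbrev` so that `.1`/`.2` and `And.intro` see the `∧`.) -/
abbrev Step (p : Nat → Bool) (m n : Nat) : Prop := m = n + 1 ∧ p n = false

/-- Lemma `l2` of the WhyML module: a point `x` with a witness exactly `d`
    steps above it is accessible for `Step p`.  Induction on the distance `d`;
    the `d = 0` case is the module's lemma `l1`. -/
theorem acc_of_witness (p : Nat → Bool) :
    ∀ (d x : Nat), p (x + d) = true → Acc (Step p) x := by
  intro d
  induction d with
  | zero =>
    intro x hx
    constructor
    intro y hy
    -- nothing is below `x`: `p x` holds (`x + 0` reduces to `x`), so `Step p y x` is absurd
    have h : p x = true := hx
    rw [hy.2] at h
    exact Bool.noConfusion h
  | succ d ih =>
    intro x hx
    constructor
    intro y hy
    -- the only point below `x` is `x + 1`, whose witness is `d` steps above it
    rw [hy.1]
    apply ih
    have e : x + 1 + d = x + (d + 1) := by omega
    rw [e]
    exact hx

/-- The linear search, by recursion on the accessibility proof: this is what
    `variant { (p,n) with r }` expresses in WhyML.  `noncomputable` only because
    Lean's code generator does not compile `Acc.rec`; the term is kernel-checked. -/
noncomputable def search (p : Nat → Bool) (n : Nat) (h : Acc (Step p) n) :
    {m // p m = true} :=
  Acc.rec (motive := fun _ _ => {m // p m = true})
    (fun k _ ih =>
      match hp : p k with
      | true  => Subtype.mk k hp
      | false => ih (k + 1) (And.intro rfl hp))
    h

/-- `witness` of the module: the existence hypothesis is consumed only to build
    the accessibility proof for the starting point 0. -/
noncomputable def witness (p : Nat → Bool) (hex : ∃ n, p n = true) :
    {m // p m = true} :=
  search p 0 (hex.elim fun n hn =>
    acc_of_witness p n 0 (by rw [Nat.zero_add]; exact hn))

/-- The postcondition `p result` is carried by the subtype. -/
example (p : Nat → Bool) (hex : ∃ n, p n = true) : p (witness p hex).1 = true :=
  (witness p hex).2
```

The `Nat` domain makes the WhyML side conditions `x >= 0` and `n >= 0` disappear; the distance `d` that drives the induction is the same quantity as the `variant { n }` of `l2`, and the existential is never inspected by `search` itself, only by the proof handed to it.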