Theorems tagged with the spec attribute are used by the mspec and mvcgen tactics.
- When used on a theorem
foo_spec : Triple (foo a b c) P Q, thenmspecandmvcgenwill usefoo_specas a specification for calls tofoo. - Otherwise, when used on a definition that
@[simp]would work on, it is added to the internal simp set ofmvcgenthat is used withinwp⟦·⟧contexts to simplify match discriminants and applications of constants.
Equations
Instances For
massumption is like assumption, but operating on a stateful Std.Do.SPred goal.
example (P Q : SPred σs) : Q ⊢ₛ P → Q := by
mintro _ _
massumption
Equations
Instances For
mconstructor is like constructor, but operating on a stateful Std.Do.SPred goal.
example (Q : SPred σs) : Q ⊢ₛ Q ∧ Q := by
mintro HQ
mconstructor <;> mexact HQ
Equations
Instances For
mexact is like exact, but operating on a stateful Std.Do.SPred goal.
example (Q : SPred σs) : Q ⊢ₛ Q := by
mstart
mintro HQ
mexact HQ
Equations
Instances For
mexfalso is like exfalso, but operating on a stateful Std.Do.SPred goal.
example (P : SPred σs) : ⌜False⌝ ⊢ₛ P := by
mintro HP
mexfalso
mexact HP
Equations
Instances For
mexists is like exists, but operating on a stateful Std.Do.SPred goal.
example (ψ : Nat → SPred σs) : ψ 42 ⊢ₛ ∃ x, ψ x := by
mintro H
mexists 42
Equations
Instances For
mframe infers which hypotheses from the stateful context can be moved into the pure context.
This is useful because pure hypotheses "survive" the next application of modus ponens
(Std.Do.SPred.mp) and transitivity (Std.Do.SPred.entails.trans).
It is used as part of the mspec tactic.
example (P Q : SPred σs) : ⊢ₛ ⌜p⌝ ∧ Q ∧ ⌜q⌝ ∧ ⌜r⌝ ∧ P ∧ ⌜s⌝ ∧ ⌜t⌝ → Q := by
mintro _
mframe
/- `h : p ∧ q ∧ r ∧ s ∧ t` in the pure context -/
mcases h with hP
mexact h
Equations
Instances For
mhave is like have, but operating on a stateful Std.Do.SPred goal.
example (P Q : SPred σs) : P ⊢ₛ (P → Q) → Q := by
mintro HP HPQ
mhave HQ : Q := by mspecialize HPQ HP; mexact HPQ
mexact HQ
Equations
Instances For
mreplace is like replace, but operating on a stateful Std.Do.SPred goal.
example (P Q : SPred σs) : P ⊢ₛ (P → Q) → Q := by
mintro HP HPQ
mreplace HPQ : Q := by mspecialize HPQ HP; mexact HPQ
mexact HPQ
Equations
Instances For
mright is like right, but operating on a stateful Std.Do.SPred goal.
example (P Q : SPred σs) : P ⊢ₛ Q ∨ P := by
mintro HP
mright
mexact HP
Equations
Instances For
mleft is like left, but operating on a stateful Std.Do.SPred goal.
example (P Q : SPred σs) : P ⊢ₛ P ∨ Q := by
mintro HP
mleft
mexact HP
Equations
Instances For
mpure_intro operates on a stateful Std.Do.SPred goal of the form P ⊢ₛ ⌜φ⌝.
It leaves the stateful proof mode (thereby discarding P), leaving the regular goal φ.
theorem simple : ⊢ₛ (⌜True⌝ : SPred σs) := by
mpure_intro
exact True.intro
Equations
Instances For
mspecialize is like specialize, but operating on a stateful Std.Do.SPred goal.
It specializes a hypothesis from the stateful context with hypotheses from either the pure
or stateful context or pure terms.
example (P Q : SPred σs) : P ⊢ₛ (P → Q) → Q := by
mintro HP HPQ
mspecialize HPQ HP
mexact HPQ
example (y : Nat) (P Q : SPred σs) (Ψ : Nat → SPred σs) (hP : ⊢ₛ P) : ⊢ₛ Q → (∀ x, P → Q → Ψ x) → Ψ (y + 1) := by
mintro HQ HΨ
mspecialize HΨ (y + 1) hP HQ
mexact HΨ
Equations
Instances For
mspecialize_pure is like mspecialize, but it specializes a hypothesis from the
pure context with hypotheses from either the pure or stateful context or pure terms.
example (y : Nat) (P Q : SPred σs) (Ψ : Nat → SPred σs) (hP : ⊢ₛ P) (hΨ : ∀ x, ⊢ₛ P → Q → Ψ x) : ⊢ₛ Q → Ψ (y + 1) := by
mintro HQ
mspecialize_pure (hΨ (y + 1)) hP HQ => HΨ
mexact HΨ
Equations
Instances For
Start the stateful proof mode of Std.Do.SPred.
This will transform a stateful goal of the form H ⊢ₛ T into ⊢ₛ H → T
upon which mintro can be used to re-introduce H and give it a name.
It is often more convenient to use mintro directly, which will
try mstart automatically if necessary.
Equations
Instances For
Stops the stateful proof mode of Std.Do.SPred.
This will simply forget all the names given to stateful hypotheses and pretty-print
a bit differently.
Equations
Instances For
Equations
Instances For
Like rcases, but operating on stateful Std.Do.SPred goals.
Example: Given a goal h : (P ∧ (Q ∨ R) ∧ (Q → R)) ⊢ₛ R,
mcases h with ⟨-, ⟨hq | hr⟩, hqr⟩ will yield two goals:
(hq : Q, hqr : Q → R) ⊢ₛ R and (hr : R) ⊢ₛ R.
That is, mcases h with pat has the following semantics, based on pat:
pat=□h'renameshtoh'in the stateful context, regardless of whetherhis purepat=⌜h'⌝introducesh' : φto the pure local context ifh : ⌜φ⌝(c.f.Lean.Elab.Tactic.Do.ProofMode.IsPure)pat=h'is likepat=⌜h'⌝ifhis pure (c.f.Lean.Elab.Tactic.Do.ProofMode.IsPure), otherwise it is likepat=□h'.pat=_renameshto an inaccessible namepat=-discardsh⟨pat₁, pat₂⟩matches on conjunctions and existential quantifiers and recurses viapat₁andpat₂.⟨pat₁ | pat₂⟩matches on disjunctions, matching the left alternative viapat₁and the right alternative viapat₂.
Equations
Instances For
- one (name : TSyntax `Lean.binderIdent) : MRefinePat
- tuple (args : List MRefinePat) : MRefinePat
- pure (h : TSyntax `term) : MRefinePat
- stateful (h : TSyntax `Lean.binderIdent) : MRefinePat
- hole (name : TSyntax `Lean.binderIdent) : MRefinePat
Instances For
Equations
Instances For
Like intro, but introducing stateful hypotheses into the stateful context of the Std.Do.SPred
proof mode.
That is, given a stateful goal (hᵢ : Hᵢ)* ⊢ₛ P → T, mintro h transforms
into (hᵢ : Hᵢ)*, (h : P) ⊢ₛ T.
Furthermore, mintro ∀s is like intro s, but preserves the stateful goal.
That is, mintro ∀s brings the topmost state variable s:σ in scope and transforms
(hᵢ : Hᵢ)* ⊢ₛ T (where the entailment is in Std.Do.SPred (σ::σs)) into
(hᵢ : Hᵢ s)* ⊢ₛ T s (where the entailment is in Std.Do.SPred σs).
Beyond that, mintro supports the full syntax of mcases patterns
(mintro pat = (mintro h; mcases h with pat), and can perform multiple
introductions in sequence.
Equations
Instances For
mspec_no_simp $spec first tries to decompose Bind.binds before applying $spec.
This variant of mspec_no_simp does not; mspec_no_bind $spec is defined as
try with_reducible mspec_no_bind Std.Do.Spec.bind
mspec_no_bind $spec
Equations
Instances For
Like mspec, but does not attempt slight simplification and closing of trivial sub-goals.
mspec $spec is roughly (the set of simp lemmas below might not be up to date)
mspec_no_simp $spec
all_goals
((try simp only [SPred.true_intro_simp, SPred.true_intro_simp_nil, SVal.curry_cons,
SVal.uncurry_cons, SVal.getThe_here, SVal.getThe_there]);
(try mpure_intro; trivial))
Equations
Instances For
mspec is an apply-like tactic that applies a Hoare triple specification to the target of the
stateful goal.
Given a stateful goal H ⊢ₛ wp⟦prog⟧.apply Q', mspec foo_spec will instantiate
foo_spec : ... → ⦃P⦄ foo ⦃Q⦄, match foo against prog and produce subgoals for
the verification conditions ?pre : H ⊢ₛ P and ?post : Q ⊢ₚ Q'.
- If
prog = x >>= f, thenmspec Specs.bindis tried first so thatfoois matched againstxinstead. Tacticmspec_no_binddoes not attempt to do this decomposition. - If
?preor?postfollow by.rfl, then they are discharged automatically. ?postis automatically simplified into constituent⊢ₛentailments on success and failure continuations.?preand?post.*goals introduce their stateful hypothesis ash.- Any uninstantiated MVar arising from instantiation of
foo_specbecomes a new subgoal. - If the goal looks like
fun s => _ ⊢ₛ _thenmspecwill firstmintro ∀s. - If
Phas schematic variables that can be instantiated by doingmintro ∀s, for examplefoo_spec : ∀(n:Nat), ⦃⌜n = ‹Nat›ₛ⌝⦄ foo ⦃Q⦄, thenmspecwill domintro ∀sfirst to instantiaten = s. - Right before applying the spec, the
mframetactic is used, which has the following effect: Any hypothesisHᵢin the goalh₁:H₁, h₂:H₂, ..., hₙ:Hₙ ⊢ₛ Tthat is pure (i.e., equivalent to some⌜φᵢ⌝) will be moved into the pure context ashᵢ:φᵢ.
Additionally, mspec can be used without arguments or with a term argument:
mspecwithout argument will try and look up a spec forxregistered with@[spec].mspec (foo_spec blah ?bleh)will elaborate its argument as a term with expected type⦃?P⦄ x ⦃?Q⦄and introduce?blehas a subgoal. This is useful to pass an invariant to e.g.,Specs.forIn_listand leave the inductive step as a hole.
Equations
Instances For
mvcgen will break down a Hoare triple proof goal like ⦃P⦄ prog ⦃Q⦄ into verification conditions,
provided that all functions used in prog have specifications registered with @[spec].
A verification condition is an entailment in the stateful logic of Std.Do.SPred
in which the original program prog no longer occurs.
Verification conditions are introduced by the mspec tactic; see the mspec tactic for what they
look like.
When there's no applicable mspec spec, mvcgen will try and rewrite an application
prog = f a b c with the simp set registered via @[spec].
When used like mvcgen +noLetElim [foo_spec, bar_def, instBEqFloat], mvcgen will additionally
- add a Hoare triple specification
foo_spec : ... → ⦃P⦄ foo ... ⦃Q⦄tospecset for a functionfoooccurring inprog, - unfold a definition
def bar_def ... := ...inprog, - unfold any method of the
instBEqFloat : BEq Floatinstance inprog. - it will no longer substitute away
let-expressions that occur at most once inP,Qorprog.
Furthermore, mvcgen tries to close trivial verification conditions by SPred.entails.rfl or
the tactic sequence try (mpure_intro; trivial). The variant mvcgen_no_trivial does not do this.
For debugging purposes there is also mvcgen_step 42 which will do at most 42 VC generation
steps. This is useful for bisecting issues with the generated VCs.
Equations
Instances For
Like mvcgen_no_trivial, but mvcgen_step 42 will only do 42 steps of the VC generation procedure.
This is helpful for bisecting bugs in mvcgen and tracing its execution.