lambda_delta: partial commit ...

[helm.git] / matitaB / matita / doc / primer.txt

                   ***********************************
                   *                                 *
                   *  A   M a t i t a   p r i m e r  *
                   *                                 *
                   *   (with useful ??? exercises)   *
                   ***********************************

=================================
Learning to use the on-line help:
=================================
* Select the menu Help and then the menu Contents or press F1
* In the menu you can find the syntax for lambda terms and the syntax
  and semantics of every tactic and tactical available in the system

=================================
Learning to type Unicode symbols:
=================================
* Unicode symbols are written like this: \lambda \eta \leq ...
* Optional: to get the gliph corresponding to the Unicode symbol,
  type Alt+L (for ligature) just after the \something stuff
* Additional ligatures (use Alt+L to get the gliph)
  :=   for   \def
  ->   for   \to
  =>   for   \Rightarrow
  <=   for   \leq
  >=   for   \geq
* Commonly used Unicode symbols:
  \to     for  logical implication and function space
  \forall
  \exists
  \Pi     for dependent product
  \lambda
  \land   for logical and, both on propositions and booleans
  \lor    for logical or, both on propositions and booleans
  \lnot   for logical not, both on propositions and booleans

==============================
How to set up the environment:
==============================
* Every file must start with a line like this:

  set "baseuri" "cic:/matita/nat/plus/".

  that says that every definition and lemma in the current file
  will be put in the cic:/matita/nat/plus namespace.
  For an exercise put in a foo.ma file, use the namespace
  cic:/matita/foo/
* Files can start with inclusion lines like this:

  include "nat/plus.ma".

  This is required to activate the notation given in the nat/times.ma file.
  If you do not include "nat/times.ma", you will still be able to use all
  the definitions and lemmas given in "nat/plus.ma", but without the nice
  infix '+' notation for addition.

====================================
How to browse and search the library:
====================================
* Open the menu View and then New CIC Browser. You will get a browser-like
  window with integrated searching functionalities
* To explore the library, type the URI "cic:" in the URI field and start
  browsing. Definitions will be rendered as such. Theorems will be rendered
  in a declarative style even if initially produced in a procedural style.
* To get a nice notation for addition and natural numbers, put in your
  script  include "nat/plus.ma"  and execute it. Then use the browser to
  render cic:/matita/nat/plus/associative_plus.con. The declarative proof
  you see is not fully expanded. Every time you see a "Proof" or a
  "proof of xxx" you can click on it to expand the proof. Every constant and
  symbol is an hyperlink. Follow the hyperlinks to see the definition of
  natural numbers and addition.
* The home button visualizes in declarative style the proof under development.
  It shows nothin when the system is not in proof mode.
* Theorems and definitions can be looked for by name using wildcards. Write
  "*associative*" in the seach bar, select "Locate" and press Enter.
  You will see the result list of URIs. Click on them to follow the hyperlink.
* If you know the exact statement of a theorem, but not its name, you can write
  its statement in the search bar and select match. Try with
  "\forall n,m:nat. n + m = m + n". Sometimes you can find a theorem that is
  just close enough to what you were looking for. Try with
  "\forall n:nat. O = n + O"  (O is the letter O, not the number 0)
* Sometimes you may want to obtain an hint on what theorems can be applied
  to prove something. Write the statement to prove in the search bar and select
  Hint. Try with "S O + O = O + S O". As before, you can get some useful
  results that are not immediately usable in their current form.
* Sometimes you may want to look for the theorems and definitions that are
  instances of a given statement. Write the statement in the search bar
  using lambda abstractions in front to quantify the variables to be
  instantiated. Then use Instance. Try with "\lambda n.\forall x:nat.x+n=x".

=====================
How to define things:
=====================
* Look in the manual for Syntax and then Definitions and declarations.
  Often you can omit the types of binders if they can be inferred.
  Use question marks "?" to ask the system to infer an argument of an
  application. Non recursive definitions must be given using "definition".
  Structural recursive definitions must be given using "let rec".
  Try the following examples:

  axiom f: nat \to nat

  definition square := \lambda A:Type.\lambda f:A \to A. \lambda x. f (f x).

  definition square_f : nat \to nat \def square ? f.

  inductive tree (A:Type) : Type \def
     Empty: tree A
   | Cons: A \to tree A \to tree A \to tree A.

  let rec size (A:Type) (t: tree A) on t : nat \def
   match t with
    [ Empty \Rightarrow O
    | Cons _ l r \Rightarrow size ? l + size ? r
    ].

====================
How to prove things:
====================
* Elementary proofs can be done by directly writing the lambda-terms
  (as in Agda or Epigram). Try to complete the following proofs:

  lemma ex1:
   \forall A,B:Prop.
     ((\forall X:Prop.X \to  X) \to  A \to  B) \to  A \to  B \def 
    λA,B:Prop.λH. ...

  lemma ex2: \forall n,m. m + n = m + (n + O) \def 
    ...

  Hint: to solve ex2 use eq_f and plus_n_O. Look for their types using
  the browser.

* The usual way to write proofs is by using either the procedural style
  (as in Coq and Isabelle) or the still experimental declarative style
  (as in Isar and Mizar). Let's start with the declarative style.
  Look in the manual for the following declarative tactics:

    assume id:type.                            (* new assumption *)
    suppose formula (id).                      (* new hypothesis *)
    by lambda-term done.                       (* concludes the proof *)
    by lambda-term we proved formula (id).     (* intermediate step *)
    by _ done.                                 (* concludes the proof *)
    by _ we proved formula (id).               (* intermediate step *)

  Declarative tactics must always be terminated by a dot.
  When automation fails (last two tactics), you can always help the system
  by adding new intermediate steps or by writing the lambda-term by hand.

  Prove again ex1 and ex2 in declarative style. A proof in declarative
  style starts with

    lemma id: formula.
    theorem id: formula.

  (the two forms are totally equivalent) and ends with

    qed.

  Hint: you can select well-formed sub-formulae in the sequents window,
  copy them (using the Edit/Paste menu item or the contextual menu item)
  and paste them in the text (using the Edit/Copy menu item or the
  contextual menu item).

* The most used style to write proofs in Matita is the procedural one.
  In the rest of this tutorial we will only present the procedural style.
  Look in the manual for the following procedural tactics:

    intros
    apply lambda-term
    autobatch                (* in the manual autobatch is called auto *)

  Prove again ex1 and ex2 in procedural style. A proof in procedural style
  starts and ends as a proof in declarative style. The two styles can be
  mixed.

* Some tactics open multiple new goals. For instance, copy the following
  lemma:

  lemma ex3: \forall A,B:Prop. A \to B \to (A \land B) \land (A \land B).
   intros;
   split;

  Look for the split tactic in the manual. The split tactic of the previous
  script has created two new goals, both of type (A \land B). Notice that
  the labels ?8 and ?9 of both goals are now in bold. This means that both
  goals are currently active and that the next tactic will be applied to
  both goals. The ";" tactical used after "intros" and "split" has exactly
  this meaning: it activates all goals created by the previous tactic.
  Look for it in the manual, then execute "split;" again. Now you can see
  four active goals. The first and third one ask to prove A; the reamining
  ones ask to prove B. To apply different tactics to the selected goal, we
  need to branch over the selected goals. This is achieved by using the
  tactical "[" (branching). Now type "[" and exec it. Only the first goal
  is now active (in bold), and all the previously active goals have now
  subscripts ranging from 1 to 4. Use the "apply H;" tactic to solve the goal.
  No goals are now selected. Use the "|" (next goal) tactical to activate
  the next goal. Since we are able to solve the new active goal and the
  last goal at once, we want to select the two branches at the same time.
  Use the "2,4:" tactical to select the goals having as subscripts 2 and 4.
  Now solve the goals with "apply H1;" and select the last remaining goal
  with "|". Solve the goal with "apply H;". Finally, close the branching
  section using the tactical "]" and complete the proof with "qed.".
  Look for all this tacticals in the manual. The "*:" tactical is also
  useful: it is used just after a "[" or "|" tactical to activate all the
  remaining goals with a subscript (i.e. all the goals in the innermost
  branch).

  If a tactic "T" opens multiple goals, then "T;" activates all the new
  goals opened by "T". Instead "T." just activates the first goal opened
  by "T", postponing the remaining goals without marking them with subscripts.
  In case of doubt, always use "." in declarative scripts and only all the
  other tacticals in procedural scripts.

==========================
Computation and rewriting:
==========================
* State the following theorem:

  lemma ex4: \forall n,m. S (S n) + m = S (S (n + m)).

  and introduce the hypotheses with "intros". To complete the proof, we
  can simply compute "S (S n) + m" to obtain "S (S (n + m))". Using the
  browser (click on the "+" hyperlink), look at the definition of addition:
  since addition is defined by recursion on the first argument, and since
  the first argument starts with two constructors "S", computation can be
  made. Look for the "simplify" tactic in the manual and use it to
  obtain a trivial equality. Solve the equality using "reflexivity", after
  having looked for it in the manual.
* State the following theorem:

  lemma ex5: \forall n,m. n + S (S m) = S (S (n + m)).

  Try to use simplify to complete the proof as before. Why is "simplify"
  not useful in this case? To progress in the proof we need a lemma
  stating that "\forall n,m. S (n + m) = n + S m". Using the browser,
  look for its name in the library. Since the lemma states an equality,
  it is possible to use it to replace an instance of its left hand side
  with an instance of its right hand side (or the other way around) in the
  current sequent. Look for the "rewrite" tactic in the manual, and use
  it to solve the exercise. There are two possible solutions: one only
  uses rewriting from left to right ("rewrite >"), the other rewriting
  from right to left ("rewrite <"). Find both of them.
* It may happen that "simplify" fails to yield the simplified form you
  expect. In some situations, simplify can even make your goal more complex.
  In these cases you can use the "change" tactic to convert the goal into
  any other goal which is equivalent by computation only. State again
  exercise ex4 and solve the goal without using "simplify" by means of
  "change with (S (S (n + m)) = S (S (n + m))".
* Simplify does nothing to expand definitions that are not given by
  structural recursion. To expand definition "X" in the goal, use the
  "unfold X" tactic.

  State the following lemma and use "unfold Not" to unfold the definition
  of negation in terms of implication and False. Then complete the proof
  of the theorem.

  lemma ex6: \forall A:Prop. \lnot A \to A \to False.

* Sometimes you may be interested in simplifying, changing, unfolding or even
  substituting (by means of rewrite) only a sub-expression of the
  goal. Moreover, you may be interested in simplifying, changing, unfolding or
  substituting a (sub-)expression of one hypothesis. Look in the manual
  for these tactics: all of them have an optional argument that is a
  pattern. You can generate a pattern by: 1) selecting the sub-expression you
  want to act on in the sequent; 2) copying it (using the Edit/Copy menu
  item or the contextual menu); 3) pasting it as a pattern using the
  "Edit/Paste as pattern" menu item. Other tactics also have pattern arguments.
  State and solve the following exercise:

  lemma ex7: \forall n. (n + O) + (n + O) = n + (n + O).

  The proof of the lemma must rewrite the conclusion of the sequent to
  n + (n + O) = n + (n + O) and prove it by reflexivity.

  Hint: use the browser to look for the theorem that proves
   \forall n. n = n + O  and then use a pattern to control the behaviour
   of "rewrite <".

====================
Proofs by induction:
====================
* Functions can be defined by structural recursion over arguments whose
  type is inductive. To prove properties of these functions, a common
  strategy is to proceed by induction over the recursive argument of the
  function. To proceed by induction over an inductive argument "x", use
  the "elim x" tactic.

  Now include "nat/orders.ma" to activate the notation \leq.
  Then state and prove the following lemma by induction over n:

  lemma ex8: \forall n,m. m \leq n + m.

  Hint 1: use "autobatch" to automatically prove trivial facts
  Hint 2: "autobatch" never performs computations. In inductive proofs
   you often need to "simplify" the inductive step before using
   "autobatch". Indeed, the goal of proceeding by induction over the
   recursive argument of a structural recursive definition is exactly
   that of allowing computation both in the base and inductive cases.
* Using the browser, look at the definition of addition over natural
  numbers. You can notice that all the parameters are fixed during
  recursion, but the one we are recurring on. This is the reason why
  it is possible to prove a property of addition using a simple induction
  over the recursive argument. When other arguments of the structural
  recursive functions change in recursive calls, it is necessary to
  proceed by induction over generalized predicates where the additional
  arguments are universally quantified.

  Give the following tail recursive definition of addition between natural
  numbers:

  let rec plus' n m on n \def
   match n with
    [ O \Rightarrow m
    | S n' \Rightarrow plus' n' (S m)
    ].

  Note that both parameters of plus' change during recursion.
  Now state the following lemma, and try to prove it copying the proof
  given for ex8 (that started with "intros; elim n;")

  lemma ex9: \forall n,m. m \leq plus' n m.

  Why is it impossible to prove the goal in this way? 
  Now start the proof with "intros 1;", obtaining the generalized goal
  "\forall m. m \leq plus' n m", and proceed by induction on n using
  "elim n" as before. Complete the proof by means of simplification and
  autobatch. Why is it now possible to prove the goal in this way?
* Sometimes it is not possible to obtain a generalized predicate using the
  "intros n;" trick. However, it is always possible to generalize the
  conclusion of the goal using the "generalize" tactic. Look for it in the
  manual.

  State again ex9 and find a proof that starts with
  "intros; generalize in match m;".
* Some predicates can also be given as inductive predicates.
  In this case, remember that you can proceed by induction over the
  proof of the predicate. In particular, if H is a proof of
  False/And/Or/Exists, then "elim H" corresponds to False/And/Or/Exists
  elimination.

  State and prove the following lemma:

  lemma ex10: \forall A,B:Prop. A \lor (False \land B) \to A.

====================
Proofs by inversion:
====================
* Some predicates defined by induction are really defined as dependent
  families of predicates. For instance, the \leq relation over natural
  numbers is defined as follow:

  inductive le (n:nat) : nat \to Prop \def
     le_n: le n n
   | le_S: \forall m. le n m \to le n (S m).

  In Matita we say that the first parameter of le is a left parameter
  (since it is at the left of the ":" sign), and that the second parameter
  is a right parameter. Dependent families of predicates are inductive
  definitions having a right parameter.

  Now, consider a proof H of (le n E) for some expression E.
  Differently from what happens in Agda, proceeding by elimination of H
  (i.e. doing an "elim H") ignores the fact that the second argument of
  the type of H was E. Equivalently, eliminating H of type (le n E) and
  H' of type (le n E'), you obtain exactly the same new goals even if
  E and E' are different.

  State the following exercise and try to prove it by elimination of
  the first premise (i.e. by doing an "intros; elim H;").

  lemma ex11: \forall n. n \leq O \to n = O.

  Why cannot you solve the exercise?
  To exploit hypotheses whose type is inductive and whose right parameters
  are instantiated, you can sometimes use the "inversion" tactic. Look
  for it in the manual. Solve exercise ex11 starting with
  "intros; inversion H;". As usual, autobatch is your friend to automate
  the proof of trivial facts. However, autobatch never performs introduction
  of hypotheses. Thus you often need to use "intros;" just before "autobatch;".
  
  Note: most of the time the "inductive hypotheses" generated by inversion
  are completely useless. To remove a useless hypothesis H from the context
  you can use the "clear H" tactic. Look for it in the manual.
* The "inversion" tactic is based on the t_inv lemma that is automatically
  generated for every inductive family of predicates t. Look for the
  t_inv lemma using the browser and study the clever trick (a funny
  generalization) that is used to prove it. Brave students can try to
  prove t_inv using the tactics described so far.
  
=========================================================
Proofs by injectivity and discrimination of constructors:
=========================================================
* It is not unusual to obtain hypotheses of the form k1 args1 = k2 args2
  where k1 and k2 are either equal or different constructors of the same
  inductive type. If k1 and k2 are different constructors, the hypothesis
  k1 args1 = k2 args2 is contradictory (discrimination of constructors);
  otherwise we can derive the equality between corresponding arguments
  in args1 and args2 (injectivity of constructors). Both operations are
  performed by the "destruct" tactic. Look for it in the manual.

  State and prove the following lemma using the destruct tactic twice:

  lemma ex12: \forall n,m. \lnot (O = S n) \land (S (S n) = S (S m) \to n = m).
* The destruct tactic is able to prove things by means of a very clever trick
  you already saw in the course by Coquand. Using the browser, look at the
  proof of ex12. Brave students can try to prove ex12 without using the
  destruct tactic.

============================================
Conjecturing and proving intermediate facts:
============================================
* Look for the "cut" tactic in the manual. It is used to assume a new fact
  that needs to be proved later on in order to finish the goal. The name
  "cut" comes from the cut rule of sequent calculus. As you know from theory,
  the "cut" tactic is handy, but not necessary. Moreover, remember that you
  can use axioms at your own risk to assume that some facts are provable.
* Given a term "t" that proves an implication or universal quantification,
  it is possible to do forward reasoning in procedural style by means of
  the "lapply (t args)" tactic that introduces the instantiated version of
  the assumption in the context. Look for lapply in the manual. As the
  "cut" tactic, lapply is quite handy, but not a necessary tactic.

=====================================================
Overloading existent notations and creating new ones:
=====================================================
* Mathematical notation is highly overloaded and full of ambiguities.
  In Matita you can freely overload notations. The type system is used
  to efficiently disambiguate formulae written by the user. In case no
  interpretation of the formula makes sense, the user is faced with a set
  of errors, corresponding to the different interpretations. In case multiple
  interpretations make sense, the system asks the user a minimal amount of
  questions to understand the intended meaning. Finally, the system remembers
  the history of disambiguations and the answers of the user to 1) avoid
  asking the user the same questions the next time the script is executed
  2) avoid asking the user many questions by guessing the intended
  interpretation according to recent history.

  State the following lemma:

  lemma foo:
   \forall n,m:nat.
    n = m \lor  (\lnot  n = m \land  ((leb n m \lor  leb m n) = true)).

  Following the hyperlink, look at the type inferred for leb.
  What interpretation Matita choosed for the first and second \lor sign?
  Click on the hyperlinks of the two occurrences of \lor to confirm your answer.
* The basic idea behind overloading of mathematical notations is the following:
  1. during pretty printing of formulae, the internal logical representation
     of mathematical notions is mapped to MathML Content (an infinitary XML
     based standard for the description of abstract syntax tree of mathematical
     formulae). E.g. both Or (a predicate former) and orb (a function over
     booleans) are mapped to the same MathML Content symbol "'or".
  2. then, the MathML Content abstract syntax tree of a formula is mapped
     to concrete syntax in MathML Presentation (a finitary XML based standard
     for the description of concrete syntax trees of mathematical formulae).
     E.g. the "'or x y" abstract syntax tree is mapped to "x \lor y".
     The sequent window and the browser are based on a widget that is able
     to render and interact MathML Presentation.
  3. during parsing, the two phases are reversed: starting from the concrete
     syntax tree (which is in plain Unicode text), the abstract syntax tree
     in MathML Content is computed unambiguously. Then the abstract syntax tree
     is efficiently translated to every well-typed logical representation.
     E.g. "x \lor y" is first translated to "'or x y" and then interpreted as
     "Or x y" or "orb x y", depending on which interpretation finally yields
     well-typed lambda-terms.
* Using leb and cases analysis over booleans, define the two new non
  recursive predicates:

   min: nat \to nat \to nat
   max: nat \to nat \to nat

  Now overload the \land notation (associated to the "'and x y" MathML
  Content formula) to work also for min:

  interpretation "min of two natural numbers" 'and x y =
   (cic:/matita/exercise/min.con x y).

  Note: you have to substitute "cic:/matita/exercise/min.con" with the URI
  determined by the baseuri you picked at the beginning of the file.

  Overload also the notation for \lor (associated to "'or x y") in the
  same way.

  To check if everything works correctly, state the following lemma:

  lemma foo: \forall b,n. (false \land b) = false \land (O \land n) = O.

  How the system interpreted the instances of \land?

  Now try to state the following ill-typed statement:

  lemma foo: \forall b,n. (false \land O) = false \land (O \land n) = O.

  Click on the three error locations before trying to read the errors.
  Then click on the errors and read them in the error message window
  (just below the sequent window). Which error messages did you expect?
  Which ones make sense to you? Which error message do you consider to be
  the "right" one? In what sense?
* Defining a new notation (i.e. associating to a new MathML Content tree
  some MathML Presentation tree) is more involved.

  Suppose we want to use the "a \middot b" notation for multiplication
  between natural numbers. Type:

  notation "hvbox(a break \middot b)"
  non associative with precedence 55
  for @{ 'times $a $b }.

  interpretation "times over natural numbers" 'times x y =
   (cic:/matita/nat/times/times.con x y).

  To check if everything was correct, state the following lemma:

  lemma foo: \forall n. n \middot O = O.

  The "hvbox (a break \middot b)" contains more information than just
  "a \middot b". The "hvbox" tells the system to write "a", "\middot" and
  "b" in an horizontal row if there is enough space, or vertically otherwise.
  The "break" keyword tells the system where to break the formula in case
  of need. The syntax for defining new notations is not documented in the
  manual yet.

=====================================
Using notions without including them:
=====================================
* Using the browser, look for the "fact" function.
  Notice that it is defined in the "cic:/matita/nat/factorial" namespace
  that has not been included yet. Now state the following lemma:

  lemma fact_O_S_O: fact O = 1.

  Note that Matita automatically introduces in the script some informations
  to remember where "fact" comes from. However, you do not get the nice
  notation for factorial. Remove the lines automatically added by Matita
  and replace them with

  include "nat/factorial.ma"

  before stating again the lemma. Now the lines are no longer added and you
  get the nice notation. In the future we plan to activate all notation without
  the need of including anything.

=============================
A relatively simple exercise:
=============================
* Start from an empty .ma file, change the baseuri and include the following
  files for auxiliary notation:

  include "nat/plus.ma".
  include "nat/compare.ma".
  include "list/sort.ma".
  include "datatypes/constructors.ma".

  In particular, the following notations for lists and pairs are introduced:
   []                    is the empty list
   hd::tl                is the list obtained putting a new element hd in
                         front of the list tl
   @                     list concatenation
   \times                is the cartesian product
   \langle l,r \rangle   is the pair (l,r)
* Define an inductive data type of propositional formulae built from
  a denumerable set of atoms, conjunction, disjunction, negation, truth and
  falsity (no primitive implication).

  Hint: complete the following inductive definition.

  inductive Formula : Type \def 
   FTrue: Formula
 | FFalse: Formula
 | FAtom: nat \to  Formula
 | FAnd: Formula \to  Formula \to  Formula
 | ...
* Define a classical interpretation as a function from atom indexes to booleans:

  definition interp \def  nat \to  bool.
* Define by structural recursion over formulas an evaluation function
  parameterized over an interpretation.

  Hint: complete the following definition. The order of the
  different cases should be exactly the order of the constructors in the
  definition of the inductive type.

  let rec eval (i:interp) F on F : bool \def
   match F with
    [ FTrue \Rightarrow true
    | FFalse \Rightarrow false
    | FAtom n \Rightarrow interp n
    | ...
* We are interested in formulas in a particular normal form where only atoms
  can be negated. Define the "being in normal form" not_nf predicate as an
  inductive predicate with one right parameter.

  Hint: complete the following definition.

  inductive not_nf : Formula \to  Prop \def 
      NTrue: not_nf FTrue
    | NFalse: not_nf FFalse
    | NAtom: \forall n. not_nf (FAtom n)
    ...
    | NNot: \forall n. not_nf (FNot (FAtom n))
* We want to describe a procedure that reduces a formula to an equivalent
  not_nf normal form. Define two mutually recursive functions elim_not and
  negate over formulas that respectively 1: put the formula in normal form
  and 2: put the negated of a formula in normal form.

  Hint: complete the following definition.

  let rec negate F \def 
    match F with
     [ FTrue \Rightarrow  FFalse
     | FFalse \Rightarrow  FTrue
     | ...
     | FNot f \Rightarrow  elim_not f]
   and elim_not F \def 
    match F with
     [ FTrue \Rightarrow  FTrue
     | FFalse \Rightarrow  FFalse
     | ...
     | FNot f \Rightarrow  negate f
     ].

  Why is not possible to only define elim_not by changing the FNot case
  to "FNot f \Rightarrow elim_not (FNot f)"?
* Prove that the procedures just given correctly produce normal forms.
  I.e. prove the following theorem.

  theorem not_nf_elim_not:
   \forall F.not_nf (elim_not F) \land  not_nf (negate F).

  Why is not possible to prove that one function produces normal forms
  without proving the other part of the statement? Try and see what happens.

  Hint: use the "n1,...,nm:" tactical to activate similar cases and solve
  all of them at once.
* Finally prove that the procedures just given preserve the semantics of the
  formula. I.e. prove the following theorem.

  theorem eq_eval_elim_not_eval:
   \forall i,F.
    eval i (elim_not F) = eval i F \land  eval i (negate F) = eval i (FNot F).

  Hint: you may need to prove (or assume axiomatically) additional lemmas on
  booleans such as the two demorgan laws.

================================
A moderately difficult exercise:
================================
* Consider the inductive type of propositional formulae of the previous
  exercise. Describe with an inductive type the set of well types derivation
  trees for classical propositional sequent calculus without implication.
  
  Hint: complete the following definitions.

  definition sequent \def  (list Formula) × (list Formula).

  inductive derive: sequent \to  Prop \def 
     ExchangeL:
      \forall l,l1,l2,f. derive 〈f::l1@l2,l〉 \to  derive 〈l1 @ [f] @ l2,l〉
   | ExchangeR: ...
   | Axiom: \forall l1,l2,f. derive 〈f::l1, f::l2〉
   | TrueR: \forall l1,l2. derive 〈l1,FTrue::l2〉
   | ...
   | AndR: \forall l1,l2,f1,f2.
      derive 〈l1,f1::l2〉 \to  derive 〈l1,f2::l2〉 \to 
       derive 〈l1,FAnd f1 f2::l2〉
   | ...

  Note that while the exchange rules are explicit, weakening and contraction
  are embedded in the other rules.
* Define two functions that transform the left hand side and the right hand
  side of a sequent into a logically equivalent formula obtained by making
  the conjunction (respectively disjunction) of all formulae in the
  left hand side (respectively right hand side). From those, define a function
  that folds a sequent into a logically equivalent formula obtained by
  negating the conjunction of all formulae in the left hand side and putting
  the result in disjunction with the disjunction of all formuale in the
  right hand side.
* Define a predicate is_tautology for formulae.
* Prove the soundness of the sequent calculus. I.e. prove

  theorem soundness:
   \forall F. derive F \to  is_tautology (formula_of_sequent F).

  Hint: you may need to axiomatically assume or prove several lemmas on
  booleans that are missing from the library. You also need to prove some
  lemmas on the functions you have just defined.

==========================
A long and tough exercise:
==========================
* Prove the completeness of the sequent calculus studied in the previous
  exercise. I.e. prove

  theorem completeness:
   \forall S. is_tautology (formula_of_sequent S) \to  derive S.

  Hint: the proof is by induction on the size of the sequent, defined as the
  size of all formulae in the sequent. The size of a formula is the number of
  unary and binary connectives in the formula. In the inductive case you have
  to pick one formula with a positive size, bring it in front using the
  exchange rule, and construct the tree applying the appropriate elimination
  rules. The subtrees are obtained by inductive hypotheses. In the base case,
  since the formula is a tautology, either there is a False formula in the
  left hand side of the sequent, or there is a True formula in the right hand
  side, or there is a formula both in the left and right hand sides. In all
  cases you can construct a tree by applying once or twice the exchange rules
  and once the FalseL/TrueR/Axiom rule. The computational content of the proof
  is a search strategy.

  The main difficulty of the proof is to proceed by induction on something (the
  size of the sequent) that does not reflect the structure of the sequent (made
  of a pair of lists). Moreover, from the fact that the size of the sequent is
  greater than 0, you need to detect the exact positions of a non atomic
  formula in the sequent and this needs to be done by structural recursion
  on the appropriate side, which is a list. Finally, from the fact that a
  sequent of size 0 is a tautology, you need to detect the False premise or
  the True conclusion or the two occurrences of a formula that form an axiom,
  excluding all other cases. This last proof is already quite involved, and
  finding the right inductive predicate is quite challenging.