我如何证明这两个陈述是平等的:
Val.shru(Val。和a(Vint b))(Vint c)= Vint?3434 / \?3434<> d
Val.shru(Val。和a(Vint b))(Vint c)<> d
这个概念非常简单,但坚持找到解决问题的正确策略。这实际上是我要证明的引理:
Require Import compcert.common.Values.
Require Import compcert.lib.Coqlib.
Require Import compcert.lib.Integers.
Lemma val_remains_int:
forall (a : val) (b c d: int),
(Val.shru (Val.and a (Vint b)) (Vint c)) <> (Vint d) ->
(exists (e : int), (Val.shru (Val.and a (Vint b)) (Vint c)) = (Vint e) /\ e <> d).
Proof.
intros.
eexists.
...
Admitted.
谢谢,
答案 0 :(得分:0)
如果您可以在下面的示例中构造int(i0)类型的值,则此引理不成立:
Require Import compcert.lib.Coqlib.
Require Import compcert.lib.Integers.
Require Import compcert.common.Values.
Variable i0 : int.
Fact counter_example_to_val_remains_int:
~ forall (a : val) (b c d: int),
(Val.shru (Val.and a (Vint b)) (Vint c)) <> (Vint d) ->
(exists (e : int),
(Val.shru (Val.and a (Vint b)) (Vint c)) = (Vint e)
/\ e <> d).
Proof.
intro H.
assert (Vundef <> Vint i0) as H0 by easy.
specialize (H Vundef i0 i0 i0 H0); clear H0.
simpl in H.
destruct H as (? & contra & _).
discriminate contra.
Qed.
至少有两个原因:
Val.and和Val.shru返回Vundef所有不是Vint的参数(它是GIGO原则的实例); Val.shru)。至于您在评论中提到的修改后的引理,简单的reflexivity会:
Lemma val_remains_int: forall a b c d: int,
Vint (Int.shru (Int.and a b) c) <> Vint d ->
exists (e : int), Vint (Int.shru (Int.and a b) c) = Vint e /\ e <> d.
Proof.
intros a b c d Hneq.
eexists. split.
- reflexivity.
- intro Heq. subst. auto.
Qed.