Proofs by induction. The SSReflect proof methodology

Author:	Anton Trunov
Date:	April 15, 2021

Display all goals and responses

From mathcomp Require Import ssreflect ssrfun ssrbool eqtype ssrnat.Notation "[ rel _ _ | _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation "[ rel _ _ : _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation "[ rel _ _ in _ & _ | _ ]" was already used
in scope fun_scope. [notation-overridden,parsing]
Notation "[ rel _ _ in _ & _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation "[ rel _ _ in _ | _ ]" was already used in
scope fun_scope. [notation-overridden,parsing]
Notation "[ rel _ _ in _ ]" was already used in scope
fun_scope. [notation-overridden,parsing]
Notation "_ + _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation "_ - _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation "_ <= _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation "_ < _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation "_ >= _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation "_ > _" was already used in scope nat_scope.
[notation-overridden,parsing]
Notation "_ <= _ <= _" was already used in scope
nat_scope. [notation-overridden,parsing]
Notation "_ < _ <= _" was already used in scope
nat_scope. [notation-overridden,parsing]
Notation "_ <= _ < _" was already used in scope
nat_scope. [notation-overridden,parsing]
Notation "_ < _ < _" was already used in scope
nat_scope. [notation-overridden,parsing]
Notation "_ * _" was already used in scope nat_scope.
[notation-overridden,parsing]
Set Implicit Arguments.
Unset Strict Implicit.
Unset Printing Implicit Defensive.

Proofs by induction

Nested induction

Let's prove addition is commutative

Lemma addnC :
  commutative addn.commutative addn
Proof.commutative addn
move=> x y.x, y:nat
x + y = y + x
elim: x.y:nat
0 + y = y + 0
y:nat
forall n : nat, n + y = y + n -> n.+1 + y = y + n.+1

The goal at this point is y = y + 0 (if we take reduction into account), but to prove it we need induction again!

-y:nat
0 + y = y + 0
y:nat
forall n : nat, n + y = y + n -> n.+1 + y = y + n.+1 rewrite add0n.y:nat
y = y + 0
y:nat
forall n : nat, n + y = y + n -> n.+1 + y = y + n.+1
  elim: y=> // y IHy.y:nat
IHy:y = y + 0
y.+1 = y.+1 + 0
y:nat
forall n : nat, n + y = y + n -> n.+1 + y = y + n.+1
  rewrite addSn -IHy.y:nat
IHy:y = y + 0
y.+1 = y.+1
y:nat
forall n : nat, n + y = y + n -> n.+1 + y = y + n.+1
  done.y:nat
forall n : nat, n + y = y + n -> n.+1 + y = y + n.+1

But, of course, it's better to factor this proof out into a separate lemma addn0. Sometimes this nested induction is not really avoidable and it might not make sense to make a new lemma, then nested induction is something to consider.

Restart.commutative addn

Let us prove this lemma idiomatically

elim=> [| x IHx] y; first by rewrite addn0.x:nat
IHx:forall y : nat, x + y = y + x
y:nat
x.+1 + y = y + x.+1
by rewrite addSn IHx -addSnnS.
Qed.

The first tactical in the proof above lets us not focus on trivial goals and break our proof flow and apply rewrite addn0 only to the first subgoal generated by the elim tactic.

Generalizing Induction Hypothesis

Let turn out attention to the proverbial factorial function. Its standard implementation is non-tail-recursive which is not a problem for us, of course, given that the call stack is not going to grow large. Still, let's see a common pattern arising in this context. Mathcomp defines a postfix notation to mean factorial:

Locate "`!".Notation "n `!" := (factorial n) : nat_scope
  (default interpretation)
Print factorial.factorial = nosimpl fact_rec
     : nat -> nat

Arguments factorial _%nat_scope
Print fact_rec.fact_rec = 
fix fact_rec (n : nat) : nat :=
  match n with
  | 0 => 1
  | n'.+1 => n * fact_rec n'
  end
     : nat -> nat

Arguments fact_rec _%nat_scope

Let's define our own tail-recursive version of the factorial function.

Fixpoint factorial_helper (n : nat) (acc : nat) : nat :=
  if n is n'.+1 then
    factorial_helper n' (n * acc)
  else
    acc.

(** The iterative implementation of the factorial
function: *)
Definition factorial_iter (n : nat) : nat :=
  factorial_helper n 1.

(** Let's prove our iterative implementation of
factorial is correct. *)

Lemma factorial_iter_correct n :
  factorial_iter n = n`!.n:nat
factorial_iter n = n`!
Proof.n:nat
factorial_iter n = n`!
elim: n.factorial_iter 0 = 0`!
forall n : nat,
factorial_iter n = n`! ->
factorial_iter n.+1 = (n.+1)`!
-factorial_iter 0 = 0`!
forall n : nat,
factorial_iter n = n`! ->
factorial_iter n.+1 = (n.+1)`! done.forall n : nat,
factorial_iter n = n`! ->
factorial_iter n.+1 = (n.+1)`!
move=> n IHn.n:nat
IHn:factorial_iter n = n`!
factorial_iter n.+1 = (n.+1)`!

To proceed let's simplify the goal

rewrite /factorial_iter.n:nat
IHn:factorial_iter n = n`!
factorial_helper n.+1 1 = (n.+1)`!
move=> /=.n:nat
IHn:factorial_iter n = n`!
factorial_helper n (n.+1 * 1) = (n.+1)`!
rewrite muln1.n:nat
IHn:factorial_iter n = n`!
factorial_helper n n.+1 = (n.+1)`!

At this point it should be clear that the induction hypothesis is not directly applicable in the goal and we should unfold factorial_iter in it too.

rewrite /factorial_iter in IHn.n:nat
IHn:factorial_helper n 1 = n`!
factorial_helper n n.+1 = (n.+1)`!

And now we are stuck here: our induction hypothesis is not general enough to help us because it has the second argument to factorial_helper fixed to 1 but we need it to work for n.+1 too.

At this point we abort the proof and generalize our lemma statement. This is a common pattern in proofs by induction.

Abort.

We need to state our lemma in a way which does not fix the second argument, i.e. we replace it with a variable acc and formulate the specification of factorial_helper_correct in terms of its both arguments. A little thinking reveals that statement: we start with acc and mutliply it repeatedly by n, n-1, etc.

Lemma factorial_helper_correct n acc :
  factorial_helper n acc = n`! * acc.n, acc:nat
factorial_helper n acc = n`! * acc
Proof.n, acc:nat
factorial_helper n acc = n`! * acc
elim: n=> [|n IHn /=]; first by rewrite fact0 mul1n.acc, n:nat
IHn:factorial_helper n acc = n`! * acc
factorial_helper n (n.+1 * acc) = (n.+1)`! * acc

We seem to be stuck again because acc in the induction hypothesis does not match (n.+1 * acc) in the goal. This happens because we again fix the accumulator too early and make our induction hypothesis too specialized. Let's start over and generalize our induction hypothesis.

Restart.n, acc:nat
factorial_helper n acc = n`! * acc

We now move acc from the proof context to the goal, thus generalizing it.

move: acc.n:nat
forall acc : nat, factorial_helper n acc = n`! * acc
elim: n.forall acc : nat, factorial_helper 0 acc = 0`! * acc
forall n : nat,
(forall acc : nat, factorial_helper n acc = n`! * acc) ->
forall acc : nat,
factorial_helper n.+1 acc = (n.+1)`! * acc
-forall acc : nat, factorial_helper 0 acc = 0`! * acc
forall n : nat,
(forall acc : nat, factorial_helper n acc = n`! * acc) ->
forall acc : nat,
factorial_helper n.+1 acc = (n.+1)`! * acc move=> acc.acc:nat
factorial_helper 0 acc = 0`! * acc
forall n : nat,
(forall acc : nat, factorial_helper n acc = n`! * acc) ->
forall acc : nat,
factorial_helper n.+1 acc = (n.+1)`! * acc
  by rewrite fact0 mul1n.forall n : nat,
(forall acc : nat, factorial_helper n acc = n`! * acc) ->
forall acc : nat,
factorial_helper n.+1 acc = (n.+1)`! * acc
move=> n IHn acc /=.n:nat
IHn:forall acc : nat, factorial_helper n acc = n`! * acc
acc:nat
factorial_helper n (n.+1 * acc) = (n.+1)`! * acc

Now our induction hypothesis is universally quantified over acc and hence can be specialized to any value of the acc parameter. The rewrite tactic can take care of this specialization to n.+1 * acc.

rewrite IHn.n:nat
IHn:forall acc : nat, factorial_helper n acc = n`! * acc
acc:nat
n`! * (n.+1 * acc) = (n.+1)`! * acc
by rewrite factS mulnCA mulnA.

Restart.n, acc:nat
factorial_helper n acc = n`! * acc

After a little refactoring we get the following proof. Notice that we can combine steps like move: acc followed by elim: n into one step: elim: n acc which is a clear indicator that your induction hypothesis needs generalization for the proof to go through. It would not be idiomatic to generalize induction hypotheses unnecessarily.

elim: n acc=> [|n IHn /=] acc; first by rewrite fact0 mul1n.n:nat
IHn:forall acc : nat, factorial_helper n acc = n`! * acc
acc:nat
factorial_helper n (n.+1 * acc) = (n.+1)`! * acc
by rewrite IHn factS mulnCA mulnA.
Qed.

And now we are able to prove our main correctness lemma:

Lemma factorial_iter_correct n :
  factorial_iter n = n`!.n:nat
factorial_iter n = n`!
Proof.n:nat
factorial_iter n = n`!
rewrite /factorial_iter.n:nat
factorial_helper n 1 = n`!
by rewrite factorial_helper_correct muln1.
Qed.

On searching for lemmas to use

Using the Search command can be tricky sometimes. For example, Search (1 * _) won't find what is needed to simplify 1 * n into n (and these are not definitionally equal).

The search results are unhelpful because this sort of lemma is formulated using the left_id defintion. Since looking for left_id would return a bit too many lemmas, let's narrow the search space down by telling the Search command to restrict the search result to containing _both_ [left_id] and [muln] definitions:

Search _ left_id muln.mul1n: left_id 1 muln

To learn more about this and related issues checkout this wiki page: https://github.com/math-comp/math-comp/wiki/Search.

Custom Induction Principles

Let's define a recursive Fibonacci function for the illustration purposes (yes, it's factorial and Fibonacci in one lecture, a combo!).

Our first attempt at defining the Fibonacci function is going to fail, perhaps surprisingly.

Fail Fixpoint fib (n : nat) : nat :=
  if n is n''.+2 then
    fib n'' + fib n''.+1
  else n.The command has indeed failed with message:
Recursive definition of fib is ill-formed.
In environment
fib : nat -> nat
n : nat
n0 : nat
n'' : nat
Recursive call to fib has principal argument equal to
"n''.+1" instead of
one of the following variables: "n0"
"n''".
Recursive definition is:
"fun n : nat =>
 match n with
 | n''.+2 => fib n'' + fib n''.+1
 | _ => n
 end".

Coq cannot figure out we are using structural recursion here, because it does not see n''.+1 is a subterm of n but it simply needs a hint.

Here is the hint: name a structural subterm explicitly using the as-annotation

Fixpoint fib (n : nat) : nat :=
  if n is (n''.+1 as n').+1 then
    fib n'' + fib n'
  else n.

But before we proceed we are going to need to change the reduction behavior of fib. Let's illustrate the issue by the means of an example.

Section Illustrate_simpl_nomatch.
Variable n : nat.

Lemma default_behavior :
  fib n.+2 = 0.n:nat
fib n.+2 = 0
Proof.n:nat
fib n.+2 = 0
move=> /=.n:nat
fib n +
match n with
| 0 => n.+1
| n''.+1 => fib n'' + fib n
end = 0

When doing proofs one usually does not want reduction to make the goals harder to read and understand and exposing a match-expression like this certainly makes it harder to read and understand. So fib n.+1 should not get simplified.

Abort.

Let's forbid simplification of fib if it ends up like that, exposing the underlying match-expression.

Arguments fib n : simpl nomatch.

Lemma after_simpl_nomatch :
  fib n.+2 = 0.n:nat
fib n.+2 = 0
Proof.n:nat
fib n.+2 = 0
move=> /=.n:nat
fib n + fib n.+1 = 0

This goal is what we want!

Abort.

End Illustrate_simpl_nomatch.

The results of the Arguments command does not survive sections so we have to repeat it here. (Actually there is a few things that don't survive sections, notations most notable).

Arguments fib n : simpl nomatch.

For the sake of demonstration of certain proof techniques let us define an iterative version of the Fibonacci function.

Fixpoint fib_iter (n : nat) (f0 f1 : nat) : nat :=
  if n is n'.+1 then
    fib_iter n' f1 (f0 + f1)
  else f0.

Arguments fib_iter : simpl nomatch.

Sometimes one just needs a one-step simplification lemma, so it can be done manually in our case. Although, the Equations plugin provides this functionality out-of-box.

Lemma fib_iterS n f0 f1 :
  fib_iter n.+1 f0 f1 = fib_iter n f1 (f0 + f1).n, f0, f1:nat
fib_iter n.+1 f0 f1 = fib_iter n f1 (f0 + f1)
Proof.n, f0, f1:nat
fib_iter n.+1 f0 f1 = fib_iter n f1 (f0 + f1) by []. Qed.

We are going to need the following helper lemma which says fib_iter behave like the Fibonacci function.

Lemma fib_iter_sum n f0 f1 :
  fib_iter n.+2 f0 f1 =
  fib_iter n f0 f1 + fib_iter n.+1 f0 f1.n, f0, f1:nat
fib_iter n.+2 f0 f1 =
fib_iter n f0 f1 + fib_iter n.+1 f0 f1
Proof.n, f0, f1:nat
fib_iter n.+2 f0 f1 =
fib_iter n f0 f1 + fib_iter n.+1 f0 f1

Notice we generalize the induction hypothesis here.

elim: n f0 f1 => [//|n IHn] f0 f1.n:nat
IHn:forall f0 f1 : nat,
fib_iter n.+2 f0 f1 = fib_iter n f0 f1 + fib_iter n.+1 f0 f1
f0, f1:nat
fib_iter n.+3 f0 f1 =
fib_iter n.+1 f0 f1 + fib_iter n.+2 f0 f1
rewrite fib_iterS.n:nat
IHn:forall f0 f1 : nat,
fib_iter n.+2 f0 f1 = fib_iter n f0 f1 + fib_iter n.+1 f0 f1
f0, f1:nat
fib_iter n.+2 f1 (f0 + f1) =
fib_iter n.+1 f0 f1 + fib_iter n.+2 f0 f1
rewrite IHn.n:nat
IHn:forall f0 f1 : nat,
fib_iter n.+2 f0 f1 = fib_iter n f0 f1 + fib_iter n.+1 f0 f1
f0, f1:nat
fib_iter n f1 (f0 + f1) + fib_iter n.+1 f1 (f0 + f1) =
fib_iter n.+1 f0 f1 + fib_iter n.+2 f0 f1
done.
Qed.

Now we can try proving the main correctness lemmas.

Lemma fib_iter_correct n :
  fib_iter n 0 1 = fib n.n:nat
fib_iter n 0 1 = fib n
Proof.n:nat
fib_iter n 0 1 = fib n
elim: n=> //= n IHn.n:nat
IHn:fib_iter n 0 1 = fib n
fib_iter n 1 (0 + 1) = fib n.+1

We have used //= switch here -- it combines // and /= into one

And we are stuck again. The induction hypothesis is not general enough.

Informally, regular induction works using the induction step from the previous value of n to go to the current and it work fine for functions with a simple recursion pattern, but fib uses two previous values of n to compute the next Fibonacci number and this calls for a more powerful induction pattern.

Abort.

Pair induction

To make the proof go through we can design a custom induction principle. This induction principle repeats, in a sense, the structure of the (recursive) Fibonacci function.

Lemma nat_ind2 (P : nat -> Prop) :
  P 0 ->
  P 1 ->
  (forall n, P n -> P n.+1 -> P n.+2) ->
  forall n, P n.

Compare this to the regular induction principle:

Lemma nat_ind (P : nat -> Prop) :
  P 0 ->
  (forall n, P n -> P n.+1) ->
  forall n, P n.

Now, let us prove nat_ind2:

Lemma nat_ind2 (P : nat -> Prop) :
  P 0 ->
  P 1 ->
  (forall n, P n -> P n.+1 -> P n.+2) ->
  forall n, P n.P:nat -> Prop
P 0 ->
P 1 ->
(forall n : nat, P n -> P n.+1 -> P n.+2) ->
forall n : nat, P n
Proof.P:nat -> Prop
P 0 ->
P 1 ->
(forall n : nat, P n -> P n.+1 -> P n.+2) ->
forall n : nat, P n
move=> p0 p1 Istep n.P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n

If we did regular induction we would get ourselves into the same trap as with fib_iter_correct lemma. So let's prove a _stronger_ goal instead. Why stronger goal? Because a stronger goal results in a stronger induction hypothesis!

Let's use the have tactic to do that. This tactic lets us to forward reasoning as opposed to backward reasoning we use with the apply tactic.

have: P n /\ P n.+1.P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n /\ P n.+1
P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n /\ P n.+1 -> P n

have generates two subgoals:

It makes us prove the new statement we specified.
It makes us prove the new statement implies our old goal.

-P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n /\ P n.+1
P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n /\ P n.+1 -> P n elim: n=> // n [IHn IHSn].P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
IHn:P n
IHSn:P n.+1
P n.+1 /\ P n.+2
P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n /\ P n.+1 -> P n
  split=> //.P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
IHn:P n
IHSn:P n.+1
P n.+2
P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n /\ P n.+1 -> P n
  by apply: Istep.P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n /\ P n.+1 -> P n
by case.

Let's refactor the proof into a more idiomatic one using the suff (suffices) tactic which is like have but swaps the two subgoals.

Restart.P:nat -> Prop
P 0 ->
P 1 ->
(forall n : nat, P n -> P n.+1 -> P n.+2) ->
forall n : nat, P n

move=> p0 p1 Istep n; suff: P n /\ P n.+1 by case.P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n /\ P n.+1
elim: n=> // n [IHn IHSn]; split=> //; exact: Istep.

An even shorter version would look something like so.

Restart.P:nat -> Prop
P 0 ->
P 1 ->
(forall n : nat, P n -> P n.+1 -> P n.+2) ->
forall n : nat, P n

move=> p0 p1 Istep n; suff: P n /\ P n.+1 by case.P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n /\ P n.+1
by elim: n=> // n [/Istep pn12] /[dup]/pn12.

Let us replay it one more time with some manual breaks in between.

Restart.P:nat -> Prop
P 0 ->
P 1 ->
(forall n : nat, P n -> P n.+1 -> P n.+2) ->
forall n : nat, P n

move=> p0 p1 Istep n; suffices: P n /\ P n.+1 by case.P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n /\ P n.+1
elim: n=> // n.P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
P n /\ P n.+1 -> P n.+1 /\ P n.+2
move=> [/Istep pn12].P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
pn12:P n.+1 -> P n.+2
P n.+1 -> P n.+1 /\ P n.+2
move=> /[dup].P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
pn12:P n.+1 -> P n.+2
P n.+1 -> P n.+1 -> P n.+1 /\ P n.+2
move=> /pn12.P:nat -> Prop
p0:P 0
p1:P 1
Istep:forall n : nat, P n -> P n.+1 -> P n.+2
n:nat
pn12:P n.+1 -> P n.+2
P n.+2 -> P n.+1 -> P n.+1 /\ P n.+2
done.
Qed.

We have used the /[dup] action to duplicate the assumption at the top of the goal stack.

Now we can apply the custom induction principle we just proved using elim/ind_principle version of the elim tactic. Notice that the slash symbol here does not mean "view" as in move /View.

Lemma fib_iter_correct n :
  fib_iter n 0 1 = fib n.n:nat
fib_iter n 0 1 = fib n
Proof.n:nat
fib_iter n 0 1 = fib n
elim/nat_ind2: n => // n IHn1 IHn2.n:nat
IHn1:fib_iter n 0 1 = fib n
IHn2:fib_iter n.+1 0 1 = fib n.+1
fib_iter n.+2 0 1 = fib n.+2
by rewrite fib_iter_sum IHn1 IHn2.
Qed.

Note: fib_iter_correct can be proven using the suffices tactic too: fib_iter n 0 1 = fib n /\ fib_iter n.+1 0 1 = fib n.+1.

Complete induction

Now we are going to cover an even more general induction principle called complete induction.x It's also called:

strong induction;

well-founded induction;

course-of-values induction.

The statement is called ltn_ind and looks like so:

(forall m, (forall k : nat, (k < m) -> P k) -> P m) ->
forall n, P n.

This means that to prove property P holds for an arbitrary natural number n, one can assume P holds for any k smaller than n.

Let's use this induction principle to prove fib_iter correct one more time

Lemma fib_iter_correct' n :
  fib_iter n 0 1 = fib n.n:nat
fib_iter n 0 1 = fib n
Proof.n:nat
fib_iter n 0 1 = fib n
elim/ltn_ind: n=> n IHn.n:nat
IHn:forall m : nat, m < n -> fib_iter m 0 1 = fib m
fib_iter n 0 1 = fib n
Fail case: n.The command has indeed failed with message:
n is used in hypothesis IHn.
n:nat
IHn:forall m : nat, m < n -> fib_iter m 0 1 = fib m
fib_iter n 0 1 = fib n
case: n IHn=> // n IHn.n:nat
IHn:forall m : nat, m < n.+1 -> fib_iter m 0 1 = fib m
fib_iter n.+1 0 1 = fib n.+1
case: n IHn=> // n IHn.n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
fib_iter n.+2 0 1 = fib n.+2
rewrite fib_iter_sum.n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
fib_iter n 0 1 + fib_iter n.+1 0 1 = fib n.+2
rewrite !IHn.n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
fib n + fib n.+1 = fib n.+2
n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
n.+1 < n.+2
n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
n < n.+2
-n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
fib n + fib n.+1 = fib n.+2
n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
n.+1 < n.+2
n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
n < n.+2 done.n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
n.+1 < n.+2
n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
n < n.+2
-n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
n.+1 < n.+2
n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
n < n.+2 done.n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
n < n.+2
done.

Restart.n:nat
fib_iter n 0 1 = fib n

A more idiomatic proof would look something like this.

elim/ltn_ind: n=> [] // [] // [] // n IHn.n:nat
IHn:forall m : nat, m < n.+2 -> fib_iter m 0 1 = fib m
fib_iter n.+2 0 1 = fib n.+2
by rewrite fib_iter_sum !IHn.
Qed.

Summary

Tactic/tactical summary

/=: simplification action;

//=: solve trivial subgoals and simplify;

elim/custom_induction_principle: we specify the induction principle to use;

have, suff (suffices): forward reasoning;

rewrite !E: rewrite 1 or more times with the equation E until no more rewrites are possible.