Motivational example

Lemma all_filter T (p : pred T) (s : seq T) :
  all p s -> filter p s = s.
T:Type
p:pred T
s:seq T
all p s -> [seq x <- s | p x] = s
Proof.
T:Type
p:pred T
s:seq T
all p s -> [seq x <- s | p x] = s

First of all, let's try and understand the goal we see here. There are several things:

• p : pred T means p is a computable predicate over type T, i.e. pred T is T -> bool;
• all p s means all elements of sequence s satisfy predicate p;
• [seq x <- s | p x] notation stands for filter (fun x => p x) s.

We can check all the above bullet points with the following three simple commands:

Print pred.
pred = fun T : Type => T -> bool
     : Type -> Type

Arguments pred _%type_scope
Check all.
all
     : pred ?T -> seq ?T -> bool
where
?T : [T : Type  p : pred T  s : seq T |- Type]
Locate "[ seq _ <- _ | _ ]".
Notation "[ 'seq' x <- s | C ]" :=
  (filter (fun x => C) s) : seq_scope
  (default interpretation)

But wait a minute, how come we can have a term of type bool as an assumption in our goal?

Check all p s : bool.
all p s : bool
     : bool
T:Type
p:pred T
s:seq T
all p s -> [seq x <- s | p x] = s

And why the following works at all?

Check all p s : Type.
all p s : Type
     : Type
T:Type
p:pred T
s:seq T
all p s -> [seq x <- s | p x] = s

This works because of the mechanism of implicit coercions Coq uses to make sense of goals like the current one. To see clearly what is going on here, use the following vernacular:

Set Printing Coercions.
T:Type
p:pred T
s:seq T
is_true (all p s) -> [seq x <- s | p x] = s

Now we can see Coq inserted the corcion is_true around all p s so the goal would actually make sense.

Print is_true.
is_true = eq^~ true
     : bool -> Prop

Arguments is_true _%bool_scope
is_true is a coercion

If eq^~ true does not really make sense for you:

Locate "^~".
Notation "f ^~ y" := (fun x => f x y) : fun_scope
  (default interpretation)

Another approach would be to unfold is_true:

rewrite /is_true.
T:Type
p:pred T
s:seq T
all p s = true -> [seq x <- s | p x] = s

Given the above, is_true b means b = true -- this is one way to embed booleans into Prop.

Unset Printing Coercions.
T:Type
p:pred T
s:seq T
all p s = true -> [seq x <- s | p x] = s

Now that we understand the goal we can prove it by induction on s:

elim: s => //= x s IHs.
T:Type
p:pred T
x:T
s:seq T
IHs:all p s = true -> [seq x <- s | p x] = s
p x && all p s = true ->
(if p x
 then x :: [seq x <- s | p x]
 else [seq x <- s | p x]) = x :: s

In our top assumption we have both p x which is needed to simplify the if-expression in the goal conclusion and all p s which is needed to apply the induction hypothesis. So, at this point we need to transform an assumption from its symbolic form ?x && ?y = true into its logical form ?x = true /\ ?y = true.

To do this we are going to use the mechanism of views supported by SSReflect.

move=> /andP.
T:Type
p:pred T
x:T
s:seq T
IHs:all p s = true -> [seq x <- s | p x] = s
p x /\ all p s ->
(if p x
 then x :: [seq x <- s | p x]
 else [seq x <- s | p x]) = x :: s

We already know the /lemma syntax as we saw how it works for lemmas which are implications. In this case it's something like this as well, although there is some implicit machinery at work too. The mechanism is called view hints and we are going to cover it later. The rest of the proof is very straightforward.

case.
T:Type
p:pred T
x:T
s:seq T
IHs:all p s = true -> [seq x <- s | p x] = s
p x ->
all p s ->
(if p x
 then x :: [seq x <- s | p x]
 else [seq x <- s | p x]) = x :: s
move=> ->.
T:Type
p:pred T
x:T
s:seq T
IHs:all p s = true -> [seq x <- s | p x] = s
all p s -> x :: [seq x <- s | p x] = x :: s
move/IHs.
T:Type
p:pred T
x:T
s:seq T
IHs:all p s = true -> [seq x <- s | p x] = s
[seq x <- s | p x] = s ->
x :: [seq x <- s | p x] = x :: s
move=>->.
T:Type
p:pred T
x:T
s:seq T
IHs:all p s = true -> [seq x <- s | p x] = s
x :: s = x :: s
done.

Let us refactor the proof above into something more idiomatic

Restart.
T:Type
p:pred T
s:seq T
all p s -> [seq x <- s | p x] = s

by elim: s=> //= x s IHs /andP[-> /IHs->].
Qed.

reflect-predicate: definition

So, what is reflect in the type of andP from above?

About andP.
andP :
forall {b1 b2 : bool}, reflect (b1 /\ b2) (b1 && b2)

andP is not universe polymorphic
Arguments andP {b1 b2}%bool_scope
andP is opaque
Expands to: Constant Coq.ssr.ssrbool.andP

Print reflect.
Notation reflect := Bool.reflect
Print Bool.reflect.
Inductive reflect (P : Prop) : bool -> Set :=
    ReflectT : P -> reflect P true
  | ReflectF : ~ P -> reflect P false

Arguments Bool.reflect _%type_scope _%bool_scope
Arguments Bool.ReflectT _%type_scope _
Arguments Bool.ReflectF _%type_scope _

The reflect type family (or indexed type, in other words) connects a decidable proposition to the corresponding boolean expression. This is not the first time we come across an indexed type but it's the first time we run into an indexed type with two constructors where we can clearly see the difference between parameters (which have to be fixed across constructors, P here is a parameter) and indices (which can vary between constructors). In this case, type-level boolean term indicates which constructor has been used to construct a term of type reflect P b, e.g. when one has a term of type reflect P true they know the ReflectT constructor has been used to construct the term which means we have a proof of P we can get by pattern-matching on a term of type reflect P true. (And pattern-matching on a term of type reflect P false yields a refutation of P.)

Goal forall P, reflect P true -> P.
forall P : Prop, reflect P true -> P
move=> P.
P:Prop
reflect P true -> P
exact: (
  fun r : reflect P true =>
    match
      r in reflect _ b
      return (b = true -> P)
    with
    | ReflectT p => fun E => p
    | ReflectF np => fun E => ltac:(done)
    end erefl).

Undo.
P:Prop
reflect P true -> P
case.
P:Prop
P -> P
P:Prop
~ P -> P

case actually leads to unprovable goals here. It's not intelligent enough to solve this goal which requires dependent pattern matching. We need to use a special version of case for type families. Here is the syntax we need to solve this.

Undo.
P:Prop
reflect P true -> P

move=> R.
P:Prop
R:reflect P true
P
case E: true / R.
P:Prop
_p_:P
E:true = true
P
P:Prop
_n_:~ P
E:true = false
P

To the right of / we put a term (R in this case) we are going to case analyse -- this needs to be a type family. And to the left of / we put the indices of the type family we'd like to get substituted. Notice that we need to keep the relation between the original value of the index true and its values inside the branches of the underlying match-expression and this is what E in case: E is for.

-
P:Prop
_p_:P
E:true = true
P
P:Prop
_n_:~ P
E:true = false
P done.
P:Prop
_n_:~ P
E:true = false
P
done.

Restart.
forall P : Prop, reflect P true -> P

Instead of move=> R; case E: true / R we can use a shorhand:

by move=> P; case E: true /.

Restart.
forall P : Prop, reflect P true -> P

Moreover, SSReflect can figure out the indices on its own:

by move=> P; case E: _/.
Qed.

A lemma like reflect P false -> ~ P can be proved analogously.

To reinforce what has been said already, let us formally prove several lemmas about reflect. For instance, we can show P if and only if b = true as two separate lemmas.

Lemma introT_my (P : Prop) (b : bool) :
  reflect P b -> (P -> b).
P:Prop
b:bool
reflect P b -> P -> b
Proof.
P:Prop
b:bool
reflect P b -> P -> b
case.
P:Prop
b:bool
P -> P -> true
P:Prop
b:bool
~ P -> P -> false

The index b here works as a rewrite rule.

-
P:Prop
b:bool
P -> P -> true
P:Prop
b:bool
~ P -> P -> false done.
P:Prop
b:bool
~ P -> P -> false
by move=> /[apply].
Qed.

The other direction is left as an exercise for the reader.

Lemma elimT_my (P : Prop) (b : bool) :
  reflect P b -> (b -> P).
P:Prop
b:bool
reflect P b -> b -> P
Admitted.

Essentially, we have shown reflect P b -> (b <-> P), i.e. reflect P b connects a decidable proposition P to its decision procedure (the boolean expression b).

For example, we can show reflect P b lets us use classical reasoning (exercise):

Lemma reflect_lem P b :
  reflect P b -> P \/ ~ P.
P:Prop
b:bool
reflect P b -> P \/ ~ P
Admitted.

Lets look at how to build reflect-predicates for a couple of standard connectives.

Lemma andP_my (b c : bool) :
  reflect (b /\ c) (b && c).
b, c:bool
reflect (b /\ c) (b && c)
Proof.
b, c:bool
reflect (b /\ c) (b && c)
case: b.
c:bool
reflect (true /\ c) (true && c)
c:bool
reflect (false /\ c) (false && c)
-
c:bool
reflect (true /\ c) (true && c)
c:bool
reflect (false /\ c) (false && c) case: c.
reflect (true /\ true) (true && true)
reflect (true /\ false) (true && false)
c:bool
reflect (false /\ c) (false && c)
  -
reflect (true /\ true) (true && true)
reflect (true /\ false) (true && false)
c:bool
reflect (false /\ c) (false && c) constructor.
true /\ true
reflect (true /\ false) (true && false)
c:bool
reflect (false /\ c) (false && c)
    done.
reflect (true /\ false) (true && false)
c:bool
reflect (false /\ c) (false && c)
  -
reflect (true /\ false) (true && false)
c:bool
reflect (false /\ c) (false && c) constructor.
~ (true /\ false)
c:bool
reflect (false /\ c) (false && c)
    by case.
c:bool
reflect (false /\ c) (false && c)
-
c:bool
reflect (false /\ c) (false && c) constructor.
c:bool
~ (false /\ c)

Restart.
b, c:bool
reflect (b /\ c) (b && c)

An idiomatic solution would look something like so:

by case: b; case: c; constructor=> //; case.
Qed.

Lemma nandP_my b c :
  reflect (~~ b \/ ~~ c) (~~ (b && c)).
b, c:bool
reflect (~~ b \/ ~~ c) (~~ (b && c))
Proof.
b, c:bool
reflect (~~ b \/ ~~ c) (~~ (b && c))
case: b; case: c; constructor.
~ (~~ true \/ ~~ true)
~~ true \/ ~~ false
~~ false \/ ~~ true
~~ false \/ ~~ false
-
~ (~~ true \/ ~~ true)
~~ true \/ ~~ false
~~ false \/ ~~ true
~~ false \/ ~~ false by case.
~~ true \/ ~~ false
~~ false \/ ~~ true
~~ false \/ ~~ false
-
~~ true \/ ~~ false
~~ false \/ ~~ true
~~ false \/ ~~ false by right.
~~ false \/ ~~ true
~~ false \/ ~~ false
-
~~ false \/ ~~ true
~~ false \/ ~~ false by left.
~~ false \/ ~~ false
by left.

Restart.
b, c:bool
reflect (~~ b \/ ~~ c) (~~ (b && c))

This seems to be a rare opportunity for an automatic tactic to fill in the blanks for us: the intuition tactic can take care of the subgoals generated by our brute force approach.

by case: b; case: c; constructor; intuition.
Qed.

Sometimes we will need to use reflect b b as a placeholder. This is an easy exercise.

Lemma idP_my (b : bool) :
  reflect b b.
b:bool
reflect b b
Admitted.

Using reflection views on assumptions

Let's continue figuring out how and why andP works.

Lemma special_support_for_reflect_predicates b c :
  b && c -> b /\ c.
b, c:bool
b && c -> b /\ c
Proof.
b, c:bool
b && c -> b /\ c
move/andP.
b, c:bool
b /\ c -> b /\ c
Show Proof.
(fun (b c : bool) (_view_subject_ : b && c) =>
 ?Goal (elimTF andP _view_subject_))
b, c:bool
b /\ c -> b /\ c

We see andP in a context of elimTF, let's see what it is.

About elimTF.
elimTF :
forall [P : Prop] [b c : bool],
reflect P b -> b = c -> if c then P else ~ P

elimTF is not universe polymorphic
Arguments elimTF [P]%type_scope [b c]%bool_scope _ _
elimTF is opaque
Expands to: Constant Coq.ssr.ssrbool.elimTF
b, c:bool
b /\ c -> b /\ c

elimTF is a generalization of elimT we proved above.

Restart.
b, c:bool
b && c -> b /\ c

Let us see what is going on when we say move/andP:

move=> Hb.
b, c:bool
Hb:b && c
b /\ c
Check @elimTF (b /\ c) (b && c) true (@andP b c) Hb.
elimTF andP Hb
     : b /\ c
b, c:bool
Hb:b && c
b /\ c
move: Hb.
b, c:bool
b && c -> b /\ c
move/(@elimTF (b /\ c) (b && c) true (@andP b c)).
b, c:bool
b /\ c -> b /\ c

But where elimTF comes from? SSReflect uses the mechanism of view hints which provide some wrapping lemmas such as elimTF above. The user can add a new view hint using the Hint View vernacular Hint View for move/ elimTF|3.

Here elimTF is declared as a view hint for the move/ command. The (optional) number 3 specifies the number of implicit arguments to be considered for the declared hint view lemma.

The ssrbool.v module already declares a numbers of view hints, so adding new ones should be justified. For instance, one might need to do it if one defines a new logical connective.

exact: id.
Qed.

But why is elimTF's type so complex? Because it's applicable not only in the case the goal's top assumtion is of the form b && c, but it also works for b && c = false.

Lemma special_support_for_reflect_predicates' b c :
  (b && c) = false -> ~ (b /\ c).
b, c:bool
b && c = false -> ~ (b /\ c)
Proof.
b, c:bool
b && c = false -> ~ (b /\ c)
move/andP.
b, c:bool
~ (b /\ c) -> ~ (b /\ c)
Show Proof.
(fun (b c : bool) (_view_subject_ : b && c = false) =>
 ?Goal (elimTF andP _view_subject_))
b, c:bool
~ (b /\ c) -> ~ (b /\ c)

Restart.
b, c:bool
b && c = false -> ~ (b /\ c)
move=> Hb.
b, c:bool
Hb:b && c = false
~ (b /\ c)
Check @elimTF (b /\ c) (b && c) false (@andP b c) Hb.
elimTF andP Hb
     : ~ (b /\ c)
b, c:bool
Hb:b && c = false
~ (b /\ c)

exact: @elimTF (b /\ c) (b && c) false (@andP b c) Hb.
Qed.

Reflection views usually work in both directions

Lemma special_support_for_reflect_predicates'' (b c : bool) :
  b /\ c -> b && c.
b, c:bool
b /\ c -> b && c
Proof.
b, c:bool
b /\ c -> b && c
move=> /andP.
b, c:bool
b && c -> b && c
Show Proof.
(fun (b c : bool) (_view_subject_ : b /\ c) =>
 ?Goal (introT andP _view_subject_))
b, c:bool
b && c -> b && c
About introT.
introT :
forall [P : Prop] [b : bool], reflect P b -> P -> b

introT is not universe polymorphic
Arguments introT [P]%type_scope [b]%bool_scope _ _
introT is opaque
Expands to: Constant Coq.ssr.ssrbool.introT
b, c:bool
b && c -> b && c

introT view hint gets implicitly inserted because it is also declared with Hint View command.

done.
Qed.

Switching views at the goal

Lemma special_support_for_reflect_predicates''' (b c : bool) :
  b /\ c -> b && c.
b, c:bool
b /\ c -> b && c
Proof.
b, c:bool
b /\ c -> b && c
move=> bc.
b, c:bool
bc:b /\ c
b && c

If we'd like, instead of the assumption, change the goal, we can use apply/ tactic:

apply/andP.
b, c:bool
bc:b /\ c
b /\ c

Show Proof.
(fun (b c : bool) (bc : b /\ c) =>
 [eta introTF andP] ?Goal)
b, c:bool
bc:b /\ c
b /\ c

In this case the introTF view hint gets inserted because the ssrbool module introduces the correspoding view hint: Hint View for apply/ introTF|3

About introTF.
introTF :
forall [P : Prop] [b c : bool],
reflect P b -> (if c then P else ~ P) -> b = c

introTF is not universe polymorphic
Arguments introTF [P]%type_scope [b c]%bool_scope _ _
introTF is opaque
Expands to: Constant Coq.ssr.ssrbool.introTF
b, c:bool
bc:b /\ c
b /\ c
done.
Qed.

Again, introTF is a general lemma to accomodate goals of the form _ = false.

Lemma special_support_for_reflect_predicates'''' (b c : bool) :
  ~ (b /\ c) -> b && c = false.
b, c:bool
~ (b /\ c) -> b && c = false
Proof.
b, c:bool
~ (b /\ c) -> b && c = false
move=> ab.
b, c:bool
ab:~ (b /\ c)
b && c = false
apply/andP.
b, c:bool
ab:~ (b /\ c)
~ (b /\ c)
Show Proof.
(fun (b c : bool) (ab : ~ (b /\ c)) =>
 [eta introTF andP] ?Goal)
b, c:bool
ab:~ (b /\ c)
~ (b /\ c)
About introTF.
introTF :
forall [P : Prop] [b c : bool],
reflect P b -> (if c then P else ~ P) -> b = c

introTF is not universe polymorphic
Arguments introTF [P]%type_scope [b c]%bool_scope _ _
introTF is opaque
Expands to: Constant Coq.ssr.ssrbool.introTF
b, c:bool
ab:~ (b /\ c)
~ (b /\ c)
done.
Qed.

Let's look at some more machinery to work with specifiations for decision procedures. We are going to look at the eqn -- the decision procedure for equality on the nat type.

Lemma eqnP_my (n m : nat) :
  reflect (n = m) (eqn n m).
n, m:nat
reflect (n = m) (eqn n m)
Proof.
n, m:nat
reflect (n = m) (eqn n m)

One way to prove this is to turn [reflect] into a bi-implication and prove the two directions by induction separately. An idiomatic way to do that is as follows:

apply: (iffP idP).
n, m:nat
eqn n m -> n = m
n, m:nat
n = m -> eqn n m

About iffP.
iffP :
forall [P Q : Prop] [b : bool],
reflect P b -> (P -> Q) -> (Q -> P) -> reflect Q b

iffP is not universe polymorphic
Arguments iffP [P Q]%type_scope [b]%bool_scope _ (_
  _)%function_scope
iffP is opaque
Expands to: Constant Coq.ssr.ssrbool.iffP
n, m:nat
eqn n m -> n = m
n, m:nat
n = m -> eqn n m

We need the trivial reflection view idP here to convert the boolean expression eqn n m to the proposition eqn n m = true (you don't see the = true part in the subgoals because of the is_true coercion).

The rest of the proof should be trivial at this point.

-
n, m:nat
eqn n m -> n = m
n, m:nat
n = m -> eqn n m by elim: n m => [|n IHn] [|m] //= /IHn->.
n, m:nat
n = m -> eqn n m
by move=> ->; elim: m.
Qed.

Here is an example of using iffP with a non-idP argument. Here we use eqType -- a type with decidable equality and some machinery associated with it, like eqP.

Lemma nseqP (T : eqType) n (x y : T) :
  reflect (y = x /\ n > 0) (y \in nseq n x).
T:eqType
n:nat
x, y:T
reflect (y = x /\ 0 < n) (y \in nseq n x)
Proof.
T:eqType
n:nat
x, y:T
reflect (y = x /\ 0 < n) (y \in nseq n x)
rewrite mem_nseq.
T:eqType
n:nat
x, y:T
reflect (y = x /\ 0 < n) ((0 < n) && (y == x))
rewrite andbC.
T:eqType
n:nat
x, y:T
reflect (y = x /\ 0 < n) ((y == x) && (0 < n))
apply: (iffP andP).
T:eqType
n:nat
x, y:T
y == x /\ 0 < n -> y = x /\ 0 < n
T:eqType
n:nat
x, y:T
y = x /\ 0 < n -> y == x /\ 0 < n
-
T:eqType
n:nat
x, y:T
y == x /\ 0 < n -> y = x /\ 0 < n
T:eqType
n:nat
x, y:T
y = x /\ 0 < n -> y == x /\ 0 < n case.
T:eqType
n:nat
x, y:T
y == x -> 0 < n -> y = x /\ 0 < n
T:eqType
n:nat
x, y:T
y = x /\ 0 < n -> y == x /\ 0 < n
  move/eqP.
T:eqType
n:nat
x, y:T
y = x -> 0 < n -> y = x /\ 0 < n
T:eqType
n:nat
x, y:T
y = x /\ 0 < n -> y == x /\ 0 < n
  About eqP.
eqP : forall {T : eqType}, Equality.axiom eq_op

eqP is not universe polymorphic
Expanded type for implicit arguments
eqP :
forall {T : eqType} {x y : T},
reflect (x = y) (x == y)

Arguments eqP {T x y}
eqP is opaque
Expands to: Constant mathcomp.ssreflect.eqtype.eqP
T:eqType
n:nat
x, y:T
y = x -> 0 < n -> y = x /\ 0 < n
T:eqType
n:nat
x, y:T
y = x /\ 0 < n -> y == x /\ 0 < n
  move=>->.
T:eqType
n:nat
x, y:T
0 < n -> x = x /\ 0 < n
T:eqType
n:nat
x, y:T
y = x /\ 0 < n -> y == x /\ 0 < n
  done.
T:eqType
n:nat
x, y:T
y = x /\ 0 < n -> y == x /\ 0 < n
case=> ->->.
T:eqType
n:nat
x, y:T
x == x /\ true
rewrite eq_refl.
T:eqType
n:nat
x, y:T
true /\ true
done.

A more idiomatic solution

Restart.
T:eqType
n:nat
x, y:T
reflect (y = x /\ 0 < n) (y \in nseq n x)

rewrite mem_nseq andbC; apply: (iffP andP) => [[/eqP]|[/eqP]].
T:eqType
n:nat
x, y:T
y = x -> 0 < n -> y = x /\ 0 < n
T:eqType
n:nat
x, y:T
y == x -> 0 < n -> y == x /\ 0 < n

There is some code duplication here which can be reduced using -[ ] syntax:

Restart.
T:eqType
n:nat
x, y:T
reflect (y = x /\ 0 < n) (y \in nseq n x)
by rewrite mem_nseq andbC; apply: (iffP andP)=> -[/eqP].

We cannot say just [/eqP] because Coq expects us to provide tactics for both subgoals and not just one. To bypass this restriction we use the - syntax.

Qed.

Rewriting with reflect predicates

One can rewrite with view lemmas if those represent equations, like maxn_idPl.

About maxn_idPl.
maxn_idPl :
forall {m n : nat}, reflect (maxn m n = m) (n <= m)

maxn_idPl is not universe polymorphic
Arguments maxn_idPl {m n}%nat_scope
maxn_idPl is opaque
Expands to: Constant
mathcomp.ssreflect.ssrnat.maxn_idPl

Let's see an example:

Lemma leq_max m n1 n2 :
  (m <= maxn n1 n2) = (m <= n1) || (m <= n2).
m, n1, n2:nat
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
Proof.
m, n1, n2:nat
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
case/orP: (leq_total n2 n1) => [le_n21 | le_n12].
m, n1, n2:nat
le_n21:n2 <= n1
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:n1 <= n2
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
About leq_total.
leq_total : forall m n : nat, (m <= n) || (n <= m)

leq_total is not universe polymorphic
Arguments leq_total (_ _)%nat_scope
leq_total is opaque
Expands to: Constant
mathcomp.ssreflect.ssrnat.leq_total
m, n1, n2:nat
le_n21:n2 <= n1
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:n1 <= n2
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
-
m, n1, n2:nat
le_n21:n2 <= n1
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:n1 <= n2
(m <= maxn n1 n2) = (m <= n1) || (m <= n2) Search (maxn ?n1 ?n2 = ?n1).
minKn: forall m n : nat, maxn n (minn m n) = n
maxn_idPl:
  forall {m n : nat}, reflect (maxn m n = m) (n <= m)
m, n1, n2:nat
le_n21:n2 <= n1
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:n1 <= n2
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
  rewrite (maxn_idPl le_n21).
m, n1, n2:nat
le_n21:n2 <= n1
(m <= n1) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:n1 <= n2
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)

Why does this trick work?

Check (maxn_idPl le_n21).
maxn_idPl le_n21
     : maxn n1 n2 = n1
m, n1, n2:nat
le_n21:n2 <= n1
(m <= n1) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:n1 <= n2
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)

OK, this is an ordinary equation, no wonder rewrite works. The view lemma [maxn_idPl] is not a function but behaves like one here. Let us check coercions!

Set Printing Coercions.
m, n1, n2:nat
le_n21:is_true (n2 <= n1)
(m <= n1) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:is_true (n1 <= n2)
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
Check (maxn_idPl le_n21).
elimT maxn_idPl le_n21
     : maxn n1 n2 = n1
m, n1, n2:nat
le_n21:is_true (n2 <= n1)
(m <= n1) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:is_true (n1 <= n2)
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)

No magic: elimT get implicitly inserted.

Unset Printing Coercions.
m, n1, n2:nat
le_n21:n2 <= n1
(m <= n1) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:n1 <= n2
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)

About elimT.
elimT :
forall [P : Prop] [b : bool], reflect P b -> b -> P

elimT is not universe polymorphic
Arguments elimT [P]%type_scope [b]%bool_scope _ _
elimT is a coercion
elimT is opaque
Expands to: Constant Coq.ssr.ssrbool.elimT
m, n1, n2:nat
le_n21:n2 <= n1
(m <= n1) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:n1 <= n2
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)

elimT is a coercion from reflect to Funclass, which means it gets inserted when one uses a view lemma as a function.

Essentially we invoke the following tactic:

Undo.
m, n1, n2:nat
le_n21:n2 <= n1
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:n1 <= n2
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
rewrite (elimT maxn_idPl le_n21).
m, n1, n2:nat
le_n21:n2 <= n1
(m <= n1) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n12:n1 <= n2
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)

One can easily finish the proof, but let's simplify it first.

Restart.
m, n1, n2:nat
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)

We remove the symmetrical case first:

without loss le_n21: n1 n2 / n2 <= n1.
m, n1, n2:nat
(forall n1 n2 : nat,
 n2 <= n1 ->
 (m <= maxn n1 n2) = (m <= n1) || (m <= n2)) ->
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n21:n2 <= n1
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
-
m, n1, n2:nat
(forall n1 n2 : nat,
 n2 <= n1 ->
 (m <= maxn n1 n2) = (m <= n1) || (m <= n2)) ->
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
m, n1, n2:nat
le_n21:n2 <= n1
(m <= maxn n1 n2) = (m <= n1) || (m <= n2) by case/orP: (leq_total n2 n1) => le; last rewrite maxnC orbC; apply.
m, n1, n2:nat
le_n21:n2 <= n1
(m <= maxn n1 n2) = (m <= n1) || (m <= n2)
rewrite (maxn_idPl le_n21).
m, n1, n2:nat
le_n21:n2 <= n1
(m <= n1) = (m <= n1) || (m <= n2)

The rest is an exercise

Abort.

A specification example

About allP.
allP :
forall {T : eqType} {a : pred T} {s : seq T},
reflect {in s, forall x : T, a x} (all a s)

allP is not universe polymorphic
Arguments allP {T a} {s}%seq_scope
allP is opaque
Expands to: Constant mathcomp.ssreflect.seq.allP

Check out some other specs in the seq and ssrnat modules!

Search reflect inside seq.
nilP:
  forall {T : Type} {s : seq T},
  reflect (s = [::]) (nilp s)
all_filterP:
  forall {T : Type} {a : pred T} {s : seq T},
  reflect ([seq x <- s | a x] = s) (all a s)
perm_nilP:
  forall {T : eqType} {s : seq T},
  reflect (s = [::]) (perm_eq s [::])
natnseq0P:
  forall s : seq nat,
  reflect (s = nseq (size s) 0) (sumn s == 0)
permPl:
  forall {T : eqType} {s1 s2 : seq T},
  reflect (perm_eql s1 s2) (perm_eq s1 s2)
permPr:
  forall {T : eqType} {s1 s2 : seq T},
  reflect (perm_eq^~ s1 =1 perm_eq^~ s2)
    (perm_eq s1 s2)
all_nthP:
  forall {T : Type} {a : pred T} {s : seq T} (x0 : T),
  reflect
    (forall i : nat, i < size s -> a (nth x0 s i))
    (all a s)
constantP:
  forall [T : eqType],
  T ->
  forall s : seq T,
  reflect (exists x : T, s = nseq (size s) x)
    (constant s)
all_pred1P:
  forall [T : eqType] (x : T) (s : seq T),
  reflect (s = nseq (size s) x) (all (pred1 x) s)
has_nthP:
  forall {T : Type} {a : pred T} {s : seq T} (x0 : T),
  reflect
    (exists2 i : nat, i < size s & a (nth x0 s i))
    (has a s)
permP:
  forall {T : eqType} {s1 s2 : seq T},
  reflect (count^~ s1 =1 count^~ s2) (perm_eq s1 s2)
allP:
  forall {T : eqType} {a : pred T} {s : seq T},
  reflect {in s, forall x : T, a x} (all a s)
hasP:
  forall {T : eqType} {a : pred T} {s : seq T},
  reflect (exists2 x : T, x \in s & a x) (has a s)
count_memPn:
  forall {T : eqType} {x : T} {s : seq T},
  reflect (count_mem x s = 0) (x \notin s)
seq.nseqP:
  forall {T : eqType} {n : nat} {x y : T},
  reflect (y = x /\ 0 < n) (y \in nseq n x)
subseqP:
  forall {T : eqType} {s1 s2 : seq T},
  reflect
    (exists2 m : seq bool,
       size m = size s2 & s1 = mask m s2)
    (subseq s1 s2)
allPP:
  forall [T : eqType] [a : pred T] (s : seq T)
    [A : T -> Prop],
  (forall x : T, reflect (A x) (a x)) ->
  reflect {in s, forall x : T, A x} (all a s)
allPn:
  forall {T : eqType} {a : pred T} {s : seq T},
  reflect (exists2 x : T, x \in s & ~~ a x)
    (~~ all a s)
hasPn:
  forall {T : eqType} {a : pred T} {s : seq T},
  reflect {in s, forall x : T, ~~ a x} (~~ has a s)
subseq_uniqP:
  forall [T : eqType] [s1 s2 : seq T],
  uniq s2 ->
  reflect (s1 = [seq x <- s2 | mem s1 x])
    (subseq s1 s2)
hasPP:
  forall [T : eqType] [a : pred T] (s : seq T)
    [A : T -> Prop],
  (forall x : T, reflect (A x) (a x)) ->
  reflect (exists2 x : T, x \in s & A x) (has a s)
nthP:
  forall {T : eqType} {s : seq T} {x : T} (x0 : T),
  reflect
    (exists2 i : nat, i < size s & nth x0 s i = x)
    (x \in s)
perm_consP:
  forall {T : eqType} {x : T} {s t : seq T},
  reflect
    (exists (i : nat) (u : seq T),
       rot i t = x :: u /\ perm_eq u s)
    (perm_eq t (x :: s))
uniqPn:
  forall {T : eqType} (x0 : T) {s : seq T},
  reflect
    (exists i j : nat,
       [/\ i < j, j < size s
         & nth x0 s i = nth x0 s j]) (~~ uniq s)
mapP:
  forall {T1 T2 : eqType} {f : T1 -> T2} {s : seq T1}
    {y : T2},
  reflect (exists2 x : T1, x \in s & y = f x)
    (y \in [seq f i | i <- s])
uniqP:
  forall {T : eqType} (x0 : T) {s : seq T},
  reflect {in gtn (size s) &, injective (nth x0 s)}
    (uniq s)
flattenP:
  forall {T : eqType} {A : seq (seq T)} {x : T},
  reflect
    (exists2 s : seq_eqType T, s \in A & x \in s)
    (x \in flatten A)
perm_iotaP:
  forall {T : eqType} {s t : seq T} (x0 : T),
  let It := iota 0 (size t) in
  reflect
    (exists2 Is : seq nat_eqType,
       perm_eq Is It & s = [seq nth x0 t i | i <- Is])
    (perm_eq s t)
leq_uniq_countP:
  forall [T : eqType] (x : T) [s1 : seq T]
    (s2 : seq T),
  uniq s1 ->
  reflect (x \in s1 -> x \in s2)
    (count_mem x s1 <= count_mem x s2)
allrelP:
  forall {T S : eqType} {r : T -> S -> bool}
    {xs : seq_predType T} {ys : seq_predType S},
  reflect {in xs & ys, forall (x : T) (y : S), r x y}
    (allrel r xs ys)
flatten_mapP:
  forall {S T : eqType} {A : S -> seq T}
    {s : seq_predType S} {y : T},
  reflect (exists2 x : S, x \in s & y \in A x)
    (y \in flatten [seq A i | i <- s])
all_allpairsP:
  forall {S : eqType} {T : S -> eqType} {R : Type}
    {p : pred R} {f : forall x : S, T x -> R}
    {s : seq S} {t : forall x : S, seq (T x)},
  reflect
    (forall (x : S) (y : T x),
     x \in s -> y \in t x -> p (f x y))
    (all p [seq f x y | x <- s, y <- t x])
allpairsPdep:
  forall {S : eqType} {T : S -> eqType} {R : eqType}
    {f : forall x : S, T x -> R} {s : seq S}
    {t : forall x : S, seq (T x)} {z : R},
  reflect
    (exists (x : S) (y : T x),
       [/\ x \in s, y \in t x & z = f x y])
    (z \in [seq f x y | x <- s, y <- t x])
allpairsP:
  forall {S T R : eqType} {f : S -> T -> R}
    {s : seq S} {t : seq T} {z : R},
  reflect
    (exists p : S * T,
       [/\ p.1 \in s, p.2 \in t & z = f p.1 p.2])
    (z \in [seq f x y | x <- s, y <- t])
Search reflect inside ssrnat.
leqif_refl:
  forall (m : nat) (C : bool),
  reflect (m <= m ?= iff C) C
leP:
  forall {m n : nat},
  reflect (m <= n)%coq_nat (m <= n)
ltP:
  forall {m n : nat}, reflect (m < n)%coq_nat (m < n)
minn_idPr:
  forall {m n : nat}, reflect (minn m n = n) (n <= m)
minn_idPl:
  forall {m n : nat}, reflect (minn m n = m) (m <= n)
maxn_idPr:
  forall {m n : nat}, reflect (maxn m n = n) (m <= n)
maxn_idPl:
  forall {m n : nat}, reflect (maxn m n = m) (n <= m)
leqifP:
  forall (m n : nat) (C : bool),
  reflect (m <= n ?= iff C)
    (if C then m == n else m < n)

The inside syntax lets one look for lemmas inside a particular module only.

Vernacular

• Set Printing Coercions: turn on printing of implicit coercions -- very useful to better understand goals.
• Search <pattern> inside <module>: narrow the scope of searching to a particular module.

Tactic/tactical summary

• - action: can be used to connect unrelated views (move=> /V1 - /V2) or to force the interpretation of [] as case splitting when multiple subgoals are generated; -[/eqP].
• case ident: term: case analyse on term and keep the corresponding equation in the context under the name of ident.
• case: index_pattern / type_family: case analyse on a term of indexed type and perform substitutions of its indices according to index_pattern.
• constructor: try to pick a data constructor automatically.
• intuition: a solver for propositional intuitionistic logic.
• without loss or wlog: "without loss of generality"-style reasoning.
• apply/view_lemma: use the view mechanism on the conclusion of the goal. Can be chained together like apply/VL1/VL2/VL3.
• rewrite tactic supports patterns: rewrite [<pattern>]<equation>.