Reasoning over functions applied to lists of nat in Coq

Question

We are working on verifying a system with three functions that looks like the following. However, we do not know how to proceed further with proofs like this. Actual definitions of the Coq functions may be shared. Kindly guide us.

Parameter weights : nat -> list nat -> nat -> nat.
Parameter schedule: nat -> list nat -> list nat. 
Parameter count: nat -> list nat -> nat.

Lemma high_weight_jobs: forall (s1 s2 jobs: nat) (S: list nat), 
  jobs > 0 ->
  length S > 0 ->
  weights s1 S 0 > weights s2 S 0 -> 
  count s1 (schedule jobs S) > count s2 (schedule jobs S).
Proof.
 intros.
 induction S as [ | h tl IHS].
 + simpl in *. inversion H0.
 + 
 Admitted.

Answer 1

You should start with thinking about what properties of these 3 functions you would need to prove this. It is usually not a good idea to proof a combined property of 3 functions based on the definitions of these 3 functions. First you prove properties of the 3 individual functions and then you prove the combined property based on these individual function properties.

You can first state such properties as axioms and see if they are indeed sufficient to prove what you want and then prove them later. I find this approach sometimes more efficient because I sometimes reformulate statements so that they are more convenient in the proof.

I also commonly use modules to abstract the definitions of functions and just use the specified properties of the functions to prove derived properties. This way you can abstract such properties from the actual implementation of the functions. This is helpful if you later need to extend one of the functions in some way. If all the properties still hold, derived proofs wouldn't be affected. If you do proofs based on the definitions, any such proof would very likely break with a change of the function.

For a further discussion, I suggest that you state the specification/properties of the 3 functions you think you need to prove this.