%

 \begin{isabellebody}%

 \def\isabellecontext{Induction}%

 %

 \begin{isamarkuptext}%

 Assuming we have defined our function such that Isabelle could prove

 termination and that the recursion equations (or some suitable derived

 equations) are simplification rules, we might like to prove something about

 our function. Since the function is recursive, the natural proof principle is

 again induction. But this time the structural form of induction that comes

 with datatypes is unlikely to work well --- otherwise we could have defined the

 function by \isacommand{primrec}. Therefore \isacommand{recdef} automatically

 proves a suitable induction rule $f$\isa{{\isachardot}induct} that follows the

 recursion pattern of the particular function $f$. We call this

 \textbf{recursion induction}. Roughly speaking, it

 requires you to prove for each \isacommand{recdef} equation that the property

 you are trying to establish holds for the left-hand side provided it holds

 for all recursive calls on the right-hand side. Here is a simple example

 involving the predefined \isa{map} functional on lists:%

 \end{isamarkuptext}%

 \isacommand{lemma}\ {\isachardoublequote}map\ f\ {\isacharparenleft}sep{\isacharparenleft}x{\isacharcomma}xs{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ sep{\isacharparenleft}f\ x{\isacharcomma}\ map\ f\ xs{\isacharparenright}{\isachardoublequote}%

 \begin{isamarkuptxt}%

 \noindent

 Note that \isa{map\ f\ xs}

 is the result of applying \isa{f} to all elements of \isa{xs}. We prove

 this lemma by recursion induction over \isa{sep}:%

 \end{isamarkuptxt}%

 \isacommand{apply}{\isacharparenleft}induct{\isacharunderscore}tac\ x\ xs\ rule{\isacharcolon}\ sep{\isachardot}induct{\isacharparenright}%

 \begin{isamarkuptxt}%

 \noindent

 The resulting proof state has three subgoals corresponding to the three

 clauses for \isa{sep}:

 \begin{isabelle}%

 \ {\isadigit{1}}{\isachardot}\ {\isasymAnd}a{\isachardot}\ map\ f\ {\isacharparenleft}sep\ {\isacharparenleft}a{\isacharcomma}\ {\isacharbrackleft}{\isacharbrackright}{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ sep\ {\isacharparenleft}f\ a{\isacharcomma}\ map\ f\ {\isacharbrackleft}{\isacharbrackright}{\isacharparenright}\isanewline

 \ {\isadigit{2}}{\isachardot}\ {\isasymAnd}a\ x{\isachardot}\ map\ f\ {\isacharparenleft}sep\ {\isacharparenleft}a{\isacharcomma}\ {\isacharbrackleft}x{\isacharbrackright}{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ sep\ {\isacharparenleft}f\ a{\isacharcomma}\ map\ f\ {\isacharbrackleft}x{\isacharbrackright}{\isacharparenright}\isanewline

 \ {\isadigit{3}}{\isachardot}\ {\isasymAnd}a\ x\ y\ zs{\isachardot}\isanewline

 \isaindent{\ {\isadigit{3}}{\isachardot}\ \ \ \ }map\ f\ {\isacharparenleft}sep\ {\isacharparenleft}a{\isacharcomma}\ y\ {\isacharhash}\ zs{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ sep\ {\isacharparenleft}f\ a{\isacharcomma}\ map\ f\ {\isacharparenleft}y\ {\isacharhash}\ zs{\isacharparenright}{\isacharparenright}\ {\isasymLongrightarrow}\isanewline

 \isaindent{\ {\isadigit{3}}{\isachardot}\ \ \ \ }map\ f\ {\isacharparenleft}sep\ {\isacharparenleft}a{\isacharcomma}\ x\ {\isacharhash}\ y\ {\isacharhash}\ zs{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ sep\ {\isacharparenleft}f\ a{\isacharcomma}\ map\ f\ {\isacharparenleft}x\ {\isacharhash}\ y\ {\isacharhash}\ zs{\isacharparenright}{\isacharparenright}%

 \end{isabelle}

 The rest is pure simplification:%

 \end{isamarkuptxt}%

 \isacommand{apply}\ simp{\isacharunderscore}all\isanewline

 \isacommand{done}%

 \begin{isamarkuptext}%

 Try proving the above lemma by structural induction, and you find that you

 need an additional case distinction. What is worse, the names of variables

 are invented by Isabelle and have nothing to do with the names in the

 definition of \isa{sep}.

 In general, the format of invoking recursion induction is

 \begin{quote}

 \isacommand{apply}\isa{{\isacharparenleft}induct{\isacharunderscore}tac\ }$x@1 \dots x@n$ \isa{rule{\isacharcolon}} $f$\isa{{\isachardot}induct{\isacharparenright}}

 \end{quote}\index{*induct_tac}%

 where $x@1~\dots~x@n$ is a list of free variables in the subgoal and $f$ the

 name of a function that takes an $n$-tuple. Usually the subgoal will

 contain the term $f(x@1,\dots,x@n)$ but this need not be the case. The

 induction rules do not mention $f$ at all. For example \isa{sep{\isachardot}induct}

 \begin{isabelle}

 {\isasymlbrakk}~{\isasymAnd}a.~P~a~[];\isanewline

 ~~{\isasymAnd}a~x.~P~a~[x];\isanewline

 ~~{\isasymAnd}a~x~y~zs.~P~a~(y~\#~zs)~{\isasymLongrightarrow}~P~a~(x~\#~y~\#~zs){\isasymrbrakk}\isanewline

 {\isasymLongrightarrow}~P~u~v%

 \end{isabelle}

 merely says that in order to prove a property \isa{P} of \isa{u} and

 \isa{v} you need to prove it for the three cases where \isa{v} is the

 empty list, the singleton list, and the list with at least two elements

 (in which case you may assume it holds for the tail of that list).%

 \end{isamarkuptext}%

 \end{isabellebody}%

 %%% Local Variables:

 %%% mode: latex

 %%% TeX-master: "root"

 %%% End: