1.1 --- a/doc-src/ROOT Thu Jul 26 16:08:16 2012 +0200
1.2 +++ b/doc-src/ROOT Thu Jul 26 19:59:06 2012 +0200
1.3 @@ -1,10 +1,12 @@
1.4 -session Classes! in "Classes/Thy" = HOL +
1.5 - options [browser_info = false, document = false, document_dump = document, document_dump_only]
1.6 +session Classes! (doc) in "Classes/Thy" = HOL +
1.7 + options [browser_info = false, document = false,
1.8 + document_dump = document, document_dump_mode = "tex"]
1.9 theories [document = false] Setup
1.10 theories Classes
1.11
1.12 -session Codegen! in "Codegen/Thy" = "HOL-Library" +
1.13 - options [browser_info = false, document = false, document_dump = document, document_dump_only,
1.14 +session Codegen! (doc) in "Codegen/Thy" = "HOL-Library" +
1.15 + options [browser_info = false, document = false,
1.16 + document_dump = document, document_dump_mode = "tex",
1.17 print_mode = "no_brackets,iff"]
1.18 theories [document = false] Setup
1.19 theories
1.20 @@ -16,12 +18,14 @@
1.21 Adaptation
1.22 Further
1.23
1.24 -session Functions! in "Functions/Thy" = HOL +
1.25 - options [browser_info = false, document = false, document_dump = document, document_dump_only]
1.26 +session Functions! (doc) in "Functions/Thy" = HOL +
1.27 + options [browser_info = false, document = false,
1.28 + document_dump = document, document_dump_mode = "tex"]
1.29 theories Functions
1.30
1.31 -session IsarImplementation! in "IsarImplementation/Thy" = HOL +
1.32 - options [browser_info = false, document = false, document_dump = document, document_dump_only]
1.33 +session IsarImplementation! (doc) in "IsarImplementation/Thy" = HOL +
1.34 + options [browser_info = false, document = false,
1.35 + document_dump = document, document_dump_mode = "tex"]
1.36 theories
1.37 Eq
1.38 Integration
1.39 @@ -34,8 +38,9 @@
1.40 Syntax
1.41 Tactic
1.42
1.43 -session IsarRef in "IsarRef/Thy" = HOL +
1.44 - options [browser_info = false, document = false, document_dump = document, document_dump_only,
1.45 +session IsarRef (doc) in "IsarRef/Thy" = HOL +
1.46 + options [browser_info = false, document = false,
1.47 + document_dump = document, document_dump_mode = "tex",
1.48 quick_and_dirty]
1.49 theories
1.50 Preface
1.51 @@ -54,37 +59,43 @@
1.52 Symbols
1.53 ML_Tactic
1.54
1.55 -session IsarRef in "IsarRef/Thy" = HOLCF +
1.56 - options [browser_info = false, document = false, document_dump = document, document_dump_only,
1.57 +session IsarRef (doc) in "IsarRef/Thy" = HOLCF +
1.58 + options [browser_info = false, document = false,
1.59 + document_dump = document, document_dump_mode = "tex",
1.60 quick_and_dirty]
1.61 theories HOLCF_Specific
1.62
1.63 -session IsarRef in "IsarRef/Thy" = ZF +
1.64 - options [browser_info = false, document = false, document_dump = document, document_dump_only,
1.65 +session IsarRef (doc) in "IsarRef/Thy" = ZF +
1.66 + options [browser_info = false, document = false,
1.67 + document_dump = document, document_dump_mode = "tex",
1.68 quick_and_dirty]
1.69 theories ZF_Specific
1.70
1.71 -session LaTeXsugar! in "LaTeXsugar/Sugar" = HOL +
1.72 - options [browser_info = false, document = false, document_dump = document, document_dump_only,
1.73 +session LaTeXsugar! (doc) in "LaTeXsugar/Sugar" = HOL +
1.74 + options [browser_info = false, document = false,
1.75 + document_dump = document, document_dump_mode = "tex",
1.76 threads = 1] (* FIXME *)
1.77 theories [document_dump = ""]
1.78 "~~/src/HOL/Library/LaTeXsugar"
1.79 "~~/src/HOL/Library/OptionalSugar"
1.80 theories Sugar
1.81
1.82 -session Locales! in "Locales/Locales" = HOL +
1.83 - options [browser_info = false, document = false, document_dump = document, document_dump_only]
1.84 +session Locales! (doc) in "Locales/Locales" = HOL +
1.85 + options [browser_info = false, document = false,
1.86 + document_dump = document, document_dump_mode = "tex"]
1.87 theories
1.88 Examples1
1.89 Examples2
1.90 Examples3
1.91
1.92 -session Main! in "Main/Docs" = HOL +
1.93 - options [browser_info = false, document = false, document_dump = document, document_dump_only]
1.94 +session Main! (doc) in "Main/Docs" = HOL +
1.95 + options [browser_info = false, document = false,
1.96 + document_dump = document, document_dump_mode = "tex"]
1.97 theories Main_Doc
1.98
1.99 -session ProgProve! in "ProgProve/Thys" = HOL +
1.100 - options [browser_info = false, document = false, document_dump = document, document_dump_only,
1.101 +session ProgProve! (doc) in "ProgProve/Thys" = HOL +
1.102 + options [browser_info = false, document = false,
1.103 + document_dump = document, document_dump_mode = "tex",
1.104 show_question_marks = false]
1.105 theories
1.106 Basics
1.107 @@ -94,8 +105,9 @@
1.108 Logic
1.109 Isar
1.110
1.111 -session System! in "System/Thy" = Pure +
1.112 - options [browser_info = false, document = false, document_dump = document, document_dump_only]
1.113 +session System! (doc) in "System/Thy" = Pure +
1.114 + options [browser_info = false, document = false,
1.115 + document_dump = document, document_dump_mode = "tex"]
1.116 theories
1.117 Basics
1.118 Interfaces
1.119 @@ -103,10 +115,69 @@
1.120 Presentation
1.121 Misc
1.122
1.123 -(* session Tutorial in "Tutorial" = HOL + FIXME *)
1.124 +session Tutorial (doc) in "TutorialI" = HOL +
1.125 + options [browser_info = false, document = false,
1.126 + document_dump = document, document_dump_mode = "tex",
1.127 + print_mode = "brackets", threads = 1 (* FIXME *)]
1.128 + theories [thy_output_indent = 5]
1.129 + "ToyList/ToyList"
1.130 + "Ifexpr/Ifexpr"
1.131 + "CodeGen/CodeGen"
1.132 + "Trie/Trie"
1.133 + "Datatype/ABexpr"
1.134 + "Datatype/unfoldnested"
1.135 + "Datatype/Nested"
1.136 + "Datatype/Fundata"
1.137 + "Fun/fun0"
1.138 + "Advanced/simp2"
1.139 + "CTL/PDL"
1.140 + "CTL/CTL"
1.141 + "CTL/CTLind"
1.142 + "Inductive/Even"
1.143 + "Inductive/Mutual"
1.144 + "Inductive/Star"
1.145 + "Inductive/AB"
1.146 + "Inductive/Advanced"
1.147 + "Misc/Tree"
1.148 + "Misc/Tree2"
1.149 + "Misc/Plus"
1.150 + "Misc/case_exprs"
1.151 + "Misc/fakenat"
1.152 + "Misc/natsum"
1.153 + "Misc/pairs2"
1.154 + "Misc/Option2"
1.155 + "Misc/types"
1.156 + "Misc/prime_def"
1.157 + "Misc/simp"
1.158 + "Misc/Itrev"
1.159 + "Misc/AdvancedInd"
1.160 + "Misc/appendix"
1.161 + theories
1.162 + "Protocol/NS_Public"
1.163 + "Documents/Documents"
1.164 + theories [document_dump = ""]
1.165 + "Types/Setup"
1.166 + theories
1.167 + "Types/Numbers"
1.168 + "Types/Pairs"
1.169 + "Types/Records"
1.170 + "Types/Typedefs"
1.171 + "Types/Overloading"
1.172 + "Types/Axioms"
1.173 + "Rules/Basic"
1.174 + "Rules/Blast"
1.175 + "Rules/Force"
1.176 + "Rules/Forward"
1.177 + "Rules/Tacticals"
1.178 + "Rules/find2"
1.179 + "Sets/Examples"
1.180 + "Sets/Functions"
1.181 + "Sets/Relations"
1.182 + "Sets/Recur"
1.183
1.184 -session examples in "ZF" = ZF +
1.185 - options [browser_info = false, document = false, document_dump = document, document_dump_only,
1.186 +session examples (doc) in "ZF" = ZF +
1.187 + options [browser_info = false, document = false,
1.188 + document_dump = document, document_dump_mode = "tex",
1.189 print_mode = "brackets"]
1.190 theories
1.191 IFOL_examples
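Review bot: The new Tutorial session sets `threads = 1 (* FIXME *)` in its options without recording what the single-thread restriction works around, so a later maintainer cannot tell when it is safe to remove; the reason is not inferable from this hunk (it may concern document generation order, which the author should confirm). Suggested wording: `print_mode = "brackets", threads = 1 (* FIXME: <reason for single thread, to be filled in> *)]`. As a minor point of style, the FIXME here sits inside the option brackets whereas the LaTeXsugar session places it after the closing bracket; the two sessions should use one placement. The Tutorial session body is entirely within this hunk.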
2.1 --- a/doc-src/TutorialI/Advanced/ROOT.ML Thu Jul 26 16:08:16 2012 +0200
2.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
2.3 @@ -1,2 +0,0 @@
2.4 -use "../settings.ML";
2.5 -use_thy "simp2";
3.1 --- a/doc-src/TutorialI/Advanced/advanced.tex Thu Jul 26 16:08:16 2012 +0200
3.2 +++ b/doc-src/TutorialI/Advanced/advanced.tex Thu Jul 26 19:59:06 2012 +0200
3.3 @@ -5,13 +5,13 @@
3.4 yet and which are worth learning. The sections of this chapter are
3.5 independent of each other and can be read in any order.
3.6
3.7 -\input{Advanced/document/simp2.tex}
3.8 +\input{document/simp2.tex}
3.9
3.10 \section{Advanced Induction Techniques}
3.11 \label{sec:advanced-ind}
3.12 \index{induction|(}
3.13 -\input{Misc/document/AdvancedInd.tex}
3.14 -\input{CTL/document/CTLind.tex}
3.15 +\input{document/AdvancedInd.tex}
3.16 +\input{document/CTLind.tex}
3.17 \index{induction|)}
3.18
3.19 %\section{Advanced Forms of Recursion}
3.20 @@ -34,16 +34,16 @@
3.21
3.22 %\subsection{Beyond Measure}
3.23 %\label{sec:beyond-measure}
3.24 -%\input{Advanced/document/WFrec.tex}
3.25 +%\input{document/WFrec.tex}
3.26 %
3.27 %\subsection{Recursion Over Nested Datatypes}
3.28 %\label{sec:nested-recdef}
3.29 -%\input{Recdef/document/Nested0.tex}
3.30 -%\input{Recdef/document/Nested1.tex}
3.31 -%\input{Recdef/document/Nested2.tex}
3.32 +%\input{document/Nested0.tex}
3.33 +%\input{document/Nested1.tex}
3.34 +%\input{document/Nested2.tex}
3.35 %
3.36 %\subsection{Partial Functions}
3.37 %\index{functions!partial}
3.38 -%\input{Advanced/document/Partial.tex}
3.39 +%\input{document/Partial.tex}
3.40 %
3.41 %\index{recdef@\isacommand {recdef} (command)|)}
4.1 --- a/doc-src/TutorialI/Advanced/document/Partial.tex Thu Jul 26 16:08:16 2012 +0200
4.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
4.3 @@ -1,352 +0,0 @@
4.4 -%
4.5 -\begin{isabellebody}%
4.6 -\def\isabellecontext{Partial}%
4.7 -%
4.8 -\isadelimtheory
4.9 -%
4.10 -\endisadelimtheory
4.11 -%
4.12 -\isatagtheory
4.13 -%
4.14 -\endisatagtheory
4.15 -{\isafoldtheory}%
4.16 -%
4.17 -\isadelimtheory
4.18 -%
4.19 -\endisadelimtheory
4.20 -%
4.21 -\begin{isamarkuptext}%
4.22 -\noindent Throughout this tutorial, we have emphasized
4.23 -that all functions in HOL are total. We cannot hope to define
4.24 -truly partial functions, but must make them total. A straightforward
4.25 -method is to lift the result type of the function from $\tau$ to
4.26 -$\tau$~\isa{option} (see \ref{sec:option}), where \isa{None} is
4.27 -returned if the function is applied to an argument not in its
4.28 -domain. Function \isa{assoc} in \S\ref{sec:Trie} is a simple example.
4.29 -We do not pursue this schema further because it should be clear
4.30 -how it works. Its main drawback is that the result of such a lifted
4.31 -function has to be unpacked first before it can be processed
4.32 -further. Its main advantage is that you can distinguish if the
4.33 -function was applied to an argument in its domain or not. If you do
4.34 -not need to make this distinction, for example because the function is
4.35 -never used outside its domain, it is easier to work with
4.36 -\emph{underdefined}\index{functions!underdefined} functions: for
4.37 -certain arguments we only know that a result exists, but we do not
4.38 -know what it is. When defining functions that are normally considered
4.39 -partial, underdefinedness turns out to be a very reasonable
4.40 -alternative.
4.41 -
4.42 -We have already seen an instance of underdefinedness by means of
4.43 -non-exhaustive pattern matching: the definition of \isa{last} in
4.44 -\S\ref{sec:fun}. The same is allowed for \isacommand{primrec}%
4.45 -\end{isamarkuptext}%
4.46 -\isamarkuptrue%
4.47 -\isacommand{consts}\isamarkupfalse%
4.48 -\ hd\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ list\ {\isasymRightarrow}\ {\isacharprime}a{\isachardoublequoteclose}\isanewline
4.49 -\isacommand{primrec}\isamarkupfalse%
4.50 -\ {\isachardoublequoteopen}hd\ {\isacharparenleft}x{\isacharhash}xs{\isacharparenright}\ {\isacharequal}\ x{\isachardoublequoteclose}%
4.51 -\begin{isamarkuptext}%
4.52 -\noindent
4.53 -although it generates a warning.
4.54 -Even ordinary definitions allow underdefinedness, this time by means of
4.55 -preconditions:%
4.56 -\end{isamarkuptext}%
4.57 -\isamarkuptrue%
4.58 -\isacommand{constdefs}\isamarkupfalse%
4.59 -\ subtract\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
4.60 -{\isachardoublequoteopen}n\ {\isasymle}\ m\ {\isasymLongrightarrow}\ subtract\ m\ n\ {\isasymequiv}\ m\ {\isacharminus}\ n{\isachardoublequoteclose}%
4.61 -\begin{isamarkuptext}%
4.62 -The rest of this section is devoted to the question of how to define
4.63 -partial recursive functions by other means than non-exhaustive pattern
4.64 -matching.%
4.65 -\end{isamarkuptext}%
4.66 -\isamarkuptrue%
4.67 -%
4.68 -\isamarkupsubsubsection{Guarded Recursion%
4.69 -}
4.70 -\isamarkuptrue%
4.71 -%
4.72 -\begin{isamarkuptext}%
4.73 -\index{recursion!guarded}%
4.74 -Neither \isacommand{primrec} nor \isacommand{recdef} allow to
4.75 -prefix an equation with a condition in the way ordinary definitions do
4.76 -(see \isa{subtract} above). Instead we have to move the condition over
4.77 -to the right-hand side of the equation. Given a partial function $f$
4.78 -that should satisfy the recursion equation $f(x) = t$ over its domain
4.79 -$dom(f)$, we turn this into the \isacommand{recdef}
4.80 -\begin{isabelle}%
4.81 -\ \ \ \ \ f\ x\ {\isacharequal}\ {\isacharparenleft}if\ x\ {\isasymin}\ dom\ f\ then\ t\ else\ arbitrary{\isacharparenright}%
4.82 -\end{isabelle}
4.83 -where \isa{arbitrary} is a predeclared constant of type \isa{{\isacharprime}a}
4.84 -which has no definition. Thus we know nothing about its value,
4.85 -which is ideal for specifying underdefined functions on top of it.
4.86 -
4.87 -As a simple example we define division on \isa{nat}:%
4.88 -\end{isamarkuptext}%
4.89 -\isamarkuptrue%
4.90 -\isacommand{consts}\isamarkupfalse%
4.91 -\ divi\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymtimes}\ nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
4.92 -\isacommand{recdef}\isamarkupfalse%
4.93 -\ divi\ {\isachardoublequoteopen}measure{\isacharparenleft}{\isasymlambda}{\isacharparenleft}m{\isacharcomma}n{\isacharparenright}{\isachardot}\ m{\isacharparenright}{\isachardoublequoteclose}\isanewline
4.94 -\ \ {\isachardoublequoteopen}divi{\isacharparenleft}m{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ arbitrary{\isachardoublequoteclose}\isanewline
4.95 -\ \ {\isachardoublequoteopen}divi{\isacharparenleft}m{\isacharcomma}n{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ m\ {\isacharless}\ n\ then\ {\isadigit{0}}\ else\ divi{\isacharparenleft}m{\isacharminus}n{\isacharcomma}n{\isacharparenright}{\isacharplus}{\isadigit{1}}{\isacharparenright}{\isachardoublequoteclose}%
4.96 -\begin{isamarkuptext}%
4.97 -\noindent Of course we could also have defined
4.98 -\isa{divi\ {\isacharparenleft}m{\isacharcomma}\ {\isadigit{0}}{\isacharparenright}} to be some specific number, for example 0. The
4.99 -latter option is chosen for the predefined \isa{div} function, which
4.100 -simplifies proofs at the expense of deviating from the
4.101 -standard mathematical division function.
4.102 -
4.103 -As a more substantial example we consider the problem of searching a graph.
4.104 -For simplicity our graph is given by a function \isa{f} of
4.105 -type \isa{{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a} which
4.106 -maps each node to its successor; the graph has out-degree 1.
4.107 -The task is to find the end of a chain, modelled by a node pointing to
4.108 -itself. Here is a first attempt:
4.109 -\begin{isabelle}%
4.110 -\ \ \ \ \ find\ {\isacharparenleft}f{\isacharcomma}\ x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ f\ x\ {\isacharequal}\ x\ then\ x\ else\ find\ {\isacharparenleft}f{\isacharcomma}\ f\ x{\isacharparenright}{\isacharparenright}%
4.111 -\end{isabelle}
4.112 -This may be viewed as a fixed point finder or as the second half of the well
4.113 -known \emph{Union-Find} algorithm.
4.114 -The snag is that it may not terminate if \isa{f} has non-trivial cycles.
4.115 -Phrased differently, the relation%
4.116 -\end{isamarkuptext}%
4.117 -\isamarkuptrue%
4.118 -\isacommand{constdefs}\isamarkupfalse%
4.119 -\ step{\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymtimes}\ {\isacharprime}a{\isacharparenright}set{\isachardoublequoteclose}\isanewline
4.120 -\ \ {\isachardoublequoteopen}step{\isadigit{1}}\ f\ {\isasymequiv}\ {\isacharbraceleft}{\isacharparenleft}y{\isacharcomma}x{\isacharparenright}{\isachardot}\ y\ {\isacharequal}\ f\ x\ {\isasymand}\ y\ {\isasymnoteq}\ x{\isacharbraceright}{\isachardoublequoteclose}%
4.121 -\begin{isamarkuptext}%
4.122 -\noindent
4.123 -must be well-founded. Thus we make the following definition:%
4.124 -\end{isamarkuptext}%
4.125 -\isamarkuptrue%
4.126 -\isacommand{consts}\isamarkupfalse%
4.127 -\ find\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymtimes}\ {\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isachardoublequoteclose}\isanewline
4.128 -\isacommand{recdef}\isamarkupfalse%
4.129 -\ find\ {\isachardoublequoteopen}same{\isacharunderscore}fst\ {\isacharparenleft}{\isasymlambda}f{\isachardot}\ wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}{\isacharparenright}\ step{\isadigit{1}}{\isachardoublequoteclose}\isanewline
4.130 -\ \ {\isachardoublequoteopen}find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\isanewline
4.131 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ then\ if\ f\ x\ {\isacharequal}\ x\ then\ x\ else\ find{\isacharparenleft}f{\isacharcomma}\ f\ x{\isacharparenright}\isanewline
4.132 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ else\ arbitrary{\isacharparenright}{\isachardoublequoteclose}\isanewline
4.133 -{\isacharparenleft}\isakeyword{hints}\ recdef{\isacharunderscore}simp{\isacharcolon}\ step{\isadigit{1}}{\isacharunderscore}def{\isacharparenright}%
4.134 -\begin{isamarkuptext}%
4.135 -\noindent
4.136 -The recursion equation itself should be clear enough: it is our aborted
4.137 -first attempt augmented with a check that there are no non-trivial loops.
4.138 -To express the required well-founded relation we employ the
4.139 -predefined combinator \isa{same{\isacharunderscore}fst} of type
4.140 -\begin{isabelle}%
4.141 -\ \ \ \ \ {\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ bool{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}b{\isasymtimes}{\isacharprime}b{\isacharparenright}set{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharparenleft}{\isacharprime}a{\isasymtimes}{\isacharprime}b{\isacharparenright}\ {\isasymtimes}\ {\isacharparenleft}{\isacharprime}a{\isasymtimes}{\isacharprime}b{\isacharparenright}{\isacharparenright}set%
4.142 -\end{isabelle}
4.143 -defined as
4.144 -\begin{isabelle}%
4.145 -\ \ \ \ \ same{\isacharunderscore}fst\ P\ R\ {\isasymequiv}\ {\isacharbraceleft}{\isacharparenleft}{\isacharparenleft}x{\isacharprime}{\isacharcomma}\ y{\isacharprime}{\isacharparenright}{\isacharcomma}\ x{\isacharcomma}\ y{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isacharequal}\ x\ {\isasymand}\ P\ x\ {\isasymand}\ {\isacharparenleft}y{\isacharprime}{\isacharcomma}\ y{\isacharparenright}\ {\isasymin}\ R\ x{\isacharbraceright}%
4.146 -\end{isabelle}
4.147 -This combinator is designed for
4.148 -recursive functions on pairs where the first component of the argument is
4.149 -passed unchanged to all recursive calls. Given a constraint on the first
4.150 -component and a relation on the second component, \isa{same{\isacharunderscore}fst} builds the
4.151 -required relation on pairs. The theorem
4.152 -\begin{isabelle}%
4.153 -\ \ \ \ \ {\isacharparenleft}{\isasymAnd}x{\isachardot}\ P\ x\ {\isasymLongrightarrow}\ wf\ {\isacharparenleft}R\ x{\isacharparenright}{\isacharparenright}\ {\isasymLongrightarrow}\ wf\ {\isacharparenleft}same{\isacharunderscore}fst\ P\ R{\isacharparenright}%
4.154 -\end{isabelle}
4.155 -is known to the well-foundedness prover of \isacommand{recdef}. Thus
4.156 -well-foundedness of the relation given to \isacommand{recdef} is immediate.
4.157 -Furthermore, each recursive call descends along that relation: the first
4.158 -argument stays unchanged and the second one descends along \isa{step{\isadigit{1}}\ f}. The proof requires unfolding the definition of \isa{step{\isadigit{1}}},
4.159 -as specified in the \isacommand{hints} above.
4.160 -
4.161 -Normally you will then derive the following conditional variant from
4.162 -the recursion equation:%
4.163 -\end{isamarkuptext}%
4.164 -\isamarkuptrue%
4.165 -\isacommand{lemma}\isamarkupfalse%
4.166 -\ {\isacharbrackleft}simp{\isacharbrackright}{\isacharcolon}\isanewline
4.167 -\ \ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymLongrightarrow}\ find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ f\ x\ {\isacharequal}\ x\ then\ x\ else\ find{\isacharparenleft}f{\isacharcomma}\ f\ x{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}\isanewline
4.168 -%
4.169 -\isadelimproof
4.170 -%
4.171 -\endisadelimproof
4.172 -%
4.173 -\isatagproof
4.174 -\isacommand{by}\isamarkupfalse%
4.175 -\ simp%
4.176 -\endisatagproof
4.177 -{\isafoldproof}%
4.178 -%
4.179 -\isadelimproof
4.180 -%
4.181 -\endisadelimproof
4.182 -%
4.183 -\begin{isamarkuptext}%
4.184 -\noindent Then you should disable the original recursion equation:%
4.185 -\end{isamarkuptext}%
4.186 -\isamarkuptrue%
4.187 -\isacommand{declare}\isamarkupfalse%
4.188 -\ find{\isachardot}simps{\isacharbrackleft}simp\ del{\isacharbrackright}%
4.189 -\begin{isamarkuptext}%
4.190 -Reasoning about such underdefined functions is like that for other
4.191 -recursive functions. Here is a simple example of recursion induction:%
4.192 -\end{isamarkuptext}%
4.193 -\isamarkuptrue%
4.194 -\isacommand{lemma}\isamarkupfalse%
4.195 -\ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymlongrightarrow}\ f{\isacharparenleft}find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}{\isachardoublequoteclose}\isanewline
4.196 -%
4.197 -\isadelimproof
4.198 -%
4.199 -\endisadelimproof
4.200 -%
4.201 -\isatagproof
4.202 -\isacommand{apply}\isamarkupfalse%
4.203 -{\isacharparenleft}induct{\isacharunderscore}tac\ f\ x\ rule{\isacharcolon}\ find{\isachardot}induct{\isacharparenright}\isanewline
4.204 -\isacommand{apply}\isamarkupfalse%
4.205 -\ simp\isanewline
4.206 -\isacommand{done}\isamarkupfalse%
4.207 -%
4.208 -\endisatagproof
4.209 -{\isafoldproof}%
4.210 -%
4.211 -\isadelimproof
4.212 -%
4.213 -\endisadelimproof
4.214 -%
4.215 -\isamarkupsubsubsection{The {\tt\slshape while} Combinator%
4.216 -}
4.217 -\isamarkuptrue%
4.218 -%
4.219 -\begin{isamarkuptext}%
4.220 -If the recursive function happens to be tail recursive, its
4.221 -definition becomes a triviality if based on the predefined \cdx{while}
4.222 -combinator. The latter lives in the Library theory \thydx{While_Combinator}.
4.223 -% which is not part of {text Main} but needs to
4.224 -% be included explicitly among the ancestor theories.
4.225 -
4.226 -Constant \isa{while} is of type \isa{{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ bool{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymRightarrow}\ {\isacharprime}a}
4.227 -and satisfies the recursion equation \begin{isabelle}%
4.228 -\ \ \ \ \ while\ b\ c\ s\ {\isacharequal}\ {\isacharparenleft}if\ b\ s\ then\ while\ b\ c\ {\isacharparenleft}c\ s{\isacharparenright}\ else\ s{\isacharparenright}%
4.229 -\end{isabelle}
4.230 -That is, \isa{while\ b\ c\ s} is equivalent to the imperative program
4.231 -\begin{verbatim}
4.232 - x := s; while b(x) do x := c(x); return x
4.233 -\end{verbatim}
4.234 -In general, \isa{s} will be a tuple or record. As an example
4.235 -consider the following definition of function \isa{find}:%
4.236 -\end{isamarkuptext}%
4.237 -\isamarkuptrue%
4.238 -\isacommand{constdefs}\isamarkupfalse%
4.239 -\ find{\isadigit{2}}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymRightarrow}\ {\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isachardoublequoteclose}\isanewline
4.240 -\ \ {\isachardoublequoteopen}find{\isadigit{2}}\ f\ x\ {\isasymequiv}\isanewline
4.241 -\ \ \ fst{\isacharparenleft}while\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isasymnoteq}\ x{\isacharparenright}\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ {\isacharparenleft}x{\isacharprime}{\isacharcomma}f\ x{\isacharprime}{\isacharparenright}{\isacharparenright}\ {\isacharparenleft}x{\isacharcomma}f\ x{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
4.242 -\begin{isamarkuptext}%
4.243 -\noindent
4.244 -The loop operates on two ``local variables'' \isa{x} and \isa{x{\isacharprime}}
4.245 -containing the ``current'' and the ``next'' value of function \isa{f}.
4.246 -They are initialized with the global \isa{x} and \isa{f\ x}. At the
4.247 -end \isa{fst} selects the local \isa{x}.
4.248 -
4.249 -Although the definition of tail recursive functions via \isa{while} avoids
4.250 -termination proofs, there is no free lunch. When proving properties of
4.251 -functions defined by \isa{while}, termination rears its ugly head
4.252 -again. Here is \tdx{while_rule}, the well known proof rule for total
4.253 -correctness of loops expressed with \isa{while}:
4.254 -\begin{isabelle}%
4.255 -\ \ \ \ \ {\isasymlbrakk}P\ s{\isacharsemicolon}\ {\isasymAnd}s{\isachardot}\ {\isasymlbrakk}P\ s{\isacharsemicolon}\ b\ s{\isasymrbrakk}\ {\isasymLongrightarrow}\ P\ {\isacharparenleft}c\ s{\isacharparenright}{\isacharsemicolon}\isanewline
4.256 -\isaindent{\ \ \ \ \ \ }{\isasymAnd}s{\isachardot}\ {\isasymlbrakk}P\ s{\isacharsemicolon}\ {\isasymnot}\ b\ s{\isasymrbrakk}\ {\isasymLongrightarrow}\ Q\ s{\isacharsemicolon}\ wf\ r{\isacharsemicolon}\isanewline
4.257 -\isaindent{\ \ \ \ \ \ }{\isasymAnd}s{\isachardot}\ {\isasymlbrakk}P\ s{\isacharsemicolon}\ b\ s{\isasymrbrakk}\ {\isasymLongrightarrow}\ {\isacharparenleft}c\ s{\isacharcomma}\ s{\isacharparenright}\ {\isasymin}\ r{\isasymrbrakk}\isanewline
4.258 -\isaindent{\ \ \ \ \ }{\isasymLongrightarrow}\ Q\ {\isacharparenleft}while\ b\ c\ s{\isacharparenright}%
4.259 -\end{isabelle} \isa{P} needs to be true of
4.260 -the initial state \isa{s} and invariant under \isa{c} (premises 1
4.261 -and~2). The post-condition \isa{Q} must become true when leaving the loop
4.262 -(premise~3). And each loop iteration must descend along a well-founded
4.263 -relation \isa{r} (premises 4 and~5).
4.264 -
4.265 -Let us now prove that \isa{find{\isadigit{2}}} does indeed find a fixed point. Instead
4.266 -of induction we apply the above while rule, suitably instantiated.
4.267 -Only the final premise of \isa{while{\isacharunderscore}rule} is left unproved
4.268 -by \isa{auto} but falls to \isa{simp}:%
4.269 -\end{isamarkuptext}%
4.270 -\isamarkuptrue%
4.271 -\isacommand{lemma}\isamarkupfalse%
4.272 -\ lem{\isacharcolon}\ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymLongrightarrow}\isanewline
4.273 -\ \ {\isasymexists}y{\isachardot}\ while\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isasymnoteq}\ x{\isacharparenright}\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ {\isacharparenleft}x{\isacharprime}{\isacharcomma}f\ x{\isacharprime}{\isacharparenright}{\isacharparenright}\ {\isacharparenleft}x{\isacharcomma}f\ x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}y{\isacharcomma}y{\isacharparenright}\ {\isasymand}\isanewline
4.274 -\ \ \ \ \ \ \ f\ y\ {\isacharequal}\ y{\isachardoublequoteclose}\isanewline
4.275 -%
4.276 -\isadelimproof
4.277 -%
4.278 -\endisadelimproof
4.279 -%
4.280 -\isatagproof
4.281 -\isacommand{apply}\isamarkupfalse%
4.282 -{\isacharparenleft}rule{\isacharunderscore}tac\ P\ {\isacharequal}\ {\isachardoublequoteopen}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isacharequal}\ f\ x{\isachardoublequoteclose}\ \isakeyword{and}\isanewline
4.283 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ r\ {\isacharequal}\ {\isachardoublequoteopen}inv{\isacharunderscore}image\ {\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ fst{\isachardoublequoteclose}\ \isakeyword{in}\ while{\isacharunderscore}rule{\isacharparenright}\isanewline
4.284 -\isacommand{apply}\isamarkupfalse%
4.285 -\ auto\isanewline
4.286 -\isacommand{apply}\isamarkupfalse%
4.287 -{\isacharparenleft}simp\ add{\isacharcolon}\ inv{\isacharunderscore}image{\isacharunderscore}def\ step{\isadigit{1}}{\isacharunderscore}def{\isacharparenright}\isanewline
4.288 -\isacommand{done}\isamarkupfalse%
4.289 -%
4.290 -\endisatagproof
4.291 -{\isafoldproof}%
4.292 -%
4.293 -\isadelimproof
4.294 -%
4.295 -\endisadelimproof
4.296 -%
4.297 -\begin{isamarkuptext}%
4.298 -The theorem itself is a simple consequence of this lemma:%
4.299 -\end{isamarkuptext}%
4.300 -\isamarkuptrue%
4.301 -\isacommand{theorem}\isamarkupfalse%
4.302 -\ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymLongrightarrow}\ f{\isacharparenleft}find{\isadigit{2}}\ f\ x{\isacharparenright}\ {\isacharequal}\ find{\isadigit{2}}\ f\ x{\isachardoublequoteclose}\isanewline
4.303 -%
4.304 -\isadelimproof
4.305 -%
4.306 -\endisadelimproof
4.307 -%
4.308 -\isatagproof
4.309 -\isacommand{apply}\isamarkupfalse%
4.310 -{\isacharparenleft}drule{\isacharunderscore}tac\ x\ {\isacharequal}\ x\ \isakeyword{in}\ lem{\isacharparenright}\isanewline
4.311 -\isacommand{apply}\isamarkupfalse%
4.312 -{\isacharparenleft}auto\ simp\ add{\isacharcolon}\ find{\isadigit{2}}{\isacharunderscore}def{\isacharparenright}\isanewline
4.313 -\isacommand{done}\isamarkupfalse%
4.314 -%
4.315 -\endisatagproof
4.316 -{\isafoldproof}%
4.317 -%
4.318 -\isadelimproof
4.319 -%
4.320 -\endisadelimproof
4.321 -%
4.322 -\begin{isamarkuptext}%
4.323 -Let us conclude this section on partial functions by a
4.324 -discussion of the merits of the \isa{while} combinator. We have
4.325 -already seen that the advantage of not having to
4.326 -provide a termination argument when defining a function via \isa{while} merely puts off the evil hour. On top of that, tail recursive
4.327 -functions tend to be more complicated to reason about. So why use
4.328 -\isa{while} at all? The only reason is executability: the recursion
4.329 -equation for \isa{while} is a directly executable functional
4.330 -program. This is in stark contrast to guarded recursion as introduced
4.331 -above which requires an explicit test \isa{x\ {\isasymin}\ dom\ f} in the
4.332 -function body. Unless \isa{dom} is trivial, this leads to a
4.333 -definition that is impossible to execute or prohibitively slow.
4.334 -Thus, if you are aiming for an efficiently executable definition
4.335 -of a partial function, you are likely to need \isa{while}.%
4.336 -\end{isamarkuptext}%
4.337 -\isamarkuptrue%
4.338 -%
4.339 -\isadelimtheory
4.340 -%
4.341 -\endisadelimtheory
4.342 -%
4.343 -\isatagtheory
4.344 -%
4.345 -\endisatagtheory
4.346 -{\isafoldtheory}%
4.347 -%
4.348 -\isadelimtheory
4.349 -%
4.350 -\endisadelimtheory
4.351 -\end{isabellebody}%
4.352 -%%% Local Variables:
4.353 -%%% mode: latex
4.354 -%%% TeX-master: "root"
4.355 -%%% End:
5.1 --- a/doc-src/TutorialI/Advanced/document/WFrec.tex Thu Jul 26 16:08:16 2012 +0200
5.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
5.3 @@ -1,169 +0,0 @@
5.4 -%
5.5 -\begin{isabellebody}%
5.6 -\def\isabellecontext{WFrec}%
5.7 -%
5.8 -\isadelimtheory
5.9 -%
5.10 -\endisadelimtheory
5.11 -%
5.12 -\isatagtheory
5.13 -%
5.14 -\endisatagtheory
5.15 -{\isafoldtheory}%
5.16 -%
5.17 -\isadelimtheory
5.18 -%
5.19 -\endisadelimtheory
5.20 -%
5.21 -\begin{isamarkuptext}%
5.22 -\noindent
5.23 -So far, all recursive definitions were shown to terminate via measure
5.24 -functions. Sometimes this can be inconvenient or
5.25 -impossible. Fortunately, \isacommand{recdef} supports much more
5.26 -general definitions. For example, termination of Ackermann's function
5.27 -can be shown by means of the \rmindex{lexicographic product} \isa{{\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}}:%
5.28 -\end{isamarkuptext}%
5.29 -\isamarkuptrue%
5.30 -\isacommand{consts}\isamarkupfalse%
5.31 -\ ack\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat{\isasymtimes}nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
5.32 -\isacommand{recdef}\isamarkupfalse%
5.33 -\ ack\ {\isachardoublequoteopen}measure{\isacharparenleft}{\isasymlambda}m{\isachardot}\ m{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}n{\isachardot}\ n{\isacharparenright}{\isachardoublequoteclose}\isanewline
5.34 -\ \ {\isachardoublequoteopen}ack{\isacharparenleft}{\isadigit{0}}{\isacharcomma}n{\isacharparenright}\ \ \ \ \ \ \ \ \ {\isacharequal}\ Suc\ n{\isachardoublequoteclose}\isanewline
5.35 -\ \ {\isachardoublequoteopen}ack{\isacharparenleft}Suc\ m{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ \ \ \ \ {\isacharequal}\ ack{\isacharparenleft}m{\isacharcomma}\ {\isadigit{1}}{\isacharparenright}{\isachardoublequoteclose}\isanewline
5.36 -\ \ {\isachardoublequoteopen}ack{\isacharparenleft}Suc\ m{\isacharcomma}Suc\ n{\isacharparenright}\ {\isacharequal}\ ack{\isacharparenleft}m{\isacharcomma}ack{\isacharparenleft}Suc\ m{\isacharcomma}n{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
5.37 -\begin{isamarkuptext}%
5.38 -\noindent
5.39 -The lexicographic product decreases if either its first component
5.40 -decreases (as in the second equation and in the outer call in the
5.41 -third equation) or its first component stays the same and the second
5.42 -component decreases (as in the inner call in the third equation).
5.43 -
5.44 -In general, \isacommand{recdef} supports termination proofs based on
5.45 -arbitrary well-founded relations as introduced in \S\ref{sec:Well-founded}.
5.46 -This is called \textbf{well-founded
5.47 -recursion}\indexbold{recursion!well-founded}. A function definition
5.48 -is total if and only if the set of
5.49 -all pairs $(r,l)$, where $l$ is the argument on the
5.50 -left-hand side of an equation and $r$ the argument of some recursive call on
5.51 -the corresponding right-hand side, induces a well-founded relation. For a
5.52 -systematic account of termination proofs via well-founded relations see, for
5.53 -example, Baader and Nipkow~\cite{Baader-Nipkow}.
5.54 -
5.55 -Each \isacommand{recdef} definition should be accompanied (after the function's
5.56 -name) by a well-founded relation on the function's argument type.
5.57 -Isabelle/HOL formalizes some of the most important
5.58 -constructions of well-founded relations (see \S\ref{sec:Well-founded}). For
5.59 -example, \isa{measure\ f} is always well-founded. The lexicographic
5.60 -product of two well-founded relations is again well-founded, which we relied
5.61 -on when defining Ackermann's function above.
5.62 -Of course the lexicographic product can also be iterated:%
5.63 -\end{isamarkuptext}%
5.64 -\isamarkuptrue%
5.65 -\isacommand{consts}\isamarkupfalse%
5.66 -\ contrived\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymtimes}\ nat\ {\isasymtimes}\ nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
5.67 -\isacommand{recdef}\isamarkupfalse%
5.68 -\ contrived\isanewline
5.69 -\ \ {\isachardoublequoteopen}measure{\isacharparenleft}{\isasymlambda}i{\isachardot}\ i{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}j{\isachardot}\ j{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}k{\isachardot}\ k{\isacharparenright}{\isachardoublequoteclose}\isanewline
5.70 -{\isachardoublequoteopen}contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}Suc\ k{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}k{\isacharparenright}{\isachardoublequoteclose}\isanewline
5.71 -{\isachardoublequoteopen}contrived{\isacharparenleft}i{\isacharcomma}Suc\ j{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}j{\isacharparenright}{\isachardoublequoteclose}\isanewline
5.72 -{\isachardoublequoteopen}contrived{\isacharparenleft}Suc\ i{\isacharcomma}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}i{\isacharcomma}i{\isacharparenright}{\isachardoublequoteclose}\isanewline
5.73 -{\isachardoublequoteopen}contrived{\isacharparenleft}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ \ \ \ \ {\isacharequal}\ {\isadigit{0}}{\isachardoublequoteclose}%
5.74 -\begin{isamarkuptext}%
5.75 -Lexicographic products of measure functions already go a long
5.76 -way. Furthermore, you may embed a type in an
5.77 -existing well-founded relation via the inverse image construction \isa{inv{\isacharunderscore}image}. All these constructions are known to \isacommand{recdef}. Thus you
5.78 -will never have to prove well-foundedness of any relation composed
5.79 -solely of these building blocks. But of course the proof of
5.80 -termination of your function definition --- that the arguments
5.81 -decrease with every recursive call --- may still require you to provide
5.82 -additional lemmas.
5.83 -
5.84 -It is also possible to use your own well-founded relations with
5.85 -\isacommand{recdef}. For example, the greater-than relation can be made
5.86 -well-founded by cutting it off at a certain point. Here is an example
5.87 -of a recursive function that calls itself with increasing values up to ten:%
5.88 -\end{isamarkuptext}%
5.89 -\isamarkuptrue%
5.90 -\isacommand{consts}\isamarkupfalse%
5.91 -\ f\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
5.92 -\isacommand{recdef}\isamarkupfalse%
5.93 -\ f\ {\isachardoublequoteopen}{\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}j{\isacharparenright}{\isachardot}\ j{\isacharless}i\ {\isasymand}\ i\ {\isasymle}\ {\isacharparenleft}{\isadigit{1}}{\isadigit{0}}{\isacharcolon}{\isacharcolon}nat{\isacharparenright}{\isacharbraceright}{\isachardoublequoteclose}\isanewline
5.94 -{\isachardoublequoteopen}f\ i\ {\isacharequal}\ {\isacharparenleft}if\ {\isadigit{1}}{\isadigit{0}}\ {\isasymle}\ i\ then\ {\isadigit{0}}\ else\ i\ {\isacharasterisk}\ f{\isacharparenleft}Suc\ i{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
5.95 -\begin{isamarkuptext}%
5.96 -\noindent
5.97 -Since \isacommand{recdef} is not prepared for the relation supplied above,
5.98 -Isabelle rejects the definition. We should first have proved that
5.99 -our relation was well-founded:%
5.100 -\end{isamarkuptext}%
5.101 -\isamarkuptrue%
5.102 -\isacommand{lemma}\isamarkupfalse%
5.103 -\ wf{\isacharunderscore}greater{\isacharcolon}\ {\isachardoublequoteopen}wf\ {\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}j{\isacharparenright}{\isachardot}\ j{\isacharless}i\ {\isasymand}\ i\ {\isasymle}\ {\isacharparenleft}N{\isacharcolon}{\isacharcolon}nat{\isacharparenright}{\isacharbraceright}{\isachardoublequoteclose}%
5.104 -\isadelimproof
5.105 -%
5.106 -\endisadelimproof
5.107 -%
5.108 -\isatagproof
5.109 -%
5.110 -\begin{isamarkuptxt}%
5.111 -\noindent
5.112 -The proof is by showing that our relation is a subset of another well-founded
5.113 -relation: one given by a measure function.\index{*wf_subset (theorem)}%
5.114 -\end{isamarkuptxt}%
5.115 -\isamarkuptrue%
5.116 -\isacommand{apply}\isamarkupfalse%
5.117 -\ {\isacharparenleft}rule\ wf{\isacharunderscore}subset\ {\isacharbrackleft}of\ {\isachardoublequoteopen}measure\ {\isacharparenleft}{\isasymlambda}k{\isacharcolon}{\isacharcolon}nat{\isachardot}\ N{\isacharminus}k{\isacharparenright}{\isachardoublequoteclose}{\isacharbrackright}{\isacharcomma}\ blast{\isacharparenright}%
5.118 -\begin{isamarkuptxt}%
5.119 -\begin{isabelle}%
5.120 -\ {\isadigit{1}}{\isachardot}\ {\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}\ j{\isacharparenright}{\isachardot}\ j\ {\isacharless}\ i\ {\isasymand}\ i\ {\isasymle}\ N{\isacharbraceright}\ {\isasymsubseteq}\ measure\ {\isacharparenleft}op\ {\isacharminus}\ N{\isacharparenright}%
5.121 -\end{isabelle}
5.122 -
5.123 -\noindent
5.124 -The inclusion remains to be proved. After unfolding some definitions,
5.125 -we are left with simple arithmetic that is dispatched automatically.%
5.126 -\end{isamarkuptxt}%
5.127 -\isamarkuptrue%
5.128 -\isacommand{by}\isamarkupfalse%
5.129 -\ {\isacharparenleft}clarify{\isacharcomma}\ simp\ add{\isacharcolon}\ measure{\isacharunderscore}def\ inv{\isacharunderscore}image{\isacharunderscore}def{\isacharparenright}%
5.130 -\endisatagproof
5.131 -{\isafoldproof}%
5.132 -%
5.133 -\isadelimproof
5.134 -%
5.135 -\endisadelimproof
5.136 -%
5.137 -\begin{isamarkuptext}%
5.138 -\noindent
5.139 -
5.140 -Armed with this lemma, we use the \attrdx{recdef_wf} attribute to attach a
5.141 -crucial hint\cmmdx{hints} to our definition:%
5.142 -\end{isamarkuptext}%
5.143 -\isamarkuptrue%
5.144 -{\isacharparenleft}\isakeyword{hints}\ recdef{\isacharunderscore}wf{\isacharcolon}\ wf{\isacharunderscore}greater{\isacharparenright}%
5.145 -\begin{isamarkuptext}%
5.146 -\noindent
5.147 -Alternatively, we could have given \isa{measure\ {\isacharparenleft}{\isasymlambda}k{\isacharcolon}{\isacharcolon}nat{\isachardot}\ {\isadigit{1}}{\isadigit{0}}{\isacharminus}k{\isacharparenright}} for the
5.148 -well-founded relation in our \isacommand{recdef}. However, the arithmetic
5.149 -goal in the lemma above would have arisen instead in the \isacommand{recdef}
5.150 -termination proof, where we have less control. A tailor-made termination
5.151 -relation makes even more sense when it can be used in several function
5.152 -declarations.%
5.153 -\end{isamarkuptext}%
5.154 -\isamarkuptrue%
5.155 -%
5.156 -\isadelimtheory
5.157 -%
5.158 -\endisadelimtheory
5.159 -%
5.160 -\isatagtheory
5.161 -%
5.162 -\endisatagtheory
5.163 -{\isafoldtheory}%
5.164 -%
5.165 -\isadelimtheory
5.166 -%
5.167 -\endisadelimtheory
5.168 -\end{isabellebody}%
5.169 -%%% Local Variables:
5.170 -%%% mode: latex
5.171 -%%% TeX-master: "root"
5.172 -%%% End:
6.1 --- a/doc-src/TutorialI/Advanced/document/simp2.tex Thu Jul 26 16:08:16 2012 +0200
6.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
6.3 @@ -1,249 +0,0 @@
6.4 -%
6.5 -\begin{isabellebody}%
6.6 -\def\isabellecontext{simp{\isadigit{2}}}%
6.7 -%
6.8 -\isadelimtheory
6.9 -%
6.10 -\endisadelimtheory
6.11 -%
6.12 -\isatagtheory
6.13 -%
6.14 -\endisatagtheory
6.15 -{\isafoldtheory}%
6.16 -%
6.17 -\isadelimtheory
6.18 -%
6.19 -\endisadelimtheory
6.20 -%
6.21 -\isamarkupsection{Simplification%
6.22 -}
6.23 -\isamarkuptrue%
6.24 -%
6.25 -\begin{isamarkuptext}%
6.26 -\label{sec:simplification-II}\index{simplification|(}
6.27 -This section describes features not covered until now. It also
6.28 -outlines the simplification process itself, which can be helpful
6.29 -when the simplifier does not do what you expect of it.%
6.30 -\end{isamarkuptext}%
6.31 -\isamarkuptrue%
6.32 -%
6.33 -\isamarkupsubsection{Advanced Features%
6.34 -}
6.35 -\isamarkuptrue%
6.36 -%
6.37 -\isamarkupsubsubsection{Congruence Rules%
6.38 -}
6.39 -\isamarkuptrue%
6.40 -%
6.41 -\begin{isamarkuptext}%
6.42 -\label{sec:simp-cong}
6.43 -While simplifying the conclusion $Q$
6.44 -of $P \Imp Q$, it is legal to use the assumption $P$.
6.45 -For $\Imp$ this policy is hardwired, but
6.46 -contextual information can also be made available for other
6.47 -operators. For example, \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs} simplifies to \isa{True} because we may use \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} when simplifying \isa{xs\ {\isaliteral{40}{\isacharat}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs}. The generation of contextual information during simplification is
6.48 -controlled by so-called \bfindex{congruence rules}. This is the one for
6.49 -\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}:
6.50 -\begin{isabelle}%
6.51 -\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ {\isaliteral{3D}{\isacharequal}}\ P{\isaliteral{27}{\isacharprime}}{\isaliteral{3B}{\isacharsemicolon}}\ P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Q\ {\isaliteral{3D}{\isacharequal}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}P\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}%
6.52 -\end{isabelle}
6.53 -It should be read as follows:
6.54 -In order to simplify \isa{P\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q} to \isa{P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q{\isaliteral{27}{\isacharprime}}},
6.55 -simplify \isa{P} to \isa{P{\isaliteral{27}{\isacharprime}}}
6.56 -and assume \isa{P{\isaliteral{27}{\isacharprime}}} when simplifying \isa{Q} to \isa{Q{\isaliteral{27}{\isacharprime}}}.
6.57 -
6.58 -Here are some more examples. The congruence rules for bounded
6.59 -quantifiers supply contextual information about the bound variable:
6.60 -\begin{isabelle}%
6.61 -\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}A\ {\isaliteral{3D}{\isacharequal}}\ B{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x\ {\isaliteral{3D}{\isacharequal}}\ Q\ x{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
6.62 -\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{5C3C696E3E}{\isasymin}}A{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{5C3C696E3E}{\isasymin}}B{\isaliteral{2E}{\isachardot}}\ Q\ x{\isaliteral{29}{\isacharparenright}}%
6.63 -\end{isabelle}
6.64 -One congruence rule for conditional expressions supplies contextual
6.65 -information for simplifying the \isa{then} and \isa{else} cases:
6.66 -\begin{isabelle}%
6.67 -\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}b\ {\isaliteral{3D}{\isacharequal}}\ c{\isaliteral{3B}{\isacharsemicolon}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ x\ {\isaliteral{3D}{\isacharequal}}\ u{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ y\ {\isaliteral{3D}{\isacharequal}}\ v{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
6.68 -\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}if\ b\ then\ x\ else\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ c\ then\ u\ else\ v{\isaliteral{29}{\isacharparenright}}%
6.69 -\end{isabelle}
6.70 -An alternative congruence rule for conditional expressions
6.71 -actually \emph{prevents} simplification of some arguments:
6.72 -\begin{isabelle}%
6.73 -\ \ \ \ \ b\ {\isaliteral{3D}{\isacharequal}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}if\ b\ then\ x\ else\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ c\ then\ x\ else\ y{\isaliteral{29}{\isacharparenright}}%
6.74 -\end{isabelle}
6.75 -Only the first argument is simplified; the others remain unchanged.
6.76 -This makes simplification much faster and is faithful to the evaluation
6.77 -strategy in programming languages, which is why this is the default
6.78 -congruence rule for \isa{if}. Analogous rules control the evaluation of
6.79 -\isa{case} expressions.
6.80 -
6.81 -You can declare your own congruence rules with the attribute \attrdx{cong},
6.82 -either globally, in the usual manner,
6.83 -\begin{quote}
6.84 -\isacommand{declare} \textit{theorem-name} \isa{{\isaliteral{5B}{\isacharbrackleft}}cong{\isaliteral{5D}{\isacharbrackright}}}
6.85 -\end{quote}
6.86 -or locally in a \isa{simp} call by adding the modifier
6.87 -\begin{quote}
6.88 -\isa{cong{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}
6.89 -\end{quote}
6.90 -The effect is reversed by \isa{cong\ del} instead of \isa{cong}.
6.91 -
6.92 -\begin{warn}
6.93 -The congruence rule \isa{conj{\isaliteral{5F}{\isacharunderscore}}cong}
6.94 -\begin{isabelle}%
6.95 -\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ {\isaliteral{3D}{\isacharequal}}\ P{\isaliteral{27}{\isacharprime}}{\isaliteral{3B}{\isacharsemicolon}}\ P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Q\ {\isaliteral{3D}{\isacharequal}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}P\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}%
6.96 -\end{isabelle}
6.97 -\par\noindent
6.98 -is occasionally useful but is not a default rule; you have to declare it explicitly.
6.99 -\end{warn}%
6.100 -\end{isamarkuptext}%
6.101 -\isamarkuptrue%
6.102 -%
6.103 -\isamarkupsubsubsection{Permutative Rewrite Rules%
6.104 -}
6.105 -\isamarkuptrue%
6.106 -%
6.107 -\begin{isamarkuptext}%
6.108 -\index{rewrite rules!permutative|bold}%
6.109 -An equation is a \textbf{permutative rewrite rule} if the left-hand
6.110 -side and right-hand side are the same up to renaming of variables. The most
6.111 -common permutative rule is commutativity: \isa{x\ {\isaliteral{2B}{\isacharplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ y\ {\isaliteral{2B}{\isacharplus}}\ x}. Other examples
6.112 -include \isa{x\ {\isaliteral{2D}{\isacharminus}}\ y\ {\isaliteral{2D}{\isacharminus}}\ z\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{2D}{\isacharminus}}\ z\ {\isaliteral{2D}{\isacharminus}}\ y} in arithmetic and \isa{insert\ x\ {\isaliteral{28}{\isacharparenleft}}insert\ y\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ insert\ y\ {\isaliteral{28}{\isacharparenleft}}insert\ x\ A{\isaliteral{29}{\isacharparenright}}} for sets. Such rules are problematic because
6.113 -once they apply, they can be used forever. The simplifier is aware of this
6.114 -danger and treats permutative rules by means of a special strategy, called
6.115 -\bfindex{ordered rewriting}: a permutative rewrite
6.116 -rule is only applied if the term becomes smaller with respect to a fixed
6.117 -lexicographic ordering on terms. For example, commutativity rewrites
6.118 -\isa{b\ {\isaliteral{2B}{\isacharplus}}\ a} to \isa{a\ {\isaliteral{2B}{\isacharplus}}\ b}, but then stops because \isa{a\ {\isaliteral{2B}{\isacharplus}}\ b} is strictly
6.119 -smaller than \isa{b\ {\isaliteral{2B}{\isacharplus}}\ a}. Permutative rewrite rules can be turned into
6.120 -simplification rules in the usual manner via the \isa{simp} attribute; the
6.121 -simplifier recognizes their special status automatically.
6.122 -
6.123 -Permutative rewrite rules are most effective in the case of
6.124 -associative-commutative functions. (Associativity by itself is not
6.125 -permutative.) When dealing with an AC-function~$f$, keep the
6.126 -following points in mind:
6.127 -\begin{itemize}\index{associative-commutative function}
6.128 -
6.129 -\item The associative law must always be oriented from left to right,
6.130 - namely $f(f(x,y),z) = f(x,f(y,z))$. The opposite orientation, if
6.131 - used with commutativity, can lead to nontermination.
6.132 -
6.133 -\item To complete your set of rewrite rules, you must add not just
6.134 - associativity~(A) and commutativity~(C) but also a derived rule, {\bf
6.135 - left-com\-mut\-ativ\-ity} (LC): $f(x,f(y,z)) = f(y,f(x,z))$.
6.136 -\end{itemize}
6.137 -Ordered rewriting with the combination of A, C, and LC sorts a term
6.138 -lexicographically:
6.139 -\[\def\maps#1{~\stackrel{#1}{\leadsto}~}
6.140 - f(f(b,c),a) \maps{A} f(b,f(c,a)) \maps{C} f(b,f(a,c)) \maps{LC} f(a,f(b,c)) \]
6.141 -
6.142 -Note that ordered rewriting for \isa{{\isaliteral{2B}{\isacharplus}}} and \isa{{\isaliteral{2A}{\isacharasterisk}}} on numbers is rarely
6.143 -necessary because the built-in arithmetic prover often succeeds without
6.144 -such tricks.%
6.145 -\end{isamarkuptext}%
6.146 -\isamarkuptrue%
6.147 -%
6.148 -\isamarkupsubsection{How the Simplifier Works%
6.149 -}
6.150 -\isamarkuptrue%
6.151 -%
6.152 -\begin{isamarkuptext}%
6.153 -\label{sec:SimpHow}
6.154 -Roughly speaking, the simplifier proceeds bottom-up: subterms are simplified
6.155 -first. A conditional equation is only applied if its condition can be
6.156 -proved, again by simplification. Below we explain some special features of
6.157 -the rewriting process.%
6.158 -\end{isamarkuptext}%
6.159 -\isamarkuptrue%
6.160 -%
6.161 -\isamarkupsubsubsection{Higher-Order Patterns%
6.162 -}
6.163 -\isamarkuptrue%
6.164 -%
6.165 -\begin{isamarkuptext}%
6.166 -\index{simplification rule|(}
6.167 -So far we have pretended the simplifier can deal with arbitrary
6.168 -rewrite rules. This is not quite true. For reasons of feasibility,
6.169 -the simplifier expects the
6.170 -left-hand side of each rule to be a so-called \emph{higher-order
6.171 -pattern}~\cite{nipkow-patterns}\indexbold{patterns!higher-order}.
6.172 -This restricts where
6.173 -unknowns may occur. Higher-order patterns are terms in $\beta$-normal
6.174 -form. (This means there are no subterms of the form $(\lambda x. M)(N)$.)
6.175 -Each occurrence of an unknown is of the form
6.176 -$\Var{f}~x@1~\dots~x@n$, where the $x@i$ are distinct bound
6.177 -variables. Thus all ordinary rewrite rules, where all unknowns are
6.178 -of base type, for example \isa{{\isaliteral{3F}{\isacharquery}}a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{3F}{\isacharquery}}b\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{3F}{\isacharquery}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{3F}{\isacharquery}}a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}b\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{3F}{\isacharquery}}c{\isaliteral{29}{\isacharparenright}}}, are acceptable: if an unknown is
6.179 -of base type, it cannot have any arguments. Additionally, the rule
6.180 -\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{3F}{\isacharquery}}Q\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}Q\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}} is also acceptable, in
6.181 -both directions: all arguments of the unknowns \isa{{\isaliteral{3F}{\isacharquery}}P} and
6.182 -\isa{{\isaliteral{3F}{\isacharquery}}Q} are distinct bound variables.
6.183 -
6.184 -If the left-hand side is not a higher-order pattern, all is not lost.
6.185 -The simplifier will still try to apply the rule provided it
6.186 -matches directly: without much $\lambda$-calculus hocus
6.187 -pocus. For example, \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}f\ {\isaliteral{3F}{\isacharquery}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range\ {\isaliteral{3F}{\isacharquery}}f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True} rewrites
6.188 -\isa{g\ a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range\ g} to \isa{True}, but will fail to match
6.189 -\isa{g{\isaliteral{28}{\isacharparenleft}}h\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ g{\isaliteral{28}{\isacharparenleft}}h\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}. However, you can
6.190 -eliminate the offending subterms --- those that are not patterns ---
6.191 -by adding new variables and conditions.
6.192 -In our example, we eliminate \isa{{\isaliteral{3F}{\isacharquery}}f\ {\isaliteral{3F}{\isacharquery}}x} and obtain
6.193 - \isa{{\isaliteral{3F}{\isacharquery}}y\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{3F}{\isacharquery}}f\ {\isaliteral{3F}{\isacharquery}}x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range\ {\isaliteral{3F}{\isacharquery}}f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True}, which is fine
6.194 -as a conditional rewrite rule since conditions can be arbitrary
6.195 -terms. However, this trick is not a panacea because the newly
6.196 -introduced conditions may be hard to solve.
6.197 -
6.198 -There is no restriction on the form of the right-hand
6.199 -sides. They may not contain extraneous term or type variables, though.%
6.200 -\end{isamarkuptext}%
6.201 -\isamarkuptrue%
6.202 -%
6.203 -\isamarkupsubsubsection{The Preprocessor%
6.204 -}
6.205 -\isamarkuptrue%
6.206 -%
6.207 -\begin{isamarkuptext}%
6.208 -\label{sec:simp-preprocessor}
6.209 -When a theorem is declared a simplification rule, it need not be a
6.210 -conditional equation already. The simplifier will turn it into a set of
6.211 -conditional equations automatically. For example, \isa{f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ x\ {\isaliteral{5C3C616E643E}{\isasymand}}\ h\ x\ {\isaliteral{3D}{\isacharequal}}\ k\ x} becomes the two separate
6.212 -simplification rules \isa{f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ x} and \isa{h\ x\ {\isaliteral{3D}{\isacharequal}}\ k\ x}. In
6.213 -general, the input theorem is converted as follows:
6.214 -\begin{eqnarray}
6.215 -\neg P &\mapsto& P = \hbox{\isa{False}} \nonumber\\
6.216 -P \longrightarrow Q &\mapsto& P \Longrightarrow Q \nonumber\\
6.217 -P \land Q &\mapsto& P,\ Q \nonumber\\
6.218 -\forall x.~P~x &\mapsto& P~\Var{x}\nonumber\\
6.219 -\forall x \in A.\ P~x &\mapsto& \Var{x} \in A \Longrightarrow P~\Var{x} \nonumber\\
6.220 -\isa{if}\ P\ \isa{then}\ Q\ \isa{else}\ R &\mapsto&
6.221 - P \Longrightarrow Q,\ \neg P \Longrightarrow R \nonumber
6.222 -\end{eqnarray}
6.223 -Once this conversion process is finished, all remaining non-equations
6.224 -$P$ are turned into trivial equations $P =\isa{True}$.
6.225 -For example, the formula
6.226 -\begin{center}\isa{{\isaliteral{28}{\isacharparenleft}}p\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{3D}{\isacharequal}}\ u\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ r{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ s}\end{center}
6.227 -is converted into the three rules
6.228 -\begin{center}
6.229 -\isa{p\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{3D}{\isacharequal}}\ u},\quad \isa{p\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ r\ {\isaliteral{3D}{\isacharequal}}\ False},\quad \isa{s\ {\isaliteral{3D}{\isacharequal}}\ True}.
6.230 -\end{center}
6.231 -\index{simplification rule|)}
6.232 -\index{simplification|)}%
6.233 -\end{isamarkuptext}%
6.234 -\isamarkuptrue%
6.235 -%
6.236 -\isadelimtheory
6.237 -%
6.238 -\endisadelimtheory
6.239 -%
6.240 -\isatagtheory
6.241 -%
6.242 -\endisatagtheory
6.243 -{\isafoldtheory}%
6.244 -%
6.245 -\isadelimtheory
6.246 -%
6.247 -\endisadelimtheory
6.248 -\end{isabellebody}%
6.249 -%%% Local Variables:
6.250 -%%% mode: latex
6.251 -%%% TeX-master: "root"
6.252 -%%% End:
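--- a/doc-src/TutorialI/CTL/ROOT.ML
+++ /dev/null
@@ -1,4 +0,0 @@
-use "../settings.ML";
-use_thy "PDL";
-use_thy "CTL";
-use_thy "CTLind";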
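--- a/doc-src/TutorialI/CTL/ctl.tex
+++ b/doc-src/TutorialI/CTL/ctl.tex
@@ -1,6 +1,6 @@
 \index{model checking example|(}%
 \index{lfp@{\texttt{lfp}}!applications of|see{CTL}}
-\input{CTL/document/Base.tex}
-\input{CTL/document/PDL.tex}
-\input{CTL/document/CTL.tex}
+\input{document/Base.tex}
+\input{document/PDL.tex}
+\input{document/CTL.tex}
 \index{model checking example|)}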
9.1 --- a/doc-src/TutorialI/CTL/document/Base.tex Thu Jul 26 16:08:16 2012 +0200
9.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
9.3 @@ -1,130 +0,0 @@
9.4 -%
9.5 -\begin{isabellebody}%
9.6 -\def\isabellecontext{Base}%
9.7 -%
9.8 -\isadelimtheory
9.9 -%
9.10 -\endisadelimtheory
9.11 -%
9.12 -\isatagtheory
9.13 -%
9.14 -\endisatagtheory
9.15 -{\isafoldtheory}%
9.16 -%
9.17 -\isadelimtheory
9.18 -%
9.19 -\endisadelimtheory
9.20 -%
9.21 -\isamarkupsection{Case Study: Verified Model Checking%
9.22 -}
9.23 -\isamarkuptrue%
9.24 -%
9.25 -\begin{isamarkuptext}%
9.26 -\label{sec:VMC}
9.27 -This chapter ends with a case study concerning model checking for
9.28 -Computation Tree Logic (CTL), a temporal logic.
9.29 -Model checking is a popular technique for the verification of finite
9.30 -state systems (implementations) with respect to temporal logic formulae
9.31 -(specifications) \cite{ClarkeGP-book,Huth-Ryan-book}. Its foundations are set theoretic
9.32 -and this section will explore them in HOL\@. This is done in two steps. First
9.33 -we consider a simple modal logic called propositional dynamic
9.34 -logic (PDL)\@. We then proceed to the temporal logic CTL, which is
9.35 -used in many real
9.36 -model checkers. In each case we give both a traditional semantics (\isa{{\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}}) and a
9.37 -recursive function \isa{mc} that maps a formula into the set of all states of
9.38 -the system where the formula is valid. If the system has a finite number of
9.39 -states, \isa{mc} is directly executable: it is a model checker, albeit an
9.40 -inefficient one. The main proof obligation is to show that the semantics
9.41 -and the model checker agree.
9.42 -
9.43 -\underscoreon
9.44 -
9.45 -Our models are \emph{transition systems}:\index{transition systems}
9.46 -sets of \emph{states} with
9.47 -transitions between them. Here is a simple example:
9.48 -\begin{center}
9.49 -\unitlength.5mm
9.50 -\thicklines
9.51 -\begin{picture}(100,60)
9.52 -\put(50,50){\circle{20}}
9.53 -\put(50,50){\makebox(0,0){$p,q$}}
9.54 -\put(61,55){\makebox(0,0)[l]{$s_0$}}
9.55 -\put(44,42){\vector(-1,-1){26}}
9.56 -\put(16,18){\vector(1,1){26}}
9.57 -\put(57,43){\vector(1,-1){26}}
9.58 -\put(10,10){\circle{20}}
9.59 -\put(10,10){\makebox(0,0){$q,r$}}
9.60 -\put(-1,15){\makebox(0,0)[r]{$s_1$}}
9.61 -\put(20,10){\vector(1,0){60}}
9.62 -\put(90,10){\circle{20}}
9.63 -\put(90,10){\makebox(0,0){$r$}}
9.64 -\put(98, 5){\line(1,0){10}}
9.65 -\put(108, 5){\line(0,1){10}}
9.66 -\put(108,15){\vector(-1,0){10}}
9.67 -\put(91,21){\makebox(0,0)[bl]{$s_2$}}
9.68 -\end{picture}
9.69 -\end{center}
9.70 -Each state has a unique name or number ($s_0,s_1,s_2$), and in each state
9.71 -certain \emph{atomic propositions} ($p,q,r$) hold. The aim of temporal logic
9.72 -is to formalize statements such as ``there is no path starting from $s_2$
9.73 -leading to a state where $p$ or $q$ holds,'' which is true, and ``on all paths
9.74 -starting from $s_0$, $q$ always holds,'' which is false.
9.75 -
9.76 -Abstracting from this concrete example, we assume there is a type of
9.77 -states:%
9.78 -\end{isamarkuptext}%
9.79 -\isamarkuptrue%
9.80 -\isacommand{typedecl}\isamarkupfalse%
9.81 -\ state%
9.82 -\begin{isamarkuptext}%
9.83 -\noindent
9.84 -Command \commdx{typedecl} merely declares a new type but without
9.85 -defining it (see \S\ref{sec:typedecl}). Thus we know nothing
9.86 -about the type other than its existence. That is exactly what we need
9.87 -because \isa{state} really is an implicit parameter of our model. Of
9.88 -course it would have been more generic to make \isa{state} a type
9.89 -parameter of everything but declaring \isa{state} globally as above
9.90 -reduces clutter. Similarly we declare an arbitrary but fixed
9.91 -transition system, i.e.\ a relation between states:%
9.92 -\end{isamarkuptext}%
9.93 -\isamarkuptrue%
9.94 -\isacommand{consts}\isamarkupfalse%
9.95 -\ M\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}state\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ state{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}%
9.96 -\begin{isamarkuptext}%
9.97 -\noindent
9.98 -This is Isabelle's way of declaring a constant without defining it.
9.99 -Finally we introduce a type of atomic propositions%
9.100 -\end{isamarkuptext}%
9.101 -\isamarkuptrue%
9.102 -\isacommand{typedecl}\isamarkupfalse%
9.103 -\ {\isaliteral{22}{\isachardoublequoteopen}}atom{\isaliteral{22}{\isachardoublequoteclose}}%
9.104 -\begin{isamarkuptext}%
9.105 -\noindent
9.106 -and a \emph{labelling function}%
9.107 -\end{isamarkuptext}%
9.108 -\isamarkuptrue%
9.109 -\isacommand{consts}\isamarkupfalse%
9.110 -\ L\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ atom\ set{\isaliteral{22}{\isachardoublequoteclose}}%
9.111 -\begin{isamarkuptext}%
9.112 -\noindent
9.113 -telling us which atomic propositions are true in each state.%
9.114 -\end{isamarkuptext}%
9.115 -\isamarkuptrue%
9.116 -%
9.117 -\isadelimtheory
9.118 -%
9.119 -\endisadelimtheory
9.120 -%
9.121 -\isatagtheory
9.122 -%
9.123 -\endisatagtheory
9.124 -{\isafoldtheory}%
9.125 -%
9.126 -\isadelimtheory
9.127 -%
9.128 -\endisadelimtheory
9.129 -\end{isabellebody}%
9.130 -%%% Local Variables:
9.131 -%%% mode: latex
9.132 -%%% TeX-master: "root"
9.133 -%%% End:
10.1 --- a/doc-src/TutorialI/CTL/document/CTL.tex Thu Jul 26 16:08:16 2012 +0200
10.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
10.3 @@ -1,575 +0,0 @@
10.4 -%
10.5 -\begin{isabellebody}%
10.6 -\def\isabellecontext{CTL}%
10.7 -%
10.8 -\isadelimtheory
10.9 -%
10.10 -\endisadelimtheory
10.11 -%
10.12 -\isatagtheory
10.13 -%
10.14 -\endisatagtheory
10.15 -{\isafoldtheory}%
10.16 -%
10.17 -\isadelimtheory
10.18 -%
10.19 -\endisadelimtheory
10.20 -%
10.21 -\isamarkupsubsection{Computation Tree Logic --- CTL%
10.22 -}
10.23 -\isamarkuptrue%
10.24 -%
10.25 -\begin{isamarkuptext}%
10.26 -\label{sec:CTL}
10.27 -\index{CTL|(}%
10.28 -The semantics of PDL only needs reflexive transitive closure.
10.29 -Let us be adventurous and introduce a more expressive temporal operator.
10.30 -We extend the datatype
10.31 -\isa{formula} by a new constructor%
10.32 -\end{isamarkuptext}%
10.33 -\isamarkuptrue%
10.34 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ AF\ formula%
10.35 -\begin{isamarkuptext}%
10.36 -\noindent
10.37 -which stands for ``\emph{A}lways in the \emph{F}uture'':
10.38 -on all infinite paths, at some point the formula holds.
10.39 -Formalizing the notion of an infinite path is easy
10.40 -in HOL: it is simply a function from \isa{nat} to \isa{state}.%
10.41 -\end{isamarkuptext}%
10.42 -\isamarkuptrue%
10.43 -\isacommand{definition}\isamarkupfalse%
10.44 -\ Paths\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
10.45 -{\isaliteral{22}{\isachardoublequoteopen}}Paths\ s\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{7B}{\isacharbraceleft}}p{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{3D}{\isacharequal}}\ p\ {\isadigit{0}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p{\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M{\isaliteral{29}{\isacharparenright}}{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
10.46 -\begin{isamarkuptext}%
10.47 -\noindent
10.48 -This definition allows a succinct statement of the semantics of \isa{AF}:
10.49 -\footnote{Do not be misled: neither datatypes nor recursive functions can be
10.50 -extended by new constructors or equations. This is just a trick of the
10.51 -presentation (see \S\ref{sec:doc-prep-suppress}). In reality one has to define
10.52 -a new datatype and a new function.}%
10.53 -\end{isamarkuptext}%
10.54 -\isamarkuptrue%
10.55 -{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ AF\ f\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
10.56 -\begin{isamarkuptext}%
10.57 -\noindent
10.58 -Model checking \isa{AF} involves a function which
10.59 -is just complicated enough to warrant a separate definition:%
10.60 -\end{isamarkuptext}%
10.61 -\isamarkuptrue%
10.62 -\isacommand{definition}\isamarkupfalse%
10.63 -\ af\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
10.64 -{\isaliteral{22}{\isachardoublequoteopen}}af\ A\ T\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ T{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
10.65 -\begin{isamarkuptext}%
10.66 -\noindent
10.67 -Now we define \isa{mc\ {\isaliteral{28}{\isacharparenleft}}AF\ f{\isaliteral{29}{\isacharparenright}}} as the least set \isa{T} that includes
10.68 -\isa{mc\ f} and all states all of whose direct successors are in \isa{T}:%
10.69 -\end{isamarkuptext}%
10.70 -\isamarkuptrue%
10.71 -{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}AF\ f{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ lfp{\isaliteral{28}{\isacharparenleft}}af{\isaliteral{28}{\isacharparenleft}}mc\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
10.72 -\begin{isamarkuptext}%
10.73 -\noindent
10.74 -Because \isa{af} is monotone in its second argument (and also its first, but
10.75 -that is irrelevant), \isa{af\ A} has a least fixed point:%
10.76 -\end{isamarkuptext}%
10.77 -\isamarkuptrue%
10.78 -\isacommand{lemma}\isamarkupfalse%
10.79 -\ mono{\isaliteral{5F}{\isacharunderscore}}af{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}mono{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
10.80 -%
10.81 -\isadelimproof
10.82 -%
10.83 -\endisadelimproof
10.84 -%
10.85 -\isatagproof
10.86 -\isacommand{apply}\isamarkupfalse%
10.87 -{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ mono{\isaliteral{5F}{\isacharunderscore}}def\ af{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
10.88 -\isacommand{apply}\isamarkupfalse%
10.89 -\ blast\isanewline
10.90 -\isacommand{done}\isamarkupfalse%
10.91 -%
10.92 -\endisatagproof
10.93 -{\isafoldproof}%
10.94 -%
10.95 -\isadelimproof
10.96 -%
10.97 -\endisadelimproof
10.98 -%
10.99 -\isadelimproof
10.100 -%
10.101 -\endisadelimproof
10.102 -%
10.103 -\isatagproof
10.104 -%
10.105 -\endisatagproof
10.106 -{\isafoldproof}%
10.107 -%
10.108 -\isadelimproof
10.109 -%
10.110 -\endisadelimproof
10.111 -%
10.112 -\isadelimproof
10.113 -%
10.114 -\endisadelimproof
10.115 -%
10.116 -\isatagproof
10.117 -%
10.118 -\endisatagproof
10.119 -{\isafoldproof}%
10.120 -%
10.121 -\isadelimproof
10.122 -%
10.123 -\endisadelimproof
10.124 -%
10.125 -\begin{isamarkuptext}%
10.126 -All we need to prove now is \isa{mc\ {\isaliteral{28}{\isacharparenleft}}AF\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ AF\ f{\isaliteral{7D}{\isacharbraceright}}}, which states
10.127 -that \isa{mc} and \isa{{\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}} agree for \isa{AF}\@.
10.128 -This time we prove the two inclusions separately, starting
10.129 -with the easy one:%
10.130 -\end{isamarkuptext}%
10.131 -\isamarkuptrue%
10.132 -\isacommand{theorem}\isamarkupfalse%
10.133 -\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
10.134 -\isadelimproof
10.135 -%
10.136 -\endisadelimproof
10.137 -%
10.138 -\isatagproof
10.139 -%
10.140 -\begin{isamarkuptxt}%
10.141 -\noindent
10.142 -In contrast to the analogous proof for \isa{EF}, and just
10.143 -for a change, we do not use fixed point induction. Park-induction,
10.144 -named after David Park, is weaker but sufficient for this proof:
10.145 -\begin{center}
10.146 -\isa{f\ S\ {\isaliteral{5C3C6C653E}{\isasymle}}\ S\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ lfp\ f\ {\isaliteral{5C3C6C653E}{\isasymle}}\ S} \hfill (\isa{lfp{\isaliteral{5F}{\isacharunderscore}}lowerbound})
10.147 -\end{center}
10.148 -The instance of the premise \isa{f\ S\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ S} is proved pointwise,
10.149 -a decision that \isa{auto} takes for us:%
10.150 -\end{isamarkuptxt}%
10.151 -\isamarkuptrue%
10.152 -\isacommand{apply}\isamarkupfalse%
10.153 -{\isaliteral{28}{\isacharparenleft}}rule\ lfp{\isaliteral{5F}{\isacharunderscore}}lowerbound{\isaliteral{29}{\isacharparenright}}\isanewline
10.154 -\isacommand{apply}\isamarkupfalse%
10.155 -{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ af{\isaliteral{5F}{\isacharunderscore}}def\ Paths{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
10.156 -\begin{isamarkuptxt}%
10.157 -\begin{isabelle}%
10.158 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ {\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
10.159 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{3D}{\isacharequal}}\ p\ {\isadigit{0}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p\ {\isaliteral{28}{\isacharparenleft}}Suc\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
10.160 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
10.161 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ \ }{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p\ {\isaliteral{28}{\isacharparenleft}}Suc\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
10.162 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A%
10.163 -\end{isabelle}
10.164 -In this remaining case, we set \isa{t} to \isa{p\ {\isadigit{1}}}.
10.165 -The rest is automatic, which is surprising because it involves
10.166 -finding the instantiation \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ p\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}}
10.167 -for \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p}.%
10.168 -\end{isamarkuptxt}%
10.169 -\isamarkuptrue%
10.170 -\isacommand{apply}\isamarkupfalse%
10.171 -{\isaliteral{28}{\isacharparenleft}}erule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}p\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ allE{\isaliteral{29}{\isacharparenright}}\isanewline
10.172 -\isacommand{apply}\isamarkupfalse%
10.173 -{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
10.174 -\isacommand{done}\isamarkupfalse%
10.175 -%
10.176 -\endisatagproof
10.177 -{\isafoldproof}%
10.178 -%
10.179 -\isadelimproof
10.180 -%
10.181 -\endisadelimproof
10.182 -%
10.183 -\begin{isamarkuptext}%
10.184 -The opposite inclusion is proved by contradiction: if some state
10.185 -\isa{s} is not in \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}, then we can construct an
10.186 -infinite \isa{A}-avoiding path starting from~\isa{s}. The reason is
10.187 -that by unfolding \isa{lfp} we find that if \isa{s} is not in
10.188 -\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}, then \isa{s} is not in \isa{A} and there is a
10.189 -direct successor of \isa{s} that is again not in \mbox{\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}}. Iterating this argument yields the promised infinite
10.190 -\isa{A}-avoiding path. Let us formalize this sketch.
10.191 -
10.192 -The one-step argument in the sketch above
10.193 -is proved by a variant of contraposition:%
10.194 -\end{isamarkuptext}%
10.195 -\isamarkuptrue%
10.196 -\isacommand{lemma}\isamarkupfalse%
10.197 -\ not{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp{\isaliteral{5F}{\isacharunderscore}}afD{\isaliteral{3A}{\isacharcolon}}\isanewline
10.198 -\ {\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ s\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
10.199 -%
10.200 -\isadelimproof
10.201 -%
10.202 -\endisadelimproof
10.203 -%
10.204 -\isatagproof
10.205 -\isacommand{apply}\isamarkupfalse%
10.206 -{\isaliteral{28}{\isacharparenleft}}erule\ contrapos{\isaliteral{5F}{\isacharunderscore}}np{\isaliteral{29}{\isacharparenright}}\isanewline
10.207 -\isacommand{apply}\isamarkupfalse%
10.208 -{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}af{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
10.209 -\isacommand{apply}\isamarkupfalse%
10.210 -{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ af{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
10.211 -\isacommand{done}\isamarkupfalse%
10.212 -%
10.213 -\endisatagproof
10.214 -{\isafoldproof}%
10.215 -%
10.216 -\isadelimproof
10.217 -%
10.218 -\endisadelimproof
10.219 -%
10.220 -\begin{isamarkuptext}%
10.221 -\noindent
10.222 -We assume the negation of the conclusion and prove \isa{s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}.
10.223 -Unfolding \isa{lfp} once and
10.224 -simplifying with the definition of \isa{af} finishes the proof.
10.225 -
10.226 -Now we iterate this process. The following construction of the desired
10.227 -path is parameterized by a predicate \isa{Q} that should hold along the path:%
10.228 -\end{isamarkuptext}%
10.229 -\isamarkuptrue%
10.230 -\isacommand{primrec}\isamarkupfalse%
10.231 -\ path\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
10.232 -{\isaliteral{22}{\isachardoublequoteopen}}path\ s\ Q\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ s{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
10.233 -{\isaliteral{22}{\isachardoublequoteopen}}path\ s\ Q\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}SOME\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ n{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
10.234 -\begin{isamarkuptext}%
10.235 -\noindent
10.236 -Element \isa{n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}} on this path is some arbitrary successor
10.237 -\isa{t} of element \isa{n} such that \isa{Q\ t} holds. Remember that \isa{SOME\ t{\isaliteral{2E}{\isachardot}}\ R\ t}
10.238 -is some arbitrary but fixed \isa{t} such that \isa{R\ t} holds (see \S\ref{sec:SOME}). Of
10.239 -course, such a \isa{t} need not exist, but that is of no
10.240 -concern to us since we will only use \isa{path} when a
10.241 -suitable \isa{t} does exist.
10.242 -
10.243 -Let us show that if each state \isa{s} that satisfies \isa{Q}
10.244 -has a successor that again satisfies \isa{Q}, then there exists an infinite \isa{Q}-path:%
10.245 -\end{isamarkuptext}%
10.246 -\isamarkuptrue%
10.247 -\isacommand{lemma}\isamarkupfalse%
10.248 -\ infinity{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{3A}{\isacharcolon}}\isanewline
10.249 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ Q\ s{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ Q\ s\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
10.250 -\ \ \ {\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ Q{\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
10.251 -\isadelimproof
10.252 -%
10.253 -\endisadelimproof
10.254 -%
10.255 -\isatagproof
10.256 -%
10.257 -\begin{isamarkuptxt}%
10.258 -\noindent
10.259 -First we rephrase the conclusion slightly because we need to prove simultaneously
10.260 -both the path property and the fact that \isa{Q} holds:%
10.261 -\end{isamarkuptxt}%
10.262 -\isamarkuptrue%
10.263 -\isacommand{apply}\isamarkupfalse%
10.264 -{\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\isanewline
10.265 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{3D}{\isacharequal}}\ p\ {\isadigit{0}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p{\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q{\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}%
10.266 -\begin{isamarkuptxt}%
10.267 -\noindent
10.268 -From this proposition the original goal follows easily:%
10.269 -\end{isamarkuptxt}%
10.270 -\isamarkuptrue%
10.271 -\ \isacommand{apply}\isamarkupfalse%
10.272 -{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ Paths{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{2C}{\isacharcomma}}\ blast{\isaliteral{29}{\isacharparenright}}%
10.273 -\begin{isamarkuptxt}%
10.274 -\noindent
10.275 -The new subgoal is proved by providing the witness \isa{path\ s\ Q} for \isa{p}:%
10.276 -\end{isamarkuptxt}%
10.277 -\isamarkuptrue%
10.278 -\isacommand{apply}\isamarkupfalse%
10.279 -{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}path\ s\ Q{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ exI{\isaliteral{29}{\isacharparenright}}\isanewline
10.280 -\isacommand{apply}\isamarkupfalse%
10.281 -{\isaliteral{28}{\isacharparenleft}}clarsimp{\isaliteral{29}{\isacharparenright}}%
10.282 -\begin{isamarkuptxt}%
10.283 -\noindent
10.284 -After simplification and clarification, the subgoal has the following form:
10.285 -\begin{isabelle}%
10.286 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Q\ s{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ Q\ s\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
10.287 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ i{\isaliteral{2C}{\isacharcomma}}\ SOME\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ i{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
10.288 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }Q\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ i{\isaliteral{29}{\isacharparenright}}%
10.289 -\end{isabelle}
10.290 -It invites a proof by induction on \isa{i}:%
10.291 -\end{isamarkuptxt}%
10.292 -\isamarkuptrue%
10.293 -\isacommand{apply}\isamarkupfalse%
10.294 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ i{\isaliteral{29}{\isacharparenright}}\isanewline
10.295 -\ \isacommand{apply}\isamarkupfalse%
10.296 -{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
10.297 -\begin{isamarkuptxt}%
10.298 -\noindent
10.299 -After simplification, the base case boils down to
10.300 -\begin{isabelle}%
10.301 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Q\ s{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ Q\ s\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
10.302 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ SOME\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M%
10.303 -\end{isabelle}
10.304 -The conclusion looks exceedingly trivial: after all, \isa{t} is chosen such that \isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M}
10.305 -holds. However, we first have to show that such a \isa{t} actually exists! This reasoning
10.306 -is embodied in the theorem \isa{someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex}:
10.307 -\begin{isabelle}%
10.308 -\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}a{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ a{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q\ x{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q\ {\isaliteral{28}{\isacharparenleft}}SOME\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x{\isaliteral{29}{\isacharparenright}}%
10.309 -\end{isabelle}
10.310 -When we apply this theorem as an introduction rule, \isa{{\isaliteral{3F}{\isacharquery}}P\ x} becomes
10.311 -\isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ x} and \isa{{\isaliteral{3F}{\isacharquery}}Q\ x} becomes \isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M} and we have to prove
10.312 -two subgoals: \isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}a{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ a}, which follows from the assumptions, and
10.313 -\isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M}, which is trivial. Thus it is not surprising that
10.314 -\isa{fast} can prove the base case quickly:%
10.315 -\end{isamarkuptxt}%
10.316 -\isamarkuptrue%
10.317 -\ \isacommand{apply}\isamarkupfalse%
10.318 -{\isaliteral{28}{\isacharparenleft}}fast\ intro{\isaliteral{3A}{\isacharcolon}}\ someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex{\isaliteral{29}{\isacharparenright}}%
10.319 -\begin{isamarkuptxt}%
10.320 -\noindent
10.321 -What is worth noting here is that we have used \methdx{fast} rather than
10.322 -\isa{blast}. The reason is that \isa{blast} would fail because it cannot
10.323 -cope with \isa{someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex}: unifying its conclusion with the current
10.324 -subgoal is non-trivial because of the nested schematic variables. For
10.325 -efficiency reasons \isa{blast} does not even attempt such unifications.
10.326 -Although \isa{fast} can in principle cope with complicated unification
10.327 -problems, in practice the number of unifiers arising is often prohibitive and
10.328 -the offending rule may need to be applied explicitly rather than
10.329 -automatically. This is what happens in the step case.
10.330 -
10.331 -The induction step is similar, but more involved, because now we face nested
10.332 -occurrences of \isa{SOME}. As a result, \isa{fast} is no longer able to
10.333 -solve the subgoal and we apply \isa{someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex} by hand. We merely
10.334 -show the proof commands but do not describe the details:%
10.335 -\end{isamarkuptxt}%
10.336 -\isamarkuptrue%
10.337 -\isacommand{apply}\isamarkupfalse%
10.338 -{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}\isanewline
10.339 -\isacommand{apply}\isamarkupfalse%
10.340 -{\isaliteral{28}{\isacharparenleft}}rule\ someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex{\isaliteral{29}{\isacharparenright}}\isanewline
10.341 -\ \isacommand{apply}\isamarkupfalse%
10.342 -{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
10.343 -\isacommand{apply}\isamarkupfalse%
10.344 -{\isaliteral{28}{\isacharparenleft}}rule\ someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex{\isaliteral{29}{\isacharparenright}}\isanewline
10.345 -\ \isacommand{apply}\isamarkupfalse%
10.346 -{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
10.347 -\isacommand{apply}\isamarkupfalse%
10.348 -{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
10.349 -\isacommand{done}\isamarkupfalse%
10.350 -%
10.351 -\endisatagproof
10.352 -{\isafoldproof}%
10.353 -%
10.354 -\isadelimproof
10.355 -%
10.356 -\endisadelimproof
10.357 -%
10.358 -\begin{isamarkuptext}%
10.359 -Function \isa{path} has fulfilled its purpose now and can be forgotten.
10.360 -It was merely defined to provide the witness in the proof of the
10.361 -\isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma}. Aficionados of minimal proofs might like to know
10.362 -that we could have given the witness without having to define a new function:
10.363 -the term
10.364 -\begin{isabelle}%
10.365 -\ \ \ \ \ nat{\isaliteral{5F}{\isacharunderscore}}rec\ s\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}n\ t{\isaliteral{2E}{\isachardot}}\ SOME\ u{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{2C}{\isacharcomma}}\ u{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ u{\isaliteral{29}{\isacharparenright}}%
10.366 -\end{isabelle}
10.367 -is extensionally equal to \isa{path\ s\ Q},
10.368 -where \isa{nat{\isaliteral{5F}{\isacharunderscore}}rec} is the predefined primitive recursor on \isa{nat}.%
10.369 -\end{isamarkuptext}%
10.370 -\isamarkuptrue%
10.371 -%
10.372 -\isadelimproof
10.373 -%
10.374 -\endisadelimproof
10.375 -%
10.376 -\isatagproof
10.377 -%
10.378 -\endisatagproof
10.379 -{\isafoldproof}%
10.380 -%
10.381 -\isadelimproof
10.382 -%
10.383 -\endisadelimproof
10.384 -%
10.385 -\begin{isamarkuptext}%
10.386 -At last we can prove the opposite direction of \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}}:%
10.387 -\end{isamarkuptext}%
10.388 -\isamarkuptrue%
10.389 -\isacommand{theorem}\isamarkupfalse%
10.390 -\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
10.391 -\isadelimproof
10.392 -%
10.393 -\endisadelimproof
10.394 -%
10.395 -\isatagproof
10.396 -%
10.397 -\begin{isamarkuptxt}%
10.398 -\noindent
10.399 -The proof is again pointwise and then by contraposition:%
10.400 -\end{isamarkuptxt}%
10.401 -\isamarkuptrue%
10.402 -\isacommand{apply}\isamarkupfalse%
10.403 -{\isaliteral{28}{\isacharparenleft}}rule\ subsetI{\isaliteral{29}{\isacharparenright}}\isanewline
10.404 -\isacommand{apply}\isamarkupfalse%
10.405 -{\isaliteral{28}{\isacharparenleft}}erule\ contrapos{\isaliteral{5F}{\isacharunderscore}}pp{\isaliteral{29}{\isacharparenright}}\isanewline
10.406 -\isacommand{apply}\isamarkupfalse%
10.407 -\ simp%
10.408 -\begin{isamarkuptxt}%
10.409 -\begin{isabelle}%
10.410 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A%
10.411 -\end{isabelle}
10.412 -Applying the \isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma} as a destruction rule leaves two subgoals, the second
10.413 -premise of \isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma} and the original subgoal:%
10.414 -\end{isamarkuptxt}%
10.415 -\isamarkuptrue%
10.416 -\isacommand{apply}\isamarkupfalse%
10.417 -{\isaliteral{28}{\isacharparenleft}}drule\ infinity{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{29}{\isacharparenright}}%
10.418 -\begin{isamarkuptxt}%
10.419 -\begin{isabelle}%
10.420 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
10.421 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
10.422 -\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A%
10.423 -\end{isabelle}
10.424 -Both are solved automatically:%
10.425 -\end{isamarkuptxt}%
10.426 -\isamarkuptrue%
10.427 -\ \isacommand{apply}\isamarkupfalse%
10.428 -{\isaliteral{28}{\isacharparenleft}}auto\ dest{\isaliteral{3A}{\isacharcolon}}\ not{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp{\isaliteral{5F}{\isacharunderscore}}afD{\isaliteral{29}{\isacharparenright}}\isanewline
10.429 -\isacommand{done}\isamarkupfalse%
10.430 -%
10.431 -\endisatagproof
10.432 -{\isafoldproof}%
10.433 -%
10.434 -\isadelimproof
10.435 -%
10.436 -\endisadelimproof
10.437 -%
10.438 -\begin{isamarkuptext}%
10.439 -If you find these proofs too complicated, we recommend that you read
10.440 -\S\ref{sec:CTL-revisited}, where we show how inductive definitions lead to
10.441 -simpler arguments.
10.442 -
10.443 -The main theorem is proved as for PDL, except that we also derive the
10.444 -necessary equality \isa{lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}} by combining
10.445 -\isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}} and \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}} on the spot:%
10.446 -\end{isamarkuptext}%
10.447 -\isamarkuptrue%
10.448 -\isacommand{theorem}\isamarkupfalse%
10.449 -\ {\isaliteral{22}{\isachardoublequoteopen}}mc\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
10.450 -%
10.451 -\isadelimproof
10.452 -%
10.453 -\endisadelimproof
10.454 -%
10.455 -\isatagproof
10.456 -\isacommand{apply}\isamarkupfalse%
10.457 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ f{\isaliteral{29}{\isacharparenright}}\isanewline
10.458 -\isacommand{apply}\isamarkupfalse%
10.459 -{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ EF{\isaliteral{5F}{\isacharunderscore}}lemma\ equalityI{\isaliteral{5B}{\isacharbrackleft}}OF\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
10.460 -\isacommand{done}\isamarkupfalse%
10.461 -%
10.462 -\endisatagproof
10.463 -{\isafoldproof}%
10.464 -%
10.465 -\isadelimproof
10.466 -%
10.467 -\endisadelimproof
10.468 -%
10.469 -\begin{isamarkuptext}%
10.470 -The language defined above is not quite CTL\@. The latter also includes an
10.471 -until-operator \isa{EU\ f\ g} with semantics ``there \emph{E}xists a path
10.472 -where \isa{f} is true \emph{U}ntil \isa{g} becomes true''. We need
10.473 -an auxiliary function:%
10.474 -\end{isamarkuptext}%
10.475 -\isamarkuptrue%
10.476 -\isacommand{primrec}\isamarkupfalse%
10.477 -\isanewline
10.478 -until{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
10.479 -{\isaliteral{22}{\isachardoublequoteopen}}until\ A\ B\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
10.480 -{\isaliteral{22}{\isachardoublequoteopen}}until\ A\ B\ s\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{23}{\isacharhash}}p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ until\ A\ B\ t\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
10.481 -\begin{isamarkuptext}%
10.482 -\noindent
10.483 -Expressing the semantics of \isa{EU} is now straightforward:
10.484 -\begin{isabelle}%
10.485 -\ \ \ \ \ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EU\ f\ g\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{2E}{\isachardot}}\ until\ {\isaliteral{7B}{\isacharbraceleft}}t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{7B}{\isacharbraceleft}}t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ g{\isaliteral{7D}{\isacharbraceright}}\ s\ p{\isaliteral{29}{\isacharparenright}}%
10.486 -\end{isabelle}
10.487 -Note that \isa{EU} is not definable in terms of the other operators!
10.488 -
10.489 -Model checking \isa{EU} is again a least fixed point construction:
10.490 -\begin{isabelle}%
10.491 -\ \ \ \ \ mc{\isaliteral{28}{\isacharparenleft}}EU\ f\ g{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ lfp{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ mc\ g\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ mc\ f\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
10.492 -\end{isabelle}
10.493 -
10.494 -\begin{exercise}
10.495 -Extend the datatype of formulae by the above until operator
10.496 -and prove the equivalence between semantics and model checking, i.e.\ that
10.497 -\begin{isabelle}%
10.498 -\ \ \ \ \ mc\ {\isaliteral{28}{\isacharparenleft}}EU\ f\ g{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EU\ f\ g{\isaliteral{7D}{\isacharbraceright}}%
10.499 -\end{isabelle}
10.500 -%For readability you may want to annotate {term EU} with its customary syntax
10.501 -%{text[display]"| EU formula formula E[_ U _]"}
10.502 -%which enables you to read and write {text"E[f U g]"} instead of {term"EU f g"}.
10.503 -\end{exercise}
10.504 -For more CTL exercises see, for example, Huth and Ryan \cite{Huth-Ryan-book}.%
10.505 -\end{isamarkuptext}%
10.506 -\isamarkuptrue%
10.507 -%
10.508 -\isadelimproof
10.509 -%
10.510 -\endisadelimproof
10.511 -%
10.512 -\isatagproof
10.513 -%
10.514 -\endisatagproof
10.515 -{\isafoldproof}%
10.516 -%
10.517 -\isadelimproof
10.518 -%
10.519 -\endisadelimproof
10.520 -%
10.521 -\isadelimproof
10.522 -%
10.523 -\endisadelimproof
10.524 -%
10.525 -\isatagproof
10.526 -%
10.527 -\endisatagproof
10.528 -{\isafoldproof}%
10.529 -%
10.530 -\isadelimproof
10.531 -%
10.532 -\endisadelimproof
10.533 -%
10.534 -\isadelimproof
10.535 -%
10.536 -\endisadelimproof
10.537 -%
10.538 -\isatagproof
10.539 -%
10.540 -\endisatagproof
10.541 -{\isafoldproof}%
10.542 -%
10.543 -\isadelimproof
10.544 -%
10.545 -\endisadelimproof
10.546 -%
10.547 -\begin{isamarkuptext}%
10.548 -Let us close this section with a few words about the executability of
10.549 -our model checkers. It is clear that if all sets are finite, they can be
10.550 -represented as lists and the usual set operations are easily
10.551 -implemented. Only \isa{lfp} requires a little thought. Fortunately, theory
10.552 -\isa{While{\isaliteral{5F}{\isacharunderscore}}Combinator} in the Library~\cite{HOL-Library} provides a
10.553 -theorem stating that in the case of finite sets and a monotone
10.554 -function~\isa{F}, the value of \mbox{\isa{lfp\ F}} can be computed by
10.555 -iterated application of \isa{F} to~\isa{{\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{7D}{\isacharbraceright}}} until a fixed point is
10.556 -reached. It is actually possible to generate executable functional programs
10.557 -from HOL definitions, but that is beyond the scope of the tutorial.%
10.558 -\index{CTL|)}%
10.559 -\end{isamarkuptext}%
10.560 -\isamarkuptrue%
10.561 -%
10.562 -\isadelimtheory
10.563 -%
10.564 -\endisadelimtheory
10.565 -%
10.566 -\isatagtheory
10.567 -%
10.568 -\endisatagtheory
10.569 -{\isafoldtheory}%
10.570 -%
10.571 -\isadelimtheory
10.572 -%
10.573 -\endisadelimtheory
10.574 -\end{isabellebody}%
10.575 -%%% Local Variables:
10.576 -%%% mode: latex
10.577 -%%% TeX-master: "root"
10.578 -%%% End:
11.1 --- a/doc-src/TutorialI/CTL/document/CTLind.tex Thu Jul 26 16:08:16 2012 +0200
11.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
11.3 @@ -1,252 +0,0 @@
11.4 -%
11.5 -\begin{isabellebody}%
11.6 -\def\isabellecontext{CTLind}%
11.7 -%
11.8 -\isadelimtheory
11.9 -%
11.10 -\endisadelimtheory
11.11 -%
11.12 -\isatagtheory
11.13 -%
11.14 -\endisatagtheory
11.15 -{\isafoldtheory}%
11.16 -%
11.17 -\isadelimtheory
11.18 -%
11.19 -\endisadelimtheory
11.20 -%
11.21 -\isamarkupsubsection{CTL Revisited%
11.22 -}
11.23 -\isamarkuptrue%
11.24 -%
11.25 -\begin{isamarkuptext}%
11.26 -\label{sec:CTL-revisited}
11.27 -\index{CTL|(}%
11.28 -The purpose of this section is twofold: to demonstrate
11.29 -some of the induction principles and heuristics discussed above and to
11.30 -show how inductive definitions can simplify proofs.
11.31 -In \S\ref{sec:CTL} we gave a fairly involved proof of the correctness of a
11.32 -model checker for CTL\@. In particular the proof of the
11.33 -\isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma} on the way to \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}} is not as
11.34 -simple as one might expect, due to the \isa{SOME} operator
11.35 -involved. Below we give a simpler proof of \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}}
11.36 -based on an auxiliary inductive definition.
11.37 -
11.38 -Let us call a (finite or infinite) path \emph{\isa{A}-avoiding} if it does
11.39 -not touch any node in the set \isa{A}. Then \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}} says
11.40 -that if no infinite path from some state \isa{s} is \isa{A}-avoiding,
11.41 -then \isa{s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. We prove this by inductively defining the set
11.42 -\isa{Avoid\ s\ A} of states reachable from \isa{s} by a finite \isa{A}-avoiding path:
11.43 -% Second proof of opposite direction, directly by well-founded induction
11.44 -% on the initial segment of M that avoids A.%
11.45 -\end{isamarkuptext}%
11.46 -\isamarkuptrue%
11.47 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
11.48 -\isanewline
11.49 -\ \ Avoid\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
11.50 -\ \ \isakeyword{for}\ s\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ state\ \isakeyword{and}\ A\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
11.51 -\isakeyword{where}\isanewline
11.52 -\ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
11.53 -\ \ {\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{3B}{\isacharsemicolon}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{2C}{\isacharcomma}}u{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ u\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{22}{\isachardoublequoteclose}}%
11.54 -\begin{isamarkuptext}%
11.55 -It is easy to see that for any infinite \isa{A}-avoiding path \isa{f}
11.56 -with \isa{f\ {\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A} there is an infinite \isa{A}-avoiding path
11.57 -starting with \isa{s} because (by definition of \isa{Avoid}) there is a
11.58 -finite \isa{A}-avoiding path from \isa{s} to \isa{f\ {\isadigit{0}}}.
11.59 -The proof is by induction on \isa{f\ {\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A}. However,
11.60 -this requires the following
11.61 -reformulation, as explained in \S\ref{sec:ind-var-in-prems} above;
11.62 -the \isa{rule{\isaliteral{5F}{\isacharunderscore}}format} directive undoes the reformulation after the proof.%
11.63 -\end{isamarkuptext}%
11.64 -\isamarkuptrue%
11.65 -\isacommand{lemma}\isamarkupfalse%
11.66 -\ ex{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}path{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
11.67 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
11.68 -\ \ \ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}f{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ f\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
11.69 -%
11.70 -\isadelimproof
11.71 -%
11.72 -\endisadelimproof
11.73 -%
11.74 -\isatagproof
11.75 -\isacommand{apply}\isamarkupfalse%
11.76 -{\isaliteral{28}{\isacharparenleft}}erule\ Avoid{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
11.77 -\ \isacommand{apply}\isamarkupfalse%
11.78 -{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
11.79 -\isacommand{apply}\isamarkupfalse%
11.80 -{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
11.81 -\isacommand{apply}\isamarkupfalse%
11.82 -{\isaliteral{28}{\isacharparenleft}}drule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ case\ i\ of\ {\isadigit{0}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ t\ {\isaliteral{7C}{\isacharbar}}\ Suc\ i\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ f\ i{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ bspec{\isaliteral{29}{\isacharparenright}}\isanewline
11.83 -\isacommand{apply}\isamarkupfalse%
11.84 -{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{5F}{\isacharunderscore}}all\ add{\isaliteral{3A}{\isacharcolon}}\ Paths{\isaliteral{5F}{\isacharunderscore}}def\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}\isanewline
11.85 -\isacommand{done}\isamarkupfalse%
11.86 -%
11.87 -\endisatagproof
11.88 -{\isafoldproof}%
11.89 -%
11.90 -\isadelimproof
11.91 -%
11.92 -\endisadelimproof
11.93 -%
11.94 -\begin{isamarkuptext}%
11.95 -\noindent
11.96 -The base case (\isa{t\ {\isaliteral{3D}{\isacharequal}}\ s}) is trivial and proved by \isa{blast}.
11.97 -In the induction step, we have an infinite \isa{A}-avoiding path \isa{f}
11.98 -starting from \isa{u}, a successor of \isa{t}. Now we simply instantiate
11.99 -the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}f{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ t} in the induction hypothesis by the path starting with
11.100 -\isa{t} and continuing with \isa{f}. That is what the above $\lambda$-term
11.101 -expresses. Simplification shows that this is a path starting with \isa{t}
11.102 -and that the instantiated induction hypothesis implies the conclusion.
11.103 -
11.104 -Now we come to the key lemma. Assuming that no infinite \isa{A}-avoiding
11.105 -path starts from \isa{s}, we want to show \isa{s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. For the
11.106 -inductive proof this must be generalized to the statement that every point \isa{t}
11.107 -``between'' \isa{s} and \isa{A}, in other words all of \isa{Avoid\ s\ A},
11.108 -is contained in \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}:%
11.109 -\end{isamarkuptext}%
11.110 -\isamarkuptrue%
11.111 -\isacommand{lemma}\isamarkupfalse%
11.112 -\ Avoid{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
11.113 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
11.114 -\isadelimproof
11.115 -%
11.116 -\endisadelimproof
11.117 -%
11.118 -\isatagproof
11.119 -%
11.120 -\begin{isamarkuptxt}%
11.121 -\noindent
11.122 -The proof is by induction on the ``distance'' between \isa{t} and \isa{A}. Remember that \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}.
11.123 -If \isa{t} is already in \isa{A}, then \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}} is
11.124 -trivial. If \isa{t} is not in \isa{A} but all successors are in
11.125 -\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}} (induction hypothesis), then \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}} is
11.126 -again trivial.
11.127 -
11.128 -The formal counterpart of this proof sketch is a well-founded induction
11.129 -on~\isa{M} restricted to \isa{Avoid\ s\ A\ {\isaliteral{2D}{\isacharminus}}\ A}, roughly speaking:
11.130 -\begin{isabelle}%
11.131 -\ \ \ \ \ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{7D}{\isacharbraceright}}%
11.132 -\end{isabelle}
11.133 -As we shall see presently, the absence of infinite \isa{A}-avoiding paths
11.134 -starting from \isa{s} implies well-foundedness of this relation. For the
11.135 -moment we assume this and proceed with the induction:%
11.136 -\end{isamarkuptxt}%
11.137 -\isamarkuptrue%
11.138 -\isacommand{apply}\isamarkupfalse%
11.139 -{\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\ {\isaliteral{22}{\isachardoublequoteopen}}wf{\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
11.140 -\ \isacommand{apply}\isamarkupfalse%
11.141 -{\isaliteral{28}{\isacharparenleft}}erule{\isaliteral{5F}{\isacharunderscore}}tac\ a\ {\isaliteral{3D}{\isacharequal}}\ t\ \isakeyword{in}\ wf{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
11.142 -\ \isacommand{apply}\isamarkupfalse%
11.143 -{\isaliteral{28}{\isacharparenleft}}clarsimp{\isaliteral{29}{\isacharparenright}}%
11.144 -\begin{isamarkuptxt}%
11.145 -\noindent
11.146 -\begin{isabelle}%
11.147 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{3B}{\isacharsemicolon}}\isanewline
11.148 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ \ }{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
11.149 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ \ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ }y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
11.150 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ \ }t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
11.151 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\isanewline
11.152 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
11.153 -\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ }wf\ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{7D}{\isacharbraceright}}%
11.154 -\end{isabelle}
11.155 -Now the induction hypothesis states that if \isa{t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A}
11.156 -then all successors of \isa{t} that are in \isa{Avoid\ s\ A} are in
11.157 -\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. Unfolding \isa{lfp} in the conclusion of the first
11.158 -subgoal once, we have to prove that \isa{t} is in \isa{A} or all successors
11.159 -of \isa{t} are in \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. But if \isa{t} is not in \isa{A},
11.160 -the second
11.161 -\isa{Avoid}-rule implies that all successors of \isa{t} are in
11.162 -\isa{Avoid\ s\ A}, because we also assume \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A}.
11.163 -Hence, by the induction hypothesis, all successors of \isa{t} are indeed in
11.164 -\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. Mechanically:%
11.165 -\end{isamarkuptxt}%
11.166 -\isamarkuptrue%
11.167 -\ \isacommand{apply}\isamarkupfalse%
11.168 -{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}af{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
11.169 -\ \isacommand{apply}\isamarkupfalse%
11.170 -{\isaliteral{28}{\isacharparenleft}}simp\ {\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}\ add{\isaliteral{3A}{\isacharcolon}}\ af{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
11.171 -\ \isacommand{apply}\isamarkupfalse%
11.172 -{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ Avoid{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}%
11.173 -\begin{isamarkuptxt}%
11.174 -Having proved the main goal, we return to the proof obligation that the
11.175 -relation used above is indeed well-founded. This is proved by contradiction: if
11.176 -the relation is not well-founded then there exists an infinite \isa{A}-avoiding path all in \isa{Avoid\ s\ A}, by theorem
11.177 -\isa{wf{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}down{\isaliteral{5F}{\isacharunderscore}}chain}:
11.178 -\begin{isabelle}%
11.179 -\ \ \ \ \ wf\ r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}f{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}Suc\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{2C}{\isacharcomma}}\ f\ i{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
11.180 -\end{isabelle}
11.181 -From lemma \isa{ex{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}path} the existence of an infinite
11.182 -\isa{A}-avoiding path starting in \isa{s} follows, contradiction.%
11.183 -\end{isamarkuptxt}%
11.184 -\isamarkuptrue%
11.185 -\isacommand{apply}\isamarkupfalse%
11.186 -{\isaliteral{28}{\isacharparenleft}}erule\ contrapos{\isaliteral{5F}{\isacharunderscore}}pp{\isaliteral{29}{\isacharparenright}}\isanewline
11.187 -\isacommand{apply}\isamarkupfalse%
11.188 -{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ wf{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}down{\isaliteral{5F}{\isacharunderscore}}chain{\isaliteral{29}{\isacharparenright}}\isanewline
11.189 -\isacommand{apply}\isamarkupfalse%
11.190 -{\isaliteral{28}{\isacharparenleft}}erule\ exE{\isaliteral{29}{\isacharparenright}}\isanewline
11.191 -\isacommand{apply}\isamarkupfalse%
11.192 -{\isaliteral{28}{\isacharparenleft}}rule\ ex{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}path{\isaliteral{29}{\isacharparenright}}\isanewline
11.193 -\isacommand{apply}\isamarkupfalse%
11.194 -{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ Paths{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
11.195 -\isacommand{done}\isamarkupfalse%
11.196 -%
11.197 -\endisatagproof
11.198 -{\isafoldproof}%
11.199 -%
11.200 -\isadelimproof
11.201 -%
11.202 -\endisadelimproof
11.203 -%
11.204 -\begin{isamarkuptext}%
11.205 -The \isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}} modifier of the \isa{rule{\isaliteral{5F}{\isacharunderscore}}format} directive in the
11.206 -statement of the lemma means
11.207 -that the assumption is left unchanged; otherwise the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p}
11.208 -would be turned
11.209 -into a \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}p}, which would complicate matters below. As it is,
11.210 -\isa{Avoid{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp} is now
11.211 -\begin{isabelle}%
11.212 -\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{3B}{\isacharsemicolon}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}%
11.213 -\end{isabelle}
11.214 -The main theorem is simply the corollary where \isa{t\ {\isaliteral{3D}{\isacharequal}}\ s},
11.215 -when the assumption \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A} is trivially true
11.216 -by the first \isa{Avoid}-rule. Isabelle confirms this:%
11.217 -\index{CTL|)}%
11.218 -\end{isamarkuptext}%
11.219 -\isamarkuptrue%
11.220 -\isacommand{theorem}\isamarkupfalse%
11.221 -\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}\ i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
11.222 -%
11.223 -\isadelimproof
11.224 -%
11.225 -\endisadelimproof
11.226 -%
11.227 -\isatagproof
11.228 -\isacommand{by}\isamarkupfalse%
11.229 -{\isaliteral{28}{\isacharparenleft}}auto\ elim{\isaliteral{3A}{\isacharcolon}}\ Avoid{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp\ intro{\isaliteral{3A}{\isacharcolon}}\ Avoid{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
11.230 -\isanewline
11.231 -%
11.232 -\endisatagproof
11.233 -{\isafoldproof}%
11.234 -%
11.235 -\isadelimproof
11.236 -%
11.237 -\endisadelimproof
11.238 -%
11.239 -\isadelimtheory
11.240 -%
11.241 -\endisadelimtheory
11.242 -%
11.243 -\isatagtheory
11.244 -%
11.245 -\endisatagtheory
11.246 -{\isafoldtheory}%
11.247 -%
11.248 -\isadelimtheory
11.249 -%
11.250 -\endisadelimtheory
11.251 -\end{isabellebody}%
11.252 -%%% Local Variables:
11.253 -%%% mode: latex
11.254 -%%% TeX-master: "root"
11.255 -%%% End:
12.1 --- a/doc-src/TutorialI/CTL/document/PDL.tex Thu Jul 26 16:08:16 2012 +0200
12.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
12.3 @@ -1,342 +0,0 @@
12.4 -%
12.5 -\begin{isabellebody}%
12.6 -\def\isabellecontext{PDL}%
12.7 -%
12.8 -\isadelimtheory
12.9 -%
12.10 -\endisadelimtheory
12.11 -%
12.12 -\isatagtheory
12.13 -%
12.14 -\endisatagtheory
12.15 -{\isafoldtheory}%
12.16 -%
12.17 -\isadelimtheory
12.18 -%
12.19 -\endisadelimtheory
12.20 -%
12.21 -\isamarkupsubsection{Propositional Dynamic Logic --- PDL%
12.22 -}
12.23 -\isamarkuptrue%
12.24 -%
12.25 -\begin{isamarkuptext}%
12.26 -\index{PDL|(}
12.27 -The formulae of PDL are built up from atomic propositions via
12.28 -negation and conjunction and the two temporal
12.29 -connectives \isa{AX} and \isa{EF}\@. Since formulae are essentially
12.30 -syntax trees, they are naturally modelled as a datatype:%
12.31 -\footnote{The customary definition of PDL
12.32 -\cite{HarelKT-DL} looks quite different from ours, but the two are easily
12.33 -shown to be equivalent.}%
12.34 -\end{isamarkuptext}%
12.35 -\isamarkuptrue%
12.36 -\isacommand{datatype}\isamarkupfalse%
12.37 -\ formula\ {\isaliteral{3D}{\isacharequal}}\ Atom\ {\isaliteral{22}{\isachardoublequoteopen}}atom{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
12.38 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Neg\ formula\isanewline
12.39 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ And\ formula\ formula\isanewline
12.40 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ AX\ formula\isanewline
12.41 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ EF\ formula%
12.42 -\begin{isamarkuptext}%
12.43 -\noindent
12.44 -This resembles the boolean expression case study in
12.45 -\S\ref{sec:boolex}.
12.46 -A validity relation between states and formulae specifies the semantics.
12.47 -The syntax annotation allows us to write \isa{s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f} instead of
12.48 -\hbox{\isa{valid\ s\ f}}. The definition is by recursion over the syntax:%
12.49 -\end{isamarkuptext}%
12.50 -\isamarkuptrue%
12.51 -\isacommand{primrec}\isamarkupfalse%
12.52 -\ valid\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ formula\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isadigit{8}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}{\isadigit{8}}{\isadigit{0}}{\isaliteral{5D}{\isacharbrackright}}\ {\isadigit{8}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
12.53 -\isakeyword{where}\isanewline
12.54 -{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ Atom\ a\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ L\ s{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
12.55 -{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ Neg\ f\ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}{\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
12.56 -{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ And\ f\ g\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f\ {\isaliteral{5C3C616E643E}{\isasymand}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ g{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
12.57 -{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ AX\ f\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
12.58 -{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EF\ f\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
12.59 -\begin{isamarkuptext}%
12.60 -\noindent
12.61 -The first three equations should be self-explanatory. The temporal formula
12.62 -\isa{AX\ f} means that \isa{f} is true in \emph{A}ll ne\emph{X}t states whereas
12.63 -\isa{EF\ f} means that there \emph{E}xists some \emph{F}uture state in which \isa{f} is
12.64 -true. The future is expressed via \isa{\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}}, the reflexive transitive
12.65 -closure. Because of reflexivity, the future includes the present.
12.66 -
12.67 -Now we come to the model checker itself. It maps a formula into the
12.68 -set of states where the formula is true. It too is defined by
12.69 -recursion over the syntax:%
12.70 -\end{isamarkuptext}%
12.71 -\isamarkuptrue%
12.72 -\isacommand{primrec}\isamarkupfalse%
12.73 -\ mc\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}formula\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
12.74 -{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}Atom\ a{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ L\ s{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
12.75 -{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}Neg\ f{\isaliteral{29}{\isacharparenright}}\ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2D}{\isacharminus}}mc\ f{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
12.76 -{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}And\ f\ g{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ mc\ f\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ mc\ g{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
12.77 -{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}AX\ f{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ \ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ mc\ f{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
12.78 -{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}EF\ f{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ lfp{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ mc\ f\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
12.79 -\begin{isamarkuptext}%
12.80 -\noindent
12.81 -Only the equation for \isa{EF} deserves some comments. Remember that the
12.82 -postfix \isa{{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}} and the infix \isa{{\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}} are predefined and denote the
12.83 -converse of a relation and the image of a set under a relation. Thus
12.84 -\isa{M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T} is the set of all predecessors of \isa{T} and the least
12.85 -fixed point (\isa{lfp}) of \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ mc\ f\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T} is the least set
12.86 -\isa{T} containing \isa{mc\ f} and all predecessors of \isa{T}. If you
12.87 -find it hard to see that \isa{mc\ {\isaliteral{28}{\isacharparenleft}}EF\ f{\isaliteral{29}{\isacharparenright}}} contains exactly those states from
12.88 -which there is a path to a state where \isa{f} is true, do not worry --- this
12.89 -will be proved in a moment.
12.90 -
12.91 -First we prove monotonicity of the function inside \isa{lfp}
12.92 -in order to make sure it really has a least fixed point.%
12.93 -\end{isamarkuptext}%
12.94 -\isamarkuptrue%
12.95 -\isacommand{lemma}\isamarkupfalse%
12.96 -\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}mono{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
12.97 -%
12.98 -\isadelimproof
12.99 -%
12.100 -\endisadelimproof
12.101 -%
12.102 -\isatagproof
12.103 -\isacommand{apply}\isamarkupfalse%
12.104 -{\isaliteral{28}{\isacharparenleft}}rule\ monoI{\isaliteral{29}{\isacharparenright}}\isanewline
12.105 -\isacommand{apply}\isamarkupfalse%
12.106 -\ blast\isanewline
12.107 -\isacommand{done}\isamarkupfalse%
12.108 -%
12.109 -\endisatagproof
12.110 -{\isafoldproof}%
12.111 -%
12.112 -\isadelimproof
12.113 -%
12.114 -\endisadelimproof
12.115 -%
12.116 -\begin{isamarkuptext}%
12.117 -\noindent
12.118 -Now we can relate model checking and semantics. For the \isa{EF} case we need
12.119 -a separate lemma:%
12.120 -\end{isamarkuptext}%
12.121 -\isamarkuptrue%
12.122 -\isacommand{lemma}\isamarkupfalse%
12.123 -\ EF{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{3A}{\isacharcolon}}\isanewline
12.124 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}lfp{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
12.125 -\isadelimproof
12.126 -%
12.127 -\endisadelimproof
12.128 -%
12.129 -\isatagproof
12.130 -%
12.131 -\begin{isamarkuptxt}%
12.132 -\noindent
12.133 -The equality is proved in the canonical fashion by proving that each set
12.134 -includes the other; the inclusion is shown pointwise:%
12.135 -\end{isamarkuptxt}%
12.136 -\isamarkuptrue%
12.137 -\isacommand{apply}\isamarkupfalse%
12.138 -{\isaliteral{28}{\isacharparenleft}}rule\ equalityI{\isaliteral{29}{\isacharparenright}}\isanewline
12.139 -\ \isacommand{apply}\isamarkupfalse%
12.140 -{\isaliteral{28}{\isacharparenleft}}rule\ subsetI{\isaliteral{29}{\isacharparenright}}\isanewline
12.141 -\ \isacommand{apply}\isamarkupfalse%
12.142 -{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
12.143 -\begin{isamarkuptxt}%
12.144 -\noindent
12.145 -Simplification leaves us with the following first subgoal
12.146 -\begin{isabelle}%
12.147 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A%
12.148 -\end{isabelle}
12.149 -which is proved by \isa{lfp}-induction:%
12.150 -\end{isamarkuptxt}%
12.151 -\isamarkuptrue%
12.152 -\ \isacommand{apply}\isamarkupfalse%
12.153 -{\isaliteral{28}{\isacharparenleft}}erule\ lfp{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{5F}{\isacharunderscore}}set{\isaliteral{29}{\isacharparenright}}\isanewline
12.154 -\ \ \isacommand{apply}\isamarkupfalse%
12.155 -{\isaliteral{28}{\isacharparenleft}}rule\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{29}{\isacharparenright}}\isanewline
12.156 -\ \isacommand{apply}\isamarkupfalse%
12.157 -{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
12.158 -\begin{isamarkuptxt}%
12.159 -\noindent
12.160 -Having disposed of the monotonicity subgoal,
12.161 -simplification leaves us with the following goal:
12.162 -\begin{isabelle}
12.163 -\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymin}\ A\ {\isasymor}\isanewline
12.164 -\ \ \ \ \ \ \ \ \ x\ {\isasymin}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ {\isacharparenleft}lfp\ {\isacharparenleft}\dots{\isacharparenright}\ {\isasyminter}\ {\isacharbraceleft}x{\isachardot}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A{\isacharbraceright}{\isacharparenright}\isanewline
12.165 -\ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A
12.166 -\end{isabelle}
12.167 -It is proved by \isa{blast}, using the transitivity of
12.168 -\isa{M\isactrlsup {\isacharasterisk}}.%
12.169 -\end{isamarkuptxt}%
12.170 -\isamarkuptrue%
12.171 -\ \isacommand{apply}\isamarkupfalse%
12.172 -{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtrancl{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{29}{\isacharparenright}}%
12.173 -\begin{isamarkuptxt}%
12.174 -We now return to the second set inclusion subgoal, which is again proved
12.175 -pointwise:%
12.176 -\end{isamarkuptxt}%
12.177 -\isamarkuptrue%
12.178 -\isacommand{apply}\isamarkupfalse%
12.179 -{\isaliteral{28}{\isacharparenleft}}rule\ subsetI{\isaliteral{29}{\isacharparenright}}\isanewline
12.180 -\isacommand{apply}\isamarkupfalse%
12.181 -{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{2C}{\isacharcomma}}\ clarify{\isaliteral{29}{\isacharparenright}}%
12.182 -\begin{isamarkuptxt}%
12.183 -\noindent
12.184 -After simplification and clarification we are left with
12.185 -\begin{isabelle}%
12.186 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}%
12.187 -\end{isabelle}
12.188 -This goal is proved by induction on \isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}}. But since the model
12.189 -checker works backwards (from \isa{t} to \isa{s}), we cannot use the
12.190 -induction theorem \isa{rtrancl{\isaliteral{5F}{\isacharunderscore}}induct}: it works in the
12.191 -forward direction. Fortunately the converse induction theorem
12.192 -\isa{converse{\isaliteral{5F}{\isacharunderscore}}rtrancl{\isaliteral{5F}{\isacharunderscore}}induct} already exists:
12.193 -\begin{isabelle}%
12.194 -\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ P\ b{\isaliteral{3B}{\isacharsemicolon}}\isanewline
12.195 -\isaindent{\ \ \ \ \ \ }{\isaliteral{5C3C416E643E}{\isasymAnd}}y\ z{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}z{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ P\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ y{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
12.196 -\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ a%
12.197 -\end{isabelle}
12.198 -It says that if \isa{{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}} and we know \isa{P\ b} then we can infer
12.199 -\isa{P\ a} provided each step backwards from a predecessor \isa{z} of
12.200 -\isa{b} preserves \isa{P}.%
12.201 -\end{isamarkuptxt}%
12.202 -\isamarkuptrue%
12.203 -\isacommand{apply}\isamarkupfalse%
12.204 -{\isaliteral{28}{\isacharparenleft}}erule\ converse{\isaliteral{5F}{\isacharunderscore}}rtrancl{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}%
12.205 -\begin{isamarkuptxt}%
12.206 -\noindent
12.207 -The base case
12.208 -\begin{isabelle}%
12.209 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}%
12.210 -\end{isabelle}
12.211 -is solved by unrolling \isa{lfp} once%
12.212 -\end{isamarkuptxt}%
12.213 -\isamarkuptrue%
12.214 -\ \isacommand{apply}\isamarkupfalse%
12.215 -{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}%
12.216 -\begin{isamarkuptxt}%
12.217 -\begin{isabelle}%
12.218 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}%
12.219 -\end{isabelle}
12.220 -and disposing of the resulting trivial subgoal automatically:%
12.221 -\end{isamarkuptxt}%
12.222 -\isamarkuptrue%
12.223 -\ \isacommand{apply}\isamarkupfalse%
12.224 -{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}%
12.225 -\begin{isamarkuptxt}%
12.226 -\noindent
12.227 -The proof of the induction step is identical to the one for the base case:%
12.228 -\end{isamarkuptxt}%
12.229 -\isamarkuptrue%
12.230 -\isacommand{apply}\isamarkupfalse%
12.231 -{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
12.232 -\isacommand{apply}\isamarkupfalse%
12.233 -{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
12.234 -\isacommand{done}\isamarkupfalse%
12.235 -%
12.236 -\endisatagproof
12.237 -{\isafoldproof}%
12.238 -%
12.239 -\isadelimproof
12.240 -%
12.241 -\endisadelimproof
12.242 -%
12.243 -\begin{isamarkuptext}%
12.244 -The main theorem is proved in the familiar manner: induction followed by
12.245 -\isa{auto} augmented with the lemma as a simplification rule.%
12.246 -\end{isamarkuptext}%
12.247 -\isamarkuptrue%
12.248 -\isacommand{theorem}\isamarkupfalse%
12.249 -\ {\isaliteral{22}{\isachardoublequoteopen}}mc\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
12.250 -%
12.251 -\isadelimproof
12.252 -%
12.253 -\endisadelimproof
12.254 -%
12.255 -\isatagproof
12.256 -\isacommand{apply}\isamarkupfalse%
12.257 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ f{\isaliteral{29}{\isacharparenright}}\isanewline
12.258 -\isacommand{apply}\isamarkupfalse%
12.259 -{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ EF{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{29}{\isacharparenright}}\isanewline
12.260 -\isacommand{done}\isamarkupfalse%
12.261 -%
12.262 -\endisatagproof
12.263 -{\isafoldproof}%
12.264 -%
12.265 -\isadelimproof
12.266 -%
12.267 -\endisadelimproof
12.268 -%
12.269 -\begin{isamarkuptext}%
12.270 -\begin{exercise}
12.271 -\isa{AX} has a dual operator \isa{EN}
12.272 -(``there exists a next state such that'')%
12.273 -\footnote{We cannot use the customary \isa{EX}: it is reserved
12.274 -as the \textsc{ascii}-equivalent of \isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}}.}
12.275 -with the intended semantics
12.276 -\begin{isabelle}%
12.277 -\ \ \ \ \ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EN\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}%
12.278 -\end{isabelle}
12.279 -Fortunately, \isa{EN\ f} can already be expressed as a PDL formula. How?
12.280 -
12.281 -Show that the semantics for \isa{EF} satisfies the following recursion equation:
12.282 -\begin{isabelle}%
12.283 -\ \ \ \ \ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EF\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f\ {\isaliteral{5C3C6F723E}{\isasymor}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EN\ {\isaliteral{28}{\isacharparenleft}}EF\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
12.284 -\end{isabelle}
12.285 -\end{exercise}
12.286 -\index{PDL|)}%
12.287 -\end{isamarkuptext}%
12.288 -\isamarkuptrue%
12.289 -%
12.290 -\isadelimproof
12.291 -%
12.292 -\endisadelimproof
12.293 -%
12.294 -\isatagproof
12.295 -%
12.296 -\endisatagproof
12.297 -{\isafoldproof}%
12.298 -%
12.299 -\isadelimproof
12.300 -%
12.301 -\endisadelimproof
12.302 -%
12.303 -\isadelimproof
12.304 -%
12.305 -\endisadelimproof
12.306 -%
12.307 -\isatagproof
12.308 -%
12.309 -\endisatagproof
12.310 -{\isafoldproof}%
12.311 -%
12.312 -\isadelimproof
12.313 -%
12.314 -\endisadelimproof
12.315 -%
12.316 -\isadelimproof
12.317 -%
12.318 -\endisadelimproof
12.319 -%
12.320 -\isatagproof
12.321 -%
12.322 -\endisatagproof
12.323 -{\isafoldproof}%
12.324 -%
12.325 -\isadelimproof
12.326 -%
12.327 -\endisadelimproof
12.328 -%
12.329 -\isadelimtheory
12.330 -%
12.331 -\endisadelimtheory
12.332 -%
12.333 -\isatagtheory
12.334 -%
12.335 -\endisatagtheory
12.336 -{\isafoldtheory}%
12.337 -%
12.338 -\isadelimtheory
12.339 -%
12.340 -\endisadelimtheory
12.341 -\end{isabellebody}%
12.342 -%%% Local Variables:
12.343 -%%% mode: latex
12.344 -%%% TeX-master: "root"
12.345 -%%% End:
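--- a/doc-src/TutorialI/CodeGen/ROOT.ML
+++ /dev/null
@@ -1,2 +0,0 @@
-use "../settings.ML";
-use_thy "CodeGen";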
14.1 --- a/doc-src/TutorialI/CodeGen/document/CodeGen.tex Thu Jul 26 16:08:16 2012 +0200
14.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
14.3 @@ -1,237 +0,0 @@
14.4 -%
14.5 -\begin{isabellebody}%
14.6 -\def\isabellecontext{CodeGen}%
14.7 -%
14.8 -\isadelimtheory
14.9 -%
14.10 -\endisadelimtheory
14.11 -%
14.12 -\isatagtheory
14.13 -%
14.14 -\endisatagtheory
14.15 -{\isafoldtheory}%
14.16 -%
14.17 -\isadelimtheory
14.18 -%
14.19 -\endisadelimtheory
14.20 -%
14.21 -\isamarkupsection{Case Study: Compiling Expressions%
14.22 -}
14.23 -\isamarkuptrue%
14.24 -%
14.25 -\begin{isamarkuptext}%
14.26 -\label{sec:ExprCompiler}
14.27 -\index{compiling expressions example|(}%
14.28 -The task is to develop a compiler from a generic type of expressions (built
14.29 -from variables, constants and binary operations) to a stack machine. This
14.30 -generic type of expressions is a generalization of the boolean expressions in
14.31 -\S\ref{sec:boolex}. This time we do not commit ourselves to a particular
14.32 -type of variables or values but make them type parameters. Neither is there
14.33 -a fixed set of binary operations: instead the expression contains the
14.34 -appropriate function itself.%
14.35 -\end{isamarkuptext}%
14.36 -\isamarkuptrue%
14.37 -\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
14.38 -\ {\isaliteral{27}{\isacharprime}}v\ binop\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
14.39 -\isacommand{datatype}\isamarkupfalse%
14.40 -\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr\ {\isaliteral{3D}{\isacharequal}}\ Cex\ {\isaliteral{27}{\isacharprime}}v\isanewline
14.41 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Vex\ {\isaliteral{27}{\isacharprime}}a\isanewline
14.42 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Bex\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ binop{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr{\isaliteral{22}{\isachardoublequoteclose}}%
14.43 -\begin{isamarkuptext}%
14.44 -\noindent
14.45 -The three constructors represent constants, variables and the application of
14.46 -a binary operation to two subexpressions.
14.47 -
14.48 -The value of an expression with respect to an environment that maps variables to
14.49 -values is easily defined:%
14.50 -\end{isamarkuptext}%
14.51 -\isamarkuptrue%
14.52 -\isacommand{primrec}\isamarkupfalse%
14.53 -\ {\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
14.54 -{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Cex\ v{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ v{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
14.55 -{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Vex\ a{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ env\ a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
14.56 -{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Bex\ f\ e{\isadigit{1}}\ e{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{28}{\isacharparenleft}}value\ e{\isadigit{1}}\ env{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}value\ e{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
14.57 -\begin{isamarkuptext}%
14.58 -The stack machine has three instructions: load a constant value onto the
14.59 -stack, load the contents of an address onto the stack, and apply a
14.60 -binary operation to the two topmost elements of the stack, replacing them by
14.61 -the result. As for \isa{expr}, addresses and values are type parameters:%
14.62 -\end{isamarkuptext}%
14.63 -\isamarkuptrue%
14.64 -\isacommand{datatype}\isamarkupfalse%
14.65 -\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ instr\ {\isaliteral{3D}{\isacharequal}}\ Const\ {\isaliteral{27}{\isacharprime}}v\isanewline
14.66 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Load\ {\isaliteral{27}{\isacharprime}}a\isanewline
14.67 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Apply\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ binop{\isaliteral{22}{\isachardoublequoteclose}}%
14.68 -\begin{isamarkuptext}%
14.69 -The execution of the stack machine is modelled by a function
14.70 -\isa{exec} that takes a list of instructions, a store (modelled as a
14.71 -function from addresses to values, just like the environment for
14.72 -evaluating expressions), and a stack (modelled as a list) of values,
14.73 -and returns the stack at the end of the execution --- the store remains
14.74 -unchanged:%
14.75 -\end{isamarkuptext}%
14.76 -\isamarkuptrue%
14.77 -\isacommand{primrec}\isamarkupfalse%
14.78 -\ exec\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}instr\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ list{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
14.79 -\isakeyword{where}\isanewline
14.80 -{\isaliteral{22}{\isachardoublequoteopen}}exec\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ vs{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
14.81 -{\isaliteral{22}{\isachardoublequoteopen}}exec\ {\isaliteral{28}{\isacharparenleft}}i{\isaliteral{23}{\isacharhash}}is{\isaliteral{29}{\isacharparenright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ i\ of\isanewline
14.82 -\ \ \ \ Const\ v\ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ exec\ is\ s\ {\isaliteral{28}{\isacharparenleft}}v{\isaliteral{23}{\isacharhash}}vs{\isaliteral{29}{\isacharparenright}}\isanewline
14.83 -\ \ {\isaliteral{7C}{\isacharbar}}\ Load\ a\ \ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ exec\ is\ s\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}s\ a{\isaliteral{29}{\isacharparenright}}{\isaliteral{23}{\isacharhash}}vs{\isaliteral{29}{\isacharparenright}}\isanewline
14.84 -\ \ {\isaliteral{7C}{\isacharbar}}\ Apply\ f\ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ exec\ is\ s\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}hd\ vs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}hd{\isaliteral{28}{\isacharparenleft}}tl\ vs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{23}{\isacharhash}}{\isaliteral{28}{\isacharparenleft}}tl{\isaliteral{28}{\isacharparenleft}}tl\ vs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
14.85 -\begin{isamarkuptext}%
14.86 -\noindent
14.87 -Recall that \isa{hd} and \isa{tl}
14.88 -return the first element and the remainder of a list.
14.89 -Because all functions are total, \cdx{hd} is defined even for the empty
14.90 -list, although we do not know what the result is. Thus our model of the
14.91 -machine always terminates properly, although the definition above does not
14.92 -tell us much about the result in situations where \isa{Apply} was executed
14.93 -with fewer than two elements on the stack.
14.94 -
14.95 -The compiler is a function from expressions to a list of instructions. Its
14.96 -definition is obvious:%
14.97 -\end{isamarkuptext}%
14.98 -\isamarkuptrue%
14.99 -\isacommand{primrec}\isamarkupfalse%
14.100 -\ compile\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}instr\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
14.101 -{\isaliteral{22}{\isachardoublequoteopen}}compile\ {\isaliteral{28}{\isacharparenleft}}Cex\ v{\isaliteral{29}{\isacharparenright}}\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}Const\ v{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
14.102 -{\isaliteral{22}{\isachardoublequoteopen}}compile\ {\isaliteral{28}{\isacharparenleft}}Vex\ a{\isaliteral{29}{\isacharparenright}}\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}Load\ a{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
14.103 -{\isaliteral{22}{\isachardoublequoteopen}}compile\ {\isaliteral{28}{\isacharparenleft}}Bex\ f\ e{\isadigit{1}}\ e{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}Apply\ f{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
14.104 -\begin{isamarkuptext}%
14.105 -Now we have to prove the correctness of the compiler, i.e.\ that the
14.106 -execution of a compiled expression results in the value of the expression:%
14.107 -\end{isamarkuptext}%
14.108 -\isamarkuptrue%
14.109 -\isacommand{theorem}\isamarkupfalse%
14.110 -\ {\isaliteral{22}{\isachardoublequoteopen}}exec\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isaliteral{29}{\isacharparenright}}\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}value\ e\ s{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
14.111 -\isadelimproof
14.112 -%
14.113 -\endisadelimproof
14.114 -%
14.115 -\isatagproof
14.116 -%
14.117 -\endisatagproof
14.118 -{\isafoldproof}%
14.119 -%
14.120 -\isadelimproof
14.121 -%
14.122 -\endisadelimproof
14.123 -%
14.124 -\begin{isamarkuptext}%
14.125 -\noindent
14.126 -This theorem needs to be generalized:%
14.127 -\end{isamarkuptext}%
14.128 -\isamarkuptrue%
14.129 -\isacommand{theorem}\isamarkupfalse%
14.130 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}vs{\isaliteral{2E}{\isachardot}}\ exec\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isaliteral{29}{\isacharparenright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}value\ e\ s{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ vs{\isaliteral{22}{\isachardoublequoteclose}}%
14.131 -\isadelimproof
14.132 -%
14.133 -\endisadelimproof
14.134 -%
14.135 -\isatagproof
14.136 -%
14.137 -\begin{isamarkuptxt}%
14.138 -\noindent
14.139 -It will be proved by induction on \isa{e} followed by simplification.
14.140 -First, we must prove a lemma about executing the concatenation of two
14.141 -instruction sequences:%
14.142 -\end{isamarkuptxt}%
14.143 -\isamarkuptrue%
14.144 -%
14.145 -\endisatagproof
14.146 -{\isafoldproof}%
14.147 -%
14.148 -\isadelimproof
14.149 -%
14.150 -\endisadelimproof
14.151 -\isacommand{lemma}\isamarkupfalse%
14.152 -\ exec{\isaliteral{5F}{\isacharunderscore}}app{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
14.153 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}vs{\isaliteral{2E}{\isachardot}}\ exec\ {\isaliteral{28}{\isacharparenleft}}xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{29}{\isacharparenright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ exec\ ys\ s\ {\isaliteral{28}{\isacharparenleft}}exec\ xs\ s\ vs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
14.154 -\isadelimproof
14.155 -%
14.156 -\endisadelimproof
14.157 -%
14.158 -\isatagproof
14.159 -%
14.160 -\begin{isamarkuptxt}%
14.161 -\noindent
14.162 -This requires induction on \isa{xs} and ordinary simplification for the
14.163 -base cases. In the induction step, simplification leaves us with a formula
14.164 -that contains two \isa{case}-expressions over instructions. Thus we add
14.165 -automatic case splitting, which finishes the proof:%
14.166 -\end{isamarkuptxt}%
14.167 -\isamarkuptrue%
14.168 -\isacommand{apply}\isamarkupfalse%
14.169 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{2C}{\isacharcomma}}\ simp\ split{\isaliteral{3A}{\isacharcolon}}\ instr{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
14.170 -\endisatagproof
14.171 -{\isafoldproof}%
14.172 -%
14.173 -\isadelimproof
14.174 -%
14.175 -\endisadelimproof
14.176 -%
14.177 -\begin{isamarkuptext}%
14.178 -\noindent
14.179 -Note that because both \methdx{simp_all} and \methdx{auto} perform simplification, they can
14.180 -be modified in the same way as \isa{simp}. Thus the proof can be
14.181 -rewritten as%
14.182 -\end{isamarkuptext}%
14.183 -\isamarkuptrue%
14.184 -%
14.185 -\isadelimproof
14.186 -%
14.187 -\endisadelimproof
14.188 -%
14.189 -\isatagproof
14.190 -\isacommand{apply}\isamarkupfalse%
14.191 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all\ split{\isaliteral{3A}{\isacharcolon}}\ instr{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
14.192 -\endisatagproof
14.193 -{\isafoldproof}%
14.194 -%
14.195 -\isadelimproof
14.196 -%
14.197 -\endisadelimproof
14.198 -%
14.199 -\begin{isamarkuptext}%
14.200 -\noindent
14.201 -Although this is more compact, it is less clear for the reader of the proof.
14.202 -
14.203 -We could now go back and prove \isa{exec\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isaliteral{29}{\isacharparenright}}\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}value\ e\ s{\isaliteral{5D}{\isacharbrackright}}}
14.204 -merely by simplification with the generalized version we just proved.
14.205 -However, this is unnecessary because the generalized version fully subsumes
14.206 -its instance.%
14.207 -\index{compiling expressions example|)}%
14.208 -\end{isamarkuptext}%
14.209 -\isamarkuptrue%
14.210 -%
14.211 -\isadelimproof
14.212 -%
14.213 -\endisadelimproof
14.214 -%
14.215 -\isatagproof
14.216 -%
14.217 -\endisatagproof
14.218 -{\isafoldproof}%
14.219 -%
14.220 -\isadelimproof
14.221 -%
14.222 -\endisadelimproof
14.223 -%
14.224 -\isadelimtheory
14.225 -%
14.226 -\endisadelimtheory
14.227 -%
14.228 -\isatagtheory
14.229 -%
14.230 -\endisatagtheory
14.231 -{\isafoldtheory}%
14.232 -%
14.233 -\isadelimtheory
14.234 -%
14.235 -\endisadelimtheory
14.236 -\end{isabellebody}%
14.237 -%%% Local Variables:
14.238 -%%% mode: latex
14.239 -%%% TeX-master: "root"
14.240 -%%% End:
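--- a/doc-src/TutorialI/Datatype/Nested.thy
+++ b/doc-src/TutorialI/Datatype/Nested.thy
@@ -30,7 +30,7 @@
 would be something like
 \medskip
 
-\input{Datatype/document/unfoldnested.tex}
+\input{document/unfoldnested.tex}
 \medskip
 
 \noindent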
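--- a/doc-src/TutorialI/Datatype/ROOT.ML
+++ /dev/null
@@ -1,5 +0,0 @@
-use "../settings.ML";
-use_thy "ABexpr";
-use_thy "unfoldnested";
-use_thy "Nested";
-use_thy "Fundata";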
17.1 --- a/doc-src/TutorialI/Datatype/document/ABexpr.tex Thu Jul 26 16:08:16 2012 +0200
17.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
17.3 @@ -1,199 +0,0 @@
17.4 -%
17.5 -\begin{isabellebody}%
17.6 -\def\isabellecontext{ABexpr}%
17.7 -%
17.8 -\isadelimtheory
17.9 -%
17.10 -\endisadelimtheory
17.11 -%
17.12 -\isatagtheory
17.13 -%
17.14 -\endisatagtheory
17.15 -{\isafoldtheory}%
17.16 -%
17.17 -\isadelimtheory
17.18 -%
17.19 -\endisadelimtheory
17.20 -%
17.21 -\begin{isamarkuptext}%
17.22 -\index{datatypes!mutually recursive}%
17.23 -Sometimes it is necessary to define two datatypes that depend on each
17.24 -other. This is called \textbf{mutual recursion}. As an example consider a
17.25 -language of arithmetic and boolean expressions where
17.26 -\begin{itemize}
17.27 -\item arithmetic expressions contain boolean expressions because there are
17.28 - conditional expressions like ``if $m<n$ then $n-m$ else $m-n$'',
17.29 - and
17.30 -\item boolean expressions contain arithmetic expressions because of
17.31 - comparisons like ``$m<n$''.
17.32 -\end{itemize}
17.33 -In Isabelle this becomes%
17.34 -\end{isamarkuptext}%
17.35 -\isamarkuptrue%
17.36 -\isacommand{datatype}\isamarkupfalse%
17.37 -\ {\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{3D}{\isacharequal}}\ IF\ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
17.38 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Sum\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
17.39 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Diff\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
17.40 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Var\ {\isaliteral{27}{\isacharprime}}a\isanewline
17.41 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Num\ nat\isanewline
17.42 -\isakeyword{and}\ \ \ \ \ \ {\isaliteral{27}{\isacharprime}}a\ bexp\ {\isaliteral{3D}{\isacharequal}}\ Less\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
17.43 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ And\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
17.44 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Neg\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}%
17.45 -\begin{isamarkuptext}%
17.46 -\noindent
17.47 -Type \isa{aexp} is similar to \isa{expr} in \S\ref{sec:ExprCompiler},
17.48 -except that we have added an \isa{IF} constructor,
17.49 -fixed the values to be of type \isa{nat} and declared the two binary
17.50 -operations \isa{Sum} and \isa{Diff}. Boolean
17.51 -expressions can be arithmetic comparisons, conjunctions and negations.
17.52 -The semantics is given by two evaluation functions:%
17.53 -\end{isamarkuptext}%
17.54 -\isamarkuptrue%
17.55 -\isacommand{primrec}\isamarkupfalse%
17.56 -\ evala\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
17.57 -\ \ \ \ \ \ \ \ \ evalb\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
17.58 -{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\isanewline
17.59 -\ \ \ {\isaliteral{28}{\isacharparenleft}}if\ evalb\ b\ env\ then\ evala\ a{\isadigit{1}}\ env\ else\ evala\ a{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.60 -{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Sum\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evala\ a{\isadigit{1}}\ env\ {\isaliteral{2B}{\isacharplus}}\ evala\ a{\isadigit{2}}\ env{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.61 -{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Diff\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evala\ a{\isadigit{1}}\ env\ {\isaliteral{2D}{\isacharminus}}\ evala\ a{\isadigit{2}}\ env{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.62 -{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Var\ v{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ env\ v{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.63 -{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Num\ n{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.64 -\isanewline
17.65 -{\isaliteral{22}{\isachardoublequoteopen}}evalb\ {\isaliteral{28}{\isacharparenleft}}Less\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}evala\ a{\isadigit{1}}\ env\ {\isaliteral{3C}{\isacharless}}\ evala\ a{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.66 -{\isaliteral{22}{\isachardoublequoteopen}}evalb\ {\isaliteral{28}{\isacharparenleft}}And\ b{\isadigit{1}}\ b{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}evalb\ b{\isadigit{1}}\ env\ {\isaliteral{5C3C616E643E}{\isasymand}}\ evalb\ b{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.67 -{\isaliteral{22}{\isachardoublequoteopen}}evalb\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ evalb\ b\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
17.68 -\begin{isamarkuptext}%
17.69 -\noindent
17.70 -
17.71 -Both take an expression and an environment (a mapping from variables
17.72 -\isa{{\isaliteral{27}{\isacharprime}}a} to values \isa{nat}) and return its arithmetic/boolean
17.73 -value. Since the datatypes are mutually recursive, so are functions
17.74 -that operate on them. Hence they need to be defined in a single
17.75 -\isacommand{primrec} section. Notice the \isakeyword{and} separating
17.76 -the declarations of \isa{evala} and \isa{evalb}. Their defining
17.77 -equations need not be split into two groups;
17.78 -the empty line is purely for readability.
17.79 -
17.80 -In the same fashion we also define two functions that perform substitution:%
17.81 -\end{isamarkuptext}%
17.82 -\isamarkuptrue%
17.83 -\isacommand{primrec}\isamarkupfalse%
17.84 -\ substa\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ aexp{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
17.85 -\ \ \ \ \ \ \ \ \ substb\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ aexp{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ bexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
17.86 -{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
17.87 -\ \ \ IF\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.88 -{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Sum\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Sum\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.89 -{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Diff\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Diff\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.90 -{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Var\ v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ s\ v{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.91 -{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Num\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Num\ n{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.92 -\isanewline
17.93 -{\isaliteral{22}{\isachardoublequoteopen}}substb\ s\ {\isaliteral{28}{\isacharparenleft}}Less\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Less\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.94 -{\isaliteral{22}{\isachardoublequoteopen}}substb\ s\ {\isaliteral{28}{\isacharparenleft}}And\ b{\isadigit{1}}\ b{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ And\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
17.95 -{\isaliteral{22}{\isachardoublequoteopen}}substb\ s\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Neg\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
17.96 -\begin{isamarkuptext}%
17.97 -\noindent
17.98 -Their first argument is a function mapping variables to expressions, the
17.99 -substitution. It is applied to all variables in the second argument. As a
17.100 -result, the type of variables in the expression may change from \isa{{\isaliteral{27}{\isacharprime}}a}
17.101 -to \isa{{\isaliteral{27}{\isacharprime}}b}. Note that there are only arithmetic and no boolean variables.
17.102 -
17.103 -Now we can prove a fundamental theorem about the interaction between
17.104 -evaluation and substitution: applying a substitution $s$ to an expression $a$
17.105 -and evaluating the result in an environment $env$ yields the same result as
17.106 -evaluation $a$ in the environment that maps every variable $x$ to the value
17.107 -of $s(x)$ under $env$. If you try to prove this separately for arithmetic or
17.108 -boolean expressions (by induction), you find that you always need the other
17.109 -theorem in the induction step. Therefore you need to state and prove both
17.110 -theorems simultaneously:%
17.111 -\end{isamarkuptext}%
17.112 -\isamarkuptrue%
17.113 -\isacommand{lemma}\isamarkupfalse%
17.114 -\ {\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evala\ a\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ evala\ {\isaliteral{28}{\isacharparenleft}}s\ x{\isaliteral{29}{\isacharparenright}}\ env{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
17.115 -\ \ \ \ \ \ \ \ evalb\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evalb\ b\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ evala\ {\isaliteral{28}{\isacharparenleft}}s\ x{\isaliteral{29}{\isacharparenright}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
17.116 -%
17.117 -\isadelimproof
17.118 -%
17.119 -\endisadelimproof
17.120 -%
17.121 -\isatagproof
17.122 -\isacommand{apply}\isamarkupfalse%
17.123 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ a\ \isakeyword{and}\ b{\isaliteral{29}{\isacharparenright}}%
17.124 -\begin{isamarkuptxt}%
17.125 -\noindent The resulting 8 goals (one for each constructor) are proved in one fell swoop:%
17.126 -\end{isamarkuptxt}%
17.127 -\isamarkuptrue%
17.128 -\isacommand{apply}\isamarkupfalse%
17.129 -\ simp{\isaliteral{5F}{\isacharunderscore}}all%
17.130 -\endisatagproof
17.131 -{\isafoldproof}%
17.132 -%
17.133 -\isadelimproof
17.134 -%
17.135 -\endisadelimproof
17.136 -%
17.137 -\begin{isamarkuptext}%
17.138 -In general, given $n$ mutually recursive datatypes $\tau@1$, \dots, $\tau@n$,
17.139 -an inductive proof expects a goal of the form
17.140 -\[ P@1(x@1)\ \land \dots \land P@n(x@n) \]
17.141 -where each variable $x@i$ is of type $\tau@i$. Induction is started by
17.142 -\begin{isabelle}
17.143 -\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac} $x@1$ \isacommand{and} \dots\ \isacommand{and} $x@n$\isa{{\isaliteral{29}{\isacharparenright}}}
17.144 -\end{isabelle}
17.145 -
17.146 -\begin{exercise}
17.147 - Define a function \isa{norma} of type \isa{{\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ aexp} that
17.148 - replaces \isa{IF}s with complex boolean conditions by nested
17.149 - \isa{IF}s; it should eliminate the constructors
17.150 - \isa{And} and \isa{Neg}, leaving only \isa{Less}.
17.151 - Prove that \isa{norma}
17.152 - preserves the value of an expression and that the result of \isa{norma}
17.153 - is really normal, i.e.\ no more \isa{And}s and \isa{Neg}s occur in
17.154 - it. ({\em Hint:} proceed as in \S\ref{sec:boolex} and read the discussion
17.155 - of type annotations following lemma \isa{subst{\isaliteral{5F}{\isacharunderscore}}id} below).
17.156 -\end{exercise}%
17.157 -\end{isamarkuptext}%
17.158 -\isamarkuptrue%
17.159 -%
17.160 -\isadelimproof
17.161 -%
17.162 -\endisadelimproof
17.163 -%
17.164 -\isatagproof
17.165 -%
17.166 -\endisatagproof
17.167 -{\isafoldproof}%
17.168 -%
17.169 -\isadelimproof
17.170 -%
17.171 -\endisadelimproof
17.172 -%
17.173 -\isadelimproof
17.174 -%
17.175 -\endisadelimproof
17.176 -%
17.177 -\isatagproof
17.178 -%
17.179 -\endisatagproof
17.180 -{\isafoldproof}%
17.181 -%
17.182 -\isadelimproof
17.183 -%
17.184 -\endisadelimproof
17.185 -%
17.186 -\isadelimtheory
17.187 -%
17.188 -\endisadelimtheory
17.189 -%
17.190 -\isatagtheory
17.191 -%
17.192 -\endisatagtheory
17.193 -{\isafoldtheory}%
17.194 -%
17.195 -\isadelimtheory
17.196 -%
17.197 -\endisadelimtheory
17.198 -\end{isabellebody}%
17.199 -%%% Local Variables:
17.200 -%%% mode: latex
17.201 -%%% TeX-master: "root"
17.202 -%%% End:
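--- a/doc-src/TutorialI/Datatype/document/Fundata.tex
+++ /dev/null
@@ -1,115 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Fundata}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree\ {\isaliteral{3D}{\isacharequal}}\ Tip\ {\isaliteral{7C}{\isacharbar}}\ Br\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}i\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Parameter \isa{{\isaliteral{27}{\isacharprime}}a} is the type of values stored in
-the \isa{Br}anches of the tree, whereas \isa{{\isaliteral{27}{\isacharprime}}i} is the index
-type over which the tree branches. If \isa{{\isaliteral{27}{\isacharprime}}i} is instantiated to
-\isa{bool}, the result is a binary tree; if it is instantiated to
-\isa{nat}, we have an infinitely branching tree because each node
-has as many subtrees as there are natural numbers. How can we possibly
-write down such a tree? Using functional notation! For example, the term
-\begin{isabelle}%
-\ \ \ \ \ Br\ {\isadigit{0}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ Br\ i\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}n{\isaliteral{2E}{\isachardot}}\ Tip{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-of type \isa{{\isaliteral{28}{\isacharparenleft}}nat{\isaliteral{2C}{\isacharcomma}}\ nat{\isaliteral{29}{\isacharparenright}}\ bigtree} is the tree whose
-root is labeled with 0 and whose $i$th subtree is labeled with $i$ and
-has merely \isa{Tip}s as further subtrees.
-
-Function \isa{map{\isaliteral{5F}{\isacharunderscore}}bt} applies a function to all labels in a \isa{bigtree}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}b{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ Tip\ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ Tip{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}Br\ a\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Br\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}F\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent This is a valid \isacommand{primrec} definition because the
-recursive calls of \isa{map{\isaliteral{5F}{\isacharunderscore}}bt} involve only subtrees of
-\isa{F}, which is itself a subterm of the left-hand side. Thus termination
-is assured. The seasoned functional programmer might try expressing
-\isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}F\ i{\isaliteral{29}{\isacharparenright}}} as \isa{map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ F}, which Isabelle
-however will reject. Applying \isa{map{\isaliteral{5F}{\isacharunderscore}}bt} to only one of its arguments
-makes the termination proof less obvious.
-
-The following lemma has a simple proof by induction:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ o\ f{\isaliteral{29}{\isacharparenright}}\ T\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ T{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-Because of the function type, the proof state after induction looks unusual.
-Notice the quantified induction hypothesis:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ f{\isaliteral{29}{\isacharparenright}}\ Tip\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ Tip{\isaliteral{29}{\isacharparenright}}\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ F{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}F\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}F\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ F{\isaliteral{2E}{\isachardot}}\ }map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Br\ a\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}Br\ a\ F{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End: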
19.1 --- a/doc-src/TutorialI/Datatype/document/Nested.tex Thu Jul 26 16:08:16 2012 +0200
19.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
19.3 @@ -1,240 +0,0 @@
19.4 -%
19.5 -\begin{isabellebody}%
19.6 -\def\isabellecontext{Nested}%
19.7 -%
19.8 -\isadelimtheory
19.9 -%
19.10 -\endisadelimtheory
19.11 -%
19.12 -\isatagtheory
19.13 -%
19.14 -\endisatagtheory
19.15 -{\isafoldtheory}%
19.16 -%
19.17 -\isadelimtheory
19.18 -%
19.19 -\endisadelimtheory
19.20 -%
19.21 -\begin{isamarkuptext}%
19.22 -\index{datatypes!and nested recursion}%
19.23 -So far, all datatypes had the property that on the right-hand side of their
19.24 -definition they occurred only at the top-level: directly below a
19.25 -constructor. Now we consider \emph{nested recursion}, where the recursive
19.26 -datatype occurs nested in some other datatype (but not inside itself!).
19.27 -Consider the following model of terms
19.28 -where function symbols can be applied to a list of arguments:%
19.29 -\end{isamarkuptext}%
19.30 -\isamarkuptrue%
19.31 -\isacommand{datatype}\isamarkupfalse%
19.32 -\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteopen}}term{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3D}{\isacharequal}}\ Var\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{7C}{\isacharbar}}\ App\ {\isaliteral{27}{\isacharprime}}f\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list{\isaliteral{22}{\isachardoublequoteclose}}%
19.33 -\begin{isamarkuptext}%
19.34 -\noindent
19.35 -Note that we need to quote \isa{term} on the left to avoid confusion with
19.36 -the Isabelle command \isacommand{term}.
19.37 -Parameter \isa{{\isaliteral{27}{\isacharprime}}v} is the type of variables and \isa{{\isaliteral{27}{\isacharprime}}f} the type of
19.38 -function symbols.
19.39 -A mathematical term like $f(x,g(y))$ becomes \isa{App\ f\ {\isaliteral{5B}{\isacharbrackleft}}Var\ x{\isaliteral{2C}{\isacharcomma}}\ App\ g\ {\isaliteral{5B}{\isacharbrackleft}}Var\ y{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5D}{\isacharbrackright}}}, where \isa{f}, \isa{g}, \isa{x}, \isa{y} are
19.40 -suitable values, e.g.\ numbers or strings.
19.41 -
19.42 -What complicates the definition of \isa{term} is the nested occurrence of
19.43 -\isa{term} inside \isa{list} on the right-hand side. In principle,
19.44 -nested recursion can be eliminated in favour of mutual recursion by unfolding
19.45 -the offending datatypes, here \isa{list}. The result for \isa{term}
19.46 -would be something like
19.47 -\medskip
19.48 -
19.49 -\input{Datatype/document/unfoldnested.tex}
19.50 -\medskip
19.51 -
19.52 -\noindent
19.53 -Although we do not recommend this unfolding to the user, it shows how to
19.54 -simulate nested recursion by mutual recursion.
19.55 -Now we return to the initial definition of \isa{term} using
19.56 -nested recursion.
19.57 -
19.58 -Let us define a substitution function on terms. Because terms involve term
19.59 -lists, we need to define two substitution functions simultaneously:%
19.60 -\end{isamarkuptext}%
19.61 -\isamarkuptrue%
19.62 -\isacommand{primrec}\isamarkupfalse%
19.63 -\isanewline
19.64 -subst\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ \ \ \ \ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
19.65 -substs{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
19.66 -\isakeyword{where}\isanewline
19.67 -{\isaliteral{22}{\isachardoublequoteopen}}subst\ s\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ s\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
19.68 -\ \ subst{\isaliteral{5F}{\isacharunderscore}}App{\isaliteral{3A}{\isacharcolon}}\isanewline
19.69 -{\isaliteral{22}{\isachardoublequoteopen}}subst\ s\ {\isaliteral{28}{\isacharparenleft}}App\ f\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ App\ f\ {\isaliteral{28}{\isacharparenleft}}substs\ s\ ts{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
19.70 -\isanewline
19.71 -{\isaliteral{22}{\isachardoublequoteopen}}substs\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
19.72 -{\isaliteral{22}{\isachardoublequoteopen}}substs\ s\ {\isaliteral{28}{\isacharparenleft}}t\ {\isaliteral{23}{\isacharhash}}\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ subst\ s\ t\ {\isaliteral{23}{\isacharhash}}\ substs\ s\ ts{\isaliteral{22}{\isachardoublequoteclose}}%
19.73 -\begin{isamarkuptext}%
19.74 -\noindent
19.75 -Individual equations in a \commdx{primrec} definition may be
19.76 -named as shown for \isa{subst{\isaliteral{5F}{\isacharunderscore}}App}.
19.77 -The significance of this device will become apparent below.
19.78 -
19.79 -Similarly, when proving a statement about terms inductively, we need
19.80 -to prove a related statement about term lists simultaneously. For example,
19.81 -the fact that the identity substitution does not change a term needs to be
19.82 -strengthened and proved as follows:%
19.83 -\end{isamarkuptext}%
19.84 -\isamarkuptrue%
19.85 -\isacommand{lemma}\isamarkupfalse%
19.86 -\ subst{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}subst\ \ Var\ t\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}t\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
19.87 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ substs\ Var\ ts\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}ts{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
19.88 -%
19.89 -\isadelimproof
19.90 -%
19.91 -\endisadelimproof
19.92 -%
19.93 -\isatagproof
19.94 -\isacommand{apply}\isamarkupfalse%
19.95 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ t\ \isakeyword{and}\ ts{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
19.96 -\isacommand{done}\isamarkupfalse%
19.97 -%
19.98 -\endisatagproof
19.99 -{\isafoldproof}%
19.100 -%
19.101 -\isadelimproof
19.102 -%
19.103 -\endisadelimproof
19.104 -%
19.105 -\begin{isamarkuptext}%
19.106 -\noindent
19.107 -Note that \isa{Var} is the identity substitution because by definition it
19.108 -leaves variables unchanged: \isa{subst\ Var\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Var\ x}. Note also
19.109 -that the type annotations are necessary because otherwise there is nothing in
19.110 -the goal to enforce that both halves of the goal talk about the same type
19.111 -parameters \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}}. As a result, induction would fail
19.112 -because the two halves of the goal would be unrelated.
19.113 -
19.114 -\begin{exercise}
19.115 -The fact that substitution distributes over composition can be expressed
19.116 -roughly as follows:
19.117 -\begin{isabelle}%
19.118 -\ \ \ \ \ subst\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ g{\isaliteral{29}{\isacharparenright}}\ t\ {\isaliteral{3D}{\isacharequal}}\ subst\ f\ {\isaliteral{28}{\isacharparenleft}}subst\ g\ t{\isaliteral{29}{\isacharparenright}}%
19.119 -\end{isabelle}
19.120 -Correct this statement (you will find that it does not type-check),
19.121 -strengthen it, and prove it. (Note: \isa{{\isaliteral{5C3C636972633E}{\isasymcirc}}} is function composition;
19.122 -its definition is found in theorem \isa{o{\isaliteral{5F}{\isacharunderscore}}def}).
19.123 -\end{exercise}
19.124 -\begin{exercise}\label{ex:trev-trev}
19.125 - Define a function \isa{trev} of type \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}\ Nested{\isaliteral{2E}{\isachardot}}term\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}\ Nested{\isaliteral{2E}{\isachardot}}term}
19.126 -that recursively reverses the order of arguments of all function symbols in a
19.127 - term. Prove that \isa{trev\ {\isaliteral{28}{\isacharparenleft}}trev\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ t}.
19.128 -\end{exercise}
19.129 -
19.130 -The experienced functional programmer may feel that our definition of
19.131 -\isa{subst} is too complicated in that \isa{substs} is
19.132 -unnecessary. The \isa{App}-case can be defined directly as
19.133 -\begin{isabelle}%
19.134 -\ \ \ \ \ subst\ s\ {\isaliteral{28}{\isacharparenleft}}App\ f\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ App\ f\ {\isaliteral{28}{\isacharparenleft}}map\ {\isaliteral{28}{\isacharparenleft}}subst\ s{\isaliteral{29}{\isacharparenright}}\ ts{\isaliteral{29}{\isacharparenright}}%
19.135 -\end{isabelle}
19.136 -where \isa{map} is the standard list function such that
19.137 -\isa{map\ f\ {\isaliteral{5B}{\isacharbrackleft}}x{\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2C}{\isacharcomma}}xn{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}f\ x{\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2C}{\isacharcomma}}f\ xn{\isaliteral{5D}{\isacharbrackright}}}. This is true, but Isabelle
19.138 -insists on the conjunctive format. Fortunately, we can easily \emph{prove}
19.139 -that the suggested equation holds:%
19.140 -\end{isamarkuptext}%
19.141 -\isamarkuptrue%
19.142 -%
19.143 -\isadelimproof
19.144 -%
19.145 -\endisadelimproof
19.146 -%
19.147 -\isatagproof
19.148 -%
19.149 -\endisatagproof
19.150 -{\isafoldproof}%
19.151 -%
19.152 -\isadelimproof
19.153 -%
19.154 -\endisadelimproof
19.155 -%
19.156 -\isadelimproof
19.157 -%
19.158 -\endisadelimproof
19.159 -%
19.160 -\isatagproof
19.161 -%
19.162 -\endisatagproof
19.163 -{\isafoldproof}%
19.164 -%
19.165 -\isadelimproof
19.166 -%
19.167 -\endisadelimproof
19.168 -%
19.169 -\isadelimproof
19.170 -%
19.171 -\endisadelimproof
19.172 -%
19.173 -\isatagproof
19.174 -%
19.175 -\endisatagproof
19.176 -{\isafoldproof}%
19.177 -%
19.178 -\isadelimproof
19.179 -\isanewline
19.180 -%
19.181 -\endisadelimproof
19.182 -\isacommand{lemma}\isamarkupfalse%
19.183 -\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}subst\ s\ {\isaliteral{28}{\isacharparenleft}}App\ f\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ App\ f\ {\isaliteral{28}{\isacharparenleft}}map\ {\isaliteral{28}{\isacharparenleft}}subst\ s{\isaliteral{29}{\isacharparenright}}\ ts{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
19.184 -%
19.185 -\isadelimproof
19.186 -%
19.187 -\endisadelimproof
19.188 -%
19.189 -\isatagproof
19.190 -\isacommand{apply}\isamarkupfalse%
19.191 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ ts{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
19.192 -\isacommand{done}\isamarkupfalse%
19.193 -%
19.194 -\endisatagproof
19.195 -{\isafoldproof}%
19.196 -%
19.197 -\isadelimproof
19.198 -%
19.199 -\endisadelimproof
19.200 -%
19.201 -\begin{isamarkuptext}%
19.202 -\noindent
19.203 -What is more, we can now disable the old defining equation as a
19.204 -simplification rule:%
19.205 -\end{isamarkuptext}%
19.206 -\isamarkuptrue%
19.207 -\isacommand{declare}\isamarkupfalse%
19.208 -\ subst{\isaliteral{5F}{\isacharunderscore}}App\ {\isaliteral{5B}{\isacharbrackleft}}simp\ del{\isaliteral{5D}{\isacharbrackright}}%
19.209 -\begin{isamarkuptext}%
19.210 -\noindent The advantage is that now we have replaced \isa{substs} by \isa{map}, we can profit from the large number of
19.211 -pre-proved lemmas about \isa{map}. Unfortunately, inductive proofs
19.212 -about type \isa{term} are still awkward because they expect a
19.213 -conjunction. One could derive a new induction principle as well (see
19.214 -\S\ref{sec:derive-ind}), but simpler is to stop using
19.215 -\isacommand{primrec} and to define functions with \isacommand{fun}
19.216 -instead. Simple uses of \isacommand{fun} are described in
19.217 -\S\ref{sec:fun} below. Advanced applications, including functions
19.218 -over nested datatypes like \isa{term}, are discussed in a
19.219 -separate tutorial~\cite{isabelle-function}.
19.220 -
19.221 -Of course, you may also combine mutual and nested recursion of datatypes. For example,
19.222 -constructor \isa{Sum} in \S\ref{sec:datatype-mut-rec} could take a list of
19.223 -expressions as its argument: \isa{Sum}~\isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{27}{\isacharprime}}a\ aexp\ list{\isaliteral{22}{\isachardoublequote}}}.%
19.224 -\end{isamarkuptext}%
19.225 -\isamarkuptrue%
19.226 -%
19.227 -\isadelimtheory
19.228 -%
19.229 -\endisadelimtheory
19.230 -%
19.231 -\isatagtheory
19.232 -%
19.233 -\endisatagtheory
19.234 -{\isafoldtheory}%
19.235 -%
19.236 -\isadelimtheory
19.237 -%
19.238 -\endisadelimtheory
19.239 -\end{isabellebody}%
19.240 -%%% Local Variables:
19.241 -%%% mode: latex
19.242 -%%% TeX-master: "root"
19.243 -%%% End:
20.1 --- a/doc-src/TutorialI/Datatype/document/unfoldnested.tex Thu Jul 26 16:08:16 2012 +0200
20.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
20.3 @@ -1,36 +0,0 @@
20.4 -%
20.5 -\begin{isabellebody}%
20.6 -\def\isabellecontext{unfoldnested}%
20.7 -%
20.8 -\isadelimtheory
20.9 -%
20.10 -\endisadelimtheory
20.11 -%
20.12 -\isatagtheory
20.13 -%
20.14 -\endisatagtheory
20.15 -{\isafoldtheory}%
20.16 -%
20.17 -\isadelimtheory
20.18 -%
20.19 -\endisadelimtheory
20.20 -\isacommand{datatype}\isamarkupfalse%
20.21 -\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteopen}}term{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3D}{\isacharequal}}\ Var\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{7C}{\isacharbar}}\ App\ {\isaliteral{27}{\isacharprime}}f\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{5F}{\isacharunderscore}}list{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
20.22 -\isakeyword{and}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{5F}{\isacharunderscore}}list\ {\isaliteral{3D}{\isacharequal}}\ Nil\ {\isaliteral{7C}{\isacharbar}}\ Cons\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{5F}{\isacharunderscore}}list{\isaliteral{22}{\isachardoublequoteclose}}%
20.23 -\isadelimtheory
20.24 -%
20.25 -\endisadelimtheory
20.26 -%
20.27 -\isatagtheory
20.28 -%
20.29 -\endisatagtheory
20.30 -{\isafoldtheory}%
20.31 -%
20.32 -\isadelimtheory
20.33 -%
20.34 -\endisadelimtheory
20.35 -\end{isabellebody}%
20.36 -%%% Local Variables:
20.37 -%%% mode: latex
20.38 -%%% TeX-master: "root"
20.39 -%%% End:
21.1 --- a/doc-src/TutorialI/Documents/ROOT.ML Thu Jul 26 16:08:16 2012 +0200
21.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
21.3 @@ -1,2 +0,0 @@
21.4 -
21.5 -use_thy "Documents";
22.1 --- a/doc-src/TutorialI/Documents/document/Documents.tex Thu Jul 26 16:08:16 2012 +0200
22.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
22.3 @@ -1,933 +0,0 @@
22.4 -%
22.5 -\begin{isabellebody}%
22.6 -\def\isabellecontext{Documents}%
22.7 -%
22.8 -\isadelimtheory
22.9 -%
22.10 -\endisadelimtheory
22.11 -%
22.12 -\isatagtheory
22.13 -%
22.14 -\endisatagtheory
22.15 -{\isafoldtheory}%
22.16 -%
22.17 -\isadelimtheory
22.18 -%
22.19 -\endisadelimtheory
22.20 -%
22.21 -\isamarkupsection{Concrete Syntax \label{sec:concrete-syntax}%
22.22 -}
22.23 -\isamarkuptrue%
22.24 -%
22.25 -\begin{isamarkuptext}%
22.26 -The core concept of Isabelle's framework for concrete syntax is that
22.27 - of \bfindex{mixfix annotations}. Associated with any kind of
22.28 - constant declaration, mixfixes affect both the grammar productions
22.29 - for the parser and output templates for the pretty printer.
22.30 -
22.31 - In full generality, parser and pretty printer configuration is a
22.32 - subtle affair~\cite{isabelle-ref}. Your syntax specifications need
22.33 - to interact properly with the existing setup of Isabelle/Pure and
22.34 - Isabelle/HOL\@. To avoid creating ambiguities with existing
22.35 - elements, it is particularly important to give new syntactic
22.36 - constructs the right precedence.
22.37 -
22.38 - Below we introduce a few simple syntax declaration
22.39 - forms that already cover many common situations fairly well.%
22.40 -\end{isamarkuptext}%
22.41 -\isamarkuptrue%
22.42 -%
22.43 -\isamarkupsubsection{Infix Annotations%
22.44 -}
22.45 -\isamarkuptrue%
22.46 -%
22.47 -\begin{isamarkuptext}%
22.48 -Syntax annotations may be included wherever constants are declared,
22.49 - such as \isacommand{definition} and \isacommand{primrec} --- and also
22.50 - \isacommand{datatype}, which declares constructor operations.
22.51 - Type-constructors may be annotated as well, although this is less
22.52 - frequently encountered in practice (the infix type \isa{{\isaliteral{5C3C74696D65733E}{\isasymtimes}}} comes
22.53 - to mind).
22.54 -
22.55 - Infix declarations\index{infix annotations} provide a useful special
22.56 - case of mixfixes. The following example of the exclusive-or
22.57 - operation on boolean values illustrates typical infix declarations.%
22.58 -\end{isamarkuptext}%
22.59 -\isamarkuptrue%
22.60 -\isacommand{definition}\isamarkupfalse%
22.61 -\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
22.62 -\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
22.63 -\begin{isamarkuptext}%
22.64 -\noindent Now \isa{xor\ A\ B} and \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B} refer to the
22.65 - same expression internally. Any curried function with at least two
22.66 - arguments may be given infix syntax. For partial applications with
22.67 - fewer than two operands, there is a notation using the prefix~\isa{op}. For instance, \isa{xor} without arguments is represented as
22.68 - \isa{op\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}}; together with ordinary function application, this
22.69 - turns \isa{xor\ A} into \isa{op\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ A}.
22.70 -
22.71 - The keyword \isakeyword{infixl} seen above specifies an
22.72 - infix operator that is nested to the \emph{left}: in iterated
22.73 - applications the more complex expression appears on the left-hand
22.74 - side, and \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C} stands for \isa{{\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C}. Similarly, \isakeyword{infixr} means nesting to the
22.75 - \emph{right}, reading \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C} as \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{28}{\isacharparenleft}}B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C{\isaliteral{29}{\isacharparenright}}}. A \emph{non-oriented} declaration via \isakeyword{infix}
22.76 - would render \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C} illegal, but demand explicit
22.77 - parentheses to indicate the intended grouping.
22.78 -
22.79 - The string \isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequote}}} in our annotation refers to the
22.80 - concrete syntax to represent the operator (a literal token), while
22.81 - the number \isa{{\isadigit{6}}{\isadigit{0}}} determines the precedence of the construct:
22.82 - the syntactic priorities of the arguments and result. Isabelle/HOL
22.83 - already uses up many popular combinations of ASCII symbols for its
22.84 - own use, including both \isa{{\isaliteral{2B}{\isacharplus}}} and \isa{{\isaliteral{2B}{\isacharplus}}{\isaliteral{2B}{\isacharplus}}}. Longer
22.85 - character combinations are more likely to be still available for
22.86 - user extensions, such as our~\isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}}.
22.87 -
22.88 - Operator precedences have a range of 0--1000. Very low or high
22.89 - priorities are reserved for the meta-logic. HOL syntax mainly uses
22.90 - the range of 10--100: the equality infix \isa{{\isaliteral{3D}{\isacharequal}}} is centered at
22.91 - 50; logical connectives (like \isa{{\isaliteral{5C3C6F723E}{\isasymor}}} and \isa{{\isaliteral{5C3C616E643E}{\isasymand}}}) are
22.92 - below 50; algebraic ones (like \isa{{\isaliteral{2B}{\isacharplus}}} and \isa{{\isaliteral{2A}{\isacharasterisk}}}) are
22.93 - above 50. User syntax should strive to coexist with common HOL
22.94 - forms, or use the mostly unused range 100--900.%
22.95 -\end{isamarkuptext}%
22.96 -\isamarkuptrue%
22.97 -%
22.98 -\isamarkupsubsection{Mathematical Symbols \label{sec:syntax-symbols}%
22.99 -}
22.100 -\isamarkuptrue%
22.101 -%
22.102 -\begin{isamarkuptext}%
22.103 -Concrete syntax based on ASCII characters has inherent limitations.
22.104 - Mathematical notation demands a larger repertoire of glyphs.
22.105 - Several standards of extended character sets have been proposed over
22.106 - decades, but none has become universally available so far. Isabelle
22.107 - has its own notion of \bfindex{symbols} as the smallest entities of
22.108 - source text, without referring to internal encodings. There are
22.109 - three kinds of such ``generalized characters'':
22.110 -
22.111 - \begin{enumerate}
22.112 -
22.113 - \item 7-bit ASCII characters
22.114 -
22.115 - \item named symbols: \verb,\,\verb,<,$ident$\verb,>,
22.116 -
22.117 - \item named control symbols: \verb,\,\verb,<^,$ident$\verb,>,
22.118 -
22.119 - \end{enumerate}
22.120 -
22.121 - Here $ident$ is any sequence of letters.
22.122 - This results in an infinite store of symbols, whose
22.123 - interpretation is left to further front-end tools. For example, the
22.124 - user-interface of Proof~General + X-Symbol and the Isabelle document
22.125 - processor (see \S\ref{sec:document-preparation}) display the
22.126 - \verb,\,\verb,<forall>, symbol as~\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}}.
22.127 -
22.128 - A list of standard Isabelle symbols is given in
22.129 - \cite{isabelle-isar-ref}. You may introduce your own
22.130 - interpretation of further symbols by configuring the appropriate
22.131 - front-end tool accordingly, e.g.\ by defining certain {\LaTeX}
22.132 - macros (see also \S\ref{sec:doc-prep-symbols}). There are also a
22.133 - few predefined control symbols, such as \verb,\,\verb,<^sub>, and
22.134 - \verb,\,\verb,<^sup>, for sub- and superscript of the subsequent
22.135 - printable symbol, respectively. For example, \verb,A\<^sup>\<star>, is
22.136 - output as \isa{A\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{5C3C737461723E}{\isasymstar}}}.
22.137 -
22.138 - A number of symbols are considered letters by the Isabelle lexer and
22.139 - can be used as part of identifiers. These are the greek letters
22.140 - \isa{{\isaliteral{5C3C616C7068613E}{\isasymalpha}}} (\verb+\+\verb+<alpha>+), \isa{{\isaliteral{5C3C626574613E}{\isasymbeta}}}
22.141 - (\verb+\+\verb+<beta>+), etc. (excluding \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}}),
22.142 - special letters like \isa{{\isaliteral{5C3C413E}{\isasymA}}} (\verb+\+\verb+<A>+) and \isa{{\isaliteral{5C3C41413E}{\isasymAA}}} (\verb+\+\verb+<AA>+), and the control symbols
22.143 - \verb+\+\verb+<^isub>+ and \verb+\+\verb+<^isup>+ for single letter
22.144 - sub and super scripts. This means that the input
22.145 -
22.146 - \medskip
22.147 - {\small\noindent \verb,\,\verb,<forall>\,\verb,<alpha>\<^isub>1.,~\verb,\,\verb,<alpha>\<^isub>1 = \,\verb,<Pi>\<^isup>\<A>,}
22.148 -
22.149 - \medskip
22.150 - \noindent is recognized as the term \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}{\isaliteral{5C3C616C7068613E}{\isasymalpha}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C616C7068613E}{\isasymalpha}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C50693E}{\isasymPi}}\isaliteral{5C3C5E697375703E}{}\isactrlisup {\isaliteral{5C3C413E}{\isasymA}}}
22.151 - by Isabelle. Note that \isa{{\isaliteral{5C3C50693E}{\isasymPi}}\isaliteral{5C3C5E697375703E}{}\isactrlisup {\isaliteral{5C3C413E}{\isasymA}}} is a single
22.152 - syntactic entity, not an exponentiation.
22.153 -
22.154 - Replacing our previous definition of \isa{xor} by the
22.155 - following specifies an Isabelle symbol for the new operator:%
22.156 -\end{isamarkuptext}%
22.157 -\isamarkuptrue%
22.158 -%
22.159 -\isadelimML
22.160 -%
22.161 -\endisadelimML
22.162 -%
22.163 -\isatagML
22.164 -%
22.165 -\endisatagML
22.166 -{\isafoldML}%
22.167 -%
22.168 -\isadelimML
22.169 -%
22.170 -\endisadelimML
22.171 -\isacommand{definition}\isamarkupfalse%
22.172 -\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
22.173 -\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
22.174 -\isadelimML
22.175 -%
22.176 -\endisadelimML
22.177 -%
22.178 -\isatagML
22.179 -%
22.180 -\endisatagML
22.181 -{\isafoldML}%
22.182 -%
22.183 -\isadelimML
22.184 -%
22.185 -\endisadelimML
22.186 -%
22.187 -\begin{isamarkuptext}%
22.188 -\noindent Proof~General provides several input methods to enter
22.189 - \isa{{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}} in the text. If all fails one may just type a named
22.190 - entity \verb,\,\verb,<oplus>, by hand; the corresponding symbol will
22.191 - be displayed after further input.
22.192 -
22.193 - More flexible is to provide alternative syntax forms
22.194 - through the \bfindex{print mode} concept~\cite{isabelle-ref}. By
22.195 - convention, the mode of ``$xsymbols$'' is enabled whenever
22.196 - Proof~General's X-Symbol mode or {\LaTeX} output is active. Now
22.197 - consider the following hybrid declaration of \isa{xor}:%
22.198 -\end{isamarkuptext}%
22.199 -\isamarkuptrue%
22.200 -%
22.201 -\isadelimML
22.202 -%
22.203 -\endisadelimML
22.204 -%
22.205 -\isatagML
22.206 -%
22.207 -\endisatagML
22.208 -{\isafoldML}%
22.209 -%
22.210 -\isadelimML
22.211 -%
22.212 -\endisadelimML
22.213 -\isacommand{definition}\isamarkupfalse%
22.214 -\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
22.215 -\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
22.216 -\isanewline
22.217 -\isacommand{notation}\isamarkupfalse%
22.218 -\ {\isaliteral{28}{\isacharparenleft}}xsymbols{\isaliteral{29}{\isacharparenright}}\ xor\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}%
22.219 -\isadelimML
22.220 -%
22.221 -\endisadelimML
22.222 -%
22.223 -\isatagML
22.224 -%
22.225 -\endisatagML
22.226 -{\isafoldML}%
22.227 -%
22.228 -\isadelimML
22.229 -%
22.230 -\endisadelimML
22.231 -%
22.232 -\begin{isamarkuptext}%
22.233 -\noindent
22.234 -The \commdx{notation} command associates a mixfix
22.235 -annotation with a known constant. The print mode specification,
22.236 -here \isa{{\isaliteral{28}{\isacharparenleft}}xsymbols{\isaliteral{29}{\isacharparenright}}}, is optional.
22.237 -
22.238 -We may now write \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B} or \isa{A\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ B} in input, while
22.239 -output uses the nicer syntax of $xsymbols$ whenever that print mode is
22.240 -active. Such an arrangement is particularly useful for interactive
22.241 -development, where users may type ASCII text and see mathematical
22.242 -symbols displayed during proofs.%
22.243 -\end{isamarkuptext}%
22.244 -\isamarkuptrue%
22.245 -%
22.246 -\isamarkupsubsection{Prefix Annotations%
22.247 -}
22.248 -\isamarkuptrue%
22.249 -%
22.250 -\begin{isamarkuptext}%
22.251 -Prefix syntax annotations\index{prefix annotation} are another form
22.252 - of mixfixes \cite{isabelle-ref}, without any template arguments or
22.253 - priorities --- just some literal syntax. The following example
22.254 - associates common symbols with the constructors of a datatype.%
22.255 -\end{isamarkuptext}%
22.256 -\isamarkuptrue%
22.257 -\isacommand{datatype}\isamarkupfalse%
22.258 -\ currency\ {\isaliteral{3D}{\isacharequal}}\isanewline
22.259 -\ \ \ \ Euro\ nat\ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6575726F3E}{\isasymeuro}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
22.260 -\ \ {\isaliteral{7C}{\isacharbar}}\ Pounds\ nat\ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C706F756E64733E}{\isasympounds}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
22.261 -\ \ {\isaliteral{7C}{\isacharbar}}\ Yen\ nat\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C79656E3E}{\isasymyen}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
22.262 -\ \ {\isaliteral{7C}{\isacharbar}}\ Dollar\ nat\ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{24}{\isachardollar}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}%
22.263 -\begin{isamarkuptext}%
22.264 -\noindent Here the mixfix annotations on the rightmost column happen
22.265 - to consist of a single Isabelle symbol each: \verb,\,\verb,<euro>,,
22.266 - \verb,\,\verb,<pounds>,, \verb,\,\verb,<yen>,, and \verb,$,. Recall
22.267 - that a constructor like \isa{Euro} actually is a function \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ currency}. The expression \isa{Euro\ {\isadigit{1}}{\isadigit{0}}} will be
22.268 - printed as \isa{{\isaliteral{5C3C6575726F3E}{\isasymeuro}}\ {\isadigit{1}}{\isadigit{0}}}; only the head of the application is
22.269 - subject to our concrete syntax. This rather simple form already
22.270 - achieves conformance with notational standards of the European
22.271 - Commission.
22.272 -
22.273 - Prefix syntax works the same way for other commands that introduce new constants, e.g. \isakeyword{primrec}.%
22.274 -\end{isamarkuptext}%
22.275 -\isamarkuptrue%
22.276 -%
22.277 -\isamarkupsubsection{Abbreviations \label{sec:abbreviations}%
22.278 -}
22.279 -\isamarkuptrue%
22.280 -%
22.281 -\begin{isamarkuptext}%
22.282 -Mixfix syntax annotations merely decorate particular constant
22.283 -application forms with concrete syntax, for instance replacing
22.284 -\isa{xor\ A\ B} by \isa{A\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ B}. Occasionally, the relationship
22.285 -between some piece of notation and its internal form is more
22.286 -complicated. Here we need \emph{abbreviations}.
22.287 -
22.288 -Command \commdx{abbreviation} introduces an uninterpreted notational
22.289 -constant as an abbreviation for a complex term. Abbreviations are
22.290 -unfolded upon parsing and re-introduced upon printing. This provides a
22.291 -simple mechanism for syntactic macros.
22.292 -
22.293 -A typical use of abbreviations is to introduce relational notation for
22.294 -membership in a set of pairs, replacing \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim} by
22.295 -\isa{x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y}. We assume that a constant \isa{sim} of type
22.296 -\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ set} has been introduced at this point.%
22.297 -\end{isamarkuptext}%
22.298 -\isamarkuptrue%
22.299 -\isacommand{abbreviation}\isamarkupfalse%
22.300 -\ sim{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infix}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C617070726F783E}{\isasymapprox}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{5}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
22.301 -\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y\ \ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ \ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim{\isaliteral{22}{\isachardoublequoteclose}}%
22.302 -\begin{isamarkuptext}%
22.303 -\noindent The given meta-equality is used as a rewrite rule
22.304 -after parsing (replacing \mbox{\isa{x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y}} by \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim}) and before printing (turning \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim} back into
22.305 -\mbox{\isa{x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y}}). The name of the dummy constant \isa{sim{\isadigit{2}}}
22.306 -does not matter, as long as it is unique.
22.307 -
22.308 -Another common application of abbreviations is to
22.309 -provide variant versions of fundamental relational expressions, such
22.310 -as \isa{{\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}} for negated equalities. The following declaration
22.311 -stems from Isabelle/HOL itself:%
22.312 -\end{isamarkuptext}%
22.313 -\isamarkuptrue%
22.314 -\isacommand{abbreviation}\isamarkupfalse%
22.315 -\ not{\isaliteral{5F}{\isacharunderscore}}equal\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7E}{\isachartilde}}{\isaliteral{3D}{\isacharequal}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{5}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
22.316 -\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{7E}{\isachartilde}}{\isaliteral{3D}{\isacharequal}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}\ y\ \ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ \ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
22.317 -\isanewline
22.318 -\isacommand{notation}\isamarkupfalse%
22.319 -\ {\isaliteral{28}{\isacharparenleft}}xsymbols{\isaliteral{29}{\isacharparenright}}\ not{\isaliteral{5F}{\isacharunderscore}}equal\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infix}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{5}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}%
22.320 -\begin{isamarkuptext}%
22.321 -\noindent The notation \isa{{\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}} is introduced separately to restrict it
22.322 -to the \emph{xsymbols} mode.
22.323 -
22.324 -Abbreviations are appropriate when the defined concept is a
22.325 -simple variation on an existing one. But because of the automatic
22.326 -folding and unfolding of abbreviations, they do not scale up well to
22.327 -large hierarchies of concepts. Abbreviations do not replace
22.328 -definitions.
22.329 -
22.330 -Abbreviations are a simplified form of the general concept of
22.331 -\emph{syntax translations}; even heavier transformations may be
22.332 -written in ML \cite{isabelle-ref}.%
22.333 -\end{isamarkuptext}%
22.334 -\isamarkuptrue%
22.335 -%
22.336 -\isamarkupsection{Document Preparation \label{sec:document-preparation}%
22.337 -}
22.338 -\isamarkuptrue%
22.339 -%
22.340 -\begin{isamarkuptext}%
22.341 -Isabelle/Isar is centered around the concept of \bfindex{formal
22.342 - proof documents}\index{documents|bold}. The outcome of a formal
22.343 - development effort is meant to be a human-readable record, presented
22.344 - as browsable PDF file or printed on paper. The overall document
22.345 - structure follows traditional mathematical articles, with sections,
22.346 - intermediate explanations, definitions, theorems and proofs.
22.347 -
22.348 - \medskip The Isabelle document preparation system essentially acts
22.349 - as a front-end to {\LaTeX}. After checking specifications and
22.350 - proofs formally, the theory sources are turned into typesetting
22.351 - instructions in a schematic manner. This lets you write authentic
22.352 - reports on theory developments with little effort: many technical
22.353 - consistency checks are handled by the system.
22.354 -
22.355 - Here is an example to illustrate the idea of Isabelle document
22.356 - preparation.%
22.357 -\end{isamarkuptext}%
22.358 -\isamarkuptrue%
22.359 -%
22.360 -\begin{quotation}
22.361 -%
22.362 -\begin{isamarkuptext}%
22.363 -The following datatype definition of \isa{{\isaliteral{27}{\isacharprime}}a\ bintree} models
22.364 - binary trees with nodes being decorated by elements of type \isa{{\isaliteral{27}{\isacharprime}}a}.%
22.365 -\end{isamarkuptext}%
22.366 -\isamarkuptrue%
22.367 -\isacommand{datatype}\isamarkupfalse%
22.368 -\ {\isaliteral{27}{\isacharprime}}a\ bintree\ {\isaliteral{3D}{\isacharequal}}\isanewline
22.369 -\ \ \ \ \ Leaf\ {\isaliteral{7C}{\isacharbar}}\ Branch\ {\isaliteral{27}{\isacharprime}}a\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bintree{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bintree{\isaliteral{22}{\isachardoublequoteclose}}%
22.370 -\begin{isamarkuptext}%
22.371 -\noindent The datatype induction rule generated here is of the form
22.372 - \begin{isabelle}%
22.373 -\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ Leaf{\isaliteral{3B}{\isacharsemicolon}}\isanewline
22.374 -\isaindent{\ \ }{\isaliteral{5C3C416E643E}{\isasymAnd}}a\ bintree{\isadigit{1}}\ bintree{\isadigit{2}}{\isaliteral{2E}{\isachardot}}\isanewline
22.375 -\isaindent{\ \ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ bintree{\isadigit{1}}{\isaliteral{3B}{\isacharsemicolon}}\ P\ bintree{\isadigit{2}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Branch\ a\ bintree{\isadigit{1}}\ bintree{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
22.376 -\isaindent{\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ bintree%
22.377 -\end{isabelle}%
22.378 -\end{isamarkuptext}%
22.379 -\isamarkuptrue%
22.380 -%
22.381 -\end{quotation}
22.382 -%
22.383 -\begin{isamarkuptext}%
22.384 -\noindent The above document output has been produced as follows:
22.385 -
22.386 - \begin{ttbox}
22.387 - text {\ttlbrace}*
22.388 - The following datatype definition of {\at}{\ttlbrace}text "'a bintree"{\ttrbrace}
22.389 - models binary trees with nodes being decorated by elements
22.390 - of type {\at}{\ttlbrace}typ 'a{\ttrbrace}.
22.391 - *{\ttrbrace}
22.392 -
22.393 - datatype 'a bintree =
22.394 - Leaf | Branch 'a "'a bintree" "'a bintree"
22.395 - \end{ttbox}
22.396 - \begin{ttbox}
22.397 - text {\ttlbrace}*
22.398 - {\ttback}noindent The datatype induction rule generated here is
22.399 - of the form {\at}{\ttlbrace}thm [display] bintree.induct [no_vars]{\ttrbrace}
22.400 - *{\ttrbrace}
22.401 - \end{ttbox}\vspace{-\medskipamount}
22.402 -
22.403 - \noindent Here we have augmented the theory by formal comments
22.404 - (using \isakeyword{text} blocks), the informal parts may again refer
22.405 - to formal entities by means of ``antiquotations'' (such as
22.406 - \texttt{\at}\verb,{text "'a bintree"}, or
22.407 - \texttt{\at}\verb,{typ 'a},), see also \S\ref{sec:doc-prep-text}.%
22.408 -\end{isamarkuptext}%
22.409 -\isamarkuptrue%
22.410 -%
22.411 -\isamarkupsubsection{Isabelle Sessions%
22.412 -}
22.413 -\isamarkuptrue%
22.414 -%
22.415 -\begin{isamarkuptext}%
22.416 -In contrast to the highly interactive mode of Isabelle/Isar theory
22.417 - development, the document preparation stage essentially works in
22.418 - batch-mode. An Isabelle \bfindex{session} consists of a collection
22.419 - of source files that may contribute to an output document. Each
22.420 - session is derived from a single parent, usually an object-logic
22.421 - image like \texttt{HOL}. This results in an overall tree structure,
22.422 - which is reflected by the output location in the file system
22.423 - (usually rooted at \verb,~/.isabelle/IsabelleXXXX/browser_info,).
22.424 -
22.425 - \medskip The easiest way to manage Isabelle sessions is via
22.426 - \texttt{isabelle mkdir} (generates an initial session source setup)
22.427 - and \texttt{isabelle make} (run sessions controlled by
22.428 - \texttt{IsaMakefile}). For example, a new session
22.429 - \texttt{MySession} derived from \texttt{HOL} may be produced as
22.430 - follows:
22.431 -
22.432 -\begin{verbatim}
22.433 - isabelle mkdir HOL MySession
22.434 - isabelle make
22.435 -\end{verbatim}
22.436 -
22.437 - The \texttt{isabelle make} job also informs about the file-system
22.438 - location of the ultimate results. The above dry run should be able
22.439 - to produce some \texttt{document.pdf} (with dummy title, empty table
22.440 - of contents etc.). Any failure at this stage usually indicates
22.441 - technical problems of the {\LaTeX} installation.
22.442 -
22.443 - \medskip The detailed arrangement of the session sources is as
22.444 - follows.
22.445 -
22.446 - \begin{itemize}
22.447 -
22.448 - \item Directory \texttt{MySession} holds the required theory files
22.449 - $T@1$\texttt{.thy}, \dots, $T@n$\texttt{.thy}.
22.450 -
22.451 - \item File \texttt{MySession/ROOT.ML} holds appropriate ML commands
22.452 - for loading all wanted theories, usually just
22.453 - ``\texttt{use_thy"$T@i$";}'' for any $T@i$ in leaf position of the
22.454 - dependency graph.
22.455 -
22.456 - \item Directory \texttt{MySession/document} contains everything
22.457 - required for the {\LaTeX} stage; only \texttt{root.tex} needs to be
22.458 - provided initially.
22.459 -
22.460 - The latter file holds appropriate {\LaTeX} code to commence a
22.461 - document (\verb,\documentclass, etc.), and to include the generated
22.462 - files $T@i$\texttt{.tex} for each theory. Isabelle will generate a
22.463 - file \texttt{session.tex} holding {\LaTeX} commands to include all
22.464 - generated theory output files in topologically sorted order, so
22.465 - \verb,\input{session}, in the body of \texttt{root.tex} does the job
22.466 - in most situations.
22.467 -
22.468 - \item \texttt{IsaMakefile} holds appropriate dependencies and
22.469 - invocations of Isabelle tools to control the batch job. In fact,
22.470 - several sessions may be managed by the same \texttt{IsaMakefile}.
22.471 - See the \emph{Isabelle System Manual} \cite{isabelle-sys}
22.472 - for further details, especially on
22.473 - \texttt{isabelle usedir} and \texttt{isabelle make}.
22.474 -
22.475 - \end{itemize}
22.476 -
22.477 - One may now start to populate the directory \texttt{MySession}, and
22.478 - the file \texttt{MySession/ROOT.ML} accordingly. The file
22.479 - \texttt{MySession/document/root.tex} should also be adapted at some
22.480 - point; the default version is mostly self-explanatory. Note that
22.481 - \verb,\isabellestyle, enables fine-tuning of the general appearance
22.482 - of characters and mathematical symbols (see also
22.483 - \S\ref{sec:doc-prep-symbols}).
22.484 -
22.485 - Especially observe the included {\LaTeX} packages \texttt{isabelle}
22.486 - (mandatory), \texttt{isabellesym} (required for mathematical
22.487 - symbols), and the final \texttt{pdfsetup} (provides sane defaults
22.488 - for \texttt{hyperref}, including URL markup). All three are
22.489 - distributed with Isabelle. Further packages may be required in
22.490 - particular applications, say for unusual mathematical symbols.
22.491 -
22.492 - \medskip Any additional files for the {\LaTeX} stage go into the
22.493 - \texttt{MySession/document} directory as well. In particular,
22.494 - adding a file named \texttt{root.bib} causes an automatic run of
22.495 - \texttt{bibtex} to process a bibliographic database; see also
22.496 - \texttt{isabelle document} \cite{isabelle-sys}.
22.497 -
22.498 - \medskip Any failure of the document preparation phase in an
22.499 - Isabelle batch session leaves the generated sources in their target
22.500 - location, identified by the accompanying error message. This lets
22.501 - you trace {\LaTeX} problems with the generated files at hand.%
22.502 -\end{isamarkuptext}%
22.503 -\isamarkuptrue%
22.504 -%
22.505 -\isamarkupsubsection{Structure Markup%
22.506 -}
22.507 -\isamarkuptrue%
22.508 -%
22.509 -\begin{isamarkuptext}%
22.510 -The large-scale structure of Isabelle documents follows existing
22.511 - {\LaTeX} conventions, with chapters, sections, subsubsections etc.
22.512 - The Isar language includes separate \bfindex{markup commands}, which
22.513 - do not affect the formal meaning of a theory (or proof), but result
22.514 - in corresponding {\LaTeX} elements.
22.515 -
22.516 - There are separate markup commands depending on the textual context:
22.517 - in header position (just before \isakeyword{theory}), within the
22.518 - theory body, or within a proof. The header needs to be treated
22.519 - specially here, since ordinary theory and proof commands may only
22.520 - occur \emph{after} the initial \isakeyword{theory} specification.
22.521 -
22.522 - \medskip
22.523 -
22.524 - \begin{tabular}{llll}
22.525 - header & theory & proof & default meaning \\\hline
22.526 - & \commdx{chapter} & & \verb,\chapter, \\
22.527 - \commdx{header} & \commdx{section} & \commdx{sect} & \verb,\section, \\
22.528 - & \commdx{subsection} & \commdx{subsect} & \verb,\subsection, \\
22.529 - & \commdx{subsubsection} & \commdx{subsubsect} & \verb,\subsubsection, \\
22.530 - \end{tabular}
22.531 -
22.532 - \medskip
22.533 -
22.534 - From the Isabelle perspective, each markup command takes a single
22.535 - $text$ argument (delimited by \verb,",~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,", or
22.536 - \verb,{,\verb,*,~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,*,\verb,},). After stripping any
22.537 - surrounding white space, the argument is passed to a {\LaTeX} macro
22.538 - \verb,\isamarkupXYZ, for command \isakeyword{XYZ}. These macros are
22.539 - defined in \verb,isabelle.sty, according to the meaning given in the
22.540 - rightmost column above.
22.541 -
22.542 - \medskip The following source fragment illustrates structure markup
22.543 - of a theory. Note that {\LaTeX} labels may be included inside of
22.544 - section headings as well.
22.545 -
22.546 - \begin{ttbox}
22.547 - header {\ttlbrace}* Some properties of Foo Bar elements *{\ttrbrace}
22.548 -
22.549 - theory Foo_Bar
22.550 - imports Main
22.551 - begin
22.552 -
22.553 - subsection {\ttlbrace}* Basic definitions *{\ttrbrace}
22.554 -
22.555 - definition foo :: \dots
22.556 -
22.557 - definition bar :: \dots
22.558 -
22.559 - subsection {\ttlbrace}* Derived rules *{\ttrbrace}
22.560 -
22.561 - lemma fooI: \dots
22.562 - lemma fooE: \dots
22.563 -
22.564 - subsection {\ttlbrace}* Main theorem {\ttback}label{\ttlbrace}sec:main-theorem{\ttrbrace} *{\ttrbrace}
22.565 -
22.566 - theorem main: \dots
22.567 -
22.568 - end
22.569 - \end{ttbox}\vspace{-\medskipamount}
22.570 -
22.571 - You may occasionally want to change the meaning of markup commands,
22.572 - say via \verb,\renewcommand, in \texttt{root.tex}. For example,
22.573 - \verb,\isamarkupheader, is a good candidate for some tuning. We
22.574 - could move it up in the hierarchy to become \verb,\chapter,.
22.575 -
22.576 -\begin{verbatim}
22.577 - \renewcommand{\isamarkupheader}[1]{\chapter{#1}}
22.578 -\end{verbatim}
22.579 -
22.580 - \noindent Now we must change the document class given in
22.581 - \texttt{root.tex} to something that supports chapters. A suitable
22.582 - command is \verb,\documentclass{report},.
22.583 -
22.584 - \medskip The {\LaTeX} macro \verb,\isabellecontext, is maintained to
22.585 - hold the name of the current theory context. This is particularly
22.586 - useful for document headings:
22.587 -
22.588 -\begin{verbatim}
22.589 - \renewcommand{\isamarkupheader}[1]
22.590 - {\chapter{#1}\markright{THEORY~\isabellecontext}}
22.591 -\end{verbatim}
22.592 -
22.593 - \noindent Make sure to include something like
22.594 - \verb,\pagestyle{headings}, in \texttt{root.tex}; the document
22.595 - should have more than two pages to show the effect.%
22.596 -\end{isamarkuptext}%
22.597 -\isamarkuptrue%
22.598 -%
22.599 -\isamarkupsubsection{Formal Comments and Antiquotations \label{sec:doc-prep-text}%
22.600 -}
22.601 -\isamarkuptrue%
22.602 -%
22.603 -\begin{isamarkuptext}%
22.604 -Isabelle \bfindex{source comments}, which are of the form
22.605 - \verb,(,\verb,*,~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,*,\verb,),, essentially act like
22.606 - white space and do not really contribute to the content. They
22.607 - mainly serve technical purposes to mark certain oddities in the raw
22.608 - input text. In contrast, \bfindex{formal comments} are portions of
22.609 - text that are associated with formal Isabelle/Isar commands
22.610 - (\bfindex{marginal comments}), or as standalone paragraphs within a
22.611 - theory or proof context (\bfindex{text blocks}).
22.612 -
22.613 - \medskip Marginal comments are part of each command's concrete
22.614 - syntax \cite{isabelle-ref}; the common form is ``\verb,--,~$text$''
22.615 - where $text$ is delimited by \verb,",\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}\verb,", or
22.616 - \verb,{,\verb,*,~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,*,\verb,}, as before. Multiple
22.617 - marginal comments may be given at the same time. Here is a simple
22.618 - example:%
22.619 -\end{isamarkuptext}%
22.620 -\isamarkuptrue%
22.621 -\isacommand{lemma}\isamarkupfalse%
22.622 -\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{2D}{\isacharminus}}{\isaliteral{2D}{\isacharminus}}{\isaliteral{3E}{\isachargreater}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
22.623 -\ \ %
22.624 -\isamarkupcmt{a triviality of propositional logic%
22.625 -}
22.626 -\isanewline
22.627 -\ \ %
22.628 -\isamarkupcmt{(should not really bother)%
22.629 -}
22.630 -\isanewline
22.631 -%
22.632 -\isadelimproof
22.633 -\ \ %
22.634 -\endisadelimproof
22.635 -%
22.636 -\isatagproof
22.637 -\isacommand{by}\isamarkupfalse%
22.638 -\ {\isaliteral{28}{\isacharparenleft}}rule\ impI{\isaliteral{29}{\isacharparenright}}\ %
22.639 -\isamarkupcmt{implicit assumption step involved here%
22.640 -}
22.641 -%
22.642 -\endisatagproof
22.643 -{\isafoldproof}%
22.644 -%
22.645 -\isadelimproof
22.646 -%
22.647 -\endisadelimproof
22.648 -%
22.649 -\begin{isamarkuptext}%
22.650 -\noindent The above output has been produced as follows:
22.651 -
22.652 -\begin{verbatim}
22.653 - lemma "A --> A"
22.654 - -- "a triviality of propositional logic"
22.655 - -- "(should not really bother)"
22.656 - by (rule impI) -- "implicit assumption step involved here"
22.657 -\end{verbatim}
22.658 -
22.659 - From the {\LaTeX} viewpoint, ``\verb,--,'' acts like a markup
22.660 - command, associated with the macro \verb,\isamarkupcmt, (taking a
22.661 - single argument).
22.662 -
22.663 - \medskip Text blocks are introduced by the commands \bfindex{text}
22.664 - and \bfindex{txt}, for theory and proof contexts, respectively.
22.665 - Each takes again a single $text$ argument, which is interpreted as a
22.666 - free-form paragraph in {\LaTeX} (surrounded by some additional
22.667 - vertical space). This behavior may be changed by redefining the
22.668 - {\LaTeX} environments of \verb,isamarkuptext, or
22.669 - \verb,isamarkuptxt,, respectively (via \verb,\renewenvironment,) The
22.670 - text style of the body is determined by \verb,\isastyletext, and
22.671 - \verb,\isastyletxt,; the default setup uses a smaller font within
22.672 - proofs. This may be changed as follows:
22.673 -
22.674 -\begin{verbatim}
22.675 - \renewcommand{\isastyletxt}{\isastyletext}
22.676 -\end{verbatim}
22.677 -
22.678 - \medskip The $text$ part of Isabelle markup commands essentially
22.679 - inserts \emph{quoted material} into a formal text, mainly for
22.680 - instruction of the reader. An \bfindex{antiquotation} is again a
22.681 - formal object embedded into such an informal portion. The
22.682 - interpretation of antiquotations is limited to some well-formedness
22.683 - checks, with the result being pretty printed to the resulting
22.684 - document. Quoted text blocks together with antiquotations provide
22.685 - an attractive means of referring to formal entities, with good
22.686 - confidence in getting the technical details right (especially syntax
22.687 - and types).
22.688 -
22.689 - The general syntax of antiquotations is as follows:
22.690 - \texttt{{\at}{\ttlbrace}$name$ $arguments${\ttrbrace}}, or
22.691 - \texttt{{\at}{\ttlbrace}$name$ [$options$] $arguments${\ttrbrace}}
22.692 - for a comma-separated list of options consisting of a $name$ or
22.693 - \texttt{$name$=$value$} each. The syntax of $arguments$ depends on
22.694 - the kind of antiquotation, it generally follows the same conventions
22.695 - for types, terms, or theorems as in the formal part of a theory.
22.696 -
22.697 - \medskip This sentence demonstrates quotations and antiquotations:
22.698 - \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x\ y{\isaliteral{2E}{\isachardot}}\ x} is a well-typed term.
22.699 -
22.700 - \medskip\noindent The output above was produced as follows:
22.701 - \begin{ttbox}
22.702 -text {\ttlbrace}*
22.703 - This sentence demonstrates quotations and antiquotations:
22.704 - {\at}{\ttlbrace}term "%x y. x"{\ttrbrace} is a well-typed term.
22.705 -*{\ttrbrace}
22.706 - \end{ttbox}\vspace{-\medskipamount}
22.707 -
22.708 - The notational change from the ASCII character~\verb,%, to the
22.709 - symbol~\isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}} reveals that Isabelle printed this term, after
22.710 - parsing and type-checking. Document preparation enables symbolic
22.711 - output by default.
22.712 -
22.713 - \medskip The next example includes an option to show the type of all
22.714 - variables. The antiquotation
22.715 - \texttt{{\at}}\verb,{term [show_types] "%x y. x"}, produces the
22.716 - output \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ y{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}b{\isaliteral{2E}{\isachardot}}\ x}. Type inference has figured
22.717 - out the most general typings in the present theory context. Terms
22.718 - may acquire different typings due to constraints imposed by their
22.719 - environment; within a proof, for example, variables are given the
22.720 - same types as they have in the main goal statement.
22.721 -
22.722 - \medskip Several further kinds of antiquotations and options are
22.723 - available \cite{isabelle-isar-ref}. Here are a few commonly used
22.724 - combinations:
22.725 -
22.726 - \medskip
22.727 -
22.728 - \begin{tabular}{ll}
22.729 - \texttt{\at}\verb,{typ,~$\tau$\verb,}, & print type $\tau$ \\
22.730 - \texttt{\at}\verb,{const,~$c$\verb,}, & check existence of $c$ and print it \\
22.731 - \texttt{\at}\verb,{term,~$t$\verb,}, & print term $t$ \\
22.732 - \texttt{\at}\verb,{prop,~$\phi$\verb,}, & print proposition $\phi$ \\
22.733 - \texttt{\at}\verb,{prop [display],~$\phi$\verb,}, & print large proposition $\phi$ (with linebreaks) \\
22.734 - \texttt{\at}\verb,{prop [source],~$\phi$\verb,}, & check proposition $\phi$, print its input \\
22.735 - \texttt{\at}\verb,{thm,~$a$\verb,}, & print fact $a$ \\
22.736 - \texttt{\at}\verb,{thm,~$a$~\verb,[no_vars]}, & print fact $a$, fixing schematic variables \\
22.737 - \texttt{\at}\verb,{thm [source],~$a$\verb,}, & check availability of fact $a$, print its name \\
22.738 - \texttt{\at}\verb,{text,~$s$\verb,}, & print uninterpreted text $s$ \\
22.739 - \end{tabular}
22.740 -
22.741 - \medskip
22.742 -
22.743 - Note that \attrdx{no_vars} given above is \emph{not} an
22.744 - antiquotation option, but an attribute of the theorem argument given
22.745 - here. This might be useful with a diagnostic command like
22.746 - \isakeyword{thm}, too.
22.747 -
22.748 - \medskip The \texttt{\at}\verb,{text, $s$\verb,}, antiquotation is
22.749 - particularly interesting. Embedding uninterpreted text within an
22.750 - informal body might appear useless at first sight. Here the key
22.751 - virtue is that the string $s$ is processed as Isabelle output,
22.752 - interpreting Isabelle symbols appropriately.
22.753 -
22.754 - For example, \texttt{\at}\verb,{text "\<forall>\<exists>"}, produces \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}}, according to the standard interpretation of these symbol
22.755 - (cf.\ \S\ref{sec:doc-prep-symbols}). Thus we achieve consistent
22.756 - mathematical notation in both the formal and informal parts of the
22.757 - document very easily, independently of the term language of
22.758 - Isabelle. Manual {\LaTeX} code would leave more control over the
22.759 - typesetting, but is also slightly more tedious.%
22.760 -\end{isamarkuptext}%
22.761 -\isamarkuptrue%
22.762 -%
22.763 -\isamarkupsubsection{Interpretation of Symbols \label{sec:doc-prep-symbols}%
22.764 -}
22.765 -\isamarkuptrue%
22.766 -%
22.767 -\begin{isamarkuptext}%
22.768 -As has been pointed out before (\S\ref{sec:syntax-symbols}),
22.769 - Isabelle symbols are the smallest syntactic entities --- a
22.770 - straightforward generalization of ASCII characters. While Isabelle
22.771 - does not impose any interpretation of the infinite collection of
22.772 - named symbols, {\LaTeX} documents use canonical glyphs for certain
22.773 - standard symbols \cite{isabelle-isar-ref}.
22.774 -
22.775 - The {\LaTeX} code produced from Isabelle text follows a simple
22.776 - scheme. You can tune the final appearance by redefining certain
22.777 - macros, say in \texttt{root.tex} of the document.
22.778 -
22.779 - \begin{enumerate}
22.780 -
22.781 - \item 7-bit ASCII characters: letters \texttt{A\dots Z} and
22.782 - \texttt{a\dots z} are output directly, digits are passed as an
22.783 - argument to the \verb,\isadigit, macro, other characters are
22.784 - replaced by specifically named macros of the form
22.785 - \verb,\isacharXYZ,.
22.786 -
22.787 - \item Named symbols: \verb,\,\verb,<XYZ>, is turned into
22.788 - \verb,{\isasymXYZ},; note the additional braces.
22.789 -
22.790 - \item Named control symbols: \verb,\,\verb,<^XYZ>, is turned into
22.791 - \verb,\isactrlXYZ,; subsequent symbols may act as arguments if the
22.792 - control macro is defined accordingly.
22.793 -
22.794 - \end{enumerate}
22.795 -
22.796 - You may occasionally wish to give new {\LaTeX} interpretations of
22.797 - named symbols. This merely requires an appropriate definition of
22.798 - \verb,\isasymXYZ,, for \verb,\,\verb,<XYZ>, (see
22.799 - \texttt{isabelle.sty} for working examples). Control symbols are
22.800 - slightly more difficult to get right, though.
22.801 -
22.802 - \medskip The \verb,\isabellestyle, macro provides a high-level
22.803 - interface to tune the general appearance of individual symbols. For
22.804 - example, \verb,\isabellestyle{it}, uses the italics text style to
22.805 - mimic the general appearance of the {\LaTeX} math mode; double
22.806 - quotes are not printed at all. The resulting quality of typesetting
22.807 - is quite good, so this should be the default style for work that
22.808 - gets distributed to a broader audience.%
22.809 -\end{isamarkuptext}%
22.810 -\isamarkuptrue%
22.811 -%
22.812 -\isamarkupsubsection{Suppressing Output \label{sec:doc-prep-suppress}%
22.813 -}
22.814 -\isamarkuptrue%
22.815 -%
22.816 -\begin{isamarkuptext}%
22.817 -By default, Isabelle's document system generates a {\LaTeX} file for
22.818 - each theory that gets loaded while running the session. The
22.819 - generated \texttt{session.tex} will include all of these in order of
22.820 - appearance, which in turn gets included by the standard
22.821 - \texttt{root.tex}. Certainly one may change the order or suppress
22.822 - unwanted theories by ignoring \texttt{session.tex} and load
22.823 - individual files directly in \texttt{root.tex}. On the other hand,
22.824 - such an arrangement requires additional maintenance whenever the
22.825 - collection of theories changes.
22.826 -
22.827 - Alternatively, one may tune the theory loading process in
22.828 - \texttt{ROOT.ML} itself: traversal of the theory dependency graph
22.829 - may be fine-tuned by adding \verb,use_thy, invocations, although
22.830 - topological sorting still has to be observed. Moreover, the ML
22.831 - operator \verb,no_document, temporarily disables document generation
22.832 - while executing a theory loader command. Its usage is like this:
22.833 -
22.834 -\begin{verbatim}
22.835 - no_document use_thy "T";
22.836 -\end{verbatim}
22.837 -
22.838 - \medskip Theory output may be suppressed more selectively, either
22.839 - via \bfindex{tagged command regions} or \bfindex{ignored material}.
22.840 -
22.841 - Tagged command regions works by annotating commands with named tags,
22.842 - which correspond to certain {\LaTeX} markup that tells how to treat
22.843 - particular parts of a document when doing the actual type-setting.
22.844 - By default, certain Isabelle/Isar commands are implicitly marked up
22.845 - using the predefined tags ``\emph{theory}'' (for theory begin and
22.846 - end), ``\emph{proof}'' (for proof commands), and ``\emph{ML}'' (for
22.847 - commands involving ML code). Users may add their own tags using the
22.848 - \verb,%,\emph{tag} notation right after a command name. In the
22.849 - subsequent example we hide a particularly irrelevant proof:%
22.850 -\end{isamarkuptext}%
22.851 -\isamarkuptrue%
22.852 -\isacommand{lemma}\isamarkupfalse%
22.853 -\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}%
22.854 -\isadeliminvisible
22.855 -\ %
22.856 -\endisadeliminvisible
22.857 -%
22.858 -\isataginvisible
22.859 -\isacommand{by}\isamarkupfalse%
22.860 -\ {\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
22.861 -\endisataginvisible
22.862 -{\isafoldinvisible}%
22.863 -%
22.864 -\isadeliminvisible
22.865 -%
22.866 -\endisadeliminvisible
22.867 -%
22.868 -\begin{isamarkuptext}%
22.869 -The original source has been ``\verb,lemma "x = x" by %invisible (simp),''.
22.870 - Tags observe the structure of proofs; adjacent commands with the
22.871 - same tag are joined into a single region. The Isabelle document
22.872 - preparation system allows the user to specify how to interpret a
22.873 - tagged region, in order to keep, drop, or fold the corresponding
22.874 - parts of the document. See the \emph{Isabelle System Manual}
22.875 - \cite{isabelle-sys} for further details, especially on
22.876 - \texttt{isabelle usedir} and \texttt{isabelle document}.
22.877 -
22.878 - Ignored material is specified by delimiting the original formal
22.879 - source with special source comments
22.880 - \verb,(,\verb,*,\verb,<,\verb,*,\verb,), and
22.881 - \verb,(,\verb,*,\verb,>,\verb,*,\verb,),. These parts are stripped
22.882 - before the type-setting phase, without affecting the formal checking
22.883 - of the theory, of course. For example, we may hide parts of a proof
22.884 - that seem unfit for general public inspection. The following
22.885 - ``fully automatic'' proof is actually a fake:%
22.886 -\end{isamarkuptext}%
22.887 -\isamarkuptrue%
22.888 -\isacommand{lemma}\isamarkupfalse%
22.889 -\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}int{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ x\ {\isaliteral{2A}{\isacharasterisk}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
22.890 -%
22.891 -\isadelimproof
22.892 -\ \ %
22.893 -\endisadelimproof
22.894 -%
22.895 -\isatagproof
22.896 -\isacommand{by}\isamarkupfalse%
22.897 -\ {\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
22.898 -\endisatagproof
22.899 -{\isafoldproof}%
22.900 -%
22.901 -\isadelimproof
22.902 -%
22.903 -\endisadelimproof
22.904 -%
22.905 -\begin{isamarkuptext}%
22.906 -\noindent The real source of the proof has been as follows:
22.907 -
22.908 -\begin{verbatim}
22.909 - by (auto(*<*)simp add: zero_less_mult_iff(*>*))
22.910 -\end{verbatim}
22.911 -%(*
22.912 -
22.913 - \medskip Suppressing portions of printed text demands care. You
22.914 - should not misrepresent the underlying theory development. It is
22.915 - easy to invalidate the visible text by hiding references to
22.916 - questionable axioms, for example.%
22.917 -\end{isamarkuptext}%
22.918 -\isamarkuptrue%
22.919 -%
22.920 -\isadelimtheory
22.921 -%
22.922 -\endisadelimtheory
22.923 -%
22.924 -\isatagtheory
22.925 -%
22.926 -\endisatagtheory
22.927 -{\isafoldtheory}%
22.928 -%
22.929 -\isadelimtheory
22.930 -%
22.931 -\endisadelimtheory
22.932 -\end{isabellebody}%
22.933 -%%% Local Variables:
22.934 -%%% mode: latex
22.935 -%%% TeX-master: "root"
22.936 -%%% End:
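--- a/doc-src/TutorialI/Documents/documents.tex
+++ b/doc-src/TutorialI/Documents/documents.tex
@@ -16,7 +16,7 @@
 \emph{notations}, but suggestive textual representation of ideas is vital to
 reduce the mental effort to comprehend and apply them.
 
-\input{Documents/document/Documents.tex}
+\input{document/Documents.tex}
 
 %%% Local Variables:
 %%% mode: latex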
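--- a/doc-src/TutorialI/Fun/ROOT.ML
+++ /dev/null
@@ -1,2 +0,0 @@
-use "../settings.ML";
-use_thy "fun0";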
25.1 --- a/doc-src/TutorialI/Fun/document/fun0.tex Thu Jul 26 16:08:16 2012 +0200
25.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
25.3 @@ -1,360 +0,0 @@
25.4 -%
25.5 -\begin{isabellebody}%
25.6 -\def\isabellecontext{fun{\isadigit{0}}}%
25.7 -%
25.8 -\isadelimtheory
25.9 -%
25.10 -\endisadelimtheory
25.11 -%
25.12 -\isatagtheory
25.13 -%
25.14 -\endisatagtheory
25.15 -{\isafoldtheory}%
25.16 -%
25.17 -\isadelimtheory
25.18 -%
25.19 -\endisadelimtheory
25.20 -%
25.21 -\begin{isamarkuptext}%
25.22 -\subsection{Definition}
25.23 -\label{sec:fun-examples}
25.24 -
25.25 -Here is a simple example, the \rmindex{Fibonacci function}:%
25.26 -\end{isamarkuptext}%
25.27 -\isamarkuptrue%
25.28 -\isacommand{fun}\isamarkupfalse%
25.29 -\ fib\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
25.30 -{\isaliteral{22}{\isachardoublequoteopen}}fib\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
25.31 -{\isaliteral{22}{\isachardoublequoteopen}}fib\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
25.32 -{\isaliteral{22}{\isachardoublequoteopen}}fib\ {\isaliteral{28}{\isacharparenleft}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ fib\ x\ {\isaliteral{2B}{\isacharplus}}\ fib\ {\isaliteral{28}{\isacharparenleft}}Suc\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
25.33 -\begin{isamarkuptext}%
25.34 -\noindent
25.35 -This resembles ordinary functional programming languages. Note the obligatory
25.36 -\isacommand{where} and \isa{|}. Command \isacommand{fun} declares and
25.37 -defines the function in one go. Isabelle establishes termination automatically
25.38 -because \isa{fib}'s argument decreases in every recursive call.
25.39 -
25.40 -Slightly more interesting is the insertion of a fixed element
25.41 -between any two elements of a list:%
25.42 -\end{isamarkuptext}%
25.43 -\isamarkuptrue%
25.44 -\isacommand{fun}\isamarkupfalse%
25.45 -\ sep\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
25.46 -{\isaliteral{22}{\isachardoublequoteopen}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
25.47 -{\isaliteral{22}{\isachardoublequoteopen}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
25.48 -{\isaliteral{22}{\isachardoublequoteopen}}sep\ a\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{23}{\isacharhash}}\ a\ {\isaliteral{23}{\isacharhash}}\ sep\ a\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
25.49 -\begin{isamarkuptext}%
25.50 -\noindent
25.51 -This time the length of the list decreases with the
25.52 -recursive call; the first argument is irrelevant for termination.
25.53 -
25.54 -Pattern matching\index{pattern matching!and \isacommand{fun}}
25.55 -need not be exhaustive and may employ wildcards:%
25.56 -\end{isamarkuptext}%
25.57 -\isamarkuptrue%
25.58 -\isacommand{fun}\isamarkupfalse%
25.59 -\ last\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
25.60 -{\isaliteral{22}{\isachardoublequoteopen}}last\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
25.61 -{\isaliteral{22}{\isachardoublequoteopen}}last\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
25.62 -\begin{isamarkuptext}%
25.63 -Overlapping patterns are disambiguated by taking the order of equations into
25.64 -account, just as in functional programming:%
25.65 -\end{isamarkuptext}%
25.66 -\isamarkuptrue%
25.67 -\isacommand{fun}\isamarkupfalse%
25.68 -\ sep{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
25.69 -{\isaliteral{22}{\isachardoublequoteopen}}sep{\isadigit{1}}\ a\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{23}{\isacharhash}}\ a\ {\isaliteral{23}{\isacharhash}}\ sep{\isadigit{1}}\ a\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
25.70 -{\isaliteral{22}{\isachardoublequoteopen}}sep{\isadigit{1}}\ {\isaliteral{5F}{\isacharunderscore}}\ xs\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
25.71 -\begin{isamarkuptext}%
25.72 -\noindent
25.73 -To guarantee that the second equation can only be applied if the first
25.74 -one does not match, Isabelle internally replaces the second equation
25.75 -by the two possibilities that are left: \isa{sep{\isadigit{1}}\ a\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} and
25.76 -\isa{sep{\isadigit{1}}\ a\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}}. Thus the functions \isa{sep} and
25.77 -\isa{sep{\isadigit{1}}} are identical.
25.78 -
25.79 -Because of its pattern matching syntax, \isacommand{fun} is also useful
25.80 -for the definition of non-recursive functions:%
25.81 -\end{isamarkuptext}%
25.82 -\isamarkuptrue%
25.83 -\isacommand{fun}\isamarkupfalse%
25.84 -\ swap{\isadigit{1}}{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
25.85 -{\isaliteral{22}{\isachardoublequoteopen}}swap{\isadigit{1}}{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{23}{\isacharhash}}x{\isaliteral{23}{\isacharhash}}zs{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
25.86 -{\isaliteral{22}{\isachardoublequoteopen}}swap{\isadigit{1}}{\isadigit{2}}\ zs\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ zs{\isaliteral{22}{\isachardoublequoteclose}}%
25.87 -\begin{isamarkuptext}%
25.88 -After a function~$f$ has been defined via \isacommand{fun},
25.89 -its defining equations (or variants derived from them) are available
25.90 -under the name $f$\isa{{\isaliteral{2E}{\isachardot}}simps} as theorems.
25.91 -For example, look (via \isacommand{thm}) at
25.92 -\isa{sep{\isaliteral{2E}{\isachardot}}simps} and \isa{sep{\isadigit{1}}{\isaliteral{2E}{\isachardot}}simps} to see that they define
25.93 -the same function. What is more, those equations are automatically declared as
25.94 -simplification rules.
25.95 -
25.96 -\subsection{Termination}
25.97 -
25.98 -Isabelle's automatic termination prover for \isacommand{fun} has a
25.99 -fixed notion of the \emph{size} (of type \isa{nat}) of an
25.100 -argument. The size of a natural number is the number itself. The size
25.101 -of a list is its length. For the general case see \S\ref{sec:general-datatype}.
25.102 -A recursive function is accepted if \isacommand{fun} can
25.103 -show that the size of one fixed argument becomes smaller with each
25.104 -recursive call.
25.105 -
25.106 -More generally, \isacommand{fun} allows any \emph{lexicographic
25.107 -combination} of size measures in case there are multiple
25.108 -arguments. For example, the following version of \rmindex{Ackermann's
25.109 -function} is accepted:%
25.110 -\end{isamarkuptext}%
25.111 -\isamarkuptrue%
25.112 -\isacommand{fun}\isamarkupfalse%
25.113 -\ ack{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
25.114 -{\isaliteral{22}{\isachardoublequoteopen}}ack{\isadigit{2}}\ n\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ n{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
25.115 -{\isaliteral{22}{\isachardoublequoteopen}}ack{\isadigit{2}}\ {\isadigit{0}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ack{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
25.116 -{\isaliteral{22}{\isachardoublequoteopen}}ack{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ack{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}ack{\isadigit{2}}\ n\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ m{\isaliteral{22}{\isachardoublequoteclose}}%
25.117 -\begin{isamarkuptext}%
25.118 -The order of arguments has no influence on whether
25.119 -\isacommand{fun} can prove termination of a function. For more details
25.120 -see elsewhere~\cite{bulwahnKN07}.
25.121 -
25.122 -\subsection{Simplification}
25.123 -\label{sec:fun-simplification}
25.124 -
25.125 -Upon a successful termination proof, the recursion equations become
25.126 -simplification rules, just as with \isacommand{primrec}.
25.127 -In most cases this works fine, but there is a subtle
25.128 -problem that must be mentioned: simplification may not
25.129 -terminate because of automatic splitting of \isa{if}.
25.130 -\index{*if expressions!splitting of}
25.131 -Let us look at an example:%
25.132 -\end{isamarkuptext}%
25.133 -\isamarkuptrue%
25.134 -\isacommand{fun}\isamarkupfalse%
25.135 -\ gcd\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
25.136 -{\isaliteral{22}{\isachardoublequoteopen}}gcd\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}\ then\ m\ else\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
25.137 -\begin{isamarkuptext}%
25.138 -\noindent
25.139 -The second argument decreases with each recursive call.
25.140 -The termination condition
25.141 -\begin{isabelle}%
25.142 -\ \ \ \ \ n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ mod\ n\ {\isaliteral{3C}{\isacharless}}\ n%
25.143 -\end{isabelle}
25.144 -is proved automatically because it is already present as a lemma in
25.145 -HOL\@. Thus the recursion equation becomes a simplification
25.146 -rule. Of course the equation is nonterminating if we are allowed to unfold
25.147 -the recursive call inside the \isa{else} branch, which is why programming
25.148 -languages and our simplifier don't do that. Unfortunately the simplifier does
25.149 -something else that leads to the same problem: it splits
25.150 -each \isa{if}-expression unless its
25.151 -condition simplifies to \isa{True} or \isa{False}. For
25.152 -example, simplification reduces
25.153 -\begin{isabelle}%
25.154 -\ \ \ \ \ gcd\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ k%
25.155 -\end{isabelle}
25.156 -in one step to
25.157 -\begin{isabelle}%
25.158 -\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}if\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ then\ m\ else\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ k%
25.159 -\end{isabelle}
25.160 -where the condition cannot be reduced further, and splitting leads to
25.161 -\begin{isabelle}%
25.162 -\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ k{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ k{\isaliteral{29}{\isacharparenright}}%
25.163 -\end{isabelle}
25.164 -Since the recursive call \isa{gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}} is no longer protected by
25.165 -an \isa{if}, it is unfolded again, which leads to an infinite chain of
25.166 -simplification steps. Fortunately, this problem can be avoided in many
25.167 -different ways.
25.168 -
25.169 -The most radical solution is to disable the offending theorem
25.170 -\isa{split{\isaliteral{5F}{\isacharunderscore}}if},
25.171 -as shown in \S\ref{sec:AutoCaseSplits}. However, we do not recommend this
25.172 -approach: you will often have to invoke the rule explicitly when
25.173 -\isa{if} is involved.
25.174 -
25.175 -If possible, the definition should be given by pattern matching on the left
25.176 -rather than \isa{if} on the right. In the case of \isa{gcd} the
25.177 -following alternative definition suggests itself:%
25.178 -\end{isamarkuptext}%
25.179 -\isamarkuptrue%
25.180 -\isacommand{fun}\isamarkupfalse%
25.181 -\ gcd{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
25.182 -{\isaliteral{22}{\isachardoublequoteopen}}gcd{\isadigit{1}}\ m\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
25.183 -{\isaliteral{22}{\isachardoublequoteopen}}gcd{\isadigit{1}}\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ gcd{\isadigit{1}}\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
25.184 -\begin{isamarkuptext}%
25.185 -\noindent
25.186 -The order of equations is important: it hides the side condition
25.187 -\isa{n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}}. Unfortunately, not all conditionals can be
25.188 -expressed by pattern matching.
25.189 -
25.190 -A simple alternative is to replace \isa{if} by \isa{case},
25.191 -which is also available for \isa{bool} and is not split automatically:%
25.192 -\end{isamarkuptext}%
25.193 -\isamarkuptrue%
25.194 -\isacommand{fun}\isamarkupfalse%
25.195 -\ gcd{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
25.196 -{\isaliteral{22}{\isachardoublequoteopen}}gcd{\isadigit{2}}\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}\ of\ True\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ m\ {\isaliteral{7C}{\isacharbar}}\ False\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ gcd{\isadigit{2}}\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
25.197 -\begin{isamarkuptext}%
25.198 -\noindent
25.199 -This is probably the neatest solution next to pattern matching, and it is
25.200 -always available.
25.201 -
25.202 -A final alternative is to replace the offending simplification rules by
25.203 -derived conditional ones. For \isa{gcd} it means we have to prove
25.204 -these lemmas:%
25.205 -\end{isamarkuptext}%
25.206 -\isamarkuptrue%
25.207 -\isacommand{lemma}\isamarkupfalse%
25.208 -\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}gcd\ m\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
25.209 -%
25.210 -\isadelimproof
25.211 -%
25.212 -\endisadelimproof
25.213 -%
25.214 -\isatagproof
25.215 -\isacommand{apply}\isamarkupfalse%
25.216 -{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}\isanewline
25.217 -\isacommand{done}\isamarkupfalse%
25.218 -%
25.219 -\endisatagproof
25.220 -{\isafoldproof}%
25.221 -%
25.222 -\isadelimproof
25.223 -\isanewline
25.224 -%
25.225 -\endisadelimproof
25.226 -\isanewline
25.227 -\isacommand{lemma}\isamarkupfalse%
25.228 -\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ gcd\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
25.229 -%
25.230 -\isadelimproof
25.231 -%
25.232 -\endisadelimproof
25.233 -%
25.234 -\isatagproof
25.235 -\isacommand{apply}\isamarkupfalse%
25.236 -{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}\isanewline
25.237 -\isacommand{done}\isamarkupfalse%
25.238 -%
25.239 -\endisatagproof
25.240 -{\isafoldproof}%
25.241 -%
25.242 -\isadelimproof
25.243 -%
25.244 -\endisadelimproof
25.245 -%
25.246 -\begin{isamarkuptext}%
25.247 -\noindent
25.248 -Simplification terminates for these proofs because the condition of the \isa{if} simplifies to \isa{True} or \isa{False}.
25.249 -Now we can disable the original simplification rule:%
25.250 -\end{isamarkuptext}%
25.251 -\isamarkuptrue%
25.252 -\isacommand{declare}\isamarkupfalse%
25.253 -\ gcd{\isaliteral{2E}{\isachardot}}simps\ {\isaliteral{5B}{\isacharbrackleft}}simp\ del{\isaliteral{5D}{\isacharbrackright}}%
25.254 -\begin{isamarkuptext}%
25.255 -\index{induction!recursion|(}
25.256 -\index{recursion induction|(}
25.257 -
25.258 -\subsection{Induction}
25.259 -\label{sec:fun-induction}
25.260 -
25.261 -Having defined a function we might like to prove something about it.
25.262 -Since the function is recursive, the natural proof principle is
25.263 -again induction. But this time the structural form of induction that comes
25.264 -with datatypes is unlikely to work well --- otherwise we could have defined the
25.265 -function by \isacommand{primrec}. Therefore \isacommand{fun} automatically
25.266 -proves a suitable induction rule $f$\isa{{\isaliteral{2E}{\isachardot}}induct} that follows the
25.267 -recursion pattern of the particular function $f$. We call this
25.268 -\textbf{recursion induction}. Roughly speaking, it
25.269 -requires you to prove for each \isacommand{fun} equation that the property
25.270 -you are trying to establish holds for the left-hand side provided it holds
25.271 -for all recursive calls on the right-hand side. Here is a simple example
25.272 -involving the predefined \isa{map} functional on lists:%
25.273 -\end{isamarkuptext}%
25.274 -\isamarkuptrue%
25.275 -\isacommand{lemma}\isamarkupfalse%
25.276 -\ {\isaliteral{22}{\isachardoublequoteopen}}map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ x\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
25.277 -\isadelimproof
25.278 -%
25.279 -\endisadelimproof
25.280 -%
25.281 -\isatagproof
25.282 -%
25.283 -\begin{isamarkuptxt}%
25.284 -\noindent
25.285 -Note that \isa{map\ f\ xs}
25.286 -is the result of applying \isa{f} to all elements of \isa{xs}. We prove
25.287 -this lemma by recursion induction over \isa{sep}:%
25.288 -\end{isamarkuptxt}%
25.289 -\isamarkuptrue%
25.290 -\isacommand{apply}\isamarkupfalse%
25.291 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ x\ xs\ rule{\isaliteral{3A}{\isacharcolon}}\ sep{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
25.292 -\begin{isamarkuptxt}%
25.293 -\noindent
25.294 -The resulting proof state has three subgoals corresponding to the three
25.295 -clauses for \isa{sep}:
25.296 -\begin{isabelle}%
25.297 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a{\isaliteral{2E}{\isachardot}}\ map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
25.298 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ x{\isaliteral{2E}{\isachardot}}\ map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
25.299 -\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ x\ y\ zs{\isaliteral{2E}{\isachardot}}\isanewline
25.300 -\isaindent{\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
25.301 -\isaindent{\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
25.302 -\end{isabelle}
25.303 -The rest is pure simplification:%
25.304 -\end{isamarkuptxt}%
25.305 -\isamarkuptrue%
25.306 -\isacommand{apply}\isamarkupfalse%
25.307 -\ simp{\isaliteral{5F}{\isacharunderscore}}all\isanewline
25.308 -\isacommand{done}\isamarkupfalse%
25.309 -%
25.310 -\endisatagproof
25.311 -{\isafoldproof}%
25.312 -%
25.313 -\isadelimproof
25.314 -%
25.315 -\endisadelimproof
25.316 -%
25.317 -\begin{isamarkuptext}%
25.318 -\noindent The proof goes smoothly because the induction rule
25.319 -follows the recursion of \isa{sep}. Try proving the above lemma by
25.320 -structural induction, and you find that you need an additional case
25.321 -distinction.
25.322 -
25.323 -In general, the format of invoking recursion induction is
25.324 -\begin{quote}
25.325 -\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac} $x@1 \dots x@n$ \isa{rule{\isaliteral{3A}{\isacharcolon}}} $f$\isa{{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}}
25.326 -\end{quote}\index{*induct_tac (method)}%
25.327 -where $x@1~\dots~x@n$ is a list of free variables in the subgoal and $f$ the
25.328 -name of a function that takes $n$ arguments. Usually the subgoal will
25.329 -contain the term $f x@1 \dots x@n$ but this need not be the case. The
25.330 -induction rules do not mention $f$ at all. Here is \isa{sep{\isaliteral{2E}{\isachardot}}induct}:
25.331 -\begin{isabelle}
25.332 -{\isasymlbrakk}~{\isasymAnd}a.~P~a~[];\isanewline
25.333 -~~{\isasymAnd}a~x.~P~a~[x];\isanewline
25.334 -~~{\isasymAnd}a~x~y~zs.~P~a~(y~\#~zs)~{\isasymLongrightarrow}~P~a~(x~\#~y~\#~zs){\isasymrbrakk}\isanewline
25.335 -{\isasymLongrightarrow}~P~u~v%
25.336 -\end{isabelle}
25.337 -It merely says that in order to prove a property \isa{P} of \isa{u} and
25.338 -\isa{v} you need to prove it for the three cases where \isa{v} is the
25.339 -empty list, the singleton list, and the list with at least two elements.
25.340 -The final case has an induction hypothesis: you may assume that \isa{P}
25.341 -holds for the tail of that list.
25.342 -\index{induction!recursion|)}
25.343 -\index{recursion induction|)}%
25.344 -\end{isamarkuptext}%
25.345 -\isamarkuptrue%
25.346 -%
25.347 -\isadelimtheory
25.348 -%
25.349 -\endisadelimtheory
25.350 -%
25.351 -\isatagtheory
25.352 -%
25.353 -\endisatagtheory
25.354 -{\isafoldtheory}%
25.355 -%
25.356 -\isadelimtheory
25.357 -%
25.358 -\endisadelimtheory
25.359 -\end{isabellebody}%
25.360 -%%% Local Variables:
25.361 -%%% mode: latex
25.362 -%%% TeX-master: "root"
25.363 -%%% End:
26.1 --- a/doc-src/TutorialI/Ifexpr/ROOT.ML Thu Jul 26 16:08:16 2012 +0200
26.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
26.3 @@ -1,2 +0,0 @@
26.4 -use "../settings.ML";
26.5 -use_thy "Ifexpr";
27.1 --- a/doc-src/TutorialI/Ifexpr/document/Ifexpr.tex Thu Jul 26 16:08:16 2012 +0200
27.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
27.3 @@ -1,351 +0,0 @@
27.4 -%
27.5 -\begin{isabellebody}%
27.6 -\def\isabellecontext{Ifexpr}%
27.7 -%
27.8 -\isadelimtheory
27.9 -%
27.10 -\endisadelimtheory
27.11 -%
27.12 -\isatagtheory
27.13 -%
27.14 -\endisatagtheory
27.15 -{\isafoldtheory}%
27.16 -%
27.17 -\isadelimtheory
27.18 -%
27.19 -\endisadelimtheory
27.20 -%
27.21 -\isamarkupsubsection{Case Study: Boolean Expressions%
27.22 -}
27.23 -\isamarkuptrue%
27.24 -%
27.25 -\begin{isamarkuptext}%
27.26 -\label{sec:boolex}\index{boolean expressions example|(}
27.27 -The aim of this case study is twofold: it shows how to model boolean
27.28 -expressions and some algorithms for manipulating them, and it demonstrates
27.29 -the constructs introduced above.%
27.30 -\end{isamarkuptext}%
27.31 -\isamarkuptrue%
27.32 -%
27.33 -\isamarkupsubsubsection{Modelling Boolean Expressions%
27.34 -}
27.35 -\isamarkuptrue%
27.36 -%
27.37 -\begin{isamarkuptext}%
27.38 -We want to represent boolean expressions built up from variables and
27.39 -constants by negation and conjunction. The following datatype serves exactly
27.40 -that purpose:%
27.41 -\end{isamarkuptext}%
27.42 -\isamarkuptrue%
27.43 -\isacommand{datatype}\isamarkupfalse%
27.44 -\ boolex\ {\isaliteral{3D}{\isacharequal}}\ Const\ bool\ {\isaliteral{7C}{\isacharbar}}\ Var\ nat\ {\isaliteral{7C}{\isacharbar}}\ Neg\ boolex\isanewline
27.45 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ And\ boolex\ boolex%
27.46 -\begin{isamarkuptext}%
27.47 -\noindent
27.48 -The two constants are represented by \isa{Const\ True} and
27.49 -\isa{Const\ False}. Variables are represented by terms of the form
27.50 -\isa{Var\ n}, where \isa{n} is a natural number (type \isa{nat}).
27.51 -For example, the formula $P@0 \land \neg P@1$ is represented by the term
27.52 -\isa{And\ {\isaliteral{28}{\isacharparenleft}}Var\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Neg\ {\isaliteral{28}{\isacharparenleft}}Var\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}.
27.53 -
27.54 -\subsubsection{The Value of a Boolean Expression}
27.55 -
27.56 -The value of a boolean expression depends on the value of its variables.
27.57 -Hence the function \isa{value} takes an additional parameter, an
27.58 -\emph{environment} of type \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}, which maps variables to their
27.59 -values:%
27.60 -\end{isamarkuptext}%
27.61 -\isamarkuptrue%
27.62 -\isacommand{primrec}\isamarkupfalse%
27.63 -\ {\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}boolex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
27.64 -{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Const\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.65 -{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ env\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.66 -{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ value\ b\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.67 -{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}And\ b\ c{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}value\ b\ env\ {\isaliteral{5C3C616E643E}{\isasymand}}\ value\ c\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
27.68 -\begin{isamarkuptext}%
27.69 -\noindent
27.70 -\subsubsection{If-Expressions}
27.71 -
27.72 -An alternative and often more efficient (because in a certain sense
27.73 -canonical) representation are so-called \emph{If-expressions} built up
27.74 -from constants (\isa{CIF}), variables (\isa{VIF}) and conditionals
27.75 -(\isa{IF}):%
27.76 -\end{isamarkuptext}%
27.77 -\isamarkuptrue%
27.78 -\isacommand{datatype}\isamarkupfalse%
27.79 -\ ifex\ {\isaliteral{3D}{\isacharequal}}\ CIF\ bool\ {\isaliteral{7C}{\isacharbar}}\ VIF\ nat\ {\isaliteral{7C}{\isacharbar}}\ IF\ ifex\ ifex\ ifex%
27.80 -\begin{isamarkuptext}%
27.81 -\noindent
27.82 -The evaluation of If-expressions proceeds as for \isa{boolex}:%
27.83 -\end{isamarkuptext}%
27.84 -\isamarkuptrue%
27.85 -\isacommand{primrec}\isamarkupfalse%
27.86 -\ valif\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
27.87 -{\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ \ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.88 -{\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ \ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ env\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.89 -{\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ valif\ b\ env\ then\ valif\ t\ env\isanewline
27.90 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ else\ valif\ e\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
27.91 -\begin{isamarkuptext}%
27.92 -\subsubsection{Converting Boolean and If-Expressions}
27.93 -
27.94 -The type \isa{boolex} is close to the customary representation of logical
27.95 -formulae, whereas \isa{ifex} is designed for efficiency. It is easy to
27.96 -translate from \isa{boolex} into \isa{ifex}:%
27.97 -\end{isamarkuptext}%
27.98 -\isamarkuptrue%
27.99 -\isacommand{primrec}\isamarkupfalse%
27.100 -\ bool{\isadigit{2}}if\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}boolex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
27.101 -{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}Const\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ CIF\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.102 -{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ \ \ {\isaliteral{3D}{\isacharequal}}\ VIF\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.103 -{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ \ \ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}CIF\ False{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}CIF\ True{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.104 -{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}And\ b\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}CIF\ False{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
27.105 -\begin{isamarkuptext}%
27.106 -\noindent
27.107 -At last, we have something we can verify: that \isa{bool{\isadigit{2}}if} preserves the
27.108 -value of its argument:%
27.109 -\end{isamarkuptext}%
27.110 -\isamarkuptrue%
27.111 -\isacommand{lemma}\isamarkupfalse%
27.112 -\ {\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ value\ b\ env{\isaliteral{22}{\isachardoublequoteclose}}%
27.113 -\isadelimproof
27.114 -%
27.115 -\endisadelimproof
27.116 -%
27.117 -\isatagproof
27.118 -%
27.119 -\begin{isamarkuptxt}%
27.120 -\noindent
27.121 -The proof is canonical:%
27.122 -\end{isamarkuptxt}%
27.123 -\isamarkuptrue%
27.124 -\isacommand{apply}\isamarkupfalse%
27.125 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ b{\isaliteral{29}{\isacharparenright}}\isanewline
27.126 -\isacommand{apply}\isamarkupfalse%
27.127 -{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
27.128 -\isacommand{done}\isamarkupfalse%
27.129 -%
27.130 -\endisatagproof
27.131 -{\isafoldproof}%
27.132 -%
27.133 -\isadelimproof
27.134 -%
27.135 -\endisadelimproof
27.136 -%
27.137 -\begin{isamarkuptext}%
27.138 -\noindent
27.139 -In fact, all proofs in this case study look exactly like this. Hence we do
27.140 -not show them below.
27.141 -
27.142 -More interesting is the transformation of If-expressions into a normal form
27.143 -where the first argument of \isa{IF} cannot be another \isa{IF} but
27.144 -must be a constant or variable. Such a normal form can be computed by
27.145 -repeatedly replacing a subterm of the form \isa{IF\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ x\ y{\isaliteral{29}{\isacharparenright}}\ z\ u} by
27.146 -\isa{IF\ b\ {\isaliteral{28}{\isacharparenleft}}IF\ x\ z\ u{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}IF\ y\ z\ u{\isaliteral{29}{\isacharparenright}}}, which has the same value. The following
27.147 -primitive recursive functions perform this task:%
27.148 -\end{isamarkuptext}%
27.149 -\isamarkuptrue%
27.150 -\isacommand{primrec}\isamarkupfalse%
27.151 -\ normif\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
27.152 -{\isaliteral{22}{\isachardoublequoteopen}}normif\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ \ \ \ t\ e\ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ t\ e{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.153 -{\isaliteral{22}{\isachardoublequoteopen}}normif\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ \ \ \ t\ e\ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ t\ e{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.154 -{\isaliteral{22}{\isachardoublequoteopen}}normif\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ u\ f\ {\isaliteral{3D}{\isacharequal}}\ normif\ b\ {\isaliteral{28}{\isacharparenleft}}normif\ t\ u\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}normif\ e\ u\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
27.155 -\isanewline
27.156 -\isacommand{primrec}\isamarkupfalse%
27.157 -\ norm\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
27.158 -{\isaliteral{22}{\isachardoublequoteopen}}norm\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ CIF\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.159 -{\isaliteral{22}{\isachardoublequoteopen}}norm\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ VIF\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.160 -{\isaliteral{22}{\isachardoublequoteopen}}norm\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ normif\ b\ {\isaliteral{28}{\isacharparenleft}}norm\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}norm\ e{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
27.161 -\begin{isamarkuptext}%
27.162 -\noindent
27.163 -Their interplay is tricky; we leave it to you to develop an
27.164 -intuitive understanding. Fortunately, Isabelle can help us to verify that the
27.165 -transformation preserves the value of the expression:%
27.166 -\end{isamarkuptext}%
27.167 -\isamarkuptrue%
27.168 -\isacommand{theorem}\isamarkupfalse%
27.169 -\ {\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}norm\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ valif\ b\ env{\isaliteral{22}{\isachardoublequoteclose}}%
27.170 -\isadelimproof
27.171 -%
27.172 -\endisadelimproof
27.173 -%
27.174 -\isatagproof
27.175 -%
27.176 -\endisatagproof
27.177 -{\isafoldproof}%
27.178 -%
27.179 -\isadelimproof
27.180 -%
27.181 -\endisadelimproof
27.182 -%
27.183 -\begin{isamarkuptext}%
27.184 -\noindent
27.185 -The proof is canonical, provided we first show the following simplification
27.186 -lemma, which also helps to understand what \isa{normif} does:%
27.187 -\end{isamarkuptext}%
27.188 -\isamarkuptrue%
27.189 -\isacommand{lemma}\isamarkupfalse%
27.190 -\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
27.191 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ e{\isaliteral{2E}{\isachardot}}\ valif\ {\isaliteral{28}{\isacharparenleft}}normif\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ valif\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ env{\isaliteral{22}{\isachardoublequoteclose}}%
27.192 -\isadelimproof
27.193 -%
27.194 -\endisadelimproof
27.195 -%
27.196 -\isatagproof
27.197 -%
27.198 -\endisatagproof
27.199 -{\isafoldproof}%
27.200 -%
27.201 -\isadelimproof
27.202 -%
27.203 -\endisadelimproof
27.204 -%
27.205 -\isadelimproof
27.206 -%
27.207 -\endisadelimproof
27.208 -%
27.209 -\isatagproof
27.210 -%
27.211 -\endisatagproof
27.212 -{\isafoldproof}%
27.213 -%
27.214 -\isadelimproof
27.215 -%
27.216 -\endisadelimproof
27.217 -%
27.218 -\begin{isamarkuptext}%
27.219 -\noindent
27.220 -Note that the lemma does not have a name, but is implicitly used in the proof
27.221 -of the theorem shown above because of the \isa{{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}} attribute.
27.222 -
27.223 -But how can we be sure that \isa{norm} really produces a normal form in
27.224 -the above sense? We define a function that tests If-expressions for normality:%
27.225 -\end{isamarkuptext}%
27.226 -\isamarkuptrue%
27.227 -\isacommand{primrec}\isamarkupfalse%
27.228 -\ normal\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
27.229 -{\isaliteral{22}{\isachardoublequoteopen}}normal{\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.230 -{\isaliteral{22}{\isachardoublequoteopen}}normal{\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
27.231 -{\isaliteral{22}{\isachardoublequoteopen}}normal{\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}normal\ t\ {\isaliteral{5C3C616E643E}{\isasymand}}\ normal\ e\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
27.232 -\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}case\ b\ of\ CIF\ b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ True\ {\isaliteral{7C}{\isacharbar}}\ VIF\ x\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ True\ {\isaliteral{7C}{\isacharbar}}\ IF\ x\ y\ z\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ False{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
27.233 -\begin{isamarkuptext}%
27.234 -\noindent
27.235 -Now we prove \isa{normal\ {\isaliteral{28}{\isacharparenleft}}norm\ b{\isaliteral{29}{\isacharparenright}}}. Of course, this requires a lemma about
27.236 -normality of \isa{normif}:%
27.237 -\end{isamarkuptext}%
27.238 -\isamarkuptrue%
27.239 -\isacommand{lemma}\isamarkupfalse%
27.240 -\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ e{\isaliteral{2E}{\isachardot}}\ normal{\isaliteral{28}{\isacharparenleft}}normif\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}normal\ t\ {\isaliteral{5C3C616E643E}{\isasymand}}\ normal\ e{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
27.241 -\isadelimproof
27.242 -%
27.243 -\endisadelimproof
27.244 -%
27.245 -\isatagproof
27.246 -%
27.247 -\endisatagproof
27.248 -{\isafoldproof}%
27.249 -%
27.250 -\isadelimproof
27.251 -%
27.252 -\endisadelimproof
27.253 -%
27.254 -\isadelimproof
27.255 -%
27.256 -\endisadelimproof
27.257 -%
27.258 -\isatagproof
27.259 -%
27.260 -\endisatagproof
27.261 -{\isafoldproof}%
27.262 -%
27.263 -\isadelimproof
27.264 -%
27.265 -\endisadelimproof
27.266 -%
27.267 -\begin{isamarkuptext}%
27.268 -\medskip
27.269 -How do we come up with the required lemmas? Try to prove the main theorems
27.270 -without them and study carefully what \isa{auto} leaves unproved. This
27.271 -can provide the clue. The necessity of universal quantification
27.272 -(\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ e}) in the two lemmas is explained in
27.273 -\S\ref{sec:InductionHeuristics}
27.274 -
27.275 -\begin{exercise}
27.276 - We strengthen the definition of a \isa{normal} If-expression as follows:
27.277 - the first argument of all \isa{IF}s must be a variable. Adapt the above
27.278 - development to this changed requirement. (Hint: you may need to formulate
27.279 - some of the goals as implications (\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}) rather than
27.280 - equalities (\isa{{\isaliteral{3D}{\isacharequal}}}).)
27.281 -\end{exercise}
27.282 -\index{boolean expressions example|)}%
27.283 -\end{isamarkuptext}%
27.284 -\isamarkuptrue%
27.285 -%
27.286 -\isadelimproof
27.287 -%
27.288 -\endisadelimproof
27.289 -%
27.290 -\isatagproof
27.291 -%
27.292 -\endisatagproof
27.293 -{\isafoldproof}%
27.294 -%
27.295 -\isadelimproof
27.296 -%
27.297 -\endisadelimproof
27.298 -%
27.299 -\isadelimproof
27.300 -%
27.301 -\endisadelimproof
27.302 -%
27.303 -\isatagproof
27.304 -%
27.305 -\endisatagproof
27.306 -{\isafoldproof}%
27.307 -%
27.308 -\isadelimproof
27.309 -%
27.310 -\endisadelimproof
27.311 -%
27.312 -\isadelimproof
27.313 -%
27.314 -\endisadelimproof
27.315 -%
27.316 -\isatagproof
27.317 -%
27.318 -\endisatagproof
27.319 -{\isafoldproof}%
27.320 -%
27.321 -\isadelimproof
27.322 -%
27.323 -\endisadelimproof
27.324 -%
27.325 -\isadelimproof
27.326 -%
27.327 -\endisadelimproof
27.328 -%
27.329 -\isatagproof
27.330 -%
27.331 -\endisatagproof
27.332 -{\isafoldproof}%
27.333 -%
27.334 -\isadelimproof
27.335 -%
27.336 -\endisadelimproof
27.337 -%
27.338 -\isadelimtheory
27.339 -%
27.340 -\endisadelimtheory
27.341 -%
27.342 -\isatagtheory
27.343 -%
27.344 -\endisatagtheory
27.345 -{\isafoldtheory}%
27.346 -%
27.347 -\isadelimtheory
27.348 -%
27.349 -\endisadelimtheory
27.350 -\end{isabellebody}%
27.351 -%%% Local Variables:
27.352 -%%% mode: latex
27.353 -%%% TeX-master: "root"
27.354 -%%% End:
28.1 --- a/doc-src/TutorialI/Inductive/ROOT.ML Thu Jul 26 16:08:16 2012 +0200
28.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
28.3 @@ -1,7 +0,0 @@
28.4 -use "../settings.ML";
28.5 -use_thy "Even";
28.6 -use_thy "Mutual";
28.7 -use_thy "Star";
28.8 -use_thy "AB";
28.9 -use_thy "Advanced";
28.10 -
29.1 --- a/doc-src/TutorialI/Inductive/document/AB.tex Thu Jul 26 16:08:16 2012 +0200
29.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
29.3 @@ -1,462 +0,0 @@
29.4 -%
29.5 -\begin{isabellebody}%
29.6 -\def\isabellecontext{AB}%
29.7 -%
29.8 -\isadelimtheory
29.9 -%
29.10 -\endisadelimtheory
29.11 -%
29.12 -\isatagtheory
29.13 -%
29.14 -\endisatagtheory
29.15 -{\isafoldtheory}%
29.16 -%
29.17 -\isadelimtheory
29.18 -%
29.19 -\endisadelimtheory
29.20 -%
29.21 -\isamarkupsection{Case Study: A Context Free Grammar%
29.22 -}
29.23 -\isamarkuptrue%
29.24 -%
29.25 -\begin{isamarkuptext}%
29.26 -\label{sec:CFG}
29.27 -\index{grammars!defining inductively|(}%
29.28 -Grammars are nothing but shorthands for inductive definitions of nonterminals
29.29 -which represent sets of strings. For example, the production
29.30 -$A \to B c$ is short for
29.31 -\[ w \in B \Longrightarrow wc \in A \]
29.32 -This section demonstrates this idea with an example
29.33 -due to Hopcroft and Ullman, a grammar for generating all words with an
29.34 -equal number of $a$'s and~$b$'s:
29.35 -\begin{eqnarray}
29.36 -S &\to& \epsilon \mid b A \mid a B \nonumber\\
29.37 -A &\to& a S \mid b A A \nonumber\\
29.38 -B &\to& b S \mid a B B \nonumber
29.39 -\end{eqnarray}
29.40 -At the end we say a few words about the relationship between
29.41 -the original proof \cite[p.\ts81]{HopcroftUllman} and our formal version.
29.42 -
29.43 -We start by fixing the alphabet, which consists only of \isa{a}'s
29.44 -and~\isa{b}'s:%
29.45 -\end{isamarkuptext}%
29.46 -\isamarkuptrue%
29.47 -\isacommand{datatype}\isamarkupfalse%
29.48 -\ alfa\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{7C}{\isacharbar}}\ b%
29.49 -\begin{isamarkuptext}%
29.50 -\noindent
29.51 -For convenience we include the following easy lemmas as simplification rules:%
29.52 -\end{isamarkuptext}%
29.53 -\isamarkuptrue%
29.54 -\isacommand{lemma}\isamarkupfalse%
29.55 -\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
29.56 -%
29.57 -\isadelimproof
29.58 -%
29.59 -\endisadelimproof
29.60 -%
29.61 -\isatagproof
29.62 -\isacommand{by}\isamarkupfalse%
29.63 -\ {\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ x{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}%
29.64 -\endisatagproof
29.65 -{\isafoldproof}%
29.66 -%
29.67 -\isadelimproof
29.68 -%
29.69 -\endisadelimproof
29.70 -%
29.71 -\begin{isamarkuptext}%
29.72 -\noindent
29.73 -Words over this alphabet are of type \isa{alfa\ list}, and
29.74 -the three nonterminals are declared as sets of such words.
29.75 -The productions above are recast as a \emph{mutual} inductive
29.76 -definition\index{inductive definition!simultaneous}
29.77 -of \isa{S}, \isa{A} and~\isa{B}:%
29.78 -\end{isamarkuptext}%
29.79 -\isamarkuptrue%
29.80 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
29.81 -\isanewline
29.82 -\ \ S\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}alfa\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
29.83 -\ \ A\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}alfa\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
29.84 -\ \ B\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}alfa\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
29.85 -\isakeyword{where}\isanewline
29.86 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
29.87 -{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b{\isaliteral{23}{\isacharhash}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
29.88 -{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a{\isaliteral{23}{\isacharhash}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
29.89 -\isanewline
29.90 -{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S\ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a{\isaliteral{23}{\isacharhash}}w\ \ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
29.91 -{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ v{\isaliteral{5C3C696E3E}{\isasymin}}A{\isaliteral{3B}{\isacharsemicolon}}\ w{\isaliteral{5C3C696E3E}{\isasymin}}A\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b{\isaliteral{23}{\isacharhash}}v{\isaliteral{40}{\isacharat}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
29.92 -\isanewline
29.93 -{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S\ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b{\isaliteral{23}{\isacharhash}}w\ \ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
29.94 -{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{3B}{\isacharsemicolon}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a{\isaliteral{23}{\isacharhash}}v{\isaliteral{40}{\isacharat}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{22}{\isachardoublequoteclose}}%
29.95 -\begin{isamarkuptext}%
29.96 -\noindent
29.97 -First we show that all words in \isa{S} contain the same number of \isa{a}'s and \isa{b}'s. Since the definition of \isa{S} is by mutual
29.98 -induction, so is the proof: we show at the same time that all words in
29.99 -\isa{A} contain one more \isa{a} than \isa{b} and all words in \isa{B} contain one more \isa{b} than \isa{a}.%
29.100 -\end{isamarkuptext}%
29.101 -\isamarkuptrue%
29.102 -\isacommand{lemma}\isamarkupfalse%
29.103 -\ correctness{\isaliteral{3A}{\isacharcolon}}\isanewline
29.104 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ \ \ \ \ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
29.105 -\ \ \ {\isaliteral{28}{\isacharparenleft}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
29.106 -\ \ \ {\isaliteral{28}{\isacharparenleft}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
29.107 -\isadelimproof
29.108 -%
29.109 -\endisadelimproof
29.110 -%
29.111 -\isatagproof
29.112 -%
29.113 -\begin{isamarkuptxt}%
29.114 -\noindent
29.115 -These propositions are expressed with the help of the predefined \isa{filter} function on lists, which has the convenient syntax \isa{{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}xs{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}}, the list of all elements \isa{x} in \isa{xs} such that \isa{P\ x}
29.116 -holds. Remember that on lists \isa{size} and \isa{length} are synonymous.
29.117 -
29.118 -The proof itself is by rule induction and afterwards automatic:%
29.119 -\end{isamarkuptxt}%
29.120 -\isamarkuptrue%
29.121 -\isacommand{by}\isamarkupfalse%
29.122 -\ {\isaliteral{28}{\isacharparenleft}}rule\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}%
29.123 -\endisatagproof
29.124 -{\isafoldproof}%
29.125 -%
29.126 -\isadelimproof
29.127 -%
29.128 -\endisadelimproof
29.129 -%
29.130 -\begin{isamarkuptext}%
29.131 -\noindent
29.132 -This may seem surprising at first, and is indeed an indication of the power
29.133 -of inductive definitions. But it is also quite straightforward. For example,
29.134 -consider the production $A \to b A A$: if $v,w \in A$ and the elements of $A$
29.135 -contain one more $a$ than~$b$'s, then $bvw$ must again contain one more $a$
29.136 -than~$b$'s.
29.137 -
29.138 -As usual, the correctness of syntactic descriptions is easy, but completeness
29.139 -is hard: does \isa{S} contain \emph{all} words with an equal number of
29.140 -\isa{a}'s and \isa{b}'s? It turns out that this proof requires the
29.141 -following lemma: every string with two more \isa{a}'s than \isa{b}'s can be cut somewhere such that each half has one more \isa{a} than
29.142 -\isa{b}. This is best seen by imagining counting the difference between the
29.143 -number of \isa{a}'s and \isa{b}'s starting at the left end of the
29.144 -word. We start with 0 and end (at the right end) with 2. Since each move to the
29.145 -right increases or decreases the difference by 1, we must have passed through
29.146 -1 on our way from 0 to 2. Formally, we appeal to the following discrete
29.147 -intermediate value theorem \isa{nat{\isadigit{0}}{\isaliteral{5F}{\isacharunderscore}}intermed{\isaliteral{5F}{\isacharunderscore}}int{\isaliteral{5F}{\isacharunderscore}}val}
29.148 -\begin{isabelle}%
29.149 -\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}f\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2D}{\isacharminus}}\ f\ i{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isadigit{1}}{\isaliteral{3B}{\isacharsemicolon}}\ f\ {\isadigit{0}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
29.150 -\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{5C3C6C653E}{\isasymle}}n{\isaliteral{2E}{\isachardot}}\ f\ i\ {\isaliteral{3D}{\isacharequal}}\ k%
29.151 -\end{isabelle}
29.152 -where \isa{f} is of type \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int}, \isa{int} are the integers,
29.153 -\isa{{\isaliteral{5C3C6261723E}{\isasymbar}}{\isaliteral{2E}{\isachardot}}{\isaliteral{5C3C6261723E}{\isasymbar}}} is the absolute value function\footnote{See
29.154 -Table~\ref{tab:ascii} in the Appendix for the correct \textsc{ascii}
29.155 -syntax.}, and \isa{{\isadigit{1}}} is the integer 1 (see \S\ref{sec:numbers}).
29.156 -
29.157 -First we show that our specific function, the difference between the
29.158 -numbers of \isa{a}'s and \isa{b}'s, does indeed only change by 1 in every
29.159 -move to the right. At this point we also start generalizing from \isa{a}'s
29.160 -and \isa{b}'s to an arbitrary property \isa{P}. Otherwise we would have
29.161 -to prove the desired lemma twice, once as stated above and once with the
29.162 -roles of \isa{a}'s and \isa{b}'s interchanged.%
29.163 -\end{isamarkuptext}%
29.164 -\isamarkuptrue%
29.165 -\isacommand{lemma}\isamarkupfalse%
29.166 -\ step{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i\ {\isaliteral{3C}{\isacharless}}\ size\ w{\isaliteral{2E}{\isachardot}}\isanewline
29.167 -\ \ {\isaliteral{5C3C6261723E}{\isasymbar}}{\isaliteral{28}{\isacharparenleft}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ {\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{2D}{\isacharminus}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ {\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
29.168 -\ \ \ {\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{2D}{\isacharminus}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}%
29.169 -\isadelimproof
29.170 -%
29.171 -\endisadelimproof
29.172 -%
29.173 -\isatagproof
29.174 -%
29.175 -\begin{isamarkuptxt}%
29.176 -\noindent
29.177 -The lemma is a bit hard to read because of the coercion function
29.178 -\isa{int\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int}. It is required because \isa{size} returns
29.179 -a natural number, but subtraction on type~\isa{nat} will do the wrong thing.
29.180 -Function \isa{take} is predefined and \isa{take\ i\ xs} is the prefix of
29.181 -length \isa{i} of \isa{xs}; below we also need \isa{drop\ i\ xs}, which
29.182 -is what remains after that prefix has been dropped from \isa{xs}.
29.183 -
29.184 -The proof is by induction on \isa{w}, with a trivial base case, and a not
29.185 -so trivial induction step. Since it is essentially just arithmetic, we do not
29.186 -discuss it.%
29.187 -\end{isamarkuptxt}%
29.188 -\isamarkuptrue%
29.189 -\isacommand{apply}\isamarkupfalse%
29.190 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ w{\isaliteral{29}{\isacharparenright}}\isanewline
29.191 -\isacommand{apply}\isamarkupfalse%
29.192 -{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ abs{\isaliteral{5F}{\isacharunderscore}}if\ take{\isaliteral{5F}{\isacharunderscore}}Cons\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}\isanewline
29.193 -\isacommand{done}\isamarkupfalse%
29.194 -%
29.195 -\endisatagproof
29.196 -{\isafoldproof}%
29.197 -%
29.198 -\isadelimproof
29.199 -%
29.200 -\endisadelimproof
29.201 -%
29.202 -\begin{isamarkuptext}%
29.203 -Finally we come to the above-mentioned lemma about cutting in half a word with two more elements of one sort than of the other sort:%
29.204 -\end{isamarkuptext}%
29.205 -\isamarkuptrue%
29.206 -\isacommand{lemma}\isamarkupfalse%
29.207 -\ part{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\isanewline
29.208 -\ {\isaliteral{22}{\isachardoublequoteopen}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{2}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
29.209 -\ \ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{5C3C6C653E}{\isasymle}}size\ w{\isaliteral{2E}{\isachardot}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}%
29.210 -\isadelimproof
29.211 -%
29.212 -\endisadelimproof
29.213 -%
29.214 -\isatagproof
29.215 -%
29.216 -\begin{isamarkuptxt}%
29.217 -\noindent
29.218 -This is proved by \isa{force} with the help of the intermediate value theorem,
29.219 -instantiated appropriately and with its first premise disposed of by lemma
29.220 -\isa{step{\isadigit{1}}}:%
29.221 -\end{isamarkuptxt}%
29.222 -\isamarkuptrue%
29.223 -\isacommand{apply}\isamarkupfalse%
29.224 -{\isaliteral{28}{\isacharparenleft}}insert\ nat{\isadigit{0}}{\isaliteral{5F}{\isacharunderscore}}intermed{\isaliteral{5F}{\isacharunderscore}}int{\isaliteral{5F}{\isacharunderscore}}val{\isaliteral{5B}{\isacharbrackleft}}OF\ step{\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ of\ {\isaliteral{22}{\isachardoublequoteopen}}P{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}w{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
29.225 -\isacommand{by}\isamarkupfalse%
29.226 -\ force%
29.227 -\endisatagproof
29.228 -{\isafoldproof}%
29.229 -%
29.230 -\isadelimproof
29.231 -%
29.232 -\endisadelimproof
29.233 -%
29.234 -\begin{isamarkuptext}%
29.235 -\noindent
29.236 -
29.237 -Lemma \isa{part{\isadigit{1}}} tells us only about the prefix \isa{take\ i\ w}.
29.238 -An easy lemma deals with the suffix \isa{drop\ i\ w}:%
29.239 -\end{isamarkuptext}%
29.240 -\isamarkuptrue%
29.241 -\isacommand{lemma}\isamarkupfalse%
29.242 -\ part{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\isanewline
29.243 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w\ {\isaliteral{40}{\isacharat}}\ drop\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
29.244 -\ \ \ \ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w\ {\isaliteral{40}{\isacharat}}\ drop\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{2}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
29.245 -\ \ \ \ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
29.246 -\ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
29.247 -%
29.248 -\isadelimproof
29.249 -%
29.250 -\endisadelimproof
29.251 -%
29.252 -\isatagproof
29.253 -\isacommand{by}\isamarkupfalse%
29.254 -{\isaliteral{28}{\isacharparenleft}}simp\ del{\isaliteral{3A}{\isacharcolon}}\ append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{29}{\isacharparenright}}%
29.255 -\endisatagproof
29.256 -{\isafoldproof}%
29.257 -%
29.258 -\isadelimproof
29.259 -%
29.260 -\endisadelimproof
29.261 -%
29.262 -\begin{isamarkuptext}%
29.263 -\noindent
29.264 -In the proof we have disabled the normally useful lemma
29.265 -\begin{isabelle}
29.266 -\isa{take\ n\ xs\ {\isaliteral{40}{\isacharat}}\ drop\ n\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs}
29.267 -\rulename{append_take_drop_id}
29.268 -\end{isabelle}
29.269 -to allow the simplifier to apply the following lemma instead:
29.270 -\begin{isabelle}%
29.271 -\ \ \ \ \ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C696E3E}{\isasymin}}xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C696E3E}{\isasymin}}xs{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C696E3E}{\isasymin}}ys{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}%
29.272 -\end{isabelle}
29.273 -
29.274 -To dispose of trivial cases automatically, the rules of the inductive
29.275 -definition are declared simplification rules:%
29.276 -\end{isamarkuptext}%
29.277 -\isamarkuptrue%
29.278 -\isacommand{declare}\isamarkupfalse%
29.279 -\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}intros{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}%
29.280 -\begin{isamarkuptext}%
29.281 -\noindent
29.282 -This could have been done earlier but was not necessary so far.
29.283 -
29.284 -The completeness theorem tells us that if a word has the same number of
29.285 -\isa{a}'s and \isa{b}'s, then it is in \isa{S}, and similarly
29.286 -for \isa{A} and \isa{B}:%
29.287 -\end{isamarkuptext}%
29.288 -\isamarkuptrue%
29.289 -\isacommand{theorem}\isamarkupfalse%
29.290 -\ completeness{\isaliteral{3A}{\isacharcolon}}\isanewline
29.291 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
29.292 -\ \ \ {\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
29.293 -\ \ \ {\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
29.294 -\isadelimproof
29.295 -%
29.296 -\endisadelimproof
29.297 -%
29.298 -\isatagproof
29.299 -%
29.300 -\begin{isamarkuptxt}%
29.301 -\noindent
29.302 -The proof is by induction on \isa{w}. Structural induction would fail here
29.303 -because, as we can see from the grammar, we need to make bigger steps than
29.304 -merely appending a single letter at the front. Hence we induct on the length
29.305 -of \isa{w}, using the induction rule \isa{length{\isaliteral{5F}{\isacharunderscore}}induct}:%
29.306 -\end{isamarkuptxt}%
29.307 -\isamarkuptrue%
29.308 -\isacommand{apply}\isamarkupfalse%
29.309 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ w\ rule{\isaliteral{3A}{\isacharcolon}}\ length{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
29.310 -\isacommand{apply}\isamarkupfalse%
29.311 -{\isaliteral{28}{\isacharparenleft}}rename{\isaliteral{5F}{\isacharunderscore}}tac\ w{\isaliteral{29}{\isacharparenright}}%
29.312 -\begin{isamarkuptxt}%
29.313 -\noindent
29.314 -The \isa{rule} parameter tells \isa{induct{\isaliteral{5F}{\isacharunderscore}}tac} explicitly which induction
29.315 -rule to use. For details see \S\ref{sec:complete-ind} below.
29.316 -In this case the result is that we may assume the lemma already
29.317 -holds for all words shorter than \isa{w}. Because the induction step renames
29.318 -the induction variable we rename it back to \isa{w}.
29.319 -
29.320 -The proof continues with a case distinction on \isa{w},
29.321 -on whether \isa{w} is empty or not.%
29.322 -\end{isamarkuptxt}%
29.323 -\isamarkuptrue%
29.324 -\isacommand{apply}\isamarkupfalse%
29.325 -{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ w{\isaliteral{29}{\isacharparenright}}\isanewline
29.326 -\ \isacommand{apply}\isamarkupfalse%
29.327 -{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
29.328 -\begin{isamarkuptxt}%
29.329 -\noindent
29.330 -Simplification disposes of the base case and leaves only a conjunction
29.331 -of two step cases to be proved:
29.332 -if \isa{w\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ v} and \begin{isabelle}%
29.333 -\ \ \ \ \ length\ {\isaliteral{28}{\isacharparenleft}}if\ x\ {\isaliteral{3D}{\isacharequal}}\ a\ then\ {\isaliteral{5B}{\isacharbrackleft}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ v{\isaliteral{5D}{\isacharbrackright}}\ else\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
29.334 -\isaindent{\ \ \ \ \ }length\ {\isaliteral{28}{\isacharparenleft}}if\ x\ {\isaliteral{3D}{\isacharequal}}\ b\ then\ {\isaliteral{5B}{\isacharbrackleft}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ v{\isaliteral{5D}{\isacharbrackright}}\ else\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{2}}%
29.335 -\end{isabelle} then
29.336 -\isa{b\ {\isaliteral{23}{\isacharhash}}\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A}, and similarly for \isa{w\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{23}{\isacharhash}}\ v}.
29.337 -We only consider the first case in detail.
29.338 -
29.339 -After breaking the conjunction up into two cases, we can apply
29.340 -\isa{part{\isadigit{1}}} to the assumption that \isa{w} contains two more \isa{a}'s than \isa{b}'s.%
29.341 -\end{isamarkuptxt}%
29.342 -\isamarkuptrue%
29.343 -\isacommand{apply}\isamarkupfalse%
29.344 -{\isaliteral{28}{\isacharparenleft}}rule\ conjI{\isaliteral{29}{\isacharparenright}}\isanewline
29.345 -\ \isacommand{apply}\isamarkupfalse%
29.346 -{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
29.347 -\ \isacommand{apply}\isamarkupfalse%
29.348 -{\isaliteral{28}{\isacharparenleft}}frule\ part{\isadigit{1}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
29.349 -\ \isacommand{apply}\isamarkupfalse%
29.350 -{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}%
29.351 -\begin{isamarkuptxt}%
29.352 -\noindent
29.353 -This yields an index \isa{i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ length\ v} such that
29.354 -\begin{isabelle}%
29.355 -\ \ \ \ \ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}%
29.356 -\end{isabelle}
29.357 -With the help of \isa{part{\isadigit{2}}} it follows that
29.358 -\begin{isabelle}%
29.359 -\ \ \ \ \ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}%
29.360 -\end{isabelle}%
29.361 -\end{isamarkuptxt}%
29.362 -\isamarkuptrue%
29.363 -\ \isacommand{apply}\isamarkupfalse%
29.364 -{\isaliteral{28}{\isacharparenleft}}drule\ part{\isadigit{2}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
29.365 -\ \ \isacommand{apply}\isamarkupfalse%
29.366 -{\isaliteral{28}{\isacharparenleft}}assumption{\isaliteral{29}{\isacharparenright}}%
29.367 -\begin{isamarkuptxt}%
29.368 -\noindent
29.369 -Now it is time to decompose \isa{v} in the conclusion \isa{b\ {\isaliteral{23}{\isacharhash}}\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A}
29.370 -into \isa{take\ i\ v\ {\isaliteral{40}{\isacharat}}\ drop\ i\ v},%
29.371 -\end{isamarkuptxt}%
29.372 -\isamarkuptrue%
29.373 -\ \isacommand{apply}\isamarkupfalse%
29.374 -{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isadigit{1}}{\isaliteral{3D}{\isacharequal}}i\ \isakeyword{and}\ t{\isaliteral{3D}{\isacharequal}}v\ \isakeyword{in}\ subst{\isaliteral{5B}{\isacharbrackleft}}OF\ append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}%
29.375 -\begin{isamarkuptxt}%
29.376 -\noindent
29.377 -(the variables \isa{n{\isadigit{1}}} and \isa{t} are the result of composing the
29.378 -theorems \isa{subst} and \isa{append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id})
29.379 -after which the appropriate rule of the grammar reduces the goal
29.380 -to the two subgoals \isa{take\ i\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A} and \isa{drop\ i\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A}:%
29.381 -\end{isamarkuptxt}%
29.382 -\isamarkuptrue%
29.383 -\ \isacommand{apply}\isamarkupfalse%
29.384 -{\isaliteral{28}{\isacharparenleft}}rule\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}%
29.385 -\begin{isamarkuptxt}%
29.386 -Both subgoals follow from the induction hypothesis because both \isa{take\ i\ v} and \isa{drop\ i\ v} are shorter than \isa{w}:%
29.387 -\end{isamarkuptxt}%
29.388 -\isamarkuptrue%
29.389 -\ \ \isacommand{apply}\isamarkupfalse%
29.390 -{\isaliteral{28}{\isacharparenleft}}force\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ min{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}disj{\isaliteral{29}{\isacharparenright}}\isanewline
29.391 -\ \isacommand{apply}\isamarkupfalse%
29.392 -{\isaliteral{28}{\isacharparenleft}}force\ split\ add{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
29.393 -\begin{isamarkuptxt}%
29.394 -The case \isa{w\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{23}{\isacharhash}}\ v} is proved analogously:%
29.395 -\end{isamarkuptxt}%
29.396 -\isamarkuptrue%
29.397 -\isacommand{apply}\isamarkupfalse%
29.398 -{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
29.399 -\isacommand{apply}\isamarkupfalse%
29.400 -{\isaliteral{28}{\isacharparenleft}}frule\ part{\isadigit{1}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
29.401 -\isacommand{apply}\isamarkupfalse%
29.402 -{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
29.403 -\isacommand{apply}\isamarkupfalse%
29.404 -{\isaliteral{28}{\isacharparenleft}}drule\ part{\isadigit{2}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
29.405 -\ \isacommand{apply}\isamarkupfalse%
29.406 -{\isaliteral{28}{\isacharparenleft}}assumption{\isaliteral{29}{\isacharparenright}}\isanewline
29.407 -\isacommand{apply}\isamarkupfalse%
29.408 -{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isadigit{1}}{\isaliteral{3D}{\isacharequal}}i\ \isakeyword{and}\ t{\isaliteral{3D}{\isacharequal}}v\ \isakeyword{in}\ subst{\isaliteral{5B}{\isacharbrackleft}}OF\ append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
29.409 -\isacommand{apply}\isamarkupfalse%
29.410 -{\isaliteral{28}{\isacharparenleft}}rule\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
29.411 -\ \isacommand{apply}\isamarkupfalse%
29.412 -{\isaliteral{28}{\isacharparenleft}}force\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ min{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}disj{\isaliteral{29}{\isacharparenright}}\isanewline
29.413 -\isacommand{by}\isamarkupfalse%
29.414 -{\isaliteral{28}{\isacharparenleft}}force\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ min{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}disj\ split\ add{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
29.415 -\endisatagproof
29.416 -{\isafoldproof}%
29.417 -%
29.418 -\isadelimproof
29.419 -%
29.420 -\endisadelimproof
29.421 -%
29.422 -\begin{isamarkuptext}%
29.423 -We conclude this section with a comparison of our proof with
29.424 -Hopcroft\index{Hopcroft, J. E.} and Ullman's\index{Ullman, J. D.}
29.425 -\cite[p.\ts81]{HopcroftUllman}.
29.426 -For a start, the textbook
29.427 -grammar, for no good reason, excludes the empty word, thus complicating
29.428 -matters just a little bit: they have 8 instead of our 7 productions.
29.429 -
29.430 -More importantly, the proof itself is different: rather than
29.431 -separating the two directions, they perform one induction on the
29.432 -length of a word. This deprives them of the beauty of rule induction,
29.433 -and in the easy direction (correctness) their reasoning is more
29.434 -detailed than our \isa{auto}. For the hard part (completeness), they
29.435 -consider just one of the cases that our \isa{simp{\isaliteral{5F}{\isacharunderscore}}all} disposes of
29.436 -automatically. Then they conclude the proof by saying about the
29.437 -remaining cases: ``We do this in a manner similar to our method of
29.438 -proof for part (1); this part is left to the reader''. But this is
29.439 -precisely the part that requires the intermediate value theorem and
29.440 -thus is not at all similar to the other cases (which are automatic in
29.441 -Isabelle). The authors are at least cavalier about this point and may
29.442 -even have overlooked the slight difficulty lurking in the omitted
29.443 -cases. Such errors are found in many pen-and-paper proofs when they
29.444 -are scrutinized formally.%
29.445 -\index{grammars!defining inductively|)}%
29.446 -\end{isamarkuptext}%
29.447 -\isamarkuptrue%
29.448 -%
29.449 -\isadelimtheory
29.450 -%
29.451 -\endisadelimtheory
29.452 -%
29.453 -\isatagtheory
29.454 -%
29.455 -\endisatagtheory
29.456 -{\isafoldtheory}%
29.457 -%
29.458 -\isadelimtheory
29.459 -%
29.460 -\endisadelimtheory
29.461 -\end{isabellebody}%
29.462 -%%% Local Variables:
29.463 -%%% mode: latex
29.464 -%%% TeX-master: "root"
29.465 -%%% End:
30.1 --- a/doc-src/TutorialI/Inductive/document/Advanced.tex Thu Jul 26 16:08:16 2012 +0200
30.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
30.3 @@ -1,599 +0,0 @@
30.4 -%
30.5 -\begin{isabellebody}%
30.6 -\def\isabellecontext{Advanced}%
30.7 -%
30.8 -\isadelimtheory
30.9 -%
30.10 -\endisadelimtheory
30.11 -%
30.12 -\isatagtheory
30.13 -%
30.14 -\endisatagtheory
30.15 -{\isafoldtheory}%
30.16 -%
30.17 -\isadelimtheory
30.18 -%
30.19 -\endisadelimtheory
30.20 -%
30.21 -\isadelimML
30.22 -%
30.23 -\endisadelimML
30.24 -%
30.25 -\isatagML
30.26 -%
30.27 -\endisatagML
30.28 -{\isafoldML}%
30.29 -%
30.30 -\isadelimML
30.31 -%
30.32 -\endisadelimML
30.33 -%
30.34 -\begin{isamarkuptext}%
30.35 -The premises of introduction rules may contain universal quantifiers and
30.36 -monotone functions. A universal quantifier lets the rule
30.37 -refer to any number of instances of
30.38 -the inductively defined set. A monotone function lets the rule refer
30.39 -to existing constructions (such as ``list of'') over the inductively defined
30.40 -set. The examples below show how to use the additional expressiveness
30.41 -and how to reason from the resulting definitions.%
30.42 -\end{isamarkuptext}%
30.43 -\isamarkuptrue%
30.44 -%
30.45 -\isamarkupsubsection{Universal Quantifiers in Introduction Rules \label{sec:gterm-datatype}%
30.46 -}
30.47 -\isamarkuptrue%
30.48 -%
30.49 -\begin{isamarkuptext}%
30.50 -\index{ground terms example|(}%
30.51 -\index{quantifiers!and inductive definitions|(}%
30.52 -As a running example, this section develops the theory of \textbf{ground
30.53 -terms}: terms constructed from constant and function
30.54 -symbols but not variables. To simplify matters further, we regard a
30.55 -constant as a function applied to the null argument list. Let us declare a
30.56 -datatype \isa{gterm} for the type of ground terms. It is a type constructor
30.57 -whose argument is a type of function symbols.%
30.58 -\end{isamarkuptext}%
30.59 -\isamarkuptrue%
30.60 -\isacommand{datatype}\isamarkupfalse%
30.61 -\ {\isaliteral{27}{\isacharprime}}f\ gterm\ {\isaliteral{3D}{\isacharequal}}\ Apply\ {\isaliteral{27}{\isacharprime}}f\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ gterm\ list{\isaliteral{22}{\isachardoublequoteclose}}%
30.62 -\begin{isamarkuptext}%
30.63 -To try it out, we declare a datatype of some integer operations:
30.64 -integer constants, the unary minus operator and the addition
30.65 -operator.%
30.66 -\end{isamarkuptext}%
30.67 -\isamarkuptrue%
30.68 -\isacommand{datatype}\isamarkupfalse%
30.69 -\ integer{\isaliteral{5F}{\isacharunderscore}}op\ {\isaliteral{3D}{\isacharequal}}\ Number\ int\ {\isaliteral{7C}{\isacharbar}}\ UnaryMinus\ {\isaliteral{7C}{\isacharbar}}\ Plus%
30.70 -\begin{isamarkuptext}%
30.71 -Now the type \isa{integer{\isaliteral{5F}{\isacharunderscore}}op\ gterm} denotes the ground
30.72 -terms built over those symbols.
30.73 -
30.74 -The type constructor \isa{gterm} can be generalized to a function
30.75 -over sets. It returns
30.76 -the set of ground terms that can be formed over a set \isa{F} of function symbols. For
30.77 -example, we could consider the set of ground terms formed from the finite
30.78 -set \isa{{\isaliteral{7B}{\isacharbraceleft}}Number\ {\isadigit{2}}{\isaliteral{2C}{\isacharcomma}}\ UnaryMinus{\isaliteral{2C}{\isacharcomma}}\ Plus{\isaliteral{7D}{\isacharbraceright}}}.
30.79 -
30.80 -This concept is inductive. If we have a list \isa{args} of ground terms
30.81 -over~\isa{F} and a function symbol \isa{f} in \isa{F}, then we
30.82 -can apply \isa{f} to \isa{args} to obtain another ground term.
30.83 -The only difficulty is that the argument list may be of any length. Hitherto,
30.84 -each rule in an inductive definition referred to the inductively
30.85 -defined set a fixed number of times, typically once or twice.
30.86 -A universal quantifier in the premise of the introduction rule
30.87 -expresses that every element of \isa{args} belongs
30.88 -to our inductively defined set: is a ground term
30.89 -over~\isa{F}. The function \isa{set} denotes the set of elements in a given
30.90 -list.%
30.91 -\end{isamarkuptext}%
30.92 -\isamarkuptrue%
30.93 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
30.94 -\isanewline
30.95 -\ \ gterms\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}f\ gterm\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.96 -\ \ \isakeyword{for}\ F\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.97 -\isakeyword{where}\isanewline
30.98 -step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{3B}{\isacharsemicolon}}\ \ f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
30.99 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Apply\ f\ args{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{22}{\isachardoublequoteclose}}%
30.100 -\begin{isamarkuptext}%
30.101 -To demonstrate a proof from this definition, let us
30.102 -show that the function \isa{gterms}
30.103 -is \textbf{monotone}. We shall need this concept shortly.%
30.104 -\end{isamarkuptext}%
30.105 -\isamarkuptrue%
30.106 -\isacommand{lemma}\isamarkupfalse%
30.107 -\ gterms{\isaliteral{5F}{\isacharunderscore}}mono{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}F{\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}G\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ gterms\ F\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ gterms\ G{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.108 -%
30.109 -\isadelimproof
30.110 -%
30.111 -\endisadelimproof
30.112 -%
30.113 -\isatagproof
30.114 -\isacommand{apply}\isamarkupfalse%
30.115 -\ clarify\isanewline
30.116 -\isacommand{apply}\isamarkupfalse%
30.117 -\ {\isaliteral{28}{\isacharparenleft}}erule\ gterms{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
30.118 -\isacommand{apply}\isamarkupfalse%
30.119 -\ blast\isanewline
30.120 -\isacommand{done}\isamarkupfalse%
30.121 -%
30.122 -\endisatagproof
30.123 -{\isafoldproof}%
30.124 -%
30.125 -\isadelimproof
30.126 -%
30.127 -\endisadelimproof
30.128 -%
30.129 -\isadelimproof
30.130 -%
30.131 -\endisadelimproof
30.132 -%
30.133 -\isatagproof
30.134 -%
30.135 -\begin{isamarkuptxt}%
30.136 -Intuitively, this theorem says that
30.137 -enlarging the set of function symbols enlarges the set of ground
30.138 -terms. The proof is a trivial rule induction.
30.139 -First we use the \isa{clarify} method to assume the existence of an element of
30.140 -\isa{gterms\ F}. (We could have used \isa{intro\ subsetI}.) We then
30.141 -apply rule induction. Here is the resulting subgoal:
30.142 -\begin{isabelle}%
30.143 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ args\ f{\isaliteral{2E}{\isachardot}}\isanewline
30.144 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}F\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ G{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G{\isaliteral{3B}{\isacharsemicolon}}\ f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
30.145 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G%
30.146 -\end{isabelle}
30.147 -The assumptions state that \isa{f} belongs
30.148 -to~\isa{F}, which is included in~\isa{G}, and that every element of the list \isa{args} is
30.149 -a ground term over~\isa{G}. The \isa{blast} method finds this chain of reasoning easily.%
30.150 -\end{isamarkuptxt}%
30.151 -\isamarkuptrue%
30.152 -%
30.153 -\endisatagproof
30.154 -{\isafoldproof}%
30.155 -%
30.156 -\isadelimproof
30.157 -%
30.158 -\endisadelimproof
30.159 -%
30.160 -\begin{isamarkuptext}%
30.161 -\begin{warn}
30.162 -Why do we call this function \isa{gterms} instead
30.163 -of \isa{gterm}? A constant may have the same name as a type. However,
30.164 -name clashes could arise in the theorems that Isabelle generates.
30.165 -Our choice of names keeps \isa{gterms{\isaliteral{2E}{\isachardot}}induct} separate from
30.166 -\isa{gterm{\isaliteral{2E}{\isachardot}}induct}.
30.167 -\end{warn}
30.168 -
30.169 -Call a term \textbf{well-formed} if each symbol occurring in it is applied
30.170 -to the correct number of arguments. (This number is called the symbol's
30.171 -\textbf{arity}.) We can express well-formedness by
30.172 -generalizing the inductive definition of
30.173 -\isa{gterms}.
30.174 -Suppose we are given a function called \isa{arity}, specifying the arities
30.175 -of all symbols. In the inductive step, we have a list \isa{args} of such
30.176 -terms and a function symbol~\isa{f}. If the length of the list matches the
30.177 -function's arity then applying \isa{f} to \isa{args} yields a well-formed
30.178 -term.%
30.179 -\end{isamarkuptext}%
30.180 -\isamarkuptrue%
30.181 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
30.182 -\isanewline
30.183 -\ \ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}f\ gterm\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.184 -\ \ \isakeyword{for}\ arity\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.185 -\isakeyword{where}\isanewline
30.186 -step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{3B}{\isacharsemicolon}}\ \ \isanewline
30.187 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
30.188 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Apply\ f\ args{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{22}{\isachardoublequoteclose}}%
30.189 -\begin{isamarkuptext}%
30.190 -The inductive definition neatly captures the reasoning above.
30.191 -The universal quantification over the
30.192 -\isa{set} of arguments expresses that all of them are well-formed.%
30.193 -\index{quantifiers!and inductive definitions|)}%
30.194 -\end{isamarkuptext}%
30.195 -\isamarkuptrue%
30.196 -%
30.197 -\isamarkupsubsection{Alternative Definition Using a Monotone Function%
30.198 -}
30.199 -\isamarkuptrue%
30.200 -%
30.201 -\begin{isamarkuptext}%
30.202 -\index{monotone functions!and inductive definitions|(}%
30.203 -An inductive definition may refer to the
30.204 -inductively defined set through an arbitrary monotone function. To
30.205 -demonstrate this powerful feature, let us
30.206 -change the inductive definition above, replacing the
30.207 -quantifier by a use of the function \isa{lists}. This
30.208 -function, from the Isabelle theory of lists, is analogous to the
30.209 -function \isa{gterms} declared above: if \isa{A} is a set then
30.210 -\isa{lists\ A} is the set of lists whose elements belong to
30.211 -\isa{A}.
30.212 -
30.213 -In the inductive definition of well-formed terms, examine the one
30.214 -introduction rule. The first premise states that \isa{args} belongs to
30.215 -the \isa{lists} of well-formed terms. This formulation is more
30.216 -direct, if more obscure, than using a universal quantifier.%
30.217 -\end{isamarkuptext}%
30.218 -\isamarkuptrue%
30.219 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
30.220 -\isanewline
30.221 -\ \ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}f\ gterm\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.222 -\ \ \isakeyword{for}\ arity\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.223 -\isakeyword{where}\isanewline
30.224 -step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ \ \isanewline
30.225 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
30.226 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Apply\ f\ args{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.227 -\isakeyword{monos}\ lists{\isaliteral{5F}{\isacharunderscore}}mono%
30.228 -\begin{isamarkuptext}%
30.229 -We cite the theorem \isa{lists{\isaliteral{5F}{\isacharunderscore}}mono} to justify
30.230 -using the function \isa{lists}.%
30.231 -\footnote{This particular theorem is installed by default already, but we
30.232 -include the \isakeyword{monos} declaration in order to illustrate its syntax.}
30.233 -\begin{isabelle}%
30.234 -A\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ B\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ lists\ A\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ lists\ B\rulename{lists{\isaliteral{5F}{\isacharunderscore}}mono}%
30.235 -\end{isabelle}
30.236 -Why must the function be monotone? An inductive definition describes
30.237 -an iterative construction: each element of the set is constructed by a
30.238 -finite number of introduction rule applications. For example, the
30.239 -elements of \isa{even} are constructed by finitely many applications of
30.240 -the rules
30.241 -\begin{isabelle}%
30.242 -{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isasep\isanewline%
30.243 -n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
30.244 -\end{isabelle}
30.245 -All references to a set in its
30.246 -inductive definition must be positive. Applications of an
30.247 -introduction rule cannot invalidate previous applications, allowing the
30.248 -construction process to converge.
30.249 -The following pair of rules do not constitute an inductive definition:
30.250 -\begin{trivlist}
30.251 -\item \isa{{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even}
30.252 -\item \isa{n\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even}
30.253 -\end{trivlist}
30.254 -Showing that 4 is even using these rules requires showing that 3 is not
30.255 -even. It is far from trivial to show that this set of rules
30.256 -characterizes the even numbers.
30.257 -
30.258 -Even with its use of the function \isa{lists}, the premise of our
30.259 -introduction rule is positive:
30.260 -\begin{isabelle}%
30.261 -args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{29}{\isacharparenright}}%
30.262 -\end{isabelle}
30.263 -To apply the rule we construct a list \isa{args} of previously
30.264 -constructed well-formed terms. We obtain a
30.265 -new term, \isa{Apply\ f\ args}. Because \isa{lists} is monotone,
30.266 -applications of the rule remain valid as new terms are constructed.
30.267 -Further lists of well-formed
30.268 -terms become available and none are taken away.%
30.269 -\index{monotone functions!and inductive definitions|)}%
30.270 -\end{isamarkuptext}%
30.271 -\isamarkuptrue%
30.272 -%
30.273 -\isamarkupsubsection{A Proof of Equivalence%
30.274 -}
30.275 -\isamarkuptrue%
30.276 -%
30.277 -\begin{isamarkuptext}%
30.278 -We naturally hope that these two inductive definitions of ``well-formed''
30.279 -coincide. The equality can be proved by separate inclusions in
30.280 -each direction. Each is a trivial rule induction.%
30.281 -\end{isamarkuptext}%
30.282 -\isamarkuptrue%
30.283 -\isacommand{lemma}\isamarkupfalse%
30.284 -\ {\isaliteral{22}{\isachardoublequoteopen}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.285 -%
30.286 -\isadelimproof
30.287 -%
30.288 -\endisadelimproof
30.289 -%
30.290 -\isatagproof
30.291 -\isacommand{apply}\isamarkupfalse%
30.292 -\ clarify\isanewline
30.293 -\isacommand{apply}\isamarkupfalse%
30.294 -\ {\isaliteral{28}{\isacharparenleft}}erule\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
30.295 -\isacommand{apply}\isamarkupfalse%
30.296 -\ auto\isanewline
30.297 -\isacommand{done}\isamarkupfalse%
30.298 -%
30.299 -\endisatagproof
30.300 -{\isafoldproof}%
30.301 -%
30.302 -\isadelimproof
30.303 -%
30.304 -\endisadelimproof
30.305 -%
30.306 -\isadelimproof
30.307 -%
30.308 -\endisadelimproof
30.309 -%
30.310 -\isatagproof
30.311 -%
30.312 -\begin{isamarkuptxt}%
30.313 -The \isa{clarify} method gives
30.314 -us an element of \isa{well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity} on which to perform
30.315 -induction. The resulting subgoal can be proved automatically:
30.316 -\begin{isabelle}%
30.317 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ args\ f{\isaliteral{2E}{\isachardot}}\isanewline
30.318 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\isanewline
30.319 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ \ \ }t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{3B}{\isacharsemicolon}}\isanewline
30.320 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
30.321 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity%
30.322 -\end{isabelle}
30.323 -This proof resembles the one given in
30.324 -{\S}\ref{sec:gterm-datatype} above, especially in the form of the
30.325 -induction hypothesis. Next, we consider the opposite inclusion:%
30.326 -\end{isamarkuptxt}%
30.327 -\isamarkuptrue%
30.328 -%
30.329 -\endisatagproof
30.330 -{\isafoldproof}%
30.331 -%
30.332 -\isadelimproof
30.333 -%
30.334 -\endisadelimproof
30.335 -\isacommand{lemma}\isamarkupfalse%
30.336 -\ {\isaliteral{22}{\isachardoublequoteopen}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.337 -%
30.338 -\isadelimproof
30.339 -%
30.340 -\endisadelimproof
30.341 -%
30.342 -\isatagproof
30.343 -\isacommand{apply}\isamarkupfalse%
30.344 -\ clarify\isanewline
30.345 -\isacommand{apply}\isamarkupfalse%
30.346 -\ {\isaliteral{28}{\isacharparenleft}}erule\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
30.347 -\isacommand{apply}\isamarkupfalse%
30.348 -\ auto\isanewline
30.349 -\isacommand{done}\isamarkupfalse%
30.350 -%
30.351 -\endisatagproof
30.352 -{\isafoldproof}%
30.353 -%
30.354 -\isadelimproof
30.355 -%
30.356 -\endisadelimproof
30.357 -%
30.358 -\isadelimproof
30.359 -%
30.360 -\endisadelimproof
30.361 -%
30.362 -\isatagproof
30.363 -%
30.364 -\begin{isamarkuptxt}%
30.365 -The proof script is virtually identical,
30.366 -but the subgoal after applying induction may be surprising:
30.367 -\begin{isabelle}%
30.368 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ args\ f{\isaliteral{2E}{\isachardot}}\isanewline
30.369 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}args\isanewline
30.370 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}}{\isaliteral{5C3C696E3E}{\isasymin}}\ lists\isanewline
30.371 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C696E3E}{\isasymin}}\ \ }{\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\isanewline
30.372 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C696E3E}{\isasymin}}\ \ {\isaliteral{28}{\isacharparenleft}}}{\isaliteral{7B}{\isacharbraceleft}}a{\isaliteral{2E}{\isachardot}}\ a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
30.373 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
30.374 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity%
30.375 -\end{isabelle}
30.376 -The induction hypothesis contains an application of \isa{lists}. Using a
30.377 -monotone function in the inductive definition always has this effect. The
30.378 -subgoal may look uninviting, but fortunately
30.379 -\isa{lists} distributes over intersection:
30.380 -\begin{isabelle}%
30.381 -lists\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ lists\ A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ lists\ B\rulename{lists{\isaliteral{5F}{\isacharunderscore}}Int{\isaliteral{5F}{\isacharunderscore}}eq}%
30.382 -\end{isabelle}
30.383 -Thanks to this default simplification rule, the induction hypothesis
30.384 -is quickly replaced by its two parts:
30.385 -\begin{trivlist}
30.386 -\item \isa{args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{29}{\isacharparenright}}}
30.387 -\item \isa{args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{29}{\isacharparenright}}}
30.388 -\end{trivlist}
30.389 -Invoking the rule \isa{well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{2E}{\isachardot}}step} completes the proof. The
30.390 -call to \isa{auto} does all this work.
30.391 -
30.392 -This example is typical of how monotone functions
30.393 -\index{monotone functions} can be used. In particular, many of them
30.394 -distribute over intersection. Monotonicity implies one direction of
30.395 -this set equality; we have this theorem:
30.396 -\begin{isabelle}%
30.397 -mono\ f\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ f\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ f\ A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ f\ B\rulename{mono{\isaliteral{5F}{\isacharunderscore}}Int}%
30.398 -\end{isabelle}%
30.399 -\end{isamarkuptxt}%
30.400 -\isamarkuptrue%
30.401 -%
30.402 -\endisatagproof
30.403 -{\isafoldproof}%
30.404 -%
30.405 -\isadelimproof
30.406 -%
30.407 -\endisadelimproof
30.408 -%
30.409 -\isamarkupsubsection{Another Example of Rule Inversion%
30.410 -}
30.411 -\isamarkuptrue%
30.412 -%
30.413 -\begin{isamarkuptext}%
30.414 -\index{rule inversion|(}%
30.415 -Does \isa{gterms} distribute over intersection? We have proved that this
30.416 -function is monotone, so \isa{mono{\isaliteral{5F}{\isacharunderscore}}Int} gives one of the inclusions. The
30.417 -opposite inclusion asserts that if \isa{t} is a ground term over both of the
30.418 -sets
30.419 -\isa{F} and~\isa{G} then it is also a ground term over their intersection,
30.420 -\isa{F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G}.%
30.421 -\end{isamarkuptext}%
30.422 -\isamarkuptrue%
30.423 -\isacommand{lemma}\isamarkupfalse%
30.424 -\ gterms{\isaliteral{5F}{\isacharunderscore}}IntI{\isaliteral{3A}{\isacharcolon}}\isanewline
30.425 -\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F{\isaliteral{5C3C696E7465723E}{\isasyminter}}G{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
30.426 -\isadelimproof
30.427 -%
30.428 -\endisadelimproof
30.429 -%
30.430 -\isatagproof
30.431 -%
30.432 -\endisatagproof
30.433 -{\isafoldproof}%
30.434 -%
30.435 -\isadelimproof
30.436 -%
30.437 -\endisadelimproof
30.438 -%
30.439 -\begin{isamarkuptext}%
30.440 -Attempting this proof, we get the assumption
30.441 -\isa{Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G}, which cannot be broken down.
30.442 -It looks like a job for rule inversion:\cmmdx{inductive\protect\_cases}%
30.443 -\end{isamarkuptext}%
30.444 -\isamarkuptrue%
30.445 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}cases}\isamarkupfalse%
30.446 -\ gterm{\isaliteral{5F}{\isacharunderscore}}Apply{\isaliteral{5F}{\isacharunderscore}}elim\ {\isaliteral{5B}{\isacharbrackleft}}elim{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{22}{\isachardoublequoteclose}}%
30.447 -\begin{isamarkuptext}%
30.448 -Here is the result.
30.449 -\begin{isabelle}%
30.450 -{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{3B}{\isacharsemicolon}}\isanewline
30.451 -\isaindent{\ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{3B}{\isacharsemicolon}}\ f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
30.452 -{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\rulename{gterm{\isaliteral{5F}{\isacharunderscore}}Apply{\isaliteral{5F}{\isacharunderscore}}elim}%
30.453 -\end{isabelle}
30.454 -This rule replaces an assumption about \isa{Apply\ f\ args} by
30.455 -assumptions about \isa{f} and~\isa{args}.
30.456 -No cases are discarded (there was only one to begin
30.457 -with) but the rule applies specifically to the pattern \isa{Apply\ f\ args}.
30.458 -It can be applied repeatedly as an elimination rule without looping, so we
30.459 -have given the \isa{elim{\isaliteral{21}{\isacharbang}}} attribute.
30.460 -
30.461 -Now we can prove the other half of that distributive law.%
30.462 -\end{isamarkuptext}%
30.463 -\isamarkuptrue%
30.464 -\isacommand{lemma}\isamarkupfalse%
30.465 -\ gterms{\isaliteral{5F}{\isacharunderscore}}IntI\ {\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{2C}{\isacharcomma}}\ intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
30.466 -\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F{\isaliteral{5C3C696E7465723E}{\isasyminter}}G{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.467 -%
30.468 -\isadelimproof
30.469 -%
30.470 -\endisadelimproof
30.471 -%
30.472 -\isatagproof
30.473 -\isacommand{apply}\isamarkupfalse%
30.474 -\ {\isaliteral{28}{\isacharparenleft}}erule\ gterms{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
30.475 -\isacommand{apply}\isamarkupfalse%
30.476 -\ blast\isanewline
30.477 -\isacommand{done}\isamarkupfalse%
30.478 -%
30.479 -\endisatagproof
30.480 -{\isafoldproof}%
30.481 -%
30.482 -\isadelimproof
30.483 -%
30.484 -\endisadelimproof
30.485 -%
30.486 -\isadelimproof
30.487 -%
30.488 -\endisadelimproof
30.489 -%
30.490 -\isatagproof
30.491 -%
30.492 -\begin{isamarkuptxt}%
30.493 -The proof begins with rule induction over the definition of
30.494 -\isa{gterms}, which leaves a single subgoal:
30.495 -\begin{isabelle}%
30.496 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}args\ f{\isaliteral{2E}{\isachardot}}\isanewline
30.497 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\isanewline
30.498 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ \ \ }t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
30.499 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
30.500 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
30.501 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}%
30.502 -\end{isabelle}
30.503 -To prove this, we assume \isa{Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G}. Rule inversion,
30.504 -in the form of \isa{gterm{\isaliteral{5F}{\isacharunderscore}}Apply{\isaliteral{5F}{\isacharunderscore}}elim}, infers
30.505 -that every element of \isa{args} belongs to
30.506 -\isa{gterms\ G}; hence (by the induction hypothesis) it belongs
30.507 -to \isa{gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}}. Rule inversion also yields
30.508 -\isa{f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ G} and hence \isa{f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G}.
30.509 -All of this reasoning is done by \isa{blast}.
30.510 -
30.511 -\smallskip
30.512 -Our distributive law is a trivial consequence of previously-proved results:%
30.513 -\end{isamarkuptxt}%
30.514 -\isamarkuptrue%
30.515 -%
30.516 -\endisatagproof
30.517 -{\isafoldproof}%
30.518 -%
30.519 -\isadelimproof
30.520 -%
30.521 -\endisadelimproof
30.522 -\isacommand{lemma}\isamarkupfalse%
30.523 -\ gterms{\isaliteral{5F}{\isacharunderscore}}Int{\isaliteral{5F}{\isacharunderscore}}eq\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
30.524 -\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ gterms\ F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ gterms\ G{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.525 -%
30.526 -\isadelimproof
30.527 -%
30.528 -\endisadelimproof
30.529 -%
30.530 -\isatagproof
30.531 -\isacommand{by}\isamarkupfalse%
30.532 -\ {\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{21}{\isacharbang}}{\isaliteral{3A}{\isacharcolon}}\ mono{\isaliteral{5F}{\isacharunderscore}}Int\ monoI\ gterms{\isaliteral{5F}{\isacharunderscore}}mono{\isaliteral{29}{\isacharparenright}}%
30.533 -\endisatagproof
30.534 -{\isafoldproof}%
30.535 -%
30.536 -\isadelimproof
30.537 -%
30.538 -\endisadelimproof
30.539 -%
30.540 -\index{rule inversion|)}%
30.541 -\index{ground terms example|)}
30.542 -
30.543 -
30.544 -\begin{isamarkuptext}
30.545 -\begin{exercise}
30.546 -A function mapping function symbols to their
30.547 -types is called a \textbf{signature}. Given a type
30.548 -ranging over type symbols, we can represent a function's type by a
30.549 -list of argument types paired with the result type.
30.550 -Complete this inductive definition:
30.551 -\begin{isabelle}
30.552 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
30.553 -\isanewline
30.554 -\ \ well{\isaliteral{5F}{\isacharunderscore}}typed{\isaliteral{5F}{\isacharunderscore}}gterm\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}t\ list\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ gterm\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}t{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
30.555 -\ \ \isakeyword{for}\ sig\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}t\ list\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}t{\isaliteral{22}{\isachardoublequoteclose}}%
30.556 -\end{isabelle}
30.557 -\end{exercise}
30.558 -\end{isamarkuptext}
30.559 -%
30.560 -\isadelimproof
30.561 -%
30.562 -\endisadelimproof
30.563 -%
30.564 -\isatagproof
30.565 -%
30.566 -\endisatagproof
30.567 -{\isafoldproof}%
30.568 -%
30.569 -\isadelimproof
30.570 -%
30.571 -\endisadelimproof
30.572 -%
30.573 -\isadelimproof
30.574 -%
30.575 -\endisadelimproof
30.576 -%
30.577 -\isatagproof
30.578 -%
30.579 -\endisatagproof
30.580 -{\isafoldproof}%
30.581 -%
30.582 -\isadelimproof
30.583 -%
30.584 -\endisadelimproof
30.585 -%
30.586 -\isadelimtheory
30.587 -%
30.588 -\endisadelimtheory
30.589 -%
30.590 -\isatagtheory
30.591 -%
30.592 -\endisatagtheory
30.593 -{\isafoldtheory}%
30.594 -%
30.595 -\isadelimtheory
30.596 -%
30.597 -\endisadelimtheory
30.598 -\end{isabellebody}%
30.599 -%%% Local Variables:
30.600 -%%% mode: latex
30.601 -%%% TeX-master: "root"
30.602 -%%% End:
31.1 --- a/doc-src/TutorialI/Inductive/document/Even.tex Thu Jul 26 16:08:16 2012 +0200
31.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
31.3 @@ -1,543 +0,0 @@
31.4 -%
31.5 -\begin{isabellebody}%
31.6 -\def\isabellecontext{Even}%
31.7 -%
31.8 -\isadelimtheory
31.9 -%
31.10 -\endisadelimtheory
31.11 -%
31.12 -\isatagtheory
31.13 -%
31.14 -\endisatagtheory
31.15 -{\isafoldtheory}%
31.16 -%
31.17 -\isadelimtheory
31.18 -%
31.19 -\endisadelimtheory
31.20 -%
31.21 -\isadelimML
31.22 -%
31.23 -\endisadelimML
31.24 -%
31.25 -\isatagML
31.26 -%
31.27 -\endisatagML
31.28 -{\isafoldML}%
31.29 -%
31.30 -\isadelimML
31.31 -%
31.32 -\endisadelimML
31.33 -%
31.34 -\isamarkupsection{The Set of Even Numbers%
31.35 -}
31.36 -\isamarkuptrue%
31.37 -%
31.38 -\begin{isamarkuptext}%
31.39 -\index{even numbers!defining inductively|(}%
31.40 -The set of even numbers can be inductively defined as the least set
31.41 -containing 0 and closed under the operation $+2$. Obviously,
31.42 -\emph{even} can also be expressed using the divides relation (\isa{dvd}).
31.43 -We shall prove below that the two formulations coincide. On the way we
31.44 -shall examine the primary means of reasoning about inductively defined
31.45 -sets: rule induction.%
31.46 -\end{isamarkuptext}%
31.47 -\isamarkuptrue%
31.48 -%
31.49 -\isamarkupsubsection{Making an Inductive Definition%
31.50 -}
31.51 -\isamarkuptrue%
31.52 -%
31.53 -\begin{isamarkuptext}%
31.54 -Using \commdx{inductive\protect\_set}, we declare the constant \isa{even} to be
31.55 -a set of natural numbers with the desired properties.%
31.56 -\end{isamarkuptext}%
31.57 -\isamarkuptrue%
31.58 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
31.59 -\ even\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
31.60 -zero{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
31.61 -step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}%
31.62 -\begin{isamarkuptext}%
31.63 -An inductive definition consists of introduction rules. The first one
31.64 -above states that 0 is even; the second states that if $n$ is even, then so
31.65 -is~$n+2$. Given this declaration, Isabelle generates a fixed point
31.66 -definition for \isa{even} and proves theorems about it,
31.67 -thus following the definitional approach (see {\S}\ref{sec:definitional}).
31.68 -These theorems
31.69 -include the introduction rules specified in the declaration, an elimination
31.70 -rule for case analysis and an induction rule. We can refer to these
31.71 -theorems by automatically-generated names. Here are two examples:
31.72 -\begin{isabelle}%
31.73 -{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\rulename{even{\isaliteral{2E}{\isachardot}}zero}\par\smallskip%
31.74 -n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\rulename{even{\isaliteral{2E}{\isachardot}}step}%
31.75 -\end{isabelle}
31.76 -
31.77 -The introduction rules can be given attributes. Here
31.78 -both rules are specified as \isa{intro!},%
31.79 -\index{intro"!@\isa {intro"!} (attribute)}
31.80 -directing the classical reasoner to
31.81 -apply them aggressively. Obviously, regarding 0 as even is safe. The
31.82 -\isa{step} rule is also safe because $n+2$ is even if and only if $n$ is
31.83 -even. We prove this equivalence later.%
31.84 -\end{isamarkuptext}%
31.85 -\isamarkuptrue%
31.86 -%
31.87 -\isamarkupsubsection{Using Introduction Rules%
31.88 -}
31.89 -\isamarkuptrue%
31.90 -%
31.91 -\begin{isamarkuptext}%
31.92 -Our first lemma states that numbers of the form $2\times k$ are even.
31.93 -Introduction rules are used to show that specific values belong to the
31.94 -inductive set. Such proofs typically involve
31.95 -induction, perhaps over some other inductive set.%
31.96 -\end{isamarkuptext}%
31.97 -\isamarkuptrue%
31.98 -\isacommand{lemma}\isamarkupfalse%
31.99 -\ two{\isaliteral{5F}{\isacharunderscore}}times{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}{\isaliteral{2A}{\isacharasterisk}}k\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
31.100 -%
31.101 -\isadelimproof
31.102 -%
31.103 -\endisadelimproof
31.104 -%
31.105 -\isatagproof
31.106 -\isacommand{apply}\isamarkupfalse%
31.107 -\ {\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ k{\isaliteral{29}{\isacharparenright}}\isanewline
31.108 -\ \isacommand{apply}\isamarkupfalse%
31.109 -\ auto\isanewline
31.110 -\isacommand{done}\isamarkupfalse%
31.111 -%
31.112 -\endisatagproof
31.113 -{\isafoldproof}%
31.114 -%
31.115 -\isadelimproof
31.116 -%
31.117 -\endisadelimproof
31.118 -%
31.119 -\isadelimproof
31.120 -%
31.121 -\endisadelimproof
31.122 -%
31.123 -\isatagproof
31.124 -%
31.125 -\begin{isamarkuptxt}%
31.126 -\noindent
31.127 -The first step is induction on the natural number \isa{k}, which leaves
31.128 -two subgoals:
31.129 -\begin{isabelle}%
31.130 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isanewline
31.131 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
31.132 -\end{isabelle}
31.133 -Here \isa{auto} simplifies both subgoals so that they match the introduction
31.134 -rules, which are then applied automatically.
31.135 -
31.136 -Our ultimate goal is to prove the equivalence between the traditional
31.137 -definition of \isa{even} (using the divides relation) and our inductive
31.138 -definition. One direction of this equivalence is immediate by the lemma
31.139 -just proved, whose \isa{intro{\isaliteral{21}{\isacharbang}}} attribute ensures it is applied automatically.%
31.140 -\end{isamarkuptxt}%
31.141 -\isamarkuptrue%
31.142 -%
31.143 -\endisatagproof
31.144 -{\isafoldproof}%
31.145 -%
31.146 -\isadelimproof
31.147 -%
31.148 -\endisadelimproof
31.149 -\isacommand{lemma}\isamarkupfalse%
31.150 -\ dvd{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}\ dvd\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
31.151 -%
31.152 -\isadelimproof
31.153 -%
31.154 -\endisadelimproof
31.155 -%
31.156 -\isatagproof
31.157 -\isacommand{by}\isamarkupfalse%
31.158 -\ {\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ dvd{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
31.159 -\endisatagproof
31.160 -{\isafoldproof}%
31.161 -%
31.162 -\isadelimproof
31.163 -%
31.164 -\endisadelimproof
31.165 -%
31.166 -\isamarkupsubsection{Rule Induction \label{sec:rule-induction}%
31.167 -}
31.168 -\isamarkuptrue%
31.169 -%
31.170 -\begin{isamarkuptext}%
31.171 -\index{rule induction|(}%
31.172 -From the definition of the set
31.173 -\isa{even}, Isabelle has
31.174 -generated an induction rule:
31.175 -\begin{isabelle}%
31.176 -{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ P\ {\isadigit{0}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
31.177 -\isaindent{\ }{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ P\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
31.178 -{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x\rulename{even{\isaliteral{2E}{\isachardot}}induct}%
31.179 -\end{isabelle}
31.180 -A property \isa{P} holds for every even number provided it
31.181 -holds for~\isa{{\isadigit{0}}} and is closed under the operation
31.182 -\isa{Suc(Suc \(\cdot\))}. Then \isa{P} is closed under the introduction
31.183 -rules for \isa{even}, which is the least set closed under those rules.
31.184 -This type of inductive argument is called \textbf{rule induction}.
31.185 -
31.186 -Apart from the double application of \isa{Suc}, the induction rule above
31.187 -resembles the familiar mathematical induction, which indeed is an instance
31.188 -of rule induction; the natural numbers can be defined inductively to be
31.189 -the least set containing \isa{{\isadigit{0}}} and closed under~\isa{Suc}.
31.190 -
31.191 -Induction is the usual way of proving a property of the elements of an
31.192 -inductively defined set. Let us prove that all members of the set
31.193 -\isa{even} are multiples of two.%
31.194 -\end{isamarkuptext}%
31.195 -\isamarkuptrue%
31.196 -\isacommand{lemma}\isamarkupfalse%
31.197 -\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}dvd{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ n{\isaliteral{22}{\isachardoublequoteclose}}%
31.198 -\isadelimproof
31.199 -%
31.200 -\endisadelimproof
31.201 -%
31.202 -\isatagproof
31.203 -%
31.204 -\begin{isamarkuptxt}%
31.205 -We begin by applying induction. Note that \isa{even{\isaliteral{2E}{\isachardot}}induct} has the form
31.206 -of an elimination rule, so we use the method \isa{erule}. We get two
31.207 -subgoals:%
31.208 -\end{isamarkuptxt}%
31.209 -\isamarkuptrue%
31.210 -\isacommand{apply}\isamarkupfalse%
31.211 -\ {\isaliteral{28}{\isacharparenleft}}erule\ even{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
31.212 -\begin{isamarkuptxt}%
31.213 -\begin{isabelle}%
31.214 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ dvd\ {\isadigit{0}}\isanewline
31.215 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ {\isadigit{2}}\ dvd\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
31.216 -\end{isabelle}
31.217 -We unfold the definition of \isa{dvd} in both subgoals, proving the first
31.218 -one and simplifying the second:%
31.219 -\end{isamarkuptxt}%
31.220 -\isamarkuptrue%
31.221 -\isacommand{apply}\isamarkupfalse%
31.222 -\ {\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{5F}{\isacharunderscore}}all\ add{\isaliteral{3A}{\isacharcolon}}\ dvd{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
31.223 -\begin{isamarkuptxt}%
31.224 -\begin{isabelle}%
31.225 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}k{\isaliteral{2E}{\isachardot}}\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}k{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k%
31.226 -\end{isabelle}
31.227 -The next command eliminates the existential quantifier from the assumption
31.228 -and replaces \isa{n} by \isa{{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k}.%
31.229 -\end{isamarkuptxt}%
31.230 -\isamarkuptrue%
31.231 -\isacommand{apply}\isamarkupfalse%
31.232 -\ clarify%
31.233 -\begin{isamarkuptxt}%
31.234 -\begin{isabelle}%
31.235 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n\ k{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}ka{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ ka%
31.236 -\end{isabelle}
31.237 -To conclude, we tell Isabelle that the desired value is
31.238 -\isa{Suc\ k}. With this hint, the subgoal falls to \isa{simp}.%
31.239 -\end{isamarkuptxt}%
31.240 -\isamarkuptrue%
31.241 -\isacommand{apply}\isamarkupfalse%
31.242 -\ {\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ k{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ exI{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{29}{\isacharparenright}}%
31.243 -\endisatagproof
31.244 -{\isafoldproof}%
31.245 -%
31.246 -\isadelimproof
31.247 -%
31.248 -\endisadelimproof
31.249 -%
31.250 -\begin{isamarkuptext}%
31.251 -Combining the previous two results yields our objective, the
31.252 -equivalence relating \isa{even} and \isa{dvd}.
31.253 -%
31.254 -%we don't want [iff]: discuss?%
31.255 -\end{isamarkuptext}%
31.256 -\isamarkuptrue%
31.257 -\isacommand{theorem}\isamarkupfalse%
31.258 -\ even{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}dvd{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}\ dvd\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
31.259 -%
31.260 -\isadelimproof
31.261 -%
31.262 -\endisadelimproof
31.263 -%
31.264 -\isatagproof
31.265 -\isacommand{by}\isamarkupfalse%
31.266 -\ {\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ dvd{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}dvd{\isaliteral{29}{\isacharparenright}}%
31.267 -\endisatagproof
31.268 -{\isafoldproof}%
31.269 -%
31.270 -\isadelimproof
31.271 -%
31.272 -\endisadelimproof
31.273 -%
31.274 -\isamarkupsubsection{Generalization and Rule Induction \label{sec:gen-rule-induction}%
31.275 -}
31.276 -\isamarkuptrue%
31.277 -%
31.278 -\begin{isamarkuptext}%
31.279 -\index{generalizing for induction}%
31.280 -Before applying induction, we typically must generalize
31.281 -the induction formula. With rule induction, the required generalization
31.282 -can be hard to find and sometimes requires a complete reformulation of the
31.283 -problem. In this example, our first attempt uses the obvious statement of
31.284 -the result. It fails:%
31.285 -\end{isamarkuptext}%
31.286 -\isamarkuptrue%
31.287 -\isacommand{lemma}\isamarkupfalse%
31.288 -\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
31.289 -%
31.290 -\isadelimproof
31.291 -%
31.292 -\endisadelimproof
31.293 -%
31.294 -\isatagproof
31.295 -\isacommand{apply}\isamarkupfalse%
31.296 -\ {\isaliteral{28}{\isacharparenleft}}erule\ even{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
31.297 -\isacommand{oops}\isamarkupfalse%
31.298 -%
31.299 -\endisatagproof
31.300 -{\isafoldproof}%
31.301 -%
31.302 -\isadelimproof
31.303 -%
31.304 -\endisadelimproof
31.305 -%
31.306 -\isadelimproof
31.307 -%
31.308 -\endisadelimproof
31.309 -%
31.310 -\isatagproof
31.311 -%
31.312 -\begin{isamarkuptxt}%
31.313 -Rule induction finds no occurrences of \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}} in the
31.314 -conclusion, which it therefore leaves unchanged. (Look at
31.315 -\isa{even{\isaliteral{2E}{\isachardot}}induct} to see why this happens.) We have these subgoals:
31.316 -\begin{isabelle}%
31.317 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isanewline
31.318 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}na{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}na\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
31.319 -\end{isabelle}
31.320 -The first one is hopeless. Rule induction on
31.321 -a non-variable term discards information, and usually fails.
31.322 -How to deal with such situations
31.323 -in general is described in {\S}\ref{sec:ind-var-in-prems} below.
31.324 -In the current case the solution is easy because
31.325 -we have the necessary inverse, subtraction:%
31.326 -\end{isamarkuptxt}%
31.327 -\isamarkuptrue%
31.328 -%
31.329 -\endisatagproof
31.330 -{\isafoldproof}%
31.331 -%
31.332 -\isadelimproof
31.333 -%
31.334 -\endisadelimproof
31.335 -\isacommand{lemma}\isamarkupfalse%
31.336 -\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}minus{\isaliteral{5F}{\isacharunderscore}}{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
31.337 -%
31.338 -\isadelimproof
31.339 -%
31.340 -\endisadelimproof
31.341 -%
31.342 -\isatagproof
31.343 -\isacommand{apply}\isamarkupfalse%
31.344 -\ {\isaliteral{28}{\isacharparenleft}}erule\ even{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
31.345 -\ \isacommand{apply}\isamarkupfalse%
31.346 -\ auto\isanewline
31.347 -\isacommand{done}\isamarkupfalse%
31.348 -%
31.349 -\endisatagproof
31.350 -{\isafoldproof}%
31.351 -%
31.352 -\isadelimproof
31.353 -%
31.354 -\endisadelimproof
31.355 -%
31.356 -\isadelimproof
31.357 -%
31.358 -\endisadelimproof
31.359 -%
31.360 -\isatagproof
31.361 -%
31.362 -\begin{isamarkuptxt}%
31.363 -This lemma is trivially inductive. Here are the subgoals:
31.364 -\begin{isabelle}%
31.365 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{0}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isanewline
31.366 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
31.367 -\end{isabelle}
31.368 -The first is trivial because \isa{{\isadigit{0}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}} simplifies to \isa{{\isadigit{0}}}, which is
31.369 -even. The second is trivial too: \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}} simplifies to
31.370 -\isa{n}, matching the assumption.%
31.371 -\index{rule induction|)} %the sequel isn't really about induction
31.372 -
31.373 -\medskip
31.374 -Using our lemma, we can easily prove the result we originally wanted:%
31.375 -\end{isamarkuptxt}%
31.376 -\isamarkuptrue%
31.377 -%
31.378 -\endisatagproof
31.379 -{\isafoldproof}%
31.380 -%
31.381 -\isadelimproof
31.382 -%
31.383 -\endisadelimproof
31.384 -\isacommand{lemma}\isamarkupfalse%
31.385 -\ Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
31.386 -%
31.387 -\isadelimproof
31.388 -%
31.389 -\endisadelimproof
31.390 -%
31.391 -\isatagproof
31.392 -\isacommand{by}\isamarkupfalse%
31.393 -\ {\isaliteral{28}{\isacharparenleft}}drule\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}minus{\isaliteral{5F}{\isacharunderscore}}{\isadigit{2}}{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{29}{\isacharparenright}}%
31.394 -\endisatagproof
31.395 -{\isafoldproof}%
31.396 -%
31.397 -\isadelimproof
31.398 -%
31.399 -\endisadelimproof
31.400 -%
31.401 -\begin{isamarkuptext}%
31.402 -We have just proved the converse of the introduction rule \isa{even{\isaliteral{2E}{\isachardot}}step}.
31.403 -This suggests proving the following equivalence. We give it the
31.404 -\attrdx{iff} attribute because of its obvious value for simplification.%
31.405 -\end{isamarkuptext}%
31.406 -\isamarkuptrue%
31.407 -\isacommand{lemma}\isamarkupfalse%
31.408 -\ {\isaliteral{5B}{\isacharbrackleft}}iff{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
31.409 -%
31.410 -\isadelimproof
31.411 -%
31.412 -\endisadelimproof
31.413 -%
31.414 -\isatagproof
31.415 -\isacommand{by}\isamarkupfalse%
31.416 -\ {\isaliteral{28}{\isacharparenleft}}blast\ dest{\isaliteral{3A}{\isacharcolon}}\ Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{29}{\isacharparenright}}%
31.417 -\endisatagproof
31.418 -{\isafoldproof}%
31.419 -%
31.420 -\isadelimproof
31.421 -%
31.422 -\endisadelimproof
31.423 -%
31.424 -\isamarkupsubsection{Rule Inversion \label{sec:rule-inversion}%
31.425 -}
31.426 -\isamarkuptrue%
31.427 -%
31.428 -\begin{isamarkuptext}%
31.429 -\index{rule inversion|(}%
31.430 -Case analysis on an inductive definition is called \textbf{rule
31.431 -inversion}. It is frequently used in proofs about operational
31.432 -semantics. It can be highly effective when it is applied
31.433 -automatically. Let us look at how rule inversion is done in
31.434 -Isabelle/HOL\@.
31.435 -
31.436 -Recall that \isa{even} is the minimal set closed under these two rules:
31.437 -\begin{isabelle}%
31.438 -{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isasep\isanewline%
31.439 -n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
31.440 -\end{isabelle}
31.441 -Minimality means that \isa{even} contains only the elements that these
31.442 -rules force it to contain. If we are told that \isa{a}
31.443 -belongs to
31.444 -\isa{even} then there are only two possibilities. Either \isa{a} is \isa{{\isadigit{0}}}
31.445 -or else \isa{a} has the form \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}}, for some suitable \isa{n}
31.446 -that belongs to
31.447 -\isa{even}. That is the gist of the \isa{cases} rule, which Isabelle proves
31.448 -for us when it accepts an inductive definition:
31.449 -\begin{isabelle}%
31.450 -{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ a\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{3B}{\isacharsemicolon}}\isanewline
31.451 -\isaindent{\ }{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}a\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
31.452 -{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\rulename{even{\isaliteral{2E}{\isachardot}}cases}%
31.453 -\end{isabelle}
31.454 -This general rule is less useful than instances of it for
31.455 -specific patterns. For example, if \isa{a} has the form
31.456 -\isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}} then the first case becomes irrelevant, while the second
31.457 -case tells us that \isa{n} belongs to \isa{even}. Isabelle will generate
31.458 -this instance for us:%
31.459 -\end{isamarkuptext}%
31.460 -\isamarkuptrue%
31.461 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}cases}\isamarkupfalse%
31.462 -\ Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}cases\ {\isaliteral{5B}{\isacharbrackleft}}elim{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}%
31.463 -\begin{isamarkuptext}%
31.464 -The \commdx{inductive\protect\_cases} command generates an instance of
31.465 -the \isa{cases} rule for the supplied pattern and gives it the supplied name:
31.466 -\begin{isabelle}%
31.467 -{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\rulename{Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}cases}%
31.468 -\end{isabelle}
31.469 -Applying this as an elimination rule yields one case where \isa{even{\isaliteral{2E}{\isachardot}}cases}
31.470 -would yield two. Rule inversion works well when the conclusions of the
31.471 -introduction rules involve datatype constructors like \isa{Suc} and \isa{{\isaliteral{23}{\isacharhash}}}
31.472 -(list ``cons''); freeness reasoning discards all but one or two cases.
31.473 -
31.474 -In the \isacommand{inductive\_cases} command we supplied an
31.475 -attribute, \isa{elim{\isaliteral{21}{\isacharbang}}},
31.476 -\index{elim"!@\isa {elim"!} (attribute)}%
31.477 -indicating that this elimination rule can be
31.478 -applied aggressively. The original
31.479 -\isa{cases} rule would loop if used in that manner because the
31.480 -pattern~\isa{a} matches everything.
31.481 -
31.482 -The rule \isa{Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}cases} is equivalent to the following implication:
31.483 -\begin{isabelle}%
31.484 -Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
31.485 -\end{isabelle}
31.486 -Just above we devoted some effort to reaching precisely
31.487 -this result. Yet we could have obtained it by a one-line declaration,
31.488 -dispensing with the lemma \isa{even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}minus{\isaliteral{5F}{\isacharunderscore}}{\isadigit{2}}}.
31.489 -This example also justifies the terminology
31.490 -\textbf{rule inversion}: the new rule inverts the introduction rule
31.491 -\isa{even{\isaliteral{2E}{\isachardot}}step}. In general, a rule can be inverted when the set of elements
31.492 -it introduces is disjoint from those of the other introduction rules.
31.493 -
31.494 -For one-off applications of rule inversion, use the \methdx{ind_cases} method.
31.495 -Here is an example:%
31.496 -\end{isamarkuptext}%
31.497 -\isamarkuptrue%
31.498 -%
31.499 -\isadelimproof
31.500 -%
31.501 -\endisadelimproof
31.502 -%
31.503 -\isatagproof
31.504 -\isacommand{apply}\isamarkupfalse%
31.505 -\ {\isaliteral{28}{\isacharparenleft}}ind{\isaliteral{5F}{\isacharunderscore}}cases\ {\isaliteral{22}{\isachardoublequoteopen}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}%
31.506 -\endisatagproof
31.507 -{\isafoldproof}%
31.508 -%
31.509 -\isadelimproof
31.510 -%
31.511 -\endisadelimproof
31.512 -%
31.513 -\begin{isamarkuptext}%
31.514 -The specified instance of the \isa{cases} rule is generated, then applied
31.515 -as an elimination rule.
31.516 -
31.517 -To summarize, every inductive definition produces a \isa{cases} rule. The
31.518 -\commdx{inductive\protect\_cases} command stores an instance of the
31.519 -\isa{cases} rule for a given pattern. Within a proof, the
31.520 -\isa{ind{\isaliteral{5F}{\isacharunderscore}}cases} method applies an instance of the \isa{cases}
31.521 -rule.
31.522 -
31.523 -The even numbers example has shown how inductive definitions can be
31.524 -used. Later examples will show that they are actually worth using.%
31.525 -\index{rule inversion|)}%
31.526 -\index{even numbers!defining inductively|)}%
31.527 -\end{isamarkuptext}%
31.528 -\isamarkuptrue%
31.529 -%
31.530 -\isadelimtheory
31.531 -%
31.532 -\endisadelimtheory
31.533 -%
31.534 -\isatagtheory
31.535 -%
31.536 -\endisatagtheory
31.537 -{\isafoldtheory}%
31.538 -%
31.539 -\isadelimtheory
31.540 -%
31.541 -\endisadelimtheory
31.542 -\end{isabellebody}%
31.543 -%%% Local Variables:
31.544 -%%% mode: latex
31.545 -%%% TeX-master: "root"
31.546 -%%% End:
32.1 --- a/doc-src/TutorialI/Inductive/document/Mutual.tex Thu Jul 26 16:08:16 2012 +0200
32.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
32.3 @@ -1,131 +0,0 @@
32.4 -%
32.5 -\begin{isabellebody}%
32.6 -\def\isabellecontext{Mutual}%
32.7 -%
32.8 -\isadelimtheory
32.9 -%
32.10 -\endisadelimtheory
32.11 -%
32.12 -\isatagtheory
32.13 -%
32.14 -\endisatagtheory
32.15 -{\isafoldtheory}%
32.16 -%
32.17 -\isadelimtheory
32.18 -%
32.19 -\endisadelimtheory
32.20 -%
32.21 -\isamarkupsubsection{Mutually Inductive Definitions%
32.22 -}
32.23 -\isamarkuptrue%
32.24 -%
32.25 -\begin{isamarkuptext}%
32.26 -Just as there are datatypes defined by mutual recursion, there are sets defined
32.27 -by mutual induction. As a trivial example we consider the even and odd
32.28 -natural numbers:%
32.29 -\end{isamarkuptext}%
32.30 -\isamarkuptrue%
32.31 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
32.32 -\isanewline
32.33 -\ \ Even\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
32.34 -\ \ Odd\ \ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
32.35 -\isakeyword{where}\isanewline
32.36 -\ \ zero{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
32.37 -{\isaliteral{7C}{\isacharbar}}\ EvenI{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
32.38 -{\isaliteral{7C}{\isacharbar}}\ OddI{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd{\isaliteral{22}{\isachardoublequoteclose}}%
32.39 -\begin{isamarkuptext}%
32.40 -\noindent
32.41 -The mutually inductive definition of multiple sets is no different from
32.42 -that of a single set, except for induction: just as for mutually recursive
32.43 -datatypes, induction needs to involve all the simultaneously defined sets. In
32.44 -the above case, the induction rule is called \isa{Even{\isaliteral{5F}{\isacharunderscore}}Odd{\isaliteral{2E}{\isachardot}}induct}
32.45 -(simply concatenate the names of the sets involved) and has the conclusion
32.46 -\begin{isabelle}%
32.47 -\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{3F}{\isacharquery}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q\ {\isaliteral{3F}{\isacharquery}}y{\isaliteral{29}{\isacharparenright}}%
32.48 -\end{isabelle}
32.49 -
32.50 -If we want to prove that all even numbers are divisible by two, we have to
32.51 -generalize the statement as follows:%
32.52 -\end{isamarkuptext}%
32.53 -\isamarkuptrue%
32.54 -\isacommand{lemma}\isamarkupfalse%
32.55 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isadigit{2}}\ dvd\ m{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isadigit{2}}\ dvd\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
32.56 -\isadelimproof
32.57 -%
32.58 -\endisadelimproof
32.59 -%
32.60 -\isatagproof
32.61 -%
32.62 -\begin{isamarkuptxt}%
32.63 -\noindent
32.64 -The proof is by rule induction. Because of the form of the induction theorem,
32.65 -it is applied by \isa{rule} rather than \isa{erule} as for ordinary
32.66 -inductive definitions:%
32.67 -\end{isamarkuptxt}%
32.68 -\isamarkuptrue%
32.69 -\isacommand{apply}\isamarkupfalse%
32.70 -{\isaliteral{28}{\isacharparenleft}}rule\ Even{\isaliteral{5F}{\isacharunderscore}}Odd{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
32.71 -\begin{isamarkuptxt}%
32.72 -\begin{isabelle}%
32.73 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ dvd\ {\isadigit{0}}\isanewline
32.74 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd{\isaliteral{3B}{\isacharsemicolon}}\ {\isadigit{2}}\ dvd\ Suc\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ Suc\ n\isanewline
32.75 -\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even{\isaliteral{3B}{\isacharsemicolon}}\ {\isadigit{2}}\ dvd\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
32.76 -\end{isabelle}
32.77 -The first two subgoals are proved by simplification and the final one can be
32.78 -proved in the same manner as in \S\ref{sec:rule-induction}
32.79 -where the same subgoal was encountered before.
32.80 -We do not show the proof script.%
32.81 -\end{isamarkuptxt}%
32.82 -\isamarkuptrue%
32.83 -%
32.84 -\endisatagproof
32.85 -{\isafoldproof}%
32.86 -%
32.87 -\isadelimproof
32.88 -%
32.89 -\endisadelimproof
32.90 -%
32.91 -\isamarkupsubsection{Inductively Defined Predicates\label{sec:ind-predicates}%
32.92 -}
32.93 -\isamarkuptrue%
32.94 -%
32.95 -\begin{isamarkuptext}%
32.96 -\index{inductive predicates|(}
32.97 -Instead of a set of even numbers one can also define a predicate on \isa{nat}:%
32.98 -\end{isamarkuptext}%
32.99 -\isamarkuptrue%
32.100 -\isacommand{inductive}\isamarkupfalse%
32.101 -\ evn\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
32.102 -zero{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}evn\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
32.103 -step{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}evn\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ evn{\isaliteral{28}{\isacharparenleft}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
32.104 -\begin{isamarkuptext}%
32.105 -\noindent Everything works as before, except that
32.106 -you write \commdx{inductive} instead of \isacommand{inductive\_set} and
32.107 -\isa{evn\ n} instead of \isa{n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even}.
32.108 -When defining an n-ary relation as a predicate, it is recommended to curry
32.109 -the predicate: its type should be \mbox{\isa{{\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub n\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}}
32.110 -rather than
32.111 -\isa{{\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub n\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}. The curried version facilitates inductions.
32.112 -
32.113 -When should you choose sets and when predicates? If you intend to combine your notion with set theoretic notation, define it as an inductive set. If not, define it as an inductive predicate, thus avoiding the \isa{{\isaliteral{5C3C696E3E}{\isasymin}}} notation. But note that predicates of more than one argument cannot be combined with the usual set theoretic operators: \isa{P\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ Q} is not well-typed if \isa{P{\isaliteral{2C}{\isacharcomma}}\ Q\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}, you have to write \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x\ y{\isaliteral{2E}{\isachardot}}\ P\ x\ y\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ x\ y} instead.
32.114 -\index{inductive predicates|)}%
32.115 -\end{isamarkuptext}%
32.116 -\isamarkuptrue%
32.117 -%
32.118 -\isadelimtheory
32.119 -%
32.120 -\endisadelimtheory
32.121 -%
32.122 -\isatagtheory
32.123 -%
32.124 -\endisatagtheory
32.125 -{\isafoldtheory}%
32.126 -%
32.127 -\isadelimtheory
32.128 -%
32.129 -\endisadelimtheory
32.130 -\end{isabellebody}%
32.131 -%%% Local Variables:
32.132 -%%% mode: latex
32.133 -%%% TeX-master: "root"
32.134 -%%% End:
33.1 --- a/doc-src/TutorialI/Inductive/document/Star.tex Thu Jul 26 16:08:16 2012 +0200
33.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
33.3 @@ -1,315 +0,0 @@
33.4 -%
33.5 -\begin{isabellebody}%
33.6 -\def\isabellecontext{Star}%
33.7 -%
33.8 -\isadelimtheory
33.9 -%
33.10 -\endisadelimtheory
33.11 -%
33.12 -\isatagtheory
33.13 -%
33.14 -\endisatagtheory
33.15 -{\isafoldtheory}%
33.16 -%
33.17 -\isadelimtheory
33.18 -%
33.19 -\endisadelimtheory
33.20 -%
33.21 -\isamarkupsection{The Reflexive Transitive Closure%
33.22 -}
33.23 -\isamarkuptrue%
33.24 -%
33.25 -\begin{isamarkuptext}%
33.26 -\label{sec:rtc}
33.27 -\index{reflexive transitive closure!defining inductively|(}%
33.28 -An inductive definition may accept parameters, so it can express
33.29 -functions that yield sets.
33.30 -Relations too can be defined inductively, since they are just sets of pairs.
33.31 -A perfect example is the function that maps a relation to its
33.32 -reflexive transitive closure. This concept was already
33.33 -introduced in \S\ref{sec:Relations}, where the operator \isa{\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}} was
33.34 -defined as a least fixed point because inductive definitions were not yet
33.35 -available. But now they are:%
33.36 -\end{isamarkuptext}%
33.37 -\isamarkuptrue%
33.38 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
33.39 -\isanewline
33.40 -\ \ rtc\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5F}{\isacharunderscore}}{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isadigit{1}}{\isadigit{0}}{\isadigit{0}}{\isadigit{0}}{\isaliteral{5D}{\isacharbrackright}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}{\isaliteral{29}{\isacharparenright}}\isanewline
33.41 -\ \ \isakeyword{for}\ r\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
33.42 -\isakeyword{where}\isanewline
33.43 -\ \ rtc{\isaliteral{5F}{\isacharunderscore}}refl{\isaliteral{5B}{\isacharbrackleft}}iff{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
33.44 -{\isaliteral{7C}{\isacharbar}}\ rtc{\isaliteral{5F}{\isacharunderscore}}step{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}%
33.45 -\begin{isamarkuptext}%
33.46 -\noindent
33.47 -The function \isa{rtc} is annotated with concrete syntax: instead of
33.48 -\isa{rtc\ r} we can write \isa{r{\isaliteral{2A}{\isacharasterisk}}}. The actual definition
33.49 -consists of two rules. Reflexivity is obvious and is immediately given the
33.50 -\isa{iff} attribute to increase automation. The
33.51 -second rule, \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step}, says that we can always add one more
33.52 -\isa{r}-step to the left. Although we could make \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} an
33.53 -introduction rule, this is dangerous: the recursion in the second premise
33.54 -slows down and may even kill the automatic tactics.
33.55 -
33.56 -The above definition of the concept of reflexive transitive closure may
33.57 -be sufficiently intuitive but it is certainly not the only possible one:
33.58 -for a start, it does not even mention transitivity.
33.59 -The rest of this section is devoted to proving that it is equivalent to
33.60 -the standard definition. We start with a simple lemma:%
33.61 -\end{isamarkuptext}%
33.62 -\isamarkuptrue%
33.63 -\isacommand{lemma}\isamarkupfalse%
33.64 -\ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
33.65 -%
33.66 -\isadelimproof
33.67 -%
33.68 -\endisadelimproof
33.69 -%
33.70 -\isatagproof
33.71 -\isacommand{by}\isamarkupfalse%
33.72 -{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isaliteral{5F}{\isacharunderscore}}step{\isaliteral{29}{\isacharparenright}}%
33.73 -\endisatagproof
33.74 -{\isafoldproof}%
33.75 -%
33.76 -\isadelimproof
33.77 -%
33.78 -\endisadelimproof
33.79 -%
33.80 -\begin{isamarkuptext}%
33.81 -\noindent
33.82 -Although the lemma itself is an unremarkable consequence of the basic rules,
33.83 -it has the advantage that it can be declared an introduction rule without the
33.84 -danger of killing the automatic tactics because \isa{r{\isaliteral{2A}{\isacharasterisk}}} occurs only in
33.85 -the conclusion and not in the premise. Thus some proofs that would otherwise
33.86 -need \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} can now be found automatically. The proof also
33.87 -shows that \isa{blast} is able to handle \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step}. But
33.88 -some of the other automatic tactics are more sensitive, and even \isa{blast} can be lead astray in the presence of large numbers of rules.
33.89 -
33.90 -To prove transitivity, we need rule induction, i.e.\ theorem
33.91 -\isa{rtc{\isaliteral{2E}{\isachardot}}induct}:
33.92 -\begin{isabelle}%
33.93 -\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}x{\isadigit{1}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{2}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ x{\isaliteral{3B}{\isacharsemicolon}}\isanewline
33.94 -\isaindent{\ \ \ \ \ \ }{\isaliteral{5C3C416E643E}{\isasymAnd}}x\ y\ z{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{3F}{\isacharquery}}P\ y\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
33.95 -\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{1}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{2}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}%
33.96 -\end{isabelle}
33.97 -It says that \isa{{\isaliteral{3F}{\isacharquery}}P} holds for an arbitrary pair \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}x{\isadigit{1}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{2}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{2A}{\isacharasterisk}}}
33.98 -if \isa{{\isaliteral{3F}{\isacharquery}}P} is preserved by all rules of the inductive definition,
33.99 -i.e.\ if \isa{{\isaliteral{3F}{\isacharquery}}P} holds for the conclusion provided it holds for the
33.100 -premises. In general, rule induction for an $n$-ary inductive relation $R$
33.101 -expects a premise of the form $(x@1,\dots,x@n) \in R$.
33.102 -
33.103 -Now we turn to the inductive proof of transitivity:%
33.104 -\end{isamarkuptext}%
33.105 -\isamarkuptrue%
33.106 -\isacommand{lemma}\isamarkupfalse%
33.107 -\ rtc{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
33.108 -%
33.109 -\isadelimproof
33.110 -%
33.111 -\endisadelimproof
33.112 -%
33.113 -\isatagproof
33.114 -\isacommand{apply}\isamarkupfalse%
33.115 -{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
33.116 -\begin{isamarkuptxt}%
33.117 -\noindent
33.118 -Unfortunately, even the base case is a problem:
33.119 -\begin{isabelle}%
33.120 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}%
33.121 -\end{isabelle}
33.122 -We have to abandon this proof attempt.
33.123 -To understand what is going on, let us look again at \isa{rtc{\isaliteral{2E}{\isachardot}}induct}.
33.124 -In the above application of \isa{erule}, the first premise of
33.125 -\isa{rtc{\isaliteral{2E}{\isachardot}}induct} is unified with the first suitable assumption, which
33.126 -is \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}} rather than \isa{{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}}. Although that
33.127 -is what we want, it is merely due to the order in which the assumptions occur
33.128 -in the subgoal, which it is not good practice to rely on. As a result,
33.129 -\isa{{\isaliteral{3F}{\isacharquery}}xb} becomes \isa{x}, \isa{{\isaliteral{3F}{\isacharquery}}xa} becomes
33.130 -\isa{y} and \isa{{\isaliteral{3F}{\isacharquery}}P} becomes \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}u\ v{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}u{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}}, thus
33.131 -yielding the above subgoal. So what went wrong?
33.132 -
33.133 -When looking at the instantiation of \isa{{\isaliteral{3F}{\isacharquery}}P} we see that it does not
33.134 -depend on its second parameter at all. The reason is that in our original
33.135 -goal, of the pair \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}} only \isa{x} appears also in the
33.136 -conclusion, but not \isa{y}. Thus our induction statement is too
33.137 -general. Fortunately, it can easily be specialized:
33.138 -transfer the additional premise \isa{{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}} into the conclusion:%
33.139 -\end{isamarkuptxt}%
33.140 -\isamarkuptrue%
33.141 -%
33.142 -\endisatagproof
33.143 -{\isafoldproof}%
33.144 -%
33.145 -\isadelimproof
33.146 -%
33.147 -\endisadelimproof
33.148 -\isacommand{lemma}\isamarkupfalse%
33.149 -\ rtc{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
33.150 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}%
33.151 -\isadelimproof
33.152 -%
33.153 -\endisadelimproof
33.154 -%
33.155 -\isatagproof
33.156 -%
33.157 -\begin{isamarkuptxt}%
33.158 -\noindent
33.159 -This is not an obscure trick but a generally applicable heuristic:
33.160 -\begin{quote}\em
33.161 -When proving a statement by rule induction on $(x@1,\dots,x@n) \in R$,
33.162 -pull all other premises containing any of the $x@i$ into the conclusion
33.163 -using $\longrightarrow$.
33.164 -\end{quote}
33.165 -A similar heuristic for other kinds of inductions is formulated in
33.166 -\S\ref{sec:ind-var-in-prems}. The \isa{rule{\isaliteral{5F}{\isacharunderscore}}format} directive turns
33.167 -\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}} back into \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}}: in the end we obtain the original
33.168 -statement of our lemma.%
33.169 -\end{isamarkuptxt}%
33.170 -\isamarkuptrue%
33.171 -\isacommand{apply}\isamarkupfalse%
33.172 -{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
33.173 -\begin{isamarkuptxt}%
33.174 -\noindent
33.175 -Now induction produces two subgoals which are both proved automatically:
33.176 -\begin{isabelle}%
33.177 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\isanewline
33.178 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ y\ za{\isaliteral{2E}{\isachardot}}\isanewline
33.179 -\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ za{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}za{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
33.180 -\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}za{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}%
33.181 -\end{isabelle}%
33.182 -\end{isamarkuptxt}%
33.183 -\isamarkuptrue%
33.184 -\ \isacommand{apply}\isamarkupfalse%
33.185 -{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
33.186 -\isacommand{apply}\isamarkupfalse%
33.187 -{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isaliteral{5F}{\isacharunderscore}}step{\isaliteral{29}{\isacharparenright}}\isanewline
33.188 -\isacommand{done}\isamarkupfalse%
33.189 -%
33.190 -\endisatagproof
33.191 -{\isafoldproof}%
33.192 -%
33.193 -\isadelimproof
33.194 -%
33.195 -\endisadelimproof
33.196 -%
33.197 -\begin{isamarkuptext}%
33.198 -Let us now prove that \isa{r{\isaliteral{2A}{\isacharasterisk}}} is really the reflexive transitive closure
33.199 -of \isa{r}, i.e.\ the least reflexive and transitive
33.200 -relation containing \isa{r}. The latter is easily formalized%
33.201 -\end{isamarkuptext}%
33.202 -\isamarkuptrue%
33.203 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
33.204 -\isanewline
33.205 -\ \ rtc{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
33.206 -\ \ \isakeyword{for}\ r\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
33.207 -\isakeyword{where}\isanewline
33.208 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
33.209 -{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
33.210 -{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}%
33.211 -\begin{isamarkuptext}%
33.212 -\noindent
33.213 -and the equivalence of the two definitions is easily shown by the obvious rule
33.214 -inductions:%
33.215 -\end{isamarkuptext}%
33.216 -\isamarkuptrue%
33.217 -\isacommand{lemma}\isamarkupfalse%
33.218 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
33.219 -%
33.220 -\isadelimproof
33.221 -%
33.222 -\endisadelimproof
33.223 -%
33.224 -\isatagproof
33.225 -\isacommand{apply}\isamarkupfalse%
33.226 -{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
33.227 -\ \ \isacommand{apply}\isamarkupfalse%
33.228 -{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
33.229 -\ \isacommand{apply}\isamarkupfalse%
33.230 -{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
33.231 -\isacommand{apply}\isamarkupfalse%
33.232 -{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{29}{\isacharparenright}}\isanewline
33.233 -\isacommand{done}\isamarkupfalse%
33.234 -%
33.235 -\endisatagproof
33.236 -{\isafoldproof}%
33.237 -%
33.238 -\isadelimproof
33.239 -\isanewline
33.240 -%
33.241 -\endisadelimproof
33.242 -\isanewline
33.243 -\isacommand{lemma}\isamarkupfalse%
33.244 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
33.245 -%
33.246 -\isadelimproof
33.247 -%
33.248 -\endisadelimproof
33.249 -%
33.250 -\isatagproof
33.251 -\isacommand{apply}\isamarkupfalse%
33.252 -{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
33.253 -\ \isacommand{apply}\isamarkupfalse%
33.254 -{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
33.255 -\isacommand{apply}\isamarkupfalse%
33.256 -{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
33.257 -\isacommand{done}\isamarkupfalse%
33.258 -%
33.259 -\endisatagproof
33.260 -{\isafoldproof}%
33.261 -%
33.262 -\isadelimproof
33.263 -%
33.264 -\endisadelimproof
33.265 -%
33.266 -\begin{isamarkuptext}%
33.267 -So why did we start with the first definition? Because it is simpler. It
33.268 -contains only two rules, and the single step rule is simpler than
33.269 -transitivity. As a consequence, \isa{rtc{\isaliteral{2E}{\isachardot}}induct} is simpler than
33.270 -\isa{rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}induct}. Since inductive proofs are hard enough
33.271 -anyway, we should always pick the simplest induction schema available.
33.272 -Hence \isa{rtc} is the definition of choice.
33.273 -\index{reflexive transitive closure!defining inductively|)}
33.274 -
33.275 -\begin{exercise}\label{ex:converse-rtc-step}
33.276 -Show that the converse of \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} also holds:
33.277 -\begin{isabelle}%
33.278 -\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}%
33.279 -\end{isabelle}
33.280 -\end{exercise}
33.281 -\begin{exercise}
33.282 -Repeat the development of this section, but starting with a definition of
33.283 -\isa{rtc} where \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} is replaced by its converse as shown
33.284 -in exercise~\ref{ex:converse-rtc-step}.
33.285 -\end{exercise}%
33.286 -\end{isamarkuptext}%
33.287 -\isamarkuptrue%
33.288 -%
33.289 -\isadelimproof
33.290 -%
33.291 -\endisadelimproof
33.292 -%
33.293 -\isatagproof
33.294 -%
33.295 -\endisatagproof
33.296 -{\isafoldproof}%
33.297 -%
33.298 -\isadelimproof
33.299 -%
33.300 -\endisadelimproof
33.301 -%
33.302 -\isadelimtheory
33.303 -%
33.304 -\endisadelimtheory
33.305 -%
33.306 -\isatagtheory
33.307 -%
33.308 -\endisatagtheory
33.309 -{\isafoldtheory}%
33.310 -%
33.311 -\isadelimtheory
33.312 -%
33.313 -\endisadelimtheory
33.314 -\end{isabellebody}%
33.315 -%%% Local Variables:
33.316 -%%% mode: latex
33.317 -%%% TeX-master: "root"
33.318 -%%% End:
34.1 --- a/doc-src/TutorialI/Inductive/inductive.tex Thu Jul 26 16:08:16 2012 +0200
34.2 +++ b/doc-src/TutorialI/Inductive/inductive.tex Thu Jul 26 19:59:06 2012 +0200
34.3 @@ -18,14 +18,14 @@
34.4 See {\S}\ref{sec:ind-predicates}.
34.5 \end{warn}
34.6
34.7 -\input{Inductive/document/Even}
34.8 -\input{Inductive/document/Mutual}
34.9 -\input{Inductive/document/Star}
34.10 +\input{document/Even}
34.11 +\input{document/Mutual}
34.12 +\input{document/Star}
34.13
34.14 \section{Advanced Inductive Definitions}
34.15 \label{sec:adv-ind-def}
34.16 -\input{Inductive/document/Advanced}
34.17 +\input{document/Advanced}
34.18
34.19 -\input{Inductive/document/AB}
34.20 +\input{document/AB}
34.21
34.22 \index{inductive definitions|)}
35.1 --- a/doc-src/TutorialI/IsaMakefile Thu Jul 26 16:08:16 2012 +0200
35.2 +++ b/doc-src/TutorialI/IsaMakefile Thu Jul 26 19:59:06 2012 +0200
35.3 @@ -4,9 +4,7 @@
35.4
35.5 ## targets
35.6
35.7 -default: HOL-ToyList HOL-Ifexpr HOL-CodeGen HOL-Trie HOL-Datatype HOL-Fun HOL-Fun \
35.8 - HOL-Advanced HOL-Rules HOL-Sets HOL-CTL HOL-Inductive HOL-Types HOL-Misc \
35.9 - HOL-Protocol HOL-Documents
35.10 +default: HOL-Tutorial HOL-ToyList2
35.11 images:
35.12 test:
35.13 all: default
35.14 @@ -18,7 +16,7 @@
35.15 OUT = $(ISABELLE_OUTPUT)
35.16 LOG = $(OUT)/log
35.17 OPTIONS = -m brackets -i true -d "" -D document -M 1
35.18 -USEDIR = @$(ISABELLE_TOOL) usedir $(OPTIONS) $(OUT)/HOL
35.19 +USEDIR = @$(ISABELLE_TOOL) usedir $(OPTIONS)
35.20
35.21
35.22 ## HOL
35.23 @@ -27,218 +25,42 @@
35.24 @cd $(SRC)/HOL; $(ISABELLE_TOOL) make HOL
35.25
35.26
35.27 +## HOL-Tutorial
35.28
35.29 -## HOL-Ifexpr
35.30 +HOL-Tutorial: HOL $(LOG)/HOL-Tutorial.gz
35.31
35.32 -HOL-Ifexpr: HOL $(LOG)/HOL-Ifexpr.gz
35.33 +$(LOG)/HOL-Tutorial.gz: $(OUT)/HOL ROOT.ML Ifexpr/Ifexpr.thy \
35.34 + ToyList2/ToyList.thy CodeGen/CodeGen.thy Datatype/ABexpr.thy \
35.35 + Datatype/Nested.thy Datatype/unfoldnested.thy Datatype/Fundata.thy \
35.36 + Trie/Trie.thy Fun/fun0.thy Advanced/simp2.thy Rules/Basic.thy \
35.37 + Rules/Blast.thy Rules/Force.thy Rules/Primes.thy Rules/Forward.thy \
35.38 + Rules/Tacticals.thy Rules/find2.thy Sets/Examples.thy \
35.39 + Sets/Functions.thy Sets/Recur.thy Sets/Relations.thy CTL/Base.thy \
35.40 + CTL/PDL.thy CTL/CTL.thy CTL/CTLind.thy Inductive/Even.thy \
35.41 + Inductive/Mutual.thy Inductive/Star.thy Inductive/AB.thy \
35.42 + Inductive/Advanced.thy Types/Numbers.thy Types/Pairs.thy \
35.43 + Types/Records.thy Types/Typedefs.thy Types/Overloading.thy \
35.44 + Types/Axioms.thy Misc/Tree.thy Misc/Tree2.thy Misc/Plus.thy \
35.45 + Misc/fakenat.thy Misc/natsum.thy Misc/pairs2.thy Misc/Option2.thy \
35.46 + Misc/types.thy Misc/prime_def.thy Misc/case_exprs.thy Misc/simp.thy \
35.47 + Misc/Itrev.thy Misc/AdvancedInd.thy Misc/appendix.thy \
35.48 + Protocol/Message.thy Protocol/Event.thy Protocol/Public.thy \
35.49 + Protocol/NS_Public.thy Documents/Documents.thy
35.50 + $(USEDIR) -s Tutorial $(OUT)/HOL .
35.51
35.52 -$(LOG)/HOL-Ifexpr.gz: $(OUT)/HOL Ifexpr/Ifexpr.thy Ifexpr/ROOT.ML
35.53 - $(USEDIR) Ifexpr
35.54 - @rm -f Ifexpr/document/isabelle.sty
35.55 - @rm -f Ifexpr/document/isabellesym.sty
35.56 - @rm -f Ifexpr/document/pdfsetup.sty
35.57 - @rm -f Ifexpr/document/session.tex
35.58 - @rm -f tutorial.dvi
35.59
35.60 -## HOL-ToyList
35.61 +## HOL-ToyList2
35.62
35.63 -HOL-ToyList: HOL $(LOG)/HOL-ToyList.gz $(LOG)/HOL-ToyList2.gz
35.64 +HOL-ToyList2: HOL $(LOG)/HOL-ToyList2.gz
35.65
35.66 ToyList2/ToyList.thy: ToyList2/ToyList1 ToyList2/ToyList2
35.67 cat ToyList2/ToyList1 ToyList2/ToyList2 > ToyList2/ToyList.thy
35.68
35.69 -$(LOG)/HOL-ToyList2.gz: $(OUT)/HOL ToyList2/ToyList.thy ToyList2/ROOT.ML
35.70 - $(USEDIR) ToyList2
35.71 - @rm -f ToyList2/document/isabelle.sty
35.72 - @rm -f ToyList2/document/isabellesym.sty
35.73 - @rm -f ToyList2/document/pdfsetup.sty
35.74 - @rm -f ToyList2/document/session.tex
35.75 - @rm -f tutorial.dvi
35.76 +$(LOG)/HOL-ToyList2.gz: $(OUT)/HOL ToyList2/ROOT.ML
35.77 + $(USEDIR) $(OUT)/HOL ToyList2
35.78
35.79 -$(LOG)/HOL-ToyList.gz: $(OUT)/HOL ToyList/ToyList.thy ToyList/ROOT.ML
35.80 - $(USEDIR) ToyList
35.81 - @rm -f ToyList/document/isabelle.sty
35.82 - @rm -f ToyList/document/isabellesym.sty
35.83 - @rm -f ToyList/document/pdfsetup.sty
35.84 - @rm -f ToyList/document/session.tex
35.85 - @rm -f tutorial.dvi
35.86 -
35.87 -## HOL-CodeGen
35.88 -
35.89 -HOL-CodeGen: HOL $(LOG)/HOL-CodeGen.gz
35.90 -
35.91 -$(LOG)/HOL-CodeGen.gz: $(OUT)/HOL CodeGen/ROOT.ML CodeGen/CodeGen.thy
35.92 - $(USEDIR) CodeGen
35.93 - @rm -f CodeGen/document/isabelle.sty
35.94 - @rm -f CodeGen/document/isabellesym.sty
35.95 - @rm -f CodeGen/document/pdfsetup.sty
35.96 - @rm -f CodeGen/document/session.tex
35.97 - @rm -f tutorial.dvi
35.98 -
35.99 -
35.100 -## HOL-Datatype
35.101 -
35.102 -HOL-Datatype: HOL $(LOG)/HOL-Datatype.gz
35.103 -
35.104 -$(LOG)/HOL-Datatype.gz: $(OUT)/HOL Datatype/ROOT.ML Datatype/ABexpr.thy \
35.105 - Datatype/Nested.thy Datatype/unfoldnested.thy \
35.106 - Datatype/Fundata.thy
35.107 - $(USEDIR) Datatype
35.108 - @rm -f Datatype/document/isabelle.sty
35.109 - @rm -f Datatype/document/isabellesym.sty
35.110 - @rm -f Datatype/document/pdfsetup.sty
35.111 - @rm -f Datatype/document/session.tex
35.112 - @rm -f tutorial.dvi
35.113 -
35.114 -
35.115 -## HOL-Trie
35.116 -
35.117 -HOL-Trie: HOL $(LOG)/HOL-Trie.gz
35.118 -
35.119 -$(LOG)/HOL-Trie.gz: $(OUT)/HOL Trie/ROOT.ML Trie/Trie.thy
35.120 - $(USEDIR) Trie
35.121 - @rm -f Trie/document/isabelle.sty
35.122 - @rm -f Trie/document/isabellesym.sty
35.123 - @rm -f Trie/document/pdfsetup.sty
35.124 - @rm -f Trie/document/session.tex
35.125 - @rm -f tutorial.dvi
35.126 -
35.127 -
35.128 -## HOL-Fun
35.129 -
35.130 -HOL-Fun: HOL $(LOG)/HOL-Fun.gz
35.131 -
35.132 -$(LOG)/HOL-Fun.gz: $(OUT)/HOL Fun/ROOT.ML Fun/fun0.thy
35.133 - $(USEDIR) Fun
35.134 - @rm -f Fun/document/isabelle.sty
35.135 - @rm -f Fun/document/isabellesym.sty
35.136 - @rm -f Fun/document/pdfsetup.sty
35.137 - @rm -f Fun/document/session.tex
35.138 - @rm -f tutorial.dvi
35.139 -
35.140 -
35.141 -## HOL-Advanced
35.142 -
35.143 -HOL-Advanced: HOL $(LOG)/HOL-Advanced.gz
35.144 -
35.145 -$(LOG)/HOL-Advanced.gz: $(OUT)/HOL Advanced/simp2.thy Advanced/ROOT.ML
35.146 - $(USEDIR) Advanced
35.147 - @rm -f Advanced/document/isabelle.sty
35.148 - @rm -f Advanced/document/isabellesym.sty
35.149 - @rm -f Advanced/document/pdfsetup.sty
35.150 - @rm -f Advanced/document/session.tex
35.151 - @rm -f tutorial.dvi
35.152 -
35.153 -## HOL-Rules
35.154 -
35.155 -HOL-Rules: HOL $(LOG)/HOL-Rules.gz
35.156 -
35.157 -$(LOG)/HOL-Rules.gz: $(OUT)/HOL Rules/Basic.thy \
35.158 - Rules/Blast.thy Rules/Force.thy Rules/Primes.thy Rules/Forward.thy \
35.159 - Rules/Tacticals.thy Rules/find2.thy Rules/ROOT.ML
35.160 - @$(USEDIR) Rules
35.161 - @rm -f Rules/document/isabelle.sty
35.162 - @rm -f Rules/document/isabellesym.sty
35.163 - @rm -f Rules/document/pdfsetup.sty
35.164 - @rm -f Rules/document/session.tex
35.165 - @rm -f tutorial.dvi
35.166 -
35.167 -## HOL-Sets
35.168 -
35.169 -HOL-Sets: HOL $(LOG)/HOL-Sets.gz
35.170 -
35.171 -$(LOG)/HOL-Sets.gz: $(OUT)/HOL Sets/Examples.thy Sets/Functions.thy \
35.172 - Sets/Recur.thy Sets/Relations.thy Sets/ROOT.ML
35.173 - @$(USEDIR) Sets
35.174 - @rm -f Sets/document/isabelle.sty
35.175 - @rm -f Sets/document/isabellesym.sty
35.176 - @rm -f Sets/document/pdfsetup.sty
35.177 - @rm -f Sets/document/session.tex
35.178 - @rm -f tutorial.dvi
35.179 -
35.180 -## HOL-CTL
35.181 -
35.182 -HOL-CTL: HOL $(LOG)/HOL-CTL.gz
35.183 -
35.184 -$(LOG)/HOL-CTL.gz: $(OUT)/HOL CTL/Base.thy CTL/PDL.thy CTL/CTL.thy CTL/CTLind.thy CTL/ROOT.ML
35.185 - $(USEDIR) CTL
35.186 - @rm -f CTL/document/isabelle.sty
35.187 - @rm -f CTL/document/isabellesym.sty
35.188 - @rm -f CTL/document/pdfsetup.sty
35.189 - @rm -f CTL/document/session.tex
35.190 - @rm -f tutorial.dvi
35.191 -
35.192 -## HOL-Inductive
35.193 -
35.194 -HOL-Inductive: HOL $(LOG)/HOL-Inductive.gz
35.195 -
35.196 -$(LOG)/HOL-Inductive.gz: $(OUT)/HOL Inductive/ROOT.ML \
35.197 - Inductive/Even.thy Inductive/Mutual.thy Inductive/Star.thy Inductive/AB.thy \
35.198 - Inductive/Advanced.thy
35.199 - $(USEDIR) Inductive
35.200 - @rm -f Inductive/document/isabelle.sty
35.201 - @rm -f Inductive/document/isabellesym.sty
35.202 - @rm -f Inductive/document/pdfsetup.sty
35.203 - @rm -f Inductive/document/session.tex
35.204 - @rm -f tutorial.dvi
35.205 -
35.206 -## HOL-Types
35.207 -
35.208 -HOL-Types: HOL $(LOG)/HOL-Types.gz
35.209 -
35.210 -$(LOG)/HOL-Types.gz: $(OUT)/HOL Types/ROOT.ML \
35.211 - Types/Numbers.thy Types/Pairs.thy Types/Records.thy Types/Typedefs.thy \
35.212 - Types/Overloading.thy Types/Axioms.thy
35.213 - $(USEDIR) Types
35.214 - @rm -f Types/document/isabelle.sty
35.215 - @rm -f Types/document/isabellesym.sty
35.216 - @rm -f Types/document/pdfsetup.sty
35.217 - @rm -f Types/document/session.tex
35.218 - @rm -f tutorial.dvi
35.219 -
35.220 -## HOL-Misc
35.221 -
35.222 -HOL-Misc: HOL $(LOG)/HOL-Misc.gz
35.223 -
35.224 -$(LOG)/HOL-Misc.gz: $(OUT)/HOL Misc/ROOT.ML Misc/Tree.thy Misc/Tree2.thy \
35.225 - Misc/Plus.thy Misc/fakenat.thy Misc/natsum.thy Misc/pairs.thy \
35.226 - Misc/Option2.thy Misc/types.thy Misc/prime_def.thy Misc/case_exprs.thy \
35.227 - Misc/simp.thy Misc/Itrev.thy Misc/AdvancedInd.thy Misc/appendix.thy
35.228 - $(USEDIR) Misc
35.229 - @rm -f Misc/document/isabelle.sty
35.230 - @rm -f Misc/document/isabellesym.sty
35.231 - @rm -f Misc/document/pdfsetup.sty
35.232 - @rm -f Misc/document/session.tex
35.233 - @rm -f tutorial.dvi
35.234 -
35.235 -
35.236 -## HOL-Protocol
35.237 -
35.238 -HOL-Protocol: HOL $(LOG)/HOL-Protocol.gz
35.239 -
35.240 -$(LOG)/HOL-Protocol.gz: $(OUT)/HOL Protocol/ROOT.ML \
35.241 - Protocol/Message.thy Protocol/Event.thy \
35.242 - Protocol/Public.thy Protocol/NS_Public.thy
35.243 - $(USEDIR) Protocol
35.244 - @rm -f Protocol/document/isabelle.sty
35.245 - @rm -f Protocol/document/isabellesym.sty
35.246 - @rm -f Protocol/document/pdfsetup.sty
35.247 - @rm -f Protocol/document/session.tex
35.248 - @rm -f tutorial.dvi
35.249 -
35.250 -## HOL-Documents
35.251 -
35.252 -HOL-Documents: HOL $(LOG)/HOL-Documents.gz
35.253 -
35.254 -$(LOG)/HOL-Documents.gz: $(OUT)/HOL Documents/Documents.thy Documents/ROOT.ML
35.255 - $(USEDIR) Documents
35.256 - @rm -f Documents/document/isabelle.sty
35.257 - @rm -f Documents/document/isabellesym.sty
35.258 - @rm -f Documents/document/pdfsetup.sty
35.259 - @rm -f Documents/document/session.tex
35.260 - @rm -f tutorial.dvi
35.261
35.262 ## clean
35.263
35.264 clean:
35.265 - @rm -f tutorial.dvi $(LOG)/HOL-Ifexpr.gz $(LOG)/HOL-CodeGen.gz $(LOG)/HOL-Misc.gz $(LOG)/HOL-ToyList.gz $(LOG)/HOL-ToyList2.gz $(LOG)/HOL-Trie.gz $(LOG)/HOL-Datatype.gz $(LOG)/HOL-Fun.gz $(LOG)/HOL-Advanced.gz $(LOG)/HOL-Rules.gz $(LOG)/HOL-Sets.gz $(LOG)/HOL-CTL.gz $(LOG)/HOL-Inductive.gz $(LOG)/HOL-Types.gz $(LOG)/HOL-Protocol.gz $(LOG)/HOL-Documents.gz Rules/document/*.tex Sets/document/*.tex
35.266 + @rm -f tutorial.dvi $(LOG)/HOL-Tutorial.gz $(LOG)/HOL-ToyList2.gz
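Review bot: The new `$(LOG)/HOL-ToyList2.gz` rule drops the generated `ToyList2/ToyList.thy` from its prerequisites (the removed rule listed it), so the `cat ToyList2/ToyList1 ToyList2/ToyList2 > ToyList2/ToyList.thy` step is now only reached through the `HOL-Tutorial` target; `make HOL-ToyList2` on its own, or the default target under `make -j`, can run usedir before the theory file exists, and an edit to ToyList1/ToyList2 will rebuild HOL-Tutorial but not this session. Restoring the prerequisite, `$(LOG)/HOL-ToyList2.gz: $(OUT)/HOL ToyList2/ToyList.thy ToyList2/ROOT.ML`, keeps that dependency explicit. The rewritten `clean` target also no longer removes any session-generated `.tex` files (the old one removed `Rules/document/*.tex Sets/document/*.tex`); if `-D document` now dumps into `document/` as the companion Makefile's FILES list suggests, adding `document/*.tex ToyList2/ToyList.thy` there would keep `clean` honest, but confirm where usedir writes before changing it.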
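--- a/doc-src/TutorialI/Makefile
+++ b/doc-src/TutorialI/Makefile
@@ -13,16 +13,15 @@
 NAME = tutorial
 FILES = tutorial.tex basics.tex fp.tex appendix.tex \
 Advanced/advanced.tex CTL/ctl.tex Inductive/inductive.tex \
- Inductive/document/AB.tex Inductive/document/Advanced.tex \
- Inductive/document/Even.tex Inductive/document/Mutual.tex \
- Inductive/document/Star.tex Protocol/protocol.tex \
- Protocol/document/Event.tex Protocol/document/Message.tex \
- Protocol/document/Public.tex Protocol/document/NS_Public.tex \
- Rules/rules.tex Sets/sets.tex Types/numerics.tex \
- Types/types.tex Types/document/Overloading.tex \
- Types/document/Axioms.tex Documents/documents.tex Misc/document/appendix.tex ../iman.sty \
- ../ttbox.sty ../extra.sty ../../lib/texinputs/isabelle.sty ../../lib/texinputs/isabellesym.sty \
- ../pdfsetup.sty
+ document/AB.tex document/Advanced.tex document/Even.tex \
+ document/Mutual.tex document/Star.tex Protocol/protocol.tex \
+ document/Event.tex document/Message.tex document/Public.tex \
+ document/NS_Public.tex Rules/rules.tex Sets/sets.tex \
+ Types/numerics.tex Types/types.tex document/Overloading.tex \
+ document/Axioms.tex Documents/documents.tex \
+ document/appendix.tex ../iman.sty ../ttbox.sty ../extra.sty \
+ ../../lib/texinputs/isabelle.sty \
+ ../../lib/texinputs/isabellesym.sty ../pdfsetup.sty
 
 dvi: $(NAME).dvi
 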
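Review bot: The rewritten FILES list pools the generated `.tex` dumps of what were separate per-subdirectory document directories (Inductive/, Protocol/, Types/, Misc/) into one flat `document/`, so the build now silently relies on every theory name in the merged session being unique (`Advanced`, `appendix`, `Event`, `Public`, … all land in the same directory), and a future theory with a clashing name would overwrite another's dump rather than fail. That constraint, and the fact that `document/*.tex` are build products rather than sources, is not stated anywhere in the Makefile; a short comment above `FILES` would help the next person who adds a theory: `# document/*.tex are dumped by the HOL-Tutorial session into a single directory; theory names must stay unique across the subdirectories.` The session that produces `document/` is not visible in this hunk, so the session name in the comment should be checked against the ROOT file.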
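--- a/doc-src/TutorialI/Misc/ROOT.ML
+++ /dev/null
@@ -1,15 +0,0 @@
-use "../settings.ML";
-use_thy "Tree";
-use_thy "Tree2";
-use_thy "Plus";
-use_thy "case_exprs";
-use_thy "fakenat";
-use_thy "natsum";
-use_thy "pairs";
-use_thy "Option2";
-use_thy "types";
-use_thy "prime_def";
-use_thy "simp";
-use_thy "Itrev";
-use_thy "AdvancedInd";
-use_thy "appendix";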
38.1 --- a/doc-src/TutorialI/Misc/document/AdvancedInd.tex Thu Jul 26 16:08:16 2012 +0200
38.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
38.3 @@ -1,436 +0,0 @@
38.4 -%
38.5 -\begin{isabellebody}%
38.6 -\def\isabellecontext{AdvancedInd}%
38.7 -%
38.8 -\isadelimtheory
38.9 -%
38.10 -\endisadelimtheory
38.11 -%
38.12 -\isatagtheory
38.13 -%
38.14 -\endisatagtheory
38.15 -{\isafoldtheory}%
38.16 -%
38.17 -\isadelimtheory
38.18 -%
38.19 -\endisadelimtheory
38.20 -%
38.21 -\begin{isamarkuptext}%
38.22 -\noindent
38.23 -Now that we have learned about rules and logic, we take another look at the
38.24 -finer points of induction. We consider two questions: what to do if the
38.25 -proposition to be proved is not directly amenable to induction
38.26 -(\S\ref{sec:ind-var-in-prems}), and how to utilize (\S\ref{sec:complete-ind})
38.27 -and even derive (\S\ref{sec:derive-ind}) new induction schemas. We conclude
38.28 -with an extended example of induction (\S\ref{sec:CTL-revisited}).%
38.29 -\end{isamarkuptext}%
38.30 -\isamarkuptrue%
38.31 -%
38.32 -\isamarkupsubsection{Massaging the Proposition%
38.33 -}
38.34 -\isamarkuptrue%
38.35 -%
38.36 -\begin{isamarkuptext}%
38.37 -\label{sec:ind-var-in-prems}
38.38 -Often we have assumed that the theorem to be proved is already in a form
38.39 -that is amenable to induction, but sometimes it isn't.
38.40 -Here is an example.
38.41 -Since \isa{hd} and \isa{last} return the first and last element of a
38.42 -non-empty list, this lemma looks easy to prove:%
38.43 -\end{isamarkuptext}%
38.44 -\isamarkuptrue%
38.45 -\isacommand{lemma}\isamarkupfalse%
38.46 -\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ hd{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
38.47 -%
38.48 -\isadelimproof
38.49 -%
38.50 -\endisadelimproof
38.51 -%
38.52 -\isatagproof
38.53 -\isacommand{apply}\isamarkupfalse%
38.54 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
38.55 -\begin{isamarkuptxt}%
38.56 -\noindent
38.57 -But induction produces the warning
38.58 -\begin{quote}\tt
38.59 -Induction variable occurs also among premises!
38.60 -\end{quote}
38.61 -and leads to the base case
38.62 -\begin{isabelle}%
38.63 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ hd\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
38.64 -\end{isabelle}
38.65 -Simplification reduces the base case to this:
38.66 -\begin{isabelle}
38.67 -\ 1.\ xs\ {\isasymnoteq}\ []\ {\isasymLongrightarrow}\ hd\ []\ =\ last\ []
38.68 -\end{isabelle}
38.69 -We cannot prove this equality because we do not know what \isa{hd} and
38.70 -\isa{last} return when applied to \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}.
38.71 -
38.72 -We should not have ignored the warning. Because the induction
38.73 -formula is only the conclusion, induction does not affect the occurrence of \isa{xs} in the premises.
38.74 -Thus the case that should have been trivial
38.75 -becomes unprovable. Fortunately, the solution is easy:\footnote{A similar
38.76 -heuristic applies to rule inductions; see \S\ref{sec:rtc}.}
38.77 -\begin{quote}
38.78 -\emph{Pull all occurrences of the induction variable into the conclusion
38.79 -using \isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}.}
38.80 -\end{quote}
38.81 -Thus we should state the lemma as an ordinary
38.82 -implication~(\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}), letting
38.83 -\attrdx{rule_format} (\S\ref{sec:forward}) convert the
38.84 -result to the usual \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}} form:%
38.85 -\end{isamarkuptxt}%
38.86 -\isamarkuptrue%
38.87 -%
38.88 -\endisatagproof
38.89 -{\isafoldproof}%
38.90 -%
38.91 -\isadelimproof
38.92 -%
38.93 -\endisadelimproof
38.94 -\isacommand{lemma}\isamarkupfalse%
38.95 -\ hd{\isaliteral{5F}{\isacharunderscore}}rev\ {\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ hd{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
38.96 -\isadelimproof
38.97 -%
38.98 -\endisadelimproof
38.99 -%
38.100 -\isatagproof
38.101 -%
38.102 -\begin{isamarkuptxt}%
38.103 -\noindent
38.104 -This time, induction leaves us with a trivial base case:
38.105 -\begin{isabelle}%
38.106 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ hd\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
38.107 -\end{isabelle}
38.108 -And \isa{auto} completes the proof.
38.109 -
38.110 -If there are multiple premises $A@1$, \dots, $A@n$ containing the
38.111 -induction variable, you should turn the conclusion $C$ into
38.112 -\[ A@1 \longrightarrow \cdots A@n \longrightarrow C. \]
38.113 -Additionally, you may also have to universally quantify some other variables,
38.114 -which can yield a fairly complex conclusion. However, \isa{rule{\isaliteral{5F}{\isacharunderscore}}format}
38.115 -can remove any number of occurrences of \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}} and
38.116 -\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}.
38.117 -
38.118 -\index{induction!on a term}%
38.119 -A second reason why your proposition may not be amenable to induction is that
38.120 -you want to induct on a complex term, rather than a variable. In
38.121 -general, induction on a term~$t$ requires rephrasing the conclusion~$C$
38.122 -as
38.123 -\begin{equation}\label{eqn:ind-over-term}
38.124 -\forall y@1 \dots y@n.~ x = t \longrightarrow C.
38.125 -\end{equation}
38.126 -where $y@1 \dots y@n$ are the free variables in $t$ and $x$ is a new variable.
38.127 -Now you can perform induction on~$x$. An example appears in
38.128 -\S\ref{sec:complete-ind} below.
38.129 -
38.130 -The very same problem may occur in connection with rule induction. Remember
38.131 -that it requires a premise of the form $(x@1,\dots,x@k) \in R$, where $R$ is
38.132 -some inductively defined set and the $x@i$ are variables. If instead we have
38.133 -a premise $t \in R$, where $t$ is not just an $n$-tuple of variables, we
38.134 -replace it with $(x@1,\dots,x@k) \in R$, and rephrase the conclusion $C$ as
38.135 -\[ \forall y@1 \dots y@n.~ (x@1,\dots,x@k) = t \longrightarrow C. \]
38.136 -For an example see \S\ref{sec:CTL-revisited} below.
38.137 -
38.138 -Of course, all premises that share free variables with $t$ need to be pulled into
38.139 -the conclusion as well, under the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}}, again using \isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}} as shown above.
38.140 -
38.141 -Readers who are puzzled by the form of statement
38.142 -(\ref{eqn:ind-over-term}) above should remember that the
38.143 -transformation is only performed to permit induction. Once induction
38.144 -has been applied, the statement can be transformed back into something quite
38.145 -intuitive. For example, applying wellfounded induction on $x$ (w.r.t.\
38.146 -$\prec$) to (\ref{eqn:ind-over-term}) and transforming the result a
38.147 -little leads to the goal
38.148 -\[ \bigwedge\overline{y}.\
38.149 - \forall \overline{z}.\ t\,\overline{z} \prec t\,\overline{y}\ \longrightarrow\ C\,\overline{z}
38.150 - \ \Longrightarrow\ C\,\overline{y} \]
38.151 -where $\overline{y}$ stands for $y@1 \dots y@n$ and the dependence of $t$ and
38.152 -$C$ on the free variables of $t$ has been made explicit.
38.153 -Unfortunately, this induction schema cannot be expressed as a
38.154 -single theorem because it depends on the number of free variables in $t$ ---
38.155 -the notation $\overline{y}$ is merely an informal device.%
38.156 -\end{isamarkuptxt}%
38.157 -\isamarkuptrue%
38.158 -%
38.159 -\endisatagproof
38.160 -{\isafoldproof}%
38.161 -%
38.162 -\isadelimproof
38.163 -%
38.164 -\endisadelimproof
38.165 -%
38.166 -\isamarkupsubsection{Beyond Structural and Recursion Induction%
38.167 -}
38.168 -\isamarkuptrue%
38.169 -%
38.170 -\begin{isamarkuptext}%
38.171 -\label{sec:complete-ind}
38.172 -So far, inductive proofs were by structural induction for
38.173 -primitive recursive functions and recursion induction for total recursive
38.174 -functions. But sometimes structural induction is awkward and there is no
38.175 -recursive function that could furnish a more appropriate
38.176 -induction schema. In such cases a general-purpose induction schema can
38.177 -be helpful. We show how to apply such induction schemas by an example.
38.178 -
38.179 -Structural induction on \isa{nat} is
38.180 -usually known as mathematical induction. There is also \textbf{complete}
38.181 -\index{induction!complete}%
38.182 -induction, where you prove $P(n)$ under the assumption that $P(m)$
38.183 -holds for all $m<n$. In Isabelle, this is the theorem \tdx{nat_less_induct}:
38.184 -\begin{isabelle}%
38.185 -\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n%
38.186 -\end{isabelle}
38.187 -As an application, we prove a property of the following
38.188 -function:%
38.189 -\end{isamarkuptext}%
38.190 -\isamarkuptrue%
38.191 -\isacommand{consts}\isamarkupfalse%
38.192 -\ f\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
38.193 -\isacommand{axioms}\isamarkupfalse%
38.194 -\ f{\isaliteral{5F}{\isacharunderscore}}ax{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}f{\isaliteral{28}{\isacharparenleft}}f{\isaliteral{28}{\isacharparenleft}}n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ f{\isaliteral{28}{\isacharparenleft}}Suc{\isaliteral{28}{\isacharparenleft}}n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
38.195 -\begin{isamarkuptext}%
38.196 -\begin{warn}
38.197 -We discourage the use of axioms because of the danger of
38.198 -inconsistencies. Axiom \isa{f{\isaliteral{5F}{\isacharunderscore}}ax} does
38.199 -not introduce an inconsistency because, for example, the identity function
38.200 -satisfies it. Axioms can be useful in exploratory developments, say when
38.201 -you assume some well-known theorems so that you can quickly demonstrate some
38.202 -point about methodology. If your example turns into a substantial proof
38.203 -development, you should replace axioms by theorems.
38.204 -\end{warn}\noindent
38.205 -The axiom for \isa{f} implies \isa{n\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ n}, which can
38.206 -be proved by induction on \mbox{\isa{f\ n}}. Following the recipe outlined
38.207 -above, we have to phrase the proposition as follows to allow induction:%
38.208 -\end{isamarkuptext}%
38.209 -\isamarkuptrue%
38.210 -\isacommand{lemma}\isamarkupfalse%
38.211 -\ f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ k\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i{\isaliteral{22}{\isachardoublequoteclose}}%
38.212 -\isadelimproof
38.213 -%
38.214 -\endisadelimproof
38.215 -%
38.216 -\isatagproof
38.217 -%
38.218 -\begin{isamarkuptxt}%
38.219 -\noindent
38.220 -To perform induction on \isa{k} using \isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct}, we use
38.221 -the same general induction method as for recursion induction (see
38.222 -\S\ref{sec:fun-induction}):%
38.223 -\end{isamarkuptxt}%
38.224 -\isamarkuptrue%
38.225 -\isacommand{apply}\isamarkupfalse%
38.226 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ k\ rule{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}%
38.227 -\begin{isamarkuptxt}%
38.228 -\noindent
38.229 -We get the following proof state:
38.230 -\begin{isabelle}%
38.231 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ m\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ n\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i%
38.232 -\end{isabelle}
38.233 -After stripping the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i}, the proof continues with a case
38.234 -distinction on \isa{i}. The case \isa{i\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}} is trivial and we focus on
38.235 -the other case:%
38.236 -\end{isamarkuptxt}%
38.237 -\isamarkuptrue%
38.238 -\isacommand{apply}\isamarkupfalse%
38.239 -{\isaliteral{28}{\isacharparenleft}}rule\ allI{\isaliteral{29}{\isacharparenright}}\isanewline
38.240 -\isacommand{apply}\isamarkupfalse%
38.241 -{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ i{\isaliteral{29}{\isacharparenright}}\isanewline
38.242 -\ \isacommand{apply}\isamarkupfalse%
38.243 -{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
38.244 -\begin{isamarkuptxt}%
38.245 -\begin{isabelle}%
38.246 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n\ i\ nat{\isaliteral{2E}{\isachardot}}\isanewline
38.247 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ m\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i{\isaliteral{3B}{\isacharsemicolon}}\ i\ {\isaliteral{3D}{\isacharequal}}\ Suc\ nat{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i%
38.248 -\end{isabelle}%
38.249 -\end{isamarkuptxt}%
38.250 -\isamarkuptrue%
38.251 -\isacommand{by}\isamarkupfalse%
38.252 -{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{21}{\isacharbang}}{\isaliteral{3A}{\isacharcolon}}\ f{\isaliteral{5F}{\isacharunderscore}}ax\ Suc{\isaliteral{5F}{\isacharunderscore}}leI\ intro{\isaliteral{3A}{\isacharcolon}}\ le{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{29}{\isacharparenright}}%
38.253 -\endisatagproof
38.254 -{\isafoldproof}%
38.255 -%
38.256 -\isadelimproof
38.257 -%
38.258 -\endisadelimproof
38.259 -%
38.260 -\begin{isamarkuptext}%
38.261 -\noindent
38.262 -If you find the last step puzzling, here are the two lemmas it employs:
38.263 -\begin{isabelle}
38.264 -\isa{m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ m\ {\isaliteral{5C3C6C653E}{\isasymle}}\ n}
38.265 -\rulename{Suc_leI}\isanewline
38.266 -\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{5C3C6C653E}{\isasymle}}\ y{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{3C}{\isacharless}}\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ x\ {\isaliteral{3C}{\isacharless}}\ z}
38.267 -\rulename{le_less_trans}
38.268 -\end{isabelle}
38.269 -%
38.270 -The proof goes like this (writing \isa{j} instead of \isa{nat}).
38.271 -Since \isa{i\ {\isaliteral{3D}{\isacharequal}}\ Suc\ j} it suffices to show
38.272 -\hbox{\isa{j\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}}},
38.273 -by \isa{Suc{\isaliteral{5F}{\isacharunderscore}}leI}\@. This is
38.274 -proved as follows. From \isa{f{\isaliteral{5F}{\isacharunderscore}}ax} we have \isa{f\ {\isaliteral{28}{\isacharparenleft}}f\ j{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}}
38.275 -(1) which implies \isa{f\ j\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ {\isaliteral{28}{\isacharparenleft}}f\ j{\isaliteral{29}{\isacharparenright}}} by the induction hypothesis.
38.276 -Using (1) once more we obtain \isa{f\ j\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}} (2) by the transitivity
38.277 -rule \isa{le{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}trans}.
38.278 -Using the induction hypothesis once more we obtain \isa{j\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ j}
38.279 -which, together with (2) yields \isa{j\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}} (again by
38.280 -\isa{le{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}trans}).
38.281 -
38.282 -This last step shows both the power and the danger of automatic proofs. They
38.283 -will usually not tell you how the proof goes, because it can be hard to
38.284 -translate the internal proof into a human-readable format. Automatic
38.285 -proofs are easy to write but hard to read and understand.
38.286 -
38.287 -The desired result, \isa{i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i}, follows from \isa{f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5F}{\isacharunderscore}}lem}:%
38.288 -\end{isamarkuptext}%
38.289 -\isamarkuptrue%
38.290 -\isacommand{lemmas}\isamarkupfalse%
38.291 -\ f{\isaliteral{5F}{\isacharunderscore}}incr\ {\isaliteral{3D}{\isacharequal}}\ f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{2C}{\isacharcomma}}\ OF\ refl{\isaliteral{5D}{\isacharbrackright}}%
38.292 -\begin{isamarkuptext}%
38.293 -\noindent
38.294 -The final \isa{refl} gets rid of the premise \isa{{\isaliteral{3F}{\isacharquery}}k\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{3F}{\isacharquery}}i}.
38.295 -We could have included this derivation in the original statement of the lemma:%
38.296 -\end{isamarkuptext}%
38.297 -\isamarkuptrue%
38.298 -\isacommand{lemma}\isamarkupfalse%
38.299 -\ f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{2C}{\isacharcomma}}\ OF\ refl{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ k\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i{\isaliteral{22}{\isachardoublequoteclose}}%
38.300 -\isadelimproof
38.301 -%
38.302 -\endisadelimproof
38.303 -%
38.304 -\isatagproof
38.305 -%
38.306 -\endisatagproof
38.307 -{\isafoldproof}%
38.308 -%
38.309 -\isadelimproof
38.310 -%
38.311 -\endisadelimproof
38.312 -%
38.313 -\begin{isamarkuptext}%
38.314 -\begin{exercise}
38.315 -From the axiom and lemma for \isa{f}, show that \isa{f} is the
38.316 -identity function.
38.317 -\end{exercise}
38.318 -
38.319 -Method \methdx{induct_tac} can be applied with any rule $r$
38.320 -whose conclusion is of the form ${?}P~?x@1 \dots ?x@n$, in which case the
38.321 -format is
38.322 -\begin{quote}
38.323 -\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac} $y@1 \dots y@n$ \isa{rule{\isaliteral{3A}{\isacharcolon}}} $r$\isa{{\isaliteral{29}{\isacharparenright}}}
38.324 -\end{quote}
38.325 -where $y@1, \dots, y@n$ are variables in the conclusion of the first subgoal.
38.326 -
38.327 -A further useful induction rule is \isa{length{\isaliteral{5F}{\isacharunderscore}}induct},
38.328 -induction on the length of a list\indexbold{*length_induct}
38.329 -\begin{isabelle}%
38.330 -\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}xs{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}ys{\isaliteral{2E}{\isachardot}}\ length\ ys\ {\isaliteral{3C}{\isacharless}}\ length\ xs\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ ys\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ xs%
38.331 -\end{isabelle}
38.332 -which is a special case of \isa{measure{\isaliteral{5F}{\isacharunderscore}}induct}
38.333 -\begin{isabelle}%
38.334 -\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ f\ y\ {\isaliteral{3C}{\isacharless}}\ f\ x\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ y\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ a%
38.335 -\end{isabelle}
38.336 -where \isa{f} may be any function into type \isa{nat}.%
38.337 -\end{isamarkuptext}%
38.338 -\isamarkuptrue%
38.339 -%
38.340 -\isamarkupsubsection{Derivation of New Induction Schemas%
38.341 -}
38.342 -\isamarkuptrue%
38.343 -%
38.344 -\begin{isamarkuptext}%
38.345 -\label{sec:derive-ind}
38.346 -\index{induction!deriving new schemas}%
38.347 -Induction schemas are ordinary theorems and you can derive new ones
38.348 -whenever you wish. This section shows you how, using the example
38.349 -of \isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct}. Assume we only have structural induction
38.350 -available for \isa{nat} and want to derive complete induction. We
38.351 -must generalize the statement as shown:%
38.352 -\end{isamarkuptext}%
38.353 -\isamarkuptrue%
38.354 -\isacommand{lemma}\isamarkupfalse%
38.355 -\ induct{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
38.356 -%
38.357 -\isadelimproof
38.358 -%
38.359 -\endisadelimproof
38.360 -%
38.361 -\isatagproof
38.362 -\isacommand{apply}\isamarkupfalse%
38.363 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isaliteral{29}{\isacharparenright}}%
38.364 -\begin{isamarkuptxt}%
38.365 -\noindent
38.366 -The base case is vacuously true. For the induction step (\isa{m\ {\isaliteral{3C}{\isacharless}}\ Suc\ n}) we distinguish two cases: case \isa{m\ {\isaliteral{3C}{\isacharless}}\ n} is true by induction
38.367 -hypothesis and case \isa{m\ {\isaliteral{3D}{\isacharequal}}\ n} follows from the assumption, again using
38.368 -the induction hypothesis:%
38.369 -\end{isamarkuptxt}%
38.370 -\isamarkuptrue%
38.371 -\ \isacommand{apply}\isamarkupfalse%
38.372 -{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
38.373 -\isacommand{by}\isamarkupfalse%
38.374 -{\isaliteral{28}{\isacharparenleft}}blast\ elim{\isaliteral{3A}{\isacharcolon}}\ less{\isaliteral{5F}{\isacharunderscore}}SucE{\isaliteral{29}{\isacharparenright}}%
38.375 -\endisatagproof
38.376 -{\isafoldproof}%
38.377 -%
38.378 -\isadelimproof
38.379 -%
38.380 -\endisadelimproof
38.381 -%
38.382 -\begin{isamarkuptext}%
38.383 -\noindent
38.384 -The elimination rule \isa{less{\isaliteral{5F}{\isacharunderscore}}SucE} expresses the case distinction:
38.385 -\begin{isabelle}%
38.386 -\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}m\ {\isaliteral{3C}{\isacharless}}\ Suc\ n{\isaliteral{3B}{\isacharsemicolon}}\ m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{3B}{\isacharsemicolon}}\ m\ {\isaliteral{3D}{\isacharequal}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P%
38.387 -\end{isabelle}
38.388 -
38.389 -Now it is straightforward to derive the original version of
38.390 -\isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct} by manipulating the conclusion of the above
38.391 -lemma: instantiate \isa{n} by \isa{Suc\ n} and \isa{m} by \isa{n}
38.392 -and remove the trivial condition \isa{n\ {\isaliteral{3C}{\isacharless}}\ Suc\ n}. Fortunately, this
38.393 -happens automatically when we add the lemma as a new premise to the
38.394 -desired goal:%
38.395 -\end{isamarkuptext}%
38.396 -\isamarkuptrue%
38.397 -\isacommand{theorem}\isamarkupfalse%
38.398 -\ nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
38.399 -%
38.400 -\isadelimproof
38.401 -%
38.402 -\endisadelimproof
38.403 -%
38.404 -\isatagproof
38.405 -\isacommand{by}\isamarkupfalse%
38.406 -{\isaliteral{28}{\isacharparenleft}}insert\ induct{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{2C}{\isacharcomma}}\ blast{\isaliteral{29}{\isacharparenright}}%
38.407 -\endisatagproof
38.408 -{\isafoldproof}%
38.409 -%
38.410 -\isadelimproof
38.411 -%
38.412 -\endisadelimproof
38.413 -%
38.414 -\begin{isamarkuptext}%
38.415 -HOL already provides the mother of
38.416 -all inductions, well-founded induction (see \S\ref{sec:Well-founded}). For
38.417 -example theorem \isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct} is
38.418 -a special case of \isa{wf{\isaliteral{5F}{\isacharunderscore}}induct} where \isa{r} is \isa{{\isaliteral{3C}{\isacharless}}} on
38.419 -\isa{nat}. The details can be found in theory \isa{Wellfounded_Recursion}.%
38.420 -\end{isamarkuptext}%
38.421 -\isamarkuptrue%
38.422 -%
38.423 -\isadelimtheory
38.424 -%
38.425 -\endisadelimtheory
38.426 -%
38.427 -\isatagtheory
38.428 -%
38.429 -\endisatagtheory
38.430 -{\isafoldtheory}%
38.431 -%
38.432 -\isadelimtheory
38.433 -%
38.434 -\endisadelimtheory
38.435 -\end{isabellebody}%
38.436 -%%% Local Variables:
38.437 -%%% mode: latex
38.438 -%%% TeX-master: "root"
38.439 -%%% End:
39.1 --- a/doc-src/TutorialI/Misc/document/Itrev.tex Thu Jul 26 16:08:16 2012 +0200
39.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
39.3 @@ -1,222 +0,0 @@
39.4 -%
39.5 -\begin{isabellebody}%
39.6 -\def\isabellecontext{Itrev}%
39.7 -%
39.8 -\isadelimtheory
39.9 -%
39.10 -\endisadelimtheory
39.11 -%
39.12 -\isatagtheory
39.13 -%
39.14 -\endisatagtheory
39.15 -{\isafoldtheory}%
39.16 -%
39.17 -\isadelimtheory
39.18 -%
39.19 -\endisadelimtheory
39.20 -%
39.21 -\isamarkupsection{Induction Heuristics%
39.22 -}
39.23 -\isamarkuptrue%
39.24 -%
39.25 -\begin{isamarkuptext}%
39.26 -\label{sec:InductionHeuristics}
39.27 -\index{induction heuristics|(}%
39.28 -The purpose of this section is to illustrate some simple heuristics for
39.29 -inductive proofs. The first one we have already mentioned in our initial
39.30 -example:
39.31 -\begin{quote}
39.32 -\emph{Theorems about recursive functions are proved by induction.}
39.33 -\end{quote}
39.34 -In case the function has more than one argument
39.35 -\begin{quote}
39.36 -\emph{Do induction on argument number $i$ if the function is defined by
39.37 -recursion in argument number $i$.}
39.38 -\end{quote}
39.39 -When we look at the proof of \isa{{\isaliteral{28}{\isacharparenleft}}xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}ys{\isaliteral{40}{\isacharat}}zs{\isaliteral{29}{\isacharparenright}}}
39.40 -in \S\ref{sec:intro-proof} we find
39.41 -\begin{itemize}
39.42 -\item \isa{{\isaliteral{40}{\isacharat}}} is recursive in
39.43 -the first argument
39.44 -\item \isa{xs} occurs only as the first argument of
39.45 -\isa{{\isaliteral{40}{\isacharat}}}
39.46 -\item both \isa{ys} and \isa{zs} occur at least once as
39.47 -the second argument of \isa{{\isaliteral{40}{\isacharat}}}
39.48 -\end{itemize}
39.49 -Hence it is natural to perform induction on~\isa{xs}.
39.50 -
39.51 -The key heuristic, and the main point of this section, is to
39.52 -\emph{generalize the goal before induction}.
39.53 -The reason is simple: if the goal is
39.54 -too specific, the induction hypothesis is too weak to allow the induction
39.55 -step to go through. Let us illustrate the idea with an example.
39.56 -
39.57 -Function \cdx{rev} has quadratic worst-case running time
39.58 -because it calls function \isa{{\isaliteral{40}{\isacharat}}} for each element of the list and
39.59 -\isa{{\isaliteral{40}{\isacharat}}} is linear in its first argument. A linear time version of
39.60 -\isa{rev} reqires an extra argument where the result is accumulated
39.61 -gradually, using only~\isa{{\isaliteral{23}{\isacharhash}}}:%
39.62 -\end{isamarkuptext}%
39.63 -\isamarkuptrue%
39.64 -\isacommand{primrec}\isamarkupfalse%
39.65 -\ itrev\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
39.66 -{\isaliteral{22}{\isachardoublequoteopen}}itrev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ ys\ {\isaliteral{3D}{\isacharequal}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
39.67 -{\isaliteral{22}{\isachardoublequoteopen}}itrev\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}xs{\isaliteral{29}{\isacharparenright}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ itrev\ xs\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}ys{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
39.68 -\begin{isamarkuptext}%
39.69 -\noindent
39.70 -The behaviour of \cdx{itrev} is simple: it reverses
39.71 -its first argument by stacking its elements onto the second argument,
39.72 -and returning that second argument when the first one becomes
39.73 -empty. Note that \isa{itrev} is tail-recursive: it can be
39.74 -compiled into a loop.
39.75 -
39.76 -Naturally, we would like to show that \isa{itrev} does indeed reverse
39.77 -its first argument provided the second one is empty:%
39.78 -\end{isamarkuptext}%
39.79 -\isamarkuptrue%
39.80 -\isacommand{lemma}\isamarkupfalse%
39.81 -\ {\isaliteral{22}{\isachardoublequoteopen}}itrev\ xs\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
39.82 -\isadelimproof
39.83 -%
39.84 -\endisadelimproof
39.85 -%
39.86 -\isatagproof
39.87 -%
39.88 -\begin{isamarkuptxt}%
39.89 -\noindent
39.90 -There is no choice as to the induction variable, and we immediately simplify:%
39.91 -\end{isamarkuptxt}%
39.92 -\isamarkuptrue%
39.93 -\isacommand{apply}\isamarkupfalse%
39.94 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
39.95 -\begin{isamarkuptxt}%
39.96 -\noindent
39.97 -Unfortunately, this attempt does not prove
39.98 -the induction step:
39.99 -\begin{isabelle}%
39.100 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
39.101 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ itrev\ list\ {\isaliteral{5B}{\isacharbrackleft}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}a{\isaliteral{5D}{\isacharbrackright}}%
39.102 -\end{isabelle}
39.103 -The induction hypothesis is too weak. The fixed
39.104 -argument,~\isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, prevents it from rewriting the conclusion.
39.105 -This example suggests a heuristic:
39.106 -\begin{quote}\index{generalizing induction formulae}%
39.107 -\emph{Generalize goals for induction by replacing constants by variables.}
39.108 -\end{quote}
39.109 -Of course one cannot do this na\"{\i}vely: \isa{itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs} is
39.110 -just not true. The correct generalization is%
39.111 -\end{isamarkuptxt}%
39.112 -\isamarkuptrue%
39.113 -%
39.114 -\endisatagproof
39.115 -{\isafoldproof}%
39.116 -%
39.117 -\isadelimproof
39.118 -%
39.119 -\endisadelimproof
39.120 -\isacommand{lemma}\isamarkupfalse%
39.121 -\ {\isaliteral{22}{\isachardoublequoteopen}}itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}%
39.122 -\isadelimproof
39.123 -%
39.124 -\endisadelimproof
39.125 -%
39.126 -\isatagproof
39.127 -%
39.128 -\begin{isamarkuptxt}%
39.129 -\noindent
39.130 -If \isa{ys} is replaced by \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, the right-hand side simplifies to
39.131 -\isa{rev\ xs}, as required.
39.132 -
39.133 -In this instance it was easy to guess the right generalization.
39.134 -Other situations can require a good deal of creativity.
39.135 -
39.136 -Although we now have two variables, only \isa{xs} is suitable for
39.137 -induction, and we repeat our proof attempt. Unfortunately, we are still
39.138 -not there:
39.139 -\begin{isabelle}%
39.140 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
39.141 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
39.142 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ ys%
39.143 -\end{isabelle}
39.144 -The induction hypothesis is still too weak, but this time it takes no
39.145 -intuition to generalize: the problem is that \isa{ys} is fixed throughout
39.146 -the subgoal, but the induction hypothesis needs to be applied with
39.147 -\isa{a\ {\isaliteral{23}{\isacharhash}}\ ys} instead of \isa{ys}. Hence we prove the theorem
39.148 -for all \isa{ys} instead of a fixed one:%
39.149 -\end{isamarkuptxt}%
39.150 -\isamarkuptrue%
39.151 -%
39.152 -\endisatagproof
39.153 -{\isafoldproof}%
39.154 -%
39.155 -\isadelimproof
39.156 -%
39.157 -\endisadelimproof
39.158 -\isacommand{lemma}\isamarkupfalse%
39.159 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}ys{\isaliteral{2E}{\isachardot}}\ itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}%
39.160 -\isadelimproof
39.161 -%
39.162 -\endisadelimproof
39.163 -%
39.164 -\isatagproof
39.165 -%
39.166 -\endisatagproof
39.167 -{\isafoldproof}%
39.168 -%
39.169 -\isadelimproof
39.170 -%
39.171 -\endisadelimproof
39.172 -%
39.173 -\begin{isamarkuptext}%
39.174 -\noindent
39.175 -This time induction on \isa{xs} followed by simplification succeeds. This
39.176 -leads to another heuristic for generalization:
39.177 -\begin{quote}
39.178 -\emph{Generalize goals for induction by universally quantifying all free
39.179 -variables {\em(except the induction variable itself!)}.}
39.180 -\end{quote}
39.181 -This prevents trivial failures like the one above and does not affect the
39.182 -validity of the goal. However, this heuristic should not be applied blindly.
39.183 -It is not always required, and the additional quantifiers can complicate
39.184 -matters in some cases. The variables that should be quantified are typically
39.185 -those that change in recursive calls.
39.186 -
39.187 -A final point worth mentioning is the orientation of the equation we just
39.188 -proved: the more complex notion (\isa{itrev}) is on the left-hand
39.189 -side, the simpler one (\isa{rev}) on the right-hand side. This constitutes
39.190 -another, albeit weak heuristic that is not restricted to induction:
39.191 -\begin{quote}
39.192 - \emph{The right-hand side of an equation should (in some sense) be simpler
39.193 - than the left-hand side.}
39.194 -\end{quote}
39.195 -This heuristic is tricky to apply because it is not obvious that
39.196 -\isa{rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys} is simpler than \isa{itrev\ xs\ ys}. But see what
39.197 -happens if you try to prove \isa{rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ itrev\ xs\ ys}!
39.198 -
39.199 -If you have tried these heuristics and still find your
39.200 -induction does not go through, and no obvious lemma suggests itself, you may
39.201 -need to generalize your proposition even further. This requires insight into
39.202 -the problem at hand and is beyond simple rules of thumb.
39.203 -Additionally, you can read \S\ref{sec:advanced-ind}
39.204 -to learn about some advanced techniques for inductive proofs.%
39.205 -\index{induction heuristics|)}%
39.206 -\end{isamarkuptext}%
39.207 -\isamarkuptrue%
39.208 -%
39.209 -\isadelimtheory
39.210 -%
39.211 -\endisadelimtheory
39.212 -%
39.213 -\isatagtheory
39.214 -%
39.215 -\endisatagtheory
39.216 -{\isafoldtheory}%
39.217 -%
39.218 -\isadelimtheory
39.219 -%
39.220 -\endisadelimtheory
39.221 -\end{isabellebody}%
39.222 -%%% Local Variables:
39.223 -%%% mode: latex
39.224 -%%% TeX-master: "root"
39.225 -%%% End:
40.1 --- a/doc-src/TutorialI/Misc/document/Option2.tex Thu Jul 26 16:08:16 2012 +0200
40.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
40.3 @@ -1,56 +0,0 @@
40.4 -%
40.5 -\begin{isabellebody}%
40.6 -\def\isabellecontext{Option{\isadigit{2}}}%
40.7 -%
40.8 -\isadelimtheory
40.9 -%
40.10 -\endisadelimtheory
40.11 -%
40.12 -\isatagtheory
40.13 -%
40.14 -\endisatagtheory
40.15 -{\isafoldtheory}%
40.16 -%
40.17 -\isadelimtheory
40.18 -%
40.19 -\endisadelimtheory
40.20 -%
40.21 -\begin{isamarkuptext}%
40.22 -\indexbold{*option (type)}\indexbold{*None (constant)}%
40.23 -\indexbold{*Some (constant)}
40.24 -Our final datatype is very simple but still eminently useful:%
40.25 -\end{isamarkuptext}%
40.26 -\isamarkuptrue%
40.27 -\isacommand{datatype}\isamarkupfalse%
40.28 -\ {\isaliteral{27}{\isacharprime}}a\ option\ {\isaliteral{3D}{\isacharequal}}\ None\ {\isaliteral{7C}{\isacharbar}}\ Some\ {\isaliteral{27}{\isacharprime}}a%
40.29 -\begin{isamarkuptext}%
40.30 -\noindent
40.31 -Frequently one needs to add a distinguished element to some existing type.
40.32 -For example, type \isa{t\ option} can model the result of a computation that
40.33 -may either terminate with an error (represented by \isa{None}) or return
40.34 -some value \isa{v} (represented by \isa{Some\ v}).
40.35 -Similarly, \isa{nat} extended with $\infty$ can be modeled by type
40.36 -\isa{nat\ option}. In both cases one could define a new datatype with
40.37 -customized constructors like \isa{Error} and \isa{Infinity},
40.38 -but it is often simpler to use \isa{option}. For an application see
40.39 -\S\ref{sec:Trie}.%
40.40 -\end{isamarkuptext}%
40.41 -\isamarkuptrue%
40.42 -%
40.43 -\isadelimtheory
40.44 -%
40.45 -\endisadelimtheory
40.46 -%
40.47 -\isatagtheory
40.48 -%
40.49 -\endisatagtheory
40.50 -{\isafoldtheory}%
40.51 -%
40.52 -\isadelimtheory
40.53 -%
40.54 -\endisadelimtheory
40.55 -\end{isabellebody}%
40.56 -%%% Local Variables:
40.57 -%%% mode: latex
40.58 -%%% TeX-master: "root"
40.59 -%%% End:
41.1 --- a/doc-src/TutorialI/Misc/document/Plus.tex Thu Jul 26 16:08:16 2012 +0200
41.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
41.3 @@ -1,74 +0,0 @@
41.4 -%
41.5 -\begin{isabellebody}%
41.6 -\def\isabellecontext{Plus}%
41.7 -%
41.8 -\isadelimtheory
41.9 -%
41.10 -\endisadelimtheory
41.11 -%
41.12 -\isatagtheory
41.13 -%
41.14 -\endisatagtheory
41.15 -{\isafoldtheory}%
41.16 -%
41.17 -\isadelimtheory
41.18 -%
41.19 -\endisadelimtheory
41.20 -%
41.21 -\begin{isamarkuptext}%
41.22 -\noindent Define the following addition function%
41.23 -\end{isamarkuptext}%
41.24 -\isamarkuptrue%
41.25 -\isacommand{primrec}\isamarkupfalse%
41.26 -\ add\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
41.27 -{\isaliteral{22}{\isachardoublequoteopen}}add\ m\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
41.28 -{\isaliteral{22}{\isachardoublequoteopen}}add\ m\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ add\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}\ n{\isaliteral{22}{\isachardoublequoteclose}}%
41.29 -\begin{isamarkuptext}%
41.30 -\noindent and prove%
41.31 -\end{isamarkuptext}%
41.32 -\isamarkuptrue%
41.33 -%
41.34 -\isadelimproof
41.35 -%
41.36 -\endisadelimproof
41.37 -%
41.38 -\isatagproof
41.39 -%
41.40 -\endisatagproof
41.41 -{\isafoldproof}%
41.42 -%
41.43 -\isadelimproof
41.44 -%
41.45 -\endisadelimproof
41.46 -\isacommand{lemma}\isamarkupfalse%
41.47 -\ {\isaliteral{22}{\isachardoublequoteopen}}add\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{2B}{\isacharplus}}n{\isaliteral{22}{\isachardoublequoteclose}}%
41.48 -\isadelimproof
41.49 -%
41.50 -\endisadelimproof
41.51 -%
41.52 -\isatagproof
41.53 -%
41.54 -\endisatagproof
41.55 -{\isafoldproof}%
41.56 -%
41.57 -\isadelimproof
41.58 -%
41.59 -\endisadelimproof
41.60 -%
41.61 -\isadelimtheory
41.62 -%
41.63 -\endisadelimtheory
41.64 -%
41.65 -\isatagtheory
41.66 -%
41.67 -\endisatagtheory
41.68 -{\isafoldtheory}%
41.69 -%
41.70 -\isadelimtheory
41.71 -%
41.72 -\endisadelimtheory
41.73 -\end{isabellebody}%
41.74 -%%% Local Variables:
41.75 -%%% mode: latex
41.76 -%%% TeX-master: "root"
41.77 -%%% End:
42.1 --- a/doc-src/TutorialI/Misc/document/Tree.tex Thu Jul 26 16:08:16 2012 +0200
42.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
42.3 @@ -1,83 +0,0 @@
42.4 -%
42.5 -\begin{isabellebody}%
42.6 -\def\isabellecontext{Tree}%
42.7 -%
42.8 -\isadelimtheory
42.9 -%
42.10 -\endisadelimtheory
42.11 -%
42.12 -\isatagtheory
42.13 -%
42.14 -\endisatagtheory
42.15 -{\isafoldtheory}%
42.16 -%
42.17 -\isadelimtheory
42.18 -%
42.19 -\endisadelimtheory
42.20 -%
42.21 -\begin{isamarkuptext}%
42.22 -\noindent
42.23 -Define the datatype of \rmindex{binary trees}:%
42.24 -\end{isamarkuptext}%
42.25 -\isamarkuptrue%
42.26 -\isacommand{datatype}\isamarkupfalse%
42.27 -\ {\isaliteral{27}{\isacharprime}}a\ tree\ {\isaliteral{3D}{\isacharequal}}\ Tip\ {\isaliteral{7C}{\isacharbar}}\ Node\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ tree{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ tree{\isaliteral{22}{\isachardoublequoteclose}}%
42.28 -\begin{isamarkuptext}%
42.29 -\noindent
42.30 -Define a function \isa{mirror} that mirrors a binary tree
42.31 -by swapping subtrees recursively. Prove%
42.32 -\end{isamarkuptext}%
42.33 -\isamarkuptrue%
42.34 -\isacommand{lemma}\isamarkupfalse%
42.35 -\ mirror{\isaliteral{5F}{\isacharunderscore}}mirror{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}mirror{\isaliteral{28}{\isacharparenleft}}mirror\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ t{\isaliteral{22}{\isachardoublequoteclose}}%
42.36 -\isadelimproof
42.37 -%
42.38 -\endisadelimproof
42.39 -%
42.40 -\isatagproof
42.41 -%
42.42 -\endisatagproof
42.43 -{\isafoldproof}%
42.44 -%
42.45 -\isadelimproof
42.46 -%
42.47 -\endisadelimproof
42.48 -%
42.49 -\begin{isamarkuptext}%
42.50 -\noindent
42.51 -Define a function \isa{flatten} that flattens a tree into a list
42.52 -by traversing it in infix order. Prove%
42.53 -\end{isamarkuptext}%
42.54 -\isamarkuptrue%
42.55 -\isacommand{lemma}\isamarkupfalse%
42.56 -\ {\isaliteral{22}{\isachardoublequoteopen}}flatten{\isaliteral{28}{\isacharparenleft}}mirror\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev{\isaliteral{28}{\isacharparenleft}}flatten\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
42.57 -\isadelimproof
42.58 -%
42.59 -\endisadelimproof
42.60 -%
42.61 -\isatagproof
42.62 -%
42.63 -\endisatagproof
42.64 -{\isafoldproof}%
42.65 -%
42.66 -\isadelimproof
42.67 -%
42.68 -\endisadelimproof
42.69 -%
42.70 -\isadelimtheory
42.71 -%
42.72 -\endisadelimtheory
42.73 -%
42.74 -\isatagtheory
42.75 -%
42.76 -\endisatagtheory
42.77 -{\isafoldtheory}%
42.78 -%
42.79 -\isadelimtheory
42.80 -%
42.81 -\endisadelimtheory
42.82 -\end{isabellebody}%
42.83 -%%% Local Variables:
42.84 -%%% mode: latex
42.85 -%%% TeX-master: "root"
42.86 -%%% End:
43.1 --- a/doc-src/TutorialI/Misc/document/Tree2.tex Thu Jul 26 16:08:16 2012 +0200
43.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
43.3 @@ -1,75 +0,0 @@
43.4 -%
43.5 -\begin{isabellebody}%
43.6 -\def\isabellecontext{Tree{\isadigit{2}}}%
43.7 -%
43.8 -\isadelimtheory
43.9 -%
43.10 -\endisadelimtheory
43.11 -%
43.12 -\isatagtheory
43.13 -%
43.14 -\endisatagtheory
43.15 -{\isafoldtheory}%
43.16 -%
43.17 -\isadelimtheory
43.18 -%
43.19 -\endisadelimtheory
43.20 -%
43.21 -\begin{isamarkuptext}%
43.22 -\noindent In Exercise~\ref{ex:Tree} we defined a function
43.23 -\isa{flatten} from trees to lists. The straightforward version of
43.24 -\isa{flatten} is based on \isa{{\isaliteral{40}{\isacharat}}} and is thus, like \isa{rev},
43.25 -quadratic. A linear time version of \isa{flatten} again reqires an extra
43.26 -argument, the accumulator. Define%
43.27 -\end{isamarkuptext}%
43.28 -\isamarkuptrue%
43.29 -flatten{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ tree\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}%
43.30 -\begin{isamarkuptext}%
43.31 -\noindent and prove%
43.32 -\end{isamarkuptext}%
43.33 -\isamarkuptrue%
43.34 -%
43.35 -\isadelimproof
43.36 -%
43.37 -\endisadelimproof
43.38 -%
43.39 -\isatagproof
43.40 -%
43.41 -\endisatagproof
43.42 -{\isafoldproof}%
43.43 -%
43.44 -\isadelimproof
43.45 -%
43.46 -\endisadelimproof
43.47 -\isacommand{lemma}\isamarkupfalse%
43.48 -\ {\isaliteral{22}{\isachardoublequoteopen}}flatten{\isadigit{2}}\ t\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ flatten\ t{\isaliteral{22}{\isachardoublequoteclose}}%
43.49 -\isadelimproof
43.50 -%
43.51 -\endisadelimproof
43.52 -%
43.53 -\isatagproof
43.54 -%
43.55 -\endisatagproof
43.56 -{\isafoldproof}%
43.57 -%
43.58 -\isadelimproof
43.59 -%
43.60 -\endisadelimproof
43.61 -%
43.62 -\isadelimtheory
43.63 -%
43.64 -\endisadelimtheory
43.65 -%
43.66 -\isatagtheory
43.67 -%
43.68 -\endisatagtheory
43.69 -{\isafoldtheory}%
43.70 -%
43.71 -\isadelimtheory
43.72 -%
43.73 -\endisadelimtheory
43.74 -\end{isabellebody}%
43.75 -%%% Local Variables:
43.76 -%%% mode: latex
43.77 -%%% TeX-master: "root"
43.78 -%%% End:
44.1 --- a/doc-src/TutorialI/Misc/document/appendix.tex Thu Jul 26 16:08:16 2012 +0200
44.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
44.3 @@ -1,63 +0,0 @@
44.4 -%
44.5 -\begin{isabellebody}%
44.6 -\def\isabellecontext{appendix}%
44.7 -%
44.8 -\isadelimtheory
44.9 -%
44.10 -\endisadelimtheory
44.11 -%
44.12 -\isatagtheory
44.13 -%
44.14 -\endisatagtheory
44.15 -{\isafoldtheory}%
44.16 -%
44.17 -\isadelimtheory
44.18 -%
44.19 -\endisadelimtheory
44.20 -%
44.21 -\begin{isamarkuptext}%
44.22 -\begin{table}[htbp]
44.23 -\begin{center}
44.24 -\begin{tabular}{lll}
44.25 -Constant & Type & Syntax \\
44.26 -\hline
44.27 -\isa{{\isadigit{0}}} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}zero} \\
44.28 -\isa{{\isadigit{1}}} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}one} \\
44.29 -\isa{plus} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}plus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}plus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}plus} & (infixl $+$ 65) \\
44.30 -\isa{minus} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}minus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}minus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}minus} & (infixl $-$ 65) \\
44.31 -\isa{uminus} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}uminus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}uminus} & $- x$ \\
44.32 -\isa{times} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}times\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}times\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}times} & (infixl $*$ 70) \\
44.33 -\isa{divide} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}inverse\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}inverse\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}inverse} & (infixl $/$ 70) \\
44.34 -\isa{Divides{\isaliteral{2E}{\isachardot}}div} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div} & (infixl $div$ 70) \\
44.35 -\isa{Divides{\isaliteral{2E}{\isachardot}}mod} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div} & (infixl $mod$ 70) \\
44.36 -\isa{abs} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}abs\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}abs} & ${\mid} x {\mid}$ \\
44.37 -\isa{sgn} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}sgn\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}sgn} \\
44.38 -\isa{less{\isaliteral{5F}{\isacharunderscore}}eq} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool} & (infixl $\le$ 50) \\
44.39 -\isa{less} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool} & (infixl $<$ 50) \\
44.40 -\isa{top} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}top} \\
44.41 -\isa{bot} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}bot}
44.42 -\end{tabular}
44.43 -\caption{Important Overloaded Constants in Main}
44.44 -\label{tab:overloading}
44.45 -\end{center}
44.46 -\end{table}%
44.47 -\end{isamarkuptext}%
44.48 -\isamarkuptrue%
44.49 -%
44.50 -\isadelimtheory
44.51 -%
44.52 -\endisadelimtheory
44.53 -%
44.54 -\isatagtheory
44.55 -%
44.56 -\endisatagtheory
44.57 -{\isafoldtheory}%
44.58 -%
44.59 -\isadelimtheory
44.60 -%
44.61 -\endisadelimtheory
44.62 -\end{isabellebody}%
44.63 -%%% Local Variables:
44.64 -%%% mode: latex
44.65 -%%% TeX-master: "root"
44.66 -%%% End:
45.1 --- a/doc-src/TutorialI/Misc/document/case_exprs.tex Thu Jul 26 16:08:16 2012 +0200
45.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
45.3 @@ -1,137 +0,0 @@
45.4 -%
45.5 -\begin{isabellebody}%
45.6 -\def\isabellecontext{case{\isaliteral{5F}{\isacharunderscore}}exprs}%
45.7 -%
45.8 -\isadelimtheory
45.9 -%
45.10 -\endisadelimtheory
45.11 -%
45.12 -\isatagtheory
45.13 -%
45.14 -\endisatagtheory
45.15 -{\isafoldtheory}%
45.16 -%
45.17 -\isadelimtheory
45.18 -%
45.19 -\endisadelimtheory
45.20 -%
45.21 -\begin{isamarkuptext}%
45.22 -\subsection{Case Expressions}
45.23 -\label{sec:case-expressions}\index{*case expressions}%
45.24 -HOL also features \isa{case}-expressions for analyzing
45.25 -elements of a datatype. For example,
45.26 -\begin{isabelle}%
45.27 -\ \ \ \ \ case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ y%
45.28 -\end{isabelle}
45.29 -evaluates to \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} if \isa{xs} is \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} and to \isa{y} if
45.30 -\isa{xs} is \isa{y\ {\isaliteral{23}{\isacharhash}}\ ys}. (Since the result in both branches must be of
45.31 -the same type, it follows that \isa{y} is of type \isa{{\isaliteral{27}{\isacharprime}}a\ list} and hence
45.32 -that \isa{xs} is of type \isa{{\isaliteral{27}{\isacharprime}}a\ list\ list}.)
45.33 -
45.34 -In general, case expressions are of the form
45.35 -\[
45.36 -\begin{array}{c}
45.37 -\isa{case}~e~\isa{of}\ pattern@1~\isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}}~e@1\ \isa{{\isaliteral{7C}{\isacharbar}}}\ \dots\
45.38 - \isa{{\isaliteral{7C}{\isacharbar}}}~pattern@m~\isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}}~e@m
45.39 -\end{array}
45.40 -\]
45.41 -Like in functional programming, patterns are expressions consisting of
45.42 -datatype constructors (e.g. \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} and \isa{{\isaliteral{23}{\isacharhash}}})
45.43 -and variables, including the wildcard ``\verb$_$''.
45.44 -Not all cases need to be covered and the order of cases matters.
45.45 -However, one is well-advised not to wallow in complex patterns because
45.46 -complex case distinctions tend to induce complex proofs.
45.47 -
45.48 -\begin{warn}
45.49 -Internally Isabelle only knows about exhaustive case expressions with
45.50 -non-nested patterns: $pattern@i$ must be of the form
45.51 -$C@i~x@ {i1}~\dots~x@ {ik@i}$ and $C@1, \dots, C@m$ must be exactly the
45.52 -constructors of the type of $e$.
45.53 -%
45.54 -More complex case expressions are automatically
45.55 -translated into the simpler form upon parsing but are not translated
45.56 -back for printing. This may lead to surprising output.
45.57 -\end{warn}
45.58 -
45.59 -\begin{warn}
45.60 -Like \isa{if}, \isa{case}-expressions may need to be enclosed in
45.61 -parentheses to indicate their scope.
45.62 -\end{warn}
45.63 -
45.64 -\subsection{Structural Induction and Case Distinction}
45.65 -\label{sec:struct-ind-case}
45.66 -\index{case distinctions}\index{induction!structural}%
45.67 -Induction is invoked by \methdx{induct_tac}, as we have seen above;
45.68 -it works for any datatype. In some cases, induction is overkill and a case
45.69 -distinction over all constructors of the datatype suffices. This is performed
45.70 -by \methdx{case_tac}. Here is a trivial example:%
45.71 -\end{isamarkuptext}%
45.72 -\isamarkuptrue%
45.73 -\isacommand{lemma}\isamarkupfalse%
45.74 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y{\isaliteral{23}{\isacharhash}}ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
45.75 -%
45.76 -\isadelimproof
45.77 -%
45.78 -\endisadelimproof
45.79 -%
45.80 -\isatagproof
45.81 -\isacommand{apply}\isamarkupfalse%
45.82 -{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
45.83 -\begin{isamarkuptxt}%
45.84 -\noindent
45.85 -results in the proof state
45.86 -\begin{isabelle}%
45.87 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs\isanewline
45.88 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
45.89 -\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }xs\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs%
45.90 -\end{isabelle}
45.91 -which is solved automatically:%
45.92 -\end{isamarkuptxt}%
45.93 -\isamarkuptrue%
45.94 -\isacommand{apply}\isamarkupfalse%
45.95 -{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
45.96 -\endisatagproof
45.97 -{\isafoldproof}%
45.98 -%
45.99 -\isadelimproof
45.100 -%
45.101 -\endisadelimproof
45.102 -%
45.103 -\begin{isamarkuptext}%
45.104 -Note that we do not need to give a lemma a name if we do not intend to refer
45.105 -to it explicitly in the future.
45.106 -Other basic laws about a datatype are applied automatically during
45.107 -simplification, so no special methods are provided for them.
45.108 -
45.109 -\begin{warn}
45.110 - Induction is only allowed on free (or \isasymAnd-bound) variables that
45.111 - should not occur among the assumptions of the subgoal; see
45.112 - \S\ref{sec:ind-var-in-prems} for details. Case distinction
45.113 - (\isa{case{\isaliteral{5F}{\isacharunderscore}}tac}) works for arbitrary terms, which need to be
45.114 - quoted if they are non-atomic. However, apart from \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}}-bound
45.115 - variables, the terms must not contain variables that are bound outside.
45.116 - For example, given the goal \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}xs{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}y\ ys{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys{\isaliteral{29}{\isacharparenright}}},
45.117 - \isa{case{\isaliteral{5F}{\isacharunderscore}}tac\ xs} will not work as expected because Isabelle interprets
45.118 - the \isa{xs} as a new free variable distinct from the bound
45.119 - \isa{xs} in the goal.
45.120 -\end{warn}%
45.121 -\end{isamarkuptext}%
45.122 -\isamarkuptrue%
45.123 -%
45.124 -\isadelimtheory
45.125 -%
45.126 -\endisadelimtheory
45.127 -%
45.128 -\isatagtheory
45.129 -%
45.130 -\endisatagtheory
45.131 -{\isafoldtheory}%
45.132 -%
45.133 -\isadelimtheory
45.134 -%
45.135 -\endisadelimtheory
45.136 -\end{isabellebody}%
45.137 -%%% Local Variables:
45.138 -%%% mode: latex
45.139 -%%% TeX-master: "root"
45.140 -%%% End:
46.1 --- a/doc-src/TutorialI/Misc/document/fakenat.tex Thu Jul 26 16:08:16 2012 +0200
46.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
46.3 @@ -1,42 +0,0 @@
46.4 -%
46.5 -\begin{isabellebody}%
46.6 -\def\isabellecontext{fakenat}%
46.7 -%
46.8 -\isadelimtheory
46.9 -%
46.10 -\endisadelimtheory
46.11 -%
46.12 -\isatagtheory
46.13 -%
46.14 -\endisatagtheory
46.15 -{\isafoldtheory}%
46.16 -%
46.17 -\isadelimtheory
46.18 -%
46.19 -\endisadelimtheory
46.20 -%
46.21 -\begin{isamarkuptext}%
46.22 -\noindent
46.23 -The type \tydx{nat} of natural
46.24 -numbers is predefined to have the constructors \cdx{0} and~\cdx{Suc}. It behaves as if it were declared like this:%
46.25 -\end{isamarkuptext}%
46.26 -\isamarkuptrue%
46.27 -\isacommand{datatype}\isamarkupfalse%
46.28 -\ nat\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ Suc\ nat%
46.29 -\isadelimtheory
46.30 -%
46.31 -\endisadelimtheory
46.32 -%
46.33 -\isatagtheory
46.34 -%
46.35 -\endisatagtheory
46.36 -{\isafoldtheory}%
46.37 -%
46.38 -\isadelimtheory
46.39 -%
46.40 -\endisadelimtheory
46.41 -\end{isabellebody}%
46.42 -%%% Local Variables:
46.43 -%%% mode: latex
46.44 -%%% TeX-master: "root"
46.45 -%%% End:
47.1 --- a/doc-src/TutorialI/Misc/document/natsum.tex Thu Jul 26 16:08:16 2012 +0200
47.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
47.3 @@ -1,232 +0,0 @@
47.4 -%
47.5 -\begin{isabellebody}%
47.6 -\def\isabellecontext{natsum}%
47.7 -%
47.8 -\isadelimtheory
47.9 -%
47.10 -\endisadelimtheory
47.11 -%
47.12 -\isatagtheory
47.13 -%
47.14 -\endisatagtheory
47.15 -{\isafoldtheory}%
47.16 -%
47.17 -\isadelimtheory
47.18 -%
47.19 -\endisadelimtheory
47.20 -%
47.21 -\begin{isamarkuptext}%
47.22 -\noindent
47.23 -In particular, there are \isa{case}-expressions, for example
47.24 -\begin{isabelle}%
47.25 -\ \ \ \ \ case\ n\ of\ {\isadigit{0}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ Suc\ m\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ m%
47.26 -\end{isabelle}
47.27 -primitive recursion, for example%
47.28 -\end{isamarkuptext}%
47.29 -\isamarkuptrue%
47.30 -\isacommand{primrec}\isamarkupfalse%
47.31 -\ sum\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
47.32 -{\isaliteral{22}{\isachardoublequoteopen}}sum\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
47.33 -{\isaliteral{22}{\isachardoublequoteopen}}sum\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ n\ {\isaliteral{2B}{\isacharplus}}\ sum\ n{\isaliteral{22}{\isachardoublequoteclose}}%
47.34 -\begin{isamarkuptext}%
47.35 -\noindent
47.36 -and induction, for example%
47.37 -\end{isamarkuptext}%
47.38 -\isamarkuptrue%
47.39 -\isacommand{lemma}\isamarkupfalse%
47.40 -\ {\isaliteral{22}{\isachardoublequoteopen}}sum\ n\ {\isaliteral{2B}{\isacharplus}}\ sum\ n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
47.41 -%
47.42 -\isadelimproof
47.43 -%
47.44 -\endisadelimproof
47.45 -%
47.46 -\isatagproof
47.47 -\isacommand{apply}\isamarkupfalse%
47.48 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isaliteral{29}{\isacharparenright}}\isanewline
47.49 -\isacommand{apply}\isamarkupfalse%
47.50 -{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
47.51 -\isacommand{done}\isamarkupfalse%
47.52 -%
47.53 -\endisatagproof
47.54 -{\isafoldproof}%
47.55 -%
47.56 -\isadelimproof
47.57 -%
47.58 -\endisadelimproof
47.59 -%
47.60 -\begin{isamarkuptext}%
47.61 -\newcommand{\mystar}{*%
47.62 -}
47.63 -\index{arithmetic operations!for \protect\isa{nat}}%
47.64 -The arithmetic operations \isadxboldpos{+}{$HOL2arithfun},
47.65 -\isadxboldpos{-}{$HOL2arithfun}, \isadxboldpos{\mystar}{$HOL2arithfun},
47.66 -\sdx{div}, \sdx{mod}, \cdx{min} and
47.67 -\cdx{max} are predefined, as are the relations
47.68 -\isadxboldpos{\isasymle}{$HOL2arithrel} and
47.69 -\isadxboldpos{<}{$HOL2arithrel}. As usual, \isa{m\ {\isaliteral{2D}{\isacharminus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}} if
47.70 -\isa{m\ {\isaliteral{3C}{\isacharless}}\ n}. There is even a least number operation
47.71 -\sdx{LEAST}\@. For example, \isa{{\isaliteral{28}{\isacharparenleft}}LEAST\ n{\isaliteral{2E}{\isachardot}}\ {\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isadigit{0}}}.
47.72 -\begin{warn}\index{overloading}
47.73 - The constants \cdx{0} and \cdx{1} and the operations
47.74 - \isadxboldpos{+}{$HOL2arithfun}, \isadxboldpos{-}{$HOL2arithfun},
47.75 - \isadxboldpos{\mystar}{$HOL2arithfun}, \cdx{min},
47.76 - \cdx{max}, \isadxboldpos{\isasymle}{$HOL2arithrel} and
47.77 - \isadxboldpos{<}{$HOL2arithrel} are overloaded: they are available
47.78 - not just for natural numbers but for other types as well.
47.79 - For example, given the goal \isa{x\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ x}, there is nothing to indicate
47.80 - that you are talking about natural numbers. Hence Isabelle can only infer
47.81 - that \isa{x} is of some arbitrary type where \isa{{\isadigit{0}}} and \isa{{\isaliteral{2B}{\isacharplus}}} are
47.82 - declared. As a consequence, you will be unable to prove the
47.83 - goal. To alert you to such pitfalls, Isabelle flags numerals without a
47.84 - fixed type in its output: \isa{x\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x}. (In the absence of a numeral,
47.85 - it may take you some time to realize what has happened if \pgmenu{Show
47.86 - Types} is not set). In this particular example, you need to include
47.87 - an explicit type constraint, for example \isa{x{\isaliteral{2B}{\isacharplus}}{\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}}. If there
47.88 - is enough contextual information this may not be necessary: \isa{Suc\ x\ {\isaliteral{3D}{\isacharequal}}\ x} automatically implies \isa{x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat} because \isa{Suc} is not
47.89 - overloaded.
47.90 -
47.91 - For details on overloading see \S\ref{sec:overloading}.
47.92 - Table~\ref{tab:overloading} in the appendix shows the most important
47.93 - overloaded operations.
47.94 -\end{warn}
47.95 -\begin{warn}
47.96 - The symbols \isadxboldpos{>}{$HOL2arithrel} and
47.97 - \isadxboldpos{\isasymge}{$HOL2arithrel} are merely syntax: \isa{x\ {\isaliteral{3E}{\isachargreater}}\ y}
47.98 - stands for \isa{y\ {\isaliteral{3C}{\isacharless}}\ x} and similary for \isa{{\isaliteral{5C3C67653E}{\isasymge}}} and
47.99 - \isa{{\isaliteral{5C3C6C653E}{\isasymle}}}.
47.100 -\end{warn}
47.101 -\begin{warn}
47.102 - Constant \isa{{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat} is defined to equal \isa{Suc\ {\isadigit{0}}}. This definition
47.103 - (see \S\ref{sec:ConstDefinitions}) is unfolded automatically by some
47.104 - tactics (like \isa{auto}, \isa{simp} and \isa{arith}) but not by
47.105 - others (especially the single step tactics in Chapter~\ref{chap:rules}).
47.106 - If you need the full set of numerals, see~\S\ref{sec:numerals}.
47.107 - \emph{Novices are advised to stick to \isa{{\isadigit{0}}} and \isa{Suc}.}
47.108 -\end{warn}
47.109 -
47.110 -Both \isa{auto} and \isa{simp}
47.111 -(a method introduced below, \S\ref{sec:Simplification}) prove
47.112 -simple arithmetic goals automatically:%
47.113 -\end{isamarkuptext}%
47.114 -\isamarkuptrue%
47.115 -\isacommand{lemma}\isamarkupfalse%
47.116 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ m\ {\isaliteral{3C}{\isacharless}}\ n{\isaliteral{3B}{\isacharsemicolon}}\ m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}%
47.117 -\isadelimproof
47.118 -%
47.119 -\endisadelimproof
47.120 -%
47.121 -\isatagproof
47.122 -%
47.123 -\endisatagproof
47.124 -{\isafoldproof}%
47.125 -%
47.126 -\isadelimproof
47.127 -%
47.128 -\endisadelimproof
47.129 -%
47.130 -\begin{isamarkuptext}%
47.131 -\noindent
47.132 -For efficiency's sake, this built-in prover ignores quantified formulae,
47.133 -many logical connectives, and all arithmetic operations apart from addition.
47.134 -In consequence, \isa{auto} and \isa{simp} cannot prove this slightly more complex goal:%
47.135 -\end{isamarkuptext}%
47.136 -\isamarkuptrue%
47.137 -\isacommand{lemma}\isamarkupfalse%
47.138 -\ {\isaliteral{22}{\isachardoublequoteopen}}m\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{28}{\isacharparenleft}}n{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{5C3C6F723E}{\isasymor}}\ n\ {\isaliteral{3C}{\isacharless}}\ m{\isaliteral{22}{\isachardoublequoteclose}}%
47.139 -\isadelimproof
47.140 -%
47.141 -\endisadelimproof
47.142 -%
47.143 -\isatagproof
47.144 -%
47.145 -\endisatagproof
47.146 -{\isafoldproof}%
47.147 -%
47.148 -\isadelimproof
47.149 -%
47.150 -\endisadelimproof
47.151 -%
47.152 -\begin{isamarkuptext}%
47.153 -\noindent The method \methdx{arith} is more general. It attempts to
47.154 -prove the first subgoal provided it is a \textbf{linear arithmetic} formula.
47.155 -Such formulas may involve the usual logical connectives (\isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}},
47.156 -\isa{{\isaliteral{5C3C616E643E}{\isasymand}}}, \isa{{\isaliteral{5C3C6F723E}{\isasymor}}}, \isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}, \isa{{\isaliteral{3D}{\isacharequal}}},
47.157 -\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}}, \isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}}), the relations \isa{{\isaliteral{3D}{\isacharequal}}},
47.158 -\isa{{\isaliteral{5C3C6C653E}{\isasymle}}} and \isa{{\isaliteral{3C}{\isacharless}}}, and the operations \isa{{\isaliteral{2B}{\isacharplus}}}, \isa{{\isaliteral{2D}{\isacharminus}}},
47.159 -\isa{min} and \isa{max}. For example,%
47.160 -\end{isamarkuptext}%
47.161 -\isamarkuptrue%
47.162 -\isacommand{lemma}\isamarkupfalse%
47.163 -\ {\isaliteral{22}{\isachardoublequoteopen}}min\ i\ {\isaliteral{28}{\isacharparenleft}}max\ j\ {\isaliteral{28}{\isacharparenleft}}k{\isaliteral{2A}{\isacharasterisk}}k{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ max\ {\isaliteral{28}{\isacharparenleft}}min\ {\isaliteral{28}{\isacharparenleft}}k{\isaliteral{2A}{\isacharasterisk}}k{\isaliteral{29}{\isacharparenright}}\ i{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}min\ i\ {\isaliteral{28}{\isacharparenleft}}j{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
47.164 -%
47.165 -\isadelimproof
47.166 -%
47.167 -\endisadelimproof
47.168 -%
47.169 -\isatagproof
47.170 -\isacommand{apply}\isamarkupfalse%
47.171 -{\isaliteral{28}{\isacharparenleft}}arith{\isaliteral{29}{\isacharparenright}}%
47.172 -\endisatagproof
47.173 -{\isafoldproof}%
47.174 -%
47.175 -\isadelimproof
47.176 -%
47.177 -\endisadelimproof
47.178 -%
47.179 -\begin{isamarkuptext}%
47.180 -\noindent
47.181 -succeeds because \isa{k\ {\isaliteral{2A}{\isacharasterisk}}\ k} can be treated as atomic. In contrast,%
47.182 -\end{isamarkuptext}%
47.183 -\isamarkuptrue%
47.184 -\isacommand{lemma}\isamarkupfalse%
47.185 -\ {\isaliteral{22}{\isachardoublequoteopen}}n{\isaliteral{2A}{\isacharasterisk}}n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}%
47.186 -\isadelimproof
47.187 -%
47.188 -\endisadelimproof
47.189 -%
47.190 -\isatagproof
47.191 -%
47.192 -\endisatagproof
47.193 -{\isafoldproof}%
47.194 -%
47.195 -\isadelimproof
47.196 -%
47.197 -\endisadelimproof
47.198 -%
47.199 -\begin{isamarkuptext}%
47.200 -\noindent
47.201 -is not proved by \isa{arith} because the proof relies
47.202 -on properties of multiplication. Only multiplication by numerals (which is
47.203 -the same as iterated addition) is taken into account.
47.204 -
47.205 -\begin{warn} The running time of \isa{arith} is exponential in the number
47.206 - of occurrences of \ttindexboldpos{-}{$HOL2arithfun}, \cdx{min} and
47.207 - \cdx{max} because they are first eliminated by case distinctions.
47.208 -
47.209 -If \isa{k} is a numeral, \sdx{div}~\isa{k}, \sdx{mod}~\isa{k} and
47.210 -\isa{k}~\sdx{dvd} are also supported, where the former two are eliminated
47.211 -by case distinctions, again blowing up the running time.
47.212 -
47.213 -If the formula involves quantifiers, \isa{arith} may take
47.214 -super-exponential time and space.
47.215 -\end{warn}%
47.216 -\end{isamarkuptext}%
47.217 -\isamarkuptrue%
47.218 -%
47.219 -\isadelimtheory
47.220 -%
47.221 -\endisadelimtheory
47.222 -%
47.223 -\isatagtheory
47.224 -%
47.225 -\endisatagtheory
47.226 -{\isafoldtheory}%
47.227 -%
47.228 -\isadelimtheory
47.229 -%
47.230 -\endisadelimtheory
47.231 -\end{isabellebody}%
47.232 -%%% Local Variables:
47.233 -%%% mode: latex
47.234 -%%% TeX-master: "root"
47.235 -%%% End:
48.1 --- a/doc-src/TutorialI/Misc/document/pairs.tex Thu Jul 26 16:08:16 2012 +0200
48.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
48.3 @@ -1,66 +0,0 @@
48.4 -%
48.5 -\begin{isabellebody}%
48.6 -\def\isabellecontext{pairs}%
48.7 -%
48.8 -\isadelimtheory
48.9 -%
48.10 -\endisadelimtheory
48.11 -%
48.12 -\isatagtheory
48.13 -%
48.14 -\endisatagtheory
48.15 -{\isafoldtheory}%
48.16 -%
48.17 -\isadelimtheory
48.18 -%
48.19 -\endisadelimtheory
48.20 -%
48.21 -\begin{isamarkuptext}%
48.22 -\label{sec:pairs}\index{pairs and tuples}
48.23 -HOL also has ordered pairs: \isa{($a@1$,$a@2$)} is of type $\tau@1$
48.24 -\indexboldpos{\isasymtimes}{$Isatype} $\tau@2$ provided each $a@i$ is of type
48.25 -$\tau@i$. The functions \cdx{fst} and
48.26 -\cdx{snd} extract the components of a pair:
48.27 - \isa{fst($x$,$y$) = $x$} and \isa{snd($x$,$y$) = $y$}. Tuples
48.28 -are simulated by pairs nested to the right: \isa{($a@1$,$a@2$,$a@3$)} stands
48.29 -for \isa{($a@1$,($a@2$,$a@3$))} and $\tau@1 \times \tau@2 \times \tau@3$ for
48.30 -$\tau@1 \times (\tau@2 \times \tau@3)$. Therefore we have
48.31 -\isa{fst(snd($a@1$,$a@2$,$a@3$)) = $a@2$}.
48.32 -
48.33 -Remarks:
48.34 -\begin{itemize}
48.35 -\item
48.36 -There is also the type \tydx{unit}, which contains exactly one
48.37 -element denoted by~\cdx{()}. This type can be viewed
48.38 -as a degenerate product with 0 components.
48.39 -\item
48.40 -Products, like type \isa{nat}, are datatypes, which means
48.41 -in particular that \isa{induct{\isaliteral{5F}{\isacharunderscore}}tac} and \isa{case{\isaliteral{5F}{\isacharunderscore}}tac} are applicable to
48.42 -terms of product type.
48.43 -Both split the term into a number of variables corresponding to the tuple structure
48.44 -(up to 7 components).
48.45 -\item
48.46 -Tuples with more than two or three components become unwieldy;
48.47 -records are preferable.
48.48 -\end{itemize}
48.49 -For more information on pairs and records see Chapter~\ref{ch:more-types}.%
48.50 -\end{isamarkuptext}%
48.51 -\isamarkuptrue%
48.52 -%
48.53 -\isadelimtheory
48.54 -%
48.55 -\endisadelimtheory
48.56 -%
48.57 -\isatagtheory
48.58 -%
48.59 -\endisatagtheory
48.60 -{\isafoldtheory}%
48.61 -%
48.62 -\isadelimtheory
48.63 -%
48.64 -\endisadelimtheory
48.65 -\end{isabellebody}%
48.66 -%%% Local Variables:
48.67 -%%% mode: latex
48.68 -%%% TeX-master: "root"
48.69 -%%% End:
49.1 --- a/doc-src/TutorialI/Misc/document/prime_def.tex Thu Jul 26 16:08:16 2012 +0200
49.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
49.3 @@ -1,53 +0,0 @@
49.4 -%
49.5 -\begin{isabellebody}%
49.6 -\def\isabellecontext{prime{\isaliteral{5F}{\isacharunderscore}}def}%
49.7 -%
49.8 -\isadelimtheory
49.9 -%
49.10 -\endisadelimtheory
49.11 -%
49.12 -\isatagtheory
49.13 -%
49.14 -\endisatagtheory
49.15 -{\isafoldtheory}%
49.16 -%
49.17 -\isadelimtheory
49.18 -%
49.19 -\endisadelimtheory
49.20 -%
49.21 -\begin{isamarkuptext}%
49.22 -\begin{warn}
49.23 -A common mistake when writing definitions is to introduce extra free
49.24 -variables on the right-hand side. Consider the following, flawed definition
49.25 -(where \isa{dvd} means ``divides''):
49.26 -\begin{isabelle}%
49.27 -\ \ \ \ \ {\isaliteral{22}{\isachardoublequote}}prime\ p\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isadigit{1}}\ {\isaliteral{3C}{\isacharless}}\ p\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}m\ dvd\ p\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ m\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}%
49.28 -\end{isabelle}
49.29 -\par\noindent\hangindent=0pt
49.30 -Isabelle rejects this ``definition'' because of the extra \isa{m} on the
49.31 -right-hand side, which would introduce an inconsistency (why?).
49.32 -The correct version is
49.33 -\begin{isabelle}%
49.34 -\ \ \ \ \ {\isaliteral{22}{\isachardoublequote}}prime\ p\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isadigit{1}}\ {\isaliteral{3C}{\isacharless}}\ p\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{2E}{\isachardot}}\ m\ dvd\ p\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ m\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}%
49.35 -\end{isabelle}
49.36 -\end{warn}%
49.37 -\end{isamarkuptext}%
49.38 -\isamarkuptrue%
49.39 -%
49.40 -\isadelimtheory
49.41 -%
49.42 -\endisadelimtheory
49.43 -%
49.44 -\isatagtheory
49.45 -%
49.46 -\endisatagtheory
49.47 -{\isafoldtheory}%
49.48 -%
49.49 -\isadelimtheory
49.50 -%
49.51 -\endisadelimtheory
49.52 -\end{isabellebody}%
49.53 -%%% Local Variables:
49.54 -%%% mode: latex
49.55 -%%% TeX-master: "root"
49.56 -%%% End:
50.1 --- a/doc-src/TutorialI/Misc/document/simp.tex Thu Jul 26 16:08:16 2012 +0200
50.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
50.3 @@ -1,799 +0,0 @@
50.4 -%
50.5 -\begin{isabellebody}%
50.6 -\def\isabellecontext{simp}%
50.7 -%
50.8 -\isadelimtheory
50.9 -%
50.10 -\endisadelimtheory
50.11 -%
50.12 -\isatagtheory
50.13 -%
50.14 -\endisatagtheory
50.15 -{\isafoldtheory}%
50.16 -%
50.17 -\isadelimtheory
50.18 -%
50.19 -\endisadelimtheory
50.20 -%
50.21 -\isamarkupsubsection{Simplification Rules%
50.22 -}
50.23 -\isamarkuptrue%
50.24 -%
50.25 -\begin{isamarkuptext}%
50.26 -\index{simplification rules}
50.27 -To facilitate simplification,
50.28 -the attribute \isa{{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}}\index{*simp (attribute)}
50.29 -declares theorems to be simplification rules, which the simplifier
50.30 -will use automatically. In addition, \isacommand{datatype} and
50.31 -\isacommand{primrec} declarations (and a few others)
50.32 -implicitly declare some simplification rules.
50.33 -Explicit definitions are \emph{not} declared as
50.34 -simplification rules automatically!
50.35 -
50.36 -Nearly any theorem can become a simplification
50.37 -rule. The simplifier will try to transform it into an equation.
50.38 -For example, the theorem
50.39 -\isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ P} is turned into \isa{P\ {\isaliteral{3D}{\isacharequal}}\ False}. The details
50.40 -are explained in \S\ref{sec:SimpHow}.
50.41 -
50.42 -The simplification attribute of theorems can be turned on and off:%
50.43 -\index{*simp del (attribute)}
50.44 -\begin{quote}
50.45 -\isacommand{declare} \textit{theorem-name}\isa{{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}}\\
50.46 -\isacommand{declare} \textit{theorem-name}\isa{{\isaliteral{5B}{\isacharbrackleft}}simp\ del{\isaliteral{5D}{\isacharbrackright}}}
50.47 -\end{quote}
50.48 -Only equations that really simplify, like \isa{rev\
50.49 -{\isacharparenleft}rev\ xs{\isacharparenright}\ {\isacharequal}\ xs} and
50.50 -\isa{xs\ {\isacharat}\ {\isacharbrackleft}{\isacharbrackright}\
50.51 -{\isacharequal}\ xs}, should be declared as default simplification rules.
50.52 -More specific ones should only be used selectively and should
50.53 -not be made default. Distributivity laws, for example, alter
50.54 -the structure of terms and can produce an exponential blow-up instead of
50.55 -simplification. A default simplification rule may
50.56 -need to be disabled in certain proofs. Frequent changes in the simplification
50.57 -status of a theorem may indicate an unwise use of defaults.
50.58 -\begin{warn}
50.59 - Simplification can run forever, for example if both $f(x) = g(x)$ and
50.60 - $g(x) = f(x)$ are simplification rules. It is the user's responsibility not
50.61 - to include simplification rules that can lead to nontermination, either on
50.62 - their own or in combination with other simplification rules.
50.63 -\end{warn}
50.64 -\begin{warn}
50.65 - It is inadvisable to toggle the simplification attribute of a
50.66 - theorem from a parent theory $A$ in a child theory $B$ for good.
50.67 - The reason is that if some theory $C$ is based both on $B$ and (via a
50.68 - different path) on $A$, it is not defined what the simplification attribute
50.69 - of that theorem will be in $C$: it could be either.
50.70 -\end{warn}%
50.71 -\end{isamarkuptext}%
50.72 -\isamarkuptrue%
50.73 -%
50.74 -\isamarkupsubsection{The {\tt\slshape simp} Method%
50.75 -}
50.76 -\isamarkuptrue%
50.77 -%
50.78 -\begin{isamarkuptext}%
50.79 -\index{*simp (method)|bold}
50.80 -The general format of the simplification method is
50.81 -\begin{quote}
50.82 -\isa{simp} \textit{list of modifiers}
50.83 -\end{quote}
50.84 -where the list of \emph{modifiers} fine tunes the behaviour and may
50.85 -be empty. Specific modifiers are discussed below. Most if not all of the
50.86 -proofs seen so far could have been performed
50.87 -with \isa{simp} instead of \isa{auto}, except that \isa{simp} attacks
50.88 -only the first subgoal and may thus need to be repeated --- use
50.89 -\methdx{simp_all} to simplify all subgoals.
50.90 -If nothing changes, \isa{simp} fails.%
50.91 -\end{isamarkuptext}%
50.92 -\isamarkuptrue%
50.93 -%
50.94 -\isamarkupsubsection{Adding and Deleting Simplification Rules%
50.95 -}
50.96 -\isamarkuptrue%
50.97 -%
50.98 -\begin{isamarkuptext}%
50.99 -\index{simplification rules!adding and deleting}%
50.100 -If a certain theorem is merely needed in a few proofs by simplification,
50.101 -we do not need to make it a global simplification rule. Instead we can modify
50.102 -the set of simplification rules used in a simplification step by adding rules
50.103 -to it and/or deleting rules from it. The two modifiers for this are
50.104 -\begin{quote}
50.105 -\isa{add{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}\index{*add (modifier)}\\
50.106 -\isa{del{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}\index{*del (modifier)}
50.107 -\end{quote}
50.108 -Or you can use a specific list of theorems and omit all others:
50.109 -\begin{quote}
50.110 -\isa{only{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}\index{*only (modifier)}
50.111 -\end{quote}
50.112 -In this example, we invoke the simplifier, adding two distributive
50.113 -laws:
50.114 -\begin{quote}
50.115 -\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ mod{\isaliteral{5F}{\isacharunderscore}}mult{\isaliteral{5F}{\isacharunderscore}}distrib\ add{\isaliteral{5F}{\isacharunderscore}}mult{\isaliteral{5F}{\isacharunderscore}}distrib{\isaliteral{29}{\isacharparenright}}}
50.116 -\end{quote}%
50.117 -\end{isamarkuptext}%
50.118 -\isamarkuptrue%
50.119 -%
50.120 -\isamarkupsubsection{Assumptions%
50.121 -}
50.122 -\isamarkuptrue%
50.123 -%
50.124 -\begin{isamarkuptext}%
50.125 -\index{simplification!with/of assumptions}
50.126 -By default, assumptions are part of the simplification process: they are used
50.127 -as simplification rules and are simplified themselves. For example:%
50.128 -\end{isamarkuptext}%
50.129 -\isamarkuptrue%
50.130 -\isacommand{lemma}\isamarkupfalse%
50.131 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ xs\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ ys\ {\isaliteral{40}{\isacharat}}\ xs{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ zs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
50.132 -%
50.133 -\isadelimproof
50.134 -%
50.135 -\endisadelimproof
50.136 -%
50.137 -\isatagproof
50.138 -\isacommand{apply}\isamarkupfalse%
50.139 -\ simp\isanewline
50.140 -\isacommand{done}\isamarkupfalse%
50.141 -%
50.142 -\endisatagproof
50.143 -{\isafoldproof}%
50.144 -%
50.145 -\isadelimproof
50.146 -%
50.147 -\endisadelimproof
50.148 -%
50.149 -\begin{isamarkuptext}%
50.150 -\noindent
50.151 -The second assumption simplifies to \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, which in turn
50.152 -simplifies the first assumption to \isa{zs\ {\isaliteral{3D}{\isacharequal}}\ ys}, thus reducing the
50.153 -conclusion to \isa{ys\ {\isaliteral{3D}{\isacharequal}}\ ys} and hence to \isa{True}.
50.154 -
50.155 -In some cases, using the assumptions can lead to nontermination:%
50.156 -\end{isamarkuptext}%
50.157 -\isamarkuptrue%
50.158 -\isacommand{lemma}\isamarkupfalse%
50.159 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}g\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ f\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
50.160 -\isadelimproof
50.161 -%
50.162 -\endisadelimproof
50.163 -%
50.164 -\isatagproof
50.165 -%
50.166 -\begin{isamarkuptxt}%
50.167 -\noindent
50.168 -An unmodified application of \isa{simp} loops. The culprit is the
50.169 -simplification rule \isa{f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}g\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}, which is extracted from
50.170 -the assumption. (Isabelle notices certain simple forms of
50.171 -nontermination but not this one.) The problem can be circumvented by
50.172 -telling the simplifier to ignore the assumptions:%
50.173 -\end{isamarkuptxt}%
50.174 -\isamarkuptrue%
50.175 -\isacommand{apply}\isamarkupfalse%
50.176 -{\isaliteral{28}{\isacharparenleft}}simp\ {\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
50.177 -\isacommand{done}\isamarkupfalse%
50.178 -%
50.179 -\endisatagproof
50.180 -{\isafoldproof}%
50.181 -%
50.182 -\isadelimproof
50.183 -%
50.184 -\endisadelimproof
50.185 -%
50.186 -\begin{isamarkuptext}%
50.187 -\noindent
50.188 -Three modifiers influence the treatment of assumptions:
50.189 -\begin{description}
50.190 -\item[\isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}}]\index{*no_asm (modifier)}
50.191 - means that assumptions are completely ignored.
50.192 -\item[\isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{5F}{\isacharunderscore}}simp{\isaliteral{29}{\isacharparenright}}}]\index{*no_asm_simp (modifier)}
50.193 - means that the assumptions are not simplified but
50.194 - are used in the simplification of the conclusion.
50.195 -\item[\isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{5F}{\isacharunderscore}}use{\isaliteral{29}{\isacharparenright}}}]\index{*no_asm_use (modifier)}
50.196 - means that the assumptions are simplified but are not
50.197 - used in the simplification of each other or the conclusion.
50.198 -\end{description}
50.199 -Only one of the modifiers is allowed, and it must precede all
50.200 -other modifiers.
50.201 -%\begin{warn}
50.202 -%Assumptions are simplified in a left-to-right fashion. If an
50.203 -%assumption can help in simplifying one to the left of it, this may get
50.204 -%overlooked. In such cases you have to rotate the assumptions explicitly:
50.205 -%\isacommand{apply}@ {text"("}\methdx{rotate_tac}~$n$@ {text")"}
50.206 -%causes a cyclic shift by $n$ positions from right to left, if $n$ is
50.207 -%positive, and from left to right, if $n$ is negative.
50.208 -%Beware that such rotations make proofs quite brittle.
50.209 -%\end{warn}%
50.210 -\end{isamarkuptext}%
50.211 -\isamarkuptrue%
50.212 -%
50.213 -\isamarkupsubsection{Rewriting with Definitions%
50.214 -}
50.215 -\isamarkuptrue%
50.216 -%
50.217 -\begin{isamarkuptext}%
50.218 -\label{sec:Simp-with-Defs}\index{simplification!with definitions}
50.219 -Constant definitions (\S\ref{sec:ConstDefinitions}) can be used as
50.220 -simplification rules, but by default they are not: the simplifier does not
50.221 -expand them automatically. Definitions are intended for introducing abstract
50.222 -concepts and not merely as abbreviations. Of course, we need to expand
50.223 -the definition initially, but once we have proved enough abstract properties
50.224 -of the new constant, we can forget its original definition. This style makes
50.225 -proofs more robust: if the definition has to be changed,
50.226 -only the proofs of the abstract properties will be affected.
50.227 -
50.228 -For example, given%
50.229 -\end{isamarkuptext}%
50.230 -\isamarkuptrue%
50.231 -\isacommand{definition}\isamarkupfalse%
50.232 -\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
50.233 -{\isaliteral{22}{\isachardoublequoteopen}}xor\ A\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
50.234 -\begin{isamarkuptext}%
50.235 -\noindent
50.236 -we may want to prove%
50.237 -\end{isamarkuptext}%
50.238 -\isamarkuptrue%
50.239 -\isacommand{lemma}\isamarkupfalse%
50.240 -\ {\isaliteral{22}{\isachardoublequoteopen}}xor\ A\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
50.241 -\isadelimproof
50.242 -%
50.243 -\endisadelimproof
50.244 -%
50.245 -\isatagproof
50.246 -%
50.247 -\begin{isamarkuptxt}%
50.248 -\noindent
50.249 -Typically, we begin by unfolding some definitions:
50.250 -\indexbold{definitions!unfolding}%
50.251 -\end{isamarkuptxt}%
50.252 -\isamarkuptrue%
50.253 -\isacommand{apply}\isamarkupfalse%
50.254 -{\isaliteral{28}{\isacharparenleft}}simp\ only{\isaliteral{3A}{\isacharcolon}}\ xor{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
50.255 -\begin{isamarkuptxt}%
50.256 -\noindent
50.257 -In this particular case, the resulting goal
50.258 -\begin{isabelle}%
50.259 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A%
50.260 -\end{isabelle}
50.261 -can be proved by simplification. Thus we could have proved the lemma outright by%
50.262 -\end{isamarkuptxt}%
50.263 -\isamarkuptrue%
50.264 -%
50.265 -\endisatagproof
50.266 -{\isafoldproof}%
50.267 -%
50.268 -\isadelimproof
50.269 -%
50.270 -\endisadelimproof
50.271 -%
50.272 -\isadelimproof
50.273 -%
50.274 -\endisadelimproof
50.275 -%
50.276 -\isatagproof
50.277 -\isacommand{apply}\isamarkupfalse%
50.278 -{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ xor{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
50.279 -\endisatagproof
50.280 -{\isafoldproof}%
50.281 -%
50.282 -\isadelimproof
50.283 -%
50.284 -\endisadelimproof
50.285 -%
50.286 -\begin{isamarkuptext}%
50.287 -\noindent
50.288 -Of course we can also unfold definitions in the middle of a proof.
50.289 -
50.290 -\begin{warn}
50.291 - If you have defined $f\,x\,y~\isasymequiv~t$ then you can only unfold
50.292 - occurrences of $f$ with at least two arguments. This may be helpful for unfolding
50.293 - $f$ selectively, but it may also get in the way. Defining
50.294 - $f$~\isasymequiv~\isasymlambda$x\,y.\;t$ allows to unfold all occurrences of $f$.
50.295 -\end{warn}
50.296 -
50.297 -There is also the special method \isa{unfold}\index{*unfold (method)|bold}
50.298 -which merely unfolds
50.299 -one or several definitions, as in \isacommand{apply}\isa{(unfold xor_def)}.
50.300 -This is can be useful in situations where \isa{simp} does too much.
50.301 -Warning: \isa{unfold} acts on all subgoals!%
50.302 -\end{isamarkuptext}%
50.303 -\isamarkuptrue%
50.304 -%
50.305 -\isamarkupsubsection{Simplifying {\tt\slshape let}-Expressions%
50.306 -}
50.307 -\isamarkuptrue%
50.308 -%
50.309 -\begin{isamarkuptext}%
50.310 -\index{simplification!of \isa{let}-expressions}\index{*let expressions}%
50.311 -Proving a goal containing \isa{let}-expressions almost invariably requires the
50.312 -\isa{let}-con\-structs to be expanded at some point. Since
50.313 -\isa{let}\ldots\isa{=}\ldots\isa{in}{\ldots} is just syntactic sugar for
50.314 -the predefined constant \isa{Let}, expanding \isa{let}-constructs
50.315 -means rewriting with \tdx{Let_def}:%
50.316 -\end{isamarkuptext}%
50.317 -\isamarkuptrue%
50.318 -\isacommand{lemma}\isamarkupfalse%
50.319 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}let\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ in\ xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{40}{\isacharat}}xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
50.320 -%
50.321 -\isadelimproof
50.322 -%
50.323 -\endisadelimproof
50.324 -%
50.325 -\isatagproof
50.326 -\isacommand{apply}\isamarkupfalse%
50.327 -{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ Let{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
50.328 -\isacommand{done}\isamarkupfalse%
50.329 -%
50.330 -\endisatagproof
50.331 -{\isafoldproof}%
50.332 -%
50.333 -\isadelimproof
50.334 -%
50.335 -\endisadelimproof
50.336 -%
50.337 -\begin{isamarkuptext}%
50.338 -If, in a particular context, there is no danger of a combinatorial explosion
50.339 -of nested \isa{let}s, you could even simplify with \isa{Let{\isaliteral{5F}{\isacharunderscore}}def} by
50.340 -default:%
50.341 -\end{isamarkuptext}%
50.342 -\isamarkuptrue%
50.343 -\isacommand{declare}\isamarkupfalse%
50.344 -\ Let{\isaliteral{5F}{\isacharunderscore}}def\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}%
50.345 -\isamarkupsubsection{Conditional Simplification Rules%
50.346 -}
50.347 -\isamarkuptrue%
50.348 -%
50.349 -\begin{isamarkuptext}%
50.350 -\index{conditional simplification rules}%
50.351 -So far all examples of rewrite rules were equations. The simplifier also
50.352 -accepts \emph{conditional} equations, for example%
50.353 -\end{isamarkuptext}%
50.354 -\isamarkuptrue%
50.355 -\isacommand{lemma}\isamarkupfalse%
50.356 -\ hd{\isaliteral{5F}{\isacharunderscore}}Cons{\isaliteral{5F}{\isacharunderscore}}tl{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ \ hd\ xs\ {\isaliteral{23}{\isacharhash}}\ tl\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
50.357 -%
50.358 -\isadelimproof
50.359 -%
50.360 -\endisadelimproof
50.361 -%
50.362 -\isatagproof
50.363 -\isacommand{apply}\isamarkupfalse%
50.364 -{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{29}{\isacharparenright}}\isanewline
50.365 -\isacommand{done}\isamarkupfalse%
50.366 -%
50.367 -\endisatagproof
50.368 -{\isafoldproof}%
50.369 -%
50.370 -\isadelimproof
50.371 -%
50.372 -\endisadelimproof
50.373 -%
50.374 -\begin{isamarkuptext}%
50.375 -\noindent
50.376 -Note the use of ``\ttindexboldpos{,}{$Isar}'' to string together a
50.377 -sequence of methods. Assuming that the simplification rule
50.378 -\isa{{\isaliteral{28}{\isacharparenleft}}rev\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}}
50.379 -is present as well,
50.380 -the lemma below is proved by plain simplification:%
50.381 -\end{isamarkuptext}%
50.382 -\isamarkuptrue%
50.383 -\isacommand{lemma}\isamarkupfalse%
50.384 -\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ hd{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ tl{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
50.385 -\isadelimproof
50.386 -%
50.387 -\endisadelimproof
50.388 -%
50.389 -\isatagproof
50.390 -%
50.391 -\endisatagproof
50.392 -{\isafoldproof}%
50.393 -%
50.394 -\isadelimproof
50.395 -%
50.396 -\endisadelimproof
50.397 -%
50.398 -\begin{isamarkuptext}%
50.399 -\noindent
50.400 -The conditional equation \isa{hd{\isaliteral{5F}{\isacharunderscore}}Cons{\isaliteral{5F}{\isacharunderscore}}tl} above
50.401 -can simplify \isa{hd\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ tl\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}} to \isa{rev\ xs}
50.402 -because the corresponding precondition \isa{rev\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}
50.403 -simplifies to \isa{xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, which is exactly the local
50.404 -assumption of the subgoal.%
50.405 -\end{isamarkuptext}%
50.406 -\isamarkuptrue%
50.407 -%
50.408 -\isamarkupsubsection{Automatic Case Splits%
50.409 -}
50.410 -\isamarkuptrue%
50.411 -%
50.412 -\begin{isamarkuptext}%
50.413 -\label{sec:AutoCaseSplits}\indexbold{case splits}%
50.414 -Goals containing \isa{if}-expressions\index{*if expressions!splitting of}
50.415 -are usually proved by case
50.416 -distinction on the boolean condition. Here is an example:%
50.417 -\end{isamarkuptext}%
50.418 -\isamarkuptrue%
50.419 -\isacommand{lemma}\isamarkupfalse%
50.420 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}xs{\isaliteral{2E}{\isachardot}}\ if\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ then\ rev\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ else\ rev\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
50.421 -\isadelimproof
50.422 -%
50.423 -\endisadelimproof
50.424 -%
50.425 -\isatagproof
50.426 -%
50.427 -\begin{isamarkuptxt}%
50.428 -\noindent
50.429 -The goal can be split by a special method, \methdx{split}:%
50.430 -\end{isamarkuptxt}%
50.431 -\isamarkuptrue%
50.432 -\isacommand{apply}\isamarkupfalse%
50.433 -{\isaliteral{28}{\isacharparenleft}}split\ split{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{29}{\isacharparenright}}%
50.434 -\begin{isamarkuptxt}%
50.435 -\noindent
50.436 -\begin{isabelle}%
50.437 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}xs{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ rev\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ rev\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}%
50.438 -\end{isabelle}
50.439 -where \tdx{split_if} is a theorem that expresses splitting of
50.440 -\isa{if}s. Because
50.441 -splitting the \isa{if}s is usually the right proof strategy, the
50.442 -simplifier does it automatically. Try \isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}}
50.443 -on the initial goal above.
50.444 -
50.445 -This splitting idea generalizes from \isa{if} to \sdx{case}.
50.446 -Let us simplify a case analysis over lists:\index{*list.split (theorem)}%
50.447 -\end{isamarkuptxt}%
50.448 -\isamarkuptrue%
50.449 -%
50.450 -\endisatagproof
50.451 -{\isafoldproof}%
50.452 -%
50.453 -\isadelimproof
50.454 -%
50.455 -\endisadelimproof
50.456 -\isacommand{lemma}\isamarkupfalse%
50.457 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ zs\ {\isaliteral{7C}{\isacharbar}}\ y{\isaliteral{23}{\isacharhash}}ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ y{\isaliteral{23}{\isacharhash}}{\isaliteral{28}{\isacharparenleft}}ys{\isaliteral{40}{\isacharat}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{40}{\isacharat}}zs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
50.458 -%
50.459 -\isadelimproof
50.460 -%
50.461 -\endisadelimproof
50.462 -%
50.463 -\isatagproof
50.464 -\isacommand{apply}\isamarkupfalse%
50.465 -{\isaliteral{28}{\isacharparenleft}}split\ list{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
50.466 -\begin{isamarkuptxt}%
50.467 -\begin{isabelle}%
50.468 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
50.469 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}a\ list{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ a\ {\isaliteral{23}{\isacharhash}}\ list\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ zs{\isaliteral{29}{\isacharparenright}}%
50.470 -\end{isabelle}
50.471 -The simplifier does not split
50.472 -\isa{case}-expressions, as it does \isa{if}-expressions,
50.473 -because with recursive datatypes it could lead to nontermination.
50.474 -Instead, the simplifier has a modifier
50.475 -\isa{split}\index{*split (modifier)}
50.476 -for adding splitting rules explicitly. The
50.477 -lemma above can be proved in one step by%
50.478 -\end{isamarkuptxt}%
50.479 -\isamarkuptrue%
50.480 -%
50.481 -\endisatagproof
50.482 -{\isafoldproof}%
50.483 -%
50.484 -\isadelimproof
50.485 -%
50.486 -\endisadelimproof
50.487 -%
50.488 -\isadelimproof
50.489 -%
50.490 -\endisadelimproof
50.491 -%
50.492 -\isatagproof
50.493 -\isacommand{apply}\isamarkupfalse%
50.494 -{\isaliteral{28}{\isacharparenleft}}simp\ split{\isaliteral{3A}{\isacharcolon}}\ list{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
50.495 -\endisatagproof
50.496 -{\isafoldproof}%
50.497 -%
50.498 -\isadelimproof
50.499 -%
50.500 -\endisadelimproof
50.501 -%
50.502 -\begin{isamarkuptext}%
50.503 -\noindent
50.504 -whereas \isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}} alone will not succeed.
50.505 -
50.506 -Every datatype $t$ comes with a theorem
50.507 -$t$\isa{{\isaliteral{2E}{\isachardot}}split} which can be declared to be a \bfindex{split rule} either
50.508 -locally as above, or by giving it the \attrdx{split} attribute globally:%
50.509 -\end{isamarkuptext}%
50.510 -\isamarkuptrue%
50.511 -\isacommand{declare}\isamarkupfalse%
50.512 -\ list{\isaliteral{2E}{\isachardot}}split\ {\isaliteral{5B}{\isacharbrackleft}}split{\isaliteral{5D}{\isacharbrackright}}%
50.513 -\begin{isamarkuptext}%
50.514 -\noindent
50.515 -The \isa{split} attribute can be removed with the \isa{del} modifier,
50.516 -either locally%
50.517 -\end{isamarkuptext}%
50.518 -\isamarkuptrue%
50.519 -%
50.520 -\isadelimproof
50.521 -%
50.522 -\endisadelimproof
50.523 -%
50.524 -\isatagproof
50.525 -\isacommand{apply}\isamarkupfalse%
50.526 -{\isaliteral{28}{\isacharparenleft}}simp\ split\ del{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{29}{\isacharparenright}}%
50.527 -\endisatagproof
50.528 -{\isafoldproof}%
50.529 -%
50.530 -\isadelimproof
50.531 -%
50.532 -\endisadelimproof
50.533 -%
50.534 -\begin{isamarkuptext}%
50.535 -\noindent
50.536 -or globally:%
50.537 -\end{isamarkuptext}%
50.538 -\isamarkuptrue%
50.539 -\isacommand{declare}\isamarkupfalse%
50.540 -\ list{\isaliteral{2E}{\isachardot}}split\ {\isaliteral{5B}{\isacharbrackleft}}split\ del{\isaliteral{5D}{\isacharbrackright}}%
50.541 -\begin{isamarkuptext}%
50.542 -Polished proofs typically perform splitting within \isa{simp} rather than
50.543 -invoking the \isa{split} method. However, if a goal contains
50.544 -several \isa{if} and \isa{case} expressions,
50.545 -the \isa{split} method can be
50.546 -helpful in selectively exploring the effects of splitting.
50.547 -
50.548 -The split rules shown above are intended to affect only the subgoal's
50.549 -conclusion. If you want to split an \isa{if} or \isa{case}-expression
50.550 -in the assumptions, you have to apply \tdx{split_if_asm} or
50.551 -$t$\isa{{\isaliteral{2E}{\isachardot}}split{\isaliteral{5F}{\isacharunderscore}}asm}:%
50.552 -\end{isamarkuptext}%
50.553 -\isamarkuptrue%
50.554 -\isacommand{lemma}\isamarkupfalse%
50.555 -\ {\isaliteral{22}{\isachardoublequoteopen}}if\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ then\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ else\ ys\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
50.556 -%
50.557 -\isadelimproof
50.558 -%
50.559 -\endisadelimproof
50.560 -%
50.561 -\isatagproof
50.562 -\isacommand{apply}\isamarkupfalse%
50.563 -{\isaliteral{28}{\isacharparenleft}}split\ split{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}%
50.564 -\begin{isamarkuptxt}%
50.565 -\noindent
50.566 -Unlike splitting the conclusion, this step creates two
50.567 -separate subgoals, which here can be solved by \isa{simp{\isaliteral{5F}{\isacharunderscore}}all}:
50.568 -\begin{isabelle}%
50.569 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3B}{\isacharsemicolon}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\isanewline
50.570 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3B}{\isacharsemicolon}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
50.571 -\end{isabelle}
50.572 -If you need to split both in the assumptions and the conclusion,
50.573 -use $t$\isa{{\isaliteral{2E}{\isachardot}}splits} which subsumes $t$\isa{{\isaliteral{2E}{\isachardot}}split} and
50.574 -$t$\isa{{\isaliteral{2E}{\isachardot}}split{\isaliteral{5F}{\isacharunderscore}}asm}. Analogously, there is \isa{if{\isaliteral{5F}{\isacharunderscore}}splits}.
50.575 -
50.576 -\begin{warn}
50.577 - The simplifier merely simplifies the condition of an
50.578 - \isa{if}\index{*if expressions!simplification of} but not the
50.579 - \isa{then} or \isa{else} parts. The latter are simplified only after the
50.580 - condition reduces to \isa{True} or \isa{False}, or after splitting. The
50.581 - same is true for \sdx{case}-expressions: only the selector is
50.582 - simplified at first, until either the expression reduces to one of the
50.583 - cases or it is split.
50.584 -\end{warn}%
50.585 -\end{isamarkuptxt}%
50.586 -\isamarkuptrue%
50.587 -%
50.588 -\endisatagproof
50.589 -{\isafoldproof}%
50.590 -%
50.591 -\isadelimproof
50.592 -%
50.593 -\endisadelimproof
50.594 -%
50.595 -\isamarkupsubsection{Tracing%
50.596 -}
50.597 -\isamarkuptrue%
50.598 -%
50.599 -\begin{isamarkuptext}%
50.600 -\indexbold{tracing the simplifier}
50.601 -Using the simplifier effectively may take a bit of experimentation. Set the
50.602 -Proof General flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgmenu{Trace Simplifier} to get a better idea of what is going on:%
50.603 -\end{isamarkuptext}%
50.604 -\isamarkuptrue%
50.605 -\isacommand{lemma}\isamarkupfalse%
50.606 -\ {\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{5B}{\isacharbrackleft}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
50.607 -%
50.608 -\isadelimproof
50.609 -%
50.610 -\endisadelimproof
50.611 -%
50.612 -\isatagproof
50.613 -\isacommand{apply}\isamarkupfalse%
50.614 -{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
50.615 -\endisatagproof
50.616 -{\isafoldproof}%
50.617 -%
50.618 -\isadelimproof
50.619 -%
50.620 -\endisadelimproof
50.621 -%
50.622 -\begin{isamarkuptext}%
50.623 -\noindent
50.624 -produces the following trace in Proof General's \pgmenu{Trace} buffer:
50.625 -
50.626 -\begin{ttbox}\makeatother
50.627 -[1]Applying instance of rewrite rule "List.rev.simps_2":
50.628 -rev (?x1 # ?xs1) \(\equiv\) rev ?xs1 @ [?x1]
50.629 -
50.630 -[1]Rewriting:
50.631 -rev [a] \(\equiv\) rev [] @ [a]
50.632 -
50.633 -[1]Applying instance of rewrite rule "List.rev.simps_1":
50.634 -rev [] \(\equiv\) []
50.635 -
50.636 -[1]Rewriting:
50.637 -rev [] \(\equiv\) []
50.638 -
50.639 -[1]Applying instance of rewrite rule "List.op @.append_Nil":
50.640 -[] @ ?y \(\equiv\) ?y
50.641 -
50.642 -[1]Rewriting:
50.643 -[] @ [a] \(\equiv\) [a]
50.644 -
50.645 -[1]Applying instance of rewrite rule
50.646 -?x2 # ?t1 = ?t1 \(\equiv\) False
50.647 -
50.648 -[1]Rewriting:
50.649 -[a] = [] \(\equiv\) False
50.650 -\end{ttbox}
50.651 -The trace lists each rule being applied, both in its general form and
50.652 -the instance being used. The \texttt{[}$i$\texttt{]} in front (where
50.653 -above $i$ is always \texttt{1}) indicates that we are inside the $i$th
50.654 -invocation of the simplifier. Each attempt to apply a
50.655 -conditional rule shows the rule followed by the trace of the
50.656 -(recursive!) simplification of the conditions, the latter prefixed by
50.657 -\texttt{[}$i+1$\texttt{]} instead of \texttt{[}$i$\texttt{]}.
50.658 -Another source of recursive invocations of the simplifier are
50.659 -proofs of arithmetic formulae. By default, recursive invocations are not shown,
50.660 -you must increase the trace depth via \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgmenu{Trace Simplifier Depth}.
50.661 -
50.662 -Many other hints about the simplifier's actions may appear.
50.663 -
50.664 -In more complicated cases, the trace can be very lengthy. Thus it is
50.665 -advisable to reset the \pgmenu{Trace Simplifier} flag after having
50.666 -obtained the desired trace.
50.667 -Since this is easily forgotten (and may have the unpleasant effect of
50.668 -swamping the interface with trace information), here is how you can switch
50.669 -the trace on locally in a proof:%
50.670 -\end{isamarkuptext}%
50.671 -\isamarkuptrue%
50.672 -%
50.673 -\isadelimproof
50.674 -%
50.675 -\endisadelimproof
50.676 -%
50.677 -\isatagproof
50.678 -\isacommand{using}\isamarkupfalse%
50.679 -\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5F}{\isacharunderscore}}trace{\isaliteral{3D}{\isacharequal}}true{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5D}{\isacharbrackright}}\isanewline
50.680 -\isacommand{apply}\isamarkupfalse%
50.681 -\ simp%
50.682 -\endisatagproof
50.683 -{\isafoldproof}%
50.684 -%
50.685 -\isadelimproof
50.686 -%
50.687 -\endisadelimproof
50.688 -%
50.689 -\begin{isamarkuptext}%
50.690 -\noindent
50.691 -Within the current proof, all simplifications in subsequent proof steps
50.692 -will be traced, but the text reminds you to remove the \isa{using} clause
50.693 -after it has done its job.%
50.694 -\end{isamarkuptext}%
50.695 -\isamarkuptrue%
50.696 -%
50.697 -\isamarkupsubsection{Finding Theorems\label{sec:find}%
50.698 -}
50.699 -\isamarkuptrue%
50.700 -%
50.701 -\begin{isamarkuptext}%
50.702 -\indexbold{finding theorems}\indexbold{searching theorems}
50.703 -Isabelle's large database of proved theorems
50.704 -offers a powerful search engine. Its chief limitation is
50.705 -its restriction to the theories currently loaded.
50.706 -
50.707 -\begin{pgnote}
50.708 -The search engine is started by clicking on Proof General's \pgmenu{Find} icon.
50.709 -You specify your search textually in the input buffer at the bottom
50.710 -of the window.
50.711 -\end{pgnote}
50.712 -
50.713 -The simplest form of search finds theorems containing specified
50.714 -patterns. A pattern can be any term (even
50.715 -a single identifier). It may contain ``\texttt{\_}'', a wildcard standing
50.716 -for any term. Here are some
50.717 -examples:
50.718 -\begin{ttbox}
50.719 -length
50.720 -"_ # _ = _ # _"
50.721 -"_ + _"
50.722 -"_ * (_ - (_::nat))"
50.723 -\end{ttbox}
50.724 -Specifying types, as shown in the last example,
50.725 -constrains searches involving overloaded operators.
50.726 -
50.727 -\begin{warn}
50.728 -Always use ``\texttt{\_}'' rather than variable names: searching for
50.729 -\texttt{"x + y"} will usually not find any matching theorems
50.730 -because they would need to contain \texttt{x} and~\texttt{y} literally.
50.731 -When searching for infix operators, do not just type in the symbol,
50.732 -such as~\texttt{+}, but a proper term such as \texttt{"_ + _"}.
50.733 -This remark applies to more complicated syntaxes, too.
50.734 -\end{warn}
50.735 -
50.736 -If you are looking for rewrite rules (possibly conditional) that could
50.737 -simplify some term, prefix the pattern with \texttt{simp:}.
50.738 -\begin{ttbox}
50.739 -simp: "_ * (_ + _)"
50.740 -\end{ttbox}
50.741 -This finds \emph{all} equations---not just those with a \isa{simp} attribute---whose conclusion has the form
50.742 -\begin{isabelle}%
50.743 -\ \ \ \ \ {\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}%
50.744 -\end{isabelle}
50.745 -It only finds equations that can simplify the given pattern
50.746 -at the root, not somewhere inside: for example, equations of the form
50.747 -\isa{{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}} do not match.
50.748 -
50.749 -You may also search for theorems by name---you merely
50.750 -need to specify a substring. For example, you could search for all
50.751 -commutativity theorems like this:
50.752 -\begin{ttbox}
50.753 -name: comm
50.754 -\end{ttbox}
50.755 -This retrieves all theorems whose name contains \texttt{comm}.
50.756 -
50.757 -Search criteria can also be negated by prefixing them with ``\texttt{-}''.
50.758 -For example,
50.759 -\begin{ttbox}
50.760 --name: List
50.761 -\end{ttbox}
50.762 -finds theorems whose name does not contain \texttt{List}. You can use this
50.763 -to exclude particular theories from the search: the long name of
50.764 -a theorem contains the name of the theory it comes from.
50.765 -
50.766 -Finallly, different search criteria can be combined arbitrarily.
50.767 -The effect is conjuctive: Find returns the theorems that satisfy all of
50.768 -the criteria. For example,
50.769 -\begin{ttbox}
50.770 -"_ + _" -"_ - _" -simp: "_ * (_ + _)" name: assoc
50.771 -\end{ttbox}
50.772 -looks for theorems containing plus but not minus, and which do not simplify
50.773 -\mbox{\isa{{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{29}{\isacharparenright}}}} at the root, and whose name contains \texttt{assoc}.
50.774 -
50.775 -Further search criteria are explained in \S\ref{sec:find2}.
50.776 -
50.777 -\begin{pgnote}
50.778 -Proof General keeps a history of all your search expressions.
50.779 -If you click on \pgmenu{Find}, you can use the arrow keys to scroll
50.780 -through previous searches and just modify them. This saves you having
50.781 -to type in lengthy expressions again and again.
50.782 -\end{pgnote}%
50.783 -\end{isamarkuptext}%
50.784 -\isamarkuptrue%
50.785 -%
50.786 -\isadelimtheory
50.787 -%
50.788 -\endisadelimtheory
50.789 -%
50.790 -\isatagtheory
50.791 -%
50.792 -\endisatagtheory
50.793 -{\isafoldtheory}%
50.794 -%
50.795 -\isadelimtheory
50.796 -%
50.797 -\endisadelimtheory
50.798 -\end{isabellebody}%
50.799 -%%% Local Variables:
50.800 -%%% mode: latex
50.801 -%%% TeX-master: "root"
50.802 -%%% End:
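--- a/doc-src/TutorialI/Misc/document/types.tex Thu Jul 26 16:08:16 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,75 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{types}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
-\ number\ {\isaliteral{3D}{\isacharequal}}\ nat\isanewline
-\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
-\ gate\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{29}{\isacharparenright}}\ alist\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{29}{\isacharparenright}}\ list{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Internally all synonyms are fully expanded. As a consequence Isabelle's
-output never contains synonyms. Their main purpose is to improve the
-readability of theories. Synonyms can be used just like any other
-type.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Constant Definitions%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:ConstDefinitions}\indexbold{definitions}%
-Nonrecursive definitions can be made with the \commdx{definition}
-command, for example \isa{nand} and \isa{xor} gates
-(based on type \isa{gate} above):%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ nand\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ gate\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}nand\ A\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}{\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isacommand{definition}\isamarkupfalse%
-\ xor\ \ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ gate\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}xor\ \ A\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}B\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent%
-The symbol \indexboldpos{\isasymequiv}{$IsaEq} is a special form of equality
-that must be used in constant definitions.
-Pattern-matching is not allowed: each definition must be of
-the form $f\,x@1\,\dots\,x@n~\isasymequiv~t$.
-Section~\ref{sec:Simp-with-Defs} explains how definitions are used
-in proofs. The default name of each definition is $f$\isa{{\isaliteral{5F}{\isacharunderscore}}def}, where
-$f$ is the name of the defined constant.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End: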
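--- a/doc-src/TutorialI/Misc/pairs.thy Thu Jul 26 16:08:16 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,35 +0,0 @@
-(*<*)
-theory pairs imports Main begin;
-(*>*)
-text{*\label{sec:pairs}\index{pairs and tuples}
-HOL also has ordered pairs: \isa{($a@1$,$a@2$)} is of type $\tau@1$
-\indexboldpos{\isasymtimes}{$Isatype} $\tau@2$ provided each $a@i$ is of type
-$\tau@i$. The functions \cdx{fst} and
-\cdx{snd} extract the components of a pair:
- \isa{fst($x$,$y$) = $x$} and \isa{snd($x$,$y$) = $y$}. Tuples
-are simulated by pairs nested to the right: \isa{($a@1$,$a@2$,$a@3$)} stands
-for \isa{($a@1$,($a@2$,$a@3$))} and $\tau@1 \times \tau@2 \times \tau@3$ for
-$\tau@1 \times (\tau@2 \times \tau@3)$. Therefore we have
-\isa{fst(snd($a@1$,$a@2$,$a@3$)) = $a@2$}.
-
-Remarks:
-\begin{itemize}
-\item
-There is also the type \tydx{unit}, which contains exactly one
-element denoted by~\cdx{()}. This type can be viewed
-as a degenerate product with 0 components.
-\item
-Products, like type @{typ nat}, are datatypes, which means
-in particular that @{text induct_tac} and @{text case_tac} are applicable to
-terms of product type.
-Both split the term into a number of variables corresponding to the tuple structure
-(up to 7 components).
-\item
-Tuples with more than two or three components become unwieldy;
-records are preferable.
-\end{itemize}
-For more information on pairs and records see Chapter~\ref{ch:more-types}.
-*}
-(*<*)
-end
-(*>*)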
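--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/Misc/pairs2.thy Thu Jul 26 19:59:06 2012 +0200
@@ -0,0 +1,35 @@
+(*<*)
+theory pairs2 imports Main begin;
+(*>*)
+text{*\label{sec:pairs}\index{pairs and tuples}
+HOL also has ordered pairs: \isa{($a@1$,$a@2$)} is of type $\tau@1$
+\indexboldpos{\isasymtimes}{$Isatype} $\tau@2$ provided each $a@i$ is of type
+$\tau@i$. The functions \cdx{fst} and
+\cdx{snd} extract the components of a pair:
+ \isa{fst($x$,$y$) = $x$} and \isa{snd($x$,$y$) = $y$}. Tuples
+are simulated by pairs nested to the right: \isa{($a@1$,$a@2$,$a@3$)} stands
+for \isa{($a@1$,($a@2$,$a@3$))} and $\tau@1 \times \tau@2 \times \tau@3$ for
+$\tau@1 \times (\tau@2 \times \tau@3)$. Therefore we have
+\isa{fst(snd($a@1$,$a@2$,$a@3$)) = $a@2$}.
+
+Remarks:
+\begin{itemize}
+\item
+There is also the type \tydx{unit}, which contains exactly one
+element denoted by~\cdx{()}. This type can be viewed
+as a degenerate product with 0 components.
+\item
+Products, like type @{typ nat}, are datatypes, which means
+in particular that @{text induct_tac} and @{text case_tac} are applicable to
+terms of product type.
+Both split the term into a number of variables corresponding to the tuple structure
+(up to 7 components).
+\item
+Tuples with more than two or three components become unwieldy;
+records are preferable.
+\end{itemize}
+For more information on pairs and records see Chapter~\ref{ch:more-types}.
+*}
+(*<*)
+end
+(*>*)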
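--- a/doc-src/TutorialI/Protocol/ROOT.ML Thu Jul 26 16:08:16 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,6 +0,0 @@
-(*
-To update:
-cp /home/lcp/isabelle/Repos/HOL/Auth/{Message.thy,Message_lemmas.ML,Event.thy,Event_lemmas.ML,Public.thy,Public_lemmas.ML,NS_Public.thy} .
-*)
-
-use_thy "NS_Public";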
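--- a/doc-src/TutorialI/Protocol/document/Event.tex Thu Jul 26 16:08:16 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,518 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Event}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isamarkupsection{Event Traces \label{sec:events}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-The system's behaviour is formalized as a set of traces of
-\emph{events}. The most important event, \isa{Says\ A\ B\ X}, expresses
-$A\to B : X$, which is the attempt by~$A$ to send~$B$ the message~$X$.
-A trace is simply a list, constructed in reverse
-using~\isa{{\isaliteral{23}{\isacharhash}}}. Other event types include reception of messages (when
-we want to make it explicit) and an agent's storing a fact.
-
-Sometimes the protocol requires an agent to generate a new nonce. The
-probability that a 20-byte random number has appeared before is effectively
-zero. To formalize this important property, the set \isa{used\ evs}
-denotes the set of all items mentioned in the trace~\isa{evs}.
-The function \isa{used} has a straightforward
-recursive definition. Here is the case for \isa{Says} event:
-\begin{isabelle}%
-\ \ \ \ \ used\ {\isaliteral{28}{\isacharparenleft}}Says\ A\ B\ X\ {\isaliteral{23}{\isacharhash}}\ evs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ parts\ {\isaliteral{7B}{\isacharbraceleft}}X{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ used\ evs%
-\end{isabelle}
-
-The function \isa{knows} formalizes an agent's knowledge. Mostly we only
-care about the spy's knowledge, and \isa{knows\ Spy\ evs} is the set of items
-available to the spy in the trace~\isa{evs}. Already in the empty trace,
-the spy starts with some secrets at his disposal, such as the private keys
-of compromised users. After each \isa{Says} event, the spy learns the
-message that was sent:
-\begin{isabelle}%
-\ \ \ \ \ knows\ Spy\ {\isaliteral{28}{\isacharparenleft}}Says\ A\ B\ X\ {\isaliteral{23}{\isacharhash}}\ evs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ insert\ X\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-Combinations of functions express other important
-sets of messages derived from~\isa{evs}:
-\begin{itemize}
-\item \isa{analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}} is everything that the spy could
-learn by decryption
-\item \isa{synth\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}} is everything that the spy
-could generate
-\end{itemize}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End: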
56.1 --- a/doc-src/TutorialI/Protocol/document/Message.tex Thu Jul 26 16:08:16 2012 +0200
56.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
56.3 @@ -1,1638 +0,0 @@
56.4 -%
56.5 -\begin{isabellebody}%
56.6 -\def\isabellecontext{Message}%
56.7 -%
56.8 -\isadelimtheory
56.9 -%
56.10 -\endisadelimtheory
56.11 -%
56.12 -\isatagtheory
56.13 -%
56.14 -\endisatagtheory
56.15 -{\isafoldtheory}%
56.16 -%
56.17 -\isadelimtheory
56.18 -%
56.19 -\endisadelimtheory
56.20 -%
56.21 -\isadelimML
56.22 -%
56.23 -\endisadelimML
56.24 -%
56.25 -\isatagML
56.26 -%
56.27 -\endisatagML
56.28 -{\isafoldML}%
56.29 -%
56.30 -\isadelimML
56.31 -%
56.32 -\endisadelimML
56.33 -%
56.34 -\isadelimproof
56.35 -%
56.36 -\endisadelimproof
56.37 -%
56.38 -\isatagproof
56.39 -%
56.40 -\endisatagproof
56.41 -{\isafoldproof}%
56.42 -%
56.43 -\isadelimproof
56.44 -%
56.45 -\endisadelimproof
56.46 -%
56.47 -\isamarkupsection{Agents and Messages%
56.48 -}
56.49 -\isamarkuptrue%
56.50 -%
56.51 -\begin{isamarkuptext}%
56.52 -All protocol specifications refer to a syntactic theory of messages.
56.53 -Datatype
56.54 -\isa{agent} introduces the constant \isa{Server} (a trusted central
56.55 -machine, needed for some protocols), an infinite population of
56.56 -friendly agents, and the~\isa{Spy}:%
56.57 -\end{isamarkuptext}%
56.58 -\isamarkuptrue%
56.59 -\isacommand{datatype}\isamarkupfalse%
56.60 -\ agent\ {\isaliteral{3D}{\isacharequal}}\ Server\ {\isaliteral{7C}{\isacharbar}}\ Friend\ nat\ {\isaliteral{7C}{\isacharbar}}\ Spy%
56.61 -\begin{isamarkuptext}%
56.62 -Keys are just natural numbers. Function \isa{invKey} maps a public key to
56.63 -the matching private key, and vice versa:%
56.64 -\end{isamarkuptext}%
56.65 -\isamarkuptrue%
56.66 -\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
56.67 -\ key\ {\isaliteral{3D}{\isacharequal}}\ nat\isanewline
56.68 -\isacommand{consts}\isamarkupfalse%
56.69 -\ invKey\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}key\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ key{\isaliteral{22}{\isachardoublequoteclose}}%
56.70 -\isadelimproof
56.71 -%
56.72 -\endisadelimproof
56.73 -%
56.74 -\isatagproof
56.75 -%
56.76 -\endisatagproof
56.77 -{\isafoldproof}%
56.78 -%
56.79 -\isadelimproof
56.80 -%
56.81 -\endisadelimproof
56.82 -%
56.83 -\begin{isamarkuptext}%
56.84 -Datatype
56.85 -\isa{msg} introduces the message forms, which include agent names, nonces,
56.86 -keys, compound messages, and encryptions.%
56.87 -\end{isamarkuptext}%
56.88 -\isamarkuptrue%
56.89 -\isacommand{datatype}\isamarkupfalse%
56.90 -\isanewline
56.91 -\ \ \ \ \ msg\ {\isaliteral{3D}{\isacharequal}}\ Agent\ \ agent\isanewline
56.92 -\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Nonce\ \ nat\isanewline
56.93 -\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Key\ \ \ \ key\isanewline
56.94 -\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ MPair\ \ msg\ msg\isanewline
56.95 -\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Crypt\ \ key\ msg%
56.96 -\begin{isamarkuptext}%
56.97 -\noindent
56.98 -The notation $\comp{X\sb 1,\ldots X\sb{n-1},X\sb n}$
56.99 -abbreviates
56.100 -$\isa{MPair}\,X\sb 1\,\ldots\allowbreak(\isa{MPair}\,X\sb{n-1}\,X\sb n)$.
56.101 -
56.102 -Since datatype constructors are injective, we have the theorem
56.103 -\begin{isabelle}%
56.104 -Crypt\ K\ X\ {\isaliteral{3D}{\isacharequal}}\ Crypt\ K{\isaliteral{27}{\isacharprime}}\ X{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ K\ {\isaliteral{3D}{\isacharequal}}\ K{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ X\ {\isaliteral{3D}{\isacharequal}}\ X{\isaliteral{27}{\isacharprime}}%
56.105 -\end{isabelle}
56.106 -A ciphertext can be decrypted using only one key and
56.107 -can yield only one plaintext. In the real world, decryption with the
56.108 -wrong key succeeds but yields garbage. Our model of encryption is
56.109 -realistic if encryption adds some redundancy to the plaintext, such as a
56.110 -checksum, so that garbage can be detected.%
56.111 -\end{isamarkuptext}%
56.112 -\isamarkuptrue%
56.113 -%
56.114 -\isadelimproof
56.115 -%
56.116 -\endisadelimproof
56.117 -%
56.118 -\isatagproof
56.119 -%
56.120 -\endisatagproof
56.121 -{\isafoldproof}%
56.122 -%
56.123 -\isadelimproof
56.124 -%
56.125 -\endisadelimproof
56.126 -%
56.127 -\isadelimproof
56.128 -%
56.129 -\endisadelimproof
56.130 -%
56.131 -\isatagproof
56.132 -%
56.133 -\endisatagproof
56.134 -{\isafoldproof}%
56.135 -%
56.136 -\isadelimproof
56.137 -%
56.138 -\endisadelimproof
56.139 -%
56.140 -\isadelimproof
56.141 -%
56.142 -\endisadelimproof
56.143 -%
56.144 -\isatagproof
56.145 -%
56.146 -\endisatagproof
56.147 -{\isafoldproof}%
56.148 -%
56.149 -\isadelimproof
56.150 -%
56.151 -\endisadelimproof
56.152 -%
56.153 -\isadelimproof
56.154 -%
56.155 -\endisadelimproof
56.156 -%
56.157 -\isatagproof
56.158 -%
56.159 -\endisatagproof
56.160 -{\isafoldproof}%
56.161 -%
56.162 -\isadelimproof
56.163 -%
56.164 -\endisadelimproof
56.165 -%
56.166 -\isadelimproof
56.167 -%
56.168 -\endisadelimproof
56.169 -%
56.170 -\isatagproof
56.171 -%
56.172 -\endisatagproof
56.173 -{\isafoldproof}%
56.174 -%
56.175 -\isadelimproof
56.176 -%
56.177 -\endisadelimproof
56.178 -%
56.179 -\isadelimproof
56.180 -%
56.181 -\endisadelimproof
56.182 -%
56.183 -\isatagproof
56.184 -%
56.185 -\endisatagproof
56.186 -{\isafoldproof}%
56.187 -%
56.188 -\isadelimproof
56.189 -%
56.190 -\endisadelimproof
56.191 -%
56.192 -\isadelimproof
56.193 -%
56.194 -\endisadelimproof
56.195 -%
56.196 -\isatagproof
56.197 -%
56.198 -\endisatagproof
56.199 -{\isafoldproof}%
56.200 -%
56.201 -\isadelimproof
56.202 -%
56.203 -\endisadelimproof
56.204 -%
56.205 -\isadelimproof
56.206 -%
56.207 -\endisadelimproof
56.208 -%
56.209 -\isatagproof
56.210 -%
56.211 -\endisatagproof
56.212 -{\isafoldproof}%
56.213 -%
56.214 -\isadelimproof
56.215 -%
56.216 -\endisadelimproof
56.217 -%
56.218 -\isadelimproof
56.219 -%
56.220 -\endisadelimproof
56.221 -%
56.222 -\isatagproof
56.223 -%
56.224 -\endisatagproof
56.225 -{\isafoldproof}%
56.226 -%
56.227 -\isadelimproof
56.228 -%
56.229 -\endisadelimproof
56.230 -%
56.231 -\isadelimproof
56.232 -%
56.233 -\endisadelimproof
56.234 -%
56.235 -\isatagproof
56.236 -%
56.237 -\endisatagproof
56.238 -{\isafoldproof}%
56.239 -%
56.240 -\isadelimproof
56.241 -%
56.242 -\endisadelimproof
56.243 -%
56.244 -\isadelimproof
56.245 -%
56.246 -\endisadelimproof
56.247 -%
56.248 -\isatagproof
56.249 -%
56.250 -\endisatagproof
56.251 -{\isafoldproof}%
56.252 -%
56.253 -\isadelimproof
56.254 -%
56.255 -\endisadelimproof
56.256 -%
56.257 -\isadelimproof
56.258 -%
56.259 -\endisadelimproof
56.260 -%
56.261 -\isatagproof
56.262 -%
56.263 -\endisatagproof
56.264 -{\isafoldproof}%
56.265 -%
56.266 -\isadelimproof
56.267 -%
56.268 -\endisadelimproof
56.269 -%
56.270 -\isadelimproof
56.271 -%
56.272 -\endisadelimproof
56.273 -%
56.274 -\isatagproof
56.275 -%
56.276 -\endisatagproof
56.277 -{\isafoldproof}%
56.278 -%
56.279 -\isadelimproof
56.280 -%
56.281 -\endisadelimproof
56.282 -%
56.283 -\isadelimproof
56.284 -%
56.285 -\endisadelimproof
56.286 -%
56.287 -\isatagproof
56.288 -%
56.289 -\endisatagproof
56.290 -{\isafoldproof}%
56.291 -%
56.292 -\isadelimproof
56.293 -%
56.294 -\endisadelimproof
56.295 -%
56.296 -\isadelimproof
56.297 -%
56.298 -\endisadelimproof
56.299 -%
56.300 -\isatagproof
56.301 -%
56.302 -\endisatagproof
56.303 -{\isafoldproof}%
56.304 -%
56.305 -\isadelimproof
56.306 -%
56.307 -\endisadelimproof
56.308 -%
56.309 -\isadelimproof
56.310 -%
56.311 -\endisadelimproof
56.312 -%
56.313 -\isatagproof
56.314 -%
56.315 -\endisatagproof
56.316 -{\isafoldproof}%
56.317 -%
56.318 -\isadelimproof
56.319 -%
56.320 -\endisadelimproof
56.321 -%
56.322 -\isadelimproof
56.323 -%
56.324 -\endisadelimproof
56.325 -%
56.326 -\isatagproof
56.327 -%
56.328 -\endisatagproof
56.329 -{\isafoldproof}%
56.330 -%
56.331 -\isadelimproof
56.332 -%
56.333 -\endisadelimproof
56.334 -%
56.335 -\isadelimproof
56.336 -%
56.337 -\endisadelimproof
56.338 -%
56.339 -\isatagproof
56.340 -%
56.341 -\endisatagproof
56.342 -{\isafoldproof}%
56.343 -%
56.344 -\isadelimproof
56.345 -%
56.346 -\endisadelimproof
56.347 -%
56.348 -\isadelimproof
56.349 -%
56.350 -\endisadelimproof
56.351 -%
56.352 -\isatagproof
56.353 -%
56.354 -\endisatagproof
56.355 -{\isafoldproof}%
56.356 -%
56.357 -\isadelimproof
56.358 -%
56.359 -\endisadelimproof
56.360 -%
56.361 -\isadelimproof
56.362 -%
56.363 -\endisadelimproof
56.364 -%
56.365 -\isatagproof
56.366 -%
56.367 -\endisatagproof
56.368 -{\isafoldproof}%
56.369 -%
56.370 -\isadelimproof
56.371 -%
56.372 -\endisadelimproof
56.373 -%
56.374 -\isadelimproof
56.375 -%
56.376 -\endisadelimproof
56.377 -%
56.378 -\isatagproof
56.379 -%
56.380 -\endisatagproof
56.381 -{\isafoldproof}%
56.382 -%
56.383 -\isadelimproof
56.384 -%
56.385 -\endisadelimproof
56.386 -%
56.387 -\isadelimproof
56.388 -%
56.389 -\endisadelimproof
56.390 -%
56.391 -\isatagproof
56.392 -%
56.393 -\endisatagproof
56.394 -{\isafoldproof}%
56.395 -%
56.396 -\isadelimproof
56.397 -%
56.398 -\endisadelimproof
56.399 -%
56.400 -\isadelimproof
56.401 -%
56.402 -\endisadelimproof
56.403 -%
56.404 -\isatagproof
56.405 -%
56.406 -\endisatagproof
56.407 -{\isafoldproof}%
56.408 -%
56.409 -\isadelimproof
56.410 -%
56.411 -\endisadelimproof
56.412 -%
56.413 -\isadelimproof
56.414 -%
56.415 -\endisadelimproof
56.416 -%
56.417 -\isatagproof
56.418 -%
56.419 -\endisatagproof
56.420 -{\isafoldproof}%
56.421 -%
56.422 -\isadelimproof
56.423 -%
56.424 -\endisadelimproof
56.425 -%
56.426 -\isadelimproof
56.427 -%
56.428 -\endisadelimproof
56.429 -%
56.430 -\isatagproof
56.431 -%
56.432 -\endisatagproof
56.433 -{\isafoldproof}%
56.434 -%
56.435 -\isadelimproof
56.436 -%
56.437 -\endisadelimproof
56.438 -%
56.439 -\isadelimproof
56.440 -%
56.441 -\endisadelimproof
56.442 -%
56.443 -\isatagproof
56.444 -%
56.445 -\endisatagproof
56.446 -{\isafoldproof}%
56.447 -%
56.448 -\isadelimproof
56.449 -%
56.450 -\endisadelimproof
56.451 -%
56.452 -\isadelimproof
56.453 -%
56.454 -\endisadelimproof
56.455 -%
56.456 -\isatagproof
56.457 -%
56.458 -\endisatagproof
56.459 -{\isafoldproof}%
56.460 -%
56.461 -\isadelimproof
56.462 -%
56.463 -\endisadelimproof
56.464 -%
56.465 -\isadelimproof
56.466 -%
56.467 -\endisadelimproof
56.468 -%
56.469 -\isatagproof
56.470 -%
56.471 -\endisatagproof
56.472 -{\isafoldproof}%
56.473 -%
56.474 -\isadelimproof
56.475 -%
56.476 -\endisadelimproof
56.477 -%
56.478 -\isadelimproof
56.479 -%
56.480 -\endisadelimproof
56.481 -%
56.482 -\isatagproof
56.483 -%
56.484 -\endisatagproof
56.485 -{\isafoldproof}%
56.486 -%
56.487 -\isadelimproof
56.488 -%
56.489 -\endisadelimproof
56.490 -%
56.491 -\isadelimproof
56.492 -%
56.493 -\endisadelimproof
56.494 -%
56.495 -\isatagproof
56.496 -%
56.497 -\endisatagproof
56.498 -{\isafoldproof}%
56.499 -%
56.500 -\isadelimproof
56.501 -%
56.502 -\endisadelimproof
56.503 -%
56.504 -\isadelimproof
56.505 -%
56.506 -\endisadelimproof
56.507 -%
56.508 -\isatagproof
56.509 -%
56.510 -\endisatagproof
56.511 -{\isafoldproof}%
56.512 -%
56.513 -\isadelimproof
56.514 -%
56.515 -\endisadelimproof
56.516 -%
56.517 -\isadelimproof
56.518 -%
56.519 -\endisadelimproof
56.520 -%
56.521 -\isatagproof
56.522 -%
56.523 -\endisatagproof
56.524 -{\isafoldproof}%
56.525 -%
56.526 -\isadelimproof
56.527 -%
56.528 -\endisadelimproof
56.529 -%
56.530 -\isadelimproof
56.531 -%
56.532 -\endisadelimproof
56.533 -%
56.534 -\isatagproof
56.535 -%
56.536 -\endisatagproof
56.537 -{\isafoldproof}%
56.538 -%
56.539 -\isadelimproof
56.540 -%
56.541 -\endisadelimproof
56.542 -%
56.543 -\isadelimproof
56.544 -%
56.545 -\endisadelimproof
56.546 -%
56.547 -\isatagproof
56.548 -%
56.549 -\endisatagproof
56.550 -{\isafoldproof}%
56.551 -%
56.552 -\isadelimproof
56.553 -%
56.554 -\endisadelimproof
56.555 -%
56.556 -\isadelimproof
56.557 -%
56.558 -\endisadelimproof
56.559 -%
56.560 -\isatagproof
56.561 -%
56.562 -\endisatagproof
56.563 -{\isafoldproof}%
56.564 -%
56.565 -\isadelimproof
56.566 -%
56.567 -\endisadelimproof
56.568 -%
56.569 -\isadelimproof
56.570 -%
56.571 -\endisadelimproof
56.572 -%
56.573 -\isatagproof
56.574 -%
56.575 -\endisatagproof
56.576 -{\isafoldproof}%
56.577 -%
56.578 -\isadelimproof
56.579 -%
56.580 -\endisadelimproof
56.581 -%
56.582 -\isadelimproof
56.583 -%
56.584 -\endisadelimproof
56.585 -%
56.586 -\isatagproof
56.587 -%
56.588 -\endisatagproof
56.589 -{\isafoldproof}%
56.590 -%
56.591 -\isadelimproof
56.592 -%
56.593 -\endisadelimproof
56.594 -%
56.595 -\isadelimproof
56.596 -%
56.597 -\endisadelimproof
56.598 -%
56.599 -\isatagproof
56.600 -%
56.601 -\endisatagproof
56.602 -{\isafoldproof}%
56.603 -%
56.604 -\isadelimproof
56.605 -%
56.606 -\endisadelimproof
56.607 -%
56.608 -\isadelimproof
56.609 -%
56.610 -\endisadelimproof
56.611 -%
56.612 -\isatagproof
56.613 -%
56.614 -\endisatagproof
56.615 -{\isafoldproof}%
56.616 -%
56.617 -\isadelimproof
56.618 -%
56.619 -\endisadelimproof
56.620 -%
56.621 -\isadelimproof
56.622 -%
56.623 -\endisadelimproof
56.624 -%
56.625 -\isatagproof
56.626 -%
56.627 -\endisatagproof
56.628 -{\isafoldproof}%
56.629 -%
56.630 -\isadelimproof
56.631 -%
56.632 -\endisadelimproof
56.633 -%
56.634 -\isadelimproof
56.635 -%
56.636 -\endisadelimproof
56.637 -%
56.638 -\isatagproof
56.639 -%
56.640 -\endisatagproof
56.641 -{\isafoldproof}%
56.642 -%
56.643 -\isadelimproof
56.644 -%
56.645 -\endisadelimproof
56.646 -%
56.647 -\isadelimproof
56.648 -%
56.649 -\endisadelimproof
56.650 -%
56.651 -\isatagproof
56.652 -%
56.653 -\endisatagproof
56.654 -{\isafoldproof}%
56.655 -%
56.656 -\isadelimproof
56.657 -%
56.658 -\endisadelimproof
56.659 -%
56.660 -\isadelimproof
56.661 -%
56.662 -\endisadelimproof
56.663 -%
56.664 -\isatagproof
56.665 -%
56.666 -\endisatagproof
56.667 -{\isafoldproof}%
56.668 -%
56.669 -\isadelimproof
56.670 -%
56.671 -\endisadelimproof
56.672 -%
56.673 -\isamarkupsection{Modelling the Adversary%
56.674 -}
56.675 -\isamarkuptrue%
56.676 -%
56.677 -\begin{isamarkuptext}%
56.678 -The spy is part of the system and must be built into the model. He is
56.679 -a malicious user who does not have to follow the protocol. He
56.680 -watches the network and uses any keys he knows to decrypt messages.
56.681 -Thus he accumulates additional keys and nonces. These he can use to
56.682 -compose new messages, which he may send to anybody.
56.683 -
56.684 -Two functions enable us to formalize this behaviour: \isa{analz} and
56.685 -\isa{synth}. Each function maps a sets of messages to another set of
56.686 -messages. The set \isa{analz\ H} formalizes what the adversary can learn
56.687 -from the set of messages~$H$. The closure properties of this set are
56.688 -defined inductively.%
56.689 -\end{isamarkuptext}%
56.690 -\isamarkuptrue%
56.691 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
56.692 -\isanewline
56.693 -\ \ analz\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
56.694 -\ \ \isakeyword{for}\ H\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
56.695 -\ \ \isakeyword{where}\isanewline
56.696 -\ \ \ \ Inj\ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{2C}{\isacharcomma}}simp{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
56.697 -\ \ {\isaliteral{7C}{\isacharbar}}\ Fst{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
56.698 -\ \ {\isaliteral{7C}{\isacharbar}}\ Snd{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
56.699 -\ \ {\isaliteral{7C}{\isacharbar}}\ Decrypt\ {\isaliteral{5B}{\isacharbrackleft}}dest{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ \isanewline
56.700 -\ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{3B}{\isacharsemicolon}}\ Key{\isaliteral{28}{\isacharparenleft}}invKey\ K{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
56.701 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}%
56.702 -\isadelimproof
56.703 -%
56.704 -\endisadelimproof
56.705 -%
56.706 -\isatagproof
56.707 -%
56.708 -\endisatagproof
56.709 -{\isafoldproof}%
56.710 -%
56.711 -\isadelimproof
56.712 -%
56.713 -\endisadelimproof
56.714 -%
56.715 -\isadelimproof
56.716 -%
56.717 -\endisadelimproof
56.718 -%
56.719 -\isatagproof
56.720 -%
56.721 -\endisatagproof
56.722 -{\isafoldproof}%
56.723 -%
56.724 -\isadelimproof
56.725 -%
56.726 -\endisadelimproof
56.727 -%
56.728 -\isadelimproof
56.729 -%
56.730 -\endisadelimproof
56.731 -%
56.732 -\isatagproof
56.733 -%
56.734 -\endisatagproof
56.735 -{\isafoldproof}%
56.736 -%
56.737 -\isadelimproof
56.738 -%
56.739 -\endisadelimproof
56.740 -%
56.741 -\isadelimproof
56.742 -%
56.743 -\endisadelimproof
56.744 -%
56.745 -\isatagproof
56.746 -%
56.747 -\endisatagproof
56.748 -{\isafoldproof}%
56.749 -%
56.750 -\isadelimproof
56.751 -%
56.752 -\endisadelimproof
56.753 -%
56.754 -\isadelimproof
56.755 -%
56.756 -\endisadelimproof
56.757 -%
56.758 -\isatagproof
56.759 -%
56.760 -\endisatagproof
56.761 -{\isafoldproof}%
56.762 -%
56.763 -\isadelimproof
56.764 -%
56.765 -\endisadelimproof
56.766 -%
56.767 -\isadelimproof
56.768 -%
56.769 -\endisadelimproof
56.770 -%
56.771 -\isatagproof
56.772 -%
56.773 -\endisatagproof
56.774 -{\isafoldproof}%
56.775 -%
56.776 -\isadelimproof
56.777 -%
56.778 -\endisadelimproof
56.779 -%
56.780 -\isadelimproof
56.781 -%
56.782 -\endisadelimproof
56.783 -%
56.784 -\isatagproof
56.785 -%
56.786 -\endisatagproof
56.787 -{\isafoldproof}%
56.788 -%
56.789 -\isadelimproof
56.790 -%
56.791 -\endisadelimproof
56.792 -%
56.793 -\isadelimproof
56.794 -%
56.795 -\endisadelimproof
56.796 -%
56.797 -\isatagproof
56.798 -%
56.799 -\endisatagproof
56.800 -{\isafoldproof}%
56.801 -%
56.802 -\isadelimproof
56.803 -%
56.804 -\endisadelimproof
56.805 -%
56.806 -\isadelimproof
56.807 -%
56.808 -\endisadelimproof
56.809 -%
56.810 -\isatagproof
56.811 -%
56.812 -\endisatagproof
56.813 -{\isafoldproof}%
56.814 -%
56.815 -\isadelimproof
56.816 -%
56.817 -\endisadelimproof
56.818 -%
56.819 -\isadelimproof
56.820 -%
56.821 -\endisadelimproof
56.822 -%
56.823 -\isatagproof
56.824 -%
56.825 -\endisatagproof
56.826 -{\isafoldproof}%
56.827 -%
56.828 -\isadelimproof
56.829 -%
56.830 -\endisadelimproof
56.831 -%
56.832 -\isadelimproof
56.833 -%
56.834 -\endisadelimproof
56.835 -%
56.836 -\isatagproof
56.837 -%
56.838 -\endisatagproof
56.839 -{\isafoldproof}%
56.840 -%
56.841 -\isadelimproof
56.842 -%
56.843 -\endisadelimproof
56.844 -%
56.845 -\isadelimproof
56.846 -%
56.847 -\endisadelimproof
56.848 -%
56.849 -\isatagproof
56.850 -%
56.851 -\endisatagproof
56.852 -{\isafoldproof}%
56.853 -%
56.854 -\isadelimproof
56.855 -%
56.856 -\endisadelimproof
56.857 -%
56.858 -\isadelimproof
56.859 -%
56.860 -\endisadelimproof
56.861 -%
56.862 -\isatagproof
56.863 -%
56.864 -\endisatagproof
56.865 -{\isafoldproof}%
56.866 -%
56.867 -\isadelimproof
56.868 -%
56.869 -\endisadelimproof
56.870 -%
56.871 -\isadelimproof
56.872 -%
56.873 -\endisadelimproof
56.874 -%
56.875 -\isatagproof
56.876 -%
56.877 -\endisatagproof
56.878 -{\isafoldproof}%
56.879 -%
56.880 -\isadelimproof
56.881 -%
56.882 -\endisadelimproof
56.883 -%
56.884 -\isadelimproof
56.885 -%
56.886 -\endisadelimproof
56.887 -%
56.888 -\isatagproof
56.889 -%
56.890 -\endisatagproof
56.891 -{\isafoldproof}%
56.892 -%
56.893 -\isadelimproof
56.894 -%
56.895 -\endisadelimproof
56.896 -%
56.897 -\isadelimproof
56.898 -%
56.899 -\endisadelimproof
56.900 -%
56.901 -\isatagproof
56.902 -%
56.903 -\endisatagproof
56.904 -{\isafoldproof}%
56.905 -%
56.906 -\isadelimproof
56.907 -%
56.908 -\endisadelimproof
56.909 -%
56.910 -\isadelimproof
56.911 -%
56.912 -\endisadelimproof
56.913 -%
56.914 -\isatagproof
56.915 -%
56.916 -\endisatagproof
56.917 -{\isafoldproof}%
56.918 -%
56.919 -\isadelimproof
56.920 -%
56.921 -\endisadelimproof
56.922 -%
56.923 -\isadelimproof
56.924 -%
56.925 -\endisadelimproof
56.926 -%
56.927 -\isatagproof
56.928 -%
56.929 -\endisatagproof
56.930 -{\isafoldproof}%
56.931 -%
56.932 -\isadelimproof
56.933 -%
56.934 -\endisadelimproof
56.935 -%
56.936 -\isadelimproof
56.937 -%
56.938 -\endisadelimproof
56.939 -%
56.940 -\isatagproof
56.941 -%
56.942 -\endisatagproof
56.943 -{\isafoldproof}%
56.944 -%
56.945 -\isadelimproof
56.946 -%
56.947 -\endisadelimproof
56.948 -%
56.949 -\isadelimproof
56.950 -%
56.951 -\endisadelimproof
56.952 -%
56.953 -\isatagproof
56.954 -%
56.955 -\endisatagproof
56.956 -{\isafoldproof}%
56.957 -%
56.958 -\isadelimproof
56.959 -%
56.960 -\endisadelimproof
56.961 -%
56.962 -\isadelimproof
56.963 -%
56.964 -\endisadelimproof
56.965 -%
56.966 -\isatagproof
56.967 -%
56.968 -\endisatagproof
56.969 -{\isafoldproof}%
56.970 -%
56.971 -\isadelimproof
56.972 -%
56.973 -\endisadelimproof
56.974 -%
56.975 -\isadelimproof
56.976 -%
56.977 -\endisadelimproof
56.978 -%
56.979 -\isatagproof
56.980 -%
56.981 -\endisatagproof
56.982 -{\isafoldproof}%
56.983 -%
56.984 -\isadelimproof
56.985 -%
56.986 -\endisadelimproof
56.987 -%
56.988 -\isadelimproof
56.989 -%
56.990 -\endisadelimproof
56.991 -%
56.992 -\isatagproof
56.993 -%
56.994 -\endisatagproof
56.995 -{\isafoldproof}%
56.996 -%
56.997 -\isadelimproof
56.998 -%
56.999 -\endisadelimproof
56.1000 -%
56.1001 -\isadelimproof
56.1002 -%
56.1003 -\endisadelimproof
56.1004 -%
56.1005 -\isatagproof
56.1006 -%
56.1007 -\endisatagproof
56.1008 -{\isafoldproof}%
56.1009 -%
56.1010 -\isadelimproof
56.1011 -%
56.1012 -\endisadelimproof
56.1013 -%
56.1014 -\isadelimproof
56.1015 -%
56.1016 -\endisadelimproof
56.1017 -%
56.1018 -\isatagproof
56.1019 -%
56.1020 -\endisatagproof
56.1021 -{\isafoldproof}%
56.1022 -%
56.1023 -\isadelimproof
56.1024 -%
56.1025 -\endisadelimproof
56.1026 -%
56.1027 -\isadelimproof
56.1028 -%
56.1029 -\endisadelimproof
56.1030 -%
56.1031 -\isatagproof
56.1032 -%
56.1033 -\endisatagproof
56.1034 -{\isafoldproof}%
56.1035 -%
56.1036 -\isadelimproof
56.1037 -%
56.1038 -\endisadelimproof
56.1039 -%
56.1040 -\isadelimproof
56.1041 -%
56.1042 -\endisadelimproof
56.1043 -%
56.1044 -\isatagproof
56.1045 -%
56.1046 -\endisatagproof
56.1047 -{\isafoldproof}%
56.1048 -%
56.1049 -\isadelimproof
56.1050 -%
56.1051 -\endisadelimproof
56.1052 -%
56.1053 -\isadelimproof
56.1054 -%
56.1055 -\endisadelimproof
56.1056 -%
56.1057 -\isatagproof
56.1058 -%
56.1059 -\endisatagproof
56.1060 -{\isafoldproof}%
56.1061 -%
56.1062 -\isadelimproof
56.1063 -%
56.1064 -\endisadelimproof
56.1065 -%
56.1066 -\isadelimproof
56.1067 -%
56.1068 -\endisadelimproof
56.1069 -%
56.1070 -\isatagproof
56.1071 -%
56.1072 -\endisatagproof
56.1073 -{\isafoldproof}%
56.1074 -%
56.1075 -\isadelimproof
56.1076 -%
56.1077 -\endisadelimproof
56.1078 -%
56.1079 -\isadelimproof
56.1080 -%
56.1081 -\endisadelimproof
56.1082 -%
56.1083 -\isatagproof
56.1084 -%
56.1085 -\endisatagproof
56.1086 -{\isafoldproof}%
56.1087 -%
56.1088 -\isadelimproof
56.1089 -%
56.1090 -\endisadelimproof
56.1091 -%
56.1092 -\isadelimproof
56.1093 -%
56.1094 -\endisadelimproof
56.1095 -%
56.1096 -\isatagproof
56.1097 -%
56.1098 -\endisatagproof
56.1099 -{\isafoldproof}%
56.1100 -%
56.1101 -\isadelimproof
56.1102 -%
56.1103 -\endisadelimproof
56.1104 -%
56.1105 -\isadelimproof
56.1106 -%
56.1107 -\endisadelimproof
56.1108 -%
56.1109 -\isatagproof
56.1110 -%
56.1111 -\endisatagproof
56.1112 -{\isafoldproof}%
56.1113 -%
56.1114 -\isadelimproof
56.1115 -%
56.1116 -\endisadelimproof
56.1117 -%
56.1118 -\begin{isamarkuptext}%
56.1119 -Note the \isa{Decrypt} rule: the spy can decrypt a
56.1120 -message encrypted with key~$K$ if he has the matching key,~$K^{-1}$.
56.1121 -Properties proved by rule induction include the following:
56.1122 -\begin{isabelle}%
56.1123 -G\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ analz\ G\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ analz\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}mono}\par\smallskip%
56.1124 -analz\ {\isaliteral{28}{\isacharparenleft}}analz\ H{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ analz\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}idem}%
56.1125 -\end{isabelle}
56.1126 -
56.1127 -The set of fake messages that an intruder could invent
56.1128 -starting from~\isa{H} is \isa{synth{\isaliteral{28}{\isacharparenleft}}analz\ H{\isaliteral{29}{\isacharparenright}}}, where \isa{synth\ H}
56.1129 -formalizes what the adversary can build from the set of messages~$H$.%
56.1130 -\end{isamarkuptext}%
56.1131 -\isamarkuptrue%
56.1132 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
56.1133 -\isanewline
56.1134 -\ \ synth\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
56.1135 -\ \ \isakeyword{for}\ H\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
56.1136 -\ \ \isakeyword{where}\isanewline
56.1137 -\ \ \ \ Inj\ \ \ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
56.1138 -\ \ {\isaliteral{7C}{\isacharbar}}\ Agent\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Agent\ agt\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
56.1139 -\ \ {\isaliteral{7C}{\isacharbar}}\ MPair\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
56.1140 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{3B}{\isacharsemicolon}}\ \ Y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
56.1141 -\ \ {\isaliteral{7C}{\isacharbar}}\ Crypt\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
56.1142 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{3B}{\isacharsemicolon}}\ \ Key\ K\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}%
56.1143 -\isadelimproof
56.1144 -%
56.1145 -\endisadelimproof
56.1146 -%
56.1147 -\isatagproof
56.1148 -%
56.1149 -\endisatagproof
56.1150 -{\isafoldproof}%
56.1151 -%
56.1152 -\isadelimproof
56.1153 -%
56.1154 -\endisadelimproof
56.1155 -%
56.1156 -\isadelimproof
56.1157 -%
56.1158 -\endisadelimproof
56.1159 -%
56.1160 -\isatagproof
56.1161 -%
56.1162 -\endisatagproof
56.1163 -{\isafoldproof}%
56.1164 -%
56.1165 -\isadelimproof
56.1166 -%
56.1167 -\endisadelimproof
56.1168 -%
56.1169 -\isadelimproof
56.1170 -%
56.1171 -\endisadelimproof
56.1172 -%
56.1173 -\isatagproof
56.1174 -%
56.1175 -\endisatagproof
56.1176 -{\isafoldproof}%
56.1177 -%
56.1178 -\isadelimproof
56.1179 -%
56.1180 -\endisadelimproof
56.1181 -%
56.1182 -\begin{isamarkuptext}%
56.1183 -The set includes all agent names. Nonces and keys are assumed to be
56.1184 -unguessable, so none are included beyond those already in~$H$. Two
56.1185 -elements of \isa{synth\ H} can be combined, and an element can be encrypted
56.1186 -using a key present in~$H$.
56.1187 -
56.1188 -Like \isa{analz}, this set operator is monotone and idempotent. It also
56.1189 -satisfies an interesting equation involving \isa{analz}:
56.1190 -\begin{isabelle}%
56.1191 -analz\ {\isaliteral{28}{\isacharparenleft}}synth\ H{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ analz\ H\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ synth\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}synth}%
56.1192 -\end{isabelle}
56.1193 -Rule inversion plays a major role in reasoning about \isa{synth}, through
56.1194 -declarations such as this one:%
56.1195 -\end{isamarkuptext}%
56.1196 -\isamarkuptrue%
56.1197 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}cases}\isamarkupfalse%
56.1198 -\ Nonce{\isaliteral{5F}{\isacharunderscore}}synth\ {\isaliteral{5B}{\isacharbrackleft}}elim{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}%
56.1199 -\begin{isamarkuptext}%
56.1200 -\noindent
56.1201 -The resulting elimination rule replaces every assumption of the form
56.1202 -\isa{Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H} by \isa{Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H},
56.1203 -expressing that a nonce cannot be guessed.
56.1204 -
56.1205 -A third operator, \isa{parts}, is useful for stating correctness
56.1206 -properties. The set
56.1207 -\isa{parts\ H} consists of the components of elements of~$H$. This set
56.1208 -includes~\isa{H} and is closed under the projections from a compound
56.1209 -message to its immediate parts.
56.1210 -Its definition resembles that of \isa{analz} except in the rule
56.1211 -corresponding to the constructor \isa{Crypt}:
56.1212 -\begin{isabelle}%
56.1213 -\ \ \ \ \ Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ H%
56.1214 -\end{isabelle}
56.1215 -The body of an encrypted message is always regarded as part of it. We can
56.1216 -use \isa{parts} to express general well-formedness properties of a protocol,
56.1217 -for example, that an uncompromised agent's private key will never be
56.1218 -included as a component of any message.%
56.1219 -\end{isamarkuptext}%
56.1220 -\isamarkuptrue%
56.1221 -%
56.1222 -\isadelimproof
56.1223 -%
56.1224 -\endisadelimproof
56.1225 -%
56.1226 -\isatagproof
56.1227 -%
56.1228 -\endisatagproof
56.1229 -{\isafoldproof}%
56.1230 -%
56.1231 -\isadelimproof
56.1232 -%
56.1233 -\endisadelimproof
56.1234 -%
56.1235 -\isadelimproof
56.1236 -%
56.1237 -\endisadelimproof
56.1238 -%
56.1239 -\isatagproof
56.1240 -%
56.1241 -\endisatagproof
56.1242 -{\isafoldproof}%
56.1243 -%
56.1244 -\isadelimproof
56.1245 -%
56.1246 -\endisadelimproof
56.1247 -%
56.1248 -\isadelimproof
56.1249 -%
56.1250 -\endisadelimproof
56.1251 -%
56.1252 -\isatagproof
56.1253 -%
56.1254 -\endisatagproof
56.1255 -{\isafoldproof}%
56.1256 -%
56.1257 -\isadelimproof
56.1258 -%
56.1259 -\endisadelimproof
56.1260 -%
56.1261 -\isadelimproof
56.1262 -%
56.1263 -\endisadelimproof
56.1264 -%
56.1265 -\isatagproof
56.1266 -%
56.1267 -\endisatagproof
56.1268 -{\isafoldproof}%
56.1269 -%
56.1270 -\isadelimproof
56.1271 -%
56.1272 -\endisadelimproof
56.1273 -%
56.1274 -\isadelimproof
56.1275 -%
56.1276 -\endisadelimproof
56.1277 -%
56.1278 -\isatagproof
56.1279 -%
56.1280 -\endisatagproof
56.1281 -{\isafoldproof}%
56.1282 -%
56.1283 -\isadelimproof
56.1284 -%
56.1285 -\endisadelimproof
56.1286 -%
56.1287 -\isadelimproof
56.1288 -%
56.1289 -\endisadelimproof
56.1290 -%
56.1291 -\isatagproof
56.1292 -%
56.1293 -\endisatagproof
56.1294 -{\isafoldproof}%
56.1295 -%
56.1296 -\isadelimproof
56.1297 -%
56.1298 -\endisadelimproof
56.1299 -%
56.1300 -\isadelimproof
56.1301 -%
56.1302 -\endisadelimproof
56.1303 -%
56.1304 -\isatagproof
56.1305 -%
56.1306 -\endisatagproof
56.1307 -{\isafoldproof}%
56.1308 -%
56.1309 -\isadelimproof
56.1310 -%
56.1311 -\endisadelimproof
56.1312 -%
56.1313 -\isadelimproof
56.1314 -%
56.1315 -\endisadelimproof
56.1316 -%
56.1317 -\isatagproof
56.1318 -%
56.1319 -\endisatagproof
56.1320 -{\isafoldproof}%
56.1321 -%
56.1322 -\isadelimproof
56.1323 -%
56.1324 -\endisadelimproof
56.1325 -%
56.1326 -\isadelimproof
56.1327 -%
56.1328 -\endisadelimproof
56.1329 -%
56.1330 -\isatagproof
56.1331 -%
56.1332 -\endisatagproof
56.1333 -{\isafoldproof}%
56.1334 -%
56.1335 -\isadelimproof
56.1336 -%
56.1337 -\endisadelimproof
56.1338 -%
56.1339 -\isadelimproof
56.1340 -%
56.1341 -\endisadelimproof
56.1342 -%
56.1343 -\isatagproof
56.1344 -%
56.1345 -\endisatagproof
56.1346 -{\isafoldproof}%
56.1347 -%
56.1348 -\isadelimproof
56.1349 -%
56.1350 -\endisadelimproof
56.1351 -%
56.1352 -\isadelimproof
56.1353 -%
56.1354 -\endisadelimproof
56.1355 -%
56.1356 -\isatagproof
56.1357 -%
56.1358 -\endisatagproof
56.1359 -{\isafoldproof}%
56.1360 -%
56.1361 -\isadelimproof
56.1362 -%
56.1363 -\endisadelimproof
56.1364 -%
56.1365 -\isadelimproof
56.1366 -%
56.1367 -\endisadelimproof
56.1368 -%
56.1369 -\isatagproof
56.1370 -%
56.1371 -\endisatagproof
56.1372 -{\isafoldproof}%
56.1373 -%
56.1374 -\isadelimproof
56.1375 -%
56.1376 -\endisadelimproof
56.1377 -%
56.1378 -\isadelimproof
56.1379 -%
56.1380 -\endisadelimproof
56.1381 -%
56.1382 -\isatagproof
56.1383 -%
56.1384 -\endisatagproof
56.1385 -{\isafoldproof}%
56.1386 -%
56.1387 -\isadelimproof
56.1388 -%
56.1389 -\endisadelimproof
56.1390 -%
56.1391 -\isadelimproof
56.1392 -%
56.1393 -\endisadelimproof
56.1394 -%
56.1395 -\isatagproof
56.1396 -%
56.1397 -\endisatagproof
56.1398 -{\isafoldproof}%
56.1399 -%
56.1400 -\isadelimproof
56.1401 -%
56.1402 -\endisadelimproof
56.1403 -%
56.1404 -\isadelimproof
56.1405 -%
56.1406 -\endisadelimproof
56.1407 -%
56.1408 -\isatagproof
56.1409 -%
56.1410 -\endisatagproof
56.1411 -{\isafoldproof}%
56.1412 -%
56.1413 -\isadelimproof
56.1414 -%
56.1415 -\endisadelimproof
56.1416 -%
56.1417 -\isadelimproof
56.1418 -%
56.1419 -\endisadelimproof
56.1420 -%
56.1421 -\isatagproof
56.1422 -%
56.1423 -\endisatagproof
56.1424 -{\isafoldproof}%
56.1425 -%
56.1426 -\isadelimproof
56.1427 -%
56.1428 -\endisadelimproof
56.1429 -%
56.1430 -\isadelimproof
56.1431 -%
56.1432 -\endisadelimproof
56.1433 -%
56.1434 -\isatagproof
56.1435 -%
56.1436 -\endisatagproof
56.1437 -{\isafoldproof}%
56.1438 -%
56.1439 -\isadelimproof
56.1440 -%
56.1441 -\endisadelimproof
56.1442 -%
56.1443 -\isadelimproof
56.1444 -%
56.1445 -\endisadelimproof
56.1446 -%
56.1447 -\isatagproof
56.1448 -%
56.1449 -\endisatagproof
56.1450 -{\isafoldproof}%
56.1451 -%
56.1452 -\isadelimproof
56.1453 -%
56.1454 -\endisadelimproof
56.1455 -%
56.1456 -\isadelimproof
56.1457 -%
56.1458 -\endisadelimproof
56.1459 -%
56.1460 -\isatagproof
56.1461 -%
56.1462 -\endisatagproof
56.1463 -{\isafoldproof}%
56.1464 -%
56.1465 -\isadelimproof
56.1466 -%
56.1467 -\endisadelimproof
56.1468 -%
56.1469 -\isadelimproof
56.1470 -%
56.1471 -\endisadelimproof
56.1472 -%
56.1473 -\isatagproof
56.1474 -%
56.1475 -\endisatagproof
56.1476 -{\isafoldproof}%
56.1477 -%
56.1478 -\isadelimproof
56.1479 -%
56.1480 -\endisadelimproof
56.1481 -%
56.1482 -\isadelimproof
56.1483 -%
56.1484 -\endisadelimproof
56.1485 -%
56.1486 -\isatagproof
56.1487 -%
56.1488 -\endisatagproof
56.1489 -{\isafoldproof}%
56.1490 -%
56.1491 -\isadelimproof
56.1492 -%
56.1493 -\endisadelimproof
56.1494 -%
56.1495 -\isadelimproof
56.1496 -%
56.1497 -\endisadelimproof
56.1498 -%
56.1499 -\isatagproof
56.1500 -%
56.1501 -\endisatagproof
56.1502 -{\isafoldproof}%
56.1503 -%
56.1504 -\isadelimproof
56.1505 -%
56.1506 -\endisadelimproof
56.1507 -%
56.1508 -\isadelimproof
56.1509 -%
56.1510 -\endisadelimproof
56.1511 -%
56.1512 -\isatagproof
56.1513 -%
56.1514 -\endisatagproof
56.1515 -{\isafoldproof}%
56.1516 -%
56.1517 -\isadelimproof
56.1518 -%
56.1519 -\endisadelimproof
56.1520 -%
56.1521 -\isadelimML
56.1522 -%
56.1523 -\endisadelimML
56.1524 -%
56.1525 -\isatagML
56.1526 -%
56.1527 -\endisatagML
56.1528 -{\isafoldML}%
56.1529 -%
56.1530 -\isadelimML
56.1531 -%
56.1532 -\endisadelimML
56.1533 -%
56.1534 -\isadelimproof
56.1535 -%
56.1536 -\endisadelimproof
56.1537 -%
56.1538 -\isatagproof
56.1539 -%
56.1540 -\endisatagproof
56.1541 -{\isafoldproof}%
56.1542 -%
56.1543 -\isadelimproof
56.1544 -%
56.1545 -\endisadelimproof
56.1546 -%
56.1547 -\isadelimproof
56.1548 -%
56.1549 -\endisadelimproof
56.1550 -%
56.1551 -\isatagproof
56.1552 -%
56.1553 -\endisatagproof
56.1554 -{\isafoldproof}%
56.1555 -%
56.1556 -\isadelimproof
56.1557 -%
56.1558 -\endisadelimproof
56.1559 -%
56.1560 -\isadelimproof
56.1561 -%
56.1562 -\endisadelimproof
56.1563 -%
56.1564 -\isatagproof
56.1565 -%
56.1566 -\endisatagproof
56.1567 -{\isafoldproof}%
56.1568 -%
56.1569 -\isadelimproof
56.1570 -%
56.1571 -\endisadelimproof
56.1572 -%
56.1573 -\isadelimproof
56.1574 -%
56.1575 -\endisadelimproof
56.1576 -%
56.1577 -\isatagproof
56.1578 -%
56.1579 -\endisatagproof
56.1580 -{\isafoldproof}%
56.1581 -%
56.1582 -\isadelimproof
56.1583 -%
56.1584 -\endisadelimproof
56.1585 -%
56.1586 -\isadelimproof
56.1587 -%
56.1588 -\endisadelimproof
56.1589 -%
56.1590 -\isatagproof
56.1591 -%
56.1592 -\endisatagproof
56.1593 -{\isafoldproof}%
56.1594 -%
56.1595 -\isadelimproof
56.1596 -%
56.1597 -\endisadelimproof
56.1598 -%
56.1599 -\isadelimproof
56.1600 -%
56.1601 -\endisadelimproof
56.1602 -%
56.1603 -\isatagproof
56.1604 -%
56.1605 -\endisatagproof
56.1606 -{\isafoldproof}%
56.1607 -%
56.1608 -\isadelimproof
56.1609 -%
56.1610 -\endisadelimproof
56.1611 -%
56.1612 -\isadelimML
56.1613 -%
56.1614 -\endisadelimML
56.1615 -%
56.1616 -\isatagML
56.1617 -%
56.1618 -\endisatagML
56.1619 -{\isafoldML}%
56.1620 -%
56.1621 -\isadelimML
56.1622 -%
56.1623 -\endisadelimML
56.1624 -%
56.1625 -\isadelimtheory
56.1626 -%
56.1627 -\endisadelimtheory
56.1628 -%
56.1629 -\isatagtheory
56.1630 -%
56.1631 -\endisatagtheory
56.1632 -{\isafoldtheory}%
56.1633 -%
56.1634 -\isadelimtheory
56.1635 -%
56.1636 -\endisadelimtheory
56.1637 -\end{isabellebody}%
56.1638 -%%% Local Variables:
56.1639 -%%% mode: latex
56.1640 -%%% TeX-master: "root"
56.1641 -%%% End:
57.1 --- a/doc-src/TutorialI/Protocol/document/NS_Public.tex Thu Jul 26 16:08:16 2012 +0200
57.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
57.3 @@ -1,517 +0,0 @@
57.4 -%
57.5 -\begin{isabellebody}%
57.6 -\def\isabellecontext{NS{\isaliteral{5F}{\isacharunderscore}}Public}%
57.7 -%
57.8 -\isadelimtheory
57.9 -%
57.10 -\endisadelimtheory
57.11 -%
57.12 -\isatagtheory
57.13 -%
57.14 -\endisatagtheory
57.15 -{\isafoldtheory}%
57.16 -%
57.17 -\isadelimtheory
57.18 -%
57.19 -\endisadelimtheory
57.20 -%
57.21 -\isamarkupsection{Modelling the Protocol \label{sec:modelling}%
57.22 -}
57.23 -\isamarkuptrue%
57.24 -%
57.25 -\begin{figure}
57.26 -\begin{isabelle}
57.27 -\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
57.28 -\ ns{\isaliteral{5F}{\isacharunderscore}}public\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}event\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
57.29 -\ \ \isakeyword{where}\isanewline
57.30 -\isanewline
57.31 -\ \ \ Nil{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
57.32 -\isanewline
57.33 -\isanewline
57.34 -\ {\isaliteral{7C}{\isacharbar}}\ Fake{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evsf\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\ \ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
57.35 -\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ Spy\ B\ X\ \ {\isaliteral{23}{\isacharhash}}\ evsf\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
57.36 -\isanewline
57.37 -\isanewline
57.38 -\ {\isaliteral{7C}{\isacharbar}}\ NS{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evs{\isadigit{1}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\ \ Nonce\ NA\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{1}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
57.39 -\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
57.40 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{23}{\isacharhash}}\ evs{\isadigit{1}}\ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ \ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
57.41 -\isanewline
57.42 -\isanewline
57.43 -\ {\isaliteral{7C}{\isacharbar}}\ NS{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evs{\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\ \ Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{2}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.44 -\ \ \ \ \ \ \ \ \ \ \ Says\ A{\isaliteral{27}{\isacharprime}}\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{2}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
57.45 -\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
57.46 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{23}{\isacharhash}}\ evs{\isadigit{2}}\ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ \ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
57.47 -\isanewline
57.48 -\isanewline
57.49 -\ {\isaliteral{7C}{\isacharbar}}\ NS{\isadigit{3}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evs{\isadigit{3}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.50 -\ \ \ \ \ \ \ \ \ \ \ Says\ A\ \ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{3}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.51 -\ \ \ \ \ \ \ \ \ \ \ Says\ B{\isaliteral{27}{\isacharprime}}\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
57.52 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{3}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
57.53 -\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Nonce\ NB{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ evs{\isadigit{3}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}%
57.54 -\end{isabelle}
57.55 -\caption{An Inductive Protocol Definition}\label{fig:ns_public}
57.56 -\end{figure}
57.57 -%
57.58 -\begin{isamarkuptext}%
57.59 -Let us formalize the Needham-Schroeder public-key protocol, as corrected by
57.60 -Lowe:
57.61 -\begin{alignat*%
57.62 -}{2}
57.63 - &1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
57.64 - &2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\
57.65 - &3.&\quad A\to B &: \comp{Nb}\sb{Kb}
57.66 -\end{alignat*%
57.67 -}
57.68 -
57.69 -Each protocol step is specified by a rule of an inductive definition. An
57.70 -event trace has type \isa{event\ list}, so we declare the constant
57.71 -\isa{ns{\isaliteral{5F}{\isacharunderscore}}public} to be a set of such traces.
57.72 -
57.73 -Figure~\ref{fig:ns_public} presents the inductive definition. The
57.74 -\isa{Nil} rule introduces the empty trace. The \isa{Fake} rule models the
57.75 -adversary's sending a message built from components taken from past
57.76 -traffic, expressed using the functions \isa{synth} and
57.77 -\isa{analz}.
57.78 -The next three rules model how honest agents would perform the three
57.79 -protocol steps.
57.80 -
57.81 -Here is a detailed explanation of rule \isa{NS{\isadigit{2}}}.
57.82 -A trace containing an event of the form
57.83 -\begin{isabelle}%
57.84 -\ \ \ \ \ Says\ A{\isaliteral{27}{\isacharprime}}\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}%
57.85 -\end{isabelle}
57.86 -may be extended by an event of the form
57.87 -\begin{isabelle}%
57.88 -\ \ \ \ \ Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}%
57.89 -\end{isabelle}
57.90 -where \isa{NB} is a fresh nonce: \isa{Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{2}}}.
57.91 -Writing the sender as \isa{A{\isaliteral{27}{\isacharprime}}} indicates that \isa{B} does not
57.92 -know who sent the message. Calling the trace variable \isa{evs{\isadigit{2}}} rather
57.93 -than simply \isa{evs} helps us know where we are in a proof after many
57.94 -case-splits: every subgoal mentioning \isa{evs{\isadigit{2}}} involves message~2 of the
57.95 -protocol.
57.96 -
57.97 -Benefits of this approach are simplicity and clarity. The semantic model
57.98 -is set theory, proofs are by induction and the translation from the informal
57.99 -notation to the inductive rules is straightforward.%
57.100 -\end{isamarkuptext}%
57.101 -\isamarkuptrue%
57.102 -%
57.103 -\isamarkupsection{Proving Elementary Properties \label{sec:regularity}%
57.104 -}
57.105 -\isamarkuptrue%
57.106 -%
57.107 -\isadelimproof
57.108 -%
57.109 -\endisadelimproof
57.110 -%
57.111 -\isatagproof
57.112 -%
57.113 -\endisatagproof
57.114 -{\isafoldproof}%
57.115 -%
57.116 -\isadelimproof
57.117 -%
57.118 -\endisadelimproof
57.119 -%
57.120 -\begin{isamarkuptext}%
57.121 -Secrecy properties can be hard to prove. The conclusion of a typical
57.122 -secrecy theorem is
57.123 -\isa{X\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}}. The difficulty arises from
57.124 -having to reason about \isa{analz}, or less formally, showing that the spy
57.125 -can never learn~\isa{X}. Much easier is to prove that \isa{X} can never
57.126 -occur at all. Such \emph{regularity} properties are typically expressed
57.127 -using \isa{parts} rather than \isa{analz}.
57.128 -
57.129 -The following lemma states that \isa{A}'s private key is potentially
57.130 -known to the spy if and only if \isa{A} belongs to the set \isa{bad} of
57.131 -compromised agents. The statement uses \isa{parts}: the very presence of
57.132 -\isa{A}'s private key in a message, whether protected by encryption or
57.133 -not, is enough to confirm that \isa{A} is compromised. The proof, like
57.134 -nearly all protocol proofs, is by induction over traces.%
57.135 -\end{isamarkuptext}%
57.136 -\isamarkuptrue%
57.137 -\isacommand{lemma}\isamarkupfalse%
57.138 -\ Spy{\isaliteral{5F}{\isacharunderscore}}see{\isaliteral{5F}{\isacharunderscore}}priK\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
57.139 -\ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public\isanewline
57.140 -\ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Key\ {\isaliteral{28}{\isacharparenleft}}priK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
57.141 -%
57.142 -\isadelimproof
57.143 -%
57.144 -\endisadelimproof
57.145 -%
57.146 -\isatagproof
57.147 -\isacommand{apply}\isamarkupfalse%
57.148 -\ {\isaliteral{28}{\isacharparenleft}}erule\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
57.149 -\begin{isamarkuptxt}%
57.150 -The induction yields five subgoals, one for each rule in the definition of
57.151 -\isa{ns{\isaliteral{5F}{\isacharunderscore}}public}. The idea is to prove that the protocol property holds initially
57.152 -(rule \isa{Nil}), is preserved by each of the legitimate protocol steps (rules
57.153 -\isa{NS{\isadigit{1}}}--\isa{{\isadigit{3}}}), and even is preserved in the face of anything the
57.154 -spy can do (rule \isa{Fake}).
57.155 -
57.156 -The proof is trivial. No legitimate protocol rule sends any keys
57.157 -at all, so only \isa{Fake} is relevant. Indeed, simplification leaves
57.158 -only the \isa{Fake} case, as indicated by the variable name \isa{evsf}:
57.159 -\begin{isabelle}%
57.160 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}evsf\ X{\isaliteral{2E}{\isachardot}}\isanewline
57.161 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evsf\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.162 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }{\isaliteral{28}{\isacharparenleft}}Key\ {\isaliteral{28}{\isacharparenleft}}priK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.163 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
57.164 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Key\ {\isaliteral{28}{\isacharparenleft}}priK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}insert\ X\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
57.165 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }{\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad{\isaliteral{29}{\isacharparenright}}%
57.166 -\end{isabelle}%
57.167 -\end{isamarkuptxt}%
57.168 -\isamarkuptrue%
57.169 -\isacommand{by}\isamarkupfalse%
57.170 -\ blast%
57.171 -\endisatagproof
57.172 -{\isafoldproof}%
57.173 -%
57.174 -\isadelimproof
57.175 -%
57.176 -\endisadelimproof
57.177 -%
57.178 -\isadelimproof
57.179 -%
57.180 -\endisadelimproof
57.181 -%
57.182 -\isatagproof
57.183 -%
57.184 -\endisatagproof
57.185 -{\isafoldproof}%
57.186 -%
57.187 -\isadelimproof
57.188 -%
57.189 -\endisadelimproof
57.190 -%
57.191 -\begin{isamarkuptext}%
57.192 -The \isa{Fake} case is proved automatically. If
57.193 -\isa{priK\ A} is in the extended trace then either (1) it was already in the
57.194 -original trace or (2) it was
57.195 -generated by the spy, who must have known this key already.
57.196 -Either way, the induction hypothesis applies.
57.197 -
57.198 -\emph{Unicity} lemmas are regularity lemmas stating that specified items
57.199 -can occur only once in a trace. The following lemma states that a nonce
57.200 -cannot be used both as $Na$ and as $Nb$ unless
57.201 -it is known to the spy. Intuitively, it holds because honest agents
57.202 -always choose fresh values as nonces; only the spy might reuse a value,
57.203 -and he doesn't know this particular value. The proof script is short:
57.204 -induction, simplification, \isa{blast}. The first line uses the rule
57.205 -\isa{rev{\isaliteral{5F}{\isacharunderscore}}mp} to prepare the induction by moving two assumptions into the
57.206 -induction formula.%
57.207 -\end{isamarkuptext}%
57.208 -\isamarkuptrue%
57.209 -\isacommand{lemma}\isamarkupfalse%
57.210 -\ no{\isaliteral{5F}{\isacharunderscore}}nonce{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\isanewline
57.211 -\ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ C{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}NA{\isaliteral{27}{\isacharprime}}{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ D{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.212 -\ \ \ \ \ \ Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.213 -\ \ \ \ \ \ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
57.214 -\ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Nonce\ NA\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
57.215 -%
57.216 -\isadelimproof
57.217 -%
57.218 -\endisadelimproof
57.219 -%
57.220 -\isatagproof
57.221 -\isacommand{apply}\isamarkupfalse%
57.222 -\ {\isaliteral{28}{\isacharparenleft}}erule\ rev{\isaliteral{5F}{\isacharunderscore}}mp{\isaliteral{2C}{\isacharcomma}}\ erule\ rev{\isaliteral{5F}{\isacharunderscore}}mp{\isaliteral{29}{\isacharparenright}}\isanewline
57.223 -\isacommand{apply}\isamarkupfalse%
57.224 -\ {\isaliteral{28}{\isacharparenleft}}erule\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
57.225 -\isacommand{apply}\isamarkupfalse%
57.226 -\ {\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ analz{\isaliteral{5F}{\isacharunderscore}}insertI{\isaliteral{29}{\isacharparenright}}{\isaliteral{2B}{\isacharplus}}\isanewline
57.227 -\isacommand{done}\isamarkupfalse%
57.228 -%
57.229 -\endisatagproof
57.230 -{\isafoldproof}%
57.231 -%
57.232 -\isadelimproof
57.233 -%
57.234 -\endisadelimproof
57.235 -%
57.236 -\begin{isamarkuptext}%
57.237 -The following unicity lemma states that, if \isa{NA} is secret, then its
57.238 -appearance in any instance of message~1 determines the other components.
57.239 -The proof is similar to the previous one.%
57.240 -\end{isamarkuptext}%
57.241 -\isamarkuptrue%
57.242 -\isacommand{lemma}\isamarkupfalse%
57.243 -\ unique{\isaliteral{5F}{\isacharunderscore}}NA{\isaliteral{3A}{\isacharcolon}}\isanewline
57.244 -\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Crypt{\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A\ {\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts{\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.245 -\ \ \ \ \ \ \ Crypt{\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts{\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.246 -\ \ \ \ \ \ \ Nonce\ NA\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
57.247 -\ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ A{\isaliteral{3D}{\isacharequal}}A{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{3D}{\isacharequal}}B{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}%
57.248 -\isadelimproof
57.249 -%
57.250 -\endisadelimproof
57.251 -%
57.252 -\isatagproof
57.253 -%
57.254 -\endisatagproof
57.255 -{\isafoldproof}%
57.256 -%
57.257 -\isadelimproof
57.258 -%
57.259 -\endisadelimproof
57.260 -%
57.261 -\isamarkupsection{Proving Secrecy Theorems \label{sec:secrecy}%
57.262 -}
57.263 -\isamarkuptrue%
57.264 -%
57.265 -\isadelimproof
57.266 -%
57.267 -\endisadelimproof
57.268 -%
57.269 -\isatagproof
57.270 -%
57.271 -\endisatagproof
57.272 -{\isafoldproof}%
57.273 -%
57.274 -\isadelimproof
57.275 -%
57.276 -\endisadelimproof
57.277 -%
57.278 -\isadelimproof
57.279 -%
57.280 -\endisadelimproof
57.281 -%
57.282 -\isatagproof
57.283 -%
57.284 -\endisatagproof
57.285 -{\isafoldproof}%
57.286 -%
57.287 -\isadelimproof
57.288 -%
57.289 -\endisadelimproof
57.290 -%
57.291 -\isadelimproof
57.292 -%
57.293 -\endisadelimproof
57.294 -%
57.295 -\isatagproof
57.296 -%
57.297 -\endisatagproof
57.298 -{\isafoldproof}%
57.299 -%
57.300 -\isadelimproof
57.301 -%
57.302 -\endisadelimproof
57.303 -%
57.304 -\isadelimproof
57.305 -%
57.306 -\endisadelimproof
57.307 -%
57.308 -\isatagproof
57.309 -%
57.310 -\endisatagproof
57.311 -{\isafoldproof}%
57.312 -%
57.313 -\isadelimproof
57.314 -%
57.315 -\endisadelimproof
57.316 -%
57.317 -\isadelimproof
57.318 -%
57.319 -\endisadelimproof
57.320 -%
57.321 -\isatagproof
57.322 -%
57.323 -\endisatagproof
57.324 -{\isafoldproof}%
57.325 -%
57.326 -\isadelimproof
57.327 -%
57.328 -\endisadelimproof
57.329 -%
57.330 -\begin{isamarkuptext}%
57.331 -The secrecy theorems for Bob (the second participant) are especially
57.332 -important because they fail for the original protocol. The following
57.333 -theorem states that if Bob sends message~2 to Alice, and both agents are
57.334 -uncompromised, then Bob's nonce will never reach the spy.%
57.335 -\end{isamarkuptext}%
57.336 -\isamarkuptrue%
57.337 -\isacommand{theorem}\isamarkupfalse%
57.338 -\ Spy{\isaliteral{5F}{\isacharunderscore}}not{\isaliteral{5F}{\isacharunderscore}}see{\isaliteral{5F}{\isacharunderscore}}NB\ {\isaliteral{5B}{\isacharbrackleft}}dest{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
57.339 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.340 -\ \ \ A\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ B\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
57.341 -\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
57.342 -\isadelimproof
57.343 -%
57.344 -\endisadelimproof
57.345 -%
57.346 -\isatagproof
57.347 -%
57.348 -\begin{isamarkuptxt}%
57.349 -To prove it, we must formulate the induction properly (one of the
57.350 -assumptions mentions~\isa{evs}), apply induction, and simplify:%
57.351 -\end{isamarkuptxt}%
57.352 -\isamarkuptrue%
57.353 -\isacommand{apply}\isamarkupfalse%
57.354 -\ {\isaliteral{28}{\isacharparenleft}}erule\ rev{\isaliteral{5F}{\isacharunderscore}}mp{\isaliteral{2C}{\isacharcomma}}\ erule\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
57.355 -\begin{isamarkuptxt}%
57.356 -The proof states are too complicated to present in full.
57.357 -Let's examine the simplest subgoal, that for message~1. The following
57.358 -event has just occurred:
57.359 -\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'} \]
57.360 -The variables above have been primed because this step
57.361 -belongs to a different run from that referred to in the theorem
57.362 -statement --- the theorem
57.363 -refers to a past instance of message~2, while this subgoal
57.364 -concerns message~1 being sent just now.
57.365 -In the Isabelle subgoal, instead of primed variables like $B'$ and $Na'$
57.366 -we have \isa{Ba} and~\isa{NAa}:
57.367 -\begin{isabelle}%
57.368 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}evs{\isadigit{1}}\ NAa\ Ba{\isaliteral{2E}{\isachardot}}\isanewline
57.369 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}A\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ B\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ evs{\isadigit{1}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.370 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
57.371 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }{\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
57.372 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.373 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }Nonce\ NAa\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{1}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
57.374 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Ba\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
57.375 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
57.376 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }{\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
57.377 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }NB\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ NAa%
57.378 -\end{isabelle}
57.379 -The simplifier has used a
57.380 -default simplification rule that does a case
57.381 -analysis for each encrypted message on whether or not the decryption key
57.382 -is compromised.
57.383 -\begin{isabelle}%
57.384 -analz\ {\isaliteral{28}{\isacharparenleft}}insert\ {\isaliteral{28}{\isacharparenleft}}Crypt\ K\ X{\isaliteral{29}{\isacharparenright}}\ H{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
57.385 -{\isaliteral{28}{\isacharparenleft}}if\ Key\ {\isaliteral{28}{\isacharparenleft}}invKey\ K{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H\isanewline
57.386 -\isaindent{{\isaliteral{28}{\isacharparenleft}}}then\ insert\ {\isaliteral{28}{\isacharparenleft}}Crypt\ K\ X{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}insert\ X\ H{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
57.387 -\isaindent{{\isaliteral{28}{\isacharparenleft}}}else\ insert\ {\isaliteral{28}{\isacharparenleft}}Crypt\ K\ X{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}analz\ H{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\rulename{analz{\isaliteral{5F}{\isacharunderscore}}Crypt{\isaliteral{5F}{\isacharunderscore}}if}%
57.388 -\end{isabelle}
57.389 -The simplifier has also used \isa{Spy{\isaliteral{5F}{\isacharunderscore}}see{\isaliteral{5F}{\isacharunderscore}}priK}, proved in
57.390 -{\S}\ref{sec:regularity} above, to yield \isa{Ba\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad}.
57.391 -
57.392 -Recall that this subgoal concerns the case
57.393 -where the last message to be sent was
57.394 -\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'}. \]
57.395 -This message can compromise $Nb$ only if $Nb=Na'$ and $B'$ is compromised,
57.396 -allowing the spy to decrypt the message. The Isabelle subgoal says
57.397 -precisely this, if we allow for its choice of variable names.
57.398 -Proving \isa{NB\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ NAa} is easy: \isa{NB} was
57.399 -sent earlier, while \isa{NAa} is fresh; formally, we have
57.400 -the assumption \isa{Nonce\ NAa\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{1}}}.
57.401 -
57.402 -Note that our reasoning concerned \isa{B}'s participation in another
57.403 -run. Agents may engage in several runs concurrently, and some attacks work
57.404 -by interleaving the messages of two runs. With model checking, this
57.405 -possibility can cause a state-space explosion, and for us it
57.406 -certainly complicates proofs. The biggest subgoal concerns message~2. It
57.407 -splits into several cases, such as whether or not the message just sent is
57.408 -the very message mentioned in the theorem statement.
57.409 -Some of the cases are proved by unicity, others by
57.410 -the induction hypothesis. For all those complications, the proofs are
57.411 -automatic by \isa{blast} with the theorem \isa{no{\isaliteral{5F}{\isacharunderscore}}nonce{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{2}}}.
57.412 -
57.413 -The remaining theorems about the protocol are not hard to prove. The
57.414 -following one asserts a form of \emph{authenticity}: if
57.415 -\isa{B} has sent an instance of message~2 to~\isa{A} and has received the
57.416 -expected reply, then that reply really originated with~\isa{A}. The
57.417 -proof is a simple induction.%
57.418 -\end{isamarkuptxt}%
57.419 -\isamarkuptrue%
57.420 -%
57.421 -\endisatagproof
57.422 -{\isafoldproof}%
57.423 -%
57.424 -\isadelimproof
57.425 -%
57.426 -\endisadelimproof
57.427 -%
57.428 -\isadelimproof
57.429 -%
57.430 -\endisadelimproof
57.431 -%
57.432 -\isatagproof
57.433 -%
57.434 -\endisatagproof
57.435 -{\isafoldproof}%
57.436 -%
57.437 -\isadelimproof
57.438 -%
57.439 -\endisadelimproof
57.440 -\isacommand{theorem}\isamarkupfalse%
57.441 -\ B{\isaliteral{5F}{\isacharunderscore}}trusts{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{3}}{\isaliteral{3A}{\isacharcolon}}\isanewline
57.442 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Says\ B\ A\ \ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.443 -\ \ \ Says\ A{\isaliteral{27}{\isacharprime}}\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Nonce\ NB{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{3B}{\isacharsemicolon}}\isanewline
57.444 -\ \ \ A\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ B\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
57.445 -\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Nonce\ NB{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{22}{\isachardoublequoteclose}}%
57.446 -\isadelimproof
57.447 -%
57.448 -\endisadelimproof
57.449 -%
57.450 -\isatagproof
57.451 -%
57.452 -\endisatagproof
57.453 -{\isafoldproof}%
57.454 -%
57.455 -\isadelimproof
57.456 -%
57.457 -\endisadelimproof
57.458 -%
57.459 -\isadelimproof
57.460 -%
57.461 -\endisadelimproof
57.462 -%
57.463 -\isatagproof
57.464 -%
57.465 -\endisatagproof
57.466 -{\isafoldproof}%
57.467 -%
57.468 -\isadelimproof
57.469 -%
57.470 -\endisadelimproof
57.471 -%
57.472 -\begin{isamarkuptext}%
57.473 -From similar assumptions, we can prove that \isa{A} started the protocol
57.474 -run by sending an instance of message~1 involving the nonce~\isa{NA}\@.
57.475 -For this theorem, the conclusion is
57.476 -\begin{isabelle}%
57.477 -Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs%
57.478 -\end{isabelle}
57.479 -Analogous theorems can be proved for~\isa{A}, stating that nonce~\isa{NA}
57.480 -remains secret and that message~2 really originates with~\isa{B}. Even the
57.481 -flawed protocol establishes these properties for~\isa{A};
57.482 -the flaw only harms the second participant.
57.483 -
57.484 -\medskip
57.485 -
57.486 -Detailed information on this protocol verification technique can be found
57.487 -elsewhere~\cite{paulson-jcs}, including proofs of an Internet
57.488 -protocol~\cite{paulson-tls}. We must stress that the protocol discussed
57.489 -in this chapter is trivial. There are only three messages; no keys are
57.490 -exchanged; we merely have to prove that encrypted data remains secret.
57.491 -Real world protocols are much longer and distribute many secrets to their
57.492 -participants. To be realistic, the model has to include the possibility
57.493 -of keys being lost dynamically due to carelessness. If those keys have
57.494 -been used to encrypt other sensitive information, there may be cascading
57.495 -losses. We may still be able to establish a bound on the losses and to
57.496 -prove that other protocol runs function
57.497 -correctly~\cite{paulson-yahalom}. Proofs of real-world protocols follow
57.498 -the strategy illustrated above, but the subgoals can
57.499 -be much bigger and there are more of them.
57.500 -\index{protocols!security|)}%
57.501 -\end{isamarkuptext}%
57.502 -\isamarkuptrue%
57.503 -%
57.504 -\isadelimtheory
57.505 -%
57.506 -\endisadelimtheory
57.507 -%
57.508 -\isatagtheory
57.509 -%
57.510 -\endisatagtheory
57.511 -{\isafoldtheory}%
57.512 -%
57.513 -\isadelimtheory
57.514 -%
57.515 -\endisadelimtheory
57.516 -\end{isabellebody}%
57.517 -%%% Local Variables:
57.518 -%%% mode: latex
57.519 -%%% TeX-master: "root"
57.520 -%%% End:
58.1 --- a/doc-src/TutorialI/Protocol/document/Public.tex Thu Jul 26 16:08:16 2012 +0200
58.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
58.3 @@ -1,321 +0,0 @@
58.4 -%
58.5 -\begin{isabellebody}%
58.6 -\def\isabellecontext{Public}%
58.7 -%
58.8 -\isadelimtheory
58.9 -%
58.10 -\endisadelimtheory
58.11 -%
58.12 -\isatagtheory
58.13 -%
58.14 -\endisatagtheory
58.15 -{\isafoldtheory}%
58.16 -%
58.17 -\isadelimtheory
58.18 -%
58.19 -\endisadelimtheory
58.20 -%
58.21 -\begin{isamarkuptext}%
58.22 -The function
58.23 -\isa{pubK} maps agents to their public keys. The function
58.24 -\isa{priK} maps agents to their private keys. It is merely
58.25 -an abbreviation (cf.\ \S\ref{sec:abbreviations}) defined in terms of
58.26 -\isa{invKey} and \isa{pubK}.%
58.27 -\end{isamarkuptext}%
58.28 -\isamarkuptrue%
58.29 -\isacommand{consts}\isamarkupfalse%
58.30 -\ pubK\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}agent\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ key{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
58.31 -\isacommand{abbreviation}\isamarkupfalse%
58.32 -\ priK\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}agent\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ key{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
58.33 -\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}priK\ x\ \ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ \ invKey{\isaliteral{28}{\isacharparenleft}}pubK\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
58.34 -\begin{isamarkuptext}%
58.35 -\noindent
58.36 -The set \isa{bad} consists of those agents whose private keys are known to
58.37 -the spy.
58.38 -
58.39 -Two axioms are asserted about the public-key cryptosystem.
58.40 -No two agents have the same public key, and no private key equals
58.41 -any public key.%
58.42 -\end{isamarkuptext}%
58.43 -\isamarkuptrue%
58.44 -\isacommand{axioms}\isamarkupfalse%
58.45 -\isanewline
58.46 -\ \ inj{\isaliteral{5F}{\isacharunderscore}}pubK{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}inj\ pubK{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
58.47 -\ \ priK{\isaliteral{5F}{\isacharunderscore}}neq{\isaliteral{5F}{\isacharunderscore}}pubK{\isaliteral{3A}{\isacharcolon}}\ \ \ {\isaliteral{22}{\isachardoublequoteopen}}priK\ A\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ pubK\ B{\isaliteral{22}{\isachardoublequoteclose}}%
58.48 -\isadelimproof
58.49 -%
58.50 -\endisadelimproof
58.51 -%
58.52 -\isatagproof
58.53 -%
58.54 -\endisatagproof
58.55 -{\isafoldproof}%
58.56 -%
58.57 -\isadelimproof
58.58 -%
58.59 -\endisadelimproof
58.60 -%
58.61 -\isadelimproof
58.62 -%
58.63 -\endisadelimproof
58.64 -%
58.65 -\isatagproof
58.66 -%
58.67 -\endisatagproof
58.68 -{\isafoldproof}%
58.69 -%
58.70 -\isadelimproof
58.71 -%
58.72 -\endisadelimproof
58.73 -%
58.74 -\isadelimproof
58.75 -%
58.76 -\endisadelimproof
58.77 -%
58.78 -\isatagproof
58.79 -%
58.80 -\endisatagproof
58.81 -{\isafoldproof}%
58.82 -%
58.83 -\isadelimproof
58.84 -%
58.85 -\endisadelimproof
58.86 -%
58.87 -\isadelimproof
58.88 -%
58.89 -\endisadelimproof
58.90 -%
58.91 -\isatagproof
58.92 -%
58.93 -\endisatagproof
58.94 -{\isafoldproof}%
58.95 -%
58.96 -\isadelimproof
58.97 -%
58.98 -\endisadelimproof
58.99 -%
58.100 -\isadelimproof
58.101 -%
58.102 -\endisadelimproof
58.103 -%
58.104 -\isatagproof
58.105 -%
58.106 -\endisatagproof
58.107 -{\isafoldproof}%
58.108 -%
58.109 -\isadelimproof
58.110 -%
58.111 -\endisadelimproof
58.112 -%
58.113 -\isadelimproof
58.114 -%
58.115 -\endisadelimproof
58.116 -%
58.117 -\isatagproof
58.118 -%
58.119 -\endisatagproof
58.120 -{\isafoldproof}%
58.121 -%
58.122 -\isadelimproof
58.123 -%
58.124 -\endisadelimproof
58.125 -%
58.126 -\isadelimproof
58.127 -%
58.128 -\endisadelimproof
58.129 -%
58.130 -\isatagproof
58.131 -%
58.132 -\endisatagproof
58.133 -{\isafoldproof}%
58.134 -%
58.135 -\isadelimproof
58.136 -%
58.137 -\endisadelimproof
58.138 -%
58.139 -\isadelimproof
58.140 -%
58.141 -\endisadelimproof
58.142 -%
58.143 -\isatagproof
58.144 -%
58.145 -\endisatagproof
58.146 -{\isafoldproof}%
58.147 -%
58.148 -\isadelimproof
58.149 -%
58.150 -\endisadelimproof
58.151 -%
58.152 -\isadelimproof
58.153 -%
58.154 -\endisadelimproof
58.155 -%
58.156 -\isatagproof
58.157 -%
58.158 -\endisatagproof
58.159 -{\isafoldproof}%
58.160 -%
58.161 -\isadelimproof
58.162 -%
58.163 -\endisadelimproof
58.164 -%
58.165 -\isadelimproof
58.166 -%
58.167 -\endisadelimproof
58.168 -%
58.169 -\isatagproof
58.170 -%
58.171 -\endisatagproof
58.172 -{\isafoldproof}%
58.173 -%
58.174 -\isadelimproof
58.175 -%
58.176 -\endisadelimproof
58.177 -%
58.178 -\isadelimproof
58.179 -%
58.180 -\endisadelimproof
58.181 -%
58.182 -\isatagproof
58.183 -%
58.184 -\endisatagproof
58.185 -{\isafoldproof}%
58.186 -%
58.187 -\isadelimproof
58.188 -%
58.189 -\endisadelimproof
58.190 -%
58.191 -\isadelimproof
58.192 -%
58.193 -\endisadelimproof
58.194 -%
58.195 -\isatagproof
58.196 -%
58.197 -\endisatagproof
58.198 -{\isafoldproof}%
58.199 -%
58.200 -\isadelimproof
58.201 -%
58.202 -\endisadelimproof
58.203 -%
58.204 -\isadelimproof
58.205 -%
58.206 -\endisadelimproof
58.207 -%
58.208 -\isatagproof
58.209 -%
58.210 -\endisatagproof
58.211 -{\isafoldproof}%
58.212 -%
58.213 -\isadelimproof
58.214 -%
58.215 -\endisadelimproof
58.216 -%
58.217 -\isadelimproof
58.218 -%
58.219 -\endisadelimproof
58.220 -%
58.221 -\isatagproof
58.222 -%
58.223 -\endisatagproof
58.224 -{\isafoldproof}%
58.225 -%
58.226 -\isadelimproof
58.227 -%
58.228 -\endisadelimproof
58.229 -%
58.230 -\isadelimproof
58.231 -%
58.232 -\endisadelimproof
58.233 -%
58.234 -\isatagproof
58.235 -%
58.236 -\endisatagproof
58.237 -{\isafoldproof}%
58.238 -%
58.239 -\isadelimproof
58.240 -%
58.241 -\endisadelimproof
58.242 -%
58.243 -\isadelimproof
58.244 -%
58.245 -\endisadelimproof
58.246 -%
58.247 -\isatagproof
58.248 -%
58.249 -\endisatagproof
58.250 -{\isafoldproof}%
58.251 -%
58.252 -\isadelimproof
58.253 -%
58.254 -\endisadelimproof
58.255 -%
58.256 -\isadelimproof
58.257 -%
58.258 -\endisadelimproof
58.259 -%
58.260 -\isatagproof
58.261 -%
58.262 -\endisatagproof
58.263 -{\isafoldproof}%
58.264 -%
58.265 -\isadelimproof
58.266 -%
58.267 -\endisadelimproof
58.268 -%
58.269 -\isadelimproof
58.270 -%
58.271 -\endisadelimproof
58.272 -%
58.273 -\isatagproof
58.274 -%
58.275 -\endisatagproof
58.276 -{\isafoldproof}%
58.277 -%
58.278 -\isadelimproof
58.279 -%
58.280 -\endisadelimproof
58.281 -%
58.282 -\isadelimproof
58.283 -%
58.284 -\endisadelimproof
58.285 -%
58.286 -\isatagproof
58.287 -%
58.288 -\endisatagproof
58.289 -{\isafoldproof}%
58.290 -%
58.291 -\isadelimproof
58.292 -%
58.293 -\endisadelimproof
58.294 -%
58.295 -\isadelimML
58.296 -%
58.297 -\endisadelimML
58.298 -%
58.299 -\isatagML
58.300 -%
58.301 -\endisatagML
58.302 -{\isafoldML}%
58.303 -%
58.304 -\isadelimML
58.305 -%
58.306 -\endisadelimML
58.307 -%
58.308 -\isadelimtheory
58.309 -%
58.310 -\endisadelimtheory
58.311 -%
58.312 -\isatagtheory
58.313 -%
58.314 -\endisatagtheory
58.315 -{\isafoldtheory}%
58.316 -%
58.317 -\isadelimtheory
58.318 -%
58.319 -\endisadelimtheory
58.320 -\end{isabellebody}%
58.321 -%%% Local Variables:
58.322 -%%% mode: latex
58.323 -%%% TeX-master: "root"
58.324 -%%% End:
59.1 --- a/doc-src/TutorialI/Protocol/protocol.tex Thu Jul 26 16:08:16 2012 +0200
59.2 +++ b/doc-src/TutorialI/Protocol/protocol.tex Thu Jul 26 19:59:06 2012 +0200
59.3 @@ -129,7 +129,7 @@
59.4 \index{Needham-Schroeder protocol|)}
59.5
59.6
59.7 -\input{Protocol/document/Message}
59.8 -\input{Protocol/document/Event}
59.9 -\input{Protocol/document/Public}
59.10 -\input{Protocol/document/NS_Public}
59.11 +\input{document/Message}
59.12 +\input{document/Event}
59.13 +\input{document/Public}
59.14 +\input{document/NS_Public}
60.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
60.2 +++ b/doc-src/TutorialI/ROOT.ML Thu Jul 26 19:59:06 2012 +0200
60.3 @@ -0,0 +1,71 @@
60.4 +Thy_Output.indent_default := 5;
60.5 +
60.6 +use_thy "ToyList/ToyList";
60.7 +
60.8 +use_thy "Ifexpr/Ifexpr";
60.9 +
60.10 +use_thy "CodeGen/CodeGen";
60.11 +
60.12 +use_thy "Trie/Trie";
60.13 +
60.14 +use_thy "Datatype/ABexpr";
60.15 +use_thy "Datatype/unfoldnested";
60.16 +use_thy "Datatype/Nested";
60.17 +use_thy "Datatype/Fundata";
60.18 +
60.19 +use_thy "Fun/fun0";
60.20 +
60.21 +use_thy "Advanced/simp2";
60.22 +
60.23 +use_thy "CTL/PDL";
60.24 +use_thy "CTL/CTL";
60.25 +use_thy "CTL/CTLind";
60.26 +
60.27 +use_thy "Inductive/Even";
60.28 +use_thy "Inductive/Mutual";
60.29 +use_thy "Inductive/Star";
60.30 +use_thy "Inductive/AB";
60.31 +use_thy "Inductive/Advanced";
60.32 +
60.33 +use_thy "Misc/Tree";
60.34 +use_thy "Misc/Tree2";
60.35 +use_thy "Misc/Plus";
60.36 +use_thy "Misc/case_exprs";
60.37 +use_thy "Misc/fakenat";
60.38 +use_thy "Misc/natsum";
60.39 +use_thy "Misc/pairs2";
60.40 +use_thy "Misc/Option2";
60.41 +use_thy "Misc/types";
60.42 +use_thy "Misc/prime_def";
60.43 +use_thy "Misc/simp";
60.44 +use_thy "Misc/Itrev";
60.45 +use_thy "Misc/AdvancedInd";
60.46 +use_thy "Misc/appendix";
60.47 +
60.48 +
60.49 +Thy_Output.indent_default := 0;
60.50 +
60.51 +use_thy "Protocol/NS_Public";
60.52 +
60.53 +use_thy "Documents/Documents";
60.54 +
60.55 +no_document use_thy "Types/Setup";
60.56 +use_thy "Types/Numbers";
60.57 +use_thy "Types/Pairs";
60.58 +use_thy "Types/Records";
60.59 +use_thy "Types/Typedefs";
60.60 +use_thy "Types/Overloading";
60.61 +use_thy "Types/Axioms";
60.62 +
60.63 +use_thy "Rules/Basic";
60.64 +use_thy "Rules/Blast";
60.65 +use_thy "Rules/Force";
60.66 +use_thy "Rules/Forward";
60.67 +use_thy "Rules/Tacticals";
60.68 +use_thy "Rules/find2";
60.69 +
60.70 +use_thy "Sets/Examples";
60.71 +use_thy "Sets/Functions";
60.72 +use_thy "Sets/Relations";
60.73 +use_thy "Sets/Recur";
60.74 +
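Review bot: The four theories loaded by the deleted Recdef/ROOT.ML (`termination`, `Induction`, `Nested1`, `Nested2`) have no `use_thy "Recdef/..."` counterpart in this new file, whereas every other per-directory ROOT.ML deleted in this commit (Rules, Sets, ToyList) is mirrored here line for line; unless Recdef is built elsewhere, those theories silently drop out of the tutorial build. The two `Thy_Output.indent_default` assignments (5 at the top, 0 just before `use_thy "Protocol/NS_Public"`) are unexplained; a one-line comment above the second, e.g. `(* chapters from Protocol onward are typeset with indent 0 *)`, would record why the value changes mid-file. The deleted ToyList/ROOT.ML and Recdef/ROOT.ML also loaded `../settings.ML` / `../settings`, which this file does not `use`; presumably that setup is now handled by the session ROOT, but that is not visible here and is worth confirming. The file also ends with an empty added line, which is probably unintentional.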
61.1 --- a/doc-src/TutorialI/Recdef/ROOT.ML Thu Jul 26 16:08:16 2012 +0200
61.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
61.3 @@ -1,5 +0,0 @@
61.4 -use "../settings";
61.5 -use_thy "termination";
61.6 -use_thy "Induction";
61.7 -use_thy "Nested1";
61.8 -use_thy "Nested2";
62.1 --- a/doc-src/TutorialI/Rules/ROOT.ML Thu Jul 26 16:08:16 2012 +0200
62.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
62.3 @@ -1,7 +0,0 @@
62.4 -use_thy "Basic";
62.5 -use_thy "Blast";
62.6 -use_thy "Force";
62.7 -use_thy "Forward";
62.8 -use_thy "Tacticals";
62.9 -
62.10 -use_thy "find2";
62.11 \ No newline at end of file
63.1 --- a/doc-src/TutorialI/Rules/document/find2.tex Thu Jul 26 16:08:16 2012 +0200
63.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
63.3 @@ -1,101 +0,0 @@
63.4 -%
63.5 -\begin{isabellebody}%
63.6 -\def\isabellecontext{find{\isadigit{2}}}%
63.7 -%
63.8 -\isadelimtheory
63.9 -%
63.10 -\endisadelimtheory
63.11 -%
63.12 -\isatagtheory
63.13 -%
63.14 -\endisatagtheory
63.15 -{\isafoldtheory}%
63.16 -%
63.17 -\isadelimtheory
63.18 -%
63.19 -\endisadelimtheory
63.20 -%
63.21 -\isadelimproof
63.22 -%
63.23 -\endisadelimproof
63.24 -%
63.25 -\isatagproof
63.26 -%
63.27 -\begin{isamarkuptxt}%
63.28 -\index{finding theorems}\index{searching theorems} In
63.29 -\S\ref{sec:find}, we introduced Proof General's \pgmenu{Find} button
63.30 -for finding theorems in the database via pattern matching. If we are
63.31 -inside a proof, we can be more specific; we can search for introduction,
63.32 -elimination and destruction rules \emph{with respect to the current goal}.
63.33 -For this purpose, \pgmenu{Find} provides three aditional search criteria:
63.34 -\texttt{intro}, \texttt{elim} and \texttt{dest}.
63.35 -
63.36 -For example, given the goal \begin{isabelle}%
63.37 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B%
63.38 -\end{isabelle}
63.39 -you can click on \pgmenu{Find} and type in the search expression
63.40 -\texttt{intro}. You will be shown a few rules ending in \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{3F}{\isacharquery}}Q},
63.41 -among them \isa{conjI}\@. You may even discover that
63.42 -the very theorem you are trying to prove is already in the
63.43 -database. Given the goal%
63.44 -\end{isamarkuptxt}%
63.45 -\isamarkuptrue%
63.46 -%
63.47 -\endisatagproof
63.48 -{\isafoldproof}%
63.49 -%
63.50 -\isadelimproof
63.51 -%
63.52 -\endisadelimproof
63.53 -%
63.54 -\isadelimproof
63.55 -%
63.56 -\endisadelimproof
63.57 -%
63.58 -\isatagproof
63.59 -%
63.60 -\begin{isamarkuptxt}%
63.61 -\vspace{-\bigskipamount}
63.62 -\begin{isabelle}%
63.63 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ A%
63.64 -\end{isabelle}
63.65 -the search for \texttt{intro} finds not just \isa{impI}
63.66 -but also \isa{imp{\isaliteral{5F}{\isacharunderscore}}refl}: \isa{{\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P}.
63.67 -
63.68 -As before, search criteria can be combined freely: for example,
63.69 -\begin{ttbox}
63.70 -"_ \at\ _" intro
63.71 -\end{ttbox}
63.72 -searches for all introduction rules that match the current goal and
63.73 -mention the \isa{{\isaliteral{40}{\isacharat}}} function.
63.74 -
63.75 -Searching for elimination and destruction rules via \texttt{elim} and
63.76 -\texttt{dest} is analogous to \texttt{intro} but takes the assumptions
63.77 -into account, too.%
63.78 -\end{isamarkuptxt}%
63.79 -\isamarkuptrue%
63.80 -%
63.81 -\endisatagproof
63.82 -{\isafoldproof}%
63.83 -%
63.84 -\isadelimproof
63.85 -%
63.86 -\endisadelimproof
63.87 -%
63.88 -\isadelimtheory
63.89 -%
63.90 -\endisadelimtheory
63.91 -%
63.92 -\isatagtheory
63.93 -%
63.94 -\endisatagtheory
63.95 -{\isafoldtheory}%
63.96 -%
63.97 -\isadelimtheory
63.98 -%
63.99 -\endisadelimtheory
63.100 -\end{isabellebody}%
63.101 -%%% Local Variables:
63.102 -%%% mode: latex
63.103 -%%% TeX-master: "root"
63.104 -%%% End:
64.1 --- a/doc-src/TutorialI/Rules/rules.tex Thu Jul 26 16:08:16 2012 +0200
64.2 +++ b/doc-src/TutorialI/Rules/rules.tex Thu Jul 26 19:59:06 2012 +0200
64.3 @@ -1809,7 +1809,7 @@
64.4
64.5 \section{Finding More Theorems}
64.6 \label{sec:find2}
64.7 -\input{Rules/document/find2.tex}
64.8 +\input{document/find2.tex}
64.9
64.10
64.11 \section{Forward Proof: Transforming Theorems}\label{sec:forward}
65.1 --- a/doc-src/TutorialI/Sets/ROOT.ML Thu Jul 26 16:08:16 2012 +0200
65.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
65.3 @@ -1,4 +0,0 @@
65.4 -use_thy "Examples";
65.5 -use_thy "Functions";
65.6 -use_thy "Relations";
65.7 -use_thy "Recur";
66.1 --- a/doc-src/TutorialI/ToyList/ROOT.ML Thu Jul 26 16:08:16 2012 +0200
66.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
66.3 @@ -1,3 +0,0 @@
66.4 -use "../settings.ML";
66.5 -use_thy "ToyList";
66.6 -
67.1 --- a/doc-src/TutorialI/ToyList/document/ToyList.tex Thu Jul 26 16:08:16 2012 +0200
67.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
67.3 @@ -1,530 +0,0 @@
67.4 -%
67.5 -\begin{isabellebody}%
67.6 -\def\isabellecontext{ToyList}%
67.7 -%
67.8 -\isadelimtheory
67.9 -%
67.10 -\endisadelimtheory
67.11 -%
67.12 -\isatagtheory
67.13 -\isacommand{theory}\isamarkupfalse%
67.14 -\ ToyList\isanewline
67.15 -\isakeyword{imports}\ Datatype\isanewline
67.16 -\isakeyword{begin}%
67.17 -\endisatagtheory
67.18 -{\isafoldtheory}%
67.19 -%
67.20 -\isadelimtheory
67.21 -%
67.22 -\endisadelimtheory
67.23 -%
67.24 -\begin{isamarkuptext}%
67.25 -\noindent
67.26 -HOL already has a predefined theory of lists called \isa{List} ---
67.27 -\isa{ToyList} is merely a small fragment of it chosen as an example. In
67.28 -contrast to what is recommended in \S\ref{sec:Basic:Theories},
67.29 -\isa{ToyList} is not based on \isa{Main} but on \isa{Datatype}, a
67.30 -theory that contains pretty much everything but lists, thus avoiding
67.31 -ambiguities caused by defining lists twice.%
67.32 -\end{isamarkuptext}%
67.33 -\isamarkuptrue%
67.34 -\isacommand{datatype}\isamarkupfalse%
67.35 -\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{3D}{\isacharequal}}\ Nil\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
67.36 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Cons\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixr}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{23}{\isacharhash}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}%
67.37 -\begin{isamarkuptext}%
67.38 -\noindent
67.39 -The datatype\index{datatype@\isacommand {datatype} (command)}
67.40 -\tydx{list} introduces two
67.41 -constructors \cdx{Nil} and \cdx{Cons}, the
67.42 -empty~list and the operator that adds an element to the front of a list. For
67.43 -example, the term \isa{Cons True (Cons False Nil)} is a value of
67.44 -type \isa{bool\ list}, namely the list with the elements \isa{True} and
67.45 -\isa{False}. Because this notation quickly becomes unwieldy, the
67.46 -datatype declaration is annotated with an alternative syntax: instead of
67.47 -\isa{Nil} and \isa{Cons x xs} we can write
67.48 -\isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}\index{$HOL2list@\isa{[]}|bold} and
67.49 -\isa{x\ {\isaliteral{23}{\isacharhash}}\ xs}\index{$HOL2list@\isa{\#}|bold}. In fact, this
67.50 -alternative syntax is the familiar one. Thus the list \isa{Cons True
67.51 -(Cons False Nil)} becomes \isa{True\ {\isaliteral{23}{\isacharhash}}\ False\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}. The annotation
67.52 -\isacommand{infixr}\index{infixr@\isacommand{infixr} (annotation)}
67.53 -means that \isa{{\isaliteral{23}{\isacharhash}}} associates to
67.54 -the right: the term \isa{x\ {\isaliteral{23}{\isacharhash}}\ y\ {\isaliteral{23}{\isacharhash}}\ z} is read as \isa{x\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ z{\isaliteral{29}{\isacharparenright}}}
67.55 -and not as \isa{{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ z}.
67.56 -The \isa{{\isadigit{6}}{\isadigit{5}}} is the priority of the infix \isa{{\isaliteral{23}{\isacharhash}}}.
67.57 -
67.58 -\begin{warn}
67.59 - Syntax annotations can be powerful, but they are difficult to master and
67.60 - are never necessary. You
67.61 - could drop them from theory \isa{ToyList} and go back to the identifiers
67.62 - \isa{Nil} and \isa{Cons}. Novices should avoid using
67.63 - syntax annotations in their own theories.
67.64 -\end{warn}
67.65 -Next, two functions \isa{app} and \cdx{rev} are defined recursively,
67.66 -in this order, because Isabelle insists on definition before use:%
67.67 -\end{isamarkuptext}%
67.68 -\isamarkuptrue%
67.69 -\isacommand{primrec}\isamarkupfalse%
67.70 -\ app\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixr}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{40}{\isacharat}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}\ \isakeyword{where}\isanewline
67.71 -{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ ys\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
67.72 -{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
67.73 -\isanewline
67.74 -\isacommand{primrec}\isamarkupfalse%
67.75 -\ rev\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
67.76 -{\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
67.77 -{\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ xs{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
67.78 -\begin{isamarkuptext}%
67.79 -\noindent
67.80 -Each function definition is of the form
67.81 -\begin{center}
67.82 -\isacommand{primrec} \textit{name} \isa{{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}} \textit{type} \textit{(optional syntax)} \isakeyword{where} \textit{equations}
67.83 -\end{center}
67.84 -The equations must be separated by \isa{{\isaliteral{7C}{\isacharbar}}}.
67.85 -%
67.86 -Function \isa{app} is annotated with concrete syntax. Instead of the
67.87 -prefix syntax \isa{app\ xs\ ys} the infix
67.88 -\isa{xs\ {\isaliteral{40}{\isacharat}}\ ys}\index{$HOL2list@\isa{\at}|bold} becomes the preferred
67.89 -form.
67.90 -
67.91 -\index{*rev (constant)|(}\index{append function|(}
67.92 -The equations for \isa{app} and \isa{rev} hardly need comments:
67.93 -\isa{app} appends two lists and \isa{rev} reverses a list. The
67.94 -keyword \commdx{primrec} indicates that the recursion is
67.95 -of a particularly primitive kind where each recursive call peels off a datatype
67.96 -constructor from one of the arguments. Thus the
67.97 -recursion always terminates, i.e.\ the function is \textbf{total}.
67.98 -\index{functions!total}
67.99 -
67.100 -The termination requirement is absolutely essential in HOL, a logic of total
67.101 -functions. If we were to drop it, inconsistencies would quickly arise: the
67.102 -``definition'' $f(n) = f(n)+1$ immediately leads to $0 = 1$ by subtracting
67.103 -$f(n)$ on both sides.
67.104 -% However, this is a subtle issue that we cannot discuss here further.
67.105 -
67.106 -\begin{warn}
67.107 - As we have indicated, the requirement for total functions is an essential characteristic of HOL\@. It is only
67.108 - because of totality that reasoning in HOL is comparatively easy. More
67.109 - generally, the philosophy in HOL is to refrain from asserting arbitrary axioms (such as
67.110 - function definitions whose totality has not been proved) because they
67.111 - quickly lead to inconsistencies. Instead, fixed constructs for introducing
67.112 - types and functions are offered (such as \isacommand{datatype} and
67.113 - \isacommand{primrec}) which are guaranteed to preserve consistency.
67.114 -\end{warn}
67.115 -
67.116 -\index{syntax}%
67.117 -A remark about syntax. The textual definition of a theory follows a fixed
67.118 -syntax with keywords like \isacommand{datatype} and \isacommand{end}.
67.119 -% (see Fig.~\ref{fig:keywords} in Appendix~\ref{sec:Appendix} for a full list).
67.120 -Embedded in this syntax are the types and formulae of HOL, whose syntax is
67.121 -extensible (see \S\ref{sec:concrete-syntax}), e.g.\ by new user-defined infix operators.
67.122 -To distinguish the two levels, everything
67.123 -HOL-specific (terms and types) should be enclosed in
67.124 -\texttt{"}\dots\texttt{"}.
67.125 -To lessen this burden, quotation marks around a single identifier can be
67.126 -dropped, unless the identifier happens to be a keyword, for example
67.127 -\isa{"end"}.
67.128 -When Isabelle prints a syntax error message, it refers to the HOL syntax as
67.129 -the \textbf{inner syntax} and the enclosing theory language as the \textbf{outer syntax}.
67.130 -
67.131 -Comments\index{comment} must be in enclosed in \texttt{(* }and\texttt{ *)}.
67.132 -
67.133 -\section{Evaluation}
67.134 -\index{evaluation}
67.135 -
67.136 -Assuming you have processed the declarations and definitions of
67.137 -\texttt{ToyList} presented so far, you may want to test your
67.138 -functions by running them. For example, what is the value of
67.139 -\isa{rev\ {\isaliteral{28}{\isacharparenleft}}True\ {\isaliteral{23}{\isacharhash}}\ False\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}}? Command%
67.140 -\end{isamarkuptext}%
67.141 -\isamarkuptrue%
67.142 -\isacommand{value}\isamarkupfalse%
67.143 -\ {\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{28}{\isacharparenleft}}True\ {\isaliteral{23}{\isacharhash}}\ False\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
67.144 -\begin{isamarkuptext}%
67.145 -\noindent yields the correct result \isa{False\ {\isaliteral{23}{\isacharhash}}\ True\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}.
67.146 -But we can go beyond mere functional programming and evaluate terms with
67.147 -variables in them, executing functions symbolically:%
67.148 -\end{isamarkuptext}%
67.149 -\isamarkuptrue%
67.150 -\isacommand{value}\isamarkupfalse%
67.151 -\ {\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ b\ {\isaliteral{23}{\isacharhash}}\ c\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
67.152 -\begin{isamarkuptext}%
67.153 -\noindent yields \isa{c\ {\isaliteral{23}{\isacharhash}}\ b\ {\isaliteral{23}{\isacharhash}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}.
67.154 -
67.155 -\section{An Introductory Proof}
67.156 -\label{sec:intro-proof}
67.157 -
67.158 -Having convinced ourselves (as well as one can by testing) that our
67.159 -definitions capture our intentions, we are ready to prove a few simple
67.160 -theorems. This will illustrate not just the basic proof commands but
67.161 -also the typical proof process.
67.162 -
67.163 -\subsubsection*{Main Goal.}
67.164 -
67.165 -Our goal is to show that reversing a list twice produces the original
67.166 -list.%
67.167 -\end{isamarkuptext}%
67.168 -\isamarkuptrue%
67.169 -\isacommand{theorem}\isamarkupfalse%
67.170 -\ rev{\isaliteral{5F}{\isacharunderscore}}rev\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
67.171 -\isadelimproof
67.172 -%
67.173 -\endisadelimproof
67.174 -%
67.175 -\isatagproof
67.176 -%
67.177 -\begin{isamarkuptxt}%
67.178 -\index{theorem@\isacommand {theorem} (command)|bold}%
67.179 -\noindent
67.180 -This \isacommand{theorem} command does several things:
67.181 -\begin{itemize}
67.182 -\item
67.183 -It establishes a new theorem to be proved, namely \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs}.
67.184 -\item
67.185 -It gives that theorem the name \isa{rev{\isaliteral{5F}{\isacharunderscore}}rev}, for later reference.
67.186 -\item
67.187 -It tells Isabelle (via the bracketed attribute \attrdx{simp}) to take the eventual theorem as a simplification rule: future proofs involving
67.188 -simplification will replace occurrences of \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}} by
67.189 -\isa{xs}.
67.190 -\end{itemize}
67.191 -The name and the simplification attribute are optional.
67.192 -Isabelle's response is to print the initial proof state consisting
67.193 -of some header information (like how many subgoals there are) followed by
67.194 -\begin{isabelle}%
67.195 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs%
67.196 -\end{isabelle}
67.197 -For compactness reasons we omit the header in this tutorial.
67.198 -Until we have finished a proof, the \rmindex{proof state} proper
67.199 -always looks like this:
67.200 -\begin{isabelle}
67.201 -~1.~$G\sb{1}$\isanewline
67.202 -~~\vdots~~\isanewline
67.203 -~$n$.~$G\sb{n}$
67.204 -\end{isabelle}
67.205 -The numbered lines contain the subgoals $G\sb{1}$, \dots, $G\sb{n}$
67.206 -that we need to prove to establish the main goal.\index{subgoals}
67.207 -Initially there is only one subgoal, which is identical with the
67.208 -main goal. (If you always want to see the main goal as well,
67.209 -set the flag \isa{Proof.show_main_goal}\index{*show_main_goal (flag)}
67.210 ---- this flag used to be set by default.)
67.211 -
67.212 -Let us now get back to \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs}. Properties of recursively
67.213 -defined functions are best established by induction. In this case there is
67.214 -nothing obvious except induction on \isa{xs}:%
67.215 -\end{isamarkuptxt}%
67.216 -\isamarkuptrue%
67.217 -\isacommand{apply}\isamarkupfalse%
67.218 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
67.219 -\begin{isamarkuptxt}%
67.220 -\noindent\index{*induct_tac (method)}%
67.221 -This tells Isabelle to perform induction on variable \isa{xs}. The suffix
67.222 -\isa{tac} stands for \textbf{tactic},\index{tactics}
67.223 -a synonym for ``theorem proving function''.
67.224 -By default, induction acts on the first subgoal. The new proof state contains
67.225 -two subgoals, namely the base case (\isa{Nil}) and the induction step
67.226 -(\isa{Cons}):
67.227 -\begin{isabelle}%
67.228 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\isanewline
67.229 -\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
67.230 -\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ list{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list%
67.231 -\end{isabelle}
67.232 -
67.233 -The induction step is an example of the general format of a subgoal:\index{subgoals}
67.234 -\begin{isabelle}
67.235 -~$i$.~{\isasymAnd}$x\sb{1}$~\dots$x\sb{n}$.~{\it assumptions}~{\isasymLongrightarrow}~{\it conclusion}
67.236 -\end{isabelle}\index{$IsaAnd@\isasymAnd|bold}
67.237 -The prefix of bound variables \isasymAnd$x\sb{1}$~\dots~$x\sb{n}$ can be
67.238 -ignored most of the time, or simply treated as a list of variables local to
67.239 -this subgoal. Their deeper significance is explained in Chapter~\ref{chap:rules}.
67.240 -The {\it assumptions}\index{assumptions!of subgoal}
67.241 -are the local assumptions for this subgoal and {\it
67.242 - conclusion}\index{conclusion!of subgoal} is the actual proposition to be proved.
67.243 -Typical proof steps
67.244 -that add new assumptions are induction and case distinction. In our example
67.245 -the only assumption is the induction hypothesis \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ list}, where \isa{list} is a variable name chosen by Isabelle. If there
67.246 -are multiple assumptions, they are enclosed in the bracket pair
67.247 -\indexboldpos{\isasymlbrakk}{$Isabrl} and
67.248 -\indexboldpos{\isasymrbrakk}{$Isabrr} and separated by semicolons.
67.249 -
67.250 -Let us try to solve both goals automatically:%
67.251 -\end{isamarkuptxt}%
67.252 -\isamarkuptrue%
67.253 -\isacommand{apply}\isamarkupfalse%
67.254 -{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
67.255 -\begin{isamarkuptxt}%
67.256 -\noindent
67.257 -This command tells Isabelle to apply a proof strategy called
67.258 -\isa{auto} to all subgoals. Essentially, \isa{auto} tries to
67.259 -simplify the subgoals. In our case, subgoal~1 is solved completely (thanks
67.260 -to the equation \isa{rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}) and disappears; the simplified version
67.261 -of subgoal~2 becomes the new subgoal~1:
67.262 -\begin{isabelle}%
67.263 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
67.264 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list%
67.265 -\end{isabelle}
67.266 -In order to simplify this subgoal further, a lemma suggests itself.%
67.267 -\end{isamarkuptxt}%
67.268 -\isamarkuptrue%
67.269 -%
67.270 -\endisatagproof
67.271 -{\isafoldproof}%
67.272 -%
67.273 -\isadelimproof
67.274 -%
67.275 -\endisadelimproof
67.276 -%
67.277 -\isamarkupsubsubsection{First Lemma%
67.278 -}
67.279 -\isamarkuptrue%
67.280 -%
67.281 -\begin{isamarkuptext}%
67.282 -\indexbold{abandoning a proof}\indexbold{proofs!abandoning}
67.283 -After abandoning the above proof attempt (at the shell level type
67.284 -\commdx{oops}) we start a new proof:%
67.285 -\end{isamarkuptext}%
67.286 -\isamarkuptrue%
67.287 -\isacommand{lemma}\isamarkupfalse%
67.288 -\ rev{\isaliteral{5F}{\isacharunderscore}}app\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
67.289 -\isadelimproof
67.290 -%
67.291 -\endisadelimproof
67.292 -%
67.293 -\isatagproof
67.294 -%
67.295 -\begin{isamarkuptxt}%
67.296 -\noindent The keywords \commdx{theorem} and
67.297 -\commdx{lemma} are interchangeable and merely indicate
67.298 -the importance we attach to a proposition. Therefore we use the words
67.299 -\emph{theorem} and \emph{lemma} pretty much interchangeably, too.
67.300 -
67.301 -There are two variables that we could induct on: \isa{xs} and
67.302 -\isa{ys}. Because \isa{{\isaliteral{40}{\isacharat}}} is defined by recursion on
67.303 -the first argument, \isa{xs} is the correct one:%
67.304 -\end{isamarkuptxt}%
67.305 -\isamarkuptrue%
67.306 -\isacommand{apply}\isamarkupfalse%
67.307 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
67.308 -\begin{isamarkuptxt}%
67.309 -\noindent
67.310 -This time not even the base case is solved automatically:%
67.311 -\end{isamarkuptxt}%
67.312 -\isamarkuptrue%
67.313 -\isacommand{apply}\isamarkupfalse%
67.314 -{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
67.315 -\begin{isamarkuptxt}%
67.316 -\begin{isabelle}%
67.317 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ rev\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ ys\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
67.318 -\end{isabelle}
67.319 -Again, we need to abandon this proof attempt and prove another simple lemma
67.320 -first. In the future the step of abandoning an incomplete proof before
67.321 -embarking on the proof of a lemma usually remains implicit.%
67.322 -\end{isamarkuptxt}%
67.323 -\isamarkuptrue%
67.324 -%
67.325 -\endisatagproof
67.326 -{\isafoldproof}%
67.327 -%
67.328 -\isadelimproof
67.329 -%
67.330 -\endisadelimproof
67.331 -%
67.332 -\isamarkupsubsubsection{Second Lemma%
67.333 -}
67.334 -\isamarkuptrue%
67.335 -%
67.336 -\begin{isamarkuptext}%
67.337 -We again try the canonical proof procedure:%
67.338 -\end{isamarkuptext}%
67.339 -\isamarkuptrue%
67.340 -\isacommand{lemma}\isamarkupfalse%
67.341 -\ app{\isaliteral{5F}{\isacharunderscore}}Nil{\isadigit{2}}\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
67.342 -%
67.343 -\isadelimproof
67.344 -%
67.345 -\endisadelimproof
67.346 -%
67.347 -\isatagproof
67.348 -\isacommand{apply}\isamarkupfalse%
67.349 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
67.350 -\isacommand{apply}\isamarkupfalse%
67.351 -{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
67.352 -\begin{isamarkuptxt}%
67.353 -\noindent
67.354 -It works, yielding the desired message \isa{No\ subgoals{\isaliteral{21}{\isacharbang}}}:
67.355 -\begin{isabelle}%
67.356 -xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ xs\isanewline
67.357 -No\ subgoals{\isaliteral{21}{\isacharbang}}%
67.358 -\end{isabelle}
67.359 -We still need to confirm that the proof is now finished:%
67.360 -\end{isamarkuptxt}%
67.361 -\isamarkuptrue%
67.362 -\isacommand{done}\isamarkupfalse%
67.363 -%
67.364 -\endisatagproof
67.365 -{\isafoldproof}%
67.366 -%
67.367 -\isadelimproof
67.368 -%
67.369 -\endisadelimproof
67.370 -%
67.371 -\begin{isamarkuptext}%
67.372 -\noindent
67.373 -As a result of that final \commdx{done}, Isabelle associates the lemma just proved
67.374 -with its name. In this tutorial, we sometimes omit to show that final \isacommand{done}
67.375 -if it is obvious from the context that the proof is finished.
67.376 -
67.377 -% Instead of \isacommand{apply} followed by a dot, you can simply write
67.378 -% \isacommand{by}\indexbold{by}, which we do most of the time.
67.379 -Notice that in lemma \isa{app{\isaliteral{5F}{\isacharunderscore}}Nil{\isadigit{2}}},
67.380 -as printed out after the final \isacommand{done}, the free variable \isa{xs} has been
67.381 -replaced by the unknown \isa{{\isaliteral{3F}{\isacharquery}}xs}, just as explained in
67.382 -\S\ref{sec:variables}.
67.383 -
67.384 -Going back to the proof of the first lemma%
67.385 -\end{isamarkuptext}%
67.386 -\isamarkuptrue%
67.387 -\isacommand{lemma}\isamarkupfalse%
67.388 -\ rev{\isaliteral{5F}{\isacharunderscore}}app\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
67.389 -%
67.390 -\isadelimproof
67.391 -%
67.392 -\endisadelimproof
67.393 -%
67.394 -\isatagproof
67.395 -\isacommand{apply}\isamarkupfalse%
67.396 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
67.397 -\isacommand{apply}\isamarkupfalse%
67.398 -{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
67.399 -\begin{isamarkuptxt}%
67.400 -\noindent
67.401 -we find that this time \isa{auto} solves the base case, but the
67.402 -induction step merely simplifies to
67.403 -\begin{isabelle}%
67.404 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
67.405 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }rev\ {\isaliteral{28}{\isacharparenleft}}list\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ ys\ {\isaliteral{40}{\isacharat}}\ rev\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
67.406 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{28}{\isacharparenleft}}rev\ ys\ {\isaliteral{40}{\isacharat}}\ rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ ys\ {\isaliteral{40}{\isacharat}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
67.407 -\end{isabelle}
67.408 -Now we need to remember that \isa{{\isaliteral{40}{\isacharat}}} associates to the right, and that
67.409 -\isa{{\isaliteral{23}{\isacharhash}}} and \isa{{\isaliteral{40}{\isacharat}}} have the same priority (namely the \isa{{\isadigit{6}}{\isadigit{5}}}
67.410 -in their \isacommand{infixr} annotation). Thus the conclusion really is
67.411 -\begin{isabelle}
67.412 -~~~~~(rev~ys~@~rev~list)~@~(a~\#~[])~=~rev~ys~@~(rev~list~@~(a~\#~[]))
67.413 -\end{isabelle}
67.414 -and the missing lemma is associativity of \isa{{\isaliteral{40}{\isacharat}}}.%
67.415 -\end{isamarkuptxt}%
67.416 -\isamarkuptrue%
67.417 -%
67.418 -\endisatagproof
67.419 -{\isafoldproof}%
67.420 -%
67.421 -\isadelimproof
67.422 -%
67.423 -\endisadelimproof
67.424 -%
67.425 -\isamarkupsubsubsection{Third Lemma%
67.426 -}
67.427 -\isamarkuptrue%
67.428 -%
67.429 -\begin{isamarkuptext}%
67.430 -Abandoning the previous attempt, the canonical proof procedure
67.431 -succeeds without further ado.%
67.432 -\end{isamarkuptext}%
67.433 -\isamarkuptrue%
67.434 -\isacommand{lemma}\isamarkupfalse%
67.435 -\ app{\isaliteral{5F}{\isacharunderscore}}assoc\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}ys\ {\isaliteral{40}{\isacharat}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
67.436 -%
67.437 -\isadelimproof
67.438 -%
67.439 -\endisadelimproof
67.440 -%
67.441 -\isatagproof
67.442 -\isacommand{apply}\isamarkupfalse%
67.443 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
67.444 -\isacommand{apply}\isamarkupfalse%
67.445 -{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
67.446 -\isacommand{done}\isamarkupfalse%
67.447 -%
67.448 -\endisatagproof
67.449 -{\isafoldproof}%
67.450 -%
67.451 -\isadelimproof
67.452 -%
67.453 -\endisadelimproof
67.454 -%
67.455 -\begin{isamarkuptext}%
67.456 -\noindent
67.457 -Now we can prove the first lemma:%
67.458 -\end{isamarkuptext}%
67.459 -\isamarkuptrue%
67.460 -\isacommand{lemma}\isamarkupfalse%
67.461 -\ rev{\isaliteral{5F}{\isacharunderscore}}app\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
67.462 -%
67.463 -\isadelimproof
67.464 -%
67.465 -\endisadelimproof
67.466 -%
67.467 -\isatagproof
67.468 -\isacommand{apply}\isamarkupfalse%
67.469 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
67.470 -\isacommand{apply}\isamarkupfalse%
67.471 -{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
67.472 -\isacommand{done}\isamarkupfalse%
67.473 -%
67.474 -\endisatagproof
67.475 -{\isafoldproof}%
67.476 -%
67.477 -\isadelimproof
67.478 -%
67.479 -\endisadelimproof
67.480 -%
67.481 -\begin{isamarkuptext}%
67.482 -\noindent
67.483 -Finally, we prove our main theorem:%
67.484 -\end{isamarkuptext}%
67.485 -\isamarkuptrue%
67.486 -\isacommand{theorem}\isamarkupfalse%
67.487 -\ rev{\isaliteral{5F}{\isacharunderscore}}rev\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
67.488 -%
67.489 -\isadelimproof
67.490 -%
67.491 -\endisadelimproof
67.492 -%
67.493 -\isatagproof
67.494 -\isacommand{apply}\isamarkupfalse%
67.495 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
67.496 -\isacommand{apply}\isamarkupfalse%
67.497 -{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
67.498 -\isacommand{done}\isamarkupfalse%
67.499 -%
67.500 -\endisatagproof
67.501 -{\isafoldproof}%
67.502 -%
67.503 -\isadelimproof
67.504 -%
67.505 -\endisadelimproof
67.506 -%
67.507 -\begin{isamarkuptext}%
67.508 -\noindent
67.509 -The final \commdx{end} tells Isabelle to close the current theory because
67.510 -we are finished with its development:%
67.511 -\index{*rev (constant)|)}\index{append function|)}%
67.512 -\end{isamarkuptext}%
67.513 -\isamarkuptrue%
67.514 -%
67.515 -\isadelimtheory
67.516 -%
67.517 -\endisadelimtheory
67.518 -%
67.519 -\isatagtheory
67.520 -\isacommand{end}\isamarkupfalse%
67.521 -%
67.522 -\endisatagtheory
67.523 -{\isafoldtheory}%
67.524 -%
67.525 -\isadelimtheory
67.526 -%
67.527 -\endisadelimtheory
67.528 -\isanewline
67.529 -\end{isabellebody}%
67.530 -%%% Local Variables:
67.531 -%%% mode: latex
67.532 -%%% TeX-master: "root"
67.533 -%%% End:
68.1 --- a/doc-src/TutorialI/Trie/ROOT.ML Thu Jul 26 16:08:16 2012 +0200
68.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
68.3 @@ -1,2 +0,0 @@
68.4 -use "../settings.ML";
68.5 -use_thy "Trie";
69.1 --- a/doc-src/TutorialI/Trie/document/Trie.tex Thu Jul 26 16:08:16 2012 +0200
69.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
69.3 @@ -1,297 +0,0 @@
69.4 -%
69.5 -\begin{isabellebody}%
69.6 -\def\isabellecontext{Trie}%
69.7 -%
69.8 -\isadelimtheory
69.9 -%
69.10 -\endisadelimtheory
69.11 -%
69.12 -\isatagtheory
69.13 -%
69.14 -\endisatagtheory
69.15 -{\isafoldtheory}%
69.16 -%
69.17 -\isadelimtheory
69.18 -%
69.19 -\endisadelimtheory
69.20 -%
69.21 -\begin{isamarkuptext}%
69.22 -To minimize running time, each node of a trie should contain an array that maps
69.23 -letters to subtries. We have chosen a
69.24 -representation where the subtries are held in an association list, i.e.\ a
69.25 -list of (letter,trie) pairs. Abstracting over the alphabet \isa{{\isaliteral{27}{\isacharprime}}a} and the
69.26 -values \isa{{\isaliteral{27}{\isacharprime}}v} we define a trie as follows:%
69.27 -\end{isamarkuptext}%
69.28 -\isamarkuptrue%
69.29 -\isacommand{datatype}\isamarkupfalse%
69.30 -\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{3D}{\isacharequal}}\ Trie\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie{\isaliteral{29}{\isacharparenright}}list{\isaliteral{22}{\isachardoublequoteclose}}%
69.31 -\begin{isamarkuptext}%
69.32 -\noindent
69.33 -\index{datatypes!and nested recursion}%
69.34 -The first component is the optional value, the second component the
69.35 -association list of subtries. This is an example of nested recursion involving products,
69.36 -which is fine because products are datatypes as well.
69.37 -We define two selector functions:%
69.38 -\end{isamarkuptext}%
69.39 -\isamarkuptrue%
69.40 -\isacommand{primrec}\isamarkupfalse%
69.41 -\ {\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
69.42 -{\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{28}{\isacharparenleft}}Trie\ ov\ al{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ov{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
69.43 -\isacommand{primrec}\isamarkupfalse%
69.44 -\ alist\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie{\isaliteral{29}{\isacharparenright}}list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
69.45 -{\isaliteral{22}{\isachardoublequoteopen}}alist{\isaliteral{28}{\isacharparenleft}}Trie\ ov\ al{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ al{\isaliteral{22}{\isachardoublequoteclose}}%
69.46 -\begin{isamarkuptext}%
69.47 -\noindent
69.48 -Association lists come with a generic lookup function. Its result
69.49 -involves type \isa{option} because a lookup can fail:%
69.50 -\end{isamarkuptext}%
69.51 -\isamarkuptrue%
69.52 -\isacommand{primrec}\isamarkupfalse%
69.53 -\ assoc\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}key\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}val{\isaliteral{29}{\isacharparenright}}list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}key\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}val\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
69.54 -{\isaliteral{22}{\isachardoublequoteopen}}assoc\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ x\ {\isaliteral{3D}{\isacharequal}}\ None{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
69.55 -{\isaliteral{22}{\isachardoublequoteopen}}assoc\ {\isaliteral{28}{\isacharparenleft}}p{\isaliteral{23}{\isacharhash}}ps{\isaliteral{29}{\isacharparenright}}\ x\ {\isaliteral{3D}{\isacharequal}}\isanewline
69.56 -\ \ \ {\isaliteral{28}{\isacharparenleft}}let\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p\ in\ if\ a{\isaliteral{3D}{\isacharequal}}x\ then\ Some\ b\ else\ assoc\ ps\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
69.57 -\begin{isamarkuptext}%
69.58 -Now we can define the lookup function for tries. It descends into the trie
69.59 -examining the letters of the search string one by one. As
69.60 -recursion on lists is simpler than on tries, let us express this as primitive
69.61 -recursion on the search string argument:%
69.62 -\end{isamarkuptext}%
69.63 -\isamarkuptrue%
69.64 -\isacommand{primrec}\isamarkupfalse%
69.65 -\ lookup\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
69.66 -{\isaliteral{22}{\isachardoublequoteopen}}lookup\ t\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ value\ t{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
69.67 -{\isaliteral{22}{\isachardoublequoteopen}}lookup\ t\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{23}{\isacharhash}}as{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ assoc\ {\isaliteral{28}{\isacharparenleft}}alist\ t{\isaliteral{29}{\isacharparenright}}\ a\ of\isanewline
69.68 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ None\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ None\isanewline
69.69 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Some\ at\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ lookup\ at\ as{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
69.70 -\begin{isamarkuptext}%
69.71 -As a first simple property we prove that looking up a string in the empty
69.72 -trie \isa{Trie\ None\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} always returns \isa{None}. The proof merely
69.73 -distinguishes the two cases whether the search string is empty or not:%
69.74 -\end{isamarkuptext}%
69.75 -\isamarkuptrue%
69.76 -\isacommand{lemma}\isamarkupfalse%
69.77 -\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}lookup\ {\isaliteral{28}{\isacharparenleft}}Trie\ None\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ as\ {\isaliteral{3D}{\isacharequal}}\ None{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
69.78 -%
69.79 -\isadelimproof
69.80 -%
69.81 -\endisadelimproof
69.82 -%
69.83 -\isatagproof
69.84 -\isacommand{apply}\isamarkupfalse%
69.85 -{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ as{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
69.86 -\isacommand{done}\isamarkupfalse%
69.87 -%
69.88 -\endisatagproof
69.89 -{\isafoldproof}%
69.90 -%
69.91 -\isadelimproof
69.92 -%
69.93 -\endisadelimproof
69.94 -%
69.95 -\begin{isamarkuptext}%
69.96 -Things begin to get interesting with the definition of an update function
69.97 -that adds a new (string, value) pair to a trie, overwriting the old value
69.98 -associated with that string:%
69.99 -\end{isamarkuptext}%
69.100 -\isamarkuptrue%
69.101 -\isacommand{primrec}\isamarkupfalse%
69.102 -\ update{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
69.103 -{\isaliteral{22}{\isachardoublequoteopen}}update\ t\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ v\ {\isaliteral{3D}{\isacharequal}}\ Trie\ {\isaliteral{28}{\isacharparenleft}}Some\ v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}alist\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
69.104 -{\isaliteral{22}{\isachardoublequoteopen}}update\ t\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{23}{\isacharhash}}as{\isaliteral{29}{\isacharparenright}}\ v\ {\isaliteral{3D}{\isacharequal}}\isanewline
69.105 -\ \ \ {\isaliteral{28}{\isacharparenleft}}let\ tt\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ assoc\ {\isaliteral{28}{\isacharparenleft}}alist\ t{\isaliteral{29}{\isacharparenright}}\ a\ of\isanewline
69.106 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ None\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ Trie\ None\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ Some\ at\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ at{\isaliteral{29}{\isacharparenright}}\isanewline
69.107 -\ \ \ \ in\ Trie\ {\isaliteral{28}{\isacharparenleft}}value\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}update\ tt\ as\ v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ alist\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
69.108 -\begin{isamarkuptext}%
69.109 -\noindent
69.110 -The base case is obvious. In the recursive case the subtrie
69.111 -\isa{tt} associated with the first letter \isa{a} is extracted,
69.112 -recursively updated, and then placed in front of the association list.
69.113 -The old subtrie associated with \isa{a} is still in the association list
69.114 -but no longer accessible via \isa{assoc}. Clearly, there is room here for
69.115 -optimizations!
69.116 -
69.117 -Before we start on any proofs about \isa{update} we tell the simplifier to
69.118 -expand all \isa{let}s and to split all \isa{case}-constructs over
69.119 -options:%
69.120 -\end{isamarkuptext}%
69.121 -\isamarkuptrue%
69.122 -\isacommand{declare}\isamarkupfalse%
69.123 -\ Let{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}\ option{\isaliteral{2E}{\isachardot}}split{\isaliteral{5B}{\isacharbrackleft}}split{\isaliteral{5D}{\isacharbrackright}}%
69.124 -\begin{isamarkuptext}%
69.125 -\noindent
69.126 -The reason becomes clear when looking (probably after a failed proof
69.127 -attempt) at the body of \isa{update}: it contains both
69.128 -\isa{let} and a case distinction over type \isa{option}.
69.129 -
69.130 -Our main goal is to prove the correct interaction of \isa{update} and
69.131 -\isa{lookup}:%
69.132 -\end{isamarkuptext}%
69.133 -\isamarkuptrue%
69.134 -\isacommand{theorem}\isamarkupfalse%
69.135 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ v\ bs{\isaliteral{2E}{\isachardot}}\ lookup\ {\isaliteral{28}{\isacharparenleft}}update\ t\ as\ v{\isaliteral{29}{\isacharparenright}}\ bs\ {\isaliteral{3D}{\isacharequal}}\isanewline
69.136 -\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}if\ as{\isaliteral{3D}{\isacharequal}}bs\ then\ Some\ v\ else\ lookup\ t\ bs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
69.137 -\isadelimproof
69.138 -%
69.139 -\endisadelimproof
69.140 -%
69.141 -\isatagproof
69.142 -%
69.143 -\begin{isamarkuptxt}%
69.144 -\noindent
69.145 -Our plan is to induct on \isa{as}; hence the remaining variables are
69.146 -quantified. From the definitions it is clear that induction on either
69.147 -\isa{as} or \isa{bs} is required. The choice of \isa{as} is
69.148 -guided by the intuition that simplification of \isa{lookup} might be easier
69.149 -if \isa{update} has already been simplified, which can only happen if
69.150 -\isa{as} is instantiated.
69.151 -The start of the proof is conventional:%
69.152 -\end{isamarkuptxt}%
69.153 -\isamarkuptrue%
69.154 -\isacommand{apply}\isamarkupfalse%
69.155 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ as{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}%
69.156 -\begin{isamarkuptxt}%
69.157 -\noindent
69.158 -Unfortunately, this time we are left with three intimidating looking subgoals:
69.159 -\begin{isabelle}
69.160 -~1.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs\isanewline
69.161 -~2.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs\isanewline
69.162 -~3.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs
69.163 -\end{isabelle}
69.164 -Clearly, if we want to make headway we have to instantiate \isa{bs} as
69.165 -well now. It turns out that instead of induction, case distinction
69.166 -suffices:%
69.167 -\end{isamarkuptxt}%
69.168 -\isamarkuptrue%
69.169 -\isacommand{apply}\isamarkupfalse%
69.170 -{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}\ bs{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}\isanewline
69.171 -\isacommand{done}\isamarkupfalse%
69.172 -%
69.173 -\endisatagproof
69.174 -{\isafoldproof}%
69.175 -%
69.176 -\isadelimproof
69.177 -%
69.178 -\endisadelimproof
69.179 -%
69.180 -\begin{isamarkuptext}%
69.181 -\noindent
69.182 -\index{subgoal numbering}%
69.183 -All methods ending in \isa{tac} take an optional first argument that
69.184 -specifies the range of subgoals they are applied to, where \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}} means
69.185 -all subgoals, i.e.\ \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isadigit{1}}{\isaliteral{2D}{\isacharminus}}{\isadigit{3}}{\isaliteral{5D}{\isacharbrackright}}} in our case. Individual subgoal numbers,
69.186 -e.g. \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isadigit{2}}{\isaliteral{5D}{\isacharbrackright}}} are also allowed.
69.187 -
69.188 -This proof may look surprisingly straightforward. However, note that this
69.189 -comes at a cost: the proof script is unreadable because the intermediate
69.190 -proof states are invisible, and we rely on the (possibly brittle) magic of
69.191 -\isa{auto} (\isa{simp{\isaliteral{5F}{\isacharunderscore}}all} will not do --- try it) to split the subgoals
69.192 -of the induction up in such a way that case distinction on \isa{bs} makes
69.193 -sense and solves the proof.
69.194 -
69.195 -\begin{exercise}
69.196 - Modify \isa{update} (and its type) such that it allows both insertion and
69.197 - deletion of entries with a single function. Prove the corresponding version
69.198 - of the main theorem above.
69.199 - Optimize your function such that it shrinks tries after
69.200 - deletion if possible.
69.201 -\end{exercise}
69.202 -
69.203 -\begin{exercise}
69.204 - Write an improved version of \isa{update} that does not suffer from the
69.205 - space leak (pointed out above) caused by not deleting overwritten entries
69.206 - from the association list. Prove the main theorem for your improved
69.207 - \isa{update}.
69.208 -\end{exercise}
69.209 -
69.210 -\begin{exercise}
69.211 - Conceptually, each node contains a mapping from letters to optional
69.212 - subtries. Above we have implemented this by means of an association
69.213 - list. Replay the development replacing \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ trie{\isaliteral{29}{\isacharparenright}}\ list}
69.214 - with \isa{{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ trie\ option}.
69.215 -\end{exercise}%
69.216 -\end{isamarkuptext}%
69.217 -\isamarkuptrue%
69.218 -%
69.219 -\isadelimproof
69.220 -%
69.221 -\endisadelimproof
69.222 -%
69.223 -\isatagproof
69.224 -%
69.225 -\endisatagproof
69.226 -{\isafoldproof}%
69.227 -%
69.228 -\isadelimproof
69.229 -%
69.230 -\endisadelimproof
69.231 -%
69.232 -\isadelimproof
69.233 -%
69.234 -\endisadelimproof
69.235 -%
69.236 -\isatagproof
69.237 -%
69.238 -\endisatagproof
69.239 -{\isafoldproof}%
69.240 -%
69.241 -\isadelimproof
69.242 -%
69.243 -\endisadelimproof
69.244 -%
69.245 -\isadelimproof
69.246 -%
69.247 -\endisadelimproof
69.248 -%
69.249 -\isatagproof
69.250 -%
69.251 -\endisatagproof
69.252 -{\isafoldproof}%
69.253 -%
69.254 -\isadelimproof
69.255 -%
69.256 -\endisadelimproof
69.257 -%
69.258 -\isadelimproof
69.259 -%
69.260 -\endisadelimproof
69.261 -%
69.262 -\isatagproof
69.263 -%
69.264 -\endisatagproof
69.265 -{\isafoldproof}%
69.266 -%
69.267 -\isadelimproof
69.268 -%
69.269 -\endisadelimproof
69.270 -%
69.271 -\isadelimproof
69.272 -%
69.273 -\endisadelimproof
69.274 -%
69.275 -\isatagproof
69.276 -%
69.277 -\endisatagproof
69.278 -{\isafoldproof}%
69.279 -%
69.280 -\isadelimproof
69.281 -%
69.282 -\endisadelimproof
69.283 -%
69.284 -\isadelimtheory
69.285 -%
69.286 -\endisadelimtheory
69.287 -%
69.288 -\isatagtheory
69.289 -%
69.290 -\endisatagtheory
69.291 -{\isafoldtheory}%
69.292 -%
69.293 -\isadelimtheory
69.294 -%
69.295 -\endisadelimtheory
69.296 -\end{isabellebody}%
69.297 -%%% Local Variables:
69.298 -%%% mode: latex
69.299 -%%% TeX-master: "root"
69.300 -%%% End:
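--- a/doc-src/TutorialI/Types/ROOT.ML
+++ /dev/null
@@ -1,10 +0,0 @@
-
-no_document use_thy "Setup";
-
-use "../settings.ML";
-use_thy "Numbers";
-use_thy "Pairs";
-use_thy "Records";
-use_thy "Typedefs";
-use_thy "Overloading";
-use_thy "Axioms";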
71.1 --- a/doc-src/TutorialI/Types/document/Axioms.tex Thu Jul 26 16:08:16 2012 +0200
71.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
71.3 @@ -1,487 +0,0 @@
71.4 -%
71.5 -\begin{isabellebody}%
71.6 -\def\isabellecontext{Axioms}%
71.7 -%
71.8 -\isadelimtheory
71.9 -%
71.10 -\endisadelimtheory
71.11 -%
71.12 -\isatagtheory
71.13 -%
71.14 -\endisatagtheory
71.15 -{\isafoldtheory}%
71.16 -%
71.17 -\isadelimtheory
71.18 -%
71.19 -\endisadelimtheory
71.20 -%
71.21 -\isamarkupsubsection{Axioms%
71.22 -}
71.23 -\isamarkuptrue%
71.24 -%
71.25 -\begin{isamarkuptext}%
71.26 -Attaching axioms to our classes lets us reason on the level of
71.27 -classes. The results will be applicable to all types in a class, just
71.28 -as in axiomatic mathematics.
71.29 -
71.30 -\begin{warn}
71.31 -Proofs in this section use structured \emph{Isar} proofs, which are not
71.32 -covered in this tutorial; but see \cite{Nipkow-TYPES02}.%
71.33 -\end{warn}%
71.34 -\end{isamarkuptext}%
71.35 -\isamarkuptrue%
71.36 -%
71.37 -\isamarkupsubsubsection{Semigroups%
71.38 -}
71.39 -\isamarkuptrue%
71.40 -%
71.41 -\begin{isamarkuptext}%
71.42 -We specify \emph{semigroups} as subclass of \isa{plus}:%
71.43 -\end{isamarkuptext}%
71.44 -\isamarkuptrue%
71.45 -\isacommand{class}\isamarkupfalse%
71.46 -\ semigroup\ {\isaliteral{3D}{\isacharequal}}\ plus\ {\isaliteral{2B}{\isacharplus}}\isanewline
71.47 -\ \ \isakeyword{assumes}\ assoc{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
71.48 -\begin{isamarkuptext}%
71.49 -\noindent This \hyperlink{command.class}{\mbox{\isa{\isacommand{class}}}} specification requires that
71.50 -all instances of \isa{semigroup} obey \hyperlink{fact.assoc:}{\mbox{\isa{assoc{\isaliteral{3A}{\isacharcolon}}}}}~\isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{5C3C416E643E}{\isasymAnd}}x\ y\ z\ {\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}}.
71.51 -
71.52 -We can use this class axiom to derive further abstract theorems
71.53 -relative to class \isa{semigroup}:%
71.54 -\end{isamarkuptext}%
71.55 -\isamarkuptrue%
71.56 -\isacommand{lemma}\isamarkupfalse%
71.57 -\ assoc{\isaliteral{5F}{\isacharunderscore}}left{\isaliteral{3A}{\isacharcolon}}\isanewline
71.58 -\ \ \isakeyword{fixes}\ x\ y\ z\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.59 -\ \ \isakeyword{shows}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.60 -%
71.61 -\isadelimproof
71.62 -\ \ %
71.63 -\endisadelimproof
71.64 -%
71.65 -\isatagproof
71.66 -\isacommand{using}\isamarkupfalse%
71.67 -\ assoc\ \isacommand{by}\isamarkupfalse%
71.68 -\ {\isaliteral{28}{\isacharparenleft}}rule\ sym{\isaliteral{29}{\isacharparenright}}%
71.69 -\endisatagproof
71.70 -{\isafoldproof}%
71.71 -%
71.72 -\isadelimproof
71.73 -%
71.74 -\endisadelimproof
71.75 -%
71.76 -\begin{isamarkuptext}%
71.77 -\noindent The \isa{semigroup} constraint on type \isa{{\isaliteral{27}{\isacharprime}}a} restricts instantiations of \isa{{\isaliteral{27}{\isacharprime}}a} to types of class
71.78 -\isa{semigroup} and during the proof enables us to use the fact
71.79 -\hyperlink{fact.assoc}{\mbox{\isa{assoc}}} whose type parameter is itself constrained to class
71.80 -\isa{semigroup}. The main advantage of classes is that theorems
71.81 -can be proved in the abstract and freely reused for each instance.
71.82 -
71.83 -On instantiation, we have to give a proof that the given operations
71.84 -obey the class axioms:%
71.85 -\end{isamarkuptext}%
71.86 -\isamarkuptrue%
71.87 -\isacommand{instantiation}\isamarkupfalse%
71.88 -\ nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ semigroup\isanewline
71.89 -\isakeyword{begin}\isanewline
71.90 -\isanewline
71.91 -\isacommand{instance}\isamarkupfalse%
71.92 -%
71.93 -\isadelimproof
71.94 -\ %
71.95 -\endisadelimproof
71.96 -%
71.97 -\isatagproof
71.98 -\isacommand{proof}\isamarkupfalse%
71.99 -%
71.100 -\begin{isamarkuptxt}%
71.101 -\noindent The proof opens with a default proof step, which for
71.102 -instance judgements invokes method \hyperlink{method.intro-classes}{\mbox{\isa{intro{\isaliteral{5F}{\isacharunderscore}}classes}}}.%
71.103 -\end{isamarkuptxt}%
71.104 -\isamarkuptrue%
71.105 -\ \ \isacommand{fix}\isamarkupfalse%
71.106 -\ m\ n\ q\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ nat\isanewline
71.107 -\ \ \isacommand{show}\isamarkupfalse%
71.108 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ q\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ q{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.109 -\ \ \ \ \isacommand{by}\isamarkupfalse%
71.110 -\ {\isaliteral{28}{\isacharparenleft}}induct\ m{\isaliteral{29}{\isacharparenright}}\ simp{\isaliteral{5F}{\isacharunderscore}}all\isanewline
71.111 -\isacommand{qed}\isamarkupfalse%
71.112 -%
71.113 -\endisatagproof
71.114 -{\isafoldproof}%
71.115 -%
71.116 -\isadelimproof
71.117 -%
71.118 -\endisadelimproof
71.119 -\isanewline
71.120 -\isanewline
71.121 -\isacommand{end}\isamarkupfalse%
71.122 -%
71.123 -\begin{isamarkuptext}%
71.124 -\noindent Again, the interesting things enter the stage with
71.125 -parametric types:%
71.126 -\end{isamarkuptext}%
71.127 -\isamarkuptrue%
71.128 -\isacommand{instantiation}\isamarkupfalse%
71.129 -\ prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{28}{\isacharparenleft}}semigroup{\isaliteral{2C}{\isacharcomma}}\ semigroup{\isaliteral{29}{\isacharparenright}}\ semigroup\isanewline
71.130 -\isakeyword{begin}\isanewline
71.131 -\isanewline
71.132 -\isacommand{instance}\isamarkupfalse%
71.133 -%
71.134 -\isadelimproof
71.135 -\ %
71.136 -\endisadelimproof
71.137 -%
71.138 -\isatagproof
71.139 -\isacommand{proof}\isamarkupfalse%
71.140 -\isanewline
71.141 -\ \ \isacommand{fix}\isamarkupfalse%
71.142 -\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.143 -\ \ \isacommand{show}\isamarkupfalse%
71.144 -\ {\isaliteral{22}{\isachardoublequoteopen}}p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}\ {\isaliteral{3D}{\isacharequal}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.145 -\ \ \ \ \isacommand{by}\isamarkupfalse%
71.146 -\ {\isaliteral{28}{\isacharparenleft}}cases\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ cases\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}{\isaliteral{2C}{\isacharcomma}}\ cases\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ assoc{\isaliteral{29}{\isacharparenright}}%
71.147 -\begin{isamarkuptxt}%
71.148 -\noindent Associativity of product semigroups is established
71.149 -using the hypothetical associativity \hyperlink{fact.assoc}{\mbox{\isa{assoc}}} of the type
71.150 -components, which holds due to the \isa{semigroup} constraints
71.151 -imposed on the type components by the \hyperlink{command.instance}{\mbox{\isa{\isacommand{instance}}}} proposition.
71.152 -Indeed, this pattern often occurs with parametric types and type
71.153 -classes.%
71.154 -\end{isamarkuptxt}%
71.155 -\isamarkuptrue%
71.156 -\isacommand{qed}\isamarkupfalse%
71.157 -%
71.158 -\endisatagproof
71.159 -{\isafoldproof}%
71.160 -%
71.161 -\isadelimproof
71.162 -%
71.163 -\endisadelimproof
71.164 -\isanewline
71.165 -\isanewline
71.166 -\isacommand{end}\isamarkupfalse%
71.167 -%
71.168 -\isamarkupsubsubsection{Monoids%
71.169 -}
71.170 -\isamarkuptrue%
71.171 -%
71.172 -\begin{isamarkuptext}%
71.173 -We define a subclass \isa{monoidl} (a semigroup with a
71.174 -left-hand neutral) by extending \isa{semigroup} with one additional
71.175 -parameter \isa{neutral} together with its property:%
71.176 -\end{isamarkuptext}%
71.177 -\isamarkuptrue%
71.178 -\isacommand{class}\isamarkupfalse%
71.179 -\ monoidl\ {\isaliteral{3D}{\isacharequal}}\ semigroup\ {\isaliteral{2B}{\isacharplus}}\isanewline
71.180 -\ \ \isakeyword{fixes}\ neutral\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
71.181 -\ \ \isakeyword{assumes}\ neutl{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}%
71.182 -\begin{isamarkuptext}%
71.183 -\noindent Again, we prove some instances, by providing
71.184 -suitable parameter definitions and proofs for the additional
71.185 -specifications.%
71.186 -\end{isamarkuptext}%
71.187 -\isamarkuptrue%
71.188 -\isacommand{instantiation}\isamarkupfalse%
71.189 -\ nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ monoidl\isanewline
71.190 -\isakeyword{begin}\isanewline
71.191 -\isanewline
71.192 -\isacommand{definition}\isamarkupfalse%
71.193 -\isanewline
71.194 -\ \ neutral{\isaliteral{5F}{\isacharunderscore}}nat{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.195 -\isanewline
71.196 -\isacommand{instance}\isamarkupfalse%
71.197 -%
71.198 -\isadelimproof
71.199 -\ %
71.200 -\endisadelimproof
71.201 -%
71.202 -\isatagproof
71.203 -\isacommand{proof}\isamarkupfalse%
71.204 -\isanewline
71.205 -\ \ \isacommand{fix}\isamarkupfalse%
71.206 -\ n\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ nat\isanewline
71.207 -\ \ \isacommand{show}\isamarkupfalse%
71.208 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.209 -\ \ \ \ \isacommand{unfolding}\isamarkupfalse%
71.210 -\ neutral{\isaliteral{5F}{\isacharunderscore}}nat{\isaliteral{5F}{\isacharunderscore}}def\ \isacommand{by}\isamarkupfalse%
71.211 -\ simp\isanewline
71.212 -\isacommand{qed}\isamarkupfalse%
71.213 -%
71.214 -\endisatagproof
71.215 -{\isafoldproof}%
71.216 -%
71.217 -\isadelimproof
71.218 -%
71.219 -\endisadelimproof
71.220 -\isanewline
71.221 -\isanewline
71.222 -\isacommand{end}\isamarkupfalse%
71.223 -%
71.224 -\begin{isamarkuptext}%
71.225 -\noindent In contrast to the examples above, we here have both
71.226 -specification of class operations and a non-trivial instance proof.
71.227 -
71.228 -This covers products as well:%
71.229 -\end{isamarkuptext}%
71.230 -\isamarkuptrue%
71.231 -\isacommand{instantiation}\isamarkupfalse%
71.232 -\ prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{28}{\isacharparenleft}}monoidl{\isaliteral{2C}{\isacharcomma}}\ monoidl{\isaliteral{29}{\isacharparenright}}\ monoidl\isanewline
71.233 -\isakeyword{begin}\isanewline
71.234 -\isanewline
71.235 -\isacommand{definition}\isamarkupfalse%
71.236 -\isanewline
71.237 -\ \ neutral{\isaliteral{5F}{\isacharunderscore}}prod{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.238 -\isanewline
71.239 -\isacommand{instance}\isamarkupfalse%
71.240 -%
71.241 -\isadelimproof
71.242 -\ %
71.243 -\endisadelimproof
71.244 -%
71.245 -\isatagproof
71.246 -\isacommand{proof}\isamarkupfalse%
71.247 -\isanewline
71.248 -\ \ \isacommand{fix}\isamarkupfalse%
71.249 -\ p\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}monoidl\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}monoidl{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.250 -\ \ \isacommand{show}\isamarkupfalse%
71.251 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.252 -\ \ \ \ \isacommand{by}\isamarkupfalse%
71.253 -\ {\isaliteral{28}{\isacharparenleft}}cases\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ neutral{\isaliteral{5F}{\isacharunderscore}}prod{\isaliteral{5F}{\isacharunderscore}}def\ neutl{\isaliteral{29}{\isacharparenright}}\isanewline
71.254 -\isacommand{qed}\isamarkupfalse%
71.255 -%
71.256 -\endisatagproof
71.257 -{\isafoldproof}%
71.258 -%
71.259 -\isadelimproof
71.260 -%
71.261 -\endisadelimproof
71.262 -\isanewline
71.263 -\isanewline
71.264 -\isacommand{end}\isamarkupfalse%
71.265 -%
71.266 -\begin{isamarkuptext}%
71.267 -\noindent Fully-fledged monoids are modelled by another
71.268 -subclass which does not add new parameters but tightens the
71.269 -specification:%
71.270 -\end{isamarkuptext}%
71.271 -\isamarkuptrue%
71.272 -\isacommand{class}\isamarkupfalse%
71.273 -\ monoid\ {\isaliteral{3D}{\isacharequal}}\ monoidl\ {\isaliteral{2B}{\isacharplus}}\isanewline
71.274 -\ \ \isakeyword{assumes}\ neutr{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}%
71.275 -\begin{isamarkuptext}%
71.276 -\noindent Corresponding instances for \isa{nat} and products
71.277 -are left as an exercise to the reader.%
71.278 -\end{isamarkuptext}%
71.279 -\isamarkuptrue%
71.280 -%
71.281 -\isamarkupsubsubsection{Groups%
71.282 -}
71.283 -\isamarkuptrue%
71.284 -%
71.285 -\begin{isamarkuptext}%
71.286 -\noindent To finish our small algebra example, we add a \isa{group} class:%
71.287 -\end{isamarkuptext}%
71.288 -\isamarkuptrue%
71.289 -\isacommand{class}\isamarkupfalse%
71.290 -\ group\ {\isaliteral{3D}{\isacharequal}}\ monoidl\ {\isaliteral{2B}{\isacharplus}}\isanewline
71.291 -\ \ \isakeyword{fixes}\ inv\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isadigit{8}}{\isadigit{1}}{\isaliteral{5D}{\isacharbrackright}}\ {\isadigit{8}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
71.292 -\ \ \isakeyword{assumes}\ invl{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{22}{\isachardoublequoteclose}}%
71.293 -\begin{isamarkuptext}%
71.294 -\noindent We continue with a further example for abstract
71.295 -proofs relative to type classes:%
71.296 -\end{isamarkuptext}%
71.297 -\isamarkuptrue%
71.298 -\isacommand{lemma}\isamarkupfalse%
71.299 -\ left{\isaliteral{5F}{\isacharunderscore}}cancel{\isaliteral{3A}{\isacharcolon}}\isanewline
71.300 -\ \ \isakeyword{fixes}\ x\ y\ z\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}group{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.301 -\ \ \isakeyword{shows}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z\ {\isaliteral{5C3C6C6F6E676C65667472696768746172726F773E}{\isasymlongleftrightarrow}}\ y\ {\isaliteral{3D}{\isacharequal}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.302 -%
71.303 -\isadelimproof
71.304 -%
71.305 -\endisadelimproof
71.306 -%
71.307 -\isatagproof
71.308 -\isacommand{proof}\isamarkupfalse%
71.309 -\isanewline
71.310 -\ \ \isacommand{assume}\isamarkupfalse%
71.311 -\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.312 -\ \ \isacommand{then}\isamarkupfalse%
71.313 -\ \isacommand{have}\isamarkupfalse%
71.314 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
71.315 -\ simp\isanewline
71.316 -\ \ \isacommand{then}\isamarkupfalse%
71.317 -\ \isacommand{have}\isamarkupfalse%
71.318 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
71.319 -\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ assoc{\isaliteral{29}{\isacharparenright}}\isanewline
71.320 -\ \ \isacommand{then}\isamarkupfalse%
71.321 -\ \isacommand{show}\isamarkupfalse%
71.322 -\ {\isaliteral{22}{\isachardoublequoteopen}}y\ {\isaliteral{3D}{\isacharequal}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
71.323 -\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ invl\ neutl{\isaliteral{29}{\isacharparenright}}\isanewline
71.324 -\isacommand{next}\isamarkupfalse%
71.325 -\isanewline
71.326 -\ \ \isacommand{assume}\isamarkupfalse%
71.327 -\ {\isaliteral{22}{\isachardoublequoteopen}}y\ {\isaliteral{3D}{\isacharequal}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.328 -\ \ \isacommand{then}\isamarkupfalse%
71.329 -\ \isacommand{show}\isamarkupfalse%
71.330 -\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
71.331 -\ simp\isanewline
71.332 -\isacommand{qed}\isamarkupfalse%
71.333 -%
71.334 -\endisatagproof
71.335 -{\isafoldproof}%
71.336 -%
71.337 -\isadelimproof
71.338 -%
71.339 -\endisadelimproof
71.340 -%
71.341 -\begin{isamarkuptext}%
71.342 -\noindent Any \isa{group} is also a \isa{monoid}; this
71.343 -can be made explicit by claiming an additional subclass relation,
71.344 -together with a proof of the logical difference:%
71.345 -\end{isamarkuptext}%
71.346 -\isamarkuptrue%
71.347 -\isacommand{instance}\isamarkupfalse%
71.348 -\ group\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ monoid\isanewline
71.349 -%
71.350 -\isadelimproof
71.351 -%
71.352 -\endisadelimproof
71.353 -%
71.354 -\isatagproof
71.355 -\isacommand{proof}\isamarkupfalse%
71.356 -\isanewline
71.357 -\ \ \isacommand{fix}\isamarkupfalse%
71.358 -\ x\isanewline
71.359 -\ \ \isacommand{from}\isamarkupfalse%
71.360 -\ invl\ \isacommand{have}\isamarkupfalse%
71.361 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
71.362 -\isanewline
71.363 -\ \ \isacommand{then}\isamarkupfalse%
71.364 -\ \isacommand{have}\isamarkupfalse%
71.365 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
71.366 -\ \ \ \ \isacommand{by}\isamarkupfalse%
71.367 -\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ neutl\ invl\ assoc\ {\isaliteral{5B}{\isacharbrackleft}}symmetric{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
71.368 -\ \ \isacommand{then}\isamarkupfalse%
71.369 -\ \isacommand{show}\isamarkupfalse%
71.370 -\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
71.371 -\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ left{\isaliteral{5F}{\isacharunderscore}}cancel{\isaliteral{29}{\isacharparenright}}\isanewline
71.372 -\isacommand{qed}\isamarkupfalse%
71.373 -%
71.374 -\endisatagproof
71.375 -{\isafoldproof}%
71.376 -%
71.377 -\isadelimproof
71.378 -%
71.379 -\endisadelimproof
71.380 -%
71.381 -\begin{isamarkuptext}%
71.382 -\noindent The proof result is propagated to the type system,
71.383 -making \isa{group} an instance of \isa{monoid} by adding an
71.384 -additional edge to the graph of subclass relation; see also
71.385 -Figure~\ref{fig:subclass}.
71.386 -
71.387 -\begin{figure}[htbp]
71.388 - \begin{center}
71.389 - \small
71.390 - \unitlength 0.6mm
71.391 - \begin{picture}(40,60)(0,0)
71.392 - \put(20,60){\makebox(0,0){\isa{semigroup}}}
71.393 - \put(20,40){\makebox(0,0){\isa{monoidl}}}
71.394 - \put(00,20){\makebox(0,0){\isa{monoid}}}
71.395 - \put(40,00){\makebox(0,0){\isa{group}}}
71.396 - \put(20,55){\vector(0,-1){10}}
71.397 - \put(15,35){\vector(-1,-1){10}}
71.398 - \put(25,35){\vector(1,-3){10}}
71.399 - \end{picture}
71.400 - \hspace{8em}
71.401 - \begin{picture}(40,60)(0,0)
71.402 - \put(20,60){\makebox(0,0){\isa{semigroup}}}
71.403 - \put(20,40){\makebox(0,0){\isa{monoidl}}}
71.404 - \put(00,20){\makebox(0,0){\isa{monoid}}}
71.405 - \put(40,00){\makebox(0,0){\isa{group}}}
71.406 - \put(20,55){\vector(0,-1){10}}
71.407 - \put(15,35){\vector(-1,-1){10}}
71.408 - \put(05,15){\vector(3,-1){30}}
71.409 - \end{picture}
71.410 - \caption{Subclass relationship of monoids and groups:
71.411 - before and after establishing the relationship
71.412 - \isa{group\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ monoid}; transitive edges are left out.}
71.413 - \label{fig:subclass}
71.414 - \end{center}
71.415 -\end{figure}%
71.416 -\end{isamarkuptext}%
71.417 -\isamarkuptrue%
71.418 -%
71.419 -\isamarkupsubsubsection{Inconsistencies%
71.420 -}
71.421 -\isamarkuptrue%
71.422 -%
71.423 -\begin{isamarkuptext}%
71.424 -The reader may be wondering what happens if we attach an
71.425 -inconsistent set of axioms to a class. So far we have always avoided
71.426 -to add new axioms to HOL for fear of inconsistencies and suddenly it
71.427 -seems that we are throwing all caution to the wind. So why is there no
71.428 -problem?
71.429 -
71.430 -The point is that by construction, all type variables in the axioms of
71.431 -a \isacommand{class} are automatically constrained with the class
71.432 -being defined (as shown for axiom \isa{refl} above). These
71.433 -constraints are always carried around and Isabelle takes care that
71.434 -they are never lost, unless the type variable is instantiated with a
71.435 -type that has been shown to belong to that class. Thus you may be able
71.436 -to prove \isa{False} from your axioms, but Isabelle will remind you
71.437 -that this theorem has the hidden hypothesis that the class is
71.438 -non-empty.
71.439 -
71.440 -Even if each individual class is consistent, intersections of
71.441 -(unrelated) classes readily become inconsistent in practice. Now we
71.442 -know this need not worry us.%
71.443 -\end{isamarkuptext}%
71.444 -\isamarkuptrue%
71.445 -%
71.446 -\isamarkupsubsubsection{Syntactic Classes and Predefined Overloading%
71.447 -}
71.448 -\isamarkuptrue%
71.449 -%
71.450 -\begin{isamarkuptext}%
71.451 -In our algebra example, we have started with a \emph{syntactic
71.452 -class} \isa{plus} which only specifies operations but no axioms; it
71.453 -would have been also possible to start immediately with class \isa{semigroup}, specifying the \isa{{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}} operation and associativity at
71.454 -the same time.
71.455 -
71.456 -Which approach is more appropriate depends. Usually it is more
71.457 -convenient to introduce operations and axioms in the same class: then
71.458 -the type checker will automatically insert the corresponding class
71.459 -constraints whenever the operations occur, reducing the need of manual
71.460 -annotations. However, when operations are decorated with popular
71.461 -syntax, syntactic classes can be an option to re-use the syntax in
71.462 -different contexts; this is indeed the way most overloaded constants
71.463 -in HOL are introduced, of which the most important are listed in
71.464 -Table~\ref{tab:overloading} in the appendix. Section
71.465 -\ref{sec:numeric-classes} covers a range of corresponding classes
71.466 -\emph{with} axioms.
71.467 -
71.468 -Further note that classes may contain axioms but \emph{no} operations.
71.469 -An example is class \isa{finite} from theory \isa{Finite{\isaliteral{5F}{\isacharunderscore}}Set}
71.470 -which specifies a type to be finite: \isa{{\isaliteral{22}{\isachardoublequote}}finite\ {\isaliteral{28}{\isacharparenleft}}UNIV\ {\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}finite\ set{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}}.%
71.471 -\end{isamarkuptext}%
71.472 -\isamarkuptrue%
71.473 -%
71.474 -\isadelimtheory
71.475 -%
71.476 -\endisadelimtheory
71.477 -%
71.478 -\isatagtheory
71.479 -%
71.480 -\endisatagtheory
71.481 -{\isafoldtheory}%
71.482 -%
71.483 -\isadelimtheory
71.484 -%
71.485 -\endisadelimtheory
71.486 -\end{isabellebody}%
71.487 -%%% Local Variables:
71.488 -%%% mode: latex
71.489 -%%% TeX-master: "root"
71.490 -%%% End:
72.1 --- a/doc-src/TutorialI/Types/document/Numbers.tex Thu Jul 26 16:08:16 2012 +0200
72.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
72.3 @@ -1,611 +0,0 @@
72.4 -%
72.5 -\begin{isabellebody}%
72.6 -\def\isabellecontext{Numbers}%
72.7 -%
72.8 -\isadelimtheory
72.9 -%
72.10 -\endisadelimtheory
72.11 -%
72.12 -\isatagtheory
72.13 -\isacommand{theory}\isamarkupfalse%
72.14 -\ Numbers\isanewline
72.15 -\isakeyword{imports}\ Complex{\isaliteral{5F}{\isacharunderscore}}Main\isanewline
72.16 -\isakeyword{begin}%
72.17 -\endisatagtheory
72.18 -{\isafoldtheory}%
72.19 -%
72.20 -\isadelimtheory
72.21 -\isanewline
72.22 -%
72.23 -\endisadelimtheory
72.24 -%
72.25 -\isadelimML
72.26 -\isanewline
72.27 -%
72.28 -\endisadelimML
72.29 -%
72.30 -\isatagML
72.31 -\isacommand{ML}\isamarkupfalse%
72.32 -\ {\isaliteral{22}{\isachardoublequoteopen}}Pretty{\isaliteral{2E}{\isachardot}}margin{\isaliteral{5F}{\isacharunderscore}}default\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ {\isadigit{6}}{\isadigit{4}}{\isaliteral{22}{\isachardoublequoteclose}}%
72.33 -\endisatagML
72.34 -{\isafoldML}%
72.35 -%
72.36 -\isadelimML
72.37 -\isanewline
72.38 -%
72.39 -\endisadelimML
72.40 -\isacommand{declare}\isamarkupfalse%
72.41 -\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5B}{\isacharbrackleft}}thy{\isaliteral{5F}{\isacharunderscore}}output{\isaliteral{5F}{\isacharunderscore}}indent\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5D}{\isacharbrackright}}%
72.42 -\begin{isamarkuptext}%
72.43 -numeric literals; default simprules; can re-orient%
72.44 -\end{isamarkuptext}%
72.45 -\isamarkuptrue%
72.46 -\isacommand{lemma}\isamarkupfalse%
72.47 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ m\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{2B}{\isacharplus}}\ m{\isaliteral{22}{\isachardoublequoteclose}}%
72.48 -\isadelimproof
72.49 -%
72.50 -\endisadelimproof
72.51 -%
72.52 -\isatagproof
72.53 -%
72.54 -\begin{isamarkuptxt}%
72.55 -\begin{isabelle}%
72.56 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ m\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{2B}{\isacharplus}}\ m%
72.57 -\end{isabelle}%
72.58 -\end{isamarkuptxt}%
72.59 -\isamarkuptrue%
72.60 -\isacommand{oops}\isamarkupfalse%
72.61 -%
72.62 -\endisatagproof
72.63 -{\isafoldproof}%
72.64 -%
72.65 -\isadelimproof
72.66 -%
72.67 -\endisadelimproof
72.68 -\isanewline
72.69 -\isanewline
72.70 -\isacommand{fun}\isamarkupfalse%
72.71 -\ h\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
72.72 -{\isaliteral{22}{\isachardoublequoteopen}}h\ i\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ i\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{3}}\ then\ {\isadigit{2}}\ else\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
72.73 -\begin{isamarkuptext}%
72.74 -\isa{h\ {\isadigit{3}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}}
72.75 -\isa{h\ i\ {\isaliteral{3D}{\isacharequal}}\ i}%
72.76 -\end{isamarkuptext}%
72.77 -\isamarkuptrue%
72.78 -%
72.79 -\begin{isamarkuptext}%
72.80 -\begin{isabelle}%
72.81 -Numeral{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{1}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}%
72.82 -\end{isabelle}
72.83 -\rulename{numeral_1_eq_1}
72.84 -
72.85 -\begin{isabelle}%
72.86 -{\isadigit{2}}\ {\isaliteral{2B}{\isacharplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
72.87 -\end{isabelle}
72.88 -\rulename{add_2_eq_Suc}
72.89 -
72.90 -\begin{isabelle}%
72.91 -n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{2}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
72.92 -\end{isabelle}
72.93 -\rulename{add_2_eq_Suc'}
72.94 -
72.95 -\begin{isabelle}%
72.96 -a\ {\isaliteral{2B}{\isacharplus}}\ b\ {\isaliteral{2B}{\isacharplus}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2B}{\isacharplus}}\ c{\isaliteral{29}{\isacharparenright}}%
72.97 -\end{isabelle}
72.98 -\rulename{add_assoc}
72.99 -
72.100 -\begin{isabelle}%
72.101 -a\ {\isaliteral{2B}{\isacharplus}}\ b\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2B}{\isacharplus}}\ a%
72.102 -\end{isabelle}
72.103 -\rulename{add_commute}
72.104 -
72.105 -\begin{isabelle}%
72.106 -b\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2B}{\isacharplus}}\ c{\isaliteral{29}{\isacharparenright}}%
72.107 -\end{isabelle}
72.108 -\rulename{add_left_commute}
72.109 -
72.110 -these form add_ac; similarly there is mult_ac%
72.111 -\end{isamarkuptext}%
72.112 -\isamarkuptrue%
72.113 -\isacommand{lemma}\isamarkupfalse%
72.114 -\ {\isaliteral{22}{\isachardoublequoteopen}}Suc{\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ j{\isaliteral{2A}{\isacharasterisk}}l{\isaliteral{2A}{\isacharasterisk}}k\ {\isaliteral{2B}{\isacharplus}}\ m{\isaliteral{2A}{\isacharasterisk}}n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{28}{\isacharparenleft}}n{\isaliteral{2A}{\isacharasterisk}}m\ {\isaliteral{2B}{\isacharplus}}\ i\ {\isaliteral{2B}{\isacharplus}}\ k{\isaliteral{2A}{\isacharasterisk}}j{\isaliteral{2A}{\isacharasterisk}}l{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
72.115 -\isadelimproof
72.116 -%
72.117 -\endisadelimproof
72.118 -%
72.119 -\isatagproof
72.120 -%
72.121 -\begin{isamarkuptxt}%
72.122 -\begin{isabelle}%
72.123 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ l\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{2B}{\isacharplus}}\ m\ {\isaliteral{2A}{\isacharasterisk}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2A}{\isacharasterisk}}\ m\ {\isaliteral{2B}{\isacharplus}}\ i\ {\isaliteral{2B}{\isacharplus}}\ k\ {\isaliteral{2A}{\isacharasterisk}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ l{\isaliteral{29}{\isacharparenright}}%
72.124 -\end{isabelle}%
72.125 -\end{isamarkuptxt}%
72.126 -\isamarkuptrue%
72.127 -\isacommand{apply}\isamarkupfalse%
72.128 -\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ add{\isaliteral{5F}{\isacharunderscore}}ac\ mult{\isaliteral{5F}{\isacharunderscore}}ac{\isaliteral{29}{\isacharparenright}}%
72.129 -\begin{isamarkuptxt}%
72.130 -\begin{isabelle}%
72.131 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2B}{\isacharplus}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2A}{\isacharasterisk}}\ l{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
72.132 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ }f\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2B}{\isacharplus}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2A}{\isacharasterisk}}\ l{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
72.133 -\end{isabelle}%
72.134 -\end{isamarkuptxt}%
72.135 -\isamarkuptrue%
72.136 -\isacommand{oops}\isamarkupfalse%
72.137 -%
72.138 -\endisatagproof
72.139 -{\isafoldproof}%
72.140 -%
72.141 -\isadelimproof
72.142 -%
72.143 -\endisadelimproof
72.144 -%
72.145 -\begin{isamarkuptext}%
72.146 -\begin{isabelle}%
72.147 -m\ {\isaliteral{5C3C6C653E}{\isasymle}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ div\ k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ n\ div\ k%
72.148 -\end{isabelle}
72.149 -\rulename{div_le_mono}
72.150 -
72.151 -\begin{isabelle}%
72.152 -{\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2D}{\isacharminus}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{2D}{\isacharminus}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ k%
72.153 -\end{isabelle}
72.154 -\rulename{diff_mult_distrib}
72.155 -
72.156 -\begin{isabelle}%
72.157 -a\ mod\ b\ {\isaliteral{2A}{\isacharasterisk}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ c\ mod\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}%
72.158 -\end{isabelle}
72.159 -\rulename{mult_mod_left}
72.160 -
72.161 -\begin{isabelle}%
72.162 -P\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2D}{\isacharminus}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{3C}{\isacharless}}\ b\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}d{\isaliteral{2E}{\isachardot}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2B}{\isacharplus}}\ d\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ d{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
72.163 -\end{isabelle}
72.164 -\rulename{nat_diff_split}%
72.165 -\end{isamarkuptext}%
72.166 -\isamarkuptrue%
72.167 -\isacommand{lemma}\isamarkupfalse%
72.168 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
72.169 -%
72.170 -\isadelimproof
72.171 -%
72.172 -\endisadelimproof
72.173 -%
72.174 -\isatagproof
72.175 -\isacommand{apply}\isamarkupfalse%
72.176 -\ {\isaliteral{28}{\isacharparenleft}}clarsimp\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split\ iff\ del{\isaliteral{3A}{\isacharcolon}}\ less{\isaliteral{5F}{\isacharunderscore}}Suc{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
72.177 -\ %
72.178 -\isamarkupcmt{\begin{isabelle}%
72.179 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}d{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{3C}{\isacharless}}\ Suc\ {\isadigit{0}}{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{3D}{\isacharequal}}\ Suc\ d{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ d\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}%
72.180 -\end{isabelle}%
72.181 -}
72.182 -\isanewline
72.183 -\isacommand{apply}\isamarkupfalse%
72.184 -\ {\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\ {\isaliteral{22}{\isachardoublequoteopen}}n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ force{\isaliteral{2C}{\isacharcomma}}\ arith{\isaliteral{29}{\isacharparenright}}\isanewline
72.185 -\isacommand{done}\isamarkupfalse%
72.186 -%
72.187 -\endisatagproof
72.188 -{\isafoldproof}%
72.189 -%
72.190 -\isadelimproof
72.191 -\isanewline
72.192 -%
72.193 -\endisadelimproof
72.194 -\isanewline
72.195 -\isanewline
72.196 -\isacommand{lemma}\isamarkupfalse%
72.197 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{4}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
72.198 -%
72.199 -\isadelimproof
72.200 -%
72.201 -\endisadelimproof
72.202 -%
72.203 -\isatagproof
72.204 -\isacommand{apply}\isamarkupfalse%
72.205 -\ {\isaliteral{28}{\isacharparenleft}}simp\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{2C}{\isacharcomma}}\ clarify{\isaliteral{29}{\isacharparenright}}\isanewline
72.206 -\ %
72.207 -\isamarkupcmt{\begin{isabelle}%
72.208 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}d{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{3C}{\isacharless}}\ {\isadigit{2}}{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{4}}\ {\isaliteral{2B}{\isacharplus}}\ d{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ d\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}%
72.209 -\end{isabelle}%
72.210 -}
72.211 -\isanewline
72.212 -\isacommand{apply}\isamarkupfalse%
72.213 -\ {\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\ {\isaliteral{22}{\isachardoublequoteopen}}n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ force{\isaliteral{2C}{\isacharcomma}}\ arith{\isaliteral{29}{\isacharparenright}}\isanewline
72.214 -\isacommand{done}\isamarkupfalse%
72.215 -%
72.216 -\endisatagproof
72.217 -{\isafoldproof}%
72.218 -%
72.219 -\isadelimproof
72.220 -%
72.221 -\endisadelimproof
72.222 -%
72.223 -\begin{isamarkuptext}%
72.224 -\begin{isabelle}%
72.225 -m\ mod\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ m\ {\isaliteral{3C}{\isacharless}}\ n\ then\ m\ else\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2D}{\isacharminus}}\ n{\isaliteral{29}{\isacharparenright}}\ mod\ n{\isaliteral{29}{\isacharparenright}}%
72.226 -\end{isabelle}
72.227 -\rulename{mod_if}
72.228 -
72.229 -\begin{isabelle}%
72.230 -a\ div\ b\ {\isaliteral{2A}{\isacharasterisk}}\ b\ {\isaliteral{2B}{\isacharplus}}\ a\ mod\ b\ {\isaliteral{3D}{\isacharequal}}\ a%
72.231 -\end{isabelle}
72.232 -\rulename{mod_div_equality}
72.233 -
72.234 -
72.235 -\begin{isabelle}%
72.236 -a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ div\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ div\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ div\ c%
72.237 -\end{isabelle}
72.238 -\rulename{div_mult1_eq}
72.239 -
72.240 -\begin{isabelle}%
72.241 -a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ mod\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ mod\ c%
72.242 -\end{isabelle}
72.243 -\rulename{mod_mult_right_eq}
72.244 -
72.245 -\begin{isabelle}%
72.246 -a\ div\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ b\ div\ c%
72.247 -\end{isabelle}
72.248 -\rulename{div_mult2_eq}
72.249 -
72.250 -\begin{isabelle}%
72.251 -a\ mod\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}a\ div\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ mod\ b%
72.252 -\end{isabelle}
72.253 -\rulename{mod_mult2_eq}
72.254 -
72.255 -\begin{isabelle}%
72.256 -c\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ c\ {\isaliteral{2A}{\isacharasterisk}}\ a\ div\ {\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{2A}{\isacharasterisk}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ b%
72.257 -\end{isabelle}
72.258 -\rulename{div_mult_mult1}
72.259 -
72.260 -\begin{isabelle}%
72.261 -a\ div\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}%
72.262 -\end{isabelle}
72.263 -\rulename{div_by_0}
72.264 -
72.265 -\begin{isabelle}%
72.266 -a\ mod\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a%
72.267 -\end{isabelle}
72.268 -\rulename{mod_by_0}
72.269 -
72.270 -\begin{isabelle}%
72.271 -{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}m\ dvd\ n{\isaliteral{3B}{\isacharsemicolon}}\ n\ dvd\ m{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ n%
72.272 -\end{isabelle}
72.273 -\rulename{dvd_antisym}
72.274 -
72.275 -\begin{isabelle}%
72.276 -{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}a\ dvd\ b{\isaliteral{3B}{\isacharsemicolon}}\ a\ dvd\ c{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ dvd\ b\ {\isaliteral{2B}{\isacharplus}}\ c%
72.277 -\end{isabelle}
72.278 -\rulename{dvd_add}
72.279 -
72.280 -For the integers, I'd list a few theorems that somehow involve negative
72.281 -numbers.%
72.282 -\end{isamarkuptext}%
72.283 -\isamarkuptrue%
72.284 -%
72.285 -\begin{isamarkuptext}%
72.286 -Division, remainder of negatives
72.287 -
72.288 -
72.289 -\begin{isabelle}%
72.290 -{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ b\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{0}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ a\ mod\ b%
72.291 -\end{isabelle}
72.292 -\rulename{pos_mod_sign}
72.293 -
72.294 -\begin{isabelle}%
72.295 -{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ b\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ mod\ b\ {\isaliteral{3C}{\isacharless}}\ b%
72.296 -\end{isabelle}
72.297 -\rulename{pos_mod_bound}
72.298 -
72.299 -\begin{isabelle}%
72.300 -b\ {\isaliteral{3C}{\isacharless}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ mod\ b\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isadigit{0}}%
72.301 -\end{isabelle}
72.302 -\rulename{neg_mod_sign}
72.303 -
72.304 -\begin{isabelle}%
72.305 -b\ {\isaliteral{3C}{\isacharless}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b\ {\isaliteral{3C}{\isacharless}}\ a\ mod\ b%
72.306 -\end{isabelle}
72.307 -\rulename{neg_mod_bound}
72.308 -
72.309 -\begin{isabelle}%
72.310 -{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{29}{\isacharparenright}}\ div\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ div\ c\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}a\ mod\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ div\ c%
72.311 -\end{isabelle}
72.312 -\rulename{zdiv_zadd1_eq}
72.313 -
72.314 -\begin{isabelle}%
72.315 -{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{29}{\isacharparenright}}\ mod\ c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ mod\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ mod\ c%
72.316 -\end{isabelle}
72.317 -\rulename{mod_add_eq}
72.318 -
72.319 -\begin{isabelle}%
72.320 -a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ div\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ div\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ div\ c%
72.321 -\end{isabelle}
72.322 -\rulename{zdiv_zmult1_eq}
72.323 -
72.324 -\begin{isabelle}%
72.325 -a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ mod\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ mod\ c%
72.326 -\end{isabelle}
72.327 -\rulename{mod_mult_right_eq}
72.328 -
72.329 -\begin{isabelle}%
72.330 -{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ div\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ b\ div\ c%
72.331 -\end{isabelle}
72.332 -\rulename{zdiv_zmult2_eq}
72.333 -
72.334 -\begin{isabelle}%
72.335 -{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ mod\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}a\ div\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ mod\ b%
72.336 -\end{isabelle}
72.337 -\rulename{zmod_zmult2_eq}%
72.338 -\end{isamarkuptext}%
72.339 -\isamarkuptrue%
72.340 -\isacommand{lemma}\isamarkupfalse%
72.341 -\ {\isaliteral{22}{\isachardoublequoteopen}}abs\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2B}{\isacharplus}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ abs\ x\ {\isaliteral{2B}{\isacharplus}}\ abs\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
72.342 -%
72.343 -\isadelimproof
72.344 -%
72.345 -\endisadelimproof
72.346 -%
72.347 -\isatagproof
72.348 -\isacommand{by}\isamarkupfalse%
72.349 -\ arith%
72.350 -\endisatagproof
72.351 -{\isafoldproof}%
72.352 -%
72.353 -\isadelimproof
72.354 -\isanewline
72.355 -%
72.356 -\endisadelimproof
72.357 -\isanewline
72.358 -\isacommand{lemma}\isamarkupfalse%
72.359 -\ {\isaliteral{22}{\isachardoublequoteopen}}abs\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}{\isaliteral{2A}{\isacharasterisk}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ abs\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
72.360 -%
72.361 -\isadelimproof
72.362 -%
72.363 -\endisadelimproof
72.364 -%
72.365 -\isatagproof
72.366 -\isacommand{by}\isamarkupfalse%
72.367 -\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ abs{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{29}{\isacharparenright}}%
72.368 -\endisatagproof
72.369 -{\isafoldproof}%
72.370 -%
72.371 -\isadelimproof
72.372 -%
72.373 -\endisadelimproof
72.374 -%
72.375 -\begin{isamarkuptext}%
72.376 -Induction rules for the Integers
72.377 -
72.378 -\begin{isabelle}%
72.379 -{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ k{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
72.380 -\end{isabelle}
72.381 -\rulename{int_ge_induct}
72.382 -
72.383 -\begin{isabelle}%
72.384 -{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{3C}{\isacharless}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{3C}{\isacharless}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
72.385 -\end{isabelle}
72.386 -\rulename{int_gr_induct}
72.387 -
72.388 -\begin{isabelle}%
72.389 -{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ k{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
72.390 -\end{isabelle}
72.391 -\rulename{int_le_induct}
72.392 -
72.393 -\begin{isabelle}%
72.394 -{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{3C}{\isacharless}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{3C}{\isacharless}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
72.395 -\end{isabelle}
72.396 -\rulename{int_less_induct}%
72.397 -\end{isamarkuptext}%
72.398 -\isamarkuptrue%
72.399 -%
72.400 -\begin{isamarkuptext}%
72.401 -FIELDS
72.402 -
72.403 -\begin{isabelle}%
72.404 -x\ {\isaliteral{3C}{\isacharless}}\ y\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}z{\isaliteral{3E}{\isachargreater}}x{\isaliteral{2E}{\isachardot}}\ z\ {\isaliteral{3C}{\isacharless}}\ y%
72.405 -\end{isabelle}
72.406 -\rulename{dense}
72.407 -
72.408 -\begin{isabelle}%
72.409 -a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2F}{\isacharslash}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ {\isaliteral{2F}{\isacharslash}}\ c%
72.410 -\end{isabelle}
72.411 -\rulename{times_divide_eq_right}
72.412 -
72.413 -\begin{isabelle}%
72.414 -b\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{2A}{\isacharasterisk}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ a\ {\isaliteral{2F}{\isacharslash}}\ c%
72.415 -\end{isabelle}
72.416 -\rulename{times_divide_eq_left}
72.417 -
72.418 -\begin{isabelle}%
72.419 -a\ {\isaliteral{2F}{\isacharslash}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2F}{\isacharslash}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ c\ {\isaliteral{2F}{\isacharslash}}\ b%
72.420 -\end{isabelle}
72.421 -\rulename{divide_divide_eq_right}
72.422 -
72.423 -\begin{isabelle}%
72.424 -a\ {\isaliteral{2F}{\isacharslash}}\ b\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2F}{\isacharslash}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}%
72.425 -\end{isabelle}
72.426 -\rulename{divide_divide_eq_left}
72.427 -
72.428 -\begin{isabelle}%
72.429 -{\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2F}{\isacharslash}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2D}{\isacharminus}}\ a\ {\isaliteral{2F}{\isacharslash}}\ b%
72.430 -\end{isabelle}
72.431 -\rulename{minus_divide_left}
72.432 -
72.433 -\begin{isabelle}%
72.434 -{\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2F}{\isacharslash}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2F}{\isacharslash}}\ {\isaliteral{2D}{\isacharminus}}\ b%
72.435 -\end{isabelle}
72.436 -\rulename{minus_divide_right}
72.437 -
72.438 -This last NOT a simprule
72.439 -
72.440 -\begin{isabelle}%
72.441 -{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ {\isaliteral{2F}{\isacharslash}}\ c%
72.442 -\end{isabelle}
72.443 -\rulename{add_divide_distrib}%
72.444 -\end{isamarkuptext}%
72.445 -\isamarkuptrue%
72.446 -\isacommand{lemma}\isamarkupfalse%
72.447 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{3}}{\isaliteral{2F}{\isacharslash}}{\isadigit{4}}\ {\isaliteral{3C}{\isacharless}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{7}}{\isaliteral{2F}{\isacharslash}}{\isadigit{8}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ real{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
72.448 -%
72.449 -\isadelimproof
72.450 -%
72.451 -\endisadelimproof
72.452 -%
72.453 -\isatagproof
72.454 -\isacommand{by}\isamarkupfalse%
72.455 -\ simp%
72.456 -\endisatagproof
72.457 -{\isafoldproof}%
72.458 -%
72.459 -\isadelimproof
72.460 -\ \isanewline
72.461 -%
72.462 -\endisadelimproof
72.463 -\isanewline
72.464 -\isacommand{lemma}\isamarkupfalse%
72.465 -\ {\isaliteral{22}{\isachardoublequoteopen}}P\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}{\isadigit{3}}{\isaliteral{2F}{\isacharslash}}{\isadigit{4}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}{\isaliteral{2F}{\isacharslash}}{\isadigit{1}}{\isadigit{5}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ real{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
72.466 -\isadelimproof
72.467 -%
72.468 -\endisadelimproof
72.469 -%
72.470 -\isatagproof
72.471 -%
72.472 -\begin{isamarkuptxt}%
72.473 -\begin{isabelle}%
72.474 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{3}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{4}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{1}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
72.475 -\end{isabelle}%
72.476 -\end{isamarkuptxt}%
72.477 -\isamarkuptrue%
72.478 -\isacommand{apply}\isamarkupfalse%
72.479 -\ simp%
72.480 -\begin{isamarkuptxt}%
72.481 -\begin{isabelle}%
72.482 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{5}}{\isaliteral{29}{\isacharparenright}}%
72.483 -\end{isabelle}%
72.484 -\end{isamarkuptxt}%
72.485 -\isamarkuptrue%
72.486 -\isacommand{oops}\isamarkupfalse%
72.487 -%
72.488 -\endisatagproof
72.489 -{\isafoldproof}%
72.490 -%
72.491 -\isadelimproof
72.492 -%
72.493 -\endisadelimproof
72.494 -\isanewline
72.495 -\isanewline
72.496 -\isacommand{lemma}\isamarkupfalse%
72.497 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isadigit{3}}{\isaliteral{2F}{\isacharslash}}{\isadigit{4}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}{\isaliteral{2F}{\isacharslash}}{\isadigit{1}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ real{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
72.498 -\isadelimproof
72.499 -%
72.500 -\endisadelimproof
72.501 -%
72.502 -\isatagproof
72.503 -%
72.504 -\begin{isamarkuptxt}%
72.505 -\begin{isabelle}%
72.506 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{3}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{4}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{1}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ x%
72.507 -\end{isabelle}%
72.508 -\end{isamarkuptxt}%
72.509 -\isamarkuptrue%
72.510 -\isacommand{apply}\isamarkupfalse%
72.511 -\ simp%
72.512 -\begin{isamarkuptxt}%
72.513 -\begin{isabelle}%
72.514 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{3C}{\isacharless}}\ x\ {\isaliteral{2A}{\isacharasterisk}}\ {\isadigit{5}}%
72.515 -\end{isabelle}%
72.516 -\end{isamarkuptxt}%
72.517 -\isamarkuptrue%
72.518 -\isacommand{oops}\isamarkupfalse%
72.519 -%
72.520 -\endisatagproof
72.521 -{\isafoldproof}%
72.522 -%
72.523 -\isadelimproof
72.524 -%
72.525 -\endisadelimproof
72.526 -%
72.527 -\begin{isamarkuptext}%
72.528 -Ring and Field
72.529 -
72.530 -Requires a field, or else an ordered ring
72.531 -
72.532 -\begin{isabelle}%
72.533 -{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ b\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
72.534 -\end{isabelle}
72.535 -\rulename{mult_eq_0_iff}
72.536 -
72.537 -\begin{isabelle}%
72.538 -{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2A}{\isacharasterisk}}\ c\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}%
72.539 -\end{isabelle}
72.540 -\rulename{mult_cancel_right}
72.541 -
72.542 -\begin{isabelle}%
72.543 -{\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{2A}{\isacharasterisk}}\ a\ {\isaliteral{3D}{\isacharequal}}\ c\ {\isaliteral{2A}{\isacharasterisk}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}%
72.544 -\end{isabelle}
72.545 -\rulename{mult_cancel_left}%
72.546 -\end{isamarkuptext}%
72.547 -\isamarkuptrue%
72.548 -%
72.549 -\begin{isamarkuptext}%
72.550 -effect of show sorts on the above
72.551 -
72.552 -\begin{isabelle}%
72.553 -{\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}c{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
72.554 -\isaindent{{\isaliteral{28}{\isacharparenleft}}}c\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
72.555 -{\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}%
72.556 -\end{isabelle}
72.557 -\rulename{mult_cancel_left}%
72.558 -\end{isamarkuptext}%
72.559 -\isamarkuptrue%
72.560 -%
72.561 -\begin{isamarkuptext}%
72.562 -absolute value
72.563 -
72.564 -\begin{isabelle}%
72.565 -{\isaliteral{5C3C6261723E}{\isasymbar}}a\ {\isaliteral{2A}{\isacharasterisk}}\ b{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}b{\isaliteral{5C3C6261723E}{\isasymbar}}%
72.566 -\end{isabelle}
72.567 -\rulename{abs_mult}
72.568 -
72.569 -\begin{isabelle}%
72.570 -{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{5C3C6C653E}{\isasymle}}\ b\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{2D}{\isacharminus}}\ a\ {\isaliteral{5C3C6C653E}{\isasymle}}\ b{\isaliteral{29}{\isacharparenright}}%
72.571 -\end{isabelle}
72.572 -\rulename{abs_le_iff}
72.573 -
72.574 -\begin{isabelle}%
72.575 -{\isaliteral{5C3C6261723E}{\isasymbar}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}b{\isaliteral{5C3C6261723E}{\isasymbar}}%
72.576 -\end{isabelle}
72.577 -\rulename{abs_triangle_ineq}
72.578 -
72.579 -\begin{isabelle}%
72.580 -a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\ {\isaliteral{2B}{\isacharplus}}\ n\isaliteral{5C3C5E657375703E}{}\isactrlesup \ {\isaliteral{3D}{\isacharequal}}\ a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\isaliteral{5C3C5E657375703E}{}\isactrlesup \ {\isaliteral{2A}{\isacharasterisk}}\ a\isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup %
72.581 -\end{isabelle}
72.582 -\rulename{power_add}
72.583 -
72.584 -\begin{isabelle}%
72.585 -a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\ {\isaliteral{2A}{\isacharasterisk}}\ n\isaliteral{5C3C5E657375703E}{}\isactrlesup \ {\isaliteral{3D}{\isacharequal}}\ a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\isaliteral{5C3C5E657375703E}{}\isactrlesup \isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup %
72.586 -\end{isabelle}
72.587 -\rulename{power_mult}
72.588 -
72.589 -\begin{isabelle}%
72.590 -{\isaliteral{5C3C6261723E}{\isasymbar}}a\isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup {\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup %
72.591 -\end{isabelle}
72.592 -\rulename{power_abs}%
72.593 -\end{isamarkuptext}%
72.594 -\isamarkuptrue%
72.595 -%
72.596 -\isadelimtheory
72.597 -%
72.598 -\endisadelimtheory
72.599 -%
72.600 -\isatagtheory
72.601 -\isacommand{end}\isamarkupfalse%
72.602 -%
72.603 -\endisatagtheory
72.604 -{\isafoldtheory}%
72.605 -%
72.606 -\isadelimtheory
72.607 -%
72.608 -\endisadelimtheory
72.609 -\isanewline
72.610 -\end{isabellebody}%
72.611 -%%% Local Variables:
72.612 -%%% mode: latex
72.613 -%%% TeX-master: "root"
72.614 -%%% End:
73.1 --- a/doc-src/TutorialI/Types/document/Overloading.tex Thu Jul 26 16:08:16 2012 +0200
73.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
73.3 @@ -1,159 +0,0 @@
73.4 -%
73.5 -\begin{isabellebody}%
73.6 -\def\isabellecontext{Overloading}%
73.7 -%
73.8 -\isadelimtheory
73.9 -%
73.10 -\endisadelimtheory
73.11 -%
73.12 -\isatagtheory
73.13 -%
73.14 -\endisatagtheory
73.15 -{\isafoldtheory}%
73.16 -%
73.17 -\isadelimtheory
73.18 -%
73.19 -\endisadelimtheory
73.20 -%
73.21 -\begin{isamarkuptext}%
73.22 -Type classes allow \emph{overloading}; thus a constant may
73.23 -have multiple definitions at non-overlapping types.%
73.24 -\end{isamarkuptext}%
73.25 -\isamarkuptrue%
73.26 -%
73.27 -\isamarkupsubsubsection{Overloading%
73.28 -}
73.29 -\isamarkuptrue%
73.30 -%
73.31 -\begin{isamarkuptext}%
73.32 -We can introduce a binary infix addition operator \isa{{\isaliteral{5C3C6F74696D65733E}{\isasymotimes}}}
73.33 -for arbitrary types by means of a type class:%
73.34 -\end{isamarkuptext}%
73.35 -\isamarkuptrue%
73.36 -\isacommand{class}\isamarkupfalse%
73.37 -\ plus\ {\isaliteral{3D}{\isacharequal}}\isanewline
73.38 -\ \ \isakeyword{fixes}\ plus\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{7}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}%
73.39 -\begin{isamarkuptext}%
73.40 -\noindent This introduces a new class \isa{plus},
73.41 -along with a constant \isa{plus} with nice infix syntax.
73.42 -\isa{plus} is also named \emph{class operation}. The type
73.43 -of \isa{plus} carries a class constraint \isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ plus{\isaliteral{22}{\isachardoublequote}}} on its type variable, meaning that only types of class
73.44 -\isa{plus} can be instantiated for \isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequote}}}.
73.45 -To breathe life into \isa{plus} we need to declare a type
73.46 -to be an \bfindex{instance} of \isa{plus}:%
73.47 -\end{isamarkuptext}%
73.48 -\isamarkuptrue%
73.49 -\isacommand{instantiation}\isamarkupfalse%
73.50 -\ nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ plus\isanewline
73.51 -\isakeyword{begin}%
73.52 -\begin{isamarkuptext}%
73.53 -\noindent Command \isacommand{instantiation} opens a local
73.54 -theory context. Here we can now instantiate \isa{plus} on
73.55 -\isa{nat}:%
73.56 -\end{isamarkuptext}%
73.57 -\isamarkuptrue%
73.58 -\isacommand{primrec}\isamarkupfalse%
73.59 -\ plus{\isaliteral{5F}{\isacharunderscore}}nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
73.60 -\ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
73.61 -\ \ {\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
73.62 -\begin{isamarkuptext}%
73.63 -\noindent Note that the name \isa{plus} carries a
73.64 -suffix \isa{{\isaliteral{5F}{\isacharunderscore}}nat}; by default, the local name of a class operation
73.65 -\isa{f} to be instantiated on type constructor \isa{{\isaliteral{5C3C6B617070613E}{\isasymkappa}}} is mangled
73.66 -as \isa{f{\isaliteral{5F}{\isacharunderscore}}{\isaliteral{5C3C6B617070613E}{\isasymkappa}}}. In case of uncertainty, these names may be inspected
73.67 -using the \hyperlink{command.print-context}{\mbox{\isa{\isacommand{print{\isaliteral{5F}{\isacharunderscore}}context}}}} command or the corresponding
73.68 -ProofGeneral button.
73.69 -
73.70 -Although class \isa{plus} has no axioms, the instantiation must be
73.71 -formally concluded by a (trivial) instantiation proof ``..'':%
73.72 -\end{isamarkuptext}%
73.73 -\isamarkuptrue%
73.74 -\isacommand{instance}\isamarkupfalse%
73.75 -%
73.76 -\isadelimproof
73.77 -\ %
73.78 -\endisadelimproof
73.79 -%
73.80 -\isatagproof
73.81 -\isacommand{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
73.82 -%
73.83 -\endisatagproof
73.84 -{\isafoldproof}%
73.85 -%
73.86 -\isadelimproof
73.87 -%
73.88 -\endisadelimproof
73.89 -%
73.90 -\begin{isamarkuptext}%
73.91 -\noindent More interesting \isacommand{instance} proofs will
73.92 -arise below.
73.93 -
73.94 -The instantiation is finished by an explicit%
73.95 -\end{isamarkuptext}%
73.96 -\isamarkuptrue%
73.97 -\isacommand{end}\isamarkupfalse%
73.98 -%
73.99 -\begin{isamarkuptext}%
73.100 -\noindent From now on, terms like \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}} are
73.101 -legal.%
73.102 -\end{isamarkuptext}%
73.103 -\isamarkuptrue%
73.104 -\isacommand{instantiation}\isamarkupfalse%
73.105 -\ prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{28}{\isacharparenleft}}plus{\isaliteral{2C}{\isacharcomma}}\ plus{\isaliteral{29}{\isacharparenright}}\ plus\isanewline
73.106 -\isakeyword{begin}%
73.107 -\begin{isamarkuptext}%
73.108 -\noindent Here we instantiate the product type \isa{prod} to
73.109 -class \isa{plus}, given that its type arguments are of
73.110 -class \isa{plus}:%
73.111 -\end{isamarkuptext}%
73.112 -\isamarkuptrue%
73.113 -\isacommand{fun}\isamarkupfalse%
73.114 -\ plus{\isaliteral{5F}{\isacharunderscore}}prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
73.115 -\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}w{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ w{\isaliteral{2C}{\isacharcomma}}\ y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
73.116 -\begin{isamarkuptext}%
73.117 -\noindent Obviously, overloaded specifications may include
73.118 -recursion over the syntactic structure of types.%
73.119 -\end{isamarkuptext}%
73.120 -\isamarkuptrue%
73.121 -\isacommand{instance}\isamarkupfalse%
73.122 -%
73.123 -\isadelimproof
73.124 -\ %
73.125 -\endisadelimproof
73.126 -%
73.127 -\isatagproof
73.128 -\isacommand{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
73.129 -%
73.130 -\endisatagproof
73.131 -{\isafoldproof}%
73.132 -%
73.133 -\isadelimproof
73.134 -%
73.135 -\endisadelimproof
73.136 -\isanewline
73.137 -\isanewline
73.138 -\isacommand{end}\isamarkupfalse%
73.139 -%
73.140 -\begin{isamarkuptext}%
73.141 -\noindent This way we have encoded the canonical lifting of
73.142 -binary operations to products by means of type classes.%
73.143 -\end{isamarkuptext}%
73.144 -\isamarkuptrue%
73.145 -%
73.146 -\isadelimtheory
73.147 -%
73.148 -\endisadelimtheory
73.149 -%
73.150 -\isatagtheory
73.151 -%
73.152 -\endisatagtheory
73.153 -{\isafoldtheory}%
73.154 -%
73.155 -\isadelimtheory
73.156 -%
73.157 -\endisadelimtheory
73.158 -\end{isabellebody}%
73.159 -%%% Local Variables:
73.160 -%%% mode: latex
73.161 -%%% TeX-master: "root"
73.162 -%%% End:
74.1 --- a/doc-src/TutorialI/Types/document/Pairs.tex Thu Jul 26 16:08:16 2012 +0200
74.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
74.3 @@ -1,394 +0,0 @@
74.4 -%
74.5 -\begin{isabellebody}%
74.6 -\def\isabellecontext{Pairs}%
74.7 -%
74.8 -\isadelimtheory
74.9 -%
74.10 -\endisadelimtheory
74.11 -%
74.12 -\isatagtheory
74.13 -%
74.14 -\endisatagtheory
74.15 -{\isafoldtheory}%
74.16 -%
74.17 -\isadelimtheory
74.18 -%
74.19 -\endisadelimtheory
74.20 -%
74.21 -\isamarkupsection{Pairs and Tuples%
74.22 -}
74.23 -\isamarkuptrue%
74.24 -%
74.25 -\begin{isamarkuptext}%
74.26 -\label{sec:products}
74.27 -Ordered pairs were already introduced in \S\ref{sec:pairs}, but only with a minimal
74.28 -repertoire of operations: pairing and the two projections \isa{fst} and
74.29 -\isa{snd}. In any non-trivial application of pairs you will find that this
74.30 -quickly leads to unreadable nests of projections. This
74.31 -section introduces syntactic sugar to overcome this
74.32 -problem: pattern matching with tuples.%
74.33 -\end{isamarkuptext}%
74.34 -\isamarkuptrue%
74.35 -%
74.36 -\isamarkupsubsection{Pattern Matching with Tuples%
74.37 -}
74.38 -\isamarkuptrue%
74.39 -%
74.40 -\begin{isamarkuptext}%
74.41 -Tuples may be used as patterns in $\lambda$-abstractions,
74.42 -for example \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}x{\isaliteral{2B}{\isacharplus}}y{\isaliteral{2B}{\isacharplus}}z} and \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}x{\isaliteral{2B}{\isacharplus}}y{\isaliteral{2B}{\isacharplus}}z}. In fact,
74.43 -tuple patterns can be used in most variable binding constructs,
74.44 -and they can be nested. Here are
74.45 -some typical examples:
74.46 -\begin{quote}
74.47 -\isa{let\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ z\ in\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}}\\
74.48 -\isa{case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ zs\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ x\ {\isaliteral{2B}{\isacharplus}}\ y}\\
74.49 -\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C696E3E}{\isasymin}}A{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}y}\\
74.50 -\isa{{\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}z{\isaliteral{7D}{\isacharbraceright}}}\\
74.51 -\isa{{\isaliteral{5C3C556E696F6E3E}{\isasymUnion}}\isaliteral{5C3C5E627375623E}{}\isactrlbsub {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C696E3E}{\isasymin}}A\isaliteral{5C3C5E657375623E}{}\isactrlesub \ {\isaliteral{7B}{\isacharbraceleft}}x\ {\isaliteral{2B}{\isacharplus}}\ y{\isaliteral{7D}{\isacharbraceright}}}
74.52 -\end{quote}
74.53 -The intuitive meanings of these expressions should be obvious.
74.54 -Unfortunately, we need to know in more detail what the notation really stands
74.55 -for once we have to reason about it. Abstraction
74.56 -over pairs and tuples is merely a convenient shorthand for a more complex
74.57 -internal representation. Thus the internal and external form of a term may
74.58 -differ, which can affect proofs. If you want to avoid this complication,
74.59 -stick to \isa{fst} and \isa{snd} and write \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}p{\isaliteral{2E}{\isachardot}}\ fst\ p\ {\isaliteral{2B}{\isacharplus}}\ snd\ p}
74.60 -instead of \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{2B}{\isacharplus}}y}. These terms are distinct even though they
74.61 -denote the same function.
74.62 -
74.63 -Internally, \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ t} becomes \isa{split\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x\ y{\isaliteral{2E}{\isachardot}}\ t{\isaliteral{29}{\isacharparenright}}}, where
74.64 -\cdx{split} is the uncurrying function of type \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}c} defined as
74.65 -\begin{center}
74.66 -\isa{prod{\isaliteral{5F}{\isacharunderscore}}case\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}c\ p{\isaliteral{2E}{\isachardot}}\ c\ {\isaliteral{28}{\isacharparenleft}}fst\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}snd\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}
74.67 -\hfill(\isa{split{\isaliteral{5F}{\isacharunderscore}}def})
74.68 -\end{center}
74.69 -Pattern matching in
74.70 -other variable binding constructs is translated similarly. Thus we need to
74.71 -understand how to reason about such constructs.%
74.72 -\end{isamarkuptext}%
74.73 -\isamarkuptrue%
74.74 -%
74.75 -\isamarkupsubsection{Theorem Proving%
74.76 -}
74.77 -\isamarkuptrue%
74.78 -%
74.79 -\begin{isamarkuptext}%
74.80 -The most obvious approach is the brute force expansion of \isa{prod{\isaliteral{5F}{\isacharunderscore}}case}:%
74.81 -\end{isamarkuptext}%
74.82 -\isamarkuptrue%
74.83 -\isacommand{lemma}\isamarkupfalse%
74.84 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}x{\isaliteral{29}{\isacharparenright}}\ p\ {\isaliteral{3D}{\isacharequal}}\ fst\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
74.85 -%
74.86 -\isadelimproof
74.87 -%
74.88 -\endisadelimproof
74.89 -%
74.90 -\isatagproof
74.91 -\isacommand{by}\isamarkupfalse%
74.92 -{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
74.93 -\endisatagproof
74.94 -{\isafoldproof}%
74.95 -%
74.96 -\isadelimproof
74.97 -%
74.98 -\endisadelimproof
74.99 -%
74.100 -\begin{isamarkuptext}%
74.101 -\noindent
74.102 -This works well if rewriting with \isa{split{\isaliteral{5F}{\isacharunderscore}}def} finishes the
74.103 -proof, as it does above. But if it does not, you end up with exactly what
74.104 -we are trying to avoid: nests of \isa{fst} and \isa{snd}. Thus this
74.105 -approach is neither elegant nor very practical in large examples, although it
74.106 -can be effective in small ones.
74.107 -
74.108 -If we consider why this lemma presents a problem,
74.109 -we realize that we need to replace variable~\isa{p} by some pair \isa{{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}}. Then both sides of the
74.110 -equation would simplify to \isa{a} by the simplification rules
74.111 -\isa{{\isaliteral{28}{\isacharparenleft}}case\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ f\ x\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ a\ b} and \isa{fst\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a}.
74.112 -To reason about tuple patterns requires some way of
74.113 -converting a variable of product type into a pair.
74.114 -In case of a subterm of the form \isa{case\ p\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ f\ x\ xa} this is easy: the split
74.115 -rule \isa{split{\isaliteral{5F}{\isacharunderscore}}split} replaces \isa{p} by a pair:%
74.116 -\index{*split (method)}%
74.117 -\end{isamarkuptext}%
74.118 -\isamarkuptrue%
74.119 -\isacommand{lemma}\isamarkupfalse%
74.120 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}y{\isaliteral{29}{\isacharparenright}}\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
74.121 -%
74.122 -\isadelimproof
74.123 -%
74.124 -\endisadelimproof
74.125 -%
74.126 -\isatagproof
74.127 -\isacommand{apply}\isamarkupfalse%
74.128 -{\isaliteral{28}{\isacharparenleft}}split\ split{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
74.129 -\begin{isamarkuptxt}%
74.130 -\begin{isabelle}%
74.131 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x\ y{\isaliteral{2E}{\isachardot}}\ p\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ y\ {\isaliteral{3D}{\isacharequal}}\ snd\ p%
74.132 -\end{isabelle}
74.133 -This subgoal is easily proved by simplification. Thus we could have combined
74.134 -simplification and splitting in one command that proves the goal outright:%
74.135 -\end{isamarkuptxt}%
74.136 -\isamarkuptrue%
74.137 -%
74.138 -\endisatagproof
74.139 -{\isafoldproof}%
74.140 -%
74.141 -\isadelimproof
74.142 -%
74.143 -\endisadelimproof
74.144 -%
74.145 -\isadelimproof
74.146 -%
74.147 -\endisadelimproof
74.148 -%
74.149 -\isatagproof
74.150 -\isacommand{by}\isamarkupfalse%
74.151 -{\isaliteral{28}{\isacharparenleft}}simp\ split{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
74.152 -\endisatagproof
74.153 -{\isafoldproof}%
74.154 -%
74.155 -\isadelimproof
74.156 -%
74.157 -\endisadelimproof
74.158 -%
74.159 -\begin{isamarkuptext}%
74.160 -Let us look at a second example:%
74.161 -\end{isamarkuptext}%
74.162 -\isamarkuptrue%
74.163 -\isacommand{lemma}\isamarkupfalse%
74.164 -\ {\isaliteral{22}{\isachardoublequoteopen}}let\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p\ in\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
74.165 -%
74.166 -\isadelimproof
74.167 -%
74.168 -\endisadelimproof
74.169 -%
74.170 -\isatagproof
74.171 -\isacommand{apply}\isamarkupfalse%
74.172 -{\isaliteral{28}{\isacharparenleft}}simp\ only{\isaliteral{3A}{\isacharcolon}}\ Let{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
74.173 -\begin{isamarkuptxt}%
74.174 -\begin{isabelle}%
74.175 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ case\ p\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ x%
74.176 -\end{isabelle}
74.177 -A paired \isa{let} reduces to a paired $\lambda$-abstraction, which
74.178 -can be split as above. The same is true for paired set comprehension:%
74.179 -\end{isamarkuptxt}%
74.180 -\isamarkuptrue%
74.181 -%
74.182 -\endisatagproof
74.183 -{\isafoldproof}%
74.184 -%
74.185 -\isadelimproof
74.186 -%
74.187 -\endisadelimproof
74.188 -\isacommand{lemma}\isamarkupfalse%
74.189 -\ {\isaliteral{22}{\isachardoublequoteopen}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}y{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
74.190 -%
74.191 -\isadelimproof
74.192 -%
74.193 -\endisadelimproof
74.194 -%
74.195 -\isatagproof
74.196 -\isacommand{apply}\isamarkupfalse%
74.197 -\ simp%
74.198 -\begin{isamarkuptxt}%
74.199 -\begin{isabelle}%
74.200 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}case\ p\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ x\ {\isaliteral{3D}{\isacharequal}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p%
74.201 -\end{isabelle}
74.202 -Again, simplification produces a term suitable for \isa{split{\isaliteral{5F}{\isacharunderscore}}split}
74.203 -as above. If you are worried about the strange form of the premise:
74.204 -\isa{split\ {\isaliteral{28}{\isacharparenleft}}op\ {\isaliteral{3D}{\isacharequal}}{\isaliteral{29}{\isacharparenright}}} is short for \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ y}.
74.205 -The same proof procedure works for%
74.206 -\end{isamarkuptxt}%
74.207 -\isamarkuptrue%
74.208 -%
74.209 -\endisatagproof
74.210 -{\isafoldproof}%
74.211 -%
74.212 -\isadelimproof
74.213 -%
74.214 -\endisadelimproof
74.215 -\isacommand{lemma}\isamarkupfalse%
74.216 -\ {\isaliteral{22}{\isachardoublequoteopen}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}y{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p{\isaliteral{22}{\isachardoublequoteclose}}%
74.217 -\isadelimproof
74.218 -%
74.219 -\endisadelimproof
74.220 -%
74.221 -\isatagproof
74.222 -%
74.223 -\begin{isamarkuptxt}%
74.224 -\noindent
74.225 -except that we now have to use \isa{split{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{5F}{\isacharunderscore}}asm}, because
74.226 -\isa{prod{\isaliteral{5F}{\isacharunderscore}}case} occurs in the assumptions.
74.227 -
74.228 -However, splitting \isa{prod{\isaliteral{5F}{\isacharunderscore}}case} is not always a solution, as no \isa{prod{\isaliteral{5F}{\isacharunderscore}}case}
74.229 -may be present in the goal. Consider the following function:%
74.230 -\end{isamarkuptxt}%
74.231 -\isamarkuptrue%
74.232 -%
74.233 -\endisatagproof
74.234 -{\isafoldproof}%
74.235 -%
74.236 -\isadelimproof
74.237 -%
74.238 -\endisadelimproof
74.239 -\isacommand{primrec}\isamarkupfalse%
74.240 -\ swap\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}swap\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
74.241 -\begin{isamarkuptext}%
74.242 -\noindent
74.243 -Note that the above \isacommand{primrec} definition is admissible
74.244 -because \isa{{\isaliteral{5C3C74696D65733E}{\isasymtimes}}} is a datatype. When we now try to prove%
74.245 -\end{isamarkuptext}%
74.246 -\isamarkuptrue%
74.247 -\isacommand{lemma}\isamarkupfalse%
74.248 -\ {\isaliteral{22}{\isachardoublequoteopen}}swap{\isaliteral{28}{\isacharparenleft}}swap\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{22}{\isachardoublequoteclose}}%
74.249 -\isadelimproof
74.250 -%
74.251 -\endisadelimproof
74.252 -%
74.253 -\isatagproof
74.254 -%
74.255 -\begin{isamarkuptxt}%
74.256 -\noindent
74.257 -simplification will do nothing, because the defining equation for
74.258 -\isa{swap} expects a pair. Again, we need to turn \isa{p}
74.259 -into a pair first, but this time there is no \isa{prod{\isaliteral{5F}{\isacharunderscore}}case} in sight.
74.260 -The only thing we can do is to split the term by hand:%
74.261 -\end{isamarkuptxt}%
74.262 -\isamarkuptrue%
74.263 -\isacommand{apply}\isamarkupfalse%
74.264 -{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ p{\isaliteral{29}{\isacharparenright}}%
74.265 -\begin{isamarkuptxt}%
74.266 -\noindent
74.267 -\begin{isabelle}%
74.268 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ b{\isaliteral{2E}{\isachardot}}\ p\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ swap\ {\isaliteral{28}{\isacharparenleft}}swap\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p%
74.269 -\end{isabelle}
74.270 -Again, \methdx{case_tac} is applicable because \isa{{\isaliteral{5C3C74696D65733E}{\isasymtimes}}} is a datatype.
74.271 -The subgoal is easily proved by \isa{simp}.
74.272 -
74.273 -Splitting by \isa{case{\isaliteral{5F}{\isacharunderscore}}tac} also solves the previous examples and may thus
74.274 -appear preferable to the more arcane methods introduced first. However, see
74.275 -the warning about \isa{case{\isaliteral{5F}{\isacharunderscore}}tac} in \S\ref{sec:struct-ind-case}.
74.276 -
74.277 -Alternatively, you can split \emph{all} \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}}-quantified variables
74.278 -in a goal with the rewrite rule \isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all}:%
74.279 -\end{isamarkuptxt}%
74.280 -\isamarkuptrue%
74.281 -%
74.282 -\endisatagproof
74.283 -{\isafoldproof}%
74.284 -%
74.285 -\isadelimproof
74.286 -%
74.287 -\endisadelimproof
74.288 -\isacommand{lemma}\isamarkupfalse%
74.289 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C416E643E}{\isasymAnd}}p\ q{\isaliteral{2E}{\isachardot}}\ swap{\isaliteral{28}{\isacharparenleft}}swap\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ q\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ p\ {\isaliteral{3D}{\isacharequal}}\ q{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
74.290 -%
74.291 -\isadelimproof
74.292 -%
74.293 -\endisadelimproof
74.294 -%
74.295 -\isatagproof
74.296 -\isacommand{apply}\isamarkupfalse%
74.297 -{\isaliteral{28}{\isacharparenleft}}simp\ only{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
74.298 -\begin{isamarkuptxt}%
74.299 -\noindent
74.300 -\begin{isabelle}%
74.301 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ b\ aa\ ba{\isaliteral{2E}{\isachardot}}\ swap\ {\isaliteral{28}{\isacharparenleft}}swap\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}aa{\isaliteral{2C}{\isacharcomma}}\ ba{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}aa{\isaliteral{2C}{\isacharcomma}}\ ba{\isaliteral{29}{\isacharparenright}}%
74.302 -\end{isabelle}%
74.303 -\end{isamarkuptxt}%
74.304 -\isamarkuptrue%
74.305 -\isacommand{apply}\isamarkupfalse%
74.306 -\ simp\isanewline
74.307 -\isacommand{done}\isamarkupfalse%
74.308 -%
74.309 -\endisatagproof
74.310 -{\isafoldproof}%
74.311 -%
74.312 -\isadelimproof
74.313 -%
74.314 -\endisadelimproof
74.315 -%
74.316 -\begin{isamarkuptext}%
74.317 -\noindent
74.318 -Note that we have intentionally included only \isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all}
74.319 -in the first simplification step, and then we simplify again.
74.320 -This time the reason was not merely
74.321 -pedagogical:
74.322 -\isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all} may interfere with other functions
74.323 -of the simplifier.
74.324 -The following command could fail (here it does not)
74.325 -where two separate \isa{simp} applications succeed.%
74.326 -\end{isamarkuptext}%
74.327 -\isamarkuptrue%
74.328 -%
74.329 -\isadelimproof
74.330 -%
74.331 -\endisadelimproof
74.332 -%
74.333 -\isatagproof
74.334 -\isacommand{apply}\isamarkupfalse%
74.335 -{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
74.336 -\endisatagproof
74.337 -{\isafoldproof}%
74.338 -%
74.339 -\isadelimproof
74.340 -%
74.341 -\endisadelimproof
74.342 -%
74.343 -\begin{isamarkuptext}%
74.344 -\noindent
74.345 -Finally, the simplifier automatically splits all \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}} and
74.346 -\isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}}-quantified variables:%
74.347 -\end{isamarkuptext}%
74.348 -\isamarkuptrue%
74.349 -\isacommand{lemma}\isamarkupfalse%
74.350 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}q{\isaliteral{2E}{\isachardot}}\ swap\ p\ {\isaliteral{3D}{\isacharequal}}\ swap\ q{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
74.351 -%
74.352 -\isadelimproof
74.353 -%
74.354 -\endisadelimproof
74.355 -%
74.356 -\isatagproof
74.357 -\isacommand{by}\isamarkupfalse%
74.358 -\ simp%
74.359 -\endisatagproof
74.360 -{\isafoldproof}%
74.361 -%
74.362 -\isadelimproof
74.363 -%
74.364 -\endisadelimproof
74.365 -%
74.366 -\begin{isamarkuptext}%
74.367 -\noindent
74.368 -To turn off this automatic splitting, disable the
74.369 -responsible simplification rules:
74.370 -\begin{center}
74.371 -\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}a\ b{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}
74.372 -\hfill
74.373 -(\isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}All})\\
74.374 -\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}x{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}a\ b{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}
74.375 -\hfill
74.376 -(\isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}Ex})
74.377 -\end{center}%
74.378 -\end{isamarkuptext}%
74.379 -\isamarkuptrue%
74.380 -%
74.381 -\isadelimtheory
74.382 -%
74.383 -\endisadelimtheory
74.384 -%
74.385 -\isatagtheory
74.386 -%
74.387 -\endisatagtheory
74.388 -{\isafoldtheory}%
74.389 -%
74.390 -\isadelimtheory
74.391 -%
74.392 -\endisadelimtheory
74.393 -\end{isabellebody}%
74.394 -%%% Local Variables:
74.395 -%%% mode: latex
74.396 -%%% TeX-master: "root"
74.397 -%%% End:
75.1 --- a/doc-src/TutorialI/Types/document/Records.tex Thu Jul 26 16:08:16 2012 +0200
75.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
75.3 @@ -1,665 +0,0 @@
75.4 -%
75.5 -\begin{isabellebody}%
75.6 -\def\isabellecontext{Records}%
75.7 -%
75.8 -\isamarkupheader{Records \label{sec:records}%
75.9 -}
75.10 -\isamarkuptrue%
75.11 -%
75.12 -\isadelimtheory
75.13 -%
75.14 -\endisadelimtheory
75.15 -%
75.16 -\isatagtheory
75.17 -%
75.18 -\endisatagtheory
75.19 -{\isafoldtheory}%
75.20 -%
75.21 -\isadelimtheory
75.22 -%
75.23 -\endisadelimtheory
75.24 -%
75.25 -\begin{isamarkuptext}%
75.26 -\index{records|(}%
75.27 - Records are familiar from programming languages. A record of $n$
75.28 - fields is essentially an $n$-tuple, but the record's components have
75.29 - names, which can make expressions easier to read and reduces the
75.30 - risk of confusing one field for another.
75.31 -
75.32 - A record of Isabelle/HOL covers a collection of fields, with select
75.33 - and update operations. Each field has a specified type, which may
75.34 - be polymorphic. The field names are part of the record type, and
75.35 - the order of the fields is significant --- as it is in Pascal but
75.36 - not in Standard ML. If two different record types have field names
75.37 - in common, then the ambiguity is resolved in the usual way, by
75.38 - qualified names.
75.39 -
75.40 - Record types can also be defined by extending other record types.
75.41 - Extensible records make use of the reserved pseudo-field \cdx{more},
75.42 - which is present in every record type. Generic record operations
75.43 - work on all possible extensions of a given type scheme; polymorphism
75.44 - takes care of structural sub-typing behind the scenes. There are
75.45 - also explicit coercion functions between fixed record types.%
75.46 -\end{isamarkuptext}%
75.47 -\isamarkuptrue%
75.48 -%
75.49 -\isamarkupsubsection{Record Basics%
75.50 -}
75.51 -\isamarkuptrue%
75.52 -%
75.53 -\begin{isamarkuptext}%
75.54 -Record types are not primitive in Isabelle and have a delicate
75.55 - internal representation \cite{NaraschewskiW-TPHOLs98}, based on
75.56 - nested copies of the primitive product type. A \commdx{record}
75.57 - declaration introduces a new record type scheme by specifying its
75.58 - fields, which are packaged internally to hold up the perception of
75.59 - the record as a distinguished entity. Here is a simple example:%
75.60 -\end{isamarkuptext}%
75.61 -\isamarkuptrue%
75.62 -\isacommand{record}\isamarkupfalse%
75.63 -\ point\ {\isaliteral{3D}{\isacharequal}}\isanewline
75.64 -\ \ Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int\isanewline
75.65 -\ \ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int%
75.66 -\begin{isamarkuptext}%
75.67 -\noindent
75.68 - Records of type \isa{point} have two fields named \isa{Xcoord}
75.69 - and \isa{Ycoord}, both of type~\isa{int}. We now define a
75.70 - constant of type \isa{point}:%
75.71 -\end{isamarkuptext}%
75.72 -\isamarkuptrue%
75.73 -\isacommand{definition}\isamarkupfalse%
75.74 -\ pt{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ point\ \isakeyword{where}\isanewline
75.75 -{\isaliteral{22}{\isachardoublequoteopen}}pt{\isadigit{1}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{7C}{\isacharbar}}\ Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}{\isadigit{3}}\ {\isaliteral{7C}{\isacharbar}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
75.76 -\begin{isamarkuptext}%
75.77 -\noindent
75.78 - We see above the ASCII notation for record brackets. You can also
75.79 - use the symbolic brackets \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}} and \isa{{\isaliteral{5C3C72706172723E}{\isasymrparr}}}. Record type
75.80 - expressions can be also written directly with individual fields.
75.81 - The type name above is merely an abbreviation.%
75.82 -\end{isamarkuptext}%
75.83 -\isamarkuptrue%
75.84 -\isacommand{definition}\isamarkupfalse%
75.85 -\ pt{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
75.86 -{\isaliteral{22}{\isachardoublequoteopen}}pt{\isadigit{2}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2D}{\isacharminus}}{\isadigit{4}}{\isadigit{5}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{7}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
75.87 -\begin{isamarkuptext}%
75.88 -For each field, there is a \emph{selector}\index{selector!record}
75.89 - function of the same name. For example, if \isa{p} has type \isa{point} then \isa{Xcoord\ p} denotes the value of the \isa{Xcoord} field of~\isa{p}. Expressions involving field selection
75.90 - of explicit records are simplified automatically:%
75.91 -\end{isamarkuptext}%
75.92 -\isamarkuptrue%
75.93 -\isacommand{lemma}\isamarkupfalse%
75.94 -\ {\isaliteral{22}{\isachardoublequoteopen}}Xcoord\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.95 -%
75.96 -\isadelimproof
75.97 -\ \ %
75.98 -\endisadelimproof
75.99 -%
75.100 -\isatagproof
75.101 -\isacommand{by}\isamarkupfalse%
75.102 -\ simp%
75.103 -\endisatagproof
75.104 -{\isafoldproof}%
75.105 -%
75.106 -\isadelimproof
75.107 -%
75.108 -\endisadelimproof
75.109 -%
75.110 -\begin{isamarkuptext}%
75.111 -The \emph{update}\index{update!record} operation is functional. For
75.112 - example, \isa{p{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}} is a record whose \isa{Xcoord}
75.113 - value is zero and whose \isa{Ycoord} value is copied from~\isa{p}. Updates of explicit records are also simplified automatically:%
75.114 -\end{isamarkuptext}%
75.115 -\isamarkuptrue%
75.116 -\isacommand{lemma}\isamarkupfalse%
75.117 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
75.118 -\ \ \ \ \ \ \ \ \ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.119 -%
75.120 -\isadelimproof
75.121 -\ \ %
75.122 -\endisadelimproof
75.123 -%
75.124 -\isatagproof
75.125 -\isacommand{by}\isamarkupfalse%
75.126 -\ simp%
75.127 -\endisatagproof
75.128 -{\isafoldproof}%
75.129 -%
75.130 -\isadelimproof
75.131 -%
75.132 -\endisadelimproof
75.133 -%
75.134 -\begin{isamarkuptext}%
75.135 -\begin{warn}
75.136 - Field names are declared as constants and can no longer be used as
75.137 - variables. It would be unwise, for example, to call the fields of
75.138 - type \isa{point} simply \isa{x} and~\isa{y}.
75.139 - \end{warn}%
75.140 -\end{isamarkuptext}%
75.141 -\isamarkuptrue%
75.142 -%
75.143 -\isamarkupsubsection{Extensible Records and Generic Operations%
75.144 -}
75.145 -\isamarkuptrue%
75.146 -%
75.147 -\begin{isamarkuptext}%
75.148 -\index{records!extensible|(}%
75.149 -
75.150 - Now, let us define coloured points (type \isa{cpoint}) to be
75.151 - points extended with a field \isa{col} of type \isa{colour}:%
75.152 -\end{isamarkuptext}%
75.153 -\isamarkuptrue%
75.154 -\isacommand{datatype}\isamarkupfalse%
75.155 -\ colour\ {\isaliteral{3D}{\isacharequal}}\ Red\ {\isaliteral{7C}{\isacharbar}}\ Green\ {\isaliteral{7C}{\isacharbar}}\ Blue\isanewline
75.156 -\isanewline
75.157 -\isacommand{record}\isamarkupfalse%
75.158 -\ cpoint\ {\isaliteral{3D}{\isacharequal}}\ point\ {\isaliteral{2B}{\isacharplus}}\isanewline
75.159 -\ \ col\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ colour%
75.160 -\begin{isamarkuptext}%
75.161 -\noindent
75.162 - The fields of this new type are \isa{Xcoord}, \isa{Ycoord} and
75.163 - \isa{col}, in that order.%
75.164 -\end{isamarkuptext}%
75.165 -\isamarkuptrue%
75.166 -\isacommand{definition}\isamarkupfalse%
75.167 -\ cpt{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ cpoint\ \isakeyword{where}\isanewline
75.168 -{\isaliteral{22}{\isachardoublequoteopen}}cpt{\isadigit{1}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}{\isadigit{3}}{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ Green{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
75.169 -\begin{isamarkuptext}%
75.170 -We can define generic operations that work on arbitrary
75.171 - instances of a record scheme, e.g.\ covering \isa{point}, \isa{cpoint}, and any further extensions. Every record structure has an
75.172 - implicit pseudo-field, \cdx{more}, that keeps the extension as an
75.173 - explicit value. Its type is declared as completely
75.174 - polymorphic:~\isa{{\isaliteral{27}{\isacharprime}}a}. When a fixed record value is expressed
75.175 - using just its standard fields, the value of \isa{more} is
75.176 - implicitly set to \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{29}{\isacharparenright}}}, the empty tuple, which has type
75.177 - \isa{unit}. Within the record brackets, you can refer to the
75.178 - \isa{more} field by writing ``\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}'' (three dots):%
75.179 -\end{isamarkuptext}%
75.180 -\isamarkuptrue%
75.181 -\isacommand{lemma}\isamarkupfalse%
75.182 -\ {\isaliteral{22}{\isachardoublequoteopen}}Xcoord\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.183 -%
75.184 -\isadelimproof
75.185 -\ \ %
75.186 -\endisadelimproof
75.187 -%
75.188 -\isatagproof
75.189 -\isacommand{by}\isamarkupfalse%
75.190 -\ simp%
75.191 -\endisatagproof
75.192 -{\isafoldproof}%
75.193 -%
75.194 -\isadelimproof
75.195 -%
75.196 -\endisadelimproof
75.197 -%
75.198 -\begin{isamarkuptext}%
75.199 -This lemma applies to any record whose first two fields are \isa{Xcoord} and~\isa{Ycoord}. Note that \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}} is exactly the same as \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}}. Selectors and updates are always polymorphic wrt.\ the
75.200 - \isa{more} part of a record scheme, its value is just ignored (for
75.201 - select) or copied (for update).
75.202 -
75.203 - The \isa{more} pseudo-field may be manipulated directly as well,
75.204 - but the identifier needs to be qualified:%
75.205 -\end{isamarkuptext}%
75.206 -\isamarkuptrue%
75.207 -\isacommand{lemma}\isamarkupfalse%
75.208 -\ {\isaliteral{22}{\isachardoublequoteopen}}point{\isaliteral{2E}{\isachardot}}more\ cpt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3D}{\isacharequal}}\ Green{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.209 -%
75.210 -\isadelimproof
75.211 -\ \ %
75.212 -\endisadelimproof
75.213 -%
75.214 -\isatagproof
75.215 -\isacommand{by}\isamarkupfalse%
75.216 -\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ cpt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
75.217 -\endisatagproof
75.218 -{\isafoldproof}%
75.219 -%
75.220 -\isadelimproof
75.221 -%
75.222 -\endisadelimproof
75.223 -%
75.224 -\begin{isamarkuptext}%
75.225 -\noindent
75.226 - We see that the colour part attached to this \isa{point} is a
75.227 - rudimentary record in its own right, namely \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3D}{\isacharequal}}\ Green{\isaliteral{5C3C72706172723E}{\isasymrparr}}}. In order to select or update \isa{col}, this fragment
75.228 - needs to be put back into the context of the parent type scheme, say
75.229 - as \isa{more} part of another \isa{point}.
75.230 -
75.231 - To define generic operations, we need to know a bit more about
75.232 - records. Our definition of \isa{point} above has generated two
75.233 - type abbreviations:
75.234 -
75.235 - \medskip
75.236 - \begin{tabular}{l}
75.237 - \isa{point}~\isa{{\isaliteral{3D}{\isacharequal}}}~\isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{5C3C72706172723E}{\isasymrparr}}} \\
75.238 - \isa{{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme}~\isa{{\isaliteral{3D}{\isacharequal}}}~\isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C72706172723E}{\isasymrparr}}} \\
75.239 - \end{tabular}
75.240 - \medskip
75.241 -
75.242 -\noindent
75.243 - Type \isa{point} is for fixed records having exactly the two fields
75.244 - \isa{Xcoord} and~\isa{Ycoord}, while the polymorphic type \isa{{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme} comprises all possible extensions to those two
75.245 - fields. Note that \isa{unit\ point{\isaliteral{5F}{\isacharunderscore}}scheme} coincides with \isa{point}, and \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ colour{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ point{\isaliteral{5F}{\isacharunderscore}}scheme} with \isa{cpoint}.
75.246 -
75.247 - In the following example we define two operations --- methods, if we
75.248 - regard records as objects --- to get and set any point's \isa{Xcoord} field.%
75.249 -\end{isamarkuptext}%
75.250 -\isamarkuptrue%
75.251 -\isacommand{definition}\isamarkupfalse%
75.252 -\ getX\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
75.253 -{\isaliteral{22}{\isachardoublequoteopen}}getX\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Xcoord\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.254 -\isacommand{definition}\isamarkupfalse%
75.255 -\ setX\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
75.256 -{\isaliteral{22}{\isachardoublequoteopen}}setX\ r\ a\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
75.257 -\begin{isamarkuptext}%
75.258 -Here is a generic method that modifies a point, incrementing its
75.259 - \isa{Xcoord} field. The \isa{Ycoord} and \isa{more} fields
75.260 - are copied across. It works for any record type scheme derived from
75.261 - \isa{point} (including \isa{cpoint} etc.):%
75.262 -\end{isamarkuptext}%
75.263 -\isamarkuptrue%
75.264 -\isacommand{definition}\isamarkupfalse%
75.265 -\ incX\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
75.266 -{\isaliteral{22}{\isachardoublequoteopen}}incX\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
75.267 -\ \ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ point{\isaliteral{2E}{\isachardot}}more\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
75.268 -\begin{isamarkuptext}%
75.269 -Generic theorems can be proved about generic methods. This trivial
75.270 - lemma relates \isa{incX} to \isa{getX} and \isa{setX}:%
75.271 -\end{isamarkuptext}%
75.272 -\isamarkuptrue%
75.273 -\isacommand{lemma}\isamarkupfalse%
75.274 -\ {\isaliteral{22}{\isachardoublequoteopen}}incX\ r\ {\isaliteral{3D}{\isacharequal}}\ setX\ r\ {\isaliteral{28}{\isacharparenleft}}getX\ r\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.275 -%
75.276 -\isadelimproof
75.277 -\ \ %
75.278 -\endisadelimproof
75.279 -%
75.280 -\isatagproof
75.281 -\isacommand{by}\isamarkupfalse%
75.282 -\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ getX{\isaliteral{5F}{\isacharunderscore}}def\ setX{\isaliteral{5F}{\isacharunderscore}}def\ incX{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
75.283 -\endisatagproof
75.284 -{\isafoldproof}%
75.285 -%
75.286 -\isadelimproof
75.287 -%
75.288 -\endisadelimproof
75.289 -%
75.290 -\begin{isamarkuptext}%
75.291 -\begin{warn}
75.292 - If you use the symbolic record brackets \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}} and \isa{{\isaliteral{5C3C72706172723E}{\isasymrparr}}},
75.293 - then you must also use the symbolic ellipsis, ``\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}'', rather
75.294 - than three consecutive periods, ``\isa{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}''. Mixing the ASCII
75.295 - and symbolic versions causes a syntax error. (The two versions are
75.296 - more distinct on screen than they are on paper.)
75.297 - \end{warn}%
75.298 - \index{records!extensible|)}%
75.299 -\end{isamarkuptext}%
75.300 -\isamarkuptrue%
75.301 -%
75.302 -\isamarkupsubsection{Record Equality%
75.303 -}
75.304 -\isamarkuptrue%
75.305 -%
75.306 -\begin{isamarkuptext}%
75.307 -Two records are equal\index{equality!of records} if all pairs of
75.308 - corresponding fields are equal. Concrete record equalities are
75.309 - simplified automatically:%
75.310 -\end{isamarkuptext}%
75.311 -\isamarkuptrue%
75.312 -\isacommand{lemma}\isamarkupfalse%
75.313 -\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
75.314 -\ \ \ \ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ b\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.315 -%
75.316 -\isadelimproof
75.317 -\ \ %
75.318 -\endisadelimproof
75.319 -%
75.320 -\isatagproof
75.321 -\isacommand{by}\isamarkupfalse%
75.322 -\ simp%
75.323 -\endisatagproof
75.324 -{\isafoldproof}%
75.325 -%
75.326 -\isadelimproof
75.327 -%
75.328 -\endisadelimproof
75.329 -%
75.330 -\begin{isamarkuptext}%
75.331 -The following equality is similar, but generic, in that \isa{r}
75.332 - can be any instance of \isa{{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme}:%
75.333 -\end{isamarkuptext}%
75.334 -\isamarkuptrue%
75.335 -\isacommand{lemma}\isamarkupfalse%
75.336 -\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{2C}{\isacharcomma}}\ Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.337 -%
75.338 -\isadelimproof
75.339 -\ \ %
75.340 -\endisadelimproof
75.341 -%
75.342 -\isatagproof
75.343 -\isacommand{by}\isamarkupfalse%
75.344 -\ simp%
75.345 -\endisatagproof
75.346 -{\isafoldproof}%
75.347 -%
75.348 -\isadelimproof
75.349 -%
75.350 -\endisadelimproof
75.351 -%
75.352 -\begin{isamarkuptext}%
75.353 -\noindent
75.354 - We see above the syntax for iterated updates. We could equivalently
75.355 - have written the left-hand side as \isa{r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}}.
75.356 -
75.357 - Record equality is \emph{extensional}:
75.358 - \index{extensionality!for records} a record is determined entirely
75.359 - by the values of its fields.%
75.360 -\end{isamarkuptext}%
75.361 -\isamarkuptrue%
75.362 -\isacommand{lemma}\isamarkupfalse%
75.363 -\ {\isaliteral{22}{\isachardoublequoteopen}}r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.364 -%
75.365 -\isadelimproof
75.366 -\ \ %
75.367 -\endisadelimproof
75.368 -%
75.369 -\isatagproof
75.370 -\isacommand{by}\isamarkupfalse%
75.371 -\ simp%
75.372 -\endisatagproof
75.373 -{\isafoldproof}%
75.374 -%
75.375 -\isadelimproof
75.376 -%
75.377 -\endisadelimproof
75.378 -%
75.379 -\begin{isamarkuptext}%
75.380 -\noindent
75.381 - The generic version of this equality includes the pseudo-field
75.382 - \isa{more}:%
75.383 -\end{isamarkuptext}%
75.384 -\isamarkuptrue%
75.385 -\isacommand{lemma}\isamarkupfalse%
75.386 -\ {\isaliteral{22}{\isachardoublequoteopen}}r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ point{\isaliteral{2E}{\isachardot}}more\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.387 -%
75.388 -\isadelimproof
75.389 -\ \ %
75.390 -\endisadelimproof
75.391 -%
75.392 -\isatagproof
75.393 -\isacommand{by}\isamarkupfalse%
75.394 -\ simp%
75.395 -\endisatagproof
75.396 -{\isafoldproof}%
75.397 -%
75.398 -\isadelimproof
75.399 -%
75.400 -\endisadelimproof
75.401 -%
75.402 -\begin{isamarkuptext}%
75.403 -The simplifier can prove many record equalities
75.404 - automatically, but general equality reasoning can be tricky.
75.405 - Consider proving this obvious fact:%
75.406 -\end{isamarkuptext}%
75.407 -\isamarkuptrue%
75.408 -\isacommand{lemma}\isamarkupfalse%
75.409 -\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.410 -%
75.411 -\isadelimproof
75.412 -\ \ %
75.413 -\endisadelimproof
75.414 -%
75.415 -\isatagproof
75.416 -\isacommand{apply}\isamarkupfalse%
75.417 -\ simp{\isaliteral{3F}{\isacharquery}}\isanewline
75.418 -\ \ \isacommand{oops}\isamarkupfalse%
75.419 -%
75.420 -\endisatagproof
75.421 -{\isafoldproof}%
75.422 -%
75.423 -\isadelimproof
75.424 -%
75.425 -\endisadelimproof
75.426 -%
75.427 -\begin{isamarkuptext}%
75.428 -\noindent
75.429 - Here the simplifier can do nothing, since general record equality is
75.430 - not eliminated automatically. One way to proceed is by an explicit
75.431 - forward step that applies the selector \isa{Xcoord} to both sides
75.432 - of the assumed record equality:%
75.433 -\end{isamarkuptext}%
75.434 -\isamarkuptrue%
75.435 -\isacommand{lemma}\isamarkupfalse%
75.436 -\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.437 -%
75.438 -\isadelimproof
75.439 -\ \ %
75.440 -\endisadelimproof
75.441 -%
75.442 -\isatagproof
75.443 -\isacommand{apply}\isamarkupfalse%
75.444 -\ {\isaliteral{28}{\isacharparenleft}}drule{\isaliteral{5F}{\isacharunderscore}}tac\ f\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ \isakeyword{in}\ arg{\isaliteral{5F}{\isacharunderscore}}cong{\isaliteral{29}{\isacharparenright}}%
75.445 -\begin{isamarkuptxt}%
75.446 -\begin{isabelle}%
75.447 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Xcoord\ {\isaliteral{28}{\isacharparenleft}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ {\isaliteral{28}{\isacharparenleft}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}%
75.448 -\end{isabelle}
75.449 - Now, \isa{simp} will reduce the assumption to the desired
75.450 - conclusion.%
75.451 -\end{isamarkuptxt}%
75.452 -\isamarkuptrue%
75.453 -\ \ \isacommand{apply}\isamarkupfalse%
75.454 -\ simp\isanewline
75.455 -\ \ \isacommand{done}\isamarkupfalse%
75.456 -%
75.457 -\endisatagproof
75.458 -{\isafoldproof}%
75.459 -%
75.460 -\isadelimproof
75.461 -%
75.462 -\endisadelimproof
75.463 -%
75.464 -\begin{isamarkuptext}%
75.465 -The \isa{cases} method is preferable to such a forward proof. We
75.466 - state the desired lemma again:%
75.467 -\end{isamarkuptext}%
75.468 -\isamarkuptrue%
75.469 -\isacommand{lemma}\isamarkupfalse%
75.470 -\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}%
75.471 -\isadelimproof
75.472 -%
75.473 -\endisadelimproof
75.474 -%
75.475 -\isatagproof
75.476 -%
75.477 -\begin{isamarkuptxt}%
75.478 -The \methdx{cases} method adds an equality to replace the
75.479 - named record term by an explicit record expression, listing all
75.480 - fields. It even includes the pseudo-field \isa{more}, since the
75.481 - record equality stated here is generic for all extensions.%
75.482 -\end{isamarkuptxt}%
75.483 -\isamarkuptrue%
75.484 -\ \ \isacommand{apply}\isamarkupfalse%
75.485 -\ {\isaliteral{28}{\isacharparenleft}}cases\ r{\isaliteral{29}{\isacharparenright}}%
75.486 -\begin{isamarkuptxt}%
75.487 -\begin{isabelle}%
75.488 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}Xcoord\ Ycoord\ more{\isaliteral{2E}{\isachardot}}\isanewline
75.489 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
75.490 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ more{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
75.491 -\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}%
75.492 -\end{isabelle} Again, \isa{simp} finishes the proof. Because \isa{r} is now represented as
75.493 - an explicit record construction, the updates can be applied and the
75.494 - record equality can be replaced by equality of the corresponding
75.495 - fields (due to injectivity).%
75.496 -\end{isamarkuptxt}%
75.497 -\isamarkuptrue%
75.498 -\ \ \isacommand{apply}\isamarkupfalse%
75.499 -\ simp\isanewline
75.500 -\ \ \isacommand{done}\isamarkupfalse%
75.501 -%
75.502 -\endisatagproof
75.503 -{\isafoldproof}%
75.504 -%
75.505 -\isadelimproof
75.506 -%
75.507 -\endisadelimproof
75.508 -%
75.509 -\begin{isamarkuptext}%
75.510 -The generic cases method does not admit references to locally bound
75.511 - parameters of a goal. In longer proof scripts one might have to
75.512 - fall back on the primitive \isa{rule{\isaliteral{5F}{\isacharunderscore}}tac} used together with the
75.513 - internal field representation rules of records. The above use of
75.514 - \isa{{\isaliteral{28}{\isacharparenleft}}cases\ r{\isaliteral{29}{\isacharparenright}}} would become \isa{{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ r\ {\isaliteral{3D}{\isacharequal}}\ r\ in\ point{\isaliteral{2E}{\isachardot}}cases{\isaliteral{5F}{\isacharunderscore}}scheme{\isaliteral{29}{\isacharparenright}}}.%
75.515 -\end{isamarkuptext}%
75.516 -\isamarkuptrue%
75.517 -%
75.518 -\isamarkupsubsection{Extending and Truncating Records%
75.519 -}
75.520 -\isamarkuptrue%
75.521 -%
75.522 -\begin{isamarkuptext}%
75.523 -Each record declaration introduces a number of derived operations to
75.524 - refer collectively to a record's fields and to convert between fixed
75.525 - record types. They can, for instance, convert between types \isa{point} and \isa{cpoint}. We can add a colour to a point or convert
75.526 - a \isa{cpoint} to a \isa{point} by forgetting its colour.
75.527 -
75.528 - \begin{itemize}
75.529 -
75.530 - \item Function \cdx{make} takes as arguments all of the record's
75.531 - fields (including those inherited from ancestors). It returns the
75.532 - corresponding record.
75.533 -
75.534 - \item Function \cdx{fields} takes the record's very own fields and
75.535 - returns a record fragment consisting of just those fields. This may
75.536 - be filled into the \isa{more} part of the parent record scheme.
75.537 -
75.538 - \item Function \cdx{extend} takes two arguments: a record to be
75.539 - extended and a record containing the new fields.
75.540 -
75.541 - \item Function \cdx{truncate} takes a record (possibly an extension
75.542 - of the original record type) and returns a fixed record, removing
75.543 - any additional fields.
75.544 -
75.545 - \end{itemize}
75.546 - These functions provide useful abbreviations for standard
75.547 - record expressions involving constructors and selectors. The
75.548 - definitions, which are \emph{not} unfolded by default, are made
75.549 - available by the collective name of \isa{defs} (\isa{point{\isaliteral{2E}{\isachardot}}defs}, \isa{cpoint{\isaliteral{2E}{\isachardot}}defs}, etc.).
75.550 - For example, here are the versions of those functions generated for
75.551 - record \isa{point}. We omit \isa{point{\isaliteral{2E}{\isachardot}}fields}, which happens to
75.552 - be the same as \isa{point{\isaliteral{2E}{\isachardot}}make}.
75.553 -
75.554 - \begin{isabelle}%
75.555 -point{\isaliteral{2E}{\isachardot}}make\ Xcoord\ Ycoord\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
75.556 -point{\isaliteral{2E}{\isachardot}}extend\ r\ more\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
75.557 -{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ more{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
75.558 -point{\isaliteral{2E}{\isachardot}}truncate\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}%
75.559 -\end{isabelle}
75.560 - Contrast those with the corresponding functions for record \isa{cpoint}. Observe \isa{cpoint{\isaliteral{2E}{\isachardot}}fields} in particular.
75.561 - \begin{isabelle}%
75.562 -cpoint{\isaliteral{2E}{\isachardot}}make\ Xcoord\ Ycoord\ col\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
75.563 -{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ col{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
75.564 -cpoint{\isaliteral{2E}{\isachardot}}fields\ col\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3D}{\isacharequal}}\ col{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
75.565 -cpoint{\isaliteral{2E}{\isachardot}}extend\ r\ more\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
75.566 -{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ col\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ more{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
75.567 -cpoint{\isaliteral{2E}{\isachardot}}truncate\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
75.568 -{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ col\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}%
75.569 -\end{isabelle}
75.570 -
75.571 - To demonstrate these functions, we declare a new coloured point by
75.572 - extending an ordinary point. Function \isa{point{\isaliteral{2E}{\isachardot}}extend} augments
75.573 - \isa{pt{\isadigit{1}}} with a colour value, which is converted into an
75.574 - appropriate record fragment by \isa{cpoint{\isaliteral{2E}{\isachardot}}fields}.%
75.575 -\end{isamarkuptext}%
75.576 -\isamarkuptrue%
75.577 -\isacommand{definition}\isamarkupfalse%
75.578 -\ cpt{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ cpoint\ \isakeyword{where}\isanewline
75.579 -{\isaliteral{22}{\isachardoublequoteopen}}cpt{\isadigit{2}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ point{\isaliteral{2E}{\isachardot}}extend\ pt{\isadigit{1}}\ {\isaliteral{28}{\isacharparenleft}}cpoint{\isaliteral{2E}{\isachardot}}fields\ Green{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
75.580 -\begin{isamarkuptext}%
75.581 -The coloured points \isa{cpt{\isadigit{1}}} and \isa{cpt{\isadigit{2}}} are equal. The
75.582 - proof is trivial, by unfolding all the definitions. We deliberately
75.583 - omit the definition of~\isa{pt{\isadigit{1}}} in order to reveal the underlying
75.584 - comparison on type \isa{point}.%
75.585 -\end{isamarkuptext}%
75.586 -\isamarkuptrue%
75.587 -\isacommand{lemma}\isamarkupfalse%
75.588 -\ {\isaliteral{22}{\isachardoublequoteopen}}cpt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ cpt{\isadigit{2}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.589 -%
75.590 -\isadelimproof
75.591 -\ \ %
75.592 -\endisadelimproof
75.593 -%
75.594 -\isatagproof
75.595 -\isacommand{apply}\isamarkupfalse%
75.596 -\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ cpt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def\ cpt{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}def\ point{\isaliteral{2E}{\isachardot}}defs\ cpoint{\isaliteral{2E}{\isachardot}}defs{\isaliteral{29}{\isacharparenright}}%
75.597 -\begin{isamarkuptxt}%
75.598 -\begin{isabelle}%
75.599 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Xcoord\ pt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Ycoord\ pt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}{\isadigit{3}}%
75.600 -\end{isabelle}%
75.601 -\end{isamarkuptxt}%
75.602 -\isamarkuptrue%
75.603 -\ \ \isacommand{apply}\isamarkupfalse%
75.604 -\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ pt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
75.605 -\ \ \isacommand{done}\isamarkupfalse%
75.606 -%
75.607 -\endisatagproof
75.608 -{\isafoldproof}%
75.609 -%
75.610 -\isadelimproof
75.611 -%
75.612 -\endisadelimproof
75.613 -%
75.614 -\begin{isamarkuptext}%
75.615 -In the example below, a coloured point is truncated to leave a
75.616 - point. We use the \isa{truncate} function of the target record.%
75.617 -\end{isamarkuptext}%
75.618 -\isamarkuptrue%
75.619 -\isacommand{lemma}\isamarkupfalse%
75.620 -\ {\isaliteral{22}{\isachardoublequoteopen}}point{\isaliteral{2E}{\isachardot}}truncate\ cpt{\isadigit{2}}\ {\isaliteral{3D}{\isacharequal}}\ pt{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
75.621 -%
75.622 -\isadelimproof
75.623 -\ \ %
75.624 -\endisadelimproof
75.625 -%
75.626 -\isatagproof
75.627 -\isacommand{by}\isamarkupfalse%
75.628 -\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ pt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def\ cpt{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}def\ point{\isaliteral{2E}{\isachardot}}defs{\isaliteral{29}{\isacharparenright}}%
75.629 -\endisatagproof
75.630 -{\isafoldproof}%
75.631 -%
75.632 -\isadelimproof
75.633 -%
75.634 -\endisadelimproof
75.635 -%
75.636 -\begin{isamarkuptext}%
75.637 -\begin{exercise}
75.638 - Extend record \isa{cpoint} to have a further field, \isa{intensity}, of type~\isa{nat}. Experiment with generic operations
75.639 - (using polymorphic selectors and updates) and explicit coercions
75.640 - (using \isa{extend}, \isa{truncate} etc.) among the three record
75.641 - types.
75.642 - \end{exercise}
75.643 -
75.644 - \begin{exercise}
75.645 - (For Java programmers.)
75.646 - Model a small class hierarchy using records.
75.647 - \end{exercise}
75.648 - \index{records|)}%
75.649 -\end{isamarkuptext}%
75.650 -\isamarkuptrue%
75.651 -%
75.652 -\isadelimtheory
75.653 -%
75.654 -\endisadelimtheory
75.655 -%
75.656 -\isatagtheory
75.657 -%
75.658 -\endisatagtheory
75.659 -{\isafoldtheory}%
75.660 -%
75.661 -\isadelimtheory
75.662 -%
75.663 -\endisadelimtheory
75.664 -\end{isabellebody}%
75.665 -%%% Local Variables:
75.666 -%%% mode: latex
75.667 -%%% TeX-master: "root"
75.668 -%%% End:
76.1 --- a/doc-src/TutorialI/Types/document/Typedefs.tex Thu Jul 26 16:08:16 2012 +0200
76.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
76.3 @@ -1,340 +0,0 @@
76.4 -%
76.5 -\begin{isabellebody}%
76.6 -\def\isabellecontext{Typedefs}%
76.7 -%
76.8 -\isadelimtheory
76.9 -%
76.10 -\endisadelimtheory
76.11 -%
76.12 -\isatagtheory
76.13 -%
76.14 -\endisatagtheory
76.15 -{\isafoldtheory}%
76.16 -%
76.17 -\isadelimtheory
76.18 -%
76.19 -\endisadelimtheory
76.20 -%
76.21 -\isamarkupsection{Introducing New Types%
76.22 -}
76.23 -\isamarkuptrue%
76.24 -%
76.25 -\begin{isamarkuptext}%
76.26 -\label{sec:adv-typedef}
76.27 -For most applications, a combination of predefined types like \isa{bool} and
76.28 -\isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}} with recursive datatypes and records is quite sufficient. Very
76.29 -occasionally you may feel the need for a more advanced type. If you
76.30 -are certain that your type is not definable by any of the
76.31 -standard means, then read on.
76.32 -\begin{warn}
76.33 - Types in HOL must be non-empty; otherwise the quantifier rules would be
76.34 - unsound, because $\exists x.\ x=x$ is a theorem.
76.35 -\end{warn}%
76.36 -\end{isamarkuptext}%
76.37 -\isamarkuptrue%
76.38 -%
76.39 -\isamarkupsubsection{Declaring New Types%
76.40 -}
76.41 -\isamarkuptrue%
76.42 -%
76.43 -\begin{isamarkuptext}%
76.44 -\label{sec:typedecl}
76.45 -\index{types!declaring|(}%
76.46 -\index{typedecl@\isacommand {typedecl} (command)}%
76.47 -The most trivial way of introducing a new type is by a \textbf{type
76.48 -declaration}:%
76.49 -\end{isamarkuptext}%
76.50 -\isamarkuptrue%
76.51 -\isacommand{typedecl}\isamarkupfalse%
76.52 -\ my{\isaliteral{5F}{\isacharunderscore}}new{\isaliteral{5F}{\isacharunderscore}}type%
76.53 -\begin{isamarkuptext}%
76.54 -\noindent
76.55 -This does not define \isa{my{\isaliteral{5F}{\isacharunderscore}}new{\isaliteral{5F}{\isacharunderscore}}type} at all but merely introduces its
76.56 -name. Thus we know nothing about this type, except that it is
76.57 -non-empty. Such declarations without definitions are
76.58 -useful if that type can be viewed as a parameter of the theory.
76.59 -A typical example is given in \S\ref{sec:VMC}, where we define a transition
76.60 -relation over an arbitrary type of states.
76.61 -
76.62 -In principle we can always get rid of such type declarations by making those
76.63 -types parameters of every other type, thus keeping the theory generic. In
76.64 -practice, however, the resulting clutter can make types hard to read.
76.65 -
76.66 -If you are looking for a quick and dirty way of introducing a new type
76.67 -together with its properties: declare the type and state its properties as
76.68 -axioms. Example:%
76.69 -\end{isamarkuptext}%
76.70 -\isamarkuptrue%
76.71 -\isacommand{axioms}\isamarkupfalse%
76.72 -\isanewline
76.73 -just{\isaliteral{5F}{\isacharunderscore}}one{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}my{\isaliteral{5F}{\isacharunderscore}}new{\isaliteral{5F}{\isacharunderscore}}type{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{22}{\isachardoublequoteclose}}%
76.74 -\begin{isamarkuptext}%
76.75 -\noindent
76.76 -However, we strongly discourage this approach, except at explorative stages
76.77 -of your development. It is extremely easy to write down contradictory sets of
76.78 -axioms, in which case you will be able to prove everything but it will mean
76.79 -nothing. In the example above, the axiomatic approach is
76.80 -unnecessary: a one-element type called \isa{unit} is already defined in HOL.
76.81 -\index{types!declaring|)}%
76.82 -\end{isamarkuptext}%
76.83 -\isamarkuptrue%
76.84 -%
76.85 -\isamarkupsubsection{Defining New Types%
76.86 -}
76.87 -\isamarkuptrue%
76.88 -%
76.89 -\begin{isamarkuptext}%
76.90 -\label{sec:typedef}
76.91 -\index{types!defining|(}%
76.92 -\index{typedecl@\isacommand {typedef} (command)|(}%
76.93 -Now we come to the most general means of safely introducing a new type, the
76.94 -\textbf{type definition}. All other means, for example
76.95 -\isacommand{datatype}, are based on it. The principle is extremely simple:
76.96 -any non-empty subset of an existing type can be turned into a new type.
76.97 -More precisely, the new type is specified to be isomorphic to some
76.98 -non-empty subset of an existing type.
76.99 -
76.100 -Let us work a simple example, the definition of a three-element type.
76.101 -It is easily represented by the first three natural numbers:%
76.102 -\end{isamarkuptext}%
76.103 -\isamarkuptrue%
76.104 -\isacommand{typedef}\isamarkupfalse%
76.105 -\ three\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
76.106 -\isadelimproof
76.107 -%
76.108 -\endisadelimproof
76.109 -%
76.110 -\isatagproof
76.111 -%
76.112 -\begin{isamarkuptxt}%
76.113 -\noindent
76.114 -In order to enforce that the representing set on the right-hand side is
76.115 -non-empty, this definition actually starts a proof to that effect:
76.116 -\begin{isabelle}%
76.117 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}x{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}%
76.118 -\end{isabelle}
76.119 -Fortunately, this is easy enough to show, even \isa{auto} could do it.
76.120 -In general, one has to provide a witness, in our case 0:%
76.121 -\end{isamarkuptxt}%
76.122 -\isamarkuptrue%
76.123 -\isacommand{apply}\isamarkupfalse%
76.124 -{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ \isakeyword{in}\ exI{\isaliteral{29}{\isacharparenright}}\isanewline
76.125 -\isacommand{by}\isamarkupfalse%
76.126 -\ simp%
76.127 -\endisatagproof
76.128 -{\isafoldproof}%
76.129 -%
76.130 -\isadelimproof
76.131 -%
76.132 -\endisadelimproof
76.133 -%
76.134 -\begin{isamarkuptext}%
76.135 -This type definition introduces the new type \isa{three} and asserts
76.136 -that it is a copy of the set \isa{{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}. This assertion
76.137 -is expressed via a bijection between the \emph{type} \isa{three} and the
76.138 -\emph{set} \isa{{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}. To this end, the command declares the following
76.139 -constants behind the scenes:
76.140 -\begin{center}
76.141 -\begin{tabular}{rcl}
76.142 -\isa{three} &::& \isa{nat\ set} \\
76.143 -\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} &::& \isa{three\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat}\\
76.144 -\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three} &::& \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ three}
76.145 -\end{tabular}
76.146 -\end{center}
76.147 -where constant \isa{three} is explicitly defined as the representing set:
76.148 -\begin{center}
76.149 -\isa{three\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}\hfill(\isa{three{\isaliteral{5F}{\isacharunderscore}}def})
76.150 -\end{center}
76.151 -The situation is best summarized with the help of the following diagram,
76.152 -where squares denote types and the irregular region denotes a set:
76.153 -\begin{center}
76.154 -\includegraphics[scale=.8]{typedef}
76.155 -\end{center}
76.156 -Finally, \isacommand{typedef} asserts that \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} is
76.157 -surjective on the subset \isa{three} and \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three} and \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} are inverses of each other:
76.158 -\begin{center}
76.159 -\begin{tabular}{@ {}r@ {\qquad\qquad}l@ {}}
76.160 -\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three}) \\
76.161 -\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isaliteral{28}{\isacharparenleft}}Rep{\isaliteral{5F}{\isacharunderscore}}three\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inverse}) \\
76.162 -\isa{y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Rep{\isaliteral{5F}{\isacharunderscore}}three\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ y} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inverse})
76.163 -\end{tabular}
76.164 -\end{center}
76.165 -%
76.166 -From this example it should be clear what \isacommand{typedef} does
76.167 -in general given a name (here \isa{three}) and a set
76.168 -(here \isa{{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}).
76.169 -
76.170 -Our next step is to define the basic functions expected on the new type.
76.171 -Although this depends on the type at hand, the following strategy works well:
76.172 -\begin{itemize}
76.173 -\item define a small kernel of basic functions that can express all other
76.174 -functions you anticipate.
76.175 -\item define the kernel in terms of corresponding functions on the
76.176 -representing type using \isa{Abs} and \isa{Rep} to convert between the
76.177 -two levels.
76.178 -\end{itemize}
76.179 -In our example it suffices to give the three elements of type \isa{three}
76.180 -names:%
76.181 -\end{isamarkuptext}%
76.182 -\isamarkuptrue%
76.183 -\isacommand{definition}\isamarkupfalse%
76.184 -\ A\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ three\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
76.185 -\isacommand{definition}\isamarkupfalse%
76.186 -\ B\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ three\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
76.187 -\isacommand{definition}\isamarkupfalse%
76.188 -\ C\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ three\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}C\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isadigit{2}}{\isaliteral{22}{\isachardoublequoteclose}}%
76.189 -\begin{isamarkuptext}%
76.190 -So far, everything was easy. But it is clear that reasoning about \isa{three} will be hell if we have to go back to \isa{nat} every time. Thus our
76.191 -aim must be to raise our level of abstraction by deriving enough theorems
76.192 -about type \isa{three} to characterize it completely. And those theorems
76.193 -should be phrased in terms of \isa{A}, \isa{B} and \isa{C}, not \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three} and \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three}. Because of the simplicity of the example,
76.194 -we merely need to prove that \isa{A}, \isa{B} and \isa{C} are distinct
76.195 -and that they exhaust the type.
76.196 -
76.197 -In processing our \isacommand{typedef} declaration,
76.198 -Isabelle proves several helpful lemmas. The first two
76.199 -express injectivity of \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} and \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three}:
76.200 -\begin{center}
76.201 -\begin{tabular}{@ {}r@ {\qquad}l@ {}}
76.202 -\isa{{\isaliteral{28}{\isacharparenleft}}Rep{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{3D}{\isacharequal}}\ Rep{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{29}{\isacharparenright}}} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inject}) \\
76.203 -\begin{tabular}{@ {}l@ {}}
76.204 -\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}} \\
76.205 -\isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{3D}{\isacharequal}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{29}{\isacharparenright}}}
76.206 -\end{tabular} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inject}) \\
76.207 -\end{tabular}
76.208 -\end{center}
76.209 -The following ones allow to replace some \isa{x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}three} by
76.210 -\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}}, and conversely \isa{y} by \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three\ x}:
76.211 -\begin{center}
76.212 -\begin{tabular}{@ {}r@ {\qquad}l@ {}}
76.213 -\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ y\ {\isaliteral{3D}{\isacharequal}}\ Rep{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}cases}) \\
76.214 -\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}y{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{3D}{\isacharequal}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}cases}) \\
76.215 -\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}Rep{\isaliteral{5F}{\isacharunderscore}}three\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ y} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}induct}) \\
76.216 -\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}y{\isaliteral{2E}{\isachardot}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}induct}) \\
76.217 -\end{tabular}
76.218 -\end{center}
76.219 -These theorems are proved for any type definition, with \isa{three}
76.220 -replaced by the name of the type in question.
76.221 -
76.222 -Distinctness of \isa{A}, \isa{B} and \isa{C} follows immediately
76.223 -if we expand their definitions and rewrite with the injectivity
76.224 -of \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three}:%
76.225 -\end{isamarkuptext}%
76.226 -\isamarkuptrue%
76.227 -\isacommand{lemma}\isamarkupfalse%
76.228 -\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ B\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ A\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ C\ {\isaliteral{5C3C616E643E}{\isasymand}}\ C\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ C\ {\isaliteral{5C3C616E643E}{\isasymand}}\ C\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ B{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
76.229 -%
76.230 -\isadelimproof
76.231 -%
76.232 -\endisadelimproof
76.233 -%
76.234 -\isatagproof
76.235 -\isacommand{by}\isamarkupfalse%
76.236 -{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inject\ A{\isaliteral{5F}{\isacharunderscore}}def\ B{\isaliteral{5F}{\isacharunderscore}}def\ C{\isaliteral{5F}{\isacharunderscore}}def\ three{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
76.237 -\endisatagproof
76.238 -{\isafoldproof}%
76.239 -%
76.240 -\isadelimproof
76.241 -%
76.242 -\endisadelimproof
76.243 -%
76.244 -\begin{isamarkuptext}%
76.245 -\noindent
76.246 -Of course we rely on the simplifier to solve goals like \isa{{\isadigit{0}}\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{1}}}.
76.247 -
76.248 -The fact that \isa{A}, \isa{B} and \isa{C} exhaust type \isa{three} is
76.249 -best phrased as a case distinction theorem: if you want to prove \isa{P\ x}
76.250 -(where \isa{x} is of type \isa{three}) it suffices to prove \isa{P\ A},
76.251 -\isa{P\ B} and \isa{P\ C}:%
76.252 -\end{isamarkuptext}%
76.253 -\isamarkuptrue%
76.254 -\isacommand{lemma}\isamarkupfalse%
76.255 -\ three{\isaliteral{5F}{\isacharunderscore}}cases{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ P\ A{\isaliteral{3B}{\isacharsemicolon}}\ P\ B{\isaliteral{3B}{\isacharsemicolon}}\ P\ C\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x{\isaliteral{22}{\isachardoublequoteclose}}%
76.256 -\isadelimproof
76.257 -%
76.258 -\endisadelimproof
76.259 -%
76.260 -\isatagproof
76.261 -%
76.262 -\begin{isamarkuptxt}%
76.263 -\noindent Again this follows easily using the induction principle stemming from the type definition:%
76.264 -\end{isamarkuptxt}%
76.265 -\isamarkuptrue%
76.266 -\isacommand{apply}\isamarkupfalse%
76.267 -{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ x{\isaliteral{29}{\isacharparenright}}%
76.268 -\begin{isamarkuptxt}%
76.269 -\begin{isabelle}%
76.270 -\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}y{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ A{\isaliteral{3B}{\isacharsemicolon}}\ P\ B{\isaliteral{3B}{\isacharsemicolon}}\ P\ C{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}%
76.271 -\end{isabelle}
76.272 -Simplification with \isa{three{\isaliteral{5F}{\isacharunderscore}}def} leads to the disjunction \isa{y\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ y\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ y\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}} which \isa{auto} separates into three
76.273 -subgoals, each of which is easily solved by simplification:%
76.274 -\end{isamarkuptxt}%
76.275 -\isamarkuptrue%
76.276 -\isacommand{apply}\isamarkupfalse%
76.277 -{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ three{\isaliteral{5F}{\isacharunderscore}}def\ A{\isaliteral{5F}{\isacharunderscore}}def\ B{\isaliteral{5F}{\isacharunderscore}}def\ C{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
76.278 -\isacommand{done}\isamarkupfalse%
76.279 -%
76.280 -\endisatagproof
76.281 -{\isafoldproof}%
76.282 -%
76.283 -\isadelimproof
76.284 -%
76.285 -\endisadelimproof
76.286 -%
76.287 -\begin{isamarkuptext}%
76.288 -\noindent
76.289 -This concludes the derivation of the characteristic theorems for
76.290 -type \isa{three}.
76.291 -
76.292 -The attentive reader has realized long ago that the
76.293 -above lengthy definition can be collapsed into one line:%
76.294 -\end{isamarkuptext}%
76.295 -\isamarkuptrue%
76.296 -\isacommand{datatype}\isamarkupfalse%
76.297 -\ better{\isaliteral{5F}{\isacharunderscore}}three\ {\isaliteral{3D}{\isacharequal}}\ A\ {\isaliteral{7C}{\isacharbar}}\ B\ {\isaliteral{7C}{\isacharbar}}\ C%
76.298 -\begin{isamarkuptext}%
76.299 -\noindent
76.300 -In fact, the \isacommand{datatype} command performs internally more or less
76.301 -the same derivations as we did, which gives you some idea what life would be
76.302 -like without \isacommand{datatype}.
76.303 -
76.304 -Although \isa{three} could be defined in one line, we have chosen this
76.305 -example to demonstrate \isacommand{typedef} because its simplicity makes the
76.306 -key concepts particularly easy to grasp. If you would like to see a
76.307 -non-trivial example that cannot be defined more directly, we recommend the
76.308 -definition of \emph{finite multisets} in the Library~\cite{HOL-Library}.
76.309 -
76.310 -Let us conclude by summarizing the above procedure for defining a new type.
76.311 -Given some abstract axiomatic description $P$ of a type $ty$ in terms of a
76.312 -set of functions $F$, this involves three steps:
76.313 -\begin{enumerate}
76.314 -\item Find an appropriate type $\tau$ and subset $A$ which has the desired
76.315 - properties $P$, and make a type definition based on this representation.
76.316 -\item Define the required functions $F$ on $ty$ by lifting
76.317 -analogous functions on the representation via $Abs_ty$ and $Rep_ty$.
76.318 -\item Prove that $P$ holds for $ty$ by lifting $P$ from the representation.
76.319 -\end{enumerate}
76.320 -You can now forget about the representation and work solely in terms of the
76.321 -abstract functions $F$ and properties $P$.%
76.322 -\index{typedecl@\isacommand {typedef} (command)|)}%
76.323 -\index{types!defining|)}%
76.324 -\end{isamarkuptext}%
76.325 -\isamarkuptrue%
76.326 -%
76.327 -\isadelimtheory
76.328 -%
76.329 -\endisadelimtheory
76.330 -%
76.331 -\isatagtheory
76.332 -%
76.333 -\endisatagtheory
76.334 -{\isafoldtheory}%
76.335 -%
76.336 -\isadelimtheory
76.337 -%
76.338 -\endisadelimtheory
76.339 -\end{isabellebody}%
76.340 -%%% Local Variables:
76.341 -%%% mode: latex
76.342 -%%% TeX-master: "root"
76.343 -%%% End:
77.1 --- a/doc-src/TutorialI/Types/types.tex Thu Jul 26 16:08:16 2012 +0200
77.2 +++ b/doc-src/TutorialI/Types/types.tex Thu Jul 26 19:59:06 2012 +0200
77.3 @@ -22,10 +22,10 @@
77.4 is about, but consult the rest only when necessary.
77.5
77.6 \index{pairs and tuples|(}
77.7 -\input{Types/document/Pairs} %%%Section "Pairs and Tuples"
77.8 +\input{document/Pairs} %%%Section "Pairs and Tuples"
77.9 \index{pairs and tuples|)}
77.10
77.11 -\input{Types/document/Records} %%%Section "Records"
77.12 +\input{document/Records} %%%Section "Records"
77.13
77.14
77.15 \section{Type Classes} %%%Section
77.16 @@ -55,15 +55,15 @@
77.17 \label{sec:overloading}
77.18 \index{overloading|(}
77.19
77.20 -\input{Types/document/Overloading}
77.21 +\input{document/Overloading}
77.22
77.23 \index{overloading|)}
77.24
77.25 -\input{Types/document/Axioms}
77.26 +\input{document/Axioms}
77.27
77.28 \index{type classes|)}
77.29 \index{*class|)}
77.30
77.31 \input{Types/numerics} %%%Section "Numbers"
77.32
77.33 -\input{Types/document/Typedefs} %%%Section "Introducing New Types"
77.34 +\input{document/Typedefs} %%%Section "Introducing New Types"
78.1 --- a/doc-src/TutorialI/appendix.tex Thu Jul 26 16:08:16 2012 +0200
78.2 +++ b/doc-src/TutorialI/appendix.tex Thu Jul 26 19:59:06 2012 +0200
78.3 @@ -111,7 +111,7 @@
78.4 \label{tab:ascii}
78.5 \end{table}\indexbold{ASCII@\textsc{ascii} symbols}
78.6
78.7 -\input{Misc/document/appendix.tex}
78.8 +\input{document/appendix.tex}
78.9
78.10 \begin{table}[htbp]
78.11 \begin{center}
79.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
79.2 +++ b/doc-src/TutorialI/document/AB.tex Thu Jul 26 19:59:06 2012 +0200
79.3 @@ -0,0 +1,462 @@
79.4 +%
79.5 +\begin{isabellebody}%
79.6 +\def\isabellecontext{AB}%
79.7 +%
79.8 +\isadelimtheory
79.9 +%
79.10 +\endisadelimtheory
79.11 +%
79.12 +\isatagtheory
79.13 +%
79.14 +\endisatagtheory
79.15 +{\isafoldtheory}%
79.16 +%
79.17 +\isadelimtheory
79.18 +%
79.19 +\endisadelimtheory
79.20 +%
79.21 +\isamarkupsection{Case Study: A Context Free Grammar%
79.22 +}
79.23 +\isamarkuptrue%
79.24 +%
79.25 +\begin{isamarkuptext}%
79.26 +\label{sec:CFG}
79.27 +\index{grammars!defining inductively|(}%
79.28 +Grammars are nothing but shorthands for inductive definitions of nonterminals
79.29 +which represent sets of strings. For example, the production
79.30 +$A \to B c$ is short for
79.31 +\[ w \in B \Longrightarrow wc \in A \]
79.32 +This section demonstrates this idea with an example
79.33 +due to Hopcroft and Ullman, a grammar for generating all words with an
79.34 +equal number of $a$'s and~$b$'s:
79.35 +\begin{eqnarray}
79.36 +S &\to& \epsilon \mid b A \mid a B \nonumber\\
79.37 +A &\to& a S \mid b A A \nonumber\\
79.38 +B &\to& b S \mid a B B \nonumber
79.39 +\end{eqnarray}
79.40 +At the end we say a few words about the relationship between
79.41 +the original proof \cite[p.\ts81]{HopcroftUllman} and our formal version.
79.42 +
79.43 +We start by fixing the alphabet, which consists only of \isa{a}'s
79.44 +and~\isa{b}'s:%
79.45 +\end{isamarkuptext}%
79.46 +\isamarkuptrue%
79.47 +\isacommand{datatype}\isamarkupfalse%
79.48 +\ alfa\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{7C}{\isacharbar}}\ b%
79.49 +\begin{isamarkuptext}%
79.50 +\noindent
79.51 +For convenience we include the following easy lemmas as simplification rules:%
79.52 +\end{isamarkuptext}%
79.53 +\isamarkuptrue%
79.54 +\isacommand{lemma}\isamarkupfalse%
79.55 +\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
79.56 +%
79.57 +\isadelimproof
79.58 +%
79.59 +\endisadelimproof
79.60 +%
79.61 +\isatagproof
79.62 +\isacommand{by}\isamarkupfalse%
79.63 +\ {\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ x{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}%
79.64 +\endisatagproof
79.65 +{\isafoldproof}%
79.66 +%
79.67 +\isadelimproof
79.68 +%
79.69 +\endisadelimproof
79.70 +%
79.71 +\begin{isamarkuptext}%
79.72 +\noindent
79.73 +Words over this alphabet are of type \isa{alfa\ list}, and
79.74 +the three nonterminals are declared as sets of such words.
79.75 +The productions above are recast as a \emph{mutual} inductive
79.76 +definition\index{inductive definition!simultaneous}
79.77 +of \isa{S}, \isa{A} and~\isa{B}:%
79.78 +\end{isamarkuptext}%
79.79 +\isamarkuptrue%
79.80 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
79.81 +\isanewline
79.82 +\ \ S\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}alfa\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
79.83 +\ \ A\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}alfa\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
79.84 +\ \ B\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}alfa\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
79.85 +\isakeyword{where}\isanewline
79.86 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
79.87 +{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b{\isaliteral{23}{\isacharhash}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
79.88 +{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a{\isaliteral{23}{\isacharhash}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
79.89 +\isanewline
79.90 +{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S\ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a{\isaliteral{23}{\isacharhash}}w\ \ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
79.91 +{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ v{\isaliteral{5C3C696E3E}{\isasymin}}A{\isaliteral{3B}{\isacharsemicolon}}\ w{\isaliteral{5C3C696E3E}{\isasymin}}A\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b{\isaliteral{23}{\isacharhash}}v{\isaliteral{40}{\isacharat}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
79.92 +\isanewline
79.93 +{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S\ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b{\isaliteral{23}{\isacharhash}}w\ \ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
79.94 +{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{3B}{\isacharsemicolon}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a{\isaliteral{23}{\isacharhash}}v{\isaliteral{40}{\isacharat}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{22}{\isachardoublequoteclose}}%
79.95 +\begin{isamarkuptext}%
79.96 +\noindent
79.97 +First we show that all words in \isa{S} contain the same number of \isa{a}'s and \isa{b}'s. Since the definition of \isa{S} is by mutual
79.98 +induction, so is the proof: we show at the same time that all words in
79.99 +\isa{A} contain one more \isa{a} than \isa{b} and all words in \isa{B} contain one more \isa{b} than \isa{a}.%
79.100 +\end{isamarkuptext}%
79.101 +\isamarkuptrue%
79.102 +\isacommand{lemma}\isamarkupfalse%
79.103 +\ correctness{\isaliteral{3A}{\isacharcolon}}\isanewline
79.104 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ \ \ \ \ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
79.105 +\ \ \ {\isaliteral{28}{\isacharparenleft}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
79.106 +\ \ \ {\isaliteral{28}{\isacharparenleft}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
79.107 +\isadelimproof
79.108 +%
79.109 +\endisadelimproof
79.110 +%
79.111 +\isatagproof
79.112 +%
79.113 +\begin{isamarkuptxt}%
79.114 +\noindent
79.115 +These propositions are expressed with the help of the predefined \isa{filter} function on lists, which has the convenient syntax \isa{{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}xs{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}}, the list of all elements \isa{x} in \isa{xs} such that \isa{P\ x}
79.116 +holds. Remember that on lists \isa{size} and \isa{length} are synonymous.
79.117 +
79.118 +The proof itself is by rule induction and afterwards automatic:%
79.119 +\end{isamarkuptxt}%
79.120 +\isamarkuptrue%
79.121 +\isacommand{by}\isamarkupfalse%
79.122 +\ {\isaliteral{28}{\isacharparenleft}}rule\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}%
79.123 +\endisatagproof
79.124 +{\isafoldproof}%
79.125 +%
79.126 +\isadelimproof
79.127 +%
79.128 +\endisadelimproof
79.129 +%
79.130 +\begin{isamarkuptext}%
79.131 +\noindent
79.132 +This may seem surprising at first, and is indeed an indication of the power
79.133 +of inductive definitions. But it is also quite straightforward. For example,
79.134 +consider the production $A \to b A A$: if $v,w \in A$ and the elements of $A$
79.135 +contain one more $a$ than~$b$'s, then $bvw$ must again contain one more $a$
79.136 +than~$b$'s.
79.137 +
79.138 +As usual, the correctness of syntactic descriptions is easy, but completeness
79.139 +is hard: does \isa{S} contain \emph{all} words with an equal number of
79.140 +\isa{a}'s and \isa{b}'s? It turns out that this proof requires the
79.141 +following lemma: every string with two more \isa{a}'s than \isa{b}'s can be cut somewhere such that each half has one more \isa{a} than
79.142 +\isa{b}. This is best seen by imagining counting the difference between the
79.143 +number of \isa{a}'s and \isa{b}'s starting at the left end of the
79.144 +word. We start with 0 and end (at the right end) with 2. Since each move to the
79.145 +right increases or decreases the difference by 1, we must have passed through
79.146 +1 on our way from 0 to 2. Formally, we appeal to the following discrete
79.147 +intermediate value theorem \isa{nat{\isadigit{0}}{\isaliteral{5F}{\isacharunderscore}}intermed{\isaliteral{5F}{\isacharunderscore}}int{\isaliteral{5F}{\isacharunderscore}}val}
79.148 +\begin{isabelle}%
79.149 +\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}f\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2D}{\isacharminus}}\ f\ i{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isadigit{1}}{\isaliteral{3B}{\isacharsemicolon}}\ f\ {\isadigit{0}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
79.150 +\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{5C3C6C653E}{\isasymle}}n{\isaliteral{2E}{\isachardot}}\ f\ i\ {\isaliteral{3D}{\isacharequal}}\ k%
79.151 +\end{isabelle}
79.152 +where \isa{f} is of type \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int}, \isa{int} are the integers,
79.153 +\isa{{\isaliteral{5C3C6261723E}{\isasymbar}}{\isaliteral{2E}{\isachardot}}{\isaliteral{5C3C6261723E}{\isasymbar}}} is the absolute value function\footnote{See
79.154 +Table~\ref{tab:ascii} in the Appendix for the correct \textsc{ascii}
79.155 +syntax.}, and \isa{{\isadigit{1}}} is the integer 1 (see \S\ref{sec:numbers}).
79.156 +
79.157 +First we show that our specific function, the difference between the
79.158 +numbers of \isa{a}'s and \isa{b}'s, does indeed only change by 1 in every
79.159 +move to the right. At this point we also start generalizing from \isa{a}'s
79.160 +and \isa{b}'s to an arbitrary property \isa{P}. Otherwise we would have
79.161 +to prove the desired lemma twice, once as stated above and once with the
79.162 +roles of \isa{a}'s and \isa{b}'s interchanged.%
79.163 +\end{isamarkuptext}%
79.164 +\isamarkuptrue%
79.165 +\isacommand{lemma}\isamarkupfalse%
79.166 +\ step{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i\ {\isaliteral{3C}{\isacharless}}\ size\ w{\isaliteral{2E}{\isachardot}}\isanewline
79.167 +\ \ {\isaliteral{5C3C6261723E}{\isasymbar}}{\isaliteral{28}{\isacharparenleft}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ {\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{2D}{\isacharminus}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ {\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
79.168 +\ \ \ {\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{2D}{\isacharminus}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}%
79.169 +\isadelimproof
79.170 +%
79.171 +\endisadelimproof
79.172 +%
79.173 +\isatagproof
79.174 +%
79.175 +\begin{isamarkuptxt}%
79.176 +\noindent
79.177 +The lemma is a bit hard to read because of the coercion function
79.178 +\isa{int\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int}. It is required because \isa{size} returns
79.179 +a natural number, but subtraction on type~\isa{nat} will do the wrong thing.
79.180 +Function \isa{take} is predefined and \isa{take\ i\ xs} is the prefix of
79.181 +length \isa{i} of \isa{xs}; below we also need \isa{drop\ i\ xs}, which
79.182 +is what remains after that prefix has been dropped from \isa{xs}.
79.183 +
79.184 +The proof is by induction on \isa{w}, with a trivial base case, and a not
79.185 +so trivial induction step. Since it is essentially just arithmetic, we do not
79.186 +discuss it.%
79.187 +\end{isamarkuptxt}%
79.188 +\isamarkuptrue%
79.189 +\isacommand{apply}\isamarkupfalse%
79.190 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ w{\isaliteral{29}{\isacharparenright}}\isanewline
79.191 +\isacommand{apply}\isamarkupfalse%
79.192 +{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ abs{\isaliteral{5F}{\isacharunderscore}}if\ take{\isaliteral{5F}{\isacharunderscore}}Cons\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}\isanewline
79.193 +\isacommand{done}\isamarkupfalse%
79.194 +%
79.195 +\endisatagproof
79.196 +{\isafoldproof}%
79.197 +%
79.198 +\isadelimproof
79.199 +%
79.200 +\endisadelimproof
79.201 +%
79.202 +\begin{isamarkuptext}%
79.203 +Finally we come to the above-mentioned lemma about cutting in half a word with two more elements of one sort than of the other sort:%
79.204 +\end{isamarkuptext}%
79.205 +\isamarkuptrue%
79.206 +\isacommand{lemma}\isamarkupfalse%
79.207 +\ part{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\isanewline
79.208 +\ {\isaliteral{22}{\isachardoublequoteopen}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{2}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
79.209 +\ \ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{5C3C6C653E}{\isasymle}}size\ w{\isaliteral{2E}{\isachardot}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}%
79.210 +\isadelimproof
79.211 +%
79.212 +\endisadelimproof
79.213 +%
79.214 +\isatagproof
79.215 +%
79.216 +\begin{isamarkuptxt}%
79.217 +\noindent
79.218 +This is proved by \isa{force} with the help of the intermediate value theorem,
79.219 +instantiated appropriately and with its first premise disposed of by lemma
79.220 +\isa{step{\isadigit{1}}}:%
79.221 +\end{isamarkuptxt}%
79.222 +\isamarkuptrue%
79.223 +\isacommand{apply}\isamarkupfalse%
79.224 +{\isaliteral{28}{\isacharparenleft}}insert\ nat{\isadigit{0}}{\isaliteral{5F}{\isacharunderscore}}intermed{\isaliteral{5F}{\isacharunderscore}}int{\isaliteral{5F}{\isacharunderscore}}val{\isaliteral{5B}{\isacharbrackleft}}OF\ step{\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ of\ {\isaliteral{22}{\isachardoublequoteopen}}P{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}w{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
79.225 +\isacommand{by}\isamarkupfalse%
79.226 +\ force%
79.227 +\endisatagproof
79.228 +{\isafoldproof}%
79.229 +%
79.230 +\isadelimproof
79.231 +%
79.232 +\endisadelimproof
79.233 +%
79.234 +\begin{isamarkuptext}%
79.235 +\noindent
79.236 +
79.237 +Lemma \isa{part{\isadigit{1}}} tells us only about the prefix \isa{take\ i\ w}.
79.238 +An easy lemma deals with the suffix \isa{drop\ i\ w}:%
79.239 +\end{isamarkuptext}%
79.240 +\isamarkuptrue%
79.241 +\isacommand{lemma}\isamarkupfalse%
79.242 +\ part{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\isanewline
79.243 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w\ {\isaliteral{40}{\isacharat}}\ drop\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
79.244 +\ \ \ \ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w\ {\isaliteral{40}{\isacharat}}\ drop\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{2}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
79.245 +\ \ \ \ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
79.246 +\ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
79.247 +%
79.248 +\isadelimproof
79.249 +%
79.250 +\endisadelimproof
79.251 +%
79.252 +\isatagproof
79.253 +\isacommand{by}\isamarkupfalse%
79.254 +{\isaliteral{28}{\isacharparenleft}}simp\ del{\isaliteral{3A}{\isacharcolon}}\ append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{29}{\isacharparenright}}%
79.255 +\endisatagproof
79.256 +{\isafoldproof}%
79.257 +%
79.258 +\isadelimproof
79.259 +%
79.260 +\endisadelimproof
79.261 +%
79.262 +\begin{isamarkuptext}%
79.263 +\noindent
79.264 +In the proof we have disabled the normally useful lemma
79.265 +\begin{isabelle}
79.266 +\isa{take\ n\ xs\ {\isaliteral{40}{\isacharat}}\ drop\ n\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs}
79.267 +\rulename{append_take_drop_id}
79.268 +\end{isabelle}
79.269 +to allow the simplifier to apply the following lemma instead:
79.270 +\begin{isabelle}%
79.271 +\ \ \ \ \ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C696E3E}{\isasymin}}xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C696E3E}{\isasymin}}xs{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C696E3E}{\isasymin}}ys{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}%
79.272 +\end{isabelle}
79.273 +
79.274 +To dispose of trivial cases automatically, the rules of the inductive
79.275 +definition are declared simplification rules:%
79.276 +\end{isamarkuptext}%
79.277 +\isamarkuptrue%
79.278 +\isacommand{declare}\isamarkupfalse%
79.279 +\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}intros{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}%
79.280 +\begin{isamarkuptext}%
79.281 +\noindent
79.282 +This could have been done earlier but was not necessary so far.
79.283 +
79.284 +The completeness theorem tells us that if a word has the same number of
79.285 +\isa{a}'s and \isa{b}'s, then it is in \isa{S}, and similarly
79.286 +for \isa{A} and \isa{B}:%
79.287 +\end{isamarkuptext}%
79.288 +\isamarkuptrue%
79.289 +\isacommand{theorem}\isamarkupfalse%
79.290 +\ completeness{\isaliteral{3A}{\isacharcolon}}\isanewline
79.291 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
79.292 +\ \ \ {\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
79.293 +\ \ \ {\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
79.294 +\isadelimproof
79.295 +%
79.296 +\endisadelimproof
79.297 +%
79.298 +\isatagproof
79.299 +%
79.300 +\begin{isamarkuptxt}%
79.301 +\noindent
79.302 +The proof is by induction on \isa{w}. Structural induction would fail here
79.303 +because, as we can see from the grammar, we need to make bigger steps than
79.304 +merely appending a single letter at the front. Hence we induct on the length
79.305 +of \isa{w}, using the induction rule \isa{length{\isaliteral{5F}{\isacharunderscore}}induct}:%
79.306 +\end{isamarkuptxt}%
79.307 +\isamarkuptrue%
79.308 +\isacommand{apply}\isamarkupfalse%
79.309 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ w\ rule{\isaliteral{3A}{\isacharcolon}}\ length{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
79.310 +\isacommand{apply}\isamarkupfalse%
79.311 +{\isaliteral{28}{\isacharparenleft}}rename{\isaliteral{5F}{\isacharunderscore}}tac\ w{\isaliteral{29}{\isacharparenright}}%
79.312 +\begin{isamarkuptxt}%
79.313 +\noindent
79.314 +The \isa{rule} parameter tells \isa{induct{\isaliteral{5F}{\isacharunderscore}}tac} explicitly which induction
79.315 +rule to use. For details see \S\ref{sec:complete-ind} below.
79.316 +In this case the result is that we may assume the lemma already
79.317 +holds for all words shorter than \isa{w}. Because the induction step renames
79.318 +the induction variable we rename it back to \isa{w}.
79.319 +
79.320 +The proof continues with a case distinction on \isa{w},
79.321 +on whether \isa{w} is empty or not.%
79.322 +\end{isamarkuptxt}%
79.323 +\isamarkuptrue%
79.324 +\isacommand{apply}\isamarkupfalse%
79.325 +{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ w{\isaliteral{29}{\isacharparenright}}\isanewline
79.326 +\ \isacommand{apply}\isamarkupfalse%
79.327 +{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
79.328 +\begin{isamarkuptxt}%
79.329 +\noindent
79.330 +Simplification disposes of the base case and leaves only a conjunction
79.331 +of two step cases to be proved:
79.332 +if \isa{w\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ v} and \begin{isabelle}%
79.333 +\ \ \ \ \ length\ {\isaliteral{28}{\isacharparenleft}}if\ x\ {\isaliteral{3D}{\isacharequal}}\ a\ then\ {\isaliteral{5B}{\isacharbrackleft}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ v{\isaliteral{5D}{\isacharbrackright}}\ else\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
79.334 +\isaindent{\ \ \ \ \ }length\ {\isaliteral{28}{\isacharparenleft}}if\ x\ {\isaliteral{3D}{\isacharequal}}\ b\ then\ {\isaliteral{5B}{\isacharbrackleft}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ v{\isaliteral{5D}{\isacharbrackright}}\ else\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{2}}%
79.335 +\end{isabelle} then
79.336 +\isa{b\ {\isaliteral{23}{\isacharhash}}\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A}, and similarly for \isa{w\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{23}{\isacharhash}}\ v}.
79.337 +We only consider the first case in detail.
79.338 +
79.339 +After breaking the conjunction up into two cases, we can apply
79.340 +\isa{part{\isadigit{1}}} to the assumption that \isa{w} contains two more \isa{a}'s than \isa{b}'s.%
79.341 +\end{isamarkuptxt}%
79.342 +\isamarkuptrue%
79.343 +\isacommand{apply}\isamarkupfalse%
79.344 +{\isaliteral{28}{\isacharparenleft}}rule\ conjI{\isaliteral{29}{\isacharparenright}}\isanewline
79.345 +\ \isacommand{apply}\isamarkupfalse%
79.346 +{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
79.347 +\ \isacommand{apply}\isamarkupfalse%
79.348 +{\isaliteral{28}{\isacharparenleft}}frule\ part{\isadigit{1}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
79.349 +\ \isacommand{apply}\isamarkupfalse%
79.350 +{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}%
79.351 +\begin{isamarkuptxt}%
79.352 +\noindent
79.353 +This yields an index \isa{i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ length\ v} such that
79.354 +\begin{isabelle}%
79.355 +\ \ \ \ \ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}%
79.356 +\end{isabelle}
79.357 +With the help of \isa{part{\isadigit{2}}} it follows that
79.358 +\begin{isabelle}%
79.359 +\ \ \ \ \ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}%
79.360 +\end{isabelle}%
79.361 +\end{isamarkuptxt}%
79.362 +\isamarkuptrue%
79.363 +\ \isacommand{apply}\isamarkupfalse%
79.364 +{\isaliteral{28}{\isacharparenleft}}drule\ part{\isadigit{2}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
79.365 +\ \ \isacommand{apply}\isamarkupfalse%
79.366 +{\isaliteral{28}{\isacharparenleft}}assumption{\isaliteral{29}{\isacharparenright}}%
79.367 +\begin{isamarkuptxt}%
79.368 +\noindent
79.369 +Now it is time to decompose \isa{v} in the conclusion \isa{b\ {\isaliteral{23}{\isacharhash}}\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A}
79.370 +into \isa{take\ i\ v\ {\isaliteral{40}{\isacharat}}\ drop\ i\ v},%
79.371 +\end{isamarkuptxt}%
79.372 +\isamarkuptrue%
79.373 +\ \isacommand{apply}\isamarkupfalse%
79.374 +{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isadigit{1}}{\isaliteral{3D}{\isacharequal}}i\ \isakeyword{and}\ t{\isaliteral{3D}{\isacharequal}}v\ \isakeyword{in}\ subst{\isaliteral{5B}{\isacharbrackleft}}OF\ append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}%
79.375 +\begin{isamarkuptxt}%
79.376 +\noindent
79.377 +(the variables \isa{n{\isadigit{1}}} and \isa{t} are the result of composing the
79.378 +theorems \isa{subst} and \isa{append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id})
79.379 +after which the appropriate rule of the grammar reduces the goal
79.380 +to the two subgoals \isa{take\ i\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A} and \isa{drop\ i\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A}:%
79.381 +\end{isamarkuptxt}%
79.382 +\isamarkuptrue%
79.383 +\ \isacommand{apply}\isamarkupfalse%
79.384 +{\isaliteral{28}{\isacharparenleft}}rule\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}%
79.385 +\begin{isamarkuptxt}%
79.386 +Both subgoals follow from the induction hypothesis because both \isa{take\ i\ v} and \isa{drop\ i\ v} are shorter than \isa{w}:%
79.387 +\end{isamarkuptxt}%
79.388 +\isamarkuptrue%
79.389 +\ \ \isacommand{apply}\isamarkupfalse%
79.390 +{\isaliteral{28}{\isacharparenleft}}force\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ min{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}disj{\isaliteral{29}{\isacharparenright}}\isanewline
79.391 +\ \isacommand{apply}\isamarkupfalse%
79.392 +{\isaliteral{28}{\isacharparenleft}}force\ split\ add{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
79.393 +\begin{isamarkuptxt}%
79.394 +The case \isa{w\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{23}{\isacharhash}}\ v} is proved analogously:%
79.395 +\end{isamarkuptxt}%
79.396 +\isamarkuptrue%
79.397 +\isacommand{apply}\isamarkupfalse%
79.398 +{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
79.399 +\isacommand{apply}\isamarkupfalse%
79.400 +{\isaliteral{28}{\isacharparenleft}}frule\ part{\isadigit{1}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
79.401 +\isacommand{apply}\isamarkupfalse%
79.402 +{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
79.403 +\isacommand{apply}\isamarkupfalse%
79.404 +{\isaliteral{28}{\isacharparenleft}}drule\ part{\isadigit{2}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
79.405 +\ \isacommand{apply}\isamarkupfalse%
79.406 +{\isaliteral{28}{\isacharparenleft}}assumption{\isaliteral{29}{\isacharparenright}}\isanewline
79.407 +\isacommand{apply}\isamarkupfalse%
79.408 +{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isadigit{1}}{\isaliteral{3D}{\isacharequal}}i\ \isakeyword{and}\ t{\isaliteral{3D}{\isacharequal}}v\ \isakeyword{in}\ subst{\isaliteral{5B}{\isacharbrackleft}}OF\ append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
79.409 +\isacommand{apply}\isamarkupfalse%
79.410 +{\isaliteral{28}{\isacharparenleft}}rule\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
79.411 +\ \isacommand{apply}\isamarkupfalse%
79.412 +{\isaliteral{28}{\isacharparenleft}}force\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ min{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}disj{\isaliteral{29}{\isacharparenright}}\isanewline
79.413 +\isacommand{by}\isamarkupfalse%
79.414 +{\isaliteral{28}{\isacharparenleft}}force\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ min{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}disj\ split\ add{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
79.415 +\endisatagproof
79.416 +{\isafoldproof}%
79.417 +%
79.418 +\isadelimproof
79.419 +%
79.420 +\endisadelimproof
79.421 +%
79.422 +\begin{isamarkuptext}%
79.423 +We conclude this section with a comparison of our proof with
79.424 +Hopcroft\index{Hopcroft, J. E.} and Ullman's\index{Ullman, J. D.}
79.425 +\cite[p.\ts81]{HopcroftUllman}.
79.426 +For a start, the textbook
79.427 +grammar, for no good reason, excludes the empty word, thus complicating
79.428 +matters just a little bit: they have 8 instead of our 7 productions.
79.429 +
79.430 +More importantly, the proof itself is different: rather than
79.431 +separating the two directions, they perform one induction on the
79.432 +length of a word. This deprives them of the beauty of rule induction,
79.433 +and in the easy direction (correctness) their reasoning is more
79.434 +detailed than our \isa{auto}. For the hard part (completeness), they
79.435 +consider just one of the cases that our \isa{simp{\isaliteral{5F}{\isacharunderscore}}all} disposes of
79.436 +automatically. Then they conclude the proof by saying about the
79.437 +remaining cases: ``We do this in a manner similar to our method of
79.438 +proof for part (1); this part is left to the reader''. But this is
79.439 +precisely the part that requires the intermediate value theorem and
79.440 +thus is not at all similar to the other cases (which are automatic in
79.441 +Isabelle). The authors are at least cavalier about this point and may
79.442 +even have overlooked the slight difficulty lurking in the omitted
79.443 +cases. Such errors are found in many pen-and-paper proofs when they
79.444 +are scrutinized formally.%
79.445 +\index{grammars!defining inductively|)}%
79.446 +\end{isamarkuptext}%
79.447 +\isamarkuptrue%
79.448 +%
79.449 +\isadelimtheory
79.450 +%
79.451 +\endisadelimtheory
79.452 +%
79.453 +\isatagtheory
79.454 +%
79.455 +\endisatagtheory
79.456 +{\isafoldtheory}%
79.457 +%
79.458 +\isadelimtheory
79.459 +%
79.460 +\endisadelimtheory
79.461 +\end{isabellebody}%
79.462 +%%% Local Variables:
79.463 +%%% mode: latex
79.464 +%%% TeX-master: "root"
79.465 +%%% End:
80.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
80.2 +++ b/doc-src/TutorialI/document/ABexpr.tex Thu Jul 26 19:59:06 2012 +0200
80.3 @@ -0,0 +1,199 @@
80.4 +%
80.5 +\begin{isabellebody}%
80.6 +\def\isabellecontext{ABexpr}%
80.7 +%
80.8 +\isadelimtheory
80.9 +%
80.10 +\endisadelimtheory
80.11 +%
80.12 +\isatagtheory
80.13 +%
80.14 +\endisatagtheory
80.15 +{\isafoldtheory}%
80.16 +%
80.17 +\isadelimtheory
80.18 +%
80.19 +\endisadelimtheory
80.20 +%
80.21 +\begin{isamarkuptext}%
80.22 +\index{datatypes!mutually recursive}%
80.23 +Sometimes it is necessary to define two datatypes that depend on each
80.24 +other. This is called \textbf{mutual recursion}. As an example consider a
80.25 +language of arithmetic and boolean expressions where
80.26 +\begin{itemize}
80.27 +\item arithmetic expressions contain boolean expressions because there are
80.28 + conditional expressions like ``if $m<n$ then $n-m$ else $m-n$'',
80.29 + and
80.30 +\item boolean expressions contain arithmetic expressions because of
80.31 + comparisons like ``$m<n$''.
80.32 +\end{itemize}
80.33 +In Isabelle this becomes%
80.34 +\end{isamarkuptext}%
80.35 +\isamarkuptrue%
80.36 +\isacommand{datatype}\isamarkupfalse%
80.37 +\ {\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{3D}{\isacharequal}}\ IF\ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
80.38 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Sum\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
80.39 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Diff\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
80.40 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Var\ {\isaliteral{27}{\isacharprime}}a\isanewline
80.41 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Num\ nat\isanewline
80.42 +\isakeyword{and}\ \ \ \ \ \ {\isaliteral{27}{\isacharprime}}a\ bexp\ {\isaliteral{3D}{\isacharequal}}\ Less\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
80.43 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ And\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
80.44 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Neg\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}%
80.45 +\begin{isamarkuptext}%
80.46 +\noindent
80.47 +Type \isa{aexp} is similar to \isa{expr} in \S\ref{sec:ExprCompiler},
80.48 +except that we have added an \isa{IF} constructor,
80.49 +fixed the values to be of type \isa{nat} and declared the two binary
80.50 +operations \isa{Sum} and \isa{Diff}. Boolean
80.51 +expressions can be arithmetic comparisons, conjunctions and negations.
80.52 +The semantics is given by two evaluation functions:%
80.53 +\end{isamarkuptext}%
80.54 +\isamarkuptrue%
80.55 +\isacommand{primrec}\isamarkupfalse%
80.56 +\ evala\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
80.57 +\ \ \ \ \ \ \ \ \ evalb\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
80.58 +{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\isanewline
80.59 +\ \ \ {\isaliteral{28}{\isacharparenleft}}if\ evalb\ b\ env\ then\ evala\ a{\isadigit{1}}\ env\ else\ evala\ a{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.60 +{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Sum\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evala\ a{\isadigit{1}}\ env\ {\isaliteral{2B}{\isacharplus}}\ evala\ a{\isadigit{2}}\ env{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.61 +{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Diff\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evala\ a{\isadigit{1}}\ env\ {\isaliteral{2D}{\isacharminus}}\ evala\ a{\isadigit{2}}\ env{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.62 +{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Var\ v{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ env\ v{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.63 +{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Num\ n{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.64 +\isanewline
80.65 +{\isaliteral{22}{\isachardoublequoteopen}}evalb\ {\isaliteral{28}{\isacharparenleft}}Less\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}evala\ a{\isadigit{1}}\ env\ {\isaliteral{3C}{\isacharless}}\ evala\ a{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.66 +{\isaliteral{22}{\isachardoublequoteopen}}evalb\ {\isaliteral{28}{\isacharparenleft}}And\ b{\isadigit{1}}\ b{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}evalb\ b{\isadigit{1}}\ env\ {\isaliteral{5C3C616E643E}{\isasymand}}\ evalb\ b{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.67 +{\isaliteral{22}{\isachardoublequoteopen}}evalb\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ evalb\ b\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
80.68 +\begin{isamarkuptext}%
80.69 +\noindent
80.70 +
80.71 +Both take an expression and an environment (a mapping from variables
80.72 +\isa{{\isaliteral{27}{\isacharprime}}a} to values \isa{nat}) and return its arithmetic/boolean
80.73 +value. Since the datatypes are mutually recursive, so are functions
80.74 +that operate on them. Hence they need to be defined in a single
80.75 +\isacommand{primrec} section. Notice the \isakeyword{and} separating
80.76 +the declarations of \isa{evala} and \isa{evalb}. Their defining
80.77 +equations need not be split into two groups;
80.78 +the empty line is purely for readability.
80.79 +
80.80 +In the same fashion we also define two functions that perform substitution:%
80.81 +\end{isamarkuptext}%
80.82 +\isamarkuptrue%
80.83 +\isacommand{primrec}\isamarkupfalse%
80.84 +\ substa\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ aexp{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
80.85 +\ \ \ \ \ \ \ \ \ substb\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ aexp{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ bexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
80.86 +{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
80.87 +\ \ \ IF\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.88 +{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Sum\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Sum\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.89 +{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Diff\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Diff\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.90 +{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Var\ v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ s\ v{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.91 +{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Num\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Num\ n{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.92 +\isanewline
80.93 +{\isaliteral{22}{\isachardoublequoteopen}}substb\ s\ {\isaliteral{28}{\isacharparenleft}}Less\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Less\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.94 +{\isaliteral{22}{\isachardoublequoteopen}}substb\ s\ {\isaliteral{28}{\isacharparenleft}}And\ b{\isadigit{1}}\ b{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ And\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
80.95 +{\isaliteral{22}{\isachardoublequoteopen}}substb\ s\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Neg\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
80.96 +\begin{isamarkuptext}%
80.97 +\noindent
80.98 +Their first argument is a function mapping variables to expressions, the
80.99 +substitution. It is applied to all variables in the second argument. As a
80.100 +result, the type of variables in the expression may change from \isa{{\isaliteral{27}{\isacharprime}}a}
80.101 +to \isa{{\isaliteral{27}{\isacharprime}}b}. Note that there are only arithmetic and no boolean variables.
80.102 +
80.103 +Now we can prove a fundamental theorem about the interaction between
80.104 +evaluation and substitution: applying a substitution $s$ to an expression $a$
80.105 +and evaluating the result in an environment $env$ yields the same result as
80.106 +evaluation $a$ in the environment that maps every variable $x$ to the value
80.107 +of $s(x)$ under $env$. If you try to prove this separately for arithmetic or
80.108 +boolean expressions (by induction), you find that you always need the other
80.109 +theorem in the induction step. Therefore you need to state and prove both
80.110 +theorems simultaneously:%
80.111 +\end{isamarkuptext}%
80.112 +\isamarkuptrue%
80.113 +\isacommand{lemma}\isamarkupfalse%
80.114 +\ {\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evala\ a\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ evala\ {\isaliteral{28}{\isacharparenleft}}s\ x{\isaliteral{29}{\isacharparenright}}\ env{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
80.115 +\ \ \ \ \ \ \ \ evalb\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evalb\ b\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ evala\ {\isaliteral{28}{\isacharparenleft}}s\ x{\isaliteral{29}{\isacharparenright}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
80.116 +%
80.117 +\isadelimproof
80.118 +%
80.119 +\endisadelimproof
80.120 +%
80.121 +\isatagproof
80.122 +\isacommand{apply}\isamarkupfalse%
80.123 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ a\ \isakeyword{and}\ b{\isaliteral{29}{\isacharparenright}}%
80.124 +\begin{isamarkuptxt}%
80.125 +\noindent The resulting 8 goals (one for each constructor) are proved in one fell swoop:%
80.126 +\end{isamarkuptxt}%
80.127 +\isamarkuptrue%
80.128 +\isacommand{apply}\isamarkupfalse%
80.129 +\ simp{\isaliteral{5F}{\isacharunderscore}}all%
80.130 +\endisatagproof
80.131 +{\isafoldproof}%
80.132 +%
80.133 +\isadelimproof
80.134 +%
80.135 +\endisadelimproof
80.136 +%
80.137 +\begin{isamarkuptext}%
80.138 +In general, given $n$ mutually recursive datatypes $\tau@1$, \dots, $\tau@n$,
80.139 +an inductive proof expects a goal of the form
80.140 +\[ P@1(x@1)\ \land \dots \land P@n(x@n) \]
80.141 +where each variable $x@i$ is of type $\tau@i$. Induction is started by
80.142 +\begin{isabelle}
80.143 +\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac} $x@1$ \isacommand{and} \dots\ \isacommand{and} $x@n$\isa{{\isaliteral{29}{\isacharparenright}}}
80.144 +\end{isabelle}
80.145 +
80.146 +\begin{exercise}
80.147 + Define a function \isa{norma} of type \isa{{\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ aexp} that
80.148 + replaces \isa{IF}s with complex boolean conditions by nested
80.149 + \isa{IF}s; it should eliminate the constructors
80.150 + \isa{And} and \isa{Neg}, leaving only \isa{Less}.
80.151 + Prove that \isa{norma}
80.152 + preserves the value of an expression and that the result of \isa{norma}
80.153 + is really normal, i.e.\ no more \isa{And}s and \isa{Neg}s occur in
80.154 + it. ({\em Hint:} proceed as in \S\ref{sec:boolex} and read the discussion
80.155 + of type annotations following lemma \isa{subst{\isaliteral{5F}{\isacharunderscore}}id} below).
80.156 +\end{exercise}%
80.157 +\end{isamarkuptext}%
80.158 +\isamarkuptrue%
80.159 +%
80.160 +\isadelimproof
80.161 +%
80.162 +\endisadelimproof
80.163 +%
80.164 +\isatagproof
80.165 +%
80.166 +\endisatagproof
80.167 +{\isafoldproof}%
80.168 +%
80.169 +\isadelimproof
80.170 +%
80.171 +\endisadelimproof
80.172 +%
80.173 +\isadelimproof
80.174 +%
80.175 +\endisadelimproof
80.176 +%
80.177 +\isatagproof
80.178 +%
80.179 +\endisatagproof
80.180 +{\isafoldproof}%
80.181 +%
80.182 +\isadelimproof
80.183 +%
80.184 +\endisadelimproof
80.185 +%
80.186 +\isadelimtheory
80.187 +%
80.188 +\endisadelimtheory
80.189 +%
80.190 +\isatagtheory
80.191 +%
80.192 +\endisatagtheory
80.193 +{\isafoldtheory}%
80.194 +%
80.195 +\isadelimtheory
80.196 +%
80.197 +\endisadelimtheory
80.198 +\end{isabellebody}%
80.199 +%%% Local Variables:
80.200 +%%% mode: latex
80.201 +%%% TeX-master: "root"
80.202 +%%% End:
81.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
81.2 +++ b/doc-src/TutorialI/document/Advanced.tex Thu Jul 26 19:59:06 2012 +0200
81.3 @@ -0,0 +1,599 @@
81.4 +%
81.5 +\begin{isabellebody}%
81.6 +\def\isabellecontext{Advanced}%
81.7 +%
81.8 +\isadelimtheory
81.9 +%
81.10 +\endisadelimtheory
81.11 +%
81.12 +\isatagtheory
81.13 +%
81.14 +\endisatagtheory
81.15 +{\isafoldtheory}%
81.16 +%
81.17 +\isadelimtheory
81.18 +%
81.19 +\endisadelimtheory
81.20 +%
81.21 +\isadelimML
81.22 +%
81.23 +\endisadelimML
81.24 +%
81.25 +\isatagML
81.26 +%
81.27 +\endisatagML
81.28 +{\isafoldML}%
81.29 +%
81.30 +\isadelimML
81.31 +%
81.32 +\endisadelimML
81.33 +%
81.34 +\begin{isamarkuptext}%
81.35 +The premises of introduction rules may contain universal quantifiers and
81.36 +monotone functions. A universal quantifier lets the rule
81.37 +refer to any number of instances of
81.38 +the inductively defined set. A monotone function lets the rule refer
81.39 +to existing constructions (such as ``list of'') over the inductively defined
81.40 +set. The examples below show how to use the additional expressiveness
81.41 +and how to reason from the resulting definitions.%
81.42 +\end{isamarkuptext}%
81.43 +\isamarkuptrue%
81.44 +%
81.45 +\isamarkupsubsection{Universal Quantifiers in Introduction Rules \label{sec:gterm-datatype}%
81.46 +}
81.47 +\isamarkuptrue%
81.48 +%
81.49 +\begin{isamarkuptext}%
81.50 +\index{ground terms example|(}%
81.51 +\index{quantifiers!and inductive definitions|(}%
81.52 +As a running example, this section develops the theory of \textbf{ground
81.53 +terms}: terms constructed from constant and function
81.54 +symbols but not variables. To simplify matters further, we regard a
81.55 +constant as a function applied to the null argument list. Let us declare a
81.56 +datatype \isa{gterm} for the type of ground terms. It is a type constructor
81.57 +whose argument is a type of function symbols.%
81.58 +\end{isamarkuptext}%
81.59 +\isamarkuptrue%
81.60 +\isacommand{datatype}\isamarkupfalse%
81.61 +\ {\isaliteral{27}{\isacharprime}}f\ gterm\ {\isaliteral{3D}{\isacharequal}}\ Apply\ {\isaliteral{27}{\isacharprime}}f\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ gterm\ list{\isaliteral{22}{\isachardoublequoteclose}}%
81.62 +\begin{isamarkuptext}%
81.63 +To try it out, we declare a datatype of some integer operations:
81.64 +integer constants, the unary minus operator and the addition
81.65 +operator.%
81.66 +\end{isamarkuptext}%
81.67 +\isamarkuptrue%
81.68 +\isacommand{datatype}\isamarkupfalse%
81.69 +\ integer{\isaliteral{5F}{\isacharunderscore}}op\ {\isaliteral{3D}{\isacharequal}}\ Number\ int\ {\isaliteral{7C}{\isacharbar}}\ UnaryMinus\ {\isaliteral{7C}{\isacharbar}}\ Plus%
81.70 +\begin{isamarkuptext}%
81.71 +Now the type \isa{integer{\isaliteral{5F}{\isacharunderscore}}op\ gterm} denotes the ground
81.72 +terms built over those symbols.
81.73 +
81.74 +The type constructor \isa{gterm} can be generalized to a function
81.75 +over sets. It returns
81.76 +the set of ground terms that can be formed over a set \isa{F} of function symbols. For
81.77 +example, we could consider the set of ground terms formed from the finite
81.78 +set \isa{{\isaliteral{7B}{\isacharbraceleft}}Number\ {\isadigit{2}}{\isaliteral{2C}{\isacharcomma}}\ UnaryMinus{\isaliteral{2C}{\isacharcomma}}\ Plus{\isaliteral{7D}{\isacharbraceright}}}.
81.79 +
81.80 +This concept is inductive. If we have a list \isa{args} of ground terms
81.81 +over~\isa{F} and a function symbol \isa{f} in \isa{F}, then we
81.82 +can apply \isa{f} to \isa{args} to obtain another ground term.
81.83 +The only difficulty is that the argument list may be of any length. Hitherto,
81.84 +each rule in an inductive definition referred to the inductively
81.85 +defined set a fixed number of times, typically once or twice.
81.86 +A universal quantifier in the premise of the introduction rule
81.87 +expresses that every element of \isa{args} belongs
81.88 +to our inductively defined set: is a ground term
81.89 +over~\isa{F}. The function \isa{set} denotes the set of elements in a given
81.90 +list.%
81.91 +\end{isamarkuptext}%
81.92 +\isamarkuptrue%
81.93 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
81.94 +\isanewline
81.95 +\ \ gterms\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}f\ gterm\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.96 +\ \ \isakeyword{for}\ F\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.97 +\isakeyword{where}\isanewline
81.98 +step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{3B}{\isacharsemicolon}}\ \ f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
81.99 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Apply\ f\ args{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{22}{\isachardoublequoteclose}}%
81.100 +\begin{isamarkuptext}%
81.101 +To demonstrate a proof from this definition, let us
81.102 +show that the function \isa{gterms}
81.103 +is \textbf{monotone}. We shall need this concept shortly.%
81.104 +\end{isamarkuptext}%
81.105 +\isamarkuptrue%
81.106 +\isacommand{lemma}\isamarkupfalse%
81.107 +\ gterms{\isaliteral{5F}{\isacharunderscore}}mono{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}F{\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}G\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ gterms\ F\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ gterms\ G{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.108 +%
81.109 +\isadelimproof
81.110 +%
81.111 +\endisadelimproof
81.112 +%
81.113 +\isatagproof
81.114 +\isacommand{apply}\isamarkupfalse%
81.115 +\ clarify\isanewline
81.116 +\isacommand{apply}\isamarkupfalse%
81.117 +\ {\isaliteral{28}{\isacharparenleft}}erule\ gterms{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
81.118 +\isacommand{apply}\isamarkupfalse%
81.119 +\ blast\isanewline
81.120 +\isacommand{done}\isamarkupfalse%
81.121 +%
81.122 +\endisatagproof
81.123 +{\isafoldproof}%
81.124 +%
81.125 +\isadelimproof
81.126 +%
81.127 +\endisadelimproof
81.128 +%
81.129 +\isadelimproof
81.130 +%
81.131 +\endisadelimproof
81.132 +%
81.133 +\isatagproof
81.134 +%
81.135 +\begin{isamarkuptxt}%
81.136 +Intuitively, this theorem says that
81.137 +enlarging the set of function symbols enlarges the set of ground
81.138 +terms. The proof is a trivial rule induction.
81.139 +First we use the \isa{clarify} method to assume the existence of an element of
81.140 +\isa{gterms\ F}. (We could have used \isa{intro\ subsetI}.) We then
81.141 +apply rule induction. Here is the resulting subgoal:
81.142 +\begin{isabelle}%
81.143 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ args\ f{\isaliteral{2E}{\isachardot}}\isanewline
81.144 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}F\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ G{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G{\isaliteral{3B}{\isacharsemicolon}}\ f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
81.145 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G%
81.146 +\end{isabelle}
81.147 +The assumptions state that \isa{f} belongs
81.148 +to~\isa{F}, which is included in~\isa{G}, and that every element of the list \isa{args} is
81.149 +a ground term over~\isa{G}. The \isa{blast} method finds this chain of reasoning easily.%
81.150 +\end{isamarkuptxt}%
81.151 +\isamarkuptrue%
81.152 +%
81.153 +\endisatagproof
81.154 +{\isafoldproof}%
81.155 +%
81.156 +\isadelimproof
81.157 +%
81.158 +\endisadelimproof
81.159 +%
81.160 +\begin{isamarkuptext}%
81.161 +\begin{warn}
81.162 +Why do we call this function \isa{gterms} instead
81.163 +of \isa{gterm}? A constant may have the same name as a type. However,
81.164 +name clashes could arise in the theorems that Isabelle generates.
81.165 +Our choice of names keeps \isa{gterms{\isaliteral{2E}{\isachardot}}induct} separate from
81.166 +\isa{gterm{\isaliteral{2E}{\isachardot}}induct}.
81.167 +\end{warn}
81.168 +
81.169 +Call a term \textbf{well-formed} if each symbol occurring in it is applied
81.170 +to the correct number of arguments. (This number is called the symbol's
81.171 +\textbf{arity}.) We can express well-formedness by
81.172 +generalizing the inductive definition of
81.173 +\isa{gterms}.
81.174 +Suppose we are given a function called \isa{arity}, specifying the arities
81.175 +of all symbols. In the inductive step, we have a list \isa{args} of such
81.176 +terms and a function symbol~\isa{f}. If the length of the list matches the
81.177 +function's arity then applying \isa{f} to \isa{args} yields a well-formed
81.178 +term.%
81.179 +\end{isamarkuptext}%
81.180 +\isamarkuptrue%
81.181 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
81.182 +\isanewline
81.183 +\ \ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}f\ gterm\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.184 +\ \ \isakeyword{for}\ arity\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.185 +\isakeyword{where}\isanewline
81.186 +step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{3B}{\isacharsemicolon}}\ \ \isanewline
81.187 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
81.188 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Apply\ f\ args{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{22}{\isachardoublequoteclose}}%
81.189 +\begin{isamarkuptext}%
81.190 +The inductive definition neatly captures the reasoning above.
81.191 +The universal quantification over the
81.192 +\isa{set} of arguments expresses that all of them are well-formed.%
81.193 +\index{quantifiers!and inductive definitions|)}%
81.194 +\end{isamarkuptext}%
81.195 +\isamarkuptrue%
81.196 +%
81.197 +\isamarkupsubsection{Alternative Definition Using a Monotone Function%
81.198 +}
81.199 +\isamarkuptrue%
81.200 +%
81.201 +\begin{isamarkuptext}%
81.202 +\index{monotone functions!and inductive definitions|(}%
81.203 +An inductive definition may refer to the
81.204 +inductively defined set through an arbitrary monotone function. To
81.205 +demonstrate this powerful feature, let us
81.206 +change the inductive definition above, replacing the
81.207 +quantifier by a use of the function \isa{lists}. This
81.208 +function, from the Isabelle theory of lists, is analogous to the
81.209 +function \isa{gterms} declared above: if \isa{A} is a set then
81.210 +\isa{lists\ A} is the set of lists whose elements belong to
81.211 +\isa{A}.
81.212 +
81.213 +In the inductive definition of well-formed terms, examine the one
81.214 +introduction rule. The first premise states that \isa{args} belongs to
81.215 +the \isa{lists} of well-formed terms. This formulation is more
81.216 +direct, if more obscure, than using a universal quantifier.%
81.217 +\end{isamarkuptext}%
81.218 +\isamarkuptrue%
81.219 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
81.220 +\isanewline
81.221 +\ \ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}f\ gterm\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.222 +\ \ \isakeyword{for}\ arity\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.223 +\isakeyword{where}\isanewline
81.224 +step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ \ \isanewline
81.225 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
81.226 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Apply\ f\ args{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.227 +\isakeyword{monos}\ lists{\isaliteral{5F}{\isacharunderscore}}mono%
81.228 +\begin{isamarkuptext}%
81.229 +We cite the theorem \isa{lists{\isaliteral{5F}{\isacharunderscore}}mono} to justify
81.230 +using the function \isa{lists}.%
81.231 +\footnote{This particular theorem is installed by default already, but we
81.232 +include the \isakeyword{monos} declaration in order to illustrate its syntax.}
81.233 +\begin{isabelle}%
81.234 +A\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ B\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ lists\ A\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ lists\ B\rulename{lists{\isaliteral{5F}{\isacharunderscore}}mono}%
81.235 +\end{isabelle}
81.236 +Why must the function be monotone? An inductive definition describes
81.237 +an iterative construction: each element of the set is constructed by a
81.238 +finite number of introduction rule applications. For example, the
81.239 +elements of \isa{even} are constructed by finitely many applications of
81.240 +the rules
81.241 +\begin{isabelle}%
81.242 +{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isasep\isanewline%
81.243 +n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
81.244 +\end{isabelle}
81.245 +All references to a set in its
81.246 +inductive definition must be positive. Applications of an
81.247 +introduction rule cannot invalidate previous applications, allowing the
81.248 +construction process to converge.
81.249 +The following pair of rules do not constitute an inductive definition:
81.250 +\begin{trivlist}
81.251 +\item \isa{{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even}
81.252 +\item \isa{n\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even}
81.253 +\end{trivlist}
81.254 +Showing that 4 is even using these rules requires showing that 3 is not
81.255 +even. It is far from trivial to show that this set of rules
81.256 +characterizes the even numbers.
81.257 +
81.258 +Even with its use of the function \isa{lists}, the premise of our
81.259 +introduction rule is positive:
81.260 +\begin{isabelle}%
81.261 +args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{29}{\isacharparenright}}%
81.262 +\end{isabelle}
81.263 +To apply the rule we construct a list \isa{args} of previously
81.264 +constructed well-formed terms. We obtain a
81.265 +new term, \isa{Apply\ f\ args}. Because \isa{lists} is monotone,
81.266 +applications of the rule remain valid as new terms are constructed.
81.267 +Further lists of well-formed
81.268 +terms become available and none are taken away.%
81.269 +\index{monotone functions!and inductive definitions|)}%
81.270 +\end{isamarkuptext}%
81.271 +\isamarkuptrue%
81.272 +%
81.273 +\isamarkupsubsection{A Proof of Equivalence%
81.274 +}
81.275 +\isamarkuptrue%
81.276 +%
81.277 +\begin{isamarkuptext}%
81.278 +We naturally hope that these two inductive definitions of ``well-formed''
81.279 +coincide. The equality can be proved by separate inclusions in
81.280 +each direction. Each is a trivial rule induction.%
81.281 +\end{isamarkuptext}%
81.282 +\isamarkuptrue%
81.283 +\isacommand{lemma}\isamarkupfalse%
81.284 +\ {\isaliteral{22}{\isachardoublequoteopen}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.285 +%
81.286 +\isadelimproof
81.287 +%
81.288 +\endisadelimproof
81.289 +%
81.290 +\isatagproof
81.291 +\isacommand{apply}\isamarkupfalse%
81.292 +\ clarify\isanewline
81.293 +\isacommand{apply}\isamarkupfalse%
81.294 +\ {\isaliteral{28}{\isacharparenleft}}erule\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
81.295 +\isacommand{apply}\isamarkupfalse%
81.296 +\ auto\isanewline
81.297 +\isacommand{done}\isamarkupfalse%
81.298 +%
81.299 +\endisatagproof
81.300 +{\isafoldproof}%
81.301 +%
81.302 +\isadelimproof
81.303 +%
81.304 +\endisadelimproof
81.305 +%
81.306 +\isadelimproof
81.307 +%
81.308 +\endisadelimproof
81.309 +%
81.310 +\isatagproof
81.311 +%
81.312 +\begin{isamarkuptxt}%
81.313 +The \isa{clarify} method gives
81.314 +us an element of \isa{well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity} on which to perform
81.315 +induction. The resulting subgoal can be proved automatically:
81.316 +\begin{isabelle}%
81.317 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ args\ f{\isaliteral{2E}{\isachardot}}\isanewline
81.318 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\isanewline
81.319 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ \ \ }t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{3B}{\isacharsemicolon}}\isanewline
81.320 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
81.321 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity%
81.322 +\end{isabelle}
81.323 +This proof resembles the one given in
81.324 +{\S}\ref{sec:gterm-datatype} above, especially in the form of the
81.325 +induction hypothesis. Next, we consider the opposite inclusion:%
81.326 +\end{isamarkuptxt}%
81.327 +\isamarkuptrue%
81.328 +%
81.329 +\endisatagproof
81.330 +{\isafoldproof}%
81.331 +%
81.332 +\isadelimproof
81.333 +%
81.334 +\endisadelimproof
81.335 +\isacommand{lemma}\isamarkupfalse%
81.336 +\ {\isaliteral{22}{\isachardoublequoteopen}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.337 +%
81.338 +\isadelimproof
81.339 +%
81.340 +\endisadelimproof
81.341 +%
81.342 +\isatagproof
81.343 +\isacommand{apply}\isamarkupfalse%
81.344 +\ clarify\isanewline
81.345 +\isacommand{apply}\isamarkupfalse%
81.346 +\ {\isaliteral{28}{\isacharparenleft}}erule\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
81.347 +\isacommand{apply}\isamarkupfalse%
81.348 +\ auto\isanewline
81.349 +\isacommand{done}\isamarkupfalse%
81.350 +%
81.351 +\endisatagproof
81.352 +{\isafoldproof}%
81.353 +%
81.354 +\isadelimproof
81.355 +%
81.356 +\endisadelimproof
81.357 +%
81.358 +\isadelimproof
81.359 +%
81.360 +\endisadelimproof
81.361 +%
81.362 +\isatagproof
81.363 +%
81.364 +\begin{isamarkuptxt}%
81.365 +The proof script is virtually identical,
81.366 +but the subgoal after applying induction may be surprising:
81.367 +\begin{isabelle}%
81.368 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ args\ f{\isaliteral{2E}{\isachardot}}\isanewline
81.369 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}args\isanewline
81.370 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}}{\isaliteral{5C3C696E3E}{\isasymin}}\ lists\isanewline
81.371 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C696E3E}{\isasymin}}\ \ }{\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\isanewline
81.372 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C696E3E}{\isasymin}}\ \ {\isaliteral{28}{\isacharparenleft}}}{\isaliteral{7B}{\isacharbraceleft}}a{\isaliteral{2E}{\isachardot}}\ a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
81.373 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
81.374 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity%
81.375 +\end{isabelle}
81.376 +The induction hypothesis contains an application of \isa{lists}. Using a
81.377 +monotone function in the inductive definition always has this effect. The
81.378 +subgoal may look uninviting, but fortunately
81.379 +\isa{lists} distributes over intersection:
81.380 +\begin{isabelle}%
81.381 +lists\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ lists\ A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ lists\ B\rulename{lists{\isaliteral{5F}{\isacharunderscore}}Int{\isaliteral{5F}{\isacharunderscore}}eq}%
81.382 +\end{isabelle}
81.383 +Thanks to this default simplification rule, the induction hypothesis
81.384 +is quickly replaced by its two parts:
81.385 +\begin{trivlist}
81.386 +\item \isa{args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{29}{\isacharparenright}}}
81.387 +\item \isa{args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{29}{\isacharparenright}}}
81.388 +\end{trivlist}
81.389 +Invoking the rule \isa{well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{2E}{\isachardot}}step} completes the proof. The
81.390 +call to \isa{auto} does all this work.
81.391 +
81.392 +This example is typical of how monotone functions
81.393 +\index{monotone functions} can be used. In particular, many of them
81.394 +distribute over intersection. Monotonicity implies one direction of
81.395 +this set equality; we have this theorem:
81.396 +\begin{isabelle}%
81.397 +mono\ f\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ f\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ f\ A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ f\ B\rulename{mono{\isaliteral{5F}{\isacharunderscore}}Int}%
81.398 +\end{isabelle}%
81.399 +\end{isamarkuptxt}%
81.400 +\isamarkuptrue%
81.401 +%
81.402 +\endisatagproof
81.403 +{\isafoldproof}%
81.404 +%
81.405 +\isadelimproof
81.406 +%
81.407 +\endisadelimproof
81.408 +%
81.409 +\isamarkupsubsection{Another Example of Rule Inversion%
81.410 +}
81.411 +\isamarkuptrue%
81.412 +%
81.413 +\begin{isamarkuptext}%
81.414 +\index{rule inversion|(}%
81.415 +Does \isa{gterms} distribute over intersection? We have proved that this
81.416 +function is monotone, so \isa{mono{\isaliteral{5F}{\isacharunderscore}}Int} gives one of the inclusions. The
81.417 +opposite inclusion asserts that if \isa{t} is a ground term over both of the
81.418 +sets
81.419 +\isa{F} and~\isa{G} then it is also a ground term over their intersection,
81.420 +\isa{F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G}.%
81.421 +\end{isamarkuptext}%
81.422 +\isamarkuptrue%
81.423 +\isacommand{lemma}\isamarkupfalse%
81.424 +\ gterms{\isaliteral{5F}{\isacharunderscore}}IntI{\isaliteral{3A}{\isacharcolon}}\isanewline
81.425 +\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F{\isaliteral{5C3C696E7465723E}{\isasyminter}}G{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
81.426 +\isadelimproof
81.427 +%
81.428 +\endisadelimproof
81.429 +%
81.430 +\isatagproof
81.431 +%
81.432 +\endisatagproof
81.433 +{\isafoldproof}%
81.434 +%
81.435 +\isadelimproof
81.436 +%
81.437 +\endisadelimproof
81.438 +%
81.439 +\begin{isamarkuptext}%
81.440 +Attempting this proof, we get the assumption
81.441 +\isa{Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G}, which cannot be broken down.
81.442 +It looks like a job for rule inversion:\cmmdx{inductive\protect\_cases}%
81.443 +\end{isamarkuptext}%
81.444 +\isamarkuptrue%
81.445 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}cases}\isamarkupfalse%
81.446 +\ gterm{\isaliteral{5F}{\isacharunderscore}}Apply{\isaliteral{5F}{\isacharunderscore}}elim\ {\isaliteral{5B}{\isacharbrackleft}}elim{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{22}{\isachardoublequoteclose}}%
81.447 +\begin{isamarkuptext}%
81.448 +Here is the result.
81.449 +\begin{isabelle}%
81.450 +{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{3B}{\isacharsemicolon}}\isanewline
81.451 +\isaindent{\ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{3B}{\isacharsemicolon}}\ f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
81.452 +{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\rulename{gterm{\isaliteral{5F}{\isacharunderscore}}Apply{\isaliteral{5F}{\isacharunderscore}}elim}%
81.453 +\end{isabelle}
81.454 +This rule replaces an assumption about \isa{Apply\ f\ args} by
81.455 +assumptions about \isa{f} and~\isa{args}.
81.456 +No cases are discarded (there was only one to begin
81.457 +with) but the rule applies specifically to the pattern \isa{Apply\ f\ args}.
81.458 +It can be applied repeatedly as an elimination rule without looping, so we
81.459 +have given the \isa{elim{\isaliteral{21}{\isacharbang}}} attribute.
81.460 +
81.461 +Now we can prove the other half of that distributive law.%
81.462 +\end{isamarkuptext}%
81.463 +\isamarkuptrue%
81.464 +\isacommand{lemma}\isamarkupfalse%
81.465 +\ gterms{\isaliteral{5F}{\isacharunderscore}}IntI\ {\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{2C}{\isacharcomma}}\ intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
81.466 +\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F{\isaliteral{5C3C696E7465723E}{\isasyminter}}G{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.467 +%
81.468 +\isadelimproof
81.469 +%
81.470 +\endisadelimproof
81.471 +%
81.472 +\isatagproof
81.473 +\isacommand{apply}\isamarkupfalse%
81.474 +\ {\isaliteral{28}{\isacharparenleft}}erule\ gterms{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
81.475 +\isacommand{apply}\isamarkupfalse%
81.476 +\ blast\isanewline
81.477 +\isacommand{done}\isamarkupfalse%
81.478 +%
81.479 +\endisatagproof
81.480 +{\isafoldproof}%
81.481 +%
81.482 +\isadelimproof
81.483 +%
81.484 +\endisadelimproof
81.485 +%
81.486 +\isadelimproof
81.487 +%
81.488 +\endisadelimproof
81.489 +%
81.490 +\isatagproof
81.491 +%
81.492 +\begin{isamarkuptxt}%
81.493 +The proof begins with rule induction over the definition of
81.494 +\isa{gterms}, which leaves a single subgoal:
81.495 +\begin{isabelle}%
81.496 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}args\ f{\isaliteral{2E}{\isachardot}}\isanewline
81.497 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\isanewline
81.498 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ \ \ }t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
81.499 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
81.500 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
81.501 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}%
81.502 +\end{isabelle}
81.503 +To prove this, we assume \isa{Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G}. Rule inversion,
81.504 +in the form of \isa{gterm{\isaliteral{5F}{\isacharunderscore}}Apply{\isaliteral{5F}{\isacharunderscore}}elim}, infers
81.505 +that every element of \isa{args} belongs to
81.506 +\isa{gterms\ G}; hence (by the induction hypothesis) it belongs
81.507 +to \isa{gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}}. Rule inversion also yields
81.508 +\isa{f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ G} and hence \isa{f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G}.
81.509 +All of this reasoning is done by \isa{blast}.
81.510 +
81.511 +\smallskip
81.512 +Our distributive law is a trivial consequence of previously-proved results:%
81.513 +\end{isamarkuptxt}%
81.514 +\isamarkuptrue%
81.515 +%
81.516 +\endisatagproof
81.517 +{\isafoldproof}%
81.518 +%
81.519 +\isadelimproof
81.520 +%
81.521 +\endisadelimproof
81.522 +\isacommand{lemma}\isamarkupfalse%
81.523 +\ gterms{\isaliteral{5F}{\isacharunderscore}}Int{\isaliteral{5F}{\isacharunderscore}}eq\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
81.524 +\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ gterms\ F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ gterms\ G{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.525 +%
81.526 +\isadelimproof
81.527 +%
81.528 +\endisadelimproof
81.529 +%
81.530 +\isatagproof
81.531 +\isacommand{by}\isamarkupfalse%
81.532 +\ {\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{21}{\isacharbang}}{\isaliteral{3A}{\isacharcolon}}\ mono{\isaliteral{5F}{\isacharunderscore}}Int\ monoI\ gterms{\isaliteral{5F}{\isacharunderscore}}mono{\isaliteral{29}{\isacharparenright}}%
81.533 +\endisatagproof
81.534 +{\isafoldproof}%
81.535 +%
81.536 +\isadelimproof
81.537 +%
81.538 +\endisadelimproof
81.539 +%
81.540 +\index{rule inversion|)}%
81.541 +\index{ground terms example|)}
81.542 +
81.543 +
81.544 +\begin{isamarkuptext}
81.545 +\begin{exercise}
81.546 +A function mapping function symbols to their
81.547 +types is called a \textbf{signature}. Given a type
81.548 +ranging over type symbols, we can represent a function's type by a
81.549 +list of argument types paired with the result type.
81.550 +Complete this inductive definition:
81.551 +\begin{isabelle}
81.552 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
81.553 +\isanewline
81.554 +\ \ well{\isaliteral{5F}{\isacharunderscore}}typed{\isaliteral{5F}{\isacharunderscore}}gterm\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}t\ list\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ gterm\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}t{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
81.555 +\ \ \isakeyword{for}\ sig\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}t\ list\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}t{\isaliteral{22}{\isachardoublequoteclose}}%
81.556 +\end{isabelle}
81.557 +\end{exercise}
81.558 +\end{isamarkuptext}
81.559 +%
81.560 +\isadelimproof
81.561 +%
81.562 +\endisadelimproof
81.563 +%
81.564 +\isatagproof
81.565 +%
81.566 +\endisatagproof
81.567 +{\isafoldproof}%
81.568 +%
81.569 +\isadelimproof
81.570 +%
81.571 +\endisadelimproof
81.572 +%
81.573 +\isadelimproof
81.574 +%
81.575 +\endisadelimproof
81.576 +%
81.577 +\isatagproof
81.578 +%
81.579 +\endisatagproof
81.580 +{\isafoldproof}%
81.581 +%
81.582 +\isadelimproof
81.583 +%
81.584 +\endisadelimproof
81.585 +%
81.586 +\isadelimtheory
81.587 +%
81.588 +\endisadelimtheory
81.589 +%
81.590 +\isatagtheory
81.591 +%
81.592 +\endisatagtheory
81.593 +{\isafoldtheory}%
81.594 +%
81.595 +\isadelimtheory
81.596 +%
81.597 +\endisadelimtheory
81.598 +\end{isabellebody}%
81.599 +%%% Local Variables:
81.600 +%%% mode: latex
81.601 +%%% TeX-master: "root"
81.602 +%%% End:
82.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
82.2 +++ b/doc-src/TutorialI/document/AdvancedInd.tex Thu Jul 26 19:59:06 2012 +0200
82.3 @@ -0,0 +1,436 @@
82.4 +%
82.5 +\begin{isabellebody}%
82.6 +\def\isabellecontext{AdvancedInd}%
82.7 +%
82.8 +\isadelimtheory
82.9 +%
82.10 +\endisadelimtheory
82.11 +%
82.12 +\isatagtheory
82.13 +%
82.14 +\endisatagtheory
82.15 +{\isafoldtheory}%
82.16 +%
82.17 +\isadelimtheory
82.18 +%
82.19 +\endisadelimtheory
82.20 +%
82.21 +\begin{isamarkuptext}%
82.22 +\noindent
82.23 +Now that we have learned about rules and logic, we take another look at the
82.24 +finer points of induction. We consider two questions: what to do if the
82.25 +proposition to be proved is not directly amenable to induction
82.26 +(\S\ref{sec:ind-var-in-prems}), and how to utilize (\S\ref{sec:complete-ind})
82.27 +and even derive (\S\ref{sec:derive-ind}) new induction schemas. We conclude
82.28 +with an extended example of induction (\S\ref{sec:CTL-revisited}).%
82.29 +\end{isamarkuptext}%
82.30 +\isamarkuptrue%
82.31 +%
82.32 +\isamarkupsubsection{Massaging the Proposition%
82.33 +}
82.34 +\isamarkuptrue%
82.35 +%
82.36 +\begin{isamarkuptext}%
82.37 +\label{sec:ind-var-in-prems}
82.38 +Often we have assumed that the theorem to be proved is already in a form
82.39 +that is amenable to induction, but sometimes it isn't.
82.40 +Here is an example.
82.41 +Since \isa{hd} and \isa{last} return the first and last element of a
82.42 +non-empty list, this lemma looks easy to prove:%
82.43 +\end{isamarkuptext}%
82.44 +\isamarkuptrue%
82.45 +\isacommand{lemma}\isamarkupfalse%
82.46 +\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ hd{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
82.47 +%
82.48 +\isadelimproof
82.49 +%
82.50 +\endisadelimproof
82.51 +%
82.52 +\isatagproof
82.53 +\isacommand{apply}\isamarkupfalse%
82.54 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
82.55 +\begin{isamarkuptxt}%
82.56 +\noindent
82.57 +But induction produces the warning
82.58 +\begin{quote}\tt
82.59 +Induction variable occurs also among premises!
82.60 +\end{quote}
82.61 +and leads to the base case
82.62 +\begin{isabelle}%
82.63 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ hd\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
82.64 +\end{isabelle}
82.65 +Simplification reduces the base case to this:
82.66 +\begin{isabelle}
82.67 +\ 1.\ xs\ {\isasymnoteq}\ []\ {\isasymLongrightarrow}\ hd\ []\ =\ last\ []
82.68 +\end{isabelle}
82.69 +We cannot prove this equality because we do not know what \isa{hd} and
82.70 +\isa{last} return when applied to \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}.
82.71 +
82.72 +We should not have ignored the warning. Because the induction
82.73 +formula is only the conclusion, induction does not affect the occurrence of \isa{xs} in the premises.
82.74 +Thus the case that should have been trivial
82.75 +becomes unprovable. Fortunately, the solution is easy:\footnote{A similar
82.76 +heuristic applies to rule inductions; see \S\ref{sec:rtc}.}
82.77 +\begin{quote}
82.78 +\emph{Pull all occurrences of the induction variable into the conclusion
82.79 +using \isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}.}
82.80 +\end{quote}
82.81 +Thus we should state the lemma as an ordinary
82.82 +implication~(\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}), letting
82.83 +\attrdx{rule_format} (\S\ref{sec:forward}) convert the
82.84 +result to the usual \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}} form:%
82.85 +\end{isamarkuptxt}%
82.86 +\isamarkuptrue%
82.87 +%
82.88 +\endisatagproof
82.89 +{\isafoldproof}%
82.90 +%
82.91 +\isadelimproof
82.92 +%
82.93 +\endisadelimproof
82.94 +\isacommand{lemma}\isamarkupfalse%
82.95 +\ hd{\isaliteral{5F}{\isacharunderscore}}rev\ {\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ hd{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
82.96 +\isadelimproof
82.97 +%
82.98 +\endisadelimproof
82.99 +%
82.100 +\isatagproof
82.101 +%
82.102 +\begin{isamarkuptxt}%
82.103 +\noindent
82.104 +This time, induction leaves us with a trivial base case:
82.105 +\begin{isabelle}%
82.106 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ hd\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
82.107 +\end{isabelle}
82.108 +And \isa{auto} completes the proof.
82.109 +
82.110 +If there are multiple premises $A@1$, \dots, $A@n$ containing the
82.111 +induction variable, you should turn the conclusion $C$ into
82.112 +\[ A@1 \longrightarrow \cdots A@n \longrightarrow C. \]
82.113 +Additionally, you may also have to universally quantify some other variables,
82.114 +which can yield a fairly complex conclusion. However, \isa{rule{\isaliteral{5F}{\isacharunderscore}}format}
82.115 +can remove any number of occurrences of \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}} and
82.116 +\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}.
82.117 +
82.118 +\index{induction!on a term}%
82.119 +A second reason why your proposition may not be amenable to induction is that
82.120 +you want to induct on a complex term, rather than a variable. In
82.121 +general, induction on a term~$t$ requires rephrasing the conclusion~$C$
82.122 +as
82.123 +\begin{equation}\label{eqn:ind-over-term}
82.124 +\forall y@1 \dots y@n.~ x = t \longrightarrow C.
82.125 +\end{equation}
82.126 +where $y@1 \dots y@n$ are the free variables in $t$ and $x$ is a new variable.
82.127 +Now you can perform induction on~$x$. An example appears in
82.128 +\S\ref{sec:complete-ind} below.
82.129 +
82.130 +The very same problem may occur in connection with rule induction. Remember
82.131 +that it requires a premise of the form $(x@1,\dots,x@k) \in R$, where $R$ is
82.132 +some inductively defined set and the $x@i$ are variables. If instead we have
82.133 +a premise $t \in R$, where $t$ is not just an $n$-tuple of variables, we
82.134 +replace it with $(x@1,\dots,x@k) \in R$, and rephrase the conclusion $C$ as
82.135 +\[ \forall y@1 \dots y@n.~ (x@1,\dots,x@k) = t \longrightarrow C. \]
82.136 +For an example see \S\ref{sec:CTL-revisited} below.
82.137 +
82.138 +Of course, all premises that share free variables with $t$ need to be pulled into
82.139 +the conclusion as well, under the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}}, again using \isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}} as shown above.
82.140 +
82.141 +Readers who are puzzled by the form of statement
82.142 +(\ref{eqn:ind-over-term}) above should remember that the
82.143 +transformation is only performed to permit induction. Once induction
82.144 +has been applied, the statement can be transformed back into something quite
82.145 +intuitive. For example, applying wellfounded induction on $x$ (w.r.t.\
82.146 +$\prec$) to (\ref{eqn:ind-over-term}) and transforming the result a
82.147 +little leads to the goal
82.148 +\[ \bigwedge\overline{y}.\
82.149 + \forall \overline{z}.\ t\,\overline{z} \prec t\,\overline{y}\ \longrightarrow\ C\,\overline{z}
82.150 + \ \Longrightarrow\ C\,\overline{y} \]
82.151 +where $\overline{y}$ stands for $y@1 \dots y@n$ and the dependence of $t$ and
82.152 +$C$ on the free variables of $t$ has been made explicit.
82.153 +Unfortunately, this induction schema cannot be expressed as a
82.154 +single theorem because it depends on the number of free variables in $t$ ---
82.155 +the notation $\overline{y}$ is merely an informal device.%
82.156 +\end{isamarkuptxt}%
82.157 +\isamarkuptrue%
82.158 +%
82.159 +\endisatagproof
82.160 +{\isafoldproof}%
82.161 +%
82.162 +\isadelimproof
82.163 +%
82.164 +\endisadelimproof
82.165 +%
82.166 +\isamarkupsubsection{Beyond Structural and Recursion Induction%
82.167 +}
82.168 +\isamarkuptrue%
82.169 +%
82.170 +\begin{isamarkuptext}%
82.171 +\label{sec:complete-ind}
82.172 +So far, inductive proofs were by structural induction for
82.173 +primitive recursive functions and recursion induction for total recursive
82.174 +functions. But sometimes structural induction is awkward and there is no
82.175 +recursive function that could furnish a more appropriate
82.176 +induction schema. In such cases a general-purpose induction schema can
82.177 +be helpful. We show how to apply such induction schemas by an example.
82.178 +
82.179 +Structural induction on \isa{nat} is
82.180 +usually known as mathematical induction. There is also \textbf{complete}
82.181 +\index{induction!complete}%
82.182 +induction, where you prove $P(n)$ under the assumption that $P(m)$
82.183 +holds for all $m<n$. In Isabelle, this is the theorem \tdx{nat_less_induct}:
82.184 +\begin{isabelle}%
82.185 +\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n%
82.186 +\end{isabelle}
82.187 +As an application, we prove a property of the following
82.188 +function:%
82.189 +\end{isamarkuptext}%
82.190 +\isamarkuptrue%
82.191 +\isacommand{consts}\isamarkupfalse%
82.192 +\ f\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
82.193 +\isacommand{axioms}\isamarkupfalse%
82.194 +\ f{\isaliteral{5F}{\isacharunderscore}}ax{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}f{\isaliteral{28}{\isacharparenleft}}f{\isaliteral{28}{\isacharparenleft}}n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ f{\isaliteral{28}{\isacharparenleft}}Suc{\isaliteral{28}{\isacharparenleft}}n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
82.195 +\begin{isamarkuptext}%
82.196 +\begin{warn}
82.197 +We discourage the use of axioms because of the danger of
82.198 +inconsistencies. Axiom \isa{f{\isaliteral{5F}{\isacharunderscore}}ax} does
82.199 +not introduce an inconsistency because, for example, the identity function
82.200 +satisfies it. Axioms can be useful in exploratory developments, say when
82.201 +you assume some well-known theorems so that you can quickly demonstrate some
82.202 +point about methodology. If your example turns into a substantial proof
82.203 +development, you should replace axioms by theorems.
82.204 +\end{warn}\noindent
82.205 +The axiom for \isa{f} implies \isa{n\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ n}, which can
82.206 +be proved by induction on \mbox{\isa{f\ n}}. Following the recipe outlined
82.207 +above, we have to phrase the proposition as follows to allow induction:%
82.208 +\end{isamarkuptext}%
82.209 +\isamarkuptrue%
82.210 +\isacommand{lemma}\isamarkupfalse%
82.211 +\ f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ k\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i{\isaliteral{22}{\isachardoublequoteclose}}%
82.212 +\isadelimproof
82.213 +%
82.214 +\endisadelimproof
82.215 +%
82.216 +\isatagproof
82.217 +%
82.218 +\begin{isamarkuptxt}%
82.219 +\noindent
82.220 +To perform induction on \isa{k} using \isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct}, we use
82.221 +the same general induction method as for recursion induction (see
82.222 +\S\ref{sec:fun-induction}):%
82.223 +\end{isamarkuptxt}%
82.224 +\isamarkuptrue%
82.225 +\isacommand{apply}\isamarkupfalse%
82.226 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ k\ rule{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}%
82.227 +\begin{isamarkuptxt}%
82.228 +\noindent
82.229 +We get the following proof state:
82.230 +\begin{isabelle}%
82.231 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ m\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ n\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i%
82.232 +\end{isabelle}
82.233 +After stripping the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i}, the proof continues with a case
82.234 +distinction on \isa{i}. The case \isa{i\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}} is trivial and we focus on
82.235 +the other case:%
82.236 +\end{isamarkuptxt}%
82.237 +\isamarkuptrue%
82.238 +\isacommand{apply}\isamarkupfalse%
82.239 +{\isaliteral{28}{\isacharparenleft}}rule\ allI{\isaliteral{29}{\isacharparenright}}\isanewline
82.240 +\isacommand{apply}\isamarkupfalse%
82.241 +{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ i{\isaliteral{29}{\isacharparenright}}\isanewline
82.242 +\ \isacommand{apply}\isamarkupfalse%
82.243 +{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
82.244 +\begin{isamarkuptxt}%
82.245 +\begin{isabelle}%
82.246 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n\ i\ nat{\isaliteral{2E}{\isachardot}}\isanewline
82.247 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ m\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i{\isaliteral{3B}{\isacharsemicolon}}\ i\ {\isaliteral{3D}{\isacharequal}}\ Suc\ nat{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i%
82.248 +\end{isabelle}%
82.249 +\end{isamarkuptxt}%
82.250 +\isamarkuptrue%
82.251 +\isacommand{by}\isamarkupfalse%
82.252 +{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{21}{\isacharbang}}{\isaliteral{3A}{\isacharcolon}}\ f{\isaliteral{5F}{\isacharunderscore}}ax\ Suc{\isaliteral{5F}{\isacharunderscore}}leI\ intro{\isaliteral{3A}{\isacharcolon}}\ le{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{29}{\isacharparenright}}%
82.253 +\endisatagproof
82.254 +{\isafoldproof}%
82.255 +%
82.256 +\isadelimproof
82.257 +%
82.258 +\endisadelimproof
82.259 +%
82.260 +\begin{isamarkuptext}%
82.261 +\noindent
82.262 +If you find the last step puzzling, here are the two lemmas it employs:
82.263 +\begin{isabelle}
82.264 +\isa{m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ m\ {\isaliteral{5C3C6C653E}{\isasymle}}\ n}
82.265 +\rulename{Suc_leI}\isanewline
82.266 +\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{5C3C6C653E}{\isasymle}}\ y{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{3C}{\isacharless}}\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ x\ {\isaliteral{3C}{\isacharless}}\ z}
82.267 +\rulename{le_less_trans}
82.268 +\end{isabelle}
82.269 +%
82.270 +The proof goes like this (writing \isa{j} instead of \isa{nat}).
82.271 +Since \isa{i\ {\isaliteral{3D}{\isacharequal}}\ Suc\ j} it suffices to show
82.272 +\hbox{\isa{j\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}}},
82.273 +by \isa{Suc{\isaliteral{5F}{\isacharunderscore}}leI}\@. This is
82.274 +proved as follows. From \isa{f{\isaliteral{5F}{\isacharunderscore}}ax} we have \isa{f\ {\isaliteral{28}{\isacharparenleft}}f\ j{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}}
82.275 +(1) which implies \isa{f\ j\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ {\isaliteral{28}{\isacharparenleft}}f\ j{\isaliteral{29}{\isacharparenright}}} by the induction hypothesis.
82.276 +Using (1) once more we obtain \isa{f\ j\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}} (2) by the transitivity
82.277 +rule \isa{le{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}trans}.
82.278 +Using the induction hypothesis once more we obtain \isa{j\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ j}
82.279 +which, together with (2) yields \isa{j\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}} (again by
82.280 +\isa{le{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}trans}).
82.281 +
82.282 +This last step shows both the power and the danger of automatic proofs. They
82.283 +will usually not tell you how the proof goes, because it can be hard to
82.284 +translate the internal proof into a human-readable format. Automatic
82.285 +proofs are easy to write but hard to read and understand.
82.286 +
82.287 +The desired result, \isa{i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i}, follows from \isa{f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5F}{\isacharunderscore}}lem}:%
82.288 +\end{isamarkuptext}%
82.289 +\isamarkuptrue%
82.290 +\isacommand{lemmas}\isamarkupfalse%
82.291 +\ f{\isaliteral{5F}{\isacharunderscore}}incr\ {\isaliteral{3D}{\isacharequal}}\ f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{2C}{\isacharcomma}}\ OF\ refl{\isaliteral{5D}{\isacharbrackright}}%
82.292 +\begin{isamarkuptext}%
82.293 +\noindent
82.294 +The final \isa{refl} gets rid of the premise \isa{{\isaliteral{3F}{\isacharquery}}k\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{3F}{\isacharquery}}i}.
82.295 +We could have included this derivation in the original statement of the lemma:%
82.296 +\end{isamarkuptext}%
82.297 +\isamarkuptrue%
82.298 +\isacommand{lemma}\isamarkupfalse%
82.299 +\ f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{2C}{\isacharcomma}}\ OF\ refl{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ k\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i{\isaliteral{22}{\isachardoublequoteclose}}%
82.300 +\isadelimproof
82.301 +%
82.302 +\endisadelimproof
82.303 +%
82.304 +\isatagproof
82.305 +%
82.306 +\endisatagproof
82.307 +{\isafoldproof}%
82.308 +%
82.309 +\isadelimproof
82.310 +%
82.311 +\endisadelimproof
82.312 +%
82.313 +\begin{isamarkuptext}%
82.314 +\begin{exercise}
82.315 +From the axiom and lemma for \isa{f}, show that \isa{f} is the
82.316 +identity function.
82.317 +\end{exercise}
82.318 +
82.319 +Method \methdx{induct_tac} can be applied with any rule $r$
82.320 +whose conclusion is of the form ${?}P~?x@1 \dots ?x@n$, in which case the
82.321 +format is
82.322 +\begin{quote}
82.323 +\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac} $y@1 \dots y@n$ \isa{rule{\isaliteral{3A}{\isacharcolon}}} $r$\isa{{\isaliteral{29}{\isacharparenright}}}
82.324 +\end{quote}
82.325 +where $y@1, \dots, y@n$ are variables in the conclusion of the first subgoal.
82.326 +
82.327 +A further useful induction rule is \isa{length{\isaliteral{5F}{\isacharunderscore}}induct},
82.328 +induction on the length of a list\indexbold{*length_induct}
82.329 +\begin{isabelle}%
82.330 +\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}xs{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}ys{\isaliteral{2E}{\isachardot}}\ length\ ys\ {\isaliteral{3C}{\isacharless}}\ length\ xs\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ ys\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ xs%
82.331 +\end{isabelle}
82.332 +which is a special case of \isa{measure{\isaliteral{5F}{\isacharunderscore}}induct}
82.333 +\begin{isabelle}%
82.334 +\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ f\ y\ {\isaliteral{3C}{\isacharless}}\ f\ x\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ y\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ a%
82.335 +\end{isabelle}
82.336 +where \isa{f} may be any function into type \isa{nat}.%
82.337 +\end{isamarkuptext}%
82.338 +\isamarkuptrue%
82.339 +%
82.340 +\isamarkupsubsection{Derivation of New Induction Schemas%
82.341 +}
82.342 +\isamarkuptrue%
82.343 +%
82.344 +\begin{isamarkuptext}%
82.345 +\label{sec:derive-ind}
82.346 +\index{induction!deriving new schemas}%
82.347 +Induction schemas are ordinary theorems and you can derive new ones
82.348 +whenever you wish. This section shows you how, using the example
82.349 +of \isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct}. Assume we only have structural induction
82.350 +available for \isa{nat} and want to derive complete induction. We
82.351 +must generalize the statement as shown:%
82.352 +\end{isamarkuptext}%
82.353 +\isamarkuptrue%
82.354 +\isacommand{lemma}\isamarkupfalse%
82.355 +\ induct{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
82.356 +%
82.357 +\isadelimproof
82.358 +%
82.359 +\endisadelimproof
82.360 +%
82.361 +\isatagproof
82.362 +\isacommand{apply}\isamarkupfalse%
82.363 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isaliteral{29}{\isacharparenright}}%
82.364 +\begin{isamarkuptxt}%
82.365 +\noindent
82.366 +The base case is vacuously true. For the induction step (\isa{m\ {\isaliteral{3C}{\isacharless}}\ Suc\ n}) we distinguish two cases: case \isa{m\ {\isaliteral{3C}{\isacharless}}\ n} is true by induction
82.367 +hypothesis and case \isa{m\ {\isaliteral{3D}{\isacharequal}}\ n} follows from the assumption, again using
82.368 +the induction hypothesis:%
82.369 +\end{isamarkuptxt}%
82.370 +\isamarkuptrue%
82.371 +\ \isacommand{apply}\isamarkupfalse%
82.372 +{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
82.373 +\isacommand{by}\isamarkupfalse%
82.374 +{\isaliteral{28}{\isacharparenleft}}blast\ elim{\isaliteral{3A}{\isacharcolon}}\ less{\isaliteral{5F}{\isacharunderscore}}SucE{\isaliteral{29}{\isacharparenright}}%
82.375 +\endisatagproof
82.376 +{\isafoldproof}%
82.377 +%
82.378 +\isadelimproof
82.379 +%
82.380 +\endisadelimproof
82.381 +%
82.382 +\begin{isamarkuptext}%
82.383 +\noindent
82.384 +The elimination rule \isa{less{\isaliteral{5F}{\isacharunderscore}}SucE} expresses the case distinction:
82.385 +\begin{isabelle}%
82.386 +\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}m\ {\isaliteral{3C}{\isacharless}}\ Suc\ n{\isaliteral{3B}{\isacharsemicolon}}\ m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{3B}{\isacharsemicolon}}\ m\ {\isaliteral{3D}{\isacharequal}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P%
82.387 +\end{isabelle}
82.388 +
82.389 +Now it is straightforward to derive the original version of
82.390 +\isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct} by manipulating the conclusion of the above
82.391 +lemma: instantiate \isa{n} by \isa{Suc\ n} and \isa{m} by \isa{n}
82.392 +and remove the trivial condition \isa{n\ {\isaliteral{3C}{\isacharless}}\ Suc\ n}. Fortunately, this
82.393 +happens automatically when we add the lemma as a new premise to the
82.394 +desired goal:%
82.395 +\end{isamarkuptext}%
82.396 +\isamarkuptrue%
82.397 +\isacommand{theorem}\isamarkupfalse%
82.398 +\ nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
82.399 +%
82.400 +\isadelimproof
82.401 +%
82.402 +\endisadelimproof
82.403 +%
82.404 +\isatagproof
82.405 +\isacommand{by}\isamarkupfalse%
82.406 +{\isaliteral{28}{\isacharparenleft}}insert\ induct{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{2C}{\isacharcomma}}\ blast{\isaliteral{29}{\isacharparenright}}%
82.407 +\endisatagproof
82.408 +{\isafoldproof}%
82.409 +%
82.410 +\isadelimproof
82.411 +%
82.412 +\endisadelimproof
82.413 +%
82.414 +\begin{isamarkuptext}%
82.415 +HOL already provides the mother of
82.416 +all inductions, well-founded induction (see \S\ref{sec:Well-founded}). For
82.417 +example theorem \isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct} is
82.418 +a special case of \isa{wf{\isaliteral{5F}{\isacharunderscore}}induct} where \isa{r} is \isa{{\isaliteral{3C}{\isacharless}}} on
82.419 +\isa{nat}. The details can be found in theory \isa{Wellfounded_Recursion}.%
82.420 +\end{isamarkuptext}%
82.421 +\isamarkuptrue%
82.422 +%
82.423 +\isadelimtheory
82.424 +%
82.425 +\endisadelimtheory
82.426 +%
82.427 +\isatagtheory
82.428 +%
82.429 +\endisatagtheory
82.430 +{\isafoldtheory}%
82.431 +%
82.432 +\isadelimtheory
82.433 +%
82.434 +\endisadelimtheory
82.435 +\end{isabellebody}%
82.436 +%%% Local Variables:
82.437 +%%% mode: latex
82.438 +%%% TeX-master: "root"
82.439 +%%% End:
83.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
83.2 +++ b/doc-src/TutorialI/document/Axioms.tex Thu Jul 26 19:59:06 2012 +0200
83.3 @@ -0,0 +1,487 @@
83.4 +%
83.5 +\begin{isabellebody}%
83.6 +\def\isabellecontext{Axioms}%
83.7 +%
83.8 +\isadelimtheory
83.9 +%
83.10 +\endisadelimtheory
83.11 +%
83.12 +\isatagtheory
83.13 +%
83.14 +\endisatagtheory
83.15 +{\isafoldtheory}%
83.16 +%
83.17 +\isadelimtheory
83.18 +%
83.19 +\endisadelimtheory
83.20 +%
83.21 +\isamarkupsubsection{Axioms%
83.22 +}
83.23 +\isamarkuptrue%
83.24 +%
83.25 +\begin{isamarkuptext}%
83.26 +Attaching axioms to our classes lets us reason on the level of
83.27 +classes. The results will be applicable to all types in a class, just
83.28 +as in axiomatic mathematics.
83.29 +
83.30 +\begin{warn}
83.31 +Proofs in this section use structured \emph{Isar} proofs, which are not
83.32 +covered in this tutorial; but see \cite{Nipkow-TYPES02}.%
83.33 +\end{warn}%
83.34 +\end{isamarkuptext}%
83.35 +\isamarkuptrue%
83.36 +%
83.37 +\isamarkupsubsubsection{Semigroups%
83.38 +}
83.39 +\isamarkuptrue%
83.40 +%
83.41 +\begin{isamarkuptext}%
83.42 +We specify \emph{semigroups} as subclass of \isa{plus}:%
83.43 +\end{isamarkuptext}%
83.44 +\isamarkuptrue%
83.45 +\isacommand{class}\isamarkupfalse%
83.46 +\ semigroup\ {\isaliteral{3D}{\isacharequal}}\ plus\ {\isaliteral{2B}{\isacharplus}}\isanewline
83.47 +\ \ \isakeyword{assumes}\ assoc{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
83.48 +\begin{isamarkuptext}%
83.49 +\noindent This \hyperlink{command.class}{\mbox{\isa{\isacommand{class}}}} specification requires that
83.50 +all instances of \isa{semigroup} obey \hyperlink{fact.assoc:}{\mbox{\isa{assoc{\isaliteral{3A}{\isacharcolon}}}}}~\isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{5C3C416E643E}{\isasymAnd}}x\ y\ z\ {\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}}.
83.51 +
83.52 +We can use this class axiom to derive further abstract theorems
83.53 +relative to class \isa{semigroup}:%
83.54 +\end{isamarkuptext}%
83.55 +\isamarkuptrue%
83.56 +\isacommand{lemma}\isamarkupfalse%
83.57 +\ assoc{\isaliteral{5F}{\isacharunderscore}}left{\isaliteral{3A}{\isacharcolon}}\isanewline
83.58 +\ \ \isakeyword{fixes}\ x\ y\ z\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.59 +\ \ \isakeyword{shows}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.60 +%
83.61 +\isadelimproof
83.62 +\ \ %
83.63 +\endisadelimproof
83.64 +%
83.65 +\isatagproof
83.66 +\isacommand{using}\isamarkupfalse%
83.67 +\ assoc\ \isacommand{by}\isamarkupfalse%
83.68 +\ {\isaliteral{28}{\isacharparenleft}}rule\ sym{\isaliteral{29}{\isacharparenright}}%
83.69 +\endisatagproof
83.70 +{\isafoldproof}%
83.71 +%
83.72 +\isadelimproof
83.73 +%
83.74 +\endisadelimproof
83.75 +%
83.76 +\begin{isamarkuptext}%
83.77 +\noindent The \isa{semigroup} constraint on type \isa{{\isaliteral{27}{\isacharprime}}a} restricts instantiations of \isa{{\isaliteral{27}{\isacharprime}}a} to types of class
83.78 +\isa{semigroup} and during the proof enables us to use the fact
83.79 +\hyperlink{fact.assoc}{\mbox{\isa{assoc}}} whose type parameter is itself constrained to class
83.80 +\isa{semigroup}. The main advantage of classes is that theorems
83.81 +can be proved in the abstract and freely reused for each instance.
83.82 +
83.83 +On instantiation, we have to give a proof that the given operations
83.84 +obey the class axioms:%
83.85 +\end{isamarkuptext}%
83.86 +\isamarkuptrue%
83.87 +\isacommand{instantiation}\isamarkupfalse%
83.88 +\ nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ semigroup\isanewline
83.89 +\isakeyword{begin}\isanewline
83.90 +\isanewline
83.91 +\isacommand{instance}\isamarkupfalse%
83.92 +%
83.93 +\isadelimproof
83.94 +\ %
83.95 +\endisadelimproof
83.96 +%
83.97 +\isatagproof
83.98 +\isacommand{proof}\isamarkupfalse%
83.99 +%
83.100 +\begin{isamarkuptxt}%
83.101 +\noindent The proof opens with a default proof step, which for
83.102 +instance judgements invokes method \hyperlink{method.intro-classes}{\mbox{\isa{intro{\isaliteral{5F}{\isacharunderscore}}classes}}}.%
83.103 +\end{isamarkuptxt}%
83.104 +\isamarkuptrue%
83.105 +\ \ \isacommand{fix}\isamarkupfalse%
83.106 +\ m\ n\ q\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ nat\isanewline
83.107 +\ \ \isacommand{show}\isamarkupfalse%
83.108 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ q\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ q{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.109 +\ \ \ \ \isacommand{by}\isamarkupfalse%
83.110 +\ {\isaliteral{28}{\isacharparenleft}}induct\ m{\isaliteral{29}{\isacharparenright}}\ simp{\isaliteral{5F}{\isacharunderscore}}all\isanewline
83.111 +\isacommand{qed}\isamarkupfalse%
83.112 +%
83.113 +\endisatagproof
83.114 +{\isafoldproof}%
83.115 +%
83.116 +\isadelimproof
83.117 +%
83.118 +\endisadelimproof
83.119 +\isanewline
83.120 +\isanewline
83.121 +\isacommand{end}\isamarkupfalse%
83.122 +%
83.123 +\begin{isamarkuptext}%
83.124 +\noindent Again, the interesting things enter the stage with
83.125 +parametric types:%
83.126 +\end{isamarkuptext}%
83.127 +\isamarkuptrue%
83.128 +\isacommand{instantiation}\isamarkupfalse%
83.129 +\ prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{28}{\isacharparenleft}}semigroup{\isaliteral{2C}{\isacharcomma}}\ semigroup{\isaliteral{29}{\isacharparenright}}\ semigroup\isanewline
83.130 +\isakeyword{begin}\isanewline
83.131 +\isanewline
83.132 +\isacommand{instance}\isamarkupfalse%
83.133 +%
83.134 +\isadelimproof
83.135 +\ %
83.136 +\endisadelimproof
83.137 +%
83.138 +\isatagproof
83.139 +\isacommand{proof}\isamarkupfalse%
83.140 +\isanewline
83.141 +\ \ \isacommand{fix}\isamarkupfalse%
83.142 +\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.143 +\ \ \isacommand{show}\isamarkupfalse%
83.144 +\ {\isaliteral{22}{\isachardoublequoteopen}}p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}\ {\isaliteral{3D}{\isacharequal}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.145 +\ \ \ \ \isacommand{by}\isamarkupfalse%
83.146 +\ {\isaliteral{28}{\isacharparenleft}}cases\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ cases\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}{\isaliteral{2C}{\isacharcomma}}\ cases\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ assoc{\isaliteral{29}{\isacharparenright}}%
83.147 +\begin{isamarkuptxt}%
83.148 +\noindent Associativity of product semigroups is established
83.149 +using the hypothetical associativity \hyperlink{fact.assoc}{\mbox{\isa{assoc}}} of the type
83.150 +components, which holds due to the \isa{semigroup} constraints
83.151 +imposed on the type components by the \hyperlink{command.instance}{\mbox{\isa{\isacommand{instance}}}} proposition.
83.152 +Indeed, this pattern often occurs with parametric types and type
83.153 +classes.%
83.154 +\end{isamarkuptxt}%
83.155 +\isamarkuptrue%
83.156 +\isacommand{qed}\isamarkupfalse%
83.157 +%
83.158 +\endisatagproof
83.159 +{\isafoldproof}%
83.160 +%
83.161 +\isadelimproof
83.162 +%
83.163 +\endisadelimproof
83.164 +\isanewline
83.165 +\isanewline
83.166 +\isacommand{end}\isamarkupfalse%
83.167 +%
83.168 +\isamarkupsubsubsection{Monoids%
83.169 +}
83.170 +\isamarkuptrue%
83.171 +%
83.172 +\begin{isamarkuptext}%
83.173 +We define a subclass \isa{monoidl} (a semigroup with a
83.174 +left-hand neutral) by extending \isa{semigroup} with one additional
83.175 +parameter \isa{neutral} together with its property:%
83.176 +\end{isamarkuptext}%
83.177 +\isamarkuptrue%
83.178 +\isacommand{class}\isamarkupfalse%
83.179 +\ monoidl\ {\isaliteral{3D}{\isacharequal}}\ semigroup\ {\isaliteral{2B}{\isacharplus}}\isanewline
83.180 +\ \ \isakeyword{fixes}\ neutral\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
83.181 +\ \ \isakeyword{assumes}\ neutl{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}%
83.182 +\begin{isamarkuptext}%
83.183 +\noindent Again, we prove some instances, by providing
83.184 +suitable parameter definitions and proofs for the additional
83.185 +specifications.%
83.186 +\end{isamarkuptext}%
83.187 +\isamarkuptrue%
83.188 +\isacommand{instantiation}\isamarkupfalse%
83.189 +\ nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ monoidl\isanewline
83.190 +\isakeyword{begin}\isanewline
83.191 +\isanewline
83.192 +\isacommand{definition}\isamarkupfalse%
83.193 +\isanewline
83.194 +\ \ neutral{\isaliteral{5F}{\isacharunderscore}}nat{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.195 +\isanewline
83.196 +\isacommand{instance}\isamarkupfalse%
83.197 +%
83.198 +\isadelimproof
83.199 +\ %
83.200 +\endisadelimproof
83.201 +%
83.202 +\isatagproof
83.203 +\isacommand{proof}\isamarkupfalse%
83.204 +\isanewline
83.205 +\ \ \isacommand{fix}\isamarkupfalse%
83.206 +\ n\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ nat\isanewline
83.207 +\ \ \isacommand{show}\isamarkupfalse%
83.208 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.209 +\ \ \ \ \isacommand{unfolding}\isamarkupfalse%
83.210 +\ neutral{\isaliteral{5F}{\isacharunderscore}}nat{\isaliteral{5F}{\isacharunderscore}}def\ \isacommand{by}\isamarkupfalse%
83.211 +\ simp\isanewline
83.212 +\isacommand{qed}\isamarkupfalse%
83.213 +%
83.214 +\endisatagproof
83.215 +{\isafoldproof}%
83.216 +%
83.217 +\isadelimproof
83.218 +%
83.219 +\endisadelimproof
83.220 +\isanewline
83.221 +\isanewline
83.222 +\isacommand{end}\isamarkupfalse%
83.223 +%
83.224 +\begin{isamarkuptext}%
83.225 +\noindent In contrast to the examples above, we here have both
83.226 +specification of class operations and a non-trivial instance proof.
83.227 +
83.228 +This covers products as well:%
83.229 +\end{isamarkuptext}%
83.230 +\isamarkuptrue%
83.231 +\isacommand{instantiation}\isamarkupfalse%
83.232 +\ prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{28}{\isacharparenleft}}monoidl{\isaliteral{2C}{\isacharcomma}}\ monoidl{\isaliteral{29}{\isacharparenright}}\ monoidl\isanewline
83.233 +\isakeyword{begin}\isanewline
83.234 +\isanewline
83.235 +\isacommand{definition}\isamarkupfalse%
83.236 +\isanewline
83.237 +\ \ neutral{\isaliteral{5F}{\isacharunderscore}}prod{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.238 +\isanewline
83.239 +\isacommand{instance}\isamarkupfalse%
83.240 +%
83.241 +\isadelimproof
83.242 +\ %
83.243 +\endisadelimproof
83.244 +%
83.245 +\isatagproof
83.246 +\isacommand{proof}\isamarkupfalse%
83.247 +\isanewline
83.248 +\ \ \isacommand{fix}\isamarkupfalse%
83.249 +\ p\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}monoidl\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}monoidl{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.250 +\ \ \isacommand{show}\isamarkupfalse%
83.251 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.252 +\ \ \ \ \isacommand{by}\isamarkupfalse%
83.253 +\ {\isaliteral{28}{\isacharparenleft}}cases\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ neutral{\isaliteral{5F}{\isacharunderscore}}prod{\isaliteral{5F}{\isacharunderscore}}def\ neutl{\isaliteral{29}{\isacharparenright}}\isanewline
83.254 +\isacommand{qed}\isamarkupfalse%
83.255 +%
83.256 +\endisatagproof
83.257 +{\isafoldproof}%
83.258 +%
83.259 +\isadelimproof
83.260 +%
83.261 +\endisadelimproof
83.262 +\isanewline
83.263 +\isanewline
83.264 +\isacommand{end}\isamarkupfalse%
83.265 +%
83.266 +\begin{isamarkuptext}%
83.267 +\noindent Fully-fledged monoids are modelled by another
83.268 +subclass which does not add new parameters but tightens the
83.269 +specification:%
83.270 +\end{isamarkuptext}%
83.271 +\isamarkuptrue%
83.272 +\isacommand{class}\isamarkupfalse%
83.273 +\ monoid\ {\isaliteral{3D}{\isacharequal}}\ monoidl\ {\isaliteral{2B}{\isacharplus}}\isanewline
83.274 +\ \ \isakeyword{assumes}\ neutr{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}%
83.275 +\begin{isamarkuptext}%
83.276 +\noindent Corresponding instances for \isa{nat} and products
83.277 +are left as an exercise to the reader.%
83.278 +\end{isamarkuptext}%
83.279 +\isamarkuptrue%
83.280 +%
83.281 +\isamarkupsubsubsection{Groups%
83.282 +}
83.283 +\isamarkuptrue%
83.284 +%
83.285 +\begin{isamarkuptext}%
83.286 +\noindent To finish our small algebra example, we add a \isa{group} class:%
83.287 +\end{isamarkuptext}%
83.288 +\isamarkuptrue%
83.289 +\isacommand{class}\isamarkupfalse%
83.290 +\ group\ {\isaliteral{3D}{\isacharequal}}\ monoidl\ {\isaliteral{2B}{\isacharplus}}\isanewline
83.291 +\ \ \isakeyword{fixes}\ inv\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isadigit{8}}{\isadigit{1}}{\isaliteral{5D}{\isacharbrackright}}\ {\isadigit{8}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
83.292 +\ \ \isakeyword{assumes}\ invl{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{22}{\isachardoublequoteclose}}%
83.293 +\begin{isamarkuptext}%
83.294 +\noindent We continue with a further example for abstract
83.295 +proofs relative to type classes:%
83.296 +\end{isamarkuptext}%
83.297 +\isamarkuptrue%
83.298 +\isacommand{lemma}\isamarkupfalse%
83.299 +\ left{\isaliteral{5F}{\isacharunderscore}}cancel{\isaliteral{3A}{\isacharcolon}}\isanewline
83.300 +\ \ \isakeyword{fixes}\ x\ y\ z\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}group{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.301 +\ \ \isakeyword{shows}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z\ {\isaliteral{5C3C6C6F6E676C65667472696768746172726F773E}{\isasymlongleftrightarrow}}\ y\ {\isaliteral{3D}{\isacharequal}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.302 +%
83.303 +\isadelimproof
83.304 +%
83.305 +\endisadelimproof
83.306 +%
83.307 +\isatagproof
83.308 +\isacommand{proof}\isamarkupfalse%
83.309 +\isanewline
83.310 +\ \ \isacommand{assume}\isamarkupfalse%
83.311 +\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.312 +\ \ \isacommand{then}\isamarkupfalse%
83.313 +\ \isacommand{have}\isamarkupfalse%
83.314 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
83.315 +\ simp\isanewline
83.316 +\ \ \isacommand{then}\isamarkupfalse%
83.317 +\ \isacommand{have}\isamarkupfalse%
83.318 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
83.319 +\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ assoc{\isaliteral{29}{\isacharparenright}}\isanewline
83.320 +\ \ \isacommand{then}\isamarkupfalse%
83.321 +\ \isacommand{show}\isamarkupfalse%
83.322 +\ {\isaliteral{22}{\isachardoublequoteopen}}y\ {\isaliteral{3D}{\isacharequal}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
83.323 +\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ invl\ neutl{\isaliteral{29}{\isacharparenright}}\isanewline
83.324 +\isacommand{next}\isamarkupfalse%
83.325 +\isanewline
83.326 +\ \ \isacommand{assume}\isamarkupfalse%
83.327 +\ {\isaliteral{22}{\isachardoublequoteopen}}y\ {\isaliteral{3D}{\isacharequal}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.328 +\ \ \isacommand{then}\isamarkupfalse%
83.329 +\ \isacommand{show}\isamarkupfalse%
83.330 +\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
83.331 +\ simp\isanewline
83.332 +\isacommand{qed}\isamarkupfalse%
83.333 +%
83.334 +\endisatagproof
83.335 +{\isafoldproof}%
83.336 +%
83.337 +\isadelimproof
83.338 +%
83.339 +\endisadelimproof
83.340 +%
83.341 +\begin{isamarkuptext}%
83.342 +\noindent Any \isa{group} is also a \isa{monoid}; this
83.343 +can be made explicit by claiming an additional subclass relation,
83.344 +together with a proof of the logical difference:%
83.345 +\end{isamarkuptext}%
83.346 +\isamarkuptrue%
83.347 +\isacommand{instance}\isamarkupfalse%
83.348 +\ group\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ monoid\isanewline
83.349 +%
83.350 +\isadelimproof
83.351 +%
83.352 +\endisadelimproof
83.353 +%
83.354 +\isatagproof
83.355 +\isacommand{proof}\isamarkupfalse%
83.356 +\isanewline
83.357 +\ \ \isacommand{fix}\isamarkupfalse%
83.358 +\ x\isanewline
83.359 +\ \ \isacommand{from}\isamarkupfalse%
83.360 +\ invl\ \isacommand{have}\isamarkupfalse%
83.361 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
83.362 +\isanewline
83.363 +\ \ \isacommand{then}\isamarkupfalse%
83.364 +\ \isacommand{have}\isamarkupfalse%
83.365 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
83.366 +\ \ \ \ \isacommand{by}\isamarkupfalse%
83.367 +\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ neutl\ invl\ assoc\ {\isaliteral{5B}{\isacharbrackleft}}symmetric{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
83.368 +\ \ \isacommand{then}\isamarkupfalse%
83.369 +\ \isacommand{show}\isamarkupfalse%
83.370 +\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
83.371 +\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ left{\isaliteral{5F}{\isacharunderscore}}cancel{\isaliteral{29}{\isacharparenright}}\isanewline
83.372 +\isacommand{qed}\isamarkupfalse%
83.373 +%
83.374 +\endisatagproof
83.375 +{\isafoldproof}%
83.376 +%
83.377 +\isadelimproof
83.378 +%
83.379 +\endisadelimproof
83.380 +%
83.381 +\begin{isamarkuptext}%
83.382 +\noindent The proof result is propagated to the type system,
83.383 +making \isa{group} an instance of \isa{monoid} by adding an
83.384 +additional edge to the graph of subclass relation; see also
83.385 +Figure~\ref{fig:subclass}.
83.386 +
83.387 +\begin{figure}[htbp]
83.388 + \begin{center}
83.389 + \small
83.390 + \unitlength 0.6mm
83.391 + \begin{picture}(40,60)(0,0)
83.392 + \put(20,60){\makebox(0,0){\isa{semigroup}}}
83.393 + \put(20,40){\makebox(0,0){\isa{monoidl}}}
83.394 + \put(00,20){\makebox(0,0){\isa{monoid}}}
83.395 + \put(40,00){\makebox(0,0){\isa{group}}}
83.396 + \put(20,55){\vector(0,-1){10}}
83.397 + \put(15,35){\vector(-1,-1){10}}
83.398 + \put(25,35){\vector(1,-3){10}}
83.399 + \end{picture}
83.400 + \hspace{8em}
83.401 + \begin{picture}(40,60)(0,0)
83.402 + \put(20,60){\makebox(0,0){\isa{semigroup}}}
83.403 + \put(20,40){\makebox(0,0){\isa{monoidl}}}
83.404 + \put(00,20){\makebox(0,0){\isa{monoid}}}
83.405 + \put(40,00){\makebox(0,0){\isa{group}}}
83.406 + \put(20,55){\vector(0,-1){10}}
83.407 + \put(15,35){\vector(-1,-1){10}}
83.408 + \put(05,15){\vector(3,-1){30}}
83.409 + \end{picture}
83.410 + \caption{Subclass relationship of monoids and groups:
83.411 + before and after establishing the relationship
83.412 + \isa{group\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ monoid}; transitive edges are left out.}
83.413 + \label{fig:subclass}
83.414 + \end{center}
83.415 +\end{figure}%
83.416 +\end{isamarkuptext}%
83.417 +\isamarkuptrue%
83.418 +%
83.419 +\isamarkupsubsubsection{Inconsistencies%
83.420 +}
83.421 +\isamarkuptrue%
83.422 +%
83.423 +\begin{isamarkuptext}%
83.424 +The reader may be wondering what happens if we attach an
83.425 +inconsistent set of axioms to a class. So far we have always avoided
83.426 +to add new axioms to HOL for fear of inconsistencies and suddenly it
83.427 +seems that we are throwing all caution to the wind. So why is there no
83.428 +problem?
83.429 +
83.430 +The point is that by construction, all type variables in the axioms of
83.431 +a \isacommand{class} are automatically constrained with the class
83.432 +being defined (as shown for axiom \isa{refl} above). These
83.433 +constraints are always carried around and Isabelle takes care that
83.434 +they are never lost, unless the type variable is instantiated with a
83.435 +type that has been shown to belong to that class. Thus you may be able
83.436 +to prove \isa{False} from your axioms, but Isabelle will remind you
83.437 +that this theorem has the hidden hypothesis that the class is
83.438 +non-empty.
83.439 +
83.440 +Even if each individual class is consistent, intersections of
83.441 +(unrelated) classes readily become inconsistent in practice. Now we
83.442 +know this need not worry us.%
83.443 +\end{isamarkuptext}%
83.444 +\isamarkuptrue%
83.445 +%
83.446 +\isamarkupsubsubsection{Syntactic Classes and Predefined Overloading%
83.447 +}
83.448 +\isamarkuptrue%
83.449 +%
83.450 +\begin{isamarkuptext}%
83.451 +In our algebra example, we have started with a \emph{syntactic
83.452 +class} \isa{plus} which only specifies operations but no axioms; it
83.453 +would have been also possible to start immediately with class \isa{semigroup}, specifying the \isa{{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}} operation and associativity at
83.454 +the same time.
83.455 +
83.456 +Which approach is more appropriate depends. Usually it is more
83.457 +convenient to introduce operations and axioms in the same class: then
83.458 +the type checker will automatically insert the corresponding class
83.459 +constraints whenever the operations occur, reducing the need of manual
83.460 +annotations. However, when operations are decorated with popular
83.461 +syntax, syntactic classes can be an option to re-use the syntax in
83.462 +different contexts; this is indeed the way most overloaded constants
83.463 +in HOL are introduced, of which the most important are listed in
83.464 +Table~\ref{tab:overloading} in the appendix. Section
83.465 +\ref{sec:numeric-classes} covers a range of corresponding classes
83.466 +\emph{with} axioms.
83.467 +
83.468 +Further note that classes may contain axioms but \emph{no} operations.
83.469 +An example is class \isa{finite} from theory \isa{Finite{\isaliteral{5F}{\isacharunderscore}}Set}
83.470 +which specifies a type to be finite: \isa{{\isaliteral{22}{\isachardoublequote}}finite\ {\isaliteral{28}{\isacharparenleft}}UNIV\ {\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}finite\ set{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}}.%
83.471 +\end{isamarkuptext}%
83.472 +\isamarkuptrue%
83.473 +%
83.474 +\isadelimtheory
83.475 +%
83.476 +\endisadelimtheory
83.477 +%
83.478 +\isatagtheory
83.479 +%
83.480 +\endisatagtheory
83.481 +{\isafoldtheory}%
83.482 +%
83.483 +\isadelimtheory
83.484 +%
83.485 +\endisadelimtheory
83.486 +\end{isabellebody}%
83.487 +%%% Local Variables:
83.488 +%%% mode: latex
83.489 +%%% TeX-master: "root"
83.490 +%%% End:
84.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
84.2 +++ b/doc-src/TutorialI/document/Base.tex Thu Jul 26 19:59:06 2012 +0200
84.3 @@ -0,0 +1,130 @@
84.4 +%
84.5 +\begin{isabellebody}%
84.6 +\def\isabellecontext{Base}%
84.7 +%
84.8 +\isadelimtheory
84.9 +%
84.10 +\endisadelimtheory
84.11 +%
84.12 +\isatagtheory
84.13 +%
84.14 +\endisatagtheory
84.15 +{\isafoldtheory}%
84.16 +%
84.17 +\isadelimtheory
84.18 +%
84.19 +\endisadelimtheory
84.20 +%
84.21 +\isamarkupsection{Case Study: Verified Model Checking%
84.22 +}
84.23 +\isamarkuptrue%
84.24 +%
84.25 +\begin{isamarkuptext}%
84.26 +\label{sec:VMC}
84.27 +This chapter ends with a case study concerning model checking for
84.28 +Computation Tree Logic (CTL), a temporal logic.
84.29 +Model checking is a popular technique for the verification of finite
84.30 +state systems (implementations) with respect to temporal logic formulae
84.31 +(specifications) \cite{ClarkeGP-book,Huth-Ryan-book}. Its foundations are set theoretic
84.32 +and this section will explore them in HOL\@. This is done in two steps. First
84.33 +we consider a simple modal logic called propositional dynamic
84.34 +logic (PDL)\@. We then proceed to the temporal logic CTL, which is
84.35 +used in many real
84.36 +model checkers. In each case we give both a traditional semantics (\isa{{\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}}) and a
84.37 +recursive function \isa{mc} that maps a formula into the set of all states of
84.38 +the system where the formula is valid. If the system has a finite number of
84.39 +states, \isa{mc} is directly executable: it is a model checker, albeit an
84.40 +inefficient one. The main proof obligation is to show that the semantics
84.41 +and the model checker agree.
84.42 +
84.43 +\underscoreon
84.44 +
84.45 +Our models are \emph{transition systems}:\index{transition systems}
84.46 +sets of \emph{states} with
84.47 +transitions between them. Here is a simple example:
84.48 +\begin{center}
84.49 +\unitlength.5mm
84.50 +\thicklines
84.51 +\begin{picture}(100,60)
84.52 +\put(50,50){\circle{20}}
84.53 +\put(50,50){\makebox(0,0){$p,q$}}
84.54 +\put(61,55){\makebox(0,0)[l]{$s_0$}}
84.55 +\put(44,42){\vector(-1,-1){26}}
84.56 +\put(16,18){\vector(1,1){26}}
84.57 +\put(57,43){\vector(1,-1){26}}
84.58 +\put(10,10){\circle{20}}
84.59 +\put(10,10){\makebox(0,0){$q,r$}}
84.60 +\put(-1,15){\makebox(0,0)[r]{$s_1$}}
84.61 +\put(20,10){\vector(1,0){60}}
84.62 +\put(90,10){\circle{20}}
84.63 +\put(90,10){\makebox(0,0){$r$}}
84.64 +\put(98, 5){\line(1,0){10}}
84.65 +\put(108, 5){\line(0,1){10}}
84.66 +\put(108,15){\vector(-1,0){10}}
84.67 +\put(91,21){\makebox(0,0)[bl]{$s_2$}}
84.68 +\end{picture}
84.69 +\end{center}
84.70 +Each state has a unique name or number ($s_0,s_1,s_2$), and in each state
84.71 +certain \emph{atomic propositions} ($p,q,r$) hold. The aim of temporal logic
84.72 +is to formalize statements such as ``there is no path starting from $s_2$
84.73 +leading to a state where $p$ or $q$ holds,'' which is true, and ``on all paths
84.74 +starting from $s_0$, $q$ always holds,'' which is false.
84.75 +
84.76 +Abstracting from this concrete example, we assume there is a type of
84.77 +states:%
84.78 +\end{isamarkuptext}%
84.79 +\isamarkuptrue%
84.80 +\isacommand{typedecl}\isamarkupfalse%
84.81 +\ state%
84.82 +\begin{isamarkuptext}%
84.83 +\noindent
84.84 +Command \commdx{typedecl} merely declares a new type but without
84.85 +defining it (see \S\ref{sec:typedecl}). Thus we know nothing
84.86 +about the type other than its existence. That is exactly what we need
84.87 +because \isa{state} really is an implicit parameter of our model. Of
84.88 +course it would have been more generic to make \isa{state} a type
84.89 +parameter of everything but declaring \isa{state} globally as above
84.90 +reduces clutter. Similarly we declare an arbitrary but fixed
84.91 +transition system, i.e.\ a relation between states:%
84.92 +\end{isamarkuptext}%
84.93 +\isamarkuptrue%
84.94 +\isacommand{consts}\isamarkupfalse%
84.95 +\ M\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}state\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ state{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}%
84.96 +\begin{isamarkuptext}%
84.97 +\noindent
84.98 +This is Isabelle's way of declaring a constant without defining it.
84.99 +Finally we introduce a type of atomic propositions%
84.100 +\end{isamarkuptext}%
84.101 +\isamarkuptrue%
84.102 +\isacommand{typedecl}\isamarkupfalse%
84.103 +\ {\isaliteral{22}{\isachardoublequoteopen}}atom{\isaliteral{22}{\isachardoublequoteclose}}%
84.104 +\begin{isamarkuptext}%
84.105 +\noindent
84.106 +and a \emph{labelling function}%
84.107 +\end{isamarkuptext}%
84.108 +\isamarkuptrue%
84.109 +\isacommand{consts}\isamarkupfalse%
84.110 +\ L\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ atom\ set{\isaliteral{22}{\isachardoublequoteclose}}%
84.111 +\begin{isamarkuptext}%
84.112 +\noindent
84.113 +telling us which atomic propositions are true in each state.%
84.114 +\end{isamarkuptext}%
84.115 +\isamarkuptrue%
84.116 +%
84.117 +\isadelimtheory
84.118 +%
84.119 +\endisadelimtheory
84.120 +%
84.121 +\isatagtheory
84.122 +%
84.123 +\endisatagtheory
84.124 +{\isafoldtheory}%
84.125 +%
84.126 +\isadelimtheory
84.127 +%
84.128 +\endisadelimtheory
84.129 +\end{isabellebody}%
84.130 +%%% Local Variables:
84.131 +%%% mode: latex
84.132 +%%% TeX-master: "root"
84.133 +%%% End:
85.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
85.2 +++ b/doc-src/TutorialI/document/CTL.tex Thu Jul 26 19:59:06 2012 +0200
85.3 @@ -0,0 +1,575 @@
85.4 +%
85.5 +\begin{isabellebody}%
85.6 +\def\isabellecontext{CTL}%
85.7 +%
85.8 +\isadelimtheory
85.9 +%
85.10 +\endisadelimtheory
85.11 +%
85.12 +\isatagtheory
85.13 +%
85.14 +\endisatagtheory
85.15 +{\isafoldtheory}%
85.16 +%
85.17 +\isadelimtheory
85.18 +%
85.19 +\endisadelimtheory
85.20 +%
85.21 +\isamarkupsubsection{Computation Tree Logic --- CTL%
85.22 +}
85.23 +\isamarkuptrue%
85.24 +%
85.25 +\begin{isamarkuptext}%
85.26 +\label{sec:CTL}
85.27 +\index{CTL|(}%
85.28 +The semantics of PDL only needs reflexive transitive closure.
85.29 +Let us be adventurous and introduce a more expressive temporal operator.
85.30 +We extend the datatype
85.31 +\isa{formula} by a new constructor%
85.32 +\end{isamarkuptext}%
85.33 +\isamarkuptrue%
85.34 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ AF\ formula%
85.35 +\begin{isamarkuptext}%
85.36 +\noindent
85.37 +which stands for ``\emph{A}lways in the \emph{F}uture'':
85.38 +on all infinite paths, at some point the formula holds.
85.39 +Formalizing the notion of an infinite path is easy
85.40 +in HOL: it is simply a function from \isa{nat} to \isa{state}.%
85.41 +\end{isamarkuptext}%
85.42 +\isamarkuptrue%
85.43 +\isacommand{definition}\isamarkupfalse%
85.44 +\ Paths\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
85.45 +{\isaliteral{22}{\isachardoublequoteopen}}Paths\ s\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{7B}{\isacharbraceleft}}p{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{3D}{\isacharequal}}\ p\ {\isadigit{0}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p{\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M{\isaliteral{29}{\isacharparenright}}{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
85.46 +\begin{isamarkuptext}%
85.47 +\noindent
85.48 +This definition allows a succinct statement of the semantics of \isa{AF}:
85.49 +\footnote{Do not be misled: neither datatypes nor recursive functions can be
85.50 +extended by new constructors or equations. This is just a trick of the
85.51 +presentation (see \S\ref{sec:doc-prep-suppress}). In reality one has to define
85.52 +a new datatype and a new function.}%
85.53 +\end{isamarkuptext}%
85.54 +\isamarkuptrue%
85.55 +{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ AF\ f\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
85.56 +\begin{isamarkuptext}%
85.57 +\noindent
85.58 +Model checking \isa{AF} involves a function which
85.59 +is just complicated enough to warrant a separate definition:%
85.60 +\end{isamarkuptext}%
85.61 +\isamarkuptrue%
85.62 +\isacommand{definition}\isamarkupfalse%
85.63 +\ af\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
85.64 +{\isaliteral{22}{\isachardoublequoteopen}}af\ A\ T\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ T{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
85.65 +\begin{isamarkuptext}%
85.66 +\noindent
85.67 +Now we define \isa{mc\ {\isaliteral{28}{\isacharparenleft}}AF\ f{\isaliteral{29}{\isacharparenright}}} as the least set \isa{T} that includes
85.68 +\isa{mc\ f} and all states all of whose direct successors are in \isa{T}:%
85.69 +\end{isamarkuptext}%
85.70 +\isamarkuptrue%
85.71 +{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}AF\ f{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ lfp{\isaliteral{28}{\isacharparenleft}}af{\isaliteral{28}{\isacharparenleft}}mc\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
85.72 +\begin{isamarkuptext}%
85.73 +\noindent
85.74 +Because \isa{af} is monotone in its second argument (and also its first, but
85.75 +that is irrelevant), \isa{af\ A} has a least fixed point:%
85.76 +\end{isamarkuptext}%
85.77 +\isamarkuptrue%
85.78 +\isacommand{lemma}\isamarkupfalse%
85.79 +\ mono{\isaliteral{5F}{\isacharunderscore}}af{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}mono{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
85.80 +%
85.81 +\isadelimproof
85.82 +%
85.83 +\endisadelimproof
85.84 +%
85.85 +\isatagproof
85.86 +\isacommand{apply}\isamarkupfalse%
85.87 +{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ mono{\isaliteral{5F}{\isacharunderscore}}def\ af{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
85.88 +\isacommand{apply}\isamarkupfalse%
85.89 +\ blast\isanewline
85.90 +\isacommand{done}\isamarkupfalse%
85.91 +%
85.92 +\endisatagproof
85.93 +{\isafoldproof}%
85.94 +%
85.95 +\isadelimproof
85.96 +%
85.97 +\endisadelimproof
85.98 +%
85.99 +\isadelimproof
85.100 +%
85.101 +\endisadelimproof
85.102 +%
85.103 +\isatagproof
85.104 +%
85.105 +\endisatagproof
85.106 +{\isafoldproof}%
85.107 +%
85.108 +\isadelimproof
85.109 +%
85.110 +\endisadelimproof
85.111 +%
85.112 +\isadelimproof
85.113 +%
85.114 +\endisadelimproof
85.115 +%
85.116 +\isatagproof
85.117 +%
85.118 +\endisatagproof
85.119 +{\isafoldproof}%
85.120 +%
85.121 +\isadelimproof
85.122 +%
85.123 +\endisadelimproof
85.124 +%
85.125 +\begin{isamarkuptext}%
85.126 +All we need to prove now is \isa{mc\ {\isaliteral{28}{\isacharparenleft}}AF\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ AF\ f{\isaliteral{7D}{\isacharbraceright}}}, which states
85.127 +that \isa{mc} and \isa{{\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}} agree for \isa{AF}\@.
85.128 +This time we prove the two inclusions separately, starting
85.129 +with the easy one:%
85.130 +\end{isamarkuptext}%
85.131 +\isamarkuptrue%
85.132 +\isacommand{theorem}\isamarkupfalse%
85.133 +\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
85.134 +\isadelimproof
85.135 +%
85.136 +\endisadelimproof
85.137 +%
85.138 +\isatagproof
85.139 +%
85.140 +\begin{isamarkuptxt}%
85.141 +\noindent
85.142 +In contrast to the analogous proof for \isa{EF}, and just
85.143 +for a change, we do not use fixed point induction. Park-induction,
85.144 +named after David Park, is weaker but sufficient for this proof:
85.145 +\begin{center}
85.146 +\isa{f\ S\ {\isaliteral{5C3C6C653E}{\isasymle}}\ S\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ lfp\ f\ {\isaliteral{5C3C6C653E}{\isasymle}}\ S} \hfill (\isa{lfp{\isaliteral{5F}{\isacharunderscore}}lowerbound})
85.147 +\end{center}
85.148 +The instance of the premise \isa{f\ S\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ S} is proved pointwise,
85.149 +a decision that \isa{auto} takes for us:%
85.150 +\end{isamarkuptxt}%
85.151 +\isamarkuptrue%
85.152 +\isacommand{apply}\isamarkupfalse%
85.153 +{\isaliteral{28}{\isacharparenleft}}rule\ lfp{\isaliteral{5F}{\isacharunderscore}}lowerbound{\isaliteral{29}{\isacharparenright}}\isanewline
85.154 +\isacommand{apply}\isamarkupfalse%
85.155 +{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ af{\isaliteral{5F}{\isacharunderscore}}def\ Paths{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
85.156 +\begin{isamarkuptxt}%
85.157 +\begin{isabelle}%
85.158 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ {\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
85.159 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{3D}{\isacharequal}}\ p\ {\isadigit{0}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p\ {\isaliteral{28}{\isacharparenleft}}Suc\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
85.160 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
85.161 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ \ }{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p\ {\isaliteral{28}{\isacharparenleft}}Suc\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
85.162 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A%
85.163 +\end{isabelle}
85.164 +In this remaining case, we set \isa{t} to \isa{p\ {\isadigit{1}}}.
85.165 +The rest is automatic, which is surprising because it involves
85.166 +finding the instantiation \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ p\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}}
85.167 +for \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p}.%
85.168 +\end{isamarkuptxt}%
85.169 +\isamarkuptrue%
85.170 +\isacommand{apply}\isamarkupfalse%
85.171 +{\isaliteral{28}{\isacharparenleft}}erule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}p\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ allE{\isaliteral{29}{\isacharparenright}}\isanewline
85.172 +\isacommand{apply}\isamarkupfalse%
85.173 +{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
85.174 +\isacommand{done}\isamarkupfalse%
85.175 +%
85.176 +\endisatagproof
85.177 +{\isafoldproof}%
85.178 +%
85.179 +\isadelimproof
85.180 +%
85.181 +\endisadelimproof
85.182 +%
85.183 +\begin{isamarkuptext}%
85.184 +The opposite inclusion is proved by contradiction: if some state
85.185 +\isa{s} is not in \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}, then we can construct an
85.186 +infinite \isa{A}-avoiding path starting from~\isa{s}. The reason is
85.187 +that by unfolding \isa{lfp} we find that if \isa{s} is not in
85.188 +\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}, then \isa{s} is not in \isa{A} and there is a
85.189 +direct successor of \isa{s} that is again not in \mbox{\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}}. Iterating this argument yields the promised infinite
85.190 +\isa{A}-avoiding path. Let us formalize this sketch.
85.191 +
85.192 +The one-step argument in the sketch above
85.193 +is proved by a variant of contraposition:%
85.194 +\end{isamarkuptext}%
85.195 +\isamarkuptrue%
85.196 +\isacommand{lemma}\isamarkupfalse%
85.197 +\ not{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp{\isaliteral{5F}{\isacharunderscore}}afD{\isaliteral{3A}{\isacharcolon}}\isanewline
85.198 +\ {\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ s\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
85.199 +%
85.200 +\isadelimproof
85.201 +%
85.202 +\endisadelimproof
85.203 +%
85.204 +\isatagproof
85.205 +\isacommand{apply}\isamarkupfalse%
85.206 +{\isaliteral{28}{\isacharparenleft}}erule\ contrapos{\isaliteral{5F}{\isacharunderscore}}np{\isaliteral{29}{\isacharparenright}}\isanewline
85.207 +\isacommand{apply}\isamarkupfalse%
85.208 +{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}af{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
85.209 +\isacommand{apply}\isamarkupfalse%
85.210 +{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ af{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
85.211 +\isacommand{done}\isamarkupfalse%
85.212 +%
85.213 +\endisatagproof
85.214 +{\isafoldproof}%
85.215 +%
85.216 +\isadelimproof
85.217 +%
85.218 +\endisadelimproof
85.219 +%
85.220 +\begin{isamarkuptext}%
85.221 +\noindent
85.222 +We assume the negation of the conclusion and prove \isa{s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}.
85.223 +Unfolding \isa{lfp} once and
85.224 +simplifying with the definition of \isa{af} finishes the proof.
85.225 +
85.226 +Now we iterate this process. The following construction of the desired
85.227 +path is parameterized by a predicate \isa{Q} that should hold along the path:%
85.228 +\end{isamarkuptext}%
85.229 +\isamarkuptrue%
85.230 +\isacommand{primrec}\isamarkupfalse%
85.231 +\ path\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
85.232 +{\isaliteral{22}{\isachardoublequoteopen}}path\ s\ Q\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ s{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
85.233 +{\isaliteral{22}{\isachardoublequoteopen}}path\ s\ Q\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}SOME\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ n{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
85.234 +\begin{isamarkuptext}%
85.235 +\noindent
85.236 +Element \isa{n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}} on this path is some arbitrary successor
85.237 +\isa{t} of element \isa{n} such that \isa{Q\ t} holds. Remember that \isa{SOME\ t{\isaliteral{2E}{\isachardot}}\ R\ t}
85.238 +is some arbitrary but fixed \isa{t} such that \isa{R\ t} holds (see \S\ref{sec:SOME}). Of
85.239 +course, such a \isa{t} need not exist, but that is of no
85.240 +concern to us since we will only use \isa{path} when a
85.241 +suitable \isa{t} does exist.
85.242 +
85.243 +Let us show that if each state \isa{s} that satisfies \isa{Q}
85.244 +has a successor that again satisfies \isa{Q}, then there exists an infinite \isa{Q}-path:%
85.245 +\end{isamarkuptext}%
85.246 +\isamarkuptrue%
85.247 +\isacommand{lemma}\isamarkupfalse%
85.248 +\ infinity{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{3A}{\isacharcolon}}\isanewline
85.249 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ Q\ s{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ Q\ s\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
85.250 +\ \ \ {\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ Q{\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
85.251 +\isadelimproof
85.252 +%
85.253 +\endisadelimproof
85.254 +%
85.255 +\isatagproof
85.256 +%
85.257 +\begin{isamarkuptxt}%
85.258 +\noindent
85.259 +First we rephrase the conclusion slightly because we need to prove simultaneously
85.260 +both the path property and the fact that \isa{Q} holds:%
85.261 +\end{isamarkuptxt}%
85.262 +\isamarkuptrue%
85.263 +\isacommand{apply}\isamarkupfalse%
85.264 +{\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\isanewline
85.265 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{3D}{\isacharequal}}\ p\ {\isadigit{0}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p{\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q{\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}%
85.266 +\begin{isamarkuptxt}%
85.267 +\noindent
85.268 +From this proposition the original goal follows easily:%
85.269 +\end{isamarkuptxt}%
85.270 +\isamarkuptrue%
85.271 +\ \isacommand{apply}\isamarkupfalse%
85.272 +{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ Paths{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{2C}{\isacharcomma}}\ blast{\isaliteral{29}{\isacharparenright}}%
85.273 +\begin{isamarkuptxt}%
85.274 +\noindent
85.275 +The new subgoal is proved by providing the witness \isa{path\ s\ Q} for \isa{p}:%
85.276 +\end{isamarkuptxt}%
85.277 +\isamarkuptrue%
85.278 +\isacommand{apply}\isamarkupfalse%
85.279 +{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}path\ s\ Q{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ exI{\isaliteral{29}{\isacharparenright}}\isanewline
85.280 +\isacommand{apply}\isamarkupfalse%
85.281 +{\isaliteral{28}{\isacharparenleft}}clarsimp{\isaliteral{29}{\isacharparenright}}%
85.282 +\begin{isamarkuptxt}%
85.283 +\noindent
85.284 +After simplification and clarification, the subgoal has the following form:
85.285 +\begin{isabelle}%
85.286 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Q\ s{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ Q\ s\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
85.287 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ i{\isaliteral{2C}{\isacharcomma}}\ SOME\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ i{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
85.288 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }Q\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ i{\isaliteral{29}{\isacharparenright}}%
85.289 +\end{isabelle}
85.290 +It invites a proof by induction on \isa{i}:%
85.291 +\end{isamarkuptxt}%
85.292 +\isamarkuptrue%
85.293 +\isacommand{apply}\isamarkupfalse%
85.294 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ i{\isaliteral{29}{\isacharparenright}}\isanewline
85.295 +\ \isacommand{apply}\isamarkupfalse%
85.296 +{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
85.297 +\begin{isamarkuptxt}%
85.298 +\noindent
85.299 +After simplification, the base case boils down to
85.300 +\begin{isabelle}%
85.301 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Q\ s{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ Q\ s\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
85.302 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ SOME\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M%
85.303 +\end{isabelle}
85.304 +The conclusion looks exceedingly trivial: after all, \isa{t} is chosen such that \isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M}
85.305 +holds. However, we first have to show that such a \isa{t} actually exists! This reasoning
85.306 +is embodied in the theorem \isa{someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex}:
85.307 +\begin{isabelle}%
85.308 +\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}a{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ a{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q\ x{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q\ {\isaliteral{28}{\isacharparenleft}}SOME\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x{\isaliteral{29}{\isacharparenright}}%
85.309 +\end{isabelle}
85.310 +When we apply this theorem as an introduction rule, \isa{{\isaliteral{3F}{\isacharquery}}P\ x} becomes
85.311 +\isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ x} and \isa{{\isaliteral{3F}{\isacharquery}}Q\ x} becomes \isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M} and we have to prove
85.312 +two subgoals: \isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}a{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ a}, which follows from the assumptions, and
85.313 +\isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M}, which is trivial. Thus it is not surprising that
85.314 +\isa{fast} can prove the base case quickly:%
85.315 +\end{isamarkuptxt}%
85.316 +\isamarkuptrue%
85.317 +\ \isacommand{apply}\isamarkupfalse%
85.318 +{\isaliteral{28}{\isacharparenleft}}fast\ intro{\isaliteral{3A}{\isacharcolon}}\ someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex{\isaliteral{29}{\isacharparenright}}%
85.319 +\begin{isamarkuptxt}%
85.320 +\noindent
85.321 +What is worth noting here is that we have used \methdx{fast} rather than
85.322 +\isa{blast}. The reason is that \isa{blast} would fail because it cannot
85.323 +cope with \isa{someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex}: unifying its conclusion with the current
85.324 +subgoal is non-trivial because of the nested schematic variables. For
85.325 +efficiency reasons \isa{blast} does not even attempt such unifications.
85.326 +Although \isa{fast} can in principle cope with complicated unification
85.327 +problems, in practice the number of unifiers arising is often prohibitive and
85.328 +the offending rule may need to be applied explicitly rather than
85.329 +automatically. This is what happens in the step case.
85.330 +
85.331 +The induction step is similar, but more involved, because now we face nested
85.332 +occurrences of \isa{SOME}. As a result, \isa{fast} is no longer able to
85.333 +solve the subgoal and we apply \isa{someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex} by hand. We merely
85.334 +show the proof commands but do not describe the details:%
85.335 +\end{isamarkuptxt}%
85.336 +\isamarkuptrue%
85.337 +\isacommand{apply}\isamarkupfalse%
85.338 +{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}\isanewline
85.339 +\isacommand{apply}\isamarkupfalse%
85.340 +{\isaliteral{28}{\isacharparenleft}}rule\ someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex{\isaliteral{29}{\isacharparenright}}\isanewline
85.341 +\ \isacommand{apply}\isamarkupfalse%
85.342 +{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
85.343 +\isacommand{apply}\isamarkupfalse%
85.344 +{\isaliteral{28}{\isacharparenleft}}rule\ someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex{\isaliteral{29}{\isacharparenright}}\isanewline
85.345 +\ \isacommand{apply}\isamarkupfalse%
85.346 +{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
85.347 +\isacommand{apply}\isamarkupfalse%
85.348 +{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
85.349 +\isacommand{done}\isamarkupfalse%
85.350 +%
85.351 +\endisatagproof
85.352 +{\isafoldproof}%
85.353 +%
85.354 +\isadelimproof
85.355 +%
85.356 +\endisadelimproof
85.357 +%
85.358 +\begin{isamarkuptext}%
85.359 +Function \isa{path} has fulfilled its purpose now and can be forgotten.
85.360 +It was merely defined to provide the witness in the proof of the
85.361 +\isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma}. Aficionados of minimal proofs might like to know
85.362 +that we could have given the witness without having to define a new function:
85.363 +the term
85.364 +\begin{isabelle}%
85.365 +\ \ \ \ \ nat{\isaliteral{5F}{\isacharunderscore}}rec\ s\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}n\ t{\isaliteral{2E}{\isachardot}}\ SOME\ u{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{2C}{\isacharcomma}}\ u{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ u{\isaliteral{29}{\isacharparenright}}%
85.366 +\end{isabelle}
85.367 +is extensionally equal to \isa{path\ s\ Q},
85.368 +where \isa{nat{\isaliteral{5F}{\isacharunderscore}}rec} is the predefined primitive recursor on \isa{nat}.%
85.369 +\end{isamarkuptext}%
85.370 +\isamarkuptrue%
85.371 +%
85.372 +\isadelimproof
85.373 +%
85.374 +\endisadelimproof
85.375 +%
85.376 +\isatagproof
85.377 +%
85.378 +\endisatagproof
85.379 +{\isafoldproof}%
85.380 +%
85.381 +\isadelimproof
85.382 +%
85.383 +\endisadelimproof
85.384 +%
85.385 +\begin{isamarkuptext}%
85.386 +At last we can prove the opposite direction of \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}}:%
85.387 +\end{isamarkuptext}%
85.388 +\isamarkuptrue%
85.389 +\isacommand{theorem}\isamarkupfalse%
85.390 +\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
85.391 +\isadelimproof
85.392 +%
85.393 +\endisadelimproof
85.394 +%
85.395 +\isatagproof
85.396 +%
85.397 +\begin{isamarkuptxt}%
85.398 +\noindent
85.399 +The proof is again pointwise and then by contraposition:%
85.400 +\end{isamarkuptxt}%
85.401 +\isamarkuptrue%
85.402 +\isacommand{apply}\isamarkupfalse%
85.403 +{\isaliteral{28}{\isacharparenleft}}rule\ subsetI{\isaliteral{29}{\isacharparenright}}\isanewline
85.404 +\isacommand{apply}\isamarkupfalse%
85.405 +{\isaliteral{28}{\isacharparenleft}}erule\ contrapos{\isaliteral{5F}{\isacharunderscore}}pp{\isaliteral{29}{\isacharparenright}}\isanewline
85.406 +\isacommand{apply}\isamarkupfalse%
85.407 +\ simp%
85.408 +\begin{isamarkuptxt}%
85.409 +\begin{isabelle}%
85.410 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A%
85.411 +\end{isabelle}
85.412 +Applying the \isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma} as a destruction rule leaves two subgoals, the second
85.413 +premise of \isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma} and the original subgoal:%
85.414 +\end{isamarkuptxt}%
85.415 +\isamarkuptrue%
85.416 +\isacommand{apply}\isamarkupfalse%
85.417 +{\isaliteral{28}{\isacharparenleft}}drule\ infinity{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{29}{\isacharparenright}}%
85.418 +\begin{isamarkuptxt}%
85.419 +\begin{isabelle}%
85.420 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
85.421 +\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
85.422 +\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A%
85.423 +\end{isabelle}
85.424 +Both are solved automatically:%
85.425 +\end{isamarkuptxt}%
85.426 +\isamarkuptrue%
85.427 +\ \isacommand{apply}\isamarkupfalse%
85.428 +{\isaliteral{28}{\isacharparenleft}}auto\ dest{\isaliteral{3A}{\isacharcolon}}\ not{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp{\isaliteral{5F}{\isacharunderscore}}afD{\isaliteral{29}{\isacharparenright}}\isanewline
85.429 +\isacommand{done}\isamarkupfalse%
85.430 +%
85.431 +\endisatagproof
85.432 +{\isafoldproof}%
85.433 +%
85.434 +\isadelimproof
85.435 +%
85.436 +\endisadelimproof
85.437 +%
85.438 +\begin{isamarkuptext}%
85.439 +If you find these proofs too complicated, we recommend that you read
85.440 +\S\ref{sec:CTL-revisited}, where we show how inductive definitions lead to
85.441 +simpler arguments.
85.442 +
85.443 +The main theorem is proved as for PDL, except that we also derive the
85.444 +necessary equality \isa{lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}} by combining
85.445 +\isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}} and \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}} on the spot:%
85.446 +\end{isamarkuptext}%
85.447 +\isamarkuptrue%
85.448 +\isacommand{theorem}\isamarkupfalse%
85.449 +\ {\isaliteral{22}{\isachardoublequoteopen}}mc\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
85.450 +%
85.451 +\isadelimproof
85.452 +%
85.453 +\endisadelimproof
85.454 +%
85.455 +\isatagproof
85.456 +\isacommand{apply}\isamarkupfalse%
85.457 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ f{\isaliteral{29}{\isacharparenright}}\isanewline
85.458 +\isacommand{apply}\isamarkupfalse%
85.459 +{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ EF{\isaliteral{5F}{\isacharunderscore}}lemma\ equalityI{\isaliteral{5B}{\isacharbrackleft}}OF\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
85.460 +\isacommand{done}\isamarkupfalse%
85.461 +%
85.462 +\endisatagproof
85.463 +{\isafoldproof}%
85.464 +%
85.465 +\isadelimproof
85.466 +%
85.467 +\endisadelimproof
85.468 +%
85.469 +\begin{isamarkuptext}%
85.470 +The language defined above is not quite CTL\@. The latter also includes an
85.471 +until-operator \isa{EU\ f\ g} with semantics ``there \emph{E}xists a path
85.472 +where \isa{f} is true \emph{U}ntil \isa{g} becomes true''. We need
85.473 +an auxiliary function:%
85.474 +\end{isamarkuptext}%
85.475 +\isamarkuptrue%
85.476 +\isacommand{primrec}\isamarkupfalse%
85.477 +\isanewline
85.478 +until{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
85.479 +{\isaliteral{22}{\isachardoublequoteopen}}until\ A\ B\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
85.480 +{\isaliteral{22}{\isachardoublequoteopen}}until\ A\ B\ s\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{23}{\isacharhash}}p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ until\ A\ B\ t\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
85.481 +\begin{isamarkuptext}%
85.482 +\noindent
85.483 +Expressing the semantics of \isa{EU} is now straightforward:
85.484 +\begin{isabelle}%
85.485 +\ \ \ \ \ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EU\ f\ g\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{2E}{\isachardot}}\ until\ {\isaliteral{7B}{\isacharbraceleft}}t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{7B}{\isacharbraceleft}}t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ g{\isaliteral{7D}{\isacharbraceright}}\ s\ p{\isaliteral{29}{\isacharparenright}}%
85.486 +\end{isabelle}
85.487 +Note that \isa{EU} is not definable in terms of the other operators!
85.488 +
85.489 +Model checking \isa{EU} is again a least fixed point construction:
85.490 +\begin{isabelle}%
85.491 +\ \ \ \ \ mc{\isaliteral{28}{\isacharparenleft}}EU\ f\ g{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ lfp{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ mc\ g\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ mc\ f\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
85.492 +\end{isabelle}
85.493 +
85.494 +\begin{exercise}
85.495 +Extend the datatype of formulae by the above until operator
85.496 +and prove the equivalence between semantics and model checking, i.e.\ that
85.497 +\begin{isabelle}%
85.498 +\ \ \ \ \ mc\ {\isaliteral{28}{\isacharparenleft}}EU\ f\ g{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EU\ f\ g{\isaliteral{7D}{\isacharbraceright}}%
85.499 +\end{isabelle}
85.500 +%For readability you may want to annotate {term EU} with its customary syntax
85.501 +%{text[display]"| EU formula formula E[_ U _]"}
85.502 +%which enables you to read and write {text"E[f U g]"} instead of {term"EU f g"}.
85.503 +\end{exercise}
85.504 +For more CTL exercises see, for example, Huth and Ryan \cite{Huth-Ryan-book}.%
85.505 +\end{isamarkuptext}%
85.506 +\isamarkuptrue%
85.507 +%
85.508 +\isadelimproof
85.509 +%
85.510 +\endisadelimproof
85.511 +%
85.512 +\isatagproof
85.513 +%
85.514 +\endisatagproof
85.515 +{\isafoldproof}%
85.516 +%
85.517 +\isadelimproof
85.518 +%
85.519 +\endisadelimproof
85.520 +%
85.521 +\isadelimproof
85.522 +%
85.523 +\endisadelimproof
85.524 +%
85.525 +\isatagproof
85.526 +%
85.527 +\endisatagproof
85.528 +{\isafoldproof}%
85.529 +%
85.530 +\isadelimproof
85.531 +%
85.532 +\endisadelimproof
85.533 +%
85.534 +\isadelimproof
85.535 +%
85.536 +\endisadelimproof
85.537 +%
85.538 +\isatagproof
85.539 +%
85.540 +\endisatagproof
85.541 +{\isafoldproof}%
85.542 +%
85.543 +\isadelimproof
85.544 +%
85.545 +\endisadelimproof
85.546 +%
85.547 +\begin{isamarkuptext}%
85.548 +Let us close this section with a few words about the executability of
85.549 +our model checkers. It is clear that if all sets are finite, they can be
85.550 +represented as lists and the usual set operations are easily
85.551 +implemented. Only \isa{lfp} requires a little thought. Fortunately, theory
85.552 +\isa{While{\isaliteral{5F}{\isacharunderscore}}Combinator} in the Library~\cite{HOL-Library} provides a
85.553 +theorem stating that in the case of finite sets and a monotone
85.554 +function~\isa{F}, the value of \mbox{\isa{lfp\ F}} can be computed by
85.555 +iterated application of \isa{F} to~\isa{{\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{7D}{\isacharbraceright}}} until a fixed point is
85.556 +reached. It is actually possible to generate executable functional programs
85.557 +from HOL definitions, but that is beyond the scope of the tutorial.%
85.558 +\index{CTL|)}%
85.559 +\end{isamarkuptext}%
85.560 +\isamarkuptrue%
85.561 +%
85.562 +\isadelimtheory
85.563 +%
85.564 +\endisadelimtheory
85.565 +%
85.566 +\isatagtheory
85.567 +%
85.568 +\endisatagtheory
85.569 +{\isafoldtheory}%
85.570 +%
85.571 +\isadelimtheory
85.572 +%
85.573 +\endisadelimtheory
85.574 +\end{isabellebody}%
85.575 +%%% Local Variables:
85.576 +%%% mode: latex
85.577 +%%% TeX-master: "root"
85.578 +%%% End:
86.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
86.2 +++ b/doc-src/TutorialI/document/CTLind.tex Thu Jul 26 19:59:06 2012 +0200
86.3 @@ -0,0 +1,252 @@
86.4 +%
86.5 +\begin{isabellebody}%
86.6 +\def\isabellecontext{CTLind}%
86.7 +%
86.8 +\isadelimtheory
86.9 +%
86.10 +\endisadelimtheory
86.11 +%
86.12 +\isatagtheory
86.13 +%
86.14 +\endisatagtheory
86.15 +{\isafoldtheory}%
86.16 +%
86.17 +\isadelimtheory
86.18 +%
86.19 +\endisadelimtheory
86.20 +%
86.21 +\isamarkupsubsection{CTL Revisited%
86.22 +}
86.23 +\isamarkuptrue%
86.24 +%
86.25 +\begin{isamarkuptext}%
86.26 +\label{sec:CTL-revisited}
86.27 +\index{CTL|(}%
86.28 +The purpose of this section is twofold: to demonstrate
86.29 +some of the induction principles and heuristics discussed above and to
86.30 +show how inductive definitions can simplify proofs.
86.31 +In \S\ref{sec:CTL} we gave a fairly involved proof of the correctness of a
86.32 +model checker for CTL\@. In particular the proof of the
86.33 +\isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma} on the way to \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}} is not as
86.34 +simple as one might expect, due to the \isa{SOME} operator
86.35 +involved. Below we give a simpler proof of \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}}
86.36 +based on an auxiliary inductive definition.
86.37 +
86.38 +Let us call a (finite or infinite) path \emph{\isa{A}-avoiding} if it does
86.39 +not touch any node in the set \isa{A}. Then \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}} says
86.40 +that if no infinite path from some state \isa{s} is \isa{A}-avoiding,
86.41 +then \isa{s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. We prove this by inductively defining the set
86.42 +\isa{Avoid\ s\ A} of states reachable from \isa{s} by a finite \isa{A}-avoiding path:
86.43 +% Second proof of opposite direction, directly by well-founded induction
86.44 +% on the initial segment of M that avoids A.%
86.45 +\end{isamarkuptext}%
86.46 +\isamarkuptrue%
86.47 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
86.48 +\isanewline
86.49 +\ \ Avoid\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
86.50 +\ \ \isakeyword{for}\ s\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ state\ \isakeyword{and}\ A\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
86.51 +\isakeyword{where}\isanewline
86.52 +\ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
86.53 +\ \ {\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{3B}{\isacharsemicolon}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{2C}{\isacharcomma}}u{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ u\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{22}{\isachardoublequoteclose}}%
86.54 +\begin{isamarkuptext}%
86.55 +It is easy to see that for any infinite \isa{A}-avoiding path \isa{f}
86.56 +with \isa{f\ {\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A} there is an infinite \isa{A}-avoiding path
86.57 +starting with \isa{s} because (by definition of \isa{Avoid}) there is a
86.58 +finite \isa{A}-avoiding path from \isa{s} to \isa{f\ {\isadigit{0}}}.
86.59 +The proof is by induction on \isa{f\ {\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A}. However,
86.60 +this requires the following
86.61 +reformulation, as explained in \S\ref{sec:ind-var-in-prems} above;
86.62 +the \isa{rule{\isaliteral{5F}{\isacharunderscore}}format} directive undoes the reformulation after the proof.%
86.63 +\end{isamarkuptext}%
86.64 +\isamarkuptrue%
86.65 +\isacommand{lemma}\isamarkupfalse%
86.66 +\ ex{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}path{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
86.67 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
86.68 +\ \ \ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}f{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ f\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
86.69 +%
86.70 +\isadelimproof
86.71 +%
86.72 +\endisadelimproof
86.73 +%
86.74 +\isatagproof
86.75 +\isacommand{apply}\isamarkupfalse%
86.76 +{\isaliteral{28}{\isacharparenleft}}erule\ Avoid{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
86.77 +\ \isacommand{apply}\isamarkupfalse%
86.78 +{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
86.79 +\isacommand{apply}\isamarkupfalse%
86.80 +{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
86.81 +\isacommand{apply}\isamarkupfalse%
86.82 +{\isaliteral{28}{\isacharparenleft}}drule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ case\ i\ of\ {\isadigit{0}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ t\ {\isaliteral{7C}{\isacharbar}}\ Suc\ i\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ f\ i{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ bspec{\isaliteral{29}{\isacharparenright}}\isanewline
86.83 +\isacommand{apply}\isamarkupfalse%
86.84 +{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{5F}{\isacharunderscore}}all\ add{\isaliteral{3A}{\isacharcolon}}\ Paths{\isaliteral{5F}{\isacharunderscore}}def\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}\isanewline
86.85 +\isacommand{done}\isamarkupfalse%
86.86 +%
86.87 +\endisatagproof
86.88 +{\isafoldproof}%
86.89 +%
86.90 +\isadelimproof
86.91 +%
86.92 +\endisadelimproof
86.93 +%
86.94 +\begin{isamarkuptext}%
86.95 +\noindent
86.96 +The base case (\isa{t\ {\isaliteral{3D}{\isacharequal}}\ s}) is trivial and proved by \isa{blast}.
86.97 +In the induction step, we have an infinite \isa{A}-avoiding path \isa{f}
86.98 +starting from \isa{u}, a successor of \isa{t}. Now we simply instantiate
86.99 +the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}f{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ t} in the induction hypothesis by the path starting with
86.100 +\isa{t} and continuing with \isa{f}. That is what the above $\lambda$-term
86.101 +expresses. Simplification shows that this is a path starting with \isa{t}
86.102 +and that the instantiated induction hypothesis implies the conclusion.
86.103 +
86.104 +Now we come to the key lemma. Assuming that no infinite \isa{A}-avoiding
86.105 +path starts from \isa{s}, we want to show \isa{s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. For the
86.106 +inductive proof this must be generalized to the statement that every point \isa{t}
86.107 +``between'' \isa{s} and \isa{A}, in other words all of \isa{Avoid\ s\ A},
86.108 +is contained in \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}:%
86.109 +\end{isamarkuptext}%
86.110 +\isamarkuptrue%
86.111 +\isacommand{lemma}\isamarkupfalse%
86.112 +\ Avoid{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
86.113 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
86.114 +\isadelimproof
86.115 +%
86.116 +\endisadelimproof
86.117 +%
86.118 +\isatagproof
86.119 +%
86.120 +\begin{isamarkuptxt}%
86.121 +\noindent
86.122 +The proof is by induction on the ``distance'' between \isa{t} and \isa{A}. Remember that \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}.
86.123 +If \isa{t} is already in \isa{A}, then \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}} is
86.124 +trivial. If \isa{t} is not in \isa{A} but all successors are in
86.125 +\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}} (induction hypothesis), then \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}} is
86.126 +again trivial.
86.127 +
86.128 +The formal counterpart of this proof sketch is a well-founded induction
86.129 +on~\isa{M} restricted to \isa{Avoid\ s\ A\ {\isaliteral{2D}{\isacharminus}}\ A}, roughly speaking:
86.130 +\begin{isabelle}%
86.131 +\ \ \ \ \ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{7D}{\isacharbraceright}}%
86.132 +\end{isabelle}
86.133 +As we shall see presently, the absence of infinite \isa{A}-avoiding paths
86.134 +starting from \isa{s} implies well-foundedness of this relation. For the
86.135 +moment we assume this and proceed with the induction:%
86.136 +\end{isamarkuptxt}%
86.137 +\isamarkuptrue%
86.138 +\isacommand{apply}\isamarkupfalse%
86.139 +{\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\ {\isaliteral{22}{\isachardoublequoteopen}}wf{\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
86.140 +\ \isacommand{apply}\isamarkupfalse%
86.141 +{\isaliteral{28}{\isacharparenleft}}erule{\isaliteral{5F}{\isacharunderscore}}tac\ a\ {\isaliteral{3D}{\isacharequal}}\ t\ \isakeyword{in}\ wf{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
86.142 +\ \isacommand{apply}\isamarkupfalse%
86.143 +{\isaliteral{28}{\isacharparenleft}}clarsimp{\isaliteral{29}{\isacharparenright}}%
86.144 +\begin{isamarkuptxt}%
86.145 +\noindent
86.146 +\begin{isabelle}%
86.147 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{3B}{\isacharsemicolon}}\isanewline
86.148 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ \ }{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
86.149 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ \ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ }y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
86.150 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ \ }t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
86.151 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\isanewline
86.152 +\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
86.153 +\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ }wf\ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{7D}{\isacharbraceright}}%
86.154 +\end{isabelle}
86.155 +Now the induction hypothesis states that if \isa{t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A}
86.156 +then all successors of \isa{t} that are in \isa{Avoid\ s\ A} are in
86.157 +\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. Unfolding \isa{lfp} in the conclusion of the first
86.158 +subgoal once, we have to prove that \isa{t} is in \isa{A} or all successors
86.159 +of \isa{t} are in \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. But if \isa{t} is not in \isa{A},
86.160 +the second
86.161 +\isa{Avoid}-rule implies that all successors of \isa{t} are in
86.162 +\isa{Avoid\ s\ A}, because we also assume \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A}.
86.163 +Hence, by the induction hypothesis, all successors of \isa{t} are indeed in
86.164 +\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. Mechanically:%
86.165 +\end{isamarkuptxt}%
86.166 +\isamarkuptrue%
86.167 +\ \isacommand{apply}\isamarkupfalse%
86.168 +{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}af{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
86.169 +\ \isacommand{apply}\isamarkupfalse%
86.170 +{\isaliteral{28}{\isacharparenleft}}simp\ {\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}\ add{\isaliteral{3A}{\isacharcolon}}\ af{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
86.171 +\ \isacommand{apply}\isamarkupfalse%
86.172 +{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ Avoid{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}%
86.173 +\begin{isamarkuptxt}%
86.174 +Having proved the main goal, we return to the proof obligation that the
86.175 +relation used above is indeed well-founded. This is proved by contradiction: if
86.176 +the relation is not well-founded then there exists an infinite \isa{A}-avoiding path all in \isa{Avoid\ s\ A}, by theorem
86.177 +\isa{wf{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}down{\isaliteral{5F}{\isacharunderscore}}chain}:
86.178 +\begin{isabelle}%
86.179 +\ \ \ \ \ wf\ r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}f{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}Suc\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{2C}{\isacharcomma}}\ f\ i{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
86.180 +\end{isabelle}
86.181 +From lemma \isa{ex{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}path} the existence of an infinite
86.182 +\isa{A}-avoiding path starting in \isa{s} follows, contradiction.%
86.183 +\end{isamarkuptxt}%
86.184 +\isamarkuptrue%
86.185 +\isacommand{apply}\isamarkupfalse%
86.186 +{\isaliteral{28}{\isacharparenleft}}erule\ contrapos{\isaliteral{5F}{\isacharunderscore}}pp{\isaliteral{29}{\isacharparenright}}\isanewline
86.187 +\isacommand{apply}\isamarkupfalse%
86.188 +{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ wf{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}down{\isaliteral{5F}{\isacharunderscore}}chain{\isaliteral{29}{\isacharparenright}}\isanewline
86.189 +\isacommand{apply}\isamarkupfalse%
86.190 +{\isaliteral{28}{\isacharparenleft}}erule\ exE{\isaliteral{29}{\isacharparenright}}\isanewline
86.191 +\isacommand{apply}\isamarkupfalse%
86.192 +{\isaliteral{28}{\isacharparenleft}}rule\ ex{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}path{\isaliteral{29}{\isacharparenright}}\isanewline
86.193 +\isacommand{apply}\isamarkupfalse%
86.194 +{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ Paths{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
86.195 +\isacommand{done}\isamarkupfalse%
86.196 +%
86.197 +\endisatagproof
86.198 +{\isafoldproof}%
86.199 +%
86.200 +\isadelimproof
86.201 +%
86.202 +\endisadelimproof
86.203 +%
86.204 +\begin{isamarkuptext}%
86.205 +The \isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}} modifier of the \isa{rule{\isaliteral{5F}{\isacharunderscore}}format} directive in the
86.206 +statement of the lemma means
86.207 +that the assumption is left unchanged; otherwise the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p}
86.208 +would be turned
86.209 +into a \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}p}, which would complicate matters below. As it is,
86.210 +\isa{Avoid{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp} is now
86.211 +\begin{isabelle}%
86.212 +\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{3B}{\isacharsemicolon}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}%
86.213 +\end{isabelle}
86.214 +The main theorem is simply the corollary where \isa{t\ {\isaliteral{3D}{\isacharequal}}\ s},
86.215 +when the assumption \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A} is trivially true
86.216 +by the first \isa{Avoid}-rule. Isabelle confirms this:%
86.217 +\index{CTL|)}%
86.218 +\end{isamarkuptext}%
86.219 +\isamarkuptrue%
86.220 +\isacommand{theorem}\isamarkupfalse%
86.221 +\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}\ i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
86.222 +%
86.223 +\isadelimproof
86.224 +%
86.225 +\endisadelimproof
86.226 +%
86.227 +\isatagproof
86.228 +\isacommand{by}\isamarkupfalse%
86.229 +{\isaliteral{28}{\isacharparenleft}}auto\ elim{\isaliteral{3A}{\isacharcolon}}\ Avoid{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp\ intro{\isaliteral{3A}{\isacharcolon}}\ Avoid{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
86.230 +\isanewline
86.231 +%
86.232 +\endisatagproof
86.233 +{\isafoldproof}%
86.234 +%
86.235 +\isadelimproof
86.236 +%
86.237 +\endisadelimproof
86.238 +%
86.239 +\isadelimtheory
86.240 +%
86.241 +\endisadelimtheory
86.242 +%
86.243 +\isatagtheory
86.244 +%
86.245 +\endisatagtheory
86.246 +{\isafoldtheory}%
86.247 +%
86.248 +\isadelimtheory
86.249 +%
86.250 +\endisadelimtheory
86.251 +\end{isabellebody}%
86.252 +%%% Local Variables:
86.253 +%%% mode: latex
86.254 +%%% TeX-master: "root"
86.255 +%%% End:
87.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
87.2 +++ b/doc-src/TutorialI/document/CodeGen.tex Thu Jul 26 19:59:06 2012 +0200
87.3 @@ -0,0 +1,237 @@
87.4 +%
87.5 +\begin{isabellebody}%
87.6 +\def\isabellecontext{CodeGen}%
87.7 +%
87.8 +\isadelimtheory
87.9 +%
87.10 +\endisadelimtheory
87.11 +%
87.12 +\isatagtheory
87.13 +%
87.14 +\endisatagtheory
87.15 +{\isafoldtheory}%
87.16 +%
87.17 +\isadelimtheory
87.18 +%
87.19 +\endisadelimtheory
87.20 +%
87.21 +\isamarkupsection{Case Study: Compiling Expressions%
87.22 +}
87.23 +\isamarkuptrue%
87.24 +%
87.25 +\begin{isamarkuptext}%
87.26 +\label{sec:ExprCompiler}
87.27 +\index{compiling expressions example|(}%
87.28 +The task is to develop a compiler from a generic type of expressions (built
87.29 +from variables, constants and binary operations) to a stack machine. This
87.30 +generic type of expressions is a generalization of the boolean expressions in
87.31 +\S\ref{sec:boolex}. This time we do not commit ourselves to a particular
87.32 +type of variables or values but make them type parameters. Neither is there
87.33 +a fixed set of binary operations: instead the expression contains the
87.34 +appropriate function itself.%
87.35 +\end{isamarkuptext}%
87.36 +\isamarkuptrue%
87.37 +\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
87.38 +\ {\isaliteral{27}{\isacharprime}}v\ binop\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
87.39 +\isacommand{datatype}\isamarkupfalse%
87.40 +\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr\ {\isaliteral{3D}{\isacharequal}}\ Cex\ {\isaliteral{27}{\isacharprime}}v\isanewline
87.41 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Vex\ {\isaliteral{27}{\isacharprime}}a\isanewline
87.42 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Bex\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ binop{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr{\isaliteral{22}{\isachardoublequoteclose}}%
87.43 +\begin{isamarkuptext}%
87.44 +\noindent
87.45 +The three constructors represent constants, variables and the application of
87.46 +a binary operation to two subexpressions.
87.47 +
87.48 +The value of an expression with respect to an environment that maps variables to
87.49 +values is easily defined:%
87.50 +\end{isamarkuptext}%
87.51 +\isamarkuptrue%
87.52 +\isacommand{primrec}\isamarkupfalse%
87.53 +\ {\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
87.54 +{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Cex\ v{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ v{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
87.55 +{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Vex\ a{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ env\ a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
87.56 +{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Bex\ f\ e{\isadigit{1}}\ e{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{28}{\isacharparenleft}}value\ e{\isadigit{1}}\ env{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}value\ e{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
87.57 +\begin{isamarkuptext}%
87.58 +The stack machine has three instructions: load a constant value onto the
87.59 +stack, load the contents of an address onto the stack, and apply a
87.60 +binary operation to the two topmost elements of the stack, replacing them by
87.61 +the result. As for \isa{expr}, addresses and values are type parameters:%
87.62 +\end{isamarkuptext}%
87.63 +\isamarkuptrue%
87.64 +\isacommand{datatype}\isamarkupfalse%
87.65 +\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ instr\ {\isaliteral{3D}{\isacharequal}}\ Const\ {\isaliteral{27}{\isacharprime}}v\isanewline
87.66 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Load\ {\isaliteral{27}{\isacharprime}}a\isanewline
87.67 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Apply\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ binop{\isaliteral{22}{\isachardoublequoteclose}}%
87.68 +\begin{isamarkuptext}%
87.69 +The execution of the stack machine is modelled by a function
87.70 +\isa{exec} that takes a list of instructions, a store (modelled as a
87.71 +function from addresses to values, just like the environment for
87.72 +evaluating expressions), and a stack (modelled as a list) of values,
87.73 +and returns the stack at the end of the execution --- the store remains
87.74 +unchanged:%
87.75 +\end{isamarkuptext}%
87.76 +\isamarkuptrue%
87.77 +\isacommand{primrec}\isamarkupfalse%
87.78 +\ exec\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}instr\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ list{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
87.79 +\isakeyword{where}\isanewline
87.80 +{\isaliteral{22}{\isachardoublequoteopen}}exec\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ vs{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
87.81 +{\isaliteral{22}{\isachardoublequoteopen}}exec\ {\isaliteral{28}{\isacharparenleft}}i{\isaliteral{23}{\isacharhash}}is{\isaliteral{29}{\isacharparenright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ i\ of\isanewline
87.82 +\ \ \ \ Const\ v\ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ exec\ is\ s\ {\isaliteral{28}{\isacharparenleft}}v{\isaliteral{23}{\isacharhash}}vs{\isaliteral{29}{\isacharparenright}}\isanewline
87.83 +\ \ {\isaliteral{7C}{\isacharbar}}\ Load\ a\ \ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ exec\ is\ s\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}s\ a{\isaliteral{29}{\isacharparenright}}{\isaliteral{23}{\isacharhash}}vs{\isaliteral{29}{\isacharparenright}}\isanewline
87.84 +\ \ {\isaliteral{7C}{\isacharbar}}\ Apply\ f\ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ exec\ is\ s\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}hd\ vs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}hd{\isaliteral{28}{\isacharparenleft}}tl\ vs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{23}{\isacharhash}}{\isaliteral{28}{\isacharparenleft}}tl{\isaliteral{28}{\isacharparenleft}}tl\ vs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
87.85 +\begin{isamarkuptext}%
87.86 +\noindent
87.87 +Recall that \isa{hd} and \isa{tl}
87.88 +return the first element and the remainder of a list.
87.89 +Because all functions are total, \cdx{hd} is defined even for the empty
87.90 +list, although we do not know what the result is. Thus our model of the
87.91 +machine always terminates properly, although the definition above does not
87.92 +tell us much about the result in situations where \isa{Apply} was executed
87.93 +with fewer than two elements on the stack.
87.94 +
87.95 +The compiler is a function from expressions to a list of instructions. Its
87.96 +definition is obvious:%
87.97 +\end{isamarkuptext}%
87.98 +\isamarkuptrue%
87.99 +\isacommand{primrec}\isamarkupfalse%
87.100 +\ compile\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}instr\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
87.101 +{\isaliteral{22}{\isachardoublequoteopen}}compile\ {\isaliteral{28}{\isacharparenleft}}Cex\ v{\isaliteral{29}{\isacharparenright}}\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}Const\ v{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
87.102 +{\isaliteral{22}{\isachardoublequoteopen}}compile\ {\isaliteral{28}{\isacharparenleft}}Vex\ a{\isaliteral{29}{\isacharparenright}}\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}Load\ a{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
87.103 +{\isaliteral{22}{\isachardoublequoteopen}}compile\ {\isaliteral{28}{\isacharparenleft}}Bex\ f\ e{\isadigit{1}}\ e{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}Apply\ f{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
87.104 +\begin{isamarkuptext}%
87.105 +Now we have to prove the correctness of the compiler, i.e.\ that the
87.106 +execution of a compiled expression results in the value of the expression:%
87.107 +\end{isamarkuptext}%
87.108 +\isamarkuptrue%
87.109 +\isacommand{theorem}\isamarkupfalse%
87.110 +\ {\isaliteral{22}{\isachardoublequoteopen}}exec\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isaliteral{29}{\isacharparenright}}\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}value\ e\ s{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
87.111 +\isadelimproof
87.112 +%
87.113 +\endisadelimproof
87.114 +%
87.115 +\isatagproof
87.116 +%
87.117 +\endisatagproof
87.118 +{\isafoldproof}%
87.119 +%
87.120 +\isadelimproof
87.121 +%
87.122 +\endisadelimproof
87.123 +%
87.124 +\begin{isamarkuptext}%
87.125 +\noindent
87.126 +This theorem needs to be generalized:%
87.127 +\end{isamarkuptext}%
87.128 +\isamarkuptrue%
87.129 +\isacommand{theorem}\isamarkupfalse%
87.130 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}vs{\isaliteral{2E}{\isachardot}}\ exec\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isaliteral{29}{\isacharparenright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}value\ e\ s{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ vs{\isaliteral{22}{\isachardoublequoteclose}}%
87.131 +\isadelimproof
87.132 +%
87.133 +\endisadelimproof
87.134 +%
87.135 +\isatagproof
87.136 +%
87.137 +\begin{isamarkuptxt}%
87.138 +\noindent
87.139 +It will be proved by induction on \isa{e} followed by simplification.
87.140 +First, we must prove a lemma about executing the concatenation of two
87.141 +instruction sequences:%
87.142 +\end{isamarkuptxt}%
87.143 +\isamarkuptrue%
87.144 +%
87.145 +\endisatagproof
87.146 +{\isafoldproof}%
87.147 +%
87.148 +\isadelimproof
87.149 +%
87.150 +\endisadelimproof
87.151 +\isacommand{lemma}\isamarkupfalse%
87.152 +\ exec{\isaliteral{5F}{\isacharunderscore}}app{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
87.153 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}vs{\isaliteral{2E}{\isachardot}}\ exec\ {\isaliteral{28}{\isacharparenleft}}xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{29}{\isacharparenright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ exec\ ys\ s\ {\isaliteral{28}{\isacharparenleft}}exec\ xs\ s\ vs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
87.154 +\isadelimproof
87.155 +%
87.156 +\endisadelimproof
87.157 +%
87.158 +\isatagproof
87.159 +%
87.160 +\begin{isamarkuptxt}%
87.161 +\noindent
87.162 +This requires induction on \isa{xs} and ordinary simplification for the
87.163 +base cases. In the induction step, simplification leaves us with a formula
87.164 +that contains two \isa{case}-expressions over instructions. Thus we add
87.165 +automatic case splitting, which finishes the proof:%
87.166 +\end{isamarkuptxt}%
87.167 +\isamarkuptrue%
87.168 +\isacommand{apply}\isamarkupfalse%
87.169 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{2C}{\isacharcomma}}\ simp\ split{\isaliteral{3A}{\isacharcolon}}\ instr{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
87.170 +\endisatagproof
87.171 +{\isafoldproof}%
87.172 +%
87.173 +\isadelimproof
87.174 +%
87.175 +\endisadelimproof
87.176 +%
87.177 +\begin{isamarkuptext}%
87.178 +\noindent
87.179 +Note that because both \methdx{simp_all} and \methdx{auto} perform simplification, they can
87.180 +be modified in the same way as \isa{simp}. Thus the proof can be
87.181 +rewritten as%
87.182 +\end{isamarkuptext}%
87.183 +\isamarkuptrue%
87.184 +%
87.185 +\isadelimproof
87.186 +%
87.187 +\endisadelimproof
87.188 +%
87.189 +\isatagproof
87.190 +\isacommand{apply}\isamarkupfalse%
87.191 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all\ split{\isaliteral{3A}{\isacharcolon}}\ instr{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
87.192 +\endisatagproof
87.193 +{\isafoldproof}%
87.194 +%
87.195 +\isadelimproof
87.196 +%
87.197 +\endisadelimproof
87.198 +%
87.199 +\begin{isamarkuptext}%
87.200 +\noindent
87.201 +Although this is more compact, it is less clear for the reader of the proof.
87.202 +
87.203 +We could now go back and prove \isa{exec\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isaliteral{29}{\isacharparenright}}\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}value\ e\ s{\isaliteral{5D}{\isacharbrackright}}}
87.204 +merely by simplification with the generalized version we just proved.
87.205 +However, this is unnecessary because the generalized version fully subsumes
87.206 +its instance.%
87.207 +\index{compiling expressions example|)}%
87.208 +\end{isamarkuptext}%
87.209 +\isamarkuptrue%
87.210 +%
87.211 +\isadelimproof
87.212 +%
87.213 +\endisadelimproof
87.214 +%
87.215 +\isatagproof
87.216 +%
87.217 +\endisatagproof
87.218 +{\isafoldproof}%
87.219 +%
87.220 +\isadelimproof
87.221 +%
87.222 +\endisadelimproof
87.223 +%
87.224 +\isadelimtheory
87.225 +%
87.226 +\endisadelimtheory
87.227 +%
87.228 +\isatagtheory
87.229 +%
87.230 +\endisatagtheory
87.231 +{\isafoldtheory}%
87.232 +%
87.233 +\isadelimtheory
87.234 +%
87.235 +\endisadelimtheory
87.236 +\end{isabellebody}%
87.237 +%%% Local Variables:
87.238 +%%% mode: latex
87.239 +%%% TeX-master: "root"
87.240 +%%% End:
88.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
88.2 +++ b/doc-src/TutorialI/document/Documents.tex Thu Jul 26 19:59:06 2012 +0200
88.3 @@ -0,0 +1,933 @@
88.4 +%
88.5 +\begin{isabellebody}%
88.6 +\def\isabellecontext{Documents}%
88.7 +%
88.8 +\isadelimtheory
88.9 +%
88.10 +\endisadelimtheory
88.11 +%
88.12 +\isatagtheory
88.13 +%
88.14 +\endisatagtheory
88.15 +{\isafoldtheory}%
88.16 +%
88.17 +\isadelimtheory
88.18 +%
88.19 +\endisadelimtheory
88.20 +%
88.21 +\isamarkupsection{Concrete Syntax \label{sec:concrete-syntax}%
88.22 +}
88.23 +\isamarkuptrue%
88.24 +%
88.25 +\begin{isamarkuptext}%
88.26 +The core concept of Isabelle's framework for concrete syntax is that
88.27 + of \bfindex{mixfix annotations}. Associated with any kind of
88.28 + constant declaration, mixfixes affect both the grammar productions
88.29 + for the parser and output templates for the pretty printer.
88.30 +
88.31 + In full generality, parser and pretty printer configuration is a
88.32 + subtle affair~\cite{isabelle-ref}. Your syntax specifications need
88.33 + to interact properly with the existing setup of Isabelle/Pure and
88.34 + Isabelle/HOL\@. To avoid creating ambiguities with existing
88.35 + elements, it is particularly important to give new syntactic
88.36 + constructs the right precedence.
88.37 +
88.38 + Below we introduce a few simple syntax declaration
88.39 + forms that already cover many common situations fairly well.%
88.40 +\end{isamarkuptext}%
88.41 +\isamarkuptrue%
88.42 +%
88.43 +\isamarkupsubsection{Infix Annotations%
88.44 +}
88.45 +\isamarkuptrue%
88.46 +%
88.47 +\begin{isamarkuptext}%
88.48 +Syntax annotations may be included wherever constants are declared,
88.49 + such as \isacommand{definition} and \isacommand{primrec} --- and also
88.50 + \isacommand{datatype}, which declares constructor operations.
88.51 + Type-constructors may be annotated as well, although this is less
88.52 + frequently encountered in practice (the infix type \isa{{\isaliteral{5C3C74696D65733E}{\isasymtimes}}} comes
88.53 + to mind).
88.54 +
88.55 + Infix declarations\index{infix annotations} provide a useful special
88.56 + case of mixfixes. The following example of the exclusive-or
88.57 + operation on boolean values illustrates typical infix declarations.%
88.58 +\end{isamarkuptext}%
88.59 +\isamarkuptrue%
88.60 +\isacommand{definition}\isamarkupfalse%
88.61 +\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
88.62 +\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
88.63 +\begin{isamarkuptext}%
88.64 +\noindent Now \isa{xor\ A\ B} and \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B} refer to the
88.65 + same expression internally. Any curried function with at least two
88.66 + arguments may be given infix syntax. For partial applications with
88.67 + fewer than two operands, there is a notation using the prefix~\isa{op}. For instance, \isa{xor} without arguments is represented as
88.68 + \isa{op\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}}; together with ordinary function application, this
88.69 + turns \isa{xor\ A} into \isa{op\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ A}.
88.70 +
88.71 + The keyword \isakeyword{infixl} seen above specifies an
88.72 + infix operator that is nested to the \emph{left}: in iterated
88.73 + applications the more complex expression appears on the left-hand
88.74 + side, and \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C} stands for \isa{{\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C}. Similarly, \isakeyword{infixr} means nesting to the
88.75 + \emph{right}, reading \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C} as \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{28}{\isacharparenleft}}B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C{\isaliteral{29}{\isacharparenright}}}. A \emph{non-oriented} declaration via \isakeyword{infix}
88.76 + would render \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C} illegal, but demand explicit
88.77 + parentheses to indicate the intended grouping.
88.78 +
88.79 + The string \isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequote}}} in our annotation refers to the
88.80 + concrete syntax to represent the operator (a literal token), while
88.81 + the number \isa{{\isadigit{6}}{\isadigit{0}}} determines the precedence of the construct:
88.82 + the syntactic priorities of the arguments and result. Isabelle/HOL
88.83 + already uses up many popular combinations of ASCII symbols for its
88.84 + own use, including both \isa{{\isaliteral{2B}{\isacharplus}}} and \isa{{\isaliteral{2B}{\isacharplus}}{\isaliteral{2B}{\isacharplus}}}. Longer
88.85 + character combinations are more likely to be still available for
88.86 + user extensions, such as our~\isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}}.
88.87 +
88.88 + Operator precedences have a range of 0--1000. Very low or high
88.89 + priorities are reserved for the meta-logic. HOL syntax mainly uses
88.90 + the range of 10--100: the equality infix \isa{{\isaliteral{3D}{\isacharequal}}} is centered at
88.91 + 50; logical connectives (like \isa{{\isaliteral{5C3C6F723E}{\isasymor}}} and \isa{{\isaliteral{5C3C616E643E}{\isasymand}}}) are
88.92 + below 50; algebraic ones (like \isa{{\isaliteral{2B}{\isacharplus}}} and \isa{{\isaliteral{2A}{\isacharasterisk}}}) are
88.93 + above 50. User syntax should strive to coexist with common HOL
88.94 + forms, or use the mostly unused range 100--900.%
88.95 +\end{isamarkuptext}%
88.96 +\isamarkuptrue%
88.97 +%
88.98 +\isamarkupsubsection{Mathematical Symbols \label{sec:syntax-symbols}%
88.99 +}
88.100 +\isamarkuptrue%
88.101 +%
88.102 +\begin{isamarkuptext}%
88.103 +Concrete syntax based on ASCII characters has inherent limitations.
88.104 + Mathematical notation demands a larger repertoire of glyphs.
88.105 + Several standards of extended character sets have been proposed over
88.106 + decades, but none has become universally available so far. Isabelle
88.107 + has its own notion of \bfindex{symbols} as the smallest entities of
88.108 + source text, without referring to internal encodings. There are
88.109 + three kinds of such ``generalized characters'':
88.110 +
88.111 + \begin{enumerate}
88.112 +
88.113 + \item 7-bit ASCII characters
88.114 +
88.115 + \item named symbols: \verb,\,\verb,<,$ident$\verb,>,
88.116 +
88.117 + \item named control symbols: \verb,\,\verb,<^,$ident$\verb,>,
88.118 +
88.119 + \end{enumerate}
88.120 +
88.121 + Here $ident$ is any sequence of letters.
88.122 + This results in an infinite store of symbols, whose
88.123 + interpretation is left to further front-end tools. For example, the
88.124 + user-interface of Proof~General + X-Symbol and the Isabelle document
88.125 + processor (see \S\ref{sec:document-preparation}) display the
88.126 + \verb,\,\verb,<forall>, symbol as~\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}}.
88.127 +
88.128 + A list of standard Isabelle symbols is given in
88.129 + \cite{isabelle-isar-ref}. You may introduce your own
88.130 + interpretation of further symbols by configuring the appropriate
88.131 + front-end tool accordingly, e.g.\ by defining certain {\LaTeX}
88.132 + macros (see also \S\ref{sec:doc-prep-symbols}). There are also a
88.133 + few predefined control symbols, such as \verb,\,\verb,<^sub>, and
88.134 + \verb,\,\verb,<^sup>, for sub- and superscript of the subsequent
88.135 + printable symbol, respectively. For example, \verb,A\<^sup>\<star>, is
88.136 + output as \isa{A\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{5C3C737461723E}{\isasymstar}}}.
88.137 +
88.138 + A number of symbols are considered letters by the Isabelle lexer and
88.139 + can be used as part of identifiers. These are the greek letters
88.140 + \isa{{\isaliteral{5C3C616C7068613E}{\isasymalpha}}} (\verb+\+\verb+<alpha>+), \isa{{\isaliteral{5C3C626574613E}{\isasymbeta}}}
88.141 + (\verb+\+\verb+<beta>+), etc. (excluding \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}}),
88.142 + special letters like \isa{{\isaliteral{5C3C413E}{\isasymA}}} (\verb+\+\verb+<A>+) and \isa{{\isaliteral{5C3C41413E}{\isasymAA}}} (\verb+\+\verb+<AA>+), and the control symbols
88.143 + \verb+\+\verb+<^isub>+ and \verb+\+\verb+<^isup>+ for single letter
88.144 + sub and super scripts. This means that the input
88.145 +
88.146 + \medskip
88.147 + {\small\noindent \verb,\,\verb,<forall>\,\verb,<alpha>\<^isub>1.,~\verb,\,\verb,<alpha>\<^isub>1 = \,\verb,<Pi>\<^isup>\<A>,}
88.148 +
88.149 + \medskip
88.150 + \noindent is recognized as the term \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}{\isaliteral{5C3C616C7068613E}{\isasymalpha}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C616C7068613E}{\isasymalpha}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C50693E}{\isasymPi}}\isaliteral{5C3C5E697375703E}{}\isactrlisup {\isaliteral{5C3C413E}{\isasymA}}}
88.151 + by Isabelle. Note that \isa{{\isaliteral{5C3C50693E}{\isasymPi}}\isaliteral{5C3C5E697375703E}{}\isactrlisup {\isaliteral{5C3C413E}{\isasymA}}} is a single
88.152 + syntactic entity, not an exponentiation.
88.153 +
88.154 + Replacing our previous definition of \isa{xor} by the
88.155 + following specifies an Isabelle symbol for the new operator:%
88.156 +\end{isamarkuptext}%
88.157 +\isamarkuptrue%
88.158 +%
88.159 +\isadelimML
88.160 +%
88.161 +\endisadelimML
88.162 +%
88.163 +\isatagML
88.164 +%
88.165 +\endisatagML
88.166 +{\isafoldML}%
88.167 +%
88.168 +\isadelimML
88.169 +%
88.170 +\endisadelimML
88.171 +\isacommand{definition}\isamarkupfalse%
88.172 +\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
88.173 +\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
88.174 +\isadelimML
88.175 +%
88.176 +\endisadelimML
88.177 +%
88.178 +\isatagML
88.179 +%
88.180 +\endisatagML
88.181 +{\isafoldML}%
88.182 +%
88.183 +\isadelimML
88.184 +%
88.185 +\endisadelimML
88.186 +%
88.187 +\begin{isamarkuptext}%
88.188 +\noindent Proof~General provides several input methods to enter
88.189 + \isa{{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}} in the text. If all fails one may just type a named
88.190 + entity \verb,\,\verb,<oplus>, by hand; the corresponding symbol will
88.191 + be displayed after further input.
88.192 +
88.193 + More flexible is to provide alternative syntax forms
88.194 + through the \bfindex{print mode} concept~\cite{isabelle-ref}. By
88.195 + convention, the mode of ``$xsymbols$'' is enabled whenever
88.196 + Proof~General's X-Symbol mode or {\LaTeX} output is active. Now
88.197 + consider the following hybrid declaration of \isa{xor}:%
88.198 +\end{isamarkuptext}%
88.199 +\isamarkuptrue%
88.200 +%
88.201 +\isadelimML
88.202 +%
88.203 +\endisadelimML
88.204 +%
88.205 +\isatagML
88.206 +%
88.207 +\endisatagML
88.208 +{\isafoldML}%
88.209 +%
88.210 +\isadelimML
88.211 +%
88.212 +\endisadelimML
88.213 +\isacommand{definition}\isamarkupfalse%
88.214 +\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
88.215 +\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
88.216 +\isanewline
88.217 +\isacommand{notation}\isamarkupfalse%
88.218 +\ {\isaliteral{28}{\isacharparenleft}}xsymbols{\isaliteral{29}{\isacharparenright}}\ xor\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}%
88.219 +\isadelimML
88.220 +%
88.221 +\endisadelimML
88.222 +%
88.223 +\isatagML
88.224 +%
88.225 +\endisatagML
88.226 +{\isafoldML}%
88.227 +%
88.228 +\isadelimML
88.229 +%
88.230 +\endisadelimML
88.231 +%
88.232 +\begin{isamarkuptext}%
88.233 +\noindent
88.234 +The \commdx{notation} command associates a mixfix
88.235 +annotation with a known constant. The print mode specification,
88.236 +here \isa{{\isaliteral{28}{\isacharparenleft}}xsymbols{\isaliteral{29}{\isacharparenright}}}, is optional.
88.237 +
88.238 +We may now write \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B} or \isa{A\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ B} in input, while
88.239 +output uses the nicer syntax of $xsymbols$ whenever that print mode is
88.240 +active. Such an arrangement is particularly useful for interactive
88.241 +development, where users may type ASCII text and see mathematical
88.242 +symbols displayed during proofs.%
88.243 +\end{isamarkuptext}%
88.244 +\isamarkuptrue%
88.245 +%
88.246 +\isamarkupsubsection{Prefix Annotations%
88.247 +}
88.248 +\isamarkuptrue%
88.249 +%
88.250 +\begin{isamarkuptext}%
88.251 +Prefix syntax annotations\index{prefix annotation} are another form
88.252 + of mixfixes \cite{isabelle-ref}, without any template arguments or
88.253 + priorities --- just some literal syntax. The following example
88.254 + associates common symbols with the constructors of a datatype.%
88.255 +\end{isamarkuptext}%
88.256 +\isamarkuptrue%
88.257 +\isacommand{datatype}\isamarkupfalse%
88.258 +\ currency\ {\isaliteral{3D}{\isacharequal}}\isanewline
88.259 +\ \ \ \ Euro\ nat\ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6575726F3E}{\isasymeuro}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
88.260 +\ \ {\isaliteral{7C}{\isacharbar}}\ Pounds\ nat\ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C706F756E64733E}{\isasympounds}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
88.261 +\ \ {\isaliteral{7C}{\isacharbar}}\ Yen\ nat\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C79656E3E}{\isasymyen}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
88.262 +\ \ {\isaliteral{7C}{\isacharbar}}\ Dollar\ nat\ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{24}{\isachardollar}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}%
88.263 +\begin{isamarkuptext}%
88.264 +\noindent Here the mixfix annotations on the rightmost column happen
88.265 + to consist of a single Isabelle symbol each: \verb,\,\verb,<euro>,,
88.266 + \verb,\,\verb,<pounds>,, \verb,\,\verb,<yen>,, and \verb,$,. Recall
88.267 + that a constructor like \isa{Euro} actually is a function \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ currency}. The expression \isa{Euro\ {\isadigit{1}}{\isadigit{0}}} will be
88.268 + printed as \isa{{\isaliteral{5C3C6575726F3E}{\isasymeuro}}\ {\isadigit{1}}{\isadigit{0}}}; only the head of the application is
88.269 + subject to our concrete syntax. This rather simple form already
88.270 + achieves conformance with notational standards of the European
88.271 + Commission.
88.272 +
88.273 + Prefix syntax works the same way for other commands that introduce new constants, e.g. \isakeyword{primrec}.%
88.274 +\end{isamarkuptext}%
88.275 +\isamarkuptrue%
88.276 +%
88.277 +\isamarkupsubsection{Abbreviations \label{sec:abbreviations}%
88.278 +}
88.279 +\isamarkuptrue%
88.280 +%
88.281 +\begin{isamarkuptext}%
88.282 +Mixfix syntax annotations merely decorate particular constant
88.283 +application forms with concrete syntax, for instance replacing
88.284 +\isa{xor\ A\ B} by \isa{A\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ B}. Occasionally, the relationship
88.285 +between some piece of notation and its internal form is more
88.286 +complicated. Here we need \emph{abbreviations}.
88.287 +
88.288 +Command \commdx{abbreviation} introduces an uninterpreted notational
88.289 +constant as an abbreviation for a complex term. Abbreviations are
88.290 +unfolded upon parsing and re-introduced upon printing. This provides a
88.291 +simple mechanism for syntactic macros.
88.292 +
88.293 +A typical use of abbreviations is to introduce relational notation for
88.294 +membership in a set of pairs, replacing \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim} by
88.295 +\isa{x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y}. We assume that a constant \isa{sim} of type
88.296 +\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ set} has been introduced at this point.%
88.297 +\end{isamarkuptext}%
88.298 +\isamarkuptrue%
88.299 +\isacommand{abbreviation}\isamarkupfalse%
88.300 +\ sim{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infix}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C617070726F783E}{\isasymapprox}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{5}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
88.301 +\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y\ \ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ \ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim{\isaliteral{22}{\isachardoublequoteclose}}%
88.302 +\begin{isamarkuptext}%
88.303 +\noindent The given meta-equality is used as a rewrite rule
88.304 +after parsing (replacing \mbox{\isa{x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y}} by \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim}) and before printing (turning \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim} back into
88.305 +\mbox{\isa{x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y}}). The name of the dummy constant \isa{sim{\isadigit{2}}}
88.306 +does not matter, as long as it is unique.
88.307 +
88.308 +Another common application of abbreviations is to
88.309 +provide variant versions of fundamental relational expressions, such
88.310 +as \isa{{\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}} for negated equalities. The following declaration
88.311 +stems from Isabelle/HOL itself:%
88.312 +\end{isamarkuptext}%
88.313 +\isamarkuptrue%
88.314 +\isacommand{abbreviation}\isamarkupfalse%
88.315 +\ not{\isaliteral{5F}{\isacharunderscore}}equal\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7E}{\isachartilde}}{\isaliteral{3D}{\isacharequal}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{5}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
88.316 +\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{7E}{\isachartilde}}{\isaliteral{3D}{\isacharequal}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}\ y\ \ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ \ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
88.317 +\isanewline
88.318 +\isacommand{notation}\isamarkupfalse%
88.319 +\ {\isaliteral{28}{\isacharparenleft}}xsymbols{\isaliteral{29}{\isacharparenright}}\ not{\isaliteral{5F}{\isacharunderscore}}equal\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infix}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{5}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}%
88.320 +\begin{isamarkuptext}%
88.321 +\noindent The notation \isa{{\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}} is introduced separately to restrict it
88.322 +to the \emph{xsymbols} mode.
88.323 +
88.324 +Abbreviations are appropriate when the defined concept is a
88.325 +simple variation on an existing one. But because of the automatic
88.326 +folding and unfolding of abbreviations, they do not scale up well to
88.327 +large hierarchies of concepts. Abbreviations do not replace
88.328 +definitions.
88.329 +
88.330 +Abbreviations are a simplified form of the general concept of
88.331 +\emph{syntax translations}; even heavier transformations may be
88.332 +written in ML \cite{isabelle-ref}.%
88.333 +\end{isamarkuptext}%
88.334 +\isamarkuptrue%
88.335 +%
88.336 +\isamarkupsection{Document Preparation \label{sec:document-preparation}%
88.337 +}
88.338 +\isamarkuptrue%
88.339 +%
88.340 +\begin{isamarkuptext}%
88.341 +Isabelle/Isar is centered around the concept of \bfindex{formal
88.342 + proof documents}\index{documents|bold}. The outcome of a formal
88.343 + development effort is meant to be a human-readable record, presented
88.344 + as browsable PDF file or printed on paper. The overall document
88.345 + structure follows traditional mathematical articles, with sections,
88.346 + intermediate explanations, definitions, theorems and proofs.
88.347 +
88.348 + \medskip The Isabelle document preparation system essentially acts
88.349 + as a front-end to {\LaTeX}. After checking specifications and
88.350 + proofs formally, the theory sources are turned into typesetting
88.351 + instructions in a schematic manner. This lets you write authentic
88.352 + reports on theory developments with little effort: many technical
88.353 + consistency checks are handled by the system.
88.354 +
88.355 + Here is an example to illustrate the idea of Isabelle document
88.356 + preparation.%
88.357 +\end{isamarkuptext}%
88.358 +\isamarkuptrue%
88.359 +%
88.360 +\begin{quotation}
88.361 +%
88.362 +\begin{isamarkuptext}%
88.363 +The following datatype definition of \isa{{\isaliteral{27}{\isacharprime}}a\ bintree} models
88.364 + binary trees with nodes being decorated by elements of type \isa{{\isaliteral{27}{\isacharprime}}a}.%
88.365 +\end{isamarkuptext}%
88.366 +\isamarkuptrue%
88.367 +\isacommand{datatype}\isamarkupfalse%
88.368 +\ {\isaliteral{27}{\isacharprime}}a\ bintree\ {\isaliteral{3D}{\isacharequal}}\isanewline
88.369 +\ \ \ \ \ Leaf\ {\isaliteral{7C}{\isacharbar}}\ Branch\ {\isaliteral{27}{\isacharprime}}a\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bintree{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bintree{\isaliteral{22}{\isachardoublequoteclose}}%
88.370 +\begin{isamarkuptext}%
88.371 +\noindent The datatype induction rule generated here is of the form
88.372 + \begin{isabelle}%
88.373 +\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ Leaf{\isaliteral{3B}{\isacharsemicolon}}\isanewline
88.374 +\isaindent{\ \ }{\isaliteral{5C3C416E643E}{\isasymAnd}}a\ bintree{\isadigit{1}}\ bintree{\isadigit{2}}{\isaliteral{2E}{\isachardot}}\isanewline
88.375 +\isaindent{\ \ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ bintree{\isadigit{1}}{\isaliteral{3B}{\isacharsemicolon}}\ P\ bintree{\isadigit{2}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Branch\ a\ bintree{\isadigit{1}}\ bintree{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
88.376 +\isaindent{\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ bintree%
88.377 +\end{isabelle}%
88.378 +\end{isamarkuptext}%
88.379 +\isamarkuptrue%
88.380 +%
88.381 +\end{quotation}
88.382 +%
88.383 +\begin{isamarkuptext}%
88.384 +\noindent The above document output has been produced as follows:
88.385 +
88.386 + \begin{ttbox}
88.387 + text {\ttlbrace}*
88.388 + The following datatype definition of {\at}{\ttlbrace}text "'a bintree"{\ttrbrace}
88.389 + models binary trees with nodes being decorated by elements
88.390 + of type {\at}{\ttlbrace}typ 'a{\ttrbrace}.
88.391 + *{\ttrbrace}
88.392 +
88.393 + datatype 'a bintree =
88.394 + Leaf | Branch 'a "'a bintree" "'a bintree"
88.395 + \end{ttbox}
88.396 + \begin{ttbox}
88.397 + text {\ttlbrace}*
88.398 + {\ttback}noindent The datatype induction rule generated here is
88.399 + of the form {\at}{\ttlbrace}thm [display] bintree.induct [no_vars]{\ttrbrace}
88.400 + *{\ttrbrace}
88.401 + \end{ttbox}\vspace{-\medskipamount}
88.402 +
88.403 + \noindent Here we have augmented the theory by formal comments
88.404 + (using \isakeyword{text} blocks), the informal parts may again refer
88.405 + to formal entities by means of ``antiquotations'' (such as
88.406 + \texttt{\at}\verb,{text "'a bintree"}, or
88.407 + \texttt{\at}\verb,{typ 'a},), see also \S\ref{sec:doc-prep-text}.%
88.408 +\end{isamarkuptext}%
88.409 +\isamarkuptrue%
88.410 +%
88.411 +\isamarkupsubsection{Isabelle Sessions%
88.412 +}
88.413 +\isamarkuptrue%
88.414 +%
88.415 +\begin{isamarkuptext}%
88.416 +In contrast to the highly interactive mode of Isabelle/Isar theory
88.417 + development, the document preparation stage essentially works in
88.418 + batch-mode. An Isabelle \bfindex{session} consists of a collection
88.419 + of source files that may contribute to an output document. Each
88.420 + session is derived from a single parent, usually an object-logic
88.421 + image like \texttt{HOL}. This results in an overall tree structure,
88.422 + which is reflected by the output location in the file system
88.423 + (usually rooted at \verb,~/.isabelle/IsabelleXXXX/browser_info,).
88.424 +
88.425 + \medskip The easiest way to manage Isabelle sessions is via
88.426 + \texttt{isabelle mkdir} (generates an initial session source setup)
88.427 + and \texttt{isabelle make} (run sessions controlled by
88.428 + \texttt{IsaMakefile}). For example, a new session
88.429 + \texttt{MySession} derived from \texttt{HOL} may be produced as
88.430 + follows:
88.431 +
88.432 +\begin{verbatim}
88.433 + isabelle mkdir HOL MySession
88.434 + isabelle make
88.435 +\end{verbatim}
88.436 +
88.437 + The \texttt{isabelle make} job also informs about the file-system
88.438 + location of the ultimate results. The above dry run should be able
88.439 + to produce some \texttt{document.pdf} (with dummy title, empty table
88.440 + of contents etc.). Any failure at this stage usually indicates
88.441 + technical problems of the {\LaTeX} installation.
88.442 +
88.443 + \medskip The detailed arrangement of the session sources is as
88.444 + follows.
88.445 +
88.446 + \begin{itemize}
88.447 +
88.448 + \item Directory \texttt{MySession} holds the required theory files
88.449 + $T@1$\texttt{.thy}, \dots, $T@n$\texttt{.thy}.
88.450 +
88.451 + \item File \texttt{MySession/ROOT.ML} holds appropriate ML commands
88.452 + for loading all wanted theories, usually just
88.453 + ``\texttt{use_thy"$T@i$";}'' for any $T@i$ in leaf position of the
88.454 + dependency graph.
88.455 +
88.456 + \item Directory \texttt{MySession/document} contains everything
88.457 + required for the {\LaTeX} stage; only \texttt{root.tex} needs to be
88.458 + provided initially.
88.459 +
88.460 + The latter file holds appropriate {\LaTeX} code to commence a
88.461 + document (\verb,\documentclass, etc.), and to include the generated
88.462 + files $T@i$\texttt{.tex} for each theory. Isabelle will generate a
88.463 + file \texttt{session.tex} holding {\LaTeX} commands to include all
88.464 + generated theory output files in topologically sorted order, so
88.465 + \verb,\input{session}, in the body of \texttt{root.tex} does the job
88.466 + in most situations.
88.467 +
88.468 + \item \texttt{IsaMakefile} holds appropriate dependencies and
88.469 + invocations of Isabelle tools to control the batch job. In fact,
88.470 + several sessions may be managed by the same \texttt{IsaMakefile}.
88.471 + See the \emph{Isabelle System Manual} \cite{isabelle-sys}
88.472 + for further details, especially on
88.473 + \texttt{isabelle usedir} and \texttt{isabelle make}.
88.474 +
88.475 + \end{itemize}
88.476 +
88.477 + One may now start to populate the directory \texttt{MySession}, and
88.478 + the file \texttt{MySession/ROOT.ML} accordingly. The file
88.479 + \texttt{MySession/document/root.tex} should also be adapted at some
88.480 + point; the default version is mostly self-explanatory. Note that
88.481 + \verb,\isabellestyle, enables fine-tuning of the general appearance
88.482 + of characters and mathematical symbols (see also
88.483 + \S\ref{sec:doc-prep-symbols}).
88.484 +
88.485 + Especially observe the included {\LaTeX} packages \texttt{isabelle}
88.486 + (mandatory), \texttt{isabellesym} (required for mathematical
88.487 + symbols), and the final \texttt{pdfsetup} (provides sane defaults
88.488 + for \texttt{hyperref}, including URL markup). All three are
88.489 + distributed with Isabelle. Further packages may be required in
88.490 + particular applications, say for unusual mathematical symbols.
88.491 +
88.492 + \medskip Any additional files for the {\LaTeX} stage go into the
88.493 + \texttt{MySession/document} directory as well. In particular,
88.494 + adding a file named \texttt{root.bib} causes an automatic run of
88.495 + \texttt{bibtex} to process a bibliographic database; see also
88.496 + \texttt{isabelle document} \cite{isabelle-sys}.
88.497 +
88.498 + \medskip Any failure of the document preparation phase in an
88.499 + Isabelle batch session leaves the generated sources in their target
88.500 + location, identified by the accompanying error message. This lets
88.501 + you trace {\LaTeX} problems with the generated files at hand.%
88.502 +\end{isamarkuptext}%
88.503 +\isamarkuptrue%
88.504 +%
88.505 +\isamarkupsubsection{Structure Markup%
88.506 +}
88.507 +\isamarkuptrue%
88.508 +%
88.509 +\begin{isamarkuptext}%
88.510 +The large-scale structure of Isabelle documents follows existing
88.511 + {\LaTeX} conventions, with chapters, sections, subsubsections etc.
88.512 + The Isar language includes separate \bfindex{markup commands}, which
88.513 + do not affect the formal meaning of a theory (or proof), but result
88.514 + in corresponding {\LaTeX} elements.
88.515 +
88.516 + There are separate markup commands depending on the textual context:
88.517 + in header position (just before \isakeyword{theory}), within the
88.518 + theory body, or within a proof. The header needs to be treated
88.519 + specially here, since ordinary theory and proof commands may only
88.520 + occur \emph{after} the initial \isakeyword{theory} specification.
88.521 +
88.522 + \medskip
88.523 +
88.524 + \begin{tabular}{llll}
88.525 + header & theory & proof & default meaning \\\hline
88.526 + & \commdx{chapter} & & \verb,\chapter, \\
88.527 + \commdx{header} & \commdx{section} & \commdx{sect} & \verb,\section, \\
88.528 + & \commdx{subsection} & \commdx{subsect} & \verb,\subsection, \\
88.529 + & \commdx{subsubsection} & \commdx{subsubsect} & \verb,\subsubsection, \\
88.530 + \end{tabular}
88.531 +
88.532 + \medskip
88.533 +
88.534 + From the Isabelle perspective, each markup command takes a single
88.535 + $text$ argument (delimited by \verb,",~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,", or
88.536 + \verb,{,\verb,*,~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,*,\verb,},). After stripping any
88.537 + surrounding white space, the argument is passed to a {\LaTeX} macro
88.538 + \verb,\isamarkupXYZ, for command \isakeyword{XYZ}. These macros are
88.539 + defined in \verb,isabelle.sty, according to the meaning given in the
88.540 + rightmost column above.
88.541 +
88.542 + \medskip The following source fragment illustrates structure markup
88.543 + of a theory. Note that {\LaTeX} labels may be included inside of
88.544 + section headings as well.
88.545 +
88.546 + \begin{ttbox}
88.547 + header {\ttlbrace}* Some properties of Foo Bar elements *{\ttrbrace}
88.548 +
88.549 + theory Foo_Bar
88.550 + imports Main
88.551 + begin
88.552 +
88.553 + subsection {\ttlbrace}* Basic definitions *{\ttrbrace}
88.554 +
88.555 + definition foo :: \dots
88.556 +
88.557 + definition bar :: \dots
88.558 +
88.559 + subsection {\ttlbrace}* Derived rules *{\ttrbrace}
88.560 +
88.561 + lemma fooI: \dots
88.562 + lemma fooE: \dots
88.563 +
88.564 + subsection {\ttlbrace}* Main theorem {\ttback}label{\ttlbrace}sec:main-theorem{\ttrbrace} *{\ttrbrace}
88.565 +
88.566 + theorem main: \dots
88.567 +
88.568 + end
88.569 + \end{ttbox}\vspace{-\medskipamount}
88.570 +
88.571 + You may occasionally want to change the meaning of markup commands,
88.572 + say via \verb,\renewcommand, in \texttt{root.tex}. For example,
88.573 + \verb,\isamarkupheader, is a good candidate for some tuning. We
88.574 + could move it up in the hierarchy to become \verb,\chapter,.
88.575 +
88.576 +\begin{verbatim}
88.577 + \renewcommand{\isamarkupheader}[1]{\chapter{#1}}
88.578 +\end{verbatim}
88.579 +
88.580 + \noindent Now we must change the document class given in
88.581 + \texttt{root.tex} to something that supports chapters. A suitable
88.582 + command is \verb,\documentclass{report},.
88.583 +
88.584 + \medskip The {\LaTeX} macro \verb,\isabellecontext, is maintained to
88.585 + hold the name of the current theory context. This is particularly
88.586 + useful for document headings:
88.587 +
88.588 +\begin{verbatim}
88.589 + \renewcommand{\isamarkupheader}[1]
88.590 + {\chapter{#1}\markright{THEORY~\isabellecontext}}
88.591 +\end{verbatim}
88.592 +
88.593 + \noindent Make sure to include something like
88.594 + \verb,\pagestyle{headings}, in \texttt{root.tex}; the document
88.595 + should have more than two pages to show the effect.%
88.596 +\end{isamarkuptext}%
88.597 +\isamarkuptrue%
88.598 +%
88.599 +\isamarkupsubsection{Formal Comments and Antiquotations \label{sec:doc-prep-text}%
88.600 +}
88.601 +\isamarkuptrue%
88.602 +%
88.603 +\begin{isamarkuptext}%
88.604 +Isabelle \bfindex{source comments}, which are of the form
88.605 + \verb,(,\verb,*,~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,*,\verb,),, essentially act like
88.606 + white space and do not really contribute to the content. They
88.607 + mainly serve technical purposes to mark certain oddities in the raw
88.608 + input text. In contrast, \bfindex{formal comments} are portions of
88.609 + text that are associated with formal Isabelle/Isar commands
88.610 + (\bfindex{marginal comments}), or as standalone paragraphs within a
88.611 + theory or proof context (\bfindex{text blocks}).
88.612 +
88.613 + \medskip Marginal comments are part of each command's concrete
88.614 + syntax \cite{isabelle-ref}; the common form is ``\verb,--,~$text$''
88.615 + where $text$ is delimited by \verb,",\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}\verb,", or
88.616 + \verb,{,\verb,*,~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,*,\verb,}, as before. Multiple
88.617 + marginal comments may be given at the same time. Here is a simple
88.618 + example:%
88.619 +\end{isamarkuptext}%
88.620 +\isamarkuptrue%
88.621 +\isacommand{lemma}\isamarkupfalse%
88.622 +\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{2D}{\isacharminus}}{\isaliteral{2D}{\isacharminus}}{\isaliteral{3E}{\isachargreater}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
88.623 +\ \ %
88.624 +\isamarkupcmt{a triviality of propositional logic%
88.625 +}
88.626 +\isanewline
88.627 +\ \ %
88.628 +\isamarkupcmt{(should not really bother)%
88.629 +}
88.630 +\isanewline
88.631 +%
88.632 +\isadelimproof
88.633 +\ \ %
88.634 +\endisadelimproof
88.635 +%
88.636 +\isatagproof
88.637 +\isacommand{by}\isamarkupfalse%
88.638 +\ {\isaliteral{28}{\isacharparenleft}}rule\ impI{\isaliteral{29}{\isacharparenright}}\ %
88.639 +\isamarkupcmt{implicit assumption step involved here%
88.640 +}
88.641 +%
88.642 +\endisatagproof
88.643 +{\isafoldproof}%
88.644 +%
88.645 +\isadelimproof
88.646 +%
88.647 +\endisadelimproof
88.648 +%
88.649 +\begin{isamarkuptext}%
88.650 +\noindent The above output has been produced as follows:
88.651 +
88.652 +\begin{verbatim}
88.653 + lemma "A --> A"
88.654 + -- "a triviality of propositional logic"
88.655 + -- "(should not really bother)"
88.656 + by (rule impI) -- "implicit assumption step involved here"
88.657 +\end{verbatim}
88.658 +
88.659 + From the {\LaTeX} viewpoint, ``\verb,--,'' acts like a markup
88.660 + command, associated with the macro \verb,\isamarkupcmt, (taking a
88.661 + single argument).
88.662 +
88.663 + \medskip Text blocks are introduced by the commands \bfindex{text}
88.664 + and \bfindex{txt}, for theory and proof contexts, respectively.
88.665 + Each takes again a single $text$ argument, which is interpreted as a
88.666 + free-form paragraph in {\LaTeX} (surrounded by some additional
88.667 + vertical space). This behavior may be changed by redefining the
88.668 + {\LaTeX} environments of \verb,isamarkuptext, or
88.669 + \verb,isamarkuptxt,, respectively (via \verb,\renewenvironment,) The
88.670 + text style of the body is determined by \verb,\isastyletext, and
88.671 + \verb,\isastyletxt,; the default setup uses a smaller font within
88.672 + proofs. This may be changed as follows:
88.673 +
88.674 +\begin{verbatim}
88.675 + \renewcommand{\isastyletxt}{\isastyletext}
88.676 +\end{verbatim}
88.677 +
88.678 + \medskip The $text$ part of Isabelle markup commands essentially
88.679 + inserts \emph{quoted material} into a formal text, mainly for
88.680 + instruction of the reader. An \bfindex{antiquotation} is again a
88.681 + formal object embedded into such an informal portion. The
88.682 + interpretation of antiquotations is limited to some well-formedness
88.683 + checks, with the result being pretty printed to the resulting
88.684 + document. Quoted text blocks together with antiquotations provide
88.685 + an attractive means of referring to formal entities, with good
88.686 + confidence in getting the technical details right (especially syntax
88.687 + and types).
88.688 +
88.689 + The general syntax of antiquotations is as follows:
88.690 + \texttt{{\at}{\ttlbrace}$name$ $arguments${\ttrbrace}}, or
88.691 + \texttt{{\at}{\ttlbrace}$name$ [$options$] $arguments${\ttrbrace}}
88.692 + for a comma-separated list of options consisting of a $name$ or
88.693 + \texttt{$name$=$value$} each. The syntax of $arguments$ depends on
88.694 + the kind of antiquotation, it generally follows the same conventions
88.695 + for types, terms, or theorems as in the formal part of a theory.
88.696 +
88.697 + \medskip This sentence demonstrates quotations and antiquotations:
88.698 + \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x\ y{\isaliteral{2E}{\isachardot}}\ x} is a well-typed term.
88.699 +
88.700 + \medskip\noindent The output above was produced as follows:
88.701 + \begin{ttbox}
88.702 +text {\ttlbrace}*
88.703 + This sentence demonstrates quotations and antiquotations:
88.704 + {\at}{\ttlbrace}term "%x y. x"{\ttrbrace} is a well-typed term.
88.705 +*{\ttrbrace}
88.706 + \end{ttbox}\vspace{-\medskipamount}
88.707 +
88.708 + The notational change from the ASCII character~\verb,%, to the
88.709 + symbol~\isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}} reveals that Isabelle printed this term, after
88.710 + parsing and type-checking. Document preparation enables symbolic
88.711 + output by default.
88.712 +
88.713 + \medskip The next example includes an option to show the type of all
88.714 + variables. The antiquotation
88.715 + \texttt{{\at}}\verb,{term [show_types] "%x y. x"}, produces the
88.716 + output \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ y{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}b{\isaliteral{2E}{\isachardot}}\ x}. Type inference has figured
88.717 + out the most general typings in the present theory context. Terms
88.718 + may acquire different typings due to constraints imposed by their
88.719 + environment; within a proof, for example, variables are given the
88.720 + same types as they have in the main goal statement.
88.721 +
88.722 + \medskip Several further kinds of antiquotations and options are
88.723 + available \cite{isabelle-isar-ref}. Here are a few commonly used
88.724 + combinations:
88.725 +
88.726 + \medskip
88.727 +
88.728 + \begin{tabular}{ll}
88.729 + \texttt{\at}\verb,{typ,~$\tau$\verb,}, & print type $\tau$ \\
88.730 + \texttt{\at}\verb,{const,~$c$\verb,}, & check existence of $c$ and print it \\
88.731 + \texttt{\at}\verb,{term,~$t$\verb,}, & print term $t$ \\
88.732 + \texttt{\at}\verb,{prop,~$\phi$\verb,}, & print proposition $\phi$ \\
88.733 + \texttt{\at}\verb,{prop [display],~$\phi$\verb,}, & print large proposition $\phi$ (with linebreaks) \\
88.734 + \texttt{\at}\verb,{prop [source],~$\phi$\verb,}, & check proposition $\phi$, print its input \\
88.735 + \texttt{\at}\verb,{thm,~$a$\verb,}, & print fact $a$ \\
88.736 + \texttt{\at}\verb,{thm,~$a$~\verb,[no_vars]}, & print fact $a$, fixing schematic variables \\
88.737 + \texttt{\at}\verb,{thm [source],~$a$\verb,}, & check availability of fact $a$, print its name \\
88.738 + \texttt{\at}\verb,{text,~$s$\verb,}, & print uninterpreted text $s$ \\
88.739 + \end{tabular}
88.740 +
88.741 + \medskip
88.742 +
88.743 + Note that \attrdx{no_vars} given above is \emph{not} an
88.744 + antiquotation option, but an attribute of the theorem argument given
88.745 + here. This might be useful with a diagnostic command like
88.746 + \isakeyword{thm}, too.
88.747 +
88.748 + \medskip The \texttt{\at}\verb,{text, $s$\verb,}, antiquotation is
88.749 + particularly interesting. Embedding uninterpreted text within an
88.750 + informal body might appear useless at first sight. Here the key
88.751 + virtue is that the string $s$ is processed as Isabelle output,
88.752 + interpreting Isabelle symbols appropriately.
88.753 +
88.754 + For example, \texttt{\at}\verb,{text "\<forall>\<exists>"}, produces \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}}, according to the standard interpretation of these symbol
88.755 + (cf.\ \S\ref{sec:doc-prep-symbols}). Thus we achieve consistent
88.756 + mathematical notation in both the formal and informal parts of the
88.757 + document very easily, independently of the term language of
88.758 + Isabelle. Manual {\LaTeX} code would leave more control over the
88.759 + typesetting, but is also slightly more tedious.%
88.760 +\end{isamarkuptext}%
88.761 +\isamarkuptrue%
88.762 +%
88.763 +\isamarkupsubsection{Interpretation of Symbols \label{sec:doc-prep-symbols}%
88.764 +}
88.765 +\isamarkuptrue%
88.766 +%
88.767 +\begin{isamarkuptext}%
88.768 +As has been pointed out before (\S\ref{sec:syntax-symbols}),
88.769 + Isabelle symbols are the smallest syntactic entities --- a
88.770 + straightforward generalization of ASCII characters. While Isabelle
88.771 + does not impose any interpretation of the infinite collection of
88.772 + named symbols, {\LaTeX} documents use canonical glyphs for certain
88.773 + standard symbols \cite{isabelle-isar-ref}.
88.774 +
88.775 + The {\LaTeX} code produced from Isabelle text follows a simple
88.776 + scheme. You can tune the final appearance by redefining certain
88.777 + macros, say in \texttt{root.tex} of the document.
88.778 +
88.779 + \begin{enumerate}
88.780 +
88.781 + \item 7-bit ASCII characters: letters \texttt{A\dots Z} and
88.782 + \texttt{a\dots z} are output directly, digits are passed as an
88.783 + argument to the \verb,\isadigit, macro, other characters are
88.784 + replaced by specifically named macros of the form
88.785 + \verb,\isacharXYZ,.
88.786 +
88.787 + \item Named symbols: \verb,\,\verb,<XYZ>, is turned into
88.788 + \verb,{\isasymXYZ},; note the additional braces.
88.789 +
88.790 + \item Named control symbols: \verb,\,\verb,<^XYZ>, is turned into
88.791 + \verb,\isactrlXYZ,; subsequent symbols may act as arguments if the
88.792 + control macro is defined accordingly.
88.793 +
88.794 + \end{enumerate}
88.795 +
88.796 + You may occasionally wish to give new {\LaTeX} interpretations of
88.797 + named symbols. This merely requires an appropriate definition of
88.798 + \verb,\isasymXYZ,, for \verb,\,\verb,<XYZ>, (see
88.799 + \texttt{isabelle.sty} for working examples). Control symbols are
88.800 + slightly more difficult to get right, though.
88.801 +
88.802 + \medskip The \verb,\isabellestyle, macro provides a high-level
88.803 + interface to tune the general appearance of individual symbols. For
88.804 + example, \verb,\isabellestyle{it}, uses the italics text style to
88.805 + mimic the general appearance of the {\LaTeX} math mode; double
88.806 + quotes are not printed at all. The resulting quality of typesetting
88.807 + is quite good, so this should be the default style for work that
88.808 + gets distributed to a broader audience.%
88.809 +\end{isamarkuptext}%
88.810 +\isamarkuptrue%
88.811 +%
88.812 +\isamarkupsubsection{Suppressing Output \label{sec:doc-prep-suppress}%
88.813 +}
88.814 +\isamarkuptrue%
88.815 +%
88.816 +\begin{isamarkuptext}%
88.817 +By default, Isabelle's document system generates a {\LaTeX} file for
88.818 + each theory that gets loaded while running the session. The
88.819 + generated \texttt{session.tex} will include all of these in order of
88.820 + appearance, which in turn gets included by the standard
88.821 + \texttt{root.tex}. Certainly one may change the order or suppress
88.822 + unwanted theories by ignoring \texttt{session.tex} and load
88.823 + individual files directly in \texttt{root.tex}. On the other hand,
88.824 + such an arrangement requires additional maintenance whenever the
88.825 + collection of theories changes.
88.826 +
88.827 + Alternatively, one may tune the theory loading process in
88.828 + \texttt{ROOT.ML} itself: traversal of the theory dependency graph
88.829 + may be fine-tuned by adding \verb,use_thy, invocations, although
88.830 + topological sorting still has to be observed. Moreover, the ML
88.831 + operator \verb,no_document, temporarily disables document generation
88.832 + while executing a theory loader command. Its usage is like this:
88.833 +
88.834 +\begin{verbatim}
88.835 + no_document use_thy "T";
88.836 +\end{verbatim}
88.837 +
88.838 + \medskip Theory output may be suppressed more selectively, either
88.839 + via \bfindex{tagged command regions} or \bfindex{ignored material}.
88.840 +
88.841 + Tagged command regions works by annotating commands with named tags,
88.842 + which correspond to certain {\LaTeX} markup that tells how to treat
88.843 + particular parts of a document when doing the actual type-setting.
88.844 + By default, certain Isabelle/Isar commands are implicitly marked up
88.845 + using the predefined tags ``\emph{theory}'' (for theory begin and
88.846 + end), ``\emph{proof}'' (for proof commands), and ``\emph{ML}'' (for
88.847 + commands involving ML code). Users may add their own tags using the
88.848 + \verb,%,\emph{tag} notation right after a command name. In the
88.849 + subsequent example we hide a particularly irrelevant proof:%
88.850 +\end{isamarkuptext}%
88.851 +\isamarkuptrue%
88.852 +\isacommand{lemma}\isamarkupfalse%
88.853 +\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}%
88.854 +\isadeliminvisible
88.855 +\ %
88.856 +\endisadeliminvisible
88.857 +%
88.858 +\isataginvisible
88.859 +\isacommand{by}\isamarkupfalse%
88.860 +\ {\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
88.861 +\endisataginvisible
88.862 +{\isafoldinvisible}%
88.863 +%
88.864 +\isadeliminvisible
88.865 +%
88.866 +\endisadeliminvisible
88.867 +%
88.868 +\begin{isamarkuptext}%
88.869 +The original source has been ``\verb,lemma "x = x" by %invisible (simp),''.
88.870 + Tags observe the structure of proofs; adjacent commands with the
88.871 + same tag are joined into a single region. The Isabelle document
88.872 + preparation system allows the user to specify how to interpret a
88.873 + tagged region, in order to keep, drop, or fold the corresponding
88.874 + parts of the document. See the \emph{Isabelle System Manual}
88.875 + \cite{isabelle-sys} for further details, especially on
88.876 + \texttt{isabelle usedir} and \texttt{isabelle document}.
88.877 +
88.878 + Ignored material is specified by delimiting the original formal
88.879 + source with special source comments
88.880 + \verb,(,\verb,*,\verb,<,\verb,*,\verb,), and
88.881 + \verb,(,\verb,*,\verb,>,\verb,*,\verb,),. These parts are stripped
88.882 + before the type-setting phase, without affecting the formal checking
88.883 + of the theory, of course. For example, we may hide parts of a proof
88.884 + that seem unfit for general public inspection. The following
88.885 + ``fully automatic'' proof is actually a fake:%
88.886 +\end{isamarkuptext}%
88.887 +\isamarkuptrue%
88.888 +\isacommand{lemma}\isamarkupfalse%
88.889 +\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}int{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ x\ {\isaliteral{2A}{\isacharasterisk}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
88.890 +%
88.891 +\isadelimproof
88.892 +\ \ %
88.893 +\endisadelimproof
88.894 +%
88.895 +\isatagproof
88.896 +\isacommand{by}\isamarkupfalse%
88.897 +\ {\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
88.898 +\endisatagproof
88.899 +{\isafoldproof}%
88.900 +%
88.901 +\isadelimproof
88.902 +%
88.903 +\endisadelimproof
88.904 +%
88.905 +\begin{isamarkuptext}%
88.906 +\noindent The real source of the proof has been as follows:
88.907 +
88.908 +\begin{verbatim}
88.909 + by (auto(*<*)simp add: zero_less_mult_iff(*>*))
88.910 +\end{verbatim}
88.911 +%(*
88.912 +
88.913 + \medskip Suppressing portions of printed text demands care. You
88.914 + should not misrepresent the underlying theory development. It is
88.915 + easy to invalidate the visible text by hiding references to
88.916 + questionable axioms, for example.%
88.917 +\end{isamarkuptext}%
88.918 +\isamarkuptrue%
88.919 +%
88.920 +\isadelimtheory
88.921 +%
88.922 +\endisadelimtheory
88.923 +%
88.924 +\isatagtheory
88.925 +%
88.926 +\endisatagtheory
88.927 +{\isafoldtheory}%
88.928 +%
88.929 +\isadelimtheory
88.930 +%
88.931 +\endisadelimtheory
88.932 +\end{isabellebody}%
88.933 +%%% Local Variables:
88.934 +%%% mode: latex
88.935 +%%% TeX-master: "root"
88.936 +%%% End:
89.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
89.2 +++ b/doc-src/TutorialI/document/Even.tex Thu Jul 26 19:59:06 2012 +0200
89.3 @@ -0,0 +1,543 @@
89.4 +%
89.5 +\begin{isabellebody}%
89.6 +\def\isabellecontext{Even}%
89.7 +%
89.8 +\isadelimtheory
89.9 +%
89.10 +\endisadelimtheory
89.11 +%
89.12 +\isatagtheory
89.13 +%
89.14 +\endisatagtheory
89.15 +{\isafoldtheory}%
89.16 +%
89.17 +\isadelimtheory
89.18 +%
89.19 +\endisadelimtheory
89.20 +%
89.21 +\isadelimML
89.22 +%
89.23 +\endisadelimML
89.24 +%
89.25 +\isatagML
89.26 +%
89.27 +\endisatagML
89.28 +{\isafoldML}%
89.29 +%
89.30 +\isadelimML
89.31 +%
89.32 +\endisadelimML
89.33 +%
89.34 +\isamarkupsection{The Set of Even Numbers%
89.35 +}
89.36 +\isamarkuptrue%
89.37 +%
89.38 +\begin{isamarkuptext}%
89.39 +\index{even numbers!defining inductively|(}%
89.40 +The set of even numbers can be inductively defined as the least set
89.41 +containing 0 and closed under the operation $+2$. Obviously,
89.42 +\emph{even} can also be expressed using the divides relation (\isa{dvd}).
89.43 +We shall prove below that the two formulations coincide. On the way we
89.44 +shall examine the primary means of reasoning about inductively defined
89.45 +sets: rule induction.%
89.46 +\end{isamarkuptext}%
89.47 +\isamarkuptrue%
89.48 +%
89.49 +\isamarkupsubsection{Making an Inductive Definition%
89.50 +}
89.51 +\isamarkuptrue%
89.52 +%
89.53 +\begin{isamarkuptext}%
89.54 +Using \commdx{inductive\protect\_set}, we declare the constant \isa{even} to be
89.55 +a set of natural numbers with the desired properties.%
89.56 +\end{isamarkuptext}%
89.57 +\isamarkuptrue%
89.58 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
89.59 +\ even\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
89.60 +zero{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
89.61 +step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}%
89.62 +\begin{isamarkuptext}%
89.63 +An inductive definition consists of introduction rules. The first one
89.64 +above states that 0 is even; the second states that if $n$ is even, then so
89.65 +is~$n+2$. Given this declaration, Isabelle generates a fixed point
89.66 +definition for \isa{even} and proves theorems about it,
89.67 +thus following the definitional approach (see {\S}\ref{sec:definitional}).
89.68 +These theorems
89.69 +include the introduction rules specified in the declaration, an elimination
89.70 +rule for case analysis and an induction rule. We can refer to these
89.71 +theorems by automatically-generated names. Here are two examples:
89.72 +\begin{isabelle}%
89.73 +{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\rulename{even{\isaliteral{2E}{\isachardot}}zero}\par\smallskip%
89.74 +n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\rulename{even{\isaliteral{2E}{\isachardot}}step}%
89.75 +\end{isabelle}
89.76 +
89.77 +The introduction rules can be given attributes. Here
89.78 +both rules are specified as \isa{intro!},%
89.79 +\index{intro"!@\isa {intro"!} (attribute)}
89.80 +directing the classical reasoner to
89.81 +apply them aggressively. Obviously, regarding 0 as even is safe. The
89.82 +\isa{step} rule is also safe because $n+2$ is even if and only if $n$ is
89.83 +even. We prove this equivalence later.%
89.84 +\end{isamarkuptext}%
89.85 +\isamarkuptrue%
89.86 +%
89.87 +\isamarkupsubsection{Using Introduction Rules%
89.88 +}
89.89 +\isamarkuptrue%
89.90 +%
89.91 +\begin{isamarkuptext}%
89.92 +Our first lemma states that numbers of the form $2\times k$ are even.
89.93 +Introduction rules are used to show that specific values belong to the
89.94 +inductive set. Such proofs typically involve
89.95 +induction, perhaps over some other inductive set.%
89.96 +\end{isamarkuptext}%
89.97 +\isamarkuptrue%
89.98 +\isacommand{lemma}\isamarkupfalse%
89.99 +\ two{\isaliteral{5F}{\isacharunderscore}}times{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}{\isaliteral{2A}{\isacharasterisk}}k\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
89.100 +%
89.101 +\isadelimproof
89.102 +%
89.103 +\endisadelimproof
89.104 +%
89.105 +\isatagproof
89.106 +\isacommand{apply}\isamarkupfalse%
89.107 +\ {\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ k{\isaliteral{29}{\isacharparenright}}\isanewline
89.108 +\ \isacommand{apply}\isamarkupfalse%
89.109 +\ auto\isanewline
89.110 +\isacommand{done}\isamarkupfalse%
89.111 +%
89.112 +\endisatagproof
89.113 +{\isafoldproof}%
89.114 +%
89.115 +\isadelimproof
89.116 +%
89.117 +\endisadelimproof
89.118 +%
89.119 +\isadelimproof
89.120 +%
89.121 +\endisadelimproof
89.122 +%
89.123 +\isatagproof
89.124 +%
89.125 +\begin{isamarkuptxt}%
89.126 +\noindent
89.127 +The first step is induction on the natural number \isa{k}, which leaves
89.128 +two subgoals:
89.129 +\begin{isabelle}%
89.130 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isanewline
89.131 +\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
89.132 +\end{isabelle}
89.133 +Here \isa{auto} simplifies both subgoals so that they match the introduction
89.134 +rules, which are then applied automatically.
89.135 +
89.136 +Our ultimate goal is to prove the equivalence between the traditional
89.137 +definition of \isa{even} (using the divides relation) and our inductive
89.138 +definition. One direction of this equivalence is immediate by the lemma
89.139 +just proved, whose \isa{intro{\isaliteral{21}{\isacharbang}}} attribute ensures it is applied automatically.%
89.140 +\end{isamarkuptxt}%
89.141 +\isamarkuptrue%
89.142 +%
89.143 +\endisatagproof
89.144 +{\isafoldproof}%
89.145 +%
89.146 +\isadelimproof
89.147 +%
89.148 +\endisadelimproof
89.149 +\isacommand{lemma}\isamarkupfalse%
89.150 +\ dvd{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}\ dvd\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
89.151 +%
89.152 +\isadelimproof
89.153 +%
89.154 +\endisadelimproof
89.155 +%
89.156 +\isatagproof
89.157 +\isacommand{by}\isamarkupfalse%
89.158 +\ {\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ dvd{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
89.159 +\endisatagproof
89.160 +{\isafoldproof}%
89.161 +%
89.162 +\isadelimproof
89.163 +%
89.164 +\endisadelimproof
89.165 +%
89.166 +\isamarkupsubsection{Rule Induction \label{sec:rule-induction}%
89.167 +}
89.168 +\isamarkuptrue%
89.169 +%
89.170 +\begin{isamarkuptext}%
89.171 +\index{rule induction|(}%
89.172 +From the definition of the set
89.173 +\isa{even}, Isabelle has
89.174 +generated an induction rule:
89.175 +\begin{isabelle}%
89.176 +{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ P\ {\isadigit{0}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
89.177 +\isaindent{\ }{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ P\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
89.178 +{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x\rulename{even{\isaliteral{2E}{\isachardot}}induct}%
89.179 +\end{isabelle}
89.180 +A property \isa{P} holds for every even number provided it
89.181 +holds for~\isa{{\isadigit{0}}} and is closed under the operation
89.182 +\isa{Suc(Suc \(\cdot\))}. Then \isa{P} is closed under the introduction
89.183 +rules for \isa{even}, which is the least set closed under those rules.
89.184 +This type of inductive argument is called \textbf{rule induction}.
89.185 +
89.186 +Apart from the double application of \isa{Suc}, the induction rule above
89.187 +resembles the familiar mathematical induction, which indeed is an instance
89.188 +of rule induction; the natural numbers can be defined inductively to be
89.189 +the least set containing \isa{{\isadigit{0}}} and closed under~\isa{Suc}.
89.190 +
89.191 +Induction is the usual way of proving a property of the elements of an
89.192 +inductively defined set. Let us prove that all members of the set
89.193 +\isa{even} are multiples of two.%
89.194 +\end{isamarkuptext}%
89.195 +\isamarkuptrue%
89.196 +\isacommand{lemma}\isamarkupfalse%
89.197 +\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}dvd{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ n{\isaliteral{22}{\isachardoublequoteclose}}%
89.198 +\isadelimproof
89.199 +%
89.200 +\endisadelimproof
89.201 +%
89.202 +\isatagproof
89.203 +%
89.204 +\begin{isamarkuptxt}%
89.205 +We begin by applying induction. Note that \isa{even{\isaliteral{2E}{\isachardot}}induct} has the form
89.206 +of an elimination rule, so we use the method \isa{erule}. We get two
89.207 +subgoals:%
89.208 +\end{isamarkuptxt}%
89.209 +\isamarkuptrue%
89.210 +\isacommand{apply}\isamarkupfalse%
89.211 +\ {\isaliteral{28}{\isacharparenleft}}erule\ even{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
89.212 +\begin{isamarkuptxt}%
89.213 +\begin{isabelle}%
89.214 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ dvd\ {\isadigit{0}}\isanewline
89.215 +\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ {\isadigit{2}}\ dvd\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
89.216 +\end{isabelle}
89.217 +We unfold the definition of \isa{dvd} in both subgoals, proving the first
89.218 +one and simplifying the second:%
89.219 +\end{isamarkuptxt}%
89.220 +\isamarkuptrue%
89.221 +\isacommand{apply}\isamarkupfalse%
89.222 +\ {\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{5F}{\isacharunderscore}}all\ add{\isaliteral{3A}{\isacharcolon}}\ dvd{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
89.223 +\begin{isamarkuptxt}%
89.224 +\begin{isabelle}%
89.225 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}k{\isaliteral{2E}{\isachardot}}\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}k{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k%
89.226 +\end{isabelle}
89.227 +The next command eliminates the existential quantifier from the assumption
89.228 +and replaces \isa{n} by \isa{{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k}.%
89.229 +\end{isamarkuptxt}%
89.230 +\isamarkuptrue%
89.231 +\isacommand{apply}\isamarkupfalse%
89.232 +\ clarify%
89.233 +\begin{isamarkuptxt}%
89.234 +\begin{isabelle}%
89.235 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n\ k{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}ka{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ ka%
89.236 +\end{isabelle}
89.237 +To conclude, we tell Isabelle that the desired value is
89.238 +\isa{Suc\ k}. With this hint, the subgoal falls to \isa{simp}.%
89.239 +\end{isamarkuptxt}%
89.240 +\isamarkuptrue%
89.241 +\isacommand{apply}\isamarkupfalse%
89.242 +\ {\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ k{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ exI{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{29}{\isacharparenright}}%
89.243 +\endisatagproof
89.244 +{\isafoldproof}%
89.245 +%
89.246 +\isadelimproof
89.247 +%
89.248 +\endisadelimproof
89.249 +%
89.250 +\begin{isamarkuptext}%
89.251 +Combining the previous two results yields our objective, the
89.252 +equivalence relating \isa{even} and \isa{dvd}.
89.253 +%
89.254 +%we don't want [iff]: discuss?%
89.255 +\end{isamarkuptext}%
89.256 +\isamarkuptrue%
89.257 +\isacommand{theorem}\isamarkupfalse%
89.258 +\ even{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}dvd{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}\ dvd\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
89.259 +%
89.260 +\isadelimproof
89.261 +%
89.262 +\endisadelimproof
89.263 +%
89.264 +\isatagproof
89.265 +\isacommand{by}\isamarkupfalse%
89.266 +\ {\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ dvd{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}dvd{\isaliteral{29}{\isacharparenright}}%
89.267 +\endisatagproof
89.268 +{\isafoldproof}%
89.269 +%
89.270 +\isadelimproof
89.271 +%
89.272 +\endisadelimproof
89.273 +%
89.274 +\isamarkupsubsection{Generalization and Rule Induction \label{sec:gen-rule-induction}%
89.275 +}
89.276 +\isamarkuptrue%
89.277 +%
89.278 +\begin{isamarkuptext}%
89.279 +\index{generalizing for induction}%
89.280 +Before applying induction, we typically must generalize
89.281 +the induction formula. With rule induction, the required generalization
89.282 +can be hard to find and sometimes requires a complete reformulation of the
89.283 +problem. In this example, our first attempt uses the obvious statement of
89.284 +the result. It fails:%
89.285 +\end{isamarkuptext}%
89.286 +\isamarkuptrue%
89.287 +\isacommand{lemma}\isamarkupfalse%
89.288 +\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
89.289 +%
89.290 +\isadelimproof
89.291 +%
89.292 +\endisadelimproof
89.293 +%
89.294 +\isatagproof
89.295 +\isacommand{apply}\isamarkupfalse%
89.296 +\ {\isaliteral{28}{\isacharparenleft}}erule\ even{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
89.297 +\isacommand{oops}\isamarkupfalse%
89.298 +%
89.299 +\endisatagproof
89.300 +{\isafoldproof}%
89.301 +%
89.302 +\isadelimproof
89.303 +%
89.304 +\endisadelimproof
89.305 +%
89.306 +\isadelimproof
89.307 +%
89.308 +\endisadelimproof
89.309 +%
89.310 +\isatagproof
89.311 +%
89.312 +\begin{isamarkuptxt}%
89.313 +Rule induction finds no occurrences of \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}} in the
89.314 +conclusion, which it therefore leaves unchanged. (Look at
89.315 +\isa{even{\isaliteral{2E}{\isachardot}}induct} to see why this happens.) We have these subgoals:
89.316 +\begin{isabelle}%
89.317 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isanewline
89.318 +\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}na{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}na\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
89.319 +\end{isabelle}
89.320 +The first one is hopeless. Rule induction on
89.321 +a non-variable term discards information, and usually fails.
89.322 +How to deal with such situations
89.323 +in general is described in {\S}\ref{sec:ind-var-in-prems} below.
89.324 +In the current case the solution is easy because
89.325 +we have the necessary inverse, subtraction:%
89.326 +\end{isamarkuptxt}%
89.327 +\isamarkuptrue%
89.328 +%
89.329 +\endisatagproof
89.330 +{\isafoldproof}%
89.331 +%
89.332 +\isadelimproof
89.333 +%
89.334 +\endisadelimproof
89.335 +\isacommand{lemma}\isamarkupfalse%
89.336 +\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}minus{\isaliteral{5F}{\isacharunderscore}}{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
89.337 +%
89.338 +\isadelimproof
89.339 +%
89.340 +\endisadelimproof
89.341 +%
89.342 +\isatagproof
89.343 +\isacommand{apply}\isamarkupfalse%
89.344 +\ {\isaliteral{28}{\isacharparenleft}}erule\ even{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
89.345 +\ \isacommand{apply}\isamarkupfalse%
89.346 +\ auto\isanewline
89.347 +\isacommand{done}\isamarkupfalse%
89.348 +%
89.349 +\endisatagproof
89.350 +{\isafoldproof}%
89.351 +%
89.352 +\isadelimproof
89.353 +%
89.354 +\endisadelimproof
89.355 +%
89.356 +\isadelimproof
89.357 +%
89.358 +\endisadelimproof
89.359 +%
89.360 +\isatagproof
89.361 +%
89.362 +\begin{isamarkuptxt}%
89.363 +This lemma is trivially inductive. Here are the subgoals:
89.364 +\begin{isabelle}%
89.365 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{0}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isanewline
89.366 +\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
89.367 +\end{isabelle}
89.368 +The first is trivial because \isa{{\isadigit{0}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}} simplifies to \isa{{\isadigit{0}}}, which is
89.369 +even. The second is trivial too: \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}} simplifies to
89.370 +\isa{n}, matching the assumption.%
89.371 +\index{rule induction|)} %the sequel isn't really about induction
89.372 +
89.373 +\medskip
89.374 +Using our lemma, we can easily prove the result we originally wanted:%
89.375 +\end{isamarkuptxt}%
89.376 +\isamarkuptrue%
89.377 +%
89.378 +\endisatagproof
89.379 +{\isafoldproof}%
89.380 +%
89.381 +\isadelimproof
89.382 +%
89.383 +\endisadelimproof
89.384 +\isacommand{lemma}\isamarkupfalse%
89.385 +\ Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
89.386 +%
89.387 +\isadelimproof
89.388 +%
89.389 +\endisadelimproof
89.390 +%
89.391 +\isatagproof
89.392 +\isacommand{by}\isamarkupfalse%
89.393 +\ {\isaliteral{28}{\isacharparenleft}}drule\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}minus{\isaliteral{5F}{\isacharunderscore}}{\isadigit{2}}{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{29}{\isacharparenright}}%
89.394 +\endisatagproof
89.395 +{\isafoldproof}%
89.396 +%
89.397 +\isadelimproof
89.398 +%
89.399 +\endisadelimproof
89.400 +%
89.401 +\begin{isamarkuptext}%
89.402 +We have just proved the converse of the introduction rule \isa{even{\isaliteral{2E}{\isachardot}}step}.
89.403 +This suggests proving the following equivalence. We give it the
89.404 +\attrdx{iff} attribute because of its obvious value for simplification.%
89.405 +\end{isamarkuptext}%
89.406 +\isamarkuptrue%
89.407 +\isacommand{lemma}\isamarkupfalse%
89.408 +\ {\isaliteral{5B}{\isacharbrackleft}}iff{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
89.409 +%
89.410 +\isadelimproof
89.411 +%
89.412 +\endisadelimproof
89.413 +%
89.414 +\isatagproof
89.415 +\isacommand{by}\isamarkupfalse%
89.416 +\ {\isaliteral{28}{\isacharparenleft}}blast\ dest{\isaliteral{3A}{\isacharcolon}}\ Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{29}{\isacharparenright}}%
89.417 +\endisatagproof
89.418 +{\isafoldproof}%
89.419 +%
89.420 +\isadelimproof
89.421 +%
89.422 +\endisadelimproof
89.423 +%
89.424 +\isamarkupsubsection{Rule Inversion \label{sec:rule-inversion}%
89.425 +}
89.426 +\isamarkuptrue%
89.427 +%
89.428 +\begin{isamarkuptext}%
89.429 +\index{rule inversion|(}%
89.430 +Case analysis on an inductive definition is called \textbf{rule
89.431 +inversion}. It is frequently used in proofs about operational
89.432 +semantics. It can be highly effective when it is applied
89.433 +automatically. Let us look at how rule inversion is done in
89.434 +Isabelle/HOL\@.
89.435 +
89.436 +Recall that \isa{even} is the minimal set closed under these two rules:
89.437 +\begin{isabelle}%
89.438 +{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isasep\isanewline%
89.439 +n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
89.440 +\end{isabelle}
89.441 +Minimality means that \isa{even} contains only the elements that these
89.442 +rules force it to contain. If we are told that \isa{a}
89.443 +belongs to
89.444 +\isa{even} then there are only two possibilities. Either \isa{a} is \isa{{\isadigit{0}}}
89.445 +or else \isa{a} has the form \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}}, for some suitable \isa{n}
89.446 +that belongs to
89.447 +\isa{even}. That is the gist of the \isa{cases} rule, which Isabelle proves
89.448 +for us when it accepts an inductive definition:
89.449 +\begin{isabelle}%
89.450 +{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ a\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{3B}{\isacharsemicolon}}\isanewline
89.451 +\isaindent{\ }{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}a\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
89.452 +{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\rulename{even{\isaliteral{2E}{\isachardot}}cases}%
89.453 +\end{isabelle}
89.454 +This general rule is less useful than instances of it for
89.455 +specific patterns. For example, if \isa{a} has the form
89.456 +\isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}} then the first case becomes irrelevant, while the second
89.457 +case tells us that \isa{n} belongs to \isa{even}. Isabelle will generate
89.458 +this instance for us:%
89.459 +\end{isamarkuptext}%
89.460 +\isamarkuptrue%
89.461 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}cases}\isamarkupfalse%
89.462 +\ Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}cases\ {\isaliteral{5B}{\isacharbrackleft}}elim{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}%
89.463 +\begin{isamarkuptext}%
89.464 +The \commdx{inductive\protect\_cases} command generates an instance of
89.465 +the \isa{cases} rule for the supplied pattern and gives it the supplied name:
89.466 +\begin{isabelle}%
89.467 +{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\rulename{Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}cases}%
89.468 +\end{isabelle}
89.469 +Applying this as an elimination rule yields one case where \isa{even{\isaliteral{2E}{\isachardot}}cases}
89.470 +would yield two. Rule inversion works well when the conclusions of the
89.471 +introduction rules involve datatype constructors like \isa{Suc} and \isa{{\isaliteral{23}{\isacharhash}}}
89.472 +(list ``cons''); freeness reasoning discards all but one or two cases.
89.473 +
89.474 +In the \isacommand{inductive\_cases} command we supplied an
89.475 +attribute, \isa{elim{\isaliteral{21}{\isacharbang}}},
89.476 +\index{elim"!@\isa {elim"!} (attribute)}%
89.477 +indicating that this elimination rule can be
89.478 +applied aggressively. The original
89.479 +\isa{cases} rule would loop if used in that manner because the
89.480 +pattern~\isa{a} matches everything.
89.481 +
89.482 +The rule \isa{Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}cases} is equivalent to the following implication:
89.483 +\begin{isabelle}%
89.484 +Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
89.485 +\end{isabelle}
89.486 +Just above we devoted some effort to reaching precisely
89.487 +this result. Yet we could have obtained it by a one-line declaration,
89.488 +dispensing with the lemma \isa{even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}minus{\isaliteral{5F}{\isacharunderscore}}{\isadigit{2}}}.
89.489 +This example also justifies the terminology
89.490 +\textbf{rule inversion}: the new rule inverts the introduction rule
89.491 +\isa{even{\isaliteral{2E}{\isachardot}}step}. In general, a rule can be inverted when the set of elements
89.492 +it introduces is disjoint from those of the other introduction rules.
89.493 +
89.494 +For one-off applications of rule inversion, use the \methdx{ind_cases} method.
89.495 +Here is an example:%
89.496 +\end{isamarkuptext}%
89.497 +\isamarkuptrue%
89.498 +%
89.499 +\isadelimproof
89.500 +%
89.501 +\endisadelimproof
89.502 +%
89.503 +\isatagproof
89.504 +\isacommand{apply}\isamarkupfalse%
89.505 +\ {\isaliteral{28}{\isacharparenleft}}ind{\isaliteral{5F}{\isacharunderscore}}cases\ {\isaliteral{22}{\isachardoublequoteopen}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}%
89.506 +\endisatagproof
89.507 +{\isafoldproof}%
89.508 +%
89.509 +\isadelimproof
89.510 +%
89.511 +\endisadelimproof
89.512 +%
89.513 +\begin{isamarkuptext}%
89.514 +The specified instance of the \isa{cases} rule is generated, then applied
89.515 +as an elimination rule.
89.516 +
89.517 +To summarize, every inductive definition produces a \isa{cases} rule. The
89.518 +\commdx{inductive\protect\_cases} command stores an instance of the
89.519 +\isa{cases} rule for a given pattern. Within a proof, the
89.520 +\isa{ind{\isaliteral{5F}{\isacharunderscore}}cases} method applies an instance of the \isa{cases}
89.521 +rule.
89.522 +
89.523 +The even numbers example has shown how inductive definitions can be
89.524 +used. Later examples will show that they are actually worth using.%
89.525 +\index{rule inversion|)}%
89.526 +\index{even numbers!defining inductively|)}%
89.527 +\end{isamarkuptext}%
89.528 +\isamarkuptrue%
89.529 +%
89.530 +\isadelimtheory
89.531 +%
89.532 +\endisadelimtheory
89.533 +%
89.534 +\isatagtheory
89.535 +%
89.536 +\endisatagtheory
89.537 +{\isafoldtheory}%
89.538 +%
89.539 +\isadelimtheory
89.540 +%
89.541 +\endisadelimtheory
89.542 +\end{isabellebody}%
89.543 +%%% Local Variables:
89.544 +%%% mode: latex
89.545 +%%% TeX-master: "root"
89.546 +%%% End:
90.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
90.2 +++ b/doc-src/TutorialI/document/Event.tex Thu Jul 26 19:59:06 2012 +0200
90.3 @@ -0,0 +1,518 @@
90.4 +%
90.5 +\begin{isabellebody}%
90.6 +\def\isabellecontext{Event}%
90.7 +%
90.8 +\isadelimtheory
90.9 +%
90.10 +\endisadelimtheory
90.11 +%
90.12 +\isatagtheory
90.13 +%
90.14 +\endisatagtheory
90.15 +{\isafoldtheory}%
90.16 +%
90.17 +\isadelimtheory
90.18 +%
90.19 +\endisadelimtheory
90.20 +%
90.21 +\isadelimproof
90.22 +%
90.23 +\endisadelimproof
90.24 +%
90.25 +\isatagproof
90.26 +%
90.27 +\endisatagproof
90.28 +{\isafoldproof}%
90.29 +%
90.30 +\isadelimproof
90.31 +%
90.32 +\endisadelimproof
90.33 +%
90.34 +\isadelimproof
90.35 +%
90.36 +\endisadelimproof
90.37 +%
90.38 +\isatagproof
90.39 +%
90.40 +\endisatagproof
90.41 +{\isafoldproof}%
90.42 +%
90.43 +\isadelimproof
90.44 +%
90.45 +\endisadelimproof
90.46 +%
90.47 +\isadelimproof
90.48 +%
90.49 +\endisadelimproof
90.50 +%
90.51 +\isatagproof
90.52 +%
90.53 +\endisatagproof
90.54 +{\isafoldproof}%
90.55 +%
90.56 +\isadelimproof
90.57 +%
90.58 +\endisadelimproof
90.59 +%
90.60 +\isadelimproof
90.61 +%
90.62 +\endisadelimproof
90.63 +%
90.64 +\isatagproof
90.65 +%
90.66 +\endisatagproof
90.67 +{\isafoldproof}%
90.68 +%
90.69 +\isadelimproof
90.70 +%
90.71 +\endisadelimproof
90.72 +%
90.73 +\isadelimproof
90.74 +%
90.75 +\endisadelimproof
90.76 +%
90.77 +\isatagproof
90.78 +%
90.79 +\endisatagproof
90.80 +{\isafoldproof}%
90.81 +%
90.82 +\isadelimproof
90.83 +%
90.84 +\endisadelimproof
90.85 +%
90.86 +\isadelimproof
90.87 +%
90.88 +\endisadelimproof
90.89 +%
90.90 +\isatagproof
90.91 +%
90.92 +\endisatagproof
90.93 +{\isafoldproof}%
90.94 +%
90.95 +\isadelimproof
90.96 +%
90.97 +\endisadelimproof
90.98 +%
90.99 +\isadelimproof
90.100 +%
90.101 +\endisadelimproof
90.102 +%
90.103 +\isatagproof
90.104 +%
90.105 +\endisatagproof
90.106 +{\isafoldproof}%
90.107 +%
90.108 +\isadelimproof
90.109 +%
90.110 +\endisadelimproof
90.111 +%
90.112 +\isadelimproof
90.113 +%
90.114 +\endisadelimproof
90.115 +%
90.116 +\isatagproof
90.117 +%
90.118 +\endisatagproof
90.119 +{\isafoldproof}%
90.120 +%
90.121 +\isadelimproof
90.122 +%
90.123 +\endisadelimproof
90.124 +%
90.125 +\isadelimproof
90.126 +%
90.127 +\endisadelimproof
90.128 +%
90.129 +\isatagproof
90.130 +%
90.131 +\endisatagproof
90.132 +{\isafoldproof}%
90.133 +%
90.134 +\isadelimproof
90.135 +%
90.136 +\endisadelimproof
90.137 +%
90.138 +\isadelimproof
90.139 +%
90.140 +\endisadelimproof
90.141 +%
90.142 +\isatagproof
90.143 +%
90.144 +\endisatagproof
90.145 +{\isafoldproof}%
90.146 +%
90.147 +\isadelimproof
90.148 +%
90.149 +\endisadelimproof
90.150 +%
90.151 +\isadelimproof
90.152 +%
90.153 +\endisadelimproof
90.154 +%
90.155 +\isatagproof
90.156 +%
90.157 +\endisatagproof
90.158 +{\isafoldproof}%
90.159 +%
90.160 +\isadelimproof
90.161 +%
90.162 +\endisadelimproof
90.163 +%
90.164 +\isadelimproof
90.165 +%
90.166 +\endisadelimproof
90.167 +%
90.168 +\isatagproof
90.169 +%
90.170 +\endisatagproof
90.171 +{\isafoldproof}%
90.172 +%
90.173 +\isadelimproof
90.174 +%
90.175 +\endisadelimproof
90.176 +%
90.177 +\isadelimproof
90.178 +%
90.179 +\endisadelimproof
90.180 +%
90.181 +\isatagproof
90.182 +%
90.183 +\endisatagproof
90.184 +{\isafoldproof}%
90.185 +%
90.186 +\isadelimproof
90.187 +%
90.188 +\endisadelimproof
90.189 +%
90.190 +\isadelimproof
90.191 +%
90.192 +\endisadelimproof
90.193 +%
90.194 +\isatagproof
90.195 +%
90.196 +\endisatagproof
90.197 +{\isafoldproof}%
90.198 +%
90.199 +\isadelimproof
90.200 +%
90.201 +\endisadelimproof
90.202 +%
90.203 +\isadelimproof
90.204 +%
90.205 +\endisadelimproof
90.206 +%
90.207 +\isatagproof
90.208 +%
90.209 +\endisatagproof
90.210 +{\isafoldproof}%
90.211 +%
90.212 +\isadelimproof
90.213 +%
90.214 +\endisadelimproof
90.215 +%
90.216 +\isadelimproof
90.217 +%
90.218 +\endisadelimproof
90.219 +%
90.220 +\isatagproof
90.221 +%
90.222 +\endisatagproof
90.223 +{\isafoldproof}%
90.224 +%
90.225 +\isadelimproof
90.226 +%
90.227 +\endisadelimproof
90.228 +%
90.229 +\isadelimproof
90.230 +%
90.231 +\endisadelimproof
90.232 +%
90.233 +\isatagproof
90.234 +%
90.235 +\endisatagproof
90.236 +{\isafoldproof}%
90.237 +%
90.238 +\isadelimproof
90.239 +%
90.240 +\endisadelimproof
90.241 +%
90.242 +\isadelimproof
90.243 +%
90.244 +\endisadelimproof
90.245 +%
90.246 +\isatagproof
90.247 +%
90.248 +\endisatagproof
90.249 +{\isafoldproof}%
90.250 +%
90.251 +\isadelimproof
90.252 +%
90.253 +\endisadelimproof
90.254 +%
90.255 +\isadelimproof
90.256 +%
90.257 +\endisadelimproof
90.258 +%
90.259 +\isatagproof
90.260 +%
90.261 +\endisatagproof
90.262 +{\isafoldproof}%
90.263 +%
90.264 +\isadelimproof
90.265 +%
90.266 +\endisadelimproof
90.267 +%
90.268 +\isadelimproof
90.269 +%
90.270 +\endisadelimproof
90.271 +%
90.272 +\isatagproof
90.273 +%
90.274 +\endisatagproof
90.275 +{\isafoldproof}%
90.276 +%
90.277 +\isadelimproof
90.278 +%
90.279 +\endisadelimproof
90.280 +%
90.281 +\isadelimproof
90.282 +%
90.283 +\endisadelimproof
90.284 +%
90.285 +\isatagproof
90.286 +%
90.287 +\endisatagproof
90.288 +{\isafoldproof}%
90.289 +%
90.290 +\isadelimproof
90.291 +%
90.292 +\endisadelimproof
90.293 +%
90.294 +\isadelimproof
90.295 +%
90.296 +\endisadelimproof
90.297 +%
90.298 +\isatagproof
90.299 +%
90.300 +\endisatagproof
90.301 +{\isafoldproof}%
90.302 +%
90.303 +\isadelimproof
90.304 +%
90.305 +\endisadelimproof
90.306 +%
90.307 +\isadelimproof
90.308 +%
90.309 +\endisadelimproof
90.310 +%
90.311 +\isatagproof
90.312 +%
90.313 +\endisatagproof
90.314 +{\isafoldproof}%
90.315 +%
90.316 +\isadelimproof
90.317 +%
90.318 +\endisadelimproof
90.319 +%
90.320 +\isadelimproof
90.321 +%
90.322 +\endisadelimproof
90.323 +%
90.324 +\isatagproof
90.325 +%
90.326 +\endisatagproof
90.327 +{\isafoldproof}%
90.328 +%
90.329 +\isadelimproof
90.330 +%
90.331 +\endisadelimproof
90.332 +%
90.333 +\isadelimproof
90.334 +%
90.335 +\endisadelimproof
90.336 +%
90.337 +\isatagproof
90.338 +%
90.339 +\endisatagproof
90.340 +{\isafoldproof}%
90.341 +%
90.342 +\isadelimproof
90.343 +%
90.344 +\endisadelimproof
90.345 +%
90.346 +\isadelimproof
90.347 +%
90.348 +\endisadelimproof
90.349 +%
90.350 +\isatagproof
90.351 +%
90.352 +\endisatagproof
90.353 +{\isafoldproof}%
90.354 +%
90.355 +\isadelimproof
90.356 +%
90.357 +\endisadelimproof
90.358 +%
90.359 +\isadelimproof
90.360 +%
90.361 +\endisadelimproof
90.362 +%
90.363 +\isatagproof
90.364 +%
90.365 +\endisatagproof
90.366 +{\isafoldproof}%
90.367 +%
90.368 +\isadelimproof
90.369 +%
90.370 +\endisadelimproof
90.371 +%
90.372 +\isadelimproof
90.373 +%
90.374 +\endisadelimproof
90.375 +%
90.376 +\isatagproof
90.377 +%
90.378 +\endisatagproof
90.379 +{\isafoldproof}%
90.380 +%
90.381 +\isadelimproof
90.382 +%
90.383 +\endisadelimproof
90.384 +%
90.385 +\isadelimML
90.386 +%
90.387 +\endisadelimML
90.388 +%
90.389 +\isatagML
90.390 +%
90.391 +\endisatagML
90.392 +{\isafoldML}%
90.393 +%
90.394 +\isadelimML
90.395 +%
90.396 +\endisadelimML
90.397 +%
90.398 +\isadelimproof
90.399 +%
90.400 +\endisadelimproof
90.401 +%
90.402 +\isatagproof
90.403 +%
90.404 +\endisatagproof
90.405 +{\isafoldproof}%
90.406 +%
90.407 +\isadelimproof
90.408 +%
90.409 +\endisadelimproof
90.410 +%
90.411 +\isadelimproof
90.412 +%
90.413 +\endisadelimproof
90.414 +%
90.415 +\isatagproof
90.416 +%
90.417 +\endisatagproof
90.418 +{\isafoldproof}%
90.419 +%
90.420 +\isadelimproof
90.421 +%
90.422 +\endisadelimproof
90.423 +%
90.424 +\isadelimproof
90.425 +%
90.426 +\endisadelimproof
90.427 +%
90.428 +\isatagproof
90.429 +%
90.430 +\endisatagproof
90.431 +{\isafoldproof}%
90.432 +%
90.433 +\isadelimproof
90.434 +%
90.435 +\endisadelimproof
90.436 +%
90.437 +\isadelimML
90.438 +%
90.439 +\endisadelimML
90.440 +%
90.441 +\isatagML
90.442 +%
90.443 +\endisatagML
90.444 +{\isafoldML}%
90.445 +%
90.446 +\isadelimML
90.447 +%
90.448 +\endisadelimML
90.449 +%
90.450 +\isadelimML
90.451 +%
90.452 +\endisadelimML
90.453 +%
90.454 +\isatagML
90.455 +%
90.456 +\endisatagML
90.457 +{\isafoldML}%
90.458 +%
90.459 +\isadelimML
90.460 +%
90.461 +\endisadelimML
90.462 +%
90.463 +\isamarkupsection{Event Traces \label{sec:events}%
90.464 +}
90.465 +\isamarkuptrue%
90.466 +%
90.467 +\begin{isamarkuptext}%
90.468 +The system's behaviour is formalized as a set of traces of
90.469 +\emph{events}. The most important event, \isa{Says\ A\ B\ X}, expresses
90.470 +$A\to B : X$, which is the attempt by~$A$ to send~$B$ the message~$X$.
90.471 +A trace is simply a list, constructed in reverse
90.472 +using~\isa{{\isaliteral{23}{\isacharhash}}}. Other event types include reception of messages (when
90.473 +we want to make it explicit) and an agent's storing a fact.
90.474 +
90.475 +Sometimes the protocol requires an agent to generate a new nonce. The
90.476 +probability that a 20-byte random number has appeared before is effectively
90.477 +zero. To formalize this important property, the set \isa{used\ evs}
90.478 +denotes the set of all items mentioned in the trace~\isa{evs}.
90.479 +The function \isa{used} has a straightforward
90.480 +recursive definition. Here is the case for \isa{Says} event:
90.481 +\begin{isabelle}%
90.482 +\ \ \ \ \ used\ {\isaliteral{28}{\isacharparenleft}}Says\ A\ B\ X\ {\isaliteral{23}{\isacharhash}}\ evs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ parts\ {\isaliteral{7B}{\isacharbraceleft}}X{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ used\ evs%
90.483 +\end{isabelle}
90.484 +
90.485 +The function \isa{knows} formalizes an agent's knowledge. Mostly we only
90.486 +care about the spy's knowledge, and \isa{knows\ Spy\ evs} is the set of items
90.487 +available to the spy in the trace~\isa{evs}. Already in the empty trace,
90.488 +the spy starts with some secrets at his disposal, such as the private keys
90.489 +of compromised users. After each \isa{Says} event, the spy learns the
90.490 +message that was sent:
90.491 +\begin{isabelle}%
90.492 +\ \ \ \ \ knows\ Spy\ {\isaliteral{28}{\isacharparenleft}}Says\ A\ B\ X\ {\isaliteral{23}{\isacharhash}}\ evs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ insert\ X\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}%
90.493 +\end{isabelle}
90.494 +Combinations of functions express other important
90.495 +sets of messages derived from~\isa{evs}:
90.496 +\begin{itemize}
90.497 +\item \isa{analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}} is everything that the spy could
90.498 +learn by decryption
90.499 +\item \isa{synth\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}} is everything that the spy
90.500 +could generate
90.501 +\end{itemize}%
90.502 +\end{isamarkuptext}%
90.503 +\isamarkuptrue%
90.504 +%
90.505 +\isadelimtheory
90.506 +%
90.507 +\endisadelimtheory
90.508 +%
90.509 +\isatagtheory
90.510 +%
90.511 +\endisatagtheory
90.512 +{\isafoldtheory}%
90.513 +%
90.514 +\isadelimtheory
90.515 +%
90.516 +\endisadelimtheory
90.517 +\end{isabellebody}%
90.518 +%%% Local Variables:
90.519 +%%% mode: latex
90.520 +%%% TeX-master: "root"
90.521 +%%% End:
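--- /dev/null
+++ b/doc-src/TutorialI/document/Fundata.tex
@@ -0,0 +1,115 @@
+%
+\begin{isabellebody}%
+\def\isabellecontext{Fundata}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+\isacommand{datatype}\isamarkupfalse%
+\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree\ {\isaliteral{3D}{\isacharequal}}\ Tip\ {\isaliteral{7C}{\isacharbar}}\ Br\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}i\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree{\isaliteral{22}{\isachardoublequoteclose}}%
+\begin{isamarkuptext}%
+\noindent
+Parameter \isa{{\isaliteral{27}{\isacharprime}}a} is the type of values stored in
+the \isa{Br}anches of the tree, whereas \isa{{\isaliteral{27}{\isacharprime}}i} is the index
+type over which the tree branches. If \isa{{\isaliteral{27}{\isacharprime}}i} is instantiated to
+\isa{bool}, the result is a binary tree; if it is instantiated to
+\isa{nat}, we have an infinitely branching tree because each node
+has as many subtrees as there are natural numbers. How can we possibly
+write down such a tree? Using functional notation! For example, the term
+\begin{isabelle}%
+\ \ \ \ \ Br\ {\isadigit{0}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ Br\ i\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}n{\isaliteral{2E}{\isachardot}}\ Tip{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
+\end{isabelle}
+of type \isa{{\isaliteral{28}{\isacharparenleft}}nat{\isaliteral{2C}{\isacharcomma}}\ nat{\isaliteral{29}{\isacharparenright}}\ bigtree} is the tree whose
+root is labeled with 0 and whose $i$th subtree is labeled with $i$ and
+has merely \isa{Tip}s as further subtrees.
+
+Function \isa{map{\isaliteral{5F}{\isacharunderscore}}bt} applies a function to all labels in a \isa{bigtree}:%
+\end{isamarkuptext}%
+\isamarkuptrue%
+\isacommand{primrec}\isamarkupfalse%
+\ map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}b{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
+\isakeyword{where}\isanewline
+{\isaliteral{22}{\isachardoublequoteopen}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ Tip\ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ Tip{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
+{\isaliteral{22}{\isachardoublequoteopen}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}Br\ a\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Br\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}F\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
+\begin{isamarkuptext}%
+\noindent This is a valid \isacommand{primrec} definition because the
+recursive calls of \isa{map{\isaliteral{5F}{\isacharunderscore}}bt} involve only subtrees of
+\isa{F}, which is itself a subterm of the left-hand side. Thus termination
+is assured. The seasoned functional programmer might try expressing
+\isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}F\ i{\isaliteral{29}{\isacharparenright}}} as \isa{map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ F}, which Isabelle
+however will reject. Applying \isa{map{\isaliteral{5F}{\isacharunderscore}}bt} to only one of its arguments
+makes the termination proof less obvious.
+
+The following lemma has a simple proof by induction:%
+\end{isamarkuptext}%
+\isamarkuptrue%
+\isacommand{lemma}\isamarkupfalse%
+\ {\isaliteral{22}{\isachardoublequoteopen}}map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ o\ f{\isaliteral{29}{\isacharparenright}}\ T\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+\isacommand{apply}\isamarkupfalse%
+{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ T{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
+\isacommand{done}\isamarkupfalse%
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+%
+\begin{isamarkuptxt}%
+\noindent
+Because of the function type, the proof state after induction looks unusual.
+Notice the quantified induction hypothesis:
+\begin{isabelle}%
+\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ f{\isaliteral{29}{\isacharparenright}}\ Tip\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ Tip{\isaliteral{29}{\isacharparenright}}\isanewline
+\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ F{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}F\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}F\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
+\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ F{\isaliteral{2E}{\isachardot}}\ }map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Br\ a\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}Br\ a\ F{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
+\end{isabelle}%
+\end{isamarkuptxt}%
+\isamarkuptrue%
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+\end{isabellebody}%
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "root"
+%%% End: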
92.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
92.2 +++ b/doc-src/TutorialI/document/Ifexpr.tex Thu Jul 26 19:59:06 2012 +0200
92.3 @@ -0,0 +1,351 @@
92.4 +%
92.5 +\begin{isabellebody}%
92.6 +\def\isabellecontext{Ifexpr}%
92.7 +%
92.8 +\isadelimtheory
92.9 +%
92.10 +\endisadelimtheory
92.11 +%
92.12 +\isatagtheory
92.13 +%
92.14 +\endisatagtheory
92.15 +{\isafoldtheory}%
92.16 +%
92.17 +\isadelimtheory
92.18 +%
92.19 +\endisadelimtheory
92.20 +%
92.21 +\isamarkupsubsection{Case Study: Boolean Expressions%
92.22 +}
92.23 +\isamarkuptrue%
92.24 +%
92.25 +\begin{isamarkuptext}%
92.26 +\label{sec:boolex}\index{boolean expressions example|(}
92.27 +The aim of this case study is twofold: it shows how to model boolean
92.28 +expressions and some algorithms for manipulating them, and it demonstrates
92.29 +the constructs introduced above.%
92.30 +\end{isamarkuptext}%
92.31 +\isamarkuptrue%
92.32 +%
92.33 +\isamarkupsubsubsection{Modelling Boolean Expressions%
92.34 +}
92.35 +\isamarkuptrue%
92.36 +%
92.37 +\begin{isamarkuptext}%
92.38 +We want to represent boolean expressions built up from variables and
92.39 +constants by negation and conjunction. The following datatype serves exactly
92.40 +that purpose:%
92.41 +\end{isamarkuptext}%
92.42 +\isamarkuptrue%
92.43 +\isacommand{datatype}\isamarkupfalse%
92.44 +\ boolex\ {\isaliteral{3D}{\isacharequal}}\ Const\ bool\ {\isaliteral{7C}{\isacharbar}}\ Var\ nat\ {\isaliteral{7C}{\isacharbar}}\ Neg\ boolex\isanewline
92.45 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ And\ boolex\ boolex%
92.46 +\begin{isamarkuptext}%
92.47 +\noindent
92.48 +The two constants are represented by \isa{Const\ True} and
92.49 +\isa{Const\ False}. Variables are represented by terms of the form
92.50 +\isa{Var\ n}, where \isa{n} is a natural number (type \isa{nat}).
92.51 +For example, the formula $P@0 \land \neg P@1$ is represented by the term
92.52 +\isa{And\ {\isaliteral{28}{\isacharparenleft}}Var\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Neg\ {\isaliteral{28}{\isacharparenleft}}Var\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}.
92.53 +
92.54 +\subsubsection{The Value of a Boolean Expression}
92.55 +
92.56 +The value of a boolean expression depends on the value of its variables.
92.57 +Hence the function \isa{value} takes an additional parameter, an
92.58 +\emph{environment} of type \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}, which maps variables to their
92.59 +values:%
92.60 +\end{isamarkuptext}%
92.61 +\isamarkuptrue%
92.62 +\isacommand{primrec}\isamarkupfalse%
92.63 +\ {\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}boolex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
92.64 +{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Const\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.65 +{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ env\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.66 +{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ value\ b\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.67 +{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}And\ b\ c{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}value\ b\ env\ {\isaliteral{5C3C616E643E}{\isasymand}}\ value\ c\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
92.68 +\begin{isamarkuptext}%
92.69 +\noindent
92.70 +\subsubsection{If-Expressions}
92.71 +
92.72 +An alternative and often more efficient (because in a certain sense
92.73 +canonical) representation are so-called \emph{If-expressions} built up
92.74 +from constants (\isa{CIF}), variables (\isa{VIF}) and conditionals
92.75 +(\isa{IF}):%
92.76 +\end{isamarkuptext}%
92.77 +\isamarkuptrue%
92.78 +\isacommand{datatype}\isamarkupfalse%
92.79 +\ ifex\ {\isaliteral{3D}{\isacharequal}}\ CIF\ bool\ {\isaliteral{7C}{\isacharbar}}\ VIF\ nat\ {\isaliteral{7C}{\isacharbar}}\ IF\ ifex\ ifex\ ifex%
92.80 +\begin{isamarkuptext}%
92.81 +\noindent
92.82 +The evaluation of If-expressions proceeds as for \isa{boolex}:%
92.83 +\end{isamarkuptext}%
92.84 +\isamarkuptrue%
92.85 +\isacommand{primrec}\isamarkupfalse%
92.86 +\ valif\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
92.87 +{\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ \ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.88 +{\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ \ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ env\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.89 +{\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ valif\ b\ env\ then\ valif\ t\ env\isanewline
92.90 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ else\ valif\ e\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
92.91 +\begin{isamarkuptext}%
92.92 +\subsubsection{Converting Boolean and If-Expressions}
92.93 +
92.94 +The type \isa{boolex} is close to the customary representation of logical
92.95 +formulae, whereas \isa{ifex} is designed for efficiency. It is easy to
92.96 +translate from \isa{boolex} into \isa{ifex}:%
92.97 +\end{isamarkuptext}%
92.98 +\isamarkuptrue%
92.99 +\isacommand{primrec}\isamarkupfalse%
92.100 +\ bool{\isadigit{2}}if\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}boolex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
92.101 +{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}Const\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ CIF\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.102 +{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ \ \ {\isaliteral{3D}{\isacharequal}}\ VIF\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.103 +{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ \ \ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}CIF\ False{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}CIF\ True{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.104 +{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}And\ b\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}CIF\ False{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
92.105 +\begin{isamarkuptext}%
92.106 +\noindent
92.107 +At last, we have something we can verify: that \isa{bool{\isadigit{2}}if} preserves the
92.108 +value of its argument:%
92.109 +\end{isamarkuptext}%
92.110 +\isamarkuptrue%
92.111 +\isacommand{lemma}\isamarkupfalse%
92.112 +\ {\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ value\ b\ env{\isaliteral{22}{\isachardoublequoteclose}}%
92.113 +\isadelimproof
92.114 +%
92.115 +\endisadelimproof
92.116 +%
92.117 +\isatagproof
92.118 +%
92.119 +\begin{isamarkuptxt}%
92.120 +\noindent
92.121 +The proof is canonical:%
92.122 +\end{isamarkuptxt}%
92.123 +\isamarkuptrue%
92.124 +\isacommand{apply}\isamarkupfalse%
92.125 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ b{\isaliteral{29}{\isacharparenright}}\isanewline
92.126 +\isacommand{apply}\isamarkupfalse%
92.127 +{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
92.128 +\isacommand{done}\isamarkupfalse%
92.129 +%
92.130 +\endisatagproof
92.131 +{\isafoldproof}%
92.132 +%
92.133 +\isadelimproof
92.134 +%
92.135 +\endisadelimproof
92.136 +%
92.137 +\begin{isamarkuptext}%
92.138 +\noindent
92.139 +In fact, all proofs in this case study look exactly like this. Hence we do
92.140 +not show them below.
92.141 +
92.142 +More interesting is the transformation of If-expressions into a normal form
92.143 +where the first argument of \isa{IF} cannot be another \isa{IF} but
92.144 +must be a constant or variable. Such a normal form can be computed by
92.145 +repeatedly replacing a subterm of the form \isa{IF\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ x\ y{\isaliteral{29}{\isacharparenright}}\ z\ u} by
92.146 +\isa{IF\ b\ {\isaliteral{28}{\isacharparenleft}}IF\ x\ z\ u{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}IF\ y\ z\ u{\isaliteral{29}{\isacharparenright}}}, which has the same value. The following
92.147 +primitive recursive functions perform this task:%
92.148 +\end{isamarkuptext}%
92.149 +\isamarkuptrue%
92.150 +\isacommand{primrec}\isamarkupfalse%
92.151 +\ normif\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
92.152 +{\isaliteral{22}{\isachardoublequoteopen}}normif\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ \ \ \ t\ e\ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ t\ e{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.153 +{\isaliteral{22}{\isachardoublequoteopen}}normif\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ \ \ \ t\ e\ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ t\ e{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.154 +{\isaliteral{22}{\isachardoublequoteopen}}normif\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ u\ f\ {\isaliteral{3D}{\isacharequal}}\ normif\ b\ {\isaliteral{28}{\isacharparenleft}}normif\ t\ u\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}normif\ e\ u\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
92.155 +\isanewline
92.156 +\isacommand{primrec}\isamarkupfalse%
92.157 +\ norm\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
92.158 +{\isaliteral{22}{\isachardoublequoteopen}}norm\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ CIF\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.159 +{\isaliteral{22}{\isachardoublequoteopen}}norm\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ VIF\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.160 +{\isaliteral{22}{\isachardoublequoteopen}}norm\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ normif\ b\ {\isaliteral{28}{\isacharparenleft}}norm\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}norm\ e{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
92.161 +\begin{isamarkuptext}%
92.162 +\noindent
92.163 +Their interplay is tricky; we leave it to you to develop an
92.164 +intuitive understanding. Fortunately, Isabelle can help us to verify that the
92.165 +transformation preserves the value of the expression:%
92.166 +\end{isamarkuptext}%
92.167 +\isamarkuptrue%
92.168 +\isacommand{theorem}\isamarkupfalse%
92.169 +\ {\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}norm\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ valif\ b\ env{\isaliteral{22}{\isachardoublequoteclose}}%
92.170 +\isadelimproof
92.171 +%
92.172 +\endisadelimproof
92.173 +%
92.174 +\isatagproof
92.175 +%
92.176 +\endisatagproof
92.177 +{\isafoldproof}%
92.178 +%
92.179 +\isadelimproof
92.180 +%
92.181 +\endisadelimproof
92.182 +%
92.183 +\begin{isamarkuptext}%
92.184 +\noindent
92.185 +The proof is canonical, provided we first show the following simplification
92.186 +lemma, which also helps to understand what \isa{normif} does:%
92.187 +\end{isamarkuptext}%
92.188 +\isamarkuptrue%
92.189 +\isacommand{lemma}\isamarkupfalse%
92.190 +\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
92.191 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ e{\isaliteral{2E}{\isachardot}}\ valif\ {\isaliteral{28}{\isacharparenleft}}normif\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ valif\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ env{\isaliteral{22}{\isachardoublequoteclose}}%
92.192 +\isadelimproof
92.193 +%
92.194 +\endisadelimproof
92.195 +%
92.196 +\isatagproof
92.197 +%
92.198 +\endisatagproof
92.199 +{\isafoldproof}%
92.200 +%
92.201 +\isadelimproof
92.202 +%
92.203 +\endisadelimproof
92.204 +%
92.205 +\isadelimproof
92.206 +%
92.207 +\endisadelimproof
92.208 +%
92.209 +\isatagproof
92.210 +%
92.211 +\endisatagproof
92.212 +{\isafoldproof}%
92.213 +%
92.214 +\isadelimproof
92.215 +%
92.216 +\endisadelimproof
92.217 +%
92.218 +\begin{isamarkuptext}%
92.219 +\noindent
92.220 +Note that the lemma does not have a name, but is implicitly used in the proof
92.221 +of the theorem shown above because of the \isa{{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}} attribute.
92.222 +
92.223 +But how can we be sure that \isa{norm} really produces a normal form in
92.224 +the above sense? We define a function that tests If-expressions for normality:%
92.225 +\end{isamarkuptext}%
92.226 +\isamarkuptrue%
92.227 +\isacommand{primrec}\isamarkupfalse%
92.228 +\ normal\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
92.229 +{\isaliteral{22}{\isachardoublequoteopen}}normal{\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.230 +{\isaliteral{22}{\isachardoublequoteopen}}normal{\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
92.231 +{\isaliteral{22}{\isachardoublequoteopen}}normal{\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}normal\ t\ {\isaliteral{5C3C616E643E}{\isasymand}}\ normal\ e\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
92.232 +\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}case\ b\ of\ CIF\ b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ True\ {\isaliteral{7C}{\isacharbar}}\ VIF\ x\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ True\ {\isaliteral{7C}{\isacharbar}}\ IF\ x\ y\ z\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ False{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
92.233 +\begin{isamarkuptext}%
92.234 +\noindent
92.235 +Now we prove \isa{normal\ {\isaliteral{28}{\isacharparenleft}}norm\ b{\isaliteral{29}{\isacharparenright}}}. Of course, this requires a lemma about
92.236 +normality of \isa{normif}:%
92.237 +\end{isamarkuptext}%
92.238 +\isamarkuptrue%
92.239 +\isacommand{lemma}\isamarkupfalse%
92.240 +\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ e{\isaliteral{2E}{\isachardot}}\ normal{\isaliteral{28}{\isacharparenleft}}normif\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}normal\ t\ {\isaliteral{5C3C616E643E}{\isasymand}}\ normal\ e{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
92.241 +\isadelimproof
92.242 +%
92.243 +\endisadelimproof
92.244 +%
92.245 +\isatagproof
92.246 +%
92.247 +\endisatagproof
92.248 +{\isafoldproof}%
92.249 +%
92.250 +\isadelimproof
92.251 +%
92.252 +\endisadelimproof
92.253 +%
92.254 +\isadelimproof
92.255 +%
92.256 +\endisadelimproof
92.257 +%
92.258 +\isatagproof
92.259 +%
92.260 +\endisatagproof
92.261 +{\isafoldproof}%
92.262 +%
92.263 +\isadelimproof
92.264 +%
92.265 +\endisadelimproof
92.266 +%
92.267 +\begin{isamarkuptext}%
92.268 +\medskip
92.269 +How do we come up with the required lemmas? Try to prove the main theorems
92.270 +without them and study carefully what \isa{auto} leaves unproved. This
92.271 +can provide the clue. The necessity of universal quantification
92.272 +(\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ e}) in the two lemmas is explained in
92.273 +\S\ref{sec:InductionHeuristics}
92.274 +
92.275 +\begin{exercise}
92.276 + We strengthen the definition of a \isa{normal} If-expression as follows:
92.277 + the first argument of all \isa{IF}s must be a variable. Adapt the above
92.278 + development to this changed requirement. (Hint: you may need to formulate
92.279 + some of the goals as implications (\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}) rather than
92.280 + equalities (\isa{{\isaliteral{3D}{\isacharequal}}}).)
92.281 +\end{exercise}
92.282 +\index{boolean expressions example|)}%
92.283 +\end{isamarkuptext}%
92.284 +\isamarkuptrue%
92.285 +%
92.286 +\isadelimproof
92.287 +%
92.288 +\endisadelimproof
92.289 +%
92.290 +\isatagproof
92.291 +%
92.292 +\endisatagproof
92.293 +{\isafoldproof}%
92.294 +%
92.295 +\isadelimproof
92.296 +%
92.297 +\endisadelimproof
92.298 +%
92.299 +\isadelimproof
92.300 +%
92.301 +\endisadelimproof
92.302 +%
92.303 +\isatagproof
92.304 +%
92.305 +\endisatagproof
92.306 +{\isafoldproof}%
92.307 +%
92.308 +\isadelimproof
92.309 +%
92.310 +\endisadelimproof
92.311 +%
92.312 +\isadelimproof
92.313 +%
92.314 +\endisadelimproof
92.315 +%
92.316 +\isatagproof
92.317 +%
92.318 +\endisatagproof
92.319 +{\isafoldproof}%
92.320 +%
92.321 +\isadelimproof
92.322 +%
92.323 +\endisadelimproof
92.324 +%
92.325 +\isadelimproof
92.326 +%
92.327 +\endisadelimproof
92.328 +%
92.329 +\isatagproof
92.330 +%
92.331 +\endisatagproof
92.332 +{\isafoldproof}%
92.333 +%
92.334 +\isadelimproof
92.335 +%
92.336 +\endisadelimproof
92.337 +%
92.338 +\isadelimtheory
92.339 +%
92.340 +\endisadelimtheory
92.341 +%
92.342 +\isatagtheory
92.343 +%
92.344 +\endisatagtheory
92.345 +{\isafoldtheory}%
92.346 +%
92.347 +\isadelimtheory
92.348 +%
92.349 +\endisadelimtheory
92.350 +\end{isabellebody}%
92.351 +%%% Local Variables:
92.352 +%%% mode: latex
92.353 +%%% TeX-master: "root"
92.354 +%%% End:
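--- /dev/null
+++ b/doc-src/TutorialI/document/Itrev.tex
@@ -0,0 +1,222 @@
+%
+\begin{isabellebody}%
+\def\isabellecontext{Itrev}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isamarkupsection{Induction Heuristics%
+}
+\isamarkuptrue%
+%
+\begin{isamarkuptext}%
+\label{sec:InductionHeuristics}
+\index{induction heuristics|(}%
+The purpose of this section is to illustrate some simple heuristics for
+inductive proofs. The first one we have already mentioned in our initial
+example:
+\begin{quote}
+\emph{Theorems about recursive functions are proved by induction.}
+\end{quote}
+In case the function has more than one argument
+\begin{quote}
+\emph{Do induction on argument number $i$ if the function is defined by
+recursion in argument number $i$.}
+\end{quote}
+When we look at the proof of \isa{{\isaliteral{28}{\isacharparenleft}}xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}ys{\isaliteral{40}{\isacharat}}zs{\isaliteral{29}{\isacharparenright}}}
+in \S\ref{sec:intro-proof} we find
+\begin{itemize}
+\item \isa{{\isaliteral{40}{\isacharat}}} is recursive in
+the first argument
+\item \isa{xs} occurs only as the first argument of
+\isa{{\isaliteral{40}{\isacharat}}}
+\item both \isa{ys} and \isa{zs} occur at least once as
+the second argument of \isa{{\isaliteral{40}{\isacharat}}}
+\end{itemize}
+Hence it is natural to perform induction on~\isa{xs}.
+
+The key heuristic, and the main point of this section, is to
+\emph{generalize the goal before induction}.
+The reason is simple: if the goal is
+too specific, the induction hypothesis is too weak to allow the induction
+step to go through. Let us illustrate the idea with an example.
+
+Function \cdx{rev} has quadratic worst-case running time
+because it calls function \isa{{\isaliteral{40}{\isacharat}}} for each element of the list and
+\isa{{\isaliteral{40}{\isacharat}}} is linear in its first argument. A linear time version of
+\isa{rev} reqires an extra argument where the result is accumulated
+gradually, using only~\isa{{\isaliteral{23}{\isacharhash}}}:%
+\end{isamarkuptext}%
+\isamarkuptrue%
+\isacommand{primrec}\isamarkupfalse%
+\ itrev\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
+{\isaliteral{22}{\isachardoublequoteopen}}itrev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ ys\ {\isaliteral{3D}{\isacharequal}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
+{\isaliteral{22}{\isachardoublequoteopen}}itrev\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}xs{\isaliteral{29}{\isacharparenright}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ itrev\ xs\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}ys{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
+\begin{isamarkuptext}%
+\noindent
+The behaviour of \cdx{itrev} is simple: it reverses
+its first argument by stacking its elements onto the second argument,
+and returning that second argument when the first one becomes
+empty. Note that \isa{itrev} is tail-recursive: it can be
+compiled into a loop.
+
+Naturally, we would like to show that \isa{itrev} does indeed reverse
+its first argument provided the second one is empty:%
+\end{isamarkuptext}%
+\isamarkuptrue%
+\isacommand{lemma}\isamarkupfalse%
+\ {\isaliteral{22}{\isachardoublequoteopen}}itrev\ xs\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+%
+\begin{isamarkuptxt}%
+\noindent
+There is no choice as to the induction variable, and we immediately simplify:%
+\end{isamarkuptxt}%
+\isamarkuptrue%
+\isacommand{apply}\isamarkupfalse%
+{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
+\begin{isamarkuptxt}%
+\noindent
+Unfortunately, this attempt does not prove
+the induction step:
+\begin{isabelle}%
+\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
+\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ itrev\ list\ {\isaliteral{5B}{\isacharbrackleft}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}a{\isaliteral{5D}{\isacharbrackright}}%
+\end{isabelle}
+The induction hypothesis is too weak. The fixed
+argument,~\isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, prevents it from rewriting the conclusion.
+This example suggests a heuristic:
+\begin{quote}\index{generalizing induction formulae}%
+\emph{Generalize goals for induction by replacing constants by variables.}
+\end{quote}
+Of course one cannot do this na\"{\i}vely: \isa{itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs} is
+just not true. The correct generalization is%
+\end{isamarkuptxt}%
+\isamarkuptrue%
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+\isacommand{lemma}\isamarkupfalse%
+\ {\isaliteral{22}{\isachardoublequoteopen}}itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+%
+\begin{isamarkuptxt}%
+\noindent
+If \isa{ys} is replaced by \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, the right-hand side simplifies to
+\isa{rev\ xs}, as required.
+
+In this instance it was easy to guess the right generalization.
+Other situations can require a good deal of creativity.
+
+Although we now have two variables, only \isa{xs} is suitable for
+induction, and we repeat our proof attempt. Unfortunately, we are still
+not there:
+\begin{isabelle}%
+\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
+\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
+\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ ys%
+\end{isabelle}
+The induction hypothesis is still too weak, but this time it takes no
+intuition to generalize: the problem is that \isa{ys} is fixed throughout
+the subgoal, but the induction hypothesis needs to be applied with
+\isa{a\ {\isaliteral{23}{\isacharhash}}\ ys} instead of \isa{ys}. Hence we prove the theorem
+for all \isa{ys} instead of a fixed one:%
+\end{isamarkuptxt}%
+\isamarkuptrue%
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+\isacommand{lemma}\isamarkupfalse%
+\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}ys{\isaliteral{2E}{\isachardot}}\ itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\begin{isamarkuptext}%
+\noindent
+This time induction on \isa{xs} followed by simplification succeeds. This
+leads to another heuristic for generalization:
+\begin{quote}
+\emph{Generalize goals for induction by universally quantifying all free
+variables {\em(except the induction variable itself!)}.}
+\end{quote}
+This prevents trivial failures like the one above and does not affect the
+validity of the goal. However, this heuristic should not be applied blindly.
+It is not always required, and the additional quantifiers can complicate
+matters in some cases. The variables that should be quantified are typically
+those that change in recursive calls.
+
+A final point worth mentioning is the orientation of the equation we just
+proved: the more complex notion (\isa{itrev}) is on the left-hand
+side, the simpler one (\isa{rev}) on the right-hand side. This constitutes
+another, albeit weak heuristic that is not restricted to induction:
+\begin{quote}
+ \emph{The right-hand side of an equation should (in some sense) be simpler
+ than the left-hand side.}
+\end{quote}
+This heuristic is tricky to apply because it is not obvious that
+\isa{rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys} is simpler than \isa{itrev\ xs\ ys}. But see what
+happens if you try to prove \isa{rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ itrev\ xs\ ys}!
+
+If you have tried these heuristics and still find your
+induction does not go through, and no obvious lemma suggests itself, you may
+need to generalize your proposition even further. This requires insight into
+the problem at hand and is beyond simple rules of thumb.
+Additionally, you can read \S\ref{sec:advanced-ind}
+to learn about some advanced techniques for inductive proofs.%
+\index{induction heuristics|)}%
+\end{isamarkuptext}%
+\isamarkuptrue%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+\end{isabellebody}%
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "root"
+%%% End: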
94.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
94.2 +++ b/doc-src/TutorialI/document/Message.tex Thu Jul 26 19:59:06 2012 +0200
94.3 @@ -0,0 +1,1638 @@
94.4 +%
94.5 +\begin{isabellebody}%
94.6 +\def\isabellecontext{Message}%
94.7 +%
94.8 +\isadelimtheory
94.9 +%
94.10 +\endisadelimtheory
94.11 +%
94.12 +\isatagtheory
94.13 +%
94.14 +\endisatagtheory
94.15 +{\isafoldtheory}%
94.16 +%
94.17 +\isadelimtheory
94.18 +%
94.19 +\endisadelimtheory
94.20 +%
94.21 +\isadelimML
94.22 +%
94.23 +\endisadelimML
94.24 +%
94.25 +\isatagML
94.26 +%
94.27 +\endisatagML
94.28 +{\isafoldML}%
94.29 +%
94.30 +\isadelimML
94.31 +%
94.32 +\endisadelimML
94.33 +%
94.34 +\isadelimproof
94.35 +%
94.36 +\endisadelimproof
94.37 +%
94.38 +\isatagproof
94.39 +%
94.40 +\endisatagproof
94.41 +{\isafoldproof}%
94.42 +%
94.43 +\isadelimproof
94.44 +%
94.45 +\endisadelimproof
94.46 +%
94.47 +\isamarkupsection{Agents and Messages%
94.48 +}
94.49 +\isamarkuptrue%
94.50 +%
94.51 +\begin{isamarkuptext}%
94.52 +All protocol specifications refer to a syntactic theory of messages.
94.53 +Datatype
94.54 +\isa{agent} introduces the constant \isa{Server} (a trusted central
94.55 +machine, needed for some protocols), an infinite population of
94.56 +friendly agents, and the~\isa{Spy}:%
94.57 +\end{isamarkuptext}%
94.58 +\isamarkuptrue%
94.59 +\isacommand{datatype}\isamarkupfalse%
94.60 +\ agent\ {\isaliteral{3D}{\isacharequal}}\ Server\ {\isaliteral{7C}{\isacharbar}}\ Friend\ nat\ {\isaliteral{7C}{\isacharbar}}\ Spy%
94.61 +\begin{isamarkuptext}%
94.62 +Keys are just natural numbers. Function \isa{invKey} maps a public key to
94.63 +the matching private key, and vice versa:%
94.64 +\end{isamarkuptext}%
94.65 +\isamarkuptrue%
94.66 +\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
94.67 +\ key\ {\isaliteral{3D}{\isacharequal}}\ nat\isanewline
94.68 +\isacommand{consts}\isamarkupfalse%
94.69 +\ invKey\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}key\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ key{\isaliteral{22}{\isachardoublequoteclose}}%
94.70 +\isadelimproof
94.71 +%
94.72 +\endisadelimproof
94.73 +%
94.74 +\isatagproof
94.75 +%
94.76 +\endisatagproof
94.77 +{\isafoldproof}%
94.78 +%
94.79 +\isadelimproof
94.80 +%
94.81 +\endisadelimproof
94.82 +%
94.83 +\begin{isamarkuptext}%
94.84 +Datatype
94.85 +\isa{msg} introduces the message forms, which include agent names, nonces,
94.86 +keys, compound messages, and encryptions.%
94.87 +\end{isamarkuptext}%
94.88 +\isamarkuptrue%
94.89 +\isacommand{datatype}\isamarkupfalse%
94.90 +\isanewline
94.91 +\ \ \ \ \ msg\ {\isaliteral{3D}{\isacharequal}}\ Agent\ \ agent\isanewline
94.92 +\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Nonce\ \ nat\isanewline
94.93 +\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Key\ \ \ \ key\isanewline
94.94 +\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ MPair\ \ msg\ msg\isanewline
94.95 +\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Crypt\ \ key\ msg%
94.96 +\begin{isamarkuptext}%
94.97 +\noindent
94.98 +The notation $\comp{X\sb 1,\ldots X\sb{n-1},X\sb n}$
94.99 +abbreviates
94.100 +$\isa{MPair}\,X\sb 1\,\ldots\allowbreak(\isa{MPair}\,X\sb{n-1}\,X\sb n)$.
94.101 +
94.102 +Since datatype constructors are injective, we have the theorem
94.103 +\begin{isabelle}%
94.104 +Crypt\ K\ X\ {\isaliteral{3D}{\isacharequal}}\ Crypt\ K{\isaliteral{27}{\isacharprime}}\ X{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ K\ {\isaliteral{3D}{\isacharequal}}\ K{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ X\ {\isaliteral{3D}{\isacharequal}}\ X{\isaliteral{27}{\isacharprime}}%
94.105 +\end{isabelle}
94.106 +A ciphertext can be decrypted using only one key and
94.107 +can yield only one plaintext. In the real world, decryption with the
94.108 +wrong key succeeds but yields garbage. Our model of encryption is
94.109 +realistic if encryption adds some redundancy to the plaintext, such as a
94.110 +checksum, so that garbage can be detected.%
94.111 +\end{isamarkuptext}%
94.112 +\isamarkuptrue%
94.113 +%
94.114 +\isadelimproof
94.115 +%
94.116 +\endisadelimproof
94.117 +%
94.118 +\isatagproof
94.119 +%
94.120 +\endisatagproof
94.121 +{\isafoldproof}%
94.122 +%
94.123 +\isadelimproof
94.124 +%
94.125 +\endisadelimproof
94.126 +%
94.127 +\isadelimproof
94.128 +%
94.129 +\endisadelimproof
94.130 +%
94.131 +\isatagproof
94.132 +%
94.133 +\endisatagproof
94.134 +{\isafoldproof}%
94.135 +%
94.136 +\isadelimproof
94.137 +%
94.138 +\endisadelimproof
94.139 +%
94.140 +\isadelimproof
94.141 +%
94.142 +\endisadelimproof
94.143 +%
94.144 +\isatagproof
94.145 +%
94.146 +\endisatagproof
94.147 +{\isafoldproof}%
94.148 +%
94.149 +\isadelimproof
94.150 +%
94.151 +\endisadelimproof
94.152 +%
94.153 +\isadelimproof
94.154 +%
94.155 +\endisadelimproof
94.156 +%
94.157 +\isatagproof
94.158 +%
94.159 +\endisatagproof
94.160 +{\isafoldproof}%
94.161 +%
94.162 +\isadelimproof
94.163 +%
94.164 +\endisadelimproof
94.165 +%
94.166 +\isadelimproof
94.167 +%
94.168 +\endisadelimproof
94.169 +%
94.170 +\isatagproof
94.171 +%
94.172 +\endisatagproof
94.173 +{\isafoldproof}%
94.174 +%
94.175 +\isadelimproof
94.176 +%
94.177 +\endisadelimproof
94.178 +%
94.179 +\isadelimproof
94.180 +%
94.181 +\endisadelimproof
94.182 +%
94.183 +\isatagproof
94.184 +%
94.185 +\endisatagproof
94.186 +{\isafoldproof}%
94.187 +%
94.188 +\isadelimproof
94.189 +%
94.190 +\endisadelimproof
94.191 +%
94.192 +\isadelimproof
94.193 +%
94.194 +\endisadelimproof
94.195 +%
94.196 +\isatagproof
94.197 +%
94.198 +\endisatagproof
94.199 +{\isafoldproof}%
94.200 +%
94.201 +\isadelimproof
94.202 +%
94.203 +\endisadelimproof
94.204 +%
94.205 +\isadelimproof
94.206 +%
94.207 +\endisadelimproof
94.208 +%
94.209 +\isatagproof
94.210 +%
94.211 +\endisatagproof
94.212 +{\isafoldproof}%
94.213 +%
94.214 +\isadelimproof
94.215 +%
94.216 +\endisadelimproof
94.217 +%
94.218 +\isadelimproof
94.219 +%
94.220 +\endisadelimproof
94.221 +%
94.222 +\isatagproof
94.223 +%
94.224 +\endisatagproof
94.225 +{\isafoldproof}%
94.226 +%
94.227 +\isadelimproof
94.228 +%
94.229 +\endisadelimproof
94.230 +%
94.231 +\isadelimproof
94.232 +%
94.233 +\endisadelimproof
94.234 +%
94.235 +\isatagproof
94.236 +%
94.237 +\endisatagproof
94.238 +{\isafoldproof}%
94.239 +%
94.240 +\isadelimproof
94.241 +%
94.242 +\endisadelimproof
94.243 +%
94.244 +\isadelimproof
94.245 +%
94.246 +\endisadelimproof
94.247 +%
94.248 +\isatagproof
94.249 +%
94.250 +\endisatagproof
94.251 +{\isafoldproof}%
94.252 +%
94.253 +\isadelimproof
94.254 +%
94.255 +\endisadelimproof
94.256 +%
94.257 +\isadelimproof
94.258 +%
94.259 +\endisadelimproof
94.260 +%
94.261 +\isatagproof
94.262 +%
94.263 +\endisatagproof
94.264 +{\isafoldproof}%
94.265 +%
94.266 +\isadelimproof
94.267 +%
94.268 +\endisadelimproof
94.269 +%
94.270 +\isadelimproof
94.271 +%
94.272 +\endisadelimproof
94.273 +%
94.274 +\isatagproof
94.275 +%
94.276 +\endisatagproof
94.277 +{\isafoldproof}%
94.278 +%
94.279 +\isadelimproof
94.280 +%
94.281 +\endisadelimproof
94.282 +%
94.283 +\isadelimproof
94.284 +%
94.285 +\endisadelimproof
94.286 +%
94.287 +\isatagproof
94.288 +%
94.289 +\endisatagproof
94.290 +{\isafoldproof}%
94.291 +%
94.292 +\isadelimproof
94.293 +%
94.294 +\endisadelimproof
94.295 +%
94.296 +\isadelimproof
94.297 +%
94.298 +\endisadelimproof
94.299 +%
94.300 +\isatagproof
94.301 +%
94.302 +\endisatagproof
94.303 +{\isafoldproof}%
94.304 +%
94.305 +\isadelimproof
94.306 +%
94.307 +\endisadelimproof
94.308 +%
94.309 +\isadelimproof
94.310 +%
94.311 +\endisadelimproof
94.312 +%
94.313 +\isatagproof
94.314 +%
94.315 +\endisatagproof
94.316 +{\isafoldproof}%
94.317 +%
94.318 +\isadelimproof
94.319 +%
94.320 +\endisadelimproof
94.321 +%
94.322 +\isadelimproof
94.323 +%
94.324 +\endisadelimproof
94.325 +%
94.326 +\isatagproof
94.327 +%
94.328 +\endisatagproof
94.329 +{\isafoldproof}%
94.330 +%
94.331 +\isadelimproof
94.332 +%
94.333 +\endisadelimproof
94.334 +%
94.335 +\isadelimproof
94.336 +%
94.337 +\endisadelimproof
94.338 +%
94.339 +\isatagproof
94.340 +%
94.341 +\endisatagproof
94.342 +{\isafoldproof}%
94.343 +%
94.344 +\isadelimproof
94.345 +%
94.346 +\endisadelimproof
94.347 +%
94.348 +\isadelimproof
94.349 +%
94.350 +\endisadelimproof
94.351 +%
94.352 +\isatagproof
94.353 +%
94.354 +\endisatagproof
94.355 +{\isafoldproof}%
94.356 +%
94.357 +\isadelimproof
94.358 +%
94.359 +\endisadelimproof
94.360 +%
94.361 +\isadelimproof
94.362 +%
94.363 +\endisadelimproof
94.364 +%
94.365 +\isatagproof
94.366 +%
94.367 +\endisatagproof
94.368 +{\isafoldproof}%
94.369 +%
94.370 +\isadelimproof
94.371 +%
94.372 +\endisadelimproof
94.373 +%
94.374 +\isadelimproof
94.375 +%
94.376 +\endisadelimproof
94.377 +%
94.378 +\isatagproof
94.379 +%
94.380 +\endisatagproof
94.381 +{\isafoldproof}%
94.382 +%
94.383 +\isadelimproof
94.384 +%
94.385 +\endisadelimproof
94.386 +%
94.387 +\isadelimproof
94.388 +%
94.389 +\endisadelimproof
94.390 +%
94.391 +\isatagproof
94.392 +%
94.393 +\endisatagproof
94.394 +{\isafoldproof}%
94.395 +%
94.396 +\isadelimproof
94.397 +%
94.398 +\endisadelimproof
94.399 +%
94.400 +\isadelimproof
94.401 +%
94.402 +\endisadelimproof
94.403 +%
94.404 +\isatagproof
94.405 +%
94.406 +\endisatagproof
94.407 +{\isafoldproof}%
94.408 +%
94.409 +\isadelimproof
94.410 +%
94.411 +\endisadelimproof
94.412 +%
94.413 +\isadelimproof
94.414 +%
94.415 +\endisadelimproof
94.416 +%
94.417 +\isatagproof
94.418 +%
94.419 +\endisatagproof
94.420 +{\isafoldproof}%
94.421 +%
94.422 +\isadelimproof
94.423 +%
94.424 +\endisadelimproof
94.425 +%
94.426 +\isadelimproof
94.427 +%
94.428 +\endisadelimproof
94.429 +%
94.430 +\isatagproof
94.431 +%
94.432 +\endisatagproof
94.433 +{\isafoldproof}%
94.434 +%
94.435 +\isadelimproof
94.436 +%
94.437 +\endisadelimproof
94.438 +%
94.439 +\isadelimproof
94.440 +%
94.441 +\endisadelimproof
94.442 +%
94.443 +\isatagproof
94.444 +%
94.445 +\endisatagproof
94.446 +{\isafoldproof}%
94.447 +%
94.448 +\isadelimproof
94.449 +%
94.450 +\endisadelimproof
94.451 +%
94.452 +\isadelimproof
94.453 +%
94.454 +\endisadelimproof
94.455 +%
94.456 +\isatagproof
94.457 +%
94.458 +\endisatagproof
94.459 +{\isafoldproof}%
94.460 +%
94.461 +\isadelimproof
94.462 +%
94.463 +\endisadelimproof
94.464 +%
94.465 +\isadelimproof
94.466 +%
94.467 +\endisadelimproof
94.468 +%
94.469 +\isatagproof
94.470 +%
94.471 +\endisatagproof
94.472 +{\isafoldproof}%
94.473 +%
94.474 +\isadelimproof
94.475 +%
94.476 +\endisadelimproof
94.477 +%
94.478 +\isadelimproof
94.479 +%
94.480 +\endisadelimproof
94.481 +%
94.482 +\isatagproof
94.483 +%
94.484 +\endisatagproof
94.485 +{\isafoldproof}%
94.486 +%
94.487 +\isadelimproof
94.488 +%
94.489 +\endisadelimproof
94.490 +%
94.491 +\isadelimproof
94.492 +%
94.493 +\endisadelimproof
94.494 +%
94.495 +\isatagproof
94.496 +%
94.497 +\endisatagproof
94.498 +{\isafoldproof}%
94.499 +%
94.500 +\isadelimproof
94.501 +%
94.502 +\endisadelimproof
94.503 +%
94.504 +\isadelimproof
94.505 +%
94.506 +\endisadelimproof
94.507 +%
94.508 +\isatagproof
94.509 +%
94.510 +\endisatagproof
94.511 +{\isafoldproof}%
94.512 +%
94.513 +\isadelimproof
94.514 +%
94.515 +\endisadelimproof
94.516 +%
94.517 +\isadelimproof
94.518 +%
94.519 +\endisadelimproof
94.520 +%
94.521 +\isatagproof
94.522 +%
94.523 +\endisatagproof
94.524 +{\isafoldproof}%
94.525 +%
94.526 +\isadelimproof
94.527 +%
94.528 +\endisadelimproof
94.529 +%
94.530 +\isadelimproof
94.531 +%
94.532 +\endisadelimproof
94.533 +%
94.534 +\isatagproof
94.535 +%
94.536 +\endisatagproof
94.537 +{\isafoldproof}%
94.538 +%
94.539 +\isadelimproof
94.540 +%
94.541 +\endisadelimproof
94.542 +%
94.543 +\isadelimproof
94.544 +%
94.545 +\endisadelimproof
94.546 +%
94.547 +\isatagproof
94.548 +%
94.549 +\endisatagproof
94.550 +{\isafoldproof}%
94.551 +%
94.552 +\isadelimproof
94.553 +%
94.554 +\endisadelimproof
94.555 +%
94.556 +\isadelimproof
94.557 +%
94.558 +\endisadelimproof
94.559 +%
94.560 +\isatagproof
94.561 +%
94.562 +\endisatagproof
94.563 +{\isafoldproof}%
94.564 +%
94.565 +\isadelimproof
94.566 +%
94.567 +\endisadelimproof
94.568 +%
94.569 +\isadelimproof
94.570 +%
94.571 +\endisadelimproof
94.572 +%
94.573 +\isatagproof
94.574 +%
94.575 +\endisatagproof
94.576 +{\isafoldproof}%
94.577 +%
94.578 +\isadelimproof
94.579 +%
94.580 +\endisadelimproof
94.581 +%
94.582 +\isadelimproof
94.583 +%
94.584 +\endisadelimproof
94.585 +%
94.586 +\isatagproof
94.587 +%
94.588 +\endisatagproof
94.589 +{\isafoldproof}%
94.590 +%
94.591 +\isadelimproof
94.592 +%
94.593 +\endisadelimproof
94.594 +%
94.595 +\isadelimproof
94.596 +%
94.597 +\endisadelimproof
94.598 +%
94.599 +\isatagproof
94.600 +%
94.601 +\endisatagproof
94.602 +{\isafoldproof}%
94.603 +%
94.604 +\isadelimproof
94.605 +%
94.606 +\endisadelimproof
94.607 +%
94.608 +\isadelimproof
94.609 +%
94.610 +\endisadelimproof
94.611 +%
94.612 +\isatagproof
94.613 +%
94.614 +\endisatagproof
94.615 +{\isafoldproof}%
94.616 +%
94.617 +\isadelimproof
94.618 +%
94.619 +\endisadelimproof
94.620 +%
94.621 +\isadelimproof
94.622 +%
94.623 +\endisadelimproof
94.624 +%
94.625 +\isatagproof
94.626 +%
94.627 +\endisatagproof
94.628 +{\isafoldproof}%
94.629 +%
94.630 +\isadelimproof
94.631 +%
94.632 +\endisadelimproof
94.633 +%
94.634 +\isadelimproof
94.635 +%
94.636 +\endisadelimproof
94.637 +%
94.638 +\isatagproof
94.639 +%
94.640 +\endisatagproof
94.641 +{\isafoldproof}%
94.642 +%
94.643 +\isadelimproof
94.644 +%
94.645 +\endisadelimproof
94.646 +%
94.647 +\isadelimproof
94.648 +%
94.649 +\endisadelimproof
94.650 +%
94.651 +\isatagproof
94.652 +%
94.653 +\endisatagproof
94.654 +{\isafoldproof}%
94.655 +%
94.656 +\isadelimproof
94.657 +%
94.658 +\endisadelimproof
94.659 +%
94.660 +\isadelimproof
94.661 +%
94.662 +\endisadelimproof
94.663 +%
94.664 +\isatagproof
94.665 +%
94.666 +\endisatagproof
94.667 +{\isafoldproof}%
94.668 +%
94.669 +\isadelimproof
94.670 +%
94.671 +\endisadelimproof
94.672 +%
94.673 +\isamarkupsection{Modelling the Adversary%
94.674 +}
94.675 +\isamarkuptrue%
94.676 +%
94.677 +\begin{isamarkuptext}%
94.678 +The spy is part of the system and must be built into the model. He is
94.679 +a malicious user who does not have to follow the protocol. He
94.680 +watches the network and uses any keys he knows to decrypt messages.
94.681 +Thus he accumulates additional keys and nonces. These he can use to
94.682 +compose new messages, which he may send to anybody.
94.683 +
94.684 +Two functions enable us to formalize this behaviour: \isa{analz} and
94.685 +\isa{synth}. Each function maps a sets of messages to another set of
94.686 +messages. The set \isa{analz\ H} formalizes what the adversary can learn
94.687 +from the set of messages~$H$. The closure properties of this set are
94.688 +defined inductively.%
94.689 +\end{isamarkuptext}%
94.690 +\isamarkuptrue%
94.691 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
94.692 +\isanewline
94.693 +\ \ analz\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
94.694 +\ \ \isakeyword{for}\ H\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
94.695 +\ \ \isakeyword{where}\isanewline
94.696 +\ \ \ \ Inj\ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{2C}{\isacharcomma}}simp{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
94.697 +\ \ {\isaliteral{7C}{\isacharbar}}\ Fst{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
94.698 +\ \ {\isaliteral{7C}{\isacharbar}}\ Snd{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
94.699 +\ \ {\isaliteral{7C}{\isacharbar}}\ Decrypt\ {\isaliteral{5B}{\isacharbrackleft}}dest{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ \isanewline
94.700 +\ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{3B}{\isacharsemicolon}}\ Key{\isaliteral{28}{\isacharparenleft}}invKey\ K{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
94.701 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}%
94.702 +\isadelimproof
94.703 +%
94.704 +\endisadelimproof
94.705 +%
94.706 +\isatagproof
94.707 +%
94.708 +\endisatagproof
94.709 +{\isafoldproof}%
94.710 +%
94.711 +\isadelimproof
94.712 +%
94.713 +\endisadelimproof
94.714 +%
94.715 +\isadelimproof
94.716 +%
94.717 +\endisadelimproof
94.718 +%
94.719 +\isatagproof
94.720 +%
94.721 +\endisatagproof
94.722 +{\isafoldproof}%
94.723 +%
94.724 +\isadelimproof
94.725 +%
94.726 +\endisadelimproof
94.727 +%
94.728 +\isadelimproof
94.729 +%
94.730 +\endisadelimproof
94.731 +%
94.732 +\isatagproof
94.733 +%
94.734 +\endisatagproof
94.735 +{\isafoldproof}%
94.736 +%
94.737 +\isadelimproof
94.738 +%
94.739 +\endisadelimproof
94.740 +%
94.741 +\isadelimproof
94.742 +%
94.743 +\endisadelimproof
94.744 +%
94.745 +\isatagproof
94.746 +%
94.747 +\endisatagproof
94.748 +{\isafoldproof}%
94.749 +%
94.750 +\isadelimproof
94.751 +%
94.752 +\endisadelimproof
94.753 +%
94.754 +\isadelimproof
94.755 +%
94.756 +\endisadelimproof
94.757 +%
94.758 +\isatagproof
94.759 +%
94.760 +\endisatagproof
94.761 +{\isafoldproof}%
94.762 +%
94.763 +\isadelimproof
94.764 +%
94.765 +\endisadelimproof
94.766 +%
94.767 +\isadelimproof
94.768 +%
94.769 +\endisadelimproof
94.770 +%
94.771 +\isatagproof
94.772 +%
94.773 +\endisatagproof
94.774 +{\isafoldproof}%
94.775 +%
94.776 +\isadelimproof
94.777 +%
94.778 +\endisadelimproof
94.779 +%
94.780 +\isadelimproof
94.781 +%
94.782 +\endisadelimproof
94.783 +%
94.784 +\isatagproof
94.785 +%
94.786 +\endisatagproof
94.787 +{\isafoldproof}%
94.788 +%
94.789 +\isadelimproof
94.790 +%
94.791 +\endisadelimproof
94.792 +%
94.793 +\isadelimproof
94.794 +%
94.795 +\endisadelimproof
94.796 +%
94.797 +\isatagproof
94.798 +%
94.799 +\endisatagproof
94.800 +{\isafoldproof}%
94.801 +%
94.802 +\isadelimproof
94.803 +%
94.804 +\endisadelimproof
94.805 +%
94.806 +\isadelimproof
94.807 +%
94.808 +\endisadelimproof
94.809 +%
94.810 +\isatagproof
94.811 +%
94.812 +\endisatagproof
94.813 +{\isafoldproof}%
94.814 +%
94.815 +\isadelimproof
94.816 +%
94.817 +\endisadelimproof
94.818 +%
94.819 +\isadelimproof
94.820 +%
94.821 +\endisadelimproof
94.822 +%
94.823 +\isatagproof
94.824 +%
94.825 +\endisatagproof
94.826 +{\isafoldproof}%
94.827 +%
94.828 +\isadelimproof
94.829 +%
94.830 +\endisadelimproof
94.831 +%
94.832 +\isadelimproof
94.833 +%
94.834 +\endisadelimproof
94.835 +%
94.836 +\isatagproof
94.837 +%
94.838 +\endisatagproof
94.839 +{\isafoldproof}%
94.840 +%
94.841 +\isadelimproof
94.842 +%
94.843 +\endisadelimproof
94.844 +%
94.845 +\isadelimproof
94.846 +%
94.847 +\endisadelimproof
94.848 +%
94.849 +\isatagproof
94.850 +%
94.851 +\endisatagproof
94.852 +{\isafoldproof}%
94.853 +%
94.854 +\isadelimproof
94.855 +%
94.856 +\endisadelimproof
94.857 +%
94.858 +\isadelimproof
94.859 +%
94.860 +\endisadelimproof
94.861 +%
94.862 +\isatagproof
94.863 +%
94.864 +\endisatagproof
94.865 +{\isafoldproof}%
94.866 +%
94.867 +\isadelimproof
94.868 +%
94.869 +\endisadelimproof
94.870 +%
94.871 +\isadelimproof
94.872 +%
94.873 +\endisadelimproof
94.874 +%
94.875 +\isatagproof
94.876 +%
94.877 +\endisatagproof
94.878 +{\isafoldproof}%
94.879 +%
94.880 +\isadelimproof
94.881 +%
94.882 +\endisadelimproof
94.883 +%
94.884 +\isadelimproof
94.885 +%
94.886 +\endisadelimproof
94.887 +%
94.888 +\isatagproof
94.889 +%
94.890 +\endisatagproof
94.891 +{\isafoldproof}%
94.892 +%
94.893 +\isadelimproof
94.894 +%
94.895 +\endisadelimproof
94.896 +%
94.897 +\isadelimproof
94.898 +%
94.899 +\endisadelimproof
94.900 +%
94.901 +\isatagproof
94.902 +%
94.903 +\endisatagproof
94.904 +{\isafoldproof}%
94.905 +%
94.906 +\isadelimproof
94.907 +%
94.908 +\endisadelimproof
94.909 +%
94.910 +\isadelimproof
94.911 +%
94.912 +\endisadelimproof
94.913 +%
94.914 +\isatagproof
94.915 +%
94.916 +\endisatagproof
94.917 +{\isafoldproof}%
94.918 +%
94.919 +\isadelimproof
94.920 +%
94.921 +\endisadelimproof
94.922 +%
94.923 +\isadelimproof
94.924 +%
94.925 +\endisadelimproof
94.926 +%
94.927 +\isatagproof
94.928 +%
94.929 +\endisatagproof
94.930 +{\isafoldproof}%
94.931 +%
94.932 +\isadelimproof
94.933 +%
94.934 +\endisadelimproof
94.935 +%
94.936 +\isadelimproof
94.937 +%
94.938 +\endisadelimproof
94.939 +%
94.940 +\isatagproof
94.941 +%
94.942 +\endisatagproof
94.943 +{\isafoldproof}%
94.944 +%
94.945 +\isadelimproof
94.946 +%
94.947 +\endisadelimproof
94.948 +%
94.949 +\isadelimproof
94.950 +%
94.951 +\endisadelimproof
94.952 +%
94.953 +\isatagproof
94.954 +%
94.955 +\endisatagproof
94.956 +{\isafoldproof}%
94.957 +%
94.958 +\isadelimproof
94.959 +%
94.960 +\endisadelimproof
94.961 +%
94.962 +\isadelimproof
94.963 +%
94.964 +\endisadelimproof
94.965 +%
94.966 +\isatagproof
94.967 +%
94.968 +\endisatagproof
94.969 +{\isafoldproof}%
94.970 +%
94.971 +\isadelimproof
94.972 +%
94.973 +\endisadelimproof
94.974 +%
94.975 +\isadelimproof
94.976 +%
94.977 +\endisadelimproof
94.978 +%
94.979 +\isatagproof
94.980 +%
94.981 +\endisatagproof
94.982 +{\isafoldproof}%
94.983 +%
94.984 +\isadelimproof
94.985 +%
94.986 +\endisadelimproof
94.987 +%
94.988 +\isadelimproof
94.989 +%
94.990 +\endisadelimproof
94.991 +%
94.992 +\isatagproof
94.993 +%
94.994 +\endisatagproof
94.995 +{\isafoldproof}%
94.996 +%
94.997 +\isadelimproof
94.998 +%
94.999 +\endisadelimproof
94.1000 +%
94.1001 +\isadelimproof
94.1002 +%
94.1003 +\endisadelimproof
94.1004 +%
94.1005 +\isatagproof
94.1006 +%
94.1007 +\endisatagproof
94.1008 +{\isafoldproof}%
94.1009 +%
94.1010 +\isadelimproof
94.1011 +%
94.1012 +\endisadelimproof
94.1013 +%
94.1014 +\isadelimproof
94.1015 +%
94.1016 +\endisadelimproof
94.1017 +%
94.1018 +\isatagproof
94.1019 +%
94.1020 +\endisatagproof
94.1021 +{\isafoldproof}%
94.1022 +%
94.1023 +\isadelimproof
94.1024 +%
94.1025 +\endisadelimproof
94.1026 +%
94.1027 +\isadelimproof
94.1028 +%
94.1029 +\endisadelimproof
94.1030 +%
94.1031 +\isatagproof
94.1032 +%
94.1033 +\endisatagproof
94.1034 +{\isafoldproof}%
94.1035 +%
94.1036 +\isadelimproof
94.1037 +%
94.1038 +\endisadelimproof
94.1039 +%
94.1040 +\isadelimproof
94.1041 +%
94.1042 +\endisadelimproof
94.1043 +%
94.1044 +\isatagproof
94.1045 +%
94.1046 +\endisatagproof
94.1047 +{\isafoldproof}%
94.1048 +%
94.1049 +\isadelimproof
94.1050 +%
94.1051 +\endisadelimproof
94.1052 +%
94.1053 +\isadelimproof
94.1054 +%
94.1055 +\endisadelimproof
94.1056 +%
94.1057 +\isatagproof
94.1058 +%
94.1059 +\endisatagproof
94.1060 +{\isafoldproof}%
94.1061 +%
94.1062 +\isadelimproof
94.1063 +%
94.1064 +\endisadelimproof
94.1065 +%
94.1066 +\isadelimproof
94.1067 +%
94.1068 +\endisadelimproof
94.1069 +%
94.1070 +\isatagproof
94.1071 +%
94.1072 +\endisatagproof
94.1073 +{\isafoldproof}%
94.1074 +%
94.1075 +\isadelimproof
94.1076 +%
94.1077 +\endisadelimproof
94.1078 +%
94.1079 +\isadelimproof
94.1080 +%
94.1081 +\endisadelimproof
94.1082 +%
94.1083 +\isatagproof
94.1084 +%
94.1085 +\endisatagproof
94.1086 +{\isafoldproof}%
94.1087 +%
94.1088 +\isadelimproof
94.1089 +%
94.1090 +\endisadelimproof
94.1091 +%
94.1092 +\isadelimproof
94.1093 +%
94.1094 +\endisadelimproof
94.1095 +%
94.1096 +\isatagproof
94.1097 +%
94.1098 +\endisatagproof
94.1099 +{\isafoldproof}%
94.1100 +%
94.1101 +\isadelimproof
94.1102 +%
94.1103 +\endisadelimproof
94.1104 +%
94.1105 +\isadelimproof
94.1106 +%
94.1107 +\endisadelimproof
94.1108 +%
94.1109 +\isatagproof
94.1110 +%
94.1111 +\endisatagproof
94.1112 +{\isafoldproof}%
94.1113 +%
94.1114 +\isadelimproof
94.1115 +%
94.1116 +\endisadelimproof
94.1117 +%
94.1118 +\begin{isamarkuptext}%
94.1119 +Note the \isa{Decrypt} rule: the spy can decrypt a
94.1120 +message encrypted with key~$K$ if he has the matching key,~$K^{-1}$.
94.1121 +Properties proved by rule induction include the following:
94.1122 +\begin{isabelle}%
94.1123 +G\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ analz\ G\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ analz\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}mono}\par\smallskip%
94.1124 +analz\ {\isaliteral{28}{\isacharparenleft}}analz\ H{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ analz\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}idem}%
94.1125 +\end{isabelle}
94.1126 +
94.1127 +The set of fake messages that an intruder could invent
94.1128 +starting from~\isa{H} is \isa{synth{\isaliteral{28}{\isacharparenleft}}analz\ H{\isaliteral{29}{\isacharparenright}}}, where \isa{synth\ H}
94.1129 +formalizes what the adversary can build from the set of messages~$H$.%
94.1130 +\end{isamarkuptext}%
94.1131 +\isamarkuptrue%
94.1132 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
94.1133 +\isanewline
94.1134 +\ \ synth\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
94.1135 +\ \ \isakeyword{for}\ H\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
94.1136 +\ \ \isakeyword{where}\isanewline
94.1137 +\ \ \ \ Inj\ \ \ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
94.1138 +\ \ {\isaliteral{7C}{\isacharbar}}\ Agent\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Agent\ agt\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
94.1139 +\ \ {\isaliteral{7C}{\isacharbar}}\ MPair\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
94.1140 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{3B}{\isacharsemicolon}}\ \ Y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
94.1141 +\ \ {\isaliteral{7C}{\isacharbar}}\ Crypt\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
94.1142 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{3B}{\isacharsemicolon}}\ \ Key\ K\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}%
94.1143 +\isadelimproof
94.1144 +%
94.1145 +\endisadelimproof
94.1146 +%
94.1147 +\isatagproof
94.1148 +%
94.1149 +\endisatagproof
94.1150 +{\isafoldproof}%
94.1151 +%
94.1152 +\isadelimproof
94.1153 +%
94.1154 +\endisadelimproof
94.1155 +%
94.1156 +\isadelimproof
94.1157 +%
94.1158 +\endisadelimproof
94.1159 +%
94.1160 +\isatagproof
94.1161 +%
94.1162 +\endisatagproof
94.1163 +{\isafoldproof}%
94.1164 +%
94.1165 +\isadelimproof
94.1166 +%
94.1167 +\endisadelimproof
94.1168 +%
94.1169 +\isadelimproof
94.1170 +%
94.1171 +\endisadelimproof
94.1172 +%
94.1173 +\isatagproof
94.1174 +%
94.1175 +\endisatagproof
94.1176 +{\isafoldproof}%
94.1177 +%
94.1178 +\isadelimproof
94.1179 +%
94.1180 +\endisadelimproof
94.1181 +%
94.1182 +\begin{isamarkuptext}%
94.1183 +The set includes all agent names. Nonces and keys are assumed to be
94.1184 +unguessable, so none are included beyond those already in~$H$. Two
94.1185 +elements of \isa{synth\ H} can be combined, and an element can be encrypted
94.1186 +using a key present in~$H$.
94.1187 +
94.1188 +Like \isa{analz}, this set operator is monotone and idempotent. It also
94.1189 +satisfies an interesting equation involving \isa{analz}:
94.1190 +\begin{isabelle}%
94.1191 +analz\ {\isaliteral{28}{\isacharparenleft}}synth\ H{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ analz\ H\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ synth\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}synth}%
94.1192 +\end{isabelle}
94.1193 +Rule inversion plays a major role in reasoning about \isa{synth}, through
94.1194 +declarations such as this one:%
94.1195 +\end{isamarkuptext}%
94.1196 +\isamarkuptrue%
94.1197 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}cases}\isamarkupfalse%
94.1198 +\ Nonce{\isaliteral{5F}{\isacharunderscore}}synth\ {\isaliteral{5B}{\isacharbrackleft}}elim{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}%
94.1199 +\begin{isamarkuptext}%
94.1200 +\noindent
94.1201 +The resulting elimination rule replaces every assumption of the form
94.1202 +\isa{Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H} by \isa{Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H},
94.1203 +expressing that a nonce cannot be guessed.
94.1204 +
94.1205 +A third operator, \isa{parts}, is useful for stating correctness
94.1206 +properties. The set
94.1207 +\isa{parts\ H} consists of the components of elements of~$H$. This set
94.1208 +includes~\isa{H} and is closed under the projections from a compound
94.1209 +message to its immediate parts.
94.1210 +Its definition resembles that of \isa{analz} except in the rule
94.1211 +corresponding to the constructor \isa{Crypt}:
94.1212 +\begin{isabelle}%
94.1213 +\ \ \ \ \ Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ H%
94.1214 +\end{isabelle}
94.1215 +The body of an encrypted message is always regarded as part of it. We can
94.1216 +use \isa{parts} to express general well-formedness properties of a protocol,
94.1217 +for example, that an uncompromised agent's private key will never be
94.1218 +included as a component of any message.%
94.1219 +\end{isamarkuptext}%
94.1220 +\isamarkuptrue%
94.1221 +%
94.1222 +\isadelimproof
94.1223 +%
94.1224 +\endisadelimproof
94.1225 +%
94.1226 +\isatagproof
94.1227 +%
94.1228 +\endisatagproof
94.1229 +{\isafoldproof}%
94.1230 +%
94.1231 +\isadelimproof
94.1232 +%
94.1233 +\endisadelimproof
94.1234 +%
94.1235 +\isadelimproof
94.1236 +%
94.1237 +\endisadelimproof
94.1238 +%
94.1239 +\isatagproof
94.1240 +%
94.1241 +\endisatagproof
94.1242 +{\isafoldproof}%
94.1243 +%
94.1244 +\isadelimproof
94.1245 +%
94.1246 +\endisadelimproof
94.1247 +%
94.1248 +\isadelimproof
94.1249 +%
94.1250 +\endisadelimproof
94.1251 +%
94.1252 +\isatagproof
94.1253 +%
94.1254 +\endisatagproof
94.1255 +{\isafoldproof}%
94.1256 +%
94.1257 +\isadelimproof
94.1258 +%
94.1259 +\endisadelimproof
94.1260 +%
94.1261 +\isadelimproof
94.1262 +%
94.1263 +\endisadelimproof
94.1264 +%
94.1265 +\isatagproof
94.1266 +%
94.1267 +\endisatagproof
94.1268 +{\isafoldproof}%
94.1269 +%
94.1270 +\isadelimproof
94.1271 +%
94.1272 +\endisadelimproof
94.1273 +%
94.1274 +\isadelimproof
94.1275 +%
94.1276 +\endisadelimproof
94.1277 +%
94.1278 +\isatagproof
94.1279 +%
94.1280 +\endisatagproof
94.1281 +{\isafoldproof}%
94.1282 +%
94.1283 +\isadelimproof
94.1284 +%
94.1285 +\endisadelimproof
94.1286 +%
94.1287 +\isadelimproof
94.1288 +%
94.1289 +\endisadelimproof
94.1290 +%
94.1291 +\isatagproof
94.1292 +%
94.1293 +\endisatagproof
94.1294 +{\isafoldproof}%
94.1295 +%
94.1296 +\isadelimproof
94.1297 +%
94.1298 +\endisadelimproof
94.1299 +%
94.1300 +\isadelimproof
94.1301 +%
94.1302 +\endisadelimproof
94.1303 +%
94.1304 +\isatagproof
94.1305 +%
94.1306 +\endisatagproof
94.1307 +{\isafoldproof}%
94.1308 +%
94.1309 +\isadelimproof
94.1310 +%
94.1311 +\endisadelimproof
94.1312 +%
94.1313 +\isadelimproof
94.1314 +%
94.1315 +\endisadelimproof
94.1316 +%
94.1317 +\isatagproof
94.1318 +%
94.1319 +\endisatagproof
94.1320 +{\isafoldproof}%
94.1321 +%
94.1322 +\isadelimproof
94.1323 +%
94.1324 +\endisadelimproof
94.1325 +%
94.1326 +\isadelimproof
94.1327 +%
94.1328 +\endisadelimproof
94.1329 +%
94.1330 +\isatagproof
94.1331 +%
94.1332 +\endisatagproof
94.1333 +{\isafoldproof}%
94.1334 +%
94.1335 +\isadelimproof
94.1336 +%
94.1337 +\endisadelimproof
94.1338 +%
94.1339 +\isadelimproof
94.1340 +%
94.1341 +\endisadelimproof
94.1342 +%
94.1343 +\isatagproof
94.1344 +%
94.1345 +\endisatagproof
94.1346 +{\isafoldproof}%
94.1347 +%
94.1348 +\isadelimproof
94.1349 +%
94.1350 +\endisadelimproof
94.1351 +%
94.1352 +\isadelimproof
94.1353 +%
94.1354 +\endisadelimproof
94.1355 +%
94.1356 +\isatagproof
94.1357 +%
94.1358 +\endisatagproof
94.1359 +{\isafoldproof}%
94.1360 +%
94.1361 +\isadelimproof
94.1362 +%
94.1363 +\endisadelimproof
94.1364 +%
94.1365 +\isadelimproof
94.1366 +%
94.1367 +\endisadelimproof
94.1368 +%
94.1369 +\isatagproof
94.1370 +%
94.1371 +\endisatagproof
94.1372 +{\isafoldproof}%
94.1373 +%
94.1374 +\isadelimproof
94.1375 +%
94.1376 +\endisadelimproof
94.1377 +%
94.1378 +\isadelimproof
94.1379 +%
94.1380 +\endisadelimproof
94.1381 +%
94.1382 +\isatagproof
94.1383 +%
94.1384 +\endisatagproof
94.1385 +{\isafoldproof}%
94.1386 +%
94.1387 +\isadelimproof
94.1388 +%
94.1389 +\endisadelimproof
94.1390 +%
94.1391 +\isadelimproof
94.1392 +%
94.1393 +\endisadelimproof
94.1394 +%
94.1395 +\isatagproof
94.1396 +%
94.1397 +\endisatagproof
94.1398 +{\isafoldproof}%
94.1399 +%
94.1400 +\isadelimproof
94.1401 +%
94.1402 +\endisadelimproof
94.1403 +%
94.1404 +\isadelimproof
94.1405 +%
94.1406 +\endisadelimproof
94.1407 +%
94.1408 +\isatagproof
94.1409 +%
94.1410 +\endisatagproof
94.1411 +{\isafoldproof}%
94.1412 +%
94.1413 +\isadelimproof
94.1414 +%
94.1415 +\endisadelimproof
94.1416 +%
94.1417 +\isadelimproof
94.1418 +%
94.1419 +\endisadelimproof
94.1420 +%
94.1421 +\isatagproof
94.1422 +%
94.1423 +\endisatagproof
94.1424 +{\isafoldproof}%
94.1425 +%
94.1426 +\isadelimproof
94.1427 +%
94.1428 +\endisadelimproof
94.1429 +%
94.1430 +\isadelimproof
94.1431 +%
94.1432 +\endisadelimproof
94.1433 +%
94.1434 +\isatagproof
94.1435 +%
94.1436 +\endisatagproof
94.1437 +{\isafoldproof}%
94.1438 +%
94.1439 +\isadelimproof
94.1440 +%
94.1441 +\endisadelimproof
94.1442 +%
94.1443 +\isadelimproof
94.1444 +%
94.1445 +\endisadelimproof
94.1446 +%
94.1447 +\isatagproof
94.1448 +%
94.1449 +\endisatagproof
94.1450 +{\isafoldproof}%
94.1451 +%
94.1452 +\isadelimproof
94.1453 +%
94.1454 +\endisadelimproof
94.1455 +%
94.1456 +\isadelimproof
94.1457 +%
94.1458 +\endisadelimproof
94.1459 +%
94.1460 +\isatagproof
94.1461 +%
94.1462 +\endisatagproof
94.1463 +{\isafoldproof}%
94.1464 +%
94.1465 +\isadelimproof
94.1466 +%
94.1467 +\endisadelimproof
94.1468 +%
94.1469 +\isadelimproof
94.1470 +%
94.1471 +\endisadelimproof
94.1472 +%
94.1473 +\isatagproof
94.1474 +%
94.1475 +\endisatagproof
94.1476 +{\isafoldproof}%
94.1477 +%
94.1478 +\isadelimproof
94.1479 +%
94.1480 +\endisadelimproof
94.1481 +%
94.1482 +\isadelimproof
94.1483 +%
94.1484 +\endisadelimproof
94.1485 +%
94.1486 +\isatagproof
94.1487 +%
94.1488 +\endisatagproof
94.1489 +{\isafoldproof}%
94.1490 +%
94.1491 +\isadelimproof
94.1492 +%
94.1493 +\endisadelimproof
94.1494 +%
94.1495 +\isadelimproof
94.1496 +%
94.1497 +\endisadelimproof
94.1498 +%
94.1499 +\isatagproof
94.1500 +%
94.1501 +\endisatagproof
94.1502 +{\isafoldproof}%
94.1503 +%
94.1504 +\isadelimproof
94.1505 +%
94.1506 +\endisadelimproof
94.1507 +%
94.1508 +\isadelimproof
94.1509 +%
94.1510 +\endisadelimproof
94.1511 +%
94.1512 +\isatagproof
94.1513 +%
94.1514 +\endisatagproof
94.1515 +{\isafoldproof}%
94.1516 +%
94.1517 +\isadelimproof
94.1518 +%
94.1519 +\endisadelimproof
94.1520 +%
94.1521 +\isadelimML
94.1522 +%
94.1523 +\endisadelimML
94.1524 +%
94.1525 +\isatagML
94.1526 +%
94.1527 +\endisatagML
94.1528 +{\isafoldML}%
94.1529 +%
94.1530 +\isadelimML
94.1531 +%
94.1532 +\endisadelimML
94.1533 +%
94.1534 +\isadelimproof
94.1535 +%
94.1536 +\endisadelimproof
94.1537 +%
94.1538 +\isatagproof
94.1539 +%
94.1540 +\endisatagproof
94.1541 +{\isafoldproof}%
94.1542 +%
94.1543 +\isadelimproof
94.1544 +%
94.1545 +\endisadelimproof
94.1546 +%
94.1547 +\isadelimproof
94.1548 +%
94.1549 +\endisadelimproof
94.1550 +%
94.1551 +\isatagproof
94.1552 +%
94.1553 +\endisatagproof
94.1554 +{\isafoldproof}%
94.1555 +%
94.1556 +\isadelimproof
94.1557 +%
94.1558 +\endisadelimproof
94.1559 +%
94.1560 +\isadelimproof
94.1561 +%
94.1562 +\endisadelimproof
94.1563 +%
94.1564 +\isatagproof
94.1565 +%
94.1566 +\endisatagproof
94.1567 +{\isafoldproof}%
94.1568 +%
94.1569 +\isadelimproof
94.1570 +%
94.1571 +\endisadelimproof
94.1572 +%
94.1573 +\isadelimproof
94.1574 +%
94.1575 +\endisadelimproof
94.1576 +%
94.1577 +\isatagproof
94.1578 +%
94.1579 +\endisatagproof
94.1580 +{\isafoldproof}%
94.1581 +%
94.1582 +\isadelimproof
94.1583 +%
94.1584 +\endisadelimproof
94.1585 +%
94.1586 +\isadelimproof
94.1587 +%
94.1588 +\endisadelimproof
94.1589 +%
94.1590 +\isatagproof
94.1591 +%
94.1592 +\endisatagproof
94.1593 +{\isafoldproof}%
94.1594 +%
94.1595 +\isadelimproof
94.1596 +%
94.1597 +\endisadelimproof
94.1598 +%
94.1599 +\isadelimproof
94.1600 +%
94.1601 +\endisadelimproof
94.1602 +%
94.1603 +\isatagproof
94.1604 +%
94.1605 +\endisatagproof
94.1606 +{\isafoldproof}%
94.1607 +%
94.1608 +\isadelimproof
94.1609 +%
94.1610 +\endisadelimproof
94.1611 +%
94.1612 +\isadelimML
94.1613 +%
94.1614 +\endisadelimML
94.1615 +%
94.1616 +\isatagML
94.1617 +%
94.1618 +\endisatagML
94.1619 +{\isafoldML}%
94.1620 +%
94.1621 +\isadelimML
94.1622 +%
94.1623 +\endisadelimML
94.1624 +%
94.1625 +\isadelimtheory
94.1626 +%
94.1627 +\endisadelimtheory
94.1628 +%
94.1629 +\isatagtheory
94.1630 +%
94.1631 +\endisatagtheory
94.1632 +{\isafoldtheory}%
94.1633 +%
94.1634 +\isadelimtheory
94.1635 +%
94.1636 +\endisadelimtheory
94.1637 +\end{isabellebody}%
94.1638 +%%% Local Variables:
94.1639 +%%% mode: latex
94.1640 +%%% TeX-master: "root"
94.1641 +%%% End:
95.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
95.2 +++ b/doc-src/TutorialI/document/Mutual.tex Thu Jul 26 19:59:06 2012 +0200
95.3 @@ -0,0 +1,131 @@
95.4 +%
95.5 +\begin{isabellebody}%
95.6 +\def\isabellecontext{Mutual}%
95.7 +%
95.8 +\isadelimtheory
95.9 +%
95.10 +\endisadelimtheory
95.11 +%
95.12 +\isatagtheory
95.13 +%
95.14 +\endisatagtheory
95.15 +{\isafoldtheory}%
95.16 +%
95.17 +\isadelimtheory
95.18 +%
95.19 +\endisadelimtheory
95.20 +%
95.21 +\isamarkupsubsection{Mutually Inductive Definitions%
95.22 +}
95.23 +\isamarkuptrue%
95.24 +%
95.25 +\begin{isamarkuptext}%
95.26 +Just as there are datatypes defined by mutual recursion, there are sets defined
95.27 +by mutual induction. As a trivial example we consider the even and odd
95.28 +natural numbers:%
95.29 +\end{isamarkuptext}%
95.30 +\isamarkuptrue%
95.31 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
95.32 +\isanewline
95.33 +\ \ Even\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
95.34 +\ \ Odd\ \ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
95.35 +\isakeyword{where}\isanewline
95.36 +\ \ zero{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
95.37 +{\isaliteral{7C}{\isacharbar}}\ EvenI{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
95.38 +{\isaliteral{7C}{\isacharbar}}\ OddI{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd{\isaliteral{22}{\isachardoublequoteclose}}%
95.39 +\begin{isamarkuptext}%
95.40 +\noindent
95.41 +The mutually inductive definition of multiple sets is no different from
95.42 +that of a single set, except for induction: just as for mutually recursive
95.43 +datatypes, induction needs to involve all the simultaneously defined sets. In
95.44 +the above case, the induction rule is called \isa{Even{\isaliteral{5F}{\isacharunderscore}}Odd{\isaliteral{2E}{\isachardot}}induct}
95.45 +(simply concatenate the names of the sets involved) and has the conclusion
95.46 +\begin{isabelle}%
95.47 +\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{3F}{\isacharquery}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q\ {\isaliteral{3F}{\isacharquery}}y{\isaliteral{29}{\isacharparenright}}%
95.48 +\end{isabelle}
95.49 +
95.50 +If we want to prove that all even numbers are divisible by two, we have to
95.51 +generalize the statement as follows:%
95.52 +\end{isamarkuptext}%
95.53 +\isamarkuptrue%
95.54 +\isacommand{lemma}\isamarkupfalse%
95.55 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isadigit{2}}\ dvd\ m{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isadigit{2}}\ dvd\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
95.56 +\isadelimproof
95.57 +%
95.58 +\endisadelimproof
95.59 +%
95.60 +\isatagproof
95.61 +%
95.62 +\begin{isamarkuptxt}%
95.63 +\noindent
95.64 +The proof is by rule induction. Because of the form of the induction theorem,
95.65 +it is applied by \isa{rule} rather than \isa{erule} as for ordinary
95.66 +inductive definitions:%
95.67 +\end{isamarkuptxt}%
95.68 +\isamarkuptrue%
95.69 +\isacommand{apply}\isamarkupfalse%
95.70 +{\isaliteral{28}{\isacharparenleft}}rule\ Even{\isaliteral{5F}{\isacharunderscore}}Odd{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
95.71 +\begin{isamarkuptxt}%
95.72 +\begin{isabelle}%
95.73 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ dvd\ {\isadigit{0}}\isanewline
95.74 +\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd{\isaliteral{3B}{\isacharsemicolon}}\ {\isadigit{2}}\ dvd\ Suc\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ Suc\ n\isanewline
95.75 +\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even{\isaliteral{3B}{\isacharsemicolon}}\ {\isadigit{2}}\ dvd\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
95.76 +\end{isabelle}
95.77 +The first two subgoals are proved by simplification and the final one can be
95.78 +proved in the same manner as in \S\ref{sec:rule-induction}
95.79 +where the same subgoal was encountered before.
95.80 +We do not show the proof script.%
95.81 +\end{isamarkuptxt}%
95.82 +\isamarkuptrue%
95.83 +%
95.84 +\endisatagproof
95.85 +{\isafoldproof}%
95.86 +%
95.87 +\isadelimproof
95.88 +%
95.89 +\endisadelimproof
95.90 +%
95.91 +\isamarkupsubsection{Inductively Defined Predicates\label{sec:ind-predicates}%
95.92 +}
95.93 +\isamarkuptrue%
95.94 +%
95.95 +\begin{isamarkuptext}%
95.96 +\index{inductive predicates|(}
95.97 +Instead of a set of even numbers one can also define a predicate on \isa{nat}:%
95.98 +\end{isamarkuptext}%
95.99 +\isamarkuptrue%
95.100 +\isacommand{inductive}\isamarkupfalse%
95.101 +\ evn\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
95.102 +zero{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}evn\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
95.103 +step{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}evn\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ evn{\isaliteral{28}{\isacharparenleft}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
95.104 +\begin{isamarkuptext}%
95.105 +\noindent Everything works as before, except that
95.106 +you write \commdx{inductive} instead of \isacommand{inductive\_set} and
95.107 +\isa{evn\ n} instead of \isa{n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even}.
95.108 +When defining an n-ary relation as a predicate, it is recommended to curry
95.109 +the predicate: its type should be \mbox{\isa{{\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub n\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}}
95.110 +rather than
95.111 +\isa{{\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub n\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}. The curried version facilitates inductions.
95.112 +
95.113 +When should you choose sets and when predicates? If you intend to combine your notion with set theoretic notation, define it as an inductive set. If not, define it as an inductive predicate, thus avoiding the \isa{{\isaliteral{5C3C696E3E}{\isasymin}}} notation. But note that predicates of more than one argument cannot be combined with the usual set theoretic operators: \isa{P\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ Q} is not well-typed if \isa{P{\isaliteral{2C}{\isacharcomma}}\ Q\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}, you have to write \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x\ y{\isaliteral{2E}{\isachardot}}\ P\ x\ y\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ x\ y} instead.
95.114 +\index{inductive predicates|)}%
95.115 +\end{isamarkuptext}%
95.116 +\isamarkuptrue%
95.117 +%
95.118 +\isadelimtheory
95.119 +%
95.120 +\endisadelimtheory
95.121 +%
95.122 +\isatagtheory
95.123 +%
95.124 +\endisatagtheory
95.125 +{\isafoldtheory}%
95.126 +%
95.127 +\isadelimtheory
95.128 +%
95.129 +\endisadelimtheory
95.130 +\end{isabellebody}%
95.131 +%%% Local Variables:
95.132 +%%% mode: latex
95.133 +%%% TeX-master: "root"
95.134 +%%% End:
96.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
96.2 +++ b/doc-src/TutorialI/document/NS_Public.tex Thu Jul 26 19:59:06 2012 +0200
96.3 @@ -0,0 +1,517 @@
96.4 +%
96.5 +\begin{isabellebody}%
96.6 +\def\isabellecontext{NS{\isaliteral{5F}{\isacharunderscore}}Public}%
96.7 +%
96.8 +\isadelimtheory
96.9 +%
96.10 +\endisadelimtheory
96.11 +%
96.12 +\isatagtheory
96.13 +%
96.14 +\endisatagtheory
96.15 +{\isafoldtheory}%
96.16 +%
96.17 +\isadelimtheory
96.18 +%
96.19 +\endisadelimtheory
96.20 +%
96.21 +\isamarkupsection{Modelling the Protocol \label{sec:modelling}%
96.22 +}
96.23 +\isamarkuptrue%
96.24 +%
96.25 +\begin{figure}
96.26 +\begin{isabelle}
96.27 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
96.28 +\ ns{\isaliteral{5F}{\isacharunderscore}}public\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}event\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
96.29 +\ \ \isakeyword{where}\isanewline
96.30 +\isanewline
96.31 +\ \ \ Nil{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
96.32 +\isanewline
96.33 +\isanewline
96.34 +\ {\isaliteral{7C}{\isacharbar}}\ Fake{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evsf\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\ \ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
96.35 +\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ Spy\ B\ X\ \ {\isaliteral{23}{\isacharhash}}\ evsf\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
96.36 +\isanewline
96.37 +\isanewline
96.38 +\ {\isaliteral{7C}{\isacharbar}}\ NS{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evs{\isadigit{1}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\ \ Nonce\ NA\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{1}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
96.39 +\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
96.40 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{23}{\isacharhash}}\ evs{\isadigit{1}}\ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ \ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
96.41 +\isanewline
96.42 +\isanewline
96.43 +\ {\isaliteral{7C}{\isacharbar}}\ NS{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evs{\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\ \ Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{2}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.44 +\ \ \ \ \ \ \ \ \ \ \ Says\ A{\isaliteral{27}{\isacharprime}}\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{2}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
96.45 +\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
96.46 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{23}{\isacharhash}}\ evs{\isadigit{2}}\ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ \ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
96.47 +\isanewline
96.48 +\isanewline
96.49 +\ {\isaliteral{7C}{\isacharbar}}\ NS{\isadigit{3}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evs{\isadigit{3}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.50 +\ \ \ \ \ \ \ \ \ \ \ Says\ A\ \ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{3}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.51 +\ \ \ \ \ \ \ \ \ \ \ Says\ B{\isaliteral{27}{\isacharprime}}\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
96.52 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{3}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
96.53 +\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Nonce\ NB{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ evs{\isadigit{3}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}%
96.54 +\end{isabelle}
96.55 +\caption{An Inductive Protocol Definition}\label{fig:ns_public}
96.56 +\end{figure}
96.57 +%
96.58 +\begin{isamarkuptext}%
96.59 +Let us formalize the Needham-Schroeder public-key protocol, as corrected by
96.60 +Lowe:
96.61 +\begin{alignat*%
96.62 +}{2}
96.63 + &1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
96.64 + &2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\
96.65 + &3.&\quad A\to B &: \comp{Nb}\sb{Kb}
96.66 +\end{alignat*%
96.67 +}
96.68 +
96.69 +Each protocol step is specified by a rule of an inductive definition. An
96.70 +event trace has type \isa{event\ list}, so we declare the constant
96.71 +\isa{ns{\isaliteral{5F}{\isacharunderscore}}public} to be a set of such traces.
96.72 +
96.73 +Figure~\ref{fig:ns_public} presents the inductive definition. The
96.74 +\isa{Nil} rule introduces the empty trace. The \isa{Fake} rule models the
96.75 +adversary's sending a message built from components taken from past
96.76 +traffic, expressed using the functions \isa{synth} and
96.77 +\isa{analz}.
96.78 +The next three rules model how honest agents would perform the three
96.79 +protocol steps.
96.80 +
96.81 +Here is a detailed explanation of rule \isa{NS{\isadigit{2}}}.
96.82 +A trace containing an event of the form
96.83 +\begin{isabelle}%
96.84 +\ \ \ \ \ Says\ A{\isaliteral{27}{\isacharprime}}\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}%
96.85 +\end{isabelle}
96.86 +may be extended by an event of the form
96.87 +\begin{isabelle}%
96.88 +\ \ \ \ \ Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}%
96.89 +\end{isabelle}
96.90 +where \isa{NB} is a fresh nonce: \isa{Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{2}}}.
96.91 +Writing the sender as \isa{A{\isaliteral{27}{\isacharprime}}} indicates that \isa{B} does not
96.92 +know who sent the message. Calling the trace variable \isa{evs{\isadigit{2}}} rather
96.93 +than simply \isa{evs} helps us know where we are in a proof after many
96.94 +case-splits: every subgoal mentioning \isa{evs{\isadigit{2}}} involves message~2 of the
96.95 +protocol.
96.96 +
96.97 +Benefits of this approach are simplicity and clarity. The semantic model
96.98 +is set theory, proofs are by induction and the translation from the informal
96.99 +notation to the inductive rules is straightforward.%
96.100 +\end{isamarkuptext}%
96.101 +\isamarkuptrue%
96.102 +%
96.103 +\isamarkupsection{Proving Elementary Properties \label{sec:regularity}%
96.104 +}
96.105 +\isamarkuptrue%
96.106 +%
96.107 +\isadelimproof
96.108 +%
96.109 +\endisadelimproof
96.110 +%
96.111 +\isatagproof
96.112 +%
96.113 +\endisatagproof
96.114 +{\isafoldproof}%
96.115 +%
96.116 +\isadelimproof
96.117 +%
96.118 +\endisadelimproof
96.119 +%
96.120 +\begin{isamarkuptext}%
96.121 +Secrecy properties can be hard to prove. The conclusion of a typical
96.122 +secrecy theorem is
96.123 +\isa{X\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}}. The difficulty arises from
96.124 +having to reason about \isa{analz}, or less formally, showing that the spy
96.125 +can never learn~\isa{X}. Much easier is to prove that \isa{X} can never
96.126 +occur at all. Such \emph{regularity} properties are typically expressed
96.127 +using \isa{parts} rather than \isa{analz}.
96.128 +
96.129 +The following lemma states that \isa{A}'s private key is potentially
96.130 +known to the spy if and only if \isa{A} belongs to the set \isa{bad} of
96.131 +compromised agents. The statement uses \isa{parts}: the very presence of
96.132 +\isa{A}'s private key in a message, whether protected by encryption or
96.133 +not, is enough to confirm that \isa{A} is compromised. The proof, like
96.134 +nearly all protocol proofs, is by induction over traces.%
96.135 +\end{isamarkuptext}%
96.136 +\isamarkuptrue%
96.137 +\isacommand{lemma}\isamarkupfalse%
96.138 +\ Spy{\isaliteral{5F}{\isacharunderscore}}see{\isaliteral{5F}{\isacharunderscore}}priK\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
96.139 +\ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public\isanewline
96.140 +\ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Key\ {\isaliteral{28}{\isacharparenleft}}priK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
96.141 +%
96.142 +\isadelimproof
96.143 +%
96.144 +\endisadelimproof
96.145 +%
96.146 +\isatagproof
96.147 +\isacommand{apply}\isamarkupfalse%
96.148 +\ {\isaliteral{28}{\isacharparenleft}}erule\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
96.149 +\begin{isamarkuptxt}%
96.150 +The induction yields five subgoals, one for each rule in the definition of
96.151 +\isa{ns{\isaliteral{5F}{\isacharunderscore}}public}. The idea is to prove that the protocol property holds initially
96.152 +(rule \isa{Nil}), is preserved by each of the legitimate protocol steps (rules
96.153 +\isa{NS{\isadigit{1}}}--\isa{{\isadigit{3}}}), and even is preserved in the face of anything the
96.154 +spy can do (rule \isa{Fake}).
96.155 +
96.156 +The proof is trivial. No legitimate protocol rule sends any keys
96.157 +at all, so only \isa{Fake} is relevant. Indeed, simplification leaves
96.158 +only the \isa{Fake} case, as indicated by the variable name \isa{evsf}:
96.159 +\begin{isabelle}%
96.160 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}evsf\ X{\isaliteral{2E}{\isachardot}}\isanewline
96.161 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evsf\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.162 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }{\isaliteral{28}{\isacharparenleft}}Key\ {\isaliteral{28}{\isacharparenleft}}priK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.163 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
96.164 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Key\ {\isaliteral{28}{\isacharparenleft}}priK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}insert\ X\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
96.165 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }{\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad{\isaliteral{29}{\isacharparenright}}%
96.166 +\end{isabelle}%
96.167 +\end{isamarkuptxt}%
96.168 +\isamarkuptrue%
96.169 +\isacommand{by}\isamarkupfalse%
96.170 +\ blast%
96.171 +\endisatagproof
96.172 +{\isafoldproof}%
96.173 +%
96.174 +\isadelimproof
96.175 +%
96.176 +\endisadelimproof
96.177 +%
96.178 +\isadelimproof
96.179 +%
96.180 +\endisadelimproof
96.181 +%
96.182 +\isatagproof
96.183 +%
96.184 +\endisatagproof
96.185 +{\isafoldproof}%
96.186 +%
96.187 +\isadelimproof
96.188 +%
96.189 +\endisadelimproof
96.190 +%
96.191 +\begin{isamarkuptext}%
96.192 +The \isa{Fake} case is proved automatically. If
96.193 +\isa{priK\ A} is in the extended trace then either (1) it was already in the
96.194 +original trace or (2) it was
96.195 +generated by the spy, who must have known this key already.
96.196 +Either way, the induction hypothesis applies.
96.197 +
96.198 +\emph{Unicity} lemmas are regularity lemmas stating that specified items
96.199 +can occur only once in a trace. The following lemma states that a nonce
96.200 +cannot be used both as $Na$ and as $Nb$ unless
96.201 +it is known to the spy. Intuitively, it holds because honest agents
96.202 +always choose fresh values as nonces; only the spy might reuse a value,
96.203 +and he doesn't know this particular value. The proof script is short:
96.204 +induction, simplification, \isa{blast}. The first line uses the rule
96.205 +\isa{rev{\isaliteral{5F}{\isacharunderscore}}mp} to prepare the induction by moving two assumptions into the
96.206 +induction formula.%
96.207 +\end{isamarkuptext}%
96.208 +\isamarkuptrue%
96.209 +\isacommand{lemma}\isamarkupfalse%
96.210 +\ no{\isaliteral{5F}{\isacharunderscore}}nonce{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\isanewline
96.211 +\ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ C{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}NA{\isaliteral{27}{\isacharprime}}{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ D{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.212 +\ \ \ \ \ \ Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.213 +\ \ \ \ \ \ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
96.214 +\ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Nonce\ NA\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
96.215 +%
96.216 +\isadelimproof
96.217 +%
96.218 +\endisadelimproof
96.219 +%
96.220 +\isatagproof
96.221 +\isacommand{apply}\isamarkupfalse%
96.222 +\ {\isaliteral{28}{\isacharparenleft}}erule\ rev{\isaliteral{5F}{\isacharunderscore}}mp{\isaliteral{2C}{\isacharcomma}}\ erule\ rev{\isaliteral{5F}{\isacharunderscore}}mp{\isaliteral{29}{\isacharparenright}}\isanewline
96.223 +\isacommand{apply}\isamarkupfalse%
96.224 +\ {\isaliteral{28}{\isacharparenleft}}erule\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
96.225 +\isacommand{apply}\isamarkupfalse%
96.226 +\ {\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ analz{\isaliteral{5F}{\isacharunderscore}}insertI{\isaliteral{29}{\isacharparenright}}{\isaliteral{2B}{\isacharplus}}\isanewline
96.227 +\isacommand{done}\isamarkupfalse%
96.228 +%
96.229 +\endisatagproof
96.230 +{\isafoldproof}%
96.231 +%
96.232 +\isadelimproof
96.233 +%
96.234 +\endisadelimproof
96.235 +%
96.236 +\begin{isamarkuptext}%
96.237 +The following unicity lemma states that, if \isa{NA} is secret, then its
96.238 +appearance in any instance of message~1 determines the other components.
96.239 +The proof is similar to the previous one.%
96.240 +\end{isamarkuptext}%
96.241 +\isamarkuptrue%
96.242 +\isacommand{lemma}\isamarkupfalse%
96.243 +\ unique{\isaliteral{5F}{\isacharunderscore}}NA{\isaliteral{3A}{\isacharcolon}}\isanewline
96.244 +\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Crypt{\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A\ {\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts{\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.245 +\ \ \ \ \ \ \ Crypt{\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts{\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.246 +\ \ \ \ \ \ \ Nonce\ NA\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
96.247 +\ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ A{\isaliteral{3D}{\isacharequal}}A{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{3D}{\isacharequal}}B{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}%
96.248 +\isadelimproof
96.249 +%
96.250 +\endisadelimproof
96.251 +%
96.252 +\isatagproof
96.253 +%
96.254 +\endisatagproof
96.255 +{\isafoldproof}%
96.256 +%
96.257 +\isadelimproof
96.258 +%
96.259 +\endisadelimproof
96.260 +%
96.261 +\isamarkupsection{Proving Secrecy Theorems \label{sec:secrecy}%
96.262 +}
96.263 +\isamarkuptrue%
96.264 +%
96.265 +\isadelimproof
96.266 +%
96.267 +\endisadelimproof
96.268 +%
96.269 +\isatagproof
96.270 +%
96.271 +\endisatagproof
96.272 +{\isafoldproof}%
96.273 +%
96.274 +\isadelimproof
96.275 +%
96.276 +\endisadelimproof
96.277 +%
96.278 +\isadelimproof
96.279 +%
96.280 +\endisadelimproof
96.281 +%
96.282 +\isatagproof
96.283 +%
96.284 +\endisatagproof
96.285 +{\isafoldproof}%
96.286 +%
96.287 +\isadelimproof
96.288 +%
96.289 +\endisadelimproof
96.290 +%
96.291 +\isadelimproof
96.292 +%
96.293 +\endisadelimproof
96.294 +%
96.295 +\isatagproof
96.296 +%
96.297 +\endisatagproof
96.298 +{\isafoldproof}%
96.299 +%
96.300 +\isadelimproof
96.301 +%
96.302 +\endisadelimproof
96.303 +%
96.304 +\isadelimproof
96.305 +%
96.306 +\endisadelimproof
96.307 +%
96.308 +\isatagproof
96.309 +%
96.310 +\endisatagproof
96.311 +{\isafoldproof}%
96.312 +%
96.313 +\isadelimproof
96.314 +%
96.315 +\endisadelimproof
96.316 +%
96.317 +\isadelimproof
96.318 +%
96.319 +\endisadelimproof
96.320 +%
96.321 +\isatagproof
96.322 +%
96.323 +\endisatagproof
96.324 +{\isafoldproof}%
96.325 +%
96.326 +\isadelimproof
96.327 +%
96.328 +\endisadelimproof
96.329 +%
96.330 +\begin{isamarkuptext}%
96.331 +The secrecy theorems for Bob (the second participant) are especially
96.332 +important because they fail for the original protocol. The following
96.333 +theorem states that if Bob sends message~2 to Alice, and both agents are
96.334 +uncompromised, then Bob's nonce will never reach the spy.%
96.335 +\end{isamarkuptext}%
96.336 +\isamarkuptrue%
96.337 +\isacommand{theorem}\isamarkupfalse%
96.338 +\ Spy{\isaliteral{5F}{\isacharunderscore}}not{\isaliteral{5F}{\isacharunderscore}}see{\isaliteral{5F}{\isacharunderscore}}NB\ {\isaliteral{5B}{\isacharbrackleft}}dest{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
96.339 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.340 +\ \ \ A\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ B\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
96.341 +\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
96.342 +\isadelimproof
96.343 +%
96.344 +\endisadelimproof
96.345 +%
96.346 +\isatagproof
96.347 +%
96.348 +\begin{isamarkuptxt}%
96.349 +To prove it, we must formulate the induction properly (one of the
96.350 +assumptions mentions~\isa{evs}), apply induction, and simplify:%
96.351 +\end{isamarkuptxt}%
96.352 +\isamarkuptrue%
96.353 +\isacommand{apply}\isamarkupfalse%
96.354 +\ {\isaliteral{28}{\isacharparenleft}}erule\ rev{\isaliteral{5F}{\isacharunderscore}}mp{\isaliteral{2C}{\isacharcomma}}\ erule\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
96.355 +\begin{isamarkuptxt}%
96.356 +The proof states are too complicated to present in full.
96.357 +Let's examine the simplest subgoal, that for message~1. The following
96.358 +event has just occurred:
96.359 +\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'} \]
96.360 +The variables above have been primed because this step
96.361 +belongs to a different run from that referred to in the theorem
96.362 +statement --- the theorem
96.363 +refers to a past instance of message~2, while this subgoal
96.364 +concerns message~1 being sent just now.
96.365 +In the Isabelle subgoal, instead of primed variables like $B'$ and $Na'$
96.366 +we have \isa{Ba} and~\isa{NAa}:
96.367 +\begin{isabelle}%
96.368 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}evs{\isadigit{1}}\ NAa\ Ba{\isaliteral{2E}{\isachardot}}\isanewline
96.369 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}A\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ B\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ evs{\isadigit{1}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.370 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
96.371 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }{\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
96.372 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.373 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }Nonce\ NAa\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{1}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
96.374 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Ba\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
96.375 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
96.376 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }{\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
96.377 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }NB\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ NAa%
96.378 +\end{isabelle}
96.379 +The simplifier has used a
96.380 +default simplification rule that does a case
96.381 +analysis for each encrypted message on whether or not the decryption key
96.382 +is compromised.
96.383 +\begin{isabelle}%
96.384 +analz\ {\isaliteral{28}{\isacharparenleft}}insert\ {\isaliteral{28}{\isacharparenleft}}Crypt\ K\ X{\isaliteral{29}{\isacharparenright}}\ H{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
96.385 +{\isaliteral{28}{\isacharparenleft}}if\ Key\ {\isaliteral{28}{\isacharparenleft}}invKey\ K{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H\isanewline
96.386 +\isaindent{{\isaliteral{28}{\isacharparenleft}}}then\ insert\ {\isaliteral{28}{\isacharparenleft}}Crypt\ K\ X{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}insert\ X\ H{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
96.387 +\isaindent{{\isaliteral{28}{\isacharparenleft}}}else\ insert\ {\isaliteral{28}{\isacharparenleft}}Crypt\ K\ X{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}analz\ H{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\rulename{analz{\isaliteral{5F}{\isacharunderscore}}Crypt{\isaliteral{5F}{\isacharunderscore}}if}%
96.388 +\end{isabelle}
96.389 +The simplifier has also used \isa{Spy{\isaliteral{5F}{\isacharunderscore}}see{\isaliteral{5F}{\isacharunderscore}}priK}, proved in
96.390 +{\S}\ref{sec:regularity} above, to yield \isa{Ba\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad}.
96.391 +
96.392 +Recall that this subgoal concerns the case
96.393 +where the last message to be sent was
96.394 +\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'}. \]
96.395 +This message can compromise $Nb$ only if $Nb=Na'$ and $B'$ is compromised,
96.396 +allowing the spy to decrypt the message. The Isabelle subgoal says
96.397 +precisely this, if we allow for its choice of variable names.
96.398 +Proving \isa{NB\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ NAa} is easy: \isa{NB} was
96.399 +sent earlier, while \isa{NAa} is fresh; formally, we have
96.400 +the assumption \isa{Nonce\ NAa\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{1}}}.
96.401 +
96.402 +Note that our reasoning concerned \isa{B}'s participation in another
96.403 +run. Agents may engage in several runs concurrently, and some attacks work
96.404 +by interleaving the messages of two runs. With model checking, this
96.405 +possibility can cause a state-space explosion, and for us it
96.406 +certainly complicates proofs. The biggest subgoal concerns message~2. It
96.407 +splits into several cases, such as whether or not the message just sent is
96.408 +the very message mentioned in the theorem statement.
96.409 +Some of the cases are proved by unicity, others by
96.410 +the induction hypothesis. For all those complications, the proofs are
96.411 +automatic by \isa{blast} with the theorem \isa{no{\isaliteral{5F}{\isacharunderscore}}nonce{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{2}}}.
96.412 +
96.413 +The remaining theorems about the protocol are not hard to prove. The
96.414 +following one asserts a form of \emph{authenticity}: if
96.415 +\isa{B} has sent an instance of message~2 to~\isa{A} and has received the
96.416 +expected reply, then that reply really originated with~\isa{A}. The
96.417 +proof is a simple induction.%
96.418 +\end{isamarkuptxt}%
96.419 +\isamarkuptrue%
96.420 +%
96.421 +\endisatagproof
96.422 +{\isafoldproof}%
96.423 +%
96.424 +\isadelimproof
96.425 +%
96.426 +\endisadelimproof
96.427 +%
96.428 +\isadelimproof
96.429 +%
96.430 +\endisadelimproof
96.431 +%
96.432 +\isatagproof
96.433 +%
96.434 +\endisatagproof
96.435 +{\isafoldproof}%
96.436 +%
96.437 +\isadelimproof
96.438 +%
96.439 +\endisadelimproof
96.440 +\isacommand{theorem}\isamarkupfalse%
96.441 +\ B{\isaliteral{5F}{\isacharunderscore}}trusts{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{3}}{\isaliteral{3A}{\isacharcolon}}\isanewline
96.442 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Says\ B\ A\ \ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.443 +\ \ \ Says\ A{\isaliteral{27}{\isacharprime}}\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Nonce\ NB{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{3B}{\isacharsemicolon}}\isanewline
96.444 +\ \ \ A\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ B\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
96.445 +\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Nonce\ NB{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{22}{\isachardoublequoteclose}}%
96.446 +\isadelimproof
96.447 +%
96.448 +\endisadelimproof
96.449 +%
96.450 +\isatagproof
96.451 +%
96.452 +\endisatagproof
96.453 +{\isafoldproof}%
96.454 +%
96.455 +\isadelimproof
96.456 +%
96.457 +\endisadelimproof
96.458 +%
96.459 +\isadelimproof
96.460 +%
96.461 +\endisadelimproof
96.462 +%
96.463 +\isatagproof
96.464 +%
96.465 +\endisatagproof
96.466 +{\isafoldproof}%
96.467 +%
96.468 +\isadelimproof
96.469 +%
96.470 +\endisadelimproof
96.471 +%
96.472 +\begin{isamarkuptext}%
96.473 +From similar assumptions, we can prove that \isa{A} started the protocol
96.474 +run by sending an instance of message~1 involving the nonce~\isa{NA}\@.
96.475 +For this theorem, the conclusion is
96.476 +\begin{isabelle}%
96.477 +Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs%
96.478 +\end{isabelle}
96.479 +Analogous theorems can be proved for~\isa{A}, stating that nonce~\isa{NA}
96.480 +remains secret and that message~2 really originates with~\isa{B}. Even the
96.481 +flawed protocol establishes these properties for~\isa{A};
96.482 +the flaw only harms the second participant.
96.483 +
96.484 +\medskip
96.485 +
96.486 +Detailed information on this protocol verification technique can be found
96.487 +elsewhere~\cite{paulson-jcs}, including proofs of an Internet
96.488 +protocol~\cite{paulson-tls}. We must stress that the protocol discussed
96.489 +in this chapter is trivial. There are only three messages; no keys are
96.490 +exchanged; we merely have to prove that encrypted data remains secret.
96.491 +Real world protocols are much longer and distribute many secrets to their
96.492 +participants. To be realistic, the model has to include the possibility
96.493 +of keys being lost dynamically due to carelessness. If those keys have
96.494 +been used to encrypt other sensitive information, there may be cascading
96.495 +losses. We may still be able to establish a bound on the losses and to
96.496 +prove that other protocol runs function
96.497 +correctly~\cite{paulson-yahalom}. Proofs of real-world protocols follow
96.498 +the strategy illustrated above, but the subgoals can
96.499 +be much bigger and there are more of them.
96.500 +\index{protocols!security|)}%
96.501 +\end{isamarkuptext}%
96.502 +\isamarkuptrue%
96.503 +%
96.504 +\isadelimtheory
96.505 +%
96.506 +\endisadelimtheory
96.507 +%
96.508 +\isatagtheory
96.509 +%
96.510 +\endisatagtheory
96.511 +{\isafoldtheory}%
96.512 +%
96.513 +\isadelimtheory
96.514 +%
96.515 +\endisadelimtheory
96.516 +\end{isabellebody}%
96.517 +%%% Local Variables:
96.518 +%%% mode: latex
96.519 +%%% TeX-master: "root"
96.520 +%%% End:
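--- /dev/null
+++ b/doc-src/TutorialI/document/Nested.tex
@@ -0,0 +1,240 @@
+%
+\begin{isabellebody}%
+\def\isabellecontext{Nested}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\begin{isamarkuptext}%
+\index{datatypes!and nested recursion}%
+So far, all datatypes had the property that on the right-hand side of their
+definition they occurred only at the top-level: directly below a
+constructor. Now we consider \emph{nested recursion}, where the recursive
+datatype occurs nested in some other datatype (but not inside itself!).
+Consider the following model of terms
+where function symbols can be applied to a list of arguments:%
+\end{isamarkuptext}%
+\isamarkuptrue%
+\isacommand{datatype}\isamarkupfalse%
+\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteopen}}term{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3D}{\isacharequal}}\ Var\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{7C}{\isacharbar}}\ App\ {\isaliteral{27}{\isacharprime}}f\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list{\isaliteral{22}{\isachardoublequoteclose}}%
+\begin{isamarkuptext}%
+\noindent
+Note that we need to quote \isa{term} on the left to avoid confusion with
+the Isabelle command \isacommand{term}.
+Parameter \isa{{\isaliteral{27}{\isacharprime}}v} is the type of variables and \isa{{\isaliteral{27}{\isacharprime}}f} the type of
+function symbols.
+A mathematical term like $f(x,g(y))$ becomes \isa{App\ f\ {\isaliteral{5B}{\isacharbrackleft}}Var\ x{\isaliteral{2C}{\isacharcomma}}\ App\ g\ {\isaliteral{5B}{\isacharbrackleft}}Var\ y{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5D}{\isacharbrackright}}}, where \isa{f}, \isa{g}, \isa{x}, \isa{y} are
+suitable values, e.g.\ numbers or strings.
+
+What complicates the definition of \isa{term} is the nested occurrence of
+\isa{term} inside \isa{list} on the right-hand side. In principle,
+nested recursion can be eliminated in favour of mutual recursion by unfolding
+the offending datatypes, here \isa{list}. The result for \isa{term}
+would be something like
+\medskip
+
+\input{document/unfoldnested.tex}
+\medskip
+
+\noindent
+Although we do not recommend this unfolding to the user, it shows how to
+simulate nested recursion by mutual recursion.
+Now we return to the initial definition of \isa{term} using
+nested recursion.
+
+Let us define a substitution function on terms. Because terms involve term
+lists, we need to define two substitution functions simultaneously:%
+\end{isamarkuptext}%
+\isamarkuptrue%
+\isacommand{primrec}\isamarkupfalse%
+\isanewline
+subst\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ \ \ \ \ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
+substs{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
+\isakeyword{where}\isanewline
+{\isaliteral{22}{\isachardoublequoteopen}}subst\ s\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ s\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
+\ \ subst{\isaliteral{5F}{\isacharunderscore}}App{\isaliteral{3A}{\isacharcolon}}\isanewline
+{\isaliteral{22}{\isachardoublequoteopen}}subst\ s\ {\isaliteral{28}{\isacharparenleft}}App\ f\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ App\ f\ {\isaliteral{28}{\isacharparenleft}}substs\ s\ ts{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
+\isanewline
+{\isaliteral{22}{\isachardoublequoteopen}}substs\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
+{\isaliteral{22}{\isachardoublequoteopen}}substs\ s\ {\isaliteral{28}{\isacharparenleft}}t\ {\isaliteral{23}{\isacharhash}}\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ subst\ s\ t\ {\isaliteral{23}{\isacharhash}}\ substs\ s\ ts{\isaliteral{22}{\isachardoublequoteclose}}%
+\begin{isamarkuptext}%
+\noindent
+Individual equations in a \commdx{primrec} definition may be
+named as shown for \isa{subst{\isaliteral{5F}{\isacharunderscore}}App}.
+The significance of this device will become apparent below.
+
+Similarly, when proving a statement about terms inductively, we need
+to prove a related statement about term lists simultaneously. For example,
+the fact that the identity substitution does not change a term needs to be
+strengthened and proved as follows:%
+\end{isamarkuptext}%
+\isamarkuptrue%
+\isacommand{lemma}\isamarkupfalse%
+\ subst{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}subst\ \ Var\ t\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}t\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
+\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ substs\ Var\ ts\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}ts{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+\isacommand{apply}\isamarkupfalse%
+{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ t\ \isakeyword{and}\ ts{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
+\isacommand{done}\isamarkupfalse%
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\begin{isamarkuptext}%
+\noindent
+Note that \isa{Var} is the identity substitution because by definition it
+leaves variables unchanged: \isa{subst\ Var\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Var\ x}. Note also
+that the type annotations are necessary because otherwise there is nothing in
+the goal to enforce that both halves of the goal talk about the same type
+parameters \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}}. As a result, induction would fail
+because the two halves of the goal would be unrelated.
+
+\begin{exercise}
+The fact that substitution distributes over composition can be expressed
+roughly as follows:
+\begin{isabelle}%
+\ \ \ \ \ subst\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ g{\isaliteral{29}{\isacharparenright}}\ t\ {\isaliteral{3D}{\isacharequal}}\ subst\ f\ {\isaliteral{28}{\isacharparenleft}}subst\ g\ t{\isaliteral{29}{\isacharparenright}}%
+\end{isabelle}
+Correct this statement (you will find that it does not type-check),
+strengthen it, and prove it. (Note: \isa{{\isaliteral{5C3C636972633E}{\isasymcirc}}} is function composition;
+its definition is found in theorem \isa{o{\isaliteral{5F}{\isacharunderscore}}def}).
+\end{exercise}
+\begin{exercise}\label{ex:trev-trev}
+ Define a function \isa{trev} of type \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}\ Nested{\isaliteral{2E}{\isachardot}}term\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}\ Nested{\isaliteral{2E}{\isachardot}}term}
+that recursively reverses the order of arguments of all function symbols in a
+ term. Prove that \isa{trev\ {\isaliteral{28}{\isacharparenleft}}trev\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ t}.
+\end{exercise}
+
+The experienced functional programmer may feel that our definition of
+\isa{subst} is too complicated in that \isa{substs} is
+unnecessary. The \isa{App}-case can be defined directly as
+\begin{isabelle}%
+\ \ \ \ \ subst\ s\ {\isaliteral{28}{\isacharparenleft}}App\ f\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ App\ f\ {\isaliteral{28}{\isacharparenleft}}map\ {\isaliteral{28}{\isacharparenleft}}subst\ s{\isaliteral{29}{\isacharparenright}}\ ts{\isaliteral{29}{\isacharparenright}}%
+\end{isabelle}
+where \isa{map} is the standard list function such that
+\isa{map\ f\ {\isaliteral{5B}{\isacharbrackleft}}x{\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2C}{\isacharcomma}}xn{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}f\ x{\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2C}{\isacharcomma}}f\ xn{\isaliteral{5D}{\isacharbrackright}}}. This is true, but Isabelle
+insists on the conjunctive format. Fortunately, we can easily \emph{prove}
+that the suggested equation holds:%
+\end{isamarkuptext}%
+\isamarkuptrue%
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+\isanewline
+%
+\endisadelimproof
+\isacommand{lemma}\isamarkupfalse%
+\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}subst\ s\ {\isaliteral{28}{\isacharparenleft}}App\ f\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ App\ f\ {\isaliteral{28}{\isacharparenleft}}map\ {\isaliteral{28}{\isacharparenleft}}subst\ s{\isaliteral{29}{\isacharparenright}}\ ts{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+\isacommand{apply}\isamarkupfalse%
+{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ ts{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
+\isacommand{done}\isamarkupfalse%
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\begin{isamarkuptext}%
+\noindent
+What is more, we can now disable the old defining equation as a
+simplification rule:%
+\end{isamarkuptext}%
+\isamarkuptrue%
+\isacommand{declare}\isamarkupfalse%
+\ subst{\isaliteral{5F}{\isacharunderscore}}App\ {\isaliteral{5B}{\isacharbrackleft}}simp\ del{\isaliteral{5D}{\isacharbrackright}}%
+\begin{isamarkuptext}%
+\noindent The advantage is that now we have replaced \isa{substs} by \isa{map}, we can profit from the large number of
+pre-proved lemmas about \isa{map}. Unfortunately, inductive proofs
+about type \isa{term} are still awkward because they expect a
+conjunction. One could derive a new induction principle as well (see
+\S\ref{sec:derive-ind}), but simpler is to stop using
+\isacommand{primrec} and to define functions with \isacommand{fun}
+instead. Simple uses of \isacommand{fun} are described in
+\S\ref{sec:fun} below. Advanced applications, including functions
+over nested datatypes like \isa{term}, are discussed in a
+separate tutorial~\cite{isabelle-function}.
+
+Of course, you may also combine mutual and nested recursion of datatypes. For example,
+constructor \isa{Sum} in \S\ref{sec:datatype-mut-rec} could take a list of
+expressions as its argument: \isa{Sum}~\isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{27}{\isacharprime}}a\ aexp\ list{\isaliteral{22}{\isachardoublequote}}}.%
+\end{isamarkuptext}%
+\isamarkuptrue%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+\end{isabellebody}%
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "root"
+%%% End: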
98.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
98.2 +++ b/doc-src/TutorialI/document/Numbers.tex Thu Jul 26 19:59:06 2012 +0200
98.3 @@ -0,0 +1,611 @@
98.4 +%
98.5 +\begin{isabellebody}%
98.6 +\def\isabellecontext{Numbers}%
98.7 +%
98.8 +\isadelimtheory
98.9 +%
98.10 +\endisadelimtheory
98.11 +%
98.12 +\isatagtheory
98.13 +\isacommand{theory}\isamarkupfalse%
98.14 +\ Numbers\isanewline
98.15 +\isakeyword{imports}\ Complex{\isaliteral{5F}{\isacharunderscore}}Main\isanewline
98.16 +\isakeyword{begin}%
98.17 +\endisatagtheory
98.18 +{\isafoldtheory}%
98.19 +%
98.20 +\isadelimtheory
98.21 +\isanewline
98.22 +%
98.23 +\endisadelimtheory
98.24 +%
98.25 +\isadelimML
98.26 +\isanewline
98.27 +%
98.28 +\endisadelimML
98.29 +%
98.30 +\isatagML
98.31 +\isacommand{ML}\isamarkupfalse%
98.32 +\ {\isaliteral{22}{\isachardoublequoteopen}}Pretty{\isaliteral{2E}{\isachardot}}margin{\isaliteral{5F}{\isacharunderscore}}default\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ {\isadigit{6}}{\isadigit{4}}{\isaliteral{22}{\isachardoublequoteclose}}%
98.33 +\endisatagML
98.34 +{\isafoldML}%
98.35 +%
98.36 +\isadelimML
98.37 +\isanewline
98.38 +%
98.39 +\endisadelimML
98.40 +\isacommand{declare}\isamarkupfalse%
98.41 +\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5B}{\isacharbrackleft}}thy{\isaliteral{5F}{\isacharunderscore}}output{\isaliteral{5F}{\isacharunderscore}}indent\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5D}{\isacharbrackright}}%
98.42 +\begin{isamarkuptext}%
98.43 +numeric literals; default simprules; can re-orient%
98.44 +\end{isamarkuptext}%
98.45 +\isamarkuptrue%
98.46 +\isacommand{lemma}\isamarkupfalse%
98.47 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ m\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{2B}{\isacharplus}}\ m{\isaliteral{22}{\isachardoublequoteclose}}%
98.48 +\isadelimproof
98.49 +%
98.50 +\endisadelimproof
98.51 +%
98.52 +\isatagproof
98.53 +%
98.54 +\begin{isamarkuptxt}%
98.55 +\begin{isabelle}%
98.56 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ m\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{2B}{\isacharplus}}\ m%
98.57 +\end{isabelle}%
98.58 +\end{isamarkuptxt}%
98.59 +\isamarkuptrue%
98.60 +\isacommand{oops}\isamarkupfalse%
98.61 +%
98.62 +\endisatagproof
98.63 +{\isafoldproof}%
98.64 +%
98.65 +\isadelimproof
98.66 +%
98.67 +\endisadelimproof
98.68 +\isanewline
98.69 +\isanewline
98.70 +\isacommand{fun}\isamarkupfalse%
98.71 +\ h\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
98.72 +{\isaliteral{22}{\isachardoublequoteopen}}h\ i\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ i\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{3}}\ then\ {\isadigit{2}}\ else\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
98.73 +\begin{isamarkuptext}%
98.74 +\isa{h\ {\isadigit{3}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}}
98.75 +\isa{h\ i\ {\isaliteral{3D}{\isacharequal}}\ i}%
98.76 +\end{isamarkuptext}%
98.77 +\isamarkuptrue%
98.78 +%
98.79 +\begin{isamarkuptext}%
98.80 +\begin{isabelle}%
98.81 +Numeral{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{1}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}%
98.82 +\end{isabelle}
98.83 +\rulename{numeral_1_eq_1}
98.84 +
98.85 +\begin{isabelle}%
98.86 +{\isadigit{2}}\ {\isaliteral{2B}{\isacharplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
98.87 +\end{isabelle}
98.88 +\rulename{add_2_eq_Suc}
98.89 +
98.90 +\begin{isabelle}%
98.91 +n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{2}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
98.92 +\end{isabelle}
98.93 +\rulename{add_2_eq_Suc'}
98.94 +
98.95 +\begin{isabelle}%
98.96 +a\ {\isaliteral{2B}{\isacharplus}}\ b\ {\isaliteral{2B}{\isacharplus}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2B}{\isacharplus}}\ c{\isaliteral{29}{\isacharparenright}}%
98.97 +\end{isabelle}
98.98 +\rulename{add_assoc}
98.99 +
98.100 +\begin{isabelle}%
98.101 +a\ {\isaliteral{2B}{\isacharplus}}\ b\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2B}{\isacharplus}}\ a%
98.102 +\end{isabelle}
98.103 +\rulename{add_commute}
98.104 +
98.105 +\begin{isabelle}%
98.106 +b\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2B}{\isacharplus}}\ c{\isaliteral{29}{\isacharparenright}}%
98.107 +\end{isabelle}
98.108 +\rulename{add_left_commute}
98.109 +
98.110 +these form add_ac; similarly there is mult_ac%
98.111 +\end{isamarkuptext}%
98.112 +\isamarkuptrue%
98.113 +\isacommand{lemma}\isamarkupfalse%
98.114 +\ {\isaliteral{22}{\isachardoublequoteopen}}Suc{\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ j{\isaliteral{2A}{\isacharasterisk}}l{\isaliteral{2A}{\isacharasterisk}}k\ {\isaliteral{2B}{\isacharplus}}\ m{\isaliteral{2A}{\isacharasterisk}}n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{28}{\isacharparenleft}}n{\isaliteral{2A}{\isacharasterisk}}m\ {\isaliteral{2B}{\isacharplus}}\ i\ {\isaliteral{2B}{\isacharplus}}\ k{\isaliteral{2A}{\isacharasterisk}}j{\isaliteral{2A}{\isacharasterisk}}l{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
98.115 +\isadelimproof
98.116 +%
98.117 +\endisadelimproof
98.118 +%
98.119 +\isatagproof
98.120 +%
98.121 +\begin{isamarkuptxt}%
98.122 +\begin{isabelle}%
98.123 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ l\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{2B}{\isacharplus}}\ m\ {\isaliteral{2A}{\isacharasterisk}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2A}{\isacharasterisk}}\ m\ {\isaliteral{2B}{\isacharplus}}\ i\ {\isaliteral{2B}{\isacharplus}}\ k\ {\isaliteral{2A}{\isacharasterisk}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ l{\isaliteral{29}{\isacharparenright}}%
98.124 +\end{isabelle}%
98.125 +\end{isamarkuptxt}%
98.126 +\isamarkuptrue%
98.127 +\isacommand{apply}\isamarkupfalse%
98.128 +\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ add{\isaliteral{5F}{\isacharunderscore}}ac\ mult{\isaliteral{5F}{\isacharunderscore}}ac{\isaliteral{29}{\isacharparenright}}%
98.129 +\begin{isamarkuptxt}%
98.130 +\begin{isabelle}%
98.131 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2B}{\isacharplus}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2A}{\isacharasterisk}}\ l{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
98.132 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ }f\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2B}{\isacharplus}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2A}{\isacharasterisk}}\ l{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
98.133 +\end{isabelle}%
98.134 +\end{isamarkuptxt}%
98.135 +\isamarkuptrue%
98.136 +\isacommand{oops}\isamarkupfalse%
98.137 +%
98.138 +\endisatagproof
98.139 +{\isafoldproof}%
98.140 +%
98.141 +\isadelimproof
98.142 +%
98.143 +\endisadelimproof
98.144 +%
98.145 +\begin{isamarkuptext}%
98.146 +\begin{isabelle}%
98.147 +m\ {\isaliteral{5C3C6C653E}{\isasymle}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ div\ k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ n\ div\ k%
98.148 +\end{isabelle}
98.149 +\rulename{div_le_mono}
98.150 +
98.151 +\begin{isabelle}%
98.152 +{\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2D}{\isacharminus}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{2D}{\isacharminus}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ k%
98.153 +\end{isabelle}
98.154 +\rulename{diff_mult_distrib}
98.155 +
98.156 +\begin{isabelle}%
98.157 +a\ mod\ b\ {\isaliteral{2A}{\isacharasterisk}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ c\ mod\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}%
98.158 +\end{isabelle}
98.159 +\rulename{mult_mod_left}
98.160 +
98.161 +\begin{isabelle}%
98.162 +P\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2D}{\isacharminus}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{3C}{\isacharless}}\ b\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}d{\isaliteral{2E}{\isachardot}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2B}{\isacharplus}}\ d\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ d{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
98.163 +\end{isabelle}
98.164 +\rulename{nat_diff_split}%
98.165 +\end{isamarkuptext}%
98.166 +\isamarkuptrue%
98.167 +\isacommand{lemma}\isamarkupfalse%
98.168 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
98.169 +%
98.170 +\isadelimproof
98.171 +%
98.172 +\endisadelimproof
98.173 +%
98.174 +\isatagproof
98.175 +\isacommand{apply}\isamarkupfalse%
98.176 +\ {\isaliteral{28}{\isacharparenleft}}clarsimp\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split\ iff\ del{\isaliteral{3A}{\isacharcolon}}\ less{\isaliteral{5F}{\isacharunderscore}}Suc{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
98.177 +\ %
98.178 +\isamarkupcmt{\begin{isabelle}%
98.179 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}d{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{3C}{\isacharless}}\ Suc\ {\isadigit{0}}{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{3D}{\isacharequal}}\ Suc\ d{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ d\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}%
98.180 +\end{isabelle}%
98.181 +}
98.182 +\isanewline
98.183 +\isacommand{apply}\isamarkupfalse%
98.184 +\ {\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\ {\isaliteral{22}{\isachardoublequoteopen}}n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ force{\isaliteral{2C}{\isacharcomma}}\ arith{\isaliteral{29}{\isacharparenright}}\isanewline
98.185 +\isacommand{done}\isamarkupfalse%
98.186 +%
98.187 +\endisatagproof
98.188 +{\isafoldproof}%
98.189 +%
98.190 +\isadelimproof
98.191 +\isanewline
98.192 +%
98.193 +\endisadelimproof
98.194 +\isanewline
98.195 +\isanewline
98.196 +\isacommand{lemma}\isamarkupfalse%
98.197 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{4}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
98.198 +%
98.199 +\isadelimproof
98.200 +%
98.201 +\endisadelimproof
98.202 +%
98.203 +\isatagproof
98.204 +\isacommand{apply}\isamarkupfalse%
98.205 +\ {\isaliteral{28}{\isacharparenleft}}simp\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{2C}{\isacharcomma}}\ clarify{\isaliteral{29}{\isacharparenright}}\isanewline
98.206 +\ %
98.207 +\isamarkupcmt{\begin{isabelle}%
98.208 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}d{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{3C}{\isacharless}}\ {\isadigit{2}}{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{4}}\ {\isaliteral{2B}{\isacharplus}}\ d{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ d\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}%
98.209 +\end{isabelle}%
98.210 +}
98.211 +\isanewline
98.212 +\isacommand{apply}\isamarkupfalse%
98.213 +\ {\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\ {\isaliteral{22}{\isachardoublequoteopen}}n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ force{\isaliteral{2C}{\isacharcomma}}\ arith{\isaliteral{29}{\isacharparenright}}\isanewline
98.214 +\isacommand{done}\isamarkupfalse%
98.215 +%
98.216 +\endisatagproof
98.217 +{\isafoldproof}%
98.218 +%
98.219 +\isadelimproof
98.220 +%
98.221 +\endisadelimproof
98.222 +%
98.223 +\begin{isamarkuptext}%
98.224 +\begin{isabelle}%
98.225 +m\ mod\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ m\ {\isaliteral{3C}{\isacharless}}\ n\ then\ m\ else\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2D}{\isacharminus}}\ n{\isaliteral{29}{\isacharparenright}}\ mod\ n{\isaliteral{29}{\isacharparenright}}%
98.226 +\end{isabelle}
98.227 +\rulename{mod_if}
98.228 +
98.229 +\begin{isabelle}%
98.230 +a\ div\ b\ {\isaliteral{2A}{\isacharasterisk}}\ b\ {\isaliteral{2B}{\isacharplus}}\ a\ mod\ b\ {\isaliteral{3D}{\isacharequal}}\ a%
98.231 +\end{isabelle}
98.232 +\rulename{mod_div_equality}
98.233 +
98.234 +
98.235 +\begin{isabelle}%
98.236 +a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ div\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ div\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ div\ c%
98.237 +\end{isabelle}
98.238 +\rulename{div_mult1_eq}
98.239 +
98.240 +\begin{isabelle}%
98.241 +a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ mod\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ mod\ c%
98.242 +\end{isabelle}
98.243 +\rulename{mod_mult_right_eq}
98.244 +
98.245 +\begin{isabelle}%
98.246 +a\ div\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ b\ div\ c%
98.247 +\end{isabelle}
98.248 +\rulename{div_mult2_eq}
98.249 +
98.250 +\begin{isabelle}%
98.251 +a\ mod\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}a\ div\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ mod\ b%
98.252 +\end{isabelle}
98.253 +\rulename{mod_mult2_eq}
98.254 +
98.255 +\begin{isabelle}%
98.256 +c\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ c\ {\isaliteral{2A}{\isacharasterisk}}\ a\ div\ {\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{2A}{\isacharasterisk}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ b%
98.257 +\end{isabelle}
98.258 +\rulename{div_mult_mult1}
98.259 +
98.260 +\begin{isabelle}%
98.261 +a\ div\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}%
98.262 +\end{isabelle}
98.263 +\rulename{div_by_0}
98.264 +
98.265 +\begin{isabelle}%
98.266 +a\ mod\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a%
98.267 +\end{isabelle}
98.268 +\rulename{mod_by_0}
98.269 +
98.270 +\begin{isabelle}%
98.271 +{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}m\ dvd\ n{\isaliteral{3B}{\isacharsemicolon}}\ n\ dvd\ m{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ n%
98.272 +\end{isabelle}
98.273 +\rulename{dvd_antisym}
98.274 +
98.275 +\begin{isabelle}%
98.276 +{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}a\ dvd\ b{\isaliteral{3B}{\isacharsemicolon}}\ a\ dvd\ c{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ dvd\ b\ {\isaliteral{2B}{\isacharplus}}\ c%
98.277 +\end{isabelle}
98.278 +\rulename{dvd_add}
98.279 +
98.280 +For the integers, I'd list a few theorems that somehow involve negative
98.281 +numbers.%
98.282 +\end{isamarkuptext}%
98.283 +\isamarkuptrue%
98.284 +%
98.285 +\begin{isamarkuptext}%
98.286 +Division, remainder of negatives
98.287 +
98.288 +
98.289 +\begin{isabelle}%
98.290 +{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ b\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{0}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ a\ mod\ b%
98.291 +\end{isabelle}
98.292 +\rulename{pos_mod_sign}
98.293 +
98.294 +\begin{isabelle}%
98.295 +{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ b\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ mod\ b\ {\isaliteral{3C}{\isacharless}}\ b%
98.296 +\end{isabelle}
98.297 +\rulename{pos_mod_bound}
98.298 +
98.299 +\begin{isabelle}%
98.300 +b\ {\isaliteral{3C}{\isacharless}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ mod\ b\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isadigit{0}}%
98.301 +\end{isabelle}
98.302 +\rulename{neg_mod_sign}
98.303 +
98.304 +\begin{isabelle}%
98.305 +b\ {\isaliteral{3C}{\isacharless}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b\ {\isaliteral{3C}{\isacharless}}\ a\ mod\ b%
98.306 +\end{isabelle}
98.307 +\rulename{neg_mod_bound}
98.308 +
98.309 +\begin{isabelle}%
98.310 +{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{29}{\isacharparenright}}\ div\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ div\ c\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}a\ mod\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ div\ c%
98.311 +\end{isabelle}
98.312 +\rulename{zdiv_zadd1_eq}
98.313 +
98.314 +\begin{isabelle}%
98.315 +{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{29}{\isacharparenright}}\ mod\ c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ mod\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ mod\ c%
98.316 +\end{isabelle}
98.317 +\rulename{mod_add_eq}
98.318 +
98.319 +\begin{isabelle}%
98.320 +a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ div\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ div\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ div\ c%
98.321 +\end{isabelle}
98.322 +\rulename{zdiv_zmult1_eq}
98.323 +
98.324 +\begin{isabelle}%
98.325 +a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ mod\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ mod\ c%
98.326 +\end{isabelle}
98.327 +\rulename{mod_mult_right_eq}
98.328 +
98.329 +\begin{isabelle}%
98.330 +{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ div\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ b\ div\ c%
98.331 +\end{isabelle}
98.332 +\rulename{zdiv_zmult2_eq}
98.333 +
98.334 +\begin{isabelle}%
98.335 +{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ mod\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}a\ div\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ mod\ b%
98.336 +\end{isabelle}
98.337 +\rulename{zmod_zmult2_eq}%
98.338 +\end{isamarkuptext}%
98.339 +\isamarkuptrue%
98.340 +\isacommand{lemma}\isamarkupfalse%
98.341 +\ {\isaliteral{22}{\isachardoublequoteopen}}abs\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2B}{\isacharplus}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ abs\ x\ {\isaliteral{2B}{\isacharplus}}\ abs\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
98.342 +%
98.343 +\isadelimproof
98.344 +%
98.345 +\endisadelimproof
98.346 +%
98.347 +\isatagproof
98.348 +\isacommand{by}\isamarkupfalse%
98.349 +\ arith%
98.350 +\endisatagproof
98.351 +{\isafoldproof}%
98.352 +%
98.353 +\isadelimproof
98.354 +\isanewline
98.355 +%
98.356 +\endisadelimproof
98.357 +\isanewline
98.358 +\isacommand{lemma}\isamarkupfalse%
98.359 +\ {\isaliteral{22}{\isachardoublequoteopen}}abs\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}{\isaliteral{2A}{\isacharasterisk}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ abs\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
98.360 +%
98.361 +\isadelimproof
98.362 +%
98.363 +\endisadelimproof
98.364 +%
98.365 +\isatagproof
98.366 +\isacommand{by}\isamarkupfalse%
98.367 +\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ abs{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{29}{\isacharparenright}}%
98.368 +\endisatagproof
98.369 +{\isafoldproof}%
98.370 +%
98.371 +\isadelimproof
98.372 +%
98.373 +\endisadelimproof
98.374 +%
98.375 +\begin{isamarkuptext}%
98.376 +Induction rules for the Integers
98.377 +
98.378 +\begin{isabelle}%
98.379 +{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ k{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
98.380 +\end{isabelle}
98.381 +\rulename{int_ge_induct}
98.382 +
98.383 +\begin{isabelle}%
98.384 +{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{3C}{\isacharless}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{3C}{\isacharless}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
98.385 +\end{isabelle}
98.386 +\rulename{int_gr_induct}
98.387 +
98.388 +\begin{isabelle}%
98.389 +{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ k{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
98.390 +\end{isabelle}
98.391 +\rulename{int_le_induct}
98.392 +
98.393 +\begin{isabelle}%
98.394 +{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{3C}{\isacharless}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{3C}{\isacharless}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
98.395 +\end{isabelle}
98.396 +\rulename{int_less_induct}%
98.397 +\end{isamarkuptext}%
98.398 +\isamarkuptrue%
98.399 +%
98.400 +\begin{isamarkuptext}%
98.401 +FIELDS
98.402 +
98.403 +\begin{isabelle}%
98.404 +x\ {\isaliteral{3C}{\isacharless}}\ y\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}z{\isaliteral{3E}{\isachargreater}}x{\isaliteral{2E}{\isachardot}}\ z\ {\isaliteral{3C}{\isacharless}}\ y%
98.405 +\end{isabelle}
98.406 +\rulename{dense}
98.407 +
98.408 +\begin{isabelle}%
98.409 +a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2F}{\isacharslash}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ {\isaliteral{2F}{\isacharslash}}\ c%
98.410 +\end{isabelle}
98.411 +\rulename{times_divide_eq_right}
98.412 +
98.413 +\begin{isabelle}%
98.414 +b\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{2A}{\isacharasterisk}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ a\ {\isaliteral{2F}{\isacharslash}}\ c%
98.415 +\end{isabelle}
98.416 +\rulename{times_divide_eq_left}
98.417 +
98.418 +\begin{isabelle}%
98.419 +a\ {\isaliteral{2F}{\isacharslash}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2F}{\isacharslash}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ c\ {\isaliteral{2F}{\isacharslash}}\ b%
98.420 +\end{isabelle}
98.421 +\rulename{divide_divide_eq_right}
98.422 +
98.423 +\begin{isabelle}%
98.424 +a\ {\isaliteral{2F}{\isacharslash}}\ b\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2F}{\isacharslash}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}%
98.425 +\end{isabelle}
98.426 +\rulename{divide_divide_eq_left}
98.427 +
98.428 +\begin{isabelle}%
98.429 +{\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2F}{\isacharslash}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2D}{\isacharminus}}\ a\ {\isaliteral{2F}{\isacharslash}}\ b%
98.430 +\end{isabelle}
98.431 +\rulename{minus_divide_left}
98.432 +
98.433 +\begin{isabelle}%
98.434 +{\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2F}{\isacharslash}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2F}{\isacharslash}}\ {\isaliteral{2D}{\isacharminus}}\ b%
98.435 +\end{isabelle}
98.436 +\rulename{minus_divide_right}
98.437 +
98.438 +This last NOT a simprule
98.439 +
98.440 +\begin{isabelle}%
98.441 +{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ {\isaliteral{2F}{\isacharslash}}\ c%
98.442 +\end{isabelle}
98.443 +\rulename{add_divide_distrib}%
98.444 +\end{isamarkuptext}%
98.445 +\isamarkuptrue%
98.446 +\isacommand{lemma}\isamarkupfalse%
98.447 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{3}}{\isaliteral{2F}{\isacharslash}}{\isadigit{4}}\ {\isaliteral{3C}{\isacharless}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{7}}{\isaliteral{2F}{\isacharslash}}{\isadigit{8}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ real{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
98.448 +%
98.449 +\isadelimproof
98.450 +%
98.451 +\endisadelimproof
98.452 +%
98.453 +\isatagproof
98.454 +\isacommand{by}\isamarkupfalse%
98.455 +\ simp%
98.456 +\endisatagproof
98.457 +{\isafoldproof}%
98.458 +%
98.459 +\isadelimproof
98.460 +\ \isanewline
98.461 +%
98.462 +\endisadelimproof
98.463 +\isanewline
98.464 +\isacommand{lemma}\isamarkupfalse%
98.465 +\ {\isaliteral{22}{\isachardoublequoteopen}}P\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}{\isadigit{3}}{\isaliteral{2F}{\isacharslash}}{\isadigit{4}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}{\isaliteral{2F}{\isacharslash}}{\isadigit{1}}{\isadigit{5}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ real{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
98.466 +\isadelimproof
98.467 +%
98.468 +\endisadelimproof
98.469 +%
98.470 +\isatagproof
98.471 +%
98.472 +\begin{isamarkuptxt}%
98.473 +\begin{isabelle}%
98.474 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{3}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{4}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{1}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
98.475 +\end{isabelle}%
98.476 +\end{isamarkuptxt}%
98.477 +\isamarkuptrue%
98.478 +\isacommand{apply}\isamarkupfalse%
98.479 +\ simp%
98.480 +\begin{isamarkuptxt}%
98.481 +\begin{isabelle}%
98.482 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{5}}{\isaliteral{29}{\isacharparenright}}%
98.483 +\end{isabelle}%
98.484 +\end{isamarkuptxt}%
98.485 +\isamarkuptrue%
98.486 +\isacommand{oops}\isamarkupfalse%
98.487 +%
98.488 +\endisatagproof
98.489 +{\isafoldproof}%
98.490 +%
98.491 +\isadelimproof
98.492 +%
98.493 +\endisadelimproof
98.494 +\isanewline
98.495 +\isanewline
98.496 +\isacommand{lemma}\isamarkupfalse%
98.497 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isadigit{3}}{\isaliteral{2F}{\isacharslash}}{\isadigit{4}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}{\isaliteral{2F}{\isacharslash}}{\isadigit{1}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ real{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
98.498 +\isadelimproof
98.499 +%
98.500 +\endisadelimproof
98.501 +%
98.502 +\isatagproof
98.503 +%
98.504 +\begin{isamarkuptxt}%
98.505 +\begin{isabelle}%
98.506 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{3}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{4}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{1}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ x%
98.507 +\end{isabelle}%
98.508 +\end{isamarkuptxt}%
98.509 +\isamarkuptrue%
98.510 +\isacommand{apply}\isamarkupfalse%
98.511 +\ simp%
98.512 +\begin{isamarkuptxt}%
98.513 +\begin{isabelle}%
98.514 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{3C}{\isacharless}}\ x\ {\isaliteral{2A}{\isacharasterisk}}\ {\isadigit{5}}%
98.515 +\end{isabelle}%
98.516 +\end{isamarkuptxt}%
98.517 +\isamarkuptrue%
98.518 +\isacommand{oops}\isamarkupfalse%
98.519 +%
98.520 +\endisatagproof
98.521 +{\isafoldproof}%
98.522 +%
98.523 +\isadelimproof
98.524 +%
98.525 +\endisadelimproof
98.526 +%
98.527 +\begin{isamarkuptext}%
98.528 +Ring and Field
98.529 +
98.530 +Requires a field, or else an ordered ring
98.531 +
98.532 +\begin{isabelle}%
98.533 +{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ b\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
98.534 +\end{isabelle}
98.535 +\rulename{mult_eq_0_iff}
98.536 +
98.537 +\begin{isabelle}%
98.538 +{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2A}{\isacharasterisk}}\ c\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}%
98.539 +\end{isabelle}
98.540 +\rulename{mult_cancel_right}
98.541 +
98.542 +\begin{isabelle}%
98.543 +{\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{2A}{\isacharasterisk}}\ a\ {\isaliteral{3D}{\isacharequal}}\ c\ {\isaliteral{2A}{\isacharasterisk}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}%
98.544 +\end{isabelle}
98.545 +\rulename{mult_cancel_left}%
98.546 +\end{isamarkuptext}%
98.547 +\isamarkuptrue%
98.548 +%
98.549 +\begin{isamarkuptext}%
98.550 +effect of show sorts on the above
98.551 +
98.552 +\begin{isabelle}%
98.553 +{\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}c{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
98.554 +\isaindent{{\isaliteral{28}{\isacharparenleft}}}c\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
98.555 +{\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}%
98.556 +\end{isabelle}
98.557 +\rulename{mult_cancel_left}%
98.558 +\end{isamarkuptext}%
98.559 +\isamarkuptrue%
98.560 +%
98.561 +\begin{isamarkuptext}%
98.562 +absolute value
98.563 +
98.564 +\begin{isabelle}%
98.565 +{\isaliteral{5C3C6261723E}{\isasymbar}}a\ {\isaliteral{2A}{\isacharasterisk}}\ b{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}b{\isaliteral{5C3C6261723E}{\isasymbar}}%
98.566 +\end{isabelle}
98.567 +\rulename{abs_mult}
98.568 +
98.569 +\begin{isabelle}%
98.570 +{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{5C3C6C653E}{\isasymle}}\ b\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{2D}{\isacharminus}}\ a\ {\isaliteral{5C3C6C653E}{\isasymle}}\ b{\isaliteral{29}{\isacharparenright}}%
98.571 +\end{isabelle}
98.572 +\rulename{abs_le_iff}
98.573 +
98.574 +\begin{isabelle}%
98.575 +{\isaliteral{5C3C6261723E}{\isasymbar}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}b{\isaliteral{5C3C6261723E}{\isasymbar}}%
98.576 +\end{isabelle}
98.577 +\rulename{abs_triangle_ineq}
98.578 +
98.579 +\begin{isabelle}%
98.580 +a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\ {\isaliteral{2B}{\isacharplus}}\ n\isaliteral{5C3C5E657375703E}{}\isactrlesup \ {\isaliteral{3D}{\isacharequal}}\ a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\isaliteral{5C3C5E657375703E}{}\isactrlesup \ {\isaliteral{2A}{\isacharasterisk}}\ a\isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup %
98.581 +\end{isabelle}
98.582 +\rulename{power_add}
98.583 +
98.584 +\begin{isabelle}%
98.585 +a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\ {\isaliteral{2A}{\isacharasterisk}}\ n\isaliteral{5C3C5E657375703E}{}\isactrlesup \ {\isaliteral{3D}{\isacharequal}}\ a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\isaliteral{5C3C5E657375703E}{}\isactrlesup \isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup %
98.586 +\end{isabelle}
98.587 +\rulename{power_mult}
98.588 +
98.589 +\begin{isabelle}%
98.590 +{\isaliteral{5C3C6261723E}{\isasymbar}}a\isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup {\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup %
98.591 +\end{isabelle}
98.592 +\rulename{power_abs}%
98.593 +\end{isamarkuptext}%
98.594 +\isamarkuptrue%
98.595 +%
98.596 +\isadelimtheory
98.597 +%
98.598 +\endisadelimtheory
98.599 +%
98.600 +\isatagtheory
98.601 +\isacommand{end}\isamarkupfalse%
98.602 +%
98.603 +\endisatagtheory
98.604 +{\isafoldtheory}%
98.605 +%
98.606 +\isadelimtheory
98.607 +%
98.608 +\endisadelimtheory
98.609 +\isanewline
98.610 +\end{isabellebody}%
98.611 +%%% Local Variables:
98.612 +%%% mode: latex
98.613 +%%% TeX-master: "root"
98.614 +%%% End:
99.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
99.2 +++ b/doc-src/TutorialI/document/Option2.tex Thu Jul 26 19:59:06 2012 +0200
99.3 @@ -0,0 +1,56 @@
99.4 +%
99.5 +\begin{isabellebody}%
99.6 +\def\isabellecontext{Option{\isadigit{2}}}%
99.7 +%
99.8 +\isadelimtheory
99.9 +%
99.10 +\endisadelimtheory
99.11 +%
99.12 +\isatagtheory
99.13 +%
99.14 +\endisatagtheory
99.15 +{\isafoldtheory}%
99.16 +%
99.17 +\isadelimtheory
99.18 +%
99.19 +\endisadelimtheory
99.20 +%
99.21 +\begin{isamarkuptext}%
99.22 +\indexbold{*option (type)}\indexbold{*None (constant)}%
99.23 +\indexbold{*Some (constant)}
99.24 +Our final datatype is very simple but still eminently useful:%
99.25 +\end{isamarkuptext}%
99.26 +\isamarkuptrue%
99.27 +\isacommand{datatype}\isamarkupfalse%
99.28 +\ {\isaliteral{27}{\isacharprime}}a\ option\ {\isaliteral{3D}{\isacharequal}}\ None\ {\isaliteral{7C}{\isacharbar}}\ Some\ {\isaliteral{27}{\isacharprime}}a%
99.29 +\begin{isamarkuptext}%
99.30 +\noindent
99.31 +Frequently one needs to add a distinguished element to some existing type.
99.32 +For example, type \isa{t\ option} can model the result of a computation that
99.33 +may either terminate with an error (represented by \isa{None}) or return
99.34 +some value \isa{v} (represented by \isa{Some\ v}).
99.35 +Similarly, \isa{nat} extended with $\infty$ can be modeled by type
99.36 +\isa{nat\ option}. In both cases one could define a new datatype with
99.37 +customized constructors like \isa{Error} and \isa{Infinity},
99.38 +but it is often simpler to use \isa{option}. For an application see
99.39 +\S\ref{sec:Trie}.%
99.40 +\end{isamarkuptext}%
99.41 +\isamarkuptrue%
99.42 +%
99.43 +\isadelimtheory
99.44 +%
99.45 +\endisadelimtheory
99.46 +%
99.47 +\isatagtheory
99.48 +%
99.49 +\endisatagtheory
99.50 +{\isafoldtheory}%
99.51 +%
99.52 +\isadelimtheory
99.53 +%
99.54 +\endisadelimtheory
99.55 +\end{isabellebody}%
99.56 +%%% Local Variables:
99.57 +%%% mode: latex
99.58 +%%% TeX-master: "root"
99.59 +%%% End:
100.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
100.2 +++ b/doc-src/TutorialI/document/Overloading.tex Thu Jul 26 19:59:06 2012 +0200
100.3 @@ -0,0 +1,159 @@
100.4 +%
100.5 +\begin{isabellebody}%
100.6 +\def\isabellecontext{Overloading}%
100.7 +%
100.8 +\isadelimtheory
100.9 +%
100.10 +\endisadelimtheory
100.11 +%
100.12 +\isatagtheory
100.13 +%
100.14 +\endisatagtheory
100.15 +{\isafoldtheory}%
100.16 +%
100.17 +\isadelimtheory
100.18 +%
100.19 +\endisadelimtheory
100.20 +%
100.21 +\begin{isamarkuptext}%
100.22 +Type classes allow \emph{overloading}; thus a constant may
100.23 +have multiple definitions at non-overlapping types.%
100.24 +\end{isamarkuptext}%
100.25 +\isamarkuptrue%
100.26 +%
100.27 +\isamarkupsubsubsection{Overloading%
100.28 +}
100.29 +\isamarkuptrue%
100.30 +%
100.31 +\begin{isamarkuptext}%
100.32 +We can introduce a binary infix addition operator \isa{{\isaliteral{5C3C6F74696D65733E}{\isasymotimes}}}
100.33 +for arbitrary types by means of a type class:%
100.34 +\end{isamarkuptext}%
100.35 +\isamarkuptrue%
100.36 +\isacommand{class}\isamarkupfalse%
100.37 +\ plus\ {\isaliteral{3D}{\isacharequal}}\isanewline
100.38 +\ \ \isakeyword{fixes}\ plus\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{7}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}%
100.39 +\begin{isamarkuptext}%
100.40 +\noindent This introduces a new class \isa{plus},
100.41 +along with a constant \isa{plus} with nice infix syntax.
100.42 +\isa{plus} is also named \emph{class operation}. The type
100.43 +of \isa{plus} carries a class constraint \isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ plus{\isaliteral{22}{\isachardoublequote}}} on its type variable, meaning that only types of class
100.44 +\isa{plus} can be instantiated for \isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequote}}}.
100.45 +To breathe life into \isa{plus} we need to declare a type
100.46 +to be an \bfindex{instance} of \isa{plus}:%
100.47 +\end{isamarkuptext}%
100.48 +\isamarkuptrue%
100.49 +\isacommand{instantiation}\isamarkupfalse%
100.50 +\ nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ plus\isanewline
100.51 +\isakeyword{begin}%
100.52 +\begin{isamarkuptext}%
100.53 +\noindent Command \isacommand{instantiation} opens a local
100.54 +theory context. Here we can now instantiate \isa{plus} on
100.55 +\isa{nat}:%
100.56 +\end{isamarkuptext}%
100.57 +\isamarkuptrue%
100.58 +\isacommand{primrec}\isamarkupfalse%
100.59 +\ plus{\isaliteral{5F}{\isacharunderscore}}nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
100.60 +\ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
100.61 +\ \ {\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
100.62 +\begin{isamarkuptext}%
100.63 +\noindent Note that the name \isa{plus} carries a
100.64 +suffix \isa{{\isaliteral{5F}{\isacharunderscore}}nat}; by default, the local name of a class operation
100.65 +\isa{f} to be instantiated on type constructor \isa{{\isaliteral{5C3C6B617070613E}{\isasymkappa}}} is mangled
100.66 +as \isa{f{\isaliteral{5F}{\isacharunderscore}}{\isaliteral{5C3C6B617070613E}{\isasymkappa}}}. In case of uncertainty, these names may be inspected
100.67 +using the \hyperlink{command.print-context}{\mbox{\isa{\isacommand{print{\isaliteral{5F}{\isacharunderscore}}context}}}} command or the corresponding
100.68 +ProofGeneral button.
100.69 +
100.70 +Although class \isa{plus} has no axioms, the instantiation must be
100.71 +formally concluded by a (trivial) instantiation proof ``..'':%
100.72 +\end{isamarkuptext}%
100.73 +\isamarkuptrue%
100.74 +\isacommand{instance}\isamarkupfalse%
100.75 +%
100.76 +\isadelimproof
100.77 +\ %
100.78 +\endisadelimproof
100.79 +%
100.80 +\isatagproof
100.81 +\isacommand{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
100.82 +%
100.83 +\endisatagproof
100.84 +{\isafoldproof}%
100.85 +%
100.86 +\isadelimproof
100.87 +%
100.88 +\endisadelimproof
100.89 +%
100.90 +\begin{isamarkuptext}%
100.91 +\noindent More interesting \isacommand{instance} proofs will
100.92 +arise below.
100.93 +
100.94 +The instantiation is finished by an explicit%
100.95 +\end{isamarkuptext}%
100.96 +\isamarkuptrue%
100.97 +\isacommand{end}\isamarkupfalse%
100.98 +%
100.99 +\begin{isamarkuptext}%
100.100 +\noindent From now on, terms like \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}} are
100.101 +legal.%
100.102 +\end{isamarkuptext}%
100.103 +\isamarkuptrue%
100.104 +\isacommand{instantiation}\isamarkupfalse%
100.105 +\ prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{28}{\isacharparenleft}}plus{\isaliteral{2C}{\isacharcomma}}\ plus{\isaliteral{29}{\isacharparenright}}\ plus\isanewline
100.106 +\isakeyword{begin}%
100.107 +\begin{isamarkuptext}%
100.108 +\noindent Here we instantiate the product type \isa{prod} to
100.109 +class \isa{plus}, given that its type arguments are of
100.110 +class \isa{plus}:%
100.111 +\end{isamarkuptext}%
100.112 +\isamarkuptrue%
100.113 +\isacommand{fun}\isamarkupfalse%
100.114 +\ plus{\isaliteral{5F}{\isacharunderscore}}prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
100.115 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}w{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ w{\isaliteral{2C}{\isacharcomma}}\ y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
100.116 +\begin{isamarkuptext}%
100.117 +\noindent Obviously, overloaded specifications may include
100.118 +recursion over the syntactic structure of types.%
100.119 +\end{isamarkuptext}%
100.120 +\isamarkuptrue%
100.121 +\isacommand{instance}\isamarkupfalse%
100.122 +%
100.123 +\isadelimproof
100.124 +\ %
100.125 +\endisadelimproof
100.126 +%
100.127 +\isatagproof
100.128 +\isacommand{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
100.129 +%
100.130 +\endisatagproof
100.131 +{\isafoldproof}%
100.132 +%
100.133 +\isadelimproof
100.134 +%
100.135 +\endisadelimproof
100.136 +\isanewline
100.137 +\isanewline
100.138 +\isacommand{end}\isamarkupfalse%
100.139 +%
100.140 +\begin{isamarkuptext}%
100.141 +\noindent This way we have encoded the canonical lifting of
100.142 +binary operations to products by means of type classes.%
100.143 +\end{isamarkuptext}%
100.144 +\isamarkuptrue%
100.145 +%
100.146 +\isadelimtheory
100.147 +%
100.148 +\endisadelimtheory
100.149 +%
100.150 +\isatagtheory
100.151 +%
100.152 +\endisatagtheory
100.153 +{\isafoldtheory}%
100.154 +%
100.155 +\isadelimtheory
100.156 +%
100.157 +\endisadelimtheory
100.158 +\end{isabellebody}%
100.159 +%%% Local Variables:
100.160 +%%% mode: latex
100.161 +%%% TeX-master: "root"
100.162 +%%% End:
101.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
101.2 +++ b/doc-src/TutorialI/document/PDL.tex Thu Jul 26 19:59:06 2012 +0200
101.3 @@ -0,0 +1,342 @@
101.4 +%
101.5 +\begin{isabellebody}%
101.6 +\def\isabellecontext{PDL}%
101.7 +%
101.8 +\isadelimtheory
101.9 +%
101.10 +\endisadelimtheory
101.11 +%
101.12 +\isatagtheory
101.13 +%
101.14 +\endisatagtheory
101.15 +{\isafoldtheory}%
101.16 +%
101.17 +\isadelimtheory
101.18 +%
101.19 +\endisadelimtheory
101.20 +%
101.21 +\isamarkupsubsection{Propositional Dynamic Logic --- PDL%
101.22 +}
101.23 +\isamarkuptrue%
101.24 +%
101.25 +\begin{isamarkuptext}%
101.26 +\index{PDL|(}
101.27 +The formulae of PDL are built up from atomic propositions via
101.28 +negation and conjunction and the two temporal
101.29 +connectives \isa{AX} and \isa{EF}\@. Since formulae are essentially
101.30 +syntax trees, they are naturally modelled as a datatype:%
101.31 +\footnote{The customary definition of PDL
101.32 +\cite{HarelKT-DL} looks quite different from ours, but the two are easily
101.33 +shown to be equivalent.}%
101.34 +\end{isamarkuptext}%
101.35 +\isamarkuptrue%
101.36 +\isacommand{datatype}\isamarkupfalse%
101.37 +\ formula\ {\isaliteral{3D}{\isacharequal}}\ Atom\ {\isaliteral{22}{\isachardoublequoteopen}}atom{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
101.38 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Neg\ formula\isanewline
101.39 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ And\ formula\ formula\isanewline
101.40 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ AX\ formula\isanewline
101.41 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ EF\ formula%
101.42 +\begin{isamarkuptext}%
101.43 +\noindent
101.44 +This resembles the boolean expression case study in
101.45 +\S\ref{sec:boolex}.
101.46 +A validity relation between states and formulae specifies the semantics.
101.47 +The syntax annotation allows us to write \isa{s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f} instead of
101.48 +\hbox{\isa{valid\ s\ f}}. The definition is by recursion over the syntax:%
101.49 +\end{isamarkuptext}%
101.50 +\isamarkuptrue%
101.51 +\isacommand{primrec}\isamarkupfalse%
101.52 +\ valid\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ formula\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isadigit{8}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}{\isadigit{8}}{\isadigit{0}}{\isaliteral{5D}{\isacharbrackright}}\ {\isadigit{8}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
101.53 +\isakeyword{where}\isanewline
101.54 +{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ Atom\ a\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ L\ s{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
101.55 +{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ Neg\ f\ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}{\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
101.56 +{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ And\ f\ g\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f\ {\isaliteral{5C3C616E643E}{\isasymand}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ g{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
101.57 +{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ AX\ f\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
101.58 +{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EF\ f\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
101.59 +\begin{isamarkuptext}%
101.60 +\noindent
101.61 +The first three equations should be self-explanatory. The temporal formula
101.62 +\isa{AX\ f} means that \isa{f} is true in \emph{A}ll ne\emph{X}t states whereas
101.63 +\isa{EF\ f} means that there \emph{E}xists some \emph{F}uture state in which \isa{f} is
101.64 +true. The future is expressed via \isa{\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}}, the reflexive transitive
101.65 +closure. Because of reflexivity, the future includes the present.
101.66 +
101.67 +Now we come to the model checker itself. It maps a formula into the
101.68 +set of states where the formula is true. It too is defined by
101.69 +recursion over the syntax:%
101.70 +\end{isamarkuptext}%
101.71 +\isamarkuptrue%
101.72 +\isacommand{primrec}\isamarkupfalse%
101.73 +\ mc\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}formula\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
101.74 +{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}Atom\ a{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ L\ s{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
101.75 +{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}Neg\ f{\isaliteral{29}{\isacharparenright}}\ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2D}{\isacharminus}}mc\ f{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
101.76 +{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}And\ f\ g{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ mc\ f\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ mc\ g{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
101.77 +{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}AX\ f{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ \ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ mc\ f{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
101.78 +{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}EF\ f{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ lfp{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ mc\ f\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
101.79 +\begin{isamarkuptext}%
101.80 +\noindent
101.81 +Only the equation for \isa{EF} deserves some comments. Remember that the
101.82 +postfix \isa{{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}} and the infix \isa{{\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}} are predefined and denote the
101.83 +converse of a relation and the image of a set under a relation. Thus
101.84 +\isa{M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T} is the set of all predecessors of \isa{T} and the least
101.85 +fixed point (\isa{lfp}) of \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ mc\ f\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T} is the least set
101.86 +\isa{T} containing \isa{mc\ f} and all predecessors of \isa{T}. If you
101.87 +find it hard to see that \isa{mc\ {\isaliteral{28}{\isacharparenleft}}EF\ f{\isaliteral{29}{\isacharparenright}}} contains exactly those states from
101.88 +which there is a path to a state where \isa{f} is true, do not worry --- this
101.89 +will be proved in a moment.
101.90 +
101.91 +First we prove monotonicity of the function inside \isa{lfp}
101.92 +in order to make sure it really has a least fixed point.%
101.93 +\end{isamarkuptext}%
101.94 +\isamarkuptrue%
101.95 +\isacommand{lemma}\isamarkupfalse%
101.96 +\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}mono{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
101.97 +%
101.98 +\isadelimproof
101.99 +%
101.100 +\endisadelimproof
101.101 +%
101.102 +\isatagproof
101.103 +\isacommand{apply}\isamarkupfalse%
101.104 +{\isaliteral{28}{\isacharparenleft}}rule\ monoI{\isaliteral{29}{\isacharparenright}}\isanewline
101.105 +\isacommand{apply}\isamarkupfalse%
101.106 +\ blast\isanewline
101.107 +\isacommand{done}\isamarkupfalse%
101.108 +%
101.109 +\endisatagproof
101.110 +{\isafoldproof}%
101.111 +%
101.112 +\isadelimproof
101.113 +%
101.114 +\endisadelimproof
101.115 +%
101.116 +\begin{isamarkuptext}%
101.117 +\noindent
101.118 +Now we can relate model checking and semantics. For the \isa{EF} case we need
101.119 +a separate lemma:%
101.120 +\end{isamarkuptext}%
101.121 +\isamarkuptrue%
101.122 +\isacommand{lemma}\isamarkupfalse%
101.123 +\ EF{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{3A}{\isacharcolon}}\isanewline
101.124 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}lfp{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
101.125 +\isadelimproof
101.126 +%
101.127 +\endisadelimproof
101.128 +%
101.129 +\isatagproof
101.130 +%
101.131 +\begin{isamarkuptxt}%
101.132 +\noindent
101.133 +The equality is proved in the canonical fashion by proving that each set
101.134 +includes the other; the inclusion is shown pointwise:%
101.135 +\end{isamarkuptxt}%
101.136 +\isamarkuptrue%
101.137 +\isacommand{apply}\isamarkupfalse%
101.138 +{\isaliteral{28}{\isacharparenleft}}rule\ equalityI{\isaliteral{29}{\isacharparenright}}\isanewline
101.139 +\ \isacommand{apply}\isamarkupfalse%
101.140 +{\isaliteral{28}{\isacharparenleft}}rule\ subsetI{\isaliteral{29}{\isacharparenright}}\isanewline
101.141 +\ \isacommand{apply}\isamarkupfalse%
101.142 +{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
101.143 +\begin{isamarkuptxt}%
101.144 +\noindent
101.145 +Simplification leaves us with the following first subgoal
101.146 +\begin{isabelle}%
101.147 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A%
101.148 +\end{isabelle}
101.149 +which is proved by \isa{lfp}-induction:%
101.150 +\end{isamarkuptxt}%
101.151 +\isamarkuptrue%
101.152 +\ \isacommand{apply}\isamarkupfalse%
101.153 +{\isaliteral{28}{\isacharparenleft}}erule\ lfp{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{5F}{\isacharunderscore}}set{\isaliteral{29}{\isacharparenright}}\isanewline
101.154 +\ \ \isacommand{apply}\isamarkupfalse%
101.155 +{\isaliteral{28}{\isacharparenleft}}rule\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{29}{\isacharparenright}}\isanewline
101.156 +\ \isacommand{apply}\isamarkupfalse%
101.157 +{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
101.158 +\begin{isamarkuptxt}%
101.159 +\noindent
101.160 +Having disposed of the monotonicity subgoal,
101.161 +simplification leaves us with the following goal:
101.162 +\begin{isabelle}
101.163 +\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymin}\ A\ {\isasymor}\isanewline
101.164 +\ \ \ \ \ \ \ \ \ x\ {\isasymin}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ {\isacharparenleft}lfp\ {\isacharparenleft}\dots{\isacharparenright}\ {\isasyminter}\ {\isacharbraceleft}x{\isachardot}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A{\isacharbraceright}{\isacharparenright}\isanewline
101.165 +\ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A
101.166 +\end{isabelle}
101.167 +It is proved by \isa{blast}, using the transitivity of
101.168 +\isa{M\isactrlsup {\isacharasterisk}}.%
101.169 +\end{isamarkuptxt}%
101.170 +\isamarkuptrue%
101.171 +\ \isacommand{apply}\isamarkupfalse%
101.172 +{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtrancl{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{29}{\isacharparenright}}%
101.173 +\begin{isamarkuptxt}%
101.174 +We now return to the second set inclusion subgoal, which is again proved
101.175 +pointwise:%
101.176 +\end{isamarkuptxt}%
101.177 +\isamarkuptrue%
101.178 +\isacommand{apply}\isamarkupfalse%
101.179 +{\isaliteral{28}{\isacharparenleft}}rule\ subsetI{\isaliteral{29}{\isacharparenright}}\isanewline
101.180 +\isacommand{apply}\isamarkupfalse%
101.181 +{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{2C}{\isacharcomma}}\ clarify{\isaliteral{29}{\isacharparenright}}%
101.182 +\begin{isamarkuptxt}%
101.183 +\noindent
101.184 +After simplification and clarification we are left with
101.185 +\begin{isabelle}%
101.186 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}%
101.187 +\end{isabelle}
101.188 +This goal is proved by induction on \isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}}. But since the model
101.189 +checker works backwards (from \isa{t} to \isa{s}), we cannot use the
101.190 +induction theorem \isa{rtrancl{\isaliteral{5F}{\isacharunderscore}}induct}: it works in the
101.191 +forward direction. Fortunately the converse induction theorem
101.192 +\isa{converse{\isaliteral{5F}{\isacharunderscore}}rtrancl{\isaliteral{5F}{\isacharunderscore}}induct} already exists:
101.193 +\begin{isabelle}%
101.194 +\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ P\ b{\isaliteral{3B}{\isacharsemicolon}}\isanewline
101.195 +\isaindent{\ \ \ \ \ \ }{\isaliteral{5C3C416E643E}{\isasymAnd}}y\ z{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}z{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ P\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ y{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
101.196 +\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ a%
101.197 +\end{isabelle}
101.198 +It says that if \isa{{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}} and we know \isa{P\ b} then we can infer
101.199 +\isa{P\ a} provided each step backwards from a predecessor \isa{z} of
101.200 +\isa{b} preserves \isa{P}.%
101.201 +\end{isamarkuptxt}%
101.202 +\isamarkuptrue%
101.203 +\isacommand{apply}\isamarkupfalse%
101.204 +{\isaliteral{28}{\isacharparenleft}}erule\ converse{\isaliteral{5F}{\isacharunderscore}}rtrancl{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}%
101.205 +\begin{isamarkuptxt}%
101.206 +\noindent
101.207 +The base case
101.208 +\begin{isabelle}%
101.209 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}%
101.210 +\end{isabelle}
101.211 +is solved by unrolling \isa{lfp} once%
101.212 +\end{isamarkuptxt}%
101.213 +\isamarkuptrue%
101.214 +\ \isacommand{apply}\isamarkupfalse%
101.215 +{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}%
101.216 +\begin{isamarkuptxt}%
101.217 +\begin{isabelle}%
101.218 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}%
101.219 +\end{isabelle}
101.220 +and disposing of the resulting trivial subgoal automatically:%
101.221 +\end{isamarkuptxt}%
101.222 +\isamarkuptrue%
101.223 +\ \isacommand{apply}\isamarkupfalse%
101.224 +{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}%
101.225 +\begin{isamarkuptxt}%
101.226 +\noindent
101.227 +The proof of the induction step is identical to the one for the base case:%
101.228 +\end{isamarkuptxt}%
101.229 +\isamarkuptrue%
101.230 +\isacommand{apply}\isamarkupfalse%
101.231 +{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
101.232 +\isacommand{apply}\isamarkupfalse%
101.233 +{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
101.234 +\isacommand{done}\isamarkupfalse%
101.235 +%
101.236 +\endisatagproof
101.237 +{\isafoldproof}%
101.238 +%
101.239 +\isadelimproof
101.240 +%
101.241 +\endisadelimproof
101.242 +%
101.243 +\begin{isamarkuptext}%
101.244 +The main theorem is proved in the familiar manner: induction followed by
101.245 +\isa{auto} augmented with the lemma as a simplification rule.%
101.246 +\end{isamarkuptext}%
101.247 +\isamarkuptrue%
101.248 +\isacommand{theorem}\isamarkupfalse%
101.249 +\ {\isaliteral{22}{\isachardoublequoteopen}}mc\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
101.250 +%
101.251 +\isadelimproof
101.252 +%
101.253 +\endisadelimproof
101.254 +%
101.255 +\isatagproof
101.256 +\isacommand{apply}\isamarkupfalse%
101.257 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ f{\isaliteral{29}{\isacharparenright}}\isanewline
101.258 +\isacommand{apply}\isamarkupfalse%
101.259 +{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ EF{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{29}{\isacharparenright}}\isanewline
101.260 +\isacommand{done}\isamarkupfalse%
101.261 +%
101.262 +\endisatagproof
101.263 +{\isafoldproof}%
101.264 +%
101.265 +\isadelimproof
101.266 +%
101.267 +\endisadelimproof
101.268 +%
101.269 +\begin{isamarkuptext}%
101.270 +\begin{exercise}
101.271 +\isa{AX} has a dual operator \isa{EN}
101.272 +(``there exists a next state such that'')%
101.273 +\footnote{We cannot use the customary \isa{EX}: it is reserved
101.274 +as the \textsc{ascii}-equivalent of \isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}}.}
101.275 +with the intended semantics
101.276 +\begin{isabelle}%
101.277 +\ \ \ \ \ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EN\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}%
101.278 +\end{isabelle}
101.279 +Fortunately, \isa{EN\ f} can already be expressed as a PDL formula. How?
101.280 +
101.281 +Show that the semantics for \isa{EF} satisfies the following recursion equation:
101.282 +\begin{isabelle}%
101.283 +\ \ \ \ \ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EF\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f\ {\isaliteral{5C3C6F723E}{\isasymor}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EN\ {\isaliteral{28}{\isacharparenleft}}EF\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
101.284 +\end{isabelle}
101.285 +\end{exercise}
101.286 +\index{PDL|)}%
101.287 +\end{isamarkuptext}%
101.288 +\isamarkuptrue%
101.289 +%
101.290 +\isadelimproof
101.291 +%
101.292 +\endisadelimproof
101.293 +%
101.294 +\isatagproof
101.295 +%
101.296 +\endisatagproof
101.297 +{\isafoldproof}%
101.298 +%
101.299 +\isadelimproof
101.300 +%
101.301 +\endisadelimproof
101.302 +%
101.303 +\isadelimproof
101.304 +%
101.305 +\endisadelimproof
101.306 +%
101.307 +\isatagproof
101.308 +%
101.309 +\endisatagproof
101.310 +{\isafoldproof}%
101.311 +%
101.312 +\isadelimproof
101.313 +%
101.314 +\endisadelimproof
101.315 +%
101.316 +\isadelimproof
101.317 +%
101.318 +\endisadelimproof
101.319 +%
101.320 +\isatagproof
101.321 +%
101.322 +\endisatagproof
101.323 +{\isafoldproof}%
101.324 +%
101.325 +\isadelimproof
101.326 +%
101.327 +\endisadelimproof
101.328 +%
101.329 +\isadelimtheory
101.330 +%
101.331 +\endisadelimtheory
101.332 +%
101.333 +\isatagtheory
101.334 +%
101.335 +\endisatagtheory
101.336 +{\isafoldtheory}%
101.337 +%
101.338 +\isadelimtheory
101.339 +%
101.340 +\endisadelimtheory
101.341 +\end{isabellebody}%
101.342 +%%% Local Variables:
101.343 +%%% mode: latex
101.344 +%%% TeX-master: "root"
101.345 +%%% End:
102.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
102.2 +++ b/doc-src/TutorialI/document/Pairs.tex Thu Jul 26 19:59:06 2012 +0200
102.3 @@ -0,0 +1,394 @@
102.4 +%
102.5 +\begin{isabellebody}%
102.6 +\def\isabellecontext{Pairs}%
102.7 +%
102.8 +\isadelimtheory
102.9 +%
102.10 +\endisadelimtheory
102.11 +%
102.12 +\isatagtheory
102.13 +%
102.14 +\endisatagtheory
102.15 +{\isafoldtheory}%
102.16 +%
102.17 +\isadelimtheory
102.18 +%
102.19 +\endisadelimtheory
102.20 +%
102.21 +\isamarkupsection{Pairs and Tuples%
102.22 +}
102.23 +\isamarkuptrue%
102.24 +%
102.25 +\begin{isamarkuptext}%
102.26 +\label{sec:products}
102.27 +Ordered pairs were already introduced in \S\ref{sec:pairs}, but only with a minimal
102.28 +repertoire of operations: pairing and the two projections \isa{fst} and
102.29 +\isa{snd}. In any non-trivial application of pairs you will find that this
102.30 +quickly leads to unreadable nests of projections. This
102.31 +section introduces syntactic sugar to overcome this
102.32 +problem: pattern matching with tuples.%
102.33 +\end{isamarkuptext}%
102.34 +\isamarkuptrue%
102.35 +%
102.36 +\isamarkupsubsection{Pattern Matching with Tuples%
102.37 +}
102.38 +\isamarkuptrue%
102.39 +%
102.40 +\begin{isamarkuptext}%
102.41 +Tuples may be used as patterns in $\lambda$-abstractions,
102.42 +for example \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}x{\isaliteral{2B}{\isacharplus}}y{\isaliteral{2B}{\isacharplus}}z} and \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}x{\isaliteral{2B}{\isacharplus}}y{\isaliteral{2B}{\isacharplus}}z}. In fact,
102.43 +tuple patterns can be used in most variable binding constructs,
102.44 +and they can be nested. Here are
102.45 +some typical examples:
102.46 +\begin{quote}
102.47 +\isa{let\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ z\ in\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}}\\
102.48 +\isa{case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ zs\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ x\ {\isaliteral{2B}{\isacharplus}}\ y}\\
102.49 +\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C696E3E}{\isasymin}}A{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}y}\\
102.50 +\isa{{\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}z{\isaliteral{7D}{\isacharbraceright}}}\\
102.51 +\isa{{\isaliteral{5C3C556E696F6E3E}{\isasymUnion}}\isaliteral{5C3C5E627375623E}{}\isactrlbsub {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C696E3E}{\isasymin}}A\isaliteral{5C3C5E657375623E}{}\isactrlesub \ {\isaliteral{7B}{\isacharbraceleft}}x\ {\isaliteral{2B}{\isacharplus}}\ y{\isaliteral{7D}{\isacharbraceright}}}
102.52 +\end{quote}
102.53 +The intuitive meanings of these expressions should be obvious.
102.54 +Unfortunately, we need to know in more detail what the notation really stands
102.55 +for once we have to reason about it. Abstraction
102.56 +over pairs and tuples is merely a convenient shorthand for a more complex
102.57 +internal representation. Thus the internal and external form of a term may
102.58 +differ, which can affect proofs. If you want to avoid this complication,
102.59 +stick to \isa{fst} and \isa{snd} and write \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}p{\isaliteral{2E}{\isachardot}}\ fst\ p\ {\isaliteral{2B}{\isacharplus}}\ snd\ p}
102.60 +instead of \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{2B}{\isacharplus}}y}. These terms are distinct even though they
102.61 +denote the same function.
102.62 +
102.63 +Internally, \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ t} becomes \isa{split\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x\ y{\isaliteral{2E}{\isachardot}}\ t{\isaliteral{29}{\isacharparenright}}}, where
102.64 +\cdx{split} is the uncurrying function of type \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}c} defined as
102.65 +\begin{center}
102.66 +\isa{prod{\isaliteral{5F}{\isacharunderscore}}case\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}c\ p{\isaliteral{2E}{\isachardot}}\ c\ {\isaliteral{28}{\isacharparenleft}}fst\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}snd\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}
102.67 +\hfill(\isa{split{\isaliteral{5F}{\isacharunderscore}}def})
102.68 +\end{center}
102.69 +Pattern matching in
102.70 +other variable binding constructs is translated similarly. Thus we need to
102.71 +understand how to reason about such constructs.%
102.72 +\end{isamarkuptext}%
102.73 +\isamarkuptrue%
102.74 +%
102.75 +\isamarkupsubsection{Theorem Proving%
102.76 +}
102.77 +\isamarkuptrue%
102.78 +%
102.79 +\begin{isamarkuptext}%
102.80 +The most obvious approach is the brute force expansion of \isa{prod{\isaliteral{5F}{\isacharunderscore}}case}:%
102.81 +\end{isamarkuptext}%
102.82 +\isamarkuptrue%
102.83 +\isacommand{lemma}\isamarkupfalse%
102.84 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}x{\isaliteral{29}{\isacharparenright}}\ p\ {\isaliteral{3D}{\isacharequal}}\ fst\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
102.85 +%
102.86 +\isadelimproof
102.87 +%
102.88 +\endisadelimproof
102.89 +%
102.90 +\isatagproof
102.91 +\isacommand{by}\isamarkupfalse%
102.92 +{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
102.93 +\endisatagproof
102.94 +{\isafoldproof}%
102.95 +%
102.96 +\isadelimproof
102.97 +%
102.98 +\endisadelimproof
102.99 +%
102.100 +\begin{isamarkuptext}%
102.101 +\noindent
102.102 +This works well if rewriting with \isa{split{\isaliteral{5F}{\isacharunderscore}}def} finishes the
102.103 +proof, as it does above. But if it does not, you end up with exactly what
102.104 +we are trying to avoid: nests of \isa{fst} and \isa{snd}. Thus this
102.105 +approach is neither elegant nor very practical in large examples, although it
102.106 +can be effective in small ones.
102.107 +
102.108 +If we consider why this lemma presents a problem,
102.109 +we realize that we need to replace variable~\isa{p} by some pair \isa{{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}}. Then both sides of the
102.110 +equation would simplify to \isa{a} by the simplification rules
102.111 +\isa{{\isaliteral{28}{\isacharparenleft}}case\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ f\ x\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ a\ b} and \isa{fst\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a}.
102.112 +To reason about tuple patterns requires some way of
102.113 +converting a variable of product type into a pair.
102.114 +In case of a subterm of the form \isa{case\ p\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ f\ x\ xa} this is easy: the split
102.115 +rule \isa{split{\isaliteral{5F}{\isacharunderscore}}split} replaces \isa{p} by a pair:%
102.116 +\index{*split (method)}%
102.117 +\end{isamarkuptext}%
102.118 +\isamarkuptrue%
102.119 +\isacommand{lemma}\isamarkupfalse%
102.120 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}y{\isaliteral{29}{\isacharparenright}}\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
102.121 +%
102.122 +\isadelimproof
102.123 +%
102.124 +\endisadelimproof
102.125 +%
102.126 +\isatagproof
102.127 +\isacommand{apply}\isamarkupfalse%
102.128 +{\isaliteral{28}{\isacharparenleft}}split\ split{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
102.129 +\begin{isamarkuptxt}%
102.130 +\begin{isabelle}%
102.131 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x\ y{\isaliteral{2E}{\isachardot}}\ p\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ y\ {\isaliteral{3D}{\isacharequal}}\ snd\ p%
102.132 +\end{isabelle}
102.133 +This subgoal is easily proved by simplification. Thus we could have combined
102.134 +simplification and splitting in one command that proves the goal outright:%
102.135 +\end{isamarkuptxt}%
102.136 +\isamarkuptrue%
102.137 +%
102.138 +\endisatagproof
102.139 +{\isafoldproof}%
102.140 +%
102.141 +\isadelimproof
102.142 +%
102.143 +\endisadelimproof
102.144 +%
102.145 +\isadelimproof
102.146 +%
102.147 +\endisadelimproof
102.148 +%
102.149 +\isatagproof
102.150 +\isacommand{by}\isamarkupfalse%
102.151 +{\isaliteral{28}{\isacharparenleft}}simp\ split{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
102.152 +\endisatagproof
102.153 +{\isafoldproof}%
102.154 +%
102.155 +\isadelimproof
102.156 +%
102.157 +\endisadelimproof
102.158 +%
102.159 +\begin{isamarkuptext}%
102.160 +Let us look at a second example:%
102.161 +\end{isamarkuptext}%
102.162 +\isamarkuptrue%
102.163 +\isacommand{lemma}\isamarkupfalse%
102.164 +\ {\isaliteral{22}{\isachardoublequoteopen}}let\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p\ in\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
102.165 +%
102.166 +\isadelimproof
102.167 +%
102.168 +\endisadelimproof
102.169 +%
102.170 +\isatagproof
102.171 +\isacommand{apply}\isamarkupfalse%
102.172 +{\isaliteral{28}{\isacharparenleft}}simp\ only{\isaliteral{3A}{\isacharcolon}}\ Let{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
102.173 +\begin{isamarkuptxt}%
102.174 +\begin{isabelle}%
102.175 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ case\ p\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ x%
102.176 +\end{isabelle}
102.177 +A paired \isa{let} reduces to a paired $\lambda$-abstraction, which
102.178 +can be split as above. The same is true for paired set comprehension:%
102.179 +\end{isamarkuptxt}%
102.180 +\isamarkuptrue%
102.181 +%
102.182 +\endisatagproof
102.183 +{\isafoldproof}%
102.184 +%
102.185 +\isadelimproof
102.186 +%
102.187 +\endisadelimproof
102.188 +\isacommand{lemma}\isamarkupfalse%
102.189 +\ {\isaliteral{22}{\isachardoublequoteopen}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}y{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
102.190 +%
102.191 +\isadelimproof
102.192 +%
102.193 +\endisadelimproof
102.194 +%
102.195 +\isatagproof
102.196 +\isacommand{apply}\isamarkupfalse%
102.197 +\ simp%
102.198 +\begin{isamarkuptxt}%
102.199 +\begin{isabelle}%
102.200 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}case\ p\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ x\ {\isaliteral{3D}{\isacharequal}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p%
102.201 +\end{isabelle}
102.202 +Again, simplification produces a term suitable for \isa{split{\isaliteral{5F}{\isacharunderscore}}split}
102.203 +as above. If you are worried about the strange form of the premise:
102.204 +\isa{split\ {\isaliteral{28}{\isacharparenleft}}op\ {\isaliteral{3D}{\isacharequal}}{\isaliteral{29}{\isacharparenright}}} is short for \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ y}.
102.205 +The same proof procedure works for%
102.206 +\end{isamarkuptxt}%
102.207 +\isamarkuptrue%
102.208 +%
102.209 +\endisatagproof
102.210 +{\isafoldproof}%
102.211 +%
102.212 +\isadelimproof
102.213 +%
102.214 +\endisadelimproof
102.215 +\isacommand{lemma}\isamarkupfalse%
102.216 +\ {\isaliteral{22}{\isachardoublequoteopen}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}y{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p{\isaliteral{22}{\isachardoublequoteclose}}%
102.217 +\isadelimproof
102.218 +%
102.219 +\endisadelimproof
102.220 +%
102.221 +\isatagproof
102.222 +%
102.223 +\begin{isamarkuptxt}%
102.224 +\noindent
102.225 +except that we now have to use \isa{split{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{5F}{\isacharunderscore}}asm}, because
102.226 +\isa{prod{\isaliteral{5F}{\isacharunderscore}}case} occurs in the assumptions.
102.227 +
102.228 +However, splitting \isa{prod{\isaliteral{5F}{\isacharunderscore}}case} is not always a solution, as no \isa{prod{\isaliteral{5F}{\isacharunderscore}}case}
102.229 +may be present in the goal. Consider the following function:%
102.230 +\end{isamarkuptxt}%
102.231 +\isamarkuptrue%
102.232 +%
102.233 +\endisatagproof
102.234 +{\isafoldproof}%
102.235 +%
102.236 +\isadelimproof
102.237 +%
102.238 +\endisadelimproof
102.239 +\isacommand{primrec}\isamarkupfalse%
102.240 +\ swap\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}swap\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
102.241 +\begin{isamarkuptext}%
102.242 +\noindent
102.243 +Note that the above \isacommand{primrec} definition is admissible
102.244 +because \isa{{\isaliteral{5C3C74696D65733E}{\isasymtimes}}} is a datatype. When we now try to prove%
102.245 +\end{isamarkuptext}%
102.246 +\isamarkuptrue%
102.247 +\isacommand{lemma}\isamarkupfalse%
102.248 +\ {\isaliteral{22}{\isachardoublequoteopen}}swap{\isaliteral{28}{\isacharparenleft}}swap\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{22}{\isachardoublequoteclose}}%
102.249 +\isadelimproof
102.250 +%
102.251 +\endisadelimproof
102.252 +%
102.253 +\isatagproof
102.254 +%
102.255 +\begin{isamarkuptxt}%
102.256 +\noindent
102.257 +simplification will do nothing, because the defining equation for
102.258 +\isa{swap} expects a pair. Again, we need to turn \isa{p}
102.259 +into a pair first, but this time there is no \isa{prod{\isaliteral{5F}{\isacharunderscore}}case} in sight.
102.260 +The only thing we can do is to split the term by hand:%
102.261 +\end{isamarkuptxt}%
102.262 +\isamarkuptrue%
102.263 +\isacommand{apply}\isamarkupfalse%
102.264 +{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ p{\isaliteral{29}{\isacharparenright}}%
102.265 +\begin{isamarkuptxt}%
102.266 +\noindent
102.267 +\begin{isabelle}%
102.268 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ b{\isaliteral{2E}{\isachardot}}\ p\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ swap\ {\isaliteral{28}{\isacharparenleft}}swap\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p%
102.269 +\end{isabelle}
102.270 +Again, \methdx{case_tac} is applicable because \isa{{\isaliteral{5C3C74696D65733E}{\isasymtimes}}} is a datatype.
102.271 +The subgoal is easily proved by \isa{simp}.
102.272 +
102.273 +Splitting by \isa{case{\isaliteral{5F}{\isacharunderscore}}tac} also solves the previous examples and may thus
102.274 +appear preferable to the more arcane methods introduced first. However, see
102.275 +the warning about \isa{case{\isaliteral{5F}{\isacharunderscore}}tac} in \S\ref{sec:struct-ind-case}.
102.276 +
102.277 +Alternatively, you can split \emph{all} \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}}-quantified variables
102.278 +in a goal with the rewrite rule \isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all}:%
102.279 +\end{isamarkuptxt}%
102.280 +\isamarkuptrue%
102.281 +%
102.282 +\endisatagproof
102.283 +{\isafoldproof}%
102.284 +%
102.285 +\isadelimproof
102.286 +%
102.287 +\endisadelimproof
102.288 +\isacommand{lemma}\isamarkupfalse%
102.289 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C416E643E}{\isasymAnd}}p\ q{\isaliteral{2E}{\isachardot}}\ swap{\isaliteral{28}{\isacharparenleft}}swap\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ q\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ p\ {\isaliteral{3D}{\isacharequal}}\ q{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
102.290 +%
102.291 +\isadelimproof
102.292 +%
102.293 +\endisadelimproof
102.294 +%
102.295 +\isatagproof
102.296 +\isacommand{apply}\isamarkupfalse%
102.297 +{\isaliteral{28}{\isacharparenleft}}simp\ only{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
102.298 +\begin{isamarkuptxt}%
102.299 +\noindent
102.300 +\begin{isabelle}%
102.301 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ b\ aa\ ba{\isaliteral{2E}{\isachardot}}\ swap\ {\isaliteral{28}{\isacharparenleft}}swap\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}aa{\isaliteral{2C}{\isacharcomma}}\ ba{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}aa{\isaliteral{2C}{\isacharcomma}}\ ba{\isaliteral{29}{\isacharparenright}}%
102.302 +\end{isabelle}%
102.303 +\end{isamarkuptxt}%
102.304 +\isamarkuptrue%
102.305 +\isacommand{apply}\isamarkupfalse%
102.306 +\ simp\isanewline
102.307 +\isacommand{done}\isamarkupfalse%
102.308 +%
102.309 +\endisatagproof
102.310 +{\isafoldproof}%
102.311 +%
102.312 +\isadelimproof
102.313 +%
102.314 +\endisadelimproof
102.315 +%
102.316 +\begin{isamarkuptext}%
102.317 +\noindent
102.318 +Note that we have intentionally included only \isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all}
102.319 +in the first simplification step, and then we simplify again.
102.320 +This time the reason was not merely
102.321 +pedagogical:
102.322 +\isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all} may interfere with other functions
102.323 +of the simplifier.
102.324 +The following command could fail (here it does not)
102.325 +where two separate \isa{simp} applications succeed.%
102.326 +\end{isamarkuptext}%
102.327 +\isamarkuptrue%
102.328 +%
102.329 +\isadelimproof
102.330 +%
102.331 +\endisadelimproof
102.332 +%
102.333 +\isatagproof
102.334 +\isacommand{apply}\isamarkupfalse%
102.335 +{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
102.336 +\endisatagproof
102.337 +{\isafoldproof}%
102.338 +%
102.339 +\isadelimproof
102.340 +%
102.341 +\endisadelimproof
102.342 +%
102.343 +\begin{isamarkuptext}%
102.344 +\noindent
102.345 +Finally, the simplifier automatically splits all \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}} and
102.346 +\isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}}-quantified variables:%
102.347 +\end{isamarkuptext}%
102.348 +\isamarkuptrue%
102.349 +\isacommand{lemma}\isamarkupfalse%
102.350 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}q{\isaliteral{2E}{\isachardot}}\ swap\ p\ {\isaliteral{3D}{\isacharequal}}\ swap\ q{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
102.351 +%
102.352 +\isadelimproof
102.353 +%
102.354 +\endisadelimproof
102.355 +%
102.356 +\isatagproof
102.357 +\isacommand{by}\isamarkupfalse%
102.358 +\ simp%
102.359 +\endisatagproof
102.360 +{\isafoldproof}%
102.361 +%
102.362 +\isadelimproof
102.363 +%
102.364 +\endisadelimproof
102.365 +%
102.366 +\begin{isamarkuptext}%
102.367 +\noindent
102.368 +To turn off this automatic splitting, disable the
102.369 +responsible simplification rules:
102.370 +\begin{center}
102.371 +\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}a\ b{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}
102.372 +\hfill
102.373 +(\isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}All})\\
102.374 +\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}x{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}a\ b{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}
102.375 +\hfill
102.376 +(\isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}Ex})
102.377 +\end{center}%
102.378 +\end{isamarkuptext}%
102.379 +\isamarkuptrue%
102.380 +%
102.381 +\isadelimtheory
102.382 +%
102.383 +\endisadelimtheory
102.384 +%
102.385 +\isatagtheory
102.386 +%
102.387 +\endisatagtheory
102.388 +{\isafoldtheory}%
102.389 +%
102.390 +\isadelimtheory
102.391 +%
102.392 +\endisadelimtheory
102.393 +\end{isabellebody}%
102.394 +%%% Local Variables:
102.395 +%%% mode: latex
102.396 +%%% TeX-master: "root"
102.397 +%%% End:
103.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
103.2 +++ b/doc-src/TutorialI/document/Partial.tex Thu Jul 26 19:59:06 2012 +0200
103.3 @@ -0,0 +1,352 @@
103.4 +%
103.5 +\begin{isabellebody}%
103.6 +\def\isabellecontext{Partial}%
103.7 +%
103.8 +\isadelimtheory
103.9 +%
103.10 +\endisadelimtheory
103.11 +%
103.12 +\isatagtheory
103.13 +%
103.14 +\endisatagtheory
103.15 +{\isafoldtheory}%
103.16 +%
103.17 +\isadelimtheory
103.18 +%
103.19 +\endisadelimtheory
103.20 +%
103.21 +\begin{isamarkuptext}%
103.22 +\noindent Throughout this tutorial, we have emphasized
103.23 +that all functions in HOL are total. We cannot hope to define
103.24 +truly partial functions, but must make them total. A straightforward
103.25 +method is to lift the result type of the function from $\tau$ to
103.26 +$\tau$~\isa{option} (see \ref{sec:option}), where \isa{None} is
103.27 +returned if the function is applied to an argument not in its
103.28 +domain. Function \isa{assoc} in \S\ref{sec:Trie} is a simple example.
103.29 +We do not pursue this schema further because it should be clear
103.30 +how it works. Its main drawback is that the result of such a lifted
103.31 +function has to be unpacked first before it can be processed
103.32 +further. Its main advantage is that you can distinguish if the
103.33 +function was applied to an argument in its domain or not. If you do
103.34 +not need to make this distinction, for example because the function is
103.35 +never used outside its domain, it is easier to work with
103.36 +\emph{underdefined}\index{functions!underdefined} functions: for
103.37 +certain arguments we only know that a result exists, but we do not
103.38 +know what it is. When defining functions that are normally considered
103.39 +partial, underdefinedness turns out to be a very reasonable
103.40 +alternative.
103.41 +
103.42 +We have already seen an instance of underdefinedness by means of
103.43 +non-exhaustive pattern matching: the definition of \isa{last} in
103.44 +\S\ref{sec:fun}. The same is allowed for \isacommand{primrec}%
103.45 +\end{isamarkuptext}%
103.46 +\isamarkuptrue%
103.47 +\isacommand{consts}\isamarkupfalse%
103.48 +\ hd\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ list\ {\isasymRightarrow}\ {\isacharprime}a{\isachardoublequoteclose}\isanewline
103.49 +\isacommand{primrec}\isamarkupfalse%
103.50 +\ {\isachardoublequoteopen}hd\ {\isacharparenleft}x{\isacharhash}xs{\isacharparenright}\ {\isacharequal}\ x{\isachardoublequoteclose}%
103.51 +\begin{isamarkuptext}%
103.52 +\noindent
103.53 +although it generates a warning.
103.54 +Even ordinary definitions allow underdefinedness, this time by means of
103.55 +preconditions:%
103.56 +\end{isamarkuptext}%
103.57 +\isamarkuptrue%
103.58 +\isacommand{constdefs}\isamarkupfalse%
103.59 +\ subtract\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
103.60 +{\isachardoublequoteopen}n\ {\isasymle}\ m\ {\isasymLongrightarrow}\ subtract\ m\ n\ {\isasymequiv}\ m\ {\isacharminus}\ n{\isachardoublequoteclose}%
103.61 +\begin{isamarkuptext}%
103.62 +The rest of this section is devoted to the question of how to define
103.63 +partial recursive functions by other means than non-exhaustive pattern
103.64 +matching.%
103.65 +\end{isamarkuptext}%
103.66 +\isamarkuptrue%
103.67 +%
103.68 +\isamarkupsubsubsection{Guarded Recursion%
103.69 +}
103.70 +\isamarkuptrue%
103.71 +%
103.72 +\begin{isamarkuptext}%
103.73 +\index{recursion!guarded}%
103.74 +Neither \isacommand{primrec} nor \isacommand{recdef} allow to
103.75 +prefix an equation with a condition in the way ordinary definitions do
103.76 +(see \isa{subtract} above). Instead we have to move the condition over
103.77 +to the right-hand side of the equation. Given a partial function $f$
103.78 +that should satisfy the recursion equation $f(x) = t$ over its domain
103.79 +$dom(f)$, we turn this into the \isacommand{recdef}
103.80 +\begin{isabelle}%
103.81 +\ \ \ \ \ f\ x\ {\isacharequal}\ {\isacharparenleft}if\ x\ {\isasymin}\ dom\ f\ then\ t\ else\ arbitrary{\isacharparenright}%
103.82 +\end{isabelle}
103.83 +where \isa{arbitrary} is a predeclared constant of type \isa{{\isacharprime}a}
103.84 +which has no definition. Thus we know nothing about its value,
103.85 +which is ideal for specifying underdefined functions on top of it.
103.86 +
103.87 +As a simple example we define division on \isa{nat}:%
103.88 +\end{isamarkuptext}%
103.89 +\isamarkuptrue%
103.90 +\isacommand{consts}\isamarkupfalse%
103.91 +\ divi\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymtimes}\ nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
103.92 +\isacommand{recdef}\isamarkupfalse%
103.93 +\ divi\ {\isachardoublequoteopen}measure{\isacharparenleft}{\isasymlambda}{\isacharparenleft}m{\isacharcomma}n{\isacharparenright}{\isachardot}\ m{\isacharparenright}{\isachardoublequoteclose}\isanewline
103.94 +\ \ {\isachardoublequoteopen}divi{\isacharparenleft}m{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ arbitrary{\isachardoublequoteclose}\isanewline
103.95 +\ \ {\isachardoublequoteopen}divi{\isacharparenleft}m{\isacharcomma}n{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ m\ {\isacharless}\ n\ then\ {\isadigit{0}}\ else\ divi{\isacharparenleft}m{\isacharminus}n{\isacharcomma}n{\isacharparenright}{\isacharplus}{\isadigit{1}}{\isacharparenright}{\isachardoublequoteclose}%
103.96 +\begin{isamarkuptext}%
103.97 +\noindent Of course we could also have defined
103.98 +\isa{divi\ {\isacharparenleft}m{\isacharcomma}\ {\isadigit{0}}{\isacharparenright}} to be some specific number, for example 0. The
103.99 +latter option is chosen for the predefined \isa{div} function, which
103.100 +simplifies proofs at the expense of deviating from the
103.101 +standard mathematical division function.
103.102 +
103.103 +As a more substantial example we consider the problem of searching a graph.
103.104 +For simplicity our graph is given by a function \isa{f} of
103.105 +type \isa{{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a} which
103.106 +maps each node to its successor; the graph has out-degree 1.
103.107 +The task is to find the end of a chain, modelled by a node pointing to
103.108 +itself. Here is a first attempt:
103.109 +\begin{isabelle}%
103.110 +\ \ \ \ \ find\ {\isacharparenleft}f{\isacharcomma}\ x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ f\ x\ {\isacharequal}\ x\ then\ x\ else\ find\ {\isacharparenleft}f{\isacharcomma}\ f\ x{\isacharparenright}{\isacharparenright}%
103.111 +\end{isabelle}
103.112 +This may be viewed as a fixed point finder or as the second half of the well
103.113 +known \emph{Union-Find} algorithm.
103.114 +The snag is that it may not terminate if \isa{f} has non-trivial cycles.
103.115 +Phrased differently, the relation%
103.116 +\end{isamarkuptext}%
103.117 +\isamarkuptrue%
103.118 +\isacommand{constdefs}\isamarkupfalse%
103.119 +\ step{\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymtimes}\ {\isacharprime}a{\isacharparenright}set{\isachardoublequoteclose}\isanewline
103.120 +\ \ {\isachardoublequoteopen}step{\isadigit{1}}\ f\ {\isasymequiv}\ {\isacharbraceleft}{\isacharparenleft}y{\isacharcomma}x{\isacharparenright}{\isachardot}\ y\ {\isacharequal}\ f\ x\ {\isasymand}\ y\ {\isasymnoteq}\ x{\isacharbraceright}{\isachardoublequoteclose}%
103.121 +\begin{isamarkuptext}%
103.122 +\noindent
103.123 +must be well-founded. Thus we make the following definition:%
103.124 +\end{isamarkuptext}%
103.125 +\isamarkuptrue%
103.126 +\isacommand{consts}\isamarkupfalse%
103.127 +\ find\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymtimes}\ {\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isachardoublequoteclose}\isanewline
103.128 +\isacommand{recdef}\isamarkupfalse%
103.129 +\ find\ {\isachardoublequoteopen}same{\isacharunderscore}fst\ {\isacharparenleft}{\isasymlambda}f{\isachardot}\ wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}{\isacharparenright}\ step{\isadigit{1}}{\isachardoublequoteclose}\isanewline
103.130 +\ \ {\isachardoublequoteopen}find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\isanewline
103.131 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ then\ if\ f\ x\ {\isacharequal}\ x\ then\ x\ else\ find{\isacharparenleft}f{\isacharcomma}\ f\ x{\isacharparenright}\isanewline
103.132 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ else\ arbitrary{\isacharparenright}{\isachardoublequoteclose}\isanewline
103.133 +{\isacharparenleft}\isakeyword{hints}\ recdef{\isacharunderscore}simp{\isacharcolon}\ step{\isadigit{1}}{\isacharunderscore}def{\isacharparenright}%
103.134 +\begin{isamarkuptext}%
103.135 +\noindent
103.136 +The recursion equation itself should be clear enough: it is our aborted
103.137 +first attempt augmented with a check that there are no non-trivial loops.
103.138 +To express the required well-founded relation we employ the
103.139 +predefined combinator \isa{same{\isacharunderscore}fst} of type
103.140 +\begin{isabelle}%
103.141 +\ \ \ \ \ {\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ bool{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}b{\isasymtimes}{\isacharprime}b{\isacharparenright}set{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharparenleft}{\isacharprime}a{\isasymtimes}{\isacharprime}b{\isacharparenright}\ {\isasymtimes}\ {\isacharparenleft}{\isacharprime}a{\isasymtimes}{\isacharprime}b{\isacharparenright}{\isacharparenright}set%
103.142 +\end{isabelle}
103.143 +defined as
103.144 +\begin{isabelle}%
103.145 +\ \ \ \ \ same{\isacharunderscore}fst\ P\ R\ {\isasymequiv}\ {\isacharbraceleft}{\isacharparenleft}{\isacharparenleft}x{\isacharprime}{\isacharcomma}\ y{\isacharprime}{\isacharparenright}{\isacharcomma}\ x{\isacharcomma}\ y{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isacharequal}\ x\ {\isasymand}\ P\ x\ {\isasymand}\ {\isacharparenleft}y{\isacharprime}{\isacharcomma}\ y{\isacharparenright}\ {\isasymin}\ R\ x{\isacharbraceright}%
103.146 +\end{isabelle}
103.147 +This combinator is designed for
103.148 +recursive functions on pairs where the first component of the argument is
103.149 +passed unchanged to all recursive calls. Given a constraint on the first
103.150 +component and a relation on the second component, \isa{same{\isacharunderscore}fst} builds the
103.151 +required relation on pairs. The theorem
103.152 +\begin{isabelle}%
103.153 +\ \ \ \ \ {\isacharparenleft}{\isasymAnd}x{\isachardot}\ P\ x\ {\isasymLongrightarrow}\ wf\ {\isacharparenleft}R\ x{\isacharparenright}{\isacharparenright}\ {\isasymLongrightarrow}\ wf\ {\isacharparenleft}same{\isacharunderscore}fst\ P\ R{\isacharparenright}%
103.154 +\end{isabelle}
103.155 +is known to the well-foundedness prover of \isacommand{recdef}. Thus
103.156 +well-foundedness of the relation given to \isacommand{recdef} is immediate.
103.157 +Furthermore, each recursive call descends along that relation: the first
103.158 +argument stays unchanged and the second one descends along \isa{step{\isadigit{1}}\ f}. The proof requires unfolding the definition of \isa{step{\isadigit{1}}},
103.159 +as specified in the \isacommand{hints} above.
103.160 +
103.161 +Normally you will then derive the following conditional variant from
103.162 +the recursion equation:%
103.163 +\end{isamarkuptext}%
103.164 +\isamarkuptrue%
103.165 +\isacommand{lemma}\isamarkupfalse%
103.166 +\ {\isacharbrackleft}simp{\isacharbrackright}{\isacharcolon}\isanewline
103.167 +\ \ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymLongrightarrow}\ find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ f\ x\ {\isacharequal}\ x\ then\ x\ else\ find{\isacharparenleft}f{\isacharcomma}\ f\ x{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}\isanewline
103.168 +%
103.169 +\isadelimproof
103.170 +%
103.171 +\endisadelimproof
103.172 +%
103.173 +\isatagproof
103.174 +\isacommand{by}\isamarkupfalse%
103.175 +\ simp%
103.176 +\endisatagproof
103.177 +{\isafoldproof}%
103.178 +%
103.179 +\isadelimproof
103.180 +%
103.181 +\endisadelimproof
103.182 +%
103.183 +\begin{isamarkuptext}%
103.184 +\noindent Then you should disable the original recursion equation:%
103.185 +\end{isamarkuptext}%
103.186 +\isamarkuptrue%
103.187 +\isacommand{declare}\isamarkupfalse%
103.188 +\ find{\isachardot}simps{\isacharbrackleft}simp\ del{\isacharbrackright}%
103.189 +\begin{isamarkuptext}%
103.190 +Reasoning about such underdefined functions is like that for other
103.191 +recursive functions. Here is a simple example of recursion induction:%
103.192 +\end{isamarkuptext}%
103.193 +\isamarkuptrue%
103.194 +\isacommand{lemma}\isamarkupfalse%
103.195 +\ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymlongrightarrow}\ f{\isacharparenleft}find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}{\isachardoublequoteclose}\isanewline
103.196 +%
103.197 +\isadelimproof
103.198 +%
103.199 +\endisadelimproof
103.200 +%
103.201 +\isatagproof
103.202 +\isacommand{apply}\isamarkupfalse%
103.203 +{\isacharparenleft}induct{\isacharunderscore}tac\ f\ x\ rule{\isacharcolon}\ find{\isachardot}induct{\isacharparenright}\isanewline
103.204 +\isacommand{apply}\isamarkupfalse%
103.205 +\ simp\isanewline
103.206 +\isacommand{done}\isamarkupfalse%
103.207 +%
103.208 +\endisatagproof
103.209 +{\isafoldproof}%
103.210 +%
103.211 +\isadelimproof
103.212 +%
103.213 +\endisadelimproof
103.214 +%
103.215 +\isamarkupsubsubsection{The {\tt\slshape while} Combinator%
103.216 +}
103.217 +\isamarkuptrue%
103.218 +%
103.219 +\begin{isamarkuptext}%
103.220 +If the recursive function happens to be tail recursive, its
103.221 +definition becomes a triviality if based on the predefined \cdx{while}
103.222 +combinator. The latter lives in the Library theory \thydx{While_Combinator}.
103.223 +% which is not part of {text Main} but needs to
103.224 +% be included explicitly among the ancestor theories.
103.225 +
103.226 +Constant \isa{while} is of type \isa{{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ bool{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymRightarrow}\ {\isacharprime}a}
103.227 +and satisfies the recursion equation \begin{isabelle}%
103.228 +\ \ \ \ \ while\ b\ c\ s\ {\isacharequal}\ {\isacharparenleft}if\ b\ s\ then\ while\ b\ c\ {\isacharparenleft}c\ s{\isacharparenright}\ else\ s{\isacharparenright}%
103.229 +\end{isabelle}
103.230 +That is, \isa{while\ b\ c\ s} is equivalent to the imperative program
103.231 +\begin{verbatim}
103.232 + x := s; while b(x) do x := c(x); return x
103.233 +\end{verbatim}
103.234 +In general, \isa{s} will be a tuple or record. As an example
103.235 +consider the following definition of function \isa{find}:%
103.236 +\end{isamarkuptext}%
103.237 +\isamarkuptrue%
103.238 +\isacommand{constdefs}\isamarkupfalse%
103.239 +\ find{\isadigit{2}}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymRightarrow}\ {\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isachardoublequoteclose}\isanewline
103.240 +\ \ {\isachardoublequoteopen}find{\isadigit{2}}\ f\ x\ {\isasymequiv}\isanewline
103.241 +\ \ \ fst{\isacharparenleft}while\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isasymnoteq}\ x{\isacharparenright}\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ {\isacharparenleft}x{\isacharprime}{\isacharcomma}f\ x{\isacharprime}{\isacharparenright}{\isacharparenright}\ {\isacharparenleft}x{\isacharcomma}f\ x{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
103.242 +\begin{isamarkuptext}%
103.243 +\noindent
103.244 +The loop operates on two ``local variables'' \isa{x} and \isa{x{\isacharprime}}
103.245 +containing the ``current'' and the ``next'' value of function \isa{f}.
103.246 +They are initialized with the global \isa{x} and \isa{f\ x}. At the
103.247 +end \isa{fst} selects the local \isa{x}.
103.248 +
103.249 +Although the definition of tail recursive functions via \isa{while} avoids
103.250 +termination proofs, there is no free lunch. When proving properties of
103.251 +functions defined by \isa{while}, termination rears its ugly head
103.252 +again. Here is \tdx{while_rule}, the well known proof rule for total
103.253 +correctness of loops expressed with \isa{while}:
103.254 +\begin{isabelle}%
103.255 +\ \ \ \ \ {\isasymlbrakk}P\ s{\isacharsemicolon}\ {\isasymAnd}s{\isachardot}\ {\isasymlbrakk}P\ s{\isacharsemicolon}\ b\ s{\isasymrbrakk}\ {\isasymLongrightarrow}\ P\ {\isacharparenleft}c\ s{\isacharparenright}{\isacharsemicolon}\isanewline
103.256 +\isaindent{\ \ \ \ \ \ }{\isasymAnd}s{\isachardot}\ {\isasymlbrakk}P\ s{\isacharsemicolon}\ {\isasymnot}\ b\ s{\isasymrbrakk}\ {\isasymLongrightarrow}\ Q\ s{\isacharsemicolon}\ wf\ r{\isacharsemicolon}\isanewline
103.257 +\isaindent{\ \ \ \ \ \ }{\isasymAnd}s{\isachardot}\ {\isasymlbrakk}P\ s{\isacharsemicolon}\ b\ s{\isasymrbrakk}\ {\isasymLongrightarrow}\ {\isacharparenleft}c\ s{\isacharcomma}\ s{\isacharparenright}\ {\isasymin}\ r{\isasymrbrakk}\isanewline
103.258 +\isaindent{\ \ \ \ \ }{\isasymLongrightarrow}\ Q\ {\isacharparenleft}while\ b\ c\ s{\isacharparenright}%
103.259 +\end{isabelle} \isa{P} needs to be true of
103.260 +the initial state \isa{s} and invariant under \isa{c} (premises 1
103.261 +and~2). The post-condition \isa{Q} must become true when leaving the loop
103.262 +(premise~3). And each loop iteration must descend along a well-founded
103.263 +relation \isa{r} (premises 4 and~5).
103.264 +
103.265 +Let us now prove that \isa{find{\isadigit{2}}} does indeed find a fixed point. Instead
103.266 +of induction we apply the above while rule, suitably instantiated.
103.267 +Only the final premise of \isa{while{\isacharunderscore}rule} is left unproved
103.268 +by \isa{auto} but falls to \isa{simp}:%
103.269 +\end{isamarkuptext}%
103.270 +\isamarkuptrue%
103.271 +\isacommand{lemma}\isamarkupfalse%
103.272 +\ lem{\isacharcolon}\ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymLongrightarrow}\isanewline
103.273 +\ \ {\isasymexists}y{\isachardot}\ while\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isasymnoteq}\ x{\isacharparenright}\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ {\isacharparenleft}x{\isacharprime}{\isacharcomma}f\ x{\isacharprime}{\isacharparenright}{\isacharparenright}\ {\isacharparenleft}x{\isacharcomma}f\ x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}y{\isacharcomma}y{\isacharparenright}\ {\isasymand}\isanewline
103.274 +\ \ \ \ \ \ \ f\ y\ {\isacharequal}\ y{\isachardoublequoteclose}\isanewline
103.275 +%
103.276 +\isadelimproof
103.277 +%
103.278 +\endisadelimproof
103.279 +%
103.280 +\isatagproof
103.281 +\isacommand{apply}\isamarkupfalse%
103.282 +{\isacharparenleft}rule{\isacharunderscore}tac\ P\ {\isacharequal}\ {\isachardoublequoteopen}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isacharequal}\ f\ x{\isachardoublequoteclose}\ \isakeyword{and}\isanewline
103.283 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ r\ {\isacharequal}\ {\isachardoublequoteopen}inv{\isacharunderscore}image\ {\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ fst{\isachardoublequoteclose}\ \isakeyword{in}\ while{\isacharunderscore}rule{\isacharparenright}\isanewline
103.284 +\isacommand{apply}\isamarkupfalse%
103.285 +\ auto\isanewline
103.286 +\isacommand{apply}\isamarkupfalse%
103.287 +{\isacharparenleft}simp\ add{\isacharcolon}\ inv{\isacharunderscore}image{\isacharunderscore}def\ step{\isadigit{1}}{\isacharunderscore}def{\isacharparenright}\isanewline
103.288 +\isacommand{done}\isamarkupfalse%
103.289 +%
103.290 +\endisatagproof
103.291 +{\isafoldproof}%
103.292 +%
103.293 +\isadelimproof
103.294 +%
103.295 +\endisadelimproof
103.296 +%
103.297 +\begin{isamarkuptext}%
103.298 +The theorem itself is a simple consequence of this lemma:%
103.299 +\end{isamarkuptext}%
103.300 +\isamarkuptrue%
103.301 +\isacommand{theorem}\isamarkupfalse%
103.302 +\ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymLongrightarrow}\ f{\isacharparenleft}find{\isadigit{2}}\ f\ x{\isacharparenright}\ {\isacharequal}\ find{\isadigit{2}}\ f\ x{\isachardoublequoteclose}\isanewline
103.303 +%
103.304 +\isadelimproof
103.305 +%
103.306 +\endisadelimproof
103.307 +%
103.308 +\isatagproof
103.309 +\isacommand{apply}\isamarkupfalse%
103.310 +{\isacharparenleft}drule{\isacharunderscore}tac\ x\ {\isacharequal}\ x\ \isakeyword{in}\ lem{\isacharparenright}\isanewline
103.311 +\isacommand{apply}\isamarkupfalse%
103.312 +{\isacharparenleft}auto\ simp\ add{\isacharcolon}\ find{\isadigit{2}}{\isacharunderscore}def{\isacharparenright}\isanewline
103.313 +\isacommand{done}\isamarkupfalse%
103.314 +%
103.315 +\endisatagproof
103.316 +{\isafoldproof}%
103.317 +%
103.318 +\isadelimproof
103.319 +%
103.320 +\endisadelimproof
103.321 +%
103.322 +\begin{isamarkuptext}%
103.323 +Let us conclude this section on partial functions by a
103.324 +discussion of the merits of the \isa{while} combinator. We have
103.325 +already seen that the advantage of not having to
103.326 +provide a termination argument when defining a function via \isa{while} merely puts off the evil hour. On top of that, tail recursive
103.327 +functions tend to be more complicated to reason about. So why use
103.328 +\isa{while} at all? The only reason is executability: the recursion
103.329 +equation for \isa{while} is a directly executable functional
103.330 +program. This is in stark contrast to guarded recursion as introduced
103.331 +above which requires an explicit test \isa{x\ {\isasymin}\ dom\ f} in the
103.332 +function body. Unless \isa{dom} is trivial, this leads to a
103.333 +definition that is impossible to execute or prohibitively slow.
103.334 +Thus, if you are aiming for an efficiently executable definition
103.335 +of a partial function, you are likely to need \isa{while}.%
103.336 +\end{isamarkuptext}%
103.337 +\isamarkuptrue%
103.338 +%
103.339 +\isadelimtheory
103.340 +%
103.341 +\endisadelimtheory
103.342 +%
103.343 +\isatagtheory
103.344 +%
103.345 +\endisatagtheory
103.346 +{\isafoldtheory}%
103.347 +%
103.348 +\isadelimtheory
103.349 +%
103.350 +\endisadelimtheory
103.351 +\end{isabellebody}%
103.352 +%%% Local Variables:
103.353 +%%% mode: latex
103.354 +%%% TeX-master: "root"
103.355 +%%% End:
104.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
104.2 +++ b/doc-src/TutorialI/document/Plus.tex Thu Jul 26 19:59:06 2012 +0200
104.3 @@ -0,0 +1,74 @@
104.4 +%
104.5 +\begin{isabellebody}%
104.6 +\def\isabellecontext{Plus}%
104.7 +%
104.8 +\isadelimtheory
104.9 +%
104.10 +\endisadelimtheory
104.11 +%
104.12 +\isatagtheory
104.13 +%
104.14 +\endisatagtheory
104.15 +{\isafoldtheory}%
104.16 +%
104.17 +\isadelimtheory
104.18 +%
104.19 +\endisadelimtheory
104.20 +%
104.21 +\begin{isamarkuptext}%
104.22 +\noindent Define the following addition function%
104.23 +\end{isamarkuptext}%
104.24 +\isamarkuptrue%
104.25 +\isacommand{primrec}\isamarkupfalse%
104.26 +\ add\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
104.27 +{\isaliteral{22}{\isachardoublequoteopen}}add\ m\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
104.28 +{\isaliteral{22}{\isachardoublequoteopen}}add\ m\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ add\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}\ n{\isaliteral{22}{\isachardoublequoteclose}}%
104.29 +\begin{isamarkuptext}%
104.30 +\noindent and prove%
104.31 +\end{isamarkuptext}%
104.32 +\isamarkuptrue%
104.33 +%
104.34 +\isadelimproof
104.35 +%
104.36 +\endisadelimproof
104.37 +%
104.38 +\isatagproof
104.39 +%
104.40 +\endisatagproof
104.41 +{\isafoldproof}%
104.42 +%
104.43 +\isadelimproof
104.44 +%
104.45 +\endisadelimproof
104.46 +\isacommand{lemma}\isamarkupfalse%
104.47 +\ {\isaliteral{22}{\isachardoublequoteopen}}add\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{2B}{\isacharplus}}n{\isaliteral{22}{\isachardoublequoteclose}}%
104.48 +\isadelimproof
104.49 +%
104.50 +\endisadelimproof
104.51 +%
104.52 +\isatagproof
104.53 +%
104.54 +\endisatagproof
104.55 +{\isafoldproof}%
104.56 +%
104.57 +\isadelimproof
104.58 +%
104.59 +\endisadelimproof
104.60 +%
104.61 +\isadelimtheory
104.62 +%
104.63 +\endisadelimtheory
104.64 +%
104.65 +\isatagtheory
104.66 +%
104.67 +\endisatagtheory
104.68 +{\isafoldtheory}%
104.69 +%
104.70 +\isadelimtheory
104.71 +%
104.72 +\endisadelimtheory
104.73 +\end{isabellebody}%
104.74 +%%% Local Variables:
104.75 +%%% mode: latex
104.76 +%%% TeX-master: "root"
104.77 +%%% End:
105.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
105.2 +++ b/doc-src/TutorialI/document/Public.tex Thu Jul 26 19:59:06 2012 +0200
105.3 @@ -0,0 +1,321 @@
105.4 +%
105.5 +\begin{isabellebody}%
105.6 +\def\isabellecontext{Public}%
105.7 +%
105.8 +\isadelimtheory
105.9 +%
105.10 +\endisadelimtheory
105.11 +%
105.12 +\isatagtheory
105.13 +%
105.14 +\endisatagtheory
105.15 +{\isafoldtheory}%
105.16 +%
105.17 +\isadelimtheory
105.18 +%
105.19 +\endisadelimtheory
105.20 +%
105.21 +\begin{isamarkuptext}%
105.22 +The function
105.23 +\isa{pubK} maps agents to their public keys. The function
105.24 +\isa{priK} maps agents to their private keys. It is merely
105.25 +an abbreviation (cf.\ \S\ref{sec:abbreviations}) defined in terms of
105.26 +\isa{invKey} and \isa{pubK}.%
105.27 +\end{isamarkuptext}%
105.28 +\isamarkuptrue%
105.29 +\isacommand{consts}\isamarkupfalse%
105.30 +\ pubK\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}agent\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ key{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
105.31 +\isacommand{abbreviation}\isamarkupfalse%
105.32 +\ priK\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}agent\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ key{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
105.33 +\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}priK\ x\ \ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ \ invKey{\isaliteral{28}{\isacharparenleft}}pubK\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
105.34 +\begin{isamarkuptext}%
105.35 +\noindent
105.36 +The set \isa{bad} consists of those agents whose private keys are known to
105.37 +the spy.
105.38 +
105.39 +Two axioms are asserted about the public-key cryptosystem.
105.40 +No two agents have the same public key, and no private key equals
105.41 +any public key.%
105.42 +\end{isamarkuptext}%
105.43 +\isamarkuptrue%
105.44 +\isacommand{axioms}\isamarkupfalse%
105.45 +\isanewline
105.46 +\ \ inj{\isaliteral{5F}{\isacharunderscore}}pubK{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}inj\ pubK{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
105.47 +\ \ priK{\isaliteral{5F}{\isacharunderscore}}neq{\isaliteral{5F}{\isacharunderscore}}pubK{\isaliteral{3A}{\isacharcolon}}\ \ \ {\isaliteral{22}{\isachardoublequoteopen}}priK\ A\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ pubK\ B{\isaliteral{22}{\isachardoublequoteclose}}%
105.48 +\isadelimproof
105.49 +%
105.50 +\endisadelimproof
105.51 +%
105.52 +\isatagproof
105.53 +%
105.54 +\endisatagproof
105.55 +{\isafoldproof}%
105.56 +%
105.57 +\isadelimproof
105.58 +%
105.59 +\endisadelimproof
105.60 +%
105.61 +\isadelimproof
105.62 +%
105.63 +\endisadelimproof
105.64 +%
105.65 +\isatagproof
105.66 +%
105.67 +\endisatagproof
105.68 +{\isafoldproof}%
105.69 +%
105.70 +\isadelimproof
105.71 +%
105.72 +\endisadelimproof
105.73 +%
105.74 +\isadelimproof
105.75 +%
105.76 +\endisadelimproof
105.77 +%
105.78 +\isatagproof
105.79 +%
105.80 +\endisatagproof
105.81 +{\isafoldproof}%
105.82 +%
105.83 +\isadelimproof
105.84 +%
105.85 +\endisadelimproof
105.86 +%
105.87 +\isadelimproof
105.88 +%
105.89 +\endisadelimproof
105.90 +%
105.91 +\isatagproof
105.92 +%
105.93 +\endisatagproof
105.94 +{\isafoldproof}%
105.95 +%
105.96 +\isadelimproof
105.97 +%
105.98 +\endisadelimproof
105.99 +%
105.100 +\isadelimproof
105.101 +%
105.102 +\endisadelimproof
105.103 +%
105.104 +\isatagproof
105.105 +%
105.106 +\endisatagproof
105.107 +{\isafoldproof}%
105.108 +%
105.109 +\isadelimproof
105.110 +%
105.111 +\endisadelimproof
105.112 +%
105.113 +\isadelimproof
105.114 +%
105.115 +\endisadelimproof
105.116 +%
105.117 +\isatagproof
105.118 +%
105.119 +\endisatagproof
105.120 +{\isafoldproof}%
105.121 +%
105.122 +\isadelimproof
105.123 +%
105.124 +\endisadelimproof
105.125 +%
105.126 +\isadelimproof
105.127 +%
105.128 +\endisadelimproof
105.129 +%
105.130 +\isatagproof
105.131 +%
105.132 +\endisatagproof
105.133 +{\isafoldproof}%
105.134 +%
105.135 +\isadelimproof
105.136 +%
105.137 +\endisadelimproof
105.138 +%
105.139 +\isadelimproof
105.140 +%
105.141 +\endisadelimproof
105.142 +%
105.143 +\isatagproof
105.144 +%
105.145 +\endisatagproof
105.146 +{\isafoldproof}%
105.147 +%
105.148 +\isadelimproof
105.149 +%
105.150 +\endisadelimproof
105.151 +%
105.152 +\isadelimproof
105.153 +%
105.154 +\endisadelimproof
105.155 +%
105.156 +\isatagproof
105.157 +%
105.158 +\endisatagproof
105.159 +{\isafoldproof}%
105.160 +%
105.161 +\isadelimproof
105.162 +%
105.163 +\endisadelimproof
105.164 +%
105.165 +\isadelimproof
105.166 +%
105.167 +\endisadelimproof
105.168 +%
105.169 +\isatagproof
105.170 +%
105.171 +\endisatagproof
105.172 +{\isafoldproof}%
105.173 +%
105.174 +\isadelimproof
105.175 +%
105.176 +\endisadelimproof
105.177 +%
105.178 +\isadelimproof
105.179 +%
105.180 +\endisadelimproof
105.181 +%
105.182 +\isatagproof
105.183 +%
105.184 +\endisatagproof
105.185 +{\isafoldproof}%
105.186 +%
105.187 +\isadelimproof
105.188 +%
105.189 +\endisadelimproof
105.190 +%
105.191 +\isadelimproof
105.192 +%
105.193 +\endisadelimproof
105.194 +%
105.195 +\isatagproof
105.196 +%
105.197 +\endisatagproof
105.198 +{\isafoldproof}%
105.199 +%
105.200 +\isadelimproof
105.201 +%
105.202 +\endisadelimproof
105.203 +%
105.204 +\isadelimproof
105.205 +%
105.206 +\endisadelimproof
105.207 +%
105.208 +\isatagproof
105.209 +%
105.210 +\endisatagproof
105.211 +{\isafoldproof}%
105.212 +%
105.213 +\isadelimproof
105.214 +%
105.215 +\endisadelimproof
105.216 +%
105.217 +\isadelimproof
105.218 +%
105.219 +\endisadelimproof
105.220 +%
105.221 +\isatagproof
105.222 +%
105.223 +\endisatagproof
105.224 +{\isafoldproof}%
105.225 +%
105.226 +\isadelimproof
105.227 +%
105.228 +\endisadelimproof
105.229 +%
105.230 +\isadelimproof
105.231 +%
105.232 +\endisadelimproof
105.233 +%
105.234 +\isatagproof
105.235 +%
105.236 +\endisatagproof
105.237 +{\isafoldproof}%
105.238 +%
105.239 +\isadelimproof
105.240 +%
105.241 +\endisadelimproof
105.242 +%
105.243 +\isadelimproof
105.244 +%
105.245 +\endisadelimproof
105.246 +%
105.247 +\isatagproof
105.248 +%
105.249 +\endisatagproof
105.250 +{\isafoldproof}%
105.251 +%
105.252 +\isadelimproof
105.253 +%
105.254 +\endisadelimproof
105.255 +%
105.256 +\isadelimproof
105.257 +%
105.258 +\endisadelimproof
105.259 +%
105.260 +\isatagproof
105.261 +%
105.262 +\endisatagproof
105.263 +{\isafoldproof}%
105.264 +%
105.265 +\isadelimproof
105.266 +%
105.267 +\endisadelimproof
105.268 +%
105.269 +\isadelimproof
105.270 +%
105.271 +\endisadelimproof
105.272 +%
105.273 +\isatagproof
105.274 +%
105.275 +\endisatagproof
105.276 +{\isafoldproof}%
105.277 +%
105.278 +\isadelimproof
105.279 +%
105.280 +\endisadelimproof
105.281 +%
105.282 +\isadelimproof
105.283 +%
105.284 +\endisadelimproof
105.285 +%
105.286 +\isatagproof
105.287 +%
105.288 +\endisatagproof
105.289 +{\isafoldproof}%
105.290 +%
105.291 +\isadelimproof
105.292 +%
105.293 +\endisadelimproof
105.294 +%
105.295 +\isadelimML
105.296 +%
105.297 +\endisadelimML
105.298 +%
105.299 +\isatagML
105.300 +%
105.301 +\endisatagML
105.302 +{\isafoldML}%
105.303 +%
105.304 +\isadelimML
105.305 +%
105.306 +\endisadelimML
105.307 +%
105.308 +\isadelimtheory
105.309 +%
105.310 +\endisadelimtheory
105.311 +%
105.312 +\isatagtheory
105.313 +%
105.314 +\endisatagtheory
105.315 +{\isafoldtheory}%
105.316 +%
105.317 +\isadelimtheory
105.318 +%
105.319 +\endisadelimtheory
105.320 +\end{isabellebody}%
105.321 +%%% Local Variables:
105.322 +%%% mode: latex
105.323 +%%% TeX-master: "root"
105.324 +%%% End:
106.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
106.2 +++ b/doc-src/TutorialI/document/Records.tex Thu Jul 26 19:59:06 2012 +0200
106.3 @@ -0,0 +1,665 @@
106.4 +%
106.5 +\begin{isabellebody}%
106.6 +\def\isabellecontext{Records}%
106.7 +%
106.8 +\isamarkupheader{Records \label{sec:records}%
106.9 +}
106.10 +\isamarkuptrue%
106.11 +%
106.12 +\isadelimtheory
106.13 +%
106.14 +\endisadelimtheory
106.15 +%
106.16 +\isatagtheory
106.17 +%
106.18 +\endisatagtheory
106.19 +{\isafoldtheory}%
106.20 +%
106.21 +\isadelimtheory
106.22 +%
106.23 +\endisadelimtheory
106.24 +%
106.25 +\begin{isamarkuptext}%
106.26 +\index{records|(}%
106.27 + Records are familiar from programming languages. A record of $n$
106.28 + fields is essentially an $n$-tuple, but the record's components have
106.29 + names, which can make expressions easier to read and reduces the
106.30 + risk of confusing one field for another.
106.31 +
106.32 + A record of Isabelle/HOL covers a collection of fields, with select
106.33 + and update operations. Each field has a specified type, which may
106.34 + be polymorphic. The field names are part of the record type, and
106.35 + the order of the fields is significant --- as it is in Pascal but
106.36 + not in Standard ML. If two different record types have field names
106.37 + in common, then the ambiguity is resolved in the usual way, by
106.38 + qualified names.
106.39 +
106.40 + Record types can also be defined by extending other record types.
106.41 + Extensible records make use of the reserved pseudo-field \cdx{more},
106.42 + which is present in every record type. Generic record operations
106.43 + work on all possible extensions of a given type scheme; polymorphism
106.44 + takes care of structural sub-typing behind the scenes. There are
106.45 + also explicit coercion functions between fixed record types.%
106.46 +\end{isamarkuptext}%
106.47 +\isamarkuptrue%
106.48 +%
106.49 +\isamarkupsubsection{Record Basics%
106.50 +}
106.51 +\isamarkuptrue%
106.52 +%
106.53 +\begin{isamarkuptext}%
106.54 +Record types are not primitive in Isabelle and have a delicate
106.55 + internal representation \cite{NaraschewskiW-TPHOLs98}, based on
106.56 + nested copies of the primitive product type. A \commdx{record}
106.57 + declaration introduces a new record type scheme by specifying its
106.58 + fields, which are packaged internally to hold up the perception of
106.59 + the record as a distinguished entity. Here is a simple example:%
106.60 +\end{isamarkuptext}%
106.61 +\isamarkuptrue%
106.62 +\isacommand{record}\isamarkupfalse%
106.63 +\ point\ {\isaliteral{3D}{\isacharequal}}\isanewline
106.64 +\ \ Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int\isanewline
106.65 +\ \ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int%
106.66 +\begin{isamarkuptext}%
106.67 +\noindent
106.68 + Records of type \isa{point} have two fields named \isa{Xcoord}
106.69 + and \isa{Ycoord}, both of type~\isa{int}. We now define a
106.70 + constant of type \isa{point}:%
106.71 +\end{isamarkuptext}%
106.72 +\isamarkuptrue%
106.73 +\isacommand{definition}\isamarkupfalse%
106.74 +\ pt{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ point\ \isakeyword{where}\isanewline
106.75 +{\isaliteral{22}{\isachardoublequoteopen}}pt{\isadigit{1}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{7C}{\isacharbar}}\ Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}{\isadigit{3}}\ {\isaliteral{7C}{\isacharbar}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
106.76 +\begin{isamarkuptext}%
106.77 +\noindent
106.78 + We see above the ASCII notation for record brackets. You can also
106.79 + use the symbolic brackets \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}} and \isa{{\isaliteral{5C3C72706172723E}{\isasymrparr}}}. Record type
106.80 + expressions can be also written directly with individual fields.
106.81 + The type name above is merely an abbreviation.%
106.82 +\end{isamarkuptext}%
106.83 +\isamarkuptrue%
106.84 +\isacommand{definition}\isamarkupfalse%
106.85 +\ pt{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
106.86 +{\isaliteral{22}{\isachardoublequoteopen}}pt{\isadigit{2}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2D}{\isacharminus}}{\isadigit{4}}{\isadigit{5}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{7}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
106.87 +\begin{isamarkuptext}%
106.88 +For each field, there is a \emph{selector}\index{selector!record}
106.89 + function of the same name. For example, if \isa{p} has type \isa{point} then \isa{Xcoord\ p} denotes the value of the \isa{Xcoord} field of~\isa{p}. Expressions involving field selection
106.90 + of explicit records are simplified automatically:%
106.91 +\end{isamarkuptext}%
106.92 +\isamarkuptrue%
106.93 +\isacommand{lemma}\isamarkupfalse%
106.94 +\ {\isaliteral{22}{\isachardoublequoteopen}}Xcoord\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.95 +%
106.96 +\isadelimproof
106.97 +\ \ %
106.98 +\endisadelimproof
106.99 +%
106.100 +\isatagproof
106.101 +\isacommand{by}\isamarkupfalse%
106.102 +\ simp%
106.103 +\endisatagproof
106.104 +{\isafoldproof}%
106.105 +%
106.106 +\isadelimproof
106.107 +%
106.108 +\endisadelimproof
106.109 +%
106.110 +\begin{isamarkuptext}%
106.111 +The \emph{update}\index{update!record} operation is functional. For
106.112 + example, \isa{p{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}} is a record whose \isa{Xcoord}
106.113 + value is zero and whose \isa{Ycoord} value is copied from~\isa{p}. Updates of explicit records are also simplified automatically:%
106.114 +\end{isamarkuptext}%
106.115 +\isamarkuptrue%
106.116 +\isacommand{lemma}\isamarkupfalse%
106.117 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
106.118 +\ \ \ \ \ \ \ \ \ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.119 +%
106.120 +\isadelimproof
106.121 +\ \ %
106.122 +\endisadelimproof
106.123 +%
106.124 +\isatagproof
106.125 +\isacommand{by}\isamarkupfalse%
106.126 +\ simp%
106.127 +\endisatagproof
106.128 +{\isafoldproof}%
106.129 +%
106.130 +\isadelimproof
106.131 +%
106.132 +\endisadelimproof
106.133 +%
106.134 +\begin{isamarkuptext}%
106.135 +\begin{warn}
106.136 + Field names are declared as constants and can no longer be used as
106.137 + variables. It would be unwise, for example, to call the fields of
106.138 + type \isa{point} simply \isa{x} and~\isa{y}.
106.139 + \end{warn}%
106.140 +\end{isamarkuptext}%
106.141 +\isamarkuptrue%
106.142 +%
106.143 +\isamarkupsubsection{Extensible Records and Generic Operations%
106.144 +}
106.145 +\isamarkuptrue%
106.146 +%
106.147 +\begin{isamarkuptext}%
106.148 +\index{records!extensible|(}%
106.149 +
106.150 + Now, let us define coloured points (type \isa{cpoint}) to be
106.151 + points extended with a field \isa{col} of type \isa{colour}:%
106.152 +\end{isamarkuptext}%
106.153 +\isamarkuptrue%
106.154 +\isacommand{datatype}\isamarkupfalse%
106.155 +\ colour\ {\isaliteral{3D}{\isacharequal}}\ Red\ {\isaliteral{7C}{\isacharbar}}\ Green\ {\isaliteral{7C}{\isacharbar}}\ Blue\isanewline
106.156 +\isanewline
106.157 +\isacommand{record}\isamarkupfalse%
106.158 +\ cpoint\ {\isaliteral{3D}{\isacharequal}}\ point\ {\isaliteral{2B}{\isacharplus}}\isanewline
106.159 +\ \ col\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ colour%
106.160 +\begin{isamarkuptext}%
106.161 +\noindent
106.162 + The fields of this new type are \isa{Xcoord}, \isa{Ycoord} and
106.163 + \isa{col}, in that order.%
106.164 +\end{isamarkuptext}%
106.165 +\isamarkuptrue%
106.166 +\isacommand{definition}\isamarkupfalse%
106.167 +\ cpt{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ cpoint\ \isakeyword{where}\isanewline
106.168 +{\isaliteral{22}{\isachardoublequoteopen}}cpt{\isadigit{1}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}{\isadigit{3}}{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ Green{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
106.169 +\begin{isamarkuptext}%
106.170 +We can define generic operations that work on arbitrary
106.171 + instances of a record scheme, e.g.\ covering \isa{point}, \isa{cpoint}, and any further extensions. Every record structure has an
106.172 + implicit pseudo-field, \cdx{more}, that keeps the extension as an
106.173 + explicit value. Its type is declared as completely
106.174 + polymorphic:~\isa{{\isaliteral{27}{\isacharprime}}a}. When a fixed record value is expressed
106.175 + using just its standard fields, the value of \isa{more} is
106.176 + implicitly set to \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{29}{\isacharparenright}}}, the empty tuple, which has type
106.177 + \isa{unit}. Within the record brackets, you can refer to the
106.178 + \isa{more} field by writing ``\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}'' (three dots):%
106.179 +\end{isamarkuptext}%
106.180 +\isamarkuptrue%
106.181 +\isacommand{lemma}\isamarkupfalse%
106.182 +\ {\isaliteral{22}{\isachardoublequoteopen}}Xcoord\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.183 +%
106.184 +\isadelimproof
106.185 +\ \ %
106.186 +\endisadelimproof
106.187 +%
106.188 +\isatagproof
106.189 +\isacommand{by}\isamarkupfalse%
106.190 +\ simp%
106.191 +\endisatagproof
106.192 +{\isafoldproof}%
106.193 +%
106.194 +\isadelimproof
106.195 +%
106.196 +\endisadelimproof
106.197 +%
106.198 +\begin{isamarkuptext}%
106.199 +This lemma applies to any record whose first two fields are \isa{Xcoord} and~\isa{Ycoord}. Note that \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}} is exactly the same as \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}}. Selectors and updates are always polymorphic wrt.\ the
106.200 + \isa{more} part of a record scheme, its value is just ignored (for
106.201 + select) or copied (for update).
106.202 +
106.203 + The \isa{more} pseudo-field may be manipulated directly as well,
106.204 + but the identifier needs to be qualified:%
106.205 +\end{isamarkuptext}%
106.206 +\isamarkuptrue%
106.207 +\isacommand{lemma}\isamarkupfalse%
106.208 +\ {\isaliteral{22}{\isachardoublequoteopen}}point{\isaliteral{2E}{\isachardot}}more\ cpt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3D}{\isacharequal}}\ Green{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.209 +%
106.210 +\isadelimproof
106.211 +\ \ %
106.212 +\endisadelimproof
106.213 +%
106.214 +\isatagproof
106.215 +\isacommand{by}\isamarkupfalse%
106.216 +\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ cpt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
106.217 +\endisatagproof
106.218 +{\isafoldproof}%
106.219 +%
106.220 +\isadelimproof
106.221 +%
106.222 +\endisadelimproof
106.223 +%
106.224 +\begin{isamarkuptext}%
106.225 +\noindent
106.226 + We see that the colour part attached to this \isa{point} is a
106.227 + rudimentary record in its own right, namely \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3D}{\isacharequal}}\ Green{\isaliteral{5C3C72706172723E}{\isasymrparr}}}. In order to select or update \isa{col}, this fragment
106.228 + needs to be put back into the context of the parent type scheme, say
106.229 + as \isa{more} part of another \isa{point}.
106.230 +
106.231 + To define generic operations, we need to know a bit more about
106.232 + records. Our definition of \isa{point} above has generated two
106.233 + type abbreviations:
106.234 +
106.235 + \medskip
106.236 + \begin{tabular}{l}
106.237 + \isa{point}~\isa{{\isaliteral{3D}{\isacharequal}}}~\isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{5C3C72706172723E}{\isasymrparr}}} \\
106.238 + \isa{{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme}~\isa{{\isaliteral{3D}{\isacharequal}}}~\isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C72706172723E}{\isasymrparr}}} \\
106.239 + \end{tabular}
106.240 + \medskip
106.241 +
106.242 +\noindent
106.243 + Type \isa{point} is for fixed records having exactly the two fields
106.244 + \isa{Xcoord} and~\isa{Ycoord}, while the polymorphic type \isa{{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme} comprises all possible extensions to those two
106.245 + fields. Note that \isa{unit\ point{\isaliteral{5F}{\isacharunderscore}}scheme} coincides with \isa{point}, and \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ colour{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ point{\isaliteral{5F}{\isacharunderscore}}scheme} with \isa{cpoint}.
106.246 +
106.247 + In the following example we define two operations --- methods, if we
106.248 + regard records as objects --- to get and set any point's \isa{Xcoord} field.%
106.249 +\end{isamarkuptext}%
106.250 +\isamarkuptrue%
106.251 +\isacommand{definition}\isamarkupfalse%
106.252 +\ getX\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
106.253 +{\isaliteral{22}{\isachardoublequoteopen}}getX\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Xcoord\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.254 +\isacommand{definition}\isamarkupfalse%
106.255 +\ setX\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
106.256 +{\isaliteral{22}{\isachardoublequoteopen}}setX\ r\ a\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
106.257 +\begin{isamarkuptext}%
106.258 +Here is a generic method that modifies a point, incrementing its
106.259 + \isa{Xcoord} field. The \isa{Ycoord} and \isa{more} fields
106.260 + are copied across. It works for any record type scheme derived from
106.261 + \isa{point} (including \isa{cpoint} etc.):%
106.262 +\end{isamarkuptext}%
106.263 +\isamarkuptrue%
106.264 +\isacommand{definition}\isamarkupfalse%
106.265 +\ incX\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
106.266 +{\isaliteral{22}{\isachardoublequoteopen}}incX\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
106.267 +\ \ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ point{\isaliteral{2E}{\isachardot}}more\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
106.268 +\begin{isamarkuptext}%
106.269 +Generic theorems can be proved about generic methods. This trivial
106.270 + lemma relates \isa{incX} to \isa{getX} and \isa{setX}:%
106.271 +\end{isamarkuptext}%
106.272 +\isamarkuptrue%
106.273 +\isacommand{lemma}\isamarkupfalse%
106.274 +\ {\isaliteral{22}{\isachardoublequoteopen}}incX\ r\ {\isaliteral{3D}{\isacharequal}}\ setX\ r\ {\isaliteral{28}{\isacharparenleft}}getX\ r\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.275 +%
106.276 +\isadelimproof
106.277 +\ \ %
106.278 +\endisadelimproof
106.279 +%
106.280 +\isatagproof
106.281 +\isacommand{by}\isamarkupfalse%
106.282 +\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ getX{\isaliteral{5F}{\isacharunderscore}}def\ setX{\isaliteral{5F}{\isacharunderscore}}def\ incX{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
106.283 +\endisatagproof
106.284 +{\isafoldproof}%
106.285 +%
106.286 +\isadelimproof
106.287 +%
106.288 +\endisadelimproof
106.289 +%
106.290 +\begin{isamarkuptext}%
106.291 +\begin{warn}
106.292 + If you use the symbolic record brackets \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}} and \isa{{\isaliteral{5C3C72706172723E}{\isasymrparr}}},
106.293 + then you must also use the symbolic ellipsis, ``\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}'', rather
106.294 + than three consecutive periods, ``\isa{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}''. Mixing the ASCII
106.295 + and symbolic versions causes a syntax error. (The two versions are
106.296 + more distinct on screen than they are on paper.)
106.297 + \end{warn}%
106.298 + \index{records!extensible|)}%
106.299 +\end{isamarkuptext}%
106.300 +\isamarkuptrue%
106.301 +%
106.302 +\isamarkupsubsection{Record Equality%
106.303 +}
106.304 +\isamarkuptrue%
106.305 +%
106.306 +\begin{isamarkuptext}%
106.307 +Two records are equal\index{equality!of records} if all pairs of
106.308 + corresponding fields are equal. Concrete record equalities are
106.309 + simplified automatically:%
106.310 +\end{isamarkuptext}%
106.311 +\isamarkuptrue%
106.312 +\isacommand{lemma}\isamarkupfalse%
106.313 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
106.314 +\ \ \ \ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ b\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.315 +%
106.316 +\isadelimproof
106.317 +\ \ %
106.318 +\endisadelimproof
106.319 +%
106.320 +\isatagproof
106.321 +\isacommand{by}\isamarkupfalse%
106.322 +\ simp%
106.323 +\endisatagproof
106.324 +{\isafoldproof}%
106.325 +%
106.326 +\isadelimproof
106.327 +%
106.328 +\endisadelimproof
106.329 +%
106.330 +\begin{isamarkuptext}%
106.331 +The following equality is similar, but generic, in that \isa{r}
106.332 + can be any instance of \isa{{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme}:%
106.333 +\end{isamarkuptext}%
106.334 +\isamarkuptrue%
106.335 +\isacommand{lemma}\isamarkupfalse%
106.336 +\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{2C}{\isacharcomma}}\ Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.337 +%
106.338 +\isadelimproof
106.339 +\ \ %
106.340 +\endisadelimproof
106.341 +%
106.342 +\isatagproof
106.343 +\isacommand{by}\isamarkupfalse%
106.344 +\ simp%
106.345 +\endisatagproof
106.346 +{\isafoldproof}%
106.347 +%
106.348 +\isadelimproof
106.349 +%
106.350 +\endisadelimproof
106.351 +%
106.352 +\begin{isamarkuptext}%
106.353 +\noindent
106.354 + We see above the syntax for iterated updates. We could equivalently
106.355 + have written the left-hand side as \isa{r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}}.
106.356 +
106.357 + Record equality is \emph{extensional}:
106.358 + \index{extensionality!for records} a record is determined entirely
106.359 + by the values of its fields.%
106.360 +\end{isamarkuptext}%
106.361 +\isamarkuptrue%
106.362 +\isacommand{lemma}\isamarkupfalse%
106.363 +\ {\isaliteral{22}{\isachardoublequoteopen}}r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.364 +%
106.365 +\isadelimproof
106.366 +\ \ %
106.367 +\endisadelimproof
106.368 +%
106.369 +\isatagproof
106.370 +\isacommand{by}\isamarkupfalse%
106.371 +\ simp%
106.372 +\endisatagproof
106.373 +{\isafoldproof}%
106.374 +%
106.375 +\isadelimproof
106.376 +%
106.377 +\endisadelimproof
106.378 +%
106.379 +\begin{isamarkuptext}%
106.380 +\noindent
106.381 + The generic version of this equality includes the pseudo-field
106.382 + \isa{more}:%
106.383 +\end{isamarkuptext}%
106.384 +\isamarkuptrue%
106.385 +\isacommand{lemma}\isamarkupfalse%
106.386 +\ {\isaliteral{22}{\isachardoublequoteopen}}r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ point{\isaliteral{2E}{\isachardot}}more\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.387 +%
106.388 +\isadelimproof
106.389 +\ \ %
106.390 +\endisadelimproof
106.391 +%
106.392 +\isatagproof
106.393 +\isacommand{by}\isamarkupfalse%
106.394 +\ simp%
106.395 +\endisatagproof
106.396 +{\isafoldproof}%
106.397 +%
106.398 +\isadelimproof
106.399 +%
106.400 +\endisadelimproof
106.401 +%
106.402 +\begin{isamarkuptext}%
106.403 +The simplifier can prove many record equalities
106.404 + automatically, but general equality reasoning can be tricky.
106.405 + Consider proving this obvious fact:%
106.406 +\end{isamarkuptext}%
106.407 +\isamarkuptrue%
106.408 +\isacommand{lemma}\isamarkupfalse%
106.409 +\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.410 +%
106.411 +\isadelimproof
106.412 +\ \ %
106.413 +\endisadelimproof
106.414 +%
106.415 +\isatagproof
106.416 +\isacommand{apply}\isamarkupfalse%
106.417 +\ simp{\isaliteral{3F}{\isacharquery}}\isanewline
106.418 +\ \ \isacommand{oops}\isamarkupfalse%
106.419 +%
106.420 +\endisatagproof
106.421 +{\isafoldproof}%
106.422 +%
106.423 +\isadelimproof
106.424 +%
106.425 +\endisadelimproof
106.426 +%
106.427 +\begin{isamarkuptext}%
106.428 +\noindent
106.429 + Here the simplifier can do nothing, since general record equality is
106.430 + not eliminated automatically. One way to proceed is by an explicit
106.431 + forward step that applies the selector \isa{Xcoord} to both sides
106.432 + of the assumed record equality:%
106.433 +\end{isamarkuptext}%
106.434 +\isamarkuptrue%
106.435 +\isacommand{lemma}\isamarkupfalse%
106.436 +\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.437 +%
106.438 +\isadelimproof
106.439 +\ \ %
106.440 +\endisadelimproof
106.441 +%
106.442 +\isatagproof
106.443 +\isacommand{apply}\isamarkupfalse%
106.444 +\ {\isaliteral{28}{\isacharparenleft}}drule{\isaliteral{5F}{\isacharunderscore}}tac\ f\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ \isakeyword{in}\ arg{\isaliteral{5F}{\isacharunderscore}}cong{\isaliteral{29}{\isacharparenright}}%
106.445 +\begin{isamarkuptxt}%
106.446 +\begin{isabelle}%
106.447 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Xcoord\ {\isaliteral{28}{\isacharparenleft}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ {\isaliteral{28}{\isacharparenleft}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}%
106.448 +\end{isabelle}
106.449 + Now, \isa{simp} will reduce the assumption to the desired
106.450 + conclusion.%
106.451 +\end{isamarkuptxt}%
106.452 +\isamarkuptrue%
106.453 +\ \ \isacommand{apply}\isamarkupfalse%
106.454 +\ simp\isanewline
106.455 +\ \ \isacommand{done}\isamarkupfalse%
106.456 +%
106.457 +\endisatagproof
106.458 +{\isafoldproof}%
106.459 +%
106.460 +\isadelimproof
106.461 +%
106.462 +\endisadelimproof
106.463 +%
106.464 +\begin{isamarkuptext}%
106.465 +The \isa{cases} method is preferable to such a forward proof. We
106.466 + state the desired lemma again:%
106.467 +\end{isamarkuptext}%
106.468 +\isamarkuptrue%
106.469 +\isacommand{lemma}\isamarkupfalse%
106.470 +\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}%
106.471 +\isadelimproof
106.472 +%
106.473 +\endisadelimproof
106.474 +%
106.475 +\isatagproof
106.476 +%
106.477 +\begin{isamarkuptxt}%
106.478 +The \methdx{cases} method adds an equality to replace the
106.479 + named record term by an explicit record expression, listing all
106.480 + fields. It even includes the pseudo-field \isa{more}, since the
106.481 + record equality stated here is generic for all extensions.%
106.482 +\end{isamarkuptxt}%
106.483 +\isamarkuptrue%
106.484 +\ \ \isacommand{apply}\isamarkupfalse%
106.485 +\ {\isaliteral{28}{\isacharparenleft}}cases\ r{\isaliteral{29}{\isacharparenright}}%
106.486 +\begin{isamarkuptxt}%
106.487 +\begin{isabelle}%
106.488 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}Xcoord\ Ycoord\ more{\isaliteral{2E}{\isachardot}}\isanewline
106.489 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
106.490 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ more{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
106.491 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}%
106.492 +\end{isabelle} Again, \isa{simp} finishes the proof. Because \isa{r} is now represented as
106.493 + an explicit record construction, the updates can be applied and the
106.494 + record equality can be replaced by equality of the corresponding
106.495 + fields (due to injectivity).%
106.496 +\end{isamarkuptxt}%
106.497 +\isamarkuptrue%
106.498 +\ \ \isacommand{apply}\isamarkupfalse%
106.499 +\ simp\isanewline
106.500 +\ \ \isacommand{done}\isamarkupfalse%
106.501 +%
106.502 +\endisatagproof
106.503 +{\isafoldproof}%
106.504 +%
106.505 +\isadelimproof
106.506 +%
106.507 +\endisadelimproof
106.508 +%
106.509 +\begin{isamarkuptext}%
106.510 +The generic cases method does not admit references to locally bound
106.511 + parameters of a goal. In longer proof scripts one might have to
106.512 + fall back on the primitive \isa{rule{\isaliteral{5F}{\isacharunderscore}}tac} used together with the
106.513 + internal field representation rules of records. The above use of
106.514 + \isa{{\isaliteral{28}{\isacharparenleft}}cases\ r{\isaliteral{29}{\isacharparenright}}} would become \isa{{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ r\ {\isaliteral{3D}{\isacharequal}}\ r\ in\ point{\isaliteral{2E}{\isachardot}}cases{\isaliteral{5F}{\isacharunderscore}}scheme{\isaliteral{29}{\isacharparenright}}}.%
106.515 +\end{isamarkuptext}%
106.516 +\isamarkuptrue%
106.517 +%
106.518 +\isamarkupsubsection{Extending and Truncating Records%
106.519 +}
106.520 +\isamarkuptrue%
106.521 +%
106.522 +\begin{isamarkuptext}%
106.523 +Each record declaration introduces a number of derived operations to
106.524 + refer collectively to a record's fields and to convert between fixed
106.525 + record types. They can, for instance, convert between types \isa{point} and \isa{cpoint}. We can add a colour to a point or convert
106.526 + a \isa{cpoint} to a \isa{point} by forgetting its colour.
106.527 +
106.528 + \begin{itemize}
106.529 +
106.530 + \item Function \cdx{make} takes as arguments all of the record's
106.531 + fields (including those inherited from ancestors). It returns the
106.532 + corresponding record.
106.533 +
106.534 + \item Function \cdx{fields} takes the record's very own fields and
106.535 + returns a record fragment consisting of just those fields. This may
106.536 + be filled into the \isa{more} part of the parent record scheme.
106.537 +
106.538 + \item Function \cdx{extend} takes two arguments: a record to be
106.539 + extended and a record containing the new fields.
106.540 +
106.541 + \item Function \cdx{truncate} takes a record (possibly an extension
106.542 + of the original record type) and returns a fixed record, removing
106.543 + any additional fields.
106.544 +
106.545 + \end{itemize}
106.546 + These functions provide useful abbreviations for standard
106.547 + record expressions involving constructors and selectors. The
106.548 + definitions, which are \emph{not} unfolded by default, are made
106.549 + available by the collective name of \isa{defs} (\isa{point{\isaliteral{2E}{\isachardot}}defs}, \isa{cpoint{\isaliteral{2E}{\isachardot}}defs}, etc.).
106.550 + For example, here are the versions of those functions generated for
106.551 + record \isa{point}. We omit \isa{point{\isaliteral{2E}{\isachardot}}fields}, which happens to
106.552 + be the same as \isa{point{\isaliteral{2E}{\isachardot}}make}.
106.553 +
106.554 + \begin{isabelle}%
106.555 +point{\isaliteral{2E}{\isachardot}}make\ Xcoord\ Ycoord\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
106.556 +point{\isaliteral{2E}{\isachardot}}extend\ r\ more\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
106.557 +{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ more{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
106.558 +point{\isaliteral{2E}{\isachardot}}truncate\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}%
106.559 +\end{isabelle}
106.560 + Contrast those with the corresponding functions for record \isa{cpoint}. Observe \isa{cpoint{\isaliteral{2E}{\isachardot}}fields} in particular.
106.561 + \begin{isabelle}%
106.562 +cpoint{\isaliteral{2E}{\isachardot}}make\ Xcoord\ Ycoord\ col\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
106.563 +{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ col{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
106.564 +cpoint{\isaliteral{2E}{\isachardot}}fields\ col\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3D}{\isacharequal}}\ col{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
106.565 +cpoint{\isaliteral{2E}{\isachardot}}extend\ r\ more\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
106.566 +{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ col\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ more{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
106.567 +cpoint{\isaliteral{2E}{\isachardot}}truncate\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
106.568 +{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ col\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}%
106.569 +\end{isabelle}
106.570 +
106.571 + To demonstrate these functions, we declare a new coloured point by
106.572 + extending an ordinary point. Function \isa{point{\isaliteral{2E}{\isachardot}}extend} augments
106.573 + \isa{pt{\isadigit{1}}} with a colour value, which is converted into an
106.574 + appropriate record fragment by \isa{cpoint{\isaliteral{2E}{\isachardot}}fields}.%
106.575 +\end{isamarkuptext}%
106.576 +\isamarkuptrue%
106.577 +\isacommand{definition}\isamarkupfalse%
106.578 +\ cpt{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ cpoint\ \isakeyword{where}\isanewline
106.579 +{\isaliteral{22}{\isachardoublequoteopen}}cpt{\isadigit{2}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ point{\isaliteral{2E}{\isachardot}}extend\ pt{\isadigit{1}}\ {\isaliteral{28}{\isacharparenleft}}cpoint{\isaliteral{2E}{\isachardot}}fields\ Green{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
106.580 +\begin{isamarkuptext}%
106.581 +The coloured points \isa{cpt{\isadigit{1}}} and \isa{cpt{\isadigit{2}}} are equal. The
106.582 + proof is trivial, by unfolding all the definitions. We deliberately
106.583 + omit the definition of~\isa{pt{\isadigit{1}}} in order to reveal the underlying
106.584 + comparison on type \isa{point}.%
106.585 +\end{isamarkuptext}%
106.586 +\isamarkuptrue%
106.587 +\isacommand{lemma}\isamarkupfalse%
106.588 +\ {\isaliteral{22}{\isachardoublequoteopen}}cpt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ cpt{\isadigit{2}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.589 +%
106.590 +\isadelimproof
106.591 +\ \ %
106.592 +\endisadelimproof
106.593 +%
106.594 +\isatagproof
106.595 +\isacommand{apply}\isamarkupfalse%
106.596 +\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ cpt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def\ cpt{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}def\ point{\isaliteral{2E}{\isachardot}}defs\ cpoint{\isaliteral{2E}{\isachardot}}defs{\isaliteral{29}{\isacharparenright}}%
106.597 +\begin{isamarkuptxt}%
106.598 +\begin{isabelle}%
106.599 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Xcoord\ pt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Ycoord\ pt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}{\isadigit{3}}%
106.600 +\end{isabelle}%
106.601 +\end{isamarkuptxt}%
106.602 +\isamarkuptrue%
106.603 +\ \ \isacommand{apply}\isamarkupfalse%
106.604 +\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ pt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
106.605 +\ \ \isacommand{done}\isamarkupfalse%
106.606 +%
106.607 +\endisatagproof
106.608 +{\isafoldproof}%
106.609 +%
106.610 +\isadelimproof
106.611 +%
106.612 +\endisadelimproof
106.613 +%
106.614 +\begin{isamarkuptext}%
106.615 +In the example below, a coloured point is truncated to leave a
106.616 + point. We use the \isa{truncate} function of the target record.%
106.617 +\end{isamarkuptext}%
106.618 +\isamarkuptrue%
106.619 +\isacommand{lemma}\isamarkupfalse%
106.620 +\ {\isaliteral{22}{\isachardoublequoteopen}}point{\isaliteral{2E}{\isachardot}}truncate\ cpt{\isadigit{2}}\ {\isaliteral{3D}{\isacharequal}}\ pt{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
106.621 +%
106.622 +\isadelimproof
106.623 +\ \ %
106.624 +\endisadelimproof
106.625 +%
106.626 +\isatagproof
106.627 +\isacommand{by}\isamarkupfalse%
106.628 +\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ pt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def\ cpt{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}def\ point{\isaliteral{2E}{\isachardot}}defs{\isaliteral{29}{\isacharparenright}}%
106.629 +\endisatagproof
106.630 +{\isafoldproof}%
106.631 +%
106.632 +\isadelimproof
106.633 +%
106.634 +\endisadelimproof
106.635 +%
106.636 +\begin{isamarkuptext}%
106.637 +\begin{exercise}
106.638 + Extend record \isa{cpoint} to have a further field, \isa{intensity}, of type~\isa{nat}. Experiment with generic operations
106.639 + (using polymorphic selectors and updates) and explicit coercions
106.640 + (using \isa{extend}, \isa{truncate} etc.) among the three record
106.641 + types.
106.642 + \end{exercise}
106.643 +
106.644 + \begin{exercise}
106.645 + (For Java programmers.)
106.646 + Model a small class hierarchy using records.
106.647 + \end{exercise}
106.648 + \index{records|)}%
106.649 +\end{isamarkuptext}%
106.650 +\isamarkuptrue%
106.651 +%
106.652 +\isadelimtheory
106.653 +%
106.654 +\endisadelimtheory
106.655 +%
106.656 +\isatagtheory
106.657 +%
106.658 +\endisatagtheory
106.659 +{\isafoldtheory}%
106.660 +%
106.661 +\isadelimtheory
106.662 +%
106.663 +\endisadelimtheory
106.664 +\end{isabellebody}%
106.665 +%%% Local Variables:
106.666 +%%% mode: latex
106.667 +%%% TeX-master: "root"
106.668 +%%% End:
107.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
107.2 +++ b/doc-src/TutorialI/document/Star.tex Thu Jul 26 19:59:06 2012 +0200
107.3 @@ -0,0 +1,315 @@
107.4 +%
107.5 +\begin{isabellebody}%
107.6 +\def\isabellecontext{Star}%
107.7 +%
107.8 +\isadelimtheory
107.9 +%
107.10 +\endisadelimtheory
107.11 +%
107.12 +\isatagtheory
107.13 +%
107.14 +\endisatagtheory
107.15 +{\isafoldtheory}%
107.16 +%
107.17 +\isadelimtheory
107.18 +%
107.19 +\endisadelimtheory
107.20 +%
107.21 +\isamarkupsection{The Reflexive Transitive Closure%
107.22 +}
107.23 +\isamarkuptrue%
107.24 +%
107.25 +\begin{isamarkuptext}%
107.26 +\label{sec:rtc}
107.27 +\index{reflexive transitive closure!defining inductively|(}%
107.28 +An inductive definition may accept parameters, so it can express
107.29 +functions that yield sets.
107.30 +Relations too can be defined inductively, since they are just sets of pairs.
107.31 +A perfect example is the function that maps a relation to its
107.32 +reflexive transitive closure. This concept was already
107.33 +introduced in \S\ref{sec:Relations}, where the operator \isa{\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}} was
107.34 +defined as a least fixed point because inductive definitions were not yet
107.35 +available. But now they are:%
107.36 +\end{isamarkuptext}%
107.37 +\isamarkuptrue%
107.38 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
107.39 +\isanewline
107.40 +\ \ rtc\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5F}{\isacharunderscore}}{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isadigit{1}}{\isadigit{0}}{\isadigit{0}}{\isadigit{0}}{\isaliteral{5D}{\isacharbrackright}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}{\isaliteral{29}{\isacharparenright}}\isanewline
107.41 +\ \ \isakeyword{for}\ r\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
107.42 +\isakeyword{where}\isanewline
107.43 +\ \ rtc{\isaliteral{5F}{\isacharunderscore}}refl{\isaliteral{5B}{\isacharbrackleft}}iff{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
107.44 +{\isaliteral{7C}{\isacharbar}}\ rtc{\isaliteral{5F}{\isacharunderscore}}step{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}%
107.45 +\begin{isamarkuptext}%
107.46 +\noindent
107.47 +The function \isa{rtc} is annotated with concrete syntax: instead of
107.48 +\isa{rtc\ r} we can write \isa{r{\isaliteral{2A}{\isacharasterisk}}}. The actual definition
107.49 +consists of two rules. Reflexivity is obvious and is immediately given the
107.50 +\isa{iff} attribute to increase automation. The
107.51 +second rule, \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step}, says that we can always add one more
107.52 +\isa{r}-step to the left. Although we could make \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} an
107.53 +introduction rule, this is dangerous: the recursion in the second premise
107.54 +slows down and may even kill the automatic tactics.
107.55 +
107.56 +The above definition of the concept of reflexive transitive closure may
107.57 +be sufficiently intuitive but it is certainly not the only possible one:
107.58 +for a start, it does not even mention transitivity.
107.59 +The rest of this section is devoted to proving that it is equivalent to
107.60 +the standard definition. We start with a simple lemma:%
107.61 +\end{isamarkuptext}%
107.62 +\isamarkuptrue%
107.63 +\isacommand{lemma}\isamarkupfalse%
107.64 +\ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
107.65 +%
107.66 +\isadelimproof
107.67 +%
107.68 +\endisadelimproof
107.69 +%
107.70 +\isatagproof
107.71 +\isacommand{by}\isamarkupfalse%
107.72 +{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isaliteral{5F}{\isacharunderscore}}step{\isaliteral{29}{\isacharparenright}}%
107.73 +\endisatagproof
107.74 +{\isafoldproof}%
107.75 +%
107.76 +\isadelimproof
107.77 +%
107.78 +\endisadelimproof
107.79 +%
107.80 +\begin{isamarkuptext}%
107.81 +\noindent
107.82 +Although the lemma itself is an unremarkable consequence of the basic rules,
107.83 +it has the advantage that it can be declared an introduction rule without the
107.84 +danger of killing the automatic tactics because \isa{r{\isaliteral{2A}{\isacharasterisk}}} occurs only in
107.85 +the conclusion and not in the premise. Thus some proofs that would otherwise
107.86 +need \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} can now be found automatically. The proof also
107.87 +shows that \isa{blast} is able to handle \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step}. But
107.88 +some of the other automatic tactics are more sensitive, and even \isa{blast} can be lead astray in the presence of large numbers of rules.
107.89 +
107.90 +To prove transitivity, we need rule induction, i.e.\ theorem
107.91 +\isa{rtc{\isaliteral{2E}{\isachardot}}induct}:
107.92 +\begin{isabelle}%
107.93 +\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}x{\isadigit{1}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{2}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ x{\isaliteral{3B}{\isacharsemicolon}}\isanewline
107.94 +\isaindent{\ \ \ \ \ \ }{\isaliteral{5C3C416E643E}{\isasymAnd}}x\ y\ z{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{3F}{\isacharquery}}P\ y\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
107.95 +\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{1}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{2}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}%
107.96 +\end{isabelle}
107.97 +It says that \isa{{\isaliteral{3F}{\isacharquery}}P} holds for an arbitrary pair \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}x{\isadigit{1}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{2}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{2A}{\isacharasterisk}}}
107.98 +if \isa{{\isaliteral{3F}{\isacharquery}}P} is preserved by all rules of the inductive definition,
107.99 +i.e.\ if \isa{{\isaliteral{3F}{\isacharquery}}P} holds for the conclusion provided it holds for the
107.100 +premises. In general, rule induction for an $n$-ary inductive relation $R$
107.101 +expects a premise of the form $(x@1,\dots,x@n) \in R$.
107.102 +
107.103 +Now we turn to the inductive proof of transitivity:%
107.104 +\end{isamarkuptext}%
107.105 +\isamarkuptrue%
107.106 +\isacommand{lemma}\isamarkupfalse%
107.107 +\ rtc{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
107.108 +%
107.109 +\isadelimproof
107.110 +%
107.111 +\endisadelimproof
107.112 +%
107.113 +\isatagproof
107.114 +\isacommand{apply}\isamarkupfalse%
107.115 +{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
107.116 +\begin{isamarkuptxt}%
107.117 +\noindent
107.118 +Unfortunately, even the base case is a problem:
107.119 +\begin{isabelle}%
107.120 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}%
107.121 +\end{isabelle}
107.122 +We have to abandon this proof attempt.
107.123 +To understand what is going on, let us look again at \isa{rtc{\isaliteral{2E}{\isachardot}}induct}.
107.124 +In the above application of \isa{erule}, the first premise of
107.125 +\isa{rtc{\isaliteral{2E}{\isachardot}}induct} is unified with the first suitable assumption, which
107.126 +is \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}} rather than \isa{{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}}. Although that
107.127 +is what we want, it is merely due to the order in which the assumptions occur
107.128 +in the subgoal, which it is not good practice to rely on. As a result,
107.129 +\isa{{\isaliteral{3F}{\isacharquery}}xb} becomes \isa{x}, \isa{{\isaliteral{3F}{\isacharquery}}xa} becomes
107.130 +\isa{y} and \isa{{\isaliteral{3F}{\isacharquery}}P} becomes \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}u\ v{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}u{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}}, thus
107.131 +yielding the above subgoal. So what went wrong?
107.132 +
107.133 +When looking at the instantiation of \isa{{\isaliteral{3F}{\isacharquery}}P} we see that it does not
107.134 +depend on its second parameter at all. The reason is that in our original
107.135 +goal, of the pair \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}} only \isa{x} appears also in the
107.136 +conclusion, but not \isa{y}. Thus our induction statement is too
107.137 +general. Fortunately, it can easily be specialized:
107.138 +transfer the additional premise \isa{{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}} into the conclusion:%
107.139 +\end{isamarkuptxt}%
107.140 +\isamarkuptrue%
107.141 +%
107.142 +\endisatagproof
107.143 +{\isafoldproof}%
107.144 +%
107.145 +\isadelimproof
107.146 +%
107.147 +\endisadelimproof
107.148 +\isacommand{lemma}\isamarkupfalse%
107.149 +\ rtc{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
107.150 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}%
107.151 +\isadelimproof
107.152 +%
107.153 +\endisadelimproof
107.154 +%
107.155 +\isatagproof
107.156 +%
107.157 +\begin{isamarkuptxt}%
107.158 +\noindent
107.159 +This is not an obscure trick but a generally applicable heuristic:
107.160 +\begin{quote}\em
107.161 +When proving a statement by rule induction on $(x@1,\dots,x@n) \in R$,
107.162 +pull all other premises containing any of the $x@i$ into the conclusion
107.163 +using $\longrightarrow$.
107.164 +\end{quote}
107.165 +A similar heuristic for other kinds of inductions is formulated in
107.166 +\S\ref{sec:ind-var-in-prems}. The \isa{rule{\isaliteral{5F}{\isacharunderscore}}format} directive turns
107.167 +\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}} back into \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}}: in the end we obtain the original
107.168 +statement of our lemma.%
107.169 +\end{isamarkuptxt}%
107.170 +\isamarkuptrue%
107.171 +\isacommand{apply}\isamarkupfalse%
107.172 +{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
107.173 +\begin{isamarkuptxt}%
107.174 +\noindent
107.175 +Now induction produces two subgoals which are both proved automatically:
107.176 +\begin{isabelle}%
107.177 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\isanewline
107.178 +\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ y\ za{\isaliteral{2E}{\isachardot}}\isanewline
107.179 +\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ za{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}za{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
107.180 +\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}za{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}%
107.181 +\end{isabelle}%
107.182 +\end{isamarkuptxt}%
107.183 +\isamarkuptrue%
107.184 +\ \isacommand{apply}\isamarkupfalse%
107.185 +{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
107.186 +\isacommand{apply}\isamarkupfalse%
107.187 +{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isaliteral{5F}{\isacharunderscore}}step{\isaliteral{29}{\isacharparenright}}\isanewline
107.188 +\isacommand{done}\isamarkupfalse%
107.189 +%
107.190 +\endisatagproof
107.191 +{\isafoldproof}%
107.192 +%
107.193 +\isadelimproof
107.194 +%
107.195 +\endisadelimproof
107.196 +%
107.197 +\begin{isamarkuptext}%
107.198 +Let us now prove that \isa{r{\isaliteral{2A}{\isacharasterisk}}} is really the reflexive transitive closure
107.199 +of \isa{r}, i.e.\ the least reflexive and transitive
107.200 +relation containing \isa{r}. The latter is easily formalized%
107.201 +\end{isamarkuptext}%
107.202 +\isamarkuptrue%
107.203 +\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
107.204 +\isanewline
107.205 +\ \ rtc{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
107.206 +\ \ \isakeyword{for}\ r\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
107.207 +\isakeyword{where}\isanewline
107.208 +\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
107.209 +{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
107.210 +{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}%
107.211 +\begin{isamarkuptext}%
107.212 +\noindent
107.213 +and the equivalence of the two definitions is easily shown by the obvious rule
107.214 +inductions:%
107.215 +\end{isamarkuptext}%
107.216 +\isamarkuptrue%
107.217 +\isacommand{lemma}\isamarkupfalse%
107.218 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
107.219 +%
107.220 +\isadelimproof
107.221 +%
107.222 +\endisadelimproof
107.223 +%
107.224 +\isatagproof
107.225 +\isacommand{apply}\isamarkupfalse%
107.226 +{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
107.227 +\ \ \isacommand{apply}\isamarkupfalse%
107.228 +{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
107.229 +\ \isacommand{apply}\isamarkupfalse%
107.230 +{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
107.231 +\isacommand{apply}\isamarkupfalse%
107.232 +{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{29}{\isacharparenright}}\isanewline
107.233 +\isacommand{done}\isamarkupfalse%
107.234 +%
107.235 +\endisatagproof
107.236 +{\isafoldproof}%
107.237 +%
107.238 +\isadelimproof
107.239 +\isanewline
107.240 +%
107.241 +\endisadelimproof
107.242 +\isanewline
107.243 +\isacommand{lemma}\isamarkupfalse%
107.244 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
107.245 +%
107.246 +\isadelimproof
107.247 +%
107.248 +\endisadelimproof
107.249 +%
107.250 +\isatagproof
107.251 +\isacommand{apply}\isamarkupfalse%
107.252 +{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
107.253 +\ \isacommand{apply}\isamarkupfalse%
107.254 +{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
107.255 +\isacommand{apply}\isamarkupfalse%
107.256 +{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
107.257 +\isacommand{done}\isamarkupfalse%
107.258 +%
107.259 +\endisatagproof
107.260 +{\isafoldproof}%
107.261 +%
107.262 +\isadelimproof
107.263 +%
107.264 +\endisadelimproof
107.265 +%
107.266 +\begin{isamarkuptext}%
107.267 +So why did we start with the first definition? Because it is simpler. It
107.268 +contains only two rules, and the single step rule is simpler than
107.269 +transitivity. As a consequence, \isa{rtc{\isaliteral{2E}{\isachardot}}induct} is simpler than
107.270 +\isa{rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}induct}. Since inductive proofs are hard enough
107.271 +anyway, we should always pick the simplest induction schema available.
107.272 +Hence \isa{rtc} is the definition of choice.
107.273 +\index{reflexive transitive closure!defining inductively|)}
107.274 +
107.275 +\begin{exercise}\label{ex:converse-rtc-step}
107.276 +Show that the converse of \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} also holds:
107.277 +\begin{isabelle}%
107.278 +\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}%
107.279 +\end{isabelle}
107.280 +\end{exercise}
107.281 +\begin{exercise}
107.282 +Repeat the development of this section, but starting with a definition of
107.283 +\isa{rtc} where \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} is replaced by its converse as shown
107.284 +in exercise~\ref{ex:converse-rtc-step}.
107.285 +\end{exercise}%
107.286 +\end{isamarkuptext}%
107.287 +\isamarkuptrue%
107.288 +%
107.289 +\isadelimproof
107.290 +%
107.291 +\endisadelimproof
107.292 +%
107.293 +\isatagproof
107.294 +%
107.295 +\endisatagproof
107.296 +{\isafoldproof}%
107.297 +%
107.298 +\isadelimproof
107.299 +%
107.300 +\endisadelimproof
107.301 +%
107.302 +\isadelimtheory
107.303 +%
107.304 +\endisadelimtheory
107.305 +%
107.306 +\isatagtheory
107.307 +%
107.308 +\endisatagtheory
107.309 +{\isafoldtheory}%
107.310 +%
107.311 +\isadelimtheory
107.312 +%
107.313 +\endisadelimtheory
107.314 +\end{isabellebody}%
107.315 +%%% Local Variables:
107.316 +%%% mode: latex
107.317 +%%% TeX-master: "root"
107.318 +%%% End:
108.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
108.2 +++ b/doc-src/TutorialI/document/ToyList.tex Thu Jul 26 19:59:06 2012 +0200
108.3 @@ -0,0 +1,530 @@
108.4 +%
108.5 +\begin{isabellebody}%
108.6 +\def\isabellecontext{ToyList}%
108.7 +%
108.8 +\isadelimtheory
108.9 +%
108.10 +\endisadelimtheory
108.11 +%
108.12 +\isatagtheory
108.13 +\isacommand{theory}\isamarkupfalse%
108.14 +\ ToyList\isanewline
108.15 +\isakeyword{imports}\ Datatype\isanewline
108.16 +\isakeyword{begin}%
108.17 +\endisatagtheory
108.18 +{\isafoldtheory}%
108.19 +%
108.20 +\isadelimtheory
108.21 +%
108.22 +\endisadelimtheory
108.23 +%
108.24 +\begin{isamarkuptext}%
108.25 +\noindent
108.26 +HOL already has a predefined theory of lists called \isa{List} ---
108.27 +\isa{ToyList} is merely a small fragment of it chosen as an example. In
108.28 +contrast to what is recommended in \S\ref{sec:Basic:Theories},
108.29 +\isa{ToyList} is not based on \isa{Main} but on \isa{Datatype}, a
108.30 +theory that contains pretty much everything but lists, thus avoiding
108.31 +ambiguities caused by defining lists twice.%
108.32 +\end{isamarkuptext}%
108.33 +\isamarkuptrue%
108.34 +\isacommand{datatype}\isamarkupfalse%
108.35 +\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{3D}{\isacharequal}}\ Nil\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
108.36 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Cons\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixr}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{23}{\isacharhash}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}%
108.37 +\begin{isamarkuptext}%
108.38 +\noindent
108.39 +The datatype\index{datatype@\isacommand {datatype} (command)}
108.40 +\tydx{list} introduces two
108.41 +constructors \cdx{Nil} and \cdx{Cons}, the
108.42 +empty~list and the operator that adds an element to the front of a list. For
108.43 +example, the term \isa{Cons True (Cons False Nil)} is a value of
108.44 +type \isa{bool\ list}, namely the list with the elements \isa{True} and
108.45 +\isa{False}. Because this notation quickly becomes unwieldy, the
108.46 +datatype declaration is annotated with an alternative syntax: instead of
108.47 +\isa{Nil} and \isa{Cons x xs} we can write
108.48 +\isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}\index{$HOL2list@\isa{[]}|bold} and
108.49 +\isa{x\ {\isaliteral{23}{\isacharhash}}\ xs}\index{$HOL2list@\isa{\#}|bold}. In fact, this
108.50 +alternative syntax is the familiar one. Thus the list \isa{Cons True
108.51 +(Cons False Nil)} becomes \isa{True\ {\isaliteral{23}{\isacharhash}}\ False\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}. The annotation
108.52 +\isacommand{infixr}\index{infixr@\isacommand{infixr} (annotation)}
108.53 +means that \isa{{\isaliteral{23}{\isacharhash}}} associates to
108.54 +the right: the term \isa{x\ {\isaliteral{23}{\isacharhash}}\ y\ {\isaliteral{23}{\isacharhash}}\ z} is read as \isa{x\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ z{\isaliteral{29}{\isacharparenright}}}
108.55 +and not as \isa{{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ z}.
108.56 +The \isa{{\isadigit{6}}{\isadigit{5}}} is the priority of the infix \isa{{\isaliteral{23}{\isacharhash}}}.
108.57 +
108.58 +\begin{warn}
108.59 + Syntax annotations can be powerful, but they are difficult to master and
108.60 + are never necessary. You
108.61 + could drop them from theory \isa{ToyList} and go back to the identifiers
108.62 + \isa{Nil} and \isa{Cons}. Novices should avoid using
108.63 + syntax annotations in their own theories.
108.64 +\end{warn}
108.65 +Next, two functions \isa{app} and \cdx{rev} are defined recursively,
108.66 +in this order, because Isabelle insists on definition before use:%
108.67 +\end{isamarkuptext}%
108.68 +\isamarkuptrue%
108.69 +\isacommand{primrec}\isamarkupfalse%
108.70 +\ app\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixr}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{40}{\isacharat}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}\ \isakeyword{where}\isanewline
108.71 +{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ ys\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
108.72 +{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
108.73 +\isanewline
108.74 +\isacommand{primrec}\isamarkupfalse%
108.75 +\ rev\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
108.76 +{\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
108.77 +{\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ xs{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
108.78 +\begin{isamarkuptext}%
108.79 +\noindent
108.80 +Each function definition is of the form
108.81 +\begin{center}
108.82 +\isacommand{primrec} \textit{name} \isa{{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}} \textit{type} \textit{(optional syntax)} \isakeyword{where} \textit{equations}
108.83 +\end{center}
108.84 +The equations must be separated by \isa{{\isaliteral{7C}{\isacharbar}}}.
108.85 +%
108.86 +Function \isa{app} is annotated with concrete syntax. Instead of the
108.87 +prefix syntax \isa{app\ xs\ ys} the infix
108.88 +\isa{xs\ {\isaliteral{40}{\isacharat}}\ ys}\index{$HOL2list@\isa{\at}|bold} becomes the preferred
108.89 +form.
108.90 +
108.91 +\index{*rev (constant)|(}\index{append function|(}
108.92 +The equations for \isa{app} and \isa{rev} hardly need comments:
108.93 +\isa{app} appends two lists and \isa{rev} reverses a list. The
108.94 +keyword \commdx{primrec} indicates that the recursion is
108.95 +of a particularly primitive kind where each recursive call peels off a datatype
108.96 +constructor from one of the arguments. Thus the
108.97 +recursion always terminates, i.e.\ the function is \textbf{total}.
108.98 +\index{functions!total}
108.99 +
108.100 +The termination requirement is absolutely essential in HOL, a logic of total
108.101 +functions. If we were to drop it, inconsistencies would quickly arise: the
108.102 +``definition'' $f(n) = f(n)+1$ immediately leads to $0 = 1$ by subtracting
108.103 +$f(n)$ on both sides.
108.104 +% However, this is a subtle issue that we cannot discuss here further.
108.105 +
108.106 +\begin{warn}
108.107 + As we have indicated, the requirement for total functions is an essential characteristic of HOL\@. It is only
108.108 + because of totality that reasoning in HOL is comparatively easy. More
108.109 + generally, the philosophy in HOL is to refrain from asserting arbitrary axioms (such as
108.110 + function definitions whose totality has not been proved) because they
108.111 + quickly lead to inconsistencies. Instead, fixed constructs for introducing
108.112 + types and functions are offered (such as \isacommand{datatype} and
108.113 + \isacommand{primrec}) which are guaranteed to preserve consistency.
108.114 +\end{warn}
108.115 +
108.116 +\index{syntax}%
108.117 +A remark about syntax. The textual definition of a theory follows a fixed
108.118 +syntax with keywords like \isacommand{datatype} and \isacommand{end}.
108.119 +% (see Fig.~\ref{fig:keywords} in Appendix~\ref{sec:Appendix} for a full list).
108.120 +Embedded in this syntax are the types and formulae of HOL, whose syntax is
108.121 +extensible (see \S\ref{sec:concrete-syntax}), e.g.\ by new user-defined infix operators.
108.122 +To distinguish the two levels, everything
108.123 +HOL-specific (terms and types) should be enclosed in
108.124 +\texttt{"}\dots\texttt{"}.
108.125 +To lessen this burden, quotation marks around a single identifier can be
108.126 +dropped, unless the identifier happens to be a keyword, for example
108.127 +\isa{"end"}.
108.128 +When Isabelle prints a syntax error message, it refers to the HOL syntax as
108.129 +the \textbf{inner syntax} and the enclosing theory language as the \textbf{outer syntax}.
108.130 +
108.131 +Comments\index{comment} must be in enclosed in \texttt{(* }and\texttt{ *)}.
108.132 +
108.133 +\section{Evaluation}
108.134 +\index{evaluation}
108.135 +
108.136 +Assuming you have processed the declarations and definitions of
108.137 +\texttt{ToyList} presented so far, you may want to test your
108.138 +functions by running them. For example, what is the value of
108.139 +\isa{rev\ {\isaliteral{28}{\isacharparenleft}}True\ {\isaliteral{23}{\isacharhash}}\ False\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}}? Command%
108.140 +\end{isamarkuptext}%
108.141 +\isamarkuptrue%
108.142 +\isacommand{value}\isamarkupfalse%
108.143 +\ {\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{28}{\isacharparenleft}}True\ {\isaliteral{23}{\isacharhash}}\ False\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
108.144 +\begin{isamarkuptext}%
108.145 +\noindent yields the correct result \isa{False\ {\isaliteral{23}{\isacharhash}}\ True\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}.
108.146 +But we can go beyond mere functional programming and evaluate terms with
108.147 +variables in them, executing functions symbolically:%
108.148 +\end{isamarkuptext}%
108.149 +\isamarkuptrue%
108.150 +\isacommand{value}\isamarkupfalse%
108.151 +\ {\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ b\ {\isaliteral{23}{\isacharhash}}\ c\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
108.152 +\begin{isamarkuptext}%
108.153 +\noindent yields \isa{c\ {\isaliteral{23}{\isacharhash}}\ b\ {\isaliteral{23}{\isacharhash}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}.
108.154 +
108.155 +\section{An Introductory Proof}
108.156 +\label{sec:intro-proof}
108.157 +
108.158 +Having convinced ourselves (as well as one can by testing) that our
108.159 +definitions capture our intentions, we are ready to prove a few simple
108.160 +theorems. This will illustrate not just the basic proof commands but
108.161 +also the typical proof process.
108.162 +
108.163 +\subsubsection*{Main Goal.}
108.164 +
108.165 +Our goal is to show that reversing a list twice produces the original
108.166 +list.%
108.167 +\end{isamarkuptext}%
108.168 +\isamarkuptrue%
108.169 +\isacommand{theorem}\isamarkupfalse%
108.170 +\ rev{\isaliteral{5F}{\isacharunderscore}}rev\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
108.171 +\isadelimproof
108.172 +%
108.173 +\endisadelimproof
108.174 +%
108.175 +\isatagproof
108.176 +%
108.177 +\begin{isamarkuptxt}%
108.178 +\index{theorem@\isacommand {theorem} (command)|bold}%
108.179 +\noindent
108.180 +This \isacommand{theorem} command does several things:
108.181 +\begin{itemize}
108.182 +\item
108.183 +It establishes a new theorem to be proved, namely \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs}.
108.184 +\item
108.185 +It gives that theorem the name \isa{rev{\isaliteral{5F}{\isacharunderscore}}rev}, for later reference.
108.186 +\item
108.187 +It tells Isabelle (via the bracketed attribute \attrdx{simp}) to take the eventual theorem as a simplification rule: future proofs involving
108.188 +simplification will replace occurrences of \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}} by
108.189 +\isa{xs}.
108.190 +\end{itemize}
108.191 +The name and the simplification attribute are optional.
108.192 +Isabelle's response is to print the initial proof state consisting
108.193 +of some header information (like how many subgoals there are) followed by
108.194 +\begin{isabelle}%
108.195 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs%
108.196 +\end{isabelle}
108.197 +For compactness reasons we omit the header in this tutorial.
108.198 +Until we have finished a proof, the \rmindex{proof state} proper
108.199 +always looks like this:
108.200 +\begin{isabelle}
108.201 +~1.~$G\sb{1}$\isanewline
108.202 +~~\vdots~~\isanewline
108.203 +~$n$.~$G\sb{n}$
108.204 +\end{isabelle}
108.205 +The numbered lines contain the subgoals $G\sb{1}$, \dots, $G\sb{n}$
108.206 +that we need to prove to establish the main goal.\index{subgoals}
108.207 +Initially there is only one subgoal, which is identical with the
108.208 +main goal. (If you always want to see the main goal as well,
108.209 +set the flag \isa{Proof.show_main_goal}\index{*show_main_goal (flag)}
108.210 +--- this flag used to be set by default.)
108.211 +
108.212 +Let us now get back to \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs}. Properties of recursively
108.213 +defined functions are best established by induction. In this case there is
108.214 +nothing obvious except induction on \isa{xs}:%
108.215 +\end{isamarkuptxt}%
108.216 +\isamarkuptrue%
108.217 +\isacommand{apply}\isamarkupfalse%
108.218 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
108.219 +\begin{isamarkuptxt}%
108.220 +\noindent\index{*induct_tac (method)}%
108.221 +This tells Isabelle to perform induction on variable \isa{xs}. The suffix
108.222 +\isa{tac} stands for \textbf{tactic},\index{tactics}
108.223 +a synonym for ``theorem proving function''.
108.224 +By default, induction acts on the first subgoal. The new proof state contains
108.225 +two subgoals, namely the base case (\isa{Nil}) and the induction step
108.226 +(\isa{Cons}):
108.227 +\begin{isabelle}%
108.228 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\isanewline
108.229 +\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
108.230 +\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ list{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list%
108.231 +\end{isabelle}
108.232 +
108.233 +The induction step is an example of the general format of a subgoal:\index{subgoals}
108.234 +\begin{isabelle}
108.235 +~$i$.~{\isasymAnd}$x\sb{1}$~\dots$x\sb{n}$.~{\it assumptions}~{\isasymLongrightarrow}~{\it conclusion}
108.236 +\end{isabelle}\index{$IsaAnd@\isasymAnd|bold}
108.237 +The prefix of bound variables \isasymAnd$x\sb{1}$~\dots~$x\sb{n}$ can be
108.238 +ignored most of the time, or simply treated as a list of variables local to
108.239 +this subgoal. Their deeper significance is explained in Chapter~\ref{chap:rules}.
108.240 +The {\it assumptions}\index{assumptions!of subgoal}
108.241 +are the local assumptions for this subgoal and {\it
108.242 + conclusion}\index{conclusion!of subgoal} is the actual proposition to be proved.
108.243 +Typical proof steps
108.244 +that add new assumptions are induction and case distinction. In our example
108.245 +the only assumption is the induction hypothesis \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ list}, where \isa{list} is a variable name chosen by Isabelle. If there
108.246 +are multiple assumptions, they are enclosed in the bracket pair
108.247 +\indexboldpos{\isasymlbrakk}{$Isabrl} and
108.248 +\indexboldpos{\isasymrbrakk}{$Isabrr} and separated by semicolons.
108.249 +
108.250 +Let us try to solve both goals automatically:%
108.251 +\end{isamarkuptxt}%
108.252 +\isamarkuptrue%
108.253 +\isacommand{apply}\isamarkupfalse%
108.254 +{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
108.255 +\begin{isamarkuptxt}%
108.256 +\noindent
108.257 +This command tells Isabelle to apply a proof strategy called
108.258 +\isa{auto} to all subgoals. Essentially, \isa{auto} tries to
108.259 +simplify the subgoals. In our case, subgoal~1 is solved completely (thanks
108.260 +to the equation \isa{rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}) and disappears; the simplified version
108.261 +of subgoal~2 becomes the new subgoal~1:
108.262 +\begin{isabelle}%
108.263 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
108.264 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list%
108.265 +\end{isabelle}
108.266 +In order to simplify this subgoal further, a lemma suggests itself.%
108.267 +\end{isamarkuptxt}%
108.268 +\isamarkuptrue%
108.269 +%
108.270 +\endisatagproof
108.271 +{\isafoldproof}%
108.272 +%
108.273 +\isadelimproof
108.274 +%
108.275 +\endisadelimproof
108.276 +%
108.277 +\isamarkupsubsubsection{First Lemma%
108.278 +}
108.279 +\isamarkuptrue%
108.280 +%
108.281 +\begin{isamarkuptext}%
108.282 +\indexbold{abandoning a proof}\indexbold{proofs!abandoning}
108.283 +After abandoning the above proof attempt (at the shell level type
108.284 +\commdx{oops}) we start a new proof:%
108.285 +\end{isamarkuptext}%
108.286 +\isamarkuptrue%
108.287 +\isacommand{lemma}\isamarkupfalse%
108.288 +\ rev{\isaliteral{5F}{\isacharunderscore}}app\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
108.289 +\isadelimproof
108.290 +%
108.291 +\endisadelimproof
108.292 +%
108.293 +\isatagproof
108.294 +%
108.295 +\begin{isamarkuptxt}%
108.296 +\noindent The keywords \commdx{theorem} and
108.297 +\commdx{lemma} are interchangeable and merely indicate
108.298 +the importance we attach to a proposition. Therefore we use the words
108.299 +\emph{theorem} and \emph{lemma} pretty much interchangeably, too.
108.300 +
108.301 +There are two variables that we could induct on: \isa{xs} and
108.302 +\isa{ys}. Because \isa{{\isaliteral{40}{\isacharat}}} is defined by recursion on
108.303 +the first argument, \isa{xs} is the correct one:%
108.304 +\end{isamarkuptxt}%
108.305 +\isamarkuptrue%
108.306 +\isacommand{apply}\isamarkupfalse%
108.307 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
108.308 +\begin{isamarkuptxt}%
108.309 +\noindent
108.310 +This time not even the base case is solved automatically:%
108.311 +\end{isamarkuptxt}%
108.312 +\isamarkuptrue%
108.313 +\isacommand{apply}\isamarkupfalse%
108.314 +{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
108.315 +\begin{isamarkuptxt}%
108.316 +\begin{isabelle}%
108.317 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ rev\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ ys\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
108.318 +\end{isabelle}
108.319 +Again, we need to abandon this proof attempt and prove another simple lemma
108.320 +first. In the future the step of abandoning an incomplete proof before
108.321 +embarking on the proof of a lemma usually remains implicit.%
108.322 +\end{isamarkuptxt}%
108.323 +\isamarkuptrue%
108.324 +%
108.325 +\endisatagproof
108.326 +{\isafoldproof}%
108.327 +%
108.328 +\isadelimproof
108.329 +%
108.330 +\endisadelimproof
108.331 +%
108.332 +\isamarkupsubsubsection{Second Lemma%
108.333 +}
108.334 +\isamarkuptrue%
108.335 +%
108.336 +\begin{isamarkuptext}%
108.337 +We again try the canonical proof procedure:%
108.338 +\end{isamarkuptext}%
108.339 +\isamarkuptrue%
108.340 +\isacommand{lemma}\isamarkupfalse%
108.341 +\ app{\isaliteral{5F}{\isacharunderscore}}Nil{\isadigit{2}}\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
108.342 +%
108.343 +\isadelimproof
108.344 +%
108.345 +\endisadelimproof
108.346 +%
108.347 +\isatagproof
108.348 +\isacommand{apply}\isamarkupfalse%
108.349 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
108.350 +\isacommand{apply}\isamarkupfalse%
108.351 +{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
108.352 +\begin{isamarkuptxt}%
108.353 +\noindent
108.354 +It works, yielding the desired message \isa{No\ subgoals{\isaliteral{21}{\isacharbang}}}:
108.355 +\begin{isabelle}%
108.356 +xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ xs\isanewline
108.357 +No\ subgoals{\isaliteral{21}{\isacharbang}}%
108.358 +\end{isabelle}
108.359 +We still need to confirm that the proof is now finished:%
108.360 +\end{isamarkuptxt}%
108.361 +\isamarkuptrue%
108.362 +\isacommand{done}\isamarkupfalse%
108.363 +%
108.364 +\endisatagproof
108.365 +{\isafoldproof}%
108.366 +%
108.367 +\isadelimproof
108.368 +%
108.369 +\endisadelimproof
108.370 +%
108.371 +\begin{isamarkuptext}%
108.372 +\noindent
108.373 +As a result of that final \commdx{done}, Isabelle associates the lemma just proved
108.374 +with its name. In this tutorial, we sometimes omit to show that final \isacommand{done}
108.375 +if it is obvious from the context that the proof is finished.
108.376 +
108.377 +% Instead of \isacommand{apply} followed by a dot, you can simply write
108.378 +% \isacommand{by}\indexbold{by}, which we do most of the time.
108.379 +Notice that in lemma \isa{app{\isaliteral{5F}{\isacharunderscore}}Nil{\isadigit{2}}},
108.380 +as printed out after the final \isacommand{done}, the free variable \isa{xs} has been
108.381 +replaced by the unknown \isa{{\isaliteral{3F}{\isacharquery}}xs}, just as explained in
108.382 +\S\ref{sec:variables}.
108.383 +
108.384 +Going back to the proof of the first lemma%
108.385 +\end{isamarkuptext}%
108.386 +\isamarkuptrue%
108.387 +\isacommand{lemma}\isamarkupfalse%
108.388 +\ rev{\isaliteral{5F}{\isacharunderscore}}app\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
108.389 +%
108.390 +\isadelimproof
108.391 +%
108.392 +\endisadelimproof
108.393 +%
108.394 +\isatagproof
108.395 +\isacommand{apply}\isamarkupfalse%
108.396 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
108.397 +\isacommand{apply}\isamarkupfalse%
108.398 +{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
108.399 +\begin{isamarkuptxt}%
108.400 +\noindent
108.401 +we find that this time \isa{auto} solves the base case, but the
108.402 +induction step merely simplifies to
108.403 +\begin{isabelle}%
108.404 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
108.405 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }rev\ {\isaliteral{28}{\isacharparenleft}}list\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ ys\ {\isaliteral{40}{\isacharat}}\ rev\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
108.406 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{28}{\isacharparenleft}}rev\ ys\ {\isaliteral{40}{\isacharat}}\ rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ ys\ {\isaliteral{40}{\isacharat}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
108.407 +\end{isabelle}
108.408 +Now we need to remember that \isa{{\isaliteral{40}{\isacharat}}} associates to the right, and that
108.409 +\isa{{\isaliteral{23}{\isacharhash}}} and \isa{{\isaliteral{40}{\isacharat}}} have the same priority (namely the \isa{{\isadigit{6}}{\isadigit{5}}}
108.410 +in their \isacommand{infixr} annotation). Thus the conclusion really is
108.411 +\begin{isabelle}
108.412 +~~~~~(rev~ys~@~rev~list)~@~(a~\#~[])~=~rev~ys~@~(rev~list~@~(a~\#~[]))
108.413 +\end{isabelle}
108.414 +and the missing lemma is associativity of \isa{{\isaliteral{40}{\isacharat}}}.%
108.415 +\end{isamarkuptxt}%
108.416 +\isamarkuptrue%
108.417 +%
108.418 +\endisatagproof
108.419 +{\isafoldproof}%
108.420 +%
108.421 +\isadelimproof
108.422 +%
108.423 +\endisadelimproof
108.424 +%
108.425 +\isamarkupsubsubsection{Third Lemma%
108.426 +}
108.427 +\isamarkuptrue%
108.428 +%
108.429 +\begin{isamarkuptext}%
108.430 +Abandoning the previous attempt, the canonical proof procedure
108.431 +succeeds without further ado.%
108.432 +\end{isamarkuptext}%
108.433 +\isamarkuptrue%
108.434 +\isacommand{lemma}\isamarkupfalse%
108.435 +\ app{\isaliteral{5F}{\isacharunderscore}}assoc\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}ys\ {\isaliteral{40}{\isacharat}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
108.436 +%
108.437 +\isadelimproof
108.438 +%
108.439 +\endisadelimproof
108.440 +%
108.441 +\isatagproof
108.442 +\isacommand{apply}\isamarkupfalse%
108.443 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
108.444 +\isacommand{apply}\isamarkupfalse%
108.445 +{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
108.446 +\isacommand{done}\isamarkupfalse%
108.447 +%
108.448 +\endisatagproof
108.449 +{\isafoldproof}%
108.450 +%
108.451 +\isadelimproof
108.452 +%
108.453 +\endisadelimproof
108.454 +%
108.455 +\begin{isamarkuptext}%
108.456 +\noindent
108.457 +Now we can prove the first lemma:%
108.458 +\end{isamarkuptext}%
108.459 +\isamarkuptrue%
108.460 +\isacommand{lemma}\isamarkupfalse%
108.461 +\ rev{\isaliteral{5F}{\isacharunderscore}}app\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
108.462 +%
108.463 +\isadelimproof
108.464 +%
108.465 +\endisadelimproof
108.466 +%
108.467 +\isatagproof
108.468 +\isacommand{apply}\isamarkupfalse%
108.469 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
108.470 +\isacommand{apply}\isamarkupfalse%
108.471 +{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
108.472 +\isacommand{done}\isamarkupfalse%
108.473 +%
108.474 +\endisatagproof
108.475 +{\isafoldproof}%
108.476 +%
108.477 +\isadelimproof
108.478 +%
108.479 +\endisadelimproof
108.480 +%
108.481 +\begin{isamarkuptext}%
108.482 +\noindent
108.483 +Finally, we prove our main theorem:%
108.484 +\end{isamarkuptext}%
108.485 +\isamarkuptrue%
108.486 +\isacommand{theorem}\isamarkupfalse%
108.487 +\ rev{\isaliteral{5F}{\isacharunderscore}}rev\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
108.488 +%
108.489 +\isadelimproof
108.490 +%
108.491 +\endisadelimproof
108.492 +%
108.493 +\isatagproof
108.494 +\isacommand{apply}\isamarkupfalse%
108.495 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
108.496 +\isacommand{apply}\isamarkupfalse%
108.497 +{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
108.498 +\isacommand{done}\isamarkupfalse%
108.499 +%
108.500 +\endisatagproof
108.501 +{\isafoldproof}%
108.502 +%
108.503 +\isadelimproof
108.504 +%
108.505 +\endisadelimproof
108.506 +%
108.507 +\begin{isamarkuptext}%
108.508 +\noindent
108.509 +The final \commdx{end} tells Isabelle to close the current theory because
108.510 +we are finished with its development:%
108.511 +\index{*rev (constant)|)}\index{append function|)}%
108.512 +\end{isamarkuptext}%
108.513 +\isamarkuptrue%
108.514 +%
108.515 +\isadelimtheory
108.516 +%
108.517 +\endisadelimtheory
108.518 +%
108.519 +\isatagtheory
108.520 +\isacommand{end}\isamarkupfalse%
108.521 +%
108.522 +\endisatagtheory
108.523 +{\isafoldtheory}%
108.524 +%
108.525 +\isadelimtheory
108.526 +%
108.527 +\endisadelimtheory
108.528 +\isanewline
108.529 +\end{isabellebody}%
108.530 +%%% Local Variables:
108.531 +%%% mode: latex
108.532 +%%% TeX-master: "root"
108.533 +%%% End:
109.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
109.2 +++ b/doc-src/TutorialI/document/Tree.tex Thu Jul 26 19:59:06 2012 +0200
109.3 @@ -0,0 +1,83 @@
109.4 +%
109.5 +\begin{isabellebody}%
109.6 +\def\isabellecontext{Tree}%
109.7 +%
109.8 +\isadelimtheory
109.9 +%
109.10 +\endisadelimtheory
109.11 +%
109.12 +\isatagtheory
109.13 +%
109.14 +\endisatagtheory
109.15 +{\isafoldtheory}%
109.16 +%
109.17 +\isadelimtheory
109.18 +%
109.19 +\endisadelimtheory
109.20 +%
109.21 +\begin{isamarkuptext}%
109.22 +\noindent
109.23 +Define the datatype of \rmindex{binary trees}:%
109.24 +\end{isamarkuptext}%
109.25 +\isamarkuptrue%
109.26 +\isacommand{datatype}\isamarkupfalse%
109.27 +\ {\isaliteral{27}{\isacharprime}}a\ tree\ {\isaliteral{3D}{\isacharequal}}\ Tip\ {\isaliteral{7C}{\isacharbar}}\ Node\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ tree{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ tree{\isaliteral{22}{\isachardoublequoteclose}}%
109.28 +\begin{isamarkuptext}%
109.29 +\noindent
109.30 +Define a function \isa{mirror} that mirrors a binary tree
109.31 +by swapping subtrees recursively. Prove%
109.32 +\end{isamarkuptext}%
109.33 +\isamarkuptrue%
109.34 +\isacommand{lemma}\isamarkupfalse%
109.35 +\ mirror{\isaliteral{5F}{\isacharunderscore}}mirror{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}mirror{\isaliteral{28}{\isacharparenleft}}mirror\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ t{\isaliteral{22}{\isachardoublequoteclose}}%
109.36 +\isadelimproof
109.37 +%
109.38 +\endisadelimproof
109.39 +%
109.40 +\isatagproof
109.41 +%
109.42 +\endisatagproof
109.43 +{\isafoldproof}%
109.44 +%
109.45 +\isadelimproof
109.46 +%
109.47 +\endisadelimproof
109.48 +%
109.49 +\begin{isamarkuptext}%
109.50 +\noindent
109.51 +Define a function \isa{flatten} that flattens a tree into a list
109.52 +by traversing it in infix order. Prove%
109.53 +\end{isamarkuptext}%
109.54 +\isamarkuptrue%
109.55 +\isacommand{lemma}\isamarkupfalse%
109.56 +\ {\isaliteral{22}{\isachardoublequoteopen}}flatten{\isaliteral{28}{\isacharparenleft}}mirror\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev{\isaliteral{28}{\isacharparenleft}}flatten\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
109.57 +\isadelimproof
109.58 +%
109.59 +\endisadelimproof
109.60 +%
109.61 +\isatagproof
109.62 +%
109.63 +\endisatagproof
109.64 +{\isafoldproof}%
109.65 +%
109.66 +\isadelimproof
109.67 +%
109.68 +\endisadelimproof
109.69 +%
109.70 +\isadelimtheory
109.71 +%
109.72 +\endisadelimtheory
109.73 +%
109.74 +\isatagtheory
109.75 +%
109.76 +\endisatagtheory
109.77 +{\isafoldtheory}%
109.78 +%
109.79 +\isadelimtheory
109.80 +%
109.81 +\endisadelimtheory
109.82 +\end{isabellebody}%
109.83 +%%% Local Variables:
109.84 +%%% mode: latex
109.85 +%%% TeX-master: "root"
109.86 +%%% End:
110.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
110.2 +++ b/doc-src/TutorialI/document/Tree2.tex Thu Jul 26 19:59:06 2012 +0200
110.3 @@ -0,0 +1,75 @@
110.4 +%
110.5 +\begin{isabellebody}%
110.6 +\def\isabellecontext{Tree{\isadigit{2}}}%
110.7 +%
110.8 +\isadelimtheory
110.9 +%
110.10 +\endisadelimtheory
110.11 +%
110.12 +\isatagtheory
110.13 +%
110.14 +\endisatagtheory
110.15 +{\isafoldtheory}%
110.16 +%
110.17 +\isadelimtheory
110.18 +%
110.19 +\endisadelimtheory
110.20 +%
110.21 +\begin{isamarkuptext}%
110.22 +\noindent In Exercise~\ref{ex:Tree} we defined a function
110.23 +\isa{flatten} from trees to lists. The straightforward version of
110.24 +\isa{flatten} is based on \isa{{\isaliteral{40}{\isacharat}}} and is thus, like \isa{rev},
110.25 +quadratic. A linear time version of \isa{flatten} again reqires an extra
110.26 +argument, the accumulator. Define%
110.27 +\end{isamarkuptext}%
110.28 +\isamarkuptrue%
110.29 +flatten{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ tree\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}%
110.30 +\begin{isamarkuptext}%
110.31 +\noindent and prove%
110.32 +\end{isamarkuptext}%
110.33 +\isamarkuptrue%
110.34 +%
110.35 +\isadelimproof
110.36 +%
110.37 +\endisadelimproof
110.38 +%
110.39 +\isatagproof
110.40 +%
110.41 +\endisatagproof
110.42 +{\isafoldproof}%
110.43 +%
110.44 +\isadelimproof
110.45 +%
110.46 +\endisadelimproof
110.47 +\isacommand{lemma}\isamarkupfalse%
110.48 +\ {\isaliteral{22}{\isachardoublequoteopen}}flatten{\isadigit{2}}\ t\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ flatten\ t{\isaliteral{22}{\isachardoublequoteclose}}%
110.49 +\isadelimproof
110.50 +%
110.51 +\endisadelimproof
110.52 +%
110.53 +\isatagproof
110.54 +%
110.55 +\endisatagproof
110.56 +{\isafoldproof}%
110.57 +%
110.58 +\isadelimproof
110.59 +%
110.60 +\endisadelimproof
110.61 +%
110.62 +\isadelimtheory
110.63 +%
110.64 +\endisadelimtheory
110.65 +%
110.66 +\isatagtheory
110.67 +%
110.68 +\endisatagtheory
110.69 +{\isafoldtheory}%
110.70 +%
110.71 +\isadelimtheory
110.72 +%
110.73 +\endisadelimtheory
110.74 +\end{isabellebody}%
110.75 +%%% Local Variables:
110.76 +%%% mode: latex
110.77 +%%% TeX-master: "root"
110.78 +%%% End:
111.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
111.2 +++ b/doc-src/TutorialI/document/Trie.tex Thu Jul 26 19:59:06 2012 +0200
111.3 @@ -0,0 +1,297 @@
111.4 +%
111.5 +\begin{isabellebody}%
111.6 +\def\isabellecontext{Trie}%
111.7 +%
111.8 +\isadelimtheory
111.9 +%
111.10 +\endisadelimtheory
111.11 +%
111.12 +\isatagtheory
111.13 +%
111.14 +\endisatagtheory
111.15 +{\isafoldtheory}%
111.16 +%
111.17 +\isadelimtheory
111.18 +%
111.19 +\endisadelimtheory
111.20 +%
111.21 +\begin{isamarkuptext}%
111.22 +To minimize running time, each node of a trie should contain an array that maps
111.23 +letters to subtries. We have chosen a
111.24 +representation where the subtries are held in an association list, i.e.\ a
111.25 +list of (letter,trie) pairs. Abstracting over the alphabet \isa{{\isaliteral{27}{\isacharprime}}a} and the
111.26 +values \isa{{\isaliteral{27}{\isacharprime}}v} we define a trie as follows:%
111.27 +\end{isamarkuptext}%
111.28 +\isamarkuptrue%
111.29 +\isacommand{datatype}\isamarkupfalse%
111.30 +\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{3D}{\isacharequal}}\ Trie\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie{\isaliteral{29}{\isacharparenright}}list{\isaliteral{22}{\isachardoublequoteclose}}%
111.31 +\begin{isamarkuptext}%
111.32 +\noindent
111.33 +\index{datatypes!and nested recursion}%
111.34 +The first component is the optional value, the second component the
111.35 +association list of subtries. This is an example of nested recursion involving products,
111.36 +which is fine because products are datatypes as well.
111.37 +We define two selector functions:%
111.38 +\end{isamarkuptext}%
111.39 +\isamarkuptrue%
111.40 +\isacommand{primrec}\isamarkupfalse%
111.41 +\ {\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
111.42 +{\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{28}{\isacharparenleft}}Trie\ ov\ al{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ov{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
111.43 +\isacommand{primrec}\isamarkupfalse%
111.44 +\ alist\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie{\isaliteral{29}{\isacharparenright}}list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
111.45 +{\isaliteral{22}{\isachardoublequoteopen}}alist{\isaliteral{28}{\isacharparenleft}}Trie\ ov\ al{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ al{\isaliteral{22}{\isachardoublequoteclose}}%
111.46 +\begin{isamarkuptext}%
111.47 +\noindent
111.48 +Association lists come with a generic lookup function. Its result
111.49 +involves type \isa{option} because a lookup can fail:%
111.50 +\end{isamarkuptext}%
111.51 +\isamarkuptrue%
111.52 +\isacommand{primrec}\isamarkupfalse%
111.53 +\ assoc\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}key\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}val{\isaliteral{29}{\isacharparenright}}list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}key\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}val\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
111.54 +{\isaliteral{22}{\isachardoublequoteopen}}assoc\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ x\ {\isaliteral{3D}{\isacharequal}}\ None{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
111.55 +{\isaliteral{22}{\isachardoublequoteopen}}assoc\ {\isaliteral{28}{\isacharparenleft}}p{\isaliteral{23}{\isacharhash}}ps{\isaliteral{29}{\isacharparenright}}\ x\ {\isaliteral{3D}{\isacharequal}}\isanewline
111.56 +\ \ \ {\isaliteral{28}{\isacharparenleft}}let\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p\ in\ if\ a{\isaliteral{3D}{\isacharequal}}x\ then\ Some\ b\ else\ assoc\ ps\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
111.57 +\begin{isamarkuptext}%
111.58 +Now we can define the lookup function for tries. It descends into the trie
111.59 +examining the letters of the search string one by one. As
111.60 +recursion on lists is simpler than on tries, let us express this as primitive
111.61 +recursion on the search string argument:%
111.62 +\end{isamarkuptext}%
111.63 +\isamarkuptrue%
111.64 +\isacommand{primrec}\isamarkupfalse%
111.65 +\ lookup\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
111.66 +{\isaliteral{22}{\isachardoublequoteopen}}lookup\ t\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ value\ t{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
111.67 +{\isaliteral{22}{\isachardoublequoteopen}}lookup\ t\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{23}{\isacharhash}}as{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ assoc\ {\isaliteral{28}{\isacharparenleft}}alist\ t{\isaliteral{29}{\isacharparenright}}\ a\ of\isanewline
111.68 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ None\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ None\isanewline
111.69 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Some\ at\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ lookup\ at\ as{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
111.70 +\begin{isamarkuptext}%
111.71 +As a first simple property we prove that looking up a string in the empty
111.72 +trie \isa{Trie\ None\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} always returns \isa{None}. The proof merely
111.73 +distinguishes the two cases whether the search string is empty or not:%
111.74 +\end{isamarkuptext}%
111.75 +\isamarkuptrue%
111.76 +\isacommand{lemma}\isamarkupfalse%
111.77 +\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}lookup\ {\isaliteral{28}{\isacharparenleft}}Trie\ None\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ as\ {\isaliteral{3D}{\isacharequal}}\ None{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
111.78 +%
111.79 +\isadelimproof
111.80 +%
111.81 +\endisadelimproof
111.82 +%
111.83 +\isatagproof
111.84 +\isacommand{apply}\isamarkupfalse%
111.85 +{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ as{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
111.86 +\isacommand{done}\isamarkupfalse%
111.87 +%
111.88 +\endisatagproof
111.89 +{\isafoldproof}%
111.90 +%
111.91 +\isadelimproof
111.92 +%
111.93 +\endisadelimproof
111.94 +%
111.95 +\begin{isamarkuptext}%
111.96 +Things begin to get interesting with the definition of an update function
111.97 +that adds a new (string, value) pair to a trie, overwriting the old value
111.98 +associated with that string:%
111.99 +\end{isamarkuptext}%
111.100 +\isamarkuptrue%
111.101 +\isacommand{primrec}\isamarkupfalse%
111.102 +\ update{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
111.103 +{\isaliteral{22}{\isachardoublequoteopen}}update\ t\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ v\ {\isaliteral{3D}{\isacharequal}}\ Trie\ {\isaliteral{28}{\isacharparenleft}}Some\ v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}alist\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
111.104 +{\isaliteral{22}{\isachardoublequoteopen}}update\ t\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{23}{\isacharhash}}as{\isaliteral{29}{\isacharparenright}}\ v\ {\isaliteral{3D}{\isacharequal}}\isanewline
111.105 +\ \ \ {\isaliteral{28}{\isacharparenleft}}let\ tt\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ assoc\ {\isaliteral{28}{\isacharparenleft}}alist\ t{\isaliteral{29}{\isacharparenright}}\ a\ of\isanewline
111.106 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ None\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ Trie\ None\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ Some\ at\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ at{\isaliteral{29}{\isacharparenright}}\isanewline
111.107 +\ \ \ \ in\ Trie\ {\isaliteral{28}{\isacharparenleft}}value\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}update\ tt\ as\ v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ alist\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
111.108 +\begin{isamarkuptext}%
111.109 +\noindent
111.110 +The base case is obvious. In the recursive case the subtrie
111.111 +\isa{tt} associated with the first letter \isa{a} is extracted,
111.112 +recursively updated, and then placed in front of the association list.
111.113 +The old subtrie associated with \isa{a} is still in the association list
111.114 +but no longer accessible via \isa{assoc}. Clearly, there is room here for
111.115 +optimizations!
111.116 +
111.117 +Before we start on any proofs about \isa{update} we tell the simplifier to
111.118 +expand all \isa{let}s and to split all \isa{case}-constructs over
111.119 +options:%
111.120 +\end{isamarkuptext}%
111.121 +\isamarkuptrue%
111.122 +\isacommand{declare}\isamarkupfalse%
111.123 +\ Let{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}\ option{\isaliteral{2E}{\isachardot}}split{\isaliteral{5B}{\isacharbrackleft}}split{\isaliteral{5D}{\isacharbrackright}}%
111.124 +\begin{isamarkuptext}%
111.125 +\noindent
111.126 +The reason becomes clear when looking (probably after a failed proof
111.127 +attempt) at the body of \isa{update}: it contains both
111.128 +\isa{let} and a case distinction over type \isa{option}.
111.129 +
111.130 +Our main goal is to prove the correct interaction of \isa{update} and
111.131 +\isa{lookup}:%
111.132 +\end{isamarkuptext}%
111.133 +\isamarkuptrue%
111.134 +\isacommand{theorem}\isamarkupfalse%
111.135 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ v\ bs{\isaliteral{2E}{\isachardot}}\ lookup\ {\isaliteral{28}{\isacharparenleft}}update\ t\ as\ v{\isaliteral{29}{\isacharparenright}}\ bs\ {\isaliteral{3D}{\isacharequal}}\isanewline
111.136 +\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}if\ as{\isaliteral{3D}{\isacharequal}}bs\ then\ Some\ v\ else\ lookup\ t\ bs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
111.137 +\isadelimproof
111.138 +%
111.139 +\endisadelimproof
111.140 +%
111.141 +\isatagproof
111.142 +%
111.143 +\begin{isamarkuptxt}%
111.144 +\noindent
111.145 +Our plan is to induct on \isa{as}; hence the remaining variables are
111.146 +quantified. From the definitions it is clear that induction on either
111.147 +\isa{as} or \isa{bs} is required. The choice of \isa{as} is
111.148 +guided by the intuition that simplification of \isa{lookup} might be easier
111.149 +if \isa{update} has already been simplified, which can only happen if
111.150 +\isa{as} is instantiated.
111.151 +The start of the proof is conventional:%
111.152 +\end{isamarkuptxt}%
111.153 +\isamarkuptrue%
111.154 +\isacommand{apply}\isamarkupfalse%
111.155 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ as{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}%
111.156 +\begin{isamarkuptxt}%
111.157 +\noindent
111.158 +Unfortunately, this time we are left with three intimidating looking subgoals:
111.159 +\begin{isabelle}
111.160 +~1.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs\isanewline
111.161 +~2.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs\isanewline
111.162 +~3.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs
111.163 +\end{isabelle}
111.164 +Clearly, if we want to make headway we have to instantiate \isa{bs} as
111.165 +well now. It turns out that instead of induction, case distinction
111.166 +suffices:%
111.167 +\end{isamarkuptxt}%
111.168 +\isamarkuptrue%
111.169 +\isacommand{apply}\isamarkupfalse%
111.170 +{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}\ bs{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}\isanewline
111.171 +\isacommand{done}\isamarkupfalse%
111.172 +%
111.173 +\endisatagproof
111.174 +{\isafoldproof}%
111.175 +%
111.176 +\isadelimproof
111.177 +%
111.178 +\endisadelimproof
111.179 +%
111.180 +\begin{isamarkuptext}%
111.181 +\noindent
111.182 +\index{subgoal numbering}%
111.183 +All methods ending in \isa{tac} take an optional first argument that
111.184 +specifies the range of subgoals they are applied to, where \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}} means
111.185 +all subgoals, i.e.\ \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isadigit{1}}{\isaliteral{2D}{\isacharminus}}{\isadigit{3}}{\isaliteral{5D}{\isacharbrackright}}} in our case. Individual subgoal numbers,
111.186 +e.g. \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isadigit{2}}{\isaliteral{5D}{\isacharbrackright}}} are also allowed.
111.187 +
111.188 +This proof may look surprisingly straightforward. However, note that this
111.189 +comes at a cost: the proof script is unreadable because the intermediate
111.190 +proof states are invisible, and we rely on the (possibly brittle) magic of
111.191 +\isa{auto} (\isa{simp{\isaliteral{5F}{\isacharunderscore}}all} will not do --- try it) to split the subgoals
111.192 +of the induction up in such a way that case distinction on \isa{bs} makes
111.193 +sense and solves the proof.
111.194 +
111.195 +\begin{exercise}
111.196 + Modify \isa{update} (and its type) such that it allows both insertion and
111.197 + deletion of entries with a single function. Prove the corresponding version
111.198 + of the main theorem above.
111.199 + Optimize your function such that it shrinks tries after
111.200 + deletion if possible.
111.201 +\end{exercise}
111.202 +
111.203 +\begin{exercise}
111.204 + Write an improved version of \isa{update} that does not suffer from the
111.205 + space leak (pointed out above) caused by not deleting overwritten entries
111.206 + from the association list. Prove the main theorem for your improved
111.207 + \isa{update}.
111.208 +\end{exercise}
111.209 +
111.210 +\begin{exercise}
111.211 + Conceptually, each node contains a mapping from letters to optional
111.212 + subtries. Above we have implemented this by means of an association
111.213 + list. Replay the development replacing \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ trie{\isaliteral{29}{\isacharparenright}}\ list}
111.214 + with \isa{{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ trie\ option}.
111.215 +\end{exercise}%
111.216 +\end{isamarkuptext}%
111.217 +\isamarkuptrue%
111.218 +%
111.219 +\isadelimproof
111.220 +%
111.221 +\endisadelimproof
111.222 +%
111.223 +\isatagproof
111.224 +%
111.225 +\endisatagproof
111.226 +{\isafoldproof}%
111.227 +%
111.228 +\isadelimproof
111.229 +%
111.230 +\endisadelimproof
111.231 +%
111.232 +\isadelimproof
111.233 +%
111.234 +\endisadelimproof
111.235 +%
111.236 +\isatagproof
111.237 +%
111.238 +\endisatagproof
111.239 +{\isafoldproof}%
111.240 +%
111.241 +\isadelimproof
111.242 +%
111.243 +\endisadelimproof
111.244 +%
111.245 +\isadelimproof
111.246 +%
111.247 +\endisadelimproof
111.248 +%
111.249 +\isatagproof
111.250 +%
111.251 +\endisatagproof
111.252 +{\isafoldproof}%
111.253 +%
111.254 +\isadelimproof
111.255 +%
111.256 +\endisadelimproof
111.257 +%
111.258 +\isadelimproof
111.259 +%
111.260 +\endisadelimproof
111.261 +%
111.262 +\isatagproof
111.263 +%
111.264 +\endisatagproof
111.265 +{\isafoldproof}%
111.266 +%
111.267 +\isadelimproof
111.268 +%
111.269 +\endisadelimproof
111.270 +%
111.271 +\isadelimproof
111.272 +%
111.273 +\endisadelimproof
111.274 +%
111.275 +\isatagproof
111.276 +%
111.277 +\endisatagproof
111.278 +{\isafoldproof}%
111.279 +%
111.280 +\isadelimproof
111.281 +%
111.282 +\endisadelimproof
111.283 +%
111.284 +\isadelimtheory
111.285 +%
111.286 +\endisadelimtheory
111.287 +%
111.288 +\isatagtheory
111.289 +%
111.290 +\endisatagtheory
111.291 +{\isafoldtheory}%
111.292 +%
111.293 +\isadelimtheory
111.294 +%
111.295 +\endisadelimtheory
111.296 +\end{isabellebody}%
111.297 +%%% Local Variables:
111.298 +%%% mode: latex
111.299 +%%% TeX-master: "root"
111.300 +%%% End:
112.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
112.2 +++ b/doc-src/TutorialI/document/Typedefs.tex Thu Jul 26 19:59:06 2012 +0200
112.3 @@ -0,0 +1,340 @@
112.4 +%
112.5 +\begin{isabellebody}%
112.6 +\def\isabellecontext{Typedefs}%
112.7 +%
112.8 +\isadelimtheory
112.9 +%
112.10 +\endisadelimtheory
112.11 +%
112.12 +\isatagtheory
112.13 +%
112.14 +\endisatagtheory
112.15 +{\isafoldtheory}%
112.16 +%
112.17 +\isadelimtheory
112.18 +%
112.19 +\endisadelimtheory
112.20 +%
112.21 +\isamarkupsection{Introducing New Types%
112.22 +}
112.23 +\isamarkuptrue%
112.24 +%
112.25 +\begin{isamarkuptext}%
112.26 +\label{sec:adv-typedef}
112.27 +For most applications, a combination of predefined types like \isa{bool} and
112.28 +\isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}} with recursive datatypes and records is quite sufficient. Very
112.29 +occasionally you may feel the need for a more advanced type. If you
112.30 +are certain that your type is not definable by any of the
112.31 +standard means, then read on.
112.32 +\begin{warn}
112.33 + Types in HOL must be non-empty; otherwise the quantifier rules would be
112.34 + unsound, because $\exists x.\ x=x$ is a theorem.
112.35 +\end{warn}%
112.36 +\end{isamarkuptext}%
112.37 +\isamarkuptrue%
112.38 +%
112.39 +\isamarkupsubsection{Declaring New Types%
112.40 +}
112.41 +\isamarkuptrue%
112.42 +%
112.43 +\begin{isamarkuptext}%
112.44 +\label{sec:typedecl}
112.45 +\index{types!declaring|(}%
112.46 +\index{typedecl@\isacommand {typedecl} (command)}%
112.47 +The most trivial way of introducing a new type is by a \textbf{type
112.48 +declaration}:%
112.49 +\end{isamarkuptext}%
112.50 +\isamarkuptrue%
112.51 +\isacommand{typedecl}\isamarkupfalse%
112.52 +\ my{\isaliteral{5F}{\isacharunderscore}}new{\isaliteral{5F}{\isacharunderscore}}type%
112.53 +\begin{isamarkuptext}%
112.54 +\noindent
112.55 +This does not define \isa{my{\isaliteral{5F}{\isacharunderscore}}new{\isaliteral{5F}{\isacharunderscore}}type} at all but merely introduces its
112.56 +name. Thus we know nothing about this type, except that it is
112.57 +non-empty. Such declarations without definitions are
112.58 +useful if that type can be viewed as a parameter of the theory.
112.59 +A typical example is given in \S\ref{sec:VMC}, where we define a transition
112.60 +relation over an arbitrary type of states.
112.61 +
112.62 +In principle we can always get rid of such type declarations by making those
112.63 +types parameters of every other type, thus keeping the theory generic. In
112.64 +practice, however, the resulting clutter can make types hard to read.
112.65 +
112.66 +If you are looking for a quick and dirty way of introducing a new type
112.67 +together with its properties: declare the type and state its properties as
112.68 +axioms. Example:%
112.69 +\end{isamarkuptext}%
112.70 +\isamarkuptrue%
112.71 +\isacommand{axioms}\isamarkupfalse%
112.72 +\isanewline
112.73 +just{\isaliteral{5F}{\isacharunderscore}}one{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}my{\isaliteral{5F}{\isacharunderscore}}new{\isaliteral{5F}{\isacharunderscore}}type{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{22}{\isachardoublequoteclose}}%
112.74 +\begin{isamarkuptext}%
112.75 +\noindent
112.76 +However, we strongly discourage this approach, except at explorative stages
112.77 +of your development. It is extremely easy to write down contradictory sets of
112.78 +axioms, in which case you will be able to prove everything but it will mean
112.79 +nothing. In the example above, the axiomatic approach is
112.80 +unnecessary: a one-element type called \isa{unit} is already defined in HOL.
112.81 +\index{types!declaring|)}%
112.82 +\end{isamarkuptext}%
112.83 +\isamarkuptrue%
112.84 +%
112.85 +\isamarkupsubsection{Defining New Types%
112.86 +}
112.87 +\isamarkuptrue%
112.88 +%
112.89 +\begin{isamarkuptext}%
112.90 +\label{sec:typedef}
112.91 +\index{types!defining|(}%
112.92 +\index{typedecl@\isacommand {typedef} (command)|(}%
112.93 +Now we come to the most general means of safely introducing a new type, the
112.94 +\textbf{type definition}. All other means, for example
112.95 +\isacommand{datatype}, are based on it. The principle is extremely simple:
112.96 +any non-empty subset of an existing type can be turned into a new type.
112.97 +More precisely, the new type is specified to be isomorphic to some
112.98 +non-empty subset of an existing type.
112.99 +
112.100 +Let us work a simple example, the definition of a three-element type.
112.101 +It is easily represented by the first three natural numbers:%
112.102 +\end{isamarkuptext}%
112.103 +\isamarkuptrue%
112.104 +\isacommand{typedef}\isamarkupfalse%
112.105 +\ three\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
112.106 +\isadelimproof
112.107 +%
112.108 +\endisadelimproof
112.109 +%
112.110 +\isatagproof
112.111 +%
112.112 +\begin{isamarkuptxt}%
112.113 +\noindent
112.114 +In order to enforce that the representing set on the right-hand side is
112.115 +non-empty, this definition actually starts a proof to that effect:
112.116 +\begin{isabelle}%
112.117 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}x{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}%
112.118 +\end{isabelle}
112.119 +Fortunately, this is easy enough to show, even \isa{auto} could do it.
112.120 +In general, one has to provide a witness, in our case 0:%
112.121 +\end{isamarkuptxt}%
112.122 +\isamarkuptrue%
112.123 +\isacommand{apply}\isamarkupfalse%
112.124 +{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ \isakeyword{in}\ exI{\isaliteral{29}{\isacharparenright}}\isanewline
112.125 +\isacommand{by}\isamarkupfalse%
112.126 +\ simp%
112.127 +\endisatagproof
112.128 +{\isafoldproof}%
112.129 +%
112.130 +\isadelimproof
112.131 +%
112.132 +\endisadelimproof
112.133 +%
112.134 +\begin{isamarkuptext}%
112.135 +This type definition introduces the new type \isa{three} and asserts
112.136 +that it is a copy of the set \isa{{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}. This assertion
112.137 +is expressed via a bijection between the \emph{type} \isa{three} and the
112.138 +\emph{set} \isa{{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}. To this end, the command declares the following
112.139 +constants behind the scenes:
112.140 +\begin{center}
112.141 +\begin{tabular}{rcl}
112.142 +\isa{three} &::& \isa{nat\ set} \\
112.143 +\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} &::& \isa{three\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat}\\
112.144 +\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three} &::& \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ three}
112.145 +\end{tabular}
112.146 +\end{center}
112.147 +where constant \isa{three} is explicitly defined as the representing set:
112.148 +\begin{center}
112.149 +\isa{three\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}\hfill(\isa{three{\isaliteral{5F}{\isacharunderscore}}def})
112.150 +\end{center}
112.151 +The situation is best summarized with the help of the following diagram,
112.152 +where squares denote types and the irregular region denotes a set:
112.153 +\begin{center}
112.154 +\includegraphics[scale=.8]{typedef}
112.155 +\end{center}
112.156 +Finally, \isacommand{typedef} asserts that \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} is
112.157 +surjective on the subset \isa{three} and \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three} and \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} are inverses of each other:
112.158 +\begin{center}
112.159 +\begin{tabular}{@ {}r@ {\qquad\qquad}l@ {}}
112.160 +\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three}) \\
112.161 +\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isaliteral{28}{\isacharparenleft}}Rep{\isaliteral{5F}{\isacharunderscore}}three\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inverse}) \\
112.162 +\isa{y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Rep{\isaliteral{5F}{\isacharunderscore}}three\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ y} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inverse})
112.163 +\end{tabular}
112.164 +\end{center}
112.165 +%
112.166 +From this example it should be clear what \isacommand{typedef} does
112.167 +in general given a name (here \isa{three}) and a set
112.168 +(here \isa{{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}).
112.169 +
112.170 +Our next step is to define the basic functions expected on the new type.
112.171 +Although this depends on the type at hand, the following strategy works well:
112.172 +\begin{itemize}
112.173 +\item define a small kernel of basic functions that can express all other
112.174 +functions you anticipate.
112.175 +\item define the kernel in terms of corresponding functions on the
112.176 +representing type using \isa{Abs} and \isa{Rep} to convert between the
112.177 +two levels.
112.178 +\end{itemize}
112.179 +In our example it suffices to give the three elements of type \isa{three}
112.180 +names:%
112.181 +\end{isamarkuptext}%
112.182 +\isamarkuptrue%
112.183 +\isacommand{definition}\isamarkupfalse%
112.184 +\ A\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ three\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
112.185 +\isacommand{definition}\isamarkupfalse%
112.186 +\ B\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ three\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
112.187 +\isacommand{definition}\isamarkupfalse%
112.188 +\ C\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ three\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}C\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isadigit{2}}{\isaliteral{22}{\isachardoublequoteclose}}%
112.189 +\begin{isamarkuptext}%
112.190 +So far, everything was easy. But it is clear that reasoning about \isa{three} will be hell if we have to go back to \isa{nat} every time. Thus our
112.191 +aim must be to raise our level of abstraction by deriving enough theorems
112.192 +about type \isa{three} to characterize it completely. And those theorems
112.193 +should be phrased in terms of \isa{A}, \isa{B} and \isa{C}, not \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three} and \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three}. Because of the simplicity of the example,
112.194 +we merely need to prove that \isa{A}, \isa{B} and \isa{C} are distinct
112.195 +and that they exhaust the type.
112.196 +
112.197 +In processing our \isacommand{typedef} declaration,
112.198 +Isabelle proves several helpful lemmas. The first two
112.199 +express injectivity of \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} and \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three}:
112.200 +\begin{center}
112.201 +\begin{tabular}{@ {}r@ {\qquad}l@ {}}
112.202 +\isa{{\isaliteral{28}{\isacharparenleft}}Rep{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{3D}{\isacharequal}}\ Rep{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{29}{\isacharparenright}}} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inject}) \\
112.203 +\begin{tabular}{@ {}l@ {}}
112.204 +\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}} \\
112.205 +\isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{3D}{\isacharequal}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{29}{\isacharparenright}}}
112.206 +\end{tabular} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inject}) \\
112.207 +\end{tabular}
112.208 +\end{center}
112.209 +The following ones allow to replace some \isa{x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}three} by
112.210 +\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}}, and conversely \isa{y} by \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three\ x}:
112.211 +\begin{center}
112.212 +\begin{tabular}{@ {}r@ {\qquad}l@ {}}
112.213 +\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ y\ {\isaliteral{3D}{\isacharequal}}\ Rep{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}cases}) \\
112.214 +\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}y{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{3D}{\isacharequal}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}cases}) \\
112.215 +\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}Rep{\isaliteral{5F}{\isacharunderscore}}three\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ y} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}induct}) \\
112.216 +\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}y{\isaliteral{2E}{\isachardot}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}induct}) \\
112.217 +\end{tabular}
112.218 +\end{center}
112.219 +These theorems are proved for any type definition, with \isa{three}
112.220 +replaced by the name of the type in question.
112.221 +
112.222 +Distinctness of \isa{A}, \isa{B} and \isa{C} follows immediately
112.223 +if we expand their definitions and rewrite with the injectivity
112.224 +of \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three}:%
112.225 +\end{isamarkuptext}%
112.226 +\isamarkuptrue%
112.227 +\isacommand{lemma}\isamarkupfalse%
112.228 +\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ B\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ A\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ C\ {\isaliteral{5C3C616E643E}{\isasymand}}\ C\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ C\ {\isaliteral{5C3C616E643E}{\isasymand}}\ C\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ B{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
112.229 +%
112.230 +\isadelimproof
112.231 +%
112.232 +\endisadelimproof
112.233 +%
112.234 +\isatagproof
112.235 +\isacommand{by}\isamarkupfalse%
112.236 +{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inject\ A{\isaliteral{5F}{\isacharunderscore}}def\ B{\isaliteral{5F}{\isacharunderscore}}def\ C{\isaliteral{5F}{\isacharunderscore}}def\ three{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
112.237 +\endisatagproof
112.238 +{\isafoldproof}%
112.239 +%
112.240 +\isadelimproof
112.241 +%
112.242 +\endisadelimproof
112.243 +%
112.244 +\begin{isamarkuptext}%
112.245 +\noindent
112.246 +Of course we rely on the simplifier to solve goals like \isa{{\isadigit{0}}\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{1}}}.
112.247 +
112.248 +The fact that \isa{A}, \isa{B} and \isa{C} exhaust type \isa{three} is
112.249 +best phrased as a case distinction theorem: if you want to prove \isa{P\ x}
112.250 +(where \isa{x} is of type \isa{three}) it suffices to prove \isa{P\ A},
112.251 +\isa{P\ B} and \isa{P\ C}:%
112.252 +\end{isamarkuptext}%
112.253 +\isamarkuptrue%
112.254 +\isacommand{lemma}\isamarkupfalse%
112.255 +\ three{\isaliteral{5F}{\isacharunderscore}}cases{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ P\ A{\isaliteral{3B}{\isacharsemicolon}}\ P\ B{\isaliteral{3B}{\isacharsemicolon}}\ P\ C\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x{\isaliteral{22}{\isachardoublequoteclose}}%
112.256 +\isadelimproof
112.257 +%
112.258 +\endisadelimproof
112.259 +%
112.260 +\isatagproof
112.261 +%
112.262 +\begin{isamarkuptxt}%
112.263 +\noindent Again this follows easily using the induction principle stemming from the type definition:%
112.264 +\end{isamarkuptxt}%
112.265 +\isamarkuptrue%
112.266 +\isacommand{apply}\isamarkupfalse%
112.267 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ x{\isaliteral{29}{\isacharparenright}}%
112.268 +\begin{isamarkuptxt}%
112.269 +\begin{isabelle}%
112.270 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}y{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ A{\isaliteral{3B}{\isacharsemicolon}}\ P\ B{\isaliteral{3B}{\isacharsemicolon}}\ P\ C{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}%
112.271 +\end{isabelle}
112.272 +Simplification with \isa{three{\isaliteral{5F}{\isacharunderscore}}def} leads to the disjunction \isa{y\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ y\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ y\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}} which \isa{auto} separates into three
112.273 +subgoals, each of which is easily solved by simplification:%
112.274 +\end{isamarkuptxt}%
112.275 +\isamarkuptrue%
112.276 +\isacommand{apply}\isamarkupfalse%
112.277 +{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ three{\isaliteral{5F}{\isacharunderscore}}def\ A{\isaliteral{5F}{\isacharunderscore}}def\ B{\isaliteral{5F}{\isacharunderscore}}def\ C{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
112.278 +\isacommand{done}\isamarkupfalse%
112.279 +%
112.280 +\endisatagproof
112.281 +{\isafoldproof}%
112.282 +%
112.283 +\isadelimproof
112.284 +%
112.285 +\endisadelimproof
112.286 +%
112.287 +\begin{isamarkuptext}%
112.288 +\noindent
112.289 +This concludes the derivation of the characteristic theorems for
112.290 +type \isa{three}.
112.291 +
112.292 +The attentive reader has realized long ago that the
112.293 +above lengthy definition can be collapsed into one line:%
112.294 +\end{isamarkuptext}%
112.295 +\isamarkuptrue%
112.296 +\isacommand{datatype}\isamarkupfalse%
112.297 +\ better{\isaliteral{5F}{\isacharunderscore}}three\ {\isaliteral{3D}{\isacharequal}}\ A\ {\isaliteral{7C}{\isacharbar}}\ B\ {\isaliteral{7C}{\isacharbar}}\ C%
112.298 +\begin{isamarkuptext}%
112.299 +\noindent
112.300 +In fact, the \isacommand{datatype} command performs internally more or less
112.301 +the same derivations as we did, which gives you some idea what life would be
112.302 +like without \isacommand{datatype}.
112.303 +
112.304 +Although \isa{three} could be defined in one line, we have chosen this
112.305 +example to demonstrate \isacommand{typedef} because its simplicity makes the
112.306 +key concepts particularly easy to grasp. If you would like to see a
112.307 +non-trivial example that cannot be defined more directly, we recommend the
112.308 +definition of \emph{finite multisets} in the Library~\cite{HOL-Library}.
112.309 +
112.310 +Let us conclude by summarizing the above procedure for defining a new type.
112.311 +Given some abstract axiomatic description $P$ of a type $ty$ in terms of a
112.312 +set of functions $F$, this involves three steps:
112.313 +\begin{enumerate}
112.314 +\item Find an appropriate type $\tau$ and subset $A$ which has the desired
112.315 + properties $P$, and make a type definition based on this representation.
112.316 +\item Define the required functions $F$ on $ty$ by lifting
112.317 +analogous functions on the representation via $Abs_ty$ and $Rep_ty$.
112.318 +\item Prove that $P$ holds for $ty$ by lifting $P$ from the representation.
112.319 +\end{enumerate}
112.320 +You can now forget about the representation and work solely in terms of the
112.321 +abstract functions $F$ and properties $P$.%
112.322 +\index{typedecl@\isacommand {typedef} (command)|)}%
112.323 +\index{types!defining|)}%
112.324 +\end{isamarkuptext}%
112.325 +\isamarkuptrue%
112.326 +%
112.327 +\isadelimtheory
112.328 +%
112.329 +\endisadelimtheory
112.330 +%
112.331 +\isatagtheory
112.332 +%
112.333 +\endisatagtheory
112.334 +{\isafoldtheory}%
112.335 +%
112.336 +\isadelimtheory
112.337 +%
112.338 +\endisadelimtheory
112.339 +\end{isabellebody}%
112.340 +%%% Local Variables:
112.341 +%%% mode: latex
112.342 +%%% TeX-master: "root"
112.343 +%%% End:
113.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
113.2 +++ b/doc-src/TutorialI/document/WFrec.tex Thu Jul 26 19:59:06 2012 +0200
113.3 @@ -0,0 +1,169 @@
113.4 +%
113.5 +\begin{isabellebody}%
113.6 +\def\isabellecontext{WFrec}%
113.7 +%
113.8 +\isadelimtheory
113.9 +%
113.10 +\endisadelimtheory
113.11 +%
113.12 +\isatagtheory
113.13 +%
113.14 +\endisatagtheory
113.15 +{\isafoldtheory}%
113.16 +%
113.17 +\isadelimtheory
113.18 +%
113.19 +\endisadelimtheory
113.20 +%
113.21 +\begin{isamarkuptext}%
113.22 +\noindent
113.23 +So far, all recursive definitions were shown to terminate via measure
113.24 +functions. Sometimes this can be inconvenient or
113.25 +impossible. Fortunately, \isacommand{recdef} supports much more
113.26 +general definitions. For example, termination of Ackermann's function
113.27 +can be shown by means of the \rmindex{lexicographic product} \isa{{\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}}:%
113.28 +\end{isamarkuptext}%
113.29 +\isamarkuptrue%
113.30 +\isacommand{consts}\isamarkupfalse%
113.31 +\ ack\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat{\isasymtimes}nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
113.32 +\isacommand{recdef}\isamarkupfalse%
113.33 +\ ack\ {\isachardoublequoteopen}measure{\isacharparenleft}{\isasymlambda}m{\isachardot}\ m{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}n{\isachardot}\ n{\isacharparenright}{\isachardoublequoteclose}\isanewline
113.34 +\ \ {\isachardoublequoteopen}ack{\isacharparenleft}{\isadigit{0}}{\isacharcomma}n{\isacharparenright}\ \ \ \ \ \ \ \ \ {\isacharequal}\ Suc\ n{\isachardoublequoteclose}\isanewline
113.35 +\ \ {\isachardoublequoteopen}ack{\isacharparenleft}Suc\ m{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ \ \ \ \ {\isacharequal}\ ack{\isacharparenleft}m{\isacharcomma}\ {\isadigit{1}}{\isacharparenright}{\isachardoublequoteclose}\isanewline
113.36 +\ \ {\isachardoublequoteopen}ack{\isacharparenleft}Suc\ m{\isacharcomma}Suc\ n{\isacharparenright}\ {\isacharequal}\ ack{\isacharparenleft}m{\isacharcomma}ack{\isacharparenleft}Suc\ m{\isacharcomma}n{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
113.37 +\begin{isamarkuptext}%
113.38 +\noindent
113.39 +The lexicographic product decreases if either its first component
113.40 +decreases (as in the second equation and in the outer call in the
113.41 +third equation) or its first component stays the same and the second
113.42 +component decreases (as in the inner call in the third equation).
113.43 +
113.44 +In general, \isacommand{recdef} supports termination proofs based on
113.45 +arbitrary well-founded relations as introduced in \S\ref{sec:Well-founded}.
113.46 +This is called \textbf{well-founded
113.47 +recursion}\indexbold{recursion!well-founded}. A function definition
113.48 +is total if and only if the set of
113.49 +all pairs $(r,l)$, where $l$ is the argument on the
113.50 +left-hand side of an equation and $r$ the argument of some recursive call on
113.51 +the corresponding right-hand side, induces a well-founded relation. For a
113.52 +systematic account of termination proofs via well-founded relations see, for
113.53 +example, Baader and Nipkow~\cite{Baader-Nipkow}.
113.54 +
113.55 +Each \isacommand{recdef} definition should be accompanied (after the function's
113.56 +name) by a well-founded relation on the function's argument type.
113.57 +Isabelle/HOL formalizes some of the most important
113.58 +constructions of well-founded relations (see \S\ref{sec:Well-founded}). For
113.59 +example, \isa{measure\ f} is always well-founded. The lexicographic
113.60 +product of two well-founded relations is again well-founded, which we relied
113.61 +on when defining Ackermann's function above.
113.62 +Of course the lexicographic product can also be iterated:%
113.63 +\end{isamarkuptext}%
113.64 +\isamarkuptrue%
113.65 +\isacommand{consts}\isamarkupfalse%
113.66 +\ contrived\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymtimes}\ nat\ {\isasymtimes}\ nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
113.67 +\isacommand{recdef}\isamarkupfalse%
113.68 +\ contrived\isanewline
113.69 +\ \ {\isachardoublequoteopen}measure{\isacharparenleft}{\isasymlambda}i{\isachardot}\ i{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}j{\isachardot}\ j{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}k{\isachardot}\ k{\isacharparenright}{\isachardoublequoteclose}\isanewline
113.70 +{\isachardoublequoteopen}contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}Suc\ k{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}k{\isacharparenright}{\isachardoublequoteclose}\isanewline
113.71 +{\isachardoublequoteopen}contrived{\isacharparenleft}i{\isacharcomma}Suc\ j{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}j{\isacharparenright}{\isachardoublequoteclose}\isanewline
113.72 +{\isachardoublequoteopen}contrived{\isacharparenleft}Suc\ i{\isacharcomma}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}i{\isacharcomma}i{\isacharparenright}{\isachardoublequoteclose}\isanewline
113.73 +{\isachardoublequoteopen}contrived{\isacharparenleft}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ \ \ \ \ {\isacharequal}\ {\isadigit{0}}{\isachardoublequoteclose}%
113.74 +\begin{isamarkuptext}%
113.75 +Lexicographic products of measure functions already go a long
113.76 +way. Furthermore, you may embed a type in an
113.77 +existing well-founded relation via the inverse image construction \isa{inv{\isacharunderscore}image}. All these constructions are known to \isacommand{recdef}. Thus you
113.78 +will never have to prove well-foundedness of any relation composed
113.79 +solely of these building blocks. But of course the proof of
113.80 +termination of your function definition --- that the arguments
113.81 +decrease with every recursive call --- may still require you to provide
113.82 +additional lemmas.
113.83 +
113.84 +It is also possible to use your own well-founded relations with
113.85 +\isacommand{recdef}. For example, the greater-than relation can be made
113.86 +well-founded by cutting it off at a certain point. Here is an example
113.87 +of a recursive function that calls itself with increasing values up to ten:%
113.88 +\end{isamarkuptext}%
113.89 +\isamarkuptrue%
113.90 +\isacommand{consts}\isamarkupfalse%
113.91 +\ f\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
113.92 +\isacommand{recdef}\isamarkupfalse%
113.93 +\ f\ {\isachardoublequoteopen}{\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}j{\isacharparenright}{\isachardot}\ j{\isacharless}i\ {\isasymand}\ i\ {\isasymle}\ {\isacharparenleft}{\isadigit{1}}{\isadigit{0}}{\isacharcolon}{\isacharcolon}nat{\isacharparenright}{\isacharbraceright}{\isachardoublequoteclose}\isanewline
113.94 +{\isachardoublequoteopen}f\ i\ {\isacharequal}\ {\isacharparenleft}if\ {\isadigit{1}}{\isadigit{0}}\ {\isasymle}\ i\ then\ {\isadigit{0}}\ else\ i\ {\isacharasterisk}\ f{\isacharparenleft}Suc\ i{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
113.95 +\begin{isamarkuptext}%
113.96 +\noindent
113.97 +Since \isacommand{recdef} is not prepared for the relation supplied above,
113.98 +Isabelle rejects the definition. We should first have proved that
113.99 +our relation was well-founded:%
113.100 +\end{isamarkuptext}%
113.101 +\isamarkuptrue%
113.102 +\isacommand{lemma}\isamarkupfalse%
113.103 +\ wf{\isacharunderscore}greater{\isacharcolon}\ {\isachardoublequoteopen}wf\ {\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}j{\isacharparenright}{\isachardot}\ j{\isacharless}i\ {\isasymand}\ i\ {\isasymle}\ {\isacharparenleft}N{\isacharcolon}{\isacharcolon}nat{\isacharparenright}{\isacharbraceright}{\isachardoublequoteclose}%
113.104 +\isadelimproof
113.105 +%
113.106 +\endisadelimproof
113.107 +%
113.108 +\isatagproof
113.109 +%
113.110 +\begin{isamarkuptxt}%
113.111 +\noindent
113.112 +The proof is by showing that our relation is a subset of another well-founded
113.113 +relation: one given by a measure function.\index{*wf_subset (theorem)}%
113.114 +\end{isamarkuptxt}%
113.115 +\isamarkuptrue%
113.116 +\isacommand{apply}\isamarkupfalse%
113.117 +\ {\isacharparenleft}rule\ wf{\isacharunderscore}subset\ {\isacharbrackleft}of\ {\isachardoublequoteopen}measure\ {\isacharparenleft}{\isasymlambda}k{\isacharcolon}{\isacharcolon}nat{\isachardot}\ N{\isacharminus}k{\isacharparenright}{\isachardoublequoteclose}{\isacharbrackright}{\isacharcomma}\ blast{\isacharparenright}%
113.118 +\begin{isamarkuptxt}%
113.119 +\begin{isabelle}%
113.120 +\ {\isadigit{1}}{\isachardot}\ {\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}\ j{\isacharparenright}{\isachardot}\ j\ {\isacharless}\ i\ {\isasymand}\ i\ {\isasymle}\ N{\isacharbraceright}\ {\isasymsubseteq}\ measure\ {\isacharparenleft}op\ {\isacharminus}\ N{\isacharparenright}%
113.121 +\end{isabelle}
113.122 +
113.123 +\noindent
113.124 +The inclusion remains to be proved. After unfolding some definitions,
113.125 +we are left with simple arithmetic that is dispatched automatically.%
113.126 +\end{isamarkuptxt}%
113.127 +\isamarkuptrue%
113.128 +\isacommand{by}\isamarkupfalse%
113.129 +\ {\isacharparenleft}clarify{\isacharcomma}\ simp\ add{\isacharcolon}\ measure{\isacharunderscore}def\ inv{\isacharunderscore}image{\isacharunderscore}def{\isacharparenright}%
113.130 +\endisatagproof
113.131 +{\isafoldproof}%
113.132 +%
113.133 +\isadelimproof
113.134 +%
113.135 +\endisadelimproof
113.136 +%
113.137 +\begin{isamarkuptext}%
113.138 +\noindent
113.139 +
113.140 +Armed with this lemma, we use the \attrdx{recdef_wf} attribute to attach a
113.141 +crucial hint\cmmdx{hints} to our definition:%
113.142 +\end{isamarkuptext}%
113.143 +\isamarkuptrue%
113.144 +{\isacharparenleft}\isakeyword{hints}\ recdef{\isacharunderscore}wf{\isacharcolon}\ wf{\isacharunderscore}greater{\isacharparenright}%
113.145 +\begin{isamarkuptext}%
113.146 +\noindent
113.147 +Alternatively, we could have given \isa{measure\ {\isacharparenleft}{\isasymlambda}k{\isacharcolon}{\isacharcolon}nat{\isachardot}\ {\isadigit{1}}{\isadigit{0}}{\isacharminus}k{\isacharparenright}} for the
113.148 +well-founded relation in our \isacommand{recdef}. However, the arithmetic
113.149 +goal in the lemma above would have arisen instead in the \isacommand{recdef}
113.150 +termination proof, where we have less control. A tailor-made termination
113.151 +relation makes even more sense when it can be used in several function
113.152 +declarations.%
113.153 +\end{isamarkuptext}%
113.154 +\isamarkuptrue%
113.155 +%
113.156 +\isadelimtheory
113.157 +%
113.158 +\endisadelimtheory
113.159 +%
113.160 +\isatagtheory
113.161 +%
113.162 +\endisatagtheory
113.163 +{\isafoldtheory}%
113.164 +%
113.165 +\isadelimtheory
113.166 +%
113.167 +\endisadelimtheory
113.168 +\end{isabellebody}%
113.169 +%%% Local Variables:
113.170 +%%% mode: latex
113.171 +%%% TeX-master: "root"
113.172 +%%% End:
114.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
114.2 +++ b/doc-src/TutorialI/document/appendix.tex Thu Jul 26 19:59:06 2012 +0200
114.3 @@ -0,0 +1,63 @@
114.4 +%
114.5 +\begin{isabellebody}%
114.6 +\def\isabellecontext{appendix}%
114.7 +%
114.8 +\isadelimtheory
114.9 +%
114.10 +\endisadelimtheory
114.11 +%
114.12 +\isatagtheory
114.13 +%
114.14 +\endisatagtheory
114.15 +{\isafoldtheory}%
114.16 +%
114.17 +\isadelimtheory
114.18 +%
114.19 +\endisadelimtheory
114.20 +%
114.21 +\begin{isamarkuptext}%
114.22 +\begin{table}[htbp]
114.23 +\begin{center}
114.24 +\begin{tabular}{lll}
114.25 +Constant & Type & Syntax \\
114.26 +\hline
114.27 +\isa{{\isadigit{0}}} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}zero} \\
114.28 +\isa{{\isadigit{1}}} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}one} \\
114.29 +\isa{plus} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}plus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}plus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}plus} & (infixl $+$ 65) \\
114.30 +\isa{minus} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}minus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}minus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}minus} & (infixl $-$ 65) \\
114.31 +\isa{uminus} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}uminus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}uminus} & $- x$ \\
114.32 +\isa{times} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}times\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}times\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}times} & (infixl $*$ 70) \\
114.33 +\isa{divide} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}inverse\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}inverse\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}inverse} & (infixl $/$ 70) \\
114.34 +\isa{Divides{\isaliteral{2E}{\isachardot}}div} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div} & (infixl $div$ 70) \\
114.35 +\isa{Divides{\isaliteral{2E}{\isachardot}}mod} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div} & (infixl $mod$ 70) \\
114.36 +\isa{abs} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}abs\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}abs} & ${\mid} x {\mid}$ \\
114.37 +\isa{sgn} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}sgn\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}sgn} \\
114.38 +\isa{less{\isaliteral{5F}{\isacharunderscore}}eq} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool} & (infixl $\le$ 50) \\
114.39 +\isa{less} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool} & (infixl $<$ 50) \\
114.40 +\isa{top} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}top} \\
114.41 +\isa{bot} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}bot}
114.42 +\end{tabular}
114.43 +\caption{Important Overloaded Constants in Main}
114.44 +\label{tab:overloading}
114.45 +\end{center}
114.46 +\end{table}%
114.47 +\end{isamarkuptext}%
114.48 +\isamarkuptrue%
114.49 +%
114.50 +\isadelimtheory
114.51 +%
114.52 +\endisadelimtheory
114.53 +%
114.54 +\isatagtheory
114.55 +%
114.56 +\endisatagtheory
114.57 +{\isafoldtheory}%
114.58 +%
114.59 +\isadelimtheory
114.60 +%
114.61 +\endisadelimtheory
114.62 +\end{isabellebody}%
114.63 +%%% Local Variables:
114.64 +%%% mode: latex
114.65 +%%% TeX-master: "root"
114.66 +%%% End:
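--- /dev/null
+++ b/doc-src/TutorialI/document/case_exprs.tex
@@ -0,0 +1,137 @@
+%
+\begin{isabellebody}%
+\def\isabellecontext{case{\isaliteral{5F}{\isacharunderscore}}exprs}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\begin{isamarkuptext}%
+\subsection{Case Expressions}
+\label{sec:case-expressions}\index{*case expressions}%
+HOL also features \isa{case}-expressions for analyzing
+elements of a datatype. For example,
+\begin{isabelle}%
+\ \ \ \ \ case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ y%
+\end{isabelle}
+evaluates to \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} if \isa{xs} is \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} and to \isa{y} if
+\isa{xs} is \isa{y\ {\isaliteral{23}{\isacharhash}}\ ys}. (Since the result in both branches must be of
+the same type, it follows that \isa{y} is of type \isa{{\isaliteral{27}{\isacharprime}}a\ list} and hence
+that \isa{xs} is of type \isa{{\isaliteral{27}{\isacharprime}}a\ list\ list}.)
+
+In general, case expressions are of the form
+\[
+\begin{array}{c}
+\isa{case}~e~\isa{of}\ pattern@1~\isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}}~e@1\ \isa{{\isaliteral{7C}{\isacharbar}}}\ \dots\
+ \isa{{\isaliteral{7C}{\isacharbar}}}~pattern@m~\isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}}~e@m
+\end{array}
+\]
+Like in functional programming, patterns are expressions consisting of
+datatype constructors (e.g. \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} and \isa{{\isaliteral{23}{\isacharhash}}})
+and variables, including the wildcard ``\verb$_$''.
+Not all cases need to be covered and the order of cases matters.
+However, one is well-advised not to wallow in complex patterns because
+complex case distinctions tend to induce complex proofs.
+
+\begin{warn}
+Internally Isabelle only knows about exhaustive case expressions with
+non-nested patterns: $pattern@i$ must be of the form
+$C@i~x@ {i1}~\dots~x@ {ik@i}$ and $C@1, \dots, C@m$ must be exactly the
+constructors of the type of $e$.
+%
+More complex case expressions are automatically
+translated into the simpler form upon parsing but are not translated
+back for printing. This may lead to surprising output.
+\end{warn}
+
+\begin{warn}
+Like \isa{if}, \isa{case}-expressions may need to be enclosed in
+parentheses to indicate their scope.
+\end{warn}
+
+\subsection{Structural Induction and Case Distinction}
+\label{sec:struct-ind-case}
+\index{case distinctions}\index{induction!structural}%
+Induction is invoked by \methdx{induct_tac}, as we have seen above;
+it works for any datatype. In some cases, induction is overkill and a case
+distinction over all constructors of the datatype suffices. This is performed
+by \methdx{case_tac}. Here is a trivial example:%
+\end{isamarkuptext}%
+\isamarkuptrue%
+\isacommand{lemma}\isamarkupfalse%
+\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y{\isaliteral{23}{\isacharhash}}ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+\isacommand{apply}\isamarkupfalse%
+{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
+\begin{isamarkuptxt}%
+\noindent
+results in the proof state
+\begin{isabelle}%
+\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs\isanewline
+\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
+\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }xs\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs%
+\end{isabelle}
+which is solved automatically:%
+\end{isamarkuptxt}%
+\isamarkuptrue%
+\isacommand{apply}\isamarkupfalse%
+{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\begin{isamarkuptext}%
+Note that we do not need to give a lemma a name if we do not intend to refer
+to it explicitly in the future.
+Other basic laws about a datatype are applied automatically during
+simplification, so no special methods are provided for them.
+
+\begin{warn}
+ Induction is only allowed on free (or \isasymAnd-bound) variables that
+ should not occur among the assumptions of the subgoal; see
+ \S\ref{sec:ind-var-in-prems} for details. Case distinction
+ (\isa{case{\isaliteral{5F}{\isacharunderscore}}tac}) works for arbitrary terms, which need to be
+ quoted if they are non-atomic. However, apart from \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}}-bound
+ variables, the terms must not contain variables that are bound outside.
+ For example, given the goal \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}xs{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}y\ ys{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys{\isaliteral{29}{\isacharparenright}}},
+ \isa{case{\isaliteral{5F}{\isacharunderscore}}tac\ xs} will not work as expected because Isabelle interprets
+ the \isa{xs} as a new free variable distinct from the bound
+ \isa{xs} in the goal.
+\end{warn}%
+\end{isamarkuptext}%
+\isamarkuptrue%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+\end{isabellebody}%
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "root"
+%%% End: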
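--- /dev/null
+++ b/doc-src/TutorialI/document/fakenat.tex
@@ -0,0 +1,42 @@
+%
+\begin{isabellebody}%
+\def\isabellecontext{fakenat}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\begin{isamarkuptext}%
+\noindent
+The type \tydx{nat} of natural
+numbers is predefined to have the constructors \cdx{0} and~\cdx{Suc}. It behaves as if it were declared like this:%
+\end{isamarkuptext}%
+\isamarkuptrue%
+\isacommand{datatype}\isamarkupfalse%
+\ nat\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ Suc\ nat%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+\end{isabellebody}%
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "root"
+%%% End: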
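--- /dev/null
+++ b/doc-src/TutorialI/document/find2.tex
@@ -0,0 +1,101 @@
+%
+\begin{isabellebody}%
+\def\isabellecontext{find{\isadigit{2}}}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+%
+\begin{isamarkuptxt}%
+\index{finding theorems}\index{searching theorems} In
+\S\ref{sec:find}, we introduced Proof General's \pgmenu{Find} button
+for finding theorems in the database via pattern matching. If we are
+inside a proof, we can be more specific; we can search for introduction,
+elimination and destruction rules \emph{with respect to the current goal}.
+For this purpose, \pgmenu{Find} provides three aditional search criteria:
+\texttt{intro}, \texttt{elim} and \texttt{dest}.
+
+For example, given the goal \begin{isabelle}%
+\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B%
+\end{isabelle}
+you can click on \pgmenu{Find} and type in the search expression
+\texttt{intro}. You will be shown a few rules ending in \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{3F}{\isacharquery}}Q},
+among them \isa{conjI}\@. You may even discover that
+the very theorem you are trying to prove is already in the
+database. Given the goal%
+\end{isamarkuptxt}%
+\isamarkuptrue%
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isatagproof
+%
+\begin{isamarkuptxt}%
+\vspace{-\bigskipamount}
+\begin{isabelle}%
+\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ A%
+\end{isabelle}
+the search for \texttt{intro} finds not just \isa{impI}
+but also \isa{imp{\isaliteral{5F}{\isacharunderscore}}refl}: \isa{{\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P}.
+
+As before, search criteria can be combined freely: for example,
+\begin{ttbox}
+"_ \at\ _" intro
+\end{ttbox}
+searches for all introduction rules that match the current goal and
+mention the \isa{{\isaliteral{40}{\isacharat}}} function.
+
+Searching for elimination and destruction rules via \texttt{elim} and
+\texttt{dest} is analogous to \texttt{intro} but takes the assumptions
+into account, too.%
+\end{isamarkuptxt}%
+\isamarkuptrue%
+%
+\endisatagproof
+{\isafoldproof}%
+%
+\isadelimproof
+%
+\endisadelimproof
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+\end{isabellebody}%
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "root"
+%%% End: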
118.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
118.2 +++ b/doc-src/TutorialI/document/fun0.tex Thu Jul 26 19:59:06 2012 +0200
118.3 @@ -0,0 +1,360 @@
118.4 +%
118.5 +\begin{isabellebody}%
118.6 +\def\isabellecontext{fun{\isadigit{0}}}%
118.7 +%
118.8 +\isadelimtheory
118.9 +%
118.10 +\endisadelimtheory
118.11 +%
118.12 +\isatagtheory
118.13 +%
118.14 +\endisatagtheory
118.15 +{\isafoldtheory}%
118.16 +%
118.17 +\isadelimtheory
118.18 +%
118.19 +\endisadelimtheory
118.20 +%
118.21 +\begin{isamarkuptext}%
118.22 +\subsection{Definition}
118.23 +\label{sec:fun-examples}
118.24 +
118.25 +Here is a simple example, the \rmindex{Fibonacci function}:%
118.26 +\end{isamarkuptext}%
118.27 +\isamarkuptrue%
118.28 +\isacommand{fun}\isamarkupfalse%
118.29 +\ fib\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
118.30 +{\isaliteral{22}{\isachardoublequoteopen}}fib\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
118.31 +{\isaliteral{22}{\isachardoublequoteopen}}fib\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
118.32 +{\isaliteral{22}{\isachardoublequoteopen}}fib\ {\isaliteral{28}{\isacharparenleft}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ fib\ x\ {\isaliteral{2B}{\isacharplus}}\ fib\ {\isaliteral{28}{\isacharparenleft}}Suc\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
118.33 +\begin{isamarkuptext}%
118.34 +\noindent
118.35 +This resembles ordinary functional programming languages. Note the obligatory
118.36 +\isacommand{where} and \isa{|}. Command \isacommand{fun} declares and
118.37 +defines the function in one go. Isabelle establishes termination automatically
118.38 +because \isa{fib}'s argument decreases in every recursive call.
118.39 +
118.40 +Slightly more interesting is the insertion of a fixed element
118.41 +between any two elements of a list:%
118.42 +\end{isamarkuptext}%
118.43 +\isamarkuptrue%
118.44 +\isacommand{fun}\isamarkupfalse%
118.45 +\ sep\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
118.46 +{\isaliteral{22}{\isachardoublequoteopen}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
118.47 +{\isaliteral{22}{\isachardoublequoteopen}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
118.48 +{\isaliteral{22}{\isachardoublequoteopen}}sep\ a\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{23}{\isacharhash}}\ a\ {\isaliteral{23}{\isacharhash}}\ sep\ a\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
118.49 +\begin{isamarkuptext}%
118.50 +\noindent
118.51 +This time the length of the list decreases with the
118.52 +recursive call; the first argument is irrelevant for termination.
118.53 +
118.54 +Pattern matching\index{pattern matching!and \isacommand{fun}}
118.55 +need not be exhaustive and may employ wildcards:%
118.56 +\end{isamarkuptext}%
118.57 +\isamarkuptrue%
118.58 +\isacommand{fun}\isamarkupfalse%
118.59 +\ last\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
118.60 +{\isaliteral{22}{\isachardoublequoteopen}}last\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
118.61 +{\isaliteral{22}{\isachardoublequoteopen}}last\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
118.62 +\begin{isamarkuptext}%
118.63 +Overlapping patterns are disambiguated by taking the order of equations into
118.64 +account, just as in functional programming:%
118.65 +\end{isamarkuptext}%
118.66 +\isamarkuptrue%
118.67 +\isacommand{fun}\isamarkupfalse%
118.68 +\ sep{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
118.69 +{\isaliteral{22}{\isachardoublequoteopen}}sep{\isadigit{1}}\ a\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{23}{\isacharhash}}\ a\ {\isaliteral{23}{\isacharhash}}\ sep{\isadigit{1}}\ a\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
118.70 +{\isaliteral{22}{\isachardoublequoteopen}}sep{\isadigit{1}}\ {\isaliteral{5F}{\isacharunderscore}}\ xs\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
118.71 +\begin{isamarkuptext}%
118.72 +\noindent
118.73 +To guarantee that the second equation can only be applied if the first
118.74 +one does not match, Isabelle internally replaces the second equation
118.75 +by the two possibilities that are left: \isa{sep{\isadigit{1}}\ a\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} and
118.76 +\isa{sep{\isadigit{1}}\ a\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}}. Thus the functions \isa{sep} and
118.77 +\isa{sep{\isadigit{1}}} are identical.
118.78 +
118.79 +Because of its pattern matching syntax, \isacommand{fun} is also useful
118.80 +for the definition of non-recursive functions:%
118.81 +\end{isamarkuptext}%
118.82 +\isamarkuptrue%
118.83 +\isacommand{fun}\isamarkupfalse%
118.84 +\ swap{\isadigit{1}}{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
118.85 +{\isaliteral{22}{\isachardoublequoteopen}}swap{\isadigit{1}}{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{23}{\isacharhash}}x{\isaliteral{23}{\isacharhash}}zs{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
118.86 +{\isaliteral{22}{\isachardoublequoteopen}}swap{\isadigit{1}}{\isadigit{2}}\ zs\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ zs{\isaliteral{22}{\isachardoublequoteclose}}%
118.87 +\begin{isamarkuptext}%
118.88 +After a function~$f$ has been defined via \isacommand{fun},
118.89 +its defining equations (or variants derived from them) are available
118.90 +under the name $f$\isa{{\isaliteral{2E}{\isachardot}}simps} as theorems.
118.91 +For example, look (via \isacommand{thm}) at
118.92 +\isa{sep{\isaliteral{2E}{\isachardot}}simps} and \isa{sep{\isadigit{1}}{\isaliteral{2E}{\isachardot}}simps} to see that they define
118.93 +the same function. What is more, those equations are automatically declared as
118.94 +simplification rules.
118.95 +
118.96 +\subsection{Termination}
118.97 +
118.98 +Isabelle's automatic termination prover for \isacommand{fun} has a
118.99 +fixed notion of the \emph{size} (of type \isa{nat}) of an
118.100 +argument. The size of a natural number is the number itself. The size
118.101 +of a list is its length. For the general case see \S\ref{sec:general-datatype}.
118.102 +A recursive function is accepted if \isacommand{fun} can
118.103 +show that the size of one fixed argument becomes smaller with each
118.104 +recursive call.
118.105 +
118.106 +More generally, \isacommand{fun} allows any \emph{lexicographic
118.107 +combination} of size measures in case there are multiple
118.108 +arguments. For example, the following version of \rmindex{Ackermann's
118.109 +function} is accepted:%
118.110 +\end{isamarkuptext}%
118.111 +\isamarkuptrue%
118.112 +\isacommand{fun}\isamarkupfalse%
118.113 +\ ack{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
118.114 +{\isaliteral{22}{\isachardoublequoteopen}}ack{\isadigit{2}}\ n\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ n{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
118.115 +{\isaliteral{22}{\isachardoublequoteopen}}ack{\isadigit{2}}\ {\isadigit{0}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ack{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
118.116 +{\isaliteral{22}{\isachardoublequoteopen}}ack{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ack{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}ack{\isadigit{2}}\ n\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ m{\isaliteral{22}{\isachardoublequoteclose}}%
118.117 +\begin{isamarkuptext}%
118.118 +The order of arguments has no influence on whether
118.119 +\isacommand{fun} can prove termination of a function. For more details
118.120 +see elsewhere~\cite{bulwahnKN07}.
118.121 +
118.122 +\subsection{Simplification}
118.123 +\label{sec:fun-simplification}
118.124 +
118.125 +Upon a successful termination proof, the recursion equations become
118.126 +simplification rules, just as with \isacommand{primrec}.
118.127 +In most cases this works fine, but there is a subtle
118.128 +problem that must be mentioned: simplification may not
118.129 +terminate because of automatic splitting of \isa{if}.
118.130 +\index{*if expressions!splitting of}
118.131 +Let us look at an example:%
118.132 +\end{isamarkuptext}%
118.133 +\isamarkuptrue%
118.134 +\isacommand{fun}\isamarkupfalse%
118.135 +\ gcd\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
118.136 +{\isaliteral{22}{\isachardoublequoteopen}}gcd\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}\ then\ m\ else\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
118.137 +\begin{isamarkuptext}%
118.138 +\noindent
118.139 +The second argument decreases with each recursive call.
118.140 +The termination condition
118.141 +\begin{isabelle}%
118.142 +\ \ \ \ \ n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ mod\ n\ {\isaliteral{3C}{\isacharless}}\ n%
118.143 +\end{isabelle}
118.144 +is proved automatically because it is already present as a lemma in
118.145 +HOL\@. Thus the recursion equation becomes a simplification
118.146 +rule. Of course the equation is nonterminating if we are allowed to unfold
118.147 +the recursive call inside the \isa{else} branch, which is why programming
118.148 +languages and our simplifier don't do that. Unfortunately the simplifier does
118.149 +something else that leads to the same problem: it splits
118.150 +each \isa{if}-expression unless its
118.151 +condition simplifies to \isa{True} or \isa{False}. For
118.152 +example, simplification reduces
118.153 +\begin{isabelle}%
118.154 +\ \ \ \ \ gcd\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ k%
118.155 +\end{isabelle}
118.156 +in one step to
118.157 +\begin{isabelle}%
118.158 +\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}if\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ then\ m\ else\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ k%
118.159 +\end{isabelle}
118.160 +where the condition cannot be reduced further, and splitting leads to
118.161 +\begin{isabelle}%
118.162 +\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ k{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ k{\isaliteral{29}{\isacharparenright}}%
118.163 +\end{isabelle}
118.164 +Since the recursive call \isa{gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}} is no longer protected by
118.165 +an \isa{if}, it is unfolded again, which leads to an infinite chain of
118.166 +simplification steps. Fortunately, this problem can be avoided in many
118.167 +different ways.
118.168 +
118.169 +The most radical solution is to disable the offending theorem
118.170 +\isa{split{\isaliteral{5F}{\isacharunderscore}}if},
118.171 +as shown in \S\ref{sec:AutoCaseSplits}. However, we do not recommend this
118.172 +approach: you will often have to invoke the rule explicitly when
118.173 +\isa{if} is involved.
118.174 +
118.175 +If possible, the definition should be given by pattern matching on the left
118.176 +rather than \isa{if} on the right. In the case of \isa{gcd} the
118.177 +following alternative definition suggests itself:%
118.178 +\end{isamarkuptext}%
118.179 +\isamarkuptrue%
118.180 +\isacommand{fun}\isamarkupfalse%
118.181 +\ gcd{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
118.182 +{\isaliteral{22}{\isachardoublequoteopen}}gcd{\isadigit{1}}\ m\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
118.183 +{\isaliteral{22}{\isachardoublequoteopen}}gcd{\isadigit{1}}\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ gcd{\isadigit{1}}\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
118.184 +\begin{isamarkuptext}%
118.185 +\noindent
118.186 +The order of equations is important: it hides the side condition
118.187 +\isa{n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}}. Unfortunately, not all conditionals can be
118.188 +expressed by pattern matching.
118.189 +
118.190 +A simple alternative is to replace \isa{if} by \isa{case},
118.191 +which is also available for \isa{bool} and is not split automatically:%
118.192 +\end{isamarkuptext}%
118.193 +\isamarkuptrue%
118.194 +\isacommand{fun}\isamarkupfalse%
118.195 +\ gcd{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
118.196 +{\isaliteral{22}{\isachardoublequoteopen}}gcd{\isadigit{2}}\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}\ of\ True\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ m\ {\isaliteral{7C}{\isacharbar}}\ False\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ gcd{\isadigit{2}}\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
118.197 +\begin{isamarkuptext}%
118.198 +\noindent
118.199 +This is probably the neatest solution next to pattern matching, and it is
118.200 +always available.
118.201 +
118.202 +A final alternative is to replace the offending simplification rules by
118.203 +derived conditional ones. For \isa{gcd} it means we have to prove
118.204 +these lemmas:%
118.205 +\end{isamarkuptext}%
118.206 +\isamarkuptrue%
118.207 +\isacommand{lemma}\isamarkupfalse%
118.208 +\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}gcd\ m\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
118.209 +%
118.210 +\isadelimproof
118.211 +%
118.212 +\endisadelimproof
118.213 +%
118.214 +\isatagproof
118.215 +\isacommand{apply}\isamarkupfalse%
118.216 +{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}\isanewline
118.217 +\isacommand{done}\isamarkupfalse%
118.218 +%
118.219 +\endisatagproof
118.220 +{\isafoldproof}%
118.221 +%
118.222 +\isadelimproof
118.223 +\isanewline
118.224 +%
118.225 +\endisadelimproof
118.226 +\isanewline
118.227 +\isacommand{lemma}\isamarkupfalse%
118.228 +\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ gcd\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
118.229 +%
118.230 +\isadelimproof
118.231 +%
118.232 +\endisadelimproof
118.233 +%
118.234 +\isatagproof
118.235 +\isacommand{apply}\isamarkupfalse%
118.236 +{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}\isanewline
118.237 +\isacommand{done}\isamarkupfalse%
118.238 +%
118.239 +\endisatagproof
118.240 +{\isafoldproof}%
118.241 +%
118.242 +\isadelimproof
118.243 +%
118.244 +\endisadelimproof
118.245 +%
118.246 +\begin{isamarkuptext}%
118.247 +\noindent
118.248 +Simplification terminates for these proofs because the condition of the \isa{if} simplifies to \isa{True} or \isa{False}.
118.249 +Now we can disable the original simplification rule:%
118.250 +\end{isamarkuptext}%
118.251 +\isamarkuptrue%
118.252 +\isacommand{declare}\isamarkupfalse%
118.253 +\ gcd{\isaliteral{2E}{\isachardot}}simps\ {\isaliteral{5B}{\isacharbrackleft}}simp\ del{\isaliteral{5D}{\isacharbrackright}}%
118.254 +\begin{isamarkuptext}%
118.255 +\index{induction!recursion|(}
118.256 +\index{recursion induction|(}
118.257 +
118.258 +\subsection{Induction}
118.259 +\label{sec:fun-induction}
118.260 +
118.261 +Having defined a function we might like to prove something about it.
118.262 +Since the function is recursive, the natural proof principle is
118.263 +again induction. But this time the structural form of induction that comes
118.264 +with datatypes is unlikely to work well --- otherwise we could have defined the
118.265 +function by \isacommand{primrec}. Therefore \isacommand{fun} automatically
118.266 +proves a suitable induction rule $f$\isa{{\isaliteral{2E}{\isachardot}}induct} that follows the
118.267 +recursion pattern of the particular function $f$. We call this
118.268 +\textbf{recursion induction}. Roughly speaking, it
118.269 +requires you to prove for each \isacommand{fun} equation that the property
118.270 +you are trying to establish holds for the left-hand side provided it holds
118.271 +for all recursive calls on the right-hand side. Here is a simple example
118.272 +involving the predefined \isa{map} functional on lists:%
118.273 +\end{isamarkuptext}%
118.274 +\isamarkuptrue%
118.275 +\isacommand{lemma}\isamarkupfalse%
118.276 +\ {\isaliteral{22}{\isachardoublequoteopen}}map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ x\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
118.277 +\isadelimproof
118.278 +%
118.279 +\endisadelimproof
118.280 +%
118.281 +\isatagproof
118.282 +%
118.283 +\begin{isamarkuptxt}%
118.284 +\noindent
118.285 +Note that \isa{map\ f\ xs}
118.286 +is the result of applying \isa{f} to all elements of \isa{xs}. We prove
118.287 +this lemma by recursion induction over \isa{sep}:%
118.288 +\end{isamarkuptxt}%
118.289 +\isamarkuptrue%
118.290 +\isacommand{apply}\isamarkupfalse%
118.291 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ x\ xs\ rule{\isaliteral{3A}{\isacharcolon}}\ sep{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
118.292 +\begin{isamarkuptxt}%
118.293 +\noindent
118.294 +The resulting proof state has three subgoals corresponding to the three
118.295 +clauses for \isa{sep}:
118.296 +\begin{isabelle}%
118.297 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a{\isaliteral{2E}{\isachardot}}\ map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
118.298 +\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ x{\isaliteral{2E}{\isachardot}}\ map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
118.299 +\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ x\ y\ zs{\isaliteral{2E}{\isachardot}}\isanewline
118.300 +\isaindent{\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
118.301 +\isaindent{\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
118.302 +\end{isabelle}
118.303 +The rest is pure simplification:%
118.304 +\end{isamarkuptxt}%
118.305 +\isamarkuptrue%
118.306 +\isacommand{apply}\isamarkupfalse%
118.307 +\ simp{\isaliteral{5F}{\isacharunderscore}}all\isanewline
118.308 +\isacommand{done}\isamarkupfalse%
118.309 +%
118.310 +\endisatagproof
118.311 +{\isafoldproof}%
118.312 +%
118.313 +\isadelimproof
118.314 +%
118.315 +\endisadelimproof
118.316 +%
118.317 +\begin{isamarkuptext}%
118.318 +\noindent The proof goes smoothly because the induction rule
118.319 +follows the recursion of \isa{sep}. Try proving the above lemma by
118.320 +structural induction, and you find that you need an additional case
118.321 +distinction.
118.322 +
118.323 +In general, the format of invoking recursion induction is
118.324 +\begin{quote}
118.325 +\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac} $x@1 \dots x@n$ \isa{rule{\isaliteral{3A}{\isacharcolon}}} $f$\isa{{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}}
118.326 +\end{quote}\index{*induct_tac (method)}%
118.327 +where $x@1~\dots~x@n$ is a list of free variables in the subgoal and $f$ the
118.328 +name of a function that takes $n$ arguments. Usually the subgoal will
118.329 +contain the term $f x@1 \dots x@n$ but this need not be the case. The
118.330 +induction rules do not mention $f$ at all. Here is \isa{sep{\isaliteral{2E}{\isachardot}}induct}:
118.331 +\begin{isabelle}
118.332 +{\isasymlbrakk}~{\isasymAnd}a.~P~a~[];\isanewline
118.333 +~~{\isasymAnd}a~x.~P~a~[x];\isanewline
118.334 +~~{\isasymAnd}a~x~y~zs.~P~a~(y~\#~zs)~{\isasymLongrightarrow}~P~a~(x~\#~y~\#~zs){\isasymrbrakk}\isanewline
118.335 +{\isasymLongrightarrow}~P~u~v%
118.336 +\end{isabelle}
118.337 +It merely says that in order to prove a property \isa{P} of \isa{u} and
118.338 +\isa{v} you need to prove it for the three cases where \isa{v} is the
118.339 +empty list, the singleton list, and the list with at least two elements.
118.340 +The final case has an induction hypothesis: you may assume that \isa{P}
118.341 +holds for the tail of that list.
118.342 +\index{induction!recursion|)}
118.343 +\index{recursion induction|)}%
118.344 +\end{isamarkuptext}%
118.345 +\isamarkuptrue%
118.346 +%
118.347 +\isadelimtheory
118.348 +%
118.349 +\endisadelimtheory
118.350 +%
118.351 +\isatagtheory
118.352 +%
118.353 +\endisatagtheory
118.354 +{\isafoldtheory}%
118.355 +%
118.356 +\isadelimtheory
118.357 +%
118.358 +\endisadelimtheory
118.359 +\end{isabellebody}%
118.360 +%%% Local Variables:
118.361 +%%% mode: latex
118.362 +%%% TeX-master: "root"
118.363 +%%% End:
119.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
119.2 +++ b/doc-src/TutorialI/document/natsum.tex Thu Jul 26 19:59:06 2012 +0200
119.3 @@ -0,0 +1,232 @@
119.4 +%
119.5 +\begin{isabellebody}%
119.6 +\def\isabellecontext{natsum}%
119.7 +%
119.8 +\isadelimtheory
119.9 +%
119.10 +\endisadelimtheory
119.11 +%
119.12 +\isatagtheory
119.13 +%
119.14 +\endisatagtheory
119.15 +{\isafoldtheory}%
119.16 +%
119.17 +\isadelimtheory
119.18 +%
119.19 +\endisadelimtheory
119.20 +%
119.21 +\begin{isamarkuptext}%
119.22 +\noindent
119.23 +In particular, there are \isa{case}-expressions, for example
119.24 +\begin{isabelle}%
119.25 +\ \ \ \ \ case\ n\ of\ {\isadigit{0}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ Suc\ m\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ m%
119.26 +\end{isabelle}
119.27 +primitive recursion, for example%
119.28 +\end{isamarkuptext}%
119.29 +\isamarkuptrue%
119.30 +\isacommand{primrec}\isamarkupfalse%
119.31 +\ sum\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
119.32 +{\isaliteral{22}{\isachardoublequoteopen}}sum\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
119.33 +{\isaliteral{22}{\isachardoublequoteopen}}sum\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ n\ {\isaliteral{2B}{\isacharplus}}\ sum\ n{\isaliteral{22}{\isachardoublequoteclose}}%
119.34 +\begin{isamarkuptext}%
119.35 +\noindent
119.36 +and induction, for example%
119.37 +\end{isamarkuptext}%
119.38 +\isamarkuptrue%
119.39 +\isacommand{lemma}\isamarkupfalse%
119.40 +\ {\isaliteral{22}{\isachardoublequoteopen}}sum\ n\ {\isaliteral{2B}{\isacharplus}}\ sum\ n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
119.41 +%
119.42 +\isadelimproof
119.43 +%
119.44 +\endisadelimproof
119.45 +%
119.46 +\isatagproof
119.47 +\isacommand{apply}\isamarkupfalse%
119.48 +{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isaliteral{29}{\isacharparenright}}\isanewline
119.49 +\isacommand{apply}\isamarkupfalse%
119.50 +{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
119.51 +\isacommand{done}\isamarkupfalse%
119.52 +%
119.53 +\endisatagproof
119.54 +{\isafoldproof}%
119.55 +%
119.56 +\isadelimproof
119.57 +%
119.58 +\endisadelimproof
119.59 +%
119.60 +\begin{isamarkuptext}%
119.61 +\newcommand{\mystar}{*%
119.62 +}
119.63 +\index{arithmetic operations!for \protect\isa{nat}}%
119.64 +The arithmetic operations \isadxboldpos{+}{$HOL2arithfun},
119.65 +\isadxboldpos{-}{$HOL2arithfun}, \isadxboldpos{\mystar}{$HOL2arithfun},
119.66 +\sdx{div}, \sdx{mod}, \cdx{min} and
119.67 +\cdx{max} are predefined, as are the relations
119.68 +\isadxboldpos{\isasymle}{$HOL2arithrel} and
119.69 +\isadxboldpos{<}{$HOL2arithrel}. As usual, \isa{m\ {\isaliteral{2D}{\isacharminus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}} if
119.70 +\isa{m\ {\isaliteral{3C}{\isacharless}}\ n}. There is even a least number operation
119.71 +\sdx{LEAST}\@. For example, \isa{{\isaliteral{28}{\isacharparenleft}}LEAST\ n{\isaliteral{2E}{\isachardot}}\ {\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isadigit{0}}}.
119.72 +\begin{warn}\index{overloading}
119.73 + The constants \cdx{0} and \cdx{1} and the operations
119.74 + \isadxboldpos{+}{$HOL2arithfun}, \isadxboldpos{-}{$HOL2arithfun},
119.75 + \isadxboldpos{\mystar}{$HOL2arithfun}, \cdx{min},
119.76 + \cdx{max}, \isadxboldpos{\isasymle}{$HOL2arithrel} and
119.77 + \isadxboldpos{<}{$HOL2arithrel} are overloaded: they are available
119.78 + not just for natural numbers but for other types as well.
119.79 + For example, given the goal \isa{x\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ x}, there is nothing to indicate
119.80 + that you are talking about natural numbers. Hence Isabelle can only infer
119.81 + that \isa{x} is of some arbitrary type where \isa{{\isadigit{0}}} and \isa{{\isaliteral{2B}{\isacharplus}}} are
119.82 + declared. As a consequence, you will be unable to prove the
119.83 + goal. To alert you to such pitfalls, Isabelle flags numerals without a
119.84 + fixed type in its output: \isa{x\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x}. (In the absence of a numeral,
119.85 + it may take you some time to realize what has happened if \pgmenu{Show
119.86 + Types} is not set). In this particular example, you need to include
119.87 + an explicit type constraint, for example \isa{x{\isaliteral{2B}{\isacharplus}}{\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}}. If there
119.88 + is enough contextual information this may not be necessary: \isa{Suc\ x\ {\isaliteral{3D}{\isacharequal}}\ x} automatically implies \isa{x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat} because \isa{Suc} is not
119.89 + overloaded.
119.90 +
119.91 + For details on overloading see \S\ref{sec:overloading}.
119.92 + Table~\ref{tab:overloading} in the appendix shows the most important
119.93 + overloaded operations.
119.94 +\end{warn}
119.95 +\begin{warn}
119.96 + The symbols \isadxboldpos{>}{$HOL2arithrel} and
119.97 + \isadxboldpos{\isasymge}{$HOL2arithrel} are merely syntax: \isa{x\ {\isaliteral{3E}{\isachargreater}}\ y}
119.98 + stands for \isa{y\ {\isaliteral{3C}{\isacharless}}\ x} and similary for \isa{{\isaliteral{5C3C67653E}{\isasymge}}} and
119.99 + \isa{{\isaliteral{5C3C6C653E}{\isasymle}}}.
119.100 +\end{warn}
119.101 +\begin{warn}
119.102 + Constant \isa{{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat} is defined to equal \isa{Suc\ {\isadigit{0}}}. This definition
119.103 + (see \S\ref{sec:ConstDefinitions}) is unfolded automatically by some
119.104 + tactics (like \isa{auto}, \isa{simp} and \isa{arith}) but not by
119.105 + others (especially the single step tactics in Chapter~\ref{chap:rules}).
119.106 + If you need the full set of numerals, see~\S\ref{sec:numerals}.
119.107 + \emph{Novices are advised to stick to \isa{{\isadigit{0}}} and \isa{Suc}.}
119.108 +\end{warn}
119.109 +
119.110 +Both \isa{auto} and \isa{simp}
119.111 +(a method introduced below, \S\ref{sec:Simplification}) prove
119.112 +simple arithmetic goals automatically:%
119.113 +\end{isamarkuptext}%
119.114 +\isamarkuptrue%
119.115 +\isacommand{lemma}\isamarkupfalse%
119.116 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ m\ {\isaliteral{3C}{\isacharless}}\ n{\isaliteral{3B}{\isacharsemicolon}}\ m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}%
119.117 +\isadelimproof
119.118 +%
119.119 +\endisadelimproof
119.120 +%
119.121 +\isatagproof
119.122 +%
119.123 +\endisatagproof
119.124 +{\isafoldproof}%
119.125 +%
119.126 +\isadelimproof
119.127 +%
119.128 +\endisadelimproof
119.129 +%
119.130 +\begin{isamarkuptext}%
119.131 +\noindent
119.132 +For efficiency's sake, this built-in prover ignores quantified formulae,
119.133 +many logical connectives, and all arithmetic operations apart from addition.
119.134 +In consequence, \isa{auto} and \isa{simp} cannot prove this slightly more complex goal:%
119.135 +\end{isamarkuptext}%
119.136 +\isamarkuptrue%
119.137 +\isacommand{lemma}\isamarkupfalse%
119.138 +\ {\isaliteral{22}{\isachardoublequoteopen}}m\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{28}{\isacharparenleft}}n{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{5C3C6F723E}{\isasymor}}\ n\ {\isaliteral{3C}{\isacharless}}\ m{\isaliteral{22}{\isachardoublequoteclose}}%
119.139 +\isadelimproof
119.140 +%
119.141 +\endisadelimproof
119.142 +%
119.143 +\isatagproof
119.144 +%
119.145 +\endisatagproof
119.146 +{\isafoldproof}%
119.147 +%
119.148 +\isadelimproof
119.149 +%
119.150 +\endisadelimproof
119.151 +%
119.152 +\begin{isamarkuptext}%
119.153 +\noindent The method \methdx{arith} is more general. It attempts to
119.154 +prove the first subgoal provided it is a \textbf{linear arithmetic} formula.
119.155 +Such formulas may involve the usual logical connectives (\isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}},
119.156 +\isa{{\isaliteral{5C3C616E643E}{\isasymand}}}, \isa{{\isaliteral{5C3C6F723E}{\isasymor}}}, \isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}, \isa{{\isaliteral{3D}{\isacharequal}}},
119.157 +\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}}, \isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}}), the relations \isa{{\isaliteral{3D}{\isacharequal}}},
119.158 +\isa{{\isaliteral{5C3C6C653E}{\isasymle}}} and \isa{{\isaliteral{3C}{\isacharless}}}, and the operations \isa{{\isaliteral{2B}{\isacharplus}}}, \isa{{\isaliteral{2D}{\isacharminus}}},
119.159 +\isa{min} and \isa{max}. For example,%
119.160 +\end{isamarkuptext}%
119.161 +\isamarkuptrue%
119.162 +\isacommand{lemma}\isamarkupfalse%
119.163 +\ {\isaliteral{22}{\isachardoublequoteopen}}min\ i\ {\isaliteral{28}{\isacharparenleft}}max\ j\ {\isaliteral{28}{\isacharparenleft}}k{\isaliteral{2A}{\isacharasterisk}}k{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ max\ {\isaliteral{28}{\isacharparenleft}}min\ {\isaliteral{28}{\isacharparenleft}}k{\isaliteral{2A}{\isacharasterisk}}k{\isaliteral{29}{\isacharparenright}}\ i{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}min\ i\ {\isaliteral{28}{\isacharparenleft}}j{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
119.164 +%
119.165 +\isadelimproof
119.166 +%
119.167 +\endisadelimproof
119.168 +%
119.169 +\isatagproof
119.170 +\isacommand{apply}\isamarkupfalse%
119.171 +{\isaliteral{28}{\isacharparenleft}}arith{\isaliteral{29}{\isacharparenright}}%
119.172 +\endisatagproof
119.173 +{\isafoldproof}%
119.174 +%
119.175 +\isadelimproof
119.176 +%
119.177 +\endisadelimproof
119.178 +%
119.179 +\begin{isamarkuptext}%
119.180 +\noindent
119.181 +succeeds because \isa{k\ {\isaliteral{2A}{\isacharasterisk}}\ k} can be treated as atomic. In contrast,%
119.182 +\end{isamarkuptext}%
119.183 +\isamarkuptrue%
119.184 +\isacommand{lemma}\isamarkupfalse%
119.185 +\ {\isaliteral{22}{\isachardoublequoteopen}}n{\isaliteral{2A}{\isacharasterisk}}n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}%
119.186 +\isadelimproof
119.187 +%
119.188 +\endisadelimproof
119.189 +%
119.190 +\isatagproof
119.191 +%
119.192 +\endisatagproof
119.193 +{\isafoldproof}%
119.194 +%
119.195 +\isadelimproof
119.196 +%
119.197 +\endisadelimproof
119.198 +%
119.199 +\begin{isamarkuptext}%
119.200 +\noindent
119.201 +is not proved by \isa{arith} because the proof relies
119.202 +on properties of multiplication. Only multiplication by numerals (which is
119.203 +the same as iterated addition) is taken into account.
119.204 +
119.205 +\begin{warn} The running time of \isa{arith} is exponential in the number
119.206 + of occurrences of \ttindexboldpos{-}{$HOL2arithfun}, \cdx{min} and
119.207 + \cdx{max} because they are first eliminated by case distinctions.
119.208 +
119.209 +If \isa{k} is a numeral, \sdx{div}~\isa{k}, \sdx{mod}~\isa{k} and
119.210 +\isa{k}~\sdx{dvd} are also supported, where the former two are eliminated
119.211 +by case distinctions, again blowing up the running time.
119.212 +
119.213 +If the formula involves quantifiers, \isa{arith} may take
119.214 +super-exponential time and space.
119.215 +\end{warn}%
119.216 +\end{isamarkuptext}%
119.217 +\isamarkuptrue%
119.218 +%
119.219 +\isadelimtheory
119.220 +%
119.221 +\endisadelimtheory
119.222 +%
119.223 +\isatagtheory
119.224 +%
119.225 +\endisatagtheory
119.226 +{\isafoldtheory}%
119.227 +%
119.228 +\isadelimtheory
119.229 +%
119.230 +\endisadelimtheory
119.231 +\end{isabellebody}%
119.232 +%%% Local Variables:
119.233 +%%% mode: latex
119.234 +%%% TeX-master: "root"
119.235 +%%% End:
120.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
120.2 +++ b/doc-src/TutorialI/document/pairs2.tex Thu Jul 26 19:59:06 2012 +0200
120.3 @@ -0,0 +1,66 @@
120.4 +%
120.5 +\begin{isabellebody}%
120.6 +\def\isabellecontext{pairs{\isadigit{2}}}%
120.7 +%
120.8 +\isadelimtheory
120.9 +%
120.10 +\endisadelimtheory
120.11 +%
120.12 +\isatagtheory
120.13 +%
120.14 +\endisatagtheory
120.15 +{\isafoldtheory}%
120.16 +%
120.17 +\isadelimtheory
120.18 +%
120.19 +\endisadelimtheory
120.20 +%
120.21 +\begin{isamarkuptext}%
120.22 +\label{sec:pairs}\index{pairs and tuples}
120.23 +HOL also has ordered pairs: \isa{($a@1$,$a@2$)} is of type $\tau@1$
120.24 +\indexboldpos{\isasymtimes}{$Isatype} $\tau@2$ provided each $a@i$ is of type
120.25 +$\tau@i$. The functions \cdx{fst} and
120.26 +\cdx{snd} extract the components of a pair:
120.27 + \isa{fst($x$,$y$) = $x$} and \isa{snd($x$,$y$) = $y$}. Tuples
120.28 +are simulated by pairs nested to the right: \isa{($a@1$,$a@2$,$a@3$)} stands
120.29 +for \isa{($a@1$,($a@2$,$a@3$))} and $\tau@1 \times \tau@2 \times \tau@3$ for
120.30 +$\tau@1 \times (\tau@2 \times \tau@3)$. Therefore we have
120.31 +\isa{fst(snd($a@1$,$a@2$,$a@3$)) = $a@2$}.
120.32 +
120.33 +Remarks:
120.34 +\begin{itemize}
120.35 +\item
120.36 +There is also the type \tydx{unit}, which contains exactly one
120.37 +element denoted by~\cdx{()}. This type can be viewed
120.38 +as a degenerate product with 0 components.
120.39 +\item
120.40 +Products, like type \isa{nat}, are datatypes, which means
120.41 +in particular that \isa{induct{\isaliteral{5F}{\isacharunderscore}}tac} and \isa{case{\isaliteral{5F}{\isacharunderscore}}tac} are applicable to
120.42 +terms of product type.
120.43 +Both split the term into a number of variables corresponding to the tuple structure
120.44 +(up to 7 components).
120.45 +\item
120.46 +Tuples with more than two or three components become unwieldy;
120.47 +records are preferable.
120.48 +\end{itemize}
120.49 +For more information on pairs and records see Chapter~\ref{ch:more-types}.%
120.50 +\end{isamarkuptext}%
120.51 +\isamarkuptrue%
120.52 +%
120.53 +\isadelimtheory
120.54 +%
120.55 +\endisadelimtheory
120.56 +%
120.57 +\isatagtheory
120.58 +%
120.59 +\endisatagtheory
120.60 +{\isafoldtheory}%
120.61 +%
120.62 +\isadelimtheory
120.63 +%
120.64 +\endisadelimtheory
120.65 +\end{isabellebody}%
120.66 +%%% Local Variables:
120.67 +%%% mode: latex
120.68 +%%% TeX-master: "root"
120.69 +%%% End:
121.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
121.2 +++ b/doc-src/TutorialI/document/prime_def.tex Thu Jul 26 19:59:06 2012 +0200
121.3 @@ -0,0 +1,53 @@
121.4 +%
121.5 +\begin{isabellebody}%
121.6 +\def\isabellecontext{prime{\isaliteral{5F}{\isacharunderscore}}def}%
121.7 +%
121.8 +\isadelimtheory
121.9 +%
121.10 +\endisadelimtheory
121.11 +%
121.12 +\isatagtheory
121.13 +%
121.14 +\endisatagtheory
121.15 +{\isafoldtheory}%
121.16 +%
121.17 +\isadelimtheory
121.18 +%
121.19 +\endisadelimtheory
121.20 +%
121.21 +\begin{isamarkuptext}%
121.22 +\begin{warn}
121.23 +A common mistake when writing definitions is to introduce extra free
121.24 +variables on the right-hand side. Consider the following, flawed definition
121.25 +(where \isa{dvd} means ``divides''):
121.26 +\begin{isabelle}%
121.27 +\ \ \ \ \ {\isaliteral{22}{\isachardoublequote}}prime\ p\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isadigit{1}}\ {\isaliteral{3C}{\isacharless}}\ p\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}m\ dvd\ p\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ m\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}%
121.28 +\end{isabelle}
121.29 +\par\noindent\hangindent=0pt
121.30 +Isabelle rejects this ``definition'' because of the extra \isa{m} on the
121.31 +right-hand side, which would introduce an inconsistency (why?).
121.32 +The correct version is
121.33 +\begin{isabelle}%
121.34 +\ \ \ \ \ {\isaliteral{22}{\isachardoublequote}}prime\ p\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isadigit{1}}\ {\isaliteral{3C}{\isacharless}}\ p\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{2E}{\isachardot}}\ m\ dvd\ p\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ m\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}%
121.35 +\end{isabelle}
121.36 +\end{warn}%
121.37 +\end{isamarkuptext}%
121.38 +\isamarkuptrue%
121.39 +%
121.40 +\isadelimtheory
121.41 +%
121.42 +\endisadelimtheory
121.43 +%
121.44 +\isatagtheory
121.45 +%
121.46 +\endisatagtheory
121.47 +{\isafoldtheory}%
121.48 +%
121.49 +\isadelimtheory
121.50 +%
121.51 +\endisadelimtheory
121.52 +\end{isabellebody}%
121.53 +%%% Local Variables:
121.54 +%%% mode: latex
121.55 +%%% TeX-master: "root"
121.56 +%%% End:
122.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
122.2 +++ b/doc-src/TutorialI/document/simp.tex Thu Jul 26 19:59:06 2012 +0200
122.3 @@ -0,0 +1,799 @@
122.4 +%
122.5 +\begin{isabellebody}%
122.6 +\def\isabellecontext{simp}%
122.7 +%
122.8 +\isadelimtheory
122.9 +%
122.10 +\endisadelimtheory
122.11 +%
122.12 +\isatagtheory
122.13 +%
122.14 +\endisatagtheory
122.15 +{\isafoldtheory}%
122.16 +%
122.17 +\isadelimtheory
122.18 +%
122.19 +\endisadelimtheory
122.20 +%
122.21 +\isamarkupsubsection{Simplification Rules%
122.22 +}
122.23 +\isamarkuptrue%
122.24 +%
122.25 +\begin{isamarkuptext}%
122.26 +\index{simplification rules}
122.27 +To facilitate simplification,
122.28 +the attribute \isa{{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}}\index{*simp (attribute)}
122.29 +declares theorems to be simplification rules, which the simplifier
122.30 +will use automatically. In addition, \isacommand{datatype} and
122.31 +\isacommand{primrec} declarations (and a few others)
122.32 +implicitly declare some simplification rules.
122.33 +Explicit definitions are \emph{not} declared as
122.34 +simplification rules automatically!
122.35 +
122.36 +Nearly any theorem can become a simplification
122.37 +rule. The simplifier will try to transform it into an equation.
122.38 +For example, the theorem
122.39 +\isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ P} is turned into \isa{P\ {\isaliteral{3D}{\isacharequal}}\ False}. The details
122.40 +are explained in \S\ref{sec:SimpHow}.
122.41 +
122.42 +The simplification attribute of theorems can be turned on and off:%
122.43 +\index{*simp del (attribute)}
122.44 +\begin{quote}
122.45 +\isacommand{declare} \textit{theorem-name}\isa{{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}}\\
122.46 +\isacommand{declare} \textit{theorem-name}\isa{{\isaliteral{5B}{\isacharbrackleft}}simp\ del{\isaliteral{5D}{\isacharbrackright}}}
122.47 +\end{quote}
122.48 +Only equations that really simplify, like \isa{rev\
122.49 +{\isacharparenleft}rev\ xs{\isacharparenright}\ {\isacharequal}\ xs} and
122.50 +\isa{xs\ {\isacharat}\ {\isacharbrackleft}{\isacharbrackright}\
122.51 +{\isacharequal}\ xs}, should be declared as default simplification rules.
122.52 +More specific ones should only be used selectively and should
122.53 +not be made default. Distributivity laws, for example, alter
122.54 +the structure of terms and can produce an exponential blow-up instead of
122.55 +simplification. A default simplification rule may
122.56 +need to be disabled in certain proofs. Frequent changes in the simplification
122.57 +status of a theorem may indicate an unwise use of defaults.
122.58 +\begin{warn}
122.59 + Simplification can run forever, for example if both $f(x) = g(x)$ and
122.60 + $g(x) = f(x)$ are simplification rules. It is the user's responsibility not
122.61 + to include simplification rules that can lead to nontermination, either on
122.62 + their own or in combination with other simplification rules.
122.63 +\end{warn}
122.64 +\begin{warn}
122.65 + It is inadvisable to toggle the simplification attribute of a
122.66 + theorem from a parent theory $A$ in a child theory $B$ for good.
122.67 + The reason is that if some theory $C$ is based both on $B$ and (via a
122.68 + different path) on $A$, it is not defined what the simplification attribute
122.69 + of that theorem will be in $C$: it could be either.
122.70 +\end{warn}%
122.71 +\end{isamarkuptext}%
122.72 +\isamarkuptrue%
122.73 +%
122.74 +\isamarkupsubsection{The {\tt\slshape simp} Method%
122.75 +}
122.76 +\isamarkuptrue%
122.77 +%
122.78 +\begin{isamarkuptext}%
122.79 +\index{*simp (method)|bold}
122.80 +The general format of the simplification method is
122.81 +\begin{quote}
122.82 +\isa{simp} \textit{list of modifiers}
122.83 +\end{quote}
122.84 +where the list of \emph{modifiers} fine tunes the behaviour and may
122.85 +be empty. Specific modifiers are discussed below. Most if not all of the
122.86 +proofs seen so far could have been performed
122.87 +with \isa{simp} instead of \isa{auto}, except that \isa{simp} attacks
122.88 +only the first subgoal and may thus need to be repeated --- use
122.89 +\methdx{simp_all} to simplify all subgoals.
122.90 +If nothing changes, \isa{simp} fails.%
122.91 +\end{isamarkuptext}%
122.92 +\isamarkuptrue%
122.93 +%
122.94 +\isamarkupsubsection{Adding and Deleting Simplification Rules%
122.95 +}
122.96 +\isamarkuptrue%
122.97 +%
122.98 +\begin{isamarkuptext}%
122.99 +\index{simplification rules!adding and deleting}%
122.100 +If a certain theorem is merely needed in a few proofs by simplification,
122.101 +we do not need to make it a global simplification rule. Instead we can modify
122.102 +the set of simplification rules used in a simplification step by adding rules
122.103 +to it and/or deleting rules from it. The two modifiers for this are
122.104 +\begin{quote}
122.105 +\isa{add{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}\index{*add (modifier)}\\
122.106 +\isa{del{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}\index{*del (modifier)}
122.107 +\end{quote}
122.108 +Or you can use a specific list of theorems and omit all others:
122.109 +\begin{quote}
122.110 +\isa{only{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}\index{*only (modifier)}
122.111 +\end{quote}
122.112 +In this example, we invoke the simplifier, adding two distributive
122.113 +laws:
122.114 +\begin{quote}
122.115 +\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ mod{\isaliteral{5F}{\isacharunderscore}}mult{\isaliteral{5F}{\isacharunderscore}}distrib\ add{\isaliteral{5F}{\isacharunderscore}}mult{\isaliteral{5F}{\isacharunderscore}}distrib{\isaliteral{29}{\isacharparenright}}}
122.116 +\end{quote}%
122.117 +\end{isamarkuptext}%
122.118 +\isamarkuptrue%
122.119 +%
122.120 +\isamarkupsubsection{Assumptions%
122.121 +}
122.122 +\isamarkuptrue%
122.123 +%
122.124 +\begin{isamarkuptext}%
122.125 +\index{simplification!with/of assumptions}
122.126 +By default, assumptions are part of the simplification process: they are used
122.127 +as simplification rules and are simplified themselves. For example:%
122.128 +\end{isamarkuptext}%
122.129 +\isamarkuptrue%
122.130 +\isacommand{lemma}\isamarkupfalse%
122.131 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ xs\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ ys\ {\isaliteral{40}{\isacharat}}\ xs{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ zs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
122.132 +%
122.133 +\isadelimproof
122.134 +%
122.135 +\endisadelimproof
122.136 +%
122.137 +\isatagproof
122.138 +\isacommand{apply}\isamarkupfalse%
122.139 +\ simp\isanewline
122.140 +\isacommand{done}\isamarkupfalse%
122.141 +%
122.142 +\endisatagproof
122.143 +{\isafoldproof}%
122.144 +%
122.145 +\isadelimproof
122.146 +%
122.147 +\endisadelimproof
122.148 +%
122.149 +\begin{isamarkuptext}%
122.150 +\noindent
122.151 +The second assumption simplifies to \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, which in turn
122.152 +simplifies the first assumption to \isa{zs\ {\isaliteral{3D}{\isacharequal}}\ ys}, thus reducing the
122.153 +conclusion to \isa{ys\ {\isaliteral{3D}{\isacharequal}}\ ys} and hence to \isa{True}.
122.154 +
122.155 +In some cases, using the assumptions can lead to nontermination:%
122.156 +\end{isamarkuptext}%
122.157 +\isamarkuptrue%
122.158 +\isacommand{lemma}\isamarkupfalse%
122.159 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}g\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ f\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
122.160 +\isadelimproof
122.161 +%
122.162 +\endisadelimproof
122.163 +%
122.164 +\isatagproof
122.165 +%
122.166 +\begin{isamarkuptxt}%
122.167 +\noindent
122.168 +An unmodified application of \isa{simp} loops. The culprit is the
122.169 +simplification rule \isa{f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}g\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}, which is extracted from
122.170 +the assumption. (Isabelle notices certain simple forms of
122.171 +nontermination but not this one.) The problem can be circumvented by
122.172 +telling the simplifier to ignore the assumptions:%
122.173 +\end{isamarkuptxt}%
122.174 +\isamarkuptrue%
122.175 +\isacommand{apply}\isamarkupfalse%
122.176 +{\isaliteral{28}{\isacharparenleft}}simp\ {\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
122.177 +\isacommand{done}\isamarkupfalse%
122.178 +%
122.179 +\endisatagproof
122.180 +{\isafoldproof}%
122.181 +%
122.182 +\isadelimproof
122.183 +%
122.184 +\endisadelimproof
122.185 +%
122.186 +\begin{isamarkuptext}%
122.187 +\noindent
122.188 +Three modifiers influence the treatment of assumptions:
122.189 +\begin{description}
122.190 +\item[\isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}}]\index{*no_asm (modifier)}
122.191 + means that assumptions are completely ignored.
122.192 +\item[\isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{5F}{\isacharunderscore}}simp{\isaliteral{29}{\isacharparenright}}}]\index{*no_asm_simp (modifier)}
122.193 + means that the assumptions are not simplified but
122.194 + are used in the simplification of the conclusion.
122.195 +\item[\isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{5F}{\isacharunderscore}}use{\isaliteral{29}{\isacharparenright}}}]\index{*no_asm_use (modifier)}
122.196 + means that the assumptions are simplified but are not
122.197 + used in the simplification of each other or the conclusion.
122.198 +\end{description}
122.199 +Only one of the modifiers is allowed, and it must precede all
122.200 +other modifiers.
122.201 +%\begin{warn}
122.202 +%Assumptions are simplified in a left-to-right fashion. If an
122.203 +%assumption can help in simplifying one to the left of it, this may get
122.204 +%overlooked. In such cases you have to rotate the assumptions explicitly:
122.205 +%\isacommand{apply}@ {text"("}\methdx{rotate_tac}~$n$@ {text")"}
122.206 +%causes a cyclic shift by $n$ positions from right to left, if $n$ is
122.207 +%positive, and from left to right, if $n$ is negative.
122.208 +%Beware that such rotations make proofs quite brittle.
122.209 +%\end{warn}%
122.210 +\end{isamarkuptext}%
122.211 +\isamarkuptrue%
122.212 +%
122.213 +\isamarkupsubsection{Rewriting with Definitions%
122.214 +}
122.215 +\isamarkuptrue%
122.216 +%
122.217 +\begin{isamarkuptext}%
122.218 +\label{sec:Simp-with-Defs}\index{simplification!with definitions}
122.219 +Constant definitions (\S\ref{sec:ConstDefinitions}) can be used as
122.220 +simplification rules, but by default they are not: the simplifier does not
122.221 +expand them automatically. Definitions are intended for introducing abstract
122.222 +concepts and not merely as abbreviations. Of course, we need to expand
122.223 +the definition initially, but once we have proved enough abstract properties
122.224 +of the new constant, we can forget its original definition. This style makes
122.225 +proofs more robust: if the definition has to be changed,
122.226 +only the proofs of the abstract properties will be affected.
122.227 +
122.228 +For example, given%
122.229 +\end{isamarkuptext}%
122.230 +\isamarkuptrue%
122.231 +\isacommand{definition}\isamarkupfalse%
122.232 +\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
122.233 +{\isaliteral{22}{\isachardoublequoteopen}}xor\ A\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
122.234 +\begin{isamarkuptext}%
122.235 +\noindent
122.236 +we may want to prove%
122.237 +\end{isamarkuptext}%
122.238 +\isamarkuptrue%
122.239 +\isacommand{lemma}\isamarkupfalse%
122.240 +\ {\isaliteral{22}{\isachardoublequoteopen}}xor\ A\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
122.241 +\isadelimproof
122.242 +%
122.243 +\endisadelimproof
122.244 +%
122.245 +\isatagproof
122.246 +%
122.247 +\begin{isamarkuptxt}%
122.248 +\noindent
122.249 +Typically, we begin by unfolding some definitions:
122.250 +\indexbold{definitions!unfolding}%
122.251 +\end{isamarkuptxt}%
122.252 +\isamarkuptrue%
122.253 +\isacommand{apply}\isamarkupfalse%
122.254 +{\isaliteral{28}{\isacharparenleft}}simp\ only{\isaliteral{3A}{\isacharcolon}}\ xor{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
122.255 +\begin{isamarkuptxt}%
122.256 +\noindent
122.257 +In this particular case, the resulting goal
122.258 +\begin{isabelle}%
122.259 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A%
122.260 +\end{isabelle}
122.261 +can be proved by simplification. Thus we could have proved the lemma outright by%
122.262 +\end{isamarkuptxt}%
122.263 +\isamarkuptrue%
122.264 +%
122.265 +\endisatagproof
122.266 +{\isafoldproof}%
122.267 +%
122.268 +\isadelimproof
122.269 +%
122.270 +\endisadelimproof
122.271 +%
122.272 +\isadelimproof
122.273 +%
122.274 +\endisadelimproof
122.275 +%
122.276 +\isatagproof
122.277 +\isacommand{apply}\isamarkupfalse%
122.278 +{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ xor{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
122.279 +\endisatagproof
122.280 +{\isafoldproof}%
122.281 +%
122.282 +\isadelimproof
122.283 +%
122.284 +\endisadelimproof
122.285 +%
122.286 +\begin{isamarkuptext}%
122.287 +\noindent
122.288 +Of course we can also unfold definitions in the middle of a proof.
122.289 +
122.290 +\begin{warn}
122.291 + If you have defined $f\,x\,y~\isasymequiv~t$ then you can only unfold
122.292 + occurrences of $f$ with at least two arguments. This may be helpful for unfolding
122.293 + $f$ selectively, but it may also get in the way. Defining
122.294 + $f$~\isasymequiv~\isasymlambda$x\,y.\;t$ allows to unfold all occurrences of $f$.
122.295 +\end{warn}
122.296 +
122.297 +There is also the special method \isa{unfold}\index{*unfold (method)|bold}
122.298 +which merely unfolds
122.299 +one or several definitions, as in \isacommand{apply}\isa{(unfold xor_def)}.
122.300 +This is can be useful in situations where \isa{simp} does too much.
122.301 +Warning: \isa{unfold} acts on all subgoals!%
122.302 +\end{isamarkuptext}%
122.303 +\isamarkuptrue%
122.304 +%
122.305 +\isamarkupsubsection{Simplifying {\tt\slshape let}-Expressions%
122.306 +}
122.307 +\isamarkuptrue%
122.308 +%
122.309 +\begin{isamarkuptext}%
122.310 +\index{simplification!of \isa{let}-expressions}\index{*let expressions}%
122.311 +Proving a goal containing \isa{let}-expressions almost invariably requires the
122.312 +\isa{let}-con\-structs to be expanded at some point. Since
122.313 +\isa{let}\ldots\isa{=}\ldots\isa{in}{\ldots} is just syntactic sugar for
122.314 +the predefined constant \isa{Let}, expanding \isa{let}-constructs
122.315 +means rewriting with \tdx{Let_def}:%
122.316 +\end{isamarkuptext}%
122.317 +\isamarkuptrue%
122.318 +\isacommand{lemma}\isamarkupfalse%
122.319 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}let\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ in\ xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{40}{\isacharat}}xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
122.320 +%
122.321 +\isadelimproof
122.322 +%
122.323 +\endisadelimproof
122.324 +%
122.325 +\isatagproof
122.326 +\isacommand{apply}\isamarkupfalse%
122.327 +{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ Let{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
122.328 +\isacommand{done}\isamarkupfalse%
122.329 +%
122.330 +\endisatagproof
122.331 +{\isafoldproof}%
122.332 +%
122.333 +\isadelimproof
122.334 +%
122.335 +\endisadelimproof
122.336 +%
122.337 +\begin{isamarkuptext}%
122.338 +If, in a particular context, there is no danger of a combinatorial explosion
122.339 +of nested \isa{let}s, you could even simplify with \isa{Let{\isaliteral{5F}{\isacharunderscore}}def} by
122.340 +default:%
122.341 +\end{isamarkuptext}%
122.342 +\isamarkuptrue%
122.343 +\isacommand{declare}\isamarkupfalse%
122.344 +\ Let{\isaliteral{5F}{\isacharunderscore}}def\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}%
122.345 +\isamarkupsubsection{Conditional Simplification Rules%
122.346 +}
122.347 +\isamarkuptrue%
122.348 +%
122.349 +\begin{isamarkuptext}%
122.350 +\index{conditional simplification rules}%
122.351 +So far all examples of rewrite rules were equations. The simplifier also
122.352 +accepts \emph{conditional} equations, for example%
122.353 +\end{isamarkuptext}%
122.354 +\isamarkuptrue%
122.355 +\isacommand{lemma}\isamarkupfalse%
122.356 +\ hd{\isaliteral{5F}{\isacharunderscore}}Cons{\isaliteral{5F}{\isacharunderscore}}tl{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ \ hd\ xs\ {\isaliteral{23}{\isacharhash}}\ tl\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
122.357 +%
122.358 +\isadelimproof
122.359 +%
122.360 +\endisadelimproof
122.361 +%
122.362 +\isatagproof
122.363 +\isacommand{apply}\isamarkupfalse%
122.364 +{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{29}{\isacharparenright}}\isanewline
122.365 +\isacommand{done}\isamarkupfalse%
122.366 +%
122.367 +\endisatagproof
122.368 +{\isafoldproof}%
122.369 +%
122.370 +\isadelimproof
122.371 +%
122.372 +\endisadelimproof
122.373 +%
122.374 +\begin{isamarkuptext}%
122.375 +\noindent
122.376 +Note the use of ``\ttindexboldpos{,}{$Isar}'' to string together a
122.377 +sequence of methods. Assuming that the simplification rule
122.378 +\isa{{\isaliteral{28}{\isacharparenleft}}rev\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}}
122.379 +is present as well,
122.380 +the lemma below is proved by plain simplification:%
122.381 +\end{isamarkuptext}%
122.382 +\isamarkuptrue%
122.383 +\isacommand{lemma}\isamarkupfalse%
122.384 +\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ hd{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ tl{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
122.385 +\isadelimproof
122.386 +%
122.387 +\endisadelimproof
122.388 +%
122.389 +\isatagproof
122.390 +%
122.391 +\endisatagproof
122.392 +{\isafoldproof}%
122.393 +%
122.394 +\isadelimproof
122.395 +%
122.396 +\endisadelimproof
122.397 +%
122.398 +\begin{isamarkuptext}%
122.399 +\noindent
122.400 +The conditional equation \isa{hd{\isaliteral{5F}{\isacharunderscore}}Cons{\isaliteral{5F}{\isacharunderscore}}tl} above
122.401 +can simplify \isa{hd\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ tl\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}} to \isa{rev\ xs}
122.402 +because the corresponding precondition \isa{rev\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}
122.403 +simplifies to \isa{xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, which is exactly the local
122.404 +assumption of the subgoal.%
122.405 +\end{isamarkuptext}%
122.406 +\isamarkuptrue%
122.407 +%
122.408 +\isamarkupsubsection{Automatic Case Splits%
122.409 +}
122.410 +\isamarkuptrue%
122.411 +%
122.412 +\begin{isamarkuptext}%
122.413 +\label{sec:AutoCaseSplits}\indexbold{case splits}%
122.414 +Goals containing \isa{if}-expressions\index{*if expressions!splitting of}
122.415 +are usually proved by case
122.416 +distinction on the boolean condition. Here is an example:%
122.417 +\end{isamarkuptext}%
122.418 +\isamarkuptrue%
122.419 +\isacommand{lemma}\isamarkupfalse%
122.420 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}xs{\isaliteral{2E}{\isachardot}}\ if\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ then\ rev\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ else\ rev\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
122.421 +\isadelimproof
122.422 +%
122.423 +\endisadelimproof
122.424 +%
122.425 +\isatagproof
122.426 +%
122.427 +\begin{isamarkuptxt}%
122.428 +\noindent
122.429 +The goal can be split by a special method, \methdx{split}:%
122.430 +\end{isamarkuptxt}%
122.431 +\isamarkuptrue%
122.432 +\isacommand{apply}\isamarkupfalse%
122.433 +{\isaliteral{28}{\isacharparenleft}}split\ split{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{29}{\isacharparenright}}%
122.434 +\begin{isamarkuptxt}%
122.435 +\noindent
122.436 +\begin{isabelle}%
122.437 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}xs{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ rev\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ rev\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}%
122.438 +\end{isabelle}
122.439 +where \tdx{split_if} is a theorem that expresses splitting of
122.440 +\isa{if}s. Because
122.441 +splitting the \isa{if}s is usually the right proof strategy, the
122.442 +simplifier does it automatically. Try \isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}}
122.443 +on the initial goal above.
122.444 +
122.445 +This splitting idea generalizes from \isa{if} to \sdx{case}.
122.446 +Let us simplify a case analysis over lists:\index{*list.split (theorem)}%
122.447 +\end{isamarkuptxt}%
122.448 +\isamarkuptrue%
122.449 +%
122.450 +\endisatagproof
122.451 +{\isafoldproof}%
122.452 +%
122.453 +\isadelimproof
122.454 +%
122.455 +\endisadelimproof
122.456 +\isacommand{lemma}\isamarkupfalse%
122.457 +\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ zs\ {\isaliteral{7C}{\isacharbar}}\ y{\isaliteral{23}{\isacharhash}}ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ y{\isaliteral{23}{\isacharhash}}{\isaliteral{28}{\isacharparenleft}}ys{\isaliteral{40}{\isacharat}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{40}{\isacharat}}zs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
122.458 +%
122.459 +\isadelimproof
122.460 +%
122.461 +\endisadelimproof
122.462 +%
122.463 +\isatagproof
122.464 +\isacommand{apply}\isamarkupfalse%
122.465 +{\isaliteral{28}{\isacharparenleft}}split\ list{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
122.466 +\begin{isamarkuptxt}%
122.467 +\begin{isabelle}%
122.468 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
122.469 +\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}a\ list{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ a\ {\isaliteral{23}{\isacharhash}}\ list\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ zs{\isaliteral{29}{\isacharparenright}}%
122.470 +\end{isabelle}
122.471 +The simplifier does not split
122.472 +\isa{case}-expressions, as it does \isa{if}-expressions,
122.473 +because with recursive datatypes it could lead to nontermination.
122.474 +Instead, the simplifier has a modifier
122.475 +\isa{split}\index{*split (modifier)}
122.476 +for adding splitting rules explicitly. The
122.477 +lemma above can be proved in one step by%
122.478 +\end{isamarkuptxt}%
122.479 +\isamarkuptrue%
122.480 +%
122.481 +\endisatagproof
122.482 +{\isafoldproof}%
122.483 +%
122.484 +\isadelimproof
122.485 +%
122.486 +\endisadelimproof
122.487 +%
122.488 +\isadelimproof
122.489 +%
122.490 +\endisadelimproof
122.491 +%
122.492 +\isatagproof
122.493 +\isacommand{apply}\isamarkupfalse%
122.494 +{\isaliteral{28}{\isacharparenleft}}simp\ split{\isaliteral{3A}{\isacharcolon}}\ list{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
122.495 +\endisatagproof
122.496 +{\isafoldproof}%
122.497 +%
122.498 +\isadelimproof
122.499 +%
122.500 +\endisadelimproof
122.501 +%
122.502 +\begin{isamarkuptext}%
122.503 +\noindent
122.504 +whereas \isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}} alone will not succeed.
122.505 +
122.506 +Every datatype $t$ comes with a theorem
122.507 +$t$\isa{{\isaliteral{2E}{\isachardot}}split} which can be declared to be a \bfindex{split rule} either
122.508 +locally as above, or by giving it the \attrdx{split} attribute globally:%
122.509 +\end{isamarkuptext}%
122.510 +\isamarkuptrue%
122.511 +\isacommand{declare}\isamarkupfalse%
122.512 +\ list{\isaliteral{2E}{\isachardot}}split\ {\isaliteral{5B}{\isacharbrackleft}}split{\isaliteral{5D}{\isacharbrackright}}%
122.513 +\begin{isamarkuptext}%
122.514 +\noindent
122.515 +The \isa{split} attribute can be removed with the \isa{del} modifier,
122.516 +either locally%
122.517 +\end{isamarkuptext}%
122.518 +\isamarkuptrue%
122.519 +%
122.520 +\isadelimproof
122.521 +%
122.522 +\endisadelimproof
122.523 +%
122.524 +\isatagproof
122.525 +\isacommand{apply}\isamarkupfalse%
122.526 +{\isaliteral{28}{\isacharparenleft}}simp\ split\ del{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{29}{\isacharparenright}}%
122.527 +\endisatagproof
122.528 +{\isafoldproof}%
122.529 +%
122.530 +\isadelimproof
122.531 +%
122.532 +\endisadelimproof
122.533 +%
122.534 +\begin{isamarkuptext}%
122.535 +\noindent
122.536 +or globally:%
122.537 +\end{isamarkuptext}%
122.538 +\isamarkuptrue%
122.539 +\isacommand{declare}\isamarkupfalse%
122.540 +\ list{\isaliteral{2E}{\isachardot}}split\ {\isaliteral{5B}{\isacharbrackleft}}split\ del{\isaliteral{5D}{\isacharbrackright}}%
122.541 +\begin{isamarkuptext}%
122.542 +Polished proofs typically perform splitting within \isa{simp} rather than
122.543 +invoking the \isa{split} method. However, if a goal contains
122.544 +several \isa{if} and \isa{case} expressions,
122.545 +the \isa{split} method can be
122.546 +helpful in selectively exploring the effects of splitting.
122.547 +
122.548 +The split rules shown above are intended to affect only the subgoal's
122.549 +conclusion. If you want to split an \isa{if} or \isa{case}-expression
122.550 +in the assumptions, you have to apply \tdx{split_if_asm} or
122.551 +$t$\isa{{\isaliteral{2E}{\isachardot}}split{\isaliteral{5F}{\isacharunderscore}}asm}:%
122.552 +\end{isamarkuptext}%
122.553 +\isamarkuptrue%
122.554 +\isacommand{lemma}\isamarkupfalse%
122.555 +\ {\isaliteral{22}{\isachardoublequoteopen}}if\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ then\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ else\ ys\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
122.556 +%
122.557 +\isadelimproof
122.558 +%
122.559 +\endisadelimproof
122.560 +%
122.561 +\isatagproof
122.562 +\isacommand{apply}\isamarkupfalse%
122.563 +{\isaliteral{28}{\isacharparenleft}}split\ split{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}%
122.564 +\begin{isamarkuptxt}%
122.565 +\noindent
122.566 +Unlike splitting the conclusion, this step creates two
122.567 +separate subgoals, which here can be solved by \isa{simp{\isaliteral{5F}{\isacharunderscore}}all}:
122.568 +\begin{isabelle}%
122.569 +\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3B}{\isacharsemicolon}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\isanewline
122.570 +\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3B}{\isacharsemicolon}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
122.571 +\end{isabelle}
122.572 +If you need to split both in the assumptions and the conclusion,
122.573 +use $t$\isa{{\isaliteral{2E}{\isachardot}}splits} which subsumes $t$\isa{{\isaliteral{2E}{\isachardot}}split} and
122.574 +$t$\isa{{\isaliteral{2E}{\isachardot}}split{\isaliteral{5F}{\isacharunderscore}}asm}. Analogously, there is \isa{if{\isaliteral{5F}{\isacharunderscore}}splits}.
122.575 +
122.576 +\begin{warn}
122.577 + The simplifier merely simplifies the condition of an
122.578 + \isa{if}\index{*if expressions!simplification of} but not the
122.579 + \isa{then} or \isa{else} parts. The latter are simplified only after the
122.580 + condition reduces to \isa{True} or \isa{False}, or after splitting. The
122.581 + same is true for \sdx{case}-expressions: only the selector is
122.582 + simplified at first, until either the expression reduces to one of the
122.583 + cases or it is split.
122.584 +\end{warn}%
122.585 +\end{isamarkuptxt}%
122.586 +\isamarkuptrue%
122.587 +%
122.588 +\endisatagproof
122.589 +{\isafoldproof}%
122.590 +%
122.591 +\isadelimproof
122.592 +%
122.593 +\endisadelimproof
122.594 +%
122.595 +\isamarkupsubsection{Tracing%
122.596 +}
122.597 +\isamarkuptrue%
122.598 +%
122.599 +\begin{isamarkuptext}%
122.600 +\indexbold{tracing the simplifier}
122.601 +Using the simplifier effectively may take a bit of experimentation. Set the
122.602 +Proof General flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgmenu{Trace Simplifier} to get a better idea of what is going on:%
122.603 +\end{isamarkuptext}%
122.604 +\isamarkuptrue%
122.605 +\isacommand{lemma}\isamarkupfalse%
122.606 +\ {\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{5B}{\isacharbrackleft}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
122.607 +%
122.608 +\isadelimproof
122.609 +%
122.610 +\endisadelimproof
122.611 +%
122.612 +\isatagproof
122.613 +\isacommand{apply}\isamarkupfalse%
122.614 +{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
122.615 +\endisatagproof
122.616 +{\isafoldproof}%
122.617 +%
122.618 +\isadelimproof
122.619 +%
122.620 +\endisadelimproof
122.621 +%
122.622 +\begin{isamarkuptext}%
122.623 +\noindent
122.624 +produces the following trace in Proof General's \pgmenu{Trace} buffer:
122.625 +
122.626 +\begin{ttbox}\makeatother
122.627 +[1]Applying instance of rewrite rule "List.rev.simps_2":
122.628 +rev (?x1 # ?xs1) \(\equiv\) rev ?xs1 @ [?x1]
122.629 +
122.630 +[1]Rewriting:
122.631 +rev [a] \(\equiv\) rev [] @ [a]
122.632 +
122.633 +[1]Applying instance of rewrite rule "List.rev.simps_1":
122.634 +rev [] \(\equiv\) []
122.635 +
122.636 +[1]Rewriting:
122.637 +rev [] \(\equiv\) []
122.638 +
122.639 +[1]Applying instance of rewrite rule "List.op @.append_Nil":
122.640 +[] @ ?y \(\equiv\) ?y
122.641 +
122.642 +[1]Rewriting:
122.643 +[] @ [a] \(\equiv\) [a]
122.644 +
122.645 +[1]Applying instance of rewrite rule
122.646 +?x2 # ?t1 = ?t1 \(\equiv\) False
122.647 +
122.648 +[1]Rewriting:
122.649 +[a] = [] \(\equiv\) False
122.650 +\end{ttbox}
122.651 +The trace lists each rule being applied, both in its general form and
122.652 +the instance being used. The \texttt{[}$i$\texttt{]} in front (where
122.653 +above $i$ is always \texttt{1}) indicates that we are inside the $i$th
122.654 +invocation of the simplifier. Each attempt to apply a
122.655 +conditional rule shows the rule followed by the trace of the
122.656 +(recursive!) simplification of the conditions, the latter prefixed by
122.657 +\texttt{[}$i+1$\texttt{]} instead of \texttt{[}$i$\texttt{]}.
122.658 +Another source of recursive invocations of the simplifier are
122.659 +proofs of arithmetic formulae. By default, recursive invocations are not shown,
122.660 +you must increase the trace depth via \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgmenu{Trace Simplifier Depth}.
122.661 +
122.662 +Many other hints about the simplifier's actions may appear.
122.663 +
122.664 +In more complicated cases, the trace can be very lengthy. Thus it is
122.665 +advisable to reset the \pgmenu{Trace Simplifier} flag after having
122.666 +obtained the desired trace.
122.667 +Since this is easily forgotten (and may have the unpleasant effect of
122.668 +swamping the interface with trace information), here is how you can switch
122.669 +the trace on locally in a proof:%
122.670 +\end{isamarkuptext}%
122.671 +\isamarkuptrue%
122.672 +%
122.673 +\isadelimproof
122.674 +%
122.675 +\endisadelimproof
122.676 +%
122.677 +\isatagproof
122.678 +\isacommand{using}\isamarkupfalse%
122.679 +\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5F}{\isacharunderscore}}trace{\isaliteral{3D}{\isacharequal}}true{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5D}{\isacharbrackright}}\isanewline
122.680 +\isacommand{apply}\isamarkupfalse%
122.681 +\ simp%
122.682 +\endisatagproof
122.683 +{\isafoldproof}%
122.684 +%
122.685 +\isadelimproof
122.686 +%
122.687 +\endisadelimproof
122.688 +%
122.689 +\begin{isamarkuptext}%
122.690 +\noindent
122.691 +Within the current proof, all simplifications in subsequent proof steps
122.692 +will be traced, but the text reminds you to remove the \isa{using} clause
122.693 +after it has done its job.%
122.694 +\end{isamarkuptext}%
122.695 +\isamarkuptrue%
122.696 +%
122.697 +\isamarkupsubsection{Finding Theorems\label{sec:find}%
122.698 +}
122.699 +\isamarkuptrue%
122.700 +%
122.701 +\begin{isamarkuptext}%
122.702 +\indexbold{finding theorems}\indexbold{searching theorems}
122.703 +Isabelle's large database of proved theorems
122.704 +offers a powerful search engine. Its chief limitation is
122.705 +its restriction to the theories currently loaded.
122.706 +
122.707 +\begin{pgnote}
122.708 +The search engine is started by clicking on Proof General's \pgmenu{Find} icon.
122.709 +You specify your search textually in the input buffer at the bottom
122.710 +of the window.
122.711 +\end{pgnote}
122.712 +
122.713 +The simplest form of search finds theorems containing specified
122.714 +patterns. A pattern can be any term (even
122.715 +a single identifier). It may contain ``\texttt{\_}'', a wildcard standing
122.716 +for any term. Here are some
122.717 +examples:
122.718 +\begin{ttbox}
122.719 +length
122.720 +"_ # _ = _ # _"
122.721 +"_ + _"
122.722 +"_ * (_ - (_::nat))"
122.723 +\end{ttbox}
122.724 +Specifying types, as shown in the last example,
122.725 +constrains searches involving overloaded operators.
122.726 +
122.727 +\begin{warn}
122.728 +Always use ``\texttt{\_}'' rather than variable names: searching for
122.729 +\texttt{"x + y"} will usually not find any matching theorems
122.730 +because they would need to contain \texttt{x} and~\texttt{y} literally.
122.731 +When searching for infix operators, do not just type in the symbol,
122.732 +such as~\texttt{+}, but a proper term such as \texttt{"_ + _"}.
122.733 +This remark applies to more complicated syntaxes, too.
122.734 +\end{warn}
122.735 +
122.736 +If you are looking for rewrite rules (possibly conditional) that could
122.737 +simplify some term, prefix the pattern with \texttt{simp:}.
122.738 +\begin{ttbox}
122.739 +simp: "_ * (_ + _)"
122.740 +\end{ttbox}
122.741 +This finds \emph{all} equations---not just those with a \isa{simp} attribute---whose conclusion has the form
122.742 +\begin{isabelle}%
122.743 +\ \ \ \ \ {\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}%
122.744 +\end{isabelle}
122.745 +It only finds equations that can simplify the given pattern
122.746 +at the root, not somewhere inside: for example, equations of the form
122.747 +\isa{{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}} do not match.
122.748 +
122.749 +You may also search for theorems by name---you merely
122.750 +need to specify a substring. For example, you could search for all
122.751 +commutativity theorems like this:
122.752 +\begin{ttbox}
122.753 +name: comm
122.754 +\end{ttbox}
122.755 +This retrieves all theorems whose name contains \texttt{comm}.
122.756 +
122.757 +Search criteria can also be negated by prefixing them with ``\texttt{-}''.
122.758 +For example,
122.759 +\begin{ttbox}
122.760 +-name: List
122.761 +\end{ttbox}
122.762 +finds theorems whose name does not contain \texttt{List}. You can use this
122.763 +to exclude particular theories from the search: the long name of
122.764 +a theorem contains the name of the theory it comes from.
122.765 +
122.766 +Finallly, different search criteria can be combined arbitrarily.
122.767 +The effect is conjuctive: Find returns the theorems that satisfy all of
122.768 +the criteria. For example,
122.769 +\begin{ttbox}
122.770 +"_ + _" -"_ - _" -simp: "_ * (_ + _)" name: assoc
122.771 +\end{ttbox}
122.772 +looks for theorems containing plus but not minus, and which do not simplify
122.773 +\mbox{\isa{{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{29}{\isacharparenright}}}} at the root, and whose name contains \texttt{assoc}.
122.774 +
122.775 +Further search criteria are explained in \S\ref{sec:find2}.
122.776 +
122.777 +\begin{pgnote}
122.778 +Proof General keeps a history of all your search expressions.
122.779 +If you click on \pgmenu{Find}, you can use the arrow keys to scroll
122.780 +through previous searches and just modify them. This saves you having
122.781 +to type in lengthy expressions again and again.
122.782 +\end{pgnote}%
122.783 +\end{isamarkuptext}%
122.784 +\isamarkuptrue%
122.785 +%
122.786 +\isadelimtheory
122.787 +%
122.788 +\endisadelimtheory
122.789 +%
122.790 +\isatagtheory
122.791 +%
122.792 +\endisatagtheory
122.793 +{\isafoldtheory}%
122.794 +%
122.795 +\isadelimtheory
122.796 +%
122.797 +\endisadelimtheory
122.798 +\end{isabellebody}%
122.799 +%%% Local Variables:
122.800 +%%% mode: latex
122.801 +%%% TeX-master: "root"
122.802 +%%% End:
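--- /dev/null
+++ b/doc-src/TutorialI/document/simp2.tex
@@ -0,0 +1,249 @@
+%
+\begin{isabellebody}%
+\def\isabellecontext{simp{\isadigit{2}}}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isamarkupsection{Simplification%
+}
+\isamarkuptrue%
+%
+\begin{isamarkuptext}%
+\label{sec:simplification-II}\index{simplification|(}
+This section describes features not covered until now. It also
+outlines the simplification process itself, which can be helpful
+when the simplifier does not do what you expect of it.%
+\end{isamarkuptext}%
+\isamarkuptrue%
+%
+\isamarkupsubsection{Advanced Features%
+}
+\isamarkuptrue%
+%
+\isamarkupsubsubsection{Congruence Rules%
+}
+\isamarkuptrue%
+%
+\begin{isamarkuptext}%
+\label{sec:simp-cong}
+While simplifying the conclusion $Q$
+of $P \Imp Q$, it is legal to use the assumption $P$.
+For $\Imp$ this policy is hardwired, but
+contextual information can also be made available for other
+operators. For example, \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs} simplifies to \isa{True} because we may use \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} when simplifying \isa{xs\ {\isaliteral{40}{\isacharat}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs}. The generation of contextual information during simplification is
+controlled by so-called \bfindex{congruence rules}. This is the one for
+\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}:
+\begin{isabelle}%
+\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ {\isaliteral{3D}{\isacharequal}}\ P{\isaliteral{27}{\isacharprime}}{\isaliteral{3B}{\isacharsemicolon}}\ P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Q\ {\isaliteral{3D}{\isacharequal}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}P\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}%
+\end{isabelle}
+It should be read as follows:
+In order to simplify \isa{P\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q} to \isa{P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q{\isaliteral{27}{\isacharprime}}},
+simplify \isa{P} to \isa{P{\isaliteral{27}{\isacharprime}}}
+and assume \isa{P{\isaliteral{27}{\isacharprime}}} when simplifying \isa{Q} to \isa{Q{\isaliteral{27}{\isacharprime}}}.
+
+Here are some more examples. The congruence rules for bounded
+quantifiers supply contextual information about the bound variable:
+\begin{isabelle}%
+\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}A\ {\isaliteral{3D}{\isacharequal}}\ B{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x\ {\isaliteral{3D}{\isacharequal}}\ Q\ x{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
+\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{5C3C696E3E}{\isasymin}}A{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{5C3C696E3E}{\isasymin}}B{\isaliteral{2E}{\isachardot}}\ Q\ x{\isaliteral{29}{\isacharparenright}}%
+\end{isabelle}
+One congruence rule for conditional expressions supplies contextual
+information for simplifying the \isa{then} and \isa{else} cases:
+\begin{isabelle}%
+\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}b\ {\isaliteral{3D}{\isacharequal}}\ c{\isaliteral{3B}{\isacharsemicolon}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ x\ {\isaliteral{3D}{\isacharequal}}\ u{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ y\ {\isaliteral{3D}{\isacharequal}}\ v{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
+\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}if\ b\ then\ x\ else\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ c\ then\ u\ else\ v{\isaliteral{29}{\isacharparenright}}%
+\end{isabelle}
+An alternative congruence rule for conditional expressions
+actually \emph{prevents} simplification of some arguments:
+\begin{isabelle}%
+\ \ \ \ \ b\ {\isaliteral{3D}{\isacharequal}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}if\ b\ then\ x\ else\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ c\ then\ x\ else\ y{\isaliteral{29}{\isacharparenright}}%
+\end{isabelle}
+Only the first argument is simplified; the others remain unchanged.
+This makes simplification much faster and is faithful to the evaluation
+strategy in programming languages, which is why this is the default
+congruence rule for \isa{if}. Analogous rules control the evaluation of
+\isa{case} expressions.
+
+You can declare your own congruence rules with the attribute \attrdx{cong},
+either globally, in the usual manner,
+\begin{quote}
+\isacommand{declare} \textit{theorem-name} \isa{{\isaliteral{5B}{\isacharbrackleft}}cong{\isaliteral{5D}{\isacharbrackright}}}
+\end{quote}
+or locally in a \isa{simp} call by adding the modifier
+\begin{quote}
+\isa{cong{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}
+\end{quote}
+The effect is reversed by \isa{cong\ del} instead of \isa{cong}.
+
+\begin{warn}
+The congruence rule \isa{conj{\isaliteral{5F}{\isacharunderscore}}cong}
+\begin{isabelle}%
+\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ {\isaliteral{3D}{\isacharequal}}\ P{\isaliteral{27}{\isacharprime}}{\isaliteral{3B}{\isacharsemicolon}}\ P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Q\ {\isaliteral{3D}{\isacharequal}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}P\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}%
+\end{isabelle}
+\par\noindent
+is occasionally useful but is not a default rule; you have to declare it explicitly.
+\end{warn}%
+\end{isamarkuptext}%
+\isamarkuptrue%
+%
+\isamarkupsubsubsection{Permutative Rewrite Rules%
+}
+\isamarkuptrue%
+%
+\begin{isamarkuptext}%
+\index{rewrite rules!permutative|bold}%
+An equation is a \textbf{permutative rewrite rule} if the left-hand
+side and right-hand side are the same up to renaming of variables. The most
+common permutative rule is commutativity: \isa{x\ {\isaliteral{2B}{\isacharplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ y\ {\isaliteral{2B}{\isacharplus}}\ x}. Other examples
+include \isa{x\ {\isaliteral{2D}{\isacharminus}}\ y\ {\isaliteral{2D}{\isacharminus}}\ z\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{2D}{\isacharminus}}\ z\ {\isaliteral{2D}{\isacharminus}}\ y} in arithmetic and \isa{insert\ x\ {\isaliteral{28}{\isacharparenleft}}insert\ y\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ insert\ y\ {\isaliteral{28}{\isacharparenleft}}insert\ x\ A{\isaliteral{29}{\isacharparenright}}} for sets. Such rules are problematic because
+once they apply, they can be used forever. The simplifier is aware of this
+danger and treats permutative rules by means of a special strategy, called
+\bfindex{ordered rewriting}: a permutative rewrite
+rule is only applied if the term becomes smaller with respect to a fixed
+lexicographic ordering on terms. For example, commutativity rewrites
+\isa{b\ {\isaliteral{2B}{\isacharplus}}\ a} to \isa{a\ {\isaliteral{2B}{\isacharplus}}\ b}, but then stops because \isa{a\ {\isaliteral{2B}{\isacharplus}}\ b} is strictly
+smaller than \isa{b\ {\isaliteral{2B}{\isacharplus}}\ a}. Permutative rewrite rules can be turned into
+simplification rules in the usual manner via the \isa{simp} attribute; the
+simplifier recognizes their special status automatically.
+
+Permutative rewrite rules are most effective in the case of
+associative-commutative functions. (Associativity by itself is not
+permutative.) When dealing with an AC-function~$f$, keep the
+following points in mind:
+\begin{itemize}\index{associative-commutative function}
+
+\item The associative law must always be oriented from left to right,
+ namely $f(f(x,y),z) = f(x,f(y,z))$. The opposite orientation, if
+ used with commutativity, can lead to nontermination.
+
+\item To complete your set of rewrite rules, you must add not just
+ associativity~(A) and commutativity~(C) but also a derived rule, {\bf
+ left-com\-mut\-ativ\-ity} (LC): $f(x,f(y,z)) = f(y,f(x,z))$.
+\end{itemize}
+Ordered rewriting with the combination of A, C, and LC sorts a term
+lexicographically:
+\[\def\maps#1{~\stackrel{#1}{\leadsto}~}
+ f(f(b,c),a) \maps{A} f(b,f(c,a)) \maps{C} f(b,f(a,c)) \maps{LC} f(a,f(b,c)) \]
+
+Note that ordered rewriting for \isa{{\isaliteral{2B}{\isacharplus}}} and \isa{{\isaliteral{2A}{\isacharasterisk}}} on numbers is rarely
+necessary because the built-in arithmetic prover often succeeds without
+such tricks.%
+\end{isamarkuptext}%
+\isamarkuptrue%
+%
+\isamarkupsubsection{How the Simplifier Works%
+}
+\isamarkuptrue%
+%
+\begin{isamarkuptext}%
+\label{sec:SimpHow}
+Roughly speaking, the simplifier proceeds bottom-up: subterms are simplified
+first. A conditional equation is only applied if its condition can be
+proved, again by simplification. Below we explain some special features of
+the rewriting process.%
+\end{isamarkuptext}%
+\isamarkuptrue%
+%
+\isamarkupsubsubsection{Higher-Order Patterns%
+}
+\isamarkuptrue%
+%
+\begin{isamarkuptext}%
+\index{simplification rule|(}
+So far we have pretended the simplifier can deal with arbitrary
+rewrite rules. This is not quite true. For reasons of feasibility,
+the simplifier expects the
+left-hand side of each rule to be a so-called \emph{higher-order
+pattern}~\cite{nipkow-patterns}\indexbold{patterns!higher-order}.
+This restricts where
+unknowns may occur. Higher-order patterns are terms in $\beta$-normal
+form. (This means there are no subterms of the form $(\lambda x. M)(N)$.)
+Each occurrence of an unknown is of the form
+$\Var{f}~x@1~\dots~x@n$, where the $x@i$ are distinct bound
+variables. Thus all ordinary rewrite rules, where all unknowns are
+of base type, for example \isa{{\isaliteral{3F}{\isacharquery}}a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{3F}{\isacharquery}}b\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{3F}{\isacharquery}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{3F}{\isacharquery}}a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}b\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{3F}{\isacharquery}}c{\isaliteral{29}{\isacharparenright}}}, are acceptable: if an unknown is
+of base type, it cannot have any arguments. Additionally, the rule
+\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{3F}{\isacharquery}}Q\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}Q\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}} is also acceptable, in
+both directions: all arguments of the unknowns \isa{{\isaliteral{3F}{\isacharquery}}P} and
+\isa{{\isaliteral{3F}{\isacharquery}}Q} are distinct bound variables.
+
+If the left-hand side is not a higher-order pattern, all is not lost.
+The simplifier will still try to apply the rule provided it
+matches directly: without much $\lambda$-calculus hocus
+pocus. For example, \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}f\ {\isaliteral{3F}{\isacharquery}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range\ {\isaliteral{3F}{\isacharquery}}f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True} rewrites
+\isa{g\ a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range\ g} to \isa{True}, but will fail to match
+\isa{g{\isaliteral{28}{\isacharparenleft}}h\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ g{\isaliteral{28}{\isacharparenleft}}h\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}. However, you can
+eliminate the offending subterms --- those that are not patterns ---
+by adding new variables and conditions.
+In our example, we eliminate \isa{{\isaliteral{3F}{\isacharquery}}f\ {\isaliteral{3F}{\isacharquery}}x} and obtain
+ \isa{{\isaliteral{3F}{\isacharquery}}y\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{3F}{\isacharquery}}f\ {\isaliteral{3F}{\isacharquery}}x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range\ {\isaliteral{3F}{\isacharquery}}f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True}, which is fine
+as a conditional rewrite rule since conditions can be arbitrary
+terms. However, this trick is not a panacea because the newly
+introduced conditions may be hard to solve.
+
+There is no restriction on the form of the right-hand
+sides. They may not contain extraneous term or type variables, though.%
+\end{isamarkuptext}%
+\isamarkuptrue%
+%
+\isamarkupsubsubsection{The Preprocessor%
+}
+\isamarkuptrue%
+%
+\begin{isamarkuptext}%
+\label{sec:simp-preprocessor}
+When a theorem is declared a simplification rule, it need not be a
+conditional equation already. The simplifier will turn it into a set of
+conditional equations automatically. For example, \isa{f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ x\ {\isaliteral{5C3C616E643E}{\isasymand}}\ h\ x\ {\isaliteral{3D}{\isacharequal}}\ k\ x} becomes the two separate
+simplification rules \isa{f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ x} and \isa{h\ x\ {\isaliteral{3D}{\isacharequal}}\ k\ x}. In
+general, the input theorem is converted as follows:
+\begin{eqnarray}
+\neg P &\mapsto& P = \hbox{\isa{False}} \nonumber\\
+P \longrightarrow Q &\mapsto& P \Longrightarrow Q \nonumber\\
+P \land Q &\mapsto& P,\ Q \nonumber\\
+\forall x.~P~x &\mapsto& P~\Var{x}\nonumber\\
+\forall x \in A.\ P~x &\mapsto& \Var{x} \in A \Longrightarrow P~\Var{x} \nonumber\\
+\isa{if}\ P\ \isa{then}\ Q\ \isa{else}\ R &\mapsto&
+ P \Longrightarrow Q,\ \neg P \Longrightarrow R \nonumber
+\end{eqnarray}
+Once this conversion process is finished, all remaining non-equations
+$P$ are turned into trivial equations $P =\isa{True}$.
+For example, the formula
+\begin{center}\isa{{\isaliteral{28}{\isacharparenleft}}p\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{3D}{\isacharequal}}\ u\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ r{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ s}\end{center}
+is converted into the three rules
+\begin{center}
+\isa{p\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{3D}{\isacharequal}}\ u},\quad \isa{p\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ r\ {\isaliteral{3D}{\isacharequal}}\ False},\quad \isa{s\ {\isaliteral{3D}{\isacharequal}}\ True}.
+\end{center}
+\index{simplification rule|)}
+\index{simplification|)}%
+\end{isamarkuptext}%
+\isamarkuptrue%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+%
+\isatagtheory
+%
+\endisatagtheory
+{\isafoldtheory}%
+%
+\isadelimtheory
+%
+\endisadelimtheory
+\end{isabellebody}%
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "root"
+%%% End: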
124.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
124.2 +++ b/doc-src/TutorialI/document/types.tex Thu Jul 26 19:59:06 2012 +0200
124.3 @@ -0,0 +1,75 @@
124.4 +%
124.5 +\begin{isabellebody}%
124.6 +\def\isabellecontext{types}%
124.7 +%
124.8 +\isadelimtheory
124.9 +%
124.10 +\endisadelimtheory
124.11 +%
124.12 +\isatagtheory
124.13 +%
124.14 +\endisatagtheory
124.15 +{\isafoldtheory}%
124.16 +%
124.17 +\isadelimtheory
124.18 +%
124.19 +\endisadelimtheory
124.20 +\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
124.21 +\ number\ {\isaliteral{3D}{\isacharequal}}\ nat\isanewline
124.22 +\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
124.23 +\ gate\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
124.24 +\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
124.25 +\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{29}{\isacharparenright}}\ alist\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{29}{\isacharparenright}}\ list{\isaliteral{22}{\isachardoublequoteclose}}%
124.26 +\begin{isamarkuptext}%
124.27 +\noindent
124.28 +Internally all synonyms are fully expanded. As a consequence Isabelle's
124.29 +output never contains synonyms. Their main purpose is to improve the
124.30 +readability of theories. Synonyms can be used just like any other
124.31 +type.%
124.32 +\end{isamarkuptext}%
124.33 +\isamarkuptrue%
124.34 +%
124.35 +\isamarkupsubsection{Constant Definitions%
124.36 +}
124.37 +\isamarkuptrue%
124.38 +%
124.39 +\begin{isamarkuptext}%
124.40 +\label{sec:ConstDefinitions}\indexbold{definitions}%
124.41 +Nonrecursive definitions can be made with the \commdx{definition}
124.42 +command, for example \isa{nand} and \isa{xor} gates
124.43 +(based on type \isa{gate} above):%
124.44 +\end{isamarkuptext}%
124.45 +\isamarkuptrue%
124.46 +\isacommand{definition}\isamarkupfalse%
124.47 +\ nand\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ gate\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}nand\ A\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}{\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
124.48 +\isacommand{definition}\isamarkupfalse%
124.49 +\ xor\ \ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ gate\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}xor\ \ A\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}B\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{22}{\isachardoublequoteclose}}%
124.50 +\begin{isamarkuptext}%
124.51 +\noindent%
124.52 +The symbol \indexboldpos{\isasymequiv}{$IsaEq} is a special form of equality
124.53 +that must be used in constant definitions.
124.54 +Pattern-matching is not allowed: each definition must be of
124.55 +the form $f\,x@1\,\dots\,x@n~\isasymequiv~t$.
124.56 +Section~\ref{sec:Simp-with-Defs} explains how definitions are used
124.57 +in proofs. The default name of each definition is $f$\isa{{\isaliteral{5F}{\isacharunderscore}}def}, where
124.58 +$f$ is the name of the defined constant.%
124.59 +\end{isamarkuptext}%
124.60 +\isamarkuptrue%
124.61 +%
124.62 +\isadelimtheory
124.63 +%
124.64 +\endisadelimtheory
124.65 +%
124.66 +\isatagtheory
124.67 +%
124.68 +\endisatagtheory
124.69 +{\isafoldtheory}%
124.70 +%
124.71 +\isadelimtheory
124.72 +%
124.73 +\endisadelimtheory
124.74 +\end{isabellebody}%
124.75 +%%% Local Variables:
124.76 +%%% mode: latex
124.77 +%%% TeX-master: "root"
124.78 +%%% End:
125.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
125.2 +++ b/doc-src/TutorialI/document/unfoldnested.tex Thu Jul 26 19:59:06 2012 +0200
125.3 @@ -0,0 +1,36 @@
125.4 +%
125.5 +\begin{isabellebody}%
125.6 +\def\isabellecontext{unfoldnested}%
125.7 +%
125.8 +\isadelimtheory
125.9 +%
125.10 +\endisadelimtheory
125.11 +%
125.12 +\isatagtheory
125.13 +%
125.14 +\endisatagtheory
125.15 +{\isafoldtheory}%
125.16 +%
125.17 +\isadelimtheory
125.18 +%
125.19 +\endisadelimtheory
125.20 +\isacommand{datatype}\isamarkupfalse%
125.21 +\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteopen}}term{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3D}{\isacharequal}}\ Var\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{7C}{\isacharbar}}\ App\ {\isaliteral{27}{\isacharprime}}f\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{5F}{\isacharunderscore}}list{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
125.22 +\isakeyword{and}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{5F}{\isacharunderscore}}list\ {\isaliteral{3D}{\isacharequal}}\ Nil\ {\isaliteral{7C}{\isacharbar}}\ Cons\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{5F}{\isacharunderscore}}list{\isaliteral{22}{\isachardoublequoteclose}}%
125.23 +\isadelimtheory
125.24 +%
125.25 +\endisadelimtheory
125.26 +%
125.27 +\isatagtheory
125.28 +%
125.29 +\endisatagtheory
125.30 +{\isafoldtheory}%
125.31 +%
125.32 +\isadelimtheory
125.33 +%
125.34 +\endisadelimtheory
125.35 +\end{isabellebody}%
125.36 +%%% Local Variables:
125.37 +%%% mode: latex
125.38 +%%% TeX-master: "root"
125.39 +%%% End:
126.1 --- a/doc-src/TutorialI/fp.tex Thu Jul 26 16:08:16 2012 +0200
126.2 +++ b/doc-src/TutorialI/fp.tex Thu Jul 26 19:59:06 2012 +0200
126.3 @@ -32,7 +32,7 @@
126.4 \end{figure}
126.5
126.6 \index{*ToyList example|(}
126.7 -{\makeatother\medskip\input{ToyList/document/ToyList.tex}}
126.8 +{\makeatother\medskip\input{document/ToyList.tex}}
126.9
126.10 The complete proof script is shown in Fig.\ts\ref{fig:ToyList-proofs}. The
126.11 concatenation of Figs.\ts\ref{fig:ToyList} and~\ref{fig:ToyList-proofs}
126.12 @@ -203,12 +203,12 @@
126.13 {\S}\ref{sec:fun}.
126.14
126.15 \begin{exercise}\label{ex:Tree}
126.16 -\input{Misc/document/Tree.tex}%
126.17 +\input{document/Tree.tex}%
126.18 \end{exercise}
126.19
126.20 -\input{Misc/document/case_exprs.tex}
126.21 +\input{document/case_exprs.tex}
126.22
126.23 -\input{Ifexpr/document/Ifexpr.tex}
126.24 +\input{document/Ifexpr.tex}
126.25 \index{datatypes|)}
126.26
126.27
126.28 @@ -222,18 +222,18 @@
126.29 \label{sec:nat}\index{natural numbers}%
126.30 \index{linear arithmetic|(}
126.31
126.32 -\input{Misc/document/fakenat.tex}\medskip
126.33 -\input{Misc/document/natsum.tex}
126.34 +\input{document/fakenat.tex}\medskip
126.35 +\input{document/natsum.tex}
126.36
126.37 \index{linear arithmetic|)}
126.38
126.39
126.40 \subsection{Pairs}
126.41 -\input{Misc/document/pairs.tex}
126.42 +\input{document/pairs2.tex}
126.43
126.44 \subsection{Datatype {\tt\slshape option}}
126.45 \label{sec:option}
126.46 -\input{Misc/document/Option2.tex}
126.47 +\input{document/Option2.tex}
126.48
126.49 \section{Definitions}
126.50 \label{sec:Definitions}
126.51 @@ -252,9 +252,9 @@
126.52 \commdx{type\protect\_synonym} command:
126.53
126.54 \medskip
126.55 -\input{Misc/document/types.tex}
126.56 +\input{document/types.tex}
126.57
126.58 -\input{Misc/document/prime_def.tex}
126.59 +\input{document/prime_def.tex}
126.60
126.61
126.62 \section{The Definitional Approach}
126.63 @@ -331,19 +331,19 @@
126.64 can be coded and installed, but they are definitely not a matter for this
126.65 tutorial.
126.66
126.67 -\input{Misc/document/simp.tex}
126.68 +\input{document/simp.tex}
126.69
126.70 \index{simplification|)}
126.71
126.72 -\input{Misc/document/Itrev.tex}
126.73 +\input{document/Itrev.tex}
126.74 \begin{exercise}
126.75 -\input{Misc/document/Plus.tex}%
126.76 +\input{document/Plus.tex}%
126.77 \end{exercise}
126.78 \begin{exercise}
126.79 -\input{Misc/document/Tree2.tex}%
126.80 +\input{document/Tree2.tex}%
126.81 \end{exercise}
126.82
126.83 -\input{CodeGen/document/CodeGen.tex}
126.84 +\input{document/CodeGen.tex}
126.85
126.86
126.87 \section{Advanced Datatypes}
126.88 @@ -360,12 +360,12 @@
126.89 \subsection{Mutual Recursion}
126.90 \label{sec:datatype-mut-rec}
126.91
126.92 -\input{Datatype/document/ABexpr.tex}
126.93 +\input{document/ABexpr.tex}
126.94
126.95 \subsection{Nested Recursion}
126.96 \label{sec:nested-datatype}
126.97
126.98 -{\makeatother\input{Datatype/document/Nested.tex}}
126.99 +{\makeatother\input{document/Nested.tex}}
126.100
126.101
126.102 \subsection{The Limits of Nested Recursion}
126.103 @@ -392,7 +392,7 @@
126.104 infinitely branching tree is accepted:
126.105 \smallskip
126.106
126.107 -\input{Datatype/document/Fundata.tex}
126.108 +\input{document/Fundata.tex}
126.109
126.110 If you need nested recursion on the left of a function arrow, there are
126.111 alternatives to pure HOL\@. In the Logic for Computable Functions
126.112 @@ -462,7 +462,7 @@
126.113 information is stored only in the final node associated with the string, many
126.114 nodes do not carry any value. This distinction is modeled with the help
126.115 of the predefined datatype \isa{option} (see {\S}\ref{sec:option}).
126.116 -\input{Trie/document/Trie.tex}
126.117 +\input{document/Trie.tex}
126.118 \index{tries|)}
126.119
126.120 \section{Total Recursive Functions: \isacommand{fun}}
126.121 @@ -479,6 +479,6 @@
126.122 supplied termination proofs, nested recursion and partiality, are discussed
126.123 in a separate tutorial~\cite{isabelle-function}.
126.124
126.125 -\input{Fun/document/fun0.tex}
126.126 +\input{document/fun0.tex}
126.127
126.128 \index{fun@\isacommand {fun} (command)|)}\index{functions!total|)}
127.1 --- a/doc-src/TutorialI/settings.ML Thu Jul 26 16:08:16 2012 +0200
127.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
127.3 @@ -1,1 +0,0 @@
127.4 -Thy_Output.indent_default := 5;
128.1 --- a/doc-src/ZF/FOL_examples.thy Thu Jul 26 16:08:16 2012 +0200
128.2 +++ b/doc-src/ZF/FOL_examples.thy Thu Jul 26 19:59:06 2012 +0200
128.3 @@ -1,6 +1,6 @@
128.4 header{*Examples of Classical Reasoning*}
128.5
128.6 -theory FOL_examples imports FOL begin
128.7 +theory FOL_examples imports "~~/src/FOL/FOL" begin
128.8
128.9 lemma "EX y. ALL x. P(y)-->P(x)"
128.10 --{* @{subgoals[display,indent=0,margin=65]} *}
129.1 --- a/doc-src/ZF/IFOL_examples.thy Thu Jul 26 16:08:16 2012 +0200
129.2 +++ b/doc-src/ZF/IFOL_examples.thy Thu Jul 26 19:59:06 2012 +0200
129.3 @@ -1,6 +1,6 @@
129.4 header{*Examples of Intuitionistic Reasoning*}
129.5
129.6 -theory IFOL_examples imports IFOL begin
129.7 +theory IFOL_examples imports "~~/src/FOL/IFOL" begin
129.8
129.9 text{*Quantifier example from the book Logic and Computation*}
129.10 lemma "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))"
130.1 --- a/doc-src/ZF/If.thy Thu Jul 26 16:08:16 2012 +0200
130.2 +++ b/doc-src/ZF/If.thy Thu Jul 26 19:59:06 2012 +0200
130.3 @@ -5,7 +5,7 @@
130.4 First-Order Logic: the 'if' example.
130.5 *)
130.6
130.7 -theory If imports FOL begin
130.8 +theory If imports "~~/src/FOL/FOL" begin
130.9
130.10 definition "if" :: "[o,o,o]=>o" where
130.11 "if(P,Q,R) == P&Q | ~P&R"
131.1 --- a/etc/options Thu Jul 26 16:08:16 2012 +0200
131.2 +++ b/etc/options Thu Jul 26 19:59:06 2012 +0200
131.3 @@ -1,13 +1,12 @@
131.4 (* :mode=isabelle-options: *)
131.5
131.6 declare browser_info : bool = false
131.7 -declare browser_info_remote : string = ""
131.8
131.9 declare document : string = ""
131.10 declare document_variants : string = "outline=/proof,/ML"
131.11 declare document_graph : bool = false
131.12 declare document_dump : string = ""
131.13 -declare document_dump_only : bool = false
131.14 +declare document_dump_mode : string = "all"
131.15 declare no_document : bool = false
131.16
131.17 declare threads : int = 0
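Review bot: `declare document_dump_mode : string = "all"` introduces a free-form string option whose accepted values are recorded nowhere in this file, so a misspelled mode in a session's options or in a `-o` override can only be caught wherever the string is eventually interpreted. A one-line comment above the declaration would give ROOT authors something to check against, e.g. `(* document_dump_mode: one of "all", <other recognised modes> *)` with the remaining modes filled in from the consumer. The removed `document_dump_only` bool also means any ROOT or override that still names it now refers to an undeclared option; whether that is reported or silently dropped depends on the option parser, which this diff does not show.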
131.18 @@ -28,5 +27,13 @@
131.19 declare names_short : bool = false
131.20 declare names_unique : bool = true
131.21
131.22 +declare pretty_margin : int = 76
131.23 +
131.24 +declare thy_output_display : bool = false
131.25 +declare thy_output_quotes : bool = false
131.26 +declare thy_output_indent : int = 0
131.27 +declare thy_output_source : bool = false
131.28 +declare thy_output_break : bool = false
131.29 +
131.30 declare timing : bool = false
131.31
132.1 --- a/lib/Tools/build Thu Jul 26 16:08:16 2012 +0200
132.2 +++ b/lib/Tools/build Thu Jul 26 19:59:06 2012 +0200
132.3 @@ -27,8 +27,9 @@
132.4 echo
132.5 echo " Options are:"
132.6 echo " -a all sessions"
132.7 - echo " -b build target images"
132.8 - echo " -d DIR additional session directory with ROOT file"
132.9 + echo " -b build heap images"
132.10 + echo " -d DIR include session directory with ROOT file"
132.11 + echo " -g NAME include session group NAME"
132.12 echo " -j INT maximum number of jobs (default 1)"
132.13 echo " -n no build -- test dependencies only"
132.14 echo " -o OPTION override session configuration OPTION (via NAME=VAL or NAME)"
132.15 @@ -57,28 +58,31 @@
132.16 ## process command line
132.17
132.18 ALL_SESSIONS=false
132.19 -BUILD_IMAGES=false
132.20 +BUILD_HEAP=false
132.21 +declare -a MORE_DIRS=()
132.22 +declare -a SESSION_GROUPS=()
132.23 MAX_JOBS=1
132.24 NO_BUILD=false
132.25 +eval "declare -a BUILD_OPTIONS=($ISABELLE_BUILD_OPTIONS)"
132.26 SYSTEM_MODE=false
132.27 TIMING=false
132.28 VERBOSE=false
132.29
132.30 -declare -a MORE_DIRS=()
132.31 -eval "declare -a BUILD_OPTIONS=($ISABELLE_BUILD_OPTIONS)"
132.32 -
132.33 -while getopts "abd:j:no:stv" OPT
132.34 +while getopts "abd:g:j:no:stv" OPT
132.35 do
132.36 case "$OPT" in
132.37 a)
132.38 ALL_SESSIONS="true"
132.39 ;;
132.40 b)
132.41 - BUILD_IMAGES="true"
132.42 + BUILD_HEAP="true"
132.43 ;;
132.44 d)
132.45 MORE_DIRS["${#MORE_DIRS[@]}"]="$OPTARG"
132.46 ;;
132.47 + g)
132.48 + SESSION_GROUPS["${#SESSION_GROUPS[@]}"]="$OPTARG"
132.49 + ;;
132.50 j)
132.51 check_number "$OPTARG"
132.52 MAX_JOBS="$OPTARG"
132.53 @@ -122,8 +126,8 @@
132.54 fi
132.55
132.56 "$ISABELLE_TOOL" java isabelle.Build \
132.57 - "$ALL_SESSIONS" "$BUILD_IMAGES" "$MAX_JOBS" "$NO_BUILD" "$SYSTEM_MODE" "$TIMING" \
132.58 - "$VERBOSE" "${MORE_DIRS[@]}" $'\n' "${BUILD_OPTIONS[@]}" $'\n' "$@"
132.59 + "$ALL_SESSIONS" "$BUILD_HEAP" "$MAX_JOBS" "$NO_BUILD" "$SYSTEM_MODE" "$TIMING" "$VERBOSE" \
132.60 + "${MORE_DIRS[@]}" $'\n' "${SESSION_GROUPS[@]}" $'\n' "${BUILD_OPTIONS[@]}" $'\n' "$@"
132.61 RC="$?"
132.62
132.63 if [ "$NO_BUILD" = false ]; then
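Review bot: The argument vector handed to isabelle.Build now uses a bare `$'\n'` element as the delimiter between the MORE_DIRS, SESSION_GROUPS, BUILD_OPTIONS and session lists, so any single element that itself contains a newline (a `-d` directory, a `-g` group name, an `-o` override, an entry expanded from ISABELLE_BUILD_OPTIONS) shifts every following list by one on the receiving side. Nothing in the getopts loop of the preceding hunk rejects such values, including the new `g)` branch. A guard before the invocation keeps the framing sound: `for ARG in "${MORE_DIRS[@]}" "${SESSION_GROUPS[@]}" "${BUILD_OPTIONS[@]}" "$@"; do case "$ARG" in *$'\n'*) echo "Illegal newline in argument" >&2; exit 2 ;; esac; done`. Whether the Scala side already validates this cannot be seen from the diff.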
133.1 --- a/lib/Tools/latex Thu Jul 26 16:08:16 2012 +0200
133.2 +++ b/lib/Tools/latex Thu Jul 26 19:59:06 2012 +0200
133.3 @@ -62,8 +62,8 @@
133.4
133.5 # root file
133.6
133.7 -DIR=$(dirname "$FILE")
133.8 -FILEBASE=$(basename "$FILE" .tex)
133.9 +DIR="$(dirname "$FILE")"
133.10 +FILEBASE="$(basename "$FILE" .tex)"
133.11 [ "$DIR" = . ] || FILEBASE="$DIR/$FILEBASE"
133.12
133.13 function check_root () { [ -f "$FILEBASE.tex" ] || fail "Bad file '$FILE'"; }
134.1 --- a/src/HOL/ROOT Thu Jul 26 16:08:16 2012 +0200
134.2 +++ b/src/HOL/ROOT Thu Jul 26 19:59:06 2012 +0200
134.3 @@ -1,4 +1,4 @@
134.4 -session HOL! (1) in "." = Pure +
134.5 +session HOL! (main) in "." = Pure +
134.6 description {* Classical Higher-order Logic *}
134.7 options [document_graph]
134.8 theories Complex_Main
134.9 @@ -19,8 +19,8 @@
134.10 options [document = false]
134.11 theories Main
134.12
134.13 -session "HOL-Proofs"! (4) in "." = Pure +
134.14 - description {* HOL-Main with proof terms *}
134.15 +session "HOL-Proofs"! in "." = Pure +
134.16 + description {* HOL-Main with explicit proof terms *}
134.17 options [document = false, proofs = 2, parallel_proofs = 0]
134.18 theories Main
134.19
134.20 @@ -571,7 +571,7 @@
134.21 "ex/Koepf_Duermuth_Countermeasure"
134.22 files "document/root.tex"
134.23
134.24 -session Nominal (2) = HOL +
134.25 +session Nominal (main) = HOL +
134.26 options [document = false]
134.27 theories Nominal
134.28
134.29 @@ -760,7 +760,7 @@
134.30 Predicate_Compile_Tests
134.31 Specialisation_Examples
134.32
134.33 -session HOLCF! (3) = HOL +
134.34 +session HOLCF! (main) = HOL +
134.35 description {*
134.36 Author: Franz Regensburger
134.37 Author: Brian Huffman
135.1 --- a/src/Pure/General/graph.scala Thu Jul 26 16:08:16 2012 +0200
135.2 +++ b/src/Pure/General/graph.scala Thu Jul 26 19:59:06 2012 +0200
135.3 @@ -39,6 +39,7 @@
135.4 /* graphs */
135.5
135.6 def is_empty: Boolean = rep.isEmpty
135.7 + def defined(x: Key): Boolean = rep.isDefinedAt(x)
135.8
135.9 def entries: Iterator[(Key, Entry)] = rep.iterator
135.10 def keys: Iterator[Key] = entries.map(_._1)
135.11 @@ -155,8 +156,7 @@
135.12 /* edge operations */
135.13
135.14 def is_edge(x: Key, y: Key): Boolean =
135.15 - try { imm_succs(x)(y) }
135.16 - catch { case _: Graph.Undefined[_] => false }
135.17 + defined(x) && defined(y) && imm_succs(x)(y)
135.18
135.19 def add_edge(x: Key, y: Key): Graph[Key, A] =
135.20 if (is_edge(x, y)) this
136.1 --- a/src/Pure/ROOT Thu Jul 26 16:08:16 2012 +0200
136.2 +++ b/src/Pure/ROOT Thu Jul 26 19:59:06 2012 +0200
136.3 @@ -21,5 +21,233 @@
136.4
136.5 session Pure in "." =
136.6 theories Pure
136.7 - files "ROOT.ML" (* FIXME *)
136.8 + files
136.9 + "General/exn.ML"
136.10 + "ML-Systems/compiler_polyml.ML"
136.11 + "ML-Systems/ml_name_space.ML"
136.12 + "ML-Systems/ml_pretty.ML"
136.13 + "ML-Systems/ml_system.ML"
136.14 + "ML-Systems/multithreading.ML"
136.15 + "ML-Systems/multithreading_polyml.ML"
136.16 + "ML-Systems/overloading_smlnj.ML"
136.17 + "ML-Systems/polyml.ML"
136.18 + "ML-Systems/pp_dummy.ML"
136.19 + "ML-Systems/proper_int.ML"
136.20 + "ML-Systems/single_assignment.ML"
136.21 + "ML-Systems/single_assignment_polyml.ML"
136.22 + "ML-Systems/smlnj.ML"
136.23 + "ML-Systems/thread_dummy.ML"
136.24 + "ML-Systems/universal.ML"
136.25 + "ML-Systems/unsynchronized.ML"
136.26 + "ML-Systems/use_context.ML"
136.27
136.28 + "Concurrent/bash.ML"
136.29 + "Concurrent/bash_sequential.ML"
136.30 + "Concurrent/cache.ML"
136.31 + "Concurrent/future.ML"
136.32 + "Concurrent/lazy.ML"
136.33 + "Concurrent/lazy_sequential.ML"
136.34 + "Concurrent/mailbox.ML"
136.35 + "Concurrent/par_exn.ML"
136.36 + "Concurrent/par_list.ML"
136.37 + "Concurrent/par_list_sequential.ML"
136.38 + "Concurrent/simple_thread.ML"
136.39 + "Concurrent/single_assignment.ML"
136.40 + "Concurrent/single_assignment_sequential.ML"
136.41 + "Concurrent/synchronized.ML"
136.42 + "Concurrent/synchronized_sequential.ML"
136.43 + "Concurrent/task_queue.ML"
136.44 + "Concurrent/time_limit.ML"
136.45 + "General/alist.ML"
136.46 + "General/antiquote.ML"
136.47 + "General/balanced_tree.ML"
136.48 + "General/basics.ML"
136.49 + "General/binding.ML"
136.50 + "General/buffer.ML"
136.51 + "General/file.ML"
136.52 + "General/graph.ML"
136.53 + "General/heap.ML"
136.54 + "General/integer.ML"
136.55 + "General/linear_set.ML"
136.56 + "General/long_name.ML"
136.57 + "General/name_space.ML"
136.58 + "General/ord_list.ML"
136.59 + "General/output.ML"
136.60 + "General/path.ML"
136.61 + "General/position.ML"
136.62 + "General/pretty.ML"
136.63 + "General/print_mode.ML"
136.64 + "General/properties.ML"
136.65 + "General/queue.ML"
136.66 + "General/same.ML"
136.67 + "General/scan.ML"
136.68 + "General/secure.ML"
136.69 + "General/seq.ML"
136.70 + "General/sha1.ML"
136.71 + "General/sha1_polyml.ML"
136.72 + "General/source.ML"
136.73 + "General/stack.ML"
136.74 + "General/symbol.ML"
136.75 + "General/symbol_pos.ML"
136.76 + "General/table.ML"
136.77 + "General/timing.ML"
136.78 + "General/url.ML"
136.79 + "Isar/args.ML"
136.80 + "Isar/attrib.ML"
136.81 + "Isar/auto_bind.ML"
136.82 + "Isar/bundle.ML"
136.83 + "Isar/calculation.ML"
136.84 + "Isar/class.ML"
136.85 + "Isar/class_declaration.ML"
136.86 + "Isar/code.ML"
136.87 + "Isar/context_rules.ML"
136.88 + "Isar/element.ML"
136.89 + "Isar/expression.ML"
136.90 + "Isar/generic_target.ML"
136.91 + "Isar/isar_cmd.ML"
136.92 + "Isar/isar_syn.ML"
136.93 + "Isar/keyword.ML"
136.94 + "Isar/local_defs.ML"
136.95 + "Isar/local_theory.ML"
136.96 + "Isar/locale.ML"
136.97 + "Isar/method.ML"
136.98 + "Isar/named_target.ML"
136.99 + "Isar/object_logic.ML"
136.100 + "Isar/obtain.ML"
136.101 + "Isar/outer_syntax.ML"
136.102 + "Isar/overloading.ML"
136.103 + "Isar/parse.ML"
136.104 + "Isar/parse_spec.ML"
136.105 + "Isar/proof.ML"
136.106 + "Isar/proof_context.ML"
136.107 + "Isar/proof_display.ML"
136.108 + "Isar/proof_node.ML"
136.109 + "Isar/rule_cases.ML"
136.110 + "Isar/rule_insts.ML"
136.111 + "Isar/runtime.ML"
136.112 + "Isar/skip_proof.ML"
136.113 + "Isar/spec_rules.ML"
136.114 + "Isar/specification.ML"
136.115 + "Isar/token.ML"
136.116 + "Isar/toplevel.ML"
136.117 + "Isar/typedecl.ML"
136.118 + "ML/install_pp_polyml.ML"
136.119 + "ML/ml_antiquote.ML"
136.120 + "ML/ml_compiler.ML"
136.121 + "ML/ml_compiler_polyml.ML"
136.122 + "ML/ml_context.ML"
136.123 + "ML/ml_env.ML"
136.124 + "ML/ml_lex.ML"
136.125 + "ML/ml_parse.ML"
136.126 + "ML/ml_syntax.ML"
136.127 + "ML/ml_thms.ML"
136.128 + "PIDE/command.ML"
136.129 + "PIDE/document.ML"
136.130 + "PIDE/isabelle_markup.ML"
136.131 + "PIDE/markup.ML"
136.132 + "PIDE/protocol.ML"
136.133 + "PIDE/xml.ML"
136.134 + "PIDE/yxml.ML"
136.135 + "Proof/extraction.ML"
136.136 + "Proof/proof_checker.ML"
136.137 + "Proof/proof_rewrite_rules.ML"
136.138 + "Proof/proof_syntax.ML"
136.139 + "Proof/reconstruct.ML"
136.140 + "ProofGeneral/pgip.ML"
136.141 + "ProofGeneral/pgip_input.ML"
136.142 + "ProofGeneral/pgip_isabelle.ML"
136.143 + "ProofGeneral/pgip_markup.ML"
136.144 + "ProofGeneral/pgip_output.ML"
136.145 + "ProofGeneral/pgip_parser.ML"
136.146 + "ProofGeneral/pgip_tests.ML"
136.147 + "ProofGeneral/pgip_types.ML"
136.148 + "ProofGeneral/pgml.ML"
136.149 + "ProofGeneral/preferences.ML"
136.150 + "ProofGeneral/proof_general_emacs.ML"
136.151 + "ProofGeneral/proof_general_pgip.ML"
136.152 + "ROOT.ML"
136.153 + "Syntax/ast.ML"
136.154 + "Syntax/lexicon.ML"
136.155 + "Syntax/local_syntax.ML"
136.156 + "Syntax/mixfix.ML"
136.157 + "Syntax/parser.ML"
136.158 + "Syntax/printer.ML"
136.159 + "Syntax/simple_syntax.ML"
136.160 + "Syntax/syntax.ML"
136.161 + "Syntax/syntax_ext.ML"
136.162 + "Syntax/syntax_phases.ML"
136.163 + "Syntax/syntax_trans.ML"
136.164 + "Syntax/term_position.ML"
136.165 + "System/build.ML"
136.166 + "System/invoke_scala.ML"
136.167 + "System/isabelle_process.ML"
136.168 + "System/isabelle_system.ML"
136.169 + "System/isar.ML"
136.170 + "System/options.ML"
136.171 + "System/session.ML"
136.172 + "System/system_channel.ML"
136.173 + "Thy/html.ML"
136.174 + "Thy/latex.ML"
136.175 + "Thy/present.ML"
136.176 + "Thy/rail.ML"
136.177 + "Thy/term_style.ML"
136.178 + "Thy/thm_deps.ML"
136.179 + "Thy/thy_header.ML"
136.180 + "Thy/thy_info.ML"
136.181 + "Thy/thy_load.ML"
136.182 + "Thy/thy_output.ML"
136.183 + "Thy/thy_syntax.ML"
136.184 + "Tools/find_consts.ML"
136.185 + "Tools/find_theorems.ML"
136.186 + "Tools/named_thms.ML"
136.187 + "Tools/xml_syntax.ML"
136.188 + "assumption.ML"
136.189 + "axclass.ML"
136.190 + "config.ML"
136.191 + "conjunction.ML"
136.192 + "consts.ML"
136.193 + "context.ML"
136.194 + "context_position.ML"
136.195 + "conv.ML"
136.196 + "defs.ML"
136.197 + "display.ML"
136.198 + "drule.ML"
136.199 + "envir.ML"
136.200 + "facts.ML"
136.201 + "global_theory.ML"
136.202 + "goal.ML"
136.203 + "goal_display.ML"
136.204 + "interpretation.ML"
136.205 + "item_net.ML"
136.206 + "library.ML"
136.207 + "logic.ML"
136.208 + "more_thm.ML"
136.209 + "morphism.ML"
136.210 + "name.ML"
136.211 + "net.ML"
136.212 + "pattern.ML"
136.213 + "primitive_defs.ML"
136.214 + "proofterm.ML"
136.215 + "pure_setup.ML"
136.216 + "pure_thy.ML"
136.217 + "raw_simplifier.ML"
136.218 + "search.ML"
136.219 + "sign.ML"
136.220 + "simplifier.ML"
136.221 + "sorts.ML"
136.222 + "subgoal.ML"
136.223 + "tactic.ML"
136.224 + "tactical.ML"
136.225 + "term.ML"
136.226 + "term_ord.ML"
136.227 + "term_sharing.ML"
136.228 + "term_subst.ML"
136.229 + "term_xml.ML"
136.230 + "theory.ML"
136.231 + "thm.ML"
136.232 + "type.ML"
136.233 + "type_infer.ML"
136.234 + "type_infer_context.ML"
136.235 + "unify.ML"
136.236 + "variable.ML"
136.237 +
137.1 --- a/src/Pure/System/build.ML Thu Jul 26 16:08:16 2012 +0200
137.2 +++ b/src/Pure/System/build.ML Thu Jul 26 19:59:06 2012 +0200
137.3 @@ -35,6 +35,12 @@
137.4 |> Unsynchronized.setmp Name_Space.names_long_default (Options.bool options "names_long")
137.5 |> Unsynchronized.setmp Name_Space.names_short_default (Options.bool options "names_short")
137.6 |> Unsynchronized.setmp Name_Space.names_unique_default (Options.bool options "names_unique")
137.7 + |> Unsynchronized.setmp Thy_Output.display_default (Options.bool options "thy_output_display")
137.8 + |> Unsynchronized.setmp Thy_Output.quotes_default (Options.bool options "thy_output_quotes")
137.9 + |> Unsynchronized.setmp Thy_Output.indent_default (Options.int options "thy_output_indent")
137.10 + |> Unsynchronized.setmp Thy_Output.source_default (Options.bool options "thy_output_source")
137.11 + |> Unsynchronized.setmp Thy_Output.break_default (Options.bool options "thy_output_break")
137.12 + |> Unsynchronized.setmp Pretty.margin_default (Options.int options "pretty_margin")
137.13 |> Unsynchronized.setmp Toplevel.timing (Options.bool options "timing");
137.14
137.15 fun use_theories (options, thys) =
137.16 @@ -42,7 +48,7 @@
137.17 (case filter_out (can getenv_strict) condition of
137.18 [] => use_thys options thys
137.19 | conds =>
137.20 - Output.physical_stderr ("Ignoring theories " ^ commas_quote thys ^
137.21 + Output.physical_stderr ("Skipping theories " ^ commas_quote thys ^
137.22 " (undefined " ^ commas conds ^ ")\n"))
137.23 end;
137.24
137.25 @@ -50,7 +56,7 @@
137.26
137.27 fun build args_file =
137.28 let
137.29 - val (save, (options, (timing, (verbose, (browser_info, (parent_base_name,
137.30 + val (do_output, (options, (timing, (verbose, (browser_info, (parent_base_name,
137.31 (name, (base_name, theories)))))))) =
137.32 File.read (Path.explode args_file) |> YXML.parse_body |>
137.33 let open XML.Decode in
137.34 @@ -59,18 +65,17 @@
137.35 end;
137.36
137.37 val _ =
137.38 - Session.init save false
137.39 + Session.init do_output false
137.40 (Options.bool options "browser_info") browser_info
137.41 (Options.string options "document")
137.42 (Options.bool options "document_graph")
137.43 (space_explode ":" (Options.string options "document_variants"))
137.44 parent_base_name base_name
137.45 - (not (Options.bool options "document_dump_only"), Options.string options "document_dump")
137.46 - (Options.string options "browser_info_remote")
137.47 - verbose;
137.48 + (Options.string options "document_dump", Options.string options "document_dump_mode")
137.49 + "" verbose;
137.50 val _ = Session.with_timing name timing (List.app use_theories) theories;
137.51 val _ = Session.finish ();
137.52 - val _ = if save then () else quit ();
137.53 + val _ = if do_output then () else quit ();
137.54 in () end
137.55 handle exn => (Output.error_msg (ML_Compiler.exn_message exn); exit 1);
137.56
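Review bot: `"" verbose;` passes an anonymous empty string in the slot that previously carried `Options.string options "browser_info_remote"`, so a reader of the Session.init call now has to consult history to learn what that argument is. Either drop the parameter from Session.init (outside this diff) or annotate the literal in place: `"" (* browser_info_remote: option removed *) verbose;`. The new `document_dump_mode` string is likewise forwarded without any check here; if Session.init does not reject unknown modes, a typo in a ROOT options list will fall through silently, which is worth confirming on the callee side.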
138.1 --- a/src/Pure/System/build.scala Thu Jul 26 16:08:16 2012 +0200
138.2 +++ b/src/Pure/System/build.scala Thu Jul 26 19:59:06 2012 +0200
138.3 @@ -21,30 +21,11 @@
138.4
138.5 object Session
138.6 {
138.7 - /* Key */
138.8 -
138.9 - object Key
138.10 - {
138.11 - object Ordering extends scala.math.Ordering[Key]
138.12 - {
138.13 - def compare(key1: Key, key2: Key): Int =
138.14 - key1.order compare key2.order match {
138.15 - case 0 => key1.name compare key2.name
138.16 - case ord => ord
138.17 - }
138.18 - }
138.19 - }
138.20 -
138.21 - sealed case class Key(name: String, order: Int)
138.22 - {
138.23 - override def toString: String = name
138.24 - }
138.25 -
138.26 -
138.27 /* Info */
138.28
138.29 sealed case class Info(
138.30 base_name: String,
138.31 + groups: List[String],
138.32 dir: Path,
138.33 parent: Option[String],
138.34 parent_base_name: Option[String],
138.35 @@ -62,55 +43,49 @@
138.36 val empty: Queue = new Queue()
138.37 }
138.38
138.39 - final class Queue private(
138.40 - keys: Map[String, Key] = Map.empty,
138.41 - graph: Graph[Key, Info] = Graph.empty(Key.Ordering))
138.42 + final class Queue private(graph: Graph[String, Info] = Graph.string)
138.43 + extends PartialFunction[String, Info]
138.44 {
138.45 + def apply(name: String): Info = graph.get_node(name)
138.46 + def isDefinedAt(name: String): Boolean = graph.defined(name)
138.47 +
138.48 + def is_inner(name: String): Boolean = !graph.is_maximal(name)
138.49 +
138.50 def is_empty: Boolean = graph.is_empty
138.51
138.52 - def apply(name: String): Info = graph.get_node(keys(name))
138.53 - def defined(name: String): Boolean = keys.isDefinedAt(name)
138.54 - def is_inner(name: String): Boolean = !graph.is_maximal(keys(name))
138.55 -
138.56 - def + (key: Key, info: Info): Queue =
138.57 - {
138.58 - val keys1 =
138.59 - if (defined(key.name)) error("Duplicate session: " + quote(key.name))
138.60 - else keys + (key.name -> key)
138.61 -
138.62 - val graph1 =
138.63 - try {
138.64 - graph.new_node(key, info).add_deps_acyclic(key, info.parent.toList.map(keys(_)))
138.65 - }
138.66 + def + (name: String, info: Info): Queue =
138.67 + new Queue(
138.68 + try { graph.new_node(name, info).add_deps_acyclic(name, info.parent.toList) }
138.69 catch {
138.70 + case _: Graph.Duplicate[_] => error("Duplicate session: " + quote(name))
138.71 case exn: Graph.Cycles[_] =>
138.72 error(cat_lines(exn.cycles.map(cycle =>
138.73 "Cyclic session dependency of " +
138.74 - cycle.map(key => quote(key.toString)).mkString(" via "))))
138.75 - }
138.76 - new Queue(keys1, graph1)
138.77 - }
138.78 + cycle.map(c => quote(c.toString)).mkString(" via "))))
138.79 + })
138.80
138.81 - def - (name: String): Queue = new Queue(keys - name, graph.del_node(keys(name)))
138.82 + def - (name: String): Queue = new Queue(graph.del_node(name))
138.83
138.84 - def required(names: List[String]): Queue =
138.85 + def required(groups: List[String], names: List[String]): Queue =
138.86 {
138.87 - val req = graph.all_preds(names.map(keys(_))).map(_.name).toSet
138.88 - val keys1 = keys -- keys.keySet.filter(name => !req(name))
138.89 - val graph1 = graph.restrict(key => keys1.isDefinedAt(key.name))
138.90 - new Queue(keys1, graph1)
138.91 + val selected_group = groups.toSet
138.92 + val selected_name = names.toSet
138.93 + val selected =
138.94 + graph.keys.filter(name =>
138.95 + selected_name(name) || apply(name).groups.exists(selected_group)).toList
138.96 + new Queue(graph.restrict(graph.all_preds(selected).toSet))
138.97 }
138.98
138.99 def dequeue(skip: String => Boolean): Option[(String, Info)] =
138.100 {
138.101 val it = graph.entries.dropWhile(
138.102 - { case (key, (_, (deps, _))) => !deps.isEmpty || skip(key.name) })
138.103 - if (it.hasNext) { val (key, (info, _)) = it.next; Some((key.name, info)) }
138.104 + { case (name, (_, (deps, _))) => !deps.isEmpty || skip(name) })
138.105 + if (it.hasNext) { val (name, (info, _)) = it.next; Some((name, info)) }
138.106 else None
138.107 }
138.108
138.109 def topological_order: List[(String, Info)] =
138.110 - graph.topological_order.map(key => (key.name, graph.get_node(key)))
138.111 + graph.topological_order.map(name => (name, graph.get_node(name)))
138.112 }
138.113 }
138.114
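Review bot: `required` silently ignores a session group that matches no session — `selected_group` is only consulted through `groups.exists`, so a mistyped `-g NAME` selects nothing and the build finishes successfully having done no work, whereas undefined session names are rejected with "Undefined session(s)" by `find_sessions` in a later hunk of this file. A matching check at the start of `required` would keep the two selection paths consistent: `val unknown = selected_group -- graph.keys.flatMap(name => apply(name).groups).toSet` followed by `if (!unknown.isEmpty) error("Undefined session group(s): " + commas_quote(unknown.toList))`. Whether a warning is preferable to an error depends on how groups are meant to be shared across ROOT files, which this diff does not show.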
138.115 @@ -120,7 +95,7 @@
138.116 private case class Session_Entry(
138.117 name: String,
138.118 this_name: Boolean,
138.119 - order: Int,
138.120 + groups: List[String],
138.121 path: Option[String],
138.122 parent: Option[String],
138.123 description: String,
138.124 @@ -155,7 +130,7 @@
138.125
138.126 ((keyword(SESSION) ~! session_name) ^^ { case _ ~ x => x }) ~
138.127 (keyword("!") ^^^ true | success(false)) ~
138.128 - (keyword("(") ~! (nat <~ keyword(")")) ^^ { case _ ~ x => x } | success(Integer.MAX_VALUE)) ~
138.129 + (keyword("(") ~! (rep1(name) <~ keyword(")")) ^^ { case _ ~ x => x } | success(Nil)) ~
138.130 (opt(keyword(IN) ~! string ^^ { case _ ~ x => x })) ~
138.131 (keyword("=") ~> opt(session_name <~ keyword("+"))) ~
138.132 (keyword(DESCRIPTION) ~! text ^^ { case _ ~ x => x } | success("")) ~
138.133 @@ -197,7 +172,7 @@
138.134 }
138.135 else
138.136 entry.parent match {
138.137 - case Some(parent_name) if queue1.defined(parent_name) =>
138.138 + case Some(parent_name) if queue1.isDefinedAt(parent_name) =>
138.139 val full_name =
138.140 if (entry.this_name) entry.name
138.141 else parent_name + "-" + entry.name
138.142 @@ -212,8 +187,6 @@
138.143 case None => Path.basic(entry.name)
138.144 }
138.145
138.146 - val key = Session.Key(full_name, entry.order)
138.147 -
138.148 val session_options = options ++ entry.options
138.149
138.150 val theories =
138.151 @@ -223,10 +196,10 @@
138.152 val digest = SHA1.digest((full_name, entry.parent, entry.options, entry.theories).toString)
138.153
138.154 val info =
138.155 - Session.Info(entry.name, dir + path, entry.parent, parent_base_name,
138.156 + Session.Info(entry.name, entry.groups, dir + path, entry.parent, parent_base_name,
138.157 entry.description, session_options, theories, files, digest)
138.158
138.159 - queue1 + (key, info)
138.160 + queue1 + (full_name, info)
138.161 }
138.162 catch {
138.163 case ERROR(msg) =>
138.164 @@ -261,8 +234,8 @@
138.165 })
138.166 }
138.167
138.168 - def find_sessions(options: Options, all_sessions: Boolean, sessions: List[String],
138.169 - more_dirs: List[Path]): Session.Queue =
138.170 + def find_sessions(options: Options, more_dirs: List[Path],
138.171 + all_sessions: Boolean, session_groups: List[String], sessions: List[String]): Session.Queue =
138.172 {
138.173 var queue = Session.Queue.empty
138.174
138.175 @@ -276,12 +249,12 @@
138.176
138.177 for (dir <- more_dirs) queue = sessions_dir(options, true, dir, queue)
138.178
138.179 - sessions.filter(name => !queue.defined(name)) match {
138.180 + sessions.filter(name => !queue.isDefinedAt(name)) match {
138.181 case Nil =>
138.182 case bad => error("Undefined session(s): " + commas_quote(bad))
138.183 }
138.184
138.185 - if (all_sessions) queue else queue.required(sessions)
138.186 + if (all_sessions) queue else queue.required(session_groups, sessions)
138.187 }
138.188
138.189
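Review bot: The `Undefined session(s)` check on the new `sessions.filter(name => !queue.isDefinedAt(name))` line covers explicit session names but not `session_groups`, so a misspelled group handed to `queue.required(session_groups, sessions)` appears to select nothing and the build exits successfully having done no work (the `required` implementation at the top of this page filters on `groups.exists(selected_group)` and reports nothing; the part of it cut off above may differ). I would validate groups the same way, before the `required` call, collecting the known names from the queue's entries via the `topological_order` accessor already defined on `Queue`. The `info.groups` field is grounded in the `apply(name).groups` use above, but its exact name on `Session.Info` should be confirmed against the case class, which is not on this page.

```scala
      for (dir <- more_dirs) queue = sessions_dir(options, true, dir, queue)

      val known_groups =
        queue.topological_order.flatMap({ case (_, info) => info.groups }).toSet
      session_groups.filterNot(known_groups) match {
        case Nil =>
        case bad => error("Undefined session group(s): " + commas_quote(bad))
      }

      // … unchanged: undefined-session check and all_sessions / required selection …
```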
138.190 @@ -347,7 +320,7 @@
138.191 /* jobs */
138.192
138.193 private class Job(cwd: JFile, env: Map[String, String], script: String, args: String,
138.194 - val output_path: Option[Path])
138.195 + output: Path, do_output: Boolean)
138.196 {
138.197 private val args_file = File.tmp_file("args")
138.198 private val env1 = env + ("ARGS_FILE" -> Isabelle_System.posix_path(args_file.getPath))
138.199 @@ -359,9 +332,10 @@
138.200 def terminate: Unit = thread.interrupt
138.201 def is_finished: Boolean = result.is_finished
138.202 def join: (String, String, Int) = { val res = result.join; args_file.delete; res }
138.203 + def output_path: Option[Path] = if (do_output) Some(output) else None
138.204 }
138.205
138.206 - private def start_job(name: String, info: Session.Info, output_path: Option[Path],
138.207 + private def start_job(name: String, info: Session.Info, output: Path, do_output: Boolean,
138.208 options: Options, timing: Boolean, verbose: Boolean, browser_info: Path): Job =
138.209 {
138.210 // global browser info dir
138.211 @@ -379,21 +353,26 @@
138.212 val parent = info.parent.getOrElse("")
138.213 val parent_base_name = info.parent_base_name.getOrElse("")
138.214
138.215 - val output =
138.216 - output_path match { case Some(p) => Isabelle_System.standard_path(p) case None => "" }
138.217 -
138.218 val cwd = info.dir.file
138.219 - val env = Map("INPUT" -> parent, "TARGET" -> name, "OUTPUT" -> output)
138.220 + val env =
138.221 + Map("INPUT" -> parent, "TARGET" -> name, "OUTPUT" -> Isabelle_System.standard_path(output))
138.222 val script =
138.223 - if (is_pure(name)) "./build " + name + " \"$OUTPUT\""
138.224 + if (is_pure(name)) {
138.225 + if (do_output) "./build " + name + " \"$OUTPUT\""
138.226 + else """ rm -f "$OUTPUT"; ./build """ + name
138.227 + }
138.228 else {
138.229 """
138.230 . "$ISABELLE_HOME/lib/scripts/timestart.bash"
138.231 """ +
138.232 - (if (output_path.isDefined)
138.233 - """ "$ISABELLE_PROCESS" -e "Build.build \"$ARGS_FILE\";" -q -w "$INPUT" "$OUTPUT" """
138.234 + (if (do_output)
138.235 + """
138.236 + "$ISABELLE_PROCESS" -e "Build.build \"$ARGS_FILE\";" -q -w "$INPUT" "$OUTPUT"
138.237 + """
138.238 else
138.239 - """ "$ISABELLE_PROCESS" -e "Build.build \"$ARGS_FILE\";" -r -q "$INPUT" """) +
138.240 + """
138.241 + rm -f "$OUTPUT"; "$ISABELLE_PROCESS" -e "Build.build \"$ARGS_FILE\";" -r -q "$INPUT"
138.242 + """) +
138.243 """
138.244 RC="$?"
138.245
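Review bot: In the pure-session branch the session `name` is still spliced into the shell script text unquoted (`"./build " + name + " \"$OUTPUT\""` and `""" rm -f "$OUTPUT"; ./build """ + name`) even though the same value is exported as `$TARGET` in the `env` map a few lines above; reading it from the environment the way `$OUTPUT` and `$INPUT` already are keeps every dynamic value out of the script body. `is_pure` presumably limits this to the Pure session so the practical exposure is small, but it is the only remaining place where the script is assembled by concatenation: `if (do_output) "./build \"$TARGET\" \"$OUTPUT\"" else "rm -f \"$OUTPUT\"; ./build \"$TARGET\""`. The `rm -f "$OUTPUT"` prefix is now duplicated across the pure and non-pure branches; a single `val cleanup = if (do_output) "" else "rm -f \"$OUTPUT\"; "` prepended to both would keep the stale-heap removal policy in one place. `start_job` continues past the end of this hunk.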
138.246 @@ -411,10 +390,10 @@
138.247 import XML.Encode._
138.248 pair(bool, pair(Options.encode, pair(bool, pair(bool, pair(Path.encode, pair(string,
138.249 pair(string, pair(string, list(pair(Options.encode, list(Path.encode)))))))))))(
138.250 - (output_path.isDefined, (options, (timing, (verbose, (browser_info, (parent_base_name,
138.251 + (do_output, (options, (timing, (verbose, (browser_info, (parent_base_name,
138.252 (name, (info.base_name, info.theories)))))))))
138.253 }
138.254 - new Job(cwd, env, script, YXML.string_of_body(args_xml), output_path)
138.255 + new Job(cwd, env, script, YXML.string_of_body(args_xml), output, do_output)
138.256 }
138.257
138.258
138.259 @@ -456,12 +435,21 @@
138.260
138.261 /* build */
138.262
138.263 - def build(all_sessions: Boolean, build_images: Boolean, max_jobs: Int,
138.264 - no_build: Boolean, system_mode: Boolean, timing: Boolean, verbose: Boolean,
138.265 - more_dirs: List[Path], more_options: List[String], sessions: List[String]): Int =
138.266 + def build(
138.267 + all_sessions: Boolean = false,
138.268 + build_heap: Boolean = false,
138.269 + more_dirs: List[Path] = Nil,
138.270 + session_groups: List[String] = Nil,
138.271 + max_jobs: Int = 1,
138.272 + no_build: Boolean = false,
138.273 + build_options: List[String] = Nil,
138.274 + system_mode: Boolean = false,
138.275 + timing: Boolean = false,
138.276 + verbose: Boolean = false,
138.277 + sessions: List[String] = Nil): Int =
138.278 {
138.279 - val options = (Options.init() /: more_options)(_.define_simple(_))
138.280 - val queue = find_sessions(options, all_sessions, sessions, more_dirs)
138.281 + val options = (Options.init() /: build_options)(_.define_simple(_))
138.282 + val queue = find_sessions(options, more_dirs, all_sessions, session_groups, sessions)
138.283 val deps = dependencies(verbose, queue)
138.284
138.285 def make_stamp(name: String): String =
138.286 @@ -514,27 +502,29 @@
138.287 { // check/start next job
138.288 pending.dequeue(running.isDefinedAt(_)) match {
138.289 case Some((name, info)) =>
138.290 - val output =
138.291 - if (build_images || queue.is_inner(name))
138.292 - Some(output_dir + Path.basic(name))
138.293 - else None
138.294 + val parents_ok = info.parent.map(results(_)).forall(_ == 0)
138.295
138.296 - val current =
138.297 + val output = output_dir + Path.basic(name)
138.298 + val do_output = build_heap || queue.is_inner(name)
138.299 +
138.300 + val all_current =
138.301 {
138.302 input_dirs.find(dir => (dir + log_gz(name)).file.isFile) match {
138.303 case Some(dir) =>
138.304 check_stamps(dir, name) match {
138.305 - case Some((s, h)) => s == make_stamp(name) && (h || output.isEmpty)
138.306 + case Some((s, h)) => s == make_stamp(name) && (h || !do_output)
138.307 case None => false
138.308 }
138.309 case None => false
138.310 }
138.311 - }
138.312 - if (current || no_build)
138.313 - loop(pending - name, running, results + (name -> (if (current) 0 else 1)))
138.314 - else if (info.parent.map(results(_)).forall(_ == 0)) {
138.315 - echo((if (output.isDefined) "Building " else "Running ") + name + " ...")
138.316 - val job = start_job(name, info, output, info.options, timing, verbose, browser_info)
138.317 + } && parents_ok
138.318 +
138.319 + if (all_current || no_build)
138.320 + loop(pending - name, running, results + (name -> (if (all_current) 0 else 1)))
138.321 + else if (parents_ok) {
138.322 + echo((if (do_output) "Building " else "Running ") + name + " ...")
138.323 + val job =
138.324 + start_job(name, info, output, do_output, info.options, timing, verbose, browser_info)
138.325 loop(pending, running + (name -> job), results)
138.326 }
138.327 else {
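Review bot: `val output = output_dir + Path.basic(name)` is now computed for every dequeued session, including those where `do_output` is false and no heap is written, and without a comment a reader will assume it is unused in that case; judging from `start_job` on this page it is passed so the job's script can `rm -f` a stale image at that path. I would annotate the pair: `// heap image path; when do_output is false the job deletes any stale image here instead of writing one`. The `all_current` expression is also three `match` levels deep with `&& parents_ok` appended after the closing brace, so the three-way decision below (skip / start / defer) is hard to read; hoisting it into a small `def is_current(name: String, do_output: Boolean): Boolean` next to `make_stamp` would let the dequeue branch read as `if (is_current(name, do_output) && parents_ok || no_build) … else if (parents_ok) …`. The enclosing `loop` starts and ends outside this hunk.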
138.328 @@ -565,15 +555,15 @@
138.329 args.toList match {
138.330 case
138.331 Properties.Value.Boolean(all_sessions) ::
138.332 - Properties.Value.Boolean(build_images) ::
138.333 + Properties.Value.Boolean(build_heap) ::
138.334 Properties.Value.Int(max_jobs) ::
138.335 Properties.Value.Boolean(no_build) ::
138.336 Properties.Value.Boolean(system_mode) ::
138.337 Properties.Value.Boolean(timing) ::
138.338 Properties.Value.Boolean(verbose) ::
138.339 - Command_Line.Chunks(more_dirs, options, sessions) =>
138.340 - build(all_sessions, build_images, max_jobs, no_build, system_mode, timing,
138.341 - verbose, more_dirs.map(Path.explode), options, sessions)
138.342 + Command_Line.Chunks(more_dirs, session_groups, build_options, sessions) =>
138.343 + build(all_sessions, build_heap, more_dirs.map(Path.explode), session_groups,
138.344 + max_jobs, no_build, build_options, system_mode, timing, verbose, sessions)
138.345 case _ => error("Bad arguments:\n" + cat_lines(args))
138.346 }
138.347 }
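Review bot: The rebuilt `build(...)` call passes eleven positional arguments, six of them `Boolean` and three of them `List[String]` (`more_dirs` after `Path.explode` is the odd one out), so a transposition among `session_groups`, `build_options` and `sessions` would still type-check and only show up as a confusing "Undefined session(s)" error at run time. Since `build` now declares a default for every parameter, this is the natural place to use named arguments, e.g. `build(all_sessions = all_sessions, build_heap = build_heap, more_dirs = more_dirs.map(Path.explode), session_groups = session_groups, max_jobs = max_jobs, no_build = no_build, build_options = build_options, system_mode = system_mode, timing = timing, verbose = verbose, sessions = sessions)`, which also decouples the call from any future reordering of the parameter list. The `Command_Line.Chunks` extractor that produces the four lists is defined elsewhere and its arity is not checked here beyond the pattern match.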
139.1 --- a/src/Pure/System/session.ML Thu Jul 26 16:08:16 2012 +0200
139.2 +++ b/src/Pure/System/session.ML Thu Jul 26 19:59:06 2012 +0200
139.3 @@ -11,7 +11,7 @@
139.4 val welcome: unit -> string
139.5 val finish: unit -> unit
139.6 val init: bool -> bool -> bool -> string -> string -> bool -> string list ->
139.7 - string -> string -> bool * string -> string -> bool -> unit
139.8 + string -> string -> string * string -> string -> bool -> unit
139.9 val with_timing: string -> bool -> ('a -> 'b) -> 'a -> 'b
139.10 val use_dir: string -> string -> bool -> string list -> bool -> bool -> string ->
139.11 string -> bool -> string list -> string -> string -> bool * string ->
139.12 @@ -85,17 +85,6 @@
139.13
139.14 (* use_dir *)
139.15
139.16 -fun get_rpath rpath =
139.17 - (if rpath = "" then () else
139.18 - if is_some (! remote_path) then
139.19 - error "Path for remote theory browsing information may only be set once"
139.20 - else
139.21 - remote_path := SOME (Url.explode rpath);
139.22 - (! remote_path, rpath <> ""));
139.23 -
139.24 -fun dumping (_, "") = NONE
139.25 - | dumping (cp, path) = SOME (cp, Path.explode path);
139.26 -
139.27 fun with_timing _ false f x = f x
139.28 | with_timing item true f x =
139.29 let
139.30 @@ -110,17 +99,32 @@
139.31 Timing.message timing ^ ", factor " ^ factor ^ ")\n");
139.32 in y end;
139.33
139.34 -fun init build reset info info_path doc doc_graph doc_variants parent name dump rpath verbose =
139.35 +fun get_rpath rpath =
139.36 + (if rpath = "" then () else
139.37 + if is_some (! remote_path) then
139.38 + error "Path for remote theory browsing information may only be set once"
139.39 + else
139.40 + remote_path := SOME (Url.explode rpath);
139.41 + (! remote_path, rpath <> ""));
139.42 +
139.43 +fun init build reset info info_path doc doc_graph doc_variants parent name doc_dump rpath verbose =
139.44 (init_name reset parent name;
139.45 Present.init build info info_path (if doc = "false" then "" else doc) doc_graph doc_variants
139.46 - (path ()) name (dumping dump) (get_rpath rpath) verbose
139.47 + (path ()) name doc_dump (get_rpath rpath) verbose
139.48 (map Thy_Info.get_theory (Thy_Info.get_names ())));
139.49
139.50 +local
139.51 +
139.52 +fun doc_dump (cp, dump) = (dump, if cp then "all" else "tex+sty");
139.53 +
139.54 +in
139.55 +
139.56 fun use_dir item root build modes reset info info_path doc doc_graph doc_variants parent
139.57 name dump rpath level timing verbose max_threads trace_threads
139.58 parallel_proofs parallel_proofs_threshold =
139.59 ((fn () =>
139.60 - (init build reset info info_path doc doc_graph doc_variants parent name dump rpath verbose;
139.61 + (init build reset info info_path doc doc_graph doc_variants parent name
139.62 + (doc_dump dump) rpath verbose;
139.63 with_timing item timing use root;
139.64 finish ()))
139.65 |> Unsynchronized.setmp Proofterm.proofs level
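Review bot: The new `fun doc_dump (cp, dump) = (dump, if cp then "all" else "tex+sty")` encodes the dump mode as a bare string whose accepted values (`"all"`, `"tex+sty"`, `"tex"`) are only discoverable from `Present.finish` in present.ML further down this page, and neither this helper nor the changed `init` signature (`string * string`) names them. A comment at the definition would save the next reader the search: `(* document dump as (prefix, mode); mode is "all", "tex+sty" or "tex" and is interpreted by Present.finish -- the legacy use_dir path never produces "tex" *)`. It is also worth noting that `get_rpath` was moved, not changed, since the diff shows it as a deletion plus insertion.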
139.66 @@ -134,3 +138,5 @@
139.67 handle exn => (Output.error_msg (ML_Compiler.exn_message exn); exit 1);
139.68
139.69 end;
139.70 +
139.71 +end;
140.1 --- a/src/Pure/Thy/present.ML Thu Jul 26 16:08:16 2012 +0200
140.2 +++ b/src/Pure/Thy/present.ML Thu Jul 26 19:59:06 2012 +0200
140.3 @@ -18,7 +18,7 @@
140.4 val display_graph: {name: string, ID: string, dir: string, unfold: bool,
140.5 path: string, parents: string list} list -> unit
140.6 val init: bool -> bool -> string -> string -> bool -> string list -> string list ->
140.7 - string -> (bool * Path.T) option -> Url.T option * bool -> bool ->
140.8 + string -> string * string -> Url.T option * bool -> bool ->
140.9 theory list -> unit (*not thread-safe!*)
140.10 val finish: unit -> unit (*not thread-safe!*)
140.11 val init_theory: string -> unit
140.12 @@ -210,15 +210,15 @@
140.13 type session_info =
140.14 {name: string, parent: string, session: string, path: string list, html_prefix: Path.T,
140.15 info: bool, doc_format: string, doc_graph: bool, documents: (string * string) list,
140.16 - dump_prefix: (bool * Path.T) option, remote_path: Url.T option, verbose: bool,
140.17 + doc_dump: (string * string), remote_path: Url.T option, verbose: bool,
140.18 readme: Path.T option};
140.19
140.20 fun make_session_info
140.21 (name, parent, session, path, html_prefix, info, doc_format, doc_graph, documents,
140.22 - dump_prefix, remote_path, verbose, readme) =
140.23 + doc_dump, remote_path, verbose, readme) =
140.24 {name = name, parent = parent, session = session, path = path, html_prefix = html_prefix,
140.25 info = info, doc_format = doc_format, doc_graph = doc_graph, documents = documents,
140.26 - dump_prefix = dump_prefix, remote_path = remote_path, verbose = verbose,
140.27 + doc_dump = doc_dump, remote_path = remote_path, verbose = verbose,
140.28 readme = readme}: session_info;
140.29
140.30
140.31 @@ -273,9 +273,9 @@
140.32
140.33 fun name_of_session elems = space_implode "/" ("Isabelle" :: elems);
140.34
140.35 -fun init build info info_path doc doc_graph doc_variants path name dump_prefix
140.36 - (remote_path, first_time) verbose thys =
140.37 - if not build andalso not info andalso doc = "" andalso is_none dump_prefix then
140.38 +fun init build info info_path doc doc_graph doc_variants path name
140.39 + (doc_dump as (dump_prefix, _)) (remote_path, first_time) verbose thys =
140.40 + if not build andalso not info andalso doc = "" andalso dump_prefix = "" then
140.41 (browser_info := empty_browser_info; session_info := NONE)
140.42 else
140.43 let
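Review bot: `init` now receives the dump mode but discards it (`doc_dump as (dump_prefix, _)`) and keeps `dump_prefix` as a raw string, so an unknown `document_dump_mode` or an unparsable `document_dump` path is only reported from `finish`, after every theory of the session has been processed; the removed `dumping` helper in session.ML ran `Path.explode` before `init` and caught the path case up front. I would fail fast here, inside the `let` that opens at the end of this hunk, binding `dump_mode` in the pattern instead of `_`: `val _ = if dump_prefix = "" then () else ignore (Path.explode dump_prefix);` and `val _ = if dump_mode = "all" orelse dump_mode = "tex+sty" orelse dump_mode = "tex" then () else error ("Illegal document dump mode: " ^ quote dump_mode);`. The early-exit condition above still has to test `dump_prefix = ""`, since an empty prefix with any mode means no dump. The body of `init` continues past this hunk.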
140.44 @@ -309,7 +309,7 @@
140.45 in
140.46 session_info :=
140.47 SOME (make_session_info (name, parent_name, session_name, path, html_prefix,
140.48 - info, doc, doc_graph, documents, dump_prefix, remote_path, verbose, readme));
140.49 + info, doc, doc_graph, documents, doc_dump, remote_path, verbose, readme));
140.50 browser_info := init_browser_info remote_path path thys;
140.51 add_html_index (0, index_text)
140.52 end;
140.53 @@ -360,32 +360,34 @@
140.54
140.55 fun finish () =
140.56 session_default () (fn {name, info, html_prefix, doc_format,
140.57 - doc_graph, documents, dump_prefix, path, verbose, readme, ...} =>
140.58 + doc_graph, documents, doc_dump = (dump_prefix, dump_mode), path, verbose, readme, ...} =>
140.59 let
140.60 val {theories, files, tex_index, html_index, graph} = ! browser_info;
140.61 val thys = Symtab.dest theories;
140.62 val parent_html_prefix = Path.append html_prefix Path.parent;
140.63
140.64 - fun finish_tex path (a, {tex_source, ...}: theory_info) = write_tex tex_source a path;
140.65 fun finish_html (a, {html, ...}: theory_info) =
140.66 File.write_buffer (Path.append html_prefix (html_path a)) (Buffer.add HTML.end_document html);
140.67
140.68 val sorted_graph = sorted_index graph;
140.69 val opt_graphs =
140.70 - if doc_graph andalso (not (null documents) orelse is_some dump_prefix) then
140.71 + if doc_graph andalso (not (null documents) orelse dump_prefix <> "") then
140.72 SOME (isabelle_browser sorted_graph)
140.73 else NONE;
140.74
140.75 - fun prepare_sources cp path =
140.76 - (Isabelle_System.mkdirs path;
140.77 - if cp then Isabelle_System.copy_dir document_path path else ();
140.78 - Isabelle_System.isabelle_tool "latex"
140.79 - ("-o sty " ^ File.shell_path (Path.append path (Path.basic "root.tex")));
140.80 + fun prepare_sources doc_dir doc_mode =
140.81 + (Isabelle_System.mkdirs doc_dir;
140.82 + if doc_mode = "all" then Isabelle_System.copy_dir document_path doc_dir
140.83 + else if doc_mode = "tex+sty" then
140.84 + ignore (Isabelle_System.isabelle_tool "latex"
140.85 + ("-o sty " ^ File.shell_path (Path.append doc_dir (Path.basic "root.tex"))))
140.86 + else if doc_mode = "tex" then ()
140.87 + else error ("Illegal document dump mode: " ^ quote doc_mode);
140.88 (case opt_graphs of NONE => () | SOME (pdf, eps) =>
140.89 - (File.write (Path.append path graph_pdf_path) pdf;
140.90 - File.write (Path.append path graph_eps_path) eps));
140.91 - write_tex_index tex_index path;
140.92 - List.app (finish_tex path) thys);
140.93 + (File.write (Path.append doc_dir graph_pdf_path) pdf;
140.94 + File.write (Path.append doc_dir graph_eps_path) eps));
140.95 + write_tex_index tex_index doc_dir;
140.96 + List.app (fn (a, {tex_source, ...}) => write_tex tex_source a doc_dir) thys);
140.97 val _ =
140.98 if info then
140.99 (Isabelle_System.mkdirs (Path.append html_prefix session_path);
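Review bot: The `"all"` branch of the new `prepare_sources` only runs `Isabelle_System.copy_dir`, whereas the removed version ran `copy_dir` when `cp` was set and then always invoked `isabelle latex -o sty` on `root.tex`; so the `documents` call site below (`prepare_sources path "all"`, replacing `prepare_sources true path`) and the `cp = true` legacy mapping in session.ML have lost the style-file generation step unless `isabelle_document` regenerates it, which is not visible here. If that is deliberate, a comment on the `"all"` branch such as `(* copied document dir is expected to carry its own .sty files *)` would stop the next reader from re-adding the call; otherwise the `isabelle_tool "latex"` invocation from the `"tex+sty"` branch should run for `"all"` as well. Separately, the illegal-mode `error` is the last alternative of the `if` chain and comes after `Isabelle_System.mkdirs doc_dir`, so a bad mode leaves an empty dump directory behind; moving `if doc_mode <> "all" andalso doc_mode <> "tex+sty" andalso doc_mode <> "tex" then error ("Illegal document dump mode: " ^ quote doc_mode) else ();` ahead of the `mkdirs` avoids that. `finish` continues past the end of this hunk.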
140.100 @@ -407,16 +409,22 @@
140.101 else ();
140.102
140.103 val _ =
140.104 - (case dump_prefix of NONE => () | SOME (cp, path) =>
140.105 - (prepare_sources cp path;
140.106 - if verbose then Output.physical_stderr ("Document sources at " ^ show_path path ^ "\n")
140.107 - else ()));
140.108 + if dump_prefix = "" then ()
140.109 + else
140.110 + let
140.111 + val path = Path.explode dump_prefix;
140.112 + val _ = prepare_sources path dump_mode;
140.113 + in
140.114 + if verbose then
140.115 + Output.physical_stderr ("Document sources at " ^ show_path path ^ "\n")
140.116 + else ()
140.117 + end;
140.118
140.119 val doc_paths =
140.120 documents |> Par_List.map (fn (name, tags) =>
140.121 let
140.122 val path = Path.append html_prefix (Path.basic name);
140.123 - val _ = prepare_sources true path;
140.124 + val _ = prepare_sources path "all";
140.125 in isabelle_document true doc_format name tags path html_prefix end);
140.126 val _ =
140.127 if verbose then
141.1 --- a/src/Pure/build Thu Jul 26 16:08:16 2012 +0200
141.2 +++ b/src/Pure/build Thu Jul 26 19:59:06 2012 +0200
141.3 @@ -12,7 +12,7 @@
141.4 function usage()
141.5 {
141.6 echo
141.7 - echo "Usage: $PRG TARGET OUTPUT"
141.8 + echo "Usage: $PRG TARGET [OUTPUT]"
141.9 echo
141.10 exit 1
141.11 }
141.12 @@ -30,7 +30,10 @@
141.13
141.14 # args
141.15
141.16 -if [ "$#" -eq 2 ]; then
141.17 +if [ "$#" -eq 1 ]; then
141.18 + TARGET="$1"; shift
141.19 + OUTPUT=""; shift
141.20 +elif [ "$#" -eq 2 ]; then
141.21 TARGET="$1"; shift
141.22 OUTPUT="$1"; shift
141.23 else
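Review bot: In the new one-argument branch, `OUTPUT=""; shift` runs `shift` after `TARGET="$1"; shift` has already consumed the only positional parameter, so it shifts nothing and returns a non-zero status (and is a fatal "shift count out of range" under `set -o posix`); if `set -e` is in effect anywhere above in this script, which is not visible here, the branch aborts at that point. The trailing `shift` should simply be dropped: `OUTPUT=""`. How an empty `OUTPUT` is treated by the rest of the script is outside this hunk and should be checked against the new `[OUTPUT]` usage text.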