(* Title: HOL/Extraction/Pigeonhole.thy


Author: Stefan Berghofer, TU Muenchen


*)


header {* The pigeonhole principle *}


theory Pigeonhole imports EfficientNat begin


text {*


We formalize two proofs of the pigeonhole principle, which lead


to extracted programs of quite different complexity. The original


formalization of these proofs in {\sc Nuprl} is due to


Aleksey Nogin \cite{NoginENTCS2000}.


16 
We need decidability of equality on natural numbers:


17 
*}


lemma nat_eq_dec: "\<And>n::nat. m = n \<or> m \<noteq> n"


apply (induct m)


apply (case_tac n)


apply (case_tac [3] n)

apply (simp only: nat.simps, iprover?)+

done


text {*

We can decide whether an array @{term "f"} of length @{term "l"}

contains an element @{term "x"}.


*}


lemma search: "(\<exists>j<(l::nat). (x::nat) = f j) \<or> \<not> (\<exists>j<l. x = f j)"


proof (induct l)


case 0


have "\<not> (\<exists>j<0. x = f j)"


proof


assume "\<exists>j<0. x = f j"

then obtain j where j: "j < (0::nat)" by iprover

thus "False" by simp


qed


thus ?case ..


next


case (Suc l)


thus ?case


proof


assume "\<exists>j<l. x = f j"


then obtain j where j: "j < l"

47 
17024

from j have "j < Suc l" by simp

49 
with eq show ?case by iprover

17024

next


assume nex: "\<not> (\<exists>j<l. x = f j)"


from nat_eq_dec show ?case


proof


assume eq: "x = f l"


have "l < Suc l" by simp

56 
17024

next


assume neq: "x \<noteq> f l"


have "\<not> (\<exists>j<Suc l. x = f j)"


proof


assume "\<exists>j<Suc l. x = f j"


then obtain j where j: "j < Suc l"

63 
17024

show False


proof cases


assume "j = l"


with eq have "x = f l" by simp


with neq show False ..


next


assume "j \<noteq> l"


with j have "j < l" by simp

72 
17024

qed


qed


thus ?case ..


qed


qed


qed


81 
82 
83 


theorem pigeonhole:


"\<And>f. (\<And>i. i \<le> Suc n \<Longrightarrow> f i \<le> n) \<Longrightarrow> \<exists>i j. i \<le> Suc n \<and> j < i \<and> f i = f j"


proof (induct n)


case 0


hence "Suc 0 \<le> Suc 0 \<and> 0 < Suc 0 \<and> f (Suc 0) = f 0" by simp

89 
17024

next


case (Suc n)


{


fix k


"k \<le> Suc (Suc n) \<Longrightarrow>


(\<And>i j. Suc k \<le> i \<Longrightarrow> i \<le> Suc (Suc n) \<Longrightarrow> j < i \<Longrightarrow> f i \<noteq> f j) \<Longrightarrow>


(\<exists>i j. i \<le> k \<and> j < i \<and> f i = f j)"


proof (induct k)


case 0


let ?f = "\<lambda>i. if f i = Suc n then f (Suc (Suc n)) else f i"


have "\<not> (\<exists>i j. i \<le> Suc n \<and> j < i \<and> ?f i = ?f j)"


proof


assume "\<exists>i j. i \<le> Suc n \<and> j < i \<and> ?f i = ?f j"


then obtain i j where i: "i \<le> Suc n" and j: "j < i"

105 
17024

from j have i_nz: "Suc 0 \<le> i" by simp


from i have iSSn: "i \<le> Suc (Suc n)" by simp


have S0SSn: "Suc 0 \<le> Suc (Suc n)" by simp


show False


proof cases


assume fi: "f i = Suc n"


show False


proof cases


assume fj: "f j = Suc n"


from i_nz and iSSn and j have "f i \<noteq> f j" by (rule 0)


moreover from fi have "f i = f j"


by (simp add: fj [symmetric])


ultimately show ?thesis ..


next


from i and j have "j < Suc (Suc n)" by simp


with S0SSn and le_refl have "f (Suc (Suc n)) \<noteq> f j"


by (rule 0)


moreover assume "f j \<noteq> Suc n"


with fi and f have "f (Suc (Suc n)) = f j" by simp


ultimately show False ..


qed


next


assume fi: "f i \<noteq> Suc n"


from i have "i < Suc (Suc n)" by simp


with S0SSn and le_refl have "f (Suc (Suc n)) \<noteq> f i"


by (rule 0)


moreover assume "f j = Suc n"


with fi and f have "f (Suc (Suc n)) = f i" by simp


ultimately show False ..


next


from i_nz and iSSn and j


have "f i \<noteq> f j" by (rule 0)


moreover assume "f j \<noteq> Suc n"


with fi and f have "f i = f j" by simp


ultimately show False ..


qed


qed


qed


moreover have "\<And>i. i \<le> Suc n \<Longrightarrow> ?f i \<le> n"


proof 


fix i assume "i \<le> Suc n"


hence i: "i < Suc (Suc n)" by simp


have "f (Suc (Suc n)) \<noteq> f i"


by (rule 0) (simp_all add: i)


moreover have "f (Suc (Suc n)) \<le> Suc n"


by (rule Suc) simp


moreover from i have "i \<le> Suc (Suc n)" by simp


hence "f i \<le> Suc n" by (rule Suc)


ultimately show "?thesis i"


by simp


qed


hence "\<exists>i j. i \<le> Suc n \<and> j < i \<and> ?f i = ?f j"


by (rule Suc)


ultimately show ?case ..


162 
next


163 
case (Suc k)


164 
from search show ?case


165 
proof


166 
assume "\<exists>j<Suc k. f (Suc k) = f j"

17604

167 
thus ?case by (iprover intro: le_refl)

17024

168 
next


169 
assume nex: "\<not> (\<exists>j<Suc k. f (Suc k) = f j)"


170 
have "\<exists>i j. i \<le> k \<and> j < i \<and> f i = f j"


171 
proof (rule Suc)


172 
from Suc show "k \<le> Suc (Suc n)" by simp


173 
fix i j assume k: "Suc k \<le> i" and i: "i \<le> Suc (Suc n)"


174 
and j: "j < i"


175 
show "f i \<noteq> f j"


176 
proof cases


177 
assume eq: "i = Suc k"


178 
show ?thesis


179 
proof


180 
assume "f i = f j"


181 
hence "f (Suc k) = f j" by (simp add: eq)

17604

182 
with nex and j and eq show False by iprover

17024

183 
qed


184 
next


185 
assume "i \<noteq> Suc k"


186 
with k have "Suc (Suc k) \<le> i" by simp


187 
thus ?thesis using i and j by (rule Suc)


188 
qed


189 
qed

thus ?thesis by (iprover intro: le_SucI)

qed


192 
qed


193 
}


194 
note r = this


195 
show ?case by (rule r) simp_all


196 
qed


text {*


199 
The following proof, although quite elegant from a mathematical point of view,


200 
leads to an exponential program:


201 
*}


theorem pigeonhole_slow:


204 
"\<And>f. (\<And>i. i \<le> Suc n \<Longrightarrow> f i \<le> n) \<Longrightarrow> \<exists>i j. i \<le> Suc n \<and> j < i \<and> f i = f j"


205 
proof (induct n)


206 
case 0


207 
have "Suc 0 \<le> Suc 0" ..


208 
moreover have "0 < Suc 0" ..


209 
moreover from 0 have "f (Suc 0) = f 0" by simp

ultimately show ?case by iprover

next


212 
case (Suc n)


213 
from search show ?case


214 
proof


215 
assume "\<exists>j < Suc (Suc n). f (Suc (Suc n)) = f j"

thus ?case by (iprover intro: le_refl)

next


218 
assume "\<not> (\<exists>j < Suc (Suc n). f (Suc (Suc n)) = f j)"

hence nex: "\<forall>j < Suc (Suc n). f (Suc (Suc n)) \<noteq> f j" by iprover

let ?f = "\<lambda>i. if f i = Suc n then f (Suc (Suc n)) else f i"


221 
have "\<And>i. i \<le> Suc n \<Longrightarrow> ?f i \<le> n"


222 
proof 


223 
fix i assume i: "i \<le> Suc n"


224 
show "?thesis i"


225 
proof (cases "f i = Suc n")


226 
case True


227 
from i and nex have "f (Suc (Suc n)) \<noteq> f i" by simp


228 
with True have "f (Suc (Suc n)) \<noteq> Suc n" by simp


229 
moreover from Suc have "f (Suc (Suc n)) \<le> Suc n" by simp


230 
ultimately have "f (Suc (Suc n)) \<le> n" by simp


231 
with True show ?thesis by simp


232 
next


233 
case False


234 
from Suc and i have "f i \<le> Suc n" by simp


235 
with False show ?thesis by simp


236 
qed


237 
qed


238 
hence "\<exists>i j. i \<le> Suc n \<and> j < i \<and> ?f i = ?f j" by (rule Suc)


239 
then obtain i j where i: "i \<le> Suc n" and ji: "j < i" and f: "?f i = ?f j"

by iprover

have "f i = f j"


242 
proof (cases "f i = Suc n")


243 
case True


244 
show ?thesis


245 
proof (cases "f j = Suc n")


246 
assume "f j = Suc n"


247 
with True show ?thesis by simp


248 
next


249 
assume "f j \<noteq> Suc n"


250 
moreover from i ji nex have "f (Suc (Suc n)) \<noteq> f j" by simp


251 
ultimately show ?thesis using True f by simp


252 
qed


253 
next


254 
case False


255 
show ?thesis


256 
proof (cases "f j = Suc n")


257 
assume "f j = Suc n"


258 
moreover from i nex have "f (Suc (Suc n)) \<noteq> f i" by simp


259 
ultimately show ?thesis using False f by simp


260 
next


261 
assume "f j \<noteq> Suc n"


262 
with False f show ?thesis by simp


263 
qed


264 
qed


265 
moreover from i have "i \<le> Suc (Suc n)" by simp

ultimately show ?thesis using ji by iprover

qed


268 
qed


extract pigeonhole pigeonhole_slow


text {*


273 
The programs extracted from the above proofs look as follows:


274 
@{thm [display] pigeonhole_def}


275 
@{thm [display] pigeonhole_slow_def}


276 
The program for searching for an element in an array is


277 
@{thm [display,eta_contract=false] search_def}


278 
The correctness statement for @{term "pigeonhole"} is


279 
@{thm [display] pigeonhole_correctness [no_vars]}


In order to analyze the speed of the above programs,


282 
we generate ML code from them.


283 
*}


consts_code


286 
arbitrary :: "nat \<times> nat" ("{* (0::nat, 0::nat) *}")


287 

code_module PH


289 
contains

test = "\<lambda>n. pigeonhole n (\<lambda>m. m  1)"


test' = "\<lambda>n. pigeonhole_slow n (\<lambda>m. m  1)"


sel = "op !"


ML "timeit (fn () => PH.test 10)"


ML "timeit (fn () => PH.test' 10)"


ML "timeit (fn () => PH.test 20)"


ML "timeit (fn () => PH.test' 20)"


ML "timeit (fn () => PH.test 25)"


ML "timeit (fn () => PH.test' 25)"


ML "timeit (fn () => PH.test 500)"

ML "PH.pigeonhole 8 (PH.sel [0,1,2,3,4,5,6,3,7,8])"

definition


305 
arbitrary_nat :: "nat \<times> nat"

[symmetric, code inline]: "arbitrary_nat = arbitrary"

arbitrary_nat_subst :: "nat \<times> nat"


308 
"arbitrary_nat_subst = (0, 0)"

310 
lemma [code func]:


311 
"arbitrary_nat = arbitrary_nat" ..


313 
code_axioms

arbitrary_nat \<equiv> arbitrary_nat_subst

316 
definition


317 
"test n = pigeonhole n (\<lambda>m. m  1)"


318 
"test' n = pigeonhole_slow n (\<lambda>m. m  1)"


320 
code_gen test test' "op !" (SML )


322 
ML "timeit (fn () => ROOT.Pigeonhole.test 10)"


323 
ML "timeit (fn () => ROOT.Pigeonhole.test' 10)"


324 
ML "timeit (fn () => ROOT.Pigeonhole.test 20)"


325 
ML "timeit (fn () => ROOT.Pigeonhole.test' 20)"


326 
ML "timeit (fn () => ROOT.Pigeonhole.test 25)"


327 
ML "timeit (fn () => ROOT.Pigeonhole.test' 25)"


328 
ML "timeit (fn () => ROOT.Pigeonhole.test 500)"


330 
ML "ROOT.Pigeonhole.pigeonhole 8 (ROOT.List.nth [0,1,2,3,4,5,6,3,7,8])"


end
