author | wenzelm |

Wed Jul 20 21:26:11 2016 +0200 (2016-07-20) | |

changeset 63531 | 847eefdca90d |

parent 63530 | 045490f55f69 |

child 63532 | b01154b74314 |

clarified imports;

tuned;

tuned;

1.1 --- a/src/Doc/Isar_Ref/Document_Preparation.thy Wed Jul 20 20:24:21 2016 +0200 1.2 +++ b/src/Doc/Isar_Ref/Document_Preparation.thy Wed Jul 20 21:26:11 2016 +0200 1.3 @@ -1,7 +1,7 @@ 1.4 (*:maxLineLen=78:*) 1.5 1.6 theory Document_Preparation 1.7 -imports Base Main 1.8 + imports Main Base 1.9 begin 1.10 1.11 chapter \<open>Document preparation \label{ch:document-prep}\<close>

2.1 --- a/src/Doc/Isar_Ref/Framework.thy Wed Jul 20 20:24:21 2016 +0200 2.2 +++ b/src/Doc/Isar_Ref/Framework.thy Wed Jul 20 21:26:11 2016 +0200 2.3 @@ -1,7 +1,7 @@ 2.4 (*:maxLineLen=78:*) 2.5 2.6 theory Framework 2.7 -imports Base Main 2.8 + imports Main Base 2.9 begin 2.10 2.11 chapter \<open>The Isabelle/Isar Framework \label{ch:isar-framework}\<close>

3.1 --- a/src/Doc/Isar_Ref/Generic.thy Wed Jul 20 20:24:21 2016 +0200 3.2 +++ b/src/Doc/Isar_Ref/Generic.thy Wed Jul 20 21:26:11 2016 +0200 3.3 @@ -1,23 +1,22 @@ 3.4 (*:maxLineLen=78:*) 3.5 3.6 theory Generic 3.7 -imports Base Main 3.8 +imports Main Base 3.9 begin 3.10 3.11 chapter \<open>Generic tools and packages \label{ch:gen-tools}\<close> 3.12 3.13 section \<open>Configuration options \label{sec:config}\<close> 3.14 3.15 -text \<open>Isabelle/Pure maintains a record of named configuration 3.16 - options within the theory or proof context, with values of type 3.17 - @{ML_type bool}, @{ML_type int}, @{ML_type real}, or @{ML_type 3.18 - string}. Tools may declare options in ML, and then refer to these 3.19 - values (relative to the context). Thus global reference variables 3.20 - are easily avoided. The user may change the value of a 3.21 - configuration option by means of an associated attribute of the same 3.22 - name. This form of context declaration works particularly well with 3.23 - commands such as @{command "declare"} or @{command "using"} like 3.24 - this: 3.25 +text \<open> 3.26 + Isabelle/Pure maintains a record of named configuration options within the 3.27 + theory or proof context, with values of type @{ML_type bool}, @{ML_type 3.28 + int}, @{ML_type real}, or @{ML_type string}. Tools may declare options in 3.29 + ML, and then refer to these values (relative to the context). Thus global 3.30 + reference variables are easily avoided. The user may change the value of a 3.31 + configuration option by means of an associated attribute of the same name. 3.32 + This form of context declaration works particularly well with commands such 3.33 + as @{command "declare"} or @{command "using"} like this: 3.34 \<close> 3.35 3.36 (*<*)experiment begin(*>*) 3.37 @@ -40,14 +39,14 @@ 3.38 @{syntax name} ('=' ('true' | 'false' | @{syntax int} | @{syntax float} | @{syntax name}))? 3.39 \<close>} 3.40 3.41 - \<^descr> @{command "print_options"} prints the available configuration 3.42 - options, with names, types, and current values; the ``\<open>!\<close>'' option 3.43 - indicates extra verbosity. 3.44 + \<^descr> @{command "print_options"} prints the available configuration options, 3.45 + with names, types, and current values; the ``\<open>!\<close>'' option indicates extra 3.46 + verbosity. 3.47 3.48 - \<^descr> \<open>name = value\<close> as an attribute expression modifies the 3.49 - named option, with the syntax of the value depending on the option's 3.50 - type. For @{ML_type bool} the default value is \<open>true\<close>. Any 3.51 - attempt to change a global option in a local context is ignored. 3.52 + \<^descr> \<open>name = value\<close> as an attribute expression modifies the named option, with 3.53 + the syntax of the value depending on the option's type. For @{ML_type bool} 3.54 + the default value is \<open>true\<close>. Any attempt to change a global option in a 3.55 + local context is ignored. 3.56 \<close> 3.57 3.58 3.59 @@ -81,46 +80,41 @@ 3.60 @@{method sleep} @{syntax real} 3.61 \<close>} 3.62 3.63 - \<^descr> @{method unfold}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> and @{method fold}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> expand (or fold back) the given definitions throughout 3.64 - all goals; any chained facts provided are inserted into the goal and 3.65 - subject to rewriting as well. 3.66 - 3.67 - \<^descr> @{method insert}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> inserts theorems as facts 3.68 - into all goals of the proof state. Note that current facts 3.69 - indicated for forward chaining are ignored. 3.70 + \<^descr> @{method unfold}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> and @{method fold}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> expand (or 3.71 + fold back) the given definitions throughout all goals; any chained facts 3.72 + provided are inserted into the goal and subject to rewriting as well. 3.73 3.74 - \<^descr> @{method erule}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close>, @{method 3.75 - drule}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close>, and @{method frule}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> are similar to the basic @{method rule} 3.76 - method (see \secref{sec:pure-meth-att}), but apply rules by 3.77 - elim-resolution, destruct-resolution, and forward-resolution, 3.78 - respectively @{cite "isabelle-implementation"}. The optional natural 3.79 - number argument (default 0) specifies additional assumption steps to 3.80 - be performed here. 3.81 + \<^descr> @{method insert}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> inserts theorems as facts into all goals of 3.82 + the proof state. Note that current facts indicated for forward chaining are 3.83 + ignored. 3.84 + 3.85 + \<^descr> @{method erule}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close>, @{method drule}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close>, and @{method 3.86 + frule}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> are similar to the basic @{method rule} method (see 3.87 + \secref{sec:pure-meth-att}), but apply rules by elim-resolution, 3.88 + destruct-resolution, and forward-resolution, respectively @{cite 3.89 + "isabelle-implementation"}. The optional natural number argument (default 0) 3.90 + specifies additional assumption steps to be performed here. 3.91 3.92 Note that these methods are improper ones, mainly serving for 3.93 - experimentation and tactic script emulation. Different modes of 3.94 - basic rule application are usually expressed in Isar at the proof 3.95 - language level, rather than via implicit proof state manipulations. 3.96 - For example, a proper single-step elimination would be done using 3.97 - the plain @{method rule} method, with forward chaining of current 3.98 - facts. 3.99 + experimentation and tactic script emulation. Different modes of basic rule 3.100 + application are usually expressed in Isar at the proof language level, 3.101 + rather than via implicit proof state manipulations. For example, a proper 3.102 + single-step elimination would be done using the plain @{method rule} method, 3.103 + with forward chaining of current facts. 3.104 3.105 - \<^descr> @{method intro} and @{method elim} repeatedly refine some goal 3.106 - by intro- or elim-resolution, after having inserted any chained 3.107 - facts. Exactly the rules given as arguments are taken into account; 3.108 - this allows fine-tuned decomposition of a proof problem, in contrast 3.109 - to common automated tools. 3.110 + \<^descr> @{method intro} and @{method elim} repeatedly refine some goal by intro- 3.111 + or elim-resolution, after having inserted any chained facts. Exactly the 3.112 + rules given as arguments are taken into account; this allows fine-tuned 3.113 + decomposition of a proof problem, in contrast to common automated tools. 3.114 3.115 - \<^descr> @{method fail} yields an empty result sequence; it is the 3.116 - identity of the ``\<open>|\<close>'' method combinator (cf.\ 3.117 - \secref{sec:proof-meth}). 3.118 + \<^descr> @{method fail} yields an empty result sequence; it is the identity of the 3.119 + ``\<open>|\<close>'' method combinator (cf.\ \secref{sec:proof-meth}). 3.120 3.121 - \<^descr> @{method succeed} yields a single (unchanged) result; it is 3.122 - the identity of the ``\<open>,\<close>'' method combinator (cf.\ 3.123 - \secref{sec:proof-meth}). 3.124 + \<^descr> @{method succeed} yields a single (unchanged) result; it is the identity 3.125 + of the ``\<open>,\<close>'' method combinator (cf.\ \secref{sec:proof-meth}). 3.126 3.127 - \<^descr> @{method sleep}~\<open>s\<close> succeeds after a real-time delay of \<open>s\<close> seconds. This is occasionally useful for demonstration and testing 3.128 - purposes. 3.129 + \<^descr> @{method sleep}~\<open>s\<close> succeeds after a real-time delay of \<open>s\<close> seconds. This 3.130 + is occasionally useful for demonstration and testing purposes. 3.131 3.132 3.133 \begin{matharray}{rcl} 3.134 @@ -147,38 +141,35 @@ 3.135 @@{attribute rotated} @{syntax int}? 3.136 \<close>} 3.137 3.138 - \<^descr> @{attribute tagged}~\<open>name value\<close> and @{attribute 3.139 - untagged}~\<open>name\<close> add and remove \<^emph>\<open>tags\<close> of some theorem. 3.140 - Tags may be any list of string pairs that serve as formal comment. 3.141 - The first string is considered the tag name, the second its value. 3.142 - Note that @{attribute untagged} removes any tags of the same name. 3.143 + \<^descr> @{attribute tagged}~\<open>name value\<close> and @{attribute untagged}~\<open>name\<close> add and 3.144 + remove \<^emph>\<open>tags\<close> of some theorem. Tags may be any list of string pairs that 3.145 + serve as formal comment. The first string is considered the tag name, the 3.146 + second its value. Note that @{attribute untagged} removes any tags of the 3.147 + same name. 3.148 3.149 - \<^descr> @{attribute THEN}~\<open>a\<close> composes rules by resolution; it 3.150 - resolves with the first premise of \<open>a\<close> (an alternative 3.151 - position may be also specified). See also @{ML_op "RS"} in 3.152 - @{cite "isabelle-implementation"}. 3.153 + \<^descr> @{attribute THEN}~\<open>a\<close> composes rules by resolution; it resolves with the 3.154 + first premise of \<open>a\<close> (an alternative position may be also specified). See 3.155 + also @{ML_op "RS"} in @{cite "isabelle-implementation"}. 3.156 3.157 - \<^descr> @{attribute unfolded}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> and @{attribute 3.158 - folded}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> expand and fold back again the given 3.159 - definitions throughout a rule. 3.160 + \<^descr> @{attribute unfolded}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> and @{attribute folded}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> 3.161 + expand and fold back again the given definitions throughout a rule. 3.162 3.163 - \<^descr> @{attribute abs_def} turns an equation of the form @{prop "f x 3.164 - y \<equiv> t"} into @{prop "f \<equiv> \<lambda>x y. t"}, which ensures that @{method 3.165 - simp} or @{method unfold} steps always expand it. This also works 3.166 - for object-logic equality. 3.167 + \<^descr> @{attribute abs_def} turns an equation of the form @{prop "f x y \<equiv> t"} 3.168 + into @{prop "f \<equiv> \<lambda>x y. t"}, which ensures that @{method simp} or @{method 3.169 + unfold} steps always expand it. This also works for object-logic equality. 3.170 3.171 - \<^descr> @{attribute rotated}~\<open>n\<close> rotate the premises of a 3.172 - theorem by \<open>n\<close> (default 1). 3.173 + \<^descr> @{attribute rotated}~\<open>n\<close> rotate the premises of a theorem by \<open>n\<close> (default 3.174 + 1). 3.175 3.176 - \<^descr> @{attribute (Pure) elim_format} turns a destruction rule into 3.177 - elimination rule format, by resolving with the rule @{prop "PROP A \<Longrightarrow> 3.178 - (PROP A \<Longrightarrow> PROP B) \<Longrightarrow> PROP B"}. 3.179 + \<^descr> @{attribute (Pure) elim_format} turns a destruction rule into elimination 3.180 + rule format, by resolving with the rule @{prop "PROP A \<Longrightarrow> (PROP A \<Longrightarrow> PROP B) \<Longrightarrow> 3.181 + PROP B"}. 3.182 3.183 - Note that the Classical Reasoner (\secref{sec:classical}) provides 3.184 - its own version of this operation. 3.185 + Note that the Classical Reasoner (\secref{sec:classical}) provides its own 3.186 + version of this operation. 3.187 3.188 - \<^descr> @{attribute no_vars} replaces schematic variables by free 3.189 - ones; this is mainly for tuning output of pretty printed theorems. 3.190 + \<^descr> @{attribute no_vars} replaces schematic variables by free ones; this is 3.191 + mainly for tuning output of pretty printed theorems. 3.192 \<close> 3.193 3.194 3.195 @@ -197,51 +188,45 @@ 3.196 @@{method split} @{syntax thms} 3.197 \<close>} 3.198 3.199 - These methods provide low-level facilities for equational reasoning 3.200 - that are intended for specialized applications only. Normally, 3.201 - single step calculations would be performed in a structured text 3.202 - (see also \secref{sec:calculation}), while the Simplifier methods 3.203 - provide the canonical way for automated normalization (see 3.204 - \secref{sec:simplifier}). 3.205 + These methods provide low-level facilities for equational reasoning that are 3.206 + intended for specialized applications only. Normally, single step 3.207 + calculations would be performed in a structured text (see also 3.208 + \secref{sec:calculation}), while the Simplifier methods provide the 3.209 + canonical way for automated normalization (see \secref{sec:simplifier}). 3.210 + 3.211 + \<^descr> @{method subst}~\<open>eq\<close> performs a single substitution step using rule \<open>eq\<close>, 3.212 + which may be either a meta or object equality. 3.213 3.214 - \<^descr> @{method subst}~\<open>eq\<close> performs a single substitution step 3.215 - using rule \<open>eq\<close>, which may be either a meta or object 3.216 - equality. 3.217 - 3.218 - \<^descr> @{method subst}~\<open>(asm) eq\<close> substitutes in an 3.219 - assumption. 3.220 + \<^descr> @{method subst}~\<open>(asm) eq\<close> substitutes in an assumption. 3.221 3.222 - \<^descr> @{method subst}~\<open>(i \<dots> j) eq\<close> performs several 3.223 - substitutions in the conclusion. The numbers \<open>i\<close> to \<open>j\<close> 3.224 - indicate the positions to substitute at. Positions are ordered from 3.225 - the top of the term tree moving down from left to right. For 3.226 - example, in \<open>(a + b) + (c + d)\<close> there are three positions 3.227 - where commutativity of \<open>+\<close> is applicable: 1 refers to \<open>a + b\<close>, 2 to the whole term, and 3 to \<open>c + d\<close>. 3.228 + \<^descr> @{method subst}~\<open>(i \<dots> j) eq\<close> performs several substitutions in the 3.229 + conclusion. The numbers \<open>i\<close> to \<open>j\<close> indicate the positions to substitute at. 3.230 + Positions are ordered from the top of the term tree moving down from left to 3.231 + right. For example, in \<open>(a + b) + (c + d)\<close> there are three positions where 3.232 + commutativity of \<open>+\<close> is applicable: 1 refers to \<open>a + b\<close>, 2 to the whole 3.233 + term, and 3 to \<open>c + d\<close>. 3.234 3.235 - If the positions in the list \<open>(i \<dots> j)\<close> are non-overlapping 3.236 - (e.g.\ \<open>(2 3)\<close> in \<open>(a + b) + (c + d)\<close>) you may 3.237 - assume all substitutions are performed simultaneously. Otherwise 3.238 - the behaviour of \<open>subst\<close> is not specified. 3.239 + If the positions in the list \<open>(i \<dots> j)\<close> are non-overlapping (e.g.\ \<open>(2 3)\<close> in 3.240 + \<open>(a + b) + (c + d)\<close>) you may assume all substitutions are performed 3.241 + simultaneously. Otherwise the behaviour of \<open>subst\<close> is not specified. 3.242 3.243 - \<^descr> @{method subst}~\<open>(asm) (i \<dots> j) eq\<close> performs the 3.244 - substitutions in the assumptions. The positions refer to the 3.245 - assumptions in order from left to right. For example, given in a 3.246 - goal of the form \<open>P (a + b) \<Longrightarrow> P (c + d) \<Longrightarrow> \<dots>\<close>, position 1 of 3.247 - commutativity of \<open>+\<close> is the subterm \<open>a + b\<close> and 3.248 - position 2 is the subterm \<open>c + d\<close>. 3.249 + \<^descr> @{method subst}~\<open>(asm) (i \<dots> j) eq\<close> performs the substitutions in the 3.250 + assumptions. The positions refer to the assumptions in order from left to 3.251 + right. For example, given in a goal of the form \<open>P (a + b) \<Longrightarrow> P (c + d) \<Longrightarrow> \<dots>\<close>, 3.252 + position 1 of commutativity of \<open>+\<close> is the subterm \<open>a + b\<close> and position 2 is 3.253 + the subterm \<open>c + d\<close>. 3.254 3.255 - \<^descr> @{method hypsubst} performs substitution using some 3.256 - assumption; this only works for equations of the form \<open>x = 3.257 - t\<close> where \<open>x\<close> is a free or bound variable. 3.258 + \<^descr> @{method hypsubst} performs substitution using some assumption; this only 3.259 + works for equations of the form \<open>x = t\<close> where \<open>x\<close> is a free or bound 3.260 + variable. 3.261 3.262 - \<^descr> @{method split}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> performs single-step case 3.263 - splitting using the given rules. Splitting is performed in the 3.264 - conclusion or some assumption of the subgoal, depending of the 3.265 - structure of the rule. 3.266 + \<^descr> @{method split}~\<open>a\<^sub>1 \<dots> a\<^sub>n\<close> performs single-step case splitting using the 3.267 + given rules. Splitting is performed in the conclusion or some assumption of 3.268 + the subgoal, depending of the structure of the rule. 3.269 3.270 - Note that the @{method simp} method already involves repeated 3.271 - application of split rules as declared in the current context, using 3.272 - @{attribute split}, for example. 3.273 + Note that the @{method simp} method already involves repeated application of 3.274 + split rules as declared in the current context, using @{attribute split}, 3.275 + for example. 3.276 \<close> 3.277 3.278

4.1 --- a/src/Doc/Isar_Ref/HOL_Specific.thy Wed Jul 20 20:24:21 2016 +0200 4.2 +++ b/src/Doc/Isar_Ref/HOL_Specific.thy Wed Jul 20 21:26:11 2016 +0200 4.3 @@ -1,68 +1,65 @@ 4.4 (*:maxLineLen=78:*) 4.5 4.6 theory HOL_Specific 4.7 -imports 4.8 - Base 4.9 - "~~/src/HOL/Library/Old_Datatype" 4.10 - "~~/src/HOL/Library/Old_Recdef" 4.11 - "~~/src/Tools/Adhoc_Overloading" 4.12 - "~~/src/HOL/Library/Dlist" 4.13 - "~~/src/HOL/Library/FSet" 4.14 + imports 4.15 + Main 4.16 + "~~/src/HOL/Library/Old_Datatype" 4.17 + "~~/src/HOL/Library/Old_Recdef" 4.18 + "~~/src/Tools/Adhoc_Overloading" 4.19 + "~~/src/HOL/Library/Dlist" 4.20 + "~~/src/HOL/Library/FSet" 4.21 + Base 4.22 begin 4.23 4.24 4.25 chapter \<open>Higher-Order Logic\<close> 4.26 4.27 -text \<open>Isabelle/HOL is based on Higher-Order Logic, a polymorphic 4.28 - version of Church's Simple Theory of Types. HOL can be best 4.29 - understood as a simply-typed version of classical set theory. The 4.30 - logic was first implemented in Gordon's HOL system 4.31 - @{cite "mgordon-hol"}. It extends Church's original logic 4.32 - @{cite "church40"} by explicit type variables (naive polymorphism) and 4.33 - a sound axiomatization scheme for new types based on subsets of 4.34 - existing types. 4.35 - 4.36 - Andrews's book @{cite andrews86} is a full description of the 4.37 - original Church-style higher-order logic, with proofs of correctness 4.38 - and completeness wrt.\ certain set-theoretic interpretations. The 4.39 - particular extensions of Gordon-style HOL are explained semantically 4.40 - in two chapters of the 1993 HOL book @{cite pitts93}. 4.41 - 4.42 - Experience with HOL over decades has demonstrated that higher-order 4.43 - logic is widely applicable in many areas of mathematics and computer 4.44 - science. In a sense, Higher-Order Logic is simpler than First-Order 4.45 - Logic, because there are fewer restrictions and special cases. Note 4.46 - that HOL is \<^emph>\<open>weaker\<close> than FOL with axioms for ZF set theory, 4.47 - which is traditionally considered the standard foundation of regular 4.48 - mathematics, but for most applications this does not matter. If you 4.49 - prefer ML to Lisp, you will probably prefer HOL to ZF. 4.50 - 4.51 - \<^medskip> 4.52 - The syntax of HOL follows \<open>\<lambda>\<close>-calculus and 4.53 - functional programming. Function application is curried. To apply 4.54 - the function \<open>f\<close> of type \<open>\<tau>\<^sub>1 \<Rightarrow> \<tau>\<^sub>2 \<Rightarrow> \<tau>\<^sub>3\<close> to the 4.55 - arguments \<open>a\<close> and \<open>b\<close> in HOL, you simply write \<open>f 4.56 - a b\<close> (as in ML or Haskell). There is no ``apply'' operator; the 4.57 - existing application of the Pure \<open>\<lambda>\<close>-calculus is re-used. 4.58 - Note that in HOL \<open>f (a, b)\<close> means ``\<open>f\<close> applied to 4.59 - the pair \<open>(a, b)\<close> (which is notation for \<open>Pair a 4.60 - b\<close>). The latter typically introduces extra formal efforts that can 4.61 - be avoided by currying functions by default. Explicit tuples are as 4.62 - infrequent in HOL formalizations as in good ML or Haskell programs. 4.63 - 4.64 - \<^medskip> 4.65 - Isabelle/HOL has a distinct feel, compared to other 4.66 - object-logics like Isabelle/ZF. It identifies object-level types 4.67 - with meta-level types, taking advantage of the default 4.68 - type-inference mechanism of Isabelle/Pure. HOL fully identifies 4.69 - object-level functions with meta-level functions, with native 4.70 - abstraction and application. 4.71 - 4.72 - These identifications allow Isabelle to support HOL particularly 4.73 - nicely, but they also mean that HOL requires some sophistication 4.74 - from the user. In particular, an understanding of Hindley-Milner 4.75 - type-inference with type-classes, which are both used extensively in 4.76 - the standard libraries and applications.\<close> 4.77 +text \<open> 4.78 + Isabelle/HOL is based on Higher-Order Logic, a polymorphic version of 4.79 + Church's Simple Theory of Types. HOL can be best understood as a 4.80 + simply-typed version of classical set theory. The logic was first 4.81 + implemented in Gordon's HOL system @{cite "mgordon-hol"}. It extends 4.82 + Church's original logic @{cite "church40"} by explicit type variables (naive 4.83 + polymorphism) and a sound axiomatization scheme for new types based on 4.84 + subsets of existing types. 4.85 + 4.86 + Andrews's book @{cite andrews86} is a full description of the original 4.87 + Church-style higher-order logic, with proofs of correctness and completeness 4.88 + wrt.\ certain set-theoretic interpretations. The particular extensions of 4.89 + Gordon-style HOL are explained semantically in two chapters of the 1993 HOL 4.90 + book @{cite pitts93}. 4.91 + 4.92 + Experience with HOL over decades has demonstrated that higher-order logic is 4.93 + widely applicable in many areas of mathematics and computer science. In a 4.94 + sense, Higher-Order Logic is simpler than First-Order Logic, because there 4.95 + are fewer restrictions and special cases. Note that HOL is \<^emph>\<open>weaker\<close> than 4.96 + FOL with axioms for ZF set theory, which is traditionally considered the 4.97 + standard foundation of regular mathematics, but for most applications this 4.98 + does not matter. If you prefer ML to Lisp, you will probably prefer HOL to 4.99 + ZF. 4.100 + 4.101 + \<^medskip> The syntax of HOL follows \<open>\<lambda>\<close>-calculus and functional programming. 4.102 + Function application is curried. To apply the function \<open>f\<close> of type \<open>\<tau>\<^sub>1 \<Rightarrow> 4.103 + \<tau>\<^sub>2 \<Rightarrow> \<tau>\<^sub>3\<close> to the arguments \<open>a\<close> and \<open>b\<close> in HOL, you simply write \<open>f a b\<close> (as 4.104 + in ML or Haskell). There is no ``apply'' operator; the existing application 4.105 + of the Pure \<open>\<lambda>\<close>-calculus is re-used. Note that in HOL \<open>f (a, b)\<close> means ``\<open>f\<close> 4.106 + applied to the pair \<open>(a, b)\<close> (which is notation for \<open>Pair a b\<close>). The latter 4.107 + typically introduces extra formal efforts that can be avoided by currying 4.108 + functions by default. Explicit tuples are as infrequent in HOL 4.109 + formalizations as in good ML or Haskell programs. 4.110 + 4.111 + \<^medskip> Isabelle/HOL has a distinct feel, compared to other object-logics like 4.112 + Isabelle/ZF. It identifies object-level types with meta-level types, taking 4.113 + advantage of the default type-inference mechanism of Isabelle/Pure. HOL 4.114 + fully identifies object-level functions with meta-level functions, with 4.115 + native abstraction and application. 4.116 + 4.117 + These identifications allow Isabelle to support HOL particularly nicely, but 4.118 + they also mean that HOL requires some sophistication from the user. In 4.119 + particular, an understanding of Hindley-Milner type-inference with 4.120 + type-classes, which are both used extensively in the standard libraries and 4.121 + applications. 4.122 +\<close> 4.123 4.124 4.125 chapter \<open>Derived specification elements\<close> 4.126 @@ -79,31 +76,27 @@ 4.127 @{attribute_def (HOL) mono} & : & \<open>attribute\<close> \\ 4.128 \end{matharray} 4.129 4.130 - An \<^emph>\<open>inductive definition\<close> specifies the least predicate or set 4.131 - \<open>R\<close> closed under given rules: applying a rule to elements of 4.132 - \<open>R\<close> yields a result within \<open>R\<close>. For example, a 4.133 - structural operational semantics is an inductive definition of an 4.134 - evaluation relation. 4.135 - 4.136 - Dually, a \<^emph>\<open>coinductive definition\<close> specifies the greatest 4.137 - predicate or set \<open>R\<close> that is consistent with given rules: 4.138 - every element of \<open>R\<close> can be seen as arising by applying a rule 4.139 - to elements of \<open>R\<close>. An important example is using 4.140 - bisimulation relations to formalise equivalence of processes and 4.141 - infinite data structures. 4.142 - 4.143 - Both inductive and coinductive definitions are based on the 4.144 - Knaster-Tarski fixed-point theorem for complete lattices. The 4.145 - collection of introduction rules given by the user determines a 4.146 - functor on subsets of set-theoretic relations. The required 4.147 - monotonicity of the recursion scheme is proven as a prerequisite to 4.148 - the fixed-point definition and the resulting consequences. This 4.149 - works by pushing inclusion through logical connectives and any other 4.150 - operator that might be wrapped around recursive occurrences of the 4.151 - defined relation: there must be a monotonicity theorem of the form 4.152 - \<open>A \<le> B \<Longrightarrow> \<M> A \<le> \<M> B\<close>, for each premise \<open>\<M> R t\<close> in an 4.153 - introduction rule. The default rule declarations of Isabelle/HOL 4.154 - already take care of most common situations. 4.155 + An \<^emph>\<open>inductive definition\<close> specifies the least predicate or set \<open>R\<close> closed 4.156 + under given rules: applying a rule to elements of \<open>R\<close> yields a result within 4.157 + \<open>R\<close>. For example, a structural operational semantics is an inductive 4.158 + definition of an evaluation relation. 4.159 + 4.160 + Dually, a \<^emph>\<open>coinductive definition\<close> specifies the greatest predicate or set 4.161 + \<open>R\<close> that is consistent with given rules: every element of \<open>R\<close> can be seen as 4.162 + arising by applying a rule to elements of \<open>R\<close>. An important example is using 4.163 + bisimulation relations to formalise equivalence of processes and infinite 4.164 + data structures. 4.165 + 4.166 + Both inductive and coinductive definitions are based on the Knaster-Tarski 4.167 + fixed-point theorem for complete lattices. The collection of introduction 4.168 + rules given by the user determines a functor on subsets of set-theoretic 4.169 + relations. The required monotonicity of the recursion scheme is proven as a 4.170 + prerequisite to the fixed-point definition and the resulting consequences. 4.171 + This works by pushing inclusion through logical connectives and any other 4.172 + operator that might be wrapped around recursive occurrences of the defined 4.173 + relation: there must be a monotonicity theorem of the form \<open>A \<le> B \<Longrightarrow> \<M> A \<le> \<M> 4.174 + B\<close>, for each premise \<open>\<M> R t\<close> in an introduction rule. The default rule 4.175 + declarations of Isabelle/HOL already take care of most common situations. 4.176 4.177 @{rail \<open> 4.178 (@@{command (HOL) inductive} | @@{command (HOL) inductive_set} | 4.179 @@ -116,101 +109,98 @@ 4.180 @@{attribute (HOL) mono} (() | 'add' | 'del') 4.181 \<close>} 4.182 4.183 - \<^descr> @{command (HOL) "inductive"} and @{command (HOL) 4.184 - "coinductive"} define (co)inductive predicates from the introduction 4.185 - rules. 4.186 - 4.187 - The propositions given as \<open>clauses\<close> in the @{keyword 4.188 - "where"} part are either rules of the usual \<open>\<And>/\<Longrightarrow>\<close> format 4.189 - (with arbitrary nesting), or equalities using \<open>\<equiv>\<close>. The 4.190 - latter specifies extra-logical abbreviations in the sense of 4.191 - @{command_ref abbreviation}. Introducing abstract syntax 4.192 - simultaneously with the actual introduction rules is occasionally 4.193 - useful for complex specifications. 4.194 - 4.195 - The optional @{keyword "for"} part contains a list of parameters of 4.196 - the (co)inductive predicates that remain fixed throughout the 4.197 - definition, in contrast to arguments of the relation that may vary 4.198 - in each occurrence within the given \<open>clauses\<close>. 4.199 + \<^descr> @{command (HOL) "inductive"} and @{command (HOL) "coinductive"} define 4.200 + (co)inductive predicates from the introduction rules. 4.201 + 4.202 + The propositions given as \<open>clauses\<close> in the @{keyword "where"} part are 4.203 + either rules of the usual \<open>\<And>/\<Longrightarrow>\<close> format (with arbitrary nesting), or 4.204 + equalities using \<open>\<equiv>\<close>. The latter specifies extra-logical abbreviations in 4.205 + the sense of @{command_ref abbreviation}. Introducing abstract syntax 4.206 + simultaneously with the actual introduction rules is occasionally useful for 4.207 + complex specifications. 4.208 + 4.209 + The optional @{keyword "for"} part contains a list of parameters of the 4.210 + (co)inductive predicates that remain fixed throughout the definition, in 4.211 + contrast to arguments of the relation that may vary in each occurrence 4.212 + within the given \<open>clauses\<close>. 4.213 4.214 The optional @{keyword "monos"} declaration contains additional 4.215 - \<^emph>\<open>monotonicity theorems\<close>, which are required for each operator 4.216 - applied to a recursive set in the introduction rules. 4.217 - 4.218 - \<^descr> @{command (HOL) "inductive_set"} and @{command (HOL) 4.219 - "coinductive_set"} are wrappers for to the previous commands for 4.220 - native HOL predicates. This allows to define (co)inductive sets, 4.221 - where multiple arguments are simulated via tuples. 4.222 + \<^emph>\<open>monotonicity theorems\<close>, which are required for each operator applied to a 4.223 + recursive set in the introduction rules. 4.224 + 4.225 + \<^descr> @{command (HOL) "inductive_set"} and @{command (HOL) "coinductive_set"} 4.226 + are wrappers for to the previous commands for native HOL predicates. This 4.227 + allows to define (co)inductive sets, where multiple arguments are simulated 4.228 + via tuples. 4.229 4.230 \<^descr> @{command "print_inductives"} prints (co)inductive definitions and 4.231 monotonicity rules; the ``\<open>!\<close>'' option indicates extra verbosity. 4.232 4.233 - \<^descr> @{attribute (HOL) mono} declares monotonicity rules in the 4.234 - context. These rule are involved in the automated monotonicity 4.235 - proof of the above inductive and coinductive definitions. 4.236 + \<^descr> @{attribute (HOL) mono} declares monotonicity rules in the context. These 4.237 + rule are involved in the automated monotonicity proof of the above inductive 4.238 + and coinductive definitions. 4.239 \<close> 4.240 4.241 4.242 subsection \<open>Derived rules\<close> 4.243 4.244 -text \<open>A (co)inductive definition of \<open>R\<close> provides the following 4.245 - main theorems: 4.246 - 4.247 - \<^descr> \<open>R.intros\<close> is the list of introduction rules as proven 4.248 - theorems, for the recursive predicates (or sets). The rules are 4.249 - also available individually, using the names given them in the 4.250 - theory file; 4.251 +text \<open> 4.252 + A (co)inductive definition of \<open>R\<close> provides the following main theorems: 4.253 + 4.254 + \<^descr> \<open>R.intros\<close> is the list of introduction rules as proven theorems, for the 4.255 + recursive predicates (or sets). The rules are also available individually, 4.256 + using the names given them in the theory file; 4.257 4.258 \<^descr> \<open>R.cases\<close> is the case analysis (or elimination) rule; 4.259 4.260 - \<^descr> \<open>R.induct\<close> or \<open>R.coinduct\<close> is the (co)induction 4.261 - rule; 4.262 - 4.263 - \<^descr> \<open>R.simps\<close> is the equation unrolling the fixpoint of the 4.264 - predicate one step. 4.265 - 4.266 - 4.267 - When several predicates \<open>R\<^sub>1, \<dots>, R\<^sub>n\<close> are defined simultaneously, 4.268 - the list of introduction rules is called \<open>R\<^sub>1_\<dots>_R\<^sub>n.intros\<close>, the 4.269 - case analysis rules are called \<open>R\<^sub>1.cases, \<dots>, R\<^sub>n.cases\<close>, and the 4.270 - list of mutual induction rules is called \<open>R\<^sub>1_\<dots>_R\<^sub>n.inducts\<close>. 4.271 + \<^descr> \<open>R.induct\<close> or \<open>R.coinduct\<close> is the (co)induction rule; 4.272 + 4.273 + \<^descr> \<open>R.simps\<close> is the equation unrolling the fixpoint of the predicate one 4.274 + step. 4.275 + 4.276 + 4.277 + When several predicates \<open>R\<^sub>1, \<dots>, R\<^sub>n\<close> are defined simultaneously, the list 4.278 + of introduction rules is called \<open>R\<^sub>1_\<dots>_R\<^sub>n.intros\<close>, the case analysis rules 4.279 + are called \<open>R\<^sub>1.cases, \<dots>, R\<^sub>n.cases\<close>, and the list of mutual induction rules 4.280 + is called \<open>R\<^sub>1_\<dots>_R\<^sub>n.inducts\<close>. 4.281 \<close> 4.282 4.283 4.284 subsection \<open>Monotonicity theorems\<close> 4.285 4.286 -text \<open>The context maintains a default set of theorems that are used 4.287 - in monotonicity proofs. New rules can be declared via the 4.288 - @{attribute (HOL) mono} attribute. See the main Isabelle/HOL 4.289 - sources for some examples. The general format of such monotonicity 4.290 - theorems is as follows: 4.291 - 4.292 - \<^item> Theorems of the form \<open>A \<le> B \<Longrightarrow> \<M> A \<le> \<M> B\<close>, for proving 4.293 - monotonicity of inductive definitions whose introduction rules have 4.294 - premises involving terms such as \<open>\<M> R t\<close>. 4.295 - 4.296 - \<^item> Monotonicity theorems for logical operators, which are of the 4.297 - general form \<open>(\<dots> \<longrightarrow> \<dots>) \<Longrightarrow> \<dots> (\<dots> \<longrightarrow> \<dots>) \<Longrightarrow> \<dots> \<longrightarrow> \<dots>\<close>. For example, in 4.298 - the case of the operator \<open>\<or>\<close>, the corresponding theorem is 4.299 +text \<open> 4.300 + The context maintains a default set of theorems that are used in 4.301 + monotonicity proofs. New rules can be declared via the @{attribute (HOL) 4.302 + mono} attribute. See the main Isabelle/HOL sources for some examples. The 4.303 + general format of such monotonicity theorems is as follows: 4.304 + 4.305 + \<^item> Theorems of the form \<open>A \<le> B \<Longrightarrow> \<M> A \<le> \<M> B\<close>, for proving monotonicity of 4.306 + inductive definitions whose introduction rules have premises involving terms 4.307 + such as \<open>\<M> R t\<close>. 4.308 + 4.309 + \<^item> Monotonicity theorems for logical operators, which are of the general form 4.310 + \<open>(\<dots> \<longrightarrow> \<dots>) \<Longrightarrow> \<dots> (\<dots> \<longrightarrow> \<dots>) \<Longrightarrow> \<dots> \<longrightarrow> \<dots>\<close>. For example, in the case of the operator \<open>\<or>\<close>, 4.311 + the corresponding theorem is 4.312 \[ 4.313 \infer{\<open>P\<^sub>1 \<or> P\<^sub>2 \<longrightarrow> Q\<^sub>1 \<or> Q\<^sub>2\<close>}{\<open>P\<^sub>1 \<longrightarrow> Q\<^sub>1\<close> & \<open>P\<^sub>2 \<longrightarrow> Q\<^sub>2\<close>} 4.314 \] 4.315 4.316 - \<^item> De Morgan style equations for reasoning about the ``polarity'' 4.317 - of expressions, e.g. 4.318 + \<^item> De Morgan style equations for reasoning about the ``polarity'' of 4.319 + expressions, e.g. 4.320 \[ 4.321 @{prop "\<not> \<not> P \<longleftrightarrow> P"} \qquad\qquad 4.322 @{prop "\<not> (P \<and> Q) \<longleftrightarrow> \<not> P \<or> \<not> Q"} 4.323 \] 4.324 4.325 - \<^item> Equations for reducing complex operators to more primitive 4.326 - ones whose monotonicity can easily be proved, e.g. 4.327 + \<^item> Equations for reducing complex operators to more primitive ones whose 4.328 + monotonicity can easily be proved, e.g. 4.329 \[ 4.330 @{prop "(P \<longrightarrow> Q) \<longleftrightarrow> \<not> P \<or> Q"} \qquad\qquad 4.331 @{prop "Ball A P \<equiv> \<forall>x. x \<in> A \<longrightarrow> P x"} 4.332 \] 4.333 \<close> 4.334 4.335 + 4.336 subsubsection \<open>Examples\<close> 4.337 4.338 text \<open>The finite powerset operator can be defined inductively like this:\<close> 4.339 @@ -228,9 +218,10 @@ 4.340 where acc: "(\<And>y. y \<prec> x \<Longrightarrow> acc r y) \<Longrightarrow> acc r x" 4.341 (*<*)end(*>*) 4.342 4.343 -text \<open>Common logical connectives can be easily characterized as 4.344 - non-recursive inductive definitions with parameters, but without 4.345 - arguments.\<close> 4.346 +text \<open> 4.347 + Common logical connectives can be easily characterized as non-recursive 4.348 + inductive definitions with parameters, but without arguments. 4.349 +\<close> 4.350 4.351 (*<*)experiment begin(*>*) 4.352 inductive AND for A B :: bool 4.353 @@ -244,12 +235,13 @@ 4.354 where "B a \<Longrightarrow> EXISTS B" 4.355 (*<*)end(*>*) 4.356 4.357 -text \<open>Here the \<open>cases\<close> or \<open>induct\<close> rules produced by the 4.358 - @{command inductive} package coincide with the expected elimination rules 4.359 - for Natural Deduction. Already in the original article by Gerhard Gentzen 4.360 - @{cite "Gentzen:1935"} there is a hint that each connective can be 4.361 - characterized by its introductions, and the elimination can be constructed 4.362 - systematically.\<close> 4.363 +text \<open> 4.364 + Here the \<open>cases\<close> or \<open>induct\<close> rules produced by the @{command inductive} 4.365 + package coincide with the expected elimination rules for Natural Deduction. 4.366 + Already in the original article by Gerhard Gentzen @{cite "Gentzen:1935"} 4.367 + there is a hint that each connective can be characterized by its 4.368 + introductions, and the elimination can be constructed systematically. 4.369 +\<close> 4.370 4.371 4.372 section \<open>Recursive functions \label{sec:recursion}\<close> 4.373 @@ -275,22 +267,21 @@ 4.374 @@{command (HOL) fun_cases} (@{syntax thmdecl}? @{syntax prop} + @'and') 4.375 \<close>} 4.376 4.377 - \<^descr> @{command (HOL) "primrec"} defines primitive recursive functions 4.378 - over datatypes (see also @{command_ref (HOL) datatype}). The given \<open>equations\<close> specify reduction rules that are produced by instantiating the 4.379 - generic combinator for primitive recursion that is available for each 4.380 - datatype. 4.381 + \<^descr> @{command (HOL) "primrec"} defines primitive recursive functions over 4.382 + datatypes (see also @{command_ref (HOL) datatype}). The given \<open>equations\<close> 4.383 + specify reduction rules that are produced by instantiating the generic 4.384 + combinator for primitive recursion that is available for each datatype. 4.385 4.386 Each equation needs to be of the form: 4.387 4.388 @{text [display] "f x\<^sub>1 \<dots> x\<^sub>m (C y\<^sub>1 \<dots> y\<^sub>k) z\<^sub>1 \<dots> z\<^sub>n = rhs"} 4.389 4.390 - such that \<open>C\<close> is a datatype constructor, \<open>rhs\<close> contains only 4.391 - the free variables on the left-hand side (or from the context), and all 4.392 - recursive occurrences of \<open>f\<close> in \<open>rhs\<close> are of the form 4.393 - \<open>f \<dots> y\<^sub>i \<dots>\<close> for some \<open>i\<close>. At most one reduction rule for 4.394 - each constructor can be given. The order does not matter. For missing 4.395 - constructors, the function is defined to return a default value, but this 4.396 - equation is made difficult to access for users. 4.397 + such that \<open>C\<close> is a datatype constructor, \<open>rhs\<close> contains only the free 4.398 + variables on the left-hand side (or from the context), and all recursive 4.399 + occurrences of \<open>f\<close> in \<open>rhs\<close> are of the form \<open>f \<dots> y\<^sub>i \<dots>\<close> for some \<open>i\<close>. At 4.400 + most one reduction rule for each constructor can be given. The order does 4.401 + not matter. For missing constructors, the function is defined to return a 4.402 + default value, but this equation is made difficult to access for users. 4.403 4.404 The reduction rules are declared as @{attribute simp} by default, which 4.405 enables standard proof methods like @{method simp} and @{method auto} to 4.406 @@ -304,62 +295,62 @@ 4.407 command generates proof obligations for the completeness and the 4.408 compatibility of patterns. 4.409 4.410 - The defined function is considered partial, and the resulting 4.411 - simplification rules (named \<open>f.psimps\<close>) and induction rule (named 4.412 - \<open>f.pinduct\<close>) are guarded by a generated domain predicate \<open>f_dom\<close>. The @{command (HOL) "termination"} command can then be used to 4.413 - establish that the function is total. 4.414 + The defined function is considered partial, and the resulting simplification 4.415 + rules (named \<open>f.psimps\<close>) and induction rule (named \<open>f.pinduct\<close>) are guarded 4.416 + by a generated domain predicate \<open>f_dom\<close>. The @{command (HOL) "termination"} 4.417 + command can then be used to establish that the function is total. 4.418 4.419 \<^descr> @{command (HOL) "fun"} is a shorthand notation for ``@{command (HOL) 4.420 - "function"}~\<open>(sequential)\<close>'', followed by automated proof attempts 4.421 - regarding pattern matching and termination. See @{cite 4.422 - "isabelle-function"} for further details. 4.423 - 4.424 - \<^descr> @{command (HOL) "termination"}~\<open>f\<close> commences a termination 4.425 - proof for the previously defined function \<open>f\<close>. If this is omitted, 4.426 - the command refers to the most recent function definition. After the proof 4.427 - is closed, the recursive equations and the induction principle is 4.428 - established. 4.429 - 4.430 - \<^descr> @{command (HOL) "fun_cases"} generates specialized elimination rules 4.431 - for function equations. It expects one or more function equations and 4.432 - produces rules that eliminate the given equalities, following the cases 4.433 - given in the function definition. 4.434 - 4.435 - 4.436 - Recursive definitions introduced by the @{command (HOL) "function"} 4.437 - command accommodate reasoning by induction (cf.\ @{method induct}): rule 4.438 - \<open>f.induct\<close> refers to a specific induction rule, with parameters 4.439 - named according to the user-specified equations. Cases are numbered 4.440 - starting from 1. For @{command (HOL) "primrec"}, the induction principle 4.441 - coincides with structural recursion on the datatype where the recursion is 4.442 - carried out. 4.443 + "function"}~\<open>(sequential)\<close>'', followed by automated proof attempts regarding 4.444 + pattern matching and termination. See @{cite "isabelle-function"} for 4.445 + further details. 4.446 + 4.447 + \<^descr> @{command (HOL) "termination"}~\<open>f\<close> commences a termination proof for the 4.448 + previously defined function \<open>f\<close>. If this is omitted, the command refers to 4.449 + the most recent function definition. After the proof is closed, the 4.450 + recursive equations and the induction principle is established. 4.451 + 4.452 + \<^descr> @{command (HOL) "fun_cases"} generates specialized elimination rules for 4.453 + function equations. It expects one or more function equations and produces 4.454 + rules that eliminate the given equalities, following the cases given in the 4.455 + function definition. 4.456 + 4.457 + 4.458 + Recursive definitions introduced by the @{command (HOL) "function"} command 4.459 + accommodate reasoning by induction (cf.\ @{method induct}): rule \<open>f.induct\<close> 4.460 + refers to a specific induction rule, with parameters named according to the 4.461 + user-specified equations. Cases are numbered starting from 1. For @{command 4.462 + (HOL) "primrec"}, the induction principle coincides with structural 4.463 + recursion on the datatype where the recursion is carried out. 4.464 4.465 The equations provided by these packages may be referred later as theorem 4.466 - list \<open>f.simps\<close>, where \<open>f\<close> is the (collective) name of the 4.467 - functions defined. Individual equations may be named explicitly as well. 4.468 + list \<open>f.simps\<close>, where \<open>f\<close> is the (collective) name of the functions defined. 4.469 + Individual equations may be named explicitly as well. 4.470 4.471 The @{command (HOL) "function"} command accepts the following options. 4.472 4.473 - \<^descr> \<open>sequential\<close> enables a preprocessor which disambiguates 4.474 - overlapping patterns by making them mutually disjoint. Earlier equations 4.475 - take precedence over later ones. This allows to give the specification in 4.476 - a format very similar to functional programming. Note that the resulting 4.477 - simplification and induction rules correspond to the transformed 4.478 - specification, not the one given originally. This usually means that each 4.479 - equation given by the user may result in several theorems. Also note that 4.480 - this automatic transformation only works for ML-style datatype patterns. 4.481 - 4.482 - \<^descr> \<open>domintros\<close> enables the automated generation of introduction 4.483 - rules for the domain predicate. While mostly not needed, they can be 4.484 - helpful in some proofs about partial functions. 4.485 + \<^descr> \<open>sequential\<close> enables a preprocessor which disambiguates overlapping 4.486 + patterns by making them mutually disjoint. Earlier equations take precedence 4.487 + over later ones. This allows to give the specification in a format very 4.488 + similar to functional programming. Note that the resulting simplification 4.489 + and induction rules correspond to the transformed specification, not the one 4.490 + given originally. This usually means that each equation given by the user 4.491 + may result in several theorems. Also note that this automatic transformation 4.492 + only works for ML-style datatype patterns. 4.493 + 4.494 + \<^descr> \<open>domintros\<close> enables the automated generation of introduction rules for the 4.495 + domain predicate. While mostly not needed, they can be helpful in some 4.496 + proofs about partial functions. 4.497 \<close> 4.498 4.499 4.500 subsubsection \<open>Example: evaluation of expressions\<close> 4.501 4.502 -text \<open>Subsequently, we define mutual datatypes for arithmetic and boolean 4.503 - expressions, and use @{command primrec} for evaluation functions that 4.504 - follow the same recursive structure.\<close> 4.505 +text \<open> 4.506 + Subsequently, we define mutual datatypes for arithmetic and boolean 4.507 + expressions, and use @{command primrec} for evaluation functions that follow 4.508 + the same recursive structure. 4.509 +\<close> 4.510 4.511 (*<*)experiment begin(*>*) 4.512 datatype 'a aexp = 4.513 @@ -387,16 +378,15 @@ 4.514 | "evalb env (And b1 b2) = (evalb env b1 \<and> evalb env b2)" 4.515 | "evalb env (Neg b) = (\<not> evalb env b)" 4.516 4.517 -text \<open>Since the value of an expression depends on the value of its 4.518 - variables, the functions @{const evala} and @{const evalb} take an 4.519 - additional parameter, an \<^emph>\<open>environment\<close> that maps variables to their 4.520 - values. 4.521 +text \<open> 4.522 + Since the value of an expression depends on the value of its variables, the 4.523 + functions @{const evala} and @{const evalb} take an additional parameter, an 4.524 + \<^emph>\<open>environment\<close> that maps variables to their values. 4.525 4.526 \<^medskip> 4.527 - Substitution on expressions can be defined similarly. The mapping 4.528 - \<open>f\<close> of type @{typ "'a \<Rightarrow> 'a aexp"} given as a parameter is lifted 4.529 - canonically on the types @{typ "'a aexp"} and @{typ "'a bexp"}, 4.530 - respectively. 4.531 + Substitution on expressions can be defined similarly. The mapping \<open>f\<close> of 4.532 + type @{typ "'a \<Rightarrow> 'a aexp"} given as a parameter is lifted canonically on the 4.533 + types @{typ "'a aexp"} and @{typ "'a bexp"}, respectively. 4.534 \<close> 4.535 4.536 primrec substa :: "('a \<Rightarrow> 'b aexp) \<Rightarrow> 'a aexp \<Rightarrow> 'b aexp" 4.537 @@ -411,10 +401,11 @@ 4.538 | "substb f (And b1 b2) = And (substb f b1) (substb f b2)" 4.539 | "substb f (Neg b) = Neg (substb f b)" 4.540 4.541 -text \<open>In textbooks about semantics one often finds substitution theorems, 4.542 - which express the relationship between substitution and evaluation. For 4.543 - @{typ "'a aexp"} and @{typ "'a bexp"}, we can prove such a theorem by 4.544 - mutual induction, followed by simplification. 4.545 +text \<open> 4.546 + In textbooks about semantics one often finds substitution theorems, which 4.547 + express the relationship between substitution and evaluation. For @{typ "'a 4.548 + aexp"} and @{typ "'a bexp"}, we can prove such a theorem by mutual 4.549 + induction, followed by simplification. 4.550 \<close> 4.551 4.552 lemma subst_one: 4.553 @@ -437,9 +428,10 @@ 4.554 (*<*)experiment begin(*>*) 4.555 datatype ('a, 'b) "term" = Var 'a | App 'b "('a, 'b) term list" 4.556 4.557 -text \<open>A substitution function on type @{typ "('a, 'b) term"} can be 4.558 - defined as follows, by working simultaneously on @{typ "('a, 'b) 4.559 - term list"}:\<close> 4.560 +text \<open> 4.561 + A substitution function on type @{typ "('a, 'b) term"} can be defined as 4.562 + follows, by working simultaneously on @{typ "('a, 'b) term list"}: 4.563 +\<close> 4.564 4.565 primrec subst_term :: "('a \<Rightarrow> ('a, 'b) term) \<Rightarrow> ('a, 'b) term \<Rightarrow> ('a, 'b) term" and 4.566 subst_term_list :: "('a \<Rightarrow> ('a, 'b) term) \<Rightarrow> ('a, 'b) term list \<Rightarrow> ('a, 'b) term list" 4.567 @@ -449,9 +441,10 @@ 4.568 | "subst_term_list f [] = []" 4.569 | "subst_term_list f (t # ts) = subst_term f t # subst_term_list f ts" 4.570 4.571 -text \<open>The recursion scheme follows the structure of the unfolded 4.572 - definition of type @{typ "('a, 'b) term"}. To prove properties of this 4.573 - substitution function, mutual induction is needed: 4.574 +text \<open> 4.575 + The recursion scheme follows the structure of the unfolded definition of 4.576 + type @{typ "('a, 'b) term"}. To prove properties of this substitution 4.577 + function, mutual induction is needed: 4.578 \<close> 4.579 4.580 lemma "subst_term (subst_term f1 \<circ> f2) t = 4.581 @@ -475,9 +468,9 @@ 4.582 "map_tree f (Atom a) = Atom (f a)" 4.583 | "map_tree f (Branch ts) = Branch (\<lambda>x. map_tree f (ts x))" 4.584 4.585 -text \<open>Note that all occurrences of functions such as \<open>ts\<close> above must 4.586 - be applied to an argument. In particular, @{term "map_tree f \<circ> ts"} is not 4.587 - allowed here. 4.588 +text \<open> 4.589 + Note that all occurrences of functions such as \<open>ts\<close> above must be applied to 4.590 + an argument. In particular, @{term "map_tree f \<circ> ts"} is not allowed here. 4.591 4.592 \<^medskip> 4.593 Here is a simple composition lemma for @{term map_tree}: 4.594 @@ -511,45 +504,42 @@ 4.595 orders: ( 'max' | 'min' | 'ms' ) * 4.596 \<close>} 4.597 4.598 - \<^descr> @{method (HOL) pat_completeness} is a specialized method to 4.599 - solve goals regarding the completeness of pattern matching, as 4.600 - required by the @{command (HOL) "function"} package (cf.\ 4.601 - @{cite "isabelle-function"}). 4.602 - 4.603 - \<^descr> @{method (HOL) relation}~\<open>R\<close> introduces a termination 4.604 - proof using the relation \<open>R\<close>. The resulting proof state will 4.605 - contain goals expressing that \<open>R\<close> is wellfounded, and that the 4.606 - arguments of recursive calls decrease with respect to \<open>R\<close>. 4.607 - Usually, this method is used as the initial proof step of manual 4.608 - termination proofs. 4.609 - 4.610 - \<^descr> @{method (HOL) "lexicographic_order"} attempts a fully 4.611 - automated termination proof by searching for a lexicographic 4.612 - combination of size measures on the arguments of the function. The 4.613 - method accepts the same arguments as the @{method auto} method, 4.614 - which it uses internally to prove local descents. The @{syntax 4.615 - clasimpmod} modifiers are accepted (as for @{method auto}). 4.616 - 4.617 - In case of failure, extensive information is printed, which can help 4.618 - to analyse the situation (cf.\ @{cite "isabelle-function"}). 4.619 - 4.620 - \<^descr> @{method (HOL) "size_change"} also works on termination goals, 4.621 - using a variation of the size-change principle, together with a 4.622 - graph decomposition technique (see @{cite krauss_phd} for details). 4.623 - Three kinds of orders are used internally: \<open>max\<close>, \<open>min\<close>, 4.624 - and \<open>ms\<close> (multiset), which is only available when the theory 4.625 - \<open>Multiset\<close> is loaded. When no order kinds are given, they are 4.626 - tried in order. The search for a termination proof uses SAT solving 4.627 + \<^descr> @{method (HOL) pat_completeness} is a specialized method to solve goals 4.628 + regarding the completeness of pattern matching, as required by the @{command 4.629 + (HOL) "function"} package (cf.\ @{cite "isabelle-function"}). 4.630 + 4.631 + \<^descr> @{method (HOL) relation}~\<open>R\<close> introduces a termination proof using the 4.632 + relation \<open>R\<close>. The resulting proof state will contain goals expressing that 4.633 + \<open>R\<close> is wellfounded, and that the arguments of recursive calls decrease with 4.634 + respect to \<open>R\<close>. Usually, this method is used as the initial proof step of 4.635 + manual termination proofs. 4.636 + 4.637 + \<^descr> @{method (HOL) "lexicographic_order"} attempts a fully automated 4.638 + termination proof by searching for a lexicographic combination of size 4.639 + measures on the arguments of the function. The method accepts the same 4.640 + arguments as the @{method auto} method, which it uses internally to prove 4.641 + local descents. The @{syntax clasimpmod} modifiers are accepted (as for 4.642 + @{method auto}). 4.643 + 4.644 + In case of failure, extensive information is printed, which can help to 4.645 + analyse the situation (cf.\ @{cite "isabelle-function"}). 4.646 + 4.647 + \<^descr> @{method (HOL) "size_change"} also works on termination goals, using a 4.648 + variation of the size-change principle, together with a graph decomposition 4.649 + technique (see @{cite krauss_phd} for details). Three kinds of orders are 4.650 + used internally: \<open>max\<close>, \<open>min\<close>, and \<open>ms\<close> (multiset), which is only available 4.651 + when the theory \<open>Multiset\<close> is loaded. When no order kinds are given, they 4.652 + are tried in order. The search for a termination proof uses SAT solving 4.653 internally. 4.654 4.655 - For local descent proofs, the @{syntax clasimpmod} modifiers are 4.656 - accepted (as for @{method auto}). 4.657 - 4.658 - \<^descr> @{method (HOL) induction_schema} derives user-specified 4.659 - induction rules from well-founded induction and completeness of 4.660 - patterns. This factors out some operations that are done internally 4.661 - by the function package and makes them available separately. See 4.662 - @{file "~~/src/HOL/ex/Induction_Schema.thy"} for examples. 4.663 + For local descent proofs, the @{syntax clasimpmod} modifiers are accepted 4.664 + (as for @{method auto}). 4.665 + 4.666 + \<^descr> @{method (HOL) induction_schema} derives user-specified induction rules 4.667 + from well-founded induction and completeness of patterns. This factors out 4.668 + some operations that are done internally by the function package and makes 4.669 + them available separately. See @{file "~~/src/HOL/ex/Induction_Schema.thy"} 4.670 + for examples. 4.671 \<close> 4.672 4.673 4.674 @@ -566,51 +556,45 @@ 4.675 @{syntax specification} 4.676 \<close>} 4.677 4.678 - \<^descr> @{command (HOL) "partial_function"}~\<open>(mode)\<close> defines 4.679 - recursive functions based on fixpoints in complete partial 4.680 - orders. No termination proof is required from the user or 4.681 - constructed internally. Instead, the possibility of non-termination 4.682 - is modelled explicitly in the result type, which contains an 4.683 - explicit bottom element. 4.684 - 4.685 - Pattern matching and mutual recursion are currently not supported. 4.686 - Thus, the specification consists of a single function described by a 4.687 - single recursive equation. 4.688 - 4.689 - There are no fixed syntactic restrictions on the body of the 4.690 - function, but the induced functional must be provably monotonic 4.691 - wrt.\ the underlying order. The monotonicity proof is performed 4.692 - internally, and the definition is rejected when it fails. The proof 4.693 - can be influenced by declaring hints using the 4.694 - @{attribute (HOL) partial_function_mono} attribute. 4.695 - 4.696 - The mandatory \<open>mode\<close> argument specifies the mode of operation 4.697 - of the command, which directly corresponds to a complete partial 4.698 - order on the result type. By default, the following modes are 4.699 - defined: 4.700 - 4.701 - \<^descr> \<open>option\<close> defines functions that map into the @{type 4.702 - option} type. Here, the value @{term None} is used to model a 4.703 - non-terminating computation. Monotonicity requires that if @{term 4.704 - None} is returned by a recursive call, then the overall result must 4.705 - also be @{term None}. This is best achieved through the use of the 4.706 - monadic operator @{const "Option.bind"}. 4.707 - 4.708 - \<^descr> \<open>tailrec\<close> defines functions with an arbitrary result 4.709 - type and uses the slightly degenerated partial order where @{term 4.710 - "undefined"} is the bottom element. Now, monotonicity requires that 4.711 - if @{term undefined} is returned by a recursive call, then the 4.712 - overall result must also be @{term undefined}. In practice, this is 4.713 - only satisfied when each recursive call is a tail call, whose result 4.714 - is directly returned. Thus, this mode of operation allows the 4.715 - definition of arbitrary tail-recursive functions. 4.716 - 4.717 - Experienced users may define new modes by instantiating the locale 4.718 - @{const "partial_function_definitions"} appropriately. 4.719 - 4.720 - \<^descr> @{attribute (HOL) partial_function_mono} declares rules for 4.721 - use in the internal monotonicity proofs of partial function 4.722 - definitions. 4.723 + \<^descr> @{command (HOL) "partial_function"}~\<open>(mode)\<close> defines recursive functions 4.724 + based on fixpoints in complete partial orders. No termination proof is 4.725 + required from the user or constructed internally. Instead, the possibility 4.726 + of non-termination is modelled explicitly in the result type, which contains 4.727 + an explicit bottom element. 4.728 + 4.729 + Pattern matching and mutual recursion are currently not supported. Thus, the 4.730 + specification consists of a single function described by a single recursive 4.731 + equation. 4.732 + 4.733 + There are no fixed syntactic restrictions on the body of the function, but 4.734 + the induced functional must be provably monotonic wrt.\ the underlying 4.735 + order. The monotonicity proof is performed internally, and the definition is 4.736 + rejected when it fails. The proof can be influenced by declaring hints using 4.737 + the @{attribute (HOL) partial_function_mono} attribute. 4.738 + 4.739 + The mandatory \<open>mode\<close> argument specifies the mode of operation of the 4.740 + command, which directly corresponds to a complete partial order on the 4.741 + result type. By default, the following modes are defined: 4.742 + 4.743 + \<^descr> \<open>option\<close> defines functions that map into the @{type option} type. Here, 4.744 + the value @{term None} is used to model a non-terminating computation. 4.745 + Monotonicity requires that if @{term None} is returned by a recursive 4.746 + call, then the overall result must also be @{term None}. This is best 4.747 + achieved through the use of the monadic operator @{const "Option.bind"}. 4.748 + 4.749 + \<^descr> \<open>tailrec\<close> defines functions with an arbitrary result type and uses the 4.750 + slightly degenerated partial order where @{term "undefined"} is the bottom 4.751 + element. Now, monotonicity requires that if @{term undefined} is returned 4.752 + by a recursive call, then the overall result must also be @{term 4.753 + undefined}. In practice, this is only satisfied when each recursive call 4.754 + is a tail call, whose result is directly returned. Thus, this mode of 4.755 + operation allows the definition of arbitrary tail-recursive functions. 4.756 + 4.757 + Experienced users may define new modes by instantiating the locale @{const 4.758 + "partial_function_definitions"} appropriately. 4.759 + 4.760 + \<^descr> @{attribute (HOL) partial_function_mono} declares rules for use in the 4.761 + internal monotonicity proofs of partial function definitions. 4.762 \<close> 4.763 4.764 4.765 @@ -635,21 +619,19 @@ 4.766 (() | 'add' | 'del') ':' @{syntax thms}) | @{syntax clasimpmod} 4.767 \<close>} 4.768 4.769 - \<^descr> @{command (HOL) "recdef"} defines general well-founded 4.770 - recursive functions (using the TFL package). The 4.771 - ``\<open>(permissive)\<close>'' option tells TFL to recover from 4.772 - failed proof attempts, returning unfinished results. The 4.773 - \<open>recdef_simp\<close>, \<open>recdef_cong\<close>, and 4.774 - \<open>recdef_wf\<close> hints refer to auxiliary rules to be used 4.775 - in the internal automated proof process of TFL. Additional 4.776 - @{syntax clasimpmod} declarations may be given to tune the context 4.777 - of the Simplifier (cf.\ \secref{sec:simplifier}) and Classical 4.778 - reasoner (cf.\ \secref{sec:classical}). 4.779 + \<^descr> @{command (HOL) "recdef"} defines general well-founded recursive functions 4.780 + (using the TFL package). The ``\<open>(permissive)\<close>'' option tells TFL to recover 4.781 + from failed proof attempts, returning unfinished results. The \<open>recdef_simp\<close>, 4.782 + \<open>recdef_cong\<close>, and \<open>recdef_wf\<close> hints refer to auxiliary rules to be used in 4.783 + the internal automated proof process of TFL. Additional @{syntax clasimpmod} 4.784 + declarations may be given to tune the context of the Simplifier (cf.\ 4.785 + \secref{sec:simplifier}) and Classical reasoner (cf.\ 4.786 + \secref{sec:classical}). 4.787 4.788 4.789 \<^medskip> 4.790 - Hints for @{command (HOL) "recdef"} may be also declared 4.791 - globally, using the following attributes. 4.792 + Hints for @{command (HOL) "recdef"} may be also declared globally, using the 4.793 + following attributes. 4.794 4.795 \begin{matharray}{rcl} 4.796 @{attribute_def (HOL) recdef_simp} & : & \<open>attribute\<close> \\ 4.797 @@ -674,11 +656,10 @@ 4.798 \end{tabular} 4.799 4.800 \<^medskip> 4.801 - Adhoc overloading allows to overload a constant depending on 4.802 - its type. Typically this involves the introduction of an 4.803 - uninterpreted constant (used for input and output) and the addition 4.804 - of some variants (used internally). For examples see 4.805 - @{file "~~/src/HOL/ex/Adhoc_Overloading_Examples.thy"} and 4.806 + Adhoc overloading allows to overload a constant depending on its type. 4.807 + Typically this involves the introduction of an uninterpreted constant (used 4.808 + for input and output) and the addition of some variants (used internally). 4.809 + For examples see @{file "~~/src/HOL/ex/Adhoc_Overloading_Examples.thy"} and 4.810 @{file "~~/src/HOL/Library/Monad_Syntax.thy"}. 4.811 4.812 @{rail \<open> 4.813 @@ -686,18 +667,17 @@ 4.814 (@{syntax name} (@{syntax term} + ) + @'and') 4.815 \<close>} 4.816 4.817 - \<^descr> @{command "adhoc_overloading"}~\<open>c v\<^sub>1 ... v\<^sub>n\<close> 4.818 - associates variants with an existing constant. 4.819 - 4.820 - \<^descr> @{command "no_adhoc_overloading"} is similar to 4.821 - @{command "adhoc_overloading"}, but removes the specified variants 4.822 - from the present context. 4.823 - 4.824 - \<^descr> @{attribute "show_variants"} controls printing of variants 4.825 - of overloaded constants. If enabled, the internally used variants 4.826 - are printed instead of their respective overloaded constants. This 4.827 - is occasionally useful to check whether the system agrees with a 4.828 - user's expectations about derived variants. 4.829 + \<^descr> @{command "adhoc_overloading"}~\<open>c v\<^sub>1 ... v\<^sub>n\<close> associates variants with an 4.830 + existing constant. 4.831 + 4.832 + \<^descr> @{command "no_adhoc_overloading"} is similar to @{command 4.833 + "adhoc_overloading"}, but removes the specified variants from the present 4.834 + context. 4.835 + 4.836 + \<^descr> @{attribute "show_variants"} controls printing of variants of overloaded 4.837 + constants. If enabled, the internally used variants are printed instead of 4.838 + their respective overloaded constants. This is occasionally useful to check 4.839 + whether the system agrees with a user's expectations about derived variants. 4.840 \<close> 4.841 4.842 4.843 @@ -715,17 +695,16 @@ 4.844 decl: (@{syntax name} ':')? @{syntax term} ('(' @'overloaded' ')')? 4.845 \<close>} 4.846 4.847 - \<^descr> @{command (HOL) "specification"}~\<open>decls \<phi>\<close> sets up a 4.848 - goal stating the existence of terms with the properties specified to 4.849 - hold for the constants given in \<open>decls\<close>. After finishing the 4.850 - proof, the theory will be augmented with definitions for the given 4.851 - constants, as well as with theorems stating the properties for these 4.852 - constants. 4.853 - 4.854 - \<open>decl\<close> declares a constant to be defined by the 4.855 - specification given. The definition for the constant \<open>c\<close> is 4.856 - bound to the name \<open>c_def\<close> unless a theorem name is given in 4.857 - the declaration. Overloaded constants should be declared as such. 4.858 + \<^descr> @{command (HOL) "specification"}~\<open>decls \<phi>\<close> sets up a goal stating the 4.859 + existence of terms with the properties specified to hold for the constants 4.860 + given in \<open>decls\<close>. After finishing the proof, the theory will be augmented 4.861 + with definitions for the given constants, as well as with theorems stating 4.862 + the properties for these constants. 4.863 + 4.864 + \<open>decl\<close> declares a constant to be defined by the specification given. The 4.865 + definition for the constant \<open>c\<close> is bound to the name \<open>c_def\<close> unless a 4.866 + theorem name is given in the declaration. Overloaded constants should be 4.867 + declared as such. 4.868 \<close> 4.869 4.870 4.871 @@ -755,22 +734,24 @@ 4.872 old-style datatypes. 4.873 4.874 4.875 - These commands are mostly obsolete; @{command (HOL) "datatype"} 4.876 - should be used instead. 4.877 - 4.878 - See @{cite "isabelle-datatypes"} for more details on datatypes. Apart from proper 4.879 - proof methods for case analysis and induction, there are also 4.880 + These commands are mostly obsolete; @{command (HOL) "datatype"} should be 4.881 + used instead. 4.882 + 4.883 + See @{cite "isabelle-datatypes"} for more details on datatypes. Apart from 4.884 + proper proof methods for case analysis and induction, there are also 4.885 emulations of ML tactics @{method (HOL) case_tac} and @{method (HOL) 4.886 - induct_tac} available, see \secref{sec:hol-induct-tac}; these admit 4.887 - to refer directly to the internal structure of subgoals (including 4.888 - internally bound parameters). 4.889 + induct_tac} available, see \secref{sec:hol-induct-tac}; these admit to refer 4.890 + directly to the internal structure of subgoals (including internally bound 4.891 + parameters). 4.892 \<close> 4.893 4.894 4.895 subsubsection \<open>Examples\<close> 4.896 4.897 -text \<open>We define a type of finite sequences, with slightly different names 4.898 - than the existing @{typ "'a list"} that is already in @{theory Main}:\<close> 4.899 +text \<open> 4.900 + We define a type of finite sequences, with slightly different names than the 4.901 + existing @{typ "'a list"} that is already in @{theory Main}: 4.902 +\<close> 4.903 4.904 (*<*)experiment begin(*>*) 4.905 datatype 'a seq = Empty | Seq 'a "'a seq" 4.906 @@ -803,21 +784,21 @@ 4.907 4.908 text \<open> 4.909 In principle, records merely generalize the concept of tuples, where 4.910 - components may be addressed by labels instead of just position. The 4.911 - logical infrastructure of records in Isabelle/HOL is slightly more 4.912 - advanced, though, supporting truly extensible record schemes. This 4.913 - admits operations that are polymorphic with respect to record 4.914 - extension, yielding ``object-oriented'' effects like (single) 4.915 - inheritance. See also @{cite "NaraschewskiW-TPHOLs98"} for more 4.916 - details on object-oriented verification and record subtyping in HOL. 4.917 + components may be addressed by labels instead of just position. The logical 4.918 + infrastructure of records in Isabelle/HOL is slightly more advanced, though, 4.919 + supporting truly extensible record schemes. This admits operations that are 4.920 + polymorphic with respect to record extension, yielding ``object-oriented'' 4.921 + effects like (single) inheritance. See also @{cite "NaraschewskiW-TPHOLs98"} 4.922 + for more details on object-oriented verification and record subtyping in 4.923 + HOL. 4.924 \<close> 4.925 4.926 4.927 subsection \<open>Basic concepts\<close> 4.928 4.929 text \<open> 4.930 - Isabelle/HOL supports both \<^emph>\<open>fixed\<close> and \<^emph>\<open>schematic\<close> records 4.931 - at the level of terms and types. The notation is as follows: 4.932 + Isabelle/HOL supports both \<^emph>\<open>fixed\<close> and \<^emph>\<open>schematic\<close> records at the level of 4.933 + terms and types. The notation is as follows: 4.934 4.935 \begin{center} 4.936 \begin{tabular}{l|l|l} 4.937 @@ -830,47 +811,41 @@ 4.938 4.939 The ASCII representation of \<open>\<lparr>x = a\<rparr>\<close> is \<open>(| x = a |)\<close>. 4.940 4.941 - A fixed record \<open>\<lparr>x = a, y = b\<rparr>\<close> has field \<open>x\<close> of value 4.942 - \<open>a\<close> and field \<open>y\<close> of value \<open>b\<close>. The corresponding 4.943 - type is \<open>\<lparr>x :: A, y :: B\<rparr>\<close>, assuming that \<open>a :: A\<close> 4.944 - and \<open>b :: B\<close>. 4.945 - 4.946 - A record scheme like \<open>\<lparr>x = a, y = b, \<dots> = m\<rparr>\<close> contains fields 4.947 - \<open>x\<close> and \<open>y\<close> as before, but also possibly further fields 4.948 - as indicated by the ``\<open>\<dots>\<close>'' notation (which is actually part 4.949 - of the syntax). The improper field ``\<open>\<dots>\<close>'' of a record 4.950 - scheme is called the \<^emph>\<open>more part\<close>. Logically it is just a free 4.951 - variable, which is occasionally referred to as ``row variable'' in 4.952 - the literature. The more part of a record scheme may be 4.953 - instantiated by zero or more further components. For example, the 4.954 - previous scheme may get instantiated to \<open>\<lparr>x = a, y = b, z = 4.955 - c, \<dots> = m'\<rparr>\<close>, where \<open>m'\<close> refers to a different more part. 4.956 - Fixed records are special instances of record schemes, where 4.957 - ``\<open>\<dots>\<close>'' is properly terminated by the \<open>() :: unit\<close> 4.958 - element. In fact, \<open>\<lparr>x = a, y = b\<rparr>\<close> is just an abbreviation 4.959 - for \<open>\<lparr>x = a, y = b, \<dots> = ()\<rparr>\<close>. 4.960 + A fixed record \<open>\<lparr>x = a, y = b\<rparr>\<close> has field \<open>x\<close> of value \<open>a\<close> and field \<open>y\<close> of 4.961 + value \<open>b\<close>. The corresponding type is \<open>\<lparr>x :: A, y :: B\<rparr>\<close>, assuming that \<open>a :: 4.962 + A\<close> and \<open>b :: B\<close>. 4.963 + 4.964 + A record scheme like \<open>\<lparr>x = a, y = b, \<dots> = m\<rparr>\<close> contains fields \<open>x\<close> and \<open>y\<close> as 4.965 + before, but also possibly further fields as indicated by the ``\<open>\<dots>\<close>'' 4.966 + notation (which is actually part of the syntax). The improper field ``\<open>\<dots>\<close>'' 4.967 + of a record scheme is called the \<^emph>\<open>more part\<close>. Logically it is just a free 4.968 + variable, which is occasionally referred to as ``row variable'' in the 4.969 + literature. The more part of a record scheme may be instantiated by zero or 4.970 + more further components. For example, the previous scheme may get 4.971 + instantiated to \<open>\<lparr>x = a, y = b, z = c, \<dots> = m'\<rparr>\<close>, where \<open>m'\<close> refers to a 4.972 + different more part. Fixed records are special instances of record schemes, 4.973 + where ``\<open>\<dots>\<close>'' is properly terminated by the \<open>() :: unit\<close> element. In fact, 4.974 + \<open>\<lparr>x = a, y = b\<rparr>\<close> is just an abbreviation for \<open>\<lparr>x = a, y = b, \<dots> = ()\<rparr>\<close>. 4.975 4.976 \<^medskip> 4.977 - Two key observations make extensible records in a simply 4.978 - typed language like HOL work out: 4.979 - 4.980 - \<^enum> the more part is internalized, as a free term or type 4.981 - variable, 4.982 - 4.983 - \<^enum> field names are externalized, they cannot be accessed within 4.984 - the logic as first-class values. 4.985 + Two key observations make extensible records in a simply typed language like 4.986 + HOL work out: 4.987 + 4.988 + \<^enum> the more part is internalized, as a free term or type variable, 4.989 + 4.990 + \<^enum> field names are externalized, they cannot be accessed within the logic as 4.991 + first-class values. 4.992 4.993 4.994 \<^medskip> 4.995 - In Isabelle/HOL record types have to be defined explicitly, 4.996 - fixing their field names and types, and their (optional) parent 4.997 - record. Afterwards, records may be formed using above syntax, while 4.998 - obeying the canonical order of fields as given by their declaration. 4.999 - The record package provides several standard operations like 4.1000 - selectors and updates. The common setup for various generic proof 4.1001 - tools enable succinct reasoning patterns. See also the Isabelle/HOL 4.1002 - tutorial @{cite "isabelle-hol-book"} for further instructions on using 4.1003 - records in practice. 4.1004 + In Isabelle/HOL record types have to be defined explicitly, fixing their 4.1005 + field names and types, and their (optional) parent record. Afterwards, 4.1006 + records may be formed using above syntax, while obeying the canonical order 4.1007 + of fields as given by their declaration. The record package provides several 4.1008 + standard operations like selectors and updates. The common setup for various 4.1009 + generic proof tools enable succinct reasoning patterns. See also the 4.1010 + Isabelle/HOL tutorial @{cite "isabelle-hol-book"} for further instructions 4.1011 + on using records in practice. 4.1012 \<close> 4.1013 4.1014 4.1015 @@ -893,45 +868,40 @@ 4.1016 modes: '(' (@{syntax name} +) ')' 4.1017 \<close>} 4.1018 4.1019 - \<^descr> @{command (HOL) "record"}~\<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t = \<tau> + c\<^sub>1 :: \<sigma>\<^sub>1 4.1020 - \<dots> c\<^sub>n :: \<sigma>\<^sub>n\<close> defines extensible record type \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t\<close>, 4.1021 - derived from the optional parent record \<open>\<tau>\<close> by adding new 4.1022 - field components \<open>c\<^sub>i :: \<sigma>\<^sub>i\<close> etc. 4.1023 - 4.1024 - The type variables of \<open>\<tau>\<close> and \<open>\<sigma>\<^sub>i\<close> need to be 4.1025 - covered by the (distinct) parameters \<open>\<alpha>\<^sub>1, \<dots>, 4.1026 - \<alpha>\<^sub>m\<close>. Type constructor \<open>t\<close> has to be new, while \<open>\<tau>\<close> needs to specify an instance of an existing record type. At 4.1027 - least one new field \<open>c\<^sub>i\<close> has to be specified. 4.1028 - Basically, field names need to belong to a unique record. This is 4.1029 - not a real restriction in practice, since fields are qualified by 4.1030 - the record name internally. 4.1031 - 4.1032 - The parent record specification \<open>\<tau>\<close> is optional; if omitted 4.1033 - \<open>t\<close> becomes a root record. The hierarchy of all records 4.1034 - declared within a theory context forms a forest structure, i.e.\ a 4.1035 - set of trees starting with a root record each. There is no way to 4.1036 - merge multiple parent records! 4.1037 - 4.1038 - For convenience, \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t\<close> is made a 4.1039 - type abbreviation for the fixed record type \<open>\<lparr>c\<^sub>1 :: 4.1040 - \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n\<rparr>\<close>, likewise is \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m, \<zeta>) t_scheme\<close> made an abbreviation for 4.1041 - \<open>\<lparr>c\<^sub>1 :: \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n, \<dots> :: 4.1042 - \<zeta>\<rparr>\<close>. 4.1043 - 4.1044 - \<^descr> @{command (HOL) "print_record"}~\<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t\<close> prints the definition 4.1045 - of record \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t\<close>. Optionally \<open>modes\<close> can be specified, which are 4.1046 - appended to the current print mode; see \secref{sec:print-modes}. 4.1047 + \<^descr> @{command (HOL) "record"}~\<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t = \<tau> + c\<^sub>1 :: \<sigma>\<^sub>1 \<dots> c\<^sub>n :: \<sigma>\<^sub>n\<close> 4.1048 + defines extensible record type \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t\<close>, derived from the optional 4.1049 + parent record \<open>\<tau>\<close> by adding new field components \<open>c\<^sub>i :: \<sigma>\<^sub>i\<close> etc. 4.1050 + 4.1051 + The type variables of \<open>\<tau>\<close> and \<open>\<sigma>\<^sub>i\<close> need to be covered by the (distinct) 4.1052 + parameters \<open>\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m\<close>. Type constructor \<open>t\<close> has to be new, while \<open>\<tau>\<close> 4.1053 + needs to specify an instance of an existing record type. At least one new 4.1054 + field \<open>c\<^sub>i\<close> has to be specified. Basically, field names need to belong to a 4.1055 + unique record. This is not a real restriction in practice, since fields are 4.1056 + qualified by the record name internally. 4.1057 + 4.1058 + The parent record specification \<open>\<tau>\<close> is optional; if omitted \<open>t\<close> becomes a 4.1059 + root record. The hierarchy of all records declared within a theory context 4.1060 + forms a forest structure, i.e.\ a set of trees starting with a root record 4.1061 + each. There is no way to merge multiple parent records! 4.1062 + 4.1063 + For convenience, \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t\<close> is made a type abbreviation for the fixed 4.1064 + record type \<open>\<lparr>c\<^sub>1 :: \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n\<rparr>\<close>, likewise is \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m, \<zeta>) 4.1065 + t_scheme\<close> made an abbreviation for \<open>\<lparr>c\<^sub>1 :: \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n, \<dots> :: \<zeta>\<rparr>\<close>. 4.1066 + 4.1067 + \<^descr> @{command (HOL) "print_record"}~\<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t\<close> prints the definition of 4.1068 + record \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t\<close>. Optionally \<open>modes\<close> can be specified, which are 4.1069 + appended to the current print mode; see \secref{sec:print-modes}. 4.1070 \<close> 4.1071 4.1072 4.1073 subsection \<open>Record operations\<close> 4.1074 4.1075 -text \<open>Any record definition of the form presented above produces certain 4.1076 - standard operations. Selectors and updates are provided for any field, 4.1077 - including the improper one ``\<open>more\<close>''. There are also cumulative 4.1078 - record constructor functions. To simplify the presentation below, we 4.1079 - assume for now that \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t\<close> is a root record with fields 4.1080 - \<open>c\<^sub>1 :: \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n\<close>. 4.1081 +text \<open> 4.1082 + Any record definition of the form presented above produces certain standard 4.1083 + operations. Selectors and updates are provided for any field, including the 4.1084 + improper one ``\<open>more\<close>''. There are also cumulative record constructor 4.1085 + functions. To simplify the presentation below, we assume for now that \<open>(\<alpha>\<^sub>1, 4.1086 + \<dots>, \<alpha>\<^sub>m) t\<close> is a root record with fields \<open>c\<^sub>1 :: \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n\<close>. 4.1087 4.1088 \<^medskip> 4.1089 \<^bold>\<open>Selectors\<close> and \<^bold>\<open>updates\<close> are available for any 4.1090 @@ -942,33 +912,32 @@ 4.1091 \<open>c\<^sub>i_update\<close> & \<open>::\<close> & \<open>\<sigma>\<^sub>i \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr>\<close> \\ 4.1092 \end{matharray} 4.1093 4.1094 - There is special syntax for application of updates: \<open>r\<lparr>x := a\<rparr>\<close> 4.1095 - abbreviates term \<open>x_update a r\<close>. Further notation for repeated 4.1096 - updates is also available: \<open>r\<lparr>x := a\<rparr>\<lparr>y := b\<rparr>\<lparr>z := c\<rparr>\<close> may be 4.1097 - written \<open>r\<lparr>x := a, y := b, z := c\<rparr>\<close>. Note that because of postfix 4.1098 - notation the order of fields shown here is reverse than in the actual 4.1099 - term. Since repeated updates are just function applications, fields may be 4.1100 - freely permuted in \<open>\<lparr>x := a, y := b, z := c\<rparr>\<close>, as far as logical 4.1101 - equality is concerned. Thus commutativity of independent updates can be 4.1102 - proven within the logic for any two fields, but not as a general theorem. 4.1103 + There is special syntax for application of updates: \<open>r\<lparr>x := a\<rparr>\<close> abbreviates 4.1104 + term \<open>x_update a r\<close>. Further notation for repeated updates is also 4.1105 + available: \<open>r\<lparr>x := a\<rparr>\<lparr>y := b\<rparr>\<lparr>z := c\<rparr>\<close> may be written \<open>r\<lparr>x := a, y := b, z 4.1106 + := c\<rparr>\<close>. Note that because of postfix notation the order of fields shown here 4.1107 + is reverse than in the actual term. Since repeated updates are just function 4.1108 + applications, fields may be freely permuted in \<open>\<lparr>x := a, y := b, z := c\<rparr>\<close>, 4.1109 + as far as logical equality is concerned. Thus commutativity of independent 4.1110 + updates can be proven within the logic for any two fields, but not as a 4.1111 + general theorem. 4.1112 4.1113 \<^medskip> 4.1114 - The \<^bold>\<open>make\<close> operation provides a cumulative record 4.1115 - constructor function: 4.1116 + The \<^bold>\<open>make\<close> operation provides a cumulative record constructor function: 4.1117 4.1118 \begin{matharray}{lll} 4.1119 \<open>t.make\<close> & \<open>::\<close> & \<open>\<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>n \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>\<rparr>\<close> \\ 4.1120 \end{matharray} 4.1121 4.1122 \<^medskip> 4.1123 - We now reconsider the case of non-root records, which are derived 4.1124 - of some parent. In general, the latter may depend on another parent as 4.1125 - well, resulting in a list of \<^emph>\<open>ancestor records\<close>. Appending the lists 4.1126 - of fields of all ancestors results in a certain field prefix. The record 4.1127 - package automatically takes care of this by lifting operations over this 4.1128 - context of ancestor fields. Assuming that \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t\<close> has 4.1129 - ancestor fields \<open>b\<^sub>1 :: \<rho>\<^sub>1, \<dots>, b\<^sub>k :: \<rho>\<^sub>k\<close>, the above record 4.1130 - operations will get the following types: 4.1131 + We now reconsider the case of non-root records, which are derived of some 4.1132 + parent. In general, the latter may depend on another parent as well, 4.1133 + resulting in a list of \<^emph>\<open>ancestor records\<close>. Appending the lists of fields of 4.1134 + all ancestors results in a certain field prefix. The record package 4.1135 + automatically takes care of this by lifting operations over this context of 4.1136 + ancestor fields. Assuming that \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t\<close> has ancestor fields \<open>b\<^sub>1 :: 4.1137 + \<rho>\<^sub>1, \<dots>, b\<^sub>k :: \<rho>\<^sub>k\<close>, the above record operations will get the following 4.1138 + types: 4.1139 4.1140 \<^medskip> 4.1141 \begin{tabular}{lll} 4.1142 @@ -981,12 +950,11 @@ 4.1143 \end{tabular} 4.1144 \<^medskip> 4.1145 4.1146 - Some further operations address the extension aspect of a 4.1147 - derived record scheme specifically: \<open>t.fields\<close> produces a record 4.1148 - fragment consisting of exactly the new fields introduced here (the result 4.1149 - may serve as a more part elsewhere); \<open>t.extend\<close> takes a fixed 4.1150 - record and adds a given more part; \<open>t.truncate\<close> restricts a record 4.1151 - scheme to a fixed record. 4.1152 + Some further operations address the extension aspect of a derived record 4.1153 + scheme specifically: \<open>t.fields\<close> produces a record fragment consisting of 4.1154 + exactly the new fields introduced here (the result may serve as a more part 4.1155 + elsewhere); \<open>t.extend\<close> takes a fixed record and adds a given more part; 4.1156 + \<open>t.truncate\<close> restricts a record scheme to a fixed record. 4.1157 4.1158 \<^medskip> 4.1159 \begin{tabular}{lll} 4.1160 @@ -997,52 +965,49 @@ 4.1161 \end{tabular} 4.1162 \<^medskip> 4.1163 4.1164 - Note that \<open>t.make\<close> and \<open>t.fields\<close> coincide for 4.1165 - root records. 4.1166 + Note that \<open>t.make\<close> and \<open>t.fields\<close> coincide for root records. 4.1167 \<close> 4.1168 4.1169 4.1170 subsection \<open>Derived rules and proof tools\<close> 4.1171 4.1172 text \<open> 4.1173 - The record package proves several results internally, declaring 4.1174 - these facts to appropriate proof tools. This enables users to 4.1175 - reason about record structures quite conveniently. Assume that 4.1176 - \<open>t\<close> is a record type as specified above. 4.1177 + The record package proves several results internally, declaring these facts 4.1178 + to appropriate proof tools. This enables users to reason about record 4.1179 + structures quite conveniently. Assume that \<open>t\<close> is a record type as specified 4.1180 + above. 4.1181 4.1182 \<^enum> Standard conversions for selectors or updates applied to record 4.1183 constructor terms are made part of the default Simplifier context; thus 4.1184 proofs by reduction of basic operations merely require the @{method simp} 4.1185 - method without further arguments. These rules are available as \<open>t.simps\<close>, too. 4.1186 + method without further arguments. These rules are available as \<open>t.simps\<close>, 4.1187 + too. 4.1188 4.1189 \<^enum> Selectors applied to updated records are automatically reduced by an 4.1190 internal simplification procedure, which is also part of the standard 4.1191 Simplifier setup. 4.1192 4.1193 - \<^enum> Inject equations of a form analogous to @{prop "(x, y) = (x', y') \<equiv> 4.1194 - x = x' \<and> y = y'"} are declared to the Simplifier and Classical Reasoner as 4.1195 + \<^enum> Inject equations of a form analogous to @{prop "(x, y) = (x', y') \<equiv> x = x' 4.1196 + \<and> y = y'"} are declared to the Simplifier and Classical Reasoner as 4.1197 @{attribute iff} rules. These rules are available as \<open>t.iffs\<close>. 4.1198 4.1199 - \<^enum> The introduction rule for record equality analogous to \<open>x r = 4.1200 - x r' \<Longrightarrow> y r = y r' \<dots> \<Longrightarrow> r = r'\<close> is declared to the Simplifier, and as the 4.1201 - basic rule context as ``@{attribute intro}\<open>?\<close>''. The rule is 4.1202 - called \<open>t.equality\<close>. 4.1203 - 4.1204 - \<^enum> Representations of arbitrary record expressions as canonical 4.1205 - constructor terms are provided both in @{method cases} and @{method 4.1206 - induct} format (cf.\ the generic proof methods of the same name, 4.1207 - \secref{sec:cases-induct}). Several variations are available, for fixed 4.1208 - records, record schemes, more parts etc. 4.1209 + \<^enum> The introduction rule for record equality analogous to \<open>x r = x r' \<Longrightarrow> y r = 4.1210 + y r' \<dots> \<Longrightarrow> r = r'\<close> is declared to the Simplifier, and as the basic rule 4.1211 + context as ``@{attribute intro}\<open>?\<close>''. The rule is called \<open>t.equality\<close>. 4.1212 + 4.1213 + \<^enum> Representations of arbitrary record expressions as canonical constructor 4.1214 + terms are provided both in @{method cases} and @{method induct} format (cf.\ 4.1215 + the generic proof methods of the same name, \secref{sec:cases-induct}). 4.1216 + Several variations are available, for fixed records, record schemes, more 4.1217 + parts etc. 4.1218 4.1219 The generic proof methods are sufficiently smart to pick the most sensible 4.1220 rule according to the type of the indicated record expression: users just 4.1221 - need to apply something like ``\<open>(cases r)\<close>'' to a certain proof 4.1222 - problem. 4.1223 - 4.1224 - \<^enum> The derived record operations \<open>t.make\<close>, \<open>t.fields\<close>, 4.1225 - \<open>t.extend\<close>, \<open>t.truncate\<close> are \<^emph>\<open>not\<close> treated 4.1226 - automatically, but usually need to be expanded by hand, using the 4.1227 - collective fact \<open>t.defs\<close>. 4.1228 + need to apply something like ``\<open>(cases r)\<close>'' to a certain proof problem. 4.1229 + 4.1230 + \<^enum> The derived record operations \<open>t.make\<close>, \<open>t.fields\<close>, \<open>t.extend\<close>, 4.1231 + \<open>t.truncate\<close> are \<^emph>\<open>not\<close> treated automatically, but usually need to be 4.1232 + expanded by hand, using the collective fact \<open>t.defs\<close>. 4.1233 \<close> 4.1234 4.1235 4.1236 @@ -1060,13 +1025,12 @@ 4.1237 4.1238 A type definition identifies a new type with a non-empty subset of an 4.1239 existing type. More precisely, the new type is defined by exhibiting an 4.1240 - existing type \<open>\<tau>\<close>, a set \<open>A :: \<tau> set\<close>, and proving @{prop 4.1241 - "\<exists>x. x \<in> A"}. Thus \<open>A\<close> is a non-empty subset of \<open>\<tau>\<close>, and the 4.1242 - new type denotes this subset. New functions are postulated that establish 4.1243 - an isomorphism between the new type and the subset. In general, the type 4.1244 - \<open>\<tau>\<close> may involve type variables \<open>\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n\<close> which means 4.1245 - that the type definition produces a type constructor \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) 4.1246 - t\<close> depending on those type arguments. 4.1247 + existing type \<open>\<tau>\<close>, a set \<open>A :: \<tau> set\<close>, and proving @{prop "\<exists>x. x \<in> A"}. Thus 4.1248 + \<open>A\<close> is a non-empty subset of \<open>\<tau>\<close>, and the new type denotes this subset. New 4.1249 + functions are postulated that establish an isomorphism between the new type 4.1250 + and the subset. In general, the type \<open>\<tau>\<close> may involve type variables \<open>\<alpha>\<^sub>1, \<dots>, 4.1251 + \<alpha>\<^sub>n\<close> which means that the type definition produces a type constructor \<open>(\<alpha>\<^sub>1, 4.1252 + \<dots>, \<alpha>\<^sub>n) t\<close> depending on those type arguments. 4.1253 4.1254 @{rail \<open> 4.1255 @@{command (HOL) typedef} @{syntax "overloaded"}? abs_type '=' rep_set 4.1256 @@ -1078,98 +1042,94 @@ 4.1257 rep_set: @{syntax term} (@'morphisms' @{syntax name} @{syntax name})? 4.1258 \<close>} 4.1259 4.1260 - To understand the concept of type definition better, we need to recount 4.1261 - its somewhat complex history. The HOL logic goes back to the ``Simple 4.1262 - Theory of Types'' (STT) of A. Church @{cite "church40"}, which is further 4.1263 - explained in the book by P. Andrews @{cite "andrews86"}. The overview 4.1264 - article by W. Farmer @{cite "Farmer:2008"} points out the ``seven 4.1265 - virtues'' of this relatively simple family of logics. STT has only ground 4.1266 - types, without polymorphism and without type definitions. 4.1267 + To understand the concept of type definition better, we need to recount its 4.1268 + somewhat complex history. The HOL logic goes back to the ``Simple Theory of 4.1269 + Types'' (STT) of A. Church @{cite "church40"}, which is further explained in 4.1270 + the book by P. Andrews @{cite "andrews86"}. The overview article by W. 4.1271 + Farmer @{cite "Farmer:2008"} points out the ``seven virtues'' of this 4.1272 + relatively simple family of logics. STT has only ground types, without 4.1273 + polymorphism and without type definitions. 4.1274 4.1275 \<^medskip> 4.1276 - M. Gordon @{cite "Gordon:1985:HOL"} augmented Church's STT by 4.1277 - adding schematic polymorphism (type variables and type constructors) and a 4.1278 - facility to introduce new types as semantic subtypes from existing types. 4.1279 - This genuine extension of the logic was explained semantically by A. Pitts 4.1280 - in the book of the original Cambridge HOL88 system @{cite "pitts93"}. Type 4.1281 - definitions work in this setting, because the general model-theory of STT 4.1282 - is restricted to models that ensure that the universe of type 4.1283 - interpretations is closed by forming subsets (via predicates taken from 4.1284 - the logic). 4.1285 + M. Gordon @{cite "Gordon:1985:HOL"} augmented Church's STT by adding 4.1286 + schematic polymorphism (type variables and type constructors) and a facility 4.1287 + to introduce new types as semantic subtypes from existing types. This 4.1288 + genuine extension of the logic was explained semantically by A. Pitts in the 4.1289 + book of the original Cambridge HOL88 system @{cite "pitts93"}. Type 4.1290 + definitions work in this setting, because the general model-theory of STT is 4.1291 + restricted to models that ensure that the universe of type interpretations 4.1292 + is closed by forming subsets (via predicates taken from the logic). 4.1293 4.1294 \<^medskip> 4.1295 - Isabelle/HOL goes beyond Gordon-style HOL by admitting overloaded 4.1296 - constant definitions @{cite "Wenzel:1997:TPHOL" and 4.1297 - "Haftmann-Wenzel:2006:classes"}, which are actually a concept of 4.1298 - Isabelle/Pure and do not depend on particular set-theoretic semantics of 4.1299 - HOL. Over many years, there was no formal checking of semantic type 4.1300 - definitions in Isabelle/HOL versus syntactic constant definitions in 4.1301 - Isabelle/Pure. So the @{command typedef} command was described as 4.1302 - ``axiomatic'' in the sense of \secref{sec:axiomatizations}, only with some 4.1303 - local checks of the given type and its representing set. 4.1304 + Isabelle/HOL goes beyond Gordon-style HOL by admitting overloaded constant 4.1305 + definitions @{cite "Wenzel:1997:TPHOL" and "Haftmann-Wenzel:2006:classes"}, 4.1306 + which are actually a concept of Isabelle/Pure and do not depend on 4.1307 + particular set-theoretic semantics of HOL. Over many years, there was no 4.1308 + formal checking of semantic type definitions in Isabelle/HOL versus 4.1309 + syntactic constant definitions in Isabelle/Pure. So the @{command typedef} 4.1310 + command was described as ``axiomatic'' in the sense of 4.1311 + \secref{sec:axiomatizations}, only with some local checks of the given type 4.1312 + and its representing set. 4.1313 4.1314 Recent clarification of overloading in the HOL logic proper @{cite 4.1315 "Kuncar-Popescu:2015"} demonstrates how the dissimilar concepts of constant 4.1316 definitions versus type definitions may be understood uniformly. This 4.1317 requires an interpretation of Isabelle/HOL that substantially reforms the 4.1318 set-theoretic model of A. Pitts @{cite "pitts93"}, by taking a schematic 4.1319 - view on polymorphism and interpreting only ground types in the 4.1320 - set-theoretic sense of HOL88. Moreover, type-constructors may be 4.1321 - explicitly overloaded, e.g.\ by making the subset depend on type-class 4.1322 - parameters (cf.\ \secref{sec:class}). This is semantically like a 4.1323 - dependent type: the meaning relies on the operations provided by different 4.1324 - type-class instances. 4.1325 - 4.1326 - \<^descr> @{command (HOL) "typedef"}~\<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t = A\<close> defines a 4.1327 - new type \<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t\<close> from the set \<open>A\<close> over an existing 4.1328 - type. The set \<open>A\<close> may contain type variables \<open>\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n\<close> 4.1329 - as specified on the LHS, but no term variables. Non-emptiness of \<open>A\<close> 4.1330 - needs to be proven on the spot, in order to turn the internal conditional 4.1331 - characterization into usable theorems. 4.1332 - 4.1333 - The ``\<open>(overloaded)\<close>'' option allows the @{command 4.1334 - "typedef"} specification to depend on constants that are not (yet) 4.1335 - specified and thus left open as parameters, e.g.\ type-class parameters. 4.1336 + view on polymorphism and interpreting only ground types in the set-theoretic 4.1337 + sense of HOL88. Moreover, type-constructors may be explicitly overloaded, 4.1338 + e.g.\ by making the subset depend on type-class parameters (cf.\ 4.1339 + \secref{sec:class}). This is semantically like a dependent type: the meaning 4.1340 + relies on the operations provided by different type-class instances. 4.1341 + 4.1342 + \<^descr> @{command (HOL) "typedef"}~\<open>(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t = A\<close> defines a new type \<open>(\<alpha>\<^sub>1, 4.1343 + \<dots>, \<alpha>\<^sub>n) t\<close> from the set \<open>A\<close> over an existing type. The set \<open>A\<close> may contain 4.1344 + type variables \<open>\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n\<close> as specified on the LHS, but no term variables. 4.1345 + Non-emptiness of \<open>A\<close> needs to be proven on the spot, in order to turn the 4.1346 + internal conditional characterization into usable theorems. 4.1347 + 4.1348 + The ``\<open>(overloaded)\<close>'' option allows the @{command "typedef"} specification 4.1349 + to depend on constants that are not (yet) specified and thus left open as 4.1350 + parameters, e.g.\ type-class parameters. 4.1351 4.1352 Within a local theory specification, the newly introduced type constructor 4.1353 cannot depend on parameters or assumptions of the context: this is 4.1354 - syntactically impossible in HOL. The non-emptiness proof may formally 4.1355 - depend on local assumptions, but this has little practical relevance. 4.1356 - 4.1357 - For @{command (HOL) "typedef"}~\<open>t = A\<close> the newly introduced 4.1358 - type \<open>t\<close> is accompanied by a pair of morphisms to relate it to 4.1359 - the representing set over the old type. By default, the injection 4.1360 - from type to set is called \<open>Rep_t\<close> and its inverse \<open>Abs_t\<close>: An explicit @{keyword (HOL) "morphisms"} specification 4.1361 - allows to provide alternative names. 4.1362 + syntactically impossible in HOL. The non-emptiness proof may formally depend 4.1363 + on local assumptions, but this has little practical relevance. 4.1364 + 4.1365 + For @{command (HOL) "typedef"}~\<open>t = A\<close> the newly introduced type \<open>t\<close> is 4.1366 + accompanied by a pair of morphisms to relate it to the representing set over 4.1367 + the old type. By default, the injection from type to set is called \<open>Rep_t\<close> 4.1368 + and its inverse \<open>Abs_t\<close>: An explicit @{keyword (HOL) "morphisms"} 4.1369 + specification allows to provide alternative names. 4.1370 4.1371 The logical characterization of @{command typedef} uses the predicate of 4.1372 locale @{const type_definition} that is defined in Isabelle/HOL. Various 4.1373 - basic consequences of that are instantiated accordingly, re-using the 4.1374 - locale facts with names derived from the new type constructor. Thus the 4.1375 - generic theorem @{thm type_definition.Rep} is turned into the specific 4.1376 - \<open>Rep_t\<close>, for example. 4.1377 - 4.1378 - Theorems @{thm type_definition.Rep}, @{thm 4.1379 - type_definition.Rep_inverse}, and @{thm type_definition.Abs_inverse} 4.1380 - provide the most basic characterization as a corresponding 4.1381 - injection/surjection pair (in both directions). The derived rules 4.1382 - @{thm type_definition.Rep_inject} and @{thm 4.1383 + basic consequences of that are instantiated accordingly, re-using the locale 4.1384 + facts with names derived from the new type constructor. Thus the generic 4.1385 + theorem @{thm type_definition.Rep} is turned into the specific \<open>Rep_t\<close>, for 4.1386 + example. 4.1387 + 4.1388 + Theorems @{thm type_definition.Rep}, @{thm type_definition.Rep_inverse}, and 4.1389 + @{thm type_definition.Abs_inverse} provide the most basic characterization 4.1390 + as a corresponding injection/surjection pair (in both directions). The 4.1391 + derived rules @{thm type_definition.Rep_inject} and @{thm 4.1392 type_definition.Abs_inject} provide a more convenient version of 4.1393 - injectivity, suitable for automated proof tools (e.g.\ in 4.1394 - declarations involving @{attribute simp} or @{attribute iff}). 4.1395 - Furthermore, the rules @{thm type_definition.Rep_cases}~/ @{thm 4.1396 - type_definition.Rep_induct}, and @{thm type_definition.Abs_cases}~/ 4.1397 - @{thm type_definition.Abs_induct} provide alternative views on 4.1398 - surjectivity. These rules are already declared as set or type rules 4.1399 - for the generic @{method cases} and @{method induct} methods, 4.1400 + injectivity, suitable for automated proof tools (e.g.\ in declarations 4.1401 + involving @{attribute simp} or @{attribute iff}). Furthermore, the rules 4.1402 + @{thm type_definition.Rep_cases}~/ @{thm type_definition.Rep_induct}, and 4.1403 + @{thm type_definition.Abs_cases}~/ @{thm type_definition.Abs_induct} provide 4.1404 + alternative views on surjectivity. These rules are already declared as set 4.1405 + or type rules for the generic @{method cases} and @{method induct} methods, 4.1406 respectively. 4.1407 \<close> 4.1408 4.1409 4.1410 subsubsection \<open>Examples\<close> 4.1411 4.1412 -text \<open>The following trivial example pulls a three-element type into 4.1413 -existence within the formal logical environment of Isabelle/HOL.\<close> 4.1414 +text \<open> 4.1415 + The following trivial example pulls a three-element type into existence 4.1416 + within the formal logical environment of Isabelle/HOL.\<close> 4.1417 4.1418 (*<*)experiment begin(*>*) 4.1419 typedef three = "{(True, True), (True, False), (False, True)}" 4.1420 @@ -1210,37 +1170,38 @@ 4.1421 @@{command (HOL) functor} (@{syntax name} ':')? @{syntax term} 4.1422 \<close>} 4.1423 4.1424 - \<^descr> @{command (HOL) "functor"}~\<open>prefix: m\<close> allows to prove and 4.1425 - register properties about the functorial structure of type constructors. 4.1426 - These properties then can be used by other packages to deal with those 4.1427 - type constructors in certain type constructions. Characteristic theorems 4.1428 - are noted in the current local theory. By default, they are prefixed with 4.1429 - the base name of the type constructor, an explicit prefix can be given 4.1430 + \<^descr> @{command (HOL) "functor"}~\<open>prefix: m\<close> allows to prove and register 4.1431 + properties about the functorial structure of type constructors. These 4.1432 + properties then can be used by other packages to deal with those type 4.1433 + constructors in certain type constructions. Characteristic theorems are 4.1434 + noted in the current local theory. By default, they are prefixed with the 4.1435 + base name of the type constructor, an explicit prefix can be given 4.1436 alternatively. 4.1437 4.1438 - The given term \<open>m\<close> is considered as \<^emph>\<open>mapper\<close> for the 4.1439 - corresponding type constructor and must conform to the following type 4.1440 - pattern: 4.1441 + The given term \<open>m\<close> is considered as \<^emph>\<open>mapper\<close> for the corresponding type 4.1442 + constructor and must conform to the following type pattern: 4.1443 4.1444 \begin{matharray}{lll} 4.1445 \<open>m\<close> & \<open>::\<close> & 4.1446 \<open>\<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>k \<Rightarrow> (\<^vec>\<alpha>\<^sub>n) t \<Rightarrow> (\<^vec>\<beta>\<^sub>n) t\<close> \\ 4.1447 \end{matharray} 4.1448 4.1449 - where \<open>t\<close> is the type constructor, \<open>\<^vec>\<alpha>\<^sub>n\<close> 4.1450 - and \<open>\<^vec>\<beta>\<^sub>n\<close> are distinct type variables free in the local 4.1451 - theory and \<open>\<sigma>\<^sub>1\<close>, \ldots, \<open>\<sigma>\<^sub>k\<close> is a subsequence of \<open>\<alpha>\<^sub>1 \<Rightarrow> \<beta>\<^sub>1\<close>, \<open>\<beta>\<^sub>1 \<Rightarrow> \<alpha>\<^sub>1\<close>, \ldots, \<open>\<alpha>\<^sub>n \<Rightarrow> \<beta>\<^sub>n\<close>, \<open>\<beta>\<^sub>n \<Rightarrow> \<alpha>\<^sub>n\<close>. 4.1452 + where \<open>t\<close> is the type constructor, \<open>\<^vec>\<alpha>\<^sub>n\<close> and \<open>\<^vec>\<beta>\<^sub>n\<close> are 4.1453 + distinct type variables free in the local theory and \<open>\<sigma>\<^sub>1\<close>, \ldots, \<open>\<sigma>\<^sub>k\<close> is 4.1454 + a subsequence of \<open>\<alpha>\<^sub>1 \<Rightarrow> \<beta>\<^sub>1\<close>, \<open>\<beta>\<^sub>1 \<Rightarrow> \<alpha>\<^sub>1\<close>, \ldots, \<open>\<alpha>\<^sub>n \<Rightarrow> \<beta>\<^sub>n\<close>, \<open>\<beta>\<^sub>n \<Rightarrow> \<alpha>\<^sub>n\<close>. 4.1455 \<close> 4.1456 4.1457 4.1458 section \<open>Quotient types with lifting and transfer\<close> 4.1459 4.1460 -text \<open>The quotient package defines a new quotient type given a raw type and 4.1461 - a partial equivalence relation (\secref{sec:quotient-type}). The package 4.1462 - also historically includes automation for transporting definitions and 4.1463 - theorems (\secref{sec:old-quotient}), but most of this automation was 4.1464 - superseded by the Lifting (\secref{sec:lifting}) and Transfer 4.1465 - (\secref{sec:transfer}) packages.\<close> 4.1466 +text \<open> 4.1467 + The quotient package defines a new quotient type given a raw type and a 4.1468 + partial equivalence relation (\secref{sec:quotient-type}). The package also 4.1469 + historically includes automation for transporting definitions and theorems 4.1470 + (\secref{sec:old-quotient}), but most of this automation was superseded by 4.1471 + the Lifting (\secref{sec:lifting}) and Transfer (\secref{sec:transfer}) 4.1472 + packages. 4.1473 +\<close> 4.1474 4.1475 4.1476 subsection \<open>Quotient type definition \label{sec:quotient-type}\<close> 4.1477 @@ -1262,21 +1223,23 @@ 4.1478 quot_parametric: @'parametric' @{syntax thm} 4.1479 \<close>} 4.1480 4.1481 - \<^descr> @{command (HOL) "quotient_type"} defines a new quotient type \<open>\<tau>\<close>. The injection from a quotient type to a raw type is called \<open>rep_\<tau>\<close>, its inverse \<open>abs_\<tau>\<close> unless explicit @{keyword (HOL) 4.1482 - "morphisms"} specification provides alternative names. @{command (HOL) 4.1483 - "quotient_type"} requires the user to prove that the relation is an 4.1484 - equivalence relation (predicate \<open>equivp\<close>), unless the user specifies 4.1485 - explicitly \<open>partial\<close> in which case the obligation is \<open>part_equivp\<close>. A quotient defined with \<open>partial\<close> is weaker in the 4.1486 - sense that less things can be proved automatically. 4.1487 + \<^descr> @{command (HOL) "quotient_type"} defines a new quotient type \<open>\<tau>\<close>. The 4.1488 + injection from a quotient type to a raw type is called \<open>rep_\<tau>\<close>, its inverse 4.1489 + \<open>abs_\<tau>\<close> unless explicit @{keyword (HOL) "morphisms"} specification provides 4.1490 + alternative names. @{command (HOL) "quotient_type"} requires the user to 4.1491 + prove that the relation is an equivalence relation (predicate \<open>equivp\<close>), 4.1492 + unless the user specifies explicitly \<open>partial\<close> in which case the obligation 4.1493 + is \<open>part_equivp\<close>. A quotient defined with \<open>partial\<close> is weaker in the sense 4.1494 + that less things can be proved automatically. 4.1495 4.1496 The command internally proves a Quotient theorem and sets up the Lifting 4.1497 - package by the command @{command (HOL) setup_lifting}. Thus the Lifting 4.1498 - and Transfer packages can be used also with quotient types defined by 4.1499 - @{command (HOL) "quotient_type"} without any extra set-up. The 4.1500 - parametricity theorem for the equivalence relation R can be provided as an 4.1501 - extra argument of the command and is passed to the corresponding internal 4.1502 - call of @{command (HOL) setup_lifting}. This theorem allows the Lifting 4.1503 - package to generate a stronger transfer rule for equality. 4.1504 + package by the command @{command (HOL) setup_lifting}. Thus the Lifting and 4.1505 + Transfer packages can be used also with quotient types defined by @{command 4.1506 + (HOL) "quotient_type"} without any extra set-up. The parametricity theorem 4.1507 + for the equivalence relation R can be provided as an extra argument of the 4.1508 + command and is passed to the corresponding internal call of @{command (HOL) 4.1509 + setup_lifting}. This theorem allows the Lifting package to generate a 4.1510 + stronger transfer rule for equality. 4.1511 \<close> 4.1512 4.1513 4.1514 @@ -1286,9 +1249,9 @@ 4.1515 The Lifting package allows users to lift terms of the raw type to the 4.1516 abstract type, which is a necessary step in building a library for an 4.1517 abstract type. Lifting defines a new constant by combining coercion 4.1518 - functions (@{term Abs} and @{term Rep}) with the raw term. It also proves 4.1519 - an appropriate transfer rule for the Transfer (\secref{sec:transfer}) 4.1520 - package and, if possible, an equation for the code generator. 4.1521 + functions (@{term Abs} and @{term Rep}) with the raw term. It also proves an 4.1522 + appropriate transfer rule for the Transfer (\secref{sec:transfer}) package 4.1523 + and, if possible, an equation for the code generator. 4.1524 4.1525 The Lifting package provides two main commands: @{command (HOL) 4.1526 "setup_lifting"} for initializing the package to work with a new type, and 4.1527 @@ -1330,12 +1293,12 @@ 4.1528 @{syntax thm} (@{syntax thm} @{syntax thm})? 4.1529 \<close>} 4.1530 4.1531 - \<^descr> @{command (HOL) "setup_lifting"} Sets up the Lifting package to work 4.1532 - with a user-defined type. The command supports two modes. 4.1533 - 4.1534 - \<^enum> The first one is a low-level mode when the user must provide as a 4.1535 - first argument of @{command (HOL) "setup_lifting"} a quotient theorem 4.1536 - @{term "Quotient R Abs Rep T"}. The package configures a transfer rule for 4.1537 + \<^descr> @{command (HOL) "setup_lifting"} Sets up the Lifting package to work with 4.1538 + a user-defined type. The command supports two modes. 4.1539 + 4.1540 + \<^enum> The first one is a low-level mode when the user must provide as a first 4.1541 + argument of @{command (HOL) "setup_lifting"} a quotient theorem @{term 4.1542 + "Quotient R Abs Rep T"}. The package configures a transfer rule for 4.1543 equality, a domain transfer rules and sets up the @{command_def (HOL) 4.1544 "lift_definition"} command to work with the abstract type. An optional 4.1545 theorem @{term "reflp R"}, which certifies that the equivalence relation R 4.1546 @@ -1344,8 +1307,8 @@ 4.1547 for @{term R} can be provided as a third argument. This allows the package 4.1548 to generate a stronger transfer rule for equality. 4.1549 4.1550 - Users generally will not prove the \<open>Quotient\<close> theorem manually for 4.1551 - new types, as special commands exist to automate the process. 4.1552 + Users generally will not prove the \<open>Quotient\<close> theorem manually for new 4.1553 + types, as special commands exist to automate the process. 4.1554 4.1555 \<^enum> When a new subtype is defined by @{command (HOL) typedef}, @{command 4.1556 (HOL) "lift_definition"} can be used in its second mode, where only the 4.1557 @@ -1355,166 +1318,162 @@ 4.1558 (HOL) setup_lifting} using its first mode. 4.1559 4.1560 For quotients, the command @{command (HOL) quotient_type} can be used. The 4.1561 - command defines a new quotient type and similarly to the previous case, 4.1562 - the corresponding Quotient theorem is proved and registered by @{command 4.1563 - (HOL) setup_lifting}. 4.1564 + command defines a new quotient type and similarly to the previous case, the 4.1565 + corresponding Quotient theorem is proved and registered by @{command (HOL) 4.1566 + setup_lifting}. 4.1567 4.1568 \<^medskip> 4.1569 - The command @{command (HOL) "setup_lifting"} also sets up the 4.1570 - code generator for the new type. Later on, when a new constant is defined 4.1571 - by @{command (HOL) "lift_definition"}, the Lifting package proves and 4.1572 - registers a code equation (if there is one) for the new constant. 4.1573 - 4.1574 - \<^descr> @{command (HOL) "lift_definition"} \<open>f :: \<tau>\<close> @{keyword (HOL) 4.1575 - "is"} \<open>t\<close> Defines a new function \<open>f\<close> with an abstract type 4.1576 - \<open>\<tau>\<close> in terms of a corresponding operation \<open>t\<close> on a 4.1577 - representation type. More formally, if \<open>t :: \<sigma>\<close>, then the command 4.1578 - builds a term \<open>F\<close> as a corresponding combination of abstraction 4.1579 - and representation functions such that \<open>F :: \<sigma> \<Rightarrow> \<tau>\<close> and defines 4.1580 - \<open>f \<equiv> F t\<close>. The term \<open>t\<close> does not have to be necessarily a 4.1581 - constant but it can be any term. 4.1582 - 4.1583 - The command opens a proof and the user must discharge a respectfulness 4.1584 - proof obligation. For a type copy, i.e.\ a typedef with \<open>UNIV\<close>, the 4.1585 - obligation is discharged automatically. The proof goal is presented in a 4.1586 - user-friendly, readable form. A respectfulness theorem in the standard 4.1587 - format \<open>f.rsp\<close> and a transfer rule \<open>f.transfer\<close> for the 4.1588 - Transfer package are generated by the package. 4.1589 - 4.1590 - The user can specify a parametricity theorems for \<open>t\<close> after the 4.1591 - keyword @{keyword "parametric"}, which allows the command to generate 4.1592 - parametric transfer rules for \<open>f\<close>. 4.1593 + The command @{command (HOL) "setup_lifting"} also sets up the code generator 4.1594 + for the new type. Later on, when a new constant is defined by @{command 4.1595 + (HOL) "lift_definition"}, the Lifting package proves and registers a code 4.1596 + equation (if there is one) for the new constant. 4.1597 + 4.1598 + \<^descr> @{command (HOL) "lift_definition"} \<open>f :: \<tau>\<close> @{keyword (HOL) "is"} \<open>t\<close> 4.1599 + Defines a new function \<open>f\<close> with an abstract type \<open>\<tau>\<close> in terms of a 4.1600 + corresponding operation \<open>t\<close> on a representation type. More formally, if \<open>t 4.1601 + :: \<sigma>\<close>, then the command builds a term \<open>F\<close> as a corresponding combination of 4.1602 + abstraction and representation functions such that \<open>F :: \<sigma> \<Rightarrow> \<tau>\<close> and defines 4.1603 + \<open>f \<equiv> F t\<close>. The term \<open>t\<close> does not have to be necessarily a constant but it 4.1604 + can be any term. 4.1605 + 4.1606 + The command opens a proof and the user must discharge a respectfulness proof 4.1607 + obligation. For a type copy, i.e.\ a typedef with \<open>UNIV\<close>, the obligation is 4.1608 + discharged automatically. The proof goal is presented in a user-friendly, 4.1609 + readable form. A respectfulness theorem in the standard format \<open>f.rsp\<close> and a 4.1610 + transfer rule \<open>f.transfer\<close> for the Transfer package are generated by the 4.1611 + package. 4.1612 + 4.1613 + The user can specify a parametricity theorems for \<open>t\<close> after the keyword 4.1614 + @{keyword "parametric"}, which allows the command to generate parametric 4.1615 + transfer rules for \<open>f\<close>. 4.1616 4.1617 For each constant defined through trivial quotients (type copies or 4.1618 - subtypes) \<open>f.rep_eq\<close> is generated. The equation is a code 4.1619 - certificate that defines \<open>f\<close> using the representation function. 4.1620 - 4.1621 - For each constant \<open>f.abs_eq\<close> is generated. The equation is 4.1622 - unconditional for total quotients. The equation defines \<open>f\<close> using 4.1623 - the abstraction function. 4.1624 + subtypes) \<open>f.rep_eq\<close> is generated. The equation is a code certificate that 4.1625 + defines \<open>f\<close> using the representation function. 4.1626 + 4.1627 + For each constant \<open>f.abs_eq\<close> is generated. The equation is unconditional for 4.1628 + total quotients. The equation defines \<open>f\<close> using the abstraction function. 4.1629 4.1630 \<^medskip> 4.1631 - Integration with [@{attribute code} abstract]: For subtypes 4.1632 - (e.g.\ corresponding to a datatype invariant, such as @{typ "'a dlist"}), 4.1633 - @{command (HOL) "lift_definition"} uses a code certificate theorem \<open>f.rep_eq\<close> as a code equation. Because of the limitation of the code 4.1634 - generator, \<open>f.rep_eq\<close> cannot be used as a code equation if the 4.1635 - subtype occurs inside the result type rather than at the top level (e.g.\ 4.1636 - function returning @{typ "'a dlist option"} vs. @{typ "'a dlist"}). 4.1637 + Integration with [@{attribute code} abstract]: For subtypes (e.g.\ 4.1638 + corresponding to a datatype invariant, such as @{typ "'a dlist"}), @{command 4.1639 + (HOL) "lift_definition"} uses a code certificate theorem \<open>f.rep_eq\<close> as a 4.1640 + code equation. Because of the limitation of the code generator, \<open>f.rep_eq\<close> 4.1641 + cannot be used as a code equation if the subtype occurs inside the result 4.1642 + type rather than at the top level (e.g.\ function returning @{typ "'a dlist 4.1643 + option"} vs. @{typ "'a dlist"}). 4.1644 4.1645 In this case, an extension of @{command (HOL) "lift_definition"} can be 4.1646 - invoked by specifying the flag \<open>code_dt\<close>. This extension enables 4.1647 - code execution through series of internal type and lifting definitions if 4.1648 - the return type \<open>\<tau>\<close> meets the following inductive conditions: 4.1649 + invoked by specifying the flag \<open>code_dt\<close>. This extension enables code 4.1650 + execution through series of internal type and lifting definitions if the 4.1651 + return type \<open>\<tau>\<close> meets the following inductive conditions: 4.1652 4.1653 \<^descr> \<open>\<tau>\<close> is a type variable 4.1654 4.1655 - \<^descr> \<open>\<tau> = \<tau>\<^sub>1 \<dots> \<tau>\<^sub>n \<kappa>\<close>, 4.1656 - where \<open>\<kappa>\<close> is an abstract type constructor and \<open>\<tau>\<^sub>1 \<dots> \<tau>\<^sub>n\<close> 4.1657 - do not contain abstract types (i.e.\ @{typ "int dlist"} is allowed whereas 4.1658 - @{typ "int dlist dlist"} not) 4.1659 - 4.1660 - \<^descr> \<open>\<tau> = \<tau>\<^sub>1 \<dots> \<tau>\<^sub>n \<kappa>\<close>, \<open>\<kappa>\<close> is a type constructor that 4.1661 - was defined as a (co)datatype whose constructor argument types do not 4.1662 - contain either non-free datatypes or the function type. 4.1663 + \<^descr> \<open>\<tau> = \<tau>\<^sub>1 \<dots> \<tau>\<^sub>n \<kappa>\<close>, where \<open>\<kappa>\<close> is an abstract type constructor and \<open>\<tau>\<^sub>1 \<dots> 4.1664 + \<tau>\<^sub>n\<close> do not contain abstract types (i.e.\ @{typ "int dlist"} is allowed 4.1665 + whereas @{typ "int dlist dlist"} not) 4.1666 + 4.1667 + \<^descr> \<open>\<tau> = \<tau>\<^sub>1 \<dots> \<tau>\<^sub>n \<kappa>\<close>, \<open>\<kappa>\<close> is a type constructor that was defined as a 4.1668 + (co)datatype whose constructor argument types do not contain either 4.1669 + non-free datatypes or the function type. 4.1670 4.1671 Integration with [@{attribute code} equation]: For total quotients, 4.1672 - @{command (HOL) "lift_definition"} uses \<open>f.abs_eq\<close> as a code 4.1673 - equation. 4.1674 - 4.1675 - \<^descr> @{command (HOL) lifting_forget} and @{command (HOL) lifting_update} 4.1676 - These two commands serve for storing and deleting the set-up of the 4.1677 - Lifting package and corresponding transfer rules defined by this package. 4.1678 - This is useful for hiding of type construction details of an abstract type 4.1679 - when the construction is finished but it still allows additions to this 4.1680 - construction when this is later necessary. 4.1681 - 4.1682 - Whenever the Lifting package is set up with a new abstract type \<open>\<tau>\<close> by @{command_def (HOL) "lift_definition"}, the package defines a new 4.1683 - bundle that is called \<open>\<tau>.lifting\<close>. This bundle already includes 4.1684 - set-up for the Lifting package. The new transfer rules introduced by 4.1685 - @{command (HOL) "lift_definition"} can be stored in the bundle by the 4.1686 - command @{command (HOL) "lifting_update"} \<open>\<tau>.lifting\<close>. 4.1687 - 4.1688 - The command @{command (HOL) "lifting_forget"} \<open>\<tau>.lifting\<close> deletes 4.1689 - set-up of the Lifting package for \<open>\<tau>\<close> and deletes all the transfer 4.1690 - rules that were introduced by @{command (HOL) "lift_definition"} using 4.1691 - \<open>\<tau>\<close> as an abstract type. 4.1692 + @{command (HOL) "lift_definition"} uses \<open>f.abs_eq\<close> as a code equation. 4.1693 + 4.1694 + \<^descr> @{command (HOL) lifting_forget} and @{command (HOL) lifting_update} These 4.1695 + two commands serve for storing and deleting the set-up of the Lifting 4.1696 + package and corresponding transfer rules defined by this package. This is 4.1697 + useful for hiding of type construction details of an abstract type when the 4.1698 + construction is finished but it still allows additions to this construction 4.1699 + when this is later necessary. 4.1700 + 4.1701 + Whenever the Lifting package is set up with a new abstract type \<open>\<tau>\<close> by 4.1702 + @{command_def (HOL) "lift_definition"}, the package defines a new bundle 4.1703 + that is called \<open>\<tau>.lifting\<close>. This bundle already includes set-up for the 4.1704 + Lifting package. The new transfer rules introduced by @{command (HOL) 4.1705 + "lift_definition"} can be stored in the bundle by the command @{command 4.1706 + (HOL) "lifting_update"} \<open>\<tau>.lifting\<close>. 4.1707 + 4.1708 + The command @{command (HOL) "lifting_forget"} \<open>\<tau>.lifting\<close> deletes set-up of 4.1709 + the Lifting package for \<open>\<tau>\<close> and deletes all the transfer rules that were 4.1710 + introduced by @{command (HOL) "lift_definition"} using \<open>\<tau>\<close> as an abstract 4.1711 + type. 4.1712 4.1713 The stored set-up in a bundle can be reintroduced by the Isar commands for 4.1714 including a bundle (@{command "include"}, @{keyword "includes"} and 4.1715 @{command "including"}). 4.1716 4.1717 - \<^descr> @{command (HOL) "print_quot_maps"} prints stored quotient map 4.1718 - theorems. 4.1719 + \<^descr> @{command (HOL) "print_quot_maps"} prints stored quotient map theorems. 4.1720 4.1721 \<^descr> @{command (HOL) "print_quotients"} prints stored quotient theorems. 4.1722 4.1723 - \<^descr> @{attribute (HOL) quot_map} registers a quotient map theorem, a 4.1724 - theorem showing how to ``lift'' quotients over type constructors. E.g.\ 4.1725 - @{term "Quotient R Abs Rep T \<Longrightarrow> Quotient (rel_set R) (image Abs) (image 4.1726 - Rep) (rel_set T)"}. For examples see @{file "~~/src/HOL/Lifting_Set.thy"} 4.1727 - or @{file "~~/src/HOL/Lifting.thy"}. This property is proved automatically 4.1728 - if the involved type is BNF without dead variables. 4.1729 - 4.1730 - \<^descr> @{attribute (HOL) relator_eq_onp} registers a theorem that shows 4.1731 - that a relator applied to an equality restricted by a predicate @{term P} 4.1732 - (i.e.\ @{term "eq_onp P"}) is equal to a predicator applied to the @{term 4.1733 - P}. The combinator @{const eq_onp} is used for internal encoding of proper 4.1734 - subtypes. Such theorems allows the package to hide \<open>eq_onp\<close> from a 4.1735 - user in a user-readable form of a respectfulness theorem. For examples see 4.1736 - @{file "~~/src/HOL/Lifting_Set.thy"} or @{file "~~/src/HOL/Lifting.thy"}. 4.1737 - This property is proved automatically if the involved type is BNF without 4.1738 - dead variables. 4.1739 + \<^descr> @{attribute (HOL) quot_map} registers a quotient map theorem, a theorem 4.1740 + showing how to ``lift'' quotients over type constructors. E.g.\ @{term 4.1741 + "Quotient R Abs Rep T \<Longrightarrow> Quotient (rel_set R) (image Abs) (image Rep) 4.1742 + (rel_set T)"}. For examples see @{file "~~/src/HOL/Lifting_Set.thy"} or 4.1743 + @{file "~~/src/HOL/Lifting.thy"}. This property is proved automatically if 4.1744 + the involved type is BNF without dead variables. 4.1745 + 4.1746 + \<^descr> @{attribute (HOL) relator_eq_onp} registers a theorem that shows that a 4.1747 + relator applied to an equality restricted by a predicate @{term P} (i.e.\ 4.1748 + @{term "eq_onp P"}) is equal to a predicator applied to the @{term P}. The 4.1749 + combinator @{const eq_onp} is used for internal encoding of proper subtypes. 4.1750 + Such theorems allows the package to hide \<open>eq_onp\<close> from a user in a 4.1751 + user-readable form of a respectfulness theorem. For examples see @{file 4.1752 + "~~/src/HOL/Lifting_Set.thy"} or @{file "~~/src/HOL/Lifting.thy"}. This 4.1753 + property is proved automatically if the involved type is BNF without dead 4.1754 + variables. 4.1755 4.1756 \<^descr> @{attribute (HOL) "relator_mono"} registers a property describing a 4.1757 monotonicity of a relator. E.g.\ @{prop "A \<le> B \<Longrightarrow> rel_set A \<le> rel_set B"}. 4.1758 This property is needed for proving a stronger transfer rule in 4.1759 - @{command_def (HOL) "lift_definition"} when a parametricity theorem for 4.1760 - the raw term is specified and also for the reflexivity prover. For 4.1761 - examples see @{file "~~/src/HOL/Lifting_Set.thy"} or @{file 4.1762 - "~~/src/HOL/Lifting.thy"}. This property is proved automatically if the 4.1763 - involved type is BNF without dead variables. 4.1764 + @{command_def (HOL) "lift_definition"} when a parametricity theorem for the 4.1765 + raw term is specified and also for the reflexivity prover. For examples see 4.1766 + @{file "~~/src/HOL/Lifting_Set.thy"} or @{file "~~/src/HOL/Lifting.thy"}. 4.1767 + This property is proved automatically if the involved type is BNF without 4.1768 + dead variables. 4.1769 4.1770 \<^descr> @{attribute (HOL) "relator_distr"} registers a property describing a 4.1771 - distributivity of the relation composition and a relator. E.g.\ \<open>rel_set R \<circ>\<circ> rel_set S = rel_set (R \<circ>\<circ> S)\<close>. This property is needed for 4.1772 - proving a stronger transfer rule in @{command_def (HOL) "lift_definition"} 4.1773 - when a parametricity theorem for the raw term is specified. When this 4.1774 - equality does not hold unconditionally (e.g.\ for the function type), the 4.1775 - user can specified each direction separately and also register multiple 4.1776 - theorems with different set of assumptions. This attribute can be used 4.1777 - only after the monotonicity property was already registered by @{attribute 4.1778 - (HOL) "relator_mono"}. For examples see @{file 4.1779 - "~~/src/HOL/Lifting_Set.thy"} or @{file "~~/src/HOL/Lifting.thy"}. This 4.1780 - property is proved automatically if the involved type is BNF without dead 4.1781 - variables. 4.1782 - 4.1783 - \<^descr> @{attribute (HOL) quot_del} deletes a corresponding Quotient theorem 4.1784 - from the Lifting infrastructure and thus de-register the corresponding 4.1785 - quotient. This effectively causes that @{command (HOL) lift_definition} 4.1786 - will not do any lifting for the corresponding type. This attribute is 4.1787 - rather used for low-level manipulation with set-up of the Lifting package 4.1788 - because @{command (HOL) lifting_forget} is preferred for normal usage. 4.1789 - 4.1790 - \<^descr> @{attribute (HOL) lifting_restore} \<open>Quotient_thm pcr_def 4.1791 - pcr_cr_eq_thm\<close> registers the Quotient theorem \<open>Quotient_thm\<close> in the 4.1792 - Lifting infrastructure and thus sets up lifting for an abstract type 4.1793 - \<open>\<tau>\<close> (that is defined by \<open>Quotient_thm\<close>). Optional theorems 4.1794 - \<open>pcr_def\<close> and \<open>pcr_cr_eq_thm\<close> can be specified to register the 4.1795 - parametrized correspondence relation for \<open>\<tau>\<close>. E.g.\ for @{typ "'a 4.1796 - dlist"}, \<open>pcr_def\<close> is \<open>pcr_dlist A \<equiv> list_all2 A \<circ>\<circ> 4.1797 - cr_dlist\<close> and \<open>pcr_cr_eq_thm\<close> is \<open>pcr_dlist (op =) = (op 4.1798 - =)\<close>. This attribute is rather used for low-level manipulation with set-up 4.1799 - of the Lifting package because using of the bundle \<open>\<tau>.lifting\<close> 4.1800 - together with the commands @{command (HOL) lifting_forget} and @{command 4.1801 - (HOL) lifting_update} is preferred for normal usage. 4.1802 - 4.1803 - \<^descr> Integration with the BNF package @{cite "isabelle-datatypes"}: As 4.1804 - already mentioned, the theorems that are registered by the following 4.1805 - attributes are proved and registered automatically if the involved type is 4.1806 - BNF without dead variables: @{attribute (HOL) quot_map}, @{attribute (HOL) 4.1807 - relator_eq_onp}, @{attribute (HOL) "relator_mono"}, @{attribute (HOL) 4.1808 - "relator_distr"}. Also the definition of a relator and predicator is 4.1809 - provided automatically. Moreover, if the BNF represents a datatype, 4.1810 - simplification rules for a predicator are again proved automatically. 4.1811 + distributivity of the relation composition and a relator. E.g.\ \<open>rel_set R 4.1812 + \<circ>\<circ> rel_set S = rel_set (R \<circ>\<circ> S)\<close>. This property is needed for proving a 4.1813 + stronger transfer rule in @{command_def (HOL) "lift_definition"} when a 4.1814 + parametricity theorem for the raw term is specified. When this equality does 4.1815 + not hold unconditionally (e.g.\ for the function type), the user can 4.1816 + specified each direction separately and also register multiple theorems with 4.1817 + different set of assumptions. This attribute can be used only after the 4.1818 + monotonicity property was already registered by @{attribute (HOL) 4.1819 + "relator_mono"}. For examples see @{file "~~/src/HOL/Lifting_Set.thy"} or 4.1820 + @{file "~~/src/HOL/Lifting.thy"}. This property is proved automatically if 4.1821 + the involved type is BNF without dead variables. 4.1822 + 4.1823 + \<^descr> @{attribute (HOL) quot_del} deletes a corresponding Quotient theorem from 4.1824 + the Lifting infrastructure and thus de-register the corresponding quotient. 4.1825 + This effectively causes that @{command (HOL) lift_definition} will not do 4.1826 + any lifting for the corresponding type. This attribute is rather used for 4.1827 + low-level manipulation with set-up of the Lifting package because @{command 4.1828 + (HOL) lifting_forget} is preferred for normal usage. 4.1829 + 4.1830 + \<^descr> @{attribute (HOL) lifting_restore} \<open>Quotient_thm pcr_def pcr_cr_eq_thm\<close> 4.1831 + registers the Quotient theorem \<open>Quotient_thm\<close> in the Lifting infrastructure 4.1832 + and thus sets up lifting for an abstract type \<open>\<tau>\<close> (that is defined by 4.1833 + \<open>Quotient_thm\<close>). Optional theorems \<open>pcr_def\<close> and \<open>pcr_cr_eq_thm\<close> can be 4.1834 + specified to register the parametrized correspondence relation for \<open>\<tau>\<close>. 4.1835 + E.g.\ for @{typ "'a dlist"}, \<open>pcr_def\<close> is \<open>pcr_dlist A \<equiv> list_all2 A \<circ>\<circ> 4.1836 + cr_dlist\<close> and \<open>pcr_cr_eq_thm\<close> is \<open>pcr_dlist (op =) = (op =)\<close>. This attribute 4.1837 + is rather used for low-level manipulation with set-up of the Lifting package 4.1838 + because using of the bundle \<open>\<tau>.lifting\<close> together with the commands @{command 4.1839 + (HOL) lifting_forget} and @{command (HOL) lifting_update} is preferred for 4.1840 + normal usage. 4.1841 + 4.1842 + \<^descr> Integration with the BNF package @{cite "isabelle-datatypes"}: As already 4.1843 + mentioned, the theorems that are registered by the following attributes are 4.1844 + proved and registered automatically if the involved type is BNF without dead 4.1845 + variables: @{attribute (HOL) quot_map}, @{attribute (HOL) relator_eq_onp}, 4.1846 + @{attribute (HOL) "relator_mono"}, @{attribute (HOL) "relator_distr"}. Also 4.1847 + the definition of a relator and predicator is provided automatically. 4.1848 + Moreover, if the BNF represents a datatype, simplification rules for a 4.1849 + predicator are again proved automatically. 4.1850 \<close> 4.1851 4.1852 4.1853 @@ -1538,47 +1497,46 @@ 4.1854 @{attribute_def (HOL) "relator_domain"} & : & \<open>attribute\<close> \\ 4.1855 \end{matharray} 4.1856 4.1857 - \<^descr> @{method (HOL) "transfer"} method replaces the current subgoal with 4.1858 - a logically equivalent one that uses different types and constants. The 4.1859 + \<^descr> @{method (HOL) "transfer"} method replaces the current subgoal with a 4.1860 + logically equivalent one that uses different types and constants. The 4.1861 replacement of types and constants is guided by the database of transfer 4.1862 rules. Goals are generalized over all free variables by default; this is 4.1863 necessary for variables whose types change, but can be overridden for 4.1864 specific variables with e.g. \<open>transfer fixing: x y z\<close>. 4.1865 4.1866 - \<^descr> @{method (HOL) "transfer'"} is a variant of @{method (HOL) transfer} 4.1867 - that allows replacing a subgoal with one that is logically stronger 4.1868 - (rather than equivalent). For example, a subgoal involving equality on a 4.1869 - quotient type could be replaced with a subgoal involving equality (instead 4.1870 - of the corresponding equivalence relation) on the underlying raw type. 4.1871 - 4.1872 - \<^descr> @{method (HOL) "transfer_prover"} method assists with proving a 4.1873 - transfer rule for a new constant, provided the constant is defined in 4.1874 - terms of other constants that already have transfer rules. It should be 4.1875 - applied after unfolding the constant definitions. 4.1876 + \<^descr> @{method (HOL) "transfer'"} is a variant of @{method (HOL) transfer} that 4.1877 + allows replacing a subgoal with one that is logically stronger (rather than 4.1878 + equivalent). For example, a subgoal involving equality on a quotient type 4.1879 + could be replaced with a subgoal involving equality (instead of the 4.1880 + corresponding equivalence relation) on the underlying raw type. 4.1881 + 4.1882 + \<^descr> @{method (HOL) "transfer_prover"} method assists with proving a transfer 4.1883 + rule for a new constant, provided the constant is defined in terms of other 4.1884 + constants that already have transfer rules. It should be applied after 4.1885 + unfolding the constant definitions. 4.1886 4.1887 \<^descr> @{method (HOL) "transfer_start"}, @{method (HOL) "transfer_step"}, 4.1888 - @{method (HOL) "transfer_end"}, @{method (HOL) "transfer_prover_start"} 4.1889 - and @{method (HOL) "transfer_prover_end"} methods are meant to be used 4.1890 - for debugging of @{method (HOL) "transfer"} and @{method (HOL) "transfer_prover"}, 4.1891 - which we can decompose as follows: 4.1892 - @{method (HOL) "transfer"} = (@{method (HOL) "transfer_start"}, 4.1893 - @{method (HOL) "transfer_step"}+, @{method (HOL) "transfer_end"}) and 4.1894 - @{method (HOL) "transfer_prover"} = (@{method (HOL) "transfer_prover_start"}, 4.1895 - @{method (HOL) "transfer_step"}+, @{method (HOL) "transfer_prover_end"}). 4.1896 - For usage examples see @{file "~~/src/HOL/ex/Transfer_Debug.thy"} 4.1897 - 4.1898 - \<^descr> @{attribute (HOL) "untransferred"} proves the same equivalent 4.1899 - theorem as @{method (HOL) "transfer"} internally does. 4.1900 - 4.1901 - \<^descr> @{attribute (HOL) Transfer.transferred} works in the opposite 4.1902 - direction than @{method (HOL) "transfer'"}. E.g.\ given the transfer 4.1903 - relation \<open>ZN x n \<equiv> (x = int n)\<close>, corresponding transfer rules and 4.1904 - the theorem \<open>\<forall>x::int \<in> {0..}. x < x + 1\<close>, the attribute would 4.1905 - prove \<open>\<forall>n::nat. n < n + 1\<close>. The attribute is still in experimental 4.1906 - phase of development. 4.1907 - 4.1908 - \<^descr> @{attribute (HOL) "transfer_rule"} attribute maintains a collection 4.1909 - of transfer rules, which relate constants at two different types. Typical 4.1910 + @{method (HOL) "transfer_end"}, @{method (HOL) "transfer_prover_start"} and 4.1911 + @{method (HOL) "transfer_prover_end"} methods are meant to be used for 4.1912 + debugging of @{method (HOL) "transfer"} and @{method (HOL) 4.1913 + "transfer_prover"}, which we can decompose as follows: @{method (HOL) 4.1914 + "transfer"} = (@{method (HOL) "transfer_start"}, @{method (HOL) 4.1915 + "transfer_step"}+, @{method (HOL) "transfer_end"}) and @{method (HOL) 4.1916 + "transfer_prover"} = (@{method (HOL) "transfer_prover_start"}, @{method 4.1917 + (HOL) "transfer_step"}+, @{method (HOL) "transfer_prover_end"}). For usage 4.1918 + examples see @{file "~~/src/HOL/ex/Transfer_Debug.thy"} 4.1919 + 4.1920 + \<^descr> @{attribute (HOL) "untransferred"} proves the same equivalent theorem as 4.1921 + @{method (HOL) "transfer"} internally does. 4.1922 + 4.1923 + \<^descr> @{attribute (HOL) Transfer.transferred} works in the opposite direction 4.1924 + than @{method (HOL) "transfer'"}. E.g.\ given the transfer relation \<open>ZN x n 4.1925 + \<equiv> (x = int n)\<close>, corresponding transfer rules and the theorem \<open>\<forall>x::int \<in> 4.1926 + {0..}. x < x + 1\<close>, the attribute would prove \<open>\<forall>n::nat. n < n + 1\<close>. The 4.1927 + attribute is still in experimental phase of development. 4.1928 + 4.1929 + \<^descr> @{attribute (HOL) "transfer_rule"} attribute maintains a collection of 4.1930 + transfer rules, which relate constants at two different types. Typical 4.1931 transfer rules may relate different type instances of the same polymorphic 4.1932 constant, or they may relate an operation on a raw type to a corresponding 4.1933 operation on an abstract type (quotient or subtype). For example: 4.1934 @@ -1592,17 +1550,17 @@ 4.1935 \<open>bi_unique A \<Longrightarrow> (list_all2 A ===> op =) distinct distinct\<close> \\ 4.1936 \<open>\<lbrakk>bi_unique A; bi_unique B\<rbrakk> \<Longrightarrow> bi_unique (rel_prod A B)\<close> 4.1937 4.1938 - Preservation of predicates on relations (\<open>bi_unique, bi_total, 4.1939 - right_unique, right_total, left_unique, left_total\<close>) with the respect to 4.1940 - a relator is proved automatically if the involved type is BNF @{cite 4.1941 + Preservation of predicates on relations (\<open>bi_unique, bi_total, right_unique, 4.1942 + right_total, left_unique, left_total\<close>) with the respect to a relator is 4.1943 + proved automatically if the involved type is BNF @{cite 4.1944 "isabelle-datatypes"} without dead variables. 4.1945 4.1946 - \<^descr> @{attribute (HOL) "transfer_domain_rule"} attribute maintains a 4.1947 - collection of rules, which specify a domain of a transfer relation by a 4.1948 - predicate. E.g.\ given the transfer relation \<open>ZN x n \<equiv> (x = int 4.1949 - n)\<close>, one can register the following transfer domain rule: \<open>Domainp 4.1950 - ZN = (\<lambda>x. x \<ge> 0)\<close>. The rules allow the package to produce more readable 4.1951 - transferred goals, e.g.\ when quantifiers are transferred. 4.1952 + \<^descr> @{attribute (HOL) "transfer_domain_rule"} attribute maintains a collection 4.1953 + of rules, which specify a domain of a transfer relation by a predicate. 4.1954 + E.g.\ given the transfer relation \<open>ZN x n \<equiv> (x = int n)\<close>, one can register 4.1955 + the following transfer domain rule: \<open>Domainp ZN = (\<lambda>x. x \<ge> 0)\<close>. The rules 4.1956 + allow the package to produce more readable transferred goals, e.g.\ when 4.1957 + quantifiers are transferred. 4.1958 4.1959 \<^descr> @{attribute (HOL) relator_eq} attribute collects identity laws for 4.1960 relators of various type constructors, e.g. @{term "rel_set (op =) = (op 4.1961 @@ -1660,8 +1618,8 @@ 4.1962 @@{method (HOL) lifting_setup} @{syntax thms}? 4.1963 \<close>} 4.1964 4.1965 - \<^descr> @{command (HOL) "quotient_definition"} defines a constant on the 4.1966 - quotient type. 4.1967 + \<^descr> @{command (HOL) "quotient_definition"} defines a constant on the quotient 4.1968 + type. 4.1969 4.1970 \<^descr> @{command (HOL) "print_quotmapsQ3"} prints quotient map functions. 4.1971 4.1972 @@ -1669,42 +1627,42 @@ 4.1973 4.1974 \<^descr> @{command (HOL) "print_quotconsts"} prints quotient constants. 4.1975 4.1976 - \<^descr> @{method (HOL) "lifting"} and @{method (HOL) "lifting_setup"} 4.1977 - methods match the current goal with the given raw theorem to be lifted 4.1978 - producing three new subgoals: regularization, injection and cleaning 4.1979 - subgoals. @{method (HOL) "lifting"} tries to apply the heuristics for 4.1980 - automatically solving these three subgoals and leaves only the subgoals 4.1981 - unsolved by the heuristics to the user as opposed to @{method (HOL) 4.1982 - "lifting_setup"} which leaves the three subgoals unsolved. 4.1983 - 4.1984 - \<^descr> @{method (HOL) "descending"} and @{method (HOL) "descending_setup"} 4.1985 - try to guess a raw statement that would lift to the current subgoal. Such 4.1986 - statement is assumed as a new subgoal and @{method (HOL) "descending"} 4.1987 - continues in the same way as @{method (HOL) "lifting"} does. @{method 4.1988 - (HOL) "descending"} tries to solve the arising regularization, injection 4.1989 - and cleaning subgoals with the analogous method @{method (HOL) 4.1990 - "descending_setup"} which leaves the four unsolved subgoals. 4.1991 - 4.1992 - \<^descr> @{method (HOL) "partiality_descending"} finds the regularized 4.1993 - theorem that would lift to the current subgoal, lifts it and leaves as a 4.1994 - subgoal. This method can be used with partial equivalence quotients where 4.1995 - the non regularized statements would not be true. @{method (HOL) 4.1996 + \<^descr> @{method (HOL) "lifting"} and @{method (HOL) "lifting_setup"} methods 4.1997 + match the current goal with the given raw theorem to be lifted producing 4.1998 + three new subgoals: regularization, injection and cleaning subgoals. 4.1999 + @{method (HOL) "lifting"} tries to apply the heuristics for automatically 4.2000 + solving these three subgoals and leaves only the subgoals unsolved by the 4.2001 + heuristics to the user as opposed to @{method (HOL) "lifting_setup"} which 4.2002 + leaves the three subgoals unsolved. 4.2003 + 4.2004 + \<^descr> @{method (HOL) "descending"} and @{method (HOL) "descending_setup"} try to 4.2005 + guess a raw statement that would lift to the current subgoal. Such statement 4.2006 + is assumed as a new subgoal and @{method (HOL) "descending"} continues in 4.2007 + the same way as @{method (HOL) "lifting"} does. @{method (HOL) "descending"} 4.2008 + tries to solve the arising regularization, injection and cleaning subgoals 4.2009 + with the analogous method @{method (HOL) "descending_setup"} which leaves 4.2010 + the four unsolved subgoals. 4.2011 + 4.2012 + \<^descr> @{method (HOL) "partiality_descending"} finds the regularized theorem that 4.2013 + would lift to the current subgoal, lifts it and leaves as a subgoal. This 4.2014 + method can be used with partial equivalence quotients where the non 4.2015 + regularized statements would not be true. @{method (HOL) 4.2016 "partiality_descending_setup"} leaves the injection and cleaning subgoals 4.2017 unchanged. 4.2018 4.2019 - \<^descr> @{method (HOL) "regularize"} applies the regularization heuristics 4.2020 - to the current subgoal. 4.2021 + \<^descr> @{method (HOL) "regularize"} applies the regularization heuristics to the 4.2022 + current subgoal. 4.2023 4.2024 \<^descr> @{method (HOL) "injection"} applies the injection heuristics to the 4.2025 current goal using the stored quotient respectfulness theorems. 4.2026 4.2027 - \<^descr> @{method (HOL) "cleaning"} applies the injection cleaning heuristics 4.2028 - to the current subgoal using the stored quotient preservation theorems. 4.2029 - 4.2030 - \<^descr> @{attribute (HOL) quot_lifted} attribute tries to automatically 4.2031 - transport the theorem to the quotient type. The attribute uses all the 4.2032 - defined quotients types and quotient constants often producing undesired 4.2033 - results or theorems that cannot be lifted. 4.2034 + \<^descr> @{method (HOL) "cleaning"} applies the injection cleaning heuristics to 4.2035 + the current subgoal using the stored quotient preservation theorems. 4.2036 + 4.2037 + \<^descr> @{attribute (HOL) quot_lifted} attribute tries to automatically transport 4.2038 + the theorem to the quotient type. The attribute uses all the defined 4.2039 + quotients types and quotient constants often producing undesired results or 4.2040 + theorems that cannot be lifted. 4.2041 4.2042 \<^descr> @{attribute (HOL) quot_respect} and @{attribute (HOL) quot_preserve} 4.2043 attributes declare a theorem as a respectfulness and preservation theorem 4.2044 @@ -1712,14 +1670,14 @@ 4.2045 @{method (HOL) "injection"} and @{method (HOL) "cleaning"} methods 4.2046 respectively. 4.2047 4.2048 - \<^descr> @{attribute (HOL) quot_thm} declares that a certain theorem is a 4.2049 - quotient extension theorem. Quotient extension theorems allow for 4.2050 - quotienting inside container types. Given a polymorphic type that serves 4.2051 - as a container, a map function defined for this container using @{command 4.2052 - (HOL) "functor"} and a relation map defined for for the container type, 4.2053 - the quotient extension theorem should be @{term "Quotient3 R Abs Rep \<Longrightarrow> 4.2054 - Quotient3 (rel_map R) (map Abs) (map Rep)"}. Quotient extension theorems 4.2055 - are stored in a database and are used all the steps of lifting theorems. 4.2056 + \<^descr> @{attribute (HOL) quot_thm} declares that a certain theorem is a quotient 4.2057 + extension theorem. Quotient extension theorems allow for quotienting inside 4.2058 + container types. Given a polymorphic type that serves as a container, a map 4.2059 + function defined for this container using @{command (HOL) "functor"} and a 4.2060 + relation map defined for for the container type, the quotient extension 4.2061 + theorem should be @{term "Quotient3 R Abs Rep \<Longrightarrow> Quotient3 (rel_map R) (map 4.2062 + Abs) (map Rep)"}. Quotient extension theorems are stored in a database and 4.2063 + are used all the steps of lifting theorems. 4.2064 \<close> 4.2065 4.2066 4.2067 @@ -1728,9 +1686,9 @@ 4.2068 section \<open>Proving propositions\<close> 4.2069 4.2070 text \<open> 4.2071 - In addition to the standard proof methods, a number of diagnosis 4.2072 - tools search for proofs and provide an Isar proof snippet on success. 4.2073 - These tools are available via the following commands. 4.2074 + In addition to the standard proof methods, a number of diagnosis tools 4.2075 + search for proofs and provide an Isar proof snippet on success. These tools 4.2076 + are available via the following commands. 4.2077 4.2078 \begin{matharray}{rcl} 4.2079 @{command_def (HOL) "solve_direct"}\<open>\<^sup>*\<close> & : & \<open>proof \<rightarrow>\<close> \\ 4.2080 @@ -1758,25 +1716,23 @@ 4.2081 facts: '(' ( ( ( ( 'add' | 'del' ) ':' ) ? @{syntax thms} ) + ) ? ')' 4.2082 \<close>} % FIXME check args "value" 4.2083 4.2084 - \<^descr> @{command (HOL) "solve_direct"} checks whether the current 4.2085 - subgoals can be solved directly by an existing theorem. Duplicate 4.2086 - lemmas can be detected in this way. 4.2087 - 4.2088 - \<^descr> @{command (HOL) "try0"} attempts to prove a subgoal 4.2089 - using a combination of standard proof methods (@{method auto}, 4.2090 - @{method simp}, @{method blast}, etc.). Additional facts supplied 4.2091 - via \<open>simp:\<close>, \<open>intro:\<close>, \<open>elim:\<close>, and \<open>dest:\<close> are passed to the appropriate proof methods. 4.2092 - 4.2093 - \<^descr> @{command (HOL) "try"} attempts to prove or disprove a subgoal 4.2094 - using a combination of provers and disprovers (@{command (HOL) 4.2095 - "solve_direct"}, @{command (HOL) "quickcheck"}, @{command (HOL) 4.2096 - "try0"}, @{command (HOL) "sledgehammer"}, @{command (HOL) 4.2097 - "nitpick"}). 4.2098 - 4.2099 - \<^descr> @{command (HOL) "sledgehammer"} attempts to prove a subgoal 4.2100 - using external automatic provers (resolution provers and SMT 4.2101 - solvers). See the Sledgehammer manual @{cite "isabelle-sledgehammer"} 4.2102 - for details. 4.2103 + \<^descr> @{command (HOL) "solve_direct"} checks whether the current subgoals can be 4.2104 + solved directly by an existing theorem. Duplicate lemmas can be detected in 4.2105 + this way. 4.2106 + 4.2107 + \<^descr> @{command (HOL) "try0"} attempts to prove a subgoal using a combination of 4.2108 + standard proof methods (@{method auto}, @{method simp}, @{method blast}, 4.2109 + etc.). Additional facts supplied via \<open>simp:\<close>, \<open>intro:\<close>, \<open>elim:\<close>, and \<open>dest:\<close> 4.2110 + are passed to the appropriate proof methods. 4.2111 + 4.2112 + \<^descr> @{command (HOL) "try"} attempts to prove or disprove a subgoal using a 4.2113 + combination of provers and disprovers (@{command (HOL) "solve_direct"}, 4.2114 + @{command (HOL) "quickcheck"}, @{command (HOL) "try0"}, @{command (HOL) 4.2115 + "sledgehammer"}, @{command (HOL) "nitpick"}). 4.2116 + 4.2117 + \<^descr> @{command (HOL) "sledgehammer"} attempts to prove a subgoal using external 4.2118 + automatic provers (resolution provers and SMT solvers). See the Sledgehammer 4.2119 + manual @{cite "isabelle-sledgehammer"} for details. 4.2120 4.2121 \<^descr> @{command (HOL) "sledgehammer_params"} changes @{command (HOL) 4.2122 "sledgehammer"} configuration options persistently. 4.2123 @@ -1786,9 +1742,9 @@ 4.2124 section \<open>Checking and refuting propositions\<close> 4.2125 4.2126 text \<open> 4.2127 - Identifying incorrect propositions usually involves evaluation of 4.2128 - particular assignments and systematic counterexample search. This 4.2129 - is supported by the following commands. 4.2130 + Identifying incorrect propositions usually involves evaluation of particular 4.2131 + assignments and systematic counterexample search. This is supported by the 4.2132 + following commands. 4.2133 4.2134 \begin{matharray}{rcl} 4.2135 @{command_def (HOL) "value"}\<open>\<^sup>*\<close> & : & \<open>context \<rightarrow>\<close> \\ 4.2136 @@ -1827,130 +1783,121 @@ 4.2137 args: ( @{syntax name} '=' value + ',' ) 4.2138 \<close>} % FIXME check "value" 4.2139 4.2140 - \<^descr> @{command (HOL) "value"}~\<open>t\<close> evaluates and prints a 4.2141 - term; optionally \<open>modes\<close> can be specified, which are appended 4.2142 - to the current print mode; see \secref{sec:print-modes}. 4.2143 - Evaluation is tried first using ML, falling 4.2144 - back to normalization by evaluation if this fails. 4.2145 - Alternatively a specific evaluator can be selected using square 4.2146 - brackets; typical evaluators use the current set of code equations 4.2147 - to normalize and include \<open>simp\<close> for fully symbolic evaluation 4.2148 - using the simplifier, \<open>nbe\<close> for \<^emph>\<open>normalization by 4.2149 + \<^descr> @{command (HOL) "value"}~\<open>t\<close> evaluates and prints a term; optionally 4.2150 + \<open>modes\<close> can be specified, which are appended to the current print mode; see 4.2151 + \secref{sec:print-modes}. Evaluation is tried first using ML, falling back 4.2152 + to normalization by evaluation if this fails. Alternatively a specific 4.2153 + evaluator can be selected using square brackets; typical evaluators use the 4.2154 + current set of code equations to normalize and include \<open>simp\<close> for fully 4.2155 + symbolic evaluation using the simplifier, \<open>nbe\<close> for \<^emph>\<open>normalization by 4.2156 evaluation\<close> and \<^emph>\<open>code\<close> for code generation in SML. 4.2157 4.2158 - \<^descr> @{command (HOL) "values"}~\<open>t\<close> enumerates a set 4.2159 - comprehension by evaluation and prints its values up to the given 4.2160 - number of solutions; optionally \<open>modes\<close> can be specified, 4.2161 - which are appended to the current print mode; see 4.2162 + \<^descr> @{command (HOL) "values"}~\<open>t\<close> enumerates a set comprehension by evaluation 4.2163 + and prints its values up to the given number of solutions; optionally 4.2164 + \<open>modes\<close> can be specified, which are appended to the current print mode; see 4.2165 \secref{sec:print-modes}. 4.2166 4.2167 - \<^descr> @{command (HOL) "quickcheck"} tests the current goal for 4.2168 - counterexamples using a series of assignments for its free 4.2169 - variables; by default the first subgoal is tested, an other can be 4.2170 - selected explicitly using an optional goal index. Assignments can 4.2171 - be chosen exhausting the search space up to a given size, or using a 4.2172 - fixed number of random assignments in the search space, or exploring 4.2173 - the search space symbolically using narrowing. By default, 4.2174 - quickcheck uses exhaustive testing. A number of configuration 4.2175 + \<^descr> @{command (HOL) "quickcheck"} tests the current goal for counterexamples 4.2176 + using a series of assignments for its free variables; by default the first 4.2177 + subgoal is tested, an other can be selected explicitly using an optional 4.2178 + goal index. Assignments can be chosen exhausting the search space up to a 4.2179 + given size, or using a fixed number of random assignments in the search 4.2180 + space, or exploring the search space symbolically using narrowing. By 4.2181 + default, quickcheck uses exhaustive testing. A number of configuration 4.2182 options are supported for @{command (HOL) "quickcheck"}, notably: 4.2183 4.2184 - \<^descr>[\<open>tester\<close>] specifies which testing approach to apply. 4.2185 - There are three testers, \<open>exhaustive\<close>, \<open>random\<close>, and 4.2186 - \<open>narrowing\<close>. An unknown configuration option is treated as 4.2187 - an argument to tester, making \<open>tester =\<close> optional. When 4.2188 - multiple testers are given, these are applied in parallel. If no 4.2189 - tester is specified, quickcheck uses the testers that are set 4.2190 - active, i.e.\ configurations @{attribute 4.2191 - quickcheck_exhaustive_active}, @{attribute 4.2192 - quickcheck_random_active}, @{attribute 4.2193 + \<^descr>[\<open>tester\<close>] specifies which testing approach to apply. There are three 4.2194 + testers, \<open>exhaustive\<close>, \<open>random\<close>, and \<open>narrowing\<close>. An unknown configuration 4.2195 + option is treated as an argument to tester, making \<open>tester =\<close> optional. 4.2196 + When multiple testers are given, these are applied in parallel. If no 4.2197 + tester is specified, quickcheck uses the testers that are set active, 4.2198 + i.e.\ configurations @{attribute quickcheck_exhaustive_active}, 4.2199 + @{attribute quickcheck_random_active}, @{attribute 4.2200 quickcheck_narrowing_active} are set to true. 4.2201 4.2202 - \<^descr>[\<open>size\<close>] specifies the maximum size of the search space 4.2203 - for assignment values. 4.2204 - 4.2205 - \<^descr>[\<open>genuine_only\<close>] sets quickcheck only to return genuine 4.2206 - counterexample, but not potentially spurious counterexamples due 4.2207 - to underspecified functions. 4.2208 - 4.2209 - \<^descr>[\<open>abort_potential\<close>] sets quickcheck to abort once it 4.2210 - found a potentially spurious counterexample and to not continue 4.2211 - to search for a further genuine counterexample. 4.2212 - For this option to be effective, the \<open>genuine_only\<close> option 4.2213 - must be set to false. 4.2214 - 4.2215 - \<^descr>[\<open>eval\<close>] takes a term or a list of terms and evaluates 4.2216 - these terms under the variable assignment found by quickcheck. 4.2217 - This option is currently only supported by the default 4.2218 - (exhaustive) tester. 4.2219 - 4.2220 - \<^descr>[\<open>iterations\<close>] sets how many sets of assignments are 4.2221 - generated for each particular size. 4.2222 - 4.2223 - \<^descr>[\<open>no_assms\<close>] specifies whether assumptions in 4.2224 - structured proofs should be ignored. 4.2225 - 4.2226 - \<^descr>[\<open>locale\<close>] specifies how to process conjectures in 4.2227 - a locale context, i.e.\ they can be interpreted or expanded. 4.2228 - The option is a whitespace-separated list of the two words 4.2229 - \<open>interpret\<close> and \<open>expand\<close>. The list determines the 4.2230 - order they are employed. The default setting is to first use 4.2231 - interpretations and then test the expanded conjecture. 4.2232 - The option is only provided as attribute declaration, but not 4.2233 - as parameter to the command. 4.2234 + \<^descr>[\<open>size\<close>] specifies the maximum size of the search space for assignment 4.2235 + values. 4.2236 + 4.2237 + \<^descr>[\<open>genuine_only\<close>] sets quickcheck only to return genuine counterexample, 4.2238 + but not potentially spurious counterexamples due to underspecified 4.2239 + functions. 4.2240 + 4.2241 + \<^descr>[\<open>abort_potential\<close>] sets quickcheck to abort once it found a potentially 4.2242 + spurious counterexample and to not continue to search for a further 4.2243 + genuine counterexample. For this option to be effective, the 4.2244 + \<open>genuine_only\<close> option must be set to false. 4.2245 + 4.2246 + \<^descr>[\<open>eval\<close>] takes a term or a list of terms and evaluates these terms under 4.2247 + the variable assignment found by quickcheck. This option is currently only 4.2248 + supported by the default (exhaustive) tester. 4.2249 + 4.2250 + \<^descr>[\<open>iterations\<close>] sets how many sets of assignments are generated for each 4.2251 + particular size. 4.2252 + 4.2253 + \<^descr>[\<open>no_assms\<close>] specifies whether assumptions in structured proofs should be 4.2254 + ignored. 4.2255 + 4.2256 + \<^descr>[\<open>locale\<close>] specifies how to process conjectures in a locale context, 4.2257 + i.e.\ they can be interpreted or expanded. The option is a 4.2258 + whitespace-separated list of the two words \<open>interpret\<close> and \<open>expand\<close>. The 4.2259 + list determines the order they are employed. The default setting is to 4.2260 + first use interpretations and then test the expanded conjecture. The 4.2261 + option is only provided as attribute declaration, but not as parameter to 4.2262 + the command. 4.2263 4.2264 \<^descr>[\<open>timeout\<close>] sets the time limit in seconds. 4.2265 4.2266 - \<^descr>[\<open>default_type\<close>] sets the type(s) generally used to 4.2267 - instantiate type variables. 4.2268 - 4.2269 - \<^descr>[\<open>report\<close>] if set quickcheck reports how many tests 4.2270 - fulfilled the preconditions. 4.2271 - 4.2272 - \<^descr>[\<open>use_subtype\<close>] if set quickcheck automatically lifts 4.2273 - conjectures to registered subtypes if possible, and tests the 4.2274 - lifted conjecture. 4.2275 - 4.2276 - \<^descr>[\<open>quiet\<close>] if set quickcheck does not output anything 4.2277 - while testing. 4.2278 - 4.2279 - \<^descr>[\<open>verbose\<close>] if set quickcheck informs about the current 4.2280 - size and cardinality while testing. 4.2281 - 4.2282 - \<^descr>[\<open>expect\<close>] can be used to check if the user's 4.2283 - expectation was met (\<open>no_expectation\<close>, \<open>no_counterexample\<close>, or \<open>counterexample\<close>). 4.2284 + \<^descr>[\<open>default_type\<close>] sets the type(s) generally used to instantiate type 4.2285 + variables. 4.2286 + 4.2287 + \<^descr>[\<open>report\<close>] if set quickcheck reports how many tests fulfilled the 4.2288 + preconditions. 4.2289 + 4.2290 + \<^descr>[\<open>use_subtype\<close>] if set quickcheck automatically lifts conjectures to 4.2291 + registered subtypes if possible, and tests the lifted conjecture. 4.2292 + 4.2293 + \<^descr>[\<open>quiet\<close>] if set quickcheck does not output anything while testing. 4.2294 + 4.2295 + \<^descr>[\<open>verbose\<close>] if set quickcheck informs about the current size and 4.2296 + cardinality while testing. 4.2297 + 4.2298 + \<^descr>[\<open>expect\<close>] can be used to check if the user's expectation was met 4.2299 + (\<open>no_expectation\<close>, \<open>no_counterexample\<close>, or \<open>counterexample\<close>). 4.2300 4.2301 These option can be given within square brackets. 4.2302 4.2303 Using the following type classes, the testers generate values and convert 4.2304 them back into Isabelle terms for displaying counterexamples. 4.2305 4.2306 - \<^descr>[\<open>exhaustive\<close>] The parameters of the type classes @{class exhaustive} 4.2307 - and @{class full_exhaustive} implement the testing. They take a 4.2308 - testing function as a parameter, which takes a value of type @{typ "'a"} 4.2309 - and optionally produces a counterexample, and a size parameter for the test values. 4.2310 - In @{class full_exhaustive}, the testing function parameter additionally 4.2311 - expects a lazy term reconstruction in the type @{typ Code_Evaluation.term} 4.2312 - of the tested value. 4.2313 + \<^descr>[\<open>exhaustive\<close>] The parameters of the type classes @{class exhaustive} and 4.2314 + @{class full_exhaustive} implement the testing. They take a testing 4.2315 + function as a parameter, which takes a value of type @{typ "'a"} and 4.2316 + optionally produces a counterexample, and a size parameter for the test 4.2317 + values. In @{class full_exhaustive}, the testing function parameter 4.2318 + additionally expects a lazy term reconstruction in the type @{typ 4.2319 + Code_Evaluation.term} of the tested value. 4.2320 4.2321 The canonical implementation for \<open>exhaustive\<close> testers calls the given 4.2322 - testing function on all values up to the given size and stops as soon 4.2323 - as a counterexample is found. 4.2324 - 4.2325 - \<^descr>[\<open>random\<close>] The operation @{const Quickcheck_Random.random} 4.2326 - of the type class @{class random} generates a pseudo-random 4.2327 - value of the given size and a lazy term reconstruction of the value 4.2328 - in the type @{typ Code_Evaluation.term}. A pseudo-randomness generator 4.2329 - is defined in theory @{theory Random}. 4.2330 - 4.2331 - \<^descr>[\<open>narrowing\<close>] implements Haskell's Lazy Smallcheck @{cite "runciman-naylor-lindblad"} 4.2332 - using the type classes @{class narrowing} and @{class partial_term_of}. 4.2333 - Variables in the current goal are initially represented as symbolic variables. 4.2334 - If the execution of the goal tries to evaluate one of them, the test engine 4.2335 - replaces it with refinements provided by @{const narrowing}. 4.2336 - Narrowing views every value as a sum-of-products which is expressed using the operations 4.2337 - @{const Quickcheck_Narrowing.cons} (embedding a value), 4.2338 - @{const Quickcheck_Narrowing.apply} (product) and @{const Quickcheck_Narrowing.sum} (sum). 4.2339 - The refinement should enable further evaluation of the goal. 4.2340 + testing function on all values up to the given size and stops as soon as a 4.2341 + counterexample is found. 4.2342 + 4.2343 + \<^descr>[\<open>random\<close>] The operation @{const Quickcheck_Random.random} of the type 4.2344 + class @{class random} generates a pseudo-random value of the given size 4.2345 + and a lazy term reconstruction of the value in the type @{typ 4.2346 + Code_Evaluation.term}. A pseudo-randomness generator is defined in theory 4.2347 + @{theory Random}. 4.2348 + 4.2349 + \<^descr>[\<open>narrowing\<close>] implements Haskell's Lazy Smallcheck @{cite 4.2350 + "runciman-naylor-lindblad"} using the type classes @{class narrowing} and 4.2351 + @{class partial_term_of}. Variables in the current goal are initially 4.2352 + represented as symbolic variables. If the execution of the goal tries to 4.2353 + evaluate one of them, the test engine replaces it with refinements 4.2354 + provided by @{const narrowing}. Narrowing views every value as a 4.2355 + sum-of-products which is expressed using the operations @{const 4.2356 + Quickcheck_Narrowing.cons} (embedding a value), @{const 4.2357 + Quickcheck_Narrowing.apply} (product) and @{const 4.2358 + Quickcheck_Narrowing.sum} (sum). The refinement should enable further 4.2359 + evaluation of the goal. 4.2360 4.2361 For example, @{const narrowing} for the list type @{typ "'a :: narrowing list"} 4.2362 can be recursively defined as 4.2363 @@ -1960,45 +1907,44 @@ 4.2364 (Quickcheck_Narrowing.cons (op #)) 4.2365 narrowing) 4.2366 narrowing)"}. 4.2367 - If a symbolic variable of type @{typ "_ list"} is evaluated, it is replaced by (i)~the empty 4.2368 - list @{term "[]"} and (ii)~by a non-empty list whose head and tail can then be recursively 4.2369 - refined if needed. 4.2370 - 4.2371 - To reconstruct counterexamples, the operation @{const partial_term_of} transforms 4.2372 - \<open>narrowing\<close>'s deep representation of terms to the type @{typ Code_Evaluation.term}. 4.2373 - The deep representation models symbolic variables as 4.2374 - @{const Quickcheck_Narrowing.Narrowing_variable}, which are normally converted to 4.2375 - @{const Code_Evaluation.Free}, and refined values as 4.2376 - @{term "Quickcheck_Narrowing.Narrowing_constructor i args"}, where @{term "i :: integer"} 4.2377 - denotes the index in the sum of refinements. In the above example for lists, 4.2378 - @{term "0"} corresponds to @{term "[]"} and @{term "1"} 4.2379 + If a symbolic variable of type @{typ "_ list"} is evaluated, it is 4.2380 + replaced by (i)~the empty list @{term "[]"} and (ii)~by a non-empty list 4.2381 + whose head and tail can then be recursively refined if needed. 4.2382 + 4.2383 + To reconstruct counterexamples, the operation @{const partial_term_of} 4.2384 + transforms \<open>narrowing\<close>'s deep representation of terms to the type @{typ 4.2385 + Code_Evaluation.term}. The deep representation models symbolic variables 4.2386 + as @{const Quickcheck_Narrowing.Narrowing_variable}, which are normally 4.2387 + converted to @{const Code_Evaluation.Free}, and refined values as @{term 4.2388 + "Quickcheck_Narrowing.Narrowing_constructor i args"}, where @{term "i :: 4.2389 + integer"} denotes the index in the sum of refinements. In the above 4.2390 + example for lists, @{term "0"} corresponds to @{term "[]"} and @{term "1"} 4.2391 to @{term "op #"}. 4.2392 4.2393 - The command @{command (HOL) "code_datatype"} sets up @{const partial_term_of} 4.2394 - such that the @{term "i"}-th refinement is interpreted as the @{term "i"}-th constructor, 4.2395 - but it does not ensures consistency with @{const narrowing}. 4.2396 - 4.2397 - \<^descr> @{command (HOL) "quickcheck_params"} changes @{command (HOL) 4.2398 - "quickcheck"} configuration options persistently. 4.2399 - 4.2400 - \<^descr> @{command (HOL) "quickcheck_generator"} creates random and 4.2401 - exhaustive value generators for a given type and operations. It 4.2402 - generates values by using the operations as if they were 4.2403 - constructors of that type. 4.2404 - 4.2405 - \<^descr> @{command (HOL) "nitpick"} tests the current goal for 4.2406 - counterexamples using a reduction to first-order relational 4.2407 - logic. See the Nitpick manual @{cite "isabelle-nitpick"} for details. 4.2408 - 4.2409 - \<^descr> @{command (HOL) "nitpick_params"} changes @{command (HOL) 4.2410 - "nitpick"} configuration options persistently. 4.2411 + The command @{command (HOL) "code_datatype"} sets up @{const 4.2412 + partial_term_of} such that the @{term "i"}-th refinement is interpreted as 4.2413 + the @{term "i"}-th constructor, but it does not ensures consistency with 4.2414 + @{const narrowing}. 4.2415 + 4.2416 + \<^descr> @{command (HOL) "quickcheck_params"} changes @{command (HOL) "quickcheck"} 4.2417 + configuration options persistently. 4.2418 + 4.2419 + \<^descr> @{command (HOL) "quickcheck_generator"} creates random and exhaustive 4.2420 + value generators for a given type and operations. It generates values by 4.2421 + using the operations as if they were constructors of that type. 4.2422 + 4.2423 + \<^descr> @{command (HOL) "nitpick"} tests the current goal for counterexamples 4.2424 + using a reduction to first-order relational logic. See the Nitpick manual 4.2425 + @{cite "isabelle-nitpick"} for details. 4.2426 + 4.2427 + \<^descr> @{command (HOL) "nitpick_params"} changes @{command (HOL) "nitpick"} 4.2428 + configuration options persistently. 4.2429 4.2430 \<^descr> @{command (HOL) "find_unused_assms"} finds potentially superfluous 4.2431 - assumptions in theorems using quickcheck. 4.2432 - It takes the theory name to be checked for superfluous assumptions as 4.2433 - optional argument. If not provided, it checks the current theory. 4.2434 - Options to the internal quickcheck invocations can be changed with 4.2435 - common configuration declarations. 4.2436 + assumptions in theorems using quickcheck. It takes the theory name to be 4.2437 + checked for superfluous assumptions as optional argument. If not provided, 4.2438 + it checks the current theory. Options to the internal quickcheck invocations 4.2439 + can be changed with common configuration declarations. 4.2440 \<close> 4.2441 4.2442 4.2443 @@ -2013,10 +1959,9 @@ 4.2444 @{attribute_def (HOL) coercion_args} & : & \<open>attribute\<close> \\ 4.2445 \end{matharray} 4.2446 4.2447 - Coercive subtyping allows the user to omit explicit type 4.2448 - conversions, also called \<^emph>\<open>coercions\<close>. Type inference will add 4.2449 - them as necessary when parsing a term. See 4.2450 - @{cite "traytel-berghofer-nipkow-2011"} for details. 4.2451 + Coercive subtyping allows the user to omit explicit type conversions, also 4.2452 + called \<^emph>\<open>coercions\<close>. Type inference will add them as necessary when parsing 4.2453 + a term. See @{cite "traytel-berghofer-nipkow-2011"} for details. 4.2454 4.2455 @{rail \<open> 4.2456 @@{attribute (HOL) coercion} (@{syntax term}) 4.2457 @@ -2028,48 +1973,44 @@ 4.2458 @@{attribute (HOL) coercion_args} (@{syntax const}) (('+' | '0' | '-')+) 4.2459 \<close>} 4.2460 4.2461 - \<^descr> @{attribute (HOL) "coercion"}~\<open>f\<close> registers a new 4.2462 - coercion function \<open>f :: \<sigma>\<^sub>1 \<Rightarrow> \<sigma>\<^sub>2\<close> where \<open>\<sigma>\<^sub>1\<close> and 4.2463 - \<open>\<sigma>\<^sub>2\<close> are type constructors without arguments. Coercions are 4.2464 - composed by the inference algorithm if needed. Note that the type 4.2465 - inference algorithm is complete only if the registered coercions 4.2466 - form a lattice. 4.2467 - 4.2468 - \<^descr> @{attribute (HOL) "coercion_delete"}~\<open>f\<close> deletes a 4.2469 - preceding declaration (using @{attribute (HOL) "coercion"}) of the 4.2470 - function \<open>f :: \<sigma>\<^sub>1 \<Rightarrow> \<sigma>\<^sub>2\<close> as a coercion. 4.2471 - 4.2472 - \<^descr> @{attribute (HOL) "coercion_map"}~\<open>map\<close> registers a 4.2473 - new map function to lift coercions through type constructors. The 4.2474 - function \<open>map\<close> must conform to the following type pattern 4.2475 + \<^descr> @{attribute (HOL) "coercion"}~\<open>f\<close> registers a new coercion function \<open>f :: 4.2476 + \<sigma>\<^sub>1 \<Rightarrow> \<sigma>\<^sub>2\<close> where \<open>\<sigma>\<^sub>1\<close> and \<open>\<sigma>\<^sub>2\<close> are type constructors without arguments. 4.2477 + Coercions are composed by the inference algorithm if needed. Note that the 4.2478 + type inference algorithm is complete only if the registered coercions form a 4.2479 + lattice. 4.2480 + 4.2481 + \<^descr> @{attribute (HOL) "coercion_delete"}~\<open>f\<close> deletes a preceding declaration 4.2482 + (using @{attribute (HOL) "coercion"}) of the function \<open>f :: \<sigma>\<^sub>1 \<Rightarrow> \<sigma>\<^sub>2\<close> as a 4.2483 + coercion. 4.2484 + 4.2485 + \<^descr> @{attribute (HOL) "coercion_map"}~\<open>map\<close> registers a new map function to 4.2486 + lift coercions through type constructors. The function \<open>map\<close> must conform to 4.2487 + the following type pattern 4.2488 4.2489 \begin{matharray}{lll} 4.2490 \<open>map\<close> & \<open>::\<close> & 4.2491 \<open>f\<^sub>1 \<Rightarrow> \<dots> \<Rightarrow> f\<^sub>n \<Rightarrow> (\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t \<Rightarrow> (\<beta>\<^sub>1, \<dots>, \<beta>\<^sub>n) t\<close> \\ 4.2492 \end{matharray} 4.2493 4.2494 - where \<open>t\<close> is a type constructor and \<open>f\<^sub>i\<close> is of type 4.2495 - \<open>\<alpha>\<^sub>i \<Rightarrow> \<beta>\<^sub>i\<close> or \<open>\<beta>\<^sub>i \<Rightarrow> \<alpha>\<^sub>i\<close>. Registering a map function 4.2496 - overwrites any existing map function for this particular type 4.2497 - constructor. 4.2498 - 4.2499 - \<^descr> @{attribute (HOL) "coercion_args"} can be used to disallow 4.2500 - coercions to be inserted in certain positions in a term. For example, 4.2501 - given the constant \<open>c :: \<sigma>\<^sub>1 \<Rightarrow> \<sigma>\<^sub>2 \<Rightarrow> \<sigma>\<^sub>3 \<Rightarrow> \<sigma>\<^sub>4\<close> and the list 4.2502 - of policies \<open>- + 0\<close> as arguments, coercions will not be 4.2503 - inserted in the first argument of \<open>c\<close> (policy \<open>-\<close>); 4.2504 - they may be inserted in the second argument (policy \<open>+\<close>) 4.2505 - even if the constant \<open>c\<close> itself is in a position where 4.2506 - coercions are disallowed; the third argument inherits the allowance 4.2507 - of coercsion insertion from the position of the constant \<open>c\<close> 4.2508 - (policy \<open>0\<close>). The standard usage of policies is the definition 4.2509 - of syntatic constructs (usually extralogical, i.e., processed and 4.2510 - stripped during type inference), that should not be destroyed by the 4.2511 - insertion of coercions (see, for example, the setup for the case syntax 4.2512 - in @{theory Ctr_Sugar}). 4.2513 - 4.2514 - \<^descr> @{attribute (HOL) "coercion_enabled"} enables the coercion 4.2515 - inference algorithm. 4.2516 + where \<open>t\<close> is a type constructor and \<open>f\<^sub>i\<close> is of type \<open>\<alpha>\<^sub>i \<Rightarrow> \<beta>\<^sub>i\<close> or \<open>\<beta>\<^sub>i \<Rightarrow> 4.2517 + \<alpha>\<^sub>i\<close>. Registering a map function overwrites any existing map function for 4.2518 + this particular type constructor. 4.2519 + 4.2520 + \<^descr> @{attribute (HOL) "coercion_args"} can be used to disallow coercions to be 4.2521 + inserted in certain positions in a term. For example, given the constant \<open>c 4.2522 + :: \<sigma>\<^sub>1 \<Rightarrow> \<sigma>\<^sub>2 \<Rightarrow> \<sigma>\<^sub>3 \<Rightarrow> \<sigma>\<^sub>4\<close> and the list of policies \<open>- + 0\<close> as arguments, 4.2523 + coercions will not be inserted in the first argument of \<open>c\<close> (policy \<open>-\<close>); 4.2524 + they may be inserted in the second argument (policy \<open>+\<close>) even if the 4.2525 + constant \<open>c\<close> itself is in a position where coercions are disallowed; the 4.2526 + third argument inherits the allowance of coercsion insertion from the 4.2527 + position of the constant \<open>c\<close> (policy \<open>0\<close>). The standard usage of policies is 4.2528 + the definition of syntatic constructs (usually extralogical, i.e., processed 4.2529 + and stripped during type inference), that should not be destroyed by the 4.2530 + insertion of coercions (see, for example, the setup for the case syntax in 4.2531 + @{theory Ctr_Sugar}). 4.2532 + 4.2533 + \<^descr> @{attribute (HOL) "coercion_enabled"} enables the coercion inference 4.2534 + algorithm. 4.2535 \<close> 4.2536 4.2537 4.2538 @@ -2082,19 +2023,19 @@ 4.2539 @{attribute_def (HOL) arith_split} & : & \<open>attribute\<close> \\ 4.2540 \end{matharray} 4.2541 4.2542 - \<^descr> @{method (HOL) arith} decides linear arithmetic problems (on 4.2543 - types \<open>nat\<close>, \<open>int\<close>, \<open>real\<close>). Any current facts 4.2544 - are inserted into the goal before running the procedure. 4.2545 - 4.2546 - \<^descr> @{attribute (HOL) arith} declares facts that are supplied to 4.2547 - the arithmetic provers implicitly. 4.2548 - 4.2549 - \<^descr> @{attribute (HOL) arith_split} attribute declares case split 4.2550 - rules to be expanded before @{method (HOL) arith} is invoked. 4.2551 - 4.2552 - 4.2553 - Note that a simpler (but faster) arithmetic prover is already 4.2554 - invoked by the Simplifier. 4.2555 + \<^descr> @{method (HOL) arith} decides linear arithmetic problems (on types \<open>nat\<close>, 4.2556 + \<open>int\<close>, \<open>real\<close>). Any current facts are inserted into the goal before running 4.2557 + the procedure. 4.2558 + 4.2559 + \<^descr> @{attribute (HOL) arith} declares facts that are supplied to the 4.2560 + arithmetic provers implicitly. 4.2561 + 4.2562 + \<^descr> @{attribute (HOL) arith_split} attribute declares case split rules to be 4.2563 + expanded before @{method (HOL) arith} is invoked. 4.2564 + 4.2565 + 4.2566 + Note that a simpler (but faster) arithmetic prover is already invoked by the 4.2567 + Simplifier. 4.2568 \<close> 4.2569 4.2570 4.2571 @@ -2109,19 +2050,18 @@ 4.2572 @@{method (HOL) iprover} (@{syntax rulemod} *) 4.2573 \<close>} 4.2574 4.2575 - \<^descr> @{method (HOL) iprover} performs intuitionistic proof search, 4.2576 - depending on specifically declared rules from the context, or given 4.2577 - as explicit arguments. Chained facts are inserted into the goal 4.2578 - before commencing proof search. 4.2579 - 4.2580 - Rules need to be classified as @{attribute (Pure) intro}, 4.2581 - @{attribute (Pure) elim}, or @{attribute (Pure) dest}; here the 4.2582 - ``\<open>!\<close>'' indicator refers to ``safe'' rules, which may be 4.2583 - applied aggressively (without considering back-tracking later). 4.2584 - Rules declared with ``\<open>?\<close>'' are ignored in proof search (the 4.2585 - single-step @{method (Pure) rule} method still observes these). An 4.2586 - explicit weight annotation may be given as well; otherwise the 4.2587 - number of rule premises will be taken into account here. 4.2588 + \<^descr> @{method (HOL) iprover} performs intuitionistic proof search, depending on 4.2589 + specifically declared rules from the context, or given as explicit 4.2590 + arguments. Chained facts are inserted into the goal before commencing proof 4.2591 + search. 4.2592 + 4.2593 + Rules need to be classified as @{attribute (Pure) intro}, @{attribute (Pure) 4.2594 + elim}, or @{attribute (Pure) dest}; here the ``\<open>!\<close>'' indicator refers to 4.2595 + ``safe'' rules, which may be applied aggressively (without considering 4.2596 + back-tracking later). Rules declared with ``\<open>?\<close>'' are ignored in proof 4.2597 + search (the single-step @{method (Pure) rule} method still observes these). 4.2598 + An explicit weight annotation may be given as well; otherwise the number of 4.2599 + rule premises will be taken into account here. 4.2600 \<close> 4.2601 4.2602 4.2603 @@ -2141,16 +2081,16 @@ 4.2604 @{syntax thms}? 4.2605 \<close>} 4.2606 4.2607 - \<^descr> @{method (HOL) meson} implements Loveland's model elimination 4.2608 - procedure @{cite "loveland-78"}. See @{file 4.2609 - "~~/src/HOL/ex/Meson_Test.thy"} for examples. 4.2610 + \<^descr> @{method (HOL) meson} implements Loveland's model elimination procedure 4.2611 + @{cite "loveland-78"}. See @{file "~~/src/HOL/ex/Meson_Test.thy"} for 4.2612 + examples. 4.2613 4.2614 \<^descr> @{method (HOL) metis} combines ordered resolution and ordered 4.2615 - paramodulation to find first-order (or mildly higher-order) proofs. 4.2616 - The first optional argument specifies a type encoding; see the 4.2617 - Sledgehammer manual @{cite "isabelle-sledgehammer"} for details. The 4.2618 - directory @{file "~~/src/HOL/Metis_Examples"} contains several small 4.2619 - theories developed to a large extent using @{method (HOL) metis}. 4.2620 + paramodulation to find first-order (or mildly higher-order) proofs. The 4.2621 + first optional argument specifies a type encoding; see the Sledgehammer 4.2622 + manual @{cite "isabelle-sledgehammer"} for details. The directory @{file 4.2623 + "~~/src/HOL/Metis_Examples"} contains several small theories developed to a 4.2624 + large extent using @{method (HOL) metis}. 4.2625 \<close> 4.2626 4.2627 4.2628 @@ -2170,23 +2110,21 @@ 4.2629 @@{attribute (HOL) algebra} (() | 'add' | 'del') 4.2630 \<close>} 4.2631 4.2632 - \<^descr> @{method (HOL) algebra} performs algebraic reasoning via 4.2633 - Gr\"obner bases, see also @{cite "Chaieb-Wenzel:2007"} and 4.2634 - @{cite \<open>\S3.2\<close> "Chaieb-thesis"}. The method handles deals with two main 4.2635 - classes of problems: 4.2636 + \<^descr> @{method (HOL) algebra} performs algebraic reasoning via Gr\"obner bases, 4.2637 + see also @{cite "Chaieb-Wenzel:2007"} and @{cite \<open>\S3.2\<close> "Chaieb-thesis"}. 4.2638 + The method handles deals with two main classes of problems: 4.2639 4.2640 \<^enum> Universal problems over multivariate polynomials in a 4.2641 (semi)-ring/field/idom; the capabilities of the method are augmented 4.2642 - according to properties of these structures. For this problem class 4.2643 - the method is only complete for algebraically closed fields, since 4.2644 - the underlying method is based on Hilbert's Nullstellensatz, where 4.2645 - the equivalence only holds for algebraically closed fields. 4.2646 - 4.2647 - The problems can contain equations \<open>p = 0\<close> or inequations 4.2648 - \<open>q \<noteq> 0\<close> anywhere within a universal problem statement. 4.2649 - 4.2650 - \<^enum> All-exists problems of the following restricted (but useful) 4.2651 - form: 4.2652 + according to properties of these structures. For this problem class the 4.2653 + method is only complete for algebraically closed fields, since the 4.2654 + underlying method is based on Hilbert's Nullstellensatz, where the 4.2655 + equivalence only holds for algebraically closed fields. 4.2656 + 4.2657 + The problems can contain equations \<open>p = 0\<close> or inequations \<open>q \<noteq> 0\<close> anywhere 4.2658 + within a universal problem statement. 4.2659 + 4.2660 + \<^enum> All-exists problems of the following restricted (but useful) form: 4.2661 4.2662 @{text [display] "\<forall>x\<^sub>1 \<dots> x\<^sub>n. 4.2663 e\<^sub>1(x\<^sub>1, \<dots>, x\<^sub>n) = 0 \<and> \<dots> \<and> e\<^sub>m(x\<^sub>1, \<dots>, x\<^sub>n) = 0 \<longrightarrow> 4.2664 @@ -2195,23 +2133,25 @@ 4.2665 \<dots> \<and> 4.2666 p\<^sub>t\<^sub>1(x\<^sub>1, \<dots>, x\<^sub>n) * y\<^sub>1 + \<dots> + p\<^sub>t\<^sub>k(x\<^sub>1, \<dots>, x\<^sub>n) * y\<^sub>k = 0)"} 4.2667 4.2668 - Here \<open>e\<^sub>1, \<dots>, e\<^sub>n\<close> and the \<open>p\<^sub>i\<^sub>j\<close> are multivariate 4.2669 - polynomials only in the variables mentioned as arguments. 4.2670 - 4.2671 - The proof method is preceded by a simplification step, which may be 4.2672 - modified by using the form \<open>(algebra add: ths\<^sub>1 del: ths\<^sub>2)\<close>. 4.2673 - This acts like declarations for the Simplifier 4.2674 - (\secref{sec:simplifier}) on a private simpset for this tool. 4.2675 - 4.2676 - \<^descr> @{attribute algebra} (as attribute) manages the default 4.2677 - collection of pre-simplification rules of the above proof method. 4.2678 + Here \<open>e\<^sub>1, \<dots>, e\<^sub>n\<close> and the \<open>p\<^sub>i\<^sub>j\<close> are multivariate polynomials only in 4.2679 + the variables mentioned as arguments. 4.2680 + 4.2681 + The proof method is preceded by a simplification step, which may be modified 4.2682 + by using the form \<open>(algebra add: ths\<^sub>1 del: ths\<^sub>2)\<close>. This acts like 4.2683 + declarations for the Simplifier (\secref{sec:simplifier}) on a private 4.2684 + simpset for this tool. 4.2685 + 4.2686 + \<^descr> @{attribute algebra} (as attribute) manages the default collection of 4.2687 + pre-simplification rules of the above proof method. 4.2688 \<close> 4.2689 4.2690 4.2691 subsubsection \<open>Example\<close> 4.2692 4.2693 -text \<open>The subsequent example is from geometry: collinearity is 4.2694 - invariant by rotation.\<close> 4.2695 +text \<open> 4.2696 + The subsequent example is from geometry: collinearity is invariant by 4.2697 + rotation. 4.2698 +\<close> 4.2699 4.2700 (*<*)experiment begin(*>*) 4.2701 type_synonym point = "int \<times> int" 4.2702 @@ -2243,19 +2183,19 @@ 4.2703 @@{method (HOL) coherent} @{syntax thms}? 4.2704 \<close>} 4.2705 4.2706 - \<^descr> @{method (HOL) coherent} solves problems of \<^emph>\<open>Coherent 4.2707 - Logic\<close> @{cite "Bezem-Coquand:2005"}, which covers applications in 4.2708 - confluence theory, lattice theory and projective geometry. See 4.2709 - @{file "~~/src/HOL/ex/Coherent.thy"} for some examples. 4.2710 + \<^descr> @{method (HOL) coherent} solves problems of \<^emph>\<open>Coherent Logic\<close> @{cite 4.2711 + "Bezem-Coquand:2005"}, which covers applications in confluence theory, 4.2712 + lattice theory and projective geometry. See @{file 4.2713 + "~~/src/HOL/ex/Coherent.thy"} for some examples. 4.2714 \<close> 4.2715 4.2716 4.2717 section \<open>Unstructured case analysis and induction \label{sec:hol-induct-tac}\<close> 4.2718 4.2719 text \<open> 4.2720 - The following tools of Isabelle/HOL support cases analysis and 4.2721 - induction in unstructured tactic scripts; see also 4.2722 - \secref{sec:cases-induct} for proper Isar versions of similar ideas. 4.2723 + The following tools of Isabelle/HOL support cases analysis and induction in 4.2724 + unstructured tactic scripts; see also \secref{sec:cases-induct} for proper 4.2725 + Isar versions of similar ideas. 4.2726 4.2727 \begin{matharray}{rcl} 4.2728 @{method_def (HOL) case_tac}\<open>\<^sup>*\<close> & : & \<open>method\<close> \\ 4.2729 @@ -2276,31 +2216,29 @@ 4.2730 rule: 'rule' ':' @{syntax thm} 4.2731 \<close>} 4.2732 4.2733 - \<^descr> @{method (HOL) case_tac} and @{method (HOL) induct_tac} admit 4.2734 - to reason about inductive types. Rules are selected according to 4.2735 - the declarations by the @{attribute cases} and @{attribute induct} 4.2736 - attributes, cf.\ \secref{sec:cases-induct}. The @{command (HOL) 4.2737 - datatype} package already takes care of this. 4.2738 + \<^descr> @{method (HOL) case_tac} and @{method (HOL) induct_tac} admit to reason 4.2739 + about inductive types. Rules are selected according to the declarations by 4.2740 + the @{attribute cases} and @{attribute induct} attributes, cf.\ 4.2741 + \secref{sec:cases-induct}. The @{command (HOL) datatype} package already 4.2742 + takes care of this. 4.2743 4.2744 These unstructured tactics feature both goal addressing and dynamic 4.2745 - instantiation. Note that named rule cases are \<^emph>\<open>not\<close> provided 4.2746 - as would be by the proper @{method cases} and @{method induct} proof 4.2747 - methods (see \secref{sec:cases-induct}). Unlike the @{method 4.2748 - induct} method, @{method induct_tac} does not handle structured rule 4.2749 - statements, only the compact object-logic conclusion of the subgoal 4.2750 - being addressed. 4.2751 - 4.2752 - \<^descr> @{method (HOL) ind_cases} and @{command (HOL) 4.2753 - "inductive_cases"} provide an interface to the internal @{ML_text 4.2754 - mk_cases} operation. Rules are simplified in an unrestricted 4.2755 - forward manner. 4.2756 - 4.2757 - While @{method (HOL) ind_cases} is a proof method to apply the 4.2758 - result immediately as elimination rules, @{command (HOL) 4.2759 - "inductive_cases"} provides case split theorems at the theory level 4.2760 - for later use. The @{keyword "for"} argument of the @{method (HOL) 4.2761 - ind_cases} method allows to specify a list of variables that should 4.2762 - be generalized before applying the resulting rule. 4.2763 + instantiation. Note that named rule cases are \<^emph>\<open>not\<close> provided as would be by 4.2764 + the proper @{method cases} and @{method induct} proof methods (see 4.2765 + \secref{sec:cases-induct}). Unlike the @{method induct} method, @{method 4.2766 + induct_tac} does not handle structured rule statements, only the compact 4.2767 + object-logic conclusion of the subgoal being addressed. 4.2768 + 4.2769 + \<^descr> @{method (HOL) ind_cases} and @{command (HOL) "inductive_cases"} provide 4.2770 + an interface to the internal @{ML_text mk_cases} operation. Rules are 4.2771 + simplified in an unrestricted forward manner. 4.2772 + 4.2773 + While @{method (HOL) ind_cases} is a proof method to apply the result 4.2774 + immediately as elimination rules, @{command (HOL) "inductive_cases"} 4.2775 + provides case split theorems at the theory level for later use. The 4.2776 + @{keyword "for"} argument of the @{method (HOL) ind_cases} method allows to 4.2777 + specify a list of variables that should be generalized before applying the 4.2778 + resulting rule. 4.2779 \<close> 4.2780 4.2781 4.2782 @@ -2315,9 +2253,9 @@ 4.2783 @@{attribute (HOL) split_format} ('(' 'complete' ')')? 4.2784 \<close>} 4.2785 4.2786 - \<^descr> @{attribute (HOL) split_format}\ \<open>(complete)\<close> causes 4.2787 - arguments in function applications to be represented canonically 4.2788 - according to their tuple type structure. 4.2789 + \<^descr> @{attribute (HOL) split_format}\ \<open>(complete)\<close> causes arguments in function 4.2790 + applications to be represented canonically according to their tuple type 4.2791 + structure. 4.2792 4.2793 Note that this operation tends to invent funny names for new local 4.2794 parameters introduced. 4.2795 @@ -2326,24 +2264,25 @@ 4.2796 4.2797 chapter \<open>Executable code\<close> 4.2798 4.2799 -text \<open>For validation purposes, it is often useful to \<^emph>\<open>execute\<close> 4.2800 - specifications. In principle, execution could be simulated by Isabelle's 4.2801 - inference kernel, i.e. by a combination of resolution and simplification. 4.2802 - Unfortunately, this approach is rather inefficient. A more efficient way 4.2803 - of executing specifications is to translate them into a functional 4.2804 - programming language such as ML. 4.2805 +text \<open> 4.2806 + For validation purposes, it is often useful to \<^emph>\<open>execute\<close> specifications. In 4.2807 + principle, execution could be simulated by Isabelle's inference kernel, i.e. 4.2808 + by a combination of resolution and simplification. Unfortunately, this 4.2809 + approach is rather inefficient. A more efficient way of executing 4.2810 + specifications is to translate them into a functional programming language 4.2811 + such as ML. 4.2812 4.2813 Isabelle provides a generic framework to support code generation from 4.2814 executable specifications. Isabelle/HOL instantiates these mechanisms in a 4.2815 way that is amenable to end-user applications. Code can be generated for 4.2816 - functional programs (including overloading using type classes) targeting 4.2817 - SML @{cite SML}, OCaml @{cite OCaml}, Haskell @{cite 4.2818 - "haskell-revised-report"} and Scala @{cite "scala-overview-tech-report"}. 4.2819 - Conceptually, code generation is split up in three steps: \<^emph>\<open>selection\<close> 4.2820 - of code theorems, \<^emph>\<open>translation\<close> into an abstract executable view and 4.2821 - \<^emph>\<open>serialization\<close> to a specific \<^emph>\<open>target language\<close>. Inductive 4.2822 - specifications can be executed using the predicate compiler which operates 4.2823 - within HOL. See @{cite "isabelle-codegen"} for an introduction. 4.2824 + functional programs (including overloading using type classes) targeting SML 4.2825 + @{cite SML}, OCaml @{cite OCaml}, Haskell @{cite "haskell-revised-report"} 4.2826 + and Scala @{cite "scala-overview-tech-report"}. Conceptually, code 4.2827 + generation is split up in three steps: \<^emph>\<open>selection\<close> of code theorems, 4.2828 + \<^emph>\<open>translation\<close> into an abstract executable view and \<^emph>\<open>serialization\<close> to a 4.2829 + specific \<^emph>\<open>target language\<close>. Inductive specifications can be executed using 4.2830 + the predicate compiler which operates within HOL. See @{cite 4.2831 + "isabelle-codegen"} for an introduction. 4.2832 4.2833 \begin{matharray}{rcl} 4.2834 @{command_def (HOL) "export_code"}\<open>\<^sup>*\<close> & : & \<open>context \<rightarrow>\<close> \\ 4.2835 @@ -2456,22 +2395,20 @@ 4.2836 instruction is given, only abstract code is generated internally. 4.2837 4.2838 Constants may be specified by giving them literally, referring to all 4.2839 - executable constants within a certain theory by giving \<open>name._\<close>, 4.2840 - or referring to \<^emph>\<open>all\<close> executable constants currently available by 4.2841 - giving \<open>_\<close>. 4.2842 + executable constants within a certain theory by giving \<open>name._\<close>, or 4.2843 + referring to \<^emph>\<open>all\<close> executable constants currently available by giving \<open>_\<close>. 4.2844 4.2845 By default, exported identifiers are minimized per module. This can be 4.2846 suppressed by prepending @{keyword "open"} before the list of constants. 4.2847 4.2848 - By default, for each involved theory one corresponding name space module 4.2849 - is generated. Alternatively, a module name may be specified after the 4.2850 - @{keyword "module_name"} keyword; then \<^emph>\<open>all\<close> code is placed in this 4.2851 - module. 4.2852 - 4.2853 - For \<^emph>\<open>SML\<close>, \<^emph>\<open>OCaml\<close> and \<^emph>\<open>Scala\<close> the file specification 4.2854 - refers to a single file; for \<^emph>\<open>Haskell\<close>, it refers to a whole 4.2855 - directory, where code is generated in multiple files reflecting the module 4.2856 - hierarchy. Omitting the file specification denotes standard output. 4.2857 + By default, for each involved theory one corresponding name space module is 4.2858 + generated. Alternatively, a module name may be specified after the @{keyword 4.2859 + "module_name"} keyword; then \<^emph>\<open>all\<close> code is placed in this module. 4.2860 + 4.2861 + For \<^emph>\<open>SML\<close>, \<^emph>\<open>OCaml\<close> and \<^emph>\<open>Scala\<close> the file specification refers to a single 4.2862 + file; for \<^emph>\<open>Haskell\<close>, it refers to a whole directory, where code is 4.2863 + generated in multiple files reflecting the module hierarchy. Omitting the 4.2864 + file specification denotes standard output. 4.2865 4.2866 Serializers take an optional list of arguments in parentheses. For 4.2867 \<^emph>\<open>Haskell\<close> a module name prefix may be given using the ``\<open>root:\<close>'' argument; 4.2868 @@ -2479,82 +2416,80 @@ 4.2869 appropriate datatype declaration. 4.2870 4.2871 \<^descr> @{attribute (HOL) code} declare code equations for code generation. 4.2872 - Variant \<open>code equation\<close> declares a conventional equation as code 4.2873 - equation. Variants \<open>code abstype\<close> and \<open>code abstract\<close> 4.2874 - declare abstract datatype certificates or code equations on abstract 4.2875 - datatype representations respectively. Vanilla \<open>code\<close> falls back 4.2876 - to \<open>code equation\<close> or \<open>code abstype\<close> depending on the 4.2877 - syntactic shape of the underlying equation. Variant \<open>code del\<close> 4.2878 - deselects a code equation for code generation. 4.2879 - 4.2880 - Variants \<open>code drop:\<close> and \<open>code abort:\<close> take a list of 4.2881 - constant as arguments and drop all code equations declared for them. In 4.2882 - the case of {text abort}, these constants then are are not required to 4.2883 - have a definition by means of code equations; if needed these are 4.2884 - implemented by program abort (exception) instead. 4.2885 + Variant \<open>code equation\<close> declares a conventional equation as code equation. 4.2886 + Variants \<open>code abstype\<close> and \<open>code abstract\<close> declare abstract datatype 4.2887 + certificates or code equations on abstract datatype representations 4.2888 + respectively. Vanilla \<open>code\<close> falls back to \<open>code equation\<close> or \<open>code abstype\<close> 4.2889 + depending on the syntactic shape of the underlying equation. Variant \<open>code 4.2890 + del\<close> deselects a code equation for code generation. 4.2891 + 4.2892 + Variants \<open>code drop:\<close> and \<open>code abort:\<close> take a list of constant as arguments 4.2893 + and drop all code equations declared for them. In the case of {text abort}, 4.2894 + these constants then are are not required to have a definition by means of 4.2895 + code equations; if needed these are implemented by program abort (exception) 4.2896 + instead. 4.2897 4.2898 Usually packages introducing code equations provide a reasonable default 4.2899 setup for selection. 4.2900 4.2901 - \<^descr> @{command (HOL) "code_datatype"} specifies a constructor set for a 4.2902 - logical type. 4.2903 - 4.2904 - \<^descr> @{command (HOL) "print_codesetup"} gives an overview on selected 4.2905 - code equations and code generator datatypes. 4.2906 - 4.2907 - \<^descr> @{attribute (HOL) code_unfold} declares (or with option ``\<open>del\<close>'' removes) theorems which during preprocessing are applied as 4.2908 - rewrite rules to any code equation or evaluation input. 4.2909 - 4.2910 - \<^descr> @{attribute (HOL) code_post} declares (or with option ``\<open>del\<close>'' removes) theorems which are applied as rewrite rules to any 4.2911 - result of an evaluation. 4.2912 - 4.2913 - \<^descr> @{attribute (HOL) code_abbrev} declares (or with option ``\<open>del\<close>'' removes) equations which are applied as rewrite rules to any 4.2914 - result of an evaluation and symmetrically during preprocessing to any code 4.2915 + \<^descr> @{command (HOL) "code_datatype"} specifies a constructor set for a logical 4.2916 + type. 4.2917 + 4.2918 + \<^descr> @{command (HOL) "print_codesetup"} gives an overview on selected code 4.2919 + equations and code generator datatypes. 4.2920 + 4.2921 + \<^descr> @{attribute (HOL) code_unfold} declares (or with option ``\<open>del\<close>'' removes) 4.2922 + theorems which during preprocessing are applied as rewrite rules to any code 4.2923 equation or evaluation input. 4.2924 4.2925 - \<^descr> @{command (HOL) "print_codeproc"} prints the setup of the code 4.2926 - generator preprocessor. 4.2927 - 4.2928 - \<^descr> @{command (HOL) "code_thms"} prints a list of theorems representing 4.2929 - the corresponding program containing all given constants after 4.2930 - preprocessing. 4.2931 + \<^descr> @{attribute (HOL) code_post} declares (or with option ``\<open>del\<close>'' removes) 4.2932 + theorems which are applied as rewrite rules to any result of an evaluation. 4.2933 + 4.2934 + \<^descr> @{attribute (HOL) code_abbrev} declares (or with option ``\<open>del\<close>'' removes) 4.2935 + equations which are applied as rewrite rules to any result of an evaluation 4.2936 + and symmetrically during preprocessing to any code equation or evaluation 4.2937 + input. 4.2938 + 4.2939 + \<^descr> @{command (HOL) "print_codeproc"} prints the setup of the code generator 4.2940 + preprocessor. 4.2941 + 4.2942 + \<^descr> @{command (HOL) "code_thms"} prints a list of theorems representing the 4.2943 + corresponding program containing all given constants after preprocessing. 4.2944 4.2945 \<^descr> @{command (HOL) "code_deps"} visualizes dependencies of theorems 4.2946 - representing the corresponding program containing all given constants 4.2947 - after preprocessing. 4.2948 - 4.2949 - \<^descr> @{command (HOL) "code_reserved"} declares a list of names as 4.2950 - reserved for a given target, preventing it to be shadowed by any generated 4.2951 - code. 4.2952 + representing the corresponding program containing all given constants after 4.2953 + preprocessing. 4.2954 + 4.2955 + \<^descr> @{command (HOL) "code_reserved"} declares a list of names as reserved for 4.2956 + a given target, preventing it to be shadowed by any generated code. 4.2957 4.2958 \<^descr> @{command (HOL) "code_printing"} associates a series of symbols 4.2959 (constants, type constructors, classes, class relations, instances, module 4.2960 - names) with target-specific serializations; omitting a serialization 4.2961 - deletes an existing serialization. 4.2962 - 4.2963 - \<^descr> @{command (HOL) "code_monad"} provides an auxiliary mechanism to 4.2964 - generate monadic code for Haskell. 4.2965 + names) with target-specific serializations; omitting a serialization deletes 4.2966 + an existing serialization. 4.2967 + 4.2968 + \<^descr> @{command (HOL) "code_monad"} provides an auxiliary mechanism to generate 4.2969 + monadic code for Haskell. 4.2970 4.2971 \<^descr> @{command (HOL) "code_identifier"} associates a a series of symbols 4.2972 (constants, type constructors, classes, class relations, instances, module 4.2973 names) with target-specific hints how these symbols shall be named. These 4.2974 hints gain precedence over names for symbols with no hints at all. 4.2975 - Conflicting hints are subject to name disambiguation. \<^emph>\<open>Warning:\<close> It 4.2976 - is at the discretion of the user to ensure that name prefixes of 4.2977 - identifiers in compound statements like type classes or datatypes are 4.2978 - still the same. 4.2979 - 4.2980 - \<^descr> @{command (HOL) "code_reflect"} without a ``\<open>file\<close>'' 4.2981 - argument compiles code into the system runtime environment and modifies 4.2982 - the code generator setup that future invocations of system runtime code 4.2983 - generation referring to one of the ``\<open>datatypes\<close>'' or ``\<open>functions\<close>'' entities use these precompiled entities. With a ``\<open>file\<close>'' argument, the corresponding code is generated into that 4.2984 - specified file without modifying the code generator setup. 4.2985 - 4.2986 - \<^descr> @{command (HOL) "code_pred"} creates code equations for a predicate 4.2987 - given a set of introduction rules. Optional mode annotations determine 4.2988 - which arguments are supposed to be input or output. If alternative 4.2989 - introduction rules are declared, one must prove a corresponding 4.2990 - elimination rule. 4.2991 + Conflicting hints are subject to name disambiguation. \<^emph>\<open>Warning:\<close> It is at 4.2992 + the discretion of the user to ensure that name prefixes of identifiers in 4.2993 + compound statements like type classes or datatypes are still the same. 4.2994 + 4.2995 + \<^descr> @{command (HOL) "code_reflect"} without a ``\<open>file\<close>'' argument compiles 4.2996 + code into the system runtime environment and modifies the code generator 4.2997 + setup that future invocations of system runtime code generation referring to 4.2998 + one of the ``\<open>datatypes\<close>'' or ``\<open>functions\<close>'' entities use these precompiled 4.2999 + entities. With a ``\<open>file\<close>'' argument, the corresponding code is generated 4.3000 + into that specified file without modifying the code generator setup. 4.3001 + 4.3002 + \<^descr> @{command (HOL) "code_pred"} creates code equations for a predicate given 4.3003 + a set of introduction rules. Optional mode annotations determine which 4.3004 + arguments are supposed to be input or output. If alternative introduction 4.3005 + rules are declared, one must prove a corresponding elimination rule. 4.3006 \<close> 4.3007 4.3008 end

5.1 --- a/src/Doc/Isar_Ref/Inner_Syntax.thy Wed Jul 20 20:24:21 2016 +0200 5.2 +++ b/src/Doc/Isar_Ref/Inner_Syntax.thy Wed Jul 20 21:26:11 2016 +0200 5.3 @@ -1,7 +1,7 @@ 5.4 (*:maxLineLen=78:*) 5.5 5.6 theory Inner_Syntax 5.7 -imports Base Main 5.8 + imports Main Base 5.9 begin 5.10 5.11 chapter \<open>Inner syntax --- the term language \label{ch:inner-syntax}\<close>

6.1 --- a/src/Doc/Isar_Ref/Outer_Syntax.thy Wed Jul 20 20:24:21 2016 +0200 6.2 +++ b/src/Doc/Isar_Ref/Outer_Syntax.thy Wed Jul 20 21:26:11 2016 +0200 6.3 @@ -1,7 +1,7 @@ 6.4 (*:maxLineLen=78:*) 6.5 6.6 theory Outer_Syntax 6.7 -imports Base Main 6.8 + imports Main Base 6.9 begin 6.10 6.11 chapter \<open>Outer syntax --- the theory language \label{ch:outer-syntax}\<close>

7.1 --- a/src/Doc/Isar_Ref/Preface.thy Wed Jul 20 20:24:21 2016 +0200 7.2 +++ b/src/Doc/Isar_Ref/Preface.thy Wed Jul 20 21:26:11 2016 +0200 7.3 @@ -1,7 +1,7 @@ 7.4 (*:maxLineLen=78:*) 7.5 7.6 theory Preface 7.7 -imports Base Main 7.8 + imports Main Base 7.9 begin 7.10 7.11 text \<open>

8.1 --- a/src/Doc/Isar_Ref/Proof.thy Wed Jul 20 20:24:21 2016 +0200 8.2 +++ b/src/Doc/Isar_Ref/Proof.thy Wed Jul 20 21:26:11 2016 +0200 8.3 @@ -1,7 +1,7 @@ 8.4 (*:maxLineLen=78:*) 8.5 8.6 theory Proof 8.7 -imports Base Main 8.8 + imports Main Base 8.9 begin 8.10 8.11 chapter \<open>Proofs \label{ch:proofs}\<close>

9.1 --- a/src/Doc/Isar_Ref/Proof_Script.thy Wed Jul 20 20:24:21 2016 +0200 9.2 +++ b/src/Doc/Isar_Ref/Proof_Script.thy Wed Jul 20 21:26:11 2016 +0200 9.3 @@ -1,7 +1,7 @@ 9.4 (*:maxLineLen=78:*) 9.5 9.6 theory Proof_Script 9.7 -imports Base Main 9.8 + imports Main Base 9.9 begin 9.10 9.11 chapter \<open>Proof scripts\<close>

10.1 --- a/src/Doc/Isar_Ref/Quick_Reference.thy Wed Jul 20 20:24:21 2016 +0200 10.2 +++ b/src/Doc/Isar_Ref/Quick_Reference.thy Wed Jul 20 21:26:11 2016 +0200 10.3 @@ -1,7 +1,7 @@ 10.4 (*:maxLineLen=78:*) 10.5 10.6 theory Quick_Reference 10.7 -imports Base Main 10.8 + imports Main Base 10.9 begin 10.10 10.11 chapter \<open>Isabelle/Isar quick reference \label{ap:refcard}\<close>

11.1 --- a/src/Doc/Isar_Ref/Spec.thy Wed Jul 20 20:24:21 2016 +0200 11.2 +++ b/src/Doc/Isar_Ref/Spec.thy Wed Jul 20 21:26:11 2016 +0200 11.3 @@ -1,7 +1,7 @@ 11.4 (*:maxLineLen=78:*) 11.5 11.6 theory Spec 11.7 -imports Base Main 11.8 + imports Main Base 11.9 begin 11.10 11.11 chapter \<open>Specifications\<close>

12.1 --- a/src/Doc/Isar_Ref/Symbols.thy Wed Jul 20 20:24:21 2016 +0200 12.2 +++ b/src/Doc/Isar_Ref/Symbols.thy Wed Jul 20 21:26:11 2016 +0200 12.3 @@ -1,7 +1,7 @@ 12.4 (*:maxLineLen=78:*) 12.5 12.6 theory Symbols 12.7 -imports Base Main 12.8 + imports Main Base 12.9 begin 12.10 12.11 chapter \<open>Predefined Isabelle symbols \label{app:symbols}\<close>

13.1 --- a/src/Doc/Isar_Ref/Synopsis.thy Wed Jul 20 20:24:21 2016 +0200 13.2 +++ b/src/Doc/Isar_Ref/Synopsis.thy Wed Jul 20 21:26:11 2016 +0200 13.3 @@ -1,7 +1,7 @@ 13.4 (*:maxLineLen=78:*) 13.5 13.6 theory Synopsis 13.7 -imports Base Main 13.8 + imports Main Base 13.9 begin 13.10 13.11 chapter \<open>Synopsis\<close>