theory Inductive_Predicate


imports Setup


begin


(*<*)

hide_const %invisible append

inductive %invisible append where

"append [] ys ys"

 "append xs ys zs \<Longrightarrow> append (x # xs) ys (x # zs)"

lemma %invisible append: "append xs ys zs = (xs @ ys = zs)"


by (induct xs arbitrary: ys zs) (auto elim: append.cases intro: append.intros)

(*>*)

section {* Inductive Predicates \label{sec:inductive} *}


text {*

The @{text "predicate compiler"} is an extension of the code generator

which turns inductive specifications into equational ones, from


which in turn executable code can be generated. The mechanisms of


this compiler are described in detail in


\cite{BerghoferBulwahnHaftmann:2009:TPHOL}.


Consider the simple predicate @{const append} given by these two


introduction rules:

*}

text %quote {*


@{thm append.intros(1)[of ys]} \\


@{thm append.intros(2)[of xs ys zs x]}


*}


text {*

\noindent To invoke the compiler, simply use @{command_def "code_pred"}:

*}


code_pred %quote append .


text {*


\noindent The @{command "code_pred"} command takes the name of the


inductive predicate and then you put a period to discharge a trivial


correctness proof. The compiler infers possible modes for the


predicate and produces the derived code equations. Modes annotate


which (parts of the) arguments are to be taken as input, and which


output. Modes are similar to types, but use the notation @{text "i"}


for input and @{text "o"} for output.


For @{term "append"}, the compiler can infer the following modes:


\begin{itemize}


\item @{text "i \<Rightarrow> i \<Rightarrow> i \<Rightarrow> bool"}


\item @{text "i \<Rightarrow> i \<Rightarrow> o \<Rightarrow> bool"}


\item @{text "o \<Rightarrow> o \<Rightarrow> i \<Rightarrow> bool"}


\end{itemize}


You can compute sets of predicates using @{command_def "values"}:


*}


values %quote "{zs. append [(1::nat),2,3] [4,5] zs}"


text {* \noindent outputs @{text "{[1, 2, 3, 4, 5]}"}, and *}


values %quote "{(xs, ys). append xs ys [(2::nat),3]}"


64 
text {* \noindent outputs @{text "{([], [2, 3]), ([2], [3]), ([2, 3], [])}"}. *}

text {*

\noindent If you are only interested in the first elements of the


set comprehension (with respect to a depthfirst search on the


introduction rules), you can pass an argument to @{command "values"}


to specify the number of elements you want:


*}

values %quote 1 "{(xs, ys). append xs ys [(1::nat), 2, 3, 4]}"


values %quote 3 "{(xs, ys). append xs ys [(1::nat), 2, 3, 4]}"


text {*

\noindent The @{command "values"} command can only compute set


comprehensions for which a mode has been inferred.


The code equations for a predicate are made available as theorems with


81 
the suffix @{text "equation"}, and can be inspected with:

*}

84 
thm %quote append.equation


86 
text {*


87 
\noindent More advanced options are described in the following subsections.


88 
*}


90 
subsection {* Alternative names for functions *}


text {*

By default, the functions generated from a predicate are named after


the predicate with the mode mangled into the name (e.g., @{text


"append_i_i_o"}). You can specify your own names as follows:

*}

98 
code_pred %quote (modes: i \<Rightarrow> i \<Rightarrow> o \<Rightarrow> bool as concat,


99 
o \<Rightarrow> o \<Rightarrow> i \<Rightarrow> bool as split,


100 
i \<Rightarrow> o \<Rightarrow> i \<Rightarrow> bool as suffix) append .

38441

102 
subsection {* Alternative introduction rules *}


text {*

38441

105 
Sometimes the introduction rules of an predicate are not executable


106 
because they contain nonexecutable constants or specific modes


107 
could not be inferred. It is also possible that the introduction


108 
rules yield a function that loops forever due to the execution in a


109 
depthfirst search manner. Therefore, you can declare alternative


110 
introduction rules for predicates with the attribute @{attribute


111 
"code_pred_intro"}. For example, the transitive closure is defined


112 
by:

113 
*}

115 
text %quote {*

38441

116 
@{thm tranclp.intros(1)[of r a b]} \\


117 
@{thm tranclp.intros(2)[of r a b c]}

*}

120 
text {*

38441

121 
\noindent These rules do not suit well for executing the transitive


122 
closure with the mode @{text "(i \<Rightarrow> o \<Rightarrow> bool) \<Rightarrow> i \<Rightarrow> o \<Rightarrow> bool"}, as


123 
the second rule will cause an infinite loop in the recursive call.


124 
This can be avoided using the following alternative rules which are


125 
declared to the predicate compiler by the attribute @{attribute


126 
"code_pred_intro"}:

37613

127 
*}

38441

129 
lemma %quote [code_pred_intro]:


130 
"r a b \<Longrightarrow> r\<^sup>+\<^sup>+ a b"


131 
"r a b \<Longrightarrow> r\<^sup>+\<^sup>+ b c \<Longrightarrow> r\<^sup>+\<^sup>+ a c"


132 
by auto

134 
text {*

\noindent After declaring all alternative rules for the transitive


closure, you invoke @{command "code_pred"} as usual. As you have


declared alternative rules for the predicate, you are urged to prove


that these introduction rules are complete, i.e., that you can


derive an elimination rule for the alternative rules:

37613

140 
*}

142 
code_pred %quote tranclp


143 
proof 


144 
case tranclp

145 
from this converse_tranclpE [OF this(1)] show thesis by metis

146 
qed

148 
text {*

\noindent Alternative rules can also be used for constants that have


not been defined inductively. For example, the lexicographic order


which is defined as:

*}

154 
text %quote {*


155 
@{thm [display] lexord_def[of "r"]}

*}

158 
text {*


159 
\noindent To make it executable, you can derive the following two


160 
rules and prove the elimination rule:


161 
*}


lemma %quote [code_pred_intro]:


164 
"append xs (a # v) ys \<Longrightarrow> lexord r (xs, ys)"


165 
(*<*)unfolding lexord_def Collect_def by (auto simp add: append)(*>*)


167 
lemma %quote [code_pred_intro]:


168 
"append u (a # v) xs \<Longrightarrow> append u (b # w) ys \<Longrightarrow> r (a, b)


169 
\<Longrightarrow> lexord r (xs, ys)"


170 
(*<*)unfolding lexord_def Collect_def append mem_def apply simp

171 
apply (rule disjI2) by auto(*>*)

173 
code_pred %quote lexord

174 
(*<*)proof 

175 
fix r xs ys


176 
assume lexord: "lexord r (xs, ys)"


177 
assume 1: "\<And> r' xs' ys' a v. r = r' \<Longrightarrow> (xs, ys) = (xs', ys') \<Longrightarrow> append xs' (a # v) ys' \<Longrightarrow> thesis"


178 
assume 2: "\<And> r' xs' ys' u a v b w. r = r' \<Longrightarrow> (xs, ys) = (xs', ys') \<Longrightarrow> append u (a # v) xs' \<Longrightarrow> append u (b # w) ys' \<Longrightarrow> r' (a, b) \<Longrightarrow> thesis"


179 
{


180 
assume "\<exists>a v. ys = xs @ a # v"


181 
from this 1 have thesis


182 
by (fastsimp simp add: append)


183 
} moreover


184 
{


185 
assume "\<exists>u a b v w. (a, b) \<in> r \<and> xs = u @ a # v \<and> ys = u @ b # w"


186 
from this 2 have thesis by (fastsimp simp add: append mem_def)


187 
} moreover


188 
note lexord


189 
ultimately show thesis


190 
unfolding lexord_def


191 
by (fastsimp simp add: Collect_def)

192 
qed(*>*)


195 
subsection {* Options for values *}


text {*

In the presence of higherorder predicates, multiple modes for some


predicate could be inferred that are not disambiguated by the


pattern of the set comprehension. To disambiguate the modes for the


arguments of a predicate, you can state the modes explicitly in the


@{command "values"} command. Consider the simple predicate @{term


"succ"}:

*}

206 
inductive %quote succ :: "nat \<Rightarrow> nat \<Rightarrow> bool" where

"succ 0 (Suc 0)"


208 
 "succ x y \<Longrightarrow> succ (Suc x) (Suc y)"


210 
code_pred %quote succ .

text {*

\noindent For this, the predicate compiler can infer modes @{text "o


\<Rightarrow> o \<Rightarrow> bool"}, @{text "i \<Rightarrow> o \<Rightarrow> bool"}, @{text "o \<Rightarrow> i \<Rightarrow> bool"} and


@{text "i \<Rightarrow> i \<Rightarrow> bool"}. The invocation of @{command "values"}


@{text "{n. tranclp succ 10 n}"} loops, as multiple modes for the


predicate @{text "succ"} are possible and here the first mode @{text


"o \<Rightarrow> o \<Rightarrow> bool"} is chosen. To choose another mode for the argument,


you can declare the mode for the argument between the @{command


"values"} and the number of elements.

*}

223 
values %quote [mode: i \<Rightarrow> o \<Rightarrow> bool] 1 "{n. tranclp succ 10 n}" (*FIMXE does not terminate for n\<ge>1*)


224 
values %quote [mode: o \<Rightarrow> i \<Rightarrow> bool] 1 "{n. tranclp succ n 10}"

227 
subsection {* Embedding into functional code within Isabelle/HOL *}


text {*

To embed the computation of an inductive predicate into functions


that are defined in Isabelle/HOL, you have a number of options:


233 
\begin{itemize}


234 


235 
\item You want to use the firstorder predicate with the mode


236 
where all arguments are input. Then you can use the predicate directly, e.g.


237 


238 
\begin{quote}


239 
@{text "valid_suffix ys zs = "} \\


240 
@{text "(if append [Suc 0, 2] ys zs then Some ys else None)"}


241 
\end{quote}


242 


243 
\item If you know that the execution returns only one value (it is


244 
deterministic), then you can use the combinator @{term


245 
"Predicate.the"}, e.g., a functional concatenation of lists is


246 
defined with


247 


248 
\begin{quote}


249 
@{term "functional_concat xs ys = Predicate.the (append_i_i_o xs ys)"}


250 
\end{quote}


251 


252 
Note that if the evaluation does not return a unique value, it


253 
raises a runtime error @{term "not_unique"}.


254 


255 
\end{itemize}

*}

259 
subsection {* Further Examples *}


261 
text {*


262 
Further examples for compiling inductive predicates can be found in


263 
the @{text "HOL/ex/Predicate_Compile_ex,thy"} theory file. There are


264 
also some examples in the Archive of Formal Proofs, notably in the


265 
@{text "POPLmarkdeBruijn"} and the @{text "FeatherweightJava"}


266 
sessions.

*}

269 
end
