isabelle: doc-src/TutorialI/Misc/AdvancedInd.thy@2d6b5e22e05d (annotated)

9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	1	(<)
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	2	theory AdvancedInd = Main:;
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	3	(>)
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	4
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	5	text{*\noindent
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	6	Now that we have learned about rules and logic, we take another look at the
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	7	finer points of induction. We consider two questions: what to do if the
10396 5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	8	proposition to be proved is not directly amenable to induction
5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	9	(\S\ref{sec:ind-var-in-prems}), and how to utilize (\S\ref{sec:complete-ind})
5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	10	and even derive (\S\ref{sec:derive-ind}) new induction schemas. We conclude
5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	11	with an extended example of induction (\S\ref{sec:CTL-revisited}).
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	12	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	13
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	14	subsection{Massaging the Proposition};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	15
10217 e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	16	text{*\label{sec:ind-var-in-prems}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	17	Often we have assumed that the theorem to be proved is already in a form
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	18	that is amenable to induction, but sometimes it isn't.
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	19	Here is an example.
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	20	Since @{term"hd"} and @{term"last"} return the first and last element of a
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	21	non-empty list, this lemma looks easy to prove:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	22	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	23
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	24	lemma "xs \<noteq> [] \<Longrightarrow> hd(rev xs) = last xs"
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	25	apply(induct_tac xs)
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	26
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	27	txt{*\noindent
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	28	But induction produces the warning
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	29	\begin{quote}\tt
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	30	Induction variable occurs also among premises!
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	31	\end{quote}
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	32	and leads to the base case
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	33	@{subgoals[display,indent=0,goals_limit=1]}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	34	Simplification reduces the base case to this:
9723 a977245dfc8a * empty log message * nipkow parents: 9689 diff changeset	35	\begin{isabelle}
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	36	\ 1.\ xs\ {\isasymnoteq}\ []\ {\isasymLongrightarrow}\ hd\ []\ =\ last\ []
9723 a977245dfc8a * empty log message * nipkow parents: 9689 diff changeset	37	\end{isabelle}
10242 028f54cd2cc9 * empty log message * nipkow parents: 10241 diff changeset	38	We cannot prove this equality because we do not know what @{term hd} and
028f54cd2cc9 * empty log message * nipkow parents: 10241 diff changeset	39	@{term last} return when applied to @{term"[]"}.
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	40
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	41	We should not have ignored the warning. Because the induction
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	42	formula is only the conclusion, induction does not affect the occurrence of @{term xs} in the premises.
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	43	Thus the case that should have been trivial
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	44	becomes unprovable. Fortunately, the solution is easy:\footnote{A similar
10242 028f54cd2cc9 * empty log message * nipkow parents: 10241 diff changeset	45	heuristic applies to rule inductions; see \S\ref{sec:rtc}.}
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	46	\begin{quote}
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	47	\emph{Pull all occurrences of the induction variable into the conclusion
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	48	using @{text"\<longrightarrow>"}.}
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	49	\end{quote}
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	50	Thus we should state the lemma as an ordinary
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	51	implication~(@{text"\<longrightarrow>"}), letting
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	52	\attrdx{rule_format} (\S\ref{sec:forward}) convert the
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	53	result to the usual @{text"\<Longrightarrow>"} form:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	54	*};
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	55	(<)oops;(>)
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	56	lemma hd_rev [rule_format]: "xs \<noteq> [] \<longrightarrow> hd(rev xs) = last xs";
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	57	(<)
10420 ef006735bee8 * empty log message * nipkow parents: 10396 diff changeset	58	apply(induct_tac xs);
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	59	(>)
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	60
10420 ef006735bee8 * empty log message * nipkow parents: 10396 diff changeset	61	txt{*\noindent
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	62	This time, induction leaves us with a trivial base case:
10420 ef006735bee8 * empty log message * nipkow parents: 10396 diff changeset	63	@{subgoals[display,indent=0,goals_limit=1]}
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	64	And @{text"auto"} completes the proof.
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	65
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	66	If there are multiple premises $A@1$, \dots, $A@n$ containing the
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	67	induction variable, you should turn the conclusion $C$ into
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	68	\[ A@1 \longrightarrow \cdots A@n \longrightarrow C. \]
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	69	Additionally, you may also have to universally quantify some other variables,
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	70	which can yield a fairly complex conclusion. However, @{text rule_format}
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	71	can remove any number of occurrences of @{text"\<forall>"} and
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	72	@{text"\<longrightarrow>"}.
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	73
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	74	\index{induction!on a term}%
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	75	A second reason why your proposition may not be amenable to induction is that
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	76	you want to induct on a complex term, rather than a variable. In
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	77	general, induction on a term~$t$ requires rephrasing the conclusion~$C$
10217 e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	78	as
11277 a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	79	\begin{equation}\label{eqn:ind-over-term}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	80	\forall y@1 \dots y@n.~ x = t \longrightarrow C.
11277 a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	81	\end{equation}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	82	where $y@1 \dots y@n$ are the free variables in $t$ and $x$ is a new variable.
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	83	Now you can perform
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	84	perform induction on~$x$. An example appears in
10217 e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	85	\S\ref{sec:complete-ind} below.
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	86
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	87	The very same problem may occur in connection with rule induction. Remember
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	88	that it requires a premise of the form $(x@1,\dots,x@k) \in R$, where $R$ is
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	89	some inductively defined set and the $x@i$ are variables. If instead we have
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	90	a premise $t \in R$, where $t$ is not just an $n$-tuple of variables, we
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	91	replace it with $(x@1,\dots,x@k) \in R$, and rephrase the conclusion $C$ as
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	92	\[ \forall y@1 \dots y@n.~ (x@1,\dots,x@k) = t \longrightarrow C. \]
10217 e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	93	For an example see \S\ref{sec:CTL-revisited} below.
10281 9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	94
9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	95	Of course, all premises that share free variables with $t$ need to be pulled into
9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	96	the conclusion as well, under the @{text"\<forall>"}, again using @{text"\<longrightarrow>"} as shown above.
11277 a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	97
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	98	Readers who are puzzled by the form of statement
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	99	(\ref{eqn:ind-over-term}) above should remember that the
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	100	transformation is only performed to permit induction. Once induction
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	101	has been applied, the statement can be transformed back into something quite
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	102	intuitive. For example, applying wellfounded induction on $x$ (w.r.t.\
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	103	$\prec$) to (\ref{eqn:ind-over-term}) and transforming the result a
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	104	little leads to the goal
11278 9710486b886b * empty log message * nipkow parents: 11277 diff changeset	105	\[ \bigwedge\overline{y}.\
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	106	\forall \overline{z}.\ t\,\overline{z} \prec t\,\overline{y}\ \longrightarrow\ C\,\overline{z}
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	107	\ \Longrightarrow\ C\,\overline{y} \]
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	108	where $\overline{y}$ stands for $y@1 \dots y@n$ and the dependence of $t$ and
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	109	$C$ on the free variables of $t$ has been made explicit.
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	110	Unfortunately, this induction schema cannot be expressed as a
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	111	single theorem because it depends on the number of free variables in $t$ ---
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	112	the notation $\overline{y}$ is merely an informal device.
11277 a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	113	*}
12492 a4dd02e744e0 * empty log message * nipkow parents: 11494 diff changeset	114	(<)by auto(>)
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	115
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	116	subsection{Beyond Structural and Recursion Induction};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	117
10217 e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	118	text{*\label{sec:complete-ind}
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	119	So far, inductive proofs were by structural induction for
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	120	primitive recursive functions and recursion induction for total recursive
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	121	functions. But sometimes structural induction is awkward and there is no
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	122	recursive function that could furnish a more appropriate
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	123	induction schema. In such cases a general-purpose induction schema can
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	124	be helpful. We show how to apply such induction schemas by an example.
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	125
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	126	Structural induction on @{typ"nat"} is
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	127	usually known as mathematical induction. There is also \textbf{complete}
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	128	\index{induction!complete}%
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	129	induction, where you prove $P(n)$ under the assumption that $P(m)$
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	130	holds for all $m<n$. In Isabelle, this is the theorem \tdx{nat_less_induct}:
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	131	@{thm[display]"nat_less_induct"[no_vars]}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	132	As an application, we prove a property of the following
11278 9710486b886b * empty log message * nipkow parents: 11277 diff changeset	133	function:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	134	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	135
10281 9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	136	consts f :: "nat \<Rightarrow> nat";
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	137	axioms f_ax: "f(f(n)) < f(Suc(n))";
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	138
11256 49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	139	text{*
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	140	\begin{warn}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	141	We discourage the use of axioms because of the danger of
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	142	inconsistencies. Axiom @{text f_ax} does
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	143	not introduce an inconsistency because, for example, the identity function
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	144	satisfies it. Axioms can be useful in exploratory developments, say when
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	145	you assume some well-known theorems so that you can quickly demonstrate some
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	146	point about methodology. If your example turns into a substantial proof
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	147	development, you should replace axioms by theorems.
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	148	\end{warn}\noindent
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	149	The axiom for @{term"f"} implies @{prop"n <= f n"}, which can
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	150	be proved by induction on \mbox{@{term"f n"}}. Following the recipe outlined
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	151	above, we have to phrase the proposition as follows to allow induction:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	152	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	153
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	154	lemma f_incr_lem: "\<forall>i. k = f i \<longrightarrow> i \<le> f i";
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	155
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	156	txt{*\noindent
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	157	To perform induction on @{term k} using @{thm[source]nat_less_induct}, we use
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	158	the same general induction method as for recursion induction (see
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	159	\S\ref{sec:recdef-induction}):
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	160	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	161
9923 fe13743ffc8b renamed "rulify" to "rulified"; wenzelm parents: 9834 diff changeset	162	apply(induct_tac k rule: nat_less_induct);
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	163
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	164	txt{*\noindent
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	165	We get the following proof state:
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	166	@{subgoals[display,indent=0,margin=65]}
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	167	After stripping the @{text"\<forall>i"}, the proof continues with a case
12699 deae80045527 * empty log message * nipkow parents: 12492 diff changeset	168	distinction on @{term"i"}. The case @{prop"i = (0::nat)"} is trivial and we focus on
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	169	the other case:
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	170	*}
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	171
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	172	apply(rule allI)
bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	173	apply(case_tac i)
bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	174	apply(simp)
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	175	txt{*
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	176	@{subgoals[display,indent=0]}
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	177	*}
bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	178	by(blast intro!: f_ax Suc_leI intro: le_less_trans)
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	179
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	180	text{*\noindent
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	181	If you find the last step puzzling, here are the two lemmas it employs:
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	182	\begin{isabelle}
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	183	@{thm Suc_leI[no_vars]}
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	184	\rulename{Suc_leI}\isanewline
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	185	@{thm le_less_trans[no_vars]}
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	186	\rulename{le_less_trans}
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	187	\end{isabelle}
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	188	%
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	189	The proof goes like this (writing @{term"j"} instead of @{typ"nat"}).
bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	190	Since @{prop"i = Suc j"} it suffices to show
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	191	\hbox{@{prop"j < f(Suc j)"}},
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	192	by @{thm[source]Suc_leI}\@. This is
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	193	proved as follows. From @{thm[source]f_ax} we have @{prop"f (f j) < f (Suc j)"}
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	194	(1) which implies @{prop"f j <= f (f j)"} by the induction hypothesis.
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	195	Using (1) once more we obtain @{prop"f j < f(Suc j)"} (2) by the transitivity
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	196	rule @{thm[source]le_less_trans}.
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	197	Using the induction hypothesis once more we obtain @{prop"j <= f j"}
bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	198	which, together with (2) yields @{prop"j < f (Suc j)"} (again by
bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	199	@{thm[source]le_less_trans}).
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	200
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	201	This last step shows both the power and the danger of automatic proofs. They
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	202	will usually not tell you how the proof goes, because it can be hard to
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	203	translate the internal proof into a human-readable format. Automatic
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	204	proofs are easy to write but hard to read and understand.
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	205
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	206	The desired result, @{prop"i <= f i"}, follows from @{thm[source]f_incr_lem}:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	207	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	208
9941 fe05af7ec816 renamed atts: rulify to rule_format, elimify to elim_format; wenzelm parents: 9933 diff changeset	209	lemmas f_incr = f_incr_lem[rule_format, OF refl];
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	210
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	211	text{*\noindent
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	212	The final @{thm[source]refl} gets rid of the premise @{text"?k = f ?i"}.
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	213	We could have included this derivation in the original statement of the lemma:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	214	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	215
9941 fe05af7ec816 renamed atts: rulify to rule_format, elimify to elim_format; wenzelm parents: 9933 diff changeset	216	lemma f_incr[rule_format, OF refl]: "\<forall>i. k = f i \<longrightarrow> i \<le> f i";
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	217	(<)oops;(>)
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	218
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	219	text{*
11256 49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	220	\begin{exercise}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	221	From the axiom and lemma for @{term"f"}, show that @{term"f"} is the
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	222	identity function.
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	223	\end{exercise}
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	224
11428 332347b9b942 tidying the index paulson parents: 11278 diff changeset	225	Method \methdx{induct_tac} can be applied with any rule $r$
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	226	whose conclusion is of the form ${?}P~?x@1 \dots ?x@n$, in which case the
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	227	format is
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	228	\begin{quote}
bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	229	\isacommand{apply}@{text"(induct_tac"} $y@1 \dots y@n$ @{text"rule:"} $r$@{text")"}
11428 332347b9b942 tidying the index paulson parents: 11278 diff changeset	230	\end{quote}
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	231	where $y@1, \dots, y@n$ are variables in the first subgoal.
11256 49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	232	The conclusion of $r$ can even be an (iterated) conjunction of formulae of
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	233	the above form in which case the application is
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	234	\begin{quote}
bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	235	\isacommand{apply}@{text"(induct_tac"} $y@1 \dots y@n$ @{text"and"} \dots\ @{text"and"} $z@1 \dots z@m$ @{text"rule:"} $r$@{text")"}
bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	236	\end{quote}
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	237
11256 49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	238	A further useful induction rule is @{thm[source]length_induct},
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	239	induction on the length of a list\indexbold{*length_induct}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	240	@{thm[display]length_induct[no_vars]}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	241	which is a special case of @{thm[source]measure_induct}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	242	@{thm[display]measure_induct[no_vars]}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	243	where @{term f} may be any function into type @{typ nat}.
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	244	*}
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	245
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	246	subsection{Derivation of New Induction Schemas};
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	247
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	248	text{*\label{sec:derive-ind}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	249	\index{induction!deriving new schemas}%
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	250	Induction schemas are ordinary theorems and you can derive new ones
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	251	whenever you wish. This section shows you how, using the example
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	252	of @{thm[source]nat_less_induct}. Assume we only have structural induction
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	253	available for @{typ"nat"} and want to derive complete induction. We
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	254	must generalize the statement as shown:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	255	*};
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	256
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	257	lemma induct_lem: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> \<forall>m<n. P m";
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	258	apply(induct_tac n);
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	259
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	260	txt{*\noindent
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	261	The base case is vacuously true. For the induction step (@{prop"m <
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	262	Suc n"}) we distinguish two cases: case @{prop"m < n"} is true by induction
9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	263	hypothesis and case @{prop"m = n"} follows from the assumption, again using
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	264	the induction hypothesis:
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	265	*};
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	266	apply(blast);
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	267	by(blast elim:less_SucE)
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	268
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	269	text{*\noindent
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	270	The elimination rule @{thm[source]less_SucE} expresses the case distinction:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	271	@{thm[display]"less_SucE"[no_vars]}
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	272
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	273	Now it is straightforward to derive the original version of
11256 49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	274	@{thm[source]nat_less_induct} by manipulating the conclusion of the above
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	275	lemma: instantiate @{term"n"} by @{term"Suc n"} and @{term"m"} by @{term"n"}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	276	and remove the trivial condition @{prop"n < Suc n"}. Fortunately, this
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	277	happens automatically when we add the lemma as a new premise to the
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	278	desired goal:
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	279	*};
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	280
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	281	theorem nat_less_induct: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> P n";
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	282	by(insert induct_lem, blast);
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	283
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	284	text{*
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	285	HOL already provides the mother of
10396 5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	286	all inductions, well-founded induction (see \S\ref{sec:Well-founded}). For
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	287	example theorem @{thm[source]nat_less_induct} is
10396 5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	288	a special case of @{thm[source]wf_induct} where @{term r} is @{text"<"} on
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	289	@{typ nat}. The details can be found in theory \isa{Wellfounded_Recursion}.
10654 458068404143 * empty log message * nipkow parents: 10420 diff changeset	290	*}
458068404143 * empty log message * nipkow parents: 10420 diff changeset	291	(<)end(>)

author	wenzelm
	Fri, 11 Jan 2002 14:44:24 +0100
changeset 12717	2d6b5e22e05d
parent 12699	deae80045527
child 12815	1f073030b97a
permissions	-rw-r--r--