isabelle: doc-src/TutorialI/Inductive/Star.thy@469f19c4bf97 (annotated)

10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	1	(<)theory Star = Main:(>)
b9fd52525b69 * empty log message * nipkow parents: diff changeset	2
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	3	section{The reflexive transitive closure}
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	4
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	5	text{*\label{sec:rtc}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	6	{\bf Say something about inductive relations as opposed to sets? Or has that
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	7	been said already? If not, explain induction!}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	8
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	9	A perfect example of an inductive definition is the reflexive transitive
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	10	closure of a relation. This concept was already introduced in
10396 5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	11	\S\ref{sec:Relations}, where the operator @{text"^*"} was
5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	12	defined as a least fixed point because
5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	13	inductive definitions were not yet available. But now they are:
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	14	*}
b9fd52525b69 * empty log message * nipkow parents: diff changeset	15
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	16	consts rtc :: "('a \<times> 'a)set \<Rightarrow> ('a \<times> 'a)set" ("_*" [1000] 999)
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	17	inductive "r*"
b9fd52525b69 * empty log message * nipkow parents: diff changeset	18	intros
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	19	rtc_refl[iff]: "(x,x) \<in> r*"
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	20	rtc_step: "\<lbrakk> (x,y) \<in> r; (y,z) \<in> r* \<rbrakk> \<Longrightarrow> (x,z) \<in> r*"
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	21
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	22	text{*\noindent
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	23	The function @{term rtc} is annotated with concrete syntax: instead of
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	24	@{text"rtc r"} we can read and write {term"r*"}. The actual definition
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	25	consists of two rules. Reflexivity is obvious and is immediately declared an
10363 6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	26	equivalence rule. Thus the automatic tools will apply it automatically. The
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	27	second rule, @{thm[source]rtc_step}, says that we can always add one more
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	28	@{term r}-step to the left. Although we could make @{thm[source]rtc_step} an
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	29	introduction rule, this is dangerous: the recursion slows down and may
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	30	even kill the automatic tactics.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	31
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	32	The above definition of the concept of reflexive transitive closure may
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	33	be sufficiently intuitive but it is certainly not the only possible one:
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	34	for a start, it does not even mention transitivity explicitly.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	35	The rest of this section is devoted to proving that it is equivalent to
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	36	the ``standard'' definition. We start with a simple lemma:
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	37	*}
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	38
b9fd52525b69 * empty log message * nipkow parents: diff changeset	39	lemma [intro]: "(x,y) : r \<Longrightarrow> (x,y) \<in> r*"
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	40	by(blast intro: rtc_step);
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	41
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	42	text{*\noindent
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	43	Although the lemma itself is an unremarkable consequence of the basic rules,
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	44	it has the advantage that it can be declared an introduction rule without the
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	45	danger of killing the automatic tactics because @{term"r*"} occurs only in
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	46	the conclusion and not in the premise. Thus some proofs that would otherwise
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	47	need @{thm[source]rtc_step} can now be found automatically. The proof also
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	48	shows that @{term blast} is quite able to handle @{thm[source]rtc_step}. But
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	49	some of the other automatic tactics are more sensitive, and even @{text
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	50	blast} can be lead astray in the presence of large numbers of rules.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	51
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	52	Let us now turn to transitivity. It should be a consequence of the definition.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	53	*}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	54
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	55	lemma rtc_trans:
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	56	"\<lbrakk> (x,y) \<in> r; (y,z) \<in> r \<rbrakk> \<Longrightarrow> (x,z) \<in> r*"
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	57
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	58	txt{*\noindent
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	59	The proof starts canonically by rule induction:
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	60	*}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	61
10363 6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	62	apply(erule rtc.induct)
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	63
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	64	txt{*\noindent
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	65	However, even the resulting base case is a problem
10363 6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	66	@{subgoals[display,indent=0,goals_limit=1]}
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	67	and maybe not what you had expected. We have to abandon this proof attempt.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	68	To understand what is going on,
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	69	let us look at the induction rule @{thm[source]rtc.induct}:
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	70	\[ \frac{(x,y) \in r^* \qquad \bigwedge x.~P~x~x \quad \dots}{P~x~y} \]
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	71	When applying this rule, $x$ becomes @{term x}, $y$ becomes
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	72	@{term y} and $P~x~y$ becomes @{prop"(x,z) : r*"}, thus
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	73	yielding the above subgoal. So what went wrong?
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	74
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	75	When looking at the instantiation of $P~x~y$ we see
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	76	that $P$ does not depend on its second parameter at
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	77	all. The reason is that in our original goal, of the pair @{term"(x,y)"} only
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	78	@{term x} appears also in the conclusion, but not @{term y}. Thus our
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	79	induction statement is too weak. Fortunately, it can easily be strengthened:
10363 6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	80	transfer the additional premise @{prop"(y,z):r"} into the conclusion:}
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	81	(<)oops(>)
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	82	lemma rtc_trans[rule_format]:
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	83	"(x,y) \<in> r* \<Longrightarrow> (y,z) \<in> r* \<longrightarrow> (x,z) \<in> r*"
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	84
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	85	txt{*\noindent
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	86	This is not an obscure trick but a generally applicable heuristic:
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	87	\begin{quote}\em
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	88	Whe proving a statement by rule induction on $(x@1,\dots,x@n) \in R$,
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	89	pull all other premises containing any of the $x@i$ into the conclusion
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	90	using $\longrightarrow$.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	91	\end{quote}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	92	A similar heuristic for other kinds of inductions is formulated in
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	93	\S\ref{sec:ind-var-in-prems}. The @{text rule_format} directive turns
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	94	@{text"\<longrightarrow>"} back into @{text"\<Longrightarrow>"}. Thus in the end we obtain the original
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	95	statement of our lemma.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	96	*}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	97
10363 6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	98	apply(erule rtc.induct)
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	99
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	100	txt{*\noindent
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	101	Now induction produces two subgoals which are both proved automatically:
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	102	@{subgoals[display,indent=0]}
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	103	*}
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	104
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	105	apply(blast);
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	106	apply(blast intro: rtc_step);
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	107	done
b9fd52525b69 * empty log message * nipkow parents: diff changeset	108
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	109	text{*
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	110	Let us now prove that @{term"r*"} is really the reflexive transitive closure
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	111	of @{term r}, i.e.\ the least reflexive and transitive
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	112	relation containing @{term r}. The latter is easily formalized
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	113	*}
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	114
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	115	consts rtc2 :: "('a \<times> 'a)set \<Rightarrow> ('a \<times> 'a)set"
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	116	inductive "rtc2 r"
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	117	intros
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	118	"(x,y) \<in> r \<Longrightarrow> (x,y) \<in> rtc2 r"
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	119	"(x,x) \<in> rtc2 r"
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	120	"\<lbrakk> (x,y) \<in> rtc2 r; (y,z) \<in> rtc2 r \<rbrakk> \<Longrightarrow> (x,z) \<in> rtc2 r"
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	121
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	122	text{*\noindent
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	123	and the equivalence of the two definitions is easily shown by the obvious rule
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	124	inductions:
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	125	*}
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	126
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	127	lemma "(x,y) \<in> rtc2 r \<Longrightarrow> (x,y) \<in> r*"
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	128	apply(erule rtc2.induct);
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	129	apply(blast);
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	130	apply(blast);
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	131	apply(blast intro: rtc_trans);
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	132	done
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	133
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	134	lemma "(x,y) \<in> r* \<Longrightarrow> (x,y) \<in> rtc2 r"
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	135	apply(erule rtc.induct);
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	136	apply(blast intro: rtc2.intros);
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	137	apply(blast intro: rtc2.intros);
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	138	done
b9fd52525b69 * empty log message * nipkow parents: diff changeset	139
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	140	text{*
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	141	So why did we start with the first definition? Because it is simpler. It
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	142	contains only two rules, and the single step rule is simpler than
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	143	transitivity. As a consequence, @{thm[source]rtc.induct} is simpler than
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	144	@{thm[source]rtc2.induct}. Since inductive proofs are hard enough, we should
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	145	certainly pick the simplest induction schema available for any concept.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	146	Hence @{term rtc} is the definition of choice.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	147
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	148	\begin{exercise}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	149	Show that the converse of @{thm[source]rtc_step} also holds:
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	150	@{prop[display]"[\| (x,y) : r; (y,z) : r \|] ==> (x,z) : r"}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	151	\end{exercise}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	152	*}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	153	(<)
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	154	lemma rtc_step2[rule_format]: "(x,y) : r* \<Longrightarrow> (y,z) : r --> (x,z) : r*"
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	155	apply(erule rtc.induct);
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	156	apply blast;
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	157	apply(blast intro:rtc_step)
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	158	done
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	159
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	160	end
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	161	(>)

author	nipkow
	Fri, 10 Nov 2000 15:05:09 +0100
changeset 10426	469f19c4bf97
parent 10396	5ab08609e6c8
child 10520	bb9dfcc87951
permissions	-rw-r--r--