|
13999
|
1 |
%
|
|
|
2 |
\begin{isabellebody}%
|
|
|
3 |
\def\isabellecontext{Induction}%
|
|
|
4 |
\isamarkupfalse%
|
|
|
5 |
%
|
|
|
6 |
\isamarkupsection{Case distinction and induction \label{sec:Induct}%
|
|
|
7 |
}
|
|
|
8 |
\isamarkuptrue%
|
|
|
9 |
%
|
|
|
10 |
\begin{isamarkuptext}%
|
|
|
11 |
Computer science applications abound with inductively defined
|
|
|
12 |
structures, which is why we treat them in more detail. HOL already
|
|
|
13 |
comes with a datatype of lists with the two constructors \isa{Nil}
|
|
|
14 |
and \isa{Cons}. \isa{Nil} is written \isa{{\isacharbrackleft}{\isacharbrackright}} and \isa{Cons\ x\ xs} is written \isa{x\ {\isacharhash}\ xs}.%
|
|
|
15 |
\end{isamarkuptext}%
|
|
|
16 |
\isamarkuptrue%
|
|
|
17 |
%
|
|
|
18 |
\isamarkupsubsection{Case distinction\label{sec:CaseDistinction}%
|
|
|
19 |
}
|
|
|
20 |
\isamarkuptrue%
|
|
|
21 |
%
|
|
|
22 |
\begin{isamarkuptext}%
|
|
|
23 |
We have already met the \isa{cases} method for performing
|
|
|
24 |
binary case splits. Here is another example:%
|
|
|
25 |
\end{isamarkuptext}%
|
|
|
26 |
\isamarkuptrue%
|
|
|
27 |
\isacommand{lemma}\ {\isachardoublequote}{\isasymnot}\ A\ {\isasymor}\ A{\isachardoublequote}\isanewline
|
|
|
28 |
\isamarkupfalse%
|
|
15909
|
29 |
\isamarkupfalse%
|
|
|
30 |
\isamarkupfalse%
|
|
|
31 |
\isamarkupfalse%
|
|
|
32 |
\isamarkupfalse%
|
|
13999
|
33 |
\isamarkupfalse%
|
|
15909
|
34 |
\isamarkupfalse%
|
|
13999
|
35 |
\isamarkupfalse%
|
|
15909
|
36 |
\isamarkupfalse%
|
|
|
37 |
\isamarkupfalse%
|
|
13999
|
38 |
%
|
|
|
39 |
\begin{isamarkuptext}%
|
|
|
40 |
\noindent The two cases must come in this order because \isa{cases} merely abbreviates \isa{{\isacharparenleft}rule\ case{\isacharunderscore}split{\isacharunderscore}thm{\isacharparenright}} where
|
|
|
41 |
\isa{case{\isacharunderscore}split{\isacharunderscore}thm} is \isa{{\isasymlbrakk}{\isacharquery}P\ {\isasymLongrightarrow}\ {\isacharquery}Q{\isacharsemicolon}\ {\isasymnot}\ {\isacharquery}P\ {\isasymLongrightarrow}\ {\isacharquery}Q{\isasymrbrakk}\ {\isasymLongrightarrow}\ {\isacharquery}Q}. If we reverse
|
|
|
42 |
the order of the two cases in the proof, the first case would prove
|
|
|
43 |
\isa{{\isasymnot}\ A\ {\isasymLongrightarrow}\ {\isasymnot}\ A\ {\isasymor}\ A} which would solve the first premise of
|
|
|
44 |
\isa{case{\isacharunderscore}split{\isacharunderscore}thm}, instantiating \isa{{\isacharquery}P} with \isa{{\isasymnot}\ A}, thus making the second premise \isa{{\isasymnot}\ {\isasymnot}\ A\ {\isasymLongrightarrow}\ {\isasymnot}\ A\ {\isasymor}\ A}.
|
|
|
45 |
Therefore the order of subgoals is not always completely arbitrary.
|
|
|
46 |
|
|
|
47 |
The above proof is appropriate if \isa{A} is textually small.
|
|
|
48 |
However, if \isa{A} is large, we do not want to repeat it. This can
|
|
|
49 |
be avoided by the following idiom%
|
|
|
50 |
\end{isamarkuptext}%
|
|
|
51 |
\isamarkuptrue%
|
|
|
52 |
\isacommand{lemma}\ {\isachardoublequote}{\isasymnot}\ A\ {\isasymor}\ A{\isachardoublequote}\isanewline
|
|
|
53 |
\isamarkupfalse%
|
|
15909
|
54 |
\isamarkupfalse%
|
|
|
55 |
\isamarkupfalse%
|
|
|
56 |
\isamarkupfalse%
|
|
|
57 |
\isamarkupfalse%
|
|
13999
|
58 |
\isamarkupfalse%
|
|
15909
|
59 |
\isamarkupfalse%
|
|
13999
|
60 |
\isamarkupfalse%
|
|
15909
|
61 |
\isamarkupfalse%
|
|
|
62 |
\isamarkupfalse%
|
|
13999
|
63 |
%
|
|
|
64 |
\begin{isamarkuptext}%
|
|
|
65 |
\noindent which is like the previous proof but instantiates
|
|
|
66 |
\isa{{\isacharquery}P} right away with \isa{A}. Thus we could prove the two
|
|
|
67 |
cases in any order. The phrase `\isakeyword{case}~\isa{True}'
|
|
|
68 |
abbreviates `\isakeyword{assume}~\isa{True{\isacharcolon}\ A}' and analogously for
|
|
|
69 |
\isa{False} and \isa{{\isasymnot}\ A}.
|
|
|
70 |
|
|
|
71 |
The same game can be played with other datatypes, for example lists,
|
|
|
72 |
where \isa{tl} is the tail of a list, and \isa{length} returns a
|
|
|
73 |
natural number (remember: $0-1=0$):%
|
|
|
74 |
\end{isamarkuptext}%
|
|
|
75 |
\isamarkuptrue%
|
|
|
76 |
\isamarkupfalse%
|
|
|
77 |
\isacommand{lemma}\ {\isachardoublequote}length{\isacharparenleft}tl\ xs{\isacharparenright}\ {\isacharequal}\ length\ xs\ {\isacharminus}\ {\isadigit{1}}{\isachardoublequote}\isanewline
|
|
|
78 |
\isamarkupfalse%
|
|
15909
|
79 |
\isamarkupfalse%
|
|
|
80 |
\isamarkupfalse%
|
|
|
81 |
\isamarkupfalse%
|
|
|
82 |
\isamarkupfalse%
|
|
13999
|
83 |
\isamarkupfalse%
|
|
15909
|
84 |
\isamarkupfalse%
|
|
13999
|
85 |
\isamarkupfalse%
|
|
15909
|
86 |
\isamarkupfalse%
|
|
|
87 |
\isamarkupfalse%
|
|
13999
|
88 |
%
|
|
|
89 |
\begin{isamarkuptext}%
|
|
|
90 |
\noindent Here `\isakeyword{case}~\isa{Nil}' abbreviates
|
|
|
91 |
`\isakeyword{assume}~\isa{Nil{\isacharcolon}}~\isa{xs\ {\isacharequal}\ {\isacharbrackleft}{\isacharbrackright}}' and
|
|
|
92 |
`\isakeyword{case}~\isa{Cons}'
|
|
|
93 |
abbreviates `\isakeyword{fix}~\isa{{\isacharquery}\ {\isacharquery}{\isacharquery}}
|
|
|
94 |
\isakeyword{assume}~\isa{Cons{\isacharcolon}}~\isa{xs\ {\isacharequal}\ {\isacharquery}\ {\isacharhash}\ {\isacharquery}{\isacharquery}}'
|
|
|
95 |
where \isa{{\isacharquery}} and \isa{{\isacharquery}{\isacharquery}}
|
|
|
96 |
stand for variable names that have been chosen by the system.
|
|
|
97 |
Therefore we cannot refer to them.
|
|
|
98 |
Luckily, this proof is simple enough we do not need to refer to them.
|
|
|
99 |
However, sometimes one may have to. Hence Isar offers a simple scheme for
|
|
|
100 |
naming those variables: replace the anonymous \isa{Cons} by
|
|
|
101 |
\isa{{\isacharparenleft}Cons\ y\ ys{\isacharparenright}}, which abbreviates `\isakeyword{fix}~\isa{y\ ys}
|
|
|
102 |
\isakeyword{assume}~\isa{Cons{\isacharcolon}}~\isa{xs\ {\isacharequal}\ y\ {\isacharhash}\ ys}'.
|
|
|
103 |
In each \isakeyword{case} the assumption can be
|
|
|
104 |
referred to inside the proof by the name of the constructor. In
|
|
|
105 |
Section~\ref{sec:full-Ind} below we will come across an example
|
|
|
106 |
of this.%
|
|
|
107 |
\end{isamarkuptext}%
|
|
|
108 |
\isamarkuptrue%
|
|
|
109 |
%
|
|
|
110 |
\isamarkupsubsection{Structural induction%
|
|
|
111 |
}
|
|
|
112 |
\isamarkuptrue%
|
|
|
113 |
%
|
|
|
114 |
\begin{isamarkuptext}%
|
|
|
115 |
We start with an inductive proof where both cases are proved automatically:%
|
|
|
116 |
\end{isamarkuptext}%
|
|
|
117 |
\isamarkuptrue%
|
|
15909
|
118 |
\isacommand{lemma}\ {\isachardoublequote}{\isadigit{2}}\ {\isacharasterisk}\ {\isacharparenleft}{\isasymSum}i{\isacharcolon}{\isacharcolon}nat\ {\isacharequal}\ {\isadigit{0}}{\isachardot}{\isachardot}{\isacharless}n{\isacharplus}{\isadigit{1}}{\isachardot}\ i{\isacharparenright}\ {\isacharequal}\ n{\isacharasterisk}{\isacharparenleft}n{\isacharplus}{\isadigit{1}}{\isacharparenright}{\isachardoublequote}\isanewline
|
|
13999
|
119 |
\isamarkupfalse%
|
|
15909
|
120 |
\isamarkupfalse%
|
|
13999
|
121 |
%
|
|
|
122 |
\begin{isamarkuptext}%
|
|
15909
|
123 |
\noindent The constraint \isa{{\isacharcolon}{\isacharcolon}nat} is needed because all of
|
|
|
124 |
the operations involved are overloaded.
|
|
|
125 |
|
|
|
126 |
If we want to expose more of the structure of the
|
|
13999
|
127 |
proof, we can use pattern matching to avoid having to repeat the goal
|
|
|
128 |
statement:%
|
|
|
129 |
\end{isamarkuptext}%
|
|
|
130 |
\isamarkuptrue%
|
|
15909
|
131 |
\isacommand{lemma}\ {\isachardoublequote}{\isadigit{2}}\ {\isacharasterisk}\ {\isacharparenleft}{\isasymSum}i{\isacharcolon}{\isacharcolon}nat\ {\isacharequal}\ {\isadigit{0}}{\isachardot}{\isachardot}{\isacharless}n{\isacharplus}{\isadigit{1}}{\isachardot}\ i{\isacharparenright}\ {\isacharequal}\ n{\isacharasterisk}{\isacharparenleft}n{\isacharplus}{\isadigit{1}}{\isacharparenright}{\isachardoublequote}\ {\isacharparenleft}\isakeyword{is}\ {\isachardoublequote}{\isacharquery}P\ n{\isachardoublequote}{\isacharparenright}\isanewline
|
|
|
132 |
\isamarkupfalse%
|
|
13999
|
133 |
\isamarkupfalse%
|
|
15909
|
134 |
\isamarkupfalse%
|
|
|
135 |
\isamarkupfalse%
|
|
13999
|
136 |
\isamarkupfalse%
|
|
15909
|
137 |
\isamarkupfalse%
|
|
|
138 |
\isamarkupfalse%
|
|
13999
|
139 |
\isamarkupfalse%
|
|
15909
|
140 |
\isamarkupfalse%
|
|
|
141 |
\isamarkupfalse%
|
|
13999
|
142 |
%
|
|
|
143 |
\begin{isamarkuptext}%
|
|
|
144 |
\noindent We could refine this further to show more of the equational
|
|
|
145 |
proof. Instead we explore the same avenue as for case distinctions:
|
|
|
146 |
introducing context via the \isakeyword{case} command:%
|
|
|
147 |
\end{isamarkuptext}%
|
|
|
148 |
\isamarkuptrue%
|
|
15909
|
149 |
\isacommand{lemma}\ {\isachardoublequote}{\isadigit{2}}\ {\isacharasterisk}\ {\isacharparenleft}{\isasymSum}i{\isacharcolon}{\isacharcolon}nat\ {\isacharequal}\ {\isadigit{0}}{\isachardot}{\isachardot}{\isacharless}n{\isacharplus}{\isadigit{1}}{\isachardot}\ i{\isacharparenright}\ {\isacharequal}\ n{\isacharasterisk}{\isacharparenleft}n{\isacharplus}{\isadigit{1}}{\isacharparenright}{\isachardoublequote}\isanewline
|
|
|
150 |
\isamarkupfalse%
|
|
13999
|
151 |
\isamarkupfalse%
|
|
15909
|
152 |
\isamarkupfalse%
|
|
|
153 |
\isamarkupfalse%
|
|
13999
|
154 |
\isamarkupfalse%
|
|
15909
|
155 |
\isamarkupfalse%
|
|
|
156 |
\isamarkupfalse%
|
|
13999
|
157 |
\isamarkupfalse%
|
|
15909
|
158 |
\isamarkupfalse%
|
|
|
159 |
\isamarkupfalse%
|
|
13999
|
160 |
%
|
|
|
161 |
\begin{isamarkuptext}%
|
|
|
162 |
\noindent The implicitly defined \isa{{\isacharquery}case} refers to the
|
|
|
163 |
corresponding case to be proved, i.e.\ \isa{{\isacharquery}P\ {\isadigit{0}}} in the first case and
|
|
|
164 |
\isa{{\isacharquery}P{\isacharparenleft}Suc\ n{\isacharparenright}} in the second case. Context \isakeyword{case}~\isa{{\isadigit{0}}} is
|
|
|
165 |
empty whereas \isakeyword{case}~\isa{Suc} assumes \isa{{\isacharquery}P\ n}. Again we
|
|
|
166 |
have the same problem as with case distinctions: we cannot refer to an anonymous \isa{n}
|
|
|
167 |
in the induction step because it has not been introduced via \isakeyword{fix}
|
|
|
168 |
(in contrast to the previous proof). The solution is the one outlined for
|
|
|
169 |
\isa{Cons} above: replace \isa{Suc} by \isa{{\isacharparenleft}Suc\ i{\isacharparenright}}:%
|
|
|
170 |
\end{isamarkuptext}%
|
|
|
171 |
\isamarkuptrue%
|
|
|
172 |
\isacommand{lemma}\ \isakeyword{fixes}\ n{\isacharcolon}{\isacharcolon}nat\ \isakeyword{shows}\ {\isachardoublequote}n\ {\isacharless}\ n{\isacharasterisk}n\ {\isacharplus}\ {\isadigit{1}}{\isachardoublequote}\isanewline
|
|
|
173 |
\isamarkupfalse%
|
|
15909
|
174 |
\isamarkupfalse%
|
|
|
175 |
\isamarkupfalse%
|
|
|
176 |
\isamarkupfalse%
|
|
|
177 |
\isamarkupfalse%
|
|
13999
|
178 |
\isamarkupfalse%
|
|
15909
|
179 |
\isamarkupfalse%
|
|
13999
|
180 |
\isamarkupfalse%
|
|
15909
|
181 |
\isamarkupfalse%
|
|
|
182 |
\isamarkupfalse%
|
|
13999
|
183 |
%
|
|
|
184 |
\begin{isamarkuptext}%
|
|
|
185 |
\noindent Of course we could again have written
|
|
|
186 |
\isakeyword{thus}~\isa{{\isacharquery}case} instead of giving the term explicitly
|
|
|
187 |
but we wanted to use \isa{i} somewhere.%
|
|
|
188 |
\end{isamarkuptext}%
|
|
|
189 |
\isamarkuptrue%
|
|
|
190 |
%
|
|
|
191 |
\isamarkupsubsection{Induction formulae involving \isa{{\isasymAnd}} or \isa{{\isasymLongrightarrow}}\label{sec:full-Ind}%
|
|
|
192 |
}
|
|
|
193 |
\isamarkuptrue%
|
|
|
194 |
%
|
|
|
195 |
\begin{isamarkuptext}%
|
|
|
196 |
Let us now consider the situation where the goal to be proved contains
|
|
|
197 |
\isa{{\isasymAnd}} or \isa{{\isasymLongrightarrow}}, say \isa{{\isasymAnd}x{\isachardot}\ P\ x\ {\isasymLongrightarrow}\ Q\ x} --- motivation and a
|
|
|
198 |
real example follow shortly. This means that in each case of the induction,
|
|
|
199 |
\isa{{\isacharquery}case} would be of the form \isa{{\isasymAnd}x{\isachardot}\ P{\isacharprime}\ x\ {\isasymLongrightarrow}\ Q{\isacharprime}\ x}. Thus the
|
|
|
200 |
first proof steps will be the canonical ones, fixing \isa{x} and assuming
|
|
|
201 |
\isa{P{\isacharprime}\ x}. To avoid this tedium, induction performs these steps
|
|
|
202 |
automatically: for example in case \isa{{\isacharparenleft}Suc\ n{\isacharparenright}}, \isa{{\isacharquery}case} is only
|
|
|
203 |
\isa{Q{\isacharprime}\ x} whereas the assumptions (named \isa{Suc}!) contain both the
|
|
|
204 |
usual induction hypothesis \emph{and} \isa{P{\isacharprime}\ x}.
|
|
|
205 |
It should be clear how this generalises to more complex formulae.
|
|
|
206 |
|
|
|
207 |
As an example we will now prove complete induction via
|
|
|
208 |
structural induction.%
|
|
|
209 |
\end{isamarkuptext}%
|
|
|
210 |
\isamarkuptrue%
|
|
|
211 |
\isacommand{lemma}\ \isakeyword{assumes}\ A{\isacharcolon}\ {\isachardoublequote}{\isacharparenleft}{\isasymAnd}n{\isachardot}\ {\isacharparenleft}{\isasymAnd}m{\isachardot}\ m\ {\isacharless}\ n\ {\isasymLongrightarrow}\ P\ m{\isacharparenright}\ {\isasymLongrightarrow}\ P\ n{\isacharparenright}{\isachardoublequote}\isanewline
|
|
|
212 |
\ \ \isakeyword{shows}\ {\isachardoublequote}P{\isacharparenleft}n{\isacharcolon}{\isacharcolon}nat{\isacharparenright}{\isachardoublequote}\isanewline
|
|
|
213 |
\isamarkupfalse%
|
|
15909
|
214 |
\isamarkupfalse%
|
|
|
215 |
\isamarkupfalse%
|
|
|
216 |
\isamarkupfalse%
|
|
|
217 |
\isamarkupfalse%
|
|
|
218 |
\isamarkupfalse%
|
|
|
219 |
\isamarkupfalse%
|
|
|
220 |
\isamarkupfalse%
|
|
|
221 |
\isamarkupfalse%
|
|
|
222 |
\isamarkupfalse%
|
|
|
223 |
\isamarkupfalse%
|
|
|
224 |
\isamarkupfalse%
|
|
|
225 |
\isamarkupfalse%
|
|
|
226 |
\isamarkupfalse%
|
|
13999
|
227 |
\isamarkupfalse%
|
|
15909
|
228 |
\isamarkupfalse%
|
|
|
229 |
\isamarkupfalse%
|
|
|
230 |
\isamarkupfalse%
|
|
|
231 |
\isamarkupfalse%
|
|
|
232 |
\isamarkupfalse%
|
|
|
233 |
\isamarkupfalse%
|
|
|
234 |
\isamarkupfalse%
|
|
|
235 |
\isamarkupfalse%
|
|
|
236 |
\isamarkupfalse%
|
|
|
237 |
\isamarkupfalse%
|
|
|
238 |
\isamarkupfalse%
|
|
|
239 |
\isamarkupfalse%
|
|
|
240 |
\isamarkupfalse%
|
|
13999
|
241 |
%
|
|
|
242 |
\begin{isamarkuptext}%
|
|
|
243 |
\noindent Given the explanations above and the comments in the
|
|
|
244 |
proof text (only necessary for novices), the proof should be quite
|
|
|
245 |
readable.
|
|
|
246 |
|
|
|
247 |
The statement of the lemma is interesting because it deviates from the style in
|
|
|
248 |
the Tutorial~\cite{LNCS2283}, which suggests to introduce \isa{{\isasymforall}} or
|
|
|
249 |
\isa{{\isasymlongrightarrow}} into a theorem to strengthen it for induction. In Isar
|
|
|
250 |
proofs we can use \isa{{\isasymAnd}} and \isa{{\isasymLongrightarrow}} instead. This simplifies the
|
|
|
251 |
proof and means we do not have to convert between the two kinds of
|
|
|
252 |
connectives.
|
|
|
253 |
|
|
|
254 |
Note that in a nested induction over the same data type, the inner
|
|
|
255 |
case labels hide the outer ones of the same name. If you want to refer
|
|
|
256 |
to the outer ones inside, you need to name them on the outside, e.g.\
|
|
|
257 |
\isakeyword{note}~\isa{outer{\isacharunderscore}IH\ {\isacharequal}\ Suc}.%
|
|
|
258 |
\end{isamarkuptext}%
|
|
|
259 |
\isamarkuptrue%
|
|
|
260 |
%
|
|
|
261 |
\isamarkupsubsection{Rule induction%
|
|
|
262 |
}
|
|
|
263 |
\isamarkuptrue%
|
|
|
264 |
%
|
|
|
265 |
\begin{isamarkuptext}%
|
|
|
266 |
HOL also supports inductively defined sets. See \cite{LNCS2283}
|
|
|
267 |
for details. As an example we define our own version of the reflexive
|
|
|
268 |
transitive closure of a relation --- HOL provides a predefined one as well.%
|
|
|
269 |
\end{isamarkuptext}%
|
|
|
270 |
\isamarkuptrue%
|
|
|
271 |
\isacommand{consts}\ rtc\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequote}{\isacharparenleft}{\isacharprime}a\ {\isasymtimes}\ {\isacharprime}a{\isacharparenright}set\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymtimes}\ {\isacharprime}a{\isacharparenright}set{\isachardoublequote}\ \ \ {\isacharparenleft}{\isachardoublequote}{\isacharunderscore}{\isacharasterisk}{\isachardoublequote}\ {\isacharbrackleft}{\isadigit{1}}{\isadigit{0}}{\isadigit{0}}{\isadigit{0}}{\isacharbrackright}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}{\isacharparenright}\isanewline
|
|
|
272 |
\isamarkupfalse%
|
|
|
273 |
\isacommand{inductive}\ {\isachardoublequote}r{\isacharasterisk}{\isachardoublequote}\isanewline
|
|
|
274 |
\isakeyword{intros}\isanewline
|
|
|
275 |
refl{\isacharcolon}\ \ {\isachardoublequote}{\isacharparenleft}x{\isacharcomma}x{\isacharparenright}\ {\isasymin}\ r{\isacharasterisk}{\isachardoublequote}\isanewline
|
|
|
276 |
step{\isacharcolon}\ \ {\isachardoublequote}{\isasymlbrakk}\ {\isacharparenleft}x{\isacharcomma}y{\isacharparenright}\ {\isasymin}\ r{\isacharsemicolon}\ {\isacharparenleft}y{\isacharcomma}z{\isacharparenright}\ {\isasymin}\ r{\isacharasterisk}\ {\isasymrbrakk}\ {\isasymLongrightarrow}\ {\isacharparenleft}x{\isacharcomma}z{\isacharparenright}\ {\isasymin}\ r{\isacharasterisk}{\isachardoublequote}\isamarkupfalse%
|
|
|
277 |
%
|
|
|
278 |
\begin{isamarkuptext}%
|
|
|
279 |
\noindent
|
|
|
280 |
First the constant is declared as a function on binary
|
|
|
281 |
relations (with concrete syntax \isa{r{\isacharasterisk}} instead of \isa{rtc\ r}), then the defining clauses are given. We will now prove that
|
|
|
282 |
\isa{r{\isacharasterisk}} is indeed transitive:%
|
|
|
283 |
\end{isamarkuptext}%
|
|
|
284 |
\isamarkuptrue%
|
|
|
285 |
\isacommand{lemma}\ \isakeyword{assumes}\ A{\isacharcolon}\ {\isachardoublequote}{\isacharparenleft}x{\isacharcomma}y{\isacharparenright}\ {\isasymin}\ r{\isacharasterisk}{\isachardoublequote}\ \isakeyword{shows}\ {\isachardoublequote}{\isacharparenleft}y{\isacharcomma}z{\isacharparenright}\ {\isasymin}\ r{\isacharasterisk}\ {\isasymLongrightarrow}\ {\isacharparenleft}x{\isacharcomma}z{\isacharparenright}\ {\isasymin}\ r{\isacharasterisk}{\isachardoublequote}\isanewline
|
|
|
286 |
\isamarkupfalse%
|
|
15909
|
287 |
\isamarkupfalse%
|
|
13999
|
288 |
\isamarkupfalse%
|
|
15909
|
289 |
\isamarkupfalse%
|
|
|
290 |
\isamarkupfalse%
|
|
13999
|
291 |
\isamarkupfalse%
|
|
15909
|
292 |
\isamarkupfalse%
|
|
|
293 |
\isamarkupfalse%
|
|
13999
|
294 |
\isamarkupfalse%
|
|
15909
|
295 |
\isamarkupfalse%
|
|
|
296 |
\isamarkupfalse%
|
|
13999
|
297 |
%
|
|
|
298 |
\begin{isamarkuptext}%
|
|
|
299 |
\noindent Rule induction is triggered by a fact $(x_1,\dots,x_n)
|
|
|
300 |
\in R$ piped into the proof, here \isakeyword{using}~\isa{A}. The
|
|
|
301 |
proof itself follows the inductive definition very
|
|
|
302 |
closely: there is one case for each rule, and it has the same name as
|
|
|
303 |
the rule, analogous to structural induction.
|
|
|
304 |
|
|
|
305 |
However, this proof is rather terse. Here is a more readable version:%
|
|
|
306 |
\end{isamarkuptext}%
|
|
|
307 |
\isamarkuptrue%
|
|
|
308 |
\isacommand{lemma}\ \isakeyword{assumes}\ A{\isacharcolon}\ {\isachardoublequote}{\isacharparenleft}x{\isacharcomma}y{\isacharparenright}\ {\isasymin}\ r{\isacharasterisk}{\isachardoublequote}\ \isakeyword{and}\ B{\isacharcolon}\ {\isachardoublequote}{\isacharparenleft}y{\isacharcomma}z{\isacharparenright}\ {\isasymin}\ r{\isacharasterisk}{\isachardoublequote}\isanewline
|
|
|
309 |
\ \ \isakeyword{shows}\ {\isachardoublequote}{\isacharparenleft}x{\isacharcomma}z{\isacharparenright}\ {\isasymin}\ r{\isacharasterisk}{\isachardoublequote}\isanewline
|
|
|
310 |
\isamarkupfalse%
|
|
15909
|
311 |
\isamarkupfalse%
|
|
|
312 |
\isamarkupfalse%
|
|
|
313 |
\isamarkupfalse%
|
|
|
314 |
\isamarkupfalse%
|
|
|
315 |
\isamarkupfalse%
|
|
|
316 |
\isamarkupfalse%
|
|
|
317 |
\isamarkupfalse%
|
|
13999
|
318 |
\isamarkupfalse%
|
|
15909
|
319 |
\isamarkupfalse%
|
|
|
320 |
\isamarkupfalse%
|
|
|
321 |
\isamarkupfalse%
|
|
|
322 |
\isamarkupfalse%
|
|
|
323 |
\isamarkupfalse%
|
|
|
324 |
\isamarkupfalse%
|
|
|
325 |
\isamarkupfalse%
|
|
|
326 |
\isamarkupfalse%
|
|
13999
|
327 |
%
|
|
|
328 |
\begin{isamarkuptext}%
|
|
|
329 |
\noindent We start the proof with \isakeyword{from}~\isa{A\ B}. Only \isa{A} is ``consumed'' by the induction step.
|
|
|
330 |
Since \isa{B} is left over we don't just prove \isa{{\isacharquery}thesis} but \isa{B\ {\isasymLongrightarrow}\ {\isacharquery}thesis}, just as in the previous proof. The
|
|
|
331 |
base case is trivial. In the assumptions for the induction step we can
|
|
|
332 |
see very clearly how things fit together and permit ourselves the
|
|
|
333 |
obvious forward step \isa{IH{\isacharbrackleft}OF\ B{\isacharbrackright}}.
|
|
|
334 |
|
|
|
335 |
The notation `\isakeyword{case}~\isa{(}\emph{constructor} \emph{vars}\isa{)}'
|
|
|
336 |
is also supported for inductive definitions. The \emph{constructor} is (the
|
|
|
337 |
name of) the rule and the \emph{vars} fix the free variables in the
|
|
|
338 |
rule; the order of the \emph{vars} must correspond to the
|
|
|
339 |
\emph{alphabetical order} of the variables as they appear in the rule.
|
|
|
340 |
For example, we could start the above detailed proof of the induction
|
|
|
341 |
with \isakeyword{case}~\isa{(step x' x y)}. However, we can then only
|
|
|
342 |
refer to the assumptions named \isa{step} collectively and not
|
|
|
343 |
individually, as the above proof requires.%
|
|
|
344 |
\end{isamarkuptext}%
|
|
|
345 |
\isamarkuptrue%
|
|
|
346 |
%
|
|
|
347 |
\isamarkupsubsection{More induction%
|
|
|
348 |
}
|
|
|
349 |
\isamarkuptrue%
|
|
|
350 |
%
|
|
|
351 |
\begin{isamarkuptext}%
|
|
|
352 |
We close the section by demonstrating how arbitrary induction
|
|
|
353 |
rules are applied. As a simple example we have chosen recursion
|
|
|
354 |
induction, i.e.\ induction based on a recursive function
|
|
|
355 |
definition. However, most of what we show works for induction in
|
|
|
356 |
general.
|
|
|
357 |
|
|
|
358 |
The example is an unusual definition of rotation:%
|
|
|
359 |
\end{isamarkuptext}%
|
|
|
360 |
\isamarkuptrue%
|
|
|
361 |
\isacommand{consts}\ rot\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequote}{\isacharprime}a\ list\ {\isasymRightarrow}\ {\isacharprime}a\ list{\isachardoublequote}\isanewline
|
|
|
362 |
\isamarkupfalse%
|
|
|
363 |
\isacommand{recdef}\ rot\ {\isachardoublequote}measure\ length{\isachardoublequote}\ \ %
|
|
|
364 |
\isamarkupcmt{for the internal termination proof%
|
|
|
365 |
}
|
|
|
366 |
\isanewline
|
|
|
367 |
{\isachardoublequote}rot\ {\isacharbrackleft}{\isacharbrackright}\ {\isacharequal}\ {\isacharbrackleft}{\isacharbrackright}{\isachardoublequote}\isanewline
|
|
|
368 |
{\isachardoublequote}rot\ {\isacharbrackleft}x{\isacharbrackright}\ {\isacharequal}\ {\isacharbrackleft}x{\isacharbrackright}{\isachardoublequote}\isanewline
|
|
|
369 |
{\isachardoublequote}rot\ {\isacharparenleft}x{\isacharhash}y{\isacharhash}zs{\isacharparenright}\ {\isacharequal}\ y\ {\isacharhash}\ rot{\isacharparenleft}x{\isacharhash}zs{\isacharparenright}{\isachardoublequote}\isamarkupfalse%
|
|
|
370 |
%
|
|
|
371 |
\begin{isamarkuptext}%
|
|
|
372 |
\noindent This yields, among other things, the induction rule
|
|
|
373 |
\isa{rot{\isachardot}induct}: \begin{isabelle}%
|
|
|
374 |
{\isasymlbrakk}P\ {\isacharbrackleft}{\isacharbrackright}{\isacharsemicolon}\ {\isasymAnd}x{\isachardot}\ P\ {\isacharbrackleft}x{\isacharbrackright}{\isacharsemicolon}\ {\isasymAnd}x\ y\ zs{\isachardot}\ P\ {\isacharparenleft}x\ {\isacharhash}\ zs{\isacharparenright}\ {\isasymLongrightarrow}\ P\ {\isacharparenleft}x\ {\isacharhash}\ y\ {\isacharhash}\ zs{\isacharparenright}{\isasymrbrakk}\ {\isasymLongrightarrow}\ P\ x%
|
|
|
375 |
\end{isabelle}
|
|
|
376 |
In the following proof we rely on a default naming scheme for cases: they are
|
|
|
377 |
called 1, 2, etc, unless they have been named explicitly. The latter happens
|
|
|
378 |
only with datatypes and inductively defined sets, but not with recursive
|
|
|
379 |
functions.%
|
|
|
380 |
\end{isamarkuptext}%
|
|
|
381 |
\isamarkuptrue%
|
|
|
382 |
\isacommand{lemma}\ {\isachardoublequote}xs\ {\isasymnoteq}\ {\isacharbrackleft}{\isacharbrackright}\ {\isasymLongrightarrow}\ rot\ xs\ {\isacharequal}\ tl\ xs\ {\isacharat}\ {\isacharbrackleft}hd\ xs{\isacharbrackright}{\isachardoublequote}\isanewline
|
|
|
383 |
\isamarkupfalse%
|
|
15909
|
384 |
\isamarkupfalse%
|
|
|
385 |
\isamarkupfalse%
|
|
|
386 |
\isamarkupfalse%
|
|
|
387 |
\isamarkupfalse%
|
|
13999
|
388 |
\isamarkupfalse%
|
|
15909
|
389 |
\isamarkupfalse%
|
|
|
390 |
\isamarkupfalse%
|
|
|
391 |
\isamarkupfalse%
|
|
|
392 |
\isamarkupfalse%
|
|
|
393 |
\isamarkupfalse%
|
|
13999
|
394 |
\isamarkupfalse%
|
|
15909
|
395 |
\isamarkupfalse%
|
|
|
396 |
\isamarkupfalse%
|
|
|
397 |
\isamarkupfalse%
|
|
|
398 |
\isamarkupfalse%
|
|
|
399 |
\isamarkupfalse%
|
|
13999
|
400 |
\isamarkupfalse%
|
|
15909
|
401 |
\isamarkupfalse%
|
|
|
402 |
\isamarkupfalse%
|
|
|
403 |
\isamarkupfalse%
|
|
|
404 |
\isamarkupfalse%
|
|
|
405 |
\isamarkupfalse%
|
|
13999
|
406 |
%
|
|
|
407 |
\begin{isamarkuptext}%
|
|
|
408 |
\noindent
|
|
|
409 |
The third case is only shown in gory detail (see \cite{BauerW-TPHOLs01}
|
|
|
410 |
for how to reason with chains of equations) to demonstrate that the
|
|
|
411 |
`\isakeyword{case}~\isa{(}\emph{constructor} \emph{vars}\isa{)}' notation also
|
|
|
412 |
works for arbitrary induction theorems with numbered cases. The order
|
|
|
413 |
of the \emph{vars} corresponds to the order of the
|
|
|
414 |
\isa{{\isasymAnd}}-quantified variables in each case of the induction
|
|
|
415 |
theorem. For induction theorems produced by \isakeyword{recdef} it is
|
|
|
416 |
the order in which the variables appear on the left-hand side of the
|
|
|
417 |
equation.
|
|
|
418 |
|
|
|
419 |
The proof is so simple that it can be condensed to%
|
|
|
420 |
\end{isamarkuptext}%
|
|
|
421 |
\isamarkuptrue%
|
|
|
422 |
\isamarkupfalse%
|
|
15909
|
423 |
\isanewline
|
|
13999
|
424 |
\isamarkupfalse%
|
|
|
425 |
\isamarkupfalse%
|
|
|
426 |
\end{isabellebody}%
|
|
|
427 |
%%% Local Variables:
|
|
|
428 |
%%% mode: latex
|
|
|
429 |
%%% TeX-master: "root"
|
|
|
430 |
%%% End:
|