10187
|
1 |
%
|
|
2 |
\begin{isabellebody}%
|
|
3 |
\def\isabellecontext{WFrec}%
|
11866
|
4 |
\isamarkupfalse%
|
10187
|
5 |
%
|
|
6 |
\begin{isamarkuptext}%
|
|
7 |
\noindent
|
11161
|
8 |
So far, all recursive definitions were shown to terminate via measure
|
11494
|
9 |
functions. Sometimes this can be inconvenient or
|
10187
|
10 |
impossible. Fortunately, \isacommand{recdef} supports much more
|
|
11 |
general definitions. For example, termination of Ackermann's function
|
10654
|
12 |
can be shown by means of the \rmindex{lexicographic product} \isa{{\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}}:%
|
10187
|
13 |
\end{isamarkuptext}%
|
11866
|
14 |
\isamarkuptrue%
|
10187
|
15 |
\isacommand{consts}\ ack\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequote}nat{\isasymtimes}nat\ {\isasymRightarrow}\ nat{\isachardoublequote}\isanewline
|
11866
|
16 |
\isamarkupfalse%
|
10187
|
17 |
\isacommand{recdef}\ ack\ {\isachardoublequote}measure{\isacharparenleft}{\isasymlambda}m{\isachardot}\ m{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}n{\isachardot}\ n{\isacharparenright}{\isachardoublequote}\isanewline
|
|
18 |
\ \ {\isachardoublequote}ack{\isacharparenleft}{\isadigit{0}}{\isacharcomma}n{\isacharparenright}\ \ \ \ \ \ \ \ \ {\isacharequal}\ Suc\ n{\isachardoublequote}\isanewline
|
|
19 |
\ \ {\isachardoublequote}ack{\isacharparenleft}Suc\ m{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ \ \ \ \ {\isacharequal}\ ack{\isacharparenleft}m{\isacharcomma}\ {\isadigit{1}}{\isacharparenright}{\isachardoublequote}\isanewline
|
11866
|
20 |
\ \ {\isachardoublequote}ack{\isacharparenleft}Suc\ m{\isacharcomma}Suc\ n{\isacharparenright}\ {\isacharequal}\ ack{\isacharparenleft}m{\isacharcomma}ack{\isacharparenleft}Suc\ m{\isacharcomma}n{\isacharparenright}{\isacharparenright}{\isachardoublequote}\isamarkupfalse%
|
|
21 |
%
|
10187
|
22 |
\begin{isamarkuptext}%
|
|
23 |
\noindent
|
|
24 |
The lexicographic product decreases if either its first component
|
|
25 |
decreases (as in the second equation and in the outer call in the
|
|
26 |
third equation) or its first component stays the same and the second
|
|
27 |
component decreases (as in the inner call in the third equation).
|
|
28 |
|
|
29 |
In general, \isacommand{recdef} supports termination proofs based on
|
10396
|
30 |
arbitrary well-founded relations as introduced in \S\ref{sec:Well-founded}.
|
|
31 |
This is called \textbf{well-founded
|
11494
|
32 |
recursion}\indexbold{recursion!well-founded}. A function definition
|
|
33 |
is total if and only if the set of
|
|
34 |
all pairs $(r,l)$, where $l$ is the argument on the
|
10396
|
35 |
left-hand side of an equation and $r$ the argument of some recursive call on
|
|
36 |
the corresponding right-hand side, induces a well-founded relation. For a
|
|
37 |
systematic account of termination proofs via well-founded relations see, for
|
10878
|
38 |
example, Baader and Nipkow~\cite{Baader-Nipkow}.
|
10187
|
39 |
|
11494
|
40 |
Each \isacommand{recdef} definition should be accompanied (after the function's
|
|
41 |
name) by a well-founded relation on the function's argument type.
|
|
42 |
Isabelle/HOL formalizes some of the most important
|
10396
|
43 |
constructions of well-founded relations (see \S\ref{sec:Well-founded}). For
|
11494
|
44 |
example, \isa{measure\ f} is always well-founded. The lexicographic
|
10396
|
45 |
product of two well-founded relations is again well-founded, which we relied
|
|
46 |
on when defining Ackermann's function above.
|
11308
|
47 |
Of course the lexicographic product can also be iterated:%
|
10189
|
48 |
\end{isamarkuptext}%
|
11866
|
49 |
\isamarkuptrue%
|
10189
|
50 |
\isacommand{consts}\ contrived\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequote}nat\ {\isasymtimes}\ nat\ {\isasymtimes}\ nat\ {\isasymRightarrow}\ nat{\isachardoublequote}\isanewline
|
11866
|
51 |
\isamarkupfalse%
|
10189
|
52 |
\isacommand{recdef}\ contrived\isanewline
|
|
53 |
\ \ {\isachardoublequote}measure{\isacharparenleft}{\isasymlambda}i{\isachardot}\ i{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}j{\isachardot}\ j{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}k{\isachardot}\ k{\isacharparenright}{\isachardoublequote}\isanewline
|
|
54 |
{\isachardoublequote}contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}Suc\ k{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}k{\isacharparenright}{\isachardoublequote}\isanewline
|
|
55 |
{\isachardoublequote}contrived{\isacharparenleft}i{\isacharcomma}Suc\ j{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}j{\isacharparenright}{\isachardoublequote}\isanewline
|
|
56 |
{\isachardoublequote}contrived{\isacharparenleft}Suc\ i{\isacharcomma}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}i{\isacharcomma}i{\isacharparenright}{\isachardoublequote}\isanewline
|
11866
|
57 |
{\isachardoublequote}contrived{\isacharparenleft}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ \ \ \ \ {\isacharequal}\ {\isadigit{0}}{\isachardoublequote}\isamarkupfalse%
|
|
58 |
%
|
10189
|
59 |
\begin{isamarkuptext}%
|
10396
|
60 |
Lexicographic products of measure functions already go a long
|
10878
|
61 |
way. Furthermore, you may embed a type in an
|
10396
|
62 |
existing well-founded relation via the inverse image construction \isa{inv{\isacharunderscore}image}. All these constructions are known to \isacommand{recdef}. Thus you
|
10241
|
63 |
will never have to prove well-foundedness of any relation composed
|
10189
|
64 |
solely of these building blocks. But of course the proof of
|
11494
|
65 |
termination of your function definition --- that the arguments
|
|
66 |
decrease with every recursive call --- may still require you to provide
|
10189
|
67 |
additional lemmas.
|
|
68 |
|
10842
|
69 |
It is also possible to use your own well-founded relations with
|
|
70 |
\isacommand{recdef}. For example, the greater-than relation can be made
|
|
71 |
well-founded by cutting it off at a certain point. Here is an example
|
|
72 |
of a recursive function that calls itself with increasing values up to ten:%
|
10187
|
73 |
\end{isamarkuptext}%
|
11866
|
74 |
\isamarkuptrue%
|
10189
|
75 |
\isacommand{consts}\ f\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequote}nat\ {\isasymRightarrow}\ nat{\isachardoublequote}\isanewline
|
11866
|
76 |
\isamarkupfalse%
|
11706
|
77 |
\isacommand{recdef}\ f\ {\isachardoublequote}{\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}j{\isacharparenright}{\isachardot}\ j{\isacharless}i\ {\isasymand}\ i\ {\isasymle}\ {\isacharparenleft}{\isadigit{1}}{\isadigit{0}}{\isacharcolon}{\isacharcolon}nat{\isacharparenright}{\isacharbraceright}{\isachardoublequote}\isanewline
|
11866
|
78 |
{\isachardoublequote}f\ i\ {\isacharequal}\ {\isacharparenleft}if\ {\isadigit{1}}{\isadigit{0}}\ {\isasymle}\ i\ then\ {\isadigit{0}}\ else\ i\ {\isacharasterisk}\ f{\isacharparenleft}Suc\ i{\isacharparenright}{\isacharparenright}{\isachardoublequote}\isamarkupfalse%
|
|
79 |
%
|
11636
|
80 |
\begin{isamarkuptext}%
|
|
81 |
\noindent
|
|
82 |
Since \isacommand{recdef} is not prepared for the relation supplied above,
|
|
83 |
Isabelle rejects the definition. We should first have proved that
|
|
84 |
our relation was well-founded:%
|
|
85 |
\end{isamarkuptext}%
|
11866
|
86 |
\isamarkuptrue%
|
|
87 |
\isacommand{lemma}\ wf{\isacharunderscore}greater{\isacharcolon}\ {\isachardoublequote}wf\ {\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}j{\isacharparenright}{\isachardot}\ j{\isacharless}i\ {\isasymand}\ i\ {\isasymle}\ {\isacharparenleft}N{\isacharcolon}{\isacharcolon}nat{\isacharparenright}{\isacharbraceright}{\isachardoublequote}\isamarkupfalse%
|
|
88 |
%
|
11636
|
89 |
\begin{isamarkuptxt}%
|
|
90 |
\noindent
|
|
91 |
The proof is by showing that our relation is a subset of another well-founded
|
|
92 |
relation: one given by a measure function.\index{*wf_subset (theorem)}%
|
|
93 |
\end{isamarkuptxt}%
|
11866
|
94 |
\isamarkuptrue%
|
|
95 |
\isacommand{apply}\ {\isacharparenleft}rule\ wf{\isacharunderscore}subset\ {\isacharbrackleft}of\ {\isachardoublequote}measure\ {\isacharparenleft}{\isasymlambda}k{\isacharcolon}{\isacharcolon}nat{\isachardot}\ N{\isacharminus}k{\isacharparenright}{\isachardoublequote}{\isacharbrackright}{\isacharcomma}\ blast{\isacharparenright}\isamarkupfalse%
|
|
96 |
%
|
11636
|
97 |
\begin{isamarkuptxt}%
|
|
98 |
\begin{isabelle}%
|
|
99 |
\ {\isadigit{1}}{\isachardot}\ {\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}\ j{\isacharparenright}{\isachardot}\ j\ {\isacharless}\ i\ {\isasymand}\ i\ {\isasymle}\ N{\isacharbraceright}\ {\isasymsubseteq}\ measure\ {\isacharparenleft}op\ {\isacharminus}\ N{\isacharparenright}%
|
|
100 |
\end{isabelle}
|
|
101 |
|
|
102 |
\noindent
|
|
103 |
The inclusion remains to be proved. After unfolding some definitions,
|
|
104 |
we are left with simple arithmetic:%
|
|
105 |
\end{isamarkuptxt}%
|
11866
|
106 |
\isamarkuptrue%
|
|
107 |
\isacommand{apply}\ {\isacharparenleft}clarify{\isacharcomma}\ simp\ add{\isacharcolon}\ measure{\isacharunderscore}def\ inv{\isacharunderscore}image{\isacharunderscore}def{\isacharparenright}\isamarkupfalse%
|
|
108 |
%
|
11636
|
109 |
\begin{isamarkuptxt}%
|
|
110 |
\begin{isabelle}%
|
|
111 |
\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}a\ b{\isachardot}\ {\isasymlbrakk}b\ {\isacharless}\ a{\isacharsemicolon}\ a\ {\isasymle}\ N{\isasymrbrakk}\ {\isasymLongrightarrow}\ N\ {\isacharminus}\ a\ {\isacharless}\ N\ {\isacharminus}\ b%
|
|
112 |
\end{isabelle}
|
|
113 |
|
|
114 |
\noindent
|
|
115 |
And that is dispatched automatically:%
|
|
116 |
\end{isamarkuptxt}%
|
11866
|
117 |
\isamarkuptrue%
|
|
118 |
\isacommand{by}\ arith\isamarkupfalse%
|
|
119 |
%
|
11636
|
120 |
\begin{isamarkuptext}%
|
|
121 |
\noindent
|
|
122 |
|
|
123 |
Armed with this lemma, we use the \attrdx{recdef_wf} attribute to attach a
|
13111
|
124 |
crucial hint\cmmdx{hints} to our definition:%
|
11636
|
125 |
\end{isamarkuptext}%
|
11866
|
126 |
\isamarkuptrue%
|
|
127 |
\isamarkupfalse%
|
|
128 |
{\isacharparenleft}\isakeyword{hints}\ recdef{\isacharunderscore}wf{\isacharcolon}\ wf{\isacharunderscore}greater{\isacharparenright}\isamarkupfalse%
|
|
129 |
%
|
11636
|
130 |
\begin{isamarkuptext}%
|
|
131 |
\noindent
|
11706
|
132 |
Alternatively, we could have given \isa{measure\ {\isacharparenleft}{\isasymlambda}k{\isacharcolon}{\isacharcolon}nat{\isachardot}\ {\isadigit{1}}{\isadigit{0}}{\isacharminus}k{\isacharparenright}} for the
|
11636
|
133 |
well-founded relation in our \isacommand{recdef}. However, the arithmetic
|
|
134 |
goal in the lemma above would have arisen instead in the \isacommand{recdef}
|
|
135 |
termination proof, where we have less control. A tailor-made termination
|
|
136 |
relation makes even more sense when it can be used in several function
|
|
137 |
declarations.%
|
|
138 |
\end{isamarkuptext}%
|
11866
|
139 |
\isamarkuptrue%
|
|
140 |
\isamarkupfalse%
|
11636
|
141 |
\end{isabellebody}%
|
10187
|
142 |
%%% Local Variables:
|
|
143 |
%%% mode: latex
|
|
144 |
%%% TeX-master: "root"
|
|
145 |
%%% End:
|