isabelle: src/Doc/Tutorial/Misc/AdvancedInd.thy@990ffb84489b (annotated)

9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	1	(<)
16417 9bc16273c2d4 migrated theory headers to new format haftmann parents: 12815 diff changeset	2	theory AdvancedInd imports Main begin;
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	3	(>)
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	4
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	5	text{*\noindent
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	6	Now that we have learned about rules and logic, we take another look at the
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	7	finer points of induction. We consider two questions: what to do if the
10396 5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	8	proposition to be proved is not directly amenable to induction
5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	9	(\S\ref{sec:ind-var-in-prems}), and how to utilize (\S\ref{sec:complete-ind})
5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	10	and even derive (\S\ref{sec:derive-ind}) new induction schemas. We conclude
5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	11	with an extended example of induction (\S\ref{sec:CTL-revisited}).
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	12	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	13
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	14	subsection{Massaging the Proposition};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	15
10217 e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	16	text{*\label{sec:ind-var-in-prems}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	17	Often we have assumed that the theorem to be proved is already in a form
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	18	that is amenable to induction, but sometimes it isn't.
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	19	Here is an example.
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	20	Since @{term"hd"} and @{term"last"} return the first and last element of a
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	21	non-empty list, this lemma looks easy to prove:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	22	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	23
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	24	lemma "xs \<noteq> [] \<Longrightarrow> hd(rev xs) = last xs"
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	25	apply(induct_tac xs)
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	26
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	27	txt{*\noindent
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	28	But induction produces the warning
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	29	\begin{quote}\tt
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	30	Induction variable occurs also among premises!
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	31	\end{quote}
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	32	and leads to the base case
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	33	@{subgoals[display,indent=0,goals_limit=1]}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	34	Simplification reduces the base case to this:
9723 a977245dfc8a * empty log message * nipkow parents: 9689 diff changeset	35	\begin{isabelle}
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	36	\ 1.\ xs\ {\isasymnoteq}\ []\ {\isasymLongrightarrow}\ hd\ []\ =\ last\ []
9723 a977245dfc8a * empty log message * nipkow parents: 9689 diff changeset	37	\end{isabelle}
10242 028f54cd2cc9 * empty log message * nipkow parents: 10241 diff changeset	38	We cannot prove this equality because we do not know what @{term hd} and
028f54cd2cc9 * empty log message * nipkow parents: 10241 diff changeset	39	@{term last} return when applied to @{term"[]"}.
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	40
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	41	We should not have ignored the warning. Because the induction
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	42	formula is only the conclusion, induction does not affect the occurrence of @{term xs} in the premises.
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	43	Thus the case that should have been trivial
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	44	becomes unprovable. Fortunately, the solution is easy:\footnote{A similar
10242 028f54cd2cc9 * empty log message * nipkow parents: 10241 diff changeset	45	heuristic applies to rule inductions; see \S\ref{sec:rtc}.}
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	46	\begin{quote}
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	47	\emph{Pull all occurrences of the induction variable into the conclusion
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	48	using @{text"\<longrightarrow>"}.}
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	49	\end{quote}
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	50	Thus we should state the lemma as an ordinary
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	51	implication~(@{text"\<longrightarrow>"}), letting
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	52	\attrdx{rule_format} (\S\ref{sec:forward}) convert the
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	53	result to the usual @{text"\<Longrightarrow>"} form:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	54	*};
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	55	(<)oops;(>)
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	56	lemma hd_rev [rule_format]: "xs \<noteq> [] \<longrightarrow> hd(rev xs) = last xs";
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	57	(<)
10420 ef006735bee8 * empty log message * nipkow parents: 10396 diff changeset	58	apply(induct_tac xs);
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	59	(>)
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	60
10420 ef006735bee8 * empty log message * nipkow parents: 10396 diff changeset	61	txt{*\noindent
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	62	This time, induction leaves us with a trivial base case:
10420 ef006735bee8 * empty log message * nipkow parents: 10396 diff changeset	63	@{subgoals[display,indent=0,goals_limit=1]}
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	64	And @{text"auto"} completes the proof.
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	65
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	66	If there are multiple premises $A@1$, \dots, $A@n$ containing the
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	67	induction variable, you should turn the conclusion $C$ into
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	68	\[ A@1 \longrightarrow \cdots A@n \longrightarrow C. \]
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	69	Additionally, you may also have to universally quantify some other variables,
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	70	which can yield a fairly complex conclusion. However, @{text rule_format}
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	71	can remove any number of occurrences of @{text"\<forall>"} and
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	72	@{text"\<longrightarrow>"}.
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	73
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	74	\index{induction!on a term}%
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	75	A second reason why your proposition may not be amenable to induction is that
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	76	you want to induct on a complex term, rather than a variable. In
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	77	general, induction on a term~$t$ requires rephrasing the conclusion~$C$
10217 e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	78	as
11277 a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	79	\begin{equation}\label{eqn:ind-over-term}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	80	\forall y@1 \dots y@n.~ x = t \longrightarrow C.
11277 a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	81	\end{equation}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	82	where $y@1 \dots y@n$ are the free variables in $t$ and $x$ is a new variable.
12815 1f073030b97a tuned; wenzelm parents: 12699 diff changeset	83	Now you can perform induction on~$x$. An example appears in
10217 e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	84	\S\ref{sec:complete-ind} below.
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	85
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	86	The very same problem may occur in connection with rule induction. Remember
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	87	that it requires a premise of the form $(x@1,\dots,x@k) \in R$, where $R$ is
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	88	some inductively defined set and the $x@i$ are variables. If instead we have
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	89	a premise $t \in R$, where $t$ is not just an $n$-tuple of variables, we
e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	90	replace it with $(x@1,\dots,x@k) \in R$, and rephrase the conclusion $C$ as
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	91	\[ \forall y@1 \dots y@n.~ (x@1,\dots,x@k) = t \longrightarrow C. \]
10217 e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	92	For an example see \S\ref{sec:CTL-revisited} below.
10281 9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	93
9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	94	Of course, all premises that share free variables with $t$ need to be pulled into
9554ce1c2e54 * empty log message * nipkow parents: 10242 diff changeset	95	the conclusion as well, under the @{text"\<forall>"}, again using @{text"\<longrightarrow>"} as shown above.
11277 a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	96
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	97	Readers who are puzzled by the form of statement
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	98	(\ref{eqn:ind-over-term}) above should remember that the
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	99	transformation is only performed to permit induction. Once induction
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	100	has been applied, the statement can be transformed back into something quite
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	101	intuitive. For example, applying wellfounded induction on $x$ (w.r.t.\
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	102	$\prec$) to (\ref{eqn:ind-over-term}) and transforming the result a
a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	103	little leads to the goal
11278 9710486b886b * empty log message * nipkow parents: 11277 diff changeset	104	\[ \bigwedge\overline{y}.\
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	105	\forall \overline{z}.\ t\,\overline{z} \prec t\,\overline{y}\ \longrightarrow\ C\,\overline{z}
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	106	\ \Longrightarrow\ C\,\overline{y} \]
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	107	where $\overline{y}$ stands for $y@1 \dots y@n$ and the dependence of $t$ and
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	108	$C$ on the free variables of $t$ has been made explicit.
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	109	Unfortunately, this induction schema cannot be expressed as a
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	110	single theorem because it depends on the number of free variables in $t$ ---
9710486b886b * empty log message * nipkow parents: 11277 diff changeset	111	the notation $\overline{y}$ is merely an informal device.
11277 a2bff98d6e5d * empty log message * nipkow parents: 11256 diff changeset	112	*}
12492 a4dd02e744e0 * empty log message * nipkow parents: 11494 diff changeset	113	(<)by auto(>)
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	114
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	115	subsection{Beyond Structural and Recursion Induction};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	116
10217 e61e7e1eacaf * empty log message * nipkow parents: 10186 diff changeset	117	text{*\label{sec:complete-ind}
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	118	So far, inductive proofs were by structural induction for
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	119	primitive recursive functions and recursion induction for total recursive
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	120	functions. But sometimes structural induction is awkward and there is no
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	121	recursive function that could furnish a more appropriate
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	122	induction schema. In such cases a general-purpose induction schema can
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	123	be helpful. We show how to apply such induction schemas by an example.
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	124
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	125	Structural induction on @{typ"nat"} is
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	126	usually known as mathematical induction. There is also \textbf{complete}
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	127	\index{induction!complete}%
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	128	induction, where you prove $P(n)$ under the assumption that $P(m)$
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	129	holds for all $m<n$. In Isabelle, this is the theorem \tdx{nat_less_induct}:
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	130	@{thm[display]"nat_less_induct"[no_vars]}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	131	As an application, we prove a property of the following
11278 9710486b886b * empty log message * nipkow parents: 11277 diff changeset	132	function:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	133	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	134
48994 c84278efa9d5 modernized specifications; wenzelm parents: 48985 diff changeset	135	axiomatization f :: "nat \<Rightarrow> nat"
c84278efa9d5 modernized specifications; wenzelm parents: 48985 diff changeset	136	where f_ax: "f(f(n)) < f(Suc(n))"
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	137
11256 49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	138	text{*
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	139	\begin{warn}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	140	We discourage the use of axioms because of the danger of
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	141	inconsistencies. Axiom @{text f_ax} does
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	142	not introduce an inconsistency because, for example, the identity function
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	143	satisfies it. Axioms can be useful in exploratory developments, say when
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	144	you assume some well-known theorems so that you can quickly demonstrate some
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	145	point about methodology. If your example turns into a substantial proof
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	146	development, you should replace axioms by theorems.
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	147	\end{warn}\noindent
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	148	The axiom for @{term"f"} implies @{prop"n <= f n"}, which can
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	149	be proved by induction on \mbox{@{term"f n"}}. Following the recipe outlined
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	150	above, we have to phrase the proposition as follows to allow induction:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	151	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	152
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	153	lemma f_incr_lem: "\<forall>i. k = f i \<longrightarrow> i \<le> f i";
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	154
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	155	txt{*\noindent
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	156	To perform induction on @{term k} using @{thm[source]nat_less_induct}, we use
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	157	the same general induction method as for recursion induction (see
25258 22d16596c306 recdef -> fun nipkow parents: 16417 diff changeset	158	\S\ref{sec:fun-induction}):
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	159	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	160
9923 fe13743ffc8b renamed "rulify" to "rulified"; wenzelm parents: 9834 diff changeset	161	apply(induct_tac k rule: nat_less_induct);
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	162
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	163	txt{*\noindent
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	164	We get the following proof state:
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	165	@{subgoals[display,indent=0,margin=65]}
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	166	After stripping the @{text"\<forall>i"}, the proof continues with a case
12699 deae80045527 * empty log message * nipkow parents: 12492 diff changeset	167	distinction on @{term"i"}. The case @{prop"i = (0::nat)"} is trivial and we focus on
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	168	the other case:
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	169	*}
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	170
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	171	apply(rule allI)
bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	172	apply(case_tac i)
bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	173	apply(simp)
10363 6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	174	txt{*
6e8002c1790e * empty log message * nipkow parents: 10328 diff changeset	175	@{subgoals[display,indent=0]}
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	176	*}
bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	177	by(blast intro!: f_ax Suc_leI intro: le_less_trans)
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	178
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	179	text{*\noindent
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	180	If you find the last step puzzling, here are the two lemmas it employs:
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	181	\begin{isabelle}
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	182	@{thm Suc_leI[no_vars]}
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	183	\rulename{Suc_leI}\isanewline
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	184	@{thm le_less_trans[no_vars]}
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	185	\rulename{le_less_trans}
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	186	\end{isabelle}
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	187	%
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	188	The proof goes like this (writing @{term"j"} instead of @{typ"nat"}).
bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	189	Since @{prop"i = Suc j"} it suffices to show
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	190	\hbox{@{prop"j < f(Suc j)"}},
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	191	by @{thm[source]Suc_leI}\@. This is
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	192	proved as follows. From @{thm[source]f_ax} we have @{prop"f (f j) < f (Suc j)"}
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	193	(1) which implies @{prop"f j <= f (f j)"} by the induction hypothesis.
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	194	Using (1) once more we obtain @{prop"f j < f(Suc j)"} (2) by the transitivity
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	195	rule @{thm[source]le_less_trans}.
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	196	Using the induction hypothesis once more we obtain @{prop"j <= f j"}
bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	197	which, together with (2) yields @{prop"j < f (Suc j)"} (again by
bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	198	@{thm[source]le_less_trans}).
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	199
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	200	This last step shows both the power and the danger of automatic proofs. They
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	201	will usually not tell you how the proof goes, because it can be hard to
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	202	translate the internal proof into a human-readable format. Automatic
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	203	proofs are easy to write but hard to read and understand.
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	204
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	205	The desired result, @{prop"i <= f i"}, follows from @{thm[source]f_incr_lem}:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	206	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	207
9941 fe05af7ec816 renamed atts: rulify to rule_format, elimify to elim_format; wenzelm parents: 9933 diff changeset	208	lemmas f_incr = f_incr_lem[rule_format, OF refl];
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	209
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	210	text{*\noindent
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	211	The final @{thm[source]refl} gets rid of the premise @{text"?k = f ?i"}.
90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	212	We could have included this derivation in the original statement of the lemma:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	213	*};
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	214
9941 fe05af7ec816 renamed atts: rulify to rule_format, elimify to elim_format; wenzelm parents: 9933 diff changeset	215	lemma f_incr[rule_format, OF refl]: "\<forall>i. k = f i \<longrightarrow> i \<le> f i";
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	216	(<)oops;(>)
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	217
20ae97cd2a16 * empty log message * nipkow parents: diff changeset	218	text{*
11256 49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	219	\begin{exercise}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	220	From the axiom and lemma for @{term"f"}, show that @{term"f"} is the
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	221	identity function.
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	222	\end{exercise}
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	223
11428 332347b9b942 tidying the index paulson parents: 11278 diff changeset	224	Method \methdx{induct_tac} can be applied with any rule $r$
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	225	whose conclusion is of the form ${?}P~?x@1 \dots ?x@n$, in which case the
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	226	format is
9792 bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	227	\begin{quote}
bbefb6ce5cb2 * empty log message * nipkow parents: 9723 diff changeset	228	\isacommand{apply}@{text"(induct_tac"} $y@1 \dots y@n$ @{text"rule:"} $r$@{text")"}
11428 332347b9b942 tidying the index paulson parents: 11278 diff changeset	229	\end{quote}
27320 b7443e5a5335 induct_tac: old conjunctive rules no longer supported; wenzelm parents: 25258 diff changeset	230	where $y@1, \dots, y@n$ are variables in the conclusion of the first subgoal.
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	231
11256 49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	232	A further useful induction rule is @{thm[source]length_induct},
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	233	induction on the length of a list\indexbold{*length_induct}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	234	@{thm[display]length_induct[no_vars]}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	235	which is a special case of @{thm[source]measure_induct}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	236	@{thm[display]measure_induct[no_vars]}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	237	where @{term f} may be any function into type @{typ nat}.
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	238	*}
9645 20ae97cd2a16 * empty log message * nipkow parents: diff changeset	239
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	240	subsection{Derivation of New Induction Schemas};
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	241
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	242	text{*\label{sec:derive-ind}
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	243	\index{induction!deriving new schemas}%
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	244	Induction schemas are ordinary theorems and you can derive new ones
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	245	whenever you wish. This section shows you how, using the example
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	246	of @{thm[source]nat_less_induct}. Assume we only have structural induction
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	247	available for @{typ"nat"} and want to derive complete induction. We
23a118849801 revisions and indexing paulson parents: 11428 diff changeset	248	must generalize the statement as shown:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	249	*};
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	250
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	251	lemma induct_lem: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> \<forall>m<n. P m";
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	252	apply(induct_tac n);
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	253
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	254	txt{*\noindent
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	255	The base case is vacuously true. For the induction step (@{prop"m <
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	256	Suc n"}) we distinguish two cases: case @{prop"m < n"} is true by induction
9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	257	hypothesis and case @{prop"m = n"} follows from the assumption, again using
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	258	the induction hypothesis:
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	259	*};
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	260	apply(blast);
12815 1f073030b97a tuned; wenzelm parents: 12699 diff changeset	261	by(blast elim: less_SucE)
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	262
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	263	text{*\noindent
11196 bb4ede27fcb7 * empty log message * nipkow parents: 10885 diff changeset	264	The elimination rule @{thm[source]less_SucE} expresses the case distinction:
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	265	@{thm[display]"less_SucE"[no_vars]}
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	266
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	267	Now it is straightforward to derive the original version of
11256 49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	268	@{thm[source]nat_less_induct} by manipulating the conclusion of the above
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	269	lemma: instantiate @{term"n"} by @{term"Suc n"} and @{term"m"} by @{term"n"}
49afcce3bada * empty log message * nipkow parents: 11196 diff changeset	270	and remove the trivial condition @{prop"n < Suc n"}. Fortunately, this
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	271	happens automatically when we add the lemma as a new premise to the
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	272	desired goal:
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	273	*};
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	274
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	275	theorem nat_less_induct: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> P n";
9689 751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	276	by(insert induct_lem, blast);
751fde5307e4 * empty log message * nipkow parents: 9645 diff changeset	277
9933 9feb1e0c4cb3 * empty log message * nipkow parents: 9923 diff changeset	278	text{*
11494 23a118849801 revisions and indexing paulson parents: 11428 diff changeset	279	HOL already provides the mother of
10396 5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	280	all inductions, well-founded induction (see \S\ref{sec:Well-founded}). For
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	281	example theorem @{thm[source]nat_less_induct} is
10396 5ab08609e6c8 * empty log message * nipkow parents: 10363 diff changeset	282	a special case of @{thm[source]wf_induct} where @{term r} is @{text"<"} on
10885 90695f46440b lcp's pass over the book, chapters 1-8 paulson parents: 10654 diff changeset	283	@{typ nat}. The details can be found in theory \isa{Wellfounded_Recursion}.
10654 458068404143 * empty log message * nipkow parents: 10420 diff changeset	284	*}
458068404143 * empty log message * nipkow parents: 10420 diff changeset	285	(<)end(>)

author	wenzelm
	Wed, 23 Jul 2014 11:19:24 +0200
changeset 57612	990ffb84489b
parent 48994	c84278efa9d5
child 58860	fee7cfa69c50
permissions	-rw-r--r--