| author | wenzelm |
| Sun, 30 Jan 2011 13:02:18 +0100 | |
| changeset 41648 | 6d736d983d5c |
| parent 40406 | 313a24b66a8d |
| permissions | -rw-r--r-- |
| 13999 | 1 |
% |
2 |
\begin{isabellebody}%
|
|
3 |
\def\isabellecontext{Induction}%
|
|
| 17125 | 4 |
% |
5 |
\isadelimtheory |
|
6 |
% |
|
7 |
\endisadelimtheory |
|
8 |
% |
|
9 |
\isatagtheory |
|
10 |
% |
|
11 |
\endisatagtheory |
|
12 |
{\isafoldtheory}%
|
|
13 |
% |
|
14 |
\isadelimtheory |
|
15 |
% |
|
16 |
\endisadelimtheory |
|
| 13999 | 17 |
% |
18 |
\isamarkupsection{Case distinction and induction \label{sec:Induct}%
|
|
19 |
} |
|
20 |
\isamarkuptrue% |
|
21 |
% |
|
22 |
\begin{isamarkuptext}%
|
|
23 |
Computer science applications abound with inductively defined |
|
24 |
structures, which is why we treat them in more detail. HOL already |
|
25 |
comes with a datatype of lists with the two constructors \isa{Nil}
|
|
| 40406 | 26 |
and \isa{Cons}. \isa{Nil} is written \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} and \isa{Cons\ x\ xs} is written \isa{x\ {\isaliteral{23}{\isacharhash}}\ xs}.%
|
| 13999 | 27 |
\end{isamarkuptext}%
|
28 |
\isamarkuptrue% |
|
29 |
% |
|
30 |
\isamarkupsubsection{Case distinction\label{sec:CaseDistinction}%
|
|
31 |
} |
|
32 |
\isamarkuptrue% |
|
33 |
% |
|
34 |
\begin{isamarkuptext}%
|
|
35 |
We have already met the \isa{cases} method for performing
|
|
36 |
binary case splits. Here is another example:% |
|
37 |
\end{isamarkuptext}%
|
|
| 17175 | 38 |
\isamarkuptrue% |
39 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 40 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C6F723E}{\isasymor}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 17125 | 41 |
% |
42 |
\isadelimproof |
|
43 |
% |
|
44 |
\endisadelimproof |
|
45 |
% |
|
46 |
\isatagproof |
|
| 17175 | 47 |
\isacommand{proof}\isamarkupfalse%
|
48 |
\ cases\isanewline |
|
49 |
\ \ \isacommand{assume}\isamarkupfalse%
|
|
| 40406 | 50 |
\ {\isaliteral{22}{\isachardoublequoteopen}}A{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{thus}\isamarkupfalse%
|
51 |
\ {\isaliteral{3F}{\isacharquery}}thesis\ \isacommand{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
|
|
| 17175 | 52 |
\isanewline |
53 |
\isacommand{next}\isamarkupfalse%
|
|
54 |
\isanewline |
|
55 |
\ \ \isacommand{assume}\isamarkupfalse%
|
|
| 40406 | 56 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{thus}\isamarkupfalse%
|
57 |
\ {\isaliteral{3F}{\isacharquery}}thesis\ \isacommand{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
|
|
| 17175 | 58 |
\isanewline |
59 |
\isacommand{qed}\isamarkupfalse%
|
|
60 |
% |
|
| 17125 | 61 |
\endisatagproof |
62 |
{\isafoldproof}%
|
|
63 |
% |
|
64 |
\isadelimproof |
|
65 |
% |
|
66 |
\endisadelimproof |
|
| 13999 | 67 |
% |
68 |
\begin{isamarkuptext}%
|
|
| 40406 | 69 |
\noindent The two cases must come in this order because \isa{cases} merely abbreviates \isa{{\isaliteral{28}{\isacharparenleft}}rule\ case{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}} where
|
70 |
\isa{case{\isaliteral{5F}{\isacharunderscore}}split} is \isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ {\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q}. If we reverse
|
|
| 13999 | 71 |
the order of the two cases in the proof, the first case would prove |
| 40406 | 72 |
\isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C6F723E}{\isasymor}}\ A} which would solve the first premise of
|
73 |
\isa{case{\isaliteral{5F}{\isacharunderscore}}split}, instantiating \isa{{\isaliteral{3F}{\isacharquery}}P} with \isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A}, thus making the second premise \isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C6F723E}{\isasymor}}\ A}.
|
|
| 13999 | 74 |
Therefore the order of subgoals is not always completely arbitrary. |
75 |
||
76 |
The above proof is appropriate if \isa{A} is textually small.
|
|
77 |
However, if \isa{A} is large, we do not want to repeat it. This can
|
|
78 |
be avoided by the following idiom% |
|
79 |
\end{isamarkuptext}%
|
|
| 17175 | 80 |
\isamarkuptrue% |
81 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 82 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C6F723E}{\isasymor}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 17125 | 83 |
% |
84 |
\isadelimproof |
|
85 |
% |
|
86 |
\endisadelimproof |
|
87 |
% |
|
88 |
\isatagproof |
|
| 17175 | 89 |
\isacommand{proof}\isamarkupfalse%
|
| 40406 | 90 |
\ {\isaliteral{28}{\isacharparenleft}}cases\ {\isaliteral{22}{\isachardoublequoteopen}}A{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
|
| 17175 | 91 |
\ \ \isacommand{case}\isamarkupfalse%
|
92 |
\ True\ \isacommand{thus}\isamarkupfalse%
|
|
| 40406 | 93 |
\ {\isaliteral{3F}{\isacharquery}}thesis\ \isacommand{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
|
| 17175 | 94 |
\isanewline |
95 |
\isacommand{next}\isamarkupfalse%
|
|
96 |
\isanewline |
|
97 |
\ \ \isacommand{case}\isamarkupfalse%
|
|
98 |
\ False\ \isacommand{thus}\isamarkupfalse%
|
|
| 40406 | 99 |
\ {\isaliteral{3F}{\isacharquery}}thesis\ \isacommand{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
|
| 17175 | 100 |
\isanewline |
101 |
\isacommand{qed}\isamarkupfalse%
|
|
102 |
% |
|
| 17125 | 103 |
\endisatagproof |
104 |
{\isafoldproof}%
|
|
105 |
% |
|
106 |
\isadelimproof |
|
107 |
% |
|
108 |
\endisadelimproof |
|
| 13999 | 109 |
% |
110 |
\begin{isamarkuptext}%
|
|
111 |
\noindent which is like the previous proof but instantiates |
|
| 40406 | 112 |
\isa{{\isaliteral{3F}{\isacharquery}}P} right away with \isa{A}. Thus we could prove the two
|
| 25412 | 113 |
cases in any order. The phrase \isakeyword{case}~\isa{True}
|
| 40406 | 114 |
abbreviates \isakeyword{assume}~\isa{True{\isaliteral{3A}{\isacharcolon}}\ A} and analogously for
|
115 |
\isa{False} and \isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A}.
|
|
| 13999 | 116 |
|
117 |
The same game can be played with other datatypes, for example lists, |
|
118 |
where \isa{tl} is the tail of a list, and \isa{length} returns a
|
|
119 |
natural number (remember: $0-1=0$):% |
|
120 |
\end{isamarkuptext}%
|
|
| 17175 | 121 |
\isamarkuptrue% |
122 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 123 |
\ {\isaliteral{22}{\isachardoublequoteopen}}length{\isaliteral{28}{\isacharparenleft}}tl\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ length\ xs\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 17125 | 124 |
% |
125 |
\isadelimproof |
|
126 |
% |
|
127 |
\endisadelimproof |
|
128 |
% |
|
129 |
\isatagproof |
|
| 17175 | 130 |
\isacommand{proof}\isamarkupfalse%
|
| 40406 | 131 |
\ {\isaliteral{28}{\isacharparenleft}}cases\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
|
| 17175 | 132 |
\ \ \isacommand{case}\isamarkupfalse%
|
133 |
\ Nil\ \isacommand{thus}\isamarkupfalse%
|
|
| 40406 | 134 |
\ {\isaliteral{3F}{\isacharquery}}thesis\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 135 |
\ simp\isanewline |
136 |
\isacommand{next}\isamarkupfalse%
|
|
137 |
\isanewline |
|
138 |
\ \ \isacommand{case}\isamarkupfalse%
|
|
139 |
\ Cons\ \isacommand{thus}\isamarkupfalse%
|
|
| 40406 | 140 |
\ {\isaliteral{3F}{\isacharquery}}thesis\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 141 |
\ simp\isanewline |
142 |
\isacommand{qed}\isamarkupfalse%
|
|
143 |
% |
|
| 17125 | 144 |
\endisatagproof |
145 |
{\isafoldproof}%
|
|
146 |
% |
|
147 |
\isadelimproof |
|
148 |
% |
|
149 |
\endisadelimproof |
|
| 13999 | 150 |
% |
151 |
\begin{isamarkuptext}%
|
|
| 25412 | 152 |
\noindent Here \isakeyword{case}~\isa{Nil} abbreviates
|
| 40406 | 153 |
\isakeyword{assume}~\isa{Nil{\isaliteral{3A}{\isacharcolon}}}~\isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} and
|
154 |
\isakeyword{case}~\isa{Cons} abbreviates \isakeyword{fix}~\isa{{\isaliteral{3F}{\isacharquery}}\ {\isaliteral{3F}{\isacharquery}}{\isaliteral{3F}{\isacharquery}}}
|
|
155 |
\isakeyword{assume}~\isa{Cons{\isaliteral{3A}{\isacharcolon}}}~\isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{3F}{\isacharquery}}\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{3F}{\isacharquery}}{\isaliteral{3F}{\isacharquery}}},
|
|
156 |
where \isa{{\isaliteral{3F}{\isacharquery}}} and \isa{{\isaliteral{3F}{\isacharquery}}{\isaliteral{3F}{\isacharquery}}}
|
|
| 13999 | 157 |
stand for variable names that have been chosen by the system. |
158 |
Therefore we cannot refer to them. |
|
159 |
Luckily, this proof is simple enough we do not need to refer to them. |
|
160 |
However, sometimes one may have to. Hence Isar offers a simple scheme for |
|
161 |
naming those variables: replace the anonymous \isa{Cons} by
|
|
| 40406 | 162 |
\isa{{\isaliteral{28}{\isacharparenleft}}Cons\ y\ ys{\isaliteral{29}{\isacharparenright}}}, which abbreviates \isakeyword{fix}~\isa{y\ ys}
|
163 |
\isakeyword{assume}~\isa{Cons{\isaliteral{3A}{\isacharcolon}}}~\isa{xs\ {\isaliteral{3D}{\isacharequal}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys}.
|
|
| 13999 | 164 |
In each \isakeyword{case} the assumption can be
|
165 |
referred to inside the proof by the name of the constructor. In |
|
166 |
Section~\ref{sec:full-Ind} below we will come across an example
|
|
| 25403 | 167 |
of this. |
168 |
||
169 |
\subsection{Structural induction}
|
|
170 |
||
| 13999 | 171 |
We start with an inductive proof where both cases are proved automatically:% |
172 |
\end{isamarkuptext}%
|
|
| 17175 | 173 |
\isamarkuptrue% |
174 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 175 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C53756D3E}{\isasymSum}}i{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{5C3C6C653E}{\isasymle}}n{\isaliteral{2E}{\isachardot}}\ i{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{28}{\isacharparenleft}}n{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 17125 | 176 |
% |
177 |
\isadelimproof |
|
178 |
% |
|
179 |
\endisadelimproof |
|
180 |
% |
|
181 |
\isatagproof |
|
| 17175 | 182 |
\isacommand{by}\isamarkupfalse%
|
| 40406 | 183 |
\ {\isaliteral{28}{\isacharparenleft}}induct\ n{\isaliteral{29}{\isacharparenright}}\ simp{\isaliteral{5F}{\isacharunderscore}}all%
|
| 17125 | 184 |
\endisatagproof |
185 |
{\isafoldproof}%
|
|
186 |
% |
|
187 |
\isadelimproof |
|
188 |
% |
|
189 |
\endisadelimproof |
|
| 13999 | 190 |
% |
191 |
\begin{isamarkuptext}%
|
|
| 40406 | 192 |
\noindent The constraint \isa{{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat} is needed because all of
|
| 15909 | 193 |
the operations involved are overloaded. |
| 25427 | 194 |
This proof also demonstrates that \isakeyword{by} can take two arguments,
|
195 |
one to start and one to finish the proof --- the latter is optional. |
|
| 15909 | 196 |
|
197 |
If we want to expose more of the structure of the |
|
| 13999 | 198 |
proof, we can use pattern matching to avoid having to repeat the goal |
199 |
statement:% |
|
200 |
\end{isamarkuptext}%
|
|
| 17175 | 201 |
\isamarkuptrue% |
202 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 203 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C53756D3E}{\isasymSum}}i{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{5C3C6C653E}{\isasymle}}n{\isaliteral{2E}{\isachardot}}\ i{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{28}{\isacharparenleft}}n{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{is}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{3F}{\isacharquery}}P\ n{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
|
| 17125 | 204 |
% |
205 |
\isadelimproof |
|
206 |
% |
|
207 |
\endisadelimproof |
|
208 |
% |
|
209 |
\isatagproof |
|
| 17175 | 210 |
\isacommand{proof}\isamarkupfalse%
|
| 40406 | 211 |
\ {\isaliteral{28}{\isacharparenleft}}induct\ n{\isaliteral{29}{\isacharparenright}}\isanewline
|
| 17175 | 212 |
\ \ \isacommand{show}\isamarkupfalse%
|
| 40406 | 213 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{3F}{\isacharquery}}P\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 214 |
\ simp\isanewline |
215 |
\isacommand{next}\isamarkupfalse%
|
|
216 |
\isanewline |
|
217 |
\ \ \isacommand{fix}\isamarkupfalse%
|
|
218 |
\ n\ \isacommand{assume}\isamarkupfalse%
|
|
| 40406 | 219 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{3F}{\isacharquery}}P\ n{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 17175 | 220 |
\ \ \isacommand{thus}\isamarkupfalse%
|
| 40406 | 221 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{3F}{\isacharquery}}P{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 222 |
\ simp\isanewline |
223 |
\isacommand{qed}\isamarkupfalse%
|
|
224 |
% |
|
| 17125 | 225 |
\endisatagproof |
226 |
{\isafoldproof}%
|
|
227 |
% |
|
228 |
\isadelimproof |
|
229 |
% |
|
230 |
\endisadelimproof |
|
| 13999 | 231 |
% |
232 |
\begin{isamarkuptext}%
|
|
233 |
\noindent We could refine this further to show more of the equational |
|
234 |
proof. Instead we explore the same avenue as for case distinctions: |
|
235 |
introducing context via the \isakeyword{case} command:%
|
|
236 |
\end{isamarkuptext}%
|
|
| 17175 | 237 |
\isamarkuptrue% |
238 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 239 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C53756D3E}{\isasymSum}}i{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat\ {\isaliteral{5C3C6C653E}{\isasymle}}\ n{\isaliteral{2E}{\isachardot}}\ i{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{28}{\isacharparenleft}}n{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 17125 | 240 |
% |
241 |
\isadelimproof |
|
242 |
% |
|
243 |
\endisadelimproof |
|
244 |
% |
|
245 |
\isatagproof |
|
| 17175 | 246 |
\isacommand{proof}\isamarkupfalse%
|
| 40406 | 247 |
\ {\isaliteral{28}{\isacharparenleft}}induct\ n{\isaliteral{29}{\isacharparenright}}\isanewline
|
| 17175 | 248 |
\ \ \isacommand{case}\isamarkupfalse%
|
249 |
\ {\isadigit{0}}\ \isacommand{show}\isamarkupfalse%
|
|
| 40406 | 250 |
\ {\isaliteral{3F}{\isacharquery}}case\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 251 |
\ simp\isanewline |
252 |
\isacommand{next}\isamarkupfalse%
|
|
253 |
\isanewline |
|
254 |
\ \ \isacommand{case}\isamarkupfalse%
|
|
255 |
\ Suc\ \isacommand{thus}\isamarkupfalse%
|
|
| 40406 | 256 |
\ {\isaliteral{3F}{\isacharquery}}case\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 257 |
\ simp\isanewline |
258 |
\isacommand{qed}\isamarkupfalse%
|
|
259 |
% |
|
| 17125 | 260 |
\endisatagproof |
261 |
{\isafoldproof}%
|
|
262 |
% |
|
263 |
\isadelimproof |
|
264 |
% |
|
265 |
\endisadelimproof |
|
| 13999 | 266 |
% |
267 |
\begin{isamarkuptext}%
|
|
| 40406 | 268 |
\noindent The implicitly defined \isa{{\isaliteral{3F}{\isacharquery}}case} refers to the
|
269 |
corresponding case to be proved, i.e.\ \isa{{\isaliteral{3F}{\isacharquery}}P\ {\isadigit{0}}} in the first case and
|
|
270 |
\isa{{\isaliteral{3F}{\isacharquery}}P{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}} in the second case. Context \isakeyword{case}~\isa{{\isadigit{0}}} is
|
|
271 |
empty whereas \isakeyword{case}~\isa{Suc} assumes \isa{{\isaliteral{3F}{\isacharquery}}P\ n}. Again we
|
|
| 13999 | 272 |
have the same problem as with case distinctions: we cannot refer to an anonymous \isa{n}
|
273 |
in the induction step because it has not been introduced via \isakeyword{fix}
|
|
274 |
(in contrast to the previous proof). The solution is the one outlined for |
|
| 40406 | 275 |
\isa{Cons} above: replace \isa{Suc} by \isa{{\isaliteral{28}{\isacharparenleft}}Suc\ i{\isaliteral{29}{\isacharparenright}}}:%
|
| 13999 | 276 |
\end{isamarkuptext}%
|
| 17175 | 277 |
\isamarkuptrue% |
278 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 279 |
\ \isakeyword{fixes}\ n{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat\ \isakeyword{shows}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{3C}{\isacharless}}\ n{\isaliteral{2A}{\isacharasterisk}}n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 17125 | 280 |
% |
281 |
\isadelimproof |
|
282 |
% |
|
283 |
\endisadelimproof |
|
284 |
% |
|
285 |
\isatagproof |
|
| 17175 | 286 |
\isacommand{proof}\isamarkupfalse%
|
| 40406 | 287 |
\ {\isaliteral{28}{\isacharparenleft}}induct\ n{\isaliteral{29}{\isacharparenright}}\isanewline
|
| 17175 | 288 |
\ \ \isacommand{case}\isamarkupfalse%
|
289 |
\ {\isadigit{0}}\ \isacommand{show}\isamarkupfalse%
|
|
| 40406 | 290 |
\ {\isaliteral{3F}{\isacharquery}}case\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 291 |
\ simp\isanewline |
292 |
\isacommand{next}\isamarkupfalse%
|
|
293 |
\isanewline |
|
294 |
\ \ \isacommand{case}\isamarkupfalse%
|
|
| 40406 | 295 |
\ {\isaliteral{28}{\isacharparenleft}}Suc\ i{\isaliteral{29}{\isacharparenright}}\ \isacommand{thus}\isamarkupfalse%
|
296 |
\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ i\ {\isaliteral{3C}{\isacharless}}\ Suc\ i\ {\isaliteral{2A}{\isacharasterisk}}\ Suc\ i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
|
|
| 17175 | 297 |
\ simp\isanewline |
298 |
\isacommand{qed}\isamarkupfalse%
|
|
299 |
% |
|
| 17125 | 300 |
\endisatagproof |
301 |
{\isafoldproof}%
|
|
302 |
% |
|
303 |
\isadelimproof |
|
304 |
% |
|
305 |
\endisadelimproof |
|
| 13999 | 306 |
% |
307 |
\begin{isamarkuptext}%
|
|
308 |
\noindent Of course we could again have written |
|
| 40406 | 309 |
\isakeyword{thus}~\isa{{\isaliteral{3F}{\isacharquery}}case} instead of giving the term explicitly
|
| 25403 | 310 |
but we wanted to use \isa{i} somewhere.
|
311 |
||
312 |
\subsection{Generalization via \isa{arbitrary}}
|
|
| 13999 | 313 |
|
| 25403 | 314 |
It is frequently necessary to generalize a claim before it becomes |
315 |
provable by induction. The tutorial~\cite{LNCS2283} demonstrates this
|
|
| 40406 | 316 |
with \isa{itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys}, where \isa{ys}
|
317 |
needs to be universally quantified before induction succeeds.\footnote{\isa{rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}},\quad \isa{rev\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}},\\ \isa{itrev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ ys},\quad \isa{itrev\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ xs{\isaliteral{29}{\isacharparenright}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ itrev\ xs\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ ys{\isaliteral{29}{\isacharparenright}}}} But
|
|
| 25403 | 318 |
strictly speaking, this quantification step is already part of the |
319 |
proof and the quantifiers should not clutter the original claim. This |
|
320 |
is how the quantification step can be combined with induction:% |
|
| 13999 | 321 |
\end{isamarkuptext}%
|
| 17175 | 322 |
\isamarkuptrue% |
323 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 324 |
\ {\isaliteral{22}{\isachardoublequoteopen}}itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 25403 | 325 |
% |
326 |
\isadelimproof |
|
327 |
% |
|
328 |
\endisadelimproof |
|
329 |
% |
|
330 |
\isatagproof |
|
331 |
\isacommand{by}\isamarkupfalse%
|
|
| 40406 | 332 |
\ {\isaliteral{28}{\isacharparenleft}}induct\ xs\ arbitrary{\isaliteral{3A}{\isacharcolon}}\ ys{\isaliteral{29}{\isacharparenright}}\ simp{\isaliteral{5F}{\isacharunderscore}}all%
|
| 25403 | 333 |
\endisatagproof |
334 |
{\isafoldproof}%
|
|
335 |
% |
|
336 |
\isadelimproof |
|
337 |
% |
|
338 |
\endisadelimproof |
|
339 |
% |
|
340 |
\begin{isamarkuptext}%
|
|
| 40406 | 341 |
\noindent The annotation \isa{arbitrary{\isaliteral{3A}{\isacharcolon}}}~\emph{vars}
|
| 25403 | 342 |
universally quantifies all \emph{vars} before the induction. Hence
|
343 |
they can be replaced by \emph{arbitrary} values in the proof.
|
|
344 |
||
|
30649
57753e0ec1d4
1. New cancellation simprocs for common factors in inequations
nipkow
parents:
27171
diff
changeset
|
345 |
Generalization via \isa{arbitrary} is particularly convenient
|
|
57753e0ec1d4
1. New cancellation simprocs for common factors in inequations
nipkow
parents:
27171
diff
changeset
|
346 |
if the induction step is a structured proof as opposed to the automatic |
|
57753e0ec1d4
1. New cancellation simprocs for common factors in inequations
nipkow
parents:
27171
diff
changeset
|
347 |
example above. Then the claim is available in unquantified form but |
| 40406 | 348 |
with the generalized variables replaced by \isa{{\isaliteral{3F}{\isacharquery}}}-variables, ready
|
|
30649
57753e0ec1d4
1. New cancellation simprocs for common factors in inequations
nipkow
parents:
27171
diff
changeset
|
349 |
for instantiation. In the above example, in the \isa{Cons} case the
|
| 40406 | 350 |
induction hypothesis is \isa{itrev\ xs\ {\isaliteral{3F}{\isacharquery}}ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{3F}{\isacharquery}}ys} (available
|
|
30649
57753e0ec1d4
1. New cancellation simprocs for common factors in inequations
nipkow
parents:
27171
diff
changeset
|
351 |
under the name \isa{Cons}).
|
| 25403 | 352 |
|
353 |
||
354 |
\subsection{Inductive proofs of conditional formulae}
|
|
| 25412 | 355 |
\label{sec:full-Ind}
|
| 25403 | 356 |
|
| 40406 | 357 |
Induction also copes well with formulae involving \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}}, for example%
|
| 25403 | 358 |
\end{isamarkuptext}%
|
359 |
\isamarkuptrue% |
|
360 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 361 |
\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ hd{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 25403 | 362 |
% |
363 |
\isadelimproof |
|
364 |
% |
|
365 |
\endisadelimproof |
|
366 |
% |
|
367 |
\isatagproof |
|
368 |
\isacommand{by}\isamarkupfalse%
|
|
| 40406 | 369 |
\ {\isaliteral{28}{\isacharparenleft}}induct\ xs{\isaliteral{29}{\isacharparenright}}\ simp{\isaliteral{5F}{\isacharunderscore}}all%
|
| 25403 | 370 |
\endisatagproof |
371 |
{\isafoldproof}%
|
|
372 |
% |
|
373 |
\isadelimproof |
|
374 |
% |
|
375 |
\endisadelimproof |
|
376 |
% |
|
377 |
\begin{isamarkuptext}%
|
|
378 |
\noindent This is an improvement over that style the |
|
| 40406 | 379 |
tutorial~\cite{LNCS2283} advises, which requires \isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}.
|
| 25403 | 380 |
A further improvement is shown in the following proof:% |
381 |
\end{isamarkuptext}%
|
|
382 |
\isamarkuptrue% |
|
383 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 384 |
\ \ {\isaliteral{22}{\isachardoublequoteopen}}map\ f\ xs\ {\isaliteral{3D}{\isacharequal}}\ map\ f\ ys\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ length\ xs\ {\isaliteral{3D}{\isacharequal}}\ length\ ys{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 17125 | 385 |
% |
386 |
\isadelimproof |
|
387 |
% |
|
388 |
\endisadelimproof |
|
389 |
% |
|
390 |
\isatagproof |
|
| 17175 | 391 |
\isacommand{proof}\isamarkupfalse%
|
| 40406 | 392 |
\ {\isaliteral{28}{\isacharparenleft}}induct\ ys\ arbitrary{\isaliteral{3A}{\isacharcolon}}\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
|
| 25403 | 393 |
\ \ \isacommand{case}\isamarkupfalse%
|
394 |
\ Nil\ \isacommand{thus}\isamarkupfalse%
|
|
| 40406 | 395 |
\ {\isaliteral{3F}{\isacharquery}}case\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 396 |
\ simp\isanewline |
| 25403 | 397 |
\isacommand{next}\isamarkupfalse%
|
398 |
\isanewline |
|
399 |
\ \ \isacommand{case}\isamarkupfalse%
|
|
| 40406 | 400 |
\ {\isaliteral{28}{\isacharparenleft}}Cons\ y\ ys{\isaliteral{29}{\isacharparenright}}\ \ \isacommand{note}\isamarkupfalse%
|
401 |
\ Asm\ {\isaliteral{3D}{\isacharequal}}\ Cons\isanewline
|
|
| 25403 | 402 |
\ \ \isacommand{show}\isamarkupfalse%
|
| 40406 | 403 |
\ {\isaliteral{3F}{\isacharquery}}case\isanewline
|
| 25403 | 404 |
\ \ \isacommand{proof}\isamarkupfalse%
|
| 40406 | 405 |
\ {\isaliteral{28}{\isacharparenleft}}cases\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
|
| 25403 | 406 |
\ \ \ \ \isacommand{case}\isamarkupfalse%
|
407 |
\ Nil\isanewline |
|
408 |
\ \ \ \ \isacommand{hence}\isamarkupfalse%
|
|
409 |
\ False\ \isacommand{using}\isamarkupfalse%
|
|
| 40406 | 410 |
\ Asm{\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ \isacommand{by}\isamarkupfalse%
|
| 25403 | 411 |
\ simp\isanewline |
412 |
\ \ \ \ \isacommand{thus}\isamarkupfalse%
|
|
| 40406 | 413 |
\ {\isaliteral{3F}{\isacharquery}}thesis\ \isacommand{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
|
| 25403 | 414 |
\isanewline |
| 17175 | 415 |
\ \ \isacommand{next}\isamarkupfalse%
|
416 |
\isanewline |
|
417 |
\ \ \ \ \isacommand{case}\isamarkupfalse%
|
|
| 40406 | 418 |
\ {\isaliteral{28}{\isacharparenleft}}Cons\ x\ xs{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}\isanewline
|
| 25403 | 419 |
\ \ \ \ \isacommand{with}\isamarkupfalse%
|
| 40406 | 420 |
\ Asm{\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ \isacommand{have}\isamarkupfalse%
|
421 |
\ {\isaliteral{22}{\isachardoublequoteopen}}map\ f\ xs{\isaliteral{27}{\isacharprime}}\ {\isaliteral{3D}{\isacharequal}}\ map\ f\ ys{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
|
|
| 25427 | 422 |
\ simp\isanewline |
| 25403 | 423 |
\ \ \ \ \isacommand{from}\isamarkupfalse%
|
| 40406 | 424 |
\ Asm{\isaliteral{28}{\isacharparenleft}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5B}{\isacharbrackleft}}OF\ this{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{60}{\isacharbackquoteopen}}xs\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{23}{\isacharhash}}xs{\isaliteral{27}{\isacharprime}}{\isaliteral{60}{\isacharbackquoteclose}}\ \isacommand{show}\isamarkupfalse%
|
425 |
\ {\isaliteral{3F}{\isacharquery}}thesis\ \isacommand{by}\isamarkupfalse%
|
|
| 17175 | 426 |
\ simp\isanewline |
427 |
\ \ \isacommand{qed}\isamarkupfalse%
|
|
428 |
\isanewline |
|
429 |
\isacommand{qed}\isamarkupfalse%
|
|
430 |
% |
|
| 17125 | 431 |
\endisatagproof |
432 |
{\isafoldproof}%
|
|
433 |
% |
|
434 |
\isadelimproof |
|
435 |
% |
|
436 |
\endisadelimproof |
|
| 13999 | 437 |
% |
438 |
\begin{isamarkuptext}%
|
|
| 25403 | 439 |
\noindent |
440 |
The base case is trivial. In the step case Isar assumes |
|
441 |
(under the name \isa{Cons}) two propositions:
|
|
442 |
\begin{center}
|
|
443 |
\begin{tabular}{l}
|
|
| 40406 | 444 |
\isa{map\ f\ {\isaliteral{3F}{\isacharquery}}xs\ {\isaliteral{3D}{\isacharequal}}\ map\ f\ ys\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ length\ {\isaliteral{3F}{\isacharquery}}xs\ {\isaliteral{3D}{\isacharequal}}\ length\ ys}\\
|
445 |
\isa{map\ f\ xs\ {\isaliteral{3D}{\isacharequal}}\ map\ f\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ ys{\isaliteral{29}{\isacharparenright}}}
|
|
| 25403 | 446 |
\end{tabular}
|
447 |
\end{center}
|
|
448 |
The first is the induction hypothesis, the second, and this is new, |
|
449 |
is the premise of the induction step. The actual goal at this point is merely |
|
| 40406 | 450 |
\isa{length\ xs\ {\isaliteral{3D}{\isacharequal}}\ length\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ ys{\isaliteral{29}{\isacharparenright}}}. The assumptions are given the new name
|
451 |
\isa{Asm} to avoid a name clash further down. The proof procedes with a case distinction on \isa{xs}. In the case \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, the second of our two
|
|
452 |
assumptions (\isa{Asm{\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}}) implies the contradiction \isa{{\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ Suc{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C646F74733E}{\isasymdots}}{\isaliteral{29}{\isacharparenright}}}.
|
|
453 |
In the case \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{23}{\isacharhash}}\ xs{\isaliteral{27}{\isacharprime}}}, we first obtain
|
|
454 |
\isa{map\ f\ xs{\isaliteral{27}{\isacharprime}}\ {\isaliteral{3D}{\isacharequal}}\ map\ f\ ys}, from which a forward step with the first assumption (\isa{Asm{\isaliteral{28}{\isacharparenleft}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5B}{\isacharbrackleft}}OF\ this{\isaliteral{5D}{\isacharbrackright}}}) yields \isa{length\ xs{\isaliteral{27}{\isacharprime}}\ {\isaliteral{3D}{\isacharequal}}\ length\ ys}. Together
|
|
455 |
with \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{23}{\isacharhash}}\ xs} this yields the goal
|
|
456 |
\isa{length\ xs\ {\isaliteral{3D}{\isacharequal}}\ length\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ ys{\isaliteral{29}{\isacharparenright}}}.
|
|
| 13999 | 457 |
|
| 25403 | 458 |
|
| 40406 | 459 |
\subsection{Induction formulae involving \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}} or \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}}}
|
| 25403 | 460 |
|
461 |
Let us now consider abstractly the situation where the goal to be proved |
|
| 40406 | 462 |
contains both \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}} and \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}}, say \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ P\ x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Q\ x}.
|
| 25403 | 463 |
This means that in each case of the induction, |
| 40406 | 464 |
\isa{{\isaliteral{3F}{\isacharquery}}case} would be of the form \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ P{\isaliteral{27}{\isacharprime}}\ x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Q{\isaliteral{27}{\isacharprime}}\ x}. Thus the
|
| 25403 | 465 |
first proof steps will be the canonical ones, fixing \isa{x} and assuming
|
| 40406 | 466 |
\isa{P{\isaliteral{27}{\isacharprime}}\ x}. To avoid this tedium, induction performs the canonical steps
|
| 25403 | 467 |
automatically: in each step case, the assumptions contain both the |
| 40406 | 468 |
usual induction hypothesis and \isa{P{\isaliteral{27}{\isacharprime}}\ x}, whereas \isa{{\isaliteral{3F}{\isacharquery}}case} is only
|
469 |
\isa{Q{\isaliteral{27}{\isacharprime}}\ x}.
|
|
| 25403 | 470 |
|
471 |
\subsection{Rule induction}
|
|
472 |
||
| 13999 | 473 |
HOL also supports inductively defined sets. See \cite{LNCS2283}
|
474 |
for details. As an example we define our own version of the reflexive |
|
475 |
transitive closure of a relation --- HOL provides a predefined one as well.% |
|
476 |
\end{isamarkuptext}%
|
|
| 17175 | 477 |
\isamarkuptrue% |
| 40406 | 478 |
\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
|
| 25056 | 479 |
\isanewline |
| 40406 | 480 |
\ \ rtc\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5F}{\isacharunderscore}}{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isadigit{1}}{\isadigit{0}}{\isadigit{0}}{\isadigit{0}}{\isaliteral{5D}{\isacharbrackright}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}{\isaliteral{29}{\isacharparenright}}\isanewline
|
481 |
\ \ \isakeyword{for}\ r\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
|
| 25056 | 482 |
\isakeyword{where}\isanewline
|
| 40406 | 483 |
\ \ refl{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
484 |
{\isaliteral{7C}{\isacharbar}}\ step{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}%
|
|
| 13999 | 485 |
\begin{isamarkuptext}%
|
486 |
\noindent |
|
487 |
First the constant is declared as a function on binary |
|
| 40406 | 488 |
relations (with concrete syntax \isa{r{\isaliteral{2A}{\isacharasterisk}}} instead of \isa{rtc\ r}), then the defining clauses are given. We will now prove that
|
489 |
\isa{r{\isaliteral{2A}{\isacharasterisk}}} is indeed transitive:%
|
|
| 13999 | 490 |
\end{isamarkuptext}%
|
| 17175 | 491 |
\isamarkuptrue% |
492 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 493 |
\ \isakeyword{assumes}\ A{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{shows}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 17125 | 494 |
% |
495 |
\isadelimproof |
|
496 |
% |
|
497 |
\endisadelimproof |
|
498 |
% |
|
499 |
\isatagproof |
|
| 17175 | 500 |
\isacommand{using}\isamarkupfalse%
|
501 |
\ A\isanewline |
|
502 |
\isacommand{proof}\isamarkupfalse%
|
|
503 |
\ induct\isanewline |
|
504 |
\ \ \isacommand{case}\isamarkupfalse%
|
|
505 |
\ refl\ \isacommand{thus}\isamarkupfalse%
|
|
| 40406 | 506 |
\ {\isaliteral{3F}{\isacharquery}}case\ \isacommand{{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
|
| 17175 | 507 |
\isanewline |
508 |
\isacommand{next}\isamarkupfalse%
|
|
509 |
\isanewline |
|
510 |
\ \ \isacommand{case}\isamarkupfalse%
|
|
511 |
\ step\ \isacommand{thus}\isamarkupfalse%
|
|
| 40406 | 512 |
\ {\isaliteral{3F}{\isacharquery}}case\ \isacommand{by}\isamarkupfalse%
|
513 |
{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isaliteral{2E}{\isachardot}}step{\isaliteral{29}{\isacharparenright}}\isanewline
|
|
| 17175 | 514 |
\isacommand{qed}\isamarkupfalse%
|
515 |
% |
|
| 17125 | 516 |
\endisatagproof |
517 |
{\isafoldproof}%
|
|
518 |
% |
|
519 |
\isadelimproof |
|
520 |
% |
|
521 |
\endisadelimproof |
|
| 13999 | 522 |
% |
523 |
\begin{isamarkuptext}%
|
|
524 |
\noindent Rule induction is triggered by a fact $(x_1,\dots,x_n) |
|
525 |
\in R$ piped into the proof, here \isakeyword{using}~\isa{A}. The
|
|
526 |
proof itself follows the inductive definition very |
|
527 |
closely: there is one case for each rule, and it has the same name as |
|
528 |
the rule, analogous to structural induction. |
|
529 |
||
530 |
However, this proof is rather terse. Here is a more readable version:% |
|
531 |
\end{isamarkuptext}%
|
|
| 17175 | 532 |
\isamarkuptrue% |
533 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 534 |
\ \isakeyword{assumes}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{shows}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 17125 | 535 |
% |
536 |
\isadelimproof |
|
537 |
% |
|
538 |
\endisadelimproof |
|
539 |
% |
|
540 |
\isatagproof |
|
| 25403 | 541 |
\isacommand{using}\isamarkupfalse%
|
542 |
\ assms\isanewline |
|
| 17175 | 543 |
\isacommand{proof}\isamarkupfalse%
|
544 |
\ induct\isanewline |
|
| 25403 | 545 |
\ \ \isacommand{fix}\isamarkupfalse%
|
| 17175 | 546 |
\ x\ \isacommand{assume}\isamarkupfalse%
|
| 40406 | 547 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\ \ %
|
| 16459 | 548 |
\isamarkupcmt{\isa{B}[\isa{y} := \isa{x}]%
|
549 |
} |
|
550 |
\isanewline |
|
| 25403 | 551 |
\ \ \isacommand{thus}\isamarkupfalse%
|
| 40406 | 552 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
|
| 17175 | 553 |
\isanewline |
| 25403 | 554 |
\isacommand{next}\isamarkupfalse%
|
| 17175 | 555 |
\isanewline |
| 25403 | 556 |
\ \ \isacommand{fix}\isamarkupfalse%
|
| 40406 | 557 |
\ x{\isaliteral{27}{\isacharprime}}\ x\ y\isanewline
|
| 25403 | 558 |
\ \ \isacommand{assume}\isamarkupfalse%
|
| 40406 | 559 |
\ {\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{27}{\isacharprime}}{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
|
560 |
\ \ \ \ \ \ \ \ \ IH{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
|
|
561 |
\ \ \ \ \ \ \ \ \ B{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
|
| 25403 | 562 |
\ \ \isacommand{from}\isamarkupfalse%
|
| 40406 | 563 |
\ {\isadigit{1}}\ IH{\isaliteral{5B}{\isacharbrackleft}}OF\ B{\isaliteral{5D}{\isacharbrackright}}\ \isacommand{show}\isamarkupfalse%
|
564 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{27}{\isacharprime}}{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
|
|
565 |
{\isaliteral{28}{\isacharparenleft}}rule\ rtc{\isaliteral{2E}{\isachardot}}step{\isaliteral{29}{\isacharparenright}}\isanewline
|
|
| 17175 | 566 |
\isacommand{qed}\isamarkupfalse%
|
567 |
% |
|
| 17125 | 568 |
\endisatagproof |
569 |
{\isafoldproof}%
|
|
570 |
% |
|
571 |
\isadelimproof |
|
572 |
% |
|
573 |
\endisadelimproof |
|
| 13999 | 574 |
% |
575 |
\begin{isamarkuptext}%
|
|
| 25403 | 576 |
\noindent |
577 |
This time, merely for a change, we start the proof with by feeding both |
|
578 |
assumptions into the inductive proof. Only the first assumption is |
|
579 |
``consumed'' by the induction. |
|
| 40406 | 580 |
Since the second one is left over we don't just prove \isa{{\isaliteral{3F}{\isacharquery}}thesis} but
|
581 |
\isa{{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}thesis}, just as in the previous proof.
|
|
| 25403 | 582 |
The base case is trivial. In the assumptions for the induction step we can |
| 13999 | 583 |
see very clearly how things fit together and permit ourselves the |
| 40406 | 584 |
obvious forward step \isa{IH{\isaliteral{5B}{\isacharbrackleft}}OF\ B{\isaliteral{5D}{\isacharbrackright}}}.
|
| 13999 | 585 |
|
| 25403 | 586 |
The notation \isakeyword{case}~\isa{(}\emph{constructor} \emph{vars}\isa{)}
|
587 |
is also supported for inductive definitions. The \emph{constructor} is the
|
|
588 |
name of the rule and the \emph{vars} fix the free variables in the
|
|
| 13999 | 589 |
rule; the order of the \emph{vars} must correspond to the
|
| 25403 | 590 |
left-to-right order of the variables as they appear in the rule. |
| 13999 | 591 |
For example, we could start the above detailed proof of the induction |
| 25403 | 592 |
with \isakeyword{case}~\isa{(step x' x y)}. In that case we don't need
|
| 40406 | 593 |
to spell out the assumptions but can refer to them by \isa{step{\isaliteral{28}{\isacharparenleft}}{\isaliteral{2E}{\isachardot}}{\isaliteral{29}{\isacharparenright}}},
|
| 25403 | 594 |
although the resulting text will be quite cryptic. |
595 |
||
596 |
\subsection{More induction}
|
|
597 |
||
| 13999 | 598 |
We close the section by demonstrating how arbitrary induction |
599 |
rules are applied. As a simple example we have chosen recursion |
|
600 |
induction, i.e.\ induction based on a recursive function |
|
601 |
definition. However, most of what we show works for induction in |
|
602 |
general. |
|
603 |
||
604 |
The example is an unusual definition of rotation:% |
|
605 |
\end{isamarkuptext}%
|
|
| 17175 | 606 |
\isamarkuptrue% |
| 25403 | 607 |
\isacommand{fun}\isamarkupfalse%
|
| 40406 | 608 |
\ rot\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
|
609 |
{\isaliteral{22}{\isachardoublequoteopen}}rot\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
|
|
610 |
{\isaliteral{22}{\isachardoublequoteopen}}rot\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
|
|
611 |
{\isaliteral{22}{\isachardoublequoteopen}}rot\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ y\ {\isaliteral{23}{\isacharhash}}\ rot{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
|
|
| 13999 | 612 |
\begin{isamarkuptext}%
|
613 |
\noindent This yields, among other things, the induction rule |
|
| 40406 | 614 |
\isa{rot{\isaliteral{2E}{\isachardot}}induct}: \begin{isabelle}%
|
615 |
{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ y\ zs{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ a{\isadigit{0}}%
|
|
| 13999 | 616 |
\end{isabelle}
|
| 25403 | 617 |
The following proof relies on a default naming scheme for cases: they are |
| 13999 | 618 |
called 1, 2, etc, unless they have been named explicitly. The latter happens |
| 25403 | 619 |
only with datatypes and inductively defined sets, but (usually) |
620 |
not with recursive functions.% |
|
| 13999 | 621 |
\end{isamarkuptext}%
|
| 17175 | 622 |
\isamarkuptrue% |
623 |
\isacommand{lemma}\isamarkupfalse%
|
|
| 40406 | 624 |
\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ rot\ xs\ {\isaliteral{3D}{\isacharequal}}\ tl\ xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}hd\ xs{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
|
| 17125 | 625 |
% |
626 |
\isadelimproof |
|
627 |
% |
|
628 |
\endisadelimproof |
|
629 |
% |
|
630 |
\isatagproof |
|
| 17175 | 631 |
\isacommand{proof}\isamarkupfalse%
|
| 40406 | 632 |
\ {\isaliteral{28}{\isacharparenleft}}induct\ xs\ rule{\isaliteral{3A}{\isacharcolon}}\ rot{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
|
| 17175 | 633 |
\ \ \isacommand{case}\isamarkupfalse%
|
634 |
\ {\isadigit{1}}\ \isacommand{thus}\isamarkupfalse%
|
|
| 40406 | 635 |
\ {\isaliteral{3F}{\isacharquery}}case\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 636 |
\ simp\isanewline |
637 |
\isacommand{next}\isamarkupfalse%
|
|
638 |
\isanewline |
|
639 |
\ \ \isacommand{case}\isamarkupfalse%
|
|
640 |
\ {\isadigit{2}}\ \isacommand{show}\isamarkupfalse%
|
|
| 40406 | 641 |
\ {\isaliteral{3F}{\isacharquery}}case\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 642 |
\ simp\isanewline |
643 |
\isacommand{next}\isamarkupfalse%
|
|
644 |
\isanewline |
|
645 |
\ \ \isacommand{case}\isamarkupfalse%
|
|
| 40406 | 646 |
\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{3}}\ a\ b\ cs{\isaliteral{29}{\isacharparenright}}\isanewline
|
| 17175 | 647 |
\ \ \isacommand{have}\isamarkupfalse%
|
| 40406 | 648 |
\ {\isaliteral{22}{\isachardoublequoteopen}}rot\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ b\ {\isaliteral{23}{\isacharhash}}\ cs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{23}{\isacharhash}}\ rot{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ cs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 649 |
\ simp\isanewline |
650 |
\ \ \isacommand{also}\isamarkupfalse%
|
|
651 |
\ \isacommand{have}\isamarkupfalse%
|
|
| 40406 | 652 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{23}{\isacharhash}}\ tl{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ cs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}hd{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ cs{\isaliteral{29}{\isacharparenright}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
|
653 |
{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}{\isadigit{3}}{\isaliteral{29}{\isacharparenright}}\isanewline
|
|
| 17175 | 654 |
\ \ \isacommand{also}\isamarkupfalse%
|
655 |
\ \isacommand{have}\isamarkupfalse%
|
|
| 40406 | 656 |
\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ tl\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ b\ {\isaliteral{23}{\isacharhash}}\ cs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}hd\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ b\ {\isaliteral{23}{\isacharhash}}\ cs{\isaliteral{29}{\isacharparenright}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
|
| 17175 | 657 |
\ simp\isanewline |
658 |
\ \ \isacommand{finally}\isamarkupfalse%
|
|
659 |
\ \isacommand{show}\isamarkupfalse%
|
|
| 40406 | 660 |
\ {\isaliteral{3F}{\isacharquery}}case\ \isacommand{{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
|
| 17175 | 661 |
\isanewline |
662 |
\isacommand{qed}\isamarkupfalse%
|
|
663 |
% |
|
| 17125 | 664 |
\endisatagproof |
665 |
{\isafoldproof}%
|
|
666 |
% |
|
667 |
\isadelimproof |
|
668 |
% |
|
669 |
\endisadelimproof |
|
| 13999 | 670 |
% |
671 |
\begin{isamarkuptext}%
|
|
672 |
\noindent |
|
673 |
The third case is only shown in gory detail (see \cite{BauerW-TPHOLs01}
|
|
674 |
for how to reason with chains of equations) to demonstrate that the |
|
| 25403 | 675 |
\isakeyword{case}~\isa{(}\emph{constructor} \emph{vars}\isa{)} notation also
|
| 13999 | 676 |
works for arbitrary induction theorems with numbered cases. The order |
677 |
of the \emph{vars} corresponds to the order of the
|
|
| 40406 | 678 |
\isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}}-quantified variables in each case of the induction
|
| 25403 | 679 |
theorem. For induction theorems produced by \isakeyword{fun} it is
|
| 13999 | 680 |
the order in which the variables appear on the left-hand side of the |
681 |
equation. |
|
682 |
||
683 |
The proof is so simple that it can be condensed to% |
|
684 |
\end{isamarkuptext}%
|
|
| 17175 | 685 |
\isamarkuptrue% |
| 17125 | 686 |
% |
687 |
\isadelimproof |
|
688 |
% |
|
689 |
\endisadelimproof |
|
690 |
% |
|
691 |
\isatagproof |
|
| 17175 | 692 |
\isacommand{by}\isamarkupfalse%
|
| 40406 | 693 |
\ {\isaliteral{28}{\isacharparenleft}}induct\ xs\ rule{\isaliteral{3A}{\isacharcolon}}\ rot{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\ simp{\isaliteral{5F}{\isacharunderscore}}all\isanewline
|
| 17125 | 694 |
% |
695 |
\endisatagproof |
|
696 |
{\isafoldproof}%
|
|
697 |
% |
|
698 |
\isadelimproof |
|
699 |
% |
|
700 |
\endisadelimproof |
|
701 |
% |
|
702 |
\isadelimtheory |
|
703 |
% |
|
704 |
\endisadelimtheory |
|
705 |
% |
|
706 |
\isatagtheory |
|
707 |
% |
|
708 |
\endisatagtheory |
|
709 |
{\isafoldtheory}%
|
|
710 |
% |
|
711 |
\isadelimtheory |
|
712 |
% |
|
713 |
\endisadelimtheory |
|
| 13999 | 714 |
\end{isabellebody}%
|
715 |
%%% Local Variables: |
|
716 |
%%% mode: latex |
|
717 |
%%% TeX-master: "root" |
|
718 |
%%% End: |