src/HOL/Examples/Ackermann.thy
author paulson <lp15@cam.ac.uk>
Fri, 30 Dec 2022 17:48:41 +0000
changeset 76832 ab08604729a2
parent 76304 e5162a8baa24
child 77569 a8fa53c086a4
permissions -rw-r--r--
A further round of proof consolidation
(*  Title:      HOL/Examples/Ackermann.thy
    Author:     Larry Paulson
*)

section \<open>A Tail-Recursive, Stack-Based Ackermann's Function\<close>

theory Ackermann imports "HOL-Library.Multiset_Order" "HOL-Library.Product_Lexorder"

begin

text\<open>This theory investigates a stack-based implementation of Ackermann's function.
Let's recall the traditional definition,
as modified by R{\'o}zsa P\'eter and Raphael Robinson.\<close>

fun ack :: "[nat,nat] \<Rightarrow> nat" where
  "ack 0 n             = Suc n"
| "ack (Suc m) 0       = ack m 1"
| "ack (Suc m) (Suc n) = ack m (ack (Suc m) n)"

subsection \<open>Example of proving termination by reasoning about the domain\<close>

text\<open>The stack-based version uses lists.\<close>

function (domintros) ackloop :: "nat list \<Rightarrow> nat" where
  "ackloop (n # 0 # l)         = ackloop (Suc n # l)"
| "ackloop (0 # Suc m # l)     = ackloop (1 # m # l)"
| "ackloop (Suc n # Suc m # l) = ackloop (n # Suc m # m # l)"
| "ackloop [m] = m"
| "ackloop [] =  0"
  by pat_completeness auto

text\<open>
The key task is to prove termination. In the first recursive call, the head of the list gets bigger
while the list gets shorter, suggesting that the length of the list should be the primary
termination criterion. But in the third recursive call, the list gets longer. The idea of
a termination argument based on the multiset of the list elements is frustrated by the second
recursive call when m = 0: the list elements are simply permuted.

Fortunately, the function definition package allows us to define a function and only later
identify its domain of termination. Until then, it makes all the recursion equations conditional
on the function's domain predicate. Here we shall eventually be able
to show that the predicate is always satisfied.\<close>

text\<open>@{thm [display] ackloop.domintros[no_vars]}\<close>
declare ackloop.domintros [simp]

text \<open>Termination is trivial if the length of the list is less than two.
The following lemma is the key to proving termination for longer lists.\<close>
lemma "ackloop_dom (ack m n # l) \<Longrightarrow> ackloop_dom (n # m # l)"
proof (induction m arbitrary: n l)
  case 0
  then show ?case
    by auto
next
  case (Suc m)
  show ?case
    using Suc.prems
    by (induction n arbitrary: l) (simp_all add: Suc)
qed

text \<open>The proof above (which is actually unused) can be expressed concisely as follows.\<close>
lemma ackloop_dom_longer:
  "ackloop_dom (ack m n # l) \<Longrightarrow> ackloop_dom (n # m # l)"
  by (induction m n arbitrary: l rule: ack.induct) auto

text\<open>This function codifies what @{term ackloop} is designed to do.
Proving the two functions equivalent also shows that @{term ackloop} can be used
to compute Ackermann's function.\<close>
fun acklist :: "nat list \<Rightarrow> nat" where
  "acklist (n#m#l) = acklist (ack m n # l)"
| "acklist [m] = m"
| "acklist [] =  0"

text\<open>The induction rule for @{term acklist} is @{thm [display] acklist.induct[no_vars]}.\<close>

lemma ackloop_dom: "ackloop_dom l"
  by (induction l rule: acklist.induct) (auto simp: ackloop_dom_longer)

termination ackloop
  by (simp add: ackloop_dom)

text\<open>This result is trivial even by inspection of the function definitions
(which faithfully follow the definition of Ackermann's function).
All that we needed was termination.\<close>
lemma ackloop_acklist: "ackloop l = acklist l"
  by (induction l rule: ackloop.induct) auto

theorem ack: "ack m n = ackloop [n,m]"
  by (simp add: ackloop_acklist)

subsection \<open>Example of proving termination using a multiset ordering\<close>

text \<open>This termination proof uses the argument from
Nachum Dershowitz and Zohar Manna. Proving termination with multiset orderings.
Communications of the ACM 22 (8) 1979, 465–476.\<close>

text\<open>Setting up the termination proof. Note that Dershowitz had @{term z} as a global variable.
The top two stack elements are treated differently from the rest.\<close>

fun ack_mset :: "nat list \<Rightarrow> (nat\<times>nat) multiset" where
  "ack_mset [] = {#}"
| "ack_mset [x] = {#}"
| "ack_mset (z#y#l) = mset ((y,z) # map (\<lambda>x. (Suc x, 0)) l)"

lemma case1: "ack_mset (Suc n # l) < add_mset (0,n) {# (Suc x, 0). x \<in># mset l #}"
proof (cases l)
  case (Cons m list)
  have "{#(m, Suc n)#} < {#(Suc m, 0)#}"
    by auto
  also have "\<dots> \<le> {#(Suc m, 0), (0,n)#}"
    by auto
  finally show ?thesis
    by (simp add: Cons)
qed auto

text\<open>The stack-based version again. We need a fresh copy because
  we've already proved the termination of @{term ackloop}.\<close>

function Ackloop :: "nat list \<Rightarrow> nat" where
  "Ackloop (n # 0 # l)         = Ackloop (Suc n # l)"
| "Ackloop (0 # Suc m # l)     = Ackloop (1 # m # l)"
| "Ackloop (Suc n # Suc m # l) = Ackloop (n # Suc m # m # l)"
| "Ackloop [m] = m"
| "Ackloop [] =  0"
  by pat_completeness auto


text \<open>In each recursive call, the function @{term ack_mset} decreases according to the multiset
ordering.\<close>
termination
  by (relation "inv_image {(x,y). x<y} ack_mset") (auto simp: wf case1)

text \<open>Another shortcut compared with before: equivalence follows directly from this lemma.\<close>
lemma Ackloop_ack: "Ackloop (n # m # l) = Ackloop (ack m n # l)"
  by (induction m n arbitrary: l rule: ack.induct) auto

theorem "ack m n = Ackloop [n,m]"
  by (simp add: Ackloop_ack)

end
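A runnable companion to the two subsections of the theory, added here as an example; it is not part of Larry Paulson's development and is not Isabelle code. It executes the same five rewrite rules as ackloop/Ackloop on an explicit Python list (head of the list = top of the stack), computes the measure ack_mset of every intermediate stack, and checks along a whole run that the measure strictly decreases in the Dershowitz-Manna multiset ordering on lexicographically ordered pairs (implemented through the equivalent Huet-Oppen count characterisation, which is what the theory's `<` on multisets amounts to). It also shows concretely why the multiset of the stack elements themselves is useless as a measure: the rule for `0 # Suc m # l` only permutes them. The directly recursive `ack` is included only as a reference; its recursion depth grows with its result, so it quickly exceeds CPython's default recursion limit, which is the practical reason for preferring the explicit stack. Python 3.8 or later is assumed, and all function names are the example's own.

```python
from collections import Counter
from typing import List, Optional, Tuple


def ack(m: int, n: int) -> int:
    """Reference Peter/Robinson Ackermann function, directly recursive.
    Only for checking results: the recursion depth grows with the result."""
    if m == 0:
        return n + 1
    if n == 0:
        return ack(m - 1, 1)
    return ack(m - 1, ack(m, n - 1))


def ackloop_step(stack: List[int]) -> Optional[List[int]]:
    """One rewrite of the stack machine; stack[0] is the top.
    Returns None when no rule applies (the terminal cases [m] and [])."""
    if len(stack) < 2:
        return None
    n, m, rest = stack[0], stack[1], stack[2:]
    if m == 0:                        # ackloop (n # 0 # l)         = ackloop (Suc n # l)
        return [n + 1] + rest
    if n == 0:                        # ackloop (0 # Suc m # l)     = ackloop (1 # m # l)
        return [1, m - 1] + rest
    return [n - 1, m, m - 1] + rest   # ackloop (Suc n # Suc m # l) = ackloop (n # Suc m # m # l)


def ackloop(stack: List[int]) -> int:
    """Run the machine to completion on a heap-allocated list: no native recursion at all."""
    while (nxt := ackloop_step(stack)) is not None:
        stack = nxt
    return stack[0] if stack else 0


def ack_mset(stack: List[int]) -> Counter:
    """The theory's measure: {#} for fewer than two elements, otherwise the pair (y, z)
    for the top two elements z # y, plus (Suc x, 0) for every remaining element x."""
    if len(stack) < 2:
        return Counter()
    z, y, rest = stack[0], stack[1], stack[2:]
    return Counter([(y, z)] + [(x + 1, 0) for x in rest])


def naive_mset(stack: List[int]) -> Counter:
    """The tempting measure that fails: just the multiset of the stack elements."""
    return Counter(stack)


def mset_less(M: Counter, N: Counter) -> bool:
    """Dershowitz-Manna multiset ordering (Huet-Oppen characterisation): M < N iff
    M != N and every element whose count went up is dominated by some strictly
    larger element whose count went down.  Elements are compared with Python's
    own ordering, i.e. lexicographically for tuples."""
    if +M == +N:                      # unary + drops zero counts before comparing
        return False
    keys = set(M) | set(N)
    for x in keys:
        if M[x] > N[x] and not any(y > x and N[y] > M[y] for y in keys):
            return False
    return True


def run_and_check(stack: List[int]) -> Tuple[int, int, bool]:
    """Execute the machine from `stack`.  Returns (result, number of steps, whether
    ack_mset strictly decreased at every single step).  The last flag is the
    termination certificate of the theory, checked on one concrete run."""
    steps, decreasing = 0, True
    while (nxt := ackloop_step(stack)) is not None:
        decreasing = decreasing and mset_less(ack_mset(nxt), ack_mset(stack))
        stack, steps = nxt, steps + 1
    return (stack[0] if stack else 0), steps, decreasing


if __name__ == "__main__":
    # Constructed inputs: ack 2 3 = 9 and ack 3 3 = 61, started as [n, m] like the theorem.
    for m, n in [(2, 3), (3, 3)]:
        print((m, n), run_and_check([n, m]))
```

`run_and_check([n, m])` reproduces the theorem `ack m n = Ackloop [n, m]` for a concrete pair and confirms that `ack_mset` decreases at every step, while `mset_less(naive_mset(...), naive_mset(...))` on the `0 # Suc m # l` rule returns False, which is exactly the obstacle the theory's text describes before introducing `ack_mset`.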