isabelle: doc-src/TutorialI/Inductive/advanced-examples.tex@aed0a0450797 (annotated)

10879 ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	1	% $Id$
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	2	This section describes advanced features of inductive definitions.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	3	The premises of introduction rules may contain universal quantifiers and
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	4	monotonic functions. Theorems may be proved by rule inversion.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	5
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	6	\subsection{Universal Quantifiers in Introduction Rules}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	7	\label{sec:gterm-datatype}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	8
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	9	As a running example, this section develops the theory of \textbf{ground
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	10	terms}: terms constructed from constant and function
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	11	symbols but not variables. To simplify matters further, we regard a
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	12	constant as a function applied to the null argument list. Let us declare a
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	13	datatype \isa{gterm} for the type of ground terms. It is a type constructor
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	14	whose argument is a type of function symbols.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	15	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	16	\isacommand{datatype}\ 'f\ gterm\ =\ Apply\ 'f\ "'f\ gterm\ list"
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	17	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	18	To try it out, we declare a datatype of some integer operations:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	19	integer constants, the unary minus operator and the addition
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	20	operator.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	21	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	22	\isacommand{datatype}\ integer_op\ =\ Number\ int\ \|\ UnaryMinus\ \|\ Plus
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	23	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	24	Now the type \isa{integer\_op gterm} denotes the ground
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	25	terms built over those symbols.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	26
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	27	The type constructor \texttt{gterm} can be generalized to a function
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	28	over sets. It returns
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	29	the set of ground terms that can be formed over a set \isa{F} of function symbols. For
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	30	example, we could consider the set of ground terms formed from the finite
10889 aed0a0450797 wrong font for braces paulson parents: 10879 diff changeset	31	set \isa{\isacharbraceleft Number 2, UnaryMinus,
aed0a0450797 wrong font for braces paulson parents: 10879 diff changeset	32	Plus\isacharbraceright}.
10879 ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	33
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	34	This concept is inductive. If we have a list \isa{args} of ground terms
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	35	over~\isa{F} and a function symbol \isa{f} in \isa{F}, then we
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	36	can apply \isa{f} to \isa{args} to obtain another ground term.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	37	The only difficulty is that the argument list may be of any length. Hitherto,
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	38	each rule in an inductive definition referred to the inductively
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	39	defined set a fixed number of times, typically once or twice.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	40	A universal quantifier in the premise of the introduction rule
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	41	expresses that every element of \isa{args} belongs
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	42	to our inductively defined set: is a ground term
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	43	over~\isa{F}. The function {\isa{set}} denotes the set of elements in a given
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	44	list.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	45	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	46	\isacommand{consts}\ gterms\ ::\ "'f\ set\ \isasymRightarrow \ 'f\ gterm\ set"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	47	\isacommand{inductive}\ "gterms\ F"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	48	\isakeyword{intros}\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	49	step[intro!]:\ "\isasymlbrakk \isasymforall t\ \isasymin \ set\ args.\ t\ \isasymin \ gterms\ F;\ \ f\ \isasymin \ F\isasymrbrakk \isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	50	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \isasymLongrightarrow \ (Apply\ f\ args)\ \isasymin \ gterms\
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	51	F"
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	52	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	53
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	54	To demonstrate a proof from this definition, let us
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	55	show that the function \isa{gterms}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	56	is \textbf{monotonic}. We shall need this concept shortly.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	57	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	58	\isacommand{lemma}\ gterms_mono:\ "F\isasymsubseteq G\ \isasymLongrightarrow \ gterms\ F\ \isasymsubseteq \ gterms\ G"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	59	\isacommand{apply}\ clarify\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	60	\isacommand{apply}\ (erule\ gterms.induct)\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	61	\isacommand{apply}\ blast\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	62	\isacommand{done}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	63	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	64	Intuitively, this theorem says that
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	65	enlarging the set of function symbols enlarges the set of ground
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	66	terms. The proof is a trivial rule induction.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	67	First we use the \isa{clarify} method to assume the existence of an element of
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	68	\isa{terms~F}. (We could have used \isa{intro subsetI}.) We then
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	69	apply rule induction. Here is the resulting subgoal:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	70	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	71	\ 1.\ \isasymAnd x\ args\ f.\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	72	\ \ \ \ \ \ \ \isasymlbrakk F\ \isasymsubseteq \ G;\ \isasymforall t\isasymin set\ args.\ t\ \isasymin \ gterms\ F\ \isasymand \ t\ \isasymin \ gterms\ G;\ f\ \isasymin \ F\isasymrbrakk \isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	73	\ \ \ \ \ \ \ \isasymLongrightarrow \ Apply\ f\ args\ \isasymin \ gterms\ G%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	74	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	75	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	76	The assumptions state that \isa{f} belongs
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	77	to~\isa{F}, which is included in~\isa{G}, and that every element of the list \isa{args} is
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	78	a ground term over~\isa{G}. The \isa{blast} method finds this chain of reasoning easily.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	79
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	80	\begin{warn}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	81	Why do we call this function \isa{gterms} instead
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	82	of {\isa{gterm}}? A constant may have the same name as a type. However,
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	83	name clashes could arise in the theorems that Isabelle generates.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	84	Our choice of names keeps {\isa{gterms.induct}} separate from
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	85	{\isa{gterm.induct}}.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	86	\end{warn}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	87
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	88
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	89	\subsection{Rule Inversion}\label{sec:rule-inversion}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	90
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	91	Case analysis on an inductive definition is called \textbf{rule inversion}.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	92	It is frequently used in proofs about operational semantics. It can be
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	93	highly effective when it is applied automatically. Let us look at how rule
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	94	inversion is done in Isabelle.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	95
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	96	Recall that \isa{even} is the minimal set closed under these two rules:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	97	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	98	0\ \isasymin \ even\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	99	n\ \isasymin \ even\ \isasymLongrightarrow \ (Suc\ (Suc\ n))\ \isasymin
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	100	\ even
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	101	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	102	Minimality means that \isa{even} contains only the elements that these
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	103	rules force it to contain. If we are told that \isa{a}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	104	belongs to
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	105	\isa{even} then there are only two possibilities. Either \isa{a} is \isa{0}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	106	or else \isa{a} has the form \isa{Suc(Suc~n)}, for an arbitrary \isa{n}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	107	that belongs to
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	108	\isa{even}. That is the gist of the \isa{cases} rule, which Isabelle proves
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	109	for us when it accepts an inductive definition:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	110	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	111	\isasymlbrakk a\ \isasymin \ even;\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	112	\ a\ =\ 0\ \isasymLongrightarrow \ P;\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	113	\ \isasymAnd n.\ \isasymlbrakk a\ =\ Suc(Suc\ n);\ n\ \isasymin \
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	114	even\isasymrbrakk \ \isasymLongrightarrow \ P\isasymrbrakk \
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	115	\isasymLongrightarrow \ P
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	116	\rulename{even.cases}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	117	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	118
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	119	This general rule is less useful than instances of it for
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	120	specific patterns. For example, if \isa{a} has the form
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	121	\isa{Suc(Suc~n)} then the first case becomes irrelevant, while the second
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	122	case tells us that \isa{n} belongs to \isa{even}. Isabelle will generate
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	123	this instance for us:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	124	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	125	\isacommand{inductive\_cases}\ Suc_Suc_cases\ [elim!]:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	126	\ "Suc(Suc\ n)\ \isasymin \ even"
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	127	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	128	The \isacommand{inductive\_cases} command generates an instance of the
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	129	\isa{cases} rule for the supplied pattern and gives it the supplied name:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	130	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	131	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	132	\isasymlbrakk Suc\ (Suc\ n)\ \isasymin \ even;\ n\ \isasymin \ even\
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	133	\isasymLongrightarrow \ P\isasymrbrakk \ \isasymLongrightarrow \ P%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	134	\rulename{Suc_Suc_cases}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	135	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	136	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	137	Applying this as an elimination rule yields one case where \isa{even.cases}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	138	would yield two. Rule inversion works well when the conclusions of the
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	139	introduction rules involve datatype constructors like \isa{Suc} and \isa{\#}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	140	(list `cons'); freeness reasoning discards all but one or two cases.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	141
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	142	In the \isacommand{inductive\_cases} command we supplied an
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	143	attribute, \isa{elim!}, indicating that this elimination rule can be applied
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	144	aggressively. The original
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	145	\isa{cases} rule would loop if used in that manner because the
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	146	pattern~\isa{a} matches everything.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	147
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	148	The rule \isa{Suc_Suc_cases} is equivalent to the following implication:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	149	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	150	Suc (Suc\ n)\ \isasymin \ even\ \isasymLongrightarrow \ n\ \isasymin \
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	151	even
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	152	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	153	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	154	In {\S}\ref{sec:gen-rule-induction} we devoted some effort to proving precisely
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	155	this result. Yet we could have obtained it by a one-line declaration.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	156	This example also justifies the terminology \textbf{rule inversion}: the new
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	157	rule inverts the introduction rule \isa{even.step}.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	158
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	159	For one-off applications of rule inversion, use the \isa{ind_cases} method.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	160	Here is an example:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	161	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	162	\isacommand{apply}\ (ind_cases\ "Suc(Suc\ n)\ \isasymin \ even")
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	163	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	164	The specified instance of the \isa{cases} rule is generated, applied, and
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	165	discarded.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	166
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	167	\medskip
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	168	Let us try rule inversion on our ground terms example:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	169	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	170	\isacommand{inductive\_cases}\ gterm_Apply_elim\ [elim!]:\ "Apply\ f\ args\
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	171	\isasymin\ gterms\ F"
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	172	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	173	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	174	Here is the result. No cases are discarded (there was only one to begin
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	175	with) but the rule applies specifically to the pattern \isa{Apply\ f\ args}.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	176	It can be applied repeatedly as an elimination rule without looping, so we
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	177	have given the
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	178	\isa{elim!}\ attribute.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	179	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	180	\isasymlbrakk Apply\ f\ args\ \isasymin \ gterms\ F;\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	181	\ \isasymlbrakk
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	182	\isasymforall t\isasymin set\ args.\ t\ \isasymin \ gterms\ F;\ f\ \isasymin
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	183	\ F\isasymrbrakk \ \isasymLongrightarrow \ P\isasymrbrakk\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	184	\isasymLongrightarrow \ P%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	185	\rulename{gterm_Apply_elim}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	186	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	187
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	188	This rule replaces an assumption about \isa{Apply\ f\ args} by
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	189	assumptions about \isa{f} and~\isa{args}. Here is a proof in which this
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	190	inference is essential. We show that if \isa{t} is a ground term over both
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	191	of the sets
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	192	\isa{F} and~\isa{G} then it is also a ground term over their intersection,
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	193	\isa{F\isasyminter G}.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	194	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	195	\isacommand{lemma}\ gterms_IntI\ [rule_format]:\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	196	\ \ \ \ \ "t\ \isasymin \ gterms\ F\ \isasymLongrightarrow \ t\ \isasymin \ gterms\ G\ \isasymlongrightarrow \ t\ \isasymin \ gterms\ (F\isasyminter G)"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	197	\isacommand{apply}\ (erule\ gterms.induct)\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	198	\isacommand{apply}\ blast\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	199	\isacommand{done}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	200	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	201	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	202	The proof begins with rule induction over the definition of
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	203	\isa{gterms}, which leaves a single subgoal:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	204	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	205	1.\ \isasymAnd args\ f.\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	206	\ \ \ \ \ \ \isasymlbrakk \isasymforall t\isasymin set\ args.\ t\ \isasymin \ gterms\ F\ \isasymand\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	207	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ (t\ \isasymin \ gterms\ G\ \isasymlongrightarrow \ t\ \isasymin \ gterms\ (F\ \isasyminter \ G));\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	208	\ \ \ \ \ \ \ f\ \isasymin \ F\isasymrbrakk \isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	209	\ \ \ \ \ \ \isasymLongrightarrow \ Apply\ f\ args\ \isasymin \ gterms\ G\ \isasymlongrightarrow \ Apply\ f\ args\ \isasymin \ gterms\ (F\ \isasyminter \ G)
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	210	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	211	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	212	The induction hypothesis states that every element of \isa{args} belongs to
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	213	\isa{gterms\ (F\ \isasyminter \ G)} --- provided it already belongs to
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	214	\isa{gterms\ G}. How do we meet that condition?
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	215
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	216	By assuming (as we may) the formula \isa{Apply\ f\ args\ \isasymin \ gterms\
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	217	G}. Rule inversion, in the form of \isa{gterm_Apply_elim}, infers that every
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	218	element of \isa{args} belongs to
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	219	\isa{gterms~G}. It also yields \isa{f\ \isasymin \ G}, which will allow us
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	220	to conclude \isa{f\ \isasymin \ F\ \isasyminter \ G}. All of this reasoning
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	221	is done by \isa{blast}.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	222
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	223	\medskip
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	224
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	225	To summarize, every inductive definition produces a \isa{cases} rule. The
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	226	\isacommand{inductive\_cases} command stores an instance of the \isa{cases}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	227	rule for a given pattern. Within a proof, the \isa{ind_cases} method
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	228	applies an instance of the \isa{cases}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	229	rule.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	230
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	231
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	232	\subsection{Continuing the Ground Terms Example}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	233
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	234	Call a term \textbf{well-formed} if each symbol occurring in it has
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	235	the correct number of arguments. To formalize this concept, we
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	236	introduce a function mapping each symbol to its \textbf{arity}, a natural
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	237	number.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	238
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	239	Let us define the set of well-formed ground terms.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	240	Suppose we are given a function called \isa{arity}, specifying the arities to be used.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	241	In the inductive step, we have a list \isa{args} of such terms and a function
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	242	symbol~\isa{f}. If the length of the list matches the function's arity
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	243	then applying \isa{f} to \isa{args} yields a well-formed term.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	244	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	245	\isacommand{consts}\ well_formed_gterm\ ::\ "('f\ \isasymRightarrow \ nat)\ \isasymRightarrow \ 'f\ gterm\ set"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	246	\isacommand{inductive}\ "well_formed_gterm\ arity"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	247	\isakeyword{intros}\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	248	step[intro!]:\ "\isasymlbrakk \isasymforall t\ \isasymin \ set\ args.\ t\ \isasymin \ well_formed_gterm\ arity;\ \ \isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	249	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ length\ args\ =\ arity\ f\isasymrbrakk \isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	250	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \isasymLongrightarrow \ (Apply\ f\ args)\ \isasymin \ well_formed_gterm\
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	251	arity"
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	252	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	253	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	254	The inductive definition neatly captures the reasoning above.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	255	It is just an elaboration of the previous one, consisting of a single
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	256	introduction rule. The universal quantification over the
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	257	\isa{set} of arguments expresses that all of them are well-formed.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	258
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	259	\subsection{Alternative Definition Using a Monotonic Function}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	260
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	261	An inductive definition may refer to the inductively defined
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	262	set through an arbitrary monotonic function. To demonstrate this
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	263	powerful feature, let us
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	264	change the inductive definition above, replacing the
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	265	quantifier by a use of the function \isa{lists}. This
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	266	function, from the Isabelle theory of lists, is analogous to the
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	267	function \isa{gterms} declared above: if \isa{A} is a set then
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	268	{\isa{lists A}} is the set of lists whose elements belong to
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	269	\isa{A}.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	270
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	271	In the inductive definition of well-formed terms, examine the one
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	272	introduction rule. The first premise states that \isa{args} belongs to
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	273	the \isa{lists} of well-formed terms. This formulation is more
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	274	direct, if more obscure, than using a universal quantifier.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	275	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	276	\isacommand{consts}\ well_formed_gterm'\ ::\ "('f\ \isasymRightarrow \ nat)\ \isasymRightarrow \ 'f\ gterm\ set"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	277	\isacommand{inductive}\ "well_formed_gterm'\ arity"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	278	\isakeyword{intros}\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	279	step[intro!]:\ "\isasymlbrakk args\ \isasymin \ lists\ (well_formed_gterm'\ arity);\ \ \isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	280	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ length\ args\ =\ arity\ f\isasymrbrakk \isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	281	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \isasymLongrightarrow \ (Apply\ f\ args)\ \isasymin \ well_formed_gterm'\ arity"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	282	\isakeyword{monos}\ lists_mono
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	283	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	284
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	285	We must cite the theorem \isa{lists_mono} in order to justify
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	286	using the function \isa{lists}.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	287	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	288	A\ \isasymsubseteq\ B\ \isasymLongrightarrow \ lists\ A\ \isasymsubseteq
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	289	\ lists\ B\rulename{lists_mono}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	290	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	291	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	292	Why must the function be monotonic? An inductive definition describes
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	293	an iterative construction: each element of the set is constructed by a
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	294	finite number of introduction rule applications. For example, the
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	295	elements of \isa{even} are constructed by finitely many applications of
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	296	the rules
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	297	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	298	0\ \isasymin \ even\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	299	n\ \isasymin \ even\ \isasymLongrightarrow \ (Suc\ (Suc\ n))\ \isasymin
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	300	\ even
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	301	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	302	All references to a set in its
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	303	inductive definition must be positive. Applications of an
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	304	introduction rule cannot invalidate previous applications, allowing the
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	305	construction process to converge.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	306	The following pair of rules do not constitute an inductive definition:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	307	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	308	0\ \isasymin \ even\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	309	n\ \isasymnotin \ even\ \isasymLongrightarrow \ (Suc\ n)\ \isasymin
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	310	\ even
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	311	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	312	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	313	Showing that 4 is even using these rules requires showing that 3 is not
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	314	even. It is far from trivial to show that this set of rules
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	315	characterizes the even numbers.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	316
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	317	Even with its use of the function \isa{lists}, the premise of our
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	318	introduction rule is positive:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	319	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	320	args\ \isasymin \ lists\ (well_formed_gterm'\ arity)
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	321	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	322	To apply the rule we construct a list \isa{args} of previously
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	323	constructed well-formed terms. We obtain a
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	324	new term, \isa{Apply\ f\ args}. Because \isa{lists} is monotonic,
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	325	applications of the rule remain valid as new terms are constructed.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	326	Further lists of well-formed
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	327	terms become available and none are taken away.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	328
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	329
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	330	\subsection{A Proof of Equivalence}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	331
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	332	We naturally hope that these two inductive definitions of ``well-formed''
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	333	coincide. The equality can be proved by separate inclusions in
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	334	each direction. Each is a trivial rule induction.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	335	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	336	\isacommand{lemma}\ "well_formed_gterm\ arity\ \isasymsubseteq \ well_formed_gterm'\ arity"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	337	\isacommand{apply}\ clarify\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	338	\isacommand{apply}\ (erule\ well_formed_gterm.induct)\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	339	\isacommand{apply}\ auto\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	340	\isacommand{done}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	341	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	342
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	343	The \isa{clarify} method gives
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	344	us an element of \isa{well_formed_gterm\ arity} on which to perform
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	345	induction. The resulting subgoal can be proved automatically:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	346	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	347	{\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ args\ f{\isachardot}\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	348	\ \ \ \ \ \ {\isasymlbrakk}{\isasymforall}t{\isasymin}set\ args{\isachardot}\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	349	\ \ \ \ \ \ \ \ \ \ t\ {\isasymin}\ well{\isacharunderscore}formed{\isacharunderscore}gterm\ arity\ {\isasymand}\ t\ {\isasymin}\ well{\isacharunderscore}formed{\isacharunderscore}gterm{\isacharprime}\ arity{\isacharsemicolon}\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	350	\ \ \ \ \ \ \ length\ args\ {\isacharequal}\ arity\ f{\isasymrbrakk}\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	351	\ \ \ \ \ \ {\isasymLongrightarrow}\ Apply\ f\ args\ {\isasymin}\ well{\isacharunderscore}formed{\isacharunderscore}gterm{\isacharprime}\ arity%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	352	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	353	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	354	This proof resembles the one given in
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	355	{\S}\ref{sec:gterm-datatype} above, especially in the form of the
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	356	induction hypothesis. Next, we consider the opposite inclusion:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	357	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	358	\isacommand{lemma}\ "well_formed_gterm'\ arity\ \isasymsubseteq \ well_formed_gterm\ arity"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	359	\isacommand{apply}\ clarify\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	360	\isacommand{apply}\ (erule\ well_formed_gterm'.induct)\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	361	\isacommand{apply}\ auto\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	362	\isacommand{done}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	363	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	364	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	365	The proof script is identical, but the subgoal after applying induction may
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	366	be surprising:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	367	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	368	1.\ \isasymAnd x\ args\ f.\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	369	\ \ \ \ \ \ \isasymlbrakk args\ \isasymin \ lists\ (well_formed_gterm'\ arity\ \isasyminter\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	370	\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \isacharbraceleft u.\ u\ \isasymin \ well_formed_gterm\ arity\isacharbraceright );\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	371	\ \ \ \ \ \ \ length\ args\ =\ arity\ f\isasymrbrakk \isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	372	\ \ \ \ \ \ \isasymLongrightarrow \ Apply\ f\ args\ \isasymin \ well_formed_gterm\ arity%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	373	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	374	The induction hypothesis contains an application of \isa{lists}. Using a
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	375	monotonic function in the inductive definition always has this effect. The
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	376	subgoal may look uninviting, but fortunately a useful rewrite rule concerning
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	377	\isa{lists} is available:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	378	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	379	lists\ (A\ \isasyminter \ B)\ =\ lists\ A\ \isasyminter \ lists\ B
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	380	\rulename{lists_Int_eq}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	381	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	382	%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	383	Thanks to this default simplification rule, the induction hypothesis
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	384	is quickly replaced by its two parts:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	385	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	386	\ \ \ \ \ \ \ args\ \isasymin \ lists\ (well_formed_gterm'\ arity)\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	387	\ \ \ \ \ \ \ args\ \isasymin \ lists\ (well_formed_gterm\ arity)
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	388	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	389	Invoking the rule \isa{well_formed_gterm.step} completes the proof. The
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	390	call to
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	391	\isa{auto} does all this work.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	392
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	393	This example is typical of how monotonic functions can be used. In
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	394	particular, a rewrite rule analogous to \isa{lists_Int_eq} holds in most
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	395	cases. Monotonicity implies one direction of this set equality; we have
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	396	this theorem:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	397	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	398	mono\ f\ \isasymLongrightarrow \ f\ (A\ \isasyminter \ B)\ \isasymsubseteq \
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	399	f\ A\ \isasyminter \ f\ B%
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	400	\rulename{mono_Int}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	401	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	402
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	403
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	404	To summarize: a universal quantifier in an introduction rule
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	405	lets it refer to any number of instances of
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	406	the inductively defined set. A monotonic function in an introduction
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	407	rule lets it refer to constructions over the inductively defined
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	408	set. Each element of an inductively defined set is created
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	409	through finitely many applications of the introduction rules. So each rule
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	410	must be positive, and never can it refer to \textit{infinitely} many
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	411	previous instances of the inductively defined set.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	412
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	413
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	414
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	415	\begin{exercise}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	416	Prove this theorem, one direction of which was proved in
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	417	{\S}\ref{sec:rule-inversion} above.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	418	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	419	\isacommand{lemma}\ gterms_Int_eq\ [simp]:\ "gterms\ (F\isasyminter G)\ =\
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	420	gterms\ F\ \isasyminter \ gterms\ G"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	421	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	422	\end{exercise}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	423
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	424
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	425	\begin{exercise}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	426	A function mapping function symbols to their
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	427	types is called a \textbf{signature}. Given a type
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	428	ranging over type symbols, we can represent a function's type by a
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	429	list of argument types paired with the result type.
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	430	Complete this inductive definition:
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	431	\begin{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	432	\isacommand{consts}\ well_typed_gterm::\ "('f\ \isasymRightarrow \ 't\ list\ \ 't)\ \isasymRightarrow \ ('f\ gterm\ \ 't)set"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	433	\isacommand{inductive}\ "well_typed_gterm\ sig"\isanewline
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	434	\end{isabelle}
ca2b00c4bba7 renaming to avoid clashes paulson parents: diff changeset	435	\end{exercise}

author	paulson
	Fri, 12 Jan 2001 18:00:40 +0100
changeset 10889	aed0a0450797
parent 10879	ca2b00c4bba7
child 10978	5eebea8f359f
permissions	-rw-r--r--