isabelle: doc-src/TutorialI/Inductive/Star.thy@d848c6693185 (annotated)

10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	1	(<)theory Star = Main:(>)
b9fd52525b69 * empty log message * nipkow parents: diff changeset	2
10898 b086f4e1722f lcp's pass over the book, chapters 1-8 paulson parents: 10520 diff changeset	3	section{The Reflexive Transitive Closure}
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	4
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	5	text{*\label{sec:rtc}
10898 b086f4e1722f lcp's pass over the book, chapters 1-8 paulson parents: 10520 diff changeset	6	An inductive definition may accept parameters, so it can express
b086f4e1722f lcp's pass over the book, chapters 1-8 paulson parents: 10520 diff changeset	7	functions that yield sets.
b086f4e1722f lcp's pass over the book, chapters 1-8 paulson parents: 10520 diff changeset	8	Relations too can be defined inductively, since they are just sets of pairs.
b086f4e1722f lcp's pass over the book, chapters 1-8 paulson parents: 10520 diff changeset	9	A perfect example is the function that maps a relation to its
b086f4e1722f lcp's pass over the book, chapters 1-8 paulson parents: 10520 diff changeset	10	reflexive transitive closure. This concept was already
11147 d848c6693185 * empty log message * nipkow parents: 10898 diff changeset	11	introduced in \S\ref{sec:Relations}, where the operator @{text"\<^sup>*"} was
10520 bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	12	defined as a least fixed point because inductive definitions were not yet
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	13	available. But now they are:
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	14	*}
b9fd52525b69 * empty log message * nipkow parents: diff changeset	15
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	16	consts rtc :: "('a \<times> 'a)set \<Rightarrow> ('a \<times> 'a)set" ("_*" [1000] 999)
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	17	inductive "r*"
b9fd52525b69 * empty log message * nipkow parents: diff changeset	18	intros
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	19	rtc_refl[iff]: "(x,x) \<in> r*"
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	20	rtc_step: "\<lbrakk> (x,y) \<in> r; (y,z) \<in> r* \<rbrakk> \<Longrightarrow> (x,z) \<in> r*"
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	21
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	22	text{*\noindent
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	23	The function @{term rtc} is annotated with concrete syntax: instead of
10520 bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	24	@{text"rtc r"} we can read and write @{term"r*"}. The actual definition
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	25	consists of two rules. Reflexivity is obvious and is immediately given the
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	26	@{text iff} attribute to increase automation. The
10363 6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	27	second rule, @{thm[source]rtc_step}, says that we can always add one more
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	28	@{term r}-step to the left. Although we could make @{thm[source]rtc_step} an
10520 bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	29	introduction rule, this is dangerous: the recursion in the second premise
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	30	slows down and may even kill the automatic tactics.
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	31
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	32	The above definition of the concept of reflexive transitive closure may
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	33	be sufficiently intuitive but it is certainly not the only possible one:
10898 b086f4e1722f lcp's pass over the book, chapters 1-8 paulson parents: 10520 diff changeset	34	for a start, it does not even mention transitivity.
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	35	The rest of this section is devoted to proving that it is equivalent to
10898 b086f4e1722f lcp's pass over the book, chapters 1-8 paulson parents: 10520 diff changeset	36	the standard definition. We start with a simple lemma:
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	37	*}
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	38
b9fd52525b69 * empty log message * nipkow parents: diff changeset	39	lemma [intro]: "(x,y) : r \<Longrightarrow> (x,y) \<in> r*"
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	40	by(blast intro: rtc_step);
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	41
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	42	text{*\noindent
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	43	Although the lemma itself is an unremarkable consequence of the basic rules,
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	44	it has the advantage that it can be declared an introduction rule without the
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	45	danger of killing the automatic tactics because @{term"r*"} occurs only in
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	46	the conclusion and not in the premise. Thus some proofs that would otherwise
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	47	need @{thm[source]rtc_step} can now be found automatically. The proof also
10898 b086f4e1722f lcp's pass over the book, chapters 1-8 paulson parents: 10520 diff changeset	48	shows that @{text blast} is able to handle @{thm[source]rtc_step}. But
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	49	some of the other automatic tactics are more sensitive, and even @{text
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	50	blast} can be lead astray in the presence of large numbers of rules.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	51
10520 bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	52	To prove transitivity, we need rule induction, i.e.\ theorem
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	53	@{thm[source]rtc.induct}:
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	54	@{thm[display]rtc.induct}
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	55	It says that @{text"?P"} holds for an arbitrary pair @{text"(?xb,?xa) \<in>
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	56	?r*"} if @{text"?P"} is preserved by all rules of the inductive definition,
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	57	i.e.\ if @{text"?P"} holds for the conclusion provided it holds for the
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	58	premises. In general, rule induction for an $n$-ary inductive relation $R$
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	59	expects a premise of the form $(x@1,\dots,x@n) \in R$.
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	60
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	61	Now we turn to the inductive proof of transitivity:
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	62	*}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	63
10520 bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	64	lemma rtc_trans: "\<lbrakk> (x,y) \<in> r; (y,z) \<in> r \<rbrakk> \<Longrightarrow> (x,z) \<in> r*"
10363 6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	65	apply(erule rtc.induct)
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	66
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	67	txt{*\noindent
10520 bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	68	Unfortunately, even the resulting base case is a problem
10363 6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	69	@{subgoals[display,indent=0,goals_limit=1]}
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	70	and maybe not what you had expected. We have to abandon this proof attempt.
10520 bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	71	To understand what is going on, let us look again at @{thm[source]rtc.induct}.
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	72	In the above application of @{text erule}, the first premise of
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	73	@{thm[source]rtc.induct} is unified with the first suitable assumption, which
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	74	is @{term"(x,y) \<in> r"} rather than @{term"(y,z) \<in> r"}. Although that
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	75	is what we want, it is merely due to the order in which the assumptions occur
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	76	in the subgoal, which it is not good practice to rely on. As a result,
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	77	@{text"?xb"} becomes @{term x}, @{text"?xa"} becomes
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	78	@{term y} and @{text"?P"} becomes @{term"%u v. (u,z) : r*"}, thus
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	79	yielding the above subgoal. So what went wrong?
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	80
10520 bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	81	When looking at the instantiation of @{text"?P"} we see that it does not
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	82	depend on its second parameter at all. The reason is that in our original
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	83	goal, of the pair @{term"(x,y)"} only @{term x} appears also in the
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	84	conclusion, but not @{term y}. Thus our induction statement is too
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	85	weak. Fortunately, it can easily be strengthened:
10363 6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	86	transfer the additional premise @{prop"(y,z):r"} into the conclusion:}
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	87	(<)oops(>)
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	88	lemma rtc_trans[rule_format]:
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	89	"(x,y) \<in> r* \<Longrightarrow> (y,z) \<in> r* \<longrightarrow> (x,z) \<in> r*"
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	90
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	91	txt{*\noindent
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	92	This is not an obscure trick but a generally applicable heuristic:
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	93	\begin{quote}\em
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	94	Whe proving a statement by rule induction on $(x@1,\dots,x@n) \in R$,
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	95	pull all other premises containing any of the $x@i$ into the conclusion
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	96	using $\longrightarrow$.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	97	\end{quote}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	98	A similar heuristic for other kinds of inductions is formulated in
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	99	\S\ref{sec:ind-var-in-prems}. The @{text rule_format} directive turns
11147 d848c6693185 * empty log message * nipkow parents: 10898 diff changeset	100	@{text"\<longrightarrow>"} back into @{text"\<Longrightarrow>"}: in the end we obtain the original
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	101	statement of our lemma.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	102	*}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	103
10363 6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	104	apply(erule rtc.induct)
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	105
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	106	txt{*\noindent
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	107	Now induction produces two subgoals which are both proved automatically:
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	108	@{subgoals[display,indent=0]}
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	109	*}
6e8002c1790e * empty log message * nipkow parents: 10243 diff changeset	110
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	111	apply(blast);
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	112	apply(blast intro: rtc_step);
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	113	done
b9fd52525b69 * empty log message * nipkow parents: diff changeset	114
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	115	text{*
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	116	Let us now prove that @{term"r*"} is really the reflexive transitive closure
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	117	of @{term r}, i.e.\ the least reflexive and transitive
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	118	relation containing @{term r}. The latter is easily formalized
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	119	*}
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	120
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	121	consts rtc2 :: "('a \<times> 'a)set \<Rightarrow> ('a \<times> 'a)set"
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	122	inductive "rtc2 r"
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	123	intros
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	124	"(x,y) \<in> r \<Longrightarrow> (x,y) \<in> rtc2 r"
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	125	"(x,x) \<in> rtc2 r"
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	126	"\<lbrakk> (x,y) \<in> rtc2 r; (y,z) \<in> rtc2 r \<rbrakk> \<Longrightarrow> (x,z) \<in> rtc2 r"
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	127
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	128	text{*\noindent
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	129	and the equivalence of the two definitions is easily shown by the obvious rule
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	130	inductions:
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	131	*}
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	132
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	133	lemma "(x,y) \<in> rtc2 r \<Longrightarrow> (x,y) \<in> r*"
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	134	apply(erule rtc2.induct);
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	135	apply(blast);
10237 875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	136	apply(blast);
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	137	apply(blast intro: rtc_trans);
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	138	done
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	139
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	140	lemma "(x,y) \<in> r* \<Longrightarrow> (x,y) \<in> rtc2 r"
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	141	apply(erule rtc.induct);
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	142	apply(blast intro: rtc2.intros);
875bf54b5d74 * empty log message * nipkow parents: 10225 diff changeset	143	apply(blast intro: rtc2.intros);
10225 b9fd52525b69 * empty log message * nipkow parents: diff changeset	144	done
b9fd52525b69 * empty log message * nipkow parents: diff changeset	145
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	146	text{*
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	147	So why did we start with the first definition? Because it is simpler. It
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	148	contains only two rules, and the single step rule is simpler than
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	149	transitivity. As a consequence, @{thm[source]rtc.induct} is simpler than
10898 b086f4e1722f lcp's pass over the book, chapters 1-8 paulson parents: 10520 diff changeset	150	@{thm[source]rtc2.induct}. Since inductive proofs are hard enough
11147 d848c6693185 * empty log message * nipkow parents: 10898 diff changeset	151	anyway, we should always pick the simplest induction schema available.
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	152	Hence @{term rtc} is the definition of choice.
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	153
10520 bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	154	\begin{exercise}\label{ex:converse-rtc-step}
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	155	Show that the converse of @{thm[source]rtc_step} also holds:
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	156	@{prop[display]"[\| (x,y) : r; (y,z) : r \|] ==> (x,z) : r"}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	157	\end{exercise}
10520 bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	158	\begin{exercise}
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	159	Repeat the development of this section, but starting with a definition of
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	160	@{term rtc} where @{thm[source]rtc_step} is replaced by its converse as shown
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	161	in exercise~\ref{ex:converse-rtc-step}.
bb9dfcc87951 * empty log message * nipkow parents: 10396 diff changeset	162	\end{exercise}
10242 028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	163	*}
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	164	(<)
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	165	lemma rtc_step2[rule_format]: "(x,y) : r* \<Longrightarrow> (y,z) : r --> (x,z) : r*"
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	166	apply(erule rtc.induct);
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	167	apply blast;
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	168	apply(blast intro:rtc_step)
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	169	done
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	170
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	171	end
028f54cd2cc9 * empty log message * nipkow parents: 10237 diff changeset	172	(>)

author	nipkow
	Fri, 16 Feb 2001 06:46:20 +0100
changeset 11147	d848c6693185
parent 10898	b086f4e1722f
child 11257	622331bbdb7f
permissions	-rw-r--r--