| author | paulson <lp15@cam.ac.uk> |
| Fri, 18 Feb 2022 21:40:01 +0000 | |
| changeset 75101 | f0e2023f361a |
| parent 67399 | eab6ce8368fa |
| child 78107 | 0366e49dab85 |
| permissions | -rw-r--r-- |
| 61368 | 1 |
(* Title: HOL/ex/Transfer_Debug.thy |
2 |
Author: Ondřej Kunčar, TU München |
|
3 |
*) |
|
4 |
theory Transfer_Debug |
|
|
66453
cc19f7ca2ed6
session-qualified theory imports: isabelle imports -U -i -d '~~/src/Benchmarks' -a;
wenzelm
parents:
61368
diff
changeset
|
5 |
imports Main "HOL-Library.FSet" |
| 61368 | 6 |
begin |
7 |
||
8 |
(* |
|
9 |
This file demonstrates some of the typical scenarios |
|
10 |
when transfer or transfer_prover does not produce expected results |
|
11 |
and how the user might handle such cases. |
|
12 |
*) |
|
13 |
||
14 |
(* As an example, we use finite sets. The following command recreates the environment in which |
|
15 |
the type of finite sets was created and allows us to do transferring on this type. *) |
|
16 |
context |
|
17 |
includes fset.lifting |
|
18 |
begin |
|
19 |
||
20 |
subsection \<open>1. A missing transfer rule\<close> |
|
21 |
||
22 |
(* We will simulate the situation in which there is not any transfer rules for fmember. *) |
|
23 |
declare fmember.transfer[transfer_rule del] fmember_transfer[transfer_rule del] |
|
24 |
||
25 |
(* We want to prove the following theorem about |\<subseteq>| by transfer *) |
|
26 |
lemma "(A |\<subseteq>| B) = fBall A (\<lambda>x. x |\<in>| B)" |
|
27 |
apply transfer |
|
28 |
(* |
|
29 |
Transfer complains that it could not find a transfer rule for |\<subseteq>| with a matching transfer |
|
30 |
relation. An experienced user could notice that |\<in>| was transferred to |\<in>| by a |
|
31 |
a default reflexivity transfer rule (because there was not any genuine transfer rule for |\<in>|) |
|
32 |
and fBall was transferred to Ball using the transfer relation pcr_fset. Therefore transfer |
|
| 67399 | 33 |
is looking for a transfer rule for |\<subseteq>| with a transfer relation that mixes (=) and pcr_fset. |
| 61368 | 34 |
This situation might be confusing because the real problem (a missing transfer rule) propagates |
35 |
during the transferring algorithm and manifests later in an obfuscated way. Fortunately, |
|
36 |
we could inspect the behavior of transfer in a more interactive way to pin down the real problem. |
|
37 |
*) |
|
38 |
oops |
|
39 |
||
40 |
lemma "(A |\<subseteq>| B) = fBall A (\<lambda>x. x |\<in>| B)" |
|
41 |
apply transfer_start |
|
42 |
(* Setups 6 goals for 6 transfer rules that have to be found and the result as the 7. goal, which |
|
43 |
gets synthesized to the final result of transferring when we find the 6 transfer rules. *) |
|
44 |
apply transfer_step |
|
45 |
(* We can see that the default reflexivity transfer rule was applied and |\<in>| |
|
46 |
was transferred to |\<in>| \<Longrightarrow> there is no genuine transfer rule for |\<in>|. *) |
|
47 |
oops |
|
48 |
||
49 |
(* We provide a transfer rule for |\<in>|. *) |
|
| 67399 | 50 |
lemma [transfer_rule]: "bi_unique A \<Longrightarrow> rel_fun A (rel_fun (pcr_fset A) (=)) (\<in>) (|\<in>|)" |
| 61368 | 51 |
by (rule fmember.transfer) |
52 |
||
53 |
lemma "(A |\<subseteq>| B) = fBall A (\<lambda>x. x |\<in>| B)" |
|
54 |
apply transfer_start |
|
55 |
apply transfer_step (* The new transfer rule was selected and |\<in>| was transferred to \<in>. *) |
|
56 |
apply transfer_step+ |
|
57 |
apply transfer_end |
|
58 |
by blast |
|
59 |
||
60 |
(* Of course in the real life, we would use transfer instead of transfer_start, transfer_step+ and |
|
61 |
transfer_end. *) |
|
62 |
lemma "(A |\<subseteq>| B) = fBall A (\<lambda>x. x |\<in>| B)" |
|
63 |
by transfer blast |
|
64 |
||
65 |
subsection \<open>2. Unwanted instantiation of a transfer relation variable\<close> |
|
66 |
||
67 |
(* We want to prove the following fact. *) |
|
68 |
lemma "finite (UNIV :: 'a::finite fset set)" |
|
69 |
apply transfer |
|
70 |
(* Transfer does not do anything here. *) |
|
71 |
oops |
|
72 |
||
73 |
(* Let us inspect interactively what happened. *) |
|
74 |
lemma "finite (UNIV :: 'a::finite fset set)" |
|
75 |
apply transfer_start |
|
76 |
apply transfer_step |
|
77 |
(* |
|
78 |
Here we can realize that not an expected transfer rule was chosen. |
|
79 |
We stumbled upon a limitation of Transfer: the tool used the rule Lifting_Set.UNIV_transfer, |
|
80 |
which transfers UNIV to UNIV and assumes that the transfer relation has to be bi-total. |
|
81 |
The problem is that at this point the transfer relation is not known (it is represented by |
|
82 |
a schematic variable ?R) and therefore in order to discharge the assumption "bi_total ?R", ?R is |
|
| 67399 | 83 |
instantiated to (=.) If the relation had been known (we wish pcr_fset (=), which is not bi-total), |
84 |
the assumption bi_total pcr_fset (=) could not have been discharged and the tool would have |
|
| 61368 | 85 |
backtracked and chosen Lifting.right_total_UNIV_transfer, which assumes only right-totalness |
86 |
(and pcr_fset is right-total). |
|
87 |
*) |
|
88 |
back back (* We can force the tool to backtrack and choose the desired transfer rule. *) |
|
89 |
apply transfer_step |
|
90 |
apply transfer_end |
|
91 |
by auto |
|
92 |
||
93 |
(* Of course, to use "back" in proofs is not a desired style. But we can prioritize |
|
94 |
the rule Lifting.right_total_UNIV_transfer by redeclaring it LOCALLY as a transfer rule. |
|
95 |
*) |
|
96 |
lemma "finite (UNIV :: 'a::finite fset set)" |
|
97 |
proof - |
|
98 |
note right_total_UNIV_transfer[transfer_rule] |
|
99 |
show ?thesis by transfer auto |
|
100 |
qed |
|
101 |
||
102 |
end |
|
103 |
||
104 |
(* Let us close the environment of fset transferring and add the rule that we deleted. *) |
|
105 |
lifting_forget fset.lifting (* deletes the extra added transfer rule for |\<in>| *) |
|
106 |
declare fmember_transfer[transfer_rule] (* we want to keep parametricity of |\<in>| *) |
|
107 |
||
108 |
end |