2 theory AdvancedInd = Main:; |
2 theory AdvancedInd = Main:; |
3 (*>*) |
3 (*>*) |
4 |
4 |
5 text{*\noindent |
5 text{*\noindent |
6 Now that we have learned about rules and logic, we take another look at the |
6 Now that we have learned about rules and logic, we take another look at the |
7 finer points of induction. The two questions we answer are: what to do if the |
7 finer points of induction. We consider two questions: what to do if the |
8 proposition to be proved is not directly amenable to induction |
8 proposition to be proved is not directly amenable to induction |
9 (\S\ref{sec:ind-var-in-prems}), and how to utilize (\S\ref{sec:complete-ind}) |
9 (\S\ref{sec:ind-var-in-prems}), and how to utilize (\S\ref{sec:complete-ind}) |
10 and even derive (\S\ref{sec:derive-ind}) new induction schemas. We conclude |
10 and even derive (\S\ref{sec:derive-ind}) new induction schemas. We conclude |
11 with an extended example of induction (\S\ref{sec:CTL-revisited}). |
11 with an extended example of induction (\S\ref{sec:CTL-revisited}). |
12 *}; |
12 *}; |
13 |
13 |
14 subsection{*Massaging the Proposition*}; |
14 subsection{*Massaging the Proposition*}; |
15 |
15 |
16 text{*\label{sec:ind-var-in-prems} |
16 text{*\label{sec:ind-var-in-prems} |
17 Often we have assumed that the theorem we want to prove is already in a form |
17 Often we have assumed that the theorem to be proved is already in a form |
18 that is amenable to induction, but sometimes it isn't. |
18 that is amenable to induction, but sometimes it isn't. |
19 Here is an example. |
19 Here is an example. |
20 Since @{term"hd"} and @{term"last"} return the first and last element of a |
20 Since @{term"hd"} and @{term"last"} return the first and last element of a |
21 non-empty list, this lemma looks easy to prove: |
21 non-empty list, this lemma looks easy to prove: |
22 *}; |
22 *}; |
29 \begin{quote}\tt |
29 \begin{quote}\tt |
30 Induction variable occurs also among premises! |
30 Induction variable occurs also among premises! |
31 \end{quote} |
31 \end{quote} |
32 and leads to the base case |
32 and leads to the base case |
33 @{subgoals[display,indent=0,goals_limit=1]} |
33 @{subgoals[display,indent=0,goals_limit=1]} |
34 After simplification, it becomes |
34 Simplification reduces the base case to this: |
35 \begin{isabelle} |
35 \begin{isabelle} |
36 \ 1.\ xs\ {\isasymnoteq}\ []\ {\isasymLongrightarrow}\ hd\ []\ =\ last\ [] |
36 \ 1.\ xs\ {\isasymnoteq}\ []\ {\isasymLongrightarrow}\ hd\ []\ =\ last\ [] |
37 \end{isabelle} |
37 \end{isabelle} |
38 We cannot prove this equality because we do not know what @{term hd} and |
38 We cannot prove this equality because we do not know what @{term hd} and |
39 @{term last} return when applied to @{term"[]"}. |
39 @{term last} return when applied to @{term"[]"}. |
40 |
40 |
41 We should not have ignored the warning. Because the induction |
41 We should not have ignored the warning. Because the induction |
42 formula is only the conclusion, induction does not affect the occurrence of @{term xs} in the premises. |
42 formula is only the conclusion, induction does not affect the occurrence of @{term xs} in the premises. |
43 Thus the case that should have been trivial |
43 Thus the case that should have been trivial |
44 becomes unprovable. Fortunately, the solution is easy:\footnote{A very similar |
44 becomes unprovable. Fortunately, the solution is easy:\footnote{A similar |
45 heuristic applies to rule inductions; see \S\ref{sec:rtc}.} |
45 heuristic applies to rule inductions; see \S\ref{sec:rtc}.} |
46 \begin{quote} |
46 \begin{quote} |
47 \emph{Pull all occurrences of the induction variable into the conclusion |
47 \emph{Pull all occurrences of the induction variable into the conclusion |
48 using @{text"\<longrightarrow>"}.} |
48 using @{text"\<longrightarrow>"}.} |
49 \end{quote} |
49 \end{quote} |
50 Thus we should state the lemma as an ordinary |
50 Thus we should state the lemma as an ordinary |
51 implication~(@{text"\<longrightarrow>"}), letting |
51 implication~(@{text"\<longrightarrow>"}), letting |
52 @{text rule_format} (\S\ref{sec:forward}) convert the |
52 \attrdx{rule_format} (\S\ref{sec:forward}) convert the |
53 result to the usual @{text"\<Longrightarrow>"} form: |
53 result to the usual @{text"\<Longrightarrow>"} form: |
54 *}; |
54 *}; |
55 (*<*)oops;(*>*) |
55 (*<*)oops;(*>*) |
56 lemma hd_rev [rule_format]: "xs \<noteq> [] \<longrightarrow> hd(rev xs) = last xs"; |
56 lemma hd_rev [rule_format]: "xs \<noteq> [] \<longrightarrow> hd(rev xs) = last xs"; |
57 (*<*) |
57 (*<*) |
63 @{subgoals[display,indent=0,goals_limit=1]} |
63 @{subgoals[display,indent=0,goals_limit=1]} |
64 And @{text"auto"} completes the proof. |
64 And @{text"auto"} completes the proof. |
65 |
65 |
66 If there are multiple premises $A@1$, \dots, $A@n$ containing the |
66 If there are multiple premises $A@1$, \dots, $A@n$ containing the |
67 induction variable, you should turn the conclusion $C$ into |
67 induction variable, you should turn the conclusion $C$ into |
68 \[ A@1 \longrightarrow \cdots A@n \longrightarrow C \] |
68 \[ A@1 \longrightarrow \cdots A@n \longrightarrow C. \] |
69 Additionally, you may also have to universally quantify some other variables, |
69 Additionally, you may also have to universally quantify some other variables, |
70 which can yield a fairly complex conclusion. However, @{text rule_format} |
70 which can yield a fairly complex conclusion. However, @{text rule_format} |
71 can remove any number of occurrences of @{text"\<forall>"} and |
71 can remove any number of occurrences of @{text"\<forall>"} and |
72 @{text"\<longrightarrow>"}. |
72 @{text"\<longrightarrow>"}. |
73 *} |
73 *} |
80 lemma simple[rule_format]: "\<forall>y. A y \<longrightarrow> B y \<longrightarrow> B y \<and> A y"; |
80 lemma simple[rule_format]: "\<forall>y. A y \<longrightarrow> B y \<longrightarrow> B y \<and> A y"; |
81 by blast; |
81 by blast; |
82 *) |
82 *) |
83 |
83 |
84 text{* |
84 text{* |
|
85 \index{induction!on a term}% |
85 A second reason why your proposition may not be amenable to induction is that |
86 A second reason why your proposition may not be amenable to induction is that |
86 you want to induct on a whole term, rather than an individual variable. In |
87 you want to induct on a complex term, rather than a variable. In |
87 general, when inducting on some term $t$ you must rephrase the conclusion $C$ |
88 general, induction on a term~$t$ requires rephrasing the conclusion~$C$ |
88 as |
89 as |
89 \begin{equation}\label{eqn:ind-over-term} |
90 \begin{equation}\label{eqn:ind-over-term} |
90 \forall y@1 \dots y@n.~ x = t \longrightarrow C |
91 \forall y@1 \dots y@n.~ x = t \longrightarrow C. |
91 \end{equation} |
92 \end{equation} |
92 where $y@1 \dots y@n$ are the free variables in $t$ and $x$ is new, and |
93 where $y@1 \dots y@n$ are the free variables in $t$ and $x$ is a new variable. |
93 perform induction on $x$ afterwards. An example appears in |
94 Now you can perform |
|
95 perform induction on~$x$. An example appears in |
94 \S\ref{sec:complete-ind} below. |
96 \S\ref{sec:complete-ind} below. |
95 |
97 |
96 The very same problem may occur in connection with rule induction. Remember |
98 The very same problem may occur in connection with rule induction. Remember |
97 that it requires a premise of the form $(x@1,\dots,x@k) \in R$, where $R$ is |
99 that it requires a premise of the form $(x@1,\dots,x@k) \in R$, where $R$ is |
98 some inductively defined set and the $x@i$ are variables. If instead we have |
100 some inductively defined set and the $x@i$ are variables. If instead we have |
99 a premise $t \in R$, where $t$ is not just an $n$-tuple of variables, we |
101 a premise $t \in R$, where $t$ is not just an $n$-tuple of variables, we |
100 replace it with $(x@1,\dots,x@k) \in R$, and rephrase the conclusion $C$ as |
102 replace it with $(x@1,\dots,x@k) \in R$, and rephrase the conclusion $C$ as |
101 \[ \forall y@1 \dots y@n.~ (x@1,\dots,x@k) = t \longrightarrow C \] |
103 \[ \forall y@1 \dots y@n.~ (x@1,\dots,x@k) = t \longrightarrow C. \] |
102 For an example see \S\ref{sec:CTL-revisited} below. |
104 For an example see \S\ref{sec:CTL-revisited} below. |
103 |
105 |
104 Of course, all premises that share free variables with $t$ need to be pulled into |
106 Of course, all premises that share free variables with $t$ need to be pulled into |
105 the conclusion as well, under the @{text"\<forall>"}, again using @{text"\<longrightarrow>"} as shown above. |
107 the conclusion as well, under the @{text"\<forall>"}, again using @{text"\<longrightarrow>"} as shown above. |
106 |
108 |
130 recursive function that could furnish a more appropriate |
132 recursive function that could furnish a more appropriate |
131 induction schema. In such cases a general-purpose induction schema can |
133 induction schema. In such cases a general-purpose induction schema can |
132 be helpful. We show how to apply such induction schemas by an example. |
134 be helpful. We show how to apply such induction schemas by an example. |
133 |
135 |
134 Structural induction on @{typ"nat"} is |
136 Structural induction on @{typ"nat"} is |
135 usually known as mathematical induction. There is also \emph{complete} |
137 usually known as mathematical induction. There is also \textbf{complete} |
136 induction, where you must prove $P(n)$ under the assumption that $P(m)$ |
138 \index{induction!complete}% |
137 holds for all $m<n$. In Isabelle, this is the theorem @{thm[source]nat_less_induct}: |
139 induction, where you prove $P(n)$ under the assumption that $P(m)$ |
|
140 holds for all $m<n$. In Isabelle, this is the theorem \tdx{nat_less_induct}: |
138 @{thm[display]"nat_less_induct"[no_vars]} |
141 @{thm[display]"nat_less_induct"[no_vars]} |
139 As an example of its application we prove a property of the following |
142 As an application, we prove a property of the following |
140 function: |
143 function: |
141 *}; |
144 *}; |
142 |
145 |
143 consts f :: "nat \<Rightarrow> nat"; |
146 consts f :: "nat \<Rightarrow> nat"; |
144 axioms f_ax: "f(f(n)) < f(Suc(n))"; |
147 axioms f_ax: "f(f(n)) < f(Suc(n))"; |
167 *}; |
170 *}; |
168 |
171 |
169 apply(induct_tac k rule: nat_less_induct); |
172 apply(induct_tac k rule: nat_less_induct); |
170 |
173 |
171 txt{*\noindent |
174 txt{*\noindent |
172 which leaves us with the following proof state: |
175 We get the following proof state: |
173 @{subgoals[display,indent=0,margin=65]} |
176 @{subgoals[display,indent=0,margin=65]} |
174 After stripping the @{text"\<forall>i"}, the proof continues with a case |
177 After stripping the @{text"\<forall>i"}, the proof continues with a case |
175 distinction on @{term"i"}. The case @{prop"i = 0"} is trivial and we focus on |
178 distinction on @{term"i"}. The case @{prop"i = 0"} is trivial and we focus on |
176 the other case: |
179 the other case: |
177 *} |
180 *} |
203 rule @{thm[source]le_less_trans}. |
206 rule @{thm[source]le_less_trans}. |
204 Using the induction hypothesis once more we obtain @{prop"j <= f j"} |
207 Using the induction hypothesis once more we obtain @{prop"j <= f j"} |
205 which, together with (2) yields @{prop"j < f (Suc j)"} (again by |
208 which, together with (2) yields @{prop"j < f (Suc j)"} (again by |
206 @{thm[source]le_less_trans}). |
209 @{thm[source]le_less_trans}). |
207 |
210 |
208 This last step shows both the power and the danger of automatic proofs: they |
211 This last step shows both the power and the danger of automatic proofs. They |
209 will usually not tell you how the proof goes, because it can be very hard to |
212 will usually not tell you how the proof goes, because it can be hard to |
210 translate the internal proof into a human-readable format. Therefore |
213 translate the internal proof into a human-readable format. Automatic |
211 Chapter~\ref{sec:part2?} introduces a language for writing readable |
214 proofs are easy to write but hard to read and understand. |
212 proofs. |
215 |
213 |
216 The desired result, @{prop"i <= f i"}, follows from @{thm[source]f_incr_lem}: |
214 We can now derive the desired @{prop"i <= f i"} from @{thm[source]f_incr_lem}: |
|
215 *}; |
217 *}; |
216 |
218 |
217 lemmas f_incr = f_incr_lem[rule_format, OF refl]; |
219 lemmas f_incr = f_incr_lem[rule_format, OF refl]; |
218 |
220 |
219 text{*\noindent |
221 text{*\noindent |
252 *} |
254 *} |
253 |
255 |
254 subsection{*Derivation of New Induction Schemas*}; |
256 subsection{*Derivation of New Induction Schemas*}; |
255 |
257 |
256 text{*\label{sec:derive-ind} |
258 text{*\label{sec:derive-ind} |
|
259 \index{induction!deriving new schemas}% |
257 Induction schemas are ordinary theorems and you can derive new ones |
260 Induction schemas are ordinary theorems and you can derive new ones |
258 whenever you wish. This section shows you how to, using the example |
261 whenever you wish. This section shows you how, using the example |
259 of @{thm[source]nat_less_induct}. Assume we only have structural induction |
262 of @{thm[source]nat_less_induct}. Assume we only have structural induction |
260 available for @{typ"nat"} and want to derive complete induction. This |
263 available for @{typ"nat"} and want to derive complete induction. We |
261 requires us to generalize the statement first: |
264 must generalize the statement as shown: |
262 *}; |
265 *}; |
263 |
266 |
264 lemma induct_lem: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> \<forall>m<n. P m"; |
267 lemma induct_lem: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> \<forall>m<n. P m"; |
265 apply(induct_tac n); |
268 apply(induct_tac n); |
266 |
269 |
287 |
290 |
288 theorem nat_less_induct: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> P n"; |
291 theorem nat_less_induct: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> P n"; |
289 by(insert induct_lem, blast); |
292 by(insert induct_lem, blast); |
290 |
293 |
291 text{* |
294 text{* |
292 Finally we should remind the reader that HOL already provides the mother of |
295 HOL already provides the mother of |
293 all inductions, well-founded induction (see \S\ref{sec:Well-founded}). For |
296 all inductions, well-founded induction (see \S\ref{sec:Well-founded}). For |
294 example theorem @{thm[source]nat_less_induct} is |
297 example theorem @{thm[source]nat_less_induct} is |
295 a special case of @{thm[source]wf_induct} where @{term r} is @{text"<"} on |
298 a special case of @{thm[source]wf_induct} where @{term r} is @{text"<"} on |
296 @{typ nat}. The details can be found in theory \isa{Wellfounded_Recursion}. |
299 @{typ nat}. The details can be found in theory \isa{Wellfounded_Recursion}. |
297 *} |
300 *} |