186 % |
186 % |
187 \begin{isamarkuptext}% |
187 \begin{isamarkuptext}% |
188 The \cmd{fun} command provides a |
188 The \cmd{fun} command provides a |
189 convenient shorthand notation for simple function definitions. In |
189 convenient shorthand notation for simple function definitions. In |
190 this mode, Isabelle tries to solve all the necessary proof obligations |
190 this mode, Isabelle tries to solve all the necessary proof obligations |
191 automatically. If a proof fails, the definition is |
191 automatically. If any proof fails, the definition is |
192 rejected. This can either mean that the definition is indeed faulty, |
192 rejected. This can either mean that the definition is indeed faulty, |
193 or that the default proof procedures are just not smart enough (or |
193 or that the default proof procedures are just not smart enough (or |
194 rather: not designed) to handle the definition. |
194 rather: not designed) to handle the definition. |
195 |
195 |
196 By expanding the abbreviation to the more verbose \cmd{function} command, these proof obligations become visible and can be analyzed or |
196 By expanding the abbreviation to the more verbose \cmd{function} command, these proof obligations become visible and can be analyzed or |
204 \cmd{where}\\% |
204 \cmd{where}\\% |
205 \hspace*{2ex}{\it equations}\\% |
205 \hspace*{2ex}{\it equations}\\% |
206 \hspace*{2ex}\vdots\vspace*{6pt} |
206 \hspace*{2ex}\vdots\vspace*{6pt} |
207 \end{minipage}\right] |
207 \end{minipage}\right] |
208 \quad\equiv\quad |
208 \quad\equiv\quad |
209 \left[\;\begin{minipage}{0.45\textwidth}\vspace{6pt} |
209 \left[\;\begin{minipage}{0.48\textwidth}\vspace{6pt} |
210 \cmd{function} \isa{{\isacharparenleft}}\cmd{sequential}\isa{{\isacharparenright}\ f\ {\isacharcolon}{\isacharcolon}\ {\isasymtau}}\\% |
210 \cmd{function} \isa{{\isacharparenleft}}\cmd{sequential}\isa{{\isacharparenright}\ f\ {\isacharcolon}{\isacharcolon}\ {\isasymtau}}\\% |
211 \cmd{where}\\% |
211 \cmd{where}\\% |
212 \hspace*{2ex}{\it equations}\\% |
212 \hspace*{2ex}{\it equations}\\% |
213 \hspace*{2ex}\vdots\\% |
213 \hspace*{2ex}\vdots\\% |
214 \cmd{by} \isa{pat{\isacharunderscore}completeness\ auto}\\% |
214 \cmd{by} \isa{pat{\isacharunderscore}completeness\ auto}\\% |
316 type \isa{{\isacharparenleft}{\isacharprime}a\ {\isasymtimes}\ {\isacharprime}a{\isacharparenright}\ set}, where \isa{{\isacharprime}a} is the argument type of |
316 type \isa{{\isacharparenleft}{\isacharprime}a\ {\isasymtimes}\ {\isacharprime}a{\isacharparenright}\ set}, where \isa{{\isacharprime}a} is the argument type of |
317 the function. If the function has multiple curried arguments, then |
317 the function. If the function has multiple curried arguments, then |
318 these are packed together into a tuple, as it happened in the above |
318 these are packed together into a tuple, as it happened in the above |
319 example. |
319 example. |
320 |
320 |
321 The predefined function \isa{measure{\isasymColon}{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ nat{\isacharparenright}\ {\isasymRightarrow}\ {\isacharprime}a\ {\isasymtimes}\ {\isacharprime}a\ {\isasymRightarrow}\ bool} constructs a |
321 The predefined function \isa{{\isachardoublequote}measure\ {\isacharcolon}{\isacharcolon}\ {\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ nat{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymtimes}\ {\isacharprime}a{\isacharparenright}\ set{\isachardoublequote}} constructs a |
322 wellfounded relation from a mapping into the natural numbers (a |
322 wellfounded relation from a mapping into the natural numbers (a |
323 \emph{measure function}). |
323 \emph{measure function}). |
324 |
324 |
325 After the invocation of \isa{relation}, we must prove that (a) |
325 After the invocation of \isa{relation}, we must prove that (a) |
326 the relation we supplied is wellfounded, and (b) that the arguments |
326 the relation we supplied is wellfounded, and (b) that the arguments |
591 % |
591 % |
592 \begin{isamarkuptext}% |
592 \begin{isamarkuptext}% |
593 In proofs like this, the simultaneous induction is really essential: |
593 In proofs like this, the simultaneous induction is really essential: |
594 Even if we are just interested in one of the results, the other |
594 Even if we are just interested in one of the results, the other |
595 one is necessary to strengthen the induction hypothesis. If we leave |
595 one is necessary to strengthen the induction hypothesis. If we leave |
596 out the statement about \isa{odd} (by substituting it with \isa{True}), the same proof fails:% |
596 out the statement about \isa{odd} and just write \isa{True} instead, |
|
597 the same proof fails:% |
597 \end{isamarkuptext}% |
598 \end{isamarkuptext}% |
598 \isamarkuptrue% |
599 \isamarkuptrue% |
599 \isacommand{lemma}\isamarkupfalse% |
600 \isacommand{lemma}\isamarkupfalse% |
600 \ failed{\isacharunderscore}attempt{\isacharcolon}\isanewline |
601 \ failed{\isacharunderscore}attempt{\isacharcolon}\isanewline |
601 \ \ {\isachardoublequoteopen}even\ n\ {\isacharequal}\ {\isacharparenleft}n\ mod\ {\isadigit{2}}\ {\isacharequal}\ {\isadigit{0}}{\isacharparenright}{\isachardoublequoteclose}\isanewline |
602 \ \ {\isachardoublequoteopen}even\ n\ {\isacharequal}\ {\isacharparenleft}n\ mod\ {\isadigit{2}}\ {\isacharequal}\ {\isadigit{0}}{\isacharparenright}{\isachardoublequoteclose}\isanewline |
752 |
753 |
753 The first subgoal expresses the completeness of the patterns. It has |
754 The first subgoal expresses the completeness of the patterns. It has |
754 the form of an elimination rule and states that every \isa{x} of |
755 the form of an elimination rule and states that every \isa{x} of |
755 the function's input type must match at least one of the patterns\footnote{Completeness could |
756 the function's input type must match at least one of the patterns\footnote{Completeness could |
756 be equivalently stated as a disjunction of existential statements: |
757 be equivalently stated as a disjunction of existential statements: |
757 \isa{{\isacharparenleft}{\isasymexists}p{\isachardot}\ x\ {\isacharequal}\ {\isacharparenleft}T{\isacharcomma}\ p{\isacharparenright}{\isacharparenright}\ {\isasymor}\ {\isacharparenleft}{\isasymexists}p{\isachardot}\ x\ {\isacharequal}\ {\isacharparenleft}p{\isacharcomma}\ T{\isacharparenright}{\isacharparenright}\ {\isasymor}\ {\isacharparenleft}{\isasymexists}p{\isachardot}\ x\ {\isacharequal}\ {\isacharparenleft}p{\isacharcomma}\ F{\isacharparenright}{\isacharparenright}\ {\isasymor}\ {\isacharparenleft}{\isasymexists}p{\isachardot}\ x\ {\isacharequal}\ {\isacharparenleft}F{\isacharcomma}\ p{\isacharparenright}{\isacharparenright}\ {\isasymor}\ x\ {\isacharequal}\ {\isacharparenleft}X{\isacharcomma}\ X{\isacharparenright}}.}. If the patterns just involve |
758 \isa{{\isacharparenleft}{\isasymexists}p{\isachardot}\ x\ {\isacharequal}\ {\isacharparenleft}T{\isacharcomma}\ p{\isacharparenright}{\isacharparenright}\ {\isasymor}\ {\isacharparenleft}{\isasymexists}p{\isachardot}\ x\ {\isacharequal}\ {\isacharparenleft}p{\isacharcomma}\ T{\isacharparenright}{\isacharparenright}\ {\isasymor}\ {\isacharparenleft}{\isasymexists}p{\isachardot}\ x\ {\isacharequal}\ {\isacharparenleft}p{\isacharcomma}\ F{\isacharparenright}{\isacharparenright}\ {\isasymor}\ {\isacharparenleft}{\isasymexists}p{\isachardot}\ x\ {\isacharequal}\ {\isacharparenleft}F{\isacharcomma}\ p{\isacharparenright}{\isacharparenright}\ {\isasymor}\ x\ {\isacharequal}\ {\isacharparenleft}X{\isacharcomma}\ X{\isacharparenright}}, and you can use the method \isa{atomize{\isacharunderscore}elim} to get that form instead.}. If the patterns just involve |
758 datatypes, we can solve it with the \isa{pat{\isacharunderscore}completeness} |
759 datatypes, we can solve it with the \isa{pat{\isacharunderscore}completeness} |
759 method:% |
760 method:% |
760 \end{isamarkuptxt}% |
761 \end{isamarkuptxt}% |
761 \isamarkuptrue% |
762 \isamarkuptrue% |
762 \isacommand{apply}\isamarkupfalse% |
763 \isacommand{apply}\isamarkupfalse% |
1790 \begin{isamarkuptext}% |
1791 \begin{isamarkuptext}% |
1791 \noindent We can define a function which swaps the left and right subtrees recursively, using the |
1792 \noindent We can define a function which swaps the left and right subtrees recursively, using the |
1792 list functions \isa{rev} and \isa{map}:% |
1793 list functions \isa{rev} and \isa{map}:% |
1793 \end{isamarkuptext}% |
1794 \end{isamarkuptext}% |
1794 \isamarkuptrue% |
1795 \isamarkuptrue% |
1795 \isacommand{function}\isamarkupfalse% |
1796 \isacommand{fun}\isamarkupfalse% |
1796 \ mirror\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ tree\ {\isasymRightarrow}\ {\isacharprime}a\ tree{\isachardoublequoteclose}\isanewline |
1797 \ mirror\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ tree\ {\isasymRightarrow}\ {\isacharprime}a\ tree{\isachardoublequoteclose}\isanewline |
1797 \isakeyword{where}\isanewline |
1798 \isakeyword{where}\isanewline |
1798 \ \ {\isachardoublequoteopen}mirror\ {\isacharparenleft}Leaf\ n{\isacharparenright}\ {\isacharequal}\ Leaf\ n{\isachardoublequoteclose}\isanewline |
1799 \ \ {\isachardoublequoteopen}mirror\ {\isacharparenleft}Leaf\ n{\isacharparenright}\ {\isacharequal}\ Leaf\ n{\isachardoublequoteclose}\isanewline |
1799 {\isacharbar}\ {\isachardoublequoteopen}mirror\ {\isacharparenleft}Branch\ l{\isacharparenright}\ {\isacharequal}\ Branch\ {\isacharparenleft}rev\ {\isacharparenleft}map\ mirror\ l{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}\isanewline |
1800 {\isacharbar}\ {\isachardoublequoteopen}mirror\ {\isacharparenleft}Branch\ l{\isacharparenright}\ {\isacharequal}\ Branch\ {\isacharparenleft}rev\ {\isacharparenleft}map\ mirror\ l{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}% |
1800 % |
1801 \begin{isamarkuptext}% |
1801 \isadelimproof |
1802 Although the definition is accepted without problems, let us look at the termination proof:% |
1802 % |
|
1803 \endisadelimproof |
|
1804 % |
|
1805 \isatagproof |
|
1806 \isacommand{by}\isamarkupfalse% |
|
1807 \ pat{\isacharunderscore}completeness\ auto% |
|
1808 \endisatagproof |
|
1809 {\isafoldproof}% |
|
1810 % |
|
1811 \isadelimproof |
|
1812 % |
|
1813 \endisadelimproof |
|
1814 % |
|
1815 \begin{isamarkuptext}% |
|
1816 \emph{Note: The handling of size functions is currently changing |
|
1817 in the developers version of Isabelle. So this documentation is outdated.}% |
|
1818 \end{isamarkuptext}% |
1803 \end{isamarkuptext}% |
1819 \isamarkuptrue% |
1804 \isamarkuptrue% |
1820 \isacommand{termination}\isamarkupfalse% |
1805 \isacommand{termination}\isamarkupfalse% |
1821 % |
1806 % |
1822 \isadelimproof |
1807 \isadelimproof |
1827 \isacommand{proof}\isamarkupfalse% |
1812 \isacommand{proof}\isamarkupfalse% |
1828 % |
1813 % |
1829 \begin{isamarkuptxt}% |
1814 \begin{isamarkuptxt}% |
1830 As usual, we have to give a wellfounded relation, such that the |
1815 As usual, we have to give a wellfounded relation, such that the |
1831 arguments of the recursive calls get smaller. But what exactly are |
1816 arguments of the recursive calls get smaller. But what exactly are |
1832 the arguments of the recursive calls? Isabelle gives us the |
1817 the arguments of the recursive calls when mirror is given as an |
|
1818 argument to map? Isabelle gives us the |
1833 subgoals |
1819 subgoals |
1834 |
1820 |
1835 \begin{isabelle}% |
1821 \begin{isabelle}% |
1836 \ {\isadigit{1}}{\isachardot}\ wf\ {\isacharquery}R\isanewline |
1822 \ {\isadigit{1}}{\isachardot}\ wf\ {\isacharquery}R\isanewline |
1837 \ {\isadigit{2}}{\isachardot}\ {\isasymAnd}l\ x{\isachardot}\ x\ {\isasymin}\ set\ l\ {\isasymLongrightarrow}\ {\isacharparenleft}x{\isacharcomma}\ Branch\ l{\isacharparenright}\ {\isasymin}\ {\isacharquery}R% |
1823 \ {\isadigit{2}}{\isachardot}\ {\isasymAnd}l\ x{\isachardot}\ x\ {\isasymin}\ set\ l\ {\isasymLongrightarrow}\ {\isacharparenleft}x{\isacharcomma}\ Branch\ l{\isacharparenright}\ {\isasymin}\ {\isacharquery}R% |
1838 \end{isabelle} |
1824 \end{isabelle} |
1839 |
1825 |
1840 So Isabelle seems to know that \isa{map} behaves nicely and only |
1826 So the system seems to know that \isa{map} only |
1841 applies the recursive call \isa{mirror} to elements |
1827 applies the recursive call \isa{mirror} to elements |
1842 of \isa{l}. Before we discuss where this knowledge comes from, |
1828 of \isa{l}, which is essential for the termination proof. |
1843 let us finish the termination proof:% |
1829 |
1844 \end{isamarkuptxt}% |
1830 This knowledge about map is encoded in so-called congruence rules, |
1845 \isamarkuptrue% |
|
1846 \ \ \isacommand{show}\isamarkupfalse% |
|
1847 \ {\isachardoublequoteopen}wf\ {\isacharparenleft}measure\ size{\isacharparenright}{\isachardoublequoteclose}\ \isacommand{by}\isamarkupfalse% |
|
1848 \ simp\isanewline |
|
1849 \isacommand{next}\isamarkupfalse% |
|
1850 \isanewline |
|
1851 \ \ \isacommand{fix}\isamarkupfalse% |
|
1852 \ f\ l\ \isakeyword{and}\ x\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ tree{\isachardoublequoteclose}\isanewline |
|
1853 \ \ \isacommand{assume}\isamarkupfalse% |
|
1854 \ {\isachardoublequoteopen}x\ {\isasymin}\ set\ l{\isachardoublequoteclose}\isanewline |
|
1855 \ \ \isacommand{thus}\isamarkupfalse% |
|
1856 \ {\isachardoublequoteopen}{\isacharparenleft}x{\isacharcomma}\ Branch\ l{\isacharparenright}\ {\isasymin}\ measure\ size{\isachardoublequoteclose}\isanewline |
|
1857 \ \ \ \ \isacommand{apply}\isamarkupfalse% |
|
1858 \ simp% |
|
1859 \begin{isamarkuptxt}% |
|
1860 Simplification returns the following subgoal: |
|
1861 |
|
1862 \begin{isabelle}% |
|
1863 {\isadigit{1}}{\isachardot}\ x\ {\isasymin}\ set\ l\ {\isasymLongrightarrow}\ size\ x\ {\isacharless}\ Suc\ {\isacharparenleft}list{\isacharunderscore}size\ size\ l{\isacharparenright}% |
|
1864 \end{isabelle} |
|
1865 |
|
1866 We are lacking a property about the function \isa{tree{\isacharunderscore}list{\isacharunderscore}size}, which was generated automatically at the |
|
1867 definition of the \isa{tree} type. We should go back and prove |
|
1868 it, by induction.% |
|
1869 \end{isamarkuptxt}% |
|
1870 \isamarkuptrue% |
|
1871 \ \ \ \ % |
|
1872 \endisatagproof |
|
1873 {\isafoldproof}% |
|
1874 % |
|
1875 \isadelimproof |
|
1876 % |
|
1877 \endisadelimproof |
|
1878 % |
|
1879 \begin{isamarkuptext}% |
|
1880 Now the whole termination proof is automatic:% |
|
1881 \end{isamarkuptext}% |
|
1882 \isamarkuptrue% |
|
1883 \isacommand{termination}\isamarkupfalse% |
|
1884 \ \isanewline |
|
1885 % |
|
1886 \isadelimproof |
|
1887 \ \ % |
|
1888 \endisadelimproof |
|
1889 % |
|
1890 \isatagproof |
|
1891 \isacommand{by}\isamarkupfalse% |
|
1892 \ lexicographic{\isacharunderscore}order% |
|
1893 \endisatagproof |
|
1894 {\isafoldproof}% |
|
1895 % |
|
1896 \isadelimproof |
|
1897 % |
|
1898 \endisadelimproof |
|
1899 % |
|
1900 \isamarkupsubsection{Congruence Rules% |
|
1901 } |
|
1902 \isamarkuptrue% |
|
1903 % |
|
1904 \begin{isamarkuptext}% |
|
1905 Let's come back to the question how Isabelle knows about \isa{map}. |
|
1906 |
|
1907 The knowledge about map is encoded in so-called congruence rules, |
|
1908 which are special theorems known to the \cmd{function} command. The |
1831 which are special theorems known to the \cmd{function} command. The |
1909 rule for map is |
1832 rule for map is |
1910 |
1833 |
1911 \begin{isabelle}% |
1834 \begin{isabelle}% |
1912 {\isasymlbrakk}{\isacharquery}xs\ {\isacharequal}\ {\isacharquery}ys{\isacharsemicolon}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymin}\ set\ {\isacharquery}ys\ {\isasymLongrightarrow}\ {\isacharquery}f\ x\ {\isacharequal}\ {\isacharquery}g\ x{\isasymrbrakk}\ {\isasymLongrightarrow}\ map\ {\isacharquery}f\ {\isacharquery}xs\ {\isacharequal}\ map\ {\isacharquery}g\ {\isacharquery}ys% |
1835 {\isasymlbrakk}{\isacharquery}xs\ {\isacharequal}\ {\isacharquery}ys{\isacharsemicolon}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymin}\ set\ {\isacharquery}ys\ {\isasymLongrightarrow}\ {\isacharquery}f\ x\ {\isacharequal}\ {\isacharquery}g\ x{\isasymrbrakk}\ {\isasymLongrightarrow}\ map\ {\isacharquery}f\ {\isacharquery}xs\ {\isacharequal}\ map\ {\isacharquery}g\ {\isacharquery}ys% |
1913 \end{isabelle} |
1836 \end{isabelle} |
1914 |
1837 |
1915 You can read this in the following way: Two applications of \isa{map} are equal, if the list arguments are equal and the functions |
1838 You can read this in the following way: Two applications of \isa{map} are equal, if the list arguments are equal and the functions |
1916 coincide on the elements of the list. This means that for the value |
1839 coincide on the elements of the list. This means that for the value |
1917 \isa{map\ f\ l} we only have to know how \isa{f} behaves on |
1840 \isa{map\ f\ l} we only have to know how \isa{f} behaves on |
1918 \isa{l}. |
1841 the elements of \isa{l}. |
1919 |
1842 |
1920 Usually, one such congruence rule is |
1843 Usually, one such congruence rule is |
1921 needed for each higher-order construct that is used when defining |
1844 needed for each higher-order construct that is used when defining |
1922 new functions. In fact, even basic functions like \isa{If} and \isa{Let} are handled by this mechanism. The congruence |
1845 new functions. In fact, even basic functions like \isa{If} and \isa{Let} are handled by this mechanism. The congruence |
1923 rule for \isa{If} states that the \isa{then} branch is only |
1846 rule for \isa{If} states that the \isa{then} branch is only |
1932 Congruence rules can be added to the |
1855 Congruence rules can be added to the |
1933 function package by giving them the \isa{fundef{\isacharunderscore}cong} attribute. |
1856 function package by giving them the \isa{fundef{\isacharunderscore}cong} attribute. |
1934 |
1857 |
1935 The constructs that are predefined in Isabelle, usually |
1858 The constructs that are predefined in Isabelle, usually |
1936 come with the respective congruence rules. |
1859 come with the respective congruence rules. |
1937 But if you define your own higher-order functions, you will have to |
1860 But if you define your own higher-order functions, you may have to |
1938 come up with the congruence rules yourself, if you want to use your |
1861 state and prove the required congruence rules yourself, if you want to use your |
1939 functions in recursive definitions.% |
1862 functions in recursive definitions.% |
1940 \end{isamarkuptext}% |
1863 \end{isamarkuptxt}% |
1941 \isamarkuptrue% |
1864 \isamarkuptrue% |
|
1865 % |
|
1866 \endisatagproof |
|
1867 {\isafoldproof}% |
|
1868 % |
|
1869 \isadelimproof |
|
1870 % |
|
1871 \endisadelimproof |
1942 % |
1872 % |
1943 \isamarkupsubsection{Congruence Rules and Evaluation Order% |
1873 \isamarkupsubsection{Congruence Rules and Evaluation Order% |
1944 } |
1874 } |
1945 \isamarkuptrue% |
1875 \isamarkuptrue% |
1946 % |
1876 % |