2716 intrs |
2716 intrs |
2717 accI "ALL y. (y, x) : r --> y : acc r ==> x : acc r" |
2717 accI "ALL y. (y, x) : r --> y : acc r ==> x : acc r" |
2718 |
2718 |
2719 end |
2719 end |
2720 \end{ttbox} |
2720 \end{ttbox} |
2721 The Isabelle distribution contains many other inductive definitions. Simple |
2721 The Isabelle distribution contains many other inductive definitions. |
2722 examples are collected on subdirectory \texttt{HOL/Induct}. The theory |
|
2723 \texttt{HOL/Induct/LList} contains coinductive definitions. Larger examples |
|
2724 may be found on other subdirectories of \texttt{HOL}, such as \texttt{IMP}, |
|
2725 \texttt{Lambda} and \texttt{Auth}. |
|
2726 |
2722 |
2727 \index{*coinductive|)} \index{*inductive|)} |
2723 \index{*coinductive|)} \index{*inductive|)} |
2728 |
2724 |
2729 |
2725 |
2730 \section{The examples directories} |
|
2731 |
|
2732 Directory \texttt{HOL/Auth} contains theories for proving the correctness of |
|
2733 cryptographic protocols~\cite{paulson-jcs}. The approach is based upon |
|
2734 operational semantics rather than the more usual belief logics. On the same |
|
2735 directory are proofs for some standard examples, such as the Needham-Schroeder |
|
2736 public-key authentication protocol and the Otway-Rees |
|
2737 protocol. |
|
2738 |
|
2739 Directory \texttt{HOL/IMP} contains a formalization of various denotational, |
|
2740 operational and axiomatic semantics of a simple while-language, the necessary |
|
2741 equivalence proofs, soundness and completeness of the Hoare rules with |
|
2742 respect to the denotational semantics, and soundness and completeness of a |
|
2743 verification condition generator. Much of development is taken from |
|
2744 Winskel~\cite{winskel93}. For details see~\cite{nipkow-IMP}. |
|
2745 |
|
2746 Directory \texttt{HOL/Hoare} contains a user friendly surface syntax for Hoare |
|
2747 logic, including a tactic for generating verification-conditions. |
|
2748 |
|
2749 Directory \texttt{HOL/MiniML} contains a formalization of the type system of |
|
2750 the core functional language Mini-ML and a correctness proof for its type |
|
2751 inference algorithm $\cal W$~\cite{milner78,nipkow-W}. |
|
2752 |
|
2753 Directory \texttt{HOL/Lambda} contains a formalization of untyped |
|
2754 $\lambda$-calculus in de~Bruijn notation and Church-Rosser proofs for $\beta$ |
|
2755 and $\eta$ reduction~\cite{Nipkow-CR}. |
|
2756 |
|
2757 Directory \texttt{HOL/Subst} contains Martin Coen's mechanization of a theory |
|
2758 of substitutions and unifiers. It is based on Paulson's previous |
|
2759 mechanisation in LCF~\cite{paulson85} of Manna and Waldinger's |
|
2760 theory~\cite{mw81}. It demonstrates a complicated use of \texttt{recdef}, |
|
2761 with nested recursion. |
|
2762 |
|
2763 Directory \texttt{HOL/Induct} presents simple examples of (co)inductive |
|
2764 definitions and datatypes. |
|
2765 \begin{itemize} |
|
2766 \item Theory \texttt{PropLog} proves the soundness and completeness of |
|
2767 classical propositional logic, given a truth table semantics. The only |
|
2768 connective is $\imp$. A Hilbert-style axiom system is specified, and its |
|
2769 set of theorems defined inductively. A similar proof in ZF is described |
|
2770 elsewhere~\cite{paulson-set-II}. |
|
2771 |
|
2772 \item Theory \texttt{Term} defines the datatype \texttt{term}. |
|
2773 |
|
2774 \item Theory \texttt{ABexp} defines arithmetic and boolean expressions |
|
2775 as mutually recursive datatypes. |
|
2776 |
|
2777 \item The definition of lazy lists demonstrates methods for handling |
|
2778 infinite data structures and coinduction in higher-order |
|
2779 logic~\cite{paulson-coind}.% |
|
2780 \footnote{To be precise, these lists are \emph{potentially infinite} rather |
|
2781 than lazy. Lazy implies a particular operational semantics.} |
|
2782 Theory \thydx{LList} defines an operator for |
|
2783 corecursion on lazy lists, which is used to define a few simple functions |
|
2784 such as map and append. A coinduction principle is defined |
|
2785 for proving equations on lazy lists. |
|
2786 |
|
2787 \item Theory \thydx{LFilter} defines the filter functional for lazy lists. |
|
2788 This functional is notoriously difficult to define because finding the next |
|
2789 element meeting the predicate requires possibly unlimited search. It is not |
|
2790 computable, but can be expressed using a combination of induction and |
|
2791 corecursion. |
|
2792 |
|
2793 \item Theory \thydx{Exp} illustrates the use of iterated inductive definitions |
|
2794 to express a programming language semantics that appears to require mutual |
|
2795 induction. Iterated induction allows greater modularity. |
|
2796 \end{itemize} |
|
2797 |
|
2798 Directory \texttt{HOL/ex} contains other examples and experimental proofs in |
|
2799 HOL. |
|
2800 \begin{itemize} |
|
2801 \item Theory \texttt{Recdef} presents many examples of using \texttt{recdef} |
|
2802 to define recursive functions. Another example is \texttt{Fib}, which |
|
2803 defines the Fibonacci function. |
|
2804 |
|
2805 \item Theory \texttt{Primes} defines the Greatest Common Divisor of two |
|
2806 natural numbers and proves a key lemma of the Fundamental Theorem of |
|
2807 Arithmetic: if $p$ is prime and $p$ divides $m\times n$ then $p$ divides~$m$ |
|
2808 or $p$ divides~$n$. |
|
2809 |
|
2810 \item Theory \texttt{Primrec} develops some computation theory. It |
|
2811 inductively defines the set of primitive recursive functions and presents a |
|
2812 proof that Ackermann's function is not primitive recursive. |
|
2813 |
|
2814 \item File \texttt{cla.ML} demonstrates the classical reasoner on over sixty |
|
2815 predicate calculus theorems, ranging from simple tautologies to |
|
2816 moderately difficult problems involving equality and quantifiers. |
|
2817 |
|
2818 \item File \texttt{meson.ML} contains an experimental implementation of the {\sc |
|
2819 meson} proof procedure, inspired by Plaisted~\cite{plaisted90}. It is |
|
2820 much more powerful than Isabelle's classical reasoner. But it is less |
|
2821 useful in practice because it works only for pure logic; it does not |
|
2822 accept derived rules for the set theory primitives, for example. |
|
2823 |
|
2824 \item File \texttt{mesontest.ML} contains test data for the {\sc meson} proof |
|
2825 procedure. These are mostly taken from Pelletier \cite{pelletier86}. |
|
2826 |
|
2827 \item File \texttt{set.ML} proves Cantor's Theorem, which is presented in |
|
2828 {\S}\ref{sec:hol-cantor} below, and the Schr{\"o}der-Bernstein Theorem. |
|
2829 |
|
2830 \item Theory \texttt{MT} contains Jacob Frost's formalization~\cite{frost93} of |
|
2831 Milner and Tofte's coinduction example~\cite{milner-coind}. This |
|
2832 substantial proof concerns the soundness of a type system for a simple |
|
2833 functional language. The semantics of recursion is given by a cyclic |
|
2834 environment, which makes a coinductive argument appropriate. |
|
2835 \end{itemize} |
|
2836 |
|
2837 |
|
2838 \goodbreak |
|
2839 \section{Example: Cantor's Theorem}\label{sec:hol-cantor} |
2726 \section{Example: Cantor's Theorem}\label{sec:hol-cantor} |
2840 Cantor's Theorem states that every set has more subsets than it has |
2727 Cantor's Theorem states that every set has more subsets than it has |
2841 elements. It has become a favourite example in higher-order logic since |
2728 elements. It has become a favourite example in higher-order logic since |
2842 it is so easily expressed: |
2729 it is so easily expressed: |
2843 \[ \forall f::\alpha \To \alpha \To bool. \exists S::\alpha\To bool. |
2730 \[ \forall f::\alpha \To \alpha \To bool. \exists S::\alpha\To bool. |