|
1 theory HOL_Specific |
|
2 imports Base Main "~~/src/HOL/Library/Old_Recdef" "~~/src/Tools/Adhoc_Overloading" |
|
3 begin |
|
4 |
|
5 chapter {* Higher-Order Logic *} |
|
6 |
|
7 text {* Isabelle/HOL is based on Higher-Order Logic, a polymorphic |
|
8 version of Church's Simple Theory of Types. HOL can be best |
|
9 understood as a simply-typed version of classical set theory. The |
|
10 logic was first implemented in Gordon's HOL system |
|
11 \cite{mgordon-hol}. It extends Church's original logic |
|
12 \cite{church40} by explicit type variables (naive polymorphism) and |
|
13 a sound axiomatization scheme for new types based on subsets of |
|
14 existing types. |
|
15 |
|
16 Andrews's book \cite{andrews86} is a full description of the |
|
17 original Church-style higher-order logic, with proofs of correctness |
|
18 and completeness wrt.\ certain set-theoretic interpretations. The |
|
19 particular extensions of Gordon-style HOL are explained semantically |
|
20 in two chapters of the 1993 HOL book \cite{pitts93}. |
|
21 |
|
22 Experience with HOL over decades has demonstrated that higher-order |
|
23 logic is widely applicable in many areas of mathematics and computer |
|
24 science. In a sense, Higher-Order Logic is simpler than First-Order |
|
25 Logic, because there are fewer restrictions and special cases. Note |
|
26 that HOL is \emph{weaker} than FOL with axioms for ZF set theory, |
|
27 which is traditionally considered the standard foundation of regular |
|
28 mathematics, but for most applications this does not matter. If you |
|
29 prefer ML to Lisp, you will probably prefer HOL to ZF. |
|
30 |
|
31 \medskip The syntax of HOL follows @{text "\<lambda>"}-calculus and |
|
32 functional programming. Function application is curried. To apply |
|
33 the function @{text f} of type @{text "\<tau>\<^sub>1 \<Rightarrow> \<tau>\<^sub>2 \<Rightarrow> \<tau>\<^sub>3"} to the |
|
34 arguments @{text a} and @{text b} in HOL, you simply write @{text "f |
|
35 a b"} (as in ML or Haskell). There is no ``apply'' operator; the |
|
36 existing application of the Pure @{text "\<lambda>"}-calculus is re-used. |
|
37 Note that in HOL @{text "f (a, b)"} means ``@{text "f"} applied to |
|
38 the pair @{text "(a, b)"} (which is notation for @{text "Pair a |
|
39 b"}). The latter typically introduces extra formal efforts that can |
|
40 be avoided by currying functions by default. Explicit tuples are as |
|
41 infrequent in HOL formalizations as in good ML or Haskell programs. |
|
42 |
|
43 \medskip Isabelle/HOL has a distinct feel, compared to other |
|
44 object-logics like Isabelle/ZF. It identifies object-level types |
|
45 with meta-level types, taking advantage of the default |
|
46 type-inference mechanism of Isabelle/Pure. HOL fully identifies |
|
47 object-level functions with meta-level functions, with native |
|
48 abstraction and application. |
|
49 |
|
50 These identifications allow Isabelle to support HOL particularly |
|
51 nicely, but they also mean that HOL requires some sophistication |
|
52 from the user. In particular, an understanding of Hindley-Milner |
|
53 type-inference with type-classes, which are both used extensively in |
|
54 the standard libraries and applications. Beginners can set |
|
55 @{attribute show_types} or even @{attribute show_sorts} to get more |
|
56 explicit information about the result of type-inference. *} |
|
57 |
|
58 |
|
59 chapter {* Derived specification elements *} |
|
60 |
|
61 section {* Inductive and coinductive definitions \label{sec:hol-inductive} *} |
|
62 |
|
63 text {* |
|
64 \begin{matharray}{rcl} |
|
65 @{command_def (HOL) "inductive"} & : & @{text "local_theory \<rightarrow> local_theory"} \\ |
|
66 @{command_def (HOL) "inductive_set"} & : & @{text "local_theory \<rightarrow> local_theory"} \\ |
|
67 @{command_def (HOL) "coinductive"} & : & @{text "local_theory \<rightarrow> local_theory"} \\ |
|
68 @{command_def (HOL) "coinductive_set"} & : & @{text "local_theory \<rightarrow> local_theory"} \\ |
|
69 @{command_def "print_inductives"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\ |
|
70 @{attribute_def (HOL) mono} & : & @{text attribute} \\ |
|
71 \end{matharray} |
|
72 |
|
73 An \emph{inductive definition} specifies the least predicate or set |
|
74 @{text R} closed under given rules: applying a rule to elements of |
|
75 @{text R} yields a result within @{text R}. For example, a |
|
76 structural operational semantics is an inductive definition of an |
|
77 evaluation relation. |
|
78 |
|
79 Dually, a \emph{coinductive definition} specifies the greatest |
|
80 predicate or set @{text R} that is consistent with given rules: |
|
81 every element of @{text R} can be seen as arising by applying a rule |
|
82 to elements of @{text R}. An important example is using |
|
83 bisimulation relations to formalise equivalence of processes and |
|
84 infinite data structures. |
|
85 |
|
86 Both inductive and coinductive definitions are based on the |
|
87 Knaster-Tarski fixed-point theorem for complete lattices. The |
|
88 collection of introduction rules given by the user determines a |
|
89 functor on subsets of set-theoretic relations. The required |
|
90 monotonicity of the recursion scheme is proven as a prerequisite to |
|
91 the fixed-point definition and the resulting consequences. This |
|
92 works by pushing inclusion through logical connectives and any other |
|
93 operator that might be wrapped around recursive occurrences of the |
|
94 defined relation: there must be a monotonicity theorem of the form |
|
95 @{text "A \<le> B \<Longrightarrow> \<M> A \<le> \<M> B"}, for each premise @{text "\<M> R t"} in an |
|
96 introduction rule. The default rule declarations of Isabelle/HOL |
|
97 already take care of most common situations. |
|
98 |
|
99 @{rail \<open> |
|
100 (@@{command (HOL) inductive} | @@{command (HOL) inductive_set} | |
|
101 @@{command (HOL) coinductive} | @@{command (HOL) coinductive_set}) |
|
102 @{syntax target}? \<newline> |
|
103 @{syntax "fixes"} (@'for' @{syntax "fixes"})? (@'where' clauses)? \<newline> |
|
104 (@'monos' @{syntax thmrefs})? |
|
105 ; |
|
106 clauses: (@{syntax thmdecl}? @{syntax prop} + '|') |
|
107 ; |
|
108 @@{attribute (HOL) mono} (() | 'add' | 'del') |
|
109 \<close>} |
|
110 |
|
111 \begin{description} |
|
112 |
|
113 \item @{command (HOL) "inductive"} and @{command (HOL) |
|
114 "coinductive"} define (co)inductive predicates from the introduction |
|
115 rules. |
|
116 |
|
117 The propositions given as @{text "clauses"} in the @{keyword |
|
118 "where"} part are either rules of the usual @{text "\<And>/\<Longrightarrow>"} format |
|
119 (with arbitrary nesting), or equalities using @{text "\<equiv>"}. The |
|
120 latter specifies extra-logical abbreviations in the sense of |
|
121 @{command_ref abbreviation}. Introducing abstract syntax |
|
122 simultaneously with the actual introduction rules is occasionally |
|
123 useful for complex specifications. |
|
124 |
|
125 The optional @{keyword "for"} part contains a list of parameters of |
|
126 the (co)inductive predicates that remain fixed throughout the |
|
127 definition, in contrast to arguments of the relation that may vary |
|
128 in each occurrence within the given @{text "clauses"}. |
|
129 |
|
130 The optional @{keyword "monos"} declaration contains additional |
|
131 \emph{monotonicity theorems}, which are required for each operator |
|
132 applied to a recursive set in the introduction rules. |
|
133 |
|
134 \item @{command (HOL) "inductive_set"} and @{command (HOL) |
|
135 "coinductive_set"} are wrappers for to the previous commands for |
|
136 native HOL predicates. This allows to define (co)inductive sets, |
|
137 where multiple arguments are simulated via tuples. |
|
138 |
|
139 \item @{command "print_inductives"} prints (co)inductive definitions and |
|
140 monotonicity rules. |
|
141 |
|
142 \item @{attribute (HOL) mono} declares monotonicity rules in the |
|
143 context. These rule are involved in the automated monotonicity |
|
144 proof of the above inductive and coinductive definitions. |
|
145 |
|
146 \end{description} |
|
147 *} |
|
148 |
|
149 |
|
150 subsection {* Derived rules *} |
|
151 |
|
152 text {* A (co)inductive definition of @{text R} provides the following |
|
153 main theorems: |
|
154 |
|
155 \begin{description} |
|
156 |
|
157 \item @{text R.intros} is the list of introduction rules as proven |
|
158 theorems, for the recursive predicates (or sets). The rules are |
|
159 also available individually, using the names given them in the |
|
160 theory file; |
|
161 |
|
162 \item @{text R.cases} is the case analysis (or elimination) rule; |
|
163 |
|
164 \item @{text R.induct} or @{text R.coinduct} is the (co)induction |
|
165 rule; |
|
166 |
|
167 \item @{text R.simps} is the equation unrolling the fixpoint of the |
|
168 predicate one step. |
|
169 |
|
170 \end{description} |
|
171 |
|
172 When several predicates @{text "R\<^sub>1, \<dots>, R\<^sub>n"} are |
|
173 defined simultaneously, the list of introduction rules is called |
|
174 @{text "R\<^sub>1_\<dots>_R\<^sub>n.intros"}, the case analysis rules are |
|
175 called @{text "R\<^sub>1.cases, \<dots>, R\<^sub>n.cases"}, and the list |
|
176 of mutual induction rules is called @{text |
|
177 "R\<^sub>1_\<dots>_R\<^sub>n.inducts"}. |
|
178 *} |
|
179 |
|
180 |
|
181 subsection {* Monotonicity theorems *} |
|
182 |
|
183 text {* The context maintains a default set of theorems that are used |
|
184 in monotonicity proofs. New rules can be declared via the |
|
185 @{attribute (HOL) mono} attribute. See the main Isabelle/HOL |
|
186 sources for some examples. The general format of such monotonicity |
|
187 theorems is as follows: |
|
188 |
|
189 \begin{itemize} |
|
190 |
|
191 \item Theorems of the form @{text "A \<le> B \<Longrightarrow> \<M> A \<le> \<M> B"}, for proving |
|
192 monotonicity of inductive definitions whose introduction rules have |
|
193 premises involving terms such as @{text "\<M> R t"}. |
|
194 |
|
195 \item Monotonicity theorems for logical operators, which are of the |
|
196 general form @{text "(\<dots> \<longrightarrow> \<dots>) \<Longrightarrow> \<dots> (\<dots> \<longrightarrow> \<dots>) \<Longrightarrow> \<dots> \<longrightarrow> \<dots>"}. For example, in |
|
197 the case of the operator @{text "\<or>"}, the corresponding theorem is |
|
198 \[ |
|
199 \infer{@{text "P\<^sub>1 \<or> P\<^sub>2 \<longrightarrow> Q\<^sub>1 \<or> Q\<^sub>2"}}{@{text "P\<^sub>1 \<longrightarrow> Q\<^sub>1"} & @{text "P\<^sub>2 \<longrightarrow> Q\<^sub>2"}} |
|
200 \] |
|
201 |
|
202 \item De Morgan style equations for reasoning about the ``polarity'' |
|
203 of expressions, e.g. |
|
204 \[ |
|
205 @{prop "\<not> \<not> P \<longleftrightarrow> P"} \qquad\qquad |
|
206 @{prop "\<not> (P \<and> Q) \<longleftrightarrow> \<not> P \<or> \<not> Q"} |
|
207 \] |
|
208 |
|
209 \item Equations for reducing complex operators to more primitive |
|
210 ones whose monotonicity can easily be proved, e.g. |
|
211 \[ |
|
212 @{prop "(P \<longrightarrow> Q) \<longleftrightarrow> \<not> P \<or> Q"} \qquad\qquad |
|
213 @{prop "Ball A P \<equiv> \<forall>x. x \<in> A \<longrightarrow> P x"} |
|
214 \] |
|
215 |
|
216 \end{itemize} |
|
217 *} |
|
218 |
|
219 subsubsection {* Examples *} |
|
220 |
|
221 text {* The finite powerset operator can be defined inductively like this: *} |
|
222 |
|
223 inductive_set Fin :: "'a set \<Rightarrow> 'a set set" for A :: "'a set" |
|
224 where |
|
225 empty: "{} \<in> Fin A" |
|
226 | insert: "a \<in> A \<Longrightarrow> B \<in> Fin A \<Longrightarrow> insert a B \<in> Fin A" |
|
227 |
|
228 text {* The accessible part of a relation is defined as follows: *} |
|
229 |
|
230 inductive acc :: "('a \<Rightarrow> 'a \<Rightarrow> bool) \<Rightarrow> 'a \<Rightarrow> bool" |
|
231 for r :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infix "\<prec>" 50) |
|
232 where acc: "(\<And>y. y \<prec> x \<Longrightarrow> acc r y) \<Longrightarrow> acc r x" |
|
233 |
|
234 text {* Common logical connectives can be easily characterized as |
|
235 non-recursive inductive definitions with parameters, but without |
|
236 arguments. *} |
|
237 |
|
238 inductive AND for A B :: bool |
|
239 where "A \<Longrightarrow> B \<Longrightarrow> AND A B" |
|
240 |
|
241 inductive OR for A B :: bool |
|
242 where "A \<Longrightarrow> OR A B" |
|
243 | "B \<Longrightarrow> OR A B" |
|
244 |
|
245 inductive EXISTS for B :: "'a \<Rightarrow> bool" |
|
246 where "B a \<Longrightarrow> EXISTS B" |
|
247 |
|
248 text {* Here the @{text "cases"} or @{text "induct"} rules produced by |
|
249 the @{command inductive} package coincide with the expected |
|
250 elimination rules for Natural Deduction. Already in the original |
|
251 article by Gerhard Gentzen \cite{Gentzen:1935} there is a hint that |
|
252 each connective can be characterized by its introductions, and the |
|
253 elimination can be constructed systematically. *} |
|
254 |
|
255 |
|
256 section {* Recursive functions \label{sec:recursion} *} |
|
257 |
|
258 text {* |
|
259 \begin{matharray}{rcl} |
|
260 @{command_def (HOL) "primrec"} & : & @{text "local_theory \<rightarrow> local_theory"} \\ |
|
261 @{command_def (HOL) "fun"} & : & @{text "local_theory \<rightarrow> local_theory"} \\ |
|
262 @{command_def (HOL) "function"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\ |
|
263 @{command_def (HOL) "termination"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\ |
|
264 @{command_def (HOL) "fun_cases"} & : & @{text "local_theory \<rightarrow> local_theory"} \\ |
|
265 \end{matharray} |
|
266 |
|
267 @{rail \<open> |
|
268 @@{command (HOL) primrec} @{syntax target}? @{syntax "fixes"} @'where' equations |
|
269 ; |
|
270 (@@{command (HOL) fun} | @@{command (HOL) function}) @{syntax target}? functionopts? |
|
271 @{syntax "fixes"} \<newline> @'where' equations |
|
272 ; |
|
273 |
|
274 equations: (@{syntax thmdecl}? @{syntax prop} + '|') |
|
275 ; |
|
276 functionopts: '(' (('sequential' | 'domintros') + ',') ')' |
|
277 ; |
|
278 @@{command (HOL) termination} @{syntax term}? |
|
279 ; |
|
280 @@{command (HOL) fun_cases} (@{syntax thmdecl}? @{syntax prop} + @'and') |
|
281 \<close>} |
|
282 |
|
283 \begin{description} |
|
284 |
|
285 \item @{command (HOL) "primrec"} defines primitive recursive |
|
286 functions over datatypes (see also @{command_ref (HOL) datatype} and |
|
287 @{command_ref (HOL) rep_datatype}). The given @{text equations} |
|
288 specify reduction rules that are produced by instantiating the |
|
289 generic combinator for primitive recursion that is available for |
|
290 each datatype. |
|
291 |
|
292 Each equation needs to be of the form: |
|
293 |
|
294 @{text [display] "f x\<^sub>1 \<dots> x\<^sub>m (C y\<^sub>1 \<dots> y\<^sub>k) z\<^sub>1 \<dots> z\<^sub>n = rhs"} |
|
295 |
|
296 such that @{text C} is a datatype constructor, @{text rhs} contains |
|
297 only the free variables on the left-hand side (or from the context), |
|
298 and all recursive occurrences of @{text "f"} in @{text "rhs"} are of |
|
299 the form @{text "f \<dots> y\<^sub>i \<dots>"} for some @{text i}. At most one |
|
300 reduction rule for each constructor can be given. The order does |
|
301 not matter. For missing constructors, the function is defined to |
|
302 return a default value, but this equation is made difficult to |
|
303 access for users. |
|
304 |
|
305 The reduction rules are declared as @{attribute simp} by default, |
|
306 which enables standard proof methods like @{method simp} and |
|
307 @{method auto} to normalize expressions of @{text "f"} applied to |
|
308 datatype constructions, by simulating symbolic computation via |
|
309 rewriting. |
|
310 |
|
311 \item @{command (HOL) "function"} defines functions by general |
|
312 wellfounded recursion. A detailed description with examples can be |
|
313 found in \cite{isabelle-function}. The function is specified by a |
|
314 set of (possibly conditional) recursive equations with arbitrary |
|
315 pattern matching. The command generates proof obligations for the |
|
316 completeness and the compatibility of patterns. |
|
317 |
|
318 The defined function is considered partial, and the resulting |
|
319 simplification rules (named @{text "f.psimps"}) and induction rule |
|
320 (named @{text "f.pinduct"}) are guarded by a generated domain |
|
321 predicate @{text "f_dom"}. The @{command (HOL) "termination"} |
|
322 command can then be used to establish that the function is total. |
|
323 |
|
324 \item @{command (HOL) "fun"} is a shorthand notation for ``@{command |
|
325 (HOL) "function"}~@{text "(sequential)"}, followed by automated |
|
326 proof attempts regarding pattern matching and termination. See |
|
327 \cite{isabelle-function} for further details. |
|
328 |
|
329 \item @{command (HOL) "termination"}~@{text f} commences a |
|
330 termination proof for the previously defined function @{text f}. If |
|
331 this is omitted, the command refers to the most recent function |
|
332 definition. After the proof is closed, the recursive equations and |
|
333 the induction principle is established. |
|
334 |
|
335 \item @{command (HOL) "fun_cases"} generates specialized elimination |
|
336 rules for function equations. It expects one or more function equations |
|
337 and produces rules that eliminate the given equalities, following the cases |
|
338 given in the function definition. |
|
339 \end{description} |
|
340 |
|
341 Recursive definitions introduced by the @{command (HOL) "function"} |
|
342 command accommodate reasoning by induction (cf.\ @{method induct}): |
|
343 rule @{text "f.induct"} refers to a specific induction rule, with |
|
344 parameters named according to the user-specified equations. Cases |
|
345 are numbered starting from 1. For @{command (HOL) "primrec"}, the |
|
346 induction principle coincides with structural recursion on the |
|
347 datatype where the recursion is carried out. |
|
348 |
|
349 The equations provided by these packages may be referred later as |
|
350 theorem list @{text "f.simps"}, where @{text f} is the (collective) |
|
351 name of the functions defined. Individual equations may be named |
|
352 explicitly as well. |
|
353 |
|
354 The @{command (HOL) "function"} command accepts the following |
|
355 options. |
|
356 |
|
357 \begin{description} |
|
358 |
|
359 \item @{text sequential} enables a preprocessor which disambiguates |
|
360 overlapping patterns by making them mutually disjoint. Earlier |
|
361 equations take precedence over later ones. This allows to give the |
|
362 specification in a format very similar to functional programming. |
|
363 Note that the resulting simplification and induction rules |
|
364 correspond to the transformed specification, not the one given |
|
365 originally. This usually means that each equation given by the user |
|
366 may result in several theorems. Also note that this automatic |
|
367 transformation only works for ML-style datatype patterns. |
|
368 |
|
369 \item @{text domintros} enables the automated generation of |
|
370 introduction rules for the domain predicate. While mostly not |
|
371 needed, they can be helpful in some proofs about partial functions. |
|
372 |
|
373 \end{description} |
|
374 *} |
|
375 |
|
376 subsubsection {* Example: evaluation of expressions *} |
|
377 |
|
378 text {* Subsequently, we define mutual datatypes for arithmetic and |
|
379 boolean expressions, and use @{command primrec} for evaluation |
|
380 functions that follow the same recursive structure. *} |
|
381 |
|
382 datatype 'a aexp = |
|
383 IF "'a bexp" "'a aexp" "'a aexp" |
|
384 | Sum "'a aexp" "'a aexp" |
|
385 | Diff "'a aexp" "'a aexp" |
|
386 | Var 'a |
|
387 | Num nat |
|
388 and 'a bexp = |
|
389 Less "'a aexp" "'a aexp" |
|
390 | And "'a bexp" "'a bexp" |
|
391 | Neg "'a bexp" |
|
392 |
|
393 |
|
394 text {* \medskip Evaluation of arithmetic and boolean expressions *} |
|
395 |
|
396 primrec evala :: "('a \<Rightarrow> nat) \<Rightarrow> 'a aexp \<Rightarrow> nat" |
|
397 and evalb :: "('a \<Rightarrow> nat) \<Rightarrow> 'a bexp \<Rightarrow> bool" |
|
398 where |
|
399 "evala env (IF b a1 a2) = (if evalb env b then evala env a1 else evala env a2)" |
|
400 | "evala env (Sum a1 a2) = evala env a1 + evala env a2" |
|
401 | "evala env (Diff a1 a2) = evala env a1 - evala env a2" |
|
402 | "evala env (Var v) = env v" |
|
403 | "evala env (Num n) = n" |
|
404 | "evalb env (Less a1 a2) = (evala env a1 < evala env a2)" |
|
405 | "evalb env (And b1 b2) = (evalb env b1 \<and> evalb env b2)" |
|
406 | "evalb env (Neg b) = (\<not> evalb env b)" |
|
407 |
|
408 text {* Since the value of an expression depends on the value of its |
|
409 variables, the functions @{const evala} and @{const evalb} take an |
|
410 additional parameter, an \emph{environment} that maps variables to |
|
411 their values. |
|
412 |
|
413 \medskip Substitution on expressions can be defined similarly. The |
|
414 mapping @{text f} of type @{typ "'a \<Rightarrow> 'a aexp"} given as a |
|
415 parameter is lifted canonically on the types @{typ "'a aexp"} and |
|
416 @{typ "'a bexp"}, respectively. |
|
417 *} |
|
418 |
|
419 primrec substa :: "('a \<Rightarrow> 'b aexp) \<Rightarrow> 'a aexp \<Rightarrow> 'b aexp" |
|
420 and substb :: "('a \<Rightarrow> 'b aexp) \<Rightarrow> 'a bexp \<Rightarrow> 'b bexp" |
|
421 where |
|
422 "substa f (IF b a1 a2) = IF (substb f b) (substa f a1) (substa f a2)" |
|
423 | "substa f (Sum a1 a2) = Sum (substa f a1) (substa f a2)" |
|
424 | "substa f (Diff a1 a2) = Diff (substa f a1) (substa f a2)" |
|
425 | "substa f (Var v) = f v" |
|
426 | "substa f (Num n) = Num n" |
|
427 | "substb f (Less a1 a2) = Less (substa f a1) (substa f a2)" |
|
428 | "substb f (And b1 b2) = And (substb f b1) (substb f b2)" |
|
429 | "substb f (Neg b) = Neg (substb f b)" |
|
430 |
|
431 text {* In textbooks about semantics one often finds substitution |
|
432 theorems, which express the relationship between substitution and |
|
433 evaluation. For @{typ "'a aexp"} and @{typ "'a bexp"}, we can prove |
|
434 such a theorem by mutual induction, followed by simplification. |
|
435 *} |
|
436 |
|
437 lemma subst_one: |
|
438 "evala env (substa (Var (v := a')) a) = evala (env (v := evala env a')) a" |
|
439 "evalb env (substb (Var (v := a')) b) = evalb (env (v := evala env a')) b" |
|
440 by (induct a and b) simp_all |
|
441 |
|
442 lemma subst_all: |
|
443 "evala env (substa s a) = evala (\<lambda>x. evala env (s x)) a" |
|
444 "evalb env (substb s b) = evalb (\<lambda>x. evala env (s x)) b" |
|
445 by (induct a and b) simp_all |
|
446 |
|
447 |
|
448 subsubsection {* Example: a substitution function for terms *} |
|
449 |
|
450 text {* Functions on datatypes with nested recursion are also defined |
|
451 by mutual primitive recursion. *} |
|
452 |
|
453 datatype ('a, 'b) "term" = Var 'a | App 'b "('a, 'b) term list" |
|
454 |
|
455 text {* A substitution function on type @{typ "('a, 'b) term"} can be |
|
456 defined as follows, by working simultaneously on @{typ "('a, 'b) |
|
457 term list"}: *} |
|
458 |
|
459 primrec subst_term :: "('a \<Rightarrow> ('a, 'b) term) \<Rightarrow> ('a, 'b) term \<Rightarrow> ('a, 'b) term" and |
|
460 subst_term_list :: "('a \<Rightarrow> ('a, 'b) term) \<Rightarrow> ('a, 'b) term list \<Rightarrow> ('a, 'b) term list" |
|
461 where |
|
462 "subst_term f (Var a) = f a" |
|
463 | "subst_term f (App b ts) = App b (subst_term_list f ts)" |
|
464 | "subst_term_list f [] = []" |
|
465 | "subst_term_list f (t # ts) = subst_term f t # subst_term_list f ts" |
|
466 |
|
467 text {* The recursion scheme follows the structure of the unfolded |
|
468 definition of type @{typ "('a, 'b) term"}. To prove properties of this |
|
469 substitution function, mutual induction is needed: |
|
470 *} |
|
471 |
|
472 lemma "subst_term (subst_term f1 \<circ> f2) t = subst_term f1 (subst_term f2 t)" and |
|
473 "subst_term_list (subst_term f1 \<circ> f2) ts = subst_term_list f1 (subst_term_list f2 ts)" |
|
474 by (induct t and ts) simp_all |
|
475 |
|
476 |
|
477 subsubsection {* Example: a map function for infinitely branching trees *} |
|
478 |
|
479 text {* Defining functions on infinitely branching datatypes by |
|
480 primitive recursion is just as easy. |
|
481 *} |
|
482 |
|
483 datatype 'a tree = Atom 'a | Branch "nat \<Rightarrow> 'a tree" |
|
484 |
|
485 primrec map_tree :: "('a \<Rightarrow> 'b) \<Rightarrow> 'a tree \<Rightarrow> 'b tree" |
|
486 where |
|
487 "map_tree f (Atom a) = Atom (f a)" |
|
488 | "map_tree f (Branch ts) = Branch (\<lambda>x. map_tree f (ts x))" |
|
489 |
|
490 text {* Note that all occurrences of functions such as @{text ts} |
|
491 above must be applied to an argument. In particular, @{term |
|
492 "map_tree f \<circ> ts"} is not allowed here. *} |
|
493 |
|
494 text {* Here is a simple composition lemma for @{term map_tree}: *} |
|
495 |
|
496 lemma "map_tree g (map_tree f t) = map_tree (g \<circ> f) t" |
|
497 by (induct t) simp_all |
|
498 |
|
499 |
|
500 subsection {* Proof methods related to recursive definitions *} |
|
501 |
|
502 text {* |
|
503 \begin{matharray}{rcl} |
|
504 @{method_def (HOL) pat_completeness} & : & @{text method} \\ |
|
505 @{method_def (HOL) relation} & : & @{text method} \\ |
|
506 @{method_def (HOL) lexicographic_order} & : & @{text method} \\ |
|
507 @{method_def (HOL) size_change} & : & @{text method} \\ |
|
508 @{method_def (HOL) induction_schema} & : & @{text method} \\ |
|
509 \end{matharray} |
|
510 |
|
511 @{rail \<open> |
|
512 @@{method (HOL) relation} @{syntax term} |
|
513 ; |
|
514 @@{method (HOL) lexicographic_order} (@{syntax clasimpmod} * ) |
|
515 ; |
|
516 @@{method (HOL) size_change} ( orders (@{syntax clasimpmod} * ) ) |
|
517 ; |
|
518 @@{method (HOL) induction_schema} |
|
519 ; |
|
520 orders: ( 'max' | 'min' | 'ms' ) * |
|
521 \<close>} |
|
522 |
|
523 \begin{description} |
|
524 |
|
525 \item @{method (HOL) pat_completeness} is a specialized method to |
|
526 solve goals regarding the completeness of pattern matching, as |
|
527 required by the @{command (HOL) "function"} package (cf.\ |
|
528 \cite{isabelle-function}). |
|
529 |
|
530 \item @{method (HOL) relation}~@{text R} introduces a termination |
|
531 proof using the relation @{text R}. The resulting proof state will |
|
532 contain goals expressing that @{text R} is wellfounded, and that the |
|
533 arguments of recursive calls decrease with respect to @{text R}. |
|
534 Usually, this method is used as the initial proof step of manual |
|
535 termination proofs. |
|
536 |
|
537 \item @{method (HOL) "lexicographic_order"} attempts a fully |
|
538 automated termination proof by searching for a lexicographic |
|
539 combination of size measures on the arguments of the function. The |
|
540 method accepts the same arguments as the @{method auto} method, |
|
541 which it uses internally to prove local descents. The @{syntax |
|
542 clasimpmod} modifiers are accepted (as for @{method auto}). |
|
543 |
|
544 In case of failure, extensive information is printed, which can help |
|
545 to analyse the situation (cf.\ \cite{isabelle-function}). |
|
546 |
|
547 \item @{method (HOL) "size_change"} also works on termination goals, |
|
548 using a variation of the size-change principle, together with a |
|
549 graph decomposition technique (see \cite{krauss_phd} for details). |
|
550 Three kinds of orders are used internally: @{text max}, @{text min}, |
|
551 and @{text ms} (multiset), which is only available when the theory |
|
552 @{text Multiset} is loaded. When no order kinds are given, they are |
|
553 tried in order. The search for a termination proof uses SAT solving |
|
554 internally. |
|
555 |
|
556 For local descent proofs, the @{syntax clasimpmod} modifiers are |
|
557 accepted (as for @{method auto}). |
|
558 |
|
559 \item @{method (HOL) induction_schema} derives user-specified |
|
560 induction rules from well-founded induction and completeness of |
|
561 patterns. This factors out some operations that are done internally |
|
562 by the function package and makes them available separately. See |
|
563 @{file "~~/src/HOL/ex/Induction_Schema.thy"} for examples. |
|
564 |
|
565 \end{description} |
|
566 *} |
|
567 |
|
568 |
|
569 subsection {* Functions with explicit partiality *} |
|
570 |
|
571 text {* |
|
572 \begin{matharray}{rcl} |
|
573 @{command_def (HOL) "partial_function"} & : & @{text "local_theory \<rightarrow> local_theory"} \\ |
|
574 @{attribute_def (HOL) "partial_function_mono"} & : & @{text attribute} \\ |
|
575 \end{matharray} |
|
576 |
|
577 @{rail \<open> |
|
578 @@{command (HOL) partial_function} @{syntax target}? |
|
579 '(' @{syntax nameref} ')' @{syntax "fixes"} \<newline> |
|
580 @'where' @{syntax thmdecl}? @{syntax prop} |
|
581 \<close>} |
|
582 |
|
583 \begin{description} |
|
584 |
|
585 \item @{command (HOL) "partial_function"}~@{text "(mode)"} defines |
|
586 recursive functions based on fixpoints in complete partial |
|
587 orders. No termination proof is required from the user or |
|
588 constructed internally. Instead, the possibility of non-termination |
|
589 is modelled explicitly in the result type, which contains an |
|
590 explicit bottom element. |
|
591 |
|
592 Pattern matching and mutual recursion are currently not supported. |
|
593 Thus, the specification consists of a single function described by a |
|
594 single recursive equation. |
|
595 |
|
596 There are no fixed syntactic restrictions on the body of the |
|
597 function, but the induced functional must be provably monotonic |
|
598 wrt.\ the underlying order. The monotonicity proof is performed |
|
599 internally, and the definition is rejected when it fails. The proof |
|
600 can be influenced by declaring hints using the |
|
601 @{attribute (HOL) partial_function_mono} attribute. |
|
602 |
|
603 The mandatory @{text mode} argument specifies the mode of operation |
|
604 of the command, which directly corresponds to a complete partial |
|
605 order on the result type. By default, the following modes are |
|
606 defined: |
|
607 |
|
608 \begin{description} |
|
609 |
|
610 \item @{text option} defines functions that map into the @{type |
|
611 option} type. Here, the value @{term None} is used to model a |
|
612 non-terminating computation. Monotonicity requires that if @{term |
|
613 None} is returned by a recursive call, then the overall result must |
|
614 also be @{term None}. This is best achieved through the use of the |
|
615 monadic operator @{const "Option.bind"}. |
|
616 |
|
617 \item @{text tailrec} defines functions with an arbitrary result |
|
618 type and uses the slightly degenerated partial order where @{term |
|
619 "undefined"} is the bottom element. Now, monotonicity requires that |
|
620 if @{term undefined} is returned by a recursive call, then the |
|
621 overall result must also be @{term undefined}. In practice, this is |
|
622 only satisfied when each recursive call is a tail call, whose result |
|
623 is directly returned. Thus, this mode of operation allows the |
|
624 definition of arbitrary tail-recursive functions. |
|
625 |
|
626 \end{description} |
|
627 |
|
628 Experienced users may define new modes by instantiating the locale |
|
629 @{const "partial_function_definitions"} appropriately. |
|
630 |
|
631 \item @{attribute (HOL) partial_function_mono} declares rules for |
|
632 use in the internal monotonicity proofs of partial function |
|
633 definitions. |
|
634 |
|
635 \end{description} |
|
636 |
|
637 *} |
|
638 |
|
639 |
|
640 subsection {* Old-style recursive function definitions (TFL) *} |
|
641 |
|
642 text {* |
|
643 \begin{matharray}{rcl} |
|
644 @{command_def (HOL) "recdef"} & : & @{text "theory \<rightarrow> theory)"} \\ |
|
645 @{command_def (HOL) "recdef_tc"}@{text "\<^sup>*"} & : & @{text "theory \<rightarrow> proof(prove)"} \\ |
|
646 \end{matharray} |
|
647 |
|
648 The old TFL commands @{command (HOL) "recdef"} and @{command (HOL) |
|
649 "recdef_tc"} for defining recursive are mostly obsolete; @{command |
|
650 (HOL) "function"} or @{command (HOL) "fun"} should be used instead. |
|
651 |
|
652 @{rail \<open> |
|
653 @@{command (HOL) recdef} ('(' @'permissive' ')')? \<newline> |
|
654 @{syntax name} @{syntax term} (@{syntax prop} +) hints? |
|
655 ; |
|
656 recdeftc @{syntax thmdecl}? tc |
|
657 ; |
|
658 hints: '(' @'hints' ( recdefmod * ) ')' |
|
659 ; |
|
660 recdefmod: (('recdef_simp' | 'recdef_cong' | 'recdef_wf') |
|
661 (() | 'add' | 'del') ':' @{syntax thmrefs}) | @{syntax clasimpmod} |
|
662 ; |
|
663 tc: @{syntax nameref} ('(' @{syntax nat} ')')? |
|
664 \<close>} |
|
665 |
|
666 \begin{description} |
|
667 |
|
668 \item @{command (HOL) "recdef"} defines general well-founded |
|
669 recursive functions (using the TFL package), see also |
|
670 \cite{isabelle-HOL}. The ``@{text "(permissive)"}'' option tells |
|
671 TFL to recover from failed proof attempts, returning unfinished |
|
672 results. The @{text recdef_simp}, @{text recdef_cong}, and @{text |
|
673 recdef_wf} hints refer to auxiliary rules to be used in the internal |
|
674 automated proof process of TFL. Additional @{syntax clasimpmod} |
|
675 declarations may be given to tune the context of the Simplifier |
|
676 (cf.\ \secref{sec:simplifier}) and Classical reasoner (cf.\ |
|
677 \secref{sec:classical}). |
|
678 |
|
679 \item @{command (HOL) "recdef_tc"}~@{text "c (i)"} recommences the |
|
680 proof for leftover termination condition number @{text i} (default |
|
681 1) as generated by a @{command (HOL) "recdef"} definition of |
|
682 constant @{text c}. |
|
683 |
|
684 Note that in most cases, @{command (HOL) "recdef"} is able to finish |
|
685 its internal proofs without manual intervention. |
|
686 |
|
687 \end{description} |
|
688 |
|
689 \medskip Hints for @{command (HOL) "recdef"} may be also declared |
|
690 globally, using the following attributes. |
|
691 |
|
692 \begin{matharray}{rcl} |
|
693 @{attribute_def (HOL) recdef_simp} & : & @{text attribute} \\ |
|
694 @{attribute_def (HOL) recdef_cong} & : & @{text attribute} \\ |
|
695 @{attribute_def (HOL) recdef_wf} & : & @{text attribute} \\ |
|
696 \end{matharray} |
|
697 |
|
698 @{rail \<open> |
|
699 (@@{attribute (HOL) recdef_simp} | @@{attribute (HOL) recdef_cong} | |
|
700 @@{attribute (HOL) recdef_wf}) (() | 'add' | 'del') |
|
701 \<close>} |
|
702 *} |
|
703 |
|
704 |
|
705 section {* Datatypes \label{sec:hol-datatype} *} |
|
706 |
|
707 text {* |
|
708 \begin{matharray}{rcl} |
|
709 @{command_def (HOL) "datatype"} & : & @{text "theory \<rightarrow> theory"} \\ |
|
710 @{command_def (HOL) "rep_datatype"} & : & @{text "theory \<rightarrow> proof(prove)"} \\ |
|
711 \end{matharray} |
|
712 |
|
713 @{rail \<open> |
|
714 @@{command (HOL) datatype} (spec + @'and') |
|
715 ; |
|
716 @@{command (HOL) rep_datatype} ('(' (@{syntax name} +) ')')? (@{syntax term} +) |
|
717 ; |
|
718 |
|
719 spec: @{syntax typespec_sorts} @{syntax mixfix}? '=' (cons + '|') |
|
720 ; |
|
721 cons: @{syntax name} (@{syntax type} * ) @{syntax mixfix}? |
|
722 \<close>} |
|
723 |
|
724 \begin{description} |
|
725 |
|
726 \item @{command (HOL) "datatype"} defines inductive datatypes in |
|
727 HOL. |
|
728 |
|
729 \item @{command (HOL) "rep_datatype"} represents existing types as |
|
730 datatypes. |
|
731 |
|
732 For foundational reasons, some basic types such as @{typ nat}, @{typ |
|
733 "'a \<times> 'b"}, @{typ "'a + 'b"}, @{typ bool} and @{typ unit} are |
|
734 introduced by more primitive means using @{command_ref typedef}. To |
|
735 recover the rich infrastructure of @{command datatype} (e.g.\ rules |
|
736 for @{method cases} and @{method induct} and the primitive recursion |
|
737 combinators), such types may be represented as actual datatypes |
|
738 later. This is done by specifying the constructors of the desired |
|
739 type, and giving a proof of the induction rule, distinctness and |
|
740 injectivity of constructors. |
|
741 |
|
742 For example, see @{file "~~/src/HOL/Sum_Type.thy"} for the |
|
743 representation of the primitive sum type as fully-featured datatype. |
|
744 |
|
745 \end{description} |
|
746 |
|
747 The generated rules for @{method induct} and @{method cases} provide |
|
748 case names according to the given constructors, while parameters are |
|
749 named after the types (see also \secref{sec:cases-induct}). |
|
750 |
|
751 See \cite{isabelle-HOL} for more details on datatypes, but beware of |
|
752 the old-style theory syntax being used there! Apart from proper |
|
753 proof methods for case-analysis and induction, there are also |
|
754 emulations of ML tactics @{method (HOL) case_tac} and @{method (HOL) |
|
755 induct_tac} available, see \secref{sec:hol-induct-tac}; these admit |
|
756 to refer directly to the internal structure of subgoals (including |
|
757 internally bound parameters). |
|
758 *} |
|
759 |
|
760 |
|
761 subsubsection {* Examples *} |
|
762 |
|
763 text {* We define a type of finite sequences, with slightly different |
|
764 names than the existing @{typ "'a list"} that is already in @{theory |
|
765 Main}: *} |
|
766 |
|
767 datatype 'a seq = Empty | Seq 'a "'a seq" |
|
768 |
|
769 text {* We can now prove some simple lemma by structural induction: *} |
|
770 |
|
771 lemma "Seq x xs \<noteq> xs" |
|
772 proof (induct xs arbitrary: x) |
|
773 case Empty |
|
774 txt {* This case can be proved using the simplifier: the freeness |
|
775 properties of the datatype are already declared as @{attribute |
|
776 simp} rules. *} |
|
777 show "Seq x Empty \<noteq> Empty" |
|
778 by simp |
|
779 next |
|
780 case (Seq y ys) |
|
781 txt {* The step case is proved similarly. *} |
|
782 show "Seq x (Seq y ys) \<noteq> Seq y ys" |
|
783 using `Seq y ys \<noteq> ys` by simp |
|
784 qed |
|
785 |
|
786 text {* Here is a more succinct version of the same proof: *} |
|
787 |
|
788 lemma "Seq x xs \<noteq> xs" |
|
789 by (induct xs arbitrary: x) simp_all |
|
790 |
|
791 |
|
792 section {* Records \label{sec:hol-record} *} |
|
793 |
|
794 text {* |
|
795 In principle, records merely generalize the concept of tuples, where |
|
796 components may be addressed by labels instead of just position. The |
|
797 logical infrastructure of records in Isabelle/HOL is slightly more |
|
798 advanced, though, supporting truly extensible record schemes. This |
|
799 admits operations that are polymorphic with respect to record |
|
800 extension, yielding ``object-oriented'' effects like (single) |
|
801 inheritance. See also \cite{NaraschewskiW-TPHOLs98} for more |
|
802 details on object-oriented verification and record subtyping in HOL. |
|
803 *} |
|
804 |
|
805 |
|
806 subsection {* Basic concepts *} |
|
807 |
|
808 text {* |
|
809 Isabelle/HOL supports both \emph{fixed} and \emph{schematic} records |
|
810 at the level of terms and types. The notation is as follows: |
|
811 |
|
812 \begin{center} |
|
813 \begin{tabular}{l|l|l} |
|
814 & record terms & record types \\ \hline |
|
815 fixed & @{text "\<lparr>x = a, y = b\<rparr>"} & @{text "\<lparr>x :: A, y :: B\<rparr>"} \\ |
|
816 schematic & @{text "\<lparr>x = a, y = b, \<dots> = m\<rparr>"} & |
|
817 @{text "\<lparr>x :: A, y :: B, \<dots> :: M\<rparr>"} \\ |
|
818 \end{tabular} |
|
819 \end{center} |
|
820 |
|
821 \noindent The ASCII representation of @{text "\<lparr>x = a\<rparr>"} is @{text |
|
822 "(| x = a |)"}. |
|
823 |
|
824 A fixed record @{text "\<lparr>x = a, y = b\<rparr>"} has field @{text x} of value |
|
825 @{text a} and field @{text y} of value @{text b}. The corresponding |
|
826 type is @{text "\<lparr>x :: A, y :: B\<rparr>"}, assuming that @{text "a :: A"} |
|
827 and @{text "b :: B"}. |
|
828 |
|
829 A record scheme like @{text "\<lparr>x = a, y = b, \<dots> = m\<rparr>"} contains fields |
|
830 @{text x} and @{text y} as before, but also possibly further fields |
|
831 as indicated by the ``@{text "\<dots>"}'' notation (which is actually part |
|
832 of the syntax). The improper field ``@{text "\<dots>"}'' of a record |
|
833 scheme is called the \emph{more part}. Logically it is just a free |
|
834 variable, which is occasionally referred to as ``row variable'' in |
|
835 the literature. The more part of a record scheme may be |
|
836 instantiated by zero or more further components. For example, the |
|
837 previous scheme may get instantiated to @{text "\<lparr>x = a, y = b, z = |
|
838 c, \<dots> = m'\<rparr>"}, where @{text m'} refers to a different more part. |
|
839 Fixed records are special instances of record schemes, where |
|
840 ``@{text "\<dots>"}'' is properly terminated by the @{text "() :: unit"} |
|
841 element. In fact, @{text "\<lparr>x = a, y = b\<rparr>"} is just an abbreviation |
|
842 for @{text "\<lparr>x = a, y = b, \<dots> = ()\<rparr>"}. |
|
843 |
|
844 \medskip Two key observations make extensible records in a simply |
|
845 typed language like HOL work out: |
|
846 |
|
847 \begin{enumerate} |
|
848 |
|
849 \item the more part is internalized, as a free term or type |
|
850 variable, |
|
851 |
|
852 \item field names are externalized, they cannot be accessed within |
|
853 the logic as first-class values. |
|
854 |
|
855 \end{enumerate} |
|
856 |
|
857 \medskip In Isabelle/HOL record types have to be defined explicitly, |
|
858 fixing their field names and types, and their (optional) parent |
|
859 record. Afterwards, records may be formed using above syntax, while |
|
860 obeying the canonical order of fields as given by their declaration. |
|
861 The record package provides several standard operations like |
|
862 selectors and updates. The common setup for various generic proof |
|
863 tools enable succinct reasoning patterns. See also the Isabelle/HOL |
|
864 tutorial \cite{isabelle-hol-book} for further instructions on using |
|
865 records in practice. |
|
866 *} |
|
867 |
|
868 |
|
869 subsection {* Record specifications *} |
|
870 |
|
871 text {* |
|
872 \begin{matharray}{rcl} |
|
873 @{command_def (HOL) "record"} & : & @{text "theory \<rightarrow> theory"} \\ |
|
874 \end{matharray} |
|
875 |
|
876 @{rail \<open> |
|
877 @@{command (HOL) record} @{syntax typespec_sorts} '=' \<newline> |
|
878 (@{syntax type} '+')? (constdecl +) |
|
879 ; |
|
880 constdecl: @{syntax name} '::' @{syntax type} @{syntax mixfix}? |
|
881 \<close>} |
|
882 |
|
883 \begin{description} |
|
884 |
|
885 \item @{command (HOL) "record"}~@{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t = \<tau> + c\<^sub>1 :: \<sigma>\<^sub>1 |
|
886 \<dots> c\<^sub>n :: \<sigma>\<^sub>n"} defines extensible record type @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t"}, |
|
887 derived from the optional parent record @{text "\<tau>"} by adding new |
|
888 field components @{text "c\<^sub>i :: \<sigma>\<^sub>i"} etc. |
|
889 |
|
890 The type variables of @{text "\<tau>"} and @{text "\<sigma>\<^sub>i"} need to be |
|
891 covered by the (distinct) parameters @{text "\<alpha>\<^sub>1, \<dots>, |
|
892 \<alpha>\<^sub>m"}. Type constructor @{text t} has to be new, while @{text |
|
893 \<tau>} needs to specify an instance of an existing record type. At |
|
894 least one new field @{text "c\<^sub>i"} has to be specified. |
|
895 Basically, field names need to belong to a unique record. This is |
|
896 not a real restriction in practice, since fields are qualified by |
|
897 the record name internally. |
|
898 |
|
899 The parent record specification @{text \<tau>} is optional; if omitted |
|
900 @{text t} becomes a root record. The hierarchy of all records |
|
901 declared within a theory context forms a forest structure, i.e.\ a |
|
902 set of trees starting with a root record each. There is no way to |
|
903 merge multiple parent records! |
|
904 |
|
905 For convenience, @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t"} is made a |
|
906 type abbreviation for the fixed record type @{text "\<lparr>c\<^sub>1 :: |
|
907 \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n\<rparr>"}, likewise is @{text |
|
908 "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m, \<zeta>) t_scheme"} made an abbreviation for |
|
909 @{text "\<lparr>c\<^sub>1 :: \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n, \<dots> :: |
|
910 \<zeta>\<rparr>"}. |
|
911 |
|
912 \end{description} |
|
913 *} |
|
914 |
|
915 |
|
916 subsection {* Record operations *} |
|
917 |
|
918 text {* |
|
919 Any record definition of the form presented above produces certain |
|
920 standard operations. Selectors and updates are provided for any |
|
921 field, including the improper one ``@{text more}''. There are also |
|
922 cumulative record constructor functions. To simplify the |
|
923 presentation below, we assume for now that @{text "(\<alpha>\<^sub>1, \<dots>, |
|
924 \<alpha>\<^sub>m) t"} is a root record with fields @{text "c\<^sub>1 :: |
|
925 \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n"}. |
|
926 |
|
927 \medskip \textbf{Selectors} and \textbf{updates} are available for |
|
928 any field (including ``@{text more}''): |
|
929 |
|
930 \begin{matharray}{lll} |
|
931 @{text "c\<^sub>i"} & @{text "::"} & @{text "\<lparr>\<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<sigma>\<^sub>i"} \\ |
|
932 @{text "c\<^sub>i_update"} & @{text "::"} & @{text "\<sigma>\<^sub>i \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr>"} \\ |
|
933 \end{matharray} |
|
934 |
|
935 There is special syntax for application of updates: @{text "r\<lparr>x := |
|
936 a\<rparr>"} abbreviates term @{text "x_update a r"}. Further notation for |
|
937 repeated updates is also available: @{text "r\<lparr>x := a\<rparr>\<lparr>y := b\<rparr>\<lparr>z := |
|
938 c\<rparr>"} may be written @{text "r\<lparr>x := a, y := b, z := c\<rparr>"}. Note that |
|
939 because of postfix notation the order of fields shown here is |
|
940 reverse than in the actual term. Since repeated updates are just |
|
941 function applications, fields may be freely permuted in @{text "\<lparr>x |
|
942 := a, y := b, z := c\<rparr>"}, as far as logical equality is concerned. |
|
943 Thus commutativity of independent updates can be proven within the |
|
944 logic for any two fields, but not as a general theorem. |
|
945 |
|
946 \medskip The \textbf{make} operation provides a cumulative record |
|
947 constructor function: |
|
948 |
|
949 \begin{matharray}{lll} |
|
950 @{text "t.make"} & @{text "::"} & @{text "\<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>n \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\ |
|
951 \end{matharray} |
|
952 |
|
953 \medskip We now reconsider the case of non-root records, which are |
|
954 derived of some parent. In general, the latter may depend on |
|
955 another parent as well, resulting in a list of \emph{ancestor |
|
956 records}. Appending the lists of fields of all ancestors results in |
|
957 a certain field prefix. The record package automatically takes care |
|
958 of this by lifting operations over this context of ancestor fields. |
|
959 Assuming that @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t"} has ancestor |
|
960 fields @{text "b\<^sub>1 :: \<rho>\<^sub>1, \<dots>, b\<^sub>k :: \<rho>\<^sub>k"}, |
|
961 the above record operations will get the following types: |
|
962 |
|
963 \medskip |
|
964 \begin{tabular}{lll} |
|
965 @{text "c\<^sub>i"} & @{text "::"} & @{text "\<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<sigma>\<^sub>i"} \\ |
|
966 @{text "c\<^sub>i_update"} & @{text "::"} & @{text "\<sigma>\<^sub>i \<Rightarrow> |
|
967 \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> |
|
968 \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr>"} \\ |
|
969 @{text "t.make"} & @{text "::"} & @{text "\<rho>\<^sub>1 \<Rightarrow> \<dots> \<rho>\<^sub>k \<Rightarrow> \<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>n \<Rightarrow> |
|
970 \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\ |
|
971 \end{tabular} |
|
972 \medskip |
|
973 |
|
974 \noindent Some further operations address the extension aspect of a |
|
975 derived record scheme specifically: @{text "t.fields"} produces a |
|
976 record fragment consisting of exactly the new fields introduced here |
|
977 (the result may serve as a more part elsewhere); @{text "t.extend"} |
|
978 takes a fixed record and adds a given more part; @{text |
|
979 "t.truncate"} restricts a record scheme to a fixed record. |
|
980 |
|
981 \medskip |
|
982 \begin{tabular}{lll} |
|
983 @{text "t.fields"} & @{text "::"} & @{text "\<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>n \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\ |
|
984 @{text "t.extend"} & @{text "::"} & @{text "\<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>\<rparr> \<Rightarrow> |
|
985 \<zeta> \<Rightarrow> \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr>"} \\ |
|
986 @{text "t.truncate"} & @{text "::"} & @{text "\<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\ |
|
987 \end{tabular} |
|
988 \medskip |
|
989 |
|
990 \noindent Note that @{text "t.make"} and @{text "t.fields"} coincide |
|
991 for root records. |
|
992 *} |
|
993 |
|
994 |
|
995 subsection {* Derived rules and proof tools *} |
|
996 |
|
997 text {* |
|
998 The record package proves several results internally, declaring |
|
999 these facts to appropriate proof tools. This enables users to |
|
1000 reason about record structures quite conveniently. Assume that |
|
1001 @{text t} is a record type as specified above. |
|
1002 |
|
1003 \begin{enumerate} |
|
1004 |
|
1005 \item Standard conversions for selectors or updates applied to |
|
1006 record constructor terms are made part of the default Simplifier |
|
1007 context; thus proofs by reduction of basic operations merely require |
|
1008 the @{method simp} method without further arguments. These rules |
|
1009 are available as @{text "t.simps"}, too. |
|
1010 |
|
1011 \item Selectors applied to updated records are automatically reduced |
|
1012 by an internal simplification procedure, which is also part of the |
|
1013 standard Simplifier setup. |
|
1014 |
|
1015 \item Inject equations of a form analogous to @{prop "(x, y) = (x', |
|
1016 y') \<equiv> x = x' \<and> y = y'"} are declared to the Simplifier and Classical |
|
1017 Reasoner as @{attribute iff} rules. These rules are available as |
|
1018 @{text "t.iffs"}. |
|
1019 |
|
1020 \item The introduction rule for record equality analogous to @{text |
|
1021 "x r = x r' \<Longrightarrow> y r = y r' \<dots> \<Longrightarrow> r = r'"} is declared to the Simplifier, |
|
1022 and as the basic rule context as ``@{attribute intro}@{text "?"}''. |
|
1023 The rule is called @{text "t.equality"}. |
|
1024 |
|
1025 \item Representations of arbitrary record expressions as canonical |
|
1026 constructor terms are provided both in @{method cases} and @{method |
|
1027 induct} format (cf.\ the generic proof methods of the same name, |
|
1028 \secref{sec:cases-induct}). Several variations are available, for |
|
1029 fixed records, record schemes, more parts etc. |
|
1030 |
|
1031 The generic proof methods are sufficiently smart to pick the most |
|
1032 sensible rule according to the type of the indicated record |
|
1033 expression: users just need to apply something like ``@{text "(cases |
|
1034 r)"}'' to a certain proof problem. |
|
1035 |
|
1036 \item The derived record operations @{text "t.make"}, @{text |
|
1037 "t.fields"}, @{text "t.extend"}, @{text "t.truncate"} are \emph{not} |
|
1038 treated automatically, but usually need to be expanded by hand, |
|
1039 using the collective fact @{text "t.defs"}. |
|
1040 |
|
1041 \end{enumerate} |
|
1042 *} |
|
1043 |
|
1044 |
|
1045 subsubsection {* Examples *} |
|
1046 |
|
1047 text {* See @{file "~~/src/HOL/ex/Records.thy"}, for example. *} |
|
1048 |
|
1049 section {* Typedef axiomatization \label{sec:hol-typedef} *} |
|
1050 |
|
1051 text {* |
|
1052 \begin{matharray}{rcl} |
|
1053 @{command_def (HOL) "typedef"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\ |
|
1054 \end{matharray} |
|
1055 |
|
1056 A Gordon/HOL-style type definition is a certain axiom scheme that |
|
1057 identifies a new type with a subset of an existing type. More |
|
1058 precisely, the new type is defined by exhibiting an existing type |
|
1059 @{text \<tau>}, a set @{text "A :: \<tau> set"}, and a theorem that proves |
|
1060 @{prop "\<exists>x. x \<in> A"}. Thus @{text A} is a non-empty subset of @{text |
|
1061 \<tau>}, and the new type denotes this subset. New functions are |
|
1062 postulated that establish an isomorphism between the new type and |
|
1063 the subset. In general, the type @{text \<tau>} may involve type |
|
1064 variables @{text "\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n"} which means that the type definition |
|
1065 produces a type constructor @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t"} depending on |
|
1066 those type arguments. |
|
1067 |
|
1068 The axiomatization can be considered a ``definition'' in the sense |
|
1069 of the particular set-theoretic interpretation of HOL |
|
1070 \cite{pitts93}, where the universe of types is required to be |
|
1071 downwards-closed wrt.\ arbitrary non-empty subsets. Thus genuinely |
|
1072 new types introduced by @{command "typedef"} stay within the range |
|
1073 of HOL models by construction. Note that @{command_ref |
|
1074 type_synonym} from Isabelle/Pure merely introduces syntactic |
|
1075 abbreviations, without any logical significance. |
|
1076 |
|
1077 @{rail \<open> |
|
1078 @@{command (HOL) typedef} abs_type '=' rep_set |
|
1079 ; |
|
1080 abs_type: @{syntax typespec_sorts} @{syntax mixfix}? |
|
1081 ; |
|
1082 rep_set: @{syntax term} (@'morphisms' @{syntax name} @{syntax name})? |
|
1083 \<close>} |
|
1084 |
|
1085 \begin{description} |
|
1086 |
|
1087 \item @{command (HOL) "typedef"}~@{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t = A"} |
|
1088 axiomatizes a type definition in the background theory of the |
|
1089 current context, depending on a non-emptiness result of the set |
|
1090 @{text A} that needs to be proven here. The set @{text A} may |
|
1091 contain type variables @{text "\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n"} as specified on the LHS, |
|
1092 but no term variables. |
|
1093 |
|
1094 Even though a local theory specification, the newly introduced type |
|
1095 constructor cannot depend on parameters or assumptions of the |
|
1096 context: this is structurally impossible in HOL. In contrast, the |
|
1097 non-emptiness proof may use local assumptions in unusual situations, |
|
1098 which could result in different interpretations in target contexts: |
|
1099 the meaning of the bijection between the representing set @{text A} |
|
1100 and the new type @{text t} may then change in different application |
|
1101 contexts. |
|
1102 |
|
1103 For @{command (HOL) "typedef"}~@{text "t = A"} the newly introduced |
|
1104 type @{text t} is accompanied by a pair of morphisms to relate it to |
|
1105 the representing set over the old type. By default, the injection |
|
1106 from type to set is called @{text Rep_t} and its inverse @{text |
|
1107 Abs_t}: An explicit @{keyword (HOL) "morphisms"} specification |
|
1108 allows to provide alternative names. |
|
1109 |
|
1110 The core axiomatization uses the locale predicate @{const |
|
1111 type_definition} as defined in Isabelle/HOL. Various basic |
|
1112 consequences of that are instantiated accordingly, re-using the |
|
1113 locale facts with names derived from the new type constructor. Thus |
|
1114 the generic @{thm type_definition.Rep} is turned into the specific |
|
1115 @{text "Rep_t"}, for example. |
|
1116 |
|
1117 Theorems @{thm type_definition.Rep}, @{thm |
|
1118 type_definition.Rep_inverse}, and @{thm type_definition.Abs_inverse} |
|
1119 provide the most basic characterization as a corresponding |
|
1120 injection/surjection pair (in both directions). The derived rules |
|
1121 @{thm type_definition.Rep_inject} and @{thm |
|
1122 type_definition.Abs_inject} provide a more convenient version of |
|
1123 injectivity, suitable for automated proof tools (e.g.\ in |
|
1124 declarations involving @{attribute simp} or @{attribute iff}). |
|
1125 Furthermore, the rules @{thm type_definition.Rep_cases}~/ @{thm |
|
1126 type_definition.Rep_induct}, and @{thm type_definition.Abs_cases}~/ |
|
1127 @{thm type_definition.Abs_induct} provide alternative views on |
|
1128 surjectivity. These rules are already declared as set or type rules |
|
1129 for the generic @{method cases} and @{method induct} methods, |
|
1130 respectively. |
|
1131 |
|
1132 \end{description} |
|
1133 |
|
1134 \begin{warn} |
|
1135 If you introduce a new type axiomatically, i.e.\ via @{command_ref |
|
1136 typedecl} and @{command_ref axiomatization}, the minimum requirement |
|
1137 is that it has a non-empty model, to avoid immediate collapse of the |
|
1138 HOL logic. Moreover, one needs to demonstrate that the |
|
1139 interpretation of such free-form axiomatizations can coexist with |
|
1140 that of the regular @{command_def typedef} scheme, and any extension |
|
1141 that other people might have introduced elsewhere. |
|
1142 \end{warn} |
|
1143 *} |
|
1144 |
|
1145 subsubsection {* Examples *} |
|
1146 |
|
1147 text {* Type definitions permit the introduction of abstract data |
|
1148 types in a safe way, namely by providing models based on already |
|
1149 existing types. Given some abstract axiomatic description @{text P} |
|
1150 of a type, this involves two steps: |
|
1151 |
|
1152 \begin{enumerate} |
|
1153 |
|
1154 \item Find an appropriate type @{text \<tau>} and subset @{text A} which |
|
1155 has the desired properties @{text P}, and make a type definition |
|
1156 based on this representation. |
|
1157 |
|
1158 \item Prove that @{text P} holds for @{text \<tau>} by lifting @{text P} |
|
1159 from the representation. |
|
1160 |
|
1161 \end{enumerate} |
|
1162 |
|
1163 You can later forget about the representation and work solely in |
|
1164 terms of the abstract properties @{text P}. |
|
1165 |
|
1166 \medskip The following trivial example pulls a three-element type |
|
1167 into existence within the formal logical environment of HOL. *} |
|
1168 |
|
1169 typedef three = "{(True, True), (True, False), (False, True)}" |
|
1170 by blast |
|
1171 |
|
1172 definition "One = Abs_three (True, True)" |
|
1173 definition "Two = Abs_three (True, False)" |
|
1174 definition "Three = Abs_three (False, True)" |
|
1175 |
|
1176 lemma three_distinct: "One \<noteq> Two" "One \<noteq> Three" "Two \<noteq> Three" |
|
1177 by (simp_all add: One_def Two_def Three_def Abs_three_inject) |
|
1178 |
|
1179 lemma three_cases: |
|
1180 fixes x :: three obtains "x = One" | "x = Two" | "x = Three" |
|
1181 by (cases x) (auto simp: One_def Two_def Three_def Abs_three_inject) |
|
1182 |
|
1183 text {* Note that such trivial constructions are better done with |
|
1184 derived specification mechanisms such as @{command datatype}: *} |
|
1185 |
|
1186 datatype three' = One' | Two' | Three' |
|
1187 |
|
1188 text {* This avoids re-doing basic definitions and proofs from the |
|
1189 primitive @{command typedef} above. *} |
|
1190 |
|
1191 |
|
1192 |
|
1193 section {* Functorial structure of types *} |
|
1194 |
|
1195 text {* |
|
1196 \begin{matharray}{rcl} |
|
1197 @{command_def (HOL) "functor"} & : & @{text "local_theory \<rightarrow> proof(prove)"} |
|
1198 \end{matharray} |
|
1199 |
|
1200 @{rail \<open> |
|
1201 @@{command (HOL) functor} (@{syntax name} ':')? @{syntax term} |
|
1202 \<close>} |
|
1203 |
|
1204 \begin{description} |
|
1205 |
|
1206 \item @{command (HOL) "functor"}~@{text "prefix: m"} allows to |
|
1207 prove and register properties about the functorial structure of type |
|
1208 constructors. These properties then can be used by other packages |
|
1209 to deal with those type constructors in certain type constructions. |
|
1210 Characteristic theorems are noted in the current local theory. By |
|
1211 default, they are prefixed with the base name of the type |
|
1212 constructor, an explicit prefix can be given alternatively. |
|
1213 |
|
1214 The given term @{text "m"} is considered as \emph{mapper} for the |
|
1215 corresponding type constructor and must conform to the following |
|
1216 type pattern: |
|
1217 |
|
1218 \begin{matharray}{lll} |
|
1219 @{text "m"} & @{text "::"} & |
|
1220 @{text "\<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>k \<Rightarrow> (\<^vec>\<alpha>\<^sub>n) t \<Rightarrow> (\<^vec>\<beta>\<^sub>n) t"} \\ |
|
1221 \end{matharray} |
|
1222 |
|
1223 \noindent where @{text t} is the type constructor, @{text |
|
1224 "\<^vec>\<alpha>\<^sub>n"} and @{text "\<^vec>\<beta>\<^sub>n"} are distinct |
|
1225 type variables free in the local theory and @{text "\<sigma>\<^sub>1"}, |
|
1226 \ldots, @{text "\<sigma>\<^sub>k"} is a subsequence of @{text "\<alpha>\<^sub>1 \<Rightarrow> |
|
1227 \<beta>\<^sub>1"}, @{text "\<beta>\<^sub>1 \<Rightarrow> \<alpha>\<^sub>1"}, \ldots, |
|
1228 @{text "\<alpha>\<^sub>n \<Rightarrow> \<beta>\<^sub>n"}, @{text "\<beta>\<^sub>n \<Rightarrow> |
|
1229 \<alpha>\<^sub>n"}. |
|
1230 |
|
1231 \end{description} |
|
1232 *} |
|
1233 |
|
1234 |
|
1235 section {* Quotient types *} |
|
1236 |
|
1237 text {* |
|
1238 \begin{matharray}{rcl} |
|
1239 @{command_def (HOL) "quotient_type"} & : & @{text "local_theory \<rightarrow> proof(prove)"}\\ |
|
1240 @{command_def (HOL) "quotient_definition"} & : & @{text "local_theory \<rightarrow> proof(prove)"}\\ |
|
1241 @{command_def (HOL) "print_quotmapsQ3"} & : & @{text "context \<rightarrow>"}\\ |
|
1242 @{command_def (HOL) "print_quotientsQ3"} & : & @{text "context \<rightarrow>"}\\ |
|
1243 @{command_def (HOL) "print_quotconsts"} & : & @{text "context \<rightarrow>"}\\ |
|
1244 @{method_def (HOL) "lifting"} & : & @{text method} \\ |
|
1245 @{method_def (HOL) "lifting_setup"} & : & @{text method} \\ |
|
1246 @{method_def (HOL) "descending"} & : & @{text method} \\ |
|
1247 @{method_def (HOL) "descending_setup"} & : & @{text method} \\ |
|
1248 @{method_def (HOL) "partiality_descending"} & : & @{text method} \\ |
|
1249 @{method_def (HOL) "partiality_descending_setup"} & : & @{text method} \\ |
|
1250 @{method_def (HOL) "regularize"} & : & @{text method} \\ |
|
1251 @{method_def (HOL) "injection"} & : & @{text method} \\ |
|
1252 @{method_def (HOL) "cleaning"} & : & @{text method} \\ |
|
1253 @{attribute_def (HOL) "quot_thm"} & : & @{text attribute} \\ |
|
1254 @{attribute_def (HOL) "quot_lifted"} & : & @{text attribute} \\ |
|
1255 @{attribute_def (HOL) "quot_respect"} & : & @{text attribute} \\ |
|
1256 @{attribute_def (HOL) "quot_preserve"} & : & @{text attribute} \\ |
|
1257 \end{matharray} |
|
1258 |
|
1259 The quotient package defines a new quotient type given a raw type |
|
1260 and a partial equivalence relation. The package also historically |
|
1261 includes automation for transporting definitions and theorems. |
|
1262 But most of this automation was superseded by the Lifting and Transfer |
|
1263 packages. The user should consider using these two new packages for |
|
1264 lifting definitions and transporting theorems. |
|
1265 |
|
1266 @{rail \<open> |
|
1267 @@{command (HOL) quotient_type} (spec) |
|
1268 ; |
|
1269 spec: @{syntax typespec} @{syntax mixfix}? '=' \<newline> |
|
1270 @{syntax type} '/' ('partial' ':')? @{syntax term} \<newline> |
|
1271 (@'morphisms' @{syntax name} @{syntax name})? (@'parametric' @{syntax thmref})? |
|
1272 \<close>} |
|
1273 |
|
1274 @{rail \<open> |
|
1275 @@{command (HOL) quotient_definition} constdecl? @{syntax thmdecl}? \<newline> |
|
1276 @{syntax term} 'is' @{syntax term} |
|
1277 ; |
|
1278 constdecl: @{syntax name} ('::' @{syntax type})? @{syntax mixfix}? |
|
1279 \<close>} |
|
1280 |
|
1281 @{rail \<open> |
|
1282 @@{method (HOL) lifting} @{syntax thmrefs}? |
|
1283 ; |
|
1284 @@{method (HOL) lifting_setup} @{syntax thmrefs}? |
|
1285 \<close>} |
|
1286 |
|
1287 \begin{description} |
|
1288 |
|
1289 \item @{command (HOL) "quotient_type"} defines a new quotient type @{text \<tau>}. The |
|
1290 injection from a quotient type to a raw type is called @{text |
|
1291 rep_\<tau>}, its inverse @{text abs_\<tau>} unless explicit @{keyword (HOL) |
|
1292 "morphisms"} specification provides alternative names. @{command |
|
1293 (HOL) "quotient_type"} requires the user to prove that the relation |
|
1294 is an equivalence relation (predicate @{text equivp}), unless the |
|
1295 user specifies explicitly @{text partial} in which case the |
|
1296 obligation is @{text part_equivp}. A quotient defined with @{text |
|
1297 partial} is weaker in the sense that less things can be proved |
|
1298 automatically. |
|
1299 |
|
1300 The command internally proves a Quotient theorem and sets up the Lifting |
|
1301 package by the command @{command (HOL) setup_lifting}. Thus the Lifting |
|
1302 and Transfer packages can be used also with quotient types defined by |
|
1303 @{command (HOL) "quotient_type"} without any extra set-up. The parametricity |
|
1304 theorem for the equivalence relation R can be provided as an extra argument |
|
1305 of the command and is passed to the corresponding internal call of @{command (HOL) setup_lifting}. |
|
1306 This theorem allows the Lifting package to generate a stronger transfer rule for equality. |
|
1307 |
|
1308 \end{description} |
|
1309 |
|
1310 The most of the rest of the package was superseded by the Lifting and Transfer |
|
1311 packages. The user should consider using these two new packages for |
|
1312 lifting definitions and transporting theorems. |
|
1313 |
|
1314 \begin{description} |
|
1315 |
|
1316 \item @{command (HOL) "quotient_definition"} defines a constant on |
|
1317 the quotient type. |
|
1318 |
|
1319 \item @{command (HOL) "print_quotmapsQ3"} prints quotient map |
|
1320 functions. |
|
1321 |
|
1322 \item @{command (HOL) "print_quotientsQ3"} prints quotients. |
|
1323 |
|
1324 \item @{command (HOL) "print_quotconsts"} prints quotient constants. |
|
1325 |
|
1326 \item @{method (HOL) "lifting"} and @{method (HOL) "lifting_setup"} |
|
1327 methods match the current goal with the given raw theorem to be |
|
1328 lifted producing three new subgoals: regularization, injection and |
|
1329 cleaning subgoals. @{method (HOL) "lifting"} tries to apply the |
|
1330 heuristics for automatically solving these three subgoals and |
|
1331 leaves only the subgoals unsolved by the heuristics to the user as |
|
1332 opposed to @{method (HOL) "lifting_setup"} which leaves the three |
|
1333 subgoals unsolved. |
|
1334 |
|
1335 \item @{method (HOL) "descending"} and @{method (HOL) |
|
1336 "descending_setup"} try to guess a raw statement that would lift |
|
1337 to the current subgoal. Such statement is assumed as a new subgoal |
|
1338 and @{method (HOL) "descending"} continues in the same way as |
|
1339 @{method (HOL) "lifting"} does. @{method (HOL) "descending"} tries |
|
1340 to solve the arising regularization, injection and cleaning |
|
1341 subgoals with the analogous method @{method (HOL) |
|
1342 "descending_setup"} which leaves the four unsolved subgoals. |
|
1343 |
|
1344 \item @{method (HOL) "partiality_descending"} finds the regularized |
|
1345 theorem that would lift to the current subgoal, lifts it and |
|
1346 leaves as a subgoal. This method can be used with partial |
|
1347 equivalence quotients where the non regularized statements would |
|
1348 not be true. @{method (HOL) "partiality_descending_setup"} leaves |
|
1349 the injection and cleaning subgoals unchanged. |
|
1350 |
|
1351 \item @{method (HOL) "regularize"} applies the regularization |
|
1352 heuristics to the current subgoal. |
|
1353 |
|
1354 \item @{method (HOL) "injection"} applies the injection heuristics |
|
1355 to the current goal using the stored quotient respectfulness |
|
1356 theorems. |
|
1357 |
|
1358 \item @{method (HOL) "cleaning"} applies the injection cleaning |
|
1359 heuristics to the current subgoal using the stored quotient |
|
1360 preservation theorems. |
|
1361 |
|
1362 \item @{attribute (HOL) quot_lifted} attribute tries to |
|
1363 automatically transport the theorem to the quotient type. |
|
1364 The attribute uses all the defined quotients types and quotient |
|
1365 constants often producing undesired results or theorems that |
|
1366 cannot be lifted. |
|
1367 |
|
1368 \item @{attribute (HOL) quot_respect} and @{attribute (HOL) |
|
1369 quot_preserve} attributes declare a theorem as a respectfulness |
|
1370 and preservation theorem respectively. These are stored in the |
|
1371 local theory store and used by the @{method (HOL) "injection"} |
|
1372 and @{method (HOL) "cleaning"} methods respectively. |
|
1373 |
|
1374 \item @{attribute (HOL) quot_thm} declares that a certain theorem |
|
1375 is a quotient extension theorem. Quotient extension theorems |
|
1376 allow for quotienting inside container types. Given a polymorphic |
|
1377 type that serves as a container, a map function defined for this |
|
1378 container using @{command (HOL) "functor"} and a relation |
|
1379 map defined for for the container type, the quotient extension |
|
1380 theorem should be @{term "Quotient3 R Abs Rep \<Longrightarrow> Quotient3 |
|
1381 (rel_map R) (map Abs) (map Rep)"}. Quotient extension theorems |
|
1382 are stored in a database and are used all the steps of lifting |
|
1383 theorems. |
|
1384 |
|
1385 \end{description} |
|
1386 *} |
|
1387 |
|
1388 |
|
1389 section {* Definition by specification \label{sec:hol-specification} *} |
|
1390 |
|
1391 text {* |
|
1392 \begin{matharray}{rcl} |
|
1393 @{command_def (HOL) "specification"} & : & @{text "theory \<rightarrow> proof(prove)"} \\ |
|
1394 \end{matharray} |
|
1395 |
|
1396 @{rail \<open> |
|
1397 @@{command (HOL) specification} '(' (decl +) ')' \<newline> |
|
1398 (@{syntax thmdecl}? @{syntax prop} +) |
|
1399 ; |
|
1400 decl: (@{syntax name} ':')? @{syntax term} ('(' @'overloaded' ')')? |
|
1401 \<close>} |
|
1402 |
|
1403 \begin{description} |
|
1404 |
|
1405 \item @{command (HOL) "specification"}~@{text "decls \<phi>"} sets up a |
|
1406 goal stating the existence of terms with the properties specified to |
|
1407 hold for the constants given in @{text decls}. After finishing the |
|
1408 proof, the theory will be augmented with definitions for the given |
|
1409 constants, as well as with theorems stating the properties for these |
|
1410 constants. |
|
1411 |
|
1412 @{text decl} declares a constant to be defined by the |
|
1413 specification given. The definition for the constant @{text c} is |
|
1414 bound to the name @{text c_def} unless a theorem name is given in |
|
1415 the declaration. Overloaded constants should be declared as such. |
|
1416 |
|
1417 \end{description} |
|
1418 *} |
|
1419 |
|
1420 |
|
1421 section {* Adhoc overloading of constants *} |
|
1422 |
|
1423 text {* |
|
1424 \begin{tabular}{rcll} |
|
1425 @{command_def "adhoc_overloading"} & : & @{text "local_theory \<rightarrow> local_theory"} \\ |
|
1426 @{command_def "no_adhoc_overloading"} & : & @{text "local_theory \<rightarrow> local_theory"} \\ |
|
1427 @{attribute_def "show_variants"} & : & @{text "attribute"} & default @{text false} \\ |
|
1428 \end{tabular} |
|
1429 |
|
1430 \medskip |
|
1431 |
|
1432 Adhoc overloading allows to overload a constant depending on |
|
1433 its type. Typically this involves the introduction of an |
|
1434 uninterpreted constant (used for input and output) and the addition |
|
1435 of some variants (used internally). For examples see |
|
1436 @{file "~~/src/HOL/ex/Adhoc_Overloading_Examples.thy"} and |
|
1437 @{file "~~/src/HOL/Library/Monad_Syntax.thy"}. |
|
1438 |
|
1439 @{rail \<open> |
|
1440 (@@{command adhoc_overloading} | @@{command no_adhoc_overloading}) |
|
1441 (@{syntax nameref} (@{syntax term} + ) + @'and') |
|
1442 \<close>} |
|
1443 |
|
1444 \begin{description} |
|
1445 |
|
1446 \item @{command "adhoc_overloading"}~@{text "c v\<^sub>1 ... v\<^sub>n"} |
|
1447 associates variants with an existing constant. |
|
1448 |
|
1449 \item @{command "no_adhoc_overloading"} is similar to |
|
1450 @{command "adhoc_overloading"}, but removes the specified variants |
|
1451 from the present context. |
|
1452 |
|
1453 \item @{attribute "show_variants"} controls printing of variants |
|
1454 of overloaded constants. If enabled, the internally used variants |
|
1455 are printed instead of their respective overloaded constants. This |
|
1456 is occasionally useful to check whether the system agrees with a |
|
1457 user's expectations about derived variants. |
|
1458 |
|
1459 \end{description} |
|
1460 *} |
|
1461 |
|
1462 chapter {* Proof tools *} |
|
1463 |
|
1464 section {* Adhoc tuples *} |
|
1465 |
|
1466 text {* |
|
1467 \begin{matharray}{rcl} |
|
1468 @{attribute_def (HOL) split_format}@{text "\<^sup>*"} & : & @{text attribute} \\ |
|
1469 \end{matharray} |
|
1470 |
|
1471 @{rail \<open> |
|
1472 @@{attribute (HOL) split_format} ('(' 'complete' ')')? |
|
1473 \<close>} |
|
1474 |
|
1475 \begin{description} |
|
1476 |
|
1477 \item @{attribute (HOL) split_format}\ @{text "(complete)"} causes |
|
1478 arguments in function applications to be represented canonically |
|
1479 according to their tuple type structure. |
|
1480 |
|
1481 Note that this operation tends to invent funny names for new local |
|
1482 parameters introduced. |
|
1483 |
|
1484 \end{description} |
|
1485 *} |
|
1486 |
|
1487 |
|
1488 section {* Transfer package *} |
|
1489 |
|
1490 text {* |
|
1491 \begin{matharray}{rcl} |
|
1492 @{method_def (HOL) "transfer"} & : & @{text method} \\ |
|
1493 @{method_def (HOL) "transfer'"} & : & @{text method} \\ |
|
1494 @{method_def (HOL) "transfer_prover"} & : & @{text method} \\ |
|
1495 @{attribute_def (HOL) "Transfer.transferred"} & : & @{text attribute} \\ |
|
1496 @{attribute_def (HOL) "untransferred"} & : & @{text attribute} \\ |
|
1497 @{attribute_def (HOL) "transfer_rule"} & : & @{text attribute} \\ |
|
1498 @{attribute_def (HOL) "transfer_domain_rule"} & : & @{text attribute} \\ |
|
1499 @{attribute_def (HOL) "relator_eq"} & : & @{text attribute} \\ |
|
1500 @{attribute_def (HOL) "relator_domain"} & : & @{text attribute} \\ |
|
1501 \end{matharray} |
|
1502 |
|
1503 \begin{description} |
|
1504 |
|
1505 \item @{method (HOL) "transfer"} method replaces the current subgoal |
|
1506 with a logically equivalent one that uses different types and |
|
1507 constants. The replacement of types and constants is guided by the |
|
1508 database of transfer rules. Goals are generalized over all free |
|
1509 variables by default; this is necessary for variables whose types |
|
1510 change, but can be overridden for specific variables with e.g. |
|
1511 @{text "transfer fixing: x y z"}. |
|
1512 |
|
1513 \item @{method (HOL) "transfer'"} is a variant of @{method (HOL) |
|
1514 transfer} that allows replacing a subgoal with one that is |
|
1515 logically stronger (rather than equivalent). For example, a |
|
1516 subgoal involving equality on a quotient type could be replaced |
|
1517 with a subgoal involving equality (instead of the corresponding |
|
1518 equivalence relation) on the underlying raw type. |
|
1519 |
|
1520 \item @{method (HOL) "transfer_prover"} method assists with proving |
|
1521 a transfer rule for a new constant, provided the constant is |
|
1522 defined in terms of other constants that already have transfer |
|
1523 rules. It should be applied after unfolding the constant |
|
1524 definitions. |
|
1525 |
|
1526 \item @{attribute (HOL) "untransferred"} proves the same equivalent theorem |
|
1527 as @{method (HOL) "transfer"} internally does. |
|
1528 |
|
1529 \item @{attribute (HOL) Transfer.transferred} works in the opposite |
|
1530 direction than @{method (HOL) "transfer'"}. E.g., given the transfer |
|
1531 relation @{text "ZN x n \<equiv> (x = int n)"}, corresponding transfer rules and the theorem |
|
1532 @{text "\<forall>x::int \<in> {0..}. x < x + 1"}, the attribute would prove |
|
1533 @{text "\<forall>n::nat. n < n + 1"}. The attribute is still in experimental |
|
1534 phase of development. |
|
1535 |
|
1536 \item @{attribute (HOL) "transfer_rule"} attribute maintains a |
|
1537 collection of transfer rules, which relate constants at two |
|
1538 different types. Typical transfer rules may relate different type |
|
1539 instances of the same polymorphic constant, or they may relate an |
|
1540 operation on a raw type to a corresponding operation on an |
|
1541 abstract type (quotient or subtype). For example: |
|
1542 |
|
1543 @{text "((A ===> B) ===> list_all2 A ===> list_all2 B) map map"}\\ |
|
1544 @{text "(cr_int ===> cr_int ===> cr_int) (\<lambda>(x,y) (u,v). (x+u, y+v)) plus"} |
|
1545 |
|
1546 Lemmas involving predicates on relations can also be registered |
|
1547 using the same attribute. For example: |
|
1548 |
|
1549 @{text "bi_unique A \<Longrightarrow> (list_all2 A ===> op =) distinct distinct"}\\ |
|
1550 @{text "\<lbrakk>bi_unique A; bi_unique B\<rbrakk> \<Longrightarrow> bi_unique (rel_prod A B)"} |
|
1551 |
|
1552 \item @{attribute (HOL) "transfer_domain_rule"} attribute maintains a collection |
|
1553 of rules, which specify a domain of a transfer relation by a predicate. |
|
1554 E.g., given the transfer relation @{text "ZN x n \<equiv> (x = int n)"}, |
|
1555 one can register the following transfer domain rule: |
|
1556 @{text "Domainp ZN = (\<lambda>x. x \<ge> 0)"}. The rules allow the package to produce |
|
1557 more readable transferred goals, e.g., when quantifiers are transferred. |
|
1558 |
|
1559 \item @{attribute (HOL) relator_eq} attribute collects identity laws |
|
1560 for relators of various type constructors, e.g. @{text "list_all2 |
|
1561 (op =) = (op =)"}. The @{method (HOL) transfer} method uses these |
|
1562 lemmas to infer transfer rules for non-polymorphic constants on |
|
1563 the fly. |
|
1564 |
|
1565 \item @{attribute_def (HOL) "relator_domain"} attribute collects rules |
|
1566 describing domains of relators by predicators. E.g., @{text "Domainp A = P \<Longrightarrow> |
|
1567 Domainp (list_all2 A) = (list_all P)"}. This allows the package to lift transfer |
|
1568 domain rules through type constructors. |
|
1569 |
|
1570 \end{description} |
|
1571 |
|
1572 Theoretical background can be found in \cite{Huffman-Kuncar:2013:lifting_transfer}. |
|
1573 *} |
|
1574 |
|
1575 |
|
1576 section {* Lifting package *} |
|
1577 |
|
1578 text {* |
|
1579 The Lifting package allows users to lift terms of the raw type to the abstract type, which is |
|
1580 a necessary step in building a library for an abstract type. Lifting defines a new constant |
|
1581 by combining coercion functions (Abs and Rep) with the raw term. It also proves an appropriate |
|
1582 transfer rule for the Transfer package and, if possible, an equation for the code generator. |
|
1583 |
|
1584 The Lifting package provides two main commands: @{command (HOL) "setup_lifting"} for initializing |
|
1585 the package to work with a new type, and @{command (HOL) "lift_definition"} for lifting constants. |
|
1586 The Lifting package works with all four kinds of type abstraction: type copies, subtypes, |
|
1587 total quotients and partial quotients. |
|
1588 |
|
1589 Theoretical background can be found in \cite{Huffman-Kuncar:2013:lifting_transfer}. |
|
1590 |
|
1591 \begin{matharray}{rcl} |
|
1592 @{command_def (HOL) "setup_lifting"} & : & @{text "local_theory \<rightarrow> local_theory"}\\ |
|
1593 @{command_def (HOL) "lift_definition"} & : & @{text "local_theory \<rightarrow> proof(prove)"}\\ |
|
1594 @{command_def (HOL) "lifting_forget"} & : & @{text "local_theory \<rightarrow> local_theory"}\\ |
|
1595 @{command_def (HOL) "lifting_update"} & : & @{text "local_theory \<rightarrow> local_theory"}\\ |
|
1596 @{command_def (HOL) "print_quot_maps"} & : & @{text "context \<rightarrow>"}\\ |
|
1597 @{command_def (HOL) "print_quotients"} & : & @{text "context \<rightarrow>"}\\ |
|
1598 @{attribute_def (HOL) "quot_map"} & : & @{text attribute} \\ |
|
1599 @{attribute_def (HOL) "invariant_commute"} & : & @{text attribute} \\ |
|
1600 @{attribute_def (HOL) "reflexivity_rule"} & : & @{text attribute} \\ |
|
1601 @{attribute_def (HOL) "relator_mono"} & : & @{text attribute} \\ |
|
1602 @{attribute_def (HOL) "relator_distr"} & : & @{text attribute} \\ |
|
1603 @{attribute_def (HOL) "quot_del"} & : & @{text attribute} \\ |
|
1604 @{attribute_def (HOL) "lifting_restore"} & : & @{text attribute} \\ |
|
1605 \end{matharray} |
|
1606 |
|
1607 @{rail \<open> |
|
1608 @@{command (HOL) setup_lifting} ('(' 'no_code' ')')? \<newline> |
|
1609 @{syntax thmref} @{syntax thmref}? (@'parametric' @{syntax thmref})?; |
|
1610 \<close>} |
|
1611 |
|
1612 @{rail \<open> |
|
1613 @@{command (HOL) lift_definition} @{syntax name} '::' @{syntax type} @{syntax mixfix}? \<newline> |
|
1614 'is' @{syntax term} (@'parametric' @{syntax thmref})?; |
|
1615 \<close>} |
|
1616 |
|
1617 @{rail \<open> |
|
1618 @@{command (HOL) lifting_forget} @{syntax nameref}; |
|
1619 \<close>} |
|
1620 |
|
1621 @{rail \<open> |
|
1622 @@{command (HOL) lifting_update} @{syntax nameref}; |
|
1623 \<close>} |
|
1624 |
|
1625 @{rail \<open> |
|
1626 @@{attribute (HOL) lifting_restore} @{syntax thmref} (@{syntax thmref} @{syntax thmref})?; |
|
1627 \<close>} |
|
1628 |
|
1629 \begin{description} |
|
1630 |
|
1631 \item @{command (HOL) "setup_lifting"} Sets up the Lifting package |
|
1632 to work with a user-defined type. |
|
1633 The command supports two modes. The first one is a low-level mode when |
|
1634 the user must provide as a first |
|
1635 argument of @{command (HOL) "setup_lifting"} a |
|
1636 quotient theorem @{text "Quotient R Abs Rep T"}. The |
|
1637 package configures a transfer rule for equality, a domain transfer |
|
1638 rules and sets up the @{command_def (HOL) "lift_definition"} |
|
1639 command to work with the abstract type. An optional theorem @{text "reflp R"}, which certifies that |
|
1640 the equivalence relation R is total, |
|
1641 can be provided as a second argument. This allows the package to generate stronger transfer |
|
1642 rules. And finally, the parametricity theorem for R can be provided as a third argument. |
|
1643 This allows the package to generate a stronger transfer rule for equality. |
|
1644 |
|
1645 Users generally will not prove the @{text Quotient} theorem manually for |
|
1646 new types, as special commands exist to automate the process. |
|
1647 |
|
1648 When a new subtype is defined by @{command (HOL) typedef}, @{command (HOL) "lift_definition"} |
|
1649 can be used in its |
|
1650 second mode, where only the type_definition theorem @{text "type_definition Rep Abs A"} |
|
1651 is used as an argument of the command. The command internally proves the corresponding |
|
1652 Quotient theorem and registers it with @{command (HOL) setup_lifting} using its first mode. |
|
1653 |
|
1654 For quotients, the command @{command (HOL) quotient_type} can be used. The command defines |
|
1655 a new quotient type and similarly to the previous case, the corresponding Quotient theorem is proved |
|
1656 and registered by @{command (HOL) setup_lifting}. |
|
1657 |
|
1658 The command @{command (HOL) "setup_lifting"} also sets up the code generator |
|
1659 for the new type. Later on, when a new constant is defined by @{command (HOL) "lift_definition"}, |
|
1660 the Lifting package proves and registers a code equation (if there is one) for the new constant. |
|
1661 If the option @{text "no_code"} is specified, the Lifting package does not set up the code |
|
1662 generator and as a consequence no code equations involving an abstract type are registered |
|
1663 by @{command (HOL) "lift_definition"}. |
|
1664 |
|
1665 \item @{command (HOL) "lift_definition"} @{text "f :: \<tau>"} @{keyword (HOL) "is"} @{text t} |
|
1666 Defines a new function @{text f} with an abstract type @{text \<tau>} |
|
1667 in terms of a corresponding operation @{text t} on a |
|
1668 representation type. More formally, if @{text "t :: \<sigma>"}, then |
|
1669 the command builds a term @{text "F"} as a corresponding combination of abstraction |
|
1670 and representation functions such that @{text "F :: \<sigma> \<Rightarrow> \<tau>" } and |
|
1671 defines @{text f} is as @{text "f \<equiv> F t"}. |
|
1672 The term @{text t} does not have to be necessarily a constant but it can be any term. |
|
1673 |
|
1674 The command opens a proof environment and the user must discharge |
|
1675 a respectfulness proof obligation. For a type copy, i.e., a typedef with @{text |
|
1676 UNIV}, the obligation is discharged automatically. The proof goal is |
|
1677 presented in a user-friendly, readable form. A respectfulness |
|
1678 theorem in the standard format @{text f.rsp} and a transfer rule |
|
1679 @{text f.transfer} for the Transfer package are generated by the |
|
1680 package. |
|
1681 |
|
1682 The user can specify a parametricity theorem for @{text t} after the keyword |
|
1683 @{keyword "parametric"}, which allows the command |
|
1684 to generate a parametric transfer rule for @{text f}. |
|
1685 |
|
1686 For each constant defined through trivial quotients (type copies or |
|
1687 subtypes) @{text f.rep_eq} is generated. The equation is a code certificate |
|
1688 that defines @{text f} using the representation function. |
|
1689 |
|
1690 For each constant @{text f.abs_eq} is generated. The equation is unconditional |
|
1691 for total quotients. The equation defines @{text f} using |
|
1692 the abstraction function. |
|
1693 |
|
1694 Integration with [@{attribute code} abstract]: For subtypes (e.g., |
|
1695 corresponding to a datatype invariant, such as dlist), @{command |
|
1696 (HOL) "lift_definition"} uses a code certificate theorem |
|
1697 @{text f.rep_eq} as a code equation. |
|
1698 |
|
1699 Integration with [@{attribute code} equation]: For total quotients, @{command |
|
1700 (HOL) "lift_definition"} uses @{text f.abs_eq} as a code equation. |
|
1701 |
|
1702 \item @{command (HOL) lifting_forget} and @{command (HOL) lifting_update} |
|
1703 These two commands serve for storing and deleting the set-up of |
|
1704 the Lifting package and corresponding transfer rules defined by this package. |
|
1705 This is useful for hiding of type construction details of an abstract type |
|
1706 when the construction is finished but it still allows additions to this construction |
|
1707 when this is later necessary. |
|
1708 |
|
1709 Whenever the Lifting package is set up with a new abstract type @{text "\<tau>"} by |
|
1710 @{command_def (HOL) "lift_definition"}, the package defines a new bundle |
|
1711 that is called @{text "\<tau>.lifting"}. This bundle already includes set-up for the Lifting package. |
|
1712 The new transfer rules |
|
1713 introduced by @{command (HOL) "lift_definition"} can be stored in the bundle by |
|
1714 the command @{command (HOL) "lifting_update"} @{text "\<tau>.lifting"}. |
|
1715 |
|
1716 The command @{command (HOL) "lifting_forget"} @{text "\<tau>.lifting"} deletes set-up of the Lifting |
|
1717 package |
|
1718 for @{text \<tau>} and deletes all the transfer rules that were introduced |
|
1719 by @{command (HOL) "lift_definition"} using @{text \<tau>} as an abstract type. |
|
1720 |
|
1721 The stored set-up in a bundle can be reintroduced by the Isar commands for including a bundle |
|
1722 (@{command "include"}, @{keyword "includes"} and @{command "including"}). |
|
1723 |
|
1724 \item @{command (HOL) "print_quot_maps"} prints stored quotient map |
|
1725 theorems. |
|
1726 |
|
1727 \item @{command (HOL) "print_quotients"} prints stored quotient |
|
1728 theorems. |
|
1729 |
|
1730 \item @{attribute (HOL) quot_map} registers a quotient map |
|
1731 theorem. E.g., @{text "Quotient R Abs Rep T \<Longrightarrow> |
|
1732 Quotient (list_all2 R) (map Abs) (map Rep) (list_all2 T)"}. |
|
1733 For examples see @{file |
|
1734 "~~/src/HOL/List.thy"} or @{file "~~/src/HOL/Lifting.thy"} or Lifting_*.thy files |
|
1735 in the same directory. |
|
1736 |
|
1737 \item @{attribute (HOL) invariant_commute} registers a theorem that |
|
1738 shows a relationship between the constant @{text |
|
1739 Lifting.invariant} (used for internal encoding of proper subtypes) |
|
1740 and a relator. Such theorems allows the package to hide @{text |
|
1741 Lifting.invariant} from a user in a user-readable form of a |
|
1742 respectfulness theorem. For examples see @{file |
|
1743 "~~/src/HOL/List.thy"} or Lifting_*.thy files in the same directory. |
|
1744 |
|
1745 \item @{attribute (HOL) reflexivity_rule} registers a theorem that shows |
|
1746 that a relator respects left-totality and left_uniqueness. For examples |
|
1747 see @{file "~~/src/HOL/List.thy"} or @{file "~~/src/HOL/Lifting.thy"} or Lifting_*.thy files |
|
1748 in the same directory. |
|
1749 The property is used in a reflexivity prover, which is used for discharging respectfulness |
|
1750 theorems for type copies and also for discharging assumptions of abstraction function equations. |
|
1751 |
|
1752 \item @{attribute (HOL) "relator_mono"} registers a property describing a monotonicity of a relator. |
|
1753 E.g., @{text "A \<le> B \<Longrightarrow> list_all2 A \<le> list_all2 B"}. For examples |
|
1754 see @{file "~~/src/HOL/List.thy"} or @{file "~~/src/HOL/Lifting.thy"} |
|
1755 or Lifting_*.thy files in the same directory. |
|
1756 This property is needed for proving a stronger transfer rule in @{command_def (HOL) "lift_definition"} |
|
1757 when a parametricity theorem for the raw term is specified. |
|
1758 |
|
1759 \item @{attribute (HOL) "relator_distr"} registers a property describing a distributivity |
|
1760 of the relation composition and a relator. E.g., |
|
1761 @{text "list_all2 R \<circ>\<circ> list_all2 S = list_all2 (R \<circ>\<circ> S)"}. |
|
1762 This property is needed for proving a stronger transfer rule in @{command_def (HOL) "lift_definition"} |
|
1763 when a parametricity theorem for the raw term is specified. |
|
1764 When this equality does not hold unconditionally (e.g., for the function type), the user can specified |
|
1765 each direction separately and also register multiple theorems with different set of assumptions. |
|
1766 This attribute can be used only after the monotonicity property was already registered by |
|
1767 @{attribute (HOL) "relator_mono"}. For examples |
|
1768 see @{file "~~/src/HOL/List.thy"} or @{file "~~/src/HOL/Lifting.thy"} |
|
1769 or Lifting_*.thy files in the same directory. |
|
1770 |
|
1771 \item @{attribute (HOL) quot_del} deletes a corresponding Quotient theorem |
|
1772 from the Lifting infrastructure and thus de-register the corresponding quotient. |
|
1773 This effectively causes that @{command (HOL) lift_definition} will not |
|
1774 do any lifting for the corresponding type. This attribute is rather used for low-level |
|
1775 manipulation with set-up of the Lifting package because @{command (HOL) lifting_forget} is |
|
1776 preferred for normal usage. |
|
1777 |
|
1778 \item @{attribute (HOL) lifting_restore} @{text "Quotient_thm pcr_def pcr_cr_eq_thm"} |
|
1779 registers the Quotient theorem @{text Quotient_thm} in the Lifting infrastructure |
|
1780 and thus sets up lifting for an abstract type @{text \<tau>} (that is defined by @{text Quotient_thm}). |
|
1781 Optional theorems @{text pcr_def} and @{text pcr_cr_eq_thm} can be specified to register |
|
1782 the parametrized |
|
1783 correspondence relation for @{text \<tau>}. E.g., for @{text "'a dlist"}, @{text pcr_def} is |
|
1784 @{text "pcr_dlist A \<equiv> list_all2 A \<circ>\<circ> cr_dlist"} and @{text pcr_cr_eq_thm} is |
|
1785 @{text "pcr_dlist op= = op="}. |
|
1786 This attribute is rather used for low-level |
|
1787 manipulation with set-up of the Lifting package because using of the bundle @{text \<tau>.lifting} |
|
1788 together with the commands @{command (HOL) lifting_forget} and @{command (HOL) lifting_update} is |
|
1789 preferred for normal usage. |
|
1790 |
|
1791 \end{description} |
|
1792 *} |
|
1793 |
|
1794 |
|
1795 section {* Coercive subtyping *} |
|
1796 |
|
1797 text {* |
|
1798 \begin{matharray}{rcl} |
|
1799 @{attribute_def (HOL) coercion} & : & @{text attribute} \\ |
|
1800 @{attribute_def (HOL) coercion_enabled} & : & @{text attribute} \\ |
|
1801 @{attribute_def (HOL) coercion_map} & : & @{text attribute} \\ |
|
1802 \end{matharray} |
|
1803 |
|
1804 Coercive subtyping allows the user to omit explicit type |
|
1805 conversions, also called \emph{coercions}. Type inference will add |
|
1806 them as necessary when parsing a term. See |
|
1807 \cite{traytel-berghofer-nipkow-2011} for details. |
|
1808 |
|
1809 @{rail \<open> |
|
1810 @@{attribute (HOL) coercion} (@{syntax term})? |
|
1811 ; |
|
1812 @@{attribute (HOL) coercion_map} (@{syntax term})? |
|
1813 \<close>} |
|
1814 |
|
1815 \begin{description} |
|
1816 |
|
1817 \item @{attribute (HOL) "coercion"}~@{text "f"} registers a new |
|
1818 coercion function @{text "f :: \<sigma>\<^sub>1 \<Rightarrow> \<sigma>\<^sub>2"} where @{text "\<sigma>\<^sub>1"} and |
|
1819 @{text "\<sigma>\<^sub>2"} are type constructors without arguments. Coercions are |
|
1820 composed by the inference algorithm if needed. Note that the type |
|
1821 inference algorithm is complete only if the registered coercions |
|
1822 form a lattice. |
|
1823 |
|
1824 \item @{attribute (HOL) "coercion_map"}~@{text "map"} registers a |
|
1825 new map function to lift coercions through type constructors. The |
|
1826 function @{text "map"} must conform to the following type pattern |
|
1827 |
|
1828 \begin{matharray}{lll} |
|
1829 @{text "map"} & @{text "::"} & |
|
1830 @{text "f\<^sub>1 \<Rightarrow> \<dots> \<Rightarrow> f\<^sub>n \<Rightarrow> (\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t \<Rightarrow> (\<beta>\<^sub>1, \<dots>, \<beta>\<^sub>n) t"} \\ |
|
1831 \end{matharray} |
|
1832 |
|
1833 where @{text "t"} is a type constructor and @{text "f\<^sub>i"} is of type |
|
1834 @{text "\<alpha>\<^sub>i \<Rightarrow> \<beta>\<^sub>i"} or @{text "\<beta>\<^sub>i \<Rightarrow> \<alpha>\<^sub>i"}. Registering a map function |
|
1835 overwrites any existing map function for this particular type |
|
1836 constructor. |
|
1837 |
|
1838 \item @{attribute (HOL) "coercion_enabled"} enables the coercion |
|
1839 inference algorithm. |
|
1840 |
|
1841 \end{description} |
|
1842 *} |
|
1843 |
|
1844 |
|
1845 section {* Arithmetic proof support *} |
|
1846 |
|
1847 text {* |
|
1848 \begin{matharray}{rcl} |
|
1849 @{method_def (HOL) arith} & : & @{text method} \\ |
|
1850 @{attribute_def (HOL) arith} & : & @{text attribute} \\ |
|
1851 @{attribute_def (HOL) arith_split} & : & @{text attribute} \\ |
|
1852 \end{matharray} |
|
1853 |
|
1854 \begin{description} |
|
1855 |
|
1856 \item @{method (HOL) arith} decides linear arithmetic problems (on |
|
1857 types @{text nat}, @{text int}, @{text real}). Any current facts |
|
1858 are inserted into the goal before running the procedure. |
|
1859 |
|
1860 \item @{attribute (HOL) arith} declares facts that are supplied to |
|
1861 the arithmetic provers implicitly. |
|
1862 |
|
1863 \item @{attribute (HOL) arith_split} attribute declares case split |
|
1864 rules to be expanded before @{method (HOL) arith} is invoked. |
|
1865 |
|
1866 \end{description} |
|
1867 |
|
1868 Note that a simpler (but faster) arithmetic prover is already |
|
1869 invoked by the Simplifier. |
|
1870 *} |
|
1871 |
|
1872 |
|
1873 section {* Intuitionistic proof search *} |
|
1874 |
|
1875 text {* |
|
1876 \begin{matharray}{rcl} |
|
1877 @{method_def (HOL) iprover} & : & @{text method} \\ |
|
1878 \end{matharray} |
|
1879 |
|
1880 @{rail \<open> |
|
1881 @@{method (HOL) iprover} (@{syntax rulemod} *) |
|
1882 \<close>} |
|
1883 |
|
1884 \begin{description} |
|
1885 |
|
1886 \item @{method (HOL) iprover} performs intuitionistic proof search, |
|
1887 depending on specifically declared rules from the context, or given |
|
1888 as explicit arguments. Chained facts are inserted into the goal |
|
1889 before commencing proof search. |
|
1890 |
|
1891 Rules need to be classified as @{attribute (Pure) intro}, |
|
1892 @{attribute (Pure) elim}, or @{attribute (Pure) dest}; here the |
|
1893 ``@{text "!"}'' indicator refers to ``safe'' rules, which may be |
|
1894 applied aggressively (without considering back-tracking later). |
|
1895 Rules declared with ``@{text "?"}'' are ignored in proof search (the |
|
1896 single-step @{method (Pure) rule} method still observes these). An |
|
1897 explicit weight annotation may be given as well; otherwise the |
|
1898 number of rule premises will be taken into account here. |
|
1899 |
|
1900 \end{description} |
|
1901 *} |
|
1902 |
|
1903 |
|
1904 section {* Model Elimination and Resolution *} |
|
1905 |
|
1906 text {* |
|
1907 \begin{matharray}{rcl} |
|
1908 @{method_def (HOL) "meson"} & : & @{text method} \\ |
|
1909 @{method_def (HOL) "metis"} & : & @{text method} \\ |
|
1910 \end{matharray} |
|
1911 |
|
1912 @{rail \<open> |
|
1913 @@{method (HOL) meson} @{syntax thmrefs}? |
|
1914 ; |
|
1915 @@{method (HOL) metis} |
|
1916 ('(' ('partial_types' | 'full_types' | 'no_types' | @{syntax name}) ')')? |
|
1917 @{syntax thmrefs}? |
|
1918 \<close>} |
|
1919 |
|
1920 \begin{description} |
|
1921 |
|
1922 \item @{method (HOL) meson} implements Loveland's model elimination |
|
1923 procedure \cite{loveland-78}. See @{file |
|
1924 "~~/src/HOL/ex/Meson_Test.thy"} for examples. |
|
1925 |
|
1926 \item @{method (HOL) metis} combines ordered resolution and ordered |
|
1927 paramodulation to find first-order (or mildly higher-order) proofs. |
|
1928 The first optional argument specifies a type encoding; see the |
|
1929 Sledgehammer manual \cite{isabelle-sledgehammer} for details. The |
|
1930 directory @{file "~~/src/HOL/Metis_Examples"} contains several small |
|
1931 theories developed to a large extent using @{method (HOL) metis}. |
|
1932 |
|
1933 \end{description} |
|
1934 *} |
|
1935 |
|
1936 |
|
1937 section {* Algebraic reasoning via Gr\"obner bases *} |
|
1938 |
|
1939 text {* |
|
1940 \begin{matharray}{rcl} |
|
1941 @{method_def (HOL) "algebra"} & : & @{text method} \\ |
|
1942 @{attribute_def (HOL) algebra} & : & @{text attribute} \\ |
|
1943 \end{matharray} |
|
1944 |
|
1945 @{rail \<open> |
|
1946 @@{method (HOL) algebra} |
|
1947 ('add' ':' @{syntax thmrefs})? |
|
1948 ('del' ':' @{syntax thmrefs})? |
|
1949 ; |
|
1950 @@{attribute (HOL) algebra} (() | 'add' | 'del') |
|
1951 \<close>} |
|
1952 |
|
1953 \begin{description} |
|
1954 |
|
1955 \item @{method (HOL) algebra} performs algebraic reasoning via |
|
1956 Gr\"obner bases, see also \cite{Chaieb-Wenzel:2007} and |
|
1957 \cite[\S3.2]{Chaieb-thesis}. The method handles deals with two main |
|
1958 classes of problems: |
|
1959 |
|
1960 \begin{enumerate} |
|
1961 |
|
1962 \item Universal problems over multivariate polynomials in a |
|
1963 (semi)-ring/field/idom; the capabilities of the method are augmented |
|
1964 according to properties of these structures. For this problem class |
|
1965 the method is only complete for algebraically closed fields, since |
|
1966 the underlying method is based on Hilbert's Nullstellensatz, where |
|
1967 the equivalence only holds for algebraically closed fields. |
|
1968 |
|
1969 The problems can contain equations @{text "p = 0"} or inequations |
|
1970 @{text "q \<noteq> 0"} anywhere within a universal problem statement. |
|
1971 |
|
1972 \item All-exists problems of the following restricted (but useful) |
|
1973 form: |
|
1974 |
|
1975 @{text [display] "\<forall>x\<^sub>1 \<dots> x\<^sub>n. |
|
1976 e\<^sub>1(x\<^sub>1, \<dots>, x\<^sub>n) = 0 \<and> \<dots> \<and> e\<^sub>m(x\<^sub>1, \<dots>, x\<^sub>n) = 0 \<longrightarrow> |
|
1977 (\<exists>y\<^sub>1 \<dots> y\<^sub>k. |
|
1978 p\<^sub>1\<^sub>1(x\<^sub>1, \<dots> ,x\<^sub>n) * y\<^sub>1 + \<dots> + p\<^sub>1\<^sub>k(x\<^sub>1, \<dots>, x\<^sub>n) * y\<^sub>k = 0 \<and> |
|
1979 \<dots> \<and> |
|
1980 p\<^sub>t\<^sub>1(x\<^sub>1, \<dots>, x\<^sub>n) * y\<^sub>1 + \<dots> + p\<^sub>t\<^sub>k(x\<^sub>1, \<dots>, x\<^sub>n) * y\<^sub>k = 0)"} |
|
1981 |
|
1982 Here @{text "e\<^sub>1, \<dots>, e\<^sub>n"} and the @{text "p\<^sub>i\<^sub>j"} are multivariate |
|
1983 polynomials only in the variables mentioned as arguments. |
|
1984 |
|
1985 \end{enumerate} |
|
1986 |
|
1987 The proof method is preceded by a simplification step, which may be |
|
1988 modified by using the form @{text "(algebra add: ths\<^sub>1 del: ths\<^sub>2)"}. |
|
1989 This acts like declarations for the Simplifier |
|
1990 (\secref{sec:simplifier}) on a private simpset for this tool. |
|
1991 |
|
1992 \item @{attribute algebra} (as attribute) manages the default |
|
1993 collection of pre-simplification rules of the above proof method. |
|
1994 |
|
1995 \end{description} |
|
1996 *} |
|
1997 |
|
1998 |
|
1999 subsubsection {* Example *} |
|
2000 |
|
2001 text {* The subsequent example is from geometry: collinearity is |
|
2002 invariant by rotation. *} |
|
2003 |
|
2004 type_synonym point = "int \<times> int" |
|
2005 |
|
2006 fun collinear :: "point \<Rightarrow> point \<Rightarrow> point \<Rightarrow> bool" where |
|
2007 "collinear (Ax, Ay) (Bx, By) (Cx, Cy) \<longleftrightarrow> |
|
2008 (Ax - Bx) * (By - Cy) = (Ay - By) * (Bx - Cx)" |
|
2009 |
|
2010 lemma collinear_inv_rotation: |
|
2011 assumes "collinear (Ax, Ay) (Bx, By) (Cx, Cy)" and "c\<^sup>2 + s\<^sup>2 = 1" |
|
2012 shows "collinear (Ax * c - Ay * s, Ay * c + Ax * s) |
|
2013 (Bx * c - By * s, By * c + Bx * s) (Cx * c - Cy * s, Cy * c + Cx * s)" |
|
2014 using assms by (algebra add: collinear.simps) |
|
2015 |
|
2016 text {* |
|
2017 See also @{file "~~/src/HOL/ex/Groebner_Examples.thy"}. |
|
2018 *} |
|
2019 |
|
2020 |
|
2021 section {* Coherent Logic *} |
|
2022 |
|
2023 text {* |
|
2024 \begin{matharray}{rcl} |
|
2025 @{method_def (HOL) "coherent"} & : & @{text method} \\ |
|
2026 \end{matharray} |
|
2027 |
|
2028 @{rail \<open> |
|
2029 @@{method (HOL) coherent} @{syntax thmrefs}? |
|
2030 \<close>} |
|
2031 |
|
2032 \begin{description} |
|
2033 |
|
2034 \item @{method (HOL) coherent} solves problems of \emph{Coherent |
|
2035 Logic} \cite{Bezem-Coquand:2005}, which covers applications in |
|
2036 confluence theory, lattice theory and projective geometry. See |
|
2037 @{file "~~/src/HOL/ex/Coherent.thy"} for some examples. |
|
2038 |
|
2039 \end{description} |
|
2040 *} |
|
2041 |
|
2042 |
|
2043 section {* Proving propositions *} |
|
2044 |
|
2045 text {* |
|
2046 In addition to the standard proof methods, a number of diagnosis |
|
2047 tools search for proofs and provide an Isar proof snippet on success. |
|
2048 These tools are available via the following commands. |
|
2049 |
|
2050 \begin{matharray}{rcl} |
|
2051 @{command_def (HOL) "solve_direct"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\ |
|
2052 @{command_def (HOL) "try"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\ |
|
2053 @{command_def (HOL) "try0"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\ |
|
2054 @{command_def (HOL) "sledgehammer"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\ |
|
2055 @{command_def (HOL) "sledgehammer_params"} & : & @{text "theory \<rightarrow> theory"} |
|
2056 \end{matharray} |
|
2057 |
|
2058 @{rail \<open> |
|
2059 @@{command (HOL) try} |
|
2060 ; |
|
2061 |
|
2062 @@{command (HOL) try0} ( ( ( 'simp' | 'intro' | 'elim' | 'dest' ) ':' @{syntax thmrefs} ) + ) ? |
|
2063 @{syntax nat}? |
|
2064 ; |
|
2065 |
|
2066 @@{command (HOL) sledgehammer} ( '[' args ']' )? facts? @{syntax nat}? |
|
2067 ; |
|
2068 |
|
2069 @@{command (HOL) sledgehammer_params} ( ( '[' args ']' ) ? ) |
|
2070 ; |
|
2071 args: ( @{syntax name} '=' value + ',' ) |
|
2072 ; |
|
2073 facts: '(' ( ( ( ( 'add' | 'del' ) ':' ) ? @{syntax thmrefs} ) + ) ? ')' |
|
2074 \<close>} % FIXME check args "value" |
|
2075 |
|
2076 \begin{description} |
|
2077 |
|
2078 \item @{command (HOL) "solve_direct"} checks whether the current |
|
2079 subgoals can be solved directly by an existing theorem. Duplicate |
|
2080 lemmas can be detected in this way. |
|
2081 |
|
2082 \item @{command (HOL) "try0"} attempts to prove a subgoal |
|
2083 using a combination of standard proof methods (@{method auto}, |
|
2084 @{method simp}, @{method blast}, etc.). Additional facts supplied |
|
2085 via @{text "simp:"}, @{text "intro:"}, @{text "elim:"}, and @{text |
|
2086 "dest:"} are passed to the appropriate proof methods. |
|
2087 |
|
2088 \item @{command (HOL) "try"} attempts to prove or disprove a subgoal |
|
2089 using a combination of provers and disprovers (@{command (HOL) |
|
2090 "solve_direct"}, @{command (HOL) "quickcheck"}, @{command (HOL) |
|
2091 "try0"}, @{command (HOL) "sledgehammer"}, @{command (HOL) |
|
2092 "nitpick"}). |
|
2093 |
|
2094 \item @{command (HOL) "sledgehammer"} attempts to prove a subgoal |
|
2095 using external automatic provers (resolution provers and SMT |
|
2096 solvers). See the Sledgehammer manual \cite{isabelle-sledgehammer} |
|
2097 for details. |
|
2098 |
|
2099 \item @{command (HOL) "sledgehammer_params"} changes @{command (HOL) |
|
2100 "sledgehammer"} configuration options persistently. |
|
2101 |
|
2102 \end{description} |
|
2103 *} |
|
2104 |
|
2105 |
|
2106 section {* Checking and refuting propositions *} |
|
2107 |
|
2108 text {* |
|
2109 Identifying incorrect propositions usually involves evaluation of |
|
2110 particular assignments and systematic counterexample search. This |
|
2111 is supported by the following commands. |
|
2112 |
|
2113 \begin{matharray}{rcl} |
|
2114 @{command_def (HOL) "value"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\ |
|
2115 @{command_def (HOL) "values"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\ |
|
2116 @{command_def (HOL) "quickcheck"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\ |
|
2117 @{command_def (HOL) "nitpick"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\ |
|
2118 @{command_def (HOL) "quickcheck_params"} & : & @{text "theory \<rightarrow> theory"} \\ |
|
2119 @{command_def (HOL) "nitpick_params"} & : & @{text "theory \<rightarrow> theory"} \\ |
|
2120 @{command_def (HOL) "quickcheck_generator"} & : & @{text "theory \<rightarrow> theory"} \\ |
|
2121 @{command_def (HOL) "find_unused_assms"} & : & @{text "context \<rightarrow>"} |
|
2122 \end{matharray} |
|
2123 |
|
2124 @{rail \<open> |
|
2125 @@{command (HOL) value} ( '[' @{syntax name} ']' )? modes? @{syntax term} |
|
2126 ; |
|
2127 |
|
2128 @@{command (HOL) values} modes? @{syntax nat}? @{syntax term} |
|
2129 ; |
|
2130 |
|
2131 (@@{command (HOL) quickcheck} | @@{command (HOL) nitpick}) |
|
2132 ( '[' args ']' )? @{syntax nat}? |
|
2133 ; |
|
2134 |
|
2135 (@@{command (HOL) quickcheck_params} | |
|
2136 @@{command (HOL) nitpick_params}) ( '[' args ']' )? |
|
2137 ; |
|
2138 |
|
2139 @@{command (HOL) quickcheck_generator} @{syntax nameref} \<newline> |
|
2140 'operations:' ( @{syntax term} +) |
|
2141 ; |
|
2142 |
|
2143 @@{command (HOL) find_unused_assms} @{syntax name}? |
|
2144 ; |
|
2145 modes: '(' (@{syntax name} +) ')' |
|
2146 ; |
|
2147 args: ( @{syntax name} '=' value + ',' ) |
|
2148 \<close>} % FIXME check "value" |
|
2149 |
|
2150 \begin{description} |
|
2151 |
|
2152 \item @{command (HOL) "value"}~@{text t} evaluates and prints a |
|
2153 term; optionally @{text modes} can be specified, which are appended |
|
2154 to the current print mode; see \secref{sec:print-modes}. |
|
2155 Internally, the evaluation is performed by registered evaluators, |
|
2156 which are invoked sequentially until a result is returned. |
|
2157 Alternatively a specific evaluator can be selected using square |
|
2158 brackets; typical evaluators use the current set of code equations |
|
2159 to normalize and include @{text simp} for fully symbolic evaluation |
|
2160 using the simplifier, @{text nbe} for \emph{normalization by |
|
2161 evaluation} and \emph{code} for code generation in SML. |
|
2162 |
|
2163 \item @{command (HOL) "values"}~@{text t} enumerates a set |
|
2164 comprehension by evaluation and prints its values up to the given |
|
2165 number of solutions; optionally @{text modes} can be specified, |
|
2166 which are appended to the current print mode; see |
|
2167 \secref{sec:print-modes}. |
|
2168 |
|
2169 \item @{command (HOL) "quickcheck"} tests the current goal for |
|
2170 counterexamples using a series of assignments for its free |
|
2171 variables; by default the first subgoal is tested, an other can be |
|
2172 selected explicitly using an optional goal index. Assignments can |
|
2173 be chosen exhausting the search space up to a given size, or using a |
|
2174 fixed number of random assignments in the search space, or exploring |
|
2175 the search space symbolically using narrowing. By default, |
|
2176 quickcheck uses exhaustive testing. A number of configuration |
|
2177 options are supported for @{command (HOL) "quickcheck"}, notably: |
|
2178 |
|
2179 \begin{description} |
|
2180 |
|
2181 \item[@{text tester}] specifies which testing approach to apply. |
|
2182 There are three testers, @{text exhaustive}, @{text random}, and |
|
2183 @{text narrowing}. An unknown configuration option is treated as |
|
2184 an argument to tester, making @{text "tester ="} optional. When |
|
2185 multiple testers are given, these are applied in parallel. If no |
|
2186 tester is specified, quickcheck uses the testers that are set |
|
2187 active, i.e., configurations @{attribute |
|
2188 quickcheck_exhaustive_active}, @{attribute |
|
2189 quickcheck_random_active}, @{attribute |
|
2190 quickcheck_narrowing_active} are set to true. |
|
2191 |
|
2192 \item[@{text size}] specifies the maximum size of the search space |
|
2193 for assignment values. |
|
2194 |
|
2195 \item[@{text genuine_only}] sets quickcheck only to return genuine |
|
2196 counterexample, but not potentially spurious counterexamples due |
|
2197 to underspecified functions. |
|
2198 |
|
2199 \item[@{text abort_potential}] sets quickcheck to abort once it |
|
2200 found a potentially spurious counterexample and to not continue |
|
2201 to search for a further genuine counterexample. |
|
2202 For this option to be effective, the @{text genuine_only} option |
|
2203 must be set to false. |
|
2204 |
|
2205 \item[@{text eval}] takes a term or a list of terms and evaluates |
|
2206 these terms under the variable assignment found by quickcheck. |
|
2207 This option is currently only supported by the default |
|
2208 (exhaustive) tester. |
|
2209 |
|
2210 \item[@{text iterations}] sets how many sets of assignments are |
|
2211 generated for each particular size. |
|
2212 |
|
2213 \item[@{text no_assms}] specifies whether assumptions in |
|
2214 structured proofs should be ignored. |
|
2215 |
|
2216 \item[@{text locale}] specifies how to process conjectures in |
|
2217 a locale context, i.e., they can be interpreted or expanded. |
|
2218 The option is a whitespace-separated list of the two words |
|
2219 @{text interpret} and @{text expand}. The list determines the |
|
2220 order they are employed. The default setting is to first use |
|
2221 interpretations and then test the expanded conjecture. |
|
2222 The option is only provided as attribute declaration, but not |
|
2223 as parameter to the command. |
|
2224 |
|
2225 \item[@{text timeout}] sets the time limit in seconds. |
|
2226 |
|
2227 \item[@{text default_type}] sets the type(s) generally used to |
|
2228 instantiate type variables. |
|
2229 |
|
2230 \item[@{text report}] if set quickcheck reports how many tests |
|
2231 fulfilled the preconditions. |
|
2232 |
|
2233 \item[@{text use_subtype}] if set quickcheck automatically lifts |
|
2234 conjectures to registered subtypes if possible, and tests the |
|
2235 lifted conjecture. |
|
2236 |
|
2237 \item[@{text quiet}] if set quickcheck does not output anything |
|
2238 while testing. |
|
2239 |
|
2240 \item[@{text verbose}] if set quickcheck informs about the current |
|
2241 size and cardinality while testing. |
|
2242 |
|
2243 \item[@{text expect}] can be used to check if the user's |
|
2244 expectation was met (@{text no_expectation}, @{text |
|
2245 no_counterexample}, or @{text counterexample}). |
|
2246 |
|
2247 \end{description} |
|
2248 |
|
2249 These option can be given within square brackets. |
|
2250 |
|
2251 Using the following type classes, the testers generate values and convert |
|
2252 them back into Isabelle terms for displaying counterexamples. |
|
2253 \begin{description} |
|
2254 \item[@{text exhaustive}] The parameters of the type classes @{class exhaustive} |
|
2255 and @{class full_exhaustive} implement the testing. They take a |
|
2256 testing function as a parameter, which takes a value of type @{typ "'a"} |
|
2257 and optionally produces a counterexample, and a size parameter for the test values. |
|
2258 In @{class full_exhaustive}, the testing function parameter additionally |
|
2259 expects a lazy term reconstruction in the type @{typ Code_Evaluation.term} |
|
2260 of the tested value. |
|
2261 |
|
2262 The canonical implementation for @{text exhaustive} testers calls the given |
|
2263 testing function on all values up to the given size and stops as soon |
|
2264 as a counterexample is found. |
|
2265 |
|
2266 \item[@{text random}] The operation @{const Quickcheck_Random.random} |
|
2267 of the type class @{class random} generates a pseudo-random |
|
2268 value of the given size and a lazy term reconstruction of the value |
|
2269 in the type @{typ Code_Evaluation.term}. A pseudo-randomness generator |
|
2270 is defined in theory @{theory Random}. |
|
2271 |
|
2272 \item[@{text narrowing}] implements Haskell's Lazy Smallcheck~\cite{runciman-naylor-lindblad} |
|
2273 using the type classes @{class narrowing} and @{class partial_term_of}. |
|
2274 Variables in the current goal are initially represented as symbolic variables. |
|
2275 If the execution of the goal tries to evaluate one of them, the test engine |
|
2276 replaces it with refinements provided by @{const narrowing}. |
|
2277 Narrowing views every value as a sum-of-products which is expressed using the operations |
|
2278 @{const Quickcheck_Narrowing.cons} (embedding a value), |
|
2279 @{const Quickcheck_Narrowing.apply} (product) and @{const Quickcheck_Narrowing.sum} (sum). |
|
2280 The refinement should enable further evaluation of the goal. |
|
2281 |
|
2282 For example, @{const narrowing} for the list type @{typ "'a :: narrowing list"} |
|
2283 can be recursively defined as |
|
2284 @{term "Quickcheck_Narrowing.sum (Quickcheck_Narrowing.cons []) |
|
2285 (Quickcheck_Narrowing.apply |
|
2286 (Quickcheck_Narrowing.apply |
|
2287 (Quickcheck_Narrowing.cons (op #)) |
|
2288 narrowing) |
|
2289 narrowing)"}. |
|
2290 If a symbolic variable of type @{typ "_ list"} is evaluated, it is replaced by (i)~the empty |
|
2291 list @{term "[]"} and (ii)~by a non-empty list whose head and tail can then be recursively |
|
2292 refined if needed. |
|
2293 |
|
2294 To reconstruct counterexamples, the operation @{const partial_term_of} transforms |
|
2295 @{text narrowing}'s deep representation of terms to the type @{typ Code_Evaluation.term}. |
|
2296 The deep representation models symbolic variables as |
|
2297 @{const Quickcheck_Narrowing.Narrowing_variable}, which are normally converted to |
|
2298 @{const Code_Evaluation.Free}, and refined values as |
|
2299 @{term "Quickcheck_Narrowing.Narrowing_constructor i args"}, where @{term "i :: integer"} |
|
2300 denotes the index in the sum of refinements. In the above example for lists, |
|
2301 @{term "0"} corresponds to @{term "[]"} and @{term "1"} |
|
2302 to @{term "op #"}. |
|
2303 |
|
2304 The command @{command (HOL) "code_datatype"} sets up @{const partial_term_of} |
|
2305 such that the @{term "i"}-th refinement is interpreted as the @{term "i"}-th constructor, |
|
2306 but it does not ensures consistency with @{const narrowing}. |
|
2307 \end{description} |
|
2308 |
|
2309 \item @{command (HOL) "quickcheck_params"} changes @{command (HOL) |
|
2310 "quickcheck"} configuration options persistently. |
|
2311 |
|
2312 \item @{command (HOL) "quickcheck_generator"} creates random and |
|
2313 exhaustive value generators for a given type and operations. It |
|
2314 generates values by using the operations as if they were |
|
2315 constructors of that type. |
|
2316 |
|
2317 \item @{command (HOL) "nitpick"} tests the current goal for |
|
2318 counterexamples using a reduction to first-order relational |
|
2319 logic. See the Nitpick manual \cite{isabelle-nitpick} for details. |
|
2320 |
|
2321 \item @{command (HOL) "nitpick_params"} changes @{command (HOL) |
|
2322 "nitpick"} configuration options persistently. |
|
2323 |
|
2324 \item @{command (HOL) "find_unused_assms"} finds potentially superfluous |
|
2325 assumptions in theorems using quickcheck. |
|
2326 It takes the theory name to be checked for superfluous assumptions as |
|
2327 optional argument. If not provided, it checks the current theory. |
|
2328 Options to the internal quickcheck invocations can be changed with |
|
2329 common configuration declarations. |
|
2330 |
|
2331 \end{description} |
|
2332 *} |
|
2333 |
|
2334 |
|
2335 section {* Unstructured case analysis and induction \label{sec:hol-induct-tac} *} |
|
2336 |
|
2337 text {* |
|
2338 The following tools of Isabelle/HOL support cases analysis and |
|
2339 induction in unstructured tactic scripts; see also |
|
2340 \secref{sec:cases-induct} for proper Isar versions of similar ideas. |
|
2341 |
|
2342 \begin{matharray}{rcl} |
|
2343 @{method_def (HOL) case_tac}@{text "\<^sup>*"} & : & @{text method} \\ |
|
2344 @{method_def (HOL) induct_tac}@{text "\<^sup>*"} & : & @{text method} \\ |
|
2345 @{method_def (HOL) ind_cases}@{text "\<^sup>*"} & : & @{text method} \\ |
|
2346 @{command_def (HOL) "inductive_cases"}@{text "\<^sup>*"} & : & @{text "local_theory \<rightarrow> local_theory"} \\ |
|
2347 \end{matharray} |
|
2348 |
|
2349 @{rail \<open> |
|
2350 @@{method (HOL) case_tac} @{syntax goal_spec}? @{syntax term} rule? |
|
2351 ; |
|
2352 @@{method (HOL) induct_tac} @{syntax goal_spec}? (@{syntax insts} * @'and') rule? |
|
2353 ; |
|
2354 @@{method (HOL) ind_cases} (@{syntax prop}+) (@'for' (@{syntax name}+))? |
|
2355 ; |
|
2356 @@{command (HOL) inductive_cases} (@{syntax thmdecl}? (@{syntax prop}+) + @'and') |
|
2357 ; |
|
2358 rule: 'rule' ':' @{syntax thmref} |
|
2359 \<close>} |
|
2360 |
|
2361 \begin{description} |
|
2362 |
|
2363 \item @{method (HOL) case_tac} and @{method (HOL) induct_tac} admit |
|
2364 to reason about inductive types. Rules are selected according to |
|
2365 the declarations by the @{attribute cases} and @{attribute induct} |
|
2366 attributes, cf.\ \secref{sec:cases-induct}. The @{command (HOL) |
|
2367 datatype} package already takes care of this. |
|
2368 |
|
2369 These unstructured tactics feature both goal addressing and dynamic |
|
2370 instantiation. Note that named rule cases are \emph{not} provided |
|
2371 as would be by the proper @{method cases} and @{method induct} proof |
|
2372 methods (see \secref{sec:cases-induct}). Unlike the @{method |
|
2373 induct} method, @{method induct_tac} does not handle structured rule |
|
2374 statements, only the compact object-logic conclusion of the subgoal |
|
2375 being addressed. |
|
2376 |
|
2377 \item @{method (HOL) ind_cases} and @{command (HOL) |
|
2378 "inductive_cases"} provide an interface to the internal @{ML_text |
|
2379 mk_cases} operation. Rules are simplified in an unrestricted |
|
2380 forward manner. |
|
2381 |
|
2382 While @{method (HOL) ind_cases} is a proof method to apply the |
|
2383 result immediately as elimination rules, @{command (HOL) |
|
2384 "inductive_cases"} provides case split theorems at the theory level |
|
2385 for later use. The @{keyword "for"} argument of the @{method (HOL) |
|
2386 ind_cases} method allows to specify a list of variables that should |
|
2387 be generalized before applying the resulting rule. |
|
2388 |
|
2389 \end{description} |
|
2390 *} |
|
2391 |
|
2392 |
|
2393 chapter {* Executable code *} |
|
2394 |
|
2395 text {* For validation purposes, it is often useful to \emph{execute} |
|
2396 specifications. In principle, execution could be simulated by |
|
2397 Isabelle's inference kernel, i.e. by a combination of resolution and |
|
2398 simplification. Unfortunately, this approach is rather inefficient. |
|
2399 A more efficient way of executing specifications is to translate |
|
2400 them into a functional programming language such as ML. |
|
2401 |
|
2402 Isabelle provides a generic framework to support code generation |
|
2403 from executable specifications. Isabelle/HOL instantiates these |
|
2404 mechanisms in a way that is amenable to end-user applications. Code |
|
2405 can be generated for functional programs (including overloading |
|
2406 using type classes) targeting SML \cite{SML}, OCaml \cite{OCaml}, |
|
2407 Haskell \cite{haskell-revised-report} and Scala |
|
2408 \cite{scala-overview-tech-report}. Conceptually, code generation is |
|
2409 split up in three steps: \emph{selection} of code theorems, |
|
2410 \emph{translation} into an abstract executable view and |
|
2411 \emph{serialization} to a specific \emph{target language}. |
|
2412 Inductive specifications can be executed using the predicate |
|
2413 compiler which operates within HOL. See \cite{isabelle-codegen} for |
|
2414 an introduction. |
|
2415 |
|
2416 \begin{matharray}{rcl} |
|
2417 @{command_def (HOL) "export_code"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\ |
|
2418 @{attribute_def (HOL) code} & : & @{text attribute} \\ |
|
2419 @{command_def (HOL) "code_datatype"} & : & @{text "theory \<rightarrow> theory"} \\ |
|
2420 @{command_def (HOL) "print_codesetup"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\ |
|
2421 @{attribute_def (HOL) code_unfold} & : & @{text attribute} \\ |
|
2422 @{attribute_def (HOL) code_post} & : & @{text attribute} \\ |
|
2423 @{attribute_def (HOL) code_abbrev} & : & @{text attribute} \\ |
|
2424 @{command_def (HOL) "print_codeproc"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\ |
|
2425 @{command_def (HOL) "code_thms"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\ |
|
2426 @{command_def (HOL) "code_deps"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\ |
|
2427 @{command_def (HOL) "code_reserved"} & : & @{text "theory \<rightarrow> theory"} \\ |
|
2428 @{command_def (HOL) "code_printing"} & : & @{text "theory \<rightarrow> theory"} \\ |
|
2429 @{command_def (HOL) "code_identifier"} & : & @{text "theory \<rightarrow> theory"} \\ |
|
2430 @{command_def (HOL) "code_monad"} & : & @{text "theory \<rightarrow> theory"} \\ |
|
2431 @{command_def (HOL) "code_reflect"} & : & @{text "theory \<rightarrow> theory"} \\ |
|
2432 @{command_def (HOL) "code_pred"} & : & @{text "theory \<rightarrow> proof(prove)"} |
|
2433 \end{matharray} |
|
2434 |
|
2435 @{rail \<open> |
|
2436 @@{command (HOL) export_code} ( @'open' ) ? ( constexpr + ) \<newline> |
|
2437 ( ( @'in' target ( @'module_name' @{syntax string} ) ? \<newline> |
|
2438 ( @'file' @{syntax string} ) ? ( '(' args ')' ) ?) + ) ? |
|
2439 ; |
|
2440 |
|
2441 const: @{syntax term} |
|
2442 ; |
|
2443 |
|
2444 constexpr: ( const | 'name._' | '_' ) |
|
2445 ; |
|
2446 |
|
2447 typeconstructor: @{syntax nameref} |
|
2448 ; |
|
2449 |
|
2450 class: @{syntax nameref} |
|
2451 ; |
|
2452 |
|
2453 target: 'SML' | 'OCaml' | 'Haskell' | 'Scala' | 'Eval' |
|
2454 ; |
|
2455 |
|
2456 @@{attribute (HOL) code} ( 'del' | 'equation' | 'abstype' | 'abstract' |
|
2457 | 'drop:' ( const + ) | 'abort:' ( const + ) )? |
|
2458 ; |
|
2459 |
|
2460 @@{command (HOL) code_datatype} ( const + ) |
|
2461 ; |
|
2462 |
|
2463 @@{attribute (HOL) code_unfold} ( 'del' ) ? |
|
2464 ; |
|
2465 |
|
2466 @@{attribute (HOL) code_post} ( 'del' ) ? |
|
2467 ; |
|
2468 |
|
2469 @@{attribute (HOL) code_abbrev} |
|
2470 ; |
|
2471 |
|
2472 @@{command (HOL) code_thms} ( constexpr + ) ? |
|
2473 ; |
|
2474 |
|
2475 @@{command (HOL) code_deps} ( constexpr + ) ? |
|
2476 ; |
|
2477 |
|
2478 @@{command (HOL) code_reserved} target ( @{syntax string} + ) |
|
2479 ; |
|
2480 |
|
2481 symbol_const: ( @'constant' const ) |
|
2482 ; |
|
2483 |
|
2484 symbol_typeconstructor: ( @'type_constructor' typeconstructor ) |
|
2485 ; |
|
2486 |
|
2487 symbol_class: ( @'type_class' class ) |
|
2488 ; |
|
2489 |
|
2490 symbol_class_relation: ( @'class_relation' class ( '<' | '\<subseteq>' ) class ) |
|
2491 ; |
|
2492 |
|
2493 symbol_class_instance: ( @'class_instance' typeconstructor @'::' class ) |
|
2494 ; |
|
2495 |
|
2496 symbol_module: ( @'code_module' name ) |
|
2497 ; |
|
2498 |
|
2499 syntax: @{syntax string} | ( @'infix' | @'infixl' | @'infixr' ) @{syntax nat} @{syntax string} |
|
2500 ; |
|
2501 |
|
2502 printing_const: symbol_const ( '\<rightharpoonup>' | '=>' ) \<newline> |
|
2503 ( '(' target ')' syntax ? + @'and' ) |
|
2504 ; |
|
2505 |
|
2506 printing_typeconstructor: symbol_typeconstructor ( '\<rightharpoonup>' | '=>' ) \<newline> |
|
2507 ( '(' target ')' syntax ? + @'and' ) |
|
2508 ; |
|
2509 |
|
2510 printing_class: symbol_class ( '\<rightharpoonup>' | '=>' ) \<newline> |
|
2511 ( '(' target ')' @{syntax string} ? + @'and' ) |
|
2512 ; |
|
2513 |
|
2514 printing_class_relation: symbol_class_relation ( '\<rightharpoonup>' | '=>' ) \<newline> |
|
2515 ( '(' target ')' @{syntax string} ? + @'and' ) |
|
2516 ; |
|
2517 |
|
2518 printing_class_instance: symbol_class_instance ( '\<rightharpoonup>' | '=>' ) \<newline> |
|
2519 ( '(' target ')' '-' ? + @'and' ) |
|
2520 ; |
|
2521 |
|
2522 printing_module: symbol_module ( '\<rightharpoonup>' | '=>' ) \<newline> |
|
2523 ( '(' target ')' ( @{syntax string} ( @'attach' ( const + ) ) ? ) ? + @'and' ) |
|
2524 ; |
|
2525 |
|
2526 @@{command (HOL) code_printing} ( ( printing_const | printing_typeconstructor |
|
2527 | printing_class | printing_class_relation | printing_class_instance |
|
2528 | printing_module ) + '|' ) |
|
2529 ; |
|
2530 |
|
2531 @@{command (HOL) code_identifier} ( ( symbol_const | symbol_typeconstructor |
|
2532 | symbol_class | symbol_class_relation | symbol_class_instance |
|
2533 | symbol_module ) ( '\<rightharpoonup>' | '=>' ) \<newline> |
|
2534 ( '(' target ')' @{syntax string} ? + @'and' ) + '|' ) |
|
2535 ; |
|
2536 |
|
2537 @@{command (HOL) code_monad} const const target |
|
2538 ; |
|
2539 |
|
2540 @@{command (HOL) code_reflect} @{syntax string} \<newline> |
|
2541 ( @'datatypes' ( @{syntax string} '=' ( '_' | ( @{syntax string} + '|' ) + @'and' ) ) ) ? \<newline> |
|
2542 ( @'functions' ( @{syntax string} + ) ) ? ( @'file' @{syntax string} ) ? |
|
2543 ; |
|
2544 |
|
2545 @@{command (HOL) code_pred} \<newline> ('(' @'modes' ':' modedecl ')')? \<newline> const |
|
2546 ; |
|
2547 |
|
2548 modedecl: (modes | ((const ':' modes) \<newline> |
|
2549 (@'and' ((const ':' modes @'and') +))?)) |
|
2550 ; |
|
2551 |
|
2552 modes: mode @'as' const |
|
2553 \<close>} |
|
2554 |
|
2555 \begin{description} |
|
2556 |
|
2557 \item @{command (HOL) "export_code"} generates code for a given list |
|
2558 of constants in the specified target language(s). If no |
|
2559 serialization instruction is given, only abstract code is generated |
|
2560 internally. |
|
2561 |
|
2562 Constants may be specified by giving them literally, referring to |
|
2563 all executable constants within a certain theory by giving @{text |
|
2564 "name._"}, or referring to \emph{all} executable constants currently |
|
2565 available by giving @{text "_"}. |
|
2566 |
|
2567 By default, exported identifiers are minimized per module. This |
|
2568 can be suppressed by prepending @{keyword "open"} before the list |
|
2569 of contants. |
|
2570 |
|
2571 By default, for each involved theory one corresponding name space |
|
2572 module is generated. Alternatively, a module name may be specified |
|
2573 after the @{keyword "module_name"} keyword; then \emph{all} code is |
|
2574 placed in this module. |
|
2575 |
|
2576 For \emph{SML}, \emph{OCaml} and \emph{Scala} the file specification |
|
2577 refers to a single file; for \emph{Haskell}, it refers to a whole |
|
2578 directory, where code is generated in multiple files reflecting the |
|
2579 module hierarchy. Omitting the file specification denotes standard |
|
2580 output. |
|
2581 |
|
2582 Serializers take an optional list of arguments in parentheses. |
|
2583 For \emph{Haskell} a module name prefix may be given using the |
|
2584 ``@{text "root:"}'' argument; ``@{text string_classes}'' adds a |
|
2585 ``@{verbatim "deriving (Read, Show)"}'' clause to each appropriate |
|
2586 datatype declaration. |
|
2587 |
|
2588 \item @{attribute (HOL) code} declare code equations for code |
|
2589 generation. Variant @{text "code equation"} declares a conventional |
|
2590 equation as code equation. Variants @{text "code abstype"} and |
|
2591 @{text "code abstract"} declare abstract datatype certificates or |
|
2592 code equations on abstract datatype representations respectively. |
|
2593 Vanilla @{text "code"} falls back to @{text "code equation"} |
|
2594 or @{text "code abstype"} depending on the syntactic shape |
|
2595 of the underlying equation. Variant @{text "code del"} |
|
2596 deselects a code equation for code generation. |
|
2597 |
|
2598 Variants @{text "code drop:"} and @{text "code abort:"} take |
|
2599 a list of constant as arguments and drop all code equations declared |
|
2600 for them. In the case of {text abort}, these constants then are |
|
2601 are not required to have a definition by means of code equations; |
|
2602 if needed these are implemented by program abort (exception) instead. |
|
2603 |
|
2604 Usually packages introducing code equations provide a reasonable |
|
2605 default setup for selection. |
|
2606 |
|
2607 \item @{command (HOL) "code_datatype"} specifies a constructor set |
|
2608 for a logical type. |
|
2609 |
|
2610 \item @{command (HOL) "print_codesetup"} gives an overview on |
|
2611 selected code equations and code generator datatypes. |
|
2612 |
|
2613 \item @{attribute (HOL) code_unfold} declares (or with option |
|
2614 ``@{text "del"}'' removes) theorems which during preprocessing |
|
2615 are applied as rewrite rules to any code equation or evaluation |
|
2616 input. |
|
2617 |
|
2618 \item @{attribute (HOL) code_post} declares (or with option ``@{text |
|
2619 "del"}'' removes) theorems which are applied as rewrite rules to any |
|
2620 result of an evaluation. |
|
2621 |
|
2622 \item @{attribute (HOL) code_abbrev} declares equations which are |
|
2623 applied as rewrite rules to any result of an evaluation and |
|
2624 symmetrically during preprocessing to any code equation or evaluation |
|
2625 input. |
|
2626 |
|
2627 \item @{command (HOL) "print_codeproc"} prints the setup of the code |
|
2628 generator preprocessor. |
|
2629 |
|
2630 \item @{command (HOL) "code_thms"} prints a list of theorems |
|
2631 representing the corresponding program containing all given |
|
2632 constants after preprocessing. |
|
2633 |
|
2634 \item @{command (HOL) "code_deps"} visualizes dependencies of |
|
2635 theorems representing the corresponding program containing all given |
|
2636 constants after preprocessing. |
|
2637 |
|
2638 \item @{command (HOL) "code_reserved"} declares a list of names as |
|
2639 reserved for a given target, preventing it to be shadowed by any |
|
2640 generated code. |
|
2641 |
|
2642 \item @{command (HOL) "code_printing"} associates a series of symbols |
|
2643 (constants, type constructors, classes, class relations, instances, |
|
2644 module names) with target-specific serializations; omitting a serialization |
|
2645 deletes an existing serialization. |
|
2646 |
|
2647 \item @{command (HOL) "code_monad"} provides an auxiliary mechanism |
|
2648 to generate monadic code for Haskell. |
|
2649 |
|
2650 \item @{command (HOL) "code_identifier"} associates a a series of symbols |
|
2651 (constants, type constructors, classes, class relations, instances, |
|
2652 module names) with target-specific hints how these symbols shall be named. |
|
2653 These hints gain precedence over names for symbols with no hints at all. |
|
2654 Conflicting hints are subject to name disambiguation. |
|
2655 \emph{Warning:} It is at the discretion |
|
2656 of the user to ensure that name prefixes of identifiers in compound |
|
2657 statements like type classes or datatypes are still the same. |
|
2658 |
|
2659 \item @{command (HOL) "code_reflect"} without a ``@{text "file"}'' |
|
2660 argument compiles code into the system runtime environment and |
|
2661 modifies the code generator setup that future invocations of system |
|
2662 runtime code generation referring to one of the ``@{text |
|
2663 "datatypes"}'' or ``@{text "functions"}'' entities use these |
|
2664 precompiled entities. With a ``@{text "file"}'' argument, the |
|
2665 corresponding code is generated into that specified file without |
|
2666 modifying the code generator setup. |
|
2667 |
|
2668 \item @{command (HOL) "code_pred"} creates code equations for a |
|
2669 predicate given a set of introduction rules. Optional mode |
|
2670 annotations determine which arguments are supposed to be input or |
|
2671 output. If alternative introduction rules are declared, one must |
|
2672 prove a corresponding elimination rule. |
|
2673 |
|
2674 \end{description} |
|
2675 *} |
|
2676 |
|
2677 end |