3 Although on the surface this chapter is mainly concerned with how to write |
3 Although on the surface this chapter is mainly concerned with how to write |
4 functional programs in HOL and how to verify them, most of the |
4 functional programs in HOL and how to verify them, most of the |
5 constructs and proof procedures introduced are general purpose and recur in |
5 constructs and proof procedures introduced are general purpose and recur in |
6 any specification or verification task. |
6 any specification or verification task. |
7 |
7 |
8 The dedicated functional programmer should be warned: HOL offers only {\em |
8 The dedicated functional programmer should be warned: HOL offers only |
9 total functional programming} --- all functions in HOL must be total; lazy |
9 \emph{total functional programming} --- all functions in HOL must be total; |
10 data structures are not directly available. On the positive side, functions |
10 lazy data structures are not directly available. On the positive side, |
11 in HOL need not be computable: HOL is a specification language that goes well |
11 functions in HOL need not be computable: HOL is a specification language that |
12 beyond what can be expressed as a program. However, for the time being we |
12 goes well beyond what can be expressed as a program. However, for the time |
13 concentrate on the computable. |
13 being we concentrate on the computable. |
14 |
14 |
15 \section{An introductory theory} |
15 \section{An introductory theory} |
16 \label{sec:intro-theory} |
16 \label{sec:intro-theory} |
17 |
17 |
18 Functional programming needs datatypes and functions. Both of them can be |
18 Functional programming needs datatypes and functions. Both of them can be |
117 string as a type in the current context. |
117 string as a type in the current context. |
118 \item[(Re)loading theories:] When you start your interaction you must open a |
118 \item[(Re)loading theories:] When you start your interaction you must open a |
119 named theory with the line \isa{\isacommand{theory}~T~=~\dots~:}. Isabelle |
119 named theory with the line \isa{\isacommand{theory}~T~=~\dots~:}. Isabelle |
120 automatically loads all the required parent theories from their respective |
120 automatically loads all the required parent theories from their respective |
121 files (which may take a moment, unless the theories are already loaded and |
121 files (which may take a moment, unless the theories are already loaded and |
122 the files have not been modified). The only time when you need to load a |
122 the files have not been modified). |
123 theory by hand is when you simply want to check if it loads successfully |
|
124 without wanting to make use of the theory itself. This you can do by typing |
|
125 \isa{\isacommand{use\_thy}\indexbold{*use_thy}~"T"}. |
|
126 |
123 |
127 If you suddenly discover that you need to modify a parent theory of your |
124 If you suddenly discover that you need to modify a parent theory of your |
128 current theory you must first abandon your current theory\indexbold{abandon |
125 current theory you must first abandon your current theory\indexbold{abandon |
129 theory}\indexbold{theory!abandon} (at the shell |
126 theory}\indexbold{theory!abandon} (at the shell |
130 level type \isacommand{kill}\indexbold{*kill}). After the parent theory has |
127 level type \isacommand{kill}\indexbold{*kill}). After the parent theory has |
131 been modified you go back to your original theory. When its first line |
128 been modified you go back to your original theory. When its first line |
132 \isacommand{theory}\texttt{~T~=}~\dots~\texttt{:} is processed, the |
129 \isacommand{theory}\texttt{~T~=}~\dots~\texttt{:} is processed, the |
133 modified parent is reloaded automatically. |
130 modified parent is reloaded automatically. |
|
131 |
|
132 The only time when you need to load a theory by hand is when you simply |
|
133 want to check if it loads successfully without wanting to make use of the |
|
134 theory itself. This you can do by typing |
|
135 \isa{\isacommand{use\_thy}\indexbold{*use_thy}~"T"}. |
134 \end{description} |
136 \end{description} |
135 Further commands are found in the Isabelle/Isar Reference Manual. |
137 Further commands are found in the Isabelle/Isar Reference Manual. |
136 |
138 |
137 We now examine Isabelle's functional programming constructs systematically, |
139 We now examine Isabelle's functional programming constructs systematically, |
138 starting with inductive datatypes. |
140 starting with inductive datatypes. |
370 |
372 |
371 \index{arithmetic|)} |
373 \index{arithmetic|)} |
372 |
374 |
373 |
375 |
374 \subsection{Products} |
376 \subsection{Products} |
375 |
377 \input{Misc/document/pairs.tex} |
376 HOL also has pairs: \isa{($a@1$,$a@2$)} is of type \isa{$\tau@1$ * |
|
377 $\tau@2$} provided each $a@i$ is of type $\tau@i$. The components of a pair |
|
378 are extracted by \isa{fst} and \isa{snd}: \isa{fst($x$,$y$) = $x$} and |
|
379 \isa{snd($x$,$y$) = $y$}. Tuples are simulated by pairs nested to the right: |
|
380 \isa{($a@1$,$a@2$,$a@3$)} stands for \isa{($a@1$,($a@2$,$a@3$))} and |
|
381 \isa{$\tau@1$ * $\tau@2$ * $\tau@3$} for \isa{$\tau@1$ * ($\tau@2$ * |
|
382 $\tau@3$)}. Therefore we have \isa{fst(snd($a@1$,$a@2$,$a@3$)) = $a@2$}. |
|
383 |
|
384 It is possible to use (nested) tuples as patterns in abstractions, for |
|
385 example \isa{\isasymlambda(x,y,z).x+y+z} and |
|
386 \isa{\isasymlambda((x,y),z).x+y+z}. |
|
387 In addition to explicit $\lambda$-abstractions, tuple patterns can be used in |
|
388 most variable binding constructs. Typical examples are |
|
389 |
|
390 \input{Misc/document/pairs.tex}% |
|
391 Further important examples are quantifiers and sets (see~\S\ref{quant-pats}). |
|
392 |
378 |
393 %FIXME move stuff below into section on proofs about products? |
379 %FIXME move stuff below into section on proofs about products? |
394 \begin{warn} |
380 \begin{warn} |
395 Abstraction over pairs and tuples is merely a convenient shorthand for a |
381 Abstraction over pairs and tuples is merely a convenient shorthand for a |
396 more complex internal representation. Thus the internal and external form |
382 more complex internal representation. Thus the internal and external form |
399 \isa{\isasymlambda{}p.~fst p + snd p} instead of |
385 \isa{\isasymlambda{}p.~fst p + snd p} instead of |
400 \isa{\isasymlambda(x,y).~x + y}. See~\S\ref{proofs-about-products} for |
386 \isa{\isasymlambda(x,y).~x + y}. See~\S\ref{proofs-about-products} for |
401 theorem proving with tuple patterns. |
387 theorem proving with tuple patterns. |
402 \end{warn} |
388 \end{warn} |
403 |
389 |
404 Finally note that products, like natural numbers, are datatypes, which means |
390 Note that products, like natural numbers, are datatypes, which means |
405 in particular that \isa{induct_tac} and \isa{case_tac} are applicable to |
391 in particular that \isa{induct_tac} and \isa{case_tac} are applicable to |
406 products (see \S\ref{proofs-about-products}). |
392 products (see \S\ref{proofs-about-products}). |
|
393 |
|
394 Instead of tuples with many components (where ``many'' is not much above 2), |
|
395 it is far preferable to use record types (see \S\ref{sec:records}). |
407 |
396 |
408 \section{Definitions} |
397 \section{Definitions} |
409 \label{sec:Definitions} |
398 \label{sec:Definitions} |
410 |
399 |
411 A definition is simply an abbreviation, i.e.\ a new name for an existing |
400 A definition is simply an abbreviation, i.e.\ a new name for an existing |
453 |
442 |
454 \section{Simplification} |
443 \section{Simplification} |
455 \label{sec:Simplification} |
444 \label{sec:Simplification} |
456 \index{simplification|(} |
445 \index{simplification|(} |
457 |
446 |
458 So far we have proved our theorems by \isa{auto}, which ``simplifies'' all |
447 So far we have proved our theorems by \isa{auto}, which ``simplifies'' |
459 subgoals. In fact, \isa{auto} can do much more than that, except that it |
448 \emph{all} subgoals. In fact, \isa{auto} can do much more than that, except |
460 did not need to so far. However, when you go beyond toy examples, you need to |
449 that it did not need to so far. However, when you go beyond toy examples, you |
461 understand the ingredients of \isa{auto}. This section covers the method |
450 need to understand the ingredients of \isa{auto}. This section covers the |
462 that \isa{auto} always applies first, namely simplification. |
451 method that \isa{auto} always applies first, namely simplification. |
463 |
452 |
464 Simplification is one of the central theorem proving tools in Isabelle and |
453 Simplification is one of the central theorem proving tools in Isabelle and |
465 many other systems. The tool itself is called the \bfindex{simplifier}. The |
454 many other systems. The tool itself is called the \bfindex{simplifier}. The |
466 purpose of this section is twofold: to introduce the many features of the |
455 purpose of this section is twofold: to introduce the many features of the |
467 simplifier (\S\ref{sec:SimpFeatures}) and to explain a little bit how the |
456 simplifier (\S\ref{sec:SimpFeatures}) and to explain a little bit how the |
503 \isasymnot$P$ is automatically turned into \isa{$P$ = False}. The details |
492 \isasymnot$P$ is automatically turned into \isa{$P$ = False}. The details |
504 are explained in \S\ref{sec:SimpHow}. |
493 are explained in \S\ref{sec:SimpHow}. |
505 |
494 |
506 The simplification attribute of theorems can be turned on and off as follows: |
495 The simplification attribute of theorems can be turned on and off as follows: |
507 \begin{ttbox} |
496 \begin{ttbox} |
508 theorems [simp] = \(list of theorem names\); |
497 lemmas [simp] = \(list of theorem names\); |
509 theorems [simp del] = \(list of theorem names\); |
498 lemmas [simp del] = \(list of theorem names\); |
510 \end{ttbox} |
499 \end{ttbox} |
511 As a rule of thumb, equations that really simplify (like \isa{rev(rev xs) = |
500 As a rule of thumb, equations that really simplify (like \isa{rev(rev xs) = |
512 xs} and \mbox{\isa{xs \at\ [] = xs}}) should be made simplification |
501 xs} and \mbox{\isa{xs \at\ [] = xs}}) should be made simplification |
513 rules. Those of a more specific nature (e.g.\ distributivity laws, which |
502 rules. Those of a more specific nature (e.g.\ distributivity laws, which |
514 alter the structure of terms considerably) should only be used selectively, |
503 alter the structure of terms considerably) should only be used selectively, |