276 |
276 |
277 See \cite{isabelle-HOL} for further information on inductive definitions in |
277 See \cite{isabelle-HOL} for further information on inductive definitions in |
278 HOL. |
278 HOL. |
279 |
279 |
280 |
280 |
281 \section{Proof by cases and induction}\label{sec:induct-method} |
281 \section{Arithmetic} |
282 %FIXME move to generic.tex |
282 |
283 |
283 \indexisarmeth{arith}\indexisaratt{arith-split} |
284 \subsection{Proof methods}\label{sec:induct-method-proper} |
284 \begin{matharray}{rcl} |
285 |
285 arith & : & \isarmeth \\ |
286 \indexisarmeth{cases}\indexisarmeth{induct} |
286 arith_split & : & \isaratt \\ |
287 \begin{matharray}{rcl} |
287 \end{matharray} |
288 cases & : & \isarmeth \\ |
288 |
289 induct & : & \isarmeth \\ |
289 \begin{rail} |
290 \end{matharray} |
290 'arith' '!'? |
291 |
291 ; |
292 The $cases$ and $induct$ methods provide a uniform interface to case analysis |
292 \end{rail} |
293 and induction over datatypes, inductive sets, and recursive functions. The |
293 |
294 corresponding rules may be specified and instantiated in a casual manner. |
294 The $arith$ method decides linear arithmetic problems (on types $nat$, $int$, |
295 Furthermore, these methods provide named local contexts that may be invoked |
295 $real$). Any current facts are inserted into the goal before running the |
296 via the $\CASENAME$ proof command within the subsequent proof text (cf.\ |
296 procedure. The ``!''~argument causes the full context of assumptions to be |
297 \S\ref{sec:cases}). This accommodates compact proof texts even when reasoning |
297 included. The $arith_split$ attribute declares case split rules to be |
298 about large specifications. |
298 expanded before the arithmetic procedure is invoked. |
299 |
299 |
300 \begin{rail} |
300 Note that a simpler (but faster) version of arithmetic reasoning is already |
301 'cases' ('(' 'simplified' ')')? spec |
301 performed by the Simplifier. |
302 ; |
302 |
303 'induct' ('(' 'stripped' ')')? spec |
303 |
304 ; |
304 \section{Cases and induction: emulating tactic scripts}\label{sec:induct_tac} |
305 |
305 |
306 spec: open? args rule? params? |
306 The following important tactical tools of Isabelle/HOL have been ported to |
307 ; |
307 Isar. These should be never used in proper proof texts! |
308 open: '(' 'open' ')' |
|
309 ; |
|
310 args: (insts * 'and') |
|
311 ; |
|
312 rule: ('type' | 'set') ':' nameref | 'rule' ':' thmref |
|
313 ; |
|
314 params: 'of' ':' insts |
|
315 ; |
|
316 \end{rail} |
|
317 |
|
318 \begin{descr} |
|
319 \item [$cases~insts~R~ps$] applies method $rule$ with an appropriate case |
|
320 distinction theorem, instantiated to the subjects $insts$. Symbolic case |
|
321 names are bound according to the rule's local contexts. |
|
322 |
|
323 The rule is determined as follows, according to the facts and arguments |
|
324 passed to the $cases$ method: |
|
325 \begin{matharray}{llll} |
|
326 \Text{facts} & & \Text{arguments} & \Text{rule} \\\hline |
|
327 & cases & & \Text{classical case split} \\ |
|
328 & cases & t & \Text{datatype exhaustion (type of $t$)} \\ |
|
329 \edrv a \in A & cases & \dots & \Text{inductive set elimination (of $A$)} \\ |
|
330 \dots & cases & \dots ~ R & \Text{explicit rule $R$} \\ |
|
331 \end{matharray} |
|
332 |
|
333 Several instantiations may be given, referring to the \emph{suffix} of |
|
334 premises of the case rule; within each premise, the \emph{prefix} of |
|
335 variables is instantiated. In most situations, only a single term needs to |
|
336 be specified; this refers to the first variable of the last premise (it is |
|
337 usually the same for all cases). |
|
338 |
|
339 Additional parameters may be specified as $ps$; these are applied after the |
|
340 primary instantiation in the same manner as by the $of$ attribute (cf.\ |
|
341 \S\ref{sec:pure-meth-att}). This feature is rarely needed in practice; a |
|
342 typical application would be to specify additional arguments for rules |
|
343 stemming from parameterized inductive definitions (see also |
|
344 \S\ref{sec:inductive}). |
|
345 |
|
346 The $simplified$ option causes ``obvious cases'' of the rule to be solved |
|
347 beforehand, while the others are left unscathed. |
|
348 |
|
349 The $open$ option causes the parameters of the new local contexts to be |
|
350 exposed to the current proof context. Thus local variables stemming from |
|
351 distant parts of the theory development may be introduced in an implicit |
|
352 manner, which can be quite confusing to the reader. Furthermore, this |
|
353 option may cause unwanted hiding of existing local variables, resulting in |
|
354 less robust proof texts. |
|
355 |
|
356 \item [$induct~insts~R~ps$] is analogous to the $cases$ method, but refers to |
|
357 induction rules, which are determined as follows: |
|
358 \begin{matharray}{llll} |
|
359 \Text{facts} & & \Text{arguments} & \Text{rule} \\\hline |
|
360 & induct & P ~ x ~ \dots & \Text{datatype induction (type of $x$)} \\ |
|
361 \edrv x \in A & induct & \dots & \Text{set induction (of $A$)} \\ |
|
362 \dots & induct & \dots ~ R & \Text{explicit rule $R$} \\ |
|
363 \end{matharray} |
|
364 |
|
365 Several instantiations may be given, each referring to some part of a mutual |
|
366 inductive definition or datatype --- only related partial induction rules |
|
367 may be used together, though. Any of the lists of terms $P, x, \dots$ |
|
368 refers to the \emph{suffix} of variables present in the induction rule. |
|
369 This enables the writer to specify only induction variables, or both |
|
370 predicates and variables, for example. |
|
371 |
|
372 Additional parameters may be given in the same way as for $cases$. |
|
373 |
|
374 The $stripped$ option causes implications and (bounded) universal |
|
375 quantifiers to be removed from each new subgoal emerging from the |
|
376 application of the induction rule. This accommodates special applications |
|
377 of ``strengthened induction predicates''. This option is rarely needed, the |
|
378 $induct$ method already handles proper rules appropriately by default. |
|
379 |
|
380 The $open$ option has the same effect as for the $cases$ method, see above. |
|
381 \end{descr} |
|
382 |
|
383 Above methods produce named local contexts (cf.\ \S\ref{sec:cases}), as |
|
384 determined by the instantiated rule \emph{before} it has been applied to the |
|
385 internal proof state.\footnote{As a general principle, Isar proof text may |
|
386 never refer to parts of proof states directly.} Thus proper use of symbolic |
|
387 cases usually require the rule to be instantiated fully, as far as the |
|
388 emerging local contexts and subgoals are concerned. In particular, for |
|
389 induction both the predicates and variables have to be specified. Otherwise |
|
390 the $\CASENAME$ command would refuse to invoke cases containing schematic |
|
391 variables. Furthermore the resulting local goal statement is bound to the |
|
392 term variable $\Var{case}$\indexisarvar{case} --- for each case where it is |
|
393 fully specified. |
|
394 |
|
395 The $\isarkeyword{print_cases}$ command (\S\ref{sec:cases}) prints all named |
|
396 cases present in the current proof state. |
|
397 |
|
398 \medskip |
|
399 |
|
400 It is important to note that there is a fundamental difference of the $cases$ |
|
401 and $induct$ methods in handling of non-atomic goal statements: $cases$ just |
|
402 applies a certain rule in backward fashion, splitting the result into new |
|
403 goals with the local contexts being augmented in a purely monotonic manner. |
|
404 |
|
405 In contrast, $induct$ passes the full goal statement through the ``recursive'' |
|
406 course involved in the induction. Thus the original statement is basically |
|
407 replaced by separate copies, corresponding to the induction hypotheses and |
|
408 conclusion; the original goal context is no longer available. This behavior |
|
409 allows \emph{strengthened induction predicates} to be expressed concisely as |
|
410 meta-level rule statements, i.e.\ $\All{\vec x} \vec\phi \Imp \psi$ to |
|
411 indicate ``variable'' parameters $\vec x$ and ``recursive'' assumptions |
|
412 $\vec\phi$. Also note that local definitions may be expressed as $\All{\vec |
|
413 x} n \equiv t[\vec x] \Imp \phi[n]$, with induction over $n$. |
|
414 |
|
415 \medskip |
|
416 |
|
417 Facts presented to either method are consumed according to the number of |
|
418 ``major premises'' of the rule involved (see also \S\ref{sec:induct-att} and |
|
419 \S\ref{sec:cases}), which is usually $0$ for plain cases and induction rules |
|
420 of datatypes etc.\ and $1$ for rules of inductive sets and the like. The |
|
421 remaining facts are inserted into the goal verbatim before the actual $cases$ |
|
422 or $induct$ rule is applied (thus facts may be even passed through an |
|
423 induction). |
|
424 |
|
425 Note that whenever facts are present, the default rule selection scheme would |
|
426 provide a ``set'' rule only, with the first fact consumed and the rest |
|
427 inserted into the goal. In order to pass all facts into a ``type'' rule |
|
428 instead, one would have to specify this explicitly, e.g.\ by appending |
|
429 ``$type: name$'' to the method argument. |
|
430 |
|
431 |
|
432 \subsection{Declaring rules}\label{sec:induct-att} |
|
433 |
|
434 \indexisarcmd{print-induct-rules}\indexisaratt{cases}\indexisaratt{induct} |
|
435 \begin{matharray}{rcl} |
|
436 \isarcmd{print_induct_rules}^* & : & \isarkeep{theory~|~proof} \\ |
|
437 cases & : & \isaratt \\ |
|
438 induct & : & \isaratt \\ |
|
439 \end{matharray} |
|
440 |
|
441 \begin{rail} |
|
442 'cases' spec |
|
443 ; |
|
444 'induct' spec |
|
445 ; |
|
446 |
|
447 spec: ('type' | 'set') ':' nameref |
|
448 ; |
|
449 \end{rail} |
|
450 |
|
451 The $cases$ and $induct$ attributes augment the corresponding context of rules |
|
452 for reasoning about inductive sets and types. The standard rules are already |
|
453 declared by HOL definitional packages. For special applications, these may be |
|
454 replaced manually by variant versions. |
|
455 |
|
456 Refer to the $case_names$ and $ps$ attributes (see \S\ref{sec:cases}) to |
|
457 adjust names of cases and parameters of a rule. |
|
458 |
|
459 The $consumes$ declaration (cf.\ \S\ref{sec:cases}) is taken care of |
|
460 automatically (if none had been given already): $consumes~0$ is specified for |
|
461 ``type'' rules and $consumes~1$ for ``set'' rules. |
|
462 |
|
463 |
|
464 \subsection{Emulating tactic scripts}\label{sec:induct_tac} |
|
465 |
308 |
466 \indexisarmeth{case-tac}\indexisarmeth{induct-tac} |
309 \indexisarmeth{case-tac}\indexisarmeth{induct-tac} |
467 \indexisarmeth{ind-cases}\indexisarcmd{inductive-cases} |
310 \indexisarmeth{ind-cases}\indexisarcmd{inductive-cases} |
468 \begin{matharray}{rcl} |
311 \begin{matharray}{rcl} |
469 case_tac^* & : & \isarmeth \\ |
312 case_tac^* & : & \isarmeth \\ |