%% $Id$
\documentclass[12pt,a4paper]{article}
\usepackage{latexsym,../iman,../extra,../ttbox,../proof,../pdfsetup}
\newif\ifshort%''Short'' means a published version, not the documentation
\shortfalse%%%%%\shorttrue
\title{A Fixedpoint Approach to\\
(Co)Inductive and (Co)Datatype Definitions%
\thanks{J. Grundy and S. Thompson made detailed comments. Mads Tofte and
the referees were also helpful. The research was funded by the SERC
grants GR/G53279, GR/H40570 and by the ESPRIT Project 6453 ``Types''.}}
\author{Lawrence C. Paulson\\{\tt lcp@cl.cam.ac.uk}\\
Computer Laboratory, University of Cambridge, England}
\date{\today}
\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
\newcommand\sbs{\subseteq}
\let\To=\Rightarrow
\newcommand\defn[1]{{\bf#1}}
\newcommand\pow{{\cal P}}
\newcommand\RepFun{\hbox{\tt RepFun}}
\newcommand\cons{\hbox{\tt cons}}
\def\succ{\hbox{\tt succ}}
\newcommand\split{\hbox{\tt split}}
\newcommand\fst{\hbox{\tt fst}}
\newcommand\snd{\hbox{\tt snd}}
\newcommand\converse{\hbox{\tt converse}}
\newcommand\domain{\hbox{\tt domain}}
\newcommand\range{\hbox{\tt range}}
\newcommand\field{\hbox{\tt field}}
\newcommand\lfp{\hbox{\tt lfp}}
\newcommand\gfp{\hbox{\tt gfp}}
\newcommand\id{\hbox{\tt id}}
\newcommand\trans{\hbox{\tt trans}}
\newcommand\wf{\hbox{\tt wf}}
\newcommand\nat{\hbox{\tt nat}}
\newcommand\rank{\hbox{\tt rank}}
\newcommand\univ{\hbox{\tt univ}}
\newcommand\Vrec{\hbox{\tt Vrec}}
\newcommand\Inl{\hbox{\tt Inl}}
\newcommand\Inr{\hbox{\tt Inr}}
\newcommand\case{\hbox{\tt case}}
\newcommand\lst{\hbox{\tt list}}
\newcommand\Nil{\hbox{\tt Nil}}
\newcommand\Cons{\hbox{\tt Cons}}
\newcommand\lstcase{\hbox{\tt list\_case}}
\newcommand\lstrec{\hbox{\tt list\_rec}}
\newcommand\length{\hbox{\tt length}}
\newcommand\listn{\hbox{\tt listn}}
\newcommand\acc{\hbox{\tt acc}}
\newcommand\primrec{\hbox{\tt primrec}}
\newcommand\SC{\hbox{\tt SC}}
\newcommand\CONST{\hbox{\tt CONST}}
\newcommand\PROJ{\hbox{\tt PROJ}}
\newcommand\COMP{\hbox{\tt COMP}}
\newcommand\PREC{\hbox{\tt PREC}}
\newcommand\quniv{\hbox{\tt quniv}}
\newcommand\llist{\hbox{\tt llist}}
\newcommand\LNil{\hbox{\tt LNil}}
\newcommand\LCons{\hbox{\tt LCons}}
\newcommand\lconst{\hbox{\tt lconst}}
\newcommand\lleq{\hbox{\tt lleq}}
\newcommand\map{\hbox{\tt map}}
\newcommand\term{\hbox{\tt term}}
\newcommand\Apply{\hbox{\tt Apply}}
\newcommand\termcase{\hbox{\tt term\_case}}
\newcommand\rev{\hbox{\tt rev}}
\newcommand\reflect{\hbox{\tt reflect}}
\newcommand\tree{\hbox{\tt tree}}
\newcommand\forest{\hbox{\tt forest}}
\newcommand\Part{\hbox{\tt Part}}
\newcommand\TF{\hbox{\tt tree\_forest}}
\newcommand\Tcons{\hbox{\tt Tcons}}
\newcommand\Fcons{\hbox{\tt Fcons}}
\newcommand\Fnil{\hbox{\tt Fnil}}
\newcommand\TFcase{\hbox{\tt TF\_case}}
\newcommand\Fin{\hbox{\tt Fin}}
\newcommand\QInl{\hbox{\tt QInl}}
\newcommand\QInr{\hbox{\tt QInr}}
\newcommand\qsplit{\hbox{\tt qsplit}}
\newcommand\qcase{\hbox{\tt qcase}}
\newcommand\Con{\hbox{\tt Con}}
\newcommand\data{\hbox{\tt data}}
\binperiod %%%treat . like a binary operator
\begin{document}
\pagestyle{empty}
\begin{titlepage}
\maketitle
\begin{abstract}
This paper presents a fixedpoint approach to inductive definitions.
Instead of using a syntactic test such as ``strictly positive,'' the
approach lets definitions involve any operators that have been proved
monotone. It is conceptually simple, which has allowed the easy
implementation of mutual recursion and iterated definitions. It also
handles coinductive definitions: simply replace the least fixedpoint by a
greatest fixedpoint.
The method has been implemented in two of Isabelle's logics, \textsc{zf} set
theory and higher-order logic. It should be applicable to any logic in
which the Knaster-Tarski theorem can be proved. Examples include lists of
$n$ elements, the accessible part of a relation and the set of primitive
recursive functions. One example of a coinductive definition is
bisimulations for lazy lists. Recursive datatypes are examined in detail,
as well as one example of a \defn{codatatype}: lazy lists.
The Isabelle package has been applied in several large case studies,
including two proofs of the Church-Rosser theorem and a coinductive proof of
semantic consistency. The package can be trusted because it proves theorems
from definitions, instead of asserting desired properties as axioms.
\end{abstract}
%
\bigskip
\centerline{Copyright \copyright{} \number\year{} by Lawrence C. Paulson}
\thispagestyle{empty}
\end{titlepage}
\tableofcontents\cleardoublepage\pagestyle{plain}
\setcounter{page}{1}
\section{Introduction}
Several theorem provers provide commands for formalizing recursive data
structures, like lists and trees. Robin Milner implemented one of the first
of these, for Edinburgh \textsc{lcf}~\cite{milner-ind}. Given a description
of the desired data structure, Milner's package formulated appropriate
definitions and proved the characteristic theorems. Similar is Melham's
recursive type package for the Cambridge \textsc{hol} system~\cite{melham89}.
Such data structures are called \defn{datatypes}
below, by analogy with datatype declarations in Standard~\textsc{ml}\@.
Some logics take datatypes as primitive; consider Boyer and Moore's shell
principle~\cite{bm79} and the Coq type theory~\cite{paulin-tlca}.
A datatype is but one example of an \defn{inductive definition}. Such a
definition~\cite{aczel77} specifies the least set~$R$ \defn{closed under}
given rules: applying a rule to elements of~$R$ yields a result within~$R$.
Inductive definitions have many applications. The collection of theorems in a
logic is inductively defined. A structural operational
semantics~\cite{hennessy90} is an inductive definition of a reduction or
evaluation relation on programs. A few theorem provers provide commands for
formalizing inductive definitions; these include Coq~\cite{paulin-tlca} and
again the \textsc{hol} system~\cite{camilleri92}.
The dual notion is that of a \defn{coinductive definition}. Such a definition
specifies the greatest set~$R$ \defn{consistent with} given rules: every
element of~$R$ can be seen as arising by applying a rule to elements of~$R$.
Important examples include using bisimulation relations to formalize
equivalence of processes~\cite{milner89} or lazy functional
programs~\cite{abramsky90}. Other examples include lazy lists and other
infinite data structures; these are called \defn{codatatypes} below.
Not all inductive definitions are meaningful. \defn{Monotone} inductive
definitions are a large, well-behaved class. Monotonicity can be enforced
by syntactic conditions such as ``strictly positive,'' but this could lead to
monotone definitions being rejected on the grounds of their syntactic form.
More flexible is to formalize monotonicity within the logic and allow users
to prove it.
This paper describes a package based on a fixedpoint approach. Least
fixedpoints yield inductive definitions; greatest fixedpoints yield
coinductive definitions. Most of the discussion below applies equally to
inductive and coinductive definitions, and most of the code is shared.
The package supports mutual recursion and infinitely-branching datatypes and
codatatypes. It allows use of any operators that have been proved monotone,
thus accepting all provably monotone inductive definitions, including
iterated definitions.
The package has been implemented in
Isabelle~\cite{paulson-markt,paulson-isa-book} using
\textsc{zf} set theory \cite{paulson-set-I,paulson-set-II}; part of it has
since been ported to Isabelle/\textsc{hol} (higher-order logic). The
recursion equations are specified as introduction rules for the mutually
recursive sets. The package transforms these rules into a mapping over sets,
and attempts to prove that the mapping is monotonic and well-typed. If
successful, the package makes fixedpoint definitions and proves the
introduction, elimination and (co)induction rules. Users invoke the package
by making simple declarations in Isabelle theory files.
Most datatype packages equip the new datatype with some means of expressing
recursive functions. This is the main omission from my package. Its
fixedpoint operators define only recursive sets. The Isabelle/\textsc{zf}
theory provides well-founded recursion~\cite{paulson-set-II}, which is harder
to use than structural recursion but considerably more general.
Slind~\cite{slind-tfl} has written a package to automate the definition of
well-founded recursive functions in Isabelle/\textsc{hol}.
\paragraph*{Outline.} Section~2 introduces the least and greatest fixedpoint
operators. Section~3 discusses the form of introduction rules, mutual
recursion and other points common to inductive and coinductive definitions.
Section~4 discusses induction and coinduction rules separately. Section~5
presents several examples, including a coinductive definition. Section~6
describes datatype definitions. Section~7 presents related work.
Section~8 draws brief conclusions. \ifshort\else The appendices are simple
user's manuals for this Isabelle package.\fi
Most of the definitions and theorems shown below have been generated by the
package. I have renamed some variables to improve readability.
\section{Fixedpoint operators}
In set theory, the least and greatest fixedpoint operators are defined as
follows:
\begin{eqnarray*}
\lfp(D,h) & \equiv & \inter\{X\sbs D. h(X)\sbs X\} \\
\gfp(D,h) & \equiv & \union\{X\sbs D. X\sbs h(X)\}
\end{eqnarray*}
Let $D$ be a set. Say that $h$ is \defn{bounded by}~$D$ if $h(D)\sbs D$, and
\defn{monotone below~$D$} if
$h(A)\sbs h(B)$ for all $A$ and $B$ such that $A\sbs B\sbs D$. If $h$ is
bounded by~$D$ and monotone then both operators yield fixedpoints:
\begin{eqnarray*}
\lfp(D,h) & = & h(\lfp(D,h)) \\
\gfp(D,h) & = & h(\gfp(D,h))
\end{eqnarray*}
These equations are instances of the Knaster-Tarski theorem, which states
that every monotonic function over a complete lattice has a
fixedpoint~\cite{davey-priestley}. It is obvious from their definitions
that $\lfp$ must be the least fixedpoint, and $\gfp$ the greatest.
This fixedpoint theory is simple. The Knaster-Tarski theorem is easy to
prove. Showing monotonicity of~$h$ is trivial, in typical cases. We must
also exhibit a bounding set~$D$ for~$h$. Frequently this is trivial, as when
a set of theorems is (co)inductively defined over some previously existing set
of formul{\ae}. Isabelle/\textsc{zf} provides suitable bounding sets for
infinitely-branching (co)datatype definitions; see~\S\ref{univ-sec}. Bounding
sets are also called \defn{domains}.
The powerset operator is monotone, but by Cantor's theorem there is no
set~$A$ such that $A=\pow(A)$. We cannot put $A=\lfp(D,\pow)$ because
there is no suitable domain~$D$. But \S\ref{acc-sec} demonstrates
that~$\pow$ is still useful in inductive definitions.
\section{Elements of an inductive or coinductive definition}\label{basic-sec}
Consider a (co)inductive definition of the sets $R_1$, \ldots,~$R_n$, in
mutual recursion. They will be constructed from domains $D_1$,
\ldots,~$D_n$, respectively. The construction yields not $R_i\sbs D_i$ but
$R_i\sbs D_1+\cdots+D_n$, where $R_i$ is contained in the image of~$D_i$
under an injection. Reasons for this are discussed
elsewhere~\cite[\S4.5]{paulson-set-II}.
The definition may involve arbitrary parameters $\vec{p}=p_1$,
\ldots,~$p_k$. Each recursive set then has the form $R_i(\vec{p})$. The
parameters must be identical every time they occur within a definition. This
would appear to be a serious restriction compared with other systems such as
Coq~\cite{paulin-tlca}. For instance, we cannot define the lists of
$n$ elements as the set $\listn(A,n)$ using rules where the parameter~$n$
varies. Section~\ref{listn-sec} describes how to express this set using the
inductive definition package.
To avoid clutter below, the recursive sets are shown as simply $R_i$
instead of~$R_i(\vec{p})$.
\subsection{The form of the introduction rules}\label{intro-sec}
The body of the definition consists of the desired introduction rules. The
conclusion of each rule must have the form $t\in R_i$, where $t$ is any term.
Premises typically have the same form, but they can have the more general form
$t\in M(R_i)$ or express arbitrary side-conditions.
The premise $t\in M(R_i)$ is permitted if $M$ is a monotonic operator on
sets, satisfying the rule
\[ \infer{M(A)\sbs M(B)}{A\sbs B} \]
The user must supply the package with monotonicity rules for all such premises.
The ability to introduce new monotone operators makes the approach
flexible. A suitable choice of~$M$ and~$t$ can express a lot. The
powerset operator $\pow$ is monotone, and the premise $t\in\pow(R)$
expresses $t\sbs R$; see \S\ref{acc-sec} for an example. The \emph{list of}
operator is monotone, as is easily proved by induction. The premise
$t\in\lst(R)$ avoids having to encode the effect of~$\lst(R)$ using mutual
recursion; see \S\ref{primrec-sec} and also my earlier
paper~\cite[\S4.4]{paulson-set-II}.
Introduction rules may also contain \defn{side-conditions}. These are
premises consisting of arbitrary formul{\ae} not mentioning the recursive
sets. Side-conditions typically involve type-checking. One example is the
premise $a\in A$ in the following rule from the definition of lists:
\[ \infer{\Cons(a,l)\in\lst(A)}{a\in A & l\in\lst(A)} \]
\subsection{The fixedpoint definitions}
The package translates the list of desired introduction rules into a fixedpoint
definition. Consider, as a running example, the finite powerset operator
$\Fin(A)$: the set of all finite subsets of~$A$. It can be
defined as the least set closed under the rules
\[ \emptyset\in\Fin(A) \qquad
\infer{\{a\}\un b\in\Fin(A)}{a\in A & b\in\Fin(A)}
\]
The domain in a (co)inductive definition must be some existing set closed
under the rules. A suitable domain for $\Fin(A)$ is $\pow(A)$, the set of all
subsets of~$A$. The package generates the definition
\[ \Fin(A) \equiv \lfp(\pow(A), \,
\begin{array}[t]{r@{\,}l}
\lambda X. \{z\in\pow(A). & z=\emptyset \disj{} \\
&(\exists a\,b. z=\{a\}\un b\conj a\in A\conj b\in X)\})
\end{array}
\]
The contribution of each rule to the definition of $\Fin(A)$ should be
obvious. A coinductive definition is similar but uses $\gfp$ instead
of~$\lfp$.
The package must prove that the fixedpoint operator is applied to a
monotonic function. If the introduction rules have the form described
above, and if the package is supplied a monotonicity theorem for every
$t\in M(R_i)$ premise, then this proof is trivial.\footnote{Due to the
presence of logical connectives in the fixedpoint's body, the
monotonicity proof requires some unusual rules. These state that the
connectives $\conj$, $\disj$ and $\exists$ preserve monotonicity with respect
to the partial ordering on unary predicates given by $P\sqsubseteq Q$ if and
only if $\forall x.P(x)\imp Q(x)$.}
The package returns its result as an \textsc{ml} structure, which consists of named
components; we may regard it as a record. The result structure contains
the definitions of the recursive sets as a theorem list called {\tt defs}.
It also contains some theorems; {\tt dom\_subset} is an inclusion such as
$\Fin(A)\sbs\pow(A)$, while {\tt bnd\_mono} asserts that the fixedpoint
definition is monotonic.
Internally the package uses the theorem {\tt unfold}, a fixedpoint equation
such as
\[
\begin{array}[t]{r@{\,}l}
\Fin(A) = \{z\in\pow(A). & z=\emptyset \disj{} \\
&(\exists a\,b. z=\{a\}\un b\conj a\in A\conj b\in \Fin(A))\}
\end{array}
\]
In order to save space, this theorem is not exported.
\subsection{Mutual recursion} \label{mutual-sec}
In a mutually recursive definition, the domain of the fixedpoint construction
is the disjoint sum of the domain~$D_i$ of each~$R_i$, for $i=1$,
\ldots,~$n$. The package uses the injections of the
binary disjoint sum, typically $\Inl$ and~$\Inr$, to express injections
$h_{1n}$, \ldots, $h_{nn}$ for the $n$-ary disjoint sum $D_1+\cdots+D_n$.
As discussed elsewhere \cite[\S4.5]{paulson-set-II}, Isabelle/\textsc{zf} defines the
operator $\Part$ to support mutual recursion. The set $\Part(A,h)$
contains those elements of~$A$ having the form~$h(z)$:
\[ \Part(A,h) \equiv \{x\in A. \exists z. x=h(z)\}. \]
For mutually recursive sets $R_1$, \ldots,~$R_n$ with
$n>1$, the package makes $n+1$ definitions. The first defines a set $R$ using
a fixedpoint operator. The remaining $n$ definitions have the form
\[ R_i \equiv \Part(R,h_{in}), \qquad i=1,\ldots, n. \]
It follows that $R=R_1\un\cdots\un R_n$, where the $R_i$ are pairwise disjoint.
\subsection{Proving the introduction rules}
The user supplies the package with the desired form of the introduction
rules. Once it has derived the theorem {\tt unfold}, it attempts
to prove those rules. From the user's point of view, this is the
trickiest stage; the proofs often fail. The task is to show that the domain
$D_1+\cdots+D_n$ of the combined set $R_1\un\cdots\un R_n$ is
closed under all the introduction rules. This essentially involves replacing
each~$R_i$ by $D_1+\cdots+D_n$ in each of the introduction rules and
attempting to prove the result.
Consider the $\Fin(A)$ example. After substituting $\pow(A)$ for $\Fin(A)$
in the rules, the package must prove
\[ \emptyset\in\pow(A) \qquad
\infer{\{a\}\un b\in\pow(A)}{a\in A & b\in\pow(A)}
\]
Such proofs can be regarded as type-checking the definition.\footnote{The
Isabelle/\textsc{hol} version does not require these proofs, as \textsc{hol}
has implicit type-checking.} The user supplies the package with
type-checking rules to apply. Usually these are general purpose rules from
the \textsc{zf} theory. They could however be rules specifically proved for a
particular inductive definition; sometimes this is the easiest way to get the
definition through!
The result structure contains the introduction rules as the theorem list {\tt
intrs}.
\subsection{The case analysis rule}
The elimination rule, called {\tt elim}, performs case analysis. It is a
simple consequence of {\tt unfold}. There is one case for each introduction
rule. If $x\in\Fin(A)$ then either $x=\emptyset$ or else $x=\{a\}\un b$ for
some $a\in A$ and $b\in\Fin(A)$. Formally, the elimination rule for $\Fin(A)$
is written
\[ \infer{Q}{x\in\Fin(A) & \infer*{Q}{[x=\emptyset]}
& \infer*{Q}{[x=\{a\}\un b & a\in A &b\in\Fin(A)]_{a,b}} }
\]
The subscripted variables $a$ and~$b$ above the third premise are
eigenvariables, subject to the usual ``not free in \ldots'' proviso.
\section{Induction and coinduction rules}
Here we must consider inductive and coinductive definitions separately. For
an inductive definition, the package returns an induction rule derived
directly from the properties of least fixedpoints, as well as a modified rule
for mutual recursion. For a coinductive definition, the package returns a
basic coinduction rule.
\subsection{The basic induction rule}\label{basic-ind-sec}
The basic rule, called {\tt induct}, is appropriate in most situations.
For inductive definitions, it is strong rule induction~\cite{camilleri92}; for
datatype definitions (see below), it is just structural induction.
The induction rule for an inductively defined set~$R$ has the form described
below. For the time being, assume that $R$'s domain is not a Cartesian
product; inductively defined relations are treated slightly differently.
The major premise is $x\in R$. There is a minor premise for each
introduction rule:
\begin{itemize}
\item If the introduction rule concludes $t\in R_i$, then the minor premise
is~$P(t)$.
\item The minor premise's eigenvariables are precisely the introduction
rule's free variables that are not parameters of~$R$. For instance, the
eigenvariables in the $\Fin(A)$ rule below are $a$ and $b$, but not~$A$.
\item If the introduction rule has a premise $t\in R_i$, then the minor
premise discharges the assumption $t\in R_i$ and the induction
hypothesis~$P(t)$. If the introduction rule has a premise $t\in M(R_i)$
then the minor premise discharges the single assumption
\[ t\in M(\{z\in R_i. P(z)\}). \]
Because $M$ is monotonic, this assumption implies $t\in M(R_i)$. The
occurrence of $P$ gives the effect of an induction hypothesis, which may be
exploited by appealing to properties of~$M$.
\end{itemize}
The induction rule for $\Fin(A)$ resembles the elimination rule shown above,
but includes an induction hypothesis:
\[ \infer{P(x)}{x\in\Fin(A) & P(\emptyset)
& \infer*{P(\{a\}\un b)}{[a\in A & b\in\Fin(A) & P(b)]_{a,b}} }
\]
Stronger induction rules often suggest themselves. We can derive a rule for
$\Fin(A)$ whose third premise discharges the extra assumption $a\not\in b$.
The package provides rules for mutual induction and inductive relations. The
Isabelle/\textsc{zf} theory also supports well-founded induction and recursion
over datatypes, by reasoning about the \defn{rank} of a
set~\cite[\S3.4]{paulson-set-II}.
\subsection{Modified induction rules}
If the domain of $R$ is a Cartesian product $A_1\times\cdots\times A_m$
(however nested), then the corresponding predicate $P_i$ takes $m$ arguments.
The major premise becomes $\pair{z_1,\ldots,z_m}\in R$ instead of $x\in R$;
the conclusion becomes $P(z_1,\ldots,z_m)$. This simplifies reasoning about
inductively defined relations, eliminating the need to express properties of
$z_1$, \ldots,~$z_m$ as properties of the tuple $\pair{z_1,\ldots,z_m}$.
Occasionally it may require you to split up the induction variable
using {\tt SigmaE} and {\tt dom\_subset}, especially if the constant {\tt
split} appears in the rule.
The mutual induction rule is called {\tt
mutual\_induct}. It differs from the basic rule in two respects:
\begin{itemize}
\item Instead of a single predicate~$P$, it uses $n$ predicates $P_1$,
\ldots,~$P_n$: one for each recursive set.
\item There is no major premise such as $x\in R_i$. Instead, the conclusion
refers to all the recursive sets:
\[ (\forall z.z\in R_1\imp P_1(z))\conj\cdots\conj
(\forall z.z\in R_n\imp P_n(z))
\]
Proving the premises establishes $P_i(z)$ for $z\in R_i$ and $i=1$,
\ldots,~$n$.
\end{itemize}
%
If the domain of some $R_i$ is a Cartesian product, then the mutual induction
rule is modified accordingly. The predicates are made to take $m$ separate
arguments instead of a tuple, and the quantification in the conclusion is over
the separate variables $z_1$, \ldots, $z_m$.
\subsection{Coinduction}\label{coind-sec}
A coinductive definition yields a primitive coinduction rule, with no
refinements such as those for the induction rules. (Experience may suggest
refinements later.) Consider the codatatype of lazy lists as an example. For
suitable definitions of $\LNil$ and $\LCons$, lazy lists may be defined as the
greatest set consistent with the rules
\[ \LNil\in\llist(A) \qquad
\infer[(-)]{\LCons(a,l)\in\llist(A)}{a\in A & l\in\llist(A)}
\]
The $(-)$ tag stresses that this is a coinductive definition. A suitable
domain for $\llist(A)$ is $\quniv(A)$; this set is closed under the variant
forms of sum and product that are used to represent non-well-founded data
structures (see~\S\ref{univ-sec}).
The package derives an {\tt unfold} theorem similar to that for $\Fin(A)$.
Then it proves the theorem {\tt coinduct}, which expresses that $\llist(A)$
is the greatest solution to this equation contained in $\quniv(A)$:
\[ \infer{x\in\llist(A)}{x\in X & X\sbs \quniv(A) &
\infer*{
\begin{array}[b]{r@{}l}
z=\LNil\disj
\bigl(\exists a\,l.\, & z=\LCons(a,l) \conj a\in A \conj{}\\
& l\in X\un\llist(A) \bigr)
\end{array} }{[z\in X]_z}}
\]
This rule complements the introduction rules; it provides a means of showing
$x\in\llist(A)$ when $x$ is infinite. For instance, if $x=\LCons(0,x)$ then
applying the rule with $X=\{x\}$ proves $x\in\llist(\nat)$. (Here $\nat$
is the set of natural numbers.)
Having $X\un\llist(A)$ instead of simply $X$ in the third premise above
represents a slight strengthening of the greatest fixedpoint property. I
discuss several forms of coinduction rules elsewhere~\cite{paulson-coind}.
The clumsy form of the third premise makes the rule hard to use, especially in
large definitions. Probably a constant should be declared to abbreviate the
large disjunction, and rules derived to allow proving the separate disjuncts.
\section{Examples of inductive and coinductive definitions}\label{ind-eg-sec}
This section presents several examples from the literature: the finite
powerset operator, lists of $n$ elements, bisimulations on lazy lists, the
well-founded part of a relation, and the primitive recursive functions.
\subsection{The finite powerset operator}
This operator has been discussed extensively above. Here is the
corresponding invocation in an Isabelle theory file. Note that
$\cons(a,b)$ abbreviates $\{a\}\un b$ in Isabelle/\textsc{zf}.
\begin{ttbox}
Finite = Arith +
consts Fin :: i=>i
inductive
domains "Fin(A)" <= "Pow(A)"
intrs
emptyI "0 : Fin(A)"
consI "[| a: A; b: Fin(A) |] ==> cons(a,b) : Fin(A)"
type_intrs empty_subsetI, cons_subsetI, PowI
type_elims "[make_elim PowD]"
end
\end{ttbox}
Theory {\tt Finite} extends the parent theory {\tt Arith} by declaring the
unary function symbol~$\Fin$, which is defined inductively. Its domain is
specified as $\pow(A)$, where $A$ is the parameter appearing in the
introduction rules. For type-checking, we supply two introduction
rules:
\[ \emptyset\sbs A \qquad
\infer{\{a\}\un B\sbs C}{a\in C & B\sbs C}
\]
A further introduction rule and an elimination rule express both
directions of the equivalence $A\in\pow(B)\bimp A\sbs B$. Type-checking
involves mostly introduction rules.
Like all Isabelle theory files, this one yields a structure containing the
new theory as an \textsc{ml} value. Structure {\tt Finite} also has a
substructure, called~{\tt Fin}. After declaring \hbox{\tt open Finite;} we
can refer to the $\Fin(A)$ introduction rules as the list {\tt Fin.intrs}
or individually as {\tt Fin.emptyI} and {\tt Fin.consI}. The induction
rule is {\tt Fin.induct}.
\subsection{Lists of $n$ elements}\label{listn-sec}
This has become a standard example of an inductive definition. Following
Paulin-Mohring~\cite{paulin-tlca}, we could attempt to define a new datatype
$\listn(A,n)$, for lists of length~$n$, as an $n$-indexed family of sets.
But her introduction rules
\[ \hbox{\tt Niln}\in\listn(A,0) \qquad
\infer{\hbox{\tt Consn}(n,a,l)\in\listn(A,\succ(n))}
{n\in\nat & a\in A & l\in\listn(A,n)}
\]
are not acceptable to the inductive definition package:
$\listn$ occurs with three different parameter lists in the definition.
The Isabelle version of this example suggests a general treatment of
varying parameters. It uses the existing datatype definition of
$\lst(A)$, with constructors $\Nil$ and~$\Cons$, and incorporates the
parameter~$n$ into the inductive set itself. It defines $\listn(A)$ as a
relation consisting of pairs $\pair{n,l}$ such that $n\in\nat$
and~$l\in\lst(A)$ and $l$ has length~$n$. In fact, $\listn(A)$ is the
converse of the length function on~$\lst(A)$. The Isabelle/\textsc{zf} introduction
rules are
\[ \pair{0,\Nil}\in\listn(A) \qquad
\infer{\pair{\succ(n),\Cons(a,l)}\in\listn(A)}
{a\in A & \pair{n,l}\in\listn(A)}
\]
The Isabelle theory file takes, as parent, the theory~{\tt List} of lists.
We declare the constant~$\listn$ and supply an inductive definition,
specifying the domain as $\nat\times\lst(A)$:
\begin{ttbox}
ListN = List +
consts listn :: i=>i
inductive
domains "listn(A)" <= "nat*list(A)"
intrs
NilI "<0,Nil>: listn(A)"
ConsI "[| a:A; <n,l>:listn(A) |] ==> <succ(n), Cons(a,l)>: listn(A)"
type_intrs "nat_typechecks @ list.intrs"
end
\end{ttbox}
The type-checking rules include those for 0, $\succ$, $\Nil$ and $\Cons$.
Because $\listn(A)$ is a set of pairs, type-checking requires the
equivalence $\pair{a,b}\in A\times B \bimp a\in A \conj b\in B$. The
package always includes the rules for ordered pairs.
The package returns introduction, elimination and induction rules for
$\listn$. The basic induction rule, {\tt listn.induct}, is
\[ \infer{P(z_1,z_2)}{\pair{z_1,z_2}\in\listn(A) & P(0,\Nil) &
\infer*{P(\succ(n),\Cons(a,l))}
{[a\in A & \pair{n,l}\in\listn(A) & P(n,l)]_{a,l,n}}}
\]
This rule lets the induction formula to be a
binary property of pairs, $P(n,l)$.
It is now a simple matter to prove theorems about $\listn(A)$, such as
\[ \forall l\in\lst(A). \pair{\length(l),\, l}\in\listn(A) \]
\[ \listn(A)``\{n\} = \{l\in\lst(A). \length(l)=n\} \]
This latter result --- here $r``X$ denotes the image of $X$ under $r$
--- asserts that the inductive definition agrees with the obvious notion of
$n$-element list.
A ``list of $n$ elements'' really is a list, namely an element of ~$\lst(A)$.
It is subject to list operators such as append (concatenation). For example,
a trivial induction on $\pair{m,l}\in\listn(A)$ yields
\[ \infer{\pair{m\mathbin{+} m',\, l@l'}\in\listn(A)}
{\pair{m,l}\in\listn(A) & \pair{m',l'}\in\listn(A)}
\]
where $+$ denotes addition on the natural numbers and @ denotes append.
\subsection{Rule inversion: the function \texttt{mk\_cases}}
The elimination rule, {\tt listn.elim}, is cumbersome:
\[ \infer{Q}{x\in\listn(A) &
\infer*{Q}{[x = \pair{0,\Nil}]} &
\infer*{Q}
{\left[\begin{array}{l}
x = \pair{\succ(n),\Cons(a,l)} \\
a\in A \\
\pair{n,l}\in\listn(A)
\end{array} \right]_{a,l,n}}}
\]
The \textsc{ml} function {\tt listn.mk\_cases} generates simplified instances of
this rule. It works by freeness reasoning on the list constructors:
$\Cons(a,l)$ is injective in its two arguments and differs from~$\Nil$. If
$x$ is $\pair{i,\Nil}$ or $\pair{i,\Cons(a,l)}$ then {\tt listn.mk\_cases}
deduces the corresponding form of~$i$; this is called rule inversion.
Here is a sample session:
\begin{ttbox}
listn.mk_cases "<i,Nil> : listn(A)";
{\out "[| <?i, []> : listn(?A); ?i = 0 ==> ?Q |] ==> ?Q" : thm}
listn.mk_cases "<i,Cons(a,l)> : listn(A)";
{\out "[| <?i, Cons(?a, ?l)> : listn(?A);}
{\out !!n. [| ?a : ?A; <n, ?l> : listn(?A); ?i = succ(n) |] ==> ?Q }
{\out |] ==> ?Q" : thm}
\end{ttbox}
Each of these rules has only two premises. In conventional notation, the
second rule is
\[ \infer{Q}{\pair{i, \Cons(a,l)}\in\listn(A) &
\infer*{Q}
{\left[\begin{array}{l}
a\in A \\ \pair{n,l}\in\listn(A) \\ i = \succ(n)
\end{array} \right]_{n}}}
\]
The package also has built-in rules for freeness reasoning about $0$
and~$\succ$. So if $x$ is $\pair{0,l}$ or $\pair{\succ(i),l}$, then {\tt
listn.mk\_cases} can deduce the corresponding form of~$l$.
The function {\tt mk\_cases} is also useful with datatype definitions. The
instance from the definition of lists, namely {\tt list.mk\_cases}, can
prove that $\Cons(a,l)\in\lst(A)$ implies $a\in A $ and $l\in\lst(A)$:
\[ \infer{Q}{\Cons(a,l)\in\lst(A) &
& \infer*{Q}{[a\in A &l\in\lst(A)]} }
\]
A typical use of {\tt mk\_cases} concerns inductive definitions of evaluation
relations. Then rule inversion yields case analysis on possible evaluations.
For example, Isabelle/\textsc{zf} includes a short proof of the
diamond property for parallel contraction on combinators. Ole Rasmussen used
{\tt mk\_cases} extensively in his development of the theory of
residuals~\cite{rasmussen95}.
\subsection{A coinductive definition: bisimulations on lazy lists}
This example anticipates the definition of the codatatype $\llist(A)$, which
consists of finite and infinite lists over~$A$. Its constructors are $\LNil$
and~$\LCons$, satisfying the introduction rules shown in~\S\ref{coind-sec}.
Because $\llist(A)$ is defined as a greatest fixedpoint and uses the variant
pairing and injection operators, it contains non-well-founded elements such as
solutions to $\LCons(a,l)=l$.
The next step in the development of lazy lists is to define a coinduction
principle for proving equalities. This is done by showing that the equality
relation on lazy lists is the greatest fixedpoint of some monotonic
operation. The usual approach~\cite{pitts94} is to define some notion of
bisimulation for lazy lists, define equivalence to be the greatest
bisimulation, and finally to prove that two lazy lists are equivalent if and
only if they are equal. The coinduction rule for equivalence then yields a
coinduction principle for equalities.
A binary relation $R$ on lazy lists is a \defn{bisimulation} provided $R\sbs
R^+$, where $R^+$ is the relation
\[ \{\pair{\LNil,\LNil}\} \un
\{\pair{\LCons(a,l),\LCons(a,l')} . a\in A \conj \pair{l,l'}\in R\}.
\]
A pair of lazy lists are \defn{equivalent} if they belong to some
bisimulation. Equivalence can be coinductively defined as the greatest
fixedpoint for the introduction rules
\[ \pair{\LNil,\LNil} \in\lleq(A) \qquad
\infer[(-)]{\pair{\LCons(a,l),\LCons(a,l')} \in\lleq(A)}
{a\in A & \pair{l,l'}\in \lleq(A)}
\]
To make this coinductive definition, the theory file includes (after the
declaration of $\llist(A)$) the following lines:
\bgroup\leftmargini=\parindent
\begin{ttbox}
consts lleq :: i=>i
coinductive
domains "lleq(A)" <= "llist(A) * llist(A)"
intrs
LNil "<LNil,LNil> : lleq(A)"
LCons "[| a:A; <l,l'>:lleq(A) |] ==> <LCons(a,l),LCons(a,l')>: lleq(A)"
type_intrs "llist.intrs"
\end{ttbox}
\egroup
The domain of $\lleq(A)$ is $\llist(A)\times\llist(A)$. The type-checking
rules include the introduction rules for $\llist(A)$, whose
declaration is discussed below (\S\ref{lists-sec}).
The package returns the introduction rules and the elimination rule, as
usual. But instead of induction rules, it returns a coinduction rule.
The rule is too big to display in the usual notation; its conclusion is
$x\in\lleq(A)$ and its premises are $x\in X$,
${X\sbs\llist(A)\times\llist(A)}$ and
\[ \infer*{z=\pair{\LNil,\LNil}\disj \bigl(\exists a\,l\,l'.\,
\begin{array}[t]{@{}l}
z=\pair{\LCons(a,l),\LCons(a,l')} \conj a\in A \conj{}\\
\pair{l,l'}\in X\un\lleq(A) \bigr)
\end{array}
}{[z\in X]_z}
\]
Thus if $x\in X$, where $X$ is a bisimulation contained in the
domain of $\lleq(A)$, then $x\in\lleq(A)$. It is easy to show that
$\lleq(A)$ is reflexive: the equality relation is a bisimulation. And
$\lleq(A)$ is symmetric: its converse is a bisimulation. But showing that
$\lleq(A)$ coincides with the equality relation takes some work.
\subsection{The accessible part of a relation}\label{acc-sec}
Let $\prec$ be a binary relation on~$D$; in short, $(\prec)\sbs D\times D$.
The \defn{accessible} or \defn{well-founded} part of~$\prec$, written
$\acc(\prec)$, is essentially that subset of~$D$ for which $\prec$ admits
no infinite decreasing chains~\cite{aczel77}. Formally, $\acc(\prec)$ is
inductively defined to be the least set that contains $a$ if it contains
all $\prec$-predecessors of~$a$, for $a\in D$. Thus we need an
introduction rule of the form
\[ \infer{a\in\acc(\prec)}{\forall y.y\prec a\imp y\in\acc(\prec)} \]
Paulin-Mohring treats this example in Coq~\cite{paulin-tlca}, but it causes
difficulties for other systems. Its premise is not acceptable to the
inductive definition package of the Cambridge \textsc{hol}
system~\cite{camilleri92}. It is also unacceptable to the Isabelle package
(recall \S\ref{intro-sec}), but fortunately can be transformed into the
acceptable form $t\in M(R)$.
The powerset operator is monotonic, and $t\in\pow(R)$ is equivalent to
$t\sbs R$. This in turn is equivalent to $\forall y\in t. y\in R$. To
express $\forall y.y\prec a\imp y\in\acc(\prec)$ we need only find a
term~$t$ such that $y\in t$ if and only if $y\prec a$. A suitable $t$ is
the inverse image of~$\{a\}$ under~$\prec$.
The definition below follows this approach. Here $r$ is~$\prec$ and
$\field(r)$ refers to~$D$, the domain of $\acc(r)$. (The field of a
relation is the union of its domain and range.) Finally $r^{-}``\{a\}$
denotes the inverse image of~$\{a\}$ under~$r$. We supply the theorem {\tt
Pow\_mono}, which asserts that $\pow$ is monotonic.
\begin{ttbox}
consts acc :: i=>i
inductive
domains "acc(r)" <= "field(r)"
intrs
vimage "[| r-``\{a\}: Pow(acc(r)); a: field(r) |] ==> a: acc(r)"
monos Pow_mono
\end{ttbox}
The Isabelle theory proceeds to prove facts about $\acc(\prec)$. For
instance, $\prec$ is well-founded if and only if its field is contained in
$\acc(\prec)$.
As mentioned in~\S\ref{basic-ind-sec}, a premise of the form $t\in M(R)$
gives rise to an unusual induction hypothesis. Let us examine the
induction rule, {\tt acc.induct}:
\[ \infer{P(x)}{x\in\acc(r) &
\infer*{P(a)}{\left[
\begin{array}{r@{}l}
r^{-}``\{a\} &\, \in\pow(\{z\in\acc(r).P(z)\}) \\
a &\, \in\field(r)
\end{array}
\right]_a}}
\]
The strange induction hypothesis is equivalent to
$\forall y. \pair{y,a}\in r\imp y\in\acc(r)\conj P(y)$.
Therefore the rule expresses well-founded induction on the accessible part
of~$\prec$.
The use of inverse image is not essential. The Isabelle package can accept
introduction rules with arbitrary premises of the form $\forall
\vec{y}.P(\vec{y})\imp f(\vec{y})\in R$. The premise can be expressed
equivalently as
\[ \{z\in D. P(\vec{y}) \conj z=f(\vec{y})\} \in \pow(R) \]
provided $f(\vec{y})\in D$ for all $\vec{y}$ such that~$P(\vec{y})$. The
following section demonstrates another use of the premise $t\in M(R)$,
where $M=\lst$.
\subsection{The primitive recursive functions}\label{primrec-sec}
The primitive recursive functions are traditionally defined inductively, as
a subset of the functions over the natural numbers. One difficulty is that
functions of all arities are taken together, but this is easily
circumvented by regarding them as functions on lists. Another difficulty,
the notion of composition, is less easily circumvented.
Here is a more precise definition. Letting $\vec{x}$ abbreviate
$x_0,\ldots,x_{n-1}$, we can write lists such as $[\vec{x}]$,
$[y+1,\vec{x}]$, etc. A function is \defn{primitive recursive} if it
belongs to the least set of functions in $\lst(\nat)\to\nat$ containing
\begin{itemize}
\item The \defn{successor} function $\SC$, such that $\SC[y,\vec{x}]=y+1$.
\item All \defn{constant} functions $\CONST(k)$, such that
$\CONST(k)[\vec{x}]=k$.
\item All \defn{projection} functions $\PROJ(i)$, such that
$\PROJ(i)[\vec{x}]=x_i$ if $0\leq i<n$.
\item All \defn{compositions} $\COMP(g,[f_0,\ldots,f_{m-1}])$,
where $g$ and $f_0$, \ldots, $f_{m-1}$ are primitive recursive,
such that
\[ \COMP(g,[f_0,\ldots,f_{m-1}])[\vec{x}] =
g[f_0[\vec{x}],\ldots,f_{m-1}[\vec{x}]]. \]
\item All \defn{recursions} $\PREC(f,g)$, where $f$ and $g$ are primitive
recursive, such that
\begin{eqnarray*}
\PREC(f,g)[0,\vec{x}] & = & f[\vec{x}] \\
\PREC(f,g)[y+1,\vec{x}] & = & g[\PREC(f,g)[y,\vec{x}],\, y,\, \vec{x}].
\end{eqnarray*}
\end{itemize}
Composition is awkward because it combines not two functions, as is usual,
but $m+1$ functions. In her proof that Ackermann's function is not
primitive recursive, Nora Szasz was unable to formalize this definition
directly~\cite{szasz93}. So she generalized primitive recursion to
tuple-valued functions. This modified the inductive definition such that
each operation on primitive recursive functions combined just two functions.
\begin{figure}
\begin{ttbox}
Primrec_defs = Main +
consts SC :: i
\(\vdots\)
defs
SC_def "SC == lam l:list(nat).list_case(0, \%x xs.succ(x), l)"
\(\vdots\)
end
Primrec = Primrec_defs +
consts prim_rec :: i
inductive
domains "primrec" <= "list(nat)->nat"
intrs
SC "SC : primrec"
CONST "k: nat ==> CONST(k) : primrec"
PROJ "i: nat ==> PROJ(i) : primrec"
COMP "[| g: primrec; fs: list(primrec) |] ==> COMP(g,fs): primrec"
PREC "[| f: primrec; g: primrec |] ==> PREC(f,g): primrec"
monos list_mono
con_defs SC_def, CONST_def, PROJ_def, COMP_def, PREC_def
type_intrs "nat_typechecks @ list.intrs @
[lam_type, list_case_type, drop_type, map_type,
apply_type, rec_type]"
end
\end{ttbox}
\hrule
\caption{Inductive definition of the primitive recursive functions}
\label{primrec-fig}
\end{figure}
\def\fs{{\it fs}}
Szasz was using \textsc{alf}, but Coq and \textsc{hol} would also have
problems accepting this definition. Isabelle's package accepts it easily
since $[f_0,\ldots,f_{m-1}]$ is a list of primitive recursive functions and
$\lst$ is monotonic. There are five introduction rules, one for each of the
five forms of primitive recursive function. Let us examine the one for
$\COMP$:
\[ \infer{\COMP(g,\fs)\in\primrec}{g\in\primrec & \fs\in\lst(\primrec)} \]
The induction rule for $\primrec$ has one case for each introduction rule.
Due to the use of $\lst$ as a monotone operator, the composition case has
an unusual induction hypothesis:
\[ \infer*{P(\COMP(g,\fs))}
{[g\in\primrec & \fs\in\lst(\{z\in\primrec.P(z)\})]_{\fs,g}}
\]
The hypothesis states that $\fs$ is a list of primitive recursive functions,
each satisfying the induction formula. Proving the $\COMP$ case typically
requires structural induction on lists, yielding two subcases: either
$\fs=\Nil$ or else $\fs=\Cons(f,\fs')$, where $f\in\primrec$, $P(f)$, and
$\fs'$ is another list of primitive recursive functions satisfying~$P$.
Figure~\ref{primrec-fig} presents the theory file. Theory {\tt Primrec}
defines the constants $\SC$, $\CONST$, etc. These are not constructors of
a new datatype, but functions over lists of numbers. Their definitions,
most of which are omitted, consist of routine list programming. In
Isabelle/\textsc{zf}, the primitive recursive functions are defined as a subset of
the function set $\lst(\nat)\to\nat$.
The Isabelle theory goes on to formalize Ackermann's function and prove
that it is not primitive recursive, using the induction rule {\tt
primrec.induct}. The proof follows Szasz's excellent account.
\section{Datatypes and codatatypes}\label{data-sec}
A (co)datatype definition is a (co)inductive definition with automatically
defined constructors and a case analysis operator. The package proves that
the case operator inverts the constructors and can prove freeness theorems
involving any pair of constructors.
\subsection{Constructors and their domain}\label{univ-sec}
A (co)inductive definition selects a subset of an existing set; a (co)datatype
definition creates a new set. The package reduces the latter to the former.
Isabelle/\textsc{zf} supplies sets having strong closure properties to serve
as domains for (co)inductive definitions.
Isabelle/\textsc{zf} defines the Cartesian product $A\times
B$, containing ordered pairs $\pair{a,b}$; it also defines the
disjoint sum $A+B$, containing injections $\Inl(a)\equiv\pair{0,a}$ and
$\Inr(b)\equiv\pair{1,b}$. For use below, define the $m$-tuple
$\pair{x_1,\ldots,x_m}$ to be the empty set~$\emptyset$ if $m=0$, simply $x_1$
if $m=1$ and $\pair{x_1,\pair{x_2,\ldots,x_m}}$ if $m\geq2$.
A datatype constructor $\Con(x_1,\ldots,x_m)$ is defined to be
$h(\pair{x_1,\ldots,x_m})$, where $h$ is composed of $\Inl$ and~$\Inr$.
In a mutually recursive definition, all constructors for the set~$R_i$ have
the outer form~$h_{in}$, where $h_{in}$ is the injection described
in~\S\ref{mutual-sec}. Further nested injections ensure that the
constructors for~$R_i$ are pairwise distinct.
Isabelle/\textsc{zf} defines the set $\univ(A)$, which contains~$A$ and
furthermore contains $\pair{a,b}$, $\Inl(a)$ and $\Inr(b)$ for $a$,
$b\in\univ(A)$. In a typical datatype definition with set parameters
$A_1$, \ldots, $A_k$, a suitable domain for all the recursive sets is
$\univ(A_1\un\cdots\un A_k)$. This solves the problem for
datatypes~\cite[\S4.2]{paulson-set-II}.
The standard pairs and injections can only yield well-founded
constructions. This eases the (manual!) definition of recursive functions
over datatypes. But they are unsuitable for codatatypes, which typically
contain non-well-founded objects.
To support codatatypes, Isabelle/\textsc{zf} defines a variant notion of
ordered pair, written~$\pair{a;b}$. It also defines the corresponding variant
notion of Cartesian product $A\otimes B$, variant injections $\QInl(a)$
and~$\QInr(b)$ and variant disjoint sum $A\oplus B$. Finally it defines the
set $\quniv(A)$, which contains~$A$ and furthermore contains $\pair{a;b}$,
$\QInl(a)$ and $\QInr(b)$ for $a$, $b\in\quniv(A)$. In a typical codatatype
definition with set parameters $A_1$, \ldots, $A_k$, a suitable domain is
$\quniv(A_1\un\cdots\un A_k)$. Details are published
elsewhere~\cite{paulson-mscs}.
\subsection{The case analysis operator}
The (co)datatype package automatically defines a case analysis operator,
called {\tt$R$\_case}. A mutually recursive definition still has only one
operator, whose name combines those of the recursive sets: it is called
{\tt$R_1$\_\ldots\_$R_n$\_case}. The case operator is analogous to those
for products and sums.
Datatype definitions employ standard products and sums, whose operators are
$\split$ and $\case$ and satisfy the equations
\begin{eqnarray*}
\split(f,\pair{x,y}) & = & f(x,y) \\
\case(f,g,\Inl(x)) & = & f(x) \\
\case(f,g,\Inr(y)) & = & g(y)
\end{eqnarray*}
Suppose the datatype has $k$ constructors $\Con_1$, \ldots,~$\Con_k$. Then
its case operator takes $k+1$ arguments and satisfies an equation for each
constructor:
\[ R\hbox{\_case}(f_1,\ldots,f_k, {\tt Con}_i(\vec{x})) = f_i(\vec{x}),
\qquad i = 1, \ldots, k
\]
The case operator's definition takes advantage of Isabelle's representation of
syntax in the typed $\lambda$-calculus; it could readily be adapted to a
theorem prover for higher-order logic. If $f$ and~$g$ have meta-type $i\To i$
then so do $\split(f)$ and $\case(f,g)$. This works because $\split$ and
$\case$ operate on their last argument. They are easily combined to make
complex case analysis operators. For example, $\case(f,\case(g,h))$ performs
case analysis for $A+(B+C)$; let us verify one of the three equations:
\[ \case(f,\case(g,h), \Inr(\Inl(b))) = \case(g,h,\Inl(b)) = g(b) \]
Codatatype definitions are treated in precisely the same way. They express
case operators using those for the variant products and sums, namely
$\qsplit$ and~$\qcase$.
\medskip
To see how constructors and the case analysis operator are defined, let us
examine some examples. Further details are available
elsewhere~\cite{paulson-set-II}.
\subsection{Example: lists and lazy lists}\label{lists-sec}
Here is a declaration of the datatype of lists, as it might appear in a theory
file:
\begin{ttbox}
consts list :: i=>i
datatype "list(A)" = Nil | Cons ("a:A", "l: list(A)")
\end{ttbox}
And here is a declaration of the codatatype of lazy lists:
\begin{ttbox}
consts llist :: i=>i
codatatype "llist(A)" = LNil | LCons ("a: A", "l: llist(A)")
\end{ttbox}
Each form of list has two constructors, one for the empty list and one for
adding an element to a list. Each takes a parameter, defining the set of
lists over a given set~$A$. Each is automatically given the appropriate
domain: $\univ(A)$ for $\lst(A)$ and $\quniv(A)$ for $\llist(A)$. The default
can be overridden.
\ifshort
Now $\lst(A)$ is a datatype and enjoys the usual induction rule.
\else
Since $\lst(A)$ is a datatype, it has a structural induction rule, {\tt
list.induct}:
\[ \infer{P(x)}{x\in\lst(A) & P(\Nil)
& \infer*{P(\Cons(a,l))}{[a\in A & l\in\lst(A) & P(l)]_{a,l}} }
\]
Induction and freeness yield the law $l\not=\Cons(a,l)$. To strengthen this,
Isabelle/\textsc{zf} defines the rank of a set and proves that the standard
pairs and injections have greater rank than their components. An immediate
consequence, which justifies structural recursion on lists
\cite[\S4.3]{paulson-set-II}, is
\[ \rank(l) < \rank(\Cons(a,l)). \]
\par
\fi
But $\llist(A)$ is a codatatype and has no induction rule. Instead it has
the coinduction rule shown in \S\ref{coind-sec}. Since variant pairs and
injections are monotonic and need not have greater rank than their
components, fixedpoint operators can create cyclic constructions. For
example, the definition
\[ \lconst(a) \equiv \lfp(\univ(a), \lambda l. \LCons(a,l)) \]
yields $\lconst(a) = \LCons(a,\lconst(a))$.
\ifshort
\typeout{****SHORT VERSION}
\typeout{****Omitting discussion of constructors!}
\else
\medskip
It may be instructive to examine the definitions of the constructors and
case operator for $\lst(A)$. The definitions for $\llist(A)$ are similar.
The list constructors are defined as follows:
\begin{eqnarray*}
\Nil & \equiv & \Inl(\emptyset) \\
\Cons(a,l) & \equiv & \Inr(\pair{a,l})
\end{eqnarray*}
The operator $\lstcase$ performs case analysis on these two alternatives:
\[ \lstcase(c,h) \equiv \case(\lambda u.c, \split(h)) \]
Let us verify the two equations:
\begin{eqnarray*}
\lstcase(c, h, \Nil) & = &
\case(\lambda u.c, \split(h), \Inl(\emptyset)) \\
& = & (\lambda u.c)(\emptyset) \\
& = & c\\[1ex]
\lstcase(c, h, \Cons(x,y)) & = &
\case(\lambda u.c, \split(h), \Inr(\pair{x,y})) \\
& = & \split(h, \pair{x,y}) \\
& = & h(x,y)
\end{eqnarray*}
\fi
\ifshort
\typeout{****Omitting mutual recursion example!}
\else
\subsection{Example: mutual recursion}
In mutually recursive trees and forests~\cite[\S4.5]{paulson-set-II}, trees
have the one constructor $\Tcons$, while forests have the two constructors
$\Fnil$ and~$\Fcons$:
\begin{ttbox}
consts tree, forest, tree_forest :: i=>i
datatype "tree(A)" = Tcons ("a: A", "f: forest(A)")
and "forest(A)" = Fnil | Fcons ("t: tree(A)", "f: forest(A)")
\end{ttbox}
The three introduction rules define the mutual recursion. The
distinguishing feature of this example is its two induction rules.
The basic induction rule is called {\tt tree\_forest.induct}:
\[ \infer{P(x)}{x\in\TF(A) &
\infer*{P(\Tcons(a,f))}
{\left[\begin{array}{l} a\in A \\
f\in\forest(A) \\ P(f)
\end{array}
\right]_{a,f}}
& P(\Fnil)
& \infer*{P(\Fcons(t,f))}
{\left[\begin{array}{l} t\in\tree(A) \\ P(t) \\
f\in\forest(A) \\ P(f)
\end{array}
\right]_{t,f}} }
\]
This rule establishes a single predicate for $\TF(A)$, the union of the
recursive sets. Although such reasoning can be useful
\cite[\S4.5]{paulson-set-II}, a proper mutual induction rule should establish
separate predicates for $\tree(A)$ and $\forest(A)$. The package calls this
rule {\tt tree\_forest.mutual\_induct}. Observe the usage of $P$ and $Q$ in
the induction hypotheses:
\[ \infer{(\forall z. z\in\tree(A)\imp P(z)) \conj
(\forall z. z\in\forest(A)\imp Q(z))}
{\infer*{P(\Tcons(a,f))}
{\left[\begin{array}{l} a\in A \\
f\in\forest(A) \\ Q(f)
\end{array}
\right]_{a,f}}
& Q(\Fnil)
& \infer*{Q(\Fcons(t,f))}
{\left[\begin{array}{l} t\in\tree(A) \\ P(t) \\
f\in\forest(A) \\ Q(f)
\end{array}
\right]_{t,f}} }
\]
Elsewhere I describe how to define mutually recursive functions over trees and
forests \cite[\S4.5]{paulson-set-II}.
Both forest constructors have the form $\Inr(\cdots)$,
while the tree constructor has the form $\Inl(\cdots)$. This pattern would
hold regardless of how many tree or forest constructors there were.
\begin{eqnarray*}
\Tcons(a,l) & \equiv & \Inl(\pair{a,l}) \\
\Fnil & \equiv & \Inr(\Inl(\emptyset)) \\
\Fcons(a,l) & \equiv & \Inr(\Inr(\pair{a,l}))
\end{eqnarray*}
There is only one case operator; it works on the union of the trees and
forests:
\[ {\tt tree\_forest\_case}(f,c,g) \equiv
\case(\split(f),\, \case(\lambda u.c, \split(g)))
\]
\fi
\subsection{Example: a four-constructor datatype}
A bigger datatype will illustrate some efficiency
refinements. It has four constructors $\Con_0$, \ldots, $\Con_3$, with the
corresponding arities.
\begin{ttbox}
consts data :: [i,i] => i
datatype "data(A,B)" = Con0
| Con1 ("a: A")
| Con2 ("a: A", "b: B")
| Con3 ("a: A", "b: B", "d: data(A,B)")
\end{ttbox}
Because this datatype has two set parameters, $A$ and~$B$, the package
automatically supplies $\univ(A\un B)$ as its domain. The structural
induction rule has four minor premises, one per constructor, and only the last
has an induction hypothesis. (Details are left to the reader.)
The constructors are defined by the equations
\begin{eqnarray*}
\Con_0 & \equiv & \Inl(\Inl(\emptyset)) \\
\Con_1(a) & \equiv & \Inl(\Inr(a)) \\
\Con_2(a,b) & \equiv & \Inr(\Inl(\pair{a,b})) \\
\Con_3(a,b,c) & \equiv & \Inr(\Inr(\pair{a,b,c})).
\end{eqnarray*}
The case analysis operator is
\[ {\tt data\_case}(f_0,f_1,f_2,f_3) \equiv
\case(\begin{array}[t]{@{}l}
\case(\lambda u.f_0,\; f_1),\, \\
\case(\split(f_2),\; \split(\lambda v.\split(f_3(v)))) )
\end{array}
\]
This may look cryptic, but the case equations are trivial to verify.
In the constructor definitions, the injections are balanced. A more naive
approach is to define $\Con_3(a,b,c)$ as $\Inr(\Inr(\Inr(\pair{a,b,c})))$;
instead, each constructor has two injections. The difference here is small.
But the \textsc{zf} examples include a 60-element enumeration type, where each
constructor has 5 or~6 injections. The naive approach would require 1 to~59
injections; the definitions would be quadratic in size. It is like the
advantage of binary notation over unary.
The result structure contains the case operator and constructor definitions as
the theorem list \verb|con_defs|. It contains the case equations, such as
\[ {\tt data\_case}(f_0,f_1,f_2,f_3,\Con_3(a,b,c)) = f_3(a,b,c), \]
as the theorem list \verb|case_eqns|. There is one equation per constructor.
\subsection{Proving freeness theorems}
There are two kinds of freeness theorems:
\begin{itemize}
\item \defn{injectiveness} theorems, such as
\[ \Con_2(a,b) = \Con_2(a',b') \bimp a=a' \conj b=b' \]
\item \defn{distinctness} theorems, such as
\[ \Con_1(a) \not= \Con_2(a',b') \]
\end{itemize}
Since the number of such theorems is quadratic in the number of constructors,
the package does not attempt to prove them all. Instead it returns tools for
proving desired theorems --- either manually or during
simplification or classical reasoning.
The theorem list \verb|free_iffs| enables the simplifier to perform freeness
reasoning. This works by incremental unfolding of constructors that appear in
equations. The theorem list contains logical equivalences such as
\begin{eqnarray*}
\Con_0=c & \bimp & c=\Inl(\Inl(\emptyset)) \\
\Con_1(a)=c & \bimp & c=\Inl(\Inr(a)) \\
& \vdots & \\
\Inl(a)=\Inl(b) & \bimp & a=b \\
\Inl(a)=\Inr(b) & \bimp & {\tt False} \\
\pair{a,b} = \pair{a',b'} & \bimp & a=a' \conj b=b'
\end{eqnarray*}
For example, these rewrite $\Con_1(a)=\Con_1(b)$ to $a=b$ in four steps.
The theorem list \verb|free_SEs| enables the classical
reasoner to perform similar replacements. It consists of elimination rules
to replace $\Con_0=c$ by $c=\Inl(\Inl(\emptyset))$ and so forth, in the
assumptions.
Such incremental unfolding combines freeness reasoning with other proof
steps. It has the unfortunate side-effect of unfolding definitions of
constructors in contexts such as $\exists x.\Con_1(a)=x$, where they should
be left alone. Calling the Isabelle tactic {\tt fold\_tac con\_defs}
restores the defined constants.
\section{Related work}\label{related}
The use of least fixedpoints to express inductive definitions seems
obvious. Why, then, has this technique so seldom been implemented?
Most automated logics can only express inductive definitions by asserting
axioms. Little would be left of Boyer and Moore's logic~\cite{bm79} if their
shell principle were removed. With \textsc{alf} the situation is more
complex; earlier versions of Martin-L\"of's type theory could (using
wellordering types) express datatype definitions, but the version underlying
\textsc{alf} requires new rules for each definition~\cite{dybjer91}. With Coq
the situation is subtler still; its underlying Calculus of Constructions can
express inductive definitions~\cite{huet88}, but cannot quite handle datatype
definitions~\cite{paulin-tlca}. It seems that researchers tried hard to
circumvent these problems before finally extending the Calculus with rule
schemes for strictly positive operators. Recently Gim{\'e}nez has extended
the Calculus of Constructions with inductive and coinductive
types~\cite{gimenez-codifying}, with mechanized support in Coq.
Higher-order logic can express inductive definitions through quantification
over unary predicates. The following formula expresses that~$i$ belongs to the
least set containing~0 and closed under~$\succ$:
\[ \forall P. P(0)\conj (\forall x.P(x)\imp P(\succ(x))) \imp P(i) \]
This technique can be used to prove the Knaster-Tarski theorem, which (in its
general form) is little used in the Cambridge \textsc{hol} system.
Melham~\cite{melham89} describes the development. The natural numbers are
defined as shown above, but lists are defined as functions over the natural
numbers. Unlabelled trees are defined using G\"odel numbering; a labelled
tree consists of an unlabelled tree paired with a list of labels. Melham's
datatype package expresses the user's datatypes in terms of labelled trees.
It has been highly successful, but a fixedpoint approach might have yielded
greater power with less effort.
Elsa Gunter~\cite{gunter-trees} reports an ongoing project to generalize the
Cambridge \textsc{hol} system with mutual recursion and infinitely-branching
trees. She retains many features of Melham's approach.
Melham's inductive definition package~\cite{camilleri92} also uses
quantification over predicates. But instead of formalizing the notion of
monotone function, it requires definitions to consist of finitary rules, a
syntactic form that excludes many monotone inductive definitions.
\textsc{pvs}~\cite{pvs-language} is another proof assistant based on
higher-order logic. It supports both inductive definitions and datatypes,
apparently by asserting axioms. Datatypes may not be iterated in general, but
may use recursion over the built-in $\lst$ type.
The earliest use of least fixedpoints is probably Robin Milner's. Brian
Monahan extended this package considerably~\cite{monahan84}, as did I in
unpublished work.\footnote{The datatype package described in my \textsc{lcf}
book~\cite{paulson87} does {\it not\/} make definitions, but merely asserts
axioms.} \textsc{lcf} is a first-order logic of domain theory; the relevant
fixedpoint theorem is not Knaster-Tarski but concerns fixedpoints of
continuous functions over domains. \textsc{lcf} is too weak to express
recursive predicates. The Isabelle package might be the first to be based on
the Knaster-Tarski theorem.
\section{Conclusions and future work}
Higher-order logic and set theory are both powerful enough to express
inductive definitions. A growing number of theorem provers implement one
of these~\cite{IMPS,saaltink-fme}. The easiest sort of inductive
definition package to write is one that asserts new axioms, not one that
makes definitions and proves theorems about them. But asserting axioms
could introduce unsoundness.
The fixedpoint approach makes it fairly easy to implement a package for
(co)in\-duc\-tive definitions that does not assert axioms. It is efficient:
it processes most definitions in seconds and even a 60-constructor datatype
requires only a few minutes. It is also simple: The first working version took
under a week to code, consisting of under 1100 lines (35K bytes) of Standard
\textsc{ml}.
In set theory, care is needed to ensure that the inductive definition yields
a set (rather than a proper class). This problem is inherent to set theory,
whether or not the Knaster-Tarski theorem is employed. We must exhibit a
bounding set (called a domain above). For inductive definitions, this is
often trivial. For datatype definitions, I have had to formalize much set
theory. To justify infinitely-branching datatype definitions, I have had to
develop a theory of cardinal arithmetic~\cite{paulson-gr}, such as the theorem
that if $\kappa$ is an infinite cardinal and $|X(\alpha)| \le \kappa$ for all
$\alpha<\kappa$ then $|\union\sb{\alpha<\kappa} X(\alpha)| \le \kappa$.
The need for such efforts is not a drawback of the fixedpoint approach, for
the alternative is to take such definitions on faith.
Care is also needed to ensure that the greatest fixedpoint really yields a
coinductive definition. In set theory, standard pairs admit only well-founded
constructions. Aczel's anti-foundation axiom~\cite{aczel88} could be used to
get non-well-founded objects, but it does not seem easy to mechanize.
Isabelle/\textsc{zf} instead uses a variant notion of ordered pairing, which
can be generalized to a variant notion of function. Elsewhere I have
proved that this simple approach works (yielding final coalgebras) for a broad
class of definitions~\cite{paulson-mscs}.
Several large studies make heavy use of inductive definitions. L\"otzbeyer
and Sandner have formalized two chapters of a semantics book~\cite{winskel93},
proving the equivalence between the operational and denotational semantics of
a simple imperative language. A single theory file contains three datatype
definitions (of arithmetic expressions, boolean expressions and commands) and
three inductive definitions (the corresponding operational rules). Using
different techniques, Nipkow~\cite{nipkow-CR} and Rasmussen~\cite{rasmussen95}
have both proved the Church-Rosser theorem; inductive definitions specify
several reduction relations on $\lambda$-terms. Recently, I have applied
inductive definitions to the analysis of cryptographic
protocols~\cite{paulson-markt}.
To demonstrate coinductive definitions, Frost~\cite{frost95} has proved the
consistency of the dynamic and static semantics for a small functional
language. The example is due to Milner and Tofte~\cite{milner-coind}. It
concerns an extended correspondence relation, which is defined coinductively.
A codatatype definition specifies values and value environments in mutual
recursion. Non-well-founded values represent recursive functions. Value
environments are variant functions from variables into values. This one key
definition uses most of the package's novel features.
The approach is not restricted to set theory. It should be suitable for any
logic that has some notion of set and the Knaster-Tarski theorem. I have
ported the (co)inductive definition package from Isabelle/\textsc{zf} to
Isabelle/\textsc{hol} (higher-order logic).
\begin{footnotesize}
\bibliographystyle{plain}
\bibliography{../manual}
\end{footnotesize}
%%%%%\doendnotes
\end{document}