author paulson
Fri, 12 Jan 2001 18:00:12 +0100
changeset 10888 f321d21b9a6b
parent 10857 47b1f34ddd09
child 10978 5eebea8f359f
permissions -rw-r--r--
LateX-2e moans about using \\choose

% $Id$
\chapter{Sets, Functions and Relations}

\REMARK{The old version used lots of bold. I've cut down,
changing some \texttt{textbf} to \texttt{relax}. This can be undone.
See the source.}
Mathematics relies heavily on set theory: not just unions and intersections
but images, least fixed points and other concepts.  In computer science,
sets are used to formalize grammars, state transition systems, etc.  The set
theory of Isabelle/HOL should not be confused with traditional,  untyped set
theory, in which everything is a set.  Our sets are  typed. In a given set,
all elements have the same type, say~$\tau$,  and the set itself has type

Relations are simply sets of pairs.  This chapter describes
the main operations on relations, such as converse, composition and
transitive closure.  Functions are also covered.  They are not sets in
Isabelle/HOL, but many of their properties concern sets.  The range of a
function is a set, and the inverse image of a function maps sets to sets.

This chapter ends with a case study concerning model checking for the
temporal logic CTL\@.  Most of the other examples are simple.  The
chapter presents a small selection of built-in theorems in order to point
out some key properties of the various constants and to introduce you to
the notation. 

Natural deduction rules are provided for the set theory constants, but they
are seldom used directly, so only a few are presented here.  Many formulas
involving sets can be proved automatically or simplified to a great extent.
Expressing your concepts in terms of sets will probably  make your proofs


We begin with \relax{intersection}, \relax{union} and
\relax{complement}. In addition to the
\relax{membership} relation, there  is a symbol for its negation. These
points can be seen below.  

Here are the natural deduction rules for intersection.  Note the 
resemblance to those for conjunction.  
\isasymlbrakk c\ \isasymin\ A;\ c\ \isasymin\ B\isasymrbrakk\ 
\isasymLongrightarrow\ c\ \isasymin\ A\ \isasyminter\ B%
c\ \isasymin\ A\ \isasyminter\ B\ \isasymLongrightarrow\ c\ \isasymin\ A
c\ \isasymin\ A\ \isasyminter\ B\ \isasymLongrightarrow\ c\ \isasymin\ B

Here are two of the many installed theorems concerning set complement.
Note that it is denoted by a minus sign.
(c\ \isasymin\ -\ A)\ =\ (c\ \isasymnotin\ A)
-\ (A\ \isasymunion\ B)\ =\ -\ A\ \isasyminter\ -\ B

Set \relax{difference} is the intersection of a set with the 
complement of another set. Here we also see the syntax for the 
empty set and for the universal set. 
A\ \isasyminter\ (B\ -\ A)\ =\ \isacharbraceleft\isacharbraceright
A\ \isasymunion\ -\ A\ =\ UNIV%

The \relax{subset} relation holds between two sets just if every element 
of one is also an element of the other. This relation is reflexive.  These
are its natural deduction rules:
({\isasymAnd}x.\ x\ \isasymin\ A\ \isasymLongrightarrow\ x\ \isasymin\ B)\ \isasymLongrightarrow\ A\ \isasymsubseteq\ B%
\par\smallskip%          \isanewline didn't leave enough space
\isasymlbrakk A\ \isasymsubseteq\ B;\ c\ \isasymin\
A\isasymrbrakk\ \isasymLongrightarrow\ c\
\isasymin\ B%
In harder proofs, you may need to apply \isa{subsetD} giving a specific term
for~\isa{c}.  However, \isa{blast} can instantly prove facts such as this
(A\ \isasymunion\ B\ \isasymsubseteq\ C)\ =\
(A\ \isasymsubseteq\ C\ \isasymand\ B\ \isasymsubseteq\ C)
Here is another example, also proved automatically:
\isacommand{lemma}\ "(A\
\isasymsubseteq\ -B)\ =\ (B\ \isasymsubseteq\ -A)"\isanewline
\isacommand{by}\ blast
This is the same example using ASCII syntax, illustrating a pitfall: 
\isacommand{lemma}\ "(A\ <=\ -B)\ =\ (B\ <=\ -A)"
The proof fails.  It is not a statement about sets, due to overloading;
the relation symbol~\isa{<=} can be any relation, not just  
In this general form, the statement is not valid.  Putting
in a type constraint forces the variables to denote sets, allowing the
proof to succeed:

\isacommand{lemma}\ "((A::\ {\isacharprime}a\ set)\ <=\ -B)\ =\ (B\ <=\
Section~\ref{sec:axclass} below describes overloading.  Incidentally,
\isa{A~\isasymsubseteq~-B} asserts that the sets \isa{A} and \isa{B} are

Two sets are \relax{equal} if they contain the same elements.  
This is
the principle of \textbf{extensionality} for sets. 
({\isasymAnd}x.\ (x\ {\isasymin}\ A)\ =\ (x\ {\isasymin}\ B))\
{\isasymLongrightarrow}\ A\ =\ B
Extensionality is often expressed as 
$A=B\iff A\subseteq B\conj B\subseteq A$.  
The following rules express both
directions of this equivalence.  Proving a set equation using
\isa{equalityI} allows the two inclusions to be proved independently.
\isasymlbrakk A\ \isasymsubseteq\ B;\ B\ \isasymsubseteq\
A\isasymrbrakk\ \isasymLongrightarrow\ A\ =\ B
\par\smallskip%          \isanewline didn't leave enough space
\isasymlbrakk A\ =\ B;\ \isasymlbrakk A\ \isasymsubseteq\ B;\ B\
\isasymsubseteq\ A\isasymrbrakk\ \isasymLongrightarrow\ P\isasymrbrakk\
\isasymLongrightarrow\ P%

\subsection{Finite Set Notation} 

Finite sets are expressed using the constant {\isa{insert}}, which is
a form of union:
insert\ a\ A\ =\ \isacharbraceleft a\isacharbraceright\ \isasymunion\ A
The finite set expression \isa{\isacharbraceleft
a,b\isacharbraceright} abbreviates
\isa{insert\ a\ (insert\ b\ \isacharbraceleft\isacharbraceright)}.
Many facts about finite sets can be proved automatically: 
"\isacharbraceleft a,b\isacharbraceright\
\isasymunion\ \isacharbraceleft c,d\isacharbraceright\ =\
\isacharbraceleft a,b,c,d\isacharbraceright"\isanewline
\isacommand{by}\ blast

Not everything that we would like to prove is valid. 
Consider this attempt: 
\isacommand{lemma}\ "\isacharbraceleft a,b\isacharbraceright\ \isasyminter\ \isacharbraceleft b,c\isacharbraceright\ =\
\isacharbraceleft b\isacharbraceright"\isanewline
\isacommand{apply}\ auto
The proof fails, leaving the subgoal \isa{b=c}. To see why it 
fails, consider a correct version: 
\isacommand{lemma}\ "\isacharbraceleft a,b\isacharbraceright\ \isasyminter\ 
\isacharbraceleft b,c\isacharbraceright\ =\ (if\ a=c\ then\
\isacharbraceleft a,b\isacharbraceright\ else\ \isacharbraceleft
\isacommand{apply}\ simp\isanewline
\isacommand{by}\ blast

Our mistake was to suppose that the various items were distinct.  Another
remark: this proof uses two methods, namely {\isa{simp}}  and
{\isa{blast}}. Calling {\isa{simp}} eliminates the
\isa{if}-\isa{then}-\isa{else} expression,  which {\isa{blast}}
cannot break down. The combined methods (namely {\isa{force}}  and
\isa{auto}) can prove this fact in one step. 

\subsection{Set Comprehension}

The set comprehension \isa{\isacharbraceleft x.\
P\isacharbraceright} expresses the set of all elements that satisfy the
predicate~\isa{P}.  Two laws describe the relationship between set 
comprehension and the membership relation:
(a\ \isasymin\
\isacharbraceleft x.\ P\ x\isacharbraceright)\ =\ P\ a
\isacharbraceleft x.\ x\ \isasymin\ A\isacharbraceright\ =\ A

Facts such as these have trivial proofs:
\isacommand{lemma}\ "\isacharbraceleft x.\ P\ x\ \isasymor\
x\ \isasymin\ A\isacharbraceright\ =\
\isacharbraceleft x.\ P\ x\isacharbraceright\ \isasymunion\ A"
\isacommand{lemma}\ "\isacharbraceleft x.\ P\ x\
\isasymlongrightarrow\ Q\ x\isacharbraceright\ =\
-\isacharbraceleft x.\ P\ x\isacharbraceright\
\isasymunion\ \isacharbraceleft x.\ Q\ x\isacharbraceright"

Isabelle has a general syntax for comprehension, which is best 
described through an example: 
\isacommand{lemma}\ "\isacharbraceleft p*q\ \isacharbar\ p\ q.\ 
p{\isasymin}prime\ \isasymand\ q{\isasymin}prime\isacharbraceright\ =\ 
\ \ \ \ \ \ \ \ \isacharbraceleft z.\ \isasymexists p\ q.\ z\ =\ p*q\
\isasymand\ p{\isasymin}prime\ \isasymand\
The proof is trivial because the left and right hand side 
of the expression are synonymous. The syntax appearing on the 
left-hand side abbreviates the right-hand side: in this case, all numbers
that are the product of two primes.  The syntax provides a neat
way of expressing any set given by an expression built up from variables
under specific constraints.  The drawback is that it hides the true form of
the expression, with its existential quantifiers. 

\emph{Remark}.  We do not need sets at all.  They are essentially equivalent
to predicate variables, which are allowed in  higher-order logic.  The main
benefit of sets is their notation;  we can write \isa{x{\isasymin}A}
\isa{\isacharbraceleft z.\ P\isacharbraceright} where predicates would
require writing
\isa{A(x)} and
\isa{{\isasymlambda}z.\ P}. 

\subsection{Binding Operators}

Universal and existential quantifications may range over sets, 
with the obvious meaning.  Here are the natural deduction rules for the
bounded universal quantifier.  Occasionally you will need to apply
\isa{bspec} with an explicit instantiation of the variable~\isa{x}:
({\isasymAnd}x.\ x\ \isasymin\ A\ \isasymLongrightarrow\ P\ x)\ \isasymLongrightarrow\ {\isasymforall}x\isasymin
A.\ P\ x%
\isasymlbrakk{\isasymforall}x\isasymin A.\
P\ x;\ x\ \isasymin\
A\isasymrbrakk\ \isasymLongrightarrow\ P\
Dually, here are the natural deduction rules for the
bounded existential quantifier.  You may need to apply
\isa{bexI} with an explicit instantiation:
\isasymlbrakk P\ x;\
x\ \isasymin\ A\isasymrbrakk\
\isasymexists x\isasymin A.\ P\
\isasymlbrakk\isasymexists x\isasymin A.\
P\ x;\ {\isasymAnd}x.\
{\isasymlbrakk}x\ \isasymin\ A;\
P\ x\isasymrbrakk\ \isasymLongrightarrow\
Q\isasymrbrakk\ \isasymLongrightarrow\ Q%

Unions can be formed over the values of a given  set.  The syntax is
\isa{\isasymUnion x\isasymin A.\ B} or \isa{UN
x:\ A.\ B} in \textsc{ascii}. Indexed union satisfies this basic law:
(b\ \isasymin\
(\isasymUnion x\isasymin A.\ B\ x))\ =\ (\isasymexists x\isasymin A.\
b\ \isasymin\ B\ x)
It has two natural deduction rules similar to those for the existential
quantifier.  Sometimes \isa{UN_I} must be applied explicitly:
\isasymlbrakk a\ \isasymin\
A;\ b\ \isasymin\
B\ a\isasymrbrakk\ \isasymLongrightarrow\
b\ \isasymin\
({\isasymUnion}x\isasymin A.\
B\ x)
\isasymlbrakk b\ \isasymin\
({\isasymUnion}x\isasymin A.\
B\ x);\
{\isasymAnd}x.\ {\isasymlbrakk}x\ \isasymin\
A;\ b\ \isasymin\
B\ x\isasymrbrakk\ \isasymLongrightarrow\
R\isasymrbrakk\ \isasymLongrightarrow\ R%
The following built-in abbreviation lets us express the union
over a \emph{type}:
\ \ \ \ \
({\isasymUnion}x.\ B\ x)\ {==}\
({\isasymUnion}x{\isasymin}UNIV.\ B\ x)
Abbreviations work as you might expect.  The term on the left-hand side of
\isa{==} symbol is automatically translated to the right-hand side when the
term is parsed, the reverse translation being done when the term is

We may also express the union of a set of sets, written \isa{Union\ C} in
(A\ \isasymin\ \isasymUnion C)\ =\ (\isasymexists X\isasymin C.\ A\
\isasymin\ X)

Intersections are treated dually, although they seem to be used less often
than unions.  The syntax below would be \isa{INT
x:\ A.\ B} and \isa{Inter\ C} in \textsc{ascii}.  Among others, these
theorems are available:
(b\ \isasymin\
({\isasymInter}x\isasymin A.\
B\ x))\
({\isasymforall}x\isasymin A.\
b\ \isasymin\ B\ x)
(A\ \isasymin\
\isasymInter C)\ =\
({\isasymforall}X\isasymin C.\
A\ \isasymin\ X)

Isabelle uses logical equivalences such as those above in automatic proof. 
Unions, intersections and so forth are not simply replaced by their
definitions.  Instead, membership tests are simplified.  For example,  $x\in
A\cup B$ is replaced by $x\in A\vee x\in B$.

The internal form of a comprehension involves the constant  
\isa{Collect}, which occasionally appears when a goal or theorem
is displayed.  For example, \isa{Collect\ P}  is the same term as
\isa{\isacharbraceleft z.\ P\ x\isacharbraceright}.  The same thing can
happen with quantifiers:  for example, \isa{Ball\ A\ P} is 
\isa{{\isasymforall}z\isasymin A.\ P\ x} and \isa{Bex\ A\ P} is 
\isa{\isasymexists z\isasymin A.\ P\ x}.  For indexed unions and
intersections, you may see the constants \isa{UNION} and \isa{INTER}\@.

We have only scratched the surface of Isabelle/HOL's set theory. 
One primitive not mentioned here is the powerset operator
{\isa{Pow}}.  Hundreds of theorems are proved in theory \isa{Set} and its

\subsection{Finiteness and Cardinality}

The predicate \isa{finite} holds of all finite sets.  Isabelle/HOL includes
many familiar theorems about finiteness and cardinality 
(\isa{card}). For example, we have theorems concerning the cardinalities
of unions, intersections and the powerset:
{\isasymlbrakk}finite\ A;\ finite\ B\isasymrbrakk\isanewline
\isasymLongrightarrow\ card\ A\ \isacharplus\ card\ B\ =\ card\ (A\ \isasymunion\ B)\ \isacharplus\ card\ (A\ \isasyminter\ B)
finite\ A\ \isasymLongrightarrow\ card\
(Pow\ A)\  =\ 2\ \isacharcircum\ card\ A%
finite\ A\ \isasymLongrightarrow\isanewline
card\ \isacharbraceleft B.\ B\ \isasymsubseteq\
A\ \isasymand\ card\ B\ =\
k\isacharbraceright\ =\ card\ A\ choose\ k%
Writing $|A|$ as $n$, the last of these theorems says that the number of
$k$-element subsets of~$A$ is $\binom{n}{k}$.

The term \isa{Finite\ A} is an abbreviation for
\isa{A\ \isasymin\ Finites}, where the constant \isa{Finites} denotes the
set of all finite sets of a given type.  There is no constant


This section describes a few concepts that involve functions. 
Some of the more important theorems are given along with the 
names. A few sample proofs appear. Unlike with set theory, however, 
we cannot simply state lemmas and expect them to be proved using

\subsection{Function Basics}

Two functions are \relax{equal} if they yield equal results given equal arguments. 
This is the principle of \textbf{extensionality} for functions:
({\isasymAnd}x.\ f\ x\ =\ g\ x)\ {\isasymLongrightarrow}\ f\ =\ g

Function \textbf{update} is useful for modelling machine states. It has 
the obvious definition and many useful facts are proved about 
it.  In particular, the following equation is installed as a simplification
(f(x:=y))\ z\ =\ (if\ z\ =\ x\ then\ y\ else\ f\ z)
Two syntactic points must be noted.  In
\isa{(f(x:=y))\ z} we are applying an updated function to an
argument; the outer parentheses are essential.  A series of two or more
updates can be abbreviated as shown on the left-hand side of this theorem:
f(x:=y,\ x:=z)\ =\ f(x:=z)
Note also that we can write \isa{f(x:=z)} with only one pair of parentheses
when it is not being applied to an argument.

The \relax{identity} function and function \relax{composition} are defined:
id\ \isasymequiv\ {\isasymlambda}x.\ x%
f\ \isasymcirc\ g\ \isasymequiv\
{\isasymlambda}x.\ f\
(g\ x)%
Many familiar theorems concerning the identity and composition 
are proved. For example, we have the associativity of composition: 
f\ \isasymcirc\ (g\ \isasymcirc\ h)\ =\ f\ \isasymcirc\ g\ \isasymcirc\ h

\subsection{Injections, Surjections, Bijections}

A function may be \relax{injective}, \relax{surjective} or \relax{bijective}: 
inj_on\ f\ A\ \isasymequiv\ {\isasymforall}x\isasymin A.\
{\isasymforall}y\isasymin  A.\ f\ x\ =\ f\ y\ \isasymlongrightarrow\ x\
=\ y%
surj\ f\ \isasymequiv\ {\isasymforall}y.\
\isasymexists x.\ y\ =\ f\ x%
bij\ f\ \isasymequiv\ inj\ f\ \isasymand\ surj\ f
The second argument
of \isa{inj_on} lets us express that a function is injective over a
given set. This refinement is useful in higher-order logic, where
functions are total; in some cases, a function's natural domain is a subset
of its domain type.  Writing \isa{inj\ f} abbreviates \isa{inj_on\ f\
UNIV}, for when \isa{f} is injective everywhere.

The operator {\isa{inv}} expresses the \relax{inverse} of a function. In 
general the inverse may not be well behaved.  We have the usual laws,
such as these: 
inj\ f\ \ \isasymLongrightarrow\ inv\ f\ (f\ x)\ =\ x%
surj\ f\ \isasymLongrightarrow\ f\ (inv\ f\ y)\ =\ y
bij\ f\ \ \isasymLongrightarrow\ inv\ (inv\ f)\ =\ f
%Other useful facts are that the inverse of an injection 
%is a surjection and vice versa; the inverse of a bijection is 
%a bijection. 
%inj\ f\ \isasymLongrightarrow\ surj\
%(inv\ f)
%surj\ f\ \isasymLongrightarrow\ inj\ (inv\ f)
%bij\ f\ \isasymLongrightarrow\ bij\ (inv\ f)
%The converses of these results fail.  Unless a function is 
%well behaved, little can be said about its inverse. Here is another 
%{\isasymlbrakk}bij\ f;\ bij\ g\isasymrbrakk\ \isasymLongrightarrow\ inv\ (f\ \isasymcirc\ g)\ =\ inv\ g\ \isasymcirc\ inv\ f%

Theorems involving these concepts can be hard to prove. The following 
example is easy, but it cannot be proved automatically. To begin 
with, we need a law that relates the quality of functions to 
equality over all arguments: 
(f\ =\ g)\ =\ ({\isasymforall}x.\ f\ x\ =\ g\ x)
This is just a restatement of extensionality.  Our lemma states 
that an injection can be cancelled from the left 
side of function composition: 
\isacommand{lemma}\ "inj\ f\ \isasymLongrightarrow\ (f\ o\ g\ =\ f\ o\ h)\ =\ (g\ =\ h)"\isanewline
\isacommand{apply}\ (simp\ add:\ expand_fun_eq\ inj_on_def\ o_def)\isanewline
\isacommand{apply}\ auto\isanewline

The first step of the proof invokes extensionality and the definitions 
of injectiveness and composition. It leaves one subgoal:
\ 1.\ {\isasymforall}x\ y.\ f\ x\ =\ f\ y\ \isasymlongrightarrow\ x\ =\ y\
\ \ \ \ ({\isasymforall}x.\ f\ (g\ x)\ =\ f\ (h\ x))\ =\ ({\isasymforall}x.\ g\ x\ =\ h\ x)
This can be proved using the \isa{auto} method. 

\subsection{Function Image}

The \relax{image} of a set under a function is a most useful notion.  It
has the obvious definition: 
f\ `\ A\ \isasymequiv\ \isacharbraceleft y.\ \isasymexists x\isasymin
A.\ y\ =\ f\ x\isacharbraceright
Here are some of the many facts proved about image: 
(f\ \isasymcirc\ g)\ `\ r\ =\ f\ `\ g\ `\ r
f`(A\ \isasymunion\ B)\ =\ f`A\ \isasymunion\ f`B
inj\ f\ \isasymLongrightarrow\ f`(A\ \isasyminter\
B)\ =\ f`A\ \isasyminter\ f`B
%bij\ f\ \isasymLongrightarrow\ f\ `\ (-\ A)\ =\ -\ f\ `\ A%

Laws involving image can often be proved automatically. Here 
are two examples, illustrating connections with indexed union and with the
general syntax for comprehension:
\isacommand{lemma}\ "f`A\ \isasymunion\ g`A\ =\ ({\isasymUnion}x{\isasymin}A.\ \isacharbraceleft f\ x,\ g\
\isacommand{lemma}\ "f\ `\ \isacharbraceleft(x,y){.}\ P\ x\ y\isacharbraceright\ =\ \isacharbraceleft f(x,y)\ \isacharbar\ x\ y.\ P\ x\

 A function's \textbf{range} is the set of values that the function can 
take on. It is, in fact, the image of the universal set under 
that function. There is no constant {\isa{range}}.  Instead, {\isa{range}} 
abbreviates an application of image to {\isa{UNIV}}: 
\ \ \ \ \ range\ f\
{==}\ f`UNIV
Few theorems are proved specifically 
for {\isa{range}}; in most cases, you should look for a more general
theorem concerning images.

\relax{Inverse image} is also  useful. It is defined as follows: 
f\ -`\ B\ \isasymequiv\ \isacharbraceleft x.\ f\ x\ \isasymin\ B\isacharbraceright
This is one of the facts proved about it:
f\ -`\ (-\ A)\ =\ -\ f\ -`\ A%


A \relax{relation} is a set of pairs.  As such, the set operations apply
to them.  For instance, we may form the union of two relations.  Other
primitives are defined specifically for relations. 

\subsection{Relation Basics}

The \relax{identity} relation, also known as equality, has the obvious 
Id\ \isasymequiv\ \isacharbraceleft p.\ \isasymexists x.\ p\ =\ (x,x){\isacharbraceright}%

\relax{Composition} of relations (the infix \isa{O}) is also available: 
r\ O\ s\ \isasymequiv\ \isacharbraceleft(x,z).\ \isasymexists y.\ (x,y)\ \isasymin\ s\ \isasymand\ (y,z)\ \isasymin\ r\isacharbraceright
This is one of the many lemmas proved about these concepts: 
R\ O\ Id\ =\ R
Composition is monotonic, as are most of the primitives appearing 
in this chapter.  We have many theorems similar to the following 
\isasymlbrakk r\isacharprime\ \isasymsubseteq\ r;\ s\isacharprime\
\isasymsubseteq\ s\isasymrbrakk\ \isasymLongrightarrow\ r\isacharprime\ O\
s\isacharprime\ \isasymsubseteq\ r\ O\ s%

The \relax{converse} or inverse of a relation exchanges the roles 
of the two operands.  Note that \isa{\isacharcircum-1} is a postfix
((a,b)\ \isasymin\ r\isacharcircum-1)\ =\
((b,a)\ \isasymin\ r)
Here is a typical law proved about converse and composition: 
(r\ O\ s){\isacharcircum}-1\ =\ s\isacharcircum-1\ O\ r\isacharcircum-1

The \relax{image} of a set under a relation is defined analogously 
to image under a function: 
(b\ \isasymin\ r\ ``\ A)\ =\ (\isasymexists x\isasymin
A.\ (x,b)\ \isasymin\ r)
It satisfies many similar laws.

%Image under relations, like image under functions, distributes over unions: 
%r\ ``\ 
%x)\ =\ 
%r\ ``\ B\

The \relax{domain} and \relax{range} of a relation are defined in the 
standard way: 
(a\ \isasymin\ Domain\ r)\ =\ (\isasymexists y.\ (a,y)\ \isasymin\
(a\ \isasymin\ Range\ r)\
\ =\ (\isasymexists y.\
\isasymin\ r)

Iterated composition of a relation is available.  The notation overloads 
that of exponentiation: 
R\ \isacharcircum\ \isadigit{0}\ =\ Id\isanewline
R\ \isacharcircum\ Suc\ n\ =\ R\ O\ R\isacharcircum n

\subsection{The Reflexive Transitive Closure}

The \relax{reflexive transitive closure} of the
relation~\isa{r} is written with the
postfix syntax \isa{r\isacharcircum{*}} and appears in X-symbol notation
as~\isa{r\isactrlsup *}.  It is the least solution of the equation
r\isactrlsup *\ =\ Id\ \isasymunion \ (r\ O\ r\isactrlsup *)
Among its basic properties are three that serve as introduction 
(a,\ a)\ \isasymin \ r\isactrlsup *
p\ \isasymin \ r\ \isasymLongrightarrow \ p\ \isasymin \ r\isactrlsup *
\isasymlbrakk (a,b)\ \isasymin \ r\isactrlsup *;\ 
(b,c)\ \isasymin \ r\isactrlsup *\isasymrbrakk \ \isasymLongrightarrow \
(a,c)\ \isasymin \ r\isactrlsup *
Induction over the reflexive transitive closure is available: 
\isasymlbrakk (a,\ b)\ \isasymin \ r\isactrlsup *;\ P\ a;\ \isasymAnd y\ z.\ \isasymlbrakk (a,\ y)\ \isasymin \ r\isactrlsup *;\ (y,\ z)\ \isasymin \ r;\ P\ y\isasymrbrakk \ \isasymLongrightarrow \ P\ z\isasymrbrakk \isanewline
\isasymLongrightarrow \ P\ b%
Idempotence is one of the laws proved about the reflexive transitive 
(r\isactrlsup *)\isactrlsup *\ =\ r\isactrlsup *

The transitive closure is similar. It has two 
introduction rules: 
p\ \isasymin \ r\ \isasymLongrightarrow \ p\ \isasymin \ r\isactrlsup +
\isasymlbrakk (a,\ b)\ \isasymin \ r\isactrlsup +;\ (b,\ c)\ \isasymin \ r\isactrlsup +\isasymrbrakk \ \isasymLongrightarrow \ (a,\ c)\ \isasymin \ r\isactrlsup +
The induction rule resembles the one shown above. 
A typical lemma states that transitive closure commutes with the converse
(r\isasyminverse )\isactrlsup +\ =\ (r\isactrlsup +)\isasyminverse 

\subsection{A Sample Proof}

The reflexive transitive closure also commutes with the converse. 
Let us examine the proof. Each direction of the equivalence is 
proved separately. The two proofs are almost identical. Here 
is the first one: 
\isacommand{lemma}\ rtrancl_converseD:\ "(x,y)\ \isasymin \ (r\isacharcircum -1)\isacharcircum *\ \isasymLongrightarrow \ (y,x)\ \isasymin \ r\isacharcircum *"\isanewline
\isacommand{apply}\ (erule\ rtrancl_induct)\isanewline
\ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline
\isacommand{apply}\ (blast\ intro:\ r_into_rtrancl\
The first step of the proof applies induction, leaving these subgoals: 
\ 1.\ (x,\ x)\ \isasymin \ r\isactrlsup *\isanewline
\ 2.\ \isasymAnd y\ z.\ \isasymlbrakk (x,y)\ \isasymin \ (r\isasyminverse )\isactrlsup *;\ (y,z)\ \isasymin \ r\isasyminverse ;\ (y,x)\ \isasymin \ r\isactrlsup *\isasymrbrakk \isanewline
\ \ \ \ \ \ \ \ \ \ \isasymLongrightarrow \ (z,x)\ \isasymin \ r\isactrlsup *
The first subgoal is trivial by reflexivity. The second follows 
by first eliminating the converse operator, yielding the
assumption \isa{(z,y)\
\isasymin\ r}, and then
applying the introduction rules shown above.  The same proof script handles
the other direction: 
\isacommand{lemma}\ rtrancl_converseI:\ "(y,x)\ \isasymin \ r\isacharcircum *\ \isasymLongrightarrow \ (x,y)\ \isasymin \ (r\isacharcircum -1)\isacharcircum *"\isanewline
\isacommand{apply}\ (erule\ rtrancl_induct)\isanewline
\ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline
\isacommand{apply}\ (blast\ intro:\ r_into_rtrancl\ rtrancl_trans)\isanewline

Finally, we combine the two lemmas to prove the desired equation: 
\isacommand{lemma}\ rtrancl_converse:\ "(r\isacharcircum-1){\isacharcircum}*\ =\ (r\isacharcircum{*}){\isacharcircum}-1"\isanewline
\isacommand{by}\ (auto\ intro:\ rtrancl_converseI\ dest:\

Note that \isa{blast} cannot prove this theorem.  Here is a subgoal that
arises internally after  the rules \isa{equalityI} and \isa{subsetI} have
been applied:
\ 1.\ \isasymAnd x.\ x\ \isasymin \ (r\isasyminverse )\isactrlsup *\ \isasymLongrightarrow \ x\ \isasymin \ (r\isactrlsup
%ignore subgoal 2
%\ 2.\ \isasymAnd x.\ x\ \isasymin \ (r\isactrlsup *)\isasyminverse \
%\isasymLongrightarrow \ x\ \isasymin \ (r\isasyminverse )\isactrlsup *
We cannot use \isa{rtrancl_converseD}\@.  It refers to
ordered pairs, while \isa{x} is a variable of product type.
The \isa{simp} and \isa{blast} methods can do nothing, so let us try
\ 1.\ \isasymAnd a\ b.\ (a,b)\ \isasymin \ (r\isasyminverse )\isactrlsup *\ \isasymLongrightarrow \ (b,a)\ \isasymin \ r\isactrlsup
Now that \isa{x} has been replaced by the pair \isa{(a,b)}, we can
proceed.  Other methods that split variables in this way are \isa{force}
and \isa{auto}.  Section~\ref{sec:products} will discuss proof techniques
for ordered pairs in more detail.

\section{Well-Founded Relations and Induction}

Induction comes in many forms, including traditional mathematical 
induction, structural induction on lists and induction on size. 
More general than these is induction over a well-founded relation. 
Such A relation expresses the notion of a terminating process. 
Intuitively, the relation~$\prec$ is \textbf{well-founded} if it admits no
infinite  descending chains
\[ \cdots \prec a@2 \prec a@1 \prec a@0. \]
If $\prec$ is well-founded then it can be used with the well-founded 
induction rule: 
\[ \infer{P(a)}{\infer*{P(x)}{[\forall y.\, y\prec x \imp P(y)]}} \]
To show $P(a)$ for a particular term~$a$, it suffices to show $P(x)$ for
arbitrary~$x$ under the assumption that $P(y)$ holds for $y\prec x$. 
Intuitively, the well-foundedness of $\prec$ ensures that the chains of
reasoning are finite.

In Isabelle, the induction rule is expressed like this:
{\isasymlbrakk}wf\ r;\ 
  {\isasymAnd}x.\ {\isasymforall}y.\ (y,x)\ \isasymin\ r\
\isasymlongrightarrow\ P\ y\ \isasymLongrightarrow\ P\ x\isasymrbrakk\
\isasymLongrightarrow\ P\ a
Here \isa{wf\ r} expresses that the relation~\isa{r} is well-founded.

Many familiar induction principles are instances of this rule. 
For example, the predecessor relation on the natural numbers 
is well-founded; induction over it is mathematical induction. 
The `tail of' relation on lists is well-founded; induction over 
it is structural induction. 

Well-foundedness can be difficult to show. The various 
formulations are all complicated.  However,  often a relation
is well-founded by construction.  HOL provides
theorems concerning ways of constructing  a well-founded relation.
For example, a relation can be defined  by means of a measure function
involving an existing relation, or two relations can be
combined lexicographically.

Isabelle/HOL declares \isa{less_than} as a relation object, 
that is, a set of pairs of natural numbers. Two theorems tell us that this
relation  behaves as expected and that it is well-founded: 
((x,y)\ \isasymin\ less_than)\ =\ (x\ <\ y)
wf\ less_than

The notion of measure generalizes to the \textbf{inverse image} of
a relation. Given a relation~\isa{r} and a function~\isa{f}, we express  a
new relation using \isa{f} as a measure.  An infinite descending chain on
this new relation would give rise to an infinite descending chain
on~\isa{r}.  Isabelle/HOL holds the definition of this concept and a
theorem stating that it preserves well-foundedness: 
inv_image\ r\ f\ \isasymequiv\ \isacharbraceleft(x,y).\ (f\ x,\ f\ y)\
\isasymin\ r\isacharbraceright
wf\ r\ \isasymLongrightarrow\ wf\ (inv_image\ r\ f)

The most familiar notion of measure involves the natural numbers. This yields, 
for example, induction on the length of a list (\isa{measure length}). 
Isabelle/HOL defines
\isa{measure} specifically: 
measure\ \isasymequiv\ inv_image\ less_than%
wf\ (measure\ f)

Of the other constructions, the most important is the \textbf{lexicographic 
product} of two relations. It expresses the standard dictionary 
ordering over pairs.  We write \isa{ra\ <*lex*>\ rb}, where \isa{ra}
and \isa{rb} are the two operands.  The lexicographic product satisfies the
usual  definition and it preserves well-foundedness: 
ra\ <*lex*>\ rb\ \isasymequiv \isanewline
\ \ \isacharbraceleft ((a,b),(a',b')).\ (a,a')\ \isasymin \ ra\
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \,a=a'\ \isasymand \ (b,b')\
\isasymin \ rb\isacharbraceright 
\isasymlbrakk wf\ ra;\ wf\ rb\isasymrbrakk \ \isasymLongrightarrow \ wf\ (ra\ <*lex*>\ rb)

These constructions can be used in a
\textbf{recdef} declaration (\S\ref{sec:recdef-simplification}) to define
the well-founded relation used to prove termination.

The \textbf{multiset ordering}, useful for hard termination proofs, is available
in the Library.  Baader and Nipkow \cite[\S2.5]{Baader-Nipkow} discuss it. 

\section{Fixed Point Operators}

Fixed point operators define sets recursively.  Most users invoke 
them by making an inductive definition, as discussed in
Chap.\ts\ref{chap:inductive} below.  However, they can be used directly.
\relax{least}  or \relax{strongest} fixed point yields an inductive
definition;  the \relax{greatest} or \relax{weakest} fixed point yields a
coinductive  definition.  Mathematicians may wish to note that the
existence  of these fixed points is guaranteed by the Knaster-Tarski

The theory works applies only to monotonic functions. Isabelle's 
definition of monotone is overloaded over all orderings:
mono\ f\ \isasymequiv\ {\isasymforall}A\ B.\ A\ \isasymle\ B\ \isasymlongrightarrow\ f\ A\ \isasymle\ f\ B%
For fixed point operators, the ordering will be the subset relation: if
$A\subseteq B$ then we expect $f(A)\subseteq f(B)$.  In addition to its
definition, monotonicity has the obvious introduction and destruction
({\isasymAnd}A\ B.\ A\ \isasymle\ B\ \isasymLongrightarrow\ f\ A\ \isasymle\ f\ B)\ \isasymLongrightarrow\ mono\ f%
\par\smallskip%          \isanewline didn't leave enough space
{\isasymlbrakk}mono\ f;\ A\ \isasymle\ B\isasymrbrakk\
\isasymLongrightarrow\ f\ A\ \isasymle\ f\ B%

The most important properties of the least fixed point are that 
it is a fixed point and that it enjoys an induction rule: 
mono\ f\ \isasymLongrightarrow\ lfp\ f\ =\ f\ (lfp\ f)
\par\smallskip%          \isanewline didn't leave enough space
{\isasymlbrakk}a\ \isasymin\ lfp\ f;\ mono\ f;\isanewline
  \ {\isasymAnd}x.\ x\
\isasymin\ f\ (lfp\ f\ \isasyminter\ \isacharbraceleft x.\ P\
x\isacharbraceright)\ \isasymLongrightarrow\ P\ x\isasymrbrakk\
\isasymLongrightarrow\ P\ a%
The induction rule shown above is more convenient than the basic 
one derived from the minimality of {\isa{lfp}}.  Observe that both theorems
demand \isa{mono\ f} as a premise.

The greatest fixed point is similar, but it has a \relax{coinduction} rule: 
mono\ f\ \isasymLongrightarrow\ gfp\ f\ =\ f\ (gfp\ f)
{\isasymlbrakk}mono\ f;\ a\ \isasymin\ X;\ X\ \isasymsubseteq\ f\ (X\
\isasymunion\ gfp\ f)\isasymrbrakk\ \isasymLongrightarrow\ a\ \isasymin\
gfp\ f%
A \relax{bisimulation} is perhaps the best-known concept defined as a
greatest fixed point.  Exhibiting a bisimulation to prove the equality of
two agents in a process algebra is an example of coinduction.
The coinduction rule can be strengthened in various ways; see 
theory \isa{Gfp} for details.