diff -r a378479996f7 -r 22855d091249 doc-src/TutorialI/Sets/sets.tex --- a/doc-src/TutorialI/Sets/sets.tex Wed Feb 07 12:15:59 2001 +0100 +++ b/doc-src/TutorialI/Sets/sets.tex Wed Feb 07 16:37:24 2001 +0100 @@ -1,22 +1,19 @@ % $Id$ \chapter{Sets, Functions and Relations} -\REMARK{The old version used lots of bold. I've cut down, -changing some \texttt{textbf} to \texttt{relax}. This can be undone. -See the source.} -Mathematics relies heavily on set theory: not just unions and intersections -but images, least fixed points and other concepts. In computer science, -sets are used to formalize grammars, state transition systems, etc. The set -theory of Isabelle/HOL should not be confused with traditional, untyped set -theory, in which everything is a set. Our sets are typed. In a given set, -all elements have the same type, say~$\tau$, and the set itself has type -\isa{$\tau$~set}. +This chapter describes the formalization of typed set theory, which is +the basis of much else in HOL\@. For example, an +inductive definition yields a set, and the abstract theories of relations +regard a relation as a set of pairs. The chapter introduces the well-known +constants such as union and intersection, as well as the main operations on relations, such as converse, composition and +transitive closure. Functions are also covered. They are not sets in +HOL, but many of their properties concern sets: the range of a +function is a set, and the inverse image of a function maps sets to sets. -Relations are simply sets of pairs. This chapter describes -the main operations on relations, such as converse, composition and -transitive closure. Functions are also covered. They are not sets in -Isabelle/HOL, but many of their properties concern sets. The range of a -function is a set, and the inverse image of a function maps sets to sets. +This chapter will be useful to anybody who plans to develop a substantial +proof. sets are convenient for formalizing computer science concepts such +as grammars, logical calculi and state transition systems. Isabelle can +prove many statements involving sets automatically. This chapter ends with a case study concerning model checking for the temporal logic CTL\@. Most of the other examples are simple. The @@ -25,17 +22,20 @@ the notation. Natural deduction rules are provided for the set theory constants, but they -are seldom used directly, so only a few are presented here. Many formulas -involving sets can be proved automatically or simplified to a great extent. -Expressing your concepts in terms of sets will probably make your proofs -easier. +are seldom used directly, so only a few are presented here. \section{Sets} -We begin with \relax{intersection}, \relax{union} and -\relax{complement}. In addition to the -\relax{membership} relation, there is a symbol for its negation. These +\index{sets|(}% +HOL's set theory should not be confused with traditional, untyped set +theory, in which everything is a set. Our sets are typed. In a given set, +all elements have the same type, say~$\tau$, and the set itself has type +\isa{$\tau$~set}. + +We begin with \bfindex{intersection}, \bfindex{union} and +\bfindex{complement}. In addition to the +\bfindex{membership relation}, there is a symbol for its negation. These points can be seen below. Here are the natural deduction rules for intersection. Note the @@ -59,9 +59,9 @@ \rulename{Compl_Un} \end{isabelle} -Set \relax{difference} is the intersection of a set with the -complement of another set. Here we also see the syntax for the -empty set and for the universal set. +Set \textbf{difference}\indexbold{difference!of sets} is the intersection +of a set with the complement of another set. Here we also see the syntax +for the empty set and for the universal set. \begin{isabelle} A\ \isasyminter\ (B\ -\ A)\ =\ \isacharbraceleft\isacharbraceright \rulename{Diff_disjoint}\isanewline @@ -69,7 +69,7 @@ \rulename{Compl_partition} \end{isabelle} -The \relax{subset} relation holds between two sets just if every element +The \bfindex{subset relation} holds between two sets just if every element of one is also an element of the other. This relation is reflexive. These are its natural deduction rules: \begin{isabelle} @@ -117,9 +117,10 @@ disjoint. \medskip -Two sets are \relax{equal} if they contain the same elements. -This is -the principle of \textbf{extensionality} for sets. +Two sets are \textbf{equal}\indexbold{equality!of sets} if they contain the +same elements. This is +the principle of \textbf{extensionality}\indexbold{extensionality!for sets} +for sets. \begin{isabelle} ({\isasymAnd}x.\ (x\ {\isasymin}\ A)\ =\ (x\ {\isasymin}\ B))\ {\isasymLongrightarrow}\ A\ =\ B @@ -144,7 +145,8 @@ \subsection{Finite Set Notation} -Finite sets are expressed using the constant {\isa{insert}}, which is +\indexbold{sets!notation for finite}\index{*insert (constant)} +Finite sets are expressed using the constant \isa{insert}, which is a form of union: \begin{isabelle} insert\ a\ A\ =\ \isacharbraceleft a\isacharbraceright\ \isasymunion\ A @@ -193,6 +195,7 @@ \subsection{Set Comprehension} +\index{set comprehensions|(}% The set comprehension \isa{\isacharbraceleft x.\ P\isacharbraceright} expresses the set of all elements that satisfy the predicate~\isa{P}. Two laws describe the relationship between set @@ -246,10 +249,12 @@ require writing \isa{A(x)} and \isa{{\isasymlambda}z.\ P}. +\index{set comprehensions|)} \subsection{Binding Operators} +\index{quantifiers!for sets|(}% Universal and existential quantifications may range over sets, with the obvious meaning. Here are the natural deduction rules for the bounded universal quantifier. Occasionally you will need to apply @@ -285,7 +290,9 @@ Q\isasymrbrakk\ \isasymLongrightarrow\ Q% \rulename{bexE} \end{isabelle} +\index{quantifiers!for sets|)} +\index{union!indexed}% Unions can be formed over the values of a given set. The syntax is \mbox{\isa{\isasymUnion x\isasymin A.\ B}} or \isa{UN x\isasymin A.\ B} in \textsc{ascii}. Indexed union satisfies this basic law: @@ -337,6 +344,7 @@ \rulename{Union_iff} \end{isabelle} +\index{intersection!indexed}% Intersections are treated dually, although they seem to be used less often than unions. The syntax below would be \isa{INT x:\ A.\ B} and \isa{Inter\ C} in \textsc{ascii}. Among others, these @@ -363,13 +371,24 @@ A\cup B$ is replaced by $x\in A\vee x\in B$. The internal form of a comprehension involves the constant -\isa{Collect}, which occasionally appears when a goal or theorem +\isa{Collect},\index{*Collect (constant)} +which occasionally appears when a goal or theorem is displayed. For example, \isa{Collect\ P} is the same term as \isa{\isacharbraceleft z.\ P\ x\isacharbraceright}. The same thing can -happen with quantifiers: for example, \isa{Ball\ A\ P} is -\isa{{\isasymforall}z\isasymin A.\ P\ x} and \isa{Bex\ A\ P} is +happen with quantifiers: \hbox{\isa{All\ P}}\index{*All (constant)} +is +\isa{{\isasymforall}z.\ P\ x} and +\hbox{\isa{Ex\ P}}\index{*Ex (constant)} is \isa{\isasymexists z.\ P\ x}; +also \isa{Ball\ A\ P}\index{*Ball (constant)} is +\isa{{\isasymforall}z\isasymin A.\ P\ x} and +\isa{Bex\ A\ P}\index{*Bex (constant)} is \isa{\isasymexists z\isasymin A.\ P\ x}. For indexed unions and -intersections, you may see the constants \isa{UNION} and \isa{INTER}\@. +intersections, you may see the constants +\isa{UNION}\index{*UNION (constant)} and +\isa{INTER}\index{*INTER (constant)}\@. +The internal constant for $\varepsilon x.P(x)$ is +\isa{Eps}\index{*Eps (constant)}. + We have only scratched the surface of Isabelle/HOL's set theory. One primitive not mentioned here is the powerset operator @@ -379,10 +398,11 @@ \subsection{Finiteness and Cardinality} +\index{sets!finite}% The predicate \isa{finite} holds of all finite sets. Isabelle/HOL includes many familiar theorems about finiteness and cardinality (\isa{card}). For example, we have theorems concerning the cardinalities -of unions, intersections and the powerset: +of unions, intersections and the powerset:\index{cardinality} % \begin{isabelle} {\isasymlbrakk}finite\ A;\ finite\ B\isasymrbrakk\isanewline @@ -402,7 +422,8 @@ \rulename{n_subsets} \end{isabelle} Writing $|A|$ as $n$, the last of these theorems says that the number of -$k$-element subsets of~$A$ is $\binom{n}{k}$. +$k$-element subsets of~$A$ is \index{binomial coefficients} +$\binom{n}{k}$. \begin{warn} The term \isa{Finite\ A} is an abbreviation for @@ -410,26 +431,31 @@ set of all finite sets of a given type. There is no constant \isa{Finite}. \end{warn} - +\index{sets|)} + \section{Functions} -This section describes a few concepts that involve functions. -Some of the more important theorems are given along with the +\index{functions|(}% +This section describes a few concepts that involve +functions. Some of the more important theorems are given along with the names. A few sample proofs appear. Unlike with set theory, however, we cannot simply state lemmas and expect them to be proved using \isa{blast}. \subsection{Function Basics} -Two functions are \relax{equal} if they yield equal results given equal arguments. -This is the principle of \textbf{extensionality} for functions: +Two functions are \textbf{equal}\indexbold{equality!of functions} +if they yield equal results given equal +arguments. This is the principle of +\textbf{extensionality}\indexbold{extensionality!for functions} for +functions: \begin{isabelle} ({\isasymAnd}x.\ f\ x\ =\ g\ x)\ {\isasymLongrightarrow}\ f\ =\ g \rulename{ext} \end{isabelle} - +\indexbold{function updates}% Function \textbf{update} is useful for modelling machine states. It has the obvious definition and many useful facts are proved about it. In particular, the following equation is installed as a simplification @@ -450,7 +476,9 @@ when it is not being applied to an argument. \medskip -The \relax{identity} function and function \relax{composition} are defined: +The \bfindex{identity function} and function +\textbf{composition}\indexbold{composition!of functions} are +defined: \begin{isabelle}% id\ \isasymequiv\ {\isasymlambda}x.\ x% \rulename{id_def}\isanewline @@ -469,7 +497,8 @@ \subsection{Injections, Surjections, Bijections} -A function may be \relax{injective}, \relax{surjective} or \relax{bijective}: +\index{injections}\index{surjections}\index{bijections}% +A function may be \textbf{injective}, \textbf{surjective} or \textbf{bijective}: \begin{isabelle} inj_on\ f\ A\ \isasymequiv\ {\isasymforall}x\isasymin A.\ {\isasymforall}y\isasymin A.\ f\ x\ =\ f\ y\ \isasymlongrightarrow\ x\ @@ -488,7 +517,9 @@ of its domain type. Writing \isa{inj\ f} abbreviates \isa{inj_on\ f\ UNIV}, for when \isa{f} is injective everywhere. -The operator {\isa{inv}} expresses the \relax{inverse} of a function. In +The operator \isa{inv} expresses the +\textbf{inverse}\indexbold{inverse!of a function} +of a function. In general the inverse may not be well behaved. We have the usual laws, such as these: \begin{isabelle} @@ -552,7 +583,8 @@ \subsection{Function Image} -The \relax{image} of a set under a function is a most useful notion. It +The \textbf{image}\indexbold{image!under a function} +of a set under a function is a most useful notion. It has the obvious definition: \begin{isabelle} f\ `\ A\ \isasymequiv\ \isacharbraceleft y.\ \isasymexists x\isasymin @@ -601,7 +633,8 @@ theorem concerning images. \medskip -\relax{Inverse image} is also useful. It is defined as follows: +\textbf{Inverse image}\index{inverse image!of a function} is also useful. +It is defined as follows: \begin{isabelle} f\ -`\ B\ \isasymequiv\ \isacharbraceleft x.\ f\ x\ \isasymin\ B\isacharbraceright \rulename{vimage_def} @@ -612,25 +645,28 @@ f\ -`\ (-\ A)\ =\ -\ f\ -`\ A% \rulename{vimage_Compl} \end{isabelle} +\index{functions|)} \section{Relations} \label{sec:Relations} -A \relax{relation} is a set of pairs. As such, the set operations apply +\index{relations|(}% +A \textbf{relation} is a set of pairs. As such, the set operations apply to them. For instance, we may form the union of two relations. Other primitives are defined specifically for relations. \subsection{Relation Basics} -The \relax{identity} relation, also known as equality, has the obvious +The \bfindex{identity relation}, also known as equality, has the obvious definition: \begin{isabelle} Id\ \isasymequiv\ \isacharbraceleft p.\ \isasymexists x.\ p\ =\ (x,x){\isacharbraceright}% \rulename{Id_def} \end{isabelle} -\relax{Composition} of relations (the infix \isa{O}) is also available: +\indexbold{composition!of relations}% +\textbf{Composition} of relations (the infix \isa{O}) is also available: \begin{isabelle} r\ O\ s\ \isasymequiv\ \isacharbraceleft(x,z).\ \isasymexists y.\ (x,y)\ \isasymin\ s\ \isasymand\ (y,z)\ \isasymin\ r\isacharbraceright \rulename{comp_def} @@ -652,23 +688,27 @@ \rulename{comp_mono} \end{isabelle} -The \relax{converse} or inverse of a relation exchanges the roles -of the two operands. Note that \isa{\isacharcircum-1} is a postfix -operator. +\indexbold{converse!of a relation}% +\indexbold{inverse!of a relation}% +The \textbf{converse} or inverse of a +relation exchanges the roles of the two operands. We use the postfix +notation~\isa{r\isasyminverse} or +\isa{r\isacharcircum-1} in ASCII\@. \begin{isabelle} -((a,b)\ \isasymin\ r\isacharcircum-1)\ =\ +((a,b)\ \isasymin\ r\isasyminverse)\ =\ ((b,a)\ \isasymin\ r) \rulename{converse_iff} \end{isabelle} % Here is a typical law proved about converse and composition: \begin{isabelle} -(r\ O\ s){\isacharcircum}-1\ =\ s\isacharcircum-1\ O\ r\isacharcircum-1 +(r\ O\ s)\isasyminverse\ =\ s\isasyminverse\ O\ r\isasyminverse \rulename{converse_comp} \end{isabelle} -The \relax{image} of a set under a relation is defined analogously -to image under a function: +\indexbold{image!under a relation}% +The \textbf{image} of a set under a relation is defined +analogously to image under a function: \begin{isabelle} (b\ \isasymin\ r\ ``\ A)\ =\ (\isasymexists x\isasymin A.\ (x,b)\ \isasymin\ r) @@ -689,7 +729,7 @@ %\end{isabelle} -The \relax{domain} and \relax{range} of a relation are defined in the +The \bfindex{domain} and \bfindex{range} of a relation are defined in the standard way: \begin{isabelle} (a\ \isasymin\ Domain\ r)\ =\ (\isasymexists y.\ (a,y)\ \isasymin\ @@ -708,15 +748,17 @@ \begin{isabelle} R\ \isacharcircum\ \isadigit{0}\ =\ Id\isanewline R\ \isacharcircum\ Suc\ n\ =\ R\ O\ R\isacharcircum n -\rulename{RelPow.relpow.simps} +\rulename{relpow.simps} \end{isabelle} -\subsection{The Reflexive Transitive Closure} +\subsection{The Reflexive and Transitive Closure} -The \relax{reflexive transitive closure} of the -relation~\isa{r} is written with the -postfix syntax \isa{r\isacharcircum{*}} and appears in X-symbol notation -as~\isa{r\isactrlsup *}. It is the least solution of the equation +\index{closure!reflexive and transitive|(}% +The \textbf{reflexive and transitive closure} of the +relation~\isa{r} is written with a +postfix syntax. In ASCII we write \isa{r\isacharcircum*} and in +X-symbol notation~\isa{r\isactrlsup *}. It is the least solution of the +equation \begin{isabelle} r\isactrlsup *\ =\ Id\ \isasymunion \ (r\ O\ r\isactrlsup *) \rulename{rtrancl_unfold} @@ -750,8 +792,8 @@ \end{isabelle} \smallskip -The transitive closure is similar. It has two -introduction rules: +The transitive closure is similar. The ASCII syntax is +\isa{r\isacharcircum+}. It has two introduction rules: \begin{isabelle} p\ \isasymin \ r\ \isasymLongrightarrow \ p\ \isasymin \ r\isactrlsup + \rulename{r_into_trancl}\isanewline @@ -774,18 +816,21 @@ proved separately. The two proofs are almost identical. Here is the first one: \begin{isabelle} -\isacommand{lemma}\ rtrancl_converseD:\ "(x,y)\ \isasymin \ (r\isacharcircum -1)\isacharcircum *\ \isasymLongrightarrow \ (y,x)\ \isasymin \ r\isacharcircum *"\isanewline +\isacommand{lemma}\ rtrancl_converseD:\ "(x,y)\ \isasymin \ +(r\isasyminverse)\isactrlsup *\ \isasymLongrightarrow \ (y,x)\ \isasymin +\ r\isactrlsup *"\isanewline \isacommand{apply}\ (erule\ rtrancl_induct)\isanewline \ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline -\isacommand{apply}\ (blast\ intro:\ r_into_rtrancl\ -rtrancl_trans)\isanewline +\isacommand{apply}\ (blast\ intro:\ rtrancl_trans)\isanewline \isacommand{done} \end{isabelle} % The first step of the proof applies induction, leaving these subgoals: \begin{isabelle} \ 1.\ (x,\ x)\ \isasymin \ r\isactrlsup *\isanewline -\ 2.\ \isasymAnd y\ z.\ \isasymlbrakk (x,y)\ \isasymin \ (r\isasyminverse )\isactrlsup *;\ (y,z)\ \isasymin \ r\isasyminverse ;\ (y,x)\ \isasymin \ r\isactrlsup *\isasymrbrakk \isanewline +\ 2.\ \isasymAnd y\ z.\ \isasymlbrakk (x,y)\ \isasymin \ +(r\isasyminverse)\isactrlsup *;\ (y,z)\ \isasymin \ r\isasyminverse ;\ +(y,x)\ \isasymin \ r\isactrlsup *\isasymrbrakk \isanewline \ \ \ \ \ \ \ \ \ \ \isasymLongrightarrow \ (z,x)\ \isasymin \ r\isactrlsup * \end{isabelle} % @@ -796,17 +841,17 @@ applying the introduction rules shown above. The same proof script handles the other direction: \begin{isabelle} -\isacommand{lemma}\ rtrancl_converseI:\ "(y,x)\ \isasymin \ r\isacharcircum *\ \isasymLongrightarrow \ (x,y)\ \isasymin \ (r\isacharcircum -1)\isacharcircum *"\isanewline +\isacommand{lemma}\ rtrancl_converseI:\ "(y,x)\ \isasymin \ r\isactrlsup *\ \isasymLongrightarrow \ (x,y)\ \isasymin \ (r\isasyminverse)\isactrlsup *"\isanewline \isacommand{apply}\ (erule\ rtrancl_induct)\isanewline \ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline -\isacommand{apply}\ (blast\ intro:\ r_into_rtrancl\ rtrancl_trans)\isanewline +\isacommand{apply}\ (blast\ intro:\ rtrancl_trans)\isanewline \isacommand{done} \end{isabelle} Finally, we combine the two lemmas to prove the desired equation: \begin{isabelle} -\isacommand{lemma}\ rtrancl_converse:\ "(r\isacharcircum-1){\isacharcircum}*\ =\ (r\isacharcircum{*}){\isacharcircum}-1"\isanewline +\isacommand{lemma}\ rtrancl_converse:\ "(r\isasyminverse)\isactrlsup *\ =\ (r\isactrlsup *)\isasyminverse"\isanewline \isacommand{by}\ (auto\ intro:\ rtrancl_converseI\ dest:\ rtrancl_converseD) \end{isabelle} @@ -832,55 +877,43 @@ * \end{isabelle} Now that \isa{x} has been replaced by the pair \isa{(a,b)}, we can -proceed. Other methods that split variables in this way are \isa{force} -and \isa{auto}. Section~\ref{sec:products} will discuss proof techniques -for ordered pairs in more detail. +proceed. Other methods that split variables in this way are \isa{force}, +\isa{auto}, \isa{fast} and \isa{best}. Section~\ref{sec:products} will discuss proof +techniques for ordered pairs in more detail. \end{warn} - +\index{relations|)}\index{closure!reflexive and transitive|)} \section{Well-Founded Relations and Induction} \label{sec:Well-founded} -Induction comes in many forms, including traditional mathematical -induction, structural induction on lists and induction on size. -More general than these is induction over a well-founded relation. -Such a relation expresses the notion of a terminating process. +\index{relations!well-founded|(}% +A well-founded relation captures the notion of a terminating process. +Each \isacommand{recdef}\index{recdef@\isacommand{recdef}} +declaration must specify a well-founded relation that +justifies the termination of the desired recursive function. Most of the +forms of induction found in mathematics are merely special cases of +induction over a well-founded relation. + Intuitively, the relation~$\prec$ is \textbf{well-founded} if it admits no infinite descending chains \[ \cdots \prec a@2 \prec a@1 \prec a@0. \] -If $\prec$ is well-founded then it can be used with the well-founded -induction rule: -\[ \infer{P(a)}{\infer*{P(x)}{[\forall y.\, y\prec x \imp P(y)]}} \] -To show $P(a)$ for a particular term~$a$, it suffices to show $P(x)$ for -arbitrary~$x$ under the assumption that $P(y)$ holds for $y\prec x$. -Intuitively, the well-foundedness of $\prec$ ensures that the chains of -reasoning are finite. - -\smallskip -In Isabelle, the induction rule is expressed like this: -\begin{isabelle} -{\isasymlbrakk}wf\ r;\ - {\isasymAnd}x.\ {\isasymforall}y.\ (y,x)\ \isasymin\ r\ -\isasymlongrightarrow\ P\ y\ \isasymLongrightarrow\ P\ x\isasymrbrakk\ -\isasymLongrightarrow\ P\ a -\rulename{wf_induct} -\end{isabelle} -Here \isa{wf\ r} expresses that the relation~\isa{r} is well-founded. - -Many familiar induction principles are instances of this rule. -For example, the predecessor relation on the natural numbers -is well-founded; induction over it is mathematical induction. -The ``tail of'' relation on lists is well-founded; induction over -it is structural induction. - -Well-foundedness can be difficult to show. The various +Well-foundedness can be hard to show. The various formulations are all complicated. However, often a relation is well-founded by construction. HOL provides -theorems concerning ways of constructing a well-founded relation. -For example, a relation can be defined by means of a measure function -involving an existing relation, or two relations can be -combined lexicographically. +theorems concerning ways of constructing a well-founded relation. The +most familiar way is to specify a \bfindex{measure function}~\isa{f} into +the natural numbers, when $\isa{x}\prec \isa{y}\iff \isa{f x} < \isa{f y}$; +we write this particular relation as +\isa{measure~f}. + +\begin{warn} +You may want to skip the rest of this section until you need to perform a +complex recursive function definition or induction. The induction rule +returned by +\isacommand{recdef} is good enough for most purposes. We use an explicit +well-founded induction only in \S\ref{sec:CTL-revisited}. +\end{warn} Isabelle/HOL declares \isa{less_than} as a relation object, that is, a set of pairs of natural numbers. Two theorems tell us that this @@ -892,11 +925,12 @@ \rulename{wf_less_than} \end{isabelle} -The notion of measure generalizes to the \textbf{inverse image} of +The notion of measure generalizes to the +\index{inverse image!of a relation}\textbf{inverse image} of a relation. Given a relation~\isa{r} and a function~\isa{f}, we express a new relation using \isa{f} as a measure. An infinite descending chain on this new relation would give rise to an infinite descending chain -on~\isa{r}. Isabelle/HOL holds the definition of this concept and a +on~\isa{r}. Isabelle/HOL defines this concept and proves a theorem stating that it preserves well-foundedness: \begin{isabelle} inv_image\ r\ f\ \isasymequiv\ \isacharbraceleft(x,y).\ (f\ x,\ f\ y)\ @@ -906,10 +940,10 @@ \rulename{wf_inv_image} \end{isabelle} -The most familiar notion of measure involves the natural numbers. This yields, -for example, induction on the length of a list (\isa{measure length}). -Isabelle/HOL defines -\isa{measure} specifically: +A measure function involves the natural numbers. The relation \isa{measure +size} justifies primitive recursion and structural induction over a +datatype. Isabelle/HOL defines +\isa{measure} as shown: \begin{isabelle} measure\ \isasymequiv\ inv_image\ less_than% \rulename{measure_def}\isanewline @@ -938,22 +972,58 @@ \textbf{recdef} declaration (\S\ref{sec:recdef-simplification}) to define the well-founded relation used to prove termination. -The \textbf{multiset ordering}, useful for hard termination proofs, is available -in the Library. Baader and Nipkow \cite[\S2.5]{Baader-Nipkow} discuss it. +The \bfindex{multiset ordering}, useful for hard termination proofs, is +available in the Library. Baader and Nipkow \cite[\S2.5]{Baader-Nipkow} +discuss it. + +\medskip +Induction comes in many forms, including traditional mathematical +induction, structural induction on lists and induction on size. All are +instances of the following rule, for a suitable well-founded +relation~$\prec$: +\[ \infer{P(a)}{\infer*{P(x)}{[\forall y.\, y\prec x \imp P(y)]}} \] +To show $P(a)$ for a particular term~$a$, it suffices to show $P(x)$ for +arbitrary~$x$ under the assumption that $P(y)$ holds for $y\prec x$. +Intuitively, the well-foundedness of $\prec$ ensures that the chains of +reasoning are finite. + +\smallskip +In Isabelle, the induction rule is expressed like this: +\begin{isabelle} +{\isasymlbrakk}wf\ r;\ + {\isasymAnd}x.\ {\isasymforall}y.\ (y,x)\ \isasymin\ r\ +\isasymlongrightarrow\ P\ y\ \isasymLongrightarrow\ P\ x\isasymrbrakk\ +\isasymLongrightarrow\ P\ a +\rulename{wf_induct} +\end{isabelle} +Here \isa{wf\ r} expresses that the relation~\isa{r} is well-founded. + +Many familiar induction principles are instances of this rule. +For example, the predecessor relation on the natural numbers +is well-founded; induction over it is mathematical induction. +The ``tail of'' relation on lists is well-founded; induction over +it is structural induction. +\index{relations!well-founded|)} \section{Fixed Point Operators} -Fixed point operators define sets recursively. They are invoked -implicitly when making an inductive definition, as discussed in -Chap.\ts\ref{chap:inductive} below. However, they can be used directly, too. -The -\relax{least} or \relax{strongest} fixed point yields an inductive -definition; the \relax{greatest} or \relax{weakest} fixed point yields a +\index{fixed points|(}% +Fixed point operators define sets +recursively. They are invoked implicitly when making an inductive +definition, as discussed in Chap.\ts\ref{chap:inductive} below. However, +they can be used directly, too. The +\emph{least} or \emph{strongest} fixed point yields an inductive +definition; the \emph{greatest} or \emph{weakest} fixed point yields a coinductive definition. Mathematicians may wish to note that the existence of these fixed points is guaranteed by the Knaster-Tarski theorem. +\begin{warn} +Casual readers should skip the rest of this section. We use fixed point +operators only in \S\ref{sec:VMC}. +\end{warn} + The theory applies only to monotonic functions. Isabelle's definition of monotone is overloaded over all orderings: \begin{isabelle} @@ -992,7 +1062,7 @@ one derived from the minimality of {\isa{lfp}}. Observe that both theorems demand \isa{mono\ f} as a premise. -The greatest fixed point is similar, but it has a \relax{coinduction} rule: +The greatest fixed point is similar, but it has a \bfindex{coinduction} rule: \begin{isabelle} mono\ f\ \isasymLongrightarrow\ gfp\ f\ =\ f\ (gfp\ f) \rulename{gfp_unfold}% @@ -1002,8 +1072,9 @@ gfp\ f% \rulename{coinduct} \end{isabelle} -A \relax{bisimulation} is perhaps the best-known concept defined as a +A \bfindex{bisimulation} is perhaps the best-known concept defined as a greatest fixed point. Exhibiting a bisimulation to prove the equality of two agents in a process algebra is an example of coinduction. The coinduction rule can be strengthened in various ways; see theory \isa{Gfp} for details. +\index{fixed points|)} \ No newline at end of file