View
5
Download
0
Category
Preview:
Citation preview
NICTA Advanced Course
Theorem Proving
Principles, Techniques, Applications
Recursion
1
CONTENT
➜ Intro & motivation, getting started with Isabelle
➜ Foundations & Principles
• Lambda Calculus
• Higher Order Logic, natural deduction
• Term rewriting
➜ Proof & Specification Techniques
• Inductively defined sets, rule induction
• Datatypes, recursion, induction
• Calculational reasoning, mathematics style proofs
• Hoare logic, proofs about programs
CONTENT 2
LAST TIME
➜ Sets in Isabelle
➜ Inductive Definitions
➜ Rule induction
➜ Fixpoints
➜ Isar: induct and cases
LAST TIME 3
LAST TIME
➜ Sets in Isabelle
➜ Inductive Definitions
➜ Rule induction
➜ Fixpoints
➜ Isar: induct and cases
LAST TIME 3-A
LAST TIME
➜ Sets in Isabelle
➜ Inductive Definitions
➜ Rule induction
➜ Fixpoints
➜ Isar: induct and cases
LAST TIME 3-B
LAST TIME
➜ Sets in Isabelle
➜ Inductive Definitions
➜ Rule induction
➜ Fixpoints
➜ Isar: induct and cases
LAST TIME 3-C
LAST TIME
➜ Sets in Isabelle
➜ Inductive Definitions
➜ Rule induction
➜ Fixpoints
➜ Isar: induct and cases
LAST TIME 3-D
DATATYPES
Example:datatype ’a list = Nil | Cons ’a ”’a list”
Properties:
➜ Constructors:
Nil :: ’a list
Cons :: ’a ⇒ ’a list ⇒ ’a list
➜ Distinctness: Nil 6= Cons x xs
➜ Injectivity: (Cons x xs = Cons y ys) = (x = y ∧ xs = ys)
DATATYPES 4
DATATYPES
Example:datatype ’a list = Nil | Cons ’a ”’a list”
Properties:
➜ Constructors:
Nil :: ’a list
Cons :: ’a ⇒ ’a list ⇒ ’a list
➜ Distinctness: Nil 6= Cons x xs
➜ Injectivity: (Cons x xs = Cons y ys) = (x = y ∧ xs = ys)
DATATYPES 4-A
DATATYPES
Example:datatype ’a list = Nil | Cons ’a ”’a list”
Properties:
➜ Constructors:
Nil :: ’a list
Cons :: ’a ⇒ ’a list ⇒ ’a list
➜ Distinctness: Nil 6= Cons x xs
➜ Injectivity: (Cons x xs = Cons y ys) = (x = y ∧ xs = ys)
DATATYPES 4-B
DATATYPES
Example:datatype ’a list = Nil | Cons ’a ”’a list”
Properties:
➜ Constructors:
Nil :: ’a list
Cons :: ’a ⇒ ’a list ⇒ ’a list
➜ Distinctness: Nil 6= Cons x xs
➜ Injectivity: (Cons x xs = Cons y ys) = (x = y ∧ xs = ys)
DATATYPES 4-C
THE GENERAL CASE
datatype (α1, . . . , αn) τ = C1 τ1,1 . . . τ1,n1
| . . .| Ck τk,1 . . . τk,nk
➜ Constructors: Ci :: τi,1 ⇒ . . . ⇒ τi,ni⇒ (α1, . . . , αn) τ
➜ Distinctness: Ci . . . 6= Cj . . . if i 6= j
➜ Injectivity: (Ci x1 . . . xni= Ci y1 . . . yni
) = (x1 = y1 ∧ . . . ∧ xni= yni
)
Distinctness and Injectivity applied automatically
THE GENERAL CASE 5
THE GENERAL CASE
datatype (α1, . . . , αn) τ = C1 τ1,1 . . . τ1,n1
| . . .| Ck τk,1 . . . τk,nk
➜ Constructors: Ci :: τi,1 ⇒ . . . ⇒ τi,ni⇒ (α1, . . . , αn) τ
➜ Distinctness: Ci . . . 6= Cj . . . if i 6= j
➜ Injectivity: (Ci x1 . . . xni= Ci y1 . . . yni
) = (x1 = y1 ∧ . . . ∧ xni= yni
)
Distinctness and Injectivity applied automatically
THE GENERAL CASE 5-A
THE GENERAL CASE
datatype (α1, . . . , αn) τ = C1 τ1,1 . . . τ1,n1
| . . .| Ck τk,1 . . . τk,nk
➜ Constructors: Ci :: τi,1 ⇒ . . . ⇒ τi,ni⇒ (α1, . . . , αn) τ
➜ Distinctness: Ci . . . 6= Cj . . . if i 6= j
➜ Injectivity: (Ci x1 . . . xni= Ci y1 . . . yni
) = (x1 = y1 ∧ . . . ∧ xni= yni
)
Distinctness and Injectivity applied automatically
THE GENERAL CASE 5-B
THE GENERAL CASE
datatype (α1, . . . , αn) τ = C1 τ1,1 . . . τ1,n1
| . . .| Ck τk,1 . . . τk,nk
➜ Constructors: Ci :: τi,1 ⇒ . . . ⇒ τi,ni⇒ (α1, . . . , αn) τ
➜ Distinctness: Ci . . . 6= Cj . . . if i 6= j
➜ Injectivity: (Ci x1 . . . xni= Ci y1 . . . yni
) = (x1 = y1 ∧ . . . ∧ xni= yni
)
Distinctness and Injectivity applied automatically
THE GENERAL CASE 5-C
THE GENERAL CASE
datatype (α1, . . . , αn) τ = C1 τ1,1 . . . τ1,n1
| . . .| Ck τk,1 . . . τk,nk
➜ Constructors: Ci :: τi,1 ⇒ . . . ⇒ τi,ni⇒ (α1, . . . , αn) τ
➜ Distinctness: Ci . . . 6= Cj . . . if i 6= j
➜ Injectivity: (Ci x1 . . . xni= Ci y1 . . . yni
) = (x1 = y1 ∧ . . . ∧ xni= yni
)
Distinctness and Injectivity applied automatically
THE GENERAL CASE 5-D
HOW IS THIS TYPE DEFINED?
datatype ’a list = Nil | Cons ’a ”’a list”
➜ internally defined using typedef
➜ hence: describes a set
➜ set = trees with constructors as nodes
➜ inductive definition to characterize which trees belong to datatype
More detail: Datatype Universe.thy
HOW IS THIS TYPE DEFINED? 6
HOW IS THIS TYPE DEFINED?
datatype ’a list = Nil | Cons ’a ”’a list”
➜ internally defined using typedef
➜ hence: describes a set
➜ set = trees with constructors as nodes
➜ inductive definition to characterize which trees belong to datatype
More detail: Datatype Universe.thy
HOW IS THIS TYPE DEFINED? 6-A
HOW IS THIS TYPE DEFINED?
datatype ’a list = Nil | Cons ’a ”’a list”
➜ internally defined using typedef
➜ hence: describes a set
➜ set = trees with constructors as nodes
➜ inductive definition to characterize which trees belong to datatype
More detail: Datatype Universe.thy
HOW IS THIS TYPE DEFINED? 6-B
HOW IS THIS TYPE DEFINED?
datatype ’a list = Nil | Cons ’a ”’a list”
➜ internally defined using typedef
➜ hence: describes a set
➜ set = trees with constructors as nodes
➜ inductive definition to characterize which trees belong to datatype
More detail: Datatype Universe.thy
HOW IS THIS TYPE DEFINED? 6-C
HOW IS THIS TYPE DEFINED?
datatype ’a list = Nil | Cons ’a ”’a list”
➜ internally defined using typedef
➜ hence: describes a set
➜ set = trees with constructors as nodes
➜ inductive definition to characterize which trees belong to datatype
More detail: Datatype Universe.thy
HOW IS THIS TYPE DEFINED? 6-D
DATATYPE LIMITATIONS
Must be definable as set.
➜ Infinitely branching ok.
➜ Mutually recursive ok.
➜ Stricly positive (left of function arrow) occurence ok.
Not ok:
datatype t = C (t ⇒ bool)| D ((bool ⇒ t) ⇒ bool)| E ((t ⇒ bool) ⇒ bool)
Because: Cantor’s theorem (α set is larger than α)
DATATYPE LIMITATIONS 7
DATATYPE LIMITATIONS
Must be definable as set.
➜ Infinitely branching ok.
➜ Mutually recursive ok.
➜ Stricly positive (left of function arrow) occurence ok.
Not ok:
datatype t = C (t ⇒ bool)| D ((bool ⇒ t) ⇒ bool)| E ((t ⇒ bool) ⇒ bool)
Because: Cantor’s theorem (α set is larger than α)
DATATYPE LIMITATIONS 7-A
DATATYPE LIMITATIONS
Must be definable as set.
➜ Infinitely branching ok.
➜ Mutually recursive ok.
➜ Stricly positive (left of function arrow) occurence ok.
Not ok:
datatype t = C (t ⇒ bool)| D ((bool ⇒ t) ⇒ bool)| E ((t ⇒ bool) ⇒ bool)
Because: Cantor’s theorem (α set is larger than α)
DATATYPE LIMITATIONS 7-B
DATATYPE LIMITATIONS
Must be definable as set.
➜ Infinitely branching ok.
➜ Mutually recursive ok.
➜ Stricly positive (left of function arrow) occurence ok.
Not ok:
datatype t = C (t ⇒ bool)| D ((bool ⇒ t) ⇒ bool)| E ((t ⇒ bool) ⇒ bool)
Because: Cantor’s theorem (α set is larger than α)
DATATYPE LIMITATIONS 7-C
DATATYPE LIMITATIONS
Must be definable as set.
➜ Infinitely branching ok.
➜ Mutually recursive ok.
➜ Stricly positive (left of function arrow) occurence ok.
Not ok:
datatype t = C (t ⇒ bool)
| D ((bool ⇒ t) ⇒ bool)| E ((t ⇒ bool) ⇒ bool)
Because: Cantor’s theorem (α set is larger than α)
DATATYPE LIMITATIONS 7-D
DATATYPE LIMITATIONS
Must be definable as set.
➜ Infinitely branching ok.
➜ Mutually recursive ok.
➜ Stricly positive (left of function arrow) occurence ok.
Not ok:
datatype t = C (t ⇒ bool)| D ((bool ⇒ t) ⇒ bool)
| E ((t ⇒ bool) ⇒ bool)
Because: Cantor’s theorem (α set is larger than α)
DATATYPE LIMITATIONS 7-E
DATATYPE LIMITATIONS
Must be definable as set.
➜ Infinitely branching ok.
➜ Mutually recursive ok.
➜ Stricly positive (left of function arrow) occurence ok.
Not ok:
datatype t = C (t ⇒ bool)| D ((bool ⇒ t) ⇒ bool)| E ((t ⇒ bool) ⇒ bool)
Because: Cantor’s theorem (α set is larger than α)
DATATYPE LIMITATIONS 7-F
CASE
Every datatype introduces a case construct, e.g.
(case xs of [] ⇒ . . . | y #ys ⇒ ... y ... ys ...)
In general: one case per constructor
➜ Same order of cases as in datatype
➜ No nested patterns (e.g. x#y#zs)
(But nested cases)
➜ Needs () in context
CASE 8
CASE
Every datatype introduces a case construct, e.g.
(case xs of [] ⇒ . . . | y #ys ⇒ ... y ... ys ...)
In general: one case per constructor
➜ Same order of cases as in datatype
➜ No nested patterns (e.g. x#y#zs)
(But nested cases)
➜ Needs () in context
CASE 8-A
CASE
Every datatype introduces a case construct, e.g.
(case xs of [] ⇒ . . . | y #ys ⇒ ... y ... ys ...)
In general: one case per constructor
➜ Same order of cases as in datatype
➜ No nested patterns (e.g. x#y#zs)
(But nested cases)
➜ Needs () in context
CASE 8-B
CASE
Every datatype introduces a case construct, e.g.
(case xs of [] ⇒ . . . | y #ys ⇒ ... y ... ys ...)
In general: one case per constructor
➜ Same order of cases as in datatype
➜ No nested patterns (e.g. x#y#zs)
(But nested cases)
➜ Needs () in context
CASE 8-C
CASE
Every datatype introduces a case construct, e.g.
(case xs of [] ⇒ . . . | y #ys ⇒ ... y ... ys ...)
In general: one case per constructor
➜ Same order of cases as in datatype
➜ No nested patterns (e.g. x#y#zs)
(But nested cases)
➜ Needs () in context
CASE 8-D
CASE
Every datatype introduces a case construct, e.g.
(case xs of [] ⇒ . . . | y #ys ⇒ ... y ... ys ...)
In general: one case per constructor
➜ Same order of cases as in datatype
➜ No nested patterns (e.g. x#y#zs)
(But nested cases)
➜ Needs () in context
CASE 8-E
CASES
apply (case tac t)
creates k subgoals
[[t = Ci x1 . . . xp; . . . ]] =⇒ . . .
one for each constructor Ci
CASES 9
CASES
apply (case tac t)
creates k subgoals
[[t = Ci x1 . . . xp; . . . ]] =⇒ . . .
one for each constructor Ci
CASES 9-A
DEMO
10
RECURSION
11
WHY NONTERMINATION CAN BE HARMFUL
How about f x = f x + 1?
Subtract f x on both sides.
=⇒0 = 1
! All functions in HOL must be total !
WHY NONTERMINATION CAN BE HARMFUL 12
WHY NONTERMINATION CAN BE HARMFUL
How about f x = f x + 1?
Subtract f x on both sides.
=⇒0 = 1
! All functions in HOL must be total !
WHY NONTERMINATION CAN BE HARMFUL 12-A
WHY NONTERMINATION CAN BE HARMFUL
How about f x = f x + 1?
Subtract f x on both sides.
=⇒0 = 1
! All functions in HOL must be total !
WHY NONTERMINATION CAN BE HARMFUL 12-B
WHY NONTERMINATION CAN BE HARMFUL
How about f x = f x + 1?
Subtract f x on both sides.
=⇒0 = 1
! All functions in HOL must be total !
WHY NONTERMINATION CAN BE HARMFUL 12-C
PRIMITIVE RECURSION
primrec guarantees termination structurally
Example primrec def:
consts app :: ”’a list ⇒ ’a list ⇒ ’a list”
primrec
”app Nil ys = ys”
”app (Cons x xs) ys = Cons x (app xs ys)”
PRIMITIVE RECURSION 13
PRIMITIVE RECURSION
primrec guarantees termination structurally
Example primrec def:
consts app :: ”’a list ⇒ ’a list ⇒ ’a list”
primrec
”app Nil ys = ys”
”app (Cons x xs) ys = Cons x (app xs ys)”
PRIMITIVE RECURSION 13-A
THE GENERAL CASE
If τ is a datatype (with constructors C1, . . . , Ck) then f :: τ ⇒ τ ′ canbe defined by primitive recursion:
f (C1 y1,1 . . . y1,n1) = r1
...
f (Ck yk,1 . . . yk,nk) = rk
The recursive calls in ri must be structurally smaller(of the form f a1 . . . yi,j . . . ap)
THE GENERAL CASE 14
THE GENERAL CASE
If τ is a datatype (with constructors C1, . . . , Ck) then f :: τ ⇒ τ ′ canbe defined by primitive recursion:
f (C1 y1,1 . . . y1,n1) = r1
...
f (Ck yk,1 . . . yk,nk) = rk
The recursive calls in ri must be structurally smaller(of the form f a1 . . . yi,j . . . ap)
THE GENERAL CASE 14-A
HOW DOES THIS WORK?primrec just fancy syntax for a recursion operator
Example:
list rec :: ”’b ⇒ (’a ⇒ ’a list ⇒ ’b ⇒ ’b) ⇒ ’a list ⇒ ’b”list rec f1 f2 Nil = f1
list rec f1 f2 (Cons x xs) = f2 x xs (list rec f1 f2 xs)
app ≡ list rec (λys. ys) (λx xs xs′. λys. Cons x (xs′ ys))
Defined: automatically, first inductively (set), then by epsilon
(Nil, f1) ∈ list rel f1 f2
(xs, xs′) ∈ list rel f1 f2
(Cons x xs, f2 x xs xs′) ∈ list rel f1 f2
list rec f1 f2 xs ≡ SOME y. (xs, y) ∈ list rel f1 f2
HOW DOES THIS WORK? 15
HOW DOES THIS WORK?primrec just fancy syntax for a recursion operator
Example:
list rec :: ”’b ⇒ (’a ⇒ ’a list ⇒ ’b ⇒ ’b) ⇒ ’a list ⇒ ’b”list rec f1 f2 Nil = f1
list rec f1 f2 (Cons x xs) = f2 x xs (list rec f1 f2 xs)
app ≡ list rec (λys. ys) (λx xs xs′. λys. Cons x (xs′ ys))
Defined: automatically, first inductively (set), then by epsilon
(Nil, f1) ∈ list rel f1 f2
(xs, xs′) ∈ list rel f1 f2
(Cons x xs, f2 x xs xs′) ∈ list rel f1 f2
list rec f1 f2 xs ≡ SOME y. (xs, y) ∈ list rel f1 f2
HOW DOES THIS WORK? 15-A
HOW DOES THIS WORK?primrec just fancy syntax for a recursion operator
Example:
list rec :: ”’b ⇒ (’a ⇒ ’a list ⇒ ’b ⇒ ’b) ⇒ ’a list ⇒ ’b”list rec f1 f2 Nil = f1
list rec f1 f2 (Cons x xs) = f2 x xs (list rec f1 f2 xs)
app ≡ list rec (λys. ys) (λx xs xs′. λys. Cons x (xs′ ys))
Defined: automatically, first inductively (set), then by epsilon
(Nil, f1) ∈ list rel f1 f2
(xs, xs′) ∈ list rel f1 f2
(Cons x xs, f2 x xs xs′) ∈ list rel f1 f2
list rec f1 f2 xs ≡ SOME y. (xs, y) ∈ list rel f1 f2
HOW DOES THIS WORK? 15-B
HOW DOES THIS WORK?primrec just fancy syntax for a recursion operator
Example:
list rec :: ”’b ⇒ (’a ⇒ ’a list ⇒ ’b ⇒ ’b) ⇒ ’a list ⇒ ’b”list rec f1 f2 Nil = f1
list rec f1 f2 (Cons x xs) = f2 x xs (list rec f1 f2 xs)
app ≡ list rec (λys. ys) (λx xs xs′. λys. Cons x (xs′ ys))
Defined: automatically, first inductively (set), then by epsilon
(Nil, f1) ∈ list rel f1 f2
(xs, xs′) ∈ list rel f1 f2
(Cons x xs, f2 x xs xs′) ∈ list rel f1 f2
list rec f1 f2 xs ≡ SOME y. (xs, y) ∈ list rel f1 f2
HOW DOES THIS WORK? 15-C
HOW DOES THIS WORK?primrec just fancy syntax for a recursion operator
Example:
list rec :: ”’b ⇒ (’a ⇒ ’a list ⇒ ’b ⇒ ’b) ⇒ ’a list ⇒ ’b”list rec f1 f2 Nil = f1
list rec f1 f2 (Cons x xs) = f2 x xs (list rec f1 f2 xs)
app ≡ list rec (λys. ys) (λx xs xs′. λys. Cons x (xs′ ys))
Defined: automatically, first inductively (set), then by epsilon
(Nil, f1) ∈ list rel f1 f2
(xs, xs′) ∈ list rel f1 f2
(Cons x xs, f2 x xs xs′) ∈ list rel f1 f2
list rec f1 f2 xs ≡ SOME y. (xs, y) ∈ list rel f1 f2
HOW DOES THIS WORK? 15-D
PREDEFINED DATATYPES
16
NAT IS A DATATYPE
datatype nat = 0 | Suc nat
Functions on nat definable by primrec!
primrec
f 0 = ...
f (Suc n) = ... f n ...
NAT IS A DATATYPE 17
NAT IS A DATATYPE
datatype nat = 0 | Suc nat
Functions on nat definable by primrec!
primrec
f 0 = ...
f (Suc n) = ... f n ...
NAT IS A DATATYPE 17-A
OPTION
datatype ’a option = None | Some ’a
Important application:
’b ⇒ ’a option ∼ partial function:
None ∼ no resultSome a ∼ result a
Example:consts lookup :: ’k ⇒ (’k × ’v) list ⇒ ’v optionprimrec
lookup k [] = None
lookup k (x #xs) = (if fst x = k then Some (snd x) else lookup k xs)
OPTION 18
OPTION
datatype ’a option = None | Some ’a
Important application:
’b ⇒ ’a option ∼ partial function:
None ∼ no resultSome a ∼ result a
Example:consts lookup :: ’k ⇒ (’k × ’v) list ⇒ ’v optionprimrec
lookup k [] = None
lookup k (x #xs) = (if fst x = k then Some (snd x) else lookup k xs)
OPTION 18-A
OPTION
datatype ’a option = None | Some ’a
Important application:
’b ⇒ ’a option ∼ partial function:
None ∼ no resultSome a ∼ result a
Example:consts lookup :: ’k ⇒ (’k × ’v) list ⇒ ’v optionprimrec
lookup k [] = None
lookup k (x #xs) =
(if fst x = k then Some (snd x) else lookup k xs)
OPTION 18-B
OPTION
datatype ’a option = None | Some ’a
Important application:
’b ⇒ ’a option ∼ partial function:
None ∼ no resultSome a ∼ result a
Example:consts lookup :: ’k ⇒ (’k × ’v) list ⇒ ’v optionprimrec
lookup k [] = None
lookup k (x #xs) = (if fst x = k then Some (snd x) else lookup k xs)
OPTION 18-C
DEMO: PRIMREC
19
INDUCTION
20
STRUCTURAL INDUCTION
P xs holds for all lists xs if
➜ P Nil
➜ and for arbitrary x and xs, P xs =⇒ P (x#xs)
Induction theorem list.induct:[[P [];
V
a list. P list =⇒ P (a#list)]] =⇒ P list
➜ General proof method for induction: (induct x)
• x must be a free variable in the first subgoal.
• type of x must be a datatype.
STRUCTURAL INDUCTION 21
STRUCTURAL INDUCTION
P xs holds for all lists xs if
➜ P Nil
➜ and for arbitrary x and xs, P xs =⇒ P (x#xs)
Induction theorem list.induct:[[P [];
V
a list. P list =⇒ P (a#list)]] =⇒ P list
➜ General proof method for induction: (induct x)
• x must be a free variable in the first subgoal.
• type of x must be a datatype.
STRUCTURAL INDUCTION 21-A
STRUCTURAL INDUCTION
P xs holds for all lists xs if
➜ P Nil
➜ and for arbitrary x and xs, P xs =⇒ P (x#xs)
Induction theorem list.induct:[[P [];
V
a list. P list =⇒ P (a#list)]] =⇒ P list
➜ General proof method for induction: (induct x)
• x must be a free variable in the first subgoal.
• type of x must be a datatype.
STRUCTURAL INDUCTION 21-B
BASIC HEURISTICS
Theorems about recursive functions are proved by induction
Induction on argument number i of f
if f is defined by recursion on argument number i
BASIC HEURISTICS 22
EXAMPLE
A tail recursive list reverse:
consts itrev :: ’a list ⇒ ’a list ⇒ ’a list
primrec
itrev [] ys =
ys
itrev (x#xs) ys = itrev xs (x#ys)
lemma itrev xs [] = rev xs
EXAMPLE 23
EXAMPLE
A tail recursive list reverse:
consts itrev :: ’a list ⇒ ’a list ⇒ ’a list
primrec
itrev [] ys = ys
itrev (x#xs) ys =
itrev xs (x#ys)
lemma itrev xs [] = rev xs
EXAMPLE 23-A
EXAMPLE
A tail recursive list reverse:
consts itrev :: ’a list ⇒ ’a list ⇒ ’a list
primrec
itrev [] ys = ys
itrev (x#xs) ys = itrev xs (x#ys)
lemma itrev xs [] = rev xs
EXAMPLE 23-B
EXAMPLE
A tail recursive list reverse:
consts itrev :: ’a list ⇒ ’a list ⇒ ’a list
primrec
itrev [] ys = ys
itrev (x#xs) ys = itrev xs (x#ys)
lemma itrev xs [] = rev xs
EXAMPLE 23-C
DEMO: PROOF ATTEMPT
24
GENERALISATION
Replace constants by variables
lemma itrev xs ys = rev xs@ys
Quantify free variables by ∀
(except the induction variable)
lemma ∀ys. itrev xs ys = rev xs@ys
GENERALISATION 25
GENERALISATION
Replace constants by variables
lemma itrev xs ys = rev xs@ys
Quantify free variables by ∀
(except the induction variable)
lemma ∀ys. itrev xs ys = rev xs@ys
GENERALISATION 25-A
GENERALISATION
Replace constants by variables
lemma itrev xs ys = rev xs@ys
Quantify free variables by ∀
(except the induction variable)
lemma ∀ys. itrev xs ys = rev xs@ys
GENERALISATION 25-B
ISAR
26
DATATYPE CASE DISTINCTION
proof (cases term)case Constructor1...
next...next
case (Constructork ~x)· · · ~x · · ·
qed
case (Constructori ~x) ≡
fix ~x assume Constructori : ”term = Constructori ~x”
DATATYPE CASE DISTINCTION 27
DATATYPE CASE DISTINCTION
proof (cases term)case Constructor1...
next...next
case (Constructork ~x)· · · ~x · · ·
qed
case (Constructori ~x) ≡
fix ~x assume Constructori : ”term = Constructori ~x”
DATATYPE CASE DISTINCTION 27-A
STRUCTURAL INDUCTION FOR TYPE NAT
show P n
proof (induct n)
case 0 ≡ let ?case = P 0
. . .
show ?case
next
case (Suc n) ≡ fix n assume Suc: P n
. . . let ?case = P (Suc n)
· · · n · · ·
show ?case
qed
STRUCTURAL INDUCTION FOR TYPE NAT 28
STRUCTURAL INDUCTION WITH =⇒ AND∧
show ”∧
x. A n =⇒ P n”proof (induct n)
case 0 ≡ fix x assume 0: ”A 0”. . . let ?case = ”P 0”show ?case
nextcase (Suc n) ≡ fix n and x
. . . assume Suc: ”∧
x. A n =⇒ P n”· · · n · · · ”A (Suc n)”. . . let ?case = ”P (Suc n)”show ?case
qed
STRUCTURAL INDUCTION WITH =⇒ ANDV
29
DEMO
30
WE HAVE SEEN TODAY ...
➜ Datatypes
➜ Primite Recursion
➜ Case distinction
➜ Induction
WE HAVE SEEN TODAY ... 31
WE HAVE SEEN TODAY ...
➜ Datatypes
➜ Primite Recursion
➜ Case distinction
➜ Induction
WE HAVE SEEN TODAY ... 31-A
WE HAVE SEEN TODAY ...
➜ Datatypes
➜ Primite Recursion
➜ Case distinction
➜ Induction
WE HAVE SEEN TODAY ... 31-B
WE HAVE SEEN TODAY ...
➜ Datatypes
➜ Primite Recursion
➜ Case distinction
➜ Induction
WE HAVE SEEN TODAY ... 31-C
EXERCISES
➜ look at http://isabelle.in.tum.de/library/HOL/Datatype_Universe.html
➜ define a primitive recursive function listsum :: nat list ⇒ natthat returns the sum of the elements in a list.
➜ show ”2 ∗ listsum [0..n] = n ∗ (n + 1)”
➜ show ”listsum (replicate n a) = n ∗ a”
➜ define a function listsumT using a tail recursive version of listsum.
➜ show that the two functions are equivalent: listsum xs = listsumT xs
EXERCISES 32
NEXT LECTURE
Nicolas Magaud
on
The Coq System
Monday 15:00 – 16:30
NEXT LECTURE 33
Recommended