1 |
2 |
theory Tutorial2s
3 |
imports Lambda
4 |
5 |
6 |
section {* Height of a Lambda-Term *}
7 |
8 |
text {*
9 |
The theory Lambda defines the notions of capture-avoiding
10 |
substitution and the height of lambda terms.
11 |
12 |
13 |
thm height.simps
14 |
thm subst.simps
15 |
16 |
subsection {* EXERCISE 7 *}
17 |
18 |
text {*
19 |
Lets prove a property about the height of substitutions.
20 |
21 |
Assume that the height of a lambda-term is always greater
22 |
or equal to 1.
23 |
24 |
25 |
lemma height_ge_one:
26 |
shows "1 \<le> height t"
27 |
by (induct t rule: lam.induct) (auto)
28 |
29 |
text {* Remove the sorries *}
30 |
31 |
32 |
shows "height (t[x ::= t']) \<le> height t - 1 + height t'"
33 |
proof (nominal_induct t avoiding: x t' rule: lam.strong_induct)
34 |
case (Var y)
35 |
have "1 \<le> height t'" using height_ge_one by simp
36 |
then show "height (Var y[x ::= t']) \<le> height (Var y) - 1 + height t'" by simp
37 |
38 |
case (App t1 t2)
39 |
have ih1: "height (t1[x::=t']) \<le> (height t1) - 1 + height t'"
40 |
and ih2: "height (t2[x::=t']) \<le> (height t2) - 1 + height t'" by fact+
41 |
then show "height ((App t1 t2)[x ::= t']) \<le> height (App t1 t2) - 1 + height t'" by simp
42 |
43 |
case (Lam y t1)
44 |
have ih: "height (t1[x::=t']) \<le> height t1 - 1 + height t'" by fact
45 |
46 |
have vc: "atom y \<sharp> x" "atom y \<sharp> t'" by fact+ -- {* usual variable convention *}
47 |
48 |
show "height ((Lam [y].t1)[x ::= t']) \<le> height (Lam [y].t1) - 1 + height t'" by simp
49 |
50 |
51 |
52 |
section {* Types and the Weakening Lemma *}
53 |
54 |
nominal_datatype ty =
55 |
tVar "string"
56 |
| tArr "ty" "ty" (infixr "\<rightarrow>" 100)
57 |
58 |
59 |
text {*
60 |
Having defined them as nominal datatypes gives us additional
61 |
definitions and theorems that come with types (see below).
62 |
63 |
We next define the type of typing contexts, a predicate that
64 |
defines valid contexts (i.e. lists that contain only unique
65 |
variables) and the typing judgement.
66 |
67 |
68 |
type_synonym ty_ctx = "(name \<times> ty) list"
69 |
70 |
71 |
valid :: "ty_ctx \<Rightarrow> bool"
72 |
73 |
v1[intro]: "valid []"
74 |
| v2[intro]: "\<lbrakk>valid \<Gamma>; atom x \<sharp> \<Gamma>\<rbrakk>\<Longrightarrow> valid ((x, T) # \<Gamma>)"
75 |
76 |
77 |
78 |
typing :: "ty_ctx \<Rightarrow> lam \<Rightarrow> ty \<Rightarrow> bool" ("_ \<turnstile> _ : _" [60, 60, 60] 60)
79 |
80 |
t_Var[intro]: "\<lbrakk>valid \<Gamma>; (x, T) \<in> set \<Gamma>\<rbrakk> \<Longrightarrow> \<Gamma> \<turnstile> Var x : T"
81 |
| t_App[intro]: "\<lbrakk>\<Gamma> \<turnstile> t1 : T1 \<rightarrow> T2; \<Gamma> \<turnstile> t2 : T1\<rbrakk> \<Longrightarrow> \<Gamma> \<turnstile> App t1 t2 : T2"
82 |
| t_Lam[intro]: "\<lbrakk>atom x \<sharp> \<Gamma>; (x, T1) # \<Gamma> \<turnstile> t : T2\<rbrakk> \<Longrightarrow> \<Gamma> \<turnstile> Lam [x].t : T1 \<rightarrow> T2"
83 |
84 |
85 |
text {*
86 |
The predicate atom x \<sharp> \<Gamma>, read as x fresh for \<Gamma>, is defined by
87 |
Nominal Isabelle. It is defined for lambda-terms, products, lists etc.
88 |
For example we have:
89 |
90 |
91 |
92 |
fixes x::"name"
93 |
shows "atom x \<sharp> Lam [x].t"
94 |
and "atom x \<sharp> (t1, t2) \<Longrightarrow> atom x \<sharp> App t1 t2"
95 |
and "atom x \<sharp> Var y \<Longrightarrow> atom x \<sharp> y"
96 |
and "\<lbrakk>atom x \<sharp> t1; atom x \<sharp> t2\<rbrakk> \<Longrightarrow> atom x \<sharp> (t1, t2)"
97 |
and "\<lbrakk>atom x \<sharp> l1; atom x \<sharp> l2\<rbrakk> \<Longrightarrow> atom x \<sharp> (l1 @ l2)"
98 |
and "atom x \<sharp> y \<Longrightarrow> x \<noteq> y"
99 |
by (simp_all add: lam.fresh fresh_append fresh_at_base)
100 |
101 |
text {*
102 |
We can also prove that every variable is fresh for a type.
103 |
104 |
105 |
lemma ty_fresh:
106 |
fixes x::"name"
107 |
and T::"ty"
108 |
shows "atom x \<sharp> T"
109 |
by (induct T rule: ty.induct)
110 |
(simp_all add: ty.fresh pure_fresh)
111 |
112 |
text {*
113 |
In order to state the weakening lemma in a convenient form, we
114 |
using the following abbreviation. Abbreviations behave like
115 |
definitions, except that they are always automatically folded
116 |
and unfolded.
117 |
118 |
119 |
120 |
"sub_ty_ctx" :: "ty_ctx \<Rightarrow> ty_ctx \<Rightarrow> bool" ("_ \<sqsubseteq> _" [60, 60] 60)
121 |
122 |
"\<Gamma>1 \<sqsubseteq> \<Gamma>2 \<equiv> \<forall>x. x \<in> set \<Gamma>1 \<longrightarrow> x \<in> set \<Gamma>2"
123 |
124 |
125 |
subsection {* EXERCISE 8 *}
126 |
127 |
text {*
128 |
Fill in the details and give a proof of the weakening lemma.
129 |
130 |
131 |
132 |
assumes a: "\<Gamma>1 \<turnstile> t : T"
133 |
and b: "valid \<Gamma>2"
134 |
and c: "\<Gamma>1 \<sqsubseteq> \<Gamma>2"
135 |
shows "\<Gamma>2 \<turnstile> t : T"
136 |
using a b c
137 |
proof (induct arbitrary: \<Gamma>2)
138 |
case (t_Var \<Gamma>1 x T)
139 |
have a1: "valid \<Gamma>1" by fact
140 |
have a2: "(x, T) \<in> set \<Gamma>1" by fact
141 |
have a3: "valid \<Gamma>2" by fact
142 |
have a4: "\<Gamma>1 \<sqsubseteq> \<Gamma>2" by fact
143 |
144 |
show "\<Gamma>2 \<turnstile> Var x : T" sorry
145 |
146 |
case (t_Lam x \<Gamma>1 T1 t T2)
147 |
have ih: "\<And>\<Gamma>3. \<lbrakk>valid \<Gamma>3; (x, T1) # \<Gamma>1 \<sqsubseteq> \<Gamma>3\<rbrakk> \<Longrightarrow> \<Gamma>3 \<turnstile> t : T2" by fact
148 |
have a0: "atom x \<sharp> \<Gamma>1" by fact
149 |
have a1: "valid \<Gamma>2" by fact
150 |
have a2: "\<Gamma>1 \<sqsubseteq> \<Gamma>2" by fact
151 |
152 |
show "\<Gamma>2 \<turnstile> Lam [x].t : T1 \<rightarrow> T2" sorry
153 |
qed (auto) -- {* the application case is automatic*}
154 |
155 |
156 |
text {*
157 |
Despite the frequent claim that the weakening lemma is trivial,
158 |
routine or obvious, the proof in the lambda-case does not go
159 |
through smoothly. Painful variable renamings seem to be necessary.
160 |
But the proof using renamings is horribly complicated (see below).
161 |
162 |
163 |
equivariance valid
164 |
equivariance typing
165 |
166 |
lemma weakening_NOT_TO_BE_TRIED_AT_HOME:
167 |
assumes a: "\<Gamma>1 \<turnstile> t : T"
168 |
and b: "valid \<Gamma>2"
169 |
and c: "\<Gamma>1 \<sqsubseteq> \<Gamma>2"
170 |
shows "\<Gamma>2 \<turnstile> t : T"
171 |
using a b c
172 |
proof (induct arbitrary: \<Gamma>2)
173 |
-- {* lambda case *}
174 |
case (t_Lam x \<Gamma>1 T1 t T2)
175 |
have fc0: "atom x \<sharp> \<Gamma>1" by fact
176 |
have ih: "\<And>\<Gamma>3. \<lbrakk>valid \<Gamma>3; (x, T1) # \<Gamma>1 \<sqsubseteq> \<Gamma>3\<rbrakk> \<Longrightarrow> \<Gamma>3 \<turnstile> t : T2" by fact
177 |
-- {* we choose a fresh variable *}
178 |
obtain c::"name" where fc1: "atom c \<sharp> (x, t, \<Gamma>1, \<Gamma>2)" by (rule obtain_fresh)
179 |
-- {* we alpha-rename the abstraction *}
180 |
have "Lam [c].((c \<leftrightarrow> x) \<bullet> t) = Lam [x].t" using fc1
181 |
by (auto simp add: lam.eq_iff Abs1_eq_iff flip_def)
182 |
183 |
-- {* we can then alpha rename the goal *}
184 |
have "\<Gamma>2 \<turnstile> Lam [c].((c \<leftrightarrow> x) \<bullet> t) : T1 \<rightarrow> T2"
185 |
proof -
186 |
-- {* we need to establish *}
187 |
-- {* (1) (x, T1) # \<Gamma>1 \<sqsubseteq> (x, T1) # ((c \<leftrightarrow> x) \<bullet> \<Gamma>2) *}
188 |
-- {* (2) valid ((x, T1) # ((c \<leftrightarrow> x) \<bullet> \<Gamma>2)) *}
189 |
have "(1)": "(x, T1) # \<Gamma>1 \<sqsubseteq> (x, T1) # ((c \<leftrightarrow> x) \<bullet> \<Gamma>2)"
190 |
proof -
191 |
have "\<Gamma>1 \<sqsubseteq> \<Gamma>2" by fact
192 |
then have "(c \<leftrightarrow> x) \<bullet> ((x, T1) # \<Gamma>1 \<sqsubseteq> (x, T1) # ((c \<leftrightarrow> x) \<bullet> \<Gamma>2))" using fc0 fc1
193 |
by (perm_simp) (simp add: flip_fresh_fresh)
194 |
then show "(x, T1) # \<Gamma>1 \<sqsubseteq> (x, T1) # ((c \<leftrightarrow> x) \<bullet> \<Gamma>2)" by (rule permute_boolE)
195 |
196 |
197 |
have "(2)": "valid ((x, T1) # ((c \<leftrightarrow> x) \<bullet> \<Gamma>2))"
198 |
proof -
199 |
have "valid \<Gamma>2" by fact
200 |
then show "valid ((x, T1) # ((c \<leftrightarrow> x) \<bullet> \<Gamma>2))" using fc1
201 |
by (auto simp add: fresh_permute_left atom_eqvt valid.eqvt)
202 |
203 |
-- {* these two facts give us by induction hypothesis the following *}
204 |
ultimately have "(x, T1) # ((c \<leftrightarrow> x) \<bullet> \<Gamma>2) \<turnstile> t : T2" using ih by simp
205 |
-- {* we now apply renamings to get to our goal *}
206 |
then have "(c \<leftrightarrow> x) \<bullet> ((x, T1) # ((c \<leftrightarrow> x) \<bullet> \<Gamma>2) \<turnstile> t : T2)" by (rule permute_boolI)
207 |
then have "(c, T1) # \<Gamma>2 \<turnstile> ((c \<leftrightarrow> x) \<bullet> t) : T2" using fc1
208 |
by (perm_simp) (simp add: flip_fresh_fresh ty_fresh)
209 |
then show "\<Gamma>2 \<turnstile> Lam [c].((c \<leftrightarrow> x) \<bullet> t) : T1 \<rightarrow> T2" using fc1 by auto
210 |
211 |
ultimately show "\<Gamma>2 \<turnstile> Lam [x].t : T1 \<rightarrow> T2" by (simp only:)
212 |
qed (auto) -- {* var and app cases, luckily, are automatic *}
213 |
214 |
215 |
text {*
216 |
The remedy is to use again a stronger induction principle that
217 |
has the usual "variable convention" already build in. The
218 |
following command derives this induction principle for the typing
219 |
relation. (We shall explain what happens here later.)
220 |
221 |
222 |
nominal_inductive typing
223 |
avoids t_Lam: "x"
224 |
unfolding fresh_star_def
225 |
by (simp_all add: fresh_Pair lam.fresh ty_fresh)
226 |
227 |
text {* Compare the two induction principles *}
228 |
229 |
thm typing.induct
230 |
thm typing.strong_induct -- {* note the additional assumption {atom x} \<sharp> c *}
231 |
232 |
text {*
233 |
We can use the stronger induction principle by replacing
234 |
the line
235 |
236 |
proof (induct arbitrary: \<Gamma>2)
237 |
238 |
239 |
240 |
proof (nominal_induct avoiding: \<Gamma>2 rule: typing.strong_induct)
241 |
242 |
Try now the proof.
243 |
244 |
245 |
subsection {* EXERCISE 9 *}
246 |
247 |
lemma weakening:
248 |
assumes a: "\<Gamma>1 \<turnstile> t : T"
249 |
and b: "valid \<Gamma>2"
250 |
and c: "\<Gamma>1 \<sqsubseteq> \<Gamma>2"
251 |
shows "\<Gamma>2 \<turnstile> t : T"
252 |
using a b c
253 |
proof (nominal_induct avoiding: \<Gamma>2 rule: typing.strong_induct)
254 |
case (t_Var \<Gamma>1 x T) -- {* variable case is as before *}
255 |
have "\<Gamma>1 \<sqsubseteq> \<Gamma>2" by fact
256 |
257 |
have "valid \<Gamma>2" by fact
258 |
259 |
have "(x, T)\<in> set \<Gamma>1" by fact
260 |
ultimately show "\<Gamma>2 \<turnstile> Var x : T" by auto
261 |
262 |
case (t_Lam x \<Gamma>1 T1 t T2)
263 |
have vc: "atom x \<sharp> \<Gamma>2" by fact -- {* additional fact afforded by the strong induction *}
264 |
have ih: "\<And>\<Gamma>3. \<lbrakk>valid \<Gamma>3; (x, T1) # \<Gamma>1 \<sqsubseteq> \<Gamma>3\<rbrakk> \<Longrightarrow> \<Gamma>3 \<turnstile> t : T2" by fact
265 |
have a0: "atom x \<sharp> \<Gamma>1" by fact
266 |
have a1: "valid \<Gamma>2" by fact
267 |
have a2: "\<Gamma>1 \<sqsubseteq> \<Gamma>2" by fact
268 |
have "valid ((x, T1) # \<Gamma>2)" using a1 vc by auto
269 |
270 |
have "(x, T1) # \<Gamma>1 \<sqsubseteq> (x, T1) # \<Gamma>2" using a2 by auto
271 |
272 |
have "(x, T1) # \<Gamma>2 \<turnstile> t : T2" using ih by simp
273 |
then show "\<Gamma>2 \<turnstile> Lam [x].t : T1 \<rightarrow> T2" using vc by auto
274 |
qed (auto) -- {* app case *}
275 |
276 |
277 |
278 |
section {* Unbind and an Inconsistency Example *}
279 |
280 |
text {*
281 |
You might wonder why we had to discharge some proof
282 |
obligations in order to obtain the stronger induction
283 |
principle for the typing relation. (Remember for
284 |
lambda terms this stronger induction principle is
285 |
derived automatically.)
286 |
287 |
This proof obligation is really needed, because if we
288 |
assume universally a stronger induction principle, then
289 |
in some cases we can derive false. This is "shown" below.
290 |
291 |
292 |
293 |
294 |
unbind :: "lam \<Rightarrow> lam \<Rightarrow> bool" (infixr "\<mapsto>" 60)
295 |
296 |
u_Var[intro]: "Var x \<mapsto> Var x"
297 |
| u_App[intro]: "App t1 t2 \<mapsto> App t1 t2"
298 |
| u_Lam[intro]: "t \<mapsto> t' \<Longrightarrow> Lam [x].t \<mapsto> t'"
299 |
300 |
text {* It is clear that the following judgement holds. *}
301 |
302 |
lemma unbind_simple:
303 |
shows "Lam [x].Var x \<mapsto> Var x"
304 |
by auto
305 |
306 |
text {*
307 |
Now lets derive the strong induction principle for unbind.
308 |
The point is that we cannot establish the proof obligations,
309 |
therefore we force Isabelle to accept them by using "sorry".
310 |
311 |
312 |
equivariance unbind
313 |
nominal_inductive unbind
314 |
avoids u_Lam: "x"
315 |
316 |
317 |
text {*
318 |
Using the stronger induction principle, we can establish
319 |
th follwoing bogus property.
320 |
321 |
322 |
lemma unbind_fake:
323 |
fixes y::"name"
324 |
assumes a: "t \<mapsto> t'"
325 |
and b: "atom y \<sharp> t"
326 |
shows "atom y \<sharp> t'"
327 |
using a b
328 |
proof (nominal_induct avoiding: y rule: unbind.strong_induct)
329 |
case (u_Lam t t' x y)
330 |
have ih: "atom y \<sharp> t \<Longrightarrow> atom y \<sharp> t'" by fact
331 |
have asm: "atom y \<sharp> Lam [x]. t" by fact
332 |
have fc: "atom x \<sharp> y" by fact
333 |
then have in_eq: "x \<noteq> y" by (simp add: fresh_at_base)
334 |
then have "atom y \<sharp> t" using asm by (simp add: lam.fresh)
335 |
then show "atom y \<sharp> t'" using ih by simp
336 |
337 |
338 |
text {*
339 |
And from this follows the inconsitency:
340 |
341 |
342 |
343 |
shows "False"
344 |
proof -
345 |
have "atom x \<sharp> Lam [x]. Var x" by (simp add: lam.fresh)
346 |
347 |
have "Lam [x]. Var x \<mapsto> Var x" using unbind_simple by auto
348 |
349 |
have "atom x \<sharp> Var x"
350 |
by (rule_tac unbind_fake) (auto)
351 |
then have "x \<noteq> x" by (simp add: lam.fresh fresh_at_base)
352 |
then show "False" by simp
353 |
354 |
355 |