83 also member in the other. The empty finite set, written @{term "{||}"}, can |
83 also member in the other. The empty finite set, written @{term "{||}"}, can |
84 then be defined as the empty list and the union of two finite sets, written |
84 then be defined as the empty list and the union of two finite sets, written |
85 @{text "\<union>"}, as list append. |
85 @{text "\<union>"}, as list append. |
86 |
86 |
87 An area where quotients are ubiquitous is reasoning about programming language |
87 An area where quotients are ubiquitous is reasoning about programming language |
88 calculi. A simple example is the lambda-calculus, whose ``raw'' terms are defined as |
88 calculi. A simple example is the lambda-calculus, whose raw terms are defined as |
89 |
89 |
90 @{text [display, indent=10] "t ::= x | t t | \<lambda>x.t"} |
90 @{text [display, indent=10] "t ::= x | t t | \<lambda>x.t"} |
91 |
91 |
92 \noindent |
92 \noindent |
93 The problem with this definition arises when one attempts to |
93 The problem with this definition arises when one attempts to |
94 prove formally, for example, the substitution lemma \cite{Barendregt81} by induction |
94 prove formally, for example, the substitution lemma \cite{Barendregt81} by induction |
95 over the structure of terms. This can be fiendishly complicated (see |
95 over the structure of terms. This can be fiendishly complicated (see |
96 \cite[Pages 94--104]{CurryFeys58} for some ``rough'' sketches of a proof |
96 \cite[Pages 94--104]{CurryFeys58} for some ``rough'' sketches of a proof |
97 about ``raw'' lambda-terms). In contrast, if we reason about |
97 about raw lambda-terms). In contrast, if we reason about |
98 $\alpha$-equated lambda-terms, that means terms quotient according to |
98 $\alpha$-equated lambda-terms, that means terms quotient according to |
99 $\alpha$-equivalence, then the reasoning infrastructure provided, |
99 $\alpha$-equivalence, then the reasoning infrastructure provided, |
100 for example, by Nominal Isabelle \cite{UrbanKaliszyk11} makes the formal |
100 for example, by Nominal Isabelle \cite{UrbanKaliszyk11} makes the formal |
101 proof of the substitution lemma almost trivial. |
101 proof of the substitution lemma almost trivial. |
102 |
102 |
103 The difficulty is that in order to be able to reason about integers, finite |
103 The difficulty is that in order to be able to reason about integers, finite |
104 sets or $\alpha$-equated lambda-terms one needs to establish a reasoning |
104 sets or $\alpha$-equated lambda-terms one needs to establish a reasoning |
105 infrastructure by transferring, or \emph{lifting}, definitions and theorems |
105 infrastructure by transferring, or \emph{lifting}, definitions and theorems |
106 from the ``raw'' type @{typ "nat \<times> nat"} to the quotient type @{typ int} |
106 from the raw type @{typ "nat \<times> nat"} to the quotient type @{typ int} |
107 (similarly for finite sets and $\alpha$-equated lambda-terms). This lifting |
107 (similarly for finite sets and $\alpha$-equated lambda-terms). This lifting |
108 usually requires a \emph{lot} of tedious reasoning effort \cite{Paulson06}. |
108 usually requires a \emph{lot} of tedious reasoning effort \cite{Paulson06}. |
109 It is feasible to to this work manually, if one has only a few quotient |
109 It is feasible to to this work manually, if one has only a few quotient |
110 constructions at hand. But if they have to be done over and over again as in |
110 constructions at hand. But if they have to be done over and over again as in |
111 Nominal Isabelle, then manual reasoning is not an option. |
111 Nominal Isabelle, then manual reasoning is not an option. |
141 |
141 |
142 \end{tikzpicture} |
142 \end{tikzpicture} |
143 \end{center} |
143 \end{center} |
144 |
144 |
145 \noindent |
145 \noindent |
146 The starting point is an existing type over which an equivalence relation |
146 The starting point is an existing type, often referred to as the |
147 given by the user is defined. With this input the package introduces a new |
147 \emph{raw level}, over which an equivalence relation given by the user is |
148 type that comes with associated \emph{abstraction} and \emph{representation} |
148 defined. With this input the package introduces a new type, to which we |
149 functions, written @{text Abs} and @{text Rep}. These functions relate |
149 refer as the \emph{quotient level}. This type comes with an |
150 elements in the existing type to ones in the new type and vice versa; they |
150 \emph{abstraction} and a \emph{representation} function, written @{text Abs} |
151 can be uniquely identified by their type. For example for the integer |
151 and @{text Rep}. These functions relate elements in the existing type to |
152 quotient construction the types of @{text Abs} and @{text Rep} are |
152 ones in the new type and vice versa; they can be uniquely identified by |
|
153 their type. For example for the integer quotient construction the types of |
|
154 @{text Abs} and @{text Rep} are |
|
155 |
153 |
156 |
154 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%% |
157 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%% |
155 @{text "Abs::nat \<times> nat \<Rightarrow> int"}\hspace{10mm}@{text "Rep::int \<Rightarrow> nat \<times> nat"} |
158 @{text "Abs::nat \<times> nat \<Rightarrow> int"}\hspace{10mm}@{text "Rep::int \<Rightarrow> nat \<times> nat"} |
156 \end{isabelle} |
159 \end{isabelle} |
157 |
160 |
158 \noindent |
161 \noindent |
159 However we often leave this typing information implicit for better |
162 However we often leave this typing information implicit for better |
160 readability. Every abstraction and representation function represents an |
163 readability. Every abstraction and representation function stands for an |
161 isomorphism between the non-empty subset and elements in the new type. They |
164 isomorphism between the non-empty subset and elements in the new type. They |
162 are necessary for making definitions involving the new type. For example |
165 are necessary for making definitions involving the new type. For example |
163 @{text "0"} and @{text "1"} of type @{typ int} can be defined as |
166 @{text "0"} and @{text "1"} of type @{typ int} can be defined as |
164 |
167 |
165 |
168 |
173 |
176 |
174 @{text [display, indent=10] "add n m \<equiv> Abs (add_pair (Rep n) (Rep m))"} |
177 @{text [display, indent=10] "add n m \<equiv> Abs (add_pair (Rep n) (Rep m))"} |
175 |
178 |
176 \noindent |
179 \noindent |
177 where we take the representation of the arguments @{text n} and @{text m}, |
180 where we take the representation of the arguments @{text n} and @{text m}, |
178 add them according to @{text "add_pair"} and then take the |
181 add them according to the function @{text "add_pair"} and then take the |
179 abstraction of the result. This is all straightforward and the existing |
182 abstraction of the result. This is all straightforward and the existing |
180 quotient packages can deal with such definitions. But what is surprising |
183 quotient packages can deal with such definitions. But what is surprising |
181 that none of them can deal with slightly more complicated definitions involving |
184 that none of them can deal with slightly more complicated definitions involving |
182 \emph{compositions} of quotients. Such compositions are needed for example |
185 \emph{compositions} of quotients. Such compositions are needed for example |
183 in case of quotienting lists and the operator that flattens lists of lists, defined |
186 in case of quotienting lists to obtain finite sets and the operator that |
184 as follows |
187 flattens lists of lists, defined as follows |
185 |
188 |
186 @{thm [display, indent=10] concat.simps(1) concat.simps(2)[no_vars]} |
189 @{thm [display, indent=10] concat.simps(1) concat.simps(2)[no_vars]} |
187 |
190 |
188 \noindent |
191 \noindent |
189 We expect that the corresponding operator on finite sets, written @{term "fconcat"}, |
192 We expect that the corresponding operator on finite sets, written @{term "fconcat"}, |
193 |
196 |
194 \noindent |
197 \noindent |
195 The quotient package should provide us with a definition for @{text "\<Union>"} in |
198 The quotient package should provide us with a definition for @{text "\<Union>"} in |
196 terms of @{text flat}, @{text Rep} and @{text Abs} (the latter two having |
199 terms of @{text flat}, @{text Rep} and @{text Abs} (the latter two having |
197 the type @{text "\<alpha> fset \<Rightarrow> \<alpha> list"} and @{text "\<alpha> list \<Rightarrow> \<alpha> fset"}, |
200 the type @{text "\<alpha> fset \<Rightarrow> \<alpha> list"} and @{text "\<alpha> list \<Rightarrow> \<alpha> fset"}, |
198 respectively). The problem is that the method is used in the existing quotient |
201 respectively). The problem is that the method used in the existing quotient |
199 packages of just taking the representation of the arguments and then take |
202 packages of just taking the representation of the arguments and then take |
200 the abstraction of the result is \emph{not} enough. The reason is that case in case |
203 the abstraction of the result is \emph{not} enough. The reason is that case in case |
201 of @{text "\<Union>"} we obtain the incorrect definition |
204 of @{text "\<Union>"} we obtain the incorrect definition |
202 |
205 |
203 @{text [display, indent=10] "\<Union> S \<equiv> Abs (flat (Rep S))"} |
206 @{text [display, indent=10] "\<Union> S \<equiv> Abs (flat (Rep S))"} |
204 |
207 |
205 \noindent |
208 \noindent |
206 where the right-hand side is not even typable! This problem can be remedied in the |
209 where the right-hand side is not even typable! This problem can be remedied in the |
207 existing quotient packages by introducing an intermediate step and reasoning |
210 existing quotient packages by introducing an intermediate step and reasoning |
208 about faltening of lists of finite sets. However, this remedy is rather |
211 about flattening of lists of finite sets. However, this remedy is rather |
209 cumbersome and inelegant in light of our work, which can deal with such |
212 cumbersome and inelegant in light of our work, which can deal with such |
210 definitions directly. The solution is that we need to build aggregate |
213 definitions directly. The solution is that we need to build aggregate |
211 representation and abstraction functions, which in case of @{text "\<Union>"} |
214 representation and abstraction functions, which in case of @{text "\<Union>"} |
212 generate the following definition |
215 generate the following definition |
213 |
216 |
216 \noindent |
219 \noindent |
217 where @{term map} is the usual mapping function for lists. In this paper we |
220 where @{term map} is the usual mapping function for lists. In this paper we |
218 will present a formal definition of our aggregate abstraction and |
221 will present a formal definition of our aggregate abstraction and |
219 representation functions (this definition was omitted in \cite{Homeier05}). |
222 representation functions (this definition was omitted in \cite{Homeier05}). |
220 They generate definitions, like the one above for @{text "\<Union>"}, |
223 They generate definitions, like the one above for @{text "\<Union>"}, |
221 according to the type of the ``raw'' constant and the type |
224 according to the type of the raw constant and the type |
222 of the quotient constant. This means we also have to extend the notions |
225 of the quotient constant. This means we also have to extend the notions |
223 of \emph{respectfulness} and \emph{preservation} from Homeier |
226 of \emph{respectfulness} and \emph{preservation} from Homeier |
224 \cite{Homeier05}. |
227 \cite{Homeier05}. |
225 |
228 |
226 We will also address the criticism by Paulson \cite{Paulson06} cited at the |
229 We will also address the criticism by Paulson \cite{Paulson06} cited at the |
227 beginning of this section about having to collect theorems that are lifted from the raw |
230 beginning of this section about having to collect theorems that are lifted from the raw |
228 level to the quotient level. Our quotient package is modular so that it |
231 level to the quotient level. Our quotient package id the first one that is modular so that it |
229 allows to lift single theorems separately. This has the advantage for the |
232 allows to lift single theorems separately. This has the advantage for the |
230 user to develop a formal theory interactively an a natural progression. A |
233 user to develop a formal theory interactively an a natural progression. A |
231 pleasing result of the modularity is also that we are able to clearly |
234 pleasing result of the modularity is also that we are able to clearly |
232 specify what needs to be done in the lifting process (this was only hinted at in |
235 specify what needs to be done in the lifting process (this was only hinted at in |
233 \cite{Homeier05} and implemented as a ``rough recipe'' in ML-code). |
236 \cite{Homeier05} and implemented as a ``rough recipe'' in ML-code). |