136 @{text "\<union>"}, as list append. |
136 @{text "\<union>"}, as list append. |
137 |
137 |
138 Quotients are important in a variety of areas, but they are really ubiquitous in |
138 Quotients are important in a variety of areas, but they are really ubiquitous in |
139 the area of reasoning about programming language calculi. A simple example |
139 the area of reasoning about programming language calculi. A simple example |
140 is the lambda-calculus, whose raw terms are defined as |
140 is the lambda-calculus, whose raw terms are defined as |
141 % |
141 |
142 %\begin{isabelle}\ \ \ \ \ %%% |
142 \begin{isabelle}\ \ \ \ \ %%% |
143 @{text "t ::= x | t t | \<lambda>x.t"}%\hfill\numbered{lambda} |
143 @{text "t ::= x | t t | \<lambda>x.t"}%\hfill\numbered{lambda} |
144 %\end{isabelle} |
144 \end{isabelle} |
145 % |
145 |
146 %\noindent |
146 \noindent |
147 The problem with this definition arises, for instance, when one attempts to |
147 The problem with this definition arises, for instance, when one attempts to |
148 prove formally the substitution lemma \cite{Barendregt81} by induction |
148 prove formally the substitution lemma \cite{Barendregt81} by induction |
149 over the structure of terms. This can be fiendishly complicated (see |
149 over the structure of terms. This can be fiendishly complicated (see |
150 \cite[Pages 94--104]{CurryFeys58} for some ``rough'' sketches of a proof |
150 \cite[Pages 94--104]{CurryFeys58} for some ``rough'' sketches of a proof |
151 about raw lambda-terms). In contrast, if we reason about |
151 about raw lambda-terms). In contrast, if we reason about |
152 $\alpha$-equated lambda-terms, that means terms quotient according to |
152 $\alpha$-equated lambda-terms, that means terms quotient according to |
153 $\alpha$-equivalence, then the reasoning infrastructure provided, |
153 $\alpha$-equivalence, then the reasoning infrastructure provided, |
154 for example, by Nominal Isabelle %\cite{UrbanKaliszyk11} |
154 for example, by Nominal Isabelle %%\cite{UrbanKaliszyk11} |
155 makes the formal |
155 makes the formal |
156 proof of the substitution lemma almost trivial. |
156 proof of the substitution lemma almost trivial. |
157 |
157 |
158 The difficulty is that in order to be able to reason about integers, finite |
158 The difficulty is that in order to be able to reason about integers, finite |
159 sets or $\alpha$-equated lambda-terms one needs to establish a reasoning |
159 sets or $\alpha$-equated lambda-terms one needs to establish a reasoning |
260 @{thm concat.simps(1)[THEN eq_reflection]}\hspace{10mm} |
260 @{thm concat.simps(1)[THEN eq_reflection]}\hspace{10mm} |
261 @{thm concat.simps(2)[THEN eq_reflection, no_vars]} |
261 @{thm concat.simps(2)[THEN eq_reflection, no_vars]} |
262 \end{isabelle} |
262 \end{isabelle} |
263 |
263 |
264 \noindent |
264 \noindent |
265 where @{text "@"} is %the usual |
265 where @{text "@"} is the usual |
266 list append. We expect that the corresponding |
266 list append. We expect that the corresponding |
267 operator on finite sets, written @{term "fconcat"}, |
267 operator on finite sets, written @{term "fconcat"}, |
268 builds finite unions of finite sets: |
268 builds finite unions of finite sets: |
269 |
269 |
270 \begin{isabelle}\ \ \ \ \ %%% |
270 \begin{isabelle}\ \ \ \ \ %%% |
315 following the structure of the theorem being lifted and the theorem |
315 following the structure of the theorem being lifted and the theorem |
316 on the quotient level. Space constraints, unfortunately, allow us to only |
316 on the quotient level. Space constraints, unfortunately, allow us to only |
317 sketch this part of our work in Section 5 and we defer the reader to a longer |
317 sketch this part of our work in Section 5 and we defer the reader to a longer |
318 version for the details. However, we will give in Section 3 and 4 all |
318 version for the details. However, we will give in Section 3 and 4 all |
319 definitions that specify the input and output data of our three-step |
319 definitions that specify the input and output data of our three-step |
320 lifting procedure. |
320 lifting procedure. Appendix A gives an example how our quotient |
321 %Appendix A gives an example how our quotient package works in practise. |
321 package works in practise. |
322 *} |
322 *} |
323 |
323 |
324 section {* Preliminaries and General\\ Quotients\label{sec:prelims} *} |
324 section {* Preliminaries and General\\ Quotients\label{sec:prelims} *} |
325 |
325 |
326 text {* |
326 text {* |
688 |
688 |
689 \noindent |
689 \noindent |
690 In our implementation we further |
690 In our implementation we further |
691 simplify this function by rewriting with the usual laws about @{text |
691 simplify this function by rewriting with the usual laws about @{text |
692 "map"}s and @{text "id"}, for example @{term "map_list id = id"} and @{text "f \<circ> id = |
692 "map"}s and @{text "id"}, for example @{term "map_list id = id"} and @{text "f \<circ> id = |
693 id \<circ> f = f"}. This gives us %%%the simpler abstraction function |
693 id \<circ> f = f"}. This gives us the simpler abstraction function |
694 |
694 |
695 \begin{isabelle}\ \ \ \ \ %%% |
695 \begin{isabelle}\ \ \ \ \ %%% |
696 @{text "(map_list Rep_fset \<circ> Rep_fset) \<singlearr> Abs_fset"} |
696 @{text "(map_list Rep_fset \<circ> Rep_fset) \<singlearr> Abs_fset"} |
697 \end{isabelle} |
697 \end{isabelle} |
698 |
698 |
707 Note that by using the operator @{text "\<singlearr>"} and special clauses |
707 Note that by using the operator @{text "\<singlearr>"} and special clauses |
708 for function types in \eqref{ABSREP}, we do not have to |
708 for function types in \eqref{ABSREP}, we do not have to |
709 distinguish between arguments and results, but can deal with them uniformly. |
709 distinguish between arguments and results, but can deal with them uniformly. |
710 Consequently, all definitions in the quotient package |
710 Consequently, all definitions in the quotient package |
711 are of the general form |
711 are of the general form |
712 % |
712 |
713 %\begin{isabelle}\ \ \ \ \ %%% |
713 \begin{isabelle}\ \ \ \ \ %%% |
714 \mbox{@{text "c \<equiv> ABS (\<sigma>, \<tau>) t"}} |
714 \mbox{@{text "c \<equiv> ABS (\<sigma>, \<tau>) t"}} |
715 %\end{isabelle} |
715 \end{isabelle} |
716 % |
716 |
717 %\noindent |
717 \noindent |
718 where @{text \<sigma>} is the type of the definiens @{text "t"} and @{text "\<tau>"} the |
718 where @{text \<sigma>} is the type of the definiens @{text "t"} and @{text "\<tau>"} the |
719 type of the defined quotient constant @{text "c"}. This data can be easily |
719 type of the defined quotient constant @{text "c"}. This data can be easily |
720 generated from the declaration given by the user. |
720 generated from the declaration given by the user. |
721 To increase the confidence in this way of making definitions, we can prove |
721 To increase the confidence in this way of making definitions, we can prove |
722 that the terms involved are all typable. |
722 that the terms involved are all typable. |
756 involving constants over the raw type to theorems involving constants over |
756 involving constants over the raw type to theorems involving constants over |
757 the quotient type. Before we can describe this lifting process, we need to impose |
757 the quotient type. Before we can describe this lifting process, we need to impose |
758 two restrictions in form of proof obligations that arise during the |
758 two restrictions in form of proof obligations that arise during the |
759 lifting. The reason is that even if definitions for all raw constants |
759 lifting. The reason is that even if definitions for all raw constants |
760 can be given, \emph{not} all theorems can be lifted to the quotient type. Most |
760 can be given, \emph{not} all theorems can be lifted to the quotient type. Most |
761 notable is the bound variable function %%, that is the constant @{text bn}, |
761 notable is the bound variable function, that is the constant @{text bn}, |
762 defined |
762 defined |
763 for raw lambda-terms as follows |
763 for raw lambda-terms as follows |
764 |
764 |
765 \begin{isabelle} |
765 \begin{isabelle} |
766 \begin{center} |
766 \begin{center} |
810 Let us return to the lifting procedure of theorems. Assume we have a theorem |
810 Let us return to the lifting procedure of theorems. Assume we have a theorem |
811 that contains the raw constant @{text "c\<^isub>r :: \<sigma>"} and which we want to |
811 that contains the raw constant @{text "c\<^isub>r :: \<sigma>"} and which we want to |
812 lift to a theorem where @{text "c\<^isub>r"} is replaced by the corresponding |
812 lift to a theorem where @{text "c\<^isub>r"} is replaced by the corresponding |
813 constant @{text "c\<^isub>q :: \<tau>"} defined over a quotient type. In this situation |
813 constant @{text "c\<^isub>q :: \<tau>"} defined over a quotient type. In this situation |
814 we generate the following proof obligation |
814 we generate the following proof obligation |
815 % |
815 |
816 %\begin{isabelle}\ \ \ \ \ %%% |
816 \begin{isabelle}\ \ \ \ \ %%% |
817 @{text "REL (\<sigma>, \<tau>) c\<^isub>r c\<^isub>r"}. |
817 @{text "REL (\<sigma>, \<tau>) c\<^isub>r c\<^isub>r"}. |
818 %\end{isabelle} |
818 \end{isabelle} |
819 % |
819 |
820 %\noindent |
820 \noindent |
821 Homeier calls these proof obligations \emph{respectfulness |
821 Homeier calls these proof obligations \emph{respectfulness |
822 theorems}. However, unlike his quotient package, we might have several |
822 theorems}. However, unlike his quotient package, we might have several |
823 respectfulness theorems for one constant---he has at most one. |
823 respectfulness theorems for one constant---he has at most one. |
824 The reason is that because of our quotient compositions, the types |
824 The reason is that because of our quotient compositions, the types |
825 @{text \<sigma>} and @{text \<tau>} are not completely determined by @{text "c\<^bsub>r\<^esub>"}. |
825 @{text \<sigma>} and @{text \<tau>} are not completely determined by @{text "c\<^bsub>r\<^esub>"}. |
827 respectfulness theorem is necessary. |
827 respectfulness theorem is necessary. |
828 |
828 |
829 Before lifting a theorem, we require the user to discharge |
829 Before lifting a theorem, we require the user to discharge |
830 respectfulness proof obligations. In case of @{text bn} |
830 respectfulness proof obligations. In case of @{text bn} |
831 this obligation is %%as follows |
831 this obligation is %%as follows |
832 % |
832 |
833 %\begin{isabelle}\ \ \ \ \ %%% |
833 \begin{isabelle}\ \ \ \ \ %%% |
834 @{text "(\<approx>\<^isub>\<alpha> \<doublearr> =) bn bn"} |
834 @{text "(\<approx>\<^isub>\<alpha> \<doublearr> =) bn bn"} |
835 %\end{isabelle} |
835 \end{isabelle} |
836 % |
836 |
837 %\noindent |
837 \noindent |
838 and the point is that the user cannot discharge it: because it is not true. To see this, |
838 and the point is that the user cannot discharge it: because it is not true. To see this, |
839 we can just unfold the definition of @{text "\<doublearr>"} \eqref{relfun} |
839 we can just unfold the definition of @{text "\<doublearr>"} \eqref{relfun} |
840 using extensionality to obtain the false statement |
840 using extensionality to obtain the false statement |
841 |
841 |
842 \begin{isabelle}\ \ \ \ \ %%% |
842 \begin{isabelle}\ \ \ \ \ %%% |
1240 %% |
1240 %% |
1241 \smallskip |
1241 \smallskip |
1242 |
1242 |
1243 \noindent |
1243 \noindent |
1244 {\bf Acknowledgements:} We would like to thank Peter Homeier for the many |
1244 {\bf Acknowledgements:} We would like to thank Peter Homeier for the many |
1245 discussions about his HOL4 quotient package.\\[-5mm]% and explaining to us |
1245 discussions about his HOL4 quotient package and explaining to us |
1246 %some of its finer points in the implementation. Without his patient |
1246 some of its finer points in the implementation. Without his patient |
1247 %help, this work would have been impossible. |
1247 help, this work would have been impossible. |
1248 |
|
1249 % \appendix |
|
1250 |
|
1251 *} |
1248 *} |
1252 |
1249 |
1253 (* section {* Examples \label{sec:examples} *} |
1250 text_raw {* |
|
1251 %%\bibliographystyle{abbrv} |
|
1252 \bibliography{root} |
|
1253 |
|
1254 \appendix |
|
1255 |
|
1256 *} |
|
1257 |
|
1258 section {* Examples \label{sec:examples} *} |
1254 |
1259 |
1255 text {* |
1260 text {* |
1256 |
1261 |
1257 %%% FIXME Reviewer 1 would like an example of regularized and injected |
1262 %%% FIXME Reviewer 1 would like an example of regularized and injected |
1258 %%% statements. He asks for the examples twice, but I would still ignore |
1263 %%% statements. He asks for the examples twice, but I would still ignore |
1339 Both methods give the same result, namely @{text "0 + x = x"} |
1344 Both methods give the same result, namely @{text "0 + x = x"} |
1340 where @{text x} is of type integer. |
1345 where @{text x} is of type integer. |
1341 Although seemingly simple, arriving at this result without the help of a quotient |
1346 Although seemingly simple, arriving at this result without the help of a quotient |
1342 package requires a substantial reasoning effort (see \cite{Paulson06}). |
1347 package requires a substantial reasoning effort (see \cite{Paulson06}). |
1343 *} |
1348 *} |
1344 *) |
1349 |
1345 |
1350 |
1346 |
1351 |
1347 (*<*) |
1352 (*<*) |
1348 end |
1353 end |
1349 (*>*) |
1354 (*>*) |