nominal2: comparison Paper/Paper.thy

equal deleted inserted replaced

-:9a894c42e80e
+:a2d5f9ea17ad
 in Isabelle/HOL). We then define the user-specified binding
 functions, called @{term "bn"}, by primitive recursion over the corresponding
 raw datatype. We can also easily define permutation operations by
 primitive recursion so that for each term constructor @{text "C ty\<^isub>1 \<dots> ty\<^isub>n"}
 we have that
+%
-\begin{center}
+\begin{equation}\label{ceqvt}
 @{text "p \<bullet> (C x\<^isub>1 \<dots> x\<^isub>n) = C (p \<bullet> x\<^isub>1) \<dots> (p \<bullet> x\<^isub>n)"}
-\end{center}
+\end{equation}
 % TODO: we did not define permutation types
 %\noindent
 %From this definition we can easily show that the raw datatypes are
 %all permutation types (Def ??) by a simple structural induction over
 *}
 section {* Establishing the Reasoning Infrastructure *}
 text {*
-Having made all necessary definitions for raw terms, we can start introducing
+Having made all necessary definitions for raw terms, we can start
-the reasoning infrastructure for the types the user specified. For this we first
+introducing the reasoning infrastructure for the alpha-equated types the
-have to show that the alpha-equivalence relations defined in the previous
+user specified. We sketch in this section the facts we need for establishing
-section are indeed equivalence relations.
+this reasoning infrastructure. We first have to show that the
+alpha-equivalence relations defined in the previous section are indeed
-\begin{lemma}
+equivalence relations.
+\begin{lemma}\label{equiv}
 Given the raw types @{text "ty\<^isub>1, \<dots>, ty\<^isub>n"} and binding functions
 @{text "bn\<^isub>1, \<dots>, bn\<^isub>m"}, the relations @{text "\<approx>ty\<^isub>1, \<dots>, \<approx>ty\<^isub>n"} and
 @{text "\<approx>bn\<^isub>1 \<dots> \<approx>bn\<^isub>m"} are equivalence relations and equivariant.
 \end{lemma}
 \end{center}
 \noindent
 under the assumption that @{text "x\<^isub>i \<approx>ty\<^isub>i y\<^isub>i"} holds for all recursive arguments
 and  @{text "x\<^isub>i = y\<^isub>i"} for all non-recursive arguments. We can prove this by
-analysing the definition of @{text "\<approx>ty"}. For this to succed we have to establish an
+analysing the definition of @{text "\<approx>ty"}. For this to succeed we have to establish an
 auxiliary fact: given a binding function @{text bn} defined for the type @{text ty}
 we have that
 \begin{center}
 @{text "x \<approx>ty y"} implies @{text "x \<approx>bn y"}
 \end{center}
 \noindent
 This can be established by induction on the definition of @{text "\<approx>ty"}.
-Having established respectfullness for every raw term-constructor, the
+Having established respectfulness for every raw term-constructor, the
-quotient package will automaticaly deduce \eqref{distinctalpha} from \eqref{distinctraw}.
+quotient package will automatically deduce \eqref{distinctalpha} from \eqref{distinctraw}.
 In fact we can lift any fact from the raw level to the alpha-equated level that
 apart from variables only contains the raw term-constructors @{text "C\<^isub>i"}. The
 induction principles derived by the datatype package of Isabelle/HOL for @{text
 "ty"}$^\alpha_{1..n}$ fall into this category. So we can also add to our infrastructure
 induction principles that establish
 @{text "\<forall>x\<^isub>1\<dots>x\<^isub>n. P\<^bsub>ty\<^isub>i\<^esub> x\<^isub>i \<and> \<dots> \<and> P\<^bsub>ty\<^isub>j\<^esub> x\<^isub>j \<Rightarrow> P\<^bsub>ty\<^esub> (C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>n)"}
 \end{center}
 \noindent
 where the @{text "x\<^isub>i, \<dots>, x\<^isub>j"} are the recursive arguments of @{text "C\<^sup>\<alpha>"}.
+Next we lift the permutation operations defined in \eqref{ceqvt} for
+the raw term-constructors @{text "C"}. These facts contain, in addition
-To lift
+to the term-constructors, also permutations operations. Therefore
-the raw definitions to the quotient type, we need to prove that they
+we have to know that permutation operations are respectful
-\emph{respect} the relation. We follow the definition of respectfullness given
+w.r.t.~alpha-equivalence, which amounts to knowing that the
-by Homeier~\cite{Homeier05}. The intuition behind a respectfullness condition
+alpha-equivalence relations are equivariant, which we established
-is that when a function (or constructor) is given arguments that are
+in Lemma~\ref{equiv}. As a result we can add the equations
-alpha-equivalent the results are also alpha equivalent. For arguments that are
-not of any of the relations taken into account, equivalence is replaced by
+\begin{equation}\label{ceqvt}
-equality. In particular the respectfullness condition for a @{text "bn"}
+@{text "p \<bullet> (C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>n) = C\<^sup>\<alpha> (p \<bullet> x\<^isub>1) \<dots> (p \<bullet> x\<^isub>n)"}
-function means that for alpha equivalent raw terms it returns the same bound
+\end{equation}
-names. Thanks to the restrictions on the binding functions introduced in
-Section~\ref{sec:alpha} we can show that are respectful.
+\noindent
+to our infrastructure. In a similar fashion we can lift the equations
-\begin{lemma} The functions @{text "bn\<^isub>1 \<dots> bn\<^isub>m"}, @{text "fv_ty\<^isub>1 \<dots> fv_ty\<^isub>n"},
+characterising our free-variable functions and the binding functions.
-the raw constructors, the raw permutations and @{text "\<approx>bn\<^isub>1 \<dots> \<approx>bn\<^isub>m"} are
+The necessary respectfulness lemmas are
-respectful w.r.t. the relations @{text "\<approx>\<^isub>1 \<dots> \<approx>\<^isub>n"}.
+%
+\begin{equation}\label{fnresp}
+\mbox{%
+\begin{tabular}{l}
+@{text "x \<approx>ty y"} implies @{text "fv_ty x = fv_ty y"}\\
+@{text "x \<approx>ty y"} implies @{text "bn x = bn y"}
+\end{tabular}}
+\end{equation}
+\noindent
+which can be established by induction on @{text "\<approx>ty"}. While the first
+kind of lemma is always ensured by way of how we defined the free variable
+functions, the second does not hold in general. It only if the @{text bn}-functions
+do not return any atom that is also bound. Hence our restriction imposed
+on the binding functions that excludes this possibility.
+Having the facts \eqref{fnresp} at our disposal, we can finally lift the
+definitions that characterise when two terms of the form
+\begin{center}
+@{text "C x\<^isub>1 \<dots> x\<^isub>n \<approx>ty C y\<^isub>1 \<dots> y\<^isub>n"}
+\end{center}
+\noindent
+are alpha-equivalent. This gives us conditions when the corresponding
+alpha-equated terms are equal, namely
+\begin{center}
+@{text "C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>n = C\<^sup>\<alpha> y\<^isub>1 \<dots> y\<^isub>n"}
+\end{center}
+\noindent
+We call these conditions as \emph{quasi-injectivity}. Except for one definition we have
+to lift in the next section, this completes
+the lifting part of establishing the reasoning infrastructure. From
+now on we can ``forget'' about the raw types @{text "ty\<^bsub>1..n\<^esub>"} and only
+reason with @{text "ty\<AL>\<^bsub>1..n\<^esub>"}
+We can first show that the free-variable function and binding functions
+are equivariant, namely
+\begin{center}
+\begin{tabular}{rcl}
+@{text "p \<bullet> (fv_ty\<^sup>\<alpha> x)"} & $=$ & @{text "fv_ty\<^sup>\<alpha> (p \<bullet> x)"}\\
+@{text "p \<bullet> (bn\<^sup>\<alpha> x)"}    & $=$ & @{text "bn\<^sup>\<alpha> (p \<bullet> x)"}
+\end{tabular}
+\end{center}
+\noindent
+These facts can be established by structural induction over the @{text x}.
+Until now we have not yet derived any fact about the support of the
+alpha-equated terms. Using the equivariance properties in \eqref{ceqvt} we can
+show for every term-constructor @{text "C\<^sup>\<alpha>"} that
+\begin{center}
+@{text "supp x\<^isub>1 \<union> \<dots> supp x\<^isub>n supports (C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>n)"}
+\end{center}
+\noindent
+holds. This together with Property~\ref{supportsprobs} allows us to show
+\begin{center}
+@{text "finite (supp x\<^isub>i)"}
+\end{center}
+\noindent
+by mutual structural induction over @{text "x\<^isub>1, \<dots>, x\<^isub>n"} (whereby @{text "x\<^isub>i"} ranges over the types
+@{text "ty\<AL>\<^isub>1 \<dots> ty\<AL>\<^isub>n"}). Lastly, we can show that the support of elements in
+@{text "ty\<AL>\<^bsub>1..n\<^esub>"} coincides with @{text "fv_ty\<AL>\<^bsub>1..n\<^esub>"}.
+\begin{lemma} For every @{text "x\<^isub>i"} of type @{text "ty\<AL>\<^bsub>1..n\<^esub>"}, we have that
+@{text "supp x\<^isub>i = fv_ty\<AL>\<^isub>i x\<^isub>i"} holds.
 \end{lemma}
-\begin{proof} Respectfullness of permutations is a direct consequence of
-equivariance.  All other properties by induction on the alpha-equivalence
-relation.  For @{text "bn"} the thesis follows by simple calculations thanks
-to the restrictions on the binding functions. For @{text "fv"} functions it
-follows using respectfullness of @{text "bn"}. For type constructors it is a
-simple calculation thanks to the way alpha-equivalence was defined. For @{text
-"alpha_bn"} after a second induction on the second relation by simple
-calculations.  \end{proof}
-With these respectfullness properties we can use the quotient package
-to define the above constants on the quotient level. We can then automatically
-lift the theorems that talk about the raw constants to theorems on the quotient
-level. The following lifted properties are proved:
-\begin{center}
-\begin{tabular}{cp{7cm}}
-%skipped permute_zero and permute_add, since we do not have a permutation
-%definition
-$\bullet$ & permutation defining equations \\
-$\bullet$ & @{term "bn"} defining equations \\
-$\bullet$ & @{term "fv_ty"} and @{term "fv_bn"} defining equations \\
-$\bullet$ & induction. The induction principle that we obtain by lifting
-is the weak induction principle, just on the term structure \\
-$\bullet$ & quasi-injectivity. This means the equations that specify
-when two constructors are equal and comes from lifting the alpha
-equivalence defining relations\\
-$\bullet$ & distinctness\\
-%may be skipped
-$\bullet$ & equivariance of @{term "fv"} and @{term "bn"} functions\\
-\end{tabular}
-\end{center}
-Until now we have not said anything about the support of the
-defined type. This is because we could not use the general definition of
-support in lifted theorems, since it does not preserve the relation.
-Indeed, take the term @{text "\<lambda>x. x"}. The support of the term is empty @{term "{}"},
-since the @{term "x"} is bound. On the raw level, before the binding is
-introduced the term has the support equal to @{text "{x}"}.
-To show the support equations for the lifted types we want to use the
-Theorem \ref{suppabs}, so we start with showing that they have a finite
-support.
-\begin{lemma} The types @{text "ty\<^isup>\<alpha>\<^isub>1 \<dots> ty\<^isup>\<alpha>\<^isub>n"} have finite support.
-\end{lemma}
 \begin{proof}
-By induction on the lifted types. For each constructor its support is
+The proof proceeds by structural induction over the @{text "x\<^isub>i"}. In each case
-supported by the union of the supports of all arguments. By induction
+we unfold the definition of @{text "supp"}, move the swapping inside the
-hypothesis we know that each of the recursive arguments has finite
+term-constructors and the use the quasi-injectivity lemmas in order to complete the
-support. We also know that atoms and finite atom sets and lists that
+proof.
-occur in the constructors have finite support. A union of finite
-sets is finite thus the support of the constructor is finite.
 \end{proof}
-% Very vague...
+\noindent
-\begin{lemma} For each lifted type @{text "ty\<^isup>\<alpha>\<^isub>i"}, for every @{text "x"}
+To sum up this section, we established a reasoning infrastructure
-of this type:
+for the types @{text "ty\<AL>\<^isub>1 \<dots> ty\<AL>\<^isub>n"}
-\begin{equation}
+by first lifting definitions from the raw level to the quotient level and
-@{term "supp x = fv_ty\<^isup>\<alpha>\<^isub>i x"}.
+then establish facts about these lifted definitions. All necessary proofs
-\end{equation}
+are generated automatically by custom ML-code. This code can deal with
-\end{lemma}
+specifications as shown in Figure~\ref{nominalcorehas} for Core-Haskell.
-\begin{proof}
-We will show this by induction together with equations that characterize
-@{term "fv_bn\<^isup>\<alpha>\<^isub>"} in terms of @{term "alpha_bn\<^isup>\<alpha>"}. For each of @{text "fv_bn\<^isup>\<alpha>"}
-functions this equation is:
-\begin{center}
-@{term "{a. infinite {b. \<not> alpha_bn\<^isup>\<alpha> ((a \<rightleftharpoons> b) \<bullet> x) x}} = fv_bn\<^isup>\<alpha> x"}
-\end{center}
-In the induction we need to show these equations together with the goal
-for the appropriate constructors. We first transform the right hand sides.
-The free variable functions are applied to theirs respective constructors
-so we can apply the lifted free variable defining equations to obtain
-free variable functions applied to subterms minus binders. Using the
-induction hypothesis we can replace free variable functions applied to
-subterms by support. Using Theorem \ref{suppabs} we replace the differences
-by supports of appropriate abstractions.
-Unfolding the definition of supports on both sides of the equations we
-obtain by simple calculations the equalities.
-\end{proof}
-With the above equations we can substitute free variables for support in
-the lifted free variable equations, which gives us the support equations
-for the term constructors. With this we can show that for each binding in
-a constructors the bindings can be renamed. To rename a shallow binder
-or a deep recursive binder a permutation is sufficient. This is not the
-case for a deep non-recursive bindings. Take the term
-@{text "Let (ACons x (Vr x) ANil) (Vr x)"}, representing the language construct
-@{text "let x = x in x"}. To rename the binder the permutation cannot
-be applied to the whole assignment since it would rename the free @{term "x"}
-as well. To avoid this we introduce a new construction operation
-that applies a permutation under a binding function.
-*}
-section {* Strong Induction Principles *}
-text {*
-In the previous section we were able to provide induction principles that
-allow us to perform structural inductions over alpha-equated terms.
-We call such induction principles \emph{weak}, because in case of a term-contructor @{text "C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>n"},
-the induction hypothesis requires us to establish the implication
-%
-\begin{equation}\label{weakprem}
-@{text "\<forall>x\<^isub>1\<dots>x\<^isub>n. P\<^isub>i x\<^isub>i \<and> \<dots> \<and> P\<^isub>j x\<^isub>j \<Rightarrow> P (C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>n)"}
-\end{equation}
-\noindent
-where the @{text "x\<^isub>i, \<dots>, x\<^isub>j"} are the recursive arguments of @{text "C\<^sup>\<alpha>"}.
-The problem with this implication is that in general it is not easy to establish.
-The reason is we cannot make any assumption about the binders in @{text "C\<^sup>\<alpha>"}
-(for example we cannot assume the variable convention).
-In \cite{UrbanTasson05} we introduced a method for automatically
-strengthening weak induction principles for terms containing single
-binders. These stronger induction principles allow us to make additional
-assumptions about binders. These additional assumptions amount to a formal
-version of the usual variable convention for binders. A natural question is
-whether we can also strengthen the weak induction principles in the presence
-general binders. We will indeed be able to so, but for this we need an
-additional notion of permuting deep binders.
-Given a binding function @{text "bn"} we need to define an auxiliary permutation
-operation @{text "_ \<bullet>\<^bsub>bn\<^esub> _"} which permutes only bound arguments in a deep binder.
-Given a clause of @{text bn} is defined as @{text "bn (C x\<^isub>1 \<dots> x\<^isub>n) = rhs"}, then
-%
-\begin{center}
-@{text "p \<bullet>\<^bsub>bn\<^esub> (C x\<^isub>1 \<dots> x\<^isub>n) \<equiv> C y\<^isub>1 \<dots> y\<^isub>n"}
-\end{center}
-\noindent
-with @{text "y\<^isub>i"} determined as follows:
-%
-\begin{center}
-\begin{tabular}{c@ {\hspace{2mm}}p{7cm}}
-$\bullet$ & @{text "y\<^isub>i \<equiv> x\<^isub>i"} provided @{text "x\<^isub>i"} does not occur in @{text "rhs"}\\
-$\bullet$ & @{text "y\<^isub>i \<equiv> p \<bullet>\<^bsub>bn'\<^esub> x\<^isub>i"} provided @{text "bn' x\<^isub>i"} is in @{text "rhs"}\\
-$\bullet$ & @{text "y\<^isub>i \<equiv> p \<bullet> x\<^isub>i"} otherwise
-\end{tabular}
-\end{center}
-\noindent
-Using the quotient package we can lift the @{text "_ \<bullet>\<^bsub>bn\<^esub> _"} function to alpha
-equated terms. We can then prove
-\begin{lemma} Given a binding function @{text "bn\<^sup>\<alpha>"}. Then
-{\it i)} @{text "p \<bullet> (bn\<^sup>\<alpha> x) = bn\<^sup>\<alpha> (p \<bullet>\<^bsub>bn\<^sup>\<alpha>\<^esub> x)"} and {\it ii)}
-for all permutations @{text p},  @{text "fv_bn\<^isup>\<alpha> x = fv_bn\<^isup>\<alpha> (p \<bullet>\<^bsub>bn\<^sup>\<alpha>\<^esub> x)"}.
-\end{lemma}
-\begin{proof}
-By induction on @{text x}. The equation follow by simple unfolding
-of the definitions.
-\end{proof}
-This allows is to strengthen the induction principles. We will explain
-the details with the @{text "Let"} term-constructor from \eqref{letpat}.
-Instead of establishing the implication
-\begin{center}
-@{text "\<forall>p t\<^isub>1 t\<^isub>2. P\<^bsub>pat\<^esub> p \<and> P\<^bsub>trm\<^esub> t\<^isub>1 \<and> P\<^bsub>trm\<^esub> t\<^isub>2 \<Rightarrow> P\<^bsub>trm\<^esub> (Let p t\<^isub>1 t\<^isub>2)"}
-\end{center}
-\noindent
-from the weak induction principle, we will show that it is sufficient
-to establish
-\begin{center}
-\begin{tabular}{l}
-@{text "\<forall>p t\<^isub>1 t\<^isub>2 c."}\\
-\hspace{5mm}@{text "set (bn\<^sup>\<alpha> p) #\<^sup>* c \<and>"}\\
-\hspace{5mm}@{text "(\<forall>d. P\<^bsub>pat\<^esub> d p) \<and> (\<forall>d. P\<^bsub>trm\<^esub> d t\<^isub>1) \<and> (\<forall>d. P\<^bsub>trm\<^esub> d t\<^isub>2)"}\\
-\hspace{15mm}@{text "\<Rightarrow> P\<^bsub>trm\<^esub> c (Let p t\<^isub>1 t\<^isub>2)"}
-\end{tabular}
-\end{center}
-With the help of @{text "\<bullet>bn"} functions defined in the previous section
-we can show that binders can be substituted in term constructors. We show
-this only for the specification from Figure~\ref{nominalcorehas}. The only
-constructor with a complicated binding structure is @{text "ACons"}. For this
-constructor we prove:
-\begin{eqnarray}
-\lefteqn{@{text "supp (Abs_lst (bv pat) trm) \<sharp>* \<pi> \<Longrightarrow>"}} \nonumber \\
-& & @{text "ACons pat trm al = ACons (\<pi> \<bullet>bv pat) (\<pi> \<bullet> trm) al"} \nonumber
-\end{eqnarray}
-\noindent With the Property~\ref{avoiding} we can prove a strong induction principle
-which we show again only for the interesting constructors in the Core Haskell
-example. We first show the weak induction principle for comparison:
-\begin{equation}\nonumber
-\infer
-{
-\textrm{The properties }@{text "P1, P2, \<dots>, P12"}\textrm{ hold for all }@{text "tkind, ckind, \<dots>"}
-}{
-\begin{tabular}{cp{7cm}}
-%%  @{text "P1 KStar"}\\
-%%  @{text "\<forall>tk1 tk2. \<^raw:\big(>P1 tk1 \<and> P1 tk2\<^raw:\big)> \<Longrightarrow> P1 (KFun tk1 tk2)"}\\
-%%  @{text "\<dots>"}\\
-@{text "\<forall>v ty t1 t2. \<^raw:\big(>P3 ty \<and> P7 t1 \<and> P7 t2\<^raw:\big)> \<Longrightarrow> P7 (Let v ty t1 t2)"}\\
-@{text "\<forall>p t al. \<^raw:\big(>P9 p \<and> P7 t \<and> P8 al\<^raw:\big)> \<Longrightarrow> P8 (ACons p t al)"}\\
-@{text "\<dots>"}
-\end{tabular}
-}
-\end{equation}
-\noindent In comparison, the cases for the same constructors in the derived strong
-induction principle are:
-\begin{equation}\nonumber
-\infer
-{
-\begin{tabular}{cp{7cm}}
-\textrm{The properties }@{text "P1, P2, \<dots>, P12"}\textrm{ hold for all }@{text "tkind, ckind, \<dots>"}\\
-\textrm{ avoiding any atoms in a given }@{text "y"}
-\end{tabular}
-}{
-\begin{tabular}{cp{7cm}}
-%%  @{text "\<forall>b. P1 b KStar"}\\
-%%  @{text "\<forall>tk1 tk2 b. \<^raw:\big(>\<forall>c. P1 c tk1 \<and> \<forall>c. P1 c tk2\<^raw:\big)> \<Longrightarrow> P1 b (KFun tk1 tk2)"}\\
-%%  @{text "\<dots>"}\\
-@{text "\<forall>v ty t1 t2 b. \<^raw:\big(>\<forall>c. P3 c ty \<and> \<forall>c. P7 c t1 \<and> \<forall>c. P7 c t2 \<and>"}\\
-@{text "\<^raw:\hfill>\<and> atom var \<sharp> b\<^raw:\big)> \<Longrightarrow> P7 b (Let v ty t1 t2)"}\\
-@{text "\<forall>p t al b. \<^raw:\big(>\<forall>c. P9 c p \<and> \<forall>c. P7 c t \<and> \<forall>c. P8 c al \<and>"}\\
-@{text "\<^raw:\hfill>\<and> set (bv p) \<sharp>* b\<^raw:\big)> \<Longrightarrow> P8 b (ACons p t al)"}\\
-@{text "\<dots>"}
-\end{tabular}
-}
-\end{equation}
-*}
-text {*
 \begin{figure}[t!]
 \begin{boxedminipage}{\linewidth}
 \small
 \begin{tabular}{l}
 one obtains automatically a reasoning infrastructure for Core-Haskell.
 \label{nominalcorehas}}
 \end{figure}
 *}
+section {* Strong Induction Principles *}
+text {*
+In the previous section we were able to provide induction principles that
+allow us to perform structural inductions over alpha-equated terms.
+We call such induction principles \emph{weak}, because in case of a term-contructor @{text "C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>n"},
+the induction hypothesis requires us to establish the implication
+%
+\begin{equation}\label{weakprem}
+@{text "\<forall>x\<^isub>1\<dots>x\<^isub>n. P\<^isub>i x\<^isub>i \<and> \<dots> \<and> P\<^isub>j x\<^isub>j \<Rightarrow> P (C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>n)"}
+\end{equation}
+\noindent
+where the @{text "x\<^isub>i, \<dots>, x\<^isub>j"} are the recursive arguments of @{text "C\<^sup>\<alpha>"}.
+The problem with this implication is that in general it is not easy to establish.
+The reason is we cannot make any assumption about the binders in @{text "C\<^sup>\<alpha>"}
+(for example we cannot assume the variable convention).
+In \cite{UrbanTasson05} we introduced a method for automatically
+strengthening weak induction principles for terms containing single
+binders. These stronger induction principles allow us to make additional
+assumptions about binders. These additional assumptions amount to a formal
+version of the usual variable convention for binders. A natural question is
+whether we can also strengthen the weak induction principles in the presence
+general binders. We will indeed be able to so, but for this we need an
+additional notion of permuting deep binders.
+Given a binding function @{text "bn"} we need to define an auxiliary permutation
+operation @{text "_ \<bullet>\<^bsub>bn\<^esub> _"} which permutes only bound arguments in a deep binder.
+Given a clause of @{text bn} is defined as @{text "bn (C x\<^isub>1 \<dots> x\<^isub>n) = rhs"}, then
+%
+\begin{center}
+@{text "p \<bullet>\<^bsub>bn\<^esub> (C x\<^isub>1 \<dots> x\<^isub>n) \<equiv> C y\<^isub>1 \<dots> y\<^isub>n"}
+\end{center}
+\noindent
+with @{text "y\<^isub>i"} determined as follows:
+%
+\begin{center}
+\begin{tabular}{c@ {\hspace{2mm}}p{7cm}}
+$\bullet$ & @{text "y\<^isub>i \<equiv> x\<^isub>i"} provided @{text "x\<^isub>i"} does not occur in @{text "rhs"}\\
+$\bullet$ & @{text "y\<^isub>i \<equiv> p \<bullet>\<^bsub>bn'\<^esub> x\<^isub>i"} provided @{text "bn' x\<^isub>i"} is in @{text "rhs"}\\
+$\bullet$ & @{text "y\<^isub>i \<equiv> p \<bullet> x\<^isub>i"} otherwise
+\end{tabular}
+\end{center}
+\noindent
+Using the quotient package we can lift the @{text "_ \<bullet>\<^bsub>bn\<^esub> _"} function to alpha
+equated terms. We can then prove
+\begin{lemma} Given a binding function @{text "bn\<^sup>\<alpha>"}. Then
+{\it i)} @{text "p \<bullet> (bn\<^sup>\<alpha> x) = bn\<^sup>\<alpha> (p \<bullet>\<^bsub>bn\<^sup>\<alpha>\<^esub> x)"} and {\it ii)}
+for all permutations @{text p},  @{text "fv_bn\<^isup>\<alpha> x = fv_bn\<^isup>\<alpha> (p \<bullet>\<^bsub>bn\<^sup>\<alpha>\<^esub> x)"}.
+\end{lemma}
+\begin{proof}
+By induction on @{text x}. The equation follow by simple unfolding
+of the definitions.
+\end{proof}
+This allows is to strengthen the induction principles. We will explain
+the details with the @{text "Let"} term-constructor from \eqref{letpat}.
+Instead of establishing the implication
+\begin{center}
+@{text "\<forall>p t\<^isub>1 t\<^isub>2. P\<^bsub>pat\<^esub> p \<and> P\<^bsub>trm\<^esub> t\<^isub>1 \<and> P\<^bsub>trm\<^esub> t\<^isub>2 \<Rightarrow> P\<^bsub>trm\<^esub> (Let p t\<^isub>1 t\<^isub>2)"}
+\end{center}
+\noindent
+from the weak induction principle, we will show that it is sufficient
+to establish
+\begin{center}
+\begin{tabular}{l}
+@{text "\<forall>p t\<^isub>1 t\<^isub>2 c."}\\
+\hspace{5mm}@{text "set (bn\<^sup>\<alpha> p) #\<^sup>* c \<and>"}\\
+\hspace{5mm}@{text "(\<forall>d. P\<^bsub>pat\<^esub> d p) \<and> (\<forall>d. P\<^bsub>trm\<^esub> d t\<^isub>1) \<and> (\<forall>d. P\<^bsub>trm\<^esub> d t\<^isub>2)"}\\
+\hspace{15mm}@{text "\<Rightarrow> P\<^bsub>trm\<^esub> c (Let p t\<^isub>1 t\<^isub>2)"}
+\end{tabular}
+\end{center}
+With the help of @{text "\<bullet>bn"} functions defined in the previous section
+we can show that binders can be substituted in term constructors. We show
+this only for the specification from Figure~\ref{nominalcorehas}. The only
+constructor with a complicated binding structure is @{text "ACons"}. For this
+constructor we prove:
+\begin{eqnarray}
+\lefteqn{@{text "supp (Abs_lst (bv pat) trm) \<sharp>* \<pi> \<Longrightarrow>"}} \nonumber \\
+& & @{text "ACons pat trm al = ACons (\<pi> \<bullet>bv pat) (\<pi> \<bullet> trm) al"} \nonumber
+\end{eqnarray}
+\noindent With the Property~\ref{avoiding} we can prove a strong induction principle
+which we show again only for the interesting constructors in the Core Haskell
+example. We first show the weak induction principle for comparison:
+\begin{equation}\nonumber
+\infer
+{
+\textrm{The properties }@{text "P1, P2, \<dots>, P12"}\textrm{ hold for all }@{text "tkind, ckind, \<dots>"}
+}{
+\begin{tabular}{cp{7cm}}
+%%  @{text "P1 KStar"}\\
+%%  @{text "\<forall>tk1 tk2. \<^raw:\big(>P1 tk1 \<and> P1 tk2\<^raw:\big)> \<Longrightarrow> P1 (KFun tk1 tk2)"}\\
+%%  @{text "\<dots>"}\\
+@{text "\<forall>v ty t1 t2. \<^raw:\big(>P3 ty \<and> P7 t1 \<and> P7 t2\<^raw:\big)> \<Longrightarrow> P7 (Let v ty t1 t2)"}\\
+@{text "\<forall>p t al. \<^raw:\big(>P9 p \<and> P7 t \<and> P8 al\<^raw:\big)> \<Longrightarrow> P8 (ACons p t al)"}\\
+@{text "\<dots>"}
+\end{tabular}
+}
+\end{equation}
+\noindent In comparison, the cases for the same constructors in the derived strong
+induction principle are:
+\begin{equation}\nonumber
+\infer
+{
+\begin{tabular}{cp{7cm}}
+\textrm{The properties }@{text "P1, P2, \<dots>, P12"}\textrm{ hold for all }@{text "tkind, ckind, \<dots>"}\\
+\textrm{ avoiding any atoms in a given }@{text "y"}
+\end{tabular}
+}{
+\begin{tabular}{cp{7cm}}
+%%  @{text "\<forall>b. P1 b KStar"}\\
+%%  @{text "\<forall>tk1 tk2 b. \<^raw:\big(>\<forall>c. P1 c tk1 \<and> \<forall>c. P1 c tk2\<^raw:\big)> \<Longrightarrow> P1 b (KFun tk1 tk2)"}\\
+%%  @{text "\<dots>"}\\
+@{text "\<forall>v ty t1 t2 b. \<^raw:\big(>\<forall>c. P3 c ty \<and> \<forall>c. P7 c t1 \<and> \<forall>c. P7 c t2 \<and>"}\\
+@{text "\<^raw:\hfill>\<and> atom var \<sharp> b\<^raw:\big)> \<Longrightarrow> P7 b (Let v ty t1 t2)"}\\
+@{text "\<forall>p t al b. \<^raw:\big(>\<forall>c. P9 c p \<and> \<forall>c. P7 c t \<and> \<forall>c. P8 c al \<and>"}\\
+@{text "\<^raw:\hfill>\<and> set (bv p) \<sharp>* b\<^raw:\big)> \<Longrightarrow> P8 b (ACons p t al)"}\\
+@{text "\<dots>"}
+\end{tabular}
+}
+\end{equation}
+*}
 section {* Related Work *}
 text {*
 To our knowledge, the earliest usage of general binders in a theorem prover
 is described in \cite{NaraschewskiNipkow99} about a formalisation of the

changeset 1766	a2d5f9ea17ad
parent 1765	9a894c42e80e
child 1767	e6a5651a1d81