diff -r 799769b40f0e -r 014f0ea2381c LMCS-Paper/Paper.thy --- a/LMCS-Paper/Paper.thy Thu Sep 15 01:01:43 2011 +0200 +++ b/LMCS-Paper/Paper.thy Fri Sep 16 08:00:15 2011 +0200 @@ -874,7 +874,7 @@ \begin{proof} If @{term "a = b"} the lemma is immediate, since @{term "(a \ b) = 0"}. - Also in the other case, it is straightforward using \eqref{abseqiff} and + Also in the other case it is straightforward using \eqref{abseqiff} and observing that the assumptions give us @{term "(a \ b) \ (supp x - as) = (supp x - as)"}. We therefore can use as permutation the swapping @{term "(a \ b)"}. @@ -1039,7 +1039,7 @@ There are also some restrictions we need to impose on our binding clauses in comparison to the ones of Ott. The main idea behind these restrictions is - that we obtain a sensible notion of alpha-equivalence where it is ensured + that we obtain a notion of alpha-equivalence where it is ensured that within a given scope an atom occurrence cannot be both bound and free at the same time. The first restriction is that a body can only occur in \emph{one} binding clause of a term constructor. So for example @@ -1215,15 +1215,16 @@ \noindent In this example the term constructor @{text "ACons'"} has four arguments with - a binding clause for two of them. This constructor is also used in the definition + a binding clause involving two of them. This constructor is also used in the definition of the binding function. The restriction we have to impose is that the - binding function can only return free atoms, that is the ones that are not + binding function can only return free atoms, that is the ones that are \emph{not} mentioned in a binding clause. Therefore @{text "y"} cannot be used in the binding function @{text "bn"} (since it is bound in @{text "ACons'"} by the binding clause), but @{text x} can (since it is a free atom). This restriction is sufficient for lifting the binding function to alpha-equated - terms. If we would permit that @{text "bn"} can also return @{text "y"}, - then it would not be respectful and therefore cannot be lifted. + terms. If we would permit @{text "bn"} to return @{text "y"}, + then it would not be respectful and therefore cannot be lifted to + alpha-equated lambda-terms. In the version of Nominal Isabelle described here, we also adopted the restriction from the Ott-tool that binding functions can only return: the @@ -1281,7 +1282,8 @@ for the corresponding notion given on the ``raw'' level. So for example we have @{text "ty\<^sup>\ \ ty"} and @{text "C\<^sup>\ \ C"} where @{term ty} is the type used in the quotient construction for - @{text "ty\<^sup>\"} and @{text "C"} is the term-constructor on the ``raw'' type @{text "ty"}. + @{text "ty\<^sup>\"} and @{text "C"} is the term-constructor in the ``raw'' type @{text "ty"}, + respectively @{text "C\<^sup>\"} is the corresponding term-constructor in @{text "ty\<^sup>\"}. The resulting datatype definition is legal in Isabelle/HOL provided the datatypes are non-empty and the types in the constructors only occur in positive @@ -1323,7 +1325,7 @@ \noindent The reason for this setup is that in a deep binder not all atoms have to be - bound, as we saw in the example with ``plain'' @{text Let}s. We need + bound, as we saw in \eqref{letrecs} with the example of ``plain'' @{text Let}s. We need therefore functions that calculate those free atoms in deep binders. While the idea behind these free-atom functions is simple (they just @@ -1687,7 +1689,7 @@ Again let us take a look at a concrete example for these definitions. For the specification given in \eqref{letrecs} we have three relations $\approx_{\textit{trm}}$, $\approx_{\textit{assn}}$ and - $\approx_{\textit{bn}}$ with the following clauses: + $\approx_{\textit{bn}}$ with the following rules: \begin{equation}\label{rawalpha}\mbox{ \begin{tabular}{@ {}c @ {}} @@ -1723,10 +1725,11 @@ The underlying reason is that the terms inside an assignment are not meant to be ``under'' the binder. Such a premise is \emph{not} needed in @{text "Let_rec"}, because there all components of an assignment are ``under'' the binder. - Note also that in case of more than one body (e.g.~in the @{text "Let_rec"}-case) + Note also that in case of more than one body (that is in the @{text "Let_rec"}-case) we need to parametrise the relation $\approx_{\textit{list}}$ with a compound equivalence relation and a compound free-atom function. This is because the - corresponding binding clause specifies a binder with two bodies. + corresponding binding clause specifies a binder with two bodies, namely + @{text "as"} and @{text "t"}. *} section {* Establishing the Reasoning Infrastructure *} @@ -1768,7 +1771,7 @@ \end{lem} \begin{proof} - The proof is by induction over the definitions. The non-trivial + The proofs are by induction. The non-trivial cases involve premises built up by $\approx_{\textit{set}}$, $\approx_{\textit{set+}}$ and $\approx_{\textit{list}}$. They can be dealt with as in Lemma~\ref{alphaeq}. However, the transitivity @@ -1843,11 +1846,30 @@ "bn"}$_{1..m}$ so that they return bound atoms and in this case the third implication is \emph{not} true. A result is that in general the lifting of the corresponding binding functions in Ott to alpha-equated terms is impossible. - Having established respectfulness for the ``raw'' term-constructors, the quotient package is able to automatically deduce \eqref{distinctalpha} from - \eqref{distinctraw}. Having the facts \eqref{fnresp} at our disposal, we can - also lift properties that characterise when two ``raw'' terms of the form + \eqref{distinctraw}. + + Next we can lift the permutation operations defined in \eqref{ceqvt}. In + order to make this lifting to go through, we have to show that the + permutation operations are respectful. This amounts to showing that the + alpha-equivalence relations are equivariant, which + we already established in Lemma~\ref{equiv}. As a result we can add the + equations + + \begin{equation}\label{calphaeqvt} + @{text "\ \ (C\<^sup>\ x\<^isub>1 \ x\<^isub>r) = C\<^sup>\ (\ \ x\<^isub>1) \ (\ \ x\<^isub>r)"} + \end{equation}\smallskip + + \noindent + to our infrastructure. In a similar fashion we can lift the defining equations + of the free-atom functions @{text "fa_ty\"}$_{1..n}$ and + @{text "fa_bn\"}$_{1..m}$ as well as of the binding functions @{text + "bn\"}$_{1..m}$ and size functions @{text "size_ty\"}$_{1..n}$. + The latter are defined automatically for the ``raw'' types @{text "ty"}$_{1..n}$ + by the datatype package of Isabelle/HOL. + + We also need to lift the properties that characterise when two ``raw'' terms of the form \[ \mbox{@{text "C x\<^isub>1 \ x\<^isub>r \ty C x\\<^isub>1 \ x\\<^isub>r"}} @@ -1862,11 +1884,13 @@ \]\smallskip \noindent - We call these conditions as \emph{quasi-injectivity}. They correspond to - the premises in our alpha-equiva\-lence relations, with the exception that - in case of binders the relations @{text "\ty"}$_{1..n}$ are all replaced - by equality. Recall the alpha-equivalence rules for @{text "Let"} and @{text "Let_rec"} - shown in \eqref{rawalpha}. For @{text "Let\<^sup>\"} and @{text "Let_rec\<^sup>\"} we have + We call these conditions as \emph{quasi-injectivity}. They correspond to the + premises in our alpha-equiva\-lence relations, with the exception that the + relations @{text "\ty"}$_{1..n}$ are all replaced by equality (and similarly + the free-atom and binding functions are replaced by their lifted + counterparts). Recall the alpha-equivalence rules for @{text "Let"} and + @{text "Let_rec"} shown in \eqref{rawalpha}. For @{text "Let\<^sup>\"} and + @{text "Let_rec\<^sup>\"} we have \begin{equation}\label{alphalift}\mbox{ \begin{tabular}{@ {}c @ {}} @@ -1879,30 +1903,7 @@ \end{tabular}} \end{equation}\smallskip - \noindent - where @{text "\\<^bsub>trm\<^esub>"} and @{text "\\<^bsub>assn\<^esub>"} are replaced by @{text "="} (and similarly - the free-atom and binding functions are replaced by their lifted counterparts). - - Next we can lift the permutation operations defined in \eqref{ceqvt}. In - order to make this lifting to go through, we have to show that the - permutation operations are respectful. This amounts to showing that the - alpha-equivalence relations are equivariant, which - we already established in Lemma~\ref{equiv}. As a result we can add the - equations - - \begin{equation}\label{calphaeqvt} - @{text "\ \ (C\<^sup>\ x\<^isub>1 \ x\<^isub>r) = C\<^sup>\ (\ \ x\<^isub>1) \ (\ \ x\<^isub>r)"} - \end{equation}\smallskip - - \noindent - to our infrastructure. In a similar fashion we can lift the defining equations - of the free-atom functions @{text "fn_ty\"}$_{1..n}$ and - @{text "fa_bn\"}$_{1..m}$ as well as of the binding functions @{text - "bn\"}$_{1..m}$ and size functions @{text "size_ty\"}$_{1..n}$. - The latter are defined automatically for the ``raw'' types @{text "ty"}$_{1..n}$ - by the datatype package of Isabelle/HOL. - - Finally we can add to our infrastructure cases lemmas and a (mutual) + We can also add to our infrastructure cases lemmas and a (mutual) induction principle for the types @{text "ty\"}$_{1..n}$. The cases lemmas allow the user to deduce a property @{text "P"} by exhaustively analysing how an element in a type, say @{text "ty\"}$_i$, can be @@ -1938,7 +1939,7 @@ whereby the @{text P}$_{1..n}$ are the properties established by the induction and the @{text y}$_{1..n}$ are of type @{text "ty\"}$_{1..n}$. Note that the induction principle has for the term constructors @{text "C"}$^\alpha_1$ a - premise of the form + hypothesis of the form \[ \mbox{@{text "\x\<^isub>1\x\<^isub>k. P\<^isub>i x\<^isub>i \ \ \ P\<^isub>j x\<^isub>j \ P (C\\<^sub>1 x\<^isub>1 \ x\<^isub>k)"}} @@ -1956,18 +1957,18 @@ on the right): \begin{equation}\label{inductex}\mbox{ - \begin{tabular}{c@ {\hspace{10mm}}c} + \begin{tabular}{@ {}c@ {\hspace{3mm}}c@ {}} \begin{tabular}{@ {}c@ {}} \infer{@{text "P\<^bsub>trm\<^esub>"}} - {\begin{array}{l} + {\begin{array}{@ {}l@ {}} @{text "\x. y = Var\<^sup>\ x \ P\<^bsub>trm\<^esub>"}\\ @{text "\x\<^isub>1 x\<^isub>2. y = App\<^sup>\ x\<^isub>1 x\<^isub>2 \ P\<^bsub>trm\<^esub>"}\\ @{text "\x\<^isub>1 x\<^isub>2. y = Lam\<^sup>\ x\<^isub>1 x\<^isub>2 \ P\<^bsub>trm\<^esub>"}\\ - @{text "\x\<^isub>1 x\<^isub>2. y = Let\<^sup>\ x\<^isub>1 x\<^isub>2 \ P\<^bsub>trm\<^esub>"} + @{text "\x\<^isub>1 x\<^isub>2 x\<^isub>3. y = Let\<^sup>\ x\<^isub>1 x\<^isub>2 x\<^isub>3 \ P\<^bsub>trm\<^esub>"} \end{array}}\medskip\\ \infer{@{text "P\<^bsub>pat\<^esub>"}} - {\begin{array}{l} + {\begin{array}{@ {}l@ {}} @{text "y = PNil\<^sup>\ \ P\<^bsub>pat\<^esub>"}\\ @{text "\x. y = PVar\<^sup>\ x \ P\<^bsub>pat\<^esub>"}\\ @{text "\x\<^isub>1 x\<^isub>2. y = PTup\<^sup>\ x\<^isub>1 x\<^isub>2 \ P\<^bsub>pat\<^esub>"} @@ -1977,11 +1978,11 @@ \begin{tabular}{@ {}c@ {}} \infer{@{text "P\<^bsub>trm\<^esub> y\<^isub>1 \ P\<^bsub>pat\<^esub> y\<^isub>2"}} - {\begin{array}{l} + {\begin{array}{@ {}l@ {}} @{text "\x. P\<^bsub>trm\<^esub> (Var\<^sup>\ x)"}\\ @{text "\x\<^isub>1 x\<^isub>2. P\<^bsub>trm\<^esub> x\<^isub>1 \ P\<^bsub>trm\<^esub> x\<^isub>2 \ P\<^bsub>trm\<^esub> (App\<^sup>\ x\<^isub>1 x\<^isub>2)"}\\ @{text "\x\<^isub>1 x\<^isub>2. P\<^bsub>trm\<^esub> x\<^isub>2 \ P\<^bsub>trm\<^esub> (Lam\<^sup>\ x\<^isub>1 x\<^isub>2)"}\\ - @{text "\x\<^isub>1 x\<^isub>2. P\<^bsub>pat\<^esub> x\<^isub>1 \ P\<^bsub>trm\<^esub> x\<^isub>2 \ P\<^bsub>trm\<^esub> (Let\<^sup>\ x\<^isub>1 x\<^isub>2)"}\\ + @{text "\x\<^isub>1 x\<^isub>2 x\<^isub>3. P\<^bsub>pat\<^esub> x\<^isub>1 \ P\<^bsub>trm\<^esub> x\<^isub>2 \ P\<^bsub>trm\<^esub> x\<^isub>3 \ P\<^bsub>trm\<^esub> (Let\<^sup>\ x\<^isub>1 x\<^isub>2 x\<^isub>3)"}\\ @{text "P\<^bsub>pat\<^esub> (PNil\<^sup>\)"}\\ @{text "\x. P\<^bsub>pat\<^esub> (PVar\<^sup>\ x)"}\\ @{text "\x\<^isub>1 x\<^isub>2. P\<^bsub>pat\<^esub> x\<^isub>1 \ P\<^bsub>pat\<^esub> x\<^isub>2 \ P\<^bsub>pat\<^esub> (PTup\<^sup>\ x\<^isub>1 x\<^isub>2)"} @@ -2022,13 +2023,13 @@ in terms of support and freshness, but also provides evidence that our notions of free-atoms and alpha-equivalence ``match up''. - \begin{thm} + \begin{thm}\label{suppfa} For @{text "x"}$_{1..n}$ with type @{text "ty\"}$_{1..n}$, we have @{text "supp x\<^isub>i = fa_ty\\<^isub>i x\<^isub>i"}. \end{thm} \begin{proof} - The proof is by induction. In each case + The proof is by induction on @{text "x"}$_{1..n}$. In each case we unfold the definition of @{text "supp"}, move the swapping inside the term-constructors and then use the quasi-injectivity lemmas in order to complete the proof. For the abstraction cases we use then the facts derived in Theorem~\ref{suppabs}, @@ -2052,9 +2053,11 @@ \]\smallskip \noindent - Taking the fact into account that @{term "equ2"} and @{term "supp2"} are - by definition equal to @{term "equal"} and @{term "supp"}, respectively, - the above rules simplify even further to + Taking the fact into account that the compound equivalence relation @{term + "equ2"} and the compound free-atom function @{term "supp2"} are by + definition equal to @{term "equal"} and @{term "supp"}, respectively, the + above rules simplify even further to + \[\mbox{ \begin{tabular}{@ {}c @ {}} @@ -2068,10 +2071,11 @@ \]\smallskip \noindent - which means we can characterise equality between term-constructors in terms - of equality between the abstractions defined in Section~\ref{sec:binders}. From this - we can derive the support for @{text "Let\<^sup>\"} and - @{text "Let_rec\<^sup>\"}, namely + which means we can characterise equality between term-constructors (on the + alpha-equated level) in terms of equality between the abstractions defined + in Section~\ref{sec:binders}. From this we can deduce the support for @{text + "Let\<^sup>\"} and @{text "Let_rec\<^sup>\"}, namely + \[\mbox{ \begin{tabular}{l@ {\hspace{2mm}}l@ {\hspace{2mm}}l} @@ -2096,32 +2100,31 @@ text {* In the previous section we derived induction principles for alpha-equated - terms (see \eqref{induct} and \eqref{inductex}). This was done by lifting - the corresponding inductions principles for ``raw'' terms. We already - employed these induction principles in order to derive several facts for - alpha-equated terms, including the property that the free-variable functions - and the notion of support coincide. Still, we call these induction - principles \emph{weak}, because for a term-constructor, say \mbox{@{text - "C\<^sup>\ x\<^isub>1\x\<^isub>r"}}, the induction hypothesis requires us to - establish (under some assumptions) a property @{text "P (C\<^sup>\ - x\<^isub>1\x\<^isub>r)"} for \emph{all} @{text "x"}$_{1..r}$. The problem is that in the - presence of binders we cannot make any assumptions about the atoms that are - bound, and we have to potentially rename them. This renaming has to be - done manually and is often very cumbersome (especially in the case for + terms (see \eqref{induct} for the general form and \eqref{inductex} for an + instance). This was done by lifting the corresponding inductions principles + for ``raw'' terms. We already employed these induction principles for + deriving several facts for alpha-equated terms, including the property that + the free-variable functions and the notion of support coincide. Still, we + call these induction principles \emph{weak}, because for a term-constructor, + say \mbox{@{text "C\<^sup>\ x\<^isub>1\x\<^isub>r"}}, the induction + hypothesis requires us to establish (under some assumptions) a property + @{text "P (C\<^sup>\ x\<^isub>1\x\<^isub>r)"} for \emph{all} @{text + "x"}$_{1..r}$. The problem is that in the presence of binders we cannot make + any assumptions about the atoms that are bound. One obvious way around this + problem is to rename them. Unfortunately, this leads to very clunky proofs + and makes formalisations grievous experiences (especially in the case for multiple bound atoms). + For the older versions of Nominal Isabelle we introduced in \cite{UrbanTasson05} a method for automatically strengthening weak induction - principles in case of single binders. These stronger induction principles - allow the user to make additional assumptions about bound atoms. The main - point is that these additional assumptions amount to a formal version of the - informal variable convention for binders and nearly always make manual - renaming of binders unnecessary. - - To explain how the strengthening works in the presence of multiple binders, - we use as running example the lambda-calculus with @{text "Let"}-patterns - shown in \eqref{letpat}. Its weak induction principle is given in \eqref{inductex}. - The stronger induction principle is as follows + principles. These stronger induction principles allow the user to make + additional assumptions about bound atoms. The advantage of these assumptions + is that they make in most cases any renaming of bound atoms unnecessary. To + explain how the strengthening works in the presence of multiple binders, we + use as running example the lambda-calculus with @{text "Let"}-patterns shown + in \eqref{letpat}. Its weak induction principle is given in + \eqref{inductex}. The stronger induction principle is as follows: \begin{equation}\label{stronginduct} \mbox{ @@ -2130,8 +2133,9 @@ {\begin{array}{l} @{text "\x c. P\<^bsub>trm\<^esub> c (Var\<^sup>\ x)"}\\ @{text "\x\<^isub>1 x\<^isub>2 c. (\d. P\<^bsub>trm\<^esub> d x\<^isub>1) \ (\d. P\<^bsub>trm\<^esub> d x\<^isub>2) \ P\<^bsub>trm\<^esub> c (App\<^sup>\ x\<^isub>1 x\<^isub>2)"}\\ - @{text "\x\<^isub>1 x\<^isub>2 c. {atom x\<^isub>1} #\<^sup>* c \ (\d. P\<^bsub>trm\<^esub> d x\<^isub>2) \ P\<^bsub>trm\<^esub> c (Lam\<^sup>\ x\<^isub>1 x\<^isub>2)"}\\ - @{text "\x\<^isub>1 x\<^isub>2 c. (set (bn\<^sup>\ x\<^isub>1)) #\<^sup>* c \ (\d. P\<^bsub>pat\<^esub> d x\<^isub>1) \ (\d. P\<^bsub>trm\<^esub> d x\<^isub>2) \ P\<^bsub>trm\<^esub> c (Let\<^sup>\ x\<^isub>1 x\<^isub>2)"}\\ + @{text "\x\<^isub>1 x\<^isub>2 c. atom x\<^isub>1 # c \ (\d. P\<^bsub>trm\<^esub> d x\<^isub>2) \ P\<^bsub>trm\<^esub> c (Lam\<^sup>\ x\<^isub>1 x\<^isub>2)"}\\ + @{text "\x\<^isub>1 x\<^isub>2 x\<^isub>3 c. (set (bn\<^sup>\ x\<^isub>1)) #\<^sup>* c \"}\\ + \hspace{10mm}@{text "(\d. P\<^bsub>pat\<^esub> d x\<^isub>1) \ (\d. P\<^bsub>trm\<^esub> d x\<^isub>2) \ (\d. P\<^bsub>trm\<^esub> d x\<^isub>3) \ P\<^bsub>trm\<^esub> c (Let\<^sup>\ x\<^isub>1 x\<^isub>2 x\<^isub>3)"}\\ @{text "\c. P\<^bsub>pat\<^esub> c (PNil\<^sup>\)"}\\ @{text "\x c. P\<^bsub>pat\<^esub> c (PVar\<^sup>\ x)"}\\ @{text "\x\<^isub>1 x\<^isub>2 c. (\d. P\<^bsub>pat\<^esub> d x\<^isub>1) \ (\d. P\<^bsub>pat\<^esub> d x\<^isub>2) \ P\<^bsub>pat\<^esub> c (PTup\<^sup>\ x\<^isub>1 x\<^isub>2)"} @@ -2141,45 +2145,122 @@ \noindent - Instead of establishing the two properties @{text " P\<^bsub>trm\<^esub> y\<^isub>1 \ - P\<^bsub>pat\<^esub> y\<^isub>2"}, as the weak one does, the stronger - induction principle establishes the properties @{text " P\<^bsub>trm\<^esub> c - y\<^isub>1 \ P\<^bsub>pat\<^esub> c y\<^isub>2"} in which the additional - parameter @{text c} is assumed to be of finite support. The purpose of - @{text "c"} is to ``control'' which freshness assumptions the binders should - satisfy in the @{text "Lam\<^sup>\"} and @{text "Let\<^sup>\"} cases (these are the cases - where the user specified some binding clauses). + Instead of establishing the two properties @{text " P\<^bsub>trm\<^esub> + y\<^isub>1 \ P\<^bsub>pat\<^esub> y\<^isub>2"}, as the weak one does, the + stronger induction principle establishes the properties @{text " + P\<^bsub>trm\<^esub> c y\<^isub>1 \ P\<^bsub>pat\<^esub> c y\<^isub>2"} in + which the additional parameter @{text c} is assumed to be of finite + support. The purpose of @{text "c"} is to ``control'' which freshness + assumptions the binders should satisfy in the @{text "Lam\<^sup>\"} and + @{text "Let\<^sup>\"} cases: for @{text "Lam\<^sup>\"} we can assume the + bound atom @{text "x\<^isub>1"} is fresh for @{text "c"}; for @{text + "Let\<^sup>\"} we can assume all bound atoms from an assignment are fresh + for @{text "c"}. If @{text "c"} is instantiated appropriately, the user can + mimic the ``pencil-and-paper'' reasoning employing the usual variable + convention. In what follows we will show that the induction principle in - \eqref{inductex} implies \eqref{stronginduct}. This fact was established in - \cite{UrbanTasson05} by some quite involved, nevertheless automated, - induction proof. In this paper we simplify the proof by leveraging the - automated proof methods from the function package of Isabelle/HOL - \cite{Krauss09}. The reasoning principle behind these methods is - well-founded induction. To use them in our setting, we have to discharge two - proof obligations: one is that we have well-founded measures (one for each type - @{text "ty"}$^\alpha_{1..n}$) that decrease in every induction step and the - other is that we have covered all cases. + \eqref{inductex} implies \eqref{stronginduct}. This fact was established for + single binders in \cite{UrbanTasson05} by some quite involved, nevertheless + automated, induction proof. In this paper we simplify the proof by + leveraging the automated proof methods from the function package of + Isabelle/HOL \cite{Krauss09}. The reasoning principle behind these methods + is well-founded induction. To use them in our setting, we have to discharge + two proof obligations: one is that we have well-founded measures (one for + each type @{text "ty"}$^\alpha_{1..n}$) that decrease in every induction + step and the other is that we have covered all cases. Once these two + proof obligations are discharged, the reasoning infrastructure in + the function package will automatically derive the stronger induction + principle. This considerably simplifies the work we have to do. As measures we can use the size functions @{text "size_ty"}$^\alpha_{1..n}$, which we lifted in the previous section and which are all well-founded. It - is straightforward to establish that these measures decrease in every + is straightforward to establish that the sizes decrease in every induction step. What is left to show is that we covered all cases. - To do so, we use a \emph{cases lemma} derived for each type. For the terms in \eqref{letpat} - this lemma is of the form - - \begin{equation}\label{weakcases} + To do so, we have to derive stronger cases lemmas, which look in our + running example as follows: + + \[\mbox{ + \begin{tabular}{@ {}c@ {\hspace{6mm}}c@ {}} \infer{@{text "P\<^bsub>trm\<^esub>"}} - {\begin{array}{l@ {\hspace{9mm}}l} - @{text "\x. t = Var x \ P\<^bsub>trm\<^esub>"} & @{text "\a t'. t = Lam a t' \ P\<^bsub>trm\<^esub>"}\\ - @{text "\t\<^isub>1 t\<^isub>2. t = App t\<^isub>1 t\<^isub>2 \ P\<^bsub>trm\<^esub>"} & @{text "\p t'. t = Let p t' \ P\<^bsub>trm\<^esub>"}\\ - \end{array}}\\[-1mm] - \end{equation} - - where we have a premise for each term-constructor. - The idea behind such cases lemmas is that we can conclude with a property @{text "P\<^bsub>trm\<^esub>"}, - provided we can show that this property holds if we substitute for @{text "t"} all - possible term-constructors. + {\begin{array}{@ {}l@ {}} + @{text "\x. y = Var\<^sup>\ x \ P\<^bsub>trm\<^esub>"}\\ + @{text "\x\<^isub>1 x\<^isub>2. y = App\<^sup>\ x\<^isub>1 x\<^isub>2 \ P\<^bsub>trm\<^esub>"}\\ + @{text "\x\<^isub>1 x\<^isub>2. atom x\<^isub>1 # c \ y = Lam\<^sup>\ x\<^isub>1 x\<^isub>2 \ P\<^bsub>trm\<^esub>"}\\ + @{text "\x\<^isub>1 x\<^isub>2 x\<^isub>3. set (bn\<^sup>\ x\<^isub>1) #\<^sup>* c \ y = Let\<^sup>\ x\<^isub>1 x\<^isub>2 x\<^isub>3 \ P\<^bsub>trm\<^esub>"} + \end{array}} & + + \infer{@{text "P\<^bsub>pat\<^esub>"}} + {\begin{array}{@ {}l@ {}} + @{text "y = PNil\<^sup>\ \ P\<^bsub>pat\<^esub>"}\\ + @{text "\x. y = PVar\<^sup>\ x \ P\<^bsub>pat\<^esub>"}\\ + @{text "\x\<^isub>1 x\<^isub>2. y = PTup\<^sup>\ x\<^isub>1 x\<^isub>2 \ P\<^bsub>pat\<^esub>"} + \end{array}} + \end{tabular}} + \]\smallskip + + \noindent + These stronger cases lemmas need to be derived from the `weak' cases lemmas given + in \eqref{inductex}. This is trivial in case of patterns (the one on the right-hand side) + since weak and strong cases lemma coincide (there is no binding in patterns). + Interesting are only the cases for @{text "Lam\<^sup>\"} and @{text "Let\<^sup>\"}. There the + stronger cases lemma allow us to assume that the bound atoms avoid the context @{text "c"} + (which is assumed to be finitely supported). + + Let us show first establish the simpler case for @{text "Lam\<^sup>\"}. By the weak cases lemma + \eqref{inductex} we can assume that + + \begin{equation}\label{assm} + @{text "y = Lam\<^sup>\ x\<^isub>1 x\<^isub>2"} + \end{equation}\smallskip + + \noindent + holds and need to establish @{text "P\<^bsub>trm\<^esub>"}. The stronger cases lemma has the implication + + \begin{equation}\label{imp} + @{text "\x\<^isub>1 x\<^isub>2. atom x\<^isub>1 # c \ y = Lam\<^sup>\ x\<^isub>1 x\<^isub>2 \ P\<^bsub>trm\<^esub>"} + \end{equation}\smallskip + + \noindent + which we can use to infer @{text "P\<^bsub>trm\<^esub>"}. Clearly, we cannot + use this implication directly, because we have no information whether @{text + "x\<^isub>1"} is fresh for @{text "c"}. However, we can use Properties + \ref{supppermeq} and \ref{avoiding} to rename @{text "x\<^isub>1"}. We know + by Theorem~\ref{suppfa} that @{text "{atom x\<^isub>1} #\<^sup>* Lam\<^sup>\ + x\<^isub>1 x\<^isub>2"} (since its support is @{text "supp x\<^isub>2 - + {atom x\<^isub>1}"}). Property \ref{avoiding} provides us therefore with a + permutation @{text "\"}, such that @{text "{atom (\ \ x\<^isub>1)} #\<^sup>* + c"} and \mbox{@{text "supp (Lam\<^sup>\ x\<^isub>1 x\<^isub>2) #\<^sup>* \"}} hold. + By using Property \ref{supppermeq}, we can infer from the latter that @{text + "Lam\<^sup>\ (\ \ x\<^isub>1) (\ \ x\<^isub>2) = Lam\<^sup>\ x\<^isub>1 x\<^isub>2"}. We can use this in the assumption + \eqref{assm} and then use \eqref{imp} to conclude this case. + + The @{text "Let\<^sup>\"}-case involving a (non-recursive) deep binder is more complicated. + We have the assumption + + \begin{equation}\label{assm} + @{text "y = Let\<^sup>\ x\<^isub>1 x\<^isub>2 x\<^isub>3"} + \end{equation}\smallskip + + \noindent + and as implication + + \[ + + \]\smallskip + + + The reason is that the we cannot apply Property \ref{avoiding} to the whole term @{text "Let p t"}, + because @{text p} might contain names bound by @{text bn}, but also some that are + free. To solve this problem we have to introduce a permutation function that only + permutes names bound by @{text bn} and leaves the other names unchanged. We do this again + by lifting. For a + clause @{text "bn (C x\<^isub>1 \ x\<^isub>r) = rhs"}, we define + + + {\bf NOT DONE YET} + + {\it The only remaining difficulty is that in order to derive the stronger induction principles conveniently, the cases lemma in \eqref{weakcases} is too weak. For this note that @@ -2187,31 +2268,8 @@ \emph{all} @{text Let}-terms. What we need instead is a cases lemma where we only have to consider terms that have binders that are fresh w.r.t.~a context @{text "c"}. This gives the implications - - \begin{center} - \begin{tabular}{l} - @{text "\a t'. t = Lam a t' \ {atom a} \\<^sup>* c \ P\<^bsub>trm\<^esub>"}\\ - @{text "\p t'. t = Let p t' \ (set (bn p)) \\<^sup>* c \ P\<^bsub>trm\<^esub>"}\\[-2mm] - \end{tabular} - \end{center} + - \noindent - which however can be relatively easily be derived from the implications in \eqref{weakcases} - by a renaming using Properties \ref{supppermeq} and \ref{avoiding}. In the first case we know - that @{text "{atom a} \\<^sup>* Lam a t"}. Property \eqref{avoiding} provides us therefore with - a permutation @{text q}, such that @{text "{atom (q \ a)} \\<^sup>* c"} and - @{text "supp (Lam a t) \\<^sup>* q"} hold. - By using Property \ref{supppermeq}, we can infer from the latter - that @{text "Lam (q \ a) (q \ t) = Lam a t"} - and we are done with this case. - - The @{text Let}-case involving a (non-recursive) deep binder is a bit more complicated. - The reason is that the we cannot apply Property \ref{avoiding} to the whole term @{text "Let p t"}, - because @{text p} might contain names bound by @{text bn}, but also some that are - free. To solve this problem we have to introduce a permutation function that only - permutes names bound by @{text bn} and leaves the other names unchanged. We do this again - by lifting. For a - clause @{text "bn (C x\<^isub>1 \ x\<^isub>r) = rhs"}, we define \begin{center} @{text "p \\<^bsub>bn\<^esub> (C x\<^isub>1 \ x\<^isub>r) \ C y\<^isub>1 \ y\<^isub>r"} with @@ -2242,12 +2300,6 @@ principle. - - A natural question is - whether we can also strengthen the weak induction principles involving - the general binders presented here. We will indeed be able to so, but for this we need an - additional notion for permuting deep binders. - Given a binding function @{text "bn"} we define an auxiliary permutation operation @{text "_ \\<^bsub>bn\<^esub> _"} which permutes only bound arguments in a deep binder. Assuming a clause of @{text bn} is given as @@ -2311,88 +2363,10 @@ This fact will be crucial when establishing the strong induction principles below. - In our running example about @{text "Let"}, the strong induction - principle means that instead - of establishing the implication - - \begin{center} - @{text "\p t\<^isub>1 t\<^isub>2. P\<^bsub>pat\<^esub> p \ P\<^bsub>trm\<^esub> t\<^isub>1 \ P\<^bsub>trm\<^esub> t\<^isub>2 \ P\<^bsub>trm\<^esub> (Let p t\<^isub>1 t\<^isub>2)"} - \end{center} - - \noindent - it is sufficient to establish the following implication - - \begin{equation}\label{strong} - \mbox{\begin{tabular}{l} - @{text "\p t\<^isub>1 t\<^isub>2 c."}\\ - \hspace{5mm}@{text "set (bn p) #\<^sup>* c \"}\\ - \hspace{5mm}@{text "(\d. P\<^bsub>pat\<^esub> d p) \ (\d. P\<^bsub>trm\<^esub> d t\<^isub>1) \ (\d. P\<^bsub>trm\<^esub> d t\<^isub>2)"}\\ - \hspace{15mm}@{text "\ P\<^bsub>trm\<^esub> c (Let p t\<^isub>1 t\<^isub>2)"} - \end{tabular}} - \end{equation} - - \noindent - While this implication contains an additional argument, namely @{text c}, and - also additional universal quantifications, it is usually easier to establish. - The reason is that we have the freshness - assumption @{text "set (bn\<^sup>\ p) #\<^sup>* c"}, whereby @{text c} can be arbitrarily - chosen by the user as long as it has finite support. - - Let us now show how we derive the strong induction principles from the - weak ones. In case of the @{text "Let"}-example we derive by the weak - induction the following two properties - - \begin{equation}\label{hyps} - @{text "\q c. P\<^bsub>trm\<^esub> c (q \ t)"} \hspace{4mm} - @{text "\q\<^isub>1 q\<^isub>2 c. P\<^bsub>pat\<^esub> (q\<^isub>1 \\\<^bsub>bn\<^esub> (q\<^isub>2 \ p))"} - \end{equation} - - \noindent - For the @{text Let} term-constructor we therefore have to establish @{text "P\<^bsub>trm\<^esub> c (q \ Let p t\<^isub>1 t\<^isub>2)"} - assuming \eqref{hyps} as induction hypotheses (the first for @{text t\<^isub>1} and @{text t\<^isub>2}). - By Property~\ref{avoiding} we - obtain a permutation @{text "r"} such that - - \begin{equation}\label{rprops} - @{term "(r \ set (bn (q \ p))) \* c "}\hspace{4mm} - @{term "supp (Abs_lst (bn (q \ p)) (q \ t\<^isub>2)) \* r"} - \end{equation} - - \noindent - hold. The latter fact and \eqref{renaming} give us - - \begin{center} - \begin{tabular}{l} - @{text "Let (q \ p) (q \ t\<^isub>1) (q \ t\<^isub>2) ="} \\ - \hspace{15mm}@{text "Let (r \\\<^bsub>bn\<^esub> (q \ p)) (q \ t\<^isub>1) (r \ (q \ t\<^isub>2))"} - \end{tabular} - \end{center} - - \noindent - So instead of proving @{text "P\<^bsub>trm\<^esub> c (q \ Let p t\<^isub>1 t\<^isub>2)"}, we can equally - establish @{text "P\<^bsub>trm\<^esub> c (Let (r \\\<^bsub>bn\<^esub> (q \ p)) (q \ t\<^isub>1) (r \ (q \ t\<^isub>2)))"}. - To do so, we will use the implication \eqref{strong} of the strong induction - principle, which requires us to discharge - the following four proof obligations: - - \begin{center} - \begin{tabular}{rl} - {\it (i)} & @{text "set (bn (r \\\<^bsub>bn\<^esub> (q \ p))) #\<^sup>* c"}\\ - {\it (ii)} & @{text "\d. P\<^bsub>pat\<^esub> d (r \\\<^bsub>bn\<^esub> (q \ p))"}\\ - {\it (iii)} & @{text "\d. P\<^bsub>trm\<^esub> d (q \ t\<^isub>1)"}\\ - {\it (iv)} & @{text "\d. P\<^bsub>trm\<^esub> d (r \ (q \ t\<^isub>2))"}\\ - \end{tabular} - \end{center} - - \noindent - The first follows from \eqref{rprops} and Lemma~\ref{permutebn}.{\it (i)}; the - others from the induction hypotheses in \eqref{hyps} (in the fourth case - we have to use the fact that @{term "(r \ (q \ t\<^isub>2)) = (r + q) \ t\<^isub>2"}). - - Taking now the identity permutation @{text 0} for the permutations in \eqref{hyps}, - we can establish our original goals, namely @{text "P\<^bsub>trm\<^esub> c t"} and \mbox{@{text "P\<^bsub>pat\<^esub> c p"}}. + This completes the proof showing that the weak induction principles imply the strong induction principles. + } *}