diff -r 6ca795b1cd76 -r 26e44bcddb5b Paper/Paper.thy --- a/Paper/Paper.thy Fri Apr 02 07:59:03 2010 +0200 +++ b/Paper/Paper.thy Fri Apr 02 13:12:10 2010 +0200 @@ -1485,7 +1485,7 @@ \noindent We can feed this lemma into our quotient package and obtain new types @{text - "ty"}$^\alpha_{1..n}$ representing alpha-equated terms. We also obtain + "ty\\<^bsub>1..n\<^esub>"} representing alpha-equated terms of types @{text "ty\<^bsub>1..n\<^esub>"}. We also obtain definitions for the term-constructors @{text "C"}$^\alpha_{1..m}$ from the raw term-constructors @{text "C"}$_{1..m}$, and similar definitions for the free-variable functions @{text @@ -1516,16 +1516,16 @@ package needs to know that the term-constructors @{text "C\<^isub>i"} and @{text "C\<^isub>j"} are \emph{respectful} w.r.t.~the alpha-equivalence relations (see \cite{Homeier05}). Assuming @{text "C\<^isub>i"} is of type @{text "ty"} with argument types - @{text "C ty\<^isub>1 \ ty\<^isub>n"}, then respectfulness amounts to showing + @{text "ty\<^isub>1, \, ty\<^isub>n"}, then respectfulness amounts to showing that \begin{center} - @{text "C x\<^isub>1 \ x\<^isub>n \ty C y\<^isub>1 \ y\<^isub>n"} + @{text "C\<^isub>i x\<^isub>1 \ x\<^isub>n \ty C\<^isub>i y\<^isub>1 \ y\<^isub>n"} \end{center} \noindent are alpha-equivalent under the assumption that @{text "x\<^isub>i \ty\<^isub>i y\<^isub>i"} holds for all recursive arguments - and @{text "x\<^isub>i = y\<^isub>i"} holds for all non-recursive arguments. We can prove this by - analysing the definition of @{text "\ty"}. For this to succeed we have to establish + and @{text "x\<^isub>i = y\<^isub>i"} holds for all non-recursive arguments of @{text "C\<^isub>i"}. We can prove this by + analysing the definition of @{text "\ty"}. For this proof to succeed we have to establish the following auxiliary fact about binding functions. Given a binding function @{text bn\<^isub>i} defined for the type @{text ty\<^isub>i}, we have that % @@ -1538,10 +1538,10 @@ Having established respectfulness for every raw term-constructor, the quotient package is able to automatically deduce \eqref{distinctalpha} from \eqref{distinctraw}. - In fact we can from now on lift any fact from the raw level to the alpha-equated level that - apart from variables only contains the raw term-constructors. The - induction principles derived by the datatype package in Isabelle/HOL for teh types @{text - "ty"}$^\alpha_{1..n}$ fall into this category. So we can also add to our infrastructure + In fact we can from now on lift facts from the raw level to the alpha-equated level + as long as they contain raw term-constructors only. The + induction principles derived by the datatype package in Isabelle/HOL for the types @{text + "ty\\<^bsub>1..n\<^esub>"} fall into this category. So we can also add to our infrastructure induction principles that establish \begin{center} @@ -1550,7 +1550,7 @@ \noindent for all @{text "y\<^isub>i"} wherby the variables @{text "P\<^bsub>ty\<^isub>i\<^esub>"} stand for properties - defined over the types @{text "ty\<^isub>1\<^isup>\ \ ty\<^isub>n\<^isup>\"}. The premises of + defined over the types @{text "ty\\<^isub>1 \ ty\\<^isub>n"}. The premises of these induction principles look as follows @@ -1567,32 +1567,33 @@ we have to know that the permutation operations are respectful w.r.t.~alpha-equivalence. This amounts to showing that the alpha-equivalence relations are equivariant, which we already established - in Lemma~\ref{equiv}. As a result we can add the equations + in Lemma~\ref{equiv}. As a result we can establish the equations \begin{equation}\label{ceqvt} @{text "p \ (C\<^sup>\ x\<^isub>1 \ x\<^isub>n) = C\<^sup>\ (p \ x\<^isub>1) \ (p \ x\<^isub>n)"} \end{equation} \noindent - to our infrastructure. In a similar fashion we can lift the equations - characterising the free-variable functions @{text "fn_ty\\<^isub>j"} and the + for our infrastructure. In a similar fashion we can lift the equations + characterising the free-variable functions @{text "fn_ty\\<^isub>j"} and @{text "fv_bn\\<^isub>k"}, and the binding functions @{text "bn\\<^isub>k"}. The necessary respectfulness lemmas for this - lifting are the two properties: + lifting are the properties: % \begin{equation}\label{fnresp} \mbox{% \begin{tabular}{l} @{text "x \ty\<^isub>j y"} implies @{text "fv_ty\<^isub>j x = fv_ty\<^isub>j y"}\\ - @{text "x \ty\<^isub>j y"} implies @{text "bn\<^isub>k x = bn\<^isub>k y"} + @{text "x \ty\<^isub>k y"} implies @{text "fv_bn\<^isub>k x = fv_bn\<^isub>k y"}\\ + @{text "x \ty\<^isub>k y"} implies @{text "bn\<^isub>k x = bn\<^isub>k y"} \end{tabular}} \end{equation} \noindent which can be established by induction on @{text "\ty"}. Whereas the first property is always true by the way how we defined the free-variable - functions, the second does \emph{not} hold in general. There is, in principle, + functions for types, the second and third do \emph{not} hold in general. There is, in principle, the possibility that the user defines @{text "bn\<^isub>k"} so that it returns an already bound - variable. Then the second property is just not true. However, our + variable. Then the third property is just not true. However, our restrictions imposed on the binding functions exclude this possibility. @@ -1613,36 +1614,38 @@ \noindent We call these conditions as \emph{quasi-injectivity}. Except for one function, which - we have to lift in the next section, this stage completes - the lifting part of establishing the reasoning infrastructure. From - now on, we can almost completely ``forget'' about the raw types @{text "ty\<^bsub>1..n\<^esub>"} and only - reason about @{text "ty\\<^bsub>1..n\<^esub>"}. + we have to lift in the next section, we completed + the lifting part of establishing the reasoning infrastructure. - We can first show that the free-variable functions and binding functions + Working bow completely on the alpha-equated level, we can first show that + the free-variable functions and binding functions are equivariant, namely \begin{center} \begin{tabular}{rcl} @{text "p \ (fv_ty\<^sup>\ x)"} & $=$ & @{text "fv_ty\<^sup>\ (p \ x)"}\\ + @{text "p \ (fv_bn\<^sup>\ x)"} & $=$ & @{text "fv_bn\<^sup>\ (p \ x)"}\\ @{text "p \ (bn\<^sup>\ x)"} & $=$ & @{text "bn\<^sup>\ (p \ x)"} \end{tabular} \end{center} \noindent - These two properties can be established by structural induction over the @{text x}. + These properties can be established by structural induction over the @{text x} + (using the induction principles we lifted above for the types @{text "ty\\<^bsub>1..n\<^esub>"}). - Until now we have not yet derived any fact about the support of the - alpha-equated terms. Using the equivariance properties in \eqref{ceqvt} we can + Until now we have not yet derived anything about the support of the + alpha-equated terms. This however will be necessary in order to derive + the strong induction principles in the next section. + Using the equivariance properties in \eqref{ceqvt} we can show for every term-constructor @{text "C\<^sup>\"} that \begin{center} - @{text "supp x\<^isub>1 \ \ supp x\<^isub>n supports (C\<^sup>\ x\<^isub>1 \ x\<^isub>n)"}. + @{text "(supp x\<^isub>1 \ \ supp x\<^isub>n) supports (C\<^sup>\ x\<^isub>1 \ x\<^isub>n)"} \end{center} \noindent - This together with Property~\ref{supportsprop} allows us to show + holds. This together with Property~\ref{supportsprop} allows us to show - \begin{center} @{text "finite (supp x\<^isub>i)"} \end{center} @@ -1660,16 +1663,16 @@ \begin{proof} The proof proceeds by structural induction over the @{text "x\<^isub>i"}. In each case we unfold the definition of @{text "supp"}, move the swapping inside the - term-constructors and the use the quasi-injectivity lemmas in order to complete the - proof. + term-constructors and the use then quasi-injectivity lemmas in order to complete the + proof. For the abstraction cases we use the facts derived in Theorem~\ref{suppabs}. \end{proof} \noindent - To sum up this section, we established a reasoning infrastructure + To sum up, we can established automatically a reasoning infrastructure for the types @{text "ty\\<^isub>1, \, ty\\<^isub>n"} by first lifting definitions from the raw level to the quotient level and then establish facts about these lifted definitions. All necessary proofs - are generated automatically by custom ML-code we implemented. This code can deal with + are generated automatically by custom ML-code. This code can deal with specifications like the one shown in Figure~\ref{nominalcorehas} for Core-Haskell. \begin{figure}[t!] @@ -1750,7 +1753,7 @@ text {* In the previous section we were able to provide induction principles that allow us to perform structural inductions over alpha-equated terms. - We call such induction principles \emph{weak}, because in case of a term-contructor @{text "C\<^sup>\ x\<^isub>1 \ x\<^isub>n"}, + We call such induction principles \emph{weak}, because in case of a term-constructor @{text "C\<^sup>\ x\<^isub>1 \ x\<^isub>n"}, the induction hypothesis requires us to establish the implication % \begin{equation}\label{weakprem} @@ -1759,10 +1762,9 @@ \noindent where the @{text "x\<^isub>i, \, x\<^isub>j"} are the recursive arguments of @{text "C\<^sup>\"}. - The problem with this implication is that in general it is not easy to establish this - implication + The problem with this implication is that in general it is not easy to establish it. The reason is we cannot make any assumption about the binders in @{text "C\<^sup>\"} - (for example we cannot assume the variable convention). + (for example we cannot assume the variable convention for them). In \cite{UrbanTasson05} we introduced a method for automatically strengthening weak induction principles for terms containing single @@ -1772,12 +1774,12 @@ version of the informal variable convention for binders. A natural question is whether we can also strengthen the weak induction principles involving general binders. We will indeed be able to so, but for this we need an - additional notion of permuting deep binders. + additional notion for permuting deep binders. Given a binding function @{text "bn"} we define an auxiliary permutation operation @{text "_ \\<^bsub>bn\<^esub> _"} which permutes only bound arguments in a deep binder. - Given a clause of @{text bn} is defined as @{text "bn (C x\<^isub>1 \ x\<^isub>n) = rhs"}, then - % + Assuming a clause of @{text bn} is defined as @{text "bn (C x\<^isub>1 \ x\<^isub>n) = rhs"}, then + we define % \begin{center} @{text "p \\<^bsub>bn\<^esub> (C x\<^isub>1 \ x\<^isub>n) \ C y\<^isub>1 \ y\<^isub>n"} \end{center} @@ -1795,9 +1797,10 @@ \noindent Using the quotient package again we can lift the @{text "_ \\<^bsub>bn\<^esub> _"} function to - alpha-equated terms. We can then prove: + alpha-equated terms. We can then prove the following two facts - \begin{lemma} Given a binding function @{text "bn\<^sup>\"} then for all @{text p} + \begin{lemma}\label{permutebn} + Given a binding function @{text "bn\<^sup>\"} then for all @{text p} {\it i)} @{text "p \ (bn\<^sup>\ x) = bn\<^sup>\ (p \\<^bsub>bn\<^sup>\\<^esub> x)"} and {\it ii)} @{text "fv_bn\<^isup>\ x = fv_bn\<^isup>\ (p \\<^bsub>bn\<^sup>\\<^esub> x)"}. \end{lemma} @@ -1814,96 +1817,103 @@ effect on the free-variable function. The main point of this permutation function, however, is that if we have a permutation that is fresh for the support of an object @{text x}, then we can use this permutation - to rename the binders, without ``changing'' the term. In case of the + to rename the binders in @{text x}, without ``changing'' @{text x}. In case of the @{text "Let"} term-constructor from the example shown - in \eqref{letpat} this means: - - \begin{center} - if @{term "supp (Abs_lst (bn p) t) \* q"} then @{text "Let p t = Let (q \\<^bsub>bn\<^bsub>pat\<^esub>\<^esub> p) (q \ t)"} - \end{center} + \eqref{letpat} this means for a permutation @{text "r"}: + % + \begin{equation}\label{renaming} + \mbox{if @{term "supp (Abs_lst (bn p) t) \* r"} + then @{text "Let p t = Let (r \\<^bsub>bn\<^bsub>pat\<^esub>\<^esub> p) (r \ t)"}} + \end{equation} \noindent This fact will be used when establishing the strong induction principles. - They state that instead of establishing the implication + + + In our running example about @{text "Let"}, they state that instead + of establishing the implication \begin{center} - @{text "\p t\<^isub>1 t\<^isub>2. P\<^bsub>pat\<^esub> p \ P\<^bsub>trm\<^esub> t\<^isub>1 \ P\<^bsub>trm\<^esub> t\<^isub>2 \ P\<^bsub>trm\<^esub> (Let p t\<^isub>1 t\<^isub>2)"} + @{text "\p t. P\<^bsub>pat\<^esub> p \ P\<^bsub>trm\<^esub> t \ P\<^bsub>trm\<^esub> (Let p t)"} \end{center} \noindent it is sufficient to establish the following implication - + % + \begin{equation}\label{strong} + \mbox{\begin{tabular}{l} + @{text "\p t c."}\\ + \hspace{5mm}@{text "set (bn p) #\<^sup>* c \ (\d. P\<^bsub>pat\<^esub> d p) \ (\d. P\<^bsub>trm\<^esub> d t)"}\\ + \hspace{15mm}@{text "\ P\<^bsub>trm\<^esub> c (Let p t)"} + \end{tabular}} + \end{equation} + + \noindent + While this implication contains an additional argument, namely @{text c}, and + also additional universal quantifications, it is usually easier to establish. + The reason is that we can make the freshness + assumption @{text "set (bn\<^sup>\ p) #\<^sup>* c"}, whereby @{text c} can be arbitrarily + chosen by the user as long as it has finite support. + + Let us now show how we derive the strong induction principles from the + weak ones. In case of the @{text "Let"}-example we derive by the weak + induction the following two properties + % + \begin{equation}\label{hyps} + @{text "\q c. P\<^bsub>trm\<^esub> c (q \ t)"} \hspace{4mm} + @{text "\q\<^isub>1 q\<^isub>2 c. P\<^bsub>pat\<^esub> (q\<^isub>1 \\<^bsub>bn\<^esub> (q\<^isub>2 \ p))"} + \end{equation} + + \noindent + For the @{text Let} term-constructor we therefore have to establish @{text "P\<^bsub>trm\<^esub> c (q \ Let p t)"} + assuming \eqref{hyps} as induction hypotheses. By Property~\ref{avoiding} we + obtain a permutation @{text "r"} such that + % + \begin{equation}\label{rprops} + @{term "(r \ set (bn (q \ p))) \* c "}\hspace{4mm} + @{term "supp (Abs_lst (bn (q \ p)) (q \ t)) \* r"} + \end{equation} + + \noindent + hold. The latter fact and \eqref{renaming} give us + \begin{center} - \begin{tabular}{l} - @{text "\p t\<^isub>1 t\<^isub>2 c."}\\ - \hspace{5mm}@{text "set (bn\<^sup>\ p) #\<^sup>* c \"}\\ - \hspace{5mm}@{text "(\d. P\<^bsub>pat\<^esub> d p) \ (\d. P\<^bsub>trm\<^esub> d t\<^isub>1) \ (\d. P\<^bsub>trm\<^esub> d t\<^isub>2)"}\\ - \hspace{15mm}@{text "\ P\<^bsub>trm\<^esub> c (Let p t\<^isub>1 t\<^isub>2)"} + @{text "Let (q \ p) (q \ t) = Let (r \\<^bsub>bn\<^esub> (q \ p)) (r \ (q \ t))"} + \end{center} + + \noindent + So instead of proving @{text "P\<^bsub>trm\<^esub> c (q \ Let p t)"}, we are can equally + establish + + \begin{center} + @{text "P\<^bsub>trm\<^esub> c (Let (r \\<^bsub>bn\<^esub> (q \ p)) (r \ (q \ t)))"} + \end{center} + + \noindent + To do so, we will use the implication \eqref{strong} of the strong induction + principle, which requires us to discharge + the following three proof obligations: + + \begin{center} + \begin{tabular}{rl} + {\it i)} & @{text "set (bn (r \\<^bsub>bn\<^esub> (q \ p))) #\<^sup>* c"}\\ + {\it ii)} & @{text "\d. P\<^bsub>pat\<^esub> d (r \\<^bsub>bn\<^esub> (q \ p))"}\\ + {\it iii)} & @{text "\d. P\<^bsub>trm\<^esub> d (r \ (q \ t))"}\\ \end{tabular} \end{center} - \noindent - While this implication contains an additional argument, @{text c}, and - also additional universal quantifications, it is usually easier to establish. - The reason is that in the case of @{text "Let"} we can make the freshness - assumption @{text "set (bn\<^sup>\ p) #\<^sup>* c"}, wherby @{text c} can be arbitrarily - chosen by the user as long as it has finite support. - - With the help of @{text "\bn"} functions defined in the previous section - we can show that binders can be substituted in term constructors. We show - this only for the specification from Figure~\ref{nominalcorehas}. The only - constructor with a complicated binding structure is @{text "ACons"}. For this - constructor we prove: - \begin{eqnarray} - \lefteqn{@{text "supp (Abs_lst (bv pat) trm) \* \ \"}} \nonumber \\ - & & @{text "ACons pat trm al = ACons (\ \bv pat) (\ \ trm) al"} \nonumber - \end{eqnarray} - - \noindent With the Property~\ref{avoiding} we can prove a strong induction principle - which we show again only for the interesting constructors in the Core Haskell - example. We first show the weak induction principle for comparison: + \noindent + The first follows from \eqref{rprops} and Lemma~\ref{permutebn}.{\it i)}; the + second and third from the induction hypotheses in \eqref{hyps} (in the latter case + we have to use the fact that @{term "(r \ (q \ t)) = (r + q) \ t"}). -\begin{equation}\nonumber -\infer -{ - \textrm{The properties }@{text "P1, P2, \, P12"}\textrm{ hold for all }@{text "tkind, ckind, \"} -}{ - \begin{tabular}{cp{7cm}} -%% @{text "P1 KStar"}\\ -%% @{text "\tk1 tk2. \<^raw:\big(>P1 tk1 \ P1 tk2\<^raw:\big)> \ P1 (KFun tk1 tk2)"}\\ -%% @{text "\"}\\ - @{text "\v ty t1 t2. \<^raw:\big(>P3 ty \ P7 t1 \ P7 t2\<^raw:\big)> \ P7 (Let v ty t1 t2)"}\\ - @{text "\p t al. \<^raw:\big(>P9 p \ P7 t \ P8 al\<^raw:\big)> \ P8 (ACons p t al)"}\\ - @{text "\"} - \end{tabular} -} -\end{equation} - - - \noindent In comparison, the cases for the same constructors in the derived strong - induction principle are: - -\begin{equation}\nonumber -\infer -{ - \begin{tabular}{cp{7cm}} - \textrm{The properties }@{text "P1, P2, \, P12"}\textrm{ hold for all }@{text "tkind, ckind, \"}\\ - \textrm{ avoiding any atoms in a given }@{text "y"} - \end{tabular} -}{ - \begin{tabular}{cp{7cm}} -%% @{text "\b. P1 b KStar"}\\ -%% @{text "\tk1 tk2 b. \<^raw:\big(>\c. P1 c tk1 \ \c. P1 c tk2\<^raw:\big)> \ P1 b (KFun tk1 tk2)"}\\ -%% @{text "\"}\\ - @{text "\v ty t1 t2 b. \<^raw:\big(>\c. P3 c ty \ \c. P7 c t1 \ \c. P7 c t2 \"}\\ - @{text "\<^raw:\hfill>\ atom var \ b\<^raw:\big)> \ P7 b (Let v ty t1 t2)"}\\ - @{text "\p t al b. \<^raw:\big(>\c. P9 c p \ \c. P7 c t \ \c. P8 c al \"}\\ - @{text "\<^raw:\hfill>\ set (bv p) \* b\<^raw:\big)> \ P8 b (ACons p t al)"}\\ - @{text "\"} - \end{tabular} -} -\end{equation} - + Taking now the identity permutation @{text 0} for the permutations in \eqref{hyps}, + we can establish our original goals, namely @{text "P\<^bsub>trm\<^esub> c t"} and \mbox{@{text "P\<^bsub>pat\<^esub> c p"}}. + This completes the proof showing that the strong induction principle derives from + the weak induction principle. At the moment we can derive the difficult cases of + the strong induction principles only by hand, but they are very schematically + so that with little effort we can even derive the strong induction principle for + Core-Haskell given in Figure~\ref{nominalcorehas}. *}