Nominal/example.html
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Wed, 30 Mar 2016 16:06:25 +0100
changeset 402 9e089afe5086
child 411 a430e494cb19
permissions -rw-r--r--
added Nominal

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <title>Nominal Methods Group</title>
  <link rel="stylesheet" href="nominal.css">
</head>

<body>

<div align="right" style="position:relative; left:15%; width:80%">
<P>
<small>
<SCRIPT LANGUAGE="JAVASCRIPT" type="text/javascript">
<!--
var r_text = new Array ();
r_text[0] = "<em>\"Proving theorems about substitutions (and related operations such as alpha-conversion) required far more time and HOL code than any other variety of theorem.\"<br><\/em>M. VanInwegen using a concrete representation for binders in her PhD-thesis, 1996";

r_text[1] = "<em>\"When doing the formalization, I discovered that the core part of the proof... is fairly straightforward and only requires a good understanding of the paper version. However, in completing the proof I observed that in certain places I had to invest much more work than expected, e.g. proving lemmas about substitution and weakening.\"<\/em><br>T. Altenkirch using de Bruijn indices in Proc. of TLCA, 1993";

r_text[2] = "<em>\"Technical work, however, still represents the biggest part of our implementation, mainly due to the managing of de Bruijn indexes...Of our 800 proved lemmas, about 600 are concerned with operators on free names.\"<\/em><br>D. Hirschkoff in Proc. of TPHOLs, 1997";

r_text[3] = "<em>\"It took the author many long months to complete the work on this formalization...The part concerning substitution is by far the largest part of the whole development.\"<\/em><br>A. Koprowski using de Bruijn indices in a draft paper, 2006";

r_text[4] = "<em>\"We thank T. Thacher Robinson for showing us on August 19, 1962 by a counterexample the existence of an error in our handling of bound variables.\"<\/em><br>S. Kleene in J. of Symbolic Logic 21(1):11-18, 1962";

r_text[5] = "<em>\"The main drawback in HOAS is the difficulty of dealing with metatheoretic issues concerning names in processes...As a consequence, some metatheoretic properties involving substitution and freshness of names inside proofs and processes cannot be proved inside the framework and instead have to be postulated.\"<\/em><br>F. Honsell, M. Miculan and I. Scagnetto in Theoretical Computer Science, 253(2):239-285, 2001";

r_text[6] = "<em>\"Because Twelf metatheorems are proved using totality assertions about LF type families, the class of metatheorems that can be mechanized is restricted to All/Exists-statements over LF types. On the one hand, as the successful Twelf formalizations cited in Section 5 demonstrate, these All/Exists-statements have proved to be sufficient for formalizing a wide variety of metatheorems about programming languages and logics. On the other hand, we have no way to quantify when metatheorems of this form will be sufficient, and there are some well-known examples of proofs that cannot be formalized directly using Twelf as metatheorem language. For example, proofs by logical relations often require more quantifier complexity than All/Exists-statements afford.\"<\/em><br>Robert Harper and Daniel Licata in a paper on Twelf, 2007";

r_text[7] = "<em>\"So we cannot, hand-on-heart, recommend the vanilla LN style for anything but small, kernel language developments. \"<\/em><br>in F-ing Modules by Rossberg, Russo and Dreyer, TLDI 2010";

r_text[8] = "<em>\"Higher-order abstract syntax is a convenient way to approach languages with binding, but it is possible to imagine a problem where manipulating a fully concrete object without binding is simpler. In these cases, it is possible to establish a bijection between your HOAS terms and de Bruijn versions of the same terms. \"<\/em><br>Interesting responses from the <A HREF=\"http://twelf.plparty.org/wiki/Ask_Twelf_Elf\">Twelf wiki.</A> (To be honest, the same comment applies to Nominal. --cu)";


var i = Math.floor(r_text.length*Math.random());
document.write(r_text[i]);
//-->
</SCRIPT>
</small>
</P>
</div>


<H1>Barendregt's Substitution Lemma</H1>

<P>
Let us explain one of our results with a simple proof about the lambda calculus. 
An informal "pencil-and-paper" proof there looks typically as follows (this one is taken from <A
HREF="http://www.cs.ru.nl/~henk/" target="_top">Barendregt's</A> classic book
on the lambda calculus):
</P>

<!-- Barendregt's proof -->
<CENTER>
<TABLE style="text-align: left; width: 90%;" BORDER=0 CELLSPACING=0 CELLPADDING=5>
<TR>
 <TD style="background-color: rgb(180, 180, 180);">
  <B>2.1.16. Substitution Lemma:</B> If <I>x&ne;y</I> and <I>x</I> not free in <I>L</I>, 
  then
 </TD>
</TR>
<TR>
 <TD style="background-color: rgb(180, 180, 180);">
  <CENTER><I>M[x:=N][y:=L] = M[y:=L][x:=N[y:=L]]</I>.</CENTER>
 </TD> 
</TR>
<TR>
<TD style="background-color: rgb(210, 210, 210);">
<B>Proof:</B> By induction on the structure of <I>M</I>.
<DL>
<DT>Case 1. <I>M</I> is a variable.<DD>
<DL>
<DT>Case 1.1. <I>M=x</I>. Then both sides equal <I>N[y:=L]</I> since <I>x&ne;y</I>.
<DT>Case 1.2. <I>M=y</I>. Then both sides equal <I>L</I>, for <I>x</I> not free in <I>L</I> 
              implies <I>L[x:=...]=L</I>. 
<DT>Case 1.3. <I>M=z&ne;x,y</I>. Then both sides equal <I>z</I>.
</DL></DD>
<DT>Case 2. <I>M=&lambda;z.M<SUB>1</SUB></I>. <DD>By the variable convention we may assume that 
<I>z&ne;x,y</I> and <I>z</I> is not free in <I>N</I>, <I>L</I>. Then by the induction hypothesis<BR>
<CENTER>
<TABLE>
<TR><TD ALIGN=RIGHT><I>(&lambda;z.M<SUB>1</SUB>)[x:=N][y:=L]</I></TD>
    <TD ALIGN=CENTER><I>=</I></TD>
    <TD ALIGN=Left><I>&lambda;z.M<SUB>1</SUB>[x:=N][y:=L]</I></TD>
</TR>
<TR><TD ALIGN=RIGHT>&nbsp;</TD>
    <TD ALIGN=CENTER><I>=</I></TD>
    <TD ALIGN=Left><I>&lambda;z.M<SUB>1</SUB>[y:=L][x:=N[y:=L]]</I></TD>
</TR>
<TR><TD ALIGN=RIGHT>&nbsp;</TD>
    <TD ALIGN=CENTER><I>=</I></TD>
    <TD ALIGN=Left><I>(&lambda;z.M<SUB>1</SUB>)[y:=L][x:=N[y:=L]]</I>.</TD>
</TR>
</TABLE>
</CENTER>
<DT>Case 3. <I>M=M<SUB>1</SUB> M<SUB>2</SUB></I>.<DD>Then the statement follows
again from the induction hypothesis.
</DL>
</TD>
</TR>
</TABLE>
</CENTER>

<P>
 We want to make it as easy as possible to formalise such informal proofs (and
more complicated ones). Inspired by the <A
HREF="http://fling-l.seas.upenn.edu/~plclub/cgi-bin/poplmark/"
target="_top">PoplMark Challenge</A>, we want that masses use theorem
assistants to do their formal proofs.
</P>

<P>
Since the kind of informal reasoning illustrated by Barendregt's proof is very
common in the literature on programming languages, it might be surprising that 
implementing his proof
in a theorem assistant is not a trivial task. This is because he relies
implicitly on some assumptions and conventions. For example he states in his
book:
</P>

<CENTER>
<TABLE style="text-align: left; width: 90%;" BORDER=0 CELLSPACING=0 CELLPADDING=5>
<TR>
<TD style="background-color: rgb(180, 180, 180);">
<B>2.1.12. Convention.</B> Terms that are &alpha;-congruent are identified. So now we
write <I>&lambda;x.x=&lambda;y.y</I>, etcetera.
</TD>
</TR>
</TABLE>
</CENTER>

<CENTER>
<TABLE style="text-align: left; width: 90%;" BORDER=0 CELLSPACING=0 CELLPADDING=5>
<TR>
<TD style="background-color: rgb(180, 180, 180);">
<B>2.1.13. Variable Convention.</B> If <I>M<SUB>1</SUB>,...,M<SUB>n</SUB></I> occur
in a certain mathematical context (e.g. definition, proof), then in these terms all
bound variables are chosen to be different from the free variables.
</TD>
</TR>
</TABLE>
</CENTER>

<P>
The first convention is crucial for the proof above as it allows one to deal
with the variable case by using equational reasoning - one can just calculate
what the results of the substitutions are. If one uses un-equated, or raw, lambda-terms,
the same kind of reasoning cannot be performed (the reasoning then has to be 
modulo &alpha;-equivalence, which causes a lot of headaches in
the lambda-case.)  But if the data-structure over which the proof is
formulated is &alpha;-equivalence classes of lambda-terms, then what is the
principle "by induction over the structure of <I>M</I>"?  There is an
induction principle "over the structure" for (un-equated) lambda-terms. But
quotening lambda-terms by &alpha;-equivalence does not automatically lead to
such a principle for &alpha;-equivalence classes. This seems to be a point
that is nearly always ignored in the literature. In fact it takes, as we have
shown in [1] and [2], some serious work to provide such an induction principle
for &alpha;-equivalence classes.
</P>

<P>
The second problem for an implementation of Barendregt's proof is his use of
the variable convention: there is just no proof-principle "by convention" in a
theorem assistant. Taking a closer look at Barendregt's reasoning, it turns
out that for a proof obligation of the form "for all &alpha;-equated
lambda-terms <I>&lambda;z.M<SUB>1</SUB></I>...", he does not establish this
proof obligation for all <I>&lambda;z.M<SUB>1</SUB></I>, but only for some
carefully chosen &alpha;-equated lambda-terms, namely the ones for which
<I>z</I> is not free in <I>x,y,N</I> and <I>L</I>. This style of reasoning
clearly needs some justification and in fact depends on some assumptions of
the "context" of the induction. By "context" of the induction we mean the
variables <I>x,y,N</I> and <I>L</I>. When employing the variable convention in
a formal proof, one always implicitly assumes that one can choose a fresh name
for this context. This might, however, not always be possible, for example
when the context already mentions all names. Also we found out recently that the 
use of the variable convention in proofs by rule-induction can lead to
faulty reasoning [5]. So our work introduces safeguards that ensure that the 
use of the variable convention is always safe. 
</P>

<P>
One might conclude from our comments about Barendregt's proof that it is no
proof at all.  This is, however, not the case! With Nominal Isabelle
and its infrastructure one can easily formalise his reasoning. One first 
has to declare the structure of <U>&alpha;-equated</U>
lambda-terms as a nominal datatype:
</P>


<div class="codedisplay"> atom_decl name
 nominal_datatype term = Var "name"
                       | App "term" "term"
                       | Lam "&laquo;name&raquo;term"
</div>

<P>
Note though, that nominal datatypes are not datatypes in the traditional
sense, but stand for &alpha;-equivalence classes.  Indeed we have for terms of
type <code>term</code> the equation(!)
</P>

<div class="codedisplay"> lemma alpha: "Lam [a].(Var a) = Lam [b].(Var b)"
</div>


<P>
which does not hold for traditional datatypes (note that we write
lambda-abstractions as <code>Lam [a].t</code>). The proof of the substitution
lemma can then be formalised as follows:
</P>

<div class="codedisplay"> lemma substitution_lemma:
  assumes asm: "x&ne;y" "x#L"
  shows "M[x:=N][y:=L] = M[y:=L][x:=N[y:=L]]"
  using asm 
 by (nominal_induct M avoiding: x y N L rule: term.induct)
    (auto simp add: forget fresh_fact)
</div>


<P>
where the assumption "<I>x</I> is fresh for <I>L</I>", written <code>x#L</code>,
encodes the usual relation of "<I>x</I> not free in <I>L</I>". The method
<code>nominal_induct</code> takes as arguments the variable over which the 
induction is
performed (here <I>M</I>), and the context of the induction, which consists of
the variables mentioned in the variable convention (that is the part in
Barendregt's proof where he writes "...we may assume that <I>z&ne;x,y</I> and
<I>z</I> is not free in <I>N,L</I>"). The last argument of <code>nominal_induct</code>
specifies which induction rule should be applied - in this case induction over
&alpha;-equated lambda-terms, an induction-principle Nominal Isabelle provides 
automatically when the nominal datatype <code>term</code> is defined. The
implemented proof of the substitution lemma proceeds then completely
automatically, except for the need of having to mention the facts <code>forget</code> and
<code>fresh_fact</code>, which are proved separately (also by induction over
&alpha;-equated lambda-terms).</P>


<P>
The lemma <code>forget</code> shows that if <I>x</I> is not
free in <I>L</I>, then <I>L[x:=...]=L</I> (Barendregt's Case 1.2). Its formalised proof 
is as follows:
</P>

<div class="codedisplay"> lemma forget:
  assumes asm: "x#L"
  shows "L[x:=P] = L"
  using asm
 by (nominal_induct L avoiding: x P rule: term.induct)
    (auto simp add: abs_fresh fresh_atm)
</div>


<P>
In this proof <code>abs_fresh</code> is an automatically generated lemma that
establishes when <I>x</I> is fresh for a lambda-abstraction, namely <I>x#Lam
[z].P'</I> if and only if <I>x=z</I> or (<I>x&ne;z</I> and <I>x#P'</I>);
<code>fresh_atm</code> states that <I>x#y</I> if and only if <I>x&ne;y</I>. The lemma
<code>fresh_fact</code> proves the property that if <I>z</I> does not occur
freely in <I>N</I> and <I>L</I> then it also does not occur freely in
<I>N[y:=L]</I>. This fact can be formalised as follows:</P>

<div class="codedisplay"> lemma fresh_fact:
  assumes asm: "z#N" "z#L"
  shows "z#N[y:=L]"
  using asm 
 by (nominal_induct N avoiding: z y L rule: term.induct)
    (auto simp add: abs_fresh fresh_atm)
</div>

<P>
Although the latter lemma does not appear explicitly in Barendregt's reasoning, it is required 
in the last step of the lambda-case (Case 2) where he pulls the substitution from under
the binder <I>z</I> (the interesting step is marked with a&nbsp;&bull;):</P> 
<CENTER>
<TABLE>
<TR><TD>&nbsp;</TD><TD><I>&lambda;z.(M<SUB>1</SUB>[y:=L][x:=N[y:=L]])</I></TD><TD>&nbsp;</TD></TR>
<TR><TD>=</TD><TD><I>(&lambda;z.M<SUB>1</SUB>[y:=L])[x:=N[y:=L]]</I></TD><TD>&nbsp;&nbsp;&bull;</TD></TR>
<TR><TD>=</TD><TD><I>(&lambda;z.M<SUB>1</SUB>)[y:=L][x:=N[y:=L]]</I></TD><TD>&nbsp;</TD></TR>
</TABLE>
</CENTER>

<P>
After these 22 lines one has a completely formalised proof of the substitution
lemma. This proof does not rely on any axioms, apart from the ones on which
HOL is built.
</P><BR>

<B>References</B><BR><BR>
<CENTER>
<TABLE>
<TR><TD WIDTH="7%" VALIGN=Top>[1]</TD>
    <TD ALIGN=Left>
    <B>Nominal Reasoning Techniques in Isabelle/HOL.</B>  In
      Journal of Automatic Reasoning, 2008, Vol. 40(4), 327-356.
      [<A HREF="http://http://www.inf.kcl.ac.uk/staff/urbanc/Publications/nom-tech.ps" target="_top">ps</A>].
    </TD>
</TR>
<TR><TD VALIGN=Top>[2]</TD>
    <TD ALIGN=Left>
    <B>A Formal Treatment of the Barendregt Variable Convention in Rule Inductions</B> 
    (Christian Urban and Michael Norrish) 
    Proceedings of the ACM Workshop on Mechanized Reasoning about Languages with Variable
    Binding and Names (MERLIN 2005). Tallinn, Estonia. September 2005. Pages 25-32. &copy ACM, Inc.
    [<A HREF="http://http://www.inf.kcl.ac.uk/staff/urbanc/Publications/merlin-05.ps" target="_top">ps</A>]
    [<A HREF="http://http://www.inf.kcl.ac.uk/staff/urbanc/Publications/merlin-05.pdf" target="_top">pdf</A>]
    </TD>
</TR>
<TR><TD VALIGN=Top>[3]</TD>
    <TD ALIGN=Left>
    <B>A Recursion Combinator for Nominal Datatypes Implemented in Isabelle/HOL</B> 
    (Christian Urban and Stefan Berghofer) 
    Proceedings of the 3rd 
    International Joint Conference on Automated Deduction (IJCAR 2006). In volume 4130 of 
    Lecture Notes in Artificial Intelligence. Seattle, USA. August 2006. Pages 498-512.
    &copy <A HREF="http://link.springer.de/link/service/series/0558/" target="_top">Springer Verlag</A>
    [<A HREF="http://http://www.inf.kcl.ac.uk/staff/urbanc/Publications/ijcar-06.ps" target="_top">ps</A>]
    </TD>
</TR>

<TR><TD VALIGN=Top>[4]</TD>
    <TD ALIGN=Left>
    <B>A Head-to-Head Comparison of de Bruijn Indices and Names.</B> 
    (Stefan Berghofer and Christian Urban) 
    Proceedings of the International Workshop on Logical Frameworks and 
    Meta-Languages: Theory and Practice (LFMTP 2006). Seattle, USA. ENTCS. Pages 53-67.
    [<A HREF="http://http://www.inf.kcl.ac.uk/staff/urbanc/Publications/lfmtp-06.ps" target="_top">ps</A>]
    </TD>
</TR>

<TR><TD VALIGN=Top>[5]</TD>
    <TD ALIGN=Left>
    <B>Barendregt's Variable Convention in Rule Inductions.</B> (Christian
    Urban, Stefan Berghofer and Michael Norrish) Proceedings of the 21th
    Conference on Automated Deduction (CADE 2007). In volume 4603 of Lecture
    Notes in Artificial Intelligence. Bremen, Germany. July 2007. Pages 35-50.
    &copy <A HREF="http://link.springer.de/link/service/series/0558/tocs/t4603.htm" 
    target="_top">Springer Verlag</A> 
    [<A HREF="http://http://www.inf.kcl.ac.uk/staff/urbanc/Publications/cade07.ps" target="_top">ps</A>]
    </TD>
</TR>

<TR><TD VALIGN=Top>[6]</TD>
    <TD ALIGN=Left>
    <B>Mechanising the Metatheory of LF.</B> 
    (Christian Urban, James Cheney and Stefan Berghofer) 
    In Proc. of the 23rd IEEE Symposium on Logic in Computer Science (LICS 2008), IEEE Computer Society,
    June 2008. Pages 45-56.
    [<A HREF="http://http://www.inf.kcl.ac.uk/staff/urbanc/Publications/lics-08.pdf">pdf</A>] More
      information <A HREF="http://http://www.inf.kcl.ac.uk/staff/urbanc/Nominal/LF/index.html">elsewhere</A>.
    </TD>
</TR>
<TR><TD VALIGN=Top>[7]</TD>
    <TD ALIGN=Left>
    <B>Proof Pearl: A New Foundation for Nominal Isabelle.</B> 
    (Brian Huffman and Christian Urban) 
    In Proc. of the 1st Conference on Interactive Theorem Proving (ITP 2010). In volume 6172 in 
    Lecture Notes in Computer Science, Pages 35-50, 2010.
    [<A HREF="http://http://www.inf.kcl.ac.uk/staff/urbanc/Publications/nominal-atoms.pdf">pdf</A>] 
    </TD>
</TR>
</TR>
<TR><TD VALIGN=Top>[8]</TD>
    <TD ALIGN=Left>
    <B>General Bindings and Alpha-Equivalence in Nominal Isabelle.</B> 
      (Christian Urban and Cezary Kaliszyk) 
      In Proc. of the 20th European Symposium on Programming (ESOP 2011).
      In Volume 6602 of Lecture Notes in Computer Science, Pages 480-500, 2011.
      [<A HREF="http://http://www.inf.kcl.ac.uk/staff/urbanc/Publications/esop-11.pdf">pdf</A>]
    </TD>
</TR>

</TABLE>
</CENTER>

<P><!-- Created: Tue Mar  4 00:23:25 GMT 1997 -->
<!-- hhmts start -->
Last modified: Mon May  9 05:35:17 BST 2011
<!-- hhmts end -->
<a href="http://validator.w3.org/check/referer" target="_top">[Validate this page.]</a>

</body>
</html>