Paper/Paper.thy
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Thu, 03 Oct 2013 15:29:03 +0100
changeset 391 5c283ecefda6
parent 385 e5e32faa2446
permissions -rw-r--r--
added slides

(*<*)
theory Paper
imports "../Closures2" "../Attic/Prefix_subtract" 
begin

declare [[show_question_marks = false]]

consts
 REL :: "(string \<times> string) set"
 UPLUS :: "'a set \<Rightarrow> 'a set \<Rightarrow> (nat \<times> 'a) set"

abbreviation
  "EClass x R \<equiv> R `` {x}"

abbreviation
  "Append_rexp2 r_itm r == Append_rexp r r_itm"

abbreviation
  "pow" (infixl "\<up>" 100)
where
  "A \<up> n \<equiv> A ^^ n"


abbreviation "NULL \<equiv> Zero"
abbreviation "EMPTY \<equiv> One"
abbreviation "CHAR \<equiv> Atom"
abbreviation "ALT \<equiv> Plus"
abbreviation "SEQ \<equiv> Times"
abbreviation "STAR \<equiv> Star"


ML {* @{term "op ^^"} *}

notation (latex output)
  str_eq ("\<approx>\<^bsub>_\<^esub>") and
  str_eq_applied ("_ \<approx>\<^bsub>_\<^esub> _") and
  conc (infixr "\<cdot>" 100) and
  star ("_\<^bsup>\<star>\<^esup>") and
  pow ("_\<^bsup>_\<^esup>" [100, 100] 100) and
  Suc ("_+1" [100] 100) and
  quotient ("_ \<^raw:\ensuremath{\!\sslash\!}> _" [90, 90] 90) and
  REL ("\<approx>") and
  UPLUS ("_ \<^raw:\ensuremath{\uplus}> _" [90, 90] 90) and
  lang ("\<^raw:\ensuremath{\cal{L}}>'(_')" [0] 101) and
  Lam ("\<lambda>'(_')" [100] 100) and 
  Trn ("'(_, _')" [100, 100] 100) and 
  EClass ("\<lbrakk>_\<rbrakk>\<^bsub>_\<^esub>" [100, 100] 100) and
  transition ("_ \<^raw:\ensuremath{\stackrel{\text{>_\<^raw:}}{\Longmapsto}}> _" [100, 100, 100] 100) and
  Setalt ("\<^raw:\ensuremath{\bigplus}>_" [1000] 999) and
  Append_rexp2 ("_ \<^raw:\ensuremath{\triangleleft}> _" [100, 100] 100) and
  Append_rexp_rhs ("_ \<^raw:\ensuremath{\triangleleft}> _" [100, 100] 50) and
  
  uminus ("\<^raw:\ensuremath{\overline{>_\<^raw:}}>" [100] 100) and
  tag_Plus ("tag\<^sub>A\<^sub>L\<^sub>T _ _" [100, 100] 100) and
  tag_Plus ("tag\<^sub>A\<^sub>L\<^sub>T _ _ _" [100, 100, 100] 100) and
  tag_Times ("tag\<^sub>S\<^sub>E\<^sub>Q _ _" [100, 100] 100) and
  tag_Times ("tag\<^sub>S\<^sub>E\<^sub>Q _ _ _" [100, 100, 100] 100) and
  tag_Star ("tag\<^sub>S\<^sub>T\<^sub>A\<^sub>R _" [100] 100) and
  tag_Star ("tag\<^sub>S\<^sub>T\<^sub>A\<^sub>R _ _" [100, 100] 100)

lemma meta_eq_app:
  shows "f \<equiv> \<lambda>x. g x \<Longrightarrow> f x \<equiv> g x"
  by auto

lemma conc_def':
  "A \<cdot> B = {s\<^sub>1 @ s\<^sub>2 | s\<^sub>1 s\<^sub>2. s\<^sub>1 \<in> A \<and> s\<^sub>2 \<in> B}"
unfolding conc_def by simp

lemma str_eq_def':
  shows "x \<approx>A y \<equiv> (\<forall>z. x @ z \<in> A \<longleftrightarrow> y @ z \<in> A)"
unfolding str_eq_def by simp

(* THEOREMS *)

lemma conc_Union_left: 
  shows "B \<cdot> (\<Union>n. A \<up> n) = (\<Union>n. B \<cdot> (A \<up> n))"
unfolding conc_def by auto

notation (Rule output)
  "==>"  ("\<^raw:\mbox{}\inferrule{\mbox{>_\<^raw:}}>\<^raw:{\mbox{>_\<^raw:}}>")

syntax (Rule output)
  "_bigimpl" :: "asms \<Rightarrow> prop \<Rightarrow> prop"
  ("\<^raw:\mbox{}\inferrule{>_\<^raw:}>\<^raw:{\mbox{>_\<^raw:}}>")

  "_asms" :: "prop \<Rightarrow> asms \<Rightarrow> asms" 
  ("\<^raw:\mbox{>_\<^raw:}\\>/ _")

  "_asm" :: "prop \<Rightarrow> asms" ("\<^raw:\mbox{>_\<^raw:}>")

notation (Axiom output)
  "Trueprop"  ("\<^raw:\mbox{}\inferrule{\mbox{}}{\mbox{>_\<^raw:}}>")

notation (IfThen output)
  "==>"  ("\<^raw:{\normalsize{}>If\<^raw:\,}> _/ \<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
syntax (IfThen output)
  "_bigimpl" :: "asms \<Rightarrow> prop \<Rightarrow> prop"
  ("\<^raw:{\normalsize{}>If\<^raw:\,}> _ /\<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
  "_asms" :: "prop \<Rightarrow> asms \<Rightarrow> asms" ("\<^raw:\mbox{>_\<^raw:}> /\<^raw:{\normalsize \,>and\<^raw:\,}>/ _")
  "_asm" :: "prop \<Rightarrow> asms" ("\<^raw:\mbox{>_\<^raw:}>")

notation (IfThenNoBox output)
  "==>"  ("\<^raw:{\normalsize{}>If\<^raw:\,}> _/ \<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
syntax (IfThenNoBox output)
  "_bigimpl" :: "asms \<Rightarrow> prop \<Rightarrow> prop"
  ("\<^raw:{\normalsize{}>If\<^raw:\,}> _ /\<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
  "_asms" :: "prop \<Rightarrow> asms \<Rightarrow> asms" ("_ /\<^raw:{\normalsize \,>and\<^raw:\,}>/ _")
  "_asm" :: "prop \<Rightarrow> asms" ("_")

lemma pow_length:
  assumes a: "[] \<notin> A"
  and     b: "s \<in> A \<up> Suc n"
  shows "n < length s"
using b
proof (induct n arbitrary: s)
  case 0
  have "s \<in> A \<up> Suc 0" by fact
  with a have "s \<noteq> []" by auto
  then show "0 < length s" by auto
next
  case (Suc n)
  have ih: "\<And>s. s \<in> A \<up> Suc n \<Longrightarrow> n < length s" by fact
  have "s \<in> A \<up> Suc (Suc n)" by fact
  then obtain s1 s2 where eq: "s = s1 @ s2" and *: "s1 \<in> A" and **: "s2 \<in> A \<up> Suc n"
    by (auto simp add: Seq_def)
  from ih ** have "n < length s2" by simp
  moreover have "0 < length s1" using * a by auto
  ultimately show "Suc n < length s" unfolding eq 
    by (simp only: length_append)
qed

(*>*)


section {* Introduction *}

text {*
  Regular languages are an important and well-understood subject in Computer
  Science, with many beautiful theorems and many useful algorithms. There is a
  wide range of textbooks on this subject, many of which are aimed at students
  and contain very detailed `pencil-and-paper' proofs
  (e.g.~\cite{Kozen97}). It seems natural to exercise theorem provers by
  formalising the theorems and by verifying formally the algorithms.

  There is however a problem: the typical approach to regular languages is to
  introduce finite automata and then define everything in terms of them.  For
  example, a regular language is normally defined as one whose strings are
  recognised by a finite deterministic automaton. This approach has many
  benefits. Among them is the fact that it is easy to convince oneself that
  regular languages are closed under complementation: one just has to exchange
  the accepting and non-accepting states in the corresponding automaton to
  obtain an automaton for the complement language.  The problem, however, lies with
  formalising such reasoning in a HOL-based theorem prover, in our case
  Isabelle/HOL. Automata are built up from states and transitions that 
  need to be represented as graphs, matrices or functions, none
  of which can be defined as an inductive datatype. 

  In case of graphs and matrices, this means we have to build our own
  reasoning infrastructure for them, as neither Isabelle/HOL nor HOL4 nor
  HOLlight support them with libraries. Even worse, reasoning about graphs and
  matrices can be a real hassle in HOL-based theorem provers.  Consider for
  example the operation of sequencing two automata, say $A_1$ and $A_2$, by
  connecting the accepting states of $A_1$ to the initial state of $A_2$:\\[-5.5mm]  
  %  
  \begin{center}
  \begin{tabular}{ccc}
  \begin{tikzpicture}[scale=0.8]
  %\draw[step=2mm] (-1,-1) grid (1,1);
  
  \draw[rounded corners=1mm, very thick] (-1.0,-0.3) rectangle (-0.2,0.3);
  \draw[rounded corners=1mm, very thick] ( 0.2,-0.3) rectangle ( 1.0,0.3);

  \node (A) at (-1.0,0.0) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};
  \node (B) at ( 0.2,0.0) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};
  
  \node (C) at (-0.2, 0.13) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};
  \node (D) at (-0.2,-0.13) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};

  \node (E) at (1.0, 0.2) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};
  \node (F) at (1.0,-0.0) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};
  \node (G) at (1.0,-0.2) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};

  \draw (-0.6,0.0) node {\footnotesize$A_1$};
  \draw ( 0.6,0.0) node {\footnotesize$A_2$};
  \end{tikzpicture}

  & 

  \raisebox{1.1mm}{\bf\Large$\;\;\;\Rightarrow\,\;\;$}

  &

  \begin{tikzpicture}[scale=0.8]
  %\draw[step=2mm] (-1,-1) grid (1,1);
  
  \draw[rounded corners=1mm, very thick] (-1.0,-0.3) rectangle (-0.2,0.3);
  \draw[rounded corners=1mm, very thick] ( 0.2,-0.3) rectangle ( 1.0,0.3);

  \node (A) at (-1.0,0.0) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};
  \node (B) at ( 0.2,0.0) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};
  
  \node (C) at (-0.2, 0.13) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};
  \node (D) at (-0.2,-0.13) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};

  \node (E) at (1.0, 0.2) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};
  \node (F) at (1.0,-0.0) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};
  \node (G) at (1.0,-0.2) [circle, very thick, draw, fill=white, inner sep=0.4mm] {};
  
  \draw (C) to [very thick, bend left=45] (B);
  \draw (D) to [very thick, bend right=45] (B);

  \draw (-0.6,0.0) node {\footnotesize$A_1$};
  \draw ( 0.6,0.0) node {\footnotesize$A_2$};
  \end{tikzpicture}

  \end{tabular}
  \end{center}

  \noindent
  On `paper' we can define the corresponding graph in terms of the disjoint 
  union of the state nodes. Unfortunately in HOL, the standard definition for disjoint 
  union, namely 
  %
  \begin{equation}\label{disjointunion}
  @{term "UPLUS A\<^sub>1 A\<^sub>2 \<equiv> {(1, x) | x. x \<in> A\<^sub>1} \<union> {(2, y) | y. y \<in> A\<^sub>2}"}
  \end{equation}

  \noindent
  changes the type---the disjoint union is not a set, but a set of pairs. 
  Using this definition for disjoint union means we do not have a single type for automata
  and hence will not be able to state certain properties about \emph{all}
  automata, since there is no type quantification available in HOL (unlike in Coq, for example). An
  alternative, which provides us with a single type for automata, is to give every 
  state node an identity, for example a natural
  number, and then be careful to rename these identities apart whenever
  connecting two automata. This results in clunky proofs
  establishing that properties are invariant under renaming. Similarly,
  connecting two automata represented as matrices results in very adhoc
  constructions, which are not pleasant to reason about.

  Functions are much better supported in Isabelle/HOL, but they still lead to similar
  problems as with graphs.  Composing, for example, two non-deterministic automata in parallel
  requires also the formalisation of disjoint unions. Nipkow \cite{Nipkow98} 
  dismisses for this the option of using identities, because it leads according to 
  him to ``messy proofs''. He
  opts for a variant of \eqref{disjointunion} using bit lists, but writes 

  \begin{quote}
  \it%
  \begin{tabular}{@ {}l@ {}p{0.88\textwidth}@ {}}
  `` & All lemmas appear obvious given a picture of the composition of automata\ldots
       Yet their proofs require a painful amount of detail.''
  \end{tabular}
  \end{quote}

  \noindent
  and
  
  \begin{quote}
  \it%
  \begin{tabular}{@ {}l@ {}p{0.88\textwidth}@ {}}
  `` & If the reader finds the above treatment in terms of bit lists revoltingly
       concrete, I cannot disagree. A more abstract approach is clearly desirable.''
  \end{tabular}
  \end{quote}


  \noindent
  Moreover, it is not so clear how to conveniently impose a finiteness condition 
  upon functions in order to represent \emph{finite} automata. The best is
  probably to resort to more advanced reasoning frameworks, such as \emph{locales}
  or \emph{type classes},
  which are \emph{not} available in all HOL-based theorem provers.

  Because of these problems to do with representing automata, there seems
  to be no substantial formalisation of automata theory and regular languages 
  carried out in HOL-based theorem provers. Nipkow  \cite{Nipkow98} establishes
  the link between regular expressions and automata in
  the context of lexing. Berghofer and Reiter \cite{BerghoferReiter09} 
  formalise automata working over 
  bit strings in the context of Presburger arithmetic.
  The only larger formalisations of automata theory 
  are carried out in Nuprl \cite{Constable00} and in Coq \cite{Filliatre97}.
  
  In this paper, we will not attempt to formalise automata theory in
  Isabelle/HOL, but take a different approach to regular
  languages. Instead of defining a regular language as one where there exists
  an automaton that recognises all strings of the language, we define a
  regular language as:

  \begin{definition}
  A language @{text A} is \emph{regular}, provided there is a regular expression that matches all
  strings of @{text "A"}.
  \end{definition}
  
  \noindent
  The reason is that regular expressions, unlike graphs, matrices and functions, can
  be easily defined as inductive datatype. Consequently a corresponding reasoning 
  infrastructure comes for free. This has recently been exploited in HOL4 with a formalisation
  of regular expression matching based on derivatives \cite{OwensSlind08} and
  with an equivalence checker for regular expressions in Isabelle/HOL \cite{KraussNipkow11}.  
  The purpose of this paper is to
  show that a central result about regular languages---the Myhill-Nerode theorem---can 
  be recreated by only using regular expressions. This theorem gives necessary
  and sufficient conditions for when a language is regular. As a corollary of this
  theorem we can easily establish the usual closure properties, including 
  complementation, for regular languages.\smallskip
  
  \noindent
  {\bf Contributions:} 
  There is an extensive literature on regular languages.
  To our best knowledge, our proof of the Myhill-Nerode theorem is the
  first that is based on regular expressions, only. We prove the part of this theorem 
  stating that a regular expression has only finitely many partitions using certain 
  tagging-functions. Again to our best knowledge, these tagging-functions have
  not been used before to establish the Myhill-Nerode theorem.
*}

section {* Preliminaries *}

text {*
  Strings in Isabelle/HOL are lists of characters with the \emph{empty string}
  being represented by the empty list, written @{term "[]"}.  \emph{Languages}
  are sets of strings. The language containing all strings is written in
  Isabelle/HOL as @{term "UNIV::string set"}. The concatenation of two languages 
  is written @{term "A \<cdot> B"} and a language raised to the power @{text n} is written 
  @{term "A \<up> n"}. They are defined as usual

  \begin{center}
  @{thm conc_def'[THEN eq_reflection, where A1="A" and B1="B"]}
  \hspace{7mm}
  @{thm lang_pow.simps(1)[THEN eq_reflection, where A1="A"]}
  \hspace{7mm}
  @{thm lang_pow.simps(2)[THEN eq_reflection, where A1="A" and n1="n"]}
  \end{center}

  \noindent
  where @{text "@"} is the list-append operation. The Kleene-star of a language @{text A}
  is defined as the union over all powers, namely @{thm star_def}. In the paper
  we will make use of the following properties of these constructions.
  
  \begin{proposition}\label{langprops}\mbox{}\\
  \begin{tabular}{@ {}ll}
  (i)   & @{thm star_unfold_left}     \\ 
  (ii)  & @{thm[mode=IfThen] pow_length}\\
  (iii) & @{thm conc_Union_left} \\ 
  \end{tabular}
  \end{proposition}

  \noindent
  In @{text "(ii)"} we use the notation @{term "length s"} for the length of a
  string; this property states that if \mbox{@{term "[] \<notin> A"}} then the lengths of
  the strings in @{term "A \<up> (Suc n)"} must be longer than @{text n}.  We omit
  the proofs for these properties, but invite the reader to consult our
  formalisation.\footnote{Available at \url{http://www4.in.tum.de/~urbanc/regexp.html}}

  The notation in Isabelle/HOL for the quotient of a language @{text A} according to an 
  equivalence relation @{term REL} is @{term "A // REL"}. We will write 
  @{text "\<lbrakk>x\<rbrakk>\<^sub>\<approx>"} for the equivalence class defined 
  as \mbox{@{text "{y | y \<approx> x}"}}.


  Central to our proof will be the solution of equational systems
  involving equivalence classes of languages. For this we will use Arden's Lemma \cite{Brzozowski64},
  which solves equations of the form @{term "X = A \<cdot> X \<union> B"} provided
  @{term "[] \<notin> A"}. However we will need the following `reverse' 
  version of Arden's Lemma (`reverse' in the sense of changing the order of @{term "A \<cdot> X"} to
  \mbox{@{term "X \<cdot> A"}}).

  \begin{lemma}[Reverse Arden's Lemma]\label{arden}\mbox{}\\
  If @{thm (prem 1) reversed_Arden} then
  @{thm (lhs) reversed_Arden} if and only if
  @{thm (rhs) reversed_Arden}.
  \end{lemma}

  \begin{proof}
  For the right-to-left direction we assume @{thm (rhs) reversed_Arden} and show
  that @{thm (lhs) reversed_Arden} holds. From Prop.~\ref{langprops}@{text "(i)"} 
  we have @{term "A\<star> = {[]} \<union> A \<cdot> A\<star>"},
  which is equal to @{term "A\<star> = {[]} \<union> A\<star> \<cdot> A"}. Adding @{text B} to both 
  sides gives @{term "B \<cdot> A\<star> = B \<cdot> ({[]} \<union> A\<star> \<cdot> A)"}, whose right-hand side
  is equal to @{term "(B \<cdot> A\<star>) \<cdot> A \<union> B"}. This completes this direction. 

  For the other direction we assume @{thm (lhs) reversed_Arden}. By a simple induction
  on @{text n}, we can establish the property

  \begin{center}
  @{text "(*)"}\hspace{5mm} @{thm (concl) reversed_arden_helper}
  \end{center}
  
  \noindent
  Using this property we can show that @{term "B \<cdot> (A \<up> n) \<subseteq> X"} holds for
  all @{text n}. From this we can infer @{term "B \<cdot> A\<star> \<subseteq> X"} using the definition
  of @{text "\<star>"}.
  For the inclusion in the other direction we assume a string @{text s}
  with length @{text k} is an element in @{text X}. Since @{thm (prem 1) reversed_Arden}
  we know by Prop.~\ref{langprops}@{text "(ii)"} that 
  @{term "s \<notin> X \<cdot> (A \<up> Suc k)"} since its length is only @{text k}
  (the strings in @{term "X \<cdot> (A \<up> Suc k)"} are all longer). 
  From @{text "(*)"} it follows then that
  @{term s} must be an element in @{term "(\<Union>m\<in>{0..k}. B \<cdot> (A \<up> m))"}. This in turn
  implies that @{term s} is in @{term "(\<Union>n. B \<cdot> (A \<up> n))"}. Using Prop.~\ref{langprops}@{text "(iii)"} 
  this is equal to @{term "B \<cdot> A\<star>"}, as we needed to show.\qed
  \end{proof}

  \noindent
  Regular expressions are defined as the inductive datatype

  \begin{center}
  @{text r} @{text "::="}
  @{term NULL}\hspace{1.5mm}@{text"|"}\hspace{1.5mm} 
  @{term EMPTY}\hspace{1.5mm}@{text"|"}\hspace{1.5mm} 
  @{term "CHAR c"}\hspace{1.5mm}@{text"|"}\hspace{1.5mm} 
  @{term "SEQ r r"}\hspace{1.5mm}@{text"|"}\hspace{1.5mm} 
  @{term "ALT r r"}\hspace{1.5mm}@{text"|"}\hspace{1.5mm} 
  @{term "STAR r"}
  \end{center}

  \noindent
  and the language matched by a regular expression is defined as

  \begin{center}
  \begin{tabular}{c@ {\hspace{10mm}}c}
  \begin{tabular}{rcl}
  @{thm (lhs) lang.simps(1)} & @{text "\<equiv>"} & @{thm (rhs) lang.simps(1)}\\
  @{thm (lhs) lang.simps(2)} & @{text "\<equiv>"} & @{thm (rhs) lang.simps(2)}\\
  @{thm (lhs) lang.simps(3)[where a="c"]} & @{text "\<equiv>"} & @{thm (rhs) lang.simps(3)[where a="c"]}\\
  \end{tabular}
  &
  \begin{tabular}{rcl}
  @{thm (lhs) lang.simps(4)[where ?r="r\<^sub>1" and ?s="r\<^sub>2"]} & @{text "\<equiv>"} &
       @{thm (rhs) lang.simps(4)[where ?r="r\<^sub>1" and ?s="r\<^sub>2"]}\\
  @{thm (lhs) lang.simps(5)[where ?r="r\<^sub>1" and ?s="r\<^sub>2"]} & @{text "\<equiv>"} &
       @{thm (rhs) lang.simps(5)[where ?r="r\<^sub>1" and ?s="r\<^sub>2"]}\\
  @{thm (lhs) lang.simps(6)[where r="r"]} & @{text "\<equiv>"} &
      @{thm (rhs) lang.simps(6)[where r="r"]}\\
  \end{tabular}
  \end{tabular}
  \end{center}

  Given a finite set of regular expressions @{text rs}, we will make use of the operation of generating 
  a regular expression that matches the union of all languages of @{text rs}. We only need to know the 
  existence
  of such a regular expression and therefore we use Isabelle/HOL's @{const "fold_graph"} and Hilbert's
  @{text "\<epsilon>"} to define @{term "\<Uplus>rs"}. This operation, roughly speaking, folds @{const ALT} over the 
  set @{text rs} with @{const NULL} for the empty set. We can prove that for a finite set @{text rs}
  %
  \begin{equation}\label{uplus}
  \mbox{@{thm (lhs) folds_plus_simp} @{text "= \<Union> (\<calL> ` rs)"}}
  \end{equation}

  \noindent
  holds, whereby @{text "\<calL> ` rs"} stands for the 
  image of the set @{text rs} under function @{text "\<calL>"}.
*}


section {* The Myhill-Nerode Theorem, First Part *}

text {*
  The key definition in the Myhill-Nerode theorem is the
  \emph{Myhill-Nerode relation}, which states that w.r.t.~a language two 
  strings are related, provided there is no distinguishing extension in this
  language. This can be defined as a tertiary relation.

  \begin{definition}[Myhill-Nerode Relation] Given a language @{text A}, two strings @{text x} and
  @{text y} are Myhill-Nerode related provided
  \begin{center}
  @{thm str_eq_def'}
  \end{center}
  \end{definition}

  \noindent
  It is easy to see that @{term "\<approx>A"} is an equivalence relation, which
  partitions the set of all strings, @{text "UNIV"}, into a set of disjoint
  equivalence classes. To illustrate this quotient construction, let us give a simple 
  example: consider the regular language containing just
  the string @{text "[c]"}. The relation @{term "\<approx>({[c]})"} partitions @{text UNIV}
  into three equivalence classes @{text "X\<^sub>1"}, @{text "X\<^sub>2"} and  @{text "X\<^sub>3"}
  as follows
  
  \begin{center}
  @{text "X\<^sub>1 = {[]}"}\hspace{5mm}
  @{text "X\<^sub>2 = {[c]}"}\hspace{5mm}
  @{text "X\<^sub>3 = UNIV - {[], [c]}"}
  \end{center}

  One direction of the Myhill-Nerode theorem establishes 
  that if there are finitely many equivalence classes, like in the example above, then 
  the language is regular. In our setting we therefore have to show:
  
  \begin{theorem}\label{myhillnerodeone}
  @{thm[mode=IfThen] Myhill_Nerode1}
  \end{theorem}

  \noindent
  To prove this theorem, we first define the set @{term "finals A"} as those equivalence
  classes from @{term "UNIV // \<approx>A"} that contain strings of @{text A}, namely
  %
  \begin{equation} 
  @{thm finals_def}
  \end{equation}

  \noindent
  In our running example, @{text "X\<^sub>2"} is the only 
  equivalence class in @{term "finals {[c]}"}.
  It is straightforward to show that in general @{thm lang_is_union_of_finals} and 
  @{thm finals_in_partitions} hold. 
  Therefore if we know that there exists a regular expression for every
  equivalence class in \mbox{@{term "finals A"}} (which by assumption must be
  a finite set), then we can use @{text "\<bigplus>"} to obtain a regular expression 
  that matches every string in @{text A}.


  Our proof of Thm.~\ref{myhillnerodeone} relies on a method that can calculate a
  regular expression for \emph{every} equivalence class, not just the ones 
  in @{term "finals A"}. We
  first define the notion of \emph{one-character-transition} between 
  two equivalence classes
  %
  \begin{equation} 
  @{thm transition_def}
  \end{equation}

  \noindent
  which means that if we concatenate the character @{text c} to the end of all 
  strings in the equivalence class @{text Y}, we obtain a subset of 
  @{text X}. Note that we do not define an automaton here, we merely relate two sets
  (with the help of a character). In our concrete example we have 
  @{term "X\<^sub>1 \<Turnstile>c\<Rightarrow> X\<^sub>2"}, @{term "X\<^sub>1 \<Turnstile>d\<Rightarrow> X\<^sub>3"} with @{text d} being any 
  other character than @{text c}, and @{term "X\<^sub>3 \<Turnstile>d\<Rightarrow> X\<^sub>3"} for any @{text d}.
  
  Next we construct an \emph{initial equational system} that
  contains an equation for each equivalence class. We first give
  an informal description of this construction. Suppose we have 
  the equivalence classes @{text "X\<^sub>1,\<dots>,X\<^sub>n"}, there must be one and only one that
  contains the empty string @{text "[]"} (since equivalence classes are disjoint).
  Let us assume @{text "[] \<in> X\<^sub>1"}. We build the following equational system
  
  \begin{center}
  \begin{tabular}{rcl}
  @{text "X\<^sub>1"} & @{text "="} & @{text "(Y\<^sub>1\<^sub>1, CHAR c\<^sub>1\<^sub>1) + \<dots> + (Y\<^sub>1\<^sub>p, CHAR c\<^sub>1\<^sub>p) + \<lambda>(EMPTY)"} \\
  @{text "X\<^sub>2"} & @{text "="} & @{text "(Y\<^sub>2\<^sub>1, CHAR c\<^sub>2\<^sub>1) + \<dots> + (Y\<^sub>2\<^sub>o, CHAR c\<^sub>2\<^sub>o)"} \\
  & $\vdots$ \\
  @{text "X\<^sub>n"} & @{text "="} & @{text "(Y\<^sub>n\<^sub>1, CHAR c\<^sub>n\<^sub>1) + \<dots> + (Y\<^sub>n\<^sub>q, CHAR c\<^sub>n\<^sub>q)"}\\
  \end{tabular}
  \end{center}

  \noindent
  where the terms @{text "(Y\<^sub>i\<^sub>j, CHAR c\<^sub>i\<^sub>j)"}
  stand for all transitions @{term "Y\<^sub>i\<^sub>j \<Turnstile>c\<^sub>i\<^sub>j\<Rightarrow>
  X\<^sub>i"}. 
  %The intuition behind the equational system is that every 
  %equation @{text "X\<^sub>i = rhs\<^sub>i"} in this system
  %corresponds roughly to a state of an automaton whose name is @{text X\<^sub>i} and its predecessor states 
  %are the @{text "Y\<^sub>i\<^sub>j"}; the @{text "c\<^sub>i\<^sub>j"} are the labels of the transitions from these 
  %predecessor states to @{text X\<^sub>i}. 
  There can only be
  finitely many terms of the form @{text "(Y\<^sub>i\<^sub>j, CHAR c\<^sub>i\<^sub>j)"} in a right-hand side 
  since by assumption there are only finitely many
  equivalence classes and only finitely many characters.
  The term @{text "\<lambda>(EMPTY)"} in the first equation acts as a marker for the initial state, that
  is the equivalence class
  containing @{text "[]"}.\footnote{Note that we mark, roughly speaking, the
  single `initial' state in the equational system, which is different from
  the method by Brzozowski \cite{Brzozowski64}, where he marks the
  `terminal' states. We are forced to set up the equational system in our
  way, because the Myhill-Nerode relation determines the `direction' of the
  transitions---the successor `state' of an equivalence class @{text Y} can
  be reached by adding a character to the end of @{text Y}. This is also the
  reason why we have to use our reverse version of Arden's Lemma.}
  %In our initial equation system there can only be
  %finitely many terms of the form @{text "(Y\<^sub>i\<^sub>j, CHAR c\<^sub>i\<^sub>j)"} in a right-hand side 
  %since by assumption there are only finitely many
  %equivalence classes and only finitely many characters. 
  Overloading the function @{text \<calL>} for the two kinds of terms in the
  equational system, we have
  
  \begin{center}
  @{text "\<calL>(Y, r) \<equiv>"} %
  @{thm (rhs) lang_trm.simps(2)[where X="Y" and r="r", THEN eq_reflection]}\hspace{10mm}
  @{thm lang_trm.simps(1)[where r="r", THEN eq_reflection]}
  \end{center}

  \noindent
  and we can prove for @{text "X\<^sub>2\<^sub>.\<^sub>.\<^sub>n"} that the following equations
  %
  \begin{equation}\label{inv1}
  @{text "X\<^sub>i = \<calL>(Y\<^sub>i\<^sub>1, CHAR c\<^sub>i\<^sub>1) \<union> \<dots> \<union> \<calL>(Y\<^sub>i\<^sub>q, CHAR c\<^sub>i\<^sub>q)"}.
  \end{equation}

  \noindent
  hold. Similarly for @{text "X\<^sub>1"} we can show the following equation
  %
  \begin{equation}\label{inv2}
  @{text "X\<^sub>1 = \<calL>(Y\<^sub>1\<^sub>1, CHAR c\<^sub>1\<^sub>1) \<union> \<dots> \<union> \<calL>(Y\<^sub>1\<^sub>p, CHAR c\<^sub>1\<^sub>p) \<union> \<calL>(\<lambda>(EMPTY))"}.
  \end{equation}

  \noindent
  holds. The reason for adding the @{text \<lambda>}-marker to our initial equational system is 
  to obtain this equation: it only holds with the marker, since none of 
  the other terms contain the empty string. The point of the initial equational system is
  that solving it means we will be able to extract a regular expression for every equivalence class. 

  Our representation for the equations in Isabelle/HOL are pairs,
  where the first component is an equivalence class (a set of strings)
  and the second component
  is a set of terms. Given a set of equivalence
  classes @{text CS}, our initial equational system @{term "Init CS"} is thus 
  formally defined as
  %
  \begin{equation}\label{initcs}
  \mbox{\begin{tabular}{rcl}     
  @{thm (lhs) Init_rhs_def} & @{text "\<equiv>"} & 
  @{text "if"}~@{term "[] \<in> X"}\\
  & & @{text "then"}~@{term "{Trn Y (CHAR c) | Y c. Y \<in> CS \<and> Y \<Turnstile>c\<Rightarrow> X} \<union> {Lam EMPTY}"}\\
  & & @{text "else"}~@{term "{Trn Y (CHAR c)| Y c. Y \<in> CS \<and> Y \<Turnstile>c\<Rightarrow> X}"}\\
  @{thm (lhs) Init_def}     & @{text "\<equiv>"} & @{thm (rhs) Init_def}
  \end{tabular}}
  \end{equation}
*}(*<*)

lemma test:
  assumes X_in_eqs: "(X, rhs) \<in> Init (UNIV // \<approx>A)"
  shows "X = \<Union> (lang_trm `  rhs)"
using assms l_eq_r_in_eqs by (simp)

(*>*)text {*
  \noindent
  Because we use sets of terms 
  for representing the right-hand sides of equations, we can 
  prove \eqref{inv1} and \eqref{inv2} more concisely as
  %
  \begin{lemma}\label{inv}
  If @{thm (prem 1) test} then @{text "X = \<Union> \<calL> ` rhs"}.
  \end{lemma}

  \noindent
  Our proof of Thm.~\ref{myhillnerodeone} will proceed by transforming the
  initial equational system into one in \emph{solved form} maintaining the invariant
  in Lem.~\ref{inv}. From the solved form we will be able to read
  off the regular expressions. 

  In order to transform an equational system into solved form, we have two 
  operations: one that takes an equation of the form @{text "X = rhs"} and removes
  any recursive occurrences of @{text X} in the @{text rhs} using our variant of Arden's 
  Lemma. The other operation takes an equation @{text "X = rhs"}
  and substitutes @{text X} throughout the rest of the equational system
  adjusting the remaining regular expressions appropriately. To define this adjustment 
  we define the \emph{append-operation} taking a term and a regular expression as argument

  \begin{center}
  @{thm Append_rexp.simps(2)[where X="Y" and r="r\<^sub>1" and rexp="r\<^sub>2", THEN eq_reflection]}\hspace{10mm}
  @{thm Append_rexp.simps(1)[where r="r\<^sub>1" and rexp="r\<^sub>2", THEN eq_reflection]}
  \end{center}

  \noindent
  We lift this operation to entire right-hand sides of equations, written as
  @{thm (lhs) Append_rexp_rhs_def[where rexp="r"]}. With this we can define
  the \emph{arden-operation} for an equation of the form @{text "X = rhs"} as:
  %
  \begin{equation}\label{arden_def}
  \mbox{\begin{tabular}{rc@ {\hspace{2mm}}r@ {\hspace{1mm}}l}
  @{thm (lhs) Arden_def} & @{text "\<equiv>"}~~\mbox{} & \multicolumn{2}{@ {\hspace{-2mm}}l}{@{text "let"}}\\ 
   & & @{text "rhs' ="} & @{term "rhs - {Trn X r | r. Trn X r \<in> rhs}"} \\
   & & @{text "r' ="}   & @{term "STAR (\<Uplus> {r. Trn X r \<in> rhs})"}\\
   & &  \multicolumn{2}{@ {\hspace{-2mm}}l}{@{text "in"}~~@{term "append_rhs_rexp rhs' r'"}}\\ 
  \end{tabular}}
  \end{equation}

  \noindent
  In this definition, we first delete all terms of the form @{text "(X, r)"} from @{text rhs};
  then we calculate the combined regular expressions for all @{text r} coming 
  from the deleted @{text "(X, r)"}, and take the @{const STAR} of it;
  finally we append this regular expression to @{text rhs'}. It can be easily seen 
  that this operation mimics Arden's Lemma on the level of equations. To ensure
  the non-emptiness condition of Arden's Lemma we say that a right-hand side is
  @{text ardenable} provided

  \begin{center}
  @{thm ardenable_def}
  \end{center}

  \noindent
  This allows us to prove a version of Arden's Lemma on the level of equations.

  \begin{lemma}\label{ardenable}
  Given an equation @{text "X = rhs"}.
  If @{text "X = \<Union>\<calL> ` rhs"},
  @{thm (prem 2) Arden_preserves_soundness}, and
  @{thm (prem 3) Arden_preserves_soundness}, then
  @{text "X = \<Union>\<calL> ` (Arden X rhs)"}.
  \end{lemma}
  
  \noindent
  Our @{text ardenable} condition is slightly stronger than needed for applying Arden's Lemma,
  but we can still ensure that it holds troughout our algorithm of transforming equations
  into solved form. The \emph{substitution-operation} takes an equation
  of the form @{text "X = xrhs"} and substitutes it into the right-hand side @{text rhs}.

  \begin{center}
  \begin{tabular}{rc@ {\hspace{2mm}}r@ {\hspace{1mm}}l}
  @{thm (lhs) Subst_def} & @{text "\<equiv>"}~~\mbox{} & \multicolumn{2}{@ {\hspace{-2mm}}l}{@{text "let"}}\\ 
   & & @{text "rhs' ="} & @{term "rhs - {Trn X r | r. Trn X r \<in> rhs}"} \\
   & & @{text "r' ="}   & @{term "\<Uplus> {r. Trn X r \<in> rhs}"}\\
   & &  \multicolumn{2}{@ {\hspace{-2mm}}l}{@{text "in"}~~@{term "rhs' \<union> append_rhs_rexp xrhs r'"}}\\ 
  \end{tabular}
  \end{center}

  \noindent
  We again delete first all occurrences of @{text "(X, r)"} in @{text rhs}; we then calculate
  the regular expression corresponding to the deleted terms; finally we append this
  regular expression to @{text "xrhs"} and union it up with @{text rhs'}. When we use
  the substitution operation we will arrange it so that @{text "xrhs"} does not contain
  any occurrence of @{text X}.

  With these two operations in place, we can define the operation that removes one equation
  from an equational systems @{text ES}. The operation @{const Subst_all}
  substitutes an equation @{text "X = xrhs"} throughout an equational system @{text ES}; 
  @{const Remove} then completely removes such an equation from @{text ES} by substituting 
  it to the rest of the equational system, but first eliminating all recursive occurrences
  of @{text X} by applying @{const Arden} to @{text "xrhs"}.

  \begin{center}
  \begin{tabular}{rcl}
  @{thm (lhs) Subst_all_def} & @{text "\<equiv>"} & @{thm (rhs) Subst_all_def}\\
  @{thm (lhs) Remove_def}    & @{text "\<equiv>"} & @{thm (rhs) Remove_def}
  \end{tabular}
  \end{center}

  \noindent
  Finally, we can define how an equational system should be solved. For this 
  we will need to iterate the process of eliminating equations until only one equation
  will be left in the system. However, we do not just want to have any equation
  as being the last one, but the one involving the equivalence class for 
  which we want to calculate the regular 
  expression. Let us suppose this equivalence class is @{text X}. 
  Since @{text X} is the one to be solved, in every iteration step we have to pick an
  equation to be eliminated that is different from @{text X}. In this way 
  @{text X} is kept to the final step. The choice is implemented using Hilbert's choice 
  operator, written @{text SOME} in the definition below.
  
  \begin{center}
  \begin{tabular}{rc@ {\hspace{4mm}}r@ {\hspace{1mm}}l}
  @{thm (lhs) Iter_def} & @{text "\<equiv>"}~~\mbox{} & \multicolumn{2}{@ {\hspace{-4mm}}l}{@{text "let"}}\\ 
   & & @{text "(Y, yrhs) ="} & @{term "SOME (Y, yrhs). (Y, yrhs) \<in> ES \<and> X \<noteq> Y"} \\
   & &  \multicolumn{2}{@ {\hspace{-4mm}}l}{@{text "in"}~~@{term "Remove ES Y yrhs"}}\\ 
  \end{tabular}
  \end{center}

  \noindent
  The last definition we need applies @{term Iter} over and over until a condition 
  @{text Cond} is \emph{not} satisfied anymore. This condition states that there
  are more than one equation left in the equational system @{text ES}. To solve
  an equational system we use Isabelle/HOL's @{text while}-operator as follows:
  
  \begin{center}
  @{thm Solve_def}
  \end{center}

  \noindent
  We are not concerned here with the definition of this operator
  (see Berghofer and Nipkow \cite{BerghoferNipkow00}), but note that we eliminate
  in each @{const Iter}-step a single equation, and therefore 
  have a well-founded termination order by taking the cardinality 
  of the equational system @{text ES}. This enables us to prove
  properties about our definition of @{const Solve} when we `call' it with
  the equivalence class @{text X} and the initial equational system 
  @{term "Init (UNIV // \<approx>A)"} from
  \eqref{initcs} using the principle:
  %
  \begin{equation}\label{whileprinciple}
  \mbox{\begin{tabular}{l}
  @{term "invariant (Init (UNIV // \<approx>A))"} \\
  @{term "\<forall>ES. invariant ES \<and> Cond ES \<longrightarrow> invariant (Iter X ES)"}\\
  @{term "\<forall>ES. invariant ES \<and> Cond ES \<longrightarrow> card (Iter X ES) < card ES"}\\
  @{term "\<forall>ES. invariant ES \<and> \<not> Cond ES \<longrightarrow> P ES"}\\
  \hline
  \multicolumn{1}{c}{@{term "P (Solve X (Init (UNIV // \<approx>A)))"}}
  \end{tabular}}
  \end{equation}

  \noindent
  This principle states that given an invariant (which we will specify below) 
  we can prove a property
  @{text "P"} involving @{const Solve}. For this we have to discharge the following
  proof obligations: first the
  initial equational system satisfies the invariant; second the iteration
  step @{text "Iter"} preserves the invariant as long as the condition @{term Cond} holds;
  third @{text "Iter"} decreases the termination order, and fourth that
  once the condition does not hold anymore then the property @{text P} must hold.

  The property @{term P} in our proof will state that @{term "Solve X (Init (UNIV // \<approx>A))"}
  returns with a single equation @{text "X = xrhs"} for some @{text "xrhs"}, and
  that this equational system still satisfies the invariant. In order to get
  the proof through, the invariant is composed of the following six properties:

  \begin{center}
  \begin{tabular}{@ {}rcl@ {\hspace{-13mm}}l @ {}}
  @{text "invariant ES"} & @{text "\<equiv>"} &
      @{term "finite ES"} & @{text "(finiteness)"}\\
  & @{text "\<and>"} & @{thm (rhs) finite_rhs_def} & @{text "(finiteness rhs)"}\\
  & @{text "\<and>"} & @{text "\<forall>(X, rhs)\<in>ES. X = \<Union>\<calL> ` rhs"} & @{text "(soundness)"}\\
  & @{text "\<and>"} & @{thm (rhs) distinctness_def}\\
  &             &  & @{text "(distinctness)"}\\
  & @{text "\<and>"} & @{thm (rhs) ardenable_all_def} & @{text "(ardenable)"}\\   
  & @{text "\<and>"} & @{thm (rhs) validity_def} & @{text "(validity)"}\\
  \end{tabular}
  \end{center}
 
  \noindent
  The first two ensure that the equational system is always finite (number of equations
  and number of terms in each equation); the third makes sure the `meaning' of the 
  equations is preserved under our transformations. The other properties are a bit more
  technical, but are needed to get our proof through. Distinctness states that every
  equation in the system is distinct. @{text Ardenable} ensures that we can always
  apply the @{text Arden} operation. 
  The last property states that every @{text rhs} can only contain equivalence classes
  for which there is an equation. Therefore @{text lhss} is just the set containing 
  the first components of an equational system,
  while @{text "rhss"} collects all equivalence classes @{text X} in the terms of the 
  form @{term "Trn X r"}. That means formally @{thm (lhs) lhss_def}~@{text "\<equiv> {X | (X, rhs) \<in> ES}"} 
  and @{thm (lhs) rhss_def}~@{text "\<equiv> {X | (X, r) \<in> rhs}"}.
  

  It is straightforward to prove that the initial equational system satisfies the
  invariant.

  \begin{lemma}\label{invzero}
  @{thm[mode=IfThen] Init_ES_satisfies_invariant}
  \end{lemma}

  \begin{proof}
  Finiteness is given by the assumption and the way how we set up the 
  initial equational system. Soundness is proved in Lem.~\ref{inv}. Distinctness
  follows from the fact that the equivalence classes are disjoint. The @{text ardenable}
  property also follows from the setup of the initial equational system, as does 
  validity.\qed
  \end{proof}

  \noindent
  Next we show that @{text Iter} preserves the invariant.

  \begin{lemma}\label{iterone}
  @{thm[mode=IfThen] iteration_step_invariant[where xrhs="rhs"]}
  \end{lemma}

  \begin{proof} 
  The argument boils down to choosing an equation @{text "Y = yrhs"} to be eliminated
  and to show that @{term "Subst_all (ES - {(Y, yrhs)}) Y (Arden Y yrhs)"} 
  preserves the invariant.
  We prove this as follows:

  \begin{center}
  @{text "\<forall> ES."} @{thm (prem 1) Subst_all_satisfies_invariant} implies
  @{thm (concl) Subst_all_satisfies_invariant}
  \end{center}

  \noindent
  Finiteness is straightforward, as the @{const Subst} and @{const Arden} operations 
  keep the equational system finite. These operations also preserve soundness 
  and distinctness (we proved soundness for @{const Arden} in Lem.~\ref{ardenable}).
  The property @{text ardenable} is clearly preserved because the append-operation
  cannot make a regular expression to match the empty string. Validity is
  given because @{const Arden} removes an equivalence class from @{text yrhs}
  and then @{const Subst_all} removes @{text Y} from the equational system.
  Having proved the implication above, we can instantiate @{text "ES"} with @{text "ES - {(Y, yrhs)}"}
  which matches with our proof-obligation of @{const "Subst_all"}. Since
  \mbox{@{term "ES = ES - {(Y, yrhs)} \<union> {(Y, yrhs)}"}}, we can use the assumption 
  to complete the proof.\qed 
  \end{proof}

  \noindent
  We also need the fact that @{text Iter} decreases the termination measure.

  \begin{lemma}\label{itertwo}
  @{thm[mode=IfThen] iteration_step_measure[simplified (no_asm), where xrhs="rhs"]}
  \end{lemma}

  \begin{proof}
  By assumption we know that @{text "ES"} is finite and has more than one element.
  Therefore there must be an element @{term "(Y, yrhs) \<in> ES"} with 
  @{term "(Y, yrhs) \<noteq> (X, rhs)"}. Using the distinctness property we can infer
  that @{term "Y \<noteq> X"}. We further know that @{text "Remove ES Y yrhs"}
  removes the equation @{text "Y = yrhs"} from the system, and therefore 
  the cardinality of @{const Iter} strictly decreases.\qed
  \end{proof}

  \noindent
  This brings us to our property we want to establish for @{text Solve}.


  \begin{lemma}
  If @{thm (prem 1) Solve} and @{thm (prem 2) Solve} then there exists
  a @{text rhs} such that  @{term "Solve X (Init (UNIV // \<approx>A)) = {(X, rhs)}"}
  and @{term "invariant {(X, rhs)}"}.
  \end{lemma}

  \begin{proof} 
  In order to prove this lemma using \eqref{whileprinciple}, we have to use a slightly
  stronger invariant since Lem.~\ref{iterone} and \ref{itertwo} have the precondition 
  that @{term "(X, rhs) \<in> ES"} for some @{text rhs}. This precondition is needed
  in order to choose in the @{const Iter}-step an equation that is not \mbox{@{term "X = rhs"}}.
  Therefore our invariant cannot be just @{term "invariant ES"}, but must be 
  @{term "invariant ES \<and> (\<exists>rhs. (X, rhs) \<in> ES)"}. By assumption 
  @{thm (prem 2) Solve} and Lem.~\ref{invzero}, the more general invariant holds for
  the initial equational system. This is premise 1 of~\eqref{whileprinciple}.
  Premise 2 is given by Lem.~\ref{iterone} and the fact that @{const Iter} might
  modify the @{text rhs} in the equation @{term "X = rhs"}, but does not remove it.
  Premise 3 of~\eqref{whileprinciple} is by Lem.~\ref{itertwo}. Now in premise 4
  we like to show that there exists a @{text rhs} such that @{term "ES = {(X, rhs)}"}
  and that @{text "invariant {(X, rhs)}"} holds, provided the condition @{text "Cond"}
  does not holds. By the stronger invariant we know there exists such a @{text "rhs"}
  with @{term "(X, rhs) \<in> ES"}. Because @{text Cond} is not true, we know the cardinality
  of @{text ES} is @{text 1}. This means @{text "ES"} must actually be the set @{text "{(X, rhs)}"},
  for which the invariant holds. This allows us to conclude that 
  @{term "Solve X (Init (UNIV // \<approx>A)) = {(X, rhs)}"} and @{term "invariant {(X, rhs)}"} hold,
  as needed.\qed
  \end{proof}

  \noindent
  With this lemma in place we can show that for every equivalence class in @{term "UNIV // \<approx>A"}
  there exists a regular expression.

  \begin{lemma}\label{every_eqcl_has_reg}
  @{thm[mode=IfThen] every_eqcl_has_reg}
  \end{lemma}

  \begin{proof}
  By the preceding lemma, we know that there exists a @{text "rhs"} such
  that @{term "Solve X (Init (UNIV // \<approx>A))"} returns the equation @{text "X = rhs"},
  and that the invariant holds for this equation. That means we 
  know @{text "X = \<Union>\<calL> ` rhs"}. We further know that
  this is equal to \mbox{@{text "\<Union>\<calL> ` (Arden X rhs)"}} using the properties of the 
  invariant and Lem.~\ref{ardenable}. Using the validity property for the equation @{text "X = rhs"},
  we can infer that @{term "rhss rhs \<subseteq> {X}"} and because the @{text Arden} operation
  removes that @{text X} from @{text rhs}, that @{term "rhss (Arden X rhs) = {}"}.
  This means the right-hand side @{term "Arden X rhs"} can only consist of terms of the form @{term "Lam r"}.
  So we can collect those (finitely many) regular expressions @{text rs} and have @{term "X = L (\<Uplus>rs)"}.
  With this we can conclude the proof.\qed
  \end{proof}

  \noindent
  Lem.~\ref{every_eqcl_has_reg} allows us to finally give a proof for the first direction
  of the Myhill-Nerode theorem.

  \begin{proof}[of Thm.~\ref{myhillnerodeone}]
  By Lem.~\ref{every_eqcl_has_reg} we know that there exists a regular expression for
  every equivalence class in @{term "UNIV // \<approx>A"}. Since @{text "finals A"} is
  a subset of  @{term "UNIV // \<approx>A"}, we also know that for every equivalence class
  in @{term "finals A"} there exists a regular expression. Moreover by assumption 
  we know that @{term "finals A"} must be finite, and therefore there must be a finite
  set of regular expressions @{text "rs"} such that
  @{term "\<Union>(finals A) = L (\<Uplus>rs)"}.
  Since the left-hand side is equal to @{text A}, we can use @{term "\<Uplus>rs"} 
  as the regular expression that is needed in the theorem.\qed
  \end{proof}
*}




section {* Myhill-Nerode, Second Part *}

text {*
  We will prove in this section the second part of the Myhill-Nerode
  theorem. It can be formulated in our setting as follows:

  \begin{theorem}
  Given @{text "r"} is a regular expression, then @{thm Myhill_Nerode2}.
  \end{theorem}  

  \noindent
  The proof will be by induction on the structure of @{text r}. It turns out
  the base cases are straightforward.


  \begin{proof}[Base Cases]
  The cases for @{const NULL}, @{const EMPTY} and @{const CHAR} are routine, because 
  we can easily establish that

  \begin{center}
  \begin{tabular}{l}
  @{thm quot_zero_eq}\\
  @{thm quot_one_subset}\\
  @{thm quot_atom_subset}
  \end{tabular}
  \end{center}

  \noindent
  hold, which shows that @{term "UNIV // \<approx>(L r)"} must be finite.\qed
  \end{proof}

  \noindent
  Much more interesting, however, are the inductive cases. They seem hard to solve 
  directly. The reader is invited to try. 

  Our proof will rely on some
  \emph{tagging-functions} defined over strings. Given the inductive hypothesis, it will 
  be easy to prove that the \emph{range} of these tagging-functions is finite
  (the range of a function @{text f} is defined as @{text "range f \<equiv> f ` UNIV"}).
  With this we will be able to infer that the tagging-functions, seen as relations,
  give rise to finitely many equivalence classes of @{const UNIV}. Finally we 
  will show that the tagging-relations are more refined than @{term "\<approx>(L r)"}, which
  implies that @{term "UNIV // \<approx>(L r)"} must also be finite (a relation @{text "R\<^sub>1"} 
  is said to \emph{refine} @{text "R\<^sub>2"} provided @{text "R\<^sub>1 \<subseteq> R\<^sub>2"}).
  We formally define the notion of a \emph{tagging-relation} as follows.

  \begin{definition}[Tagging-Relation] Given a tagging-function @{text tag}, then two strings @{text x}
  and @{text y} are \emph{tag-related} provided
  \begin{center}
  @{text "x =tag= y \<equiv> tag x = tag y"}\;.
  \end{center}
  \end{definition}


  In order to establish finiteness of a set @{text A}, we shall use the following powerful
  principle from Isabelle/HOL's library.
  %
  \begin{equation}\label{finiteimageD}
  @{thm[mode=IfThen] finite_imageD}
  \end{equation}

  \noindent
  It states that if an image of a set under an injective function @{text f} (injective over this set) 
  is finite, then the set @{text A} itself must be finite. We can use it to establish the following 
  two lemmas.

  \begin{lemma}\label{finone}
  @{thm[mode=IfThen] finite_eq_tag_rel}
  \end{lemma}

  \begin{proof}
  We set in \eqref{finiteimageD}, @{text f} to be @{text "X \<mapsto> tag ` X"}. We have
  @{text "range f"} to be a subset of @{term "Pow (range tag)"}, which we know must be
  finite by assumption. Now @{term "f (UNIV // =tag=)"} is a subset of @{text "range f"},
  and so also finite. Injectivity amounts to showing that @{text "X = Y"} under the
  assumptions that @{text "X, Y \<in> "}~@{term "UNIV // =tag="} and @{text "f X = f Y"}.
  From the assumptions we can obtain @{text "x \<in> X"} and @{text "y \<in> Y"} with 
  @{text "tag x = tag y"}. Since @{text x} and @{text y} are tag-related, this in 
  turn means that the equivalence classes @{text X}
  and @{text Y} must be equal.\qed
  \end{proof}

  \begin{lemma}\label{fintwo} 
  Given two equivalence relations @{text "R\<^sub>1"} and @{text "R\<^sub>2"}, whereby
  @{text "R\<^sub>1"} refines @{text "R\<^sub>2"}.
  If @{thm (prem 1) refined_partition_finite[where ?R1.0="R\<^sub>1" and ?R2.0="R\<^sub>2"]}
  then @{thm (concl) refined_partition_finite[where ?R1.0="R\<^sub>1" and ?R2.0="R\<^sub>2"]}.
  \end{lemma}

  \begin{proof}
  We prove this lemma again using \eqref{finiteimageD}. This time we set @{text f} to
  be @{text "X \<mapsto>"}~@{term "{R\<^sub>1 `` {x} | x. x \<in> X}"}. It is easy to see that 
  @{term "finite (f ` (UNIV // R\<^sub>2))"} because it is a subset of @{term "Pow (UNIV // R\<^sub>1)"},
  which is finite by assumption. What remains to be shown is that @{text f} is injective
  on @{term "UNIV // R\<^sub>2"}. This is equivalent to showing that two equivalence 
  classes, say @{text "X"} and @{text Y}, in @{term "UNIV // R\<^sub>2"} are equal, provided
  @{text "f X = f Y"}. For @{text "X = Y"} to be equal, we have to find two elements
  @{text "x \<in> X"} and @{text "y \<in> Y"} such that they are @{text R\<^sub>2} related.
  We know there exists a @{text "x \<in> X"} with \mbox{@{term "X = R\<^sub>2 `` {x}"}}. 
  From the latter fact we can infer that @{term "R\<^sub>1 ``{x} \<in> f X"}
  and further @{term "R\<^sub>1 ``{x} \<in> f Y"}. This means we can obtain a @{text y}
  such that @{term "R\<^sub>1 `` {x} = R\<^sub>1 `` {y}"} holds. Consequently @{text x} and @{text y}
  are @{text "R\<^sub>1"}-related. Since by assumption @{text "R\<^sub>1"} refines @{text "R\<^sub>2"},
  they must also be @{text "R\<^sub>2"}-related, as we need to show.\qed
  \end{proof}

  \noindent
  Chaining Lem.~\ref{finone} and \ref{fintwo} together, means in order to show
  that @{term "UNIV // \<approx>(L r)"} is finite, we have to find a tagging-function whose
  range can be shown to be finite and whose tagging-relation refines @{term "\<approx>(L r)"}.
  Let us attempt the @{const ALT}-case first.

  \begin{proof}[@{const "ALT"}-Case] 
  We take as tagging-function 
  %
  \begin{center}
  @{thm tag_str_Plus_def[where A="A" and B="B", THEN meta_eq_app]}
  \end{center}

  \noindent
  where @{text "A"} and @{text "B"} are some arbitrary languages.
  We can show in general, if @{term "finite (UNIV // \<approx>A)"} and @{term "finite (UNIV // \<approx>B)"}
  then @{term "finite ((UNIV // \<approx>A) \<times> (UNIV // \<approx>B))"} holds. The range of
  @{term "tag_str_ALT A B"} is a subset of this product set---so finite. It remains to be shown
  that @{text "=tag\<^sub>A\<^sub>L\<^sub>T A B="} refines @{term "\<approx>(A \<union> B)"}. This amounts to 
  showing
  %
  \begin{center}
  @{term "tag\<^sub>A\<^sub>L\<^sub>T A B x = tag\<^sub>A\<^sub>L\<^sub>T A B y \<longrightarrow> x \<approx>(A \<union> B) y"}
  \end{center}
  %
  \noindent
  which by unfolding the Myhill-Nerode relation is identical to
  %
  \begin{equation}\label{pattern}
  @{text "\<forall>z. tag\<^sub>A\<^sub>L\<^sub>T A B x = tag\<^sub>A\<^sub>L\<^sub>T A B y \<and> x @ z \<in> A \<union> B \<longrightarrow> y @ z \<in> A \<union> B"}
  \end{equation}
  %
  \noindent
  since both @{text "=tag\<^sub>A\<^sub>L\<^sub>T A B="} and @{term "\<approx>(A \<union> B)"} are symmetric. To solve
  \eqref{pattern} we just have to unfold the definition of the tagging-function and analyse 
  in which set, @{text A} or @{text B}, the string @{term "x @ z"} is. 
  The definition of the tagging-function will give us in each case the
  information to infer that @{text "y @ z \<in> A \<union> B"}.
  Finally we
  can discharge this case by setting @{text A} to @{term "L r\<^sub>1"} and @{text B} to @{term "L r\<^sub>2"}.\qed
  \end{proof}


  \noindent
  The pattern in \eqref{pattern} is repeated for the other two cases. Unfortunately,
  they are slightly more complicated. In the @{const SEQ}-case we essentially have
  to be able to infer that 
  %
  \begin{center}
  @{text "\<dots>"}@{term "x @ z \<in> A \<cdot> B \<longrightarrow> y @ z \<in> A \<cdot> B"}
  \end{center}
  %
  \noindent
  using the information given by the appropriate tagging-function. The complication 
  is to find out what the possible splits of @{text "x @ z"} are to be in @{term "A \<cdot> B"}
  (this was easy in case of @{term "A \<union> B"}). To deal with this complication we define the
  notions of \emph{string prefixes} 
  %
  \begin{center}
  @{text "x \<le> y \<equiv> \<exists>z. y = x @ z"}\hspace{10mm}
  @{text "x < y \<equiv> x \<le> y \<and> x \<noteq> y"}
  \end{center}
  %
  \noindent
  and \emph{string subtraction}:
  %
  \begin{center}
  @{text "[] - y \<equiv> []"}\hspace{10mm}
  @{text "x - [] \<equiv> x"}\hspace{10mm}
  @{text "cx - dy \<equiv> if c = d then x - y else cx"}
  \end{center}
  %
  \noindent
  where @{text c} and @{text d} are characters, and @{text x} and @{text y} are strings. 
  
  Now assuming  @{term "x @ z \<in> A \<cdot> B"} there are only two possible ways of how to `split' 
  this string to be in @{term "A \<cdot> B"}:
  %
  \begin{center}
  \begin{tabular}{@ {}c@ {\hspace{10mm}}c@ {}}
  \scalebox{0.7}{
  \begin{tikzpicture}
    \node[draw,minimum height=3.8ex] (xa) { $\hspace{3em}@{text "x'"}\hspace{3em}$ };
    \node[draw,minimum height=3.8ex, right=-0.03em of xa] (xxa) { $\hspace{0.2em}@{text "x - x'"}\hspace{0.2em}$ };
    \node[draw,minimum height=3.8ex, right=-0.03em of xxa] (z) { $\hspace{5em}@{text z}\hspace{5em}$ };

    \draw[decoration={brace,transform={yscale=3}},decorate]
           (xa.north west) -- ($(xxa.north east)+(0em,0em)$)
               node[midway, above=0.5em]{@{text x}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           (z.north west) -- ($(z.north east)+(0em,0em)$)
               node[midway, above=0.5em]{@{text z}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(xa.north west)+(0em,3ex)$) -- ($(z.north east)+(0em,3ex)$)
               node[midway, above=0.8em]{@{term "x @ z \<in> A \<cdot> B"}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(z.south east)+(0em,0ex)$) -- ($(xxa.south west)+(0em,0ex)$)
               node[midway, below=0.5em]{@{term "(x - x') @ z \<in> B"}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(xa.south east)+(0em,0ex)$) -- ($(xa.south west)+(0em,0ex)$)
               node[midway, below=0.5em]{@{term "x' \<in> A"}};
  \end{tikzpicture}}
  &
  \scalebox{0.7}{
  \begin{tikzpicture}
    \node[draw,minimum height=3.8ex] (x) { $\hspace{4.8em}@{text x}\hspace{4.8em}$ };
    \node[draw,minimum height=3.8ex, right=-0.03em of x] (za) { $\hspace{0.6em}@{text "z'"}\hspace{0.6em}$ };
    \node[draw,minimum height=3.8ex, right=-0.03em of za] (zza) { $\hspace{2.6em}@{text "z - z'"}\hspace{2.6em}$  };

    \draw[decoration={brace,transform={yscale=3}},decorate]
           (x.north west) -- ($(za.north west)+(0em,0em)$)
               node[midway, above=0.5em]{@{text x}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(za.north west)+(0em,0ex)$) -- ($(zza.north east)+(0em,0ex)$)
               node[midway, above=0.5em]{@{text z}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(x.north west)+(0em,3ex)$) -- ($(zza.north east)+(0em,3ex)$)
               node[midway, above=0.8em]{@{term "x @ z \<in> A \<cdot> B"}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(za.south east)+(0em,0ex)$) -- ($(x.south west)+(0em,0ex)$)
               node[midway, below=0.5em]{@{text "x @ z' \<in> A"}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(zza.south east)+(0em,0ex)$) -- ($(za.south east)+(0em,0ex)$)
               node[midway, below=0.5em]{@{text "(z - z') \<in> B"}};
  \end{tikzpicture}}
  \end{tabular}
  \end{center}
  %
  \noindent
  Either there is a prefix of @{text x} in @{text A} and the rest is in @{text B} (first picture),
  or @{text x} and a prefix of @{text "z"} is in @{text A} and the rest in @{text B} (second picture).
  In both cases we have to show that @{term "y @ z \<in> A \<cdot> B"}. For this we use the 
  following tagging-function
  %
  \begin{center}
  @{thm tag_str_Times_def[where ?L1.0="A" and ?L2.0="B", THEN meta_eq_app]}
  \end{center}

  \noindent
  with the idea that in the first split we have to make sure that @{text "(x - x') @ z"}
  is in the language @{text B}.

  \begin{proof}[@{const SEQ}-Case]
  If @{term "finite (UNIV // \<approx>A)"} and @{term "finite (UNIV // \<approx>B)"}
  then @{term "finite ((UNIV // \<approx>A) \<times> (Pow (UNIV // \<approx>B)))"} holds. The range of
  @{term "tag_str_SEQ A B"} is a subset of this product set, and therefore finite.
  We have to show injectivity of this tagging-function as
  %
  \begin{center}
  @{term "\<forall>z. tag_str_SEQ A B x = tag_str_SEQ A B y \<and> x @ z \<in> A \<cdot> B \<longrightarrow> y @ z \<in> A \<cdot> B"}
  \end{center}
  %
  \noindent
  There are two cases to be considered (see pictures above). First, there exists 
  a @{text "x'"} such that
  @{text "x' \<in> A"}, @{text "x' \<le> x"} and @{text "(x - x') @ z \<in> B"} hold. We therefore have
  %
  \begin{center}
  @{term "(\<approx>B `` {x - x'}) \<in> ({\<approx>B `` {x - x'} |x'. x' \<le> x \<and> x' \<in> A})"}
  \end{center}
  %
  \noindent
  and by the assumption about @{term "tag_str_SEQ A B"} also 
  %
  \begin{center}
  @{term "(\<approx>B `` {x - x'}) \<in> ({\<approx>B `` {y - y'} |y'. y' \<le> y \<and> y' \<in> A})"}
  \end{center}
  %
  \noindent
  That means there must be a @{text "y'"} such that @{text "y' \<in> A"} and 
  @{term "\<approx>B `` {x - x'} = \<approx>B `` {y - y'}"}. This equality means that
  @{term "(x - x') \<approx>B (y - y')"} holds. Unfolding the Myhill-Nerode
  relation and together with the fact that @{text "(x - x') @ z \<in> B"}, we
  have @{text "(y - y') @ z \<in> B"}. We already know @{text "y' \<in> A"}, therefore
  @{term "y @ z \<in> A \<cdot> B"}, as needed in this case.

  Second, there exists a @{text "z'"} such that @{term "x @ z' \<in> A"} and @{text "z - z' \<in> B"}.
  By the assumption about @{term "tag_str_SEQ A B"} we have
  @{term "\<approx>A `` {x} = \<approx>A `` {y}"} and thus @{term "x \<approx>A y"}. Which means by the Myhill-Nerode
  relation that @{term "y @ z' \<in> A"} holds. Using @{text "z - z' \<in> B"}, we can conclude also in this case
  with @{term "y @ z \<in> A \<cdot> B"}. We again can complete the @{const SEQ}-case
  by setting @{text A} to @{term "L r\<^sub>1"} and @{text B} to @{term "L r\<^sub>2"}.\qed 
  \end{proof}
  
  \noindent
  The case for @{const STAR} is similar to @{const SEQ}, but poses a few extra challenges. When
  we analyse the case that @{text "x @ z"} is an element in @{term "A\<star>"} and @{text x} is not the 
  empty string, we 
  have the following picture:
  %
  \begin{center}
  \scalebox{0.7}{
  \begin{tikzpicture}
    \node[draw,minimum height=3.8ex] (xa) { $\hspace{4em}@{text "x'\<^sub>m\<^sub>a\<^sub>x"}\hspace{4em}$ };
    \node[draw,minimum height=3.8ex, right=-0.03em of xa] (xxa) { $\hspace{0.5em}@{text "x - x'\<^sub>m\<^sub>a\<^sub>x"}\hspace{0.5em}$ };
    \node[draw,minimum height=3.8ex, right=-0.03em of xxa] (za) { $\hspace{2em}@{text "z\<^sub>a"}\hspace{2em}$ };
    \node[draw,minimum height=3.8ex, right=-0.03em of za] (zb) { $\hspace{7em}@{text "z\<^sub>b"}\hspace{7em}$ };

    \draw[decoration={brace,transform={yscale=3}},decorate]
           (xa.north west) -- ($(xxa.north east)+(0em,0em)$)
               node[midway, above=0.5em]{@{text x}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           (za.north west) -- ($(zb.north east)+(0em,0em)$)
               node[midway, above=0.5em]{@{text z}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(xa.north west)+(0em,3ex)$) -- ($(zb.north east)+(0em,3ex)$)
               node[midway, above=0.8em]{@{term "x @ z \<in> A\<star>"}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(za.south east)+(0em,0ex)$) -- ($(xxa.south west)+(0em,0ex)$)
               node[midway, below=0.5em]{@{text "(x - x'\<^sub>m\<^sub>a\<^sub>x) @ z\<^sub>a \<in> A"}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(xa.south east)+(0em,0ex)$) -- ($(xa.south west)+(0em,0ex)$)
               node[midway, below=0.5em]{@{term "x'\<^sub>m\<^sub>a\<^sub>x \<in> A\<star>"}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(zb.south east)+(0em,0ex)$) -- ($(zb.south west)+(0em,0ex)$)
               node[midway, below=0.5em]{@{term "z\<^sub>b \<in> A\<star>"}};

    \draw[decoration={brace,transform={yscale=3}},decorate]
           ($(zb.south east)+(0em,-4ex)$) -- ($(xxa.south west)+(0em,-4ex)$)
               node[midway, below=0.5em]{@{term "(x - x'\<^sub>m\<^sub>a\<^sub>x) @ z \<in> A\<star>"}};
  \end{tikzpicture}}
  \end{center}
  %
  \noindent
  We can find a strict prefix @{text "x'"} of @{text x} such that @{term "x' \<in> A\<star>"},
  @{text "x' < x"} and the rest @{term "(x - x') @ z \<in> A\<star>"}. For example the empty string 
  @{text "[]"} would do.
  There are potentially many such prefixes, but there can only be finitely many of them (the 
  string @{text x} is finite). Let us therefore choose the longest one and call it 
  @{text "x'\<^sub>m\<^sub>a\<^sub>x"}. Now for the rest of the string @{text "(x - x'\<^sub>m\<^sub>a\<^sub>x) @ z"} we
  know it is in @{term "A\<star>"}. By definition of @{term "A\<star>"}, we can separate
  this string into two parts, say @{text "a"} and @{text "b"}, such that @{text "a \<in> A"}
  and @{term "b \<in> A\<star>"}. Now @{text a} must be strictly longer than @{text "x - x'\<^sub>m\<^sub>a\<^sub>x"},
  otherwise @{text "x'\<^sub>m\<^sub>a\<^sub>x"} is not the longest prefix. That means @{text a}
  `overlaps' with @{text z}, splitting it into two components @{text "z\<^sub>a"} and
   @{text "z\<^sub>b"}. For this we know that @{text "(x - x'\<^sub>m\<^sub>a\<^sub>x) @ z\<^sub>a \<in> A"} and
  @{term "z\<^sub>b \<in> A\<star>"}. To cut a story short, we have divided @{term "x @ z \<in> A\<star>"}
  such that we have a string @{text a} with @{text "a \<in> A"} that lies just on the
  `border' of @{text x} and @{text z}. This string is @{text "(x - x'\<^sub>m\<^sub>a\<^sub>x) @ z\<^sub>a"}.

  In order to show that @{term "x @ z \<in> A\<star>"} implies @{term "y @ z \<in> A\<star>"}, we use
  the following tagging-function:
  %
  \begin{center}
  @{thm tag_str_Star_def[where ?L1.0="A", THEN meta_eq_app]}\smallskip
  \end{center}

  \begin{proof}[@{const STAR}-Case]
  If @{term "finite (UNIV // \<approx>A)"} 
  then @{term "finite (Pow (UNIV // \<approx>A))"} holds. The range of
  @{term "tag_str_STAR A"} is a subset of this set, and therefore finite.
  Again we have to show injectivity of this tagging-function as  
  %
  \begin{center}
  @{term "\<forall>z. tag_str_STAR A x = tag_str_STAR A y \<and> x @ z \<in> A\<star> \<longrightarrow> y @ z \<in> A\<star>"}
  \end{center}  
  %
  \noindent
  We first need to consider the case that @{text x} is the empty string.
  From the assumption we can infer @{text y} is the empty string and
  clearly have @{term "y @ z \<in> A\<star>"}. In case @{text x} is not the empty
  string, we can divide the string @{text "x @ z"} as shown in the picture 
  above. By the tagging-function we have
  %
  \begin{center}
  @{term "\<approx>A `` {(x - x'\<^sub>m\<^sub>a\<^sub>x)} \<in> ({\<approx>A `` {x - x'} |x'. x' < x \<and> x' \<in> A\<star>})"}
  \end{center}
  %
  \noindent
  which by assumption is equal to
  %
  \begin{center}
  @{term "\<approx>A `` {(x - x'\<^sub>m\<^sub>a\<^sub>x)} \<in> ({\<approx>A `` {y - y'} |y'. y' < y \<and> y' \<in> A\<star>})"}
  \end{center}
  %
  \noindent 
  and we know that we have a @{term "y' \<in> A\<star>"} and @{text "y' < y"}
  and also know @{term "(x - x'\<^sub>m\<^sub>a\<^sub>x) \<approx>A (y - y')"}. Unfolding the Myhill-Nerode
  relation we know @{term "(y - y') @ z\<^sub>a \<in> A"}. We also know that @{term "z\<^sub>b \<in> A\<star>"}.
  Therefore @{term "y' @ ((y - y') @ z\<^sub>a) @ z\<^sub>b \<in> A\<star>"}, which means
  @{term "y @ z \<in> A\<star>"}. As the last step we have to set @{text "A"} to @{term "L r"} and
  complete the proof.\qed
  \end{proof}
*}



section {* Conclusion and Related Work *}

text {*
  In this paper we took the view that a regular language is one where there
  exists a regular expression that matches all of its strings. Regular
  expressions can conveniently be defined as a datatype in HOL-based theorem
  provers. For us it was therefore interesting to find out how far we can push
  this point of view. We have established in Isabelle/HOL both directions 
  of the Myhill-Nerode theorem.
  %
  \begin{theorem}[The Myhill-Nerode Theorem]\mbox{}\\
  A language @{text A} is regular if and only if @{thm (rhs) Myhill_Nerode}.
  \end{theorem}
  %
  \noindent
  Having formalised this theorem means we
  pushed our point of view quite far. Using this theorem we can obviously prove when a language
  is \emph{not} regular---by establishing that it has infinitely many
  equivalence classes generated by the Myhill-Nerode relation (this is usually
  the purpose of the pumping lemma \cite{Kozen97}).  We can also use it to
  establish the standard textbook results about closure properties of regular
  languages. Interesting is the case of closure under complement, because
  it seems difficult to construct a regular expression for the complement
  language by direct means. However the existence of such a regular expression
  can be easily proved using the Myhill-Nerode theorem since 
  %
  \begin{center}
  @{term "s\<^sub>1 \<approx>A s\<^sub>2"} if and only if @{term "s\<^sub>1 \<approx>(-A) s\<^sub>2"}
  \end{center}
  %
  \noindent
  holds for any strings @{text "s\<^sub>1"} and @{text
  "s\<^sub>2"}. Therefore @{text A} and the complement language @{term "-A"} give rise to the same
  partitions.  Proving the existence of such a regular expression via automata 
  using the standard method would 
  be quite involved. It includes the
  steps: regular expression @{text "\<Rightarrow>"} non-deterministic automaton @{text
  "\<Rightarrow>"} deterministic automaton @{text "\<Rightarrow>"} complement automaton @{text "\<Rightarrow>"}
  regular expression.

  While regular expressions are convenient in formalisations, they have some
  limitations. One is that there seems to be no method of calculating a
  minimal regular expression (for example in terms of length) for a regular
  language, like there is
  for automata. On the other hand, efficient regular expression matching,
  without using automata, poses no problem \cite{OwensReppyTuron09}.
  For an implementation of a simple regular expression matcher,
  whose correctness has been formally established, we refer the reader to
  Owens and Slind \cite{OwensSlind08}.


  Our formalisation consists of 780 lines of Isabelle/Isar code for the first
  direction and 460 for the second, plus around 300 lines of standard material about
  regular languages. While this might be seen as too large to count as a
  concise proof pearl, this should be seen in the context of the work done by
  Constable at al \cite{Constable00} who formalised the Myhill-Nerode theorem
  in Nuprl using automata. They write that their four-member team needed
  something on the magnitude of 18 months for their formalisation. The
  estimate for our formalisation is that we needed approximately 3 months and
  this included the time to find our proof arguments. Unlike Constable et al,
  who were able to follow the proofs from \cite{HopcroftUllman69}, we had to
  find our own arguments.  So for us the formalisation was not the
  bottleneck. It is hard to gauge the size of a formalisation in Nurpl, but
  from what is shown in the Nuprl Math Library about their development it
  seems substantially larger than ours. The code of ours can be found in the
  Mercurial Repository at
  \mbox{\url{http://www4.in.tum.de/~urbanc/regexp.html}}.


  Our proof of the first direction is very much inspired by \emph{Brzozowski's
  algebraic method} used to convert a finite automaton to a regular
  expression \cite{Brzozowski64}. The close connection can be seen by considering the equivalence
  classes as the states of the minimal automaton for the regular language.
  However there are some subtle differences. Since we identify equivalence
  classes with the states of the automaton, then the most natural choice is to
  characterise each state with the set of strings starting from the initial
  state leading up to that state. Usually, however, the states are characterised as the
  strings starting from that state leading to the terminal states.  The first
  choice has consequences about how the initial equational system is set up. We have
  the $\lambda$-term on our `initial state', while Brzozowski has it on the
  terminal states. This means we also need to reverse the direction of Arden's
  Lemma.

  We briefly considered using the method Brzozowski presented in the Appendix
  of~\cite{Brzozowski64} in order to prove the second direction of the
  Myhill-Nerode theorem. There he calculates the derivatives for regular
  expressions and shows that for every language there can be only 
  finitely many of them %derivations
  (if regarded equal modulo ACI). We could
  have used as tagging-function the set of derivatives of a regular expression
  with respect to a language.  Using the fact that two strings are
  Myhill-Nerode related whenever their derivative is the same, together with
  the fact that there are only finitely such derivatives
  would give us a similar argument as ours. However it seems not so easy to
  calculate the set of derivatives modulo ACI. Therefore we preferred our
  direct method of using tagging-functions. This
  is also where our method shines, because we can completely side-step the
  standard argument \cite{Kozen97} where automata need to be composed, which
  as stated in the Introduction is not so easy to formalise in a 
  HOL-based theorem prover. However, it is also the direction where we had to 
  spend most of the `conceptual' time, as our proof-argument based on tagging-functions
  is new for establishing the Myhill-Nerode theorem. All standard proofs 
  of this direction use %proceed by 
  arguments over automata.\\[-6mm]%\medskip
  %
  %\noindent
  %{\bf Acknowledgements:} We are grateful for the comments we received from Larry
  %Paulson and the referees of the paper.

*}


(*<*)
end
(*>*)