You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
ZF<strong>Steven</strong> <strong>Obua</strong>December 5, <strong>2013</strong>theory HOLZFimports Mainbegintypedecl ZFaxiomatizationEmpty :: ZF andElem :: ZF ⇒ ZF ⇒ bool andSum :: ZF ⇒ ZF andPower :: ZF ⇒ ZF andRepl :: ZF ⇒ (ZF ⇒ ZF ) ⇒ ZF andInf :: ZFdefinition Upair :: ZF ⇒ ZF ⇒ ZF whereUpair a b == Repl (Power (Power Empty)) (% x. if x = Empty then a else b)definition Singleton:: ZF ⇒ ZF whereSingleton x == Upair x xdefinition union :: ZF ⇒ ZF ⇒ ZF whereunion A B == Sum (Upair A B)definition SucNat:: ZF ⇒ ZF whereSucNat x == union x (Singleton x)definition subset :: ZF ⇒ ZF ⇒ bool wheresubset A B == ! x. Elem x A −→ Elem x Baxiomatization whereEmpty: Not (Elem x Empty) andExt: (x = y) = (! z. Elem z x = Elem z y) andSum: Elem z (Sum x) = (? y. Elem z y & Elem y x) andPower: Elem y (Power x) = (subset y x) andRepl: Elem b (Repl A f ) = (? a. Elem a A & b = f a) andRegularity: A ≠ Empty −→ (? x. Elem x A & (! y. Elem y x −→ Not (Elem y1
A))) andInfinity: Elem Empty Inf & (! x. Elem x Inf −→ Elem (SucNat x) Inf )definition Sep :: ZF ⇒ (ZF ⇒ bool) ⇒ ZF whereSep A p == (if (!x. Elem x A −→ Not (p x)) then Empty else(let z = (ɛ x. Elem x A & p x) inlet f = % x. (if p x then x else z) in Repl A f ))thm Power[unfolded subset-def ]theorem Sep: Elem b (Sep A p) = (Elem b A & p b)〈proof 〉lemma subset-empty: subset Empty A〈proof 〉theorem Upair: Elem x (Upair a b) = (x = a | x = b)〈proof 〉lemma Singleton: Elem x (Singleton y) = (x = y)〈proof 〉definition Opair :: ZF ⇒ ZF ⇒ ZF whereOpair a b == Upair (Upair a a) (Upair a b)lemma Upair-singleton: (Upair a a = Upair c d) = (a = c & a = d)〈proof 〉lemma Upair-fsteq: (Upair a b = Upair a c) = ((a = b & a = c) | (b = c))〈proof 〉lemma Upair-comm: Upair a b = Upair b a〈proof 〉theorem Opair: (Opair a b = Opair c d) = (a = c & b = d)〈proof 〉definition Replacement :: ZF ⇒ (ZF ⇒ ZF option) ⇒ ZF whereReplacement A f == Repl (Sep A (% a. f a ≠ None)) (the o f )theorem Replacement: Elem y (Replacement A f ) = (? x. Elem x A & f x = Somey)〈proof 〉definition Fst :: ZF ⇒ ZF whereFst q == SOME x. ? y. q = Opair x ydefinition Snd :: ZF ⇒ ZF whereSnd q == SOME y. ? x. q = Opair x y2
theorem Fst: Fst (Opair x y) = x〈proof 〉theorem Snd: Snd (Opair x y) = y〈proof 〉definition isOpair :: ZF ⇒ bool whereisOpair q == ? x y. q = Opair x ylemma isOpair: isOpair (Opair x y) = True〈proof 〉lemma FstSnd: isOpair x =⇒ Opair (Fst x) (Snd x) = x〈proof 〉definition CartProd :: ZF ⇒ ZF ⇒ ZF whereCartProd A B == Sum(Repl A (% a. Repl B (% b. Opair a b)))lemma CartProd: Elem x (CartProd A B) = (? a b. Elem a A & Elem b B & x= (Opair a b))〈proof 〉definition explode :: ZF ⇒ ZF set whereexplode z == { x. Elem x z }lemma explode-Empty: (explode x = {}) = (x = Empty)〈proof 〉lemma explode-Elem: (x ∈ explode X ) = (Elem x X )〈proof 〉lemma Elem-explode-in: [ Elem a A; explode A ⊆ B ] =⇒ a ∈ B〈proof 〉lemma explode-CartProd-eq: explode (CartProd a b) = (% (x,y). Opair x y) ‘((explode a) × (explode b))〈proof 〉lemma explode-Repl-eq: explode (Repl A f ) = image f (explode A)〈proof 〉definition Domain :: ZF ⇒ ZF whereDomain f == Replacement f (% p. if isOpair p then Some (Fst p) else None)definition Range :: ZF ⇒ ZF whereRange f == Replacement f (% p. if isOpair p then Some (Snd p) else None)theorem Domain: Elem x (Domain f ) = (? y. Elem (Opair x y) f )3
〈proof 〉theorem Range: Elem y (Range f ) = (? x. Elem (Opair x y) f )〈proof 〉theorem union: Elem x (union A B) = (Elem x A | Elem x B)〈proof 〉definition Field :: ZF ⇒ ZF whereField A == union (Domain A) (Range A)definition app :: ZF ⇒ ZF => ZF (infixl ´ 90 ) — function application wheref ´ x == (THE y. Elem (Opair x y) f )definition isFun :: ZF ⇒ bool whereisFun f == (! x y1 y2 . Elem (Opair x y1 ) f & Elem (Opair x y2 ) f −→ y1 =y2 )definition Lambda :: ZF ⇒ (ZF ⇒ ZF ) ⇒ ZF whereLambda A f == Repl A (% x. Opair x (f x))lemma Lambda-app: Elem x A =⇒ (Lambda A f )´x = f x〈proof 〉lemma isFun-Lambda: isFun (Lambda A f )〈proof 〉lemma domain-Lambda: Domain (Lambda A f ) = A〈proof 〉lemma Lambda-ext: (Lambda s f = Lambda t g) = (s = t & (! x. Elem x s −→ fx = g x))〈proof 〉definition PFun :: ZF ⇒ ZF ⇒ ZF wherePFun A B == Sep (Power (CartProd A B)) isFundefinition Fun :: ZF ⇒ ZF ⇒ ZF whereFun A B == Sep (PFun A B) (λ f . Domain f = A)lemma Fun-Range: Elem f (Fun U V ) =⇒ subset (Range f ) V〈proof 〉lemma Elem-Elem-PFun: Elem F (PFun U V ) =⇒ Elem p F =⇒ isOpair p &Elem (Fst p) U & Elem (Snd p) V〈proof 〉lemma Fun-implies-PFun[simp]: Elem f (Fun U V ) =⇒ Elem f (PFun U V )〈proof 〉4
lemma Elem-Elem-Fun: Elem F (Fun U V ) =⇒ Elem p F =⇒ isOpair p & Elem(Fst p) U & Elem (Snd p) V〈proof 〉lemma PFun-inj : Elem F (PFun U V ) =⇒ Elem x F =⇒ Elem y F =⇒ Fst x =Fst y =⇒ Snd x = Snd y〈proof 〉lemma Fun-total: [Elem F (Fun U V ); Elem a U ] =⇒ ∃ x. Elem (Opair a x) F〈proof 〉lemma unique-fun-value: [isFun f ; Elem x (Domain f )] =⇒ ?! y. Elem (Opair xy) f〈proof 〉lemma fun-value-in-range: [isFun f ; Elem x (Domain f )] =⇒ Elem (f ´x) (Rangef )〈proof 〉lemma fun-range-witness: [isFun f ; Elem y (Range f )] =⇒ ? x. Elem x (Domainf ) & f ´x = y〈proof 〉lemma Elem-Fun-Lambda: Elem F (Fun U V ) =⇒ ? f . F = Lambda U f〈proof 〉lemma Elem-Lambda-Fun: Elem (Lambda A f ) (Fun U V ) = (A = U & (! x.Elem x A −→ Elem (f x) V ))〈proof 〉definition is-Elem-of :: (ZF ∗ ZF ) set whereis-Elem-of == { (a,b) | a b. Elem a b }lemma cond-wf-Elem:assumes hyps:∀ x. (∀ y. Elem y x −→ Elem y U −→ P y) −→ Elem x U −→ Px Elem a Ushows P a〈proof 〉term Pterm Sep〈proof 〉lemma cond2-wf-Elem:assumesspecial-P: ? U . ! x. Not(Elem x U ) −→ (P x)and P-induct: ∀ x. (∀ y. Elem y x −→ P y) −→ P x5
showsP a〈proof 〉primrec nat2Nat :: nat ⇒ ZF wherenat2Nat-0 [intro]: nat2Nat 0 = Empty| nat2Nat-Suc[intro]: nat2Nat (Suc n) = SucNat (nat2Nat n)definition Nat2nat :: ZF ⇒ nat whereNat2nat == inv nat2Natlemma Elem-nat2Nat-inf [intro]: Elem (nat2Nat n) Inf〈proof 〉definition Nat :: ZFwhere Nat == Sep Inf (λ N . ? n. nat2Nat n = N )lemma Elem-nat2Nat-Nat[intro]: Elem (nat2Nat n) Nat〈proof 〉lemma Elem-Empty-Nat: Elem Empty Nat〈proof 〉lemma Elem-SucNat-Nat: Elem N Nat =⇒ Elem (SucNat N ) Nat〈proof 〉lemma no-infinite-Elem-down-chain:Not (? f . isFun f & Domain f = Nat & (! N . Elem N Nat −→ Elem (f ´(SucNatN )) (f ´N )))〈proof 〉lemma Upair-nonEmpty: Upair a b ≠ Empty〈proof 〉lemma Singleton-nonEmpty: Singleton x ≠ Empty〈proof 〉lemma notsym-Elem: Not(Elem a b & Elem b a)〈proof 〉lemma irreflexiv-Elem: Not(Elem a a)〈proof 〉lemma antisym-Elem: Elem a b =⇒ Not (Elem b a)〈proof 〉primrec NatInterval :: nat ⇒ nat ⇒ ZF whereNatInterval n 0 = Singleton (nat2Nat n)| NatInterval n (Suc m) = union (NatInterval n m) (Singleton (nat2Nat (n+m+1 )))6
lemma n-Elem-NatInterval[rule-format]: ! q. q
| Ext-ZF-n R s (Suc n) = Sum (Repl (Ext-ZF-n R s n) (Ext-ZF R))definition Ext-ZF-hull :: (ZF ∗ ZF ) set ⇒ ZF ⇒ ZF whereExt-ZF-hull R s == SeqSum (Ext-ZF-n R s)lemma Elem-Ext-ZF-hull:assumes set-like-R: set-like Rshows Elem x (Ext-ZF-hull R S) = (? n. Elem x (Ext-ZF-n R S n))〈proof 〉lemma Elem-Elem-Ext-ZF-hull:assumes set-like-R: set-like Rand x-hull: Elem x (Ext-ZF-hull R S)and y-R-x: (y, x) ∈ Rshows Elem y (Ext-ZF-hull R S)〈proof 〉lemma wfzf-minimal:assumes hyps: wfzf R C ≠ {}shows ∃ x. x ∈ C ∧ (∀ y. (y, x) ∈ R −→ y /∈ C )〈proof 〉lemma wfzf-implies-wf : wfzf R =⇒ wf R〈proof 〉lemma wf-is-Elem-of : wf is-Elem-of〈proof 〉lemma in-Ext-RTrans-implies-Elem-Ext-ZF-hull:set-like R =⇒ x ∈ (Ext (Rˆ+) s) =⇒ Elem x (Ext-ZF-hull R s)〈proof 〉lemma implodeable-Ext-trancl: set-like R =⇒ set-like (Rˆ+)〈proof 〉lemma Elem-Ext-ZF-hull-implies-in-Ext-RTrans[rule-format]:set-like R =⇒ ! x. Elem x (Ext-ZF-n R s n) −→ x ∈ (Ext (Rˆ+) s)〈proof 〉lemma set-like R =⇒ Ext-ZF (Rˆ+) s = Ext-ZF-hull R s〈proof 〉lemma wf-implies-regular: wf R =⇒ regular R〈proof 〉lemma wf-eq-wfzf : (wf R ∧ set-like R) = wfzf R〈proof 〉lemma wfzf-trancl: wfzf R =⇒ wfzf (Rˆ+)9
〈proof 〉lemma Ext-subset-mono: R ⊆ S =⇒ Ext R y ⊆ Ext S y〈proof 〉lemma set-like-subset: set-like R =⇒ S ⊆ R =⇒ set-like S〈proof 〉lemma wfzf-subset: wfzf S =⇒ R ⊆ S =⇒ wfzf R〈proof 〉endtheory Zetimports HOLZFbegindefinition zet = {A :: ′ a set | A f z. inj-on f A ∧ f ‘ A ⊆ explode z}typedef ′ a zet = zet :: ′ a set set〈proof 〉definition zin :: ′ a ⇒ ′ a zet ⇒ bool wherezin x A == x ∈ (Rep-zet A)lemma zet-ext-eq: (A = B) = (! x. zin x A = zin x B)〈proof 〉definition zimage :: ( ′ a ⇒ ′ b) ⇒ ′ a zet ⇒ ′ b zet wherezimage f A == Abs-zet (image f (Rep-zet A))lemma zet-def ′ : zet = {A :: ′ a set | A f z. inj-on f A ∧ f ‘ A = explode z}〈proof 〉lemma image-zet-rep: A ∈ zet =⇒ ? z . g ‘ A = explode z〈proof 〉lemma zet-image-mem:assumes Azet: A ∈ zetshows g ‘ A ∈ zet〈proof 〉lemma Rep-zimage-eq: Rep-zet (zimage f A) = image f (Rep-zet A)〈proof 〉lemma zimage-iff : zin y (zimage f A) = (? x. zin x A & y = f x)10
〈proof 〉definition zimplode :: ZF zet ⇒ ZF wherezimplode A == implode (Rep-zet A)definition zexplode :: ZF ⇒ ZF zet wherezexplode z == Abs-zet (explode z)lemma Rep-zet-eq-explode: ? z. Rep-zet A = explode z〈proof 〉lemma zexplode-zimplode: zexplode (zimplode A) = A〈proof 〉lemma explode-mem-zet: explode z ∈ zet〈proof 〉lemma zimplode-zexplode: zimplode (zexplode z) = z〈proof 〉lemma zin-zexplode-eq: zin x (zexplode A) = Elem x A〈proof 〉lemma comp-zimage-eq: zimage g (zimage f A) = zimage (g o f ) A〈proof 〉definition zunion :: ′ a zet ⇒ ′ a zet ⇒ ′ a zet wherezunion a b ≡ Abs-zet ((Rep-zet a) ∪ (Rep-zet b))definition zsubset :: ′ a zet ⇒ ′ a zet ⇒ bool wherezsubset a b ≡ ! x. zin x a −→ zin x blemma explode-union: explode (union a b) = (explode a) ∪ (explode b)〈proof 〉lemma Rep-zet-zunion: Rep-zet (zunion a b) = (Rep-zet a) ∪ (Rep-zet b)〈proof 〉lemma zunion: zin x (zunion a b) = ((zin x a) ∨ (zin x b))〈proof 〉lemma zimage-zexplode-eq: zimage f (zexplode z) = zexplode (Repl z f )〈proof 〉lemma range-explode-eq-zet: range explode = zet〈proof 〉lemma Elem-zimplode: (Elem x (zimplode z)) = (zin x z)〈proof 〉11
definition zempty :: ′ a zet wherezempty ≡ Abs-zet {}lemma zempty[simp]: ¬ (zin x zempty)〈proof 〉lemma zimage-zempty[simp]: zimage f zempty = zempty〈proof 〉lemma zunion-zempty-left[simp]: zunion zempty a = a〈proof 〉lemma zunion-zempty-right[simp]: zunion a zempty = a〈proof 〉lemma zimage-id[simp]: zimage id A = A〈proof 〉lemma zimage-cong[fundef-cong]: [ M = N ; !! x. zin x N =⇒ f x = g x ] =⇒zimage f M = zimage g N〈proof 〉end1 (Finite) multisetstheory Multisetimports Mainbegin1.1 The type of multisetsdefinition multiset = {f :: ′ a => nat. finite {x. f x > 0 }}typedef ′ a multiset = multiset :: ( ′ a => nat) setmorphisms count Abs-multiset〈proof 〉setup-lifting type-definition-multisetabbreviation Melem :: ′ a => ′ a multiset => bool ((-/ :# -) [50 , 51 ] 50 ) wherea :# M == 0 < count M anotation (xsymbols)Melem (infix ∈# 50 )lemma multiset-eq-iff :<strong>12</strong>
M = N ←→ (∀ a. count M a = count N a)〈proof 〉lemma multiset-eqI :( ∧ x. count A x = count B x) =⇒ A = B〈proof 〉Preservation of the representing set multiset.lemma const0-in-multiset:(λa. 0 ) ∈ multiset〈proof 〉lemma only1-in-multiset:(λb. if b = a then n else 0 ) ∈ multiset〈proof 〉lemma union-preserves-multiset:M ∈ multiset =⇒ N ∈ multiset =⇒ (λa. M a + N a) ∈ multiset〈proof 〉lemma diff-preserves-multiset:assumes M ∈ multisetshows (λa. M a − N a) ∈ multiset〈proof 〉lemma filter-preserves-multiset:assumes M ∈ multisetshows (λx. if P x then M x else 0 ) ∈ multiset〈proof 〉lemmas in-multiset = const0-in-multiset only1-in-multisetunion-preserves-multiset diff-preserves-multiset filter-preserves-multiset1.2 Representing multisetsMultiset enumerationinstantiation multiset :: (type) cancel-comm-monoid-addbeginlift-definition zero-multiset :: ′ a multiset is λa. 0〈proof 〉abbreviation Mempty :: ′ a multiset ({#}) whereMempty ≡ 0lift-definition plus-multiset :: ′ a multiset => ′ a multiset => ′ a multiset is λMN . (λa. M a + N a)〈proof 〉13
instance〈proof 〉endlift-definition single :: ′ a => ′ a multiset is λa b. if b = a then 1 else 0〈proof 〉syntax-multiset :: args => ′ a multiset ({#(-)#})translations{#x, xs#} == {#x#} + {#xs#}{#x#} == CONST single xlemma count-empty [simp]: count {#} a = 0〈proof 〉lemma count-single [simp]: count {#b#} a = (if b = a then 1 else 0 )〈proof 〉1.3 Basic operations1.3.1 Unionlemma count-union [simp]: count (M + N ) a = count M a + count N a〈proof 〉1.3.2 Differenceinstantiation multiset :: (type) comm-monoid-diffbeginlift-definition minus-multiset :: ′ a multiset => ′ a multiset => ′ a multiset is λM N . λa. M a − N a〈proof 〉instance〈proof 〉endlemma count-diff [simp]: count (M − N ) a = count M a − count N a〈proof 〉lemma diff-empty [simp]: M − {#} = M ∧ {#} − M = {#}〈proof 〉lemma diff-cancel[simp]: A − A = {#}〈proof 〉14
lemma diff-union-cancelR [simp]: M + N − N = (M :: ′ a multiset)〈proof 〉lemma diff-union-cancelL [simp]: N + M − N = (M :: ′ a multiset)〈proof 〉lemma diff-right-commute:(M :: ′ a multiset) − N − Q = M − Q − N〈proof 〉lemma diff-add:(M :: ′ a multiset) − (N + Q) = M − N − Q〈proof 〉lemma insert-DiffM :x ∈# M =⇒ {#x#} + (M − {#x#}) = M〈proof 〉lemma insert-DiffM2 [simp]:x ∈# M =⇒ M − {#x#} + {#x#} = M〈proof 〉lemma diff-union-swap:a ≠ b =⇒ M − {#a#} + {#b#} = M + {#b#} − {#a#}〈proof 〉lemma diff-union-single-conv:a ∈# J =⇒ I + J − {#a#} = I + (J − {#a#})〈proof 〉1.3.3 Equality of multisetslemma single-not-empty [simp]: {#a#} ≠ {#} ∧ {#} ≠ {#a#}〈proof 〉lemma single-eq-single [simp]: {#a#} = {#b#} ←→ a = b〈proof 〉lemma union-eq-empty [iff ]: M + N = {#} ←→ M = {#} ∧ N = {#}〈proof 〉lemma empty-eq-union [iff ]: {#} = M + N ←→ M = {#} ∧ N = {#}〈proof 〉lemma multi-self-add-other-not-self [simp]: M = M + {#x#} ←→ False〈proof 〉lemma diff-single-trivial:15
¬ x ∈# M =⇒ M − {#x#} = M〈proof 〉lemma diff-single-eq-union:x ∈# M =⇒ M − {#x#} = N ←→ M = N + {#x#}〈proof 〉lemma union-single-eq-diff :M + {#x#} = N =⇒ M = N − {#x#}〈proof 〉lemma union-single-eq-member:M + {#x#} = N =⇒ x ∈# N〈proof 〉lemma union-is-single:M + N = {#a#} ←→ M = {#a#} ∧ N ={#} ∨ M = {#} ∧ N = {#a#} (is?lhs = ?rhs)〈proof 〉lemma single-is-union:{#a#} = M + N ←→ {#a#} = M ∧ N = {#} ∨ M = {#} ∧ {#a#} = N〈proof 〉lemma add-eq-conv-diff :M + {#a#} = N + {#b#} ←→ M = N ∧ a = b ∨ M = N − {#a#} +{#b#} ∧ N = M − {#b#} + {#a#} (is ?lhs = ?rhs)〈proof 〉lemma insert-noteq-member:assumes BC : B + {#b#} = C + {#c#}and bnotc: b ≠ cshows c ∈# B〈proof 〉lemma add-eq-conv-ex:(M + {#a#} = N + {#b#}) =(M = N ∧ a = b ∨ (∃ K . M = K + {#b#} ∧ N = K + {#a#}))〈proof 〉lemma multi-member-split:x ∈# M =⇒ ∃ A. M = A + {#x#}〈proof 〉1.3.4 Pointwise ordering induced by countinstantiation multiset :: (type) ordered-ab-semigroup-add-imp-lebegin16
lift-definition less-eq-multiset :: ′ a multiset ⇒ ′ a multiset ⇒ bool is λ A B. (∀ a.A a ≤ B a)〈proof 〉lemmas mset-le-def = less-eq-multiset-defdefinition less-multiset :: ′ a multiset ⇒ ′ a multiset ⇒ bool wheremset-less-def : (A:: ′ a multiset) < B ←→ A ≤ B ∧ A ≠ Binstance〈proof 〉endlemma mset-less-eqI :( ∧ x. count A x ≤ count B x) =⇒ A ≤ B〈proof 〉lemma mset-le-exists-conv:(A:: ′ a multiset) ≤ B ←→ (∃ C . B = A + C )〈proof 〉instance multiset :: (type) ordered-cancel-comm-monoid-diff〈proof 〉lemma mset-le-mono-add-right-cancel [simp]:(A:: ′ a multiset) + C ≤ B + C ←→ A ≤ B〈proof 〉lemma mset-le-mono-add-left-cancel [simp]:C + (A:: ′ a multiset) ≤ C + B ←→ A ≤ B〈proof 〉lemma mset-le-mono-add:(A:: ′ a multiset) ≤ B =⇒ C ≤ D =⇒ A + C ≤ B + D〈proof 〉lemma mset-le-add-left [simp]:(A:: ′ a multiset) ≤ A + B〈proof 〉lemma mset-le-add-right [simp]:B ≤ (A:: ′ a multiset) + B〈proof 〉lemma mset-le-single:a :# B =⇒ {#a#} ≤ B〈proof 〉17
lemma multiset-diff-union-assoc:C ≤ B =⇒ (A:: ′ a multiset) + B − C = A + (B − C )〈proof 〉lemma mset-le-multiset-union-diff-commute:B ≤ A =⇒ (A:: ′ a multiset) − B + C = A + C − B〈proof 〉lemma diff-le-self [simp]: (M :: ′ a multiset) − N ≤ M〈proof 〉lemma mset-lessD: A < B =⇒ x ∈# A =⇒ x ∈# B〈proof 〉lemma mset-leD: A ≤ B =⇒ x ∈# A =⇒ x ∈# B〈proof 〉lemma mset-less-insertD: (A + {#x#} < B) =⇒ (x ∈# B ∧ A < B)〈proof 〉lemma mset-le-insertD: (A + {#x#} ≤ B) =⇒ (x ∈# B ∧ A ≤ B)〈proof 〉lemma mset-less-of-empty[simp]: A < {#} ←→ False〈proof 〉lemma multi-psub-of-add-self [simp]: A < A + {#x#}〈proof 〉lemma multi-psub-self [simp]: (A:: ′ a multiset) < A = False〈proof 〉lemma mset-less-add-bothsides:T + {#x#} < S + {#x#} =⇒ T < S〈proof 〉lemma mset-less-empty-nonempty:{#} < S ←→ S ≠ {#}〈proof 〉lemma mset-less-diff-self :c ∈# B =⇒ B − {#c#} < B〈proof 〉1.3.5 Intersectioninstantiation multiset :: (type) semilattice-infbegin18
definition inf-multiset :: ′ a multiset ⇒ ′ a multiset ⇒ ′ a multiset wheremultiset-inter-def : inf-multiset A B = A − (A − B)instance〈proof 〉endabbreviation multiset-inter :: ′ a multiset ⇒ ′ a multiset ⇒ ′ a multiset (infixl #∩70 ) wheremultiset-inter ≡ inflemma multiset-inter-count [simp]:count (A #∩ B) x = min (count A x) (count B x)〈proof 〉lemma multiset-inter-single: a ≠ b =⇒ {#a#} #∩ {#b#} = {#}〈proof 〉lemma multiset-union-diff-commute:assumes B #∩ C = {#}shows A + B − C = A − C + B〈proof 〉lemma empty-inter [simp]:{#} #∩ M = {#}〈proof 〉lemma inter-empty [simp]:M #∩ {#} = {#}〈proof 〉lemma inter-add-left1 :¬ x ∈# N =⇒ (M + {#x#}) #∩ N = M #∩ N〈proof 〉lemma inter-add-left2 :x ∈# N =⇒ (M + {#x#}) #∩ N = (M #∩ (N − {#x#})) + {#x#}〈proof 〉lemma inter-add-right1 :¬ x ∈# N =⇒ N #∩ (M + {#x#}) = N #∩ M〈proof 〉lemma inter-add-right2 :x ∈# N =⇒ N #∩ (M + {#x#}) = ((N − {#x#}) #∩ M ) + {#x#}〈proof 〉19
1.3.6 Bounded unioninstantiation multiset :: (type) semilattice-supbegindefinition sup-multiset :: ′ a multiset ⇒ ′ a multiset ⇒ ′ a multiset wheresup-multiset A B = A + (B − A)instance〈proof 〉endabbreviation sup-multiset :: ′ a multiset ⇒ ′ a multiset ⇒ ′ a multiset (infixl #∪70 ) wheresup-multiset ≡ suplemma sup-multiset-count [simp]:count (A #∪ B) x = max (count A x) (count B x)〈proof 〉lemma empty-sup [simp]:{#} #∪ M = M〈proof 〉lemma sup-empty [simp]:M #∪ {#} = M〈proof 〉lemma sup-add-left1 :¬ x ∈# N =⇒ (M + {#x#}) #∪ N = (M #∪ N ) + {#x#}〈proof 〉lemma sup-add-left2 :x ∈# N =⇒ (M + {#x#}) #∪ N = (M #∪ (N − {#x#})) + {#x#}〈proof 〉lemma sup-add-right1 :¬ x ∈# N =⇒ N #∪ (M + {#x#}) = (N #∪ M ) + {#x#}〈proof 〉lemma sup-add-right2 :x ∈# N =⇒ N #∪ (M + {#x#}) = ((N − {#x#}) #∪ M ) + {#x#}〈proof 〉1.3.7 Filter (with comprehension syntax)Multiset comprehensionlift-definition filter :: ( ′ a ⇒ bool) ⇒ ′ a multiset ⇒ ′ a multiset is λP M . λx. if20
P x then M x else 0〈proof 〉hide-const (open) filterlemma count-filter [simp]:count (Multiset.filter P M ) a = (if P a then count M a else 0 )〈proof 〉lemma filter-empty [simp]:Multiset.filter P {#} = {#}〈proof 〉lemma filter-single [simp]:Multiset.filter P {#x#} = (if P x then {#x#} else {#})〈proof 〉lemma filter-union [simp]:Multiset.filter P (M + N ) = Multiset.filter P M + Multiset.filter P N〈proof 〉lemma filter-diff [simp]:Multiset.filter P (M − N ) = Multiset.filter P M − Multiset.filter P N〈proof 〉lemma filter-inter [simp]:Multiset.filter P (M #∩ N ) = Multiset.filter P M #∩ Multiset.filter P N〈proof 〉syntax-MCollect :: pttrn ⇒ ′ a multiset ⇒ bool ⇒ ′ a multiset ((1 {# - :# -./ -#}))syntax (xsymbol)-MCollect :: pttrn ⇒ ′ a multiset ⇒ bool ⇒ ′ a multiset ((1 {# - ∈# -./ -#}))translations{#x ∈# M . P#} == CONST Multiset.filter (λx. P) M1.3.8 Set of elementsdefinition set-of :: ′ a multiset => ′ a set whereset-of M = {x. x :# M }lemma set-of-empty [simp]: set-of {#} = {}〈proof 〉lemma set-of-single [simp]: set-of {#b#} = {b}〈proof 〉lemma set-of-union [simp]: set-of (M + N ) = set-of M ∪ set-of N〈proof 〉21
lemma set-of-eq-empty-iff [simp]: (set-of M = {}) = (M = {#})〈proof 〉lemma mem-set-of-iff [simp]: (x ∈ set-of M ) = (x :# M )〈proof 〉lemma set-of-filter [simp]: set-of {# x:#M . P x #} = set-of M ∩ {x. P x}〈proof 〉lemma finite-set-of [iff ]: finite (set-of M )〈proof 〉lemma finite-Collect-mem [iff ]: finite {x. x :# M }〈proof 〉1.3.9 Sizeinstantiation multiset :: (type) sizebegindefinition size-def :size M = setsum (count M ) (set-of M )instance 〈proof 〉endlemma size-empty [simp]: size {#} = 0〈proof 〉lemma size-single [simp]: size {#b#} = 1〈proof 〉lemma setsum-count-Int:finite A ==> setsum (count N ) (A ∩ set-of N ) = setsum (count N ) A〈proof 〉lemma size-union [simp]: size (M + N :: ′ a multiset) = size M + size N〈proof 〉lemma size-eq-0-iff-empty [iff ]: (size M = 0 ) = (M = {#})〈proof 〉lemma nonempty-has-size: (S ≠ {#}) = (0 < size S)〈proof 〉lemma size-eq-Suc-imp-elem: size M = Suc n ==> ∃ a. a :# M〈proof 〉22
lemma size-eq-Suc-imp-eq-union:assumes size M = Suc nshows ∃ a N . M = N + {#a#}〈proof 〉1.4 Induction and case splitstheorem multiset-induct [case-names empty add, induct type: multiset]:assumes empty: P {#}assumes add: ∧ M x. P M =⇒ P (M + {#x#})shows P M〈proof 〉lemma multi-nonempty-split: M ≠ {#} =⇒ ∃ A a. M = A + {#a#}〈proof 〉lemma multiset-cases [cases type, case-names empty add]:assumes em: M = {#} =⇒ Passumes add: ∧ N x. M = N + {#x#} =⇒ Pshows P〈proof 〉lemma multi-drop-mem-not-eq: c ∈# B =⇒ B − {#c#} ≠ B〈proof 〉lemma multiset-partition: M = {# x:#M . P x #} + {# x:#M . ¬ P x #}〈proof 〉lemma mset-less-size: (A:: ′ a multiset) < B =⇒ size A < size B〈proof 〉1.4.1 Strong induction and subset induction for multisetsWell-foundedness of proper subset operator:proper multiset subsetdefinitionmset-less-rel :: ( ′ a multiset ∗ ′ a multiset) set wheremset-less-rel = {(A,B). A < B}lemma multiset-add-sub-el-shuffle:assumes c ∈# B and b ≠ cshows B − {#c#} + {#b#} = B + {#b#} − {#c#}〈proof 〉lemma wf-mset-less-rel: wf mset-less-rel〈proof 〉The induction rules:23
lemma full-multiset-induct [case-names less]:assumes ih: ∧ B. ∀ (A:: ′ a multiset). A < B −→ P A =⇒ P Bshows P B〈proof 〉lemma multi-subset-induct [consumes 2 , case-names empty add]:assumes F ≤ Aand empty: P {#}and insert: ∧ a F . a ∈# A =⇒ P F =⇒ P (F + {#a#})shows P F〈proof 〉1.5 The fold combinatordefinition fold :: ( ′ a ⇒ ′ b ⇒ ′ b) ⇒ ′ b ⇒ ′ a multiset ⇒ ′ bwherefold f s M = Finite-Set.fold (λx. f x ˆˆ count M x) s (set-of M )lemma fold-mset-empty [simp]:fold f s {#} = s〈proof 〉context comp-fun-commutebeginlemma fold-mset-insert:fold f s (M + {#x#}) = f x (fold f s M )〈proof 〉corollary fold-mset-single [simp]:fold f s {#x#} = f x s〈proof 〉lemma fold-mset-fun-left-comm:f x (fold f s M ) = fold f (f x s) M〈proof 〉lemma fold-mset-union [simp]:fold f s (M + N ) = fold f (fold f s M ) N〈proof 〉lemma fold-mset-fusion:assumes comp-fun-commute gshows ( ∧ x y. h (g x y) = f x (h y)) =⇒ h (fold g w A) = fold f (h w) A (isPROP ?P)〈proof 〉endA note on code generation: When defining some function containing a sub-24
term Multiset.fold F, code generation is not automatic. When interpretinglocale left-commutative with F, the would be code thms for Multiset.foldbecome thms like Multiset.fold F z {#} = z where F is not a pattern butcontains defined symbols, i.e. is not a code thm. Hence a separate constantwith its own code thms needs to be introduced for F. See the image operatorbelow.1.6 Imagedefinition image-mset :: ( ′ a ⇒ ′ b) ⇒ ′ a multiset ⇒ ′ b multiset whereimage-mset f = fold (plus o single o f ) {#}lemma comp-fun-commute-mset-image:comp-fun-commute (plus o single o f )〈proof 〉lemma image-mset-empty [simp]: image-mset f {#} = {#}〈proof 〉lemma image-mset-single [simp]: image-mset f {#x#} = {#f x#}〈proof 〉lemma image-mset-union [simp]:image-mset f (M + N ) = image-mset f M + image-mset f N〈proof 〉corollary image-mset-insert:image-mset f (M + {#a#}) = image-mset f M + {#f a#}〈proof 〉lemma set-of-image-mset [simp]:set-of (image-mset f M ) = image f (set-of M )〈proof 〉lemma size-image-mset [simp]:size (image-mset f M ) = size M〈proof 〉lemma image-mset-is-empty-iff [simp]:image-mset f M = {#} ←→ M = {#}〈proof 〉syntax-comprehension1-mset :: ′ a ⇒ ′ b ⇒ ′ b multiset ⇒ ′ a multiset(({#-/. - :# -#}))translations{#e. x:#M #} == CONST image-mset (%x. e) M25
syntax-comprehension2-mset :: ′ a ⇒ ′ b ⇒ ′ b multiset ⇒ bool ⇒ ′ a multiset(({#-/ | - :# -./ -#}))translations{#e | x:#M . P#} => {#e. x :# {# x:#M . P#}#}This allows to write not just filters like {# x :# M . x < c#} but also imageslike {#x + x. x :# M #} and {#x+x|x:#M . x
〈proof 〉lemma multiset-of-rev [simp]:multiset-of (rev xs) = multiset-of xs〈proof 〉lemma surj-multiset-of : surj multiset-of〈proof 〉lemma set-count-greater-0 : set x = {a. count (multiset-of x) a > 0 }〈proof 〉lemma distinct-count-atmost-1 :distinct x = (! a. count (multiset-of x) a = (if a ∈ set x then 1 else 0 ))〈proof 〉lemma multiset-of-eq-setD:multiset-of xs = multiset-of ys =⇒ set xs = set ys〈proof 〉lemma set-eq-iff-multiset-of-eq-distinct:distinct x =⇒ distinct y =⇒(set x = set y) = (multiset-of x = multiset-of y)〈proof 〉lemma set-eq-iff-multiset-of-remdups-eq:(set x = set y) = (multiset-of (remdups x) = multiset-of (remdups y))〈proof 〉lemma multiset-of-compl-union [simp]:multiset-of [x←xs. P x] + multiset-of [x←xs. ¬P x] = multiset-of xs〈proof 〉lemma count-multiset-of-length-filter:count (multiset-of xs) x = length (filter (λy. x = y) xs)〈proof 〉lemma nth-mem-multiset-of : i < length ls =⇒ (ls ! i) :# multiset-of ls〈proof 〉lemma multiset-of-remove1 [simp]:multiset-of (remove1 a xs) = multiset-of xs − {#a#}〈proof 〉lemma multiset-of-eq-length:assumes multiset-of xs = multiset-of ysshows length xs = length ys〈proof 〉27
lemma multiset-of-eq-length-filter:assumes multiset-of xs = multiset-of ysshows length (filter (λx. z = x) xs) = length (filter (λy. z = y) ys)〈proof 〉lemma fold-multiset-equiv:assumes f : ∧ x y. x ∈ set xs =⇒ y ∈ set xs =⇒ f x ◦ f y = f y ◦ f xand equiv: multiset-of xs = multiset-of ysshows List.fold f xs = List.fold f ys〈proof 〉lemma multiset-of-insort [simp]:multiset-of (insort x xs) = multiset-of xs + {#x#}〈proof 〉lemma in-multiset-of :x ∈# multiset-of xs ←→ x ∈ set xs〈proof 〉lemma multiset-of-map:multiset-of (map f xs) = image-mset f (multiset-of xs)〈proof 〉definition multiset-of-set :: ′ a set ⇒ ′ a multisetwheremultiset-of-set = folding.F (λx M . {#x#} + M ) {#}interpretation multiset-of-set!: folding λx M . {#x#} + M {#}wherefolding.F (λx M . {#x#} + M ) {#} = multiset-of-set〈proof 〉lemma count-multiset-of-set [simp]:finite A =⇒ x ∈ A =⇒ count (multiset-of-set A) x = 1 (is PROP ?P)¬ finite A =⇒ count (multiset-of-set A) x = 0 (is PROP ?Q)x /∈ A =⇒ count (multiset-of-set A) x = 0 (is PROP ?R)〈proof 〉context linorderbegindefinition sorted-list-of-multiset :: ′ a multiset ⇒ ′ a listwheresorted-list-of-multiset M = fold insort [] Mlemma sorted-list-of-multiset-empty [simp]:sorted-list-of-multiset {#} = []〈proof 〉28
lemma sorted-list-of-multiset-singleton [simp]:sorted-list-of-multiset {#x#} = [x]〈proof 〉lemma sorted-list-of-multiset-insert [simp]:sorted-list-of-multiset (M + {#x#}) = List.insort x (sorted-list-of-multiset M )〈proof 〉endlemma multiset-of-sorted-list-of-multiset [simp]:multiset-of (sorted-list-of-multiset M ) = M〈proof 〉lemma sorted-list-of-multiset-multiset-of [simp]:sorted-list-of-multiset (multiset-of xs) = sort xs〈proof 〉lemma finite-set-of-multiset-of-set:assumes finite Ashows set-of (multiset-of-set A) = A〈proof 〉lemma infinite-set-of-multiset-of-set:assumes ¬ finite Ashows set-of (multiset-of-set A) = {}〈proof 〉lemma set-sorted-list-of-multiset [simp]:set (sorted-list-of-multiset M ) = set-of M〈proof 〉lemma sorted-list-of-multiset-of-set [simp]:sorted-list-of-multiset (multiset-of-set A) = sorted-list-of-set A〈proof 〉1.8 Big operatorsno-notation times (infixl ∗ 70 )no-notation Groups.one (1 )locale comm-monoid-mset = comm-monoidbegindefinition F :: ′ a multiset ⇒ ′ awhereeq-fold: F M = Multiset.fold f 1 Mlemma empty [simp]:29
F {#} = 1〈proof 〉lemma singleton [simp]:F {#x#} = x〈proof 〉lemma union [simp]:F (M + N ) = F M ∗ F N〈proof 〉endnotation times (infixl ∗ 70 )notation Groups.one (1 )definition (in comm-monoid-add) msetsum :: ′ a multiset ⇒ ′ awheremsetsum = comm-monoid-mset.F plus 0definition (in comm-monoid-mult) msetprod :: ′ a multiset ⇒ ′ awheremsetprod = comm-monoid-mset.F times 1sublocale comm-monoid-add < msetsum!: comm-monoid-mset plus 0wherecomm-monoid-mset.F plus 0 = msetsum〈proof 〉context comm-monoid-addbeginlemma setsum-unfold-msetsum:setsum f A = msetsum (image-mset f (multiset-of-set A))〈proof 〉abbreviation msetsum-image :: ( ′ b ⇒ ′ a) ⇒ ′ b multiset ⇒ ′ awheremsetsum-image f M ≡ msetsum (image-mset f M )endsyntax-msetsum-image :: pttrn ⇒ ′ b set ⇒ ′ a ⇒ ′ a::comm-monoid-add((3SUM -:#-. -) [0 , 51 , 10 ] 10 )syntax (xsymbols)-msetsum-image :: pttrn ⇒ ′ b set ⇒ ′ a ⇒ ′ a::comm-monoid-add((3 ∑ -:#-. -) [0 , 51 , 10 ] 10 )30
syntax (HTML output)-msetsum-image :: pttrn ⇒ ′ b set ⇒ ′ a ⇒ ′ a::comm-monoid-add((3 ∑ -∈#-. -) [0 , 51 , 10 ] 10 )translationsSUM i :# A. b == CONST msetsum-image (λi. b) Asublocale comm-monoid-mult < msetprod!: comm-monoid-mset times 1wherecomm-monoid-mset.F times 1 = msetprod〈proof 〉context comm-monoid-multbeginlemma msetprod-empty:msetprod {#} = 1〈proof 〉lemma msetprod-singleton:msetprod {#x#} = x〈proof 〉lemma msetprod-Un:msetprod (A + B) = msetprod A ∗ msetprod B〈proof 〉lemma setprod-unfold-msetprod:setprod f A = msetprod (image-mset f (multiset-of-set A))〈proof 〉lemma msetprod-multiplicity:msetprod M = setprod (λx. x ˆ count M x) (set-of M )〈proof 〉abbreviation msetprod-image :: ( ′ b ⇒ ′ a) ⇒ ′ b multiset ⇒ ′ awheremsetprod-image f M ≡ msetprod (image-mset f M )endsyntax-msetprod-image :: pttrn ⇒ ′ b set ⇒ ′ a ⇒ ′ a::comm-monoid-mult((3PROD -:#-. -) [0 , 51 , 10 ] 10 )syntax (xsymbols)-msetprod-image :: pttrn ⇒ ′ b set ⇒ ′ a ⇒ ′ a::comm-monoid-mult((3 ∏ -∈#-. -) [0 , 51 , 10 ] 10 )31
syntax (HTML output)-msetprod-image :: pttrn ⇒ ′ b set ⇒ ′ a ⇒ ′ a::comm-monoid-mult((3 ∏ -∈#-. -) [0 , 51 , 10 ] 10 )translationsPROD i :# A. b == CONST msetprod-image (λi. b) Alemma (in comm-semiring-1 ) dvd-msetprod:assumes x ∈# Ashows x dvd msetprod A〈proof 〉1.9 Cardinalitydefinition mcard :: ′ a multiset ⇒ natwheremcard = msetsum ◦ image-mset (λ-. 1 )lemma mcard-empty [simp]:mcard {#} = 0〈proof 〉lemma mcard-singleton [simp]:mcard {#a#} = Suc 0〈proof 〉lemma mcard-plus [simp]:mcard (M + N ) = mcard M + mcard N〈proof 〉lemma mcard-empty-iff [simp]:mcard M = 0 ←→ M = {#}〈proof 〉lemma mcard-unfold-setsum:mcard M = setsum (count M ) (set-of M )〈proof 〉lemma size-eq-mcard:size = mcard〈proof 〉lemma mcard-multiset-of :mcard (multiset-of xs) = length xs〈proof 〉32
1.10 Alternative representations1.10.1 Listscontext linorderbeginlemma multiset-of-insort [simp]:multiset-of (insort-key k x xs) = {#x#} + multiset-of xs〈proof 〉lemma multiset-of-sort [simp]:multiset-of (sort-key k xs) = multiset-of xs〈proof 〉This lemma shows which properties suffice to show that a function f with fxs = ys behaves like sort.lemma properties-for-sort-key:assumes multiset-of ys = multiset-of xsand ∧ k. k ∈ set ys =⇒ filter (λx. f k = f x) ys = filter (λx. f k = f x) xsand sorted (map f ys)shows sort-key f xs = ys〈proof 〉lemma properties-for-sort:assumes multiset: multiset-of ys = multiset-of xsand sorted ysshows sort xs = ys〈proof 〉lemma sort-key-by-quicksort:sort-key f xs = sort-key f [x←xs. f x < f (xs ! (length xs div 2 ))]@ [x←xs. f x = f (xs ! (length xs div 2 ))]@ sort-key f [x←xs. f x > f (xs ! (length xs div 2 ))] (is sort-key f ?lhs = ?rhs)〈proof 〉lemma sort-by-quicksort:sort xs = sort [x←xs. x < xs ! (length xs div 2 )]@ [x←xs. x = xs ! (length xs div 2 )]@ sort [x←xs. x > xs ! (length xs div 2 )] (is sort ?lhs = ?rhs)〈proof 〉A stable parametrized quicksortdefinition part :: ( ′ b ⇒ ′ a) ⇒ ′ a ⇒ ′ b list ⇒ ′ b list × ′ b list × ′ b list wherepart f pivot xs = ([x ← xs. f x < pivot], [x ← xs. f x = pivot], [x ← xs. pivot
if x ′ < pivot then (x # lts, eqs, gts)else if x ′ > pivot then (lts, eqs, x # gts)else (lts, x # eqs, gts))〈proof 〉lemma sort-key-by-quicksort-code [code]:sort-key f xs = (case xs of [] ⇒ []| [x] ⇒ xs| [x, y] ⇒ (if f x ≤ f y then xs else [y, x])| - ⇒ (let (lts, eqs, gts) = part f (f (xs ! (length xs div 2 ))) xsin sort-key f lts @ eqs @ sort-key f gts))〈proof 〉endhide-const (open) partlemma multiset-of-remdups-le: multiset-of (remdups xs) ≤ multiset-of xs〈proof 〉lemma multiset-of-update:i < length ls =⇒ multiset-of (ls[i := v]) = multiset-of ls − {#ls ! i#} + {#v#}〈proof 〉lemma multiset-of-swap:i < length ls =⇒ j < length ls =⇒multiset-of (ls[j := ls ! i, i := ls ! j ]) = multiset-of ls〈proof 〉1.11 The multiset order1.11.1 Well-foundednessdefinition mult1 :: ( ′ a × ′ a) set => ( ′ a multiset × ′ a multiset) set wheremult1 r = {(N , M ). ∃ a M0 K . M = M0 + {#a#} ∧ N = M0 + K ∧(∀ b. b :# K −−> (b, a) ∈ r)}definition mult :: ( ′ a × ′ a) set => ( ′ a multiset × ′ a multiset) set wheremult r = (mult1 r) +lemma not-less-empty [iff ]: (M , {#}) /∈ mult1 r〈proof 〉lemma less-add: (N , M0 + {#a#}) ∈ mult1 r ==>(∃ M . (M , M0 ) ∈ mult1 r ∧ N = M + {#a#}) ∨(∃ K . (∀ b. b :# K −−> (b, a) ∈ r) ∧ N = M0 + K )(is - =⇒ ?case1 (mult1 r) ∨ ?case2 )〈proof 〉lemma all-accessible: wf r ==> ∀ M . M ∈ acc (mult1 r)34
〈proof 〉theorem wf-mult1 : wf r ==> wf (mult1 r)〈proof 〉theorem wf-mult: wf r ==> wf (mult r)〈proof 〉1.11.2 Closure-free presentationOne direction.lemma mult-implies-one-step:trans r ==> (M , N ) ∈ mult r ==>∃ I J K . N = I + J ∧ M = I + K ∧ J ≠ {#} ∧(∀ k ∈ set-of K . ∃ j ∈ set-of J . (k, j ) ∈ r)〈proof 〉lemma one-step-implies-mult-aux:trans r ==>∀ I J K . (size J = n ∧ J ≠ {#} ∧ (∀ k ∈ set-of K . ∃ j ∈ set-of J . (k, j ) ∈ r))−−> (I + K , I + J ) ∈ mult r〈proof 〉lemma one-step-implies-mult:trans r ==> J ≠ {#} ==> ∀ k ∈ set-of K . ∃ j ∈ set-of J . (k, j ) ∈ r==> (I + K , I + J ) ∈ mult r〈proof 〉1.11.3 Partial-order propertiesdefinition less-multiset :: ′ a::order multiset ⇒ ′ a multiset ⇒ bool (infix
1.11.4 Monotonicity of multiset unionlemma mult1-union: (B, D) ∈ mult1 r ==> (C + B, C + D) ∈ mult1 r〈proof 〉lemma union-less-mono2 : B ⊂# D ==> C + B ⊂# C + (D:: ′ a::order multiset)〈proof 〉lemma union-less-mono1 : B ⊂# D ==> B + C ⊂# D + (C :: ′ a::order multiset)〈proof 〉lemma union-less-mono:A ⊂# C ==> B ⊂# D ==> A + B ⊂# C + (D:: ′ a::order multiset)〈proof 〉interpretation multiset-order: ordered-ab-semigroup-add plus le-multiset less-multiset〈proof 〉1.<strong>12</strong> Termination proofs with multiset orderslemma multi-member-skip: x ∈# XS =⇒ x ∈# {# y #} + XSand multi-member-this: x ∈# {# x #} + XSand multi-member-last: x ∈# {# x #}〈proof 〉definition ms-strict = mult pair-lessdefinition ms-weak = ms-strict ∪ Idlemma ms-reduction-pair: reduction-pair (ms-strict, ms-weak)〈proof 〉lemma smsI :(set-of A, set-of B) ∈ max-strict =⇒ (Z + A, Z + B) ∈ ms-strict〈proof 〉lemma wmsI :(set-of A, set-of B) ∈ max-strict ∨ A = {#} ∧ B = {#}=⇒ (Z + A, Z + B) ∈ ms-weak〈proof 〉inductive pw-leqwherepw-leq-empty: pw-leq {#} {#}| pw-leq-step: [(x,y) ∈ pair-leq; pw-leq X Y ] =⇒ pw-leq ({#x#} + X ) ({#y#}+ Y )lemma pw-leq-lstep:(x, y) ∈ pair-leq =⇒ pw-leq {#x#} {#y#}〈proof 〉36
lemma pw-leq-split:assumes pw-leq X Yshows ∃ A B Z . X = A + Z ∧ Y = B + Z ∧ ((set-of A, set-of B) ∈ max-strict∨ (B = {#} ∧ A = {#}))〈proof 〉lemmaassumes pwleq: pw-leq Z Z ′shows ms-strictI : (set-of A, set-of B) ∈ max-strict =⇒ (Z + A, Z ′ + B) ∈ms-strictand ms-weakI1 : (set-of A, set-of B) ∈ max-strict =⇒ (Z + A, Z ′ + B) ∈ms-weakand ms-weakI2 : (Z + {#}, Z ′ + {#}) ∈ ms-weak〈proof 〉lemma empty-neutral: {#} + x = x x + {#} = xand nonempty-plus: {# x #} + rs ≠ {#}and nonempty-single: {# x #} ≠ {#}〈proof 〉〈ML〉1.13 Legacy theorem bindingslemmas multi-count-eq = multiset-eq-iff [symmetric]lemma union-commute: M + N = N + (M :: ′ a multiset)〈proof 〉lemma union-assoc: (M + N ) + K = M + (N + (K :: ′ a multiset))〈proof 〉lemma union-lcomm: M + (N + K ) = N + (M + (K :: ′ a multiset))〈proof 〉lemmas union-ac = union-assoc union-commute union-lcommlemma union-right-cancel: M + K = N + K ←→ M = (N :: ′ a multiset)〈proof 〉lemma union-left-cancel: K + M = K + N ←→ M = (N :: ′ a multiset)〈proof 〉lemma multi-union-self-other-eq: (A:: ′ a multiset) + X = A + Y =⇒ X = Y〈proof 〉lemma mset-less-trans: (M :: ′ a multiset) < K =⇒ K < N =⇒ M < N〈proof 〉37
lemma multiset-inter-commute: A #∩ B = B #∩ A〈proof 〉lemma multiset-inter-assoc: A #∩ (B #∩ C ) = A #∩ B #∩ C〈proof 〉lemma multiset-inter-left-commute: A #∩ (B #∩ C ) = B #∩ (A #∩ C )〈proof 〉lemmas multiset-inter-ac =multiset-inter-commutemultiset-inter-assocmultiset-inter-left-commutelemma mult-less-not-refl:¬ M ⊂# (M :: ′ a::order multiset)〈proof 〉lemma mult-less-trans:K ⊂# M ==> M ⊂# N ==> K ⊂# (N :: ′ a::order multiset)〈proof 〉lemma mult-less-not-sym:M ⊂# N ==> ¬ N ⊂# (M :: ′ a::order multiset)〈proof 〉lemma mult-less-asym:M ⊂# N ==> (¬ P ==> N ⊂# (M :: ′ a::order multiset)) ==> P〈proof 〉〈ML〉hide-const (open) fold1.14 Naive implementation using listscode-datatype multiset-oflemma [code]:{#} = multiset-of []〈proof 〉lemma [code]:{#x#} = multiset-of [x]〈proof 〉lemma union-code [code]:multiset-of xs + multiset-of ys = multiset-of (xs @ ys)〈proof 〉38
lemma [code]:image-mset f (multiset-of xs) = multiset-of (map f xs)〈proof 〉lemma [code]:Multiset.filter f (multiset-of xs) = multiset-of (filter f xs)〈proof 〉lemma [code]:multiset-of xs − multiset-of ys = multiset-of (fold remove1 ys xs)〈proof 〉lemma [code]:multiset-of xs #∩ multiset-of ys =multiset-of (snd (fold (λx (ys, zs).if x ∈ set ys then (remove1 x ys, x # zs) else (ys, zs)) xs (ys, [])))〈proof 〉lemma [code]:multiset-of xs #∪ multiset-of ys =multiset-of (split append (fold (λx (ys, zs). (remove1 x ys, x # zs)) xs (ys,[])))〈proof 〉lemma [code-unfold]:x ∈# multiset-of xs ←→ x ∈ set xs〈proof 〉lemma [code]:count (multiset-of xs) x = fold (λy. if x = y then Suc else id) xs 0〈proof 〉lemma [code]:set-of (multiset-of xs) = set xs〈proof 〉lemma [code]:sorted-list-of-multiset (multiset-of xs) = sort xs〈proof 〉lemma [code]: — not very efficient, but representation-ignorant!multiset-of-set A = multiset-of (sorted-list-of-set A)〈proof 〉lemma [code]:mcard (multiset-of xs) = length xs〈proof 〉39
lemma [code]:A ≤ B ←→ A #∩ B = A〈proof 〉instantiation multiset :: (equal) equalbegindefinition[code]: HOL.equal A B ←→ (A:: ′ a multiset) ≤ B ∧ B ≤ Ainstance〈proof 〉endlemma [code]:(A:: ′ a multiset) < B ←→ A ≤ B ∧ A ≠ B〈proof 〉lemma [code]:msetsum (multiset-of xs) = listsum xs〈proof 〉lemma [code]:msetprod (multiset-of xs) = fold times xs 1〈proof 〉lemma [code]:size = mcard〈proof 〉Exercise for the casual reader: add implementations for op ⊆# and op ⊂#(multiset order).Quickcheck generatorsdefinition (in term-syntax)msetify :: ′ a::typerep list × (unit ⇒ Code-Evaluation.term)⇒ ′ a multiset × (unit ⇒ Code-Evaluation.term) where[code-unfold]: msetify xs = Code-Evaluation.valtermify multiset-of {·} xsnotation fcomp (infixl ◦> 60 )notation scomp (infixl ◦→ 60 )instantiation multiset :: (random) randombegindefinitionQuickcheck-Random.random i = Quickcheck-Random.random i ◦→ (λxs. Pair(msetify xs))40
instance 〈proof 〉endno-notation fcomp (infixl ◦> 60 )no-notation scomp (infixl ◦→ 60 )instantiation multiset :: (full-exhaustive) full-exhaustivebegindefinition full-exhaustive-multiset :: ( ′ a multiset × (unit ⇒ term) ⇒ (bool × termlist) option) ⇒ natural ⇒ (bool × term list) optionwherefull-exhaustive-multiset f i = Quickcheck-Exhaustive.full-exhaustive (λxs. f (msetifyxs)) iinstance 〈proof 〉endhide-const (open) msetifyendtheory LProdimports ∼∼ /src/HOL/Library/Multisetbegininductive-setlprod :: ( ′ a ∗ ′ a) set ⇒ ( ′ a list ∗ ′ a list) setfor R :: ( ′ a ∗ ′ a) setwherelprod-single[intro!]: (a, b) ∈ R =⇒ ([a], [b]) ∈ lprod R| lprod-list[intro!]: (ah@at, bh@bt) ∈ lprod R =⇒ (a,b) ∈ R ∨ a = b =⇒ (ah@a#at,bh@b#bt) ∈ lprod Rlemma (as,bs) ∈ lprod R =⇒ length as = length bs〈proof 〉lemma (as, bs) ∈ lprod R =⇒ 1 ≤ length as ∧ 1 ≤ length bs〈proof 〉lemma lprod-subset-elem: (as, bs) ∈ lprod S =⇒ S ⊆ R =⇒ (as, bs) ∈ lprod R〈proof 〉41
lemma lprod-subset: S ⊆ R =⇒ lprod S ⊆ lprod R〈proof 〉lemma lprod-implies-mult: (as, bs) ∈ lprod R =⇒ trans R =⇒ (multiset-of as,multiset-of bs) ∈ mult R〈proof 〉lemma wf-lprod[simp,intro]:assumes wf-R: wf Rshows wf (lprod R)〈proof 〉definition gprod-2-2 :: ( ′ a ∗ ′ a) set ⇒ (( ′ a ∗ ′ a) ∗ ( ′ a ∗ ′ a)) set wheregprod-2-2 R ≡ { ((a,b), (c,d)) . (a = c ∧ (b,d) ∈ R) ∨ (b = d ∧ (a,c) ∈ R) }definition gprod-2-1 :: ( ′ a ∗ ′ a) set ⇒ (( ′ a ∗ ′ a) ∗ ( ′ a ∗ ′ a)) set wheregprod-2-1 R ≡ { ((a,b), (c,d)) . (a = d ∧ (b,c) ∈ R) ∨ (b = c ∧ (a,d) ∈ R) }lemma lprod-2-3 : (a, b) ∈ R =⇒ ([a, c], [b, c]) ∈ lprod R〈proof 〉lemma lprod-2-4 : (a, b) ∈ R =⇒ ([c, a], [c, b]) ∈ lprod R〈proof 〉lemma lprod-2-1 : (a, b) ∈ R =⇒ ([c, a], [b, c]) ∈ lprod R〈proof 〉lemma lprod-2-2 : (a, b) ∈ R =⇒ ([a, c], [c, b]) ∈ lprod R〈proof 〉lemma [simp, intro]:assumes wfR: wf R shows wf (gprod-2-1 R)〈proof 〉lemma [simp, intro]:assumes wfR: wf R shows wf (gprod-2-2 R)〈proof 〉lemma lprod-3-1 : assumes (x ′ , x) ∈ R shows ([y, z, x ′ ], [x, y, z]) ∈ lprod R〈proof 〉lemma lprod-3-2 : assumes (z ′ ,z) ∈ R shows ([z ′ , x, y], [x,y,z]) ∈ lprod R〈proof 〉lemma lprod-3-3 : assumes xr: (xr, x) ∈ R shows ([xr, y, z], [x, y, z]) ∈ lprod R〈proof 〉lemma lprod-3-4 : assumes yr: (yr, y) ∈ R shows ([x, yr, z], [x, y, z]) ∈ lprod R〈proof 〉42
lemma lprod-3-5 : assumes zr: (zr, z) ∈ R shows ([x, y, zr], [x, y, z]) ∈ lprod R〈proof 〉lemma lprod-3-6 : assumes y ′ : (y ′ , y) ∈ R shows ([x, z, y ′ ], [x, y, z]) ∈ lprod R〈proof 〉lemma lprod-3-7 : assumes z ′ : (z ′ ,z) ∈ R shows ([x, z ′ , y], [x, y, z]) ∈ lprod R〈proof 〉definition perm :: ( ′ a ⇒ ′ a) ⇒ ′ a set ⇒ bool whereperm f A ≡ inj-on f A ∧ f ‘ A = Alemma ((as,bs) ∈ lprod R) =(∃ f . perm f {0 ..< (length as)} ∧(∀ j . j < length as −→ ((nth as j , nth bs (f j )) ∈ R ∨ (nth as j = nth bs (f j ))))∧(∃ i. i < length as ∧ (nth as i, nth bs (f i)) ∈ R))〈proof 〉lemma trans R =⇒ (ah@a#at, bh@b#bt) ∈ lprod R =⇒ (b, a) ∈ R ∨ a = b =⇒(ah@at, bh@bt) ∈ lprod R〈proof 〉endtheory MainZFimports Zet LProdbeginendtheory Gamesimports MainZFbegindefinition fixgames :: ZF set ⇒ ZF set wherefixgames A ≡ { Opair l r | l r. explode l ⊆ A & explode r ⊆ A}definition games-lfp :: ZF set wheregames-lfp ≡ lfp fixgamesdefinition games-gfp :: ZF set wheregames-gfp ≡ gfp fixgames43
lemma mono-fixgames: mono (fixgames)〈proof 〉lemma games-lfp-unfold: games-lfp = fixgames games-lfp〈proof 〉lemma games-gfp-unfold: games-gfp = fixgames games-gfp〈proof 〉lemma games-lfp-nonempty: Opair Empty Empty ∈ games-lfp〈proof 〉definition left-option :: ZF ⇒ ZF ⇒ bool whereleft-option g opt ≡ (Elem opt (Fst g))definition right-option :: ZF ⇒ ZF ⇒ bool whereright-option g opt ≡ (Elem opt (Snd g))definition is-option-of :: (ZF ∗ ZF ) set whereis-option-of ≡ { (opt, g) | opt g. g ∈ games-gfp ∧ (left-option g opt ∨ right-optiong opt) }lemma games-lfp-subset-gfp: games-lfp ⊆ games-gfp〈proof 〉lemma games-option-stable:assumes fixgames: games = fixgames gamesand g: g ∈ gamesand opt: left-option g opt ∨ right-option g optshows opt ∈ games〈proof 〉lemma option2elem: (opt,g) ∈ is-option-of =⇒ ∃ u v. Elem opt u ∧ Elem u v ∧Elem v g〈proof 〉lemma is-option-of-subset-is-Elem-of : is-option-of ⊆ (is-Elem-ofˆ+)〈proof 〉lemma wfzf-is-option-of : wfzf is-option-of〈proof 〉lemma games-gfp-imp-lfp: g ∈ games-gfp −→ g ∈ games-lfp〈proof 〉theorem games-lfp-eq-gfp: games-lfp = games-gfp〈proof 〉44
theorem unique-games: (g = fixgames g) = (g = games-lfp)〈proof 〉lemma games-lfp-option-stable:assumes g: g ∈ games-lfpand opt: left-option g opt ∨ right-option g optshows opt ∈ games-lfp〈proof 〉lemma is-option-of-imp-games:assumes hyp: (opt, g) ∈ is-option-ofshows opt ∈ games-lfp ∧ g ∈ games-lfp〈proof 〉lemma games-lfp-represent: x ∈ games-lfp =⇒ ∃ l r. x = Opair l r〈proof 〉definition game = games-lfptypedef game = game〈proof 〉definition left-options :: game ⇒ game zet whereleft-options g ≡ zimage Abs-game (zexplode (Fst (Rep-game g)))definition right-options :: game ⇒ game zet whereright-options g ≡ zimage Abs-game (zexplode (Snd (Rep-game g)))definition options :: game ⇒ game zet whereoptions g ≡ zunion (left-options g) (right-options g)definition Game :: game zet ⇒ game zet ⇒ game whereGame L R ≡ Abs-game (Opair (zimplode (zimage Rep-game L)) (zimplode (zimageRep-game R)))lemma Repl-Rep-game-Abs-game: ∀ e. Elem e z −→ e ∈ games-lfp =⇒ Repl z(Rep-game o Abs-game) = z〈proof 〉lemma game-split: g = Game (left-options g) (right-options g)〈proof 〉lemma Opair-in-games-lfp:assumes l: explode l ⊆ games-lfpand r: explode r ⊆ games-lfpshows Opair l r ∈ games-lfp〈proof 〉lemma left-options[simp]: left-options (Game l r) = l45
〈proof 〉lemma right-options[simp]: right-options (Game l r) = r〈proof 〉lemma Game-ext: (Game l1 r1 = Game l2 r2 ) = ((l1 = l2 ) ∧ (r1 = r2 ))〈proof 〉definition option-of :: (game ∗ game) set whereoption-of ≡ image (λ (option, g). (Abs-game option, Abs-game g)) is-option-oflemma option-to-is-option-of : ((option, g) ∈ option-of ) = ((Rep-game option,Rep-game g) ∈ is-option-of )〈proof 〉lemma wf-is-option-of : wf is-option-of〈proof 〉lemma wf-option-of [simp, intro]: wf option-of〈proof 〉lemma right-option-is-option[simp, intro]: zin x (right-options g) =⇒ zin x (optionsg)〈proof 〉lemma left-option-is-option[simp, intro]: zin x (left-options g) =⇒ zin x (optionsg)〈proof 〉lemma zin-options[simp, intro]: zin x (options g) =⇒ (x, g) ∈ option-of〈proof 〉functionneg-game :: game ⇒ gamewhere[simp del]: neg-game g = Game (zimage neg-game (right-options g)) (zimageneg-game (left-options g))〈proof 〉termination 〈proof 〉lemma neg-game (neg-game g) = g〈proof 〉functionge-game :: (game ∗ game) ⇒ boolwhere[simp del]: ge-game (G, H ) = (∀ x. if zin x (right-options G) then (if zin x (left-options H ) then ¬ (ge-game (H , x) ∨ (ge-game(x, G)))46
else ¬ (ge-game (H , x)))else (if zin x (left-options H ) then ¬ (ge-game (x, G)) elseTrue))〈proof 〉termination 〈proof 〉lemma ge-game-eq: ge-game (G, H ) = (∀ x. (zin x (right-options G) −→ ¬ge-game (H , x)) ∧ (zin x (left-options H ) −→ ¬ ge-game (x, G)))〈proof 〉lemma ge-game-leftright-refl[rule-format]:∀ y. (zin y (right-options x) −→ ¬ ge-game (x, y)) ∧ (zin y (left-options x) −→¬ (ge-game (y, x))) ∧ ge-game (x, x)〈proof 〉lemma ge-game-refl: ge-game (x,x) 〈proof 〉lemma ∀ y. (zin y (right-options x) −→ ¬ ge-game (x, y)) ∧ (zin y (left-optionsx) −→ ¬ (ge-game (y, x))) ∧ ge-game (x, x)〈proof 〉definition eq-game :: game ⇒ game ⇒ bool whereeq-game G H ≡ ge-game (G, H ) ∧ ge-game (H , G)lemma eq-game-sym: (eq-game G H ) = (eq-game H G)〈proof 〉lemma eq-game-refl: eq-game G G〈proof 〉lemma induct-game: ( ∧ x. ∀ y. (y, x) ∈ lprod option-of −→ P y =⇒ P x) =⇒ Pa〈proof 〉lemma ge-game-trans:assumes ge-game (x, y) ge-game (y, z)shows ge-game (x, z)〈proof 〉lemma eq-game-trans: eq-game a b =⇒ eq-game b c =⇒ eq-game a c〈proof 〉definition zero-game :: gamewhere zero-game ≡ Game zempty zemptyfunctionplus-game :: game ⇒ game ⇒ gamewhere[simp del]: plus-game G H = Game (zunion (zimage (λ g. plus-game g H )47
(left-options G))(zimage (λ h. plus-game G h) (left-options H )))(zunion (zimage (λ g. plus-game g H ) (right-options G))(zimage (λ h. plus-game G h) (right-options H )))〈proof 〉termination 〈proof 〉lemma plus-game-comm: plus-game G H = plus-game H G〈proof 〉lemma game-ext-eq: (G = H ) = (left-options G = left-options H ∧ right-optionsG = right-options H )〈proof 〉lemma left-zero-game[simp]: left-options (zero-game) = zempty〈proof 〉lemma right-zero-game[simp]: right-options (zero-game) = zempty〈proof 〉lemma plus-game-zero-right[simp]: plus-game G zero-game = G〈proof 〉lemma plus-game-zero-left: plus-game zero-game G = G〈proof 〉lemma left-imp-options[simp]: zin opt (left-options g) =⇒ zin opt (options g)〈proof 〉lemma right-imp-options[simp]: zin opt (right-options g) =⇒ zin opt (options g)〈proof 〉lemma left-options-plus:left-options (plus-game u v) = zunion (zimage (λg. plus-game g v) (left-optionsu)) (zimage (λh. plus-game u h) (left-options v))〈proof 〉lemma right-options-plus:right-options (plus-game u v) = zunion (zimage (λg. plus-game g v) (right-optionsu)) (zimage (λh. plus-game u h) (right-options v))〈proof 〉lemma left-options-neg: left-options (neg-game u) = zimage neg-game (right-optionsu)〈proof 〉lemma right-options-neg: right-options (neg-game u) = zimage neg-game (left-optionsu)〈proof 〉48
lemma plus-game-assoc: plus-game (plus-game F G) H = plus-game F (plus-gameG H )〈proof 〉lemma neg-plus-game: neg-game (plus-game G H ) = plus-game (neg-game G)(neg-game H )〈proof 〉lemma eq-game-plus-inverse: eq-game (plus-game x (neg-game x)) zero-game〈proof 〉lemma ge-plus-game-left: ge-game (y,z) = ge-game (plus-game x y, plus-game xz)〈proof 〉lemma ge-plus-game-right: ge-game (y,z) = ge-game(plus-game y x, plus-game zx)〈proof 〉lemma ge-neg-game: ge-game (neg-game x, neg-game y) = ge-game (y, x)〈proof 〉definition eq-game-rel :: (game ∗ game) set whereeq-game-rel ≡ { (p, q) . eq-game p q }definition Pg = UNIV //eq-game-reltypedef Pg = Pg〈proof 〉lemma equiv-eq-game[simp]: equiv UNIV eq-game-rel〈proof 〉instantiation Pg :: {ord, zero, plus, minus, uminus}begindefinitionPg-zero-def : 0 = Abs-Pg (eq-game-rel ‘‘ {zero-game})definitionPg-le-def : G ≤ H ←→ (∃ g h. g ∈ Rep-Pg G ∧ h ∈ Rep-Pg H ∧ ge-game (h,g))definitionPg-less-def : G < H ←→ G ≤ H ∧ G ≠ (H ::Pg)definitionPg-minus-def : − G = the-elem ( ⋃ g ∈ Rep-Pg G. {Abs-Pg (eq-game-rel ‘‘49
{neg-game g})})definitionPg-plus-def : G + H = the-elem ( ⋃ g ∈ Rep-Pg G. ⋃ h ∈ Rep-Pg H . {Abs-Pg(eq-game-rel ‘‘ {plus-game g h})})definitionPg-diff-def : G − H = G + (− (H ::Pg))instance 〈proof 〉endlemma Rep-Abs-eq-Pg[simp]: Rep-Pg (Abs-Pg (eq-game-rel ‘‘ {g})) = eq-game-rel‘‘ {g}〈proof 〉lemma char-Pg-le[simp]: (Abs-Pg (eq-game-rel ‘‘ {g}) ≤ Abs-Pg (eq-game-rel ‘‘{h})) = (ge-game (h, g))〈proof 〉lemma char-Pg-eq[simp]: (Abs-Pg (eq-game-rel ‘‘ {g}) = Abs-Pg (eq-game-rel ‘‘{h})) = (eq-game g h)〈proof 〉lemma char-Pg-plus[simp]: Abs-Pg (eq-game-rel ‘‘ {g}) + Abs-Pg (eq-game-rel ‘‘{h}) = Abs-Pg (eq-game-rel ‘‘ {plus-game g h})〈proof 〉lemma char-Pg-minus[simp]: − Abs-Pg (eq-game-rel ‘‘ {g}) = Abs-Pg (eq-game-rel‘‘ {neg-game g})〈proof 〉lemma eq-Abs-Pg[rule-format, cases type: Pg]: (∀ g. z = Abs-Pg (eq-game-rel ‘‘{g}) −→ P) −→ P〈proof 〉instance Pg :: ordered-ab-group-add〈proof 〉end50
Change language