Tutorial on Isabelle/HOL

More documents

Recommendations

Info

3.1 Simplification 31lemma "(let xs = [] in xs@ys@xs) = ys"apply(simp add: Let_def)doneIf, in a particular context, there is no danger of a combinatorial explosionof nested lets, you could even simplify with Let_def by default:declare Let_def [simp]3.1.8 Conditional Simplification RulesSo far all examples of rewrite rules were equations. The simplifier also acceptsconditional equations, for examplelemma hd_Cons_tl[simp]: "xs ≠ [] =⇒ hd xs # tl xs = xs"apply(case_tac xs, simp, simp)doneNote the use of “,” to string together a sequence of methods. Assumingthat the simplification rule (rev xs = []) = (xs = []) is present as well, thelemma below is proved by plain simplification:lemma "xs ≠ [] =⇒ hd(rev xs) # tl(rev xs) = rev xs"The conditional equation hd_Cons_tl above can simplify hd (rev xs) # tl(rev xs) to rev xs because the corresponding precondition rev xs ≠ [] simplifiesto xs ≠ [], which is exactly the local assumption of the subgoal.3.1.9 Automatic Case SplitsGoals containing if-expressions are usually proved by case distinction on theboolean condition. Here is an example:lemma "∀ xs. if xs = [] then rev xs = [] else rev xs ≠ []"The goal can be split by a special method, split:apply(split split_if)1. ∀ xs. (xs = [] −→ rev xs = []) ∧ (xs ≠ [] −→ rev xs ≠ [])where split_if is a theorem that expresses splitting of ifs. Because splittingthe ifs is usually the right proof strategy, the simplifier does it automatically.Try apply(simp) on the initial goal above.This splitting idea generalizes from if to case. Let us simplify a caseanalysis over lists:lemma "(case xs of [] ⇒ zs | y#ys ⇒ y#(ys@zs)) = xs@zs"apply(split list.split)1. (xs = [] −→ zs = xs @ zs) ∧(∀ a list. xs = a # list −→ a # list @ zs = xs @ zs)
32 3. More Functional ProgrammingThe simplifier does not split case-expressions, as it does if-expressions, becausewith recursive datatypes it could lead to nontermination. Instead, thesimplifier has a modifier split for adding splitting rules explicitly. The lemmaabove can be proved in one step byapply(simp split: list.split)whereas apply(simp) alone will not succeed.Every datatype t comes with a theorem t.split which can be declaredto be a split rule either locally as above, or by giving it the split attributeglobally:declare list.split [split]The split attribute can be removed with the del modifier, either locallyapply(simp split del: split_if)or globally:declare list.split [split del]Polished proofs typically perform splitting within simp rather than invokingthe split method. However, if a goal contains several if and caseexpressions, the split method can be helpful in selectively exploring theeffects of splitting.The split rules shown above are intended to affect only the subgoal’sconclusion. If you want to split an if or case-expression in the assumptions,you have to apply split_if_asm or t.split_asm:lemma "if xs = [] then ys ≠ [] else ys = [] =⇒ xs @ ys ≠ []"apply(split split_if_asm)Unlike splitting the conclusion, this step creates two separate subgoals, whichhere can be solved by simp_all:1. [[xs = []; ys ≠ []]] =⇒ xs @ ys ≠ []2. [[xs ≠ []; ys = []]] =⇒ xs @ ys ≠ []If you need to split both in the assumptions and the conclusion, use t.splitswhich subsumes t.split and t.split_asm. Analogously, there is if_splits.!!The simplifier merely simplifies the condition of an if but not the then orelse parts. The latter are simplified only after the condition reduces to Trueor False, or after splitting. The same is true for case-expressions: only the selectoris simplified at first, until either the expression reduces to one of the cases or it issplit.3.1.10 TracingUsing the simplifier effectively may take a bit of experimentation. Set theProof General flag Isabelle > Settings > Trace Simplifier to get a better ideaof what is going on:
Page 1 and 2: Tobias NipkowMarkus WenzelLawrence
Page 3 and 4: viPrefacegives the best performance
Page 5 and 6: viiiContents3.1.3 The simp Method .
Page 7 and 8: xContents6.6 Case Study: Verified M
Page 9 and 10: xiiContents
Page 12 and 13: 1. The Basics1.1 IntroductionThis b
Page 14 and 15: 1.3 Types, Terms and Formulae 5base
Page 16 and 17: 1.4 Variables 71.4 VariablesIsabell
Page 18: 2. Functional Programming in HOLThi
Page 21 and 22: 12 2. Functional Programming in HOL
Page 36 and 37: 3. More Functional ProgrammingThe p
Page 38 and 39: 3.1 Simplification 29could have bee
Page 42 and 43: 3.1 Simplification 33lemma "rev [a]
Page 44 and 45: 3.2 Induction Heuristics 35Proof Ge
Page 46 and 47: 3.3 Case Study: Compiling Expressio
Page 48 and 49: 3.4 Advanced Datatypes 39two case-e
Page 50 and 51: apply simp_all3.4 Advanced Datatype
Page 52 and 53: 3.4 Advanced Datatypes 43lemma [sim
Page 54 and 55: 3.4 Advanced Datatypes 45✑◗ ✑
Page 56 and 57: 3.5 Total Recursive Functions: fun
Page 58 and 59: "ack2 n 0 = Suc n" |"ack2 0 (Suc m)
Page 60: 3.5 Total Recursive Functions: fun
Page 63 and 64: 54 4. Presenting Theoriesdefinition
Page 65 and 66: 56 4. Presenting Theories| Yen nat
Page 67 and 68: 58 4. Presenting Theories4.2.1 Isab
Page 69 and 70: 60 4. Presenting Theoriesheader {*
Page 71 and 72: 62 4. Presenting Theoriestext {*Thi
Page 73 and 74: 64 4. Presenting TheoriesTagged com
Page 76 and 77: 5. The Rules of the GameThis chapte
Page 79: 70 5. The Rules of the GameThe assu
Page 83 and 84: 74 5. The Rules of the Game¬(P →
Page 85 and 86: 76 5. The Rules of the GameOther me
Page 87 and 88: 78 5. The Rules of the Gamere-orien
Page 89 and 90: 80 5. The Rules of the Gamelemma "[
Page 91 and 92:
82 5. The Rules of the GameAs befor
Page 93 and 94:
84 5. The Rules of the Gamelemma "[
Page 95 and 96:
86 5. The Rules of the Game5.10.1 D
Page 97 and 98:
88 5. The Rules of the Game5.11 Som
Page 99 and 100:
90 5. The Rules of the GameThe next
Page 101 and 102:
92 5. The Rules of the Gameit can p
Page 103 and 104:
94 5. The Rules of the Game5.15.1 M
Page 105 and 106:
96 5. The Rules of the Game5.15.2 M
Page 107 and 108:
98 5. The Rules of the Game5.16.1 T
Page 109 and 110:
100 5. The Rules of the Game5.17 Ma
Page 111 and 112:
102 5. The Rules of the GameWe deci
Page 113 and 114:
104 5. The Rules of the Gamegcd ?m1
Page 116 and 117:
6. Sets, Functions and RelationsThi
Page 118 and 119:
6.1 Sets 1096.1.1 Finite Set Notati
Page 120 and 121:
6.2 Functions 111The internal form
Page 122 and 123:
6.3 Relations 1131. ∀ x y. f x =
Page 124 and 125:
Induction over the reflexive transi
Page 126 and 127:
inv_image r f ≡ {(x,y). (f x, f y
Page 128 and 129:
6.6 Case Study: Verified Model Chec
Page 130 and 131:
Page 132 and 133:
6.6.2 Computation Tree Logic — CT
Page 134 and 135:
Page 136:
Page 139 and 140:
130 7. Inductively Defined Setsan e
Page 141 and 142:
132 7. Inductively Defined Sets1. n
Page 143 and 144:
134 7. Inductively Defined Setsindu
Page 145 and 146:
136 7. Inductively Defined SetsNow
Page 147 and 148:
138 7. Inductively Defined Sets7.3.
Page 149 and 150:
140 7. Inductively Defined Setswher
Page 151 and 152:
142 7. Inductively Defined Sets7.3.
Page 153 and 154:
144 7. Inductively Defined Sets| "[
Page 155 and 156:
146 7. Inductively Defined Setstheo
Page 158:
Part IIIAdvanced Material
Page 161 and 162:
152 8. More about TypesThe intuitiv
Page 163 and 164:
154 8. More about Typesthe simplifi
Page 165 and 166:
156 8. More about Typesmore is impl
Page 167 and 168:
158 8. More about TypesThe cases me
Page 169 and 170:
160 8. More about Types8.3 Axiomati
Page 171 and 172:
162 8. More about Typesprefix_def:"
Page 173 and 174:
164 8. More about TypesLinear Order
Page 175 and 176:
166 8. More about Types8.4 NumbersU
Page 177 and 178:
168 8. More about Types2 + n = Suc
Page 179 and 180:
170 8. More about Typeswhen the lef
Page 181 and 182:
172 8. More about Types((c::’a::r
Page 183 and 184:
174 8. More about Types8.5.2 Defini
Page 185 and 186:
176 8. More about TypesThe fact tha
Page 187 and 188:
178 9. Advanced Simplification and
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 198 and 199:
10. Case Study: Verifying a Securit
Page 200 and 201:
10.2 Agents and Messages 1911. A
Page 202 and 203:
analz (synth H) = analz H ∪ synth
Page 204 and 205:
10.6 Proving Elementary Properties
Page 206 and 207:
10.7 Proving Secrecy Theorems 197No
Page 208 and 209:
10.7 Proving Secrecy Theorems 199ca
Page 210:
201You know my methods. Apply them!
Page 213 and 214:
204 A. AppendixConstant Type Syntax
Page 215 and 216:
206 BIBLIOGRAPHY[13] Florian Haftma
Page 217 and 218:
Index!, 203?, 203∃! , 203?!, 203&
Page 219 and 220:
210 Index- defining inductively, 12
Page 221 and 222:
212 Index- and fun, 48patterns- hig
show all

Tutorial on Isabelle/HOL

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?