0

I have a datatype and an inductive predicate over it (which is actually a small-step semantics of some transition system):

datatype dtype = E | A | B dtype

inductive dsem :: "dtype ⇒ dtype ⇒ bool" where  
  "dsem A E"
| "dsem (B E) E"
| "dsem d d' ⟹ dsem (B d) (B d')"

and also a function which is computed by case distinction:

fun f :: "dtype ⇒ nat" where
  "f E = 0"  
| "f A = 1"
| "f (B _) = 2"

I'm trying to prove some property about the inductive predicate, and assumptions also involve computing the value of f which doesn't participate in induction.

lemma
  assumes d: "dsem s s'"
    and h: "h s v"
    and v: "v = f s"
  shows "P v"
using d h
proof (induct rule: dsem.induct)

For the 3rd semantics rule Isabelle computes the subgoal

⋀d d'. dsem d d' ⟹ (h d v ⟹ P v) ⟹ h (B d) v ⟹ P v

where the value of s is lost so it is impossible to compute the value v. I can neither include v into the induction assumptions because then Isabelle generates the subgoal 

⋀d d'. dsem d d' ⟹ (h d v ⟹ v = f d ⟹ P v) ⟹ h (B d) v ⟹ v = f (B d) ⟹ P v

where the induction hypothesis says v = f d which is incorrect since v = f (B d) in this case. Nor can I put v into arbitrary: ... because the value of v must be fixed throughout the proof.

It would be nice to have an explicit binding s = B d in the generated subgoal; unfortunately, the rule dsem.induct doesn't provide it.

Does anybody know a workaround for computing the value v in this case?

chris
  • 4,988
  • 20
  • 36
Nadezhda Baklanova
  • 97
  • 3
  • Does it help to rephrase your lemma as `lemma "dsem s s' ⟹ (⋀v. ⟦ h s v ; v = f s ⟧ ⟹ P v)"`? – John Wickerson Jan 30 '14 at 10:47
  • 1
    Since the fact `v` (i.e., `v = f s`) contains the variable `s` and you are doing induction on `dsem s s'` (which also contains `s`) there is no way around also including `v` into the induction assumptions. If the statement is not provable after doing so, you will have to reformulate it appropriately (whatever that means). – chris Jan 30 '14 at 11:11
  • @JohnWickerson No, it is the same problem. – Nadezhda Baklanova Jan 30 '14 at 13:27
  • You might try the proof with assumption `v` unfolded, i.e. `lemma "dsem s s' ⟹ h s (f s) ⟹ P (f s)"`. This version is logically equivalent to the one stated in the question (and to the one suggested by John Wickerson above). – Brian Huffman Jan 30 '14 at 18:09

1 Answers1

1

It seems strange to me that v should be at the same time fixed and computed from s and that is what chris is saying in the comments.

If the solution Brian gives in the comments is what you want, it could duplicate the expression f s which could be big (and use s several times) and perhaps the point of the assumption v = f s was to avoid this.

A first workaround (that was possibly what Brian implicitly proposed) is to make Isabelle do the unfolding:

lemma
  assumes d: "dsem s s'"
    and h: "h s v"
    and v: "v = big_f s s"
  shows "P v"
using d h
unfolding v -- {* <<<< *}
proof (induct rule: dsem.induct)

A second workaround could be to abbreviate big_f instead of big_f s s:

lemma
  assumes d: "dsem s s'"
    and h: "h s (f s)"
    and v: "f = (λs. big_f s s)" -- {* <<<< *}
  shows "P (f s)"
using d h
proof (induct rule: dsem.induct)
Community
  • 1
  • 1
Mathieu
  • 726
  • 3
  • 11
  • Thanks for your suggestions. Unfortunately, all these propositions lead to the described issue. The lemma in the form I wanted it seems to be unprovable, so I had to reformulate it. – Nadezhda Baklanova Feb 05 '14 at 12:21