
I am trying to prove that in a trace of a protocol run a message will not be in an empty trace. The eventual goal is to prove that no host will send a message to itself. This seems intuitively simple so I'm not actually sure what is happening. The error I receive is

Failed to apply initial proof method:
using this:
  [] ∈ ns_public
goal (1 subgoal):
 1. ∀A B X. Says A B X ∉ set_of_list []

Here is the code in question.

inductive_set ns_public :: "event list set"
where
  Nil[intro!,simp] : "[] ∈ ns_public"  |

....
<snip>
....

lemma "∀ A B X. [] ∈ ns_public ⟶ Says A B X ∉ set_of_list []"
proof
  assume "[] ∈ ns_public"
  from this have  "∀ A B X. Says A B X ∉ set_of_list []"
  from this show "True" by blast
oops
MSab
    What's the definition of the `set_of_list` function? HOL already defines such a function, called `set`. If you use that, your lemma becomes trivial, because _nothing_ is element of `set []`, without any preconditions. – larsrh Feb 10 '16 at 12:33
  • set_of_list transforms a list into a set. I'm having trouble with the formatting but the code is below. Does `set` do this? `primrec set_of_list :: "'a list ⇒ 'a set" where "set_of_list [] = {}" | "set_of_list(x # xs) = (insert x (set_of_list xs))"` – MSab Feb 14 '16 at 23:42
  • Yes, this is what the `set` function does. – larsrh Feb 15 '16 at 17:15

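The thread has no posted answer; the following Isabelle theory is an added example that is not part of the original question or comments. It takes the asker's `set_of_list` definition and larsrh's remark that `set` makes the lemma trivial, and completes the lemma. The `agent`, `msg` and `event` datatypes are constructed stand-ins for the HOL-Auth types the question relies on but does not show; `ns_public` keeps only the `Nil` rule that appears in the question, since the remaining rules were snipped. The theory name `Empty_Trace` and the lemma name `set_of_list_eq_set` are chosen here.

```isabelle
theory Empty_Trace
  imports Main
begin

(* Constructed stand-ins for the HOL-Auth types; only what the lemma needs. *)
datatype agent = Friend nat | Spy
datatype msg = Nonce nat | Agent agent
datatype event = Says agent agent msg | Notes agent msg

(* The asker's definition, as given in the comments. *)
primrec set_of_list :: "'a list ⇒ 'a set" where
  "set_of_list [] = {}"
| "set_of_list (x # xs) = insert x (set_of_list xs)"

(* Only the Nil rule is known from the question; the other rules were snipped. *)
inductive_set ns_public :: "event list set" where
  Nil [intro!, simp]: "[] ∈ ns_public"

(* set_of_list coincides with the library's set, as larsrh says: induction on
   the list, then the primrec equations and HOL's set simp rules close both cases. *)
lemma set_of_list_eq_set: "set_of_list xs = set xs"
  by (induct xs) simp_all

(* The asker's lemma with the missing proof steps filled in. `intro allI impI`
   strips the quantifiers and the implication so the assumption can be named.
   The `have` in the question had no proof method, and `show "True"` does not
   match the goal. The assumption is not even needed: set_of_list [] = {} is a
   simp rule, and nothing is an element of {}. *)
lemma "∀A B X. [] ∈ ns_public ⟶ Says A B X ∉ set_of_list []"
proof (intro allI impI)
  fix A B X
  assume "[] ∈ ns_public"
  show "Says A B X ∉ set_of_list []" by simp
qed

(* The same statement with the library function: no precondition, one simp call. *)
lemma "Says A B X ∉ set []"
  by simp

end
```

The `set_of_list_eq_set` lemma is what lets the two forms be used interchangeably: once it is in the simp set, any goal about `set_of_list` on a trace reduces to the corresponding goal about `set`, so the empty-trace lemma never needs the `[] ∈ ns_public` premise at all.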