\part{Advanced Definition Principles}
\section{Inductive and Coinductive Relations}
\item a relation is a function from some arguments to \texttt{bool}
\item the following example types are all types of relations:
\item \hol{:\ 'a -> 'a -> bool}
\item \hol{:\ 'a -> 'b -> bool}
\item \hol{:\ 'a -> 'b -> 'c -> 'd -> bool}
\item \hol{:\ ('a \# 'b \# 'c) -> bool}
\item \hol{:\ bool}
\item \hol{:\ 'a -> bool}
\item relations are closely related to sets
\item \hol{R a b c <=> (a, b, c) IN \{(a, b, c) | R a b c\}}
\item \hol{(a, b, c) IN S <=> (\textbsl{}a b c.\ (a, b, c) IN S) a b c}
\frametitle{Relations II}
\item relations are often defined by a set of \emph{rules}
\begin{exampleblock}{Definition of Reflexive-Transitive Closure}
The transitive reflexive closure of a relation \hol{R : 'a -> 'a -> bool} can
be defined as the least relation \hol{RTC R} that satisfies the following rules:
$\inferrule*{\hol{R x y}}{\hol{RTC R x y}}$\quad
$\inferrule*{\ }{\hol{RTC R x x}}$\quad
$\inferrule*{\hol{RTC R x y}\\\hol{RTC R y z}}{\hol{RTC R x z}}$
\item if the rules are monoton, a least and a greatest fix point exists (Knaster-Tarski theorem)
\item least fixpoints give rise to \emph{inductive relations}
\item greatest fixpoints give rise to \emph{coinductive relations}
\frametitle{(Co)inductive Relations in HOL}
\item \ml{(Co)IndDefLib} provides infrastructure for defining (co)inductive relations
\item given a set of rules \hol{Hol\_(co)reln} defines (co)inductive relations
\item 3 theorems are returned and stored in current theory
\item a rules theorem --- it states that the defined constant satisfies the rules
\item a cases theorem --- this is an equational form of the rules showing that the defined relation is indeed a fixpoint
\item a (co)induction theorem
\item additionally a strong (co)induction theorem is stored in current theory
\frametitle{Example: Transitive Reflexive Closure}
> \hol{val (RTC_REL_rules, RTC_REL_ind, RTC_REL_cases) = Hol_reln `
(!x y. R x y ==> RTC_REL R x y) \holAnd{}
(!x. RTC_REL R x x) \holAnd{}
(!x y z. RTC_REL R x y \holAnd{} RTC_REL R y z ==> RTC_REL R x z)`}
val RTC_REL_rules = |- !R.
(!x y. R x y ==> RTC_REL R x y) \holAnd{} (!x. RTC_REL R x x) \holAnd{}
(!x y z. RTC_REL R x y \holAnd{} RTC_REL R y z ==> RTC_REL R x z)
val RTC_REL_cases = |- !R a0 a1.
RTC_REL R a0 a1 <=>
(R a0 a1 \holOr{} (a1 = a0) \holOr{} ?y. RTC_REL R a0 y \holAnd{} RTC_REL R y a1)
\frametitle{Example: Transitive Reflexive Closure II}
val RTC_REL_ind = |- !R RTC_REL'.
((!x y. R x y ==> RTC_REL' x y) \holAnd{} (!x. RTC_REL' x x) \holAnd{}
(!x y z. RTC_REL' x y \holAnd{} RTC_REL' y z ==> RTC_REL' x z)) ==>
(!a0 a1. RTC_REL R a0 a1 ==> RTC_REL' a0 a1)
> \hol{val RTC_REL_strongind = DB.fetch "-" "RTC_REL_strongind"}
val RTC_REL_strongind = |- !R RTC_REL'.
(!x y. R x y ==> RTC_REL' x y) \holAnd{} (!x. RTC_REL' x x) \holAnd{}
(!x y z.
RTC_REL R x y \holAnd{} RTC_REL' x y \holAnd{} RTC_REL R y z \holAnd{}
RTC_REL' y z ==>
RTC_REL' x z) ==>
( !a0 a1. RTC_REL R a0 a1 ==> RTC_REL' a0 a1)
\frametitle{Example: \hol{EVEN}}
> \hol{val (EVEN_REL_rules, EVEN_REL_ind, EVEN_REL_cases) = Hol_reln
`(EVEN_REL 0) \holAnd{} (!n. EVEN_REL n ==> (EVEN_REL (n + 2)))`};
val EVEN_REL_cases =
|- !a0. EVEN_REL a0 <=> (a0 = 0) \holOr{} ?n. (a0 = n + 2) \holAnd{} EVEN_REL n
val EVEN_REL_rules =
|- EVEN_REL 0 \holAnd{} !n. EVEN_REL n ==> EVEN_REL (n + 2)
val EVEN_REL_ind = |- !EVEN_REL'.
(EVEN_REL' 0 \holAnd{} (!n. EVEN_REL' n ==> EVEN_REL' (n + 2))) ==>
(!a0. EVEN_REL a0 ==> EVEN_REL' a0)
\item notice that in this example there is exactly one fixpoint
\item therefore, for these rules the inductive and coinductive relation coincide
\frametitle{Example: Dummy Relations}
> \hol{val (DF_rules, DF_ind, DF_cases) = Hol_reln
`(!n. DF (n+1) ==> (DF n))`}
> \hol{val (DT_rules, DT_coind, DT_cases) = Hol_coreln
`(!n. DT (n+1) ==> (DT n))`}
val DT_coind =
|- !DT'. (!a0. DT' a0 ==> DT' (a0 + 1)) ==> !a0. DT' a0 ==> DT a0
val DF_ind =
|- !DF'. (!n. DF' (n + 1) ==> DF' n) ==> !a0. DF a0 ==> DF' a0
val DT_cases = |- !a0. DT a0 <=> DT (a0 + 1):
val DF_cases = |- !a0. DF a0 <=> DF (a0 + 1):
\item notice that the definitions of \hol{DT} and \hol{DF} look like a non-terminating recursive definition
\item \hol{DT} is always true, \ie \hol{|- !n.\ DT n}
\item \hol{DF} is always false, \ie \hol{|- !n.\ \holNeg{}(DF n)}
\section{Quotient Types}
\frametitle{Quotient Types}
\item \ml{quotientLib} allows to define types as quotients of existing types with respect to \emph{partial equivalence relation}
\item each equivalence class becomes a value of the new type
\item partiality allows ignoring certain values of original type
\item \ml{quotientLib} allows to lift definitions and lemmata as well
\item details are technical and won't be presented here
\frametitle{Quotient Types Example}
\item let's assume we have an implementation of finite sets of numbers as
binary trees with
\item type \hol{binset}
\item binary tree invariant \hol{WF\_BINSET :\ binset -> bool}
\item constant \hol{empty\_binset}
\item add and member functions \hol{add :\ num -> binset -> binset},\\ \hol{mem :\ binset -> num -> bool}
\item we can define a partial equivalence relation by\\
\hol{binset\_equiv b1 b2 := (\\
\-\ \ WF\_BINSET b1 \holAnd{} WF\_BINSET b2 \holAnd{}\\
\-\ \ (!n.\ mem b1 n <=> mem b2 n))}
\item this allows defining a quotient type of sets of numbers
\item functions \hol{empty\_binset}, \hol{add} and \hol{mem} as well as lemmata about them can be lifted automatically
\frametitle{Quotient Types Summary}
\item quotient types are sometimes very useful
\item \eg rational numbers are defined as a quotient type
\item there is powerful infrastructure for them
\item many tasks are automated
\item however, the details are technical and won't be discussed here
\section{Case Expressions}
\frametitle{Pattern Matching / Case Expressions}
\item pattern matching ubiquitous in functional programming
\item pattern matching is a powerful technique
\item it helps to write concise, readable definitions
\item very handy and frequently used for interactive theorem proving
\item however, it is \alert{not directly supported} by HOL's logic
\item representations in HOL
\item sets of equations as produced by \hol{Define}
\item decision trees (printed as case-expressions)
\frametitle{TFL / \texttt{Define}}
\item we have already used top-level pattern matches with the TFL package
\item \hol{Define} is able to handle them
\item all the semantic complexity is taken care of
\item no special syntax or functions remain
\item no special rewrite rules, reasoning tools needed afterwards
\item \hol{Define} produces a set of equations
\item this is the recommended way of using pattern matching in HOL
> \hol{val ZIP_def = Define `(ZIP (x::xs) (y::ys) = (x,y)::(ZIP xs ys)) \holAnd{}
(ZIP [] [] = [])`}
val ZIP_def = |- (!ys y xs x. ZIP (x::xs) (y::ys) = (x,y)::ZIP xs ys) \holAnd{}
(ZIP [] [] = [])
\frametitle{Case Expressions}
\item sometimes one does not want to use this compilation by TFL
\item one wants to use pattern-matches somewhere nested in a term
\item one might not want to introduce a new constant
\item one might want to avoid using TFL for technical reasons
\item in such situations, case-expressions can be used
\item their syntax is similar to the syntax used by SML
> \hol{val ZIP_def = Define `ZIP xs ys = case (xs, ys) of
(x::xs, y::ys) => (x,y)::(ZIP xs ys)
| ([], []) => []`}
val ZIP_def = |- !ys xs. ZIP xs ys =
case (xs,ys) of
([],[]) => []
| ([],v4::v5) => ARB
| (x::xs',[]) => ARB
| (x::xs',y::ys') => (x,y)::ZIP xs' ys'
\frametitle{Case Expressions II}
\item the datatype package defines case-constants for each datatype
\item the parser contains a pattern compilation algorithm
\item case-expressions are by the parser compiled to decision trees using case-constants
\item pretty printer prints these decision trees as case-expressions again
val ZIP_def = |- !ys xs. ZIP xs ys =
pair_CASE (xs,ys)
(\textbsl{}v v1.
list_CASE v (list_CASE v1 [] (\textbsl{}v4 v5. ARB))
(\textbsl{}x xs'. list_CASE v1 ARB (\textbsl{}y ys'. (x,y)::ZIP xs' ys'))):
\frametitle{Case Expression Issues}
\item using case expressions feels very natural to functional programmers
\item case-expressions allow concise, well-readable definitions
\item however, there are also many drawbacks
\item there is large, complicated code in the parser and pretty printer
\item this is outside the kernel
\item parsing a pretty-printed term can result in a non $\alpha$-equivalent one
\item there are bugs in this code (see \eg Issue \#416 reported 8 May 2017)
\item the results are hard to predict
\item heuristics involved in creating decision tree
\item however, it is beneficial that proofs follow this internal, volatile structure
\frametitle{Case Expression Issues II}
\item technical issues
\item it is tricky to reason about decision trees
\item rewrite rules about case-constants needs to be fetched from \hol{TypeBase}
\item alternative \hol{srw\_ss} often does more than wanted
\item partially evaluated decision-trees are not pretty printed nicely any more
\item underspecified functions
\item decision trees are exhaustive
\item they list underspecified cases explicitly with value \hol{ARB}
\item this can be lengthy
\item \hol{Define} in contrast hides underspecified cases
\frametitle{Case Expression Example I}
\begin{block}{Partial Proof Script}
val _ = prove (``!l1 l2.
(LENGTH l1 = LENGTH l2) ==>
((ZIP l1 l2 = []) <=> ((l1 = []) \holAnd{} (l2 = [])))``,
\begin{block}{Current Goal}
!l1 l2.
(LENGTH l1 = LENGTH l2) ==>
(((case (l1,l2) of
([],[]) => []
| ([],v4::v5) => ARB
| (x::xs',[]) => ARB
| (x::xs',y::ys') => (x,y)::ZIP xs' ys') =
[]) <=> (l1 = []) \holAnd{} (l2 = []))
\frametitle{Case Expression Example IIa -- partial evaluation}
\begin{block}{Partial Proof Script}
val _ = prove (``!l1 l2.
(LENGTH l1 = LENGTH l2) ==>
((ZIP l1 l2 = []) <=> ((l1 = []) \holAnd{} (l2 = [])))``,
REWRITE_TAC[pairTheory.pair_case_def] >> BETA_TAC
\begin{block}{Current Goal}
!l1 l2.
(LENGTH l1 = LENGTH l2) ==>
(((case l1 of
[] => (case l2 of [] => [] | v4::v5 => ARB)
| x::xs' => case l2 of [] => ARB | y::ys' => (x,y)::ZIP xs' ys') =
[]) <=> (l1 = []) \holAnd{} (l2 = []))
\frametitle{Case Expression Example IIb --- following tree structure}
\begin{block}{Partial Proof Script}
val _ = prove (``!l1 l2.
(LENGTH l1 = LENGTH l2) ==>
((ZIP l1 l2 = []) <=> ((l1 = []) \holAnd{} (l2 = [])))``,
Cases_on `l1` >| [
\begin{block}{Current Goal}
(LENGTH [] = LENGTH l2) ==>
(((case ([],l2) of
([],[]) => []
| ([],v4::v5) => ARB
| (x::xs',[]) => ARB
| (x::xs',y::ys') => (x,y)::ZIP xs' ys') =
[]) <=> (l2 = []))
\frametitle{Case Expression Summary}
\item case expressions are natural to functional programmers
\item they allow concise, readable definitions
\item however, fancy parser and pretty-printer needed
\item trustworthiness issues
\item sanity check lemmata advisable
\item reasoning about case expressions can be tricky and lengthy
\item proofs about case expression often hard to maintain
\item therefore, use top-level pattern matching via \hol{Define} if easily possible
