The Nominal Datatype Package in Isabelle/HOL Christian Urban - - PowerPoint PPT Presentation

SLIDE 1

The Nominal Datatype Package in Isabelle/HOL

Christian Urban, University of Munich; joint work with Stefan Berghofer, Markus Wenzel, Alexander Krauss, ...

Nottingham, 18. April 2006 – p.1 (1/1)


SLIDE 3

The POPLmark-Challenge

“How close are we to a world where programming language papers are routinely supported by machine-checked metatheory proofs, where full-scale language definitions are expressed in machine-processed mathematics...?”

Obviously we aren’t there yet: for binders, reasonably powerful tools are available (de Bruijn indices in Coq, Isabelle, ...; HOAS, mainly in Twelf), but apart from some theorem-proving experts nobody seems to use them; non-experts still routinely do their proofs on paper only.

The aim of the nominal datatype package is to support the kind of reasoning that is employed on paper. The hope is: if you can do formal proofs on paper, then you can implement them in Isabelle/HOL with ease. That is not a trivial task.

Nottingham, 18. April 2006 – p.2 (2/2)

SLIDE 4

Substitution Lemma: If x ≢ y and x ∉ FV(L), then M[x := N][y := L] ≡ M[y := L][x := N[y := L]].

Proof: By induction on the structure of M.

Case 1: M is a variable.

Case 1.1. M ≡ x. Then both sides equal N[y := L] since x ≢ y.

Case 1.2. M ≡ y. Then both sides equal L, for x ∉ FV(L) implies L[x := ...] ≡ L.

Case 1.3. M ≡ z ≢ x, y. Then both sides equal z.

Case 2: M ≡ λz.M₁. By the variable convention we may assume that z ≢ x, y and z is not free in N, L. Then by induction hypothesis

(λz.M₁)[x := N][y := L] ≡ λz.(M₁[x := N][y := L]) ≡ λz.(M₁[y := L][x := N[y := L]]) ≡ (λz.M₁)[y := L][x := N[y := L]].

Case 3: M ≡ M₁ M₂. The statement follows again from the induction hypothesis.

This is a simple example illustrating a point. We have already implemented much more complicated proofs, e.g. Church-Rosser, SN, transitivity of subtyping in POPLmark, etc.

Nottingham, 18. April 2006 – p.3 (1/8)


SLIDE 10

Remember: only if y ≠ x and x ∉ FV(N) then (λy.M)[x := N] = λy.(M[x := N]).

The lambda case of the proof, with every step written out and labelled as on the slide ((1) and (2) are the two uses of this equation, (IH) the induction hypothesis):

(λz.M₁)[x := N][y := L]
≡ (λz.(M₁[x := N]))[y := L]            (1)
≡ λz.(M₁[x := N][y := L])              (2)
≡ λz.(M₁[y := L][x := N[y := L]])      (IH)
≡ (λz.(M₁[y := L]))[x := N[y := L]]    (2)
≡ (λz.M₁)[y := L][x := N[y := L]]      (1)

Nottingham, 18. April 2006 – p.3 (7/8)



SLIDE 13

Formal Proof in Isabelle

    lemma forget:
      assumes a: "x # L"
      shows "L[x ::= P] = L"
    using a
    by (nominal_induct L avoiding: x P rule: lam.induct)
       (auto simp add: abs_fresh fresh_atm)

    lemma fresh_fact:
      fixes z :: "name"
      assumes a: "z # N" and b: "z # L"
      shows "z # N[y ::= L]"
    using a b
    by (nominal_induct N avoiding: z y L rule: lam.induct)
       (auto simp add: abs_fresh fresh_atm)

    lemma subst_lemma:
      assumes a: "x ≠ y" and b: "x # L"
      shows "M[x ::= N][y ::= L] = M[y ::= L][x ::= N[y ::= L]]"
    using a b
    by (nominal_induct M avoiding: x y N L rule: lam.induct)
       (auto simp add: forget fresh_fact)

x # L stands for x ∉ FV(L) and reads as “x fresh for L”; # is a polymorphic construction from the Nominal Logic work by Pitts.

Nottingham, 18. April 2006 – p.4 (2/3)


SLIDE 15

Crucial Points

The nominal datatype package generates the α-equivalence classes as a type in Isabelle/HOL.

    atom_decl name
    nominal_datatype lam = Var "name"
                         | App "lam" "lam"
                         | Lam "«name»lam" ("Lam [_]._" [100,100] 100)

The type lam is defined so that we have equations

    Lam [a].(Var a) = Lam [b].(Var b)

which do not hold for “normal” datatypes.

Nottingham, 18. April 2006 – p.5 (1/1)

SLIDE 16

Structural Induction

Then automatically generated is a structural induction principle that has Barendregt’s convention already built in:

    ∀a x. P x (Var a)
    ∀t₁ t₂ x. (∀z. P z t₁) ∧ (∀z. P z t₂) ⇒ P x (App t₁ t₂)
    ∀a t x. a # x ∧ (∀z. P z t) ⇒ P x (Lam [a].t)
    ―――――――――――――――――――――――――――――――――――――――――――――――――――
    P x t

Nottingham, 18. April 2006 – p.6 (1/7)

SLIDE 17

Structural Induction

Then automatically generated is a structural induction principle that has Barendregt’s convention already build in:

8a x: P x (Var a) 8t 1 t 2 x: (8z : P z t 1 ) ^ (8z : P z t 2 ) ) P x (App t 1 t 2 ) 8a t x: a # x ^ (8z : P z t) ) P x (Lam [a℄:t) P x t

The t in P x t is the variable over which the induction proceeds: “... By induction over the structure of M ...”

Nottingham, 18. April 2006 – p.6 (2/7)

SLIDE 18

Structural Induction

Then automatically generated is a structural induction principle that has Barendregt’s convention already build in:

8a x: P x (Var a) 8t 1 t 2 x: (8z : P z t 1 ) ^ (8z : P z t 2 ) ) P x (App t 1 t 2 ) 8a t x: a # x ^ (8z : P z t) ) P x (Lam [a℄:t) P x t

The x in P x t is the context of the induction, for which the binder should be fresh; here it is (x, y, N, L): “... By the variable convention we can assume z ≢ x, y and z not free in N, L ...”

Nottingham, 18. April 2006 – p.6 (3/7)

SLIDE 19

Structural Induction

Then automatically generated is a structural induction principle that has Barendregt’s convention already build in:

8a x: P x (Var a) 8t 1 t 2 x: (8z : P z t 1 ) ^ (8z : P z t 2 ) ) P x (App t 1 t 2 ) 8a t x: a # x ^ (8z : P z t) ) P x (Lam [a℄:t) P x t

P is the property to be proved by induction:

    λ(x, y, N, L). λM. x ≠ y ∧ x # L ⇒ M[x ::= N][y ::= L] = M[y ::= L][x ::= N[y ::= L]]

Nottingham, 18. April 2006 – p.6 (4/7)

SLIDE 20

Structural Induction

Then automatically generated is a structural induction principle that has Barendregt’s convention already build in:

8a x: P x (Var a) 8t 1 t 2 x: (8z : P z t 1 ) ^ (8z : P z t 2 ) ) P x (App t 1 t 2 ) 8a t x: a # x ^ (8z : P z t) ) P x (Lam [a℄:t) P x t

One only has to write (more in the talk of Markus Wenzel):

    by (nominal_induct M avoiding: x y N L rule: lam.induct)

Nottingham, 18. April 2006 – p.6 (5/7)

SLIDE 21

Structural Induction

Then automatically generated is a structural induction principle that has Barendregt’s convention already build in:

8a x: P x (Var a) 8t 1 t 2 x: (8z : P z t 1 ) ^ (8z : P z t 2 ) ) P x (App t 1 t 2 ) 8a t x: a # x ^ (8z : P z t) ) P x (Lam [a℄:t) P x t

The lambda-case amounts to:

    z # (x, y, N, L)
    ∀x y N L. x ≠ y ∧ x # L ⇒ M[x ::= N][y ::= L] = M[y ::= L][x ::= N[y ::= L]]
    x ≠ y        x # L
    ―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
    (Lam [z].M)[x ::= N][y ::= L] = (Lam [z].M)[y ::= L][x ::= N[y ::= L]]

Nottingham, 18. April 2006 – p.6 (6/7)

SLIDE 22

Structural Induction

Then automatically generated is a structural induction principle that has Barendregt’s convention already build in:

8a x: P x (Var a) 8t 1 t 2 x: (8z : P z t 1 ) ^ (8z : P z t 2 ) ) P x (App t 1 t 2 ) 8a t x: a # x ^ (8z : P z t) ) P x (Lam [a℄:t) P x t

By the way: there is a condition for when Barendregt’s variable convention is applicable. It is almost always satisfied, but not always: the context x needs to be finitely supported (it is not allowed to mention all names as free).

Nottingham, 18. April 2006 – p.6 (7/7)

SLIDE 23

Conclusion

The nominal datatype package is still work in progress, but already quite usable for the lambda-calculus: Church-Rosser, strong normalisation using candidates, weakening (transitivity of subtyping, π-calc.).

Mailing list and download:

nominal-isabelle@mailbroy.informatik.tu-muenchen.de
http://isabelle.in.tum.de/nominal/

Nottingham, 18. April 2006 – p.7 (1/1)