\chapter{The pred{\und}sets Library} The \ml{pred\_sets} library contains a theory of predicates regarded as sets. A predicate {\small\verb!s:'a->bool!} is considered as a collection or `set' of elements of type \ml{'a}, and the standard operations on sets such as union, intersection, and set difference are appropriately defined for this representation. The library was originally written in 1989 by Ton Kalker. It was completely rewritten by the present author for \HOL\ version 2.01 in early 1992. The aim of this revision was to make the \ml{pred\_sets} library closely parallel to the much more developed \HOL\ \ml{sets} library, with the same names for constants and theorems and the same form of definitions for operations on sets. The present document is itself also adapted from the manual for the \ml{sets} library~\cite{melham}. There is only one theory in the \ml{pred\_sets} library, namely the theory `\ml{pred\_set}'. This document explains the logical basis of this theory and the theorem-proving support provided by library. The latter includes conversions for expanding set specifications and for evaluating various operations on finite sets described by enumeration of their elements. The library also provides parser and pretty-printer support for terms that denote sets. \section{Membership and the axioms of set theory} A value \ml{x} is defined to be an element of a set exactly when the characteristic predicate of the set is true of \ml{x}. Since sets in the \ml{pred\_sets} library are just represented by their characteristic predicates, this membership relation is straightforward to define as follows: \begin{hol} \index{definition!of IN@of {\ptt IN}} \index{SPECIFICATION@{\ptt SPECIFICATION}} \begin{verbatim} SPECIFICATION |- !P x. x IN P = P x \end{verbatim}\end{hol} \noindent The infix function constant \ml{IN} defined here constitutes the basic language for the entire theory of sets in the \ml{pred\_sets} library; all operators and predicates on sets are ultimately defined in terms of this one function. The definition of \ml{IN} shown above loosely corresponds to what is usually called the {\it axiom of specification\/}\index{axiom of specification} for sets (hence the name \ml{SPECIFICATION}). This axiom states that sets can be constructed from predicates that describe or `specify' their elements. A value is an element of the constructed set exactly when the predicate is true of that value. Since sets and predicates are identical in the \ml{pred\_sets} library, we can simply say that \ml{x} is in the `set' \ml{P} exactly when {\small\verb!P x!} holds. The definition of \ml{IN} is one of two fundamental theorems in the \ml{pred\_sets} library, from which all others are derived. The second of these fundamental theorems states what is usually called the {\it axiom of extension\/}\index{axiom of extension} for sets. This is not, of course, literally an {\it axiom\/} of the \ml{pred\_sets} theory, but rather a theorem derived by proof: \begin{hol} \index{EXTENSION@{\ptt EXTENSION}} \begin{verbatim} EXTENSION |- !s t. (s = t) <=> (!x. x IN s = x IN t) \end{verbatim}\end{hol} \noindent \ml{EXTENSION} states that two sets are equal exactly when they have the same elements. This follows directly from the definition of the constant \ml{IN} and the extensionality functions in higher order logic. Once the theorems \ml{EXTENSION} and \ml{SPECIFICATION} have been proved, they provide a complete basis for all further reasoning about sets and membership. The library theory \ml{pred\_sets} is developed entirely on the basis of these two `axioms' of set theory. \section{Generalized set specifications} In addition to the basic constant \ml{IN}, which allows one to regard a predicate as the set of all values that satisfy it, the \ml{pred\_sets} library also provides a general way of constructing sets by describing or specifying their elements. Roughly speaking, there are two components to a generalized set specification: an expression \ml{E[x]} and a predicate \ml{P[x]}. For any such expression and predicate, there is a corresponding set {\small\verb!{E[x] | P[x]}!}, the set of all values {\small\verb!E[x]!} for which {\small\verb!P[x]!} holds. The \ml{pred\_sets} library supports generalized set specifications by means of the constant: \begin{hol} \index{GSPEC@{\ptt GSPEC}} \begin{verbatim} GSPEC : ('b -> ('a # bool)) -> 'a -> bool \end{verbatim} \end{hol} \noindent The function \ml{GSPEC} takes a function \ml{f :\ 'b -> ('a \# bool)} and constructs the set (i.e. predicate of type {\small\verb!'a->bool!}) of all values \ml{FST(f x)} for which \ml{SND(f x)} holds, for some value \ml{x} of type \ml{'b}. The formal definition of the constant \ml{GSPEC} is given by the following constant specification: \begin{hol} \index{definition!of GSPEC@of {\ptt GSPEC}} \index{GSPECIFICATION@{\ptt GSPECIFICATION}} \begin{verbatim} GSPECIFICATION |- !f v. v IN (GSPEC f) = (?x. v,T = f x) \end{verbatim} \end{hol} \noindent This theorem is analogous to the axiom of specification\index{axiom of specification!for generalized set specifications} for \ml{IN}. This states that a value \ml{v} is an element of the set specified by \ml{f} exactly when \ml{v} is one of the values of \ml{FST(f x)} for which \ml{SND(f x)} is true. To see how this supports the notion of generalized set specification described above, let \ml{f} in this definition be the function {\small\verb!\x.E[x],P[x]!}. With a little simplification, we would then have: \begin{hol} \begin{verbatim} |- !v. v IN (GSPEC \x.E[x],P[x]) = ?x. (v = E[x]) /\ P[x] \end{verbatim} \end{hol} \noindent That is, a value \ml{v} is in the set constructed by \ml{GSPEC} exactly when for some \ml{x} for which \ml{P[x]}, the value \ml{v} is equal to \ml{E[x]}. The constructed set therefore contains all values \ml{E[x]} for which \ml{P[x]} holds. \subsection{Parser and pretty-printer support}\label{abst} To facilitate the use of sets constructed by generalized set specification, the \ml{pred\_sets}\linebreak[3] library provides parser and pretty-printer support for set abstractions expressed by the notation {\small\verb!"{!$E$\verb! | !$P$\verb!}"!}. The built-in \ML\ function \ml{define\_set\_abstraction\_syntax}% \index{define\_set\_abstraction\_syntax@{\ptt define\_set\_abstraction\_syntax}} (see the manual~\cite{description} for details) is used to introduce this \mbox{notation} when the library is loaded. The call made to this function extends the \HOL\ parser so that a quotation of the form {\small\verb!"{!$E$\verb! | !$P$\verb!}"!} {\samepage parses to: \begin{hol} \begin{alltt} GSPEC (\bk(\m{x\sb{1}},\(\dots\),\m{x\sb{n}}).(\(E\),\(P\))) \end{alltt} \end{hol} \noindent where $x_1$, \dots, $x_n$ are} the variables that occur free in both the expression $E$ and the proposition $P$ (i.e.\ the set $\{x_1,\dots,x_n\}$ is the intersection of the set of free variables of $E$ and the set of free variables of $P$). If there are {\it no\/} variables free in both $E$ and $P$, then a parser error is generated. When the \ml{print\_set}\index{print\_set@{\ptt print\_set} (flag)} flag is \ml{true}, the quotation pretty-printer inverts this transformation. A simple example of this set abstraction notation is shown in the following \HOL\ session, in which it is assumed that the \ml{pred\_sets} library has already been loaded. (See section~\ref{using} for a description of how \ml{pred\_sets} is loaded.) \setcounter{sessioncount}{1} \begin{session} \begin{verbatim} #let gtr = new_definition (`gtr`, "gtr N = {n | n > N}");; gtr = |- !N. gtr N = {n | n > N} #set_flag (`print_set`,false);; true : bool #"{n | n > N}";; "GSPEC(\n. (n,n > N))" : term \end{verbatim}\end{session} \noindent The term {\small\verb!{n | n > N}!} in the definition of \ml{gtr} denotes the set of all natural numbers greater than \ml{N}. It is important to note that the variable \ml{N} is a free variable in this term, since it occurs on only one side of the bar `{\small\verb!|!}'. The set abstraction {\small\verb!{n | n > N}!} therefore parses to the generalized set specification \begin{hol} \begin{verbatim} GSPEC(\n. (n,n > N)) \end{verbatim}\end{hol} \noindent This is what gives this set abstraction the (presumably intended) interpretation `the set of all \ml{n} greater than \ml{N}'. By contrast, the term \begin{hol} \begin{verbatim} GSPEC(\(n,N). (n,n > N)) \end{verbatim}\end{hol} \noindent denotes the set of all numbers \ml{n} greater than some number \ml{N}---i.e., the set $\{\ml{1},\ml{2},\ml{3},\dots\}$. This is {\it not\/} the default interpretation of the parser, which constructs a generalized set specification that binds the variable \ml{n} only. Note that only default\pagebreak[3] interpretations are pretty-printed using the {\samepage set abstraction notation: \begin{session} \begin{verbatim} #set_flag(`print_set`,true);; false : bool #"GSPEC (\n. (n,n>N))";; "{n | n > N}" : term #"GSPEC (\(n,N). (n,n>N))";; "GSPEC(\(n,N). (n,n > N))" : term \end{verbatim}\end{session} \noindent That is, a term of the form: \begin{hol} \begin{alltt} GSPEC (\bk(\m{x\sb{1}},\(\dots\),\m{x\sb{n}}).(\(E\),\(P\))) \end{alltt}\end{hol} \noindent prints as {\small\verb!"{!$E$\verb! | !$P$\verb!}"!} only if the variables $x_1$, \dots, $x_n$ occur free in both $E$ and $P$.} In general, the expression $E$ in a set abstraction {\small\verb!"{!$E$\verb! | !$P$\verb!}"!} need not be just a variable. Consider, for example, the following \HOL\ session: \begin{session} \begin{verbatim} #let S = "{(n,m) | n < m}";; S = "{(n,m) | n < m}" : term #set_flag(`print_set`,false);; true : bool #"{(n,m) | n < m}";; "GSPEC(\(n,m). ((n,m),n < m))" : term \end{verbatim}\end{session} \noindent Here, a set abstraction is used to construct the set of all pairs of numbers \ml{(n,m)} for which \ml{n} is less than \ml{m}. Note that both variables \ml{n} and \ml{m} are bound in the underlying generalized set specification. \subsection{Theorem-proving support} \index{SET\_SPEC\_CONV@{\ptt SET\_SPEC\_CONV}|(} \index{conversions!SET\_SPEC\_CONV@{\ptt SET\_SPEC\_CONV}|(} The \ml{pred\_sets} library provides proof support for the set abstraction notation in the form of a conversion called \ml{SET\_SPEC\_CONV}. This conversion implements the axiom of specification for set abstractions.% \index{axiom of specification!for set abstractions} When $v$ is a variable, evaluating: \begin{hol}\def\m#1{\mbox{\small$#1$}} \begin{alltt} SET_SPEC_CONV "\m{t} IN \lb\m{v} \vb \m{P}\rb";; \end{alltt}\end{hol} \noindent returns the theorem: \begin{hol}\def\m#1{\mbox{\small$#1$}} \begin{alltt} {\vb}- \m{t} IN \lb\m{v} \vb \m{P}\rb = \m{P[t/v]} \end{alltt}\end{hol} \noindent This states that $t$ is an element of the set of all $v$ such that $P$ exactly when $P[t/v]$ holds. Note that, in general, the term $t$ need not be a variable. The following session illustrates this use of \ml{SET\_SPEC\_CONV} for membership {\samepage in a particular set abstraction: \setcounter{sessioncount}{1} \begin{session} \begin{verbatim} #SET_SPEC_CONV ``12 IN {n | n > N}``; |- 12 IN {n | n > N} = 12 > N \end{verbatim}\end{session}} \pagebreak[3] The conversion \ml{SET\_SPEC\_CONV} behaves differently when applied to terms of the form {\small\verb!"!$t$\verb! IN {!$E$\verb! | !$P$\verb!}"!} where {\small $E$} is not a variable. Applying the conversion to a term of this kind yields the theorem: \begin{hol}\def\m#1{\mbox{\small$#1$}} \begin{alltt} {\vb}- \m{t} IN \lb\m{E} \vb \m{P}\rb = ?\m{x\sb{1}\dots x\sb{n}}. (\m{t} = \m{E}) /\bk \m{P} \end{alltt}\end{hol} \noindent where $x_1$, \dots, $x_n$ are the variables that occur free in both $E$ and $P$. The expression $E$ cannot in general be eliminated in this case, as it can by the substitution $P[t/v]$ when $E$ is just a variable $v$. \pagebreak[3] The following session illustrates the form of the theorem proved by \ml{SET\_SPEC\_CONV} for the second type of input term discussed above: \setcounter{sessioncount}{1} \begin{session} \begin{verbatim} #let th1 = SET_SPEC_CONV "p IN {(n,m) | n < m}";; th1 = |- p IN {(n,m) | n < m} = (?n m. (p = n,m) /\ n < m) #let th2 = SET_SPEC_CONV "(a,b) IN {(n,m) | n < m}";; th2 = |- (a,b) IN {(n,m) | n < m} = (?n m. (a,b = n,m) /\ n < m) #let th3 = SET_SPEC_CONV "a IN {n + m | n < m}";; th3 = |- a IN {n + m | n < m} = (?n m. (a = n + m) /\ n < m) \end{verbatim}\end{session} \noindent The right-hand sides of \ml{th1} and \ml{th2} could, in principle, be further simplified. The value of the expression `\ml{(n,m)}' is an injective function of the values of \ml{n} and \ml{m}, and so by eliminating the existential quantifiers these two theorems could be simplified to: \begin{hol} \begin{verbatim} th1 |- p IN {(n,m) | n < m} = (FST p < SND p) th2 |- (a,b) IN {(n,m) | n < m} = (a < b) \end{verbatim}\end{hol} \noindent But in general the value of {\small $E$} in a set abstraction {\small\verb!"{!$E$\verb! | !$P$\verb!}"!} will not be an injective function of its free variables, as for example is the case in theorem \ml{th3}. The conversion \ml{SET\_SPEC\_CONV} therefore attempts no further simplification of its result than is described above for the general case.\index{SET\_SPEC\_CONV@{\ptt SET\_SPEC\_CONV}|)}% \index{conversions!SET\_SPEC\_CONV@{\ptt SET\_SPEC\_CONV}|)} \section{The empty and universal sets} The following two constants are defined in the \ml{pred\_sets} library: {\small\verb!EMPTY:'a->bool!}, which denotes the empty set; and {\small\verb!UNIV:'a->bool!}, which denotes the universe, or set of all values of type \ml{'a}.{\samepage These constants are defined formally as follows: \begin{hol} \index{definition!of EMPTY@of {\ptt EMPTY}} \index{EMPTY\_DEF@{\ptt EMPTY\_DEF}} \index{definition!of UNIV@of {\ptt UNIV}} \index{UNIV\_DEF@{\ptt UNIV\_DEF}} \begin{verbatim} EMPTY_DEF |- EMPTY = \x. F UNIV_DEF |- UNIV = \x. T \end{verbatim}\end{hol} \noindent The\index{naming conventions!for definitions|(} theorems \ml{EMPTY\_DEF} and \ml{UNIV\_DEF} shown above are named according to the general convention that all definitions in the \ml{pred\_sets} library are given names ending in `{\small\verb!_DEF!}'.\index{naming conventions!for definitions|)}} \pagebreak[3] Note that because of the restriction on free variables discussed above, the set abstractions {\small\verb!"{x | T}"!} and {\small\verb!"{x | F}"!} cannot be used in these definitions; the more primitive form of set construction given by the above lambda-abstractions must be used instead. But users of the library will never need to appeal to these definitions, since the following theorems about \ml{EMPTY} and \ml{UNIV} are also made available in the theory \ml{pred\_sets}: \begin{hol} \index{NOT\_IN\_EMPTY@{\ptt NOT\_IN\_EMPTY}} \index{IN\_UNIV@{\ptt IN\_UNIV}} \begin{verbatim} NOT_IN_EMPTY |- !x. ~x IN EMPTY IN_UNIV |- !x. x IN UNIV \end{verbatim}\end{hol} \noindent That is, nothing is an element of \ml{EMPTY} and everything is an element of \ml{UNIV}. These properties follow directly from the definitions and the theorem \ml{SPECIFICATION}. Other pre-proved theorems about the empty and universal sets are also available in the library; see chapter~\ref{theorems} for a complete list. \section{Set inclusion} The infix functions \ml{SUBSET} and \ml{PSUBSET} denote the binary relations of set inclusion and proper set inclusion, respectively. These are defined formally in the obvious way: \begin{hol} \index{definition!of SUBSET@of {\ptt SUBSET}} \index{SUBSET\_DEF@{\ptt SUBSET\_DEF}} \index{definition!of PSUBSET@of {\ptt PSUBSET}} \index{PSUBSET\_DEF@{\ptt PSUBSET\_DEF}} \begin{verbatim} SUBSET_DEF |- !s t. s SUBSET t = (!x. x IN s ==> x IN t) PSUBSET_DEF |- !s t. s PSUBSET t = s SUBSET t /\ ~(s = t) \end{verbatim}\end{hol} \noindent That is, \ml{s} is a subset of \ml{t} if every element of \ml{s} is also an element of \ml{t}; and \ml{s} is a proper subset of \ml{t} if it is a subset of \ml{t} but not equal to \ml{t}. Various pre-proved theorems about the subset and proper subset relations are supplied by the \ml{pred\_sets} library. For example, the fact that \ml{SUBSET} is a partial order is stated by the three built-in theorems shown below. \begin{hol} \index{SUBSET\_TRANS@{\ptt SUBSET\_TRANS}} \index{SUBSET\_REFL@{\ptt SUBSET\_REFL}} \index{SUBSET\_ANTISYM@{\ptt SUBSET\_ANTISYM}} \begin{verbatim} SUBSET_REFL |- !s. s SUBSET s SUBSET_TRANS |- !s t u. s SUBSET t /\ t SUBSET u ==> s SUBSET u SUBSET_ANTISYM |- !s t. s SUBSET t /\ t SUBSET s ==> (s = t) \end{verbatim}\end{hol} \noindent Also provided are built-in theorems about the relationship between set inclusion and other constants or operations on sets. For example, there are the following facts about set inclusion and the empty and universal sets: \begin{hol} \index{EMPTY\_SUBSET@{\ptt EMPTY\_SUBSET}} \index{SUBSET\_UNIV@{\ptt SUBSET\_UNIV}} \index{NOT\_PSUBSET\_EMPTY@{\ptt NOT\_PSUBSET\_EMPTY}} \index{NOT\_UNIV\_PSUBSET@{\ptt NOT\_UNIV\_PSUBSET}} \begin{verbatim} EMPTY_SUBSET |- !s. {} SUBSET s SUBSET_UNIV |- !s. s SUBSET UNIV NOT_PSUBSET_EMPTY |- !s. ~s PSUBSET {} NOT_UNIV_PSUBSET |- !s. ~UNIV PSUBSET s \end{verbatim}\end{hol} \noindent As\index{naming conventions!for theorems generally|(} these examples illustrate, the names of theorems in the \ml{pred\_sets} library are generally constructed from the names of the constants they contain. Furthermore, the ordering of elements in the name of a theorem attempts to reflect the content of the theorem itself.\index{naming conventions!for theorems generally|)} \section{Union, intersection, and set difference} The binary operations of union, intersection and set difference are all defined using the set abstraction notation introduced above in section~\ref{abst}. The formal definitions are: \begin{hol} \index{definition!of UNION@of {\ptt UNION}} \index{UNION\_DEF@{\ptt UNION\_DEF}} \index{definition!of INTER@of {\ptt INTER}} \index{INTER\_DEF@{\ptt INTER\_DEF}} \index{definition!of DIFF@of {\ptt DIFF}} \index{DIFF\_DEF@{\ptt DIFF\_DEF}} \begin{verbatim} UNION_DEF |- !s t. s UNION t = {x | x IN s \/ x IN t} INTER_DEF |- !s t. s INTER t = {x | x IN s /\ x IN t} DIFF_DEF |- !s t. s DIFF t = {x | x IN s /\ ~x IN t} \end{verbatim}\end{hol} \noindent These definitions illustrate the practical utility of the scheme for variable binding in set abstractions discussed above in section~\ref{abst}. An abstraction {\small\verb!"{!$E$\verb! | !$P$\verb!}"!} binds only the variables that occur in both {\small $E$} and {\small $P$}, and the variables \ml{s} and \ml{t} in the set abstractions shown above may therefore be made parameters to the sets\pagebreak[3] constructed by them. Using \ml{SET\_EQ\_CONV}, it is trivial to derive the following membership conditions for \ml{UNION}, \ml{INTER} and \ml{DIFF} from the definitions given above. As\index{naming conventions!for membership conditions|(} a general rule, theorems stating membership conditions of the kind illustrated by these examples are given names of the form {\small\verb!IN_!$\langle\hbox{\it constant\/}\rangle$} ending in the name of the operation used to construct the set in question.\index{naming conventions!for membership conditions|)} \begin{hol} \index{IN\_UNION@{\ptt IN\_UNION}} \index{IN\_INTER@{\ptt IN\_INTER}} \index{IN\_DIFF@{\ptt IN\_DIFF}} \begin{verbatim} IN_UNION |- !s t x. x IN (s UNION t) = x IN s \/ x IN t IN_INTER |- !s t x. x IN (s INTER t) = x IN s /\ x IN t IN_DIFF |- !s t x. x IN (s DIFF t) = x IN s /\ ~x IN t \end{verbatim}\end{hol} \noindent These theorems, which are saved in the library under the names indicated above, may in practice be used as the defining properties of union, intersection and set difference; users should almost never have to appeal directly to the definitions of these operations. Other built-in theorems about \ml{UNION}, \ml{INTER} and \ml{DIFF} may be found in chapter~\ref{theorems}. \section{Disjoint sets} Two sets are {\it disjoint\/} if they have no elements in common. This concept is formalized in the \ml{pred\_sets} library by the constant \ml{DISJOINT}, the definition of which is: \begin{hol} \index{definition!of DISJOINT@of {\ptt DISJOINT}} \index{DISJOINT\_DEF@{\ptt DISJOINT\_DEF}} \begin{verbatim} DISJOINT_DEF |- !s t. DISJOINT s t = (s INTER t = {}) \end{verbatim}\end{hol} \noindent At present, there are relatively few pre-proved theorems about the \ml{DISJOINT} relation in the library. But see chapter~\ref{theorems} for the few theorems about \ml{DISJOINT} that are in fact available in the \ml{pred\_sets} library. \section{Insertion and deletion of an element} To aid in the construction of particular sets of values (especially finite sets) the library contains definitions of two constants \ml{INSERT} and \ml{DELETE}. These denote the operations of augmenting a set with a given value and removing a value from a set, respectively. The formal definitions of these operations are: \begin{hol} \index{definition!of INSERT@of {\ptt INSERT}} \index{INSERT\_DEF@{\ptt INSERT\_DEF}} \index{definition!of DELETE@of {\ptt DELETE}} \index{DELETE\_DEF@{\ptt DELETE\_DEF}} \begin{verbatim} INSERT_DEF |- !x s. x INSERT s = {y | (y = x) \/ y IN s} DELETE_DEF |- !s x. s DELETE x = s DIFF (INSERT x EMPTY) \end{verbatim}\end{hol} \noindent The elements of the set denoted by {\small\verb!x INSERT s!} are all the elements of the set \ml{s} together with the value \ml{x}, which may or may not be an element of \ml{s} itself. The set denoted by {\small\verb!s DELETE x!} contains all the elements of \ml{s} except the value \ml{x}. {\samepage The membership conditions for sets constructed using \ml{INSERT} and \ml{DELETE} are given by the following pre-proved theorems: \begin{hol} \index{IN\_INSERT@{\ptt IN\_INSERT}} \index{IN\_DELETE@{\ptt IN\_DELETE}} \begin{verbatim} IN_INSERT |- !x y s. x IN (y INSERT s) = (x = y) \/ x IN s IN_DELETE |- !s x y. x IN (s DELETE y) = x IN s /\ ~(x = y) \end{verbatim}\end{hol} \noindent In addition, the library} contains a substantial collection of theorems about the relationship between the operations \ml{INSERT} and \ml{DELETE} and other relations and operations on sets. Chapter~\ref{theorems} gives a complete list of these theorems. \subsection{Parser and pretty-printer support}\label{finite} The \ml{pred\_sets} library provides special parser and pretty-printer support for finite sets that are constructed by enumeration of their elements. This notation is introduced by a call made when the library is loaded to the built-in \ML\ function \ml{define\_finite\_set\_syntax}% \index{define\_finite\_set\_syntax@{\ptt define\_finite\_set\_syntax}} (see~\cite{description} for details of this function). This has the effect of extending the \HOL\ parser so that a quotation of the form {\small\verb!"{!\tt$t_1$,$t_2$,\dots,$t_n$\verb!}"!} parses to the following set built up from \ml{EMPTY} by repeatedly using the function \ml{INSERT}: \begin{hol} \begin{alltt} INSERT \m{t\sb{1}} (INSERT \m{t\sb{2}} \dots (INSERT \m{t\sb{n}} EMPTY)\dots) \end{alltt}\end{hol} \noindent Note that the quotation {\small\verb!"{}"!} just parses to the constant \ml{EMPTY}. When the \ml{print\_set}\index{print\_set@{\ptt print\_set} (flag)} flag is \ml{true}, the \HOL\ pretty-printer for terms inverts this transformation. Users should note that care must be taken with regard to the precedence of comma in a context {\small\verb!"{!\dots\verb!}"!}, as the following session illustrates: \setcounter{sessioncount}{1} \begin{session} \begin{verbatim} #set_flag(`print_set`,false);; true : bool #"{1,2,3,4}";; "1 INSERT (2 INSERT (3 INSERT (4 INSERT EMPTY)))" : term #"{(1,2),(3,4)}";; "(1,2) INSERT ((3,4) INSERT EMPTY)" : term #"{((1,2),(3,4))}";; "((1,2),3,4) INSERT EMPTY" : term \end{verbatim}\end{session} \noindent Different grouping by means of enclosing parentheses has given sets with four elements (each a number), two elements (each of which is a pair), and one element (a pair of pairs) respectively. \subsection{Conversions for enumerated finite sets} The \ml{pred\_sets} library provides a collection of optimized conversions for computing the results of operations and predicates on finite sets specified by enumeration of their elements. All these conversions, the current implementations of which are somewhat experimental, are designed to work only for finite sets of the form {\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!}"!}. The sections that follow describe most of these conversions; the remainder are discussed in later sections of this manual. \subsubsection{Membership}\label{inconv} The\index{IN\_CONV@{\ptt IN\_CONV}|(}% \index{conversions!IN\_CONV@{\ptt IN\_CONV}|(} most basic conversion for finite sets is a decision procedure for membership called \ml{IN\_CONV}. In general, a way of deciding equality of elements is needed in order to determine whether a given value is an element of a particular finite set. The function \begin{hol} \begin{verbatim} IN_CONV : conv -> conv \end{verbatim}\end{hol} \noindent must therefore be supplied with a conversion that implements a decision procedure for equality of set elements. It is assumed that this conversion will map equations {\small\tt"$e_1$ = $e_2$"} between elements of a base type \ml{ty} to the theorem {\small\tt |- ($e_1$ = $e_2$) = T} or to the theorem {\small\tt |- ($e_1$ = $e_2$) = F}, as appropriate. If \ml{conv} is an equality conversion of the kind described above, then the function returned by \ml{IN\_CONV conv} is a conversion that decides membership in finite sets of values of the base type \ml{ty}. In particular, a call: \begin{hol} \begin{alltt} IN\_CONV conv "\m{t} IN \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb" \end{alltt}\end{hol} \noindent returns the theorem \begin{hol} \begin{alltt} |- \m{t} IN \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb = T \end{alltt}\end{hol} \noindent if the term $t$ is alpha-equivalent to some term $t_i$ or if the supplied conversion \ml{conv} proves {\tt |- ($t$ = $t_i$) = T} for some $i$ where $1 \leq i \leq n$. If, on the other hand \ml{conv} proves the theorem {\tt |- ($t$ = $t_i$) = F} for all $i$ where $1 \leq i \leq n$, then the result is the theorem \begin{hol} \begin{alltt} |- \m{t} IN \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb = F \end{alltt}\end{hol} \noindent In all other cases, the call to \ml{IN\_CONV} shown above will fail. The following session shows how \ml{IN\_CONV} can be used in practice. \setcounter{sessioncount}{1} \begin{session} \begin{verbatim} #IN_CONV num_EQ_CONV "1 IN {2,1,3}";; |- 1 IN {2,1,3} = T #IN_CONV num_EQ_CONV "4 IN {2,1,3}";; |- 4 IN {2,1,3} = F \end{verbatim}\end{session} \noindent The built-in conversion \ml{num\_EQ\_CONV} is used here to decide equality of the natural numbers involved in the membership assertions\pagebreak[3] being proved. An example in which \ml{IN\_CONV} fails is the following: \begin{session} \begin{verbatim} #IN_CONV num_EQ_CONV "x IN {1,2,3}";; evaluation failed IN_CONV #num_EQ_CONV "x = 1";; evaluation failed num_EQ_CONV \end{verbatim}\end{session} \noindent Failure occurs in this case because the term \ml{x} is a variable, and \ml{num\_EQ\_CONV} therefore cannot determine if it is equal to any of the set elements \ml{1}, \ml{2} or \ml{3}. Note, however, that the supplied conversion is not required to prove anything if the value being tested for membership happens to be syntactically identical to an element of the given set: \begin{session} \begin{verbatim} #IN_CONV NO_CONV "x IN {1,x,3}";; |- x IN {1,x,3} = T \end{verbatim}\end{session} \noindent In this case, the supplied conversion, namely \ml{NO\_CONV}, always fails; but the call to \ml{IN\_CONV} nonetheless succeeds and returns the appropriate result.\index{IN\_CONV@{\ptt IN\_CONV}|)}% \index{conversions!IN\_CONV@{\ptt IN\_CONV}|)} \subsubsection{Union} The\index{UNION\_CONV@{\ptt UNION\_CONV}|(}% \index{conversions!UNION\_CONV@{\ptt UNION\_CONV}|(} \ml{pred\_sets} library contains a conversion \begin{hol} \begin{verbatim} UNION_CONV : conv -> conv \end{verbatim}\end{hol} \noindent that can be used to compute the union of two finite sets. The first argument to \ml{UNION\_CONV} (i.e.\ the conversion argument) is expected to be an equality conversion of the same kind required as an argument by \ml{IN\_CONV} (see section~\ref{inconv}). As will be seen below, this conversion is used by \ml{UNION\_CONV} to simplify the set that it computes as the result of taking the union of two finite sets. Given an equality conversion \ml{conv}, the function \ml{UNION\_CONV} returns a conversion that computes the union of a finite set {\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!}"!} and another set {\small$s$}. The second set {\small$s$} in fact need not be finite. Ignoring, for the moment, the possible simplification done using the supplied conversion \ml{conv}, a call: \begin{hol}\begin{alltt} UNION\_CONV conv "\lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb UNION \m{s}" \end{alltt}\end{hol} \noindent just returns the theorem \begin{hol}\begin{alltt} |- \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb UNION \m{s} = \m{t\sb{1}} INSERT (\m{\dots} (\m{t\sb{n}} INSERT \m{s})\m{\dots}) \end{alltt}\end{hol} \noindent That is, \ml{UNION\_CONV} computes the required union as a repeated insertion of values into the set {\small$s$}.\pagebreak[3] When {\small$s$} is a finite set of the form {\small\verb!"{!\tt$u_1$,\dots,$u_m$\verb!}"!}, the {\samepage resulting theorem will have the form shown below. \begin{hol} \begin{alltt} |- \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb UNION \lb\m{u\sb{1}},\dots,\m{u\sb{m}}\rb = \lb\m{t\sb{1}},\m{\dots},\m{t\sb{n}},\m{u\sb{1}},\m{\dots},\m{u\sb{m}}\rb \end{alltt}\end{hol} \noindent When computing} theorems of this form (i.e.\ when the second set of the union is a finite set {\small\verb!"{!\tt$u_1$,\dots,$u_m$\verb!}"!}) the function \ml{UNION\_CONV} attempts to remove redundant elements in the resulting set using the supplied equality conversion \ml{conv}. In particular, if \ml{conv} is able to prove that some element {\small$t_i$} of {\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!}"!} is equal to any element {\small$u_j$} of {\small\verb!"{!\tt$u_1$,\dots,$u_m$\verb!}"!}, that is if the conversion \ml{conv} maps the term {\small\verb!"!$t_i$\verb! = !$u_j$\verb!"!} to the theorem {\small\verb!|- (!$t_i$\verb! = !$u_j$\verb!) = T!}, then the resulting theorem will be \begin{hol} \begin{alltt} |- \lb\m{t\sb{1}},\dots\m{t\sb{i}},\dots,\m{t\sb{n}}\rb UNION \lb\m{u\sb{1}},\dots,\m{u\sb{j}},\dots,\m{u\sb{m}}\rb = \lb\m{t\sb{1}},\m{\dots},\m{t\sb{n}},\m{u\sb{1}},\dots,\m{u\sb{j}},\dots,\m{u\sb{m}}\rb \end{alltt}\end{hol} \noindent That is, the redundant term \m{t_i} will be removed from the initial sequence of elements in the resulting finite set. The function \ml{UNION\_CONV} also checks for and eliminates alpha-equivalent elements. Some examples of \ml{UNION\_CONV} in use are shown in the following \HOL\ session: \begin{session} \begin{verbatim} #UNION_CONV NO_CONV "{1,2,3} UNION {4,5,6}";; |- {1,2,3} UNION {4,5,6} = {1,2,3,4,5,6} #UNION_CONV NO_CONV "{1,2,3} UNION {3,2,SUC 0}";; |- {1,2,3} UNION {3,2,SUC 0} = {1,3,2,SUC 0} \end{verbatim}\end{session} \noindent The supplied equality conversion in these examples is \ml{NO\_CONV}, and only the elements of the first set {\small\verb!{1,2,3}!} that are redundant by virtue of being alpha-equivalent to elements of the second set are eliminated from the resulting set. An example in which the equality conversion is actually used is: \begin{session} \begin{verbatim} #UNION_CONV num_EQ_CONV "{1,2,3} UNION {3,2,SUC 0}";; |- {1,2,3} UNION {3,2,SUC 0} = {3,2,SUC 0} \end{verbatim}\end{session} \noindent In this case, \ml{num\_EQ\_CONV} is used to prove that {\small\verb!1!} is equal to {\small\verb!SUC 0!}, so that the resulting union is the set {\small\verb!"{3,2,SUC 0}"!}, rather than {\small\verb!"{1,3,2,SUC 0}!"}.\index{UNION\_CONV@{\ptt UNION\_CONV}|)}% \index{conversions!UNION\_CONV@{\ptt UNION\_CONV}|)} \subsubsection{Insertion} The\index{INSERT\_CONV@{\ptt INSERT\_CONV}|(}% \index{conversions!INSERT\_CONV@{\ptt INSERT\_CONV}|(} conversion \ml{INSERT\_CONV} performs the following reduction on finite sets: \begin{hol} \begin{alltt} {\normalsize\rm reduce}\quad"\m{t} INSERT \lb\m{t\sb{1}},\dots,\m{t\sb{i}},\dots,\m{t\sb{n}}\rb"\quad\m{\normalsize\rm to}\quad"\lb\m{t\sb{1}},\dots,\m{t\sb{i}},\dots,\m{t\sb{n}}\rb" \end{alltt}\end{hol} \noindent if a supplied equality conversion can prove {\small\verb!|- (!$t$\verb! = !$t_i$\verb!) = T!}. Since the enumerated set notation {\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!}"!} is just a parser-supported abbreviation (see section~\ref{finite}), this is equivalent to reducing the set {\small\verb!"{!\tt$t$,$t_1$,\dots,$t_i$,\dots,$t_n$\verb!}"!} to {\small\verb!"{!\tt$t_1$,\dots,$t_i$,\dots,$t_n$\verb!}"!} when the terms {\small$t$} and {\small$t_i$} are provably equal.\pagebreak[3] More specifically, if for some {\small$t_i$} in {\small\verb!{!$t_1$\verb!,!\dots\verb!,!$t_n$\verb!}!}, the terms {\small$t$} and {\small$t_i$} are alpha-equivalent, of if the conversion \ml{conv} maps {\small\verb!"!$t$\verb! = !$t_i$\verb!"!} to the theorem {\small\verb!|- (!$t$\verb! = !$t_i$\verb!) = T!}, then the call: \begin{hol} \begin{alltt} INSERT\_CONV conv "\m{t} INSERT \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb";; \end{alltt}\end{hol} \noindent will return the theorem: \begin{hol} \begin{alltt} |- \m{t} INSERT \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb = \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb \end{alltt}\end{hol} Here is an example of \ml{INSERT\_CONV} in use: \setcounter{sessioncount}{1} \begin{session} \begin{verbatim} #INSERT_CONV num_EQ_CONV "(SUC 2) INSERT {0,1,2,3}";; |- {SUC 2,0,1,2,3} = {0,1,2,3} \end{verbatim}\end{session} When applied repeatedly, \ml{INSERT\_CONV} can be used to reduce finite sets by eliminating as many redundant occurrences of elements as possible. An easy to program, but slow-running, way of doing this is to use \ml{DEPTH\_CONV}: \begin{session} \begin{verbatim} #DEPTH_CONV (INSERT_CONV num_EQ_CONV) "{1,3,x,SUC 1,SUC(SUC 1),2,1,3,x}";; |- {1,3,x,SUC 1,SUC(SUC 1),2,1,3,x} = {2,1,3,x} \end{verbatim}\end{session} \noindent For a faster alternative to this method, see the reference entry for \ml{INSERT\_CONV} in chapter~\ref{entries}.\index{INSERT\_CONV@{\ptt INSERT\_CONV}|)}% \index{conversions!INSERT\_CONV@{\ptt INSERT\_CONV}|)} \subsubsection{Deletion} The\index{DELETE\_CONV@{\ptt DELETE\_CONV}|(}% \index{conversions!DELETE\_CONV@{\ptt DELETE\_CONV}|(} conversion \ml{DELETE\_CONV} reduces terms of the form {\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!} DELETE !$t$\verb!"!} by deleting all elements provably equal to {\small$t$} from the set {\small\verb!{!\tt$t_1$,\dots,$t_n$\verb!}!}. Like \ml{IN\_CONV} and \ml{INSERT\_CONV}, the function \ml{DELETE\_CONV} takes a conversion for deciding equality of set elements as an argument. If \ml{conv} is such a conversion, the call: \begin{hol}\begin{alltt} DELETE\_CONV conv "\lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb DELETE \m{t}";; \end{alltt}\end{hol} \noindent will return the theorem: \begin{hol}\begin{alltt} |- \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb DELETE \m{t} = \lb\m{t\sb{i}},\dots,\m{t\sb{j}}\rb \end{alltt}\end{hol} \noindent where the resulting set {\small\verb!{!\tt$t_i$,\dots,$t_j$\verb!}!} is the set of all values {\small$t_k$} in the original set {\small\verb!{!\tt$t_1$,\dots,$t_n$\verb!}!} for which \ml{conv} proves {\tt |- ($t_k$ = $t$) = F}, and where for all {\small$t_k$} in {\small\verb!{!\tt$t_1$,\dots,$t_n$\verb!}!} but not in {\small\verb!{!\tt$t_i$,\dots,$t_j$\verb!}!}, either {\small$t_k$} is alpha-equivalent to {\small$t$} or \ml{conv} proves {\tt |- ($t_k$ = $t$) = T}. Note that the conversion \ml{conv} must prove either equality or inequality for every element of the original set that is not simply alpha-equivalent to the deleted value. The following session shows \ml{DELETE\_CONV} in use: \setcounter{sessioncount}{1} \begin{session} \begin{verbatim} #DELETE_CONV num_EQ_CONV "{0,1,2,3} DELETE (SUC 1)";; |- {0,1,2,3} DELETE (SUC 1) = {0,1,3} \end{verbatim}\end{session}% \index{DELETE\_CONV@{\ptt DELETE\_CONV}|)}% \index{conversions!DELETE\_CONV@{\ptt DELETE\_CONV}|)} \section{Singleton sets} A {\it singleton\/} set is a set that contains precisely one element. In the \ml{pred\_sets} library, the property of being a singleton set is expressed by the definition: \begin{hol} \index{definition!of SING@of {\ptt SING}} \index{SING\_DEF@{\ptt SING\_DEF}} \begin{verbatim} SING_DEF |- !s. SING s = (?x. s = {x}) \end{verbatim}\end{hol} \noindent The library contains several built-in theorems about singleton sets. These are sometimes expressed in terms of the predicate \ml{SING}, as for example in the theorem \begin{hol} \index{SING@{\ptt SING}} \begin{verbatim} SING |- !x. SING{x} \end{verbatim}\end{hol} \noindent But properties of singleton sets are more usually formulated as theorems about sets of the form `{\small\verb"{x}"}'. For example, the built-in theorems about singleton sets include: \begin{hol} \index{SING@{\ptt SING}} \begin{verbatim} NOT_SING_EMPTY |- !x. ~({x} = {}) IN_SING |- !x y. x IN {y} = (x = y) EQUAL_SING |- !x y. ({x} = {y}) = (x = y) \end{verbatim}\end{hol} \noindent A\index{naming conventions!for theorems about singletons|(} general convention is that theorems about singleton sets are given names that contain the element `\ml{SING}', regardless of whether or not they actually contain the predicate \ml{SING}.\index{naming conventions!for theorems about singletons|)} \section{The {\tt CHOICE} and {\tt REST} functions} The \ml{pred\_sets} library contains the definition of a functions \ml{CHOICE} which can be used to select an arbitrary element from a non-empty set. The function \ml{CHOICE} is defined formally by the following constant specification: \begin{hol} \index{definition!of CHOICE@of {\ptt CHOICE}} \index{CHOICE\_DEF@{\ptt CHOICE\_DEF}} \begin{verbatim} CHOICE_DEF |- !s. ~(s = {}) ==> (CHOICE s) IN s \end{verbatim}\end{hol} \noindent This theorem alone is the defining property for the constant \ml{CHOICE}, which is therefore an only partially specified function from sets to values. Note, in particular, that there is no information given by this definition about the result of applying \ml{CHOICE} to an empty set. The library also contains a function \ml{REST}, which is defined in terms of the \ml{CHOICE} function as follows \begin{hol} \index{definition!of REST@of {\ptt REST}} \index{REST\_DEF@{\ptt REST\_DEF}} \begin{verbatim} REST_DEF |- !s. REST s = s DELETE (CHOICE s) \end{verbatim}\end{hol} \noindent For any non-empty set \ml{s}, the set \ml{REST s} comprises all those elements of \ml{s} except the value selected from \ml{s} by \ml{CHOICE}. The library contains various built-in theorems about the functions \ml{CHOICE} and \ml{REST}; for a full list of these theorems, see chapter~\ref{theorems}. \section{Image of a function on a set} The {\it image\/} of a function {\small\verb!f:'a->'b!} on a set {\small\verb!s:'a->bool!} is the set of values {\small\verb!f(x)!} for all \ml{x} in \ml{s}. In the \ml{pred\_sets} library, the image of a function on a set is defined in terms of the obvious set abstraction: \begin{hol} \index{definition!of IMAGE@of {\ptt IMAGE}} \index{IMAGE\_DEF@{\ptt IMAGE\_DEF}} \begin{verbatim} IMAGE_DEF |- !f s. IMAGE f s = {f x | x IN s} \end{verbatim}\end{hol} \noindent Using \ml{SET\_SPEC\_CONV}, is trivial to prove from this definition the following membership condition for sets constructed using \ml{IMAGE}: \begin{hol} \index{IN\_IMAGE@{\ptt IN\_IMAGE}} \begin{verbatim} IN_IMAGE |- !y s f. y IN (IMAGE f s) = (?x. (y = f x) /\ x IN s) \end{verbatim}\end{hol} \noindent The \ml{pred\_sets} library contains various theorems about \ml{IMAGE} in addition to this membership theorem. These include, for example, theorems about the image of a function on sets constructed by the operations of union and intersection. For a full list of theorems about \ml{IMAGE}, see chapter~\ref{theorems}. \subsection{Theorem-proving support} The\index{IMAGE\_CONV@{\ptt IMAGE\_CONV}|(}% \index{conversions!IMAGE\_CONV@{\ptt IMAGE\_CONV}|(} \ml{pred\_sets} library contains a conversion for computing the image of a function {\small\verb!f!} on a finite set {\small\verb!{!\tt$t_1$,\dots,$t_n$\verb!}!}. The function \begin{hol} \begin{verbatim} IMAGE_CONV : conv -> conv -> conv \end{verbatim}\end{hol} \noindent is parameterized by two conversions. The first conversion is expected to compute the result of applying the function {\small\verb!f!} to each element {\small$t_1$}, \dots, {\small $t_n$}. The second parameter is an equality conversion which is used to simplify the resulting image set by removing redundant occurrences of its elements. The following session shows a simple example of the use of \ml{IMAGE\_CONV} on terms of the form {\small\tt\verb!"IMAGE (\x.x+2) {!$t_1$,\dots,$t_n$\verb!}"!}. We first define a conversion that evaluates the result of applying the function {\small\verb!(\x.x+2)!} to a term {\small$t$}. \setcounter{sessioncount}{1} \begin{session} \begin{verbatim} - val AP_CONV = BETA_CONV THENC (TRY_CONV ADD_CONV);; AP_CONV = - : conv - AP_CONV ``(\n.n+2) 7``; |- (\n. n + 2)7 = 9 \end{verbatim}\end{session} \noindent This conversion, together with the function \ml{IMAGE\_CONV}, gives a conversion for computing the image of {\small\verb!(\x.x+2)!} on a finite set of numerical values. \begin{session} \begin{verbatim} - IMAGE_CONV AP_CONV NO_CONV ``IMAGE (\x.x+2) {1;2;3;4}``; val it = |- IMAGE(\x. x + 2){1;2;3;4} = {3;4;5;6} : thm - IMAGE_CONV AP_CONV NO_CONV ``IMAGE (\x.x+2) {n;1;n}``; val it = |- IMAGE(\x. x + 2){n;1;n} = {3;n + 2} : thm \end{verbatim}\end{session} \noindent In this case, the second parameter supplied to \ml{IMAGE\_CONV} is the conversion \ml{NO\_CONV}. This means that no reduction of the resulting image set is done, beyond the elimination of elements that are provably redundant by virtue of being alpha-equivalent to some other element (as in the second example above). The following session illustrates the use of the second parameter to \ml{IMAGE\_CONV}. \begin{session} \begin{verbatim} #IMAGE_CONV BETA_CONV NO_CONV "IMAGE (\x. SUC x) {1,SUC 0,2,0}";; |- IMAGE(\x. SUC x){1,SUC 0,2,0} = {SUC 1,SUC(SUC 0),SUC 2,SUC 0} #IMAGE_CONV BETA_CONV num_EQ_CONV "IMAGE (\x. SUC x) {1,SUC 0,2,0}";; |- IMAGE(\x. SUC x){1,SUC 0,2,0} = {SUC(SUC 0),SUC 2,SUC 0} \end{verbatim}\end{session} \noindent In the first evaluation, just applying \ml{BETA\_CONV} to the application of {\small\verb!(\x. SUC x)!} to each element has resulted in an image set containing both {\small\verb!SUC 1!} and {\small\verb!SUC(SUC 0)!}. In the second example, \ml{num\_EQ\_CONV} is used to prove these values equal, and therefore to simplify the resulting set by eliminating one of them from it. For more detail about \ml{IMAGE\_CONV}, see the reference entry for this conversion in chapter~\ref{entries}.\index{IMAGE\_CONV@{\ptt IMAGE\_CONV}|)}% \index{conversions!IMAGE\_CONV@{\ptt IMAGE\_CONV}|)} \section{Mappings between sets} The \ml{pred\_sets} library contains a few basic definitions and theorems having to do with mappings between sets. A function \ml{f:'a->'b} is an {\it injective\/} (one-to-one) mapping from a set {\small\verb!s:'a->bool!} to a set {\small\verb!t:'b->bool!} if it takes distinct elements of the set \ml{s} to distinct element of the set \ml{t}: \begin{hol} \index{definition!of INJ@of {\ptt INJ}} \index{INJ\_DEF@{\ptt INJ\_DEF}} \begin{verbatim} INJ_DEF = |- !f s t. INJ f s t = (!x. x IN s ==> (f x) IN t) /\ (!x y. x IN s /\ y IN s ==> (f x = f y) ==> (x = y)) \end{verbatim}\end{hol} \noindent Likewise, a function \ml{f:'a->'b} is a {\it surjective\/} (onto) mapping from \ml{s} to \ml{t} if for every element \ml{x} of \ml{t} there is some element \ml{y} of \ml{s} for which {\small\verb!f y = x!}: \begin{hol} \index{definition!of SURJ@of {\ptt SURJ}} \index{SURJ\_DEF@{\ptt SURJ\_DEF}} \begin{verbatim} SURJ_DEF = |- !f s t. SURJ f s t = (!x. x IN s ==> (f x) IN t) /\ (!x. x IN t ==> (?y. y IN s /\ (f y = x))) \end{verbatim}\end{hol} \noindent Finally, a function \ml{f:'a->'b} is a {\it bijection\/} from \ml{s} to \ml{t} if it is both injective and surjective: \begin{hol} \index{definition!of BIJ@of {\ptt BIJ}} \index{BIJ\_DEF@{\ptt BIJ\_DEF}} \begin{verbatim} BIJ_DEF = |- !f s t. BIJ f s t = INJ f s t /\ SURJ f s t \end{verbatim}\end{hol} There are a few pre-proved theorems about the predicates \ml{INJ}, \ml{SURJ}, and \ml{BIJ} available in the library; see chapter~\ref{theorems} for a full list of these theorems. The library also contains constant specifications for two functions \ml{LINV} and \ml{RINV}, which yield left and right inverses to injective and surjective mappings respectively. These functions are defined by: \begin{hol} \index{definition!of LINV@of {\ptt LINV}} \index{LINV\_DEF@{\ptt LINV\_DEF}} \index{definition!of RINV@of {\ptt RINV}} \index{RINV\_DEF@{\ptt RINV\_DEF}} \begin{verbatim} LINV_DEF = |- !f s t. INJ f s t ==> (!x. x IN s ==> (LINV f s(f x) = x)) RINV_DEF = |- !f s t. SURJ f s t ==> (!x. x IN t ==> (f(RINV f s x) = x)) \end{verbatim}\end{hol} \noindent There are, at present, no additional built-in theorems about these two functions. Furthermore, the definitions of \ml{LINV} and \ml{RINV} shown above should be regarded as only provisional; they may be changed in future versions. \section{Finite and infinite sets} The \ml{pred\_sets} library includes the definition of a predicate called \ml{FINITE}, which is true of finite sets and false of infinite ones. The definition of this constant is shown below. \begin{hol} \index{definition!of FINITE@of {\ptt FINITE}} \index{FINITE\_DEF@{\ptt FINITE\_DEF}} \begin{verbatim} FINITE_DEF |- !s. FINITE s = (!P. P{} /\ (!s'. P s' ==> (!e. P(e INSERT s'))) ==> P s) \end{verbatim}\end{hol} \noindent That is, a set \ml{s} is finite precisely when it is in the smallest class of sets that contains the empty set and is closed under the \ml{INSERT} operation. This inductive definition makes \ml{FINITE} true of just those sets that can be constructed from the empty set by a finite sequence of applications of the \ml{INSERT} operation. The \ml{pred\_sets} library contains various built-in theorems that follow from the definition of \ml{FINITE} given above. Among these are the two fundamental theorems shown below: \begin{hol} \index{FINITE\_EMPTY@{\ptt FINITE\_EMPTY}} \index{FINITE\_INSERT@{\ptt FINITE\_INSERT}} \begin{verbatim} FINITE_EMPTY |- FINITE{} FINITE_INSERT |- !x s. FINITE(x INSERT s) = FINITE s \end{verbatim}\end{hol} \noindent These state that the empty set is indeed finite and insertion constructs finite sets only from other finite sets. See chapter~\ref{theorems} for other built-in theorems about finite sets. The above definition of \ml{FINITE} formalizes the notion of a finite set in logic, and it therefore also determines the form of definition for the complementary notion of an infinite set. In the \ml{pred\_sets} library, the predicate \ml{INFINITE} is defined as follows: \begin{hol} \index{definition!of INFINITE@of {\ptt INFINITE}} \index{INFINITE\_DEF@{\ptt INFINITE\_DEF}} \begin{verbatim} INFINITE_DEF |- !s. INFINITE s = ~FINITE s \end{verbatim}\end{hol} \noindent There are a few consequences of this definition stored in the \ml{pred\_sets} library. The following theorem, for example, states that the image of an injective function on an infinite set is infinite: \begin{hol} \index{IMAGE\_11\_INFINITE@{\ptt IMAGE\_11\_INFINITE}} \begin{verbatim} IMAGE_11_INFINITE |- !f. (!x y. (f x = f y) ==> (x = y)) ==> (!s. INFINITE s ==> INFINITE(IMAGE f s)) \end{verbatim}\end{hol} \noindent Other built-in theorems about \ml{INFINITE} can be found in chapter~\ref{theorems}. \subsection{Theorem-proving support} There are two \ML\ functions in the \ml{pred\_sets} library for reasoning about propositions that involve the finiteness predicate \ml{FINITE}. The\index{FINITE\_CONV@{\ptt FINITE\_CONV}|(} \index{conversions!FINITE\_CONV@{\ptt FINITE\_CONV}|(} first of these is a conversion \ml{FINITE\_CONV} which automatically proves that sets of the form {\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!}"!} are finite. Evaluating \begin{hol} \begin{alltt} FINITE\_CONV "FINITE \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb";; \end{alltt}\end{hol} \noindent yields the theorem {\small\verb!|- FINITE {!\tt$t_1$,\dots,$t_n$\verb!} = T!}.% \index{FINITE\_CONV@{\ptt FINITE\_CONV}|)}% \index{conversions!FINITE\_CONV@{\ptt FINITE\_CONV}|)} The\index{SET\_INDUCT\_TAC@{\ptt SET\_INDUCT\_TAC}|(} \index{tactics!SET\_INDUCT\_TAC@{\ptt SET\_INDUCT\_TAC}|(} second \ML\ function for reasoning about the predicate \ml{FINITE} is an induction tactic called \ml{SET\_INDUCT\_TAC}. When applied to a goal of the form {\small\verb!"!!$s$\verb!. FINITE !$s$\verb! ==> !$P$\verb!"!}, this tactic reduces it to proving that the property of sets expressed by {\small\verb!\!$s$\verb!.!$P$} holds of the empty set and is preserved by the insertion of an element into an arbitrary finite set. Since every finite set can be built up from the empty set by repeated insertion of values, these subgoals imply that this property holds of all finite sets. The following session illustrates the use of the tactic \ml{SET\_INDUCT\_TAC} for proving that the intersection of an arbitrary set \ml{t} with a finite set \ml{s} is finite. We first set up an appropriate goal: \setcounter{sessioncount}{1} \begin{session} \begin{verbatim} #g "!s:'a->bool. FINITE s ==> !t. FINITE(s INTER t)";; "!s. FINITE s ==> (!t. FINITE(s INTER t))" () : void \end{verbatim}\end{session} \noindent Expanding with \ml{SET\_INDUCT\_TAC} yields: \begin{session} \begin{verbatim} #expand SET_INDUCT_TAC;; OK.. 2 subgoals "!t. FINITE((e INSERT s) INTER t)" [ "FINITE s" ] [ "!t. FINITE(s INTER t)" ] [ "~e IN s" ] "!t. FINITE({} INTER t)" () : void \end{verbatim}\end{session} \noindent The resulting subgoals are easy to prove, given the two basic theorems \ml{FINITE\_EMPTY} and \ml{FINITE\_INSERT} shown in the previous section. Note that it may be assumed in the step case that the value \ml{e} being inserted into the set \ml{s} is not already an element of \ml{s}.\index{SET\_INDUCT\_TAC@{\ptt SET\_INDUCT\_TAC}|)}% \index{tactics!SET\_INDUCT\_TAC@{\ptt SET\_INDUCT\_TAC}|)} \section{Cardinality of finite sets} The {\it cardinality\/} of a finite set is the number of elements it contains. In the \ml{pred\_sets} library, this is formalized by a constant \ml{CARD} defined by means of the following constant specification: \begin{hol} \index{definition!of CARD@of {\ptt CARD}} \index{CARD\_DEF@{\ptt CARD\_DEF}} \begin{verbatim} CARD_DEF |- (CARD{} = 0) /\ (!s. FINITE s ==> (!x. CARD(x INSERT s) = (x IN s => CARD s | SUC(CARD s)))) \end{verbatim}\end{hol} \noindent This theorem is the sole defining property of \ml{CARD}. Because the equation in the second clause holds only under the assumption that \ml{s} is finite, this form of definition allows nothing significant to be deduced about the cardinality `\ml{CARD s}' of an {\it infinite\/} set \ml{s}. The built-in theorems about cardinality are all restricted to finite sets only, either implicitly as in the theorem: \begin{hol} \index{CARD\_SING@{\ptt CARD\_SING}} \begin{verbatim} CARD_SING |- !x. CARD{x} = 1 \end{verbatim}\end{hol} \noindent or explicitly, as in: \begin{hol} \index{FINITE\_ISO\_NUM@{\ptt FINITE\_ISO\_NUM}} \begin{verbatim} FINITE_ISO_NUM |- !s:'a->bool. FINITE s ==> (?f:num->'a. (!n m. n < (CARD s) /\ m < (CARD s) ==> (f n = f m) ==> (n = m)) /\ (s = {f n | n < (CARD s)})) \end{verbatim}\end{hol} \noindent This second theorem states that the elements of a finite set can always be put into a one-to-one correspondence with the natural numbers less than the set's cardinality---i.e. the elements of a finite set \ml{s} can be numbered \ml{0}, \ml{1}, \dots, {\small\verb!(CARD s)-1!}. Other theorems involving the cardinality function \ml{CARD} can be found in chapter~\ref{theorems}. \section{Using the library}\label{using} The \ml{pred\_sets} library is loaded into a user's \HOL\ session using the function \ml{load\_library} (see the \HOL\ manual for a general description of library loading). The first action in the load sequence is to update the internal \HOL\ search paths. A pathname to the library is added to the search path so that theorems may be autoloaded from the library theory \ml{pred\_sets}; and the \HOL\ help search path is updated with a pathname to online help files for the \ML\ functions in the library. After the search paths are updated, the actions taken by the load sequence for \ml{pred\_sets} depend on the current state of the \HOL\ session. If the system is in draft mode, the library theory \ml{pred\_sets} is added as a new parent to the current theory. If the system is not in draft mode, but the current theory is an ancestor of the \ml{pred\_sets} theory in the library (e.g.\ the user is in a fresh \HOL\ session) then \ml{pred\_sets} is made the current theory. In both cases, the \ML\ functions provided by the library are loaded into \HOL\, and all the theorems in the library (including definitions) are set up to be autoloaded on demand. The parser and pretty-printer for the notation described above in sections~\ref{abst} and~\ref{finite} are then activated, and the \ML\ functions provided by the library for reasoning about sets are loaded. The \ml{pred\_sets} library is then fully loaded into the user's \HOL\ session. \subsection{Example session} The following session shows how the \ml{pred\_sets} library may be loaded using \ml{load\_library}. Suppose, beginning in a fresh \HOL\ session, the user wishes to create a theory \ml{foo} whose parents include the theory \ml{pred\_sets} in the library. This may be done as follows: \setcounter{sessioncount}{1} \begin{session} \begin{alltt} #new_theory `foo`;; () : void #load_library `pred_sets`;; \(\vdots\) Library pred_sets loaded. () : void \end{alltt}\end{session} \noindent Loading the library while drafting the theory \ml{foo} makes the library theory \ml{pred\_sets} into a parent of \ml{foo}. The same effect could have been achieved (in a fresh session) by first loading the library and then creating \ml{foo}: \setcounter{sessioncount}{1} \begin{session} \begin{alltt} #load_library `pred_sets`;; \(\vdots\) Library pred_sets loaded. () : void #new_theory `foo`;; () : void \end{alltt}\end{session} \noindent The theory \ml{pred\_sets} is first made the current theory of the new session. It then automatically becomes a parent of \ml{foo} when this theory is created by \ml{new\_theory}. Now, suppose that \ml{foo} has been created as shown above, and the user does some work in this theory, quits \HOL, and in a later session wishes to load the theory \ml{foo}. This must be done by {\it first\/} loading the \ml{pred\_sets} library and {\it then\/} loading the theory \ml{foo}. \setcounter{sessioncount}{1} \begin{session} \begin{alltt} #load_library `pred_sets`;; \(\vdots\) Library pred_sets loaded. () : void #load_theory `foo`;; Theory foo loaded () : void \end{alltt}\end{session} \noindent This sequence of actions ensures that the system can find the parent theory \ml{pred\_sets} when it comes to load \ml{foo}, since loading the library updates the search path. \subsection{The {\tt load\_pred\_sets} function}% \index{load\_pred\_sets@{\ptt load\_pred\_sets}|(} The \ml{pred\_sets} library may in many cases simply be loaded into the system as illustrated by the examples given above. There are, however, certain situations in which the library cannot be fully loaded at the time when the \ml{load\_library} is used. This occurs when the system is not in draft mode and the current theory is not an ancestor of the theory \ml{pred\_sets}. In this case, loading the library can (and will) update the search paths. But the theory \ml{pred\_sets} can neither be made into a parent of the current theory nor be made the current theory. This means that autoloading from the library can not at this stage be activated; and the \ML\ code in the library can not be loaded into \HOL, since it requires access to some of the theorems in the library. In the situation described above---when the system is not in draft mode and the current theory is not an ancestor of the theory \ml{pred\_sets}---the library load sequence defines an \ML\ function called \ml{load\_pred\_sets} in the current \HOL\ session. If at a future point in the session the \ml{pred\_sets} theory (now accessible via the search path) becomes an ancestor of the current theory, this function can then be used to complete loading of the library. Evaluating {\small\verb!load_pred_sets()!} in such a context loads the \ML\ functions of the \ml{pred\_sets} library into \HOL\ and activates autoloading from its theory files. It also activates the parser and pretty-printer support for set abstractions and finite sets. The function \ml{load\_pred\_sets} fails if the theory \ml{pred\_sets} is not an ancestor of the current \HOL\ theory. Note that the function \ml{load\_pred\_sets} becomes available upon loading the \ml{pred\_sets} library only if the library theory \ml{pred\_sets} at the point of loading the library can neither be made into a new parent (i.e.\ the system is not in draft mode) nor be made the current theory.\index{load\_pred\_sets@{\ptt load\_pred\_sets}|)}