1\chapter{The pred{\und}sets Library} 2 3The \ml{pred\_sets} library contains a theory of predicates regarded as sets. 4A predicate {\small\verb!s:'a->bool!} is considered as a collection or `set' of 5elements of type \ml{'a}, and the standard operations on sets such as union, 6intersection, and set difference are appropriately defined for this 7representation. The library was originally written in 1989 by Ton Kalker. It 8was completely rewritten by the present author for \HOL\ version 2.01 in early 91992. The aim of this revision was to make the \ml{pred\_sets} library closely 10parallel to the much more developed \HOL\ \ml{sets} library, with the same 11names for constants and theorems and the same form of definitions for 12operations on sets. The present document is itself also adapted from the 13manual for the \ml{sets} library~\cite{melham}. 14 15There is only one theory in the \ml{pred\_sets} library, namely the theory 16`\ml{pred\_set}'. This document explains the logical basis of this theory and 17the theorem-proving support provided by library. The latter includes 18conversions for expanding set specifications and for evaluating various 19operations on finite sets described by enumeration of their elements. The 20library also provides parser and pretty-printer support for terms that denote 21sets. 22 23\section{Membership and the axioms of set theory} 24 25A value \ml{x} is defined to be an element of a set exactly when the 26characteristic predicate of the set is true of \ml{x}. Since sets in the 27\ml{pred\_sets} library are just represented by their characteristic 28predicates, this membership relation is straightforward to define as follows: 29 30\begin{hol} 31\index{definition!of IN@of {\ptt IN}} 32\index{SPECIFICATION@{\ptt SPECIFICATION}} 33\begin{verbatim} 34 SPECIFICATION |- !P x. x IN P = P x 35\end{verbatim}\end{hol} 36 37\noindent The infix function constant \ml{IN} defined here constitutes the 38basic language for the entire theory of sets in the \ml{pred\_sets} library; 39all operators and predicates on sets are ultimately defined in terms of this 40one function. 41 42The definition of \ml{IN} shown above loosely corresponds to what is usually 43called the {\it axiom of specification\/}\index{axiom of specification} for 44sets (hence the name \ml{SPECIFICATION}). This axiom states that sets can be 45constructed from predicates that describe or `specify' their elements. A value 46is an element of the constructed set exactly when the predicate is true of that 47value. Since sets and predicates are identical in the \ml{pred\_sets} library, 48we can simply say that \ml{x} is in the `set' \ml{P} exactly when 49{\small\verb!P x!} holds. 50 51The definition of \ml{IN} is one of two fundamental theorems in the 52\ml{pred\_sets} library, from which all others are derived. The second of 53these fundamental theorems states what is usually called the {\it axiom of 54extension\/}\index{axiom of extension} for sets. This is not, of course, 55literally an {\it axiom\/} of the \ml{pred\_sets} theory, but rather a theorem 56derived by proof: 57 58\begin{hol} 59\index{EXTENSION@{\ptt EXTENSION}} 60\begin{verbatim} 61 EXTENSION |- !s t. (s = t) <=> (!x. x IN s = x IN t) 62\end{verbatim}\end{hol} 63 64\noindent \ml{EXTENSION} states that two sets are equal exactly when they have 65the same elements. This follows directly from the definition of the constant 66\ml{IN} and the extensionality functions in higher order logic. 67 68Once the theorems \ml{EXTENSION} and \ml{SPECIFICATION} have been proved, they 69provide a complete basis for all further reasoning about sets and membership. 70The library theory \ml{pred\_sets} is developed entirely on the basis of these 71two `axioms' of set theory. 72 73\section{Generalized set specifications} 74 75In addition to the basic constant \ml{IN}, which allows one to regard a 76predicate as the set of all values that satisfy it, the \ml{pred\_sets} library 77also provides a general way of constructing sets by describing or specifying 78their elements. Roughly speaking, there are two components to a generalized 79set specification: an expression \ml{E[x]} and a predicate \ml{P[x]}. For any 80such expression and predicate, there is a corresponding set 81{\small\verb!{E[x] | P[x]}!}, the set of all values {\small\verb!E[x]!} for 82which {\small\verb!P[x]!} holds. 83 84The \ml{pred\_sets} library supports generalized set specifications by means of 85the constant: 86 87\begin{hol} 88\index{GSPEC@{\ptt GSPEC}} 89\begin{verbatim} 90 GSPEC : ('b -> ('a # bool)) -> 'a -> bool 91\end{verbatim} 92\end{hol} 93 94\noindent The function \ml{GSPEC} takes a function \ml{f :\ 'b -> ('a \# bool)} 95and constructs the set (i.e. predicate of type {\small\verb!'a->bool!}) of all 96values \ml{FST(f x)} for which \ml{SND(f x)} holds, for some value \ml{x} of 97type \ml{'b}. The formal definition of the constant \ml{GSPEC} is given by the 98following constant specification: 99 100\begin{hol} 101\index{definition!of GSPEC@of {\ptt GSPEC}} 102\index{GSPECIFICATION@{\ptt GSPECIFICATION}} 103\begin{verbatim} 104 GSPECIFICATION |- !f v. v IN (GSPEC f) = (?x. v,T = f x) 105\end{verbatim} 106\end{hol} 107 108\noindent This theorem is analogous to the axiom of specification\index{axiom 109of specification!for generalized set specifications} for \ml{IN}. 110This states that a value \ml{v} is an element of the set specified by 111\ml{f} exactly when \ml{v} is one of the values of \ml{FST(f x)} for which 112\ml{SND(f x)} is true. 113 114To see how this supports the notion of generalized set specification described 115above, let \ml{f} in this definition be the function 116{\small\verb!\x.E[x],P[x]!}. With a little simplification, we would then have: 117 118\begin{hol} 119\begin{verbatim} 120 |- !v. v IN (GSPEC \x.E[x],P[x]) = ?x. (v = E[x]) /\ P[x] 121\end{verbatim} 122\end{hol} 123 124\noindent That is, a value \ml{v} is in the set constructed by \ml{GSPEC} 125exactly when for some \ml{x} for which \ml{P[x]}, the value \ml{v} is equal to 126\ml{E[x]}. The constructed set therefore contains all values \ml{E[x]} for 127which \ml{P[x]} holds. 128 129\subsection{Parser and pretty-printer support}\label{abst} 130 131To facilitate the use of sets constructed by generalized set specification, the 132\ml{pred\_sets}\linebreak[3] library provides parser and pretty-printer support 133for set abstractions expressed by the notation 134{\small\verb!"{!$E$\verb! | !$P$\verb!}"!}. The built-in \ML\ function 135\ml{define\_set\_abstraction\_syntax}% 136\index{define\_set\_abstraction\_syntax@{\ptt 137define\_set\_abstraction\_syntax}} (see the manual~\cite{description} for 138details) is used to introduce this \mbox{notation} when the library is loaded. 139The call made to this function extends the \HOL\ parser so that a quotation of 140the form {\small\verb!"{!$E$\verb! | !$P$\verb!}"!} {\samepage parses to: 141 142\begin{hol} 143\begin{alltt} 144 GSPEC (\bk(\m{x\sb{1}},\(\dots\),\m{x\sb{n}}).(\(E\),\(P\))) 145\end{alltt} 146\end{hol} 147 148\noindent where $x_1$, \dots, $x_n$ are} the variables that occur free in both 149the expression $E$ and the proposition $P$ (i.e.\ the set $\{x_1,\dots,x_n\}$ 150is the intersection of the set of free variables of $E$ and the set of free 151variables of $P$). If there are {\it no\/} variables free in both $E$ and $P$, 152then a parser error is generated. When the 153\ml{print\_set}\index{print\_set@{\ptt print\_set} (flag)} flag is \ml{true}, 154the quotation pretty-printer inverts this transformation. 155 156A simple example of this set abstraction notation is shown in the following 157\HOL\ session, in which it is assumed that the \ml{pred\_sets} library has 158already been loaded. (See section~\ref{using} for a description of how 159\ml{pred\_sets} is loaded.) 160 161\setcounter{sessioncount}{1} 162\begin{session} 163\begin{verbatim} 164#let gtr = new_definition (`gtr`, "gtr N = {n | n > N}");; 165gtr = |- !N. gtr N = {n | n > N} 166 167#set_flag (`print_set`,false);; 168true : bool 169 170#"{n | n > N}";; 171"GSPEC(\n. (n,n > N))" : term 172\end{verbatim}\end{session} 173 174 175\noindent The term {\small\verb!{n | n > N}!} in the definition of \ml{gtr} 176denotes the set of all natural numbers greater than \ml{N}. It is important to 177note that the variable \ml{N} is a free variable in this term, since it occurs 178on only one side of the bar `{\small\verb!|!}'. The set abstraction 179{\small\verb!{n | n > N}!} therefore parses to the generalized set 180specification 181 182\begin{hol} 183\begin{verbatim} 184 GSPEC(\n. (n,n > N)) 185\end{verbatim}\end{hol} 186 187\noindent This is what gives this set abstraction the (presumably intended) 188interpretation `the set of all \ml{n} greater than \ml{N}'. By contrast, the 189term 190 191\begin{hol} 192\begin{verbatim} 193 GSPEC(\(n,N). (n,n > N)) 194\end{verbatim}\end{hol} 195 196\noindent denotes the set of all numbers \ml{n} greater than some number 197\ml{N}---i.e., the set $\{\ml{1},\ml{2},\ml{3},\dots\}$. This is {\it not\/} 198the default interpretation of the parser, which constructs a generalized set 199specification that binds the variable \ml{n} only. Note that only 200default\pagebreak[3] interpretations are pretty-printed using the {\samepage 201set abstraction notation: 202 203\begin{session} 204\begin{verbatim} 205#set_flag(`print_set`,true);; 206false : bool 207 208#"GSPEC (\n. (n,n>N))";; 209"{n | n > N}" : term 210 211#"GSPEC (\(n,N). (n,n>N))";; 212"GSPEC(\(n,N). (n,n > N))" : term 213\end{verbatim}\end{session} 214 215\noindent That is, a term of the form: 216 217\begin{hol} 218\begin{alltt} 219 GSPEC (\bk(\m{x\sb{1}},\(\dots\),\m{x\sb{n}}).(\(E\),\(P\))) 220\end{alltt}\end{hol} 221 222\noindent prints as {\small\verb!"{!$E$\verb! | !$P$\verb!}"!} only if the 223variables $x_1$, \dots, $x_n$ occur free in both $E$ and $P$.} 224 225 226In general, the expression $E$ in a set abstraction 227{\small\verb!"{!$E$\verb! | !$P$\verb!}"!} need not be just a variable. 228Consider, for example, the following \HOL\ session: 229 230\begin{session} 231\begin{verbatim} 232#let S = "{(n,m) | n < m}";; 233S = "{(n,m) | n < m}" : term 234 235#set_flag(`print_set`,false);; 236true : bool 237 238#"{(n,m) | n < m}";; 239"GSPEC(\(n,m). ((n,m),n < m))" : term 240\end{verbatim}\end{session} 241 242\noindent Here, a set abstraction is used to construct the set of all pairs of 243numbers \ml{(n,m)} for which \ml{n} is less than \ml{m}. Note that both 244variables \ml{n} and \ml{m} are bound in the underlying generalized set 245specification. 246 247\subsection{Theorem-proving support} 248 249\index{SET\_SPEC\_CONV@{\ptt SET\_SPEC\_CONV}|(} 250\index{conversions!SET\_SPEC\_CONV@{\ptt SET\_SPEC\_CONV}|(} 251The \ml{pred\_sets} library provides proof support for the set abstraction 252notation in the form of a conversion called \ml{SET\_SPEC\_CONV}. This 253conversion implements the axiom of specification for set abstractions.% 254\index{axiom of specification!for set abstractions} 255When $v$ is a variable, evaluating: 256 257\begin{hol}\def\m#1{\mbox{\small$#1$}} 258\begin{alltt} 259 SET_SPEC_CONV "\m{t} IN \lb\m{v} \vb \m{P}\rb";; 260\end{alltt}\end{hol} 261 262\noindent returns the theorem: 263 264\begin{hol}\def\m#1{\mbox{\small$#1$}} 265\begin{alltt} 266 {\vb}- \m{t} IN \lb\m{v} \vb \m{P}\rb = \m{P[t/v]} 267\end{alltt}\end{hol} 268 269\noindent This states that $t$ is an element of the set of all $v$ such that 270$P$ exactly when $P[t/v]$ holds. Note that, in general, the term $t$ need not 271be a variable. The following session illustrates this use of 272\ml{SET\_SPEC\_CONV} for membership {\samepage in a particular set abstraction: 273 274\setcounter{sessioncount}{1} 275\begin{session} 276\begin{verbatim} 277#SET_SPEC_CONV ``12 IN {n | n > N}``; 278|- 12 IN {n | n > N} = 12 > N 279\end{verbatim}\end{session}} 280 281\pagebreak[3] 282 283The conversion \ml{SET\_SPEC\_CONV} behaves differently when applied to terms 284of the form {\small\verb!"!$t$\verb! IN {!$E$\verb! | !$P$\verb!}"!} where 285{\small $E$} is not a variable. Applying the conversion to a term of this kind 286yields the theorem: 287 288\begin{hol}\def\m#1{\mbox{\small$#1$}} 289\begin{alltt} 290 {\vb}- \m{t} IN \lb\m{E} \vb \m{P}\rb = ?\m{x\sb{1}\dots x\sb{n}}. (\m{t} = \m{E}) /\bk \m{P} 291\end{alltt}\end{hol} 292 293\noindent where $x_1$, \dots, $x_n$ are the variables that occur free in both 294$E$ and $P$. The expression $E$ cannot in general be eliminated in this case, 295as it can by the substitution $P[t/v]$ when $E$ is just a variable $v$. 296 297\pagebreak[3] 298 299The following session illustrates the form of the theorem proved by 300\ml{SET\_SPEC\_CONV} for the second type of input term discussed above: 301 302\setcounter{sessioncount}{1} 303\begin{session} 304\begin{verbatim} 305#let th1 = SET_SPEC_CONV "p IN {(n,m) | n < m}";; 306th1 = |- p IN {(n,m) | n < m} = (?n m. (p = n,m) /\ n < m) 307 308#let th2 = SET_SPEC_CONV "(a,b) IN {(n,m) | n < m}";; 309th2 = |- (a,b) IN {(n,m) | n < m} = (?n m. (a,b = n,m) /\ n < m) 310 311#let th3 = SET_SPEC_CONV "a IN {n + m | n < m}";; 312th3 = |- a IN {n + m | n < m} = (?n m. (a = n + m) /\ n < m) 313\end{verbatim}\end{session} 314 315\noindent The right-hand sides of \ml{th1} and \ml{th2} could, in principle, be 316further simplified. The value of the expression `\ml{(n,m)}' is an injective 317function of the values of \ml{n} and \ml{m}, and so by eliminating the 318existential quantifiers these two theorems could be simplified to: 319 320\begin{hol} 321\begin{verbatim} 322 th1 |- p IN {(n,m) | n < m} = (FST p < SND p) 323 324 th2 |- (a,b) IN {(n,m) | n < m} = (a < b) 325\end{verbatim}\end{hol} 326 327\noindent But in general the value of {\small $E$} in a set abstraction 328{\small\verb!"{!$E$\verb! | !$P$\verb!}"!} will not be an injective function of 329its free variables, as for example is the case in theorem \ml{th3}. The 330conversion \ml{SET\_SPEC\_CONV} therefore attempts no further simplification of 331its result than is described above for the general 332case.\index{SET\_SPEC\_CONV@{\ptt SET\_SPEC\_CONV}|)}% 333\index{conversions!SET\_SPEC\_CONV@{\ptt SET\_SPEC\_CONV}|)} 334 335\section{The empty and universal sets} 336 337The following two constants are defined in the \ml{pred\_sets} library: 338{\small\verb!EMPTY:'a->bool!}, which denotes the empty set; and 339{\small\verb!UNIV:'a->bool!}, which denotes the universe, or set of all values 340of type \ml{'a}.{\samepage These constants are defined formally as follows: 341 342\begin{hol} 343\index{definition!of EMPTY@of {\ptt EMPTY}} 344\index{EMPTY\_DEF@{\ptt EMPTY\_DEF}} 345\index{definition!of UNIV@of {\ptt UNIV}} 346\index{UNIV\_DEF@{\ptt UNIV\_DEF}} 347\begin{verbatim} 348 EMPTY_DEF |- EMPTY = \x. F 349 UNIV_DEF |- UNIV = \x. T 350\end{verbatim}\end{hol} 351 352\noindent The\index{naming conventions!for definitions|(} theorems 353\ml{EMPTY\_DEF} and \ml{UNIV\_DEF} shown above are named according 354to the general convention that all definitions in the \ml{pred\_sets} library 355are given names ending 356in `{\small\verb!_DEF!}'.\index{naming conventions!for definitions|)}} 357 358\pagebreak[3] 359 360Note that because of the restriction on free variables discussed above, the set 361abstractions {\small\verb!"{x | T}"!} and {\small\verb!"{x | F}"!} cannot be 362used in these definitions; the more primitive form of set construction given by 363the above lambda-abstractions must be used instead. But users of the library 364will never need to appeal to these definitions, since the following theorems 365about \ml{EMPTY} and \ml{UNIV} are also made available in the theory 366\ml{pred\_sets}: 367 368\begin{hol} 369\index{NOT\_IN\_EMPTY@{\ptt NOT\_IN\_EMPTY}} 370\index{IN\_UNIV@{\ptt IN\_UNIV}} 371\begin{verbatim} 372 NOT_IN_EMPTY |- !x. ~x IN EMPTY 373 IN_UNIV |- !x. x IN UNIV 374\end{verbatim}\end{hol} 375 376\noindent That is, nothing is an element of \ml{EMPTY} and everything is an 377element of \ml{UNIV}. These properties follow directly from the definitions and 378the theorem \ml{SPECIFICATION}. Other pre-proved theorems about the empty and 379universal sets are also available in the library; see chapter~\ref{theorems} 380for a complete list. 381 382\section{Set inclusion} 383 384The infix functions \ml{SUBSET} and \ml{PSUBSET} denote the binary relations of 385set inclusion and proper set inclusion, respectively. These are defined 386formally in the obvious way: 387 388\begin{hol} 389\index{definition!of SUBSET@of {\ptt SUBSET}} 390\index{SUBSET\_DEF@{\ptt SUBSET\_DEF}} 391\index{definition!of PSUBSET@of {\ptt PSUBSET}} 392\index{PSUBSET\_DEF@{\ptt PSUBSET\_DEF}} 393\begin{verbatim} 394 SUBSET_DEF |- !s t. s SUBSET t = (!x. x IN s ==> x IN t) 395 PSUBSET_DEF |- !s t. s PSUBSET t = s SUBSET t /\ ~(s = t) 396\end{verbatim}\end{hol} 397 398\noindent That is, \ml{s} is a subset of \ml{t} if every element of \ml{s} is 399also an element of \ml{t}; and \ml{s} is a proper subset of \ml{t} if it is a 400subset of \ml{t} but not equal to \ml{t}. 401 402Various pre-proved theorems about the subset and proper subset relations are 403supplied by the \ml{pred\_sets} library. For example, the fact that 404\ml{SUBSET} is a partial order is stated by the three built-in theorems shown 405below. 406 407\begin{hol} 408\index{SUBSET\_TRANS@{\ptt SUBSET\_TRANS}} 409\index{SUBSET\_REFL@{\ptt SUBSET\_REFL}} 410\index{SUBSET\_ANTISYM@{\ptt SUBSET\_ANTISYM}} 411\begin{verbatim} 412 SUBSET_REFL |- !s. s SUBSET s 413 SUBSET_TRANS |- !s t u. s SUBSET t /\ t SUBSET u ==> s SUBSET u 414 SUBSET_ANTISYM |- !s t. s SUBSET t /\ t SUBSET s ==> (s = t) 415\end{verbatim}\end{hol} 416 417\noindent Also provided are built-in theorems about the relationship between 418set inclusion and other constants or operations on sets. For example, there 419are the following facts about set inclusion and the empty and universal sets: 420 421\begin{hol} 422\index{EMPTY\_SUBSET@{\ptt EMPTY\_SUBSET}} 423\index{SUBSET\_UNIV@{\ptt SUBSET\_UNIV}} 424\index{NOT\_PSUBSET\_EMPTY@{\ptt NOT\_PSUBSET\_EMPTY}} 425\index{NOT\_UNIV\_PSUBSET@{\ptt NOT\_UNIV\_PSUBSET}} 426\begin{verbatim} 427 EMPTY_SUBSET |- !s. {} SUBSET s 428 SUBSET_UNIV |- !s. s SUBSET UNIV 429 NOT_PSUBSET_EMPTY |- !s. ~s PSUBSET {} 430 NOT_UNIV_PSUBSET |- !s. ~UNIV PSUBSET s 431\end{verbatim}\end{hol} 432 433\noindent As\index{naming conventions!for theorems generally|(} these examples 434illustrate, the names of theorems in the \ml{pred\_sets} library are generally 435constructed from the names of the constants they contain. Furthermore, the 436ordering of elements in the name of a theorem attempts to reflect the content 437of the theorem itself.\index{naming conventions!for theorems generally|)} 438 439\section{Union, intersection, and set difference} 440 441The binary operations of union, intersection and set difference are all defined 442using the set abstraction notation introduced above in section~\ref{abst}. The 443formal definitions are: 444 445\begin{hol} 446\index{definition!of UNION@of {\ptt UNION}} 447\index{UNION\_DEF@{\ptt UNION\_DEF}} 448\index{definition!of INTER@of {\ptt INTER}} 449\index{INTER\_DEF@{\ptt INTER\_DEF}} 450\index{definition!of DIFF@of {\ptt DIFF}} 451\index{DIFF\_DEF@{\ptt DIFF\_DEF}} 452\begin{verbatim} 453 UNION_DEF |- !s t. s UNION t = {x | x IN s \/ x IN t} 454 INTER_DEF |- !s t. s INTER t = {x | x IN s /\ x IN t} 455 DIFF_DEF |- !s t. s DIFF t = {x | x IN s /\ ~x IN t} 456\end{verbatim}\end{hol} 457 458\noindent These definitions illustrate the practical utility of the scheme for 459variable binding in set abstractions discussed above in section~\ref{abst}. An 460abstraction {\small\verb!"{!$E$\verb! | !$P$\verb!}"!} binds only the variables 461that occur in both {\small $E$} and {\small $P$}, and the variables \ml{s} and 462\ml{t} in the set abstractions shown above may therefore be made parameters to 463the sets\pagebreak[3] constructed by them. 464 465Using \ml{SET\_EQ\_CONV}, it is trivial to derive the following membership 466conditions for \ml{UNION}, \ml{INTER} and \ml{DIFF} from the definitions given 467above. As\index{naming conventions!for membership conditions|(} a general rule, 468theorems stating membership conditions of the kind illustrated by these 469examples are given names of the form {\small\verb!IN_!$\langle\hbox{\it 470constant\/}\rangle$} ending in the name of the operation used to construct the 471set in question.\index{naming conventions!for membership conditions|)} 472 473\begin{hol} 474\index{IN\_UNION@{\ptt IN\_UNION}} 475\index{IN\_INTER@{\ptt IN\_INTER}} 476\index{IN\_DIFF@{\ptt IN\_DIFF}} 477\begin{verbatim} 478 IN_UNION |- !s t x. x IN (s UNION t) = x IN s \/ x IN t 479 IN_INTER |- !s t x. x IN (s INTER t) = x IN s /\ x IN t 480 IN_DIFF |- !s t x. x IN (s DIFF t) = x IN s /\ ~x IN t 481\end{verbatim}\end{hol} 482 483\noindent These theorems, which are saved in the library under the names 484indicated above, may in practice be used as the defining properties of union, 485intersection and set difference; users should almost never have to appeal 486directly to the definitions of these operations. Other built-in theorems about 487\ml{UNION}, \ml{INTER} and \ml{DIFF} may be found in chapter~\ref{theorems}. 488 489\section{Disjoint sets} 490 491Two sets are {\it disjoint\/} if they have no elements in common. This concept 492is formalized in the \ml{pred\_sets} library by the constant \ml{DISJOINT}, the 493definition of which is: 494 495\begin{hol} 496\index{definition!of DISJOINT@of {\ptt DISJOINT}} 497\index{DISJOINT\_DEF@{\ptt DISJOINT\_DEF}} 498\begin{verbatim} 499 DISJOINT_DEF |- !s t. DISJOINT s t = (s INTER t = {}) 500\end{verbatim}\end{hol} 501 502\noindent At present, there are relatively few pre-proved theorems about the 503\ml{DISJOINT} relation in the library. But see chapter~\ref{theorems} for the 504few theorems about \ml{DISJOINT} that are in fact available in the 505\ml{pred\_sets} library. 506 507\section{Insertion and deletion of an element} 508 509To aid in the construction of particular sets of values (especially finite 510sets) the library contains definitions of two constants \ml{INSERT} and 511\ml{DELETE}. These denote the operations of augmenting a set with a given 512value and removing a value from a set, respectively. The formal definitions of 513these operations are: 514 515\begin{hol} 516\index{definition!of INSERT@of {\ptt INSERT}} 517\index{INSERT\_DEF@{\ptt INSERT\_DEF}} 518\index{definition!of DELETE@of {\ptt DELETE}} 519\index{DELETE\_DEF@{\ptt DELETE\_DEF}} 520\begin{verbatim} 521 INSERT_DEF |- !x s. x INSERT s = {y | (y = x) \/ y IN s} 522 DELETE_DEF |- !s x. s DELETE x = s DIFF (INSERT x EMPTY) 523\end{verbatim}\end{hol} 524 525\noindent The elements of the set denoted by {\small\verb!x INSERT s!} are all 526the elements of the set \ml{s} together with the value \ml{x}, which may or may 527not be an element of \ml{s} itself. The set denoted by 528{\small\verb!s DELETE x!} contains all the elements of \ml{s} 529except the value \ml{x}. 530 531{\samepage The membership conditions for sets constructed using \ml{INSERT} and 532\ml{DELETE} are given by the following pre-proved theorems: 533 534\begin{hol} 535\index{IN\_INSERT@{\ptt IN\_INSERT}} 536\index{IN\_DELETE@{\ptt IN\_DELETE}} 537\begin{verbatim} 538 IN_INSERT |- !x y s. x IN (y INSERT s) = (x = y) \/ x IN s 539 IN_DELETE |- !s x y. x IN (s DELETE y) = x IN s /\ ~(x = y) 540\end{verbatim}\end{hol} 541 542\noindent In addition, the library} contains a substantial collection of 543theorems about the relationship between the operations \ml{INSERT} and 544\ml{DELETE} and other relations and operations on sets. Chapter~\ref{theorems} 545gives a complete list of these theorems. 546 547\subsection{Parser and pretty-printer support}\label{finite} 548 549The \ml{pred\_sets} library provides special parser and pretty-printer support 550for finite sets that are constructed by enumeration of their elements. This 551notation is introduced by a call made when the library is loaded to the 552built-in \ML\ function \ml{define\_finite\_set\_syntax}% 553\index{define\_finite\_set\_syntax@{\ptt define\_finite\_set\_syntax}} 554(see~\cite{description} for details of this function). This has the effect of 555extending the \HOL\ parser so that a quotation of the form 556{\small\verb!"{!\tt$t_1$,$t_2$,\dots,$t_n$\verb!}"!} parses to the following 557set built up from \ml{EMPTY} by repeatedly using the function \ml{INSERT}: 558 559\begin{hol} 560\begin{alltt} 561 INSERT \m{t\sb{1}} (INSERT \m{t\sb{2}} \dots (INSERT \m{t\sb{n}} EMPTY)\dots) 562\end{alltt}\end{hol} 563 564\noindent Note that the quotation {\small\verb!"{}"!} just parses to the 565constant \ml{EMPTY}. When the 566\ml{print\_set}\index{print\_set@{\ptt print\_set} (flag)} 567flag is \ml{true}, the \HOL\ pretty-printer for terms inverts this 568transformation. 569 570Users should note that care must be taken with regard to the precedence of 571comma in a context {\small\verb!"{!\dots\verb!}"!}, as the following session 572illustrates: 573 574\setcounter{sessioncount}{1} 575\begin{session} 576\begin{verbatim} 577#set_flag(`print_set`,false);; 578true : bool 579 580#"{1,2,3,4}";; 581"1 INSERT (2 INSERT (3 INSERT (4 INSERT EMPTY)))" : term 582 583#"{(1,2),(3,4)}";; 584"(1,2) INSERT ((3,4) INSERT EMPTY)" : term 585 586#"{((1,2),(3,4))}";; 587"((1,2),3,4) INSERT EMPTY" : term 588\end{verbatim}\end{session} 589 590\noindent Different grouping by means of enclosing parentheses has given sets 591with four elements (each a number), two elements (each of which is a pair), and 592one element (a pair of pairs) respectively. 593 594\subsection{Conversions for enumerated finite sets} 595 596The \ml{pred\_sets} library provides a collection of optimized conversions for 597computing the results of operations and predicates on finite sets specified by 598enumeration of their elements. All these conversions, the current 599implementations of which are somewhat experimental, are designed to work only 600for finite sets of the form {\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!}"!}. 601The sections that follow describe most of these conversions; the remainder are 602discussed in later sections of this manual. 603 604\subsubsection{Membership}\label{inconv} 605 606The\index{IN\_CONV@{\ptt IN\_CONV}|(}% 607\index{conversions!IN\_CONV@{\ptt IN\_CONV}|(} most basic 608conversion for finite sets is a decision procedure for membership called 609\ml{IN\_CONV}. In general, a way of deciding equality of elements is needed in 610order to determine whether a given value is an element of a particular finite 611set. The function 612 613\begin{hol} 614\begin{verbatim} 615 IN_CONV : conv -> conv 616\end{verbatim}\end{hol} 617 618\noindent must therefore be supplied with a conversion that implements a 619decision procedure for equality of set elements. It is assumed that this 620conversion will map equations {\small\tt"$e_1$ = $e_2$"} between elements of a 621base type \ml{ty} to the theorem {\small\tt |- ($e_1$ = $e_2$) = T} or to the 622theorem {\small\tt |- ($e_1$ = $e_2$) = F}, as appropriate. 623 624If \ml{conv} is an equality conversion of the kind described above, then the 625function returned by \ml{IN\_CONV conv} is a conversion that decides membership 626in finite sets of values of the base type \ml{ty}. In particular, a call: 627 628\begin{hol} 629\begin{alltt} 630 IN\_CONV conv "\m{t} IN \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb" 631\end{alltt}\end{hol} 632 633\noindent returns the theorem 634 635\begin{hol} 636\begin{alltt} 637 |- \m{t} IN \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb = T 638\end{alltt}\end{hol} 639 640\noindent if the term $t$ is alpha-equivalent to some term $t_i$ or if the 641supplied conversion \ml{conv} proves {\tt |- ($t$ = $t_i$) = T} for some $i$ 642where $1 \leq i \leq n$. If, on the other hand \ml{conv} proves the theorem 643{\tt |- ($t$ = $t_i$) = F} for all $i$ where $1 \leq i \leq n$, then the result 644is the theorem 645 646\begin{hol} 647\begin{alltt} 648 |- \m{t} IN \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb = F 649\end{alltt}\end{hol} 650 651\noindent In all other cases, the call to \ml{IN\_CONV} shown above will fail. 652 653The following session shows how \ml{IN\_CONV} can be used in practice. 654 655\setcounter{sessioncount}{1} 656\begin{session} 657\begin{verbatim} 658#IN_CONV num_EQ_CONV "1 IN {2,1,3}";; 659|- 1 IN {2,1,3} = T 660 661#IN_CONV num_EQ_CONV "4 IN {2,1,3}";; 662|- 4 IN {2,1,3} = F 663\end{verbatim}\end{session} 664 665\noindent The built-in conversion \ml{num\_EQ\_CONV} is used here to decide 666equality of the natural numbers involved in the membership 667assertions\pagebreak[3] being proved. 668 669An example in which \ml{IN\_CONV} fails is the following: 670 671\begin{session} 672\begin{verbatim} 673#IN_CONV num_EQ_CONV "x IN {1,2,3}";; 674evaluation failed IN_CONV 675 676#num_EQ_CONV "x = 1";; 677evaluation failed num_EQ_CONV 678\end{verbatim}\end{session} 679 680\noindent Failure occurs in this case because the term \ml{x} is a variable, 681and \ml{num\_EQ\_CONV} therefore cannot determine if it is equal to any of the 682set elements \ml{1}, \ml{2} or \ml{3}. Note, however, that the supplied 683conversion is not required to prove anything if the value being tested for 684membership happens to be syntactically identical to an element of the given 685set: 686 687\begin{session} 688\begin{verbatim} 689#IN_CONV NO_CONV "x IN {1,x,3}";; 690|- x IN {1,x,3} = T 691\end{verbatim}\end{session} 692 693\noindent In this case, the supplied conversion, namely \ml{NO\_CONV}, always 694fails; but the call to \ml{IN\_CONV} nonetheless succeeds and returns the 695appropriate result.\index{IN\_CONV@{\ptt IN\_CONV}|)}% 696\index{conversions!IN\_CONV@{\ptt IN\_CONV}|)} 697 698\subsubsection{Union} 699 700The\index{UNION\_CONV@{\ptt UNION\_CONV}|(}% 701\index{conversions!UNION\_CONV@{\ptt UNION\_CONV}|(} 702\ml{pred\_sets} library contains a conversion 703 704\begin{hol} 705\begin{verbatim} 706 UNION_CONV : conv -> conv 707\end{verbatim}\end{hol} 708 709\noindent that can be used to compute the union of two finite sets. The first 710argument to \ml{UNION\_CONV} (i.e.\ the conversion argument) is expected to be 711an equality conversion of the same kind required as an argument by 712\ml{IN\_CONV} (see section~\ref{inconv}). As will be seen below, this 713conversion is used by \ml{UNION\_CONV} to simplify the set that it computes as 714the result of taking the union of two finite sets. 715 716Given an equality conversion \ml{conv}, the function \ml{UNION\_CONV} returns a 717conversion that computes the union of a finite set 718{\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!}"!} and another set {\small$s$}. The 719second set {\small$s$} in fact need not be finite. Ignoring, for the moment, 720the possible simplification done using the supplied conversion \ml{conv}, a 721call: 722 723\begin{hol}\begin{alltt} 724 UNION\_CONV conv "\lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb UNION \m{s}" 725\end{alltt}\end{hol} 726 727\noindent just returns the theorem 728 729\begin{hol}\begin{alltt} 730 |- \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb UNION \m{s} = \m{t\sb{1}} INSERT (\m{\dots} (\m{t\sb{n}} INSERT \m{s})\m{\dots}) 731\end{alltt}\end{hol} 732 733\noindent That is, \ml{UNION\_CONV} computes the required union as a repeated 734insertion of values into the set {\small$s$}.\pagebreak[3] When {\small$s$} is 735a finite set of the form {\small\verb!"{!\tt$u_1$,\dots,$u_m$\verb!}"!}, the 736{\samepage resulting theorem will have the form shown below. 737 738\begin{hol} 739\begin{alltt} 740 |- \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb UNION \lb\m{u\sb{1}},\dots,\m{u\sb{m}}\rb = \lb\m{t\sb{1}},\m{\dots},\m{t\sb{n}},\m{u\sb{1}},\m{\dots},\m{u\sb{m}}\rb 741\end{alltt}\end{hol} 742 743\noindent When computing} theorems of this form (i.e.\ when the second set of 744the union is a finite set {\small\verb!"{!\tt$u_1$,\dots,$u_m$\verb!}"!}) the 745function \ml{UNION\_CONV} attempts to remove redundant elements in the 746resulting set using the supplied equality conversion \ml{conv}. In particular, 747if \ml{conv} is able to prove that some element {\small$t_i$} of 748{\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!}"!} is equal to any element 749{\small$u_j$} of {\small\verb!"{!\tt$u_1$,\dots,$u_m$\verb!}"!}, that is if the 750conversion \ml{conv} maps the term {\small\verb!"!$t_i$\verb! = !$u_j$\verb!"!} 751to the theorem {\small\verb!|- (!$t_i$\verb! = !$u_j$\verb!) = T!}, then the 752resulting theorem will be 753 754\begin{hol} 755\begin{alltt} 756 |- \lb\m{t\sb{1}},\dots\m{t\sb{i}},\dots,\m{t\sb{n}}\rb UNION \lb\m{u\sb{1}},\dots,\m{u\sb{j}},\dots,\m{u\sb{m}}\rb = \lb\m{t\sb{1}},\m{\dots},\m{t\sb{n}},\m{u\sb{1}},\dots,\m{u\sb{j}},\dots,\m{u\sb{m}}\rb 757\end{alltt}\end{hol} 758 759\noindent That is, the redundant term \m{t_i} will be removed from the initial 760sequence of elements in the resulting finite set. The function 761\ml{UNION\_CONV} also checks for and eliminates alpha-equivalent elements. 762 763Some examples of \ml{UNION\_CONV} in use are shown in the following \HOL\ 764session: 765 766\begin{session} 767\begin{verbatim} 768#UNION_CONV NO_CONV "{1,2,3} UNION {4,5,6}";; 769|- {1,2,3} UNION {4,5,6} = {1,2,3,4,5,6} 770 771#UNION_CONV NO_CONV "{1,2,3} UNION {3,2,SUC 0}";; 772|- {1,2,3} UNION {3,2,SUC 0} = {1,3,2,SUC 0} 773\end{verbatim}\end{session} 774 775\noindent The supplied equality conversion in these examples is \ml{NO\_CONV}, 776and only the elements of the first set {\small\verb!{1,2,3}!} that are 777redundant by virtue of being alpha-equivalent to elements of the second set 778are eliminated from the resulting set. An example in which the equality 779conversion is actually used is: 780 781\begin{session} 782\begin{verbatim} 783#UNION_CONV num_EQ_CONV "{1,2,3} UNION {3,2,SUC 0}";; 784|- {1,2,3} UNION {3,2,SUC 0} = {3,2,SUC 0} 785\end{verbatim}\end{session} 786 787\noindent In this case, \ml{num\_EQ\_CONV} is used to prove that 788{\small\verb!1!} is equal to {\small\verb!SUC 0!}, so that the resulting union 789is the set {\small\verb!"{3,2,SUC 0}"!}, rather than 790{\small\verb!"{1,3,2,SUC 0}!"}.\index{UNION\_CONV@{\ptt UNION\_CONV}|)}% 791\index{conversions!UNION\_CONV@{\ptt UNION\_CONV}|)} 792 793\subsubsection{Insertion} 794 795The\index{INSERT\_CONV@{\ptt INSERT\_CONV}|(}% 796\index{conversions!INSERT\_CONV@{\ptt INSERT\_CONV}|(} 797conversion \ml{INSERT\_CONV} performs the following reduction 798on finite sets: 799 800\begin{hol} 801\begin{alltt} 802 {\normalsize\rm reduce}\quad"\m{t} INSERT \lb\m{t\sb{1}},\dots,\m{t\sb{i}},\dots,\m{t\sb{n}}\rb"\quad\m{\normalsize\rm to}\quad"\lb\m{t\sb{1}},\dots,\m{t\sb{i}},\dots,\m{t\sb{n}}\rb" 803\end{alltt}\end{hol} 804 805\noindent if a supplied equality conversion can prove 806{\small\verb!|- (!$t$\verb! = !$t_i$\verb!) = T!}. Since the 807enumerated set notation 808{\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!}"!} is just a parser-supported 809abbreviation (see section~\ref{finite}), this is equivalent to reducing the set 810{\small\verb!"{!\tt$t$,$t_1$,\dots,$t_i$,\dots,$t_n$\verb!}"!} to 811{\small\verb!"{!\tt$t_1$,\dots,$t_i$,\dots,$t_n$\verb!}"!} when the terms 812{\small$t$} and {\small$t_i$} are provably equal.\pagebreak[3] 813 814More specifically, if for some {\small$t_i$} in 815{\small\verb!{!$t_1$\verb!,!\dots\verb!,!$t_n$\verb!}!}, 816the terms {\small$t$} and {\small$t_i$} are alpha-equivalent, of if 817the conversion \ml{conv} maps {\small\verb!"!$t$\verb! = !$t_i$\verb!"!} to 818the theorem {\small\verb!|- (!$t$\verb! = !$t_i$\verb!) = T!}, then the call: 819 820\begin{hol} 821\begin{alltt} 822 INSERT\_CONV conv "\m{t} INSERT \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb";; 823\end{alltt}\end{hol} 824 825\noindent will return the theorem: 826 827\begin{hol} 828\begin{alltt} 829 |- \m{t} INSERT \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb = \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb 830\end{alltt}\end{hol} 831 832Here is an example of \ml{INSERT\_CONV} in use: 833 834\setcounter{sessioncount}{1} 835\begin{session} 836\begin{verbatim} 837#INSERT_CONV num_EQ_CONV "(SUC 2) INSERT {0,1,2,3}";; 838|- {SUC 2,0,1,2,3} = {0,1,2,3} 839\end{verbatim}\end{session} 840 841When applied repeatedly, \ml{INSERT\_CONV} can be used to reduce finite sets by 842eliminating as many redundant occurrences of elements as possible. An easy to 843program, but slow-running, way of doing this is to use \ml{DEPTH\_CONV}: 844 845\begin{session} 846\begin{verbatim} 847#DEPTH_CONV (INSERT_CONV num_EQ_CONV) "{1,3,x,SUC 1,SUC(SUC 1),2,1,3,x}";; 848|- {1,3,x,SUC 1,SUC(SUC 1),2,1,3,x} = {2,1,3,x} 849\end{verbatim}\end{session} 850 851\noindent For a faster alternative to this method, see the reference entry for 852\ml{INSERT\_CONV} in 853chapter~\ref{entries}.\index{INSERT\_CONV@{\ptt INSERT\_CONV}|)}% 854\index{conversions!INSERT\_CONV@{\ptt INSERT\_CONV}|)} 855 856\subsubsection{Deletion} 857 858The\index{DELETE\_CONV@{\ptt DELETE\_CONV}|(}% 859\index{conversions!DELETE\_CONV@{\ptt DELETE\_CONV}|(} 860conversion \ml{DELETE\_CONV} reduces terms of the form 861{\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!} DELETE !$t$\verb!"!} 862by deleting all elements provably equal to {\small$t$} from the set 863{\small\verb!{!\tt$t_1$,\dots,$t_n$\verb!}!}. 864Like \ml{IN\_CONV} and \ml{INSERT\_CONV}, the function \ml{DELETE\_CONV} takes 865a conversion for deciding equality of set elements as an argument. 866If \ml{conv} 867is such a conversion, the call: 868 869\begin{hol}\begin{alltt} 870 DELETE\_CONV conv "\lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb DELETE \m{t}";; 871\end{alltt}\end{hol} 872 873\noindent will return the theorem: 874 875\begin{hol}\begin{alltt} 876 |- \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb DELETE \m{t} = \lb\m{t\sb{i}},\dots,\m{t\sb{j}}\rb 877\end{alltt}\end{hol} 878 879\noindent where the resulting set 880 {\small\verb!{!\tt$t_i$,\dots,$t_j$\verb!}!} is the set of all 881values {\small$t_k$} in the original set 882 {\small\verb!{!\tt$t_1$,\dots,$t_n$\verb!}!} for which \ml{conv} proves 883{\tt |- ($t_k$ = $t$) = F}, and where for all {\small$t_k$} in 884{\small\verb!{!\tt$t_1$,\dots,$t_n$\verb!}!} but not in 885 {\small\verb!{!\tt$t_i$,\dots,$t_j$\verb!}!}, either {\small$t_k$} 886is alpha-equivalent to {\small$t$} or \ml{conv} proves 887{\tt |- ($t_k$ = $t$) = T}. Note that the conversion \ml{conv} must 888prove either equality or inequality for every element of the original set that 889is not simply alpha-equivalent to the deleted value. 890 891The following session shows \ml{DELETE\_CONV} in use: 892 893\setcounter{sessioncount}{1} 894\begin{session} 895\begin{verbatim} 896#DELETE_CONV num_EQ_CONV "{0,1,2,3} DELETE (SUC 1)";; 897|- {0,1,2,3} DELETE (SUC 1) = {0,1,3} 898\end{verbatim}\end{session}% 899\index{DELETE\_CONV@{\ptt DELETE\_CONV}|)}% 900\index{conversions!DELETE\_CONV@{\ptt DELETE\_CONV}|)} 901 902 903\section{Singleton sets} 904 905A {\it singleton\/} set is a set that contains precisely one element. In the 906\ml{pred\_sets} library, the property of being a singleton set is expressed by 907the definition: 908 909\begin{hol} 910\index{definition!of SING@of {\ptt SING}} 911\index{SING\_DEF@{\ptt SING\_DEF}} 912\begin{verbatim} 913 SING_DEF |- !s. SING s = (?x. s = {x}) 914\end{verbatim}\end{hol} 915 916\noindent The library contains several built-in theorems about singleton sets. 917These are sometimes expressed in terms of the predicate \ml{SING}, as for 918example in the theorem 919 920\begin{hol} 921\index{SING@{\ptt SING}} 922\begin{verbatim} 923 SING |- !x. SING{x} 924\end{verbatim}\end{hol} 925 926\noindent But properties of singleton sets are more usually formulated as 927theorems about sets of the form `{\small\verb"{x}"}'. For example, the built-in 928theorems about singleton sets include: 929 930\begin{hol} 931\index{SING@{\ptt SING}} 932\begin{verbatim} 933 NOT_SING_EMPTY |- !x. ~({x} = {}) 934 IN_SING |- !x y. x IN {y} = (x = y) 935 EQUAL_SING |- !x y. ({x} = {y}) = (x = y) 936\end{verbatim}\end{hol} 937 938\noindent A\index{naming conventions!for theorems about singletons|(} general 939convention is that theorems about singleton sets are given names that contain 940the element `\ml{SING}', regardless of whether or not they actually contain the 941predicate \ml{SING}.\index{naming conventions!for theorems about singletons|)} 942 943\section{The {\tt CHOICE} and {\tt REST} functions} 944 945The \ml{pred\_sets} library contains the definition of a functions \ml{CHOICE} 946which can be used to select an arbitrary element from a non-empty set. The 947function \ml{CHOICE} is defined formally by the following constant 948specification: 949 950\begin{hol} 951\index{definition!of CHOICE@of {\ptt CHOICE}} 952\index{CHOICE\_DEF@{\ptt CHOICE\_DEF}} 953\begin{verbatim} 954 CHOICE_DEF |- !s. ~(s = {}) ==> (CHOICE s) IN s 955\end{verbatim}\end{hol} 956 957\noindent This theorem alone is the defining property for the constant 958\ml{CHOICE}, which is therefore an only partially specified function from sets 959to values. Note, in particular, that there is no information given by this 960definition about the result of applying \ml{CHOICE} to an empty set. 961 962The library also contains a function \ml{REST}, which is defined in terms of 963the \ml{CHOICE} function as follows 964 965\begin{hol} 966\index{definition!of REST@of {\ptt REST}} 967\index{REST\_DEF@{\ptt REST\_DEF}} 968\begin{verbatim} 969 REST_DEF |- !s. REST s = s DELETE (CHOICE s) 970\end{verbatim}\end{hol} 971 972\noindent For any non-empty set \ml{s}, the set \ml{REST s} comprises all those 973elements of \ml{s} except the value selected from \ml{s} by \ml{CHOICE}. 974 975The library contains various built-in theorems about the functions \ml{CHOICE} 976and \ml{REST}; for a full list of these theorems, see chapter~\ref{theorems}. 977 978\section{Image of a function on a set} 979 980The {\it image\/} of a function {\small\verb!f:'a->'b!} on a set 981{\small\verb!s:'a->bool!} is the set of values {\small\verb!f(x)!} for all 982\ml{x} in \ml{s}. In the \ml{pred\_sets} library, the image of a function on a 983set is defined in terms of the obvious set abstraction: 984 985\begin{hol} 986\index{definition!of IMAGE@of {\ptt IMAGE}} 987\index{IMAGE\_DEF@{\ptt IMAGE\_DEF}} 988\begin{verbatim} 989 IMAGE_DEF |- !f s. IMAGE f s = {f x | x IN s} 990\end{verbatim}\end{hol} 991 992\noindent Using \ml{SET\_SPEC\_CONV}, is trivial to prove from this 993definition the following membership condition for sets constructed using 994\ml{IMAGE}: 995 996\begin{hol} 997\index{IN\_IMAGE@{\ptt IN\_IMAGE}} 998\begin{verbatim} 999 IN_IMAGE |- !y s f. y IN (IMAGE f s) = (?x. (y = f x) /\ x IN s) 1000\end{verbatim}\end{hol} 1001 1002\noindent The \ml{pred\_sets} library contains various theorems about 1003\ml{IMAGE} in addition to this membership theorem. These include, for example, 1004theorems about the image of a function on sets constructed by the operations of 1005union and intersection. For a full list of theorems about \ml{IMAGE}, see 1006chapter~\ref{theorems}. 1007 1008\subsection{Theorem-proving support} 1009 1010The\index{IMAGE\_CONV@{\ptt IMAGE\_CONV}|(}% 1011\index{conversions!IMAGE\_CONV@{\ptt IMAGE\_CONV}|(} 1012\ml{pred\_sets} library contains 1013a conversion for computing the image of a function {\small\verb!f!} on a finite 1014set {\small\verb!{!\tt$t_1$,\dots,$t_n$\verb!}!}. The function 1015 1016\begin{hol} 1017\begin{verbatim} 1018 IMAGE_CONV : conv -> conv -> conv 1019\end{verbatim}\end{hol} 1020 1021\noindent is parameterized by two conversions. The first conversion is 1022expected to compute the result of applying the function {\small\verb!f!} to 1023each element {\small$t_1$}, \dots, {\small $t_n$}. The second parameter is an 1024equality conversion which is used to simplify the resulting image set by 1025removing redundant occurrences of its elements. 1026 1027The following session shows a simple example of the use of \ml{IMAGE\_CONV} on 1028terms of the form 1029{\small\tt\verb!"IMAGE (\x.x+2) {!$t_1$,\dots,$t_n$\verb!}"!}. 1030We first define a conversion that evaluates the 1031result of applying the function {\small\verb!(\x.x+2)!} to a term {\small$t$}. 1032 1033\setcounter{sessioncount}{1} 1034\begin{session} 1035\begin{verbatim} 1036- val AP_CONV = BETA_CONV THENC (TRY_CONV ADD_CONV);; 1037AP_CONV = - : conv 1038 1039- AP_CONV ``(\n.n+2) 7``; 1040|- (\n. n + 2)7 = 9 1041\end{verbatim}\end{session} 1042 1043\noindent This conversion, together with the function \ml{IMAGE\_CONV}, gives a 1044conversion for computing the image of {\small\verb!(\x.x+2)!} on a finite set 1045of numerical values. 1046 1047\begin{session} 1048\begin{verbatim} 1049- IMAGE_CONV AP_CONV NO_CONV ``IMAGE (\x.x+2) {1;2;3;4}``; 1050val it = |- IMAGE(\x. x + 2){1;2;3;4} = {3;4;5;6} : thm 1051 1052- IMAGE_CONV AP_CONV NO_CONV ``IMAGE (\x.x+2) {n;1;n}``; 1053val it = |- IMAGE(\x. x + 2){n;1;n} = {3;n + 2} : thm 1054\end{verbatim}\end{session} 1055 1056\noindent In this case, the second parameter supplied to \ml{IMAGE\_CONV} is 1057the conversion \ml{NO\_CONV}. This means that no reduction of the resulting 1058image set is done, beyond the elimination of elements that are provably 1059redundant by virtue of being alpha-equivalent to some other element (as in the 1060second example above). 1061 1062The following session illustrates the use of the second parameter to 1063\ml{IMAGE\_CONV}. 1064 1065\begin{session} 1066\begin{verbatim} 1067#IMAGE_CONV BETA_CONV NO_CONV "IMAGE (\x. SUC x) {1,SUC 0,2,0}";; 1068|- IMAGE(\x. SUC x){1,SUC 0,2,0} = {SUC 1,SUC(SUC 0),SUC 2,SUC 0} 1069 1070#IMAGE_CONV BETA_CONV num_EQ_CONV "IMAGE (\x. SUC x) {1,SUC 0,2,0}";; 1071|- IMAGE(\x. SUC x){1,SUC 0,2,0} = {SUC(SUC 0),SUC 2,SUC 0} 1072\end{verbatim}\end{session} 1073 1074\noindent In the first evaluation, just applying \ml{BETA\_CONV} to the 1075application of {\small\verb!(\x. SUC x)!} to each element has resulted in an 1076image set containing both {\small\verb!SUC 1!} and {\small\verb!SUC(SUC 0)!}. 1077In the second example, \ml{num\_EQ\_CONV} is used to prove these values equal, 1078and therefore to simplify the resulting set by eliminating one of them from it. 1079For more detail about \ml{IMAGE\_CONV}, see the reference entry for this 1080conversion in chapter~\ref{entries}.\index{IMAGE\_CONV@{\ptt IMAGE\_CONV}|)}% 1081\index{conversions!IMAGE\_CONV@{\ptt IMAGE\_CONV}|)} 1082 1083\section{Mappings between sets} 1084 1085The \ml{pred\_sets} library contains a few basic definitions and theorems 1086having to do with mappings between sets. A function \ml{f:'a->'b} is an {\it 1087injective\/} (one-to-one) mapping from a set {\small\verb!s:'a->bool!} to a set 1088{\small\verb!t:'b->bool!} if it takes distinct elements of the set \ml{s} to 1089distinct element of the set \ml{t}: 1090 1091\begin{hol} 1092\index{definition!of INJ@of {\ptt INJ}} 1093\index{INJ\_DEF@{\ptt INJ\_DEF}} 1094\begin{verbatim} 1095 INJ_DEF = 1096 |- !f s t. 1097 INJ f s t = 1098 (!x. x IN s ==> (f x) IN t) /\ 1099 (!x y. x IN s /\ y IN s ==> (f x = f y) ==> (x = y)) 1100\end{verbatim}\end{hol} 1101 1102\noindent Likewise, a function \ml{f:'a->'b} is a {\it surjective\/} (onto) 1103mapping from \ml{s} to \ml{t} if for every element \ml{x} of \ml{t} there is 1104some element \ml{y} of \ml{s} for which {\small\verb!f y = x!}: 1105 1106\begin{hol} 1107\index{definition!of SURJ@of {\ptt SURJ}} 1108\index{SURJ\_DEF@{\ptt SURJ\_DEF}} 1109\begin{verbatim} 1110 SURJ_DEF = 1111 |- !f s t. 1112 SURJ f s t = 1113 (!x. x IN s ==> (f x) IN t) /\ 1114 (!x. x IN t ==> (?y. y IN s /\ (f y = x))) 1115\end{verbatim}\end{hol} 1116 1117\noindent Finally, a function \ml{f:'a->'b} is a {\it bijection\/} from \ml{s} 1118to \ml{t} if it is both injective and surjective: 1119 1120\begin{hol} 1121\index{definition!of BIJ@of {\ptt BIJ}} 1122\index{BIJ\_DEF@{\ptt BIJ\_DEF}} 1123\begin{verbatim} 1124 BIJ_DEF = |- !f s t. BIJ f s t = INJ f s t /\ SURJ f s t 1125\end{verbatim}\end{hol} 1126 1127There are a few pre-proved theorems about the predicates \ml{INJ}, \ml{SURJ}, 1128and \ml{BIJ} available in the library; see chapter~\ref{theorems} for a full 1129list of these theorems. 1130 1131The library also contains constant specifications for two functions \ml{LINV} 1132and \ml{RINV}, which yield left and right inverses to injective and surjective 1133mappings respectively. These functions are defined by: 1134 1135\begin{hol} 1136\index{definition!of LINV@of {\ptt LINV}} 1137\index{LINV\_DEF@{\ptt LINV\_DEF}} 1138\index{definition!of RINV@of {\ptt RINV}} 1139\index{RINV\_DEF@{\ptt RINV\_DEF}} 1140\begin{verbatim} 1141 LINV_DEF = |- !f s t. INJ f s t ==> (!x. x IN s ==> (LINV f s(f x) = x)) 1142 RINV_DEF = |- !f s t. SURJ f s t ==> (!x. x IN t ==> (f(RINV f s x) = x)) 1143\end{verbatim}\end{hol} 1144 1145\noindent There are, at present, no additional built-in theorems about these 1146two functions. Furthermore, the definitions of \ml{LINV} and \ml{RINV} shown 1147above should be regarded as only provisional; they may be changed in future 1148versions. 1149 1150\section{Finite and infinite sets} 1151 1152The \ml{pred\_sets} library includes the definition of a predicate called 1153\ml{FINITE}, which is true of finite sets and false of infinite ones. The 1154definition of this constant is shown below. 1155 1156\begin{hol} 1157\index{definition!of FINITE@of {\ptt FINITE}} 1158\index{FINITE\_DEF@{\ptt FINITE\_DEF}} 1159\begin{verbatim} 1160 FINITE_DEF 1161 |- !s. 1162 FINITE s = 1163 (!P. P{} /\ (!s'. P s' ==> (!e. P(e INSERT s'))) ==> P s) 1164\end{verbatim}\end{hol} 1165 1166\noindent That is, a set \ml{s} is finite precisely when it is in the smallest 1167class of sets that contains the empty set and is closed under the \ml{INSERT} 1168operation. This inductive definition makes \ml{FINITE} true of just those sets 1169that can be constructed from the empty set by a finite sequence of applications 1170of the \ml{INSERT} operation. 1171 1172The \ml{pred\_sets} library contains various built-in theorems that follow from 1173the definition of \ml{FINITE} given above. Among these are the two fundamental 1174theorems shown below: 1175 1176\begin{hol} 1177\index{FINITE\_EMPTY@{\ptt FINITE\_EMPTY}} 1178\index{FINITE\_INSERT@{\ptt FINITE\_INSERT}} 1179\begin{verbatim} 1180 FINITE_EMPTY |- FINITE{} 1181 FINITE_INSERT |- !x s. FINITE(x INSERT s) = FINITE s 1182\end{verbatim}\end{hol} 1183 1184\noindent These state that the empty set is indeed finite and insertion 1185constructs finite sets only from other finite sets. See chapter~\ref{theorems} 1186for other built-in theorems about finite sets. 1187 1188The above definition of \ml{FINITE} formalizes the notion of a finite set in 1189logic, and it therefore also determines the form of definition for the 1190complementary notion of an infinite set. In the \ml{pred\_sets} library, the 1191predicate \ml{INFINITE} is defined as follows: 1192 1193\begin{hol} 1194\index{definition!of INFINITE@of {\ptt INFINITE}} 1195\index{INFINITE\_DEF@{\ptt INFINITE\_DEF}} 1196\begin{verbatim} 1197 INFINITE_DEF |- !s. INFINITE s = ~FINITE s 1198\end{verbatim}\end{hol} 1199 1200\noindent There are a few consequences of this definition stored in the 1201\ml{pred\_sets} library. The following theorem, for example, states that the 1202image of an injective function on an infinite set is infinite: 1203 1204\begin{hol} 1205\index{IMAGE\_11\_INFINITE@{\ptt IMAGE\_11\_INFINITE}} 1206\begin{verbatim} 1207 IMAGE_11_INFINITE 1208 |- !f. (!x y. (f x = f y) ==> (x = y)) ==> 1209 (!s. INFINITE s ==> INFINITE(IMAGE f s)) 1210\end{verbatim}\end{hol} 1211 1212\noindent Other built-in theorems about \ml{INFINITE} can be found in 1213chapter~\ref{theorems}. 1214 1215\subsection{Theorem-proving support} 1216 1217There are two \ML\ functions in the \ml{pred\_sets} library for reasoning about 1218propositions that involve the finiteness predicate \ml{FINITE}. 1219The\index{FINITE\_CONV@{\ptt FINITE\_CONV}|(} 1220\index{conversions!FINITE\_CONV@{\ptt FINITE\_CONV}|(} first of these is a 1221conversion \ml{FINITE\_CONV} which automatically proves that sets of the form 1222{\small\verb!"{!\tt$t_1$,\dots,$t_n$\verb!}"!} are finite. Evaluating 1223 1224\begin{hol} 1225\begin{alltt} 1226 FINITE\_CONV "FINITE \lb\m{t\sb{1}},\dots,\m{t\sb{n}}\rb";; 1227\end{alltt}\end{hol} 1228 1229\noindent yields the theorem 1230{\small\verb!|- FINITE {!\tt$t_1$,\dots,$t_n$\verb!} = T!}.% 1231\index{FINITE\_CONV@{\ptt FINITE\_CONV}|)}% 1232\index{conversions!FINITE\_CONV@{\ptt FINITE\_CONV}|)} 1233 1234The\index{SET\_INDUCT\_TAC@{\ptt SET\_INDUCT\_TAC}|(} 1235\index{tactics!SET\_INDUCT\_TAC@{\ptt SET\_INDUCT\_TAC}|(} 1236second \ML\ function for 1237reasoning about the predicate \ml{FINITE} is an induction tactic called 1238\ml{SET\_INDUCT\_TAC}. When applied to a goal of the form 1239{\small\verb!"!!$s$\verb!. FINITE !$s$\verb! ==> !$P$\verb!"!}, this tactic 1240reduces it to proving that the property of sets expressed by 1241{\small\verb!\!$s$\verb!.!$P$} holds of the empty set and is preserved by the 1242insertion of an element into an arbitrary finite set. Since every finite set 1243can be built up from the empty set by repeated insertion of values, these 1244subgoals imply that this property holds of all finite sets. 1245 1246The following session illustrates the use of the tactic \ml{SET\_INDUCT\_TAC} 1247for proving that the intersection of an arbitrary set \ml{t} with a finite set 1248\ml{s} is finite. We first set up an appropriate goal: 1249 1250\setcounter{sessioncount}{1} 1251\begin{session} 1252\begin{verbatim} 1253#g "!s:'a->bool. FINITE s ==> !t. FINITE(s INTER t)";; 1254"!s. FINITE s ==> (!t. FINITE(s INTER t))" 1255 1256() : void 1257\end{verbatim}\end{session} 1258 1259\noindent Expanding with \ml{SET\_INDUCT\_TAC} yields: 1260 1261\begin{session} 1262\begin{verbatim} 1263#expand SET_INDUCT_TAC;; 1264OK.. 12652 subgoals 1266"!t. FINITE((e INSERT s) INTER t)" 1267 [ "FINITE s" ] 1268 [ "!t. FINITE(s INTER t)" ] 1269 [ "~e IN s" ] 1270 1271"!t. FINITE({} INTER t)" 1272 1273() : void 1274\end{verbatim}\end{session} 1275 1276\noindent The resulting subgoals are easy to prove, given the two basic 1277theorems \ml{FINITE\_EMPTY} and \ml{FINITE\_INSERT} shown in the previous 1278section. Note that it may be assumed in the step case that the value \ml{e} 1279being inserted into the set \ml{s} is not already an element of 1280\ml{s}.\index{SET\_INDUCT\_TAC@{\ptt SET\_INDUCT\_TAC}|)}% 1281\index{tactics!SET\_INDUCT\_TAC@{\ptt SET\_INDUCT\_TAC}|)} 1282 1283\section{Cardinality of finite sets} 1284 1285The {\it cardinality\/} of a finite set is the number of elements it contains. 1286In the \ml{pred\_sets} library, this is formalized by a constant \ml{CARD} 1287defined by means of the following constant specification: 1288 1289\begin{hol} 1290\index{definition!of CARD@of {\ptt CARD}} 1291\index{CARD\_DEF@{\ptt CARD\_DEF}} 1292\begin{verbatim} 1293 CARD_DEF 1294 |- (CARD{} = 0) /\ 1295 (!s. 1296 FINITE s ==> 1297 (!x. CARD(x INSERT s) = (x IN s => CARD s | SUC(CARD s)))) 1298\end{verbatim}\end{hol} 1299 1300\noindent This theorem is the sole defining property of \ml{CARD}. Because the 1301equation in the second clause holds only under the assumption that \ml{s} is 1302finite, this form of definition allows nothing significant to be deduced about 1303the cardinality `\ml{CARD s}' of an {\it infinite\/} set \ml{s}. 1304 1305The built-in theorems about cardinality are all restricted to finite sets only, 1306either implicitly as in the theorem: 1307 1308\begin{hol} 1309\index{CARD\_SING@{\ptt CARD\_SING}} 1310\begin{verbatim} 1311 CARD_SING |- !x. CARD{x} = 1 1312\end{verbatim}\end{hol} 1313 1314\noindent or explicitly, as in: 1315 1316\begin{hol} 1317\index{FINITE\_ISO\_NUM@{\ptt FINITE\_ISO\_NUM}} 1318\begin{verbatim} 1319 FINITE_ISO_NUM 1320 |- !s:'a->bool. 1321 FINITE s ==> 1322 (?f:num->'a. 1323 (!n m. 1324 n < (CARD s) /\ m < (CARD s) ==> (f n = f m) ==> (n = m)) /\ 1325 (s = {f n | n < (CARD s)})) 1326\end{verbatim}\end{hol} 1327 1328\noindent This second theorem states that the elements of a finite set can 1329always be put into a one-to-one correspondence with the natural numbers less 1330than the set's cardinality---i.e. the elements of a finite set \ml{s} can be 1331numbered \ml{0}, \ml{1}, \dots, {\small\verb!(CARD s)-1!}. Other theorems 1332involving the cardinality function \ml{CARD} can be found in 1333chapter~\ref{theorems}. 1334 1335\section{Using the library}\label{using} 1336 1337The \ml{pred\_sets} library is loaded into a user's \HOL\ session using the 1338function \ml{load\_library} (see the \HOL\ manual for a general description of 1339library loading). The first action in the load sequence is to update the 1340internal \HOL\ search paths. A pathname to the library is added to the search 1341path so that theorems may be autoloaded from the library theory 1342\ml{pred\_sets}; and the \HOL\ help search path is updated with a pathname to 1343online help files for the \ML\ functions in the library. 1344 1345After the search paths are updated, the actions taken by the load sequence for 1346\ml{pred\_sets} depend on the current state of the \HOL\ session. If the system 1347is in draft mode, the library theory \ml{pred\_sets} is added as a new parent 1348to the current theory. If the system is not in draft mode, but the current 1349theory is an ancestor of the \ml{pred\_sets} theory in the library (e.g.\ the 1350user is in a fresh \HOL\ session) then \ml{pred\_sets} is made the current 1351theory. In both cases, the \ML\ functions provided by the library are loaded 1352into \HOL\, and all the theorems in the library (including definitions) are set 1353up to be autoloaded on demand. The parser and pretty-printer for the notation 1354described above in sections~\ref{abst} and~\ref{finite} are then activated, and 1355the \ML\ functions provided by the library for reasoning about sets are loaded. 1356The \ml{pred\_sets} library is then fully loaded into the user's \HOL\ session. 1357 1358\subsection{Example session} 1359 1360The following session shows how the \ml{pred\_sets} library may be loaded using 1361\ml{load\_library}. Suppose, beginning in a fresh \HOL\ session, the user 1362wishes to create a theory \ml{foo} whose parents include the theory 1363\ml{pred\_sets} in the library. This may be done as follows: 1364 1365\setcounter{sessioncount}{1} 1366\begin{session} 1367\begin{alltt} 1368#new_theory `foo`;; 1369() : void 1370 1371#load_library `pred_sets`;; 1372 \(\vdots\) 1373Library pred_sets loaded. 1374() : void 1375\end{alltt}\end{session} 1376 1377\noindent Loading the library while drafting the theory \ml{foo} makes the 1378library theory \ml{pred\_sets} into a parent of \ml{foo}. The same effect 1379could have been achieved (in a fresh session) by first loading the library and 1380then creating \ml{foo}: 1381 1382\setcounter{sessioncount}{1} 1383\begin{session} 1384\begin{alltt} 1385#load_library `pred_sets`;; 1386 \(\vdots\) 1387Library pred_sets loaded. 1388() : void 1389 1390#new_theory `foo`;; 1391() : void 1392\end{alltt}\end{session} 1393 1394\noindent The theory \ml{pred\_sets} is first made the current theory of the 1395new session. It then automatically becomes a parent of \ml{foo} when this 1396theory is created by \ml{new\_theory}. 1397 1398Now, suppose that \ml{foo} has been created as shown above, and the user does 1399some work in this theory, quits \HOL, and in a later session wishes to load the 1400theory \ml{foo}. This must be done by {\it first\/} loading the 1401\ml{pred\_sets} library and {\it then\/} loading the theory \ml{foo}. 1402 1403\setcounter{sessioncount}{1} 1404\begin{session} 1405\begin{alltt} 1406#load_library `pred_sets`;; 1407 \(\vdots\) 1408Library pred_sets loaded. 1409() : void 1410 1411#load_theory `foo`;; 1412Theory foo loaded 1413() : void 1414\end{alltt}\end{session} 1415 1416\noindent This sequence of actions ensures that the system can find the parent 1417theory \ml{pred\_sets} when it comes to load \ml{foo}, since loading the 1418library updates the search path. 1419 1420\subsection{The {\tt load\_pred\_sets} function}% 1421\index{load\_pred\_sets@{\ptt load\_pred\_sets}|(} 1422 1423The \ml{pred\_sets} library may in many cases simply be loaded into the system 1424as illustrated by the examples given above. There are, however, certain 1425situations in which the library cannot be fully loaded at the time when the 1426\ml{load\_library} is used. This occurs when the system is not in draft mode 1427and the current theory is not an ancestor of the theory \ml{pred\_sets}. In 1428this case, loading the library can (and will) update the search paths. But the 1429theory \ml{pred\_sets} can neither be made into a parent of the current theory 1430nor be made the current theory. This means that autoloading from the library 1431can not at this stage be activated; and the \ML\ code in the library can not be 1432loaded into \HOL, since it requires access to some of the theorems in the 1433library. 1434 1435In the situation described above---when the system is not in draft mode and the 1436current theory is not an ancestor of the theory \ml{pred\_sets}---the library 1437load sequence defines an \ML\ function called \ml{load\_pred\_sets} in the 1438current \HOL\ session. If at a future point in the session the \ml{pred\_sets} 1439theory (now accessible via the search path) becomes an ancestor of the current 1440theory, this function can then be used to complete loading of the library. 1441Evaluating {\small\verb!load_pred_sets()!} in such a context loads the \ML\ 1442functions of the \ml{pred\_sets} library into \HOL\ and activates autoloading 1443from its theory files. It also activates the parser and pretty-printer support 1444for set abstractions and finite sets. The function \ml{load\_pred\_sets} fails 1445if the theory \ml{pred\_sets} is not an ancestor of the current \HOL\ theory. 1446 1447Note that the function \ml{load\_pred\_sets} becomes available upon loading the 1448\ml{pred\_sets} library only if the library theory \ml{pred\_sets} at the point 1449of loading the library can neither be made into a new parent (i.e.\ the system 1450is not in draft mode) nor be made the current 1451theory.\index{load\_pred\_sets@{\ptt load\_pred\_sets}|)} 1452