1% Document Type: LaTeX
2
3\chapter{The \resquan\ Library}
4
5The \resquan\ library provides some basic facilities for working with
6restricted quantifications. It consists of a single theory \verb|res_quan.th|,
7which contains a number of theorems about the properties of some
8restricted quantifiers, and a set of ML functions for dealing with
9these quantifiers. It also contains some conditional
10rewriting tools which can be loaded as a separate library part.
11
12The description in this chapter begins with a brief introduction to
13the syntax for restricted quantification. This is followed by an
14overview of the ML functions available in the library and a
15description of the theory \verb|res_quan.th|. A complete reference
16manual for all ML functions appears in Chapter~2. The last chapter
17lists all theorems in the \verb|res_quan.th|.
18
19\section{Syntax for restricted quantification}
20
21Since Version 2.0, \HOL\ provides parser and pretty printer support
22for restricted quantification. This notation allows terms of the form
23\[
24\con{Q}\,x ::P.\, t[x],
25\]
26where \con{Q} is a quantifier and
27if $x:\alpha$ then $P$ can be any term of type $\alpha\fun\bool$; this
28denotes the quantification of $x$ over those values satisfying $P$.
29The qualifier {\small\verb|::|} can be used with {\small\verb|\|} and any
30binder, including user defined ones. The appropriate meanings are
31predefined for {\small\verb|\|} and the built-in binders
32{\small\verb|!|}, {\small\verb|?|} and {\small\verb|@|}.
33This syntax automatically translates as follows:
34
35\begin{hol}
36{\small\verb%   \%}$v${\small\verb%::%}$P${\small\verb%.%}$tm${\small\verb%    <---->   %}\con{RES\_ABSTRACT}\ $P${\small\verb% (\%}$v${\small\verb%.%}$tm${\small\verb%)%}\\
37{\small\verb%   !%}$v${\small\verb%::%}$P${\small\verb%.%}$tm${\small\verb%    <---->   %}\con{RES\_FORALL}\ \ \ $P${\small\verb% (\%}$v${\small\verb%.%}$tm${\small\verb%)%}\\
38{\small\verb%   ?%}$v${\small\verb%::%}$P${\small\verb%.%}$tm${\small\verb%    <---->   %}\con{RES\_EXISTS}\ \ \ $P${\small\verb% (\%}$v${\small\verb%.%}$tm${\small\verb%)%}\\
39{\small\verb%   @%}$v${\small\verb%::%}$P${\small\verb%.%}$tm${\small\verb%    <---->   %}\con{RES\_SELECT}\ \ \ $P${\small\verb% (\%}$v${\small\verb%.%}$tm${\small\verb%)%}
40\end{hol}
41
42The constants \con{RES\_ABSTRACT}, \con{RES\_FORALL}, \con{RES\_EXISTS} and
43\con{RES\_SELECT} are defined in the theory \ml{bool} to provide
44semantics for these restricted quantifiers as follows:
45
46\begin{hol}\begin{verbatim}
47   RES_ABSTRACT P tm  =  \x:*. (P x => tm x | ARB:**)
48
49   RES_FORALL   P tm  =  !x:*. P x ==> tm x
50
51   RES_EXISTS   P tm  =  ?x:*. P x /\ tm x
52
53   RES_SELECT   P tm  =  @x:*. P x /\ tm x
54\end{verbatim}\end{hol}
55
56\noindent where the constant \con{ARB} is defined in the theory \ml{bool} by:
57
58\begin{hol}\begin{verbatim}
59   ARB  =  @x:*. T
60\end{verbatim}\end{hol}
61
62User-defined binders can also have restricted forms, which are set up
63with the function:
64
65\begin{holboxed}\index{associate_restriction@\ml{associate\_restriction}}
66\begin{verbatim}
67   associate_restriction : (string # string) -> *
68\end{verbatim}\end{holboxed}
69
70
71\noindent If \m{B} is the name
72of a binder and \ml{RES\_}$B$ is the name of a suitable constant (which
73must be explicitly defined), then executing:
74
75\begin{hol}
76{\small\verb%   associate_restriction(`%}\m{B}{\small\verb%`, `RES_%}\m{B}{\small\verb%`)%}
77\end{hol}
78
79\noindent will cause the parser and pretty-printer to support:
80
81\begin{hol}
82{\small\verb%   %}$B$ $v${\small\verb%::%}$P${\small\verb%. %}$tm${\small\verb%    <---->   RES_%}$B$ $P${\small\verb% (\%}$v${\small\verb%. %}$tm${\small\verb%)%}
83\end{hol}
84
85\noindent Note that associations between user defined binders and their
86restrictions are not stored in theory files, so they have to be set up
87for each \HOL\ session (e.g. with a {\small\verb%hol-init.ml%} initialization file).
88
89The flag \ml{print\_restrict} has default \ml{true}, but if set to
90\ml{false} will
91disable the pretty printing. This is useful for seeing what the
92semantics of particular restricted abstractions are.
93Here is an example session:
94
95\setcounter{sessioncount}{1}
96\begin{session}\begin{verbatim}
97#"!x y::P. x<y";;
98"!x y :: P. x < y" : term
99
100#set_flag(`print_restrict`, false);;
101true : bool
102
103#"!x y::P. x<y";;
104"RES_FORALL P(\x. RES_FORALL P(\y. x < y))" : term
105
106#"?(x,y) p::(\(m,n).m<n). p=(x,y)";;
107"RES_EXISTS
108 (\(m,n). m < n)
109 (\(x,y). RES_EXISTS(\(m,n). m < n)(\p. p = x,y))"
110: term
111
112#"\x y z::P.[0;x;y;z]";;
113"RES_ABSTRACT P(\x. RES_ABSTRACT P(\y. RES_ABSTRACT P(\z. [0;x;y;z])))"
114: term
115\end{verbatim}\end{session}
116
117The syntax for restricted quantification provides a method of
118simulating subtypes and dependent types; the qualifying predicate $P$ can be
119an arbitrary term containing parameters. For example:
120{\small\verb|!|}$w${\small\verb|::|}$\con{Word}(n)${\small\verb|. |}$t[w]$,
121for a suitable constant \con{Word}, simulates a quantification over the
122`type' of $n$-bit words.\footnote{This approach is used in the library
123{\tt word} to model bit vectors.}
124
125\section{The theory {\tt res\_quan.{}th}}
126
127This theory contains a small number of theorems about the restricted
128universal quantifier and restricted existential quantifier.
129The following four theorems state the distributivity property of these
130quantifiers across conjunction and disjunction.
131\begin{verbatim}
132 RESQ_FORALL_CONJ_DIST
133  |- !P Q R.
134     (!(i:*) :: P. (Q i /\ R i)) = (!i :: P. Q i) /\ (!i :: P. R i)
135
136 RESQ_FORALL_DISJ_DIST
137  |- !P Q R.
138     (!(i:*) :: \i. P i \/ Q i. R i) = (!i :: P. R i) /\ (!i :: Q. R i)
139
140 RESQ_EXISTS_DISJ_DIST
141  |- !P Q R.
142     (?(i:*) :: P. (Q i \/ R i)) = (?i :: P. Q i) \/ (?i :: P. R i)
143
144 RESQ_DISJ_EXISTS_DIST
145  |- !P Q R.
146     (?(i:*) :: \i. P i \/ Q i. R i) = (?i :: P. R i) \/ (?i :: Q. R i)
147\end{verbatim}
148
149The theorems \ml{RESQ\_FORALL\_REORDER} and \ml{RESQ\_EXISTS\_REORDER}
150state the reordering property of these quantifiers.
151\begin{verbatim}
152 RESQ_FORALL_REORDER
153  |- !(P:*->bool) (Q:**->bool) (R:*->**->bool).
154      (!i :: P. !j :: Q. R i j) = (!j :: Q. !i :: P. R i j)
155
156 RESQ_EXISTS_REORDER
157  |- !(P:*->bool) (Q:**->bool) (R:*->**->bool).
158      (?i :: P. ?j :: Q. R i j) = (?j :: Q. ?i :: P. R i j)
159\end{verbatim}
160The theorem \ml{RESQ\_FORALL\_FORALL} states the reordering property of
161the restricted universal quantifier and the ordinary universal
162quantifier.
163\begin{verbatim}
164 RESQ_FORALL_FORALL
165  |- !(P:*->bool) (R:*->**->bool) x.
166      (!x. !i :: P. R i x) = (!i :: P. !x. R i x)
167\end{verbatim}
168
169\section{ML functions}
170
171The ML functions available when this library is loaded can be divided
172into six groups: conditional rewriting tools, syntax functions,
173derived rules, conversions, tactics, and constant definitions. They
174will be described in separate subsections.
175
176\subsection{Conditional rewriting tools}
177
178The conditional rewriting tools are not specific for restricted
179quantifiers. They are available as a separate part of the library
180which can be loaded into \HOL\ without loading other functions in this
181library. This is done by the command
182\begin{verbatim}
183 load_library `res_quan:cond_rewrite`;;
184\end{verbatim}
185
186The conditional rewriting tools consists of a simple tactic which is
187for use in goal-directed proof and a simple conversion which is
188usually used in forward proof.
189
190\subsubsection{Conditional theorems}
191
192Both the conditional rewriting tactic and conversion require a theorem
193to do the rewriting. This theorem should be an implication whose
194consequence is an equation, i.e., it should be of the following form:
195\begin{equation}
196   A \vdash \forall\,x_1 \ldots x_n\DOT P_1 \IMP \ldots P_m \IMP
197 (Q[x_1,\ldots,x_n] = R[x_1,\ldots,x_n]) \label{eq-cond-thm}
198\end{equation}
199where $x_1, \ldots, x_n$ are the only variables that occur free in the
200left-hand side of the conclusion of the theorem but do not occur free
201in the assumptions. Futhermore, none of the antecedents
202$P_1,\ldots,P_n$ should be
203conjunctions. The idea of  conditional rewriting is that the
204antecedents of this input theorem are treated as conditions which have
205to be satisfied before the equation $Q[x_1,\ldots,x_n] = R[x_1,\ldots,x_n]$
206can be used to rewrite a term.
207
208The ML function \ml{COND\_REWR\_CANON} transforms a theorem
209into the canonical form in~\ref{eq-cond-thm}. The antecedents of the
210input theorem to \ml{COND\_REWR\_CANON} may contain conjunctions and
211quantification. For example, suppose that {\tt th} is the theorem
212\begin{equation}
213   A \vdash \forall\,x\DOT P_1\,x \IMP  \forall y\,z.(P_2\,y \AND P_3\,z) \IMP
214 (\forall t. Q[x,y,z,t] = R[x,y,z,t]) \label{eq-cond-thm2}
215\end{equation}
216then \verb|COND_REWR_CANON th| returns the theorem
217\[
218   A \vdash \forall\,x\,y\,z\,t\DOT P_1\,x \IMP P_2\,y \IMP P_3\,z \IMP
219 (Q[x,y,z,t] = R[x,y,z,t])
220\]
221That is all universal quantifications are moved to the outer most level
222and conjunctions in the antecedents are converted to implication.
223
224\subsubsection{Conditional rewriting tactic}
225
226The basic conditional rewriting tactic is
227\begin{holboxed}
228\begin{verbatim}
229   COND_REWRITE1_TAC : thm_tactic
230\end{verbatim}
231\end{holboxed}
232Suppose {\tt th} is the theorem in~\ref{eq-cond-thm2},
233the effects of applying the tactic $\ml{COND\_REWRITE1\_TAC}\;th$ to the
234goal $(asm,gl)$ is that
235\begin{itemize}
236\item  all instances of $Q$ in the goal $gl$ are
237	replaced by corresponding instances of $R$, and
238\item the instances of the antecedents $P_i$ which do not appear in
239	the assumption $asm$ become new subgoals.
240\end{itemize}
241
242This tactic is implemented using a lower level tactic \ml{COND\_REWR\_TAC}.
243The theorem $th$ supplied to \ml{COND\_REWRITE1\_TAC} is processed by
244\ml{COND\_REWR\_CANON} first. The resulting theorem is passed to the low
245level conditional rewriting tactic \ml{COND\_REWR\_TAC} together with a
246search function \ml{search\_top\_down}. This function determines how to
247find the instantiations. By calling \ml{COND\_REWR\_TAC} with different
248search function, other conditional rewriting strategy can be
249implemented. The details of the tactics and search functions can be
250found in the reference entries in Chapter~2.
251Note that the {\tt 1} in the name of the tactic indicates that it
252takes only a single theorem as its argument.
253
254\subsubsection{Conditional rewriting conversion}
255
256The basic conditional rewriting conversion is
257\begin{holboxed}
258\begin{verbatim}
259   COND_REWRITE1_CONV : (thm list -> thm -> conv)
260\end{verbatim}
261\end{holboxed}
262which performs conversion in a way similar to the conditional
263rewriting tactics. The difference is that the instances of the
264antecedents are added to the list of assumptions of the resulting theorem. The
265extra argument to this conversion is a list of theorems which are
266used to eliminate instances of the antecedents from the assumptions.
267
268\subsection{Syntax functions}
269
270There are term constructors, term destructors and term testers for the
271four built-in restricted quantifiers. There are also iterative
272constructors and destructors for the restricted universal and
273existential quantifiers. Their names and types are:
274\begin{holboxed}
275\begin{verbatim}
276mk_resq_forall = - : ((term # term # term) -> term)
277mk_resq_exists = - : ((term # term # term) -> term)
278mk_resq_select = - : ((term # term # term) -> term)
279mk_resq_abstract = - : ((term # term # term) -> term)
280list_mk_resq_forall = - : (((term # term) list # term) -> term)
281list_mk_resq_exists = - : (((term # term) list # term) -> term)
282
283dest_resq_forall = - : (term -> (term # term # term))
284dest_resq_exists = - : (term -> (term # term # term))
285dest_resq_select = - : (term -> (term # term # term))
286dest_resq_abstract = - : (term -> (term # term # term))
287strip_resq_forall = - : (term -> ((term # term) list # term))
288strip_resq_exists = - : (term -> ((term # term) list # term))
289
290is_resq_forall = - : (term -> bool)
291is_resq_exists = - : (term -> bool)
292is_resq_select = - : (term -> bool)
293is_resq_abstract = - : (term -> bool)
294\end{verbatim}
295\end{holboxed}
296
297\subsection{Derived rules}
298
299The introduction and elimination rules for the restricted universal
300quantifier are \ml{RESQ\_SPEC} and \ml{RESQ\_GEN} which are in analogy
301to the rules for the universal quantifier. The specification of these
302rules are:
303\[
304\frac{\Gamma \THM \forall x :: P. t[x]}{\Gamma,P\,x'\THM t[x'/x]}
305\quad\mbox{{\tt RESQ\_SPEC "x'"}}
306\]
307\[
308\frac{\Gamma,P\,x\THM t[x]}{\Gamma \THM \forall x :: P. t[x]}
309\quad\mbox{{\tt RESQ\_GEN "x" "P"}}
310\]
311There is an extra rule \ml{RESQ\_HALF\_SPEC} which transform a
312restricted universal quantification into its underlying semantic
313representation, namely an implication.
314\[
315\frac{\Gamma \THM \forall x :: P. t[x]}{\Gamma \THM\forall x. P\,x\IMP t[x]}
316\quad\mbox{{\tt RESQ\_HALF\_SPEC}}
317\]
318
319There are iterative versions of the introduction and elimination rules:
320\begin{holboxed}
321\begin{verbatim}
322RESQ_SPECL = - : (term list -> thm -> thm)
323RESQ_SPEC_ALL = - : (thm -> thm)
324
325RESQ_GENL = - : (term list -> thm -> thm)
326RESQ_GEN_ALL = - : (thm -> thm)
327\end{verbatim}
328\end{holboxed}
329
330Since instantiation of a theorem is a very common operation, for
331convenience, the following ML functions are provided to instantiate a
332theorem with a mixture of ordinary and restricted universal quantifiers:
333\begin{holboxed}
334\begin{verbatim}
335GQSPEC = - : tm -> thm -> thm
336GQSPECL : term list -> thm -> thm
337GQSPEC_ALL : thm -> thm
338\end{verbatim}
339\end{holboxed}
340
341The rule for eliminating restricted existential quantification is
342\ml{RESQ\_HALF\_EXISTS} whose specification is:
343\[
344\frac{\Gamma \THM \exists x:: P. t[x]}{\Gamma \THM \exists x. P\,x
345\AND t[x]}\quad\mbox{{\tt RESQ\_HALF\_EXISTS}}
346\]
347This function only transforms the restricted existential quantifier to
348an ordinary existential quantifier.
349
350The function \ml{RESQ\_MATCH\_MP} eliminates a restricted universal
351quantifier using an instance of the condition. Its specification is:
352\[
353\frac{\Gamma_1 \THM \forall x::P. t[x]\qquad\Gamma_2\THM P\,x'}
354{\Gamma_1 \cup \Gamma_2 \THM t[x'/x]}\quad\mbox{{\tt RESQ\_MATCH\_MP}}
355\]
356
357\subsection{Conversions}
358
359There are a number of conversions for manipulating restricted
360universal quantification. The conversion \ml{RESQ\_FORALL\_CONV}
361converts a restricted universal quantification to its underlying
362semantic representation, namely an implication. For example,
363evaluating the ML expression
364\verb|RESQ_FORALL_CONV "!x :: P. t[x]"| returns the following theorem:
365\[
366\THM \forall x :: P. t[x] = \forall x. P x \IMP t[x]
367\]
368The ML function
369\ml{IMP\_RESQ\_FORALL\_CONV} performs the reverse conversion. The ML
370function \ml{LIST\_RESQ\_FORALL\_CONV} is an iterative version of
371\ml{RESQ\_FORALL\_CONV} which converts a term having multiple
372restricted universal quantifiers at the outer level.
373
374The conversions \ml{RESQ\_FORALL\_AND\_CONV} and
375\ml{AND\_RESQ\_FORALL\_CONV} move the restricted universal
376quantification in and out of a conjunction, respectively.
377The conversion \linebreak\ml{RESQ\_FORALL\_SWAP\_CONV} changes the order of two
378restricted universal quantifications. For instance, evaluating the
379following ML expression
380\begin{verbatim}
381   RESQ_FORALL_SWAP_CONV "!i :: P. !j :: Q. R"
382\end{verbatim}
383returns the theorem:
384\[
385\THM (\forall i :: P. \forall j :: Q. R) = (\forall j :: Q. \forall i :: P. R)
386\]
387providing that $i$ does not occur free in $Q$ and $j$ does not occur
388free in $P$.
389
390The conversion \ml{RESQ\_EXISTS\_CONV} transforms a restricted
391existential quantification to its underlying semantic representation.
392For instance, \verb|RESQ_EXISTS_CONV "?x::P. t"| returns the theorem
393\[
394\THM \exists x::P. t = \exists x. P x \AND t[x]
395\]
396
397A rewriting conversion \ml{RESQ\_REWRITE1\_CONV} uses a restricted
398universal quantified equation to rewrite a term. For instance, if {\tt
399th} is a theorem of the following form:
400\[
401\THM \forall x::P. u[x] = v[x]
402\]
403and {\tt tm} is a term containing some instances of $u$,
404then \verb|RESQ_REWRITE1_CONV ths th tm| will return the theorem
405\[
406\Gamma \THM tm = tm'
407\]
408where $tm'$ is obtained by replacing all instances of $u$ by
409corresponding instances of $v$ and $\Gamma$ contains instances of $P$
410which cannot be eliminated by the theorems in the list {\tt ths}. This
411conversion is implemented using the conditional rewriting conversion
412\ml{COND\_REWRITE1\_CONV}.
413
414\subsection{Tactics}
415
416The simple tactics \ml{RESQ\_GEN\_TAC} and \ml{RESQ\_EXISTS\_TAC} are
417provided for stripping of a restricted universal or existential
418quantifier, respectively. They reduce a restricted quantified goal to
419a goal in the underlying semantic representation. They are in analogy
420to \ml{GEN\_TAC} and \ml{EXISTS\_TAC}.
421
422The resolution tactics and tactical listed below are in analogy to
423\ml{RES\_TAC}, \ml{IMP\_RES\_TAC}, \ml{RES\_THEN} and
424\ml{IMP\_RES\_THEN}.
425\begin{holboxed}
426\begin{verbatim}
427RESQ_RES_THEN : (thm_tactic -> tactic)
428RESQ_IMP_RES_THEN : thm_tactical
429RESQ_RES_TAC : tactic
430RESQ_IMP_RES_TAC : thm_tactic
431\end{verbatim}
432\end{holboxed}
433The theorem-tactic \ml{RESQ\_IMP\_RES\_TAC} uses a restricted universally
434quantified theorem as if it is an implication to perform resolution.
435Similarly, the tactic \ml{RESQ\_RES\_TAC} uses a restricted universally
436quantified assumption as if it is an implication to
437perform resolution against other assumptions.
438
439The theorem-tactic \ml{RESQ\_REWRITE1\_TAC} uses a restricted universally
440quantified theorem to perform conditional rewriting.
441For instance, if {\tt th} is the following theorem
442\[
443\THM \forall x::P. u[x] = v[x]
444\]
445then applying the tactic \verb|RESQ_REWRITE1_TAC th| to a goal {\tt
446gl} will reduce it to one or more subgoals {\tt gl0}, \ldots, {\tt
447gln}. The main subgoal {\tt gl0} is obtained by replacing instances of
448$u$ in {\tt gl} with corresponding instances of $v$. The new subgoals
449are the instances of $P$ which do not occur in the assumption of $gl$.
450
451
452\subsection{Constant definitions}
453
454
455This library provides support for defining constants whose arguments
456can be restricted quantified variables. For example, one can defined a constant
457\con{C} by the following equation:
458\begin{eqnarray*}
459\lefteqn{\forall x_1::P_1. \ldots \forall x_n::P_n.} \\
460 & &  \mbox{{\sf C}}\, y\, x_1 \ldots x_n\, z = t[y,x_1,\ldots,x_n,z]
461\end{eqnarray*}
462The constant \con{C} may be an ordinary constant, or it may have
463either `infix' or `binder' status. The ML functions for defining
464restricted quantified constants are:
465\begin{holboxed}
466\begin{verbatim}
467new_resq_definition        : (string # term) -> thm
468new_infix_resq_definition  : (string # term) -> thm
469new_binder_resq_definition : (string # term) -> thm
470\end{verbatim}
471\end{holboxed}
472Suppose {\tt tm} is the term shown above, evaluating the ML expression
473\begin{verbatim}
474   new_resq_definition(`C_DEF`,tm)
475\end{verbatim}
476will store the definition under
477the name \verb|C_DEF| in the current theory. The definition is
478returned as the value of the expression.
479
480
481