The Nominal Datatype Package in Isabelle/HOL

Christian Urban, University of Munich
joint work with Stefan Berghofer, Markus Wenzel, Alexander Krauss, ...

Nottingham, 18 April 2006
The POPLmark Challenge

"How close are we to a world where programming language papers are routinely supported by machine-checked metatheory proofs, where full-scale language definitions are expressed in machine-processed mathematics...?"

Obviously we aren't there yet: for binders, reasonably powerful tools are available, de Bruijn indices (in Coq, Isabelle, ...) or HOAS (mainly in Twelf), but apart from some theorem-proving experts nobody seems to use them; non-experts still routinely do their proofs on paper only.

The aim of the nominal datatype package is to support the kind of reasoning that is employed on paper. The hope is: if you can do formal proofs on paper, then you can implement them in Isabelle/HOL with ease. That is not a trivial task.
Substitution Lemma: If $x \not\equiv y$ and $x \notin FV(L)$, then
$M[x:=N][y:=L] \equiv M[y:=L][x:=N[y:=L]]$.

Proof: By induction on the structure of $M$.

Case 1: $M$ is a variable.
Case 1.1. $M \equiv x$. Then both sides equal $N[y:=L]$ since $x \not\equiv y$.
Case 1.2. $M \equiv y$. Then both sides equal $L$, for $x \notin FV(L)$ implies $L[x:=N[y:=L]] \equiv L$.
Case 1.3. $M \equiv z \not\equiv x, y$. Then both sides equal $z$.

Case 2: $M \equiv \lambda z.M_1$. By the variable convention we may assume $z \not\equiv x, y$ and that $z$ is not free in $N, L$. Then by induction hypothesis
$(\lambda z.M_1)[x:=N][y:=L] \equiv \lambda z.(M_1[x:=N][y:=L]) \equiv \lambda z.(M_1[y:=L][x:=N[y:=L]]) \equiv (\lambda z.M_1)[y:=L][x:=N[y:=L]]$.

Case 3: $M \equiv M_1 M_2$. The statement follows again from the induction hypothesis.

This is a simple example illustrating a point. We have already implemented much more complicated proofs, e.g. Church-Rosser, SN, transitivity of subtyping in POPLmark, etc.

Remember: only if $y \not\equiv x$ and $x \notin FV(N)$ does $(\lambda y.M)[x:=N] \equiv \lambda y.(M[x:=N])$ hold. Spelling out the chain of Case 2 with the side condition each step needs:

$(\lambda z.M_1)[x:=N][y:=L]$
$\equiv (\lambda z.(M_1[x:=N]))[y:=L]$ (needs $z \not\equiv x$, $z \notin FV(N)$)
$\equiv \lambda z.(M_1[x:=N][y:=L])$ (needs $z \not\equiv y$, $z \notin FV(L)$)
$\equiv \lambda z.(M_1[y:=L][x:=N[y:=L]])$ (IH)
$\equiv (\lambda z.(M_1[y:=L]))[x:=N[y:=L]]$ (needs $z \not\equiv x$, $z \notin FV(N[y:=L])$ !)
$\equiv (\lambda z.M_1)[y:=L][x:=N[y:=L]]$ (needs $z \not\equiv y$, $z \notin FV(L)$)

The step marked ! needs $z \notin FV(N[y:=L])$, which the convention does not state literally; it follows from $z$ being fresh for both $N$ and $L$.
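The following is an added example, not code from the talk or from the nominal datatype package: a capture-avoiding substitution on lambda terms that performs explicitly the renaming the variable convention lets the paper proof skip, an alpha-equivalence check, and a function that returns both sides of the substitution lemma so its side conditions can be exercised on constructed terms. The tuple-based term representation and the names z0, z1, ... used for fresh binders are my own choices.

```python
"""Capture-avoiding substitution on lambda terms, alpha-equivalence, and both
sides of the substitution lemma. Added example, not code from the talk or the
nominal package. Terms: ('var', a) | ('app', t1, t2) | ('lam', a, body)."""
import itertools

def fv(t):
    """Free variables FV(t)."""
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return fv(t[1]) | fv(t[2])
    return fv(t[2]) - {t[1]}

def fresh(avoid):
    """A name not in `avoid`: the explicit form of "we may assume z is not free in N, L"."""
    for i in itertools.count():
        if f"z{i}" not in avoid:
            return f"z{i}"

def subst(t, x, n):
    """t[x:=n]; renames the binder when it would capture a free variable of n."""
    if t[0] == 'var':
        return n if t[1] == x else t
    if t[0] == 'app':
        return ('app', subst(t[1], x, n), subst(t[2], x, n))
    z, body = t[1], t[2]
    if z == x:                      # x is bound here, nothing to substitute
        return t
    if z in fv(n):                  # z would capture: alpha-rename the binder first
        z2 = fresh(fv(body) | fv(n) | {x})
        body, z = subst(body, z, ('var', z2)), z2
    return ('lam', z, subst(body, x, n))

def alpha_eq(s, t, env=()):
    """Alpha-equivalence; env pairs corresponding binders, innermost first."""
    if s[0] != t[0]:
        return False
    if s[0] == 'var':
        for a, b in env:
            if s[1] == a or t[1] == b:
                return s[1] == a and t[1] == b
        return s[1] == t[1]         # both free: must be the same name
    if s[0] == 'app':
        return alpha_eq(s[1], t[1], env) and alpha_eq(s[2], t[2], env)
    return alpha_eq(s[2], t[2], ((s[1], t[1]),) + env)

def subst_lemma_sides(m, x, n, y, l):
    """(M[x:=N][y:=L], M[y:=L][x:=N[y:=L]]); alpha-equal when x != y and x not in FV(L)."""
    return (subst(subst(m, x, n), y, l),
            subst(subst(m, y, l), x, subst(n, y, l)))
```

With M = y, N = w and L = x the side condition x ∉ FV(L) is violated and the two sides come out as x and w, which is why the lemma carries that hypothesis.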
Formal Proof in Isabelle

    lemma forget:
      assumes a: "x ♯ L"
      shows "L[x::=P] = L"
    using a
    by (nominal_induct L avoiding: x P rule: lam.induct)
       (auto simp add: abs_fresh fresh_atm)

    lemma fresh_fact:
      fixes z::"name"
      assumes a: "z ♯ N" and b: "z ♯ L"
      shows "z ♯ N[y::=L]"
    using a b
    by (nominal_induct N avoiding: z y L rule: lam.induct)
       (auto simp add: abs_fresh fresh_atm)

    lemma subst_lemma:
      assumes a: "x ≠ y" and b: "x ♯ L"
      shows "M[x::=N][y::=L] = M[y::=L][x::=N[y::=L]]"
    using a b
    by (nominal_induct M avoiding: x y N L rule: lam.induct)
       (auto simp add: forget fresh_fact)

$x \mathrel{\sharp} L$ stands for $x \notin FV(L)$; it reads as "$x$ fresh for $L$" and is a polymorphic construction from the Nominal Logic work by Pitts.
Crucial Points

The nominal datatype package generates the α-equivalence classes as a type in Isabelle/HOL.

    atom_decl name

    nominal_datatype lam =
        Var "name"
      | App "lam" "lam"
      | Lam "«name»lam"  ("Lam _._" [100,100] 100)

The type lam is defined so that we have equations such as
$\mathrm{Lam}\ a\ (\mathrm{Var}\ a) = \mathrm{Lam}\ b\ (\mathrm{Var}\ b)$,
which do not hold for normal datatypes.
Structural Induction

Then automatically generated is a structural induction principle that has Barendregt's convention already built in:

$\forall x\, a.\ P\ x\ (\mathrm{Var}\ a)$
$\forall x\, t_1\, t_2.\ (\forall z.\ P\ z\ t_1) \Rightarrow (\forall z.\ P\ z\ t_2) \Rightarrow P\ x\ (\mathrm{App}\ t_1\ t_2)$
$\forall x\, a\, t.\ a \mathrel{\sharp} x \Rightarrow (\forall z.\ P\ z\ t) \Rightarrow P\ x\ (\mathrm{Lam}\ a\ t)$
$\overline{\qquad\qquad P\ x\ t \qquad\qquad}$

$t$ is the variable over which the induction proceeds: "...by induction over the structure of $M$..."

$x$ is the context of the induction, for which the binder should be fresh (here $x, y, N, L$): "...By the variable convention we can assume $z \not\equiv x, y$ and $z$ not free in $N, L$..."

$P$ is the property to be proved by induction:
$P\ (x, y, N, L)\ M \;\equiv\; x \neq y \wedge x \mathrel{\sharp} L \Rightarrow M[x:=N][y:=L] = M[y:=L][x:=N[y:=L]]$

One only has to write (more in the talk of Markus Wenzel):

    by (nominal_induct M avoiding: x y N L rule: lam.induct)

The lambda-case amounts to:
$z \mathrel{\sharp} (x, y, N, L) \Rightarrow (\forall x\, y\, N\, L.\ x \neq y \wedge x \mathrel{\sharp} L \Rightarrow M[x:=N][y:=L] = M[y:=L][x:=N[y:=L]]) \Rightarrow x \neq y \wedge x \mathrel{\sharp} L \Rightarrow (\mathrm{Lam}\ z\ M)[x:=N][y:=L] = (\mathrm{Lam}\ z\ M)[y:=L][x:=N[y:=L]]$

By the way: there is a condition for when Barendregt's variable convention is applicable. It is almost always satisfied, but not always: the context $x$ needs to be finitely supported (it is not allowed to mention all names as free).
Conclusion

The nominal datatype package is still work in progress, but already quite usable for the lambda-calculus: Church-Rosser, strong normalisation using candidates, weakening (transitivity of subtyping, -calc.).

Mailing list and download:
nominal-isabelle@mailbroy.informatik.tu-muenchen.de
http://isabelle.in.tum.de/nominal/