在Isabelle上自动执行此证明

Question

几周前，我与Isabelle一起工作，我很难自动做一些证明。 我只是使用规则“ less_induct”在列表上显示属性。

theorem cuenta_ordena_1:
"cuenta (ordena xs) y = cuenta xs y"

proof(induct "length xs" arbitrary: xs rule: less_induct)
case less
show ?case
proof(cases xs)
assume "xs=[]"
  then show ?thesis by simp
next
fix a list
assume "xs=a#list"
have "length(menores a list)<Suc(length list)" by simp
also have "... = length (a#list)" by simp
also have "... = length (xs)" using `xs=a#list` by simp
finally have 1:"length (menores a list)< length xs" by simp

have "length(mayores a list)<Suc(length list)" by simp
also have "... = length (a#list)" by simp
also have "... = length (xs)" using `xs=a#list` by simp
finally have 2:"length (mayores a list)< length xs" by simp

have " cuenta (ordena xs) y= cuenta (ordena (a#list)) y" using `xs=a#list` by simp
also have "...=  cuenta ((ordena (menores a list)) @ (a # (ordena (mayores a list)))) y " by simp
also have "... =  cuenta (ordena (menores a list)) y + cuenta (a # (ordena (mayores a list))) y " by (rule cuenta_append)
also have "... = cuenta (menores a list) y + cuenta (a # (ordena (mayores a list))) y " using less 1 by simp
finally have 3:"cuenta(ordena xs) y = cuenta (menores a list) y + cuenta (a # (ordena (mayores a list))) y" by simp
also have 4:"... = cuenta xs y"
  proof(cases "a=y")
  case False
    then have "cuenta (menores a list) y + cuenta (a # (ordena (mayores a list))) y 
              = cuenta (menores a list) y + cuenta (ordena (mayores a list)) y " by simp
    also have "... = cuenta (menores a list) y + cuenta (mayores a list) y " using less 2 by simp
    also have "... = cuenta xs y"
      proof (cases "y<a")
      case True
        hence "cuenta (menores a list) y + cuenta (mayores a list) y 
                = cuenta list y + cuenta (mayores a list) y" by (simp add: cuenta_menores)
        also have "... = cuenta list y" using "True" by (simp add: cuenta_mayores)
        also have "... = cuenta (a#list) y" using "False" by simp
        finally show ?thesis using `xs=a#list` by simp
      next
      case False
        hence "cuenta (menores a list) y + cuenta (mayores a list) y 
                =  cuenta (mayores a list) y" by (simp add: cuenta_menores)
        also have "... = cuenta list y" using "False" by (simp add: cuenta_mayores)
        also have "... = cuenta (a#list) y" using `¬(a=y)` by simp
        finally show ?thesis using `xs=a#list` by simp            
      qed
  finally show ?thesis by simp
  next
  case True
    hence "¬(y<a)" by simp
    have "cuenta (menores a list) y + cuenta (a # (ordena (mayores a list))) y 
              = cuenta (menores a list) y + Suc(cuenta (ordena (mayores a list)) y) " using "True" by simp 
    also have "... = cuenta (menores a list) y + Suc(cuenta (mayores a list) y) " using less 2 by simp
    also have "... = Suc(cuenta(mayores a list) y)" using `¬(y<a)` by (simp add: cuenta_menores) 
    also have "... = Suc(cuenta list y)" using `¬(y<a)` by (simp add: cuenta_mayores)
    also have "... = cuenta (a#list) y" using "True" by simp
    finally show ?thesis using `xs=a#list` by simp
  qed
  finally show ?thesis using 3 4 by simp   
 qed   
qed

为了做自动证明，我想我必须写这样的东西：

theorem cuenta_ordena:
  "cuenta (ordena xs) y = cuenta xs y"
apply (induction "length xs" arbitrary: xs rule: less_induct) 
apply (cases xs)
apply (auto simp add: cuenta_append cuenta_menores cuenta_mayores)

你能帮助我吗？

谢谢！

Answer 1

根据您的证明和我对西班牙语的微薄知识，我认为您的理论看起来像这样：

fun mejores :: "('a :: linorder) ⇒ 'a list ⇒ 'a list" where
  "mejores y [] = []"
| "mejores y (x#xs) = (if x ≥ y then [x] else []) @ mejores y xs"

fun menores :: "('a :: linorder) ⇒ 'a list ⇒ 'a list" where
  "menores y [] = []"
| "menores y (x#xs) = (if x < y then [x] else []) @ menores y xs"

lemma length_mejores [simp]: "length (mejores y xs) ≤ length xs"
  by (induction xs) simp_all

lemma length_menores [simp]: "length (menores y xs) ≤ length xs"
  by (induction xs) simp_all

fun ordena where
  "ordena [] = []"
| "ordena (x#xs) = ordena (menores x xs) @ [x] @ ordena (mejores x xs)"

fun cuenta :: "_ list ⇒ _ ⇒ nat" where
  "cuenta [] y = 0"
| "cuenta (x#xs) y = (if y = x then 1 else 0) + cuenta xs y"

您建议的自动证明在这里无法使用，因为在编写apply (cases xs) ， xs是在目标中普遍量化的变量。 如果要对此类变量进行大小写区分，则应进行Isar证明（如前所述）。

需要较少辅助引理的简单方法如下：

lemma cuenta_append [simp]: "cuenta (xs @ ys) y = cuenta xs y + cuenta ys y"
  by (induction xs) simp_all

lemma cuenta_mejores_menores: "cuenta (menores x xs) y + cuenta (mejores x xs) y = cuenta xs y"
  by (induction xs) auto

...并且证明是完全自动的：

lemma "cuenta (ordena xs) y = cuenta xs y"
  by (induction xs rule: ordena.induct) (auto simp: cuenta_mejores_menores)

请注意，我将归纳规则用于ordena函数。 您所做的列表长度归纳法比较笼统，但这使使用自动化变得更加困难。 规则ordena.induct看起来像这样：

P [] ⟹
(⋀x xs.
    P (menores x xs) ⟹
    P (mejores x xs) ⟹
    P (x # xs)) ⟹
P a0

这正是您所需要的。 另外，请注意，如果您确实想对列表长度进行归纳，则使用规则length_induct比对列表长度本身进行自然数归纳要容易得多，这就是您所做的。

另外，不需要辅助功能menores和mejores的ordena的更简单定义是：

fun ordena :: "('a :: linorder) list ⇒ 'a list" where
  "ordena [] = []"
| "ordena (x#xs) = ordena [y ← xs. y < x] @ [x] @ ordena [y ← xs. y ≥  x]"

注意[y ← xs. y < x] [y ← xs. y < x]只是filter (λy. y < x) xs语法糖。 然后，您不再需要cuenta_mejores_menores，并且可以在cuenta和filter之间的交互上使用以下非常一般的引理：

lemma cuenta_filter [simp]: "cuenta (filter P xs) y = (if P y then cuenta xs y else 0)"
  by (induction xs) simp_all

证明又自动通过：

lemma "cuenta (ordena xs) y = cuenta xs y"
  by (induction xs rule: ordena.induct) auto