From grahamb@cpsc.ucalgary.ca  Thu Apr 19 13:44:09 1990
Received: by iris.ucdavis.edu (5.57/UCD.EECS.2.0)
        id AA20515; Thu, 19 Apr 90 13:44:09 PDT
Received: from relay.cdnnet.ca by clover.ucdavis.edu (5.59/UCD.EECS.1.11)
        id AA09241; Thu, 19 Apr 90 13:47:15 PDT
Received: by relay.CDNnet.CA (4.1/1.14)
        id AA12138; Thu, 19 Apr 90 13:42:58 PDT
Date: 19 Apr 90 14:32 -0600
From: Brian Graham <grahamb@cpsc.ucalgary.ca>
To: <info-hol@clover.ucdavis.edu>
Message-Id: <196*grahamb@cpsc.ucalgary.ca>
Subject: Choice operator in HOL88

Here is the paper I mentioned on dealing with the choice operator in
HOL88 - I have had several requests so am posting it here.  Any
feedback will be appreciated.

   Brian Graham                       |  grahamb@cpsc.ucalgary.ca
   Computer Science Department        |
   University of Calgary              |
   2500 University Drive              |
   Calgary                            |
   Alberta                            |
   Canada T2N 1N4.                    |

#! /bin/sh
# This is a shell archive.  Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file".  To overwrite existing
# files, type "sh file -c".  You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g..  If this archive is complete, you
# will see the following message at the end:
#               "End of shell archive."
# Contents:  select.tex select.bib select_appendix.tex BoxMacro.tex
# Wrapped by grahamb@cpsc.UCalgary.CA on Thu Apr 19 14:21:43 1990
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
if test -f 'select.tex' -a "${1}" != "-c" ; then
  echo shar: Will not clobber existing file \"'select.tex'\"
else
echo shar: Extracting \"'select.tex'\" \(19004 characters\)
sed "s/^X//" >'select.tex' <<'END_OF_FILE'
X\documentstyle[11pt,a4,bezier]{article}
X\parskip=8pt plus2pt minus2pt
X\begin{document}
X
X\input{./BoxMacro}
X
X% newcommand definitions
X% ======================
X\newcommand{\ie}       {\mbox{\it i.e.}}
X\newcommand{\inbox}[1] {\begin{center}
X                        \framebox{\parbox{0.984\textwidth}{#1}}
X                        \end{center}}
X\newcommand{\AND}      {\mbox{$\wedge$}}
X
X% title, etc.
X% ======================
X{\LARGE
X\begin{center} Dealing with the Choice Operator in
XHOL88\footnote{supported in part by Contract No.W2213-8-6362/01-SS
Xwith the Department of National Defence}
X\end{center}
X}
X\begin{center}
Xby\\
X\ \ \\
XBrian Graham\\
X\ \ \\
XComputer Science Department,
XUniversity of Calgary \\
XCalgary, Alberta, Canada T2N 1N4 \\
XTel: (403) 220 7691 \\
XFax: (403) 284 4707 \\
XNet: grahamb@cpsc.ucalgary.ca \\
X\ \ \\
XApril 3, 1990 \\
X\end{center}
X\vfill
X{\abstract This paper discusses the choice operator \verb+@+ in HOL88.
XIt gives an intuitive interpretation, as well as the definition, and
Xpresents proof strategies for goals that contain this operator, broken
Xdown into cases based on the number of values which satisfy the
Xpredicate argument.  A working knowlege of the HOL system is assumed.}
X\vfill
X\vfill
X\vfill
X\vfill
X\begin{center}
X\copyright Brian Graham
X\end{center}
X\clearpage
X
X% the paper ...
X% ======================
XMy recent work on the proof of the SECD microprocessor
X(\cite{Graham89c}, \cite{Simpson89c}, \cite{Birtwistle90a}) has
Xsuffered from close encounters with the choice operator
X(``\verb+@+'').  It is a powerful device for making definitions, but
Xwe have quite limited capabilities of manipulating this constant.
XThis is unfortunate, as it shows up in many fundamental definitions,
Xincluding the definitions of {\it REP\/} functions created when new
Xtypes are defined.  It is also used in the definition of the temporal
Xabstraction function {\it TimeOf\/}\footnote{This function was defined
Xby Tom Melham in~\cite{Melham88a} and Inder Dhingra
Xin~\cite{Dhingra88b}.}, which is used when relating two granularities
Xof time in hardware representation.
X
XI thought it useful to draw together all the axioms, rules,
Xconversions, and tactics concerned with it, and suggest some
Xtechniques to handle it in (backward) proofs.
X
X\section{What the HOL88 System Supplies}
X
XThe constant ``\verb+$@+'' is a binder, having the type
X\verb+$@:(*->bool)->*+.
XIn~\cite{Hol89b}, it is described as follows:
X\begin{quotation}
X\ldots if $t$ is a term having type $\sigma${\small\verb%->bool%},
Xthen {\small\verb%@x.%}$t${\small\verb% x%} (or, equivalently,
X{\small\verb%$@%}$t$) denotes {\it some\/} member of the set whose
Xcharacteristic
Xfunction is $t$. If the set is empty, then
X{\small\verb%@x.%}$t${\small\verb% x%} denotes an arbitrary member of the
Xset denoted by $\sigma$. The constant {\small\verb%@%} is a higher order
Xversion of Hilbert's
X$\varepsilon$-operator; it is related to the constant
X$\iota$ in Church's formulation of higher order logic. For more details,
Xsee Church's original paper \cite{Church}, Leisenring's book
Xon Hilbert's $\varepsilon$-symbol \cite{Leisenring}, or
XAndrews' textbook on type theory \cite{Andrews}.
X\end{quotation}
X
XWhen applied to a predicate, it returns an
Xarbitrary value of the correct type that satisfies the predicate, and
Xin the case where no such value exists, it returns an arbitrary but
Xundetermined value of the correct type.  It can be used to make a
Xtotal function from a partial function.
X
XThe following listing includes all built-in tools in the HOL88 system
Xthat are specific to the choice operator.
X
X\subsection{Axioms}
X\begintt
X    SELECT_AX : thm                   (in theory "bool")
X
X    |- !(P:* -> bool) (x:*). P x ==> P($@ P)
X\endtt
X\subsection{Forward Inference Rules}
X\begintt
X    SELECT_INTRO : (thm -> thm)
X
X        A |- P t
X      -----------------
X       A |- P($@ P)
X
X
X    SELECT_ELIM : (thm -> (term # thm -> thm))         (cases)
X
X       A1 |- P($@ P)    ,    A2, "P v" |- t
X      ------------------------------------------ (v occurs nowhere
X                  A1 u A2 |- t                    except in "P v")
X
X    SELECT_RULE : (thm -> thm)
X
X        A |- ?x. t[x]
X      -----------------
X       A |- t[@x.t[x]]
X
X
X    SELECT_EQ : (term -> thm -> thm)           (@ abstraction)
X
X              A |- t1 = t2
X         -----------------------
X          A |- (@x.t1) = (@x.t2)
X\endtt
X\subsection{Conversions}
X\begintt
X    SELECT_CONV : conv
X
X     "P [@x.P [x]]" ---> |- P [@x.P [x]] = ?x. P[x]
X\endtt
X\subsection{Tactics}
X\begintt
X    SELECT_TAC : (term -> tactic)           ( term = @x.P(x) )
X       (found in start_groups.ml in the "group" library)
X
X        [A] P[@x.P(x)]
X    ======================
X         [A] ?x.P(x)
X\endtt
X\section{Manipulating the Choice Operator}
X
XWe distinguish three cases for the values that the operator may return:
X\begin{enumerate}
X\item the predicate holds for no values, so the operator returns an
X   arbitrary but unspecified value of the correct type.
X\item the predicate holds for a single unique value.
X\item the predicate holds for more than one value.
X\end{enumerate}
XWe deal with these cases individually in Sections~\ref{sec:none}~to~\ref{sec:many}.
X
X\subsection{No values satisfy}\label{sec:none}
X
XIt is useful to observe the equivalence given by SELECT\_CONV.  The
XSELECT'ed value satisfies the predicate if and only if some value
Xexists that satisfies the predicate.  From this we can prove the
Xfollowing is false:
X\begin{center}
X\verb+((@x. Q x) = y)  ==> Q y+
X\end{center}
X(\ie{} if the value at which Q holds equals y then Q holds at y.)
XBy using AP\_TERM {\it Q\/} on the lhs of the implication, we get:
X\begin{center}
X\verb+(Q(@x. Q x) = Q y) ==> Q y+
X\end{center}
XUsing SELECT\_CONV on the lhs gives:
X\begin{center}
X\verb+((?x. Q x) = Q y) ==> Q y+
X\end{center}
XIf no value exists, then the equation simplifies to:
X\begin{center}
X\verb+(F = F) ==> F+
X\end{center}
Xwhich is clearly false.
X
XIn short this means that it is not possible to prove
Xanything about the specific value returned by the choice operator
X{\it unless\/} some value exists at which the predicate holds.  This
Xis relevent to the attempt to define an `arbitrary' value of the
Xform \verb+"@x.F"+.
XIt is not possible to prove inequality of this term to any value of
Xthe appropriate type, but all such arbitrary terms are equal.
X
X\subsection{One value satisfies}\label{sec:one}
X
XIn the case where a predicate is satisfied by a unique value, the
Xchoice operator applied to the predicate can be shown to be equivalent
Xto that unique value.  We can prove:
X\begin{center}
X\verb+|- (?!x. Q x) ==> Q c ==> ((@x. Q x) = c)+
X\end{center}
XThe definition of ``\verb+$?!+'' is:
X\begin{center}
X\verb+|- $?! = (\P. $? P /\ (!x y. P x /\ P y ==> (x = y)))+
X\end{center}
XFrom ``\verb+Q c+'' one can derive ``\verb+?x. Q x+'' (using EXISTS),
Xso we can reduce the earlier theorem to :
X\begin{center}
X\verb+|- (!x y. Q x /\ Q y ==> (x = y)) ==> Q c ==> ((@x. Q x) = c)+
X\end{center}
XThis has been implemented as a forward inference rule and tactic
X(see Appendix~\ref{AppendixA} for definitions).  SELECT\_UNIQUE\_RULE
Xtakes a pair of terms, a theorem that the predicate holds at the
Xsecond term, and a theorem that the predicate has a unique value that
Xsatisfies it, and generates a theorem that the value returned by the
Xchoice operator applied to the predicate is the unique value.
X\begintt
X    SELECT_UNIQUE_RULE : (term # term) -> thm -> thm -> thm
X
X    ("x","y")   A1 |- Q[y]  A2 |- !x y.(Q[x] \AND Q[y]) ==> (x=y)
X    ===========================================================
X       A1 U A2 |- (@x.Q[x]) = y
X
X
X    SELECT_UNIQUE_TAC : tactic
X
X            [ A ] "(@x. Q[x]) = y"
X    =====================================================
X    [ A ] "Q[y]"   [ A ] "!x y.(Q[x] \AND Q[y]) ==> (x=y)"
X\endtt
X
XAn example problem using this tactic arose in the proof of the
Xcorrectness of the initial state of the SECD machine.  The essentials
Xof the situation in that complex system are captured in the following
Xsimple example.
X
XWe define a circuit composed of a mux, 2 inverters, and 2 D-type flip
Xflops.  We sample all lines once per clock cycle, and assume that the
XD-types start up with the value {\it F\/} initially (a forced reset at a
Xlower level of description).  Definitions for all components are in
XAppendix~\ref{AppendixB}.  Here we define only the circuit
Ximplementation:
X\begintt
Xlet circuit_imp = new_definition
X(`circuit_imp`,
X "circuit_imp s0 s1 =
X  ? q c in0 in1:num->bool.
X    (D_type q s0)  \AND
X    (D_type s0 s1) \AND
X    (inv s1 in1)   \AND
X    (inv s0 c)     \AND
X    (mux2 c in0 in1 q) \AND
X    (gnd in0)"
X );;
X\endtt
X\inbox{
X% origin:      ll
X% size:        13 x 13
X% inputs left: (0,2) (0,11)
X% input right: (13,6.5)
X% input top:   (5,13)
X% input bot:   (5,0)
X\newsavebox{\MUX}
X\savebox{\MUX}
X{\setlength{\unitlength}{1mm}\begin{picture}(13,13)
X\put(0,0) {\line (0,1) {4}}
X\put(0,4) {\line (4,1) {4}}
X\put(4,5) {\line (0,1) {3}}
X%\bezier{50}(3,6)(1.5,6.5)(0,7)
X\put(0,9) {\line (4,-1) {4}}
X\put(0,9) {\line (0,1) {4}}
X\put(0,13) {\line (1,0) {5}}
X\put(5,13) {\line (2,-1) {8}}
X\put(13,4) {\line (0,1) {5}}
X\put(5,0) {\line (2,1) {8}}
X\put(0,0) {\line (1,0) {5}}
X%\put(5.5,4.5) {\makebox(0,0)[b]{\tiny 2:1}}
X%\put(5.5,2.5) {\makebox(0,0)[b]{\tiny mux}}
X\put(5,5) {\shortstack{\tiny 2:1 \\ \tiny mux}}
X\end{picture}}
X
X\newsavebox{\BUFGATE}
X\savebox{\BUFGATE}
X{\setlength{\unitlength}{1mm}\begin{picture}(6,8)
X\put(0,0) {\line (0,1) {8}}
X\put(0,0) {\line (3,2) {6}}
X\put(0,8) {\line (3,-2) {6}}
X\end{picture}}
X
X% origin       ll
X% size:        8 x 8
X% inputs left: (0,4)
X% input right: (8,4)
X\newsavebox{\INVGATE}
X\savebox{\INVGATE}
X{\setlength{\unitlength}{1mm}\begin{picture}(8,8)
X\put(0,0){\usebox{\BUFGATE}}
X\put(7,4) {\circle {2}}
X\end{picture}}
X
X% origin       ll
X% size:        8 x 8
X% inputs left: (0,4)
X% input right: (8,4)
X\newsavebox{\revINVGATE}
X\savebox{\revINVGATE}
X{\setlength{\unitlength}{1mm}\begin{picture}(8,8)
X\put(8,0) {\line (0,1) {8}}
X\put(8,0) {\line (-3,2) {6}}
X\put(8,8) {\line (-3,-2) {6}}
X\put(1,4) {\circle {2}}
X\end{picture}}
X
X\newsavebox{\GND}
X\savebox{\GND}
X{\setlength{\unitlength}{1mm}\begin{picture}(4,4)
X\put(2,2) {\line (0,1) {2}}
X\put(0,2) {\line (1,0) {4}}
X\put(0.75,1) {\line (1,0) {2.5}}
X\put(1.5,0) {\line (1,0) {1}}
X\end{picture}}
X
X
X
X\begin{center}
X\setlength{\unitlength}{1mm}
X\begin{picture}(104,31)(0,6)
X    \put(10,15){\usebox{\MUX}}
X    \put(40,15){\framebox(13,13){D\_type}}
X    \put(70,15){\framebox(13,13){D\_type}}
X    \put(0,22){\usebox{\GND}}
X    \put(25,6){\usebox{\revINVGATE}}
X    \put(25,29){\usebox{\revINVGATE}}
X
X    \put(23,21.5){\line(1,0){17}}
X    \put(53,21.5){\line(1,0){17}}
X    \put(61.5,21.5){\line(0,1){11.5}}
X    \put(61.5,21.5){\circle*{1}}
X    \put(61.5,33){\circle*{1}}
X    \put(83,21.5){\vector(1,0){17}}
X    \put(91.5,21.5){\line(0,-1){11.5}}
X    \put(91.5,21.5){\circle*{1}}
X
X    \put(33,10){\line(1,0){58.5}}
X    \put(25,10){\line(-1,0){20}}
X    \put(5,10){\line(0,1){7}}
X    \put(5,17){\line(1,0){5}}
X    \put(33,33){\vector(1,0){67}}
X    \put(25,33){\line(-1,0){10}}
X    \put(15,33){\line(0,-1){5}}
X    \put(10,26){\line(-1,0){8}}
X
X\tiny
X% Internal labels
X    \put(30,23){\makebox(0,0)[b]{q}}
X    \put(16,30){\makebox(0,0)[l]{c}}
X    \put(7.5,27){\makebox(0,0)[b]{in$_0$}}
X    \put(7.5,16){\makebox(0,0)[t]{in$_1$}}
X% Output labels
X    \put(102,33){\makebox(0,0)[l]{s$_0$}}
X    \put(102,21.5){\makebox(0,0)[l]{s$_1$}}
X
X
X\end{picture}
X\end{center}
X}
X
XThis circuit implements a modulo 3 counter (convince yourself).  In
Xorder to show that the first time that the \verb+s1+ line is
Xasserted is at time t = 2, we establish the goal:
X\begintt
X"TimeOf s1 0 = 2"
X    [ "circuit_imp s0 s1" ]
X\endtt
XNote that this use of the TimeOf function defines a mapping from the
Xclock cycle time granularity to one that is sampled only when the
X{\it s1\/} line is asserted.
X
XThe definition of TimeOf is:
X\begin{center}
X\verb+|- !f n. TimeOf f n = (@t. IsTimeOf n f t)+.
X\end{center}
XAfter rewriting the goal with this definition, the choice operator is
Xintroduced.
X\begintt
X"(@t. IsTimeOf 0 s1 t) = 2"
X    [ "circuit_imp s0 s1" ]
X\endtt
XApplying SELECT\_UNIQUE\_TAC reduces the goal to two subgoals, neither
Xof which contains the choice operator.
X\begintt
X"!t t'. IsTimeOf 0 s1 t \AND IsTimeOf 0 s1 t' ==> (t = t')"
X    [ "circuit_imp s0 s1" ]
X
X"IsTimeOf 0 s1 2"
X    [ "circuit_imp s0 s1" ]
X\endtt
XThe proof is simple. The first goal is proven by an existing
Xtheorem IsTimeOf\_IDENTITY\footnote{See Appendix~\ref{AppendixC}.}:
X\begin{center}
X\verb+|- !n f t1 t2. IsTimeOf n f t1 /\ IsTimeOf n f t2 ==> (t1 = t2)+
X\end{center}
XThe second is solved by rewriting with the definition of IsTimeOf, and
Xthe various component definitions.
X(A complete proof is given in Appendix~\ref{AppendixB}.)
X
XThe use of SELECT\_UNIQUE\_TAC has permitted us to eliminate the
Xchoice operator entirely from the subgoals, and prove that the value
Xit represents is equal to a specific value.  Thus time {\it 0\/} of the
Xcoarser granularity of time corresponds to time {\it 2\/} at the finer
Xgranularity.
X
X\subsection{More than one value satisfies}\label{sec:many}
X
XWhen the choice operator is applied to a predicate that is satisfied
Xat multiple different values, there is no way to determine which
Xspecific value the expression represents.  One can only make use of
Xthe fact that the predicate is satisfied by the value.  An approach to
Xproof in this situation is supplied by Elsa Gunter, and contained
Xwithin the {\it start\_groups.ml\/} file in the {\it group\/}
Xlibrary\footnote{See the Modular Arithmetic Case Study
Xin~\cite{Hol89c}.}.  The following tactic is provided:
X\begintt
XSUPPOSE_TAC : term -> tactic  (term = t)
X
X            [A] t1
X    =======================
X       [A;t] t1    [A] t
X\endtt
X(There is also a REV\_SUPPOSE\_TAC which merely reverses the order of
Xthe subgoals.)  The idea is to add an assumption that will be useful
Xin solving the goal, and also requiring that the assumtion itself be
Xproved.  This approach is useful in splitting a goal into major
Xsubgoals, and proceeding along one branch, while deferring some of the
Xproof steps to a more convenient time.  This tactic can be useful on a
Xgoal of the form:
X\begin{center}
X\verb+[ A ] "Q (@x. P x)"+
X\end{center}
X\verb+SUPPOSE_TAC "?x. P x"+ gives the following subgoals:
X\vspace{-\parskip}
X\begin{center}
X\makebox[60mm][l]{\verb+[ A ; "?x. P x" ] "Q (@x. P x)"+}\\
X\makebox[60mm][l]{\verb+[ A ] "?x. P x"+}
X\end{center}
XIn the first subgoal, using SELECT\_RULE on the new assumption gives:
X\begin{center}
X\verb+[ A ; "P (@x. P x)" ] "Q (@x. P x)"+
X\end{center}
XThe properties given by the assumption \verb+"P (@x. P x)"+ may be
Xhelpful in solving the goal.
X
XWe revert to the previously given circuit for a concrete example.  We
Xstart with the goal:
X\begintt
X"~s0(SUC(TimeOf s1 n))"
X    [ "circuit_imp s0 s1" ]
X\endtt
XWe want to show that the line \verb+s0+ is always F following the
Xpoint corresponding to the coarser granularity of time.  Using the
Xdefinition of TimeOf to rewrite the goal,
X\begintt
X"~s0(SUC(@t. IsTimeOf n s1 t))"
X    [ "circuit_imp s0 s1" ]
X\endtt
Xfollowed by the tactic:
X\verb+SUPPOSE_TAC "!n:num. ?t. IsTimeOf n s1 t"+, we get 2 subgoals:
X\begintt
X"!n. ?t. IsTimeOf n s1 t"
X    [ "circuit_imp s0 s1" ]
X
X"~s0(SUC(@t. IsTimeOf n s1 t))"
X    [ "circuit_imp s0 s1" ]
X    [ "!n. ?t. IsTimeOf n s1 t" ]
X\endtt
XThe upper subgoal corresponds to proving a {\it liveness\/} property for
Xthe circuit: there is a finer grain time {\it t\/} that corresponds
Xto every point in the coarser grain time.  In effect, the predicate
X{\it s1 t\/} is satisfied infinitely often.  The lower subgoal
Xwill permit us to use this property and the definition of the circuit
Xin its proof.  Thus we have effectively separated
Xthe goal into 2 distinct parts: the {\it liveness\/} of the circuit, and
Xthe essential property of the circuit that we are trying to prove.
XTackling the bottom subgoal, we can apply SELECT\_RULE to the bottom
Xassumption to obtain
X\begin{center}
X\verb+"IsTimeOf n s1(@t. IsTimeOf n s1 t)"+,
X\end{center}
Xand resolve this with the theorem IsTimeOf\_TRUE:
X\begin{center}
X\verb+IsTimeOf_TRUE = |- !n f t.  IsTimeOf n f t ==> f t+
X\end{center}
Xto get the goal:
X\begintt
X"~s0(SUC(@t. IsTimeOf n s1 t))"
X    [ "circuit_imp s0 s1" ]
X    [ "IsTimeOf n s1(@t. IsTimeOf n s1 t)" ]
X    [ "s1(@t. IsTimeOf n s1 t)" ]
X\endtt
X
XResolving the first assumption with an unwound circuit definition:
X\begin{center}
X\makebox[60mm][l]{\tt circuit\char'137unwound = }\\
X\makebox[60mm][l]{\tt |- circuit\char'137{}imp s0 s1 ==>}\\
X\makebox[60mm][l]{\tt \ \ \ (!t. s0 0 = F) /\char'134 x}\\
X\makebox[60mm][l]{\tt \ \ \ (!t. s0(SUC t) = ((~s0 t) => ~s1 t | F)) /\char'134 }\\
X\makebox[60mm][l]{\tt \ \ \ (!t. s1 0 = F) /\char'134 }\\
X\makebox[60mm][l]{\tt \ \ \ (!t. s1(SUC t) = s0 t) }
X\end{center}
Xthen rewriting with the theorem same\_branches:
X\begin{center}
X\verb+same_branches = |- !x (y:*). x => y | y = y+,
X\end{center}
Xsolves this subgoal.
X
XThe previous subgoal can be solved using another application of
XSUPPOSE\_TAC, with the assumption \verb+"Inf s1"+, giving the
Xsubgoals:
X\begintt
X"Inf s1"
X    [ "circuit_imp s0 s1" ]
X
X"!n. ?t. IsTimeOf n s1 t"
X    [ "circuit_imp s0 s1" ]
X    [ "Inf s1" ]
X\endtt
XThe bottom subgoal is solved by resolving with the theorem
XIsTimeOf\_EXISTS:
X\begin{center}
X\verb+|- !f. Inf f ==> !n. ?t. IsTimeOf n f t+.
X\end{center}
XThe last subgoal requires proving that \verb+s1+ is asserted
Xinfinitely often.  This simple subgoal can be proven by a surprisingly
Xlengthy proof using induction.  It is provided in
XAppendix~\ref{AppendixB} for the interested reader.
X
XIt should be noted that SUPPOSE\_TAC is more generally useful than
Xjust the cases given here, and it can be applied in the case where the
Xpredicate holds for only one value as well.
X
X\section{Conclusions}
XWe have attempted to provide some useful examples of the approach to
Xsolving problems that involve the choice operator in HOL.  An informal
Xanalysis based on the number of values satisfying the predicate to
Xwhich the choice operator was applied, examined what is provable about
Xgoals containing the operator.  A new tactic and inference rule for
Xthe case where a unique value satisfies the predicate were supplied.
XThe techniques described were developed during the verification of the
XSECD microprocessor design.
X
X\section*{Acknowledgements}
XThis work was supported by Strategic, Operating, and Equipment Grants
Xfrom the Natural Sciences and Engineering Research Council of Canada
Xand The Canadian Microelectronics Corporation.  The Strategic Grant
Xwas also supported by The Alberta Microelectronic Centre and LSI
XCanada Inc.  The SECD verification effort was also supported by The
XCommunication Research Establishment, Ottawa.
XWe are indebted to Mike Gordon, Tom Melham, and Inder Dhingra for
Xassistance in learning and using the HOL system, and to Elsa Gunter,
Xwhose initial input on this topic led to this report.
X
X
X\nocite{Hol89a}
X{\small
X\bibliography{./select}
X\bibliographystyle{alpha}
X\include{select_appendix}
X}
X\end{document}
END_OF_FILE
if test 19004 -ne `wc -c <'select.tex'`; then
    echo shar: \"'select.tex'\" unpacked with wrong size!
fi
# end of 'select.tex'
fi
if test -f 'select.bib' -a "${1}" != "-c" ; then
  echo shar: Will not clobber existing file \"'select.bib'\"
else
echo shar: Extracting \"'select.bib'\" \(3043 characters\)
sed "s/^X//" >'select.bib' <<'END_OF_FILE'
X@book{Andrews,
X  Author    = {P.B. Andrews},
X  Title     = {An Introduction to Mathematical Logic and Type Theory:
Xto Truth through Proof},
X  Publisher = {Academic Press},
X  Year      = 1986,
X  Series    = {Computer Science and Applied Mathematics Series}}
X
X@InProceedings{Birtwistle90a,
X  Author  = {G. Birtwistle and B. Graham},
X  Title   = {Verifying {SECD} in {HOL}},
X  Editor  = {J. Staunstrup},
X  Booktitle = {Formal Methods for VLSI Design},
X  Organization = {Proceedings of the 1990 IFIP WG 10.5 Summer School to be held at Lyngby, Denmark},
X  Publisher =  {North Holland},
X  Year    = 1990}
X
X@article{Church,
X  Author    = {A.\ Church},
X  Title     = {A {F}ormulation of the {S}imple {T}heory of {T}ypes},
X  Journal   = {Journal of Symbolic Logic},
X  Year      = 1940,
X  Pages     = {56--68},
X  Volume    = 5 }
X
X@Phdthesis{Dhingra88b,
X  Author  = {I. S. Dhingra},
X  Title   = {Formal {V}alidation of an {I}ntegrated {C}ircuit {D}esign {S}tyle},
X  School  = {University of Cambridge Computer Laboratory},
X  Year    = {1988}}
X
X@InProceedings{Graham89c,
X  Author    = {B. Graham and G. Birtwistle},
X  Title     = {Formalising the {D}esign of an {SECD} chip},
X  BookTitle = {Proceedings of the {C}ornell {W}orkshop on
X               {H}ardware {S}pecification, {V}erification, and {S}ynthesis:
X               {M}athematical {A}spects},
X  Publisher = {Springer-Verlag},
X  Address   = {New York},
X  Year      = {1989}}
X
X@Manual{Hol89a,
X  Title        = {The {HOL} {S}ystem: {R}eference {M}anual},
X  Organization = {Cambridge Research Center, SRI International},
X  Address      = {Cambridge, England},
X  Pages        = {564},
X  Year         = {1989}}
X
X@Manual{Hol89b,
X  Title        = {The {HOL} {S}ystem: {D}escription},
X  Organization = {Cambridge Research Center, SRI International},
X  Address      = {Cambridge, England},
X  Pages        = {287},
X  Year         = {1989}}
X
X@Manual{Hol89c,
X  Title        = {The {HOL} {S}ystem: {T}utorial},
X  Organization = {Cambridge Research Center, SRI International},
X  Address      = {Cambridge, England},
X  Pages        = {345},
X  Year         = {1989}}
X
X@book{Leisenring,
X  Author     = {A.\ Leisenring},
X  Title      = {Mathematical Logic and Hilbert's $\epsilon$-Symbol},
X  publisher  = {Macdonald \& Co.\ Ltd.},
X  address    = {London},
X  year       = 1969,
X  Series     = {University Mathematical Series}
X}
X
X@InProceedings{Melham88a,
X  Author    = {T. F. Melham},
X  Title     = {Abstraction Mechanisms for Hardware Verification},
X  BookTitle = {VLSI Specification, Verification and Synthesis},
X  Editor    = {G. Birtwistle and P. A. Subrahmanyam},
X  Publisher = {Kluwer},
X  Address   = {Norwell, Massachusetts},
X  Year      = {1988},
X  Pages     = {267-291}}
X
X@InProceedings{Simpson89c,
X  Author    = {T. Simpson and B. Graham and G. Birtwistle},
X  Title     = {From {L}isp{K}it to {SECD} {C}hip: {S}ome {S}teps on the way to a
X{V}erified {S}ystem},
X  BookTitle = {Proceedings of the {T}hird {B}anff {V}erification {W}orkshop},
X  Note      = {submitted for publication},
X  Year      = {1989}}
END_OF_FILE
if test 3043 -ne `wc -c <'select.bib'`; then
    echo shar: \"'select.bib'\" unpacked with wrong size!
fi
# end of 'select.bib'
fi
if test -f 'select_appendix.tex' -a "${1}" != "-c" ; then
  echo shar: Will not clobber existing file \"'select_appendix.tex'\"
else
echo shar: Extracting \"'select_appendix.tex'\" \(19454 characters\)
sed "s/^X//" >'select_appendix.tex' <<'END_OF_FILE'
X\appendix
X
X\section{SELECT\_UNIQUE.ml}\label{AppendixA}
X\begin{verbatim}
X%
X       SELECT_UNIQUE_RULE:
X       ===================
X
X       ("x","y")   A1 |- Q[y]  A2 |- !x y.(Q[x]/\Q[y]) ==> (x=y)
X       =========================================================
X               A1 U A2 |- (@x.Q[x]) = y
X
XPermits substitution for values specified by the Hilbert Choice
Xoperator with a specific value, if and only if unique existance
Xof the specific value is proven.
X%
X
Xlet SELECT_UNIQUE_RULE (x,y) th1 th2 =
X  let Q = mk_abs (x, subst [x,y] (concl th1))
X  in
X  let th1' = SUBST [SYM (BETA_CONV "^Q ^y"), "b:bool"] "b:bool" th1
X  in
X  (MP (SPECL ["$@ ^Q"; y] th2)
X      (CONJ (in1_conv_rule BETA_CONV (SELECT_INTRO th1')) th1));;
X
X
X%
X       SELECT_UNIQUE_TAC:
X       ==================
X
X               [ A ] "(@x. Q[x]) = y"
X       ===================================================
X        [ A ] "Q[y]"   [ A ] "!x y.(Q[x]/\Q[y]) ==> (x=y)"
X
XGiven a goal that requires proof of the value specified by the
XHilbert choice operator, it returns 2 subgoals:
X  1. "y" satisfies the predicate, and
X  2. unique existance of the value that satisfies the predicate.
X%
X
Xlet SELECT_UNIQUE_TAC:tactic (gl,g) =
X  let Q,y = dest_eq g
X  in
X  let x,Qx = dest_select Q
X  in
X  let x' = variant (x.freesl(g.gl))x
X  in
X  let Qx' = subst [x', x] Qx
X  in
X  ([gl,subst [y,x]Qx;
X    gl, "!^x ^x'. (^Qx /\ ^Qx') ==> (^x = ^x')"],
X   (\thl. SELECT_UNIQUE_RULE (x,y) (hd thl) (hd (tl thl))));;
X\end{verbatim}
X
X% \appendix
X\newpage
X
X\section{hilbert.ml}\label{AppendixB}
X\begin{verbatim}
Xnew_theory `hilbert`;;
X
Xnew_parent `when`;;
X
Xloadt `SELECT_UNIQUE`;;
Xloadf `start_groups`;;
Xload_all `when`;;
X
X% ***************************************************************** %
Xlet mux2 = new_definition
X(`mux2`,
X "!cnt in0 in1 out:num->bool.
X   mux2 cnt in0 in1 out = !t:num. out t = cnt t => in1 t | in0 t"
X );;
X
Xlet inv = new_definition
X(`inv`,
X "!in out:num->bool. inv in out = !t. out t = ~in t"
X );;
X
Xlet D_type = new_definition
X(`D_type`,
X "!in out:num->bool.
X   D_type in out =
X     (out 0 = F) /\
X     !t. out (SUC t) = in t"
X );;
X
Xlet gnd = new_definition
X(`gnd`,
X "!p:num->bool. gnd p = !t. p t = F"
X );;
X
Xlet circuit_imp = new_definition
X(`circuit_imp`,
X "circuit_imp s0 s1 =
X  ? q c in0 in1:num->bool.
X    (D_type q s0)  /\
X    (D_type s0 s1) /\
X    (inv s1 in1)   /\
X    (inv s0 c)     /\
X    (mux2 c in0 in1 q) /\
X    (gnd in0)"
X );;
X
X% ***************************************************************** %
Xlet lemma_0 = TAC_PROOF
X(([], "circuit_imp s0 s1 ==> ~s1 0"),
X prt[circuit_imp; D_type]
X THEN DISCH_THEN (REPEAT_TCL CHOOSE_THEN (\th.rt[th]))
X );;
X
Xlet lemma_1 = TAC_PROOF
X(([], "circuit_imp s0 s1 ==> ~s1 1"),
X prt[circuit_imp; D_type; num_CONV "1"]
X THEN DISCH_THEN (REPEAT_TCL CHOOSE_THEN (\th.rt[th])));;
X
Xlet lemma_2 = TAC_PROOF
X(([], "circuit_imp s0 s1 ==> s1 2"),
X prt[circuit_imp; D_type; inv; mux2; num_CONV "2"; num_CONV "1"]
X THEN DISCH_THEN (REPEAT_TCL CHOOSE_THEN (\th. rt[th])));;
X
X% ***************************************************************** %
Xset_goal(["circuit_imp s0 s1"], "TimeOf s1 0 = 2");;
X
Xexpand (port[TimeOf]);;
Xexpand (SELECT_UNIQUE_TAC);;
Xrotate 1;;
Xexpand (rt[IsTimeOf_IDENTITY]);;
Xexpand (port[IsTimeOf]);;
Xexpand (IMP_RES_THEN (\th.rt[th]) lemma_2);;
Xexpand (re_conv_tac num_CONV);;
Xexpand (GEN_TAC THEN prt[LESS_THM] THEN STRIP_TAC);;
X
Xexpand (art[]);;
Xexpand (port[(SYM o num_CONV) "1"]);;
Xexpand (IMP_RES_THEN ACCEPT_TAC lemma_1);;
X
Xexpand (art[]);;
Xexpand (IMP_RES_THEN ACCEPT_TAC lemma_0);;
X
Xexpand (IMP_RES_TAC NOT_LESS_0);;
Xlet initial_thm = save_top_thm `initial_thm`;;
X
X% ***************************************************************** %
Xlet same_branches = TAC_PROOF (([],"!x (y:*). x => y | y = y"),
X       GEN_TAC THEN GEN_TAC THEN COND_CASES_TAC THEN rt[]);;
X
Xlet not_both = TAC_PROOF
X((["circuit_imp s0 s1"], "!t:num. s1 t ==> ~s0 t"),
X INDUCT_TAC
X THENL
X [ IMP_RES_TAC lemma_0
X   THEN art[]
X ; RULE_ASSUM_TAC (prr[circuit_imp; D_type; inv; mux2; gnd])
X   THEN FIRST_ASSUM
X     (\th.(CHOOSE_THEN (REPEAT_TCL CHOOSE_THEN ASSUME_TAC))th ?
X      NO_TAC)
X   THEN art[]
X   THEN ASM_CASES_TAC "(s1:num->bool) t"
X   THENL
X   [ RES_TAC
X     THEN art[]
X   ; ASM_CASES_TAC "(s0:num->bool) t"
X     THEN art[]
X   ]
X ]);;
X
Xlet circuit_unwound =
X(fst o EQ_IMP_RULE o SPEC_ALL o (prr[D_type; inv; mux2; gnd]))
X  circuit_imp;;
X
X% ***************************************************************** %
Xset_goal (["circuit_imp s0 s1"], "~s0 (SUC(TimeOf s1 n))");;
X
Xexpand (port[TimeOf]);;
Xexpand (SUPPOSE_TAC "!n:num. ?t. IsTimeOf n s1 t");;
X
X expand (poke (SELECT_RULE o (SPEC "n:num")));;
X expand (IMP_RES_TAC IsTimeOf_TRUE);;
X expand (IMP_RES_THEN STRIP_ASSUME_TAC circuit_unwound);;
X expand (art[same_branches]);;
X
X expand (SUPPOSE_TAC "Inf s1");;
X
X  expand (IMP_RES_THEN (\th.rt[th]) IsTimeOf_EXISTS);;
X
X   expand (port[Inf]);;
X   expand (INDUCT_TAC);;
X
X    expand (EXISTS_TAC "2"
X            THEN CONJ_TAC
X           THENL
X           [ prt[num_CONV "2"; LESS_0]
X           ; IMP_RES_THEN ACCEPT_TAC lemma_2
X           ]);;
X
X    expand (poke (porr[SYM_RULE LESS_MONO_EQ]));;
X    expand (poke (porr[LESS_THM]));;
X    expand (POP_ASSUM STRIP_ASSUME_TAC);;
X
X     expand (IMP_RES_THEN STRIP_ASSUME_TAC circuit_unwound);;
X     expand (EXISTS_TAC "SUC (SUC (SUC t'))");;
X     expand (art[LESS_THM; same_branches]);;
X     expand (IMP_RES_TAC not_both);;
X
X     expand (EXISTS_TAC "t':num" THEN art[]);;
Xlet s0_thm = save_top_thm `s0_thm`;;
X
X% ***************************************************************** %
X\end{verbatim}
X
X
X% \appendix
X\newpage
X
X\section{when.ml}\label{AppendixC}
X\begin{verbatim}
X%------------------------------------------------------------------------
X| FILE         : when.ml
X|
X| DESCRIPTION  : Defines the predicates `Next`, `Inf`, `IsTimeOf`
X|                and `TimeOf` and derives several major theorems
X|                which provide a basis for temporal abstraction.
X|
X|                These predicates and theorems are taken from
X|                T.Melham's paper, "Abstraction Mechanisms for
X|                Hardware Verification", Hardware Verification
X|                Workshop, University of Calgary, January 1987.
X|
X|                 This file was written by I.S.Dhingra.
X|
X------------------------------------------------------------------------%
X
Xnew_theory `when`;;
X
Xlet Next = new_definition
X  (`Next`,
X   "Next t1 t2 f  =  (t1<t2)  /\
X                     ( f t2)  /\
X                 !t. (t1<t )  /\  (t<t2)  ==>  ~f t"
X  );;
X
Xlet IsTimeOf = new_prim_rec_definition
X  (`IsTimeOf`,
X  "(IsTimeOf      0  f t  =  f t  /\  !t'.  (t'<t) ==> ~f t') /\
X   (IsTimeOf (SUC n) f t  =  ?t'.  IsTimeOf n f t' /\
X                                   Next t' t f              )"
X  );;
X
Xlet TimeOf = new_definition
X  (`TimeOf`,
X   "TimeOf f n  =  @t. IsTimeOf n f t"
X  );;
X
Xlet when = new_infix_definition
X  (`when`,
X   "when (s:num->*) (p:num->bool)  =  \n. s (TimeOf p n)"
X  );;
X
Xlet Inf = new_definition
X  (`Inf`,
X   "Inf f =  !t. ?t'.  (t<t') /\ (f t')"
X  );;
X
X%------------------------------------------------------------------------
X| Define "LEAST P" to represent that P has a smallest element.
X------------------------------------------------------------------------%
Xlet LEAST = new_definition
X  (`LEAST`,
X   "LEAST P  =  ?x. P x  /\  (!y. y<x ==> ~P y)"
X );;
X
Xclose_theory();;
X
X%------------------------------------------------------------------------
X|   wop = |- !P.  (?n. P n)  ==>  LEAST P
X------------------------------------------------------------------------%
Xlet wop = prove_thm
X  (`wop`,
X   "!P. (?n. P n)  ==>  LEAST P",
X   REWRITE_TAC [WOP; LEAST]
X  );;
X
X%------------------------------------------------------------------------
X|   Inf_EXISTS = |- !f.  Inf f  ==>  ?n.  f n
X------------------------------------------------------------------------%
Xlet Inf_EXISTS = prove_thm
X  (`Inf_EXISTS`,
X   "!f.  Inf f  ==>  ?n.  f n",
X   PURE_REWRITE_TAC [Inf]
X   THEN REPEAT STRIP_TAC
X   THEN FIRST_ASSUM (STRIP_ASSUME_TAC  o (SPEC "t:num"))
X   THEN EXISTS_TAC "t':num"
X   THEN FIRST_ASSUM ACCEPT_TAC
X  );;
X
X%------------------------------------------------------------------------
X|   Inf_LEAST = |- !f.  Inf f  ==>  LEAST f
X------------------------------------------------------------------------%
Xlet Inf_LEAST = prove_thm
X  (`Inf_LEAST`,
X   "!f.  Inf f  ==>  LEAST f",
X   REPEAT STRIP_TAC
X   THEN IMP_RES_TAC Inf_EXISTS
X   THEN IMP_RES_TAC wop
X  );;
X
X%------------------------------------------------------------------------
X|   Inf_Next = |- !f. Inf f ==> !t. f t ==> ?t'. Next t t' f
X------------------------------------------------------------------------%
Xlet Inf_Next = prove_thm
X  (`Inf_Next`,
X   "!f. Inf f ==> !t. f t ==> ?t'. Next t t' f",
X   PURE_REWRITE_TAC [Inf; Next]
X   THEN REPEAT (X_GEN_TAC "v:num" ORELSE STRIP_TAC)
X   THEN RULE_ASSUM_TAC (\th. SPEC "v:num" th ? th)
X   THEN IMP_RES_THEN (X_CHOOSE_THEN "n:num" STRIP_ASSUME_TAC) wop'
X   THEN EXISTS_TAC "n:num"
X   THEN ASM_REWRITE_TAC []
X   THEN REPEAT STRIP_TAC
X   THEN RES_THEN (STRIP_ASSUME_TAC o (REWRITE_RULE[DE_MORGAN_THM]))
X   THEN RES_TAC
X  )
Xwhere wop' =
X CONV_RULE (DEPTH_CONV BETA_CONV) (SPEC (( mk_abs
X                                         o dest_exists
X                                         o snd
X                                         o dest_forall
X                                         o rhs
X                                         o concl
X                                         o SPEC_ALL
X                                         ) Inf)
X                                        WOP
X                                  );;
X
X%------------------------------------------------------------------------
X|   Next_ADD1 = |- !f t.  f (t+1)  ==>  Next t (t+1) f
X------------------------------------------------------------------------%
Xlet Next_ADD1 = prove_thm
X  (`Next_ADD1`,
X   "!f t.  f (t+1)  ==>  Next t (t+1) f",
X   REWRITE_TAC [ Next
X               ; SYM (SPEC_ALL ADD1)
X               ; LESS_SUC_REFL
X               ]
X   THEN REPEAT STRIP_TAC
X   THENL [ FIRST_ASSUM ACCEPT_TAC
X         ; IMP_RES_THEN
X             (STRIP_ASSUME_TAC o (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV)))
X             LESS_NOT_EQ
X          THEN IMP_RES_TAC LESS_SUC_IMP
X          THEN IMP_RES_TAC LESS_ANTISYM
X         ]
X  );;
X
X%------------------------------------------------------------------------
X|   Next_INCREAST = |- !f t1 t2.   ~f(t1+1)       ==>
X|                               Next (t1+1) t2 f  ==>  Next t1 t2 f
X------------------------------------------------------------------------%
Xlet Next_INCREASE = prove_thm
X  (`Next_INCREASE`,
X   "!f t1 t2.   ~f(t1+1)       ==>
X             Next (t1+1) t2 f  ==>  Next t1 t2 f",
X   PURE_REWRITE_TAC [Next; SYM (SPEC_ALL ADD1)]
X   THEN REPEAT STRIP_TAC
X   THENL [ IMP_RES_TAC SUC_LESS
X         ; FIRST_ASSUM ACCEPT_TAC
X         ; MATCH_UNDISCH_TAC "~^(genvar":bool")"
X           THEN IMP_RES_TAC (PURE_REWRITE_RULE [LESS_OR_EQ] LESS_SUC_EQ)
X           THEN RES_TAC
X           THEN ASM_REWRITE_TAC []
X        ]
X  );;
X
X%------------------------------------------------------------------------
X|   Next_IDENTITY = |- !t1 t2 f.   Next t1 t2 f  ==>
X|                           !t3.   Next t1 t3 f  ==>  (t2 = t3)
X------------------------------------------------------------------------%
Xlet Next_IDENTITY = prove_thm
X  (`Next_IDENTITY`,
X   "!t1 t2 f.   Next t1 t2 f  ==>
X          !t3.  Next t1 t3 f  ==>  (t2 = t3)",
X   PURE_REWRITE_TAC [Next]
X   THEN REPEAT STRIP_TAC
X   THEN PURE_ONCE_REWRITE_TAC
X          [(SYM o SPEC_ALL o hd o CONJUNCTS) NOT_CLAUSES]
X   THEN DISCH_TAC
X   THEN STRIP_ASSUME_TAC
X          (SPECL ["t2:num"; "t3:num"]
X                 (REWRITE_RULE [DE_MORGAN_THM] LESS_ANTISYM))
X   THENL [ ALL_TAC
X         ; RULE_ASSUM_TAC (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV))
X         ]
X   THEN IMP_RES_TAC LESS_CASES_IMP
X   THEN RES_TAC
X  );;
X
X%------------------------------------------------------------------------
X|   IsTimeOf_TRUE = |- !n f t.  IsTimeOf n f t ==> f t
X------------------------------------------------------------------------%
Xlet IsTimeOf_TRUE = prove_thm
X  (`IsTimeOf_TRUE`,
X   "!n f t.  IsTimeOf n f t ==> f t",
X   INDUCT_TAC
X   THEN REWRITE_TAC [IsTimeOf; Next]
X   THEN REPEAT STRIP_TAC
X  );;
X
X%------------------------------------------------------------------------
X|   IsTimeOf_EXISTS = |- !f. Inf f ==> !n. ?t. IsTimeOf n f t
X------------------------------------------------------------------------%
Xlet IsTimeOf_EXISTS = prove_thm
X  (`IsTimeOf_EXISTS`,
X   "!f. Inf f ==> !n. ?t. IsTimeOf n f t",
X   GEN_TAC
X   THEN DISCH_TAC
X   THEN INDUCT_TAC
X   THENL [ IMP_RES_TAC Inf_EXISTS
X           THEN IMP_RES_THEN
X                  (ASSUME_TAC o (PURE_REWRITE_RULE [LEAST]))
X                  Inf_LEAST
X           THEN ASM_REWRITE_TAC [IsTimeOf]
X         ; FIRST_ASSUM STRIP_ASSUME_TAC
X           THEN IMP_RES_TAC IsTimeOf_TRUE
X           THEN IMP_RES_TAC Inf_Next
X           THEN FIRST_ASSUM STRIP_ASSUME_TAC
X           THEN REWRITE_TAC [IsTimeOf]
X           THEN EXISTS_TAC "t':num"
X           THEN EXISTS_TAC "t:num"
X           THEN ASM_REWRITE_TAC []
X         ]
X  );;
X
X%------------------------------------------------------------------------
X|   TimeOf_DEFINED = |- !f. Inf f ==> (!n. IsTimeOf n f (TimeOf f n))
X------------------------------------------------------------------------%
Xlet TimeOf_DEFINED = save_thm
X  (`TimeOf_DEFINED`, ( GEN_ALL
X                     o DISCH_ALL
X                     o GEN_ALL
X                     o (REWRITE_RULE [SYM(SPEC_ALL TimeOf)])
X                     o CONV_RULE (DEPTH_CONV BETA_CONV)
X                     o (REWRITE_RULE [EXISTS_DEF])
X                     o SPEC_ALL
X                     o UNDISCH_ALL
X                     o SPEC_ALL
X                     ) IsTimeOf_EXISTS
X  );;
X
X%------------------------------------------------------------------------
X|   TimeOf_TRUE = |- !f. Inf f ==> (!n. f (TimeOf f n))
X------------------------------------------------------------------------%
Xlet TimeOf_TRUE = save_thm
X  (`TimeOf_TRUE`, ( GEN_ALL
X                  o DISCH_ALL
X                  o GEN_ALL
X                  o (MATCH_MP IsTimeOf_TRUE)
X                  o SPEC_ALL
X                  o UNDISCH_ALL
X                  o SPEC_ALL
X                  ) TimeOf_DEFINED
X  );;
X
X%------------------------------------------------------------------------
X|   IsTimeOf_IDENTITY =
X|   |- !n f t1 t2. IsTimeOf n f t1 /\ IsTimeOf n f t2 ==> (t1 = t2)
X------------------------------------------------------------------------%
Xlet IsTimeOf_IDENTITY = prove_thm
X  (`IsTimeOf_IDENTITY`,
X   "!n f t1 t2. IsTimeOf n f t1 /\ IsTimeOf n f t2 ==> (t1 = t2)",
X   INDUCT_TAC
X   THEN PURE_REWRITE_TAC [IsTimeOf; Next]
X   THEN X_GEN_TAC "f:num->bool"
X   THEN X_GEN_TAC "t1:num"
X   THEN X_GEN_TAC "t2:num"
X   THEN REPEAT STRIP_TAC
X   THENL [ ALL_TAC
X         ; RES_THEN
X             (\th. EVERY_ASSUM
X                     (STRIP_ASSUME_TAC o (\thm. SUBS [th] thm? thm)))
X         ]
X   THEN STRIP_ASSUME_TAC
X          (SPECL ["t2:num"; "t1:num"]
X                 (REWRITE_RULE [LESS_OR_EQ] LESS_CASES))
X   THEN RES_TAC
X  );;
X
X%-----------------------------------------------------------------------
X|   TimeOf_INCREASING =
X|   |- !f. Inf f  ==>  !n. (TimeOf f n) < (TimeOf f (n+1))
X-----------------------------------------------------------------------%
Xlet TimeOf_INCREASING = prove_thm
X  (`TimeOf_INCREASING`,
X   "!f. Inf f ==> (!n. (TimeOf f n) < (TimeOf f(n+1)))",
X   GEN_TAC
X   THEN DISCH_TAC
X   THEN X_GEN_TAC "n:num"
X   THEN IMP_RES_TAC Inf_Next
X   THEN IMP_RES_THEN (STRIP_ASSUME_TAC o (SPEC "n:num")) TimeOf_DEFINED
X   THEN IMP_RES_THEN
X         ( CHOOSE_THEN ( STRIP_ASSUME_TAC
X                       o (\thl. CONJ (el 1 thl) (el 2 thl))
X                       o CONJUNCTS
X                       )
X         o (REWRITE_RULE [IsTimeOf; Next])
X         o (SPEC "SUC n")
X         ) TimeOf_DEFINED
X   THEN MATCH_UNDISCH_TAC "x<y"
X   THEN IMP_RES_TAC IsTimeOf_TRUE
X   THEN IMP_RES_THEN
X         (\th. ONCE_REWRITE_TAC[ADD1; th]) IsTimeOf_IDENTITY
X  );;
X
X%-----------------------------------------------------------------------
X|   TimeOf_INTERVAL =
X|   |- !f. Inf f ==>
X|      !n t. (TimeOf f n)<t  /\  t<(TimeOf f (n+1)) ==> ~f t
X-----------------------------------------------------------------------%
Xlet TimeOf_INTERVAL = prove_thm
X  (`TimeOf_INTERVAL`,
X   "!f. Inf f ==>
X    !n t. (TimeOf f n)<t  /\  t<(TimeOf f (n+1)) ==> ~f t",
X   GEN_TAC
X   THEN DISCH_TAC
X   THEN X_GEN_TAC "n:num"
X   THEN X_GEN_TAC "t:num"
X   THEN IMP_RES_TAC Inf_Next
X   THEN IMP_RES_THEN (STRIP_ASSUME_TAC o (SPEC "n:num")) TimeOf_DEFINED
X   THEN IMP_RES_THEN
X         ( CHOOSE_THEN ( STRIP_ASSUME_TAC
X                       o (\thl.  CONJ (el 1 thl) (SPEC "t:num" (el 4 thl)))
X                       o CONJUNCTS
X                       )
X         o (REWRITE_RULE [IsTimeOf; Next])
X         o (SPEC "SUC n")
X         ) TimeOf_DEFINED
X   THEN FIRST_ASSUM (UNDISCH_TAC o concl)
X   THEN IMP_RES_TAC IsTimeOf_TRUE
X   THEN IMP_RES_THEN  (\th. ONCE_REWRITE_TAC[ADD1; th])  IsTimeOf_IDENTITY
X  );;
X
X%-----------------------------------------------------------------------
X|   TimeOf_Next = |- !f. Inf f ==> !n. Next (TimeOf f n) (TimeOf f (n+1)) f
X-----------------------------------------------------------------------%
Xlet TimeOf_Next = prove_thm
X  (`TimeOf_Next`,
X   "!f. Inf f ==> !n. Next (TimeOf f n) (TimeOf f (n+1)) f",
X   PURE_REWRITE_TAC [Next]
X   THEN REPEAT STRIP_TAC
X   THENL [ IMP_RES_THEN (\th. REWRITE_TAC [th]) TimeOf_INCREASING
X         ; IMP_RES_THEN (\th. REWRITE_TAC [th]) TimeOf_TRUE
X         ; IMP_RES_TAC TimeOf_INTERVAL THEN RES_TAC
X         ]
X  );;
X
Xprint_theory `when`;;
X%<----------------------------------------------------------------------
XThe Theory when
XParents --  HOL     wop
XConstants --
X  Next ":num -> (num -> ((num -> bool) -> bool))"
X  IsTimeOf ":num -> ((num -> bool) -> (num -> bool))"
X  TimeOf ":(num -> bool) -> (num -> num)"
X  Inf ":(num -> bool) -> bool"
XCurried Infixes --
X  when ":(num -> *) -> ((num -> bool) -> (num -> *))"
XDefinitions --
X  Next
X    |- !t1 t2 f.
X        Next t1 t2 f =
X        t1 < t2 /\ f t2 /\ (!t. t1 < t /\ t < t2 ==> ~f t)
X  IsTimeOf_DEF
X    |- IsTimeOf =
X       PRIM_REC
X       (\f t. f t /\ (!t'. t' < t ==> ~f t'))
X       (\g00004 n f t. ?t'. g00004 f t' /\ Next t' t f)
X  TimeOf  |- !f n. TimeOf f n = (@t. IsTimeOf n f t)
X  when    |- !s p. s when p = (\n. s(TimeOf p n))
X  Inf     |- !f. Inf f = (!t. ?t'. t < t' /\ f t')
XTheorems --
X  IsTimeOf
X    |- (!  f t. IsTimeOf 0 f t = f t /\ (!t'. t' < t ==> ~f t')) /\
X       (!n f t. IsTimeOf(SUC n)f t = (?t'. IsTimeOf n f t' /\ Next t' t f))
X  Inf_EXISTS  |- !f. Inf f ==> (?n. f n)
X  Inf_LEAST   |- !f. Inf f ==> LEAST f
X  Inf_Next    |- !f. Inf f ==> (!t. f t ==> (?t'. Next t t' f))
X  Next_ADD1   |- !f t. f(t + 1) ==> Next t(t + 1)f
X  Next_INCREASE
X    |- !f t1 t2. ~f(t1 + 1) ==> Next(t1 + 1)t2 f ==> Next t1 t2 f
X  Next_IDENTITY
X    |- !t1 t2 f. Next t1 t2 f ==> (!t3. Next t1 t3 f ==> (t2 = t3))
X  IsTimeOf_TRUE    |- !n f t. IsTimeOf n f t ==> f t
X  IsTimeOf_EXISTS  |- !f. Inf f ==> (!n. ?t. IsTimeOf n f t)
X  TimeOf_DEFINED   |- !f. Inf f ==> (!n. IsTimeOf n f(TimeOf f n))
X  TimeOf_TRUE      |- !f. Inf f ==> (!n. f(TimeOf f n))
X  IsTimeOf_IDENTITY
X    |- !n f t1 t2. IsTimeOf n f t1 /\ IsTimeOf n f t2 ==> (t1 = t2)
X  TimeOf_INCREASING
X    |- !f. Inf f ==> (!n. (TimeOf f n) < (TimeOf f(n + 1)))
X  TimeOf_INTERVAL
X    |- !f. Inf f ==>
X        (!n t. (TimeOf f n) < t /\ t < (TimeOf f(n + 1)) ==> ~f t)
X  TimeOf_Next  |- !f. Inf f ==> (!n. Next(TimeOf f n)(TimeOf f(n + 1))f)
X*************************************--------------------------------->%
X\end{verbatim}
END_OF_FILE
if test 19454 -ne `wc -c <'select_appendix.tex'`; then
    echo shar: \"'select_appendix.tex'\" unpacked with wrong size!
fi
# end of 'select_appendix.tex'
fi
if test -f 'BoxMacro.tex' -a "${1}" != "-c" ; then
  echo shar: Will not clobber existing file \"'BoxMacro.tex'\"
else
echo shar: Extracting \"'BoxMacro.tex'\" \(4803 characters\)
sed "s/^X//" >'BoxMacro.tex' <<'END_OF_FILE'
X%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
X%%                                                                      %%
X%%   Set of LaTeX macros for typesetting scripts framed in a box.       %%
X%%                                                                      %%
X%%   Some of this code is taken from the TeX book p421.                 %%
X%%                                                                      %%
X%%----------------------------------------------------------------------%%
X%%   DATE:    1.Mar.89                                                  %%
X%%   AUTHOR:  ISD                                                       %%
X%%----------------------------------------------------------------------%%
X%%                                                                      %%
X%%   The following macros provide two commands, namely:                 %%
X%%                                                                      %%
X%%       \begintt                                                       %%
X%%                                                                      %%
X%%       \endtt                                                         %%
X%%                                                                      %%
X%%   Anything between these two commands is typeset using the almost    %%
X%%   verbatim environment.  There are three major diffeences;           %%
X%%                                                                      %%
X%%   1.  The back-slash "\" is retained as the escape character.        %%
X%%       So now other funny characters can easily be included.  For     %%
X%%       example the forall symbol can be included using \(\forall\)    %%
X%%                                                                      %%
X%%   2.  A box is drawn around the entire block of text with width      %%
X%%       equal to the present \textwidth and height variable to         %%
X%%       accomodate the typed text.                                     %%
X%%                                                                      %%
X%%   3.  There is no check to ensure that the text isn't too wide,      %%
X%%       it merely runs off the right side of the page without any      %%
X%%       errors or warnings.                                            %%
X%%                                                                      %%
X%%   Finally there are twoplaces which allow the macro to be            %%
X%%   customised depending on which pointsize of documentstyle one is    %%
X%%   using.  These places are clearly indicated with comments.          %%
X%%   Comment out the appropriate lines depending on which               %%
X%%   documentstyle you are using.                                       %%
X%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
X
X\chardef\other=12
X
X\def\ttverbatim{\begingroup
X                \catcode`\{=\other
X                \catcode`\}=\other
X                \catcode`\$=\other     % Matching $
X                \catcode`\&=\other
X                \catcode`\#=\other
X                \catcode`\%=\other
X                \catcode`\~=\other
X                \catcode`\_=\other
X                \catcode`\^=\other
X                \catcode`\<=\other
X                \obeyspaces
X                \def\par{\leavevmode\endgraf}
X                \obeylines
X                \tt}
X
X{\obeyspaces\gdef {\ }}
X
X\newlength{\ttboxwidth}
X\setlength{\ttboxwidth}{\textwidth}
X\addtolength{\ttboxwidth}{-0.4pt}    % Width of two lines on either side
X\addtolength{\ttboxwidth}{-0.8em}    % hspace inserted after the left line.
X
X\outer\def\begintt{\begin{flushleft}
X                   \begin{tabular}{@{}|@{\hspace{0.8em}}l@{}|@{}}
X                   \hline
X                   \begin{minipage}{\ttboxwidth}
X%                 \begin{normalsize}   % for default documentstyle (10pt)
X                  \begin{small}        % for documentstyle[11pt, ... ]
X%                 \begin{footnotesize} % for documentstyle[12pt, ... ]
X                   $$
X                   %   Matching $$
X                   \let\par=\endgraf
X                   \ttverbatim
X                   \parskip=0pt
X                   \rightskip=-5pc
X                   \ttfinish}
X
X{\obeylines\gdef\ttfinish#1^^M#2\endtt{#1\vbox{#2}\endgroup$$
X                   %   Matching $$
X                   \vspace{0.5ex}
X%                 \end{normalsize}     % for default documentstyle (10pt)
X                  \end{small}          % for documentstyle[11pt, ... ]
X%                 \end{footnotesize}   % for documentstyle[12pt, ... ]
X                   \end{minipage}\\ \hline\end{tabular}
X                   \end{flushleft}}}
X
X%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
X%%                           End of Macro...                            %%
X%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
END_OF_FILE
if test 4803 -ne `wc -c <'BoxMacro.tex'`; then
    echo shar: \"'BoxMacro.tex'\" unpacked with wrong size!
fi
# end of 'BoxMacro.tex'
fi
echo shar: End of shell archive.
exit 0

