From @CUNYVM.CUNY.EDU:ploegaer%chaos.imec.be%imec.be@blekul60.bitnet  Thu Aug 16 14:24:48 1990
Received: by iris.ucdavis.edu (5.57/UCD.EECS.2.0)
        id AA29970; Thu, 16 Aug 90 14:24:48 PDT
Received: from cunyvm.cuny.edu by clover.ucdavis.edu (5.59/UCD.EECS.1.11)
        id AA23792; Thu, 16 Aug 90 14:28:21 PDT
Received: from BLEKUL60.BITNET by CUNYVM.CUNY.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 2498; Thu, 16 Aug 90 17:24:10 EDT
From: <ploegaer%chaos.imec.be%imec.be%BLEKUL60.BITNET@CUNYVM.CUNY.EDU>
Received: by kulcs.uucp; Thu, 16 Aug 90 11:16:24 +0200
Date: Thu, 16 Aug 90 10:35:55 GMT
Message-Id: <9008161035.AA00932@esat.kuleuven.ac.be>
Received: by esat.kuleuven.ac.be Thu, 16 Aug 90 10:35:56 GMT
To: info-hol@clover.ucdavis.edu

Hello!

   I've been having troubles with the existential quantifier when
doing hardware related proofs. Therefore I made a list of all inference
rules, conversion and tactics dealing with "?"  in HOL88. I post this
(latex) document with the following questions:

    - Is there something missing or wrong? All comments are wellcome.

    - Is there some generous soul who has some home-brewed stuff pertaining
      this subject and who is willing to share it?

   I will post a new document containing all answers if some others out there
   are interested in this subject.


                                            Thanks,

                                               Wim Ploegaerts
                                               (ploegaer@imec.be)


%<--------------------------  cut here  ----------------------------------->%

%  This document uses the latex style files from the HOL distribution tape

\documentstyle[12pt,fleqn,../LaTeX/alltt,
               ../LaTeX/layout]{article}


\input{../LaTeX/commands}


\begin{document}

   \setlength{\unitlength}{1mm}           % unit of length = 1mm
   \setlength{\baselineskip}{16pt}        % line spacing = 16pt

   \pagenumbering{arabic}                % arabic page numbers
   \setcounter{page}{1}                  % start at page 1

\thispagestyle{empty}
\hrule height1pt \vskip 14pt
{\bf\LARGE\begin{center} The Existential Quantifier in HOL88  \\
                      Tactics, Rules and Conversions
         \end{center}}
\vskip 14pt\hrule height1pt\normalsize\vskip 50pt
\begin{center}
{\rm\large Wim Ploegaerts \\
Imec vzw. \\
Kapeldreef 75 \\
3030 Leuven, Belgium \\
\vspace{1cm}
tel: (32) 16 281 220 \\
e-mail: ploegaer@imec.be \\
}
\end{center}

\vspace{3cm}
{\abstract
In this document all (?) HOL88 inference rules, conversions and tactics
that deal with the existential quantifier have been put together. Any
comments, corrections and additions are more then wellcome. }

\newpage

\section{Introduction}

Hardware description using the ``description style'' of e.g. Gordon's
paper ``Why higher order logic is a good formalism \ldots''
involves a large amount of existential quantifications.
Consequently, the related correctness proofs will require several
manipulations of these existential quantifiers for which special purpose
inference rules are needed. It has therefore been tried
to put together all HOL88 rules, conversions and tactics dealing with the
existential quantifier. Most of these come from David Shepherd's
``convert'' library and are documented in the file ``convert.tex''.


\section{Definition}

The constant ``\$ ?'' is a binder
and is defined by means of the choice operator ``@''.


\begin{session}\begin{verbatim}

 EXISTS_DEF : thm  (in theory `bool')

 |- $? = \P:*->bool. P($@ P)

\end{verbatim}\end{session}

As for other binders, the primitive term ``$ \$?(\lambda x . t) $'' is
represented in ML as ``$ ?x . t$''.



\section{Exists and Select}

As the existential quantifier is defined by means of the choice
operator, the latter can easily be introduced with SELECT\_RULE.

\begin{session}\begin{verbatim}

SELECT_RULE : thm -> thm

    A |- ?x. t[x]
  -----------------
    A |- t[@x.t[x]]

\end{verbatim}\end{session}

The related tactic is called SELECT\_TAC, which is defined in the file
``start\_groups.ml'' in the library ``group''.

\begin{session}\begin{verbatim}

SELECT_TAC : term -> tactic

     A |- P[@x.P[x]]
    -----------------
      A |- ?x.P[x]

\end{verbatim}\end{session}

The related conversion is SELECT\_CONV

\begin{session}\begin{verbatim}

SELECT_CONV : conv

SELECT_CONV "P[@x.P[x]]''
     |- P[@x.P[x]] = ?x.P[x]

\end{verbatim}\end{session}

The previous functions are documented in Brian Graham's paper ``Dealing
with the Choice Operator in HOL88''.

\section{Elementary Rules and Tactics}

Once it has been proven that, given certain assumptions, a predicate
holds for a specific ``value'' of its argument, it can be deduced that
there exists a value for which  the predicate holds.

\begin{session}\begin{verbatim}

EXISTS : (term # term) -> thm -> thm

    A |- t[t']
  --------------
   A |- ?x.t[x]

  The parameters are: EXISTS("?x.t[x]", "t'") (|- t[t'])

\end{verbatim}\end{session}

This inference rule is the basis of the EXISTS\_TAC

\begin{session}\begin{verbatim}

EXISTS_TAC : term -> tactic

        ?x.A(x)
    ==============   EXISTS_TAC "t"
         A(t)

\end{verbatim}\end{session}

The goal, if this is an existential quantification, is reduced to a
subgoal where ``x'' is substituted by the term ``t'' (in case the latter
is not a free variable in the assumptions). \\


The order of the existentialy quantified variables can be changed by

\begin{session}\begin{verbatim}

SWAP_EXISTS_CONV : conv

SWAP_EXISTS_CONV "?x y.t[x,y]
    |- ? x y. t[x,y] = ? y x. t[x,y]

\end{verbatim}\end{session}

A tactic to finish existential proofs, if the body is an equality of
predicates with different arguments.

\begin{session}\begin{verbatim}

EXISTS_REFL_TAC

     A, ?x1...xn. (tm[t1'...tn'] = tm[x1....xn])
     -----------------------------------------
               -

\end{verbatim}\end{session}


\section{Exists, Forall and Negation}

The well-known relation between the negation and the existential and
universal quantifier are given by the following conversions

\begin{session}\begin{verbatim}

NOT_EXISTS_CONV : conv

NOT_EXISTS_CONV "~?x.t[x]"
   |- ~?x.t[x] = !x.~t[x]


NOT_FORALL_CONV : conv

NOT_FORALL_CONV "~!x.t"
    |- (~!x.t) = (?x.~t)

\end{verbatim}\end{session}


The following conversion, defined in the file unwind.ml (library ``convert'')
can be used to swap an existential and a universal quantifier.

\begin{session}\begin{verbatim}

EXISTS_FORALL_CONV : conv

EXISTS_FORALL_CONV "?s . ! t ... (s t) ... "

    |- ? s . ! t . ....(s t)....  = ! t . ? st . ....st....

Example:

EXISTS_FORALL_CONV "?s . !t:* . s t";;
    |- (?s. !t. s t) = (!t. ?st. st)

\end{verbatim}\end{session}



\section{Exists and Equality}

The following inference rules result in an equality of existentialy
quantified predicate, starting from an equality of predicates.
The related tactics can easily be defined but have to be used with great
care (as they are not true in general).

\begin{session}\begin{verbatim}

MK_EXISTS : thm -> thm

       A |-  (!x. t1 = t2)
   ---------------------------
    A |- (?x.t1)  =  (?x.t2)



LIST_MK_EXISTS : term list -> thm -> thm

               A |-  t1 = t2
   ------------------------------------------- (xi not free in A)
    A |- (?x1 ... xn. t1)  =  (?x1 ... xn. t2)



EXISTS_EQ : term -> thm -> thm

          A |- t1 = t2
     -----------------------
      A |- (?x.t1) = (?x.t2)

\end{verbatim}\end{session}




\section{Exists and redundant existential quantifiers}

If ``t'' is a predicate and ``x'' is a variable which is not free in ``t'',
than the predicates ``?x.t'' and ``t'' itself are the same. This is
incorporated in two conversion in the file prune.ml (library ``convert'').

\begin{session}\begin{verbatim}

EXISTS_DEL1 : conv

EXISTS_DEL1 "?x.t"
    |- (?x.t) = t                      (if x not free in t)


EXISTS_DEL : conv

EXISTS_DEL "?x1 ... xn.t"
    |- (?x1 ... xn.t) = t              (if x1,...,xn not free in t)

\end{verbatim}\end{session}



\section{Exists and Conjunctions}

The next four conversions are defined in the file prune.ml (library ``convert''
). They provide a mechanism to push an existential quantifier in a conjunction.

\begin{session}\begin{verbatim}

EXISTS_AND_LEFT : conv

EXISTS_AND_LEFT "?x. t1 /\ t2"
    |- ?x. t1 /\ t2 = t1 /\ (?x. t2)   (If x not free in t1)


EXISTS_AND_RIGHT : conv

EXISTS_AND_RIGHT "?x. t1 /\ t2"
    |- ?x. t1 /\ t2 = (?x. t1) /\ t2"  (If x not free in t2)


EXISTS_AND_BOTH : conv

EXISTS_AND_BOTH "?x.t1/\t2"
    |- ?x. t1 /\ t2 = t1 /\ t2"        (If x not free in t1 or t2)

\end{verbatim}\end{session}

In EXISTS\_AND these three conversions are put together

\begin{session}\begin{verbatim}

EXISTS_AND : term -> thm

EXISTS_AND "?x.t1/\t2"

    |- ?x. t1 /\ t2 = t1 /\ t2"        (If x not free in t1 or t2)

    |- ?x. t1 /\ t2 = t1 /\ (?x. t2)"  (If x not free in t1)

    |- ?x. t1 /\ t2 = (?x. t1) /\ t2"  (If x not free in t2)

\end{verbatim}\end{session}

An existential quantifier can also be moved out of a conjunction.

\begin{session}\begin{verbatim}

MOVE_EXISTS_OUT_CONV: term -> thm

MOVE_EXISTS_OUT_CONV "t1 /\ ?x.t2"     (If x not free in t1)

    | - t1 /\ ?x.t2 = ?x. t1 /\ t2

\end{verbatim}\end{session}





PRUNE\_ONCE\_CONV removes an existentialy quantified variable that is
equated to a term having substituted that term for all occurences of that
variable. If x is free in the body then just deletes the quantifier. Fails
if x not free but not equated anywhere. (copied from ``convert.tex'').
PRUNE\_CONV applies PRUNE\_ONCE\_CONV to remove as many existentialy quantified
variables as possible. PRUNE\_RULE applies PRUNE\_CONV to the right hand side
of an equation.

\begin{session}\begin{verbatim}

PRUNE_ONCE_CONV : conv

PRUNE_ONCE_CONV  "? x . eqn1 /\ .... /\ x=t /\ ... /\ eqnn"
   |- (? x . eqn1 /\ ... /\ x=t /\ ... /\ eqnn) =
      (? x . eqn1[t/x] /\ ... /\ eqnn[t/x])


PRUNE_CONV : conv

PRUNE_RULE : thm -> thm

\end{verbatim}\end{session}


In the file ``convert.tex'' it is also stated that \ldots
 ``UNWIND\_EXISTS\_ONCE\_CONV and  UNWIND\_EXISTS\_CONV unwind the body
of a existentially quantified term using conjuncts specifying the values of the
quantified variables as the rewriting terms. {\em These are problably
redundant now that PRUNE\_ONCE\_CONV performs rewriting}.''

\begin{session}\begin{verbatim}

UNWIND_EXISTS_ONCE_CONV and UNWIND_EXISTS_CONV


   ? l1 ... ln . eqn1 /\ ... /\ eqnm
   ----------------------------------------
   |- (? l1 ... ln . eqn1 /\ ... /\ eqnm) =
      (? l1 ... ln . eqn1'/\ ... /\ eqnm')

   where any eqs (li = ti) are used as rewrites

\end{verbatim}\end{session}





Another useful conversion defined in the library ``convert'' (file unfold.ml)
is

\begin{session}\begin{verbatim}

UNFOLD : thm list -> conv

UNFOLD  "A1 |- t1 = t1' , ... , An |- tn = tn'"
    |-  A1 u ... u An  |- ?l1 ... lm. t1  /\ ... /\ tn =
                         ?l1 ... lm. t1' /\ ... /\ tn'

\end{verbatim}\end{session}

The related inference rule is

\begin{session}\begin{verbatim}

UNFOLD_RULE : thm list -> thm -> thm

       A1 |- t1 = t1' , ... , An |- tn = tn'

        A |- t = (?l1 ... lm. t1 /\ ... /\ tn)
      ------------------------------------------
        A |- t = (?l1 ... lm. t1' /\ ... /\ tn')

\end{verbatim}\end{session}




\section{Exists and Assumptions}


Variables that are existentially quantified in the
antecedant of an implication but don't appear free in the consequent, can be
generalized:

\begin{session}\begin{verbatim}

EXISTS_IMP_FORALL_CONV : conv

EXISTS_IMP_FORALL_CONV "(?x. t1[x]) ==> t2"

    |- (?x. t1[x]) ==> t2  =  !x. t1[x] ==> t2  (if x is not free in t2)

and the iterated version

E_I_CONV : conv

\end{verbatim}\end{session}



An existential quantification can be eliminated when given a second theorem
which states or assumes that a value for which the given predicate holds
does really exist.

\begin{session}\begin{verbatim}

CHOOSE : (term # thm) -> thm -> thm

   A1 |- ?x.t[x]   ,   A2, "t[v]" |- t'
   ------------------------------------     (variable v occurs nowhere)
            A1 u A2 |- t'

\end{verbatim}\end{session}


The related tactic is called X\_CHOOSE\_TAC. Given a theorem which is
an existential quantification ``?x.t[x]'' and a term ``u'' of the type of
``x'', the theorem ``t[u]'' is put on the assumption list if ``u'' is not
a free variable.

\begin{session}\begin{verbatim}

X_CHOOSE_TAC : term -> thm_tactic

            A |- gl
      ------------------  X_CHOOSE_TAC "u" (|- ?x.t[x])
       A u {t[u]} |- gl

\end{verbatim}\end{session}

The latter is implemented by means of the more general tactical
X\_CHOOSE\_THEN. The term ``y'' is specialized in the body of an existential
quantification. The resulting term is used as the argument of a
tactic-generating function which, on its turn, is applied to the goal.
The tern ``y'' should be free in the  goal.

\begin{session}\begin{verbatim}

X_CHOOSE_THEN : term -> (thm -> tactic) -> (thm -> tactic)

X_CHOOSE_THEN "y" f (|-?x.u) ([...],t) = f(u[y/x]|-u[y/x]) ([...],t)

\end{verbatim}\end{session}%

The tactical CHOOSE\_THEN does nearly  same as the previous tactical.
The only difference is that it chooses a non-free variable for ``y'' itself.

\begin{session}\begin{verbatim}

CHOOSE_THEN : (thm -> tactic) -> (thm -> tactic)

CHOOSE_THEN f (|-?x.u) ([...],t) = f(u|-u) ([...],t)

\end{verbatim}\end{session}


In the file tydefs.ml the following conversions are defined

\begin{session}\begin{verbatim}

ELIM_ANTE_EQN_CONV : conv

  For eliminating the "!v... (?x. v = x) /\ P ==> tm[v]",
  giving !x... P ==> tm[x]


ELIM_ANTE_EQNS_CONV : conv

  For eliminating the "!v... (?x. v = x) /\ P ==> tm[v]",
  giving !x... P ==> tm[x]

  The ml code of these conversions is different, but the exact difference is
  not clear to me.


LEN_SIMPLE_CONV : conv

LEN_SIMP_CONV : "?l.  (?a1..an. l = tm[a1...an]) /\ tm2[l]"
      ---> "?a1...an. tm2[tm[a1...an]]"


\end{verbatim}\end{session}




\section{Existence of non-recursive functions}

The following conversions, defined in ``prune.ml''
 can be used for proving the existence of non-recursive functions (I don't
 know what they are actually used for.


\begin{session}\begin{verbatim}

EXISTS_EQN : conv

EXISTS_EQN  "?l. (l x1 ... xn = t)"
    |- (?l.l x1 ... xn = t) = T        (if l not free in t)


EXISTS_EQNF : conv

EXISTS_EQNF  "?l. (!x1 ... xn. l x1 ... xn) = t"
    |- (?l. !x1 ... xn. l x1 ... xn = t) = T   (if l not free in t)

\end{verbatim}\end{session}


\end{document}



