HOL | Notes about a great book

nat set is interpreted as a function (that does not type correctly). The set of natural numbers can be expressed as UNIV :: nat set. Then, spec_2 reads

Pure is based on intuistionistic logic and there is no existential quantifier in this logic.

The rough equivalent is obtains:

A join option:

There is no need to put theory files into the Isabelle distribution (on the contrary, I'd better keep it intact to make sure your development can be used on other machines without touching Isabelle installation).

The issue with the failing proof lies in a different area: the definition of add_123 is inductive on the first argument and has no immediate rule how to handle the expression specified in lemma_02. (E.g., lemma add_01: "add_123 0 m = m" could be proved the way you used because it matches the first case specified in the definition.)

The solution is to use a proof by induction on the first argument:

Your script is trying to access image files from a directory relative to the script itself; this works when the script is installed unpacked, with resources actually on the file system. But when bundled into an executable, that can't work; the image isn't going to be there unless you've copied it in with the executable (an ugly hack of a solution); you need to bundle it into the executable itself in such a way that it can be extracted at runtime by your script.

You need to read the docs on spec files, specifically, adding data files (to bundle the data with the executable when you build it) and using data files from a module (to extract the bundled data in memory at runtime).

You'll only have access to the data from the file, it won't be a file on disk anymore, so you'll need to use alternate means of loading, e.g. from base64 encoded data.

There is only one case where such things are necessary: when defining a function in a proof. I have done so, but this is far from beginner friendly, because you have to derive the simp rules by hand.

The solution is to mimic what fun is doing internally and expressing your definition in terms of rec_nat:

As pointed out in the comments, you can use group_by from dplyr to accomplish this.

First, you can extract keywords for each comment/sentence. Then unnest so each keyword is in a separate row with a date.

Then, use group_by with both date and comment included (to get frequency for combination of date and keyword together). The use of summarise with n() will give number of mentions.

Here's a complete example:

Not in general, no.

First-order logic is semi-decidable. In short, this means that if there's a proof you can always find it. If there isn't, you may find a refutation, or loop forever trying to find one. No system will give you an out-of-the box proof/refutation for all first-order logic formulae.

Of course, even if there's a proof, there's no guarantee that you can find it quickly. So, in practice, finding proofs in a reasonable amount of time/resources is a tricky problem, even if they exist. In theory you can always do so if you're willing to wait long enough.

That's the theory side of it. In practice, modern SMT solvers can do a lot, especially if your interest is in lemmas that arise in practice in software-hardware verification; instead of pure mathematics. For instance, the example you've used can be coded in the SMTLib language as:

lemma bij_iff_ex_identity : "bij_betw f A B ⟷ (∃ g. g∘f = restrict id B ∧ f∘g = restrict id A)"

I think this is not exactly what you want an I am doubtful that it is true. g∘f = restrict id B does not mean that g∘f and id are equal on B. It means that the total function g∘f (and there are only total functions in HOL) equals the total function restrict id B. The latter returns id x on x∈B and undefined otherwise. So to make this equality true, g needs to output undefined whenever the input of f is not in B. But how would g know that!

If you want to use restrict, you could write restrict (g∘f) B = restrict id B. But personally, I would rather go for the simpler (∀x∈B. (g∘f) x = x).

So the corrected theorem would be:

lemma bij_iff_ex_identity : "bij_betw f A B ⟷ (∃ g. (∀x∈A. (g∘f) x = x) ∧ (∀y∈B. (f∘g) y = y))"

(Which is still wrong, by the way, as quickcheck tells me in Isabelle/jEdit, see the output window. If A has one element and B is empty, f cannot be a bijection. So the theorem you are attempting is actually mathematically not true. I will not attempt to fix it, but just answer the remaining lines.

unfolding bij_betw_def inj_on_def restrict_def iffI

The iffI here has no effect. Unfolding can only apply theorems of the form A = B (unconditional rewriting rules). iffI is not of that form. (Use thm iffI to see.)

proof

Personally, I don't use the bare form proof but always proof - or proof (some method). Because proof just applies some default method (in this case, equivalent to (rule iffI), so I think it's better to make it explicit. proof - just starts the proof without applying an extra method.

let ?g = "restrict (λ y. (if f x = y then x else undefined)) B"

You have an unbound variable x here. (Note the background color in the IDE.) That is most likely not what you want. Formally, it is allowed, but x will be treated as if it was some arbitrary constant.

Generally, I don't think there is any way to define g in a simple way (i.e., only with quantifiers and function applications and if-then-else). I think the only way to define an inverse (even if you know it exists), is to use the THE operator, because you need to say something like g y is "the" x such that f x = y. (And then later in the proof you will run into a proof obligation that it indeed exists and that it is unique.) See the definition of inv_into in Hilbert_Choice.thy (except it uses SOME not THE). Maybe for starters, try to do the proof just using the existing inv_into constant.

assume "(∀x∈A. ∀y∈A. f x = f y ⟶ x = y)"

All assume commands must have assumptions exactly as the are in the proof goal. You can test whether you wrote it right by just temporarily writing the command show A for A (that's an unprovable goal that would, however, finish the proof, so it tricks Isabelle into checking if it would). If this command does not give an error, you got the assumes right. In your cases, you didn't, it should be (∀x∈A. ∀y∈A. f x = f y ⟶ x = y) ∧ f ' A = B. (' is the backtick symbol here. Markup doesn't let me write it.)

My recommendation: Try the proof with bij instead of bij_betw first. (One direction is in BNF_Fixpoint_Base.o_bij if you want to cheat.) Once done, you can try to generalize.