%{ = Bijection from indexed HOAS to natural numbers = }%
%{ This file shows an *indexed* HOAS term type and a mapping from these terms to the natural numbers. It depends on John Boyland's library signatures, in particular void, bool, nat, natpair and multiset. This file shows some of the extensions needed to handle indexed HOAS terms above and beyond those of "regular" HOAS terms (which is the topic of the [HOAS_nat_bijection] page). In the comments here, I emphasize those different aspects rather than repeat the same discussion. }%
%{| hidden = true }%
% contents included from ../library/std.elf
%%%%%% Proposed Twelf Standard Library
%%%%%% John Boyland
%%%%%% You may freely use, modify and distribute this file without restrictions.
%%%% Structure
%%% The uninhabited type
%% void has no constructors: a derivation of void is a contradiction, so
%% theorems with a void premise below are proved with no clauses at all.
void : type.
%freeze void.
%%% The uninteresting type
unit : type.
unit/ : unit.
%freeze unit.
%%% The three-way comparison type
%% Result type of the nat `compare` relation defined in nat.elf.
comp : type.
less : comp.
greater : comp.
equal : comp.
%freeze comp.
%{| hidden = true }%
% contents included from ../library/bool.elf
%%%%% bool.elf
%%%%% Boolean literals
%%%%% John Boyland
%%%% Definitions
bool : type.
true : bool.
false : bool.
%freeze bool.
%% eq? B1 B2 B is decidable boolean equality with its outcome B; eq and ne
%% are the two fixed-outcome views of it (outcome true / outcome false).
eq? : bool -> bool -> bool -> type.
%abbrev eq = [B1] [B2] eq? B1 B2 true.
%abbrev ne = [B1] [B2] eq? B1 B2 false.
eq/ : eq B B.
ne/TF : ne true false.
ne/FT : ne false true.
%% eq?/yes is just eq/; eq?/no relabels a ne derivation as an eq? derivation.
%abbrev eq?/yes = eq/.
%abbrev eq?/no = [NE:ne B1 B2] NE.
not : bool -> bool -> type.
not/T : not true false.
not/F : not false true.
%% and/FX and and/XF both apply to `and false false false`; the relation is
%% still a function of its first two arguments, only the derivation differs.
and : bool -> bool -> bool -> type.
and/FX : and false B false.
and/XF : and B false false.
and/TT : and true true true.
or : bool -> bool -> bool -> type.
or/TX: or true B true.
or/XT: or B true true.
or/FF: or false false false.
%%%% Theorems
%%% theorems about eq
%% No clause: the void premise has no constructor, so coverage is vacuous.
%theorem false-implies-eq : forall* {X1} {X2} forall {F:void} exists {E:eq X1 X2} true.
%worlds () (false-implies-eq _ _).
%total { } (false-implies-eq _ _).
%% Lifts eq to the meta level so %reduces (next line of the file) can
%% record that eq's arguments are identical terms.
%theorem meta-eq : forall {X1} {X2} {E:eq X1 X2} true.
- : meta-eq _ _ eq/.
%worlds () (meta-eq _ _ _).
%total { } (meta-eq _ _ _).
%reduces X = Y (meta-eq X Y _).
%% Equivalence-relation properties of eq; each holds by the single
%% constructor eq/, which forces both sides to be the same boolean.
%theorem eq-reflexive : forall {X} exists {E:eq X X} true.
- : eq-reflexive _ eq/.
%worlds () (eq-reflexive _ _).
%total { } (eq-reflexive _ _).
%theorem eq-symmetric : forall* {X} {Y} forall {E:eq X Y} exists {F:eq Y X} true.
- : eq-symmetric (eq/) (eq/).
%worlds () (eq-symmetric _ _).
%total { } (eq-symmetric _ _).
%theorem eq-transitive : forall* {X} {Y} {Z} forall {E1:eq X Y} {E2:eq Y Z} exists {F:eq X Z} true.
- : eq-transitive (eq/) (eq/) (eq/).
%worlds () (eq-transitive _ _ _).
%total { } (eq-transitive _ _ _).
%%% theorems about ne
%% No clause: void premise (see false-implies-eq).
%theorem false-implies-ne : forall* {X1} {X2} forall {F:void} exists {G:ne X1 X2} true.
%worlds () (false-implies-ne _ _).
%total { } (false-implies-ne _ _).
%% Both eq premises are eq/, so the ne derivation can be returned unchanged.
%theorem ne-respects-eq : forall* {X1} {X2} {Y1} {Y2} forall {D1:ne X1 X2} {E1:eq X1 Y1} {E2:eq X2 Y2} exists {D2:ne Y1 Y2} true.
- : ne-respects-eq X1<>X2 eq/ eq/ X1<>X2.
%worlds () (ne-respects-eq _ _ _ _).
%total { } (ne-respects-eq _ _ _ _).
%% No clause: ne/TF and ne/FT relate only distinct booleans, so `ne B B`
%% has no derivation and coverage is vacuous.
%theorem ne-anti-reflexive : forall* {B} forall {R:ne B B} exists {F:void} true.
%worlds () (ne-anti-reflexive _ _).
%total { } (ne-anti-reflexive _ _).
%theorem ne-symmetric : forall* {B1} {B2} forall {R1:ne B1 B2} exists {R2:ne B2 B1} true.
- : ne-symmetric ne/TF ne/FT.
- : ne-symmetric ne/FT ne/TF.
%worlds () (ne-symmetric _ _).
%total { } (ne-symmetric _ _).
%% No clause: eq/ forces B1 = B2, leaving no constructor for `ne B1 B1`.
%theorem eq-ne-implies-false : forall* {B1} {B2} forall {D1:eq B1 B2} {D2:ne B1 B2} exists {F:void} true.
%worlds () (eq-ne-implies-false _ _ _).
%total { } (eq-ne-implies-false _ _ _).
%%% theorems about eq?
%% Decidability of boolean equality: one clause per pair of literals.
%theorem eq?-total* : forall {B1} {B2} exists {B} {EQ?:eq? B1 B2 B} true.
- : eq?-total* true true _ (eq?/yes).
- : eq?-total* false false _ (eq?/yes).
- : eq?-total* true false _ (eq?/no ne/TF).
- : eq?-total* false true _ (eq?/no ne/FT).
%worlds () (eq?-total* _ _ _ _).
%total { } (eq?-total* _ _ _ _).
%% Implicit-argument convenience form of eq?-total*.
%abbrev eq?-total = eq?-total* _ _ _.
%%% Theorems about not, and, or
%% Totality of the boolean connectives: each constructor of the relation
%% is one case of the theorem.
%theorem not-total*: forall {B1} exists {B2} {N:not B1 B2} true.
%abbrev not-total = not-total* _ _.
- : not-total not/T.
- : not-total not/F.
%worlds () (not-total* _ _ _).
%% NOTE(review): unlike every other totality theorem in this file, no
%% %total declaration follows this %worlds in the page as extracted, so
%% not-total* is not checked here; confirm against the original bool.elf.
%theorem and-total* : forall {B1} {B2} exists {B3} {A:and B1 B2 B3} true.
%abbrev and-total = and-total* _ _ _.
- : and-total and/FX.
- : and-total and/XF.
- : and-total and/TT.
%worlds () (and-total* _ _ _ _).
%total { } (and-total* _ _ _ _).
%theorem or-total* : forall {B1} {B2} exists {B3} {A:or B1 B2 B3} true.
%abbrev or-total = or-total* _ _ _.
- : or-total or/TX.
- : or-total or/XT.
- : or-total or/FF.
%worlds () (or-total* _ _ _ _).
%total { } (or-total* _ _ _ _).
%% Qualified aliases. nat.elf (included next) redeclares eq, eq/, meta-eq,
%% false-implies-eq, eq-symmetric and eq-transitive for nat; these
%% bool`-prefixed names keep the boolean versions reachable afterwards.
%abbrev bool`bool = bool.
%abbrev bool`true = true.
%abbrev bool`false = false.
%abbrev bool`eq? = eq?.
%abbrev bool`eq = eq.
%abbrev bool`ne = ne.
%abbrev bool`eq/ = eq/.
%abbrev bool`ne/TF = ne/TF.
%abbrev bool`ne/FT = ne/FT.
%abbrev bool`eq?/yes = eq?/yes.
%abbrev bool`eq?/no = eq?/no.
%abbrev bool`not = not.
%abbrev bool`not/T = not/T.
%abbrev bool`not/F = not/F.
%abbrev bool`and = and.
%abbrev bool`and/FX = and/FX.
%abbrev bool`and/XF = and/XF.
%abbrev bool`and/TT = and/TT.
%abbrev bool`or = or.
%abbrev bool`or/TX = or/TX.
%abbrev bool`or/XT = or/XT.
%abbrev bool`or/FF = or/FF.
%abbrev bool`false-implies-eq = false-implies-eq.
%abbrev bool`meta-eq = meta-eq.
%abbrev bool`eq-reflexive = eq-reflexive.
%abbrev bool`eq-symmetric = eq-symmetric.
%abbrev bool`eq-transitive = eq-transitive.
%abbrev bool`false-implies-ne = false-implies-ne.
%abbrev bool`ne-respects-eq = ne-respects-eq.
%abbrev bool`ne-anti-reflexive = ne-anti-reflexive.
%abbrev bool`ne-symmetric = ne-symmetric.
%abbrev bool`eq-ne-implies-false = eq-ne-implies-false.
%abbrev bool`eq?-total* = eq?-total*.
%abbrev bool`eq?-total = eq?-total.
%abbrev bool`not-total* = not-total*.
%abbrev bool`not-total = not-total.
%abbrev bool`and-total* = and-total*.
%abbrev bool`and-total = and-total.
%abbrev bool`or-total* = or-total*.
%abbrev bool`or-total = or-total.
%{| hidden = true }%
% contents included from ../library/nat.elf
%%%%% Natural numbers
%%%%% John Boyland
%%%%% Anyone may use, copy or modify this software without restriction
%%%%% This file requires std.elf
%%%%% nat-base.elf
%%%%% Basic definitions, operations and theorems
%%%%% This file is part of the nat.elf signature
%%%% Definitions
%%% Natural numbers:
%% Unary naturals; %name makes Twelf print nat metavariables as N, N1, ...
nat : type. %name nat N.
z : nat.
s : nat -> nat.
%freeze nat.
%%% Operations on natural numbers
%% plus X Y Z means X + Y = Z, defined by recursion on the first argument.
plus : nat -> nat -> nat -> type.
plus/z : plus z Y Y.
plus/s : plus (s X) Y (s Z) <- plus X Y Z.
%% times X Y Z means X * Y = Z:  (s X) * Y = T + Y where T = X * Y.
times : nat -> nat -> nat -> type.
times/z : times z X z.
times/s : times (s X) Y Z <- plus T Y Z <- times X Y T.
%% This eq shadows the boolean eq from bool.elf (use bool`eq for that one).
eq : nat -> nat -> type.
eq/ : eq N N.
%% gt M N means M > N; both constructors put a successor on the left, so
%% `gt z N` has no derivation (used by gt-contradiction below).
gt : nat -> nat -> type.
gt/1 : gt (s M) M.
gt/> : gt (s M) N <- gt M N.
%%% Using the conditional for natural numbers
%% Three-way comparison returning a comp (std.elf); less/greater carry the
%% witnessing gt derivation.
compare : nat -> nat -> comp -> type.
compare/= : compare N N equal.
compare/< : compare M N less <- gt N M.
compare/> : compare M N greater <- gt M N.
%%%% Theorems
%%% Theorems about eq
%reduces X = Y (eq X Y).
%theorem meta-eq : forall {M} {N} {E:eq M N} true.
- : meta-eq N N eq/.
%worlds () (meta-eq _ _ _).
%total {} (meta-eq _ _ _).
%reduces X = Y (meta-eq X Y _).
%% No clause: void premise, coverage is vacuous.
%theorem false-implies-eq : forall* {M} {N} forall {P:void} exists {Q:eq M N} true.
%worlds () (false-implies-eq _ M=N).
%total {} (false-implies-eq _ _).
%theorem eq-symmetric : forall* {M:nat} {N:nat} forall {E:eq M N} exists {F:eq N M} true.
- : eq-symmetric (eq/) (eq/).
%worlds () (eq-symmetric M>N N>M).
%total {} (eq-symmetric _ _).
%theorem eq-transitive : forall* {M:nat} {N:nat} {P:nat} forall {E1:eq M N} {E2:eq N P} exists {F:eq M P} true.
- : eq-transitive (eq/) (eq/) (eq/).
%worlds () (eq-transitive M>N N>P M>P).
%total {} (eq-transitive _ _ _).
%% Congruence of s with respect to eq (the converse, succ-cancels, follows).
%theorem succ-deterministic : forall* {N1:nat} {N2:nat} forall {E:eq N1 N2} exists {F:eq (s N1) (s N2)} true.
- : succ-deterministic eq/ eq/.
%worlds () (succ-deterministic N1=N2 N1+1=N2+1).
%total {} (succ-deterministic E _).
%% Injectivity of s: eq/ unifies N1 with N2.
%theorem succ-cancels : forall* {N1:nat} {N2:nat} forall {E:eq (s N1) (s N2)} exists {F:eq N1 N2} true.
- : succ-cancels eq/ eq/.
%worlds () (succ-cancels N1+1=N2+1 N1=N2).
%total {} (succ-cancels E _).
%% No clause: eq/ would need N to unify with s N, which fails the occurs
%% check, so the premise has no derivation.
%theorem succ-contradiction : forall* {N} forall {E:eq N (s N)} exists {F:void} true.
%worlds () (succ-contradiction _ _).
%total { } (succ-contradiction _ _).
%% No clause: z and s N are distinct constructors, so eq/ cannot apply.
%theorem eq-contradiction : forall* {N} forall {E:eq z (s N)} exists {F:void} true.
%worlds () (eq-contradiction ZERO=N+1 _).
%total {} (eq-contradiction _ _).
%%% Theorems about gt
%reduces M < N (gt N M).
%% If we want to prove the termination of a theorem using gt,
%% we need the gt relation lifted to the meta level:
%theorem meta-gt : forall {M} {N} {G:gt M N} true.
- : meta-gt (s M) M (gt/1).
- : meta-gt (s M) N (gt/> G) <- meta-gt M N G.
%worlds () (meta-gt _ _ _).
%total M (meta-gt M _ _).
%reduces M < N (meta-gt N M _).
%% No clause: void premise.
%theorem false-implies-gt : forall* {M} {N} forall {P:void} exists {Q:gt M N} true.
%worlds () (false-implies-gt _ M>N).
%total {} (false-implies-gt _ _).
%% Both eq premises are eq/, so the gt derivation is returned unchanged.
%theorem gt-respects-eq : forall* {M1:nat} {M2:nat} {N1:nat} {N2:nat} forall {P:gt M1 N1} {E1:eq M1 M2} {E2:eq N1 N2} exists {Q:gt M2 N2} true.
- : gt-respects-eq M1>N1 eq/ eq/ M1>N1.
%worlds () (gt-respects-eq M1>N1 M1=M2 N1=N2 M2>N2).
%total {} (gt-respects-eq _ _ _ _).
%theorem succ-implies-gt : forall* {X} {X'} forall {E:eq X (s X')} exists {G:gt X X'} true.
- : succ-implies-gt eq/ gt/1.
%worlds () (succ-implies-gt X=sX' X>X').
%total {} (succ-implies-gt _ _).
%% s M > z, by induction on M.
%theorem succ-implies-gt-zero: forall {M} exists {G:gt (s M) z} true.
- : succ-implies-gt-zero z gt/1.
- : succ-implies-gt-zero (s M) (gt/> SM>0) <- succ-implies-gt-zero M SM>0.
%worlds () (succ-implies-gt-zero M SM>0).
%total M (succ-implies-gt-zero M _).
%% Monotonicity of s for gt, by induction on the gt derivation.
%theorem succ-preserves-gt: forall* {M} {N} forall {G1:gt M N} exists {G2:gt (s M) (s N)} true.
- : succ-preserves-gt gt/1 gt/1.
- : succ-preserves-gt (gt/> M>N) (gt/> SM>SN) <- succ-preserves-gt M>N SM>SN.
%worlds () (succ-preserves-gt M>N SM>SN).
%total G1 (succ-preserves-gt G1 _).
%% Inverse of succ-preserves-gt: strip one s from both sides.
%theorem succ-preserves-gt-converse: forall* {M} {N} forall {G1:gt (s M) (s N)} exists {G2:gt M N} true.
- : succ-preserves-gt-converse gt/1 gt/1.
- : succ-preserves-gt-converse (gt/> SM>SN) (gt/> M>N) <- succ-preserves-gt-converse SM>SN M>N.
%worlds () (succ-preserves-gt-converse SM>SN M>N).
%total G1 (succ-preserves-gt-converse G1 _).
%% Anything greater than something is a successor; both gt constructors
%% already expose the s, so no recursion is needed.
%theorem gt-implies-positive : forall* {M} {N} forall {G:gt M N} exists {M'} {E:eq M (s M')} true.
- : gt-implies-positive gt/1 M eq/.
- : gt-implies-positive (gt/> (G:gt M N)) M eq/.
%worlds () (gt-implies-positive M>N M' M=sM').
%total {} (gt-implies-positive _ _ _).
%% M > M is impossible. Only the s case is written: `gt z z` has no
%% constructor, and in the s case the hypothesis is shrunk by one on each
%% side (induction on M).
%theorem gt-anti-reflexive* : forall {M} {G:gt M M} exists {F:void} true.
- : gt-anti-reflexive* (s M) (G:gt (s M) (s M)) F <- succ-preserves-gt-converse G G' <- gt-anti-reflexive* M G' F.
%worlds () (gt-anti-reflexive* M M>M _).
%total M (gt-anti-reflexive* M _ _).
%abbrev gt-anti-reflexive = gt-anti-reflexive* _.
%% Transitivity by induction on the first derivation.
%theorem gt-transitive : forall* {M} {N} {P} forall {G1:gt M N} {G2:gt N P} exists {G3:gt M P} true.
- : gt-transitive gt/1 G (gt/> G).
- : gt-transitive (gt/> M>N) N>P (gt/> M>P) <- gt-transitive M>N N>P M>P.
%worlds () (gt-transitive M>N N>P M>P).
%total (G1) (gt-transitive G1 _ _).
%% M > N and N > M would give M > M, contradicting gt-anti-reflexive.
%theorem gt-anti-symmetric : forall* {M} {N} forall {G1:gt M N} {G2:gt N M} exists {F:void} true.
- : gt-anti-symmetric M>N N>M F <- gt-transitive M>N N>M M>M <- gt-anti-reflexive M>M F.
%worlds () (gt-anti-symmetric M>N N>M _).
%total {} (gt-anti-symmetric _ _ _).
%% M > N yields a positive difference: (s D) + N = M.
%theorem gt-implies-plus : forall* {M} {N} forall {G:gt M N} exists {D} {P:plus (s D) N M} true.
- : gt-implies-plus gt/1 z (plus/s plus/z).
- : gt-implies-plus (gt/> M>N) (s D) (plus/s SD+N=M) <- gt-implies-plus M>N D SD+N=M.
%worlds () (gt-implies-plus M>N D SD+N=M).
%total G (gt-implies-plus G _ _).
%% No clause: both gt constructors have a successor on the left, so
%% `gt z M` has no derivation.
%theorem gt-contradiction : forall* {M} forall {P:gt z M} exists {Q:void} true.
%worlds () (gt-contradiction ZERO>N _).
%total {} (gt-contradiction _ _).
%%% Theorems about compare
%% No clause: void premise.
%theorem false-implies-compare : forall* {M} {N} {C} forall {P:void} exists {Q:compare M N C} true.
%worlds () (false-implies-compare _ _).
%total {} (false-implies-compare _ _).
%% compare is invariant under adding s to both sides; the less/greater
%% cases delegate the carried gt derivation to succ-preserves-gt.
%theorem succ-preserves-compare : forall* {M} {N} {C} forall {CMP:compare M N C} exists {CMP':compare (s M) (s N) C} true.
- : succ-preserves-compare compare/= compare/=.
- : succ-preserves-compare (compare/< M>N) (compare/< M+1>N+1) <- succ-preserves-gt M>N M+1>N+1.
- : succ-preserves-compare (compare/> M>N) (compare/> M+1>N+1) <- succ-preserves-gt M>N M+1>N+1.
%worlds () (succ-preserves-compare _ _).
%total {} (succ-preserves-compare _ _).
%% Decidability of comparison, by induction on the first argument; the
%% (s M, s N) case recurses and lifts the result with succ-preserves-compare.
%theorem compare-total* : forall {M} {N} exists {CMP} {P:(compare M N CMP)} true.
- : compare-total* z z equal compare/=.
- : compare-total* z (s M) less (compare/< M+1>0) <- succ-implies-gt-zero M M+1>0.
- : compare-total* (s M) z greater (compare/> M+1>0) <- succ-implies-gt-zero M M+1>0.
- : compare-total* (s M) (s N) R M+1-R-N+1 <- compare-total* M N R M-R-N <- succ-preserves-compare M-R-N M+1-R-N+1.
%worlds () (compare-total* _ _ _ _).
%total (M) (compare-total* M _ _ _).
%abbrev compare-total = compare-total* _ _ _.
%% Extracting the gt witness carried by a greater/less result.
%theorem greater-implies-gt : forall* {M} {N} forall {C:compare M N greater} exists {G:gt M N} true.
- : greater-implies-gt (compare/> G) G.
%worlds () (greater-implies-gt M>N M-gt-N).
%total C (greater-implies-gt C _).
%theorem less-is-reverse-greater : forall* {M} {N} forall {C1:compare M N less} exists {C2:compare N M greater} true.
- : less-is-reverse-greater (compare/< G) (compare/> G).
%% NOTE(review): the %worlds argument names below look truncated by the
%% page extraction (a name of the form M<N N>M appears to have been read as
%% markup). Only the names are affected here; the declaration itself is
%% still well formed.
%worlds () (less-is-reverse-greater MM).
%total C (less-is-reverse-greater C _).
%theorem less-implies-lt : forall* {M} {N} forall {C:compare M N less} exists {G:gt N M} true.
- : less-implies-lt (compare/< G) G.
%% NOTE(review): the text from this point up to the second clause of
%% plus-left-preserves-gt* (start of the next line of the page) appears to
%% have been lost in extraction. What remains fuses the %worlds declaration
%% of less-implies-lt with the tail of the first clause of
%% plus-left-preserves-gt*, whose %theorem header is missing, and the plus
%% lemmas used below (plus-total, plus-commutative, plus-deterministic,
%% plus-right-identity, plus-right-increase, plus-right-decrease,
%% plus-associative, plus-associative*, plus-associative-converse,
%% plus-swap-succ-converse, plus-respects-eq, plus-right-cancels) are not
%% visible anywhere on the page. Recover this span from the original
%% nat.elf; the line below is kept as extracted and will not parse as is.
%worlds () (less-implies-lt MN2 plus/z plus/z N1>N2.
%% Second (inductive) clause of plus-left-preserves-gt*: N1 > N2 implies
%% M + N1 > M + N2, by induction on the first plus derivation. The
%% %theorem header and first clause are on the previous line of the page.
- : plus-left-preserves-gt* N1>N2 (plus/s M+N1=O1) (plus/s M+N2=O2) SO1>SO2 <- plus-left-preserves-gt* N1>N2 M+N1=O1 M+N2=O2 O1>O2 <- succ-preserves-gt O1>O2 SO1>SO2.
%worlds () (plus-left-preserves-gt* N1>N2 M+N1=O1 M+N2=O2 O1>O2).
%total P1 (plus-left-preserves-gt* _ P1 _ _).
%% Left cancellation: X + Y > X + Z implies Y > Z (eq/ forces X1 = X2).
%theorem plus-left-cancels-gt : forall* {X1:nat} {X2:nat} {Y:nat} {Z:nat} {S1:nat} {S2:nat} forall {P1:plus X1 Y S1} {P2:plus X2 Z S2} {EX:eq X1 X2} {G1:gt S1 S2} exists {G2:gt Y Z} true.
- : plus-left-cancels-gt plus/z plus/z eq/ G G.
- : plus-left-cancels-gt (plus/s X+Y1=Z1) (plus/s X+Y2=Z2) eq/ SZ1>SZ2 Y1>Y2 <- succ-preserves-gt-converse SZ1>SZ2 Z1>Z2 <- plus-left-cancels-gt X+Y1=Z1 X+Y2=Z2 eq/ Z1>Z2 Y1>Y2.
%worlds () (plus-left-cancels-gt X1+Y1=Z1 X2+Y2=Z2 X1=X2 Z1>Z2 Y1>Y2).
%total P1 (plus-left-cancels-gt P1 _ _ _ _).
%% Existential form of plus-left-preserves-gt*: computes both sums with
%% plus-total, then applies the starred lemma.
%theorem plus-left-preserves-gt : forall* {X1} {X2} {X4} forall {G:gt X2 X4} exists {X3} {X5} {O1:plus X1 X2 X3} {O2:plus X1 X4 X5} {G2:gt X3 X5} true.
- : plus-left-preserves-gt X2>X4 X3 X5 X1+X2=A3 X1+X4=X5 X3>X5 <- plus-total X1+X2=A3 <- plus-total X1+X4=X5 <- plus-left-preserves-gt* X2>X4 X1+X2=A3 X1+X4=X5 X3>X5.
%worlds () (plus-left-preserves-gt X2>X4 X3 X5 X1+X2=A3 X1+X4=X5 X3>X5).
%total {} (plus-left-preserves-gt _ _ _ _ _ _).
%% Right-hand version, obtained from the left-hand one via commutativity.
%theorem plus-right-preserves-gt* : forall* {X1} {X2} {X3} {X4} {X5} forall {G1:gt X1 X2} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} exists {G2:gt X4 X5} true.
- : plus-right-preserves-gt* X1>X2 X1+X3=X4 X2+X3=X5 X4>X5 <- plus-commutative X1+X3=X4 X3+X1=X4 <- plus-commutative X2+X3=X5 X3+X2=X5 <- plus-left-preserves-gt* X1>X2 X3+X1=X4 X3+X2=X5 X4>X5.
%worlds () (plus-right-preserves-gt* X1>X2 X1+X3=X4 X2+X3=X5 X4>X5).
%total {} (plus-right-preserves-gt* _ _ _ _).
%theorem plus-right-preserves-gt : forall* {X1} {X2} {X3} forall {G1:gt X1 X2} exists {X4} {X5} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} {G2:gt X4 X5} true.
%% Existential form of plus-right-preserves-gt*; header is on the previous
%% line of the page.
- : plus-right-preserves-gt X1>X2 X4 X5 X1+X3=X4 X2+X3=X5 X4>X5 <- plus-total X1+X3=X4 <- plus-total X2+X3=X5 <- plus-right-preserves-gt* X1>X2 X1+X3=X4 X2+X3=X5 X4>X5.
%worlds () (plus-right-preserves-gt X1>X2 X4 X5 X1+X3=X4 X2+X3=X5 X4>X5).
%total {} (plus-right-preserves-gt _ _ _ _ _ _).
%% X1 > Y1 and X2 > Y2 give X1 + X2 > Y1 + Y2, via the intermediate sum
%% Y1 + X2 and gt-transitive.
%theorem plus-preserves-gt* : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {G1:gt X1 Y1} {G2:gt X2 Y2} {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3} exists {G3:gt X3 Y3} true.
- : plus-preserves-gt* X1>Y1 X2>Y2 X1+X2=X3 Y1+Y2=Y3 X3>Y3 <- plus-total Y1+X2=X <- plus-right-preserves-gt* X1>Y1 X1+X2=X3 Y1+X2=X X3>X <- plus-left-preserves-gt* X2>Y2 Y1+X2=X Y1+Y2=Y3 X>Y3 <- gt-transitive X3>X X>Y3 X3>Y3.
%worlds () (plus-preserves-gt* X1>Y1 X2>Y2 X1+X2=X3 Y1+Y2=Y3 X3>Y3).
%total {} (plus-preserves-gt* _ _ _ _ _).
%theorem plus-preserves-gt : forall* {X1} {X2} {Y1} {Y2} forall {G1:gt X1 Y1} {G2:gt X2 Y2} exists {X3} {Y3} {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3} {G3:gt X3 Y3} true.
- : plus-preserves-gt X1>Y1 X2>Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3>Y3 <- plus-total X1+X2=X3 <- plus-total Y1+Y2=Y3 <- plus-preserves-gt* X1>Y1 X2>Y2 X1+X2=X3 Y1+Y2=Y3 X3>Y3.
%worlds () (plus-preserves-gt X1>Y1 X2>Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3>Y3).
%total {} (plus-preserves-gt _ _ _ _ _ _ _).
%% Right cancellation, reduced to plus-left-cancels-gt by commutativity.
%theorem plus-right-cancels-gt : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E2:eq X2 Y2} {G3:gt X3 Y3} exists {G1:gt X1 Y1} true.
- : plus-right-cancels-gt X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3>Y3 X1>Y1 <- plus-commutative X1+X2=X3 X2+X1=X3 <- plus-commutative Y1+Y2=Y3 Y2+Y1=Y3 <- plus-left-cancels-gt X2+X1=X3 Y2+Y1=Y3 X2=Y2 X3>Y3 X1>Y1.
%worlds () (plus-right-cancels-gt X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3>Y3 X1>Y1).
%total {} (plus-right-cancels-gt _ _ _ _ _).
%% A positive left summand makes the sum exceed the right summand:
%% M > 0 and 0 + N = N, so M + N > N by plus-right-preserves-gt*.
%theorem plus-implies-gt: forall* {M} {N} {O} {M'} forall {P:plus M N O} {E:eq M (s M')} exists {G:gt O N} true.
- : plus-implies-gt X+Y=Z eq/ Z>Y <- succ-implies-gt-zero _ X>0 <- plus-right-preserves-gt* X>0 X+Y=Z plus/z Z>Y.
%worlds () (plus-implies-gt X+Y=Z X=sX' Z>Y).
%total {} (plus-implies-gt _ _ _).
%% M > M + N is impossible. First clause: N = z (forced by the eq/ passed
%% to plus-deterministic), so O = M and gt-anti-reflexive applies. Second
%% clause: N is a successor (forced by the eq/ passed to plus-implies-gt),
%% so O > M and gt-anti-symmetric applies.
%theorem plus-gt-contradiction : forall* {M} {N} {O} forall {P:plus M N O} {G:gt M O} exists {F:void} true.
- : plus-gt-contradiction M+0=O M>O F <- plus-right-identity _ M+0=M <- plus-deterministic M+0=O M+0=M eq/ eq/ O=M <- gt-respects-eq M>O eq/ O=M M>M <- gt-anti-reflexive M>M F.
- : plus-gt-contradiction M+N=O M>O F % N > 0
   <- plus-commutative M+N=O N+M=O <- plus-implies-gt N+M=O eq/ O>M <- gt-anti-symmetric M>O O>M F.
%worlds () (plus-gt-contradiction M+N=O M>O _).
%total {} (plus-gt-contradiction _ _ _).
%%% Theorems about times
%% No clause: void premise.
%theorem false-implies-times : forall* {M} {N} {O} forall {P:void} exists {Q:times M N O} true.
%worlds () (false-implies-times _ _).
%total {} (false-implies-times _ _).
%% All eq premises are eq/, so the times derivation is returned unchanged.
%theorem times-respects-eq: forall* {M1:nat} {M2:nat} {N1:nat} {N2:nat} {P1:nat} {P2:nat} forall {P:times M1 N1 P1} {E1:eq M1 M2} {E2:eq N1 N2} {E3:eq P1 P2} exists {Q:times M2 N2 P2} true.
- : times-respects-eq M1*N1=P1 eq/ eq/ eq/ M1*N1=P1.
%worlds () (times-respects-eq M1*N1=P1 M1=M2 N1=N2 P1=P2 M2*N2=P2).
%total {} (times-respects-eq _ _ _ _ _).
%% Multiplication is total, by induction on the first factor.
%theorem times-total* : forall {N1:nat} {N2:nat} exists {N3:nat} {T:times N1 N2 N3} true.
- : times-total* z N2 z times/z.
- : times-total* (s X) Y Z (times/s X*Y=Z' Z'+Y=Z) <- times-total* X Y Z' X*Y=Z' <- plus-total Z'+Y=Z.
%worlds () (times-total* N1 N2 N3 N1*N2=N3).
%total (N1) (times-total* N1 _ _ _).
%abbrev times-total = times-total* _ _ _.
%% Multiplication is a function of its inputs, by induction on the first
%% derivation; the successor case also needs plus-deterministic.
%theorem times-deterministic : forall* {N1:nat} {N1':nat} {N2:nat} {N2':nat} {N3:nat} {N3':nat} forall {P:times N1 N2 N3} {P':times N1' N2' N3'} {E1:eq N1 N1'} {E2:eq N2 N2'} exists {E3:eq N3 N3'} true.
- : times-deterministic (times/z) (times/z) eq/ eq/ eq/.
- : times-deterministic (times/s X*Y=Z1 Z1+Y=Z1') (times/s X*Y=Z2 Z2+Y=Z2') eq/ eq/ Z1'=Z2' <- times-deterministic X*Y=Z1 X*Y=Z2 eq/ eq/ Z1=Z2 <- plus-deterministic Z1+Y=Z1' Z2+Y=Z2' Z1=Z2 eq/ Z1'=Z2'.
%worlds () (times-deterministic X1*Y1=Z1 X2*Y2=Z2 X1=X2 Y1=Y2 Z1=Z2).
%total P (times-deterministic P _ _ _ _).
%% 1 * N = N: one unfolding of times/s with z * N = z and z + N = N.
%theorem times-left-identity : forall {N:nat} exists {T:times (s z) N N} true.
- : times-left-identity N (times/s (times/z) plus/z).
%worlds () (times-left-identity N ONE*N=N).
%total {} (times-left-identity _ _).
%% N * 1 = N, by induction on N.
%theorem times-right-identity : forall {N:nat} exists {T:times N (s z) N} true.
- : times-right-identity z times/z.
- : times-right-identity (s M) (times/s M*1=M M+1=sM) <- times-right-identity M M*1=M <- plus-right-identity M M+0=M <- plus-right-increase M+0=M M+1=sM.
%worlds () (times-right-identity N N*1=N).
%total M (times-right-identity M _).
%% N * 0 = 0, by induction on N.
%theorem times-right-zero : forall {N:nat} exists {T:times N z z} true.
- : times-right-zero z times/z.
- : times-right-zero (s M) (times/s M*0=0 plus/z) <- times-right-zero M M*0=0.
%worlds () (times-right-zero N N*0=0).
%total M (times-right-zero M _).
%% The product of two successors is a successor. The explicit binders name
%% the intermediate derivations; the result (s P) is built by
%% plus-right-increase from O + N = P.
%theorem times-preserves-positive: forall {M} {N} exists {P} {T:times (s M) (s N) (s P)} true.
-: {T1:times M (s N) O} {P1:plus O (s N) (s P)} {P2:plus O N P} times-preserves-positive M N P (times/s T1 P1) <- times-total T1 <- plus-total P2 <- plus-right-increase P2 P1.
%worlds () (times-preserves-positive M N P SM*SN=SP).
%total {} (times-preserves-positive _ _ _ _).
%% Same fact stated on an existing derivation: rewrite it with
%% times-respects-eq so that the times/s shape is exposed, then read the
%% successor off the final plus with plus-right-decrease.
%theorem times-preserves-positive*: forall* {M} {N} {P} {M'} {N'} forall {T:times M N P} {M+:eq M (s M')} {N+:eq N (s N')} exists {P'} {P+:eq P (s P')} true.
- : times-preserves-positive* M*N=P M=sM' N=sN' P' P=sP' <- times-respects-eq M*N=P M=sM' N=sN' eq/ (times/s M'*sN'=O' O'+sN'=P) <- plus-right-decrease O'+sN'=P P' P=sP' _.
%worlds () (times-preserves-positive* M*N=P M=sM' N=sN' P' P=sP').
%total {} (times-preserves-positive* _ _ _ _ _).
%% Converse: a positive product has two positive factors. Only times/s
%% cases are written, since times/z yields z, not a successor.
%theorem times-positive-implies-positive : forall* {M} {N} {P} {P'} forall {T:times M N P} {P+:eq P (s P')} exists {M'} {M+:eq M (s M')} {N'} {N+:eq N (s N')} true.
- : times-positive-implies-positive (times/s M'*N=T plus/z) eq/ M' eq/ P' eq/.
%% Second clause of times-positive-implies-positive (header on the previous
%% line of the page): when the final plus has shape plus/s, the result comes
%% from the inner product T' being positive.
- : times-positive-implies-positive (times/s M'*N=sT' (plus/s T'+N=P')) eq/ M' eq/ N' N=sN' <- times-positive-implies-positive M'*N=sT' eq/ _ _ N' N=sN'.
%worlds () (times-positive-implies-positive M*N=P P=sP' M' M=sM' N' N=sN').
%total T (times-positive-implies-positive T _ _ _ _ _).
%% (s M) * N = M * N + N is exactly the times/s constructor.
%theorem times-left-increase : forall* {M} {N} {O} {X} forall {T:times M N O} {P:plus O N X} exists {U:times (s M) N X} true.
- : times-left-increase T P (times/s T P).
%worlds () (times-left-increase M*N=O O+N=X SM*N=X).
%total {} (times-left-increase _ _ _).
%% M * (s N) = M + M * N, by induction on the times derivation; the
%% successor case reassociates with plus-associative-converse.
%theorem times-right-increase : forall* {M:nat} {N:nat} {O:nat} {X:nat} forall {T:times M N O} {P:plus M O X} exists {U:times M (s N) X} true.
- : times-right-increase times/z plus/z times/z.
- : {M*N=O:times M N O} {M+O=Z:plus M O Z} times-right-increase (times/s M*N=O O+N=O1) (plus/s M+O1=Y) (times/s M*sN=Z Z+sN=sY) <- plus-associative-converse O+N=O1 M+O1=Y Z M+O=Z Z+N=Y <- times-right-increase M*N=O M+O=Z M*sN=Z <- plus-right-increase Z+N=Y Z+sN=sY.
%worlds () (times-right-increase M*N=O M+O=X M*sN=X).
%total T (times-right-increase T _ _).
%% Inverse of times-left-increase: take times/s apart.
%theorem times-left-decrease : forall* {X} {Y} {Z} forall {T1:times (s X) Y Z} exists {Z1} {T2:times X Y Z1} {P:plus Z1 Y Z} true.
- : times-left-decrease (times/s T P) _ T P.
%worlds () (times-left-decrease SX*Y=Z Z1 X*Y=Z1 Z1+Y=Z).
%total {} (times-left-decrease _ _ _ _).
%% Inverse of times-right-increase, by induction on the times derivation.
%theorem times-right-decrease : forall* {M} {N} {X} forall {T:times M (s N) X} exists {O} {U:times M N O} {P:plus M O X} true.
- : times-right-decrease times/z z times/z plus/z.
- : times-right-decrease (times/s M*sN=Y Y+sN=X) O (times/s M*N=P P+N=O) SM+O=X <- times-right-decrease M*sN=Y P M*N=P M+P=Y <- plus-total P+N=O <- plus-right-increase P+N=O P+sN=sO <- plus-associative* M+P=Y Y+sN=X P+sN=sO M+sO=X <- plus-swap-succ-converse M+sO=X SM+O=X.
%worlds () (times-right-decrease M*sN=X O M*N=O M+O=X).
%total (T) (times-right-decrease T _ _ _).
%% Commutativity, by induction on the derivation: the z case is
%% times-right-zero, the s case uses times-right-increase on the
%% commuted sub-derivation.
%theorem times-commutative : forall* {N1} {N2} {N3} forall {T:times N1 N2 N3} exists {U:times N2 N1 N3} true.
- : times-commutative times/z T <- (times-right-zero N2 T).
- : {T1: times N1' N2 N3'} {P2: plus N3' N2 N3} {T1c: times N2 N1' N3'} {P2c: plus N2 N3' N3} {Tc: times N2 (s N1') N3} times-commutative (times/s T1 P2) Tc <- plus-commutative P2 P2c <- times-commutative T1 T1c <- times-right-increase T1c P2c Tc.
%worlds () (times-commutative N1*N2=N3 N2*N1=N3).
%total T (times-commutative T _).
%% (N1 + N2) * N3 = N1 * N3 + N2 * N3, by induction on the plus derivation.
%% The s case rearranges (YZ + XZ) + Z into (XZ + Z) + YZ with
%% plus-commutative / plus-associative.
%theorem times-right-distributes-over-plus : forall* {N1} {N2} {N3} {N12} {N123} forall {P1:plus N1 N2 N12} {T1:times N12 N3 N123} exists {N13} {N23} {T13:times N1 N3 N13} {T23:times N2 N3 N23} {P123:plus N13 N23 N123} true.
- : times-right-distributes-over-plus plus/z Y*Z=YZ z YZ times/z Y*Z=YZ plus/z.
- : times-right-distributes-over-plus (plus/s X+Y=XY) (times/s XY*Z=XYZ XYZ+Z=SXYZ) SXZ YZ (times/s X*Z=XZ XZ+Z=SXZ) Y*Z=YZ SXZ+YZ=SXYZ <- times-right-distributes-over-plus X+Y=XY XY*Z=XYZ XZ YZ X*Z=XZ Y*Z=YZ XZ+YZ=XYZ <- plus-commutative XZ+YZ=XYZ YZ+XZ=XYZ <- plus-associative YZ+XZ=XYZ XYZ+Z=SXYZ SXZ XZ+Z=SXZ YZ+SXZ=SXYZ <- plus-commutative YZ+SXZ=SXYZ SXZ+YZ=SXYZ.
%worlds () (times-right-distributes-over-plus X+Y=XY XY*Z=XYZ XZ YZ X*Z=XZ Y*Z=YZ XZ+YZ=XYZ).
%total (P) (times-right-distributes-over-plus P _ _ _ _ _ _).
%% Starred variant: the two partial products are given rather than
%% produced, so the existential lemma's outputs are matched against them
%% with times-deterministic and the sum is transported by plus-respects-eq.
%theorem times-right-distributes-over-plus* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {A12:plus X1 X2 X3} {M34:times X3 X4 X7} {M14:times X1 X4 X5} {M24:times X2 X4 X6} exists {A56:plus X5 X6 X7} true.
- : times-right-distributes-over-plus* X1+X2=X3 X3*X4=X7 X1*X4=X5 X2*X4=X6 X5+X6=X7 <- times-right-distributes-over-plus X1+X2=X3 X3*X4=X7 Y5 Y6 X1*X4=Y5 X2*X4=Y6 Y5+Y6=X7 <- times-deterministic X1*X4=Y5 X1*X4=X5 eq/ eq/ Y5=X5 <- times-deterministic X2*X4=Y6 X2*X4=X6 eq/ eq/ Y6=X6 <- plus-respects-eq Y5+Y6=X7 Y5=X5 Y6=X6 eq/ X5+X6=X7.
%worlds () (times-right-distributes-over-plus* X1+X2=X3 X3*X4=X7 X1*X4=X5 X2*X4=X6 X5+X6=X7).
%total {} (times-right-distributes-over-plus* _ _ _ _ _).
%% Left distributivity, reduced to the right-hand starred lemma by
%% commuting all three products.
%theorem times-left-distributes-over-plus* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {A12:plus X2 X4 X6} {M34:times X1 X6 X7} {M14:times X1 X2 X3} {M24:times X1 X4 X5} exists {A56:plus X3 X5 X7} true.
- : times-left-distributes-over-plus* X2+X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5 X3+X5=X7 <- times-commutative X1*X6=X7 X6*X1=X7 <- times-commutative X1*X2=X3 X2*X1=X3 <- times-commutative X1*X4=X5 X4*X1=X5 <- times-right-distributes-over-plus* X2+X4=X6 X6*X1=X7 X2*X1=X3 X4*X1=X5 X3+X5=X7.
%worlds () (times-left-distributes-over-plus* X2+X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5 X3+X5=X7).
%total {} (times-left-distributes-over-plus* _ _ _ _ _).
%% Existential form: compute the partial products first, then apply the
%% starred lemma.
%theorem times-left-distributes-over-plus : forall* {X1} {X2} {X4} {X6} {X7} forall {A12:plus X2 X4 X6} {M34:times X1 X6 X7} exists {X3} {X5} {M14:times X1 X2 X3} {M24:times X1 X4 X5} {A56:plus X3 X5 X7} true.
- : times-left-distributes-over-plus X2+X4=X6 X1*X6=X7 X3 X5 X1*X2=X3 X1*X4=X5 X3+X5=X7 <- times-total X1*X2=X3 <- times-total X1*X4=X5 <- times-left-distributes-over-plus* X2+X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5 X3+X5=X7.
%worlds () (times-left-distributes-over-plus X2+X4=X6 X1*X6=X7 X3 X5 X1*X2=X3 X1*X4=X5 X3+X5=X7).
%total {} (times-left-distributes-over-plus _ _ _ _ _ _ _).
%% Factoring (the converse of distribution): from X1*X4 + X2*X4 = X7 obtain
%% (X1 + X2) * X4 = X7. The sum X3 is computed with plus-total, the product
%% X3 * X4 with times-total, and the two are reconciled through
%% plus-deterministic and times-respects-eq.
%theorem times-right-factors-over-plus : forall* {X1} {X2} {X4} {X5} {X6} {X7} forall {M14:times X1 X4 X5} {M24:times X2 X4 X6} {A56:plus X5 X6 X7} exists {X3} {A12:plus X1 X2 X3} {M34:times X3 X4 X7} true.
- : times-right-factors-over-plus X1*X4=X5 X2*X4=X6 X5+X6=X7 X3 X1+X2=X3 X3*X4=X7 <- plus-total X1+X2=X3 <- times-total X3*X4=Y7 <- times-right-distributes-over-plus* X1+X2=X3 X3*X4=Y7 X1*X4=X5 X2*X4=X6 X5+X6=Y7 <- plus-deterministic X5+X6=Y7 X5+X6=X7 eq/ eq/ Y7=X7 <- times-respects-eq X3*X4=Y7 eq/ eq/ Y7=X7 X3*X4=X7.
%worlds () (times-right-factors-over-plus X1*X4=X5 X2*X4=X6 X5+X6=X7 X3 X1+X2=X3 X3*X4=X7 ).
%total {} (times-right-factors-over-plus _ _ _ _ _ _).
%% Starred factoring lemma: same proof as times-right-factors-over-plus,
%% but the sum X1 + X2 = X3 is supplied by the caller.
%theorem times-right-factors-over-plus* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {M14:times X1 X4 X5} {M24:times X2 X4 X6} {A56:plus X5 X6 X7} {A12:plus X1 X2 X3} exists {M34:times X3 X4 X7} true.
- : times-right-factors-over-plus* X1*X4=X5 X2*X4=X6 X5+X6=X7 X1+X2=X3 X3*X4=X7 <- times-total X3*X4=Y7 <- times-right-distributes-over-plus* X1+X2=X3 X3*X4=Y7 X1*X4=X5 X2*X4=X6 X5+X6=Y7 <- plus-deterministic X5+X6=Y7 X5+X6=X7 eq/ eq/ Y7=X7 <- times-respects-eq X3*X4=Y7 eq/ eq/ Y7=X7 X3*X4=X7.
%worlds () (times-right-factors-over-plus* X1*X4=X5 X2*X4=X6 X5+X6=X7 X1+X2=X3 X3*X4=X7 ).
%total {} (times-right-factors-over-plus* _ _ _ _ _).
%% Left factoring, reduced to right factoring by commuting the products.
%theorem times-left-factors-over-plus : forall* {X1} {X2} {X3} {X4} {X5} {X7} forall {M12:times X1 X2 X3} {M14:times X1 X4 X5} {A35:plus X3 X5 X7} exists {X6} {A24:plus X2 X4 X6} {M16:times X1 X6 X7} true.
- : times-left-factors-over-plus X1*X2=X3 X1*X4=X5 X3+X5=X7 X6 X2+X4=X6 X1*X6=X7 <- times-commutative X1*X2=X3 X2*X1=X3 <- times-commutative X1*X4=X5 X4*X1=X5 <- times-right-factors-over-plus X2*X1=X3 X4*X1=X5 X3+X5=X7 X6 X2+X4=X6 X6*X1=X7 <- times-commutative X6*X1=X7 X1*X6=X7.
%worlds () (times-left-factors-over-plus X1*X2=X3 X1*X4=X5 X3+X5=X7 X6 X2+X4=X6 X1*X6=X7).
%total {} (times-left-factors-over-plus _ _ _ _ _ _).
%% Starred left factoring: the sum X2 + X4 = X6 is supplied; proved
%% directly from times-left-distributes-over-plus* rather than via
%% commutativity.
%theorem times-left-factors-over-plus* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {M12:times X1 X2 X3} {M14:times X1 X4 X5} {A35:plus X3 X5 X7} {A24:plus X2 X4 X6} exists {M16:times X1 X6 X7} true.
- : times-left-factors-over-plus* X1*X2=X3 X1*X4=X5 X3+X5=X7 X2+X4=X6 X1*X6=X7 <- times-total X1*X6=Y7 <- times-left-distributes-over-plus* X2+X4=X6 X1*X6=Y7 X1*X2=X3 X1*X4=X5 X3+X5=Y7 <- plus-deterministic X3+X5=Y7 X3+X5=X7 eq/ eq/ Y7=X7 <- times-respects-eq X1*X6=Y7 eq/ eq/ Y7=X7 X1*X6=X7.
%worlds () (times-left-factors-over-plus* X1*X2=X3 X1*X4=X5 X3+X5=X7 X2+X4=X6 X1*X6=X7).
%total {} (times-left-factors-over-plus* _ _ _ _ _).
%% (N1 * N2) * N3 = N1 * (N2 * N3), by induction on the first product.
%% In the s case, (N1'2 + N2) * N3 is split by right distributivity into
%% N1'2 * N3 + N2 * N3; the induction hypothesis handles N1'2 * N3 and the
%% two copies of N2 * N3 are identified with times-deterministic.
%theorem times-associative: forall* {N1} {N2} {N3} {N12} {N123} forall {T1:times N1 N2 N12} {T12:times N12 N3 N123} exists {N23} {T2:times N2 N3 N23} {T123:times N1 N23 N123} true.
- : {T2:times N2 N3 N23} times-associative times/z times/z N23 T2 times/z <- times-total T2.
- : {T1:times N1' N2 N1'2} {P2:plus N1'2 N2 N12} {T3:times N12 N3 N123} {T4:times N2 N3 N23} {T5:times N1' N23 N1'23} {P6:plus N1'23 N23 N123} {T7:times N1'2 N3 N1'23} times-associative (times/s T1 P2) T3 N23 T4 (times/s T5 P6) <- times-right-distributes-over-plus P2 T3 N1'23 N23 T7 T4 P6 <- times-associative T1 T7 N23' T4' T5' <- times-deterministic T4' T4 eq/ eq/ N23'=N23 <- times-respects-eq T5' eq/ N23'=N23 eq/ T5.
%worlds () (times-associative _ _ _ _ _).
%total T1 (times-associative T1 _ _ _ _).
%% Starred form: the inner product X2 * X3 = X23 is given and must be
%% matched against the one produced by times-associative.
%theorem times-associative* : forall* {X1} {X2} {X12} {X3} {X23} {X123} forall {OP12:times X1 X2 X12} {OP12-3:times X12 X3 X123} {OP23:times X2 X3 X23} exists {OP1-23:times X1 X23 X123} true.
- : times-associative* X1*X2=X3 X3*X4=X7 X2*X4=X6 X1*X6=X7 <- times-associative X1*X2=X3 X3*X4=X7 Y6 X2*X4=Y6 X1*Y6=X7 <- times-deterministic X2*X4=Y6 X2*X4=X6 eq/ eq/ Y6=X6 <- times-respects-eq X1*Y6=X7 eq/ Y6=X6 eq/ X1*X6=X7.
%worlds () (times-associative* _ _ _ _).
%total {} (times-associative* _ _ _ _).
%% Reassociation in the other direction, obtained from times-associative by
%% commuting every product before and after.
%theorem times-associative-converse : forall* {X1} {X2} {X4} {X6} {X7} forall {OP24:times X2 X4 X6} {OP16:times X1 X6 X7} exists {X3} {OP12:times X1 X2 X3} {OP34:times X3 X4 X7} true.
- : times-associative-converse X2*X4=X6 X1*X6=X7 _ X1*X2=X3 X3*X4=X7 <- times-commutative X2*X4=X6 X4*X2=X6 <- times-commutative X1*X6=X7 X6*X1=X7 <- times-associative X4*X2=X6 X6*X1=X7 _ X2*X1=X3 X4*X3=X7 <- times-commutative X2*X1=X3 X1*X2=X3 <- times-commutative X4*X3=X7 X3*X4=X7.
%worlds () (times-associative-converse X2*X4=X6 X1*X6=X7 X3 X1*X2=X3 X3*X4=X7).
%total {} (times-associative-converse _ _ _ _ _).
%% Starred converse: the product X1 * X2 = X3 is given; the one produced by
%% times-associative-converse is identified with it via times-deterministic.
%theorem times-associative-converse* : forall* {X1} {X2} {X3} {X4} {X6} {X7} forall {OP24:times X2 X4 X6} {OP16:times X1 X6 X7} {OP12:times X1 X2 X3} exists {OP34:times X3 X4 X7} true.
- : times-associative-converse* X2*X4=X6 X1*X6=X7 X1*X2=X3 X3*X4=X7 <- times-associative-converse X2*X4=X6 X1*X6=X7 X3P X1*X2=X3P X3P*X4=X7 <- times-deterministic X1*X2=X3P X1*X2=X3 eq/ eq/ X3P=X3 <- times-respects-eq X3P*X4=X7 X3P=X3 eq/ eq/ X3*X4=X7.
%worlds () (times-associative-converse* X2*X4=X6 X1*X6=X7 X1*X2=X3 X3*X4=X7).
%total {} (times-associative-converse* _ _ _ _).
%% (X1 * X2) * X4 = (X1 * X4) * X2: associate to X1 * (X2 * X4), commute
%% the inner product, and reassociate.
%theorem times-assoc-commutative* : forall* {X1} {X2} {X3} {X4} {X5} {X7} forall {OP1:times X1 X2 X3} {OP2:times X3 X4 X7} {OP3:times X1 X4 X5} exists {OP4:times X5 X2 X7} true.
- : times-assoc-commutative* X1*X2=X3 X3*X4=X7 X1*X4=X5 X5*X2=X7 <- times-associative X1*X2=X3 X3*X4=X7 X6 X2*X4=X6 X1*X6=X7 <- times-commutative X2*X4=X6 X4*X2=X6 <- times-associative-converse* X4*X2=X6 X1*X6=X7 X1*X4=X5 X5*X2=X7.
%worlds () (times-assoc-commutative* X1*X2=X3 X3*X4=X7 X1*X4=X5 X5*X2=X7).
%total {} (times-assoc-commutative* _ _ _ _).
%% Existential form of the above (X1 * X4 is produced rather than given).
%theorem times-assoc-commutative : forall* {X1} {X2} {X3} {X4} {X7} forall {OP1:times X1 X2 X3} {OP2:times X3 X4 X7} exists {X5} {OP3:times X1 X4 X5} {OP4:times X5 X2 X7} true.
- : times-assoc-commutative X1*X2=X3 X3*X4=X7 X5 X1*X4=X5 X5*X2=X7 <- times-associative X1*X2=X3 X3*X4=X7 X6 X2*X4=X6 X1*X6=X7 <- times-commutative X2*X4=X6 X4*X2=X6 <- times-associative-converse X4*X2=X6 X1*X6=X7 X5 X1*X4=X5 X5*X2=X7.
%worlds () (times-assoc-commutative X1*X2=X3 X3*X4=X7 X5 X1*X4=X5 X5*X2=X7).
%total {} (times-assoc-commutative _ _ _ _ _).
%% (A*B)*(C*D) = (A*C)*(B*D), with all four partial products given. Note
%% the binder names A+B etc. are just identifiers for the products.
%theorem times-double-associative* : forall* {A} {B} {C} {D} {A+B} {C+D} {A+C} {B+D} {X} forall {AB:times A B A+B} {CD:times C D C+D} {ABCD:times A+B C+D X} {AC:times A C A+C} {BD:times B D B+D} exists {ACBD:times A+C B+D X} true.
- : times-double-associative* X1*X2=X3 X4*X8=XC X3*XC=XF X1*X4=X5 X2*X8=XA X5*XA=XF <- times-associative X1*X2=X3 X3*XC=XF XE X2*XC=XE X1*XE=XF <- times-commutative X4*X8=XC X8*X4=XC <- times-associative-converse* X8*X4=XC X2*XC=XE X2*X8=XA XA*X4=XE <- times-commutative XA*X4=XE X4*XA=XE <- times-associative-converse* X4*XA=XE X1*XE=XF X1*X4=X5 X5*XA=XF. %worlds () (times-double-associative* X1*X2=X3 X4*X8=XC X3*XC=XF X1*X4=X5 X2*X8=XA X5*XA=XF). %total {} (times-double-associative* _ _ _ _ _ _). %theorem times-double-associative : forall* {A} {B} {C} {D} {A+B} {C+D} {X} forall {AB:times A B A+B} {CD:times C D C+D} {ABCD:times A+B C+D X} exists {A+C} {B+D} {AC:times A C A+C} {BD:times B D B+D} {ACBD:times A+C B+D X} true. - : times-double-associative X1*X2=X3 X4*X8=XC X3*XC=XF X5 XA X1*X4=X5 X2*X8=XA X5*XA=XF <- times-associative X1*X2=X3 X3*XC=XF XE X2*XC=XE X1*XE=XF <- times-commutative X4*X8=XC X8*X4=XC <- times-associative-converse X8*X4=XC X2*XC=XE XA X2*X8=XA XA*X4=XE <- times-commutative XA*X4=XE X4*XA=XE <- times-associative-converse X4*XA=XE X1*XE=XF X5 X1*X4=X5 X5*XA=XF. %worlds () (times-double-associative _ _ _ _ _ _ _ _). %total { } (times-double-associative _ _ _ _ _ _ _ _). %theorem times-right-cancels: forall* {X1} {Y1} {Z1} {X2} {Y2} {Z2} forall {T1:times X1 (s Y1) Z1} {T2:times X2 (s Y2) Z2} {EY:eq Y1 Y2} {EZ:eq Z1 Z2} exists {EX:eq X1 X2} true. - : times-right-cancels times/z times/z EY eq/ eq/. - : {T1:times X1 (s Y1) Z1'} {P1: plus Z1' (s Y1) Z1} {T2:times X2 (s Y2) Z2'} {P2: plus Z2' (s Y2) Z2} {EY: eq Y1 Y2} {EZ: eq Z1 Z2} {EX: eq X1 X2} times-right-cancels (times/s T1 P1) (times/s T2 P2) EY EZ EX' <- succ-deterministic EY EY' <- plus-right-cancels P1 P2 EY' EZ EZ' <- times-right-cancels T1 T2 EY EZ' EX <- succ-deterministic EX EX'. %worlds () (times-right-cancels X1*sY1=Z1 X2*sY2=Z2 Y1=Y2 Z1=Z2 X1=X2). %total T1 (times-right-cancels T1 _ _ _ _). 
% Variant of times-right-cancels where the shared right factor Y is given
% together with a proof Y = s Y-1; both products are rewritten with
% times-respects-eq and the base lemma is applied.
%theorem times-right-cancels*: forall* {X1} {Y} {Y-1} {Z1} {X2} {Z2} forall {T1:times X1 Y Z1} {T2:times X2 Y Z2} {EY:eq Y (s Y-1)} {EZ:eq Z1 Z2} exists {EX:eq X1 X2} true.
- : times-right-cancels* X1*Y=Z1 X2*Y=Z2 Y+ Z1=Z2 X1=X2
    <- times-respects-eq X1*Y=Z1 eq/ Y+ eq/ X1*Y+=Z1
    <- times-respects-eq X2*Y=Z2 eq/ Y+ eq/ X2*Y+=Z2
    <- times-right-cancels X1*Y+=Z1 X2*Y+=Z2 eq/ Z1=Z2 X1=X2.
%worlds () (times-right-cancels* X1*Y=Z1 X2*Y=Z2 Y+ Z1=Z2 X1=X2).
%total {} (times-right-cancels* _ _ _ _ _).

% Variant that instead requires the common product Z to be a successor.
% The two clauses cover a zero and a non-zero right factor; which one
% applies is fixed by the types the premises impose rather than by an
% explicit pattern on Y1.  Zero factor: times-right-zero gives product z,
% times-deterministic equates it with s Z-, and succ-implies-gt /
% gt-contradiction refute that, so the conclusion follows from void.
% Non-zero factor: plain times-right-cancels.
%theorem times-right-cancels**: forall* {X1} {Y1} {Z} {X2} {Y2} {Z-} forall {T1:times X1 Y1 Z} {T2:times X2 Y2 Z} {EY:eq Y1 Y2} {EZ:eq Z (s Z-)} exists {EX:eq X1 X2} true.
- : times-right-cancels** X1*0=sZ X2*0=sZ eq/ eq/ X1=X2
    <- times-right-zero _ X1*0=0
    <- times-deterministic X1*0=0 X1*0=sZ eq/ eq/ ZERO=sZ
    <- succ-implies-gt ZERO=sZ ZERO>sZ
    <- gt-contradiction ZERO>sZ F
    <- false-implies-eq F X1=X2.
- : times-right-cancels** X1*Y1-=sZ X2*Y1-=sZ eq/ eq/ X1=X2
    <- times-right-cancels X1*Y1-=sZ X2*Y1-=sZ eq/ eq/ X1=X2.
%worlds () (times-right-cancels** X1*Y1=Z X2*Y2=Z Y1=Y2 Z+ X1=X2).
%total {} (times-right-cancels** _ _ _ _ _).

% Left-factor analogue: (s X)*Y1 = Z and (s X)*Y2 = Z imply Y1 = Y2.
% Commute both products and cancel on the right.
%theorem times-left-cancels : forall* {X1} {Y1} {Z1} {X2} {Y2} {Z2} forall {T1:times (s X1) Y1 Z1} {T2:times (s X2) Y2 Z2} {E1:eq X1 X2} {E2:eq Z1 Z2} exists {F:eq Y1 Y2} true.
- : times-left-cancels SX1*Y1=Z1 SX2*Y2=Z2 X1=X2 Z1=Z2 Y1=Y2
    <- times-commutative SX1*Y1=Z1 Y1*sX1=Z1
    <- times-commutative SX2*Y2=Z2 Y2*sX2=Z2
    <- times-right-cancels Y1*sX1=Z1 Y2*sX2=Z2 X1=X2 Z1=Z2 Y1=Y2.
%worlds () (times-left-cancels SX1*Y1=Z1 SX2*Y2=Z2 X1=X2 Z1=Z2 Y1=Y2).
%total {} (times-left-cancels _ _ _ _ _).

% As times-left-cancels, with the shared left factor X given alongside a
% proof X = s X-.
%theorem times-left-cancels* : forall* {X} {Y1} {Z1} {X-} {Y2} {Z2} forall {T1:times X Y1 Z1} {T2:times X Y2 Z2} {E1:eq X (s X-)} {E2:eq Z1 Z2} exists {F:eq Y1 Y2} true.
- : times-left-cancels* X*Y1=Z1 X*Y2=Z2 X+ Z1=Z2 Y1=Y2
    <- times-commutative X*Y1=Z1 Y1*X=Z1
    <- times-commutative X*Y2=Z2 Y2*X=Z2
    <- times-right-cancels* Y1*X=Z1 Y2*X=Z2 X+ Z1=Z2 Y1=Y2.
%worlds () (times-left-cancels* X*Y1=Z1 X*Y2=Z2 X+ Z1=Z2 Y1=Y2).
%total {} (times-left-cancels* _ _ _ _ _).

%%% Strict monotonicity of times
% N1 > N2 implies (s M)*N1 > (s M)*N2.  Induction on T1 (the second
% argument).  Base case M = z: the derivation (times/s times/z plus/z)
% makes each product equal to its right factor, so GN itself is the
% answer.  Step: the partial products are strictly ordered by the
% induction hypothesis and adding N1 resp. N2 keeps the strict order
% (plus-preserves-gt*).
%theorem times-left-preserves-gt : forall* {M} {N1} {N2} {P1} {P2} forall {GN:gt N1 N2} {T1:times (s M) N1 P1} {T2:times (s M) N2 P2} exists {GP:gt P1 P2} true.
- : times-left-preserves-gt N1>N2 (times/s times/z plus/z) (times/s times/z plus/z) N1>N2.
- : times-left-preserves-gt N1>N2 (times/s (T1:times (s M) N1 X1) X1+N1=O1) (times/s (T2:times (s M) N2 X2) X2+N2=O2) O1>O2
    <- times-left-preserves-gt N1>N2 T1 T2 X1>X2
    <- plus-preserves-gt* X1>X2 N1>N2 X1+N1=O1 X2+N2=O2 O1>O2.
%worlds () (times-left-preserves-gt N1>N2 SM*N1=P1 SM*N2=P2 P1>P2).
%total T1 (times-left-preserves-gt _ T1 _ _).

% As times-left-preserves-gt with the multiplier M given alongside a
% proof M = s M-.
%theorem times-left-preserves-gt* : forall* {M} {M-} {N1} {N2} {P1} {P2} forall {GN:gt N1 N2} {T1:times M N1 P1} {T2:times M N2 P2} {M+:eq M (s M-)} exists {GP:gt P1 P2} true.
- : times-left-preserves-gt* N1>N2 M*N1=P1 M*N2=P2 M+ P1>P2
    <- times-respects-eq M*N1=P1 M+ eq/ eq/ SM-*N1=P1
    <- times-respects-eq M*N2=P2 M+ eq/ eq/ SM-*N2=P2
    <- times-left-preserves-gt N1>N2 SM-*N1=P1 SM-*N2=P2 P1>P2.
%worlds () (times-left-preserves-gt* N1>N2 M*N1=P1 M*N2=P2 M+ P1>P2).
%total {} (times-left-preserves-gt* _ _ _ _ _).

% M1 > M2 implies M1*(s N) > M2*(s N); by commutativity from the left form.
%theorem times-right-preserves-gt : forall* {M1} {M2} {N} {P1} {P2} forall {G1:gt M1 M2} {T1:times M1 (s N) P1} {T2:times M2 (s N) P2} exists {G2:gt P1 P2} true.
- : times-right-preserves-gt M1>M2 M1*sN=P1 M2*sN=P2 P1>P2
    <- times-commutative M1*sN=P1 SN*M1=P1
    <- times-commutative M2*sN=P2 SN*M2=P2
    <- times-left-preserves-gt M1>M2 SN*M1=P1 SN*M2=P2 P1>P2.
%worlds () (times-right-preserves-gt M1>M2 M1*sN=P1 M2*sN=P2 P1>P2).
%total {} (times-right-preserves-gt _ _ _ _).

% As times-right-preserves-gt with the multiplier N given alongside a
% proof N = s N-1.
%theorem times-right-preserves-gt* : forall* {M1} {M2} {N} {N-1} {P1} {P2} forall {G1:gt M1 M2} {T1:times M1 N P1} {T2:times M2 N P2} {N+:eq N (s N-1)} exists {G2:gt P1 P2} true.
- : times-right-preserves-gt* M1>M2 M1*N=P1 M2*N=P2 N=sN-1 P1>P2
    <- times-respects-eq M1*N=P1 eq/ N=sN-1 eq/ M1*N+=P1
    <- times-respects-eq M2*N=P2 eq/ N=sN-1 eq/ M2*N+=P2
    <- times-right-preserves-gt M1>M2 M1*N+=P1 M2*N+=P2 P1>P2.
%worlds () (times-right-preserves-gt* M1>M2 M1*N=P1 M2*N=P2 N=sN-1 P1>P2).
%total {} (times-right-preserves-gt* _ _ _ _ _).

% M1 > M2 and N1 > N2 imply M1*N1 > M2*N2.  Two clauses on the shape of GN.
% N2 = z: M2*z is z (times-right-zero); M1 is a successor
% (gt-implies-positive), so M1*N1 > M1*z = z by the left lemma.  The
% leading binder {0=0': eq z _} names the equation that identifies the
% given derivation's output with z.
% N2 = s N2': go through the intermediate product M1*(s N2') (obtained with
% times-total), apply the left and right monotonicity lemmas, and chain
% the two strict inequalities with gt-transitive.
%theorem times-preserves-gt : forall* {M1} {N1} {P1} {M2} {N2} {P2} forall {GM:gt M1 M2} {GN:gt N1 N2} {T1:times M1 N1 P1} {T2:times M2 N2 P2} exists {GP:gt P1 P2} true.
- : {0=0': eq z _} times-preserves-gt (M1>M2:gt M1 M2) (N1>0:gt N1 z) (M1*N1=P1:times M1 N1 P1) M2*0=0' P1>0'
    <- gt-implies-positive M1>M2 M1' M1=sM1'
    <- times-respects-eq M1*N1=P1 M1=sM1' eq/ eq/ SM1'*N1=P1
    <- times-right-zero M2 M2*0=0
    <- times-deterministic M2*0=0 M2*0=0' eq/ eq/ 0=0'
    <- times-right-zero (s M1') SM1'*0=0
    <- times-left-preserves-gt N1>0 SM1'*N1=P1 SM1'*0=0 P1>0
    <- gt-respects-eq P1>0 eq/ 0=0' P1>0'.
- : times-preserves-gt M1>M2 (N1>sN2':gt N1 (s N2')) M1*N1=P1 M2*sN2'=P2 P1>P2
    <- gt-implies-positive M1>M2 M1' M1=sM1'
    <- times-respects-eq M1*N1=P1 M1=sM1' eq/ eq/ SM1'*N1=P1
    <- times-total (SM1'*sN2'=PX:times (s M1') (s N2') _)
    <- times-left-preserves-gt N1>sN2' SM1'*N1=P1 SM1'*sN2'=PX P1>PX
    <- eq-symmetric M1=sM1' SM1'=M1
    <- times-respects-eq SM1'*sN2'=PX SM1'=M1 eq/ eq/ M1*sN2'=PX
    <- times-right-preserves-gt M1>M2 M1*sN2'=PX M2*sN2'=P2 PX>P2
    <- gt-transitive P1>PX PX>P2 P1>P2.
%worlds () (times-preserves-gt M1>M2 N1>N2 M1*N1=P1 M2*N2=P2 P1>P2).
%total {} (times-preserves-gt _ _ _ _ _).

%%% Cancellation against gt
% X1*Y = Z1, X2*Y = Z2 and Z1 > Z2 imply X1 > X2.  Simultaneous induction
% on P1 and P2 ([P1 P2]).  First clause: X2 = z, so the conclusion is
% s X1 > z.  Second clause: strip one addend Y from both sums
% (plus-right-cancels-gt), recurse on the partial products, then
% succ-preserves-gt.  No clause has P1 = times/z; presumably no gt
% derivation has z on its left, so that case is vacuous for coverage.
%theorem times-right-cancels-gt : forall* {X1:nat} {X2:nat} {Y1:nat} {Y2:nat} {Z1:nat} {Z2:nat} forall {P1:times X1 Y1 Z1} {P2:times X2 Y2 Z2} {EY:eq Y1 Y2} {G1:gt Z1 Z2} exists {G2:gt X1 X2} true.
- : times-right-cancels-gt (times/s X1*Y=N1 N1+Y=Z1) times/z eq/ Z1>0 SX1>0
    <- succ-implies-gt-zero _ SX1>0.
- : times-right-cancels-gt (times/s X1*Y=N1 N1+Y=Z1) (times/s X2*Y=N2 N2+Y=Z2) eq/ Z1>Z2 SX1>SX2
    <- plus-right-cancels-gt N1+Y=Z1 N2+Y=Z2 eq/ Z1>Z2 N1>N2
    <- times-right-cancels-gt X1*Y=N1 X2*Y=N2 eq/ N1>N2 X1>X2
    <- succ-preserves-gt X1>X2 SX1>SX2.
%worlds () (times-right-cancels-gt X1*Y1=Z1 X2*Y2=Z2 Y1=Y2 Z1>Z2 X1>X2).
%total [P1 P2] (times-right-cancels-gt P1 P2 _ _ _).

% Left-factor analogue of times-right-cancels-gt, via commutativity.
%theorem times-left-cancels-gt : forall* {X1:nat} {X2:nat} {Y1:nat} {Y2:nat} {Z1:nat} {Z2:nat} forall {P1:times X1 Y1 Z1} {P2:times X2 Y2 Z2} {EX:eq X1 X2} {G1:gt Z1 Z2} exists {G2:gt Y1 Y2} true.
- : times-left-cancels-gt X1*Y1=Z1 X2*Y2=Z2 X1=X2 Z1>Z2 Y1>Y2
    <- times-commutative X1*Y1=Z1 Y1*X1=Z1
    <- times-commutative X2*Y2=Z2 Y2*X2=Z2
    <- times-right-cancels-gt Y1*X1=Z1 Y2*X2=Z2 X1=X2 Z1>Z2 Y1>Y2.
%worlds () (times-left-cancels-gt X1*Y1=Z1 X2*Y2=Z2 X1=X2 Z1>Z2 Y1>Y2).
%total P1 (times-left-cancels-gt P1 _ _ _ _).

%%%%% nat-inv.elf
%%%%% Minus for natural numbers
%%%%% This file is part of the nat.elf signature

%%%% Definitions

% minus X1 X2 X3 abbreviates plus X3 X2 X1, i.e. X1 - X2 = X3 holds exactly
% when X3 + X2 = X1.  A minus derivation therefore IS a plus derivation:
% the clauses below name minus arguments in plus form (X3+X2=X1) and apply
% plus lemmas to them directly.  Subtraction defined this way is partial:
% there is no derivation when X2 exceeds X1.
%abbrev minus = [X1] [X2] [X3] plus X3 X2 X1.

%%%% Theorems

%%% Theorems about minus

% void implies any minus fact; identical to the plus version by unfolding.
%abbrev false-implies-minus = false-implies-plus.

% minus is compatible with eq on all three positions (eq/ forces the
% arguments to coincide, so the input derivation is returned unchanged).
%theorem minus-respects-eq : forall* {X1} {X2} {X3} {X4} {X5} {X6} forall {D:minus X1 X2 X3} {E1:eq X1 X4} {E2:eq X2 X5} {E3:eq X3 X6} exists {DP:minus X4 X5 X6} true.
- : minus-respects-eq S eq/ eq/ eq/ S.
%worlds () (minus-respects-eq _ _ _ _ _).
%total {} (minus-respects-eq _ _ _ _ _).

% Equal minuend and subtrahend give equal differences: this is right
% cancellation of the underlying sums.
%theorem minus-deterministic : forall* {X1} {X2} {X3} {X4} {X5} {X6} forall {S:minus X1 X2 X3} {SP:minus X4 X5 X6} {E1:eq X1 X4} {E2:eq X2 X5} exists {E3:eq X3 X6} true.
- : minus-deterministic X3+X2=X1 X6+X5=X4 X1=X4 X2=X5 X3=X6
    <- plus-right-cancels X3+X2=X1 X6+X5=X4 X2=X5 X1=X4 X3=X6.
%worlds () (minus-deterministic X1-X2=X3 X4-X5=X6 X1=X4 X2=X5 X3=X6).
%total {} (minus-deterministic _ _ _ _ _).
%theorem plus-associates-with-minus* : forall* {X1} {X2} {X3} {X4} {X6} {X7} forall {OP1:plus X1 X2 X3} {IOP1:minus X3 X4 X7} {IOP2:minus X2 X4 X6} exists {OP2:plus X1 X6 X7} true. - : plus-associates-with-minus* X1+X2=X3 X7+X4=X3 X6+X4=X2 X1+X6=X7 <- plus-associative-converse X6+X4=X2 X1+X2=X3 X7P X1+X6=X7P X7P+X4=X3 <- plus-right-cancels X7P+X4=X3 X7+X4=X3 eq/ eq/ X7P=X7 <- plus-respects-eq X1+X6=X7P eq/ eq/ X7P=X7 X1+X6=X7. %worlds () (plus-associates-with-minus* X1+X2=X3 X3-X4=X7 X2-X4=X6 X1+X6=X7). %total {} (plus-associates-with-minus* _ _ _ _). %theorem plus-associates-with-minus-converse* : forall* {X1} {X2} {X3} {X4} {X6} {X7} forall {IOP2:minus X2 X4 X6} {OP2:plus X1 X6 X7} {OP1:plus X1 X2 X3} exists {IOP1:minus X3 X4 X7} true. - : plus-associates-with-minus-converse* X6+X4=X2 X1+X6=X7 X1+X2=X3 X7+X4=X3 <- plus-associative-converse* X6+X4=X2 X1+X2=X3 X1+X6=X7 X7+X4=X3. %worlds () (plus-associates-with-minus-converse* X2-X4=X6 X1+X6=X7 X1+X2=X3 X3-X4=X7). %total {} (plus-associates-with-minus-converse* _ _ _ _). %theorem plus-associates-with-minus-converse : forall* {X1} {X2} {X4} {X6} {X7} forall {IOP2:minus X2 X4 X6} {OP2:plus X1 X6 X7} exists {X3} {OP1:plus X1 X2 X3} {IOP1:minus X3 X4 X7} true. - : plus-associates-with-minus-converse X6+X4=X2 X1+X6=X7 X3 X1+X2=X3 X7+X4=X3 <- plus-total X1+X2=X3 <- plus-associates-with-minus-converse* X6+X4=X2 X1+X6=X7 X1+X2=X3 X7+X4=X3. %worlds () (plus-associates-with-minus-converse X2-X4=X6 X1+X6=X7 X3 X1+X2=X3 X3-X4=X7). %total {} (plus-associates-with-minus-converse _ _ _ _ _). %theorem minus-associates-from-plus* : forall* {X1} {X2} {X3} {X4} {X6} {X7} forall {IOP1:minus X1 X2 X3} {OP1:plus X3 X4 X7} {IOP2:minus X2 X4 X6} exists {IOP3:minus X1 X6 X7} true. - : minus-associates-from-plus* X3+X2=X1 X3+X4=X7 X6+X4=X2 X7+X6=X1 <- plus-commutative X6+X4=X2 X4+X6=X2 <- plus-associative-converse* X4+X6=X2 X3+X2=X1 X3+X4=X7 X7+X6=X1. %worlds () (minus-associates-from-plus* X1-X2=X3 X3+X4=X7 X2-X4=X6 X1-X6=X7). 
%total {} (minus-associates-from-plus* _ _ _ _). %theorem minus-associates-from-plus-converse* : forall* {X1} {X2} {X3} {X4} {X6} {X7} forall {IOP2:minus X2 X4 X6} {IOP3:minus X1 X6 X7} {IOP1:minus X1 X2 X3} exists {OP1:plus X3 X4 X7} true. - : minus-associates-from-plus-converse* X6+X4=X2 X7+X6=X1 X3+X2=X1 X3+X4=X7 <- plus-commutative X6+X4=X2 X4+X6=X2 <- plus-associative-converse X4+X6=X2 X3+X2=X1 X7P X3+X4=X7P X7P+X6=X1 <- plus-right-cancels X7P+X6=X1 X7+X6=X1 eq/ eq/ X7P=X7 <- plus-respects-eq X3+X4=X7P eq/ eq/ X7P=X7 X3+X4=X7. %worlds () (minus-associates-from-plus-converse* X2-X4=X6 X1-X6=X7 X1-X2=X3 X3+X4=X7). %total {} (minus-associates-from-plus-converse* _ _ _ _). %theorem minus-associates-to-plus* : forall* {X1} {X2} {X3} {X4} {X6} {X7} forall {IOP1:minus X1 X2 X3} {IOP2:minus X3 X4 X7} {OP1:plus X2 X4 X6} exists {IOP3:minus X1 X6 X7} true. - : minus-associates-to-plus* X3+X2=X1 X7+X4=X3 X2+X4=X6 X7+X6=X1 <- plus-commutative X2+X4=X6 X4+X2=X6 <- plus-associative* X7+X4=X3 X3+X2=X1 X4+X2=X6 X7+X6=X1. %worlds () (minus-associates-to-plus* X1-X2=X3 X3-X4=X7 X2+X4=X6 X1-X6=X7). %total {} (minus-associates-to-plus* _ _ _ _). %theorem minus-associates-to-plus : forall* {X1} {X2} {X3} {X4} {X7} forall {IOP1:minus X1 X2 X3} {IOP2:minus X3 X4 X7} exists {X6} {OP1:plus X2 X4 X6} {IOP3:minus X1 X6 X7} true. - : minus-associates-to-plus X3+X2=X1 X7+X4=X3 X6 X2+X4=X6 X7+X6=X1 <- plus-associative X7+X4=X3 X3+X2=X1 X6 X4+X2=X6 X7+X6=X1 <- plus-commutative X4+X2=X6 X2+X4=X6. %worlds () (minus-associates-to-plus X1-X2=X3 X3-X4=X7 X6 X2+X4=X6 X1-X6=X7). %total {} (minus-associates-to-plus _ _ _ _ _). %theorem minus-associates-to-plus-converse* : forall* {X1} {X2} {X3} {X4} {X6} {X7} forall {OP1:plus X2 X4 X6} {IOP3:minus X1 X6 X7} {IOP1:minus X1 X2 X3} exists {IOP2:minus X3 X4 X7} true. 
- : minus-associates-to-plus-converse* X2+X4=X6 X7+X6=X1 X3+X2=X1 X7+X4=X3 <- plus-commutative X2+X4=X6 X4+X2=X6 <- plus-associative-converse X4+X2=X6 X7+X6=X1 X3P X7+X4=X3P X3P+X2=X1 <- plus-right-cancels X3P+X2=X1 X3+X2=X1 eq/ eq/ X3P=X3 <- plus-respects-eq X7+X4=X3P eq/ eq/ X3P=X3 X7+X4=X3. %worlds () (minus-associates-to-plus-converse* X2+X4=X6 X1-X6=X7 X1-X2=X3 X3-X4=X7). %total {} (minus-associates-to-plus-converse* _ _ _ _). %theorem minus-associates-to-plus-converse : forall* {X1} {X2} {X4} {X6} {X7} forall {OP1:plus X2 X4 X6} {IOP3:minus X1 X6 X7} exists {X3} {IOP1:minus X1 X2 X3} {IOP2:minus X3 X4 X7} true. - : minus-associates-to-plus-converse X2+X4=X6 X7+X6=X1 X3 X3+X2=X1 X7+X4=X3 <- plus-commutative X2+X4=X6 X4+X2=X6 <- plus-associative-converse X4+X2=X6 X7+X6=X1 X3 X7+X4=X3 X3+X2=X1. %worlds () (minus-associates-to-plus-converse X2+X4=X6 X1-X6=X7 X3 X1-X2=X3 X3-X4=X7). %total {} (minus-associates-to-plus-converse _ _ _ _ _). %theorem minus-is-zero-implies-eq : forall* {N1} {N2} {N3} forall {P:minus N1 N2 N3} {E3:eq N3 z} exists {E1:eq N1 N2} true. - : minus-is-zero-implies-eq plus/z eq/ eq/. %worlds () (minus-is-zero-implies-eq X-Y=Z Z=0 X=Y). %total {} (minus-is-zero-implies-eq _ _ _). %abbrev minus-implies-gt = plus-implies-gt. %theorem minus-left-cancels : forall* {X1} {X2} {X3} {X4} {X5} {X6} forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E1:eq X1 X4} {E3:eq X3 X6} exists {E2:eq X2 X5} true. - : minus-left-cancels X3+X2=X1 X6+X5=X4 X1=X4 X3=X6 X2=X5 <- plus-left-cancels X3+X2=X1 X6+X5=X4 X3=X6 X1=X4 X2=X5. %worlds () (minus-left-cancels X1-X2=X3 X4-X5=X6 X1=X4 X3=X6 X2=X5). %total {} (minus-left-cancels _ _ _ _ _). %theorem minus-right-cancels : forall* {X1} {X2} {X3} {X4} {X5} {X6} forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E2:eq X2 X5} {E3:eq X3 X6} exists {E1:eq X1 X4} true. - : minus-right-cancels X3+X2=X1 X6+X5=X4 X2=X5 X3=X6 X1=X4 <- plus-deterministic X3+X2=X1 X6+X5=X4 X3=X6 X2=X5 X1=X4. 
%worlds () (minus-right-cancels X1-X2=X3 X4-X5=X6 X2=X5 X3=X6 X1=X4). %total {} (minus-right-cancels _ _ _ _ _). %theorem minus-left-inverts-gt* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:gt X2 X4} {IOP1:minus X1 X2 X3} {IOP2:minus X1 X4 X5} exists {GP:gt X5 X3} true. - : minus-left-inverts-gt* X2>X4 X3+X2=X1 X5+X4=X1 X5>X3 <- plus-total X3+X4=X7 <- plus-left-preserves-gt* X2>X4 X3+X2=X1 X3+X4=X7 X1>X7 <- plus-right-cancels-gt X5+X4=X1 X3+X4=X7 eq/ X1>X7 X5>X3. %worlds () (minus-left-inverts-gt* X2>X4 X1-X2=X3 X1-X4=X5 X5>X3). %total {} (minus-left-inverts-gt* _ _ _ _). %theorem minus-right-preserves-gt* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:gt X1 X2} {IOP1:minus X1 X3 X4} {IOP2:minus X2 X3 X5} exists {GP:gt X4 X5} true. - : minus-right-preserves-gt* X1>X2 X4+X3=X1 X5+X3=X2 X4>X5 <- plus-right-cancels-gt X4+X3=X1 X5+X3=X2 eq/ X1>X2 X4>X5. %worlds () (minus-right-preserves-gt* X1>X2 X1-X3=X4 X2-X3=X5 X4>X5). %total {} (minus-right-preserves-gt* _ _ _ _). %theorem minus-left-cancels-inverts-gt : forall* {X1} {X2} {X3} {X4} {X5} {X6} forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E:eq X1 X4} {G:gt X3 X6} exists {GP:gt X5 X2} true. - : minus-left-cancels-inverts-gt X3+X2=X1 X6+X5=X4 X1=X4 X3>X6 X5>X2 <- plus-total X6+X2=X7 <- plus-right-preserves-gt* X3>X6 X3+X2=X1 X6+X2=X7 X1>X7 <- eq-symmetric X1=X4 X4=X1 <- plus-respects-eq X6+X5=X4 eq/ eq/ X4=X1 X6+X5=X1 <- plus-left-cancels-gt X6+X5=X1 X6+X2=X7 eq/ X1>X7 X5>X2. %worlds () (minus-left-cancels-inverts-gt X1-X2=X3 X4-X5=X6 X1=X4 X3>X6 X5>X2). %total {} (minus-left-cancels-inverts-gt _ _ _ _ _). %theorem minus-right-cancels-gt : forall* {X1} {X2} {X3} {X4} {X5} {X6} forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E2:eq X2 X5} {G3:gt X3 X6} exists {G1:gt X1 X4} true. - : minus-right-cancels-gt X3+X2=X1 X6+X5=X4 X2=X5 X3>X6 X1>X4 <- plus-respects-eq X3+X2=X1 eq/ X2=X5 eq/ X3+X5=X1 <- plus-right-preserves-gt* X3>X6 X3+X5=X1 X6+X5=X4 X1>X4. 
%worlds () (minus-right-cancels-gt X1-X2=X3 X4-X5=X6 X2=X5 X3>X6 X1>X4). %total {} (minus-right-cancels-gt _ _ _ _ _). %theorem times-right-distributes-over-minus : forall* {X1} {X2} {X3} {X4} {X7} forall {S12:minus X1 X2 X3} {M34:times X3 X4 X7} exists {X5} {X6} {M14:times X1 X4 X5} {M24:times X2 X4 X6} {S56:minus X5 X6 X7} true. - : times-right-distributes-over-minus X3+X2=X1 X3*X4=X7 _ _ X1*X4=X5 X2*X4=X6 X7+X6=X5 <- times-total X1*X4=X5 <- times-right-distributes-over-plus X3+X2=X1 X1*X4=X5 _ _ X3*X4=Y7 X2*X4=X6 Y7+X6=X5 <- times-deterministic X3*X4=Y7 X3*X4=X7 eq/ eq/ Y7=X7 <- plus-respects-eq Y7+X6=X5 Y7=X7 eq/ eq/ X7+X6=X5. %worlds () (times-right-distributes-over-minus X1-X2=X3 X3*X4=X7 X5 X6 X1*X4=X5 X2*X4=X6 X5-X6=X7). %total {} (times-right-distributes-over-minus _ _ _ _ _ _ _). %theorem times-right-distributes-over-minus* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {A12:minus X1 X2 X3} {M34:times X3 X4 X7} {M14:times X1 X4 X5} {M24:times X2 X4 X6} exists {A56:minus X5 X6 X7} true. - : times-right-distributes-over-minus* X1-X2=X3 X3*X4=X7 X1*X4=X5 X2*X4=X6 X5-X6=X7 <- times-right-distributes-over-minus X1-X2=X3 X3*X4=X7 Y5 Y6 X1*X4=Y5 X2*X4=Y6 Y5-Y6=X7 <- times-deterministic X1*X4=Y5 X1*X4=X5 eq/ eq/ Y5=X5 <- times-deterministic X2*X4=Y6 X2*X4=X6 eq/ eq/ Y6=X6 <- minus-respects-eq Y5-Y6=X7 Y5=X5 Y6=X6 eq/ X5-X6=X7. %worlds () (times-right-distributes-over-minus* X1-X2=X3 X3*X4=X7 X1*X4=X5 X2*X4=X6 X5-X6=X7). %total {} (times-right-distributes-over-minus* _ _ _ _ _). %theorem times-left-distributes-over-minus* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {A12:minus X2 X4 X6} {M34:times X1 X6 X7} {M14:times X1 X2 X3} {M24:times X1 X4 X5} exists {A56:minus X3 X5 X7} true. 
- : times-left-distributes-over-minus* X2-X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5 X3-X5=X7 <- times-commutative X1*X6=X7 X6*X1=X7 <- times-commutative X1*X2=X3 X2*X1=X3 <- times-commutative X1*X4=X5 X4*X1=X5 <- times-right-distributes-over-minus* X2-X4=X6 X6*X1=X7 X2*X1=X3 X4*X1=X5 X3-X5=X7. %worlds () (times-left-distributes-over-minus* X2-X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5 X3-X5=X7). %total {} (times-left-distributes-over-minus* _ _ _ _ _). %theorem times-left-distributes-over-minus : forall* {X1} {X2} {X4} {X6} {X7} forall {A12:minus X2 X4 X6} {M34:times X1 X6 X7} exists {X3} {X5} {M14:times X1 X2 X3} {M24:times X1 X4 X5} {A56:minus X3 X5 X7} true. - : times-left-distributes-over-minus X2-X4=X6 X1*X6=X7 X3 X5 X1*X2=X3 X1*X4=X5 X3-X5=X7 <- times-total X1*X2=X3 <- times-total X1*X4=X5 <- times-left-distributes-over-minus* X2-X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5 X3-X5=X7. %worlds () (times-left-distributes-over-minus X2-X4=X6 X1*X6=X7 X3 X5 X1*X2=X3 X1*X4=X5 X3-X5=X7). %total {} (times-left-distributes-over-minus _ _ _ _ _ _ _). %theorem times-right-factors-over-minus* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {M14:times X1 X4 X5} {M24:times X2 X4 X6} {A56:minus X5 X6 X7} {A12:minus X1 X2 X3} exists {M34:times X3 X4 X7} true. - : times-right-factors-over-minus* X1*X4=X5 X2*X4=X6 X5-X6=X7 X1-X2=X3 X3*X4=X7 <- times-total X3*X4=Y7 <- times-right-distributes-over-minus* X1-X2=X3 X3*X4=Y7 X1*X4=X5 X2*X4=X6 X5-X6=Y7 <- minus-deterministic X5-X6=Y7 X5-X6=X7 eq/ eq/ Y7=X7 <- times-respects-eq X3*X4=Y7 eq/ eq/ Y7=X7 X3*X4=X7. %worlds () (times-right-factors-over-minus* X1*X4=X5 X2*X4=X6 X5-X6=X7 X1-X2=X3 X3*X4=X7 ). %total {} (times-right-factors-over-minus* _ _ _ _ _). %theorem times-left-factors-over-minus* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {M12:times X1 X2 X3} {M14:times X1 X4 X5} {A35:minus X3 X5 X7} {A24:minus X2 X4 X6} exists {M16:times X1 X6 X7} true. 
- : times-left-factors-over-minus* X1*X2=X3 X1*X4=X5 X3-X5=X7 X2-X4=X6 X1*X6=X7 <- times-total X1*X6=Y7 <- times-left-distributes-over-minus* X2-X4=X6 X1*X6=Y7 X1*X2=X3 X1*X4=X5 X3-X5=Y7 <- minus-deterministic X3-X5=Y7 X3-X5=X7 eq/ eq/ Y7=X7 <- times-respects-eq X1*X6=Y7 eq/ eq/ Y7=X7 X1*X6=X7. %worlds () (times-left-factors-over-minus* X1*X2=X3 X1*X4=X5 X3-X5=X7 X2-X4=X6 X1*X6=X7). %total {} (times-left-factors-over-minus* _ _ _ _ _). %theorem times-right-factors-over-minus : forall* {Y} {Z} {XY} {XZ} {YZ} {XYZ} {Z-} forall {TXY:times XY Z XYZ} {TY:times Y Z YZ} {M:minus XYZ YZ XZ} {EZ:eq Z (s Z-)} exists {X} {M':minus XY Y X} {TX:times X Z XZ} true. % minus isn't total, so this is harder. - : times-right-factors-over-minus XY*Z=YZ Y*Z=YZ plus/z eq/ z ZERO+Y=XY times/z <- times-right-cancels* XY*Z=YZ Y*Z=YZ eq/ eq/ XY=Y <- plus-respects-eq plus/z eq/ XY=Y eq/ ZERO+Y=XY. - : times-right-factors-over-minus XY*Z=XYZ Y*Z=YZ XZ+YZ=XYZ _ (s X-) X+Y=XY X*Z=XZ %% we assume XZ is of the form (s XZ-) <- plus-implies-gt XZ+YZ=XYZ eq/ XYZ>YZ <- times-right-cancels-gt XY*Z=XYZ Y*Z=YZ eq/ XYZ>YZ XY>Y <- gt-implies-plus XY>Y X- X+Y=XY <- times-right-factors-over-minus* XY*Z=XYZ Y*Z=YZ XZ+YZ=XYZ X+Y=XY X*Z=XZ. %worlds () (times-right-factors-over-minus XY*Z=XYZ Y*Z=YZ XYZ-YZ=XZ Z+ X XY-Y=X X*Z=XZ). %total {} (times-right-factors-over-minus _ _ _ _ _ _ _). %theorem times-left-factors-over-minus : forall* {X} {Y} {Z} {XY} {XZ} {XYZ} {X-} forall {TXY:times X Y XY} {TXZ:times X Z XZ} {M:minus XY XZ XYZ} {EX:eq X (s X-)} exists {YZ} {MYZ:minus Y Z YZ} {TXYZ:times X YZ XYZ} true. - : times-left-factors-over-minus X*Y=XY X*Z=XZ XY-XZ=XYZ X=sX- YZ Y-Z=YZ X*YZ=XYZ <- times-commutative X*Y=XY Y*X=XY <- times-commutative X*Z=XZ Z*X=XZ <- times-right-factors-over-minus Y*X=XY Z*X=XZ XY-XZ=XYZ X=sX- YZ Y-Z=YZ YZ*X=XYZ <- times-commutative YZ*X=XYZ X*YZ=XYZ. %worlds () (times-left-factors-over-minus X*Y=XY X*Z=XZ XY-XZ=XYZ X=sX- YZ Y-Z=YZ X*YZ=XYZ). 
%total {} (times-left-factors-over-minus _ _ _ _ _ _ _). %%%%% nat-comp.elf %%%%% Composed relations for natural numbers %%%%% This file is part of the nat.elf signature %%%% Definitions ge : nat -> nat -> type. ge/= : ge X Y <- eq X Y. ge/> : ge X Y <- gt X Y. %%%% Theorems %%% Theorems about ge %theorem false-implies-ge : forall* {X1} {X2} forall {F:void} exists {G:ge X1 X2} true. %worlds () (false-implies-ge _ _). %total { } (false-implies-ge _ _). %theorem ge-respects-eq : forall* {X1} {X2} {Y1} {Y2} forall {D1:ge X1 X2} {E1:eq X1 Y1} {E2:eq X2 Y2} exists {D2:ge Y1 Y2} true. - : ge-respects-eq X1>=X2 eq/ eq/ X1>=X2. %worlds () (ge-respects-eq _ _ _ _). %total { } (ge-respects-eq _ _ _ _). %theorem ge-reflexive : forall {X} exists {G:ge X X} true. - : ge-reflexive _ (ge/= eq/). %worlds () (ge-reflexive X X>=X). %total {} (ge-reflexive _ _). %theorem ge-transitive: forall* {X1} {X2} {X3} forall {G1:ge X1 X2} {G2:ge X2 X3} exists {G3:ge X1 X3} true. - : ge-transitive (ge/= eq/) (ge/= eq/) (ge/= eq/). - : ge-transitive (ge/= eq/) (ge/> X>X3) (ge/> X>X3). - : ge-transitive (ge/> X1>X) (ge/= eq/) (ge/> X1>X). - : ge-transitive (ge/> X1>X2) (ge/> X2>X3) (ge/> X1>X3) <- gt-transitive X1>X2 X2>X3 X1>X3. %worlds () (ge-transitive X1>=X2 X2>=X3 X1>=X3). %total {} (ge-transitive _ _ _). %theorem ge-anti-symmetric : forall* {X1} {X2} forall {G1:ge X1 X2} {G2:ge X2 X1} exists {E:eq X1 X2} true. - : ge-anti-symmetric (ge/= eq/) _ eq/. - : ge-anti-symmetric _ (ge/= eq/) eq/. - : ge-anti-symmetric (ge/> X1>X2) (ge/> X2>X1) X1=X2 <- gt-anti-symmetric X1>X2 X2>X1 F <- false-implies-eq F X1=X2. %worlds () (ge-anti-symmetric X1>=X2 X2>=X1 X1=X2). %total {} (ge-anti-symmetric _ _ _). %theorem ge-transitive-gt: forall* {X1} {X2} {X3} forall {G1:ge X1 X2} {G2:gt X2 X3} exists {G3:gt X1 X3} true. - : ge-transitive-gt (ge/= eq/) X>X3 X>X3. - : ge-transitive-gt (ge/> X1>X2) X2>X3 X1>X3 <- gt-transitive X1>X2 X2>X3 X1>X3. %worlds () (ge-transitive-gt X1>=X2 X2>X3 X1>X3). 
%total {} (ge-transitive-gt _ _ _). %theorem gt-transitive-ge: forall* {X1} {X2} {X3} forall {G1:gt X1 X2} {G2:ge X2 X3} exists {G3:gt X1 X3} true. - : gt-transitive-ge X1>X2 (ge/= eq/) X1>X2. - : gt-transitive-ge X1>X2 (ge/> X2>X3) X1>X3 <- gt-transitive X1>X2 X2>X3 X1>X3. %worlds () (gt-transitive-ge X1>X2 X2>=X3 X1>X3). %total {} (gt-transitive-ge _ _ _). %theorem meta-ge : forall {M} {N} {G:ge M N} true. - : meta-ge _ _ (ge/= eq/). - : meta-ge _ _ (ge/> M>N) <- meta-gt _ _ M>N. %worlds () (meta-ge _ _ _). %total { } (meta-ge _ _ _). %reduces N <= M (meta-ge M N _). %theorem succ-preserves-ge : forall* {M} {N} forall {G:ge M N} exists {G':ge (s M) (s N)} true. - : succ-preserves-ge (ge/= eq/) (ge/= eq/). - : succ-preserves-ge (ge/> N>M) (ge/> N+1>M+1) <- succ-preserves-gt N>M N+1>M+1. %worlds () (succ-preserves-ge M>=N M+1>=N+1). %total {} (succ-preserves-ge _ _). %theorem succ-preserves-ge-converse : forall* {M} {N} forall {G':ge (s M) (s N)} exists {G:ge M N} true. - : succ-preserves-ge-converse (ge/= eq/) (ge/= eq/). - : succ-preserves-ge-converse (ge/> N+1>M+1) (ge/> N>M) <- succ-preserves-gt-converse N+1>M+1 N>M. %worlds () (succ-preserves-ge-converse M+1>=N+1 M>=N). %total {} (succ-preserves-ge-converse _ _). %theorem ge-succ-implies-gt : forall* {N1} {N2} forall {G:ge N1 (s N2)} exists {G':gt N1 N2} true. - : ge-succ-implies-gt (ge/= eq/) (gt/1). - : ge-succ-implies-gt (ge/> N1>sN2) N1>N2 <- gt-transitive N1>sN2 (gt/1) N1>N2. %worlds () (ge-succ-implies-gt _ _). %total { } (ge-succ-implies-gt _ _). %theorem ge-implies-succ-gt : forall* {N1} {N2} forall {G:ge N1 N2} exists {G':gt (s N1) N2} true. - : ge-implies-succ-gt N1>=N2 N1+1>N2 <- succ-preserves-ge N1>=N2 N1+1>=N2+1 <- ge-succ-implies-gt N1+1>=N2+1 N1+1>N2. %worlds () (ge-implies-succ-gt _ _). %total { } (ge-implies-succ-gt _ _). %theorem succ-gt-implies-ge : forall* {N1} {N2} forall {G:gt (s N1) N2} exists {G':ge N1 N2} true. - : succ-gt-implies-ge (gt/1) (ge/= eq/). 
- : succ-gt-implies-ge (gt/> N1>N2) (ge/> N1>N2). %worlds () (succ-gt-implies-ge _ _). %total { } (succ-gt-implies-ge _ _). %theorem gt-implies-ge-succ : forall* {N1} {N2} forall {G':gt N1 N2} exists {G:ge N1 (s N2)} true. - : gt-implies-ge-succ N1>N2 N1>=N2+1 <- succ-preserves-gt N1>N2 N1+1>N2+1 <- succ-gt-implies-ge N1+1>N2+1 N1>=N2+1. %worlds () (gt-implies-ge-succ _ _). %total { } (gt-implies-ge-succ _ _). %theorem ge-implies-plus: forall* {N1} {N2} forall {G:ge N2 N1} exists {N0} {P:plus N0 N1 N2} true. - : ge-implies-plus (ge/= eq/) z plus/z. - : ge-implies-plus (ge/> N2>N1) (s N0) P <- gt-implies-plus N2>N1 N0 P. %worlds () (ge-implies-plus N2>=N1 N0 N0+N1=N2). %total { } (ge-implies-plus _ _ _). %theorem plus-implies-ge: forall* {N0} {N1} {N2} forall {P:plus N0 N1 N2} exists {G:ge N2 N1} true. - : plus-implies-ge plus/z (ge/= eq/). - : plus-implies-ge P (ge/> N2>N1) <- plus-implies-gt P eq/ N2>N1. %worlds () (plus-implies-ge N0+N1=N2 N2>=N1). %total { } (plus-implies-ge _ _). %theorem ge-zero-always : forall {N} exists {G:ge N z} true. - : ge-zero-always _ N>=0 <- plus-right-identity _ N+0=N <- plus-implies-ge N+0=N N>=0. %worlds () (ge-zero-always _ _). %total { } (ge-zero-always _ _). %theorem nonzero-times-implies-ge : forall* {N0} {N1} {N2} forall {P:times (s N0) N1 N2} exists {G:ge N2 N1} true. - : nonzero-times-implies-ge (times/s _ X+N1=N2) N2>=N1 <- plus-implies-ge X+N1=N2 N2>=N1. %worlds () (nonzero-times-implies-ge N0*N1=N2 N2>=N1). %total { } (nonzero-times-implies-ge _ _). %theorem times-nonzero-implies-ge : forall* {N0} {N1} {N2} forall {P:times N0 (s N1) N2} exists {G:ge N2 N0} true. - : times-nonzero-implies-ge A*B=C C>=A <- times-commutative A*B=C B*A=C <- nonzero-times-implies-ge B*A=C C>=A. %worlds () (times-nonzero-implies-ge _ _). %total { } (times-nonzero-implies-ge _ _). %theorem non-trivial-times-implies-much-gt* : forall* {N1} {N2} {N3} forall {D:times (s (s N1)) (s (s N2)) N3} exists {G:gt N3 (s (s (s N1)))} true. 
- : non-trivial-times-implies-much-gt* (times/s (times/s N1*ssN2=P1 P1+ssN2=P2) P2+ssN2=N3) N3>sssN1 <- times-nonzero-implies-ge N1*ssN2=P1 P1>=N1 <- succ-preserves-ge P1>=N1 SP1>=sN1 <- plus-swap-succ-converse P1+ssN2=P2 SP1+sN2=P2 <- plus-commutative SP1+sN2=P2 SN2+sP1=P2 <- plus-implies-gt SN2+sP1=P2 eq/ P2>sP1 <- gt-transitive-ge P2>sP1 SP1>=sN1 P2>sN1 <- succ-preserves-gt P2>sN1 SP2>ssN1 <- gt-implies-ge-succ SP2>ssN1 SP2>=sssN1 <- plus-commutative P2+ssN2=N3 SSN2+P2=N3 <- plus-swap-succ SSN2+P2=N3 SN2+sP2=N3 <- plus-implies-gt SN2+sP2=N3 eq/ N3>sP2 <- gt-transitive-ge N3>sP2 SP2>=sssN1 N3>sssN1. %worlds () (non-trivial-times-implies-much-gt* _ _). %total { } (non-trivial-times-implies-much-gt* _ _). %theorem non-trivial-times-implies-much-gt : forall* {N1} {N2} {N3} forall {D:times (s (s N1)) (s (s N2)) N3} exists {G1:gt N3 (s (s (s N1)))} {G2:gt N3 (s (s (s N2)))} true. - : non-trivial-times-implies-much-gt T G1 G2 <- non-trivial-times-implies-much-gt* T G1 <- times-commutative T Tc <- non-trivial-times-implies-much-gt* Tc G2. %worlds () (non-trivial-times-implies-much-gt _ _ _). %total { } (non-trivial-times-implies-much-gt _ _ _). %theorem plus-left-preserves-ge* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:ge X2 X4} {OP1:plus X1 X2 X3} {OP2:plus X1 X4 X5} exists {G2:ge X3 X5} true. - : plus-left-preserves-ge* (ge/= eq/) X1+X2=X3 X1+X2=X5 (ge/= X3=X5) <- plus-deterministic X1+X2=X3 X1+X2=X5 eq/ eq/ X3=X5. - : plus-left-preserves-ge* (ge/> X2>X4) X1+X2=X3 X1+X4=X5 (ge/> X3>X5) <- plus-left-preserves-gt* X2>X4 X1+X2=X3 X1+X4=X5 X3>X5. %worlds () (plus-left-preserves-ge* X2>=X4 X1+X2=X3 X1+X4=X5 X3>=X5). %total {} (plus-left-preserves-ge* _ _ _ _). %theorem plus-left-cancels-ge : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E1:eq X1 Y1} {G3:ge X3 Y3} exists {G2:ge X2 Y2} true. - : plus-left-cancels-ge X1+X2=X3 X1+Y2=X3 eq/ (ge/= eq/) (ge/= X2=Y2) <- plus-left-cancels X1+X2=X3 X1+Y2=X3 eq/ eq/ X2=Y2. 
- : plus-left-cancels-ge X1+X2=X3 X1+Y2=Y3 eq/ (ge/> X3>Y3) (ge/> X2>Y2) <- plus-left-cancels-gt X1+X2=X3 X1+Y2=Y3 eq/ X3>Y3 X2>Y2. %worlds () (plus-left-cancels-ge X1+X2=X3 Y1+Y2=Y3 X1=Y1 X3>=Y3 X2>=Y2). %total {} (plus-left-cancels-ge _ _ _ _ _). %theorem plus-left-preserves-ge : forall* {X1} {X2} {X4} forall {G:ge X2 X4} exists {X3} {X5} {O1:plus X1 X2 X3} {O2:plus X1 X4 X5} {G2:ge X3 X5} true. - : plus-left-preserves-ge X2>=X4 X3 X5 X1+X2=A3 X1+X4=X5 X3>=X5 <- plus-total X1+X2=A3 <- plus-total X1+X4=X5 <- plus-left-preserves-ge* X2>=X4 X1+X2=A3 X1+X4=X5 X3>=X5. %worlds () (plus-left-preserves-ge X2>=X4 X3 X5 X1+X2=A3 X1+X4=X5 X3>=X5). %total {} (plus-left-preserves-ge _ _ _ _ _ _). %theorem plus-right-preserves-ge* : forall* {X1} {X2} {X3} {X4} {X5} forall {G1:ge X1 X2} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} exists {G2:ge X4 X5} true. - : plus-right-preserves-ge* X1>=X2 X1+X3=X4 X2+X3=X5 X4>=X5 <- plus-commutative X1+X3=X4 X3+X1=X4 <- plus-commutative X2+X3=X5 X3+X2=X5 <- plus-left-preserves-ge* X1>=X2 X3+X1=X4 X3+X2=X5 X4>=X5. %worlds () (plus-right-preserves-ge* X1>=X2 X1+X3=X4 X2+X3=X5 X4>=X5). %total {} (plus-right-preserves-ge* _ _ _ _). %theorem plus-right-preserves-ge : forall* {X1} {X2} {X3} forall {G1:ge X1 X2} exists {X4} {X5} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} {G2:ge X4 X5} true. - : plus-right-preserves-ge X1>=X2 X4 X5 X1+X3=X4 X2+X3=X5 X4>=X5 <- plus-total X1+X3=X4 <- plus-total X2+X3=X5 <- plus-right-preserves-ge* X1>=X2 X1+X3=X4 X2+X3=X5 X4>=X5. %worlds () (plus-right-preserves-ge X1>=X2 X4 X5 X1+X3=X4 X2+X3=X5 X4>=X5). %total {} (plus-right-preserves-ge _ _ _ _ _ _). %theorem plus-preserves-ge* : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {G1:ge X1 Y1} {G2:ge X2 Y2} {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3} exists {G3:ge X3 Y3} true. 
% Proof of plus-preserves-ge* (declared just above): X1+X2 >= Y1+X2 by
% the right lemma, Y1+X2 >= Y1+Y2 by the left lemma, then transitivity.
- : plus-preserves-ge* X1>=Y1 X2>=Y2 X1+X2=X3 Y1+Y2=Y3 X3>=Y3
    <- plus-total Y1+X2=X
    <- plus-right-preserves-ge* X1>=Y1 X1+X2=X3 Y1+X2=X X3>=X
    <- plus-left-preserves-ge* X2>=Y2 Y1+X2=X Y1+Y2=Y3 X>=Y3
    <- ge-transitive X3>=X X>=Y3 X3>=Y3.
%worlds () (plus-preserves-ge* X1>=Y1 X2>=Y2 X1+X2=X3 Y1+Y2=Y3 X3>=Y3).
%total {} (plus-preserves-ge* _ _ _ _ _).

% Existential form of plus-preserves-ge*.
%theorem plus-preserves-ge : forall* {X1} {X2} {Y1} {Y2} forall {G1:ge X1 Y1} {G2:ge X2 Y2} exists {X3} {Y3} {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3} {G3:ge X3 Y3} true.
- : plus-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3>=Y3
    <- plus-total X1+X2=X3
    <- plus-total Y1+Y2=Y3
    <- plus-preserves-ge* X1>=Y1 X2>=Y2 X1+X2=X3 Y1+Y2=Y3 X3>=Y3.
%worlds () (plus-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3>=Y3).
%total {} (plus-preserves-ge _ _ _ _ _ _ _).

% Right cancellation for ge: X1+X2 >= Y1+Y2 with X2 = Y2 gives X1 >= Y1.
% Reduced to left cancellation by commuting both sums.
%theorem plus-right-cancels-ge : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E2:eq X2 Y2} {G3:ge X3 Y3} exists {G1:ge X1 Y1} true.
- : plus-right-cancels-ge X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3>=Y3 X1>=Y1
    <- plus-commutative X1+X2=X3 X2+X1=X3
    <- plus-commutative Y1+Y2=Y3 Y2+Y1=Y3
    <- plus-left-cancels-ge X2+X1=X3 Y2+Y1=Y3 X2=Y2 X3>=Y3 X1>=Y1.
%worlds () (plus-right-cancels-ge X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3>=Y3 X1>=Y1).
%total {} (plus-right-cancels-ge _ _ _ _ _).

% Times preserves ge only because multiplying with zero yields equality.
% (Multiplying by the same X1 on the left: X2 >= X4 gives X1*X2 >= X1*X4.
% The explicit times/z case handles X1 = z, where both products are z and
% the gt lemma used in the strict case would not apply.)
%theorem times-left-preserves-ge* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:ge X2 X4} {OP1:times X1 X2 X3} {OP2:times X1 X4 X5} exists {G2:ge X3 X5} true.
- : times-left-preserves-ge* _ times/z times/z (ge/= eq/).
- : times-left-preserves-ge* (ge/= eq/) X1*X2=X3 X1*X2=X5 (ge/= X3=X5)
    <- times-deterministic X1*X2=X3 X1*X2=X5 eq/ eq/ X3=X5.
- : times-left-preserves-ge* (ge/> X2>X4) X1*X2=X3 X1*X4=X5 (ge/> X3>X5)
    <- times-left-preserves-gt X2>X4 X1*X2=X3 X1*X4=X5 X3>X5.
%worlds () (times-left-preserves-ge* X2>=X4 X1*X2=X3 X1*X4=X5 X3>=X5).
%total {} (times-left-preserves-ge* _ _ _ _).
% Existential form of times-left-preserves-ge*: both products are built
% with times-total and then compared.
%theorem times-left-preserves-ge : forall* {X1} {X2} {X4} forall {G:ge X2 X4} exists {X3} {X5} {O1:times X1 X2 X3} {O2:times X1 X4 X5} {G2:ge X3 X5} true.
- : times-left-preserves-ge X2>=X4 X3 X5 X1*X2=A3 X1*X4=X5 X3>=X5
    <- times-total X1*X2=A3
    <- times-total X1*X4=X5
    <- times-left-preserves-ge* X2>=X4 X1*X2=A3 X1*X4=X5 X3>=X5.
%worlds () (times-left-preserves-ge X2>=X4 X3 X5 X1*X2=A3 X1*X4=X5 X3>=X5).
%total {} (times-left-preserves-ge _ _ _ _ _ _).

% Multiplying by the same X3 on the right preserves ge; reduced to the
% left lemma by commuting both products.
%theorem times-right-preserves-ge* : forall* {X1} {X2} {X3} {X4} {X5} forall {G1:ge X1 X2} {O1:times X1 X3 X4} {O2:times X2 X3 X5} exists {G2:ge X4 X5} true.
- : times-right-preserves-ge* X1>=X2 X1*X3=X4 X2*X3=X5 X4>=X5
    <- times-commutative X1*X3=X4 X3*X1=X4
    <- times-commutative X2*X3=X5 X3*X2=X5
    <- times-left-preserves-ge* X1>=X2 X3*X1=X4 X3*X2=X5 X4>=X5.
%worlds () (times-right-preserves-ge* X1>=X2 X1*X3=X4 X2*X3=X5 X4>=X5).
%total {} (times-right-preserves-ge* _ _ _ _).

% Existential form of times-right-preserves-ge*.
%theorem times-right-preserves-ge : forall* {X1} {X2} {X3} forall {G1:ge X1 X2} exists {X4} {X5} {O1:times X1 X3 X4} {O2:times X2 X3 X5} {G2:ge X4 X5} true.
- : times-right-preserves-ge X1>=X2 X4 X5 X1*X3=X4 X2*X3=X5 X4>=X5
    <- times-total X1*X3=X4
    <- times-total X2*X3=X5
    <- times-right-preserves-ge* X1>=X2 X1*X3=X4 X2*X3=X5 X4>=X5.
%worlds () (times-right-preserves-ge X1>=X2 X4 X5 X1*X3=X4 X2*X3=X5 X4>=X5).
%total {} (times-right-preserves-ge _ _ _ _ _ _).

%%%% Definitions

% Inequality on naturals, defined as strict order in either direction.
% NOTE(review): ne, eq? and the theorems false-implies-ne / ne-respects-eq
% are also declared for bool earlier in this concatenated signature; in a
% single signature the later declarations shadow the earlier ones --
% confirm the two libraries are loaded in separate signatures or that the
% shadowing is intended.
ne : nat -> nat -> type.
ne/< : ne X Y <- gt Y X.
ne/> : ne X Y <- gt X Y.

% Decidable equality test: eq? X Y true iff X = Y, eq? X Y false iff ne X Y.
eq? : nat -> nat -> bool -> type.
eq?/yes : eq? X X true.
eq?/no : eq? X Y false <- ne X Y.

%%%% Theorems

%%% Theorems about ne

% From a contradiction anything follows; no cases, so coverage is vacuous.
%theorem false-implies-ne : forall* {X1} {X2} forall {F:void} exists {G:ne X1 X2} true.
%worlds () (false-implies-ne _ _).
%total { } (false-implies-ne _ _).

% ne is compatible with eq on both arguments (eq has only eq/, so the
% derivation is reused unchanged).
%theorem ne-respects-eq : forall* {X1} {X2} {Y1} {Y2} forall {D1:ne X1 X2} {E1:eq X1 Y1} {E2:eq X2 Y2} exists {D2:ne Y1 Y2} true.
- : ne-respects-eq X1<>X2 eq/ eq/ X1<>X2.
%worlds () (ne-respects-eq _ _ _ _).
%total { } (ne-respects-eq _ _ _ _).

% ne X X is contradictory, because gt is anti-reflexive.
% NOTE(review): the page text here is damaged -- "(ne/< X X>X)" is not a
% well-formed pattern, and only one of the two constructor cases
% (ne/<, ne/>) survives. It looks like everything between a "<" and the
% next ">" was stripped (HTML-style) during extraction; consult the
% original nat.elf before trusting or re-checking this block.
%theorem ne-anti-reflexive : forall* {X} forall {R:ne X X} exists {F:void} true.
- : ne-anti-reflexive (ne/< X X>X) F
    <- gt-anti-reflexive X>X F.
%worlds () (ne-anti-reflexive X<>X _).
%total {} (ne-anti-reflexive _ _).

% ne is symmetric: swap the constructor, keep the gt derivation.
% NOTE(review): same extraction damage as above -- the two cases have
% been merged into one ill-formed clause; do not rely on this text.
%theorem ne-symmetric : forall* {X} {Y} forall {R1:ne X Y} exists {R2:ne Y X} true.
- : ne-symmetric (ne/< X X X>Y) (ne/< X>Y).
%worlds () (ne-symmetric X<>Y Y<>X).
%total {} (ne-symmetric _ _).

% eq and ne on the same pair are jointly contradictory.
%theorem eq-ne-implies-false : forall* {X} {Y} forall {D1:eq X Y} {D2:ne X Y} exists {F:void} true.
- : eq-ne-implies-false eq/ X<>X F
    <- ne-anti-reflexive X<>X F.
%worlds () (eq-ne-implies-false X=Y X<>Y _).
%total {} (eq-ne-implies-false _ _ _).

% ge together with ne strengthens to gt; the equal case is contradictory.
%theorem ge-ne-implies-gt : forall* {X} {Y} forall {D1:ge X Y} {D2:ne X Y} exists {D3:gt X Y} true.
- : ge-ne-implies-gt (ge/> X>Y) _ X>Y.
- : ge-ne-implies-gt (ge/= eq/) X<>X X>X
    <- ne-anti-reflexive X<>X F
    <- false-implies-gt F X>X.
%worlds () (ge-ne-implies-gt X>=Y X<>Y X>Y).
%total {} (ge-ne-implies-gt _ _ _).

% eq? is total: every pair of naturals is decided. The /L helper does a
% case split on the three-way comparison.
% NOTE(review): the /L helper visibly lacks a case -- "(compare/< X X>Y)"
% is not a well-formed pattern and the compare/> case is missing; this is
% the same "<...>" extraction loss as above, so the text as shown would
% not pass coverage checking.
%theorem eq?-total* : forall {M} {N} exists {B} {T:eq? M N B} true.
%theorem eq?-total*/L : forall* {M} {N} {C} forall {CMP:compare M N C} exists {B} {T:eq? M N B} true.
- : eq?-total*/L compare/= true eq?/yes.
- : eq?-total*/L (compare/< X X>Y) false (eq?/no (ne/> X>Y)).
%worlds () (eq?-total*/L _ _ _).
%total { } (eq?-total*/L _ _ _).
- : eq?-total* M N B T
    <- compare-total CMP
    <- eq?-total*/L CMP B T.
%worlds () (eq?-total* _ _ _ _).
%total { } (eq?-total* _ _ _ _).
%abbrev eq?-total = eq?-total* _ _ _.

% ne is preserved by successor on both sides.
%theorem succ-preserves-ne : forall* {M} {N} forall {D:ne M N} exists {D':ne (s M) (s N)} true.
- : succ-preserves-ne (ne/< N>M) (ne/< N+1>M+1)
    <- succ-preserves-gt N>M N+1>M+1.
- : succ-preserves-ne (ne/> N>M) (ne/> N+1>M+1)
    <- succ-preserves-gt N>M N+1>M+1.
%worlds () (succ-preserves-ne M<>N M+1<>N+1).
%total {} (succ-preserves-ne _ _).

% Converse: ne (s M) (s N) implies ne M N (proof in the next chunk).
%theorem succ-preserves-ne-converse : forall* {M} {N} forall {D':ne (s M) (s N)} exists {D:ne M N} true.
% Proof of succ-preserves-ne-converse (declared just above): strip the
% successor from the underlying gt derivation in either direction.
- : succ-preserves-ne-converse (ne/< N+1>M+1) (ne/< N>M)
    <- succ-preserves-gt-converse N+1>M+1 N>M.
- : succ-preserves-ne-converse (ne/> N+1>M+1) (ne/> N>M)
    <- succ-preserves-gt-converse N+1>M+1 N>M.
%worlds () (succ-preserves-ne-converse M+1<>N+1 M<>N).
%total {} (succ-preserves-ne-converse _ _).

% Adding the same left operand preserves ne: X2 <> X4 gives X1+X2 <> X1+X4.
% Each direction is the corresponding gt lemma with the sums swapped as
% needed.
%theorem plus-left-preserves-ne* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:ne X2 X4} {OP1:plus X1 X2 X3} {OP2:plus X1 X4 X5} exists {G2:ne X3 X5} true.
- : plus-left-preserves-ne* (ne/< X4>X2) X1+X2=X3 X1+X4=X5 (ne/< X5>X3)
    <- plus-left-preserves-gt* X4>X2 X1+X4=X5 X1+X2=X3 X5>X3.
- : plus-left-preserves-ne* (ne/> X2>X4) X1+X2=X3 X1+X4=X5 (ne/> X3>X5)
    <- plus-left-preserves-gt* X2>X4 X1+X2=X3 X1+X4=X5 X3>X5.
%worlds () (plus-left-preserves-ne* X2<>X4 X1+X2=X3 X1+X4=X5 X3<>X5).
%total {} (plus-left-preserves-ne* _ _ _ _).

% Left cancellation for ne: X1+X2 <> Y1+Y2 with X1 = Y1 gives X2 <> Y2.
%theorem plus-left-cancels-ne : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E1:eq X1 Y1} {G3:ne X3 Y3} exists {G2:ne X2 Y2} true.
- : plus-left-cancels-ne X1+X2=X3 X1+Y2=Y3 eq/ (ne/< Y3>X3) (ne/< Y2>X2)
    <- plus-left-cancels-gt X1+Y2=Y3 X1+X2=X3 eq/ Y3>X3 Y2>X2.
- : plus-left-cancels-ne X1+X2=X3 X1+Y2=Y3 eq/ (ne/> X3>Y3) (ne/> X2>Y2)
    <- plus-left-cancels-gt X1+X2=X3 X1+Y2=Y3 eq/ X3>Y3 X2>Y2.
%worlds () (plus-left-cancels-ne X1+X2=X3 Y1+Y2=Y3 X1=Y1 X3<>Y3 X2<>Y2).
%total {} (plus-left-cancels-ne _ _ _ _ _).

% Existential form of plus-left-preserves-ne*.
%theorem plus-left-preserves-ne : forall* {X1} {X2} {X4} forall {G:ne X2 X4} exists {X3} {X5} {O1:plus X1 X2 X3} {O2:plus X1 X4 X5} {G2:ne X3 X5} true.
- : plus-left-preserves-ne X2<>X4 X3 X5 X1+X2=A3 X1+X4=X5 X3<>X5
    <- plus-total X1+X2=A3
    <- plus-total X1+X4=X5
    <- plus-left-preserves-ne* X2<>X4 X1+X2=A3 X1+X4=X5 X3<>X5.
%worlds () (plus-left-preserves-ne X2<>X4 X3 X5 X1+X2=A3 X1+X4=X5 X3<>X5).
%total {} (plus-left-preserves-ne _ _ _ _ _ _).

% Adding the same right operand preserves ne (proof in the next chunk).
%theorem plus-right-preserves-ne* : forall* {X1} {X2} {X3} {X4} {X5} forall {G1:ne X1 X2} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} exists {G2:ne X4 X5} true.
% Proof of plus-right-preserves-ne* (declared just above): commute both
% sums and use the left lemma.
- : plus-right-preserves-ne* X1<>X2 X1+X3=X4 X2+X3=X5 X4<>X5
    <- plus-commutative X1+X3=X4 X3+X1=X4
    <- plus-commutative X2+X3=X5 X3+X2=X5
    <- plus-left-preserves-ne* X1<>X2 X3+X1=X4 X3+X2=X5 X4<>X5.
%worlds () (plus-right-preserves-ne* X1<>X2 X1+X3=X4 X2+X3=X5 X4<>X5).
%total {} (plus-right-preserves-ne* _ _ _ _).

% Existential form of plus-right-preserves-ne*.
%theorem plus-right-preserves-ne : forall* {X1} {X2} {X3} forall {G1:ne X1 X2} exists {X4} {X5} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} {G2:ne X4 X5} true.
- : plus-right-preserves-ne X1<>X2 X4 X5 X1+X3=X4 X2+X3=X5 X4<>X5
    <- plus-total X1+X3=X4
    <- plus-total X2+X3=X5
    <- plus-right-preserves-ne* X1<>X2 X1+X3=X4 X2+X3=X5 X4<>X5.
%worlds () (plus-right-preserves-ne X1<>X2 X4 X5 X1+X3=X4 X2+X3=X5 X4<>X5).
%total {} (plus-right-preserves-ne _ _ _ _ _ _).

% Right cancellation for ne, reduced to left cancellation by commuting.
%theorem plus-right-cancels-ne : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E2:eq X2 Y2} {G3:ne X3 Y3} exists {G1:ne X1 Y1} true.
- : plus-right-cancels-ne X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3<>Y3 X1<>Y1
    <- plus-commutative X1+X2=X3 X2+X1=X3
    <- plus-commutative Y1+Y2=Y3 Y2+Y1=Y3
    <- plus-left-cancels-ne X2+X1=X3 Y2+Y1=Y3 X2=Y2 X3<>Y3 X1<>Y1.
%worlds () (plus-right-cancels-ne X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3<>Y3 X1<>Y1).
%total {} (plus-right-cancels-ne _ _ _ _ _).

%%%%% nat-less.elf
%%%%% Inverse relations for natural numbers
%%%%% This file is part of the nat.elf signature

%%%% Definitions

% lt is not a new family: it is gt with the arguments flipped, so every
% lt lemma below is a thin wrapper around the matching gt lemma.
%abbrev lt = [X] [Y] gt Y X.

%%%% Theorems about lt

%theorem false-implies-lt : forall* {X1} {X2} forall {F:void} exists {G:lt X1 X2} true.
%worlds () (false-implies-lt _ _).
%total { } (false-implies-lt _ _).

% NOTE(review): the page text from here to lt-anti-symmetric is damaged --
% the proof case of lt-respects-eq, its %worlds/%total, and the
% declaration of lt-anti-symmetric have been spliced into one fragment
% ("X1X1 X1>X2 R <- gt-anti-symmetric ..."). This is consistent with
% "<...>" spans having been stripped during extraction (the lost text
% started at "X1<X2"); consult the original nat-less.elf.
%theorem lt-respects-eq : forall* {X1} {X2} {Y1} {Y2} forall {D1:lt X1 X2} {E1:eq X1 Y1} {E2:eq X2 Y2} exists {D2:lt Y1 Y2} true.
- : lt-respects-eq X1X1 X1>X2 R
    <- gt-anti-symmetric X1>X2 X2>X1 R.
%worlds () (lt-anti-symmetric _ _ _).
%total {} (lt-anti-symmetric _ _ _).

% lt is transitive (proof in the next chunk, where the text is also
% damaged).
%theorem lt-transitive : forall* {X1} {X2} {X3} forall {G1:lt X1 X2} {G2:lt X2 X3} exists {G3:lt X1 X3} true.
% NOTE(review): this whole stretch of the page is heavily damaged. The
% proof of lt-transitive, the plus-*-lt lemmas, the definition of le and
% several le lemmas have been spliced together wherever a "<" occurred
% (every "<...>" span appears to have been stripped during extraction:
% "X1X2", "X2X3", "X3=X1" are the remnants). Only the fragments that
% still parse are annotated below; none of this text should be fed to
% Twelf as-is -- take it from the original nat-less.elf.
- : lt-transitive X1X2 X1+X2=X3 X1+X4=X5 X5>X3
    <- plus-left-preserves-gt* X4>X2 X1+X4=X5 X1+X2=X3 X5>X3.
%worlds () (plus-left-preserves-lt* X2X3 Y2>X2
    <- plus-left-cancels-gt X1+Y2=X3 X1+X2=X3 eq/ Y3>X3 Y2>X2.
%worlds () (plus-left-cancels-lt X1+X2=X3 Y1+Y2=Y3 X1=Y1 X3=X1 X1>=X2 R
    <- ge-anti-symmetric X1>=X2 X2>=X1 R.
%worlds () (le-anti-symmetric _ _ _).
%total {} (le-anti-symmetric _ _ _).

% le is transitive. The argument order in the ge-transitive call reflects
% that le X Y is ge Y X (the %abbrev for le was lost in the damage above).
%theorem le-transitive : forall* {X1} {X2} {X3} forall {G1:le X1 X2} {G2:le X2 X3} exists {G3:le X1 X3} true.
- : le-transitive X1<=X2 X2<=X3 X1<=X3
    <- ge-transitive X2<=X3 X1<=X2 X1<=X3.
%worlds () (le-transitive X1<=X2 X2<=X3 X1<=X3).
%total {} (le-transitive _ _ _).
%abbrev le-reflexive = ge-reflexive.

% le followed by lt gives lt.
%theorem le-transitive-lt: forall* {X1} {X2} {X3} forall {L1:le X1 X2} {L2:lt X2 X3} exists {L3:lt X1 X3} true.
- : le-transitive-lt X2>=X1 X3>X2 X3>X1
    <- gt-transitive-ge X3>X2 X2>=X1 X3>X1.
% NOTE(review): the %worlds of le-transitive-lt, and the declaration and
% part of the proof of lt-transitive-le / plus-left-preserves-le*, are
% fused into the next two fragments by the same extraction damage.
%worlds () (le-transitive-lt X1<=X2 X2X1 X3>=X2 X3>X1
    <- ge-transitive-gt X3>=X2 X2>X1 X3>X1.
%worlds () (lt-transitive-le X1=X2 X1+X2=X3 X1+X4=X5 X5>=X3
    <- plus-left-preserves-ge* X4>=X2 X1+X4=X5 X1+X2=X3 X5>=X3.
%worlds () (plus-left-preserves-le* X2<=X4 X1+X2=X3 X1+X4=X5 X3<=X5).
%total {} (plus-left-preserves-le* _ _ _ _).

% Left cancellation for le, as the flipped ge cancellation.
%theorem plus-left-cancels-le : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E1:eq X1 Y1} {R3:le X3 Y3} exists {R2:le X2 Y2} true.
- : plus-left-cancels-le X1+X2=X3 X1+Y2=X3 eq/ Y3>=X3 Y2>=X2
    <- plus-left-cancels-ge X1+Y2=X3 X1+X2=X3 eq/ Y3>=X3 Y2>=X2.
%worlds () (plus-left-cancels-le X1+X2=X3 Y1+Y2=Y3 X1=Y1 X3<=Y3 X2<=Y2).
%total {} (plus-left-cancels-le _ _ _ _ _).

% Existential form of plus-left-preserves-le* (its %worlds/%total follow
% in the next chunk).
%theorem plus-left-preserves-le : forall* {X1} {X2} {X4} forall {G:le X2 X4} exists {X3} {X5} {O1:plus X1 X2 X3} {O2:plus X1 X4 X5} {G2:le X3 X5} true.
- : plus-left-preserves-le X2<=X4 X3 X5 X1+X2=A3 X1+X4=X5 X3<=X5
    <- plus-total X1+X2=A3
    <- plus-total X1+X4=X5
    <- plus-left-preserves-le* X2<=X4 X1+X2=A3 X1+X4=X5 X3<=X5.
% Coverage/termination for plus-left-preserves-le (proof case above).
%worlds () (plus-left-preserves-le X2<=X4 X3 X5 X1+X2=A3 X1+X4=X5 X3<=X5).
%total {} (plus-left-preserves-le _ _ _ _ _ _).

% Adding the same right operand preserves le; commute and use the left lemma.
%theorem plus-right-preserves-le* : forall* {X1} {X2} {X3} {X4} {X5} forall {G1:le X1 X2} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} exists {G2:le X4 X5} true.
- : plus-right-preserves-le* X1<=X2 X1+X3=X4 X2+X3=X5 X4<=X5
    <- plus-commutative X1+X3=X4 X3+X1=X4
    <- plus-commutative X2+X3=X5 X3+X2=X5
    <- plus-left-preserves-le* X1<=X2 X3+X1=X4 X3+X2=X5 X4<=X5.
%worlds () (plus-right-preserves-le* X1<=X2 X1+X3=X4 X2+X3=X5 X4<=X5).
%total {} (plus-right-preserves-le* _ _ _ _).

% Existential form of plus-right-preserves-le*.
%theorem plus-right-preserves-le : forall* {X1} {X2} {X3} forall {G1:le X1 X2} exists {X4} {X5} {O1:plus X1 X3 X4} {O2:plus X2 X3 X5} {G2:le X4 X5} true.
- : plus-right-preserves-le X1<=X2 X4 X5 X1+X3=X4 X2+X3=X5 X4<=X5
    <- plus-total X1+X3=X4
    <- plus-total X2+X3=X5
    <- plus-right-preserves-le* X1<=X2 X1+X3=X4 X2+X3=X5 X4<=X5.
%worlds () (plus-right-preserves-le X1<=X2 X4 X5 X1+X3=X4 X2+X3=X5 X4<=X5).
%total {} (plus-right-preserves-le _ _ _ _ _ _).

% Monotonicity of plus in both arguments for le, via the intermediate
% sum Y1+X2 (mirrors plus-preserves-ge*).
%theorem plus-preserves-le* : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {G1:le X1 Y1} {G2:le X2 Y2} {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3} exists {G3:le X3 Y3} true.
- : plus-preserves-le* X1<=Y1 X2<=Y2 X1+X2=X3 Y1+Y2=Y3 X3<=Y3
    <- plus-total Y1+X2=X
    <- plus-right-preserves-le* X1<=Y1 X1+X2=X3 Y1+X2=X X3<=X
    <- plus-left-preserves-le* X2<=Y2 Y1+X2=X Y1+Y2=Y3 X<=Y3
    <- le-transitive X3<=X X<=Y3 X3<=Y3.
%worlds () (plus-preserves-le* X1<=Y1 X2<=Y2 X1+X2=X3 Y1+Y2=Y3 X3<=Y3).
%total {} (plus-preserves-le* _ _ _ _ _).

% Existential form of plus-preserves-le* (its %total is in the next chunk).
%theorem plus-preserves-le : forall* {X1} {X2} {Y1} {Y2} forall {G1:le X1 Y1} {G2:le X2 Y2} exists {X3} {Y3} {MX:plus X1 X2 X3} {MY:plus Y1 Y2 Y3} {G3:le X3 Y3} true.
- : plus-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3<=Y3
    <- plus-total X1+X2=X3
    <- plus-total Y1+Y2=Y3
    <- plus-preserves-le* X1<=Y1 X2<=Y2 X1+X2=X3 Y1+Y2=Y3 X3<=Y3.
%worlds () (plus-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1+X2=X3 Y1+Y2=Y3 X3<=Y3).
%total {} (plus-preserves-le _ _ _ _ _ _ _).

% Right cancellation for le, reduced to left cancellation by commuting.
%theorem plus-right-cancels-le : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {OP1:plus X1 X2 X3} {OP2:plus Y1 Y2 Y3} {E2:eq X2 Y2} {G3:le X3 Y3} exists {G1:le X1 Y1} true.
- : plus-right-cancels-le X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3<=Y3 X1<=Y1
    <- plus-commutative X1+X2=X3 X2+X1=X3
    <- plus-commutative Y1+Y2=Y3 Y2+Y1=Y3
    <- plus-left-cancels-le X2+X1=X3 Y2+Y1=Y3 X2=Y2 X3<=Y3 X1<=Y1.
%worlds () (plus-right-cancels-le X1+X2=X3 Y1+Y2=Y3 X2=Y2 X3<=Y3 X1<=Y1).
%total {} (plus-right-cancels-le _ _ _ _ _).

% Multiplying by the same left operand preserves le: this is the ge lemma
% with the two products swapped (le X Y is ge Y X).
%theorem times-left-preserves-le* : forall* {X1} {X2} {X3} {X4} {X5} forall {R1:le X2 X4} {OP1:times X1 X2 X3} {OP2:times X1 X4 X5} exists {R2:le X3 X5} true.
- : times-left-preserves-le* X4>=X2 X1*X2=X3 X1*X4=X5 X5>=X3
    <- times-left-preserves-ge* X4>=X2 X1*X4=X5 X1*X2=X3 X5>=X3.
%worlds () (times-left-preserves-le* X2<=X4 X1*X2=X3 X1*X4=X5 X3<=X5).
%total {} (times-left-preserves-le* _ _ _ _).

% Existential form of times-left-preserves-le*.
%theorem times-left-preserves-le : forall* {X1} {X2} {X4} forall {G:le X2 X4} exists {X3} {X5} {O1:times X1 X2 X3} {O2:times X1 X4 X5} {G2:le X3 X5} true.
- : times-left-preserves-le X2<=X4 X3 X5 X1*X2=A3 X1*X4=X5 X3<=X5
    <- times-total X1*X2=A3
    <- times-total X1*X4=X5
    <- times-left-preserves-le* X2<=X4 X1*X2=A3 X1*X4=X5 X3<=X5.
%worlds () (times-left-preserves-le X2<=X4 X3 X5 X1*X2=A3 X1*X4=X5 X3<=X5).
%total {} (times-left-preserves-le _ _ _ _ _ _).

% Multiplying by the same right operand preserves le; commute both
% products and use the left lemma.
%theorem times-right-preserves-le* : forall* {X1} {X2} {X3} {X4} {X5} forall {G1:le X1 X2} {O1:times X1 X3 X4} {O2:times X2 X3 X5} exists {G2:le X4 X5} true.
- : times-right-preserves-le* X1<=X2 X1*X3=X4 X2*X3=X5 X4<=X5
    <- times-commutative X1*X3=X4 X3*X1=X4
    <- times-commutative X2*X3=X5 X3*X2=X5
    <- times-left-preserves-le* X1<=X2 X3*X1=X4 X3*X2=X5 X4<=X5.
%worlds () (times-right-preserves-le* X1<=X2 X1*X3=X4 X2*X3=X5 X4<=X5).
%total {} (times-right-preserves-le* _ _ _ _).
% Existential form of times-right-preserves-le*.
%theorem times-right-preserves-le : forall* {X1} {X2} {X3} forall {G1:le X1 X2} exists {X4} {X5} {O1:times X1 X3 X4} {O2:times X2 X3 X5} {G2:le X4 X5} true.
- : times-right-preserves-le X1<=X2 X4 X5 X1*X3=X4 X2*X3=X5 X4<=X5
    <- times-total X1*X3=X4
    <- times-total X2*X3=X5
    <- times-right-preserves-le* X1<=X2 X1*X3=X4 X2*X3=X5 X4<=X5.
%worlds () (times-right-preserves-le X1<=X2 X4 X5 X1*X3=X4 X2*X3=X5 X4<=X5).
%total {} (times-right-preserves-le _ _ _ _ _ _).

% Monotonicity of times in both arguments for le, via the intermediate
% product Y1*X2 (same shape as plus-preserves-le*).
%theorem times-preserves-le* : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {G1:le X1 Y1} {G2:le X2 Y2} {MX:times X1 X2 X3} {MY:times Y1 Y2 Y3} exists {G3:le X3 Y3} true.
- : times-preserves-le* X1<=Y1 X2<=Y2 X1*X2=X3 Y1*Y2=Y3 X3<=Y3
    <- times-total Y1*X2=X
    <- times-right-preserves-le* X1<=Y1 X1*X2=X3 Y1*X2=X X3<=X
    <- times-left-preserves-le* X2<=Y2 Y1*X2=X Y1*Y2=Y3 X<=Y3
    <- le-transitive X3<=X X<=Y3 X3<=Y3.
%worlds () (times-preserves-le* X1<=Y1 X2<=Y2 X1*X2=X3 Y1*Y2=Y3 X3<=Y3).
%total {} (times-preserves-le* _ _ _ _ _).

% Existential form of times-preserves-le*.
%theorem times-preserves-le : forall* {X1} {X2} {Y1} {Y2} forall {G1:le X1 Y1} {G2:le X2 Y2} exists {X3} {Y3} {MX:times X1 X2 X3} {MY:times Y1 Y2 Y3} {G3:le X3 Y3} true.
- : times-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1*X2=X3 Y1*Y2=Y3 X3<=Y3
    <- times-total X1*X2=X3
    <- times-total Y1*Y2=Y3
    <- times-preserves-le* X1<=Y1 X2<=Y2 X1*X2=X3 Y1*Y2=Y3 X3<=Y3.
%worlds () (times-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1*X2=X3 Y1*Y2=Y3 X3<=Y3).
%total {} (times-preserves-le _ _ _ _ _ _ _).

%%%%% nat-inv-comp.elf
%%%%% Theorems about minus and composed relations
%%%%% This file is part of the nat.elf signature

%%%% Theorems

%%% Theorems about minus

% Throughout this section a derivation of minus X1 X2 X3 is passed
% directly to plus lemmas as a derivation of plus X3 X2 X1 (see the
% pattern names like X3+X2=X1), so minus is evidently an abbreviation of
% plus with permuted arguments -- its definition is outside this chunk.

% Subtracting a larger number from the same X1 gives a smaller result:
% X2 >= X4 implies X1-X4 >= X1-X2 (note the inverted conclusion).
% Proof: X1 = X3+X2 >= X3+X4, and X1 = X5+X4, so cancel X4 on the right.
%theorem minus-left-inverts-ge* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:ge X2 X4} {IOP1:minus X1 X2 X3} {IOP2:minus X1 X4 X5} exists {GP:ge X5 X3} true.
- : minus-left-inverts-ge* X2>=X4 X3+X2=X1 X5+X4=X1 X5>=X3
    <- plus-total X3+X4=X7
    <- plus-left-preserves-ge* X2>=X4 X3+X2=X1 X3+X4=X7 X1>=X7
    <- plus-right-cancels-ge X5+X4=X1 X3+X4=X7 eq/ X1>=X7 X5>=X3.
%worlds () (minus-left-inverts-ge* X2>=X4 X1-X2=X3 X1-X4=X5 X5>=X3).
%total {} (minus-left-inverts-ge* _ _ _ _).

% Subtracting the same X3 preserves ge: X1 >= X2 implies X1-X3 >= X2-X3.
% Direct right cancellation on X4+X3 = X1 and X5+X3 = X2.
%theorem minus-right-preserves-ge* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:ge X1 X2} {IOP1:minus X1 X3 X4} {IOP2:minus X2 X3 X5} exists {GP:ge X4 X5} true.
- : minus-right-preserves-ge* X1>=X2 X4+X3=X1 X5+X3=X2 X4>=X5
    <- plus-right-cancels-ge X4+X3=X1 X5+X3=X2 eq/ X1>=X2 X4>=X5.
%worlds () (minus-right-preserves-ge* X1>=X2 X1-X3=X4 X2-X3=X5 X4>=X5).
%total {} (minus-right-preserves-ge* _ _ _ _).

% Cancel the minuend: X1 = X4 and X1-X2 >= X4-X5 imply X5 >= X2
% (again the conclusion is inverted). Proof rewrites X4 to X1 with
% plus-respects-eq so that both sums share the left operand X6.
%theorem minus-left-cancels-inverts-ge : forall* {X1} {X2} {X3} {X4} {X5} {X6} forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E:eq X1 X4} {G:ge X3 X6} exists {GP:ge X5 X2} true.
- : minus-left-cancels-inverts-ge X3+X2=X1 X6+X5=X4 X1=X4 X3>=X6 X5>=X2
    <- plus-total X6+X2=X7
    <- plus-right-preserves-ge* X3>=X6 X3+X2=X1 X6+X2=X7 X1>=X7
    <- eq-symmetric X1=X4 X4=X1
    <- plus-respects-eq X6+X5=X4 eq/ eq/ X4=X1 X6+X5=X1
    <- plus-left-cancels-ge X6+X5=X1 X6+X2=X7 eq/ X1>=X7 X5>=X2.
%worlds () (minus-left-cancels-inverts-ge X1-X2=X3 X4-X5=X6 X1=X4 X3>=X6 X5>=X2).
%total {} (minus-left-cancels-inverts-ge _ _ _ _ _).

% Cancel the subtrahend: X2 = X5 and X1-X2 >= X4-X5 imply X1 >= X4.
%theorem minus-right-cancels-ge : forall* {X1} {X2} {X3} {X4} {X5} {X6} forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E2:eq X2 X5} {G3:ge X3 X6} exists {G1:ge X1 X4} true.
- : minus-right-cancels-ge X3+X2=X1 X6+X5=X4 X2=X5 X3>=X6 X1>=X4
    <- plus-respects-eq X3+X2=X1 eq/ X2=X5 eq/ X3+X5=X1
    <- plus-right-preserves-ge* X3>=X6 X3+X5=X1 X6+X5=X4 X1>=X4.
%worlds () (minus-right-cancels-ge X1-X2=X3 X4-X5=X6 X2=X5 X3>=X6 X1>=X4).
%total {} (minus-right-cancels-ge _ _ _ _ _).

% Subtracting different numbers from the same X1 gives different results
% (proof in the next chunk).
%theorem minus-left-preserves-ne* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:ne X2 X4} {IOP1:minus X1 X2 X3} {IOP2:minus X1 X4 X5} exists {GP:ne X3 X5} true.
% Proof of minus-left-preserves-ne* (declared just above): same shape as
% minus-left-inverts-ge*, followed by ne-symmetric to orient the result.
- : minus-left-preserves-ne* X2<>X4 X3+X2=X1 X5+X4=X1 X3<>X5
    <- plus-total X3+X4=X7
    <- plus-left-preserves-ne* X2<>X4 X3+X2=X1 X3+X4=X7 X1<>X7
    <- plus-right-cancels-ne X5+X4=X1 X3+X4=X7 eq/ X1<>X7 X5<>X3
    <- ne-symmetric X5<>X3 X3<>X5.
%worlds () (minus-left-preserves-ne* X2<>X4 X1-X2=X3 X1-X4=X5 X3<>X5).
%total {} (minus-left-preserves-ne* _ _ _ _).

% Subtracting the same X3 from different numbers gives different results.
%theorem minus-right-preserves-ne* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:ne X1 X2} {IOP1:minus X1 X3 X4} {IOP2:minus X2 X3 X5} exists {GP:ne X4 X5} true.
- : minus-right-preserves-ne* X1<>X2 X4+X3=X1 X5+X3=X2 X4<>X5
    <- plus-right-cancels-ne X4+X3=X1 X5+X3=X2 eq/ X1<>X2 X4<>X5.
%worlds () (minus-right-preserves-ne* X1<>X2 X1-X3=X4 X2-X3=X5 X4<>X5).
%total {} (minus-right-preserves-ne* _ _ _ _).

% Cancel the minuend for ne: X1 = X4 and X1-X2 <> X4-X5 imply X2 <> X5.
%theorem minus-left-cancels-ne : forall* {X1} {X2} {X3} {X4} {X5} {X6} forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E:eq X1 X4} {G:ne X3 X6} exists {GP:ne X2 X5} true.
- : minus-left-cancels-ne X3+X2=X1 X6+X5=X4 X1=X4 X3<>X6 X2<>X5
    <- plus-total X6+X2=X7
    <- plus-right-preserves-ne* X3<>X6 X3+X2=X1 X6+X2=X7 X1<>X7
    <- eq-symmetric X1=X4 X4=X1
    <- plus-respects-eq X6+X5=X4 eq/ eq/ X4=X1 X6+X5=X1
    <- plus-left-cancels-ne X6+X5=X1 X6+X2=X7 eq/ X1<>X7 X5<>X2
    <- ne-symmetric X5<>X2 X2<>X5.
%worlds () (minus-left-cancels-ne X1-X2=X3 X4-X5=X6 X1=X4 X3<>X6 X2<>X5).
%total {} (minus-left-cancels-ne _ _ _ _ _).

% Cancel the subtrahend for ne: X2 = X5 and X1-X2 <> X4-X5 imply X1 <> X4.
%theorem minus-right-cancels-ne : forall* {X1} {X2} {X3} {X4} {X5} {X6} forall {IOP1:minus X1 X2 X3} {IOP2:minus X4 X5 X6} {E2:eq X2 X5} {G3:ne X3 X6} exists {G1:ne X1 X4} true.
- : minus-right-cancels-ne X3+X2=X1 X6+X5=X4 X2=X5 X3<>X6 X1<>X4
    <- plus-respects-eq X3+X2=X1 eq/ X2=X5 eq/ X3+X5=X1
    <- plus-right-preserves-ne* X3<>X6 X3+X5=X1 X6+X5=X4 X1<>X4.
%worlds () (minus-right-cancels-ne X1-X2=X3 X4-X5=X6 X2=X5 X3<>X6 X1<>X4).
%total {} (minus-right-cancels-ne _ _ _ _ _).
%%%%% nat-inv-less.elf
%%%%% Theorems about minus and inverted relations
%%%%% This file is part of the nat.elf signature

%%%% Theorems

%%% Theorems about minus

% NOTE(review): the page text is badly damaged here. After the
% declaration of minus-left-inverts-lt*, everything up to the type
% declaration of divrem -- its proof, the remaining minus/lt and minus/le
% lemmas, the divrem file header, and the name and first two "nat ->" of
% the divrem signature -- has been collapsed into the single fragment
% "X2 nat -> nat -> nat -> type." This matches "<...>" spans being
% stripped during extraction (the loss starts at "X2<X4"). As shown, the
% family divrem is never declared, so divrem/z and divrem/s below would
% not even type-check; take this file from the original sources.
%theorem minus-left-inverts-lt* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:lt X2 X4} {IOP1:minus X1 X2 X3} {IOP2:minus X1 X4 X5} exists {GP:lt X5 X3} true.
- : minus-left-inverts-lt* X2 nat -> nat -> nat -> type.

% divrem M N Q R: M divided by N is Q with remainder R.
% Division by zero is excluded by construction: divrem/z requires
% gt N M, so N is at least 1, and divrem/s only accepts a divisor of the
% form s N-. divrem-implies-positive (next chunk) states this as a theorem.
% divrem/z: M < N, quotient z, remainder M.
divrem/z : divrem M N z M
    <- gt N M.
% divrem/s: M = D + (s N-), and D divides as Q with remainder R, so M
% divides as s Q with the same remainder.
divrem/s : divrem M (s N-) (s Q) R
    <- plus D (s N-) M
    <- divrem D (s N-) Q R.

%%%% Theorems

%%% Theorems about divrem

%theorem false-implies-divrem : forall* {M} {N} {Q} {R} forall {F:void} exists {D:divrem M N Q R} true.
%worlds () (false-implies-divrem _ M/N=Q,R).
%total {} (false-implies-divrem _ _).

% divrem is compatible with eq on all four arguments.
%theorem divrem-respects-eq : forall* {M} {N} {Q} {R} {M'} {N'} {Q'} {R'} forall {D:divrem M N Q R} {E1:eq M M'} {E2:eq N N'} {E3:eq Q Q'} {E4:eq R R'} exists {D':divrem M' N' Q' R'} true.
- : divrem-respects-eq D eq/ eq/ eq/ eq/ D.
%worlds () (divrem-respects-eq M/N=Q,R M=M' N=N' Q=Q' R=R' M'/N'=Q',R').
%total {} (divrem-respects-eq _ _ _ _ _ _).

% Totality of divrem for a positive divisor s N-1, by case analysis on
% compare M N-1. The termination argument is on M (%total (M)); the
% greater case establishes M > D via plus-implies-gt before recursing on
% D, which is what lets the checker accept the recursive call.
%theorem divrem-total** : forall {M} {N-1} {C} {CMP:compare M N-1 C} exists {Q} {R} {D:divrem M (s N-1) Q R} true.
% M = N-1 < s N-1: quotient z, remainder M.
- : divrem-total** M N-1 equal CMP z M (divrem/z N>M)
    <- equal-implies-eq CMP M=N-1
    <- succ-implies-gt eq/ N>N-1
    <- eq-symmetric M=N-1 N-1=M
    <- gt-respects-eq N>N-1 eq/ N-1=M N>M.
% M < N-1 < s N-1: quotient z, remainder M.
- : divrem-total** M N-1 less CMP z M (divrem/z N>M)
    <- less-implies-lt CMP N-1>M
    <- succ-implies-gt eq/ N>N-1
    <- gt-transitive N>N-1 N-1>M N>M.
% M > N-1, i.e. M >= s N-1: subtract the divisor and recurse on D < M.
- : divrem-total** M N-1 greater CMP (s Q) R (divrem/s D/N=Q,R D+N=M)
    <- greater-implies-gt CMP M>N-1
    <- gt-implies-plus M>N-1 D SD+N-1=M
    <- plus-swap-succ SD+N-1=M D+N=M
    <- plus-commutative D+N=M N+D=M
    <- plus-implies-gt N+D=M eq/ M>D
    <- meta-gt M D M>D
    <- compare-total* D N-1 C' CMP'
    <- divrem-total** D N-1 C' CMP' Q R D/N=Q,R.
%worlds () (divrem-total** M N-1 C MCN Q R M/N=Q,R).
%total (M) (divrem-total** M _ _ _ _ _ _).
% Totality of divrem for any positive divisor: compare first, then use
% divrem-total**. (No totality result exists for divisor z -- see the
% divrem constructors.)
%theorem divrem-total* : forall {M} {N-} exists {Q} {R} {D:divrem M (s N-) Q R} true.
- : divrem-total* M N-1 Q R M/N=Q,R
    <- compare-total* M N-1 C CMP
    <- divrem-total** M N-1 C CMP Q R M/N=Q,R.
%worlds () (divrem-total* M N-1 Q R M/N=Q,R).
%total {} (divrem-total* _ _ _ _ _).
%abbrev divrem-total = divrem-total* _ _ _ _.

% Quotient and remainder are unique for equal dividend and divisor.
% Induction on the first derivation (%total (D)).
%theorem divrem-deterministic : forall* {M} {N} {Q} {R} {M'} {N'} {Q'} {R'} forall {D:divrem M N Q R} {D':divrem M' N' Q' R'} {E1:eq M M'} {E2:eq N N'} exists {E3:eq Q Q'} {E4:eq R R'} true.
% Both base cases: Q = Q' = z and R = R' = M by unification.
- : divrem-deterministic (divrem/z _) (divrem/z _) eq/ eq/ eq/ eq/.
% Both step cases: cancel the divisor to get D = D', then use the IH.
- : divrem-deterministic (divrem/s D/N=Q,R D+N=M) (divrem/s D'/N=Q',R' D'+N=M) eq/ eq/ SQ=SQ' R=R'
    <- plus-right-cancels D+N=M D'+N=M eq/ eq/ D=D'
    <- divrem-deterministic D/N=Q,R D'/N=Q',R' D=D' eq/ Q=Q' R=R'
    <- succ-deterministic Q=Q' SQ=SQ'.
%% contradiction cases: a base case needs N > M while a step case needs
%% M = D + N >= N, so the two cannot describe the same M and N.
- : divrem-deterministic (divrem/z N>M) (divrem/s _ D+N=M) eq/ eq/ Q=Q' R=R'
    <- plus-commutative D+N=M N+D=M
    <- plus-gt-contradiction N+D=M N>M F
    <- false-implies-eq F Q=Q'
    <- false-implies-eq F R=R'.
- : divrem-deterministic (divrem/s _ D+N=M) (divrem/z N>M) eq/ eq/ Q=Q' R=R'
    <- plus-commutative D+N=M N+D=M
    <- plus-gt-contradiction N+D=M N>M F
    <- false-implies-eq F Q=Q'
    <- false-implies-eq F R=R'.
%worlds () (divrem-deterministic M/N=Q,R M'/N'=Q'/R' M=M' N=N' Q=Q' R=R').
%total (D) (divrem-deterministic D _ _ _ _ _).

% Any divrem derivation has a positive divisor (no division by zero):
% the base case gets it from gt N M, the step case from the s N- pattern.
%theorem divrem-implies-positive : forall* {M} {N} {Q} {R} forall {D:divrem M N Q R} exists {N-1} {E:eq N (s N-1)} true.
- : divrem-implies-positive (divrem/z N>M) N-1 N=sN-1
    <- gt-implies-positive N>M N-1 N=sN-1.
- : divrem-implies-positive (divrem/s _ _) _ eq/.
%worlds () (divrem-implies-positive M/N=Q,R N-1 N=sN-1).
%total {} (divrem-implies-positive _ _ _).

% The remainder is strictly smaller than the divisor. Induction on D
% (its %total is in the next chunk).
%theorem divrem-implies-gt : forall* {M} {N} {Q} {R} forall {D:divrem M N Q R} exists {G:gt N R} true.
- : divrem-implies-gt (divrem/z N>M) N>M.
- : divrem-implies-gt (divrem/s D/N=Q,R _) N>R
    <- divrem-implies-gt D/N=Q,R N>R.
%worlds () (divrem-implies-gt M/N=Q,R N>R).
%total D (divrem-implies-gt D _).

% A remainder can never be >= the divisor: plus N X R together with a
% divrem for that N and R is contradictory (N > R and R >= N).
%theorem divrem-contradiction : forall* {M} {N} {Q} {R} {X} forall {D:divrem M N Q R} {P:plus N X R} exists {F:void} true.
- : divrem-contradiction D P F
    <- divrem-implies-gt D N>R
    <- plus-commutative P Pc
    <- plus-implies-ge Pc R>=N
    <- gt-transitive-ge N>R R>=N N>N
    <- gt-anti-reflexive N>N F.
%worlds () (divrem-contradiction _ _ _).
%total { } (divrem-contradiction _ _ _).

% Soundness of divrem: M = Q*N + R. Induction on D; the step case
% reassociates (Q*N + R) + N as (Q*N + N) + R.
%theorem divrem-can-be-inverted : forall* {M} {N} {Q} {R} forall {D:divrem M N Q R} exists {X} {T:times Q N X} {P:plus X R M} true.
- : divrem-can-be-inverted (divrem/z _) z times/z plus/z.
- : divrem-can-be-inverted (divrem/s D/N=Q,R D+N=M) X (times/s Q*N=Y Y+N=X) X+R=M
    <- divrem-can-be-inverted D/N=Q,R Y Q*N=Y Y+R=D
    <- plus-commutative Y+R=D R+Y=D
    <- plus-associative R+Y=D D+N=M X Y+N=X R+X=M
    <- plus-commutative R+X=M X+R=M.
%worlds () (divrem-can-be-inverted M/N=Q,R X Q*N=X X+R=M).
%total (D) (divrem-can-be-inverted D _ _ _).

% Special case with remainder z: M = Q*N exactly.
%theorem div-can-be-inverted : forall* {M} {N} {Q} forall {D:divrem M N Q z} exists {T:times Q N M} true.
- : div-can-be-inverted (divrem/z _) times/z.
- : div-can-be-inverted (divrem/s D/N=Q,z D+N=M) (times/s Q*N=D D+N=M)
    <- div-can-be-inverted D/N=Q,z Q*N=D.
%worlds () (div-can-be-inverted _ _).
%total (D) (div-can-be-inverted D _).

% Completeness of divrem: Q*N + R = M with R < N yields a divrem
% derivation. Induction on T (its %total is in the next chunk). The last
% case covers N = z, where gt z R is impossible.
%theorem divrem-can-be-constructed : forall* {M} {N} {Q} {R} {X} forall {T:times Q N X} {P:plus X R M} {G:gt N R} exists {D:divrem M N Q R} true.
- : divrem-can-be-constructed (times/z) (plus/z) N>R (divrem/z N>R).
- : divrem-can-be-constructed (times/s Q*N=Y Y+N=X) X+R=M N>R (divrem/s Z/N=Q,R Z+N=M)
    <- plus-commutative Y+N=X N+Y=X
    <- plus-associative N+Y=X X+R=M Z Y+R=Z N+Z=M
    <- plus-commutative N+Z=M Z+N=M
    <- divrem-can-be-constructed Q*N=Y Y+R=Z N>R Z/N=Q,R.
- : divrem-can-be-constructed _ _ ZERO>R D
    <- gt-contradiction ZERO>R F
    <- false-implies-divrem F D.
%worlds () (divrem-can-be-constructed Q*N=X X+R=M N>R M/N=Q,R).
%total (T) (divrem-can-be-constructed T _ _ _).

% Exact division: Q * (s N) = M yields divrem M (s N) Q z.
%theorem div-can-be-constructed : forall* {M} {N} {Q} forall {T:times Q (s N) M} exists {D:divrem M (s N) Q z} true.
- : div-can-be-constructed (times/z) (divrem/z N+1>0)
    <- succ-implies-gt-zero _ N+1>0.
- : div-can-be-constructed (times/s Q*sN=D D+sN=M) (divrem/s D/sN=Q,z D+sN=M)
    <- div-can-be-constructed Q*sN=D D/sN=Q,z.
%worlds () (div-can-be-constructed _ _).
%total (T) (div-can-be-constructed T _).

% A non-zero remainder forces the dividend to exceed the quotient.
% Base case: M = s R > z = Q. Step: M > D > Q by IH, so M > s Q.
%theorem remainder-implies-gt-quotient : forall* {M} {N} {Q} {R} forall {D:divrem M N Q (s R)} exists {G:gt M Q} true.
- : remainder-implies-gt-quotient (divrem/z _) R+1>0
    <- succ-implies-gt-zero _ R+1>0.
- : remainder-implies-gt-quotient (divrem/s D/N=Q,sR D+N=M) M>sQ
    <- remainder-implies-gt-quotient D/N=Q,sR D>Q
    <- gt-implies-ge-succ D>Q D>=sQ
    <- plus-commutative D+N=M N+D=M
    <- plus-implies-gt N+D=M eq/ M>D
    <- gt-transitive-ge M>D D>=sQ M>sQ.
%worlds () (remainder-implies-gt-quotient _ _).
%total (D) (remainder-implies-gt-quotient D _).

% Dividing a positive M by a divisor >= 2 gives a strictly smaller
% quotient. First case: the result type gt M Q unified with a gt (s _) z
% derivation, i.e. it covers Q = z. Second case: M = Q*N + R >= Q*N > Q*1
% because N > 1 (times-left-preserves-gt presumably requires a non-zero
% Q, which is what makes the two cases complementary -- confirm against
% its declaration, which is outside this chunk).
%theorem quotient-of-nonzero-is-smaller : forall* {M} {N} {Q} {R} {M-} forall {DR:divrem M (s (s N)) Q R} {EN:eq M (s M-)} exists {G:gt M Q} true.
- : quotient-of-nonzero-is-smaller _ eq/ M>0
    <- succ-implies-gt-zero _ M>0.
- : quotient-of-nonzero-is-smaller M/N=Q,R eq/ M>Q
    <- divrem-can-be-inverted M/N=Q,R X Q*N=X X+R=M
    <- times-right-identity _ Q*1=Q
    <- succ-implies-gt-zero _ N->0
    <- succ-preserves-gt N->0 N>1
    <- times-left-preserves-gt N>1 Q*N=X Q*1=Q X>Q
    <- plus-commutative X+R=M R+X=M
    <- plus-implies-ge R+X=M M>=X
    <- ge-transitive-gt M>=X X>Q M>Q.
%worlds () (quotient-of-nonzero-is-smaller _ _ _).
%total { } (quotient-of-nonzero-is-smaller _ _ _).

% The quotient never exceeds the dividend (proof in the next chunk).
% Style: the exists-binder is named "ge", the same as the type family it
% inhabits; a name like G would read more clearly.
%theorem quotient-is-no-greater : forall* {M} {N} {Q} {R} forall {DR:divrem M N Q R} exists {ge:ge M Q} true.
% Proof of quotient-is-no-greater (declared just above):
% M = Q*N + R >= Q*N >= Q*1 = Q, using N >= 1 from divrem-implies-positive.
- : quotient-is-no-greater M/N=Q,R M>=Q
    <- divrem-can-be-inverted M/N=Q,R X Q*N=X X+R=M
    <- divrem-implies-positive M/N=Q,R NN N=NN+1
    <- eq-symmetric N=NN+1 NN+1=N
    <- succ-implies-gt-zero NN NN+1>0
    <- gt-respects-eq NN+1>0 NN+1=N eq/ N>0
    <- gt-implies-ge-succ N>0 N>=1
    <- times-right-identity _ Q*1=Q
    <- times-left-preserves-ge* N>=1 Q*N=X Q*1=Q X>=Q
    <- plus-commutative X+R=M R+X=M
    <- plus-implies-ge R+X=M M>=X
    <- ge-transitive M>=X X>=Q M>=Q.
%worlds () (quotient-is-no-greater _ _).
%total { } (quotient-is-no-greater _ _).

%%%%% minmax.elf
%%%%% Minimum and Maximum functor
%%%%% John Boyland

%%%% Definitions

% min X1 X2 X3: X3 is the smaller of X1 and X2. The three constructors
% are mutually exclusive (equal / X1 > X2 / X2 > X1); min-deterministic
% below proves that the overlapping-looking cases are contradictory.
min : nat -> nat -> nat -> type.
min/= : min X X X.
min/> : gt X1 X2 -> min X1 X2 X2.
min/< : gt X2 X1 -> min X1 X2 X1.

% max X1 X2 X3: X3 is the larger of X1 and X2, same case structure as min.
max : nat -> nat -> nat -> type.
max/= : max X X X.
max/> : gt X1 X2 -> max X1 X2 X1.
max/< : gt X2 X1 -> max X1 X2 X2.

%%%% Theorems

%%% Theorems about min

%theorem false-implies-min : forall* {X1} {X2} {X3} forall {F:void} exists {M:min X1 X2 X3} true.
%worlds () (false-implies-min _ _).
%total { } (false-implies-min _ _).

% min is compatible with eq on all three arguments.
%theorem min-respects-eq : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {MX:min X1 X2 X3} {E1:eq X1 Y1} {E2:eq X2 Y2} {E3:eq X3 Y3} exists {MY:min Y1 Y2 Y3} true.
- : min-respects-eq M eq/ eq/ eq/ M.
%worlds () (min-respects-eq _ _ _ _ _).
%total { } (min-respects-eq _ _ _ _ _).

% Totality of min, by case analysis on a three-way comparison.
%theorem min-total** : forall* {X1} {X2} {C} forall {D:compare X1 X2 C} exists {X3} {M:min X1 X2 X3} true.
- : min-total** compare/= _ min/=.
- : min-total** (compare/> X1>X2) _ (min/> X1>X2).
- : min-total** (compare/< X2>X1) _ (min/< X2>X1).
%worlds () (min-total** _ _ _).
%total { } (min-total** _ _ _).

%theorem min-total* : forall {X1} {X2} exists {X3} {M:min X1 X2 X3} true.
- : min-total* X1 X2 X3 M
    <- compare-total D
    <- min-total** D X3 M.
%worlds () (min-total* _ _ _ _).
%total { } (min-total* _ _ _ _).
%abbrev min-total = min-total* _ _ _.
% min is a function of its first two arguments. Cases mixing min/= with
% a strict constructor close by unification alone (both results are the
% shared X); the two cases with opposite strict orders are refuted via
% gt-anti-symmetric.
%theorem min-deterministic : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {MX:min X1 X2 X3} {MY:min Y1 Y2 Y3} {E1:eq X1 Y1} {E2:eq X2 Y2} exists {E3:eq X3 Y3} true.
- : min-deterministic (min/=) (min/=) eq/ eq/ eq/.
- : min-deterministic (min/=) (min/> X>X) eq/ eq/ eq/.
- : min-deterministic (min/=) (min/< X>X) eq/ eq/ eq/.
- : min-deterministic (min/> X>X) (min/=) eq/ eq/ eq/.
- : min-deterministic (min/> X>Y) (min/> X>YP) eq/ eq/ eq/.
- : min-deterministic (min/> X>Y) (min/< Y>X) eq/ eq/ E
    <- gt-anti-symmetric X>Y Y>X F
    <- false-implies-eq F E.
- : min-deterministic (min/< X>X) (min/=) eq/ eq/ eq/.
- : min-deterministic (min/< X>Y) (min/> Y>X) eq/ eq/ E
    <- gt-anti-symmetric X>Y Y>X F
    <- false-implies-eq F E.
- : min-deterministic (min/< X>Y) (min/< X>YP) eq/ eq/ eq/.
%worlds () (min-deterministic _ _ _ _ _).
%total { } (min-deterministic _ _ _ _ _).

% min is commutative: swap the strict constructors, keep the gt proof.
%theorem min-commutative : forall* {X1} {X2} {X3} forall {M:min X1 X2 X3} exists {Mc:min X2 X1 X3} true.
- : min-commutative min/= min/=.
- : min-commutative (min/> X>Y) (min/< X>Y).
- : min-commutative (min/< X>Y) (min/> X>Y).
%worlds () (min-commutative _ _).
%total { } (min-commutative _ _).

% X1 >= X2 means the minimum is X2.
%theorem ge-implies-min : forall* {X1} {X2} forall {G:ge X1 X2} exists {M:min X1 X2 X2} true.
- : ge-implies-min (ge/> X1>X2) (min/> X1>X2).
- : ge-implies-min (ge/= eq/) (min/=).
%worlds () (ge-implies-min _ _).
%total { } (ge-implies-min _ _).

% X1 <= X2 means the minimum is X1 (via ge-implies-min and commutativity).
%theorem le-implies-min : forall* {X1} {X2} forall {G:le X1 X2} exists {M:min X1 X2 X1} true.
- : le-implies-min X2>=X1 M
    <- ge-implies-min X2>=X1 Mc
    <- min-commutative Mc M.
%worlds () (le-implies-min _ _).
%total { } (le-implies-min _ _).

% The minimum is a lower bound of both arguments.
%theorem min-implies-ge : forall* {X1} {X2} {X3} forall {M:min X1 X2 X3} exists {G1:ge X1 X3} {G2:ge X2 X3} true.
- : min-implies-ge min/= (ge/= eq/) (ge/= eq/).
- : min-implies-ge (min/> X1>X2) (ge/> X1>X2) (ge/= eq/).
- : min-implies-ge (min/< X2>X1) (ge/= eq/) (ge/> X2>X1).
%worlds () (min-implies-ge _ _ _).
%total { } (min-implies-ge _ _ _).
%% Monotonicity in the right argument: X2 >= X4 implies min X1 X2 >= min X1 X4.
%% NOTE(review): the hypothesis and the conclusion are both labelled G in the
%% %theorem header; this appears to be accepted as shadowing, but distinct
%% labels would read better.
%theorem min-left-preserves-ge* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:ge X2 X4} {M12:min X1 X2 X3} {M14:min X1 X4 X5} exists {G:ge X3 X5} true.
- : min-left-preserves-ge* _ min/= M G
     <- min-implies-ge M G _.
- : min-left-preserves-ge* X2>=X4 (min/> X1>X2) X1&X4=X5 X2>=X5
     <- min-implies-ge X1&X4=X5 _ X4>=X5
     <- ge-transitive X2>=X4 X4>=X5 X2>=X5.
- : min-left-preserves-ge* _ (min/< _) X1&X4=X5 X1>=X5
     <- min-implies-ge X1&X4=X5 X1>=X5 _.
%worlds () (min-left-preserves-ge* _ _ _ _).
%total { } (min-left-preserves-ge* _ _ _ _).

%% le version, obtained from the ge version by swapping the two min facts.
%theorem min-left-preserves-le* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:le X2 X4} {M12:min X1 X2 X3} {M14:min X1 X4 X5} exists {G:le X3 X5} true.
- : min-left-preserves-le* G1 M12 M14 G2
     <- min-left-preserves-ge* G1 M14 M12 G2.
%worlds () (min-left-preserves-le* _ _ _ _).
%total { } (min-left-preserves-le* _ _ _ _).

%% Existential form: the two min results are produced via min-total rather
%% than supplied. (The starred variant takes them as inputs.)
%theorem min-left-preserves-ge : forall* {X1} {X2} {X4} forall {G:ge X2 X4} exists {X3} {X5} {O1:min X1 X2 X3} {O2:min X1 X4 X5} {G2:ge X3 X5} true.
- : min-left-preserves-ge X2>=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3>=X5
     <- min-total X1&X2=A3
     <- min-total X1&X4=X5
     <- min-left-preserves-ge* X2>=X4 X1&X2=A3 X1&X4=X5 X3>=X5.
%worlds () (min-left-preserves-ge X2>=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3>=X5).
%total {} (min-left-preserves-ge _ _ _ _ _ _).

%% Monotonicity in the left argument, reduced to the right-argument case
%% by commuting both min facts.
%theorem min-right-preserves-ge* : forall* {X1} {X2} {X3} {X4} {X5} forall {G1:ge X1 X2} {O1:min X1 X3 X4} {O2:min X2 X3 X5} exists {G2:ge X4 X5} true.
- : min-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5
     <- min-commutative X1&X3=X4 X3&X1=X4
     <- min-commutative X2&X3=X5 X3&X2=X5
     <- min-left-preserves-ge* X1>=X2 X3&X1=X4 X3&X2=X5 X4>=X5.
%worlds () (min-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5).
%total {} (min-right-preserves-ge* _ _ _ _).

%theorem min-right-preserves-ge : forall* {X1} {X2} {X3} forall {G1:ge X1 X2} exists {X4} {X5} {O1:min X1 X3 X4} {O2:min X2 X3 X5} {G2:ge X4 X5} true.
- : min-right-preserves-ge X1>=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4>=X5
     <- min-total X1&X3=X4
     <- min-total X2&X3=X5
     <- min-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5.
%worlds () (min-right-preserves-ge X1>=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4>=X5).
%total {} (min-right-preserves-ge _ _ _ _ _ _).

%% Monotonicity in both arguments at once, via the intermediate value
%% X = min Y1 X2: min X1 X2 >= min Y1 X2 >= min Y1 Y2.
%theorem min-preserves-ge* : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {G1:ge X1 Y1} {G2:ge X2 Y2} {MX:min X1 X2 X3} {MY:min Y1 Y2 Y3} exists {G3:ge X3 Y3} true.
- : min-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3
     <- min-total Y1&X2=X
     <- min-right-preserves-ge* X1>=Y1 X1&X2=X3 Y1&X2=X X3>=X
     <- min-left-preserves-ge* X2>=Y2 Y1&X2=X Y1&Y2=Y3 X>=Y3
     <- ge-transitive X3>=X X>=Y3 X3>=Y3.
%worlds () (min-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3).
%total {} (min-preserves-ge* _ _ _ _ _).

%theorem min-preserves-ge : forall* {X1} {X2} {Y1} {Y2} forall {G1:ge X1 Y1} {G2:ge X2 Y2} exists {X3} {Y3} {MX:min X1 X2 X3} {MY:min Y1 Y2 Y3} {G3:ge X3 Y3} true.
- : min-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3>=Y3
     <- min-total X1&X2=X3
     <- min-total Y1&Y2=Y3
     <- min-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3.
%worlds () (min-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3>=Y3).
%total {} (min-preserves-ge _ _ _ _ _ _ _).

%% le counterparts of the four preservation lemmas above; same structure,
%% with le-transitive in place of ge-transitive.
%theorem min-left-preserves-le : forall* {X1} {X2} {X4} forall {G:le X2 X4} exists {X3} {X5} {O1:min X1 X2 X3} {O2:min X1 X4 X5} {G2:le X3 X5} true.
- : min-left-preserves-le X2<=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3<=X5
     <- min-total X1&X2=A3
     <- min-total X1&X4=X5
     <- min-left-preserves-le* X2<=X4 X1&X2=A3 X1&X4=X5 X3<=X5.
%worlds () (min-left-preserves-le X2<=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3<=X5).
%total {} (min-left-preserves-le _ _ _ _ _ _).

%theorem min-right-preserves-le* : forall* {X1} {X2} {X3} {X4} {X5} forall {G1:le X1 X2} {O1:min X1 X3 X4} {O2:min X2 X3 X5} exists {G2:le X4 X5} true.
- : min-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5
     <- min-commutative X1&X3=X4 X3&X1=X4
     <- min-commutative X2&X3=X5 X3&X2=X5
     <- min-left-preserves-le* X1<=X2 X3&X1=X4 X3&X2=X5 X4<=X5.
%worlds () (min-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5).
%total {} (min-right-preserves-le* _ _ _ _).

%theorem min-right-preserves-le : forall* {X1} {X2} {X3} forall {G1:le X1 X2} exists {X4} {X5} {O1:min X1 X3 X4} {O2:min X2 X3 X5} {G2:le X4 X5} true.
- : min-right-preserves-le X1<=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4<=X5
     <- min-total X1&X3=X4
     <- min-total X2&X3=X5
     <- min-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5.
%worlds () (min-right-preserves-le X1<=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4<=X5).
%total {} (min-right-preserves-le _ _ _ _ _ _).

%theorem min-preserves-le* : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {G1:le X1 Y1} {G2:le X2 Y2} {MX:min X1 X2 X3} {MY:min Y1 Y2 Y3} exists {G3:le X3 Y3} true.
- : min-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3
     <- min-total Y1&X2=X
     <- min-right-preserves-le* X1<=Y1 X1&X2=X3 Y1&X2=X X3<=X
     <- min-left-preserves-le* X2<=Y2 Y1&X2=X Y1&Y2=Y3 X<=Y3
     <- le-transitive X3<=X X<=Y3 X3<=Y3.
%worlds () (min-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3).
%total {} (min-preserves-le* _ _ _ _ _).

%theorem min-preserves-le : forall* {X1} {X2} {Y1} {Y2} forall {G1:le X1 Y1} {G2:le X2 Y2} exists {X3} {Y3} {MX:min X1 X2 X3} {MY:min Y1 Y2 Y3} {G3:le X3 Y3} true.
- : min-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3<=Y3
     <- min-total X1&X2=X3
     <- min-total Y1&Y2=Y3
     <- min-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3.
%worlds () (min-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3<=Y3).
%total {} (min-preserves-le _ _ _ _ _ _ _).

%% Greatest-lower-bound property: any common lower bound X4 of X1 and X2
%% is also a lower bound of min X1 X2. Each case just picks the matching
%% hypothesis.
%theorem min-is-glb : forall* {X1} {X2} {X3} {X4} forall {M:min X1 X2 X3} {G1:ge X1 X4} {G2:ge X2 X4} exists {G3:ge X3 X4} true.
- : min-is-glb min/= G _ G.
- : min-is-glb (min/> X1>X2) _ G G.
- : min-is-glb (min/< X2>X1) G _ G.
%worlds () (min-is-glb _ _ _ _).
%total { } (min-is-glb _ _ _ _).

%% Associativity, existential form: from (X1 & X2) & X4 = X7 produce
%% X6 = X2 & X4 and X1 & X6 = X7. Nine constructor cases; two need
%% gt-transitive, and the last (X1 strictly below both X2 and X4) computes
%% X6 with min-total and uses min-is-glb to show X6 >= X1.
%theorem min-associative : forall* {X1} {X2} {X3} {X4} {X7} forall {M12:min X1 X2 X3} {M34:min X3 X4 X7} exists {X6} {M24:min X2 X4 X6} {M16:min X1 X6 X7} true.
- : min-associative min/= min/= _ min/= min/=.
- : min-associative min/= (min/> X3>X4) _ (min/> X3>X4) (min/> X3>X4).
- : min-associative min/= (min/< X4>X3) _ (min/< X4>X3) (min/=).
- : min-associative (min/> X1>X2) min/= _ (min/=) (min/> X1>X2).
- : min-associative (min/> X1>X2) (min/> X2>X4) _ (min/> X2>X4) (min/> X1>X4)
     <- gt-transitive X1>X2 X2>X4 X1>X4.
- : min-associative (min/> X1>X2) (min/< X4>X2) _ (min/< X4>X2) (min/> X1>X2).
- : min-associative (min/< X2>X1) min/= _ (min/> X2>X1) min/=.
- : min-associative (min/< X2>X1) (min/> X1>X4) _ (min/> X2>X4) (min/> X1>X4)
     <- gt-transitive X2>X1 X1>X4 X2>X4.
- : min-associative (min/< X2>X1) (min/< X4>X1) _ M24 M16
     <- min-total M24
     <- min-is-glb M24 (ge/> X2>X1) (ge/> X4>X1) (X6>=X1: ge X6 X1)
     <- ge-implies-min X6>=X1 M16c
     <- min-commutative M16c M16.
%worlds () (min-associative _ _ _ _ _).
%total { } (min-associative _ _ _ _ _).

%% Associativity with X23 supplied: use the existential form, then identify
%% its witness with the given X23 via min-deterministic / min-respects-eq.
%theorem min-associative* : forall* {X1} {X2} {X12} {X3} {X23} {X123} forall {OP12:min X1 X2 X12} {OP12-3:min X12 X3 X123} {OP23:min X2 X3 X23} exists {OP1-23:min X1 X23 X123} true.
- : min-associative* X1&X2=X3 X3&X4=X7 X2&X4=X6 X1&X6=X7
     <- min-associative X1&X2=X3 X3&X4=X7 Y6 X2&X4=Y6 X1&Y6=X7
     <- min-deterministic X2&X4=Y6 X2&X4=X6 eq/ eq/ Y6=X6
     <- min-respects-eq X1&Y6=X7 eq/ Y6=X6 eq/ X1&X6=X7.
%worlds () (min-associative* _ _ _ _).
%total {} (min-associative* _ _ _ _).

%% Converse direction of associativity, derived from min-associative by
%% commuting every min fact before and after.
%theorem min-associative-converse : forall* {X1} {X2} {X4} {X6} {X7} forall {OP24:min X2 X4 X6} {OP16:min X1 X6 X7} exists {X3} {OP12:min X1 X2 X3} {OP34:min X3 X4 X7} true.
- : min-associative-converse X2&X4=X6 X1&X6=X7 _ X1&X2=X3 X3&X4=X7
     <- min-commutative X2&X4=X6 X4&X2=X6
     <- min-commutative X1&X6=X7 X6&X1=X7
     <- min-associative X4&X2=X6 X6&X1=X7 _ X2&X1=X3 X4&X3=X7
     <- min-commutative X2&X1=X3 X1&X2=X3
     <- min-commutative X4&X3=X7 X3&X4=X7.
%worlds () (min-associative-converse X2&X4=X6 X1&X6=X7 X3 X1&X2=X3 X3&X4=X7).
%total {} (min-associative-converse _ _ _ _ _).

%theorem min-associative-converse* : forall* {X1} {X2} {X3} {X4} {X6} {X7} forall {OP24:min X2 X4 X6} {OP16:min X1 X6 X7} {OP12:min X1 X2 X3} exists {OP34:min X3 X4 X7} true.
- : min-associative-converse* X2&X4=X6 X1&X6=X7 X1&X2=X3 X3&X4=X7
     <- min-associative-converse X2&X4=X6 X1&X6=X7 X3P X1&X2=X3P X3P&X4=X7
     <- min-deterministic X1&X2=X3P X1&X2=X3 eq/ eq/ X3P=X3
     <- min-respects-eq X3P&X4=X7 X3P=X3 eq/ eq/ X3&X4=X7.
%worlds () (min-associative-converse* X2&X4=X6 X1&X6=X7 X1&X2=X3 X3&X4=X7).
%total {} (min-associative-converse* _ _ _ _).

%% (X1 & X2) & X4 = (X1 & X4) & X2: reassociate, commute the inner pair,
%% reassociate back.
%theorem min-assoc-commutative* : forall* {X1} {X2} {X3} {X4} {X5} {X7} forall {OP1:min X1 X2 X3} {OP2:min X3 X4 X7} {OP3:min X1 X4 X5} exists {OP4:min X5 X2 X7} true.
- : min-assoc-commutative* X1&X2=X3 X3&X4=X7 X1&X4=X5 X5&X2=X7
     <- min-associative X1&X2=X3 X3&X4=X7 X6 X2&X4=X6 X1&X6=X7
     <- min-commutative X2&X4=X6 X4&X2=X6
     <- min-associative-converse* X4&X2=X6 X1&X6=X7 X1&X4=X5 X5&X2=X7.
%worlds () (min-assoc-commutative* X1&X2=X3 X3&X4=X7 X1&X4=X5 X5&X2=X7).
%total {} (min-assoc-commutative* _ _ _ _).

%theorem min-assoc-commutative : forall* {X1} {X2} {X3} {X4} {X7} forall {OP1:min X1 X2 X3} {OP2:min X3 X4 X7} exists {X5} {OP3:min X1 X4 X5} {OP4:min X5 X2 X7} true.
- : min-assoc-commutative X1&X2=X3 X3&X4=X7 X5 X1&X4=X5 X5&X2=X7
     <- min-associative X1&X2=X3 X3&X4=X7 X6 X2&X4=X6 X1&X6=X7
     <- min-commutative X2&X4=X6 X4&X2=X6
     <- min-associative-converse X4&X2=X6 X1&X6=X7 X5 X1&X4=X5 X5&X2=X7.
%worlds () (min-assoc-commutative X1&X2=X3 X3&X4=X7 X5 X1&X4=X5 X5&X2=X7).
%total {} (min-assoc-commutative _ _ _ _ _).
%% (A & B) & (C & D) = (A & C) & (B & D). The header names the values
%% A+B etc. for readability; the clause uses the file's usual metavariable
%% scheme (X3 = A&B, XC = C&D, XF = the common result, X5 = A&C, XA = B&D).
%theorem min-double-associative* : forall* {A} {B} {C} {D} {A+B} {C+D} {A+C} {B+D} {X} forall {AB:min A B A+B} {CD:min C D C+D} {ABCD:min A+B C+D X} {AC:min A C A+C} {BD:min B D B+D} exists {ACBD:min A+C B+D X} true.
- : min-double-associative* X1&X2=X3 X4&X8=XC X3&XC=XF X1&X4=X5 X2&X8=XA X5&XA=XF
     <- min-associative X1&X2=X3 X3&XC=XF XE X2&XC=XE X1&XE=XF
     <- min-commutative X4&X8=XC X8&X4=XC
     <- min-associative-converse* X8&X4=XC X2&XC=XE X2&X8=XA XA&X4=XE
     <- min-commutative XA&X4=XE X4&XA=XE
     <- min-associative-converse* X4&XA=XE X1&XE=XF X1&X4=X5 X5&XA=XF.
%worlds () (min-double-associative* X1&X2=X3 X4&X8=XC X3&XC=XF X1&X4=X5 X2&X8=XA X5&XA=XF).
%total {} (min-double-associative* _ _ _ _ _ _).

%theorem min-double-associative : forall* {A} {B} {C} {D} {A+B} {C+D} {X} forall {AB:min A B A+B} {CD:min C D C+D} {ABCD:min A+B C+D X} exists {A+C} {B+D} {AC:min A C A+C} {BD:min B D B+D} {ACBD:min A+C B+D X} true.
- : min-double-associative X1&X2=X3 X4&X8=XC X3&XC=XF X5 XA X1&X4=X5 X2&X8=XA X5&XA=XF
     <- min-associative X1&X2=X3 X3&XC=XF XE X2&XC=XE X1&XE=XF
     <- min-commutative X4&X8=XC X8&X4=XC
     <- min-associative-converse X8&X4=XC X2&XC=XE XA X2&X8=XA XA&X4=XE
     <- min-commutative XA&X4=XE X4&XA=XE
     <- min-associative-converse X4&XA=XE X1&XE=XF X5 X1&X4=X5 X5&XA=XF.
%worlds () (min-double-associative _ _ _ _ _ _ _ _).
%total { } (min-double-associative _ _ _ _ _ _ _ _).

%%% Theorems about max
%% The max section mirrors the min section lemma for lemma. Note that the
%% *-preserves-* lemmas below keep the `&` metavariable names copied from
%% the min section even though the facts are max facts; the names are
%% purely cosmetic.

%theorem false-implies-max : forall* {X1} {X2} {X3} forall {F:void} exists {M:max X1 X2 X3} true.
%worlds () (false-implies-max _ _).
%total { } (false-implies-max _ _).

%theorem max-respects-eq : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {MX:max X1 X2 X3} {E1:eq X1 Y1} {E2:eq X2 Y2} {E3:eq X3 Y3} exists {MY:max Y1 Y2 Y3} true.
- : max-respects-eq M eq/ eq/ eq/ M.
%worlds () (max-respects-eq _ _ _ _ _).
%total { } (max-respects-eq _ _ _ _ _).

%% Totality from a three-way comparison, then for arbitrary arguments.
%theorem max-total** : forall* {X1} {X2} {C} forall {D:compare X1 X2 C} exists {X3} {M:max X1 X2 X3} true.
- : max-total** compare/= _ max/=.
- : max-total** (compare/> X1>X2) _ (max/> X1>X2).
- : max-total** (compare/< X2>X1) _ (max/< X2>X1).
%worlds () (max-total** _ _ _).
%total { } (max-total** _ _ _).

%theorem max-total* : forall {X1} {X2} exists {X3} {M:max X1 X2 X3} true.
- : max-total* X1 X2 X3 M
     <- compare-total D
     <- max-total** D X3 M.
%worlds () (max-total* _ _ _ _).
%total { } (max-total* _ _ _ _).
%abbrev max-total = max-total* _ _ _.

%% Uniqueness of max; same case analysis as min-deterministic, with the two
%% contradictory cases discharged through gt-anti-symmetric.
%theorem max-deterministic : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {MX:max X1 X2 X3} {MY:max Y1 Y2 Y3} {E1:eq X1 Y1} {E2:eq X2 Y2} exists {E3:eq X3 Y3} true.
- : max-deterministic (max/=) (max/=) eq/ eq/ eq/.
- : max-deterministic (max/=) (max/> X>X) eq/ eq/ eq/.
- : max-deterministic (max/=) (max/< X>X) eq/ eq/ eq/.
- : max-deterministic (max/> X>X) (max/=) eq/ eq/ eq/.
- : max-deterministic (max/> X>Y) (max/> X>YP) eq/ eq/ eq/.
- : max-deterministic (max/> X>Y) (max/< Y>X) eq/ eq/ E
     <- gt-anti-symmetric X>Y Y>X F
     <- false-implies-eq F E.
- : max-deterministic (max/< X>X) (max/=) eq/ eq/ eq/.
- : max-deterministic (max/< X>Y) (max/> Y>X) eq/ eq/ E
     <- gt-anti-symmetric X>Y Y>X F
     <- false-implies-eq F E.
- : max-deterministic (max/< X>Y) (max/< X>YP) eq/ eq/ eq/.
%worlds () (max-deterministic _ _ _ _ _).
%total { } (max-deterministic _ _ _ _ _).

%theorem max-commutative : forall* {X1} {X2} {X3} forall {M:max X1 X2 X3} exists {Mc:max X2 X1 X3} true.
- : max-commutative max/= max/=.
- : max-commutative (max/> X>Y) (max/< X>Y).
- : max-commutative (max/< X>Y) (max/> X>Y).
%worlds () (max-commutative _ _).
%total { } (max-commutative _ _).

%% If X1 >= X2 then max X1 X2 is X1; le version via commutativity.
%theorem ge-implies-max : forall* {X1} {X2} forall {G:ge X1 X2} exists {M:max X1 X2 X1} true.
- : ge-implies-max (ge/> X1>X2) (max/> X1>X2).
- : ge-implies-max (ge/= eq/) (max/=).
%worlds () (ge-implies-max _ _).
%total { } (ge-implies-max _ _).

%theorem le-implies-max : forall* {X1} {X2} forall {G:le X1 X2} exists {M:max X1 X2 X2} true.
- : le-implies-max X2>=X1 M
     <- ge-implies-max X2>=X1 Mc
     <- max-commutative Mc M.
%worlds () (le-implies-max _ _).
%total { } (le-implies-max _ _).

%% The maximum is an upper bound of both arguments.
%theorem max-implies-ge : forall* {X1} {X2} {X3} forall {M:max X1 X2 X3} exists {G1:ge X3 X1} {G2:ge X3 X2} true.
- : max-implies-ge max/= (ge/= eq/) (ge/= eq/).
- : max-implies-ge (max/> X1>X2) (ge/= eq/) (ge/> X1>X2).
- : max-implies-ge (max/< X2>X1) (ge/> X2>X1) (ge/= eq/).
%worlds () (max-implies-ge _ _ _).
%total { } (max-implies-ge _ _ _).

%% Least-upper-bound property: a common upper bound X0 of X1 and X2 bounds
%% max X1 X2 as well.
%theorem max-is-lub : forall* {X0} {X1} {X2} {X3} forall {M:max X1 X2 X3} {G1:ge X0 X1} {G2:ge X0 X2} exists {G3:ge X0 X3} true.
- : max-is-lub max/= G _ G.
- : max-is-lub (max/> X1>X2) G _ G.
- : max-is-lub (max/< X2>X1) _ G G.
%worlds () (max-is-lub _ _ _ _).
%total { } (max-is-lub _ _ _ _).

%% Monotonicity of max in the right argument. Unlike the min version this
%% is proved through max-is-lub: exhibit the left-hand result as an upper
%% bound of both X1 and X4 (ge-reflexive supplies the X >= X premise).
%% NOTE(review): hypothesis and conclusion share the label G, as in the
%% min version.
%theorem max-left-preserves-ge* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:ge X2 X4} {M12:max X1 X2 X3} {M14:max X1 X4 X5} exists {G:ge X3 X5} true.
- : max-left-preserves-ge* X>=X4 max/= X|X4=X5 X>=X5
     <- ge-reflexive _ X>=X
     <- max-is-lub X|X4=X5 X>=X X>=X4 X>=X5.
- : max-left-preserves-ge* X2>=X4 (max/> X1>X2) X1|X4=X5 X1>=X5
     <- ge-transitive (ge/> X1>X2) X2>=X4 X1>=X4
     <- ge-reflexive _ X1>=X1
     <- max-is-lub X1|X4=X5 X1>=X1 X1>=X4 X1>=X5.
- : max-left-preserves-ge* X2>=X4 (max/< X2>X1) X1|X4=X5 X2>=X5
     <- max-is-lub X1|X4=X5 (ge/> X2>X1) X2>=X4 X2>=X5.
%worlds () (max-left-preserves-ge* _ _ _ _).
%total { } (max-left-preserves-ge* _ _ _ _).

%theorem max-left-preserves-le* : forall* {X1} {X2} {X3} {X4} {X5} forall {G:le X2 X4} {M12:max X1 X2 X3} {M14:max X1 X4 X5} exists {G:le X3 X5} true.
- : max-left-preserves-le* G1 M12 M14 G2
     <- max-left-preserves-ge* G1 M14 M12 G2.
%worlds () (max-left-preserves-le* _ _ _ _).
%total { } (max-left-preserves-le* _ _ _ _).

%theorem max-left-preserves-ge : forall* {X1} {X2} {X4} forall {G:ge X2 X4} exists {X3} {X5} {O1:max X1 X2 X3} {O2:max X1 X4 X5} {G2:ge X3 X5} true.
- : max-left-preserves-ge X2>=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3>=X5
     <- max-total X1&X2=A3
     <- max-total X1&X4=X5
     <- max-left-preserves-ge* X2>=X4 X1&X2=A3 X1&X4=X5 X3>=X5.
%worlds () (max-left-preserves-ge X2>=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3>=X5).
%total {} (max-left-preserves-ge _ _ _ _ _ _).

%% Left-argument and two-argument monotonicity, reduced to the right-argument
%% lemma exactly as in the min section.
%theorem max-right-preserves-ge* : forall* {X1} {X2} {X3} {X4} {X5} forall {G1:ge X1 X2} {O1:max X1 X3 X4} {O2:max X2 X3 X5} exists {G2:ge X4 X5} true.
- : max-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5
     <- max-commutative X1&X3=X4 X3&X1=X4
     <- max-commutative X2&X3=X5 X3&X2=X5
     <- max-left-preserves-ge* X1>=X2 X3&X1=X4 X3&X2=X5 X4>=X5.
%worlds () (max-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5).
%total {} (max-right-preserves-ge* _ _ _ _).

%theorem max-right-preserves-ge : forall* {X1} {X2} {X3} forall {G1:ge X1 X2} exists {X4} {X5} {O1:max X1 X3 X4} {O2:max X2 X3 X5} {G2:ge X4 X5} true.
- : max-right-preserves-ge X1>=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4>=X5
     <- max-total X1&X3=X4
     <- max-total X2&X3=X5
     <- max-right-preserves-ge* X1>=X2 X1&X3=X4 X2&X3=X5 X4>=X5.
%worlds () (max-right-preserves-ge X1>=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4>=X5).
%total {} (max-right-preserves-ge _ _ _ _ _ _).

%theorem max-preserves-ge* : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {G1:ge X1 Y1} {G2:ge X2 Y2} {MX:max X1 X2 X3} {MY:max Y1 Y2 Y3} exists {G3:ge X3 Y3} true.
- : max-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3
     <- max-total Y1&X2=X
     <- max-right-preserves-ge* X1>=Y1 X1&X2=X3 Y1&X2=X X3>=X
     <- max-left-preserves-ge* X2>=Y2 Y1&X2=X Y1&Y2=Y3 X>=Y3
     <- ge-transitive X3>=X X>=Y3 X3>=Y3.
%worlds () (max-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3).
%total {} (max-preserves-ge* _ _ _ _ _).

%theorem max-preserves-ge : forall* {X1} {X2} {Y1} {Y2} forall {G1:ge X1 Y1} {G2:ge X2 Y2} exists {X3} {Y3} {MX:max X1 X2 X3} {MY:max Y1 Y2 Y3} {G3:ge X3 Y3} true.
- : max-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3>=Y3
     <- max-total X1&X2=X3
     <- max-total Y1&Y2=Y3
     <- max-preserves-ge* X1>=Y1 X2>=Y2 X1&X2=X3 Y1&Y2=Y3 X3>=Y3.
%worlds () (max-preserves-ge X1>=Y1 X2>=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3>=Y3).
%total {} (max-preserves-ge _ _ _ _ _ _ _).
%% le counterparts of the max monotonicity lemmas; each is the ge lemma
%% with the roles of the two max facts exchanged, or a totality wrapper.
%% (Metavariables still use `&` although these are max facts.)
%theorem max-left-preserves-le : forall* {X1} {X2} {X4} forall {G:le X2 X4} exists {X3} {X5} {O1:max X1 X2 X3} {O2:max X1 X4 X5} {G2:le X3 X5} true.
- : max-left-preserves-le X2<=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3<=X5
     <- max-total X1&X2=A3
     <- max-total X1&X4=X5
     <- max-left-preserves-le* X2<=X4 X1&X2=A3 X1&X4=X5 X3<=X5.
%worlds () (max-left-preserves-le X2<=X4 X3 X5 X1&X2=A3 X1&X4=X5 X3<=X5).
%total {} (max-left-preserves-le _ _ _ _ _ _).

%theorem max-right-preserves-le* : forall* {X1} {X2} {X3} {X4} {X5} forall {G1:le X1 X2} {O1:max X1 X3 X4} {O2:max X2 X3 X5} exists {G2:le X4 X5} true.
- : max-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5
     <- max-commutative X1&X3=X4 X3&X1=X4
     <- max-commutative X2&X3=X5 X3&X2=X5
     <- max-left-preserves-le* X1<=X2 X3&X1=X4 X3&X2=X5 X4<=X5.
%worlds () (max-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5).
%total {} (max-right-preserves-le* _ _ _ _).

%theorem max-right-preserves-le : forall* {X1} {X2} {X3} forall {G1:le X1 X2} exists {X4} {X5} {O1:max X1 X3 X4} {O2:max X2 X3 X5} {G2:le X4 X5} true.
- : max-right-preserves-le X1<=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4<=X5
     <- max-total X1&X3=X4
     <- max-total X2&X3=X5
     <- max-right-preserves-le* X1<=X2 X1&X3=X4 X2&X3=X5 X4<=X5.
%worlds () (max-right-preserves-le X1<=X2 X4 X5 X1&X3=X4 X2&X3=X5 X4<=X5).
%total {} (max-right-preserves-le _ _ _ _ _ _).

%% Two-argument monotonicity via the intermediate X = max Y1 X2.
%theorem max-preserves-le* : forall* {X1} {X2} {X3} {Y1} {Y2} {Y3} forall {G1:le X1 Y1} {G2:le X2 Y2} {MX:max X1 X2 X3} {MY:max Y1 Y2 Y3} exists {G3:le X3 Y3} true.
- : max-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3
     <- max-total Y1&X2=X
     <- max-right-preserves-le* X1<=Y1 X1&X2=X3 Y1&X2=X X3<=X
     <- max-left-preserves-le* X2<=Y2 Y1&X2=X Y1&Y2=Y3 X<=Y3
     <- le-transitive X3<=X X<=Y3 X3<=Y3.
%worlds () (max-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3).
%total {} (max-preserves-le* _ _ _ _ _).
%theorem max-preserves-le : forall* {X1} {X2} {Y1} {Y2} forall {G1:le X1 Y1} {G2:le X2 Y2} exists {X3} {Y3} {MX:max X1 X2 X3} {MY:max Y1 Y2 Y3} {G3:le X3 Y3} true.
- : max-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3<=Y3
     <- max-total X1&X2=X3
     <- max-total Y1&Y2=Y3
     <- max-preserves-le* X1<=Y1 X2<=Y2 X1&X2=X3 Y1&Y2=Y3 X3<=Y3.
%worlds () (max-preserves-le X1<=Y1 X2<=Y2 X3 Y3 X1&X2=X3 Y1&Y2=Y3 X3<=Y3).
%total {} (max-preserves-le _ _ _ _ _ _ _).

%% Associativity of max, existential form. Nine cases; the case where X1
%% strictly dominates both X2 and X4 computes X6 = max X2 X4 with max-total
%% and uses max-is-lub to show X1 >= X6, so X1 | X6 = X1 by ge-implies-max.
%% Two other cases need gt-transitive.
%theorem max-associative : forall* {X1} {X2} {X3} {X4} {X7} forall {M12:max X1 X2 X3} {M34:max X3 X4 X7} exists {X6} {M24:max X2 X4 X6} {M16:max X1 X6 X7} true.
- : max-associative max/= max/= _ max/= max/=.
- : max-associative max/= (max/> X3>X4) _ (max/> X3>X4) max/=.
- : max-associative max/= (max/< X4>X3) _ (max/< X4>X3) (max/< X4>X3).
- : max-associative (max/> X1>X2) max/= _ (max/< X1>X2) max/=.
- : max-associative (max/> X1>X2) (max/> X1>X4) _ M24 M16
     <- max-total M24
     <- max-is-lub M24 (ge/> X1>X2) (ge/> X1>X4) X1>=X6
     <- ge-implies-max X1>=X6 M16.
- : max-associative (max/> X1>X2) (max/< X4>X1) _ (max/< X4>X2) (max/< X4>X1)
     <- gt-transitive X4>X1 X1>X2 X4>X2.
- : max-associative (max/< X2>X1) max/= _ max/= (max/< X2>X1).
- : max-associative (max/< X2>X1) (max/> X2>X4) _ (max/> X2>X4) (max/< X2>X1).
- : max-associative (max/< X2>X1) (max/< X4>X2) _ (max/< X4>X2) (max/< X4>X1)
     <- gt-transitive X4>X2 X2>X1 X4>X1.
%worlds () (max-associative _ _ _ _ _).
%total { } (max-associative _ _ _ _ _).

%% Associativity with the inner result supplied; witness identified through
%% max-deterministic and max-respects-eq.
%theorem max-associative* : forall* {X1} {X2} {X12} {X3} {X23} {X123} forall {OP12:max X1 X2 X12} {OP12-3:max X12 X3 X123} {OP23:max X2 X3 X23} exists {OP1-23:max X1 X23 X123} true.
- : max-associative* X1|X2=X3 X3|X4=X7 X2|X4=X6 X1|X6=X7
     <- max-associative X1|X2=X3 X3|X4=X7 Y6 X2|X4=Y6 X1|Y6=X7
     <- max-deterministic X2|X4=Y6 X2|X4=X6 eq/ eq/ Y6=X6
     <- max-respects-eq X1|Y6=X7 eq/ Y6=X6 eq/ X1|X6=X7.
%worlds () (max-associative* _ _ _ _).
%total {} (max-associative* _ _ _ _).
%% Converse associativity for max, by commuting around max-associative;
%% then the variants with supplied witnesses and the assoc-commutative
%% rearrangement, all structurally identical to the min versions.
%theorem max-associative-converse : forall* {X1} {X2} {X4} {X6} {X7} forall {OP24:max X2 X4 X6} {OP16:max X1 X6 X7} exists {X3} {OP12:max X1 X2 X3} {OP34:max X3 X4 X7} true.
- : max-associative-converse X2|X4=X6 X1|X6=X7 _ X1|X2=X3 X3|X4=X7
     <- max-commutative X2|X4=X6 X4|X2=X6
     <- max-commutative X1|X6=X7 X6|X1=X7
     <- max-associative X4|X2=X6 X6|X1=X7 _ X2|X1=X3 X4|X3=X7
     <- max-commutative X2|X1=X3 X1|X2=X3
     <- max-commutative X4|X3=X7 X3|X4=X7.
%worlds () (max-associative-converse X2|X4=X6 X1|X6=X7 X3 X1|X2=X3 X3|X4=X7).
%total {} (max-associative-converse _ _ _ _ _).

%theorem max-associative-converse* : forall* {X1} {X2} {X3} {X4} {X6} {X7} forall {OP24:max X2 X4 X6} {OP16:max X1 X6 X7} {OP12:max X1 X2 X3} exists {OP34:max X3 X4 X7} true.
- : max-associative-converse* X2|X4=X6 X1|X6=X7 X1|X2=X3 X3|X4=X7
     <- max-associative-converse X2|X4=X6 X1|X6=X7 X3P X1|X2=X3P X3P|X4=X7
     <- max-deterministic X1|X2=X3P X1|X2=X3 eq/ eq/ X3P=X3
     <- max-respects-eq X3P|X4=X7 X3P=X3 eq/ eq/ X3|X4=X7.
%worlds () (max-associative-converse* X2|X4=X6 X1|X6=X7 X1|X2=X3 X3|X4=X7).
%total {} (max-associative-converse* _ _ _ _).

%theorem max-assoc-commutative* : forall* {X1} {X2} {X3} {X4} {X5} {X7} forall {OP1:max X1 X2 X3} {OP2:max X3 X4 X7} {OP3:max X1 X4 X5} exists {OP4:max X5 X2 X7} true.
- : max-assoc-commutative* X1|X2=X3 X3|X4=X7 X1|X4=X5 X5|X2=X7
     <- max-associative X1|X2=X3 X3|X4=X7 X6 X2|X4=X6 X1|X6=X7
     <- max-commutative X2|X4=X6 X4|X2=X6
     <- max-associative-converse* X4|X2=X6 X1|X6=X7 X1|X4=X5 X5|X2=X7.
%worlds () (max-assoc-commutative* X1|X2=X3 X3|X4=X7 X1|X4=X5 X5|X2=X7).
%total {} (max-assoc-commutative* _ _ _ _).

%theorem max-assoc-commutative : forall* {X1} {X2} {X3} {X4} {X7} forall {OP1:max X1 X2 X3} {OP2:max X3 X4 X7} exists {X5} {OP3:max X1 X4 X5} {OP4:max X5 X2 X7} true.
- : max-assoc-commutative X1|X2=X3 X3|X4=X7 X5 X1|X4=X5 X5|X2=X7
     <- max-associative X1|X2=X3 X3|X4=X7 X6 X2|X4=X6 X1|X6=X7
     <- max-commutative X2|X4=X6 X4|X2=X6
     <- max-associative-converse X4|X2=X6 X1|X6=X7 X5 X1|X4=X5 X5|X2=X7.
%worlds () (max-assoc-commutative X1|X2=X3 X3|X4=X7 X5 X1|X4=X5 X5|X2=X7).
%total {} (max-assoc-commutative _ _ _ _ _).

%% (A | B) | (C | D) = (A | C) | (B | D); same proof shape as for min.
%theorem max-double-associative* : forall* {A} {B} {C} {D} {A+B} {C+D} {A+C} {B+D} {X} forall {AB:max A B A+B} {CD:max C D C+D} {ABCD:max A+B C+D X} {AC:max A C A+C} {BD:max B D B+D} exists {ACBD:max A+C B+D X} true.
- : max-double-associative* X1|X2=X3 X4|X8=XC X3|XC=XF X1|X4=X5 X2|X8=XA X5|XA=XF
     <- max-associative X1|X2=X3 X3|XC=XF XE X2|XC=XE X1|XE=XF
     <- max-commutative X4|X8=XC X8|X4=XC
     <- max-associative-converse* X8|X4=XC X2|XC=XE X2|X8=XA XA|X4=XE
     <- max-commutative XA|X4=XE X4|XA=XE
     <- max-associative-converse* X4|XA=XE X1|XE=XF X1|X4=X5 X5|XA=XF.
%worlds () (max-double-associative* X1|X2=X3 X4|X8=XC X3|XC=XF X1|X4=X5 X2|X8=XA X5|XA=XF).
%total {} (max-double-associative* _ _ _ _ _ _).

%theorem max-double-associative : forall* {A} {B} {C} {D} {A+B} {C+D} {X} forall {AB:max A B A+B} {CD:max C D C+D} {ABCD:max A+B C+D X} exists {A+C} {B+D} {AC:max A C A+C} {BD:max B D B+D} {ACBD:max A+C B+D X} true.
- : max-double-associative X1|X2=X3 X4|X8=XC X3|XC=XF X5 XA X1|X4=X5 X2|X8=XA X5|XA=XF
     <- max-associative X1|X2=X3 X3|XC=XF XE X2|XC=XE X1|XE=XF
     <- max-commutative X4|X8=XC X8|X4=XC
     <- max-associative-converse X8|X4=XC X2|XC=XE XA X2|X8=XA XA|X4=XE
     <- max-commutative XA|X4=XE X4|XA=XE
     <- max-associative-converse X4|XA=XE X1|XE=XF X5 X1|X4=X5 X5|XA=XF.
%worlds () (max-double-associative _ _ _ _ _ _ _ _).
%total { } (max-double-associative _ _ _ _ _ _ _ _).

%%% Distributivity theorems

%% min (max X1 X2) X4 = max (min X1 X4) (min X2 X4). Case on the max: when
%% the arguments are equal both sides collapse; otherwise the smaller-side
%% min is computed with min-total and shown to be dominated using
%% min-right-preserves-ge*, so ge-implies-max gives the outer max.
%theorem min-right-distributes-over-max : forall* {X1} {X2} {X3} {X4} {X7} forall {A12:max X1 X2 X3} {M34:min X3 X4 X7} exists {X5} {X6} {M14:min X1 X4 X5} {M24:min X2 X4 X6} {A56:max X5 X6 X7} true.
- : min-right-distributes-over-max max/= M _ _ M M max/=.
- : min-right-distributes-over-max (max/> X1>X2) X1&X4=X7 _ _ X1&X4=X7 X2&X4=X6 X7|X6=X7
     <- min-total X2&X4=X6
     <- min-right-preserves-ge* (ge/> X1>X2) X1&X4=X7 X2&X4=X6 X7>=X6
     <- ge-implies-max X7>=X6 X7|X6=X7.
- : min-right-distributes-over-max (max/< X2>X1) X2&X4=X7 _ _ X1&X4=X5 X2&X4=X7 X5|X7=X7
     <- min-total X1&X4=X5
     <- min-right-preserves-ge* (ge/> X2>X1) X2&X4=X7 X1&X4=X5 X7>=X5
     <- ge-implies-max X7>=X5 X7|X5=X7
     <- max-commutative X7|X5=X7 X5|X7=X7.
%worlds () (min-right-distributes-over-max _ _ _ _ _ _ _).
%total { } (min-right-distributes-over-max _ _ _ _ _ _ _).

%% Dual: max (min X1 X2) X4 = min (max X1 X4) (max X2 X4). The third case
%% reaches the min through le-implies-min instead of ge-implies-min plus a
%% commute, since the ge fact comes out the other way round.
%theorem max-right-distributes-over-min : forall* {X1} {X2} {X3} {X4} {X7} forall {A12:min X1 X2 X3} {M34:max X3 X4 X7} exists {X5} {X6} {M14:max X1 X4 X5} {M24:max X2 X4 X6} {A56:min X5 X6 X7} true.
- : max-right-distributes-over-min min/= M _ _ M M min/=.
- : max-right-distributes-over-min (min/> X1>X2) X2|X4=X7 _ _ X1|X4=X5 X2|X4=X7 X5&X7=X7
     <- max-total X1|X4=X5
     <- max-right-preserves-ge* (ge/> X1>X2) X1|X4=X5 X2|X4=X7 X5>=X7
     <- ge-implies-min X5>=X7 X5&X7=X7.
- : max-right-distributes-over-min (min/< X2>X1) X1|X4=X7 _ _ X1|X4=X7 X2|X4=X6 X7&X6=X7
     <- max-total X2|X4=X6
     <- max-right-preserves-ge* (ge/> X2>X1) X2|X4=X6 X1|X4=X7 X6>=X7
     <- le-implies-min X6>=X7 X7&X6=X7.
%worlds () (max-right-distributes-over-min _ _ _ _ _ _ _).
%total { } (max-right-distributes-over-min _ _ _ _ _ _ _).

%% Starred variant: the two inner mins are inputs; the existential lemma's
%% witnesses are identified with them via min-deterministic.
%theorem min-right-distributes-over-max* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {A12:max X1 X2 X3} {M34:min X3 X4 X7} {M14:min X1 X4 X5} {M24:min X2 X4 X6} exists {A56:max X5 X6 X7} true.
- : min-right-distributes-over-max* X1|X2=X3 X3&X4=X7 X1&X4=X5 X2&X4=X6 X5|X6=X7
     <- min-right-distributes-over-max X1|X2=X3 X3&X4=X7 Y5 Y6 X1&X4=Y5 X2&X4=Y6 Y5|Y6=X7
     <- min-deterministic X1&X4=Y5 X1&X4=X5 eq/ eq/ Y5=X5
     <- min-deterministic X2&X4=Y6 X2&X4=X6 eq/ eq/ Y6=X6
     <- max-respects-eq Y5|Y6=X7 Y5=X5 Y6=X6 eq/ X5|X6=X7.
%worlds () (min-right-distributes-over-max* X1|X2=X3 X3&X4=X7 X1&X4=X5 X2&X4=X6 X5|X6=X7).
%total {} (min-right-distributes-over-max* _ _ _ _ _).

%% Left distributivity, by commuting every min fact into the right form.
%theorem min-left-distributes-over-max* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {A12:max X2 X4 X6} {M34:min X1 X6 X7} {M14:min X1 X2 X3} {M24:min X1 X4 X5} exists {A56:max X3 X5 X7} true.
- : min-left-distributes-over-max* X2|X4=X6 X1&X6=X7 X1&X2=X3 X1&X4=X5 X3|X5=X7
     <- min-commutative X1&X6=X7 X6&X1=X7
     <- min-commutative X1&X2=X3 X2&X1=X3
     <- min-commutative X1&X4=X5 X4&X1=X5
     <- min-right-distributes-over-max* X2|X4=X6 X6&X1=X7 X2&X1=X3 X4&X1=X5 X3|X5=X7.
%worlds () (min-left-distributes-over-max* X2|X4=X6 X1&X6=X7 X1&X2=X3 X1&X4=X5 X3|X5=X7).
%total {} (min-left-distributes-over-max* _ _ _ _ _).

%theorem min-left-distributes-over-max : forall* {X1} {X2} {X4} {X6} {X7} forall {A12:max X2 X4 X6} {M34:min X1 X6 X7} exists {X3} {X5} {M14:min X1 X2 X3} {M24:min X1 X4 X5} {A56:max X3 X5 X7} true.
- : min-left-distributes-over-max X2|X4=X6 X1&X6=X7 X3 X5 X1&X2=X3 X1&X4=X5 X3|X5=X7
     <- min-total X1&X2=X3
     <- min-total X1&X4=X5
     <- min-left-distributes-over-max* X2|X4=X6 X1&X6=X7 X1&X2=X3 X1&X4=X5 X3|X5=X7.
%worlds () (min-left-distributes-over-max X2|X4=X6 X1&X6=X7 X3 X5 X1&X2=X3 X1&X4=X5 X3|X5=X7).
%total {} (min-left-distributes-over-max _ _ _ _ _ _ _).

%% Factoring (the reverse of distribution): from the two mins and their
%% max, recover max X1 X2 = X3 and min X3 X4 = X7. The result Y7 of
%% min X3 X4 is computed by totality and then shown equal to X7 through
%% the distributive law and max-deterministic.
%theorem min-right-factors-over-max : forall* {X1} {X2} {X4} {X5} {X6} {X7} forall {M14:min X1 X4 X5} {M24:min X2 X4 X6} {A56:max X5 X6 X7} exists {X3} {A12:max X1 X2 X3} {M34:min X3 X4 X7} true.
- : min-right-factors-over-max X1&X4=X5 X2&X4=X6 X5|X6=X7 X3 X1|X2=X3 X3&X4=X7
     <- max-total X1|X2=X3
     <- min-total X3&X4=Y7
     <- min-right-distributes-over-max* X1|X2=X3 X3&X4=Y7 X1&X4=X5 X2&X4=X6 X5|X6=Y7
     <- max-deterministic X5|X6=Y7 X5|X6=X7 eq/ eq/ Y7=X7
     <- min-respects-eq X3&X4=Y7 eq/ eq/ Y7=X7 X3&X4=X7.
%worlds () (min-right-factors-over-max X1&X4=X5 X2&X4=X6 X5|X6=X7 X3 X1|X2=X3 X3&X4=X7 ).
%total {} (min-right-factors-over-max _ _ _ _ _ _).
%% Factoring with max X1 X2 = X3 supplied rather than computed.
%theorem min-right-factors-over-max* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {M14:min X1 X4 X5} {M24:min X2 X4 X6} {A56:max X5 X6 X7} {A12:max X1 X2 X3} exists {M34:min X3 X4 X7} true.
- : min-right-factors-over-max* X1&X4=X5 X2&X4=X6 X5|X6=X7 X1|X2=X3 X3&X4=X7
     <- min-total X3&X4=Y7
     <- min-right-distributes-over-max* X1|X2=X3 X3&X4=Y7 X1&X4=X5 X2&X4=X6 X5|X6=Y7
     <- max-deterministic X5|X6=Y7 X5|X6=X7 eq/ eq/ Y7=X7
     <- min-respects-eq X3&X4=Y7 eq/ eq/ Y7=X7 X3&X4=X7.
%worlds () (min-right-factors-over-max* X1&X4=X5 X2&X4=X6 X5|X6=X7 X1|X2=X3 X3&X4=X7 ).
%total {} (min-right-factors-over-max* _ _ _ _ _).

%% Left-side factoring, via commutativity and the right-side lemma.
%theorem min-left-factors-over-max : forall* {X1} {X2} {X3} {X4} {X5} {X7} forall {M12:min X1 X2 X3} {M14:min X1 X4 X5} {A35:max X3 X5 X7} exists {X6} {A24:max X2 X4 X6} {M16:min X1 X6 X7} true.
- : min-left-factors-over-max X1&X2=X3 X1&X4=X5 X3|X5=X7 X6 X2|X4=X6 X1&X6=X7
     <- min-commutative X1&X2=X3 X2&X1=X3
     <- min-commutative X1&X4=X5 X4&X1=X5
     <- min-right-factors-over-max X2&X1=X3 X4&X1=X5 X3|X5=X7 X6 X2|X4=X6 X6&X1=X7
     <- min-commutative X6&X1=X7 X1&X6=X7.
%worlds () (min-left-factors-over-max X1&X2=X3 X1&X4=X5 X3|X5=X7 X6 X2|X4=X6 X1&X6=X7).
%total {} (min-left-factors-over-max _ _ _ _ _ _).

%% Left-side factoring with max X2 X4 = X6 supplied; goes through the
%% left distributive law directly rather than through the unstarred lemma.
%theorem min-left-factors-over-max* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {M12:min X1 X2 X3} {M14:min X1 X4 X5} {A35:max X3 X5 X7} {A24:max X2 X4 X6} exists {M16:min X1 X6 X7} true.
- : min-left-factors-over-max* X1&X2=X3 X1&X4=X5 X3|X5=X7 X2|X4=X6 X1&X6=X7
     <- min-total X1&X6=Y7
     <- min-left-distributes-over-max* X2|X4=X6 X1&X6=Y7 X1&X2=X3 X1&X4=X5 X3|X5=Y7
     <- max-deterministic X3|X5=Y7 X3|X5=X7 eq/ eq/ Y7=X7
     <- min-respects-eq X1&X6=Y7 eq/ eq/ Y7=X7 X1&X6=X7.
%worlds () (min-left-factors-over-max* X1&X2=X3 X1&X4=X5 X3|X5=X7 X2|X4=X6 X1&X6=X7).
%total {} (min-left-factors-over-max* _ _ _ _ _).
%% Dual distributive laws for max over min, mirroring the min-over-max
%% lemmas above: starred form identifies supplied witnesses with
%% max-deterministic; left form commutes into the right form.
%theorem max-right-distributes-over-min* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {A12:min X1 X2 X3} {M34:max X3 X4 X7} {M14:max X1 X4 X5} {M24:max X2 X4 X6} exists {A56:min X5 X6 X7} true.
- : max-right-distributes-over-min* X1&X2=X3 X3|X4=X7 X1|X4=X5 X2|X4=X6 X5&X6=X7
     <- max-right-distributes-over-min X1&X2=X3 X3|X4=X7 Y5 Y6 X1|X4=Y5 X2|X4=Y6 Y5&Y6=X7
     <- max-deterministic X1|X4=Y5 X1|X4=X5 eq/ eq/ Y5=X5
     <- max-deterministic X2|X4=Y6 X2|X4=X6 eq/ eq/ Y6=X6
     <- min-respects-eq Y5&Y6=X7 Y5=X5 Y6=X6 eq/ X5&X6=X7.
%worlds () (max-right-distributes-over-min* X1&X2=X3 X3|X4=X7 X1|X4=X5 X2|X4=X6 X5&X6=X7).
%total {} (max-right-distributes-over-min* _ _ _ _ _).

%theorem max-left-distributes-over-min* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {A12:min X2 X4 X6} {M34:max X1 X6 X7} {M14:max X1 X2 X3} {M24:max X1 X4 X5} exists {A56:min X3 X5 X7} true.
- : max-left-distributes-over-min* X2&X4=X6 X1|X6=X7 X1|X2=X3 X1|X4=X5 X3&X5=X7
     <- max-commutative X1|X6=X7 X6|X1=X7
     <- max-commutative X1|X2=X3 X2|X1=X3
     <- max-commutative X1|X4=X5 X4|X1=X5
     <- max-right-distributes-over-min* X2&X4=X6 X6|X1=X7 X2|X1=X3 X4|X1=X5 X3&X5=X7.
%worlds () (max-left-distributes-over-min* X2&X4=X6 X1|X6=X7 X1|X2=X3 X1|X4=X5 X3&X5=X7).
%total {} (max-left-distributes-over-min* _ _ _ _ _).

%theorem max-left-distributes-over-min : forall* {X1} {X2} {X4} {X6} {X7} forall {A12:min X2 X4 X6} {M34:max X1 X6 X7} exists {X3} {X5} {M14:max X1 X2 X3} {M24:max X1 X4 X5} {A56:min X3 X5 X7} true.
- : max-left-distributes-over-min X2&X4=X6 X1|X6=X7 X3 X5 X1|X2=X3 X1|X4=X5 X3&X5=X7
     <- max-total X1|X2=X3
     <- max-total X1|X4=X5
     <- max-left-distributes-over-min* X2&X4=X6 X1|X6=X7 X1|X2=X3 X1|X4=X5 X3&X5=X7.
%worlds () (max-left-distributes-over-min X2&X4=X6 X1|X6=X7 X3 X5 X1|X2=X3 X1|X4=X5 X3&X5=X7).
%total {} (max-left-distributes-over-min _ _ _ _ _ _ _).
%%% Factoring max over min, dual of the min-over-max factoring lemmas.
%%% Unstarred form: X3 = min X1 X2 is constructed with min-total; a candidate
%%% Y7 for max X3 X4 comes from max-total and is identified with X7 through
%%% the starred distributive law and min-deterministic.
%theorem max-right-factors-over-min :
   forall* {X1} {X2} {X4} {X5} {X6} {X7}
   forall {M14:max X1 X4 X5} {M24:max X2 X4 X6} {A56:min X5 X6 X7}
   exists {X3} {A12:min X1 X2 X3} {M34:max X3 X4 X7}
   true.
- : max-right-factors-over-min X1|X4=X5 X2|X4=X6 X5&X6=X7 X3 X1&X2=X3 X3|X4=X7
    <- min-total X1&X2=X3
    <- max-total X3|X4=Y7
    <- max-right-distributes-over-min* X1&X2=X3 X3|X4=Y7 X1|X4=X5 X2|X4=X6 X5&X6=Y7
    <- min-deterministic X5&X6=Y7 X5&X6=X7 eq/ eq/ Y7=X7
    <- max-respects-eq X3|X4=Y7 eq/ eq/ Y7=X7 X3|X4=X7.
%worlds () (max-right-factors-over-min X1|X4=X5 X2|X4=X6 X5&X6=X7 X3 X1&X2=X3 X3|X4=X7 ).
%total {} (max-right-factors-over-min _ _ _ _ _ _).

%%% Starred form: same proof with min X1 X2 X3 supplied by the caller.
%theorem max-right-factors-over-min* :
   forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
   forall {M14:max X1 X4 X5} {M24:max X2 X4 X6} {A56:min X5 X6 X7} {A12:min X1 X2 X3}
   exists {M34:max X3 X4 X7}
   true.
- : max-right-factors-over-min* X1|X4=X5 X2|X4=X6 X5&X6=X7 X1&X2=X3 X3|X4=X7
    <- max-total X3|X4=Y7
    <- max-right-distributes-over-min* X1&X2=X3 X3|X4=Y7 X1|X4=X5 X2|X4=X6 X5&X6=Y7
    <- min-deterministic X5&X6=Y7 X5&X6=X7 eq/ eq/ Y7=X7
    <- max-respects-eq X3|X4=Y7 eq/ eq/ Y7=X7 X3|X4=X7.
%worlds () (max-right-factors-over-min* X1|X4=X5 X2|X4=X6 X5&X6=X7 X1&X2=X3 X3|X4=X7 ).
%total {} (max-right-factors-over-min* _ _ _ _ _).

%%% Left version: commute each max and reuse the unstarred right version.
%theorem max-left-factors-over-min :
   forall* {X1} {X2} {X3} {X4} {X5} {X7}
   forall {M12:max X1 X2 X3} {M14:max X1 X4 X5} {A35:min X3 X5 X7}
   exists {X6} {A24:min X2 X4 X6} {M16:max X1 X6 X7}
   true.
- : max-left-factors-over-min X1|X2=X3 X1|X4=X5 X3&X5=X7 X6 X2&X4=X6 X1|X6=X7
    <- max-commutative X1|X2=X3 X2|X1=X3
    <- max-commutative X1|X4=X5 X4|X1=X5
    <- max-right-factors-over-min X2|X1=X3 X4|X1=X5 X3&X5=X7 X6 X2&X4=X6 X6|X1=X7
    <- max-commutative X6|X1=X7 X1|X6=X7.
%worlds () (max-left-factors-over-min X1|X2=X3 X1|X4=X5 X3&X5=X7 X6 X2&X4=X6 X1|X6=X7).
%total {} (max-left-factors-over-min _ _ _ _ _ _).
%%% Starred left factoring of max over min: candidate from max-total,
%%% identified with X7 via max-left-distributes-over-min* and
%%% min-deterministic.
%theorem max-left-factors-over-min* :
   forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
   forall {M12:max X1 X2 X3} {M14:max X1 X4 X5} {A35:min X3 X5 X7} {A24:min X2 X4 X6}
   exists {M16:max X1 X6 X7}
   true.
- : max-left-factors-over-min* X1|X2=X3 X1|X4=X5 X3&X5=X7 X2&X4=X6 X1|X6=X7
    <- max-total X1|X6=Y7
    <- max-left-distributes-over-min* X2&X4=X6 X1|X6=Y7 X1|X2=X3 X1|X4=X5 X3&X5=Y7
    <- min-deterministic X3&X5=Y7 X3&X5=X7 eq/ eq/ Y7=X7
    <- max-respects-eq X1|X6=Y7 eq/ eq/ Y7=X7 X1|X6=X7.
%worlds () (max-left-factors-over-min* X1|X2=X3 X1|X4=X5 X3&X5=X7 X2&X4=X6 X1|X6=X7).
%total {} (max-left-factors-over-min* _ _ _ _ _).

%%% Successor is compatible with min and max.  Each case maps a constructor
%%% (min/=, min/<, min/>, and likewise for max) to the same constructor on
%%% the successors; the strict cases carry a gt proof, which is lifted with
%%% succ-preserves-gt and lowered again with succ-preserves-gt-converse.
%theorem succ-preserves-min :
   forall* {N1} {N2} {N3}
   forall {M: min N1 N2 N3}
   exists {MS: min (s N1) (s N2) (s N3)}
   true.
- : succ-preserves-min min/= min/=.
- : succ-preserves-min (min/< N2>N1) (min/< N2+1>N1+1)
    <- succ-preserves-gt N2>N1 N2+1>N1+1.
- : succ-preserves-min (min/> N1>N2) (min/> N1+1>N2+1)
    <- succ-preserves-gt N1>N2 N1+1>N2+1.
%worlds () (succ-preserves-min _ _).
%total { } (succ-preserves-min _ _).

%%% Converse: strip one successor from every argument of a min.
%theorem succ-preserves-min-converse :
   forall* {N1} {N2} {N3}
   forall {MS: min (s N1) (s N2) (s N3)}
   exists {M: min N1 N2 N3}
   true.
- : succ-preserves-min-converse min/= min/=.
- : succ-preserves-min-converse (min/< N2+1>N1+1) (min/< N2>N1)
    <- succ-preserves-gt-converse N2+1>N1+1 N2>N1.
- : succ-preserves-min-converse (min/> N1+1>N2+1) (min/> N1>N2)
    <- succ-preserves-gt-converse N1+1>N2+1 N1>N2.
%worlds () (succ-preserves-min-converse _ _).
%total { } (succ-preserves-min-converse _ _).

%%% Same for max.
%theorem succ-preserves-max :
   forall* {N1} {N2} {N3}
   forall {M: max N1 N2 N3}
   exists {MS: max (s N1) (s N2) (s N3)}
   true.
- : succ-preserves-max max/= max/=.
- : succ-preserves-max (max/< N2>N1) (max/< N2+1>N1+1)
    <- succ-preserves-gt N2>N1 N2+1>N1+1.
- : succ-preserves-max (max/> N1>N2) (max/> N1+1>N2+1)
    <- succ-preserves-gt N1>N2 N1+1>N2+1.
%worlds () (succ-preserves-max _ _).
%total { } (succ-preserves-max _ _).
%%% Converse for max: strip one successor from every argument.
%theorem succ-preserves-max-converse :
   forall* {N1} {N2} {N3}
   forall {MS: max (s N1) (s N2) (s N3)}
   exists {M: max N1 N2 N3}
   true.
- : succ-preserves-max-converse max/= max/=.
- : succ-preserves-max-converse (max/< N2+1>N1+1) (max/< N2>N1)
    <- succ-preserves-gt-converse N2+1>N1+1 N2>N1.
- : succ-preserves-max-converse (max/> N1+1>N2+1) (max/> N1>N2)
    <- succ-preserves-gt-converse N1+1>N2+1 N1>N2.
%worlds () (succ-preserves-max-converse _ _).
%total { } (succ-preserves-max-converse _ _).

%%%% Qualified re-exports of the nat signature.
%%% Every nat constant and theorem is given a second name under the nat`
%%% prefix.  The pair signature included further down redefines eq, ne and
%%% eq? (and their theorems) for pairs, so code after that point reaches the
%%% nat versions only through these qualified names (e.g. nat`ne, nat`eq/).
%abbrev nat`nat = nat.
%abbrev nat`z = z.
%abbrev nat`s = s.
%abbrev nat`plus = plus.
%abbrev nat`plus/z = plus/z.
%abbrev nat`plus/s = plus/s.
%abbrev nat`times = times.
%abbrev nat`times/z = times/z.
%abbrev nat`times/s = times/s.
%abbrev nat`eq = eq.
%abbrev nat`eq/ = eq/.
%abbrev nat`gt = gt.
%abbrev nat`gt/1 = gt/1.
%abbrev nat`gt/> = gt/>.
%abbrev nat`compare = compare.
%abbrev nat`compare/= = compare/=.
%abbrev nat`compare/< = compare/<.
%abbrev nat`compare/> = compare/>.
%abbrev nat`meta-eq = meta-eq.
%abbrev nat`false-implies-eq = false-implies-eq.
%abbrev nat`eq-symmetric = eq-symmetric.
%abbrev nat`eq-transitive = eq-transitive.
%abbrev nat`succ-deterministic = succ-deterministic.
%abbrev nat`succ-cancels = succ-cancels.
%abbrev nat`succ-contradiction = succ-contradiction.
%abbrev nat`eq-contradiction = eq-contradiction.
%abbrev nat`meta-gt = meta-gt.
%abbrev nat`false-implies-gt = false-implies-gt.
%abbrev nat`gt-respects-eq = gt-respects-eq.
%abbrev nat`succ-implies-gt = succ-implies-gt.
%abbrev nat`succ-implies-gt-zero = succ-implies-gt-zero.
%abbrev nat`succ-preserves-gt = succ-preserves-gt.
%abbrev nat`succ-preserves-gt-converse = succ-preserves-gt-converse.
%abbrev nat`gt-implies-positive = gt-implies-positive.
%abbrev nat`gt-anti-reflexive* = gt-anti-reflexive*.
%abbrev nat`gt-anti-reflexive = gt-anti-reflexive.
%abbrev nat`gt-transitive = gt-transitive.
%abbrev nat`gt-anti-symmetric = gt-anti-symmetric.
%abbrev nat`gt-implies-plus = gt-implies-plus.
%abbrev nat`gt-contradiction = gt-contradiction. %abbrev nat`false-implies-compare = false-implies-compare. %abbrev nat`succ-preserves-compare = succ-preserves-compare. %abbrev nat`compare-total* = compare-total*. %abbrev nat`compare-total = compare-total. %abbrev nat`greater-implies-gt = greater-implies-gt. %abbrev nat`less-is-reverse-greater = less-is-reverse-greater. %abbrev nat`less-implies-lt = less-implies-lt. %abbrev nat`equal-implies-eq = equal-implies-eq. %abbrev nat`false-implies-plus = false-implies-plus. %abbrev nat`plus-respects-eq = plus-respects-eq. %abbrev nat`plus-total* = plus-total*. %abbrev nat`plus-total = plus-total. %abbrev nat`plus-deterministic = plus-deterministic. %abbrev nat`plus-left-identity = plus-left-identity. %abbrev nat`plus-left-increase = plus-left-increase. %abbrev nat`plus-right-identity = plus-right-identity. %abbrev nat`plus-right-increase = plus-right-increase. %abbrev nat`plus-left-decrease = plus-left-decrease. %abbrev nat`plus-right-decrease = plus-right-decrease. %abbrev nat`plus-swap-succ = plus-swap-succ. %abbrev nat`plus-swap-succ-converse = plus-swap-succ-converse. %abbrev nat`plus-left-preserves-positive = plus-left-preserves-positive. %abbrev nat`plus-right-preserves-positive = plus-right-preserves-positive. %abbrev nat`plus-is-zero-implies-zero = plus-is-zero-implies-zero. %abbrev nat`plus-commutative = plus-commutative. %abbrev nat`plus-associative = plus-associative. %abbrev nat`plus-associative* = plus-associative*. %abbrev nat`plus-associative-converse = plus-associative-converse. %abbrev nat`plus-associative-converse* = plus-associative-converse*. %abbrev nat`plus-assoc-commutative* = plus-assoc-commutative*. %abbrev nat`plus-assoc-commutative = plus-assoc-commutative. %abbrev nat`plus-double-associative* = plus-double-associative*. %abbrev nat`plus-double-associative = plus-double-associative. %abbrev nat`plus-left-cancels = plus-left-cancels. %abbrev nat`plus-right-cancels* = plus-right-cancels*. 
%abbrev nat`plus-right-cancels = plus-right-cancels. %abbrev nat`plus-left-preserves-gt* = plus-left-preserves-gt*. %abbrev nat`plus-left-cancels-gt = plus-left-cancels-gt. %abbrev nat`plus-left-preserves-gt = plus-left-preserves-gt. %abbrev nat`plus-right-preserves-gt* = plus-right-preserves-gt*. %abbrev nat`plus-right-preserves-gt = plus-right-preserves-gt. %abbrev nat`plus-preserves-gt* = plus-preserves-gt*. %abbrev nat`plus-preserves-gt = plus-preserves-gt. %abbrev nat`plus-right-cancels-gt = plus-right-cancels-gt. %abbrev nat`plus-implies-gt = plus-implies-gt. %abbrev nat`plus-gt-contradiction = plus-gt-contradiction. %abbrev nat`false-implies-times = false-implies-times. %abbrev nat`times-respects-eq = times-respects-eq. %abbrev nat`times-total* = times-total*. %abbrev nat`times-total = times-total. %abbrev nat`times-deterministic = times-deterministic. %abbrev nat`times-left-identity = times-left-identity. %abbrev nat`times-right-identity = times-right-identity. %abbrev nat`times-right-zero = times-right-zero. %abbrev nat`times-preserves-positive = times-preserves-positive. %abbrev nat`times-preserves-positive* = times-preserves-positive*. %abbrev nat`times-positive-implies-positive = times-positive-implies-positive. %abbrev nat`times-left-increase = times-left-increase. %abbrev nat`times-right-increase = times-right-increase. %abbrev nat`times-left-decrease = times-left-decrease. %abbrev nat`times-right-decrease = times-right-decrease. %abbrev nat`times-commutative = times-commutative. %abbrev nat`times-right-distributes-over-plus = times-right-distributes-over-plus. %abbrev nat`times-right-distributes-over-plus* = times-right-distributes-over-plus*. %abbrev nat`times-left-distributes-over-plus* = times-left-distributes-over-plus*. %abbrev nat`times-left-distributes-over-plus = times-left-distributes-over-plus. %abbrev nat`times-right-factors-over-plus = times-right-factors-over-plus. 
%abbrev nat`times-right-factors-over-plus* = times-right-factors-over-plus*. %abbrev nat`times-left-factors-over-plus = times-left-factors-over-plus. %abbrev nat`times-left-factors-over-plus* = times-left-factors-over-plus*. %abbrev nat`times-associative = times-associative. %abbrev nat`times-associative* = times-associative*. %abbrev nat`times-associative-converse = times-associative-converse. %abbrev nat`times-associative-converse* = times-associative-converse*. %abbrev nat`times-assoc-commutative* = times-assoc-commutative*. %abbrev nat`times-assoc-commutative = times-assoc-commutative. %abbrev nat`times-double-associative* = times-double-associative*. %abbrev nat`times-double-associative = times-double-associative. %abbrev nat`times-right-cancels = times-right-cancels. %abbrev nat`times-right-cancels* = times-right-cancels*. %abbrev nat`times-right-cancels** = times-right-cancels**. %abbrev nat`times-left-cancels = times-left-cancels. %abbrev nat`times-left-cancels* = times-left-cancels*. %abbrev nat`times-left-preserves-gt = times-left-preserves-gt. %abbrev nat`times-left-preserves-gt* = times-left-preserves-gt*. %abbrev nat`times-right-preserves-gt = times-right-preserves-gt. %abbrev nat`times-right-preserves-gt* = times-right-preserves-gt*. %abbrev nat`times-preserves-gt = times-preserves-gt. %abbrev nat`times-right-cancels-gt = times-right-cancels-gt. %abbrev nat`times-left-cancels-gt = times-left-cancels-gt. %abbrev nat`minus = minus. %abbrev nat`false-implies-minus = false-implies-minus. %abbrev nat`minus-respects-eq = minus-respects-eq. %abbrev nat`minus-deterministic = minus-deterministic. %abbrev nat`plus-associates-with-minus* = plus-associates-with-minus*. %abbrev nat`plus-associates-with-minus-converse* = plus-associates-with-minus-converse*. %abbrev nat`plus-associates-with-minus-converse = plus-associates-with-minus-converse. %abbrev nat`minus-associates-from-plus* = minus-associates-from-plus*. 
%abbrev nat`minus-associates-from-plus-converse* = minus-associates-from-plus-converse*. %abbrev nat`minus-associates-to-plus* = minus-associates-to-plus*. %abbrev nat`minus-associates-to-plus = minus-associates-to-plus. %abbrev nat`minus-associates-to-plus-converse* = minus-associates-to-plus-converse*. %abbrev nat`minus-associates-to-plus-converse = minus-associates-to-plus-converse. %abbrev nat`minus-is-zero-implies-eq = minus-is-zero-implies-eq. %abbrev nat`minus-implies-gt = minus-implies-gt. %abbrev nat`minus-left-cancels = minus-left-cancels. %abbrev nat`minus-right-cancels = minus-right-cancels. %abbrev nat`minus-left-inverts-gt* = minus-left-inverts-gt*. %abbrev nat`minus-right-preserves-gt* = minus-right-preserves-gt*. %abbrev nat`minus-left-cancels-inverts-gt = minus-left-cancels-inverts-gt. %abbrev nat`minus-right-cancels-gt = minus-right-cancels-gt. %abbrev nat`times-right-distributes-over-minus = times-right-distributes-over-minus. %abbrev nat`times-right-distributes-over-minus* = times-right-distributes-over-minus*. %abbrev nat`times-left-distributes-over-minus* = times-left-distributes-over-minus*. %abbrev nat`times-left-distributes-over-minus = times-left-distributes-over-minus. %abbrev nat`times-right-factors-over-minus* = times-right-factors-over-minus*. %abbrev nat`times-left-factors-over-minus* = times-left-factors-over-minus*. %abbrev nat`times-right-factors-over-minus = times-right-factors-over-minus. %abbrev nat`times-left-factors-over-minus = times-left-factors-over-minus. %abbrev nat`ge = ge. %abbrev nat`ge/= = ge/=. %abbrev nat`ge/> = ge/>. %abbrev nat`false-implies-ge = false-implies-ge. %abbrev nat`ge-respects-eq = ge-respects-eq. %abbrev nat`ge-reflexive = ge-reflexive. %abbrev nat`ge-transitive = ge-transitive. %abbrev nat`ge-anti-symmetric = ge-anti-symmetric. %abbrev nat`ge-transitive-gt = ge-transitive-gt. %abbrev nat`gt-transitive-ge = gt-transitive-ge. %abbrev nat`meta-ge = meta-ge. 
%abbrev nat`succ-preserves-ge = succ-preserves-ge. %abbrev nat`succ-preserves-ge-converse = succ-preserves-ge-converse. %abbrev nat`ge-succ-implies-gt = ge-succ-implies-gt. %abbrev nat`ge-implies-succ-gt = ge-implies-succ-gt. %abbrev nat`succ-gt-implies-ge = succ-gt-implies-ge. %abbrev nat`gt-implies-ge-succ = gt-implies-ge-succ. %abbrev nat`ge-implies-plus = ge-implies-plus. %abbrev nat`plus-implies-ge = plus-implies-ge. %abbrev nat`ge-zero-always = ge-zero-always. %abbrev nat`nonzero-times-implies-ge = nonzero-times-implies-ge. %abbrev nat`times-nonzero-implies-ge = times-nonzero-implies-ge. %abbrev nat`non-trivial-times-implies-much-gt* = non-trivial-times-implies-much-gt*. %abbrev nat`non-trivial-times-implies-much-gt = non-trivial-times-implies-much-gt. %abbrev nat`plus-left-preserves-ge* = plus-left-preserves-ge*. %abbrev nat`plus-left-cancels-ge = plus-left-cancels-ge. %abbrev nat`plus-left-preserves-ge = plus-left-preserves-ge. %abbrev nat`plus-right-preserves-ge* = plus-right-preserves-ge*. %abbrev nat`plus-right-preserves-ge = plus-right-preserves-ge. %abbrev nat`plus-preserves-ge* = plus-preserves-ge*. %abbrev nat`plus-preserves-ge = plus-preserves-ge. %abbrev nat`plus-right-cancels-ge = plus-right-cancels-ge. %abbrev nat`times-left-preserves-ge* = times-left-preserves-ge*. %abbrev nat`times-left-preserves-ge = times-left-preserves-ge. %abbrev nat`times-right-preserves-ge* = times-right-preserves-ge*. %abbrev nat`times-right-preserves-ge = times-right-preserves-ge. %abbrev nat`ne = ne. %abbrev nat`ne/< = ne/<. %abbrev nat`ne/> = ne/>. %abbrev nat`eq? = eq?. %abbrev nat`eq?/yes = eq?/yes. %abbrev nat`eq?/no = eq?/no. %abbrev nat`false-implies-ne = false-implies-ne. %abbrev nat`ne-respects-eq = ne-respects-eq. %abbrev nat`ne-anti-reflexive = ne-anti-reflexive. %abbrev nat`ne-symmetric = ne-symmetric. %abbrev nat`eq-ne-implies-false = eq-ne-implies-false. %abbrev nat`ge-ne-implies-gt = ge-ne-implies-gt. %abbrev nat`eq?-total* = eq?-total*. 
%abbrev nat`eq?-total*/L = eq?-total*/L. %abbrev nat`eq?-total = eq?-total. %abbrev nat`succ-preserves-ne = succ-preserves-ne. %abbrev nat`succ-preserves-ne-converse = succ-preserves-ne-converse. %abbrev nat`plus-left-preserves-ne* = plus-left-preserves-ne*. %abbrev nat`plus-left-cancels-ne = plus-left-cancels-ne. %abbrev nat`plus-left-preserves-ne = plus-left-preserves-ne. %abbrev nat`plus-right-preserves-ne* = plus-right-preserves-ne*. %abbrev nat`plus-right-preserves-ne = plus-right-preserves-ne. %abbrev nat`plus-right-cancels-ne = plus-right-cancels-ne. %abbrev nat`lt = lt. %abbrev nat`false-implies-lt = false-implies-lt. %abbrev nat`lt-respects-eq = lt-respects-eq. %abbrev nat`lt-anti-symmetric = lt-anti-symmetric. %abbrev nat`lt-transitive = lt-transitive. %abbrev nat`lt-anti-reflexive = lt-anti-reflexive. %abbrev nat`plus-left-preserves-lt* = plus-left-preserves-lt*. %abbrev nat`plus-left-cancels-lt = plus-left-cancels-lt. %abbrev nat`plus-left-preserves-lt = plus-left-preserves-lt. %abbrev nat`plus-right-preserves-lt* = plus-right-preserves-lt*. %abbrev nat`plus-right-preserves-lt = plus-right-preserves-lt. %abbrev nat`plus-preserves-lt* = plus-preserves-lt*. %abbrev nat`plus-preserves-lt = plus-preserves-lt. %abbrev nat`plus-right-cancels-lt = plus-right-cancels-lt. %abbrev nat`le = le. %abbrev nat`false-implies-le = false-implies-le. %abbrev nat`le-respects-eq = le-respects-eq. %abbrev nat`le-anti-symmetric = le-anti-symmetric. %abbrev nat`le-transitive = le-transitive. %abbrev nat`le-reflexive = le-reflexive. %abbrev nat`le-transitive-lt = le-transitive-lt. %abbrev nat`lt-transitive-le = lt-transitive-le. %abbrev nat`plus-left-preserves-le* = plus-left-preserves-le*. %abbrev nat`plus-left-cancels-le = plus-left-cancels-le. %abbrev nat`plus-left-preserves-le = plus-left-preserves-le. %abbrev nat`plus-right-preserves-le* = plus-right-preserves-le*. %abbrev nat`plus-right-preserves-le = plus-right-preserves-le. 
%abbrev nat`plus-preserves-le* = plus-preserves-le*. %abbrev nat`plus-preserves-le = plus-preserves-le. %abbrev nat`plus-right-cancels-le = plus-right-cancels-le. %abbrev nat`times-left-preserves-le* = times-left-preserves-le*. %abbrev nat`times-left-preserves-le = times-left-preserves-le. %abbrev nat`times-right-preserves-le* = times-right-preserves-le*. %abbrev nat`times-right-preserves-le = times-right-preserves-le. %abbrev nat`times-preserves-le* = times-preserves-le*. %abbrev nat`times-preserves-le = times-preserves-le. %abbrev nat`minus-left-inverts-ge* = minus-left-inverts-ge*. %abbrev nat`minus-right-preserves-ge* = minus-right-preserves-ge*. %abbrev nat`minus-left-cancels-inverts-ge = minus-left-cancels-inverts-ge. %abbrev nat`minus-right-cancels-ge = minus-right-cancels-ge. %abbrev nat`minus-left-preserves-ne* = minus-left-preserves-ne*. %abbrev nat`minus-right-preserves-ne* = minus-right-preserves-ne*. %abbrev nat`minus-left-cancels-ne = minus-left-cancels-ne. %abbrev nat`minus-right-cancels-ne = minus-right-cancels-ne. %abbrev nat`minus-left-inverts-lt* = minus-left-inverts-lt*. %abbrev nat`minus-right-preserves-lt* = minus-right-preserves-lt*. %abbrev nat`minus-left-cancels-inverts-lt = minus-left-cancels-inverts-lt. %abbrev nat`minus-right-cancels-lt = minus-right-cancels-lt. %abbrev nat`minus-left-inverts-le* = minus-left-inverts-le*. %abbrev nat`minus-right-preserves-le* = minus-right-preserves-le*. %abbrev nat`minus-left-cancels-inverts-le = minus-left-cancels-inverts-le. %abbrev nat`minus-right-cancels-le = minus-right-cancels-le. %abbrev nat`divrem = divrem. %abbrev nat`divrem/z = divrem/z. %abbrev nat`divrem/s = divrem/s. %abbrev nat`false-implies-divrem = false-implies-divrem. %abbrev nat`divrem-respects-eq = divrem-respects-eq. %abbrev nat`divrem-total** = divrem-total**. %abbrev nat`divrem-total* = divrem-total*. %abbrev nat`divrem-total = divrem-total. %abbrev nat`divrem-deterministic = divrem-deterministic. 
%abbrev nat`divrem-implies-positive = divrem-implies-positive. %abbrev nat`divrem-implies-gt = divrem-implies-gt. %abbrev nat`divrem-contradiction = divrem-contradiction. %abbrev nat`divrem-can-be-inverted = divrem-can-be-inverted. %abbrev nat`div-can-be-inverted = div-can-be-inverted. %abbrev nat`divrem-can-be-constructed = divrem-can-be-constructed. %abbrev nat`div-can-be-constructed = div-can-be-constructed. %abbrev nat`remainder-implies-gt-quotient = remainder-implies-gt-quotient. %abbrev nat`quotient-of-nonzero-is-smaller = quotient-of-nonzero-is-smaller. %abbrev nat`quotient-is-no-greater = quotient-is-no-greater. %abbrev nat`min = min. %abbrev nat`min/= = min/=. %abbrev nat`min/> = min/>. %abbrev nat`min/< = min/<. %abbrev nat`max = max. %abbrev nat`max/= = max/=. %abbrev nat`max/> = max/>. %abbrev nat`max/< = max/<. %abbrev nat`false-implies-min = false-implies-min. %abbrev nat`min-respects-eq = min-respects-eq. %abbrev nat`min-total** = min-total**. %abbrev nat`min-total* = min-total*. %abbrev nat`min-total = min-total. %abbrev nat`min-deterministic = min-deterministic. %abbrev nat`min-commutative = min-commutative. %abbrev nat`ge-implies-min = ge-implies-min. %abbrev nat`le-implies-min = le-implies-min. %abbrev nat`min-implies-ge = min-implies-ge. %abbrev nat`min-left-preserves-ge* = min-left-preserves-ge*. %abbrev nat`min-left-preserves-le* = min-left-preserves-le*. %abbrev nat`min-left-preserves-ge = min-left-preserves-ge. %abbrev nat`min-right-preserves-ge* = min-right-preserves-ge*. %abbrev nat`min-right-preserves-ge = min-right-preserves-ge. %abbrev nat`min-preserves-ge* = min-preserves-ge*. %abbrev nat`min-preserves-ge = min-preserves-ge. %abbrev nat`min-left-preserves-le = min-left-preserves-le. %abbrev nat`min-right-preserves-le* = min-right-preserves-le*. %abbrev nat`min-right-preserves-le = min-right-preserves-le. %abbrev nat`min-preserves-le* = min-preserves-le*. %abbrev nat`min-preserves-le = min-preserves-le. 
%abbrev nat`min-is-glb = min-is-glb. %abbrev nat`min-associative = min-associative. %abbrev nat`min-associative* = min-associative*. %abbrev nat`min-associative-converse = min-associative-converse. %abbrev nat`min-associative-converse* = min-associative-converse*. %abbrev nat`min-assoc-commutative* = min-assoc-commutative*. %abbrev nat`min-assoc-commutative = min-assoc-commutative. %abbrev nat`min-double-associative* = min-double-associative*. %abbrev nat`min-double-associative = min-double-associative. %abbrev nat`false-implies-max = false-implies-max. %abbrev nat`max-respects-eq = max-respects-eq. %abbrev nat`max-total** = max-total**. %abbrev nat`max-total* = max-total*. %abbrev nat`max-total = max-total. %abbrev nat`max-deterministic = max-deterministic. %abbrev nat`max-commutative = max-commutative. %abbrev nat`ge-implies-max = ge-implies-max. %abbrev nat`le-implies-max = le-implies-max. %abbrev nat`max-implies-ge = max-implies-ge. %abbrev nat`max-is-lub = max-is-lub. %abbrev nat`max-left-preserves-ge* = max-left-preserves-ge*. %abbrev nat`max-left-preserves-le* = max-left-preserves-le*. %abbrev nat`max-left-preserves-ge = max-left-preserves-ge. %abbrev nat`max-right-preserves-ge* = max-right-preserves-ge*. %abbrev nat`max-right-preserves-ge = max-right-preserves-ge. %abbrev nat`max-preserves-ge* = max-preserves-ge*. %abbrev nat`max-preserves-ge = max-preserves-ge. %abbrev nat`max-left-preserves-le = max-left-preserves-le. %abbrev nat`max-right-preserves-le* = max-right-preserves-le*. %abbrev nat`max-right-preserves-le = max-right-preserves-le. %abbrev nat`max-preserves-le* = max-preserves-le*. %abbrev nat`max-preserves-le = max-preserves-le. %abbrev nat`max-associative = max-associative. %abbrev nat`max-associative* = max-associative*. %abbrev nat`max-associative-converse = max-associative-converse. %abbrev nat`max-associative-converse* = max-associative-converse*. %abbrev nat`max-assoc-commutative* = max-assoc-commutative*. 
%%% Tail of the nat` re-export list (min/max lemmas).
%abbrev nat`max-assoc-commutative = max-assoc-commutative.
%abbrev nat`max-double-associative* = max-double-associative*.
%abbrev nat`max-double-associative = max-double-associative.
%abbrev nat`min-right-distributes-over-max = min-right-distributes-over-max.
%abbrev nat`max-right-distributes-over-min = max-right-distributes-over-min.
%abbrev nat`min-right-distributes-over-max* = min-right-distributes-over-max*.
%abbrev nat`min-left-distributes-over-max* = min-left-distributes-over-max*.
%abbrev nat`min-left-distributes-over-max = min-left-distributes-over-max.
%abbrev nat`min-right-factors-over-max = min-right-factors-over-max.
%abbrev nat`min-right-factors-over-max* = min-right-factors-over-max*.
%abbrev nat`min-left-factors-over-max = min-left-factors-over-max.
%abbrev nat`min-left-factors-over-max* = min-left-factors-over-max*.
%abbrev nat`max-right-distributes-over-min* = max-right-distributes-over-min*.
%abbrev nat`max-left-distributes-over-min* = max-left-distributes-over-min*.
%abbrev nat`max-left-distributes-over-min = max-left-distributes-over-min.
%abbrev nat`max-right-factors-over-min = max-right-factors-over-min.
%abbrev nat`max-right-factors-over-min* = max-right-factors-over-min*.
%abbrev nat`max-left-factors-over-min = max-left-factors-over-min.
%abbrev nat`max-left-factors-over-min* = max-left-factors-over-min*.
%abbrev nat`succ-preserves-min = succ-preserves-min.
%abbrev nat`succ-preserves-min-converse = succ-preserves-min-converse.
%abbrev nat`succ-preserves-max = succ-preserves-max.
%abbrev nat`succ-preserves-max-converse = succ-preserves-max-converse.

%{| hidden = true }%
% contents included from ../library/natpair.elf
%%%%% natpair.elf
%%%%% Pairs of natural numbers
%%%%% John Boyland

%%%% Functor use
%%%%% pair.elf
%%%%% a pseudo-functor
%%%%% John Boyland

%%%% Definitions
%%% A pair of nats, with the same eq / ne / eq? interface the nat signature
%%% exposes.  Unqualified eq, ne and eq? from here on refer to pairs; the nat
%%% versions are reached through the nat` prefix.
pair : type.
pair/ : nat -> nat -> pair.

%%% eq is syntactic identity.
eq : pair -> pair -> type.
eq/ : eq P P.

%%% ne: two pairs differ if their first components differ (ne/1) or their
%%% second components differ (ne/2); the witness records which.
ne : pair -> pair -> type.
ne/1 : ne (pair/ X1 Y1) (pair/ X2 Y2) <- nat`ne X1 X2.
ne/2 : ne (pair/ X1 Y1) (pair/ X2 Y2) <- nat`ne Y1 Y2.

%%% Decidable equality: eq? P1 P2 B with B = true iff the pairs are equal;
%%% the false case carries a ne witness.
eq? : pair -> pair -> bool -> type.
eq?/yes : eq? P P true.
eq?/no : eq? P1 P2 false <- ne P1 P2.

%%%% Theorems

%%% theorems about eq
%%% These are the generic pseudo-functor lemmas: since eq/ is the only
%%% constructor, each is proved by matching eq/ and producing eq/.
%theorem false-implies-eq : forall* {X1} {X2} forall {F:void} exists {E:eq X1 X2} true.
%worlds () (false-implies-eq _ _).
%total { } (false-implies-eq _ _).

%theorem meta-eq : forall {X1} {X2} {E:eq X1 X2} true.
- : meta-eq _ _ eq/.
%worlds () (meta-eq _ _ _).
%total { } (meta-eq _ _ _).
%reduces X = Y (meta-eq X Y _).

%theorem eq-reflexive : forall {X} exists {E:eq X X} true.
- : eq-reflexive _ eq/.
%worlds () (eq-reflexive _ _).
%total { } (eq-reflexive _ _).

%theorem eq-symmetric : forall* {X} {Y} forall {E:eq X Y} exists {F:eq Y X} true.
- : eq-symmetric (eq/) (eq/).
%worlds () (eq-symmetric _ _).
%total { } (eq-symmetric _ _).

%theorem eq-transitive : forall* {X} {Y} {Z} forall {E1:eq X Y} {E2:eq Y Z} exists {F:eq X Z} true.
- : eq-transitive (eq/) (eq/) (eq/).
%worlds () (eq-transitive _ _ _).
%total { } (eq-transitive _ _ _).

%%% Congruence between pair equality and componentwise nat`eq, in both
%%% directions.
%theorem pair-eq-implies-eq :
   forall* {D1a} {D1b} {D2a} {D2b}
   forall {E:eq (pair/ D1a D2a) (pair/ D1b D2b)}
   exists {E1:nat`eq D1a D1b} {E2:nat`eq D2a D2b}
   true.
- : pair-eq-implies-eq eq/ nat`eq/ nat`eq/.
%worlds () (pair-eq-implies-eq _ _ _).
%total { } (pair-eq-implies-eq _ _ _).

%theorem pair-preserves-eq :
   forall* {D1a} {D1b} {D2a} {D2b}
   forall {E1:nat`eq D1a D1b} {E2:nat`eq D2a D2b}
   exists {E:eq (pair/ D1a D2a) (pair/ D1b D2b)}
   true.
- : pair-preserves-eq nat`eq/ nat`eq/ eq/.
%worlds () (pair-preserves-eq _ _ _).
%total { } (pair-preserves-eq _ _ _).

%%% theorems about ne
%%% Each ne lemma dispatches on ne/1 vs ne/2 and defers to the nat lemma on
%%% the component that differs.
%theorem false-implies-ne : forall* {X1} {X2} forall {F:void} exists {G:ne X1 X2} true.
%worlds () (false-implies-ne _ _).
%total { } (false-implies-ne _ _).

%theorem ne-respects-eq :
   forall* {X1} {X2} {Y1} {Y2}
   forall {D1:ne X1 X2} {E1:eq X1 Y1} {E2:eq X2 Y2}
   exists {D2:ne Y1 Y2}
   true.
- : ne-respects-eq X1<>X2 eq/ eq/ X1<>X2.
%worlds () (ne-respects-eq _ _ _ _).
%total { } (ne-respects-eq _ _ _ _).

%theorem ne-anti-reflexive : forall* {P} forall {R:ne P P} exists {F:void} true.
- : ne-anti-reflexive (ne/1 X<>X) F <- nat`ne-anti-reflexive X<>X F.
- : ne-anti-reflexive (ne/2 Y<>Y) F <- nat`ne-anti-reflexive Y<>Y F.
%worlds () (ne-anti-reflexive _ _).
%total { } (ne-anti-reflexive _ _).

%theorem ne-symmetric : forall* {P1} {P2} forall {R1:ne P1 P2} exists {R2:ne P2 P1} true.
- : ne-symmetric (ne/1 X1<>X2) (ne/1 X2<>X1) <- nat`ne-symmetric X1<>X2 X2<>X1.
- : ne-symmetric (ne/2 Y1<>Y2) (ne/2 Y2<>Y1) <- nat`ne-symmetric Y1<>Y2 Y2<>Y1.
%worlds () (ne-symmetric _ _).
%total { } (ne-symmetric _ _).

%theorem eq-ne-implies-false : forall* {P1} {P2} forall {D1:eq P1 P2} {D2:ne P1 P2} exists {F:void} true.
- : eq-ne-implies-false eq/ X<>X F <- ne-anti-reflexive X<>X F.
%worlds () (eq-ne-implies-false _ _ _).
%total { } (eq-ne-implies-false _ _ _).

%%% theorems about eq?
%%% Equality of pairs is decided by deciding each component with
%%% nat`eq?-total and combining the two answers in the lemma eq?-total*/L:
%%% both yes gives eq?/yes; a no on either component gives eq?/no with the
%%% matching ne/1 or ne/2 witness.
%theorem eq?-total* : forall {P1} {P2} exists {B} {T:eq? P1 P2 B} true.

%theorem eq?-total*/L :
   forall* {X1} {Y1} {X2} {Y2} {B1} {B2}
   forall {T1:nat`eq? X1 Y1 B1} {T2:nat`eq? X2 Y2 B2}
   exists {B} {T:eq? (pair/ X1 X2) (pair/ Y1 Y2) B}
   true.
- : eq?-total*/L (nat`eq?/yes) (nat`eq?/yes) _ (eq?/yes).
- : eq?-total*/L (nat`eq?/no X1<>Y1) _ _ (eq?/no (ne/1 X1<>Y1)).
- : eq?-total*/L _ (nat`eq?/no X2<>Y2) _ (eq?/no (ne/2 X2<>Y2)).
%worlds () (eq?-total*/L _ _ _ _).
%total { } (eq?-total*/L _ _ _ _).

- : eq?-total* _ _ _ T
    <- nat`eq?-total E?1
    <- nat`eq?-total E?2
    <- eq?-total*/L E?1 E?2 _ T.
%worlds () (eq?-total* _ _ _ _).
%total { } (eq?-total* _ _ _ _).
%abbrev eq?-total = eq?-total* _ _ _.

%%%% Definitions
%%% local abbreviations:
%%% Small closed derivations about the constants 1, 2 and 4 used by the
%%% encoding proofs below (2>0 feeds divrem/z, 2*2=4 feeds
%%% times-right-cancels-gt).
%abbrev ssN>N = (gt/> gt/1).
%abbrev 2>0 : gt (s (s z)) z = ssN>N.
%abbrev 1*N=N = (times/s times/z plus/z).
%abbrev 1*2=2 : times (s z) (s (s z)) (s (s z)) = 1*N=N.
%abbrev 2*2=4 = (times/s 1*N=N (plus/s (plus/s plus/z))).
%abbrev 2+1=3 : plus (s (s z)) (s z) (s (s (s z))) = (plus/s (plus/s plus/z)).
%%% mapping from a pair to a nat pair2nat : pair -> nat -> type. pair2nat/00 : pair2nat (pair/ z z) z. pair2nat/XX : plus Z3 Y0 Z -> plus Z2 X2 Z3 -> times X0 (s (s z)) X2 -> times Z1 (s (s (s (s z)))) Z2 -> pair2nat (pair/ X1 Y1) Z1 -> divrem Y (s (s z)) Y1 Y0 -> divrem X (s (s z)) X1 X0 -> pair2nat (pair/ X Y) Z. %%% mapping from a nat to pair %abbrev nat2pair : nat -> pair -> type = [N] [P] pair2nat P N. %%%% Theorems %theorem false-implies-pair2nat : forall* {P} {N} forall {F:void} exists {P2N:pair2nat P N} true. %worlds () (false-implies-pair2nat _ _). %total { } (false-implies-pair2nat _ _). %abbrev false-implies-not2pair = false-implies-pair2nat. %theorem pair2nat-respects-eq : forall* {P1} {N1} {P2} {N2} forall {D1:pair2nat P1 N1} {EP:eq P1 P2} {EN:nat`eq N1 N2} exists {D2:pair2nat P2 N2} true. - : pair2nat-respects-eq P2N eq/ nat`eq/ P2N. %worlds () (pair2nat-respects-eq _ _ _ _). %total { } (pair2nat-respects-eq _ _ _ _). %reduces D1 = D2 (pair2nat-respects-eq D1 _ _ D2). %abbrev nat2pair-respects-eq : (nat2pair N1 P1) -> (nat`eq N1 N2) -> (eq P1 P2) -> (nat2pair N2 P2) -> type = [D1] [EN] [EP] [D2] pair2nat-respects-eq D1 EP EN D2. %theorem pair2nat-total** : forall {X:nat} {Y:nat} exists {Z} {P2N:pair2nat (pair/ X Y) Z} true. - : pair2nat-total** z z z pair2nat/00. - : pair2nat-total** (s X-) Y Z (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2 (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0) <- divrem-total X/2=X1,X0 <- divrem-total Y/2=Y1,Y0 <- quotient-of-nonzero-is-smaller X/2=X1,X0 nat`eq/ X>X1 <- quotient-is-no-greater Y/2=Y1,Y0 Y>=Y1 <- meta-gt _ _ X>X1 <- meta-ge _ _ Y>=Y1 <- pair2nat-total** _ _ _ P2N <- times-total Z1*4=Z2 <- times-total X0*2=X2 <- plus-total Z2+X2=Z3 <- plus-total Z3+Y0=Z. 
- : pair2nat-total** X (s Y-) Z (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2 (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0) <- divrem-total X/2=X1,X0 <- divrem-total Y/2=Y1,Y0 <- quotient-is-no-greater X/2=X1,X0 X>=X1 <- quotient-of-nonzero-is-smaller Y/2=Y1,Y0 nat`eq/ Y>Y1 <- meta-ge _ _ X>=X1 <- meta-gt _ _ Y>Y1 <- pair2nat-total** _ _ _ P2N <- times-total Z1*4=Z2 <- times-total X0*2=X2 <- plus-total Z2+X2=Z3 <- plus-total Z3+Y0=Z. %worlds () (pair2nat-total** _ _ _ _). %total [X Y] (pair2nat-total** X Y _ _). %theorem pair2nat-total* : forall {P:pair} exists {N:nat} {P2N:pair2nat P N} true. - : pair2nat-total* (pair/ X Y) Z P2N <- pair2nat-total** X Y Z P2N. %worlds () (pair2nat-total* _ _ _). %total { } (pair2nat-total* _ _ _). %abbrev pair2nat-total = pair2nat-total* _ _. %theorem nat2pair-total* : forall {N:nat} exists {P:pair} {N2P:nat2pair N P} true. - : nat2pair-total* z (pair/ z z) (pair2nat/00). - : nat2pair-total* (s Z-) (pair/ X Y) (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2 (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0) <- divrem-total Z/4=Z1,R <- divrem-implies-gt Z/4=Z1,R FOUR>R <- divrem-can-be-inverted Z/4=Z1,R Z2 Z1*4=Z2 Z2+R=Z <- divrem-total R/2=X0,Y0 <- divrem-implies-gt R/2=X0,Y0 TWO>Y0 <- divrem-can-be-inverted R/2=X0,Y0 X2 X0*2=X2 X2+Y0=R <- plus-associative-converse X2+Y0=R Z2+R=Z Z3 Z2+X2=Z3 Z3+Y0=Z % now we need to get 2>X0 <- plus-commutative X2+Y0=R Y0+X2=R <- plus-implies-ge Y0+X2=R R>=X2 <- gt-transitive-ge FOUR>R R>=X2 FOUR>X2 <- times-right-cancels-gt 2*2=4 X0*2=X2 nat`eq/ FOUR>X2 TWO>X0 % now we need to prove Z>Z1 (for termination) <- quotient-of-nonzero-is-smaller Z/4=Z1,R nat`eq/ Z>Z1 <- meta-gt _ _ Z>Z1 <- nat2pair-total* Z1 (pair/ X1 Y1) P2N <- times-total X1*2=XE <- times-total Y1*2=YE <- plus-total XE+X0=X <- plus-total YE+Y0=Y <- divrem-can-be-constructed X1*2=XE XE+X0=X TWO>X0 X/2=X1,X0 <- divrem-can-be-constructed Y1*2=YE YE+Y0=Y TWO>Y0 Y/2=Y1,Y0. %worlds () (nat2pair-total* _ _ _). 
%% Termination of nat2pair-total* is by the code Z, using the Z > Z1 fact
%% exposed via meta-gt in the recursive case.
%total (Z) (nat2pair-total* Z _ _).
%% The two %reduces declarations below are commented out and hence unchecked.
%% NOTE(review): the second names pair2nat-total*, whose first argument is a
%% pair and whose second is a nat, but is written with the nat first; if it is
%% ever re-enabled it presumably should read nat2pair-total* like the first.
% %reduces X <= N (nat2pair-total* N (pair/ X _) _).
% %reduces Y <= N (pair2nat-total* N (pair/ _ Y) _).
%abbrev nat2pair-total = nat2pair-total* _ _.
%% pair2nat is a function: equal pairs have equal codes.  Induction on D1; the
%% cases involving pair2nat/00 go through the /00 lemma below, the /XX-/XX case
%% is in the next clause group.
%theorem pair2nat-deterministic : forall* {P1} {P2} {N1} {N2} forall {D1:pair2nat P1 N1} {D2:pair2nat P2 N2} {EP:eq P1 P2} exists {EN:nat`eq N1 N2} true.
- : pair2nat-deterministic pair2nat/00 pair2nat/00 eq/ nat`eq/.
% lemma
%% The code of (z,z) is z whichever rule derived it.  In the pair2nat/XX case
%% both divrems are of zero, so X1 = Y1 = X0 = Y0 = 0; the sub-derivation is
%% rewritten to a derivation for (z,z) (pair2nat-respects-eq) so that the
%% recursive call gives Z1 = 0, after which every product and sum collapses to 0.
%theorem pair2nat-deterministic/00 : forall* {Z} forall {P2N:pair2nat (pair/ z z) Z} exists {E:nat`eq Z z} true.
- : pair2nat-deterministic/00 pair2nat/00 nat`eq/.
- : pair2nat-deterministic/00 (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2 (P2N:pair2nat (pair/ X1 Y1) Z1) ZERO/2=Y1,Y0 ZERO/2=X1,X0) Z=0
    <- divrem-deterministic ZERO/2=X1,X0 (divrem/z 2>0) nat`eq/ nat`eq/ X1=0 X0=0
    <- divrem-deterministic ZERO/2=Y1,Y0 (divrem/z 2>0) nat`eq/ nat`eq/ Y1=0 Y0=0
    <- pair-preserves-eq X1=0 Y1=0 X1,Y1=0,0
    <- pair2nat-respects-eq P2N X1,Y1=0,0 nat`eq/ ZERO,ZERO->Z1
    <- pair2nat-deterministic/00 ZERO,ZERO->Z1 Z1=0
    <- times-deterministic Z1*4=Z2 times/z Z1=0 nat`eq/ Z2=0
    <- times-deterministic X0*2=X2 times/z X0=0 nat`eq/ X2=0
    <- plus-deterministic Z2+X2=Z3 plus/z Z2=0 X2=0 Z3=0
    <- plus-deterministic Z3+Y0=Z plus/z Z3=0 Y0=0 Z=0.
%worlds () (pair2nat-deterministic/00 _ _).
%total (D) (pair2nat-deterministic/00 D _).
%% Mixed cases of pair2nat-deterministic: one side is pair2nat/00, the other
%% arbitrary; both reduce to the lemma (one needs the equality flipped).
- : pair2nat-deterministic pair2nat/00 P2N eq/ ZERO=Z <- pair2nat-deterministic/00 P2N Z=0 <- nat`eq-symmetric Z=0 ZERO=Z.
- : pair2nat-deterministic P2N pair2nat/00 eq/ Z=0 <- pair2nat-deterministic/00 P2N Z=0.
%% pair2nat-deterministic, /XX vs /XX: the pair is the same on both sides, so
%% the two divrems agree (divrem-deterministic), the induction hypothesis on the
%% sub-derivations gives Z1 = Z1', and determinism of times and plus carries
%% the equality up to Z = Z'.
- : pair2nat-deterministic (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2 (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0) (pair2nat/XX Z3'+Y0'=Z' Z2'+X2'=Z3' X0'*2=X2' Z1'*4=Z2' (P2N':pair2nat (pair/ X1' Y1')Z1') Y/2=Y1',Y0' X/2=X1',X0') eq/ Z=Z'
    <- divrem-deterministic X/2=X1,X0 X/2=X1',X0' nat`eq/ nat`eq/ X1=X1' X0=X0'
    <- divrem-deterministic Y/2=Y1,Y0 Y/2=Y1',Y0' nat`eq/ nat`eq/ Y1=Y1' Y0=Y0'
    <- pair-preserves-eq X1=X1' Y1=Y1' X1,Y1=X1',Y1'
    <- pair2nat-deterministic P2N P2N' X1,Y1=X1',Y1' Z1=Z1'
    <- times-deterministic Z1*4=Z2 Z1'*4=Z2' Z1=Z1' nat`eq/ Z2=Z2'
    <- times-deterministic X0*2=X2 X0'*2=X2' X0=X0' nat`eq/ X2=X2'
    <- plus-deterministic Z2+X2=Z3 Z2'+X2'=Z3' Z2=Z2' X2=X2' Z3=Z3'
    <- plus-deterministic Z3+Y0=Z Z3'+Y0'=Z' Z3=Z3' Y0=Y0' Z=Z'.
%worlds () (pair2nat-deterministic _ _ _ _).
%total (D) (pair2nat-deterministic D _ _ _).
%% nat2pair is a function: equal codes decode to equal pairs, i.e. pair2nat is
%% injective.  Induction on D1; the zero code goes through the /0 lemma.
%theorem nat2pair-deterministic : forall* {P1} {P2} {N1} {N2} forall {D1:nat2pair N1 P1} {D2:nat2pair N2 P2} {EN:nat`eq N1 N2} exists {EP:eq P1 P2} true.
% lemma
%% Only (z,z) decodes to the code z, whichever rule derived it.
%theorem nat2pair-deterministic/0 : forall* {P} forall {D:nat2pair z P} exists {EP:eq P (pair/ z z)} true.
- : nat2pair-deterministic/0 pair2nat/00 eq/.
%% nat2pair-deterministic/0, pair2nat/XX case: a zero code forces Z3 = Y0 = 0,
%% then Z2 = X2 = 0, then X0 = 0 and Z1 = 0 (cancelling the *2 and *4).  The
%% sub-derivation is rewritten to a nat2pair z derivation so the recursive call
%% gives X1 = Y1 = 0, and inverting the divrems (X = 2*X1 + X0, Y = 2*Y1 + Y0)
%% shows X = Y = 0.
- : nat2pair-deterministic/0 (pair2nat/XX Z3+Y0=0 Z2+X2=Z3 X0*2=X2 Z1*4=Z2 (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0) X,Y=0,0
    <- plus-is-zero-implies-zero Z3+Y0=0 nat`eq/ Z3=0 Y0=0
    <- plus-is-zero-implies-zero Z2+X2=Z3 Z3=0 Z2=0 X2=0
    <- times-right-cancels X0*2=X2 times/z nat`eq/ X2=0 X0=0
    <- times-right-cancels Z1*4=Z2 times/z nat`eq/ Z2=0 Z1=0
    <- nat2pair-respects-eq P2N Z1=0 eq/ N2P
    <- nat2pair-deterministic/0 N2P X1,Y1=0,0
    <- pair-eq-implies-eq X1,Y1=0,0 X1=0 Y1=0
    <- divrem-can-be-inverted X/2=X1,X0 XM X1*2=XM XM+X0=X
    <- divrem-can-be-inverted Y/2=Y1,Y0 YM Y1*2=YM YM+Y0=Y
    <- times-deterministic X1*2=XM times/z X1=0 nat`eq/ XM=0
    <- times-deterministic Y1*2=YM times/z Y1=0 nat`eq/ YM=0
    <- plus-deterministic XM+X0=X plus/z XM=0 X0=0 X=0
    <- plus-deterministic YM+Y0=Y plus/z YM=0 Y0=0 Y=0
    <- pair-preserves-eq X=0 Y=0 X,Y=0,0.
%worlds () (nat2pair-deterministic/0 _ _).
%total (D) (nat2pair-deterministic/0 D _).
%% nat2pair-deterministic, both codes z (the lemma's input type fixes N1 = N2 = z):
%% both pairs are (z,z) by the lemma, hence equal to each other.
- : nat2pair-deterministic N2P N2P' nat`eq/ X,Y=X',Y'
    <- nat2pair-deterministic/0 N2P X,Y=0,0
    <- nat2pair-deterministic/0 N2P' X',Y'=0,0
    <- eq-symmetric X',Y'=0,0 ZERO,ZERO=X',Y'
    <- eq-transitive X,Y=0,0 ZERO,ZERO=X',Y' X,Y=X',Y'.
%% nat2pair-deterministic, /XX vs /XX with the same code Z on both sides.
%% Strategy: regroup Z = Z2 + R with R = 2*X0 + Y0 and show R < 4 (X0, Y0 < 2
%% from the divrem premises), so that Z2 = 4*Z1, R is a genuine division of Z
%% by 4; the same for the primed side; divrem-deterministic then gives
%% Z1 = Z1' and R = R'.  Dividing R by 2 the same way gives X0 = X0' and
%% Y0 = Y0'.  The induction hypothesis on the sub-derivations gives
%% X1 = X1', Y1 = Y1', and inverting the divrems rebuilds X = X' and Y = Y'.
- : nat2pair-deterministic (pair2nat/XX Z3+Y0=Z Z2+X2=Z3 X0*2=X2 Z1*4=Z2 (P2N:pair2nat (pair/ X1 Y1) Z1) Y/2=Y1,Y0 X/2=X1,X0) (pair2nat/XX Z3'+Y0'=Z Z2'+X2'=Z3' X0'*2=X2' Z1'*4=Z2' (P2N':pair2nat (pair/ X1' Y1') Z1') Y'/2=Y1',Y0' X'/2=X1',X0') nat`eq/ X,Y=X',Y'
    <- plus-associative Z2+X2=Z3 Z3+Y0=Z R X2+Y0=R Z2+R=Z
    <- divrem-implies-gt X/2=X1,X0 TWO>X0
    <- divrem-implies-gt Y/2=Y1,Y0 TWO>Y0
    <- succ-gt-implies-ge TWO>X0 ONE>=X0
    <- succ-gt-implies-ge TWO>Y0 ONE>=Y0
    <- times-right-preserves-ge* ONE>=X0 1*2=2 X0*2=X2 TWO>=X2
    <- plus-preserves-ge* TWO>=X2 ONE>=Y0 2+1=3 X2+Y0=R THREE>=R
    <- ge-implies-succ-gt THREE>=R FOUR>R
    <- divrem-can-be-constructed Z1*4=Z2 Z2+R=Z FOUR>R Z/4=Z1,R
    <- plus-associative Z2'+X2'=Z3' Z3'+Y0'=Z R' X2'+Y0'=R' Z2'+R'=Z
    <- divrem-implies-gt X'/2=X1',X0' TWO>X0'
    <- divrem-implies-gt Y'/2=Y1',Y0' TWO>Y0'
    <- succ-gt-implies-ge TWO>X0' ONE>=X0'
    <- succ-gt-implies-ge TWO>Y0' ONE>=Y0'
    <- times-right-preserves-ge* ONE>=X0' 1*2=2 X0'*2=X2' TWO>=X2'
    <- plus-preserves-ge* TWO>=X2' ONE>=Y0' 2+1=3 X2'+Y0'=R' THREE>=R'
    <- ge-implies-succ-gt THREE>=R' FOUR>R'
    <- divrem-can-be-constructed Z1'*4=Z2' Z2'+R'=Z FOUR>R' Z/4=Z1',R'
    <- divrem-deterministic Z/4=Z1,R Z/4=Z1',R' nat`eq/ nat`eq/ Z1=Z1' R=R'
    <- divrem-can-be-constructed X0*2=X2 X2+Y0=R TWO>Y0 R/2=X0,Y0
    <- divrem-can-be-constructed X0'*2=X2' X2'+Y0'=R' TWO>Y0' R'/2=X0',Y0'
    <- divrem-deterministic R/2=X0,Y0 R'/2=X0',Y0' R=R' nat`eq/ X0=X0' Y0=Y0'
    <- nat2pair-deterministic P2N P2N' Z1=Z1' X1,Y1=X1',Y1'
    <- pair-eq-implies-eq X1,Y1=X1',Y1' X1=X1' Y1=Y1'
    <- divrem-can-be-inverted X/2=X1,X0 XM X1*2=XM XM+X0=X
    <- divrem-can-be-inverted Y/2=Y1,Y0 YM Y1*2=YM YM+Y0=Y
    <- divrem-can-be-inverted X'/2=X1',X0' XM' X1'*2=XM' XM'+X0'=X'
    <- divrem-can-be-inverted Y'/2=Y1',Y0' YM' Y1'*2=YM' YM'+Y0'=Y'
    <- times-deterministic X1*2=XM X1'*2=XM' X1=X1' nat`eq/ XM=XM'
    <- plus-deterministic XM+X0=X XM'+X0'=X' XM=XM' X0=X0' X=X'
    <- times-deterministic Y1*2=YM Y1'*2=YM' Y1=Y1' nat`eq/ YM=YM'
    <- plus-deterministic YM+Y0=Y YM'+Y0'=Y' YM=YM' Y0=Y0' Y=Y'
    <- pair-preserves-eq X=X' Y=Y' X,Y=X',Y'.
%worlds () (nat2pair-deterministic _ _ _ _).
%total (D) (nat2pair-deterministic D _ _ _).
%% Distinct pairs have distinct codes (contrapositive of nat2pair-deterministic).
%% The /L lemma case-splits on a decision nat`eq? of the two codes: if they are
%% equal, nat2pair-deterministic forces the pairs equal, contradicting ne.
%theorem pair2nat-preserves-ne* : forall* {P1} {P2} {N1} {N2} forall {PNE: ne P1 P2} {T1:pair2nat P1 N1} {T2:pair2nat P2 N2} exists {NE: nat`ne N1 N2} true.
%theorem pair2nat-preserves-ne*/L : forall* {P1} {P2} {N1} {N2} {B} forall {PNE: ne P1 P2} {T1:pair2nat P1 N1} {T2:pair2nat P2 N2} {NT: nat`eq? N1 N2 B} exists {NE: nat`ne N1 N2} true.
- : pair2nat-preserves-ne* P1<>P2 P1->N1 P2->N2 N1<>N2 <- nat`eq?-total EQ? <- pair2nat-preserves-ne*/L P1<>P2 P1->N1 P2->N2 EQ? N1<>N2.
- : pair2nat-preserves-ne*/L _ _ _ (nat`eq?/no N1<>N2) N1<>N2.
- : pair2nat-preserves-ne*/L P1<>P2 P1->N P2->N (nat`eq?/yes) N<>N <- nat2pair-deterministic P1->N P2->N nat`eq/ P1=P2 <- eq-ne-implies-false P1=P2 P1<>P2 F <- nat`false-implies-ne F N<>N.
%worlds () (pair2nat-preserves-ne*/L _ _ _ _ _).
%total { } (pair2nat-preserves-ne*/L _ _ _ _ _).
%worlds () (pair2nat-preserves-ne* _ _ _ _).
%total { } (pair2nat-preserves-ne* _ _ _ _).
%% As above, but the two codes are produced (via pair2nat-total) rather than
%% taken as inputs.
%theorem pair2nat-preserves-ne : forall* {P1} {P2} forall {PNE: ne P1 P2} exists {N1} {N2} {T1:pair2nat P1 N1} {T2:pair2nat P2 N2} {NE: nat`ne N1 N2} true.
- : pair2nat-preserves-ne P1<>P2 N1 N2 T1 T2 N1<>N2 <- pair2nat-total T1 <- pair2nat-total T2 <- pair2nat-preserves-ne* P1<>P2 T1 T2 N1<>N2.
%worlds () (pair2nat-preserves-ne _ _ _ _ _ _).
%total { } (pair2nat-preserves-ne _ _ _ _ _ _).
%% Distinct codes decode to distinct pairs (contrapositive of
%% pair2nat-deterministic), with the same /L case split, now on eq? of the pairs.
%theorem nat2pair-preserves-ne* : forall* {P1} {P2} {N1} {N2} forall {NE: nat`ne N1 N2} {T1:nat2pair N1 P1} {T2:nat2pair N2 P2} exists {PNE: ne P1 P2} true.
%theorem nat2pair-preserves-ne*/L : forall* {P1} {P2} {N1} {N2} {B} forall {NE: nat`ne N1 N2} {T1:nat2pair N1 P1} {T2:nat2pair N2 P2} {PT: eq? P1 P2 B} exists {PNE: ne P1 P2} true.
- : nat2pair-preserves-ne* N1<>N2 N1->P1 N2->P2 P1<>P2 <- eq?-total EP? <- nat2pair-preserves-ne*/L N1<>N2 N1->P1 N2->P2 EP? P1<>P2.
- : nat2pair-preserves-ne*/L _ _ _ (eq?/no P1<>P2) P1<>P2.
%% nat2pair-preserves-ne*/L, equal-pairs case: pair2nat-deterministic forces the
%% codes equal, contradicting N1 <> N2.
- : nat2pair-preserves-ne*/L N1<>N2 N1->P N2->P (eq?/yes) P<>P <- pair2nat-deterministic N1->P N2->P eq/ N1=N2 <- nat`eq-ne-implies-false N1=N2 N1<>N2 F <- false-implies-ne F P<>P.
%worlds () (nat2pair-preserves-ne*/L _ _ _ _ _).
%total { } (nat2pair-preserves-ne*/L _ _ _ _ _).
%worlds () (nat2pair-preserves-ne* _ _ _ _).
%total { } (nat2pair-preserves-ne* _ _ _ _).
%% As above, producing the two pairs via nat2pair-total.
%theorem nat2pair-preserves-ne : forall* {N1} {N2} forall {NNE: nat`ne N1 N2} exists {P1} {P2} {T1:nat2pair N1 P1} {T2:nat2pair N2 P2} {PE: ne P1 P2} true.
- : nat2pair-preserves-ne N1<>N2 P1 P2 T1 T2 P1<>P2 <- nat2pair-total T1 <- nat2pair-total T2 <- nat2pair-preserves-ne* N1<>N2 T1 T2 P1<>P2.
%worlds () (nat2pair-preserves-ne _ _ _ _ _ _).
%total { } (nat2pair-preserves-ne _ _ _ _ _ _).
%% Size bound for decoding a nonzero code s N: the first component is strictly
%% below s N and the second is at most s N.  (The asymmetry comes from Y's low
%% bit being Z's low bit: the code 1 decodes to (0, 1).)
%% Case layout, as far as can be read from the patterns: the first two clauses
%% are the explicit small instances in which every arithmetic premise is a base
%% rule (plus/z, times/z, divrem/z), i.e. both quotients are zero; the next two
%% (following line) refute a derivation whose recursive sub-code is z but whose
%% sub-pair has a nonzero component; the last is the general recursive case.
%theorem nonzero-nat2pair-implies-gt-ge : forall* {N} {X} {Y} forall {D:nat2pair (s N) (pair/ X Y)} exists {G1: gt (s N) X} {G2: ge (s N) Y} true.
- : nonzero-nat2pair-implies-gt-ge (pair2nat/XX plus/z plus/z times/z times/z _ (divrem/z _) (divrem/z _)) N+1>0 (nat`ge/= nat`eq/) <- succ-implies-gt-zero _ N+1>0.
%% Here X0 = X = s X-1 with 2 > X, so (as the proof derives) X = 1, X2 = 2 and
%% the code is 2 + Y; the bound on X follows from s N >= X2 > X.
- : nonzero-nat2pair-implies-gt-ge (pair2nat/XX X2+Y=sN plus/z (times/s X-1*2=X2-2 X2-2+2=X2) times/z _ (divrem/z _) (divrem/z TWO>X)) N+1>X N+1>=Y
    <- plus-implies-ge X2+Y=sN (N+1>=Y:ge (s N) Y)
    <- succ-gt-implies-ge TWO>X ONE>=X
    <- ge-succ-implies-gt ONE>=X ONE>X-1
    <- succ-gt-implies-ge ONE>X-1 ZERO>=X-1
    <- ge-zero-always _ X-1>=0
    <- ge-anti-symmetric ZERO>=X-1 X-1>=0 ZERO=X-1
    <- succ-deterministic ZERO=X-1 ONE=X
    <- times-deterministic times/z X-1*2=X2-2 ZERO=X-1 nat`eq/ ZERO=X2-2
    <- plus-deterministic plus/z X2-2+2=X2 ZERO=X2-2 nat`eq/ TWO=X2
    <- gt-respects-eq (gt/1) TWO=X2 ONE=X X2>X
    <- plus-commutative X2+Y=sN Y+X2=sN
    <- plus-implies-ge Y+X2=sN N+1>=X2
    <- ge-transitive-gt N+1>=X2 X2>X N+1>X.
%% nonzero-nat2pair-implies-gt-ge, impossible cases: the recursive sub-code is z
%% but the sub-pair has a nonzero first (resp. second) component.  Comparing
%% against pair2nat/00 with nat2pair-deterministic yields z = s _, which
%% nat`eq-contradiction refutes; the outputs are then obtained ex falso.
- : nonzero-nat2pair-implies-gt-ge (pair2nat/XX _ _ _ _ (P2z:pair2nat (pair/ (s _) _) z) _ _) GT GE <- nat2pair-deterministic pair2nat/00 P2z nat`eq/ ZERO,0=sN,_ <- pair-eq-implies-eq ZERO,0=sN,_ ZERO=sN _ <- nat`eq-contradiction ZERO=sN F <- nat`false-implies-gt F GT <- nat`false-implies-ge F GE.
- : nonzero-nat2pair-implies-gt-ge (pair2nat/XX _ _ _ _ (P2z:pair2nat (pair/ _ (s _)) z) _ _) GT GE <- nat2pair-deterministic pair2nat/00 P2z nat`eq/ ZERO,0=_,sN <- pair-eq-implies-eq ZERO,0=_,sN _ ZERO=sN <- nat`eq-contradiction ZERO=sN F <- nat`false-implies-gt F GT <- nat`false-implies-ge F GE.
%% General case (the recursive call's type presumably forces the sub-code Z1 to
%% be a successor).  With Z2/2 = 2*Z1 and Z2 = 2*(Z2/2):
%%  - s N >= Z2, since Z2 is a summand of s N;
%%  - Z2/2 >= 2 (from Z1 >= 1), so non-trivial-times-implies-much-gt* gives
%%    Z2 > Z2/2 + 1 (written Z2 > sssZZ with Z2/2 = ssZZ);
%%  - the induction hypothesis Z1 > X1 gives Z2/2 > 2*X1, and X = 2*X1 + X0
%%    with X0 <= 1 gives Z2/2 >= X; hence Z2 > X and s N > X;
%%  - the Y bound is the same chain from Z1 >= Y1, and is returned strict
%%    (ge/> wraps it).
- : nonzero-nat2pair-implies-gt-ge (pair2nat/XX Z3+Y0=sN Z2+X2=Z3 X0*2=X2 Z1*4=Z2 Z1->X1,Y1 Y/2=Y1,Y0 X/2=X1,X0) N+1>X (ge/> N+1>Y)
    <- plus-commutative Z3+Y0=sN Y0+Z3=sN
    <- plus-implies-ge Y0+Z3=sN N+1>=Z3
    <- plus-commutative Z2+X2=Z3 X2+Z2=Z3
    <- plus-implies-ge X2+Z2=Z3 Z3>=Z2
    <- ge-transitive N+1>=Z3 Z3>=Z2 N+1>=Z2
    <- nonzero-nat2pair-implies-gt-ge Z1->X1,Y1 Z1>X1 Z1>=Y1
    <- times-associative-converse 2*2=4 Z1*4=Z2 Z2/2 Z1*2=Z2/2 Z2/2*2=Z2
    <- divrem-can-be-inverted Y/2=Y1,Y0 Y12 Y1*2=Y12 Y12+Y0=Y
    <- divrem-can-be-inverted X/2=X1,X0 X12 X1*2=X12 X12+X0=X
    <- times-right-preserves-gt* Z1>X1 Z1*2=Z2/2 X1*2=X12 nat`eq/ Z2/2>X12
    <- succ-implies-gt-zero _ Z1>0
    <- gt-implies-ge-succ Z1>0 Z1>=1
    <- times-right-preserves-ge* Z1>=1 Z1*2=Z2/2 1*2=2 Z2/2>=2
    <- ge-implies-plus Z2/2>=2 ZZ ZZ+2=Z2/2
    <- plus-commutative ZZ+2=Z2/2 TWO+ZZ=Z2/2
    <- plus-deterministic TWO+ZZ=Z2/2 (plus/s (plus/s plus/z)) nat`eq/ nat`eq/ Z2/2=ssZZ
    <- times-respects-eq Z2/2*2=Z2 Z2/2=ssZZ nat`eq/ nat`eq/ SSZZ*2=Z2
    <- non-trivial-times-implies-much-gt* SSZZ*2=Z2 Z2>sssZZ
    <- divrem-implies-gt X/2=X1,X0 TWO>X0
    <- succ-gt-implies-ge TWO>X0 ONE>=X0
    <- plus-right-identity _ X12+0=X12
    <- plus-right-increase X12+0=X12 X12+1=sX12
    <- plus-left-preserves-ge* ONE>=X0 X12+1=sX12 X12+X0=X SX12>=X
    <- gt-implies-ge-succ Z2/2>X12 Z2/2>=sX12
    <- ge-transitive Z2/2>=sX12 SX12>=X Z2/2>=X
    <- ge-respects-eq Z2/2>=X Z2/2=ssZZ nat`eq/ SSZZ>=X
    <- ge-implies-succ-gt SSZZ>=X SSSZZ>X
    <- gt-transitive Z2>sssZZ SSSZZ>X Z2>X
    <- ge-transitive-gt N+1>=Z2 Z2>X N+1>X
    <- times-right-preserves-ge* Z1>=Y1 Z1*2=Z2/2 Y1*2=Y12 Z2/2>=Y12
    <- ge-respects-eq Z2/2>=Y12 Z2/2=ssZZ nat`eq/ SSZZ>=Y12
    <- divrem-implies-gt Y/2=Y1,Y0 TWO>Y0
    <- succ-gt-implies-ge TWO>Y0 ONE>=Y0
    <- plus-right-identity _ Y12+0=Y12
    <- plus-right-increase Y12+0=Y12 Y12+1=sY12
    <- plus-left-preserves-ge* ONE>=Y0 Y12+1=sY12 Y12+Y0=Y SY12>=Y
    <- succ-preserves-ge SSZZ>=Y12 SSSZZ>=SY12
    <- ge-transitive SSSZZ>=SY12 SY12>=Y SSSZZ>=Y
    <- gt-transitive-ge Z2>sssZZ SSSZZ>=Y Z2>Y
    <- ge-transitive-gt N+1>=Z2 Z2>Y N+1>Y.
%worlds () (nonzero-nat2pair-implies-gt-ge _ _ _).
%total (N) (nonzero-nat2pair-implies-gt-ge N _ _).
%% Weakening of the previous theorem to every code, including z, whose pair is
%% (z,z) by nat2pair-deterministic against pair2nat/00.
%theorem nat2pair-implies-ge : forall* {N} {X} {Y} forall {D:nat2pair N (pair/ X Y)} exists {G1: ge N X} {G2: ge N Y} true.
- : nat2pair-implies-ge N2P (ge/> N>X) N>=Y <- nonzero-nat2pair-implies-gt-ge N2P N>X N>=Y.
- : nat2pair-implies-ge Z2P (ge/= ZERO=X) (ge/= ZERO=Y) <- nat2pair-deterministic pair2nat/00 Z2P nat`eq/ ZERO,ZERO=X,Y <- pair-eq-implies-eq ZERO,ZERO=X,Y ZERO=X ZERO=Y.
%worlds () (nat2pair-implies-ge _ _ _).
%total { } (nat2pair-implies-ge _ _ _).
%% With the first component fixed, the codes are unbounded: choosing the second
%% component N2 = s B gives a code N >= N2 > B.
%theorem constrained1-pair2nat-unbounded : forall {N1} {B} exists {N2} {N} {D:pair2nat (pair/ N1 N2) N} {G:gt N B} true.
- : constrained1-pair2nat-unbounded N1 B (s B) N N1,N2->N N>B <- pair2nat-total N1,N2->N <- nat2pair-implies-ge N1,N2->N N>=N1 N>=N2 <- ge-succ-implies-gt N>=N2 N>B.
%worlds () (constrained1-pair2nat-unbounded _ _ _ _ _ _).
%total { } (constrained1-pair2nat-unbounded _ _ _ _ _ _).
%% Symmetric: with the second component fixed, choose the first to be s B.
%theorem constrained2-pair2nat-unbounded : forall {N2} {B} exists {N1} {N} {D:pair2nat (pair/ N1 N2) N} {G:gt N B} true.
- : constrained2-pair2nat-unbounded N2 B (s B) N N1,N2->N N>B <- pair2nat-total N1,N2->N <- nat2pair-implies-ge N1,N2->N N>=N1 N>=N2 <- ge-succ-implies-gt N>=N1 N>B.
%worlds () (constrained2-pair2nat-unbounded _ _ _ _ _ _).
%total { } (constrained2-pair2nat-unbounded _ _ _ _ _ _).
%%%% Renamings
%% natpair is the name under which the pair type is referred to elsewhere.
%abbrev natpair = pair.
%abbrev natpair/ = pair/.
%%%% Exports
%% Qualified aliases (natpair`...) for everything this signature defines, so a
%% client can use them without clashing with its own eq / ne / eq? etc.
%abbrev natpair`pair = pair.
%abbrev natpair`pair/ = pair/.
%abbrev natpair`eq = eq.
%abbrev natpair`eq/ = eq/.
%abbrev natpair`ne = ne.
%abbrev natpair`ne/1 = ne/1.
%abbrev natpair`ne/2 = ne/2.
%abbrev natpair`eq? = eq?.
%abbrev natpair`eq?/yes = eq?/yes.
%abbrev natpair`eq?/no = eq?/no.
%abbrev natpair`false-implies-eq = false-implies-eq.
%abbrev natpair`meta-eq = meta-eq.
%abbrev natpair`eq-reflexive = eq-reflexive.
%abbrev natpair`eq-symmetric = eq-symmetric.
%abbrev natpair`eq-transitive = eq-transitive.
%abbrev natpair`pair-eq-implies-eq = pair-eq-implies-eq.
%abbrev natpair`pair-preserves-eq = pair-preserves-eq.
%abbrev natpair`false-implies-ne = false-implies-ne.
%abbrev natpair`ne-respects-eq = ne-respects-eq.
%abbrev natpair`ne-anti-reflexive = ne-anti-reflexive.
%abbrev natpair`ne-symmetric = ne-symmetric.
%abbrev natpair`eq-ne-implies-false = eq-ne-implies-false.
%abbrev natpair`eq?-total* = eq?-total*.
%abbrev natpair`eq?-total*/L = eq?-total*/L.
%abbrev natpair`eq?-total = eq?-total.
%abbrev natpair`pair2nat = pair2nat.
%abbrev natpair`pair2nat/00 = pair2nat/00.
%abbrev natpair`pair2nat/XX = pair2nat/XX.
%abbrev natpair`nat2pair = nat2pair.
%abbrev natpair`false-implies-pair2nat = false-implies-pair2nat.
%% (exported under the "not2pair" spelling it was declared with)
%abbrev natpair`false-implies-not2pair = false-implies-not2pair.
%abbrev natpair`pair2nat-respects-eq = pair2nat-respects-eq.
%abbrev natpair`nat2pair-respects-eq = nat2pair-respects-eq.
%abbrev natpair`pair2nat-total** = pair2nat-total**.
%abbrev natpair`pair2nat-total* = pair2nat-total*.
%abbrev natpair`pair2nat-total = pair2nat-total.
%abbrev natpair`nat2pair-total* = nat2pair-total*.
%abbrev natpair`nat2pair-total = nat2pair-total.
%abbrev natpair`pair2nat-deterministic = pair2nat-deterministic.
%abbrev natpair`pair2nat-deterministic/00 = pair2nat-deterministic/00.
%% Exports, continued.
%abbrev natpair`nat2pair-deterministic = nat2pair-deterministic.
%abbrev natpair`nat2pair-deterministic/0 = nat2pair-deterministic/0.
%abbrev natpair`pair2nat-preserves-ne* = pair2nat-preserves-ne*.
%abbrev natpair`pair2nat-preserves-ne*/L = pair2nat-preserves-ne*/L.
%abbrev natpair`pair2nat-preserves-ne = pair2nat-preserves-ne.
%abbrev natpair`nat2pair-preserves-ne* = nat2pair-preserves-ne*.
%abbrev natpair`nat2pair-preserves-ne*/L = nat2pair-preserves-ne*/L.
%abbrev natpair`nat2pair-preserves-ne = nat2pair-preserves-ne.
%abbrev natpair`nonzero-nat2pair-implies-gt-ge = nonzero-nat2pair-implies-gt-ge.
%abbrev natpair`nat2pair-implies-ge = nat2pair-implies-ge.
%abbrev natpair`constrained1-pair2nat-unbounded = constrained1-pair2nat-unbounded.
%abbrev natpair`constrained2-pair2nat-unbounded = constrained2-pair2nat-unbounded.
%abbrev natpair`natpair = natpair.
%abbrev natpair`natpair/ = natpair/.
%{| hidden = true }%
% contents included from ../library/multiset.elf
%%%%%% Multisets of natural numbers
%%%%%% John Boyland
%%%%%% You may freely use, modify and distribute this file without restrictions.
%%%%% This file requires the "nat.elf" signature
%%%%% multiset-help.elf
%%%%% Theorems needed to help 'multiset' use 'map.'
%%%%% This file is part of the multiset.elf signature
%%%% Renamings
%% Aliases giving nat's le and max the names (leq, union) under which the
%% multiset code below refers to them.
%abbrev nat`leq = nat`le.
%abbrev nat`false-implies-leq = nat`false-implies-le.
%abbrev nat`leq-reflexive = nat`le-reflexive.
%abbrev nat`leq-transitive = nat`le-transitive.
%abbrev nat`leq-anti-symmetric = nat`le-anti-symmetric.
%abbrev nat`union = nat`max.
%abbrev nat`false-implies-union = nat`false-implies-max.
%abbrev nat`union-deterministic = nat`max-deterministic.
%abbrev nat`union-total* = nat`max-total*.
%abbrev nat`union-commutative = nat`max-commutative.
%abbrev nat`union-associative = nat`max-associative.
%abbrev nat`union-associative* = nat`max-associative*.
%abbrev nat`union-left-preserves-leq* = nat`max-left-preserves-le*.
%abbrev nat`union-preserves-leq = nat`max-preserves-le.
%abbrev nat`union-implies-leq* = [G] [L] nat`max-implies-ge G L IG.
%abbrev nat`union-implies-leq = nat`max-implies-ge.
%abbrev nat`union-is-lub = nat`max-is-lub.
%% min plays the role of intersection (glb), matching union = max (lub) above.
%abbrev nat`intersection = nat`min.
%abbrev nat`false-implies-intersection = nat`false-implies-min.
%abbrev nat`intersection-deterministic = nat`min-deterministic.
%abbrev nat`intersection-total* = nat`min-total*.
%abbrev nat`intersection-commutative = nat`min-commutative.
%abbrev nat`intersection-associative = nat`min-associative.
%abbrev nat`intersection-associative* = nat`min-associative*.
%abbrev nat`intersection-implies-leq* = [M] [L] nat`min-implies-ge M L IG.
%abbrev nat`intersection-left-preserves-leq* = nat`min-left-preserves-le*.
%abbrev nat`intersection-is-glb = nat`min-is-glb.
%abbrev nat`intersection-right-distributes-over-union = nat`min-right-distributes-over-max.
%abbrev nat`union-right-distributes-over-intersection = nat`max-right-distributes-over-min.
%%%% Functor Use
%%%% Definitions of Maps
%% A map is a list of (key, datum) entries.  Keys are stored relative to the
%% previous entry: by the lookup/> rule below, an entry whose key is N0 inside
%% the tail F of (map/+ N1 D F) has absolute key N1 + 1 + N0.  Absolute keys
%% therefore strictly increase along the list.
map : type.
map/0 : map.
map/+ : nat -> nat -> map -> map.
%%%% Relations on maps
%% eq is syntactic identity; ne enumerates the ways two maps can differ: one is
%% empty and the other not, the head keys differ, the head data differ, or the
%% tails differ.
eq : map -> map -> type.
eq/ : eq M M.
ne : map -> map -> type.
ne/L : ne map/0 (map/+ _ _ _).
ne/R : ne (map/+ _ _ _) map/0.
ne/N : nat`ne N1 N2 -> ne (map/+ N1 _ _) (map/+ N2 _ _).
ne/D : nat`ne D1 D2 -> ne (map/+ _ D1 _) (map/+ _ D2 _).
ne/+ : ne M1 M2 -> ne (map/+ _ _ M1) (map/+ _ _ M2).
%% eq? is the decided form of equality, carrying a ne derivation for "false".
eq? : map -> map -> bool -> type.
eq?/yes : eq? X X true.
eq?/no : eq? X Y false <- ne X Y.
%% lookup M N D: the absolute key N occurs in M with datum D.  lookup/> takes
%% off N1 + 1 before searching the tail.
lookup : map -> nat -> nat -> type.
lookup/= : lookup (map/+ N1 D _) N2 D <- nat`eq N1 N2.
lookup/> : lookup (map/+ N1 _ F) N2 D <- plus (s N0) N1 N2 <- lookup F N0 D.
%% not-member M N: N is not a key of M.  Either the head key already exceeds N
%% (so every key does), or the head key is below N and N - N1 - 1 is absent
%% from the tail.
not-member : map -> nat -> type.
not-member/0 : not-member map/0 M.
not-member/< : not-member (map/+ N _ F) M <- gt N M.
not-member/> : not-member (map/+ N _ F) M <- plus (s M1) N M <- not-member F M1.
%% member? decides membership, with a lookup or not-member derivation as evidence.
member? : map -> nat -> bool -> type.
member?/in : member? M N true <- lookup M N _.
member?/out : member? M N false <- not-member M N.
%% disjoint M1 M2: no key in common.  Each step discards the entry with the
%% smaller head key and re-expresses the other head key relative to it
%% (nat`plus (s N0) N1 N2 reads N2 = N1 + 1 + N0).  There is no rule for equal
%% head keys; disjoint/=-contradiction below proves none is derivable.
disjoint : map -> map -> type.
disjoint/L : disjoint map/0 M.
disjoint/R : disjoint M map/0.
disjoint/< : disjoint (map/+ N1 D1 M1) (map/+ N2 D2 M2) <- nat`plus (s N0) N1 N2 <- disjoint M1 (map/+ N0 D2 M2).
disjoint/> : disjoint (map/+ N1 D1 M1) (map/+ N2 D2 M2) <- nat`plus (s N3) N2 N1 <- disjoint (map/+ N3 D1 M1) M2.
%% disjoint?/no witnesses a shared key N by a lookup in each map.
disjoint? : map -> map -> bool -> type.
disjoint?/yes : disjoint M1 M2 -> disjoint? M1 M2 true.
disjoint?/no : lookup M1 N D1 -> lookup M2 N D2 -> disjoint? M1 M2 false.
%% size: number of entries.
size : map -> nat -> type.
size/0 : size map/0 z.
size/+ : size (map/+ _ _ M) (s N) <- size M N.
%% useful for proving termination on map operations:
%% bound M B: B is one more than the largest absolute key of M (z for the empty
%% map), obtained by adding N1 + 1 to the bound of the tail at each entry.
bound : map -> nat -> type.
bound/0 : bound map/0 z.
bound/+ : bound (map/+ N1 D M) N3 <- bound M N2 <- plus (s N1) N2 N3.
%% shift N1 M M': adds N1 + 1 to the head key of M.  Since the remaining keys
%% are relative to the head, every absolute key of M moves up by N1 + 1.
shift : nat -> map -> map -> type.
shift/0 : shift _ map/0 map/0.
shift/+ : shift N1 (map/+ N2 D M) (map/+ N3 D M) <- plus (s N1) N2 N3.
%% update M N D M': insert or replace key N with datum D.  update/< inserts in
%% front of a larger head key and rebases that key (N1 = N2 + 1 + N3) relative
%% to the new entry; update/> recurses into the tail with N made relative.
update : map -> nat -> nat -> map -> type.
update/0 : update map/0 N D (map/+ N D map/0).
update/= : update (map/+ N1 _ F) N2 D (map/+ N2 D F) <- nat`eq N1 N2.
update/< : update (map/+ N1 D1 F) N2 D2 (map/+ N2 D2 (map/+ N3 D1 F)) <- plus (s N3) N2 N1.
update/> : update (map/+ N1 D1 F1) N2 D2 (map/+ N1 D1 F2) <- plus (s N0) N1 N2 <- update F1 N0 D2 F2.
%%%% Theorems
%%% Theorems about eq
%% eq has only the reflexive derivation; the %reduces records M = N.
%theorem meta-eq : forall {M} {N} {E:eq M N} true.
- : meta-eq M M eq/.
%worlds () (meta-eq _ _ _).
%total {} (meta-eq _ _ _).
%reduces M = N (meta-eq M N _).
%% Ex falso (no clauses: void has no constructors).
%theorem false-implies-eq : forall* {M} {M'} forall {F:void} exists {E:eq M M'} true.
%worlds () (false-implies-eq _ M=M').
%total {} (false-implies-eq _ _).
%theorem eq-reflexive : forall {M} exists {E:eq M M} true.
- : eq-reflexive _ eq/.
%worlds () (eq-reflexive M M=M).
%total {} (eq-reflexive _ _).
%theorem eq-symmetric : forall* {M} {M'} forall {E1:eq M M'} exists {E2:eq M' M} true.
- : eq-symmetric eq/ eq/.
%worlds () (eq-symmetric M=M' M'=M).
%total {} (eq-symmetric _ _).
%theorem eq-transitive: forall* {M1} {M2} {M3} forall {E12:eq M1 M2} {E23:eq M2 M3} exists {E13:eq M1 M3} true.
- : eq-transitive eq/ eq/ eq/.
%worlds () (eq-transitive M1=M2 M2=M3 M1=M3).
%total {} (eq-transitive _ _ _).
%% Congruence of map/+ and its converse (injectivity); both are immediate since
%% eq is syntactic identity.
%theorem map/+-preserves-eq : forall* {N} {NP} {D} {DP} {F} {FP} forall {EN:nat`eq N NP} {ED:nat`eq D DP} {EF:eq F FP} exists {E:eq (map/+ N D F) (map/+ NP DP FP)} true.
- : map/+-preserves-eq nat`eq/ nat`eq/ eq/ eq/.
%worlds () (map/+-preserves-eq N=N' D=D' F=F' NDF=N'D'F').
%total {} (map/+-preserves-eq _ _ _ _).
%theorem map/+-preserves-eq-converse : forall* {N} {NP} {D} {DP} {F} {FP} forall {E:eq (map/+ N D F) (map/+ NP DP FP)} exists {EN:nat`eq N NP} {ED:nat`eq D DP} {EF:eq F FP} true.
- : map/+-preserves-eq-converse eq/ nat`eq/ nat`eq/ eq/.
%worlds () (map/+-preserves-eq-converse _ _ _ _).
%total {} (map/+-preserves-eq-converse _ _ _ _).
%% A map never equals a strict extension of itself: eq/ cannot unify M with
%% map/+ N D M, so there are no cases.
%theorem eq-no-occur : forall* {M} {N} {D} forall {E:eq M (map/+ N D M)} exists {F:void} true.
%worlds () (eq-no-occur _ _).
%total {} (eq-no-occur _ _).
%% The empty map never equals a non-empty one (constructor clash, no cases).
%theorem eq-contradiction : forall* {N} {D} {M} forall {E:eq map/0 (map/+ N D M)} exists {F:void} true.
%worlds () (eq-contradiction _ _).
%total {} (eq-contradiction _ _).
%%% Theorems about ne
%theorem false-implies-ne : forall* {M1} {M2} forall {F:void} exists {N:ne M1 M2} true.
%worlds () (false-implies-ne _ _).
%total { } (false-implies-ne _ _).
%theorem ne-respects-eq : forall* {M11} {M12} {M21} {M22} forall {N1:ne M11 M12} {E1:eq M11 M21} {E2:eq M12 M22} exists {N2:ne M21 M22} true.
- : ne-respects-eq N eq/ eq/ N.
%worlds () (ne-respects-eq _ _ _ _).
%total { } (ne-respects-eq _ _ _ _).
%% A map cannot differ from itself: ne/L and ne/R do not apply to identical
%% maps, and the remaining rules reduce to a nat or a tail differing from
%% itself.
%theorem ne-anti-reflexive : forall* {M} forall {N:ne M M} exists {F:void} true.
- : ne-anti-reflexive (ne/N N) F <- nat`ne-anti-reflexive N F.
- : ne-anti-reflexive (ne/D N) F <- nat`ne-anti-reflexive N F.
- : ne-anti-reflexive (ne/+ N) F <- ne-anti-reflexive N F.
%worlds () (ne-anti-reflexive _ _).
%total (N) (ne-anti-reflexive N _).
%% ne-symmetric swaps ne/L with ne/R and flips the underlying nat or tail
%% inequality.
%theorem ne-symmetric : forall* {M1} {M2} forall {N1:ne M1 M2} exists {N2:ne M2 M1} true.
- : ne-symmetric ne/L ne/R.
- : ne-symmetric ne/R ne/L.
- : ne-symmetric (ne/N N1) (ne/N N2) <- nat`ne-symmetric N1 N2.
- : ne-symmetric (ne/D N1) (ne/D N2) <- nat`ne-symmetric N1 N2.
- : ne-symmetric (ne/+ N1) (ne/+ N2) <- ne-symmetric N1 N2.
%worlds () (ne-symmetric _ _).
%total (N) (ne-symmetric N _).
%% eq and ne exclude each other: under eq/ the ne becomes ne X X, refuted above.
%theorem eq-ne-implies-false : forall* {X} {Y} forall {D1:eq X Y} {D2:ne X Y} exists {F:void} true.
- : eq-ne-implies-false eq/ X<>X F <- ne-anti-reflexive X<>X F.
%worlds () (eq-ne-implies-false _ _ _).
%total { } (eq-ne-implies-false _ _ _).
%% Map equality is decidable.  The clauses of eq?-total* are written through the
%% eq?-total abbreviation: identical maps, the two empty/non-empty mismatches,
%% and the map/+ vs map/+ case, which decides head key, head datum and tail
%% separately and combines the three verdicts with eq?-total/+.  The two
%% theorems are proved together; the termination measures are M for
%% eq?-total* and the explicit tail argument M1 (W below) for eq?-total/+.
%theorem eq?-total* : forall {M} {N} exists {B} {T:eq? M N B} true.
%abbrev eq?-total = eq?-total* _ _ _.
%theorem eq?-total/+ : forall* {N1} {D1} {N2} {D2} {M2} {EN} {ED} {EM} forall {M1} {EN?:nat`eq? N1 N2 EN} {ED?:nat`eq? D1 D2 ED} {EM?:eq? M1 M2 EM} exists {B} {E?:eq? (map/+ N1 D1 M1) (map/+ N2 D2 M2) B} true.
- : eq?-total eq?/yes.
- : eq?-total (eq?/no ne/L).
- : eq?-total (eq?/no ne/R).
- : eq?-total E? <- nat`eq?-total EN? <- nat`eq?-total ED? <- eq?-total EM? <- eq?-total/+ _ EN? ED? EM? _ E?.
- : eq?-total/+ _ (nat`eq?/yes) (nat`eq?/yes) (eq?/yes) _ eq?/yes.
- : eq?-total/+ _ (nat`eq?/no N) _ _ _ (eq?/no (ne/N N)).
- : eq?-total/+ _ _ (nat`eq?/no N) _ _ (eq?/no (ne/D N)).
- : eq?-total/+ _ _ _ (eq?/no N) _ (eq?/no (ne/+ N)).
%worlds () (eq?-total* _ _ _ _) (eq?-total/+ _ _ _ _ _ _).
%total (M W) (eq?-total* M _ _ _) (eq?-total/+ W _ _ _ _ _).
%%% Theorems about lookup
%% Ex falso for lookup.
%theorem false-implies-lookup : forall* {M} {N} {D} forall {F:void} exists {L:lookup M N D} true.
%worlds () (false-implies-lookup _ F^N=D).
%total {} (false-implies-lookup _ _).
%% lookup is compatible with (syntactic) equality; the derivation is reused.
%theorem lookup-respects-eq : forall* {M} {N} {D} {MP} {NP} {DP} forall {L:lookup M N D} {EM:eq M MP} {EN:nat`eq N NP} {ED:nat`eq D DP} exists {LP:lookup MP NP DP} true.
- : lookup-respects-eq L eq/ nat`eq/ nat`eq/ L.
%worlds () (lookup-respects-eq M^N=D M=M' N=N' D=D' M'^N'=D').
%total {} (lookup-respects-eq _ _ _ _ _).
%% lookup is a partial function: one key in one map has at most one datum.
%% Two lookup/> steps on the same key have the same relative key
%% (plus-right-cancels, then succ-cancels), so the induction hypothesis applies
%% to the tails.
%theorem lookup-deterministic : forall* {M} {N} {D} {MP} {NP} {DP} forall {L:lookup M N D} {LP:lookup MP NP DP} {EM:eq M MP} {EN:nat`eq N NP} exists {ED:nat`eq D DP} true.
- : lookup-deterministic (lookup/= nat`eq/) (lookup/= nat`eq/) eq/ nat`eq/ nat`eq/.
- : lookup-deterministic (lookup/> F^N0=D N0+1+N1=N2) (lookup/> F^N0'=D' N0'+1+N1=N2) eq/ nat`eq/ D=D'
    <- plus-right-cancels N0+1+N1=N2 N0'+1+N1=N2 nat`eq/ nat`eq/ N0+1=N0'+1
    <- succ-cancels N0+1=N0'+1 N0=N0'
    <- lookup-deterministic F^N0=D F^N0'=D' eq/ N0=N0' D=D'.
%% contradiction cases
%% A lookup/= and a lookup/> on the same key would require N = N0 + 1 + N,
%% i.e. N > N, refuted by gt-anti-reflexive.
- : lookup-deterministic (lookup/= nat`eq/) (lookup/> _ N0+1+N=N) eq/ nat`eq/ D=D' <- plus-implies-gt N0+1+N=N nat`eq/ N>N <- gt-anti-reflexive N>N FALSE <- nat`false-implies-eq FALSE D=D'.
- : lookup-deterministic (lookup/> _ N0+1+N=N) (lookup/= nat`eq/) eq/ nat`eq/ D=D' <- plus-implies-gt N0+1+N=N nat`eq/ N>N <- gt-anti-reflexive N>N FALSE <- nat`false-implies-eq FALSE D=D'.
%worlds () (lookup-deterministic M^N=D M'^N'=D' M=M' N=N' D=D').
%total (L) (lookup-deterministic L _ _ _ _).
%% lookup is NOT total
%% Nothing is found in the empty map (no lookup rule applies to map/0).
%theorem lookup-contradiction : forall* {N} {D} forall {L:lookup map/0 N D} exists {F:void} true.
%worlds () (lookup-contradiction _ _).
%total { } (lookup-contradiction _ _).
%% In a one-entry map the only successful lookup is of that entry (a lookup/>
%% step would have to succeed in map/0).
%theorem lookup-one-choice : forall* {N1} {D1} {N2} {D2} forall {L:lookup (map/+ N1 D1 map/0) N2 D2} exists {NE:nat`eq N1 N2} {DE:nat`eq D1 D2} true.
- : lookup-one-choice (lookup/= nat`eq/) nat`eq/ nat`eq/.
%worlds () (lookup-one-choice _ _ _).
%total { } (lookup-one-choice _ _ _).
%% Two maps that send the same key to different data are different maps.
%% The /L lemma case-splits on eq? M1 M2; equal maps would make
%% lookup-deterministic force the data equal.
%theorem lookup-ne-implies-ne : forall* {M1} {N1} {D1} {M2} {N2} {D2} forall {L1:lookup M1 N1 D1} {L2:lookup M2 N2 D2} {EN:nat`eq N1 N2} {ND:nat`ne D1 D2} exists {NM:ne M1 M2} true.
%theorem lookup-ne-implies-ne/L : forall* {M1} {N1} {D1} {M2} {N2} {D2} {B} forall {L1:lookup M1 N1 D1} {L2:lookup M2 N2 D2} {EN:nat`eq N1 N2} {ND:nat`ne D1 D2} {EM?:eq? M1 M2 B} exists {NM:ne M1 M2} true.
- : lookup-ne-implies-ne L1 L2 EN ND NM <- eq?-total EM? <- lookup-ne-implies-ne/L L1 L2 EN ND EM? NM.
- : lookup-ne-implies-ne/L L1 L2 _ _ (eq?/no NM) NM.
%% Equal maps: lookup-deterministic gives D1 = D2, contradicting D1 <> D2.
- : lookup-ne-implies-ne/L L1 L2 nat`eq/ D1<>D2 eq?/yes NM <- lookup-deterministic L1 L2 eq/ nat`eq/ D1=D2 <- nat`eq-ne-implies-false D1=D2 D1<>D2 F <- false-implies-ne F NM.
%worlds () (lookup-ne-implies-ne/L _ _ _ _ _ _).
%total { } (lookup-ne-implies-ne/L _ _ _ _ _ _).
%worlds () (lookup-ne-implies-ne _ _ _ _ _).
%total { } (lookup-ne-implies-ne _ _ _ _ _).
%%% Theorems about not-member
%theorem false-implies-not-member : forall* {M} {N} forall {F:void} exists {D:not-member M N} true.
%worlds () (false-implies-not-member _ N-not-in-member-M).
%total {} (false-implies-not-member _ _).
%theorem not-member-respects-eq : forall* {M} {N} {MP} {NP} forall {D:not-member M N} {EM:eq M MP} {EN:nat`eq N NP} exists {DP:not-member MP NP} true.
- : not-member-respects-eq D eq/ nat`eq/ D.
%worlds () (not-member-respects-eq _ _ _ _).
%total {} (not-member-respects-eq _ _ _ _).
%% not-member is NOT deterministic
%% Every map has some absent key: for a non-empty map take a key N absent from
%% the tail and make it absolute (N + 1 + N1), which places it past the head.
%theorem not-member-total* : forall {M} exists {N} {F:not-member M N} true.
- : not-member-total* map/0 z not-member/0.
- : not-member-total* (map/+ N1 _ M) N3 (not-member/> F N+1+N1=N3) <- not-member-total* M N F <- plus-total* (s N) N1 N3 N+1+N1=N3.
%worlds () (not-member-total* M N N-not-in-member-of-M).
%total (M) (not-member-total* M _ _).
%abbrev not-member-total = not-member-total* _ _.
%% An absent key differs from every present key.  Induction on the not-member
%% derivation; the four combinations with lookup/= and lookup/> are spelled out
%% (the last two on the following line).
%theorem not-member-lookup-not-equal : forall* {M} {N1} {N2} {D2} forall {F:not-member M N1} {L:lookup M N2 D2} exists {NE:nat`ne N1 N2} true.
%% not-member/< vs lookup/=: the head key exceeds N1 and is the key found.
- : not-member-lookup-not-equal (not-member/< N2>N1) (lookup/= nat`eq/) (nat`ne/< N2>N1).
%% not-member/< vs lookup/>: the key found lies beyond the head, which already
%% lies beyond N1.
- : not-member-lookup-not-equal (not-member/< N1>N3) (lookup/> _ N0+1+N1=N2) (nat`ne/< N2>N3) <- plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1 <- gt-transitive N2>N1 N1>N3 N2>N3.
%% not-member-lookup-not-equal, continued.
%% not-member/> vs lookup/=: the head key found lies strictly below the absent key.
- : not-member-lookup-not-equal (not-member/> _ X+1+N2=N1) (lookup/= nat`eq/) (nat`ne/> N1>N2) <- plus-implies-gt X+1+N2=N1 nat`eq/ N1>N2.
%% not-member/> vs lookup/>: both step into the tail, where the relative keys
%% differ by induction; plus-right-preserves-ne* carries the difference back to
%% the absolute keys (both offset by N1 + 1).
- : not-member-lookup-not-equal (not-member/> F N4+1+N1=N3) (lookup/> L N0+1+N1=N2) N3<>N2 <- not-member-lookup-not-equal F L N4<>N0 <- succ-preserves-ne N4<>N0 N4+1<>N0+1 <- plus-right-preserves-ne* N4+1<>N0+1 N4+1+N1=N3 N0+1+N1=N2 N3<>N2.
%worlds () (not-member-lookup-not-equal N1-not-in-member-of-M M^N2=D N1<>N2).
%total (F) (not-member-lookup-not-equal F _ _).
%% A map's own head key is never absent from it: not-member/< would need N > N
%% and not-member/> would need N = N0 + 1 + N.
%theorem not-member-contradiction : forall* {M} {N} {D} forall {F:not-member (map/+ N D M) N} exists {V:void} true.
- : not-member-contradiction (not-member/< N>N) V <- nat`gt-anti-reflexive N>N V.
- : not-member-contradiction (not-member/> _ N0+1+N=N) V <- nat`plus-implies-gt N0+1+N=N nat`eq/ N>N <- nat`gt-anti-reflexive N>N V.
%worlds () (not-member-contradiction _ _).
%total {} (not-member-contradiction _ _).
%% A singleton map contains no key other than its own.
%% NOTE(review): the clause below is not well-formed as it appears here: its
%% parentheses do not balance and nat`ne/< is applied to a bare N1.  Tokens are
%% missing right after "N1" (before "not-member/0") and again after
%% "nat`gt-implies-plus N1", which is the pattern left when a renderer strips
%% "<...>"-shaped text; the remains read like two clauses, a nat`ne/< case
%% built from not-member/> and nat`gt-implies-plus, and a nat`ne/> case built
%% from not-member/<.  Restore this text from the original multiset.elf named
%% in the header before checking the signature.
%theorem ne-implies-unit-map-not-member : forall* {N1} {D} {N2} forall {NE:nat`ne N1 N2} exists {F:not-member (map/+ N1 D map/0) N2} true.
- : ne-implies-unit-map-not-member (nat`ne/< N1 not-member/0 N0+1+N1=N2) <- nat`gt-implies-plus N1 N1>N2) (not-member/< N1>N2).
%worlds () (ne-implies-unit-map-not-member _ _).
%total { } (ne-implies-unit-map-not-member _ _).
%% Adding the same N to the head key and to the absent key preserves absence:
%% gt is preserved by adding on the right, and in the not-member/> case the
%% tail evidence F10 is reused unchanged (the relative key does not move, only
%% the sum is re-associated).
%theorem plus-right-preserves-not-member* : forall* {M} {N1} {D} {N2} {N} {N3} {N4} forall {F:not-member (map/+ N1 D M) N2} {P1:plus N1 N N3} {P2:plus N2 N N4} exists {FP:not-member (map/+ N3 D M) N4} true.
- : plus-right-preserves-not-member* (not-member/< N2>N1) N1+N=N3 N2+N=N4 (not-member/< N4>N3) <- nat`plus-right-preserves-gt* N2>N1 N1+N=N3 N2+N=N4 N4>N3.
- : plus-right-preserves-not-member* (not-member/> F10 N0+1+N1=N2) N1+N=N3 N2+N=N4 (not-member/> F10 N0+1+N3=N4) <- nat`plus-associative* N0+1+N1=N2 N2+N=N4 N1+N=N3 N0+1+N3=N4.
%worlds () (plus-right-preserves-not-member* _ _ _ _).
%total {} (plus-right-preserves-not-member* _ _ _ _).
%% A map in which a key is absent differs from one in which it is present.
%% The /L lemma case-splits on eq? M1 M2; for equal maps
%% not-member-lookup-not-equal would yield N <> N.
%theorem not-member-lookup-implies-ne : forall* {M1} {N1} {M2} {N2} {D2} forall {L1:not-member M1 N1} {L2:lookup M2 N2 D2} {EN:nat`eq N1 N2} exists {NM:ne M1 M2} true.
%theorem not-member-lookup-implies-ne/L : forall* {M1} {N1} {M2} {N2} {D2} {B} forall {L1:not-member M1 N1} {L2:lookup M2 N2 D2} {EN:nat`eq N1 N2} {EM?:eq? M1 M2 B} exists {NM:ne M1 M2} true.
- : not-member-lookup-implies-ne F1 L2 EN NM <- eq?-total EM? <- not-member-lookup-implies-ne/L F1 L2 EN EM? NM.
- : not-member-lookup-implies-ne/L _ _ _ (eq?/no NM) NM.
- : not-member-lookup-implies-ne/L F1 L2 nat`eq/ eq?/yes NM <- not-member-lookup-not-equal F1 L2 N<>N <- nat`ne-anti-reflexive N<>N F <- false-implies-ne F NM.
%worlds () (not-member-lookup-implies-ne/L _ _ _ _ _).
%total { } (not-member-lookup-implies-ne/L _ _ _ _ _).
%worlds () (not-member-lookup-implies-ne _ _ _ _).
%total { } (not-member-lookup-implies-ne _ _ _ _).
%%% Theorems about map/member
%theorem false-implies-member? : forall* {M} {N} {D} forall {F:void} exists {MD:member? M N D} true.
%worlds () (false-implies-member? _ _).
%total {} (false-implies-member? _ _).
%theorem member?-respects-eq : forall* {M1} {N1} {B1} {M2} {N2} {B2} forall {MD1:member? M1 N1 B1} {EM:eq M1 M2} {EN:nat`eq N1 N2} {BE:bool`eq B1 B2} exists {MD2:member? M2 N2 B2} true.
- : member?-respects-eq MD eq/ nat`eq/ bool`eq/ MD.
%worlds () (member?-respects-eq _ _ _ _ _).
%total { } (member?-respects-eq _ _ _ _ _).
%% member? is a function.  The first clause ignores its inputs and covers every
%% pair of verdicts that are already equal (B1 and B2 unify through bool`eq/);
%% the mixed in/out clauses are contradictory, since a key cannot be both
%% found and absent (not-member-lookup-not-equal gives N <> N).
%theorem member?-deterministic : forall* {M1} {N1} {B1} {M2} {N2} {B2} forall {MD1:member? M1 N1 B1} {MD2:member? M2 N2 B2} {EM:eq M1 M2} {EN:nat`eq N1 N2} exists {BE:bool`eq B1 B2} true.
- : member?-deterministic _ _ _ _ bool`eq/.
- : member?-deterministic (member?/in L) (member?/out F) eq/ nat`eq/ BE <- not-member-lookup-not-equal F L NE <- nat`ne-anti-reflexive NE V <- bool`false-implies-eq V BE.
- : member?-deterministic (member?/out F) (member?/in L) eq/ nat`eq/ BE <- not-member-lookup-not-equal F L NE <- nat`ne-anti-reflexive NE V <- bool`false-implies-eq V BE. %worlds () (member?-deterministic _ _ _ _ _). %total { } (member?-deterministic _ _ _ _ _). %theorem member?-total* : forall {M} {N} exists {B} {MD:member? M N B} true. %% we need a lemma %theorem member?-map/+-total : forall {N1} {D1} {M1} {N2} {C} {CMP:nat`compare N1 N2 C} exists {B} {MD:member? (map/+ N1 D1 M1) N2 B} true. %% and this lemma needs a lemma %theorem member?-map/+-complete : forall {N1} {D1} {M1} {N2} {N0} {P:plus (s N0) N1 N2} {B} {MD1:member? M1 N0 B} exists {MD:member? (map/+ N1 D1 M1) N2 B} true. - : member?-total* map/0 N false (member?/out not-member/0). - : member?-total* (map/+ N1 D1 M1) N2 B MD <- nat`compare-total* N1 N2 C CMP <- member?-map/+-total N1 D1 M1 N2 C CMP B MD. - : member?-map/+-total N1 D1 M1 N2 equal CMP true (member?/in (lookup/= N1=N2)) <- equal-implies-eq CMP N1=N2. - : member?-map/+-total N1 D1 M1 N2 greater CMP false (member?/out (not-member/< N1>N2)) <- greater-implies-gt CMP N1>N2. - : member?-map/+-total N1 D1 M1 N2 less CMP B MD <- less-implies-lt CMP N2>N1 <- gt-implies-plus N2>N1 N0 N0+1+N1=N2 <- member?-total* M1 N0 B MD1 <- member?-map/+-complete N1 D1 M1 N2 N0 N0+1+N1=N2 B MD1 MD. - : member?-map/+-complete N1 D1 M1 N2 N0 N0+1+N1=N2 true (member?/in L1) (member?/in (lookup/> L1 N0+1+N1=N2)). - : member?-map/+-complete N1 D1 M1 N2 N0 N0+1+N1=N2 false (member?/out F1) (member?/out (not-member/> F1 N0+1+N1=N2)). %worlds () (member?-map/+-complete _ _ _ _ _ _ _ _ _). %total {} (member?-map/+-complete _ _ _ _ _ _ _ _ _). %worlds () (member?-total* _ _ _ _) (member?-map/+-total _ _ _ _ _ _ _ _). %total (M M1) (member?-total* M _ _ _) (member?-map/+-total _ _ M1 _ _ _ _ _). %abbrev member?-total = member?-total* _ _ _. %theorem in-implies-lookup : forall* {M} {N} forall {MD:member? M N true} exists {D} {L:lookup M N D} true. 
- : in-implies-lookup (member?/in L) _ L.
%worlds () (in-implies-lookup _ _ _).
%total {} (in-implies-lookup _ _ _).
%theorem out-implies-not-member : forall* {M} {N} forall {MD:member? M N false} exists {F:not-member M N} true.
- : out-implies-not-member (member?/out F) F.
%worlds () (out-implies-not-member _ _).
%total {} (out-implies-not-member _ _).

%%% Theorems about disjoint

%% Ex falso for disjoint (no clauses).
%theorem false-implies-disjoint : forall* {M1} {M2} forall {F:void} exists {D:disjoint M1 M2} true.
%worlds () (false-implies-disjoint _ _).
%total { } (false-implies-disjoint _ _).

%% disjoint respects map equality. The %reduces records that the output is
%% the same derivation as the input, so callers may still recurse on it.
%theorem disjoint-respects-eq : forall* {M1} {M2} {M1P} {M2P} forall {A:disjoint M1 M2} {E1:eq M1 M1P} {E2:eq M2 M2P} exists {AP:disjoint M1P M2P} true.
- : disjoint-respects-eq A eq/ eq/ A.
%worlds () (disjoint-respects-eq _ _ _ _).
%total {} (disjoint-respects-eq _ _ _ _).
%reduces A = AP (disjoint-respects-eq A _ _ AP).

%% Two non-empty maps with the same head key are never disjoint: both
%% disjoint/< and disjoint/> demand a strict inequality between the heads.
%theorem disjoint/=-contradiction : forall* {N1} {D1} {M1} {N2} {D2} {M2} forall {A:disjoint (map/+ N1 D1 M1) (map/+ N2 D2 M2)} {G:nat`eq N1 N2} exists {F:void} true.
- : disjoint/=-contradiction (disjoint/< _ N0+1+N=N) nat`eq/ F
    <- nat`plus-implies-gt N0+1+N=N nat`eq/ N>N
    <- nat`gt-anti-reflexive N>N F.
- : disjoint/=-contradiction (disjoint/> _ N3+1+N=N) nat`eq/ F
    <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- nat`gt-anti-reflexive N>N F.
%worlds () (disjoint/=-contradiction _ _ _).
%total { } (disjoint/=-contradiction _ _ _).

%% Inversion when the left head is smaller (N2 = N0+1+N1): the tail of the
%% left map is disjoint from the right map re-keyed relative to N1.
%% The disjoint/< case has to cancel the two plus witnesses for the same sum
%% to identify N0 with the offset stored in the derivation; the disjoint/>
%% case is contradictory (N1 > N2 and N2 > N1).
%theorem disjoint/<-inversion : forall* {N1} {D1} {M1} {N2} {D2} {M2} {N0} forall {A:disjoint (map/+ N1 D1 M1) (map/+ N2 D2 M2)} {P:plus (s N0) N1 N2} exists {AP:disjoint M1 (map/+ N0 D2 M2)} true.
- : disjoint/<-inversion (disjoint/< A P) P' A'
    <- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N0+1=N0'+1
    <- succ-cancels N0+1=N0'+1 N0=N0P
    <- map/+-preserves-eq N0=N0P nat`eq/ eq/ M022=M022'
    <- disjoint-respects-eq A eq/ M022=M022' A'.
- : disjoint/<-inversion (disjoint/> A' N3+1+N2=N1) N0+1+N1=N2 A
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- nat`gt-anti-symmetric N1>N2 N2>N1 F
    <- false-implies-eq F M311=M1
    <- false-implies-eq F M2=M022
    <- disjoint-respects-eq A' M311=M1 M2=M022 A.
%worlds () (disjoint/<-inversion _ _ _).
%total {} (disjoint/<-inversion _ _ _).
%% The output is a strict sub-derivation of the input; this is what lets
%% later proofs (e.g. the shift converses) recurse after inverting.
%reduces AP < A (disjoint/<-inversion A _ AP).

%% Mirror image: right head smaller (N1 = N3+1+N2).
%theorem disjoint/>-inversion : forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3} forall {A:disjoint (map/+ N1 D1 M1) (map/+ N2 D2 M2)} {P:plus (s N3) N2 N1} exists {AP:disjoint (map/+ N3 D1 M1) M2} true.
- : disjoint/>-inversion (disjoint/> A P) P' A'
    <- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N3+1=N3'+1
    <- succ-cancels N3+1=N3'+1 N3=N3P
    <- map/+-preserves-eq N3=N3P nat`eq/ eq/ M311=M311'
    <- disjoint-respects-eq A M311=M311' eq/ A'.
- : disjoint/>-inversion (disjoint/< A' N0+1+N1=N2) N3+1+N2=N1 A
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- nat`gt-anti-symmetric N1>N2 N2>N1 F
    <- false-implies-eq F M1=M311
    <- false-implies-eq F M022=M2
    <- disjoint-respects-eq A' M1=M311 M022=M2 A.
%worlds () (disjoint/>-inversion _ _ _).
%total { } (disjoint/>-inversion _ _ _).
%reduces AP < A (disjoint/>-inversion A _ AP).

%% The only map disjoint from itself is the empty map.
%theorem disjoint-anti-reflexive : forall* {M} forall {D:disjoint M M} exists {E:eq map/0 M} true.
- : disjoint-anti-reflexive disjoint/L eq/.
- : disjoint-anti-reflexive disjoint/R eq/.
- : disjoint-anti-reflexive (A:disjoint (map/+ N D M) (map/+ N D M)) E
    <- disjoint/=-contradiction A nat`eq/ F
    <- false-implies-eq F E.
%worlds () (disjoint-anti-reflexive _ _).
%total { } (disjoint-anti-reflexive _ _).

%% Symmetry: swap the sides, flipping disjoint/< with disjoint/>; the plus
%% witness P is reused unchanged because the inversion lemmas use the same
%% orientation (plus (s K) smaller larger) on both sides.
%% NOTE(review): the %theorem binds the name D twice (the forall and the
%% exists); Twelf accepts the shadowing, but a distinct name (e.g. D') would
%% read better and match the clause variables below.
%theorem disjoint-symmetric : forall* {M1} {M2} forall {D:disjoint M1 M2} exists {D:disjoint M2 M1} true.
- : disjoint-symmetric disjoint/L disjoint/R.
- : disjoint-symmetric disjoint/R disjoint/L.
- : disjoint-symmetric (disjoint/< D P) (disjoint/> D' P)
    <- disjoint-symmetric D D'.
- : disjoint-symmetric (disjoint/> D P) (disjoint/< D' P)
    <- disjoint-symmetric D D'.
%worlds () (disjoint-symmetric _ _).
%total (D) (disjoint-symmetric D _).

%% Disjoint maps share no key: a successful lookup of the same absolute key
%% N in both is contradictory. Induction on the disjoint derivation D; each
%% step either finds the two head keys ordered both ways (gt-anti-symmetric),
%% finds N > N (gt-anti-reflexive), or re-expresses N relative to the head
%% that was just stepped over and recurses.
%theorem disjoint-lookup-contradiction : forall* {M1} {M2} {N} {D1} {D2} forall {A:disjoint M1 M2} {L1:lookup M1 N D1} {L2:lookup M2 N D2} exists {F:void} true.
- : disjoint-lookup-contradiction disjoint/L L _ F
    <- lookup-contradiction L F.
- : disjoint-lookup-contradiction disjoint/R _ L F
    <- lookup-contradiction L F.
- : disjoint-lookup-contradiction (disjoint/< _ N0+1+N=N) (lookup/= nat`eq/) (lookup/= nat`eq/) F
    <- plus-implies-gt N0+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F.
- : disjoint-lookup-contradiction (disjoint/< _ N0+1+N1=N2) (lookup/= nat`eq/) (lookup/> _ N3+1+N2=N1) F
    <- plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- gt-anti-symmetric N2>N1 N1>N2 F.
- : disjoint-lookup-contradiction (disjoint/< D N0+1+N1=N2) (lookup/> L1P N0P+1+N1=N2) (lookup/= nat`eq/) F
    <- plus-right-cancels N0P+1+N1=N2 N0+1+N1=N2 nat`eq/ nat`eq/ N0P+1=N0+1
    <- succ-cancels N0P+1=N0+1 N0P=N0
    <- lookup-respects-eq L1P eq/ N0P=N0 nat`eq/ L1
    <- disjoint-lookup-contradiction D L1 (lookup/= nat`eq/) F.
%% Both lookups pass their heads: rebase L2's offset relative to N0 (the
%% right head as seen from the left tail) and recurse.
- : disjoint-lookup-contradiction (disjoint/< D N0+1+N1=N2) (lookup/> L1 N1P+1+N1=N) (lookup/> L2 N2P+1+N2=N) F
    <- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
    <- plus-associative-converse N0+N1+1=N2 N2P+1+N2=N NX N2P+1+N0=NX NX+N1+1=N
    <- plus-swap-succ N1P+1+N1=N N1P+N1+1=N
    <- plus-right-cancels NX+N1+1=N N1P+N1+1=N nat`eq/ nat`eq/ NX=N1P
    <- plus-respects-eq N2P+1+N0=NX nat`eq/ nat`eq/ NX=N1P N2P+1+N0=N1P
    <- disjoint-lookup-contradiction D L1 (lookup/> L2 N2P+1+N0=N1P) F.
- : disjoint-lookup-contradiction (disjoint/> _ N3+1+N=N) (lookup/= nat`eq/) (lookup/= nat`eq/) F
    <- plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F.
%% NOTE(review): this clause names the offset in the disjoint/> witness and
%% the offset in the lookup/> witness with the same variable N3, so it only
%% matches when the two offsets coincide. Nothing in the inputs forces that
%% (compare the mirror clause above, which uses N0 and N3), so unless this is
%% an artifact of this copy, coverage for %total would seem to need a fresh
%% name (e.g. N3') on the lookup side. Verify with the checker.
- : disjoint-lookup-contradiction (disjoint/> _ N3+1+N2=N1) (lookup/> _ N3+1+N1=N2) (lookup/= nat`eq/) F
    <- plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- plus-implies-gt N3+1+N1=N2 nat`eq/ N2>N1
    <- gt-anti-symmetric N1>N2 N2>N1 F.
- : disjoint-lookup-contradiction (disjoint/> D N3+1+N2=N1) (lookup/= nat`eq/) (lookup/> L2P N3P+1+N2=N1) F
    <- plus-right-cancels N3P+1+N2=N1 N3+1+N2=N1 nat`eq/ nat`eq/ N3P+1=N3+1
    <- succ-cancels N3P+1=N3+1 N3P=N3
    <- lookup-respects-eq L2P eq/ N3P=N3 nat`eq/ L2
    <- disjoint-lookup-contradiction D (lookup/= nat`eq/) L2 F.
- : disjoint-lookup-contradiction (disjoint/> D N3+1+N2=N1) (lookup/> L1 N1P+1+N1=N) (lookup/> L2 N2P+1+N2=N) F
    <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
    <- plus-associative-converse N3+N2+1=N1 N1P+1+N1=N NX N1P+1+N3=NX NX+N2+1=N
    <- plus-swap-succ N2P+1+N2=N N2P+N2+1=N
    <- plus-right-cancels NX+N2+1=N N2P+N2+1=N nat`eq/ nat`eq/ NX=N2P
    <- plus-respects-eq N1P+1+N3=NX nat`eq/ nat`eq/ NX=N2P N1P+1+N3=N2P
    <- disjoint-lookup-contradiction D (lookup/> L1 N1P+1+N3=N2P) L2 F.
%worlds () (disjoint-lookup-contradiction _ _ _ _).
%total (D) (disjoint-lookup-contradiction D _ _ _).

%% shift N M SM adds N+1 to M's head key (see shift-total*). Shifting the
%% left map by N and consing a fresh head with key N onto the right map keeps
%% them disjoint: the new right head is strictly below the shifted left head.
%theorem shift-left-preserves-disjoint : forall* {N} {D} {M1} {M2} {SM1} forall {A:disjoint M1 M2} {S1:shift N M1 SM1} exists {SA:disjoint SM1 (map/+ N D M2)} true.
- : shift-left-preserves-disjoint _ shift/0 disjoint/L.
- : shift-left-preserves-disjoint M111*M2 (shift/+ N+1+N1=N1P) (disjoint/> M111*M2 N1+1+N=N1P)
    <- plus-swap-succ N+1+N1=N1P N+N1+1=N1P
    <- plus-commutative N+N1+1=N1P N1+1+N=N1P.
%worlds () (shift-left-preserves-disjoint _ _ _).
%total { } (shift-left-preserves-disjoint _ _ _).

%% Converse of the above, by inverting the disjoint/> that must be present.
%theorem shift-left-preserves-disjoint-converse : forall* {N} {D} {M1} {M2} {SM1} forall {SA:disjoint SM1 (map/+ N D M2)} {S1:shift N M1 SM1} exists {A:disjoint M1 M2} true.
- : shift-left-preserves-disjoint-converse _ shift/0 disjoint/L.
- : shift-left-preserves-disjoint-converse M111*M222 (shift/+ N2+1+N3=N1) M311*M2
    <- plus-swap-succ N2+1+N3=N1 N2+N3+1=N1
    <- plus-commutative N2+N3+1=N1 N3+1+N2=N1
    <- disjoint/>-inversion M111*M222 N3+1+N2=N1 M311*M2.
%worlds () (shift-left-preserves-disjoint-converse _ _ _).
%total { } (shift-left-preserves-disjoint-converse _ _ _).

%% Mirror of shift-left-preserves-disjoint: cons the fresh head onto the
%% left map and shift the right one.
%theorem shift-right-preserves-disjoint : forall* {N} {D} {M1} {M2} {SM2} forall {A:disjoint M1 M2} {S2:shift N M2 SM2} exists {SA:disjoint (map/+ N D M1) SM2} true.
- : shift-right-preserves-disjoint _ shift/0 disjoint/R.
- : shift-right-preserves-disjoint M1*M222 (shift/+ N+1+N2=N2P) (disjoint/< M1*M222 N2+1+N=N2P)
    <- plus-swap-succ N+1+N2=N2P N+N2+1=N2P
    <- plus-commutative N+N2+1=N2P N2+1+N=N2P.
%worlds () (shift-right-preserves-disjoint _ _ _).
%total { } (shift-right-preserves-disjoint _ _ _).

%theorem shift-right-preserves-disjoint-converse : forall* {N} {D} {M1} {M2} {SM2} forall {SA:disjoint (map/+ N D M1) SM2} {S2:shift N M2 SM2} exists {A:disjoint M1 M2} true.
- : shift-right-preserves-disjoint-converse _ shift/0 disjoint/R.
- : shift-right-preserves-disjoint-converse M111*M322 (shift/+ N1+1+N2=N3) M1*M222
    <- plus-swap-succ N1+1+N2=N3 N1+N2+1=N3
    <- plus-commutative N1+N2+1=N3 N2+1+N1=N3
    <- disjoint/<-inversion M111*M322 N2+1+N1=N3 M1*M222.
%worlds () (shift-right-preserves-disjoint-converse _ _ _).
%total { } (shift-right-preserves-disjoint-converse _ _ _).

%% Shifting both maps by the same N preserves disjointness. Only the head
%% keys move, so the sub-derivation (M1*M022 / M311*M2) is reused verbatim
%% and the work is re-deriving the offset between the two new heads.
%theorem shift-preserves-disjoint : forall* {N} {M1} {M2} {SM1} {SM2} forall {A:disjoint M1 M2} {S1:shift N M1 SM1} {S2:shift N M2 SM2} exists {SA:disjoint SM1 SM2} true.
- : shift-preserves-disjoint _ shift/0 _ disjoint/L.
- : shift-preserves-disjoint _ _ shift/0 disjoint/R.
- : shift-preserves-disjoint (disjoint/< M1*M022 N0+1+N1=N2) (shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5) (disjoint/< M1*M022 N0+1+N4=N5)
    <- plus-swap-succ N+1+N1=N4 N+N1+1=N4
    <- plus-commutative N+N1+1=N4 N1+1+N=N4
    <- plus-commutative N0+1+N1=N2 N1+N0+1=N2
    <- plus-associative-converse* N1+N0+1=N2 N+1+N2=N5 N+1+N1=N4 N4+N0+1=N5
    <- plus-commutative N4+N0+1=N5 N0+1+N4=N5.
- : shift-preserves-disjoint (disjoint/> M311*M2 N3+1+N2=N1) (shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5) (disjoint/> M311*M2 N3+1+N5=N4)
    <- plus-swap-succ N+1+N2=N5 N+N2+1=N5
    <- plus-commutative N+N2+1=N5 N2+1+N=N5
    <- plus-commutative N3+1+N2=N1 N2+N3+1=N1
    <- plus-associative-converse* N2+N3+1=N1 N+1+N1=N4 N+1+N2=N5 N5+N3+1=N4
    <- plus-commutative N5+N3+1=N4 N3+1+N5=N4.
%worlds () (shift-preserves-disjoint _ _ _ _).
%total { } (shift-preserves-disjoint _ _ _ _).

%% Converse: disjointness of the shifted maps implies disjointness of the
%% originals, recovering the original head offset by cancellation.
%theorem shift-preserves-disjoint-converse : forall* {N} {M1} {M2} {SM1} {SM2} forall {SA:disjoint SM1 SM2} {S1:shift N M1 SM1} {S2:shift N M2 SM2} exists {A:disjoint M1 M2} true.
- : shift-preserves-disjoint-converse _ shift/0 _ disjoint/L.
- : shift-preserves-disjoint-converse _ _ shift/0 disjoint/R.
%% NOTE(review): the plus-swap-succ-converse subgoal below produces
%% N1+1+N=N4, which no later subgoal of this clause uses; it looks removable.
- : shift-preserves-disjoint-converse (disjoint/< M1*M055 N0+1+N4=N5) (shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5) (disjoint/< M1*M055 N0+1+N1=N2)
    <- plus-commutative N+1+N1=N4 N1+N+1=N4
    <- plus-swap-succ-converse N1+N+1=N4 N1+1+N=N4
    <- plus-associative-converse N1+N+1=N4 N0+1+N4=N5 N2P N0+1+N1=N2P N2P+N+1=N5
    <- plus-commutative N+1+N2=N5 N2+N+1=N5
    <- plus-right-cancels N2P+N+1=N5 N2+N+1=N5 nat`eq/ nat`eq/ N2P=N2
    <- plus-respects-eq N0+1+N1=N2P nat`eq/ nat`eq/ N2P=N2 N0+1+N1=N2.
%% NOTE(review): as in the disjoint/< case, the N2+1+N=N5 produced by
%% plus-swap-succ-converse is not referenced afterwards in this clause.
- : shift-preserves-disjoint-converse (disjoint/> M611*M2 N6+1+N5=N4) (shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5) (disjoint/> M611*M2 N6+1+N2=N1)
    <- plus-commutative N+1+N2=N5 N2+N+1=N5
    <- plus-swap-succ-converse N2+N+1=N5 N2+1+N=N5
    <- plus-associative-converse N2+N+1=N5 N6+1+N5=N4 N1P N6+1+N2=N1P N1P+N+1=N4
    <- plus-commutative N+1+N1=N4 N1+N+1=N4
    <- plus-right-cancels N1P+N+1=N4 N1+N+1=N4 nat`eq/ nat`eq/ N1P=N1
    <- plus-respects-eq N6+1+N2=N1P nat`eq/ nat`eq/ N1P=N1 N6+1+N2=N1.
%worlds () (shift-preserves-disjoint-converse _ _ _ _).
%total { } (shift-preserves-disjoint-converse _ _ _ _).

%% Two singleton maps with different keys are disjoint.
%% NOTE(review): the single clause below is garbled in this copy (nat`ne/<
%% applied to two arguments, and the disjoint/> output can only come from the
%% nat`ne/> case). It reads as two clauses -- one per nat`ne constructor,
%% each obtaining the head offset via gt-implies-plus -- that were merged in
%% extraction. Check the original before trusting the %total below.
%theorem ne-implies-disjoint : forall* {N1} {D1} {N2} {D2} forall {NE:nat`ne N1 N2} exists {D:disjoint (map/+ N1 D1 map/0) (map/+ N2 D2 map/0)} true.
- : ne-implies-disjoint (nat`ne/< N1 N1>N2) (disjoint/> disjoint/R N3+1+N2=N1) <- gt-implies-plus N1>N2 _ N3+1+N2=N1.
%worlds () (ne-implies-disjoint _ _).
%total { } (ne-implies-disjoint _ _).

%%% Theorems about size

%theorem false-implies-size : forall* {M} {N} forall {F:void} exists {SZ:size M N} true.
%worlds () (false-implies-size _ _).
%total { } (false-implies-size _ _).

%% Every map has a size (number of map/+ cells), by structural recursion.
%theorem size-total* : forall {M} exists {N} {MX:size M N} true.
- : size-total* map/0 _ size/0.
- : size-total* _ _ (size/+ SZ)
    <- size-total* _ _ SZ.
%worlds () (size-total* _ _ _).
%total (M) (size-total* M _ _).
%abbrev size-total = size-total* _ _.

%% size is a function of the map.
%theorem size-deterministic : forall* {M1} {M2} {N1} {N2} forall {SZ1:size M1 N1} {SZ2:size M2 N2} {EM:eq M1 M2} exists {EN:nat`eq N1 N2} true.
- : size-deterministic size/0 size/0 eq/ nat`eq/.
- : size-deterministic (size/+ N1=|M1|) (size/+ N2=|M2|) eq/ N1+1=N2+1
    <- size-deterministic N1=|M1| N2=|M2| eq/ N1=N2
    <- succ-deterministic N1=N2 N1+1=N2+1.
%worlds () (size-deterministic _ _ _ _).
%total (S) (size-deterministic S _ _ _).

%%% Theorems about bound

%theorem false-implies-bound : forall* {M} {N} forall {F:void} exists {MX:bound M N} true.
%worlds () (false-implies-bound _ _).
%total { } (false-implies-bound _ _).

%% Every map has a bound; the bound/+ case needs an arbitrary plus witness,
%% supplied by plus-total.
%theorem bound-total* : forall {M} exists {N} {MX:bound M N} true.
- : bound-total* map/0 _ bound/0.
- : bound-total* _ _ (bound/+ P MX)
    <- bound-total* _ _ MX
    <- plus-total P.
%worlds () (bound-total* _ _ _).
%total (M) (bound-total* M _ _).
%abbrev bound-total = bound-total* _ _.

%% Any key at or above a bound of the map is absent from it. The inductive
%% step pushes the key past the head (N = N1+1+M1) and shows the relative
%% key N1 is still >= the tail's bound X1.
%theorem ge-bound-implies-not-member : forall* {M} {X} {N} forall {B:bound M X} {G:nat`ge N X} exists {F:not-member M N} true.
- : ge-bound-implies-not-member bound/0 _ not-member/0.
- : ge-bound-implies-not-member (bound/+ M1+1+X1=X B) N>=X (not-member/> F1 N1+1+M1=N)
    <- nat`ge-implies-plus N>=X Y1 Y1+X=N
    <- nat`plus-commutative M1+1+X1=X X1+M1+1=X
    <- nat`plus-associative-converse X1+M1+1=X Y1+X=N N1 Y1+X1=N1 N1+M1+1=N
    <- plus-swap-succ-converse N1+M1+1=N N1+1+M1=N
    <- plus-implies-ge Y1+X1=N1 N1>=X1
    <- ge-bound-implies-not-member B N1>=X1 F1.
%worlds () (ge-bound-implies-not-member _ _ _).
%total (B) (ge-bound-implies-not-member B _ _).

%%% Theorems about shift

%theorem false-implies-shift : forall* {M} {N} {M'} forall {F:void} exists {S:shift N M M'} true.
%worlds () (false-implies-shift _ _).
%total { } (false-implies-shift _ _).

%theorem shift-respects-eq : forall* {N} {M1} {M2} {N'} {M1'} {M2'} forall {S:shift N M1 M2} {EN:nat`eq N N'} {E1:eq M1 M1'} {E2:eq M2 M2'} exists {S':shift N' M1' M2'} true.
- : shift-respects-eq S nat`eq/ eq/ eq/ S.
%worlds () (shift-respects-eq _ _ _ _ _).
%total { } (shift-respects-eq _ _ _ _ _).

%% shift N M M' is total: the empty map is unchanged and a non-empty map has
%% its head key N2 replaced by N3 = N1+1+N2 (tail untouched).
%theorem shift-total* : forall {N} {M1} exists {M2} {S:shift N M1 M2} true.
- : shift-total* N map/0 map/0 shift/0.
- : shift-total* N1 (map/+ N2 D M) (map/+ N3 D M) (shift/+ N1+1+N2=N3)
    <- plus-total N1+1+N2=N3.
%worlds () (shift-total* _ _ _ _).
%total { } (shift-total* _ _ _ _).
%abbrev shift-total = shift-total* _ _ _.

%theorem shift-deterministic : forall* {N} {M1} {M2} {N'} {M1'} {M2'} forall {S:shift N M1 M2} {S':shift N' M1' M2'} {EN:nat`eq N N'} {EM1:eq M1 M1'} exists {EM2:eq M2 M2'} true.
%% shift is a function: same amount and same input map give equal outputs.
- : shift-deterministic shift/0 shift/0 nat`eq/ eq/ eq/.
- : shift-deterministic (shift/+ N1+1+N2=N3) (shift/+ N1+1+N2=N3') nat`eq/ eq/ E
    <- plus-deterministic N1+1+N2=N3 N1+1+N2=N3' nat`eq/ nat`eq/ N3=N3P
    <- map/+-preserves-eq N3=N3P nat`eq/ eq/ E.
%worlds () (shift-deterministic _ _ _ _ _).
%total { } (shift-deterministic _ _ _ _ _).

%% Composing a shift by N1 and a shift by N2 is a shift by N3 = N1+1+N2.
%% The proof builds a candidate plus witness for the composite head key with
%% plus-total, shows it must equal the given one (plus-deterministic), and
%% rewrites.
%theorem shifts-add : forall* {N1} {N2} {N3} {M0} {M1} {M3} forall {S1:shift N1 M0 M1} {S2:shift N2 M1 M3} {P:plus (s N1) N2 N3} exists {S3:shift N3 M0 M3} true.
- : shifts-add shift/0 shift/0 _ shift/0.
- : shifts-add (shift/+ N1+1+N4=N5) (shift/+ N2+1+N5=N7) N1+1+N2=N3 (shift/+ N3+1+N4=N7)
    <- plus-total N3+1+N4=N7'
    <- plus-swap-succ N3+1+N4=N7' N3+N4+1=N7'
    <- plus-swap-succ N1+1+N2=N3 N1+N2+1=N3
    <- plus-swap-succ N1+1+N4=N5 N1+N4+1=N5
    <- plus-commutative N1+N2+1=N3 N2+1+N1=N3
    <- plus-associative* N2+1+N1=N3 N3+N4+1=N7' N1+N4+1=N5 N2+1+N5=N7'
    <- plus-deterministic N2+1+N5=N7' N2+1+N5=N7 nat`eq/ nat`eq/ N7'=N7
    <- plus-respects-eq N3+1+N4=N7' nat`eq/ nat`eq/ N7'=N7 N3+1+N4=N7.
%worlds () (shifts-add _ _ _ _).
%total { } (shifts-add _ _ _ _).

%% Converse: a shift by N3 = N1+1+N2 factors through an intermediate map.
%% Both factor shifts are obtained from shift-total and then shown to compose
%% to the given shift via shifts-add and determinism of shift.
%theorem shifts-add-converse : forall* {N1} {N2} {N3} {M0} {M3} forall {S3:shift N3 M0 M3} {P:plus (s N1) N2 N3} exists {M1} {S1:shift N1 M0 M1} {S2:shift N2 M1 M3} true.
- : shifts-add-converse S3 P M1 S1 S2
    <- shift-total S1
    <- shift-total S2'
    <- shifts-add S1 S2' P S3'
    <- shift-deterministic S3' S3 nat`eq/ eq/ M3'=M3
    <- shift-respects-eq S2' nat`eq/ eq/ M3'=M3 S2.
%worlds () (shifts-add-converse _ _ _ _ _).
%total { } (shifts-add-converse _ _ _ _ _).

%% If the shifted key N2 = N0+1+N1 is absent from the shifted map, N1 is
%% absent from the original: the left offset N0+1 is cancelled on both sides.
%theorem shift-preserves-not-member-converse* : forall* {M1} {N1} {N2} {M2} {N0} forall {L2:not-member M2 N2} {S:shift N0 M1 M2} {P:plus (s N0) N1 N2} exists {L1:not-member M1 N1} true.
- : shift-preserves-not-member-converse* not-member/0 shift/0 _ not-member/0.
- : shift-preserves-not-member-converse* (not-member/< N1>N) (shift/+ S+1+N2=N1) S+1+N'=N (not-member/< N2>N')
    <- plus-left-cancels-gt S+1+N2=N1 S+1+N'=N nat`eq/ N1>N N2>N'.
- : shift-preserves-not-member-converse* (not-member/> F NX+1+N2=N) (shift/+ S+1+N1=N2) S+1+N'=N (not-member/> F NX+1+N1=N')
    <- plus-commutative S+1+N1=N2 N1+S+1=N2
    <- plus-associative-converse N1+S+1=N2 NX+1+N2=N N'' NX+1+N1=N'' N''+S+1=N
    <- plus-commutative N''+S+1=N S+1+N''=N
    <- plus-left-cancels S+1+N''=N S+1+N'=N nat`eq/ nat`eq/ N''=N'
    <- plus-respects-eq NX+1+N1=N'' nat`eq/ nat`eq/ N''=N' NX+1+N1=N'.
%worlds () (shift-preserves-not-member-converse* _ _ _ _).
%total { } (shift-preserves-not-member-converse* _ _ _ _).

%% A lookup of N1 in M1 becomes a lookup of N2 = N0+1+N1 in the shift of M1
%% by N0. No recursion is needed: only the head key moves, so the tail
%% derivation L is reused and only the first offset is re-derived.
%theorem shift-preserves-lookup : forall* {M1} {N1} {D} {N0} {M2} forall {L1:lookup M1 N1 D} {S:shift N0 M1 M2} exists {N2} {P:plus (s N0) N1 N2} {L2:lookup M2 N2 D} true.
- : shift-preserves-lookup (lookup/= nat`eq/) (shift/+ N0+1+N1=N2) _ N0+1+N1=N2 (lookup/= nat`eq/).
- : shift-preserves-lookup (lookup/> L N3+1+N1=N4) (shift/+ N0+1+N1=N2) _ N0+1+N4=N5 (lookup/> L N3+1+N2=N5)
    <- plus-total N0+1+N4=N5
    <- plus-commutative N3+1+N1=N4 N1+N3+1=N4
    <- plus-associative-converse* N1+N3+1=N4 N0+1+N4=N5 N0+1+N1=N2 N2+N3+1=N5
    <- plus-commutative N2+N3+1=N5 N3+1+N2=N5.
%worlds () (shift-preserves-lookup _ _ _ _ _).
%total { } (shift-preserves-lookup _ _ _ _ _).

%% Same, with the target key N2 given rather than produced.
%theorem shift-preserves-lookup* : forall* {M1} {N1} {D} {N0} {M2} {N2} forall {L1:lookup M1 N1 D} {S:shift N0 M1 M2} {P:plus (s N0) N1 N2} exists {L2:lookup M2 N2 D} true.
- : shift-preserves-lookup* L1 S P L2
    <- shift-preserves-lookup L1 S _ P' L2'
    <- plus-deterministic P' P nat`eq/ nat`eq/ N2'=N2
    <- lookup-respects-eq L2' eq/ N2'=N2 nat`eq/ L2.
%worlds () (shift-preserves-lookup* _ _ _ _).
%total { } (shift-preserves-lookup* _ _ _ _).

%% Converse: every key found in a shifted map is a shifted key of the
%% original (the head key of a shifted map is always at least N0+1).
%theorem shift-preserves-lookup-converse : forall* {M1} {N0} {D} {N2} {M2} forall {L2:lookup M2 N2 D} {S:shift N0 M1 M2} exists {N1} {P:plus (s N0) N1 N2} {L1:lookup M1 N1 D} true.
- : shift-preserves-lookup-converse (lookup/= nat`eq/) (shift/+ N0+1+N1=N2) _ N0+1+N1=N2 (lookup/= nat`eq/).
- : shift-preserves-lookup-converse (lookup/> L N3+1+N2=N5) (shift/+ N0+1+N1=N2) _ N0+1+N4=N5 (lookup/> L N3+1+N1=N4)
    <- plus-commutative N0+1+N1=N2 N1+N0+1=N2
    <- plus-associative-converse N1+N0+1=N2 N3+1+N2=N5 N4 N3+1+N1=N4 N4+N0+1=N5
    <- plus-commutative N4+N0+1=N5 N0+1+N4=N5.
%worlds () (shift-preserves-lookup-converse _ _ _ _ _).
%total { } (shift-preserves-lookup-converse _ _ _ _ _).

%% Same, with the source key N1 given; uses left cancellation of N0+1.
%theorem shift-preserves-lookup-converse* : forall* {M1} {N1} {D} {N2} {M2} {N0} forall {L2:lookup M2 N2 D} {S:shift N0 M1 M2} {P:plus (s N0) N1 N2} exists {L1:lookup M1 N1 D} true.
- : shift-preserves-lookup-converse* L2 S P L1
    <- shift-preserves-lookup-converse L2 S _ P' L1'
    <- plus-left-cancels P' P nat`eq/ nat`eq/ N1'=N1
    <- lookup-respects-eq L1' eq/ N1'=N1 nat`eq/ L1.
%worlds () (shift-preserves-lookup-converse* _ _ _ _).
%total { } (shift-preserves-lookup-converse* _ _ _ _).

%% Shifting does not change the number of entries.
%theorem shift-preserves-size : forall* {M} {N1} {N2} {S2M} forall {SZ:size M N1} {SH:shift N2 M S2M} exists {SHSZ:size S2M N1} true.
- : shift-preserves-size size/0 shift/0 size/0.
- : shift-preserves-size (size/+ SZ) (shift/+ _) (size/+ SZ).
%worlds () (shift-preserves-size _ _ _).
%total { } (shift-preserves-size _ _ _).

%%% Theorems about disjoint?

%% Disjointness is decidable. The two clauses below handle an empty map on
%% either side (forced by the types of disjoint/L and disjoint/R); the
%% non-empty/non-empty case is delegated to /+ which compares head keys.
%% Termination is measured by the sizes S1, S2 of the two tails (rather than
%% the maps themselves) because the recursive calls go through re-keyed maps.
%theorem disjoint?-total* : forall {M1} {M2} exists {B} {D:disjoint? M1 M2 B} true.
- : disjoint?-total* _ _ _ (disjoint?/yes disjoint/L).
- : disjoint?-total* _ _ _ (disjoint?/yes disjoint/R).
%theorem disjoint?-total*/+ : forall* {N1} {D1} {M1} {N2} {D2} {M2} {C} forall {S1} {S2} {SZ1:size M1 S1} {SZ2:size M2 S2} {CMP:nat`compare N1 N2 C} exists {B} {D:disjoint? (map/+ N1 D1 M1) (map/+ N2 D2 M2) B} true.
%% /< and /> lift a decision about the tails (with the larger head re-keyed
%% relative to the smaller one) to a decision about the whole maps: a "yes"
%% is wrapped in disjoint/< (resp. />), a "no" (a shared key) has its lookup
%% on the re-keyed side shifted back to an absolute key.
%theorem disjoint?-total*/< : forall* {N1} {D1} {M1} {N2} {D2} {M2} {N0} {B1} forall {P:plus (s N0) N1 N2} {D?1:disjoint? M1 (map/+ N0 D2 M2) B1} exists {B} {D:disjoint? (map/+ N1 D1 M1) (map/+ N2 D2 M2) B} true.
%theorem disjoint?-total*/> : forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3} {B1} forall {P:plus (s N3) N2 N1} {D?1:disjoint? (map/+ N3 D1 M1) M2 B1} exists {B} {D:disjoint? (map/+ N1 D1 M1) (map/+ N2 D2 M2) B} true.
- : disjoint?-total* _ _ _ D?
    <- size-total SZ1
    <- size-total SZ2
    <- nat`compare-total CMP
    <- disjoint?-total*/+ _ _ SZ1 SZ2 CMP _ D?.
%% Equal heads: that key is in both maps, so "no" with the two head lookups.
- : disjoint?-total*/+ _ _ _ _ (nat`compare/=) _ (disjoint?/no (lookup/= nat`eq/) (lookup/= nat`eq/)).
%% Left head smaller, left tail empty (forced by disjoint/L in the subgoal).
- : disjoint?-total*/+ _ _ _ _ (nat`compare/< N2>N1) _ D?
    <- gt-implies-plus N2>N1 _ N0+1+N1=N2
    <- disjoint?-total*/< N0+1+N1=N2 (disjoint?/yes disjoint/L) _ D?.
%% Left head smaller, left tail non-empty: recurse with the smaller size SZ1.
- : disjoint?-total*/+ _ _ (size/+ SZ1) SZ2 (nat`compare/< N2>N1) _ D?
    <- gt-implies-plus N2>N1 _ N0+1+N1=N2
    <- nat`compare-total CMP
    <- disjoint?-total*/+ _ _ SZ1 SZ2 CMP _ D?1
    <- disjoint?-total*/< N0+1+N1=N2 D?1 _ D?.
- : disjoint?-total*/< N0+1+N1=N2 (disjoint?/yes M1*M022) _ (disjoint?/yes (disjoint/< M1*M022 N0+1+N1=N2)).
- : disjoint?-total*/< N0+1+N1=N2 (disjoint?/no M1^N3=D1 M022^N3=D2) _ (disjoint?/no (lookup/> M1^N3=D1 N3+1+N1=N4) M222^N4=D2)
    <- plus-total N3+1+N1=N4
    <- plus-swap-succ N3+1+N1=N4 N3+N1+1=N4
    <- plus-commutative N3+N1+1=N4 N1+1+N3=N4
    <- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
    <- plus-commutative N0+N1+1=N2 N1+1+N0=N2
    <- shift-preserves-lookup* M022^N3=D2 (shift/+ N1+1+N0=N2) N1+1+N3=N4 M222^N4=D2.
%worlds () (disjoint?-total*/< _ _ _ _).
%total { } (disjoint?-total*/< _ _ _ _).
%% Right head smaller: symmetric to the two compare/< clauses above.
- : disjoint?-total*/+ _ _ _ _ (nat`compare/> N1>N2) _ D?
    <- gt-implies-plus N1>N2 _ N3+1+N2=N1
    <- disjoint?-total*/> N3+1+N2=N1 (disjoint?/yes disjoint/R) _ D?.
- : disjoint?-total*/+ _ _ SZ1 (size/+ SZ2) (nat`compare/> N1>N2) _ D?
    <- gt-implies-plus N1>N2 _ N3+1+N2=N1
    <- nat`compare-total CMP
    <- disjoint?-total*/+ _ _ SZ1 SZ2 CMP _ D?1
    <- disjoint?-total*/> N3+1+N2=N1 D?1 _ D?.
- : disjoint?-total*/> P (disjoint?/yes D) _ (disjoint?/yes (disjoint/> D P)).
- : disjoint?-total*/> N3+1+N2=N1 (disjoint?/no M311^N4=D1 M2^N4=D2) _ (disjoint?/no M111^N5=D1 (lookup/> M2^N4=D2 N4+1+N2=N5))
    <- plus-total N4+1+N2=N5
    <- plus-swap-succ N4+1+N2=N5 N4+N2+1=N5
    <- plus-commutative N4+N2+1=N5 N2+1+N4=N5
    <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
    <- plus-commutative N3+N2+1=N1 N2+1+N3=N1
    <- shift-preserves-lookup* M311^N4=D1 (shift/+ N2+1+N3=N1) N2+1+N4=N5 M111^N5=D1.
%worlds () (disjoint?-total*/> _ _ _ _).
%total { } (disjoint?-total*/> _ _ _ _).
%% [S1 S2] is a simultaneous (not lexicographic) measure: each recursive
%% call decreases one size and leaves the other unchanged.
%worlds () (disjoint?-total*/+ _ _ _ _ _ _ _).
%total [S1 S2] (disjoint?-total*/+ S1 S2 _ _ _ _ _).
%worlds () (disjoint?-total* _ _ _ _).
%total { } (disjoint?-total* _ _ _ _).
%abbrev disjoint?-total = disjoint?-total* _ _ _.

%%% Theorems about update

%theorem false-implies-update : forall* {M} {N} {D} {M'} forall {F:void} exists {U:update M N D M'} true.
%worlds () (false-implies-update _ M^N=D->M').
%total {} (false-implies-update _ _).

%% update respects equality of all arguments; the data D is a nat here
%% (its equality is nat`eq). %reduces records that the output is the input.
%theorem update-respects-eq : forall* {M1} {N} {D} {M2} {M1P} {NP} {DP} {M2P} forall {U:update M1 N D M2} {EM1:eq M1 M1P} {EN:nat`eq N NP} {ED:nat`eq D DP} {EM2:eq M2 M2P} exists {UP:update M1P NP DP M2P} true.
-  : update-respects-eq U eq/ nat`eq/ nat`eq/ eq/ U.
%worlds () (update-respects-eq M1^N=D->M2 M1=M1' N=N' D=D' M2=M2' M1'^N'=D'->M2').
%total {} (update-respects-eq _ _ _ _ _ _).
%reduces U = U' (update-respects-eq U _ _ _ _ U').

%%% technical lemmas to help prove reduction arguments
%% update-eq is a heterogeneous equality on update derivations. Its only use
%% is in update/>-inversion below: in the impossible cases the output
%% derivation is produced from void, and the %reduces U' < U obligation is
%% then discharged by asserting (via meta-update-eq) that the given input is
%% literally update/> U' P, which makes U' a sub-derivation.
update-eq : {M1} {N1} {D1} {M1'} {M2} {N2} {D2} {M2'} update M1 N1 D1 M1' -> update M2 N2 D2 M2' -> type.
update-eq/ : update-eq M1 N1 D1 M1' M1 N1 D1 M1' U U.
%theorem false-implies-update-eq : forall* {M1} {N1} {D1} {M1'} {M2} {N2} {D2} {M2'} {U} {U'} forall {F:void} exists {UE:update-eq M1 N1 D1 M1' M2 N2 D2 M2' U U'} true.
%worlds () (false-implies-update-eq _ _).
%total { } (false-implies-update-eq _ _).
%theorem meta-update-eq : forall* {M1} {N1} {D1} {M1'} {M2} {N2} {D2} {M2'} forall {U} {U'} {UE:update-eq M1 N1 D1 M1' M2 N2 D2 M2' U U'} true.
- : meta-update-eq U U (update-eq/). %worlds () (meta-update-eq _ _ _). %total { } (meta-update-eq _ _ _). %reduces U = U' (meta-update-eq U U' _). %%% inversion lemmas %theorem update/=-inversion : forall* {N1} {D1} {M1} {N2} {D2} {M2} forall {U:update (map/+ N1 D1 M1) N2 D2 M2} {E:nat`eq N1 N2} exists {EM:eq (map/+ N2 D2 M1) M2} true. - : update/=-inversion (update/= nat`eq/) nat`eq/ eq/. - : update/=-inversion (update/< N3+1+N=N) nat`eq/ E <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N <- nat`gt-anti-reflexive N>N F <- false-implies-eq F E. - : update/=-inversion (update/> U1022 N3+1+N=N) nat`eq/ E <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N <- nat`gt-anti-reflexive N>N F <- false-implies-eq F E. %worlds () (update/=-inversion _ _ _). %total { } (update/=-inversion _ _ _). %theorem update/<-inversion: forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3} forall {U:update (map/+ N1 D1 M1) N2 D2 M2} {P:plus (s N3) N2 N1} exists {E:eq (map/+ N2 D2 (map/+ N3 D1 M1)) M2} true. - : update/<-inversion (update/= nat`eq/) N3+1+N=N E <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N <- nat`gt-anti-reflexive N>N F <- false-implies-eq F E. - : update/<-inversion (update/< N3+1+N2=N1) N3P+1+N2=N1 E <- nat`plus-right-cancels N3P+1+N2=N1 N3+1+N2=N1 nat`eq/ nat`eq/ N3P+1=N3+1 <- nat`succ-cancels N3P+1=N3+1 N3P=N3 <- map/+-preserves-eq N3P=N3 nat`eq/ eq/ M311P=M311 <- map/+-preserves-eq nat`eq/ nat`eq/ M311P=M311 E. - : update/<-inversion (update/> _ N0+1+N1=N2) N3+1+N2=N1 E <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2 <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1 <- nat`gt-anti-symmetric N1>N2 N2>N1 F <- false-implies-eq F E. %worlds () (update/<-inversion _ _ _). %total { } (update/<-inversion _ _ _). %theorem update/>-inversion : forall* {N1} {D1} {M1} {N2} {D2} {M} {N0} forall {U:update (map/+ N1 D1 M1) N2 D2 M} {P:plus (s N0) N1 N2} exists {M2} {UP:update M1 N0 D2 M2} {E:eq (map/+ N1 D1 M2) M} true. 
% a little more complex than might be expected % because we want to prove reduction - : update/>-inversion (update/= nat`eq/: update (map/+ N D1 M1) N D2 (map/+ N D2 M1)) N0+1+N=N M1 U' E <- plus-implies-gt N0+1+N=N nat`eq/ N>N <- gt-anti-reflexive N>N F <- false-implies-eq F E <- false-implies-update F U' <- false-implies-update-eq F (UE:update-eq (map/+ N D1 M1) N D2 (map/+ N D2 M1) (map/+ N D1 M1) N D2 (map/+ N D1 M1) _ _) <- meta-update-eq (update/= nat`eq/) (update/> U' N0+1+N=N) UE. - : update/>-inversion (update/< N3+1+N2=N1: update (map/+ N1 D1 M1) _ _ _) N0+1+N1=N2 M1 U' E <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2 <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1 <- nat`gt-anti-symmetric N1>N2 N2>N1 F <- false-implies-update F U' <- false-implies-eq F E <- false-implies-update-eq F (UE:update-eq (map/+ N1 D1 M1) N2 D2 (map/+ N2 D2 (map/+ N3 D1 M1)) (map/+ N1 D1 M1) N2 D2 (map/+ N1 D1 M1) _ _) <- meta-update-eq (update/< N3+1+N2=N1) (update/> U' N0+1+N1=N2) UE. - : update/>-inversion (update/> U N0+1+N1=N2) N0P+1+N1=N2 _ UP eq/ <- nat`plus-right-cancels N0+1+N1=N2 N0P+1+N1=N2 nat`eq/ nat`eq/ N0+1=N0P+1 <- nat`succ-cancels N0+1=N0P+1 N0=N0P <- update-respects-eq U eq/ N0=N0P nat`eq/ eq/ UP. %worlds () (update/>-inversion _ _ _ _ _). %total { } (update/>-inversion _ _ _ _ _). %reduces U' < U (update/>-inversion U _ _ U' _). %theorem update-deterministic : forall* {M1} {N1} {D1} {M1'} {M2} {N2} {D2} {M2'} forall {U1:update M1 N1 D1 M1'} {U2:update M2 N2 D2 M2'} {EM:eq M1 M2} {EN:nat`eq N1 N2} {ED:nat`eq D1 D2} exists {EM':eq M1' M2'} true. - : update-deterministic update/0 update/0 eq/ nat`eq/ nat`eq/ eq/. - : update-deterministic (update/= nat`eq/) (update/= nat`eq/) eq/ nat`eq/ nat`eq/ eq/. 
- : update-deterministic (update/< N3+1+N2=N1) (update/< N3'+1+N2=N1) eq/ nat`eq/ nat`eq/ M1'=M2' <- plus-right-cancels N3+1+N2=N1 N3'+1+N2=N1 nat`eq/ nat`eq/ SN3=SN3' <- succ-cancels SN3=SN3' N3E <- map/+-preserves-eq N3E nat`eq/ eq/ MM1=MM2 <- map/+-preserves-eq nat`eq/ nat`eq/ MM1=MM2 M1'=M2'. - : update-deterministic (update/> F1^N0=D2->F2 N0+1+N1=N2) (update/> F1^N0'=D2->F2' N0'+1+N1=N2) eq/ nat`eq/ nat`eq/ M1'=M2' <- plus-right-cancels N0+1+N1=N2 N0'+1+N1=N2 nat`eq/ nat`eq/ N0+1=N0'+1 <- succ-cancels N0+1=N0'+1 N0=N0' <- update-deterministic F1^N0=D2->F2 F1^N0'=D2->F2' eq/ N0=N0' nat`eq/ F2=F2' <- map/+-preserves-eq nat`eq/ nat`eq/ F2=F2' M1'=M2'. %% contradiction cases: - : update-deterministic (update/= nat`eq/) (update/< N3+1+N=N) eq/ nat`eq/ nat`eq/ E <- plus-implies-gt N3+1+N=N nat`eq/ N>N <- gt-anti-reflexive N>N F <- false-implies-eq F E. - : update-deterministic (update/= nat`eq/) (update/> _ N0+1+N=N) eq/ nat`eq/ nat`eq/ E <- plus-implies-gt N0+1+N=N nat`eq/ N>N <- gt-anti-reflexive N>N F <- false-implies-eq F E. - : update-deterministic (update/< N3+1+N=N) (update/= nat`eq/) eq/ nat`eq/ nat`eq/ E <- plus-implies-gt N3+1+N=N nat`eq/ N>N <- gt-anti-reflexive N>N F <- false-implies-eq F E. - : update-deterministic (update/< N3+1+N2=N1) (update/> _ N0+1+N1=N2) eq/ nat`eq/ nat`eq/ E <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2 <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1 <- nat`gt-anti-symmetric N1>N2 N2>N1 F <- false-implies-eq F E. - : update-deterministic (update/> _ N0+1+N=N) (update/= nat`eq/) eq/ nat`eq/ nat`eq/ E <- plus-implies-gt N0+1+N=N nat`eq/ N>N <- gt-anti-reflexive N>N F <- false-implies-eq F E. - : update-deterministic (update/> _ N0+1+N1=N2) (update/< N3+1+N2=N1) eq/ nat`eq/ nat`eq/ E <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2 <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1 <- nat`gt-anti-symmetric N1>N2 N2>N1 F <- false-implies-eq F E. %worlds () (update-deterministic M1^N1=D1->M1' M2^N2=D2->M2' M1=M2 N1=N2 D1=D2 M1'=M2'). 
%total (U) (update-deterministic U _ _ _ _ _).
%% update is total: for any map, key and datum some updated map exists.
%theorem update-total* :
   forall {M} {N} {D}
   exists {M'} {U:update M N D M'}
   true.
%% we need a mutually recursive lemma
%% (the map/+ case dispatches on the three-way comparison of the two keys)
%theorem update-map/+-total :
   forall {N1} {D1} {M1} {N2} {D2} {C} {CMP:nat`compare N1 N2 C}
   exists {M2} {U:update (map/+ N1 D1 M1) N2 D2 M2}
   true.
- : update-total* map/0 N D (map/+ N D map/0) update/0.
- : update-total* (map/+ N1 D1 M1) N2 D2 M2 U
    <- nat`compare-total* N1 N2 C CMP
    <- update-map/+-total N1 D1 M1 N2 D2 C CMP M2 U.
%% equal keys: overwrite in place
- : update-map/+-total N1 D1 M1 N2 D2 equal CMP (map/+ N2 D2 M1) (update/= N1=N2)
    <- equal-implies-eq CMP N1=N2.
%% N1 < N2: recurse into the tail with the relative key N0
- : update-map/+-total N1 D1 M1 N2 D2 less CMP (map/+ N1 D1 M1') (update/> U1 N0+1+N1=N2)
    <- less-implies-lt CMP N2>N1
    <- gt-implies-plus N2>N1 N0 N0+1+N1=N2
    <- update-total* M1 N0 D2 M1' U1.
%% N1 > N2: insert in front, re-basing the old head key as N3
- : update-map/+-total N1 D1 M1 N2 D2 greater CMP (map/+ N2 D2 (map/+ N3 D1 M1)) (update/< N3+1+N2=N1)
    <- greater-implies-gt CMP N1>N2
    <- gt-implies-plus N1>N2 N3 N3+1+N2=N1.
%worlds () (update-total* M N D M' M^N=D->M') (update-map/+-total _ _ _ _ _ _ _ _ _).
%total (M1 M2) (update-total* M1 _ _ _ _) (update-map/+-total _ _ M2 _ _ _ _ _ _).
%abbrev update-total = update-total* _ _ _ _.
%% writing back a value that is already present is a (no-op) update
%theorem lookup-implies-update :
   forall* {F} {N} {D}
   forall {L:lookup F N D}
   exists {U:update F N D F}
   true.
- : lookup-implies-update (lookup/= nat`eq/) (update/= nat`eq/).
- : lookup-implies-update (lookup/> L P) (update/> U P)
    <- lookup-implies-update L U.
%worlds () (lookup-implies-update _ _).
%total (L) (lookup-implies-update L _).
%% after an update the written key maps to the written datum
%theorem update-implies-lookup :
   forall* {F} {N} {D} {F'}
   forall {U:update F N D F'}
   exists {L:lookup F' N D}
   true.
- : update-implies-lookup update/0 (lookup/= nat`eq/).
- : update-implies-lookup (update/= nat`eq/) (lookup/= nat`eq/).
- : update-implies-lookup (update/< _) (lookup/= nat`eq/).
- : update-implies-lookup (update/> F^N0=D2->F' N0+1+N1=N2) (lookup/> F'^N0=D2 N0+1+N1=N2)
    <- update-implies-lookup F^N0=D2->F' F'^N0=D2.
%worlds () (update-implies-lookup F^N=D->F' F'^N=D).
%total (U) (update-implies-lookup U _).
%% updating key N1 leaves every other key's lookup intact
%theorem update-preserves-lookup :
   forall* {F} {N1} {D1} {F'} {N2} {D2}
   forall {L:lookup F N2 D2} {U:update F N1 D1 F'} {X:nat`ne N2 N1}
   exists {L':lookup F' N2 D2}
   true.
%% update/0 is impossible
%% (a lookup in map/0 cannot exist, so that constructor never matches L)
- : update-preserves-lookup (lookup/= nat`eq/) (update/= nat`eq/) N<>N L'
    <- nat`ne-anti-reflexive N<>N FALSE
    <- false-implies-lookup FALSE L'.
- : update-preserves-lookup (lookup/> L1 P1) (update/= nat`eq/) _ (lookup/> L1 P1).
- : update-preserves-lookup (lookup/= nat`eq/) (update/< N3+1+N2=N1) _ (lookup/> (lookup/= nat`eq/) N3+1+N2=N1).
%% insertion in front: the looked-up key now sits two levels down, so its
%% relative offset has to be re-associated through the new head key N2.
- : update-preserves-lookup (lookup/> L N0+1+N1=N2') (update/< N3+1+N2=N1) _ (lookup/> (lookup/> L N0+1+N3=N4) N4+1+N2=N2')
    <- plus-left-decrease N3+1+N2=N1 N1-1 N1=N1-1+1 N3+N2=N1-1
    <- plus-right-increase N3+N2=N1-1 N3+N2+1=N1-1+1
    <- nat`eq-symmetric N1=N1-1+1 N1-1+1=N1
    <- plus-respects-eq N3+N2+1=N1-1+1 nat`eq/ nat`eq/ N1-1+1=N1 N3+N2+1=N1
    <- plus-associative-converse N3+N2+1=N1 N0+1+N1=N2' N4 N0+1+N3=N4 N4+N2+1=N2'
    <- plus-swap-succ-converse N4+N2+1=N2' N4+1+N2=N2'.
- : update-preserves-lookup (lookup/= nat`eq/) (update/> _ _) _ (lookup/= nat`eq/).
%% both go past the head: the relative keys stay distinct, recurse
- : update-preserves-lookup (lookup/> L N0+1+N1=N2) ((update/> U N0'+1+N1=N2') : update (map/+ N1 D1 M1) N2' D' (map/+ N1 D1 M1')) N2<>N2' ((lookup/> L' N0+1+N1=N2) : lookup (map/+ N1 D1 M1') N2 D)
    <- plus-right-cancels-ne N0+1+N1=N2 N0'+1+N1=N2' nat`eq/ N2<>N2' N0+1<>N0'+1
    <- succ-preserves-ne-converse N0+1<>N0'+1 N0<>N0'
    <- update-preserves-lookup L U N0<>N0' L'.
%worlds () (update-preserves-lookup F^N2=D2 F^N1=D1->F' N1<>N2 F'^N2=D2).
%total (L) (update-preserves-lookup L _ _ _).
%% converse: a lookup of a key other than the updated one in the result map
%% already held in the original map
%theorem update-preserves-lookup-converse :
   forall* {F1} {N1} {D1} {F2} {N2} {D2}
   forall {L2:lookup F2 N2 D2} {U:update F1 N1 D1 F2} {X:nat`ne N2 N1}
   exists {L1:lookup F1 N2 D2}
   true.
- : update-preserves-lookup-converse (lookup/= nat`eq/) update/0 N<>N L1
    <- nat`ne-anti-reflexive N<>N F
    <- false-implies-lookup F L1.
%% the looked-up key is the updated key: contradicts the ne premise
- : update-preserves-lookup-converse (lookup/= nat`eq/) (update/= nat`eq/) N<>N L1
    <- nat`ne-anti-reflexive N<>N F
    <- false-implies-lookup F L1.
- : update-preserves-lookup-converse (lookup/= nat`eq/) (update/< N3+1+N2=N1) N<>N L1
    <- nat`ne-anti-reflexive N<>N F
    <- false-implies-lookup F L1.
- : update-preserves-lookup-converse (lookup/= nat`eq/) (update/> _ _) _ (lookup/= nat`eq/).
- : update-preserves-lookup-converse (lookup/> L1 P) (update/= nat`eq/) _ (lookup/> L1 P).
%% the looked-up key is the old head that update/< pushed down one level
- : update-preserves-lookup-converse (lookup/> (lookup/= nat`eq/) N3+1+N2=N4) (update/< N3+1+N2=N1) _ (lookup/= N1=N4)
    <- plus-deterministic N3+1+N2=N1 N3+1+N2=N4 nat`eq/ nat`eq/ N1=N4.
%% the looked-up key lies below the pushed-down head: collapse the two offsets
- : update-preserves-lookup-converse (lookup/> (lookup/> L1 N6+1+N3=N5) N5+1+N2=N4) (update/< N3+1+N2=N1) _ (lookup/> L1 N6+1+N1=N4)
    <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
    <- plus-swap-succ N5+1+N2=N4 N5+N2+1=N4
    <- plus-associative* N6+1+N3=N5 N5+N2+1=N4 N3+N2+1=N1 N6+1+N1=N4.
- : update-preserves-lookup-converse (lookup/> L2 N5+1+N1=N4) (update/> U1 N0+1+N1=N2) N4<>N2 (lookup/> L1 N5+1+N1=N4)
    <- plus-right-cancels-ne N5+1+N1=N4 N0+1+N1=N2 nat`eq/ N4<>N2 N5+1<>N0+1
    <- succ-preserves-ne-converse N5+1<>N0+1 N5<>N0
    <- update-preserves-lookup-converse L2 U1 N5<>N0 L1.
%worlds () (update-preserves-lookup-converse _ _ _ _).
%total (L) (update-preserves-lookup-converse L _ _ _).
%% a key absent from M1 stays absent after updating a different key N2
%theorem update-preserves-not-member :
   forall* {M1} {N1} {N2} {D} {M2}
   forall {F1:not-member M1 N1} {U:update M1 N2 D M2} {N:nat`ne N1 N2}
   exists {F2:not-member M2 N1}
   true.
%% empty map: the new singleton's key is either above or below N1
- : update-preserves-not-member not-member/0 update/0 (nat`ne/< N>M) (not-member/< N>M).
- : update-preserves-not-member not-member/0 update/0 (nat`ne/> M>N) (not-member/> not-member/0 M1+1+N=M)
    <- gt-implies-plus M>N M1 M1+1+N=M.
- : update-preserves-not-member (not-member/< N>M) (update/= nat`eq/) _ (not-member/< N>M).
- : update-preserves-not-member (not-member/< N1>M) (update/< N3+1+N2=N1) (nat`ne/< N2>M) (not-member/< N2>M).
%% N1 is above the absent key M but the inserted key N2 is below it: M now
%% falls between the new head and the old head, so it is still absent
- : update-preserves-not-member (not-member/< N1>M) (update/< N3+1+N2=N1) (nat`ne/> M>N2) (not-member/> (not-member/< N3>M1) M1+1+N2=M)
    <- gt-implies-plus M>N2 M1 M1+1+N2=M
    <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
    <- plus-swap-succ M1+1+N2=M M1+N2+1=M
    <- plus-right-cancels-gt N3+N2+1=N1 M1+N2+1=M nat`eq/ N1>M N3>M1.
- : update-preserves-not-member (not-member/< N1>M) (update/> _ _) _ (not-member/< N1>M).
- : update-preserves-not-member (not-member/> F P) (update/= nat`eq/) _ (not-member/> F P).
%% insertion in front: re-associate the offset of M through the new head
- : update-preserves-not-member (not-member/> F M1+1+N1=M) (update/< N3+1+N2=N1) _ (not-member/> (not-member/> F M1+1+N3=MM) MM+1+N2=M)
    <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
    <- plus-associative-converse N3+N2+1=N1 M1+1+N1=M MM M1+1+N3=MM MM+N2+1=M
    <- plus-swap-succ-converse MM+N2+1=M MM+1+N2=M.
- : update-preserves-not-member (not-member/> F M1+1+N1=M) (update/> U N0+1+N1=N2) M<>N2 (not-member/> F' M1+1+N1=M)
    <- plus-right-cancels-ne M1+1+N1=M N0+1+N1=N2 nat`eq/ M<>N2 M1+1<>N0+1
    <- succ-preserves-ne-converse M1+1<>N0+1 M1<>N0
    <- update-preserves-not-member F U M1<>N0 F'.
%worlds () (update-preserves-not-member N1-not-member-M1 M1^N2=D->M2 N1<>N2 N1-not-member-M2).
%total (F) (update-preserves-not-member F _ _ _).
%% converse: a key absent after an update was absent before it (no ne premise
%% is needed, since an update never removes a key)
%theorem update-preserves-not-member-converse :
   forall* {M1} {N1} {N2} {D} {M2}
   forall {F1:not-member M2 N1} {U:update M1 N2 D M2}
   exists {F2:not-member M1 N1}
   true.
%% helper: case-split on membership of N1 in M1 and on N1 = N2
%% NOTE(review): the name D is bound twice here, once in forall* and again for
%% the member? evidence in forall; the proof relies on Twelf's shadowing.
%theorem update-preserves-not-member-converse-helper :
   forall* {M1} {N1} {N2} {D} {M2} {B} {B2}
   forall {F1:not-member M2 N1} {U:update M1 N2 D M2} {D:member? M1 N1 B} {E:nat`eq? N1 N2 B2}
   exists {F2:not-member M1 N1}
   true.
- : update-preserves-not-member-converse-helper _ _ (member?/out F) _ F.
%% N1 was present and differs from N2: it would survive the update,
%% contradicting its absence from M2
- : update-preserves-not-member-converse-helper F2 U (member?/in L1) (nat`eq?/no N) F1
    <- update-preserves-lookup L1 U N L2
    <- not-member-lookup-not-equal F2 L2 N<>N
    <- nat`ne-anti-reflexive N<>N F
    <- false-implies-not-member F F1.
%% N1 = N2: the updated key is present in M2, contradicting its absence
- : update-preserves-not-member-converse-helper F2 U _ nat`eq?/yes F1
    <- update-implies-lookup U L2
    <- not-member-lookup-not-equal F2 L2 N<>N
    <- nat`ne-anti-reflexive N<>N F
    <- false-implies-not-member F F1.
%worlds () (update-preserves-not-member-converse-helper _ _ _ _ _).
%total { } (update-preserves-not-member-converse-helper _ _ _ _ _).
- : update-preserves-not-member-converse F2 U F1
    <- member?-total D
    <- nat`eq?-total E
    <- update-preserves-not-member-converse-helper F2 U D E F1.
%worlds () (update-preserves-not-member-converse _ _ _).
%total { } (update-preserves-not-member-converse _ _ _).
%% if a key absent before the update is present afterwards, then it is the
%% updated key and carries the written datum
%theorem update-is-cause-of-change :
   forall* {M1} {N1} {N2} {M2} {D1} {D2}
   forall {F:not-member M1 N1} {U:update M1 N2 D2 M2} {L:lookup M2 N1 D1}
   exists {EN:nat`eq N1 N2} {ED:nat`eq D1 D2}
   true.
%% helper, case-split on the decidable N1 = N2
%theorem update-is-cause-of-change/L :
   forall* {M1} {N1} {N2} {M2} {D1} {D2} {B}
   forall {F:not-member M1 N1} {U:update M1 N2 D2 M2} {L:lookup M2 N1 D1} {E:nat`eq? N1 N2 B}
   exists {EN:nat`eq N1 N2} {ED:nat`eq D1 D2}
   true.
- : update-is-cause-of-change F U L EN ED
    <- nat`eq?-total E?
    <- update-is-cause-of-change/L F U L E? EN ED.
- : update-is-cause-of-change/L F U L (nat`eq?/yes) nat`eq/ ED
    <- update-implies-lookup U L'
    <- lookup-deterministic L L' eq/ nat`eq/ ED.
%% N1 differs from N2: N1 would still be absent, contradicting the lookup
- : update-is-cause-of-change/L F U L (nat`eq?/no N1<>N2) EN ED
    <- update-preserves-not-member F U N1<>N2 F'
    <- not-member-lookup-not-equal F' L N1<>N1
    <- nat`ne-anti-reflexive N1<>N1 V
    <- nat`false-implies-eq V EN
    <- nat`false-implies-eq V ED.
%worlds () (update-is-cause-of-change/L _ _ _ _ _ _).
%total { } (update-is-cause-of-change/L _ _ _ _ _ _).
%worlds () (update-is-cause-of-change _ _ _ _ _).
%total { } (update-is-cause-of-change _ _ _ _ _).
%% the decidable membership bit of any other key is unchanged by an update
%theorem update-preserves-membership :
   forall* {M1} {N1} {B} {N2} {D} {M2}
   forall {MD1:member? M1 N1 B} {U:update M1 N2 D M2} {N:nat`ne N1 N2}
   exists {MD2:member? M2 N1 B}
   true.
- : update-preserves-membership (member?/in L) U NE (member?/in L')
    <- update-preserves-lookup L U NE L'.
- : update-preserves-membership (member?/out F) U NE (member?/out F')
    <- update-preserves-not-member F U NE F'.
%worlds () (update-preserves-membership _ _ _ _).
%total {} (update-preserves-membership _ _ _ _).
%% converse direction of update-preserves-membership
%theorem update-preserves-membership-converse :
   forall* {M1} {N1} {B} {N2} {D} {M2}
   forall {MD2:member? M2 N1 B} {U:update M1 N2 D M2} {N:nat`ne N1 N2}
   exists {MD1:member? M1 N1 B}
   true.
- : update-preserves-membership-converse (member?/in L2) U NE (member?/in L1)
    <- update-preserves-lookup-converse L2 U NE L1.
- : update-preserves-membership-converse (member?/out F2) U NE (member?/out F1)
    <- update-preserves-not-member-converse F2 U F1.
%worlds () (update-preserves-membership-converse _ _ _ _).
%total { } (update-preserves-membership-converse _ _ _ _).
%% overwriting a key that is already present changes no membership bit
%% (here no ne premise is needed: the lookup L shows N2 was already present)
%theorem lookup-update-preserves-membership :
   forall* {M1} {N1} {B} {N2} {D1} {D2} {M2}
   forall {MD1:member? M1 N1 B} {L:lookup M1 N2 D1} {U:update M1 N2 D2 M2}
   exists {MD2:member? M2 N1 B}
   true.
%% helper, case-split on the decidable N1 = N2
%theorem lookup-update-preserves-membership/L :
   forall* {M1} {N1} {B} {N2} {D1} {D2} {M2} {B2}
   forall {MD1:member? M1 N1 B} {L:lookup M1 N2 D1} {U:update M1 N2 D2 M2} {EQ?:nat`eq? N1 N2 B2}
   exists {MD2:member? M2 N1 B}
   true.
- : lookup-update-preserves-membership/L MD1 _ Ux1 (nat`eq?/no N1<>N2) MD2
    <- update-preserves-membership MD1 Ux1 N1<>N2 MD2.
- : lookup-update-preserves-membership/L (member?/in _) _ U (nat`eq?/yes) (member?/in L2)
    <- update-implies-lookup U L2.
%% N1 = N2 but N1 absent: contradicts the lookup of N2
- : lookup-update-preserves-membership/L (member?/out F1) L1 _ nat`eq?/yes (member?/out F2)
    <- not-member-lookup-not-equal F1 L1 NE
    <- nat`ne-anti-reflexive NE F
    <- false-implies-not-member F F2.
%worlds () (lookup-update-preserves-membership/L _ _ _ _ _).
%total { } (lookup-update-preserves-membership/L _ _ _ _ _).
- : lookup-update-preserves-membership MD1 L1 U MD2
    <- nat`eq?-total EQ?
    <- lookup-update-preserves-membership/L MD1 L1 U EQ? MD2.
%worlds () (lookup-update-preserves-membership _ _ _ _).
%total { } (lookup-update-preserves-membership _ _ _ _).
%% converse, proved by totality of member? plus determinism rather than by
%% a new case analysis.  (Note the naming: here MD1 is the membership in M2
%% and MD2 the one in M1, the reverse of the non-converse theorem.)
%theorem lookup-update-preserves-membership-converse :
   forall* {M1} {N1} {B} {N2} {D1} {D2} {M2}
   forall {MD1:member? M2 N1 B} {L:lookup M1 N2 D1} {U:update M1 N2 D2 M2}
   exists {MD2:member? M1 N1 B}
   true.
- : lookup-update-preserves-membership-converse MD2 ML MU MD1
    <- member?-total MD1'
    <- lookup-update-preserves-membership MD1' ML MU MD2'
    <- member?-deterministic MD2' MD2 eq/ nat`eq/ B'=B
    <- member?-respects-eq MD1' eq/ nat`eq/ B'=B MD1.
%worlds () (lookup-update-preserves-membership-converse _ _ _ _).
%total { } (lookup-update-preserves-membership-converse _ _ _ _).
%% a present key stays present under any update (no ne premise: if the
%% updated key is N1 itself it is still present afterwards)
%theorem update-preserves-in-member :
   forall* {M1} {N1} {N2} {D} {M2}
   forall {MD1:member? M1 N1 true} {U:update M1 N2 D M2}
   exists {MD2:member? M2 N1 true}
   true.
%theorem update-preserves-in-member/L :
   forall* {M1} {N1} {N2} {D} {M2} {B}
   forall {MD1:member? M1 N1 true} {U:update M1 N2 D M2} {E: nat`eq? N1 N2 B}
   exists {MD2:member? M2 N1 true}
   true.
- : update-preserves-in-member/L (member?/in ML1) U (nat`eq?/no N1<>N2) (member?/in ML2)
    <- update-preserves-lookup ML1 U N1<>N2 ML2.
- : update-preserves-in-member/L _ U (nat`eq?/yes) (member?/in ML)
    <- update-implies-lookup U ML.
%worlds () (update-preserves-in-member/L _ _ _ _).
%total { } (update-preserves-in-member/L _ _ _ _).
- : update-preserves-in-member MD1 U MD2
    <- nat`eq?-total E
    <- update-preserves-in-member/L MD1 U E MD2.
%worlds () (update-preserves-in-member _ _ _).
%total { } (update-preserves-in-member _ _ _).
%% shifting a map by N0 commutes with updating: the updated key moves to
%% (s N0)+N1 and the shifted result is the update of the shifted map
%theorem shift-preserves-update :
   forall* {M1} {N1} {D} {M1'} {N0} {M2}
   forall {U1:update M1 N1 D M1'} {S:shift N0 M1 M2}
   exists {N2} {M2'} {P:plus (s N0) N1 N2} {SS:shift N0 M1' M2'} {U2:update M2 N2 D M2'}
   true.
- : shift-preserves-update update/0 shift/0 _ _ P (shift/+ P) update/0
    <- plus-total P.
- : shift-preserves-update (update/= nat`eq/) (shift/+ P) _ _ P (shift/+ P) (update/= nat`eq/).
%% insertion in front: only the new head key is shifted, the re-based old
%% head offset N4 is unchanged
- : shift-preserves-update (update/< N4+1+N1=N3) (shift/+ N0+1+N3=N5) _ _ N0+1+N1=N2 (shift/+ N0+1+N1=N2) (update/< N4+1+N2=N5)
    <- plus-commutative N4+1+N1=N3 N1+N4+1=N3
    <- plus-associative-converse N1+N4+1=N3 N0+1+N3=N5 _ N0+1+N1=N2 N2+N4+1=N5
    <- plus-commutative N2+N4+1=N5 N4+1+N2=N5.
%% update below the head: the inner update U is reused as-is since the tail
%% is stored relative to the head key
- : shift-preserves-update (update/> U N4+1+N3=N1) (shift/+ N0+1+N3=N5) _ _ N0+1+N1=N2 (shift/+ N0+1+N3=N5) (update/> U N4+1+N5=N2)
    <- plus-total N0+1+N1=N2
    <- plus-commutative N4+1+N3=N1 N3+N4+1=N1
    <- plus-associative-converse* N3+N4+1=N1 N0+1+N1=N2 N0+1+N3=N5 N5+N4+1=N2
    <- plus-commutative N5+N4+1=N2 N4+1+N5=N2.
%worlds () (shift-preserves-update _ _ _ _ _ _ _).
%total { } (shift-preserves-update _ _ _ _ _ _ _).
%% same, with the shifted key and shifted result given as inputs
%theorem shift-preserves-update* :
   forall* {M1} {N1} {D} {M1'} {N0} {M2} {N2} {M2'}
   forall {U1:update M1 N1 D M1'} {S:shift N0 M1 M2} {P:plus (s N0) N1 N2} {SS:shift N0 M1' M2'}
   exists {U2:update M2 N2 D M2'}
   true.
- : shift-preserves-update* U1 S P SS U2
    <- shift-preserves-update U1 S _ _ P' SS' U2'
    <- plus-deterministic P' P nat`eq/ nat`eq/ N2'=N2
    <- shift-deterministic SS' SS nat`eq/ eq/ M2'=M2
    <- update-respects-eq U2' eq/ N2'=N2 nat`eq/ M2'=M2 U2.
%worlds () (shift-preserves-update* _ _ _ _ _).
%total { } (shift-preserves-update* _ _ _ _ _).
%% converse: an update of the shifted map at a shifted key comes from an
%% update of the original map.  Proved via totality + determinism.
%theorem shift-preserves-update-converse :
   forall* {M1} {N1} {D} {N0} {M2} {N2} {M2'}
   forall {U2:update M2 N2 D M2'} {S:shift N0 M1 M2} {P:plus (s N0) N1 N2}
   exists {M1'} {SS:shift N0 M1' M2'} {U1:update M1 N1 D M1'}
   true.
- : shift-preserves-update-converse U2 S P _ SS U1
    <- update-total U1
    <- shift-preserves-update U1 S _ _ P' SS' U2'
    <- plus-deterministic P' P nat`eq/ nat`eq/ N2'=N2
    <- update-deterministic U2' U2 eq/ N2'=N2 nat`eq/ M2'=M2
    <- shift-respects-eq SS' nat`eq/ eq/ M2'=M2 SS.
%worlds () (shift-preserves-update-converse _ _ _ _ _ _).
%total { } (shift-preserves-update-converse _ _ _ _ _ _).
%% two successive updates of the same key collapse to one update with the
%% second datum
%theorem update-overwrites :
   forall* {M1} {N1} {D1} {M2} {N2} {D2} {M3}
   forall {U1:update M1 N1 D1 M2} {U2:update M2 N2 D2 M3} {E:nat`eq N1 N2}
   exists {U12:update M1 N1 D2 M3}
   true.
- : update-overwrites (update/0) (update/= nat`eq/) nat`eq/ (update/0).
- : update-overwrites (update/= nat`eq/) (update/= nat`eq/) nat`eq/ (update/= nat`eq/).
- : update-overwrites (update/< P) (update/= nat`eq/) nat`eq/ (update/< P).
%% both updates go past the head: identify the relative keys and recurse
- : update-overwrites (update/> U1 P) (update/> U2 P') nat`eq/ (update/> U3 P)
    <- plus-right-cancels P P' nat`eq/ nat`eq/ N0+1=N0'+1
    <- succ-cancels N0+1=N0'+1 N0=N0'
    <- update-overwrites U1 U2 N0=N0' U3.
%% contradiction cases
%% (after U1 the key N1 is the head of M2, so U2 at the same key can only be
%% update/=; the other constructors force N = N3+1+N or N = N0+1+N)
- : update-overwrites (update/0) (update/< N3+1+N=N) nat`eq/ U
    <- plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-update F U.
- : update-overwrites (update/0) (update/> _ N0+1+N=N) nat`eq/ U
    <- plus-implies-gt N0+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-update F U.
- : update-overwrites (update/= nat`eq/) (update/< N3+1+N=N) nat`eq/ U
    <- plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-update F U.
- : update-overwrites (update/= nat`eq/) (update/> _ N0+1+N=N) nat`eq/ U
    <- plus-implies-gt N0+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-update F U.
- : update-overwrites (update/< _) (update/< N3+1+N=N) nat`eq/ U
    <- plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-update F U.
- : update-overwrites (update/< _) (update/> _ N0+1+N=N) nat`eq/ U
    <- plus-implies-gt N0+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-update F U.
- : update-overwrites (update/> _ N0+1+N=N) (update/= nat`eq/) nat`eq/ U
    <- plus-implies-gt N0+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-update F U.
%% last contradiction case: N1>N2 and N2>N1 cannot both hold
- : update-overwrites (update/> _ N0+1+N1=N2) (update/< N3+1+N2=N1) nat`eq/ U
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- nat`gt-anti-symmetric N1>N2 N2>N1 F
    <- false-implies-update F U.
%worlds () (update-overwrites M1^N1=D1->M2 M2^N2=D2->M3 N1=N2 M1^N1=D2->M3).
%total (U) (update-overwrites U _ _ _).
%% converse: any single update at N1 can be factored through an intermediate
%% update at N1 with another datum.  Proved via totality + determinism.
%theorem update-overwrites-converse :
   forall* {M1} {N1} {D1} {M2} {D2} {M3}
   forall {U12:update M1 N1 D1 M3} {U1:update M1 N1 D2 M2}
   exists {U2:update M2 N1 D1 M3}
   true.
- : update-overwrites-converse U12 U1 U2
    <- update-total U2P
    <- update-overwrites U1 U2P nat`eq/ U12P
    <- update-deterministic U12P U12 eq/ nat`eq/ nat`eq/ M2P=M2
    <- update-respects-eq U2P eq/ nat`eq/ nat`eq/ M2P=M2 U2.
%worlds () (update-overwrites-converse _ _ _).
%total { } (update-overwrites-converse _ _ _).
%% writing the datum a key already holds yields an equal map
%theorem update-may-have-no-effect :
   forall* {M1} {N} {D} {M2}
   forall {L:lookup M1 N D} {U:update M1 N D M2}
   exists {E:eq M1 M2}
   true.
- : update-may-have-no-effect (lookup/= nat`eq/) U E
    <- update/=-inversion U nat`eq/ E.
%% the inversion lemma exposes the inner update U1, which is strictly smaller
%% (see the %reduces on update/>-inversion), so the recursion is well-founded
- : update-may-have-no-effect (lookup/> L1 N0+1+N1=N2) U E
    <- update/>-inversion U N0+1+N1=N2 _ U1 M112=M2
    <- update-may-have-no-effect L1 U1 M1=M2
    <- map/+-preserves-eq nat`eq/ nat`eq/ M1=M2 M111=M112
    <- eq-transitive M111=M112 M112=M2 E.
%worlds () (update-may-have-no-effect _ _ _).
%total (L) (update-may-have-no-effect L _ _).
%% repeating an update with the same key and datum changes nothing
%theorem update-idempotent :
   forall* {M1} {N1} {D1} {M2} {N2} {D2} {M3}
   forall {U1:update M1 N1 D1 M2} {U2:update M2 N2 D2 M3} {EN:nat`eq N1 N2} {ED:nat`eq D1 D2}
   exists {EM:eq M2 M3}
   true.
- : update-idempotent U1 U2 nat`eq/ nat`eq/ M2=M3
    <- update-overwrites U1 U2 nat`eq/ M1^N=D->M3
    <- update-deterministic U1 M1^N=D->M3 eq/ nat`eq/ nat`eq/ M2=M3.
%worlds () (update-idempotent M1^N1=D1->M2 M2^N2=D2->M3 N1=N2 D1=D2 M2=M3).
%total {} (update-idempotent _ _ _ _ _).
%% updates of two distinct keys can be performed in either order and reach
%% the same map M12
%theorem update-commutes :
   forall* {M} {N1} {D1} {M1} {N2} {D2} {M12}
   forall {U1:update M N1 D1 M1} {U12:update M1 N2 D2 M12} {NE:nat`ne N1 N2}
   exists {M2} {U2:update M N2 D2 M2} {U21:update M2 N1 D1 M12}
   true.
%% U12 = update/= means the second update hit the key just written, which the
%% ne premise rules out; the outputs are filled from void
- : update-commutes update/0 (update/= nat`eq/) N<>N map/0 U2 U21
    <- nat`ne-anti-reflexive N<>N F
    <- false-implies-update F U2
    <- false-implies-update F U21.
- : update-commutes update/0 (update/< N'+1+N2=N1) _ _ update/0 (update/> update/0 N'+1+N2=N1).
- : update-commutes update/0 (update/> update/0 N'+1+N1=N2) _ _ update/0 (update/< N'+1+N1=N2).
- : update-commutes (update/= nat`eq/) (update/= nat`eq/) N<>N map/0 U2 U21
    <- nat`ne-anti-reflexive N<>N F
    <- false-implies-update F U2
    <- false-implies-update F U21.
- : update-commutes (update/= nat`eq/) (update/< N'+1+N2=N1) _ _ (update/< N'+1+N2=N1) (update/> (update/= nat`eq/) N'+1+N2=N1).
- : update-commutes (update/= nat`eq/) (update/> U N'+1+N1=N2) _ _ (update/> U N'+1+N1=N2) (update/= nat`eq/).
- : update-commutes (update/< _) (update/= nat`eq/) N<>N map/0 U2 U21
    <- nat`ne-anti-reflexive N<>N F
    <- false-implies-update F U2
    <- false-implies-update F U21.
%% two insertions in front, second key below the first: re-associate the
%% offsets so the first insertion becomes a re-based insertion in the tail
- : update-commutes (update/< N1'+1+N1=N) (update/< N2'+1+N2=N1) _ _ (update/< N2''+1+N2=N) (update/> (update/< N1'+1+N2'=N2'') N2'+1+N2=N1)
    <- plus-swap-succ N2'+1+N2=N1 N2'+N2+1=N1
    <- plus-associative-converse N2'+N2+1=N1 N1'+1+N1=N N2'' N1'+1+N2'=N2'' N2''+N2+1=N
    <- plus-swap-succ-converse N2''+N2+1=N N2''+1+N2=N.
%% insertion in front followed by an overwrite of the pushed-down old head
- : update-commutes ((update/< N11+1+N1=N):update (map/+ N D M) _ _ _) (update/> (update/= nat`eq/) N11+1+N1=N2) _ (map/+ N2 D2 M) (update/= N=N2) ((update/< N11+1+N1=N2):update _ N1 D1 _)
    <- plus-deterministic N11+1+N1=N N11+1+N1=N2 nat`eq/ nat`eq/ N=N2.
%% insertion in front, then an insertion between the new head and the old one
- : update-commutes (update/< N11+1+N1=N) (update/> (update/< N2''+1+N2'=N11) N2'+1+N1=N2) _ _ (update/< N2''+1+N2=N) (update/< N2'+1+N1=N2)
    <- plus-swap-succ N11+1+N1=N N11+N1+1=N
    <- plus-swap-succ N2'+1+N1=N2 N2'+N1+1=N2
    <- plus-associative* N2''+1+N2'=N11 N11+N1+1=N N2'+N1+1=N2 N2''+1+N2=N.
%% insertion in front, then an update below the old head
- : update-commutes (update/< N11+1+N1=N) (update/> (update/> U N2''+1+N11=N2') N2'+1+N1=N2) _ _ (update/> U N2''+1+N=N2) (update/< N11+1+N1=N)
    <- plus-swap-succ N11+1+N1=N N11+N1+1=N
    <- plus-swap-succ N2'+1+N1=N2 N2'+N1+1=N2
    <- plus-associative* N2''+1+N11=N2' N2'+N1+1=N2 N11+N1+1=N N2''+1+N=N2.
- : update-commutes (update/> U N11+1+N=N1) (update/= nat`eq/) _ _ (update/= nat`eq/) (update/> U N11+1+N=N1).
%% update below the head, then an insertion in front: the earlier update's
%% offset is re-based through the new head
- : update-commutes (update/> U N11+1+N=N1) (update/< N2'+1+N2=N) _ _ (update/< N2'+1+N2=N) (update/> (update/> U N11+1+N2'=N11') N11'+1+N2=N1)
    <- plus-swap-succ N2'+1+N2=N N2'+N2+1=N
    <- plus-associative-converse N2'+N2+1=N N11+1+N=N1 N11' N11+1+N2'=N11' N11'+N2+1=N1
    <- plus-swap-succ-converse N11'+N2+1=N1 N11'+1+N2=N1.
%% both below the head: the relative keys stay distinct, recurse on the tail
- : update-commutes (update/> U1 N11+1+N=N1) (update/> U12 N2'+1+N=N2) N1<>N2 (map/+ N D M2) (update/> U2 N2'+1+N=N2) (update/> U21 N11+1+N=N1)
    <- plus-right-cancels-ne N11+1+N=N1 N2'+1+N=N2 nat`eq/ N1<>N2 N11+1<>N2'+1
    <- succ-preserves-ne-converse N11+1<>N2'+1 N11<>N2'
    <- update-commutes U1 U12 N11<>N2' M2 U2 U21.
%worlds () (update-commutes M^N1=D1->M1 M1^D2=N2->M12 N1<>N2 M2 M^N2=D2->M2 M2^N1=D1->M12).
%total (U1) (update-commutes U1 _ _ _ _ _).
%% same, with the intermediate map M2 and its update U2 given as inputs
%theorem update-commutes* :
   forall* {M} {N1} {D1} {M1} {N2} {D2} {M12} {M2}
   forall {U1:update M N1 D1 M1} {U12:update M1 N2 D2 M12} {NE:nat`ne N1 N2} {U2:update M N2 D2 M2}
   exists {U21:update M2 N1 D1 M12}
   true.
- : update-commutes* M^N1=D1->M1 M1^D2=N2->M12 N1<>N2 M^N2=D2->M2 M2^N1=D1->M12
    <- update-commutes M^N1=D1->M1 M1^D2=N2->M12 N1<>N2 M2' M^N2=D2->M2' M2'^N1=D1->M12
    <- update-deterministic M^N2=D2->M2' M^N2=D2->M2 eq/ nat`eq/ nat`eq/ M2'=M2
    <- update-respects-eq M2'^N1=D1->M12 M2'=M2 nat`eq/ nat`eq/ eq/ M2^N1=D1->M12.
%worlds () (update-commutes* M^N1=D1->M1 M1^D2=N2->M12 N1<>N2 M^N2=D2->M2 M2^N1=D1->M12).
%total {} (update-commutes* _ _ _ _ _).
%% The following theorem is needed if you want to iteratively
%% do something with a set. It says that you can take out an element
%% and (using the update-preserves-X-converse theorems) get a smaller set
%% that differs only for this element:
%% Given a map of size S containing key N, produce a map M- of size S-1 that
%% lacks N and from which a single update at N rebuilds M.
%theorem can-remove :
   forall* {M} {S} {N} {D}
   forall {SZ:size M S} {L:lookup M N D}
   exists {M-} {S-} {SZ-:size M- S-} {E:nat`eq (s S-) S} {U:update M- N D M} {F:not-member M- N}
   true.
%% singleton map: removing its only key gives map/0
- : can-remove (size/+ _) (lookup/= _) _ _ size/0 nat`eq/ update/0 not-member/0.
%% key is the head of a map with a tail: the tail's head must be re-based
- : can-remove (size/+ (size/+ SZ)) (lookup/= nat`eq/) _ _ (size/+ SZ) nat`eq/ (update/< N3+1+N2=N1) (not-member/< N1>N2)
    <- plus-total N3+1+N2=N1
    <- plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2.
%% key is in the tail: recurse and keep the head
- : can-remove (size/+ SZ) (lookup/> LK N0+1+N1=N2) _ _ (size/+ SZ2) E (update/> U2 N0+1+N1=N2) (not-member/> F2 N0+1+N1=N2)
    <- can-remove SZ LK M- S- SZ2 E2 U2 F2
    <- succ-deterministic E2 E.
%worlds () (can-remove _ _ _ _ _ _ _ _).
%total (L) (can-remove _ L _ _ _ _ _ _).
%%%% Map comparison
%%% Definition of leq
%% leq M1 M2: every key of M1 is present in M2 with a datum at least as
%% large (keys of M2 not in M1 are skipped via leq/>, which re-bases the
%% head of M1 relative to the skipped key of M2).
leq : map -> map -> type.
leq/0 : leq map/0 M.
leq/= : leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)
   <- nat`eq N1 N2
   <- nat`leq D1 D2
   <- leq M1 M2.
leq/> : leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)
   <- nat`plus (s N3) N2 N1
   <- leq (map/+ N3 D1 M1) M2.
%%% Theorems about leq
%theorem false-implies-leq :
   forall* {M1} {M2}
   forall {F:void}
   exists {L:leq M1 M2}
   true.
%worlds () (false-implies-leq _ _).
%total {} (false-implies-leq _ _).
%% leq is stable under equality of its arguments (eq/ makes this trivial)
%theorem leq-respects-eq :
   forall* {M1} {M2} {M1'} {M2'}
   forall {L:leq M1 M2} {E1:eq M1 M1'} {E2:eq M2 M2'}
   exists {LP:leq M1' M2'}
   true.
- : leq-respects-eq L eq/ eq/ L.
%worlds () (leq-respects-eq _ _ _ _).
%total {} (leq-respects-eq _ _ _ _).
%reduces L1 = L2 (leq-respects-eq L1 _ _ L2).
%% only map/0 is below map/0
%theorem leq/0-inversion :
   forall* {M1} {M2}
   forall {L:leq M1 M2} {E2:eq M2 map/0}
   exists {E1:eq M1 map/0}
   true.
- : leq/0-inversion leq/0 eq/ eq/.
%worlds () (leq/0-inversion _ _ _).
%total { } (leq/0-inversion _ _ _).
%% inversion for equal head keys: the data and the tails are ordered too.
%% The leq/> case is contradictory (it needs N = N3+1+N).
%theorem leq/=-inversion :
   forall* {N1} {D1} {M1} {N2} {D2} {M2}
   forall {L:leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)} {EN:nat`eq N1 N2}
   exists {ED:nat`leq D1 D2} {EM:leq M1 M2}
   true.
- : leq/=-inversion (leq/= M1<=M2 D1<=D2 nat`eq/) nat`eq/ D1<=D2 M1<=M2.
- : leq/=-inversion (leq/> M311<=M2 N3+1+N=N) nat`eq/ ED M1<=M2
    <- plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- nat`false-implies-leq F ED
    <- false-implies-eq F M311=M1
    <- leq-respects-eq M311<=M2 M311=M1 eq/ M1<=M2.
%worlds () (leq/=-inversion _ _ _ _).
%total { } (leq/=-inversion _ _ _ _).
%reduces L1 < L (leq/=-inversion L _ _ L1).
%% inversion for a strictly larger left head key: recover the re-based
%% comparison with the right tail.  The leq/= case is contradictory.
%theorem leq/>-inversion :
   forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3}
   forall {L:leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)} {P:plus (s N3) N2 N1}
   exists {EM:leq (map/+ N3 D1 M1) M2}
   true.
- : leq/>-inversion (leq/= M1<=M2 D1<=D2 nat`eq/) N3+1+N=N M311<=M2
    <- plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eq F M1=M311
    <- leq-respects-eq M1<=M2 M1=M311 eq/ M311<=M2.
- : leq/>-inversion (leq/> M311'<=M2 N3P+1+N2=N1) N3+1+N2=N1 M311<=M2
    <- plus-right-cancels N3P+1+N2=N1 N3+1+N2=N1 nat`eq/ nat`eq/ N3P+1=N3+1
    <- succ-cancels N3P+1=N3+1 N3P=N3
    <- map/+-preserves-eq N3P=N3 nat`eq/ eq/ M311'=M311
    <- leq-respects-eq M311'<=M2 M311'=M311 eq/ M311<=M2.
%worlds () (leq/>-inversion _ _ _).
%total { } (leq/>-inversion _ _ _).
%reduces LP < L (leq/>-inversion L _ LP).
%% a map whose head key is strictly smaller than the other map's head key
%% cannot be leq it (the left head would have no counterpart on the right)
%theorem leq-contradiction :
   forall* {N1} {D1} {M1} {N2} {D2} {M2} {N0}
   forall {L:leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)} {P:plus (s N0) N1 N2}
   exists {F:void}
   true.
- : leq-contradiction (leq/= _ _ nat`eq/) N0+1+N=N F
    <- plus-implies-gt N0+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F.
- : leq-contradiction (leq/> _ N3+1+N2=N1) N0+1+N1=N2 F
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- nat`gt-anti-symmetric N1>N2 N2>N1 F.
%worlds () (leq-contradiction _ _ _).
%total { } (leq-contradiction _ _ _).
%% leq is a preorder: reflexive ...
%theorem leq-reflexive :
   forall {M}
   exists {L:leq M M}
   true.
- : leq-reflexive map/0 leq/0.
- : leq-reflexive (map/+ N D M) (leq/= M<=M D<=D nat`eq/)
    <- nat`leq-reflexive D D<=D
    <- leq-reflexive M M<=M.
%worlds () (leq-reflexive _ _).
%total (M) (leq-reflexive M _).
%% ... anti-symmetric (so it is in fact a partial order) ...
%% Mixed leq/= / leq/> cases and two leq/> cases are contradictory: they
%% require N = N3+1+N, or N1>N2 together with N2>N1.
%theorem leq-anti-symmetric :
   forall* {M1} {M2}
   forall {L1: leq M1 M2} {L2:leq M2 M1}
   exists {E: eq M1 M2}
   true.
- : leq-anti-symmetric leq/0 leq/0 eq/.
- : leq-anti-symmetric (leq/= M1<=M2 D1<=D2 nat`eq/) (leq/= M2<=M1 D2<=D1 nat`eq/) E
    <- nat`leq-anti-symmetric D1<=D2 D2<=D1 D1=D2
    <- leq-anti-symmetric M1<=M2 M2<=M1 M1=M2
    <- map/+-preserves-eq nat`eq/ D1=D2 M1=M2 E.
- : leq-anti-symmetric (leq/= _ _ nat`eq/) (leq/> _ N3+1+N=N) E
    <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- nat`gt-anti-reflexive N>N F
    <- false-implies-eq F E.
- : leq-anti-symmetric (leq/> _ N3+1+N=N) (leq/= _ _ nat`eq/) E
    <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- nat`gt-anti-reflexive N>N F
    <- false-implies-eq F E.
- : leq-anti-symmetric (leq/> _ N3+1+N2=N1) (leq/> _ N0+1+N1=N2) E
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- nat`gt-anti-symmetric N1>N2 N2>N1 F
    <- false-implies-eq F E.
%worlds () (leq-anti-symmetric _ _ _).
%total (L) (leq-anti-symmetric L _ _).
%% ... and transitive.  Induction is on the second derivation (see %total).
%theorem leq-transitive :
   forall* {M1} {M2} {M3}
   forall {L1:leq M1 M2} {L2:leq M2 M3}
   exists {L3:leq M1 M3}
   true.
- : leq-transitive leq/0 _ leq/0.
- : leq-transitive (leq/= M1<=M2 D1<=D2 nat`eq/) (leq/= M2<=M3 D2<=D3 nat`eq/) (leq/= M1<=M3 D1<=D3 nat`eq/)
    <- nat`leq-transitive D1<=D2 D2<=D3 D1<=D3
    <- leq-transitive M1<=M2 M2<=M3 M1<=M3.
%% M3 has an extra smaller key in front: skip it on the result as well
- : leq-transitive (leq/= M1<=M2 D1<=D2 nat`eq/) (leq/> M522<=M3 N5+1+N3=N2) (leq/> M511<=M3 N5+1+N3=N2)
    <- leq-transitive (leq/= M1<=M2 D1<=D2 nat`eq/) M522<=M3 M511<=M3.
- : leq-transitive (leq/> M011<=M2 N0+1+N=N1) (leq/= M2<=M3 D2<=D3 nat`eq/) (leq/> M011<=M3 N0+1+N=N1)
    <- leq-transitive M011<=M2 M2<=M3 M011<=M3.
%% both skip a key: compose the two offsets into one (N4) before recursing
- : leq-transitive (leq/> M011<=M2 N0+1+N2=N1) (leq/> M522<=M3 N5+1+N3=N2) (leq/> M411<=M3 N4+1+N3=N1)
    <- nat`plus-swap-succ N5+1+N3=N2 N5+N3+1=N2
    <- nat`plus-associative-converse N5+N3+1=N2 N0+1+N2=N1 N4 N0+1+N5=N4 N4+N3+1=N1
    <- nat`plus-swap-succ-converse N4+N3+1=N1 N4+1+N3=N1
    <- leq-transitive (leq/> M011<=M2 N0+1+N5=N4) M522<=M3 M411<=M3.
%worlds () (leq-transitive _ _ _).
%total (L) (leq-transitive _ L _).
%% leq is a congruence for map/+ (just leq/= with the premises reordered)
%theorem map/+-preserves-leq :
   forall* {N1} {N2} {D1} {D2} {M1} {M2}
   forall {E:nat`eq N1 N2} {LD:nat`leq D1 D2} {LM:leq M1 M2}
   exists {L:leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)}
   true.
- : map/+-preserves-leq N1=N2 D1<=D2 M1<=M2 (leq/= M1<=M2 D1<=D2 N1=N2).
%worlds () (map/+-preserves-leq _ _ _ _).
%total { } (map/+-preserves-leq _ _ _ _).
%% every key of the smaller map is found in the larger one with a datum that
%% is at least as large.
%% NOTE(review): the exists clause reuses the name L for the output lookup
%% although L is already the input lookup; Twelf accepts the shadowing.
%theorem lookup-respects-leq :
   forall* {M} {N} {D} {MP}
   forall {L:lookup M N D} {ME:leq M MP}
   exists {DP} {L:lookup MP N DP} {DE:nat`leq D DP}
   true.
- : lookup-respects-leq (lookup/= nat`eq/) (leq/= _ D1<=D2 nat`eq/) _ (lookup/= nat`eq/) D1<=D2.
- : lookup-respects-leq (lookup/= nat`eq/) (leq/> M311<=M2 N3+1+N2=N1) D2 (lookup/> L13 N3+1+N2=N1) D1<=D2
    <- lookup-respects-leq (lookup/= nat`eq/) M311<=M2 D2 L13 D1<=D2.
- : lookup-respects-leq (lookup/> L13 N3+1+N2=N1) (leq/= M1<=M2 _ nat`eq/) D2 (lookup/> L13' N3+1+N2=N1) D1<=D2
    <- lookup-respects-leq L13 M1<=M2 D2 L13' D1<=D2.
%% lookup below the head while leq skips a key: fold the lookup offset into
%% the re-based head offset (N4) and recurse on the re-based lookup
- : lookup-respects-leq (lookup/> L10 N0+1+N1=N) (leq/> M311<=M2 N3+1+N2=N1) D2 (lookup/> L14' N4+1+N2=N) D1<=D2
    <- nat`plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
    <- nat`plus-associative-converse N3+N2+1=N1 N0+1+N1=N N4 N0+1+N3=N4 N4+N2+1=N
    <- nat`plus-swap-succ-converse N4+N2+1=N N4+1+N2=N
    <- lookup-respects-leq (lookup/> L10 N0+1+N3=N4) M311<=M2 D2 L14' D1<=D2.
%worlds () (lookup-respects-leq _ _ _ _ _).
%total (L) (lookup-respects-leq _ L _ _ _).
%% a key absent from the larger map is absent from the smaller one
%theorem not-member-respects-geq :
   forall* {M} {MP} {N}
   forall {FP:not-member MP N} {L:leq M MP}
   exists {F:not-member M N}
   true.
- : not-member-respects-geq F leq/0 not-member/0.
- : not-member-respects-geq (not-member/< R) (leq/= _ _ nat`eq/) (not-member/< R).
%% the smaller map's head N1 is even larger than MP's head N2, which is
%% already above N
- : not-member-respects-geq (not-member/< N2>N) (leq/> _ N3+1+N2=N1) (not-member/< N1>N)
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- gt-transitive N1>N2 N2>N N1>N.
- : not-member-respects-geq (not-member/> F20 N0+1+N2=N) (leq/= M1<=M2 _ nat`eq/) (not-member/> F10 N0+1+N2=N)
    <- not-member-respects-geq F20 M1<=M2 F10.
%% leq skips MP's head: the absence is first established for the re-based
%% map (map/+ N3 D1 M1) relative to N2, then shifted right by N2+1.
%% The explicit binders pin down the types of F3110 and the two plus facts.
- : {F3110:not-member (map/+ N3 D1 M1) N0} {N0+1+N2=N:plus (s N0) N2 N} {N3+1+N2=N1:plus (s N3) N2 N1}
    not-member-respects-geq (not-member/> F20 N0+1+N2=N: not-member (map/+ N2 D2 M2) N) (leq/> M311<=M2 N3+1+N2=N1) F'
    <- not-member-respects-geq F20 M311<=M2 F3110
    <- nat`plus-swap-succ N0+1+N2=N N0+N2+1=N
    <- nat`plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
    <- plus-right-preserves-not-member* F3110 N3+N2+1=N1 N0+N2+1=N F'.
%worlds () (not-member-respects-geq _ _ _).
%total (F) (not-member-respects-geq F _ _).
%% a smaller map has no more entries
%theorem leq-implies-size-le:
   forall* {M1} {M2} {N1} {N2}
   forall {L:leq M1 M2} {SZ1:size M1 N1} {SZ2:size M2 N2}
   exists {G:ge N2 N1}
   true.
- : leq-implies-size-le leq/0 size/0 N2=|M2| N2>=0
    <- plus-commutative (plus/z:plus z N2 N2) N2+0=N2
    <- plus-implies-ge N2+0=N2 N2>=0.
- : leq-implies-size-le (leq/= M1<=M2 _ _) (size/+ N1=|M1|) (size/+ N2=|M2|) N2+1>=N1+1
    <- leq-implies-size-le M1<=M2 N1=|M1| N2=|M2| N2>=N1
    <- succ-preserves-ge N2>=N1 N2+1>=N1+1.
%% (last clause of leq-implies-size-le) M2 has an extra head entry, so the
%% induction hypothesis already yields N2 >= N1+1 and the result is strict.
- : leq-implies-size-le (leq/> M311<=M2 _) (size/+ N1=|M1|) (size/+ N2=|M2|) (ge/> N2+1>N1+1)
    <- leq-implies-size-le M311<=M2 (size/+ N1=|M1|) N2=|M2| N2>=N1+1
    <- succ-implies-gt nat`eq/ N2+1>N2
    <- gt-transitive-ge N2+1>N2 N2>=N1+1 N2+1>N1+1.
%worlds () (leq-implies-size-le _ _ _ _).
%total (L) (leq-implies-size-le L _ _ _).

%% bound is monotone under leq: the bound of the larger map is at least the
%% bound of the smaller one.
%theorem leq-implies-bound-le: forall* {M1} {M2} {N1} {N2}
   forall {L:leq M1 M2} {BD1:bound M1 N1} {BD2:bound M2 N2}
   exists {G:ge N2 N1}
   true.
- : leq-implies-bound-le leq/0 bound/0 _ N2>=0
    <- plus-commutative plus/z N2+0=N2
    <- plus-implies-ge N2+0=N2 N2>=0.
%% NOTE(review): the next two clauses are damaged in this copy of the file
%% (each has an unbalanced "(" after bound/+ and a missing stretch of text);
%% they will not type-check as written and must be restored from the original
%% source before this signature is loaded.
- : leq-implies-bound-le (leq/= M1<=M2 _ nat`eq/) (bound/+ N+1+N1=N3 DM1=N3
    <- leq-implies-bound-le M1<=M2 DM1=N1
    <- plus-left-preserves-ge* N2>=N1 N+1+N2=N4 N+1+N1=N3 N4>=N3.
- : leq-implies-bound-le (leq/> M311<=M2 N3+1+N2=N1) (bound/+ N1+1+N10=N11 DM1=N11
    <- plus-total N3+1+N10=N13
    <- leq-implies-bound-le M311<=M2 (bound/+ N3+1+N10=N13 DM1=N13
    <- plus-swap-succ N1+1+N10=N11 N1+N10+1=N11
    <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
    <- plus-commutative N3+N2+1=N1 N2+1+N3=N1
    <- plus-swap-succ N3+1+N10=N13 N3+N10+1=N13
    <- plus-associative* N2+1+N3=N1 N1+N10+1=N11 N3+N10+1=N13 N2+1+N13=N11
    <- plus-left-preserves-ge* N20>=N13 N2+1+N20=N22 N2+1+N13=N11 N22>=N11.
%worlds () (leq-implies-bound-le _ _ _ _).
%total (L) (leq-implies-bound-le L _ _ _).

%% Shifting the smaller map by N places it below M2 extended with a fresh head
%% entry (map/+ N D M2), for any value D.
%theorem shift-left-preserves-leq*: forall* {M1} {M2} {N} {SM1} {D}
   forall {L:leq M1 M2} {S1:shift N M1 SM1}
   exists {SL:leq SM1 (map/+ N D M2)}
   true.
- : shift-left-preserves-leq* _ shift/0 leq/0.
%% the shifted head is N+1+N1 from the origin; leq/> needs it as N1+1+N.
- : shift-left-preserves-leq* M111<=M2 (shift/+ N+1+N1=N1') (leq/> M111<=M2 N1+1+N=N1')
    <- plus-swap-succ N+1+N1=N1' N+N1+1=N1'
    <- plus-commutative N+N1+1=N1' N1+1+N=N1'.
%worlds () (shift-left-preserves-leq* _ _ _).
%total { } (shift-left-preserves-leq* _ _ _).

%% leq is preserved when both maps are shifted by the same N.
%% (Both shift hypotheses are named S1 in the statement, as in the source;
%% the second one is the shift of M2.)
%theorem shift-preserves-leq*: forall* {M1} {M2} {N} {SM1} {SM2}
   forall {L:leq M1 M2} {S1:shift N M1 SM1} {S1:shift N M2 SM2}
   exists {SL:leq SM1 SM2}
   true.
- : shift-preserves-leq* _ shift/0 _ leq/0.
%% (remaining clauses of shift-preserves-leq*)
%% aligned heads: both shifted keys are N+1+N1, so plus-deterministic makes
%% them equal and leq/= applies.
- : shift-preserves-leq* (leq/= M1<=M2 D1<=D2 nat`eq/) (shift/+ N+1+N1=N1') (shift/+ N+1+N1=N2') (leq/= M1<=M2 D1<=D2 N1'=N2')
    <- plus-deterministic N+1+N1=N1' N+1+N1=N2' nat`eq/ nat`eq/ N1'=N2'.
%% skipped head: the offset N3 between the two heads survives the shift
%% (N3+1+N2'=N1').
- : shift-preserves-leq* (leq/> M311<=M2 N3+1+N2=N1) (shift/+ N+1+N1=N1') (shift/+ N+1+N2=N2') (leq/> M311<=M2 N3+1+N2'=N1')
    <- plus-commutative N3+1+N2=N1 N2+N3+1=N1
    <- plus-associative-converse* N2+N3+1=N1 N+1+N1=N1' N+1+N2=N2' N2'+N3+1=N1'
    <- plus-commutative N2'+N3+1=N1' N3+1+N2'=N1'.
%worlds () (shift-preserves-leq* _ _ _ _).
%total { } (shift-preserves-leq* _ _ _ _).

%% Updating both sides of a leq pair at the same key N with the same value D
%% preserves leq.
%theorem update-left-preserves-leq*: forall* {M1} {M2} {N} {D} {M1'} {M2'}
   forall {L:leq M1 M2} {U1:update M1 N D M1'} {U2:update M2 N D M2'}
   exists {LP:leq M1' M2'}
   true.
%% M1 empty: update/0 creates the single entry (N, D); whatever shape the
%% update of M2 takes, its head carries the same D (nat`leq-reflexive).
- : update-left-preserves-leq* leq/0 update/0 update/0 (leq/= leq/0 D<=D nat`eq/)
    <- nat`leq-reflexive _ D<=D.
- : update-left-preserves-leq* leq/0 update/0 (update/= nat`eq/) (leq/= leq/0 D<=D nat`eq/)
    <- nat`leq-reflexive _ D<=D.
- : update-left-preserves-leq* leq/0 update/0 (update/< _) (leq/= leq/0 D<=D nat`eq/)
    <- nat`leq-reflexive _ D<=D.
- : update-left-preserves-leq* leq/0 update/0 (update/> U2505 N5+1+N2=N) (leq/> M500<=M5 N5+1+N2=N)
    <- update-left-preserves-leq* leq/0 update/0 U2505 M500<=M5.
%% aligned heads: the shape of U2 is recovered with the update/*-inversion
%% lemmas, and the resulting equality is transported with leq-respects-eq.
- : update-left-preserves-leq* (leq/= M1<=M2 D1<=D2 nat`eq/) (update/= nat`eq/) (U2:update (map/+ N D2 M2) N D M) M001<=M
    <- update/=-inversion U2 nat`eq/ M002=M
    <- nat`leq-reflexive _ D<=D
    <- leq-respects-eq (leq/= M1<=M2 D<=D nat`eq/) eq/ M002=M M001<=M.
- : update-left-preserves-leq* (leq/= M1<=M2 D1<=D2 nat`eq/) (update/< N3+1+N=N1) (U2:update (map/+ N1 D2 M2) N D M) M00M311<=M
    <- update/<-inversion U2 N3+1+N=N1 M00M322=M
    <- nat`leq-reflexive _ D<=D
    <- leq-respects-eq (leq/= (leq/= M1<=M2 D1<=D2 nat`eq/) D<=D nat`eq/) eq/ M00M322=M M00M311<=M.
%% (continuing update-left-preserves-leq*)
- : update-left-preserves-leq* (leq/= M1<=M2 D1<=D2 nat`eq/) (update/> U1303 N3+1+N1=N) (U2:update (map/+ N1 D2 M2) N D M) M113<=M
    <- update/>-inversion U2 N3+1+N1=N M4 U2304 M124=M
    <- update-left-preserves-leq* M1<=M2 U1303 U2304 M3<=M4
    <- leq-respects-eq (leq/= M3<=M4 D1<=D2 nat`eq/) eq/ M124=M M113<=M.
- : update-left-preserves-leq* (leq/> M311<=M2 N3+1+N2=N1) (update/= nat`eq/) (U2:update (map/+ N2 D2 M2) N1 D M) M101<=M
    <- update/>-inversion U2 N3+1+N2=N1 M4 U2304 M224=M
    <- update-left-preserves-leq* M311<=M2 (update/= nat`eq/) U2304 M301<=M4
    <- leq-respects-eq (leq/> M301<=M4 N3+1+N2=N1) eq/ M224=M M101<=M.
%% the two plus derivations share N and N1, so right-cancellation and
%% succ-cancels force N3=N4, i.e. the inserted key is the head of M2.
- : update-left-preserves-leq* (leq/> M311<=M2 N3+1+N=N1) (update/< N4+1+N=N1) (update/= nat`eq/) %% hence N=N2
    (leq/= M411<=M2 D<=D nat`eq/)
    <- nat`plus-right-cancels N3+1+N=N1 N4+1+N=N1 nat`eq/ nat`eq/ N3+1=N4+1
    <- nat`succ-cancels N3+1=N4+1 N3=N4
    <- map/+-preserves-eq N3=N4 nat`eq/ eq/ M311=M411
    <- leq-respects-eq M311<=M2 M311=M411 eq/ M411<=M2
    <- nat`leq-reflexive _ D<=D.
%% both updates insert in front: the offset between the new heads (N4', shown
%% equal to N4) is recomputed from the existing offsets.
- : update-left-preserves-leq* (leq/> M311<=M2 N3+1+N2=N1) (update/< N4+1+N=N1) (update/< N5+1+N=N2) (leq/= (leq/> M311<=M2 N3+1+N5=N4) D<=D nat`eq/)
    <- nat`plus-swap-succ N5+1+N=N2 N5+N+1=N2
    <- nat`plus-associative-converse N5+N+1=N2 N3+1+N2=N1 N4' N3+1+N5=N4' N4'+N+1=N1
    <- nat`plus-swap-succ N4+1+N=N1 N4+N+1=N1
    <- nat`plus-right-cancels N4'+N+1=N1 N4+N+1=N1 nat`eq/ nat`eq/ N4'=N4
    <- nat`plus-respects-eq N3+1+N5=N4' nat`eq/ nat`eq/ N4'=N4 N3+1+N5=N4
    <- nat`leq-reflexive _ D<=D.
%% (last two clauses of update-left-preserves-leq*)
%% M1 inserts in front, M2 skips its head: the key is re-based relative to
%% M2's head (N4+1+N5=N3, with N3P shown equal to N3) and the induction
%% hypothesis is applied with the re-based update/< step.
- : update-left-preserves-leq* (leq/> M311<=M2 N3+1+N2=N1) (update/< N4+1+N=N1) (update/> U2505 N5+1+N2=N) (leq/> M50M411<=M5 N5+1+N2=N)
    <- nat`plus-swap-succ N5+1+N2=N N5+N2+1=N
    <- nat`plus-associative-converse N5+N2+1=N N4+1+N=N1 N3P N4+1+N5=N3P N3P+N2+1=N1
    <- nat`plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
    <- nat`plus-right-cancels N3P+N2+1=N1 N3+N2+1=N1 nat`eq/ nat`eq/ N3P=N3
    <- nat`plus-respects-eq N4+1+N5=N3P nat`eq/ nat`eq/ N3P=N3 N4+1+N5=N3
    <- update-left-preserves-leq* M311<=M2 (update/< N4+1+N5=N3) U2505 M50M411<=M5.
- : update-left-preserves-leq* (leq/> M311<=M2 N3+1+N2=N1) (update/> U1404 N4+1+N1=N) (U2:update (map/+ N2 D2 M2) N D M) M114<=M
    <- nat`plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
    <- nat`plus-associative-converse N3+N2+1=N1 N4+1+N1=N N5 N4+1+N3=N5 N5+N2+1=N
    <- nat`plus-swap-succ-converse N5+N2+1=N N5+1+N2=N
    <- update/>-inversion U2 N5+1+N2=N M5 U2505 M225=M
    <- update-left-preserves-leq* M311<=M2 (update/> U1404 N4+1+N3=N5) U2505 M314<=M5
    <- leq-respects-eq (leq/> M314<=M5 N3+1+N2=N1) eq/ M225=M M114<=M.
%worlds () (update-left-preserves-leq* _ _ _ _).
%% termination argument: the update of the larger map (third argument, U2).
%total (U) (update-left-preserves-leq* _ _ U _).

%% Updating the same map at the same key with nat`leq-ordered values gives
%% leq-ordered results.
%theorem update-right-preserves-leq*: forall* {M} {N} {D1} {D2} {M1'} {M2'}
   forall {L:nat`leq D1 D2} {U1:update M N D1 M1'} {U2:update M N D2 M2'}
   exists {LP:leq M1' M2'}
   true.
- : update-right-preserves-leq* D1<=D2 update/0 update/0 (leq/= leq/0 D1<=D2 nat`eq/).
%% U2 must have taken the same shape as U1; the inversion lemmas expose its
%% result, leq-reflexive handles the untouched tail, and leq-respects-eq
%% transports the result.
- : update-right-preserves-leq* D1<=D2 (update/= nat`eq/) U2 L
    <- update/=-inversion U2 nat`eq/ M221=M2'
    <- leq-reflexive _ M1<=M1
    <- leq-respects-eq (leq/= M1<=M1 D1<=D2 nat`eq/) eq/ M221=M2' L.
- : update-right-preserves-leq* D1<=D2 (update/< P) U2 L
    <- update/<-inversion U2 P M22311=M2'
    <- leq-reflexive _ M311<=M311
    <- leq-respects-eq (leq/= M311<=M311 D1<=D2 nat`eq/) eq/ M22311=M2' L.
%% (last clause of update-right-preserves-leq*) the head is skipped by both
%% updates; the induction hypothesis works on the tails.
- : update-right-preserves-leq* D1<=D2 (update/> U1 P) U22 L
    <- update/>-inversion U22 P M2' U2 M112=M
    <- update-right-preserves-leq* D1<=D2 U1 U2 M1'<=M2'
    <- nat`leq-reflexive _ D<=D
    <- leq-respects-eq (leq/= M1'<=M2' D<=D nat`eq/) eq/ M112=M L.
%worlds () (update-right-preserves-leq* _ _ _ _).
%% termination argument: the first update (U1).
%total (U) (update-right-preserves-leq* _ U _ _).

%% Combined monotonicity of update in both the map and the value.  Proved by
%% going through the intermediate map MM = M2 updated with D1 (obtained with
%% update-total): left lemma for M1' <= MM, right lemma for MM <= M2', then
%% leq-transitive.
%theorem update-preserves-leq* : forall* {M1} {M2} {N} {D1} {D2} {M1'} {M2'}
   forall {L:leq M1 M2} {L:nat`leq D1 D2} {U1:update M1 N D1 M1'} {U2:update M2 N D2 M2'}
   exists {LP:leq M1' M2'}
   true.
- : update-preserves-leq* M1<=M2 D1<=D2 M1^N=D1->M1' M2^N=D2->M2' M1'<=M2'
    <- update-total M2^N=D1->MM
    <- update-left-preserves-leq* M1<=M2 M1^N=D1->M1' M2^N=D1->MM M1'<=MM
    <- update-right-preserves-leq* D1<=D2 M2^N=D1->MM M2^N=D2->M2' MM<=M2'
    <- leq-transitive M1'<=MM MM<=M2' M1'<=M2'.
%worlds () (update-preserves-leq* _ _ _ _ _).
%total { } (update-preserves-leq* _ _ _ _ _).

%% Updating a map at a key it does not contain only adds an entry, so the
%% original map is leq the updated one.
%theorem not-member-update-implies-leq : forall* {M1} {N} {D} {M2}
   forall {F:not-member M1 N} {U:update M1 N D M2}
   exists {L:leq M1 M2}
   true.
- : not-member-update-implies-leq not-member/0 U leq/0.
%% NOTE(review): the next clause is damaged in this copy of the file (it has
%% more arguments than the theorem's three and no subgoals, and the
%% not-member/< pattern is cut short); it must be restored from the original
%% source before this signature is loaded.
- : not-member-update-implies-leq (not-member/< N2 M311<=M311 N3+1+N2=N1) eq/ M22311=M2 L.
- : not-member-update-implies-leq (not-member/> F1 N0+1+N1=N2) U L
    <- update/>-inversion U N0+1+N1=N2 _ U1 M112=M
    <- not-member-update-implies-leq F1 U1 L1
    <- nat`leq-reflexive _ DL
    <- leq-respects-eq (leq/= L1 DL nat`eq/) eq/ M112=M L.
%worlds () (not-member-update-implies-leq _ _ _).
%total (F) (not-member-update-implies-leq F _ _).

%% Overwriting an existing entry with a value that is at least as large
%% (nat`leq D1 D2) gives a map that is leq the original.
%theorem lookup-update-preserves-leq : forall* {M1} {N} {D1} {D2} {M2}
   forall {L:lookup M1 N D1} {U:update M1 N D2 M2} {L:nat`leq D1 D2}
   exists {L:leq M1 M2}
   true.
- : lookup-update-preserves-leq (lookup/= nat`eq/) U D1<=D2 L
    <- update/=-inversion U nat`eq/ M221=M2
    <- leq-reflexive _ M1<=M1
    <- leq-respects-eq (leq/= M1<=M1 D1<=D2 nat`eq/) eq/ M221=M2 L.
%% (last clause of lookup-update-preserves-leq) the key lies past the head;
%% recurse on the tails and keep the head value with nat`leq-reflexive.
- : lookup-update-preserves-leq (lookup/> L1 N0+1+N1=N2) U D1<=D2 L
    <- update/>-inversion U N0+1+N1=N2 M2 U1 M112=M
    <- lookup-update-preserves-leq L1 U1 D1<=D2 L1'
    <- nat`leq-reflexive _ D1<=D1
    <- leq-respects-eq (leq/= L1' D1<=D1 nat`eq/) eq/ M112=M L.
%worlds () (lookup-update-preserves-leq _ _ _ _).
%total (L) (lookup-update-preserves-leq L _ _ _).

%%%% Map addition

%%% Definition of union
%% union M1 M2 M3 merges two maps entry by entry.  An empty operand is the
%% identity (union/L, union/R).  With two non-empty operands the heads are
%% compared: equal keys merge the values with nat`union (union/=); otherwise
%% the entry with the smaller key is emitted and the other map's head key is
%% re-based relative to it (N0 in union/<, N3 in union/>) before recursing --
%% keys appear to be stored as offsets from the previous entry, which is why
%% this re-basing is needed.
union : map -> map -> map -> type.
union/L : union map/0 M M.
union/R : union M map/0 M.
union/= : union (map/+ N1 D1 M1) (map/+ N2 D2 M2) (map/+ N1 D3 M3)
    <- nat`eq N1 N2
    <- nat`union D1 D2 D3
    <- union M1 M2 M3.
union/< : union (map/+ N1 D1 M1) (map/+ N2 D2 M2) (map/+ N1 D1 M3)
    <- nat`plus (s N0) N1 N2
    <- union M1 (map/+ N0 D2 M2) M3.
union/> : union (map/+ N1 D1 M1) (map/+ N2 D2 M2) (map/+ N2 D2 M3)
    <- nat`plus (s N3) N2 N1
    <- union (map/+ N3 D1 M1) M2 M3.

%%% Theorems about union

%% Ex falso for union: there are no clauses; %total succeeds because void
%% is uninhabited.
%theorem false-implies-union : forall* {M1} {M2} {M3}
   forall {F:void}
   exists {D:union M1 M2 M3}
   true.
%worlds () (false-implies-union _ _).
%total {} (false-implies-union _ _).

%% union respects eq in all three positions; since eq/ is the only
%% constructor the derivation is returned unchanged (hence the %reduces).
%theorem union-respects-eq : forall* {M1} {M2} {M3} {M1P} {M2P} {M3P}
   forall {A:union M1 M2 M3} {E1:eq M1 M1P} {E2:eq M2 M2P} {E3:eq M3 M3P}
   exists {AP:union M1P M2P M3P}
   true.
- : union-respects-eq A eq/ eq/ eq/ A.
%worlds () (union-respects-eq _ _ _ _ _).
%total {} (union-respects-eq _ _ _ _ _).
%reduces A = AP (union-respects-eq A _ _ _ AP).

%% Inversion lemmas for union
%% Given the relation between the two head keys, each lemma recovers which
%% union rule must have applied and exposes the sub-derivation.  The two
%% rules that contradict the key relation are refuted by deriving void from
%% an impossible plus (N = N0+1+N or N1 > N2 together with N2 > N1).

%% equal head keys: the derivation must be union/=.
%theorem union/=-inversion : forall* {N1} {D1} {M1} {N2} {D2} {M2} {M}
   forall {A:union (map/+ N1 D1 M1) (map/+ N2 D2 M2) M} {G:nat`eq N1 N2}
   exists {D3} {M3} {D:nat`union D1 D2 D3} {AP:union M1 M2 M3} {E:eq M (map/+ N1 D3 M3)}
   true.
- : union/=-inversion (union/= MM DD nat`eq/) _ _ _ DD MM eq/.
%% (contradictory cases of union/=-inversion) with N1 = N2 the plus witness
%% of union/< or union/> reads N0+1+N = N, which gives N > N and hence void;
%% every output is then produced from F.
- : union/=-inversion (union/< (JP:union _ (map/+ N0 D2 M2) M3) N0+1+N=N) nat`eq/ D2 M3 DJ MJ ME
    <- plus-implies-gt N0+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- nat`false-implies-union F DJ
    <- false-implies-eq F (M022=M2:eq (map/+ N0 D2 M2) M2)
    <- union-respects-eq JP eq/ M022=M2 eq/ MJ
    <- false-implies-eq F ME.
- : union/=-inversion (union/> (JP:union (map/+ _ D1 M1) M2 M3) N3+1+N=N) nat`eq/ D1 M3 DJ MJ ME
    <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- nat`gt-anti-reflexive N>N F
    <- nat`false-implies-union F DJ
    <- false-implies-eq F (M311=M1:eq (map/+ N3 D1 M1) M1)
    <- union-respects-eq JP M311=M1 eq/ eq/ MJ
    <- false-implies-eq F ME.
%worlds () (union/=-inversion _ _ _ _ _ _ _).
%total {} (union/=-inversion _ _ _ _ _ _ _).
%% the exposed sub-derivation is a strict subterm; recorded for termination
%% arguments of callers.
%reduces JP < J (union/=-inversion J _ _ _ _ JP _).

%% first head key strictly smaller (N2 = N0+1+N1): the derivation must be
%% union/<.
%theorem union/<-inversion : forall* {N1} {D1} {M1} {N2} {D2} {M2} {M} {N0}
   forall {A:union (map/+ N1 D1 M1) (map/+ N2 D2 M2) M} {P:plus (s N0) N1 N2}
   exists {M3} {AP:union M1 (map/+ N0 D2 M2) M3} {E:eq M (map/+ N1 D1 M3)}
   true.
%% the supplied plus witness and the one inside the derivation may differ in
%% name only: right-cancellation shows N0 = N0P, then the re-based map is
%% rewritten with map/+-preserves-eq.
- : union/<-inversion (union/< J P) P' _ J' eq/
    <- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N0+1=N0'+1
    <- succ-cancels N0+1=N0'+1 N0=N0P
    <- map/+-preserves-eq N0=N0P nat`eq/ eq/ M022=M022'
    <- union-respects-eq J eq/ M022=M022' eq/ J'.
- : union/<-inversion (union/= J' _ nat`eq/) N0+1+N=N M3 J E
    <- plus-implies-gt N0+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eq F M2=M022
    <- union-respects-eq J' eq/ M2=M022 eq/ J
    <- false-implies-eq F E.
- : union/<-inversion (union/> J' N3+1+N2=N1) N0+1+N1=N2 M3 J E
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- nat`gt-anti-symmetric N1>N2 N2>N1 F
    <- false-implies-eq F M311=M1
    <- false-implies-eq F M2=M022
    <- union-respects-eq J' M311=M1 M2=M022 eq/ J
    <- false-implies-eq F E.
%worlds () (union/<-inversion _ _ _ _ _).
%total {} (union/<-inversion _ _ _ _ _).
%reduces JP < J (union/<-inversion J _ _ JP _).
%% second head key strictly smaller (N1 = N3+1+N2): the derivation must be
%% union/>.  Mirror image of union/<-inversion.
%theorem union/>-inversion : forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3} {M}
   forall {A:union (map/+ N1 D1 M1) (map/+ N2 D2 M2) M} {P:plus (s N3) N2 N1}
   exists {M3} {AP:union (map/+ N3 D1 M1) M2 M3} {E:eq M (map/+ N2 D2 M3)}
   true.
- : union/>-inversion (union/> J P) P' _ J' eq/
    <- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N3+1=N3'+1
    <- succ-cancels N3+1=N3'+1 N3=N3P
    <- map/+-preserves-eq N3=N3P nat`eq/ eq/ M311=M311'
    <- union-respects-eq J M311=M311' eq/ eq/ J'.
- : union/>-inversion (union/= J' _ nat`eq/) N3+1+N=N M3 J E
    <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eq F M1=M311
    <- union-respects-eq J' M1=M311 eq/ eq/ J
    <- false-implies-eq F E.
- : union/>-inversion (union/< J' N0+1+N1=N2) N3+1+N2=N1 M3 J E
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- nat`gt-anti-symmetric N1>N2 N2>N1 F
    <- false-implies-eq F M1=M311
    <- false-implies-eq F M022=M2
    <- union-respects-eq J' M1=M311 M022=M2 eq/ J
    <- false-implies-eq F E.
%worlds () (union/>-inversion _ _ _ _ _).
%total {} (union/>-inversion _ _ _ _ _).
%reduces JP < J (union/>-inversion J _ _ JP _).

%% union is a function of its two operands: two derivations with equal inputs
%% have equal outputs.
%theorem union-deterministic : forall* {M1} {M2} {M3} {M1P} {M2P} {M3P}
   forall {A:union M1 M2 M3} {AP:union M1P M2P M3P} {E1:eq M1 M1P} {E2:eq M2 M2P}
   exists {E3:eq M3 M3P}
   true.
%% empty-operand cases (union/L and union/R overlap when both maps are empty).
- : union-deterministic union/L union/L eq/ eq/ eq/.
- : union-deterministic union/L union/R eq/ eq/ eq/.
- : union-deterministic union/R union/L eq/ eq/ eq/.
- : union-deterministic union/R union/R eq/ eq/ eq/.
%% matching rule on both sides: nat`union is deterministic on the values and
%% the induction hypothesis on the tails.
- : union-deterministic (union/= M1+M2=M3 D1+D2=D3 nat`eq/) (union/= M1+M2=M3' D1+D2=D3P nat`eq/) eq/ eq/ M=M'
    <- nat`union-deterministic D1+D2=D3 D1+D2=D3P nat`eq/ nat`eq/ D3=D3'
    <- union-deterministic M1+M2=M3 M1+M2=M3' eq/ eq/ M3=M3'
    <- map/+-preserves-eq nat`eq/ D3=D3' M3=M3' M=M'.
%% (continuing union-deterministic) matching union/< or union/> on both
%% sides: the re-basing offsets N0 / N3 are shown equal by cancellation, the
%% re-based operands are rewritten, and the induction hypothesis applies.
- : union-deterministic (union/< M1+MT=M3 N0+1+N1=N2) (union/< M1+MT'=M3' N0'+1+N1=N2) eq/ eq/ M=M'
    <- plus-right-cancels N0+1+N1=N2 N0'+1+N1=N2 nat`eq/ nat`eq/ N0+1=N0'+1
    <- succ-cancels N0+1=N0'+1 N0=N0P
    <- map/+-preserves-eq N0=N0P nat`eq/ eq/ MT=MT'
    <- union-deterministic M1+MT=M3 M1+MT'=M3' eq/ MT=MT' M3=M3'
    <- map/+-preserves-eq nat`eq/ nat`eq/ M3=M3' M=M'.
- : union-deterministic (union/> MT+M2=M3 N3+1+N2=N1) (union/> MT'+M2=M3' N3'+1+N2=N1) eq/ eq/ E
    <- plus-right-cancels N3+1+N2=N1 N3'+1+N2=N1 nat`eq/ nat`eq/ N3+1=N3'+1
    <- succ-cancels N3+1=N3'+1 N3=N3P
    <- map/+-preserves-eq N3=N3P nat`eq/ eq/ MT=MT'
    <- union-deterministic MT+M2=M3 MT'+M2=M3' MT=MT' eq/ M3=M3'
    <- map/+-preserves-eq nat`eq/ nat`eq/ M3=M3' E.
%% contradiction cases: two different rules on the same heads require
%% incompatible key relations; void is derived and the equality produced
%% from it.
- : union-deterministic (union/= _ _ nat`eq/) (union/< _ N'+1+N=N) eq/ eq/ E
    <- plus-implies-gt N'+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eq F E.
- : union-deterministic (union/= _ _ nat`eq/) (union/> _ N'+1+N=N) eq/ eq/ E
    <- plus-implies-gt N'+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eq F E.
- : union-deterministic (union/< _ NP+1+N=N) (union/= _ _ nat`eq/) eq/ eq/ E
    <- plus-implies-gt NP+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eq F E.
- : union-deterministic (union/< _ N0+1+N1=N2) (union/> _ N3+1+N2=N1) eq/ eq/ E
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- nat`gt-anti-symmetric N1>N2 N2>N1 F
    <- false-implies-eq F E.
- : union-deterministic (union/> _ NP+1+N=N) (union/= _ _ nat`eq/) eq/ eq/ E
    <- plus-implies-gt NP+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eq F E.
- : union-deterministic (union/> _ N3+1+N2=N1) (union/< _ N0+1+N1=N2) eq/ eq/ E
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- nat`gt-anti-symmetric N1>N2 N2>N1 F
    <- false-implies-eq F E.
%worlds () (union-deterministic _ _ _ _ _).
%total (A) (union-deterministic A _ _ _ _).
%% union is total: any two maps have a union.
%theorem union-total* : forall {M1} {M2}
   exists {M3} {A:union M1 M2 M3}
   true.
%% Three auxiliary lemmas are needed.  They exist to make termination
%% provable: union substitutes freshly re-based maps (map/+ N0 D2 M2 etc.)
%% into its recursive calls, so the arguments do not get syntactically
%% smaller and a direct induction would not be accepted.  The four theorems
%% are proved by mutual induction (see the shared %worlds/%total below).
%theorem union-map/+-M-total* : forall {N1} {D1} {M1} {M2}
   exists {M3} {A:union (map/+ N1 D1 M1) M2 M3}
   true.
%theorem union-M-map/+-total* : forall {M1} {N2} {D2} {M2}
   exists {M3} {A:union M1 (map/+ N2 D2 M2) M3}
   true.
%% the head keys are compared first; C is the result of nat`compare and
%% selects which union rule to build.
%theorem union-map/+-map/+-total* : forall {N1} {D1} {M1} {N2} {D2} {M2} {C} {CMP:nat`compare N1 N2 C}
   exists {M3} {A:union (map/+ N1 D1 M1) (map/+ N2 D2 M2) M3}
   true.
- : union-total* map/0 M M union/L.
- : union-total* M map/0 M union/R.
- : union-total* (map/+ N1 D1 M1) (map/+ N2 D2 M2) M3 A
    <- nat`compare-total* N1 N2 C CMP
    <- union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 C CMP M3 A.
%% equal keys: union/=, with nat`union-total* on the values.
- : union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 equal CMP (map/+ N1 D3 M3) (union/= M1+M2=M3 D1+D2=D3 N1=N2)
    <- equal-implies-eq CMP N1=N2
    <- nat`union-total* D1 D2 D3 D1+D2=D3
    <- union-total* M1 M2 M3 M1+M2=M3.
%% N1 < N2: gt-implies-plus supplies the offset N0 needed by union/<; the
%% recursive call goes through the lemma whose second operand is re-based.
- : union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 less CMP (map/+ N1 D1 M3) (union/< M1+T=M3 N0+1+N1=N2)
    <- less-implies-lt CMP N2>N1
    <- gt-implies-plus N2>N1 _ N0+1+N1=N2
    <- union-M-map/+-total* M1 N0 D2 M2 M3 M1+T=M3.
- : union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 greater CMP (map/+ N2 D2 M3) (union/> T+M2=M3 N3+1+N2=N1)
    <- greater-implies-gt CMP N1>N2
    <- gt-implies-plus N1>N2 _ N3+1+N2=N1
    <- union-map/+-M-total* N3 D1 M1 M2 M3 T+M2=M3.
- : union-M-map/+-total* map/0 N2 D2 M2 (map/+ N2 D2 M2) union/L.
- : union-M-map/+-total* (map/+ N1 D1 M1) N2 D2 M2 M3 A
    <- nat`compare-total* N1 N2 C CMP
    <- union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 C CMP M3 A.
- : union-map/+-M-total* N1 D1 M1 map/0 (map/+ N1 D1 M1) union/R.
- : union-map/+-M-total* N1 D1 M1 (map/+ N2 D2 M2) M3 A
    <- nat`compare-total* N1 N2 C CMP
    <- union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 C CMP M3 A.
%% union-total* and its three lemmas form one mutual induction; the %total
%% order is lexicographic ([ ... ]): first the argument standing for the first
%% map in each lemma (M1a..M1d), then the one standing for the second map
%% (M2a..M2d).
%worlds () (union-total* _ _ _ _) (union-M-map/+-total* _ _ _ _ _ _) (union-map/+-M-total* _ _ _ _ _ _) (union-map/+-map/+-total* _ _ _ _ _ _ _ _ _ _).
%total [ (M1a M1b M1c M1d) (M2a M2b M2c M2d) ] (union-total* M1d M2d _ _) (union-M-map/+-total* M1c _ _ M2c _ _) (union-map/+-M-total* _ _ M1b M2b _ _) (union-map/+-map/+-total* _ _ M1a _ _ M2a _ _ _ _).
%% convenience form with the maps left implicit.
%abbrev union-total = union-total* _ _ _.

%% A disjointness derivation already records the key comparisons, so the
%% union of disjoint maps can be read off it directly (no nat`union on values
%% is ever needed).
%theorem disjoint-union-total : forall* {M1} {M2}
   forall {D:disjoint M1 M2}
   exists {M3} {A:union M1 M2 M3}
   true.
- : disjoint-union-total disjoint/L _ union/L.
- : disjoint-union-total disjoint/R _ union/R.
- : disjoint-union-total (disjoint/< D P) _ (union/< J P)
    <- disjoint-union-total D _ J.
- : disjoint-union-total (disjoint/> D P) _ (union/> J P)
    <- disjoint-union-total D _ J.
%worlds () (disjoint-union-total _ _ _).
%total (D) (disjoint-union-total D _ _).

%% Only union/L and union/R can produce map/0, and then both operands are
%% empty; the map/+-producing rules are excluded by the statement itself.
%theorem union-empty-implies-empty : forall* {M1} {M2}
   forall {A:union M1 M2 map/0}
   exists {E1:eq M1 map/0} {E2:eq M2 map/0}
   true.
- : union-empty-implies-empty union/L eq/ eq/.
- : union-empty-implies-empty union/R eq/ eq/.
%worlds () (union-empty-implies-empty _ _ _).
%total { } (union-empty-implies-empty _ _ _).

%% If two maps are each disjoint from M4, so is their union.
%theorem union-preserves-disjoint* : forall* {M1} {M2} {M3} {M4}
   forall {D1:disjoint M1 M4} {D2:disjoint M2 M4} {A:union M1 M2 M3}
   exists {D3:disjoint M3 M4}
   true.
% a lemma that counts the size of maps to help prove termination
%% (the sizes S1, S2 are the induction measure; see the %total after the
%% clauses, which uses S1, S2 and D1 simultaneously)
%theorem union-preserves-disjoint*/L : forall* {M1} {M2} {M3} {M4}
   forall {S1} {S2} {SZ1:size M1 S1} {SZ2:size M2 S2} {D1:disjoint M1 M4} {D2:disjoint M2 M4} {A:union M1 M2 M3}
   exists {D3:disjoint M3 M4}
   true.
- : union-preserves-disjoint* D1 D2 J D3
    <- size-total SZ1
    <- size-total SZ2
    <- union-preserves-disjoint*/L _ _ SZ1 SZ2 D1 D2 J D3.
%% trivial cases: M4 empty, or one operand empty.
- : union-preserves-disjoint*/L _ _ _ _ disjoint/R _ _ disjoint/R.
- : union-preserves-disjoint*/L _ _ _ _ _ disjoint/R _ disjoint/R.
- : union-preserves-disjoint*/L _ _ _ _ _ D union/L D.
- : union-preserves-disjoint*/L _ _ _ _ D _ union/R D.
%% (continuing union-preserves-disjoint*/L) M1's head precedes M4's head and
%% the union merged equal heads: D2 must also be a disjoint/< step, which
%% disjoint/<-inversion exposes; both sizes decrease.
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2) (disjoint/< D1 N5+1+N1=N4) D2X (union/= J _ nat`eq/) (disjoint/< D3 N5+1+N1=N4)
    <- disjoint/<-inversion D2X N5+1+N1=N4 D2
    <- union-preserves-disjoint*/L S1 S2 SZ1 SZ2 D1 D2 J D3.
%% NOTE(review): the next clause is damaged in this copy of the file -- its
%% text breaks off after "D1<" and what follows is the tail of a different
%% clause (its own head and "- :" marker are missing).  Restore both clauses
%% from the original source before loading this signature.
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2) (disjoint/< D1 N5+1+N1=N4) D2X (union/> J N3+1+N2=N1) (disjoint/< D3 N6+1+N2=N4)
    <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
    <- plus-associative-converse N3+N2+1=N1 N5+1+N1=N4 N6 N5+1+N3=N6 N6+N2+1=N4
    <- plus-swap-succ-converse N6+N2+1=N4 N6+1+N2=N4
    <- disjoint/<-inversion D2X N6+1+N2=N4 D2
    <- plus-swap-succ N5+1+N3=N6 N5+N3+1=N6
    <- plus-commutative N5+N3+1=N6 N3+1+N5=N6
    <- shift-right-preserves-disjoint D1 (shift/+ N3+1+N5=N6) D1< D1 N5+1+N4=N1) D2X (union/= J DJ nat`eq/) (disjoint/> D3 N5+1+N4=N1)
    <- disjoint/>-inversion D2X N5+1+N4=N1 D2
    <- union-preserves-disjoint*/L _ _ (size/+ SZ1) (size/+ SZ2) D1 D2 (union/= J DJ nat`eq/) D3.
%% M4's head precedes both operands' heads and the union took M1's head:
%% the offset of M2's head relative to M4 is recomputed (N6) and the
%% recursive call keeps the size measure (sizes are passed unchanged).
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2) (disjoint/> D1 N5+1+N4=N1) D2X (union/< J N0+1+N1=N2) (disjoint/> D3 N5+1+N4=N1)
    <- plus-swap-succ N5+1+N4=N1 N5+N4+1=N1
    <- plus-associative-converse N5+N4+1=N1 N0+1+N1=N2 N6 N0+1+N5=N6 N6+N4+1=N2
    <- plus-swap-succ-converse N6+N4+1=N2 N6+1+N4=N2
    <- disjoint/>-inversion D2X N6+1+N4=N2 D2
    <- union-preserves-disjoint*/L _ _ (size/+ SZ1) (size/+ SZ2) D1 D2 (union/< J N0+1+N5=N6) D3.
%% (continuing union-preserves-disjoint*/L)
%% NOTE(review): the next clause is damaged in this copy of the file -- its
%% text breaks off after "D2<" and what follows is the tail of a different
%% clause (its own head and "- :" marker are missing).  Restore both clauses
%% from the original source before loading this signature.
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2) D1X (disjoint/< D2 N6+1+N2=N4) (union/< J N0+1+N1=N2) (disjoint/< D3 N5+1+N1=N4)
    <- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
    <- plus-associative-converse N0+N1+1=N2 N6+1+N2=N4 N5 N6+1+N0=N5 N5+N1+1=N4
    <- plus-swap-succ-converse N5+N1+1=N4 N5+1+N1=N4
    <- disjoint/<-inversion D1X N5+1+N1=N4 D1
    <- plus-swap-succ N6+1+N0=N5 N6+N0+1=N5
    <- plus-commutative N6+N0+1=N5 N0+1+N6=N5
    <- shift-right-preserves-disjoint D2 (shift/+ N0+1+N6=N5) D2< D2 N6+1+N4=N2) (union/> J N3+1+N2=N1) (disjoint/> D3 N6+1+N4=N2)
    <- plus-swap-succ N6+1+N4=N2 N6+N4+1=N2
    <- plus-associative-converse N6+N4+1=N2 N3+1+N2=N1 N5 N3+1+N6=N5 N5+N4+1=N1
    <- plus-swap-succ-converse N5+N4+1=N1 N5+1+N4=N1
    <- disjoint/>-inversion D1X N5+1+N4=N1 D1
    <- union-preserves-disjoint*/L _ _ (size/+ SZ1) (size/+ SZ2) D1 D2 (union/> J N3+1+N6=N5) D3.
%% mixed cases: M4's head lies between the two operands' heads.  The union
%% derivation JX is inverted (its shape is forced by the key ordering), the
%% recursive call drops one entry from the side that was emitted, and the
%% result is transported back along the equality from the inversion.
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2) (disjoint/< D1 N5+1+N1=N4) (disjoint/> D2 N6+1+N4=N2) JX D3X
    <- plus-swap-succ N5+1+N1=N4 N5+N1+1=N4
    <- plus-associative-converse N5+N1+1=N4 N6+1+N4=N2 N0 N6+1+N5=N0 N0+N1+1=N2
    <- plus-swap-succ-converse N0+N1+1=N2 N0+1+N1=N2
    <- union/<-inversion JX N0+1+N1=N2 _ J M=M113
    <- eq-symmetric M=M113 M113=M
    <- union-preserves-disjoint*/L S1 (s S2) SZ1 (size/+ SZ2) D1 (disjoint/> D2 N6+1+N5=N0) J D3
    <- disjoint-respects-eq (disjoint/< D3 N5+1+N1=N4) M113=M eq/ D3X.
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2) (disjoint/> D1 N5+1+N4=N1) (disjoint/< D2 N6+1+N2=N4) JX D3X
    <- plus-swap-succ N6+1+N2=N4 N6+N2+1=N4
    <- plus-associative-converse N6+N2+1=N4 N5+1+N4=N1 N3 N5+1+N6=N3 N3+N2+1=N1
    <- plus-swap-succ-converse N3+N2+1=N1 N3+1+N2=N1
    <- union/>-inversion JX N3+1+N2=N1 _ J M=M223
    <- eq-symmetric M=M223 M223=M
    <- union-preserves-disjoint*/L _ _ (size/+ SZ1) SZ2 (disjoint/> D1 N5+1+N6=N3) D2 J D3
    <- disjoint-respects-eq (disjoint/< D3 N6+1+N2=N4) M223=M eq/ D3X.
%worlds () (union-preserves-disjoint*/L _ _ _ _ _ _ _ _).
%% termination of the lemma: simultaneous order on the two sizes and on D1.
%total {S1 S2 D1} (union-preserves-disjoint*/L S1 S2 _ _ D1 _ _ _).
%worlds () (union-preserves-disjoint* _ _ _ _).
%total { } (union-preserves-disjoint* _ _ _ _).

%% Shifting the left operand by N and prefixing the right operand with a
%% fresh entry (N, D) prefixes the union with the same entry.
%theorem shift-left-preserves-union : forall* {N} {D} {M1} {M2} {M3} {SM1}
   forall {A:union M1 M2 M3} {S1:shift N M1 SM1}
   exists {SA:union SM1 (map/+ N D M2) (map/+ N D M3)}
   true.
%% empty left operand: the shifted map is empty too, so union/L applies
%% (for union/R the right operand, and hence M3, is map/0 as well).
- : shift-left-preserves-union union/L shift/0 union/L.
- : shift-left-preserves-union union/R shift/0 union/L.
%% non-empty: the new entry at N precedes the shifted head (N1+1+N = N1'),
%% which is exactly what union/> records.
- : shift-left-preserves-union M111+M2=M3 (shift/+ N+1+N1=N1') (union/> M111+M2=M3 N1+1+N=N1')
    <- plus-swap-succ N+1+N1=N1' N+N1+1=N1'
    <- plus-commutative N+N1+1=N1' N1+1+N=N1'.
%worlds () (shift-left-preserves-union _ _ _).
%total { } (shift-left-preserves-union _ _ _).

%% Converse of the previous lemma: a union whose left operand is a shifted
%% map and whose right operand starts at N must start at N as well, and its
%% tail is the union of the unshifted maps.
%theorem shift-left-preserves-union-converse : forall* {N} {D} {M1} {M2} {SM1} {SM3}
   forall {SA:union SM1 (map/+ N D M2) SM3} {S1:shift N M1 SM1}
   exists {M3} {A:union M1 M2 M3} {E:eq (map/+ N D M3) SM3}
   true.
- : shift-left-preserves-union-converse union/L shift/0 _ union/L eq/.
- : shift-left-preserves-union-converse M111+M222=SM3 (shift/+ N2+1+N3=N1) M3 M311+M2=M3 M223=SM3
    <- plus-swap-succ N2+1+N3=N1 N2+N3+1=N1
    <- plus-commutative N2+N3+1=N1 N3+1+N2=N1
    <- union/>-inversion M111+M222=SM3 N3+1+N2=N1 M3 M311+M2=M3 SM3=M223
    <- eq-symmetric SM3=M223 M223=SM3.
%worlds () (shift-left-preserves-union-converse _ _ _ _ _).
%total { } (shift-left-preserves-union-converse _ _ _ _ _).

%% Mirror image of shift-left-preserves-union for the right operand.
%theorem shift-right-preserves-union : forall* {N} {D} {M1} {M2} {M3} {SM2}
   forall {A:union M1 M2 M3} {S2:shift N M2 SM2}
   exists {SA:union (map/+ N D M1) SM2 (map/+ N D M3)}
   true.
- : shift-right-preserves-union union/L shift/0 union/R.
- : shift-right-preserves-union union/R shift/0 union/R.
- : shift-right-preserves-union M1+M222=M3 (shift/+ N+1+N2=N2') (union/< M1+M222=M3 N2+1+N=N2')
    <- plus-swap-succ N+1+N2=N2' N+N2+1=N2'
    <- plus-commutative N+N2+1=N2' N2+1+N=N2'.
%worlds () (shift-right-preserves-union _ _ _).
%total { } (shift-right-preserves-union _ _ _).
%% Mirror image of shift-left-preserves-union-converse for the right operand.
%theorem shift-right-preserves-union-converse : forall* {N} {D} {M1} {M2} {SM2} {SM3}
   forall {SA:union (map/+ N D M1) SM2 SM3} {S2:shift N M2 SM2}
   exists {M3} {A:union M1 M2 M3} {E:eq (map/+ N D M3) SM3}
   true.
- : shift-right-preserves-union-converse union/R shift/0 _ union/R eq/.
- : shift-right-preserves-union-converse M111+M322=SM3 (shift/+ N1+1+N2=N3) M3 M1+M222=M3 M133=SM3
    <- plus-swap-succ N1+1+N2=N3 N1+N2+1=N3
    <- plus-commutative N1+N2+1=N3 N2+1+N1=N3
    <- union/<-inversion M111+M322=SM3 N2+1+N1=N3 M3 M1+M222=M3 SM3=M133
    <- eq-symmetric SM3=M133 M133=SM3.
%worlds () (shift-right-preserves-union-converse _ _ _ _ _).
%total { } (shift-right-preserves-union-converse _ _ _ _ _).

%% Shifting all three maps by the same N preserves the union relation.
%theorem shift-preserves-union : forall* {N} {M1} {M2} {M3} {SM1} {SM2} {SM3}
   forall {A:union M1 M2 M3} {S1:shift N M1 SM1} {S2:shift N M2 SM2} {S3:shift N M3 SM3}
   exists {SA:union SM1 SM2 SM3}
   true.
%% NOTE(review): the next clause is damaged in this copy of the file -- its
%% text breaks off after "M2<" and what follows is the tail of a different
%% clause (its own head and "- :" marker are missing); the clauses in
%% between are lost.  Restore them from the original source before loading
%% this signature.
- : shift-preserves-union union/L shift/0 M2< M311+M2=M3 N3+1+N2=N1) (shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5) (shift/+ N+1+N2=N6) M411+M522=M623
    <- plus-deterministic N+1+N2=N5 N+1+N2=N6 nat`eq/ nat`eq/ N5=N6
    <- plus-swap-succ N+1+N2=N5 N+N2+1=N5
    <- plus-commutative N+N2+1=N5 N2+1+N=N5
    <- plus-commutative N3+1+N2=N1 N2+N3+1=N1
    <- plus-associative-converse* N2+N3+1=N1 N+1+N1=N4 N+1+N2=N5 N5+N3+1=N4
    <- plus-commutative N5+N3+1=N4 N3+1+N5=N4
    <- map/+-preserves-eq N5=N6 nat`eq/ eq/ M523=M623
    <- union-respects-eq (union/> M311+M2=M3 N3+1+N5=N4) eq/ eq/ M523=M623 M411+M522=M623.
%worlds () (shift-preserves-union _ _ _ _ _).
%total { } (shift-preserves-union _ _ _ _ _).

%% Converse: a union of two maps shifted by the same N is itself a shift by N
%% of the union of the unshifted maps.
%theorem shift-preserves-union-converse : forall* {N} {M1} {M2} {SM1} {SM2} {SM3}
   forall {SA:union SM1 SM2 SM3} {S1:shift N M1 SM1} {S2:shift N M2 SM2}
   exists {M3} {A:union M1 M2 M3} {S3:shift N M3 SM3}
   true.
%% (clauses of shift-preserves-union-converse)
%% NOTE(review): the first clause below is damaged in this copy of the file --
%% its text breaks off after "M2<" and what follows is the tail of a different
%% clause (its own head and "- :" marker are missing); the clauses in between
%% are lost.  Restore them from the original source before loading this
%% signature.
- : shift-preserves-union-converse union/L shift/0 M2< M611+M2=M3 N6+1+N5=N4) (shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5) _ (union/> M611+M2=M3 N6+1+N2=N1) (shift/+ N+1+N2=N5)
    <- plus-commutative N+1+N2=N5 N2+N+1=N5
    <- plus-swap-succ-converse N2+N+1=N5 N2+1+N=N5
    <- plus-associative-converse N2+N+1=N5 N6+1+N5=N4 N1' N6+1+N2=N1' N1'+N+1=N4
    <- plus-commutative N+1+N1=N4 N1+N+1=N4
    <- plus-right-cancels N1'+N+1=N4 N1+N+1=N4 nat`eq/ nat`eq/ N1'=N1
    <- plus-respects-eq N6+1+N2=N1' nat`eq/ nat`eq/ N1'=N1 N6+1+N2=N1.
%worlds () (shift-preserves-union-converse _ _ _ _ _ _).
%total { } (shift-preserves-union-converse _ _ _ _ _ _).

%% union is commutative: swap the operands and mirror each rule
%% (union/< <-> union/>, union/L <-> union/R), using nat`union-commutative
%% on the values.
%theorem union-commutative : forall* {M1} {M2} {M3}
   forall {A:union M1 M2 M3}
   exists {AP:union M2 M1 M3}
   true.
- : union-commutative union/L union/R.
- : union-commutative union/R union/L.
- : union-commutative (union/= M1+M2=M3 D1+D2=D3 nat`eq/) (union/= M2+M1=M3 D2+D1=D3 nat`eq/)
    <- nat`union-commutative D1+D2=D3 D2+D1=D3
    <- union-commutative M1+M2=M3 M2+M1=M3.
- : union-commutative (union/< M1+MT=M3 N0+1+N1=N2) (union/> MT+M1=M3 N0+1+N1=N2)
    <- union-commutative M1+MT=M3 MT+M1=M3.
- : union-commutative (union/> MT+M2=M3 N3+1+N2=N1) (union/< M2+MT=M3 N3+1+N2=N1)
    <- union-commutative MT+M2=M3 M2+MT=M3.
%worlds () (union-commutative _ _).
%total (A) (union-commutative A _).

%% union is associative: from (M1 + M2) + M4 = M7 obtain M6 = M2 + M4 with
%% M1 + M6 = M7.
%theorem union-associative : forall* {M1} {M2} {M3} {M4} {M7}
   forall {A12:union M1 M2 M3} {A34:union M3 M4 M7}
   exists {M6} {A24:union M2 M4 M6} {A16:union M1 M6 M7}
   true.
%% a lemma
%% Handles the case where both unions took their left head (union/<, union/<):
%% given the union of the two re-based right operands (JOIN246) and of M1
%% with that result (JOIN167), it rebuilds the union of the un-rebased maps
%% (JOIN24) and the final union headed by M1's entry (JOIN).
%theorem union-associative-union/<-union/< : forall* {N1} {D1} {M1} {N2} {D2} {M2} {N0} {N5} {N4} {D4} {M4} {M6} {M7}
   forall {PLUS012:nat`plus (s N0) N1 N2} {PLUS514:nat`plus (s N5) N1 N4} {JOIN246:union (map/+ N0 D2 M2) (map/+ N5 D4 M4) M6} {JOIN167:union M1 M6 M7}
   exists {M} {JOIN24: union (map/+ N2 D2 M2) (map/+ N4 D4 M4) M} {JOIN:union (map/+ N1 D1 M1) M (map/+ N1 D1 M7)}
   true.
%% empty-operand cases.
- : union-associative union/L A _ A union/L.
- : union-associative A union/R _ union/R A.
%% (continuing union-associative)
- : union-associative union/R A _ union/L A.
%% all three heads coincide: nat`union-associative on the values, induction
%% hypothesis on the tails.
- : union-associative (union/= M1+M2=M3 D1+D2=D3 nat`eq/) (union/= M3+M4=M7 D3+D4=D7 nat`eq/) (map/+ _ D6 M6) (union/= M2+M4=M6 D2+D4=D6 nat`eq/) (union/= M1+M6=M7 D1+D6=D7 nat`eq/)
    <- nat`union-associative D1+D2=D3 D3+D4=D7 D6 D2+D4=D6 D1+D6=D7
    <- union-associative M1+M2=M3 M3+M4=M7 M6 M2+M4=M6 M1+M6=M7.
%% M1, M2 share a head that precedes M4's: M4's (already re-based) head is
%% carried into the M2 + M4 union unchanged.
- : union-associative (union/= M1+M2=M3 D1+D2=D3 nat`eq/) (union/< M3+M044=M7 N0+1+N3=N4) (map/+ _ _ M6) (union/< M2+M044=M6 N0+1+N3=N4) (union/= M1+M6=M7 D1+D2=D3 nat`eq/)
    <- union-associative M1+M2=M3 M3+M044=M7 M6 M2+M044=M6 M1+M6=M7.
%% M4's head precedes the shared head of M1, M2: the whole union/= step is
%% re-used as the first argument of the induction hypothesis.
- : union-associative (union/= M1+M2=M3 D1+D2=D3 nat`eq/) (union/> M533+M4=M7 N5+1+N4=N3) (map/+ _ _ M6) (union/> M522+M4=M6 N5+1+N4=N3) (union/> M511+M6=M7 N5+1+N4=N3)
    <- union-associative (union/= M1+M2=M3 D1+D2=D3 nat`eq/) M533+M4=M7 M6 M522+M4=M6 M511+M6=M7.
- : union-associative (union/< M1+M022=M3 N0+1+N1=N2) (union/= M3+M4=M7 D1+D4=D7 nat`eq/) (map/+ _ _ M6) (union/> M022+M3=M6 N0+1+N1=N2) (union/= M1+M6=M7 D1+D4=D7 nat`eq/)
    <- union-associative M1+M022=M3 M3+M4=M7 M6 M022+M3=M6 M1+M6=M7.
%% the hardest of all 11 cases!
%% Both unions emitted M1's head.  The induction hypothesis is applied to the
%% re-based operands, and union-associative-union/<-union/< undoes the two
%% re-basings.  The explicit binders fix the types of the intermediate union
%% derivations.
- : {M111+M=M117: union (map/+ N1 D1 M1) M (map/+ N1 D1 M7)} {M3+M544=M7: union M3 (map/+ N5 D4 M4) M7} {M1+M022=M3: union M1 (map/+ N0 D2 M2) M3} {M1+M6=M7: union M1 M6 M7}
    union-associative (union/< M1+M022=M3 N0+1+N1=N2) (union/< M3+M544=M7 N5+1+N1=N4) M M222+M444=M M111+M=M117
    <- union-associative M1+M022=M3 M3+M544=M7 M6 M022+M544=M6 M1+M6=M7
    <- union-associative-union/<-union/< N0+1+N1=N2 N5+1+N1=N4 M022+M544=M6 M1+M6=M7 M M222+M444=M M111+M=M117.
%% (lemma) the two re-based heads coincide, so the original heads do too:
%% plus-deterministic gives N2 = N4.
- : union-associative-union/<-union/< N+1+N1=N2 N+1+N1=N4 (union/= M2+M4=M6 D2+D4=D6 nat`eq/) M1+M066=M7 (map/+ N2 D6 M6) (union/= M2+M4=M6 D2+D4=D6 N2=N4) (union/< M1+M066=M7 N+1+N1=N2)
    <- nat`plus-deterministic N+1+N1=N2 N+1+N1=N4 nat`eq/ nat`eq/ N2=N4.
%% (remaining lemma cases) the offset N7 between the two re-based heads is
%% the same as between the original heads; nat`plus-associative* transports
%% it (N7+1+N2=N4, resp. N7+1+N4=N2).
- : union-associative-union/<-union/< N0+1+N1=N2 N5+1+N1=N4 (union/< M2+M744=M6 N7+1+N0=N5) M1+M026=M7 (map/+ N2 D2 M6) (union/< M2+M744=M6 N7+1+N2=N4) (union/< M1+M026=M7 N0+1+N1=N2)
    <- nat`plus-swap-succ N5+1+N1=N4 N5+N1+1=N4
    <- nat`plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
    <- nat`plus-associative* N7+1+N0=N5 N5+N1+1=N4 N0+N1+1=N2 N7+1+N2=N4.
- : union-associative-union/<-union/< N0+1+N1=N2 N5+1+N1=N4 (union/> M722+M4=M6 N7+1+N5=N0) M1+M546=M7 (map/+ N4 D4 M6) (union/> M722+M4=M6 N7+1+N4=N2) (union/< M1+M546=M7 N5+1+N1=N4)
    <- nat`plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
    <- nat`plus-swap-succ N5+1+N1=N4 N5+N1+1=N4
    <- nat`plus-associative* N7+1+N5=N0 N0+N1+1=N2 N5+N1+1=N4 N7+1+N4=N2.
%% and now we return to the main theorem
%% M1's head precedes M2's, but M4's head precedes M1's: M2's re-based
%% offset is recomputed relative to M4 (N6) before the induction hypothesis.
- : union-associative (union/< M1+M022=M3 N0+1+N1=N2) (union/> M513+M4=M7 N5+1+N3=N1) (map/+ _ _ M6) (union/> M622+M4=M6 N6+1+N3=N2) (union/> M511+M6=M7 N5+1+N3=N1)
    <- nat`plus-swap-succ N5+1+N3=N1 N5+N3+1=N1
    <- nat`plus-associative-converse N5+N3+1=N1 N0+1+N1=N2 N6 N0+1+N5=N6 N6+N3+1=N2
    <- nat`plus-swap-succ-converse N6+N3+1=N2 N6+1+N3=N2
    <- union-associative (union/< M1+M022=M3 N0+1+N5=N6) M513+M4=M7 M6 M622+M4=M6 M511+M6=M7.
%% M2's head precedes M1's: the union/> step on M1 is simply carried through.
- : union-associative (union/> M311+M2=M3 N3+1+N2=N1) (union/= M3+M4=M7 D2+D4=D7 nat`eq/) (map/+ _ _ M6) (union/= M2+M4=M6 D2+D4=D7 nat`eq/) (union/> M311+M6=M7 N3+1+N2=N1)
    <- union-associative M311+M2=M3 M3+M4=M7 M6 M2+M4=M6 M311+M6=M7.
- : union-associative (union/> M311+M2=M3 N3+1+N2=N1) (union/< M3+M044=M7 N0+1+N2=N4) (map/+ _ _ M6) (union/< M2+M044=M6 N0+1+N2=N4) (union/> M311+M6=M7 N3+1+N2=N1)
    <- union-associative M311+M2=M3 M3+M044=M7 M6 M2+M044=M6 M311+M6=M7.
- : union-associative (union/> M311+M2=M3 N3+1+N2=N1) (union/> M523+M4=M7 N5+1+N4=N2) (map/+ _ _ M6) (union/> M522+M4=M6 N5+1+N4=N2) (union/> M711+M6=M7 N7+1+N4=N1) <- nat`plus-swap-succ N5+1+N4=N2 N5+N4+1=N2 <- nat`plus-associative-converse N5+N4+1=N2 N3+1+N2=N1 N7 N3+1+N5=N7 N7+N4+1=N1 <- nat`plus-swap-succ-converse N7+N4+1=N1 N7+1+N4=N1 <- union-associative (union/> M311+M2=M3 N3+1+N5=N7) M523+M4=M7 M6 M522+M4=M6 M711+M6=M7. %worlds () (union-associative-union/<-union/< _ _ _ _ _ _ _). %total {} (union-associative-union/<-union/< _ _ _ _ _ _ _). %worlds () (union-associative _ _ _ _ _). %total (J) (union-associative _ J _ _ _). %theorem union-associative* : forall* {X1} {X2} {X12} {X3} {X23} {X123} forall {OP12:union X1 X2 X12} {OP12-3:union X12 X3 X123} {OP23:union X2 X3 X23} exists {OP1-23:union X1 X23 X123} true. - : union-associative* X1+X2=X3 X3+X4=X7 X2+X4=X6 X1+X6=X7 <- union-associative X1+X2=X3 X3+X4=X7 Y6 X2+X4=Y6 X1+Y6=X7 <- union-deterministic X2+X4=Y6 X2+X4=X6 eq/ eq/ Y6=X6 <- union-respects-eq X1+Y6=X7 eq/ Y6=X6 eq/ X1+X6=X7. %worlds () (union-associative* _ _ _ _). %total {} (union-associative* _ _ _ _). %theorem union-associative-converse : forall* {X1} {X2} {X4} {X6} {X7} forall {OP24:union X2 X4 X6} {OP16:union X1 X6 X7} exists {X3} {OP12:union X1 X2 X3} {OP34:union X3 X4 X7} true. - : union-associative-converse X2+X4=X6 X1+X6=X7 _ X1+X2=X3 X3+X4=X7 <- union-commutative X2+X4=X6 X4+X2=X6 <- union-commutative X1+X6=X7 X6+X1=X7 <- union-associative X4+X2=X6 X6+X1=X7 _ X2+X1=X3 X4+X3=X7 <- union-commutative X2+X1=X3 X1+X2=X3 <- union-commutative X4+X3=X7 X3+X4=X7. %worlds () (union-associative-converse X2+X4=X6 X1+X6=X7 X3 X1+X2=X3 X3+X4=X7). %total {} (union-associative-converse _ _ _ _ _). %theorem union-associative-converse* : forall* {X1} {X2} {X3} {X4} {X6} {X7} forall {OP24:union X2 X4 X6} {OP16:union X1 X6 X7} {OP12:union X1 X2 X3} exists {OP34:union X3 X4 X7} true. 
- : union-associative-converse* X2+X4=X6 X1+X6=X7 X1+X2=X3 X3+X4=X7 <- union-associative-converse X2+X4=X6 X1+X6=X7 X3P X1+X2=X3P X3P+X4=X7 <- union-deterministic X1+X2=X3P X1+X2=X3 eq/ eq/ X3P=X3 <- union-respects-eq X3P+X4=X7 X3P=X3 eq/ eq/ X3+X4=X7. %worlds () (union-associative-converse* X2+X4=X6 X1+X6=X7 X1+X2=X3 X3+X4=X7). %total {} (union-associative-converse* _ _ _ _). %% The following two theorems are useful for reordering elements %% is a left-associative sequence of operations. %theorem union-assoc-commutative* : forall* {X1} {X2} {X3} {X4} {X5} {X7} forall {OP1:union X1 X2 X3} {OP2:union X3 X4 X7} {OP3:union X1 X4 X5} exists {OP4:union X5 X2 X7} true. - : union-assoc-commutative* X1+X2=X3 X3+X4=X7 X1+X4=X5 X5+X2=X7 <- union-associative X1+X2=X3 X3+X4=X7 X6 X2+X4=X6 X1+X6=X7 <- union-commutative X2+X4=X6 X4+X2=X6 <- union-associative-converse* X4+X2=X6 X1+X6=X7 X1+X4=X5 X5+X2=X7. %worlds () (union-assoc-commutative* X1+X2=X3 X3+X4=X7 X1+X4=X5 X5+X2=X7). %total {} (union-assoc-commutative* _ _ _ _). %theorem union-assoc-commutative : forall* {X1} {X2} {X3} {X4} {X7} forall {OP1:union X1 X2 X3} {OP2:union X3 X4 X7} exists {X5} {OP3:union X1 X4 X5} {OP4:union X5 X2 X7} true. - : union-assoc-commutative X1+X2=X3 X3+X4=X7 X5 X1+X4=X5 X5+X2=X7 <- union-associative X1+X2=X3 X3+X4=X7 X6 X2+X4=X6 X1+X6=X7 <- union-commutative X2+X4=X6 X4+X2=X6 <- union-associative-converse X4+X2=X6 X1+X6=X7 X5 X1+X4=X5 X5+X2=X7. %worlds () (union-assoc-commutative X1+X2=X3 X3+X4=X7 X5 X1+X4=X5 X5+X2=X7). %total {} (union-assoc-commutative _ _ _ _ _). %% The following theorem is a useful shortcut to %% re-associate (AB)(CD) to (AC)(BD): %theorem union-double-associative* : forall* {A} {B} {C} {D} {A+B} {C+D} {A+C} {B+D} {X} forall {AB:union A B A+B} {CD:union C D C+D} {ABCD:union A+B C+D X} {AC:union A C A+C} {BD:union B D B+D} exists {ACBD:union A+C B+D X} true. 
- : union-double-associative* X1+X2=X3 X4+X8=XC X3+XC=XF X1+X4=X5 X2+X8=XA X5+XA=XF <- union-associative X1+X2=X3 X3+XC=XF XE X2+XC=XE X1+XE=XF <- union-commutative X4+X8=XC X8+X4=XC <- union-associative-converse* X8+X4=XC X2+XC=XE X2+X8=XA XA+X4=XE <- union-commutative XA+X4=XE X4+XA=XE <- union-associative-converse* X4+XA=XE X1+XE=XF X1+X4=X5 X5+XA=XF. %worlds () (union-double-associative* X1+X2=X3 X4+X8=XC X3+XC=XF X1+X4=X5 X2+X8=XA X5+XA=XF). %total {} (union-double-associative* _ _ _ _ _ _). %theorem union-double-associative : forall* {A} {B} {C} {D} {A+B} {C+D} {X} forall {AB:union A B A+B} {CD:union C D C+D} {ABCD:union A+B C+D X} exists {A+C} {B+D} {AC:union A C A+C} {BD:union B D B+D} {ACBD:union A+C B+D X} true. - : union-double-associative X1+X2=X3 X4+X8=XC X3+XC=XF X5 XA X1+X4=X5 X2+X8=XA X5+XA=XF <- union-associative X1+X2=X3 X3+XC=XF XE X2+XC=XE X1+XE=XF <- union-commutative X4+X8=XC X8+X4=XC <- union-associative-converse X8+X4=XC X2+XC=XE XA X2+X8=XA XA+X4=XE <- union-commutative XA+X4=XE X4+XA=XE <- union-associative-converse X4+XA=XE X1+XE=XF X5 X1+X4=X5 X5+XA=XF. %worlds () (union-double-associative _ _ _ _ _ _ _ _). %total { } (union-double-associative _ _ _ _ _ _ _ _). %theorem lookup-implies-union : forall* {M} {N} {D} forall {L:lookup M N D} exists {M-} {F:not-member M- N} {A:union (map/+ N D map/0) M- M} true. - : lookup-implies-union (lookup/= nat`eq/) _ (not-member/0) (union/R). - : lookup-implies-union (lookup/= nat`eq/) _ (not-member/< N2>N1) (union/< union/L N0+1+N1=N2) <- nat`plus-total N0+1+N1=N2 <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1. - : lookup-implies-union (lookup/> L N0+1+N1=N2) _ (not-member/> F N0+1+N1=N2) (union/> A N0+1+N1=N2) <- lookup-implies-union L _ F A. %worlds () (lookup-implies-union _ _ _ _). %total (L) (lookup-implies-union L _ _ _). 
%% How union interacts with lookup and not-member.
%%
%% If N is bound in both M1 and M2 then it is bound in the union M3, with
%% the two data values combined by nat`union.  The union/= case matches
%% the keys directly; the union/< and union/> cases re-base one lookup's
%% key offset (plus-associative-converse, plus-right-cancels) before
%% recursing.  Induction on the union derivation A.
%theorem union-joins-lookup : forall* {M1} {M2} {M3} {N} {D1} {D2} forall {L1:lookup M1 N D1} {L2:lookup M2 N D2} {A:union M1 M2 M3} exists {D3} {J:nat`union D1 D2 D3} {L3:lookup M3 N D3} true.
- : union-joins-lookup (lookup/= nat`eq/) (lookup/= nat`eq/) A _ AD L3
   <- union/=-inversion A nat`eq/ _ _ AD _ M=M133
   <- eq-symmetric M=M133 M133=M
   <- lookup-respects-eq (lookup/= nat`eq/) M133=M nat`eq/ nat`eq/ L3.
- : union-joins-lookup (lookup/> L1 N0+1+N1=N2) (lookup/= nat`eq/) A _ AD L3P
   <- union/<-inversion A N0+1+N1=N2 M3 M1+M022=M3 M=M113
   <- union-joins-lookup L1 (lookup/= nat`eq/) M1+M022=M3 _ AD L3
   <- eq-symmetric M=M113 M113=M
   <- lookup-respects-eq (lookup/> L3 N0+1+N1=N2) M113=M nat`eq/ nat`eq/ L3P.
- : union-joins-lookup (lookup/= nat`eq/) (lookup/> L2 N3+1+N2=N1) A _ AD L3P
   <- union/>-inversion A N3+1+N2=N1 M3 M311+M2=M3 M=M223
   <- union-joins-lookup (lookup/= nat`eq/) L2 M311+M2=M3 _ AD L3
   <- eq-symmetric M=M223 M223=M
   <- lookup-respects-eq (lookup/> L3 N3+1+N2=N1) M223=M nat`eq/ nat`eq/ L3P.
- : union-joins-lookup (lookup/> L1P N4+1+N1=N) (lookup/> L2 N5+1+N2=N) (union/= M1+M2=M3 _ nat`eq/) _ AD (lookup/> L N5+1+N2=N)
   <- plus-right-cancels N4+1+N1=N N5+1+N2=N nat`eq/ nat`eq/ N4+1=N5+1
   <- succ-cancels N4+1=N5+1 N4=N5
   <- lookup-respects-eq L1P eq/ N4=N5 nat`eq/ L1
   <- union-joins-lookup L1 L2 M1+M2=M3 _ AD L.
- : union-joins-lookup (lookup/> L1 N4+1+N1=N) (lookup/> L2 N5+1+N2=N) (union/< M1+M022=M3 N0+1+N1=N2) _ AD (lookup/> L3 N4+1+N1=N)
   <- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
   <- plus-associative-converse N0+N1+1=N2 N5+1+N2=N N6 N5+1+N0=N6 N6+N1+1=N
   <- plus-swap-succ N4+1+N1=N N4+N1+1=N
   <- plus-right-cancels N6+N1+1=N N4+N1+1=N nat`eq/ nat`eq/ N6=N4
   <- plus-respects-eq N5+1+N0=N6 nat`eq/ nat`eq/ N6=N4 N5+1+N0=N4
   <- union-joins-lookup L1 (lookup/> L2 N5+1+N0=N4) M1+M022=M3 _ AD L3.
- : union-joins-lookup (lookup/> L1 N4+1+N1=N) (lookup/> L2 N5+1+N2=N) (union/> M311+M2=M3 N3+1+N2=N1) _ AD (lookup/> L3 N5+1+N2=N)
   <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
   <- plus-associative-converse N3+N2+1=N1 N4+1+N1=N N6 N4+1+N3=N6 N6+N2+1=N
   <- plus-swap-succ N5+1+N2=N N5+N2+1=N
   <- plus-right-cancels N6+N2+1=N N5+N2+1=N nat`eq/ nat`eq/ N6=N5
   <- plus-respects-eq N4+1+N3=N6 nat`eq/ nat`eq/ N6=N5 N4+1+N3=N5
   <- union-joins-lookup (lookup/> L1 N4+1+N3=N5) L2 M311+M2=M3 _ AD L3.
%worlds () (union-joins-lookup _ _ _ _ _ _).
%total (A) (union-joins-lookup _ _ A _ _ _).
%% A key absent from both operands is absent from their union.
%% Induction on the union derivation A.
%theorem union-preserves-not-member* : forall* {M1} {M2} {M3} {N} forall {F1:not-member M1 N} {F2:not-member M2 N} {A:union M1 M2 M3} exists {F3:not-member M3 N} true.
- : union-preserves-not-member* _ F union/L F.
- : union-preserves-not-member* F _ union/R F.
%% NOTE(review): the text of the next two cases looks damaged in this copy
%% (an unmatched ")" and missing "<-" separators); compare them against the
%% original source before relying on them.
- : union-preserves-not-member* (not-member/< N _ _) (not-member/< N F2 N4+1+N2=N) AX F3X <- gt-implies-plus N-inversion AX N3+1+N2=N1 M3 A M=M223 <- plus-implies-gt N0+1+N4=N3 nat`eq/ N4 F3 N4+1+N2=N) M223=M nat`eq/ F3X.
- : union-preserves-not-member* (not-member/> F1 N3+1+N1=N) (not-member/< N F3 N3+1+N1=N) M113=M nat`eq/ F3X.
- : union-preserves-not-member* (not-member/> F1 N3+1+N1=N) (not-member/> F2P N4+1+N2=N) (union/= A _ N1=N2) (not-member/> F3 N3+1+N1=N)
   <- plus-right-cancels N3+1+N1=N N4+1+N2=N N1=N2 nat`eq/ N3+1=N4+1
   <- succ-cancels N3+1=N4+1 N3=N4
   <- nat`eq-symmetric N3=N4 N4=N3
   <- not-member-respects-eq F2P eq/ N4=N3 F2
   <- union-preserves-not-member* F1 F2 A F3.
- : union-preserves-not-member* (not-member/> F1 N3+1+N1=N) (not-member/> F2 N4+1+N2=N) (union/< A N0+1+N1=N2) (not-member/> F3 N3+1+N1=N)
   <- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
   <- plus-associative-converse N0+N1+1=N2 N4+1+N2=N N6 N4+1+N0=N6 N6+N1+1=N
   <- plus-swap-succ N3+1+N1=N N3+N1+1=N
   <- plus-right-cancels N6+N1+1=N N3+N1+1=N nat`eq/ nat`eq/ N6=N3
   <- plus-respects-eq N4+1+N0=N6 nat`eq/ nat`eq/ N6=N3 N4+1+N0=N3
   <- union-preserves-not-member* F1 (not-member/> F2 N4+1+N0=N3) A F3.
- : union-preserves-not-member* (not-member/> F1 N3+1+N1=N) (not-member/> F2 N4+1+N2=N) (union/> A N0+1+N2=N1) (not-member/> F3 N4+1+N2=N)
   <- plus-swap-succ N0+1+N2=N1 N0+N2+1=N1
   <- plus-associative-converse N0+N2+1=N1 N3+1+N1=N N6 N3+1+N0=N6 N6+N2+1=N
   <- plus-swap-succ N4+1+N2=N N4+N2+1=N
   <- plus-right-cancels N6+N2+1=N N4+N2+1=N nat`eq/ nat`eq/ N6=N4
   <- plus-respects-eq N3+1+N0=N6 nat`eq/ nat`eq/ N6=N4 N3+1+N0=N4
   <- union-preserves-not-member* (not-member/> F1 N3+1+N0=N4) F2 A F3.
%worlds () (union-preserves-not-member* _ _ _ _).
%total (A) (union-preserves-not-member* _ _ A _).
%% If N is absent from M1, a binding N -> D in M2 survives unchanged in
%% the union M3.  Induction on the union derivation A.
%theorem not-member-union-left-preserves-lookup* : forall* {M1} {M2} {M3} {N} {D} forall {F1:not-member M1 N} {L2:lookup M2 N D} {A:union M1 M2 M3} exists {L3:lookup M3 N D} true.
- : not-member-union-left-preserves-lookup* _ L union/L L.
%% NOTE(review): the text of the next two cases looks damaged in this copy
%% (unbalanced parentheses, a missing "<-" separator); compare them against
%% the original source before relying on them.
- : not-member-union-left-preserves-lookup* (not-member/< N2-inversion AX N3+1+N2=N1 M3 A M=M223 <- eq-symmetric M=M223 M223=M <- lookup-respects-eq (lookup/= nat`eq/) M223=M nat`eq/ nat`eq/ L3X.
- : not-member-union-left-preserves-lookup* (not-member/< N L2 N4+1+N2=N) AX L3X <- gt-implies-plus N-inversion AX N3+1+N2=N1 M3 A M=M223 <- eq-symmetric M=M223 M223=M <- plus-implies-gt N0+1+N4=N3 nat`eq/ N3>N4 <- not-member-union-left-preserves-lookup* (not-member/< N3>N4) L2 A L3 <- lookup-respects-eq (lookup/> L3 N4+1+N2=N) M223=M nat`eq/ nat`eq/ L3X.
- : not-member-union-left-preserves-lookup* (not-member/> F1 N0+1+N1=N2) (lookup/= nat`eq/) AX L3X
   <- union/<-inversion AX N0+1+N1=N2 M3 A M=M113
   <- eq-symmetric M=M113 M113=M
   <- not-member-union-left-preserves-lookup* F1 (lookup/= nat`eq/) A L3
   <- lookup-respects-eq (lookup/> L3 N0+1+N1=N2) M113=M nat`eq/ nat`eq/ L3X.
- : not-member-union-left-preserves-lookup* (not-member/> F1P N4+1+N1=N) (lookup/> L2 N5+1+N1=N) (union/= A _ nat`eq/) (lookup/> L3 N5+1+N1=N)
   <- plus-right-cancels N4+1+N1=N N5+1+N1=N nat`eq/ nat`eq/ N4+1=N5+1
   <- succ-cancels N4+1=N5+1 N4=N5
   <- not-member-respects-eq F1P eq/ N4=N5 F1
   <- not-member-union-left-preserves-lookup* F1 L2 A L3.
- : not-member-union-left-preserves-lookup* (not-member/> F1 N4+1+N1=N) (lookup/> L2 N5+1+N2=N) (union/< A N0+1+N1=N2) (lookup/> L3 N4+1+N1=N)
   <- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
   <- plus-associative-converse N0+N1+1=N2 N5+1+N2=N N3 N5+1+N0=N3 N3+N1+1=N
   <- plus-swap-succ N4+1+N1=N N4+N1+1=N
   <- plus-right-cancels N3+N1+1=N N4+N1+1=N nat`eq/ nat`eq/ N3=N4
   <- plus-respects-eq N5+1+N0=N3 nat`eq/ nat`eq/ N3=N4 N5+1+N0=N4
   <- not-member-union-left-preserves-lookup* F1 (lookup/> L2 N5+1+N0=N4) A L3.
- : not-member-union-left-preserves-lookup* (not-member/> F1 N4+1+N1=N) (lookup/> L2 N5+1+N2=N) (union/> A N3+1+N2=N1) (lookup/> L3 N5+1+N2=N)
   <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
   <- plus-associative-converse N3+N2+1=N1 N4+1+N1=N N6 N4+1+N3=N6 N6+N2+1=N
   <- plus-swap-succ N5+1+N2=N N5+N2+1=N
   <- plus-right-cancels N6+N2+1=N N5+N2+1=N nat`eq/ nat`eq/ N6=N5
   <- plus-respects-eq N4+1+N3=N6 nat`eq/ nat`eq/ N6=N5 N4+1+N3=N5
   <- not-member-union-left-preserves-lookup* (not-member/> F1 N4+1+N3=N5) L2 A L3.
%worlds () (not-member-union-left-preserves-lookup* _ _ _ _).
%total (A) (not-member-union-left-preserves-lookup* _ _ A _).
%% Converse: if N is absent from M1 and bound in the union M3, then it is
%% bound (to the same D) in M2.  The "/L" helper takes an extra member?
%% decision for M2 so the main theorem can case-split via member?-total:
%% the "in" case goes through the forward lemma plus lookup-deterministic,
%% the "out" case is contradictory (N would be absent from M3 as well).
%theorem not-member-union-left-preserves-lookup-converse : forall* {M1} {M2} {M3} {N} {D} forall {F1:not-member M1 N} {L3:lookup M3 N D} {A:union M1 M2 M3} exists {L2:lookup M2 N D} true.
%theorem not-member-union-left-preserves-lookup-converse/L : forall* {M1} {M2} {M3} {N} {D} {B} forall {F1:not-member M1 N} {L3:lookup M3 N D} {A:union M1 M2 M3} {D?:member? M2 N B} exists {L2:lookup M2 N D} true.
- : not-member-union-left-preserves-lookup-converse F1 L3 A L2
   <- member?-total D?
   <- not-member-union-left-preserves-lookup-converse/L F1 L3 A D? L2.
- : not-member-union-left-preserves-lookup-converse/L F1 L3 A (member?/in L2') L2
   <- not-member-union-left-preserves-lookup* F1 L2' A L3'
   <- lookup-deterministic L3' L3 eq/ nat`eq/ D'=D
   <- lookup-respects-eq L2' eq/ nat`eq/ D'=D L2.
- : not-member-union-left-preserves-lookup-converse/L F1 L3 A (member?/out F2) L2
   <- union-preserves-not-member* F1 F2 A F3
   <- not-member-lookup-not-equal F3 L3 N<>N
   <- nat`ne-anti-reflexive N<>N F
   <- false-implies-lookup F L2.
%worlds () (not-member-union-left-preserves-lookup-converse/L _ _ _ _ _).
%total { } (not-member-union-left-preserves-lookup-converse/L _ _ _ _ _).
%worlds () (not-member-union-left-preserves-lookup-converse _ _ _ _).
%total { } (not-member-union-left-preserves-lookup-converse _ _ _ _).
%% A binding in M2 yields some binding for the same key in the union
%% (the data D3 may differ from D2 when M1 also binds N).  Again a "/L"
%% helper case-splits on member? M1 N.  Style: the output derivation is
%% bound under the name N, the same name as the key; a distinct name would
%% read better.
%theorem union-left-affects-lookup : forall* {M1} {N} {D2} {M2} {M3} forall {L:lookup M2 N D2} {A:union M1 M2 M3} exists {D3} {N:lookup M3 N D3} true.
%theorem union-left-affects-lookup/L : forall* {M1} {N} {D2} {M2} {M3} {B} forall {L:lookup M2 N D2} {A:union M1 M2 M3} {D:member? M1 N B} exists {D3} {N:lookup M3 N D3} true.
- : union-left-affects-lookup/L L2 A (member?/in L1) _ L3
   <- union-joins-lookup L1 L2 A _ _ L3.
- : union-left-affects-lookup/L L2 A (member?/out F1) _ L3
   <- not-member-union-left-preserves-lookup* F1 L2 A L3.
%worlds () (union-left-affects-lookup/L _ _ _ _ _).
%total { } (union-left-affects-lookup/L _ _ _ _ _).
- : union-left-affects-lookup L2 A _ L3
   <- member?-total D
   <- union-left-affects-lookup/L L2 A D _ L3.
%worlds () (union-left-affects-lookup _ _ _ _).
%total { } (union-left-affects-lookup _ _ _ _).
%% Right-hand mirror images of the "left" lemmas above, obtained by
%% commuting the union (union-commutative) and reusing the left versions.
%theorem not-member-union-right-preserves-lookup* : forall* {M1} {M2} {M3} {N} {D} forall {L1:lookup M1 N D} {F2:not-member M2 N} {A:union M1 M2 M3} exists {L3:lookup M3 N D} true.
- : not-member-union-right-preserves-lookup* L1 F2 A L3
   <- union-commutative A Ac
   <- not-member-union-left-preserves-lookup* F2 L1 Ac L3.
%worlds () (not-member-union-right-preserves-lookup* _ _ _ _).
%total { } (not-member-union-right-preserves-lookup* _ _ _ _).
%% N absent from M2 and bound in M3 implies N bound to the same D in M1;
%% proved via a member? M1 N case split exactly like the left-hand converse.
%theorem not-member-union-right-preserves-lookup-converse : forall* {M1} {M2} {M3} {N} {D} forall {L3:lookup M3 N D} {F2:not-member M2 N} {A:union M1 M2 M3} exists {L1:lookup M1 N D} true.
%theorem not-member-union-right-preserves-lookup-converse/L : forall* {M1} {M2} {M3} {N} {D} {B} forall {L3:lookup M3 N D} {F2:not-member M2 N} {A:union M1 M2 M3} {D?:member? M1 N B} exists {L1:lookup M1 N D} true.
- : not-member-union-right-preserves-lookup-converse L3 F2 A L1
   <- member?-total D?
   <- not-member-union-right-preserves-lookup-converse/L L3 F2 A D? L1.
- : not-member-union-right-preserves-lookup-converse/L L3 F2 A (member?/in L1') L1
   <- not-member-union-right-preserves-lookup* L1' F2 A L3'
   <- lookup-deterministic L3' L3 eq/ nat`eq/ D'=D
   <- lookup-respects-eq L1' eq/ nat`eq/ D'=D L1.
- : not-member-union-right-preserves-lookup-converse/L L3 F2 A (member?/out F1) L1
   <- union-preserves-not-member* F1 F2 A F3
   <- not-member-lookup-not-equal F3 L3 N<>N
   <- nat`ne-anti-reflexive N<>N F
   <- false-implies-lookup F L1.
%worlds () (not-member-union-right-preserves-lookup-converse/L _ _ _ _ _).
%total { } (not-member-union-right-preserves-lookup-converse/L _ _ _ _ _).
%worlds () (not-member-union-right-preserves-lookup-converse _ _ _ _).
%total { } (not-member-union-right-preserves-lookup-converse _ _ _ _).
%% A binding in M1 yields some binding for the same key in the union
%% (data may be joined with M2's when M2 also binds N).
%theorem union-right-affects-lookup : forall* {M1} {N} {D1} {M2} {M3} forall {L:lookup M1 N D1} {A:union M1 M2 M3} exists {D3} {N:lookup M3 N D3} true.
%theorem union-right-affects-lookup/L : forall* {M1} {N} {D1} {M2} {M3} {B} forall {L:lookup M1 N D1} {A:union M1 M2 M3} {D:member? M2 N B} exists {D3} {N:lookup M3 N D3} true.
- : union-right-affects-lookup/L L1 A (member?/in L2) _ L3
   <- union-joins-lookup L1 L2 A _ _ L3.
- : union-right-affects-lookup/L L1 A (member?/out F2) _ L3
   <- not-member-union-right-preserves-lookup* L1 F2 A L3.
%worlds () (union-right-affects-lookup/L _ _ _ _ _).
%total { } (union-right-affects-lookup/L _ _ _ _ _).
- : union-right-affects-lookup L1 A _ L3
   <- member?-total D
   <- union-right-affects-lookup/L L1 A D _ L3.
%worlds () (union-right-affects-lookup _ _ _ _).
%total { } (union-right-affects-lookup _ _ _ _).
%% A key absent from the union is absent from both operands.  The "/L"
%% helper case-splits on member? for both operands; every case in which a
%% side binds N is refuted by producing a lookup in M3 and contradicting F3.
%theorem union-preserves-not-member-converse* : forall* {M1} {M2} {M3} {N} forall {F3:not-member M3 N} {A:union M1 M2 M3} exists {F1:not-member M1 N} {F2:not-member M2 N} true.
%theorem union-preserves-not-member-converse/L : forall* {M1} {M2} {M3} {N} {B1} {B2} forall {F3:not-member M3 N} {A:union M1 M2 M3} {D1:member? M1 N B1} {D2:member? M2 N B2} exists {F1:not-member M1 N} {F2:not-member M2 N} true.
- : union-preserves-not-member-converse* F3 A F1 F2
   <- member?-total D1
   <- member?-total D2
   <- union-preserves-not-member-converse/L F3 A D1 D2 F1 F2.
- : union-preserves-not-member-converse/L _ _ (member?/out F1) (member?/out F2) F1 F2.
- : union-preserves-not-member-converse/L F3 A (member?/out F1) (member?/in L2) F1 F2
   <- not-member-union-left-preserves-lookup* F1 L2 A L3
   <- not-member-lookup-not-equal F3 L3 N<>N
   <- nat`ne-anti-reflexive N<>N F
   <- false-implies-not-member F F2.
- : union-preserves-not-member-converse/L F3 A (member?/in L1) (member?/out F2) F1 F2
   <- not-member-union-right-preserves-lookup* L1 F2 A L3
   <- not-member-lookup-not-equal F3 L3 N<>N
   <- nat`ne-anti-reflexive N<>N F
   <- false-implies-not-member F F1.
- : union-preserves-not-member-converse/L F3 A (member?/in L1) (member?/in L2) F1 F2
   <- union-joins-lookup L1 L2 A _ _ L3
   <- not-member-lookup-not-equal F3 L3 N<>N
   <- nat`ne-anti-reflexive N<>N F
   <- false-implies-not-member F F1
   <- false-implies-not-member F F2.
%worlds () (union-preserves-not-member-converse/L _ _ _ _ _ _).
%total { } (union-preserves-not-member-converse/L _ _ _ _ _ _).
%worlds () (union-preserves-not-member-converse* _ _ _ _).
%total { } (union-preserves-not-member-converse* _ _ _ _).
%% For disjoint operands a binding on one side carries over to the union
%% unchanged: the case where the other side also binds N is refuted by
%% disjoint-lookup-contradiction, the other case is the not-member lemma.
%theorem disjoint-union-left-preserves-lookup* : forall* {M1} {M2} {M3} {N} {D} forall {L2:lookup M2 N D} {X:disjoint M1 M2} {A:union M1 M2 M3} exists {L3:lookup M3 N D} true.
%theorem disjoint-union-left-preserves-lookup*/L : forall* {M1} {M2} {M3} {N} {D} {B} forall {L2:lookup M2 N D} {X:disjoint M1 M2} {A:union M1 M2 M3} {D?:member? M1 N B} exists {L3:lookup M3 N D} true.
- : disjoint-union-left-preserves-lookup* L2 X A L3
   <- member?-total D?
   <- disjoint-union-left-preserves-lookup*/L L2 X A D? L3.
- : disjoint-union-left-preserves-lookup*/L L2 X A (member?/in L1) L3
   <- disjoint-lookup-contradiction X L1 L2 F
   <- false-implies-lookup F L3.
- : disjoint-union-left-preserves-lookup*/L L2 X A (member?/out F1) L3
   <- not-member-union-left-preserves-lookup* F1 L2 A L3.
%worlds () (disjoint-union-left-preserves-lookup*/L _ _ _ _ _).
%total { } (disjoint-union-left-preserves-lookup*/L _ _ _ _ _).
%worlds () (disjoint-union-left-preserves-lookup* _ _ _ _).
%total { } (disjoint-union-left-preserves-lookup* _ _ _ _).
%theorem disjoint-union-right-preserves-lookup* : forall* {M1} {M2} {M3} {N} {D} forall {L1:lookup M1 N D} {X:disjoint M1 M2} {A:union M1 M2 M3} exists {L3:lookup M3 N D} true.
%theorem disjoint-union-right-preserves-lookup*/L : forall* {M1} {M2} {M3} {N} {D} {B} forall {L1:lookup M1 N D} {X:disjoint M1 M2} {A:union M1 M2 M3} {D?:member? M2 N B} exists {L3:lookup M3 N D} true.
- : disjoint-union-right-preserves-lookup* L1 X A L3
   <- member?-total D?
   <- disjoint-union-right-preserves-lookup*/L L1 X A D? L3.
- : disjoint-union-right-preserves-lookup*/L L1 X A (member?/in L2) L3
   <- disjoint-lookup-contradiction X L1 L2 F
   <- false-implies-lookup F L3.
- : disjoint-union-right-preserves-lookup*/L L1 X A (member?/out F2) L3
   <- not-member-union-right-preserves-lookup* L1 F2 A L3.
%worlds () (disjoint-union-right-preserves-lookup*/L _ _ _ _ _).
%total { } (disjoint-union-right-preserves-lookup*/L _ _ _ _ _).
%worlds () (disjoint-union-right-preserves-lookup* _ _ _ _).
%total { } (disjoint-union-right-preserves-lookup* _ _ _ _).
%% Order-theoretic view of union (leq is the map ordering, defined above
%% this excerpt).  First: the left operand is below the union.
%% Induction on the union derivation.
%theorem union-implies-leq* : forall* {M1} {M2} {M3} forall {J:union M1 M2 M3} exists {L:leq M1 M3} true.
- : union-implies-leq* union/L leq/0.
- : union-implies-leq* union/R M2=M2
   <- leq-reflexive _ M2=M2.
- : union-implies-leq* (union/= M1+M2=M3 D1+D2=D3 nat`eq/) (leq/= M1<=M3 D1<=D3 nat`eq/)
   <- nat`union-implies-leq* D1+D2=D3 D1<=D3
   <- union-implies-leq* M1+M2=M3 M1<=M3.
- : union-implies-leq* (union/< M1+_=M3 _) (leq/= M1<=M3 D1<=D1 nat`eq/)
   <- nat`leq-reflexive _ D1<=D1
   <- union-implies-leq* M1+_=M3 M1<=M3.
- : union-implies-leq* (union/> M311+M2=M3 P) (leq/> M311<=M3 P)
   <- union-implies-leq* M311+M2=M3 M311<=M3.
%worlds () (union-implies-leq* _ _).
%total (J) (union-implies-leq* J _).
%% Both operands are below the union (the right one via commutativity).
%theorem union-implies-leq : forall* {M1} {M2} {M3} forall {A:union M1 M2 M3} exists {L1:leq M1 M3} {L2:leq M2 M3} true.
- : union-implies-leq M1*M2=M3 M1<=M3 M2<=M3
   <- union-implies-leq* M1*M2=M3 M1<=M3
   <- union-commutative M1*M2=M3 M2*M1=M3
   <- union-implies-leq* M2*M1=M3 M2<=M3.
%worlds () (union-implies-leq _ _ _).
%total { } (union-implies-leq _ _ _).
%% The union is the least upper bound: any M4 above both operands is
%% above the union.  Cases pair the union rule with the two leq rules;
%% the key arithmetic either aligns the three derivations or yields an
%% impossible N>N (or N1>N2 together with N2>N1), refuted through
%% gt-anti-reflexive / gt-anti-symmetric.  Induction on L1.
%theorem union-is-lub : forall* {M1} {M2} {M3} {M4} forall {J:union M1 M2 M3} {L1:leq M1 M4} {L2:leq M2 M4} exists {L3:leq M3 M4} true.
- : union-is-lub union/L _ L L.
- : union-is-lub union/R L _ L.
- : union-is-lub (union/= M1+M2=M3 D1+D2=D3 nat`eq/) (leq/= M1<=M4 D1<=D4 nat`eq/) (leq/= M2<=M4 D2<=D4 nat`eq/) (leq/= M3<=M4 D3<=D4 nat`eq/)
   <- nat`union-is-lub D1+D2=D3 D1<=D4 D2<=D4 D3<=D4
   <- union-is-lub M1+M2=M3 M1<=M4 M2<=M4 M3<=M4.
- : union-is-lub (union/= _ _ nat`eq/) (leq/= _ _ nat`eq/) (leq/> _ N3+1+N=N) L
   <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
   <- gt-anti-reflexive N>N F
   <- false-implies-leq F L.
- : union-is-lub (union/= _ _ nat`eq/) (leq/> _ N3+1+N=N) (leq/= _ _ nat`eq/) L
   <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
   <- gt-anti-reflexive N>N F
   <- false-implies-leq F L.
- : union-is-lub (union/= M1+M2=M3 D1+D2=D3 nat`eq/) (leq/> M511<=M4 N5+1+N4=N) (leq/> M622<=M4 N6+1+N4=N) (leq/> M633<=M4 N6+1+N4=N)
   <- nat`plus-right-cancels N5+1+N4=N N6+1+N4=N nat`eq/ nat`eq/ N5+1=N6+1
   <- nat`succ-cancels N5+1=N6+1 N5=N6
   <- map/+-preserves-eq N5=N6 nat`eq/ eq/ M511=M611
   <- leq-respects-eq M511<=M4 M511=M611 eq/ M611<=M4
   <- union-is-lub (union/= M1+M2=M3 D1+D2=D3 nat`eq/) M611<=M4 M622<=M4 M633<=M4.
- : union-is-lub (union/< _ N0+1+N=N) (leq/= _ _ nat`eq/) (leq/= _ _ nat`eq/) L
   <- nat`plus-implies-gt N0+1+N=N nat`eq/ N>N
   <- gt-anti-reflexive N>N F
   <- false-implies-leq F L.
- : union-is-lub (union/< M1+M022=M3 N0+1+N1=N2) (leq/= M1<=M4 D1<=D4 nat`eq/) (leq/> M622<=M4 N6+1+N1=N2) (leq/= M3<=M4 D1<=D4 nat`eq/)
   <- nat`plus-right-cancels N6+1+N1=N2 N0+1+N1=N2 nat`eq/ nat`eq/ N6+1=N0+1
   <- succ-cancels N6+1=N0+1 N6=N0
   <- map/+-preserves-eq N6=N0 nat`eq/ eq/ M622=M022
   <- leq-respects-eq M622<=M4 M622=M022 eq/ M022<=M4
   <- union-is-lub M1+M022=M3 M1<=M4 M022<=M4 M3<=M4.
- : union-is-lub (union/< _ N0+1+N1=N2) (leq/> _ N3+1+N2=N1) (leq/= _ _ nat`eq/) L
   <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
   <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
   <- nat`gt-anti-symmetric N1>N2 N2>N1 F
   <- false-implies-leq F L.
- : union-is-lub (union/< M1+M022=M3 N0+1+N1=N2) (leq/> M511<=M4 N5+1+N4=N1) (leq/> M622<=M4 N6+1+N4=N2) (leq/> M513<=M4 N5+1+N4=N1)
   <- nat`plus-swap-succ N5+1+N4=N1 N5+N4+1=N1
   <- nat`plus-associative-converse N5+N4+1=N1 N0+1+N1=N2 N6' N0+1+N5=N6' N6'+N4+1=N2
   <- nat`plus-swap-succ-converse N6'+N4+1=N2 N6'+1+N4=N2
   <- nat`plus-right-cancels N6'+1+N4=N2 N6+1+N4=N2 nat`eq/ nat`eq/ N6'+1=N6+1
   <- nat`succ-cancels N6'+1=N6+1 N6'=N6
   <- nat`plus-respects-eq N0+1+N5=N6' nat`eq/ nat`eq/ N6'=N6 N0+1+N5=N6
   <- union-is-lub (union/< M1+M022=M3 N0+1+N5=N6) M511<=M4 M622<=M4 M513<=M4.
- : union-is-lub (union/> _ N3+1+N=N) (leq/= _ _ nat`eq/) (leq/= _ _ nat`eq/) L
   <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
   <- gt-anti-reflexive N>N F
   <- false-implies-leq F L.
- : union-is-lub (union/> _ N3+1+N2=N1) (leq/= _ _ nat`eq/) (leq/> _ N0+1+N1=N2) L
   <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
   <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
   <- nat`gt-anti-symmetric N1>N2 N2>N1 F
   <- false-implies-leq F L.
- : union-is-lub (union/> M311+M2=M3 N3+1+N2=N1) (leq/> M511<=M4 N5+1+N2=N1) (leq/= M2<=M4 D2<=D4 nat`eq/) (leq/= M3<=M4 D2<=D4 nat`eq/)
   <- nat`plus-right-cancels N3+1+N2=N1 N5+1+N2=N1 nat`eq/ nat`eq/ N3+1=N5+1
   <- nat`succ-cancels N3+1=N5+1 N3=N5
   <- map/+-preserves-eq N3=N5 nat`eq/ eq/ M311=M511
   <- union-respects-eq M311+M2=M3 M311=M511 eq/ eq/ M511+M2=M3
   <- union-is-lub M511+M2=M3 M511<=M4 M2<=M4 M3<=M4.
- : union-is-lub (union/> M311+M2=M3 N3+1+N2=N1) (leq/> M511<=M4 N5+1+N4=N1) (leq/> M622<=M4 N6+1+N4=N2) (leq/> M623<=M4 N6+1+N4=N2)
   <- nat`plus-swap-succ N6+1+N4=N2 N6+N4+1=N2
   <- nat`plus-associative-converse N6+N4+1=N2 N3+1+N2=N1 N5' N3+1+N6=N5' N5'+N4+1=N1
   <- nat`plus-swap-succ N5+1+N4=N1 N5+N4+1=N1
   <- nat`plus-right-cancels N5'+N4+1=N1 N5+N4+1=N1 nat`eq/ nat`eq/ N5'=N5
   <- nat`plus-respects-eq N3+1+N6=N5' nat`eq/ nat`eq/ N5'=N5 N3+1+N6=N5
   <- union-is-lub (union/> M311+M2=M3 N3+1+N6=N5) M511<=M4 M622<=M4 M623<=M4.
%worlds () (union-is-lub _ _ _ _).
%total (L) (union-is-lub _ L _ _).
%% S+S = S: the total union S+S=S' is at least S (union-implies-leq*) and
%% at most S (union-is-lub with S<=S twice); leq-anti-symmetric closes it.
%theorem union-idempotent : forall* {S} exists {J:union S S S} true.
- : union-idempotent S+S=S
   <- union-total S+S=S'
   <- union-implies-leq* S+S=S' S<=S'
   <- leq-reflexive _ S<=S
   <- union-is-lub S+S=S' S<=S S<=S S'<=S
   <- leq-anti-symmetric S'<=S S<=S' S'=S
   <- union-respects-eq S+S=S' eq/ eq/ S'=S S+S=S.
%worlds () (union-idempotent _).
%total { } (union-idempotent _).
%% M1 <= M2 implies M1+M2 = M2, by the same lub / anti-symmetry argument.
%theorem leq-implies-union : forall* {M1} {M2} forall {L:leq M1 M2} exists {J:union M1 M2 M2} true.
- : leq-implies-union M1<=M2 M1+M2=M2
   <- union-total M1+M2=M3
   <- leq-reflexive _ M2<=M2
   <- union-is-lub M1+M2=M3 M1<=M2 M2<=M2 M3<=M2
   <- union-implies-leq M1+M2=M3 _ M2<=M3
   <- leq-anti-symmetric M3<=M2 M2<=M3 M3=M2
   <- union-respects-eq M1+M2=M3 eq/ eq/ M3=M2 M1+M2=M2.
%worlds () (leq-implies-union _ _).
%total { } (leq-implies-union _ _).
%% Disjoint C1, C2 both below C implies their union C3 is below C.
%% The disjoint/< and disjoint/> cases invert the union and the leq on the
%% larger side, recurse, and transport the result back along C333=C115 /
%% C333=C225.  Induction on L1 (the leq for C1).
%theorem disjoint-leq-implies-union-leq* : forall* {C1} {C2} {C} {C3} forall {D:disjoint C1 C2} {L1:leq C1 C} {L2:leq C2 C} {J:union C1 C2 C3} exists {L3:leq C3 C} true.
- : disjoint-leq-implies-union-leq* disjoint/L _ C2<=C Z+C2=C3 C3<=C
   <- union-deterministic union/L Z+C2=C3 eq/ eq/ C2=C3
   <- leq-respects-eq C2<=C C2=C3 eq/ C3<=C.
- : disjoint-leq-implies-union-leq* disjoint/R C1<=C _ C1+0=C3 C3<=C
   <- union-deterministic union/R C1+0=C3 eq/ eq/ C1=C3
   <- leq-respects-eq C1<=C C1=C3 eq/ C3<=C.
- : disjoint-leq-implies-union-leq* (disjoint/< C1^C022 P) (leq/= C1<=C4 D1<=D4 nat`eq/) C222<=C444 C111+C222=C333 C333<=C444
   <- union/<-inversion C111+C222=C333 P _ C1+C022=C5 C333=C115
   <- leq/>-inversion C222<=C444 P C022<=C4
   <- disjoint-leq-implies-union-leq* C1^C022 C1<=C4 C022<=C4 C1+C022=C5 C5<=C4
   <- eq-symmetric C333=C115 C115=C333
   <- leq-respects-eq (leq/= C5<=C4 D1<=D4 nat`eq/) C115=C333 eq/ C333<=C444.
- : disjoint-leq-implies-union-leq* (disjoint/< C1^C022 N0+1+N1=N2) (leq/> C611<=C4 N6+1+N4=N1) C222<=C444 C111+C222=C333 C333<=C444
   <- union/<-inversion C111+C222=C333 N0+1+N1=N2 _ C1+C022=C5 C333=C115
   <- plus-swap-succ N6+1+N4=N1 N6+N4+1=N1
   <- plus-associative-converse N6+N4+1=N1 N0+1+N1=N2 N7 N0+1+N6=N7 N7+N4+1=N2
   <- plus-swap-succ-converse N7+N4+1=N2 N7+1+N4=N2
   <- leq/>-inversion C222<=C444 N7+1+N4=N2 C722<=C4
   <- disjoint-leq-implies-union-leq* (disjoint/< C1^C022 N0+1+N6=N7) C611<=C4 C722<=C4 (union/< C1+C022=C5 N0+1+N6=N7) C615<=C4
   <- eq-symmetric C333=C115 C115=C333
   <- leq-respects-eq (leq/> C615<=C4 N6+1+N4=N1) C115=C333 eq/ C333<=C444.
- : disjoint-leq-implies-union-leq* (disjoint/> C011^C2 P) C111<=C444 (leq/= C2<=C4 D2<=D4 nat`eq/) C111+C222=C333 C333<=C444
   <- union/>-inversion C111+C222=C333 P _ C011+C2=C5 C333=C225
   <- leq/>-inversion C111<=C444 P C011<=C4
   <- disjoint-leq-implies-union-leq* C011^C2 C011<=C4 C2<=C4 C011+C2=C5 C5<=C4
   <- eq-symmetric C333=C225 C225=C333
   <- leq-respects-eq (leq/= C5<=C4 D2<=D4 nat`eq/) C225=C333 eq/ C333<=C444.
- : disjoint-leq-implies-union-leq* (disjoint/> C011^C2 N0+1+N2=N1) C111<=C444 (leq/> C622<=C4 N6+1+N4=N2) C111+C222=C333 C333<=C444
   <- union/>-inversion C111+C222=C333 N0+1+N2=N1 _ C011+C2=C5 C333=C225
   <- plus-swap-succ N6+1+N4=N2 N6+N4+1=N2
   <- plus-associative-converse N6+N4+1=N2 N0+1+N2=N1 N7 N0+1+N6=N7 N7+N4+1=N1
   <- plus-swap-succ-converse N7+N4+1=N1 N7+1+N4=N1
   <- leq/>-inversion C111<=C444 N7+1+N4=N1 C711<=C4
   <- disjoint-leq-implies-union-leq* (disjoint/> C011^C2 N0+1+N6=N7) C711<=C4 C622<=C4 (union/> C011+C2=C5 N0+1+N6=N7) C625<=C4
   <- eq-symmetric C333=C225 C225=C333
   <- leq-respects-eq (leq/> C625<=C4 N6+1+N4=N2) C225=C333 eq/ C333<=C444.
%worlds () (disjoint-leq-implies-union-leq* _ _ _ _ _).
%total (L) (disjoint-leq-implies-union-leq* _ L _ _ _).
%% Union is monotone in its second argument: M2 <= M4, M1+M2 = M3 and
%% M1+M4 = M5 give M3 <= M5.  Most cases invert the second union, recurse,
%% and transport the result along the equation M=M1xx produced by the
%% inversion; the explicit binders and type ascriptions only help Twelf's
%% type reconstruction.  Induction on J (the first union).
%theorem union-left-preserves-leq* : forall* {M1} {M2} {M3} {M4} {M5} forall {L1:leq M2 M4} {J:union M1 M2 M3} {JP:union M1 M4 M5} exists {L3:leq M3 M5} true.
- : union-left-preserves-leq* L union/L union/L L.
- : union-left-preserves-leq* _ union/L union/R leq/0.
- : union-left-preserves-leq* leq/0 union/R M1+M4=M5 M1<=M5
   <- union-implies-leq* M1+M4=M5 M1<=M5.
- : union-left-preserves-leq* (leq/= M2<=M4 D2<=D4 nat`eq/) (union/= M1+M2=M3 D1+D2=D3 nat`eq/) M111+M144=M M133<=M
   <- union/=-inversion M111+M144=M nat`eq/ D5 M5 D1+D4=D5 M1+M4=M5 M=M155
   <- eq-symmetric M=M155 M155=M
   <- meta-eq (map/+ N1 D5 M5) M M155=M
   <- nat`union-left-preserves-leq* D2<=D4 D1+D2=D3 D1+D4=D5 D3<=D5
   <- union-left-preserves-leq* M2<=M4 M1+M2=M3 M1+M4=M5 M3<=M5
   <- leq-respects-eq (leq/= M3<=M5 D3<=D5 nat`eq/) eq/ M155=M M133<=M.
- : {M1+M044=M5:union M1 (map/+ N0 D4 M4) M5} {M115=M: eq (map/+ N1 D1 M5) M} union-left-preserves-leq* (leq/= M2<=M4 D2<=D4 nat`eq/) (union/< M1+M022=M3 N0+1+N1=N2) M111+M244=M M113<=M
   <- union/<-inversion M111+M244=M N0+1+N1=N2 M5 M1+M044=M5 M=M115
   <- eq-symmetric M=M115 M115=M
   <- meta-eq (map/+ N1 D1 M5) M M115=M
   <- union-left-preserves-leq* (leq/= M2<=M4 D2<=D4 nat`eq/) M1+M022=M3 M1+M044=M5 M3<=M5
   <- nat`leq-reflexive _ D1<=D1
   <- leq-respects-eq (leq/= M3<=M5 D1<=D1 nat`eq/) eq/ M115=M M113<=M.
- : union-left-preserves-leq* (leq/= M2<=M4 D2<=D4 nat`eq/) (union/> M311+M2=M3 N3+1+N2=N1) M111+M244=M M223<=M
   <- union/>-inversion M111+M244=M N3+1+N2=N1 M5 M311+M4=M5 M=M245
   <- eq-symmetric M=M245 M245=M
   <- meta-eq (map/+ N2 D4 M5) M M245=M
   <- union-left-preserves-leq* M2<=M4 M311+M2=M3 M311+M4=M5 M3<=M5
   <- leq-respects-eq (leq/= M3<=M5 D2<=D4 nat`eq/) eq/ M245=M M223<=M.
%% (the "% N1=N2" remark below ends its line: in the collapsed copy of this
%% file it would otherwise swallow the rest of the clause)
- : union-left-preserves-leq* (leq/> M622<=M4 N6+1+N4=N2) (union/= M1+M2=M3 D1+D2=D3 nat`eq/) % N1=N2
   M211+M444=M M233<=M
   <- union/>-inversion M211+M444=M N6+1+N4=N2 M5 M611+M4=M5 M=M445
   <- eq-symmetric M=M445 M445=M
   <- meta-eq (map/+ N4 D4 M5) M M445=M
   <- union-left-preserves-leq* M622<=M4 (union/= M1+M2=M3 D1+D2=D3 nat`eq/) M611+M4=M5 M633<=M5
   <- leq-respects-eq (leq/> M633<=M5 N6+1+N4=N2) eq/ M445=M M233<=M.
- : union-left-preserves-leq* (leq/> M622<=M4 N6+1+N4=N2) (union/< M1+M022=M3 N0+1+N4=N2) (union/= M1+M4=M5 D1+D4=D5 nat`eq/) (leq/= M3<=M5 D1<=D5 nat`eq/)
   <- nat`plus-right-cancels N6+1+N4=N2 N0+1+N4=N2 nat`eq/ nat`eq/ N6+1=N0+1
   <- nat`succ-cancels N6+1=N0+1 N6=N0
   <- map/+-preserves-eq N6=N0 nat`eq/ eq/ M622=M022
   <- leq-respects-eq M622<=M4 M622=M022 eq/ M022<=M4
   <- union-left-preserves-leq* M022<=M4 M1+M022=M3 M1+M4=M5 M3<=M5
   <- nat`union-implies-leq* D1+D4=D5 D1<=D5.
- : union-left-preserves-leq* (leq/> M622<=M4 N6+1+N4=N2) (union/< M1+M022=M3 N0+1+N1=N2) (union/< M1+M544=M5 N5+1+N1=N4) (leq/= M3<=M5 D1<=D1 nat`eq/)
   <- nat`plus-swap-succ N5+1+N1=N4 N5+N1+1=N4
   <- nat`plus-associative-converse N5+N1+1=N4 N6+1+N4=N2 N0' N6+1+N5=N0' N0'+N1+1=N2
   <- nat`plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
   <- nat`plus-right-cancels N0'+N1+1=N2 N0+N1+1=N2 nat`eq/ nat`eq/ N0'=N0
   <- nat`plus-respects-eq N6+1+N5=N0' nat`eq/ nat`eq/ N0'=N0 N6+1+N5=N0
   <- union-left-preserves-leq* (leq/> M622<=M4 N6+1+N5=N0) M1+M022=M3 M1+M544=M5 M3<=M5
   <- nat`leq-reflexive _ D1<=D1.
% for some reason, twelf needs a lot of help inferring types here:
- : union-left-preserves-leq* ((leq/> M622<=M4 N6+1+N4=N2):leq (map/+ N2 D2 M2) (map/+ N4 D4 M4)) (union/< M1+M022=M3 N0+1+N1=N2) (union/> M511+M4=M5 N5+1+N4=N1) (leq/> M513<=M5 N5+1+N4=N1)
   <- nat`plus-swap-succ N5+1+N4=N1 N5+N4+1=N1
   <- nat`plus-associative-converse N5+N4+1=N1 N0+1+N1=N2 N6' N0+1+N5=N6' N6'+N4+1=N2
   <- nat`plus-swap-succ N6+1+N4=N2 N6+N4+1=N2
   <- nat`plus-right-cancels N6'+N4+1=N2 N6+N4+1=N2 nat`eq/ nat`eq/ N6'=N6
   <- nat`plus-respects-eq N0+1+N5=N6' nat`eq/ nat`eq/ N6'=N6 N0+1+N5=N6
   <- union-left-preserves-leq* M622<=M4 ((union/< M1+M022=M3 N0+1+N5=N6):union (map/+ N5 D1 M1) (map/+ N6 D2 M2) (map/+ N5 D1 M3)) M511+M4=M5 M513<=M5.
%% Last case of union-left-preserves-leq* (the %theorem and the earlier
%% cases precede this point): both left head keys exceed the right-hand
%% ones, so the plus facts are re-associated to obtain N5+1+N4=N1, the
%% union/> derivation on M111+M444=M is inverted, and the recursive call
%% is made on the re-based maps before transporting the result along
%% the recovered equality.
- : union-left-preserves-leq* (leq/> M622<=M4 N6+1+N4=N2) (union/> M311+M2=M3 N3+1+N2=N1) M111+M444=M M223<=M
    <- nat`plus-swap-succ N6+1+N4=N2 N6+N4+1=N2
    <- nat`plus-associative-converse N6+N4+1=N2 N3+1+N2=N1 N5 N3+1+N6=N5 N5+N4+1=N1
    <- nat`plus-swap-succ-converse N5+N4+1=N1 N5+1+N4=N1
    <- union/>-inversion M111+M444=M N5+1+N4=N1 M5 M511+M4=M5 M=M445
    <- eq-symmetric M=M445 M445=M
    <- meta-eq _ _ M445=M
    <- union-left-preserves-leq* M622<=M4 (union/> M311+M2=M3 N3+1+N6=N5) M511+M4=M5 M623<=M5
    <- leq-respects-eq (leq/> M623<=M5 N6+1+N4=N2) eq/ M445=M M223<=M.
%worlds () (union-left-preserves-leq* _ _ _ _).
%% Termination is measured on the third argument (the first union).
%total (J) (union-left-preserves-leq* _ _ J _).

%% union-right-preserves-leq*: leq X1 X2 is preserved when the same map
%% X3 is unioned on the right.  Reduced to the left version by
%% commuting both union derivations.
%theorem union-right-preserves-leq* : forall* {X1} {X2} {X3} {X4} {X5} forall {G1:leq X1 X2} {O1:union X1 X3 X4} {O2:union X2 X3 X5} exists {G2:leq X4 X5} true.
- : union-right-preserves-leq* X1<=X2 X1+X3=X4 X2+X3=X5 X4<=X5
    <- union-commutative X1+X3=X4 X3+X1=X4
    <- union-commutative X2+X3=X5 X3+X2=X5
    <- union-left-preserves-leq* X1<=X2 X3+X1=X4 X3+X2=X5 X4<=X5.
%worlds () (union-right-preserves-leq* X1<=X2 X1+X3=X4 X2+X3=X5 X4<=X5).
%total {} (union-right-preserves-leq* _ _ _ _).

%%%% Map ``multiplication''

%%% Definition of intersection
%% intersection M1 M2 M3: M3 is the pointwise intersection of M1 and M2.
%% An empty operand gives an empty result (intersection/L, /R).  When
%% both head keys agree (nat`eq N1 N2) the values are combined with
%% nat`intersection and the tails recurse (intersection/=).  When the
%% keys differ, the operand with the smaller head key drops that head:
%% the other head is re-based by the key difference (N0 from
%% nat`plus (s N0) N1 N2, resp. N3) before recursing, and the result is
%% shifted back by the dropped key (shift N1 / shift N2).
%% NOTE(review): the re-basing and shifting are consistent with map/+
%% storing each key as an offset from the previous entry -- confirm
%% against the definitions of map/+ and shift, which precede this file.
intersection : map -> map -> map -> type.
intersection/L : intersection map/0 M map/0.
intersection/R : intersection M map/0 map/0.
intersection/= : intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) (map/+ N1 D3 M3)
    <- nat`eq N1 N2
    <- nat`intersection D1 D2 D3
    <- intersection M1 M2 M3.
intersection/< : intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) S1M3
    <- nat`plus (s N0) N1 N2
    <- intersection M1 (map/+ N0 D2 M2) M3
    <- shift N1 M3 S1M3.
intersection/> : intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) S2M3
    <- nat`plus (s N3) N2 N1
    <- intersection (map/+ N3 D1 M1) M2 M3
    <- shift N2 M3 S2M3.

%%% Theorems about intersection

%% false-implies-intersection: ex falso.  No cases are needed because
%% void has no constructors, so coverage is vacuous.
%theorem false-implies-intersection : forall* {M1} {M2} {M3} forall {F:void} exists {D:intersection M1 M2 M3} true.
%worlds () (false-implies-intersection _ _).
%total {} (false-implies-intersection _ _).

%% intersection-respects-eq: transport a derivation along eq on each
%% argument.  eq/ is the only eq constructor, so the derivation is
%% returned unchanged; %reduces records that the output is the input.
%theorem intersection-respects-eq : forall* {M1} {M2} {M3} {M1P} {M2P} {M3P} forall {A:intersection M1 M2 M3} {E1:eq M1 M1P} {E2:eq M2 M2P} {E3:eq M3 M3P} exists {AP:intersection M1P M2P M3P} true.
- : intersection-respects-eq A eq/ eq/ eq/ A.
%worlds () (intersection-respects-eq _ _ _ _ _).
%total {} (intersection-respects-eq _ _ _ _ _).
%reduces A = AP (intersection-respects-eq A _ _ _ AP).

%% Inversion lemmas for intersection
%% Each lemma takes an intersection derivation on operands of a known
%% shape plus a fact about the head keys, and recovers the
%% sub-derivation the matching constructor must contain.  Constructor
%% cases that contradict the key fact are closed by deriving void from
%% the plus facts (N>N via nat`plus-implies-gt and nat`gt-anti-reflexive,
%% or N1>N2 together with N2>N1 via nat`gt-anti-symmetric) and then
%% producing every required output with a false-implies-* lemma.

%% intersection/L-inversion: an empty left operand forces an empty result.
%theorem intersection/L-inversion : forall* {M1} {M2} {M3} forall {A:intersection M1 M2 M3} {E1:eq map/0 M1} exists {E3:eq map/0 M3} true.
- : intersection/L-inversion intersection/L eq/ eq/.
- : intersection/L-inversion intersection/R eq/ eq/.
%worlds () (intersection/L-inversion _ _ _).
%total { } (intersection/L-inversion _ _ _).

%% intersection/R-inversion: an empty right operand forces an empty result.
%theorem intersection/R-inversion : forall* {M1} {M2} {M3} forall {A:intersection M1 M2 M3} {E1:eq map/0 M2} exists {E3:eq map/0 M3} true.
- : intersection/R-inversion intersection/L eq/ eq/.
- : intersection/R-inversion intersection/R eq/ eq/.
%worlds () (intersection/R-inversion _ _ _).
%total { } (intersection/R-inversion _ _ _).

%% intersection/=-inversion: with equal head keys the derivation must be
%% intersection/=; recover the value intersection D, the tail
%% derivation AP, and the shape of the result.
%theorem intersection/=-inversion : forall* {N1} {D1} {M1} {N2} {D2} {M2} {M} forall {A:intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) M} {G:nat`eq N1 N2} exists {D3} {M3} {D:nat`intersection D1 D2 D3} {AP:intersection M1 M2 M3} {E:eq (map/+ N1 D3 M3) M} true.
- : intersection/=-inversion (intersection/= MM DD nat`eq/) _ _ _ DD MM eq/.
%% intersection/< is impossible here: N = N0+1+N gives N>N.
- : intersection/=-inversion (intersection/< S A' N0+1+N=N) nat`eq/ D2 M3 DA MA ME
    <- nat`plus-implies-gt N0+1+N=N nat`eq/ N>N
    <- nat`gt-anti-reflexive N>N F
    <- nat`false-implies-intersection F DA
    <- false-implies-eq F (M022=M2:eq (map/+ N0 D2 M2) M2)
    <- intersection-respects-eq A' eq/ M022=M2 eq/ MA
    <- false-implies-eq F ME.
%% intersection/> is impossible for the symmetric reason.
- : intersection/=-inversion (intersection/> S (AP:intersection (map/+ _ D1 M1) M2 _) N3+1+N=N) nat`eq/ D1 M3 DA MA ME
    <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- nat`gt-anti-reflexive N>N F
    <- nat`false-implies-intersection F DA
    <- false-implies-eq F (M311=M1:eq (map/+ N3 D1 M1) M1)
    <- intersection-respects-eq AP M311=M1 eq/ eq/ MA
    <- false-implies-eq F ME.
%worlds () (intersection/=-inversion _ _ _ _ _ _ _).
%total {} (intersection/=-inversion _ _ _ _ _ _ _).
%% The recovered derivation is a strict subterm of the input, so callers
%% may recurse on it.
%reduces AP < A (intersection/=-inversion A _ _ _ _ AP _).

%% intersection/<-inversion: with N1 < N2 (witnessed by P) the
%% derivation must be intersection/<; recover its tail derivation and
%% its shift.  The plus witness stored inside the derivation need not be
%% syntactically the one supplied, so the two are reconciled with
%% nat`plus-right-cancels and succ-cancels before transporting the
%% derivation with intersection-respects-eq.
%theorem intersection/<-inversion : forall* {N1} {D1} {M1} {N2} {D2} {M2} {S1M3} {N0} forall {A:intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) S1M3} {P:plus (s N0) N1 N2} exists {M3} {AP:intersection M1 (map/+ N0 D2 M2) M3} {S:shift N1 M3 S1M3} true.
- : intersection/<-inversion (intersection/< S A P) P' _ A' S
    <- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N0+1=N0'+1
    <- succ-cancels N0+1=N0'+1 N0=N0P
    <- map/+-preserves-eq N0=N0P nat`eq/ eq/ M022=M022'
    <- intersection-respects-eq A eq/ M022=M022' eq/ A'.
%% Impossible: equal keys contradict N0+1+N=N.
- : intersection/<-inversion (intersection/= A' _ nat`eq/) N0+1+N=N map/0 A S
    <- nat`plus-implies-gt N0+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eq F M2=M022
    <- false-implies-eq F M3=M333
    <- intersection-respects-eq A' eq/ M2=M022 M3=M333 A
    <- false-implies-shift F S.
%% Impossible: N1>N2 and N2>N1 cannot both hold.
- : intersection/<-inversion (intersection/> S A' N3+1+N2=N1) N0+1+N1=N2 _ A S'
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- nat`gt-anti-symmetric N1>N2 N2>N1 F
    <- false-implies-eq F M311=M1
    <- false-implies-eq F M2=M022
    <- intersection-respects-eq A' M311=M1 M2=M022 eq/ A
    <- false-implies-shift F S'.
%worlds () (intersection/<-inversion _ _ _ _ _).
%total {} (intersection/<-inversion _ _ _ _ _).
%reduces AP < A (intersection/<-inversion A _ _ AP _).
%% intersection/>-inversion: mirror image of intersection/<-inversion
%% for N1 > N2 (witnessed by P).  Recovers the derivation on the
%% re-based left head (map/+ N3 D1 M1) and the shift by N2; the two
%% impossible constructor cases are refuted exactly as in the /< lemma.
%theorem intersection/>-inversion : forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3} {S2M3} forall {A:intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) S2M3} {P:plus (s N3) N2 N1} exists {M3} {AP:intersection (map/+ N3 D1 M1) M2 M3} {S:shift N2 M3 S2M3} true.
- : intersection/>-inversion (intersection/> S A P) P' _ A' S
    <- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N3+1=N3'+1
    <- succ-cancels N3+1=N3'+1 N3=N3P
    <- map/+-preserves-eq N3=N3P nat`eq/ eq/ M311=M311'
    <- intersection-respects-eq A M311=M311' eq/ eq/ A'.
- : intersection/>-inversion (intersection/= A' _ nat`eq/) N3+1+N=N map/0 A S
    <- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
    <- gt-anti-reflexive N>N F
    <- false-implies-eq F M1=M311
    <- false-implies-eq F M3=M333
    <- intersection-respects-eq A' M1=M311 eq/ M3=M333 A
    <- false-implies-shift F S.
- : intersection/>-inversion (intersection/< S A' N0+1+N1=N2) N3+1+N2=N1 _ A S'
    <- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
    <- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
    <- nat`gt-anti-symmetric N1>N2 N2>N1 F
    <- false-implies-eq F M1=M311
    <- false-implies-eq F M022=M2
    <- intersection-respects-eq A' M1=M311 M022=M2 eq/ A
    <- false-implies-shift F S'.
%worlds () (intersection/>-inversion _ _ _ _ _).
%total { } (intersection/>-inversion _ _ _ _ _).
%reduces AP < A (intersection/>-inversion A _ _ AP _).

%% intersection-implies-ge: the head key of a non-empty intersection is
%% at least each operand's head key.  In the /< and /> cases the
%% shift/+ derivation (its plus is named N1+1+N3=N4, resp. N2+1+N3=N5)
%% relates the result key to the dropped key and the recursive result's
%% key; the recursive bound is then lifted with succ-preserves-ge and
%% plus-right-preserves-ge*.
%theorem intersection-implies-ge : forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3} {D3} {M3} forall {A:intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) (map/+ N3 D3 M3)} exists {G1:ge N3 N1} {G2:ge N3 N2} true.
- : intersection-implies-ge (intersection/= _ _ nat`eq/) (ge/= nat`eq/) (ge/= nat`eq/).
- : intersection-implies-ge (intersection/< (shift/+ N1+1+N3=N4) M1*M022=M333 N0+1+N1=N2) (ge/> N4>N1) N4>=N2
    <- plus-swap-succ N1+1+N3=N4 N1+N3+1=N4
    <- plus-commutative N1+N3+1=N4 N3+1+N1=N4
    <- plus-implies-gt N3+1+N1=N4 nat`eq/ N4>N1
    <- intersection-implies-ge M1*M022=M333 _ N3>=N0
    <- succ-preserves-ge N3>=N0 N3+1>=N0+1
    <- plus-right-preserves-ge* N3+1>=N0+1 N3+1+N1=N4 N0+1+N1=N2 N4>=N2.
- : intersection-implies-ge (intersection/> (shift/+ N2+1+N3=N5) M011*M2=M333 N0+1+N2=N1) N5>=N1 (ge/> N5>N2)
    <- plus-swap-succ N2+1+N3=N5 N2+N3+1=N5
    <- plus-commutative N2+N3+1=N5 N3+1+N2=N5
    <- plus-implies-gt N3+1+N2=N5 nat`eq/ N5>N2
    <- intersection-implies-ge M011*M2=M333 N3>=N0 _
    <- succ-preserves-ge N3>=N0 N3+1>=N0+1
    <- plus-right-preserves-ge* N3+1>=N0+1 N3+1+N2=N5 N0+1+N2=N1 N5>=N1.
%worlds () (intersection-implies-ge _ _ _).
%% Termination is on the intersection derivation.
%total (A) (intersection-implies-ge A _ _).

%% intersection-deterministic: two intersection derivations on eq
%% operands have eq results.  The four empty-operand cases are
%% immediate; the intersection/= case inverts the second derivation
%% and combines determinism of nat`intersection with the inductive
%% hypothesis on the tails.  The cases for the remaining constructor
%% combinations follow this point.
%theorem intersection-deterministic : forall* {M1} {M2} {M3} {M1P} {M2P} {M3P} forall {A:intersection M1 M2 M3} {AP:intersection M1P M2P M3P} {E1:eq M1 M1P} {E2:eq M2 M2P} exists {E3:eq M3 M3P} true.
- : intersection-deterministic intersection/L intersection/L eq/ eq/ eq/.
- : intersection-deterministic intersection/L intersection/R eq/ eq/ eq/.
- : intersection-deterministic intersection/R intersection/L eq/ eq/ eq/.
- : intersection-deterministic intersection/R intersection/R eq/ eq/ eq/.
- : intersection-deterministic (intersection/= M1*M2=M3 D1*D2=D3 nat`eq/) (AP:intersection _ _ M') eq/ eq/ M133=M'
    <- intersection/=-inversion AP nat`eq/ D3' M3' D1*D2=D3P M1*M2=M3' M133'=M'
    <- nat`intersection-deterministic D1*D2=D3 D1*D2=D3P nat`eq/ nat`eq/ D3=D3'
    <- intersection-deterministic M1*M2=M3 M1*M2=M3' eq/ eq/ M3=M3'
    <- map/+-preserves-eq nat`eq/ D3=D3' M3=M3' M133=M133'
    <- eq-transitive M133=M133' M133'=M' M133=M'.
- : intersection-deterministic (intersection/< M3< M3<-inversion A' N3+1+N2=N1 M3' M311*M2=M3' M3'<N1 <- gt-implies-plus N2>N1 _ N0+1+N1=N2 <- intersection-M-map/+-total* M1 N0 D2 M2 M3 M1*M022=M3 <- shift-total* N1 M3 S1M3 M3< M3<N2 <- gt-implies-plus N1>N2 _ N3+1+N2=N1 <- intersection-map/+-M-total* N3 D1 M1 M2 M3 M311*M2=M3 <- shift-total* N2 M3 S2M3 M3< M3< M3< M3<-inversion M111*M222=SM3 N3+1+N2=N1 M3 M311*M2=M3 M3< M3< M3< M3< M3<B1 <- meta-gt _ _ B>B1 <- intersection-associativeM _ BD1 M1*M2=M3 M3*M4=M7 M2*M4=M6 M1*M6=M7 <- intersection-respects-eq (intersection/= M1*M6=M7 D1*D6=D7 nat`eq/) eq/ M166=M24 M177=M34 A16. - : intersection-associativeM* B (bound/+ N1+1+B1=B BD1) (nat`compare/=) (nat`compare/< N4>N1) _ A12 A34 A24 A16 <- intersection/=-inversion A12 nat`eq/ D3 M3 D1*D2=D3 M1*M2=M3 M133=M12 <- eq-symmetric M133=M12 M12=M133 <- intersection-respects-eq A34 M12=M133 eq/ eq/ A34' <- gt-implies-plus N4>N1 N5 N5+1+N1=N4 <- intersection/<-inversion A34' N5+1+N1=N4 M7 M3*M544=M7 M7<B1 <- meta-gt _ _ B>B1 <- intersection-associativeM _ BD1 M1*M2=M3 M3*M544=M7 M2*M544=M6 M1*M6=M7 <- shift-right-preserves-intersection M1*M6=M7 M6< N1>N4) _ A12 A34 A24 A16 <- intersection/=-inversion A12 nat`eq/ D3 M3 D1*D2=D3 M1*M2=M3 M133=M12 <- eq-symmetric M133=M12 M12=M133 <- intersection-respects-eq A34 M12=M133 eq/ eq/ A34' <- gt-implies-plus N1>N4 N6 N6+1+N4=N1 %% NB N2 eq N1 <- intersection/>-inversion A34' N6+1+N4=N1 M7 M633*M4=M7 M7<-inversion A24 N6+1+N4=N1 M6 M622*M4=M6 M6<N6 <- succ-preserves-gt N1>N6 N1+1>N6+1 <- plus-total N6+1+B1=B6 <- plus-right-preserves-gt* N1+1>N6+1 N1+1+B1=B N6+1+B1=B6 B>B6 <- meta-gt _ _ B>B6 <- intersection-associativeM _ (bound/+ N6+1+B1=B6 BD1) (intersection/= M1*M2=M3 D1*D2=D3 nat`eq/) M633*M4=M7 M622*M4=M6 M611*M6=M7 <- shift-preserves-intersection M611*M6=M7 (shift/+ N4+1+N6=N1) M6<N1) (nat`compare/=) _ A12 A34 A24 A16 <- gt-implies-plus N2>N1 N0 N0+1+N1=N2 <- intersection/<-inversion A12 N0+1+N1=N2 M3 M1*M022=M3 M3<B1 <- meta-gt _ 
_ B>B1 <- intersection-associativeM _ BD1 M1*M022=M3 M3*M044=M7 (intersection/= M2*M4=M6 D2*D4=D6 nat`eq/) M1*M066=M7 <- shift-right-preserves-intersection M1*M066=M7 (shift/+ N1+1+N0=N2) M7< N1>N2) (nat`compare/=) _ A12 A34 A24 A16 <- gt-implies-plus N1>N2 N3 N3+1+N2=N1 <- intersection/>-inversion A12 N3+1+N2=N1 M3 M311*M2=M3 M3<N3 <- succ-preserves-gt N1>N3 N1+1>N3+1 <- plus-total N3+1+B1=B3 <- plus-right-preserves-gt* N1+1>N3+1 N1+1+B1=B N3+1+B1=B3 B>B3 <- meta-gt _ _ B>B3 <- intersection-associativeM _ (bound/+ N3+1+B1=B3 BD1) M311*M2=M3 M3*M4=M7 M2*M4=M6 M311*M6=M7 <- intersection-respects-eq (intersection/> M7<N1) _ (nat`compare/=) A12 A34 A24 A16 <- gt-implies-plus N2>N1 N0 N0+1+N1=N2 <- intersection/<-inversion A12 N0+1+N1=N2 M3 M1*M022=M3 M3<-inversion A24 N0+1+N1=N2 M6 M022*M4=M6 M6<B1 <- meta-gt _ _ B>B1 <- intersection-associativeM _ BD1 M1*M022=M3 M3*M4=M7 M022*M4=M6 M1*M6=M7 <- shift-right-preserves-intersection M1*M6=M7 M6< N1>N2) _ (nat`compare/=) A12 A34 A24 A16 <- gt-implies-plus N1>N2 N3 N3+1+N2=N1 <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1 <- plus-commutative N3+N2+1=N1 N2+1+N3=N1 <- intersection/>-inversion A12 N3+1+N2=N1 M3 M311*M2=M3 M3<N3 <- succ-preserves-gt N1>N3 N1+1>N3+1 <- plus-total N3+1+B1=B3 <- plus-right-preserves-gt* N1+1>N3+1 N1+1+B1=B N3+1+B1=B3 B>B3 <- meta-gt _ _ B>B3 <- intersection-associativeM _ (bound/+ N3+1+B1=B3 BD1) M311*M2=M3 M3*M344=M7 M2*M344=M6 M311*M6=M7 <- shift-preserves-intersection M311*M6=M7 (shift/+ N2+1+N3=N1) M6<N1) (nat`compare/< N4>N2) _ A12 A34 A24 A16 <- gt-implies-plus N2>N1 N0 N0+1+N1=N2 <- intersection/<-inversion A12 N0+1+N1=N2 M3 M1*M022=M3 M3<N2 N6 N6+1+N2=N4 <- intersection/<-inversion A24 N6+1+N2=N4 M6 M2*M644=M6 M6<B1 <- meta-gt _ _ B>B1 <- intersection-associativeM _ BD1 M1*M022=M3 M3*M744=M7 (intersection/< M6< N1>N2) (nat`compare/> N2>N4) _ A12 A34 A24 A16 <- gt-implies-plus N1>N2 N3 N3+1+N2=N1 <- intersection/>-inversion A12 N3+1+N2=N1 M3 M311*M2=M3 M3<N4 N6 N6+1+N4=N2 <- 
intersection/>-inversion A24 N6+1+N4=N2 M6 M622*M4=M6 M6<N9 <- succ-preserves-gt N1>N9 N1+1>N9+1 <- plus-total N9+1+B1=B9 <- plus-right-preserves-gt* N1+1>N9+1 N1+1+B1=B N9+1+B1=B9 B>B9 <- meta-gt _ _ B>B9 <- intersection-associativeM _ (bound/+ N9+1+B1=B9 BD1) M911*M622=S6M3 S6M3*M4=M7 M622*M4=M6 M911*M6=M7 <- shift-preserves-intersection M911*M6=M7 (shift/+ N4+1+N9=N1) M6< N2>N4) (nat`compare/< N4>N1) A12 A34 A24 A16 <- gt-implies-plus N2>N4 N6 N6+1+N4=N2 <- gt-implies-plus N4>N1 N5 N5+1+N1=N4 <- plus-swap-succ N5+1+N1=N4 N5+N1+1=N4 <- plus-associative-converse N5+N1+1=N4 N6+1+N4=N2 N0 N6+1+N5=N0 N0+N1+1=N2 <- plus-swap-succ-converse N0+N1+1=N2 N0+1+N1=N2 <- intersection/<-inversion A12 N0+1+N1=N2 M3 M1*M022=M3 M3<-inversion A24 N6+1+N4=N2 M6 M622*M4=M6 M6<B1 <- meta-gt _ _ B>B1 <- intersection-associativeM _ BD1 M1*M022=M3 M3*M544=M7 M022*M544=S5M6 M1*S5M6=M7 <- shift-right-preserves-intersection M1*S5M6=M7 S5M6<N2) (nat`compare/> N1>N4) A12 A34 A24 A16 <- gt-implies-plus N4>N2 N6 N6+1+N2=N4 <- gt-implies-plus N1>N4 N5 N5+1+N4=N1 <- plus-swap-succ N6+1+N2=N4 N6+N2+1=N4 <- plus-associative-converse N6+N2+1=N4 N5+1+N4=N1 N3 N5+1+N6=N3 N3+N2+1=N1 <- plus-swap-succ-converse N3+N2+1=N1 N3+1+N2=N1 <- intersection/>-inversion A12 N3+1+N2=N1 M3 M311*M2=M3 M3<N3 <- succ-preserves-gt N1>N3 N1+1>N3+1 <- plus-total N3+1+B1=B3 <- plus-right-preserves-gt* N1+1>N3+1 N1+1+B1=B N3+1+B1=B3 B>B3 <- meta-gt _ _ B>B3 <- intersection-associativeM _ (bound/+ N3+1+B1=B3 BD1) M311*M2=M3 M3*M644=M7 M2*M644=M6 M311*M6=M7 <- shift-preserves-intersection M311*M6=M7 (shift/+ N2+1+N3=N1) M6< N1>N2) _ (nat`compare/< N4>N1) A12 A34 A24 A16 <- gt-implies-plus N1>N2 N3 N3+1+N2=N1 <- gt-implies-plus N4>N1 N5 N5+1+N1=N4 <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1 <- plus-associative-converse N3+N2+1=N1 N5+1+N1=N4 N6 N5+1+N3=N6 N6+N2+1=N4 <- plus-swap-succ-converse N6+N2+1=N4 N6+1+N2=N4 <- intersection/>-inversion A12 N3+1+N2=N1 M3 M311*M2=M3 M3<N3 <- succ-preserves-gt N1>N3 N1+1>N3+1 <- plus-total 
N3+1+B1=B3 <- plus-right-preserves-gt* N1+1>N3+1 N1+1+B1=B N3+1+B1=B3 B>B3 <- meta-gt _ _ B>B3 <- intersection-associativeM _ (bound/+ N3+1+B1=B3 BD1) M311*M2=M3 M3*M644=M7 M2*M644=M6 M311*M6=M7 <- shift-preserves-intersection M311*M6=M7 (shift/+ N2+1+N3=N1) M6<N1) _ (nat`compare/> N1>N4) A12 A34 A24 A16 <- gt-implies-plus N2>N1 N0 N0+1+N1=N2 <- gt-implies-plus N1>N4 N5 N5+1+N4=N1 <- plus-swap-succ N5+1+N4=N1 N5+N4+1=N1 <- plus-associative-converse N5+N4+1=N1 N0+1+N1=N2 N6 N0+1+N5=N6 N6+N4+1=N2 <- plus-swap-succ-converse N6+N4+1=N2 N6+1+N4=N2 <- intersection/<-inversion A12 N0+1+N1=N2 M3 M1*M022=M3 M3<-inversion A24 N6+1+N4=N2 M6 M622*M4=M6 M6<N5 <- succ-preserves-gt N1>N5 N1+1>N5+1 <- plus-total N5+1+B1=B5 <- plus-right-preserves-gt* N1+1>N5+1 N1+1+B1=B N5+1+B1=B5 B>B5 <- meta-gt _ _ B>B5 <- intersection-associativeM _ (bound/+ N5+1+B1=B5 BD1) M511*M622=S5M3 S5M3*M4=M7 M622*M4=M6 M511*M6=M7 <- shift-preserves-intersection M511*M6=M7 (shift/+ N4+1+N5=N1) M6< M3< M400<=M1 N4+1+N1=N0) L2 (leq/> M400<=M3 N4+1+N1=N0) <- leq/>-inversion L2 N4+1+N1=N0 M400<=M2 <- intersection-is-glb M1*M2=M3 M400<=M1 M400<=M2 M400<=M3. 
- : intersection-is-glb (intersection/< M3< M500<=M1 N5+1+N1=N2) (leq/= M0<=M2 D0<=D2 nat`eq/) M200<=S1M3 <- plus-right-cancels N5+1+N1=N2 N3+1+N1=N2 nat`eq/ nat`eq/ N5+1=N3+1 <- succ-cancels N5+1=N3+1 N5=N3 <- map/+-preserves-eq N5=N3 nat`eq/ eq/ M500=M300 <- leq-respects-eq M500<=M1 M500=M300 eq/ M300<=M1 <- intersection-is-glb M1*M322=M3 M300<=M1 (leq/= M0<=M2 D0<=D2 nat`eq/) M300<=M3 <- plus-swap-succ N3+1+N1=N2 N3+N1+1=N2 <- plus-commutative N3+N1+1=N2 N1+1+N3=N2 <- shift-preserves-leq* M300<=M3 (shift/+ N1+1+N3=N2) M3< M500<=M1 N5+1+N1=N0) (leq/> M600<=M2 N6+1+N2=N0) M000<=S1M3 <- plus-swap-succ N3+1+N1=N2 N3+N1+1=N2 <- plus-associative-converse N3+N1+1=N2 N6+1+N2=N0 N5' N6+1+N3=N5' N5'+N1+1=N0 <- plus-swap-succ N5+1+N1=N0 N5+N1+1=N0 <- plus-right-cancels N5'+N1+1=N0 N5+N1+1=N0 nat`eq/ nat`eq/ N5'=N5 <- plus-respects-eq N6+1+N3=N5' nat`eq/ nat`eq/ N5'=N5 N6+1+N3=N5 <- plus-swap-succ N6+1+N3=N5 N6+N3+1=N5 <- plus-commutative N6+N3+1=N5 N3+1+N6=N5 <- shift-left-preserves-leq* M600<=M2 (shift/+ N3+1+N6=N5) M500<=M322 <- intersection-is-glb M1*M322=M3 M500<=M1 M500<=M322 M500<=M3 <- plus-commutative N5+N1+1=N0 N1+1+N5=N0 <- shift-preserves-leq* M500<=M3 (shift/+ N1+1+N5=N0) M3< M3<-inversion L2 N3+1+N2=N1 M300<=M2 <- intersection-is-glb M311*M2=M3 (leq/= M0<=M1 D0<=D1 nat`eq/) M300<=M2 M300<=M3 <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1 <- plus-commutative N3+N2+1=N1 N2+1+N3=N1 <- shift-preserves-leq* M300<=M3 (shift/+ N2+1+N3=N1) M3< M3< M500<=M1 N5+1+N1=N0) L2 M000<=S2M3 <- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1 <- plus-associative-converse N3+N2+1=N1 N5+1+N1=N0 N6 N5+1+N3=N6 N6+N2+1=N0 <- plus-swap-succ-converse N6+N2+1=N0 N6+1+N2=N0 <- leq/>-inversion L2 N6+1+N2=N0 M600<=M2 <- plus-swap-succ N5+1+N3=N6 N5+N3+1=N6 <- plus-commutative N5+N3+1=N6 N3+1+N5=N6 <- shift-left-preserves-leq* M500<=M1 (shift/+ N3+1+N5=N6) M600<=M311 <- intersection-is-glb M311*M2=M3 M600<=M311 M600<=M2 M600<=M3 <- plus-commutative N6+N2+1=N0 N2+1+N6=N0 <- shift-preserves-leq* M600<=M3 
(shift/+ N2+1+N6=N0) M3< M3<-inversion M111*M244=M N3+1+N2=N1 M5 M311*M4=M5 M5< M622<=M4 N6+1+N4=N2) (intersection/= M1*M2=M3 D1*D2=D3 nat`eq/) % N1=N2 M211*M444=M M233<=M <- intersection/>-inversion M211*M444=M N6+1+N4=N2 M5 M611*M4=M5 M5< M622<=M4 N6+1+N4=N2) (intersection/> M3<-inversion M111*M444=M N5+1+N4=N1 M5 M511*M4=M5 M5< M3< M622<=M4 N6+1+N4=N2) A1 (intersection/= M1*M4=M5 D1*D4=D5 nat`eq/) S1M3<=M455 <- intersection/<-inversion A1 N6+1+N4=N2 M3 M1*M622=M3 M3< M622<=M4 N6+1+N4=N2) A1 (intersection/< M5< M5<-inversion L N6+1+N4=N2 M622<=M4 <- plus-swap-succ N0+1+N5=N6 N0+N5+1=N6 <- plus-commutative N0+N5+1=N6 N5+1+N0=N6 <- shift-total M3< M7< M5< M6< M6< M7< M5< M6< M311+M2=M3 N3+1+N2=N1) (intersection/= M3*M4=M7 D2*D4=D7 nat`eq/) _ _ (intersection/> M5< M311+M2=M3 N3+1+N2=N1) (intersection/< M7< M311+M2=M3 N3+1+N2=N1) (intersection/> M7< M5< M6< nat -> nat -> type. count/s : lookup M N C -> count M N (s C). count/z : not-member M N -> count M N z. add : map -> nat -> map -> type. add/0 : not-member M N -> update M N z M' -> add M N M'. add/+ : lookup M N C -> update M N (s C) M' -> add M N M'. %%%% Theorems %%% Theorems about count %theorem false-implies-count : forall* {M} {N} {C} forall {F:void} exists {MC:count M N C} true. %worlds () (false-implies-count _ _). %total { } (false-implies-count _ _). %theorem count-respects-eq : forall* {M1} {N1} {C1} {M2} {N2} {C2} forall {MC1:count M1 N1 C1} {EM:eq M1 M2} {EN:nat`eq N1 N2} {EC:nat`eq C1 C2} exists {MC2:count M2 N2 C2} true. - : count-respects-eq C eq/ nat`eq/ nat`eq/ C. %worlds () (count-respects-eq _ _ _ _ _). %total { } (count-respects-eq _ _ _ _ _). %theorem count-total** : forall* {M} {N} {B} forall {D?:member? M N B} exists {C} {MC:count M N C} true. - : count-total** (member?/in L) _ (count/s L). - : count-total** (member?/out F) _ (count/z F). %worlds () (count-total** _ _ _). %total { } (count-total** _ _ _). %theorem count-total* : forall {M} {N} exists {C} {MC:count M N C} true. 
%% Sole case of count-total* (its %theorem precedes this point): a count
%% always exists because member? is total and count-total** handles
%% either answer.
- : count-total* M N _ MC
    <- member?-total M?
    <- count-total** M? _ MC.
%worlds () (count-total* _ _ _ _).
%total { } (count-total* _ _ _ _).
%abbrev count-total = count-total* _ _ _.

%% count-deterministic: the count of a key is unique.  The two mixed
%% count/z-count/s cases are impossible: not-member and lookup on the
%% same key yield N<>N, which nat`ne-anti-reflexive refutes.
%theorem count-deterministic : forall* {M1} {N1} {C1} {M2} {N2} {C2} forall {MC1:count M1 N1 C1} {MC2:count M2 N2 C2} {EM:eq M1 M2} {EN:nat`eq N1 N2} exists {EC:nat`eq C1 C2} true.
- : count-deterministic (count/z _) (count/z _) _ _ nat`eq/.
- : count-deterministic (count/s L) (count/s L') eq/ nat`eq/ SC=sC'
    <- lookup-deterministic L L' eq/ nat`eq/ C=C'
    <- succ-deterministic C=C' SC=sC'.
- : count-deterministic (count/z F) (count/s L) eq/ nat`eq/ E
    <- not-member-lookup-not-equal F L N<>N
    <- nat`ne-anti-reflexive N<>N V
    <- nat`false-implies-eq V E.
- : count-deterministic (count/s L) (count/z F) eq/ nat`eq/ E
    <- not-member-lookup-not-equal F L N<>N
    <- nat`ne-anti-reflexive N<>N V
    <- nat`false-implies-eq V E.
%worlds () (count-deterministic _ _ _ _ _).
%total { } (count-deterministic _ _ _ _ _).

%% count-empty-is-zero: every key has count z in map/0.  Only count/z
%% applies, since nothing can be looked up in the empty map.
%theorem count-empty-is-zero : forall* {N} {M} forall {K:count map/0 N M} exists {E:nat`eq M z} true.
- : count-empty-is-zero (count/z _) nat`eq/.
%worlds () (count-empty-is-zero _ _).
%total { } (count-empty-is-zero _ _).

%%% Theorems about add

%% false-implies-add: ex falso; vacuous coverage.
%theorem false-implies-add : forall* {M} {N} {M'} forall {F:void} exists {A:add M N M'} true.
%worlds () (false-implies-add _ _).
%total { } (false-implies-add _ _).

%% add-respects-eq: transport an add derivation along eq / nat`eq on
%% every index (trivial: eq/ and nat`eq/ are the only constructors).
%theorem add-respects-eq : forall* {M1} {N1} {M1'} {M2} {N2} {M2'} forall {A1: add M1 N1 M1'} {EM: eq M1 M2} {EN: nat`eq N1 N2} {EM': eq M1' M2'} exists {A2: add M2 N2 M2'} true.
- : add-respects-eq A eq/ nat`eq/ eq/ A.
%worlds () (add-respects-eq _ _ _ _ _).
%total { } (add-respects-eq _ _ _ _ _).

%% add-total*: add always has a result.  Its single case is given after
%% add-total/L, which does the work by splitting on member?.
%theorem add-total* : forall {M} {N} exists {M'} {A:add M N M'} true.
%abbrev add-total = add-total* _ _ _.

%% add-total/L: an absent key is inserted with add/0 (stored value z);
%% a present key is bumped with add/+ (stored value s C).  Either way
%% the required update exists by update-total.
%theorem add-total/L : forall* {M} {N} {B} forall {M?:member? M N B} exists {M'} {A:add M N M'} true.
- : add-total/L (member?/out MF) _ (add/0 MF MU)
    <- update-total MU.
- : add-total/L (member?/in ML) _ (add/+ ML MU)
    <- update-total MU.
%worlds () (add-total/L _ _ _).
%total { } (add-total/L _ _ _).
- : add-total A
    <- member?-total M
    <- add-total/L M _ A.
%worlds () (add-total* _ _ _ _).
%total { } (add-total* _ _ _ _).

%% add-deterministic: the result of add is unique.  The mixed
%% add/0-add/+ cases are refuted as in count-deterministic; the
%% add/+-add/+ case chains determinism of lookup, succ and update.
%theorem add-deterministic: forall* {M1} {N1} {M1'} {M2} {N2} {M2'} forall {A1: add M1 N1 M1'} {A2: add M2 N2 M2'} {EM: eq M1 M2} {EN: nat`eq N1 N2} exists {EM': eq M1' M2'} true.
- : add-deterministic (add/0 _ U) (add/0 _ U') eq/ nat`eq/ EM'
    <- update-deterministic U U' eq/ nat`eq/ nat`eq/ EM'.
- : add-deterministic (add/0 NM _) (add/+ M _) eq/ nat`eq/ EM
    <- not-member-lookup-not-equal NM M NE
    <- nat`ne-anti-reflexive NE F
    <- false-implies-eq F EM.
- : add-deterministic (add/+ M _) (add/0 NM _) eq/ nat`eq/ EM
    <- not-member-lookup-not-equal NM M NE
    <- nat`ne-anti-reflexive NE F
    <- false-implies-eq F EM.
- : add-deterministic (add/+ ML1 U1) (add/+ ML2 U2) EM EN EM'
    <- lookup-deterministic ML1 ML2 EM EN EC
    <- succ-deterministic EC SEC
    <- update-deterministic U1 U2 EM EN SEC EM'.
%worlds () (add-deterministic _ _ _ _ _).
%total { } (add-deterministic _ _ _ _ _).

%% add-commutes: two adds can be performed in either order and reach
%% the same map M2.  Its case is given after add-commutes/L, which
%% splits on whether the two keys are equal.
%theorem add-commutes : forall* {M0} {N1} {M1} {N2} {M2} forall {A01:add M0 N1 M1} {A12:add M1 N2 M2} exists {M3} {A02:add M0 N2 M3} {A32:add M3 N1 M2} true.

%% add-commutes/L: when N1 = N2 the intermediate map is M1 itself and
%% both input derivations are reused.  Otherwise the second add's
%% membership fact is carried back across the first update
%% (update-preserves-*-converse), a fresh update U02 is built, the
%% first add's membership fact is carried forward across it
%% (update-preserves-*), and update-commutes* swaps the two updates.
%theorem add-commutes/L : forall* {M0} {N1} {M1} {N2} {M2} {B} forall {A01:add M0 N1 M1} {A12:add M1 N2 M2} {EQ?: nat`eq? N1 N2 B} exists {M3} {A02:add M0 N2 M3} {A32:add M3 N1 M2} true.
- : add-commutes/L A0 A1 nat`eq?/yes _ A0 A1.
- : add-commutes/L (add/0 NM1 U01) (add/0 NM2 U12) (nat`eq?/no N1<>N2) _ (add/0 NM2' U02) (add/0 NM1' U32)
    <- update-preserves-not-member-converse NM2 U01 NM2'
    <- update-total U02
    <- update-preserves-not-member NM1 U02 N1<>N2 NM1'
    <- update-commutes* U01 U12 N1<>N2 U02 U32.
- : add-commutes/L (add/0 NM1 U01) (add/+ L2 U12) (nat`eq?/no N1<>N2) _ (add/+ L2' U02) (add/0 NM1' U32)
    <- nat`ne-symmetric N1<>N2 N2<>N1
    <- update-preserves-lookup-converse L2 U01 N2<>N1 L2'
    <- update-total U02
    <- update-preserves-not-member NM1 U02 N1<>N2 NM1'
    <- update-commutes* U01 U12 N1<>N2 U02 U32.
- : add-commutes/L (add/+ L1 U01) (add/0 NM2 U12) (nat`eq?/no N1<>N2) _ (add/0 NM2' U02) (add/+ L1' U32)
    <- update-preserves-not-member-converse NM2 U01 NM2'
    <- update-total U02
    <- update-preserves-lookup L1 U02 N1<>N2 L1'
    <- update-commutes* U01 U12 N1<>N2 U02 U32.
- : add-commutes/L (add/+ L1 U01) (add/+ L2 U12) (nat`eq?/no N1<>N2) _ (add/+ L2' U02) (add/+ L1' U32)
    <- nat`ne-symmetric N1<>N2 N2<>N1
    <- update-preserves-lookup-converse L2 U01 N2<>N1 L2'
    <- update-total U02
    <- update-preserves-lookup L1 U02 N1<>N2 L1'
    <- update-commutes* U01 U12 N1<>N2 U02 U32.
%worlds () (add-commutes/L _ _ _ _ _ _).
%total { } (add-commutes/L _ _ _ _ _ _).
- : add-commutes A01 A12 _ A02 A23
    <- nat`eq?-total EQ?
    <- add-commutes/L A01 A12 EQ? _ A02 A23.
%worlds () (add-commutes _ _ _ _ _).
%total { } (add-commutes _ _ _ _ _).

%% count-add-implies-count: adding key N raises its count from C to s C.
%% Each case builds the canonical add derivation (add/0 or add/+ over a
%% fresh update), identifies its result with M' by add-deterministic,
%% and reads the new count off the lookup the update guarantees.
%theorem count-add-implies-count : forall* {M} {N} {C} {M'} forall {K:count M N C} {A:add M N M'} exists {K':count M' N (s C)} true.
- : count-add-implies-count (count/z NM) A K'
    <- update-total U
    <- add-deterministic (add/0 NM U) A eq/ nat`eq/ EM'
    <- update-implies-lookup U L
    <- count-respects-eq (count/s L) EM' nat`eq/ nat`eq/ K'.
- : count-add-implies-count (count/s L) A K'
    <- update-total U
    <- add-deterministic (add/+ L U) A eq/ nat`eq/ EM'
    <- update-implies-lookup U L'
    <- count-respects-eq (count/s L') EM' nat`eq/ nat`eq/ K'.
%worlds () (count-add-implies-count _ _ _).
%total { } (count-add-implies-count _ _ _).

%% update-preserves-count: updating a different key N' (NE) leaves the
%% count of N unchanged; each count constructor is carried across the
%% update by the matching update-preserves-* lemma.
%theorem update-preserves-count : forall* {M} {N} {C} {M'} {N'} {C'} forall {K:count M N C} {A:update M N' C' M'} {NE: nat`ne N N'} exists {K':count M' N C} true.
- : update-preserves-count (count/z NM) U NE (count/z NM')
    <- update-preserves-not-member NM U NE NM'.
- : update-preserves-count (count/s L) U NE (count/s L')
    <- update-preserves-lookup L U NE L'.
%worlds () (update-preserves-count _ _ _ _).
%total { } (update-preserves-count _ _ _ _).

%% add-preserves-count: adding a different key leaves the count of N
%% unchanged; both add constructors reduce to update-preserves-count.
%theorem add-preserves-count : forall* {M} {N} {C} {M'} {N'} forall {K:count M N C} {A:add M N' M'} {NE: nat`ne N N'} exists {K':count M' N C} true.
- : add-preserves-count K (add/0 _ U) NE K'
    <- update-preserves-count K U NE K'.
- : add-preserves-count K (add/+ _ U) NE K'
    <- update-preserves-count K U NE K'.
%worlds () (add-preserves-count _ _ _ _).
%total { } (add-preserves-count _ _ _ _).

%% add-preserves-count-converse: the count of N after adding a different
%% key N' was already the count before.  Proved by taking any count of
%% M (count-total), pushing it forward, and using count-deterministic
%% to match it with the given count.
%theorem add-preserves-count-converse : forall* {M} {N} {C} {M'} {N'} forall {K':count M' N C} {A:add M N' M'} {NE: nat`ne N N'} exists {K:count M N C} true.
- : add-preserves-count-converse K2 A NE K1
    <- count-total K1'
    <- add-preserves-count K1' A NE K2'
    <- count-deterministic K2' K2 eq/ nat`eq/ EQ
    <- count-respects-eq K1' eq/ nat`eq/ EQ K1.
%worlds () (add-preserves-count-converse _ _ _ _).
%total { } (add-preserves-count-converse _ _ _ _).

%% shift-preserves-count-converse: a count at key N2 = (s N) + N1 in
%% the shifted map M2 gives the same count at key N1 in M1, via the
%% converse shift lemmas for not-member and lookup.
%theorem shift-preserves-count-converse : forall* {N} {M1} {N1} {M2} {N2} {C} forall {C2: count M2 N2 C} {MS: shift N M1 M2} {P: plus (s N) N1 N2} exists {C1: count M1 N1 C} true.
- : shift-preserves-count-converse (count/z MF) MS P (count/z MF')
    <- shift-preserves-not-member-converse* MF MS P MF'.
- : shift-preserves-count-converse (count/s ML) MS P (count/s ML')
    <- shift-preserves-lookup-converse* ML MS P ML'.
%worlds () (shift-preserves-count-converse _ _ _ _).
%total { } (shift-preserves-count-converse _ _ _ _).

%% shift-preserves-add-converse: an add at key N2 on the shifted map M2
%% is the shift of an add at key N1 on M1; the update inside the add is
%% pulled back with shift-preserves-update-converse and the membership
%% fact with the matching converse lemma.
%theorem shift-preserves-add-converse : forall* {N} {M1} {N1} {M2} {N2} {M2'} forall {A2: add M2 N2 M2'} {MS: shift N M1 M2} {P: plus (s N) N1 N2} exists {M1'} {MS': shift N M1' M2'} {A1: add M1 N1 M1'} true.
- : shift-preserves-add-converse (add/+ ML MU) MS P _ MS' (add/+ ML' MU')
    <- shift-preserves-update-converse MU MS P _ MS' MU'
    <- shift-preserves-lookup-converse* ML MS P ML'.
- : shift-preserves-add-converse (add/0 MF MU) MS P _ MS' (add/0 MF' MU')
    <- shift-preserves-update-converse MU MS P _ MS' MU'
    <- shift-preserves-not-member-converse* MF MS P MF'.
%worlds () (shift-preserves-add-converse _ _ _ _ _ _).
%total { } (shift-preserves-add-converse _ _ _ _ _ _).

%%%%% multiset-extra.elf
%%%%% Extra theorems about multisets not derived from map.
%%%%% This file is part of the multiset.elf signature

%%%% Theorems

%% union-right-distributes-over-intersection:
%%   (S1 * S2) + S4  =  (S1 + S4) * (S2 + S4)
%% where + is union and * is intersection (the identifier names follow
%% this reading).  As the premises show: with S5 = S1+S4, S6 = S2+S4
%% and S7' = S5*S6, S4 <= S6 gives S4*S6 = S4, so distributing
%% intersection over the union S5 yields S7' = S1*S6 + S4; distributing
%% it over S6 yields S1*S6 = S3 + S1*S4; since S1*S4 <= S4 it is
%% absorbed, leaving S7' = S3 + S4, which union-deterministic identifies
%% with the given S7.
%theorem union-right-distributes-over-intersection : forall* {S1} {S2} {S3} {S4} {S7} forall {I12:intersection S1 S2 S3} {U34:union S3 S4 S7} exists {S5} {S6} {U14:union S1 S4 S5} {U24:union S2 S4 S6} {I56:intersection S5 S6 S7} true.
- : union-right-distributes-over-intersection S1*S2=S3 S3+S4=S7 S5 S6 S1+S4=S5 S2+S4=S6 S5*S6=S7
    <- union-total S1+S4=S5
    <- union-total S2+S4=S6
    <- intersection-total S5*S6=S7'
    <- union-implies-leq S2+S4=S6 _ S4<=S6
    <- leq-implies-intersection S4<=S6 S4*S6=S4
    <- intersection-total S1*S6=S8
    <- intersection-total S1*S4=S9
    <- intersection-right-distributes-over-union* S1+S4=S5 S5*S6=S7' S1*S6=S8 S4*S6=S4 S8+S4=S7'
    <- intersection-left-distributes-over-union* S2+S4=S6 S1*S6=S8 S1*S2=S3 S1*S4=S9 S3+S9=S8
    <- intersection-implies-leq S1*S4=S9 _ S9<=S4
    <- leq-implies-union S9<=S4 S9+S4=S4
    <- union-associative* S3+S9=S8 S8+S4=S7' S9+S4=S4 S3+S4=S7'
    <- union-deterministic S3+S4=S7' S3+S4=S7 eq/ eq/ S7'=S7
    <- intersection-respects-eq S5*S6=S7' eq/ eq/ S7'=S7 S5*S6=S7.
%worlds () (union-right-distributes-over-intersection _ _ _ _ _ _ _).
%total { } (union-right-distributes-over-intersection _ _ _ _ _ _ _).

%% The starred variants take the two unions as inputs instead of
%% producing them; they follow from the unstarred lemma by
%% union-deterministic on each union.
%theorem union-right-distributes-over-intersection* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {A12:intersection X1 X2 X3} {M34:union X3 X4 X7} {M14:union X1 X4 X5} {M24:union X2 X4 X6} exists {A56:intersection X5 X6 X7} true.
- : union-right-distributes-over-intersection* X1*X2=X3 X3+X4=X7 X1+X4=X5 X2+X4=X6 X5*X6=X7
    <- union-right-distributes-over-intersection X1*X2=X3 X3+X4=X7 Y5 Y6 X1+X4=Y5 X2+X4=Y6 Y5*Y6=X7
    <- union-deterministic X1+X4=Y5 X1+X4=X5 eq/ eq/ Y5=X5
    <- union-deterministic X2+X4=Y6 X2+X4=X6 eq/ eq/ Y6=X6
    <- intersection-respects-eq Y5*Y6=X7 Y5=X5 Y6=X6 eq/ X5*X6=X7.
%worlds () (union-right-distributes-over-intersection* X1*X2=X3 X3+X4=X7 X1+X4=X5 X2+X4=X6 X5*X6=X7).
%total {} (union-right-distributes-over-intersection* _ _ _ _ _).

%% union-left-distributes-over-intersection*: X1 + (X2 * X4) =
%% (X1 + X2) * (X1 + X4); reduced to the right-distribution lemma by
%% commuting all three unions.
%theorem union-left-distributes-over-intersection* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {A12:intersection X2 X4 X6} {M34:union X1 X6 X7} {M14:union X1 X2 X3} {M24:union X1 X4 X5} exists {A56:intersection X3 X5 X7} true.
- : union-left-distributes-over-intersection* X2*X4=X6 X1+X6=X7 X1+X2=X3 X1+X4=X5 X3*X5=X7
    <- union-commutative X1+X6=X7 X6+X1=X7
    <- union-commutative X1+X2=X3 X2+X1=X3
    <- union-commutative X1+X4=X5 X4+X1=X5
    <- union-right-distributes-over-intersection* X2*X4=X6 X6+X1=X7 X2+X1=X3 X4+X1=X5 X3*X5=X7.
%worlds () (union-left-distributes-over-intersection* X2*X4=X6 X1+X6=X7 X1+X2=X3 X1+X4=X5 X3*X5=X7).
%total {} (union-left-distributes-over-intersection* _ _ _ _ _).

%% Unstarred left-distribution: the two unions are produced with
%% union-total and the starred lemma does the rest.
%theorem union-left-distributes-over-intersection : forall* {X1} {X2} {X4} {X6} {X7} forall {A12:intersection X2 X4 X6} {M34:union X1 X6 X7} exists {X3} {X5} {M14:union X1 X2 X3} {M24:union X1 X4 X5} {A56:intersection X3 X5 X7} true.
- : union-left-distributes-over-intersection X2*X4=X6 X1+X6=X7 X3 X5 X1+X2=X3 X1+X4=X5 X3*X5=X7
    <- union-total X1+X2=X3
    <- union-total X1+X4=X5
    <- union-left-distributes-over-intersection* X2*X4=X6 X1+X6=X7 X1+X2=X3 X1+X4=X5 X3*X5=X7.
%worlds () (union-left-distributes-over-intersection X2*X4=X6 X1+X6=X7 X3 X5 X1+X2=X3 X1+X4=X5 X3*X5=X7).
%total {} (union-left-distributes-over-intersection _ _ _ _ _ _ _).
%theorem union-right-factors-over-intersection : forall* {X1} {X2} {X4} {X5} {X6} {X7} forall {M14:union X1 X4 X5} {M24:union X2 X4 X6} {A56:intersection X5 X6 X7} exists {X3} {A12:intersection X1 X2 X3} {M34:union X3 X4 X7} true. - : union-right-factors-over-intersection X1+X4=X5 X2+X4=X6 X5*X6=X7 X3 X1*X2=X3 X3+X4=X7 <- intersection-total X1*X2=X3 <- union-total X3+X4=Y7 <- union-right-distributes-over-intersection* X1*X2=X3 X3+X4=Y7 X1+X4=X5 X2+X4=X6 X5*X6=Y7 <- intersection-deterministic X5*X6=Y7 X5*X6=X7 eq/ eq/ Y7=X7 <- union-respects-eq X3+X4=Y7 eq/ eq/ Y7=X7 X3+X4=X7. %worlds () (union-right-factors-over-intersection X1+X4=X5 X2+X4=X6 X5*X6=X7 X3 X1*X2=X3 X3+X4=X7 ). %total {} (union-right-factors-over-intersection _ _ _ _ _ _). %theorem union-right-factors-over-intersection* : forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7} forall {M14:union X1 X4 X5} {M24:union X2 X4 X6} {A56:intersection X5 X6 X7} {A12:intersection X1 X2 X3} exists {M34:union X3 X4 X7} true. - : union-right-factors-over-intersection* X1+X4=X5 X2+X4=X6 X5*X6=X7 X1*X2=X3 X3+X4=X7 <- union-total X3+X4=Y7 <- union-right-distributes-over-intersection* X1*X2=X3 X3+X4=Y7 X1+X4=X5 X2+X4=X6 X5*X6=Y7 <- intersection-deterministic X5*X6=Y7 X5*X6=X7 eq/ eq/ Y7=X7 <- union-respects-eq X3+X4=Y7 eq/ eq/ Y7=X7 X3+X4=X7. %worlds () (union-right-factors-over-intersection* X1+X4=X5 X2+X4=X6 X5*X6=X7 X1*X2=X3 X3+X4=X7 ). %total {} (union-right-factors-over-intersection* _ _ _ _ _). %theorem union-left-factors-over-intersection : forall* {X1} {X2} {X3} {X4} {X5} {X7} forall {M12:union X1 X2 X3} {M14:union X1 X4 X5} {A35:intersection X3 X5 X7} exists {X6} {A24:intersection X2 X4 X6} {M16:union X1 X6 X7} true. - : union-left-factors-over-intersection X1+X2=X3 X1+X4=X5 X3*X5=X7 X6 X2*X4=X6 X1+X6=X7 <- union-commutative X1+X2=X3 X2+X1=X3 <- union-commutative X1+X4=X5 X4+X1=X5 <- union-right-factors-over-intersection X2+X1=X3 X4+X1=X5 X3*X5=X7 X6 X2*X4=X6 X6+X1=X7 <- union-commutative X6+X1=X7 X1+X6=X7. 
%% %worlds/%total for union-left-factors-over-intersection (declared and proved just above).
%worlds () (union-left-factors-over-intersection X1+X2=X3 X1+X4=X5 X3*X5=X7 X6 X2*X4=X6 X1+X6=X7).
%total {} (union-left-factors-over-intersection _ _ _ _ _ _).

%% Left-factoring with the intersection X2*X4=X6 supplied; the result union is
%% constructed, distributed, and identified with X7 by determinism of intersection.
%theorem union-left-factors-over-intersection* :
   forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
   forall {M12:union X1 X2 X3} {M14:union X1 X4 X5} {A35:intersection X3 X5 X7} {A24:intersection X2 X4 X6}
   exists {M16:union X1 X6 X7}
   true.
- : union-left-factors-over-intersection* X1+X2=X3 X1+X4=X5 X3*X5=X7 X2*X4=X6 X1+X6=X7
   <- union-total X1+X6=Y7
   <- union-left-distributes-over-intersection* X2*X4=X6 X1+X6=Y7 X1+X2=X3 X1+X4=X5 X3*X5=Y7
   <- intersection-deterministic X3*X5=Y7 X3*X5=X7 eq/ eq/ Y7=X7
   <- union-respects-eq X1+X6=Y7 eq/ eq/ Y7=X7 X1+X6=X7.
%worlds () (union-left-factors-over-intersection* X1+X2=X3 X1+X4=X5 X3*X5=X7 X2*X4=X6 X1+X6=X7).
%total {} (union-left-factors-over-intersection* _ _ _ _ _).

%%%% Redefinitions
%% A multiset is represented as a map (key = element, value = its count);
%% these abbreviations give the map signature its multiset-facing names.
%abbrev multiset = map.
%abbrev multiset/0 = map/0.
%abbrev multiset/+ = map/+.
%% NOTE(review): C is a free (implicitly quantified) variable here, so
%% `member S N` is "N has some count C in S" -- confirm that is the intent.
%abbrev member = [S] [N] lookup S N C.
%%% Theorem renamings.
%% using "member"
%abbrev false-implies-member = false-implies-lookup.
%abbrev not-member-member-implies-ne = not-member-lookup-not-equal.
%abbrev in-implies-member = in-implies-lookup.
%abbrev member-respects-eq = [L:member M N] [EM:eq M MP] [EN:nat`eq N NP] [LP:member MP NP] lookup-respects-eq L EM EN nat`eq/ LP.
%% Qualified aliases (multiset`name = name) so clients can refer to every
%% constant of this signature through the `multiset` prefix.
%abbrev multiset`map = map.
%abbrev multiset`map/0 = map/0.
%abbrev multiset`map/+ = map/+.
%abbrev multiset`eq = eq.
%abbrev multiset`eq/ = eq/.
%abbrev multiset`ne = ne.
%abbrev multiset`ne/L = ne/L.
%abbrev multiset`ne/R = ne/R.
%abbrev multiset`ne/N = ne/N.
%abbrev multiset`ne/D = ne/D.
%abbrev multiset`ne/+ = ne/+.
%abbrev multiset`eq? = eq?.
%abbrev multiset`eq?/yes = eq?/yes.
%abbrev multiset`eq?/no = eq?/no.
%abbrev multiset`lookup = lookup.
%abbrev multiset`lookup/= = lookup/=.
%abbrev multiset`lookup/> = lookup/>.
%abbrev multiset`not-member = not-member.
%abbrev multiset`not-member/0 = not-member/0.
%% Continuation of the qualified aliases (multiset`name = name) for the
%% multiset signature; purely renamings, no new definitions or theorems.
%abbrev multiset`not-member/< = not-member/<.
%abbrev multiset`not-member/> = not-member/>.
%abbrev multiset`member? = member?.
%abbrev multiset`member?/in = member?/in.
%abbrev multiset`member?/out = member?/out.
%abbrev multiset`disjoint = disjoint.
%abbrev multiset`disjoint/L = disjoint/L.
%abbrev multiset`disjoint/R = disjoint/R.
%abbrev multiset`disjoint/< = disjoint/<.
%abbrev multiset`disjoint/> = disjoint/>.
%abbrev multiset`disjoint? = disjoint?.
%abbrev multiset`disjoint?/yes = disjoint?/yes.
%abbrev multiset`disjoint?/no = disjoint?/no.
%abbrev multiset`size = size.
%abbrev multiset`size/0 = size/0.
%abbrev multiset`size/+ = size/+.
%abbrev multiset`bound = bound.
%abbrev multiset`bound/0 = bound/0.
%abbrev multiset`bound/+ = bound/+.
%abbrev multiset`shift = shift.
%abbrev multiset`shift/0 = shift/0.
%abbrev multiset`shift/+ = shift/+.
%abbrev multiset`update = update.
%abbrev multiset`update/0 = update/0.
%abbrev multiset`update/= = update/=.
%abbrev multiset`update/< = update/<.
%abbrev multiset`update/> = update/>.
%% theorems about eq / ne / eq?
%abbrev multiset`meta-eq = meta-eq.
%abbrev multiset`false-implies-eq = false-implies-eq.
%abbrev multiset`eq-reflexive = eq-reflexive.
%abbrev multiset`eq-symmetric = eq-symmetric.
%abbrev multiset`eq-transitive = eq-transitive.
%abbrev multiset`map/+-preserves-eq = map/+-preserves-eq.
%abbrev multiset`map/+-preserves-eq-converse = map/+-preserves-eq-converse.
%abbrev multiset`eq-no-occur = eq-no-occur.
%abbrev multiset`eq-contradiction = eq-contradiction.
%abbrev multiset`false-implies-ne = false-implies-ne.
%abbrev multiset`ne-respects-eq = ne-respects-eq.
%abbrev multiset`ne-anti-reflexive = ne-anti-reflexive.
%abbrev multiset`ne-symmetric = ne-symmetric.
%abbrev multiset`eq-ne-implies-false = eq-ne-implies-false.
%abbrev multiset`eq?-total* = eq?-total*.
%abbrev multiset`eq?-total = eq?-total.
%abbrev multiset`eq?-total/+ = eq?-total/+.
%% theorems about lookup / not-member / member?
%abbrev multiset`false-implies-lookup = false-implies-lookup.
%abbrev multiset`lookup-respects-eq = lookup-respects-eq.
%abbrev multiset`lookup-deterministic = lookup-deterministic.
%abbrev multiset`lookup-contradiction = lookup-contradiction.
%abbrev multiset`lookup-one-choice = lookup-one-choice.
%abbrev multiset`lookup-ne-implies-ne = lookup-ne-implies-ne.
%abbrev multiset`lookup-ne-implies-ne/L = lookup-ne-implies-ne/L.
%abbrev multiset`false-implies-not-member = false-implies-not-member.
%abbrev multiset`not-member-respects-eq = not-member-respects-eq.
%abbrev multiset`not-member-total* = not-member-total*.
%abbrev multiset`not-member-total = not-member-total.
%abbrev multiset`not-member-lookup-not-equal = not-member-lookup-not-equal.
%abbrev multiset`not-member-contradiction = not-member-contradiction.
%abbrev multiset`ne-implies-unit-map-not-member = ne-implies-unit-map-not-member.
%abbrev multiset`plus-right-preserves-not-member* = plus-right-preserves-not-member*.
%abbrev multiset`not-member-lookup-implies-ne = not-member-lookup-implies-ne.
%abbrev multiset`not-member-lookup-implies-ne/L = not-member-lookup-implies-ne/L.
%abbrev multiset`false-implies-member? = false-implies-member?.
%abbrev multiset`member?-respects-eq = member?-respects-eq.
%abbrev multiset`member?-deterministic = member?-deterministic.
%abbrev multiset`member?-total* = member?-total*.
%abbrev multiset`member?-map/+-total = member?-map/+-total.
%abbrev multiset`member?-map/+-complete = member?-map/+-complete.
%abbrev multiset`member?-total = member?-total.
%abbrev multiset`in-implies-lookup = in-implies-lookup.
%abbrev multiset`out-implies-not-member = out-implies-not-member.
%% theorems about disjoint
%abbrev multiset`false-implies-disjoint = false-implies-disjoint.
%abbrev multiset`disjoint-respects-eq = disjoint-respects-eq.
%abbrev multiset`disjoint/=-contradiction = disjoint/=-contradiction.
%abbrev multiset`disjoint/<-inversion = disjoint/<-inversion.
%abbrev multiset`disjoint/>-inversion = disjoint/>-inversion.
%abbrev multiset`disjoint-anti-reflexive = disjoint-anti-reflexive.
%abbrev multiset`disjoint-symmetric = disjoint-symmetric.
%abbrev multiset`disjoint-lookup-contradiction = disjoint-lookup-contradiction.
%abbrev multiset`shift-left-preserves-disjoint = shift-left-preserves-disjoint.
%abbrev multiset`shift-left-preserves-disjoint-converse = shift-left-preserves-disjoint-converse.
%abbrev multiset`shift-right-preserves-disjoint = shift-right-preserves-disjoint.
%abbrev multiset`shift-right-preserves-disjoint-converse = shift-right-preserves-disjoint-converse.
%abbrev multiset`shift-preserves-disjoint = shift-preserves-disjoint.
%abbrev multiset`shift-preserves-disjoint-converse = shift-preserves-disjoint-converse.
%abbrev multiset`ne-implies-disjoint = ne-implies-disjoint.
%% theorems about size / bound / shift
%abbrev multiset`false-implies-size = false-implies-size.
%abbrev multiset`size-total* = size-total*.
%abbrev multiset`size-total = size-total.
%abbrev multiset`size-deterministic = size-deterministic.
%abbrev multiset`false-implies-bound = false-implies-bound.
%abbrev multiset`bound-total* = bound-total*.
%abbrev multiset`bound-total = bound-total.
%abbrev multiset`ge-bound-implies-not-member = ge-bound-implies-not-member.
%abbrev multiset`false-implies-shift = false-implies-shift.
%abbrev multiset`shift-respects-eq = shift-respects-eq.
%abbrev multiset`shift-total* = shift-total*.
%abbrev multiset`shift-total = shift-total.
%abbrev multiset`shift-deterministic = shift-deterministic.
%abbrev multiset`shifts-add = shifts-add.
%abbrev multiset`shifts-add-converse = shifts-add-converse.
%abbrev multiset`shift-preserves-not-member-converse* = shift-preserves-not-member-converse*.
%abbrev multiset`shift-preserves-lookup = shift-preserves-lookup.
%abbrev multiset`shift-preserves-lookup* = shift-preserves-lookup*.
%abbrev multiset`shift-preserves-lookup-converse = shift-preserves-lookup-converse.
%abbrev multiset`shift-preserves-lookup-converse* = shift-preserves-lookup-converse*.
%abbrev multiset`shift-preserves-size = shift-preserves-size.
%abbrev multiset`disjoint?-total* = disjoint?-total*.
%abbrev multiset`disjoint?-total*/+ = disjoint?-total*/+.
%abbrev multiset`disjoint?-total*/< = disjoint?-total*/<.
%abbrev multiset`disjoint?-total*/> = disjoint?-total*/>.
%abbrev multiset`disjoint?-total = disjoint?-total.
%% theorems about update
%abbrev multiset`false-implies-update = false-implies-update.
%abbrev multiset`update-respects-eq = update-respects-eq.
%abbrev multiset`update-eq = update-eq.
%abbrev multiset`update-eq/ = update-eq/.
%abbrev multiset`false-implies-update-eq = false-implies-update-eq.
%abbrev multiset`meta-update-eq = meta-update-eq.
%abbrev multiset`update/=-inversion = update/=-inversion.
%abbrev multiset`update/<-inversion = update/<-inversion.
%abbrev multiset`update/>-inversion = update/>-inversion.
%abbrev multiset`update-deterministic = update-deterministic.
%abbrev multiset`update-total* = update-total*.
%abbrev multiset`update-map/+-total = update-map/+-total.
%abbrev multiset`update-total = update-total.
%abbrev multiset`lookup-implies-update = lookup-implies-update.
%abbrev multiset`update-implies-lookup = update-implies-lookup.
%abbrev multiset`update-preserves-lookup = update-preserves-lookup.
%abbrev multiset`update-preserves-lookup-converse = update-preserves-lookup-converse.
%abbrev multiset`update-preserves-not-member = update-preserves-not-member.
%abbrev multiset`update-preserves-not-member-converse = update-preserves-not-member-converse.
%abbrev multiset`update-preserves-not-member-converse-helper = update-preserves-not-member-converse-helper.
%abbrev multiset`update-is-cause-of-change = update-is-cause-of-change.
%abbrev multiset`update-is-cause-of-change/L = update-is-cause-of-change/L.
%abbrev multiset`update-preserves-membership = update-preserves-membership.
%abbrev multiset`update-preserves-membership-converse = update-preserves-membership-converse.
%abbrev multiset`lookup-update-preserves-membership = lookup-update-preserves-membership.
%abbrev multiset`lookup-update-preserves-membership/L = lookup-update-preserves-membership/L.
%abbrev multiset`lookup-update-preserves-membership-converse = lookup-update-preserves-membership-converse.
%abbrev multiset`update-preserves-in-member = update-preserves-in-member.
%abbrev multiset`update-preserves-in-member/L = update-preserves-in-member/L.
%abbrev multiset`shift-preserves-update = shift-preserves-update.
%abbrev multiset`shift-preserves-update* = shift-preserves-update*.
%abbrev multiset`shift-preserves-update-converse = shift-preserves-update-converse.
%abbrev multiset`update-overwrites = update-overwrites.
%abbrev multiset`update-overwrites-converse = update-overwrites-converse.
%abbrev multiset`update-may-have-no-effect = update-may-have-no-effect.
%abbrev multiset`update-idempotent = update-idempotent.
%abbrev multiset`update-commutes = update-commutes.
%abbrev multiset`update-commutes* = update-commutes*.
%abbrev multiset`can-remove = can-remove.
%% leq (pointwise ordering)
%abbrev multiset`leq = leq.
%abbrev multiset`leq/0 = leq/0.
%abbrev multiset`leq/= = leq/=.
%abbrev multiset`leq/> = leq/>.
%abbrev multiset`false-implies-leq = false-implies-leq.
%abbrev multiset`leq-respects-eq = leq-respects-eq.
%abbrev multiset`leq/0-inversion = leq/0-inversion.
%abbrev multiset`leq/=-inversion = leq/=-inversion.
%abbrev multiset`leq/>-inversion = leq/>-inversion.
%abbrev multiset`leq-contradiction = leq-contradiction.
%abbrev multiset`leq-reflexive = leq-reflexive.
%abbrev multiset`leq-anti-symmetric = leq-anti-symmetric.
%abbrev multiset`leq-transitive = leq-transitive.
%abbrev multiset`map/+-preserves-leq = map/+-preserves-leq.
%abbrev multiset`lookup-respects-leq = lookup-respects-leq.
%abbrev multiset`not-member-respects-geq = not-member-respects-geq.
%abbrev multiset`leq-implies-size-le = leq-implies-size-le.
%abbrev multiset`leq-implies-bound-le = leq-implies-bound-le.
%abbrev multiset`shift-left-preserves-leq* = shift-left-preserves-leq*.
%abbrev multiset`shift-preserves-leq* = shift-preserves-leq*.
%abbrev multiset`update-left-preserves-leq* = update-left-preserves-leq*.
%abbrev multiset`update-right-preserves-leq* = update-right-preserves-leq*.
%abbrev multiset`update-preserves-leq* = update-preserves-leq*.
%abbrev multiset`not-member-update-implies-leq = not-member-update-implies-leq.
%abbrev multiset`lookup-update-preserves-leq = lookup-update-preserves-leq.
%% union
%abbrev multiset`union = union.
%abbrev multiset`union/L = union/L.
%abbrev multiset`union/R = union/R.
%abbrev multiset`union/= = union/=.
%abbrev multiset`union/< = union/<.
%abbrev multiset`union/> = union/>.
%abbrev multiset`false-implies-union = false-implies-union.
%abbrev multiset`union-respects-eq = union-respects-eq.
%abbrev multiset`union/=-inversion = union/=-inversion.
%abbrev multiset`union/<-inversion = union/<-inversion.
%abbrev multiset`union/>-inversion = union/>-inversion.
%abbrev multiset`union-deterministic = union-deterministic.
%abbrev multiset`union-total* = union-total*.
%abbrev multiset`union-map/+-M-total* = union-map/+-M-total*.
%abbrev multiset`union-M-map/+-total* = union-M-map/+-total*.
%abbrev multiset`union-map/+-map/+-total* = union-map/+-map/+-total*.
%abbrev multiset`union-total = union-total.
%abbrev multiset`disjoint-union-total = disjoint-union-total.
%abbrev multiset`union-empty-implies-empty = union-empty-implies-empty.
%abbrev multiset`union-preserves-disjoint* = union-preserves-disjoint*.
%abbrev multiset`union-preserves-disjoint*/L = union-preserves-disjoint*/L.
%abbrev multiset`shift-left-preserves-union = shift-left-preserves-union.
%abbrev multiset`shift-left-preserves-union-converse = shift-left-preserves-union-converse.
%abbrev multiset`shift-right-preserves-union = shift-right-preserves-union.
%abbrev multiset`shift-right-preserves-union-converse = shift-right-preserves-union-converse.
%abbrev multiset`shift-preserves-union = shift-preserves-union.
%abbrev multiset`shift-preserves-union-converse = shift-preserves-union-converse.
%abbrev multiset`union-commutative = union-commutative.
%abbrev multiset`union-associative = union-associative.
%abbrev multiset`union-associative-union/<-union/< = union-associative-union/<-union/<.
%abbrev multiset`union-associative* = union-associative*.
%abbrev multiset`union-associative-converse = union-associative-converse.
%abbrev multiset`union-associative-converse* = union-associative-converse*.
%abbrev multiset`union-assoc-commutative* = union-assoc-commutative*.
%abbrev multiset`union-assoc-commutative = union-assoc-commutative.
%abbrev multiset`union-double-associative* = union-double-associative*.
%abbrev multiset`union-double-associative = union-double-associative.
%abbrev multiset`lookup-implies-union = lookup-implies-union.
%abbrev multiset`union-joins-lookup = union-joins-lookup.
%abbrev multiset`union-preserves-not-member* = union-preserves-not-member*.
%abbrev multiset`not-member-union-left-preserves-lookup* = not-member-union-left-preserves-lookup*.
%abbrev multiset`not-member-union-left-preserves-lookup-converse = not-member-union-left-preserves-lookup-converse.
%abbrev multiset`not-member-union-left-preserves-lookup-converse/L = not-member-union-left-preserves-lookup-converse/L.
%abbrev multiset`union-left-affects-lookup = union-left-affects-lookup.
%abbrev multiset`union-left-affects-lookup/L = union-left-affects-lookup/L.
%abbrev multiset`not-member-union-right-preserves-lookup* = not-member-union-right-preserves-lookup*.
%abbrev multiset`not-member-union-right-preserves-lookup-converse = not-member-union-right-preserves-lookup-converse.
%abbrev multiset`not-member-union-right-preserves-lookup-converse/L = not-member-union-right-preserves-lookup-converse/L.
%abbrev multiset`union-right-affects-lookup = union-right-affects-lookup.
%abbrev multiset`union-right-affects-lookup/L = union-right-affects-lookup/L.
%abbrev multiset`union-preserves-not-member-converse* = union-preserves-not-member-converse*.
%abbrev multiset`union-preserves-not-member-converse/L = union-preserves-not-member-converse/L.
%abbrev multiset`disjoint-union-left-preserves-lookup* = disjoint-union-left-preserves-lookup*.
%abbrev multiset`disjoint-union-left-preserves-lookup*/L = disjoint-union-left-preserves-lookup*/L.
%abbrev multiset`disjoint-union-right-preserves-lookup* = disjoint-union-right-preserves-lookup*.
%abbrev multiset`disjoint-union-right-preserves-lookup*/L = disjoint-union-right-preserves-lookup*/L.
%abbrev multiset`union-implies-leq* = union-implies-leq*.
%abbrev multiset`union-implies-leq = union-implies-leq.
%abbrev multiset`union-is-lub = union-is-lub.
%abbrev multiset`union-idempotent = union-idempotent.
%abbrev multiset`leq-implies-union = leq-implies-union.
%abbrev multiset`disjoint-leq-implies-union-leq* = disjoint-leq-implies-union-leq*.
%abbrev multiset`union-left-preserves-leq* = union-left-preserves-leq*.
%abbrev multiset`union-right-preserves-leq* = union-right-preserves-leq*.
%% intersection
%abbrev multiset`intersection = intersection.
%abbrev multiset`intersection/L = intersection/L.
%abbrev multiset`intersection/R = intersection/R.
%abbrev multiset`intersection/= = intersection/=.
%abbrev multiset`intersection/< = intersection/<.
%abbrev multiset`intersection/> = intersection/>.
%abbrev multiset`false-implies-intersection = false-implies-intersection.
%abbrev multiset`intersection-respects-eq = intersection-respects-eq.
%abbrev multiset`intersection/L-inversion = intersection/L-inversion.
%abbrev multiset`intersection/R-inversion = intersection/R-inversion.
%abbrev multiset`intersection/=-inversion = intersection/=-inversion.
%abbrev multiset`intersection/<-inversion = intersection/<-inversion.
%abbrev multiset`intersection/>-inversion = intersection/>-inversion.
%abbrev multiset`intersection-implies-ge = intersection-implies-ge.
%abbrev multiset`intersection-deterministic = intersection-deterministic.
%abbrev multiset`intersection-total* = intersection-total*.
%abbrev multiset`intersection-map/+-M-total* = intersection-map/+-M-total*.
%abbrev multiset`intersection-M-map/+-total* = intersection-M-map/+-total*.
%abbrev multiset`intersection-map/+-map/+-total* = intersection-map/+-map/+-total*.
%abbrev multiset`intersection-total = intersection-total.
%abbrev multiset`intersection-commutative = intersection-commutative.
%abbrev multiset`shift-left-preserves-intersection = shift-left-preserves-intersection.
%abbrev multiset`shift-left-preserves-intersection-converse = shift-left-preserves-intersection-converse.
%abbrev multiset`shift-right-preserves-intersection = shift-right-preserves-intersection.
%abbrev multiset`shift-right-preserves-intersection-converse = shift-right-preserves-intersection-converse.
%abbrev multiset`shift-preserves-intersection = shift-preserves-intersection.
%abbrev multiset`shift-preserves-intersection-converse = shift-preserves-intersection-converse.
%abbrev multiset`intersection-associativeM = intersection-associativeM.
%abbrev multiset`intersection-associativeM* = intersection-associativeM*.
%abbrev multiset`intersection-associative = intersection-associative.
%abbrev multiset`intersection-associative* = intersection-associative*.
%abbrev multiset`intersection-associative-converse = intersection-associative-converse.
%abbrev multiset`intersection-associative-converse* = intersection-associative-converse*.
%abbrev multiset`intersection-assoc-commutative* = intersection-assoc-commutative*.
%abbrev multiset`intersection-assoc-commutative = intersection-assoc-commutative.
%abbrev multiset`intersection-double-associative* = intersection-double-associative*.
%abbrev multiset`intersection-double-associative = intersection-double-associative.
%abbrev multiset`intersection-implies-leq* = intersection-implies-leq*.
%abbrev multiset`intersection-implies-leq = intersection-implies-leq.
%abbrev multiset`intersection-is-glb = intersection-is-glb.
%abbrev multiset`intersection-idempotent = intersection-idempotent.
%abbrev multiset`leq-implies-intersection = leq-implies-intersection.
%abbrev multiset`intersection-left-preserves-leq* = intersection-left-preserves-leq*.
%abbrev multiset`intersection-right-preserves-leq* = intersection-right-preserves-leq*.
%abbrev multiset`intersection-right-distributes-over-union = intersection-right-distributes-over-union.
%abbrev multiset`intersection-right-distributes-over-union* = intersection-right-distributes-over-union*.
%abbrev multiset`intersection-left-distributes-over-union* = intersection-left-distributes-over-union*.
%abbrev multiset`intersection-left-distributes-over-union = intersection-left-distributes-over-union.
%abbrev multiset`intersection-right-factors-over-union* = intersection-right-factors-over-union*.
%abbrev multiset`intersection-left-factors-over-union* = intersection-left-factors-over-union*.
%% count / add (the two operations the HOAS mapping below actually uses)
%abbrev multiset`count = count.
%abbrev multiset`count/s = count/s.
%abbrev multiset`count/z = count/z.
%abbrev multiset`add = add.
%abbrev multiset`add/0 = add/0.
%abbrev multiset`add/+ = add/+.
%abbrev multiset`false-implies-count = false-implies-count.
%abbrev multiset`count-respects-eq = count-respects-eq.
%abbrev multiset`count-total** = count-total**.
%abbrev multiset`count-total* = count-total*.
%abbrev multiset`count-total = count-total.
%abbrev multiset`count-deterministic = count-deterministic.
%abbrev multiset`count-empty-is-zero = count-empty-is-zero.
%abbrev multiset`false-implies-add = false-implies-add.
%abbrev multiset`add-respects-eq = add-respects-eq.
%abbrev multiset`add-total* = add-total*.
%abbrev multiset`add-total = add-total.
%abbrev multiset`add-total/L = add-total/L.
%abbrev multiset`add-deterministic = add-deterministic.
%% Last of the qualified aliases for the multiset signature.
%abbrev multiset`add-commutes = add-commutes.
%abbrev multiset`add-commutes/L = add-commutes/L.
%abbrev multiset`count-add-implies-count = count-add-implies-count.
%abbrev multiset`add-preserves-count = add-preserves-count.
%abbrev multiset`add-preserves-count-converse = add-preserves-count-converse.
%abbrev multiset`shift-preserves-count-converse = shift-preserves-count-converse.
%abbrev multiset`shift-preserves-add-converse = shift-preserves-add-converse.
%abbrev multiset`union-right-distributes-over-intersection = union-right-distributes-over-intersection.
%abbrev multiset`union-right-distributes-over-intersection* = union-right-distributes-over-intersection*.
%abbrev multiset`union-left-distributes-over-intersection* = union-left-distributes-over-intersection*.
%abbrev multiset`union-left-distributes-over-intersection = union-left-distributes-over-intersection.
%abbrev multiset`union-right-factors-over-intersection = union-right-factors-over-intersection.
%abbrev multiset`union-right-factors-over-intersection* = union-right-factors-over-intersection*.
%abbrev multiset`union-left-factors-over-intersection = union-left-factors-over-intersection.
%abbrev multiset`union-left-factors-over-intersection* = union-left-factors-over-intersection*.
%abbrev multiset`multiset = multiset.
%abbrev multiset`multiset/0 = multiset/0.
%abbrev multiset`multiset/+ = multiset/+.
%abbrev multiset`member = member.
%abbrev multiset`false-implies-member = false-implies-member.
%abbrev multiset`not-member-member-implies-ne = not-member-member-implies-ne.
%abbrev multiset`in-implies-member = in-implies-member.
%abbrev multiset`member-respects-eq = member-respects-eq.

%{ == Definitions == }%

%{ === The syntax === }%

%{ Here we define multi-arity functions that are typed to avoid type
errors (hence, no higher-order functions in the syntax -- but see "rec",
which is the typed Y combinator).  This syntax is rather impoverished,
but it would be fairly easy to add "succ" and "ifzero" terms.  By "easy",
I mean the addition would cause no new technical issues.  It would still
change all the arithmetic parts of the proofs dramatically.  For this
reason, I would like to implement a tool that would generate such proofs
for any HOAS family of terms. }%

%% term N: a term whose index N is the number of `t` arguments it still
%% accepts (read off the types of app/lam: applying an index-(s N) term to a
%% `t` yields index N, abstracting a `t` variable over an index-N body yields
%% index (s N)).  `t` is the index-0 case.
term : nat -> type.
%abbrev t = term z.
%% literals exist only at index 0
lit : nat -> t.
%% application consumes one `t` argument, lowering the index by one
app : term (s N) -> t -> term N.
%% abstraction binds an index-0 (HOAS) variable and raises the index by one
lam : (t -> term N) -> term (s N).
%% typed fixpoint; the recursive variable has the same (non-zero) index as the body
rec : (term (s N) -> term (s N)) -> term (s N).

%% Context block used for theorems that need only a variable, no level.
%block blocksimple : some {n} block {v:term n}.

%{ === Equality === }%

%% Equality across (possibly different) indices; only the reflexive witness exists.
eq : term N1 -> term N2 -> type.
eq/ : eq T T.

%{ === Variable levels === }%

%{ As with the non-indexed case, a variable level is the (nonzero) natural
number for a variable.  But unlike before, 'varlevel' is now an abbreviation
for a more complex relation that permits adjustment of the index level. }%

%% varadjlevel V N' L: variable V carries level L relative to index N'.
%% Only its fixed-index specialisation `varlevel` is used in this file.
varadjlevel : term N -> nat -> nat -> type.
%% varlevel V L  :=  varadjlevel V N L   where N is V's own index
%abbrev varlevel : term N -> nat -> type = [T] [L] varadjlevel T N L.

%% Context block pairing each variable with exactly one level, and that level
%% is always a successor -- this is what makes varlevel-deterministic and
%% varlevel-contradiction (below) provable from the context alone.
%block blockvar : some {n} {l} block {v:term n} {vl:varlevel v (s l)}.

%{ === Mapping === }%

%{ The bijection from terms to nat is called "tonat".  There is a separate
mapping for each index, which makes sense because each index represents a
different type.  Unlike the non-indexed case, we need to handle an
unbounded number of different types of variables, so we can't just pass
one extra int, or even a fixed number of ints.  Instead we need to pass a
structure that represents an unbounded number of ints.  We use `multiset'
to represent this structure.  The elements of the multiset represent the
levels that came "before".

Another interesting aspect is that not all constructors for the indexed
type are available for all indices.  For instance `lit' is only for the
0-index and rec only for non-zero indices.  On the other hand, `app' can
occur for any index.  Since the mapping is separate for every index, and
the mapping must be one-to-one as well as onto, we must work carefully so
that every natural number is mapped onto exactly once.

Variables are handled (as before) by reserving the first VN spots for
variables, where (unlike before) VN depends on the index.  Ignoring
variables, `lit' takes the even numbers and `app' takes the odd numbers
for the 0-indexed terms.  For the nonzero-indexed terms, app takes the
odd numbers (of course) and lam and rec share the even numbers. }%

%% tonat* N MS T M: term T of index N maps to M, where MS is the multiset of
%% indices of all variables bound so far (so `count MS N VN` is the number
%% VN of index-N variables in scope).  Closed terms use the empty multiset.
tonat* : {N} multiset -> term N -> nat -> type.
%abbrev tonat = tonat* _ multiset/0.

%% variable of level L (1..VN) maps to M = VN - L, i.e. into 0..VN-1
tonat/var : count MS N VN -> varlevel V L -> plus M L VN -> tonat* N MS V M.

%% lit M  |->  VN + 2*M            (index 0 only; even offsets)
tonat/lit : count MS z VN -> times (s (s z)) M TM -> plus VN TM M' -> tonat* z MS (lit M) M'.

%% app T1 T2  |->  VN + 2*pair2nat(M1,M2) + 1   (odd offsets, any index);
%% both subterms are encoded in the same multiset MS.
tonat/app : count MS N VN -> tonat* _ MS T1 M1 -> tonat* _ MS T2 M2 -> natpair`pair2nat (natpair/ M1 M2) M -> times (s (s z)) M TM -> plus VN (s TM) M' -> tonat* N MS (app T1 T2) M'.

%% lam F  |->  VN + 4*M  (offsets = 0 mod 4), where M encodes the body under
%% MS' = MS + {z}; the bound index-0 variable gets level ZN+1 = (count of
%% index-0 variables so far) + 1.  VN here counts index-(s N) variables.
tonat/lam : count MS (s N) VN -> count MS z ZN -> multiset`add MS z MS' -> ({v:term z} (varlevel v (s ZN)) -> tonat* N MS' (F v) M) -> times (s (s (s (s z)))) M TM -> plus VN TM M' -> tonat* (s N) MS (lam F) M'.

%% rec F  |->  VN + 4*M + 2  (offsets = 2 mod 4); the recursive variable has
%% the term's own index (s N), so it gets level VN+1 and MS' = MS + {s N}.
tonat/rec : count MS (s N) VN -> multiset`add MS (s N) MS' -> ({f} (varlevel f (s VN)) -> tonat* (s N) MS' (F f) M) -> times (s (s (s (s z)))) M TM -> plus VN (s (s TM)) M' -> tonat* (s N) MS (rec F) M'.

%{ === Utility lemmas === }%

%{ The following theorems prove obvious simple things about the basic
relations.  They follow the conventions established in John Boyland's
library signatures. }%

%theorem false-implies-eq : forall* {N1} {N2} {T1:term N1} {T2:term N2} forall {F:void} exists {EQ:eq T1 T2} true.
%worlds (blocksimple) (false-implies-eq _ _).
%total { } (false-implies-eq _ _).

%theorem false-implies-varlevel : forall* {N} {V:term N} {L} forall {F:void} exists {VL:varlevel V L} true.
%worlds (blocksimple | blockvar) (false-implies-varlevel _ _).
%total { } (false-implies-varlevel _ _).

%% varlevel is invariant under nat equality of the level
%% (%worlds/%total follow on the next line of the file).
%theorem varlevel-respects-eq : forall* {N} {V:term N} {L1} {L2} forall {VL1:varlevel V L1} {E:nat`eq L1 L2} exists {VL2:varlevel V L2} true.
- : varlevel-respects-eq VL nat`eq/ VL.
%% %worlds/%total for varlevel-respects-eq (declared and proved just above).
%worlds (blocksimple | blockvar) (varlevel-respects-eq _ _ _).
%total { } (varlevel-respects-eq _ _ _).

%theorem false-implies-tonat : forall* {N} {MS} {T} {M} forall {F:void} exists {TN:tonat* N MS T M} true.
%worlds (blocksimple | blockvar) (false-implies-tonat _ _).
%total { } (false-implies-tonat _ _).

%% tonat* is invariant under equality of the multiset, the term and the result.
%theorem tonat-respects-eq : forall* {N1} {MS1} {T1} {M1} {N2} {MS2} {T2} {M2} forall {TN1:tonat* N1 MS1 T1 M1} {EM: multiset`eq MS1 MS2} {ET: eq T1 T2} {EN: nat`eq M1 M2} exists {TN2: tonat* N2 MS2 T2 M2} true.
- : tonat-respects-eq TN multiset`eq/ eq/ nat`eq/ TN.
%worlds (blocksimple | blockvar) (tonat-respects-eq _ _ _ _ _).
%total { } (tonat-respects-eq _ _ _ _ _).

%{ == Proof of totality of tonat == }%

%{ As with the non-indexed case, proving totality is surprisingly tricky.
The problem is that when we get to a variable, we need to make sure that
(1) the variable has a level associated with it and (2) the level is in
the range 1..VN where VN is the number of variables of this index that
have been seen in the context.  Twelf's blocks are useful for (1) but not
for (2) because there's no way to connect the context with the current
nesting level.

For this proof, I generalized/extended the "case" technique to handle
indexed variables.  The proof is almost the same.  The multisets add
extra parameters but the basic structure is the same. }%

%{ === Auxiliary definitions === }%

%{ ==== raw variables ==== }%

%{ A variable is raw if we haven't verified that it has a level in range.
Non-variables are not raw. }%

%% israw* N T B: B = true iff T is a variable not yet given a checked level.
%% There is no constructor for `true`; raw-ness of a variable is only ever
%% a hypothesis introduced by blockraw (below).
israw* : {N} term N -> bool -> type.
%abbrev israw = israw* _.
%abbrev rawvar = [T] israw T true.
israw/lit : israw (lit _) false.
israw/app : israw (app _ _) false.
israw/lam : israw (lam _) false.
israw/rec : israw (rec _) false.

%{ ==== case analysis ==== }%

%{ We do case analysis on terms with two cases for variables.  The raw case
is used only internally and can be ignored in "clients" that don't use
israw. }%

%% case* N MS T: T has been analysed under multiset MS of bound-variable
%% indices.  Its binder cases mirror tonat/lam and tonat/rec (same multiset
%% growth, same level assignment), so a case derivation is exactly what
%% tonat-total/L needs.  Constructors follow on the next line of the file.
case* : {N} multiset -> term N -> type.
- : case-total/L _ _ (case/app C1 C2) <- israw-total I1 <- case-total/L _ I1 C1 <- israw-total I2 <- case-total/L _ I2 C2. %{ lam and rec: the body is first cased with its bound variable still raw (under blockraw, which also supplies israw-total for it), then var-gets-level assigns that variable the level equal to the count MC' after the add, witnessed by nat`ge/= nat`eq/. }% - : case-total/L _ _ (case/lam MC MA ([f] [fl] (C' f fl))) <- multiset`count-total MC <- multiset`add-total MA <- ({v} {r:rawvar v} {i:israw-total r} israw-total (I v r i: israw _ B)) <- ({v} {r:rawvar v} {i:israw-total r} case-total/L _ (I v r i) (C v r i)) <- multiset`count-add-implies-count MC MA MC' <- var-gets-level C MC' (nat`ge/= nat`eq/) C'. - : case-total/L _ _ (case/rec MC MA ([f] [fl] (C' f fl))) <- multiset`count-total MC <- multiset`add-total MA <- ({v} {r:rawvar v} {i:israw-total r} israw-total (I v r i: israw _ B)) <- ({v} {r:rawvar v} {i:israw-total r} case-total/L _ (I v r i) (C v r i)) <- multiset`count-add-implies-count MC MA MC' <- var-gets-level C MC' (nat`ge/= nat`eq/) C'. - : case-total/L V R (case/raw R). %worlds (blockraw) (case-total/L _ _ _). %total T (case-total/L T _ _). - : case-total* T C <- israw-total I <- case-total/L T I C. %worlds () (case-total* _ _). %total { } (case-total* _ _). %{ === Main theorem === }% %{ We are ready now to prove totality of the relation. We case the term first and then have everything we need to push through totality. }% %{ tonat-total/L recurses over the case proof C; the arithmetic side conditions of each tonat constructor are discharged by the totality lemmas for count, times, plus and pair2nat. In the variable case the level bound GE is turned into the plus witness by ge-implies-plus. }% %theorem tonat-total* : forall* {N} forall {T:term N} exists {M:nat} {D:tonat T M} true. %abbrev tonat-total = tonat-total* _ _. %theorem tonat-total/L : forall* {N:nat} {T:term N} {MS} forall {C:case MS T} exists {M:nat} {D:tonat* N MS T M} true. - : tonat-total/L (case/var MC VL GE) _ (tonat/var MC VL P) <- ge-implies-plus GE _ P. - : tonat-total/L (case/lit) _ (tonat/lit MC T P) <- count-total MC <- times-total T <- plus-total P. - : tonat-total/L (case/app C1 C2) _ (tonat/app MC TN1 TN2 P2N T P) <- count-total MC <- tonat-total/L C1 _ TN1 <- tonat-total/L C2 _ TN2 <- pair2nat-total P2N <- times-total T <- plus-total P. 
- : tonat-total/L (case/lam MCz MSU ([v] [vl] (C v vl))) _ (tonat/lam MC MCz MSU ([v] [vl] (TN v vl)) T P) <- ({v} {vl:varlevel v (s N)} tonat-total/L (C v vl) _ (TN v vl)) <- count-total MC <- times-total T <- plus-total P. - : tonat-total/L (case/rec MC MA ([v] [vl] (C v vl))) _ (tonat/rec MC MA ([v] [vl] (TN v vl)) T P) <- ({v} {vl} tonat-total/L (C v vl) _ (TN v vl)) <- times-total T <- plus-total P. %worlds (blockvar) (tonat-total/L _ _ _). %total (C) (tonat-total/L C _ _). - : tonat-total TN <- case-total C <- tonat-total/L C _ TN. %worlds () (tonat-total* _ _ _). %total { } (tonat-total* _ _ _). %{ == Proof of the determinicity of the mapping == }% %{ As with the non-indexed case, this aspect is easy to prove. }% %{ === Auxiliary theorems === }% %{ We prove that variable levels are "unique" and that they are never zero. The proofs are trivial: Twelf can accept them from the context alone. }% %theorem varlevel-deterministic : forall* {N} {V:term N} {L1} {L2} forall {VL1:varlevel V L1} {VL2:varlevel V L2} exists {E:nat`eq L1 L2} true. - : varlevel-deterministic _ _ nat`eq/. %worlds (blockvar) (varlevel-deterministic _ _ _). %total { } (varlevel-deterministic _ _ _). %{ No clauses: totality rests on blockvar (declared earlier in the file) binding every variable at a successor level, so nothing can match nat`eq L z. Check the block declaration if this theorem ever stops checking. }% %theorem varlevel-contradiction : forall* {N} {V:term N} {L} forall {VL:varlevel V L} {E:nat`eq L z} exists {F:void} true. %worlds (blockvar) (varlevel-contradiction _ _ _). %total { } (varlevel-contradiction _ _ _). %{ === Main Theorem === }% %{ tonat-deterministic: equal terms (eq T1 T2) map to equal numbers. The lemma tonat-deterministic/L generalises over the multiset, requiring only multiset`eq MS1 MS2, and is proved by induction on the second derivation. }% %theorem tonat-deterministic : forall* {N1} {N2} {T1:term N1} {T2:term N2} {M1} {M2} forall {TN1:tonat T1 M1} {TN2:tonat T2 M2} {E: eq T1 T2} exists {E: nat`eq M1 M2} true. %theorem tonat-deterministic/L : forall* {N} {T:term N} {MS1} {MS2} {M1} {M2} forall {TN1:tonat* N MS1 T M1} {TN2:tonat* N MS2 T M2} {E: multiset`eq MS1 MS2} exists {E: nat`eq M1 M2} true. 
%{ Leaf and application cases: determinism of count, varlevel, times, plus and pair2nat is chained through the arithmetic of each constructor; plus-right-cancels recovers the equality of the results in the variable case. }% - : tonat-deterministic/L (tonat/var MC1 VL1 P1) (tonat/var MC2 VL2 P2) _ N1=N2 <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ C1=C2 <- varlevel-deterministic VL1 VL2 L1=L2 <- plus-right-cancels P1 P2 L1=L2 C1=C2 N1=N2. - : tonat-deterministic/L (tonat/lit MC1 T1 P1) (tonat/lit MC2 T2 P2) _ M1'=M2' <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ C1=C2 <- times-deterministic T1 T2 nat`eq/ nat`eq/ TM1=TM2 <- plus-deterministic P1 P2 C1=C2 TM1=TM2 M1'=M2'. - : tonat-deterministic/L (tonat/app MC1 TN1a TN1b P2N1 T1 P1) (tonat/app MC2 TN2a TN2b P2N2 T2 P2) MSE M1'=M2' <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ C1=C2 <- tonat-deterministic/L TN1a TN2a MSE M1a=M2a <- tonat-deterministic/L TN1b TN2b MSE M1b=M2b <- natpair`pair-preserves-eq M1a=M2a M1b=M2b P1=P2 <- pair2nat-deterministic P2N1 P2N2 P1=P2 M1=M2 <- times-deterministic T1 T2 nat`eq/ M1=M2 TM1=TM2 <- succ-deterministic TM1=TM2 TM1+1=TM2+1 <- plus-deterministic P1 P2 C1=C2 TM1+1=TM2+1 M1'=M2'. %{ Transports a binder body bound at level (s M1) to level (s M2) given nat`eq M1 M2; the only clause matches nat`eq/, so both levels are literally the same and the body is returned unchanged. Needed so that the two binder bodies below can be compared under one shared varlevel assumption. }% %theorem tonat-deterministic/L2 : forall* {N1} {N2} {M1} {M2} {MS} {F:term N1 -> term N2} {M} forall {F1:{f:term N1} {fl:varlevel f (s M1)} tonat* N2 MS (F f) M} {ME: nat`eq M1 M2} exists {F2:{f:term N1} {fl:varlevel f (s M2)} tonat* N2 MS (F f) M} true. - : tonat-deterministic/L2 F nat`eq/ F. %worlds (blockvar) (tonat-deterministic/L2 _ _ _). %total { } (tonat-deterministic/L2 _ _ _). - : tonat-deterministic/L (tonat/lam MC1 MCz1 MA1 ([v] [vl] (TN1 v vl)) T1 P1) (tonat/lam MC2 MCz2 MA2 ([v] [vl] (TN2 v vl)) T2 P2) MS1=MS2 M1'=M2' <- multiset`count-deterministic MC1 MC2 MS1=MS2 nat`eq/ VN1=VN2 <- multiset`count-deterministic MCz1 MCz2 MS1=MS2 nat`eq/ ZN1=ZN2 <- multiset`add-deterministic MA1 MA2 MS1=MS2 nat`eq/ MS1'=MS2' <- tonat-deterministic/L2 TN1 ZN1=ZN2 TN1' <- ({v} {vl:varlevel v (s ZN2)} tonat-deterministic/L (TN1' v vl) (TN2 v vl) MS1'=MS2' M1=M2) <- times-deterministic T1 T2 nat`eq/ M1=M2 TM1=TM2 <- plus-deterministic P1 P2 VN1=VN2 TM1=TM2 M1'=M2'. 
- : tonat-deterministic/L (tonat/rec MC1 MA1 ([f] [fl] (TN1 f fl)) T1 P1) (tonat/rec MC2 MA2 ([f] [fl] (TN2 f fl)) T2 P2) MS1=MS2 M1'=M2' <- multiset`count-deterministic MC1 MC2 MS1=MS2 nat`eq/ FN1=FN2 <- multiset`add-deterministic MA1 MA2 MS1=MS2 nat`eq/ MS1'=MS2' <- tonat-deterministic/L2 TN1 FN1=FN2 TN1' <- ({f} {fl:varlevel f (s N)} tonat-deterministic/L (TN1' f fl) (TN2 f fl) MS1'=MS2' M1=M2) <- times-deterministic T1 T2 nat`eq/ M1=M2 TM1=TM2 <- succ-deterministic TM1=TM2 TM1'=TM2' <- succ-deterministic TM1'=TM2' TM1''=TM2'' <- plus-deterministic P1 P2 FN1=FN2 TM1''=TM2'' M1'=M2'. %worlds (blockvar) (tonat-deterministic/L _ _ _ _). %total (T) (tonat-deterministic/L _ T _ _). - : tonat-deterministic TN1 TN2 eq/ N1=N2 <- tonat-deterministic/L TN1 TN2 multiset`eq/ N1=N2. %worlds () (tonat-deterministic _ _ _ _). %total { } (tonat-deterministic _ _ _ _). %{ == Proving that the mapping is onto. == }% %{ Again, this aspect has the same structure as with non-indexed terms. }% %{ === Auxiliary definitions === }% %{ We define a relation that builds on the context relation. In the non-indexed case, it took a nat, here it takes the multiset representing the levels of variables in the context. }% %{ upto/+ extends a context that is "up to" MS with one variable V of index N whose level is one more than the current count FN of N in MS, and records the add into MS'. }% upto : multiset -> type. upto/0 : upto multiset/0. upto/+ : upto MS -> multiset`count MS N FN -> varlevel (V:term N) (s FN) -> multiset`add MS N MS' -> upto MS'. %{ === Lemmas about regular definitions === }% %{ Every index has a term; induction is on the index N (see the %total), with lit z serving as the base case and lam as the step. The precise index typing of lit and lam is given where the term type is declared, earlier in the file. }% %theorem term-inhabited : forall {N} exists {T:term N} true. - : term-inhabited _ (lit z). - : term-inhabited _ (lam ([x] T)) <- term-inhabited _ T. %worlds (blockvar) (term-inhabited _ _). %total (N) (term-inhabited N _). %{ === Theorems about auxiliary definitions === }% %{ The obvious lemma that makes use of the main purpose of the relation: that a variable is always available. Given an upto context for MS and a count FN of index N that strictly exceeds L, some variable of index N carries level (s L). }% %theorem upto-implies-varlevel : forall* {MS} {N} {L} {FN} forall {U:upto MS} {MC:multiset`count MS N FN} {LT:nat`gt FN L} exists {V:term N} {VL:varlevel V (s L)} true. 
%{ Base case: the empty multiset has count zero for every index, so the hypothesis nat`gt FN L is contradictory; term-inhabited supplies the required term and the varlevel follows from void. }% - : upto-implies-varlevel upto/0 MC FN>L T FL <- count-empty-is-zero MC FN=0 <- nat`gt-respects-eq FN>L FN=0 nat`eq/ ZERO>L <- term-inhabited _ T <- nat`gt-contradiction ZERO>L F <- false-implies-varlevel F FL. %{ Step case, split on whether the index N1 of the most recently added variable equals the requested index N2. If so and the requested level is exactly the top one (gt/1), that variable is the answer; if so but a lower level is requested (gt/>), or if the indices differ, the request is passed to the remaining context after adjusting the count across the add. }% %theorem upto-implies-varlevel/L : forall* {MS1} {N1} {L} {FN1} {MS2} {N2} {FN2} {V1:term N1} {B} forall {U: upto MS1} {MC1: multiset`count MS1 N1 FN1} {FL1: varlevel V1 (s FN1)} {MA: multiset`add MS1 N1 MS2} {MC2: multiset`count MS2 N2 FN2} {LT:nat`gt FN2 L} {EQ?: nat`eq? N1 N2 B} exists {V:term N2} {VL:varlevel V (s L)} true. - : upto-implies-varlevel/L _ MC1 FL1 MA MC2 (gt/1) nat`eq?/yes _ FL2 <- count-add-implies-count MC1 MA MC2' <- count-deterministic MC2' MC2 multiset`eq/ nat`eq/ FN1+1=FN2+1 <- varlevel-respects-eq FL1 FN1+1=FN2+1 FL2. - : upto-implies-varlevel/L U MC1 FL1 MA MC2 (gt/> FN2>L) nat`eq?/yes _ FL2 <- count-add-implies-count MC1 MA MC2' <- count-deterministic MC2 MC2' multiset`eq/ nat`eq/ FN2+1=FN1+1 <- succ-cancels FN2+1=FN1+1 FN2=FN1 <- gt-respects-eq FN2>L FN2=FN1 nat`eq/ FN1>L <- upto-implies-varlevel U MC1 FN1>L _ FL2. - : upto-implies-varlevel/L U _ _ MA MC2 GT (nat`eq?/no N1<>N2) _ FL <- nat`ne-symmetric N1<>N2 N2<>N1 <- add-preserves-count-converse MC2 MA N2<>N1 MC1 <- upto-implies-varlevel U MC1 GT _ FL. - : upto-implies-varlevel (upto/+ U MC1 FL1 MA) MC2 GT _ FL <- nat`eq?-total EQ? <- upto-implies-varlevel/L U MC1 FL1 MA MC2 GT EQ? _ FL. %worlds (blockvar) (upto-implies-varlevel/L _ _ _ _ _ _ _ _ _) (upto-implies-varlevel _ _ _ _ _). %total (U V) (upto-implies-varlevel U _ _ _ _) (upto-implies-varlevel/L V _ _ _ _ _ _ _ _). %{ === Main theorem === }% %{ We prove the main result using two lemmas that do the case analysis on the number against the nesting level and the parity. (In general, one would use a divisor counting all cases that are recursive.) The proofs are long but simply arithmetic manipulation. Proving termination uses meta-gt for strong induction over the natural numbers. 
}% %{ tonat-onto/L0 compares the count VN of the index with the target number M. A strictly greater count means M denotes a variable, obtained from the context by upto-implies-varlevel; otherwise the excess TM with VN + TM = M is split by its remainder modulo 2 in tonat-onto/L1. }% %theorem tonat-onto* : forall* {N} forall {M:nat} exists {T:term N} {TN:tonat T M} true. %abbrev tonat-onto = tonat-onto* _ _. %theorem tonat-onto/L : forall* {N} {MS:multiset} forall {U:upto MS} {M:nat} exists {T:term N} {TN:tonat* _ MS T M} true. %theorem tonat-onto/L0 : forall* {N} {MS:multiset} {VN} {C} forall {U:upto MS} {M:nat} {MC:count MS N VN} {CMP:nat`compare VN M C} exists {T} {TN:tonat* N MS T M} true. - : tonat-onto/L U M _ TN <- multiset`count-total MC <- nat`compare-total CMP <- tonat-onto/L0 U M MC CMP _ TN. - : tonat-onto/L0 U M MC (compare/> VN>M) _ (tonat/var MC VL M+L+1=VN) <- nat`gt-implies-plus VN>M L L+1+M=VN <- plus-commutative L+1+M=VN M+L+1=VN <- plus-implies-ge M+L+1=VN VN>=L+1 <- ge-succ-implies-gt VN>=L+1 VN>L <- upto-implies-varlevel U MC VN>L _ VL. %{ tonat-onto/L1 receives P : VN + TM = M together with the quotient Q and remainder R of TM divided by 2; a remainder of 2 or more is impossible (divrem-contradiction). }% %theorem tonat-onto/L1 : forall* {TM} {MS} {N} {VN} forall {UF:upto MS} {M:nat} {MC:count MS N VN} {P:plus VN TM M} {Q} {R} {DR:divrem TM (s (s z)) Q R} exists {T} {TN:tonat* N MS T M} true. - : tonat-onto/L0 U M MC (compare/=) _ TN <- plus-right-identity _ P <- divrem-total M/2=Q,R <- tonat-onto/L1 U M MC P Q R M/2=Q,R _ TN. - : tonat-onto/L0 U M MC (compare/< M>VN) _ TN <- gt-implies-plus M>VN _ Pc <- plus-commutative Pc P <- divrem-total M/2=Q,R <- tonat-onto/L1 U M MC P Q R M/2=Q,R _ TN. - : tonat-onto/L1 _ _ _ _ _ (s (s _)) DR T TN <- divrem-contradiction DR (plus/s (plus/s plus/z)) F <- term-inhabited _ T <- false-implies-tonat F TN. 
%{ Remainder 1: TM' = 2*M + 1 encodes an application. M is split into the pair (M1, M2) by nat2pair, and the chain of inequalities establishes M' > M1 and M' > M2 so that meta-gt justifies the two recursive calls to tonat-onto/L on strictly smaller numbers. }% - : tonat-onto/L1 U M' MC VN+TM'=M' M (s z) TM'/2=M,1 _ (tonat/app MC TN1 TN2 P2N TWO*M=TM VN+TM+1=M') <- plus-implies-ge VN+TM'=M' M'>=TM' <- divrem-can-be-inverted TM'/2=M,1 TM M*2=TM TM+ONE=TM' <- times-commutative M*2=TM TWO*M=TM <- plus-commutative (plus/s plus/z) TM+ONE=TM+1 <- plus-deterministic TM+ONE=TM' TM+ONE=TM+1 nat`eq/ nat`eq/ TM'=TM+1 <- plus-respects-eq VN+TM'=M' nat`eq/ TM'=TM+1 nat`eq/ VN+TM+1=M' <- nat2pair-total P2N <- quotient-of-nonzero-is-smaller TM'/2=M,1 TM'=TM+1 TM'>M <- nat`ge-transitive-gt M'>=TM' TM'>M M'>M <- nat2pair-implies-ge P2N M>=M1 M>=M2 <- nat`gt-transitive-ge M'>M M>=M1 M'>M1 <- nat`gt-transitive-ge M'>M M>=M2 M'>M2 <- meta-gt _ _ M'>M1 <- meta-gt _ _ M'>M2 <- tonat-onto/L U M1 _ TN1 <- tonat-onto/L U M2 _ TN2. %{ Remainder 0, literal: TM = 2*M encodes lit M. NOTE(review): the other remainder-0 clause (below, via tonat-onto/L2) is stated at index (s N); the two are therefore distinguished by the index of the term, which depends on the typing of lit declared earlier in the file - confirm. }% - : tonat-onto/L1 _ M' MC VN+TM=M' M z TM/2=M _ (tonat/lit MC TWO*M=TM VN+TM=M') <- div-can-be-inverted TM/2=M M*2=TM <- times-commutative M*2=TM TWO*M=TM. %{ tonat-onto/L2 handles even TM at index (s N): the quotient Q2 = TM/2 is divided by 2 once more, and its remainder R picks lam (R = 0) or rec (R = 1). }% %theorem tonat-onto/L2 : forall* {TM} {MS} {N} {VN} {Q2} forall {U:upto MS} {M:nat} {MC:count MS (s N) VN} {P:plus VN TM M} {DR:divrem TM (s (s z)) Q2 z} {Q4} {R} {DR:divrem Q2 (s (s z)) Q4 R} exists {T} {TN:tonat* (s N) MS T M} true. - : tonat-onto/L1 U M' MC VN+FM=M' TM z FM/2=TM _ TN <- divrem-total TM/2=Q,R <- tonat-onto/L2 U M' MC VN+FM=M' FM/2=TM Q R TM/2=Q,R _ TN. %{ Named proof term for 2 * 2 = 4, used by times-associative* below. }% %abbrev 2*2=4 = (times/s (times/s times/z plus/z) (plus/s (plus/s plus/z))). - : tonat-onto/L2 _ _ _ _ _ _ (s (s _)) DR T TN <- divrem-contradiction DR (plus/s (plus/s plus/z)) F <- term-inhabited _ T <- false-implies-tonat F TN. 
%{ Remainder 1 at the second division: FM' = 4*M + 2 encodes rec. The arithmetic rewrites VN + FM' = M' into VN + 2 + FM = M', shows M' > M, and then builds the body under the extended context upto/+ at the strictly smaller number M. }% - : tonat-onto/L2 U M' MC VN+FM'=M' FM'/2=TM' M (s z) TM'/2=M,1 _ (tonat/rec MC MA ([f] [fl] (TN f fl)) FOUR*M=FM VN+FM+2=M') <- divrem-can-be-inverted TM'/2=M,1 TM M*2=TM TM+ONE=TM' <- div-can-be-inverted FM'/2=TM' TM'*2=FM' <- times-total* TM (s (s z)) FM TM*2=FM <- times-right-distributes-over-plus* TM+ONE=TM' TM'*2=FM' TM*2=FM (times/s times/z plus/z) FM+TWO=FM' <- times-associative* M*2=TM TM*2=FM 2*2=4 M*4=FM <- times-commutative M*4=FM FOUR*M=FM <- plus-commutative (plus/s (plus/s plus/z)) FM+TWO=FM+2 <- plus-deterministic FM+TWO=FM' FM+TWO=FM+2 nat`eq/ nat`eq/ FM'=FM+2 <- plus-respects-eq VN+FM'=M' nat`eq/ FM'=FM+2 nat`eq/ VN+FM+2=M' <- plus-swap-succ-converse VN+FM+2=M' VN+1+FM+1=M' <- plus-swap-succ-converse VN+1+FM+1=M' VN+2+FM=M' <- multiset`add-total MA <- plus-implies-gt VN+2+FM=M' nat`eq/ M'>FM <- times-nonzero-implies-ge M*4=FM FM>=M <- nat`gt-transitive-ge M'>FM FM>=M M'>M <- meta-gt _ _ M'>M <- ({f} {fl} tonat-onto/L (upto/+ U MC fs MA) M _ (TN f fl)). %{ 0 needs a special case for termination: the recursive calls in tonat-onto/L1 and tonat-onto/L2 require a strictly smaller number, which does not exist below zero, so tonat-onto/0 instead proceeds by induction on the index N. With count z the number 0 is lit (at the base index) or lam over the zero term at the smaller index; with a nonzero count it is the variable of top level (gt/1). }% %theorem tonat-onto/0 : forall* {MS} forall {N} {U:upto MS} {VN} {MC:count MS N VN} exists {T} {TN:tonat* N MS T z} true. %{ Named proof terms for 2 * 0 = 0 and 4 * 0 = 0. }% %abbrev 2*0=0 = (times/s (times/s times/z plus/z) plus/z). %abbrev 4*0=0 = (times/s (times/s 2*0=0 plus/z) plus/z). - : tonat-onto/0 _ U z MC _ (tonat/lit MC 2*0=0 plus/z). - : tonat-onto/0 _ U z MC _ (tonat/lam MC MCz MA TN 4*0=0 plus/z) <- multiset`count-total MCz <- multiset`add-total MA <- multiset`count-total MC' <- ({v} {vl} (tonat-onto/0 _ (upto/+ U MCz vl MA) _ MC' _ (TN v vl))). - : tonat-onto/0 N U (s VN-1) MC _ (tonat/var MC VL plus/z) <- upto-implies-varlevel U MC gt/1 _ VL. %worlds (blockvar) (tonat-onto/0 _ _ _ _ _ _). %total (N) (tonat-onto/0 N _ _ _ _ _). - : tonat-onto/L2 U z MC _ _ _ _ _ _ TN <- tonat-onto/0 _ U _ MC _ TN. %{ Arithmetic helper for the lam case: from XM = M * (2 + X) and Y + XM = s Z, conclude s Z > M. }% %theorem tonat-onto/L2/L : forall* {M} {X} {Y} {Z} {XM} forall {T:times M (s (s X)) XM} {P:plus Y XM (s Z)} exists {G:gt (s Z) M} true. 
- : tonat-onto/L2/L M*2=XM plus/z XM>M <- div-can-be-constructed M*2=XM XM/2=M <- quotient-of-nonzero-is-smaller XM/2=M nat`eq/ XM>M. - : tonat-onto/L2/L M*2=XM Y+XM=X' X'>M <- plus-implies-gt Y+XM=X' nat`eq/ X'>MX <- times-nonzero-implies-ge M*2=XM XM>=M <- nat`gt-transitive-ge X'>MX XM>=M X'>M. %worlds () (tonat-onto/L2/L _ _ _). %total { } (tonat-onto/L2/L _ _ _). %{ Remainder 0 at the second division with a nonzero target (s X): FM = 4*M encodes lam; tonat-onto/L2/L gives (s X) > M for meta-gt, and the body is built under the extended context. }% - : tonat-onto/L2 U (s X) MC VN+FM=M' FM/2=TM M z TM/2=M _ (tonat/lam MC MCz MA TN FOUR*M=FM VN+FM=M') <- div-can-be-inverted TM/2=M M*2=TM <- div-can-be-inverted FM/2=TM TM*2=FM <- times-associative* M*2=TM TM*2=FM 2*2=4 M*4=FM <- times-commutative M*4=FM FOUR*M=FM <- multiset`count-total MCz <- multiset`add-total MA <- tonat-onto/L2/L M*4=FM VN+FM=M' M'>M <- meta-gt (s X) M M'>M <- ({v} {vl} tonat-onto/L (upto/+ U MCz vl MA) _ _ (TN v vl)). %worlds (blockvar) (tonat-onto/L2 _ _ _ _ _ _ _ _ _ _) (tonat-onto/L1 _ _ _ _ _ _ _ _ _) (tonat-onto/L0 _ _ _ _ _ _) (tonat-onto/L _ _ _ _). %total (M2 M1 M0 M) (tonat-onto/L2 _ M2 _ _ _ _ _ _ _ _) (tonat-onto/L1 _ M1 _ _ _ _ _ _ _) (tonat-onto/L0 _ M0 _ _ _ _) (tonat-onto/L _ M _ _). %{ == Proof that mapping is "one to one" == }% %{ As with the simple HOAS syntax, this is the hardest of the four theorems to prove. As before, the basic structure is the same: we first show that the terms that result in the same number must be identical except that two variables may be equal just by having the same level. As before we then 'chip' away at variables with low levels and shift the others down. We need to work at low levels because contexts cannot be parameterized by an 'N' and must be absolute. The additional problem with indexed terms is that the first variable we encounter may be of a higher index than zero. In any case, there can be level 1 variables inside that have a different index than the one we are removing. So the context cannot simply assert that all variables will have level 2 or higher, as we did in the non-indexed case. 
The basic idea is that we handle one index level at a time. But again because Twelf contexts cannot be parameterized, we need to shift index levels down too. Of course, we cannot actually change index values. Instead, we keep an index-adjustment. Then a variable of index type (term N) has two parts to its level M L, where M+A=N and L is the original level. The multiset that keeps track of the next level is similarly shifted. We then do a shift such as we had for non-indexed terms while removing all variables of adjusted index zero (M = z). Then when these are all removed, we can adjust the indices one more step until there are no more variables of any index needing levels. }% %{ === Auxiliary definitions === }% %{ In this section, we use the full generality of varadjlevel because we need to recurse in two different directions: the original var level and the term level. }% %block blockvaradj : some {m} {n} {l} block {v:term n} {vl:varadjlevel v m (s l)}. %{ ==== Equality (permitting variables with the same level). ==== }% %{ Some variables are bound with levels, others are not given levels. We do this in order to gradually squeeze out those that need levels. The lam1 and rec1 cases use variables that don't need levels, whereas the lam2, rec2 cases handle variables that still need levels. We also take a natural number A that indicates the minimum term level that will be used. Notice that lam2 is only legal while A is still zero. In eql/var both variables must carry the same adjusted index M (with A + M = N) and the same level L; this is the only constructor that relates two syntactically different terms. }% eql* : {N} {A:nat} multiset -> term N -> term N -> type. %abbrev eql = eql* _. eql/eq : eq T1 T2 -> eql A MS T1 T2. eql/app : eql A MS F1 F2 -> eql A MS A1 A2 -> eql A MS (app F1 A1) (app F2 A2). eql/lam1 : ({v} (eql A MS (F1 v) (F2 v))) -> eql A MS (lam F1) (lam F2). eql/lam2 : count MS z VN -> add MS z MS' -> ({v} {vl: varadjlevel v z (s VN)} eql z MS' (F1 v) (F2 v)) -> eql z MS (lam F1) (lam F2). eql/rec1 : ({v} (eql A MS (F1 v) (F2 v))) -> eql A MS (rec F1) (rec F2). 
eql/rec2 : plus A M (s N) -> count MS M VN -> add MS M MS' -> ({v} {vl:varadjlevel v M (s VN)} eql A MS' (F1 v) (F2 v)) -> eql A MS (rec F1) (rec F2). eql/var : plus A M N -> varadjlevel V1 M L -> varadjlevel V2 M L -> eql* N A MS V1 V2. %{ ==== Measure of eql sizes. ==== }% %{ We use this measure to be able to prove termination. We need eqlsize/var = eqlsize/eq, eqlsize/lam1 = eqlsize/lam2. (Less than is ok in each case but would require that we rephrase the lemmas.) We have three measures: N B M. - N is the height of the term - B is the minimum of any M for a varlevel (or (s z)) - M is greater than the M for any varlevel used. The first measure is used to ensure that regular recursion through the tree terminates. We don't use normal structure recursion because every time we change variable levels, the tree changes. The second measure is not used for termination, but when non-zero means there are no variables that need adjusted index zero. Once this is the case, we can adjust all levels down one notch. The third measure is used to ensure that chipping away at indices eventually terminates: M is the maximum adjusted index used. Once M drops to zero, it means no variables need levels for equality and we can convert to an 'eq' proof easily. }% %{ NOTE(review): the implicit arguments below are written (eql* A N MS T1 T2), i.e. the names A and N appear in the opposite order from the declaration of eql*. They are only metavariable names, so this is harmless, but in this declaration A stands for the index and N for the adjustment. In the rules, lam2 forces B to z and raises M to at least (s z); rec2 at adjusted index M takes B2 = min M B1 and M2 = max (s M) M1; the leaves eq and var both measure z (s z) z. }% eqlsize : (eql* A N MS T1 T2) -> nat -> nat -> nat -> type. eqlsize/eq : eqlsize (eql/eq _) z (s z) z. eqlsize/app : eqlsize E1 N1 B1 M1 -> eqlsize E2 N2 B2 M2 -> nat`max N1 N2 N -> nat`min B1 B2 B -> nat`max M1 M2 M -> eqlsize (eql/app E1 E2) (s N) B M. eqlsize/lam1 : ({v} eqlsize (E v) N B M) -> eqlsize (eql/lam1 E) (s N) B M. eqlsize/lam2 : ({v} {vl} eqlsize (E v vl) N B M) -> nat`max (s z) M M' -> eqlsize (eql/lam2 _ _ E) (s N) z M'. eqlsize/rec1 : ({v} eqlsize (E v) N B M) -> eqlsize (eql/rec1 E) (s N) B M. eqlsize/rec2 : ({v} {vl:varadjlevel v M _} eqlsize (E v vl) N B1 M1) -> nat`min M B1 B2 -> nat`max (s M) M1 M2 -> eqlsize (eql/rec2 _ _ _ E) (s N) B2 M2. eqlsize/var : eqlsize (eql/var _ _ _) z (s z) z. 
%{ ==== Copied definitions ==== }% %{ As with the non-indexed case, we need to use an alternate form for levels as we shift them down or adjust them down. (Remember there are two dimensions to a level!) The primed families below mirror eql*, eqlsize and varadjlevel constructor for constructor, with varadjlevel' in place of varadjlevel; any change to the originals must be repeated here, since the shift and adjust lemmas translate between the two. }% varadjlevel' : term N -> nat -> nat -> type. eql*' : {N} {A:nat} multiset -> term N -> term N -> type. %abbrev eql' = eql*' _. eql'/eq : eq T1 T2 -> eql' A MS T1 T2. eql'/app : eql' A MS F1 F2 -> eql' A MS A1 A2 -> eql' A MS (app F1 A1) (app F2 A2). eql'/lam1 : ({v} (eql' A MS (F1 v) (F2 v))) -> eql' A MS (lam F1) (lam F2). eql'/lam2 : count MS z VN -> add MS z MS' -> ({v} {vl: varadjlevel' v z (s VN)} eql' z MS' (F1 v) (F2 v)) -> eql' z MS (lam F1) (lam F2). eql'/rec1 : ({v} (eql' A MS (F1 v) (F2 v))) -> eql' A MS (rec F1) (rec F2). eql'/rec2 : plus A M (s N) -> count MS M VN -> add MS M MS' -> ({v} {vl:varadjlevel' v M (s VN)} eql' A MS' (F1 v) (F2 v)) -> eql' A MS (rec F1) (rec F2). eql'/var : plus A M N -> varadjlevel' V1 M L -> varadjlevel' V2 M L -> eql*' N A MS V1 V2. eqlsize' : (eql*' A N MS T1 T2) -> nat -> nat -> nat -> type. eqlsize'/eq : eqlsize' (eql'/eq _) z (s z) z. eqlsize'/app : eqlsize' E1 N1 B1 M1 -> eqlsize' E2 N2 B2 M2 -> nat`max N1 N2 N -> nat`min B1 B2 B -> nat`max M1 M2 M -> eqlsize' (eql'/app E1 E2) (s N) B M. eqlsize'/lam1 : ({v} eqlsize' (E v) N B M) -> eqlsize' (eql'/lam1 E) (s N) B M. eqlsize'/lam2 : ({v} {vl} eqlsize' (E v vl) N B M1) -> nat`max (s z) M1 M2 -> eqlsize' (eql'/lam2 _ _ E) (s N) z M2. eqlsize'/rec1 : ({v} eqlsize' (E v) N B M) -> eqlsize' (eql'/rec1 E) (s N) B M. eqlsize'/rec2 : ({v} {vl:varadjlevel' v M _} eqlsize' (E v vl) N B1 M1) -> nat`min M B1 B2 -> nat`max (s M) M1 M2 -> eqlsize' (eql'/rec2 _ _ _ E) (s N) B2 M2. eqlsize'/var : eqlsize' (eql'/var _ _ _) z (s z) z. %{ === Theorems about auxiliary definitions === }% %{ Some of the lemmas that would normally belong here are proved later when we have more blocks available. 
}% %{ Ex falso lemmas for eql* and eqlsize; they have no clauses and hold because void is empty. }% %theorem false-implies-eql : forall* {MS} {N} {A} {T1} {T2} forall {F:void} exists {E:eql* N A MS T1 T2} true. %worlds (blocksimple | blockvaradj) (false-implies-eql _ _). %total { } (false-implies-eql _ _). %theorem false-implies-eqlsize : forall* {N} {A} {MS} {T1} {T2} {S} {B} {M} {E:eql* N A MS T1 T2} forall {F:void} exists {ES1:eqlsize E S B M} true. %worlds (blocksimple | blockvaradj) (false-implies-eqlsize _ _). %total { } (false-implies-eqlsize _ _). %{ Every eql proof has a size: structural recursion on E, with the max/min side conditions discharged by the nat library's totality lemmas. }% %theorem eqlsize-total* : forall* {N} {A} {MS} {T1} {T2} forall {E:eql* N A MS T1 T2} exists {S} {M} {B} {ES:eqlsize E S B M} true. %abbrev eqlsize-total = eqlsize-total* _ _ _ _. - : eqlsize-total eqlsize/eq. - : eqlsize-total (eqlsize/app S1 S2 M B M2) <- eqlsize-total S1 <- eqlsize-total S2 <- nat`max-total M <- nat`min-total B <- nat`max-total M2. - : eqlsize-total (eqlsize/lam1 F) <- ({v} eqlsize-total (F v)). - : eqlsize-total (eqlsize/lam2 F M) <- ({v} {vl} (eqlsize-total (F v vl))) <- nat`max-total M. - : eqlsize-total (eqlsize/rec1 F) <- ({v} eqlsize-total (F v)). - : eqlsize-total (eqlsize/rec2 F MN M) <- ({v} {vl} (eqlsize-total (F v vl))) <- nat`min-total MN <- nat`max-total M. - : eqlsize-total eqlsize/var. %worlds (blocksimple | blockvaradj) (eqlsize-total* _ _ _ _ _). %total (E) (eqlsize-total* E _ _ _ _). %{ === Shifting varlevels down === }% %{ Now as with the non-indexed case, we shift variable levels down. As before, we need to use the alternate definitions. The astute reader will notice that we don't have a block that just handles nonzero (adjusted) index variables being shifted over. Instead we handle a double context "noshift" that handles both directions. That's because when these lemmas are used to shift levels down, the outer context may have non-zero (adjusted) index that will need to handle being shifted in both directions. }% %{ A variable of adjusted index z at level (s (s L)) shifts down to the primed level (s L); the proof is supplied by the context (block shiftdown). }% %theorem varlevel-zero-shifts-down : forall* {N} {V:term N} {L} forall {VL:varadjlevel V z (s (s L))} exists {VL':varadjlevel' V z (s L)} true. 
%{ A variable of nonzero adjusted index keeps its level when moved to the primed family, and any primed level can be moved back; all three theorems are closed purely by block assumptions. }% %theorem varlevel-nonzero-shifts-over : forall* {N} {V:term N} {M} {L} forall {VL:varadjlevel V (s M) (s L)} exists {VL':varadjlevel' V (s M) (s L)} true. %theorem varlevel-shifts-back : forall* {N} {V:term N} {M} {L} forall {VL':varadjlevel' V M (s L)} exists {VL:varadjlevel V M (s L)} true. %{ Blocks: shiftdown pairs an index-z variable at level (s (s l)) with its primed level (s l) plus the shift proof; noshift pairs a nonzero-index variable with the same primed level and carries proofs in both directions; shiftback only carries the primed-to-unprimed proof. }% %block shiftdown : some {l} {n} block {v:term n} {vl:varadjlevel v z (s (s l))} {vl':varadjlevel' v z (s l)} {vsd:varlevel-zero-shifts-down vl vl'}. %block noshift : some {l} {m} {n} block {v:term n} {vl:varadjlevel v (s m) (s l)} {vl':varadjlevel' v (s m) (s l)} {vsd:varlevel-nonzero-shifts-over vl vl'} {vsd:varlevel-shifts-back vl' vl}. %block shiftback : some {n} {m} {l} block {v:term n} {vl':varadjlevel' v m (s l)} {vl:varadjlevel v m (s l)} {vsb:varlevel-shifts-back vl' vl}. %{ NOTE(review): as with the earlier "fake", these clauses are never used as lemmas; they mention each shift theorem under a hypothesis of the same theorem, apparently so that the families are accepted in the blocks above - confirm before removing. }% fake : type. - : fake <- ({x:varlevel-zero-shifts-down X Y} varlevel-zero-shifts-down X' Y'). - : fake <- ({x:varlevel-nonzero-shifts-over X Y} varlevel-nonzero-shifts-over X' Y'). - : fake <- ({x:varlevel-shifts-back X Y} varlevel-shifts-back X' Y'). %worlds (blocksimple | shiftdown | noshift) (varlevel-zero-shifts-down _ _). %worlds (blocksimple | shiftdown | noshift) (varlevel-nonzero-shifts-over _ _). %worlds (blocksimple | shiftback | noshift) (varlevel-shifts-back _ _). %total { } (varlevel-zero-shifts-down _ _). %total { } (varlevel-nonzero-shifts-over _ _). %total { } (varlevel-shifts-back _ _). %{ First pass of the shift: given an eql proof over M1 = M0 plus one z (MA), produce the primed proof over M0 with the same size measures. Index-z variables drop one level (shiftdown), nonzero-index variables are carried across unchanged (noshift). }% %theorem shift-varlevel/L1 : forall* {N} {A} {M0} {M1} {T1} {T2} {S} {MN} {MM} forall {E: eql* N A M1 T1 T2} {ES:eqlsize E S MN MM} {MA:multiset`add M0 z M1} exists {E': eql*' N A M0 T1 T2} {ES':eqlsize' E' S MN MM} true. - : shift-varlevel/L1 (eql/eq eq/) eqlsize/eq _ (eql'/eq eq/) eqlsize'/eq. - : shift-varlevel/L1 (eql/app E1 E2) (eqlsize/app ES1 ES2 MX MN MX2) MA (eql'/app E1' E2') (eqlsize'/app ES1' ES2' MX MN MX2) <- shift-varlevel/L1 E1 ES1 MA E1' ES1' <- shift-varlevel/L1 E2 ES2 MA E2' ES2'. 
- : shift-varlevel/L1 (eql/lam1 ([v] (F v))) (eqlsize/lam1 FS) MA (eql'/lam1 ([v] (F' v))) (eqlsize'/lam1 FS') <- {v} shift-varlevel/L1 (F v) (FS v) MA (F' v) (FS' v). %{ The index-z binder case, factored out so that the bound level (s N) can be rewritten to (s (s N')) by the equation EQ before the body is shifted under a shiftdown assumption; the primed body is then bound at (s N'). }% %theorem shift-varlevel/L1/rec : forall* {N0} {N} {N'} {N1} {F1} {F2} {A} {S} {M1} {M2} {MN} {MM} forall {F: {v:term N0} {vl:varadjlevel v z (s N)} (eql* N1 A M2 (F1 v) (F2 v))} {FS: {v:term N0} {vl:varadjlevel v z (s N)} (eqlsize (F v vl) S MN MM)} {MA1: multiset`add M1 z M2} {EQ: nat`eq N (s N')} exists {F': {v:term N0} {vl':varadjlevel' v z (s N')} (eql*' N1 A M1 (F1 v) (F2 v))} {FS': {v:term N0} {vl':varadjlevel' v z (s N')} (eqlsize' (F' v vl') S MN MM)} true. - : shift-varlevel/L1/rec F FS MA1 nat`eq/ F' FS' <- {v} {vl} {vl':varadjlevel' v z (s N)} {vsd:varlevel-zero-shifts-down vl vl'} shift-varlevel/L1 (F v vl) (FS v vl) MA1 (F' v vl') (FS' v vl'). %{ lam2 and rec2 at index z: since M1 is M0 plus one z, the count of z in M1 (MC1) is one more than the count in M0 (MC0), which yields the equation EQ needed by shift-varlevel/L1/rec. }% - : shift-varlevel/L1 (eql/lam2 MC1 MA1 ([v] [vl:varadjlevel v z (s N)] (F v vl))) (eqlsize/lam2 FS MM) MA0 (eql'/lam2 MC0 MA0 ([v] [vl:varadjlevel' v z (s N')] (F' v vl))) (eqlsize'/lam2 FS' MM) <- multiset`count-total MC0 <- count-add-implies-count MC0 MA0 MC1' <- count-deterministic MC1 MC1' multiset`eq/ nat`eq/ EQ <- shift-varlevel/L1/rec F FS MA1 EQ F' FS'. - : shift-varlevel/L1 (eql/rec1 ([v] (F v))) (eqlsize/rec1 FS) MA (eql'/rec1 ([v] (F' v))) (eqlsize'/rec1 FS') <- {v} shift-varlevel/L1 (F v) (FS v) MA (F' v) (FS' v). - : shift-varlevel/L1 (eql/rec2 P MC1 MA1 ([v] [vl:varadjlevel v z (s N)] (F v vl))) (eqlsize/rec2 FS MN MM) MA0 (eql'/rec2 P MC0 MA0 ([v] [vl:varadjlevel' v z (s N')] (F' v vl))) (eqlsize'/rec2 FS' MN MM) <- multiset`count-total MC0 <- count-add-implies-count MC0 MA0 MC1' <- count-deterministic MC1 MC1' multiset`eq/ nat`eq/ EQ <- shift-varlevel/L1/rec F FS MA1 EQ F' FS'. 
%{ rec2 at a nonzero adjusted index (s M): the bound variable keeps its level (noshift assumptions). The two adds (z into M0, and (s M) into the result) are reordered by add-commutes so that MA' still adds z under the binder, and the count of (s M) is carried across the z-add by add-preserves-count-converse using (s M) <> z. }% - : shift-varlevel/L1 (eql/rec2 P MC1 MA1 ([v] [vl:varadjlevel v (s M) (s N)] (F v vl))) (eqlsize/rec2 FS MN MM) MA (eql'/rec2 P MC1' MA1' ([v] [vl:varadjlevel' v (s M) (s N)] (F' v vl))) (eqlsize'/rec2 FS' MN MM) <- add-commutes MA MA1 _ MA1' MA' <- succ-implies-gt-zero _ GT <- add-preserves-count-converse MC1 MA (nat`ne/> GT) MC1' <- {v} {vl} {vl':varadjlevel' v (s M) (s N)} {vsd:varlevel-nonzero-shifts-over vl vl'} {vsb:varlevel-shifts-back vl' vl} shift-varlevel/L1 (F v vl) (FS v vl) MA' (F' v vl') (FS' v vl'). %{ Variable leaves: both variables share an adjusted index, so either both shift down (index z) or both shift over (nonzero index); which clause applies is fixed by the index in the varadjlevel types. }% - : shift-varlevel/L1 (eql/var P VL1 VL2) eqlsize/var MA (eql'/var P VL1' VL2') eqlsize'/var <- varlevel-zero-shifts-down VL1 VL1' <- varlevel-zero-shifts-down VL2 VL2'. - : shift-varlevel/L1 (eql/var P VL1 VL2) eqlsize/var MA (eql'/var P VL1' VL2') eqlsize'/var <- varlevel-nonzero-shifts-over VL1 VL1' <- varlevel-nonzero-shifts-over VL2 VL2'. %worlds (blocksimple | shiftdown | noshift) (shift-varlevel/L1 _ _ _ _ _) (shift-varlevel/L1/rec _ _ _ _ _ _). %total (E El) (shift-varlevel/L1 E _ _ _ _) (shift-varlevel/L1/rec El _ _ _ _ _). %{ Second pass: translate the primed proof back to an unprimed one over the same multiset and with the same measures, using varlevel-shifts-back for every bound and free variable. NOTE(review): the implicit arguments are written (eql*' N M A T1 T2) here, so M names the adjustment and A the multiset; the names differ from the declaration of eql*' but denote the same positions. }% %theorem shift-varlevel/L2 : forall* {N} {M} {A} {T1} {T2} {S} {MN} {MM} forall {E': eql*' N M A T1 T2} {ES': eqlsize' E' S MN MM} exists {E: eql* N M A T1 T2} {ES: eqlsize E S MN MM} true. - : shift-varlevel/L2 (eql'/eq eq/) eqlsize'/eq (eql/eq eq/) eqlsize/eq. - : shift-varlevel/L2 (eql'/app E1' E2') (eqlsize'/app ES1' ES2' MAX MIN MAX2) (eql/app E1 E2) (eqlsize/app ES1 ES2 MAX MIN MAX2) <- shift-varlevel/L2 E1' ES1' E1 ES1 <- shift-varlevel/L2 E2' ES2' E2 ES2. - : shift-varlevel/L2 (eql'/lam1 ([v] (F v))) (eqlsize'/lam1 FS) (eql/lam1 ([v] (F' v))) (eqlsize/lam1 FS') <- {v} shift-varlevel/L2 (F v) (FS v) (F' v) (FS' v). - : shift-varlevel/L2 (eql'/lam2 MC MA ([v] [vl'] (F v vl'))) (eqlsize'/lam2 FS MM) (eql/lam2 MC MA ([v] [vl] (F' v vl))) (eqlsize/lam2 FS' MM) <- {v} {vl'} {vl} {vsb:varlevel-shifts-back vl' vl} shift-varlevel/L2 (F v vl') (FS v vl') (F' v vl) (FS' v vl). 
- : shift-varlevel/L2 (eql'/rec1 ([v] (F v))) (eqlsize'/rec1 FS) (eql/rec1 ([v] (F' v))) (eqlsize/rec1 FS') <- {v} shift-varlevel/L2 (F v) (FS v) (F' v) (FS' v). - : shift-varlevel/L2 (eql'/rec2 P MC MA ([v] [vl'] (F v vl'))) (eqlsize'/rec2 FS MN MM) (eql/rec2 P MC MA ([v] [vl] (F' v vl))) (eqlsize/rec2 FS' MN MM) <- {v} {vl'} {vl} {vsb:varlevel-shifts-back vl' vl} shift-varlevel/L2 (F v vl') (FS v vl') (F' v vl) (FS' v vl). - : shift-varlevel/L2 (eql'/var P VL1 VL2) eqlsize'/var (eql/var P VL1' VL2') eqlsize/var <- varlevel-shifts-back VL1 VL1' <- varlevel-shifts-back VL2 VL2'. %worlds (blocksimple | shiftback | noshift) (shift-varlevel/L2 _ _ _ _). %total (E) (shift-varlevel/L2 E _ _ _). %{ Now we put these two parts into one that hides the alternative definitions. }% %{ shift-varlevel: remove one z from the multiset (MA : M0 + z = M1) and lower every index-z variable by one level, preserving the size measures. It is simply L1 followed by L2, and is the only entry point callers need. }% %theorem shift-varlevel : forall* {N} {A} {M0} {M1} {T1} {T2} {S} {MN} {MM} forall {E: eql* N A M1 T1 T2} {ES:eqlsize E S MN MM} {MA:multiset`add M0 z M1} exists {E': eql* N A M0 T1 T2} {ES':eqlsize E' S MN MM} true. - : shift-varlevel E1 ES1 MA E3 ES3 <- shift-varlevel/L1 E1 ES1 MA E2 ES2 <- shift-varlevel/L2 E2 ES2 E3 ES3. %worlds (blocksimple | noshift) (shift-varlevel _ _ _ _ _). %total { } (shift-varlevel _ _ _ _ _). %{ Now the whole reason for the two stage var-levels: we have a lemma that says we can adjust the M of all variables down if the minimum varlevel used is greater than zero. First we need some helper lemmas and the ubiquitous blocks. }% %{ A variable of adjusted index (s M) at level (s L) becomes a primed variable of adjusted index M at the same level; the proof is an assumption from block adjustdown. }% %theorem varlevel-adjusts-down : forall* {N} {V:term N} {M} {L} forall {VL:varadjlevel V (s M) (s L)} exists {VL':varadjlevel' V M (s L)} true. %block adjustdown : some {n} {m} {l} block {v:term n} {vl:varadjlevel v (s m) (s l)} {vl':varadjlevel' v m (s l)} {vsd:varlevel-adjusts-down vl vl'}. %{ NOTE(review): unused "fake" clause, same device as above; appears to be there so the theorem is accepted inside the block - confirm. }% fake : type. - : fake <- ({x:varlevel-adjusts-down X Y} varlevel-adjusts-down X' Y'). %worlds (blocksimple | adjustdown) (varlevel-adjusts-down _ _). %total { } (varlevel-adjusts-down _ _). 
%{ Ex falso lemmas for the primed families, in the adjustdown world. }% %theorem false-implies-eql' : forall* {MS} {N} {A} {T1} {T2} forall {F:void} exists {E:eql*' N A MS T1 T2} true. %worlds (blocksimple | adjustdown) (false-implies-eql' _ _). %total { } (false-implies-eql' _ _). %theorem false-implies-eqlsize' : forall* {N} {A} {MS} {T1} {T2} {S} {B} {M} {E:eql*' N A MS T1 T2} forall {F:void} exists {ES1:eqlsize' E S B M} true. %worlds (blocksimple | adjustdown) (false-implies-eqlsize' _ _). %total { } (false-implies-eqlsize' _ _). %{ Rewrite the three measures of an eqlsize proof along nat`eq equations; used below to put measures into the (s _) / z shapes the adjust lemmas pattern-match on. }% %theorem eqlsize-respects-eq : forall* {N} {A} {MS} {T1} {T2} {S1} {B1} {M1} {S2} {B2} {M2} {E:eql* N A MS T1 T2} forall {ES1:eqlsize E S1 B1 M1} {SE: nat`eq S1 S2} {BE: nat`eq B1 B2} {ME: nat`eq M1 M2} exists {ES2:eqlsize E S2 B2 M2} true. - : eqlsize-respects-eq ES nat`eq/ nat`eq/ nat`eq/ ES. %worlds (blocksimple | blockvaradj | adjustdown) (eqlsize-respects-eq _ _ _ _ _). %total { } (eqlsize-respects-eq _ _ _ _ _). %{ adjust-varlevel/L0 is the case where the third measure is z. By the eqlsize rules, lam2 and rec2 each force that measure to at least (s z), so E contains no level-binding binder; hence the output multiset M0 is unconstrained, and only the var leaves change: the adjustment A grows by one while each variable's adjusted index drops by one (plus-swap-succ-converse and varlevel-adjusts-down). The hypothesis B = (s MN) guarantees every such variable has a nonzero adjusted index to drop. }% %theorem adjust-varlevel/L0 : forall* {N} {A} {M0} {M1} {T1} {T2} {S} {MN} forall {E: eql* N A M1 T1 T2} {ES:eqlsize E S (s MN) z} exists {E': eql*' N (s A) M0 T1 T2} {MN'} {ES':eqlsize' E' S MN' z} true. - : adjust-varlevel/L0 (eql/eq eq/) (eqlsize/eq) (eql'/eq eq/) _ (eqlsize'/eq). %{ app: from max M1 M2 = z derive M1 = M2 = z, and from min B1 B2 = (s B) derive that both B1 and B2 are successors, so each side satisfies the hypothesis shape of adjust-varlevel/L0 after eqlsize-respects-eq. }% - : adjust-varlevel/L0 (eql/app E1 E2) (eqlsize/app ES1 ES2 MAX MIN MAX2) (eql'/app E1' E2') _ (eqlsize'/app ES1'' ES2'' MAX MIN' nat`max/=) <- max-implies-ge MAX2 ZERO>=M1 ZERO>=M2 <- ge-zero-always M1 M1>=0 <- ge-zero-always M2 M2>=0 <- nat`ge-anti-symmetric M1>=0 ZERO>=M1 M1=0 <- nat`ge-anti-symmetric M2>=0 ZERO>=M2 M2=0 <- min-implies-ge MIN B1>=B+1 B2>=B+1 <- ge-succ-implies-gt B1>=B+1 B1>B <- ge-succ-implies-gt B2>=B+1 B2>B <- gt-implies-positive B1>B B1' B1=B1'+1 <- gt-implies-positive B2>B B2' B2=B2'+1 <- eqlsize-respects-eq ES1 nat`eq/ B1=B1'+1 M1=0 ES1' <- eqlsize-respects-eq ES2 nat`eq/ B2=B2'+1 M2=0 ES2' <- adjust-varlevel/L0 E1 ES1' E1' _ ES1'' <- adjust-varlevel/L0 E2 ES2' E2' _ ES2'' <- nat`min-total MIN'. 
- : adjust-varlevel/L0 (eql/lam1 ([v] (F v))) (eqlsize/lam1 FS) (eql'/lam1 ([v] (F' v))) MN' (eqlsize'/lam1 FS') <- {v} adjust-varlevel/L0 (F v) (FS v) (F' v) MN' (FS' v). - : adjust-varlevel/L0 (eql/rec1 ([v] (F v))) (eqlsize/rec1 FS) (eql'/rec1 ([v] (F' v))) MN' (eqlsize'/rec1 FS') <- {v} adjust-varlevel/L0 (F v) (FS v) (F' v) MN' (FS' v). - : adjust-varlevel/L0 (eql/var P VL1 VL2) eqlsize/var (eql'/var P' VL1' VL2') _ eqlsize'/var <- plus-swap-succ-converse P P' <- varlevel-adjusts-down VL1 VL1' <- varlevel-adjusts-down VL2 VL2'. %worlds (blocksimple | adjustdown) (adjust-varlevel/L0 _ _ _ _ _). %total (E) (adjust-varlevel/L0 E _ _ _ _). %theorem adjust-varlevel/L1 : forall* {N} {A} {M0} {M1} {T1} {T2} {S} {MN} {MM} forall {E: eql* N A M1 T1 T2} {ES:eqlsize E S (s MN) (s MM)} {MS:multiset`shift z M0 M1} exists {E': eql*' N (s A) M0 T1 T2} {MN'} {ES':eqlsize' E' S MN' MM} true. % MAX2 = max z z case (contradiction) - : adjust-varlevel/L1 (eql/app E1 E2) (eqlsize/app ES1 ES2 MAX MIN (MAX2:nat`max z z (s MM))) _ E' z ES' <- nat`max-deterministic nat`max/= MAX2 nat`eq/ nat`eq/ ZERO=MM+1 <- nat`eq-contradiction ZERO=MM+1 F <- false-implies-eql' F E' <- false-implies-eqlsize' F ES'. 
% MAX2 = max z (s MM2) (s MM) - : adjust-varlevel/L1 (eql/app E1 E2) (eqlsize/app ES1 ES2 MAX MIN MAX2) MS (eql'/app E1' E2') _ (eqlsize'/app ES1'' ES2'' MAX MIN' MAX2') <- min-implies-ge MIN B1>=B+1 B2>=B+1 <- ge-succ-implies-gt B1>=B+1 B1>B <- ge-succ-implies-gt B2>=B+1 B2>B <- gt-implies-positive B1>B B1' B1=B1'+1 <- gt-implies-positive B2>B B2' B2=B2'+1 <- eqlsize-respects-eq ES1 nat`eq/ B1=B1'+1 nat`eq/ ES1' <- eqlsize-respects-eq ES2 nat`eq/ B2=B2'+1 nat`eq/ ES2' <- adjust-varlevel/L0 E1 ES1' E1' _ ES1'' <- adjust-varlevel/L1 E2 ES2' MS E2' _ ES2'' <- succ-implies-gt-zero _ MM2+1>0 <- nat`max-deterministic (max/< MM2+1>0) MAX2 nat`eq/ nat`eq/ MM2+1=MM+1 <- succ-cancels MM2+1=MM+1 MM2=MM <- nat`ge-zero-always _ MM2>=0 <- nat`le-implies-max MM2>=0 MAX2'' <- nat`max-respects-eq MAX2'' nat`eq/ nat`eq/ MM2=MM MAX2' <- nat`min-total MIN'. % MAX2 = max (s MM1) z (s MM) - : adjust-varlevel/L1 (eql/app E1 E2) (eqlsize/app ES1 ES2 MAX MIN MAX2) MS (eql'/app E1' E2') _ (eqlsize'/app ES1'' ES2'' MAX MIN' MAX2') <- min-implies-ge MIN B1>=B+1 B2>=B+1 <- ge-succ-implies-gt B1>=B+1 B1>B <- ge-succ-implies-gt B2>=B+1 B2>B <- gt-implies-positive B1>B B1' B1=B1'+1 <- gt-implies-positive B2>B B2' B2=B2'+1 <- eqlsize-respects-eq ES1 nat`eq/ B1=B1'+1 nat`eq/ ES1' <- eqlsize-respects-eq ES2 nat`eq/ B2=B2'+1 nat`eq/ ES2' <- adjust-varlevel/L1 E1 ES1' MS E1' _ ES1'' <- adjust-varlevel/L0 E2 ES2' E2' _ ES2'' <- succ-implies-gt-zero _ MM1+1>0 <- nat`max-deterministic (max/> MM1+1>0) MAX2 nat`eq/ nat`eq/ MM1+1=MM+1 <- succ-cancels MM1+1=MM+1 MM1=MM <- nat`ge-zero-always _ MM1>=0 <- nat`ge-implies-max MM1>=0 MAX2'' <- nat`max-respects-eq MAX2'' nat`eq/ nat`eq/ MM1=MM MAX2' <- nat`min-total MIN'. 
- : adjust-varlevel/L1 (eql/app E1 E2) (eqlsize/app ES1 ES2 MAX MIN MAX2) MS (eql'/app E1' E2') _ (eqlsize'/app ES1'' ES2'' MAX MIN' MAX2') <- min-implies-ge MIN B1>=B+1 B2>=B+1 <- ge-succ-implies-gt B1>=B+1 B1>B <- ge-succ-implies-gt B2>=B+1 B2>B <- gt-implies-positive B1>B B1' B1=B1'+1 <- gt-implies-positive B2>B B2' B2=B2'+1 <- eqlsize-respects-eq ES1 nat`eq/ B1=B1'+1 nat`eq/ ES1' <- eqlsize-respects-eq ES2 nat`eq/ B2=B2'+1 nat`eq/ ES2' <- adjust-varlevel/L1 E1 ES1' MS E1' _ ES1'' <- adjust-varlevel/L1 E2 ES2' MS E2' _ ES2'' <- succ-preserves-max-converse MAX2 MAX2' <- nat`min-total MIN'. - : adjust-varlevel/L1 (eql/lam1 ([v] (F v))) (eqlsize/lam1 FS) MS (eql'/lam1 ([v] (F' v))) MN' (eqlsize'/lam1 FS') <- {v} adjust-varlevel/L1 (F v) (FS v) MS (F' v) MN' (FS' v). - : adjust-varlevel/L1 (eql/rec1 ([v] (F v))) (eqlsize/rec1 FS) MS (eql'/rec1 ([v] (F' v))) MN' (eqlsize'/rec1 FS') <- {v} adjust-varlevel/L1 (F v) (FS v) MS (F' v) MN' (FS' v). - : adjust-varlevel/L1 (eql/rec2 P MC1 MA1 ([v] [vl:varadjlevel v z (s N)] (F v vl))) (eqlsize/rec2 FS MN MM) _ EQ z ES <- min-implies-ge MN ZERO>=B+1 _ <- ge-succ-implies-gt ZERO>=B+1 ZERO>B <- gt-contradiction ZERO>B V <- false-implies-eql' V EQ <- false-implies-eqlsize' V ES. 
- : adjust-varlevel/L1 (eql/rec2 P MC1 MA1 ([v] [vl:varadjlevel v (s M) (s N)] (F v vl))) (eqlsize/rec2 FS MN MM) MS (eql'/rec2 P' MC1' MA1' ([v] [vl:varadjlevel' v M (s N)] (F' v vl))) _ (eqlsize'/rec2 FS'' MN' MM') <- plus-swap-succ-converse P P' <- nat`min-implies-ge MN _ B2>=B+1 <- ge-succ-implies-gt B2>=B+1 B2>B <- gt-implies-positive B2>B B2' B2=B2'+1 <- ({v} {vl} eqlsize-respects-eq (FS v vl) nat`eq/ B2=B2'+1 nat`eq/ (FS' v vl)) <- shift-preserves-add-converse MA1 MS (plus/s plus/z) _ MS' MA1' <- ({v} {vl} {vl':varadjlevel' v M (s N)} {vsd:varlevel-adjusts-down vl vl'} adjust-varlevel/L0 (F v vl) (FS' v vl) (F' v vl') _ (FS'' v vl')) <- shift-preserves-count-converse MC1 MS (plus/s plus/z) MC1' <- succ-implies-gt-zero _ MM1+1>0 <- nat`max-deterministic (max/> MM1+1>0) MM nat`eq/ nat`eq/ MM1+1=MM+1 <- succ-cancels MM1+1=MM+1 MM1=MM <- nat`ge-zero-always _ MM1>=0 <- nat`ge-implies-max MM1>=0 MAX2'' <- nat`max-respects-eq MAX2'' nat`eq/ nat`eq/ MM1=MM MM' <- nat`min-total MN'. - : adjust-varlevel/L1 (eql/rec2 P MC1 MA1 ([v] [vl:varadjlevel v (s M) (s N)] (F v vl))) (eqlsize/rec2 FS MN MM) MS (eql'/rec2 P' MC1' MA1' ([v] [vl:varadjlevel' v M (s N)] (F' v vl))) _ (eqlsize'/rec2 FS'' MN' MM') <- plus-swap-succ-converse P P' <- nat`min-implies-ge MN _ B2>=B+1 <- ge-succ-implies-gt B2>=B+1 B2>B <- gt-implies-positive B2>B B2' B2=B2'+1 <- ({v} {vl} eqlsize-respects-eq (FS v vl) nat`eq/ B2=B2'+1 nat`eq/ (FS' v vl)) <- shift-preserves-add-converse MA1 MS (plus/s plus/z) _ MS' MA1' <- ({v} {vl} {vl':varadjlevel' v M (s N)} {vsd:varlevel-adjusts-down vl vl'} adjust-varlevel/L1 (F v vl) (FS' v vl) MS' (F' v vl') _ (FS'' v vl')) <- shift-preserves-count-converse MC1 MS (plus/s plus/z) MC1' <- nat`min-total MN' <- succ-preserves-max-converse MM MM'. %worlds (blocksimple | adjustdown) (adjust-varlevel/L1 _ _ _ _ _ _). %total (E) (adjust-varlevel/L1 E _ _ _ _ _). 
% The adjustment lemma proper: run stage /L1 (into the primed relations) and
% then shift-varlevel/L2 to come back to eql*/eqlsize.  The fourth eqlsize
% index drops from (s MM) to MM and the proof moves to index (s A).
%theorem adjust-varlevel : forall* {N} {A} {M0} {M1} {T1} {T2} {S} {MN} {MM} forall {E: eql* N A M1 T1 T2} {ES:eqlsize E S (s MN) (s MM)} {MS:multiset`shift z M0 M1} exists {E': eql* N (s A) M0 T1 T2} {MN'} {ES':eqlsize E' S MN' MM} true.
- : adjust-varlevel E ES MS E'' _ ES''
   <- adjust-varlevel/L1 E ES MS E' _ ES'
   <- shift-varlevel/L2 E' ES' E'' ES''.
%worlds (blocksimple) (adjust-varlevel _ _ _ _ _ _).
%total { } (adjust-varlevel _ _ _ _ _ _).

%{ === Removing variable levels altogether === }%

%{ The following blocks are used when we remove the level for the outermost
   (level 1) variable of adjusted index zero.  All other variables are at
   least level 2 or have a non-zero adjusted index.  "blockvar2" and
   "blockvaradj" make this context explicit.  (I probably could substitute
   noshift for blockvaradj.) }%
%block blockvar2 : some {l} {n} block {v:term n} {vl:varadjlevel v z (s (s l))}.
%block blockvaradj : some {m} {l} {n} block {v:term n} {vl:varadjlevel v (s m) (s l)}.

% Removes the level binder vl of the outermost variable v (adjusted index z,
% level s z) from an eql* proof, producing a proof that depends on v alone.
% MC requires the multiset M to contain at least one z entry.  The size
% indices S, MN, MM are preserved.
%theorem remove-one-var : forall* {N} {N'} {F1} {F2} {S} {A} {M} {NZ} {MN} {MM} forall {E:{v:term N} {vl:varadjlevel v z (s z)} (eql* N' A M (F1 v) (F2 v))} {ES:{v} {vl} eqlsize (E v vl) S MN MM} {MC: multiset`count M z (s NZ)} exists {E':{v:term N} (eql A M (F1 v) (F2 v))} {ES':{v} eqlsize (E' v) S MN MM} true.
% eq: the proof does not mention vl.
- : remove-one-var ([v] [vl] eql/eq eq/) ([v] [vl] eqlsize/eq) _ ([v] eql/eq eq/) ([v] eqlsize/eq).
% app: recurse on both halves with the same count MC.
- : remove-one-var ([v] [vl] (eql/app (FE v vl) (AE v vl))) ([v] [vl] (eqlsize/app (ESF v vl) (ESA v vl) MX MN MX2)) MC ([v] (eql/app (FE' v) (AE' v))) ([v] (eqlsize/app (ESF' v) (ESA' v) MX MN MX2))
   <- remove-one-var FE ESF MC FE' ESF'
   <- remove-one-var AE ESA MC AE' ESA'.
% lam1: recurse under the inner term binder v'.
- : remove-one-var ([v] [vl] eql/lam1 ([v'] (F v' v vl))) ([v] [vl] eqlsize/lam1 ([v'] (FS v' v vl))) MC ([v] eql/lam1 ([v'] (F' v' v))) ([v] eqlsize/lam1 ([v'] (FS' v' v)))
   <- {v'} remove-one-var (F v') (FS v') MC (F' v') (FS' v').

% Helper for the lam2 and rec2 cases of remove-one-var: the inner binder v'
% has level (s N1), and EQ says N1 is itself a successor, so the inner
% variable is at level 2 or more (the shape of blockvar2).  MA relates the
% outer multiset M0 to the body's multiset M1, and count-add-implies-count
% turns the count on M0 into the count on M1 that the recursive call needs.
% (Despite its name this helper is also used for rec2.)
%theorem remove-one-var/lam2 : forall* {N0} {N1} {N2} {N3} {N1'} {S} {A} {M0} {M1} {F1} {F2} {MN} {MM} forall {E:{v':term N0} {vl':varadjlevel v' z (s N1)} {v:term N2} {vl:varadjlevel v z (s z)} (eql* N3 A M1 (F1 v' v) (F2 v' v))} {ES:{v':term N0} {vl':varadjlevel v' z (s N1)} {v:term N2} {vl:varadjlevel v z (s z)} (eqlsize (E v' vl' v vl) S MN MM)} {MC: multiset`count M0 z N1} {MA: multiset`add M0 z M1} {EQ: nat`eq N1 (s N1')} exists {E': {v':term N0} {vl':varadjlevel v' z (s N1)} {v:term N2} (eql* N3 A M1 (F1 v' v) (F2 v' v))} {ES':{v':term N0} {vl':varadjlevel v' z (s N1)} {v:term N2} (eqlsize (E' v' vl' v) S MN MM)} true.
- : remove-one-var/lam2 E ES MC0 MA nat`eq/ E' ES'
   <- count-add-implies-count MC0 MA MC1
   <- {v'} {vl'} remove-one-var (E v' vl') (ES v' vl') MC1 (E' v' vl') (ES' v' vl').
% lam2: count-deterministic identifies the binder's own count MC with MC0,
% which yields the successor equation EQ required by the helper.
- : remove-one-var ([v] [vl] eql/lam2 MC MA ([v'] [vl'] (F v' vl' v vl))) ([v] [vl] eqlsize/lam2 ([v'] [vl'] (FS v' vl' v vl)) MM) MC0 ([v] eql/lam2 MC MA ([v'] [vl'] (F' v' vl' v))) ([v] eqlsize/lam2 ([v'] [vl'] (FS' v' vl' v)) MM)
   <- count-deterministic MC MC0 multiset`eq/ nat`eq/ EQ
   <- remove-one-var/lam2 F FS MC (MA:add M0 z M1) EQ F' FS'.
% rec1: recurse under the inner term binder v'.
- : remove-one-var ([v] [vl] eql/rec1 ([v'] (F v' v vl))) ([v] [vl] eqlsize/rec1 ([v'] (FS v' v vl))) MC ([v] eql/rec1 ([v'] (F' v' v))) ([v] eqlsize/rec1 ([v'] (FS' v' v)))
   <- {v'} remove-one-var (F v') (FS v') MC (F' v') (FS' v').
% rec2 whose MA adds index z: same route as lam2.
- : remove-one-var ([v] [vl] eql/rec2 P MC MA ([v'] [vl'] (F v' vl' v vl))) ([v] [vl] eqlsize/rec2 ([v'] [vl'] (FS v' vl' v vl)) MN MM) MC0 ([v] eql/rec2 P MC MA ([v'] [vl'] (F' v' vl' v))) ([v] eqlsize/rec2 ([v'] [vl'] (FS' v' vl' v)) MN MM)
   <- count-deterministic MC MC0 multiset`eq/ nat`eq/ EQ
   <- remove-one-var/lam2 F FS MC MA EQ F' FS'.
% rec2 whose MA adds a non-zero index (GT): the z count is unchanged by the
% addition (add-preserves-count with z <> added index), so recurse directly.
- : remove-one-var ([v] [vl] eql/rec2 P MC MA ([v'] [vl'] (F v' vl' v vl))) ([v] [vl] eqlsize/rec2 ([v'] [vl'] (FS v' vl' v vl)) MN MM) MC0 ([v] eql/rec2 P MC MA ([v'] [vl'] (F' v' vl' v))) ([v] eqlsize/rec2 ([v'] [vl'] (FS' v' vl' v)) MN MM)
   <- succ-implies-gt-zero _ GT
   <- add-preserves-count MC0 MA (nat`ne/< GT) MC1
   <- {v'} {vl'} remove-one-var (F v' vl') (FS v' vl') MC1 (F' v' vl') (FS' v' vl').
% var comparing the removed variable with itself: becomes a plain eq proof.
- : remove-one-var ([v] [vl] eql/var P vl vl) ([v] [vl] eqlsize/var) _ ([v] eql/eq eq/) ([v] eqlsize/eq).
% var not mentioning vl: unchanged.
- : remove-one-var ([v] [vl] eql/var P VL1 VL2) ([v] [vl] eqlsize/var) _ ([v] eql/var P VL1 VL2) ([v] eqlsize/var).
% remove-one-var and remove-one-var/lam2 are mutually recursive, hence the
% joint %worlds and %total declarations.
%worlds (blocksimple | blockvar2 | blockvaradj | noshift) (remove-one-var _ _ _ _ _) (remove-one-var/lam2 _ _ _ _ _ _ _).
%total (E El) (remove-one-var E _ _ _ _) (remove-one-var/lam2 El _ _ _ _ _ _).

%{ We now have the machinery needed to get rid of all level 0 variables in
   one recursive sweep. }%

% Sweeps an eql* proof whose multiset MS has no z entry (MC) and produces a
% proof whose third eqlsize index is a successor, with the fourth index not
% increased (G).  The size S is an explicit argument: it is the termination
% metric (%total (S) below), which is why the recursive calls pass sizes
% explicitly.
%theorem remove-zero-index-vars : forall* {N} {A} {MS} {T1} {T2} {MN} {MM} forall {E: eql* N A MS T1 T2} {S} {ES:eqlsize E S MN MM} {MC:multiset`count MS z z} exists {E': eql* N A MS T1 T2} {MN'} {MM'} {ES':eqlsize E' S (s MN') MM'} {G: nat`ge MM MM'} true.
% eq: unchanged; MM' = MM.
- : remove-zero-index-vars (eql/eq E) _ (eqlsize/eq) _ (eql/eq E) _ _ (eqlsize/eq) (nat`ge/= nat`eq/).
% app: the sub-sizes S1, S2 are bounded by S via MAX1; nat`meta-gt
% (presumably a %reduces lemma in the style of nat`meta-eq) exposes
% S+1 > S1 and S+1 > S2 so that the recursive calls are seen to terminate.
- : remove-zero-index-vars (eql/app E1 E2) (s S) (eqlsize/app ES1 ES2 MAX1 _ MAX2) MC (eql/app E1' E2') _ _ (eqlsize/app ES1' ES2' MAX1 MIN' MAX2') GE
   <- nat`max-implies-ge MAX1 S>=S1 S>=S2
   <- ge-implies-succ-gt S>=S1 S+1>S1
   <- ge-implies-succ-gt S>=S2 S+1>S2
   <- nat`meta-gt _ _ S+1>S1
   <- nat`meta-gt _ _ S+1>S2
   <- remove-zero-index-vars E1 S1 ES1 MC E1' _ _ ES1' GE1
   <- remove-zero-index-vars E2 S2 ES2 MC E2' _ _ ES2' GE2
   <- nat`min-total MIN
   <- succ-preserves-min MIN MIN'
   <- nat`max-total MAX2'
   <- max-preserves-ge* GE1 GE2 MAX2 MAX2' GE.
% lam1: recurse under the binder.
- : remove-zero-index-vars (eql/lam1 FE) _ (eqlsize/lam1 FES) MC (eql/lam1 FE') _ _ (eqlsize/lam1 FES') GE
   <- {v} remove-zero-index-vars (FE v) _ (FES v) MC (FE' v) _ _ (FES' v) GE.
% lam2 adding index z: the bound variable's level binder is removed
% (remove-one-var), the remaining variables are shifted back from MS1 to MS0
% (shift-varlevel with MA0), the body is swept recursively, and the lam2 is
% replaced by a lam1.  GE' chains the bound from MAX with the body's GE.
- : remove-zero-index-vars (eql/lam2 MC0 (MA0:add MS0 z MS1) ([v] [vl] FE0 v vl)) _ (eqlsize/lam2 ([v] [vl] FES0 v vl) MAX) MC (eql/lam1 ([v] FE3 v)) _ _ (eqlsize/lam1 ([v] FES3 v)) GE'
   <- count-add-implies-count MC0 MA0 MC1
   <- remove-one-var FE0 FES0 MC1 FE1 FES1
   <- ({v} shift-varlevel (FE1 v) (FES1 v) MA0 (FE2 v) (FES2 v))
   <- ({v} remove-zero-index-vars (FE2 v) S' (FES2 v) MC (FE3 v) _ _ (FES3 v) GE)
   <- nat`max-implies-ge MAX _ GE1
   <- nat`ge-transitive GE1 GE GE'.
% lam2 whose own count MC0 says MS0 has a z entry: contradicts MC.
- : remove-zero-index-vars (eql/lam2 (MC0:count MS0 z (s C)) MA0 ([v] [vl] FE0 v vl)) _ (eqlsize/lam2 ([v] [vl] FES0 v vl) MAX) MC EQ z z EQS GE
   <- multiset`count-deterministic MC MC0 multiset`eq/ nat`eq/ ZERO=C+1
   <- nat`eq-contradiction ZERO=C+1 F
   <- false-implies-eql F EQ
   <- false-implies-eqlsize F EQS
   <- nat`false-implies-ge F GE.
% rec1: recurse under the binder.
- : remove-zero-index-vars (eql/rec1 FE) _ (eqlsize/rec1 FES) MC (eql/rec1 FE') _ _ (eqlsize/rec1 FES') GE
   <- {v} remove-zero-index-vars (FE v) _ (FES v) MC (FE' v) _ _ (FES' v) GE.
% rec2 adding index z: same route as lam2, producing a rec1.
- : remove-zero-index-vars (eql/rec2 P MC0 (MA0:add MS0 z MS1) ([v] [vl] FE0 v vl)) _ (eqlsize/rec2 ([v] [vl] FES0 v vl) MIN MAX) MC (eql/rec1 ([v] FE3 v)) _ _ (eqlsize/rec1 ([v] FES3 v)) GE'
   <- count-add-implies-count MC0 MA0 MC1
   <- remove-one-var FE0 FES0 MC1 FE1 FES1
   <- ({v} shift-varlevel (FE1 v) (FES1 v) MA0 (FE2 v) (FES2 v))
   <- ({v} remove-zero-index-vars (FE2 v) S' (FES2 v) MC (FE3 v) _ _ (FES3 v) GE)
   <- nat`max-implies-ge MAX _ GE1
   <- nat`ge-transitive GE1 GE GE'.
% rec2 whose count MC0 gives a successor for z: contradicts MC, as for lam2.
- : remove-zero-index-vars (eql/rec2 P MC0 (MA0:add MS0 z MS1) ([v] [vl] FE0 v vl)) _ (eqlsize/rec2 ([v] [vl] FES0 v vl) MIN MAX) MC EQ z z EQS GE
   <- multiset`count-deterministic MC MC0 multiset`eq/ nat`eq/ ZERO=C+1
   <- nat`eq-contradiction ZERO=C+1 F
   <- false-implies-eql F EQ
   <- false-implies-eqlsize F EQS
   <- nat`false-implies-ge F GE.
% rec2 adding a non-zero index (s M): the z count of the body multiset is
% unchanged (add-preserves-count), so the rec2 is kept and its body is swept
% under the binder, assuming the level vl can be shifted over and back.
- : remove-zero-index-vars (eql/rec2 P MC0 (MA0:add MS0 (s M) MS1) ([v] [vl] FE0 v vl)) _ (eqlsize/rec2 ([v] [vl] FES0 v vl) _ (MAX:max (s (s M)) MM2 MM)) MC (eql/rec2 P MC0 MA0 ([v] [vl] FE1 v vl)) _ _ (eqlsize/rec2 ([v] [vl] FES1 v vl) MIN' MAX') GE'
   <- ge-zero-always M M>=0
   <- ge-implies-succ-gt M>=0 M+1>0
   <- add-preserves-count MC MA0 (nat`ne/< M+1>0) MC'
   <- ({v} {vl} {vl'} (varlevel-nonzero-shifts-over vl vl') -> (varlevel-shifts-back vl' vl) -> (remove-zero-index-vars (FE0 v vl) S' (FES0 v vl) MC' (FE1 v vl) _ _ (FES1 v vl) GE))
   <- nat`min-total MIN
   <- succ-preserves-min MIN MIN'
   <- nat`max-total MAX'
   <- max-preserves-ge* (nat`ge/= nat`eq/) GE MAX MAX' GE'.
% var: unchanged; MM' = MM.
- : remove-zero-index-vars (eql/var P VL1 VL2) _ (eqlsize/var) _ (eql/var P VL1 VL2) _ _ (eqlsize/var) (nat`ge/= nat`eq/).
%worlds (blocksimple | noshift) (remove-zero-index-vars _ _ _ _ _ _ _ _ _).
%total (S) (remove-zero-index-vars _ S _ _ _ _ _ _ _).

% Congruence lemmas for term equality, used by eql-implies-eq/L0 to rebuild
% an eq proof from the eq proofs of the sub-terms.
%theorem lit-preserves-eq : forall* {M1} {M2} forall {EQ:nat`eq M1 M2} exists {EQ':eq (lit M1) (lit M2)} true.
- : lit-preserves-eq nat`eq/ eq/.
%worlds (blocksimple | blockvar) (lit-preserves-eq _ _).
%total { } (lit-preserves-eq _ _).
% NOTE(review): both premises are named E here (and the premise and the
% conclusion share the name E in the two lemmas below); distinct names
% would read better.  This appears to be purely cosmetic.
%theorem app-preserves-eq : forall* {N1} {N2} {T1:term (s N1)} {T2:term (s N2)} {T3} {T4} forall {E:eq T1 T2} {E: eq T3 T4} exists {BE:eq (app T1 T3) (app T2 T4)} true.
- : app-preserves-eq eq/ eq/ eq/.
%worlds (blocksimple) (app-preserves-eq _ _ _).
%total { } (app-preserves-eq _ _ _).
%theorem lam-preserves-eq : forall* {N1} {N2} {F1:t -> term N1} {F2: t -> term N2} forall {E:{v} eq (F1 v) (F2 v)} exists {E:eq (lam F1) (lam F2)} true.
- : lam-preserves-eq ([v] eq/) eq/.
%worlds (blocksimple) (lam-preserves-eq _ _).
%total { } (lam-preserves-eq _ _).
%theorem rec-preserves-eq : forall* {N} {F1:term (s N) -> term (s N)} {F2:term (s N) -> term (s N)} forall {E:{v} eq (F1 v) (F2 v)} exists {E:eq (rec F1) (rec F2)} true.
- : rec-preserves-eq ([v] eq/) eq/.
%worlds (blocksimple) (rec-preserves-eq _ _).
%total { } (rec-preserves-eq _ _).

%{ Next the main lemma that says we can avoid looking at varlevels in
   checking equality.  We remove the outside variable, shift the remaining
   variables, and then recurse (hence the need for tracking eqlsize).  Note
   that we never put var levels in the context. }%

% Main lemma: an eql proof at index z over the empty multiset gives plain
% term equality.  Proved below, after its helper lemmas.
%theorem eql-implies-eq : forall* {N} {T1:term N} {T2:term N} forall {E:eql z multiset`map/0 T1 T2} exists {E':eq T1 T2} true.

% Stage L0: a proof whose fourth eqlsize index is z converts to eq directly.
% There is no eql/var case: eql/var needs level assumptions for its
% variables, and (see the comment above) var levels are never in context.
%theorem eql-implies-eq/L0 : forall* {N} {A} {MS} {T1} {T2} {S} {MN} forall {E: eql* N A MS T1 T2} {ES:eqlsize E S MN z} exists {E: eq T1 T2} true.
- : eql-implies-eq/L0 (eql/eq E) _ E.
% app: MAX2 = z forces both sub-indices to z, so both halves are in L0 form.
- : eql-implies-eq/L0 (eql/app E1 E2) (eqlsize/app ES1 ES2 MAX1 MIN MAX2) E'
   <- max-implies-ge MAX2 ZERO>=M1 ZERO>=M2
   <- ge-zero-always _ M1>=0
   <- ge-zero-always _ M2>=0
   <- ge-anti-symmetric M1>=0 ZERO>=M1 M1=0
   <- ge-anti-symmetric M2>=0 ZERO>=M2 M2=0
   <- eqlsize-respects-eq ES1 nat`eq/ nat`eq/ M1=0 ES1'
   <- eqlsize-respects-eq ES2 nat`eq/ nat`eq/ M2=0 ES2'
   <- eql-implies-eq/L0 E1 ES1' E1'
   <- eql-implies-eq/L0 E2 ES2' E2'
   <- app-preserves-eq E1' E2' E'.
- : eql-implies-eq/L0 (eql/lam1 ([v] E v)) (eqlsize/lam1 ([v] ES v)) E''
   <- ({v} eql-implies-eq/L0 (E v) (ES v) (E' v))
   <- lam-preserves-eq E' E''.
% lam2 / rec2 cannot occur: their max index MAX is at least 1, not z.
- : eql-implies-eq/L0 (eql/lam2 _ _ _) (eqlsize/lam2 _ MAX) E
   <- nat`max-implies-ge MAX ZERO>=ONE _
   <- ge-succ-implies-gt ZERO>=ONE ZERO>ZERO
   <- nat`gt-contradiction ZERO>ZERO F
   <- false-implies-eq F E.
- : eql-implies-eq/L0 (eql/rec1 ([v] E v)) (eqlsize/rec1 ([v] ES v)) E''
   <- ({v} eql-implies-eq/L0 (E v) (ES v) (E' v))
   <- rec-preserves-eq E' E''.
- : eql-implies-eq/L0 (eql/rec2 _ _ _ _) (eqlsize/rec2 _ _ MAX) E
   <- nat`max-implies-ge MAX ZERO>=ONE _
   <- ge-succ-implies-gt ZERO>=ONE ZERO>ZERO
   <- nat`gt-contradiction ZERO>ZERO F
   <- false-implies-eq F E.
%worlds (blocksimple) (eql-implies-eq/L0 _ _ _).
%total (E) (eql-implies-eq/L0 E _ _).
% Stages L1 and L2 alternate: L1 takes any proof over the empty multiset
% (multiset`map/0), L2 additionally requires the third index to be a
% successor.  Both are measured by the explicit fourth index MM (the
% %total (M1 M2) declaration); MM = z is handed to /L0 in both.
%theorem eql-implies-eq/L1 : forall* {N} {A} {T1} {T2} {S} {MN} forall {E: eql* N A multiset`map/0 T1 T2} {MM} {ES:eqlsize E S MN MM} exists {E: eq T1 T2} true.
- : eql-implies-eq/L1 EQL z ES E
   <- eql-implies-eq/L0 EQL ES E.
%theorem eql-implies-eq/L2 : forall* {N} {A} {T1} {T2} {S} {MN} forall {E: eql* N A multiset`map/0 T1 T2} {MM} {ES:eqlsize E S (s MN) MM} exists {E: eq T1 T2} true.
- : eql-implies-eq/L2 EQL z ES E
   <- eql-implies-eq/L0 EQL ES E.
% L2, MM = s M: all variables are at a positive level, so adjust-varlevel
% (with the empty multiset shifted to itself, multiset`shift/0) lowers MM to
% M; then back to L1 with the smaller index.
- : eql-implies-eq/L2 EQL (s M) ES E
   <- adjust-varlevel EQL ES multiset`shift/0 E' _ ES'
   <- eql-implies-eq/L1 E' _ ES' E.
% L1, MM = s M: remove all zero-index variables first (the empty multiset
% has z count zero, multiset`count/z multiset`not-member/0), obtaining a
% proof with a successor third index and fourth index MM' <= MM (GE).
% meta-ge presumably exposes that bound to the termination checker, in the
% style of nat`meta-eq, before the call to L2.
- : eql-implies-eq/L1 EQL (s M) ES E
   <- remove-zero-index-vars EQL _ ES (multiset`count/z multiset`not-member/0) EQL' _ _ ES' GE
   <- meta-ge _ _ GE
   <- eql-implies-eq/L2 EQL' _ ES' E.
%worlds () (eql-implies-eq/L1 _ _ _ _) (eql-implies-eq/L2 _ _ _ _).
%total (M1 M2) (eql-implies-eq/L2 _ M2 _ _) (eql-implies-eq/L1 _ M1 _ _).
% The main lemma: compute the size indices (eqlsize-total) and enter L1.
- : eql-implies-eq E E'
   <- eqlsize-total ES
   <- eql-implies-eq/L1 E _ ES E'.
%worlds () (eql-implies-eq _ _).
%total { } (eql-implies-eq _ _).

%{ === Main Theorem === }%

%{ Finally the statement of the main theorem of this section.  As with the
   non-indexed case, it is proved by using eql as an intermediate step.
   Again, as with the non-indexed code, this theorem (or rather its main
   lemma) uses reasoning-from-false extensively because the cases cannot be
   distinguished by Twelf's case analysis.  It also uses the "divrem" part
   of the nat signature extensively as well as theorems about plus and
   times.  The proofs of the cases are uninteresting arithmetic fiddling. }%

% Injectivity of the encoding: two terms with equal codes are equal.
%theorem tonat-one2one : forall* {N} {T1:term N} {N1} {T2:term N} {N2} forall {TN1:tonat T1 N1} {TN2:tonat T2 N2} {E:nat`eq N1 N2} exists {ET:eq T1 T2} true.
% Main lemma: over a common multiset MS, equal codes give an eql* proof at
% index z.  Proved by cases on the two encodings below.
%theorem tonat-one2one/L : forall* {N} {MS} {T1} {M1} {T2} {M2} forall {TN1:tonat* N MS T1 M1} {TN2:tonat* N MS T2 M2} {E:nat`eq M1 M2} exists {ET:eql* N z MS T1 T2} true.
% var / var: the multiset counts agree (VN1 = VN2), so cancelling them in
% P1/P2 equates the two levels, and VL1 is rewritten to match VL2.
- : tonat-one2one/L (tonat/var MC1 VL1 P1) (tonat/var MC2 VL2 P2) nat`eq/ (eql/var plus/z VL1' VL2)
   <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ VN1=VN2
   <- plus-left-cancels P1 P2 nat`eq/ VN1=VN2 L1=L2
   <- varlevel-respects-eq VL1 L1=L2 VL1'.
% var / non-var (and the mirrored cases below): a variable's code satisfies
% M + L = VN while a lit/app/lam/rec code satisfies VN + X = M, so M >= VN
% and VN >= M, hence M = VN and the level L is 0, which varlevel-contradiction
% rules out.  The same argument is repeated verbatim for each non-var
% constructor and each argument order.
- : tonat-one2one/L (tonat/var MC VL M+L=VN) (tonat/lit MC' _ VN'+X=M) nat`eq/ E
   <- count-deterministic MC' MC multiset`eq/ nat`eq/ VN'=VN
   <- plus-respects-eq VN'+X=M VN'=VN nat`eq/ nat`eq/ VN+X=M
   <- plus-commutative VN+X=M X+VN=M
   <- plus-commutative M+L=VN L+M=VN
   <- plus-implies-ge X+VN=M M>=VN
   <- plus-implies-ge L+M=VN VN>=M
   <- nat`ge-anti-symmetric M>=VN VN>=M M=VN
   <- plus-right-cancels L+M=VN plus/z M=VN nat`eq/ L=0
   <- varlevel-contradiction VL L=0 F
   <- false-implies-eql F E.
- : tonat-one2one/L (tonat/lit MC' _ VN'+X=M) (tonat/var MC VL M+L=VN) nat`eq/ E
   <- count-deterministic MC' MC multiset`eq/ nat`eq/ VN'=VN
   <- plus-respects-eq VN'+X=M VN'=VN nat`eq/ nat`eq/ VN+X=M
   <- plus-commutative VN+X=M X+VN=M
   <- plus-commutative M+L=VN L+M=VN
   <- plus-implies-ge X+VN=M M>=VN
   <- plus-implies-ge L+M=VN VN>=M
   <- nat`ge-anti-symmetric M>=VN VN>=M M=VN
   <- plus-right-cancels L+M=VN plus/z M=VN nat`eq/ L=0
   <- varlevel-contradiction VL L=0 F
   <- false-implies-eql F E.
- : tonat-one2one/L (tonat/var MC VL M+L=VN) (tonat/app MC' _ _ _ _ VN'+X=M) nat`eq/ E
   <- count-deterministic MC' MC multiset`eq/ nat`eq/ VN'=VN
   <- plus-respects-eq VN'+X=M VN'=VN nat`eq/ nat`eq/ VN+X=M
   <- plus-commutative VN+X=M X+VN=M
   <- plus-commutative M+L=VN L+M=VN
   <- plus-implies-ge X+VN=M M>=VN
   <- plus-implies-ge L+M=VN VN>=M
   <- nat`ge-anti-symmetric M>=VN VN>=M M=VN
   <- plus-right-cancels L+M=VN plus/z M=VN nat`eq/ L=0
   <- varlevel-contradiction VL L=0 F
   <- false-implies-eql F E.
- : tonat-one2one/L (tonat/app MC' _ _ _ _ VN'+X=M) (tonat/var MC VL M+L=VN) nat`eq/ E
   <- count-deterministic MC' MC multiset`eq/ nat`eq/ VN'=VN
   <- plus-respects-eq VN'+X=M VN'=VN nat`eq/ nat`eq/ VN+X=M
   <- plus-commutative VN+X=M X+VN=M
   <- plus-commutative M+L=VN L+M=VN
   <- plus-implies-ge X+VN=M M>=VN
   <- plus-implies-ge L+M=VN VN>=M
   <- nat`ge-anti-symmetric M>=VN VN>=M M=VN
   <- plus-right-cancels L+M=VN plus/z M=VN nat`eq/ L=0
   <- varlevel-contradiction VL L=0 F
   <- false-implies-eql F E.
- : tonat-one2one/L (tonat/var MC VL M+L=VN) (tonat/lam MC' _ _ _ _ VN'+X=M) nat`eq/ E
   <- count-deterministic MC' MC multiset`eq/ nat`eq/ VN'=VN
   <- plus-respects-eq VN'+X=M VN'=VN nat`eq/ nat`eq/ VN+X=M
   <- plus-commutative VN+X=M X+VN=M
   <- plus-commutative M+L=VN L+M=VN
   <- plus-implies-ge X+VN=M M>=VN
   <- plus-implies-ge L+M=VN VN>=M
   <- nat`ge-anti-symmetric M>=VN VN>=M M=VN
   <- plus-right-cancels L+M=VN plus/z M=VN nat`eq/ L=0
   <- varlevel-contradiction VL L=0 F
   <- false-implies-eql F E.
- : tonat-one2one/L (tonat/lam MC' _ _ _ _ VN'+X=M) (tonat/var MC VL M+L=VN) nat`eq/ E
   <- count-deterministic MC' MC multiset`eq/ nat`eq/ VN'=VN
   <- plus-respects-eq VN'+X=M VN'=VN nat`eq/ nat`eq/ VN+X=M
   <- plus-commutative VN+X=M X+VN=M
   <- plus-commutative M+L=VN L+M=VN
   <- plus-implies-ge X+VN=M M>=VN
   <- plus-implies-ge L+M=VN VN>=M
   <- nat`ge-anti-symmetric M>=VN VN>=M M=VN
   <- plus-right-cancels L+M=VN plus/z M=VN nat`eq/ L=0
   <- varlevel-contradiction VL L=0 F
   <- false-implies-eql F E.
- : tonat-one2one/L (tonat/var MC VL M+L=VN) (tonat/rec MC' _ _ _ VN'+X=M) nat`eq/ E
   <- count-deterministic MC' MC multiset`eq/ nat`eq/ VN'=VN
   <- plus-respects-eq VN'+X=M VN'=VN nat`eq/ nat`eq/ VN+X=M
   <- plus-commutative VN+X=M X+VN=M
   <- plus-commutative M+L=VN L+M=VN
   <- plus-implies-ge X+VN=M M>=VN
   <- plus-implies-ge L+M=VN VN>=M
   <- nat`ge-anti-symmetric M>=VN VN>=M M=VN
   <- plus-right-cancels L+M=VN plus/z M=VN nat`eq/ L=0
   <- varlevel-contradiction VL L=0 F
   <- false-implies-eql F E.
- : tonat-one2one/L (tonat/rec MC' _ _ _ VN'+X=M) (tonat/var MC VL M+L=VN) nat`eq/ E
   <- count-deterministic MC' MC multiset`eq/ nat`eq/ VN'=VN
   <- plus-respects-eq VN'+X=M VN'=VN nat`eq/ nat`eq/ VN+X=M
   <- plus-commutative VN+X=M X+VN=M
   <- plus-commutative M+L=VN L+M=VN
   <- plus-implies-ge X+VN=M M>=VN
   <- plus-implies-ge L+M=VN VN>=M
   <- nat`ge-anti-symmetric M>=VN VN>=M M=VN
   <- plus-right-cancels L+M=VN plus/z M=VN nat`eq/ L=0
   <- varlevel-contradiction VL L=0 F
   <- false-implies-eql F E.
% lit / lit: cancel the common offset (P1/P2) and the common factor (T1/T2)
% to get the literal values equal, then use the congruence lemma.
- : tonat-one2one/L (tonat/lit MC1 T1 P1) (tonat/lit MC2 T2 P2) nat`eq/ (eql/eq T1=T2)
   <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ VN1=VN2
   <- plus-left-cancels P1 P2 VN1=VN2 nat`eq/ TM1=TM2
   <- times-left-cancels T1 T2 nat`eq/ TM1=TM2 M1=M2
   <- lit-preserves-eq M1=M2 T1=T2.
% 2 > 1: the remainder bound needed by divrem-can-be-constructed below.
%abbrev 2>1 = gt/1.
% lit / app (both orders): a parity argument.  The lit code is a multiple
% (div-can-be-constructed on T) while the app code is one more than a
% multiple of the same factor (divrem with remainder 1); divrem-deterministic
% then yields the impossible 0 = 1.
- : tonat-one2one/L (tonat/lit MC T P) (tonat/app MC' _ _ _ T' P') nat`eq/ E
   <- count-deterministic MC' MC multiset`eq/ nat`eq/ VN'=VN
   <- plus-left-cancels P' P VN'=VN nat`eq/ TM'+1=TM
   <- times-commutative T Tc
   <- div-can-be-constructed Tc DR
   <- plus-commutative (plus/s plus/z) TM'+ONE=TM'+1
   <- plus-respects-eq TM'+ONE=TM'+1 nat`eq/ nat`eq/ TM'+1=TM TM'+ONE=TM
   <- times-commutative T' Tc'
   <- divrem-can-be-constructed Tc' TM'+ONE=TM 2>1 DR'
   <- divrem-deterministic DR DR' nat`eq/ nat`eq/ QE ZERO=ONE
   <- nat`eq-contradiction ZERO=ONE F
   <- false-implies-eql F E.
- : tonat-one2one/L (tonat/app MC' _ _ _ T' P') (tonat/lit MC T P) nat`eq/ E
   <- count-deterministic MC' MC multiset`eq/ nat`eq/ VN'=VN
   <- plus-left-cancels P' P VN'=VN nat`eq/ TM'+1=TM
   <- times-commutative T Tc
   <- div-can-be-constructed Tc DR
   <- plus-commutative (plus/s plus/z) TM'+ONE=TM'+1
   <- plus-respects-eq TM'+ONE=TM'+1 nat`eq/ nat`eq/ TM'+1=TM TM'+ONE=TM
   <- times-commutative T' Tc'
   <- divrem-can-be-constructed Tc' TM'+ONE=TM 2>1 DR'
   <- divrem-deterministic DR DR' nat`eq/ nat`eq/ QE ZERO=ONE
   <- nat`eq-contradiction ZERO=ONE F
   <- false-implies-eql F E.
% app / app: cancel offset, successor and factor, then the pairing
% (nat2pair) is deterministic, so the two components are equal and the
% lemma recurses on function and argument.
- : tonat-one2one/L (tonat/app MC1 TN1a TN1b P2N1 T1 P1) (tonat/app MC2 TN2a TN2b P2N2 T2 P2) nat`eq/ (eql/app E1 E2)
   <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ VN1=VN2
   <- plus-left-cancels P1 P2 VN1=VN2 nat`eq/ TM1+1=TM2+1
   <- succ-cancels TM1+1=TM2+1 TM1=TM2
   <- times-left-cancels T1 T2 nat`eq/ TM1=TM2 (M1=M2:nat`eq M1 M2)
   <- nat2pair-deterministic P2N1 P2N2 M1=M2 PR1=PR2
   <- natpair`pair-eq-implies-eq PR1=PR2 EQa EQb
   <- tonat-one2one/L TN1a TN2a EQa E1
   <- tonat-one2one/L TN1b TN2b EQb E2.
% Concrete arithmetic facts used to regroup the lam and rec encodings.
%abbrev 2+2=4 : plus (s (s z)) (s (s z)) (s (s (s (s z)))) = (plus/s (plus/s plus/z)).
%abbrev 2x2=4 : times (s (s z)) (s (s z)) (s (s (s (s z)))) = (times/s (times/s times/z plus/z) 2+2=4).
% app / lam (both orders): the lam code is regrouped with 2x2=4 into a
% multiple of 2, the app code is 1 mod 2; contradiction 0 = 1 as before.
- : tonat-one2one/L (tonat/app MC1 TN1a TN1b P2N1 T1 P1) (tonat/lam MC2 MC0 MA0 _ T2 P2) nat`eq/ E
   <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ VN1=VN2
   <- plus-left-cancels P1 P2 VN1=VN2 nat`eq/ TM1+1=TM2
   <- times-associative 2x2=4 T2 _ T2' T2''
   <- times-commutative T2'' T2''c
   <- div-can-be-constructed T2''c DR2
   <- plus-commutative (plus/s plus/z) TM1+ONE=TM1+1
   <- plus-respects-eq TM1+ONE=TM1+1 nat`eq/ nat`eq/ TM1+1=TM2 TM1+ONE=TM2
   <- times-commutative T1 T1c
   <- divrem-can-be-constructed T1c TM1+ONE=TM2 2>1 DR1
   <- divrem-deterministic DR2 DR1 nat`eq/ nat`eq/ QE ZERO=ONE
   <- nat`eq-contradiction ZERO=ONE F
   <- false-implies-eql F E.
- : tonat-one2one/L (tonat/lam MC2 MC0 MA0 _ T2 P2) (tonat/app MC1 TN1a TN1b P2N1 T1 P1) nat`eq/ E
   <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ VN1=VN2
   <- plus-left-cancels P1 P2 VN1=VN2 nat`eq/ TM1+1=TM2
   <- times-associative 2x2=4 T2 _ T2' T2''
   <- times-commutative T2'' T2''c
   <- div-can-be-constructed T2''c DR2
   <- plus-commutative (plus/s plus/z) TM1+ONE=TM1+1
   <- plus-respects-eq TM1+ONE=TM1+1 nat`eq/ nat`eq/ TM1+1=TM2 TM1+ONE=TM2
   <- times-commutative T1 T1c
   <- divrem-can-be-constructed T1c TM1+ONE=TM2 2>1 DR1
   <- divrem-deterministic DR2 DR1 nat`eq/ nat`eq/ QE ZERO=ONE
   <- nat`eq-contradiction ZERO=ONE F
   <- false-implies-eql F E.
% app / rec (both orders): the rec code is regrouped with 2x2=4 and its +2
% offset folded in (times/s with P2'c) so it is a multiple of 2; the app
% code is 1 mod 2; contradiction 0 = 1.
- : tonat-one2one/L (tonat/app MC1 _ _ _ T1 P1) (tonat/rec MC2 _ _ T2 P2) nat`eq/ E
   <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ VN1=VN2
   <- plus-left-cancels P1 P2 VN1=VN2 nat`eq/ TM1+1=TM2+2
   <- times-associative 2x2=4 T2 _ _ T2'
   <- times-commutative T2' T2'c
   <- plus-commutative (plus/s (plus/s plus/z)) P2'c
   <- div-can-be-constructed (times/s T2'c P2'c) DR2
   <- plus-commutative (plus/s plus/z) TM1+ONE=TM1+1
   <- plus-respects-eq TM1+ONE=TM1+1 nat`eq/ nat`eq/ TM1+1=TM2+2 TM1+ONE=TM2+2
   <- times-commutative T1 T1c
   <- divrem-can-be-constructed T1c TM1+ONE=TM2+2 2>1 DR1
   <- divrem-deterministic DR2 DR1 nat`eq/ nat`eq/ QE ZERO=ONE
   <- nat`eq-contradiction ZERO=ONE F
   <- false-implies-eql F E.
- : tonat-one2one/L (tonat/rec MC2 _ _ T2 P2) (tonat/app MC1 _ _ _ T1 P1) nat`eq/ E
   <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ VN1=VN2
   <- plus-left-cancels P1 P2 VN1=VN2 nat`eq/ TM1+1=TM2+2
   <- times-associative 2x2=4 T2 _ _ T2'
   <- times-commutative T2' T2'c
   <- plus-commutative (plus/s (plus/s plus/z)) P2'c
   <- div-can-be-constructed (times/s T2'c P2'c) DR2
   <- plus-commutative (plus/s plus/z) TM1+ONE=TM1+1
   <- plus-respects-eq TM1+ONE=TM1+1 nat`eq/ nat`eq/ TM1+1=TM2+2 TM1+ONE=TM2+2
   <- times-commutative T1 T1c
   <- divrem-can-be-constructed T1c TM1+ONE=TM2+2 2>1 DR1
   <- divrem-deterministic DR2 DR1 nat`eq/ nat`eq/ QE ZERO=ONE
   <- nat`eq-contradiction ZERO=ONE F
   <- false-implies-eql F E.

% Rewrites the level index and the multiset of an encoding under a binder
% along nat`eq / multiset`eq.  With only the reflexive constructors the
% output is the input, which %reduces records for the termination checker.
%theorem tonat-one2one/L/eq : forall* {N} {VN1} {VN2} {N1} {MS1} {MS2} {M} {F} forall {FTN: {v:term N} (varlevel v (s VN1)) -> tonat* N1 MS1 (F v) M} {EQ: nat`eq VN1 VN2} {ME: multiset`eq MS1 MS2} exists {FTN': {v:term N} (varlevel v (s VN2)) -> tonat* N1 MS2 (F v) M} true.
- : tonat-one2one/L/eq FTN nat`eq/ multiset`eq/ FTN.
%worlds (blocksimple | blockvar) (tonat-one2one/L/eq _ _ _ _).
%total { } (tonat-one2one/L/eq _ _ _ _).
%reduces F1 = F2 (tonat-one2one/L/eq F1 _ _ F2).

% lam / lam: cancel offset and factor, identify the binder's count and
% multiset (count-/add-deterministic), align F1's binder types with F2's via
% /L/eq, then recurse under the binder to build an eql/lam2 proof.
- : tonat-one2one/L (tonat/lam MC1 MC01 MA1 ([v] [vl] (F1 v vl)) T1 P1) (tonat/lam MC2 MC02 MA2 ([v] [vl] (F2 v vl)) T2 P2) nat`eq/ (eql/lam2 MC02 MA2 FE)
   <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ VN1=VN2
   <- plus-left-cancels P1 P2 VN1=VN2 nat`eq/ TM1=TM2
   <- times-left-cancels T1 T2 nat`eq/ TM1=TM2 M1=M2
   <- count-deterministic MC01 MC02 multiset`eq/ nat`eq/ ZN1=ZN2
   <- add-deterministic MA1 MA2 multiset`eq/ nat`eq/ MS1=MS2
   <- tonat-one2one/L/eq F1 ZN1=ZN2 MS1=MS2 F1'
   <- ({v} {vl:varlevel v (s ZN2)} tonat-one2one/L (F1' v vl) (F2 v vl) M1=M2 (FE v vl)).
% 4 > 2: remainder bound for the mod-4 argument below.
%abbrev 4>2 : nat`gt (s (s (s (s z)))) (s (s z)) = (gt/> gt/1).
% lam / rec (both orders): the lam code is a multiple of 4 and the rec code
% is 2 mod 4; divrem-deterministic yields the impossible 0 = 2.
- : tonat-one2one/L (tonat/lam MC1 _ _ _ T1 P1) (tonat/rec MC2 _ _ T2 P2) nat`eq/ E
   <- count-deterministic MC2 MC1 multiset`eq/ nat`eq/ VN2=VN1
   <- plus-left-cancels P2 P1 VN2=VN1 nat`eq/ TM2+2=TM1
   <- times-commutative T1 T1c
   <- div-can-be-constructed T1c DR1
   <- plus-commutative (plus/s (plus/s plus/z)) TM2+TWO=TM2+2
   <- plus-respects-eq TM2+TWO=TM2+2 nat`eq/ nat`eq/ TM2+2=TM1 TM2+TWO=TM1
   <- times-commutative T2 T2c
   <- divrem-can-be-constructed T2c TM2+TWO=TM1 4>2 DR2
   <- divrem-deterministic DR1 DR2 nat`eq/ nat`eq/ QE ZERO=TWO
   <- nat`eq-contradiction ZERO=TWO F
   <- false-implies-eql F E.
- : tonat-one2one/L (tonat/rec MC2 _ _ T2 P2) (tonat/lam MC1 _ _ _ T1 P1) nat`eq/ E
   <- count-deterministic MC2 MC1 multiset`eq/ nat`eq/ VN2=VN1
   <- plus-left-cancels P2 P1 VN2=VN1 nat`eq/ TM2+2=TM1
   <- times-commutative T1 T1c
   <- div-can-be-constructed T1c DR1
   <- plus-commutative (plus/s (plus/s plus/z)) TM2+TWO=TM2+2
   <- plus-respects-eq TM2+TWO=TM2+2 nat`eq/ nat`eq/ TM2+2=TM1 TM2+TWO=TM1
   <- times-commutative T2 T2c
   <- divrem-can-be-constructed T2c TM2+TWO=TM1 4>2 DR2
   <- divrem-deterministic DR1 DR2 nat`eq/ nat`eq/ QE ZERO=TWO
   <- nat`eq-contradiction ZERO=TWO F
   <- false-implies-eql F E.
% rec / rec: as lam / lam, with two successors to cancel for the +2 offset;
% the binder's level is taken from the multiset count VN2.
- : tonat-one2one/L (tonat/rec MC1 MA1 ([v] [vl] (F1 v vl)) T1 P1) (tonat/rec MC2 MA2 ([v] [vl] (F2 v vl)) T2 P2) nat`eq/ (eql/rec2 plus/z MC2 MA2 FE)
   <- count-deterministic MC1 MC2 multiset`eq/ nat`eq/ VN1=VN2
   <- plus-left-cancels P1 P2 VN1=VN2 nat`eq/ TM1+2=TM2+2
   <- succ-cancels TM1+2=TM2+2 TM1+1=TM2+1
   <- succ-cancels TM1+1=TM2+1 TM1=TM2
   <- times-left-cancels T1 T2 nat`eq/ TM1=TM2 M1=M2
   <- add-deterministic MA1 MA2 multiset`eq/ nat`eq/ MS1=MS2
   <- tonat-one2one/L/eq F1 VN1=VN2 MS1=MS2 F1'
   <- ({v} {vl:varlevel v (s VN2)} tonat-one2one/L (F1' v vl) (F2 v vl) M1=M2 (FE v vl)).
%worlds (blockvar) (tonat-one2one/L _ _ _ _).
%total (T) (tonat-one2one/L T _ _ _).
% The main theorem: go through eql* at index z, then eql-implies-eq.
- : tonat-one2one TN1 TN2 EQ TEQ
   <- tonat-one2one/L TN1 TN2 EQ EQL
   <- eql-implies-eq EQL TEQ.
%worlds () (tonat-one2one _ _ _ _).
%total { } (tonat-one2one _ _ _ _).