### isabelle

#### What happens during function proofs

I am trying to prove a property of the icmp6 checksum function (sum 16-bit integers, add carry, invert 16-bit integer). I defined the functions in Isabelle. (I know my proofs are terrible.) But for some reason, Isabelle can't prove something about the icmp_csum function that it wants to have. When I replace the oops in the paste with done it produces thousands of lines that just say: "linarith_split_limit exceeded (current value is 9)"

```isabelle
theory Scratch
imports Main Int List
begin

fun norm_helper :: "nat ⇒ nat" where
  "norm_helper x = (let y = divide x 65536 in (y + x - y * 65536))"

lemma "x ≥ 65536 ⟹ norm_helper x < x" by simp
lemma h: "norm_helper x ≤ x" by simp

fun normalize :: "nat ⇒ nat" where
  "normalize x = (if x ≥ 65536 then normalize (norm_helper x) else x)"

inductive norm_to :: "nat ⇒ nat ⇒ bool" where
  "(x < 65536) ⟹ norm_to x x"
| "norm_to y z ⟹ y = norm_helper x ⟹ norm_to x z"

lemma ne: "norm_to x y ⟹ y = normalize x"
  apply (induct x y rule: norm_to.induct) by simp+
lemma i: "norm_to x y ⟹ x ≥ y"
  apply (induct x y rule: norm_to.induct) by simp+
lemma l: "norm_to x y ⟹ y < 65536"
  apply (induct x y rule: norm_to.induct) by simp+

lemma en: "y = normalize x ⟹ norm_to x y"
  apply (induct x rule: normalize.induct)
proof -
  fix x :: nat
  assume 1: "(x ≥ 65536 ⟹ y = Scratch.normalize (norm_helper x) ⟹ norm_to (norm_helper x) y)"
  assume 2: "y = Scratch.normalize x"
  show "norm_to x y"
  proof (cases "x ≥ 65536")
    show "¬ 65536 ≤ x ⟹ norm_to x y" using norm_to.intros(1)[of x] 2 by simp
    {
      assume s: "65536 ≤ x"
      have d: "y = normalize (norm_helper x)" using 2 s by simp
      show "65536 ≤ x ⟹ norm_to x y"
        using 1 d norm_to.intros(2)[of "norm_helper x" y x] by blast
    }
  qed
qed

lemma "normalize x ≤ x" using en i by simp
lemma n[simp]: "normalize x < 65536" using en l by blast

fun sum :: "nat list ⇒ nat" where
  "sum [] = 0"
| "sum (x#xs) = x + sum xs"

fun csum :: "nat list ⇒ nat" where
  "csum xs = normalize (sum xs)"

fun invert :: "nat ⇒ nat" where
  "invert x = 65535 - x"

lemma c: "csum xs ≤ 65535" using n[of "sum xs"] by simp
lemma ic: "invert (csum xs) ≥ 0" using c[of xs] by blast

lemma asdf:
  assumes "xs = ys"
  shows "invert (csum xs) = invert (csum ys)"
  using HOL.arg_cong[of "csum xs" "csum ys" invert, OF HOL.arg_cong[of xs ys csum]] assms(1) by blast

function icmp_csum :: "nat list ⇒ nat" where
  "icmp_csum xs = invert (csum xs)"
  apply simp
  apply (rule asdf)
  apply simp
  oops

end
```

I have no idea why there is tracing output from linarith there, but given that your definition is neither recursive nor performs pattern matching, you can write it as a definition:

```isabelle
definition icmp_csum :: "nat list ⇒ nat" where
  "icmp_csum xs = invert (csum xs)"
```

Another possibility is to change invert to a definition instead of a fun. (In general, if it's neither recursive nor performs pattern matching, definition is preferable because it has much less overhead than fun.)

NB, just import Main, not Main Int List.

Edit: An explanation from Tobias Nipkow on the mailing list:

> This is a known issue. In the outdated LNCS 2283 you can find a discussion what to do about it in Section 3.5.3 Simplification and Recursive Functions. The gist: don't use "if", use pattern matching or "case". Or disable if_split.
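The question's theory reworked along the lines of this answer, as an added example that is neither the asker's nor the answerer's code: norm_helper, invert, csum and icmp_csum become definitions, normalize keeps its recursive "if" but gets an explicit termination proof and guarded simp rules in place of the unconditional one that simp unfolds without end under if_split, and the checksum's defining property (inverting it gives the folded sum back) is proved. It assumes norm_helper written as x mod 65536 + x div 65536, which has the same value as the Let form in the question, and renames the list sum to sum_words to keep it apart from HOL's own sum.

```isabelle
theory Scratch_Fixed
  imports Main
begin
(* Neither recursive nor pattern matching, so a definition, not a fun;
   x mod 65536 + x div 65536 is one end-around-carry step (equals the Let form) *)
definition norm_helper :: "nat ⇒ nat" where
  "norm_helper x = x mod 65536 + x div 65536"
lemma norm_helper_less: "65536 ≤ x ⟹ norm_helper x < x"
proof -
  assume "65536 ≤ x"
  hence "1 ≤ x div 65536" using div_le_mono [of 65536 x 65536] by simp
  moreover have "x = 65536 * (x div 65536) + x mod 65536"
    by (rule mult_div_mod_eq [symmetric])
  ultimately show ?thesis unfolding norm_helper_def by linarith
qed

(* Recursive under an "if": prove termination by hand, then replace the
   unconditional simp rule (which simp loops on under if_split) by guarded ones *)
function normalize :: "nat ⇒ nat" where
  "normalize x = (if 65536 ≤ x then normalize (norm_helper x) else x)"
  by pat_completeness auto
termination by (relation "measure id") (simp_all add: norm_helper_less)
declare normalize.simps [simp del]

lemma normalize_simps [simp]:
  "65536 ≤ x ⟹ normalize x = normalize (norm_helper x)"
  "¬ 65536 ≤ x ⟹ normalize x = x"
  by (simp_all add: normalize.simps [of x])

lemma normalize_bound: "normalize x < 65536"
proof (induction x rule: normalize.induct)
  case (1 x)
  then show ?case by (cases "65536 ≤ x") simp_all
qed

fun sum_words :: "nat list ⇒ nat" where  (* named apart from HOL's own sum *)
  "sum_words [] = 0"
| "sum_words (x # xs) = x + sum_words xs"

definition csum :: "nat list ⇒ nat" where "csum xs = normalize (sum_words xs)"
definition invert :: "nat ⇒ nat" where "invert x = 65535 - x"
definition icmp_csum :: "nat list ⇒ nat" where "icmp_csum xs = invert (csum xs)"

lemma icmp_csum_bound: "icmp_csum xs ≤ 65535"
  by (simp add: icmp_csum_def invert_def)

lemma invert_icmp_csum: "invert (icmp_csum xs) = csum xs"
  using normalize_bound [of "sum_words xs"]
  unfolding icmp_csum_def invert_def csum_def by arith
end
```

Because icmp_csum is a definition, there are no completeness or compatibility goals at all, so the apply simp that triggered the linarith splitting in the question never runs; unfold icmp_csum_def where the equation is needed.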
