Formalization of Measure and Lebesgue Integration overExtended Reals in HOL

Tarek Mhamdi, Osman Hasan, and Sofiene Tahar

Department of Electrical and Computer Engineering,Concordia University, Montreal, Canada

mhamdi,o hasan,tahar@ece.concordia.ca

Technical Report

Jan, 2011

Abstract

Measure theory and Lebesgue integration are fundamental tools in a wide range of mathematical

theories such probability and information theory. Consequently, a formalization of these theories is

highly required to be able to tackle numerous application using a theorem prover. This report is primarily

focused towards overcoming the shortcomings of previous formalizations to raise the state-of-the-art in

higher-order-logic formalization of measure and Lebesgue integration from the existing level, where they

are applicable only to isolated facets, to a level allowing formal analysis of contemporary engineering and

scientific problems. In this regard, we propose to develop a rigorous higher-order-logic formalization of

measure, Lebesgue integration and probability theories over the extended real numbers, which are real

numbers extended with positive and negative infinity. We also formalize the Radon-Nikodym derivative

and prove some of its properties using the HOL theorem prover.

1 Introduction

Traditionally, paper-and-pencil based analytical techniques have been used for probabilisticor information-theoretic analysis but these methods do not scale very well to most real-world systems. Therefore, computer simulations are predominantly used for probabilisticanalysis these days. However, due to its inherent nature, computer simulation can neverascertain 100% accuracy. This fact is extremely undesirable due to the ever increasing usageof probabilistic and information theoretic analysis in the design of safety and mission criticalsystems. Formal methods tend to overcome such inaccuracy limitations. The main theoriesrequired to formalize probability and information theory are the theories of measure and

1

Lebesgue integration. In fact, they allow us to provide a rigorous treatment of probabilityand a unified framework where the definitions are valid for the discrete and continuous cases.Various higher-order-logic formalization of measure and Lebesgue integration have recentlybeen proposed [7, 2, 9]. However, the underlying theories of this development have certainconstraints and lack important properties of the quantities formalized, which are necessaryfor any probabilistic analysis. For example, the theories do not support infinite values forfunctions or integrals, which limits the scope of applications and most importantly preventsthe proof of important and necessary theorems, like the Radon Nikodym theorem [4].

This report is primarily focused towards overcoming these shortcomings as we attemptto raise the state-of-the-art in higher-order-logic formalization of measure and Lebesgueintegration from the existing level, where they are applicable only to isolated facets, toa level allowing formal analysis of contemporary engineering and scientific problems. Inthis regard, we propose to develop a rigorous higher-order-logic formalization of measureand Lebesgue integration theories over the extended real numbers, which are real numbersextended with positive and negative infinity.

Using extended reals to define the measure theory allows us to work with regular finitenon-negative measures, infinite measures as well as signed measures. Working with functionsor random variables that can take infinite values, allows us to prove important limitingtheorems that are not possible to prove when we do not consider infinite values. In fact, inthat case, the limit of a sequence is undefined when the sequence is not convergent. However,in the extended reals case, a limit is always defined and can be infinite. Finally, workingwith infinite Lebesgue integrals allows us to prove various convergence theorems withoutrequiring the sequences to be convergent.

Building on top of this framework, we define the Radon Nikodym derivative and prove itsproperties. The existence of this derivative for absolutely continuous measures is guaranteedby the so called Radon Nikodym theorem. The proof of this theorem was the main motivationto use the extended reals in the formalization.

All of the above mentioned formalization is done using the HOL theorem prover [5] andthe report provides the associated formalization and verification details. This infrastruc-ture paves the path to the formal probabilistic and information-theoretic analysis of manyengineering systems and protocols.

2 Related Work

Based on the work of Hurd [7] on measure theory, Coble [2] formalized the main conceptsof Lebesgue integration and probability and used them in the formalization of informationtheory in HOL. Coble used this framework to verify anonymity properties of the diningcryptographers protocol. This formalization, however, does not include important conver-gence theorems and properties of the Lebesgue integral and measurable functions, limitingthe scope of its applications. We provided a generalization of this work [9], based on Borelspaces, allowing us to verify those properties and theorems. Both formalizations, however,only consider finite-valued measures, functions and integrals. In this report, we propose todefine a new type for extended reals and use it to formalize measure, Lebesgue integration,probability and main concepts of information theory. Using extended reals in the formal-ization has many advantages. It allows us to define sigma-finite and other infinite measuresas well as signed measures. Properties of the Lebesgue integral like the monotonicity canbe proven even for non-integrable functions, but most importantly, it allows us to prove

2

convergence theorems that are valid even for non convergent sequences. The latter wasthe main reason to define extended-real-valued integrals, to be able to prove the impor-tant Radon Nikodym theorem. This theorem, and consequently some of the properties ofthe Radon Nikodym derivative, could not be proven using the formalizations in [2, 9]. TheRadon Nikodym derivative is needed in the definition of the relative entropy. To the best ourknowledge, this is the first higher-order-logic formalization of the Radon Nikodym derivativewhich also includes their properties.

A formalization of the positive extended reals in HOL was proposed by Hurd [8] and hasbeen imported to the Isabelle theorem prover [10]. We propose a formalization that includesall real numbers as well as the positive infinity +∞ and negative infinity −∞. This has,obviously, the advantage of working with negative extended real numbers, for example forsigned measures. A formalization of measure theory defined on the positive extended realshas been developed in Isabelle [6], based on the work of Coble [2]. This has been used toprove the Radon Nikodym theorem. The main difference with our work is the use of extendedreals, which allows us to define signed measures as well as have the integral defined on theextended reals for arbitrary functions.

A formalization of the Lebesgue integral on the extended reals has been proposed inMizar [11]. We provide a more general formalization that allowed us to formalize the RadonNikodym derivative and prove its properties. To the best of our knowledge, neither theRadon Nikodym derivative and its properties nor the relative entropy have been formalizedin Mizar.

3 Extended Real Numbers

The set of extended real numbers R is the set of real numbers R extended with two additionalelements, namely, the positive infinity +∞ and negative infinity −∞. R is useful to describevarious limiting behaviors in many mathematical fields. For instance, it is necessary touse the extended reals system to define the integration theory, otherwise the convergencetheorems such as the monotone convergence and dominated convergence theorems wouldbe less useful. Using the extended reals to define the measure theory makes it possible todefine sigma finite measures and other infinite measures. With extended reals, the limit ofa monotonic sequence is always defined, infinite when the sequence is divergent, but stilldefined and properties can be proven on it. The price to pay for these advantages is anincreased level of difficulty in the analysis and the need to prove a large body of theoremson the extended reals and operators on them.

An extended real is either a normal real number, positive infinity or negative infinity. weuse Hol_datatype to define the new type extreal as follows,

val _ = Hol_datatype‘extreal = NegInf | PosInf | Normal of real‘;

The arithmetic operations of R are extended to R with partial functions. For example theaddition is extended as follow.

∀a. a 6= −∞ ⇒ a+ (+∞) = +∞+ a = +∞

∀a. a 6= +∞ ⇒ a+ (−∞) = −∞+ a = −∞

This is formalized in higher-order logic as

3

val extreal_add_def = Define‘

(extreal_add (Normal x) (Normal y) = (Normal (x + y))) ∧(extreal_add (Normal _) a = a) ∧(extreal_add b (Normal _) = b) ∧(extreal_add NegInf NegInf = NegInf) ∧(extreal_add PosInf PosInf = PosInf)‘

The function is left undefined when one of the operands is PosInf and the other is NegInf.Similarly, we extend the other arithmetic operators and prove their properties.for all ∀a ∈ R, −∞ ≤ a ≤ +∞. With this order, R is a complete lattice where every subsethas a supremum and an infimum. The supremum is formalized in HOL as:

val extreal_sup_def = Define

‘extreal_sup p =

if ∀x. (∀y. p y ⇒ y ≤ x) ⇒ (x = PosInf) then PosInf

else (if ∀x. p x ⇒ (x = NegInf) then NegInf

else Normal (sup (λr. p (Normal r))))’;

In this definition, sup refers to the supremum over a set of real numbers. Next, we tacklethe following theorem, which we will use in the Radon Nikodym theorem proof in Section ??

Theorem 1. For any non-empty, upper bounded (by a finite number) set P of extended realnumbers, there exists a monotonically increasing sequence of elements of P that convergesto the supremum of P .

For the case where the supremum is an element of the set, we simply consider the sequence∀n, xp(n) = supP . Otherwise, we prove that xp(n), defined below, is one such sequence.

xp(0) = @r. r ∈ P ∧ (supP − 1) < r and

xp(n+ 1) = @r. r ∈ P ∧ max(xp(n), supP − 12n+1 ) < r < supP

where @ represents the Hilbert choice operator.We then define the sum of extended real numbers over a finite set and prove its propertieswhenever the sum is defined. The obvious way to define the sum is the following

val SIGMA_DEF = new_definition("SIGMA_DEF",

‘‘SIGMA f s = ITSET (λe acc. f e + acc) s (0:extreal)’’)

However, using this definition, we are not able to prove the recursive form without requiringthat all the elements we are adding are finite. In fact, to be able to prove the recursive form,we need to use the theorem

∀f e s b.

(∀x y z. f x (f y z) = f y (f x z)) ∧ FINITE s ⇒(ITSET f (e INSERT s) b = f e (ITSET f (s DELETE e) b))

This requires that the addition is associative and commutative for all the elements considered,which is not the case unless we restrict our definition to finite values. This is, obviously,undesirable when working with extended real numbers. Instead, we propose the followingdefinition for the sum.

4

val SIGMA_def = let open TotalDefn

in tDefine "SIGMA"

‘SIGMA (f:’a -> extreal) (s: ’a -> bool) =

if FINITE s then

if s= then 0:extreal

else f (CHOICE s) + SIGMA f (REST s)

else ARB‘

(WF_REL_TAC ‘measure (CARD o SND)‘ THEN

METIS_TAC [CARD_PSUBSET, REST_PSUBSET])

end;

We use WF_REL_TAC to initiate the termination proof of the definition with the measurefunction measure (CARD o SND). From this definition, we prove the recursive form, whichwill be used in proving the main properties of the sum.

∀f s. FINITE s ⇒∀e. (∀x. x ∈ e INSERT s ⇒ f x 6= NegInf) ∨

(∀x. x ∈ e INSERT s ⇒ f x 6= PosInf) ⇒(SIGMA f (e INSERT s) = f e + SIGMA f (s DELETE e))

Notice that we can have infinite values as long as the sum in defined. The properties thatwe proved include the linearity, monotonicity, and the summation over disjoint sets andproducts of sets.Finally, we define the infinite sum of extended real numbers

∑n∈N xn using the SIGMA and

sup operators and prove its properties.

val ext_suminf_def = Define

‘ext_suminf f = sup (IMAGE (λn. SIGMA f (count n)) UNIV)’

We provide an extensive formalization of the extended real numbers, which consists ofmore than 220 theorems written in around 3000 lines of code. It contains all the necessarytools to formalize most of the concepts that we need in measure, integration, probabilityand information theories. The proof script is available and can used in a variety of otherapplications as well. In the next sections, we present the formalization of these theoriesbased on the extended real numbers.

4 Formalization of Measure, Integration and Probability

Using measure theory to formalize probability has the advantage of providing a mathemati-cally rigorous treatment of probabilities and a unified framework for discrete and continuousprobability measures. In this context, a probability measure is a measure function, an eventis a measurable set and a random variable is a measurable function. The expectation ofa random variable is its integral with respect to the probability measure. The Lebesgueintegral is used because it provides a unique definition for discrete and continuous randomvariables, it handles a broader class of functions than the Reimann integral, and it exhibitsa better behavior when it comes to interchanging limits and integrals. Most of the conceptsof this section have already been formalized in HOL [9]. However, the formalization of thisreport is based on the extended reals. In this context, the limit of a monotonically increas-ing sequence becomes the supremum and can be infinite. This allows us to verify variouslimiting properties and convergence theorems.

5

4.1 Measure Theory

By definition, measurable functions satisfy the condition that the inverse image of a mea-surable set is also measurable, which we formalize in higher-order logic as follows

` ∀a b f. f ∈ measurable a b =

sigma_algebra a ∧ sigma_algebra b ∧f ∈ (space a → space b) ∧∀s. s ∈ subsets b ⇒ PREIMAGE f s ∩ space a ∈ subsets a

This definition applies to functions defined on arbitrary spaces. We are interested in real-valued measurable functions and hence the Borel sigma algebra on the set of extended realnumbers is used. Working with the Borel sigma algebra makes the set of measurable func-tions a vector space. It also allows us to formally verify various properties of the measurablefunctions necessary for the formalization of the Lebesgue integral and its properties in HOL.

We define the Borel sigma algebra on R, which we call Borel, as the smallest sigmaalgebra generated by the open rays

val Borel_def = Define

‘Borel = sigma (UNIV:extreal->bool)

(IMAGE (λa. x:extreal | x < a) UNIV)’

where sigma is defined as

sigma sp st = (sp,⋂

s | st ⊆ s ∧ sigma_algebra (sp,s))

We also prove that the Borel sigma algebra on the extended reals is the smallest sigmaalgebra generated by any of the following classes of intervals: [c,+∞], (c,+∞], [−∞, c],(c, d), [c, d), (c, d], [c, d], where c, d ∈ R. Using the above result, we prove that to check themeasurability of extended-real-valued function, it is sufficient to check that the inverse imageof the open ray is measurable. The same result is valid for the other classes of intervals.

Theorem 2. Let (X,A) be a measurable space. A function f : X → R is measurable with

respect to (A,B(R)) iff ∀c ∈ R, f−1([−∞, c[) ∈ A

We prove in HOL various properties of the extended-real-valued measurable functions.

• Every constant real function on a space X is measurable.

• The indicator function on a set A is measurable iff A is measurable.

• Let f and g be measurable functions and c ∈ R, then the following functions are alsomeasurable: cf, |f |, fn, f + g, fg and max(f, g).

• If (fn) is a monotonically increasing sequence of extended-real-valued measurable func-tions such that ∀x, f(x) = supn∈N fn(x), then f is a measurable function.

4.2 Lebesgue Integral

The Lebesgue integral is defined using a special class of functions called positive simplefunctions. They are measurable functions taking finitely many values. In other words, a

6

positive simple function g is represented by the triple (s, a, x) as a finite linear combinationof indicator functions of measurable sets (ai) that form a partition of the space X.

∀t ∈ X, g(t) =∑i∈s

xiIai(t) ci ≥ 0 (1)

We also add the condition that positive simple functions take finite values, i.e., ∀i ∈ s. xi <∞. Their Lebesgue integral can however be infinite.

The Lebesgue integral is first defined for positive simple functions then extended to non-negative functions and finally to arbitrary functions. Let (X,A, µ) be a measure space. Theintegral of the positive simple function g with respect to the measure µ is given by∫

X

g dµ =∑i∈s

xiµ(ai) (2)

This is formalized in HOL as

val pos_simple_fn_integral_def = Define

‘pos_simple_fn_integral m s a x =

SIGMA (λi. x i * measure m (a i)) s’

While the choice of ((xi), (ai), s) to represent g is not unique, we prove that the integralas defined above is independent of that choice. We also prove important properties of theLebesgue integral of positive simple functions such as the linearity and monotonicity. TheLebesgue integral of non-negative measurable functions is given by∫

X

f dµ = sup∫X

g dµ | g ≤ f and g positive simple function (3)

Its formalization in HOL is the following

val pos_fn_integral_def = Define

‘pos_fn_integral m f =

sup r | ∃g. r ∈ psfis m g ∧ ∀x. g x ≤ f x’

where psfis m g is used to represent the Lebesgue integral of the positive simple functiong. Finally, the integral for arbitrary measurable functions is given by∫

X

f dµ =

∫X

f+ dµ−∫X

f− dµ (4)

where f+ and f− are the non-negative measurable functions defined by f+(x) = max(f(x), 0)and f−(x) = max(−f(x), 0).

val fn_integral_def = Define

‘fn_integral m f = pos_fn_integral m (fn_plus f) -

pos_fn_integral m (fn_minus f)’

As defined above, the Lebesgue integral can be undefined when the integrals of bothf+ and f− are infinite. This requires that in most properties of the Lebesgue integral, weassume that the functions are integrable, as defined next.

7

Definition 1. Let (X,A, µ) be a measure space, a measurable function f is integrable iff∫Xf+ dµ <∞ and

∫Xf− dµ <∞

val integrable_def = Define

‘integrable m f =

f ∈ measurable (m_space m,measurable_sets m) Borel ∧pos_fn_integral m (fn_plus f) 6= PosInf ∧pos_fn_integral m (fn_minus f) 6= PosInf’;

4.2.1 Lebesgue Monotone Convergence

The monotone convergence is arguably the most important theorem of the Lebesgue inte-gration theory and it plays a major role in the proof of the Radon Nikodym theorem [1] andthe properties of the integral. We present in the sequel a proof of the theorem in HOL.

Theorem 3. gLet (fn) be a monotonically increasing sequence of non-negative measurable functions suchthat ∀x, f(x) = supn∈N fn(x), then∫

X

f dµ = supn∈N

∫X

fn dµ

` ∀m f fi. measure_space m ∧ ∀i x. 0 ≤ fi i x ∧∀i. fi i ∈ measurable (m_space m, measurable_sets m) Borel ∧∀x. mono_increasing (λi. fi i x) ∧∀x. x ∈ m_space m ⇒ f x = sup (IMAGE (λi. fi i x) UNIV) ⇒

pos_fn_integral m f =

sup (IMAGE (λi. pos_fn_integral m (fi i)) UNIV)

We prove the Lebesgue monotone convergence theorem by using the properties of the supre-mum and by proving the lemma stating that if f is the supremum of a monotonically in-creasing sequence of non-negative measurable functions fn and g is a positive simple functionsuch that g ≤ f , then the integral of g satisfies∫

X

g dµ ≤ supn∈N

∫X

fn dµ

Or, as formalized in HOL:

` ∀m f fi g r.

measure_space m ∧ ∀i x. 0 ≤ fi i x ∧∀i. fi i ∈ measurable (m_space m, measurable_sets m) Borel ∧∀x. mono_increasing (λi. fi i x) ∧∀x. x ∈ m_space m ⇒ f x = sup (IMAGE (λi. fi i x) UNIV) ∧r ∈ psfis m g ∧ ∀x. g x ≤ f x ⇒

r ≤ sup (IMAGE (λi. pos_fn_integral m (fi i)) UNIV)

4.2.2 Lebesgue Integral Properties

Most properties of the Lebesgue integral cannot be proved directly from the definition ofthe integral. We prove instead that any measurable function is the limit of a sequence ofpositive simple functions. The properties of the Lebesgue integral are then derived from theproperties on the positive simple functions.

8

Theorem 4. For any non-negative measurable function f there exists a monotonically in-creasing sequence of positive simple functions (fn) such that ∀x, f(x) = supn∈N fn(x).Besides ∫

X

f dµ = supn∈N

∫X

fn dµ

The above theorem is formalized in HOL as

` ∀m f. measure_space m ∧ ∀x. 0 ≤ f x ∧f ∈ measurable (m_space m,measurable_sets m) Borel ⇒∃fi ri. ∀x. mono_increasing (λi. fi i x) ∧∀x. x ∈ m_space m ⇒ sup (IMAGE (ı. fi i x) UNIV) = f x ∧∀i. ri i ∈ psfis m (fi i) ∧pos_fn_integral m f =

sup (IMAGE (λi. pos_fn_integral m (fi i)) UNIV)

We prove this theorem by showing that the sequence (fn), defined below, satisfies the condi-tions of the theorem and use the Lebesgue monotone convergence theorem to conclude that∫Xf dµ = supn∈N

∫Xfn dµ.

fn(x) =

4n−1∑k=0

k

2nIx| k

2n≤f(x)< k+1

2n + 2nIx|2n≤f(x)

For arbitrary integrable functions, Theorem 4 is applied to f+ and f− and results in awell-defined integral, given by∫

X

f dµ = supn∈N

∫X

f+n dµ− sup

n∈N

∫X

f−n dµ

Using Theorem 4, we extend the properties of the Lebesgue integral for positive simplefunctions to arbitrary integrable functions. The main properties we proved are the mono-tonicity and linearity of the Lebesgue integral. Let f and g be integrable functions andc ∈ R then

• ∀x, 0 ≤ f(x)⇒ 0 ≤∫Xf dµ

• ∀x, f(x) ≤ g(x)⇒∫Xf dµ ≤

∫Xg dµ

•∫Xcf dµ = c

∫Xf dµ

•∫Xf + g dµ =

∫Xf dµ+

∫Xg dµ

• A and B disjoint sets ⇒∫A∪Bf dµ =

∫Af dµ+

∫Bf dµ

4.2.3 Radon Nikodym Derivative

The Radon Nikodym derivative of ν with respect to µ.∫A

dν

dµdµ = ν(A)

The Radon Nikodym derivative is formalized in HOL as

9

val RN_deriv_def = Define

‘RN_deriv m v =

@f. f IN measurable (m_space m, measurable_sets m) Borel ∧(∀a. a ∈ measurable_sets m ⇒(fn_integral m (λx. f x * indicator_fn a x) = measure v a))’

The relative entropy is then formalized as

val KL_divergence_def = Define

‘KL_divergence b m v =

- fn_integral m (λx. logr b ((RN_deriv m v) x))’

The existence of the Radon Nikodym derivative is guaranteed for absolutely continuousmeasures by the Radon Nikodym theorem. A measure ν is absolutely continuous with respectto the measure µ iff for every measurable set A, µ(A) = 0 implies that ν(A) = 0. Next, westate and prove the Radon Nikodym theorem (RNT) for finite measures. The theorem canbe easily generalized to sigma finite measures.

Theorem 5. (RNT)If ν is absolutely continuous with respect to µ, then there exists a non-negative µ−integrablefunction f such that for any measurable sets,∫

A

f dµ = ν(A)

The Radon Nikodym theorem is formalized in HOL as follows,

` ∀m v. measure_space m ∧ measure_space v ∧(m_space v = m_space m) ∧(measurable_sets v = measurable_sets m) ∧(measure_absolutely_continuous m v) ∧(measure v (m_space v) 6= PosInf) ∧(measure m (m_space m) 6= PosInf) ⇒(∃f. f ∈ measurable (m_space m,measurable_sets m) Borel ∧(∀A. A ∈ measurable_sets m ⇒(pos_fn_integral m (λx. f x * indicator_fn A x) = measure v A)))

To prove the theorem, we prove the following lemma, which we propose as a generalization ofTheorem 1. To the best of our knowledge, this lemma has not been referred to in textbooksand we find that it is a useful result that can be used in other proofs.

Lemma 1. If P is a non-empty set of extended-real valued functions closed under the maxoperator, g is monotone over P and g(P ) is upper bounded, then there exists a monotonicallyincreasing sequence f(n) of functions, elements of P , such that

supn∈N

g(f(n)) = supf∈P

g(f)

Proving the Radon Nikodym theorem consists in defining the set F of non-negative mea-surable functions such that for any measurable set A,

∫Af dµ ≤ ν(A). Then we prove that

this set is non-empty, upper bounded by the finite measure of the space and is closed under

10

the max operator. Next, using the monotonicity of the integral and the lemma above, weprove the existence of a monotonically increasing sequence f(n) of functions in F such that

supn∈N

∫X

fn dµ = supf∈F

∫X

f dµ

Finally, we prove that the function g, defined below, satisfies the conditions of the theorem.

∀x. g(x) = supn∈N

fn(x)

The main reason we used the extended reals in our formalization was the inability toprove the Radon Nikodym theorem without considering infinite values. In fact, in our proof,we use the Lebesgue monotone convergence to prove that∫

X

g dµ = supn∈N

∫X

fn dµ

However, the Lebesgue monotone convergence in [9] which does not support the extendedreals, requires the sequence fn to be convergent, which is not necessarily the case here andcannot be added as an assumption because the sequence fn is generated inside the proof. TheLebesgue monotone convergence theorem with the extended reals is valid even for sequencesthat are not convergent since it uses the sup operator instead of the limit lim.

Next, we prove the following properties of the Radon Nikodym derivative.

• The Radon Nikodym derivative of ν with respect to µ is unique, µ almost-everywhere,i.e., unique up to a null set with respect to µ.

• If ν1 and ν2 are absolutely continuous with respect to µ, thend(ν1+ν2)

dµ = dν1dµ + dν2

dµ , µalmost-everywhere.

• If ν is absolutely continuous with respect to µ and c ≥ 0, thend(c∗ν)dµ = c ∗ dν

dµ , µalmost-everywhere.

For finite spaces, we prove that

∀x ∈ X,µx 6= 0⇒ dν

dµ(x) =

νxµx

4.3 Probability Theory

We formalize the Kolmogorov axiomatic definition of probability using measure theory bydefining the sample space Ω, the set F of events which are subsets of Ω and the probabilitymeasure p. A probability measure is a measure function and an event is a measurable set.(Ω, F, p) is a probability space iff it is a measure space and p(Ω) = 1. A random variable isby definition a measurable function.

val random_variable_def = Define

‘random_variable X p s = prob_space p ∧X ∈ measurable (p_space p, events p) s’

The properties we proved in the previous section for measurable functions are obviously validfor random variables.

11

Theorem 6. If X and Y are random variables and c ∈ R then the following functions arealso random variables: cX, |X|, Xn, X + Y,XY and max(X, Y ).

The probability mass function (PMF) of a random variable X is defined as the functionpX assigning to a set A the probability of the event X ∈ A. We also formalize the jointprobability mass function of two random variables and of a sequence of random variables.

val pmf_def = Define

‘pmf p X = (λA. prob p (PREIMAGE X A ∩ p_space p))’

Finally we use the formalization of the Lebesgue integral to define the expectation of arandom variable and its variance. The expectation of a random value X is defined as theintegral of X with respect to the probability measure, E[X] =

∫ΩX dp.

val expectation_def = Define ‘expectation = fn_integral’

The properties of the expectation are derived from the properties of the integral. Thevariance of a random variable is defined as E[|X −E[X]|2]. We also prove the properties ofthe variance in HOL.

5 Conclusions

In this report, we have presented a formalization in HOL of measure, Lebesgue integrationand probability theories defined on the extended reals. We used this infrastructure, to formal-ize the Radon Nikodym derivative and prove its properties. The Radon Nikodym derivativeis used, for instance, in the definition of relative entropy and probability density functions.The formalization based on the extended reals enables us to verify important properties andconvergence theorems as well as prove the important Radon Nikodym theorem.

We intend to use this higher-order-logic formalization of measure, Lebesgue integrationand probability theories to formalize main concepts of information theory such as the Shan-non entropy and relative entropy. The verification of properties of the Shannon entropy andrelative entropy makes it possible to perform information theoretic analysis on a wide rangeof applications. Using this formalization, we prove the Asymptotic Equipartition Propertyin HOL, which is used to define and verify the notion of typical sets. This, in turn, is thebasis to prove the Shannon source coding theorem, providing the fundamental limits of datacompression. The relative entropy is an important measure of divergence between probabil-ity distributions. It is used to define other concepts of information theory, but it is also usedin several other applications like the anonymity application in [3].

Our future work include the formalization of measures of entropy and applying the tech-nique in [3] to verify the anonymity properties of the Dining Cryptographers and Crowdsprotocols within the sound core of a theorem prover.

References

[1] V. I. Bogachev. Measure Theory. Springer, 2006.

[2] A. R. Coble. Anonymity, Information, and Machine-Assisted Proof. PhD thesis, Uni-versity of Cambridge, 2010.

[3] Y. Deng, J. Pang, and P. Wu. Measuring Anonymity with Relative Entropy. In FormalAspects in Security and Trust, volume 4691 of LNCS, pages 65–79. Springer, 2007.

12

[4] R. R. Goldberg. Methods of Real Analysis. Wiley, 1976.

[5] M. J. C. Gordon and T. F. Melham. Introduction to HOL: A Theorem Proving Envi-ronment for Higher-Order Logic. Cambridge University Press, 1993.

[6] J. Holzl. Mechanized Measure, Probability, and Information Theory.http://puma.in.tum.de/p-wiki/images/d/d6/szentendre hoelzl probability.pdf, Techni-cal University Munich, Germany, 2010.

[7] J. Hurd. Formal Verifcation of Probabilistic Algorithms. PhD thesis, University ofCambridge, 2002.

[8] J. Hurd, A. McIver, and C. Morgan. Probabilistic Guarded Commands Mechanized inHOL. Electronic Notes in Theoretical Computer Science, 112:95–111, 2005.

[9] T. Mhamdi, O. Hasan, and S. Tahar. On the Formalization of the Lebesgue IntegrationTheory in HOL. In Interactive Theorem Proving, volume 6172 of LNCS, pages 387–402.Springer, 2010.

[10] L. C. Paulson. Isabelle: a Generic Theorem Prover. Springer, 1994.

[11] Y. Shidama, N. Endou, and P.N. Kawamoto. On the formalization of lebesgue integrals.Studies in Logic, Grammar and Rhetoric, 10(23):167–177, 2007.

6 HOL Code Theories Signatures

signature extrealTheory =

sig

type thm = Thm.thm

(* Definitions *)

val EXTREAL_SUM_IMAGE_curried_def : thm

val EXTREAL_SUM_IMAGE_tupled_primitive_def : thm

val ext_mono_decreasing_def : thm

val ext_mono_increasing_def : thm

val ext_suminf_def : thm

val extreal_TY_DEF : thm

val extreal_abs_primitive_def : thm

val extreal_add_curried_def : thm

val extreal_add_tupled_primitive_def : thm

val extreal_ainv_def : thm

val extreal_case_def : thm

val extreal_div_def : thm

val extreal_inf_def : thm

val extreal_inv_def : thm

val extreal_le_curried_def : thm

val extreal_le_tupled_primitive_def : thm

val extreal_lt_def : thm

val extreal_max_def : thm

val extreal_min_def : thm

13

val extreal_mul_curried_def : thm

val extreal_mul_tupled_primitive_def : thm

val extreal_of_num_def : thm

val extreal_pow_def : thm

val extreal_repfns : thm

val extreal_size_def : thm

val extreal_sqrt_def : thm

val extreal_sub_curried_def : thm

val extreal_sub_tupled_primitive_def : thm

val extreal_sup_def : thm

val mono_decreasing_def : thm

val mono_increasing_def : thm

val real_def : thm

(* Theorems *)

val DISJOINT_DIFF : thm

val EXTREAL_ARCH : thm

val EXTREAL_ARCH_POW : thm

val EXTREAL_ARCH_POW_INV : thm

val EXTREAL_EQ_LADD : thm

val EXTREAL_SUM_IMAGE_0 : thm

val EXTREAL_SUM_IMAGE_ADD : thm

val EXTREAL_SUM_IMAGE_CMUL : thm

val EXTREAL_SUM_IMAGE_DISJOINT_UNION : thm

val EXTREAL_SUM_IMAGE_EMPTY : thm

val EXTREAL_SUM_IMAGE_EQ : thm

val EXTREAL_SUM_IMAGE_EQ_CARD : thm

val EXTREAL_SUM_IMAGE_EXTREAL_SUM_IMAGE : thm

val EXTREAL_SUM_IMAGE_FINITE_CONST : thm

val EXTREAL_SUM_IMAGE_FINITE_SAME : thm

val EXTREAL_SUM_IMAGE_IF_ELIM : thm

val EXTREAL_SUM_IMAGE_IMAGE : thm

val EXTREAL_SUM_IMAGE_IND : thm

val EXTREAL_SUM_IMAGE_INSERT : thm

val EXTREAL_SUM_IMAGE_INTER_ELIM : thm

val EXTREAL_SUM_IMAGE_INTER_NONZERO : thm

val EXTREAL_SUM_IMAGE_INV_CARD_EQ_1 : thm

val EXTREAL_SUM_IMAGE_IN_IF : thm

val EXTREAL_SUM_IMAGE_IN_IF_ALT : thm

val EXTREAL_SUM_IMAGE_MONO : thm

val EXTREAL_SUM_IMAGE_MONO_SET : thm

val EXTREAL_SUM_IMAGE_NORMAL : thm

val EXTREAL_SUM_IMAGE_NOT_INFTY : thm

val EXTREAL_SUM_IMAGE_NOT_NEG_INF : thm

val EXTREAL_SUM_IMAGE_NOT_POS_INF : thm

val EXTREAL_SUM_IMAGE_POS : thm

val EXTREAL_SUM_IMAGE_POS_MEM_LE : thm

14

val EXTREAL_SUM_IMAGE_PROPERTY : thm

val EXTREAL_SUM_IMAGE_PROPERTY_NEG : thm

val EXTREAL_SUM_IMAGE_PROPERTY_POS : thm

val EXTREAL_SUM_IMAGE_SING : thm

val EXTREAL_SUM_IMAGE_SPOS : thm

val EXTREAL_SUM_IMAGE_SUB : thm

val EXTREAL_SUM_IMAGE_THM : thm

val EXTREAL_SUM_IMAGE_ZERO : thm

val EXTREAL_SUM_IMAGE_def : thm

val EXTREAL_SUM_IMAGE_ind : thm

val POW_NEG_ODD : thm

val POW_POS_EVEN : thm

val REAL_ARCH_POW : thm

val REAL_LE_MUL_EPSILON : thm

val REAL_LE_RDIV_EQ_NEG : thm

val REAL_LT_LMUL_0_NEG : thm

val REAL_LT_LMUL_NEG_0 : thm

val REAL_LT_LMUL_NEG_0_NEG : thm

val REAL_LT_RDIV_EQ_NEG : thm

val REAL_LT_RMUL_0_NEG : thm

val REAL_LT_RMUL_NEG_0 : thm

val REAL_LT_RMUL_NEG_0_NEG : thm

val REAL_NEG_NZ : thm

val REAL_SUM_IMAGE_EQ_sum : thm

val SIMP_EXTREAL_ARCH : thm

val SIMP_REAL_ARCH : thm

val abs_bounds : thm

val abs_pos : thm

val abs_refl : thm

val add_assoc : thm

val add_comm : thm

val add_comm_normal : thm

val add_infty : thm

val add_ldistrib : thm

val add_ldistrib_neg : thm

val add_ldistrib_neg_neg : thm

val add_ldistrib_normal : thm

val add_ldistrib_pos : thm

val add_ldistrib_pos_pos : thm

val add_lzero : thm

val add_not_infty : thm

val add_pow2 : thm

val add_rdistrib : thm

val add_rdistrib_normal : thm

val add_rzero : thm

val add_sub : thm

val add_sub2 : thm

15

val datatype_extreal : thm

val div_one : thm

val eq_sub_ladd_normal : thm

val eq_sub_switch : thm

val ext_mono_decreasing_suc : thm

val ext_mono_increasing_suc : thm

val ext_suminf_add : thm

val ext_suminf_cmul : thm

val ext_suminf_cmul_alt : thm

val ext_suminf_lt_infty : thm

val ext_suminf_mono : thm

val ext_suminf_sub : thm

val ext_suminf_sum : thm

val ext_suminf_suminf : thm

val extreal_11 : thm

val extreal_Axiom : thm

val extreal_abs_def : thm

val extreal_abs_ind : thm

val extreal_add_def : thm

val extreal_add_ind : thm

val extreal_case_cong : thm

val extreal_cases : thm

val extreal_distinct : thm

val extreal_div_eq : thm

val extreal_eq_zero : thm

val extreal_induction : thm

val extreal_le_def : thm

val extreal_le_ind : thm

val extreal_lt_eq : thm

val extreal_mul_def : thm

val extreal_mul_ind : thm

val extreal_nchotomy : thm

val extreal_not_infty : thm

val extreal_sub_add : thm

val extreal_sub_def : thm

val extreal_sub_ind : thm

val half_between : thm

val inf_cminus : thm

val inf_const : thm

val inf_const_alt : thm

val inf_const_over_set : thm

val inf_eq : thm

val inf_le : thm

val inf_le_imp : thm

val inf_lt_infty : thm

val inf_min : thm

val inf_seq : thm

16

val inf_suc : thm

val inv_one : thm

val le_01 : thm

val le_add : thm

val le_add2 : thm

val le_addr : thm

val le_addr_imp : thm

val le_antisym : thm

val le_epsilon : thm

val le_inf : thm

val le_infty : thm

val le_ladd : thm

val le_ladd_imp : thm

val le_ldiv : thm

val le_lmul_imp : thm

val le_lneg : thm

val le_lsub_imp : thm

val le_lt : thm

val le_max : thm

val le_max1 : thm

val le_max2 : thm

val le_min : thm

val le_mul : thm

val le_mul_epsilon : thm

val le_neg : thm

val le_num : thm

val le_pow2 : thm

val le_radd : thm

val le_radd_imp : thm

val le_rdiv : thm

val le_refl : thm

val le_rmul_imp : thm

val le_sub_eq : thm

val le_sub_eq2 : thm

val le_sub_imp : thm

val le_sub_imp2 : thm

val le_sup : thm

val le_sup_imp : thm

val le_total : thm

val le_trans : thm

val let_add : thm

val let_add2 : thm

val let_trans : thm

val lt_01 : thm

val lt_add : thm

val lt_addl : thm

val lt_antisym : thm

17

val lt_imp_le : thm

val lt_imp_ne : thm

val lt_infty : thm

val lt_ladd : thm

val lt_ldiv : thm

val lt_le : thm

val lt_lmul : thm

val lt_mul : thm

val lt_mul2 : thm

val lt_neg : thm

val lt_radd : thm

val lt_rdiv : thm

val lt_rdiv_neg : thm

val lt_refl : thm

val lt_rmul : thm

val lt_sub : thm

val lt_sub_imp : thm

val lt_sub_imp2 : thm

val lt_total : thm

val lt_trans : thm

val lte_add : thm

val lte_trans : thm

val max_comm : thm

val max_infty : thm

val max_le : thm

val max_le2_imp : thm

val max_refl : thm

val min_comm : thm

val min_infty : thm

val min_le : thm

val min_le1 : thm

val min_le2 : thm

val min_le2_imp : thm

val min_refl : thm

val mono_decreasing_suc : thm

val mono_increasing_converges_to_sup : thm

val mono_increasing_suc : thm

val mul_assoc : thm

val mul_comm : thm

val mul_lneg : thm

val mul_lone : thm

val mul_lzero : thm

val mul_not_infty : thm

val mul_rneg : thm

val mul_rone : thm

val mul_rzero : thm

val ne_01 : thm

18

val neg_0 : thm

val neg_minus1 : thm

val neg_neg : thm

val normal_real : thm

val num_not_infty : thm

val pow2_sqrt : thm

val pow_0 : thm

val pow_1 : thm

val pow_2 : thm

val pow_add : thm

val pow_le : thm

val pow_le_mono : thm

val pow_lt : thm

val pow_lt2 : thm

val pow_minus1 : thm

val pow_mul : thm

val pow_neg_odd : thm

val pow_not_infty : thm

val pow_pos_even : thm

val pow_pos_le : thm

val pow_pos_lt : thm

val pow_zero : thm

val pow_zero_imp : thm

val real_normal : thm

val sqrt_mono_le : thm

val sqrt_pos_le : thm

val sqrt_pos_lt : thm

val sqrt_pow2 : thm

val sub_0 : thm

val sub_add : thm

val sub_add2 : thm

val sub_le_eq : thm

val sub_le_eq2 : thm

val sub_le_imp : thm

val sub_le_imp2 : thm

val sub_le_switch : thm

val sub_le_switch2 : thm

val sub_le_zero : thm

val sub_lt_imp : thm

val sub_lt_imp2 : thm

val sub_lt_zero : thm

val sub_lt_zero2 : thm

val sub_lzero : thm

val sub_not_infty : thm

val sub_refl : thm

val sub_rneg : thm

val sub_rzero : thm

19

val sub_zero_le : thm

val sub_zero_lt : thm

val sub_zero_lt2 : thm

val sup_add_mono : thm

val sup_cmul : thm

val sup_const : thm

val sup_const_alt : thm

val sup_const_over_set : thm

val sup_eq : thm

val sup_le : thm

val sup_le_mono : thm

val sup_le_sup_imp : thm

val sup_lt : thm

val sup_lt_epsilon : thm

val sup_lt_infty : thm

val sup_max : thm

val sup_mono : thm

val sup_num : thm

val sup_seq : thm

val sup_suc : thm

val sup_sum_mono : thm

val thirds_between : thm

val extreal_grammars : type_grammar.grammar * term_grammar.grammar

(*

[extra_pred_set] Parent theory of "extreal"

[EXTREAL_SUM_IMAGE_curried_def] Definition

|- !x x1. SIGMA x x1 = EXTREAL_SUM_IMAGE_tupled (x,x1)

[EXTREAL_SUM_IMAGE_tupled_primitive_def] Definition

|- EXTREAL_SUM_IMAGE_tupled =

WFREC (@R. WF R /\ !f s. FINITE s /\ s <> ==> R (f,REST s) (f,s))

(\EXTREAL_SUM_IMAGE_tupled a.

case a of

(f,s) ->

I

(if FINITE s then

if s = then

0

else

f (CHOICE s) + EXTREAL_SUM_IMAGE_tupled (f,REST s)

else

ARB))

20

[ext_mono_decreasing_def] Definition

|- !f. mono_decreasing f <=> !m n. m <= n ==> f n <= f m

[ext_mono_increasing_def] Definition

|- !f. mono_increasing f <=> !m n. m <= n ==> f m <= f n

[ext_suminf_def] Definition

|- !f. suminf f = sup (IMAGE (\n. SIGMA f (count n)) univ(:num))

[extreal_TY_DEF] Definition

|- ?rep.

TYPE_DEFINITION

(\a0.

!’extreal’ .

(!a0.

(a0 = ind_type$CONSTR 0 ARB (\n. ind_type$BOTTOM)) \/

(a0 = ind_type$CONSTR (SUC 0) ARB (\n. ind_type$BOTTOM)) \/

(?a.

a0 =

(\a. ind_type$CONSTR (SUC (SUC 0)) a (\n. ind_type$BOTTOM))

a) ==>

’extreal’ a0) ==>

’extreal’ a0) rep

[extreal_abs_primitive_def] Definition

|- abs =

WFREC (@R. WF R)

(\extreal_abs a.

case a of

NegInf -> I PosInf

|| PosInf -> I PosInf

|| Normal x -> I (Normal (abs x)))

[extreal_add_curried_def] Definition

|- !x x1. x + x1 = extreal_add_tupled (x,x1)

[extreal_add_tupled_primitive_def] Definition

|- extreal_add_tupled =

WFREC (@R. WF R)

(\extreal_add_tupled a’.

21

case a’ of

(NegInf,NegInf) -> I NegInf

|| (NegInf,PosInf) -> ARB

|| (NegInf,Normal v5) -> I NegInf

|| (PosInf,NegInf) -> ARB

|| (PosInf,PosInf) -> I PosInf

|| (PosInf,Normal v6) -> I PosInf

|| (Normal x,NegInf) -> I NegInf

|| (Normal x,PosInf) -> I PosInf

|| (Normal x,Normal y) -> I (Normal (x + y)))

[extreal_ainv_def] Definition

|- (-NegInf = PosInf) /\ (-PosInf = NegInf) /\ !x. -Normal x = Normal (-x)

[extreal_case_def] Definition

|- (!v v1 f. extreal_case v v1 f NegInf = v) /\

(!v v1 f. extreal_case v v1 f PosInf = v1) /\

!v v1 f a. extreal_case v v1 f (Normal a) = f a

[extreal_div_def] Definition

|- !x y. x / y = x * inv y

[extreal_inf_def] Definition

|- !p. inf p = -sup (IMAGE numeric_negate p)

[extreal_inv_def] Definition

|- (inv NegInf = Normal 0) /\ (inv PosInf = Normal 0) /\

!x. inv (Normal x) = if x = 0 then PosInf else Normal (inv x)

[extreal_le_curried_def] Definition

|- !x x1. x <= x1 <=> extreal_le_tupled (x,x1)

[extreal_le_tupled_primitive_def] Definition

|- extreal_le_tupled =

WFREC (@R. WF R)

(\extreal_le_tupled a’.

case a’ of

(NegInf,NegInf) -> I T

|| (NegInf,PosInf) -> I T

|| (NegInf,Normal v6) -> I T

22

|| (PosInf,NegInf) -> I F

|| (PosInf,PosInf) -> I T

|| (PosInf,Normal v8) -> I F

|| (Normal x,NegInf) -> I F

|| (Normal x,PosInf) -> I T

|| (Normal x,Normal y) -> I (x <= y))

[extreal_lt_def] Definition

|- !x y. x < y <=> ~(y <= x)

[extreal_max_def] Definition

|- !x y. max x y = if x <= y then y else x

[extreal_min_def] Definition

|- !x y. min x y = if x <= y then x else y

[extreal_mul_curried_def] Definition

|- !x x1. x * x1 = extreal_mul_tupled (x,x1)

[extreal_mul_tupled_primitive_def] Definition

|- extreal_mul_tupled =

WFREC (@R. WF R)

(\extreal_mul_tupled a.

case a of

(NegInf,NegInf) -> I PosInf

|| (NegInf,PosInf) -> I NegInf

|| (NegInf,Normal y) ->

I (if y = 0 then Normal 0 else if 0 < y then NegInf else PosInf)

|| (PosInf,NegInf) -> I NegInf

|| (PosInf,PosInf) -> I PosInf

|| (PosInf,Normal y’) ->

I (if y’ = 0 then Normal 0 else if 0 < y’ then PosInf else NegInf)

|| (Normal x,NegInf) ->

I (if x = 0 then Normal 0 else if 0 < x then NegInf else PosInf)

|| (Normal x,PosInf) ->

I (if x = 0 then Normal 0 else if 0 < x then PosInf else NegInf)

|| (Normal x,Normal y’’) -> I (Normal (x * y’’)))

[extreal_of_num_def] Definition

|- !n. &n = Normal (&n)

23

[extreal_pow_def] Definition

|- (!a n. Normal a pow n = Normal (a pow n)) /\

(!n. PosInf pow n = if n = 0 then Normal 1 else PosInf) /\

!n.

NegInf pow n =

if n = 0 then Normal 1 else if EVEN n then PosInf else NegInf

[extreal_repfns] Definition

|- (!a. mk_extreal (dest_extreal a) = a) /\

!r.

(\a0.

!’extreal’ .

(!a0.

(a0 = ind_type$CONSTR 0 ARB (\n. ind_type$BOTTOM)) \/

(a0 = ind_type$CONSTR (SUC 0) ARB (\n. ind_type$BOTTOM)) \/

(?a.

a0 =

(\a. ind_type$CONSTR (SUC (SUC 0)) a (\n. ind_type$BOTTOM))

a) ==>

’extreal’ a0) ==>

’extreal’ a0) r <=> (dest_extreal (mk_extreal r) = r)

[extreal_size_def] Definition

|- (extreal_size NegInf = 0) /\ (extreal_size PosInf = 0) /\

!a. extreal_size (Normal a) = 1

[extreal_sqrt_def] Definition

|- (!x. sqrt (Normal x) = Normal (sqrt x)) /\ (sqrt PosInf = PosInf)

[extreal_sub_curried_def] Definition

|- !x x1. x - x1 = extreal_sub_tupled (x,x1)

[extreal_sub_tupled_primitive_def] Definition

|- extreal_sub_tupled =

WFREC (@R. WF R)

(\extreal_sub_tupled a’.

case a’ of

(NegInf,NegInf) -> ARB

|| (NegInf,PosInf) -> I NegInf

|| (NegInf,Normal v6) -> I NegInf

|| (PosInf,NegInf) -> I PosInf

24

|| (PosInf,PosInf) -> ARB

|| (PosInf,Normal v7) -> I PosInf

|| (Normal x,NegInf) -> I PosInf

|| (Normal x,PosInf) -> I NegInf

|| (Normal x,Normal y) -> I (Normal (x - y)))

[extreal_sup_def] Definition

|- !p.

sup p =

if !x. (!y. p y ==> y <= x) ==> (x = PosInf) then

PosInf

else if !x. p x ==> (x = NegInf) then

NegInf

else

Normal (sup (\r. p (Normal r)))

[mono_decreasing_def] Definition

|- !f. mono_decreasing f <=> !m n. m <= n ==> f n <= f m

[mono_increasing_def] Definition

|- !f. mono_increasing f <=> !m n. m <= n ==> f m <= f n

[real_def] Definition

|- !x. real x = if (x = NegInf) \/ (x = PosInf) then 0 else @r. x = Normal r

[DISJOINT_DIFF] Theorem

|- !s t. DISJOINT t (s DIFF t) /\ DISJOINT (s DIFF t) t

[EXTREAL_ARCH] Theorem

|- !x. 0 < x ==> !y. y <> PosInf ==> ?n. y < &n * x

[EXTREAL_ARCH_POW] Theorem

|- !x. x <> PosInf ==> ?n. x < 2 pow n

[EXTREAL_ARCH_POW_INV] Theorem

|- !e. 0 < e ==> ?n. Normal ((1 / 2) pow n) < e

[EXTREAL_EQ_LADD] Theorem

25

|- !x y z. x <> NegInf /\ x <> PosInf ==> ((x + y = x + z) <=> (y = z))

[EXTREAL_SUM_IMAGE_0] Theorem

|- !f s. FINITE s /\ (!x. x IN s ==> (f x = 0)) ==> (SIGMA f s = 0)

[EXTREAL_SUM_IMAGE_ADD] Theorem

|- !s.

FINITE s ==>

!f f’.

(!x. x IN s ==> f x <> NegInf /\ f’ x <> NegInf) \/

(!x. x IN s ==> f x <> PosInf /\ f’ x <> PosInf) ==>

(SIGMA (\x. f x + f’ x) s = SIGMA f s + SIGMA f’ s)

[EXTREAL_SUM_IMAGE_CMUL] Theorem

|- !s.

FINITE s ==>

!f c.

(!x. x IN s ==> f x <> NegInf) \/ (!x. x IN s ==> f x <> PosInf) ==>

(SIGMA (\x. Normal c * f x) s = Normal c * SIGMA f s)

[EXTREAL_SUM_IMAGE_DISJOINT_UNION] Theorem

|- !s s’.

FINITE s /\ FINITE s’ /\ DISJOINT s s’ ==>

!f.

(!x. x IN s UNION s’ ==> f x <> NegInf) \/

(!x. x IN s UNION s’ ==> f x <> PosInf) ==>

(SIGMA f (s UNION s’) = SIGMA f s + SIGMA f s’)

[EXTREAL_SUM_IMAGE_EMPTY] Theorem

|- !f. SIGMA f = 0

[EXTREAL_SUM_IMAGE_EQ] Theorem

|- !s.

FINITE s ==>

!f f’.

((!x. x IN s ==> f x <> NegInf /\ f’ x <> NegInf) \/

!x. x IN s ==> f x <> PosInf /\ f’ x <> PosInf) /\

(!x. x IN s ==> (f x = f’ x)) ==>

(SIGMA f s = SIGMA f’ s)

[EXTREAL_SUM_IMAGE_EQ_CARD] Theorem

26

|- !s. FINITE s ==> (SIGMA (\x. if x IN s then 1 else 0) s = &CARD s)

[EXTREAL_SUM_IMAGE_EXTREAL_SUM_IMAGE] Theorem

|- !s s’ f.

FINITE s /\ FINITE s’ /\

(!x. x IN s CROSS s’ ==> f (FST x) (SND x) <> NegInf) ==>

(SIGMA (\x. SIGMA (f x) s’) s =

SIGMA (\x. f (FST x) (SND x)) (s CROSS s’))

[EXTREAL_SUM_IMAGE_FINITE_CONST] Theorem

|- !P.

FINITE P ==>

!f x.

(!y. f y = x) /\ (x <> NegInf \/ x <> PosInf) ==>

(SIGMA f P = &CARD P * x)

[EXTREAL_SUM_IMAGE_FINITE_SAME] Theorem

|- !s.

FINITE s ==>

!f p.

p IN s /\ (!q. q IN s ==> (f p = f q)) /\

((!x. x IN s ==> f x <> NegInf) \/ !x. x IN s ==> f x <> PosInf) ==>

(SIGMA f s = &CARD s * f p)

[EXTREAL_SUM_IMAGE_IF_ELIM] Theorem

|- !s P f.

FINITE s /\ (!x. x IN s ==> P x) /\

((!x. x IN s ==> f x <> NegInf) \/ !x. x IN s ==> f x <> PosInf) ==>

(SIGMA (\x. if P x then f x else 0) s = SIGMA f s)

[EXTREAL_SUM_IMAGE_IMAGE] Theorem

|- !s.

FINITE s ==>

!f’.

INJ f’ s (IMAGE f’ s) ==>

!f.

(!x. x IN IMAGE f’ s ==> f x <> NegInf) \/

(!x. x IN IMAGE f’ s ==> f x <> PosInf) ==>

(SIGMA f (IMAGE f’ s) = SIGMA (f o f’) s)

[EXTREAL_SUM_IMAGE_IND] Theorem

27

|- !P.

(!f s. (FINITE s /\ s <> ==> P f (REST s)) ==> P f s) ==> !v v1. P v v1

[EXTREAL_SUM_IMAGE_INSERT] Theorem

|- !s.

FINITE s ==>

!f x.

SIGMA f (x INSERT s) =

f (CHOICE (x INSERT s)) + SIGMA f (REST (x INSERT s))

[EXTREAL_SUM_IMAGE_INTER_ELIM] Theorem

|- !s.

FINITE s ==>

!f s’.

((!x. x IN s ==> f x <> NegInf) \/ !x. x IN s ==> f x <> PosInf) /\

(!x. x NOTIN s’ ==> (f x = 0)) ==>

(SIGMA f (s INTER s’) = SIGMA f s)

[EXTREAL_SUM_IMAGE_INTER_NONZERO] Theorem

|- !s.

FINITE s ==>

!f.

(!x. x IN s ==> f x <> NegInf) \/ (!x. x IN s ==> f x <> PosInf) ==>

(SIGMA f (s INTER (\p. f p <> 0)) = SIGMA f s)

[EXTREAL_SUM_IMAGE_INV_CARD_EQ_1] Theorem

|- !s.

s <> /\ FINITE s ==>

(SIGMA (\x. if x IN s then inv (&CARD s) else 0) s = 1)

[EXTREAL_SUM_IMAGE_IN_IF] Theorem

|- !s.

FINITE s ==>

!f.

(!x. x IN s ==> f x <> NegInf) \/ (!x. x IN s ==> f x <> PosInf) ==>

(SIGMA f s = SIGMA (\x. if x IN s then f x else 0) s)

[EXTREAL_SUM_IMAGE_IN_IF_ALT] Theorem

|- !s f z.

FINITE s /\

28

((!x. x IN s ==> f x <> NegInf) \/ !x. x IN s ==> f x <> PosInf) ==>

(SIGMA f s = SIGMA (\x. if x IN s then f x else z) s)

[EXTREAL_SUM_IMAGE_MONO] Theorem

|- !s.

FINITE s ==>

!f f’.

((!x. x IN s ==> f x <> NegInf /\ f’ x <> NegInf) \/

!x. x IN s ==> f x <> PosInf /\ f’ x <> PosInf) /\

(!x. x IN s ==> f x <= f’ x) ==>

SIGMA f s <= SIGMA f’ s

[EXTREAL_SUM_IMAGE_MONO_SET] Theorem

|- !f s t.

FINITE s /\ FINITE t /\ s SUBSET t /\ (!x. x IN t ==> 0 <= f x) ==>

SIGMA f s <= SIGMA f t

[EXTREAL_SUM_IMAGE_NORMAL] Theorem

|- !f s. FINITE s ==> (SIGMA (\x. Normal (f x)) s = Normal (SIGMA f s))

[EXTREAL_SUM_IMAGE_NOT_INFTY] Theorem

|- !f s.

(FINITE s /\ (!x. x IN s ==> f x <> NegInf) ==> SIGMA f s <> NegInf) /\

(FINITE s /\ (!x. x IN s ==> f x <> PosInf) ==> SIGMA f s <> PosInf)

[EXTREAL_SUM_IMAGE_NOT_NEG_INF] Theorem

|- !f s. FINITE s /\ (!x. x IN s ==> f x <> NegInf) ==> SIGMA f s <> NegInf

[EXTREAL_SUM_IMAGE_NOT_POS_INF] Theorem

|- !f s. FINITE s /\ (!x. x IN s ==> f x <> PosInf) ==> SIGMA f s <> PosInf

[EXTREAL_SUM_IMAGE_POS] Theorem

|- !f s. FINITE s /\ (!x. x IN s ==> 0 <= f x) ==> 0 <= SIGMA f s

[EXTREAL_SUM_IMAGE_POS_MEM_LE] Theorem

|- !f s.

FINITE s /\ (!x. x IN s ==> 0 <= f x) ==> !x. x IN s ==> f x <= SIGMA f s

[EXTREAL_SUM_IMAGE_PROPERTY] Theorem

29

|- !f s.

FINITE s ==>

!e.

(!x. x IN e INSERT s ==> f x <> NegInf) \/

(!x. x IN e INSERT s ==> f x <> PosInf) ==>

(SIGMA f (e INSERT s) = f e + SIGMA f (s DELETE e))

[EXTREAL_SUM_IMAGE_PROPERTY_NEG] Theorem

|- !f s.

FINITE s ==>

!e.

(!x. x IN e INSERT s ==> f x <> NegInf) ==>

(SIGMA f (e INSERT s) = f e + SIGMA f (s DELETE e))

[EXTREAL_SUM_IMAGE_PROPERTY_POS] Theorem

|- !f s.

FINITE s ==>

!e.

(!x. x IN e INSERT s ==> f x <> PosInf) ==>

(SIGMA f (e INSERT s) = f e + SIGMA f (s DELETE e))

[EXTREAL_SUM_IMAGE_SING] Theorem

|- !f e. SIGMA f e = f e

[EXTREAL_SUM_IMAGE_SPOS] Theorem

|- !f s. FINITE s /\ s <> /\ (!x. x IN s ==> 0 < f x) ==> 0 < SIGMA f s

[EXTREAL_SUM_IMAGE_SUB] Theorem

|- !s.

FINITE s ==>

!f f’.

(!x. x IN s ==> f x <> NegInf /\ f’ x <> PosInf) \/

(!x. x IN s ==> f x <> PosInf /\ f’ x <> NegInf) ==>

(SIGMA (\x. f x - f’ x) s = SIGMA f s - SIGMA f’ s)

[EXTREAL_SUM_IMAGE_THM] Theorem

|- !s f.

FINITE s ==>

(SIGMA f s = if s = then 0 else f (CHOICE s) + SIGMA f (REST s))

30

[EXTREAL_SUM_IMAGE_ZERO] Theorem

|- !s. FINITE s ==> (SIGMA (\x. 0) s = 0)

[EXTREAL_SUM_IMAGE_def] Theorem

|- SIGMA f s =

if FINITE s then

if s = then 0 else f (CHOICE s) + SIGMA f (REST s)

else

ARB

[EXTREAL_SUM_IMAGE_ind] Theorem

|- !P.

(!f s. (FINITE s /\ s <> ==> P f (REST s)) ==> P f s) ==> !v v1. P v v1

[POW_NEG_ODD] Theorem

|- !x. x < 0 ==> (x pow n < 0 <=> ODD n)

[POW_POS_EVEN] Theorem

|- !x. x < 0 ==> (0 < x pow n <=> EVEN n)

[REAL_ARCH_POW] Theorem

|- !x. ?n. x < 2 pow n

[REAL_LE_MUL_EPSILON] Theorem

|- !x y. (!z. 0 < z /\ z < 1 ==> z * x <= y) ==> x <= y

[REAL_LE_RDIV_EQ_NEG] Theorem

|- !x y z. z < 0 ==> (y / z <= x <=> x * z <= y)

[REAL_LT_LMUL_0_NEG] Theorem

|- !x y. 0 < x * y /\ x < 0 ==> y < 0

[REAL_LT_LMUL_NEG_0] Theorem

|- !x y. x * y < 0 /\ 0 < x ==> y < 0

[REAL_LT_LMUL_NEG_0_NEG] Theorem

31

|- !x y. x * y < 0 /\ x < 0 ==> 0 < y

[REAL_LT_RDIV_EQ_NEG] Theorem

|- !x y z. z < 0 ==> (y / z < x <=> x * z < y)

[REAL_LT_RMUL_0_NEG] Theorem

|- !x y. 0 < x * y /\ y < 0 ==> x < 0

[REAL_LT_RMUL_NEG_0] Theorem

|- !x y. x * y < 0 /\ 0 < y ==> x < 0

[REAL_LT_RMUL_NEG_0_NEG] Theorem

|- !x y. x * y < 0 /\ y < 0 ==> 0 < x

[REAL_NEG_NZ] Theorem

|- !x. x < 0 ==> x <> 0

[REAL_SUM_IMAGE_EQ_sum] Theorem

|- !n r. sum (0,n) r = SIGMA r (count n)

[SIMP_EXTREAL_ARCH] Theorem

|- !x. x <> PosInf ==> ?n. x <= &n

[SIMP_REAL_ARCH] Theorem

|- !x. ?n. x <= &n

[abs_bounds] Theorem

|- !x k. abs x <= k <=> -k <= x /\ x <= k

[abs_pos] Theorem

|- !x. 0 <= abs x

[abs_refl] Theorem

|- !x. (abs x = x) <=> 0 <= x

[add_assoc] Theorem

32

|- !x y z.

x <> NegInf /\ y <> NegInf /\ z <> NegInf \/

x <> PosInf /\ y <> PosInf /\ z <> PosInf ==>

(x + (y + z) = x + y + z)

[add_comm] Theorem

|- !x y.

x <> NegInf /\ y <> NegInf \/ x <> PosInf /\ y <> PosInf ==>

(x + y = y + x)

[add_comm_normal] Theorem

|- !x y. Normal x + y = y + Normal x

[add_infty] Theorem

|- (!x. x <> NegInf ==> (x + PosInf = PosInf) /\ (PosInf + x = PosInf)) /\

!x. x <> PosInf ==> (x + NegInf = NegInf) /\ (NegInf + x = NegInf)

[add_ldistrib] Theorem

|- !x y z.

0 <= y /\ 0 <= z \/ y <= 0 /\ z <= 0 \/

y <> NegInf /\ z <> NegInf /\ y <= 0 /\ z <= 0 \/

y <> PosInf /\ z <> PosInf /\ 0 <= y /\ 0 <= z ==>

(x * (y + z) = x * y + x * z)

[add_ldistrib_neg] Theorem

|- !x y z. y <= 0 /\ z <= 0 ==> (x * (y + z) = x * y + x * z)

[add_ldistrib_neg_neg] Theorem

|- !x y z.

y <> NegInf /\ z <> NegInf /\ y <= 0 /\ z <= 0 ==>

(x * (y + z) = x * y + x * z)

[add_ldistrib_normal] Theorem

|- !x y z.

y <> PosInf /\ z <> PosInf \/ y <> NegInf /\ z <> NegInf ==>

(Normal x * (y + z) = Normal x * y + Normal x * z)

[add_ldistrib_pos] Theorem

33

|- !x y z. 0 <= y /\ 0 <= z ==> (x * (y + z) = x * y + x * z)

[add_ldistrib_pos_pos] Theorem

|- !x y z.

y <> PosInf /\ z <> PosInf /\ 0 <= y /\ 0 <= z ==>

(x * (y + z) = x * y + x * z)

[add_lzero] Theorem

|- !x. 0 + x = x

[add_not_infty] Theorem

|- !x y.

(x <> NegInf /\ y <> NegInf ==> x + y <> NegInf) /\

(x <> PosInf /\ y <> PosInf ==> x + y <> PosInf)

[add_pow2] Theorem

|- !x y.

x <> NegInf /\ x <> PosInf /\ y <> NegInf /\ y <> PosInf ==>

((x + y) pow 2 = x pow 2 + y pow 2 + 2 * x * y)

[add_rdistrib] Theorem

|- !x y z.

0 <= y /\ 0 <= z \/ y <= 0 /\ z <= 0 \/

y <> NegInf /\ z <> NegInf /\ y <= 0 /\ z <= 0 \/

y <> PosInf /\ z <> PosInf /\ 0 <= y /\ 0 <= z ==>

((y + z) * x = y * x + z * x)

[add_rdistrib_normal] Theorem

|- !x y z.

y <> PosInf /\ z <> PosInf \/ y <> NegInf /\ z <> NegInf ==>

((y + z) * Normal x = y * Normal x + z * Normal x)

[add_rzero] Theorem

|- !x. x + 0 = x

[add_sub] Theorem

|- !x y. y <> NegInf /\ y <> PosInf ==> (x + y - y = x)

[add_sub2] Theorem

34

|- !x y. y <> NegInf /\ y <> PosInf ==> (y + x - y = x)

[datatype_extreal] Theorem

|- DATATYPE (extreal NegInf PosInf Normal)

[div_one] Theorem

|- !x. x / 1 = x

[eq_sub_ladd_normal] Theorem

|- !x y z. (x = y - Normal z) <=> (x + Normal z = y)

[eq_sub_switch] Theorem

|- !x y z. (x = Normal z - y) <=> (y = Normal z - x)

[ext_mono_decreasing_suc] Theorem

|- !f. mono_decreasing f <=> !n. f (SUC n) <= f n

[ext_mono_increasing_suc] Theorem

|- !f. mono_increasing f <=> !n. f n <= f (SUC n)

[ext_suminf_add] Theorem

[oracles: tactic_failed] [axioms: ] []

|- !f g.

(!n. 0 <= f n /\ 0 <= g n) ==>

(suminf (\n. f n + g n) = suminf f + suminf g)

[ext_suminf_cmul] Theorem

|- !f c. 0 <= c /\ (!n. 0 <= f n) ==> (suminf (\n. c * f n) = c * suminf f)

[ext_suminf_cmul_alt] Theorem

|- !f c.

0 <= c /\ ((!n. f n <> NegInf) \/ !n. f n <> PosInf) ==>

(suminf (\n. Normal c * f n) = Normal c * suminf f)

[ext_suminf_lt_infty] Theorem

|- !f. (!n. 0 <= f n) /\ suminf f <> PosInf ==> !n. f n < PosInf

35

[ext_suminf_mono] Theorem

|- !f g. (!n. g n <> NegInf /\ g n <= f n) ==> suminf g <= suminf f

[ext_suminf_sub] Theorem

|- !f g.

(!n. 0 <= g n /\ g n <= f n) /\ suminf f <> PosInf ==>

(suminf (\i. f i - g i) = suminf f - suminf g)

[ext_suminf_sum] Theorem

[oracles: tactic_failed] [axioms: ] []

|- !f n.

(!n. 0 <= f n) /\ (!m. n <= m ==> (f m = 0)) ==>

(suminf f = SIGMA f (count n))

[ext_suminf_suminf] Theorem

|- !r.

(!n. 0 <= r n) /\ suminf (\n. Normal (r n)) <> PosInf ==>

(suminf (\n. Normal (r n)) = Normal (suminf r))

[extreal_11] Theorem

|- !a a’. (Normal a = Normal a’) <=> (a = a’)

[extreal_Axiom] Theorem

|- !f0 f1 f2.

?fn. (fn NegInf = f0) /\ (fn PosInf = f1) /\ !a. fn (Normal a) = f2 a

[extreal_abs_def] Theorem

|- (abs (Normal x) = Normal (abs x)) /\ (abs NegInf = PosInf) /\

(abs PosInf = PosInf)

[extreal_abs_ind] Theorem

|- !P. (!x. P (Normal x)) /\ P NegInf /\ P PosInf ==> !v. P v

[extreal_add_def] Theorem

|- (Normal x + Normal y = Normal (x + y)) /\ (Normal v0 + NegInf = NegInf) /\

(Normal v0 + PosInf = PosInf) /\ (NegInf + Normal v1 = NegInf) /\

(PosInf + Normal v1 = PosInf) /\ (NegInf + NegInf = NegInf) /\

36

(PosInf + PosInf = PosInf)

[extreal_add_ind] Theorem

|- !P.

(!x y. P (Normal x) (Normal y)) /\ (!v0. P (Normal v0) NegInf) /\

(!v0. P (Normal v0) PosInf) /\ (!v1. P NegInf (Normal v1)) /\

(!v1. P PosInf (Normal v1)) /\ P NegInf NegInf /\ P PosInf PosInf /\

P NegInf PosInf /\ P PosInf NegInf ==>

!v v1. P v v1

[extreal_case_cong] Theorem

|- !M M’ v v1 f.

(M = M’) /\ ((M’ = NegInf) ==> (v = v’)) /\

((M’ = PosInf) ==> (v1 = v1’)) /\

(!a. (M’ = Normal a) ==> (f a = f’ a)) ==>

(extreal_case v v1 f M = extreal_case v’ v1’ f’ M’)

[extreal_cases] Theorem

|- !x. (x = NegInf) \/ (x = PosInf) \/ ?r. x = Normal r

[extreal_distinct] Theorem

|- NegInf <> PosInf /\ (!a. NegInf <> Normal a) /\ !a. PosInf <> Normal a

[extreal_div_eq] Theorem

|- !x y. y <> 0 ==> (Normal x / Normal y = Normal (x / y))

[extreal_eq_zero] Theorem

|- !x. (Normal x = 0) <=> (x = 0)

[extreal_induction] Theorem

|- !P. P NegInf /\ P PosInf /\ (!r. P (Normal r)) ==> !e. P e

[extreal_le_def] Theorem

|- (Normal x <= Normal y <=> x <= y) /\ (NegInf <= NegInf <=> T) /\

(NegInf <= PosInf <=> T) /\ (NegInf <= Normal v5 <=> T) /\

(PosInf <= PosInf <=> T) /\ (Normal v2 <= PosInf <=> T) /\

(PosInf <= NegInf <=> F) /\ (Normal v3 <= NegInf <=> F) /\

(PosInf <= Normal v7 <=> F)

37

[extreal_le_ind] Theorem

|- !P.

(!x y. P (Normal x) (Normal y)) /\ P NegInf NegInf /\ P NegInf PosInf /\

(!v5. P NegInf (Normal v5)) /\ P PosInf PosInf /\

(!v2. P (Normal v2) PosInf) /\ P PosInf NegInf /\

(!v3. P (Normal v3) NegInf) /\ (!v7. P PosInf (Normal v7)) ==>

!v v1. P v v1

[extreal_lt_eq] Theorem

|- !x y. Normal x < Normal y <=> x < y

[extreal_mul_def] Theorem

|- (NegInf * NegInf = PosInf) /\ (NegInf * PosInf = NegInf) /\

(PosInf * NegInf = NegInf) /\ (PosInf * PosInf = PosInf) /\

(Normal x * NegInf =

if x = 0 then Normal 0 else if 0 < x then NegInf else PosInf) /\

(NegInf * Normal y =

if y = 0 then Normal 0 else if 0 < y then NegInf else PosInf) /\

(Normal x * PosInf =

if x = 0 then Normal 0 else if 0 < x then PosInf else NegInf) /\

(PosInf * Normal y =

if y = 0 then Normal 0 else if 0 < y then PosInf else NegInf) /\

(Normal x * Normal y = Normal (x * y))

[extreal_mul_ind] Theorem

|- !P.

P NegInf NegInf /\ P NegInf PosInf /\ P PosInf NegInf /\

P PosInf PosInf /\ (!x. P (Normal x) NegInf) /\

(!y. P NegInf (Normal y)) /\ (!x. P (Normal x) PosInf) /\

(!y. P PosInf (Normal y)) /\ (!x y. P (Normal x) (Normal y)) ==>

!v v1. P v v1

[extreal_nchotomy] Theorem

|- !ee. (ee = NegInf) \/ (ee = PosInf) \/ ?r. ee = Normal r

[extreal_not_infty] Theorem

|- !x. Normal x <> NegInf /\ Normal x <> PosInf

[extreal_sub_add] Theorem

|- !x y.

38

x <> NegInf /\ y <> PosInf \/ x <> PosInf /\ y <> NegInf ==>

(x - y = x + -y)

[extreal_sub_def] Theorem

|- (Normal x - Normal y = Normal (x - y)) /\ (NegInf - Normal v0 = NegInf) /\

(PosInf - Normal v0 = PosInf) /\ (Normal v1 - NegInf = PosInf) /\

(Normal v2 - PosInf = NegInf) /\ (NegInf - PosInf = NegInf) /\

(PosInf - NegInf = PosInf)

[extreal_sub_ind] Theorem

|- !P.

(!x y. P (Normal x) (Normal y)) /\ (!v0. P NegInf (Normal v0)) /\

(!v0. P PosInf (Normal v0)) /\ (!v1. P (Normal v1) NegInf) /\

(!v2. P (Normal v2) PosInf) /\ P NegInf PosInf /\ P PosInf NegInf /\

P NegInf NegInf /\ P PosInf PosInf ==>

!v v1. P v v1

[half_between] Theorem

|- (0 < 1 / 2 /\ 1 / 2 < 1) /\ 0 <= 1 / 2 /\ 1 / 2 <= 1

[inf_cminus] Theorem

|- !f c.

Normal c - inf (IMAGE f univ(:’a)) =

sup (IMAGE (\n. Normal c - f n) univ(:’a))

[inf_const] Theorem

|- !x. inf (\y. y = x) = x

[inf_const_alt] Theorem

|- !p z. (?x. p x) /\ (!x. p x ==> (x = z)) ==> (inf p = z)

[inf_const_over_set] Theorem

|- !s k. s <> ==> (inf (IMAGE (\x. k) s) = k)

[inf_eq] Theorem

|- !p x.

(inf p = x) <=>

(!y. p y ==> x <= y) /\ !y. (!z. p z ==> y <= z) ==> y <= x

39

[inf_le] Theorem

|- !p x. inf p <= x <=> !y. (!z. p z ==> y <= z) ==> y <= x

[inf_le_imp] Theorem

|- !p x. p x ==> inf p <= x

[inf_lt_infty] Theorem

|- !p. NegInf < inf p ==> !x. p x ==> NegInf < x

[inf_min] Theorem

|- !p z. p z /\ (!x. p x ==> z <= x) ==> (inf p = z)

[inf_seq] Theorem

|- !f l.

mono_decreasing f ==>

(f --> l <=> (inf (IMAGE (\n. Normal (f n)) univ(:num)) = Normal l))

[inf_suc] Theorem

|- !f.

(!m n. m <= n ==> f n <= f m) ==>

(inf (IMAGE (\n. f (SUC n)) univ(:num)) = inf (IMAGE f univ(:num)))

[inv_one] Theorem

|- inv 1 = 1

[le_01] Theorem

|- 0 <= 1

[le_add] Theorem

|- !x y. 0 <= x /\ 0 <= y ==> 0 <= x + y

[le_add2] Theorem

|- !w x y z. w <= x /\ y <= z ==> w + y <= x + z

[le_addr] Theorem

|- !x y. x <> NegInf /\ x <> PosInf ==> (x <= x + y <=> 0 <= y)

40

[le_addr_imp] Theorem

|- !x y. 0 <= y ==> x <= x + y

[le_antisym] Theorem

|- !x y. x <= y /\ y <= x <=> (x = y)

[le_epsilon] Theorem

|- !x y. (!e. 0 < e /\ e <> PosInf ==> x <= y + e) ==> x <= y

[le_inf] Theorem

|- !p x. x <= inf p <=> !y. p y ==> x <= y

[le_infty] Theorem

|- (!x. NegInf <= x /\ x <= PosInf) /\ (!x. x <= NegInf <=> (x = NegInf)) /\

!x. PosInf <= x <=> (x = PosInf)

[le_ladd] Theorem

|- !x y z. x <> NegInf /\ x <> PosInf ==> (x + y <= x + z <=> y <= z)

[le_ladd_imp] Theorem

|- !x y z. y <= z ==> x + y <= x + z

[le_ldiv] Theorem

|- !x y z. 0 < x ==> (y <= z * Normal x <=> y / Normal x <= z)

[le_lmul_imp] Theorem

|- !x y z. 0 <= z /\ x <= y ==> z * x <= z * y

[le_lneg] Theorem

|- !x y.

x <> NegInf /\ y <> NegInf \/ x <> PosInf /\ y <> PosInf ==>

(-x <= y <=> 0 <= x + y)

[le_lsub_imp] Theorem

|- !x y z. y <= z ==> x - z <= x - y

41

[le_lt] Theorem

|- !x y. x <= y <=> x < y \/ (x = y)

[le_max] Theorem

|- !z x y. z <= max x y <=> z <= x \/ z <= y

[le_max1] Theorem

|- !x y. x <= max x y

[le_max2] Theorem

|- !x y. y <= max x y

[le_min] Theorem

|- !z x y. z <= min x y <=> z <= x /\ z <= y

[le_mul] Theorem

|- !x y. 0 <= x /\ 0 <= y ==> 0 <= x * y

[le_mul_epsilon] Theorem

|- !x y. (!z. 0 <= z /\ z < 1 ==> z * x <= y) ==> x <= y

[le_neg] Theorem

|- !x y. -x <= -y <=> y <= x

[le_num] Theorem

|- !n. 0 <= &n

[le_pow2] Theorem

|- !x. 0 <= x pow 2

[le_radd] Theorem

|- !x y z. x <> NegInf /\ x <> PosInf ==> (y + x <= z + x <=> y <= z)

[le_radd_imp] Theorem

42

|- !x y z. y <= z ==> y + x <= z + x

[le_rdiv] Theorem

|- !x y z. 0 < x ==> (y * Normal x <= z <=> y <= z / Normal x)

[le_refl] Theorem

|- !x. x <= x

[le_rmul_imp] Theorem

|- !x y z. 0 < z /\ x <= y ==> x * z <= y * z

[le_sub_eq] Theorem

|- !x y z. x <> NegInf /\ x <> PosInf ==> (y <= z - x <=> y + x <= z)

[le_sub_eq2] Theorem

|- !x y z.

z <> NegInf /\ z <> PosInf /\ x <> NegInf /\ y <> NegInf ==>

(y <= z - x <=> y + x <= z)

[le_sub_imp] Theorem

|- !x y z. x <> NegInf /\ x <> PosInf /\ y + x <= z ==> y <= z - x

[le_sub_imp2] Theorem

|- !x y z. z <> NegInf /\ z <> PosInf /\ y + x <= z ==> y <= z - x

[le_sup] Theorem

|- !p x. x <= sup p <=> !y. (!z. p z ==> z <= y) ==> x <= y

[le_sup_imp] Theorem

|- !p x. p x ==> x <= sup p

[le_total] Theorem

|- !x y. x <= y \/ y <= x

[le_trans] Theorem

|- !x y z. x <= y /\ y <= z ==> x <= z

43

[let_add] Theorem

|- !x y. 0 <= x /\ 0 < y ==> 0 < x + y

[let_add2] Theorem

|- !w x y z.

w <> NegInf /\ w <> PosInf /\ y <> NegInf /\ y <> PosInf /\ w <= x /\

y < z ==>

w + y < x + z

[let_trans] Theorem

|- !x y z. x <= y /\ y < z ==> x < z

[lt_01] Theorem

|- 0 < 1

[lt_add] Theorem

|- !x y. 0 < x /\ 0 < y ==> 0 < x + y

[lt_addl] Theorem

|- !x y. y <> NegInf /\ y <> PosInf ==> (y < x + y <=> 0 < x)

[lt_antisym] Theorem

|- !x y. ~(x < y /\ y < x)

[lt_imp_le] Theorem

|- !x y. x < y ==> x <= y

[lt_imp_ne] Theorem

|- !x y. x < y ==> x <> y

[lt_infty] Theorem

|- !x y.

NegInf < Normal y /\ Normal y < PosInf /\ NegInf < PosInf /\

~(x < NegInf) /\ ~(PosInf < x) /\ (x <> PosInf <=> x < PosInf) /\

(x <> NegInf <=> NegInf < x)

44

[lt_ladd] Theorem

|- !x y z. x <> NegInf /\ x <> PosInf ==> (x + y < x + z <=> y < z)

[lt_ldiv] Theorem

|- !x y z. 0 < z ==> (x / Normal z < y <=> x < y * Normal z)

[lt_le] Theorem

|- !x y. x < y <=> x <= y /\ x <> y

[lt_lmul] Theorem

|- !x y z. 0 < x /\ x <> PosInf ==> (x * y < x * z <=> y < z)

[lt_mul] Theorem

|- !x y. 0 < x /\ 0 < y ==> 0 < x * y

[lt_mul2] Theorem

|- !x1 x2 y1 y2.

0 <= x1 /\ 0 <= y1 /\ x1 <> PosInf /\ y1 <> PosInf /\ x1 < x2 /\

y1 < y2 ==>

x1 * y1 < x2 * y2

[lt_neg] Theorem

|- !x y. -x < -y <=> y < x

[lt_radd] Theorem

|- !x y z. x <> NegInf /\ x <> PosInf ==> (y + x < z + x <=> y < z)

[lt_rdiv] Theorem

|- !x y z. 0 < z ==> (x < y / Normal z <=> x * Normal z < y)

[lt_rdiv_neg] Theorem

|- !x y z. z < 0 ==> (y / Normal z < x <=> x * Normal z < y)

[lt_refl] Theorem

|- !x. ~(x < x)

45

[lt_rmul] Theorem

|- !x y z. 0 < z /\ z <> PosInf ==> (x * z < y * z <=> x < y)

[lt_sub] Theorem

|- !x y z.

x <> NegInf /\ y <> NegInf /\ z <> NegInf /\ z <> PosInf ==>

(y + x < z <=> y < z - x)

[lt_sub_imp] Theorem

|- !x y z. x <> NegInf /\ y <> NegInf /\ y + x < z ==> y < z - x

[lt_sub_imp2] Theorem

|- !x y z. x <> NegInf /\ x <> PosInf /\ y + x < z ==> y < z - x

[lt_total] Theorem

|- !x y. (x = y) \/ x < y \/ y < x

[lt_trans] Theorem

|- !x y z. x < y /\ y < z ==> x < z

[lte_add] Theorem

|- !x y. 0 < x /\ 0 <= y ==> 0 < x + y

[lte_trans] Theorem

|- !x y z. x < y /\ y <= z ==> x < z

[max_comm] Theorem

|- !x y. max x y = max y x

[max_infty] Theorem

|- !x.

(max x PosInf = PosInf) /\ (max PosInf x = PosInf) /\

(max NegInf x = x) /\ (max x NegInf = x)

[max_le] Theorem

|- !z x y. max x y <= z <=> x <= z /\ y <= z

46

[max_le2_imp] Theorem

|- !x1 x2 y1 y2. x1 <= y1 /\ x2 <= y2 ==> max x1 x2 <= max y1 y2

[max_refl] Theorem

|- !x. max x x = x

[min_comm] Theorem

|- !x y. min x y = min y x

[min_infty] Theorem

|- !x.

(min x PosInf = x) /\ (min PosInf x = x) /\ (min NegInf x = NegInf) /\

(min x NegInf = NegInf)

[min_le] Theorem

|- !z x y. min x y <= z <=> x <= z \/ y <= z

[min_le1] Theorem

|- !x y. min x y <= x

[min_le2] Theorem

|- !x y. min x y <= y

[min_le2_imp] Theorem

|- !x1 x2 y1 y2. x1 <= y1 /\ x2 <= y2 ==> min x1 x2 <= min y1 y2

[min_refl] Theorem

|- !x. min x x = x

[mono_decreasing_suc] Theorem

|- !f. mono_decreasing f <=> !n. f (SUC n) <= f n

[mono_increasing_converges_to_sup] Theorem

|- !f r. mono_increasing f /\ f --> r ==> (r = sup (IMAGE f univ(:num)))

47

[mono_increasing_suc] Theorem

|- !f. mono_increasing f <=> !n. f n <= f (SUC n)

[mul_assoc] Theorem

|- !x y z. x * (y * z) = x * y * z

[mul_comm] Theorem

|- !x y. x * y = y * x

[mul_lneg] Theorem

|- !x y. -x * y = -(x * y)

[mul_lone] Theorem

|- !x. 1 * x = x

[mul_lzero] Theorem

|- !x. 0 * x = 0

[mul_not_infty] Theorem

|- (!c y. 0 <= c /\ y <> NegInf ==> Normal c * y <> NegInf) /\

(!c y. 0 <= c /\ y <> PosInf ==> Normal c * y <> PosInf) /\

(!c y. c <= 0 /\ y <> NegInf ==> Normal c * y <> PosInf) /\

!c y. c <= 0 /\ y <> PosInf ==> Normal c * y <> NegInf

[mul_rneg] Theorem

|- !x y. x * -y = -(x * y)

[mul_rone] Theorem

|- !x. x * 1 = x

[mul_rzero] Theorem

|- !x. x * 0 = 0

[ne_01] Theorem

|- 0 <> 1

48

[neg_0] Theorem

|- -0 = 0

[neg_minus1] Theorem

|- !x. -x = -1 * x

[neg_neg] Theorem

|- !x. --x = x

[normal_real] Theorem

|- !x. x <> NegInf /\ x <> PosInf ==> (Normal (real x) = x)

[num_not_infty] Theorem

|- !n. &n <> NegInf /\ &n <> PosInf

[pow2_sqrt] Theorem

|- !x. 0 <= x ==> (sqrt (x pow 2) = x)

[pow_0] Theorem

|- !x. x pow 0 = 1

[pow_1] Theorem

|- !x. x pow 1 = x

[pow_2] Theorem

|- !x. x pow 2 = x * x

[pow_add] Theorem

|- !x n m. x pow (n + m) = x pow n * x pow m

[pow_le] Theorem

|- !n x y. 0 <= x /\ x <= y ==> x pow n <= y pow n

[pow_le_mono] Theorem

|- !x n m. 1 <= x /\ n <= m ==> x pow n <= x pow m

49

[pow_lt] Theorem

|- !n x y. 0 <= x /\ x < y ==> x pow SUC n < y pow SUC n

[pow_lt2] Theorem

|- !n x y. n <> 0 /\ 0 <= x /\ x < y ==> x pow n < y pow n

[pow_minus1] Theorem

|- !n. -1 pow (2 * n) = 1

[pow_mul] Theorem

|- !n x y. (x * y) pow n = x pow n * y pow n

[pow_neg_odd] Theorem

|- !x. x < 0 ==> (x pow n < 0 <=> ODD n)

[pow_not_infty] Theorem

|- !n x. x <> NegInf /\ x <> PosInf ==> x pow n <> NegInf /\ x pow n <> PosInf

[pow_pos_even] Theorem

|- !x. x < 0 ==> (0 < x pow n <=> EVEN n)

[pow_pos_le] Theorem

|- !x. 0 <= x ==> !n. 0 <= x pow n

[pow_pos_lt] Theorem

|- !x n. 0 < x ==> 0 < x pow n

[pow_zero] Theorem

|- !n x. (x pow SUC n = 0) <=> (x = 0)

[pow_zero_imp] Theorem

|- !n x. (x pow n = 0) ==> (x = 0)

[real_normal] Theorem

50

|- !x. real (Normal x) = x

[sqrt_mono_le] Theorem

|- !x y. 0 <= x /\ x <= y ==> sqrt x <= sqrt y

[sqrt_pos_le] Theorem

|- !x. 0 <= x ==> 0 <= sqrt x

[sqrt_pos_lt] Theorem

|- !x. 0 < x ==> 0 < sqrt x

[sqrt_pow2] Theorem

|- !x. (sqrt x pow 2 = x) <=> 0 <= x

[sub_0] Theorem

|- !x y. (x - y = 0) ==> (x = y)

[sub_add] Theorem

|- !x y. y <> NegInf /\ y <> PosInf ==> (x - y + y = x)

[sub_add2] Theorem

|- !x y. x <> NegInf /\ x <> PosInf ==> (x + (y - x) = y)

[sub_le_eq] Theorem

|- !x y z. x <> NegInf /\ x <> PosInf ==> (y - x <= z <=> y <= z + x)

[sub_le_eq2] Theorem

|- !x y z.

y <> NegInf /\ y <> PosInf /\ x <> NegInf /\ z <> NegInf ==>

(y - x <= z <=> y <= z + x)

[sub_le_imp] Theorem

|- !x y z. x <> NegInf /\ x <> PosInf /\ y <= z + x ==> y - x <= z

[sub_le_imp2] Theorem

|- !x y z. y <> NegInf /\ y <> PosInf /\ y <= z + x ==> y - x <= z

51

[sub_le_switch] Theorem

|- !x y z.

x <> NegInf /\ x <> PosInf /\ z <> NegInf /\ z <> PosInf ==>

(y - x <= z <=> y - z <= x)

[sub_le_switch2] Theorem

|- !x y z.

x <> NegInf /\ x <> PosInf /\ y <> NegInf /\ y <> PosInf ==>

(y - x <= z <=> y - z <= x)

[sub_le_zero] Theorem

|- !x y. y <> NegInf /\ y <> PosInf ==> (x <= y <=> x - y <= 0)

[sub_lt_imp] Theorem

|- !x y z. x <> NegInf /\ x <> PosInf /\ y < z + x ==> y - x < z

[sub_lt_imp2] Theorem

|- !x y z. z <> NegInf /\ z <> PosInf /\ y < z + x ==> y - x < z

[sub_lt_zero] Theorem

|- !x y. x < y ==> x - y < 0

[sub_lt_zero2] Theorem

|- !x y. y <> NegInf /\ y <> PosInf /\ x - y < 0 ==> x < y

[sub_lzero] Theorem

|- !x. 0 - x = -x

[sub_not_infty] Theorem

|- !x y.

(x <> NegInf /\ y <> PosInf ==> x - y <> NegInf) /\

(x <> PosInf /\ y <> NegInf ==> x - y <> PosInf)

[sub_refl] Theorem

|- !x. x <> NegInf /\ x <> PosInf ==> (x - x = 0)

52

[sub_rneg] Theorem

|- !c x. Normal c - -x = Normal c + x

[sub_rzero] Theorem

|- !x. x - 0 = x

[sub_zero_le] Theorem

|- !x y. x <> NegInf /\ x <> PosInf ==> (x <= y <=> 0 <= y - x)

[sub_zero_lt] Theorem

|- !x y. x < y ==> 0 < y - x

[sub_zero_lt2] Theorem

|- !x y. x <> NegInf /\ x <> PosInf /\ 0 < y - x ==> x < y

[sup_add_mono] Theorem

|- !f g.

(!n. 0 <= f n) /\ (!n. f n <= f (SUC n)) /\ (!n. 0 <= g n) /\

(!n. g n <= g (SUC n)) ==>

(sup (IMAGE (\n. f n + g n) univ(:num)) =

sup (IMAGE f univ(:num)) + sup (IMAGE g univ(:num)))

[sup_cmul] Theorem

|- !f c.

0 <= c ==>

(sup (IMAGE (\n. Normal c * f n) univ(:’a)) =

Normal c * sup (IMAGE f univ(:’a)))

[sup_const] Theorem

|- !x. sup (\y. y = x) = x

[sup_const_alt] Theorem

|- !p z. (?x. p x) /\ (!x. p x ==> (x = z)) ==> (sup p = z)

[sup_const_over_set] Theorem

|- !s k. s <> ==> (sup (IMAGE (\x. k) s) = k)

53

[sup_eq] Theorem

|- !p x.

(sup p = x) <=>

(!y. p y ==> y <= x) /\ !y. (!z. p z ==> z <= y) ==> x <= y

[sup_le] Theorem

|- !p x. sup p <= x <=> !y. p y ==> y <= x

[sup_le_mono] Theorem

|- !f z.

(!n. f n <= f (SUC n)) /\ z < sup (IMAGE f univ(:num)) ==> ?n. z <= f n

[sup_le_sup_imp] Theorem

|- !p q. (!x. p x ==> ?y. q y /\ x <= y) ==> sup p <= sup q

[sup_lt] Theorem

|- !P y. (?x. P x /\ y < x) <=> y < sup P

[sup_lt_epsilon] Theorem

|- !P e.

0 < e /\ (?x. P x /\ x <> NegInf) /\ sup P <> PosInf ==>

?x. P x /\ sup P < x + e

[sup_lt_infty] Theorem

|- !p. sup p < PosInf ==> !x. p x ==> x < PosInf

[sup_max] Theorem

|- !p z. p z /\ (!x. p x ==> x <= z) ==> (sup p = z)

[sup_mono] Theorem

|- !p q.

(!n. p n <= q n) ==> sup (IMAGE p univ(:num)) <= sup (IMAGE q univ(:num))

[sup_num] Theorem

|- sup (\x. ?n. x = &n) = PosInf

[sup_seq] Theorem

54

|- !f l.

mono_increasing f ==>

(f --> l <=> (sup (IMAGE (\n. Normal (f n)) univ(:num)) = Normal l))

[sup_suc] Theorem

|- !f.

(!m n. m <= n ==> f m <= f n) ==>

(sup (IMAGE (\n. f (SUC n)) univ(:num)) = sup (IMAGE f univ(:num)))

[sup_sum_mono] Theorem

|- !f s.

FINITE s /\ (!i. i IN s ==> !n. 0 <= f i n) /\

(!i. i IN s ==> !n. f i n <= f i (SUC n)) ==>

(sup (IMAGE (\n. SIGMA (\i. f i n) s) univ(:num)) =

SIGMA (\i. sup (IMAGE (f i) univ(:num))) s)

[thirds_between] Theorem

|- ((0 < 1 / 3 /\ 1 / 3 < 1) /\ 0 < 2 / 3 /\ 2 / 3 < 1) /\

(0 <= 1 / 3 /\ 1 / 3 <= 1) /\ 0 <= 2 / 3 /\ 2 / 3 <= 1

*)

end

signature rationalTheory =

sig

type thm = Thm.thm

(* Definitions *)

val Q_set_def : thm

val ceiling_def : thm

val open_interval_def : thm

val open_intervals_set_def : thm

val rational_intervals_def : thm

(* Theorems *)

val ADD_IN_Q : thm

val CEILING_LBOUND : thm

val CEILING_UBOUND : thm

55

val CMUL_IN_Q : thm

val COUNTABLE_ENUM_Q : thm

val COUNTABLE_RATIONAL_INTERVALS : thm

val CROSS_COUNTABLE : thm

val CROSS_COUNTABLE_LEMMA1 : thm

val CROSS_COUNTABLE_LEMMA2 : thm

val CROSS_COUNTABLE_UNIV : thm

val DIV_IN_Q : thm

val INV_IN_Q : thm

val MUL_IN_Q : thm

val NUM_2D_BIJ_NZ : thm

val NUM_2D_BIJ_NZ_ALT : thm

val NUM_2D_BIJ_NZ_ALT2 : thm

val NUM_2D_BIJ_NZ_ALT2_INV : thm

val NUM_2D_BIJ_NZ_ALT_INV : thm

val NUM_2D_BIJ_NZ_INV : thm

val NUM_IN_Q : thm

val OPP_IN_Q : thm

val Q_COUNTABLE : thm

val Q_DENSE_IN_R : thm

val Q_DENSE_IN_R_LEMMA : thm

val Q_INFINITE : thm

val Q_not_infty : thm

val SUB_IN_Q : thm

val rat_not_infty : thm

val rational_grammars : type_grammar.grammar * term_grammar.grammar

(*

[extreal] Parent theory of "rational"

[Q_set_def] Definition

|- Q_set =

x | ?a b. (x = &a / &b) /\ 0 < &b UNION

x | ?a b. (x = -(&a / &b)) /\ 0 < &b

[ceiling_def] Definition

|- !x. ceiling (Normal x) = LEAST n. x <= &n

[open_interval_def] Definition

|- !a b. open_interval a b = x | a < x /\ x < b

[open_intervals_set_def] Definition

|- open_intervals_set =

56

open_interval a b | a IN univ(:extreal) /\ b IN univ(:extreal)

[rational_intervals_def] Definition

|- rational_intervals = open_interval a b | a IN Q_set /\ b IN Q_set

[ADD_IN_Q] Theorem

|- !x y. x IN Q_set /\ y IN Q_set ==> x + y IN Q_set

[CEILING_LBOUND] Theorem

|- !x. Normal x <= &ceiling (Normal x)

[CEILING_UBOUND] Theorem

|- !x. 0 <= x ==> &ceiling (Normal x) < Normal x + 1

[CMUL_IN_Q] Theorem

|- !z x. x IN Q_set ==> &z * x IN Q_set /\ -&z * x IN Q_set

[COUNTABLE_ENUM_Q] Theorem

|- !c. countable c <=> (c = ) \/ ?f. c = IMAGE f Q_set

[COUNTABLE_RATIONAL_INTERVALS] Theorem

|- countable rational_intervals

[CROSS_COUNTABLE] Theorem

|- !s. countable s /\ countable t ==> countable (s CROSS t)

[CROSS_COUNTABLE_LEMMA1] Theorem

|- !s. countable s /\ FINITE s /\ countable t ==> countable (s CROSS t)

[CROSS_COUNTABLE_LEMMA2] Theorem

|- !s. countable s /\ countable t /\ FINITE t ==> countable (s CROSS t)

[CROSS_COUNTABLE_UNIV] Theorem

|- countable (univ(:num) CROSS univ(:num))

[DIV_IN_Q] Theorem

57

|- !x y. x IN Q_set /\ y IN Q_set /\ y <> 0 ==> x / y IN Q_set

[INV_IN_Q] Theorem

|- !x. x IN Q_set /\ x <> 0 ==> 1 / x IN Q_set

[MUL_IN_Q] Theorem

|- !x y. x IN Q_set /\ y IN Q_set ==> x * y IN Q_set

[NUM_2D_BIJ_NZ] Theorem

|- ?f. BIJ f (univ(:num) CROSS (univ(:num) DIFF 0)) univ(:num)

[NUM_2D_BIJ_NZ_ALT] Theorem

|- ?f. BIJ f (univ(:num) CROSS univ(:num)) (univ(:num) DIFF 0)

[NUM_2D_BIJ_NZ_ALT2] Theorem

|- ?f. BIJ f ((univ(:num) DIFF 0) CROSS (univ(:num) DIFF 0)) univ(:num)

[NUM_2D_BIJ_NZ_ALT2_INV] Theorem

|- ?f. BIJ f univ(:num) ((univ(:num) DIFF 0) CROSS (univ(:num) DIFF 0))

[NUM_2D_BIJ_NZ_ALT_INV] Theorem

|- ?f. BIJ f (univ(:num) DIFF 0) (univ(:num) CROSS univ(:num))

[NUM_2D_BIJ_NZ_INV] Theorem

|- ?f. BIJ f univ(:num) (univ(:num) CROSS (univ(:num) DIFF 0))

[NUM_IN_Q] Theorem

|- !n. &n IN Q_set /\ -&n IN Q_set

[OPP_IN_Q] Theorem

|- !x. x IN Q_set ==> -x IN Q_set

[Q_COUNTABLE] Theorem

|- countable Q_set

58

[Q_DENSE_IN_R] Theorem

|- !x y. x < y ==> ?r. r IN Q_set /\ x < r /\ r < y

[Q_DENSE_IN_R_LEMMA] Theorem

|- !x y. 0 <= x /\ x < y ==> ?r. r IN Q_set /\ x < r /\ r < y

[Q_INFINITE] Theorem

|- INFINITE Q_set

[Q_not_infty] Theorem

|- !x. x IN Q_set ==> ?y. x = Normal y

[SUB_IN_Q] Theorem

|- !x y. x IN Q_set /\ y IN Q_set ==> x - y IN Q_set

[rat_not_infty] Theorem

|- !r. r IN Q_set ==> r <> NegInf /\ r <> PosInf

*)

end

signature measureTheory =

sig

type thm = Thm.thm

(* Definitions *)

val Borel_def : thm

val additive_def : thm

val algebra_def : thm

val countably_additive_def : thm

val countably_subadditive_def : thm

val fn_abs_def : thm

val fn_minus_def : thm

val fn_plus_def : thm

val increasing_def : thm

val indicator_fn_def : thm

59

val inf_measure_def : thm

val m_space_def : thm

val measurable_def : thm

val measurable_sets_def : thm

val measure_def : thm

val measure_preserving_def : thm

val measure_space_def : thm

val null_set_def : thm

val outer_measure_space_def : thm

val pos_simple_fn_def : thm

val positive_def : thm

val sigma_algebra_def : thm

val sigma_def : thm

val space_def : thm

val subadditive_def : thm

val subset_class_def : thm

val subsets_def : thm

(* Theorems *)

val ADDITIVE : thm

val ADDITIVE_INCREASING : thm

val ADDITIVE_SUM : thm

val ALGEBRA_ALT_INTER : thm

val ALGEBRA_COMPL : thm

val ALGEBRA_DIFF : thm

val ALGEBRA_EMPTY : thm

val ALGEBRA_FINITE_UNION : thm

val ALGEBRA_INTER : thm

val ALGEBRA_INTER_SPACE : thm

val ALGEBRA_SPACE : thm

val ALGEBRA_UNION : thm

val BIGUNION_IMAGE_Q : thm

val BOREL_MEASURABLE_SETS : thm

val BOREL_MEASURABLE_SETS_CC : thm

val BOREL_MEASURABLE_SETS_CO : thm

val BOREL_MEASURABLE_SETS_CR : thm

val BOREL_MEASURABLE_SETS_OC : thm

val BOREL_MEASURABLE_SETS_OO : thm

val BOREL_MEASURABLE_SETS_OR : thm

val BOREL_MEASURABLE_SETS_RC : thm

val BOREL_MEASURABLE_SETS_RO : thm

val BOREL_MEASURABLE_SETS_SING : thm

val COUNTABLY_ADDITIVE : thm

val COUNTABLY_ADDITIVE_ADDITIVE : thm

val COUNTABLY_SUBADDITIVE : thm

val FN_MINUS_POS : thm

val FN_MINUS_POS_ZERO : thm

60

val FN_PLUS_POS : thm

val FN_PLUS_POS_ID : thm

val IMAGE_SING : thm

val INCREASING : thm

val INDICATOR_FN_MUL_INTER : thm

val IN_MEASURABLE : thm

val IN_MEASURABLE_BOREL : thm

val IN_MEASURABLE_BOREL_ABS : thm

val IN_MEASURABLE_BOREL_ADD : thm

val IN_MEASURABLE_BOREL_ALL : thm

val IN_MEASURABLE_BOREL_ALT1 : thm

val IN_MEASURABLE_BOREL_ALT10 : thm

val IN_MEASURABLE_BOREL_ALT2 : thm

val IN_MEASURABLE_BOREL_ALT3 : thm

val IN_MEASURABLE_BOREL_ALT4 : thm

val IN_MEASURABLE_BOREL_ALT4_IMP : thm

val IN_MEASURABLE_BOREL_ALT5 : thm

val IN_MEASURABLE_BOREL_ALT5_IMP : thm

val IN_MEASURABLE_BOREL_ALT6 : thm

val IN_MEASURABLE_BOREL_ALT6_IMP : thm

val IN_MEASURABLE_BOREL_ALT7 : thm

val IN_MEASURABLE_BOREL_ALT7_IMP : thm

val IN_MEASURABLE_BOREL_ALT8 : thm

val IN_MEASURABLE_BOREL_ALT9 : thm

val IN_MEASURABLE_BOREL_CMUL : thm

val IN_MEASURABLE_BOREL_CMUL_INDICATOR : thm

val IN_MEASURABLE_BOREL_CONST : thm

val IN_MEASURABLE_BOREL_FN_MINUS : thm

val IN_MEASURABLE_BOREL_FN_PLUS : thm

val IN_MEASURABLE_BOREL_INDICATOR : thm

val IN_MEASURABLE_BOREL_LE : thm

val IN_MEASURABLE_BOREL_LT : thm

val IN_MEASURABLE_BOREL_MAX : thm

val IN_MEASURABLE_BOREL_MONO_SUP : thm

val IN_MEASURABLE_BOREL_MUL : thm

val IN_MEASURABLE_BOREL_MUL_INDICATOR : thm

val IN_MEASURABLE_BOREL_POS_SIMPLE_FN : thm

val IN_MEASURABLE_BOREL_POW : thm

val IN_MEASURABLE_BOREL_SQR : thm

val IN_MEASURABLE_BOREL_SUB : thm

val IN_MEASURABLE_BOREL_SUM : thm

val IN_MEASURE_PRESERVING : thm

val IN_SIGMA : thm

val MEASUBABLE_BIGUNION_LEMMA : thm

val MEASURABLE_BIGUNION_PROPERTY : thm

val MEASURABLE_BOREL : thm

val MEASURABLE_COMP : thm

61

val MEASURABLE_COMP_STRONG : thm

val MEASURABLE_COMP_STRONGER : thm

val MEASURABLE_DIFF_PROPERTY : thm

val MEASURABLE_I : thm

val MEASURABLE_LIFT : thm

val MEASURABLE_POW_TO_POW : thm

val MEASURABLE_POW_TO_POW_IMAGE : thm

val MEASURABLE_PROD_SIGMA : thm

val MEASURABLE_RANGE_REDUCE : thm

val MEASURABLE_SETS_SUBSET_SPACE : thm

val MEASURABLE_SIGMA : thm

val MEASURABLE_SIGMA_PREIMAGES : thm

val MEASURABLE_SUBSET : thm

val MEASURABLE_UP_LIFT : thm

val MEASURABLE_UP_SIGMA : thm

val MEASURABLE_UP_SUBSET : thm

val MEASURE_ADDITIVE : thm

val MEASURE_COUNTABLE_INCREASING : thm

val MEASURE_COUNTABLY_ADDITIVE : thm

val MEASURE_DOWN : thm

val MEASURE_EMPTY : thm

val MEASURE_EXTREAL_SUM_IMAGE : thm

val MEASURE_PRESERVING_UP_LIFT : thm

val MEASURE_PRESERVING_UP_SIGMA : thm

val MEASURE_PRESERVING_UP_SUBSET : thm

val MEASURE_SPACE_ADDITIVE : thm

val MEASURE_SPACE_BIGINTER : thm

val MEASURE_SPACE_BIGUNION : thm

val MEASURE_SPACE_CMUL : thm

val MEASURE_SPACE_DIFF : thm

val MEASURE_SPACE_EMPTY_MEASURABLE : thm

val MEASURE_SPACE_FINITE_DIFF : thm

val MEASURE_SPACE_FINITE_DIFF_SUBSET : thm

val MEASURE_SPACE_FINITE_MEASURE : thm

val MEASURE_SPACE_INCREASING : thm

val MEASURE_SPACE_INTER : thm

val MEASURE_SPACE_IN_MSPACE : thm

val MEASURE_SPACE_MSPACE_MEASURABLE : thm

val MEASURE_SPACE_POSITIVE : thm

val MEASURE_SPACE_REDUCE : thm

val MEASURE_SPACE_RESTRICTED : thm

val MEASURE_SPACE_SUBSET : thm

val MEASURE_SPACE_SUBSET_MSPACE : thm

val MEASURE_SPACE_UNION : thm

val MONOTONE_CONVERGENCE : thm

val MONOTONE_CONVERGENCE2 : thm

val MONOTONE_CONVERGENCE_BIGINTER : thm

62

val MONOTONE_CONVERGENCE_BIGINTER2 : thm

val OUTER_MEASURE_SPACE_POSITIVE : thm

val POW_ALGEBRA : thm

val POW_SIGMA_ALGEBRA : thm

val SIGMA_ALGEBRA : thm

val SIGMA_ALGEBRA_ALGEBRA : thm

val SIGMA_ALGEBRA_ALT : thm

val SIGMA_ALGEBRA_ALT_DISJOINT : thm

val SIGMA_ALGEBRA_ALT_MONO : thm

val SIGMA_ALGEBRA_BOREL : thm

val SIGMA_ALGEBRA_COUNTABLE_UNION : thm

val SIGMA_ALGEBRA_ENUM : thm

val SIGMA_ALGEBRA_FN : thm

val SIGMA_ALGEBRA_FN_BIGINTER : thm

val SIGMA_ALGEBRA_FN_DISJOINT : thm

val SIGMA_ALGEBRA_SIGMA : thm

val SIGMA_POW : thm

val SIGMA_PROPERTY : thm

val SIGMA_PROPERTY_ALT : thm

val SIGMA_PROPERTY_DISJOINT_WEAK : thm

val SIGMA_REDUCE : thm

val SIGMA_SUBSET : thm

val SIGMA_SUBSET_MEASURABLE_SETS : thm

val SIGMA_SUBSET_SUBSETS : thm

val SPACE : thm

val SPACE_BOREL : thm

val SPACE_SIGMA : thm

val STRONG_MEASURE_SPACE_SUBSET : thm

val SUBADDITIVE : thm

val SUBSET_BIGINTER : thm

val UNIV_SIGMA_ALGEBRA : thm

val finite_additivity_sufficient_for_finite_spaces : thm

val finite_additivity_sufficient_for_finite_spaces2 : thm

val indicator_fn_split : thm

val indicator_fn_suminf : thm

val measure_split : thm

val positive_not_infty : thm

val measure_grammars : type_grammar.grammar * term_grammar.grammar

(*

[extra_real] Parent theory of "measure"

[rational] Parent theory of "measure"

[Borel_def] Definition

|- Borel = sigma univ(:extreal) (IMAGE (\a. x | x < Normal a) univ(:real))

63

[additive_def] Definition

|- !m.

additive m <=>

!s t.

s IN measurable_sets m /\ t IN measurable_sets m /\ DISJOINT s t ==>

(measure m (s UNION t) = measure m s + measure m t)

[algebra_def] Definition

|- !a.

algebra a <=>

subset_class (space a) (subsets a) /\ IN subsets a /\

(!s. s IN subsets a ==> space a DIFF s IN subsets a) /\

!s t. s IN subsets a /\ t IN subsets a ==> s UNION t IN subsets a

[countably_additive_def] Definition

|- !m.

countably_additive m <=>

!f.

f IN (univ(:num) -> measurable_sets m) /\

(!m n. m <> n ==> DISJOINT (f m) (f n)) /\

BIGUNION (IMAGE f univ(:num)) IN measurable_sets m ==>

(measure m (BIGUNION (IMAGE f univ(:num))) = suminf (measure m o f))

[countably_subadditive_def] Definition

|- !m.

countably_subadditive m <=>

!f.

f IN (univ(:num) -> measurable_sets m) /\

BIGUNION (IMAGE f univ(:num)) IN measurable_sets m ==>

measure m (BIGUNION (IMAGE f univ(:num))) <= suminf (measure m o f)

[fn_abs_def] Definition

|- !f. fn_abs f = (\x. abs (f x))

[fn_minus_def] Definition

|- !f. fn_minus f = (\x. if f x < 0 then -f x else 0)

[fn_plus_def] Definition

|- !f. fn_plus f = (\x. if 0 < f x then f x else 0)

64

[increasing_def] Definition

|- !m.

increasing m <=>

!s t.

s IN measurable_sets m /\ t IN measurable_sets m /\ s SUBSET t ==>

measure m s <= measure m t

[indicator_fn_def] Definition

|- !s. indicator_fn s = (\x. if x IN s then 1 else 0)

[inf_measure_def] Definition

|- !m s.

inf_measure m s =

inf

r |

?f.

f IN (univ(:num) -> measurable_sets m) /\

(!m n. m <> n ==> DISJOINT (f m) (f n)) /\

s SUBSET BIGUNION (IMAGE f univ(:num)) /\

(suminf (measure m o f) = r)

[m_space_def] Definition

|- !sp sts mu. m_space (sp,sts,mu) = sp

[measurable_def] Definition

|- !a b.

measurable a b =

f |

sigma_algebra a /\ sigma_algebra b /\ f IN (space a -> space b) /\

!s. s IN subsets b ==> PREIMAGE f s INTER space a IN subsets a

[measurable_sets_def] Definition

|- !sp sts mu. measurable_sets (sp,sts,mu) = sts

[measure_def] Definition

|- !sp sts mu. measure (sp,sts,mu) = mu

[measure_preserving_def] Definition

65

|- !m1 m2.

measure_preserving m1 m2 =

f |

f IN

measurable (m_space m1,measurable_sets m1)

(m_space m2,measurable_sets m2) /\

!s.

s IN measurable_sets m2 ==>

(measure m1 (PREIMAGE f s INTER m_space m1) = measure m2 s)

[measure_space_def] Definition

|- !m.

measure_space m <=>

sigma_algebra (m_space m,measurable_sets m) /\ positive m /\

countably_additive m

[null_set_def] Definition

|- !m s. null_set m s <=> s IN measurable_sets m /\ (measure m s = 0)

[outer_measure_space_def] Definition

|- !m.

outer_measure_space m <=>

positive m /\ increasing m /\ countably_subadditive m

[pos_simple_fn_def] Definition

|- !m f s a x.

pos_simple_fn m f s a x <=>

(!t. 0 <= f t) /\

(!t.

t IN m_space m ==>

(f t = SIGMA (\i. Normal (x i) * indicator_fn (a i) t) s)) /\

(!i. i IN s ==> a i IN measurable_sets m) /\ FINITE s /\

(!i. i IN s ==> 0 <= x i) /\

(!i j. i IN s /\ j IN s /\ i <> j ==> DISJOINT (a i) (a j)) /\

(BIGUNION (IMAGE a s) = m_space m)

[positive_def] Definition

|- !m.

positive m <=>

(measure m = 0) /\ !s. s IN measurable_sets m ==> 0 <= measure m s

[sigma_algebra_def] Definition

66

|- !a.

sigma_algebra a <=>

algebra a /\

!c. countable c /\ c SUBSET subsets a ==> BIGUNION c IN subsets a

[sigma_def] Definition

|- !sp st.

sigma sp st = (sp,BIGINTER s | st SUBSET s /\ sigma_algebra (sp,s))

[space_def] Definition

|- !x y. space (x,y) = x

[subadditive_def] Definition

|- !m.

subadditive m <=>

!s t.

s IN measurable_sets m /\ t IN measurable_sets m ==>

measure m (s UNION t) <= measure m s + measure m t

[subset_class_def] Definition

|- !sp sts. subset_class sp sts <=> !x. x IN sts ==> x SUBSET sp

[subsets_def] Definition

|- !x y. subsets (x,y) = y

[ADDITIVE] Theorem

|- !m s t u.

additive m /\ s IN measurable_sets m /\ t IN measurable_sets m /\

DISJOINT s t /\ (u = s UNION t) ==>

(measure m u = measure m s + measure m t)

[ADDITIVE_INCREASING] Theorem

|- !m.

algebra (m_space m,measurable_sets m) /\ positive m /\ additive m ==>

increasing m

[ADDITIVE_SUM] Theorem

|- !m f n.

67

algebra (m_space m,measurable_sets m) /\ positive m /\ additive m /\

f IN (univ(:num) -> measurable_sets m) /\

(!m n. m <> n ==> DISJOINT (f m) (f n)) ==>

(SIGMA (measure m o f) (count n) =

measure m (BIGUNION (IMAGE f (count n))))

[ALGEBRA_ALT_INTER] Theorem

|- !a.

algebra a <=>

subset_class (space a) (subsets a) /\ IN subsets a /\

(!s. s IN subsets a ==> space a DIFF s IN subsets a) /\

!s t. s IN subsets a /\ t IN subsets a ==> s INTER t IN subsets a

[ALGEBRA_COMPL] Theorem

|- !a s. algebra a /\ s IN subsets a ==> space a DIFF s IN subsets a

[ALGEBRA_DIFF] Theorem

|- !a s t.

algebra a /\ s IN subsets a /\ t IN subsets a ==> s DIFF t IN subsets a

[ALGEBRA_EMPTY] Theorem

|- !a. algebra a ==> IN subsets a

[ALGEBRA_FINITE_UNION] Theorem

|- !a c.

algebra a /\ FINITE c /\ c SUBSET subsets a ==> BIGUNION c IN subsets a

[ALGEBRA_INTER] Theorem

|- !a s t.

algebra a /\ s IN subsets a /\ t IN subsets a ==> s INTER t IN subsets a

[ALGEBRA_INTER_SPACE] Theorem

|- !a s.

algebra a /\ s IN subsets a ==>

(space a INTER s = s) /\ (s INTER space a = s)

[ALGEBRA_SPACE] Theorem

|- !a. algebra a ==> space a IN subsets a

68

[ALGEBRA_UNION] Theorem

|- !a s t.

algebra a /\ s IN subsets a /\ t IN subsets a ==> s UNION t IN subsets a

[BIGUNION_IMAGE_Q] Theorem

|- !a f.

sigma_algebra a /\ f IN (Q_set -> subsets a) ==>

BIGUNION (IMAGE f Q_set) IN subsets a

[BOREL_MEASURABLE_SETS] Theorem

|- (!c. x | x < Normal c IN subsets Borel) /\

(!c. x | Normal c <= x IN subsets Borel) /\

(!c. x | Normal c < x IN subsets Borel) /\

(!c. x | x <= Normal c IN subsets Borel) /\

(!c d. x | Normal c < x /\ x < Normal d IN subsets Borel) /\

(!c d. x | Normal c <= x /\ x < Normal d IN subsets Borel) /\

(!c d. x | Normal c < x /\ x <= Normal d IN subsets Borel) /\

(!c d. x | Normal c <= x /\ x <= Normal d IN subsets Borel) /\

!c. Normal c IN subsets Borel

[BOREL_MEASURABLE_SETS_CC] Theorem

|- !c d. x | Normal c <= x /\ x <= Normal d IN subsets Borel

[BOREL_MEASURABLE_SETS_CO] Theorem

|- !c d. x | Normal c <= x /\ x < Normal d IN subsets Borel

[BOREL_MEASURABLE_SETS_CR] Theorem

|- !c. x | Normal c <= x IN subsets Borel

[BOREL_MEASURABLE_SETS_OC] Theorem

|- !c d. x | Normal c < x /\ x <= Normal d IN subsets Borel

[BOREL_MEASURABLE_SETS_OO] Theorem

|- !c d. x | Normal c < x /\ x < Normal d IN subsets Borel

[BOREL_MEASURABLE_SETS_OR] Theorem

|- !c. x | Normal c < x IN subsets Borel

69

[BOREL_MEASURABLE_SETS_RC] Theorem

|- !c. x | x <= Normal c IN subsets Borel

[BOREL_MEASURABLE_SETS_RO] Theorem

|- !c. x | x < Normal c IN subsets Borel

[BOREL_MEASURABLE_SETS_SING] Theorem

|- !c. Normal c IN subsets Borel

[COUNTABLY_ADDITIVE] Theorem

|- !m s f.

countably_additive m /\ f IN (univ(:num) -> measurable_sets m) /\

(!m n. m <> n ==> DISJOINT (f m) (f n)) /\

(s = BIGUNION (IMAGE f univ(:num))) /\ s IN measurable_sets m ==>

(suminf (measure m o f) = measure m s)

[COUNTABLY_ADDITIVE_ADDITIVE] Theorem

|- !m.

algebra (m_space m,measurable_sets m) /\ positive m /\

countably_additive m ==>

additive m

[COUNTABLY_SUBADDITIVE] Theorem

|- !m f s.

countably_subadditive m /\ f IN (univ(:num) -> measurable_sets m) /\

(s = BIGUNION (IMAGE f univ(:num))) /\ s IN measurable_sets m ==>

measure m s <= suminf (measure m o f)

[FN_MINUS_POS] Theorem

|- !g x. 0 <= fn_minus g x

[FN_MINUS_POS_ZERO] Theorem

|- (!x. 0 <= g x) ==> (fn_minus g = (\x. 0))

[FN_PLUS_POS] Theorem

|- !g x. 0 <= fn_plus g x

[FN_PLUS_POS_ID] Theorem

70

|- (!x. 0 <= g x) ==> (fn_plus g = g)

[IMAGE_SING] Theorem

|- !f x. IMAGE f x = f x

[INCREASING] Theorem

|- !m s t.

increasing m /\ s SUBSET t /\ s IN measurable_sets m /\

t IN measurable_sets m ==>

measure m s <= measure m t

[INDICATOR_FN_MUL_INTER] Theorem

|- !A B.

(\t. indicator_fn A t * indicator_fn B t) =

(\t. indicator_fn (A INTER B) t)

[IN_MEASURABLE] Theorem

|- !a b f.

f IN measurable a b <=>

sigma_algebra a /\ sigma_algebra b /\ f IN (space a -> space b) /\

!s. s IN subsets b ==> PREIMAGE f s INTER space a IN subsets a

[IN_MEASURABLE_BOREL] Theorem

|- !f a.

f IN measurable a Borel <=>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c. x | f x < Normal c INTER space a IN subsets a

[IN_MEASURABLE_BOREL_ABS] Theorem

|- !a f g.

sigma_algebra a /\ f IN measurable a Borel /\

(!x. x IN space a ==> (g x = abs (f x))) ==>

g IN measurable a Borel

[IN_MEASURABLE_BOREL_ADD] Theorem

|- !a f g h.

sigma_algebra a /\ f IN measurable a Borel /\ g IN measurable a Borel /\

(!x. x IN space a ==> f x <> NegInf /\ g x <> NegInf) /\

(!x. x IN space a ==> (h x = f x + g x)) ==>

71

h IN measurable a Borel

[IN_MEASURABLE_BOREL_ALL] Theorem

|- !f a.

f IN measurable a Borel ==>

(!c. x | f x < Normal c INTER space a IN subsets a) /\

(!c. x | Normal c <= f x INTER space a IN subsets a) /\

(!c. x | f x <= Normal c INTER space a IN subsets a) /\

(!c. x | Normal c < f x INTER space a IN subsets a) /\

(!c d.

x | Normal c < f x /\ f x < Normal d INTER space a IN subsets a) /\

(!c d.

x | Normal c <= f x /\ f x < Normal d INTER space a IN subsets a) /\

(!c d.

x | Normal c < f x /\ f x <= Normal d INTER space a IN subsets a) /\

(!c d.

x | Normal c <= f x /\ f x <= Normal d INTER space a IN subsets a) /\

!c. x | f x = c INTER space a IN subsets a

[IN_MEASURABLE_BOREL_ALT1] Theorem

|- !f a.

f IN measurable a Borel <=>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c. x | Normal c <= f x INTER space a IN subsets a

[IN_MEASURABLE_BOREL_ALT10] Theorem

|- !f a.

f IN measurable a Borel ==>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

x | f x = NegInf INTER space a IN subsets a

[IN_MEASURABLE_BOREL_ALT2] Theorem

|- !f a.

f IN measurable a Borel <=>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c. x | f x <= Normal c INTER space a IN subsets a

[IN_MEASURABLE_BOREL_ALT3] Theorem

|- !f a.

f IN measurable a Borel <=>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c. x | Normal c < f x INTER space a IN subsets a

72

[IN_MEASURABLE_BOREL_ALT4] Theorem

|- !f a.

(!x. f x <> NegInf) ==>

(f IN measurable a Borel <=>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c d. x | Normal c <= f x /\ f x < Normal d INTER space a IN subsets a)

[IN_MEASURABLE_BOREL_ALT4_IMP] Theorem

|- !f a.

f IN measurable a Borel ==>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c d. x | Normal c <= f x /\ f x < Normal d INTER space a IN subsets a

[IN_MEASURABLE_BOREL_ALT5] Theorem

|- !f a.

(!x. f x <> NegInf) ==>

(f IN measurable a Borel <=>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c d. x | Normal c < f x /\ f x <= Normal d INTER space a IN subsets a)

[IN_MEASURABLE_BOREL_ALT5_IMP] Theorem

|- !f a.

f IN measurable a Borel ==>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c d. x | Normal c < f x /\ f x <= Normal d INTER space a IN subsets a

[IN_MEASURABLE_BOREL_ALT6] Theorem

|- !f a.

(!x. f x <> NegInf) ==>

(f IN measurable a Borel <=>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c d.

x | Normal c <= f x /\ f x <= Normal d INTER space a IN subsets a)

[IN_MEASURABLE_BOREL_ALT6_IMP] Theorem

|- !f a.

f IN measurable a Borel ==>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c d. x | Normal c <= f x /\ f x <= Normal d INTER space a IN subsets a

73

[IN_MEASURABLE_BOREL_ALT7] Theorem

|- !f a.

(!x. f x <> NegInf) ==>

(f IN measurable a Borel <=>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c d. x | Normal c < f x /\ f x < Normal d INTER space a IN subsets a)

[IN_MEASURABLE_BOREL_ALT7_IMP] Theorem

|- !f a.

f IN measurable a Borel ==>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c d. x | Normal c < f x /\ f x < Normal d INTER space a IN subsets a

[IN_MEASURABLE_BOREL_ALT8] Theorem

|- !f a.

f IN measurable a Borel ==>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c. x | f x = c INTER space a IN subsets a

[IN_MEASURABLE_BOREL_ALT9] Theorem

|- !f a.

f IN measurable a Borel ==>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

x | f x = PosInf INTER space a IN subsets a

[IN_MEASURABLE_BOREL_CMUL] Theorem

|- !a f g z.

sigma_algebra a /\ f IN measurable a Borel /\

(!x. x IN space a ==> (g x = Normal z * f x)) ==>

g IN measurable a Borel

[IN_MEASURABLE_BOREL_CMUL_INDICATOR] Theorem

|- !a z s.

sigma_algebra a /\ s IN subsets a /\ 0 <= z ==>

(\x. Normal z * indicator_fn s x) IN measurable a Borel

[IN_MEASURABLE_BOREL_CONST] Theorem

|- !a k f.

sigma_algebra a /\ (!x. x IN space a ==> (f x = k)) ==>

f IN measurable a Borel

74

[IN_MEASURABLE_BOREL_FN_MINUS] Theorem

|- !a f. f IN measurable a Borel ==> fn_minus f IN measurable a Borel

[IN_MEASURABLE_BOREL_FN_PLUS] Theorem

|- !a f. f IN measurable a Borel ==> fn_plus f IN measurable a Borel

[IN_MEASURABLE_BOREL_INDICATOR] Theorem

|- !a A f.

sigma_algebra a /\ A IN subsets a /\

(!x. x IN space a ==> (f x = indicator_fn A x)) ==>

f IN measurable a Borel

[IN_MEASURABLE_BOREL_LE] Theorem

|- !f g a.

f IN measurable a Borel /\ g IN measurable a Borel ==>

x | f x <= g x INTER space a IN subsets a

[IN_MEASURABLE_BOREL_LT] Theorem

|- !f g a.

f IN measurable a Borel /\ g IN measurable a Borel ==>

x | f x < g x INTER space a IN subsets a

[IN_MEASURABLE_BOREL_MAX] Theorem

|- !a f g.

sigma_algebra a /\ f IN measurable a Borel /\ g IN measurable a Borel ==>

(\x. max (f x) (g x)) IN measurable a Borel

[IN_MEASURABLE_BOREL_MONO_SUP] Theorem

|- !fn f a.

sigma_algebra a /\ (!n. fn n IN measurable a Borel) /\

(!n x. fn n x <= fn (SUC n) x) /\

(!x. x IN space a ==> (f x = sup (IMAGE (\n. fn n x) univ(:num)))) ==>

f IN measurable a Borel

[IN_MEASURABLE_BOREL_MUL] Theorem

|- !a f g h.

sigma_algebra a /\ f IN measurable a Borel /\

(!x.

75

x IN space a ==>

f x <> NegInf /\ f x <> PosInf /\ g x <> NegInf /\ g x <> PosInf) /\

g IN measurable a Borel /\ (!x. x IN space a ==> (h x = f x * g x)) ==>

h IN measurable a Borel

[IN_MEASURABLE_BOREL_MUL_INDICATOR] Theorem

|- !a f s.

sigma_algebra a /\ f IN measurable a Borel /\ s IN subsets a ==>

(\x. f x * indicator_fn s x) IN measurable a Borel

[IN_MEASURABLE_BOREL_POS_SIMPLE_FN] Theorem

|- !m f.

measure_space m /\ (?s a x. pos_simple_fn m f s a x) ==>

f IN measurable (m_space m,measurable_sets m) Borel

[IN_MEASURABLE_BOREL_POW] Theorem

|- !n a f.

sigma_algebra a /\ f IN measurable a Borel /\

(!x. x IN space a ==> f x <> NegInf /\ f x <> PosInf) ==>

(\x. f x pow n) IN measurable a Borel

[IN_MEASURABLE_BOREL_SQR] Theorem

|- !a f g.

sigma_algebra a /\ f IN measurable a Borel /\

(!x. x IN space a ==> (g x = f x pow 2)) ==>

g IN measurable a Borel

[IN_MEASURABLE_BOREL_SUB] Theorem

|- !a f g h.

sigma_algebra a /\ f IN measurable a Borel /\ g IN measurable a Borel /\

(!x. x IN space a ==> f x <> NegInf /\ g x <> PosInf) /\

(!x. x IN space a ==> (h x = f x - g x)) ==>

h IN measurable a Borel

[IN_MEASURABLE_BOREL_SUM] Theorem

|- !a f g s.

FINITE s /\ sigma_algebra a /\

(!i. i IN s ==> f i IN measurable a Borel) /\

(!i x. i IN s /\ x IN space a ==> f i x <> NegInf) /\

(!x. x IN space a ==> (g x = SIGMA (\i. f i x) s)) ==>

g IN measurable a Borel

76

[IN_MEASURE_PRESERVING] Theorem

|- !m1 m2 f.

f IN measure_preserving m1 m2 <=>

f IN

measurable (m_space m1,measurable_sets m1)

(m_space m2,measurable_sets m2) /\

!s.

s IN measurable_sets m2 ==>

(measure m1 (PREIMAGE f s INTER m_space m1) = measure m2 s)

[IN_SIGMA] Theorem

|- !sp a x. x IN a ==> x IN subsets (sigma sp a)

[MEASUBABLE_BIGUNION_LEMMA] Theorem

|- !a b f.

sigma_algebra a /\ sigma_algebra b /\ f IN (space a -> space b) /\

(!s. s IN subsets b ==> PREIMAGE f s IN subsets a) ==>

!c.

countable c /\ c SUBSET IMAGE (PREIMAGE f) (subsets b) ==>

BIGUNION c IN IMAGE (PREIMAGE f) (subsets b)

[MEASURABLE_BIGUNION_PROPERTY] Theorem

|- !a b f.

sigma_algebra a /\ sigma_algebra b /\ f IN (space a -> space b) /\

(!s. s IN subsets b ==> PREIMAGE f s IN subsets a) ==>

!c.

c SUBSET subsets b ==>

(PREIMAGE f (BIGUNION c) = BIGUNION (IMAGE (PREIMAGE f) c))

[MEASURABLE_BOREL] Theorem

|- !f a.

f IN measurable a Borel <=>

sigma_algebra a /\ f IN (space a -> univ(:extreal)) /\

!c. PREIMAGE f x | x < Normal c INTER space a IN subsets a

[MEASURABLE_COMP] Theorem

|- !f g a b c.

f IN measurable a b /\ g IN measurable b c ==> g o f IN measurable a c

[MEASURABLE_COMP_STRONG] Theorem

77

|- !f g a b c.

f IN measurable a b /\ sigma_algebra c /\ g IN (space b -> space c) /\

(!x.

x IN subsets c ==>

PREIMAGE g x INTER IMAGE f (space a) IN subsets b) ==>

g o f IN measurable a c

[MEASURABLE_COMP_STRONGER] Theorem

|- !f g a b c t.

f IN measurable a b /\ sigma_algebra c /\ g IN (space b -> space c) /\

IMAGE f (space a) SUBSET t /\

(!s. s IN subsets c ==> PREIMAGE g s INTER t IN subsets b) ==>

g o f IN measurable a c

[MEASURABLE_DIFF_PROPERTY] Theorem

|- !a b f.

sigma_algebra a /\ sigma_algebra b /\ f IN (space a -> space b) /\

(!s. s IN subsets b ==> PREIMAGE f s IN subsets a) ==>

!s.

s IN subsets b ==>

(PREIMAGE f (space b DIFF s) = space a DIFF PREIMAGE f s)

[MEASURABLE_I] Theorem

|- !a. sigma_algebra a ==> I IN measurable a a

[MEASURABLE_LIFT] Theorem

|- !f a b.

f IN measurable a b ==> f IN measurable a (sigma (space b) (subsets b))

[MEASURABLE_POW_TO_POW] Theorem

|- !m f.

measure_space m /\ (measurable_sets m = POW (m_space m)) ==>

f IN measurable (m_space m,measurable_sets m) (univ(:’b),POW univ(:’b))

[MEASURABLE_POW_TO_POW_IMAGE] Theorem

|- !m f.

measure_space m /\ (measurable_sets m = POW (m_space m)) ==>

f IN

measurable (m_space m,measurable_sets m)

(IMAGE f (m_space m),POW (IMAGE f (m_space m)))

78

[MEASURABLE_PROD_SIGMA] Theorem

|- !a a1 a2 f.

sigma_algebra a /\ FST o f IN measurable a a1 /\

SND o f IN measurable a a2 ==>

f IN

measurable a

(sigma (space a1 CROSS space a2) (prod_sets (subsets a1) (subsets a2)))

[MEASURABLE_RANGE_REDUCE] Theorem

|- !m f s.

measure_space m /\

f IN measurable (m_space m,measurable_sets m) (s,POW s) /\ s <> ==>

f IN

measurable (m_space m,measurable_sets m)

(s INTER IMAGE f (m_space m),POW (s INTER IMAGE f (m_space m)))

[MEASURABLE_SETS_SUBSET_SPACE] Theorem

|- !m s. measure_space m /\ s IN measurable_sets m ==> s SUBSET m_space m

[MEASURABLE_SIGMA] Theorem

|- !f a b sp.

sigma_algebra a /\ subset_class sp b /\ f IN (space a -> sp) /\

(!s. s IN b ==> PREIMAGE f s INTER space a IN subsets a) ==>

f IN measurable a (sigma sp b)

[MEASURABLE_SIGMA_PREIMAGES] Theorem

|- !a b f.

sigma_algebra a /\ sigma_algebra b /\ f IN (space a -> space b) /\

(!s. s IN subsets b ==> PREIMAGE f s IN subsets a) ==>

sigma_algebra (space a,IMAGE (PREIMAGE f) (subsets b))

[MEASURABLE_SUBSET] Theorem

|- !a b. measurable a b SUBSET measurable a (sigma (space b) (subsets b))

[MEASURABLE_UP_LIFT] Theorem

|- !sp a b c f.

f IN measurable (sp,a) c /\ sigma_algebra (sp,b) /\ a SUBSET b ==>

f IN measurable (sp,b) c

79

[MEASURABLE_UP_SIGMA] Theorem

|- !a b. measurable a b SUBSET measurable (sigma (space a) (subsets a)) b

[MEASURABLE_UP_SUBSET] Theorem

|- !sp a b c.

a SUBSET b /\ sigma_algebra (sp,b) ==>

measurable (sp,a) c SUBSET measurable (sp,b) c

[MEASURE_ADDITIVE] Theorem

|- !m s t u.

measure_space m /\ s IN measurable_sets m /\ t IN measurable_sets m /\

DISJOINT s t /\ (u = s UNION t) ==>

(measure m u = measure m s + measure m t)

[MEASURE_COUNTABLE_INCREASING] Theorem

|- !m s f.

measure_space m /\ f IN (univ(:num) -> measurable_sets m) /\ (f 0 = ) /\

(!n. f n SUBSET f (SUC n)) /\ (s = BIGUNION (IMAGE f univ(:num))) ==>

(sup (IMAGE (measure m o f) univ(:num)) = measure m s)

[MEASURE_COUNTABLY_ADDITIVE] Theorem

|- !m s f.

measure_space m /\ f IN (univ(:num) -> measurable_sets m) /\

(!m n. m <> n ==> DISJOINT (f m) (f n)) /\

(s = BIGUNION (IMAGE f univ(:num))) ==>

(suminf (measure m o f) = measure m s)

[MEASURE_DOWN] Theorem

|- !m0 m1.

sigma_algebra (m_space m0,measurable_sets m0) /\

measurable_sets m0 SUBSET measurable_sets m1 /\

(measure m0 = measure m1) /\ measure_space m1 ==>

measure_space m0

[MEASURE_EMPTY] Theorem

|- !m. measure_space m ==> (measure m = 0)

[MEASURE_EXTREAL_SUM_IMAGE] Theorem

|- !m s.

80

measure_space m /\ s IN measurable_sets m /\

(!x. x IN s ==> x IN measurable_sets m) /\ FINITE s ==>

(measure m s = SIGMA (\x. measure m x) s)

[MEASURE_PRESERVING_UP_LIFT] Theorem

|- !m1 m2 f.

f IN measure_preserving (m_space m1,a,measure m1) m2 /\

sigma_algebra (m_space m1,measurable_sets m1) /\

a SUBSET measurable_sets m1 ==>

f IN measure_preserving m1 m2

[MEASURE_PRESERVING_UP_SIGMA] Theorem

|- !m1 m2 a.

(measurable_sets m1 = subsets (sigma (m_space m1) a)) ==>

measure_preserving (m_space m1,a,measure m1) m2 SUBSET

measure_preserving m1 m2

[MEASURE_PRESERVING_UP_SUBSET] Theorem

|- !m1 m2.

a SUBSET measurable_sets m1 /\

sigma_algebra (m_space m1,measurable_sets m1) ==>

measure_preserving (m_space m1,a,measure m1) m2 SUBSET

measure_preserving m1 m2

[MEASURE_SPACE_ADDITIVE] Theorem

|- !m. measure_space m ==> additive m

[MEASURE_SPACE_BIGINTER] Theorem

|- !m s.

measure_space m /\ (!n. s n IN measurable_sets m) ==>

BIGINTER (IMAGE s univ(:num)) IN measurable_sets m

[MEASURE_SPACE_BIGUNION] Theorem

|- !m s.

measure_space m /\ (!n. s n IN measurable_sets m) ==>

BIGUNION (IMAGE s univ(:num)) IN measurable_sets m

[MEASURE_SPACE_CMUL] Theorem

|- !m c.

measure_space m /\ 0 <= c ==>

81

measure_space (m_space m,measurable_sets m,(\a. Normal c * measure m a))

[MEASURE_SPACE_DIFF] Theorem

|- !m s t.

measure_space m /\ s IN measurable_sets m /\ t IN measurable_sets m ==>

s DIFF t IN measurable_sets m

[MEASURE_SPACE_EMPTY_MEASURABLE] Theorem

|- !m. measure_space m ==> IN measurable_sets m

[MEASURE_SPACE_FINITE_DIFF] Theorem

|- !m s.

measure_space m /\ s IN measurable_sets m /\ measure m s <> PosInf ==>

(measure m (m_space m DIFF s) = measure m (m_space m) - measure m s)

[MEASURE_SPACE_FINITE_DIFF_SUBSET] Theorem

|- !m s t.

measure_space m /\ s IN measurable_sets m /\ t IN measurable_sets m /\

t SUBSET s /\ measure m s <> PosInf ==>

(measure m (s DIFF t) = measure m s - measure m t)

[MEASURE_SPACE_FINITE_MEASURE] Theorem

|- !m s.

measure_space m /\ s IN measurable_sets m /\

measure m (m_space m) <> PosInf ==>

measure m s <> PosInf

[MEASURE_SPACE_INCREASING] Theorem

|- !m. measure_space m ==> increasing m

[MEASURE_SPACE_INTER] Theorem

|- !m s t.

measure_space m /\ s IN measurable_sets m /\ t IN measurable_sets m ==>

s INTER t IN measurable_sets m

[MEASURE_SPACE_IN_MSPACE] Theorem

|- !m A.

measure_space m /\ A IN measurable_sets m ==>

!x. x IN A ==> x IN m_space m

82

[MEASURE_SPACE_MSPACE_MEASURABLE] Theorem

|- !m. measure_space m ==> m_space m IN measurable_sets m

[MEASURE_SPACE_POSITIVE] Theorem

|- !m. measure_space m ==> positive m

[MEASURE_SPACE_REDUCE] Theorem

|- !m. (m_space m,measurable_sets m,measure m) = m

[MEASURE_SPACE_RESTRICTED] Theorem

|- !m s.

measure_space m /\ s IN measurable_sets m ==>

measure_space (s,IMAGE (\t. s INTER t) (measurable_sets m),measure m)

[MEASURE_SPACE_SUBSET] Theorem

|- !s s’ m.

s’ SUBSET s /\ measure_space (s,POW s,m) ==> measure_space (s’,POW s’,m)

[MEASURE_SPACE_SUBSET_MSPACE] Theorem

|- !A m. measure_space m /\ A IN measurable_sets m ==> A SUBSET m_space m

[MEASURE_SPACE_UNION] Theorem

|- !m s t.

measure_space m /\ s IN measurable_sets m /\ t IN measurable_sets m ==>

s UNION t IN measurable_sets m

[MONOTONE_CONVERGENCE] Theorem

|- !m s f.

measure_space m /\ f IN (univ(:num) -> measurable_sets m) /\

(!n. f n SUBSET f (SUC n)) /\ (s = BIGUNION (IMAGE f univ(:num))) ==>

(sup (IMAGE (measure m o f) univ(:num)) = measure m s)

[MONOTONE_CONVERGENCE2] Theorem

|- !m f.

measure_space m /\ f IN (univ(:num) -> measurable_sets m) /\

(!n. f n SUBSET f (SUC n)) ==>

(sup (IMAGE (measure m o f) univ(:num)) =

83

measure m (BIGUNION (IMAGE f univ(:num))))

[MONOTONE_CONVERGENCE_BIGINTER] Theorem

|- !m s f.

measure_space m /\ f IN (univ(:num) -> measurable_sets m) /\

(!n. measure m (f n) <> PosInf) /\ (!n. f (SUC n) SUBSET f n) /\

(s = BIGINTER (IMAGE f univ(:num))) ==>

(inf (IMAGE (measure m o f) univ(:num)) = measure m s)

[MONOTONE_CONVERGENCE_BIGINTER2] Theorem

|- !m f.

measure_space m /\ f IN (univ(:num) -> measurable_sets m) /\

(!n. measure m (f n) <> PosInf) /\ (!n. f (SUC n) SUBSET f n) ==>

(inf (IMAGE (measure m o f) univ(:num)) =

measure m (BIGINTER (IMAGE f univ(:num))))

[OUTER_MEASURE_SPACE_POSITIVE] Theorem

|- !m. outer_measure_space m ==> positive m

[POW_ALGEBRA] Theorem

|- algebra (sp,POW sp)

[POW_SIGMA_ALGEBRA] Theorem

|- sigma_algebra (sp,POW sp)

[SIGMA_ALGEBRA] Theorem

|- !p.

sigma_algebra p <=>

subset_class (space p) (subsets p) /\ IN subsets p /\

(!s. s IN subsets p ==> space p DIFF s IN subsets p) /\

!c. countable c /\ c SUBSET subsets p ==> BIGUNION c IN subsets p

[SIGMA_ALGEBRA_ALGEBRA] Theorem

|- !a. sigma_algebra a ==> algebra a

[SIGMA_ALGEBRA_ALT] Theorem

|- !a.

sigma_algebra a <=>

algebra a /\

84

!f.

f IN (univ(:num) -> subsets a) ==>

BIGUNION (IMAGE f univ(:num)) IN subsets a

[SIGMA_ALGEBRA_ALT_DISJOINT] Theorem

|- !a.

sigma_algebra a <=>

algebra a /\

!f.

f IN (univ(:num) -> subsets a) /\

(!m n. m <> n ==> DISJOINT (f m) (f n)) ==>

BIGUNION (IMAGE f univ(:num)) IN subsets a

[SIGMA_ALGEBRA_ALT_MONO] Theorem

|- !a.

sigma_algebra a <=>

algebra a /\

!f.

f IN (univ(:num) -> subsets a) /\ (f 0 = ) /\

(!n. f n SUBSET f (SUC n)) ==>

BIGUNION (IMAGE f univ(:num)) IN subsets a

[SIGMA_ALGEBRA_BOREL] Theorem

|- sigma_algebra Borel

[SIGMA_ALGEBRA_COUNTABLE_UNION] Theorem

|- !a c.

sigma_algebra a /\ countable c /\ c SUBSET subsets a ==>

BIGUNION c IN subsets a

[SIGMA_ALGEBRA_ENUM] Theorem

|- !a f.

sigma_algebra a /\ f IN (univ(:num) -> subsets a) ==>

BIGUNION (IMAGE f univ(:num)) IN subsets a

[SIGMA_ALGEBRA_FN] Theorem

|- !a.

sigma_algebra a <=>

subset_class (space a) (subsets a) /\ IN subsets a /\

(!s. s IN subsets a ==> space a DIFF s IN subsets a) /\

!f.

85

f IN (univ(:num) -> subsets a) ==>

BIGUNION (IMAGE f univ(:num)) IN subsets a

[SIGMA_ALGEBRA_FN_BIGINTER] Theorem

|- !a.

sigma_algebra a ==>

subset_class (space a) (subsets a) /\ IN subsets a /\

(!s. s IN subsets a ==> space a DIFF s IN subsets a) /\

!f.

f IN (univ(:num) -> subsets a) ==>

BIGINTER (IMAGE f univ(:num)) IN subsets a

[SIGMA_ALGEBRA_FN_DISJOINT] Theorem

|- !a.

sigma_algebra a <=>

subset_class (space a) (subsets a) /\ IN subsets a /\

(!s. s IN subsets a ==> space a DIFF s IN subsets a) /\

(!s t. s IN subsets a /\ t IN subsets a ==> s UNION t IN subsets a) /\

!f.

f IN (univ(:num) -> subsets a) /\

(!m n. m <> n ==> DISJOINT (f m) (f n)) ==>

BIGUNION (IMAGE f univ(:num)) IN subsets a

[SIGMA_ALGEBRA_SIGMA] Theorem

|- !sp sts. subset_class sp sts ==> sigma_algebra (sigma sp sts)

[SIGMA_POW] Theorem

|- !s. sigma s (POW s) = (s,POW s)

[SIGMA_PROPERTY] Theorem

|- !sp p a.

subset_class sp p /\ IN p /\ a SUBSET p /\

(!s. s IN p INTER subsets (sigma sp a) ==> sp DIFF s IN p) /\

(!c.

countable c /\ c SUBSET p INTER subsets (sigma sp a) ==>

BIGUNION c IN p) ==>

subsets (sigma sp a) SUBSET p

[SIGMA_PROPERTY_ALT] Theorem

|- !sp p a.

subset_class sp p /\ IN p /\ a SUBSET p /\

86

(!s. s IN p INTER subsets (sigma sp a) ==> sp DIFF s IN p) /\

(!f.

f IN (univ(:num) -> p INTER subsets (sigma sp a)) ==>

BIGUNION (IMAGE f univ(:num)) IN p) ==>

subsets (sigma sp a) SUBSET p

[SIGMA_PROPERTY_DISJOINT_WEAK] Theorem

|- !sp p a.

subset_class sp p /\ IN p /\ a SUBSET p /\

(!s. s IN p INTER subsets (sigma sp a) ==> sp DIFF s IN p) /\

(!s t. s IN p /\ t IN p ==> s UNION t IN p) /\

(!f.

f IN (univ(:num) -> p INTER subsets (sigma sp a)) /\

(!m n. m <> n ==> DISJOINT (f m) (f n)) ==>

BIGUNION (IMAGE f univ(:num)) IN p) ==>

subsets (sigma sp a) SUBSET p

[SIGMA_REDUCE] Theorem

|- !sp a. (sp,subsets (sigma sp a)) = sigma sp a

[SIGMA_SUBSET] Theorem

|- !a b.

sigma_algebra b /\ a SUBSET subsets b ==>

subsets (sigma (space b) a) SUBSET subsets b

[SIGMA_SUBSET_MEASURABLE_SETS] Theorem

|- !a m.

measure_space m /\ a SUBSET measurable_sets m ==>

subsets (sigma (m_space m) a) SUBSET measurable_sets m

[SIGMA_SUBSET_SUBSETS] Theorem

|- !sp a. a SUBSET subsets (sigma sp a)

[SPACE] Theorem

|- !a. (space a,subsets a) = a

[SPACE_BOREL] Theorem

|- space Borel = univ(:extreal)

[SPACE_SIGMA] Theorem

87

|- !sp a. space (sigma sp a) = sp

[STRONG_MEASURE_SPACE_SUBSET] Theorem

|- !s s’.

s’ SUBSET m_space s /\ measure_space s /\

POW s’ SUBSET measurable_sets s ==>

measure_space (s’,POW s’,measure s)

[SUBADDITIVE] Theorem

|- !m s t u.

subadditive m /\ s IN measurable_sets m /\ t IN measurable_sets m /\

(u = s UNION t) ==>

measure m u <= measure m s + measure m t

[SUBSET_BIGINTER] Theorem

|- !X P. X SUBSET BIGINTER P <=> !Y. Y IN P ==> X SUBSET Y

[UNIV_SIGMA_ALGEBRA] Theorem

|- sigma_algebra (univ(:’a),univ(:’a -> bool))

[finite_additivity_sufficient_for_finite_spaces] Theorem

|- !s m.

sigma_algebra s /\ FINITE (space s) /\ positive (space s,subsets s,m) /\

additive (space s,subsets s,m) ==>

measure_space (space s,subsets s,m)

[finite_additivity_sufficient_for_finite_spaces2] Theorem

|- !m.

sigma_algebra (m_space m,measurable_sets m) /\ FINITE (m_space m) /\

positive m /\ additive m ==>

measure_space m

[indicator_fn_split] Theorem

|- !r s b.

FINITE r /\ (BIGUNION (IMAGE b r) = s) /\

(!i j. i IN r /\ j IN r /\ i <> j ==> DISJOINT (b i) (b j)) ==>

!a.

a SUBSET s ==>

(indicator_fn a = (\x. SIGMA (\i. indicator_fn (a INTER b i) x) r))

88

[indicator_fn_suminf] Theorem

|- !a x.

(!m n. m <> n ==> DISJOINT (a m) (a n)) ==>

(suminf (\i. indicator_fn (a i) x) =

indicator_fn (BIGUNION (IMAGE a univ(:num))) x)

[measure_split] Theorem

|- !r b m.

measure_space m /\ FINITE r /\ (BIGUNION (IMAGE b r) = m_space m) /\

(!i j. i IN r /\ j IN r /\ i <> j ==> DISJOINT (b i) (b j)) /\

(!i. i IN r ==> b i IN measurable_sets m) ==>

!a.

a IN measurable_sets m ==>

(measure m a = SIGMA (\i. measure m (a INTER b i)) r)

[positive_not_infty] Theorem

|- !m. positive m ==> !s. s IN measurable_sets m ==> measure m s <> NegInf

*)

end

signature lebesgueTheory =

sig

type thm = Thm.thm

(* Definitions *)

val RADON_F_def : thm

val RADON_F_integrals_def : thm

val finite_space_integral_def : thm

val fn_seq_def : thm

val fn_seq_integral_def : thm

val integrable_def : thm

val integral_def : thm

val max_fn_seq_def : thm

val measure_absolutely_continuous_def : thm

val negative_set_def : thm

val pos_fn_integral_def : thm

89

val pos_simple_fn_integral_def : thm

val psfis_def : thm

val psfs_def : thm

val seq_sup_def : thm

val signed_measure_space_def : thm

(* Theorems *)

val EXTREAL_SUP_FUN_SEQ_IMAGE : thm

val EXTREAL_SUP_FUN_SEQ_MONO_IMAGE : thm

val EXTREAL_SUP_SEQ : thm

val IN_psfis : thm

val IN_psfis_eq : thm

val RN_lemma1 : thm

val RN_lemma2 : thm

val Radon_Nikodym : thm

val integrable_bounded : thm

val integrable_fn_minus : thm

val integrable_fn_plus : thm

val integrable_infty : thm

val integrable_infty_null : thm

val integrable_not_infty : thm

val integrable_not_infty_alt : thm

val integrable_not_infty_alt2 : thm

val integrable_pos : thm

val integral_indicator : thm

val integral_pos_fn : thm

val integral_sequence : thm

val lebesgue_monotone_convergence : thm

val lebesgue_monotone_convergence_subset : thm

val lemma_fn_1 : thm

val lemma_fn_2 : thm

val lemma_fn_3 : thm

val lemma_fn_4 : thm

val lemma_fn_5 : thm

val lemma_fn_in_psfis : thm

val lemma_fn_mono_increasing : thm

val lemma_fn_sup : thm

val lemma_fn_upper_bounded : thm

val lemma_radon_max_in_F : thm

val lemma_radon_seq_conv_sup : thm

val max_fn_seq_mono : thm

val measurable_sequence : thm

val pos_fn_integral_add : thm

val pos_fn_integral_cmul : thm

val pos_fn_integral_cmul_indicator : thm

val pos_fn_integral_cmul_infty : thm

val pos_fn_integral_disjoint_sets : thm

90

val pos_fn_integral_disjoint_sets_sum : thm

val pos_fn_integral_indicator : thm

val pos_fn_integral_mono : thm

val pos_fn_integral_mono_mspace : thm

val pos_fn_integral_mspace : thm

val pos_fn_integral_pos : thm

val pos_fn_integral_pos_simple_fn : thm

val pos_fn_integral_split : thm

val pos_fn_integral_sum : thm

val pos_fn_integral_sum_cmul_indicator : thm

val pos_fn_integral_suminf : thm

val pos_fn_integral_zero : thm

val pos_mono_conv_mono_borel : thm

val pos_simple_fn_add : thm

val pos_simple_fn_add_alt : thm

val pos_simple_fn_cmul : thm

val pos_simple_fn_cmul_alt : thm

val pos_simple_fn_indicator : thm

val pos_simple_fn_indicator_alt : thm

val pos_simple_fn_integral_add : thm

val pos_simple_fn_integral_add_alt : thm

val pos_simple_fn_integral_cmul : thm

val pos_simple_fn_integral_cmul_alt : thm

val pos_simple_fn_integral_indicator : thm

val pos_simple_fn_integral_mono : thm

val pos_simple_fn_integral_not_infty : thm

val pos_simple_fn_integral_present : thm

val pos_simple_fn_integral_sub : thm

val pos_simple_fn_integral_sum : thm

val pos_simple_fn_integral_sum_alt : thm

val pos_simple_fn_integral_unique : thm

val pos_simple_fn_integral_zero : thm

val pos_simple_fn_integral_zero_alt : thm

val pos_simple_fn_le : thm

val pos_simple_fn_max : thm

val pos_simple_fn_not_infty : thm

val pos_simple_fn_thm1 : thm

val psfis_add : thm

val psfis_cmul : thm

val psfis_indicator : thm

val psfis_intro : thm

val psfis_mono : thm

val psfis_not_infty : thm

val psfis_pos : thm

val psfis_present : thm

val psfis_sub : thm

val psfis_sum : thm

91

val psfis_unique : thm

val psfis_zero : thm

val lebesgue_grammars : type_grammar.grammar * term_grammar.grammar

(*

[measure] Parent theory of "lebesgue"

[string] Parent theory of "lebesgue"

[RADON_F_def] Definition

|- !m v.

RADON_F m v =

f |

f IN measurable (m_space m,measurable_sets m) Borel /\ (!x. 0 <= f x) /\

!A.

A IN measurable_sets m ==>

pos_fn_integral m (\x. f x * indicator_fn A x) <= measure v A

[RADON_F_integrals_def] Definition

|- !m v.

RADON_F_integrals m v =

r | ?f. (r = pos_fn_integral m f) /\ f IN RADON_F m v

[finite_space_integral_def] Definition

|- !m f.

finite_space_integral m f =

SIGMA (\r. r * measure m (PREIMAGE f r INTER m_space m))

(IMAGE f (m_space m))

[fn_seq_def] Definition

|- !m f.

fn_seq m f =

(\n x.

SIGMA

(\k.

&k / 2 pow n *

indicator_fn

x |

x IN m_space m /\ &k / 2 pow n <= f x /\

f x < (&k + 1) / 2 pow n x) (count (4 ** n)) +

2 pow n * indicator_fn x | x IN m_space m /\ 2 pow n <= f x x)

[fn_seq_integral_def] Definition

92

|- !m f.

fn_seq_integral m f =

(\n.

SIGMA

(\k.

&k / 2 pow n *

measure m

x |

x IN m_space m /\ &k / 2 pow n <= f x /\

f x < (&k + 1) / 2 pow n) (count (4 ** n)) +

2 pow n * measure m x | x IN m_space m /\ 2 pow n <= f x)

[integrable_def] Definition

|- !m f.

integrable m f <=>

f IN measurable (m_space m,measurable_sets m) Borel /\

pos_fn_integral m (\x. if 0 < f x then f x else 0) <> PosInf /\

pos_fn_integral m (\x. if f x < 0 then -f x else 0) <> PosInf

[integral_def] Definition

|- !m f.

integral m f =

pos_fn_integral m (\x. if 0 < f x then f x else 0) -

pos_fn_integral m (\x. if f x < 0 then -f x else 0)

[max_fn_seq_def] Definition

|- (!g x. max_fn_seq g 0 x = g 0 x) /\

!g n x. max_fn_seq g (SUC n) x = max (max_fn_seq g n x) (g (SUC n) x)

[measure_absolutely_continuous_def] Definition

|- !m v.

measure_absolutely_continuous m v <=>

!A. A IN measurable_sets m /\ (measure v A = 0) ==> (measure m A = 0)

[negative_set_def] Definition

|- !m A.

negative_set m A <=>

A IN measurable_sets m /\

!s. s IN measurable_sets m /\ s SUBSET A ==> measure m s <= 0

[pos_fn_integral_def] Definition

93

|- !m f. pos_fn_integral m f = sup r | ?g. r IN psfis m g /\ !x. g x <= f x

[pos_simple_fn_integral_def] Definition

|- !m s a x.

pos_simple_fn_integral m s a x =

SIGMA (\i. Normal (x i) * measure m (a i)) s

[psfis_def] Definition

|- !m f.

psfis m f = IMAGE (\(s,a,x). pos_simple_fn_integral m s a x) (psfs m f)

[psfs_def] Definition

|- !m f. psfs m f = (s,a,x) | pos_simple_fn m f s a x

[seq_sup_def] Definition

|- (!P. seq_sup P 0 = @r. r IN P /\ sup P < r + 1) /\

!P n.

seq_sup P (SUC n) =

@r.

r IN P /\ sup P < r + Normal ((1 / 2) pow SUC n) /\ seq_sup P n < r /\

r < sup P

[signed_measure_space_def] Definition

|- !m.

signed_measure_space m <=>

sigma_algebra (m_space m,measurable_sets m) /\ countably_additive m

[EXTREAL_SUP_FUN_SEQ_IMAGE] Theorem

|- !P P’ f.

(?x. P x) /\ (?z. z <> PosInf /\ !x. P x ==> x <= z) /\

(P = IMAGE f P’) ==>

?g. (!n. g n IN P’) /\ (sup (IMAGE (\n. f (g n)) univ(:num)) = sup P)

[EXTREAL_SUP_FUN_SEQ_MONO_IMAGE] Theorem

|- !P P’.

(?x. P x) /\ (?z. z <> PosInf /\ !x. P x ==> x <= z) /\

(P = IMAGE f P’) /\

(!g1 g2. g1 IN P’ /\ g2 IN P’ /\ (!x. g1 x <= g2 x) ==> f g1 <= f g2) /\

(!g1 g2. g1 IN P’ /\ g2 IN P’ ==> (\x. max (g1 x) (g2 x)) IN P’) ==>

94

?g.

(!n. g n IN P’) /\ (!x n. g n x <= g (SUC n) x) /\

(sup (IMAGE (\n. f (g n)) univ(:num)) = sup P)

[EXTREAL_SUP_SEQ] Theorem

|- !P.

(?x. P x) /\ (?z. z <> PosInf /\ !x. P x ==> x <= z) ==>

?x.

(!n. x n IN P) /\ (!n. x n <= x (SUC n)) /\

(sup (IMAGE x univ(:num)) = sup P)

[IN_psfis] Theorem

|- !m r f.

r IN psfis m f ==>

?s a x. pos_simple_fn m f s a x /\ (r = pos_simple_fn_integral m s a x)

[IN_psfis_eq] Theorem

|- !m r f.

r IN psfis m f <=>

?s a x. pos_simple_fn m f s a x /\ (r = pos_simple_fn_integral m s a x)

[RN_lemma1] Theorem

|- !m v e.

measure_space m /\ measure_space v /\ 0 < e /\ (m_space v = m_space m) /\

(measurable_sets v = measurable_sets m) /\

measure v (m_space m) <> PosInf /\ measure m (m_space m) <> PosInf ==>

?A.

A IN measurable_sets m /\

measure m (m_space m) - measure v (m_space m) <=

measure m A - measure v A /\

!B.

B IN measurable_sets m /\ B SUBSET A ==>

-e < measure m B - measure v B

[RN_lemma2] Theorem

|- !m v.

measure_space m /\ measure_space v /\ (m_space v = m_space m) /\

(measurable_sets v = measurable_sets m) /\

measure v (m_space m) <> PosInf /\ measure m (m_space m) <> PosInf ==>

?A.

A IN measurable_sets m /\

measure m (m_space m) - measure v (m_space m) <=

95

measure m A - measure v A /\

!B.

B IN measurable_sets m /\ B SUBSET A ==>

0 <= measure m B - measure v B

[Radon_Nikodym] Theorem

|- !m v.

measure_space m /\ measure_space v /\ (m_space v = m_space m) /\

(measurable_sets v = measurable_sets m) /\

measure v (m_space v) <> PosInf /\ measure m (m_space m) <> PosInf /\

measure_absolutely_continuous v m ==>

?f.

f IN measurable (m_space m,measurable_sets m) Borel /\ (!x. 0 <= f x) /\

!A.

A IN measurable_sets m ==>

(pos_fn_integral m (\x. f x * indicator_fn A x) = measure v A)

[integrable_bounded] Theorem

|- !m f g.

measure_space m /\ integrable m f /\

g IN measurable (m_space m,measurable_sets m) Borel /\

(!x. abs (g x) <= f x) ==>

integrable m g

[integrable_fn_minus] Theorem

|- !m f. measure_space m /\ integrable m f ==> integrable m (fn_minus f)

[integrable_fn_plus] Theorem

|- !m f. measure_space m /\ integrable m f ==> integrable m (fn_plus f)

[integrable_infty] Theorem

|- !m f s.

measure_space m /\ integrable m f /\ s IN measurable_sets m /\

(!x. x IN s ==> (f x = PosInf)) ==>

(measure m s = 0)

[integrable_infty_null] Theorem

|- !m f.

measure_space m /\ integrable m f ==>

null_set m x | x IN m_space m /\ (f x = PosInf)

96

[integrable_not_infty] Theorem

|- !m f.

measure_space m /\ integrable m f /\ (!x. 0 <= f x) ==>

?g.

integrable m g /\ (!x. 0 <= g x) /\

(!x. x IN m_space m ==> g x <> PosInf) /\ (integral m f = integral m g)

[integrable_not_infty_alt] Theorem

|- !m f.

measure_space m /\ integrable m f /\ (!x. 0 <= f x) ==>

integrable m (\x. if f x = PosInf then 0 else f x) /\

(integral m f = integral m (\x. if f x = PosInf then 0 else f x))

[integrable_not_infty_alt2] Theorem

|- !m f.

measure_space m /\ integrable m f /\ (!x. 0 <= f x) ==>

integrable m (\x. if f x = PosInf then 0 else f x) /\

(pos_fn_integral m f =

pos_fn_integral m (\x. if f x = PosInf then 0 else f x))

[integrable_pos] Theorem

|- !m f.

measure_space m /\ (!x. 0 <= f x) ==>

(integrable m f <=>

f IN measurable (m_space m,measurable_sets m) Borel /\

pos_fn_integral m f <> PosInf)

[integral_indicator] Theorem

|- !m s.

measure_space m /\ s IN measurable_sets m ==>

(integral m (indicator_fn s) = measure m s)

[integral_pos_fn] Theorem

|- !m f.

measure_space m /\ (!x. 0 <= f x) ==> (integral m f = pos_fn_integral m f)

[integral_sequence] Theorem

|- !m f.

(!x. 0 <= f x) /\ measure_space m /\

f IN measurable (m_space m,measurable_sets m) Borel ==>

97

(pos_fn_integral m f =

sup (IMAGE (\i. pos_fn_integral m (fn_seq m f i)) univ(:num)))

[lebesgue_monotone_convergence] Theorem

|- !m f fi.

measure_space m /\

(!i. fi i IN measurable (m_space m,measurable_sets m) Borel) /\

(!i x. 0 <= fi i x) /\ (!x. 0 <= f x) /\

(!x. mono_increasing (\i. fi i x)) /\

(!x. x IN m_space m ==> (sup (IMAGE (\i. fi i x) univ(:num)) = f x)) ==>

(pos_fn_integral m f =

sup (IMAGE (\i. pos_fn_integral m (fi i)) univ(:num)))

[lebesgue_monotone_convergence_subset] Theorem

|- !m f fi A.

measure_space m /\

(!i. fi i IN measurable (m_space m,measurable_sets m) Borel) /\

(!i x. 0 <= fi i x) /\ (!x. 0 <= f x) /\

(!x. x IN m_space m ==> (sup (IMAGE (\i. fi i x) univ(:num)) = f x)) /\

(!x. mono_increasing (\i. fi i x)) /\ A IN measurable_sets m ==>

(pos_fn_integral m (\x. f x * indicator_fn A x) =

sup

(IMAGE (\i. pos_fn_integral m (\x. fi i x * indicator_fn A x))

univ(:num)))

[lemma_fn_1] Theorem

|- !m f n x k.

x IN m_space m /\ k IN count (4 ** n) /\ &k / 2 pow n <= f x /\

f x < (&k + 1) / 2 pow n ==>

(fn_seq m f n x = &k / 2 pow n)

[lemma_fn_2] Theorem

|- !m f n x. x IN m_space m /\ 2 pow n <= f x ==> (fn_seq m f n x = 2 pow n)

[lemma_fn_3] Theorem

|- !m f n x.

x IN m_space m /\ 0 <= f x ==>

2 pow n <= f x \/

?k. k IN count (4 ** n) /\ &k / 2 pow n <= f x /\ f x < (&k + 1) / 2 pow n

[lemma_fn_4] Theorem

98

|- !m f n x. x NOTIN m_space m ==> (fn_seq m f n x = 0)

[lemma_fn_5] Theorem

|- !m f n x. 0 <= f x ==> 0 <= fn_seq m f n x

[lemma_fn_in_psfis] Theorem

|- !m f n.

(!x. 0 <= f x) /\ measure_space m /\

f IN measurable (m_space m,measurable_sets m) Borel ==>

fn_seq_integral m f n IN psfis m (fn_seq m f n)

[lemma_fn_mono_increasing] Theorem

|- !m f x. 0 <= f x ==> mono_increasing (\n. fn_seq m f n x)

[lemma_fn_sup] Theorem

|- !m f x.

x IN m_space m /\ 0 <= f x ==>

(sup (IMAGE (\n. fn_seq m f n x) univ(:num)) = f x)

[lemma_fn_upper_bounded] Theorem

|- !m f n x. 0 <= f x ==> fn_seq m f n x <= f x

[lemma_radon_max_in_F] Theorem

|- !f g m v.

measure_space m /\ measure_space v /\ (m_space v = m_space m) /\

(measurable_sets v = measurable_sets m) /\ f IN RADON_F m v /\

g IN RADON_F m v ==>

(\x. max (f x) (g x)) IN RADON_F m v

[lemma_radon_seq_conv_sup] Theorem

|- !f m v.

(measure_space m /\ measure_space v /\ (m_space v = m_space m) /\

(measurable_sets v = measurable_sets m)) /\

measure v (m_space v) <> PosInf ==>

?f_n.

(!n. f_n n IN RADON_F m v) /\ (!x n. f_n n x <= f_n (SUC n) x) /\

(sup (IMAGE (\n. pos_fn_integral m (f_n n)) univ(:num)) =

sup (RADON_F_integrals m v))

[max_fn_seq_mono] Theorem

99

|- !g n x. max_fn_seq g n x <= max_fn_seq g (SUC n) x

[measurable_sequence] Theorem

|- !m f.

measure_space m /\ f IN measurable (m_space m,measurable_sets m) Borel ==>

(?fi ri.

(!x. mono_increasing (\i. fi i x)) /\

(!x.

x IN m_space m ==>

(sup (IMAGE (\i. fi i x) univ(:num)) = fn_plus f x)) /\

(!i. ri i IN psfis m (fi i)) /\ (!i x. fi i x <= fn_plus f x) /\

(!i x. 0 <= fi i x) /\

(pos_fn_integral m (fn_plus f) =

sup (IMAGE (\i. pos_fn_integral m (fi i)) univ(:num)))) /\

?gi vi.

(!x. mono_increasing (\i. gi i x)) /\

(!x.

x IN m_space m ==>

(sup (IMAGE (\i. gi i x) univ(:num)) = fn_minus f x)) /\

(!i. vi i IN psfis m (gi i)) /\ (!i x. gi i x <= fn_minus f x) /\

(!i x. 0 <= gi i x) /\

(pos_fn_integral m (fn_minus f) =

sup (IMAGE (\i. pos_fn_integral m (gi i)) univ(:num)))

[pos_fn_integral_add] Theorem

|- !m f g.

measure_space m /\ (!x. 0 <= f x /\ 0 <= g x) /\

f IN measurable (m_space m,measurable_sets m) Borel /\

g IN measurable (m_space m,measurable_sets m) Borel ==>

(pos_fn_integral m (\x. f x + g x) =

pos_fn_integral m f + pos_fn_integral m g)

[pos_fn_integral_cmul] Theorem

|- !f c.

measure_space m /\ (!x. x IN m_space m ==> 0 <= f x) /\ 0 <= c ==>

(pos_fn_integral m (\x. Normal c * f x) = Normal c * pos_fn_integral m f)

[pos_fn_integral_cmul_indicator] Theorem

|- !m s c.

measure_space m /\ s IN measurable_sets m /\ 0 <= c ==>

(pos_fn_integral m (\x. Normal c * indicator_fn s x) =

Normal c * measure m s)

100

[pos_fn_integral_cmul_infty] Theorem

|- !m s.

measure_space m /\ s IN measurable_sets m ==>

(pos_fn_integral m (\x. PosInf * indicator_fn s x) = PosInf * measure m s)

[pos_fn_integral_disjoint_sets] Theorem

|- !m f s t.

measure_space m /\ DISJOINT s t /\ s IN measurable_sets m /\

t IN measurable_sets m /\

f IN measurable (m_space m,measurable_sets m) Borel /\ (!x. 0 <= f x) ==>

(pos_fn_integral m (\x. f x * indicator_fn (s UNION t) x) =

pos_fn_integral m (\x. f x * indicator_fn s x) +

pos_fn_integral m (\x. f x * indicator_fn t x))

[pos_fn_integral_disjoint_sets_sum] Theorem

|- !m f s a.

FINITE s /\ measure_space m /\

(!i. i IN s ==> a i IN measurable_sets m) /\ (!x. 0 <= f x) /\

(!i j. i IN s /\ j IN s /\ i <> j ==> DISJOINT (a i) (a j)) /\

f IN measurable (m_space m,measurable_sets m) Borel ==>

(pos_fn_integral m (\x. f x * indicator_fn (BIGUNION (IMAGE a s)) x) =

SIGMA (\i. pos_fn_integral m (\x. f x * indicator_fn (a i) x)) s)

[pos_fn_integral_indicator] Theorem

|- !m s.

measure_space m /\ s IN measurable_sets m ==>

(pos_fn_integral m (indicator_fn s) = measure m s)

[pos_fn_integral_mono] Theorem

|- !f g.

(!x. 0 <= f x /\ f x <= g x) ==>

pos_fn_integral m f <= pos_fn_integral m g

[pos_fn_integral_mono_mspace] Theorem

|- !m f g.

measure_space m /\ (!x. x IN m_space m ==> g x <= f x) /\

(!x. 0 <= f x) /\ (!x. 0 <= g x) ==>

pos_fn_integral m g <= pos_fn_integral m f

[pos_fn_integral_mspace] Theorem

101

|- !m f.

measure_space m /\ (!x. 0 <= f x) ==>

(pos_fn_integral m f =

pos_fn_integral m (\x. f x * indicator_fn (m_space m) x))

[pos_fn_integral_pos] Theorem

|- !m f. measure_space m /\ (!x. 0 <= f x) ==> 0 <= pos_fn_integral m f

[pos_fn_integral_pos_simple_fn] Theorem

|- !m f s a x.

measure_space m /\ pos_simple_fn m f s a x ==>

(pos_fn_integral m f = pos_simple_fn_integral m s a x)

[pos_fn_integral_split] Theorem

|- !m f s.

measure_space m /\ s IN measurable_sets m /\ (!x. 0 <= f x) /\

f IN measurable (m_space m,measurable_sets m) Borel ==>

(pos_fn_integral m f =

pos_fn_integral m (\x. f x * indicator_fn s x) +

pos_fn_integral m (\x. f x * indicator_fn (m_space m DIFF s) x))

[pos_fn_integral_sum] Theorem

|- !m f s.

FINITE s /\ measure_space m /\ (!i. i IN s ==> !x. 0 <= f i x) /\

(!i. i IN s ==> f i IN measurable (m_space m,measurable_sets m) Borel) ==>

(pos_fn_integral m (\x. SIGMA (\i. f i x) s) =

SIGMA (\i. pos_fn_integral m (f i)) s)

[pos_fn_integral_sum_cmul_indicator] Theorem

|- !m s a x.

measure_space m /\ FINITE s /\ (!i. i IN s ==> 0 <= x i) /\

(!i. i IN s ==> a i IN measurable_sets m) ==>

(pos_fn_integral m

(\t. SIGMA (\i. Normal (x i) * indicator_fn (a i) t) s) =

SIGMA (\i. Normal (x i) * measure m (a i)) s)

[pos_fn_integral_suminf] Theorem

|- !m f.

measure_space m /\ (!i x. 0 <= f i x) /\

(!i. f i IN measurable (m_space m,measurable_sets m) Borel) ==>

102

(pos_fn_integral m (\x. suminf (\i. f i x)) =

suminf (\i. pos_fn_integral m (f i)))

[pos_fn_integral_zero] Theorem

|- !m. measure_space m ==> (pos_fn_integral m (\x. 0) = 0)

[pos_mono_conv_mono_borel] Theorem

|- !m f fi g r’.

measure_space m /\

(!i. fi i IN measurable (m_space m,measurable_sets m) Borel) /\

(!x. mono_increasing (\i. fi i x)) /\

(!x. x IN m_space m ==> (sup (IMAGE (\i. fi i x) univ(:num)) = f x)) /\

r’ IN psfis m g /\ (!x. g x <= f x) /\ (!i x. 0 <= fi i x) ==>

r’ <= sup (IMAGE (\i. pos_fn_integral m (fi i)) univ(:num))

[pos_simple_fn_add] Theorem

|- !m f g.

measure_space m /\ pos_simple_fn m f s a x /\

pos_simple_fn m g s’ a’ x’ ==>

?s’’ a’’ x’’. pos_simple_fn m (\t. f t + g t) s’’ a’’ x’’

[pos_simple_fn_add_alt] Theorem

|- !m f g s a x y.

measure_space m /\ pos_simple_fn m f s a x /\ pos_simple_fn m g s a y ==>

pos_simple_fn m (\t. f t + g t) s a (\i. x i + y i)

[pos_simple_fn_cmul] Theorem

|- !m f z.

measure_space m /\ pos_simple_fn m f s a x /\ 0 <= z ==>

?s’ a’ x’. pos_simple_fn m (\t. Normal z * f t) s’ a’ x’

[pos_simple_fn_cmul_alt] Theorem

|- !m f s a x z.

measure_space m /\ 0 <= z /\ pos_simple_fn m f s a x ==>

pos_simple_fn m (\t. Normal z * f t) s a (\i. z * x i)

[pos_simple_fn_indicator] Theorem

|- !m A.

measure_space m /\ A IN measurable_sets m ==>

?s a x. pos_simple_fn m (indicator_fn A) s a x

103

[pos_simple_fn_indicator_alt] Theorem

|- !m s.

measure_space m /\ s IN measurable_sets m ==>

pos_simple_fn m (indicator_fn s) 0; 1

(\i. if i = 0 then m_space m DIFF s else s) (\i. if i = 0 then 0 else 1)

[pos_simple_fn_integral_add] Theorem

|- !m f s a x g s’ b y.

measure_space m /\ pos_simple_fn m f s a x /\ pos_simple_fn m g s’ b y ==>

?s’’ c z.

pos_simple_fn m (\x. f x + g x) s’’ c z /\

(pos_simple_fn_integral m s a x + pos_simple_fn_integral m s’ b y =

pos_simple_fn_integral m s’’ c z)

[pos_simple_fn_integral_add_alt] Theorem

|- !m f s a x g y.

measure_space m /\ pos_simple_fn m f s a x /\ pos_simple_fn m g s a y ==>

(pos_simple_fn_integral m s a x + pos_simple_fn_integral m s a y =

pos_simple_fn_integral m s a (\i. x i + y i))

[pos_simple_fn_integral_cmul] Theorem

|- !m f s a x z.

measure_space m /\ pos_simple_fn m f s a x /\ 0 <= z ==>

pos_simple_fn m (\x. Normal z * f x) s a (\i. z * x i) /\

(pos_simple_fn_integral m s a (\i. z * x i) =

Normal z * pos_simple_fn_integral m s a x)

[pos_simple_fn_integral_cmul_alt] Theorem

|- !m f s a x z.

measure_space m /\ 0 <= z /\ pos_simple_fn m f s a x ==>

?s’ a’ x’.

pos_simple_fn m (\t. Normal z * f t) s’ a’ x’ /\

(pos_simple_fn_integral m s’ a’ x’ =

Normal z * pos_simple_fn_integral m s a x)

[pos_simple_fn_integral_indicator] Theorem

|- !m A.

measure_space m /\ A IN measurable_sets m ==>

?s a x.

pos_simple_fn m (indicator_fn A) s a x /\

104

(pos_simple_fn_integral m s a x = measure m A)

[pos_simple_fn_integral_mono] Theorem

|- !m f s a x g s’ b y.

measure_space m /\ pos_simple_fn m f s a x /\ pos_simple_fn m g s’ b y /\

(!x. x IN m_space m ==> f x <= g x) ==>

pos_simple_fn_integral m s a x <= pos_simple_fn_integral m s’ b y

[pos_simple_fn_integral_not_infty] Theorem

|- !m f s a x.

measure_space m /\ pos_simple_fn m f s a x ==>

pos_simple_fn_integral m s a x <> NegInf

[pos_simple_fn_integral_present] Theorem

|- !m f s a x g s’ b y.

measure_space m /\ pos_simple_fn m f s a x /\ pos_simple_fn m g s’ b y ==>

?z z’ c k.

(!t.

t IN m_space m ==>

(f t = SIGMA (\i. Normal (z i) * indicator_fn (c i) t) k)) /\

(!t.

t IN m_space m ==>

(g t = SIGMA (\i. Normal (z’ i) * indicator_fn (c i) t) k)) /\

(pos_simple_fn_integral m s a x = pos_simple_fn_integral m k c z) /\

(pos_simple_fn_integral m s’ b y = pos_simple_fn_integral m k c z’) /\

FINITE k /\ (!i. i IN k ==> 0 <= z i) /\ (!i. i IN k ==> 0 <= z’ i) /\

(!i j. i IN k /\ j IN k /\ i <> j ==> DISJOINT (c i) (c j)) /\

(!i. i IN k ==> c i IN measurable_sets m) /\

(BIGUNION (IMAGE c k) = m_space m)

[pos_simple_fn_integral_sub] Theorem

|- !m f s a x g s’ b y.

measure_space m /\ measure m (m_space m) <> PosInf /\ (!x. g x <= f x) /\

(!x. g x <> PosInf) /\ pos_simple_fn m f s a x /\

pos_simple_fn m g s’ b y ==>

?s’’ c z.

pos_simple_fn m (\x. f x - g x) s’’ c z /\

(pos_simple_fn_integral m s a x - pos_simple_fn_integral m s’ b y =

pos_simple_fn_integral m s’’ c z)

[pos_simple_fn_integral_sum] Theorem

|- !m f s a x P.

105

measure_space m /\ (!i. i IN P ==> pos_simple_fn m (f i) s a (x i)) /\

(!i t. i IN P ==> f i t <> NegInf) /\ FINITE P /\ P <> ==>

pos_simple_fn m (\t. SIGMA (\i. f i t) P) s a (\i. SIGMA (\j. x j i) P) /\

(pos_simple_fn_integral m s a (\j. SIGMA (\i. x i j) P) =

SIGMA (\i. pos_simple_fn_integral m s a (x i)) P)

[pos_simple_fn_integral_sum_alt] Theorem

|- !m f s a x P.

measure_space m /\

(!i. i IN P ==> pos_simple_fn m (f i) (s i) (a i) (x i)) /\

(!i t. i IN P ==> f i t <> NegInf) /\ FINITE P /\ P <> ==>

?c k z.

pos_simple_fn m (\t. SIGMA (\i. f i t) P) k c z /\

(pos_simple_fn_integral m k c z =

SIGMA (\i. pos_simple_fn_integral m (s i) (a i) (x i)) P)

[pos_simple_fn_integral_unique] Theorem

|- !m f s a x s’ b y.

measure_space m /\ pos_simple_fn m f s a x /\ pos_simple_fn m f s’ b y ==>

(pos_simple_fn_integral m s a x = pos_simple_fn_integral m s’ b y)

[pos_simple_fn_integral_zero] Theorem

|- !m s a x.

measure_space m /\ pos_simple_fn m (\t. 0) s a x ==>

(pos_simple_fn_integral m s a x = 0)

[pos_simple_fn_integral_zero_alt] Theorem

|- !m s a x.

measure_space m /\ pos_simple_fn m g s a x /\

(!x. x IN m_space m ==> (g x = 0)) ==>

(pos_simple_fn_integral m s a x = 0)

[pos_simple_fn_le] Theorem

|- !m f g s a x x’ i.

measure_space m /\ pos_simple_fn m f s a x /\ pos_simple_fn m g s a x’ /\

(!x. x IN m_space m ==> g x <= f x) /\ i IN s /\ a i <> ==>

Normal (x’ i) <= Normal (x i)

[pos_simple_fn_max] Theorem

|- !m f s a x g s’ b y.

measure_space m /\ pos_simple_fn m f s a x /\ pos_simple_fn m g s’ b y ==>

106

?s’’ a’’ x’’. pos_simple_fn m (\x. max (f x) (g x)) s’’ a’’ x’’

[pos_simple_fn_not_infty] Theorem

|- !m f s a x.

pos_simple_fn m f s a x ==>

!x. x IN m_space m ==> f x <> NegInf /\ f x <> PosInf

[pos_simple_fn_thm1] Theorem

|- !m f s a x i y.

measure_space m /\ pos_simple_fn m f s a x /\ i IN s /\ y IN a i ==>

(f y = Normal (x i))

[psfis_add] Theorem

|- !m f g a b.

measure_space m /\ a IN psfis m f /\ b IN psfis m g ==>

a + b IN psfis m (\x. f x + g x)

[psfis_cmul] Theorem

|- !m f a z.

measure_space m /\ a IN psfis m f /\ 0 <= z ==>

Normal z * a IN psfis m (\x. Normal z * f x)

[psfis_indicator] Theorem

|- !m A.

measure_space m /\ A IN measurable_sets m ==>

measure m A IN psfis m (indicator_fn A)

[psfis_intro] Theorem

|- !m a x P.

measure_space m /\ (!i. i IN P ==> a i IN measurable_sets m) /\

(!i. i IN P ==> 0 <= x i) /\ FINITE P ==>

SIGMA (\i. Normal (x i) * measure m (a i)) P IN

psfis m (\t. SIGMA (\i. Normal (x i) * indicator_fn (a i) t) P)

[psfis_mono] Theorem

|- !m f g a b.

measure_space m /\ a IN psfis m f /\ b IN psfis m g /\

(!x. x IN m_space m ==> f x <= g x) ==>

a <= b

107

[psfis_not_infty] Theorem

|- !m f a. measure_space m /\ a IN psfis m f ==> a <> NegInf

[psfis_pos] Theorem

|- !m f a.

measure_space m /\ a IN psfis m f ==> !x. x IN m_space m ==> 0 <= f x

[psfis_present] Theorem

|- !m f g a b.

measure_space m /\ a IN psfis m f /\ b IN psfis m g ==>

?z z’ c k.

(!t.

t IN m_space m ==>

(f t = SIGMA (\i. Normal (z i) * indicator_fn (c i) t) k)) /\

(!t.

t IN m_space m ==>

(g t = SIGMA (\i. Normal (z’ i) * indicator_fn (c i) t) k)) /\

(a = pos_simple_fn_integral m k c z) /\

(b = pos_simple_fn_integral m k c z’) /\ FINITE k /\

(!i. i IN k ==> 0 <= z i) /\ (!i. i IN k ==> 0 <= z’ i) /\

(!i j. i IN k /\ j IN k /\ i <> j ==> DISJOINT (c i) (c j)) /\

(!i. i IN k ==> c i IN measurable_sets m) /\

(BIGUNION (IMAGE c k) = m_space m)

[psfis_sub] Theorem

|- !m f g a b.

measure_space m /\ measure m (m_space m) <> PosInf /\ (!x. g x <= f x) /\

(!x. g x <> PosInf) /\ a IN psfis m f /\ b IN psfis m g ==>

a - b IN psfis m (\x. f x - g x)

[psfis_sum] Theorem

|- !m f a P.

measure_space m /\ (!i. i IN P ==> a i IN psfis m (f i)) /\

(!i t. i IN P ==> f i t <> NegInf) /\ FINITE P ==>

SIGMA a P IN psfis m (\t. SIGMA (\i. f i t) P)

[psfis_unique] Theorem

|- !m f a b. measure_space m /\ a IN psfis m f /\ b IN psfis m f ==> (a = b)

[psfis_zero] Theorem

108

|- !m a. measure_space m ==> (a IN psfis m (\x. 0) <=> (a = 0))

*)

end

signature probabilityTheory =

sig

type thm = Thm.thm

(* Definitions *)

val conditional_expectation_def : thm

val conditional_prob_def : thm

val distribution_def : thm

val events_def : thm

val expectation_def : thm

val indep_def : thm

val joint_distribution_def : thm

val p_space_def : thm

val possibly_def : thm

val prob_def : thm

val prob_space_def : thm

val probably_def : thm

val random_variable_def : thm

val real_random_variable_def : thm

val rv_conditional_expectation_def : thm

(* Theorems *)

val ABS_1_MINUS_PROB : thm

val ABS_PROB : thm

val ADDITIVE_PROB : thm

val COUNTABLY_ADDITIVE_PROB : thm

val EVENTS : thm

val EVENTS_ALGEBRA : thm

val EVENTS_COMPL : thm

val EVENTS_COUNTABLE_INTER : thm

val EVENTS_COUNTABLE_UNION : thm

val EVENTS_DIFF : thm

val EVENTS_EMPTY : thm

val EVENTS_INTER : thm

val EVENTS_SIGMA_ALGEBRA : thm

109

val EVENTS_SPACE : thm

val EVENTS_UNION : thm

val INCREASING_PROB : thm

val INDEP_EMPTY : thm

val INDEP_REFL : thm

val INDEP_SPACE : thm

val INDEP_SYM : thm

val INTER_PSPACE : thm

val POSITIVE_PROB : thm

val PROB : thm

val PROB_ADDITIVE : thm

val PROB_COMPL : thm

val PROB_COMPL_LE1 : thm

val PROB_COUNTABLY_ADDITIVE : thm

val PROB_COUNTABLY_SUBADDITIVE : thm

val PROB_COUNTABLY_ZERO : thm

val PROB_EMPTY : thm

val PROB_EQUIPROBABLE_FINITE_UNIONS : thm

val PROB_EQ_BIGUNION_IMAGE : thm

val PROB_EQ_COMPL : thm

val PROB_FINITE : thm

val PROB_FINITELY_ADDITIVE : thm

val PROB_INCREASING : thm

val PROB_INCREASING_UNION : thm

val PROB_INDEP : thm

val PROB_LE_1 : thm

val PROB_ONE_INTER : thm

val PROB_POSITIVE : thm

val PROB_REAL_SUM_IMAGE : thm

val PROB_REAL_SUM_IMAGE_FN : thm

val PROB_SPACE : thm

val PROB_SPACE_ADDITIVE : thm

val PROB_SPACE_COUNTABLY_ADDITIVE : thm

val PROB_SPACE_INCREASING : thm

val PROB_SPACE_POSITIVE : thm

val PROB_SUBADDITIVE : thm

val PROB_UNIV : thm

val PROB_ZERO_UNION : thm

val PSPACE : thm

val distribution_lebesgue_thm1 : thm

val distribution_lebesgue_thm2 : thm

val distribution_prob_space : thm

val distribution_x_eq_1_imp_distribution_y_eq_0 : thm

val finite_marginal_product_space_POW : thm

val finite_marginal_product_space_POW2 : thm

val prob_x_eq_1_imp_prob_y_eq_0 : thm

110

val probability_grammars : type_grammar.grammar * term_grammar.grammar

(*

[lebesgue] Parent theory of "probability"

[conditional_expectation_def] Definition

|- !p X s.

conditional_expectation p X s =

@f.

real_random_variable f p /\

!g.

g IN s ==>

(integral p (\x. f x * indicator_fn g x) =

integral p (\x. X x * indicator_fn g x))

[conditional_prob_def] Definition

|- !p e1 e2.

conditional_prob p e1 e2 = conditional_expectation p (indicator_fn e1) e2

[distribution_def] Definition

|- !p X. distribution p X = (\s. prob p (PREIMAGE X s INTER p_space p))

[events_def] Definition

|- events = measurable_sets

[expectation_def] Definition

|- expectation = integral

[indep_def] Definition

|- !p a b.

indep p a b <=>

a IN events p /\ b IN events p /\

(prob p (a INTER b) = prob p a * prob p b)

[joint_distribution_def] Definition

|- !p X Y.

joint_distribution p X Y =

(\a. prob p (PREIMAGE (\x. (X x,Y x)) a INTER p_space p))

[p_space_def] Definition

111

|- p_space = m_space

[possibly_def] Definition

|- !p e. possibly p e <=> e IN events p /\ prob p e <> 0

[prob_def] Definition

|- prob = measure

[prob_space_def] Definition

|- !p. prob_space p <=> measure_space p /\ (measure p (p_space p) = 1)

[probably_def] Definition

|- !p e. probably p e <=> e IN events p /\ (prob p e = 1)

[random_variable_def] Definition

|- !X p s.

random_variable X p s <=>

prob_space p /\ X IN measurable (p_space p,events p) s

[real_random_variable_def] Definition

|- !X p.

real_random_variable X p <=>

prob_space p /\ X IN measurable (p_space p,events p) Borel

[rv_conditional_expectation_def] Definition

|- !p s X Y.

rv_conditional_expectation p s X Y =

conditional_expectation p X

(IMAGE (\a. PREIMAGE Y a INTER p_space p) (subsets s))

[ABS_1_MINUS_PROB] Theorem

|- !p s.

prob_space p /\ s IN events p /\ prob p s <> 0 ==> abs (1 - prob p s) < 1

[ABS_PROB] Theorem

|- !p s. prob_space p /\ s IN events p ==> (abs (prob p s) = prob p s)

[ADDITIVE_PROB] Theorem

112

|- !p.

additive p <=>

!s t.

s IN events p /\ t IN events p /\ DISJOINT s t ==>

(prob p (s UNION t) = prob p s + prob p t)

[COUNTABLY_ADDITIVE_PROB] Theorem

|- !p.

countably_additive p <=>

!f.

f IN (univ(:num) -> events p) /\

(!m n. m <> n ==> DISJOINT (f m) (f n)) /\

BIGUNION (IMAGE f univ(:num)) IN events p ==>

(prob p (BIGUNION (IMAGE f univ(:num))) = suminf (prob p o f))

[EVENTS] Theorem

|- !a b c. events (a,b,c) = b

[EVENTS_ALGEBRA] Theorem

|- !p. prob_space p ==> algebra (p_space p,events p)

[EVENTS_COMPL] Theorem

|- !p s. prob_space p /\ s IN events p ==> p_space p DIFF s IN events p

[EVENTS_COUNTABLE_INTER] Theorem

|- !p c.

prob_space p /\ c SUBSET events p /\ countable c /\ c <> ==>

BIGINTER c IN events p

[EVENTS_COUNTABLE_UNION] Theorem

|- !p c.

prob_space p /\ c SUBSET events p /\ countable c ==>

BIGUNION c IN events p

[EVENTS_DIFF] Theorem

|- !p s t.

prob_space p /\ s IN events p /\ t IN events p ==> s DIFF t IN events p

[EVENTS_EMPTY] Theorem

113

|- !p. prob_space p ==> IN events p

[EVENTS_INTER] Theorem

|- !p s t.

prob_space p /\ s IN events p /\ t IN events p ==> s INTER t IN events p

[EVENTS_SIGMA_ALGEBRA] Theorem

|- !p. prob_space p ==> sigma_algebra (p_space p,events p)

[EVENTS_SPACE] Theorem

|- !p. prob_space p ==> p_space p IN events p

[EVENTS_UNION] Theorem

|- !p s t.

prob_space p /\ s IN events p /\ t IN events p ==> s UNION t IN events p

[INCREASING_PROB] Theorem

|- !p.

increasing p <=>

!s t.

s IN events p /\ t IN events p /\ s SUBSET t ==> prob p s <= prob p t

[INDEP_EMPTY] Theorem

|- !p s. prob_space p /\ s IN events p ==> indep p s

[INDEP_REFL] Theorem

|- !p a.

prob_space p /\ a IN events p ==>

(indep p a a <=> (prob p a = 0) \/ (prob p a = 1))

[INDEP_SPACE] Theorem

|- !p s. prob_space p /\ s IN events p ==> indep p (p_space p) s

[INDEP_SYM] Theorem

|- !p a b. prob_space p /\ indep p a b ==> indep p b a

[INTER_PSPACE] Theorem

114

|- !p s. prob_space p /\ s IN events p ==> (p_space p INTER s = s)

[POSITIVE_PROB] Theorem

|- !p. positive p <=> (prob p = 0) /\ !s. s IN events p ==> 0 <= prob p s

[PROB] Theorem

|- !a b c. prob (a,b,c) = c

[PROB_ADDITIVE] Theorem

|- !p s t u.

prob_space p /\ s IN events p /\ t IN events p /\ DISJOINT s t /\

(u = s UNION t) ==>

(prob p u = prob p s + prob p t)

[PROB_COMPL] Theorem

|- !p s.

prob_space p /\ s IN events p ==>

(prob p (p_space p DIFF s) = 1 - prob p s)

[PROB_COMPL_LE1] Theorem

|- !p s r.

prob_space p /\ s IN events p ==>

(prob p (p_space p DIFF s) <= r <=> 1 - r <= prob p s)

[PROB_COUNTABLY_ADDITIVE] Theorem

|- !p s f.

prob_space p /\ f IN (univ(:num) -> events p) /\

(!m n. m <> n ==> DISJOINT (f m) (f n)) /\

(s = BIGUNION (IMAGE f univ(:num))) ==>

(prob p s = suminf (prob p o f))

[PROB_COUNTABLY_SUBADDITIVE] Theorem

|- !p f.

prob_space p /\ IMAGE f univ(:num) SUBSET events p ==>

prob p (BIGUNION (IMAGE f univ(:num))) <= suminf (prob p o f)

[PROB_COUNTABLY_ZERO] Theorem

|- !p c.

115

prob_space p /\ countable c /\ c SUBSET events p /\

(!x. x IN c ==> (prob p x = 0)) ==>

(prob p (BIGUNION c) = 0)

[PROB_EMPTY] Theorem

|- !p. prob_space p ==> (prob p = 0)

[PROB_EQUIPROBABLE_FINITE_UNIONS] Theorem

|- !p s.

prob_space p /\ s IN events p /\ (!x. x IN s ==> x IN events p) /\

FINITE s /\ (!x y. x IN s /\ y IN s ==> (prob p x = prob p y)) ==>

(prob p s = &CARD s * prob p CHOICE s)

[PROB_EQ_BIGUNION_IMAGE] Theorem

|- !p.

prob_space p /\ f IN (univ(:num) -> events p) /\

g IN (univ(:num) -> events p) /\

(!m n. m <> n ==> DISJOINT (f m) (f n)) /\

(!m n. m <> n ==> DISJOINT (g m) (g n)) /\

(!n. prob p (f n) = prob p (g n)) ==>

(prob p (BIGUNION (IMAGE f univ(:num))) =

prob p (BIGUNION (IMAGE g univ(:num))))

[PROB_EQ_COMPL] Theorem

|- !p s t.

prob_space p /\ s IN events p /\ t IN events p /\

(prob p (p_space p DIFF s) = prob p (p_space p DIFF t)) ==>

(prob p s = prob p t)

[PROB_FINITE] Theorem

|- !p s.

prob_space p /\ s IN events p ==> prob p s <> NegInf /\ prob p s <> PosInf

[PROB_FINITELY_ADDITIVE] Theorem

[oracles: tactic_failed] [axioms: ] []

|- !p s f n.

prob_space p /\ f IN (count n -> events p) /\

(!a b. a < n /\ b < n /\ a <> b ==> DISJOINT (f a) (f b)) /\

(s = BIGUNION (IMAGE f (count n))) ==>

(prob p s = SIGMA (prob p o f) (count n))

116

[PROB_INCREASING] Theorem

|- !p s t.

prob_space p /\ s IN events p /\ t IN events p /\ s SUBSET t ==>

prob p s <= prob p t

[PROB_INCREASING_UNION] Theorem

|- !p f.

prob_space p /\ f IN (univ(:num) -> events p) /\

(!n. f n SUBSET f (SUC n)) ==>

(sup (IMAGE (prob p o f) univ(:num)) =

prob p (BIGUNION (IMAGE f univ(:num))))

[PROB_INDEP] Theorem

|- !p s t u.

indep p s t /\ (u = s INTER t) ==> (prob p u = prob p s * prob p t)

[PROB_LE_1] Theorem

|- !p s. prob_space p /\ s IN events p ==> prob p s <= 1

[PROB_ONE_INTER] Theorem

|- !p s t.

prob_space p /\ s IN events p /\ t IN events p /\ (prob p t = 1) ==>

(prob p (s INTER t) = prob p s)

[PROB_POSITIVE] Theorem

|- !p s. prob_space p /\ s IN events p ==> 0 <= prob p s

[PROB_REAL_SUM_IMAGE] Theorem

|- !p s.

prob_space p /\ s IN events p /\ (!x. x IN s ==> x IN events p) /\

FINITE s ==>

(prob p s = SIGMA (\x. prob p x) s)

[PROB_REAL_SUM_IMAGE_FN] Theorem

|- !p f e s.

prob_space p /\ e IN events p /\

(!x. x IN s ==> e INTER f x IN events p) /\ FINITE s /\

(!x y. x IN s /\ y IN s /\ x <> y ==> DISJOINT (f x) (f y)) /\

(BIGUNION (IMAGE f s) INTER p_space p = p_space p) ==>

117

(prob p e = SIGMA (\x. prob p (e INTER f x)) s)

[PROB_SPACE] Theorem

|- !p.

prob_space p <=>

sigma_algebra (p_space p,events p) /\ positive p /\

countably_additive p /\ (prob p (p_space p) = 1)

[PROB_SPACE_ADDITIVE] Theorem

|- !p. prob_space p ==> additive p

[PROB_SPACE_COUNTABLY_ADDITIVE] Theorem

|- !p. prob_space p ==> countably_additive p

[PROB_SPACE_INCREASING] Theorem

|- !p. prob_space p ==> increasing p

[PROB_SPACE_POSITIVE] Theorem

|- !p. prob_space p ==> positive p

[PROB_SUBADDITIVE] Theorem

|- !p t u.

prob_space p /\ t IN events p /\ u IN events p ==>

prob p (t UNION u) <= prob p t + prob p u

[PROB_UNIV] Theorem

|- !p. prob_space p ==> (prob p (p_space p) = 1)

[PROB_ZERO_UNION] Theorem

|- !p s t.

prob_space p /\ s IN events p /\ t IN events p /\ (prob p t = 0) ==>

(prob p (s UNION t) = prob p s)

[PSPACE] Theorem

|- !a b c. p_space (a,b,c) = a

[distribution_lebesgue_thm1] Theorem

118

|- !X p s A.

random_variable X p s /\ A IN subsets s ==>

(distribution p X A =

integral p (indicator_fn (PREIMAGE X A INTER p_space p)))

[distribution_lebesgue_thm2] Theorem

|- !X p s A.

random_variable X p s /\ A IN subsets s ==>

(distribution p X A =

integral (space s,subsets s,distribution p X) (indicator_fn A))

[distribution_prob_space] Theorem

|- !p X s.

random_variable X p s ==> prob_space (space s,subsets s,distribution p X)

[distribution_x_eq_1_imp_distribution_y_eq_0] Theorem

|- !X p x.

random_variable X p (IMAGE X (p_space p),POW (IMAGE X (p_space p))) /\

(distribution p X x = 1) ==>

!y. y <> x ==> (distribution p X y = 0)

[finite_marginal_product_space_POW] Theorem

|- !p X Y.

(POW (p_space p) = events p) /\

random_variable X p (IMAGE X (p_space p),POW (IMAGE X (p_space p))) /\

random_variable Y p (IMAGE Y (p_space p),POW (IMAGE Y (p_space p))) /\

FINITE (p_space p) ==>

measure_space

(IMAGE X (p_space p) CROSS IMAGE Y (p_space p),

POW (IMAGE X (p_space p) CROSS IMAGE Y (p_space p)),

(\a. prob p (PREIMAGE (\x. (X x,Y x)) a INTER p_space p)))

[finite_marginal_product_space_POW2] Theorem

|- !p s1 s2 X Y.

(POW (p_space p) = events p) /\ random_variable X p (s1,POW s1) /\

random_variable Y p (s2,POW s2) /\ FINITE (p_space p) /\ FINITE s1 /\

FINITE s2 ==>

measure_space (s1 CROSS s2,POW (s1 CROSS s2),joint_distribution p X Y)

[prob_x_eq_1_imp_prob_y_eq_0] Theorem

|- !p x.

119

prob_space p /\ x IN events p /\ (prob p x = 1) ==>

!y. y IN events p /\ y <> x ==> (prob p y = 0)

*)

end

120