(* Title: HOL/Isar_examples/BasicLogic.thy

ID: $Id$

Author: Markus Wenzel, TU Muenchen

Basic propositional and quantifier reasoning.

*)

header {* Basic reasoning *};

theory BasicLogic = Main:;

subsection {* Pure backward reasoning *};

text {*

In order to get a first idea of how Isabelle/Isar proof documents may

look like, we consider the propositions $I$, $K$, and $S$. The

following (rather explicit) proofs should require little extra

explanations.

*};

lemma I: "A > A";

proof;

assume A;

show A; by assumption;

qed;

lemma K: "A > B > A";

proof;

assume A;

show "B > A";

proof;

show A; by assumption;

qed;

qed;

lemma S: "(A > B > C) > (A > B) > A > C";

proof;

assume "A > B > C";

show "(A > B) > A > C";

proof;

assume "A > B";

show "A > C";

proof;

assume A;

show C;

proof (rule mp);

show "B > C"; by (rule mp);

show B; by (rule mp);

qed;

qed;

qed;

qed;

text {*

Isar provides several ways to finetune the reasoning, avoiding

irrelevant detail. Several abbreviated language elements are

available, enabling the writer to express proofs in a more concise

way, even without referring to any automated proof tools yet.

First of all, proof by assumption may be abbreviated as a single dot.

*};

lemma "A > A";

proof;

assume A;

show A; .;

qed;

text {*

In fact, concluding any (sub)proof already involves solving any

remaining goals by assumption\footnote{This is not a completely

trivial operation. As usual in Isabelle, proof by assumption

involves full higherorder unification.}. Thus we may skip the

rather vacuous body of the above proof as well.

*};

lemma "A > A";

proof;

qed;

text {*

Note that the \isacommand{proof} command refers to the $\idt{rule}$

method (without arguments) by default. Thus it implicitly applies a

single rule, as determined from the syntactic form of the statements

involved. The \isacommand{by} command abbreviates any proof with

empty body, so the proof may be further pruned.

*};

lemma "A > A";

by rule;

text {*

Proof by a single rule may be abbreviated as a double dot.

*};

lemma "A > A"; ..;

text {*

Thus we have arrived at an adequate representation of the proof of a

tautology that holds by a single standard rule.\footnote{Apparently,

the rule is implication introduction.}

*};

wenzelm@7820

wenzelm@7820

wenzelm@7820

wenzelm@7820

wenzelm@7820

The $\idt{intro}$ proof method repeatedly decomposes a goal's

conclusion.\footnote{The dual method is $\idt{elim}$, acting on a

goal's premises.}

*};

lemma "A > B > A";

proof intro;

assume A;

show A; .;

qed;

text {*

Again, the body may be collapsed.

*};

lemma "A > B > A";

by intro;

text {*

Just like $\idt{rule}$, the $\idt{intro}$ and $\idt{elim}$ proof

methods pick standard structural rules, in case no explicit arguments

are given. While implicit rules are usually just fine for single

rule application, this may go too far in iteration. Thus in

practice, $\idt{intro}$ and $\idt{elim}$ would be typically

restricted to certain structures by giving a few rules only, e.g.\

\isacommand{proof}~($\idt{intro}$~\name{impI}~\name{allI}) to strip

implications and universal quantifiers.

wenzelm@7820

wenzelm@7860

wenzelm@7820

wenzelm@7860

wenzelm@7820

wenzelm@7820

subsection {* Variations of backward vs.\ forward reasoning *};

text {*

Certainly, any proof may be performed in backwardstyle only. On the

other hand, small steps of reasoning are often more naturally

expressed in forwardstyle. Isar supports both backward and forward

reasoning as a firstclass concept. In order to demonstrate the

difference, we consider several proofs of $A \conj B \impl B \conj

A$.

wenzelm@7820

wenzelm@7820

*};

lemma "A & B > B & A";

proof;

assume "A & B";

show "B & A";

proof;

show B; by (rule conjunct2);

show A; by (rule conjunct1);

qed;

qed;

text {*

Above, the $\idt{conjunct}_{1/2}$ projection rules had to be named

explicitly, since the goals did not provide any structural clue.

This may be avoided using \isacommand{from} to focus on $\idt{prems}$

(i.e.\ the $A \conj B$ assumption) as the current facts, enabling the

use of doubledot proofs. Note that \isacommand{from} already

does forwardchaining, involving the \name{conjE} rule.

*};

lemma "A & B > B & A";

proof;

assume "A & B";

show "B & A";

proof;

from prems; show B; ..;

from prems; show A; ..;

qed;

qed;

text {*

In the next version, we move the forward step one level upwards.

Forwardchaining from the most recent facts is indicated by the

\isacommand{then} command. Thus the proof of $B \conj A$ from $A

\conj B$ actually becomes an elimination, rather than an

introduction. The resulting proof structure directly corresponds to

that of the $\name{conjE}$ rule, including the repeated goal

proposition that is abbreviated as $\var{thesis}$ below.

*};

lemma "A & B > B & A";

proof;

assume "A & B";

then; show "B & A";

proof  {* rule \name{conjE} of $A \conj B$ *};

assume A B;

show ?thesis; ..  {* rule \name{conjI} of $B \conj A$ *};

qed;

qed;

text {*

Subsequently, only the outermost decomposition step is left backward,

all the rest is forward.

*};

lemma "A & B > B & A";

proof;

assume ab: "A & B";

from ab; have a: A; ..;

from ab; have b: B; ..;

from b a; show "B & A"; ..;

qed;

text {*

We can still push forward reasoning a bit further, even at the risk

of getting ridiculous. Note that we force the initial proof step to

do nothing, by referring to the ``'' proof method.

*};

lemma "A & B > B & A";

proof ;

{{;

assume ab: "A & B";

from ab; have a: A; ..;

from ab; have b: B; ..;

from b a; have "B & A"; ..;

}};

thus ?thesis; ..  {* rule \name{impI} *};

qed;

text {*

\medskip With these examples we have shifted through a whole range

from purely backward to purely forward reasoning. Apparently, in the

extreme ends we get slightly illstructured proofs, which also

require much explicit naming of either rules (backward) or local

facts (forward).

The general lesson learned here is that good proof style would

achieve just the \emph{right} balance of topdown backward

decomposition, and bottomup forward composition. In practice, there

is no single best way to arrange some pieces of formal reasoning, of

course. Depending on the actual applications, the intended audience

etc., certain aspects such as rules~/ methods vs.\ facts have to be

emphasized in an appropriate way. This requires the proof writer to

develop good taste, and some practice, of course.

*};

text {*

For our example the most appropriate way of reasoning is probably the

middle one, with conjunction introduction done after elimination.

This reads even more concisely using \isacommand{thus}, which

abbreviates \isacommand{then}~\isacommand{show}.\footnote{In the same

vein, \isacommand{hence} abbreviates

\isacommand{then}~\isacommand{have}.}

*};

lemma "A & B > B & A";

proof;

assume "A & B";

thus "B & A";

proof;

assume A B;

show ?thesis; ..;

qed;

qed;

subsection {* A few examples from ``Introduction to Isabelle'' *};

text {*

We rephrase some of the basic reasoning examples of

\cite{isabelleintro} (using HOL rather than FOL).

*};

subsubsection {* A propositional proof *};

text {*

We consider the proposition $P \disj P \impl P$. The proof below

involves forwardchaining from $P \disj P$, followed by an explicit

caseanalysis on the two \emph{identical} cases.

*};

lemma "P  P > P";

proof;

assume "P  P";

thus P;

proof  {*

rule \name{disjE}: \smash{$\infer{C}{A \disj B & \infer*{C}{[A]} & \infer*{C}{[B]}}$}

*};

assume P; show P; .;

next;

assume P; show P; .;

qed;

qed;

text {*

Case splits are \emph{not} hardwired into the Isar language as a

special feature. The \isacommand{next} command used to separate the

cases above is just a short form of managing block structure.

\medskip In general, applying proof methods may split up a goal into

separate ``cases'', i.e.\ new subgoals with individual local

assumptions. The corresponding proof text typically mimics this by

establishing results in appropriate contexts, separated by blocks.

In order to avoid too much explicit parentheses, the Isar system

implicitly opens an additional block for any new goal, the

\isacommand{next} statement then closes one block level, opening a

new one. The resulting behavior is what one might expect from

separating cases, only that it is more flexible. E.g. an induction

wenzelm@7833

319 
base case (which does not introduce local assumptions) would

wenzelm@7833

320 
\emph{not} require \isacommand{next} to separate the subsequent step

wenzelm@7833

321 
case.

wenzelm@7833

322 

wenzelm@7833

323 
\medskip In our example the situation is even simpler, since the two

wenzelm@7833

324 
``cases'' actually coincide. Consequently the proof may be rephrased

wenzelm@7833

325 
as follows.

wenzelm@7833

326 
*};

wenzelm@7833

327 

wenzelm@7833

328 
lemma "P  P > P";

wenzelm@7833

329 
proof;

wenzelm@7833

330 
assume "P  P";

wenzelm@7833

331 
thus P;

wenzelm@6444

332 
proof;

wenzelm@6444

333 
assume P;

wenzelm@6444

334 
show P; .;

wenzelm@6444

335 
show P; .;

wenzelm@6444

336 
qed;

wenzelm@6444

337 
qed;

wenzelm@6444

338 

wenzelm@7833

339 
text {*

wenzelm@7833

340 
Again, the rather vacuous body of the proof may be collapsed. Thus

wenzelm@7860

341 
the case analysis degenerates into two assumption steps, which are

wenzelm@7860

342 
implicitly performed when concluding the single rule step of the

wenzelm@7860

343 
doubledot proof as follows.

wenzelm@7833

344 
*};

wenzelm@7833

345 

wenzelm@6444

346 
lemma "P  P > P";

wenzelm@6444

347 
proof;

wenzelm@6444

348 
assume "P  P";

wenzelm@7833

349 
thus P; ..;

wenzelm@6444

350 
qed;

wenzelm@6444

351 

wenzelm@6444

352 

wenzelm@7833

353 
subsubsection {* A quantifier proof *};

wenzelm@7833

354 

wenzelm@7833

355 
text {*

wenzelm@7833

356 
To illustrate quantifier reasoning, let us prove $(\ex x P \ap (f \ap

wenzelm@7833

357 
x)) \impl (\ex x P \ap x)$. Informally, this holds because any $a$

wenzelm@7833

358 
with $P \ap (f \ap a)$ may be taken as a witness for the second

wenzelm@7833

359 
existential statement.

wenzelm@6444

360 

wenzelm@7833

361 
The first proof is rather verbose, exhibiting quite a lot of

wenzelm@7833

362 
(redundant) detail. It gives explicit rules, even with some

wenzelm@7833

363 
instantiation. Furthermore, we encounter two new language elements:

wenzelm@7833

364 
the \isacommand{fix} command augments the context by some new

wenzelm@7833

365 
``arbitrary, but fixed'' element; the \isacommand{is} annotation

wenzelm@7833

366 
binds term abbreviations by higherorder pattern matching.

wenzelm@7833

367 
*};

wenzelm@7833

368 

wenzelm@7833

369 
lemma "(EX x. P (f x)) > (EX x. P x)";

wenzelm@6444

370 
proof;

wenzelm@7833

371 
assume "EX x. P (f x)";

wenzelm@7833

372 
thus "EX x. P x";

wenzelm@7833

373 
proof (rule exE)  {*

wenzelm@7833

374 
rule \name{exE}: \smash{$\infer{B}{\ex x A(x) & \infer*{B}{[A(x)]_x}}$}

wenzelm@7833

375 
*};

wenzelm@6444

376 
fix a;

wenzelm@7833

377 
assume "P (f a)" (is "P ?witness");

wenzelm@7480

378 
show ?thesis; by (rule exI [of P ?witness]);

wenzelm@6444

379 
qed;

wenzelm@6444

380 
qed;

wenzelm@6444

381 

wenzelm@7833

382 
text {*

wenzelm@7833

383 
While explicit rule instantiation may occasionally help to improve

wenzelm@7860

384 
the readability of certain aspects of reasoning, it is usually quite

wenzelm@7833

385 
redundant. Above, the basic proof outline gives already enough

wenzelm@7833

386 
structural clues for the system to infer both the rules and their

wenzelm@7833

387 
instances (by higherorder unification). Thus we may as well prune

wenzelm@7833

388 
the text as follows.

wenzelm@7833

389 
*};

wenzelm@7833

390 

wenzelm@7833

391 
lemma "(EX x. P (f x)) > (EX x. P x)";

wenzelm@6444

392 
proof;

wenzelm@7833

393 
assume "EX x. P (f x)";

wenzelm@7833

394 
thus "EX x. P x";

wenzelm@6444

395 
proof;

wenzelm@6444

396 
fix a;

wenzelm@7833

397 
assume "P (f a)";

wenzelm@7480

398 
show ?thesis; ..;

wenzelm@6444

399 
qed;

wenzelm@6444

400 
qed;

wenzelm@6444

401 

wenzelm@6444

402 

wenzelm@7740

403 
subsubsection {* Deriving rules in Isabelle *};

wenzelm@7001

404 

wenzelm@7833

405 
text {*

wenzelm@7833

406 
We derive the conjunction elimination rule from the projections. The

wenzelm@7860

407 
proof is quite straightforward, since Isabelle/Isar supports

wenzelm@7860

408 
nonatomic goals and assumptions fully transparently.

wenzelm@7833

409 
*};

wenzelm@7001

410 

wenzelm@7001

411 
theorem conjE: "A & B ==> (A ==> B ==> C) ==> C";

wenzelm@7133

412 
proof ;

wenzelm@7833

413 
assume "A & B";

wenzelm@7001

414 
assume ab_c: "A ==> B ==> C";

wenzelm@7001

415 
show C;

wenzelm@7001

416 
proof (rule ab_c);

wenzelm@7833

417 
show A; by (rule conjunct1);

wenzelm@7833

418 
show B; by (rule conjunct2);

wenzelm@7001

419 
qed;

wenzelm@7001

420 
qed;

wenzelm@7001

421 

wenzelm@7860

422 
text {*

wenzelm@7860

423 
Note that classic Isabelle handles higher rules in a slightly

wenzelm@7860

424 
different way. The tactic script as given in \cite{isabelleintro}

wenzelm@7860

425 
for the same example of \name{conjE} depends on the primitive

wenzelm@7860

426 
\texttt{goal} command to decompose the rule into premises and

wenzelm@7860

427 
conclusion. The proper result would then emerge by discharging of

wenzelm@7860

428 
the context at \texttt{qed} time.

wenzelm@7860

429 
*};

wenzelm@7860

430 

wenzelm@6444

431 
end;
