isabelle: doc-src/Logics/FOL.tex@00ed040f66e1 (annotated)

104 d8205bb279a7 Initial revision lcp parents: diff changeset	1	%% $Id$
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	2	\chapter{First-Order Logic}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	3	\index{first-order logic\|(}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	4
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	5	Isabelle implements Gentzen's natural deduction systems {\sc nj} and {\sc
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	6	nk}. Intuitionistic first-order logic is defined first, as theory
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	7	\thydx{IFOL}. Classical logic, theory \thydx{FOL}, is
104 d8205bb279a7 Initial revision lcp parents: diff changeset	8	obtained by adding the double negation rule. Basic proof procedures are
d8205bb279a7 Initial revision lcp parents: diff changeset	9	provided. The intuitionistic prover works with derived rules to simplify
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	10	implications in the assumptions. Classical~{\tt FOL} employs Isabelle's
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	11	classical reasoner, which simulates a sequent calculus.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	12
d8205bb279a7 Initial revision lcp parents: diff changeset	13	\section{Syntax and rules of inference}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	14	The logic is many-sorted, using Isabelle's type classes. The class of
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	15	first-order terms is called \cldx{term} and is a subclass of {\tt logic}.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	16	No types of individuals are provided, but extensions can define types such
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	17	as {\tt nat::term} and type constructors such as {\tt list::(term)term}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	18	(see the examples directory, {\tt FOL/ex}). Below, the type variable
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	19	$\alpha$ ranges over class {\tt term}; the equality symbol and quantifiers
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	20	are polymorphic (many-sorted). The type of formulae is~\tydx{o}, which
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	21	belongs to class~\cldx{logic}. Figure~\ref{fol-syntax} gives the syntax.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	22	Note that $a$\verb\|~=\|$b$ is translated to $\neg(a=b)$.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	23
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	24	Figure~\ref{fol-rules} shows the inference rules with their~\ML\ names.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	25	Negation is defined in the usual way for intuitionistic logic; $\neg P$
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	26	abbreviates $P\imp\bot$. The biconditional~($\bimp$) is defined through
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	27	$\conj$ and~$\imp$; introduction and elimination rules are derived for it.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	28
d8205bb279a7 Initial revision lcp parents: diff changeset	29	The unique existence quantifier, $\exists!x.P(x)$, is defined in terms
d8205bb279a7 Initial revision lcp parents: diff changeset	30	of~$\exists$ and~$\forall$. An Isabelle binder, it admits nested
d8205bb279a7 Initial revision lcp parents: diff changeset	31	quantifications. For instance, $\exists!x y.P(x,y)$ abbreviates
d8205bb279a7 Initial revision lcp parents: diff changeset	32	$\exists!x. \exists!y.P(x,y)$; note that this does not mean that there
d8205bb279a7 Initial revision lcp parents: diff changeset	33	exists a unique pair $(x,y)$ satisfying~$P(x,y)$.
d8205bb279a7 Initial revision lcp parents: diff changeset	34
d8205bb279a7 Initial revision lcp parents: diff changeset	35	Some intuitionistic derived rules are shown in
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	36	Fig.\ts\ref{fol-int-derived}, again with their \ML\ names. These include
104 d8205bb279a7 Initial revision lcp parents: diff changeset	37	rules for the defined symbols $\neg$, $\bimp$ and $\exists!$. Natural
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	38	deduction typically involves a combination of forward and backward
104 d8205bb279a7 Initial revision lcp parents: diff changeset	39	reasoning, particularly with the destruction rules $(\conj E)$,
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	40	$({\imp}E)$, and~$(\forall E)$. Isabelle's backward style handles these
104 d8205bb279a7 Initial revision lcp parents: diff changeset	41	rules badly, so sequent-style rules are derived to eliminate conjunctions,
d8205bb279a7 Initial revision lcp parents: diff changeset	42	implications, and universal quantifiers. Used with elim-resolution,
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	43	\tdx{allE} eliminates a universal quantifier while \tdx{all_dupE}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	44	re-inserts the quantified formula for later use. The rules {\tt
d8205bb279a7 Initial revision lcp parents: diff changeset	45	conj_impE}, etc., support the intuitionistic proof procedure
d8205bb279a7 Initial revision lcp parents: diff changeset	46	(see~\S\ref{fol-int-prover}).
d8205bb279a7 Initial revision lcp parents: diff changeset	47
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	48	See the files {\tt FOL/IFOL.thy}, {\tt FOL/IFOL.ML} and
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	49	{\tt FOL/intprover.ML} for complete listings of the rules and
104 d8205bb279a7 Initial revision lcp parents: diff changeset	50	derived rules.
d8205bb279a7 Initial revision lcp parents: diff changeset	51
d8205bb279a7 Initial revision lcp parents: diff changeset	52	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	53	\begin{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	54	\begin{tabular}{rrr}
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	55	\it name &\it meta-type & \it description \\
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	56	\cdx{Trueprop}& $o\To prop$ & coercion to $prop$\\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	57	\cdx{Not} & $o\To o$ & negation ($\neg$) \\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	58	\cdx{True} & $o$ & tautology ($\top$) \\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	59	\cdx{False} & $o$ & absurdity ($\bot$)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	60	\end{tabular}
d8205bb279a7 Initial revision lcp parents: diff changeset	61	\end{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	62	\subcaption{Constants}
d8205bb279a7 Initial revision lcp parents: diff changeset	63
d8205bb279a7 Initial revision lcp parents: diff changeset	64	\begin{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	65	\begin{tabular}{llrrr}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	66	\it symbol &\it name &\it meta-type & \it priority & \it description \\
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	67	\sdx{ALL} & \cdx{All} & $(\alpha\To o)\To o$ & 10 &
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	68	universal quantifier ($\forall$) \\
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	69	\sdx{EX} & \cdx{Ex} & $(\alpha\To o)\To o$ & 10 &
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	70	existential quantifier ($\exists$) \\
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	71	{\tt EX!} & \cdx{Ex1} & $(\alpha\To o)\To o$ & 10 &
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	72	unique existence ($\exists!$)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	73	\end{tabular}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	74	\index{*"E"X"! symbol}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	75	\end{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	76	\subcaption{Binders}
d8205bb279a7 Initial revision lcp parents: diff changeset	77
d8205bb279a7 Initial revision lcp parents: diff changeset	78	\begin{center}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	79	\index{*"= symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	80	\index{&@{\tt\&} symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	81	\index{*"\| symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	82	\index{*"-"-"> symbol}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	83	\index{*"<"-"> symbol}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	84	\begin{tabular}{rrrr}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	85	\it symbol & \it meta-type & \it priority & \it description \\
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	86	\tt = & $[\alpha,\alpha]\To o$ & Left 50 & equality ($=$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	87	\tt \& & $[o,o]\To o$ & Right 35 & conjunction ($\conj$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	88	\tt \| & $[o,o]\To o$ & Right 30 & disjunction ($\disj$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	89	\tt --> & $[o,o]\To o$ & Right 25 & implication ($\imp$) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	90	\tt <-> & $[o,o]\To o$ & Right 25 & biconditional ($\bimp$)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	91	\end{tabular}
d8205bb279a7 Initial revision lcp parents: diff changeset	92	\end{center}
d8205bb279a7 Initial revision lcp parents: diff changeset	93	\subcaption{Infixes}
d8205bb279a7 Initial revision lcp parents: diff changeset	94
d8205bb279a7 Initial revision lcp parents: diff changeset	95	\dquotes
d8205bb279a7 Initial revision lcp parents: diff changeset	96	\[\begin{array}{rcl}
d8205bb279a7 Initial revision lcp parents: diff changeset	97	formula & = & \hbox{expression of type~$o$} \\
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	98	& \| & term " = " term \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	99	& \| & term " \ttilde= " term \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	100	& \| & "\ttilde\ " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	101	& \| & formula " \& " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	102	& \| & formula " \| " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	103	& \| & formula " --> " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	104	& \| & formula " <-> " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	105	& \| & "ALL~" id~id^* " . " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	106	& \| & "EX~~" id~id^* " . " formula \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	107	& \| & "EX!~" id~id^* " . " formula
104 d8205bb279a7 Initial revision lcp parents: diff changeset	108	\end{array}
d8205bb279a7 Initial revision lcp parents: diff changeset	109	\]
d8205bb279a7 Initial revision lcp parents: diff changeset	110	\subcaption{Grammar}
d8205bb279a7 Initial revision lcp parents: diff changeset	111	\caption{Syntax of {\tt FOL}} \label{fol-syntax}
d8205bb279a7 Initial revision lcp parents: diff changeset	112	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	113
d8205bb279a7 Initial revision lcp parents: diff changeset	114
d8205bb279a7 Initial revision lcp parents: diff changeset	115	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	116	\begin{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	117	\tdx{refl} a=a
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	118	\tdx{subst} [\| a=b; P(a) \|] ==> P(b)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	119	\subcaption{Equality rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	120
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	121	\tdx{conjI} [\| P; Q \|] ==> P&Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	122	\tdx{conjunct1} P&Q ==> P
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	123	\tdx{conjunct2} P&Q ==> Q
104 d8205bb279a7 Initial revision lcp parents: diff changeset	124
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	125	\tdx{disjI1} P ==> P\|Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	126	\tdx{disjI2} Q ==> P\|Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	127	\tdx{disjE} [\| P\|Q; P ==> R; Q ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	128
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	129	\tdx{impI} (P ==> Q) ==> P-->Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	130	\tdx{mp} [\| P-->Q; P \|] ==> Q
104 d8205bb279a7 Initial revision lcp parents: diff changeset	131
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	132	\tdx{FalseE} False ==> P
104 d8205bb279a7 Initial revision lcp parents: diff changeset	133	\subcaption{Propositional rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	134
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	135	\tdx{allI} (!!x. P(x)) ==> (ALL x.P(x))
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	136	\tdx{spec} (ALL x.P(x)) ==> P(x)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	137
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	138	\tdx{exI} P(x) ==> (EX x.P(x))
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	139	\tdx{exE} [\| EX x.P(x); !!x. P(x) ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	140	\subcaption{Quantifier rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	141
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	142	\tdx{True_def} True == False-->False
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	143	\tdx{not_def} ~P == P-->False
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	144	\tdx{iff_def} P<->Q == (P-->Q) & (Q-->P)
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	145	\tdx{ex1_def} EX! x. P(x) == EX x. P(x) & (ALL y. P(y) --> y=x)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	146	\subcaption{Definitions}
d8205bb279a7 Initial revision lcp parents: diff changeset	147	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	148
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	149	\caption{Rules of intuitionistic logic} \label{fol-rules}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	150	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	151
d8205bb279a7 Initial revision lcp parents: diff changeset	152
d8205bb279a7 Initial revision lcp parents: diff changeset	153	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	154	\begin{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	155	\tdx{sym} a=b ==> b=a
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	156	\tdx{trans} [\| a=b; b=c \|] ==> a=c
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	157	\tdx{ssubst} [\| b=a; P(a) \|] ==> P(b)
104 d8205bb279a7 Initial revision lcp parents: diff changeset	158	\subcaption{Derived equality rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	159
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	160	\tdx{TrueI} True
104 d8205bb279a7 Initial revision lcp parents: diff changeset	161
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	162	\tdx{notI} (P ==> False) ==> ~P
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	163	\tdx{notE} [\| ~P; P \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	164
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	165	\tdx{iffI} [\| P ==> Q; Q ==> P \|] ==> P<->Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	166	\tdx{iffE} [\| P <-> Q; [\| P-->Q; Q-->P \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	167	\tdx{iffD1} [\| P <-> Q; P \|] ==> Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	168	\tdx{iffD2} [\| P <-> Q; Q \|] ==> P
104 d8205bb279a7 Initial revision lcp parents: diff changeset	169
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	170	\tdx{ex1I} [\| P(a); !!x. P(x) ==> x=a \|] ==> EX! x. P(x)
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	171	\tdx{ex1E} [\| EX! x.P(x); !!x.[\| P(x); ALL y. P(y) --> y=x \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	172	\|] ==> R
d8205bb279a7 Initial revision lcp parents: diff changeset	173	\subcaption{Derived rules for $\top$, $\neg$, $\bimp$ and $\exists!$}
d8205bb279a7 Initial revision lcp parents: diff changeset	174
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	175	\tdx{conjE} [\| P&Q; [\| P; Q \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	176	\tdx{impE} [\| P-->Q; P; Q ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	177	\tdx{allE} [\| ALL x.P(x); P(x) ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	178	\tdx{all_dupE} [\| ALL x.P(x); [\| P(x); ALL x.P(x) \|] ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	179	\subcaption{Sequent-style elimination rules}
d8205bb279a7 Initial revision lcp parents: diff changeset	180
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	181	\tdx{conj_impE} [\| (P&Q)-->S; P-->(Q-->S) ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	182	\tdx{disj_impE} [\| (P\|Q)-->S; [\| P-->S; Q-->S \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	183	\tdx{imp_impE} [\| (P-->Q)-->S; [\| P; Q-->S \|] ==> Q; S ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	184	\tdx{not_impE} [\| ~P --> S; P ==> False; S ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	185	\tdx{iff_impE} [\| (P<->Q)-->S; [\| P; Q-->S \|] ==> Q; [\| Q; P-->S \|] ==> P;
104 d8205bb279a7 Initial revision lcp parents: diff changeset	186	S ==> R \|] ==> R
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	187	\tdx{all_impE} [\| (ALL x.P(x))-->S; !!x.P(x); S ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	188	\tdx{ex_impE} [\| (EX x.P(x))-->S; P(a)-->S ==> R \|] ==> R
104 d8205bb279a7 Initial revision lcp parents: diff changeset	189	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	190	\subcaption{Intuitionistic simplification of implication}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	191	\caption{Derived rules for intuitionistic logic} \label{fol-int-derived}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	192	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	193
d8205bb279a7 Initial revision lcp parents: diff changeset	194
d8205bb279a7 Initial revision lcp parents: diff changeset	195	\section{Generic packages}
d8205bb279a7 Initial revision lcp parents: diff changeset	196	\FOL{} instantiates most of Isabelle's generic packages;
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	197	see {\tt FOL/ROOT.ML} for details.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	198	\begin{itemize}
d8205bb279a7 Initial revision lcp parents: diff changeset	199	\item
d8205bb279a7 Initial revision lcp parents: diff changeset	200	Because it includes a general substitution rule, \FOL{} instantiates the
d8205bb279a7 Initial revision lcp parents: diff changeset	201	tactic \ttindex{hyp_subst_tac}, which substitutes for an equality
d8205bb279a7 Initial revision lcp parents: diff changeset	202	throughout a subgoal and its hypotheses.
d8205bb279a7 Initial revision lcp parents: diff changeset	203	\item
d8205bb279a7 Initial revision lcp parents: diff changeset	204	It instantiates the simplifier. \ttindexbold{IFOL_ss} is the simplification
d8205bb279a7 Initial revision lcp parents: diff changeset	205	set for intuitionistic first-order logic, while \ttindexbold{FOL_ss} is the
d8205bb279a7 Initial revision lcp parents: diff changeset	206	simplification set for classical logic. Both equality ($=$) and the
d8205bb279a7 Initial revision lcp parents: diff changeset	207	biconditional ($\bimp$) may be used for rewriting. See the file
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	208	{\tt FOL/simpdata.ML} for a complete listing of the simplification
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	209	rules%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	210	\iflabelundefined{sec:setting-up-simp}{}%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	211	{, and \S\ref{sec:setting-up-simp} for discussion}.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	212
104 d8205bb279a7 Initial revision lcp parents: diff changeset	213	\item
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	214	It instantiates the classical reasoner. See~\S\ref{fol-cla-prover}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	215	for details.
d8205bb279a7 Initial revision lcp parents: diff changeset	216	\end{itemize}
d8205bb279a7 Initial revision lcp parents: diff changeset	217
d8205bb279a7 Initial revision lcp parents: diff changeset	218
d8205bb279a7 Initial revision lcp parents: diff changeset	219	\section{Intuitionistic proof procedures} \label{fol-int-prover}
d8205bb279a7 Initial revision lcp parents: diff changeset	220	Implication elimination (the rules~{\tt mp} and~{\tt impE}) pose
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	221	difficulties for automated proof. In intuitionistic logic, the assumption
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	222	$P\imp Q$ cannot be treated like $\neg P\disj Q$. Given $P\imp Q$, we may
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	223	use~$Q$ provided we can prove~$P$; the proof of~$P$ may require repeated
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	224	use of $P\imp Q$. If the proof of~$P$ fails then the whole branch of the
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	225	proof must be abandoned. Thus intuitionistic propositional logic requires
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	226	backtracking.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	227
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	228	For an elementary example, consider the intuitionistic proof of $Q$ from
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	229	$P\imp Q$ and $(P\imp Q)\imp P$. The implication $P\imp Q$ is needed
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	230	twice:
104 d8205bb279a7 Initial revision lcp parents: diff changeset	231	\[ \infer[({\imp}E)]{Q}{P\imp Q &
d8205bb279a7 Initial revision lcp parents: diff changeset	232	\infer[({\imp}E)]{P}{(P\imp Q)\imp P & P\imp Q}}
d8205bb279a7 Initial revision lcp parents: diff changeset	233	\]
d8205bb279a7 Initial revision lcp parents: diff changeset	234	The theorem prover for intuitionistic logic does not use~{\tt impE}.\@
d8205bb279a7 Initial revision lcp parents: diff changeset	235	Instead, it simplifies implications using derived rules
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	236	(Fig.\ts\ref{fol-int-derived}). It reduces the antecedents of implications
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	237	to atoms and then uses Modus Ponens: from $P\imp Q$ and~$P$ deduce~$Q$.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	238	The rules \tdx{conj_impE} and \tdx{disj_impE} are
104 d8205bb279a7 Initial revision lcp parents: diff changeset	239	straightforward: $(P\conj Q)\imp S$ is equivalent to $P\imp (Q\imp S)$, and
d8205bb279a7 Initial revision lcp parents: diff changeset	240	$(P\disj Q)\imp S$ is equivalent to the conjunction of $P\imp S$ and $Q\imp
d8205bb279a7 Initial revision lcp parents: diff changeset	241	S$. The other \ldots{\tt_impE} rules are unsafe; the method requires
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	242	backtracking. All the rules are derived in the same simple manner.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	243
d8205bb279a7 Initial revision lcp parents: diff changeset	244	Dyckhoff has independently discovered similar rules, and (more importantly)
d8205bb279a7 Initial revision lcp parents: diff changeset	245	has demonstrated their completeness for propositional
d8205bb279a7 Initial revision lcp parents: diff changeset	246	logic~\cite{dyckhoff}. However, the tactics given below are not complete
d8205bb279a7 Initial revision lcp parents: diff changeset	247	for first-order logic because they discard universally quantified
d8205bb279a7 Initial revision lcp parents: diff changeset	248	assumptions after a single use.
d8205bb279a7 Initial revision lcp parents: diff changeset	249	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	250	mp_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	251	eq_mp_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	252	Int.safe_step_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	253	Int.safe_tac : tactic
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	254	Int.inst_step_tac : int -> tactic
104 d8205bb279a7 Initial revision lcp parents: diff changeset	255	Int.step_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	256	Int.fast_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	257	Int.best_tac : int -> tactic
d8205bb279a7 Initial revision lcp parents: diff changeset	258	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	259	Most of these belong to the structure {\tt Int} and resemble the
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	260	tactics of Isabelle's classical reasoner.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	261
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	262	\begin{ttdescription}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	263	\item[\ttindexbold{mp_tac} {\it i}]
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	264	attempts to use \tdx{notE} or \tdx{impE} within the assumptions in
104 d8205bb279a7 Initial revision lcp parents: diff changeset	265	subgoal $i$. For each assumption of the form $\neg P$ or $P\imp Q$, it
d8205bb279a7 Initial revision lcp parents: diff changeset	266	searches for another assumption unifiable with~$P$. By
d8205bb279a7 Initial revision lcp parents: diff changeset	267	contradiction with $\neg P$ it can solve the subgoal completely; by Modus
d8205bb279a7 Initial revision lcp parents: diff changeset	268	Ponens it can replace the assumption $P\imp Q$ by $Q$. The tactic can
d8205bb279a7 Initial revision lcp parents: diff changeset	269	produce multiple outcomes, enumerating all suitable pairs of assumptions.
d8205bb279a7 Initial revision lcp parents: diff changeset	270
d8205bb279a7 Initial revision lcp parents: diff changeset	271	\item[\ttindexbold{eq_mp_tac} {\it i}]
d8205bb279a7 Initial revision lcp parents: diff changeset	272	is like {\tt mp_tac} {\it i}, but may not instantiate unknowns --- thus, it
d8205bb279a7 Initial revision lcp parents: diff changeset	273	is safe.
d8205bb279a7 Initial revision lcp parents: diff changeset	274
d8205bb279a7 Initial revision lcp parents: diff changeset	275	\item[\ttindexbold{Int.safe_step_tac} $i$] performs a safe step on
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	276	subgoal~$i$. This may include proof by assumption or Modus Ponens (taking
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	277	care not to instantiate unknowns), or {\tt hyp_subst_tac}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	278
d8205bb279a7 Initial revision lcp parents: diff changeset	279	\item[\ttindexbold{Int.safe_tac}] repeatedly performs safe steps on all
d8205bb279a7 Initial revision lcp parents: diff changeset	280	subgoals. It is deterministic, with at most one outcome.
d8205bb279a7 Initial revision lcp parents: diff changeset	281
d8205bb279a7 Initial revision lcp parents: diff changeset	282	\item[\ttindexbold{Int.inst_step_tac} $i$] is like {\tt safe_step_tac},
d8205bb279a7 Initial revision lcp parents: diff changeset	283	but allows unknowns to be instantiated.
d8205bb279a7 Initial revision lcp parents: diff changeset	284
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	285	\item[\ttindexbold{Int.step_tac} $i$] tries {\tt safe_tac} or {\tt
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	286	inst_step_tac}, or applies an unsafe rule. This is the basic step of
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	287	the intuitionistic proof procedure.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	288
d8205bb279a7 Initial revision lcp parents: diff changeset	289	\item[\ttindexbold{Int.fast_tac} $i$] applies {\tt step_tac}, using
d8205bb279a7 Initial revision lcp parents: diff changeset	290	depth-first search, to solve subgoal~$i$.
d8205bb279a7 Initial revision lcp parents: diff changeset	291
d8205bb279a7 Initial revision lcp parents: diff changeset	292	\item[\ttindexbold{Int.best_tac} $i$] applies {\tt step_tac}, using
d8205bb279a7 Initial revision lcp parents: diff changeset	293	best-first search (guided by the size of the proof state) to solve subgoal~$i$.
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	294	\end{ttdescription}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	295	Here are some of the theorems that {\tt Int.fast_tac} proves
d8205bb279a7 Initial revision lcp parents: diff changeset	296	automatically. The latter three date from {\it Principia Mathematica}
d8205bb279a7 Initial revision lcp parents: diff changeset	297	(11.53, 11.55, *11.61)~\cite{principia}.
d8205bb279a7 Initial revision lcp parents: diff changeset	298	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	299	~~P & ~~(P --> Q) --> ~~Q
d8205bb279a7 Initial revision lcp parents: diff changeset	300	(ALL x y. P(x) --> Q(y)) <-> ((EX x. P(x)) --> (ALL y. Q(y)))
d8205bb279a7 Initial revision lcp parents: diff changeset	301	(EX x y. P(x) & Q(x,y)) <-> (EX x. P(x) & (EX y. Q(x,y)))
d8205bb279a7 Initial revision lcp parents: diff changeset	302	(EX y. ALL x. P(x) --> Q(x,y)) --> (ALL x. P(x) --> (EX y. Q(x,y)))
d8205bb279a7 Initial revision lcp parents: diff changeset	303	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	304
d8205bb279a7 Initial revision lcp parents: diff changeset	305
d8205bb279a7 Initial revision lcp parents: diff changeset	306
d8205bb279a7 Initial revision lcp parents: diff changeset	307	\begin{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	308	\begin{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	309	\tdx{excluded_middle} ~P \| P
104 d8205bb279a7 Initial revision lcp parents: diff changeset	310
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	311	\tdx{disjCI} (~Q ==> P) ==> P\|Q
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	312	\tdx{exCI} (ALL x. ~P(x) ==> P(a)) ==> EX x.P(x)
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	313	\tdx{impCE} [\| P-->Q; ~P ==> R; Q ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	314	\tdx{iffCE} [\| P<->Q; [\| P; Q \|] ==> R; [\| ~P; ~Q \|] ==> R \|] ==> R
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	315	\tdx{notnotD} ~~P ==> P
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	316	\tdx{swap} ~P ==> (~Q ==> P) ==> Q
104 d8205bb279a7 Initial revision lcp parents: diff changeset	317	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	318	\caption{Derived rules for classical logic} \label{fol-cla-derived}
d8205bb279a7 Initial revision lcp parents: diff changeset	319	\end{figure}
d8205bb279a7 Initial revision lcp parents: diff changeset	320
d8205bb279a7 Initial revision lcp parents: diff changeset	321
d8205bb279a7 Initial revision lcp parents: diff changeset	322	\section{Classical proof procedures} \label{fol-cla-prover}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	323	The classical theory, \thydx{FOL}, consists of intuitionistic logic plus
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	324	the rule
104 d8205bb279a7 Initial revision lcp parents: diff changeset	325	$$ \vcenter{\infer{P}{\infer*{P}{[\neg P]}}} \eqno(classical) $$
d8205bb279a7 Initial revision lcp parents: diff changeset	326	\noindent
d8205bb279a7 Initial revision lcp parents: diff changeset	327	Natural deduction in classical logic is not really all that natural.
d8205bb279a7 Initial revision lcp parents: diff changeset	328	{\FOL} derives classical introduction rules for $\disj$ and~$\exists$, as
d8205bb279a7 Initial revision lcp parents: diff changeset	329	well as classical elimination rules for~$\imp$ and~$\bimp$, and the swap
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	330	rule (see Fig.\ts\ref{fol-cla-derived}).
104 d8205bb279a7 Initial revision lcp parents: diff changeset	331
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	332	The classical reasoner is set up for \FOL, as the
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	333	structure~{\tt Cla}. This structure is open, so \ML{} identifiers
104 d8205bb279a7 Initial revision lcp parents: diff changeset	334	such as {\tt step_tac}, {\tt fast_tac}, {\tt best_tac}, etc., refer to it.
d8205bb279a7 Initial revision lcp parents: diff changeset	335	Single-step proofs can be performed, using \ttindex{swap_res_tac} to deal
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	336	with negated assumptions.\index{assumptions!negated}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	337
d8205bb279a7 Initial revision lcp parents: diff changeset	338	{\FOL} defines the following classical rule sets:
d8205bb279a7 Initial revision lcp parents: diff changeset	339	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	340	prop_cs : claset
d8205bb279a7 Initial revision lcp parents: diff changeset	341	FOL_cs : claset
d8205bb279a7 Initial revision lcp parents: diff changeset	342	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	343	\begin{ttdescription}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	344	\item[\ttindexbold{prop_cs}] contains the propositional rules, namely
d8205bb279a7 Initial revision lcp parents: diff changeset	345	those for~$\top$, $\bot$, $\conj$, $\disj$, $\neg$, $\imp$ and~$\bimp$,
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	346	along with the rule~{\tt refl}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	347
d8205bb279a7 Initial revision lcp parents: diff changeset	348	\item[\ttindexbold{FOL_cs}]
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	349	extends {\tt prop_cs} with the safe rules {\tt allI} and~{\tt exE}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	350	and the unsafe rules {\tt allE} and~{\tt exI}, as well as rules for
104 d8205bb279a7 Initial revision lcp parents: diff changeset	351	unique existence. Search using this is incomplete since quantified
d8205bb279a7 Initial revision lcp parents: diff changeset	352	formulae are used at most once.
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	353	\end{ttdescription}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	354	\noindent
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	355	See the file {\tt FOL/FOL.ML} for derivations of the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	356	classical rules, and
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	357	\iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	358	{Chap.\ts\ref{chap:classical}}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	359	for more discussion of classical proof methods.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	360
d8205bb279a7 Initial revision lcp parents: diff changeset	361
d8205bb279a7 Initial revision lcp parents: diff changeset	362	\section{An intuitionistic example}
d8205bb279a7 Initial revision lcp parents: diff changeset	363	Here is a session similar to one in {\em Logic and Computation}
d8205bb279a7 Initial revision lcp parents: diff changeset	364	\cite[pages~222--3]{paulson87}. Isabelle treats quantifiers differently
d8205bb279a7 Initial revision lcp parents: diff changeset	365	from {\sc lcf}-based theorem provers such as {\sc hol}. The proof begins
d8205bb279a7 Initial revision lcp parents: diff changeset	366	by entering the goal in intuitionistic logic, then applying the rule
d8205bb279a7 Initial revision lcp parents: diff changeset	367	$({\imp}I)$.
d8205bb279a7 Initial revision lcp parents: diff changeset	368	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	369	goal IFOL.thy "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))";
d8205bb279a7 Initial revision lcp parents: diff changeset	370	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	371	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	372	{\out 1. (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	373	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	374	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	375	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	376	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	377	{\out 1. EX y. ALL x. Q(x,y) ==> ALL x. EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	378	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	379	In this example, we shall never have more than one subgoal. Applying
104 d8205bb279a7 Initial revision lcp parents: diff changeset	380	$({\imp}I)$ replaces~\verb\|-->\| by~\verb\|==>\|, making
d8205bb279a7 Initial revision lcp parents: diff changeset	381	$\ex{y}\all{x}Q(x,y)$ an assumption. We have the choice of
d8205bb279a7 Initial revision lcp parents: diff changeset	382	$({\exists}E)$ and $({\forall}I)$; let us try the latter.
d8205bb279a7 Initial revision lcp parents: diff changeset	383	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	384	by (resolve_tac [allI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	385	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	386	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	387	{\out 1. !!x. EX y. ALL x. Q(x,y) ==> EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	388	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	389	Applying $({\forall}I)$ replaces the \hbox{\tt ALL x} by \hbox{\tt!!x},
d8205bb279a7 Initial revision lcp parents: diff changeset	390	changing the universal quantifier from object~($\forall$) to
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	391	meta~($\Forall$). The bound variable is a {\bf parameter} of the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	392	subgoal. We now must choose between $({\exists}I)$ and $({\exists}E)$. What
d8205bb279a7 Initial revision lcp parents: diff changeset	393	happens if the wrong rule is chosen?
d8205bb279a7 Initial revision lcp parents: diff changeset	394	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	395	by (resolve_tac [exI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	396	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	397	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	398	{\out 1. !!x. EX y. ALL x. Q(x,y) ==> Q(x,?y2(x))}
d8205bb279a7 Initial revision lcp parents: diff changeset	399	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	400	The new subgoal~1 contains the function variable {\tt?y2}. Instantiating
d8205bb279a7 Initial revision lcp parents: diff changeset	401	{\tt?y2} can replace~{\tt?y2(x)} by a term containing~{\tt x}, even
d8205bb279a7 Initial revision lcp parents: diff changeset	402	though~{\tt x} is a bound variable. Now we analyse the assumption
d8205bb279a7 Initial revision lcp parents: diff changeset	403	$\exists y.\forall x. Q(x,y)$ using elimination rules:
d8205bb279a7 Initial revision lcp parents: diff changeset	404	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	405	by (eresolve_tac [exE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	406	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	407	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	408	{\out 1. !!x y. ALL x. Q(x,y) ==> Q(x,?y2(x))}
d8205bb279a7 Initial revision lcp parents: diff changeset	409	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	410	Applying $(\exists E)$ has produced the parameter {\tt y} and stripped the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	411	existential quantifier from the assumption. But the subgoal is unprovable:
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	412	there is no way to unify {\tt ?y2(x)} with the bound variable~{\tt y}.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	413	Using {\tt choplev} we can return to the critical point. This time we
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	414	apply $({\exists}E)$:
104 d8205bb279a7 Initial revision lcp parents: diff changeset	415	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	416	choplev 2;
d8205bb279a7 Initial revision lcp parents: diff changeset	417	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	418	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	419	{\out 1. !!x. EX y. ALL x. Q(x,y) ==> EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	420	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	421	by (eresolve_tac [exE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	422	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	423	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	424	{\out 1. !!x y. ALL x. Q(x,y) ==> EX y. Q(x,y)}
d8205bb279a7 Initial revision lcp parents: diff changeset	425	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	426	We now have two parameters and no scheme variables. Applying
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	427	$({\exists}I)$ and $({\forall}E)$ produces two scheme variables, which are
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	428	applied to those parameters. Parameters should be produced early, as this
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	429	example demonstrates.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	430	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	431	by (resolve_tac [exI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	432	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	433	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	434	{\out 1. !!x y. ALL x. Q(x,y) ==> Q(x,?y3(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	435	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	436	by (eresolve_tac [allE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	437	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	438	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	439	{\out 1. !!x y. Q(?x4(x,y),y) ==> Q(x,?y3(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	440	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	441	The subgoal has variables {\tt ?y3} and {\tt ?x4} applied to both
d8205bb279a7 Initial revision lcp parents: diff changeset	442	parameters. The obvious projection functions unify {\tt?x4(x,y)} with~{\tt
d8205bb279a7 Initial revision lcp parents: diff changeset	443	x} and \verb\|?y3(x,y)\| with~{\tt y}.
d8205bb279a7 Initial revision lcp parents: diff changeset	444	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	445	by (assume_tac 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	446	{\out Level 6}
d8205bb279a7 Initial revision lcp parents: diff changeset	447	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	448	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	449	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	450	The theorem was proved in six tactic steps, not counting the abandoned
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	451	ones. But proof checking is tedious; \ttindex{Int.fast_tac} proves the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	452	theorem in one step.
d8205bb279a7 Initial revision lcp parents: diff changeset	453	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	454	goal IFOL.thy "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))";
d8205bb279a7 Initial revision lcp parents: diff changeset	455	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	456	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	457	{\out 1. (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	458	by (Int.fast_tac 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	459	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	460	{\out (EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))}
d8205bb279a7 Initial revision lcp parents: diff changeset	461	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	462	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	463
d8205bb279a7 Initial revision lcp parents: diff changeset	464
d8205bb279a7 Initial revision lcp parents: diff changeset	465	\section{An example of intuitionistic negation}
d8205bb279a7 Initial revision lcp parents: diff changeset	466	The following example demonstrates the specialized forms of implication
d8205bb279a7 Initial revision lcp parents: diff changeset	467	elimination. Even propositional formulae can be difficult to prove from
d8205bb279a7 Initial revision lcp parents: diff changeset	468	the basic rules; the specialized rules help considerably.
d8205bb279a7 Initial revision lcp parents: diff changeset	469
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	470	Propositional examples are easy to invent. As Dummett notes~\cite[page
104 d8205bb279a7 Initial revision lcp parents: diff changeset	471	28]{dummett}, $\neg P$ is classically provable if and only if it is
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	472	intuitionistically provable; therefore, $P$ is classically provable if and
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	473	only if $\neg\neg P$ is intuitionistically provable.%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	474	\footnote{Of course this holds only for propositional logic, not if $P$ is
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	475	allowed to contain quantifiers.} Proving $\neg\neg P$ intuitionistically is
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	476	much harder than proving~$P$ classically.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	477
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	478	Our example is the double negation of the classical tautology $(P\imp
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	479	Q)\disj (Q\imp P)$. When stating the goal, we command Isabelle to expand
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	480	negations to implications using the definition $\neg P\equiv P\imp\bot$.
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	481	This allows use of the special implication rules.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	482	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	483	goalw IFOL.thy [not_def] "~ ~ ((P-->Q) \| (Q-->P))";
d8205bb279a7 Initial revision lcp parents: diff changeset	484	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	485	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	486	{\out 1. ((P --> Q) \| (Q --> P) --> False) --> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	487	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	488	The first step is trivial.
d8205bb279a7 Initial revision lcp parents: diff changeset	489	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	490	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	491	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	492	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	493	{\out 1. (P --> Q) \| (Q --> P) --> False ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	494	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	495	By $(\imp E)$ it would suffice to prove $(P\imp Q)\disj (Q\imp P)$, but
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	496	that formula is not a theorem of intuitionistic logic. Instead we apply
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	497	the specialized implication rule \tdx{disj_impE}. It splits the
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	498	assumption into two assumptions, one for each disjunct.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	499	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	500	by (eresolve_tac [disj_impE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	501	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	502	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	503	{\out 1. [\| (P --> Q) --> False; (Q --> P) --> False \|] ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	504	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	505	We cannot hope to prove $P\imp Q$ or $Q\imp P$ separately, but
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	506	their negations are inconsistent. Applying \tdx{imp_impE} breaks down
104 d8205bb279a7 Initial revision lcp parents: diff changeset	507	the assumption $\neg(P\imp Q)$, asking to show~$Q$ while providing new
d8205bb279a7 Initial revision lcp parents: diff changeset	508	assumptions~$P$ and~$\neg Q$.
d8205bb279a7 Initial revision lcp parents: diff changeset	509	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	510	by (eresolve_tac [imp_impE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	511	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	512	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	513	{\out 1. [\| (Q --> P) --> False; P; Q --> False \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	514	{\out 2. [\| (Q --> P) --> False; False \|] ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	515	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	516	Subgoal~2 holds trivially; let us ignore it and continue working on
d8205bb279a7 Initial revision lcp parents: diff changeset	517	subgoal~1. Thanks to the assumption~$P$, we could prove $Q\imp P$;
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	518	applying \tdx{imp_impE} is simpler.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	519	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	520	by (eresolve_tac [imp_impE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	521	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	522	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	523	{\out 1. [\| P; Q --> False; Q; P --> False \|] ==> P}
d8205bb279a7 Initial revision lcp parents: diff changeset	524	{\out 2. [\| P; Q --> False; False \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	525	{\out 3. [\| (Q --> P) --> False; False \|] ==> False}
d8205bb279a7 Initial revision lcp parents: diff changeset	526	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	527	The three subgoals are all trivial.
d8205bb279a7 Initial revision lcp parents: diff changeset	528	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	529	by (REPEAT (eresolve_tac [FalseE] 2));
d8205bb279a7 Initial revision lcp parents: diff changeset	530	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	531	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	532	{\out 1. [\| P; Q --> False; Q; P --> False \|] ==> P}
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	533	\ttbreak
104 d8205bb279a7 Initial revision lcp parents: diff changeset	534	by (assume_tac 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	535	{\out Level 6}
d8205bb279a7 Initial revision lcp parents: diff changeset	536	{\out ~ ~ ((P --> Q) \| (Q --> P))}
d8205bb279a7 Initial revision lcp parents: diff changeset	537	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	538	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	539	This proof is also trivial for {\tt Int.fast_tac}.
d8205bb279a7 Initial revision lcp parents: diff changeset	540
d8205bb279a7 Initial revision lcp parents: diff changeset	541
d8205bb279a7 Initial revision lcp parents: diff changeset	542	\section{A classical example} \label{fol-cla-example}
d8205bb279a7 Initial revision lcp parents: diff changeset	543	To illustrate classical logic, we shall prove the theorem
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	544	$\ex{y}\all{x}P(y)\imp P(x)$. Informally, the theorem can be proved as
104 d8205bb279a7 Initial revision lcp parents: diff changeset	545	follows. Choose~$y$ such that~$\neg P(y)$, if such exists; otherwise
d8205bb279a7 Initial revision lcp parents: diff changeset	546	$\all{x}P(x)$ is true. Either way the theorem holds.
d8205bb279a7 Initial revision lcp parents: diff changeset	547
d8205bb279a7 Initial revision lcp parents: diff changeset	548	The formal proof does not conform in any obvious way to the sketch given
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	549	above. The key inference is the first one, \tdx{exCI}; this classical
104 d8205bb279a7 Initial revision lcp parents: diff changeset	550	version of~$(\exists I)$ allows multiple instantiation of the quantifier.
d8205bb279a7 Initial revision lcp parents: diff changeset	551	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	552	goal FOL.thy "EX y. ALL x. P(y)-->P(x)";
d8205bb279a7 Initial revision lcp parents: diff changeset	553	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	554	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	555	{\out 1. EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	556	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	557	by (resolve_tac [exCI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	558	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	559	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	560	{\out 1. ALL y. ~ (ALL x. P(y) --> P(x)) ==> ALL x. P(?a) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	561	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	562	We can either exhibit a term {\tt?a} to satisfy the conclusion of
104 d8205bb279a7 Initial revision lcp parents: diff changeset	563	subgoal~1, or produce a contradiction from the assumption. The next
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	564	steps are routine.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	565	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	566	by (resolve_tac [allI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	567	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	568	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	569	{\out 1. !!x. ALL y. ~ (ALL x. P(y) --> P(x)) ==> P(?a) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	570	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	571	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	572	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	573	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	574	{\out 1. !!x. [\| ALL y. ~ (ALL x. P(y) --> P(x)); P(?a) \|] ==> P(x)}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	575	\end{ttbox}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	576	By the duality between $\exists$ and~$\forall$, applying~$(\forall E)$
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	577	in effect applies~$(\exists I)$ again.
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	578	\begin{ttbox}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	579	by (eresolve_tac [allE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	580	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	581	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	582	{\out 1. !!x. [\| P(?a); ~ (ALL xa. P(?y3(x)) --> P(xa)) \|] ==> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	583	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	584	In classical logic, a negated assumption is equivalent to a conclusion. To
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	585	get this effect, we create a swapped version of~$(\forall I)$ and apply it
104 d8205bb279a7 Initial revision lcp parents: diff changeset	586	using \ttindex{eresolve_tac}; we could equivalently have applied~$(\forall
d8205bb279a7 Initial revision lcp parents: diff changeset	587	I)$ using \ttindex{swap_res_tac}.
d8205bb279a7 Initial revision lcp parents: diff changeset	588	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	589	allI RSN (2,swap);
d8205bb279a7 Initial revision lcp parents: diff changeset	590	{\out val it = "[\| ~ (ALL x. ?P1(x)); !!x. ~ ?Q ==> ?P1(x) \|] ==> ?Q" : thm}
d8205bb279a7 Initial revision lcp parents: diff changeset	591	by (eresolve_tac [it] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	592	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	593	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	594	{\out 1. !!x xa. [\| P(?a); ~ P(x) \|] ==> P(?y3(x)) --> P(xa)}
d8205bb279a7 Initial revision lcp parents: diff changeset	595	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	596	The previous conclusion, {\tt P(x)}, has become a negated assumption.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	597	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	598	by (resolve_tac [impI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	599	{\out Level 6}
d8205bb279a7 Initial revision lcp parents: diff changeset	600	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	601	{\out 1. !!x xa. [\| P(?a); ~ P(x); P(?y3(x)) \|] ==> P(xa)}
d8205bb279a7 Initial revision lcp parents: diff changeset	602	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	603	The subgoal has three assumptions. We produce a contradiction between the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	604	\index{assumptions!contradictory} assumptions~\verb\|~P(x)\| and~{\tt
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	605	P(?y3(x))}. The proof never instantiates the unknown~{\tt?a}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	606	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	607	by (eresolve_tac [notE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	608	{\out Level 7}
d8205bb279a7 Initial revision lcp parents: diff changeset	609	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	610	{\out 1. !!x xa. [\| P(?a); P(?y3(x)) \|] ==> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	611	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	612	by (assume_tac 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	613	{\out Level 8}
d8205bb279a7 Initial revision lcp parents: diff changeset	614	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	615	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	616	\end{ttbox}
874 2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	617	The civilised way to prove this theorem is through \ttindex{deepen_tac},
2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	618	which automatically uses the classical version of~$(\exists I)$:
104 d8205bb279a7 Initial revision lcp parents: diff changeset	619	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	620	goal FOL.thy "EX y. ALL x. P(y)-->P(x)";
d8205bb279a7 Initial revision lcp parents: diff changeset	621	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	622	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	623	{\out 1. EX y. ALL x. P(y) --> P(x)}
874 2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	624	by (deepen_tac FOL_cs 0 1);
2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	625	{\out Depth = 0}
2432820efbfe removed mention of FOL_dup_cs lcp parents: 706 diff changeset	626	{\out Depth = 2}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	627	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	628	{\out EX y. ALL x. P(y) --> P(x)}
d8205bb279a7 Initial revision lcp parents: diff changeset	629	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	630	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	631	If this theorem seems counterintuitive, then perhaps you are an
d8205bb279a7 Initial revision lcp parents: diff changeset	632	intuitionist. In constructive logic, proving $\ex{y}\all{x}P(y)\imp P(x)$
d8205bb279a7 Initial revision lcp parents: diff changeset	633	requires exhibiting a particular term~$t$ such that $\all{x}P(t)\imp P(x)$,
d8205bb279a7 Initial revision lcp parents: diff changeset	634	which we cannot do without further knowledge about~$P$.
d8205bb279a7 Initial revision lcp parents: diff changeset	635
d8205bb279a7 Initial revision lcp parents: diff changeset	636
d8205bb279a7 Initial revision lcp parents: diff changeset	637	\section{Derived rules and the classical tactics}
d8205bb279a7 Initial revision lcp parents: diff changeset	638	Classical first-order logic can be extended with the propositional
d8205bb279a7 Initial revision lcp parents: diff changeset	639	connective $if(P,Q,R)$, where
d8205bb279a7 Initial revision lcp parents: diff changeset	640	$$ if(P,Q,R) \equiv P\conj Q \disj \neg P \conj R. \eqno(if) $$
d8205bb279a7 Initial revision lcp parents: diff changeset	641	Theorems about $if$ can be proved by treating this as an abbreviation,
d8205bb279a7 Initial revision lcp parents: diff changeset	642	replacing $if(P,Q,R)$ by $P\conj Q \disj \neg P \conj R$ in subgoals. But
d8205bb279a7 Initial revision lcp parents: diff changeset	643	this duplicates~$P$, causing an exponential blowup and an unreadable
d8205bb279a7 Initial revision lcp parents: diff changeset	644	formula. Introducing further abbreviations makes the problem worse.
d8205bb279a7 Initial revision lcp parents: diff changeset	645
d8205bb279a7 Initial revision lcp parents: diff changeset	646	Natural deduction demands rules that introduce and eliminate $if(P,Q,R)$
d8205bb279a7 Initial revision lcp parents: diff changeset	647	directly, without reference to its definition. The simple identity
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	648	\[ if(P,Q,R) \,\bimp\, (P\imp Q)\conj (\neg P\imp R) \]
104 d8205bb279a7 Initial revision lcp parents: diff changeset	649	suggests that the
d8205bb279a7 Initial revision lcp parents: diff changeset	650	$if$-introduction rule should be
157 8258c26ae084 Correction to page 16; thanks to Markus W. lcp parents: 111 diff changeset	651	\[ \infer[({if}\,I)]{if(P,Q,R)}{\infer{Q}{[P]} & \infer{R}{[\neg P]}} \]
104 d8205bb279a7 Initial revision lcp parents: diff changeset	652	The $if$-elimination rule reflects the definition of $if(P,Q,R)$ and the
d8205bb279a7 Initial revision lcp parents: diff changeset	653	elimination rules for~$\disj$ and~$\conj$.
d8205bb279a7 Initial revision lcp parents: diff changeset	654	\[ \infer[({if}\,E)]{S}{if(P,Q,R) & \infer*{S}{[P,Q]}
d8205bb279a7 Initial revision lcp parents: diff changeset	655	& \infer*{S}{[\neg P,R]}}
d8205bb279a7 Initial revision lcp parents: diff changeset	656	\]
d8205bb279a7 Initial revision lcp parents: diff changeset	657	Having made these plans, we get down to work with Isabelle. The theory of
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	658	classical logic, {\tt FOL}, is extended with the constant
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	659	$if::[o,o,o]\To o$. The axiom \tdx{if_def} asserts the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	660	equation~$(if)$.
d8205bb279a7 Initial revision lcp parents: diff changeset	661	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	662	If = FOL +
d8205bb279a7 Initial revision lcp parents: diff changeset	663	consts if :: "[o,o,o]=>o"
d8205bb279a7 Initial revision lcp parents: diff changeset	664	rules if_def "if(P,Q,R) == P&Q \| ~P&R"
d8205bb279a7 Initial revision lcp parents: diff changeset	665	end
d8205bb279a7 Initial revision lcp parents: diff changeset	666	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	667	The derivations of the introduction and elimination rules demonstrate the
d8205bb279a7 Initial revision lcp parents: diff changeset	668	methods for rewriting with definitions. Classical reasoning is required,
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	669	so we use {\tt fast_tac}.
104 d8205bb279a7 Initial revision lcp parents: diff changeset	670
d8205bb279a7 Initial revision lcp parents: diff changeset	671
d8205bb279a7 Initial revision lcp parents: diff changeset	672	\subsection{Deriving the introduction rule}
d8205bb279a7 Initial revision lcp parents: diff changeset	673	The introduction rule, given the premises $P\Imp Q$ and $\neg P\Imp R$,
d8205bb279a7 Initial revision lcp parents: diff changeset	674	concludes $if(P,Q,R)$. We propose the conclusion as the main goal
d8205bb279a7 Initial revision lcp parents: diff changeset	675	using~\ttindex{goalw}, which uses {\tt if_def} to rewrite occurrences
d8205bb279a7 Initial revision lcp parents: diff changeset	676	of $if$ in the subgoal.
d8205bb279a7 Initial revision lcp parents: diff changeset	677	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	678	val prems = goalw If.thy [if_def]
d8205bb279a7 Initial revision lcp parents: diff changeset	679	"[\| P ==> Q; ~ P ==> R \|] ==> if(P,Q,R)";
d8205bb279a7 Initial revision lcp parents: diff changeset	680	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	681	{\out if(P,Q,R)}
d8205bb279a7 Initial revision lcp parents: diff changeset	682	{\out 1. P & Q \| ~ P & R}
d8205bb279a7 Initial revision lcp parents: diff changeset	683	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	684	The premises (bound to the {\ML} variable {\tt prems}) are passed as
d8205bb279a7 Initial revision lcp parents: diff changeset	685	introduction rules to \ttindex{fast_tac}:
d8205bb279a7 Initial revision lcp parents: diff changeset	686	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	687	by (fast_tac (FOL_cs addIs prems) 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	688	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	689	{\out if(P,Q,R)}
d8205bb279a7 Initial revision lcp parents: diff changeset	690	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	691	val ifI = result();
d8205bb279a7 Initial revision lcp parents: diff changeset	692	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	693
d8205bb279a7 Initial revision lcp parents: diff changeset	694
d8205bb279a7 Initial revision lcp parents: diff changeset	695	\subsection{Deriving the elimination rule}
d8205bb279a7 Initial revision lcp parents: diff changeset	696	The elimination rule has three premises, two of which are themselves rules.
d8205bb279a7 Initial revision lcp parents: diff changeset	697	The conclusion is simply $S$.
d8205bb279a7 Initial revision lcp parents: diff changeset	698	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	699	val major::prems = goalw If.thy [if_def]
d8205bb279a7 Initial revision lcp parents: diff changeset	700	"[\| if(P,Q,R); [\| P; Q \|] ==> S; [\| ~ P; R \|] ==> S \|] ==> S";
d8205bb279a7 Initial revision lcp parents: diff changeset	701	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	702	{\out S}
d8205bb279a7 Initial revision lcp parents: diff changeset	703	{\out 1. S}
d8205bb279a7 Initial revision lcp parents: diff changeset	704	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	705	The major premise contains an occurrence of~$if$, but the version returned
d8205bb279a7 Initial revision lcp parents: diff changeset	706	by \ttindex{goalw} (and bound to the {\ML} variable~{\tt major}) has the
d8205bb279a7 Initial revision lcp parents: diff changeset	707	definition expanded. Now \ttindex{cut_facts_tac} inserts~{\tt major} as an
d8205bb279a7 Initial revision lcp parents: diff changeset	708	assumption in the subgoal, so that \ttindex{fast_tac} can break it down.
d8205bb279a7 Initial revision lcp parents: diff changeset	709	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	710	by (cut_facts_tac [major] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	711	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	712	{\out S}
d8205bb279a7 Initial revision lcp parents: diff changeset	713	{\out 1. P & Q \| ~ P & R ==> S}
d8205bb279a7 Initial revision lcp parents: diff changeset	714	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	715	by (fast_tac (FOL_cs addIs prems) 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	716	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	717	{\out S}
d8205bb279a7 Initial revision lcp parents: diff changeset	718	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	719	val ifE = result();
d8205bb279a7 Initial revision lcp parents: diff changeset	720	\end{ttbox}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	721	As you may recall from
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	722	\iflabelundefined{definitions}{{\em Introduction to Isabelle}}%
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	723	{\S\ref{definitions}}, there are other
104 d8205bb279a7 Initial revision lcp parents: diff changeset	724	ways of treating definitions when deriving a rule. We can start the
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	725	proof using {\tt goal}, which does not expand definitions, instead of
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	726	{\tt goalw}. We can use \ttindex{rewrite_goals_tac}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	727	to expand definitions in the subgoals --- perhaps after calling
d8205bb279a7 Initial revision lcp parents: diff changeset	728	\ttindex{cut_facts_tac} to insert the rule's premises. We can use
d8205bb279a7 Initial revision lcp parents: diff changeset	729	\ttindex{rewrite_rule}, which is a meta-inference rule, to expand
d8205bb279a7 Initial revision lcp parents: diff changeset	730	definitions in the premises directly.
d8205bb279a7 Initial revision lcp parents: diff changeset	731
d8205bb279a7 Initial revision lcp parents: diff changeset	732
d8205bb279a7 Initial revision lcp parents: diff changeset	733	\subsection{Using the derived rules}
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	734	The rules just derived have been saved with the {\ML} names \tdx{ifI}
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	735	and~\tdx{ifE}. They permit natural proofs of theorems such as the
104 d8205bb279a7 Initial revision lcp parents: diff changeset	736	following:
d8205bb279a7 Initial revision lcp parents: diff changeset	737	\begin{eqnarray*}
111 1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	738	if(P, if(Q,A,B), if(Q,C,D)) & \bimp & if(Q,if(P,A,C),if(P,B,D)) \\
1b3cddf41b2d Various updates for Isabelle-93 lcp parents: 104 diff changeset	739	if(if(P,Q,R), A, B) & \bimp & if(P,if(Q,A,B),if(R,A,B))
104 d8205bb279a7 Initial revision lcp parents: diff changeset	740	\end{eqnarray*}
d8205bb279a7 Initial revision lcp parents: diff changeset	741	Proofs also require the classical reasoning rules and the $\bimp$
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	742	introduction rule (called~\tdx{iffI}: do not confuse with~{\tt ifI}).
104 d8205bb279a7 Initial revision lcp parents: diff changeset	743
d8205bb279a7 Initial revision lcp parents: diff changeset	744	To display the $if$-rules in action, let us analyse a proof step by step.
d8205bb279a7 Initial revision lcp parents: diff changeset	745	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	746	goal If.thy
d8205bb279a7 Initial revision lcp parents: diff changeset	747	"if(P, if(Q,A,B), if(Q,C,D)) <-> if(Q, if(P,A,C), if(P,B,D))";
d8205bb279a7 Initial revision lcp parents: diff changeset	748	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	749	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	750	{\out 1. if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	751	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	752	by (resolve_tac [iffI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	753	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	754	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	755	{\out 1. if(P,if(Q,A,B),if(Q,C,D)) ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	756	{\out 2. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	757	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	758	The $if$-elimination rule can be applied twice in succession.
d8205bb279a7 Initial revision lcp parents: diff changeset	759	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	760	by (eresolve_tac [ifE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	761	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	762	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	763	{\out 1. [\| P; if(Q,A,B) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	764	{\out 2. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	765	{\out 3. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	766	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	767	by (eresolve_tac [ifE] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	768	{\out Level 3}
d8205bb279a7 Initial revision lcp parents: diff changeset	769	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	770	{\out 1. [\| P; Q; A \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	771	{\out 2. [\| P; ~ Q; B \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	772	{\out 3. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	773	{\out 4. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	774	\end{ttbox}
333 2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	775	%
2ca08f62df33 final Springer copy lcp parents: 313 diff changeset	776	In the first two subgoals, all assumptions have been reduced to atoms. Now
104 d8205bb279a7 Initial revision lcp parents: diff changeset	777	$if$-introduction can be applied. Observe how the $if$-rules break down
d8205bb279a7 Initial revision lcp parents: diff changeset	778	occurrences of $if$ when they become the outermost connective.
d8205bb279a7 Initial revision lcp parents: diff changeset	779	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	780	by (resolve_tac [ifI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	781	{\out Level 4}
d8205bb279a7 Initial revision lcp parents: diff changeset	782	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	783	{\out 1. [\| P; Q; A; Q \|] ==> if(P,A,C)}
d8205bb279a7 Initial revision lcp parents: diff changeset	784	{\out 2. [\| P; Q; A; ~ Q \|] ==> if(P,B,D)}
d8205bb279a7 Initial revision lcp parents: diff changeset	785	{\out 3. [\| P; ~ Q; B \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	786	{\out 4. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	787	{\out 5. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	788	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	789	by (resolve_tac [ifI] 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	790	{\out Level 5}
d8205bb279a7 Initial revision lcp parents: diff changeset	791	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	792	{\out 1. [\| P; Q; A; Q; P \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	793	{\out 2. [\| P; Q; A; Q; ~ P \|] ==> C}
d8205bb279a7 Initial revision lcp parents: diff changeset	794	{\out 3. [\| P; Q; A; ~ Q \|] ==> if(P,B,D)}
d8205bb279a7 Initial revision lcp parents: diff changeset	795	{\out 4. [\| P; ~ Q; B \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	796	{\out 5. [\| ~ P; if(Q,C,D) \|] ==> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	797	{\out 6. if(Q,if(P,A,C),if(P,B,D)) ==> if(P,if(Q,A,B),if(Q,C,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	798	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	799	Where do we stand? The first subgoal holds by assumption; the second and
d8205bb279a7 Initial revision lcp parents: diff changeset	800	third, by contradiction. This is getting tedious. Let us revert to the
d8205bb279a7 Initial revision lcp parents: diff changeset	801	initial proof state and let \ttindex{fast_tac} solve it. The classical
d8205bb279a7 Initial revision lcp parents: diff changeset	802	rule set {\tt if_cs} contains the rules of~{\FOL} plus the derived rules
d8205bb279a7 Initial revision lcp parents: diff changeset	803	for~$if$.
d8205bb279a7 Initial revision lcp parents: diff changeset	804	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	805	choplev 0;
d8205bb279a7 Initial revision lcp parents: diff changeset	806	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	807	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	808	{\out 1. if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	809	val if_cs = FOL_cs addSIs [ifI] addSEs[ifE];
d8205bb279a7 Initial revision lcp parents: diff changeset	810	by (fast_tac if_cs 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	811	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	812	{\out if(P,if(Q,A,B),if(Q,C,D)) <-> if(Q,if(P,A,C),if(P,B,D))}
d8205bb279a7 Initial revision lcp parents: diff changeset	813	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	814	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	815	This tactic also solves the other example.
d8205bb279a7 Initial revision lcp parents: diff changeset	816	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	817	goal If.thy "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,A,B))";
d8205bb279a7 Initial revision lcp parents: diff changeset	818	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	819	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	820	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	821	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	822	by (fast_tac if_cs 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	823	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	824	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	825	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	826	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	827
d8205bb279a7 Initial revision lcp parents: diff changeset	828
d8205bb279a7 Initial revision lcp parents: diff changeset	829	\subsection{Derived rules versus definitions}
d8205bb279a7 Initial revision lcp parents: diff changeset	830	Dispensing with the derived rules, we can treat $if$ as an
d8205bb279a7 Initial revision lcp parents: diff changeset	831	abbreviation, and let \ttindex{fast_tac} prove the expanded formula. Let
d8205bb279a7 Initial revision lcp parents: diff changeset	832	us redo the previous proof:
d8205bb279a7 Initial revision lcp parents: diff changeset	833	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	834	choplev 0;
d8205bb279a7 Initial revision lcp parents: diff changeset	835	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	836	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	837	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	838	\end{ttbox}
6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	839	This time, simply unfold using the definition of $if$:
6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	840	\begin{ttbox}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	841	by (rewrite_goals_tac [if_def]);
d8205bb279a7 Initial revision lcp parents: diff changeset	842	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	843	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	844	{\out 1. (P & Q \| ~ P & R) & A \| ~ (P & Q \| ~ P & R) & B <->}
d8205bb279a7 Initial revision lcp parents: diff changeset	845	{\out P & (Q & A \| ~ Q & B) \| ~ P & (R & A \| ~ R & B)}
287 6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	846	\end{ttbox}
6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	847	We are left with a subgoal in pure first-order logic:
6b62a6ddbe15 first draft of Springer book lcp parents: 157 diff changeset	848	\begin{ttbox}
104 d8205bb279a7 Initial revision lcp parents: diff changeset	849	by (fast_tac FOL_cs 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	850	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	851	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,A,B))}
d8205bb279a7 Initial revision lcp parents: diff changeset	852	{\out No subgoals!}
d8205bb279a7 Initial revision lcp parents: diff changeset	853	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	854	Expanding definitions reduces the extended logic to the base logic. This
d8205bb279a7 Initial revision lcp parents: diff changeset	855	approach has its merits --- especially if the prover for the base logic is
d8205bb279a7 Initial revision lcp parents: diff changeset	856	good --- but can be slow. In these examples, proofs using {\tt if_cs} (the
d8205bb279a7 Initial revision lcp parents: diff changeset	857	derived rules) run about six times faster than proofs using {\tt FOL_cs}.
d8205bb279a7 Initial revision lcp parents: diff changeset	858
d8205bb279a7 Initial revision lcp parents: diff changeset	859	Expanding definitions also complicates error diagnosis. Suppose we are having
d8205bb279a7 Initial revision lcp parents: diff changeset	860	difficulties in proving some goal. If by expanding definitions we have
d8205bb279a7 Initial revision lcp parents: diff changeset	861	made it unreadable, then we have little hope of diagnosing the problem.
d8205bb279a7 Initial revision lcp parents: diff changeset	862
d8205bb279a7 Initial revision lcp parents: diff changeset	863	Attempts at program verification often yield invalid assertions.
d8205bb279a7 Initial revision lcp parents: diff changeset	864	Let us try to prove one:
d8205bb279a7 Initial revision lcp parents: diff changeset	865	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	866	goal If.thy "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,B,A))";
d8205bb279a7 Initial revision lcp parents: diff changeset	867	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	868	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	869	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	870	by (fast_tac FOL_cs 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	871	{\out by: tactic failed}
d8205bb279a7 Initial revision lcp parents: diff changeset	872	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	873	This failure message is uninformative, but we can get a closer look at the
d8205bb279a7 Initial revision lcp parents: diff changeset	874	situation by applying \ttindex{step_tac}.
d8205bb279a7 Initial revision lcp parents: diff changeset	875	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	876	by (REPEAT (step_tac if_cs 1));
d8205bb279a7 Initial revision lcp parents: diff changeset	877	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	878	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	879	{\out 1. [\| A; ~ P; R; ~ P; R \|] ==> B}
d8205bb279a7 Initial revision lcp parents: diff changeset	880	{\out 2. [\| B; ~ P; ~ R; ~ P; ~ R \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	881	{\out 3. [\| ~ P; R; B; ~ P; R \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	882	{\out 4. [\| ~ P; ~ R; A; ~ B; ~ P \|] ==> R}
d8205bb279a7 Initial revision lcp parents: diff changeset	883	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	884	Subgoal~1 is unprovable and yields a countermodel: $P$ and~$B$ are false
d8205bb279a7 Initial revision lcp parents: diff changeset	885	while~$R$ and~$A$ are true. This truth assignment reduces the main goal to
d8205bb279a7 Initial revision lcp parents: diff changeset	886	$true\bimp false$, which is of course invalid.
d8205bb279a7 Initial revision lcp parents: diff changeset	887
d8205bb279a7 Initial revision lcp parents: diff changeset	888	We can repeat this analysis by expanding definitions, using just
d8205bb279a7 Initial revision lcp parents: diff changeset	889	the rules of {\FOL}:
d8205bb279a7 Initial revision lcp parents: diff changeset	890	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	891	choplev 0;
d8205bb279a7 Initial revision lcp parents: diff changeset	892	{\out Level 0}
d8205bb279a7 Initial revision lcp parents: diff changeset	893	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	894	{\out 1. if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	895	\ttbreak
d8205bb279a7 Initial revision lcp parents: diff changeset	896	by (rewrite_goals_tac [if_def]);
d8205bb279a7 Initial revision lcp parents: diff changeset	897	{\out Level 1}
d8205bb279a7 Initial revision lcp parents: diff changeset	898	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	899	{\out 1. (P & Q \| ~ P & R) & A \| ~ (P & Q \| ~ P & R) & B <->}
d8205bb279a7 Initial revision lcp parents: diff changeset	900	{\out P & (Q & A \| ~ Q & B) \| ~ P & (R & B \| ~ R & A)}
d8205bb279a7 Initial revision lcp parents: diff changeset	901	by (fast_tac FOL_cs 1);
d8205bb279a7 Initial revision lcp parents: diff changeset	902	{\out by: tactic failed}
d8205bb279a7 Initial revision lcp parents: diff changeset	903	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	904	Again we apply \ttindex{step_tac}:
d8205bb279a7 Initial revision lcp parents: diff changeset	905	\begin{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	906	by (REPEAT (step_tac FOL_cs 1));
d8205bb279a7 Initial revision lcp parents: diff changeset	907	{\out Level 2}
d8205bb279a7 Initial revision lcp parents: diff changeset	908	{\out if(if(P,Q,R),A,B) <-> if(P,if(Q,A,B),if(R,B,A))}
d8205bb279a7 Initial revision lcp parents: diff changeset	909	{\out 1. [\| A; ~ P; R; ~ P; R; ~ False \|] ==> B}
d8205bb279a7 Initial revision lcp parents: diff changeset	910	{\out 2. [\| A; ~ P; R; R; ~ False; ~ B; ~ B \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	911	{\out 3. [\| B; ~ P; ~ R; ~ P; ~ A \|] ==> R}
d8205bb279a7 Initial revision lcp parents: diff changeset	912	{\out 4. [\| B; ~ P; ~ R; ~ Q; ~ A \|] ==> R}
d8205bb279a7 Initial revision lcp parents: diff changeset	913	{\out 5. [\| B; ~ R; ~ P; ~ A; ~ R; Q; ~ False \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	914	{\out 6. [\| ~ P; R; B; ~ P; R; ~ False \|] ==> A}
d8205bb279a7 Initial revision lcp parents: diff changeset	915	{\out 7. [\| ~ P; ~ R; A; ~ B; ~ R \|] ==> P}
d8205bb279a7 Initial revision lcp parents: diff changeset	916	{\out 8. [\| ~ P; ~ R; A; ~ B; ~ R \|] ==> Q}
d8205bb279a7 Initial revision lcp parents: diff changeset	917	\end{ttbox}
d8205bb279a7 Initial revision lcp parents: diff changeset	918	Subgoal~1 yields the same countermodel as before. But each proof step has
d8205bb279a7 Initial revision lcp parents: diff changeset	919	taken six times as long, and the final result contains twice as many subgoals.
d8205bb279a7 Initial revision lcp parents: diff changeset	920
d8205bb279a7 Initial revision lcp parents: diff changeset	921	Expanding definitions causes a great increase in complexity. This is why
d8205bb279a7 Initial revision lcp parents: diff changeset	922	the classical prover has been designed to accept derived rules.
313 a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	923
a45ae7b38672 penultimate Springer draft lcp parents: 287 diff changeset	924	\index{first-order logic\|)}

author	nipkow
	Sat, 22 Apr 1995 12:21:41 +0200
changeset 1067	00ed040f66e1
parent 874	2432820efbfe
child 1388	7705e6211865
permissions	-rw-r--r--