47269
|
1 |
(*<*)
|
|
2 |
theory Logic
|
|
3 |
imports LaTeXsugar
|
|
4 |
begin
|
|
5 |
(*>*)
|
|
6 |
text{*
|
|
7 |
\vspace{-5ex}
|
47711
|
8 |
\section{Logic and proof beyond equality}
|
47269
|
9 |
\label{sec:Logic}
|
|
10 |
|
|
11 |
\subsection{Formulas}
|
|
12 |
|
47711
|
13 |
The core syntax of formulas (\textit{form} below)
|
47720
|
14 |
provides the standard logical constructs, in decreasing order of precedence:
|
47269
|
15 |
\[
|
|
16 |
\begin{array}{rcl}
|
|
17 |
|
|
18 |
\mathit{form} & ::= &
|
|
19 |
@{text"(form)"} ~\mid~
|
|
20 |
@{const True} ~\mid~
|
|
21 |
@{const False} ~\mid~
|
|
22 |
@{prop "term = term"}\\
|
|
23 |
&\mid& @{prop"\<not> form"} ~\mid~
|
|
24 |
@{prop "form \<and> form"} ~\mid~
|
|
25 |
@{prop "form \<or> form"} ~\mid~
|
|
26 |
@{prop "form \<longrightarrow> form"}\\
|
|
27 |
&\mid& @{prop"\<forall>x. form"} ~\mid~ @{prop"\<exists>x. form"}
|
|
28 |
\end{array}
|
|
29 |
\]
|
47711
|
30 |
Terms are the ones we have seen all along, built from constants, variables,
|
47269
|
31 |
function application and @{text"\<lambda>"}-abstraction, including all the syntactic
|
|
32 |
sugar like infix symbols, @{text "if"}, @{text "case"} etc.
|
|
33 |
\begin{warn}
|
|
34 |
Remember that formulas are simply terms of type @{text bool}. Hence
|
|
35 |
@{text "="} also works for formulas. Beware that @{text"="} has a higher
|
|
36 |
precedence than the other logical operators. Hence @{prop"s = t \<and> A"} means
|
47711
|
37 |
@{text"(s = t) \<and> A"}, and @{prop"A\<and>B = B\<and>A"} means @{text"A \<and> (B = B) \<and> A"}.
|
47269
|
38 |
Logical equivalence can also be written with
|
|
39 |
@{text "\<longleftrightarrow>"} instead of @{text"="}, where @{text"\<longleftrightarrow>"} has the same low
|
|
40 |
precedence as @{text"\<longrightarrow>"}. Hence @{text"A \<and> B \<longleftrightarrow> B \<and> A"} really means
|
|
41 |
@{text"(A \<and> B) \<longleftrightarrow> (B \<and> A)"}.
|
|
42 |
\end{warn}
|
|
43 |
\begin{warn}
|
|
44 |
Quantifiers need to be enclosed in parentheses if they are nested within
|
|
45 |
other constructs (just like @{text "if"}, @{text case} and @{text let}).
|
|
46 |
\end{warn}
|
|
47 |
The most frequent logical symbols have the following ASCII representations:
|
|
48 |
\begin{center}
|
|
49 |
\begin{tabular}{l@ {\qquad}l@ {\qquad}l}
|
|
50 |
@{text "\<forall>"} & \xsymbol{forall} & \texttt{ALL}\\
|
|
51 |
@{text "\<exists>"} & \xsymbol{exists} & \texttt{EX}\\
|
|
52 |
@{text "\<lambda>"} & \xsymbol{lambda} & \texttt{\%}\\
|
|
53 |
@{text "\<longrightarrow>"} & \texttt{-{}->}\\
|
47711
|
54 |
@{text "\<longleftrightarrow>"} & \texttt{<->}\\
|
47269
|
55 |
@{text "\<and>"} & \texttt{/\char`\\} & \texttt{\&}\\
|
|
56 |
@{text "\<or>"} & \texttt{\char`\\/} & \texttt{|}\\
|
|
57 |
@{text "\<not>"} & \xsymbol{not} & \texttt{\char`~}\\
|
|
58 |
@{text "\<noteq>"} & \xsymbol{noteq} & \texttt{\char`~=}
|
|
59 |
\end{tabular}
|
|
60 |
\end{center}
|
|
61 |
The first column shows the symbols, the second column ASCII representations
|
|
62 |
that Isabelle interfaces convert into the corresponding symbol,
|
|
63 |
and the third column shows ASCII representations that stay fixed.
|
|
64 |
\begin{warn}
|
|
65 |
The implication @{text"\<Longrightarrow>"} is part of the Isabelle framework. It structures
|
47711
|
66 |
theorems and proof states, separating assumptions from conclusions.
|
47269
|
67 |
The implication @{text"\<longrightarrow>"} is part of the logic HOL and can occur inside the
|
|
68 |
formulas that make up the assumptions and conclusion.
|
|
69 |
Theorems should be of the form @{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"},
|
|
70 |
not @{text"A\<^isub>1 \<and> \<dots> \<and> A\<^isub>n \<longrightarrow> A"}. Both are logically equivalent
|
|
71 |
but the first one works better when using the theorem in further proofs.
|
|
72 |
\end{warn}
|
|
73 |
|
|
74 |
\subsection{Sets}
|
51038
|
75 |
\label{sec:Sets}
|
47269
|
76 |
|
|
77 |
Sets of elements of type @{typ 'a} have type @{typ"'a set"}.
|
47711
|
78 |
They can be finite or infinite. Sets come with the usual notation:
|
47269
|
79 |
\begin{itemize}
|
|
80 |
\item @{term"{}"},\quad @{text"{e\<^isub>1,\<dots>,e\<^isub>n}"}
|
|
81 |
\item @{prop"e \<in> A"},\quad @{prop"A \<subseteq> B"}
|
|
82 |
\item @{term"A \<union> B"},\quad @{term"A \<inter> B"},\quad @{term"A - B"},\quad @{term"-A"}
|
|
83 |
\end{itemize}
|
|
84 |
and much more. @{const UNIV} is the set of all elements of some type.
|
|
85 |
Set comprehension is written @{term"{x. P}"}
|
|
86 |
rather than @{text"{x | P}"}, to emphasize the variable binding nature
|
|
87 |
of the construct.
|
|
88 |
\begin{warn}
|
|
89 |
In @{term"{x. P}"} the @{text x} must be a variable. Set comprehension
|
|
90 |
involving a proper term @{text t} must be written
|
49615
|
91 |
\noquotes{@{term[source] "{t | x y. P}"}},
|
|
92 |
where @{text "x y"} are those free variables in @{text t}
|
|
93 |
that occur in @{text P}.
|
|
94 |
This is just a shorthand for @{term"{v. EX x y. v = t \<and> P}"}, where
|
|
95 |
@{text v} is a new variable. For example, @{term"{x+y|x. x \<in> A}"}
|
|
96 |
is short for \noquotes{@{term[source]"{v. \<exists>x. v = x+y \<and> x \<in> A}"}}.
|
47269
|
97 |
\end{warn}
|
|
98 |
|
|
99 |
Here are the ASCII representations of the mathematical symbols:
|
|
100 |
\begin{center}
|
|
101 |
\begin{tabular}{l@ {\quad}l@ {\quad}l}
|
|
102 |
@{text "\<in>"} & \texttt{\char`\\\char`\<in>} & \texttt{:}\\
|
|
103 |
@{text "\<subseteq>"} & \texttt{\char`\\\char`\<subseteq>} & \texttt{<=}\\
|
|
104 |
@{text "\<union>"} & \texttt{\char`\\\char`\<union>} & \texttt{Un}\\
|
|
105 |
@{text "\<inter>"} & \texttt{\char`\\\char`\<inter>} & \texttt{Int}
|
|
106 |
\end{tabular}
|
|
107 |
\end{center}
|
|
108 |
Sets also allow bounded quantifications @{prop"ALL x : A. P"} and
|
|
109 |
@{prop"EX x : A. P"}.
|
|
110 |
|
|
111 |
\subsection{Proof automation}
|
|
112 |
|
|
113 |
So far we have only seen @{text simp} and @{text auto}: Both perform
|
|
114 |
rewriting, both can also prove linear arithmetic facts (no multiplication),
|
|
115 |
and @{text auto} is also able to prove simple logical or set-theoretic goals:
|
|
116 |
*}
|
|
117 |
|
|
118 |
lemma "\<forall>x. \<exists>y. x = y"
|
|
119 |
by auto
|
|
120 |
|
|
121 |
lemma "A \<subseteq> B \<inter> C \<Longrightarrow> A \<subseteq> B \<union> C"
|
|
122 |
by auto
|
|
123 |
|
|
124 |
text{* where
|
|
125 |
\begin{quote}
|
|
126 |
\isacom{by} \textit{proof-method}
|
|
127 |
\end{quote}
|
|
128 |
is short for
|
|
129 |
\begin{quote}
|
|
130 |
\isacom{apply} \textit{proof-method}\\
|
|
131 |
\isacom{done}
|
|
132 |
\end{quote}
|
|
133 |
The key characteristics of both @{text simp} and @{text auto} are
|
|
134 |
\begin{itemize}
|
|
135 |
\item They show you were they got stuck, giving you an idea how to continue.
|
|
136 |
\item They perform the obvious steps but are highly incomplete.
|
|
137 |
\end{itemize}
|
|
138 |
A proof method is \concept{complete} if it can prove all true formulas.
|
|
139 |
There is no complete proof method for HOL, not even in theory.
|
|
140 |
Hence all our proof methods only differ in how incomplete they are.
|
|
141 |
|
|
142 |
A proof method that is still incomplete but tries harder than @{text auto} is
|
|
143 |
@{text fastforce}. It either succeeds or fails, it acts on the first
|
|
144 |
subgoal only, and it can be modified just like @{text auto}, e.g.\
|
|
145 |
with @{text "simp add"}. Here is a typical example of what @{text fastforce}
|
|
146 |
can do:
|
|
147 |
*}
|
|
148 |
|
|
149 |
lemma "\<lbrakk> \<forall>xs \<in> A. \<exists>ys. xs = ys @ ys; us \<in> A \<rbrakk>
|
|
150 |
\<Longrightarrow> \<exists>n. length us = n+n"
|
|
151 |
by fastforce
|
|
152 |
|
|
153 |
text{* This lemma is out of reach for @{text auto} because of the
|
|
154 |
quantifiers. Even @{text fastforce} fails when the quantifier structure
|
|
155 |
becomes more complicated. In a few cases, its slow version @{text force}
|
|
156 |
succeeds where @{text fastforce} fails.
|
|
157 |
|
|
158 |
The method of choice for complex logical goals is @{text blast}. In the
|
47711
|
159 |
following example, @{text T} and @{text A} are two binary predicates. It
|
|
160 |
is shown that if @{text T} is total, @{text A} is antisymmetric and @{text T} is
|
47269
|
161 |
a subset of @{text A}, then @{text A} is a subset of @{text T}:
|
|
162 |
*}
|
|
163 |
|
|
164 |
lemma
|
|
165 |
"\<lbrakk> \<forall>x y. T x y \<or> T y x;
|
|
166 |
\<forall>x y. A x y \<and> A y x \<longrightarrow> x = y;
|
|
167 |
\<forall>x y. T x y \<longrightarrow> A x y \<rbrakk>
|
|
168 |
\<Longrightarrow> \<forall>x y. A x y \<longrightarrow> T x y"
|
|
169 |
by blast
|
|
170 |
|
|
171 |
text{*
|
|
172 |
We leave it to the reader to figure out why this lemma is true.
|
|
173 |
Method @{text blast}
|
|
174 |
\begin{itemize}
|
|
175 |
\item is (in principle) a complete proof procedure for first-order formulas,
|
|
176 |
a fragment of HOL. In practice there is a search bound.
|
|
177 |
\item does no rewriting and knows very little about equality.
|
|
178 |
\item covers logic, sets and relations.
|
|
179 |
\item either succeeds or fails.
|
|
180 |
\end{itemize}
|
|
181 |
Because of its strength in logic and sets and its weakness in equality reasoning, it complements the earlier proof methods.
|
|
182 |
|
|
183 |
|
|
184 |
\subsubsection{Sledgehammer}
|
|
185 |
|
|
186 |
Command \isacom{sledgehammer} calls a number of external automatic
|
|
187 |
theorem provers (ATPs) that run for up to 30 seconds searching for a
|
|
188 |
proof. Some of these ATPs are part of the Isabelle installation, others are
|
|
189 |
queried over the internet. If successful, a proof command is generated and can
|
|
190 |
be inserted into your proof. The biggest win of \isacom{sledgehammer} is
|
|
191 |
that it will take into account the whole lemma library and you do not need to
|
|
192 |
feed in any lemma explicitly. For example,*}
|
|
193 |
|
|
194 |
lemma "\<lbrakk> xs @ ys = ys @ xs; length xs = length ys \<rbrakk> \<Longrightarrow> xs = ys"
|
|
195 |
|
|
196 |
txt{* cannot be solved by any of the standard proof methods, but
|
|
197 |
\isacom{sledgehammer} finds the following proof: *}
|
|
198 |
|
|
199 |
by (metis append_eq_conv_conj)
|
|
200 |
|
|
201 |
text{* We do not explain how the proof was found but what this command
|
|
202 |
means. For a start, Isabelle does not trust external tools (and in particular
|
|
203 |
not the translations from Isabelle's logic to those tools!)
|
|
204 |
and insists on a proof that it can check. This is what @{text metis} does.
|
|
205 |
It is given a list of lemmas and tries to find a proof just using those lemmas
|
|
206 |
(and pure logic). In contrast to @{text simp} and friends that know a lot of
|
|
207 |
lemmas already, using @{text metis} manually is tedious because one has
|
|
208 |
to find all the relevant lemmas first. But that is precisely what
|
|
209 |
\isacom{sledgehammer} does for us.
|
|
210 |
In this case lemma @{thm[source]append_eq_conv_conj} alone suffices:
|
|
211 |
@{thm[display] append_eq_conv_conj}
|
|
212 |
We leave it to the reader to figure out why this lemma suffices to prove
|
|
213 |
the above lemma, even without any knowledge of what the functions @{const take}
|
|
214 |
and @{const drop} do. Keep in mind that the variables in the two lemmas
|
|
215 |
are independent of each other, despite the same names, and that you can
|
|
216 |
substitute arbitrary values for the free variables in a lemma.
|
|
217 |
|
|
218 |
Just as for the other proof methods we have seen, there is no guarantee that
|
|
219 |
\isacom{sledgehammer} will find a proof if it exists. Nor is
|
|
220 |
\isacom{sledgehammer} superior to the other proof methods. They are
|
|
221 |
incomparable. Therefore it is recommended to apply @{text simp} or @{text
|
|
222 |
auto} before invoking \isacom{sledgehammer} on what is left.
|
|
223 |
|
|
224 |
\subsubsection{Arithmetic}
|
|
225 |
|
|
226 |
By arithmetic formulas we mean formulas involving variables, numbers, @{text
|
|
227 |
"+"}, @{text"-"}, @{text "="}, @{text "<"}, @{text "\<le>"} and the usual logical
|
|
228 |
connectives @{text"\<not>"}, @{text"\<and>"}, @{text"\<or>"}, @{text"\<longrightarrow>"},
|
|
229 |
@{text"\<longleftrightarrow>"}. Strictly speaking, this is known as \concept{linear arithmetic}
|
|
230 |
because it does not involve multiplication, although multiplication with
|
|
231 |
numbers, e.g.\ @{text"2*n"} is allowed. Such formulas can be proved by
|
|
232 |
@{text arith}:
|
|
233 |
*}
|
|
234 |
|
|
235 |
lemma "\<lbrakk> (a::nat) \<le> x + b; 2*x < c \<rbrakk> \<Longrightarrow> 2*a + 1 \<le> 2*b + c"
|
|
236 |
by arith
|
|
237 |
|
|
238 |
text{* In fact, @{text auto} and @{text simp} can prove many linear
|
|
239 |
arithmetic formulas already, like the one above, by calling a weak but fast
|
|
240 |
version of @{text arith}. Hence it is usually not necessary to invoke
|
|
241 |
@{text arith} explicitly.
|
|
242 |
|
|
243 |
The above example involves natural numbers, but integers (type @{typ int})
|
|
244 |
and real numbers (type @{text real}) are supported as well. As are a number
|
|
245 |
of further operators like @{const min} and @{const max}. On @{typ nat} and
|
|
246 |
@{typ int}, @{text arith} can even prove theorems with quantifiers in them,
|
|
247 |
but we will not enlarge on that here.
|
|
248 |
|
|
249 |
|
47727
|
250 |
\subsubsection{Trying them all}
|
|
251 |
|
|
252 |
If you want to try all of the above automatic proof methods you simply type
|
|
253 |
\begin{isabelle}
|
|
254 |
\isacom{try}
|
|
255 |
\end{isabelle}
|
|
256 |
You can also add specific simplification and introduction rules:
|
|
257 |
\begin{isabelle}
|
|
258 |
\isacom{try} @{text"simp: \<dots> intro: \<dots>"}
|
|
259 |
\end{isabelle}
|
|
260 |
There is also a lightweight variant \isacom{try0} that does not call
|
|
261 |
sledgehammer.
|
|
262 |
|
47269
|
263 |
\subsection{Single step proofs}
|
|
264 |
|
|
265 |
Although automation is nice, it often fails, at least initially, and you need
|
|
266 |
to find out why. When @{text fastforce} or @{text blast} simply fail, you have
|
|
267 |
no clue why. At this point, the stepwise
|
|
268 |
application of proof rules may be necessary. For example, if @{text blast}
|
|
269 |
fails on @{prop"A \<and> B"}, you want to attack the two
|
|
270 |
conjuncts @{text A} and @{text B} separately. This can
|
|
271 |
be achieved by applying \emph{conjunction introduction}
|
|
272 |
\[ @{thm[mode=Rule,show_question_marks]conjI}\ @{text conjI}
|
|
273 |
\]
|
|
274 |
to the proof state. We will now examine the details of this process.
|
|
275 |
|
|
276 |
\subsubsection{Instantiating unknowns}
|
|
277 |
|
|
278 |
We had briefly mentioned earlier that after proving some theorem,
|
|
279 |
Isabelle replaces all free variables @{text x} by so called \concept{unknowns}
|
|
280 |
@{text "?x"}. We can see this clearly in rule @{thm[source] conjI}.
|
|
281 |
These unknowns can later be instantiated explicitly or implicitly:
|
|
282 |
\begin{itemize}
|
|
283 |
\item By hand, using @{text of}.
|
|
284 |
The expression @{text"conjI[of \"a=b\" \"False\"]"}
|
|
285 |
instantiates the unknowns in @{thm[source] conjI} from left to right with the
|
|
286 |
two formulas @{text"a=b"} and @{text False}, yielding the rule
|
|
287 |
@{thm[display,mode=Rule]conjI[of "a=b" False]}
|
|
288 |
|
|
289 |
In general, @{text"th[of string\<^isub>1 \<dots> string\<^isub>n]"} instantiates
|
|
290 |
the unknowns in the theorem @{text th} from left to right with the terms
|
|
291 |
@{text string\<^isub>1} to @{text string\<^isub>n}.
|
|
292 |
|
|
293 |
\item By unification. \concept{Unification} is the process of making two
|
|
294 |
terms syntactically equal by suitable instantiations of unknowns. For example,
|
|
295 |
unifying @{text"?P \<and> ?Q"} with \mbox{@{prop"a=b \<and> False"}} instantiates
|
|
296 |
@{text "?P"} with @{prop "a=b"} and @{text "?Q"} with @{prop False}.
|
|
297 |
\end{itemize}
|
|
298 |
We need not instantiate all unknowns. If we want to skip a particular one we
|
|
299 |
can just write @{text"_"} instead, for example @{text "conjI[of _ \"False\"]"}.
|
|
300 |
Unknowns can also be instantiated by name, for example
|
|
301 |
@{text "conjI[where ?P = \"a=b\" and ?Q = \"False\"]"}.
|
|
302 |
|
|
303 |
|
|
304 |
\subsubsection{Rule application}
|
|
305 |
|
|
306 |
\concept{Rule application} means applying a rule backwards to a proof state.
|
|
307 |
For example, applying rule @{thm[source]conjI} to a proof state
|
|
308 |
\begin{quote}
|
|
309 |
@{text"1. \<dots> \<Longrightarrow> A \<and> B"}
|
|
310 |
\end{quote}
|
|
311 |
results in two subgoals, one for each premise of @{thm[source]conjI}:
|
|
312 |
\begin{quote}
|
|
313 |
@{text"1. \<dots> \<Longrightarrow> A"}\\
|
|
314 |
@{text"2. \<dots> \<Longrightarrow> B"}
|
|
315 |
\end{quote}
|
|
316 |
In general, the application of a rule @{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"}
|
|
317 |
to a subgoal \mbox{@{text"\<dots> \<Longrightarrow> C"}} proceeds in two steps:
|
|
318 |
\begin{enumerate}
|
|
319 |
\item
|
|
320 |
Unify @{text A} and @{text C}, thus instantiating the unknowns in the rule.
|
|
321 |
\item
|
|
322 |
Replace the subgoal @{text C} with @{text n} new subgoals @{text"A\<^isub>1"} to @{text"A\<^isub>n"}.
|
|
323 |
\end{enumerate}
|
|
324 |
This is the command to apply rule @{text xyz}:
|
|
325 |
\begin{quote}
|
|
326 |
\isacom{apply}@{text"(rule xyz)"}
|
|
327 |
\end{quote}
|
|
328 |
This is also called \concept{backchaining} with rule @{text xyz}.
|
|
329 |
|
|
330 |
\subsubsection{Introduction rules}
|
|
331 |
|
|
332 |
Conjunction introduction (@{thm[source] conjI}) is one example of a whole
|
|
333 |
class of rules known as \concept{introduction rules}. They explain under which
|
|
334 |
premises some logical construct can be introduced. Here are some further
|
|
335 |
useful introduction rules:
|
|
336 |
\[
|
|
337 |
\inferrule*[right=\mbox{@{text impI}}]{\mbox{@{text"?P \<Longrightarrow> ?Q"}}}{\mbox{@{text"?P \<longrightarrow> ?Q"}}}
|
|
338 |
\qquad
|
|
339 |
\inferrule*[right=\mbox{@{text allI}}]{\mbox{@{text"\<And>x. ?P x"}}}{\mbox{@{text"\<forall>x. ?P x"}}}
|
|
340 |
\]
|
|
341 |
\[
|
|
342 |
\inferrule*[right=\mbox{@{text iffI}}]{\mbox{@{text"?P \<Longrightarrow> ?Q"}} \\ \mbox{@{text"?Q \<Longrightarrow> ?P"}}}
|
|
343 |
{\mbox{@{text"?P = ?Q"}}}
|
|
344 |
\]
|
|
345 |
These rules are part of the logical system of \concept{natural deduction}
|
|
346 |
(e.g.\ \cite{HuthRyan}). Although we intentionally de-emphasize the basic rules
|
|
347 |
of logic in favour of automatic proof methods that allow you to take bigger
|
|
348 |
steps, these rules are helpful in locating where and why automation fails.
|
|
349 |
When applied backwards, these rules decompose the goal:
|
|
350 |
\begin{itemize}
|
|
351 |
\item @{thm[source] conjI} and @{thm[source]iffI} split the goal into two subgoals,
|
|
352 |
\item @{thm[source] impI} moves the left-hand side of a HOL implication into the list of assumptions,
|
|
353 |
\item and @{thm[source] allI} removes a @{text "\<forall>"} by turning the quantified variable into a fixed local variable of the subgoal.
|
|
354 |
\end{itemize}
|
|
355 |
Isabelle knows about these and a number of other introduction rules.
|
|
356 |
The command
|
|
357 |
\begin{quote}
|
|
358 |
\isacom{apply} @{text rule}
|
|
359 |
\end{quote}
|
|
360 |
automatically selects the appropriate rule for the current subgoal.
|
|
361 |
|
|
362 |
You can also turn your own theorems into introduction rules by giving them
|
47711
|
363 |
the @{text"intro"} attribute, analogous to the @{text simp} attribute. In
|
47269
|
364 |
that case @{text blast}, @{text fastforce} and (to a limited extent) @{text
|
|
365 |
auto} will automatically backchain with those theorems. The @{text intro}
|
|
366 |
attribute should be used with care because it increases the search space and
|
47711
|
367 |
can lead to nontermination. Sometimes it is better to use it only in
|
|
368 |
specific calls of @{text blast} and friends. For example,
|
47269
|
369 |
@{thm[source] le_trans}, transitivity of @{text"\<le>"} on type @{typ nat},
|
|
370 |
is not an introduction rule by default because of the disastrous effect
|
|
371 |
on the search space, but can be useful in specific situations:
|
|
372 |
*}
|
|
373 |
|
|
374 |
lemma "\<lbrakk> (a::nat) \<le> b; b \<le> c; c \<le> d; d \<le> e \<rbrakk> \<Longrightarrow> a \<le> e"
|
|
375 |
by(blast intro: le_trans)
|
|
376 |
|
|
377 |
text{*
|
|
378 |
Of course this is just an example and could be proved by @{text arith}, too.
|
|
379 |
|
|
380 |
\subsubsection{Forward proof}
|
|
381 |
\label{sec:forward-proof}
|
|
382 |
|
|
383 |
Forward proof means deriving new theorems from old theorems. We have already
|
|
384 |
seen a very simple form of forward proof: the @{text of} operator for
|
|
385 |
instantiating unknowns in a theorem. The big brother of @{text of} is @{text
|
|
386 |
OF} for applying one theorem to others. Given a theorem @{prop"A \<Longrightarrow> B"} called
|
|
387 |
@{text r} and a theorem @{text A'} called @{text r'}, the theorem @{text
|
|
388 |
"r[OF r']"} is the result of applying @{text r} to @{text r'}, where @{text
|
|
389 |
r} should be viewed as a function taking a theorem @{text A} and returning
|
|
390 |
@{text B}. More precisely, @{text A} and @{text A'} are unified, thus
|
|
391 |
instantiating the unknowns in @{text B}, and the result is the instantiated
|
|
392 |
@{text B}. Of course, unification may also fail.
|
|
393 |
\begin{warn}
|
|
394 |
Application of rules to other rules operates in the forward direction: from
|
|
395 |
the premises to the conclusion of the rule; application of rules to proof
|
|
396 |
states operates in the backward direction, from the conclusion to the
|
|
397 |
premises.
|
|
398 |
\end{warn}
|
|
399 |
|
|
400 |
In general @{text r} can be of the form @{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"}
|
|
401 |
and there can be multiple argument theorems @{text r\<^isub>1} to @{text r\<^isub>m}
|
|
402 |
(with @{text"m \<le> n"}), in which case @{text "r[OF r\<^isub>1 \<dots> r\<^isub>m]"} is obtained
|
|
403 |
by unifying and thus proving @{text "A\<^isub>i"} with @{text "r\<^isub>i"}, @{text"i = 1\<dots>m"}.
|
|
404 |
Here is an example, where @{thm[source]refl} is the theorem
|
|
405 |
@{thm[show_question_marks] refl}:
|
|
406 |
*}
|
|
407 |
|
|
408 |
thm conjI[OF refl[of "a"] refl[of "b"]]
|
|
409 |
|
|
410 |
text{* yields the theorem @{thm conjI[OF refl[of "a"] refl[of "b"]]}.
|
|
411 |
The command \isacom{thm} merely displays the result.
|
|
412 |
|
|
413 |
Forward reasoning also makes sense in connection with proof states.
|
|
414 |
Therefore @{text blast}, @{text fastforce} and @{text auto} support a modifier
|
|
415 |
@{text dest} which instructs the proof method to use certain rules in a
|
|
416 |
forward fashion. If @{text r} is of the form \mbox{@{text "A \<Longrightarrow> B"}}, the modifier
|
|
417 |
\mbox{@{text"dest: r"}}
|
|
418 |
allows proof search to reason forward with @{text r}, i.e.\
|
|
419 |
to replace an assumption @{text A'}, where @{text A'} unifies with @{text A},
|
|
420 |
with the correspondingly instantiated @{text B}. For example, @{thm[source,show_question_marks] Suc_leD} is the theorem \mbox{@{thm Suc_leD}}, which works well for forward reasoning:
|
|
421 |
*}
|
|
422 |
|
|
423 |
lemma "Suc(Suc(Suc a)) \<le> b \<Longrightarrow> a \<le> b"
|
|
424 |
by(blast dest: Suc_leD)
|
|
425 |
|
|
426 |
text{* In this particular example we could have backchained with
|
|
427 |
@{thm[source] Suc_leD}, too, but because the premise is more complicated than the conclusion this can easily lead to nontermination.
|
|
428 |
|
47727
|
429 |
\subsubsection{Finding theorems}
|
|
430 |
|
|
431 |
Command \isacom{find\_theorems} searches for specific theorems in the current
|
|
432 |
theory. Search criteria include pattern matching on terms and on names.
|
|
433 |
For details see the Isabelle/Isar Reference Manual~\cite{IsarRef}.
|
|
434 |
\bigskip
|
|
435 |
|
47269
|
436 |
\begin{warn}
|
|
437 |
To ease readability we will drop the question marks
|
|
438 |
in front of unknowns from now on.
|
|
439 |
\end{warn}
|
|
440 |
|
47727
|
441 |
|
47269
|
442 |
\section{Inductive definitions}
|
|
443 |
\label{sec:inductive-defs}
|
|
444 |
|
|
445 |
Inductive definitions are the third important definition facility, after
|
47711
|
446 |
datatypes and recursive function.
|
|
447 |
\sem
|
|
448 |
In fact, they are the key construct in the
|
47269
|
449 |
definition of operational semantics in the second part of the book.
|
47711
|
450 |
\endsem
|
47269
|
451 |
|
|
452 |
\subsection{An example: even numbers}
|
|
453 |
\label{sec:Logic:even}
|
|
454 |
|
|
455 |
Here is a simple example of an inductively defined predicate:
|
|
456 |
\begin{itemize}
|
|
457 |
\item 0 is even
|
|
458 |
\item If $n$ is even, so is $n+2$.
|
|
459 |
\end{itemize}
|
|
460 |
The operative word ``inductive'' means that these are the only even numbers.
|
|
461 |
In Isabelle we give the two rules the names @{text ev0} and @{text evSS}
|
|
462 |
and write
|
|
463 |
*}
|
|
464 |
|
|
465 |
inductive ev :: "nat \<Rightarrow> bool" where
|
|
466 |
ev0: "ev 0" |
|
|
467 |
evSS: (*<*)"ev n \<Longrightarrow> ev (Suc(Suc n))"(*>*)
|
47306
|
468 |
text_raw{* @{prop[source]"ev n \<Longrightarrow> ev (n + 2)"} *}
|
47269
|
469 |
|
|
470 |
text{* To get used to inductive definitions, we will first prove a few
|
|
471 |
properties of @{const ev} informally before we descend to the Isabelle level.
|
|
472 |
|
|
473 |
How do we prove that some number is even, e.g.\ @{prop "ev 4"}? Simply by combining the defining rules for @{const ev}:
|
|
474 |
\begin{quote}
|
|
475 |
@{text "ev 0 \<Longrightarrow> ev (0 + 2) \<Longrightarrow> ev((0 + 2) + 2) = ev 4"}
|
|
476 |
\end{quote}
|
|
477 |
|
|
478 |
\subsubsection{Rule induction}
|
|
479 |
|
|
480 |
Showing that all even numbers have some property is more complicated. For
|
|
481 |
example, let us prove that the inductive definition of even numbers agrees
|
|
482 |
with the following recursive one:*}
|
|
483 |
|
|
484 |
fun even :: "nat \<Rightarrow> bool" where
|
|
485 |
"even 0 = True" |
|
|
486 |
"even (Suc 0) = False" |
|
|
487 |
"even (Suc(Suc n)) = even n"
|
|
488 |
|
|
489 |
text{* We prove @{prop"ev m \<Longrightarrow> even m"}. That is, we
|
|
490 |
assume @{prop"ev m"} and by induction on the form of its derivation
|
|
491 |
prove @{prop"even m"}. There are two cases corresponding to the two rules
|
|
492 |
for @{const ev}:
|
|
493 |
\begin{description}
|
|
494 |
\item[Case @{thm[source]ev0}:]
|
|
495 |
@{prop"ev m"} was derived by rule @{prop "ev 0"}: \\
|
|
496 |
@{text"\<Longrightarrow>"} @{prop"m=(0::nat)"} @{text"\<Longrightarrow>"} @{text "even m = even 0 = True"}
|
|
497 |
\item[Case @{thm[source]evSS}:]
|
|
498 |
@{prop"ev m"} was derived by rule @{prop "ev n \<Longrightarrow> ev(n+2)"}: \\
|
|
499 |
@{text"\<Longrightarrow>"} @{prop"m=n+(2::nat)"} and by induction hypothesis @{prop"even n"}\\
|
|
500 |
@{text"\<Longrightarrow>"} @{text"even m = even(n + 2) = even n = True"}
|
|
501 |
\end{description}
|
|
502 |
|
|
503 |
What we have just seen is a special case of \concept{rule induction}.
|
|
504 |
Rule induction applies to propositions of this form
|
|
505 |
\begin{quote}
|
|
506 |
@{prop "ev n \<Longrightarrow> P n"}
|
|
507 |
\end{quote}
|
|
508 |
That is, we want to prove a property @{prop"P n"}
|
|
509 |
for all even @{text n}. But if we assume @{prop"ev n"}, then there must be
|
|
510 |
some derivation of this assumption using the two defining rules for
|
|
511 |
@{const ev}. That is, we must prove
|
|
512 |
\begin{description}
|
|
513 |
\item[Case @{thm[source]ev0}:] @{prop"P(0::nat)"}
|
|
514 |
\item[Case @{thm[source]evSS}:] @{prop"\<lbrakk> ev n; P n \<rbrakk> \<Longrightarrow> P(n + 2::nat)"}
|
|
515 |
\end{description}
|
|
516 |
The corresponding rule is called @{thm[source] ev.induct} and looks like this:
|
|
517 |
\[
|
|
518 |
\inferrule{
|
|
519 |
\mbox{@{thm (prem 1) ev.induct[of "n"]}}\\
|
|
520 |
\mbox{@{thm (prem 2) ev.induct}}\\
|
|
521 |
\mbox{@{prop"!!n. \<lbrakk> ev n; P n \<rbrakk> \<Longrightarrow> P(n+2)"}}}
|
|
522 |
{\mbox{@{thm (concl) ev.induct[of "n"]}}}
|
|
523 |
\]
|
|
524 |
The first premise @{prop"ev n"} enforces that this rule can only be applied
|
|
525 |
in situations where we know that @{text n} is even.
|
|
526 |
|
|
527 |
Note that in the induction step we may not just assume @{prop"P n"} but also
|
|
528 |
\mbox{@{prop"ev n"}}, which is simply the premise of rule @{thm[source]
|
|
529 |
evSS}. Here is an example where the local assumption @{prop"ev n"} comes in
|
|
530 |
handy: we prove @{prop"ev m \<Longrightarrow> ev(m - 2)"} by induction on @{prop"ev m"}.
|
|
531 |
Case @{thm[source]ev0} requires us to prove @{prop"ev(0 - 2)"}, which follows
|
|
532 |
from @{prop"ev 0"} because @{prop"0 - 2 = (0::nat)"} on type @{typ nat}. In
|
|
533 |
case @{thm[source]evSS} we have \mbox{@{prop"m = n+(2::nat)"}} and may assume
|
|
534 |
@{prop"ev n"}, which implies @{prop"ev (m - 2)"} because @{text"m - 2 = (n +
|
|
535 |
2) - 2 = n"}. We did not need the induction hypothesis at all for this proof,
|
47711
|
536 |
it is just a case analysis of which rule was used, but having @{prop"ev
|
47269
|
537 |
n"} at our disposal in case @{thm[source]evSS} was essential.
|
47711
|
538 |
This case analysis of rules is also called ``rule inversion''
|
47269
|
539 |
and is discussed in more detail in \autoref{ch:Isar}.
|
|
540 |
|
|
541 |
\subsubsection{In Isabelle}
|
|
542 |
|
|
543 |
Let us now recast the above informal proofs in Isabelle. For a start,
|
|
544 |
we use @{const Suc} terms instead of numerals in rule @{thm[source]evSS}:
|
|
545 |
@{thm[display] evSS}
|
|
546 |
This avoids the difficulty of unifying @{text"n+2"} with some numeral,
|
|
547 |
which is not automatic.
|
|
548 |
|
|
549 |
The simplest way to prove @{prop"ev(Suc(Suc(Suc(Suc 0))))"} is in a forward
|
|
550 |
direction: @{text "evSS[OF evSS[OF ev0]]"} yields the theorem @{thm evSS[OF
|
|
551 |
evSS[OF ev0]]}. Alternatively, you can also prove it as a lemma in backwards
|
|
552 |
fashion. Although this is more verbose, it allows us to demonstrate how each
|
|
553 |
rule application changes the proof state: *}
|
|
554 |
|
|
555 |
lemma "ev(Suc(Suc(Suc(Suc 0))))"
|
|
556 |
txt{*
|
|
557 |
@{subgoals[display,indent=0,goals_limit=1]}
|
|
558 |
*}
|
|
559 |
apply(rule evSS)
|
|
560 |
txt{*
|
|
561 |
@{subgoals[display,indent=0,goals_limit=1]}
|
|
562 |
*}
|
|
563 |
apply(rule evSS)
|
|
564 |
txt{*
|
|
565 |
@{subgoals[display,indent=0,goals_limit=1]}
|
|
566 |
*}
|
|
567 |
apply(rule ev0)
|
|
568 |
done
|
|
569 |
|
|
570 |
text{* \indent
|
|
571 |
Rule induction is applied by giving the induction rule explicitly via the
|
|
572 |
@{text"rule:"} modifier:*}
|
|
573 |
|
|
574 |
lemma "ev m \<Longrightarrow> even m"
|
|
575 |
apply(induction rule: ev.induct)
|
|
576 |
by(simp_all)
|
|
577 |
|
|
578 |
text{* Both cases are automatic. Note that if there are multiple assumptions
|
|
579 |
of the form @{prop"ev t"}, method @{text induction} will induct on the leftmost
|
|
580 |
one.
|
|
581 |
|
|
582 |
As a bonus, we also prove the remaining direction of the equivalence of
|
|
583 |
@{const ev} and @{const even}:
|
|
584 |
*}
|
|
585 |
|
|
586 |
lemma "even n \<Longrightarrow> ev n"
|
|
587 |
apply(induction n rule: even.induct)
|
|
588 |
|
|
589 |
txt{* This is a proof by computation induction on @{text n} (see
|
|
590 |
\autoref{sec:recursive-funs}) that sets up three subgoals corresponding to
|
|
591 |
the three equations for @{const even}:
|
|
592 |
@{subgoals[display,indent=0]}
|
|
593 |
The first and third subgoals follow with @{thm[source]ev0} and @{thm[source]evSS}, and the second subgoal is trivially true because @{prop"even(Suc 0)"} is @{const False}:
|
|
594 |
*}
|
|
595 |
|
|
596 |
by (simp_all add: ev0 evSS)
|
|
597 |
|
|
598 |
text{* The rules for @{const ev} make perfect simplification and introduction
|
|
599 |
rules because their premises are always smaller than the conclusion. It
|
|
600 |
makes sense to turn them into simplification and introduction rules
|
|
601 |
permanently, to enhance proof automation: *}
|
|
602 |
|
|
603 |
declare ev.intros[simp,intro]
|
|
604 |
|
|
605 |
text{* The rules of an inductive definition are not simplification rules by
|
|
606 |
default because, in contrast to recursive functions, there is no termination
|
|
607 |
requirement for inductive definitions.
|
|
608 |
|
|
609 |
\subsubsection{Inductive versus recursive}
|
|
610 |
|
|
611 |
We have seen two definitions of the notion of evenness, an inductive and a
|
|
612 |
recursive one. Which one is better? Much of the time, the recursive one is
|
|
613 |
more convenient: it allows us to do rewriting in the middle of terms, and it
|
|
614 |
expresses both the positive information (which numbers are even) and the
|
|
615 |
negative information (which numbers are not even) directly. An inductive
|
|
616 |
definition only expresses the positive information directly. The negative
|
|
617 |
information, for example, that @{text 1} is not even, has to be proved from
|
|
618 |
it (by induction or rule inversion). On the other hand, rule induction is
|
47711
|
619 |
tailor-made for proving \mbox{@{prop"ev n \<Longrightarrow> P n"}} because it only asks you
|
47269
|
620 |
to prove the positive cases. In the proof of @{prop"even n \<Longrightarrow> P n"} by
|
|
621 |
computation induction via @{thm[source]even.induct}, we are also presented
|
|
622 |
with the trivial negative cases. If you want the convenience of both
|
|
623 |
rewriting and rule induction, you can make two definitions and show their
|
|
624 |
equivalence (as above) or make one definition and prove additional properties
|
|
625 |
from it, for example rule induction from computation induction.
|
|
626 |
|
|
627 |
But many concepts do not admit a recursive definition at all because there is
|
|
628 |
no datatype for the recursion (for example, the transitive closure of a
|
47711
|
629 |
relation), or the recursion would not terminate (for example,
|
|
630 |
an interpreter for a programming language). Even if there is a recursive
|
47269
|
631 |
definition, if we are only interested in the positive information, the
|
|
632 |
inductive definition may be much simpler.
|
|
633 |
|
|
634 |
\subsection{The reflexive transitive closure}
|
|
635 |
\label{sec:star}
|
|
636 |
|
|
637 |
Evenness is really more conveniently expressed recursively than inductively.
|
|
638 |
As a second and very typical example of an inductive definition we define the
|
47711
|
639 |
reflexive transitive closure.
|
|
640 |
\sem
|
|
641 |
It will also be an important building block for
|
47269
|
642 |
some of the semantics considered in the second part of the book.
|
47711
|
643 |
\endsem
|
47269
|
644 |
|
|
645 |
The reflexive transitive closure, called @{text star} below, is a function
|
|
646 |
that maps a binary predicate to another binary predicate: if @{text r} is of
|
|
647 |
type @{text"\<tau> \<Rightarrow> \<tau> \<Rightarrow> bool"} then @{term "star r"} is again of type @{text"\<tau> \<Rightarrow>
|
|
648 |
\<tau> \<Rightarrow> bool"}, and @{prop"star r x y"} means that @{text x} and @{text y} are in
|
|
649 |
the relation @{term"star r"}. Think @{term"r^*"} when you see @{term"star
|
|
650 |
r"}, because @{text"star r"} is meant to be the reflexive transitive closure.
|
|
651 |
That is, @{prop"star r x y"} is meant to be true if from @{text x} we can
|
|
652 |
reach @{text y} in finitely many @{text r} steps. This concept is naturally
|
|
653 |
defined inductively: *}
|
|
654 |
|
|
655 |
inductive star :: "('a \<Rightarrow> 'a \<Rightarrow> bool) \<Rightarrow> 'a \<Rightarrow> 'a \<Rightarrow> bool" for r where
|
|
656 |
refl: "star r x x" |
|
|
657 |
step: "r x y \<Longrightarrow> star r y z \<Longrightarrow> star r x z"
|
|
658 |
|
|
659 |
text{* The base case @{thm[source] refl} is reflexivity: @{term "x=y"}. The
|
|
660 |
step case @{thm[source]step} combines an @{text r} step (from @{text x} to
|
47711
|
661 |
@{text y}) and a @{term"star r"} step (from @{text y} to @{text z}) into a
|
|
662 |
@{term"star r"} step (from @{text x} to @{text z}).
|
47269
|
663 |
The ``\isacom{for}~@{text r}'' in the header is merely a hint to Isabelle
|
|
664 |
that @{text r} is a fixed parameter of @{const star}, in contrast to the
|
|
665 |
further parameters of @{const star}, which change. As a result, Isabelle
|
|
666 |
generates a simpler induction rule.
|
|
667 |
|
|
668 |
By definition @{term"star r"} is reflexive. It is also transitive, but we
|
|
669 |
need rule induction to prove that: *}
|
|
670 |
|
|
671 |
lemma star_trans: "star r x y \<Longrightarrow> star r y z \<Longrightarrow> star r x z"
|
|
672 |
apply(induction rule: star.induct)
|
|
673 |
(*<*)
|
|
674 |
defer
|
|
675 |
apply(rename_tac u x y)
|
|
676 |
defer
|
|
677 |
(*>*)
|
|
678 |
txt{* The induction is over @{prop"star r x y"} and we try to prove
|
|
679 |
\mbox{@{prop"star r y z \<Longrightarrow> star r x z"}},
|
|
680 |
which we abbreviate by @{prop"P x y"}. These are our two subgoals:
|
|
681 |
@{subgoals[display,indent=0]}
|
|
682 |
The first one is @{prop"P x x"}, the result of case @{thm[source]refl},
|
|
683 |
and it is trivial.
|
|
684 |
*}
|
|
685 |
apply(assumption)
|
|
686 |
txt{* Let us examine subgoal @{text 2}, case @{thm[source] step}.
|
|
687 |
Assumptions @{prop"r u x"} and \mbox{@{prop"star r x y"}}
|
|
688 |
are the premises of rule @{thm[source]step}.
|
|
689 |
Assumption @{prop"star r y z \<Longrightarrow> star r x z"} is \mbox{@{prop"P x y"}},
|
|
690 |
the IH coming from @{prop"star r x y"}. We have to prove @{prop"P u y"},
|
|
691 |
which we do by assuming @{prop"star r y z"} and proving @{prop"star r u z"}.
|
|
692 |
The proof itself is straightforward: from \mbox{@{prop"star r y z"}} the IH
|
|
693 |
leads to @{prop"star r x z"} which, together with @{prop"r u x"},
|
|
694 |
leads to \mbox{@{prop"star r u z"}} via rule @{thm[source]step}:
|
|
695 |
*}
|
|
696 |
apply(metis step)
|
|
697 |
done
|
|
698 |
|
|
699 |
text{*
|
|
700 |
|
|
701 |
\subsection{The general case}
|
|
702 |
|
|
703 |
Inductive definitions have approximately the following general form:
|
|
704 |
\begin{quote}
|
|
705 |
\isacom{inductive} @{text"I :: \"\<tau> \<Rightarrow> bool\""} \isacom{where}
|
|
706 |
\end{quote}
|
|
707 |
followed by a sequence of (possibly named) rules of the form
|
|
708 |
\begin{quote}
|
|
709 |
@{text "\<lbrakk> I a\<^isub>1; \<dots>; I a\<^isub>n \<rbrakk> \<Longrightarrow> I a"}
|
|
710 |
\end{quote}
|
|
711 |
separated by @{text"|"}. As usual, @{text n} can be 0.
|
|
712 |
The corresponding rule induction principle
|
|
713 |
@{text I.induct} applies to propositions of the form
|
|
714 |
\begin{quote}
|
|
715 |
@{prop "I x \<Longrightarrow> P x"}
|
|
716 |
\end{quote}
|
|
717 |
where @{text P} may itself be a chain of implications.
|
|
718 |
\begin{warn}
|
|
719 |
Rule induction is always on the leftmost premise of the goal.
|
|
720 |
Hence @{text "I x"} must be the first premise.
|
|
721 |
\end{warn}
|
|
722 |
Proving @{prop "I x \<Longrightarrow> P x"} by rule induction means proving
|
|
723 |
for every rule of @{text I} that @{text P} is invariant:
|
|
724 |
\begin{quote}
|
|
725 |
@{text "\<lbrakk> I a\<^isub>1; P a\<^isub>1; \<dots>; I a\<^isub>n; P a\<^isub>n \<rbrakk> \<Longrightarrow> P a"}
|
|
726 |
\end{quote}
|
|
727 |
|
|
728 |
The above format for inductive definitions is simplified in a number of
|
|
729 |
respects. @{text I} can have any number of arguments and each rule can have
|
|
730 |
additional premises not involving @{text I}, so-called \concept{side
|
|
731 |
conditions}. In rule inductions, these side-conditions appear as additional
|
|
732 |
assumptions. The \isacom{for} clause seen in the definition of the reflexive
|
|
733 |
transitive closure merely simplifies the form of the induction rule.
|
|
734 |
*}
|
|
735 |
(*<*)
|
|
736 |
end
|
|
737 |
(*>*)
|